This article describes how to use a LANCOM router to authenticate VPN clients at a Microsoft Active Directory domain using IKEv2-EAP.
- LCOS as of version 10.40 Rel (download latest version)
- LANtools as of version 10.40 Rel (download latest version)
- LANCOM central-site gateway, router of the 19xx series, WLAN controller, or LANCOM router with an activated VPN 25 Option
- Advanced VPN Client as of version 3.10
- Windows server with an installed and functioning domain
- Any web browser for accessing the router web interface
VPN clients should authenticate with an Active Directory user name and password. The router terminates IKEv2, authenticates itself to the clients with its certificate (RSA signature), and forwards the clients' EAP-MSCHAPv2 exchange over RADIUS to a Windows server running Network Policy Server (NPS), which checks the credentials against the domain.
1) Activate the CA and create the certificates on the router using Smart Certificate:
1.1) In LANconfig, open the configuration for the router, navigate to the menu Certificates → Certificate authority (CA) and set a checkmark next to Certificate authority (CA) active.
Then write the configuration back to the router.
1.2) Open the web interface for the router and switch to the menu item Setup Wizards → Manage certificates.
1.3) Click on Create new certificate.
1.4) Adjust the following parameters, click on Enroll (PKCS # 12) and save the certificate:
- Profile name: From the drop-down menu, select VPN.
- Common name (CN): Enter a descriptive common name.
- Validity period: Enter a validity period that is as long as possible (in this example 10 years). A long validity period saves you from redistributing the CA certificate to every client (section 4) later, but it also means the private key in the exported file stays usable for that long, so protect the PKCS#12 file and its password accordingly.
- Password: Enter a passphrase. It protects the private key in the exported PKCS#12 file and has to be entered again when the file is uploaded to the router in step 1.6.
1.5) In the web interface, change to the menu Extras → Upload Certificate or File.
1.6) Modify the following parameters and then click Start upload:
- File Type: Select an unused VPN container from the drop-down menu (in this example the VPN container (VPN1)).
- File Name/Location: Select the certificate created in step 1.4.
- Passphrase: Enter the password set in step 1.4.
2) Set up the IKEv2-EAP connection on the LANCOM router:
2.1) Open the configuration of the router in LANconfig, switch to the menu VPN → General and set the drop-down menu for Virtual Private Network to Activated.
2.2) Switch to the menu VPN → IKEv2/IPsec → Authentication.
2.3) Add a new Authentication profile.
2.4) Enter the following parameters:
- Name: Enter a descriptive name.
- Local authentication: From the drop-down menu, select RSA signature.
- Local identifier type: From the drop-down menu, select ASN.1 Distinguished-Name.
- Local identifier: Enter the common name set in step 1.4. The router sends this value as its IKEv2 identity, so it must match the subject of the certificate selected below as the local certificate.
- Remote authentication: From the drop-down menu, select EAP.
- Local certificate: From the drop-down menu, select the VPN container created in step 1.6.
2.5) Switch to the menu VPN → IKEv2/IPsec → IPv4 addresses.
2.6) Adjust the following parameters to create a new IPv4 address pool:
- Name: Enter a descriptive name.
- First address: Enter the first IP address of the pool.
- Last address: Enter the last IP address of the pool. Each VPN client that dials in is assigned one address from this range via the IKE configuration payload (see step 2.12).
2.7) Switch to the menu VPN → IKEv2/IPsec → Extended settings.
2.8) Go to the menu RADIUS server.
2.9) Create a new entry and adjust the following parameters:
- Name: Enter a descriptive name.
- Server address: Enter the IP address or a DNS name where the Windows server can be reached.
- Port: Check that the port is set to 1812.
- Secret: Enter the RADIUS shared secret. The router uses it to authenticate the RADIUS requests it sends to the Windows server, and exactly the same value must be entered for the RADIUS client on the NPS side (see step 3.3). Choose a long, random string rather than a short password: this secret is all that protects the RADIUS exchange between router and server.
- Protocols: Check that the protocol is set to RADIUS.
2.10) Navigate to the menu VPN → IKEv2/IPsec → Connection list.
2.11) Edit the DEFAULT entry.
2.12) Enter the following parameters:
- Name of connection: Keep the name DEFAULT.
- Authentication: From the drop-down menu, select the authentication profile created in step 2.4.
- Rule Creation: Set Rule creation to Manual.
- IPv4 rules: From the drop-down menu, select the predefined object RAS-WITH-CONFIG-PAYLOAD.
- IKE-CFG: From the drop-down menu, select Server.
- IPv4 address pool: From the drop-down menu, select the IP address pool created in step 2.6.
- RADIUS auth. server: From the drop-down menu, select the RADIUS object created in step 2.9.
2.13) This concludes the configuration of the VPN connection. Write the configuration back to the router.
3) Setting up network policy services on the Windows server:
3.1) Install the role Network Policy and Access Services on the Windows server.
3.2) Open the Network Policy Server console that was installed together with the role in step 3.1.
3.3) Under NPS → RADIUS clients and servers, create a new RADIUS client and adjust the following parameters:
- Make sure the checkmark is set for Enable this RADIUS client.
- Friendly name: Enter a descriptive name.
- Address (IP or DNS): Enter the IP address or DNS name of the router.
- Shared secret: Enter the shared secret that you stored on the router in step 2.9.
- Confirm shared secret: Repeat the shared secret.
3.4) Under Policies, create a new network policy and give it a descriptive name.
3.5) Change to the Conditions tab and click on Add.
3.6) Select the condition User Groups and click on Add Groups.
3.7) Select the Active Directory group whose members should be allowed to establish a VPN connection.
3.8) Change to the Constraints tab and, under Authentication Methods, select the EAP type Microsoft: Secured password (EAP-MSCHAP v2).
3.9) Switch to the Settings tab. In the menu RADIUS Attributes → Standard, make sure that the attributes are set as Framed Protocol - PPP and Service Type - Framed.
3.10) Import the certificate created in step 1.4 into the Windows certificate store of the server.
No explicit reference to this certificate is required in the network policy; NPS finds it automatically in the certificate store after the import.
3.11) Right-click on NPS and click on the context-menu entry Start NPS service.
3.12) Right click once again on NPS and click on the context-menu entry Register server in Active Directory.
3.13) In the Windows firewall, create a rule that allows incoming traffic on UDP port 1812 (RADIUS authentication).
3.14) Allow the connection and select the profiles (domain, private, public) in which the rule applies. Restrict the rule's remote address to the IP address of the router so that only the router can send RADIUS requests to the server.
3.15) Give the rule a meaningful name.
3.16) Add the AD user accounts that are to be authenticated via EAP to the user group selected in step 3.7.
3.17) This concludes the configuration of the network policy services on the Windows server.
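The server-side steps above can also be scripted. The following PowerShell session is an added example, not part of the LANCOM article, and covers steps 3.1, 3.3, 3.10 to 3.13 and 3.16; the network policy itself (steps 3.4 to 3.9) is still created in the NPS console, because the NPS PowerShell module only manages RADIUS clients and server groups. The router address, certificate path, group name, user list and the certificate store location Cert:\LocalMachine\My are assumptions for this example; run it in an elevated session on the NPS server, which is assumed to have the ActiveDirectory module available (it is, if NPS runs on a domain controller).

```powershell
# Added example (not from the LANCOM article): scripted equivalent of steps 3.1, 3.3,
# 3.10 - 3.13 and 3.16. Run as administrator on the NPS server.
$RouterAddress = '192.0.2.1'                 # assumed: address of the LANCOM router as seen by NPS
$ClientName    = 'LANCOM-VPN-Gateway'        # assumed: friendly name of the RADIUS client
$PfxPath       = 'C:\certs\vpn-gateway.p12'  # assumed: the PKCS#12 file exported in step 1.4
$GroupName     = 'VPN-Users'                 # assumed: AD group selected in step 3.7
$Users         = @('alice', 'bob')           # assumed: sAMAccountNames to admit

# 3.1 Install the Network Policy and Access Services role
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# 3.3 RADIUS client. The shared secret is generated here (32 random bytes as hex) and
# printed once so it can be entered on the router in step 2.9. The secret protects the
# MS-CHAPv2 key material NPS returns to the router, so do not reuse a short password.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Secret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
New-NpsRadiusClient -Name $ClientName -Address $RouterAddress -SharedSecret $Secret -Enabled $true | Out-Null
Write-Host "Shared secret to enter on the router (step 2.9): $Secret"

# 3.10 Import the gateway certificate into the computer store (assumed: LocalMachine\My)
$PfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 passphrase from step 1.4'
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword | Out-Null

# 3.11 Start the NPS service (service name IAS) and make it start automatically
Set-Service -Name IAS -StartupType Automatic
Start-Service -Name IAS

# 3.12 Register NPS in Active Directory so it may read the users' dial-in properties
netsh ras add registeredserver

# 3.13 - 3.15 Firewall: allow RADIUS authentication (UDP 1812) from the router only,
# which is narrower than a rule that accepts UDP 1812 from any source.
New-NetFirewallRule -DisplayName 'RADIUS from LANCOM router' -Direction Inbound `
    -Protocol UDP -LocalPort 1812 -RemoteAddress $RouterAddress -Action Allow -Profile Domain | Out-Null

# 3.16 Put the permitted accounts into the group referenced by the network policy
Add-ADGroupMember -Identity $GroupName -Members $Users

# Check what was created
Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName } | Format-List Name, Address, Enabled
Get-NetFirewallRule -DisplayName 'RADIUS from LANCOM router' | Get-NetFirewallPortFilter
Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
```

After entering the printed secret on the router, clear the console history so the secret does not remain in the session transcript. If NPS runs on a member server rather than a domain controller, install the RSAT ActiveDirectory module first or run the Add-ADGroupMember line on a domain controller.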
4) Exporting the CA certificate from the LANCOM router and importing it into the Advanced VPN Client:
4.1) Connect to the web interface of the LANCOM router, switch to the menu Extras → Download current CA certificate and save the certificate.
4.2) Copy the certificate to the computer that is to establish the VPN connection and save it to the directory C:\ProgramData\LANCOM\Advanced VPN Client\cacerts.
4.3) Start the Advanced VPN Client and navigate to the menu Connection → Certificates → Display CA certificates.
4.4) Check whether the Advanced VPN Client recognized the certificate.
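Before trusting the downloaded file, it is worth checking that it really is a CA certificate and that it is the one the router uses, because the client will accept any gateway whose certificate chains to whatever lands in the cacerts directory. The following PowerShell snippet, run on the client computer, is an added example and not part of the article; the file name lancom-ca.cer and the expected fingerprint are assumptions, the fingerprint being a value you obtain from the router administrator out-of-band rather than from the same download.

```powershell
# Added example (not from the LANCOM article): verify the router's CA certificate from step 4.1
# and place it into the Advanced VPN Client's cacerts directory (step 4.2).
$CaFile     = "$env:USERPROFILE\Downloads\lancom-ca.cer"              # assumed file name
$CacertsDir = 'C:\ProgramData\LANCOM\Advanced VPN Client\cacerts'     # path from step 4.2
$ExpectedThumbprint = 'REPLACE-WITH-SHA1-FINGERPRINT-FROM-ADMIN'      # assumed: obtained out-of-band

# Loads DER or Base64-encoded certificates alike
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaFile)

# Must be a CA certificate (BasicConstraints cA=TRUE); otherwise the client cannot use it to
# validate the router's certificate during IKE_AUTH.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "$CaFile is not a CA certificate" }
if ($cert.NotAfter -lt (Get-Date)) { throw "CA certificate expired on $($cert.NotAfter)" }

# Fingerprint comparison guards against a certificate substituted on the download path
$expected = ($ExpectedThumbprint -replace '[:\s-]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected value $expected"
}

if (-not (Test-Path $CacertsDir)) {
    throw "cacerts directory not found; is the Advanced VPN Client installed?"
}
Copy-Item -Path $CaFile -Destination $CacertsDir -Force
'Installed CA "{0}", valid until {1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter
```

Writing to C:\ProgramData requires an elevated session. Once the file is in place, the certificate should appear under Connection → Certificates → Display CA certificates as described in steps 4.3 and 4.4.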
5) Setting up an IKEv2-EAP connection with the Advanced VPN Client:
5.1) In the Advanced VPN Client, navigate to the menu Configuration → Profiles.
5.2) Click on Add / import to create a new VPN connection.
5.3) Select Link to corporate network using IPsec and click on Next.
5.4) Enter a descriptive profile name.
5.5) From the drop-down menu, select the Communication media to be used for establishing the VPN connection.
If you wish to establish the VPN connection with different connection media (e.g. LAN and WLAN), select automatic media detection.
5.6) Under Gateway (tunnel endpoint) enter the public IP address or the DNS name of the router.
5.7) Enter the following parameters:
- Exchange mode: From the drop-down menu, select IKEv2.
- PFS Group: From the drop-down menu, select DH14 (modp2048).
5.8) EAP authentication cannot be selected in the setup wizard; it is configured afterwards in the profile itself (see steps 5.12 and 5.13). Click Next here without making any changes.
5.9) For the IP address assignment select the drop-down menu entry IKE Config Mode. This allows the Advanced VPN Client to obtain an IP address from the router when dialing in via VPN.
5.10) Enter the target network, i.e. the network behind the router that the client should reach. Only traffic destined for this network is routed through the VPN tunnel (split tunneling); all other traffic continues to use the client's normal Internet connection.
Then click on Finish.
For more information on split tunneling, see this knowledge base article.
5.11) Mark the VPN profile created in steps 5.1 – 5.10 and click on Edit.
5.12) Change to the tab IPsec General Settings and set the IKEv2 authentication to EAP.
5.13) Change to the Identities tab and enter the user's Local Identity as well as the login data (user ID and password of the AD account).
The User ID must be specified in full, including the domain, for example DOMAIN\user or user@domain.example.
5.14) This concludes the configuration of the VPN connection in the Advanced VPN Client. Confirm the manually entered changes by clicking on OK.