Quelle anzeigen

Description:

This article describes how to use a LANCOM router to authenticate VPN clients at a Microsoft Active Directory domain using IKEv2-EAP.

Requirements:

LCOS as of version 10.40 Rel (download latest version)
LANtools as of version 10.40 Rel (download latest version)
LANCOM central-site gateway, router of the 19xx series, WLAN controller, or LANCOM router with an activated VPN 25 Option
Advanced VPN Client as of version 3.10
Windows server with an installed and functioning domain
Any web browser for accessing the router web interface

Scenario:

VPN clients should be able to use Active Directory to authenticate on a Windows server using a user name and password (MSCHAPv2).

Procedure:

1) Activate the CA and create the certificates on the router using Smart Certificate:

1.1) In LANconfig, open the configuration for the router, navigate to the menu Certificates → Certificate authority (CA) and set a checkmark next to Certificate authority (CA) active.

Then write the configuration back to the router.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 1.png

1.2) Open the web interface for the router and switch to the menu item Setup Wizards → Manage certificates.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 2.png

1.3) Click on Create new certificate.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 3.png

1.4) Adjust the following parameters, click on Enroll (PKCS # 12) and save the certificate:

Profile name: From the drop-down menu, select VPN.
Common name (CN): Enter a descriptive common name.
Validity period: Enter a validity period that is as long as possible (in this example 10 years).
Password: Enter a password used to encrypt the certificate.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 4.png

1.5) In the web interface, change to the menu Extras → Upload Certificate or File.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 5.png

1.6) Modify the following parameters and then click Start upload:

File Type: Select an unused VPN container from the drop-down menu (in this example the VPN container (VPN1)).
File Name/Location: Select the certificate created in step 1.4.
Passphrase: Enter the password set in step 1.4.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 6.png

2) Set up the IKEv2-EAP connection on the LANCOM router:

2.1) Open the configuration of the router in LANconfig, switch to the menu VPN → General and set the drop-down menu for Virtual Private Network to Activated.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 7.png

2.2) Switch to the menu VPN → IKEv2/IPsec → Authentication.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 8.png

2.3) Add a new Authentication profile.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 9.png

2.4) Enter the following parameters:

Name: Enter a descriptive name.
Local authentication: From the drop-down menu, select RSA signature.
Local identifier type: From the drop-down menu, select ASN.1 Distinguished-Name.
Local identifier: Enter the common name set in step 1.4.
Remote authentication: From the drop-down menu, select EAP.
Local certificate : From the drop-down menu, select the VPN container created in step 1.6.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 10.png

2.5) Switch to the menu VPN → IKEv2/IPsec → IPv4 addresses.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 11.png

2.6) Adjust the following parameters to create a new IPv4 address pool:

Name: Enter a descriptive name.
First address: Enter the first IP address from an address pool. An IP address from this pool will be assigned to the VPN client when it dials in.
Last address: Enter the last IP address from an address pool. An IP address from this pool will be assigned to the VPN client when it dials in.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 12.png

2.7) Switch to the menu VPN → IKEv2/IPsec → Extended settings.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 13.png

2.8) Go to the menu RADIUS server.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 14.png

2.9) Create a new entry and adjust the following parameters:

Name: Enter a descriptive name.
Server address: Enter the IP address or a DNS name where the Windows server can be reached.
Port: Check that the port is set to 1812.
Secret: Enter a password for the router to use for authenticating at the Windows server and for issuing RADIUS requests (see step 3.3).
Protocols: Check that the protocol is set to RADIUS.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 15.png

2.10) Navigate to the menu VPN → IKEv2/IPsec → Connection list.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 16.png

2.11) Edit the DEFAULT entry.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > ufw_1e.png

2.12) Enter the following parameters:

Name of connection: Keep the name DEFAULT.
Authentication: From the drop-down menu, select the authentication profile created in step 2.4.
Rule Creation: Set Rule creation to Manual.
IPv4 rules: From the drop-down menu, select the predefined object RAS-WITH-CONFIG-PAYLOAD.
IKE-CFG: From the drop-down menu, select Server.
IPv4 address pool: From the drop-down menu, select the IP address pool created in step 2.6.
RADIUS auth. server : From the drop-down menu, select the RADIUS object created in step 2.9.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > ufw_2e.png

2.13) This concludes the configuration of the VPN connection. Write the configuration back to the router.

3) Setting up network policy services on the Windows server:

3.1) Install the role Network Policy and Access Services on the Windows server.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 20.png

3.2) Change to the Network Policy Server created in step 3.1.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 21.png

3.3) Under NPS → RADIUS clients and servers, create a new RADIUS client and adjust the following parameters:

Make sure the checkmark is set for Enable this RADIUS client.
Friendly name: Enter a descriptive name.
Address (IP or DNS): Enter the IP address or DNS name of the router.
Shared secret: Enter the shared secret that you stored on the router in step 2.9.
Confirm shared secret: Repeat the shared secret.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 22.png

3.4) Under Policies, create a new network policy and give it a descriptive name.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 23.png

3.5) Change to the Conditions tab and click on Add.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 24.png

3.6) Click on Add groups to create a new user group.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 25.png

3.7) Select the user group that should be able to establish a VPN connection.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 26.png

3.8) Change to the Constraints tab and, under Authentication Methods, select the EAP type Microsoft: Secured password (EAP-MSCHAP v2).

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 27.png

3.9) Switch to the Settings tab. In the menu RADIUS Attributes → Standard, make sure that the attributes are set as Framed Protocol - PPP and Service Type - Framed.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 28.png

3.10) Import the certificate created in step 1.4 into the Windows certificate store.

A reference to the certificate in the Windows server is not necessary. This is found automatically after the import.

3.11) Right-click on NPS and click on the context-menu entry Start NPS service.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 29.png

3.12) Right click once again on NPS and click on the context-menu entry Register server in Active Directory.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 30.png

3.13) In the Windows firewall, create a rule that allows incoming data traffic on the UDP port 1812.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 31.png

3.14) Allow the connection and select where the firewall rule is used to allow access.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 33.png

3.15) Give the rule a meaningful name.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > 35.png

3.16) For user group set in step 3.7, add those AD user accounts that are to be authenticated using EAP.

3.17) This concludes the configuration of the network policy services on the Windows server.

4) Exporting the CA certificate from the LANCOM router and importing it into the Advanced VPN Client:

4.1) Connect to the web interface of the LANCOM router, switch to the menu Extras → Download current CA certificate and save the certificate.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > CA-Certificate-Download-WEBconfig.png

4.2) Copy the certificate to the computer that is to establish the VPN connection and save it to the directory C:\ProgramData\LANCOM\Advanced VPN Client\cacerts.

When using client version 6.21, the directory can also be C:\ProgramData\LANCOM\Trusted Access Client\cacerts. This depends on whether you have initially reinstalled version 6.21 or updated from an older version.

4.3) Start the Advanced VPN Client and navigate to the menu Connection → Certificates → Display CA certificates.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC1.png

4.4) Check whether the Advanced VPN Client recognized the certificate.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC2.png

5) Setting up an IKEv2-EAP connection with the Advanced VPN Client:

5.1) In the Advanced VPN Client, navigate to the menu Configuration → Profiles.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC3.png

5.2) Click on Add / import to create a new VPN connection.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC4.png

5.3) Select Link to corporate network using IPsec and click on Next.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC5.png

5.4) Enter a descriptive profile name.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC6.png

5.5) From the drop-down menu, select the Communication media to be used for establishing the VPN connection.

If you wish to establish the VPN connection with different connection media (e.g. LAN and WLAN), select automatic media detection.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC7.png

5.6) Under Gateway (tunnel endpoint) enter the public IP address or the DNS name of the router.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC8.png

5.7) Enter the following parameters:

Exchange mode: From the drop-down menu, select IKEv2.
PFS Group: From the drop-down menu, select DH14 (modp2048).

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC9.png

5.8) As authentication via EAP cannot be configured via the setup wizard, these steps have to be configured manually in the Advanced VPN Client profile (see steps 5.12 - 5.13). Therefore click Next without making changes.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC10.png

5.9) For the IP address assignment select the drop-down menu entry IKE Config Mode. This allows the Advanced VPN Client to obtain an IP address from the router when dialing in via VPN.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC11.png

5.10) Enter the target network to which the VPN connection is to be established. This means that only the data traffic destined for the target network is routed via the VPN tunnel.

Then click on Finish.

For more information on split tunneling, see this knowledge base article .

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC12.png

5.11) Mark the VPN profile created in steps 5.1 – 5.10 and click on Edit.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC13.png

5.12) Change to the tab IPsec General Settings and set the IKEv2 authentication to EAP.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC14.png

5.13) Change to the Identities tab and enter the user’s Local Identity as well as the login data.

The User ID must be specified in full, including the domain.

LANCOM Support Knowledge Base > Configuring a connection to Active Directory using IKEv2-EAP and a LANCOM router > AVC15.png

5.14) This concludes the configuration of the VPN connection in the Advanced VPN Client. Confirm the manually entered changes by clicking on OK.