Configure VPN authentication using SoftPI RADIUS server
Setting SoftPI RADIUS server
Server SoftPI RADIUS (hereinafter RADIUS server) checks the users who connect to the access point (authentication), checks whether the right of the user to connect to the access point at the moment (authorization), and keeps a record of all user sessions (accounting is).
The first thing you need in the "Management Console RADIUS" server to configure the access server, as which will act as the VPN server. You must enter the IP address and shared secret. Shared secret - is the password used in the communication between the RADIUS server and the VPN server. Using this code eliminates the possibility of unauthorized VPN server. RADIUS-server will ignore all requests from the access server, if it is not known IP-address and shared secret server. Example of adding an access server is shown in Figure 1.
Figure 1
Next, enter the user settings that will have the right to connect to the VPN server. To add a user should use the "Console Settings RADIUS-server": "Users / Groups" → "Users". For the user, be sure to specify the user name and password. You can also specify a group of attributes, the permitted time of entry, and a number of other parameters. Box to add a user is shown in Figure 2.
After creating a user when necessary, ask him attributes. To send an authorized user attributes, you must parameter "Type" select "Send in the Access-Accept".
Figure 2
To set the IP address displayed to the user can be added to the user attribute Framed-IP-Address and as a value to specify the desired IP address (Figure 3).
Figure 3
To limit the time a user session by means of an access server (if there is such a possibility), you can use the attribute Session-Timeout (or other, which is supported by specific access server), which specifies the maximum session duration in seconds.
Similarly, you can create as many user logins.
In addition to manually create users, SoftPI Radius also supports data import from Active Directory or other directory that supports the protocol LDAP.
Access server (VPN server) can support, and other attributes that can be set to the user and / or group of users.
Configuring a Network Access Server (Network Access Server - NAS)
Depending on the setting of the VPN server may be different. To configure authentication and authorization using RADIUS protocol must specify:
- IP address of the authentication server RADIUS.
- Authentication port number (default - 1812).
- Shared secret, previously introduced in the RADIUS server. 4. If necessary, accounting services provided should specify the IP address of the billing server.
Setting up the client computer VPN (Example settings for Windows XP)
1. Create a new connection.
1.1 Open the "Network Connections" and select "Create a new connection".
1.2 Create a new connection to connect using VPN (Figures 4 - 7).
Figure 4
Figure 5
Figure 6
Figure 7
1.3 Enter the IP address of the VPN server (Figure 8).
Figure 8
2. Setting up a VPN connection.
2.1 Open the created connection, enter the user name and password, and then click "Properties" (Figure 9).
Figure 9
2.2 In the "Security" tab, select "Advanced" and click on "Options" (Figure 10).
Figure 10
2.3 In the "Advanced Security Settings", select the protocols) for authentication (Figure 11).
Figure 11
The most secure protocol of the presented - EAP. Additional settings for PEAP protocol are described below in the appropriate section. For use in a local area network protocol might be enough MS-CHAPv2. It is not recommended to use the protocols PAP / CHAP due to their weakly protected.
Settings for the EAP
If you select "Extensible Authentication Protocol (EAP)» becomes available protocol list from which to select a protocol PEAP. By pressing the "Properties" dialog is displayed "Advanced Security Settings" to specify settings for PEAP. In the dialog box, select the option RADIUS server certificate validation or disable certificate validation. If the option "Check for server certificate" on the client computer certificate store must be installed root certificate SoftPI RADIUS server. This certificate must be selected in the list of "Trusted Root Certification Authorities". Other options should be set, as shown in Figure 12.
Figure 12
Figure 13 shows the properties window authentication method EAP-MSCHAP v2.
Figure 13
Example settings for Windows Vista / Windows 7
Procedure for creating and configuring a connection via VPN channel for operating systems Windows Vista and Windows 7 similar instructions for Windows XP. The figure below shows the basic configuration steps for Windows 7. Open mode "Control Panel" Windows, allows you to create a VPN connection (Figures 14, 15).
Figure 14
Figure 15
Next, you need to open a connection wizard, as shown in Figure 16.
Figure 16
Select the type of connection "Connect to a workplace» (VPN) (Figure 17).
Figure 17
To create a new connection, select the connection type "Connecting to the network using a virtual private network (VPN)» (Figures 18 - 19).
Figure 18
Figure 19
Then choose the option "Put up your Internet connection" because attributes not yet installed (Figure 20).
Figure 20
Enter the address or domain name of the server VPN, and an arbitrary name for the new connection (Figure 21).
Figure 21
Enter your username and password (Figure 22).
Figure 22
Figure 23
After you create a connection should go to its properties and configure the security settings. Configuration is similar to Windows XP.