
BYOD security for Windows networks

Enhance BYOD security for your Windows network with the ability to restrict and limit Wi-Fi & VPN sessions, thanks to UserLock.

Published June 20, 2013

BYOD security is a concern for many IT departments. Because of this, UserLock includes a Wi-Fi and VPN session control feature that permits an organization to control their wireless networks and help secure BYOD environments.

With UserLock an organization can monitor, restrict and record every Wi-Fi and/or VPN session.

How to restrict Wi-Fi & VPN sessions with UserLock

The following post explains how UserLock enables you to manage Wi-Fi and VPN sessions.

Wi-Fi sessions are managed if configured with RADIUS Authentication and Accounting.

VPN sessions are managed if configured with RADIUS Authentication and Accounting, or if configured with a Microsoft RRAS Server.

Here are examples of such sessions (the four schemes referred to later in this post):

(Diagram, 1st scheme: Wi-Fi sessions with RADIUS Authentication and Accounting)

(Diagram, 2nd scheme: VPN sessions with RADIUS Authentication and Accounting)

(Diagram, 3rd scheme: VPN sessions with a Microsoft RRAS Server)

(Diagram, 4th scheme: Wi-Fi & VPN sessions with RADIUS Authentication and Accounting)

By restricting Wi-Fi & VPN sessions, you can better control user access of a network.

(Note that more advanced technical details about Wi-Fi, RADIUS, IAS and RRAS are available at the end of the document.)

Getting Started

Conventions

Note that for this article we use the following conventions:

  • “IAS” to talk about “NPS” (Windows Server 2008 and higher) or “IAS” (Windows Server 2003 and lower).

  • “IasSrv” is the name of the IAS server.

  • 192.168.1.2 is the IP of the IAS server.

  • 192.168.1.3 is the IP of the Wi-Fi Access Point.

  • “RrasSrv” is the name of the Microsoft RRAS server.

  • 192.168.1.4 is the IP of the Microsoft RRAS server.

Requirements

For Wi-Fi sessions

A Wi-Fi Access Point compatible with, and configured for, RADIUS Authentication and Accounting. The Cisco Aironet 1700 used in this article is one example of such a device.

For VPN sessions

A VPN server compatible and configured with RADIUS Authentication and Accounting, or a Microsoft RRAS Server.

Why RADIUS Accounting is important

When we read "configured with RADIUS", it is easy to configure only RADIUS Authentication and forget to configure RADIUS Accounting.

If RADIUS Accounting is not configured, UserLock will not receive logoff notifications, so its session data will be incomplete: sessions appear to stay open after the user has disconnected. (That is why we highlight RADIUS Accounting every time it appears in this post.)

How to install

  • Install the UserLock agent corresponding to your network:

For Wi-Fi sessions

Install the IAS UserLock agent on an IAS server authenticating a Wi-Fi Access Point (1st scheme).

For VPN sessions

Install the IAS UserLock agent on an IAS server authenticating a VPN server (2nd scheme).

Or install the RRAS UserLock agent on a RRAS server (3rd scheme).


  • Configure UserLock protected accounts with Wi-Fi & VPN restrictions.

How to use

In this example, you will see how to configure protected accounts so that every user is allowed only one Wi-Fi & VPN session at a time. It is based on the 4th scheme:

Add RADIUS clients to the RADIUS Server

On the IAS server, run the IAS console, and configure the Wi-Fi Access Point and the Microsoft RRAS server as RADIUS clients:

(Screenshot: RADIUS clients added to the RADIUS server)

Configure the Wi-Fi Access Point with the RADIUS Authentication and Accounting specifying the IAS server

Open the web Administration console of the Wi-Fi Access Point (here, Cisco Aironet 1700)

Go to “SECURITY”/”SSID Manager”:

(Screenshot: SECURITY / SSID Manager)

On “Client Authentication Settings” / “Server Priorities”, click on “Define Defaults”:

(Screenshot: Client Authentication Settings)

Then configure the RADIUS server with your IAS server's parameters (address, authentication port, accounting port and shared secret) and click on "Apply". You can configure multiple servers and then set the priority between them:

(Screenshot: Configure RADIUS server)

Configure your VPN server with the RADIUS Authentication and Accounting specifying the same IAS server

On the VPN server (here a Microsoft RRAS server), open RRAS then configure it with the RADIUS Authentication and Accounting specifying the same IAS server:

(Screenshots: Configure VPN server; Change Secret; Add RADIUS server; RADIUS authentication)

Install the IAS UserLock agent on that IAS server

(Screenshot: IAS UserLock agent installation on the IAS server)

Complete the installation by restarting the relevant Windows services

On the IAS server, run CMD (or PowerShell) as administrator and run the following commands. Caution: this will disconnect all Wi-Fi and VPN connections that are active at that moment:

  • net stop remoteaccess

  • net stop ias

  • net start ias

  • net start remoteaccess

In the UserLock Console, check that the status of the IAS agent is "Installed":

(Screenshot: IAS agent installed)

Allow at most 1 Wi-Fi & VPN session in UserLock for all users

Add the "Everyone" protected account so that the new rule applies to all users:

(Screenshots: Protected accounts; Add group protected account; Add to protected account)

Allow 1 Wi-Fi & VPN session:

(Screenshot: Allow Wi-Fi and VPN session)

Test restrictions

Make a VPN connection with one account (in this example, the account "Alice"). The connection is successful, and you can see the session in the UserLock console.

Now try a Wi-Fi connection with "Alice". It will be denied, because "Alice" already has one open Wi-Fi & VPN session.

If you then close the VPN connection opened by "Alice" and try a Wi-Fi connection with "Alice" again, it will now be allowed.

Create other restrictions in UserLock

Other restrictions are also possible for Wi-Fi & VPN sessions, for example working hours and time quotas.

Advanced Notes

  • RADIUS (Remote Authentication Dial-In User Service) is a protocol for authentication and accounting.

  • RADIUS Authentication and RADIUS Accounting are two different things, and both are required for compatibility with UserLock. Usually, RADIUS Authentication is on UDP port 1812 or 1645, and RADIUS Accounting is on UDP port 1813 or 1646.

  • IAS is the Microsoft implementation of RADIUS in Windows Server 2003. NPS is the same but from Windows Server 2008.

  • Wi-Fi is a standard for wireless communications. It is possible to configure RADIUS for Wi-Fi depending on access points. RADIUS Authentication and Accounting are required for UserLock to manage Wi-Fi sessions.

  • RRAS is a Microsoft technology to manage VPN sessions. An RRAS server can be configured with Windows Authentication or RADIUS Authentication.

  • Currently, it is not possible to log off Wi-Fi & VPN sessions through UserLock; that is only possible for Interactive (desktop) sessions.
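As an added example that is not part of the original post and not UserLock's own code, the following Python code parses RADIUS Accounting-Request packets and applies the "at most 1 Wi-Fi & VPN session" rule walked through in the "Test restrictions" section above. It assumes the NAS addresses from the Conventions section (192.168.1.3 for the access point, 192.168.1.4 for the RRAS server), builds its sample packets inline with a zeroed authenticator and no shared-secret check, and shows why a missing Accounting Stop record leaves a session open forever.

```python
import struct

ACCOUNTING_REQUEST = 4                                   # RADIUS Code for Accounting-Request
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 4, 40   # standard RADIUS attribute types
ACCT_START, ACCT_STOP = 1, 2                             # Acct-Status-Type values
WIFI_AP, RRAS_SRV = "192.168.1.3", "192.168.1.4"         # NAS addresses from the article's conventions

def build_acct_request(user, nas_ip, status, ident=1):
    """Construct a sample Accounting-Request (authenticator zeroed; no shared secret applied)."""
    attrs = b"".join([
        bytes([USER_NAME, 2 + len(user)]) + user.encode(),
        bytes([NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split(".")),
        bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status),
    ])
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_acct_request(pkt):
    """Return {'user', 'nas_ip', 'status'} from an Accounting-Request, or None if not one / malformed."""
    if len(pkt) < 20: return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt): return None
    out, pos = {}, 20                                     # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length: return None   # malformed attribute length
        val = pkt[pos + 2:pos + alen]
        if atype == USER_NAME: out["user"] = val.decode(errors="replace")
        elif atype == NAS_IP_ADDRESS and alen == 6: out["nas_ip"] = ".".join(str(b) for b in val)
        elif atype == ACCT_STATUS_TYPE and alen == 6: out["status"] = struct.unpack("!I", val)[0]
        pos += alen
    return out if {"user", "nas_ip", "status"} <= out.keys() else None

class SessionLimiter:
    """Counts open Wi-Fi/VPN sessions per user from Accounting Start/Stop records (hypothetical helper)."""
    def __init__(self, max_sessions=1):
        self.max_sessions, self.open = max_sessions, {}   # user -> set of NAS IPs with an open session

    def would_allow(self, user):
        """Decision at authentication time: deny once the user has max_sessions open."""
        return len(self.open.get(user, set())) < self.max_sessions

    def on_accounting(self, pkt):
        """Update state from an accounting packet; returns False if the packet was not usable."""
        rec = parse_acct_request(pkt)
        if rec is None: return False
        nas = self.open.setdefault(rec["user"], set())
        if rec["status"] == ACCT_START: nas.add(rec["nas_ip"])
        elif rec["status"] == ACCT_STOP: nas.discard(rec["nas_ip"])   # without Stop, the session never closes
        return True
```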
