BYOD security for Windows networks
Enhance BYOD security for your Windows network with the ability to restrict and limit Wi-Fi & VPN sessions, thanks to UserLock.
Published June 20, 2013

BYOD security is a concern for many IT departments. Because of this, UserLock includes a Wi-Fi and VPN session control feature that permits an organization to control their wireless networks and help secure BYOD environments.
With UserLock an organization can monitor, restrict and record every Wi-Fi and/or VPN session.
The following post explains how UserLock enables you to manage Wi-Fi and VPN sessions.
Wi-Fi sessions are managed if the access point is configured with RADIUS Authentication and Accounting.
VPN sessions are managed if the VPN server is configured with RADIUS Authentication and Accounting, or if it is a Microsoft RRAS Server.
Here are examples of such sessions:
By restricting Wi-Fi & VPN sessions, you can better control user access to the network.
(More advanced technical details about Wi-Fi, RADIUS, IAS and RRAS are given at the end of this document.)
Note that for this article we use the following conventions:
“IAS” refers to either “NPS” (Windows Server 2008 and higher) or “IAS” (Windows Server 2003 and lower).
“IasSrv” is the name of the IAS server.
192.168.1.2 is the IP of the IAS server.
192.168.1.3 is the IP of the Wi-Fi Access Point.
“RrasSrv” is the name of the Microsoft RRAS server.
192.168.1.4 is the IP of the Microsoft RRAS server.
This setup requires the following equipment:
A Wi-Fi Access Point that is compatible with, and configured for, RADIUS Authentication and Accounting. An example of such a device is the Cisco Aironet 1700, which is used in this article.
A VPN server that is compatible with, and configured for, RADIUS Authentication and Accounting, or a Microsoft RRAS Server.
When reading “configured with RADIUS,” it is easy to configure only RADIUS Authentication and forget to configure RADIUS Accounting.
If RADIUS Accounting is not configured, UserLock will not receive logoff notifications, so its session data will be incomplete. (That is why every instance of RADIUS Accounting is highlighted in this article.)
Install the UserLock agent corresponding to your network:
Install the IAS UserLock agent on an IAS server authenticating a Wi-Fi Access Point (1st scheme).
Install the IAS UserLock agent on an IAS server authenticating a VPN server (2nd scheme).
Or install the RRAS UserLock agent on a RRAS server (3rd scheme).
Configure UserLock protected accounts with Wi-Fi & VPN restrictions.
In this example, you will see how to configure protected accounts so that all users are allowed a single concurrent Wi-Fi or VPN session. It is based on the 4th scheme:
On the IAS server, run the IAS console, and configure the Wi-Fi Access Point and the Microsoft RRAS server as RADIUS clients:
Configure the Wi-Fi Access Point with RADIUS Authentication and Accounting, specifying the IAS server
Open the web Administration console of the Wi-Fi Access Point (here, Cisco Aironet 1700)
Go to “SECURITY”/”SSID Manager”:
On “Client Authentication Settings” / “Server Priorities”, click on “Define Defaults”:
Then configure the RADIUS server with your server’s parameters and click on “Apply”. (You can configure multiple servers and then set the priority between them):
Configure your VPN server with RADIUS Authentication and Accounting, specifying the same IAS server
On the VPN server (here a Microsoft RRAS server), open RRAS and configure it with RADIUS Authentication and Accounting, specifying the same IAS server:
Install the IAS UserLock agent on that IAS server
Complete the installation by restarting the Windows services concerned
On the IAS server, run CMD (or PowerShell) as administrator and run the following commands (caution: this will disconnect all Wi-Fi connections active at that moment):
net stop remoteaccess
net stop ias
net start ias
net start remoteaccess
In the UserLock Console, check that the status of the IAS agent is “Installed”
Add the “Everyone” protected account to make all users concerned by the new rule:
Allow 1 Wi-Fi & VPN session:
Make a VPN connection with one account (in this example the account "Alice"). The connection is successful. You can see the session in the UserLock console.
Now try a Wi-Fi connection with "Alice". It will be denied.
If you then close the VPN connection opened by "Alice," and then try a Wi-Fi connection with "Alice," it will now be allowed.
Other restrictions are also possible for Wi-Fi & VPN sessions: For example, defining working hours, time quotas…
RADIUS (Remote Authentication Dial-In User Service) is a protocol for authentication and accounting.
RADIUS Authentication and RADIUS Accounting are two different things, and both must be configured for UserLock to manage sessions. Usually, RADIUS Authentication is on port 1812 or 1645, and RADIUS Accounting is on port 1813 or 1646.
IAS is the Microsoft implementation of RADIUS in Windows Server 2003. NPS is the same service as shipped from Windows Server 2008 onward.
Wi-Fi is a standard for wireless communications. Whether RADIUS can be configured for Wi-Fi depends on the access point. RADIUS Authentication and Accounting are required for UserLock to manage Wi-Fi sessions.
RRAS is a Microsoft technology to manage VPN sessions. A RRAS server can be configured with Windows Authentication or RADIUS Authentication.
Currently, it is not possible to log off Wi-Fi & VPN sessions through UserLock; that is only possible for Interactive (desktop) sessions.
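The following Python script is an added example, not part of the original post and not UserLock's code. It shows the mechanics the post relies on: RADIUS Accounting-Request packets (code 4, the ones sent to port 1813) are built and verified with the RFC 2866 Request Authenticator over the shared secret, the Acct-Status-Type Start and Stop records are used to keep a per-user table of open sessions, and a limit of one concurrent session is checked against that table. The walkthrough replays the "Alice" scenario above: while the VPN session is open, a Wi-Fi attempt exceeds the limit; after the VPN Accounting Stop record arrives, the Wi-Fi attempt is allowed. It also makes the accounting caveat concrete: if Accounting is not configured, the Stop record never arrives and the count never drops. The names (SessionTracker, build_accounting_request), the shared secret, the session ids and the NAS-Port-Type-to-label mapping are assumptions; the IP addresses are the post's own conventions.

```python
import hashlib
import struct

# RADIUS packet code and attribute numbers from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_ACCT_STATUS = 1, 4, 40
ATTR_ACCT_SESSION_ID, ATTR_NAS_PORT_TYPE = 44, 61
ACCT_START, ACCT_STOP = 1, 2
# NAS-Port-Type values: 19 = Wireless-802.11, 5 = Virtual (typical for VPN).
# Mapping them to labels is an assumption for this example.
PORT_TYPE_NAMES = {19: "Wi-Fi", 5: "VPN"}

SHARED_SECRET = b"example-secret"  # constructed for this example, not a real value


def _attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1, incl. header) Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, len(value) + 2]) + value


def build_accounting_request(identifier, user, nas_ip, status, session_id,
                             port_type, secret=SHARED_SECRET):
    """Build an Accounting-Request as a NAS (access point or VPN server) would."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_ACCT_STATUS, status)
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + _attr(ATTR_NAS_PORT_TYPE, port_type))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def authenticator_valid(packet, secret=SHARED_SECRET):
    """True if the Request Authenticator matches this shared secret (RFC 2866)."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == authenticator


def parse_accounting_request(packet, secret=SHARED_SECRET):
    """Verify the packet and return its attributes as {attribute number: value}."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not authenticator_valid(packet, secret):
        raise ValueError("bad Request Authenticator: wrong shared secret or tampered packet")
    out, attrs, pos = {}, packet[20:], 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        if atype in (ATTR_ACCT_STATUS, ATTR_NAS_PORT_TYPE):
            value = struct.unpack("!I", value)[0]
        elif atype == ATTR_NAS_IP:
            value = ".".join(str(b) for b in value)
        else:
            value = value.decode()
        out[atype] = value
        pos += alen
    return out


class SessionTracker:
    """Open Wi-Fi/VPN sessions per user, maintained from accounting Start/Stop records.

    Sessions are keyed by (NAS IP, Acct-Session-Id) because session ids are only
    unique per NAS. A session that never receives a Stop record stays counted,
    which is exactly what happens when RADIUS Accounting is not configured.
    """

    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self.open = {}  # (nas_ip, session_id) -> (user, "Wi-Fi" | "VPN" | "other")

    def handle(self, packet):
        """Apply one accounting record; return the user's open-session count."""
        a = parse_accounting_request(packet)
        user, key = a[ATTR_USER_NAME], (a[ATTR_NAS_IP], a[ATTR_ACCT_SESSION_ID])
        kind = PORT_TYPE_NAMES.get(a.get(ATTR_NAS_PORT_TYPE), "other")
        if a[ATTR_ACCT_STATUS] == ACCT_START:
            self.open[key] = (user, kind)
        elif a[ATTR_ACCT_STATUS] == ACCT_STOP:
            self.open.pop(key, None)  # Interim-Update and others leave the table as is
        return self.count(user)

    def count(self, user):
        return sum(1 for u, _ in self.open.values() if u == user)

    def would_allow(self, user):
        """Policy check: may this user open one more Wi-Fi or VPN session?"""
        return self.count(user) < self.max_sessions


def walkthrough():
    """Replay the post's scenario with a limit of one session per user."""
    tracker = SessionTracker(max_sessions=1)
    results = []
    # 1. Alice connects via the RRAS VPN server (192.168.1.4 in the post's conventions).
    tracker.handle(build_accounting_request(1, "Alice", "192.168.1.4", ACCT_START, "vpn-0001", 5))
    results.append(("wifi after vpn start", tracker.would_allow("Alice")))   # denied
    # 2. Alice closes the VPN; the RRAS server sends Accounting Stop.
    tracker.handle(build_accounting_request(2, "Alice", "192.168.1.4", ACCT_STOP, "vpn-0001", 5))
    results.append(("wifi after vpn stop", tracker.would_allow("Alice")))    # allowed
    return results


if __name__ == "__main__":
    for label, allowed in walkthrough():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The packets here are built in memory; a real NAS sends them over UDP to port 1813 and expects an Accounting-Response, which this example does not emit. The Request Authenticator check matters in practice: an accounting record with a wrong shared secret must be dropped, otherwise a forged Stop record could silently free a session slot.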