How to configure SSL VPN on Vigor 2925 using RADIUS authentication on Windows 2008 server
Posted by on 04 June 2015 04:12 PM
This document will show you how to configure the Vigor2925 router to allow a remote user to log into the network using SSL VPN with Radius authentication:
Configuration on Vigor 2925:
1). Login to the router using your web browser:
Default IP address: 192.168.1.1
Default user name: admin
Default password: admin
2). Go to Applications >> RADIUS/TACACS+.
Click on Enable
Enter RADIUS server IP and shared secret.
You need to use same Shared Secret value in Step 4 described below under “Radius configuration on Windows 2008 R2 server”
Click OK to save the settings.
3). Go to User management >> User Profile and click Index #3 to create a user profile.
Check the box of Enable this account and type a user name. Choose Radius as External Server Authentication and click OK to save the settings.
4). Go to SSL VPN >> General Setup >> Enter the port number to access SSL VPN. Default port is 443.
5). Go to SSL VPN >> SSL Application >> click on Index 1>> “Enable Application Service” >> Enter the application details:
Click OK to save the configuration.
6). SSL VPN >> User Group >> Click on Index 1 >> Check the Enable Box.
Enter the group name
Provide the access for required application (e.g. here access has been provided to RDP application 192.168.1.14 which we just created in step 6)
Check the Radius box to allow radius users to login to SSL VPN
Click Ok to save the configuration.
Radius configuration on Windows 2008 R2 server:
Login to Windows 2008 R2 server and Go to Server Manager
Create a user account and password by clicking Local Users and Groups>>Users. Here we will be using existing user “administrator”
Navigate to Radius Clients under Server Manager >> right click the mouse button to select New >> Enter the details like Friendly name, IP address of the Vigor 2925, Shared secret. This will be same as shared secret typed in router under step 2 of section 1
Click on Advanced tab >> Here we will use default values as shown below:
Configure Connection Request Policies under Service Manager.
If you have default policy “Use Windows authentication for all users” configured under connection request policies then you can skip this step. Else you need to configure connection request policy.
Right click Policies >> Connection Request Policies >> Add New
Enter policy name
Select the criteria under conditions tab. We will select user criteria under Network policy and will allow users to log in to all the time as described below:
Remaining values will be default under various tabs under settings as shown below:
Configure Network Policies under Service Manager
Right click Network Policies >> Add New
Enter policy name and other details as shown below:
Choose the condition. Here you can select the user group to whom you want to give access for SSL VPN
E.g. here we have given access to two user groups - vpn and administrators. Hence any user who is member of these groups will get access for SSL VPN
Select Authentication Method as Unencrypted
Remaining setting will be default as shown below:
Check SSL VPN authentication
Go to web browser of the laptop from which you want to access SSL VPN.
Enter address: https://<public IP>:<port number set for SSL VPN>
Now you can login to SSL VPN:
Click on Login button
Audit Success Logs on server (Event Viewer)
Logs captured through Wireshark