The following example gives a step-by-step guide on how to restrict users' access to Wi-Fi
sessions with UserLock, using RADIUS Authentication and RADIUS Accounting. You will also find
instructions on how to configure a Cisco Aironet 1700 Wi-Fi Access Point with a preconfigured NPS
server.
Overview Diagram
Getting Started
Conventions
"NPS" refers to "Network Policy Server" (available in Windows Server 2008 and later editions)
and "IAS" to "Internet Authentication Service" (available in Windows Server 2003 and
earlier editions).
A Wi-Fi Access Point compatible with and configured for RADIUS Authentication and RADIUS
Accounting is required. An example of such a device is the Cisco Aironet 1700, which is used in this
document.
If RADIUS Accounting is not configured, UserLock will not receive logoff notifications, so its session data
will be incomplete. That is why all instances of RADIUS Accounting are in bold.
Notes
RADIUS (Remote Authentication Dial-In User Service) is a protocol for authentication and accounting.
RADIUS Authentication and RADIUS Accounting are two different things, and both are needed for
compatibility with UserLock. Usually, RADIUS Authentication is on port 1812 or 1645, and RADIUS
Accounting is on port 1813 or 1646.
NPS is the Microsoft implementation of RADIUS, starting from Windows Server 2008. It is the successor of IAS,
used in editions up to Windows Server 2003.
Wi-Fi is a standard for wireless communications. Whether RADIUS can be configured for Wi-Fi depends
on the access point. RADIUS Authentication and Accounting are both required for UserLock to manage Wi-Fi
sessions.
Currently, it is not possible to log off Wi-Fi (and VPN) sessions with UserLock. It is only possible with
Interactive (desktop) and IIS sessions.
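To make the note about RADIUS Accounting concrete, here is an added Python illustration (not code from the original guide, from UserLock or from Cisco) of the Accounting-Request exchange between an access point and NPS: it builds a packet with the RFC 2866 Request Authenticator, verifies it with the shared secret on the receiving side, and tracks sessions from Start/Stop records, which shows why a missing Stop record leaves a session open indefinitely. The shared secret, user name and session id passed in by the caller are constructed placeholders.

```python
# Example code added to this guide; not UserLock's or Cisco's implementation.
import hashlib
import struct

ACCOUNTING_REQUEST = 4                  # RADIUS packet code, RFC 2866
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 1, 40, 44
STATUS_START, STATUS_STOP = 1, 2        # Acct-Status-Type: session opened / closed

def build_acct_request(ident, secret, username, status, session_id):
    """Build an Accounting-Request as an access point would send it to NPS."""
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username.encode()),
                         (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
                         (ATTR_ACCT_SESSION_ID, session_id.encode())):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value   # TLV
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def parse_acct_request(packet, secret):
    """Check the authenticator with the shared secret; return (user, status, session_id)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    fields, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        fields[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    return (fields[ATTR_USER_NAME].decode(),
            struct.unpack("!I", fields[ATTR_ACCT_STATUS_TYPE])[0],
            fields[ATTR_ACCT_SESSION_ID].decode())

def track_sessions(packets, secret):
    """Open a session on Start, close it on Stop; return the sessions still open."""
    open_sessions = {}
    for pkt in packets:
        user, status, sid = parse_acct_request(pkt, secret)
        if status == STATUS_START:
            open_sessions[sid] = user
        elif status == STATUS_STOP:
            open_sessions.pop(sid, None)     # without Stop records this never runs
    return open_sessions
```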
2. Go to "SERVICES"/"VLAN".
3. To configure the VLAN ID, select the "Native VLAN", "Radio0-802.11N2.4GHZ" and "Radio0-802.11N5GHZ" options.
Click on "Apply".
Configure the NPS server
In some cases (for example, just after adding the NPS role to the server), it is necessary to reset the NPS
configuration to the default one. To do that, delete the two configuration files:
o Del C:\Windows\System32\ias\ias.xml
o Del C:\Windows\System32\ias\iasTemplates.xml
3. To enable the RADIUS client, type a name for this RADIUS client, enter the IP address of the
Access Point and finally type a shared secret or let NPS generate one.
Click on OK to validate.
4. Select the RADIUS server and click on "Configure 802.1X".
5. Select "Secure Wireless Connections", type a new name or leave the default connection name and
click on Next.
6. Leave the default settings and click on Next.
7. Select "Microsoft Protected EAP (PEAP)" in the dropdown list.
Click on "Configure...".
1. Go to "SECURITY"/"SSID Manager".
2. Type an SSID name, select VLAN 1, and check the boxes for both radio interfaces.
3. Under "Client Authentication Settings", select "Open Authentication" with EAP:
4. Under "Accounting Settings", select "Enable Accounting". Under "Accounting Server Priorities",
select your RADIUS server(s):
5. Under "Multiple BSSID Beacon Settings", select the "Set SSID as Guest Mode" option:
Click on "Apply".
6. Under "Guest Mode/Infrastructure SSID Settings", select "Single BSSID" and select the previously
configured SSID:
Click on "Apply".
1. Open "SECURITY"/"Encryption Manager". Under "Encryption Modes", select "Cipher" and "WEP 128
bit", then click on "Apply":
2. Go to "SECURITY"/"SSID Manager". Select the previously configured SSID from the list and, under "Client
Authenticated Key Management", set "Key Management" to "Mandatory" and select
"Enable WPA", choosing "WPAv2":
3. If you want to protect Wi-Fi sessions on laptop computers, configure these computers with
user Wi-Fi authentication as follows:
In the properties of the Wi-Fi network adapter of all laptops to protect (you can use a GPO to
change them all at once), choose the authentication mode "User". Note that if you choose
"Computer", UserLock will not protect Wi-Fi sessions, because they will be opened as sessions of
the computer, not of the user.
Connect to Wi-Fi
1. Check the Wi-Fi connections in the interface of the Wi-Fi Access Point:
1. From the UserLock console, deploy the NPS agent on the NPS server:
2. On the NPS server, run CMD (or PowerShell) as administrator and run the following
commands (caution: this will disconnect all Wi-Fi connections active at that moment):
3. From the UserLock console, check that the status of the NPS agent is "Installed".
4. Create a protected account called "Everyone" to apply this new rule to all users.
5. Configure the "Everyone" protected account to restrict each user to 1 Wi-Fi session:
Allow 1 Wi-Fi / VPN session
1. Make a Wi-Fi connection with one account (in this example the account "Alice"). The connection
is successful. You can see the session in the UserLock console.
2. Now try opening a second Wi-Fi connection with Alice; it will be denied.
Other restrictions are also possible for Wi-Fi sessions, for example by defining working hours or time
quotas.
To learn more about all the rules allowing you to define network access conditions, please see the
"Protected accounts" help section.