
...

This article describes how to set up a VPN connection from the Advanced VPN Client for Windows to a LANCOM router with two-factor authentication (IKEv2-EAP-OTP).

The configuration with a LANCOM Advanced VPN Client for macOS is described in this knowledge base article.

Info

The following authenticator apps have been tested for interoperability in the context of this article (as of October 2023).

Android 13:

  Authenticator app          App supports SHA-1   App supports SHA-256
  Google Authenticator       Yes                  Yes
  Microsoft Authenticator    Yes                  No
  NCP Authenticator          Yes                  Yes

Apple iOS 16/17:

  Authenticator app          App supports SHA-1   App supports SHA-256
  Google Authenticator       Yes                  Yes
  Microsoft Authenticator    Yes                  No
  NCP Authenticator          Yes                  Yes


Requirements:

  • LANCOM router with at least 25 VPN licenses (Central-Site gateway, 19xx series router or LANCOM router with the VPN 25 Option)
  • Advanced VPN Client for Windows as of version 5.0
  • LCOS as of version 10.70 REL (download latest version)
  • LANtools as of version 10.70 REL (download latest version)
  • Authenticator app for Android or iOS (e.g. Google Authenticator or Microsoft Authenticator)

...

  • Username: From the drop-down menu, select the name of the user account created in step 3.5.
  • Hash algorithm: From the drop-down menu, select SHA-256. If your authenticator app does not support SHA-256, use SHA-1.
  • Time step: The interval after which a new OTP is generated. Leave the setting at the default value of 30 seconds.
  • Network delay: The number of time steps by which the clock of the end device running the authenticator app may deviate from the router's clock. The router then also accepts the OTPs of that many time steps before and after the current one. Leave this setting at the default value of 1 (i.e. OTPs are also accepted 30 seconds before and after).
  • Secret: Enter a 16-character secret. The secret is the Base32-encoded shared key, so it may only contain the Base32 alphabet of capital letters A to Z and digits 2 to 7 (see RFC 3548). It is shared with the authenticator app via the QR code in step 6. Note that 16 Base32 characters encode only 80 bits of key material; RFC 4226 requires at least 128 bits (26 characters) and recommends 160 bits (32 characters), so use a longer secret if the router and your authenticator app accept one.
  • Issuer: Enter a descriptive name for the issuer (in this example LANCOM-OTP).
  • Number digits: Leave the setting at the default value of 6 digits.
Info

Repeat this step for each VPN user.

Note

The hash algorithm SHA-256 is currently not supported by some older Android devices or by the Microsoft Authenticator. In this case use SHA-1. The Secret may contain only capital letters and digits 2 to 7 (see RFC 3548); otherwise the configuration cannot be written back to the router via LANconfig!

If Google Authenticator is used, the Secret must be at least 16 characters long, as otherwise scanning the QR code fails.
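The following Python script is an added worked example (it is not code from LANCOM, LCOS, LANconfig or the Advanced VPN Client) that implements the OTP parameters configured above: it validates the Secret against the Base32 alphabet and the 16-character minimum, computes the code the authenticator app displays with SHA-1 or SHA-256, 6 digits and a 30-second time step, performs the router-side check with the Network delay window of plus or minus N time steps, and builds an otpauth:// key URI of the kind authenticator apps read from a QR code. The example secret, the user name vpnuser1 and the assumption that the router's QR code carries exactly these URI fields are constructed for illustration; the exact QR encoding LCOS uses is not documented in this article.

```python
"""TOTP as configured on the LANCOM router (RFC 4226 / RFC 6238), with the
checks the article's OTP parameters imply. Added example, not LCOS code."""
import base64
import hashlib
import hmac
import re
import secrets
import struct
from urllib.parse import quote

# RFC 3548 / RFC 4648 Base32 alphabet: capital letters A-Z and digits 2-7 only.
BASE32_SECRET_RE = re.compile(r"[A-Z2-7]+")
DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def check_secret(secret: str, min_len: int = 16) -> None:
    """Reject secrets that LANconfig or Google Authenticator would not accept."""
    if not BASE32_SECRET_RE.fullmatch(secret):
        raise ValueError("Secret may only contain capital letters A-Z and digits 2-7")
    if len(secret) < min_len:
        raise ValueError(f"Secret must be at least {min_len} characters long")


def b32_encode(raw: bytes) -> str:
    """Base32 without '=' padding, i.e. the form typed into the Secret field."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def decode_secret(secret: str) -> bytes:
    """Validate the Secret field and decode it back into the raw HMAC key."""
    check_secret(secret)
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def generate_secret(nbytes: int = 20) -> str:
    """Random secret: 10 bytes give the 16-character minimum, 20 bytes the 160 bits RFC 4226 recommends."""
    return b32_encode(secrets.token_bytes(nbytes))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, unix_time: int, digits: int = 6, time_step: int = 30,
         algorithm: str = "SHA1") -> str:
    """The code the authenticator app displays at the given Unix time."""
    return hotp(decode_secret(secret), unix_time // time_step, digits, algorithm)


def verify_totp(secret: str, candidate: str, unix_time: int, network_delay: int = 1,
                digits: int = 6, time_step: int = 30, algorithm: str = "SHA1") -> bool:
    """Router-side check: the OTP of the current time step, or of any of the
    network_delay steps before and after it, is accepted. network_delay=1 with a
    30-second time step tolerates 30 seconds of clock skew in either direction."""
    key = decode_secret(secret)
    current = unix_time // time_step
    accepted = False
    # No early return and a constant-time comparison per step, so the timing
    # does not reveal which step (if any) matched.
    for step in range(max(0, current - network_delay), current + network_delay + 1):
        if hmac.compare_digest(hotp(key, step, digits, algorithm), candidate):
            accepted = True
    return accepted


def otpauth_uri(secret: str, user: str, issuer: str, digits: int = 6, time_step: int = 30,
                algorithm: str = "SHA1") -> str:
    """Key URI in the otpauth:// format understood by Google and Microsoft Authenticator.
    Assumption: the QR code shown by the router in step 6 carries these fields."""
    check_secret(secret)
    label = quote(issuer, safe="") + ":" + quote(user, safe="")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer, safe='')}"
            f"&algorithm={algorithm}&digits={digits}&period={time_step}")


if __name__ == "__main__":
    example_secret = "JBSWY3DPEHPK3PXP"  # constructed 16-character example, not a real credential
    now = 1_700_000_000                   # constructed timestamp
    print(otpauth_uri(example_secret, "vpnuser1", "LANCOM-OTP", algorithm="SHA256"))
    shown = totp(example_secret, now - 30, algorithm="SHA256")  # app clock 30 s behind the router
    print("app shows   :", shown)
    print("router check:", verify_totp(example_secret, shown, now, network_delay=1, algorithm="SHA256"))
```

The functions reproduce the RFC 6238 reference vectors, which is the quickest way to confirm that a router-side or client-side implementation agrees on counter encoding, truncation and digest; a Secret that fails check_secret is exactly the one that LANconfig refuses to write back to the router.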

Modifying the parameters for the OTP user account



4) Exporting the CA certificate from the LANCOM router and importing it into the Advanced VPN Client:

...

4.2) Copy the certificate to the computer that is to establish the VPN connection and save it to the directory C:\ProgramData\LANCOM\Advanced VPN Client\cacerts.

Info

When using Windows client version 6.21, the directory can also be C:\ProgramData\LANCOM\Trusted Access Client\cacerts. Which directory applies depends on whether version 6.21 was installed fresh or updated from an older version.

...

  • Exchange Mode: From the drop-down menu, select IKEv2.
  • PFS Group: From the drop-down menu, select DH16 (modp4096).
Info

LANCOM Systems recommends using the PFS group DH16 (modp4096). For this, DH16 must also be active in the encryption profile DEFAULT on the router (VPN → IKEv2/IPSec → Encryption), since the client and the router can only agree on a PFS group that both sides offer.

5.8) Authentication via EAP-OTP cannot be configured in the wizard, so this must be done manually later (see steps 5.12 and 5.13). Click Next without making changes.

...

5.13) Switch to the Identities tab and enter the user name of the RADIUS user as the Local Identity, and the OTP user name as the User ID under EAP Authentication. Whether a password must be entered under EAP Authentication depends on the LCOS version of the router (see the note below).

IMPORTANT NOTE

5.13.1) If you are using LCOS firmware up to version 10.80, leave the Password field blank.

Modifying the parameters for the VPN identity

5.13.2) If you are using LCOS firmware version 10.90 or later, enter the password that you configured in step 3.5 in the Password field.

5.14)

Configuration of the connection control in the expert mode menu

5.15) This concludes the configuration of the VPN connection in the Advanced VPN Client. Confirm the manually entered changes by clicking OK.


6) Add the VPN OTP user in the authenticator app:

...

6.3) Scan the QR code with an authenticator app. OTP codes are now generated and displayed in the app.

QR code of a selected EAP-OTP user

IMPORTANT NOTE

6.4.1) If you are using LCOS firmware up to version 10.80, you must enter the password of the RADIUS user assigned in step 3.5, directly followed by the one-time password (OTP) displayed in the authenticator app, when establishing the VPN connection.

Enter the password and OTP token to establish the VPN connection

6.4.2) If you are using LCOS firmware version 10.90 or later, enter the one-time password (OTP) displayed in the authenticator app when establishing the VPN connection; the RADIUS password is already stored in the profile (step 5.13.2).


...
