...
This article describes how to set up a VPN connection from the Advanced VPN Client for Windows to a LANCOM router with two-factor authentication (IKEv2-EAP-OTP).
| Info | ||
|---|---|---|
The following authenticator apps have been tested for interoperability in the context of this article (as of october 2023). Apple iOS 16/17: | ||
| Authenticator app | App supports SHA-1 | App supports SHA-256 |
| Google Authenticator | Yes | Yes |
| Microsoft Authenticator | Yes | No |
| NCP Authenticator | Yes | Yes |
| Authenticator app | App supports SHA-1 | App supports SHA-256 |
| Google Authenticator | Yes | Yes |
| Microsoft Authenticator | Yes | No | NCP Authenticator | Yes | Yes
Requirements:
- LANCOM router with at least 25 VPN licenses (Central-Site gateway, 19xx series router or LANCOM router with the VPN 25 Option)
- Advanced VPN Client for Windows as of version 5.0
- LCOS as of version 10.70 REL (download latest version)
- LANtools as of version 10.70 REL (download latest version)
- Authenticator app for Android or iOS (e.g. Google Authenticator or Microsoft Authenticator)
...
| Info |
|---|
Repeat this step for each VPN user. |
| Hinweis |
|---|
The Secret must contain capital letters and numbers between 2 - 7 only (see RFC3548). Otherwise the configuration cannot be written back to the router via LANconfig! If the If the Google Authenticator is used, the Secret must have at least 16-digits, as otherwise the scan of the QR code will fail. |
4) Exporting the CA certificate from the LANCOM router and importing it into the Advanced VPN Client:
...
- Exchange Mode: From the drop-down menu, select IKEv2.
- PFS Group: From the drop-down menu, select DH14 (modp2048). DH16 (modp4096).
| Info |
|---|
LANCOM Systems recommends to use the PFS group DH16 (modp4096). For this purpose DH16 must also be active in the encryption profile DEFAULT on the router (VPN → IKEv2/IPSec → Encryption).
|
5.8) Authentication via EAP-OTP cannot be configured in the wizard, so this must be done manually at a later stage (see steps 5.12 - 5.13). Click Next without making changes.
...
5.13) Switch to the Identities tab and enter the user name of the RADIUS user as the Local Identity and also the OTP user name as the user ID for the EAP Authentication. You must also enter any password under EAP Authentication as the field may not be left empty.
| Hinweis | ||
|---|---|---|
| ||
5.13.1 If you are using LCOS firmware up to version 10.80, please leave the password field blank.
5. |
...
13.2 If you are using LCOS firmware version 10.90 or later, please enter the password that you have configured in step 3.5 in the Password field.
|
5.14
5.15) This concludes the configuration of the VPN connection in the Advanced VPN Client. Confirm the manually entered changes by clicking on on OK.
6) Add the VPN OTP user in the authenticator app:
...
6.3) Scan the QR code with an authenticator app. OTP codes are now generated and displayed in the app.
| Hinweis | ||
|---|---|---|
| ||
6.4.1) |
...
If you are using LCOS firmware up to version 10.80, you must now enter the password of the RADIUS user |
...
assigned in step 3.5 |
...
, directly followed by the one-time password (OTP) displayed in the Authenticator app when establishing the VPN connection.
6.4.2) If you are using LCOS firmware version 10.90 or later, the one-time password (OTP) displayed in the Authenticator app must be entered when establishing the VPN connection.
|
...
| Inhalt nach Stichwort | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
