Description:
To protect an Advanced VPN Client connection against unauthorized use (e.g. if the end device is stolen), it makes sense to protect it with a password that must be entered before the VPN connection can be established. Until now only a static password could be used. If an attacker learns this password, access via the Advanced VPN Client is possible again.
It is therefore worthwhile to use time-limited one-time passwords as an additional factor. For a LANCOM router and the Advanced VPN Client this can be implemented with EAP-OTP (Extensible Authentication Protocol – One-Time Password). To this end, an OTP user is created on the router and linked to an authenticator app via a shared secret. The router and the authenticator app each periodically derive a one-time password (OTP) from this secret and the current time. When the user enters the OTP shown in the app, the router compares it with the value it has computed itself. If the two match, the VPN connection is established.
This article describes how to set up a VPN connection from the Advanced VPN Client for macOS to a LANCOM router with two-factor authentication (IKEv2-EAP-OTP).
The configuration with a LANCOM Advanced VPN Client for Windows is described in this knowledge base article.
Requirements:
All involved devices (LANCOM router, computer with the Advanced VPN Client and smartphone with the authenticator app) must have correct, synchronized time settings, because the one-time password is derived from the current time. Information on configuring time synchronization on a LANCOM router can be found in this article.
Scenario:
To establish an Advanced VPN Client connection to a router, a one-time password (OTP) is generated and displayed in an authenticator app; this OTP must be entered when starting the VPN connection.
Procedure:
1) Activate the CA and create the certificates on the router using Smart Certificate:
1.1) In LANconfig, open the configuration for the router, navigate to the menu Certificates → Cert. authority (CA) and set a checkmark next to Certificate authority (CA) active.
Then write the configuration back to the router.
1.2) Open the web interface of the router and switch to the menu item Setup Wizards → Manage certificates.
1.3) Click on Create new certificate.
1.4) Adjust the following parameters, click on Enroll (PKCS#12) and save the certificate:
1.5) In the web interface, change to the menu Extras → File management → Upload Certificate or File.
1.6) Modify the following parameters and then click Start upload:
2) Set up the IKEv2-EAP connection on the LANCOM router:
2.1) Open the configuration of the router in LANconfig, switch to the menu VPN → General and set the drop-down menu for Virtual Private Network to Activated.
2.2) Switch to the menu VPN → IKEv2/IPsec → Authentication.
2.3) Add a new Authentication profile.
2.4) Enter the following parameters:
2.5) Switch to the menu VPN → IKEv2/IPsec → IPv4 addresses.
2.6) Adjust the following parameters to create a new IPv4 address pool:
2.7) Switch to the menu VPN → IKEv2/IPsec → Extended settings.
2.8) Go to the menu RADIUS server.
2.9) Create a new entry and adjust the following parameters:
2.10) Navigate to the menu VPN → IKEv2/IPsec → Connection list.
2.11) Edit the existing DEFAULT entry.
2.12) Enter the following parameters:
After this change, existing VPN connections that use a preshared key continue to work as before.
2.13) This concludes the configuration of the VPN connection.
3) Configuring the RADIUS and OTP settings on the router:
3.1) Go to the menu RADIUS → Server and enable the option RADIUS authentication active.
Make sure that port 1812 is entered as the Authentication port in the menu RADIUS services ports (this is the default setting).
3.2) Go to the menu RADIUS → Server → EAP.
3.3) In the drop-down menu Default method select the option OTP.
3.4) Go to the menu RADIUS → Server → User table.
3.5) Create a new entry and adjust the following parameters:
Repeat this step for each VPN user. Optionally, you can assign a fixed IP address to a VPN client by adding the attribute Framed-IP-Address in the Attribute values field, using the syntax Framed-IP-Address=<IP address> (e.g. Framed-IP-Address=192.168.1.10). The IP address must lie within the dial-in address pool created in step 2.6. A fixed IP address makes it possible to grant individual rights to a user via the firewall.
3.6) Go to the menu RADIUS → Server → OTP user accounts.
3.7) Create a new OTP user account and modify the following parameters:
Hash algorithm: From the drop-down menu, select the option SHA1.
Repeat this step for each VPN user.
The Secret may contain only the capital letters A–Z and the digits 2–7 (the Base32 alphabet, see RFC 3548). Otherwise the configuration cannot be written back to the router via LANconfig. If Google Authenticator is used, the Secret must be at least 16 characters long, as otherwise scanning the QR code fails.
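The following Python script is an added worked example, not code from LANCOM or NCP, that models the scheme described in the Description and the Secret constraints in the note above: it checks that a secret uses only the Base32 alphabet (A–Z, 2–7) and is at least 16 characters long, decodes it into the HMAC key, computes the time-based one-time password with HMAC-SHA1 (the hash algorithm selected in step 3.7), and verifies an entered code the way a router would. The 6-digit/30-second parameters, the ±1-step tolerance window and the otpauth URI fields are assumptions taken from the common TOTP defaults (RFC 6238 and the Key URI format read by Google Authenticator), not documented LCOS settings; the 20-byte demo key is the RFC 6238 reference key, and the user and issuer names are constructed.

```python
"""Model of the EAP-OTP (TOTP) scheme used in this article.
Added example, not LCOS or NCP code. Parameters (6 digits, 30 s step,
+/-1 step tolerance, otpauth URI fields) are assumed TOTP defaults."""
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import Optional

# Base32 alphabet (RFC 3548/4648): capital letters A-Z and digits 2-7 only.
# This is the constraint LANconfig enforces on the Secret field.
BASE32_RE = re.compile(r"^[A-Z2-7]+$")
# Google Authenticator refuses QR codes whose secret is shorter than this.
MIN_SECRET_LEN = 16


def check_secret(secret: str) -> None:
    """Raise ValueError if the secret would be rejected by LANconfig or the app."""
    if not BASE32_RE.match(secret):
        raise ValueError("Secret may contain only A-Z and 2-7 (Base32 alphabet)")
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(f"Secret must be at least {MIN_SECRET_LEN} characters")


def decode_secret(secret: str) -> bytes:
    """Turn the Base32 secret into the raw HMAC key (re-adding '=' padding)."""
    check_secret(secret)
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(key, counter), dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, now: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238: the code the authenticator app shows for the current time step."""
    if now is None:
        now = int(time.time())
    return hotp(decode_secret(secret), now // step)


def verify(secret: str, entered: str, now: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Router-side check: accept the code of the current step or of the
    `window` neighbouring steps (assumed tolerance for small clock skew).
    compare_digest keeps the comparison constant-time."""
    if now is None:
        now = int(time.time())
    key = decode_secret(secret)
    base = now // step
    return any(hmac.compare_digest(hotp(key, base + d), entered)
               for d in range(-window, window + 1))


def otpauth_uri(user: str, secret: str, issuer: str = "LANCOM") -> str:
    """Key URI an authenticator app expects in a QR code (assumed format of
    the code shown under Extras -> EAP-OTP users; issuer name is constructed)."""
    check_secret(secret)
    return (f"otpauth://totp/{issuer}:{user}?secret={secret}&issuer={issuer}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 reference key, Base32-encoded.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("QR code content:", otpauth_uri("vpnuser", demo_secret))
    code = totp(demo_secret)
    print("Current OTP:", code, "-> accepted:", verify(demo_secret, code))
    # A code from five steps ago falls outside the tolerance window.
    old = totp(demo_secret, now=int(time.time()) - 5 * 30)
    print("Old OTP:", old, "-> accepted:", verify(demo_secret, old))
```

Running the script prints the current code for the demo secret; it changes every 30 seconds, which is why the requirement that router, computer and smartphone have correct time is not optional: a clock that is off by more than the tolerance window makes every code fail, and a wider window than necessary gives an attacker who observes a code correspondingly more time to replay it.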
4) Exporting the CA certificate from the LANCOM router and importing it into the Advanced VPN Client:
4.1) Connect to the web interface of the LANCOM router, switch to the menu Extras → Download current CA certificate and save the certificate.
4.2) Copy the certificate to the computer that is to establish the VPN connection and save it to the directory /Library/Application Support/NCP/Secure Client/cacerts.
4.3) Start the Advanced VPN Client and navigate to the menu Connection → View Certificates.
4.4) Check whether the Advanced VPN Client recognized the certificate.
5) Setting up an IKEv2-EAP-OTP connection with the Advanced VPN Client:
5.1) In the Advanced VPN Client, navigate to the menu Configuration → Profiles.
5.2) Click on the + button to create a new VPN connection.
5.3) Enter a descriptive Profile Name.
5.4) Under Gateway (Tunnel Endpoint) enter the public IP address or the DNS name of the router.
5.5) Enter the following parameters:
LANCOM Systems recommends using the PFS group DH16 (modp4096). For this, DH16 must also be enabled in the encryption profile DEFAULT on the router (VPN → IKEv2/IPSec → Encryption).
5.6) Authentication via EAP-OTP cannot be configured in the wizard, so it is set up manually afterwards (steps 5.11 and 5.12). Click Next without making changes.
5.7) For the IP address assignment select the drop-down menu entry IKE Config Mode. This allows the Advanced VPN Client to obtain an IP address from the router when dialing in via VPN.
5.8) Then click Finish.
5.9) Select the VPN profile created in steps 5.1 – 5.8 and click Edit.
5.10) In the Split Tunneling menu, enter the destination network to which the VPN connection should be established. This ensures that only the data traffic destined for the destination network is routed over the VPN tunnel.
For more information on split tunneling, see this Knowledge Base article.
5.11) Go to the tab IPsec General Settings and set the IKEv2 Authentication to EAP.
5.12) Switch to the Identities tab. Enter the user name of the RADIUS user as the Local Identity, and the OTP user name as the user ID for the EAP authentication.
5.12.1) If you are using LCOS firmware up to version 10.80, leave the Password field blank.
5.12.2) If you are using LCOS firmware version 10.90 or later, enter the password configured for the RADIUS user in step 3.5 in the Password field.
5.13) This concludes the configuration of the VPN connection in the Advanced VPN Client. Confirm the manually entered changes by clicking on OK.
6) Add the VPN OTP user in the authenticator app:
6.1) Use WEBconfig to connect to the router and navigate to the menu Extras → EAP-OTP users.
6.2) Next to the user, click the “eye” icon to view the QR code.
6.3) Scan the QR code with an authenticator app. OTP codes are now generated and displayed in the app.
6.4.1) If you are using LCOS firmware up to version 10.80, when establishing the VPN connection you must enter the password of the RADIUS user from step 3.5 directly followed by the one-time password (OTP) displayed in the authenticator app.
6.4.2) If you are using LCOS firmware version 10.90 or later, only the one-time password (OTP) displayed in the authenticator app is entered when establishing the VPN connection; the RADIUS password is already stored in the profile (step 5.12.2).