Authenticate SSL VPN Client by Windows 2008 R2 RADIUS Server 

This document demonstrates how to configure Vigor Router to use a Windows 2008 R2 Server as RADIUS server and authenticate SSL VPN clients.

Vigor Router Setup

1. To allow Vigor Router to authenticate remote VPN clients with an external RADIUS server, we need to identify the RADIUS server. Go to Applications >> RADIUS/TACACS+:

  1. Check Enable
  2. Enter the IP address of the Windows Server in Server IP Address.
  3. Enter the Shared Secret and confirm. Note that we need to use the same Shared Secret value in Radius configuration on Windows 2008 R2 server.
  4. Click OK to save the settings.
  5. Note: Vigor Router uses UTF-8 encoding, while Windows RADIUS server uses big5. Please prevent any special characters in Shared Secret with Windows RADIUS server.

a screenshot of DrayOS RADIUS settings

2. Create an SSL User Group which allows authentication by RADIUS server: Go to SSL VPN >> User Group, click on an index number to edit the profile:

  1. Check Enable
  2. Enter Group Name
  3. Check "RADIUS" for Authentication Method.
  4. Click OK to save the settings. 
a screenshot of DrayOS SSL User Group

Windows 2008 R2 Server Setup

1. Log in to the Windows 2008 R2 server and go to Server Manager. Create a user account and password by clicking Local Users and Groups >> Users.

a screenshot of Windows 2008 R2

2. Add Vigor Router to RADIUS Client: Go to Network Policy Server >> RADIUS Client and Servers, right-click RADIUS Clients, and then click New RADIUS Client:

  1. Check Enable this RADIUS Client
  2. Enter Friendly name
  3. For Address, enter the IP Address of Vigor Roter.
  4. Enter Shared Secret as the same in Vigor Router's RADIUS Setup.
  5. Click OK to save
a screenshot of Windows 2008 R2

3. Configure Connection Request Policies. If you have default policy "Use Windows authentication for all users" configured under connection request policies, then you can skip this step. Else it is required to set a connection request policy. Go to Network Policy Server >> Policies, right-click Connection Request Policies, and then click New Connection Request Policies:

  1. Enter a Policy name in the Overview tab.
  2. a screenshot of Windows 2008 R2
  3. Select the Day and Time restrictions under the Conditions tab.
  4. a screenshot of Windows 2008 R2

4. Configure Network Policies: Go to Network Policy Server >> Policies, right-click Network Policies and then click New Network Policies.

  1. In the Overview tab, enter policy name and other details.
  2. a screenshot of Windows 2008 R2
  3. In the Conditions tab, select the user groups to whom you would like to give access for SSL VPN.
  4. a screenshot of Windows 2008 R2
  5. In the Constraints tab. Set Authentication Methods as Unencrypted authentication. 
  6. a screenshot of Windows 2008 R2

Establishing the SSL VPN Connection

For SSL VPN Client, open web browser and enter https://<public IP>:<port number for SSL VPN> in address tab. For example, And you can log in to SSL VPN with the user profile in Windows 2008 R2 server.

a screenshot of Vigor2925 SSL login page

We can check the Success Logs on Windows server from Event Viewer.

a screenshot of Windows 2008 R2

From the logs captured by Wireshark, we will see packets like this between Vigor Router and the Windows Server.

a screenshot of wireshark logs

Published On:2015-06-18 

Was this helpful?   

book icon

Related Articles