Documentation

 

Last updated: July 22, 2019

Introduction

Use this guide to integrate NetMotion Wireless Mobility server with SecureAuth IdP RADIUS Server Version 2.1.0 and later. This integration provides end users with VPN access for mobile devices in a wireless environment. In this setup, trust is established between the end user's mobile device and the SecureAuth IdP RADIUS server, not the VPN.

NetMotion Mobility server only supports the Protected Extensible Authentication Protocol (PEAP) protocol. By default, SecureAuth IdP RADIUS server detects the PEAP request type and handles the request accordingly. The PEAP protocol is implemented in Java with dependencies on the Java Native Interface (JNI) calls to a custom OpenSSL library.

Note: SecureAuth IdP RADIUS Server Version 2.0.X and earlier support the PAP protocol only.



Prerequisites

NetMotion Mobility RADIUS components include:

  • NetMotion Mobility version 10.71
  • Microsoft Visual C++ runtime (Redistributable for Visual Studio 2012 Update 4) installed on the Windows Server where SecureAuth IdP RADIUS server is installed
  • NetMotion Mobility server 10.X and later
  • NetMotion Mobility client installed on each end user mobile device to be used for VPN login access
  • Certificate, .PFX file, private key, and private key password

SecureAuth IdP configuration steps 

Follow the steps in Configuration guide - v19.06 - SecureAuth IdP RADIUS server, in the "Step B: IdP Realms configuration" section.



Configure the NetMotion Mobility Server

The NetMotion Mobility Server configuration includes setting up how the SecureAuth IdP RADIUS server will authenticate users. Use the NetMotion Mobility Authentication Settings user interface to make the following changes:

  1. Under Global Authentication Settings, set the User authentication protocol to RADIUS - EAP (PEAP and EAP-TLS).

  2. Set RADIUS - Retransmit Interval to 30000 milliseconds.

  3. Add the RADIUS server IP address appended by authentication port number 1812.

  4. Ensure that the EAP-GTC Auto-Response Mode setting is disabled.

  5. Under Server Settings, select the node on the Global Server Settings tree. 

    Scroll down to Virtual Address and click Add to enter the IP addresses of the DNS servers for the Mobility clients to use.

  6. Click Add and enter the Virtual Address Pool Ranges of IPs on the network where end users will authenticate.

    Include the default gateway used on the network for dynamic IP address assigned to end users.

    The following image is a sample of Virtual Address Range entries.



Configure Windows Server 

Configure Windows Server 2012 R2 or Windows Server 2016 with Active Directory in the same location where users will perform authentication.

Note: Be sure to install Microsoft Visual C++ runtime (Redistributable for Visual Studio 2012 Update 4) on the Windows Server where SecureAuth IdP RADIUS server is installed.



End-user experience

All end users added to SecureAuth RADIUS through Active Directory can authenticate into the corporate VPN by using SecureAuth IdP's Push to Accept second-factor MFA method. 

When the end user selects the Push-to-Accept option, the VPN waits for RADIUS to respond. When the Login Request screen appears on the mobile app, tap Approve or Deny on the screen. The following images show Push-to-Accept examples that end users will see in the Authenticate App:

App is closed

  1. Open the app by swiping down on the login request notification.

2. Tap Accept to securely authenticate into the corporate VPN.

App is open 

Tap Approve this request to securely log into the corporate VPN.

  • No labels