Configure a VPN client for point-to-site: RADIUS - password authentication

To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. You can create P2S VPN connections from Windows, macOS, and Linux client devices. This article helps you create and install the VPN client configuration for username/password RADIUS authentication.

When you're using RADIUS authentication, there are multiple authentication options: certificate authentication, password authentication, and other authentication methods and protocols. The VPN client configuration is different for each type of authentication. To configure a VPN client, you use client configuration files that contain the required settings.

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections won't be affected. If you’re using TLS for point-to-site VPNs on Windows 10 or later clients, you don’t need to take any action. If you're using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Workflow

The configuration workflow for P2S RADIUS authentication is as follows:

  1. Set up the Azure VPN gateway for P2S connectivity.
  2. Set up your RADIUS server for authentication.
  3. Obtain the VPN client configuration for the authentication option of your choice and use it to set up the VPN client (this article).
  4. Complete your P2S configuration and connect.

Important

If there are any changes to the point-to-site VPN configuration after you generate the VPN client configuration profile, such as the VPN protocol type or authentication type, you must generate and install a new VPN client configuration on your users' devices.

You can configure username/password authentication to either use Active Directory or not use Active Directory. With either scenario, make sure that all connecting users have username/password credentials that can be authenticated through RADIUS.

When you configure username/password authentication, you can only create a configuration for the EAP-MSCHAPv2 username/password authentication protocol. In the commands, -AuthenticationMethod is EapMSChapv2.

Generate VPN client configuration files

You can generate the VPN client configuration files by using the Azure portal, or by using Azure PowerShell.

Azure portal

  1. Navigate to the virtual network gateway.
  2. Click Point-to-Site configuration.
  3. Click Download VPN client.
  4. Select the client and fill out any information that is requested.
  5. Click Download to generate the .zip file.
  6. The .zip file will download, typically to your Downloads folder.

Azure PowerShell

Generate VPN client configuration files for use with username/password authentication. You can generate the VPN client configuration files by using the following command:

New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapMSChapv2"

Running the command returns a link. Copy and paste the link to a web browser to download VpnClientConfiguration.zip. Unzip the file to view the following folders:

  • WindowsAmd64 and WindowsX86: These folders contain the Windows 64-bit and 32-bit installer packages, respectively.
  • Generic: This folder contains general information that you use to create your own VPN client configuration. You don't need this folder for username/password authentication configurations.
  • Mac: If you configured IKEv2 when you created the virtual network gateway, you see a folder named Mac that contains a mobileconfig file. You use this file to configure Mac clients.

If you already created client configuration files, you can retrieve them by using the Get-AzVpnClientConfiguration cmdlet. But if you make any changes to your P2S VPN configuration, such as the VPN protocol type or authentication type, the configuration isn’t updated automatically. You must run the New-AzVpnClientConfiguration cmdlet to create a new configuration download.

To retrieve previously generated client configuration files, use the following command:

Get-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW"

Windows VPN client

You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the FAQ.

Use the following steps to configure the native Windows VPN client for certificate authentication:

  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the VpnClientSetupAmd64 installer package. For a 32-bit processor architecture, choose the VpnClientSetupX86 installer package.

  2. To install the package, double-click it. If you see a SmartScreen pop-up, select More info > Run anyway.

  3. On the client computer, browse to Network Settings and select VPN. The VPN connection shows the name of the virtual network that it connects to.

Mac (macOS) VPN client

  1. Select the VpnClientSetup mobileconfig file and send it to each of the users. You can use email or another method.

  2. Locate the mobileconfig file on the Mac.

    Screenshot shows location of the mobile config file.

  3. Optional Step - If you want to specify a custom DNS, add the following lines to the mobileconfig file:

     <key>DNS</key>
     <dict>
       <key>ServerAddresses</key>
       <array>
         <string>10.0.0.132</string>
       </array>
       <key>SupplementalMatchDomains</key>
       <array>
         <string>TestDomain.com</string>
       </array>
     </dict>

  4. Double-click the profile to install it, and select Continue. The profile name is the same as the name of your virtual network.

    Screenshot shows profile install with continue selected.

  5. Select Continue to trust the sender of the profile and proceed with the installation.

    Screenshot shows continue message.

  6. During profile installation, you can specify the username and password for VPN authentication. It's not mandatory to enter this information. If you do, the information is saved and automatically used when you initiate a connection. Select Install to proceed.

    Screenshot shows enter settings for username and password.

  7. Enter a username and password for the privileges that are required to install the profile on your computer. Select OK.

    Screenshot shows enter settings for username and password privileges.

  8. After the profile is installed, it's visible in the Profiles dialog box. You can also open this dialog box later from System Preferences.

    Screenshot shows profiles dialog box.

  9. To access the VPN connection, open the Network dialog box from System Preferences.

    Screenshot shows network dialog box.

  10. The VPN connection appears as IkeV2-VPN. You can change the name by updating the mobileconfig file.

    Screenshot shows connection name.

  11. Select Authentication Settings. Select Username in the list and enter your credentials. If you entered the credentials earlier, then Username is automatically chosen in the list and the username and password are pre-populated. Select OK to save the settings.

    Screenshot that shows the Authentication settings drop-down with Username selected.

  12. Back in the Network dialog box, select Apply to save the changes. To initiate the connection, select Connect.
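Hand-editing the mobileconfig for step 3 (custom DNS) and step 10 (connection name) is easy to get wrong; the following added example, which is not part of the article or of the Azure-generated profile, does both edits with Python's plistlib. The embedded profile is a constructed minimal stand-in that assumes the Azure file holds one com.apple.vpn.managed payload with an IKEv2 dict; the DNS block is placed beside that IKEv2 dict, which is an assumption about where the article's snippet belongs.

```python
import plistlib

# Constructed minimal profile modelled on an Azure-generated mobileconfig (assumed layout:
# one com.apple.vpn.managed payload holding an IKEv2 dict). Real files carry more keys.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>IkeV2-VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>azuregateway-PLACEHOLDER.cloudapp.net</string>
        <key>ExtendedAuthEnabled</key><true/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def customize_profile(raw, dns_servers, match_domains, name=None):
    """Parse a mobileconfig and return it as a dict with the DNS block (article step 3)
    added to every VPN payload and, optionally, the connection renamed (step 10)."""
    profile = plistlib.loads(raw)
    vpn_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if not vpn_payloads:
        raise ValueError("no %s payload in profile" % VPN_PAYLOAD_TYPE)
    for payload in vpn_payloads:
        # Same keys as the snippet in the article, placed beside the IKEv2 dict (assumed).
        payload["DNS"] = {"ServerAddresses": list(dns_servers),
                          "SupplementalMatchDomains": list(match_domains)}
        if name:
            payload["UserDefinedName"] = name  # the name shown in the Network dialog
    return profile


def customize_bytes(raw, dns_servers, match_domains, name=None):
    """Same as customize_profile, serialized back to XML plist bytes for distribution."""
    return plistlib.dumps(customize_profile(raw, dns_servers, match_domains, name))
```

Run customize_bytes over the real VpnClientSetup mobileconfig and send the result to users instead of the unedited file; install it the same way as in step 4.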

Linux VPN client - strongSwan

The following instructions were created through strongSwan 5.5.1 on Ubuntu 17.0.4. Actual screens might be different, depending on your version of Linux and strongSwan.

  1. Open the Terminal to install strongSwan and its Network Manager by running the command in the example. If you receive an error that's related to libcharon-extra-plugins, replace it with strongswan-plugin-eap-mschapv2.

    sudo apt-get install strongswan libcharon-extra-plugins moreutils iptables-persistent network-manager-strongswan

  2. Select the Network Manager icon (up-arrow/down-arrow), and select Edit Connections.

    Edit connections in Network Manager.

  3. Select the Add button to create a new connection.

    Screenshot shows add connection for network connections.

  4. Select IPsec/IKEv2 (strongswan) from the drop-down menu, and then select Create. You can rename your connection in this step.

    Screenshot shows select connection type.

  5. Open the VpnSettings.xml file from the Generic folder of the downloaded client configuration files. Find the tag called VpnServer and copy the name, beginning with azuregateway and ending with .cloudapp.net.

    Screenshot shows contents of the VpnSettings.xml file.

  6. Paste this name into the Address field of your new VPN connection in the Gateway section. Next, select the folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.

  7. In the Client section of the connection, select EAP for Authentication, and enter your username and password. You might have to select the lock icon on the right to save this information. Then, select Save.

    Screenshot shows edit connection settings.

  8. Select the Network Manager icon (up-arrow/down-arrow) and hover over VPN Connections. You see the VPN connection that you created. To initiate the connection, select it.

    Screenshot shows connect.

Next steps

Return to the article to complete your P2S configuration.

For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.