UserLock Documentation
UserLock Documentation
You are here: Reference > Protected sessions > Wi-Fi / VPN sessions

Wi-Fi / VPN sessions

UserLock can audit, control and apply a user access policy to two kinds of Wi-Fi/VPN sessions:

VPN sessions and Wi-Fi sessions when authenticated with the RADIUS protocol on a Microsoft Network Policy Server (included in Windows Server).

  • This requires the 'NPS agent' to be installed in this service.
  • Important:
    RADIUS clients (Microsoft RRAS, VPN hardware routers and Wi-Fi access points) should be configured to contact the NPS server for 'RADIUS authentication' and 'RADIUS accounting'.
  • Limitations:
    - Generally, the RADIUS protocol does not allow to recover the name of the client. As a result, you will not be able to apply Workstation restrictions with the client name. The only known case where this name is available is if your RRAS server is configured with RADIUS Authentication and RADIUS Accounting.
    - The VPN client address is not provided by all RADIUS clients (hardware routers) so you may also not be able to enforce IP address restrictions.
    - Controlling Wi-Fi sessions may be unreliable if the Wi-Fi access point doesn't correctly notify the end of a session to the RADIUS server when a Wi-Fi client is powered off without closing the Wi-Fi session properly.
    - If the Wi-Fi client is a member of the Active Directory domain, the Wi-Fi session may be authenticated with the computer account instead of the user account. In this case,     UserLock will not manage the session. UserLock only manages sessions with user accounts, and not sessions with computer accounts.
    - Multiple RADIUS servers for a single RADIUS client (hardware router) is not supported as the logon may be managed by a different agent to the logoff.
    - When a VPN/Wi-Fi session is denied, the user is prompted to enter new credentials. There is currently no way to display a more intelligible message to the user.

    Currently, there is no hardware compatibility list showing all hardware routers and Wi-Fi access points that are compatible with UserLock. We therefore suggest you test your hardware device with UserLock.

RAS sessions (VPN and dialup) on the Microsoft Routing and Remote Access Service (included in Windows Server).

  • This requires the 'RRAS agent' to be installed in this service.
  • Limitations:
    - In this mode UserLock is unable to retrieve the Internet IP address of the VPN client. As a workaround, RRAS can be configured in order to use the 'RADIUS authentication' with an NPS server.
    - When a VPN session is denied, the user is prompted to reconnect again. There is currently no way to display a more intelligible message to the user.