| title | Connect to a virtual network using P2S and RADIUS authentication - PowerShell | ||
|---|---|---|---|
| titleSuffix | Azure VPN Gateway | ||
| description | Learn how to connect VPN clients securely to a virtual network using P2S and RADIUS authentication. | ||
| author | cherylmc | ||
| ms.service | azure-vpn-gateway | ||
| ms.topic | how-to | ||
| ms.date | 12/06/2024 | ||
| ms.author | cherylmc | ||
| ms.custom |
|
This article helps you create a point-to-site (P2S) connection that uses RADIUS authentication. You can create this configuration using either PowerShell, or the Azure portal. If you have an active-active mode VPN gateway, at this time we advise you to use the Azure portal article to configure the RADIUS server settings. P2S VPN gateways require an additional IP address when the gateway is in active-active mode.
For more information about point-to-site VPN connections, see About point-to-site VPN.
This type of connection requires:
- A RouteBased VPN gateway.
- A RADIUS server to handle user authentication. The RADIUS server can be deployed on-premises, or in the Azure virtual network (VNet). You can also configure two RADIUS servers for high availability.
- The VPN client profile configuration package. The VPN client profile configuration package is a package that you generate. It contains the settings required for a VPN client to connect over P2S.
Limitations:
- If you're using IKEv2 with RADIUS, only EAP-based authentication is supported.
- An ExpressRoute connection can't be used to connect to an on-premises RADIUS server.
AD Domain authentication allows users to sign in to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also use their existing RADIUS deployment.
The RADIUS server can reside on-premises, or in your Azure virtual network. During authentication, the VPN gateway acts as a pass-through and forwards authentication messages back and forth between the RADIUS server and the connecting device. It's important for the VPN gateway to be able to reach the RADIUS server. If the RADIUS server is located on-premises, then a VPN site-to-site connection from Azure to the on-premises site is required.
Apart from Active Directory, a RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPNs, including MFA options. Check your RADIUS server vendor documentation to get the list of identity systems it integrates with.
:::image type="content" source="./media/point-to-site-how-to-radius-ps/radius-diagram.png" alt-text="Diagram of RADIUS authentication P2S connection." lightbox="./media/point-to-site-how-to-radius-ps/radius-diagram.png":::
Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.
[!INCLUDE PowerShell]
You can use the example values to create a test environment, or refer to these values to better understand the examples in this article. You can either use the steps as a walk-through and use the values without changing them, or change them to reflect your environment.
- Name: VNet1
- Address space: 10.1.0.0/16 and 10.254.0.0/16
For this example, we use more than one address space to illustrate that this configuration works with multiple address spaces. However, multiple address spaces aren't required for this configuration. - Subnet name: FrontEnd
- Subnet address range: 10.1.0.0/24
- Subnet name: BackEnd
- Subnet address range: 10.254.1.0/24
- Subnet name: GatewaySubnet
The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.- GatewaySubnet address range: 10.1.255.0/27
- VPN client address pool: 172.16.201.0/24
VPN clients that connect to the virtual network using this P2S connection receive an IP address from the VPN client address pool. - Subscription: If you have more than one subscription, verify that you're using the correct one.
- Resource Group: TestRG1
- Location: East US
- DNS Server: IP address of the DNS server that you want to use for name resolution for your virtual network. (optional)
- GW Name: Vnet1GW
- Public IP name: VNet1GWPIP
- VpnType: RouteBased
The following steps create a resource group and a virtual network in the resource group with three subnets. When substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails.
-
Create a resource group using New-AzResourceGroup.
New-AzResourceGroup -Name "TestRG1" -Location "EastUS" -
Create the virtual network using New-AzVirtualNetwork.
$vnet = New-AzVirtualNetwork ` -ResourceGroupName "TestRG1" ` -Location "EastUS" ` -Name "VNet1" ` -AddressPrefix 10.1.0.0/16 -
Create subnets using New-AzVirtualNetworkSubnetConfig with the following names: FrontEnd and GatewaySubnet (a gateway subnet must be named GatewaySubnet).
$subnetConfigFrontend = Add-AzVirtualNetworkSubnetConfig ` -Name Frontend ` -AddressPrefix 10.1.0.0/24 ` -VirtualNetwork $vnet $subnetConfigGW = Add-AzVirtualNetworkSubnetConfig ` -Name GatewaySubnet ` -AddressPrefix 10.1.255.0/27 ` -VirtualNetwork $vnet -
Write the subnet configurations to the virtual network with Set-AzVirtualNetwork, which creates the subnets in the virtual network:
$vnet | Set-AzVirtualNetwork
A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is statically assigned to the resource when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
-
Request a public IP address for your VPN gateway using New-AzPublicIpAddress.
$gwpip = New-AzPublicIpAddress -Name "GatewayIP" -ResourceGroupName "TestRG1" -Location "EastUS" -AllocationMethod Static -Sku Standard -
Create the gateway IP address configuration using New-AzVirtualNetworkGatewayIpConfig. This configuration is referenced when you create the VPN gateway.
$vnet = Get-AzVirtualNetwork -Name "VNet1" -ResourceGroupName "TestRG1" $gwsubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet $gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $gwsubnet.Id -PublicIpAddressId $gwpip.Id
Before you create and configure the virtual network gateway, your RADIUS server should be configured correctly for authentication.
- If you don’t have a RADIUS server deployed, deploy one. For deployment steps, refer to the setup guide provided by your RADIUS vendor.
- Configure the VPN gateway as a RADIUS client on the RADIUS. When adding this RADIUS client, specify the virtual network GatewaySubnet that you created.
- Once the RADIUS server is set up, get the RADIUS server's IP address and the shared secret that RADIUS clients should use to talk to the RADIUS server. If the RADIUS server is in the Azure virtual network, use the CA IP of the RADIUS server VM.
The Network Policy Server (NPS) article provides guidance about configuring a Windows RADIUS server (NPS) for AD domain authentication.
In this step, you configure and create the virtual network gateway for your virtual network. For more complete information about authentication and tunnel type, see Specify tunnel and authentication type in the Azure portal version of this article.
- The -GatewayType must be 'Vpn' and the -VpnType must be 'RouteBased'.
- A VPN gateway can take 45 minutes or more to build, depending on the Gateway SKU you select.
In the following example, we use the VpnGw2, Generation 2 SKU. If you see ValidateSet errors regarding the GatewaySKU value and are running these commands locally, verify that you have installed the latest version of the PowerShell cmdlets. The latest version contains the new validated values for the latest Gateway SKUs.
Create the virtual network gateway with the gateway type "Vpn" using New-AzVirtualNetworkGateway.
New-AzVirtualNetworkGateway -Name "VNet1GW" -ResourceGroupName "TestRG1" `
-Location "EastUS" -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw2AZ -VpnGatewayGeneration "Generation2"
- The -RadiusServer can be specified by name or by IP address. If you specify the name and the server resides on-premises, then the VPN gateway might not be able to resolve the name. If that’s the case, then it's better to specify the IP address of the server.
- The -RadiusSecret should match what is configured on your RADIUS server.
- The -VpnClientAddressPool is the range from which the connecting VPN clients receive an IP address. Use a private IP address range that doesn't overlap with the on-premises location that you'll connect from, or with the virtual network that you want to connect to. Ensure that you have a large enough address pool configured.
Note
If your VPN gateway is in active-active mode, use the Azure portal article steps to specify the RADIUS server settings. P2S configurations require an additional IP address when the gateway is in active-active mode.
-
Create a secure string for the RADIUS secret.
$Secure_Secret=Read-Host -AsSecureString -Prompt "RadiusSecret" -
You're prompted to enter the RADIUS secret. The characters that you enter won't be displayed and instead will be replaced by the "*" character.
RadiusSecret:***
In this section, you add the VPN client address pool and the RADIUS server information. There are multiple possible configurations. Select the example that you want to configure.
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName "TestRG1" -Name "VNet1GW"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
-VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "SSTP" `
-RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName "TestRG1" -Name "VNet1GW"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientRootCertificates @()
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
-VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "OpenVPN" `
-RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName "TestRG1" -Name "VNet1GW"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
-VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "IKEv2" `
-RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName "TestRG1" -Name "VNet1GW"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
-VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol @( "SSTP", "IkeV2" ) `
-RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
To specify two RADIUS servers, use the following syntax. Modify the -VpnClientProtocol value as needed.
$radiusServer1 = New-AzRadiusServer -RadiusServerAddress 10.1.0.15 -RadiusServerSecret $radiuspd -RadiusServerScore 30
$radiusServer2 = New-AzRadiusServer -RadiusServerAddress 10.1.0.16 -RadiusServerSecret $radiuspd -RadiusServerScore 1
$radiusServers = @( $radiusServer1, $radiusServer2 )
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $actual -VpnClientAddressPool 201.169.0.0/16 -VpnClientProtocol "IkeV2" -RadiusServerList $radiusServers
The VPN client profile configuration packages contain the settings that help you configure VPN client profiles for a connection to the Azure virtual network.
To generate a VPN client configuration package and configure a VPN client, see one of the following articles:
- RADIUS - certificate authentication for VPN clients
- RADIUS - password authentication for VPN clients
- RADIUS - other authentication methods for VPN clients
After you configure the VPN client, connect to Azure.
-
To verify that your VPN connection is active, open an elevated command prompt, and run ipconfig/all.
-
View the results. Notice that the IP address you received is one of the addresses within the P2S VPN Client Address Pool that you specified in your configuration. The results are similar to this example:
PPP adapter VNet1: Connection-specific DNS Suffix .: Description.....................: VNet1 Physical Address................: DHCP Enabled....................: No Autoconfiguration Enabled.......: Yes IPv4 Address....................: 172.16.201.3(Preferred) Subnet Mask.....................: 255.255.255.255 Default Gateway.................: NetBIOS over Tcpip..............: Enabled
To troubleshoot a P2S connection, see Troubleshooting Azure point-to-site connections.
[!INCLUDE Connect to a VM]
-
Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the virtual network. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.
-
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you're connecting. If the IP address is within the address range of the virtual network that you're connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
For FAQ information, see the Point-to-site - RADIUS authentication section of the FAQ.
Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.