Configure a VPN client for point-to-site: RADIUS - other methods and protocols
To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. This article helps you create and install the VPN client configuration for RADIUS authentication that uses methods other than certificate or password authentication.
When you're using RADIUS authentication, there are multiple authentication instructions: certificate authentication, password authentication, and other authentication methods and protocols. The VPN client configuration is different for each type of authentication. To configure a VPN client, you use client configuration files that contain the required settings.
Note
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections won't be affected. If you're using TLS for point-to-site VPNs on Windows 10 or later clients, you don't need to take any action. If you're using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
Workflow
The configuration workflow for P2S RADIUS authentication is as follows:
Obtain the VPN client configuration for the authentication option of your choice and use it to set up the VPN client (this article).
Important
If there are any changes to the point-to-site VPN configuration after you generate the VPN client configuration profile, such as the VPN protocol type or authentication type, you must generate and install a new VPN client configuration on your users' devices.
To use a different authentication type (for example, OTP), or to use a different authentication protocol (such as PEAP-MSCHAPv2 instead of EAP-MSCHAPv2), you must create your own VPN client configuration profile. If you have Point to Site VPN configured with RADIUS and OpenVPN, currently PAP is only authentication method supported between the gateway and RADIUS server. To create the profile, you need information such as the virtual network gateway IP address, tunnel type, and split-tunnel routes. You can get this information by using the following steps.
Generate VPN client configuration files
You can generate the VPN client configuration files by using the Azure portal, or by using Azure PowerShell.
Azure portal
- Navigate to the virtual network gateway.
- Click Point-to-Site configuration.
- Click Download VPN client.
- Select the client and fill out any information that is requested.
- Click Download to generate the .zip file.
- The .zip file will download, typically to your Downloads folder.
Azure PowerShell
Use the Get-AzVpnClientConfiguration cmdlet to generate the VPN client configuration for EapMSChapv2.
View the files and configure the VPN client
Unzip the VpnClientConfiguration.zip file and look for the GenericDevice folder. Ignore the folders that contain the Windows installers for 64-bit and 32-bit architectures.
The GenericDevice folder contains an XML file called VpnSettings. This file contains all the required information:
- VpnServer: FQDN of the Azure VPN gateway. This is the address that the client connects to.
- VpnType: Tunnel type that you use to connect.
- Routes: Routes that you have to configure in your profile so that only traffic that's bound for the Azure virtual network is sent over the P2S tunnel.
The GenericDevice folder also contains a .cer file called VpnServerRoot. This file contains the root certificate that's required to validate the Azure VPN gateway during P2S connection setup. Install the certificate on all devices that will connect to the Azure virtual network.
Use the settings in the files to configure your VPN client.
Next steps
Return to the article to complete your P2S configuration.
For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.