In its default configuration, NetMotion Mobility connections are established at the user level. In most cases this level of access is sufficient, but there are some common uses cases that require VPN connectivity before the user logs on. Examples include provisioning a new device to a user who has never logged on before, or to allow support engineers to connect to a remote device without requiring a user to log in first.
Infrastructure Requirements
To support NetMotion Mobility’s “unattended mode” (device tunnel) it will be necessary to deploy a Windows Server 2016 (or 2012R2) Network Policy Server (NPS). In addition, an internal private certification authority (CA) will be required to issue certificates to the NPS server and all NetMotion Mobility client computers.
Client Certificate Requirements
A certificate with the Client Authentication Enhanced Key Usage (EKU) must be provisioned to the local computer certificate store on all NetMotion Mobility clients that require a device tunnel (figure 1). The subject name on the certificate must match the fully qualified domain name of the client computer (figure 2). It is recommended that certificate auto enrollment be used to streamline the provisioning process.
Figure 1. Computer certificate with Client Authentication EKU.
Figure 2. Computer certificate with subject name matching the client computer’s hostname.
NPS Server Certificate Requirements
A certificate with the Server Authentication EKU must be provisioned to the local computer certificate store on the NPS server (figure 3). The subject name on the certificate must match the fully qualified domain name of the NPS server (figure 4).
Figure 3. Computer certificate with Server Authentication EKU.
Figure 4. Computer certificate with subject name matching the NPS server’s hostname.
NPS Server Configuration
Next install the NPS server role by running the following PowerShell command.
Install-WindowsFeature NPAS -IncludeMamagementTools
Once complete, open the NPS server management console and perform the following steps.
Note: Below is a highly simplified NPS configuration designed for a single use case. It is provided for demonstration purposes only. The NPS server may be used by more than one network access server (NAS) so the example policies included below may not work in every deployment.
- Expand RADIUS Clients and Servers.
- Right-click RADIUS clients and choose New.
- Select the option to Enable this RADIUS client.
- Enter a friendly name.
- Enter the IP address or hostname of the NetMotion gateway server.
- Click Verify to validate the hostname or IP address.
- Select Manual to enter a shared secret, or select Generate to create one automatically.
- Copy the shared secret as it will be required when configure the NetMotion Mobility gateway server later.
- Click OK.
- Expand Policies.
- Right-click Network Policies and choose New.
- Enter a descriptive name for the new policy.
- Select Type of network access server and choose Unspecified.
- Click Next.
- Click Add.
- Select Client IPv4 Address.
- Click Add.
- Enter the internal IPv4 address of the NetMotion Mobility gateway server.
- Click OK.
- Click Next.
- Select Access granted.
- Click Next.
- Click Add.
- Choose Microsoft: Protected EAP (PEAP).
- Click OK.
- Select Microsoft: Protected EAP (PEAP).
- Click Edit.
- Choose the appropriate certificate in the Certificate issued to drop down list.
- Select Secure password (EAP-MSCHAP v2).
- Click Remove.
- Click Add.
- Choose Smart Card or other certificate.
- Click OK.
- Select Smart Card or other certificate.
- Click Edit.
- Choose the appropriate certificate in the Certificate issued to drop down list.
- Click OK.
- Uncheck all options beneath Less secure authentication methods.
- Click Next three times.
- Click Finish.
Mobility Server Configuration
Open the NetMotion Mobility management console and perform the following steps.
- In the drop-down menu click Configure.
- Click Authentication Settings.
- Click New.
- Enter a descriptive name for the new authentication profile.
- Click OK.
- Expand Authentication.
- Select Mode.
- Select Unattended Mode Authentication Setting Override.
- From the Authentication mode drop-down box choose Unattended.
- Click Apply.
- Expand RADIUS: Device Authentication.
- Select Servers.
- Select [Profile Name] Authentication Setting Override.
- Click Add.
- Enter the IP address of the NPS server.
- Enter the port (default is 1812).
- Enter the shared secret.
- Click OK.
- In the drop-down menu click Configure.
- Click Client Settings.
- Expand Device Settings.
- Select the device group to enable unattended mode for.
- Expand Authentication.
- Select Settings Profile.
- Select [Device Group Name] Group Settings Override.
- In the Profile drop-down menu choose the authentication profile created previously.
- Click Apply.
Validation Testing
If everything is configured correctly, the NetMotion Mobility client will now indicate that the user and the device have been authenticated.
Summary
Enabling unattended mode with NetMotion Mobility provides feature parity with DirectAccess machine tunnel and Windows 10 Always On VPN device tunnel. It ensures that domain connectivity is available before the user logs on. This allows users to log on remotely without cached credentials. It also allows administrators to continue working seamlessly on a remote computer after a reboot without having a user present to log on.
Additional Resources
NetMotion Mobility as an Alternative to DirectAccess
DirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).
