How do you guys prevent non company computers on company VPN?

We’re using RADIUS for VPN auth. Users need to be in a domain group to connect. How do we prevent people from installing VPN on their own PCs and using that instead of company machines? It doesn’t look like we can create a network policy based on both the machine and the user.

PKI. Require machine or user certificates to connect to your VPN. Issue non-exportable certificates to every machine or user. If the machine doesn’t have a certificate issued by your internal CA, it can’t connect.

Require a cert, and they won’t have that cert on personal computers. Issued by your own cert provider.

The answer will depend on your VPN platform and what it supports. We have moved to Zero Trust Network Access clients, which require deployment keys to be added, then we apply policy based on location, device attributes and users etc.

What VPN client are you using?

With a Cisco FTD, you can enable Entra ID authentication and require Entra device compliance.

Your users know how to install a vpn client???

Don’t give them the secret key.

What VPN?

We make our VPN reliant on a machine certificate. No certificate? No VPN.

Palo Alto if that matters.

We have replaced RADIUS with SAML-based auth, requiring Entra ID compliance.

You have users capable enough to install and configure the VPN?

We have a policy that says in no uncertain terms “No non-company equipment shall be used on site or connected to any corporate resources. Violation of this policy directive will result in permanent confiscation, possible legal action, and possible termination.” You read and sign it when you’re hired, all of us have to re-read and sign it yearly. With the regulatory compliance we’re under at $dayjob we can’t afford any fuckups of the sort.

Have you considered using 802.1x authentication with certificates and RADIUS?

We have an Information Security policy that employees are required to read and sign that spells out that violations of the Information Security Policy are grounds for immediate termination of employment.

We also explain the benefits of separating work and personal devices in terms of Legal Discovery in the case the business becomes involved in a lawsuit. You don’t want your personal computing devices confiscated, do you?

However, among other security measures, the best key to our success is that we don’t hire jerks.

GlobalProtect has a system profiling feature.

Conditional Access requires an authorized user and a corporate device.
Also, the VPN profile is only distributed to authorized devices via Intune and it’s not something typical users can trivially copy off their machine.

We use a combination of certificates and host integrity checks: OS levels, patch levels, and we look for specific applications. The biggest is our security software, as most home users don’t use the enterprise versions of the stuff we’re using. And if even one of the checks we look for doesn’t match, that client doesn’t get on the network. Period.
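An added example, not code from this thread, GlobalProtect or any other vendor: a fail-closed admission check in Python that combines the machine-certificate requirement from the PKI answers earlier in the thread, the "authorised user AND corporate device" rule, and the host-integrity checks in the comment above (OS build, patch age, enterprise security software, plus the Windows-only registry marker mentioned later). The CA name, group, product name, version floor and thresholds are assumptions, and the posture reports are constructed sample data.

```python
# Added example (not from this thread or any vendor): a fail-closed VPN
# admission policy that requires BOTH an authorised user and a compliant,
# company-issued device. Every name, group, product and threshold below is
# an assumption; the posture reports at the bottom are constructed samples.
from dataclasses import dataclass, field

INTERNAL_CA = "CN=Corp Issuing CA 01"          # assumed internal CA subject
VPN_GROUP = "VPN-Users"                         # assumed AD group for VPN
REQUIRED_EDR = "Acme EDR Enterprise"            # assumed enterprise product name
MIN_EDR_VERSION = (7, 2)                        # assumed minimum version
MIN_OS_BUILD = {"windows": 19045, "macos": 14}  # assumed OS baselines
MAX_PATCH_AGE_DAYS = 30                         # assumed patch SLA


def parse_version(text: str) -> tuple:
    """'7.2.1' -> (7, 2, 1); non-numeric parts count as 0 so comparison is safe."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


@dataclass
class Decision:
    allowed: bool
    failures: list = field(default_factory=list)


def evaluate(user: dict, device: dict) -> Decision:
    """Return allow/deny plus every failed check. Missing data counts as a
    failure: a posture report that says nothing is not a compliant report."""
    failures = []

    # 1. User must be in the VPN group (what RADIUS alone already enforces).
    if VPN_GROUP not in user.get("groups", ()):
        failures.append("user not in VPN group")

    # 2. Device must present a machine certificate issued by the internal CA.
    cert = device.get("machine_cert") or {}
    if cert.get("issuer") != INTERNAL_CA:
        failures.append("no machine certificate from internal CA")

    # 3. OS must be a supported platform at or above the baseline build.
    os_name = device.get("os")
    baseline = MIN_OS_BUILD.get(os_name)
    if baseline is None or device.get("os_build", 0) < baseline:
        failures.append(f"unsupported or outdated OS: {os_name} {device.get('os_build')}")

    # 4. Patches must be recent; an absent value is treated as too old.
    if device.get("patch_age_days", MAX_PATCH_AGE_DAYS + 1) > MAX_PATCH_AGE_DAYS:
        failures.append("patch level too old")

    # 5. Enterprise security software must be present; consumer editions fail.
    edr = device.get("edr") or {}
    if edr.get("name") != REQUIRED_EDR or parse_version(edr.get("version", "0")) < MIN_EDR_VERSION:
        failures.append("required enterprise EDR missing or below minimum version")

    # 6. Windows only: a management marker (e.g. a registry value pushed by IT)
    #    must exist. Not applied to macOS, which has no registry.
    if os_name == "windows" and not device.get("corp_marker_present", False):
        failures.append("corporate registry marker not found")

    return Decision(allowed=not failures, failures=failures)


# Constructed sample inputs (not real users or machines).
CORP_USER = {"name": "jdoe", "groups": ["Domain Users", "VPN-Users"]}
CONTRACTOR = {"name": "temp01", "groups": ["Domain Users"]}
CORP_LAPTOP = {
    "os": "windows", "os_build": 19045, "patch_age_days": 12,
    "machine_cert": {"subject": "CN=LT-0423", "issuer": INTERNAL_CA},
    "edr": {"name": "Acme EDR Enterprise", "version": "7.4.0"},
    "corp_marker_present": True,
}
PERSONAL_PC = {  # the same authorised user running the client on a home machine
    "os": "windows", "os_build": 22631, "patch_age_days": 3,
    "machine_cert": None,
    "edr": {"name": "Acme EDR Home", "version": "7.4.0"},
    "corp_marker_present": False,
}

if __name__ == "__main__":
    for label, who, dev in [("corp laptop", CORP_USER, CORP_LAPTOP),
                            ("personal pc", CORP_USER, PERSONAL_PC),
                            ("contractor", CONTRACTOR, CORP_LAPTOP)]:
        d = evaluate(who, dev)
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'} {d.failures}")
```

The point of returning every failure rather than the first one is operational: the help desk can see exactly why a device was refused, while the decision itself stays fail-closed, so a well-patched personal PC with the right user still does not get in because it lacks the CA-issued certificate, the enterprise edition of the security agent, and the IT-pushed marker.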

Palo Alto HIP profiles

Require client certificates for connection. The certificates are auto-enrolled for every domain user to domain computers through a Certification Authority Server (Windows Server).

PSK on top of user authentication, and don’t give the PSK out, i.e. IT does all VPN setups and enters the PSK.

Add a registry key and have the VPN connection scan for it. If not found, connection fails. Doesn’t work for Macs though.

We have our own VPN app which checks the CPU ID and SSD serial number.