Really depends on what you have… Forti and Cisco have ways to query the client when you connect. Others have mentioned SAML with Entra (which means something is querying the client via the browser).
Using Cisco ISE & AVC to scan for features, AV and whatever other security policies (e.g. minimum OS level) to ensure even personal laptops have the necessary baseline security requirements. Granted, we do not have many “users” in the standard sense so maybe it allows a little more trust.
Best scenario is to use SAML-based Horizon VDI or a similar client, and all work is done in the VDI (VMware, AWS, MS, pick your flavor of remote desktop). If the user's company-issued device goes down they can use a personal one until the replacement arrives. Almost all security concerns are non-existent as there is no direct access from the user device to the company network. IMO anyway, this is the best and the direction we steer clients in unless they have specific business requirements/rationale. This solution is also FedRAMP High compliant; basically meaning if set up correctly, it's secure.
Key based device auth.
Customer contract, certification, and audit required. Employee policy enforced.
Last place wasn’t that way at first, but customer contracts drove the business need. No traction before that. Usually how that goes.
Later became an insurance requirement also but we were already there. Separate audit by checkbox auditors.
ZTNA and multiple posture checks
Multiple things, policy, compliance, posture check (like machine must have a certain registry key or something).
Use AAD (Azure AD) for authentication & have a BYOD block policy. Let Microsoft do the heavy lifting.
Use a VLAN for the computers, and if they don't auth, deny access in RADIUS.
I’ve used Cisco AnyConnect that was locked to my MAC address. Not my doing and a real pain in the ass.
Edit: words!
Depends what you use actually, but many possibilities here: zero trust, RADIUS, let Microsoft handle it with policies blocking BYOD, FortiEMS etc…
The client needs to be installed and configured with the server. Even if someone got their hands on the installer and figured out the server for the connection, each new machine is automatically quarantined and blocked from fully connecting when it connects.
DUO trusted endpoints
Host checker for us. It checks for our antivirus and proxy service agent installed, with specific versions required.
The same way we prevent everything else coming from non-company devices…. Conditional Access policies.
Posture requirements checked via Cisco ISE.
- MDR
- Windows up to date
- PC bound to company domain
- Antivirus installed and up to date
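As an added illustration (not code from any commenter or from a vendor product), here is a deny-by-default evaluation of the checklist above, with assumed thresholds and constructed sample endpoints; a device that fails any check is steered to a quarantine VLAN, as other replies describe:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Attributes a VPN/NAC client would report about the connecting endpoint.
    These fields are a constructed model for this example, not a vendor schema."""
    mdr_agent_running: bool
    os_build: tuple          # (major, minor, build), e.g. (10, 0, 19045)
    domain_joined: bool
    av_installed: bool
    av_signature_age_days: int


# Policy thresholds are assumed values chosen for illustration only.
POLICY = {
    "min_os_build": (10, 0, 19045),
    "max_av_signature_age_days": 3,
    "corp_vlan": 100,
    "quarantine_vlan": 999,
}


def evaluate_posture(device, policy=POLICY):
    """Deny-by-default: every check must pass or the session is quarantined.
    Returns the decision, the VLAN to assign and the list of failed checks."""
    failures = []
    if not device.mdr_agent_running:
        failures.append("mdr_agent_missing")
    if device.os_build < policy["min_os_build"]:
        failures.append("os_below_minimum_build")
    if not device.domain_joined:
        failures.append("not_domain_joined")
    if not device.av_installed:
        failures.append("av_missing")
    elif device.av_signature_age_days > policy["max_av_signature_age_days"]:
        failures.append("av_signatures_stale")
    allowed = not failures
    return {
        "allowed": allowed,
        "vlan": policy["corp_vlan"] if allowed else policy["quarantine_vlan"],
        "failures": failures,
    }


# Constructed sample endpoints: a managed corporate laptop and a personal one.
CORP_LAPTOP = DevicePosture(True, (10, 0, 19045), True, True, 1)
PERSONAL_LAPTOP = DevicePosture(False, (10, 0, 19041), False, True, 30)

if __name__ == "__main__":
    for name, dev in (("corp", CORP_LAPTOP), ("personal", PERSONAL_LAPTOP)):
        print(name, evaluate_posture(dev))
```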
Okta can check if their device is MDM enrolled, and if it isn’t it won’t let them authenticate to the VPN app. Same with access to other Okta-gated apps we don’t want accessed on non company devices.
One of our clients uses Pulse Secure and has a rule where you need to add the MAC address to access the VPN. Also they have a ton of other rules in place for various security software to be present and certain processes to be running. So even if someone knew their VPN address, they have to get past a tightly managed access list.
Conditional Access policies that only allow hybrid-joined devices.
End users should be blocked with technical controls that prevent them from installing software to begin with. Don’t give them admin rights on their computers.
SSO to Entra ID. Entra ID does not allow authentication unless it’s on a device managed by Intune.
Bing bang boom.
PKI, MAC and AD authorization.
Also helps if the VPN software is not customer-downloadable (like Cisco’s VPN client).