Many VPN solutions have something called a Posture Check, which can vary with methods: certs, registry keys, domain join status, computer name or part of it, even the existence of a file or folder. Any of these can be used to prevent non-domain computers from using VPN. Just a matter of how secure you want it and how much work you want to put into it. PKI is secure but can be a very steep curve to implement. A file or folder with an obscure name and location is easy to implement but less secure if the users learn of it.
Proper modern (post-COVID) SASE-type VPN with posture checks. Won’t let the PC connect if they are not following X, Y and Z, amongst them being in Intune, having the company EDR installed, etc.
Which vendor’s VPN are you using? Many offer this capability built in as a feature of the client with a watchdog agent that verifies the machine is compliant before allowing the connection.
Always On VPN requires it to be domain joined with PKI.
Moving to SAML auth is my best suggestion. Many good VPN solution providers support it and it will incentivize you to secure your SAML platform appropriately (win/win).
HIP Checks with Palo Alto.
I count on my users being dumb as rocks!
realtalk: Certificates like most everyone else here, but also most of my users struggle to forward emails correctly, soo…
So I just started at a new co and said I was going to deploy a new VPN… it’s machine certs and it works fantastic
Conditional Access Policies, Certificates, PAC file, the list goes on. Haven’t used RADIUS but would assume you can check for a file or conditions. You can verify it’s a domain or hybrid joined machine. Look for an installation certificate. We have a hidden folder that, after software is pushed to a machine, drops what’s called a tag file. Just says tag#### with the numbers being the app’s ID.
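As an added example (not posted by anyone in this thread and not any vendor's client code), here is a PowerShell posture report that evaluates the kinds of checks the first comment lists (domain join status, machine certificate, registry key, file existence) plus the hidden tag file idea from the comment above. The CA issuer name, tag file path and registry key/value are placeholders you would replace with your own; a real deployment relies on the VPN vendor's agent to enforce the result, this script only reports it.

```powershell
# Added example: client-side VPN posture report. All paths/names below are
# placeholders (assumptions), not values from any real environment.

$ExpectedIssuer = 'CN=EXAMPLE-CORP-CA'                 # placeholder: enterprise CA subject
$TagFile        = 'C:\ProgramData\.corp\tag1234'       # placeholder: hidden tag file from deployment
$RegKey         = 'HKLM:\SOFTWARE\ExampleCorp\Deploy'  # placeholder: registry marker key
$RegValueName   = 'Baseline'                           # placeholder: registry value name
$RegExpected    = '2024.1'                             # placeholder: expected baseline value

function Test-VpnPosture {
    $results = [ordered]@{}

    # 1. Domain join status (Win32_ComputerSystem.PartOfDomain is $true on domain-joined hosts)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results.DomainJoined = [bool]$cs.PartOfDomain

    # 2. Machine certificate: must live in the LocalMachine\My store (not the user's store),
    #    be issued by our CA, carry a private key, and be within its validity window.
    $now = Get-Date
    $machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Issuer -eq $ExpectedIssuer -and
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    $results.MachineCert = [bool]$machineCert

    # 3. Hidden tag file dropped by the software deployment (weakest check: copyable if discovered)
    $results.TagFile = Test-Path -LiteralPath $TagFile -PathType Leaf

    # 4. Registry marker written by the deployment baseline
    $regVal = $null
    if (Test-Path -LiteralPath $RegKey) {
        $regVal = (Get-ItemProperty -LiteralPath $RegKey -Name $RegValueName -ErrorAction SilentlyContinue).$RegValueName
    }
    $results.RegistryMarker = ($regVal -eq $RegExpected)

    # Overall: compliant only if every individual check passed
    $results.Compliant = -not ($results.Values -contains $false)

    [pscustomobject]$results
}

# Usage: print the per-check results and the overall verdict
Test-VpnPosture | Format-List
```

The machine certificate check is the one that carries real weight, for the reason given later in the thread: a cert in the LocalMachine store needs admin rights to export, whereas the tag file and registry marker are only as secret as their location. The script does not inspect the key's export policy, so a cert with an exportable private key still passes check 2.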
You express to management how dangerous this is. It should also be a formal part of your software/Internet usage policy and you fire the first SOB loudly who is caught violating the rule. IT has made a cottage industry out of technical solutions to management problems.
Just as you auth users, you can auth computers/verify that they are on the domain with RADIUS.
I don’t. ZTNA enables end users to use any device.
Remove VPN and use GSAC. Used PKI previously.
I use FortiClient. I have to manually configure the IPsec key, so unless they get a hold of that (which would be a pretty bad data breach), no one is getting on our VPN without my say so.
We do this, and we use SAML auth with Azure/CAPs. It has to have our cert, and follow all of the conditional access policies (health, Geolocation, Intune management, etc) before it can connect to the VPN.
I think that’s my answer right there. Thank you all!
This. Machine certs automatically pushed from Active Directory is the best.
User certs can be exported by users. Machine certs require admin rights to export. Assuming everyone doesn’t have local admin rights, machine certs are best.
I was going to post exactly this.
Another option is to use Entra ID and Intune enrollment (which uses certificates) and configure SAML SSO with Entra ID for VPN, requiring Intune enrollment to log in, and restrict Intune Enrollment of course.
This^^. We have our User and Computer certs set to NOT allow export, so there is no way for the user to re-use them on personal equipment.
You can export non-exportable certificates. Several tools can do this. When someone wants to use a private computer, they will mostly find a way to do so.