This is the way. Machine cert plus MFA (either CAC/PIN or SMS code).
This is the proper way.
Wouldn’t this only work for Windows and VPN servers that support this? OpenVPN for example I don’t think supports it.
Used to use Pulse. They have a host checker that can confirm the machine is joined to the domain, or can scan for specific registry entries.
Same here. Client must meet certain posture checks like the domain they are joined to, our EDR must be installed, and then after all that, they must use their Entra credentials which are also locked down to managed computers.
Cisco FTD
((Shudder))
We are doing this with ASA and AnyConnect also; it was a little tricky to make it run, but it works flawlessly.
Their users have the permissions to install a VPN client?
Agreed…but for the normal user, which the OP is referring to, obscurity would work just fine. Unless he’s an admin for a company of white hat hackers. And even if someone does eventually figure it out, company policy with the threat of termination if anyone tries to put a BYOD device on the network. Still doesn’t negate configuring the VPN using best practices.
Security by obscurity isn’t security
Always fun when the certificate expires because it randomly decided not to renew itself.
Palo Alto can also enable pretty specific and granular machine profiles that need to be validated before connection.
At the end of the day that’s just words on a paper. If you have no way to enforce it through technology it’s slightly more useful than useless.
Are the bad guys also respecting HR’s policy and not attempting to connect to your SSOless MFAless vpn?
HIP check for the win. We check to make sure that the machine is enrolled in MDM, it’s up to date (passed Kolide checks) and a few other things before we allow VPN connections.
This, but deploy your VPN client as an app via package deployment with a profile that includes the PSK.
You can do it with a custom plist if your Macs are managed and your VPN/Profiler support it. PAN does I believe.
So two pieces of information that I can read out and use to connect using my personal computer.
I hope you’re actually doing some kind of encryption too…
MAC addresses can be changed. Horrible security.
To add onto this. You would secure through conditional access and use the grant controls to require either a compliant device or an Entra joined device.
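The grant-control setup described in the comment above, as an added example that is not from any commenter in the thread. It uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy scoped to the VPN's enterprise app; the app ID, policy name and the report-only starting state are assumptions. The built-in control `domainJoinedDevice` is the "require Microsoft Entra hybrid joined device" grant; devices that are Entra joined (not hybrid) typically satisfy the `compliantDevice` control through Intune compliance, so the OR of the two covers both fleets.

```powershell
# Added example (not from the thread): Conditional Access policy that only grants
# the VPN app to a compliant OR hybrid-joined device. Assumes the Microsoft.Graph
# module is installed and the VPN is registered as an enterprise application.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: replace with the application (client) ID of your VPN enterprise app.
$vpnAppId = "00000000-0000-0000-0000-000000000000"

$params = @{
    displayName   = "VPN - require compliant or hybrid-joined device"   # assumed name
    # Start in report-only so sign-in logs show who would be blocked before enforcing.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @()      # put a break-glass account here before switching to "enabled"
        }
        applications   = @{ includeApplications = @($vpnAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"      # either device state satisfies the grant
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```

MFA (the machine-cert-plus-MFA pattern from the top of the thread) is best enforced as a separate policy on the same app with its own `mfa` grant control; putting `mfa` in this policy's `builtInControls` with `operator = "OR"` would let MFA alone satisfy the grant and let an unmanaged device through. Review the report-only results in the sign-in logs, then change `state` to `enabled`.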