GSAC
Golden State Athletic Conference?
Gas Station Arts Centre?
Great Southwest Athletic Conference?
Graduate Student Advisory Council?
Those are what come up on the first page of Google. What’s the full name of what you mean?
If it’s the user’s personally owned device, as mentioned by OP, then yes, they’re probably going to be an admin.
This is the way to do this properly
Could you set this up with the native Windows VPN server service, where you could have SAML authentication/authorization?
health
“Error: user has a cold”
Yep. That’s the right way to
This here is the right way
Business requires non-managed devices to connect, so we use a third-party posturing tool to verify that non-managed devices are of optimal security posture and allow those to connect as well.
You are doing it right.
We’re using SAML auth VPN with Azure CAPs, but instead we outright block all device OS types (Android, Linux) that we don’t own/support as desktop devices. All other devices must be domain joined & compliant in Intune.
Intune contains a custom compliance detection policy that checks not only for required security functions but also that our EDR & AV agents are installed and that the registry key for the last policy sync epoch date is within 5 days. A simultaneous remediation script also checks and reinstalls agents that are disabled/broken/out of sync every few hours.
A lot of our core apps are published with reverse proxies and some slightly less severe CAPs, plus we have a VDI/RemoteApp farm, so waiting for a spare machine that’s been offline for a while to sync up and self-heal isn’t as disruptive as it may sound.
Edit: we run some devices where users have admin rights, as well as some external contractor scenarios so reporting on device health is more effective than just assuming all corporate devices are safe.
Beware there sometimes are ways to export the keys of those non-exportable certificates. A skilled attacker may still be able to copy them and connect to your VPN from another machine, which might let them go from having temporary access to a user’s laptop to having near-permanent access from their own.
It will stop pretty much every regular user though. No more just copying the settings from the work laptop to their personal one and entering their own password.
We do certs, with MDM using Intune, and enforce checks on our VPN client: if you are not managed and don’t have the cert, you cannot connect.
For those working in more modern spaces, you can also push user/device certs from ADCS via Intune via SCEP. I’ve done it via the Intune Certificate Connector and Azure Application Proxy, but if I had to do it from scratch again I’d use SCEPman.
User certs can be marked as non-exportable. Users won’t be able to export the private keys from the MMC interface or any other normal methods.
I think all the ways to export non-exportable certs require at least admin rights.
OpenVPN can use PKI certs (and soon it will be the only option), so I’d be very surprised if you couldn’t massage it into using ADCS certs.
The OpenVPN server can also be told to run a script on auth, and if the script exits !=0 it kicks the connection with an auth failure. You could potentially one-two this with the certs to do a backend check if the computer is allowed to auth.
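One way to wire up the backend check the comment above describes, as an added example rather than anything posted in the thread: a POSIX `--tls-verify` hook (run with `--script-security 2`) that accepts only leaf certificates whose CN appears in a local allowlist and rejects everything else with a non-zero exit. The allowlist path, the hostname-style CN format and the `--selftest` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN --tls-verify hook.
# OpenVPN invokes it as:  script <depth> <x509-subject>
# A non-zero exit status makes OpenVPN reject the connection as an auth failure.
# Assumption: one allowed device CN per line in this file (path is this example's choice).
ALLOWLIST="${OPENVPN_ALLOWLIST:-/etc/openvpn/allowed-hosts.txt}"

# cn_from_subject SUBJECT -> prints the CN, accepting both subject styles
# OpenVPN has used: "/C=US/O=Corp/CN=host1" and "C=US, O=Corp, CN=host1".
cn_from_subject() {
    printf '%s\n' "$1" | tr '/,' '\n\n' | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# check_client DEPTH SUBJECT -> 0 = accept, 1 = reject.
# Only the leaf (depth 0) is matched against the allowlist; CA/intermediate
# certs pass through because OpenVPN already validated the chain against --ca.
check_client() {
    depth="$1"; subject="$2"
    [ "$depth" -ne 0 ] && return 0
    # Prefer OpenVPN's X509_0_CN env var when present, else parse the argument.
    cn="${X509_0_CN:-$(cn_from_subject "$subject")}"
    [ -n "$cn" ] || return 1                              # no CN at all: reject
    case "$cn" in *[!A-Za-z0-9._-]*) return 1 ;; esac     # refuse odd characters
    grep -Fxq -- "$cn" "$ALLOWLIST"                       # exact whole-line match
}

# Stand-alone demo: "./check_client.sh --selftest" uses a constructed allowlist.
if [ "${1:-}" = "--selftest" ]; then
    ALLOWLIST=$(mktemp); printf 'laptop-0142\nlaptop-0143\n' > "$ALLOWLIST"
    check_client 0 "C=US, O=Corp, CN=laptop-0142" && echo "accept laptop-0142"
    check_client 0 "/C=US/O=Corp/CN=laptop-0999" || echo "reject laptop-0999"
    rm -f "$ALLOWLIST"
    exit 0
fi
# Normal operation: OpenVPN passes exactly <depth> <subject>.
if [ $# -eq 2 ]; then check_client "$1" "$2"; exit $?; fi
```

Pair this with client certs from the PKI for the "is this computer allowed" decision; the script adds the per-device backend check, it does not replace chain validation.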
RADIUS authentication, plus require a client cert on the VPN tunnel. You’ll need the root CA put on the firewall.
Yes. The app is managed in Entra just like any other SAML/OAuth app. Authentication is done with Conditional Access policies, so you can require passwordless or FIDO keys, etc. Compliance is managed in Intune.
I would assume they would on their non-work PCs.
Yeah, that can definitely be problematic.
What are your cert lifetimes?
My workaround is to give my helpdesk permissions on a certificate template that allows them to manually generate a short-lifetime certificate, which they can then push to the disconnected client out of band.
Usually, if it’s not calling into the CA, it’s indicative of a larger group policy processing problem. I try to press to get those machines re-imaged. Usually those problems don’t go away even if you do get GP going again.