I'm currently working on configuring a VPN server using RRAS for our employees, which was initially set up by my predecessor. Right now, it's using a cloud-based RADIUS server to enforce MFA following a standard username and password prompt. I'm trying to transition to a certificate-based authentication system, but I've run into some obstacles.
I can connect using computer certificates if I enable the 'Allow machine certificate authentication for IKEv2' option, but doing so completely bypasses our configured RADIUS server and directly connects to Active Directory instead. So, as long as the device has a valid certificate, it can connect without any restrictions from RADIUS/NPS or security groups, which I'm hoping to avoid.
When I disable that option and stick to basic EAP settings, I face two issues:
1. If I set the VPN client to 'Use machine certificates', it fails because the IKE authentication credentials are deemed unacceptable (which makes sense since I disabled the option).
2. Selecting 'Use EAP with Smart Card or other certificate (EAP-TLS)' gives an error stating that a suitable certificate could not be found, despite having a valid one that I use for WiFi authentication.
I suspect the issue is that Windows is trying to use a user certificate instead of the intended computer certificate. Is there a way to ensure the VPN connection specifically utilizes IKEv2, EAP-TLS, and computer certificates without reverting to user certificates?
2 Answers
It looks like there's a bit of confusion between the Device Tunnel and User Tunnel concepts. The Device Tunnel should automatically establish if a valid device certificate is presented, while RADIUS manages user access based on group membership. If you’re struggling, I'd suggest checking out Richard Hicks's resources on Always On VPN for further clarification. You can get a lot of helpful insights there!
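The device tunnel versus user tunnel split this answer describes, written out as two client-side profiles in PowerShell. This is an added example and not the poster's or Microsoft's code. It assumes the RRAS server is reachable as the placeholder name vpn.example.com, that an EAP-TLS connection named 'EAP-TLS Template' was built once through the Windows GUI so its EAP XML can be reused rather than hand-written, and that the script runs in an elevated session on a domain-joined Windows client.

```powershell
# Added example, not from the thread. Server and template names are placeholders.
$Server       = 'vpn.example.com'      # placeholder RRAS public FQDN
$TemplateName = 'EAP-TLS Template'     # placeholder: a GUI-built EAP-TLS connection

# Machine certificates live in LocalMachine\My; EAP-TLS in a user tunnel searches
# CurrentUser\My. A "suitable certificate could not be found" error usually means the
# store being searched has no unexpired certificate with a private key and the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2).
function Get-ClientAuthCertificate {
    param([ValidateSet('LocalMachine', 'CurrentUser')][string]$Store)
    Get-ChildItem "Cert:\$Store\My" |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        }
}

Write-Host "Machine certs usable for IKEv2 machine auth: $((Get-ClientAuthCertificate LocalMachine).Count)"
Write-Host "User certs usable for EAP-TLS in a user tunnel: $((Get-ClientAuthCertificate CurrentUser).Count)"

# Device tunnel: IKEv2 authenticated with the machine certificate. As the question
# observed, RRAS authorises this on the certificate alone; NPS/RADIUS and AD group
# checks are not consulted. -AllUserConnection stores the profile machine-wide.
Add-VpnConnection -Name 'Corp Device Tunnel' `
    -ServerAddress $Server `
    -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate `
    -AllUserConnection -Force

# User tunnel: IKEv2 with EAP-TLS, so authentication is forwarded to NPS/RADIUS,
# where the network policy (group membership, MFA) is enforced. The EAP XML is
# copied from the template connection instead of being typed by hand.
$EapXml = Get-VpnConnection -Name $TemplateName |
    Select-Object -ExpandProperty EapConfigXmlStream
Add-VpnConnection -Name 'Corp User Tunnel' `
    -ServerAddress $Server `
    -TunnelType IKEv2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -EapConfigXmlStream $EapXml `
    -Force

# Verify which authentication path each profile will take before testing a dial-in.
Get-VpnConnection -AllUserConnection -Name 'Corp Device Tunnel' |
    Select-Object Name, TunnelType, AuthenticationMethod
Get-VpnConnection -Name 'Corp User Tunnel' |
    Select-Object Name, TunnelType, AuthenticationMethod
```

The two profiles only decide which authentication path the client presents; whether a device or user is allowed in on the basis of group membership is still decided by the NPS network policy that the user tunnel's EAP-TLS request reaches, and the machine-certificate device tunnel never reaches it. The certificate-store check at the top is the quickest way to tell which of the two stores the client is actually searching when it reports that no suitable certificate exists.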
It seems like you're mixing up the roles of machine and user certificates a bit. When you enable 'Allow machine certificate authentication', it's for phase 1, which strictly uses certificate authentication while bypassing AD. After this, you’d typically do a user authentication, but machine certs aren’t directly usable for that. Could you clarify what requirements are pushing you towards EAP over the machine certs and causing these security concerns?
When you mention 'after phase 1 there’s user authentication', who is that user exactly? Once I configure 'Use machine certificates' on the client, the RAS doesn't have knowledge of the logged-in user, so the connection still succeeds. You're right, it's purely certificate-based without AD involvement, but how does user access come into play?
Thanks for the recommendation! Just to clarify, I'm not going for AOVPN; I want users to manually start the connection as needed. I also need to confirm that the device has the right group membership, not just a valid certificate, similar to our current WiFi access setup.