Always On VPN with 3rd-party VPN

Morning all,

I’m exploring using Always On VPN on Windows 10, but rather than use an RRAS server it would be using a 3rd-party firewall as the VPN endpoint, with IKEv2 using NPS and RADIUS behind it. The reasons are a bit complex but come down to merging companies and a mix of technologies, so I’m trying to get something working with existing infrastructure with relatively minimal change.

As far as I can tell this is possible, and the world authority Richard Hicks mentions this too in one of his posts. I’ve seen mention of it in a load of the posts on here.

Has anyone ever actually done this or has anyone found a blog or anything with how to do it? I’ve read 50 things today but I am more than a little confused.

TIA!

Do you have Azure AD as well? A good VPN solution today is one of the “Zero Trust” access products, the likes of Prisma Access, Zscaler Access, Proofpoint Meta.

Those are modern VPN 2.0s that can do what you want without the need for RADIUS and old NPS.

Only if the 3rd-party VPN understands you want to use Microsoft’s PKI, i.e. certificates tied to AD users/machines and optionally Azure AD if you want to use Conditional Access.

What this boils down to is a VPN server that supports the Microsoft-specific MS-CHAPv2 and the Protected EAP (PEAP) EAP extension.

To your dismay, you will probably discover most if not all 3rd-party VPNs support EAP-TLS instead of PEAP-MSCHAPv2, leaving you with a RAS server as the only on-prem solution.

I am pretty sure a coworker said he had this working for a PoC on a FortiGate firewall, probably running 5.6 or 6.0 code at the time. I don’t have specifics on the configuration and it never went live, so I don’t have a load more to go on, but I could at least ask next week if there were any gotchas etc., or if it didn’t work!

Thanks, I’ve got zero budget to spend so changing to a different platform isn’t possible at the moment.

I’ve just looked at their websites and they tell you absolutely nothing about how they work. It’s just VPN2.0, security perimeter, buzzword bingo. What happened to the days when tech companies sold to techies by actually explaining what and how their stuff works!!!

The firewall we’re using (WatchGuard) for IKEv2 connections will only use a RADIUS server for authentication, and we’ve got Windows NPS doing that. The WG doc says it will only use EAP-MSCHAPv2 for auth, so this looks like it might be possible. I can feel a lot more reading coming on unless I can find some nice soul who’s done this and written it up.

Thanks.
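The client side of the setup described in that post (an IKEv2 user tunnel on Windows 10 authenticating with EAP-MSCHAPv2 against a RADIUS/NPS backend behind a third-party firewall) can be built from PowerShell. The script below is an added example and is not from the original thread or from WatchGuard or Microsoft documentation; the profile name, server address and IPsec proposal values are assumptions that must be changed to match the firewall’s Phase 1/Phase 2 settings. It also shows, for contrast, what a device tunnel would need, since that uses machine-certificate authentication rather than EAP.

```powershell
# Added example: IKEv2 user tunnel using EAP-MSCHAPv2 (EAP method type 26), the
# method the post says the WatchGuard RADIUS integration supports. Run elevated.

$ProfileName   = 'Corp-IKEv2'         # assumption: pick your own name
$ServerAddress = 'vpn.example.com'    # assumption: firewall's public FQDN/IP

# EapHostConfig for plain EAP-MSCHAPv2 (type 26), not PEAP (type 25) wrapping it.
# UseWinLogonCredentials=true lets the user tunnel reuse the domain logon, so the
# user is not prompted; set it to false to force a credential prompt.
$EapXml = [xml]@"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# Create the per-user IKEv2 connection. EncryptionLevel Required refuses to fall
# back to an unencrypted association; SplitTunneling keeps internet traffic local.
Add-VpnConnection -Name $ProfileName `
                  -ServerAddress $ServerAddress `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EapConfigXmlStream $EapXml `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential `
                  -Force

# Windows' default IKEv2 proposal is weak (it still offers DES/3DES, SHA-1 and
# DH group 2). Pin a modern proposal; the values below are assumptions and must
# mirror the firewall's Phase 1 (IKE) and Phase 2 (IPsec) configuration exactly,
# otherwise negotiation fails with error 13868 (policy mismatch).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ProfileName `
    -AuthenticationTransformConstants GCMAES128 `
    -CipherTransformConstants GCMAES128 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Verify what was created before testing with rasdial.
Get-VpnConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, RememberCredential

# For comparison only: an Always On VPN *device* tunnel cannot use EAP at all.
# It is an all-users IKEv2 connection authenticated with the machine certificate,
# so the VPN gateway has to validate that certificate itself rather than hand a
# RADIUS user/password exchange to NPS.
# Add-VpnConnection -Name 'Corp-Device' -ServerAddress $ServerAddress `
#     -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
#     -AllUserConnection -Force
```

Test the user tunnel with `rasdial Corp-IKEv2` while watching NPS event ID 6272/6273 (access granted/denied) on the RADIUS server; a 6273 with reason “authentication method not supported” means the NPS network policy does not list EAP-MSCHAPv2 as an allowed EAP type. The commented device-tunnel line is included only to make the distinction visible: if the firewall can only consult RADIUS for user credentials, it has no way to evaluate a machine certificate, which is why the device tunnel cannot be reproduced on it.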

Yeah, I dislike tech sales as well; it’s the American way of credit cards and 3 sales meetings…

The main difference in a VPN 2.0 is that you have a global VPN receiver, or VPN firewall if you will, so that users connect to the nearest point of access. Some companies have 5, some have 25 points of access spanning the globe, ensuring a good VPN connection into the computer highway (instead of having to navigate through the African desert via public internet lines).

It’s also click-to-set-up, with granular rules that are easy to define; they are lightweight, they do posture controls and modern MFA, outbound proxy only, and are always up to date as a SaaS offering.

Doesn’t work. You can’t authenticate the computer VPN logins with a WatchGuard. It only understands users.

It looks like it will trombone the traffic through the cloud provider then, if I understand it correctly. Might be one to consider in the future; thanks for your input.

I’m rapidly coming to this conclusion myself, unfortunately. Shame, as it would have been a nice method. Thanks.

Yes, you can split tunnel it. If you go full tunnel you basically cloud-gateway your devices, which is a good long-term strategy for things like zero trust.