Conditional Access VPN with Azure AD

I utilize Microsoft MFA with NPS and ikev2 today. It does the job, but it would be great if I could have clients authenticate first to Azure AD, then get a time based certificate from Azure where then the firebox has the Azure Root cert created via conditional access to just authenticate the session. It would provide a much more smooth experience.

I believe this would require the firebox to accept cert based authentication that is dynamic which I haven't found or been able to do.

For example see -
MS Guidance on setting it up and how it works.
https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-conditional-access

F5 utilizing it -
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm-f5-access-windows-10-using-intune/3.html

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @AschildmeyerSTR

    IKEv2 does use certs, but not short duration certs. For ease of use we provide an install script that inserts the VPN into the customer's network devices.

    Having to go through the step of adding a VPN each time seems like it'd be a larger burden from the perspective of the end-user.

    I'd be happy to make a feature request on your behalf, but if you can provide me with some of the benefits from your perspective that'd be helpful.

    -James Carson
    WatchGuard Customer Support

  • edited March 2021

    Hey James,

    Thanks, for looking over the idea. It wouldn't be adding the VPN each time like it does with the install script. I use that script as well as some tweaked versions of it and it works nicely. This would keep the ikev2 policy, but there is something in windows 10 where it can detect conditional access based on the vpn settings. It then uses the standard Azure SAML authentication path to authenticate the user. So instead of the windows vpn client issuing a username and password challenge in it's normal window it would create a browser time session like most azure/office365 challenges.

    In Azure AD you generate a root cert in the conditional access options to place on the firebox. Then the conditional access function in Azure generates client certs after they authenticate and get authorization using Azure Conditional Access. The short client cert is then signed with the root cert that would authenticate the connection for that user and the cert would only be good for an hour. If the user gets disconnected within that error the cert just lets them back on without reauth. But if the hour window has passed then they have to go through conditional access again.

    The nice thing about doing this is it allows for using Azure AD without on premise AD and gives users the ability to build conditional access policies with intune. Like is it on a trusted IP, device, did the IP change recently etc. Basically following the rest of the modern authentication flow of Azure AD and cloud services.

    https://youtu.be/UcchWo_dwMs?t=584 this guy shows a SSLVPN action of what it looks like. Fast forward to 9:44 to see the Conditional Access VPN attempt.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @AschildmeyerSTR

    I generated a feature request for you -- it's FBX-21394.

    If you'd like to follow that feature request, please open a support case and mention FBX-21394 somewhere in the case. The tech that is assigned the case can set that up for you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Great! Thanks James, I do appreciate that.

Sign In to comment.