VPN - client certificate-based authentication

Hello,

I've read some older posts in here, but I'll ask again to make sure:

Are there any plans to allow vpn clients to authenticate using a client certificate only?
So not certificate+user authentication, only certificate authentication.

We have a customer case who wants a vpn which doesn't need any user intervention, to avoid helpdesk calls (of course, vpn & certificate deployment could also create incidents, but that's another thing :-D).

Thanks in advance.

Kind regards,

Thibaud

Comments

  • or maybe any ZTNA solution you're planning to bring...

  • james.carson Moderator, WatchGuard Representative

    Hi @Thibaud

    If the customer would like to VPN without any user intervention, I'd suggest using a small endpoint device (such as a T20 or T40) and a branch office VPN. All of the mobile user VPNs require user authentication. Due to security concerns (it'd be very easy to access the VPN with a compromised cert if this were the case) we don't have any plans on designing the VPN client in order to do this.

    If the customer would like a more hands-off approach, the IKEv2 VPN will store user name and password if that option is enabled in Windows. Password is still required, and will need to be updated if the customer's password ever changes.

    -James Carson
    WatchGuard Customer Support

  • Thanks James
  • @james.carson said:

    Due to security concerns (it'd be very easy to access the VPN with a compromised cert if this were the case) we don't have any plans on designing the VPN client in order to do this.

    If the customer would like a more hands-off approach, the IKEv2 VPN will store user name and password if that option is enabled in Windows. Password is still required, and will need to be updated if the customer's password ever changes.

    Does this mean that the enhancement FBX-7518 which I have a case linked to might not ever see the light of day (it was to allow IKEv2 mobile VPN clients to authenticate using a certificate - in this case an Intune NDES issued one)?

    In my support case (01389860) it was mentioned that L2TP/IPsec does support user authentication, although I have not tried this myself, and our use case doesn't lend itself to using L2TP/IPsec since it is for Microsoft Intune's "Always On VPN" feature (for which IKEv2 is the supported VPN method).

  • james.carson Moderator, WatchGuard Representative

    @PhilT_VIT Reading thru the feature request, certs would likely be in addition to password or some other 2FA token, but not by themselves.

    -James Carson
    WatchGuard Customer Support
