always on vpn before windows logon with user certificate as user tunnel

[Gerald Muller1709156932]

Hello,

using the documentation procedure , I’ve been able to configure the machine tunnel using a device certificate and an ldap authentication for the user tunnel.

Now, instead of using the ldap authentication, I wish to use a user certificate to connect the user tunnel. If it’s possible, how can I achieve this?

And if yes, will il be possible to use policies and authorization to allow different access to the user?

Thanks

 

[Brian Korrow]

I’m going to say no, because you have to enable the client certificate policy on the AAA. Not sure the AOService is going to react well to that, and you can not split out to multiple gateways. 
However, if you are looking to do a seamless machine to user tunnel transition if you have Azure AD you could either AAD join or Hybrid join the machine to the Azure AD tenant, then set the next NFactor after AOService to SAML.  I have an EPA scan looking at the registry to determine hybrid join status and if successful using SAML, if not then fail back to LDAP. 

[piddon]

On 11/13/2021 at 11:48 PM, Brian Korrow said:

I’m going to say no, because you have to enable the client certificate policy on the AAA. Not sure the AOService is going to react well to that, and you can not split out to multiple gateways. 
However, if you are looking to do a seamless machine to user tunnel transition if you have Azure AD you could either AAD join or Hybrid join the machine to the Azure AD tenant, then set the next NFactor after AOService to SAML.  I have an EPA scan looking at the registry to determine hybrid join status and if successful using SAML, if not then fail back to LDAP. 

Do you know of any blog post showing the SAML nfactor approach? I’ve been trying to do this but the policy fails.