I have a need to connect a fleet of Windows 10 laptops back to the on-prem network for various reasons. Legacy applications, AD, updates, all that jazz.
Whilst we do have Azure AD (all devices are hybrid joined), and an SCCM CMG, we're not yet doing Intune for Windows devices.
So in the interim I want to get all the devices using an always on VPN. Thing is, I've ended up in paralysis by analysis, and not sure where to go next.
Presently I've got pfSense running IPsec with IKEv2, using the Windows Agile VPN client. They use EAP-MSCHAPv2, logging in as the user, with Cisco ISE at the back end. It works well, but many users are hopping on and off the VPN at random, rather than dialling up and staying connected. That's if they connect at all, since some of what they need is available in the cloud and the VPN isn't necessary for their work.
Ideally I want to do Always On VPN, using the inbuilt VPN client, as it allows login scripts and GPO to run, as well as keeping SCCM a bit happier.
But I'm at an impasse as to how that would work. I assumed I could do something like dot1x machine auth (via EAP) but that's not the case. It seems machine certificate auth is pretty simplistic.
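To make the "machine certificate auth" point concrete, here is an added example (not from the post, and not anything the author deployed) of what the built-in Windows client's Always On VPN device tunnel actually looks like: it is IKEv2 with certificate authentication using the computer's own certificate, with no EAP and no user involvement, which is why it feels simpler than 802.1X machine auth. The server FQDN, the issuing CA thumbprint, the on-prem prefixes and the trusted DNS suffix are placeholders you would replace; everything else is the standard VPNv2 CSP profile format applied through the WMI-to-CSP bridge. It has to run as SYSTEM (for example as an SCCM package or scheduled task), because a device tunnel is a system-context profile.

```powershell
# Added example: deploy an Always On VPN *device tunnel* (IKEv2, machine cert auth)
# on Windows 10 Enterprise/Education via the VPNv2 CSP. Run in the SYSTEM context.
#
# Placeholders (assumptions, not values from the post):
$VpnServer   = "vpn.example.com"           # public FQDN on the gateway's server cert
$RootThumb   = "0000000000000000000000000000000000000000"  # SHA-1 of the issuing CA
$TrustedDns  = "corp.example.local"        # suffix seen when already on-prem
$OnPremNets  = @("10.0.0.0/8", "192.168.0.0/16")
$ProfileName = "AOVPN Device Tunnel"

# Guard: the tunnel only works if this machine holds a usable device certificate
# (Client Authentication EKU, issued by the expected CA). Fail early if it does not.
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"
$deviceCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $deviceCert) {
    throw "No valid machine certificate with Client Authentication EKU found; enrol one first."
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($deviceCert) -or
    ($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }) -notcontains $RootThumb) {
    throw "Machine certificate does not chain to the expected CA ($RootThumb)."
}

# Split-tunnel routes: only on-prem prefixes go through the device tunnel.
$routeXml = ($OnPremNets | ForEach-Object {
    $addr, $len = $_ -split "/"
    "  <Route>`n    <Address>$addr</Address>`n    <PrefixSize>$len</PrefixSize>`n  </Route>"
}) -join "`n"

# ProfileXML for the VPNv2 CSP. MachineMethod=Certificate is the whole of the
# "machine auth": IKEv2 certificate authentication with the computer certificate.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>$TrustedDns</TrustedNetworkDetection>
$routeXml
</VPNProfile>
"@

# Apply through the MDM bridge: root\cimv2\mdm\dmmap, class MDM_VPNv2_01.
$Namespace = "root\cimv2\mdm\dmmap"
$ClassName = "MDM_VPNv2_01"
$ParentId  = "./Vendor/MSFT/VPNv2"
$InstanceId = $ProfileName -replace ' ', '%20'

# Replace any existing profile of the same name so re-runs are idempotent.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $InstanceId } |
    Remove-CimInstance

New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
    ParentID   = $ParentId
    InstanceID = $InstanceId
    ProfileXML = $ProfileXML
} | Out-Null

# Check: a device tunnel is an all-user connection, so it appears here, not in the
# per-user list, and should report IKEv2 with certificate authentication.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling, ConnectionStatus
```

Two things worth keeping in mind on the gateway side: the device tunnel authenticates the computer only, so any per-user authorisation (the ISE/EAP-MSCHAPv2 piece described above) still needs a separate user tunnel if you want it, and because the device certificate is the only credential, certificate revocation checking on the gateway is what stops a retired or stolen laptop from reconnecting.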
I can also use a Sophos UTM to terminate traffic, or a Cisco ASA (that's going to need licences). I also looked at RRAS, but my experience of that has been frustrating as the logging isn't as good as strongSwan's, so troubleshooting is tough.
Any thoughts?
Long term, the plan would be more Intune and Cloud All The Things, but not now. I just need to make devices act as if they're on prem.