Does anyone have a way to restrict OpenVPN access to just company devices? This is by far our biggest request, and while the 'post_auth hardware address checking script' works, it is cumbersome to manage. (https://openvpn.net/vpn-server-resource ... -checking/)
We use the Azure NPS agent, so all logins are via Azure + MFA push, but we are looking to add conditional access rules so you can only connect if your device is AD or Hybrid AD joined. Alternatively, maybe install a certificate on each company device that we could check for, but we have not had any luck figuring this out.
In the meantime we will use the "post_auth hardware address checking script", but the limitation to just two MAC addresses per user is a problem, as most users have three MACs (NIC, Wi-Fi, and docking).
Any ideas?
Thank you
PS: we run Access Server in AWS and all 100+ systems are up to date running 2.9.5 on Ubuntu 18.
Allowing access from company devices only?
- OpenVpn Newbie, Posts: 6, Joined: Thu Jun 01, 2017 9:40 am
- OpenVPN Power User, Posts: 156, Joined: Thu Mar 28, 2013 8:31 am
Re: Allowing access from company devices only?
If you know a little Python, you can easily extend the existing post_auth script to support three MACs instead of just two.
If you are already using Azure MFA push then maybe what you are looking for to accomplish locking to a device is Windows Hello for Business to leverage the device's TPM. I recommend you get in touch with Azure support.
PS: 2.9.5 is no longer up to date. 2.9.6 provides a security fix.
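Along the lines of the reply above, here is an added example (written for this page; it is neither the poster's script nor OpenVPN Inc.'s stock post_auth_hardware_check.py) of the allow-list logic generalised from two MAC addresses to a configurable MAX_DEVICES, so a NIC, a Wi-Fi adapter and a docking station all fit. The pure-Python helpers carry the decision logic and run stand-alone; the post_auth_cr() hook at the bottom shows how it would plug into Access Server. The hook signature, the (authret, proplist_save) return shape, authcred['client_hw_addr'], attributes['vpn_auth'] and the property name pvt_hw_addr_list are my reading of the stock script and are assumptions to verify against your installed copy.

```python
"""
Added example, not the forum poster's script and not the stock Access Server
post_auth_hardware_check.py: the same allow-list idea, generalised from two
MAC addresses to MAX_DEVICES. Argument shapes and property names are assumed
from the stock script and should be checked against the installed version.
"""
import re

MAX_DEVICES = 3                    # NIC, Wi-Fi, docking station
LIST_PROP = "pvt_hw_addr_list"     # assumed name; only pvt_* properties persist
                                   # (the stock script uses pvt_hw_addr / pvt_hw_addr2)

# Placeholders so this file runs outside Access Server; on the server use
#   from pyovpn.plugin import SUCCEED, FAIL
SUCCEED = "SUCCEED"
FAIL = "FAIL"

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonical 'aa:bb:cc:dd:ee:ff' for ':', '-', '.' or no separator; None if not a MAC."""
    if not raw:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _TWELVE_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_hw_addr(known_csv, client_hw_addr, max_devices=MAX_DEVICES):
    """
    Compare the reported address with the user's enrolled list.
    known_csv: comma-separated enrolled MACs as stored in the user property.
    Returns (allowed, updated_csv, reason); updated_csv differs from
    known_csv only when a new device was enrolled.
    """
    known = [m for m in (known_csv or "").split(",") if m]
    mac = normalize_mac(client_hw_addr)
    if mac is None:
        # Design choice in this example: a client that reports no usable address is refused
        return False, known_csv, "no usable hardware address reported"
    if mac in known:
        return True, known_csv, "known device %s" % mac
    if len(known) >= max_devices:
        return False, known_csv, "device %s not enrolled and limit of %d reached" % (mac, max_devices)
    known.append(mac)
    return True, ",".join(known), "enrolled %s (%d of %d)" % (mac, len(known), max_devices)


def post_auth_cr(authcred, attributes, authret, info, crstate):
    """
    Access Server entry point (assumed signature, mirroring the stock script).
    Returns (authret, proplist_save); properties placed in proplist_save are
    written back to the user record. Non-VPN logins (web UI, XML-RPC) carry no
    hardware address and are passed through, as the stock script does.
    """
    proplist_save = {}
    if not attributes.get("vpn_auth"):
        return authret, proplist_save
    proplist = authret.setdefault("proplist", {})
    known_csv = proplist.get(LIST_PROP, "")
    allowed, updated_csv, reason = check_hw_addr(known_csv, authcred.get("client_hw_addr"))
    if updated_csv != known_csv:
        proplist_save[LIST_PROP] = updated_csv          # enrol the new device
    if not allowed:
        authret["status"] = FAIL
        authret["reason"] = reason                      # server-side log
        authret["client_reason"] = "This account may only connect from enrolled company devices."
    return authret, proplist_save


if __name__ == "__main__":
    # Constructed walk-through: one user, four devices, limit of three.
    record = {}
    for hw in ("00:11:22:33:44:55", "00-11-22-33-44-66", "001122334477", "00:11:22:33:44:88"):
        authret = {"status": SUCCEED, "proplist": dict(record)}
        authret, save = post_auth_cr({"client_hw_addr": hw}, {"vpn_auth": True}, authret, {}, None)
        record.update(save)
        print(hw, "->", authret["status"], authret.get("reason", "ok"))
```

Two caveats before relying on this. The hardware address reaches the server as IV_HWADDR in the client's peer-info, which the client chooses to send and can set to anything, so this check stops casual use of a stolen password from a personal laptop but is not device attestation; a per-device client certificate or the Azure device-join condition mentioned above binds far more strongly. Enrolment is also first come, first served, exactly as with the stock two-address script: whoever connects with valid credentials before the slots are full gets enrolled, so pre-populating the property for each user (or clearing it when a device is retired) is part of operating it. Finally, refusing a connection with no reported address, as this example does, will lock out any client that does not push peer-info; drop that branch if you have such clients.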