Allowing access from company devices only?
Posted: Mon Nov 22, 2021 11:20 am
Does anyone have a way to restrict OpenVPN access to just company devices? This is by far our biggest request, and while the 'post_auth hardware address checking script' works, it is cumbersome to manage. (https://openvpn.net/vpn-server-resource ... -checking/)
We use the Azure NPS agent so all logins are via Azure + MFA push, but we are looking to add conditional access rules so you can only connect if your device is AD or Hybrid AD joined. Alternatively, maybe install a certificate on each company device that we could check for, but we have not had any luck figuring this out.
In the meantime we will use the "post_auth hardware address checking script", but the limitation to just two MAC addresses per user is a problem as most users have three MACs (NIC, Wi-Fi, and docking).
Any ideas?
Thank you
PS: we run Access Server in AWS and all 100+ systems are up to date running 2.9.5 on Ubuntu 18.
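As an added example (not the OpenVPN script linked in the post and not the poster's code), the following post_auth module keeps an allowlist file with any number of hardware addresses per user, which removes the two-address limit the post describes. The hook signature `post_auth_cr(authcred, attributes, authret, client_info, crstate)`, the `client_info["HWADDR"]` key, the `pyovpn.plugin` constants and the allowlist path are assumptions about the Access Server plugin interface; the allowlist file format is invented here.

```python
"""Allowlist-based hardware-address check for an OpenVPN Access Server
post_auth script (example code, not the official script).

Assumed (not confirmed by the post):
  * the hook is post_auth_cr(authcred, attributes, authret, client_info, crstate)
  * client_info["HWADDR"] carries the address the client reported
  * SUCCEED / FAIL come from pyovpn.plugin inside the server
Invented allowlist format, one user per line, any number of MACs:
    # user   mac              mac                mac
    alice    00:11:22:33:44:55  AA-BB-CC-DD-EE-FF  0011.2233.4466
"""
import re

try:
    from pyovpn.plugin import SUCCEED, FAIL   # present inside Access Server
except ImportError:                           # stand-alone use outside the server
    SUCCEED, FAIL = 0, 1                      # placeholder values

ALLOWLIST_PATH = "/etc/openvpn-as-hwaddr-allowlist.txt"   # hypothetical path

_TWELVE_HEX = re.compile(r"[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalize colon, dash, dot or bare notations to 12 lowercase hex
    digits. Returns None when the value is not a 48-bit hardware address."""
    digits = re.sub(r"[:\-\.\s]", "", (raw or "").strip().lower())
    return digits if _TWELVE_HEX.match(digits) else None


def parse_allowlist(text):
    """Parse 'user mac mac ...' lines into {user: frozenset(normalized macs)}.
    Blank lines and '#' comments are ignored. A malformed MAC raises rather
    than silently shrinking a user's device set."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, *macs = line.split()
        for mac in macs:
            norm = normalize_mac(mac)
            if norm is None:
                raise ValueError("allowlist line %d: bad MAC %r" % (lineno, mac))
            table.setdefault(user, set()).add(norm)
    return {user: frozenset(macs) for user, macs in table.items()}


def load_allowlist(path=ALLOWLIST_PATH):
    with open(path) as handle:
        return parse_allowlist(handle.read())


def is_allowed(table, user, hwaddr):
    """Fail closed: unknown user, missing address or unlisted address all
    deny. The presented address is normalized before comparison."""
    norm = normalize_mac(hwaddr)
    return norm is not None and norm in table.get(user, frozenset())


def post_auth_cr(authcred, attributes, authret, client_info, crstate, allowlist=None):
    """Post-auth hook (signature assumed). Runs after primary auth, so an
    already-failed login is passed through untouched; a successful one is
    additionally required to come from an enrolled device for that user."""
    if authret.get("status") != SUCCEED:
        return authret
    table = allowlist if allowlist is not None else load_allowlist()
    user = authcred.get("username", "")
    hwaddr = client_info.get("HWADDR", "")
    if not is_allowed(table, user, hwaddr):
        authret["status"] = FAIL
        authret["reason"] = "hardware address %r not enrolled for user %r" % (hwaddr, user)
        authret["client_reason"] = "This device is not an approved company device"
    return authret
```

The check only denies logins that primary authentication already accepted, so it layers on top of the Azure + MFA step rather than replacing it. Keep in mind that the address is whatever the client reports, so this remains an inventory check and not device attestation; the certificate or AD-join based conditional access the post asks about is the stronger control, and this list is a stopgap that is at least not capped at two entries per user.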