
Securing VPN Authentication with AD CS

Remote work has been growing since the dawn of the digital age, but it jumped especially sharply after the outbreak of the COVID-19 pandemic. Because of this, organizations around the world have turned to VPNs so that employees can reach company data from their homes.

According to SANS ISC instructors, who run a program that monitors cyberattacks, VPN security should be a top priority now that millions of people work remotely. Even as quarantine protocols relax worldwide, demand for VPNs remains 22% higher than it was before the pandemic started.

But what is the best method for securing that access? Digital certificates, of course! Certificates have taken the top spot in authentication because of their strong security and proven superiority over passwords. Check out how we helped one of our customers here.

Many organizations have turned to Active Directory Certificate Services (AD CS), the Windows Server role that issues digital certificates, for their certificate needs. But can you use AD CS to secure your VPN?


What is the Always On VPN Solution?

Always On VPN is a Microsoft remote access solution that is built into Windows 10. Microsoft has positioned Always On VPN as the replacement for their older remote access solution, DirectAccess.


How is Always On VPN different from DirectAccess?

Always On VPN has a number of advantages over DirectAccess in terms of security, authentication, management, and supportability.

One difference is that Windows 10 Always On VPN includes support for granular traffic filtering. Where DirectAccess provides access to all internal resources when connected, Always On VPN allows administrators to restrict client access to internal resources in a variety of ways. In addition, traffic filter policies can be applied on a per-user or group basis. This allows administrators to segment different types of employees into different access groups. For example, if desired, the legal department will not be able to access data from the engineering team or vice versa.

This limits who has access to what, strengthening the overall security of the network.

Another major improvement is that Always On VPN is far less tied to a specific infrastructure. It can be deployed with third-party VPN servers from Cisco, Check Point, SonicWall, Palo Alto Networks, and others, whereas DirectAccess must be deployed on Windows Server with Active Directory.


Can I Use Always On VPN With AD CS?

You can use AD CS with Always On VPN to give your users a practical, certificate-based authentication mechanism. With AD CS, admins can issue certificates to users, devices, servers, and so on, and distribute them for Always On VPN authentication.

Here’s a brief overview of how to enable Always On VPN with AD CS:

  1. Set up security groups in AD
    • Create security groups for your VPN servers and VPN users, then add the relevant computer and user accounts to them.
  2. Set up a PKI solution
    • Most organizations use AD CS, but many have had trouble installing it because they didn't properly plan their PKI implementation. Take some time to determine what you need and what you don't. Another PKI solution may suit you better than AD CS.
  3. Create and publish certificate templates
    • You need three templates: one for VPN users, one for the NPS server, and one for the VPN server.
  4. Use Group Policy to auto-enroll certificates
    • Admins can use Group Policy to tie certificates to security policies and automatically provision them to devices, computers, workstations, and more.
  5. Install NPS (RADIUS)
    • Always On VPN needs an authentication server. Most Microsoft environments use NPS as the RADIUS server, but you can also use a third-party server such as SecureW2's Dynamic CloudRADIUS.
  6. Set up RAS
    • RAS and its successor, RRAS, allow users to connect to Microsoft networks remotely.
  7. Configure your Windows 10 machines.
  8. Deploy settings.
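Before building the client profile in step 7, it is worth confirming that steps 3 and 4 actually delivered a usable user certificate to the Windows 10 machine. The PowerShell below is an added example, not code from SecureW2 or the original post; the template name 'VPN Users' and the issuing CA name are assumptions to replace with your own, and the EKU and template-extension OIDs are the standard ones.

```powershell
# Added example: audit the auto-enrolled VPN user certificate on a Windows 10 client.
$ExpectedTemplate = 'VPN Users'               # assumed name of the step-3 user template
$ExpectedIssuerCN = 'CN=Contoso-Issuing-CA'   # assumed issuing CA subject; replace with yours
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU, required for EAP-TLS
$TemplateOids     = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' # template name (v1) / info (v2+)

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The template is recorded as an extension; v1 templates carry the name, v2+ carry info text.
    foreach ($ext in $Cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return $null
}

function Test-VpnUserCertificate {
    $candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.Issuer -like "*$ExpectedIssuerCN*"
    }
    foreach ($cert in $candidates) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = $ekuExt.EnhancedKeyUsages.Value -contains $ClientAuthOid
        $template   = Get-TemplateName $cert
        $templateOk = $template -and $template -like "*$ExpectedTemplate*"
        # Verify() fails when the CA chain is not trusted on this machine (the root from
        # step 2 never reached the client) or the certificate is revoked or expired.
        $chainOk  = $cert.Verify()
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Template   = $template
            ClientAuth = $hasClientAuth
            ChainValid = $chainOk
            DaysLeft   = $daysLeft
            Ready      = $hasClientAuth -and $templateOk -and $chainOk -and $daysLeft -gt 14
        }
    }
}

$results = Test-VpnUserCertificate
$results | Format-Table -AutoSize
if (-not ($results | Where-Object Ready)) {
    # No usable certificate yet: refresh Group Policy and retrigger autoenrollment (step 4).
    Write-Warning 'No ready VPN user certificate found; forcing autoenrollment.'
    gpupdate /target:user /force | Out-Null
    certutil -user -pulse | Out-Null
}
```

Run it in the user's own session, since user certificates from step 3 land in the current user's store rather than the machine store.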


Always On VPN + SecureW2 PKI and CloudRADIUS

Always On VPN is a great starting point, but it leaves much to be desired if you're looking for foolproof security.

SecureW2 provides a turn-key PKI that simplifies certificate issuance and makes certificate management easy. Admins manage everything through our fully loaded GUI, which lets you sort certificates by username, SAN, operating system, and more. You can select an individual user and view all of their certificates and devices alongside their certificate enrollment logs, making suspicious activity easy to spot.

Our PKI solution also comes with the JoinNow onboarding software, which gives both managed devices and BYODs an easy path to certificate enrollment. Our SCEP gateways send configuration payloads that enroll managed devices for certificates automatically, while users can enroll their BYODs with just a few inputs.

SecureW2 also provides a state-of-the-art CloudRADIUS equipped with a dynamic policy engine that lets you make policy decisions in real time! CloudRADIUS works with any SAML or LDAP identity provider, such as AD or Azure AD (Microsoft Entra ID).

If you want to make sure your employees are working safely, there is no better method than combining Always On VPN and CloudRADIUS to connect your remote workers to on-prem resources. Contact us today and we can get you set up with everything you need to keep your users secure even when they are working from home.


Key Takeaways:
  • Combine Always On VPN and CloudRADIUS to easily and securely connect your remote workers to on-prem resources.

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
