Solved: Implementing SAML authentication for VPN

RobTurner

Hi,

Apologies in advance for the rather long post, but I’m looking at configuring our R81.10 gateways (JHF 130) to use SAML authentication for remote access VPN (Entra as the identity provider), and I'm a bit uncertain about some of the implications of switching from our current authentication method (on premises Active Directory via radius). I've found some good documentation covering the configuration process (e.g. sk172909, the remote access VPN administration guide, the supplementary instructions here, and Microsoft's own documentation), but I was wondering whether there's a way of rolling out the change gradually, for example by allowing a subset of users to authenticate via SAML while the majority continue to authenticate as usual via radius?

This thread suggests it isn't possible to configure different authentication methods based on LDAP groups, but this one suggests that it might be possible using different LDAP account units. Is the idea to add multiple login options under General Properties > VPN Client > Authentication, to configure each option to use a different authentication method and user directory, to configure those user directories to use a different AU, and then to have each AU scoped to look at a different branch of the user directory (in our case, an OU within Active Directory)?

Assuming each login option is configured to use a single authentication method and a different group of users, what would users see when they try to connect? The documentation for multiple login options mentions that "users select one of the available options", but I wasn't sure how that would work in practice if separate groups of users only have access to a single authentication method. Would users only be presented with the methods that apply to them, or will all users see a list of all configured options, some of which they won't be able to use?

If the only option is to switch the authentication method for everyone at the same time, I was wondering how easy it would be to back out of that configuration if there are any problems? Can we just change authentication back to using radius, or do we need to unpick some of the other changes as well? For example, would we need to revert the changes made using GuiDBEdit, or unset the generic API objects added by the configuration script (allow_VPN_RA_for_R8040_and_above_gateways_V2.sh)? Would the changes made using GuiDBEdit or the config script be incompatible with switching VPN authentication back to radius, or could we just leave those changes in place? Is there any more documentation about what the changes made using GuiDBEdit or the generic API objects are actually doing?

Another possible complication is that we use machine authentication to control which resources VPN users can access depending on whether they're connecting from a personal machine or an institutionally owned one (business owned machines are identified using AD auto-enrolment certificates, and Machine Certificate Authentication > Send Machine Certificate is set to "When Available"). Would this still be possible If we switched over to SAML? Would the machine auth be handled completely separately from the SAML based user authentication, so that the VPN client passes back the SAML token and the machine cert independently of each other?

Related to that, would users still be able to authenticate from personal machines that don't exist in Entra? The administration guide seems to suggest not, saying that "All Remote Access VPN users and endpoint computers must be configured in an Identity Provider for authentication. This applies to managed endpoint computers and non-managed endpoint computers." Is that right? Would we need to enrol all personal devices before users could VPN connect from them?

Apologies again for the lengthy post, thanks for reading, and many thanks in advance for any advice.

Rob

PhoneBoy

The list of login options will be shown for all users.
This allows you to use multiple types in parallel.
This does not provide you a way of forcing specific users to use a specific authentication method, though.

Machine Certificates are only relevant until a user logs in, where the tunnel is reconnected with a user-specific login.
Which means they can be used with SAML, though I believe Machine Certificates must be the first factor.

From our end, it does not matter if the end user's machine is in Entra ID or not.
That requirement is configured on the Entra ID side.

View solution in original post

the_rock

No need to apologize Rob... EXCELLENT explanation. I really dont believe you can roll this out gradually, based on my own lab tests, as well as what TAC told me previously.

Maybe someone else will correct me if Im wrong, but you can certainly check with them.

Best,

Andy

Best,
Andy

RobTurner

Thanks very much for your feedback Andy, much appreciated - I had a surge of optimism when I saw PhoneBoy's reply to that other thread, but it's entirely possible I've misunderstood...

Given the way our support partner seems to be heading (the phrase "value extraction" springs to mind), I'll probably have to try something first and see if it breaks anything - pleasant discussions of hypotheticals seem to be a thing of the past (or rather a thing that's now preceded by a conversation about professional services rates).

Thanks again

Rob

Ruan_Kotze

In my experience it is not possible to have different Authentication methods. Not only that - there is no way to make the SAML authentication method the default without touching the clients, either manually or via automation.

Users will be fine authenticating from non-managed devices, except if you do not allow it via MS Entra CAP's,

Some unsolicited advice: I see many orgs enabling the option to force MFA on every login by configurating it on the gateway. My suggestion would be to not do this, as I've seen this setting being overwritten by something as simple as a Jumbo Install. Rather configure your MFA requirement through CAP - that way you can bring in stuff like device posture, geo restrictions, user risk levels etc. as well (assuming MS licensing levels allows for it).

the_rock

My experience is exactly the same.

Best,
Andy

the_rock

I re-read what Phoneboy said and it makes perfect sense.

Best,
Andy

RobTurner

Thanks for your comments everyone - I really appreciate the feedback.

Good to know that we wouldn't need to enrol personal devices - nice from a security perspective I guess, but a bit unmanageable from an admin perspective.

Thanks as well for confirming that there's no way to force particular groups of users to use a particular type of authentication - after a bit of testing I think I was probably overthinking the issue. Basically, I didn't want to add a new login option that wasn't ready yet, and that most people wouldn't be able to use, so I was hoping to make sure that the new option was only visible to a few test users.

As it turns out though, it's not that disruptive to simply add a new login option that's available to everyone, as long as the option that people are currently using remains available, and remains configured as the default. Anyone who needs to can be made aware of the new option, but the majority should remain blissfully unaware. For the few who do find it, the name and login prompts can be configured to discourage use. In our case, that's more than good enough for testing purposes (I must have looked at the "Change Login Option Settings" link in the Endpoint client thousands of times myself and never really processed it…)

For the benefit of anyone else who finds this looking to achieve something similar, all I'm going to do is add a second login option to VPN authentication, call it “Test-Ignore”, and make sure it appears below the "Standard" login option that most people will be using.

Anyone who needs to can select Test-Ignore as a login option in the Endpoint VPN client, and anyone who doesn’t specifically choose a login option will continue to get Standard by default.

Capsule VPN only seems to allow the login option to be configured when a new site is created (on Windows at least, I’ve not tested on anything else), so there's even less risk of affecting existing users there.

Ruan_Kotze - I completely agree that CAPs are the way to go to enforce MFA – once everything’s up and running, that’s definitely the approach I’ll try to take.

Thanks again for your help

Rob

the_rock

Glad we can help, Rob.

Best,
Andy

PhoneBoy

The list of login options will be shown for all users.
This allows you to use multiple types in parallel.
This does not provide you a way of forcing specific users to use a specific authentication method, though.

Machine Certificates are only relevant until a user logs in, where the tunnel is reconnected with a user-specific login.
Which means they can be used with SAML, though I believe Machine Certificates must be the first factor.

From our end, it does not matter if the end user's machine is in Entra ID or not.
That requirement is configured on the Entra ID side.

Are you a member of CheckMates?

Implementing SAML authentication for VPN