The last couple of months I worked together with Microsoft on protecting the Windows 10 AlwaysOn VPN connection with AzureAD Conditional Access. As I’ve explained in this blogpost I found a strange issue where a user was able to connect without having being compliant to the Conditional Access request. I described that in this blogpost. After publishing that blogpost Microsoft came back to me that even that configuration is not the ‘total’ solution. The reason is that the VPN backend (RAS or NPS) should enforce the use of the AzureAD Conditional Access certificate. In this blogpost I will explain the steps needed to get this configured.
The first step in this process is to disable CRL checking on NPS. The AzureAD Conditional Access certificates does not have CRLs within the certificate. If you don’t disable the CRL check you will not be able to connect anymore since NPS requires to check if the certificate is not revoked. NPS does this by checking the CRL of the certifcate. You can disable CRL checking on your NPS server by adding the follow registry key:
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
- Click Edit > New and select DWORD (32-bit) Value and type IgnoreNoRevocationCheck
- Double-click IgnoreNoRevocationCheck and set the Value data to 1
- Click OK and reboot the server. (Restarting the RRAS and NPS services will not be enough)
Next step is to configure NPS to enforce the use of the AzureAD Conditional Access certificate for authentication of the VPN. The following steps are needed to configure this:
- Open the Network Policy Server snap-in and expand Policies > Network Policies
- Click on Constraints and Authentication methods and check if only ‘Microsoft: Protected EAP (PEAP)’ is on the list. If not remove the other EAP types. Also remove all checkboxes in the ‘Less secure authentication methods’ list:
- Click on ‘Microsoft: Protected EAP (PEAP)’ and click Edit. Validate if ‘Smart Card or Certificate’ is the only EAP type available in the selection area:
- The next step is to configure NPS to only accept the AzureAD Conditional Access certificate for authentication of the VPN. Go to the settings tab and Under ‘Vendor Specific’ click ‘Add’:
- Select the first option of ‘Allowed-Certificate-OID’ and click ‘Add’:
- Paste the AAD Conditional Access OID of ‘220.127.116.11.4.1.311.87’ as the attribute value and click OK:
- Click OK, Close, Apply
Now go back to one of your clients and try to connect. You should get AzureAD Conditional Access and when compliant you should be able to connect. After these changes you should not be able to bypass the Conditional Access flow.
Thanks to Microsoft for helping me in this scenario. If you have any questions regarding these posts please let me know.