RRAS-Windows2019-Authentication-EAP-TLS/PEAP - Default Group Policy impact for the VPN clients

Question

RRAS-Windows2019-Authentication-EAP-TLS/PEAP - Default Group Policy impact for the VPN clients

tn57chgs-3733 6

We use Microsoft Windows Server 2019 RRAS, NPS, PKI, and AD in our environment. We provide AOVPN via SSTP to our cloud-managed clients (AzureAD Joined and NOT domain-joined).

For Windows, we use P-EAP-TLS, and for MacOS, we use EAP-TLS, both requires smartcard certificates for authentication. After the initial security negotiation between the client and server, VPN requests the client to send an AUTH packet, which is then forwarded to NPS for authentication. NPS then verifies the certificate based on the network policy like its validity, UPN (in our case), security group membership, and a variety of other properties, and the connection is established between the client and server.

Before password/certificate-based authentication takes place, the EAP-Protected Extensible Authentication Protocol (PEAP) creates a more secure, encrypted channel. With PEAP-TLS, the encrypted tunnel will be the first phase, followed by server side authentication and encryption of all user-sensitive data. This approach does not require a user certificate, however when PEAP-TLS is used, the second phase of authentication requires a client user OR device certificate.

So, we have configured our client VPN adapters "Rasphone.pbk" file via Intune device management where "UseRasCredentials" is set to 0 which ensures that the client does not cache the credentials used for VPN authentication. In my understanding, user certificate alone is sufficient to connect to AOVPN and user credentials are not required. According to the MS article below, once a connection is made, the device will have a direct line of sight to the domain controller where user credentials can be used to access on-premises services.

User's image

The real confusion I have here is, all users are subject to the default GPO policy listed below, thus if a machine connects to the AOVPN using user certificate[PEAP-TLS], will it disconnect after 10 hours because the user ticket life time is set to 10 hours? I believe it won't instead as per my understanding it will use the cached credentials to get a new Kerberos TGT token.

Enabling user logon limitations in a policy setting
Maximum ticket lifetime is 600 minutes
Maximum user ticket lifetime
10 hours
7 days is the maximum user ticket renewal lifespan.
Five minutes is the maximum tolerance for synchronizing computer clocks.

Please enlighten me on this

2 answers

Your answer

Answer 1

Limitless Technology 44,751

Hi,

Thank you for posting your query.

Kindly follow the steps provided below to resolve your issue.

The Extensible Authentication Protocol (EAP) is an architectural framework that provides extensibility for authentication methods for commonly used protected network access technologies, such as IEEE 802.1X-based wireless access, IEEE 802.1X-based wired access, and Point-to-Point Protocol (PPP) connections such as Virtual Private Networking (VPN). EAP is not an authentication method like MS-CHAP v2, but rather a framework on the access client and authentication server that allows networking vendors to develop and easily install new authentication methods known as EAP methods.

Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/network-access

Do not hesitate to message us if you need further assistance.

If the answer is helpful kindly click "Accept as Answer" and up vote it

tn57chgs-3733 6 Reputation points

2023-02-02T11:48:56.38+00:00

Thanks for your response.

The question is not about how EAP works instead it is about what happens in the flow, what is expected in the flow, and what is appropriate. Please check out the question 1.

Please check out this link to get what I am referring to in regards to the question 1 flow from client to server. This means when UseRasCredentials=0 then VPN Client adapter will not look for cached user credentials. we set this to zero because we want the client VPN adapter to use user certificate by default. So during the client/server handshake AUTH phase server expects user certificate as proof of possession for authentication in the encrypted tunnel. Once the session is established.

According to MS, once the device gets the line of sight to the domain controller (after VPN is established between the client and server), the Kerberos authentication provider receives the credentials and attribute on the device to request a Kerberos TGT and this enables cloud-native-endpoints to connect on-prem resources without a need of interactive sign-in and it does SSO smoothly. Now the question raises here, when I say cloud-native-endpoints (devices) which means they are not domain-joined and there no possibility of getting on-prem AD gpo policies , so does the default domain policy for the user applies on these devices as well?

Reference link

Hope I managed to summarize my question again for better understanding.

Please assist.
tn57chgs-3733 6 Reputation points

2023-02-14T07:05:57.9066667+00:00

Hope you would have read my last response. Please help me with your answers.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

RRAS-Windows2019-Authentication-EAP-TLS/PEAP - Default Group Policy impact for the VPN clients

2 answers

Your answer