Always on vpn with Microsoft authenticator

Question

Hi,

Intune deployment of vpn connection.

Today we have a custome Configuration Profile configured with the xml below so that the users will have a vpn connection created within Windows. Then they need to click on this and the Microsoft authenticator request you to confirm and then you are connected.

Is it possible to have this as always on vpn, as you can see in the xml the setting is false "<AlwaysOn>false</AlwaysOn>"
If we set this to True, the user logges into the machine, and Microsoft authenticator request you to confirm but nothing happens.
Is this not a valid configuration, do we need to have certificates in place to be able to use always on vpn.
(I know always on vpn worked before, but that was before we implemented Microsoft authenticator)

Thanks for reply.

/R
Andy

---

<VPNProfile>
<DnsSuffix>customer.com</DnsSuffix>
<NativeProfile>
<Servers>vpn.customer.com</Servers>
<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
<UserMethod>Eap</UserMethod>
<Eap>
<Configuration>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>true</UseWinLogonCredentials></EapType></Eap></Config></EapHostConfig>
</Configuration>
</Eap>
</Authentication>
<CryptographySuite>
<AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
<CipherTransformConstants>AES128</CipherTransformConstants>
<EncryptionMethod>AES128</EncryptionMethod>
<IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
<DHGroup>ECP256</DHGroup>
</CryptographySuite>
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<Route>
<Address>101.133.11.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>192.168.100.0</Address>
<PrefixSize>24</PrefixSize>
</Route>
<Route>
<Address>192.168.150.10</Address>
<PrefixSize>32</PrefixSize>
</Route>
<AlwaysOn>false</AlwaysOn>
<RememberCredentials>true</RememberCredentials>
<TrustedNetworkDetection>customer.com</TrustedNetworkDetection>
<DomainNameInformation>
<DomainName>.customer.com</DomainName>
<DnsServers>192.168.100.15,192.168.100.12</DnsServers>
</DomainNameInformation>
<RegisterDNS>true</RegisterDNS>
</VPNProfile>

Answer 1

@Andreas Thanks for posting in our Q&A.

Based on my research, if we want authentication for the VPN profile, it is needed to configure certificates for authentication in intune.
https://learn.microsoft.com/en-us/mem/intune/protect/certificates-configure

Honestly, VPN issue is complex and it is needed to analyze the issue based on the actual situation of the client. So, it is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/get-support

Thanks for understanding.

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.