Hi everyone
I'm trying to figure out my options to allow users to connect to a VPN server (RRAS) from the Windows 10 login screen.
The problem here is that I want the authentication to be done by machine certificate, but there are constraints:
1> The user should not authenticate himself, the existence of the machine certificate should suffice.
2> The machine certificate is not related to the machine per se (it's "a" machine certificate which is the same for all PCs)
3> While Credential Guard doesn't like MS-CHAP v2, I guess TLS-PEAP is the way to go
A couple of clarifications:
1> This is a migration scenario for machines currently not in the target domain
2> These machines do not connect to the target network (road warriors)
3> I know, security-wise this is not advisable, but I don't see a lot of other options
I got a piece of this working by using Pulse, but with Pulse you don't have the option to show the VPN connection at the logon screen after a domain join, so I was wondering if:
1> this kind of scenario would be supported by W2K16 RRAS and NPS?
2> is TLS-PEAP the protocol to use?
3> Any advice is welcome if other options are available
Thanks!
Jan
jgs