8
6
Fork
You've already forked windows
1

VPN pre-login possible? #195

Open
opened 2022年06月09日 12:48:08 +02:00 by Lukas-UAUX · 7 comments
Lukas-UAUX commented 2022年06月09日 12:48:08 +02:00 (Migrated from github.com)
Copy link

Would it be possible to get eduVPN to connect pre login (Windows)?

Maybe similar to the way that Cisco AnyConnect (SBL) provides? If this module is installed, you get an additional icon next to the regular network-icon at the login screen. If you click on it the vpn app shows up, and you can connect to your network.

This would be a really nice feature, for example to have an active connection to the ActiveDirectory at login, for example for a new user or if the mobile account expired - and GPO of course...

Would it be possible to get eduVPN to connect pre login (Windows)? Maybe similar to the way that Cisco AnyConnect (SBL) provides? If this module is installed, you get an additional icon next to the regular network-icon at the login screen. If you click on it the vpn app shows up, and you can connect to your network. This would be a really nice feature, for example to have an active connection to the ActiveDirectory at login, for example for a new user or if the mobile account expired - and GPO of course...
rozmansi commented 2022年06月09日 12:55:47 +02:00 (Migrated from github.com)
Copy link

I'm afraid this is not possible with the classic Windows VPN clients. However, your feature suggestion makes sense and I will investigate possibilities. See if there is a chance to implement it.

I'm afraid this is not possible with the classic Windows VPN clients. However, your feature suggestion makes sense and I will investigate possibilities. See if there is a chance to implement it.
Lukas-UAUX commented 2022年06月09日 12:58:44 +02:00 (Migrated from github.com)
Copy link

I have a very, very faint memory, that Cisco AnyConnect does it via a "login provider" (or is it credential provider?) Maybe that would be the trick

I have a very, very faint memory, that Cisco AnyConnect does it via a "login provider" (or is it credential provider?) Maybe that would be the trick
efef commented 2022年06月14日 16:44:40 +02:00 (Migrated from github.com)
Copy link

We are actually working on pre-provisioning. The work done so far is documented here: https://github.com/FlorisHendriks98/eduVPN-provisioning
In this page we describe how to leverage MS AD (and PKI) to do pre-provisioning. However at the moment we are working on another path:
use MS intune in combination with an new eduVPN server API call to pre-provisioning Windows and macOS devices.

If you like to be involved @Lukas-UAUX please email us: eduvpn-support@lists.geant.org

We are actually working on pre-provisioning. The work done so far is documented here: https://github.com/FlorisHendriks98/eduVPN-provisioning In this page we describe how to leverage MS AD (and PKI) to do pre-provisioning. However at the moment we are working on another path: use MS intune in combination with an new eduVPN server API call to pre-provisioning Windows and macOS devices. If you like to be involved @Lukas-UAUX please email us: eduvpn-support@lists.geant.org
Lukas-UAUX commented 2022年06月14日 18:06:09 +02:00 (Migrated from github.com)
Copy link

That sadly doesn't look like it would fit our use case or environment. For one thing the user must be able to control the vpn and we have multiple networks/profiles that can not be tied to a machine identity but user only. Additionally eduroam which is considerably important at a university is a user-config network that starts after login - which would result in a lot of errors

That sadly doesn't look like it would fit our use case or environment. For one thing the user must be able to control the vpn and we have multiple networks/profiles that can not be tied to a machine identity but user only. Additionally eduroam which is considerably important at a university is a user-config network that starts after login - which would result in a lot of errors
ghost commented 2022年06月14日 19:00:15 +02:00 (Migrated from github.com)
Copy link

Just to clarify, are you talking about "managed devices", or "bring your own" devices? We only consider "managed devices" as it seems (too) invasive to require users to subject their personal devices to this kind of control by their organization.

For one thing the user must be able to control the vpn and we have multiple networks/profiles that can not be tied to a machine identity but user only.

The way we saw this working is to take a "layered" approach. For example, the "system VPN" can only reach the AD server(s). A "user VPN", i.e. the eduVPN client. can later be used to choose a specific profile for a user and have additional MFA if so desired.

Additionally eduroam which is considerably important at a university is a user-config network that starts after login - which would result in a lot of errors

But how can you reach your AD server when there is no network connectivity at all? Having a VPN client available before login can't do anything if there's no network?

Just to clarify, are you talking about "managed devices", or "bring your own" devices? We only consider "managed devices" as it seems (too) invasive to require users to subject their personal devices to this kind of control by their organization. > For one thing the user must be able to control the vpn and we have multiple networks/profiles that can not be tied to a machine identity but user only. The way we saw this working is to take a "layered" approach. For example, the "system VPN" can only reach the AD server(s). A "user VPN", i.e. the eduVPN client. can later be used to choose a specific profile for a user and have additional MFA if so desired. > Additionally eduroam which is considerably important at a university is a user-config network that starts after login - which would result in a lot of errors But how can you reach your AD server when there is no network connectivity at all? Having a VPN client available before login can't do anything if there's no network?
Lukas-UAUX commented 2022年06月14日 19:18:19 +02:00 (Migrated from github.com)
Copy link

Of course managed devices, students and private devices of staff would have no use for pre-login.

The way we saw this working is to take a "layered" approach. For example, the "system VPN" can only reach the AD server(s). A "user VPN", i.e. the eduVPN client. can later be used to choose a specific profile for a user and have additional MFA if so desired.

Ouch that would kill VPN for any connection below 16 Mbits, to accommodate that much headers either fragmentation would kill it (TCP only, UDP would just stop working) or the MSS/MTU would be to low for any reasonable performance.

But how can you reach your AD server when there is no network connectivity at all?

They don't - the devices use a wired connection most of the time. A connection is only necessary when we change GPOs that require to be pulled on login or a new user logs in.

The pre-login is intended for HomeOffice or "emergency" scenarios, where the user has no possibility to use a wired connection at least sometimes.

Of course managed devices, students and private devices of staff would have no use for pre-login. > The way we saw this working is to take a "layered" approach. For example, the "system VPN" can only reach the AD server(s). A "user VPN", i.e. the eduVPN client. can later be used to choose a specific profile for a user and have additional MFA if so desired. Ouch that would kill VPN for any connection below 16 Mbits, to accommodate that much headers either fragmentation would kill it (TCP only, UDP would just stop working) or the MSS/MTU would be to low for any reasonable performance. > But how can you reach your AD server when there is no network connectivity at all? They don't - the devices use a wired connection most of the time. A connection is only necessary when we change GPOs that require to be pulled on login or a new user logs in. The pre-login is intended for HomeOffice or "emergency" scenarios, where the user has no possibility to use a wired connection at least sometimes.
ghost commented 2022年06月15日 07:40:10 +02:00 (Migrated from github.com)
Copy link

Ouch that would kill VPN for any connection below 16 Mbits, to accommodate that much headers either fragmentation would kill it (TCP only, UDP would just stop working) or the MSS/MTU would be to low for any reasonable performance.

Do you mean this occurs when you run one VPN over another VPN? That was not exactly what I meant. With the "system VPN" you only send traffic to the AD over the VPN, with the "user VPN" you can send additional traffic over the VPN, or all traffic if so desired.

By the way, this is one possible approach, but perhaps @rozmansi has ideas on how to make it work more like what you describe.

> Ouch that would kill VPN for any connection below 16 Mbits, to accommodate that much headers either fragmentation would kill it (TCP only, UDP would just stop working) or the MSS/MTU would be to low for any reasonable performance. Do you mean this occurs when you run one VPN over another VPN? That was not exactly what I meant. With the "system VPN" you only send traffic to the AD over the VPN, with the "user VPN" you can send additional traffic over the VPN, or all traffic if so desired. By the way, this is _one_ possible approach, but perhaps @rozmansi has ideas on how to make it work more like what you describe.
Sign in to join this conversation.
No Branch/Tag specified
master
study/no-token-import
ver/3.x
govVPN
ver/3.3.0.x
ver/2.x
ver/1.x
4.6
4.5.99.8
4.5.99.7
4.5.99.6
4.5.99.5
4.5.99.4
4.5.99.3
4.5.99.2
4.5.99.1
4.5.99.0
4.5
4.4.99.4
4.4.99.3
4.4.99.2
4.4.99.1
4.4.99.0
4.4
4.3.99.1
4.3.99.0
4.3.2
4.3.1
4.3
4.2.8
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2
4.1.7
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1.1
4.1
4.0
3.255.23
3.255.22
3.255.21
3.255.20
3.255.19
3.7
3.6.2
3.6.1
3.255.18
3.255.17
3.255.16
3.255.15
3.6
3.255.14
3.5
3.255.13
3.4.3
3.255.12
3.255.11
3.255.10
3.255.9
3.255.8
3.255.7
3.255.6
3.255.5
3.255.4
3.255.3
3.255.2
3.4.2
3.4.1
3.255.1
3.255
3.4
3.3.8
3.3.7
3.3.6
3.3.5
3.3.4
3.3.0.1
3.3.3
3.3.2
3.3.1
3.3
3.2.2
3.2.1
3.2
3.1.8
3.1.7
3.1.6
3.1.5
3.1.4
3.1.3
3.1.2
3.1.1
3.1
3.0.5
3.0.4
3.0.3
3.0.2
3.0.1
3.0
2.255.6
2.255.5
2.255.4
2.255.3
2.255.2
2.255.1
2.1.4
2.255.0
2.1.3
2.1.2
2.1.1
2.1
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0
1.255.11
1.255.10
1.255.9
1.0.39
1.255.8
1.255.7
1.255.6
1.255.5
1.0.38
1.255.4
1.0.37
1.255.3
1.255.2
1.255.1
1.255.0
1.0.36
1.0.34
1.0.35
1.0.33
1.0.32
1.0.31
1.0.30
1.0.29
1.0.28
1.0.27
1.0.26
1.0.25
1.0.24
1.0.23
1.0.22
1.0.21
1.0.20
1.0.19
1.0.18
1.0.17
1.0.16
audit/2017-12
1.0.15
1.0.14
1.0.13
1.0.12
1.0.11
1.0-alpha8
1.0-alpha6
1.0-alpha5
1.0-alpha4a
1.0-alpha3
1.0-alpha2a
1.0-alpha1
1.0-alpha
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
eduVPN/windows#195
Reference in a new issue
eduVPN/windows
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?