We're trying to beef up security and implement multi-factor authentication for non-domain joined machines.
Currently only domain-joined machines (the users need to provide their domain credentials, and a computer cert is required on the device; autoenrollment is used) have the ability to do an L3 VPN in order to access our resources.
We'd like to extend that to non-domain-joined machines such as Macs, Linux, Android and iOS devices. I was thinking along these lines, but don't know where to start:
- A user goes to a website and requests a new certificate. I don't know which is preferable, user (probably) or computer, esp. if the user has many devices. If this wouldn't be possible (I'm not sure this URL would be available off the LAN), I need to generate the certificate on behalf of the user and send it to them. I'm also thinking of limiting them so they can only import the cert once, but am not sure this is a good idea (how would I handle multiple devices?).
- I need to know which cert is for which user, so I can easily revoke it when he/she leaves the company.
CAs are 2008 R2.
Could someone provide a few tips and then URLs as to how to implement something like this?
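The second bullet (knowing which issued cert belongs to which user so it can be revoked) maps directly onto the CA database on a 2008 R2 CA: every issued request is stored with a RequesterName column holding the account that submitted it, so the user-to-cert mapping already exists when the user enrolls with their own domain credentials. The script below is an added example, not code from the original post; it uses the CertificateAuthority.View and CertificateAuthority.Admin COM objects that ship with the CA role. The CA config string "CA01\Corp-Issuing-CA", the sample account "CORP\jdoe" and the function names are placeholder assumptions.

```powershell
# Added example: find and revoke all issued certificates whose requester is a
# given domain account, on a Windows Server 2008 R2 CA.
# Assumed CA config string (hostname\CA common name) - placeholder value.
$CaConfig = 'CA01\Corp-Issuing-CA'

# CA database constants (from certview.h / certadm.h)
$CVR_SEEK_EQ   = 1    # seek operator: equals
$CVR_SORT_NONE = 0    # no sort order for this restriction
$CV_OUT_BINARY = 1    # value format flag passed to IEnumCERTVIEWCOLUMN.GetValue
$DISP_ISSUED   = 20   # Disposition value for issued (not yet revoked) certs
$REASON_AFFILIATION_CHANGED = 3   # CRL reason: user left / changed role

function Get-IssuedCertsForUser {
    # Returns the RequestID, SerialNumber and NotAfter of every issued cert
    # in the CA database whose RequesterName matches $Requester (DOMAIN\user).
    param(
        [Parameter(Mandatory)][string]$Requester,
        [string]$Config = $CaConfig
    )
    $view = New-Object -ComObject CertificateAuthority.View
    $view.OpenConnection($Config)

    # Restrict to rows submitted by this account and still in "issued" state.
    $reqCol  = $view.GetColumnIndex($false, 'RequesterName')
    $dispCol = $view.GetColumnIndex($false, 'Disposition')
    $view.SetRestriction($reqCol,  $CVR_SEEK_EQ, $CVR_SORT_NONE, $Requester)
    $view.SetRestriction($dispCol, $CVR_SEEK_EQ, $CVR_SORT_NONE, $DISP_ISSUED)

    # Only pull the columns we need for the mapping and for revocation.
    $wanted = 'RequestID', 'SerialNumber', 'NotAfter', 'CertificateTemplate'
    $view.SetResultColumnCount($wanted.Count)
    foreach ($name in $wanted) {
        $view.SetResultColumn($view.GetColumnIndex($false, $name))
    }

    $rows = $view.OpenView()
    $results = @()
    while ($rows.Next() -ne -1) {
        $cols = $rows.EnumCertViewColumn()
        $row = @{}
        while ($cols.Next() -ne -1) {
            $row[$cols.GetName()] = $cols.GetValue($CV_OUT_BINARY)
        }
        $results += [pscustomobject]$row
    }
    return $results
}

function Revoke-CertsForUser {
    # Revokes every issued cert for $Requester with "affiliation changed" and
    # publishes a new CRL. Run with -WhatIf first to see what would be revoked.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Requester,
        [string]$Config = $CaConfig
    )
    $admin = New-Object -ComObject CertificateAuthority.Admin
    $certs = Get-IssuedCertsForUser -Requester $Requester -Config $Config
    foreach ($c in $certs) {
        $target = "RequestID $($c.RequestID), serial $($c.SerialNumber), template $($c.CertificateTemplate)"
        if ($PSCmdlet.ShouldProcess($target, 'Revoke')) {
            # Date argument 0 means "effective now".
            $admin.RevokeCertificate($Config, $c.SerialNumber, $REASON_AFFILIATION_CHANGED, 0)
        }
    }
    if ($certs.Count -gt 0 -and -not $WhatIfPreference) {
        # Publish a fresh CRL so VPN gateways checking CRLs see the revocation.
        & certutil.exe -config $Config -crl | Out-Null
    }
    return $certs
}

# Usage (placeholder account):
# Get-IssuedCertsForUser -Requester 'CORP\jdoe' | Format-Table
# Revoke-CertsForUser -Requester 'CORP\jdoe' -WhatIf
# Revoke-CertsForUser -Requester 'CORP\jdoe'
```

One caveat that follows from the "generate on behalf of the user" idea: if an enrollment agent requests the cert for the user, RequesterName in the CA database is the agent's account, not the user's, so the lookup above would have to restrict on the subject or UPN column instead. Issuing per-device user certificates from one template also sidesteps the "import once" question, since each device gets its own serial number and can be revoked individually.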