Anyone leveraging modern tools like Windows Hello, Yubikey, etc. to set up remote employees to access internal or office systems with simplified or streamlined MFA? Possibly in concert with AAD? Just curious what the latest trends are here; many of our clients are still using the plain old VPN client à la SonicWall GVC, FortiClient, etc. Would love to hear thoughts/discuss. My dream is that the user logs in with MFA to their client PC on bootup and is then authenticated/connected to their VPN automatically.
VPN → NPS/Radius server with Azure AD MFA addon.
Todyl does this really well.
Check out Tailscale. SSO is required via AAD or Google or another. ACLs are wide open to start with, but you can lock it down nicely. End user experience is very nice and it’s easy to use.
I’ve had some great luck with CylanceGateway. We use it as a VPN replacement for some of our users.
It mixes a VPN, web filtering and inline IDS. You can use Azure AD to log in to the PC passwordless with Yubikeys, and then CylanceGateway will auto-connect the VPN after it’s been enrolled.
Gateway supports Yubikeys, DUO, AD auth, with customizable auth policies for the initial login.
We use GlobalProtect with Azure AD SAML; it just signs them in.
Look for VPNs with SAML integration - this is the most user friendly solution type
We use Secret Double Octopus for our customers. Mostly passwordless MFA. It can support LDAP/RADIUS with push notifications, or FIDO2/push with SAML-based. It can do OTP codes if you are in classic MFA too (TOTP and HOTP).
That’s what we did with SonicWall and NetExtender. It can be set up to connect pre-login.
I appreciate these replies. I know there are several companies vying for this SD-WAN/zero-trust client space (Cylance, Todyl, Tailscale in this thread alone…). I was hoping to keep it more integrated (am I asking for too much?). There is this old ass article from MS which is somewhat akin to what I was thinking (if you scroll down to the diagram). Is it possible to do what I’m asking with the native MS suite (AAD and then an on-prem RRAS/VPN server)?
Can you elaborate on this further or post a link/guide? I’m semi-interested in this route also, since we have so much SonicWall infra out there.
Yes, Always On VPN (was called DirectAccess) would accomplish what you’re looking for. It comes with the drawbacks of traditional VPN: requires physical on-premise infrastructure, data access speeds are going to vary drastically depending on the user’s internet connection, requires additional components for internet and endpoint security, etc.
SD-WAN/SASE is typically easier to deploy and manage and reduces or eliminates the drawbacks.
Some, like Todyl, directly integrate with Azure AD for user/group driven firewall rules, easy deployment with Intune, etc. It’s not native, but it is really well integrated.
Makes sense! Cylance does integrate with Azure for login, group/rule, and identity management, but it’s not a first-party solution.
Take a look at this.
The RADIUS/NPS config is all over their knowledgebase.
Get the RADIUS working first, then add the MFA extension in.
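As an added example (not from any poster in this thread), the "get RADIUS working first" step on the NPS server: register the VPN appliance as a RADIUS client and confirm NPS is granting or denying its requests before the Azure AD MFA extension is layered on top. The client name and address are assumed placeholders.

```powershell
# Added example, not from the thread: register the VPN appliance as a RADIUS
# client on the Windows NPS server and verify plain RADIUS works before the
# Azure AD MFA NPS extension is installed. Name and address are placeholders.
Import-Module NPS

$vpnName    = 'VPN-Appliance'   # assumed friendly name for the appliance
$vpnAddress = '192.0.2.10'      # assumed appliance address (documentation range)

# Prompt for the shared secret instead of embedding it in the script;
# reuse the same value on the appliance side of the RADIUS config.
$secure = Read-Host -Prompt 'RADIUS shared secret for the VPN appliance' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Create the client only if it is not already registered.
if (-not (Get-NpsRadiusClient | Where-Object Name -eq $vpnName)) {
    New-NpsRadiusClient -Name $vpnName -Address $vpnAddress -SharedSecret $secret
}

# Confirm the client is present and enabled.
Get-NpsRadiusClient | Where-Object Name -eq $vpnName |
    Select-Object Name, Address, Enabled

# After a test login from the appliance, check NPS's own verdicts in the
# Security log: 6272 = access granted, 6273 = access denied. Denials here
# are a RADIUS/policy problem to fix before adding MFA on top.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

Once 6272 events show up for a test user, install the Azure AD MFA NPS extension on the same server and repeat the test; a denial after that point is most likely an MFA-enrollment or tenant-registration issue rather than a RADIUS one.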