BOTH Client VPN Auths

So the documentation says this

You can use one or a combination of the following:

  • Mutual authentication and federated authentication
  • Mutual authentication and Active Directory authentication

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

So can I turn on BOTH, and if a client connects, do they get a choice of what to use, or is one forced upon them, the federated OR the client/key? How can you have a mix?

When both are active, both would be used. Clients need a certificate and must pass the federated authentication. I am using this in production and it works pretty well with certificates from ACM PCA and Keycloak integration. The drawback for federation is that you need to use the AWS-provided client. Mutual auth alone works with the OpenVPN client. But you can even extend the auth mechanism with the Lambda handler, which is cool too.
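The "both are required" rule above is easy to check against what an endpoint actually has configured. The following is an added example, not code from this thread: it parses the JSON that `aws ec2 describe-client-vpn-endpoints` returns (the field names `AuthenticationOptions`, `Type`, `MutualAuthentication`, `FederatedAuthentication` and `ActiveDirectory` follow the EC2 API's ClientVpnAuthentication shape; the endpoint IDs and ARNs in the sample are constructed placeholders) and reports, per endpoint, every credential a connecting client must present, treating the listed options as an AND, plus the client constraint the answer describes (federated authentication needs the AWS-provided client, mutual-only works with OpenVPN).

```python
"""Audit AWS Client VPN endpoints: which credentials must a client present?

Added example, not from the thread. Input is the JSON printed by
`aws ec2 describe-client-vpn-endpoints`. Every entry in an endpoint's
AuthenticationOptions is required; there is no client-side choice.
"""
import json

# Constructed sample output (IDs and ARNs are placeholders, not real resources).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ClientVpnEndpoints": [
        {
            "ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE1",
            "AuthenticationOptions": [
                {"Type": "certificate-authentication",
                 "MutualAuthentication": {
                     "ClientRootCertificateChain":
                         "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ROOT"}},
                {"Type": "federated-authentication",
                 "FederatedAuthentication": {
                     "SamlProviderArn":
                         "arn:aws:iam::123456789012:saml-provider/EXAMPLE-IDP"}},
            ],
        },
        {
            "ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE2",
            "AuthenticationOptions": [
                {"Type": "certificate-authentication",
                 "MutualAuthentication": {
                     "ClientRootCertificateChain":
                         "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ROOT"}},
            ],
        },
        {
            "ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE3",
            "AuthenticationOptions": [
                {"Type": "directory-service-authentication",
                 "ActiveDirectory": {"DirectoryId": "d-EXAMPLE"}},
            ],
        },
    ]
})

# The three authentication types Client VPN supports, mapped to what the
# connecting user has to supply for each one.
CREDENTIAL_FOR_TYPE = {
    "certificate-authentication": "client certificate",
    "directory-service-authentication": "Active Directory login",
    "federated-authentication": "SAML login",
}


def required_credentials(endpoint):
    """Return every credential the endpoint demands, in configured order.

    Raises on an empty or unrecognised option list rather than silently
    under-reporting what the endpoint enforces.
    """
    creds = []
    for option in endpoint.get("AuthenticationOptions", []):
        kind = option.get("Type")
        if kind not in CREDENTIAL_FOR_TYPE:
            raise ValueError(f"unknown authentication type: {kind!r}")
        creds.append(CREDENTIAL_FOR_TYPE[kind])
    if not creds:
        raise ValueError(f"{endpoint.get('ClientVpnEndpointId')}: no authentication options")
    return creds


def client_constraint(endpoint):
    """Which VPN client can connect, per the behaviour described in the thread."""
    types = {o.get("Type") for o in endpoint.get("AuthenticationOptions", [])}
    if "federated-authentication" in types:
        return "AWS-provided client only (SAML browser flow)"
    return "any OpenVPN-compatible client"


def audit(describe_json):
    """Map endpoint ID -> {'requires_all_of': [...], 'client': '...'}."""
    data = json.loads(describe_json)
    report = {}
    for endpoint in data["ClientVpnEndpoints"]:
        report[endpoint["ClientVpnEndpointId"]] = {
            "requires_all_of": required_credentials(endpoint),
            "client": client_constraint(endpoint),
        }
    return report


if __name__ == "__main__":
    for endpoint_id, info in audit(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{endpoint_id}: requires ALL of {info['requires_all_of']}; "
              f"client: {info['client']}")
```

To run it against a real account, replace `SAMPLE_DESCRIBE_OUTPUT` with the output of `aws ec2 describe-client-vpn-endpoints`; an endpoint that lists two options is one where users must satisfy both, which is why separate authentication types need separate endpoints.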

So, I finally figured out that when AWS says COMBINATION, they don't mean either/or, where the client decides or can be configured to use one or the other. They mean BOTH are required to get through, which I didn't understand.

Thank you for the response.

Thanks for the follow up - I spent a couple of hours trying to get this to work before I found this old thread, as it was not clear in the AWS documentation that it was ‘either’ or ‘both’. So, multiple VPN endpoints are required to support separate authentication types. Cheers!

Thanks for this. The documentation from AWS is a bit ambiguous, which made me believe I could use either; I wasn't sure which takes precedence.