This occurred to me when looking at the security model wireguard is using. Instead of relying on users credentials and Radius authenticating central server each user has a private key used to authenticate VPN. This is modeled after SSH PKI.
But how does it work when users switch computers. In big organisation it is common for employees to move around a lot and login to different machines. Is the idea for them to only have access VPN, SSH from their own desks? Or are the keys stored on some local network file share?