We are using a PPTP VPN, on Windows RAS/Server 2003.
We have users verify anti-virus patching, and then after verification grant access to the VPN. We don't use a CMAK applet, we just provide users with instructions on configuring their home device to connect to the VPN.
My question is how can we ensure that they do not save the VPN password when they save the connection? Is there any method to audit it? We can remind users, but if they've already set up VPN it's not too likely that they'll actually follow through and change the settings.
A method that works for XP is most important, but also support OS X and Windows 7/Vista would be nice. I would be willing to switch our VPN to a new solution and distribute a connectoid if that's the only real way to do it.
Edit: I should point out two things: we can't really afford to use 2-factor authentication. Also, I understand that there's probably not a perfect way to ensure it. Our users aren't malicious, but they are lazy. If I can identify even 90% of users that are saving the password and then deny them access until they fix it, that's enough for me.