Educause Security Discussion mailing list archives

Looking for a student VPN solution


From: Christian Héroux <Christian.Heroux () ETSMTL CA>
Date: Wed, 11 Apr 2007 13:36:22 -0400

Hello!

We already have a Cisco VPN 3000 VPN solution with ACS and user authentication with Active Directory. The solution cannot apply to students for many reasons, so we are looking for other VPN solutions. You might have come across the same limitation that I have, so I would appreciate some suggestions.

With the Cisco solution, if you want to implement authorization with ACS group mapping and the "locking user into a VPN group" Cisco VPN recipe, VPN profiles are mutually exclusive:

*         VPN profiles are created with filters to limit internal access to certain servers.

*         An Engineering employee will have access to Engineering servers via a VPN profile (authorization part of AAA).

*         A Finance employee will have access to Finance servers via a VPN profile (authorization part of AAA).

*         It is impossible for an employee to choose today which profile he wants to use; you need to create another combined profile, Engineering-Finance.

When you try to apply the VPN solution to students, it fails in many ways:

*       The number of VPN groups grows exponentially with the workaround.
*       You create a profile per lab or course, with limited access to the servers of that course or lab.
*       Students take many courses and will need to be authenticated and authorized to use many VPN profiles.
*       Because authentication is Active Directory and authorization to use the VPN profile is implemented via AD group and ACS group mapping and VSA class 25, it can't track the VPN profile used during the authentication phase.
*       The VPN profile used/configured in the VPN concentrator is not carried in the RADIUS packet to the AAA. The AAA can query AD and verify username/password (authentication) but not whether the student can use the VPN profile (authorization). In ACS, once the user is authenticated, ACS will check group mapping and put the user in the first group the user matches, not the one used to authenticate.

How did you solve this issue in your university? Any other VPN solution that can bypass that limitation?

You can reply directly to my email address.

Thanks,

Christian Héroux
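As an added illustration (not part of the post and not a Cisco ACS implementation), the snippet below models the first-match group-mapping behaviour the post describes: the VPN group the client connected with is not in the RADIUS request, so the AAA picks the first AD-group mapping the student matches, and the per-combination workaround grows as 2^n - 1. All group names, users and profile values are constructed sample data.

```python
# Simplified model of the behaviour described in the post, not real ACS logic.
# Assumption: mappings are evaluated in configured order and the first AD group
# the user belongs to decides the RADIUS Class (attribute 25) value, which in turn
# selects the VPN profile on the concentrator.
from itertools import combinations

# Ordered AD-group -> VPN-profile mappings (constructed sample configuration).
GROUP_MAPPINGS = [
    ("AD-Course-Networks", "OU=vpn-networks-lab"),
    ("AD-Course-Databases", "OU=vpn-databases-lab"),
    ("AD-Course-Security", "OU=vpn-security-lab"),
]

# Constructed AD memberships for sample students.
AD_MEMBERSHIP = {
    "alice": {"AD-Course-Networks", "AD-Course-Databases"},
    "bob": {"AD-Course-Databases"},
    "carol": set(),
}


def authorize(user, requested_profile):
    """Return the profile the AAA assigns: first mapping matched, or None.

    requested_profile is the VPN group the client actually connected with.
    The post says it is not carried in the RADIUS packet, so this model
    accepts it only to show that it has no effect on the result.
    """
    groups = AD_MEMBERSHIP.get(user, set())
    for ad_group, profile in GROUP_MAPPINGS:
        if ad_group in groups:
            return profile
    return None


def assigned_profile_mismatches(user, requested_profile):
    """True when the student asked for one lab profile but gets another."""
    assigned = authorize(user, requested_profile)
    return assigned is not None and assigned != requested_profile


def combined_profiles_needed(n_courses):
    """Profiles required if every non-empty course combination gets its own
    combined profile (the workaround the post says grows exponentially)."""
    return sum(1 for k in range(1, n_courses + 1)
               for _ in combinations(range(n_courses), k))
```

With alice enrolled in both Networks and Databases, a connection made with the Databases profile is still mapped to the Networks profile, which is the mismatch the post describes.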