Educause Security Discussion mailing list archives
Re: Looking for a student VPN solution
From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Wed, 11 Apr 2007 14:08:10 -0400
At Keystone College, we found VPN an overall pain to support (not to mention the risk of letting unknown computers onto the network), so now we primarily offer terminal server access to our users. The RDP protocol has supported encryption for a while now, so we have two terminal servers available from off-campus. No more support calls from folks who don't understand why they can't open their 600MB PowerPoint through a VPN connection!

For employees who have specialty applications on their computers and absolutely have to take control of them from home, we still grant VPN access. But we're now down to around 10 regular VPN users. This approach might not scale up very well, but we're small and it works for us...

- Charlie

________________________________
From: Christian Héroux [mailto:Christian.Heroux () ETSMTL CA]
Sent: Wednesday, April 11, 2007 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Looking for a student VPN solution

Hello!

We already have a Cisco VPN 3000 VPN solution with ACS and user authentication with Active Directory. The solution cannot apply to students for many reasons, so we are looking for other VPN solutions. You might have come across the same limitation that I have, so I would appreciate some suggestions.

With the Cisco solution, if you want to implement authorization with ACS group mapping and the "locking user into a VPN group" Cisco VPN recipe, VPN profiles are mutually exclusive:

* VPN profiles are created with filters to limit internal access to certain servers.
* An Engineering employee will have access to Engineering servers via a VPN profile (authorization part of AAA).
* A Finance employee will have access to Finance servers via a VPN profile (authorization part of AAA).
* It is impossible for an employee to choose today which profile he wants to use; you need to create another combined profile, Engineering-Finance.

When you try to apply the VPN solution to students, it fails in many ways:

* The number of VPN groups grows exponentially with the workaround.
* You create a profile per lab or course with limited access to the servers of that course or lab.
* Students take many courses and will need to be authenticated and authorized to use many VPN profiles.
* Because authentication is Active Directory and authorization to use the VPN profile is implemented via AD group and ACS group mapping and VSA Class 25, it can't track the VPN profile used during the authentication phase.
* The VPN profile used/configured in the VPN concentrator is not carried in the RADIUS packet to the AAA. The AAA can query AD and verify username/password (authentication) but not which VPN profile (authorization) the student can use. In ACS, once the user is authenticated, ACS will check group mapping and put the user in the first group the user matches, not the one used to authenticate.

How did you solve this issue in your university? Can any other VPN solution bypass that limitation?

You can reply directly to my email address.

Thanks,
Christian Héroux
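The following is an added illustration of the authorization flow Christian describes, written for this archive page and not code from Cisco, ACS, or either poster. It models a concentrator that sends only User-Name and User-Password in the Access-Request, an ACS stand-in that authenticates against a constructed AD table and then applies an ordered group mapping, and a concentrator-side "lock user into group" check that compares the returned Class attribute (RADIUS attribute 25, assumed here to carry `OU=<group>;`) with the group the client connected with. The user names, passwords, group names and the mapping order are all constructed sample data; the password is carried in clear rather than RADIUS-obfuscated to keep the model short.

```python
"""Model of the RADIUS / ACS group-mapping flow from the thread (constructed
example, not Cisco code). Shows why a user in several AD groups always lands
in the FIRST mapped VPN group, whatever group they actually connected with.
"""

RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_USER_PASSWORD = 2
RADIUS_ATTR_CLASS = 25

# Constructed stand-in for Active Directory: password and group memberships.
AD_USERS = {
    "alice": {"password": "s3cret", "groups": {"Eng-Students", "Finance-Students"}},
    "bob": {"password": "hunter2", "groups": {"Finance-Students"}},
}

# Constructed ACS group mapping, in evaluation order: (AD group, VPN group).
# ACS stops at the first AD group the user belongs to.
ACS_GROUP_MAPPING = [
    ("Eng-Students", "VPN-ENG"),
    ("Finance-Students", "VPN-FIN"),
]


def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes the
    2-byte header), Value (1..253 bytes)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attributes(raw):
    """Decode a run of RADIUS TLVs into a {type: value} dict, rejecting
    truncated or self-overlapping attributes."""
    attrs = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 3 or i + length > len(raw):
            raise ValueError("bad attribute length")
        attrs[attr_type] = raw[i + 2:i + length]
        i += length
    return attrs


def concentrator_access_request(user, password):
    """Attributes the concentrator puts on the wire. The VPN group the client
    connected with is known locally but is NOT sent to the AAA server, which
    is the limitation the thread complains about. (Real RADIUS obfuscates
    User-Password with the shared secret; omitted in this model.)"""
    return (encode_attribute(RADIUS_ATTR_USER_NAME, user.encode())
            + encode_attribute(RADIUS_ATTR_USER_PASSWORD, password.encode()))


def acs_authorize(request_bytes):
    """ACS side: authenticate against the AD stand-in, then return a Class
    attribute for the FIRST VPN group in the mapping the user qualifies for.
    Returns None for an Access-Reject."""
    attrs = decode_attributes(request_bytes)
    user = attrs[RADIUS_ATTR_USER_NAME].decode()
    password = attrs[RADIUS_ATTR_USER_PASSWORD].decode()
    entry = AD_USERS.get(user)
    if entry is None or entry["password"] != password:
        return None
    for ad_group, vpn_group in ACS_GROUP_MAPPING:
        if ad_group in entry["groups"]:
            return encode_attribute(RADIUS_ATTR_CLASS, f"OU={vpn_group};".encode())
    return None  # authenticated but no mapping -> no VPN group


def vpn_group_from_class(reply_bytes):
    """Concentrator side: pull the group name out of 'OU=<group>;'."""
    value = decode_attributes(reply_bytes)[RADIUS_ATTR_CLASS].decode()
    if not (value.startswith("OU=") and value.endswith(";")):
        raise ValueError("unexpected Class value: %r" % value)
    return value[3:-1]


def lock_user_into_group(user, password, connected_vpn_group):
    """End-to-end 'lock user into group': accept only if the group ACS
    returns equals the group the client connected with."""
    reply = acs_authorize(concentrator_access_request(user, password))
    if reply is None:
        return False
    return vpn_group_from_class(reply) == connected_vpn_group


def combined_profiles_needed(course_count):
    """Cost of the combined-profile workaround: one profile for every
    non-empty subset of courses a student might be enrolled in."""
    return 2 ** course_count - 1


if __name__ == "__main__":
    # alice is in both groups, but only ever gets VPN-ENG because it is mapped first.
    print("alice -> VPN-ENG:", lock_user_into_group("alice", "s3cret", "VPN-ENG"))
    print("alice -> VPN-FIN:", lock_user_into_group("alice", "s3cret", "VPN-FIN"))
    print("profiles for 6 courses:", combined_profiles_needed(6))
```

Running the block shows alice accepted into VPN-ENG and rejected from VPN-FIN even though her AD memberships would justify either, because the request carries nothing that tells ACS which group she chose; reordering ACS_GROUP_MAPPING only moves the problem to the other group.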
Current thread:
- Looking for a student VPN solution Christian Héroux (Apr 11)
- <Possible follow-ups>
- Re: Looking for a student VPN solution Charlie Prothero (Apr 11)
- Re: Looking for a student VPN solution Julian Y. Koh (Apr 11)
- Re: Looking for a student VPN solution Gary Flynn (Apr 11)