| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| atmos:citation:soft:vpn [2020/07/12 20:33] – delene | atmos:citation:soft:vpn [2023/05/23 02:13] (current) – delene |
|---|
| ====== VPN: Virtual Private Network ====== | ====== VPN: Virtual Private Network ====== |
| |
| ===== University Wide VPN ===== | ===== May 2023 University of North Dakota VPN ===== |
| | Go to [[http://vpn.und.edu|http://vpn.und.edu]] to access. |
| |
| Open Browser at [[http://undvpn.und.edu|http://undvpn.und.edu]]. Enter you University username and password. On windows, the VPN will install automatically. On Linux, you need to download the install program and manually install it. More information is available at the [[http://help.aero.und.edu/index.php?option=com_content&view=article&id=66&Itemid=66|Aerospace Web site]]. | For Linux users use the open-connect version of the GlobalProtect client located at: |
| | [[https://github.com/yuezk/GlobalProtect-openconnect|https://github.com/yuezk/GlobalProtect-openconnect]] |
| |
| ===== Two-factor Authorization ===== | For users that do not have a UND-owned computer, please go [[https://und.teamdynamix.com/TDClient/2048/IT/KB/ArticleDet?ID=145487|here]] for installation instructions. |
| In the Summer of 2020, the University changed the VPN configuration to require two-factor authentication. Like most information technology decision at the University or State level, this decision was done without any data to back the "feeling" that it is necessary to improve security. While have two methods for authorization can improve security, any required security procedure should be reviewed in term of how it is implemented in practice. Two-factor authorization requires more work on the user's part, so the real question to address before implementing this requirement is, "Does the practical benefit of two-factor authorization provide benefits that are greater than the cost of the additional work of users?". No information on this question was provided to users when announcing two-factor authorization requirement. Only stating that the change was done for "security" reasons. This is an example of what people mean when they indicate that they want more "transparency" from the University administration. Transparency is not being informed of decision to add two-factor authorization for a general reason like "security"; but, is being provided with the cost-benefit analysis that went into the decision. In fairness to "transparency", I expect there was no analysis done at the University or State level. I expect a vendor justified raising the cost of their product/service by indicated they are providing a more "secure" produce; hence, all that can be done to justify the additional work required by users is to repeat the vendor's line that "this increases security". | |
| |
| One reason for assuming no analysis was done for requiring two-factor authorization is the limited, and in places incorrect, information provided on how to use two-factor authorization. This lack of information indicates how little is understood by them and requires more time on the user's part to figure out the new system. Hence, provided here is information on using the University's two-factor authorization, which requires a second method of authorization. The university's help page on using two-factor authorization for VPN access assumes you should request (put in und for the second password) this second authorization when you make a VPN login request. When you try to connect, an authorization request is sent to your North Dakota University System registered DUO app (put in und for the second password) device, typically on a smart phone. The university information page incorrectly states that you are doing the authorization when connecting; however, the authorization does not happen until later. They understand so little about two-factor authorization that they are unwilling to correct this information on their site when it is point out to them. If you need to use the DUO app anyway for authorization, why not just start there. Hence, you can easily provide the authorization at login by: | Instructions on accessing and using the GlobalProtect VPN can be found [[https://und.teamdynamix.com/TDClient/2048/IT/KB/ArticleDet?ID=145487|here]]. |
| |
| * Log into your DUO software on your smart phone or other device. | If you have any questions or are having difficulty connecting with VPN, please submit a ticket here to get in touch with UND Tech Support. |
| * Select (Press) the North Dakota University System item. Unless you are using for another system, this will be the only one it the site. This provide you the "second" limited use 6 digit number/password. | |
| * Open the VPN, type in your username, University Password, the Duo software provided "second" 6 digit number. | |
| * Select connect to start/connect using the VPN. | |
| |
| One piece of incorrect information provided by the initial user documentation on two-factor authorization is that it is only needed to access servers. However, I repeated find that if I start the VPN to access a server, and then the VPN drops (only 10 hours time limit so will drop overnight), then all University Web sites hosted on the University network will give a network time out. Seems that it is "too much" work, or their network is incorrectly configured so it not possible, for the University information technology people to configure the network traffic to Web servers to not go through the VPN. Hence, to access even simple Web Sites (for example this page) you need to use the VPN. | ===== Old (Before May 2023) University Wide VPN ===== |
| |
| ===== Installation ===== | Go to [[http://undvpn.und.edu|http://undvpn.und.edu]], and log in using your University username and password. Click on the Start AnyConnect link to install the VPN. On windows, the VPN will install automatically. On Linux, you need to download the install program and manually install it. More information is available at the [[http://help.aero.und.edu/index.php?option=com_content&view=article&id=66&Itemid=66|Aerospace Web site]]. |
| | |
| | ==== Two-factor Authorization ==== |
| | To Set-up Duo and Start the VPN, follow these steps. |
| | |
| | * Log into your UND Duo account at[[https://webapps.ndus.edu/duo-device-manager/login]]. |
| | * Download the Duo Mobile App on your smartphone or other device. |
| | * Next, go back to the UND Duo webpage and set-up your mobile device for Duo. More detailed instructions for this step can be found on [[https://und.teamdynamix.com/TDClient/2048/Portal/KB/ArticleDet?ID=62187]] |
| | * Select (Press) the North Dakota University System item on your device. Unless you are using another system, this will be the only item listed when the app is launched. This provides you the "second" limited use 6 digit number/password. |
| | * Open the VPN and exter Campusvpn into the field provided. This will bring up a new window. Type in your username in top field, your University password in top (first) password field, the Duo software provided 6 digit number in the bottom (second) password field. |
| | * Select connect to start/connect using the VPN. Nothing else is required. |
| | |
| | ==== Statement on Two-factor Authorization ==== |
| | In the Summer of 2020, the University changed the VPN configuration to require two-factor authentication. Like most information technology decisions at the University or State level, this decision was done without any data to back the "feeling" that it is necessary to improve security. While having two methods for authorization can improve security, any required security procedure should be reviewed in terms of how it is implemented in practice. Two-factor authorization requires more work on the user's part, so the real question to address before implementing this requirement is, "Does the practical benefit of two-factor authorization provide benefits that are greater than the cost of the additional work of users?". No information on this question was provided to users when announcing the two-factor authorization requirement. Only stating that the change was done for "security" reasons. This is an example of what people mean when they indicate that they want more "transparency" from the university administration. Transparency is not being informed of the decision to add two-factor authorization for a general reason like "security"; but, is being provided with the cost-benefit analysis that went into the decision. In fairness to "transparency", I expect there was no analysis done at the University or State level. I expect a vendor justified raising the cost of their product/service by indicated they are providing a more "secure" produce; hence, all that can be done to justify the additional work required by users is to repeat the vendor's line that "this increases security". |
| | |
| | One reason for assuming no analysis was done for requiring two-factor authorization is the limited, and in places incorrect, information provided on how to use two-factor authorization. This lack of information indicates how little is understood by them and requires more time on the user's part to figure out the new system. Hence, provided here is information on using the University's two-factor authorization, which requires a second method of authorization. The university's help page on using two-factor authorization for VPN access assumes you should request (put in und for the second password) this second authorization when you make a VPN login request. When you try to connect, an authorization request is sent to your North Dakota University System registered DUO app (put in und for the second password) device, typically on a smartphone. The university information page incorrectly states that you are doing the authorization when connecting; however, the authorization does not happen until later. They understand so little about two-factor authorization that they are unwilling to correct this incorrect information on their site when it is pointed out to them. If you need to use the DUO app anyway for authorization, why not just start there. |
| | |
| | One piece of incorrect information provided initially at the University/State level to users on two-factor authorization is that it is only needed to access servers. However, I repeatedly find that if I start the VPN to access a server, and then the VPN drops (only 10 hours time limit so will drop overnight), then all Web sites hosted on the University network will give a network time out. Seems that it is too much work, or their network is incorrectly configured so it not possible, for the University information technology people to configure the network traffic to Web servers to not go through the VPN. Hence, to access even simple Web Sites (for example this page) you need to use the VPN. |
| | |
| | I hope this information helps the users that are now required to use two-factor authorization for the University of North Dakota VPN. While ticket requests to improve VPN two-factor authorization have not been successful, I will try to submit a ticket request on how to use a Yubico USB key instead of the Duo app 6-digit password for two-factor authorization and post results here. |
| | |
| | ==== Installation ==== |
| |
| **Ubuntu Linux:** In a terminal window type "sudo apt-get install network-manager-openconnect network-manager-openconnect-gnome". The root password will need to be entered. Open 'Network Connections' and go to 'Add Network Connection'. From the drop down menu select 'Cisco AnyConnect Compatible VPN (openconnect)' and create. Connection name = UND, Gateway = undvpn.und.edu. SAVE. Open 'Network Connections', VPN Connections and select UND. Log in with UND username and password. | **Ubuntu Linux:** In a terminal window type "sudo apt-get install network-manager-openconnect network-manager-openconnect-gnome". The root password will need to be entered. Open 'Network Connections' and go to 'Add Network Connection'. From the drop down menu select 'Cisco AnyConnect Compatible VPN (openconnect)' and create. Connection name = UND, Gateway = undvpn.und.edu. SAVE. Open 'Network Connections', VPN Connections and select UND. Log in with UND username and password. |
