Educause Security Discussion mailing list archives

Re: Looking for a student VPN solution


From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Wed, 11 Apr 2007 14:08:10 -0400

At Keystone College, we found VPN an overall pain to support (not to mention the risk of letting unknown computers onto 
the network), so now we primarily offer terminal server access to our users.  RDP protocol has supported encryption for 
a while now, so we have two terminal servers available from off-campus.  No more support calls from folks who don't 
understand why they can't open their 600MB PowerPoint through a VPN connection!  For employees who have specialty 
applications on their computers and absolutely have to take control of them from home, we still grant VPN access.  But 
we're now down to around 10 regular VPN users.  This approach might not scale up very well, but we're small and it 
works for us...

- Charlie

________________________________

From: Christian Héroux [mailto:Christian.Heroux () ETSMTL CA] 
Sent: Wednesday, April 11, 2007 1:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Looking for a student VPN solution

Hello!

We already have a Cisco VPN 3000 VPN solution with ACS and user authentication with Active Directory. The
solution cannot be applied to students for many reasons, so we are looking for other VPN solutions. You might have come
across the same limitation that I have, so I would appreciate some suggestions.

With the Cisco solution, if you want to implement authorization with ACS group mapping and the "locking users into a VPN
group" Cisco VPN recipe, VPN profiles are mutually exclusive:

*  VPN profiles are created with filters to limit internal access to certain servers.

*  An Engineering employee will have access to Engineering servers via a VPN profile (authorization part of AAA).

*  A Finance employee will have access to Finance servers via a VPN profile (authorization part of AAA).

*  It is impossible to let an employee choose today which profile he wants to use; you need to create another,
combined Engineering-Finance profile.

When you try to apply the VPN solution to students, it fails in many ways:

*  The number of VPN groups grows exponentially with the workaround.
*  You create a profile on a per-lab or per-course basis, with limited access to the servers of that course or lab.
*  Students take many courses and will need to be authenticated and authorized to use many VPN profiles.
*  Because authentication is against Active Directory and authorization to use the VPN profile is implemented via AD
groups, ACS group mapping and VSA Class 25, it can't track the VPN profile used during the authentication phase.
*  The VPN profile used/configured in the VPN concentrator is not carried in the RADIUS packet to the AAA. The AAA
can query AD and verify the username/password (authentication) but not whether the student can use the VPN profile
(authorization). In ACS, once the user is authenticated, ACS will check group mapping and put the user in the first
group the user matches, not the one used to authenticate.

 

How did you solve this issue at your university? Can any other VPN solution bypass that limitation?

You can reply directly to my email address.

Thanks,

Christian Héroux
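As an added example, not part of this thread and not Cisco ACS or VPN 3000 code, here is a small Python sketch of the exchange Christian describes: the concentrator's RADIUS Access-Request carries only User-Name and User-Password (no VPN group), the AAA side authenticates against a directory, applies ACS-style group mapping where the first matching mapping entry wins, and returns the VPN group to the concentrator in the Class (25) attribute as "OU=<group>;", which is my understanding of the Cisco "lock user into a group" convention. The packet encoding follows RFC 2865; the directory contents, mapping table, shared secret and group names are constructed for illustration.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25

# Constructed ACS-style group mapping, in evaluation order (first match wins).
# AD group DN -> VPN 3000 group name returned in Class as "OU=<group>;"
ACS_GROUP_MAPPING = [
    ("CN=Course-GTI-100,OU=Students,DC=example,DC=edu", "lab-gti-100"),
    ("CN=Course-GTI-200,OU=Students,DC=example,DC=edu", "lab-gti-200"),
    ("CN=Engineering,OU=Staff,DC=example,DC=edu", "engineering"),
]

# Constructed stand-in for Active Directory: user -> password and group memberships.
AD_USERS = {
    "student1": {"password": "s3cret", "groups": [
        "CN=Course-GTI-200,OU=Students,DC=example,DC=edu",
        "CN=Course-GTI-100,OU=Students,DC=example,DC=edu"]},
}


def attr(t, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("BB", t, len(value) + 2) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding (PAP): XOR 16-byte blocks with MD5(secret + prev)."""
    p = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], key))
        out += prev
    return out


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username, password, secret, ident=1):
    """Concentrator -> AAA: only the credentials travel; the chosen VPN group does not."""
    request_auth = os.urandom(16)
    attrs = [attr(USER_NAME, username.encode()),
             attr(USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def parse_attrs(packet):
    attrs, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def request_attribute_types(username, password, secret):
    return [t for t, _ in parse_attrs(build_access_request(username, password, secret))]


def acs_authorize(ad_groups):
    """Mimic ACS group mapping: the first mapping entry the user matches decides the VPN group."""
    for ad_group, vpn_group in ACS_GROUP_MAPPING:
        if ad_group in ad_groups:
            return vpn_group
    return None


def aaa_handle(request, secret):
    """AAA side: check credentials against AD_USERS, answer Access-Accept with Class 'OU=<group>;'."""
    ident = request[1]
    request_auth = request[4:20]
    fields = dict(parse_attrs(request))
    user = AD_USERS.get(fields[USER_NAME].decode())
    if not user or encrypt_password(user["password"].encode(), secret, request_auth) != fields[USER_PASSWORD]:
        return None
    attrs = [attr(CLASS, f"OU={acs_authorize(user['groups'])};".encode())]
    body = b"".join(attrs)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def concentrator_login(username, password, secret):
    """VPN 3000 side: send the request, verify the reply, read back the group it is locked into."""
    request = build_access_request(username, password, secret)
    reply = aaa_handle(request, secret)
    if reply is None:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        raise ValueError("bad Response Authenticator")
    return dict(parse_attrs(reply))[CLASS].decode()
```

Running concentrator_login("student1", "s3cret", b"shared-secret") returns "OU=lab-gti-100;" even though the student is also a member of the GTI-200 course group, because the AAA side never learns which group the concentrator would have used and simply takes the first mapping that matches.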
