Educause Security Discussion mailing list archives

Re: The VPN question


From: Chris Green <cmgreen () UAB EDU>
Date: Thu, 30 Jun 2011 09:40:43 -0500

I'd like some feedback on how people deal with a problem that's plagued us (and it may just be not knowing a good 
configuration).

We have lots of roles to get people into the right FW zone for their department.    We basically keep an access-list of 
users <> departments.  One issue that hits us with this design is that users who reside in more than one department 
generally require the creation of a separate role.   Sometimes, it's acceptable for them not to be doing the same role 
at the same time and they could just "select" the group they expected to be in.

Unfortunately, RADIUS just spits out a group name they should be in and we end up with a "first match" behavior.

If this sounds like a common problem to you, please let me know how you target your groups in your areas.

Thanks,
Chris

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Lovaas,Steven
Sent: Wednesday, June 29, 2011 5:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] The VPN question

Hi Jay,

Wow, that's a lot of user roles!

At Colorado State, we have the same set of technologies that you're talking about (a pair of Cisco ASAs and a pair of 
SA4000s which we're swapping out for SA4500s). We've been moving away from IPSec for remote access, encouraging 
everyone to go SSL (either through the web interface or using the full tunnel mode) unless they have some burning need 
for IPSec. I love the granularity of access control that I get with the Junipers, as well as the freedom from having to 
chase down installations of old client versions.

I'm surprised to hear you say that you're required to create separate roles for Pulse users. Is that something specific 
to the 6000 hardware? We've had the ability to mix and match for some time now, first using Network Connect and now its 
replacement (Pulse). We do have this capability enabled natively on some roles, though most people are actually 
connecting to a specific URL to enable mapping into a NetConnect/Pulse role, and that gets added to whatever other roles 
they get assigned based on who they are.


We've had good results with iOS devices using Pulse, including a surprisingly large number of iPads recently. In fact, 
at the last two conferences I've traveled to, my iPad got me through the day and my laptop never came out of its bag. 
We're hoping that upcoming versions of Pulse support VPN functionality for Android devices too, but support for the 
various flavors is more complicated both technically and contractually, I would imagine.

Hope that helps. If you have specific questions, I'd be happy to help; feel free to follow up off-list.

Steve


===================
Steven Lovaas
IT Security Manager
Colorado State University
steven.lovaas () colostate edu
970-297-3707
===================
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jay Graham 
[jwg+ () pitt edu]
Sent: Wednesday, June 29, 2011 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The VPN question

Hello Folks,

Here at Pitt we are in the process of a few VPN projects.

We currently have an SSL VPN (Juniper SA6000s in a redundant config) and are testing Cisco ASAs as our IPSec solution.

Background:

With our SA6000s we create roles to protected resources based on LDAP groups and currently have over 300 roles. We are 
now implementing the Pulse Client for this so that iOS and other platforms can use it to access protected resources. 
With the SA6000s you need to create a "separate" Pulse role for these users. We are thinking of only creating Pulse 
roles for people that request them rather than just duplicating all 300 roles, believing that not all users will need 
all roles from the iPad (or other device). (We are not supporting Pulse for Windows or Mac OSes yet, just for mobile 
devices.)

The Question:
What are other schools doing for mobile device VPN solutions and how are you giving users access to their roles?

Thanks in advance.
Jay Graham

