Re: VPN Concentrator replacement

["Dugan, Darin D [ITSYS]" <dddugan () IASTATE EDU>]

Cisco ASA / AnyConnect here for a long time. As soon as they fix the iOS
AnyConnect client we'll be changing authentication from LDAP to SAML against
our SSO IDP. Users see the SSO login and MFA challenge they're used to from
other services, not the AnyConnect username/password window. Makes MFA much
more user friendly than RADIUS integration.

 

(Cisco acknowledged bug in iOS AnyConnect where during connection if you
navigate away from AnyConnect to approve/retrieve MFA in another app on the
same device the connection starts over because you left AnyConnect. Supposed
to be fixed in 4.8 "Real Soon Now".)

 

Cheers.

--
Darin Dugan
Information Technology
Iowa State University

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Akey, Michael
Sent: Tuesday, May 7, 2019 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] VPN Concentrator replacement

 

Hello Security list,

 

At OSU we're looking to replace our aging Cisco ASA devices with a new VPN
solution.  We wanted to know what other higher-ed institutions are using
these days with regards to VPN for end users (not site-to-site/cloud VPN).
Our current solution was very over-built for how it was ultimately used and
we only have about 100-300 concurrent users on any given day.  Any solution
we go with must support Duo 2fa - though I'm seeing that nearly any VPN
service is supported by way of a RADIUS shim or custom login pages for SSL
web VPNs.

 

If you've recently moved to a new VPN solution and are willing to briefly
share your experiences with certain vendors/products I would appreciate it.
If you know of a good article or existing survey of what other higher-ed
institutions use for client VPNs I'd love that too.

 

Thank you,

 

Mike Akey
Systems Engineer, IT Infrastructure
University Information and Technology | Oregon State University
541-737-4948 | uit.oregonstate.edu

Attachment: smime.p7s
Description: