WiscVPN (uwmadison.vpn.wisc.edu) - Getting Started
A way for remote users to connect to University of Wisconsin-Madison resources through an encrypted tunnel.
Where can I get the VPN Client?
WiscVPN is based on the Palo Alto client named GlobalProtect. The GlobalProtect client can be downloaded either by
- Connecting to https://uwmadison.vpn.wisc.edu, or
- By visiting https://vpn.wisc.edu and following the manual download NetID protected link at the bottom of the page "Manual download and install, VPN Client Downloads".
Installing and Connecting
See:
- WiscVPN - How to Install, Connect, Uninstall, and Disconnect WiscVPN Palo Alto GlobalProtect
- WiscVPN - Installing the Palo Alto GlobalProtect Client (Mac)
- Global Protect - Accessibility & Usability Information
NOTE: You MUST use a GlobalProtect client when using the static WiscVPN service. You will not get a static IP address if you configure the native IPSEC for OSX, or Linux. You will get a dynamic IP address even if you log in with your username_1.
On 8/23/2021 between 2-3AM(originally 6-7AM, scheduling conflicts), WiscVPN will have Multi-Factor Authentication(MFA) enabled. After a successful login using your NetID & Password, you will see the following:
At this point you can either type:
"1" and hit "Enter" to have a Duo Push sent to your phone
or
Enter the code you see in your Duo app or hardware token
Q: Why is Multi-factor authentication(MFA) being enabled on WiscVPN? (UW-Madison uses Duo for MFA)
A: MFA-Duo provides two pieces of evidence to ensure the user is who they say they really are and in return protecting the resources they have access to.
Q: I can't log into WiscVPN.
A1: If after 8/23/2021, please make sure you are MFA-Duo enrolled.
A2: If you are a guest/contractor, please reach out to your UW contact to confirm your account is still WiscVPN eligible.
A3: Please reach out to the DoIT Helpdesk, they may need to add you to the "mfa_eligibility" Manifest group.
Who currently has WiscVPN access?
As of 8/16/2021, all members below should be eligible for MFA-Duo in preparation for enabling MFA for WiscVPN on 8/23/2021. Please enroll in MFA-Duo prior to 8/23/2021.
If you find you cannot, you will need to work with the DoIT Helpdesk to resolve the issue.
- All Current and Future Enrolled Students
- All Current and Future Employees
- Consultants (as entered in as a POI in HRS)
- Emeritus
- Non-UW TimeSheet Approver (HRS POI)
- All Colleges/Extension Restructure POIs (as entered in as a POI in HRS)
- Extension POI Affiliates
- NetID Request for Affiliates
- Special Authorizations
- Volunteers (as entered in to as a POI in HRS)
- UW Medical Foundation or UW Hospital and Clinics employees
- Manifest groups who have requested WiscVPN services via Manifest process Manifest - Services
Guest Access / Temporary Access
Q: "tmp-###" based NetIDs are not able to log into WiscVPN?
A: As of 2/21/2021, when we switched to the new authentication method for WiscVPN, NetIDs starting with "tmp-" lost the ability to log into WiscVPN. Per IAM, the site that does supply temporary NetIDs will be going away Spring 2021.
IAM does have a another option using Manifest groups. This new process can be found here Manifest - Services
Generally the new process steps are:
- Create/request Manifest folder.
- Create a Manifest group within the Manifest folder mentioned above. Maybe called something like "WiscVPN access".
- Request that this group is "service" eligible. (A group will look over the reason for the new group to confirm that one doesn't already exist.)
- Request WiscVPN and Static WiscVPN (if required) services. (A group will look over the request for approval. Approval is based on the reason given.)
- Invite outside members to the group via an email address.
- We recommend that you put a 1 year or less end date for each invite. If longer is needed, we recommend to add a reminder in your calendar to look over this group at least once a year.
Related:
As of 8/16/2021, if a user in this category has logged into WiscVPN over the past 3 months, they should be eligible for MFA-Duo in preparation for enabling MFA for WiscVPN on 8/23/2021. Please enroll in MFA-Duo prior to 8/23/2021.
If you find you cannot, you will need to work with your UW Contact that gave you WiscVPN access or the DoIT Helpdesk to resolve the issue:
Dynamic IP Addressing
When workstations are connected to the WiscVPN (uwmadison.vpn.wisc.edu) service, the client computers will not be NAT translated while on campus and use the IP address ranges of:
10.130.176.0/20 (10.130.176.0-10.130.191.255)
10.254.0.0/16 (10.254.0.0-10.254.255.255)
All workstations, servers, firewalls, networking equipment on campus will see the 10.130.176.0/20 or 10.254.0.0/16 as a source IP address.
When workstations are connected to the GlobalProtect vpn service and accessing non-campus Internet sites, the client computers IP source address will be translated to 144.92.38.224/27
Static IP assignments
When you log into "uwmadison.vpn.wisc.edu" using the GlobalProtect VPN client, using your "username_#", like "bbadger_1", you'll be assigned your static IP after a successful authentication. Static IPs are assigned from:
146.151.192.0/19 (146.151.192.0 - 146.151.223.254)
Note: You MUST use a GlobalProtect client when using the static WiscVPN service. You will not get a static IP address if you configure the native IPSEC for OSX, or Linux. You will get a dynamic IP address even if you log in with your "username_1".
Who currently has access to reserve a static IP address?
- All Current and Future Employees
- Consultants (as entered in as a POI in HRS)
- Special Authorizations
- Manifest groups who have requested WiscVPN services via Manifest process Manifest - Services
Q: Where can a I reserve, view or delete a static IP address for https://uwmadison.vpn.wisc.edu?
A: https://access.services.wisc.edu/IPaddress
Q: How many static IPs can I reserve?
A: "4" per user NetID
Q: I don't see uwmadison.vpn.wisc.edu when I go to https://access.services.wisc.edu/IPaddress, why?
A: You most likely don't have access. All current employees of UW Madison should have access. If you feel this is in error, please create a ticket with the Helpdesk. They'll add you to a temporary group until IAM and Network Services looks at the users and figures out what population may have been missed during the authentication migration on 2/21/2021.
Q: Where can I find the list of static IPs for a group of users?
A: There is no way for a single user today to be able to view the static IPs of other WiscVPN users. CyberSecurity is looking into feasibility of providing such information. Last Updated: 3/2/2021 For now, a user will have to login into https://access.services.wisc.edu/IPaddress, to see their static IP and send it to admins requesting it.
Q: I need to reserve a static IP for a new employee, how can I do this on their behalf?
A: Reserving a static IP for someone else is not possible after 2/21/2021. CyberSecurity is currently looking into whether to provide that ability in the near future. Last Updated:3/4/2021 Today, all new employees can go to https://access.services.wisc.edu/IPaddress, to request their static IP address.
Departmental GlobalProtect based VPN Service
There are also departmental VPNs on campus under a different "DEPT-NAME".vpn.wisc.edu. These behave, in many ways, much like uwmadison.vpn.wisc.edu.
More details can be found here:
Traffic Filtering
The new service allows for protection of client devices though the use of URL filtering of malware and phishing sites. The policy of what is filtered is determined and implemented though the Office of Cyber security. NO SSL decryption is enabled so no banking and passwords are decoded.
Troubleshooting
See:
- WiscVPN - General Connectivity Troubleshooting
- WiscVPN - Static IP Troubleshooting
- WiscVPN - Troubleshooting the Palo Alto GlobalProtect Client (Windows)
- WiscVPN - Troubleshooting the Palo Alto GlobalProtect Client (MacOS)
- WiscVPN - Troubleshooting the Palo Alto GlobalProtect Client (iOS/ Android)
- Palo Alto GlobalProtect VPN - What DoIT will need to troubleshoot client connectivity issues
Tunneling
The old WiscVPN service allowed the user to pick either off or on campus profiles as a method to pick either fully tunneling all VPN traffic or only traffic to UW campus resources. The new GlobalProtect VPN service tunnels ALL internet bound traffic though campus.
FAQ
Q: What happens if I connect multiple times with my static WiscVPN username?
A: If you do not log out of the static WiscVPN service, any additional logins to the service will result in your workstation being assigned a dynamic IP address from the non-static WiscVPN service.
Q: How do I know what IP address my workstations got assigned (i.e. maybe I forgot to log out on my work machine and I am connecting in from another computer):
A: You may view the currently assigned IP address by clicking on the Palo Alto GlobalProtect icon in your tray, selecting "Settings" from the drop-down menu, and then clicking on the "Connection" tab and viewing "Assigned Local IP:" Or you can use one of the "what is my IP address" web sites to view what external network sees your computer. Typing in "what is my ip address" in a google.com search will give you that information.