WiscVPN - Manifest Integration
General Information
- Six Manifest groups are involved, three per service. The two "1-FINAL" groups are what actually control access to WiscVPN and to the WiscVPN Static IP assignment site.
- 3 = the "initial" population. Middleware/IAM owns it; Network Services nests the other population groups into it.
- 2 = the "disable VPN" population, which is subtracted out.
- 1 = the resulting population allowed to use the service.
- Think: "3 - 2 = 1"
- Several populations (nested groups) make up both "initial" groups. The general list can be seen in:
- WiscVPN - Overview
- Otherwise, go directly to the groups via Manifest, see links below.
- The helpdesk can add users to its own groups to temporarily allow someone access to either service. Normally they apply a two-week end date.
- Customers should reach out to their HR department to have a $0 affiliate appointment created. This will get them a SpecAuth account which will give them both MFA-Duo and WiscVPN access automatically.
- When someone requests WiscVPN or Static WiscVPN services through a Manifest request, see Manifest - Services .
- A notification is sent to IAM for approval.
- If IAM approves, Network Services designated staff are notified to approve or deny.
- If approved, the user is automatically added to the "initial" group(s) mentioned above.
WiscVPN Access
The 1-FINAL-VPN-USER-LIST Manifest group is the list of all users who can authenticate to uwmadison.vpn.wisc.edu (WiscVPN).
We use 3 different Manifest groups today to give someone the ability to disable a user's VPN access. Think "3 - 2 = 1"
- 3-ALLOWED-INITIAL-VPN-USERS (uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:3-ALLOWED-INITIAL-VPN-USERS )
- This is the initial group of users that are allowed to use uwmadison.vpn.wisc.edu. All allowed VPN users should go here so that Cyber can disable individual users via Manifest group "2-DISABLED-VPN-USERS".
- The Help Desk has a Manifest group that they can add users to for WiscVPN access. This gives the user calling in temporary access until Network Services and IAM can work out which populations were missed.
- The Help Desk manifest group is https://manifest.services.wisc.edu/Group/Index/aa478be8fc6d45ed9696aeee64a90ef2
- 2-DISABLED-VPN-USERS (uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:2-DISABLED-VPN-USERS )
- Users placed in this group will be disabled from using uwmadison.vpn.wisc.edu.
- IAM takes users in "3-ALLOWED-INITIAL-VPN-USERS", subtracts users in "2-DISABLED-VPN-USERS", and puts the final list of users in "1-FINAL-VPN-USER-LIST".
- A Cyber-owned/managed group is nested here: "uw:domain:cybersec.wisc.edu:uwmadison.WiscVPN:Restrict_WiscVPN Access"
- 1-FINAL-VPN-USER-LIST (uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:1-FINAL-VPN-USER-LIST)
- This is the final group that uwmadison.vpn.wisc.edu uses to determine who's allowed to VPN in. This group is the product of when IAM subtracts "2-DISABLED-VPN-USERS" from "3-ALLOWED-INITIAL-VPN-USERS".
- Note: IAM needs to write some software before the above group can be used on their RADIUS servers. The group the IAM RADIUS servers actually use today is "uw:domain:vpn.wisc.edu:144.92.254.227:1-FINAL-VPN-USER-LIST"; "uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:1-FINAL-VPN-USER-LIST" is simply a member of this temporary group.
WiscVPN Static IP assignments
Q: Where can a user reserve or delete a static IP address for uwmadison.vpn.wisc.edu?
A: https://access.services.wisc.edu/IPaddress
Q: How many IPs can a user reserve?
A: 4 (configured at https://access.services.wisc.edu/CIDR/Edit/1)
Q: What determines who's allowed to reserve a Static IP for uwmadison.vpn.wisc.edu via https://access.services.wisc.edu/IPaddress?
A: The short answer is, Manifest group: "1-STATIC-IP_FINAL-VPN-USER-LIST"
We use 3 different Manifest groups today to give someone the ability to disable a user from reserving IP addresses. Think "3 - 2 = 1"
- 3-STATIC-IP_ALLOWED-INITIAL-VPN-USERS ( uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:3-STATIC-IP_ALLOWED-INITIAL-VPN-USERS )
- This is the initial group of users that are allowed to access https://access.services.wisc.edu/IPaddress. All users allowed to reserve a Static IP should go here so that Cyber can disable individual users via Manifest group "2-STATIC-IP_DISABLED-VPN-USERS".
- The Helpdesk has a Manifest group that they can add users to for Static IP website access. This gives the user calling in temporary access until Network Services and IAM can work out which populations were missed.
- The Helpdesk manifest group is https://manifest.services.wisc.edu/Group/Index/710c7d0f892544c990172c3a74de9d92
- 2-STATIC-IP_DISABLED-VPN-USERS ( uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:2-STATIC-IP_DISABLED-VPN-USERS )
- Users placed in this group will be disabled from accessing https://access.services.wisc.edu/IPaddress. IAM takes users in "3-STATIC-IP_ALLOWED-INITIAL-VPN-USERS", subtracts users in "2-STATIC-IP_DISABLED-VPN-USERS", and puts the final list of users in "1-STATIC-IP_FINAL-VPN-USER-LIST".
- A Cyber-owned/managed group is nested here: "uw:domain:cybersec.wisc.edu:uwmadison.WiscVPN:Restrict_StaticVPN Access"
- 1-STATIC-IP_FINAL-VPN-USER-LIST ( uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu:1-STATIC-IP_FINAL-VPN-USER-LIST )
- This is the final group that https://access.services.wisc.edu/IPaddress uses to determine who's allowed to reserve a Static IP address for uwmadison.vpn.wisc.edu. This group is the product of when IAM subtracts "2-STATIC-IP_DISABLED-VPN-USERS" from "3-STATIC-IP_ALLOWED-INITIAL-VPN-USERS".
- Q: Where is this group applied?
- A: https://access.services.wisc.edu/CIDR/Edit/1
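The "3 - 2 = 1" arithmetic above is the same for both the WiscVPN access groups and the Static IP groups. The following is an added example, not code from Manifest or from IAM, that models the computation: nested groups are flattened (the Help Desk group is a member of the 3- group, the Cyber Restrict group is a member of the 2- group), Help Desk memberships carry an end date, and the final list is initial minus disabled. The point it makes explicit is that a disable always wins: a user the Help Desk adds temporarily is still blocked if Cyber has them in the Restrict group. The membership data, the "HELPDESK-TEMP-VPN" group name and the `helpdesk_entry` helper are constructed for illustration; the 3-/2-/1- and Restrict group names are the ones on this page.

```python
"""Model of the "3 - 2 = 1" Manifest group arithmetic (added example)."""
from datetime import date, timedelta

INITIAL = "3-ALLOWED-INITIAL-VPN-USERS"
DISABLED = "2-DISABLED-VPN-USERS"
HELPDESK = "HELPDESK-TEMP-VPN"            # constructed name for the Help Desk group
RESTRICT = "uw:domain:cybersec.wisc.edu:uwmadison.WiscVPN:Restrict_WiscVPN Access"

# Constructed sample data. Each group has direct user members as (netid, end_date)
# pairs (end_date None = no expiry) and nested group members.
GROUPS = {
    INITIAL:  {"users": {("alice", None), ("bob", None)}, "groups": {HELPDESK}},
    HELPDESK: {"users": {("carol", date(2024, 3, 14)), ("dave", date(2024, 2, 1))},
               "groups": set()},
    DISABLED: {"users": set(), "groups": {RESTRICT}},
    RESTRICT: {"users": {("bob", None), ("carol", None)}, "groups": set()},
}


def helpdesk_entry(netid, today):
    """Membership tuple the Help Desk would add: a two-week end date."""
    return (netid, today + timedelta(days=14))


def effective_members(group, groups, today, _seen=None):
    """Flatten nested membership, dropping expired entries; guards against cycles."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    members = {netid for netid, end in groups[group]["users"]
               if end is None or end >= today}
    for sub in groups[group]["groups"]:
        members |= effective_members(sub, groups, today, _seen)
    return members


def final_list(groups, today, initial=INITIAL, disabled=DISABLED):
    """1-FINAL = effective(3-INITIAL) minus effective(2-DISABLED)."""
    return effective_members(initial, groups, today) - effective_members(disabled, groups, today)


def explain(netid, groups, today, initial=INITIAL, disabled=DISABLED):
    """Why a user is or is not in the final list; useful when triaging a helpdesk call."""
    if netid in effective_members(disabled, groups, today):
        return "denied: in %s (disable wins over any allow)" % disabled
    if netid in effective_members(initial, groups, today):
        return "allowed: in %s and not disabled" % initial
    return "denied: not in %s (population missing or temporary access expired)" % initial


if __name__ == "__main__":
    today = date(2024, 3, 1)
    print(sorted(final_list(GROUPS, today)))
    for who in ("alice", "bob", "carol", "dave"):
        print(who, "->", explain(who, GROUPS, today))
```

With the constructed data on 2024-03-01 only alice ends up in the final list: bob and carol are in the Restrict group (carol despite a valid Help Desk entry), and dave's Help Desk entry expired. Because the subtraction happens after all nesting is flattened, adding a disabled user to the Help Desk group does not restore access; the Restrict group membership has to be removed.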
Q: How does this service compare to a Departmental VPN?
A: See Palo Alto Based Departmental & Central VPN concentrators - Manifest Integrated