Help Desk - Temporary MFA & WiscVPN Eligibility Process and Handling

This document details the process to temporarily allow users access to MFA and VPN until the users have been added to the correct population groups driving access to the service.

This Manifest group allows the Help Desk to give users temporary WiscVPN access and also makes them MFA-Duo eligible. The users themselves will need to enroll in MFA-Duo if they are not already enrolled: MFA-Duo - How to Enroll for MFA Duo for your NetID Login Account

Cases should be classified as Network Access > VPN > Submit Incident.

Important Help Desk Agent Notes

If a user needs VPN access but is not part of a group making them eligible, please read the two notes below before having HDQA give the user temporary access to WiscVPN.

Important: Users being added should be told to reach out to their supervisor/manager to let them know that their Static IP or WiscVPN access is temporary. Their supervisor/manager may need to follow up with their local HR department to get the user added as a Person of Interest in HRS (POI). This should provide the user with eligibility for the VPN and Duo indefinitely. Otherwise, if the user's status is going to change in the near future (like becoming an enrolled student or gaining employment at the UW), this will also provide them with the eligibility they need.

Note: If the user cannot register a Duo device and does not have a token/fob yet, please follow steps on MFA-Duo - Exemption Process to exempt them from Duo temporarily.

HDQA - Temporary VPN Eligibility Process

To add users to the WiscVPN Temporary Exemption Group:

  1. Go to the Manifest Group. (Full path: uw:app:duo:service:policy:WiscVPN_Service:helpDesk_ad_hoc_mfa_eligibility)

  2. Make sure you are on the Members tab. Click on Add Member(s).

    ad_hoc_vpn_group

  3. Enter the user's NetID in the Add individual members box.

  4. Click Add individuals.

  5. Set the end date to no more than a month from the current date. The user will need to coordinate with their local HR to be added as a Person of Interest (POI) in HRS, or they will have to enter an eligible population (like becoming an enrolled student or gaining employment at the UW) if they wish to have further eligibility.

  6. Enter the Cherwell case number as the Membership comment.

  7. Click Save.

    Adding_member_adhoc_vpn

  8. Include the user's NetID and note the temporary eligibility.
  9. Remember to remind the customer that their eligibility is TEMPORARY.
  10. Classify as Network Access > VPN > Submit Incident. Resolve the case.


Keywords:
anyconnect exempt exemption extension global globalprotect hdqa ip manifest mfa multi factor duo protect static staticip temporary uwmadison.vpn.wisc.edu vpn
Doc ID:
108839
Owned by:
Help Desk KB Team in DoIT Help Desk
Created:
2021-02-03
Updated:
2025-06-27
Sites:
DoITHelpDesk-internal, IAM-internal, NetworkSrvcs-internal