Help Desk - GlobalProtect 'Authentication Failed' Error due to WiscVPN Eligibility
Problem
If users try to connect to the WiscVPN and they are not eligible, they will receive an “Authentication Failed” error message after signing in with Duo.
Checking Eligibility
Eligibility for WiscVPN is covered here: WiscVPN - Overview.
-
Open the Manifest Lookup Tool
-
Search for the user’s NetID under the Search memberships by NetID section
-
Selecting the Filter icon in the top right of the search results box, set the top filter to Show items with value that Contains VPN and press Filter
-
Expand the dropdown for uw:domain:vpn.wisc.edu:144.92.254.227:uwmadison.vpn.wisc.edu
If the user is a member of the 1-FINAL-VPN-USER-LIST group, then they are eligible for the WiscVPN service. You can also refer to WiscVPN GlobalProtect (All OS) - Installing, Connecting, and Uninstalling.
Note: If a user is eligible but is still receiving an authentication failure error, advise them to update their OS, as this has worked for some eligible users in the past.
If the user does not have a dropdown for this path or is not in this group, they are not eligible for the WiscVPN service.
For in-depth background on how the final VPN user list is maintained, please visit WiscVPN - Manifest Integration.
Common reasons why a user is not eligible
Eligibility for WiscVPN is covered here: WiscVPN - Overview.
Undergraduate Applicant/Future Student
An undergraduate applicant is not eligible for the WiscVPN service. If an applicant is admitted as a student, they will gain eligibility for the WiscVPN service once their status is officially updated by the Office of the Registrar. When this will occur varies for each student. A good rule of thumb is that they will become eligible for the VPN around the same time that they become eligible for MFA Duo.
If the student needs temporary access before their matriculation, consult QA about giving them temporary VPN eligibility (WiscVPN - Temporary MFA & VPN Eligibility Process and Handling).
Graduate Applicant/Future Student
A graduate applicant is not eligible for the WiscVPN service. If an applicant is admitted as a student, they will gain eligibility for the WiscVPN service once they have been matriculated by the Graduate School (NetID - Graduate Students and NetID Status). Graduate applicants who think they should be eligible for the WiscVPN service but aren't should contact their admitting department for more information regarding the status of their matriculation.
If the student needs temporary access before their matriculation, consult QA about giving them temporary VPN eligibility (WiscVPN - Temporary MFA & VPN Eligibility Process and Handling)
Former Student
Former students lose access to the WiscVPN service once their “Current Student” status is removed by the Office of the Registrar.
If a former student is continuing their affiliation with UW through research or other means, they will need to work with their department’s HR to confirm that the appropriate affiliation has been entered into the system. This will grant them access to WiscVPN service for as long as their affiliation is still active.
If the student needs temporary access after leaving the university, consult QA about giving them temporary VPN eligibility (WiscVPN - Temporary MFA & VPN Eligibility Process and Handling)
Employee
Employees only become eligible for the VPN once their appointment has started. You can see when an employee’s appointment start date is by looking up their NetID in the Arrow Lookup Tool and checking the “Begin Date”.
If the employee believes that this date is incorrect, refer them to their HR department.
If the employee needs temporary access before their start date, consult QA about giving them temporary VPN eligibility (WiscVPN - Temporary MFA & VPN Eligibility Process and Handling)
Departmental VPNs
Certain departments around campus have their own departmental VPN where users need to be given access to it by their local IT. If a user is not eligible for the WiscVPN service, then they will not be able to connect to any VPNs, even if they are given permission to access a departmental VPN by their local IT.