The campus virtual private network (VPN) service provides VPN access control groups that use Active Directory (AD) security groups for group membership. Active Directory security groups have an associated manager who is responsible for group membership. Active Directory security groups may contain nested groups. VPN access control security group membership must be actively managed by delegated AD administrators with all changes tracked using Footprints tickets. Each VPN access control group is associated with an IP range assigned to users after successful authentication. Because users can belong to more than one group but can only log in as one group, some groups may have more access permission than needed.
- Active Directory Groups
- How to Determine Which VPN Group a User Should Choose
- VPN Group Priority and AD Group Mapping
- Responsibilities of a Delegated Administrator
- VPN Membership Request Review Procedure
- VPN Membership Monthly Review Procedure
Active Directory Groups

Users must set up their SF State password before they can be added to an Active Directory security group.
How to Determine Which VPN Group a User Should Choose

Use Active Directory Users and Computers (ADUC) to determine which VPN-related Active Directory groups an individual is a member of. Compare that AD group membership to the mapping below to identify which VPN groups the individual can select.

Each VPN group is associated with an Active Directory security group that may include nested groups. Individuals can be members of more than one group, but must select the lowest-numbered group of which they are a member. Example: if someone is a member of groups 11.FACULTY-STAFF, 4.GROUP-ITS, and 2.GROUP-CMS, they must select 2.GROUP-CMS when they log in.
VPN Group Priority and AD Group Mapping

The campus VPN service provides the following VPN groups for access control. Some groups use Duo two-factor authentication (2FA). The groups are listed in relative priority order.
| Priority | VPN Group | Purpose | Managed By | AD Groups Mapped to VPN Group (includes nested groups) | Duo 2FA |
|---|---|---|---|---|---|
| 0 | n/a | Deny access to all | ITS Information Security | SFS-vpn_access-denied | n/a |
| 1 | SYSTEMS | Access to campus Systems resources | ITS Systems | SFS-vpn_systems | Yes |
| 2 | GROUP-HR | Access to Human Resources | ITS Accounts | SFS-vpn_HR | Yes |
| 3 | GROUP-CMS | Access to Campus Management Solution resources | ITS Accounts | SFS-vpn_CMS | Yes |
| 4 | GROUP-ITS | Access to Information Technology Services resources | ITS Accounts | | |
| 5 | GROUP-L1-LTD | Access to high risk Level 1 data protected resources | ITS Accounts | | |
| 6 | GROUP-L1 | Access to high risk Level 1 data protected resources (sec.sfsu.edu) | ITS Accounts | | |
| 7 | GROUP-AT | Access to Academic Technology resources | Academic Technology | SFS-vpn_AT | Yes |
| 8 | GROUP-3rdPARTY | Vendor access to campus resources | ITS Accounts | SFS-vpn_3rdParty | No |
| 9 | FACULTY-STAFF | General access to campus resources from outside the campus firewall | ITS Information Security | | |
| 10 | GROUP-STUDENTS-LTD | Access to class resources for BECA, Journalism, and Biology students in approved classes | Academic Technology | | |
| n/a | NETWORKS | Access to campus Network resources | ITS Network | n/a | |
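The selection rule in the section above (lowest-numbered group wins, nested membership counts), worked as an added PowerShell example that is not part of this page: it expands nested membership for each AD group named in the mapping table and returns the one with the lowest priority number. The priority numbers and AD group names are the table's; groups whose AD name the table leaves blank are omitted from the map, the user ID '912345678' is a constructed placeholder, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not part of the original page): pick the VPN group a user must
# select by expanding nested AD membership and taking the lowest priority number.
# Assumes the RSAT ActiveDirectory module and read access to the groups below.
Import-Module ActiveDirectory

# Priority -> AD group, copied from the mapping table. Groups whose AD name the
# table does not give are left out; add them from the group owner before use.
$VpnGroupMap = [ordered]@{
    0 = 'SFS-vpn_access-denied'   # deny access to all
    1 = 'SFS-vpn_systems'         # SYSTEMS
    2 = 'SFS-vpn_HR'              # GROUP-HR
    3 = 'SFS-vpn_CMS'             # GROUP-CMS
    7 = 'SFS-vpn_AT'              # GROUP-AT
    8 = 'SFS-vpn_3rdParty'        # GROUP-3rdPARTY
}

function Get-VpnGroupChoice {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $memberOf = @()
    foreach ($entry in $VpnGroupMap.GetEnumerator()) {
        # -Recursive flattens nested groups, so indirect membership counts too
        $members = Get-ADGroupMember -Identity $entry.Value -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
        if ($members.DistinguishedName -contains $user.DistinguishedName) {
            $memberOf += [pscustomobject]@{ Priority = $entry.Key; AdGroup = $entry.Value }
        }
    }
    if ($memberOf.Count -eq 0) { return $null }   # not in any VPN-mapped group

    # Lowest number wins. A result with Priority 0 means the deny group applies,
    # whatever other groups the user is in.
    $memberOf | Sort-Object Priority | Select-Object -First 1
}

# Constructed placeholder ID; a real run uses the person's primary 9xxxxxxxxx ID
Get-VpnGroupChoice -SamAccountName '912345678'
```

Running this from ADUC's host under an ordinary read-only account is enough, since it only reads group membership. For very large groups (FACULTY-STAFF, for example) Get-ADGroupMember -Recursive can exceed the AD Web Services default member-count limit; for those, check the user's own group list instead of enumerating the group.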
Responsibilities of a Delegated Administrator

Each area that manages AD security groups must identify the AD delegated administrators assigned to manage the group. AD delegated administrators are responsible for:
- Checking for a current affiliation before adding members
- Reviewing membership monthly and removing members without a business need for access
- Granting access only to primary 9xxxxxxxxx IDs – no secondary or shared accounts are permitted
- Advising individuals that if they lose their current affiliation they will be automatically dropped
- Using a privileged P9xxxxxxx account to manage security groups that have access to Level 1 data
VPN Membership Request Review Procedure

- Determine if the individual has a current affiliation – student, staff, faculty or community member – and if not, advise the user to obtain an affiliation before the request can be processed
- Determine if the user already has VPN access, either through employee affiliation or through existing membership in a security group that provides VPN access
- Review the stated reason to determine whether VPN access is necessary; request additional information if needed

If VPN access is needed, the individual has a current affiliation, and the individual either has no existing access or requires a higher level of access:
- Add to VPN exception spreadsheet log
- Login using privileged P9xxxxxxx account and use Active Directory Users and Computers to manage group membership (Note: Legacy groups can be managed using Gateway until they are converted to be managed by privileged P9xxxxxxx accounts)
- Add the user to the appropriate security group
- Notify the user that the request is complete
VPN Membership Monthly Review Procedure

- Review the users in the security group monthly
- Identify those with no current affiliation or whose end date has been reached
- Notify the user that they need a current affiliation and that access will be revoked in 2 weeks if they do not obtain one. VPN access is restricted to individuals with a current status*
- Notify users who have automatic access because they are employees that the exception will be removed
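The monthly review steps above, as an added PowerShell example that is not the page's own tooling: it lists the recursive membership of one VPN access control group and flags accounts that are disabled, past their AD account expiration date, or not a primary 9xxxxxxxxx ID, so the delegated administrator knows which members need a removal ticket. It assumes the RSAT ActiveDirectory module; treating AccountExpirationDate as the review's "end date" and the all-digits-starting-with-9 pattern for primary IDs are assumptions, and affiliation itself still has to be checked against the campus source of record, since the page names no AD attribute for it.

```powershell
# Added example, not part of the original page. Assumes the RSAT ActiveDirectory
# module and read access to the group; run it under the privileged P9xxxxxxx
# account when the group protects Level 1 data, as the page requires.
Import-Module ActiveDirectory

function Get-VpnMembershipReview {
    param(
        [Parameter(Mandatory)][string]$AdGroup,   # e.g. 'SFS-vpn_CMS' from the mapping table
        [datetime]$AsOf = (Get-Date)
    )
    # -Recursive expands nested groups; only user objects can open a VPN session
    $members = Get-ADGroupMember -Identity $AdGroup -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, AccountExpirationDate
        $flags = @()
        if (-not $u.Enabled) { $flags += 'account disabled' }

        # Assumption: the review's "end date" is the AD account expiration date
        if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt $AsOf) {
            $flags += 'end date reached'
        }

        # Assumption: primary IDs are all digits and start with 9. Privileged
        # P9xxxxxxx and other secondary or shared accounts must not hold VPN access.
        if ($u.SamAccountName -notmatch '^9\d+$') {
            $flags += 'not a primary 9xxxxxxxxx ID'
        }

        $action = if ($flags.Count -gt 0) { 'review/remove' } else { 'keep' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Name           = $u.Name
            Action         = $action
            Reason         = ($flags -join '; ')
        }
    }
}

# Example run: one group's report, removal candidates listed first
Get-VpnMembershipReview -AdGroup 'SFS-vpn_CMS' |
    Sort-Object Action -Descending |
    Format-Table -AutoSize
```

Members that come back as 'keep' still need the affiliation check the procedure calls for; the report only narrows the list. Pipe the output to Export-Csv to attach it to the Footprints ticket that records the month's removals.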