VPN Users: ACTION REQUIRED! VPN migrating to MFA

UPDATE 4/26/19On May 1, between 7 and 8 a.m. Central, any new VPN connection will require a Fermilab Root CA certificate. VPN users must load the Root CA certificate on each device on which they use VPN by following the instructions below. If you do not have a properly configured certificate, you will receive an error message once you attempt to log in to the VPN system beginning May 1. 

 


The Fermilab VPN system will be migrated to use multi-factor authentication (MFA) over the next several months. In order to continue using the Fermilab VPN system in the future, you will need to take action. The first step is outlined below.

 

WHAT IS THE IMPACT TO YOU?

The first step for the migration is for VPN users to load the Fermilab Root CA certificate and configure it to be trusted for SSL connections.  This step will not affect the way you are using the current VPN system. For now, you can continue using the current VPN system as usual.

 

WHAT DO YOU NEED TO DO?

Individuals who have centrally managed Windows or Mac computers should have the certificates installed already. It’s important that you test this by executing the following steps:

  1. Open your AnyConnect VPN application
  2. In the “Connect” field, type “vpntest.fnal.gov
  3. Click the Connect button.

No need to log in. If the certificate is installed correctly, you will be prompted to log in but do not need to do this. You should NOT see any warnings about connecting to an untrusted site.

 

If you do see a warning, or if you have a Linux machine or a non-centrally-managed device, follow the appropriate instructions for your device:

Windows computers: https://fermi.service-now.com/wp?id=kb_article&sys_id=KB0012906
Mac computers: https://fermi.service-now.com/wp?id=kb_article&sys_id=KB0012919
Mobile devices: https://fermi.service-now.com/wp?id=kb_article&sys_id=KB0012905
Linux: https://fermi.service-now.com/wp?id=kb_article&sys_id=KB0012914

 

Once you have successfully tested the new Fermilab CA root certificates, you can continue to use the current VPN.FNAL.GOV system as usual until next steps in the migration process are announced.