If you use VPN, you need to read this

Irwin Gaines

A few months ago, I wrote about the fact that we will soon require the use of multifactor authentication (MFA) for VPN. This means that, in addition to your Services account username and password, you’ll need to use one of the varieties of MFA tokens that will soon be issued to VPN users.

I also wrote that, as a first step in migrating VPN to use MFA, VPN users needed to make sure they had what is called a Fermilab Root CA certificate installed on every device on which they use VPN to access the lab network and that they should test that the certificate is working now to avoid problems using VPN in the future. If you have not done these things, you need to do them now.

Beginning April 15, if you do not have a properly installed and configured certificate, you will receive an error message when you attempt to log in to the VPN client.

If you have a centrally managed Windows or Mac device, the Fermilab Root CA certificate should already be installed, and you just need to test that it is working properly. If you use VPN on any other devices (phones, tablets, home laptops, etc.), you’ll need to install and configure the certificate on those devices, too. Instructions on how to test, install and configure the certificate are available in this article.

The next step for the VPN transition is to issue MFA tokens to those who do not already have them. Those who already have RSA tokens (hardware or software) will be able to continue to use them for VPN. Those without tokens will be issued a token (hardware or software). Some current users of RSA tokens (mainly, those that need to access lab’s financial applications) will be required to use a Yubikey, which has enhanced security features.

Tokens are expected to be issued from April through June. Each VPN user will be notified about when and how they can get their token and how to use it. Once most VPN users have received their tokens, most likely in late summer, we will disable non-MFA use of VPN.

To help ease the transition, be sure to test, and if necessary, install your Fermilab Root CA certificate on every device now.

Get ongoing news and information about MFA at the MFA at Fermilab website at http://computing.fnal.gov/mfa.