These are instructions for OUAs to manage access to the BSD VPN for their Departments.

In order to grant access, you need to set the AD account attribute msNPAllowDialIn to “True.” This setting can be made via the Dial-in tab within ADUC or by using the Attribute Editor (screenshot below). A script can be provided upon request (security@bsd.uchicago.edu) that will enable VPN for all accounts within your OU, if you wish to go that route.

The default setting of the msNPAllowDialIn attribute is “Not Set”, which the BSD VPN system interprets as “Not Authorized”. If you wish to explicitly deny BSD VPN access to an account, set the msNPAllowDialIn attribute to “False.” This can be set now, or at any time in the future, such as in cases of termination or suspected account compromise.

In addition to the above two methods of restricting BSD VPN access controlled by an OUA, a third method is controlled by the BSD Information Security Office, using an AD Group called “BSD$ Deny VPN Access”. If an account is placed within this group, the BSD VPN system will interpret access as “Not Authorized,” regardless of the setting in msNPAllowDialIn.
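The following PowerShell is an added example, not the script offered by the Information Security Office. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder OU path; it reports the effective VPN state of every user in an OU by applying the three rules above (attribute True, Not Set/False, and membership in the ISO deny group), and sets the attribute for a single account.

```powershell
# Added example (not the BSD ISO script). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OU        = 'OU=ExampleDept,DC=example,DC=org'   # placeholder: replace with your Department's OU
$DenyGroup = 'BSD$ Deny VPN Access'               # ISO-managed deny group named in these instructions

# Report the effective VPN authorization for every user in the OU.
function Get-BsdVpnStatus {
    param([string]$SearchBase = $OU)

    # Members of the deny group are Not Authorized regardless of the attribute.
    $denied = @{}
    Get-ADGroupMember -Identity $DenyGroup -Recursive |
        ForEach-Object { $denied[$_.distinguishedName] = $true }

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties msNPAllowDialIn |
        ForEach-Object {
            $attr = $_.msNPAllowDialIn
            $setting = if ($null -eq $attr) { 'Not Set' } elseif ($attr) { 'True' } else { 'False' }
            # Not Set and False both mean Not Authorized; only True grants access.
            $effective = if ($denied.ContainsKey($_.DistinguishedName)) { 'Not Authorized (deny group)' }
                         elseif ($attr -eq $true) { 'Authorized' }
                         else { 'Not Authorized' }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                msNPAllowDialIn = $setting
                EffectiveAccess = $effective
            }
        }
}

# Grant ($Allow $true) or explicitly deny ($Allow $false) VPN access for one account.
# Supports -WhatIf so the change can be previewed before it is written to AD.
function Set-BsdVpnAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][bool]$Allow
    )
    Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialIn = $Allow }
}

# Example usage:
# Get-BsdVpnStatus | Format-Table
# Set-BsdVpnAccess -SamAccountName 'jdoe' -Allow $true -WhatIf
```

Run Get-BsdVpnStatus after any change to confirm the account shows “Authorized”; an account that still shows the deny-group reason must be handled by the Information Security Office.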

Please Note: The dial-in tab within ADUC is not turned on by default. The program files which enable this tab are also available upon request.


Quick Tip: Most of the time when users have connection issues, it is because the msNPAllowDialIn attribute wasn’t properly set. In those cases, the user will see a prompt like the one below (red text). You can fix this simply by editing the attribute to “True” or by setting the Dial-in tab to “Allow access.”