End User FAQs:
Q: Is everyone allowed to use VPN?
A: An individual must be authorized for NIHnet VPN services. An IC Administrative Officer (AO) authorizes VPN access using the NIH Enterprise Directory (NED). Please contact your AO to determine the VPN authorization process for your IC.
Q: Can I test my VPN connection while at my NIH Office?
A: Yes, you can test your Remote Access VPN connection when connected to the NIH network. Your machine has to be connected using the wired network. Because we have a separate Wireless VPN system, you cannot test Remote Access VPN connection using the NIH wireless network.
Q: Why do I need to upgrade the VPN client?
A: The old VPN client does not support PIV card 2-factor authentication properly. The majority of the NIH community will use the PIV card to log in to the Remote Access VPN.
Q: How will I get the new VPN client?
A: Your IC technical support group will coordinate installation of the VPN client.
Q: What is a PIV card?
A: A PIV card is the NIH-issued badge and smart card containing Personal Identify Verification (PIV) Information. This FAQ will refer to the NIH badges as PIV cards.
Q: What is 2-factor authentication?
A: The access given by the PIV smart card is termed "2-factor authentication" because it includes:
- Something you know, like a PIN or a password, and
- Something you have, like a smart card or SecureID token
Q: How do I know if my computer is ready for PIV authentication?
A: All computers will require a PIV card reader. Most new laptops already have built-in card readers, and many AOs have already begun purchasing external card readers for older systems and desktops. If you do not have a card reader for your computer, see your AO or appropriate procurement person.
Q: What should I do if I forget my PIN?
A: If you forgot or need to change your PIN, go to http://idbadge.nih.gov/badge/resetting.asp. Your IC may also have purchased a badge maintenance workstation to allow users to reset their own PIN more easily.
Q: What is CIT doing to support users who cannot use or do not have PIV cards?
A: At present, CIT is planning on offering SecurID tokens for users who cannot use PIV cards. CIT is investigating supporting other government-issued smart card devices but presently only NIH issued PIV cards are supported.
Q: Will the Onsite Wireless VPN require 2-factor authentication?
A: No
Technical FAQs:
Q: What does an IC need to do to prepare for the transition to 2-factor VPN?
A: Most NIH users will have an NIH-issued PIV card, and it is expected that they will use those cards for VPN login.
For PIV card users, an IC will need to:
- Ensure that the user's laptop has a smart card reader, and the necessary middleware, such as ActivClient, to read the certificate off the card.
- Ensure that the user's laptop has the updated VPN client, available on ISDP (see link below)
If an IC has users who do not have an NIH-issued PIV card to log in to the Remote Access VPN, those users will need to have an NIH-issued SecurID token. Procurement procedures for the SecurID tokens are being developed and will be shared when finished. Each IC will need to identify at least one person who can authorize users to receive SecurID tokens, and authorize billing for the tokens.
Q: What operating systems have CIT tested with the new VPN client?
A: CIT has confirmed that the new client works on:
- Windows: XP, Vista 32- and 64-bit, 7 32- and 64-bit
- Macintosh OS X: 10.5 and 10.6
On windows 7 64-bit, CIT has seen problems with interactions between the ActivClient middleware and the Cisco VPN client. However, Windows 7 can read smart cards natively, so if the ActivClient middleware is not needed for some other application, CIT recommends removing it for Windows 7.
Q: What are the differences between new and previous VPN client?
A: Aside from handling smart card authentication properly, the main technical difference between the old and new client is that the new client uses SSL as its transport technology, while the old client used IPSec. One primary advantage of the new client is that it natively supports 64-bit windows, which was lacking in the old client. Another advantage of the new client is that the new client will automatically update itself when it connects to the NIH VPN server, so security patches for the new client can be handled transparently to both the user and the IC.
Q: In the files on ISDP, there are three files in the client Zip file, and 2 client profiles. What are they all for?
A: In the Zip file, the three files are all part of the VPN client. One is the client itself, one is a logging/troubleshooting component (named "Dart") and the last is the plugin to allow the VPN client to start before the user logs into the system. We included all three separately to allow ICs with distinct package management systems to deploy them as they felt appropriate.
The 2 profiles are there to address a usability concern. One profile is targeted at users who will use PIV cards to log in (named "profile_PIV.xml"). The other is for people who will use SecurID or some username/password field to log in (named "profile_PW.xml"). A user can use a SecurID token or username/password if they have the PIV card profile, but the Cisco client will always challenge them for a PIV card *first* with that profile, and the users would have to cancel out of PIV PIN challenge. Some users found that confusing, so CIT developed a profile to remove that challenge.
Q: How do ICs migrate their users to use only 2-factor authentication for VPN?
A: The method to migrate a user to require 2-factor authentication for VPN will be to change the user's VPN group membership in NED. CIT has created copies of every VPN group presently in use, and configured their systems so that users in the new groups will use 2-factor authentication. CIT has copied all existing VPN users into the new groups, so at present all NIH users *can* use 2-factor authentication, but are not required to. ICs will migrate their users to require 2-factor authentication by using NED to remove their users from the old VPN groups, leaving them in the new 2-factor VPN groups. The new groups are named identically to the old ones, but with "-svpn" appended to their name. It is presumed that IC AOs will be involved in this process, and a message explaining the process will be sent to the AO community.
Q: Should the VPN software load before login?
A: CIT recommends that the VPN software load before the user logs in on Windows, though we are leaving that up to the IC to determine for themselves. The reason for this recommendation is that Windows will establish the user's domain credentials when the user logs into the system, and will not reload those credentials when a user VPNs into NIH. So, a user who is working from home will not establish proper domain credentials if they log in to their system before logging into the VPN, and will not get many of the benefits of automatic Windows authentication to some applications, such as SharePoint.
Q: Where should I look for additional information or have more questions?
A: The Office of the Chief Information Officer has a website devoted to smart card information that you may find useful- http://smartcard.nih.gov. In addition, feel free to contact the NIH IT Service Desk:
- http://itservicedesk.nih.gov - 301-496-4357
- 866-319-4357
- 301-496-8294 (TTY)
