SF State provides a secure VPN for faculty and staff to access protected on-campus resources.
( Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco) Cisco ASA/ Anyconnect with 2FA Identity sources such as RSA secure ID for remote access/off campus support; Anyconnect NAM (unique chaining scheme) for on-campus. Note that there are other multi-factor solutions that work with ISE, but are transparent to ISE. Push-based 2FA It confirms a user's identity with multiple factors of authentication that other methods cannot. Because push-based 2FA sends notifications through data networks like cellular or Wi-Fi, users must have data access on their mobile devices to use the 2FA functionality. Since the Cisco AnyConnect application does not support the inline Duo Prompt to choose your authentication method, this is handled with the Duo Append Mode. Append Mode by default will send a push notification to your default device, but allows you to choose from our other supported 2FA methods including a passcode, phone call, or push to. Featured Personal Purchase Products. The featured products below represent only a handful of the 350+ software titles offered through WebStore. Login to see the products you are eligible to purchase. After the reboot, go to your home computer's Windows Start Menu, search for Cisco AnyConnect VPN Client and open the program The AnyConnect window will come up and indicate that the VPN is 'Ready to connect'.
- VPN Access Control and Authorization (VPN Management)
Please note, this document pertains to the new GlobalProtect VPN service implemented June 5th, 2020. If you experience issues or discover a previously available service is not accessible via VPN, please report the issue to [email protected].
When to use VPN
SF State’s VPN has two purposes: It enables campus users to send and receive data across a public network as if their device is directly connected to the campus network, and adds Two-Factor Authentication (2FA) for high security services. VPN is needed:
- When accessing a service restricted to use on campus networks or subnets. Examples: Departmental shares/servers, OnBase, Appworx, Windows/Office authentication, and Active Directory access
- When accessing services that store Level 1 data (two-factor authentication required). Example: Departmental secure shares
- When administering servers/applications. Examples: SSH, Oracle, and server maintenance
- By PeopleSoft developers with privileged access
VPN can be installed on personal computers, but if you are planning on accessing Level 1 data, the following security requirements must be in place:
- All devices used (e.g., laptops, desktops, tablets, mobile devices) are at current patching levels and have anti-malware installed/enabled with no active virus infections or malware
- Users must connect to Level 1 data using Two-Factor Authentication (2FA) and VPN only
- Devices are configured to lock after 15 minutes of inactivity
- Level 1 data does not get sent/downloaded to locations outside of existing approved Level 1 data repositories (e.g., PeopleSoft applications such as Common Financial System (CFS), Campus Solutions (CS), and Human Resources (HR); OnBase; Secure File Shares; Student Health Services (SHS) systems)
NOTE: Before VPN access is granted, completion of the Data Security and FERPA annual training is required and will be validated.
VPN Security Groups
Current faculty and staff are automatically included in the FACULTY-STAFF security group. For access to other groups, the SF State Virtual Private Network (VPN) Account Authorization request should be completed. For more information regarding specific VPN groups, refer to the VPN Access Control and AuthorizationTo view PDF files, please download Adobe Reader.
NOTE: A SF State ID is required to use VPN. For vendors who do not have a SF State ID, the sponsoring department should contact Human Resources for Community Member credentials before completing the SF State Virtual Private Network (VPN) Account Authorization request on the vendor's behalf. Community Member credentials must be renewed annually. To view PDF files, please download Adobe Reader.
PAN GlobalProtect Agent Installation - Windows/Apple/iOS devices
Users on a Managed Machine
Cisco Anyconnect And 2fa
PaloAlto Networks GlobalProtect is a standard software installation. You will see the software in the Application Menu (Windows).
Managed Windows Users
Install Using the Microsoft Software Center: (note the Software Center is not available for machines that are not managed)
1. First connect to Cisco AnyConnect. You will not be able to download software unless you are first connected to VPN using Cisco AnyConnect.
2. Click the Start Menu
3. In the tile menu, select Software Center
4. In the Application Menu, click the GlobalProtect icon
5. GlobalProtect will install
6. The application will open when the installation is complete
Software Installation Service Request
If you are prompted for an administrator password, create a Software Installation Service Request for your IT support team.
The URL for “Software Installation Service Request” is:
https://sfsu.service-now.com/sp?id=sc_cat_item&sys_id=f2016d06db862bc009...
https://sfsu.service-now.com/sp?id=sc_cat_item&sys_id=f2016d06db862bc009...
PAN GlobalProtect Agent Installation - Personal Computers / Users with Administrative Rights
First-time Installation
Download and Install the GlobalProtect Client
- Disconnect from Cisco AnyConnect
- Navigate your web browser tohttps://gp.sfsu.edu
- Enter your SF State ID
- Enter your SF State Password
- Click Login
- Enter your DUO password if prompted
- Once prompted with the Download (manual installation) step, download the GlobalProtect agent installer and run it to install the agent.
Note: if you aren't sure which version to install, right click on your windows menu and select System, then look at the System type
How to log into GlobalProtect
- Launch the installed GlobalProtect software
- Enter gp.sfsu.edu in the Portal Address box and click Connect
- Enter your SF State ID
- Enter your SF State Password
- If prompted, enter your DUO password
GlobalProtect VPN for Linux
Install GlobalProtect for Linux
- The Global Protect Linux Client can be found at: https://sfsu.app.box.com/
GlobalProtect VPN for iPhone/iPad
Install GlobalProtect for iPhone/iPad
- Open the App Store app
- At the bottom of the App Store screen, click on Search, and type GlobalProtect in the search box. When it appears in the list, tap GlobalProtect
- Tap Get, then tap Install to download the GlobalProtect app
- When prompted,enter your Apple ID & Password
- Once the application is installed, tap Open to open the application
- Enter gp.sfsu.edu as the Portal Address
- Tap Allow when prompted that GlobalProtect would like to add VPN configurations to your device
Run GlobalProtect for iPhone/iPad
- Open the GlobalProtect App
- Duo Authentication users: If you use the same iPhone/iPad for Duo, get your Duo credential before entering your ID and Password
- Enter your SF State ID
- Enter your SF State Password
- Complete your Duo Authentication
- To disconnect, tap the shield icon
GlobalProtect VPN for Android
Install GlobalProtect for Android
- Open the Play Store app
- At the top of the Play Store screen, click on Search, and type GlobalProtect in the search box. When it appears in the list, tap GlobalProtect
- TapInstall to download the GlobalProtect app
- When prompted,select Skip to finish installation, there is no need to setup 'in-app purchases'
- Once the application is installed, Reboot your device
Run GlobalProtect for Android
- Open the GlobalProtect App
- Duo Authentication users: If you use the same Android device for Duo, get your Duo credential before entering your ID and Password
- Tap Allow when prompted that GlobalProtect would like to add VPN configurations to your device
- Enter your SF State ID
- Enter your SF State Password
- Complete your Duo Authentication
- To disconnect, tap the shield icon
Contact your system administrator if you have an issue that isn't listed here.
I need to reactivate Duo Mobile
If you get a new phone you'll need to re-activate Duo Mobile. You may enroll your new device yourself using Duo's device management portal if self-service is enabled. Otherwise, ask your administrator to send you a new activation link.
Choose your platform on the left for specific activation instructions.
If your administrator enabled Duo Mobile's backup and restore functionality and you previously backed up your Duo Mobile accounts then you can restore your accounts to Duo Mobile on your new phone (same platform as the original device i.e. Android to Android and iOS to iOS) via the guided recovery process. See the full Duo Restore guide here.
I have stopped receiving push notifications on Duo Mobile.
You may have trouble receiving push requests if there are network issues between your phone and our service. Many phones have trouble determining whether to use the WiFi or cellular data channel when checking for push requests, and simply turning the phone to airplane mode and back to normal operating mode again often resolves these sort of issues, if there is a reliable internet connection available. Similarly, the issue may be resolved by turning off the WiFi connection on your device and using the cellular data connection.
Check the time and date on your phone and make sure they are correct. If the date and time on your phone are manually set, try changing your device's configuration to sync date and time automatically with the network.
iOS users can run a troubleshooting tool from within Duo Mobile version 3.32.0 or later. To run the tool:
- Open the Duo Mobile app on your iOS device and tap the Edit button in the top left of the accounts list screen, then tap the name of the account for you aren't receiving push requests.
- Next, tap the Get Started button in the 'Missing Notifications?' section of the the 'Account Details' screen.
- Duo Mobile performs the test. If any step fails, you'll receive further troubleshooting suggestions. After taking the suggested actions, tap **Run test again* to retry.
The steps that Push Troubleshooting performs automatically are as follows:
- Check device settings.
- Check internet connectivity.
- Check that the device can contact Duo's cloud service.
- Attempts to send a test Duo Push notification.
Should none of these actions help, see the Duo Knowledge Base for additional iOS and Android troubleshooting steps.
If you can't get Duo Push working on your own and your administrator has enabled Duo's device management portal, you can log in with a passcode generated by the Duo Mobile app and send a new activation link to your phone. See the My Settings & Devices guide for instructions.
If you've tried the suggestions here but can't get Duo Push working or reactivate your device yourself, please contact your organization's Duo administrator to request reactivation of Duo Mobile.
I lost my phone.
Contact your Duo administrator immediately if you lose your phone or suspect that it's been stolen!
If your organization enabled Duo's self-service feature and you had previously enrolled a second authentication device you can use My Settings & Devices to delete your lost or stolen phone.
If you aren't able to log in to Duo at all then your Duo administrator can disable the missing phone for authentication and help you log in using another method.
While it's important that you contact your administrator if you lose your phone, remember that your password will still protect your account.
I use Duo Mobile to generate passcodes for services like Instagram and Facebook, and I can't log in.
![Anyconnect Anyconnect](https://community.cisco.com/legacyfs/online/legacy/9/2/3/145329-VPN client version.jpg)
You can use Duo Mobile to generate passcodes for use with third-party services like Instagram, Facebook, Snapchat, and others. When setting this up, you likely logged into those sites, visited the security settings for your account, and scanned a barcode provided by that site with Duo Mobile.
Duo does not have access to your third-party accounts or account credentials, so our Support Team is unable to help if you become locked out of these accounts.
If the application provided recovery codes to you when you enabled two-factor authentication, use a recovery code to log into the application, then visit the security settings where you first set up 2FA to restore Duo Mobile passcode access.
If you previously enabled Duo Restore for third-party accounts and made a backup, you can restore the account to your device.
If you don't have a Duo Mobile backup to restore or you experience some other issue logging in, please refer to the documentation for the application you're trying to log in to or contact the support team for that application for more help.
See the article What do I do if I’m locked out of Instagram, Facebook, or another third-party Duo Mobile account? in the Duo Knowledge Base for additional information.
My hardware token stopped working.
Contact your administrator if your token stops working or if you can't log in with the passcodes it generates.
Your token can get 'out of sync' if the button is pressed too many times in a row and the generated passcodes aren't used for login. In some cases this can happen by accident if the token is stored next to other objects in a pocket, backpack, etc. Your administrator will ask you to generate three passcodes in a row and can attempt to resynchronize the token.
I am running iOS 10 and I am not able to install the current version of Duo Mobile from the App Store on my device.
The minimum supported operating system version for Duo Mobile 3.29.0 and above is iOS 11.
iOS 10 users may download the last Duo Mobile version compatible with that iOS version (3.28.1) via Apple's TestFlight program.
- You'll need to install the Apple TestFlight application on your device.
- Once you have TestFlight installed, tap this link and then tap Install to install Duo Mobile 3.28.1 on your iOS 10 device.
Contact your administrator if further assistance is required.
I am using Microsoft Internet Explorer and the Duo Prompt does not display correctly.
For the best results we do not recommend using Internet Explorer's Compatibility View with Duo authentication. You may be able to turn off Compatibility View yourself.
From the Address bar:
If the Compatibility View button displays in the Address bar to the right of the page address, you can click the button to exit Compatibility mode.
From the Internet Explorer Tools Menu:
In the Internet Explorer browser window press the Alt key to display the menu bar. Navigate to Tools → Compatibility View settings and make one or more of the following changes:
- Remove the website where you use Duo authentication from the 'Websites you've added to Compatibility View'
- Uncheck the 'Display all websites in Compatibility View' option if present and enabled.
- Uncheck the 'Display intranet sites in Compatibility View' option.
Click the Close button to save your change.
Contact your administrator if the Duo Prompt continues to display incorrectly.
Cisco Anyconnect 2fa Options
Other issues
Cisco Anyconnect 2fa
Please check our knowledge base or contact your system administrator if you have an issue that isn't listed here.