Provisioning VPN User Accounts

Written by Cassa Niedringhaus on April 6, 2020


With the sudden shift to a work-from-home model for many organizations, IT admins have scrambled to provide IT resource access to remote users. One such resource is the virtual private network (VPN), which establishes a secure “tunnel” between two points. The VPN connects users to internal corporate networks and encrypts their data if they work on insecure WiFi networks. The challenge, though, is how best to provision VPN user accounts for remote users.

Two VPN Use Cases for Remote Workers

1. VPN for Active Directory

In on-premises domains, like that of Active Directory®, remote and distributed workers need to use a VPN to securely access the internal network. The VPN supports an encrypted connection that helps establish a direct connection with AD to authenticate a user’s access to the domain and subsequently their IT resources. They also need to ensure that a VPN connection is active to reset their core AD passwords, which is critical for organizations that enforce password rotation or expiration policies.

2. VPN to Secure Network Traffic

Even if IT organizations use directories that do not require a VPN to access domain-bound IT resources — like cloud directory services — they can still benefit by providing users with VPN access for other uses. Although users should avoid working on public or otherwise unsecured WiFi networks, admins can advise them to use a VPN if they absolutely need to do so while working remotely. That way, at least, their data is encrypted and harder to access.

In either case, admins can adhere to several best practices when they provision VPN user accounts.

VPN Provisioning Best Practices

Ideally, the VPN is connected to the core directory service so that IT admins don’t have to manually provision VPN user accounts that are managed separately from core user accounts. More often than not, though, VPNs aren’t connected to the core directory and therefore require manual provisioning and deprovisioning, which can be tedious and pose various security risks. Users might pick insecure passwords or repeat passwords from other services, and IT departments have to manage another mini directory for the same users, in essence.

VPNs should also be protected with multi-factor authentication (MFA) to guard against phishing, credential stuffing, and other attacks.
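The risks described above (VPN accounts managed apart from the core directory, and VPN access without MFA) are the kind of thing an admin can audit periodically. The following script is an added example, not code from the original article or from JumpCloud: it reconciles a constructed list of local VPN accounts against a constructed directory export and flags orphaned accounts (no enabled directory user behind them), accounts without MFA, and accounts unused for longer than a threshold. The field names and sample data are assumptions for this example, not any real export format.

```python
from datetime import date, timedelta

# Constructed sample data (assumed field names, not a real VPN export):
# local VPN accounts with MFA enrollment state and last successful login.
VPN_ACCOUNTS = [
    {"user": "alice", "mfa": True,  "last_login": date(2020, 4, 1)},
    {"user": "bob",   "mfa": False, "last_login": date(2020, 3, 30)},
    {"user": "carol", "mfa": True,  "last_login": date(2019, 12, 1)},
    {"user": "dave",  "mfa": True,  "last_login": date(2020, 4, 2)},
]

# Constructed directory export: username -> enabled flag.
DIRECTORY_USERS = {
    "alice": {"enabled": True},
    "bob":   {"enabled": True},
    "carol": {"enabled": False},  # left the company; directory account disabled
    # "dave" has no directory entry at all: a VPN-only identity nobody deprovisioned
}


def audit_vpn_accounts(vpn_accounts, directory_users, today, stale_days=90):
    """Return {finding: sorted usernames} for three deprovisioning/MFA checks.

    orphaned: VPN account with no enabled directory user behind it
    no_mfa:   VPN account not enrolled in multi-factor authentication
    stale:    VPN account with no login for more than stale_days
    """
    findings = {"orphaned": [], "no_mfa": [], "stale": []}
    for acct in vpn_accounts:
        user = acct["user"]
        entry = directory_users.get(user)
        if entry is None or not entry["enabled"]:
            findings["orphaned"].append(user)
        if not acct["mfa"]:
            findings["no_mfa"].append(user)
        if today - acct["last_login"] > timedelta(days=stale_days):
            findings["stale"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample_audit():
    """Run the audit over the constructed data as of 2020-04-06."""
    return audit_vpn_accounts(VPN_ACCOUNTS, DIRECTORY_USERS, date(2020, 4, 6))


if __name__ == "__main__":
    for finding, users in run_sample_audit().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

Where the VPN is bound to the directory via RADIUS or LDAP, the "orphaned" check becomes moot because disabling the directory user cuts VPN access at once; the MFA and stale-account checks remain useful either way.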

Solutions exist so admins can link their VPN infrastructure to their directory service without spinning up a RADIUS server or using any other additional on-prem equipment. JumpCloud® Directory-as-a-Service® offers both cloud RADIUS and LDAP functionality to integrate with a variety of VPN solutions, as well as MFA for RADIUS to protect VPN access.

JumpCloud can either serve as an organization’s core directory or act as a comprehensive identity bridge to extend AD to virtually all IT resources. With JumpCloud’s Active Directory Integration feature, AD admins can federate AD identities to their VPN and ensure users enter the same core credentials to access their domain-bound resources and their VPN. Click here to learn more about how a VPN can serve as one piece of a toolkit for a remote workforce.
