The Berkeley Lab virtual private network (VPN) will require multi-factor authentication (MFA) starting on October 11, 2022. The change will improve security for the Lab’s information systems.
Users can switch anytime between now and the October 11 deadline to the new multi-factor system. Non-multi-factor authentication will not be allowed after the final switch date. We strongly recommend that users switch as soon as possible. As user move to the new system, fewer resources will be devoted to the old system and capacity in the old system will be reduced.
What is VPN and do I need to use it?
The LBL-VPN allows computers and devices to act as if they were inside the Berkeley Lab network. There are some resources, such as servers, instruments, and workstations, which require a VPN connection.
Many resources like keyplans.lbl.gov, fms.lbl.gov (including eBuy and Trex), and other systems no longer require VPN for access. Check with the administrator of a specific site or system if you have questions regarding their VPN requirements.
How do I switch?
Users have a choice of three ways to switch to using MFA. Once the switch is completed, the settings will persist and no further action is needed. You can do any one of these three and only one is needed:
- Change the destination to mfavpn.lbl.gov in the existing Cisco AnyConnect client. If mfavpn.lb;l.gov or LBL-MFA-VPN does not appear pre-populated in the drop-down the first time you can type the new hostname.
- or, Visit mfavpn.lbl.gov to download the latest Cisco VPN client.
- or, Visit software.lbl.gov and download the new profile for your existing client.
How can I check my access to the VPN?
If you have been to the VPN Page of software.lbl.gov and installed Cisco AnyConnect, then you have access to the VPN. If you are starting the AnyConnect client and logging in, then you’re using the VPN. When the VPN is active, the AnyConnect client will show a “Connected” status. If you have not been using the AnyConnect client, you will need to start using it to maintain access to LBL-VPN.
When are the changes happening?
You can start using the new MFA-based VPN today. MFA will be required starting on October 11, 2022 when the old system is turned off.
What if I don’t use AnyConnect?
The Lab’s VPN will no longer support clientless connection or IPSEC connection. If you have been using the Mac OS native client, an IPSEC-based client, or any method other than the AnyConnect client, you will need to switch in order to maintain your access. Only the Cisco AnyConnect client will be supported in order to use the Lab VPN.
Are there features no longer supported?
The LBL-VPN will no longer allow
- IPSEC connections
- MAC OS native clients
- Start before Logon
If losing access to any of these features will negatively impact your work, please contact lblnet at firstname.lastname@example.org so that we can assist you.
Need more help?
If you need assistance installing or accessing the MFA VPN, please contact the IT Help Desk at email@example.com.
If you have questions about a specific site or system, check with the administrator of that system to see if VPN is still required.