Employee VPN access

Summary

Winona State University Information Technology Services provides employee VPN access to those working from off-campus locations. To maintain data security, access to some online systems and services requires a direct connection to our private campus network. Using our virtual private network (VPN), employees working remotely can emulate this direct, private connection and access these services as if they were on campus. Most employees do not need a continuous VPN connection when working remotely. Employees cannot establish a VPN connection using a personally-owned device and must use multi-factor authentication to verify their credentials when connecting to our VPN.

Information Applies to

Faculty, Staff

Setting up VPN in the Authenticator App

Employee access to our VPN requires multi-factor authentication. This must be set up before you connect to our VPN for the first time. Follow the steps below:

Install the Microsoft Authenticator app

If you have not installed the Microsoft Authenticator app on your smart phone.

• Apple App Store
• Google Play Store

Add your VPN account to Microsoft Authenticator

This step must be completed while on the Winona or Rochester campus. Please use Google Chrome to complete this step. There are known issues with other browsers.

Read the instructions carefully before logging in and make sure your Microsoft Authenticator is open on your smart phone or mobile device. 

1. If using a Winona State University laptop, you must be connected to the WAZOO or WSU wireless network. You can also complete this step using your office desktop with a secure wired network connection.
2. Use Chrome to go to the VPN enrollment site at https://otp.winona.edu/enroll.
3. Enter your StarID (e.g., ab1234cd) in the Username field and select Submit.
4. Enter your StarID password and select Submit.
   • If the screen has a YubiKey or Oath passcode field and you don't have Winona Online or VPN on your authenticator already, you will not be able to log in. Contact Tech Support to assist you further.
5. Open Microsoft Authenticator on your phone or tablet, tap Add Accounts, then Work or School account. The app will ask for permission to use your camera, tap Allow.
6. On your computer, select the Add OATH Token button.
7. Select the radio button next to Online then select Add. You will be presented with a QR code and a manual code.
8. On your smart phone, scan the QR code on your computer screen. Your account will be added to the app.
9. IMPORTANT: You must select the Done button on your computer screen to complete the enrollment process. If you don't select Done in 60 seconds, the process will have not set the codes up properly. 
10. Close and reopen Microsoft Authenticator to ensure that the Winona online account was added. Select that account to see a rolling one-time password. You will use that to verify your VPN credentials. Note that you may have other accounts listed in your authenticator app with their own rolling codes.

• Pro tip: Rename the Winona online account to VPN or WSU VPN to find it easier when you go to use it. 

Installing Cisco AnyConnect Secure Mobility Client

Cisco AnyConnect Secure Mobility Client is the program Winona State University uses for VPN. We don't preinstall the program anymore on campus devices. If you can not find Cisco AnyConnect Secure Mobility Client on your laptop, you can install it from our network. 

• Company Portal on Windows - for most employee laptops received after the Summer of 2025.
• Software Center for Windows - for most employee laptop received before the Summer of 2025. 
• Managed Software Center for Mac

Connect to the VPN

VPN will not work on the Winona State campus networks: WSU networks, warrior, WAZOO, and WSU Guest. You do not need the vpn network if you are on campus and can connect to these networks. This network does not provide you with a wireless network, you need to be connect to a wireless network to use the vpn. If you need to connect to the vpn network while on campus, either to test or log in for the first time, come to Tech Support or connect to the Eduroam network. 

Windows

1. Select Start and type "Cisco." Open the Cisco AnyConnect Secure Mobility Client when it appears. If the program doesn't appear, go back to the section Installing Cisco AnyConnect Secure Mobility Client.

2. Delete WSUtunnel.winona.edu if it appears and replace it with ot.winona.edu. Then select Connect.

• If your drop down menu is blank, Type ot.winona.edu on the drop down menu.

3. Select your Group from the drop-down list. If you do not know your group, choose grp_employee or contact Technical Support to find out what group you should use. 
4. Enter your StarID password in the Password field.
5. Open Microsoft Authenticator on your smart phone and select Winona Online or VPN account to get your rolling one-time password.
6. In the Username field, enter: your StarID-Microsoft Authenticator one time password (e.g., ab1234cd-042565). Do not forget the dash between your StarID and the one time password.
7. Select OK

Mac

1. Select the Spotlight Search icon in the upper right corner of your screen. Type "Cisco." Open the "Cisco AnyConnect Secure Mobility Client" when it appears. If the program doesn't appear, go back to the section Installing Cisco AnyConnect Secure Mobility Client.

2. Delete WSUtunnel.winona.edu if it appears and replace it with ot.winona.edu. Then select Connect.

3. Select your Group from the drop-down list. If you do not know your group, choose grp_employee or contact Technical Support to find out what group you should use.
4. Enter your StarID password in the Password field.
5. Open Microsoft Authenticator on your smart phone and select Winona Online or VPN account to get your rolling one-time password.
6. In the Username field, enter: your StarID-Microsoft Authenticator one time password (e.g., ab1234cd-123456). Do not forget the dash between your StarID and the one time password.
7. Select OK

Troubleshooting

Reminder that the VPN will not work on the Winona State campus networks. Tech Support can help you if you are unsure of your group or if you are experiencing issues connecting remotely.

These are the most common reason why a user experiences issues connecting to the vpn that they upgraded their devices.

• Smart Phone
  • If your Microsoft Authenticator app was not backed up and restored properly, you may not have the code for Winona Online or VPN account anymore. You will not be able to regenerate one on your own. Please contact Tech Support and we will assist you with getting a new code.
• Computer
  • Logging in the first time can be tricky to remember the network and group. Follow the steps from the Connect to the VPN section. Popular groups are employee and staff. 
  • Once logged in again, your information will be remembered.

Learn More

Need additional information or assistance? Contact WSU Tech Support by email or call 507.457.5240, option 1.