Endian banner

Authentication

This page shows three tabs, which allow to manage local Users, local Groups, and Settings for remote authentication.

Users

In this page, all users that have an account on the Endian 4i Edge Appliance’s VPN server are displayed in the table, and for each the following information is shown:

  • Name. The name of the user.

  • Remark. A comment.

  • Authentication server. The server used for the user authentication, which is either local (the Endian 4i Edge Appliance itself) or LDAP (an external LDAP server, configurable in the Settings tab).

  • Actions. The available operation that can be carried out on the account. For LDAP users they are Enable/Disable and Edit, for local users, there is also the possibility to Delete . Editing an LDAP user only allows to modify its local options, not of other data like username or password, which are entirely managed by the LDAP server.

Click on Add new local user above the table to add a new local account. In the form that will show up, the following options can be specified for each user.

Add new local user

Username

The login name of the user

Remark

An additional comment.

Authenticate using external authentication server

This checkbox is only visible if at least one external authentication server has been configured. Once it has been selected, the password input fields will disappear and the user will be authenticated by using the authentication servers chosen.

Password, Confirm password

The password for the user, to be entered twice. The passwords are actually not shown: To see them, tick the two checkboxes on their right.

One Time Password secret

This field contains the TOTP secret for the specific user. Due to the constraints in creating these secrets it is not possible to insert them manually but they must be generated by clicking on the Generate new secret button. A QR code representation of the secret can be displayed by clicking on the Show QR Code button.

Note

This option appears only if an authentication server of type One Time Password has already been added and configured in the Authentication settings.

One-Time Passwords

There are many different one-time password algorithms. On Endian 4i Edge Appliance systems the Time-based One-Time Password algorithm has been implemented as described in RFC 6238. Since this is an open standard applications exist for almost all devices (Android, iOS, and Windows smartphones, PCs etc.). To be able to use a device, it needs to be initialized with the One Time Password secret, which can be achieved by either entering the secret manually or even more easily by taking a picture of the QR code.

Certificate configuration

Select the mode to assign a certificate to the user. The available modes are selectable from the drop-down menu: Generate a new certificate, Upload a certificate, and Upload a Certificate signing request. Upon selection, below the drop-down menu appear the available options for each mode, which are described in the Certificates page.

Organizational unit name

The Organisation Unit to which the user belongs to, i.e., the company, enterprise, or institution department identified with the certificate.

Organization name

The organisation to which the user belongs to.

City

The city (L) in which the organisation is located.

State or province

The state or province (ST) in which the organisation is located.

Country

The Country (C) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.

Email address

The e-mail address of the user.

Group membership

In this part of the panel it is possible to assign membership to one or more groups to the user. In the search widget it is possible to filter existing groups to find matching groups. Group membership is added by clicking on the + on the right of the group name. Groups to which the user belongs are show in the textfield below. There are also shortcuts to Add all and to Remove all groups memberships at once.

Override OpenVPN options

Tick this checkbox to allow the OpenVPN protocol to be used. This option will reveal a box in which to specify custom option for the account, see below.

Override L2TP options

Tick this checkbox to show a box in which to choose the L2TP tunnel to be used, see below.

Note

This option can not be selected if no L2TP tunnel has yet been configured. In such a case, an informative message appears as a hyperlink: Upon clicking on it, the IPsec connection editor opens. Once done, it will be possible to allow a VPN user to connect using the L2TP Protocol.

Hint

The box for L2TP options will appear below the OpenVPN options box, if also OpenVPN option are to be overridden

Enabled

Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Endian 4i Edge Appliance.

OpenVPN Options

direct all client traffic through the VPN server

If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the Endian 4i Edge Appliance. The default is to route all the traffic whose destination is outside any of the internal zones (such as Internet hosts) through the client’s uplink.

Push only global options to this client

For advanced users only. Normally, when a client connects, tunnelled routes to networks that are accessible via VPN are added to the client’s routing table, to allow it to connect to the various local networks reachable from the Endian 4i Edge Appliance. This option should be enabled if this behaviour is not wanted, but the client’s routing tables (especially those for the internal zones) should be modified manually.

Push route to GREEN [BLUE, ORANGE] zone,

When this option is active, the client will have access to the GREEN, BLUE, or ORANGE zone. These options have no effect if the corresponding zones are not enabled.

Push only these networks

Write in this textfield which of the networks governed by the Endian 4i Edge Appliance should be pushes to the client.

Networks behind client

This option is only needed if this account is used as a client in a Gateway-to-Gateway setup. In the box should be written which networks lay behind this client that should be pushed to the other clients. In other words, these networks will be reachable rfrom the server and therefore from the other clients.

Static IP addresses

Dynamic IP addresses are assigned to clients, but a static IP address provided here will be assigned to the client whenever it connects.

Note

If the client connects to a multicore VPN server running on the Endian 4i Edge Appliance, this assignment will not be taken into account.

Push these nameservers

Tick the checkbox to assign custom nameservers on a per-client basis and write them in the underneath textfield. This setting (and the next one) can be defined, but enabled or disabled at will.

Push these domains

Tick the checkbox to assign custom search domains on a per-client basis and write them in the underneath textfield.

Note

When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. Using this solution, several possible sources for errors and conflicts will be avoided. Indeed, several advantages come for free, including: The automatic assignment of correct routes, without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.

L2TP Options

IPsec Tunnel

This drop-down menu allows to choose the tunnel that will be employed by the user, among those already defined.

Groups

In this page a table is displayed, which shows all the groups that are either defined on the Endian 4i Edge Appliance or on an external LDAP server. For each group the following information is shown:

  • Groupname. The name of the group.

  • Remark. A comment.

  • Authentication server. The server used for the user authentication, which is either local (the Endian 4i Edge Appliance itself) or LDAP (an external LDAP server, configurable in the vpnauthsettings tab).

  • Actions. The available operation that can be carried out on the account. For LDAP servers the only action is to Edit the local properties, while for local groups there is also the possibility to Delete the group.

Click on Add new local groups above the table to add a new local group. In the form that will show up, the following options can be specified for each group.

Group Name

The name given to the group.

Remark

A comment.

Users

In this part of the panel it is possible to assign users to the group. in the search widget it is possible to filter existing local users to find matching users. Users are added to the group by clicking on the + on the right of the username. Users in the Group are shown in the textfield below. There are also shortcuts to Add all and to Remove all users to/from a group.

Override OpenVPN options

Tick this checkbox to allow the OpenVPN protocol to be used. This option will reveal a box in which to specify custom option for the account, which are the same as those specified for the local users.

Override L2TP options

Tick this checkbox to show a box in which to choose the L2TP tunnel to be used from a drop-down menu.

Note

This option can not be selected if no L2TP tunnel has yet been configured. In such a case, an informative message appears as a hyperlink: Upon clicking on it, the IPsec connection editor opens. Once created a new L2TP tunnel, it will be possible to associate it to a user.

Hint

The box for L2TP options will appear below the OpenVPN options box, if also OpenVPN option are to be overridden

Enabled

Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Endian 4i Edge Appliance.

Warning

While the same user can be legally part of one or more groups, care must be taken that the groups the user belongs to do not define contrasting override options. As an example, consider a user member of two groups, one allowing access only to the GREEN zone, and one only to the BLUE. In this case, it is not easy to predict whether that user will be granted or not access to the BLUE or GREEN zone. The management of these issues is left to the manager of the OpenVPN server.

Settings

This page contains the current configuration of the authentication servers on which the Endian 4i Edge Appliance relies and allows for their management. Several authentication servers are available: LDAP/Active directory, Local, One Time Password, Radius and Split Data.

There are two tables in this page, one displaying information about Authentication servers, and one showing Authentication server mappings. In the former, this information is shown:

  • Name. The name given to the server

  • Type. Whether the server is a local or an external LDAP one.

  • Service. Which authentication is available for that server.

  • Actions. For local authentication, it is possible to enable/disable the server, to edit it, or to delete it. For LDAP servers there is also the ability to refresh the connection, for synchronising the users and groups.

The table at the bottom shows the correspondences between a service (e.g. IPsec XAuth, OpenVPN or L2TP) and the allowed type of authentication. The only Actions for the mappings is to Edit them. By clicking on Edit, a form will appear, in which a selector allows to select which authentication backends will be used for that service.

A click on the Add new authentication server link above the tables opens a form in which to supply all data to set up a new authentication server.

This form replaces the tables displaying the already defined authentication servers and allows to configure a new one, by specifying appropriate values for the following configuration options.

Name

The name given to the authentication server.

Enabled

Tick the checkbox to enable the server.

Type

Select the server type from the drop-down menu. The following options are available:

  • LDAP / Active Directory

    Choose this option to use an LDAP server to authenticate the users. The following options are supported for this type:

    LDAP server URI

    The URI of the LDAP server.

    LDAP server type

    This drop-down menu allows the choice of the type of the authentication server among Generic, Active Directory, or Novell eDirectory. Depending on this selection additional fields will be displayed or hidden.

    LDAP bind DN username

    The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.

    LDAP bind DN password

    The password of the bind DN user.

    The following options depend on the server setup and are used to identify which users and groups shall be granted access to Endian 4i Edge Appliance’s OpenVPN server: LDAP user base DN, LDAP group base DN.

    When using a Generic LDAP server type additional parameters must be configured: LDAP user search filter, LDAP user unique ID attribute, LDAP group unique ID attribute, LDAP group member attribute, LDAP group search filter.

    Limit to specified groups This option allows to select which groups on the LDAP server are allowed to connect to the Endian 4i Edge Appliance’s OpenVPN server.

  • Local

    Choose this option to create and manage users locally. The following option is available:

    Limit to specified groups

    This option allows to select which local groups are allowed to connect to the Endian 4i Edge Appliance’s OpenVPN server.

  • One Time Password

    By choosing this option, the two-factor authentication will be selected. Like the Split Data (User Information & Password) server type, this type of authentication works as a proxy for two different providers and additionally it will add two-factor authentication using time-based, one-time passwords. This type allows to select the sources for both the user information as well as the password providers. The fields that need to be configured are:

    User information provider

    Choose from this drop-down menu which provider supplies the user-specific information.

    Password provider

    Choose from this drop-down menu which provider supplies the passwords to be used for users’ authentication.

  • RADIUS

    Choose this option to configure a RADIUS server. Note that RADIUS servers can only be used as password providers in both One Time Password and Split Data authentication servers. To use a RADIUS server the following information must be defined:

    RADIUS server

    The address of the RADIUS server.

    RADIUS shared secret

    The shared secret between the RADIUS server and the Endian 4i Edge Appliance.

    RADIUS authentication port

    The TCP port that is used for the RADIUS authentication.

    RADIUS accounting port

    The TCP port that is used for the accounting.

    RADIUS identifier

    The Endian 4i Edge Appliance’s RADIUS identifier or NAS ID.

  • Split Data (User Information & Password)

    This server type works as a proxy for two different providers - but unlike the One time Password type, it does not add two-factor authentication. This type allows to select the sources for both the user information as well as the password providers. The fields that need to be configured are:

    User information provider

    Choose from this drop-down menu which provider supplies the user-specific information.

    Password provider

    Choose from this drop-down menu which provider supplies the passwords to be used for users’ authentication.

Table Of Contents

Previous topic

IPsec

Next topic

Certificates

Documentation archive (Endian UTM)

Version 3.0
Version 2.5
Version 2.4
Version 2.3
Version 2.2
Version 2.1

Other products

Endian UTM 5.0
Endian Hotspot 5.0