Authentication

This page shows two tabs, which allow managing local Users and Groups.

Users

In this page, all users that have an account on the Endian Hotspot Appliance’s VPN server are displayed in the table, and for each the following information is shown.

  • Name. The name of the user.

  • Remark. A comment.

  • Authentication server. The server used for the user authentication.

  • Actions. The available operations that can be carried out on the account.

Click on Add new local user above the table to add a new local account. In the form that will show up, the following options can be specified for each user.

Add new local user

Username

The login name of the user.

Remark

An additional comment.

Password, Confirm password

The password for the user, to be entered twice. The passwords are not shown by default: to see them, tick the two checkboxes on their right.

Certificate configuration

This drop-down menu is used to select the method of creation of a new certificate. The available options are:

  • Use selected certificate. Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.

    Hint

    The name of the certificate selected appears right above the hyperlink.

  • Use an existing certificate. A new drop-down menu that appears on the right-hand side allows selecting a certificate that has already been created and stored on the Endian Hotspot Appliance.

  • Generate a new certificate. Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open where to specify all options necessary to create a new certificate.

  • Upload a certificate. By clicking on the Browse… button that appears underneath the drop-down menu, an existing certificate can be selected from the workstation and uploaded. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.

  • Upload a certificate signing request. By clicking on the Browse… button that appears underneath the drop-down menu, an existing certificate signing request can be selected from the workstation and uploaded. The validity of the certificate in days can be provided in the textfield on the right-hand side.

Note

Note that it is currently not possible to generate a Let’s Encrypt CA from here.

Organizational unit name

The Organisation Unit to which the user belongs, i.e., the company, enterprise, or institution department identified with the certificate.

Organization name

The organisation to which the user belongs.

City

The city (L in the certificate) in which the organisation is located.

State or province

The state or province (ST in the certificate) in which the organisation is located.

Country

The Country (C in the certificate) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.

Email address

The e-mail address of the user.

Group membership

In this part of the panel it is possible to assign the user membership of one or more groups. In the search widget it is possible to filter existing groups to find matching groups. Group membership is added by clicking on the + on the right of the group name. Groups to which the user belongs are shown in the textfield below. There are also shortcuts to Add all and to Remove all group memberships at once.

Override OpenVPN options

Tick this checkbox to allow the OpenVPN protocol to be used. This option will reveal a box in which to specify custom options for the account, see below.

Enabled

Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Endian Hotspot Appliance.

Override OpenVPN Options

Direct all client traffic through the VPN server

If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the Endian Hotspot Appliance. The default is to route through the VPN only the client traffic to the internal networks (see next options).

Push only global options to this client

For advanced users only. Normally, when a client connects, tunnelled routes to networks that are accessible via VPN are added to the client’s routing table, to allow it to connect to the various local networks reachable from the Endian Hotspot Appliance. Enable this option if this behaviour is not wanted; in that case the client’s routing tables (especially those for the internal zones) must be modified manually.

Push route to GREEN [BLUE, ORANGE] zone

When this option is active, the client will have access to the GREEN, BLUE, or ORANGE zone. These options have no effect if the corresponding zones are not enabled.

Push only these networks

If any networks are written here (one per line, in CIDR notation), only routes to these networks will be sent to the client.

Networks behind client

When the account will be used to connect a remote gateway in a GW2GW setup, this box contains the list of the networks lying behind the client that must be made reachable from the other clients through the OpenVPN server. It is not used for roadwarrior (single) users.

Warning

This option is mandatory if the user will be used to connect a GW2GW client. If no networks are specified here, no route to them will be pushed to the other clients, making them unreachable.

Static IP addresses

Dynamic IP addresses are assigned by default to clients, but a static IP address provided here will be assigned to the client whenever it connects.

Push these nameservers

Assign custom nameservers on a per-client basis here. This setting (and the next one) can be defined once and then enabled or disabled at will.

Push these domains

Assign custom search domains on a per-client basis here.

Note

When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. This avoids several possible sources of errors and conflicts, and several advantages come for free, including: the automatic assignment of correct routes without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.

Groups

In this page a table is displayed, which shows all the groups that are either defined on the Endian Hotspot Appliance or on an external LDAP server. For each group the following information is shown:

  • Groupname. The name of the group.

  • Remark. A comment.

  • Authentication server. The server used for the user authentication.

  • Actions. The available operations that can be carried out on the group.

Click on Add new local group above the table to add a new local group. In the form that will show up, the following options can be specified for each group.

Group Name

The name given to the group.

Remark

A comment.

Users

In this part of the panel it is possible to assign users to the group. In the search widget it is possible to filter existing local users to find matching users. Users are added to the group by clicking on the + on the right of the username. Users in the group are shown in the textfield below. There are also shortcuts to Add all and to Remove all users to/from a group.

Override OpenVPN options

Tick this checkbox to allow the OpenVPN protocol to be used. This option will reveal a box in which to specify custom options for the group, which are the same as those specified for the local users.

Enabled

Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Endian Hotspot Appliance.

Warning

While the same user can legitimately be part of one or more groups, care must be taken that the groups the user belongs to do not define contrasting override options. As an example, consider a user who is a member of two groups, one allowing access only to the GREEN zone and one only to the BLUE zone. In this case, it is not easy to predict whether that user will be granted access to the BLUE or the GREEN zone. The management of these issues is left to the administrator of the OpenVPN server.
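The override options above (the CIDR textfields, the GW2GW warning, the non-overlapping branch subnets note) and the group warning just given lend themselves to a pre-flight check. The following script is an added example, not part of the Endian documentation or appliance; it models the options as a plain dataclass (an assumption about how one might represent them, not the appliance's internal format) and flags the misconfigurations the page warns about before they reach the server.

```python
import ipaddress
from dataclasses import dataclass

ZONES = ("GREEN", "BLUE", "ORANGE")

@dataclass
class OpenVPNOverride:
    # Constructed model of the per-user / per-group override options described on this page.
    redirect_all_traffic: bool = False   # "Direct all client traffic through the VPN server"
    push_zones: frozenset = frozenset()  # "Push route to GREEN [BLUE, ORANGE] zone"
    only_networks: tuple = ()            # "Push only these networks" (CIDR, one per line)
    networks_behind_client: tuple = ()   # "Networks behind client" (GW2GW accounts only)

def parse_cidr_lines(text):
    """Parse a 'one per line, CIDR notation' textfield; a malformed line raises ValueError."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))  # host bits set -> ValueError
    return tuple(nets)

def validate_override(ov, gw2gw_account):
    """Return the problems found in one override, following the Warning box above."""
    problems = []
    if any(z not in ZONES for z in ov.push_zones):
        problems.append("unknown zone in push_zones")
    if gw2gw_account and not ov.networks_behind_client:
        problems.append("GW2GW account without 'Networks behind client': no route will be pushed")
    if not gw2gw_account and ov.networks_behind_client:
        problems.append("'Networks behind client' is ignored for roadwarrior users")
    return problems

def overlapping_subnets(subnets):
    """Note box: branch LANs should not overlap; return every overlapping pair as strings."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

def group_zone_conflicts(group_overrides):
    """Groups Warning: a member of several groups must not get contrasting zone pushes.
    Returns the pairs of group names whose 'Push route to ... zone' settings disagree."""
    named = [(n, ov.push_zones) for n, ov in group_overrides.items() if ov.push_zones]
    return [(a, b) for i, (a, za) in enumerate(named) for b, zb in named[i + 1:] if za != zb]

if __name__ == "__main__":
    # Constructed sample: the page's example of a user in two groups with contrasting access.
    groups = {"office": OpenVPNOverride(push_zones=frozenset({"GREEN"})),
              "guests": OpenVPNOverride(push_zones=frozenset({"BLUE"}))}
    print(group_zone_conflicts(groups))
    print(overlapping_subnets(["192.168.1.0/24", "192.168.2.0/24"]))
```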
