Authentication¶
This section contains a few sub-pages: Users and Groups allow to manage all the clients that have access to the OpenVPN or IPsec services, Lockout allows to configure the VPN lockout mechanism, and while Settings allows to define different means of authentication, either local on the Connect Switchboard or remote.
New in version 6.1.: Lockout functionality
Users¶
In this page, all users that have an account on the Connect Switchboard‘s VPN server are displayed in the table, and for each the following information is shown.
Name. The name of the user.
Remark. A comment.
Authentication server. The server used for the user authentication, which is either local (the Connect Switchboard itself) or LDAP (an external LDAP server, configurable in the Settings page).
Actions. The available operation that can be carried out on the account.
Note
Editing an LDAP user only allows to modify the local options, not other data like username or password, which are entirely managed by the LDAP server.
Click on above the table to add a new local account. In the form that will show up, the following options can be specified for each user.
Add new local user
- Username
The login name of the user.
- Remark
An additional comment.
Authentication options
- Authenticate using external authentication server
This checkbox is only visible if at least one external authentication server has been configured. Depending on the choice, either of the following options appears.
- Password, Confirm password
The password for the user, to be entered twice. The passwords are actually not shown: To see them, tick the two checkboxes on their right.
- One Time Password secret
This field contains the TOTP secret for the specific user. Due to the constraints in creating these secrets it is not possible to insert them manually but they must be generated by clicking on the button. A QR code representation of the secret can be displayed by clicking on the button.
Note
This option appears only if an authentication server of type One Time Password has been added in the Authentication settings.
One-Time Passwords
There exist many different one-time password algorithms. On Connect Switchboard systems the Time-based One-Time Password algorithm has been implemented as described in RFC 6238. Since this is an open standard, applications exist for almost all devices (Android, iOS and Windows smartphones, PCs etc.). To be able to use a device, it needs to be initialised with the One Time Password Secret. Copy the secret manually to the smartphone, or better take a picture of the QR code or scan it.
user certificate
Certificate configuration
Select how to assign a certificate to the user. The choices available in the drop-down menu are: Don’t change (i.e., inherit the configuration from the server), Generate a new certificate, Upload a certificate, and Upload a Certificate request. Upon selection, below the drop-down menu appear the available options for each mode, which are described in the Certificates page.
additional user information
- Organizational unit name
The Organisation Unit to which the user belongs to, i.e., the company, enterprise, or institution department identified with the certificate.
- Organization name
The organisation to which the user belongs to.
- City
The city (L in the certificate) in which the organisation is located.
- State or province
The state or province (ST in the certificate) in which the organisation is located.
- Country
The Country (C in the certificate) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.
- Email address
The e-mail address of the user.
- Member of
In this part of the panel it is possible to assign membership to one or more groups to the user. In the search widget it is possible to filter existing groups to find matching groups. Group membership is added by clicking on the group’s name in the left column, and removed by clicking on the name in the right column. There are also shortcuts to add or remove all groups at once by clicking on >> and << respectively.
Note
At least one group must have been defined in groups settings.
vpn custom options
- Override OpenVPN options
Tick this checkbox to allow the OpenVPN protocol to be used. This option will reveal a box in which to specify custom option for the account, see below.
- Override L2TP options
Tick this checkbox to show a box in which to choose the L2TP tunnel to be used.
Hint
The box for L2TP options will appear below the OpenVPN options box, if also OpenVPN option are to be overridden
- Enabled services
By default, a user can use all services, i.e., OpenVPN, IPsec XAuth, and L2TP. Tick any checkboxes to enable or disable the service for the user.
- Enabled
Tick the checkbox to allow the user to connect to the Connect Switchboard using the selected services.
OpenVPN Options
- Direct all client traffic through the VPN server
If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the Connect Switchboard. The default is to route through the VPN only the client traffic to the internal networks (see next options).
- Push only global options to this client
For advanced users only. Normally, when a client connects, tunnelled routes to networks that are accessible via VPN are added to the client’s routing table, to allow it to connect to the various local networks reachable from the Connect Switchboard. This option should be enabled if this behaviour is not wanted, but the client’s routing tables (especially those for the internal zones) should be modified manually.
custom client routing
- Push route to GREEN [BLUE, ORANGE] zone
When this option is active, the client will have access to the GREEN, BLUE, or ORANGE zone. These options have no effect if the corresponding zones are not enabled.
- Push only these networks
If any networks is written here (one per line and in CIDR notation, only routes to these networks will be sent to the client.
- Networks behind client
When the user will be used to connect a remote gateway in a GW2GW setup, this box contains the list of the networks laying behind the client that must be made reachable from the other clients through the OpenVPN Server. It is not used for roadwarrior (single) user.
Warning
This option is mandatory if the user will connect a GW2GW client. If no networks are specified here, no route to them will be pushed to the other clients, making therefore these networks unreachable.
custom push configuration
- Static IP addresses
Dynamic IP addresses are assigned by default to clients, but a static IP address provided here will be assigned to the client whenever it connects.
Note
If the client connects to a multicore VPN server running on the Connect Switchboard, this assignment will not be taken into account.
- Push these nameservers
Assign custom nameservers on a per-client basis here. This setting (and the next one) can be defined, but enabled or disabled at will.
- Push these domains
Assign custom search domains on a per-client basis here.
Note
When planning to have two or more branch offices connected
through a Gateway-to-Gateway VPN, it is good practice to choose
different subnets for the LANs in the different branches. For
example, one branch might have a GREEN zone with the
192.168.1.0/24 subnet while the other branch uses
192.168.2.0/24. Using this solution, several possible sources
for errors and conflicts will be avoided. Indeed, several
advantages come for free, including: The automatic assignment of
correct routes, without the need for pushing custom routes, no
warning messages about possibly conflicting routes, correct local
name resolution, and easier WAN network setup.
L2TP Options
- IPsec Tunnel
This drop-down menu allows to choose the tunnel that will be employed by the user, among those already defined.
Note
If no IPsec tunnel has yet been configured or all IPsec tunnels are in closed state, the Select a tunnel… message appears instead of the list of IPsec tunnels.
Groups¶
In this page a table is displayed, which shows all the groups that are either defined on the Connect Switchboard or on an external LDAP server. For each group the following information is shown:
Groupname. The name of the group.
Remark. A comment.
Authentication server. The server used for the user authentication, which is either local (the Connect Switchboard itself) or LDAP (an external LDAP server, configurable in the Settings page).
Actions. The available operation that can be carried out on the group.
Click on above the table to add a new local group. In the form that will show up, the following options can be specified for each group.
Add
- Group Name
The name given to the group.
- Remark
A comment.
- Group members
In this part of the panel it is possible to assign users to the group. In the search widget it is possible to filter existing local users to find matching users. Group membership is added by clicking on the user’s name in the left column, and removed by clicking on the name in the right column. There are also shortcuts to add or remove all groups at once by clicking on >> and << respectively.
- Override OpenVPN options
Tick this checkbox to allow the OpenVPN protocol to be used. This option will reveal a box in which to specify custom option for the account, which are the same as those specified for the local users.
- Override L2TP options
Tick this checkbox to show a box in which to choose the L2TP tunnel to be used from a drop-down menu.
Note
If no IPsec tunnel has yet been configured or all IPsec tunnels are in closed state, the Select a tunnel… message appears instead of the list of IPsec tunnels.
Hint
The box for L2TP options will appear below the OpenVPN options box, if also OpenVPN option are to be overridden
- Enabled
Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Connect Switchboard.
Warning
While the same user can be legally part of one or more groups, care must be taken that the groups the user belongs to do not define contrasting override options. As an example, consider a user member of two groups, one allowing access only to the GREEN zone, and one only to the BLUE. In this case, it is not easy to predict whether that user will be granted or not access to the BLUE or GREEN zone. The management of these issues is left to the manager of the OpenVPN server.
Lockout¶
New in version 6.1.0.
This page is organised in four tabs and allows to configure how long a user or IP address will be forbidden any access after a repeated authentication failure and is intended to mitigate the effects of a brute-force or DDos attack.
The table in this tabshows at a glance all the users that have been locked out from the Switchboard. Username and IP-based searches within the table is possible, as well as a manual release of the locked users.
Note
A message is shown instead of the table if the Dynamic Lockout Settings (see below) are disabled.
In the Blacklist page, blocking rules can be defined by clicking on the button. Whenever a connection matches one of the, rules, any login attempt will always fail, even when valid credentials are provided.
Rule editor
- User (or wildcard *)
Write a username in the textfield to always block their login attempts.
- Source IP (or wildcard *)
Add an IP address in the textfiled to block all login attempts from it.
Note
Since both the fields require a value, to block a user it is also needed to add a wildcard in the Source IP field; while to block an IP, a wildcard must be added to the User field. Examples:
User: johndoe Source IP: * User: * Source IP: 10.64.1.120
Similar to the previous page, rules can be defined that will always allow connections and login attempts.
Rule editor
- User (or wildcard *)
Write a username in the textfield to always allow their login attempts.
- Source IP (or wildcard *)
Add an IP address in the textfiled to block all login attempts from it.
Note
Like for the Blacklist, both these fields require a value.
Here the lockout settings can be configured. The whole functionality can be enabled or disabled by clicking on the toggle button on top of the page. How the lockout mechanism works is explained in the box below.
Settings
- Max. failed logins
The number of failures before the first lockout. Defaults to 3.
- Initial timeout
The number of seconds that the first lockout will last. Defaults to 30 seconds.
- Max. timeout
The number of seconds of the longest timeout. Defaults to 600 seconds.
- Backoff ratio
How much the lockout duration will increase after the second and next failed attempts. Defaults to 2.
Settings¶
This page contains the current configuration of the authentication servers on which the Connect Switchboard relies and allows for their management. Several authentication servers are available: LDAP/Active directory, Local, One Time Password, Radius and Split Data.
There are two tables in this page, one displaying information about every Authentication server defined, and one showing the Authentication server mappings.
Authentication server
This table carries the following information:
Name. The name given to the server
Type. Whether the server is a local or an external LDAP one.
Service. Which authentication is available for that server.
Actions.The available operation that can be carried out on the server.
A click on the button above the tables opens a form in which to supply all data to set up a new authentication server.
Add new authentication server
- Name
The name given to the authentication server.
- Enabled
Tick the checkbox to enable the server.
- Type
Select the server type from the drop-down menu. Depending on the choice made, the following options are available:
Choose this option to use an LDAP server to authenticate the users. The following options are supported for this type:
ldap settings
- LDAP server URI
The URI of the LDAP server.
- LDAP server type
This drop-down menu allows the choice of the type of the authentication server among Generic, Active Directory, Novell eDirectory, or OpenLDAP. Depending on this selection, some options will not be displayed.
- LDAP bind DN username
The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.
- LDAP bind DN password
The password of the bind DN user.
ldap user settings
- LDAP user base DN
The name of the Directory’s section where users will be searched for.
- LDAP user search filter
The user filter allows to limit the selection of users only to those that match the given filter.
- LDAP user unique ID attribute
The attribute used to uniquely identify the user.
ldap group settings
- LDAP group base DN
The name of the Directory’s section where groups will be searched for.
- LDAP group search filter
The group filter allows to limit the selection of groups only to those that match the given filter.
- LDAP group unique ID attribute
The attribute used to uniquely identify the group.
- LDAP group member attribute
The attribute used for group members.
- Limit to specified groups
This option allows to select which groups on the LDAP server are allowed to connect to the Connect Switchboard‘s OpenVPN server.
Note
When saving the settings, a click on the button will immediately start the synchronisation process of groups and users between the Connect Switchboard and the LDAP server.
Choose this option to create and manage users locally. The following option is available:
local group settings
- Limit to specified groups
This option allows to select which groups on the LDAP server are allowed to connect to the Connect Switchboard‘s OpenVPN server.
Choose this option to configure a RADIUS server. Note that RADIUS servers can only be used as password providers in both One Time Password and Split Data authentication servers. To use a RADIUS server the following options must be defined:
radius settings
- RADIUS server
The address of the RADIUS server.
- RADIUS shared secret
The shared secret between the RADIUS server and the Connect Switchboard.
radius advanced settings
- RADIUS authentication port
The TCP port that is used for the RADIUS authentication.
- RADIUS accounting port
The TCP port that is used for the accounting.
- RADIUS identifier
The Connect Switchboard‘s RADIUS identifier or NAS ID.
This server type works as a proxy for two different providers, but it does not add two-factor authentication. By choosing this server, two drop-down menus allow to chose different providers for users and passwords:
proxy settings
- User information provider
Choose from the drop-down menu which authentication server will be used to retrieve the user information.
- Password provider
Choose from the drop-down menu which authentication server will be used to retrieve the user information.
Note
If any servers of type One Time Password or type RADIUS have been defined, they will available for selection as password provider.
The choice of this option enables two-factor authentication. Like the Split Data option, this server type acts as a proxy for two different providers with the addition of the the two-factors authentication using a time-based, one-time passwords. Choosing this type will let you select the sources for both the user information as well as the password providers. The options are the same as in the Split Data option:
proxy settings
- User information provider
Choose from this drop-down menu the authentication server from which to retrieve the user information.
- Password provider
Choose from this drop-down menu the authentication server used to authenticate the users.
Authentication server mappings
This table shows which authentication server is used in each available service, namely IPsec XAuth, OpenVPN or L2TP.
The only available action for each mapping is to edit it. By clicking on the edit icon, a form will appear, in which a selector allows to select which authentication backends will be used for that service.
Hint
It is possible to map multiple servers to a service and use the same authentication server for more services.