The Authentication Menu

New in version 6.8.0: Authentication Menu

To better manage the interaction of users and the UTM there is now a unified interface for managing all system authentication (excluding Web/CLI). The sub-menu on the left-hand side of the page grants access to their configuration pages and options, which are summarised as follows:

  • Users - manage local users on the UTM

  • Groups - manage local groups on the UTM

  • Lockout - manage the dynamically locked users, blacklist, whitelists and settings

  • Providers - manage the providers of user information, e.g. credential providers like LDAP, AD, etc.

  • Services - map the Provider to be used by available Services on the UTM

Users

In this page, all users that have an account on the UTM are displayed in the table, and for each the following information is shown.

  • Name. The name of the user.

  • Provider. The provider where this user is located (e.g. Local, LDAP, etc).

  • Additional Comment. Any remarks or descriptions for this user.

  • 2FA. Status of 2-factor authentication (on/off) for this user.

  • Actions. The available operations that can be carried out on the account.

Note

Editing an LDAP user only allows one to modify the local options, not other data like username or password, which are entirely managed by the LDAP server.

Click on New user above the table to add a new local account. In the form that will show up, the following options can be specified for each user.

New User

Basic Info

Username

The login name of the user.

Enabled

Checkbox to enable/disable this user account.

Authentication

Use external password provider

This checkbox is only visible if at least one external authentication server has been configured. Once it has been selected the following password input fields will disappear and the user will be authenticated by using the external authentication servers.

Password, Confirm password

The password for the user, to be entered twice. The passwords are hidden while typing: to see them, click the eye icon on the right side of the input field.

Email Address

Enter the email address to be used for this user account.

Additional Comment

An additional comment.

Additional User Info

Organizational Unit Name

The organisational unit to which the user belongs, i.e., the department of the company, enterprise, or institution identified in the certificate.

Organization Name

The organisation to which the user belongs.

City

The city (L in the certificate) in which the organisation is located.

State

The state or province (ST in the certificate) in which the organisation is located.

Country

The Country (C in the certificate) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.

Group Membership

Edit members

In this part of the panel it is possible to assign the user to one or more groups. After clicking Edit members, existing groups can be selected and/or filtered to find matching groups. Group membership is added by clicking the + on the right of the group name; groups to which the user belongs then show Delete as their action. Once groups have been added, the Edit members button label shows the number of selected groups in parentheses.

Services

Enable this user for the following VPN Services:

Enabled services

By default, a user can use all services, i.e., OpenVPN, XAuth (IPsec), and L2TP. For any new authentication server defined, additional checkboxes will appear. Tick or untick a checkbox to enable or disable that service for the user.

Changed in version 5.1.

OTP

One Time Password secret

This field contains the TOTP secret for the specific user. Due to the constraints in creating these secrets it is not possible to insert them manually but they must be generated by clicking on the Generate new secret button. A QR code representation of the secret will be displayed automatically next to the button.

One-Time Passwords

There are many different one-time password algorithms. On UTM systems the Time-based One-Time Password (TOTP) algorithm has been implemented as described in RFC 6238. Since this is an open standard, applications exist for almost all devices (Android, iOS and Windows smartphones, PCs, etc.). To be able to use a device, it needs to be initialised with the One Time Password Secret, either by entering the secret manually or by scanning the QR code.
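As an added example (not code from the UTM or its vendor), the following Python implements the RFC 6238 algorithm the paragraph refers to, so that the secret, the QR code and the code a user types can be seen end to end. It assumes the RFC's default parameters (HMAC-SHA1, 30-second step, 6 digits), which the page does not state, and the `verify_totp` skew window of one step is a design choice of this example, not a documented UTM setting.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 defaults, assumed here because the page does not state them:
# HMAC-SHA1, 30-second time step, 6-digit codes.
TIME_STEP = 30
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Random TOTP secret, Base32-encoded as authenticator apps expect.
    This stands in for the 'Generate new secret' button."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    now = int(time.time()) if at is None else at
    return hotp(key, now // step)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1) -> bool:
    """Check a submitted code in constant time, accepting +/- `window`
    time steps of clock skew between the UTM and the user's device."""
    now = int(time.time()) if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at=now + drift * TIME_STEP)
        ok |= hmac.compare_digest(expected, code)
    return ok


def provisioning_uri(secret_b32: str, username: str, issuer: str = "UTM") -> str:
    """Key URI (otpauth://) of the kind a QR code next to the secret encodes,
    so the same parameters reach the user's app."""
    label = quote(f"{issuer}:{username}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    # RFC 6238 reference secret "12345678901234567890" in Base32 (taken from
    # the RFC's test data, not a real user secret).
    rfc_secret = base64.b32encode(b"12345678901234567890").decode("ascii")
    print(totp(rfc_secret, at=59))                  # 287082 (RFC 6238, 6 digits)
    print(verify_totp(rfc_secret, "287082", at=89))  # True: one step of skew tolerated
    print(provisioning_uri(generate_secret(), "alice"))
```

The values printed for the RFC secret match the RFC 6238 test vectors truncated to six digits, which is a quick way to confirm an implementation before trusting it with real secrets. Note that the Base32 string is the secret itself: wherever it is displayed or stored it deserves the same protection as a password.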

OpenVPN

Select the OpenVPN User Type

Remote Access

Tick this box to use this user account for OpenVPN remote access, i.e., for users who connect remotely to this appliance with the Connect App (or an OpenVPN client) in order to access internal network resources.

Net2Net

Tick this box to use this user account for a Net2Net OpenVPN connection, which links two Endian gateways together so that each can access the other's internal networks.


Accessible Remote Networks Through this Connection

When setting up a Net2Net connection, you must provide the remote subnets of the remote gateway connecting to this UTM. This way, the UTM knows which routes to add for this specific Net2Net connection.


Override the global OpenVPN configuration for this user

Tick this checkbox to allow the OpenVPN protocol to be used. This option reveals a box in which custom options for the account can be specified, see below.

Override OpenVPN Options

Custom Client Routing

Direct all client traffic through the VPN (full tunnel)

If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the UTM. The default is to route through the VPN only the client traffic to the internal networks (see next options).

Hint

If this option is selected, the related options below are hidden, since they cannot be used simultaneously with full tunnel mode.

Or push the following routes

When not using full tunnel mode, the user can optionally choose to select GREEN, BLUE, or ORANGE zones to be pushed to the client. These options have no effect if the corresponding zones are not enabled.

Push only these networks

If any networks are listed here (one per line, in CIDR notation), only the routes to these networks will be sent to the client.

Push Other Client Settings

Static IP addresses

Dynamic IP addresses are assigned by default to clients, but a static IP address provided here will be assigned to the client whenever it connects.

Note

If the client connects to a multicore VPN server running on the UTM, this assignment will not be taken into account.

Push these nameservers

Assign custom nameservers on a per-client basis here.

Push these domains

Assign custom search domains on a per-client basis here.

Note

When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. Using this solution, several possible sources for errors and conflicts will be avoided. Indeed, there are several advantages, including: The automatic assignment of correct routes, without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.

Groups

In this page, all groups that exist on the UTM are displayed in the table, and for each the following information is shown.

  • Name. The name of the group.

  • Provider. The provider where this group is located (e.g. Local, LDAP, etc).

  • Number of Members. The number of users in this group.

  • Additional Comment. Any remarks or descriptions provided for this group.

  • Actions. The available operations that can be carried out on the group.

Click on New group above the table to add a new local group. In the form that will show up, the following options can be specified for each group.

New Group

Basic

Name

The name of the group.

Enabled

Checkbox to enable/disable this group account.

Additional Comment

An additional comment.

Group Members

Edit members

In this part of the panel it is possible to assign one or more users to this group. After clicking Edit members, existing users can be selected and/or filtered to find matching users. Membership is added by clicking the + on the right of the user name; users assigned to this group then show Delete as their action. Once users have been added, the Edit members button label shows the number of selected users in parentheses.

VPN Options

Override the global OpenVPN configuration for this group

Tick this checkbox to allow the OpenVPN protocol to be used. This option reveals a box in which custom options for the group account can be specified, see below.

Override OpenVPN Options

Custom Client Routing

Direct all client traffic through the VPN (full tunnel)

If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the UTM. The default is to route through the VPN only the client traffic to the internal networks (see next options).

Hint

If this option is selected, the related options below are hidden, since they cannot be used simultaneously with full tunnel mode.

Or push the following routes

When not using full tunnel mode, the user can optionally choose to select GREEN, BLUE, or ORANGE zones to be pushed to the client. These options have no effect if the corresponding zones are not enabled.

Push only these networks

If any networks are listed here (one per line, in CIDR notation), only the routes to these networks will be sent to the client.

Push Other Client Settings

Static IP addresses

Dynamic IP addresses are assigned by default to clients, but a static IP address provided here will be assigned to the client whenever it connects.

Note

If the client connects to a multicore VPN server running on the UTM, this assignment will not be taken into account.

Push these nameservers

Assign custom nameservers on a per-client basis here.

Push these search domains

Assign custom search domains on a per-client basis here.

Note

When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. Using this solution, several possible sources for errors and conflicts will be avoided. Indeed, there are several advantages, including: The automatic assignment of correct routes, without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.
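The "Push only these networks" field (in both the user and the group OpenVPN options) expects one CIDR network per line, and the Note above recommends keeping the branch subnets disjoint. As an added example, not part of the UTM's own code, the following Python validates such a list the way a careful import would, renders it as the OpenVPN `push "route ..."` directives a client ends up receiving, and flags any pushed network that overlaps one of the local zones. The sample input, the zone layout and the overlap report format are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample input, as it would be typed into the textarea
# (one network per line; the blank line and the bad entry are deliberate).
SAMPLE_INPUT = """192.168.2.0/24

10.10.0.0/16
172.16.5.7/24
"""

# Constructed local zone layout of this gateway (zone names as on the UTM).
LOCAL_ZONES = {"GREEN": "192.168.1.0/24", "BLUE": "192.168.10.0/24"}


def parse_push_networks(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse a 'Push only these networks' list: one CIDR network per line.
    Returns (valid networks, error messages). Entries with host bits set,
    such as 172.16.5.7/24, are reported rather than silently rounded down."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r}: {exc}")
    return nets, errors


def to_openvpn_push(nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Render networks as OpenVPN server-side push directives (the form the
    client receives: dotted netmask rather than prefix length)."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in nets]


def find_conflicts(local_zones: Dict[str, str],
                   remote_nets: List[ipaddress.IPv4Network]) -> List[str]:
    """List every remote/pushed network that overlaps one of this gateway's
    own zones. Overlaps are what the Note warns about: routes then compete
    for the same destinations and local name resolution becomes ambiguous."""
    conflicts = []
    for zone, cidr in local_zones.items():
        local = ipaddress.IPv4Network(cidr)
        for remote in remote_nets:
            if local.overlaps(remote):
                conflicts.append(f"{remote} overlaps local {zone} zone {local}")
    return conflicts


if __name__ == "__main__":
    nets, errors = parse_push_networks(SAMPLE_INPUT)
    for directive in to_openvpn_push(nets):
        print(directive)
    for err in errors:
        print("rejected:", err)
    for conflict in find_conflicts(LOCAL_ZONES, nets):
        print("conflict:", conflict)
```

Rejecting a line with host bits set (rather than normalising it) is deliberate: a typo such as `172.16.5.7/24` usually means the administrator intended either a /32 host route or a different network, and guessing silently hides the mistake.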

Lockout

New in version 6.1.0.

This page is organised in four tabs and allows configuring how long a user or IP address will be denied any access after repeated authentication failures; it is intended to mitigate the effects of brute-force or DoS attacks.

Note

For the UTM, any user who utilizes the authentication daemon will be affected by the lockout module. This includes web user(s), VPN users, VPN portal users or any other defined authentication source.

Dynamically locked users

The table in this tab shows at a glance all the users that have been locked out from the Switchboard. Username- and IP-based searches within the table are possible, as well as a manual release of the locked users.

Note

A message is shown instead of the table if the Dynamic Lockout Settings (see below) are disabled.

Blacklist

In the Blacklist page, blocking rules can be defined by clicking on the Add new rule button. Whenever a connection matches one of the rules, any login attempt will always fail, even when valid credentials are provided.

Rule editor

User (or wildcard *)

Write a username in the textfield to always block their login attempts.

Source IP (or wildcard *)

Add an IP address in the textfield to block all login attempts from it.

Note

Since both the fields require a value, to block a user it is also needed to add a wildcard in the Source IP field; while to block an IP, a wildcard must be added to the User field. Examples:

User: johndoe
Source IP: *

User: *
Source IP: 10.64.1.120

Whitelist

Similar to the previous page, rules can be defined that will always allow connections and login attempts.

Rule editor

User (or wildcard *)

Write a username in the textfield to always allow their login attempts.

Source IP (or wildcard *)

Add an IP address in the textfield to always allow login attempts from it.

Note

Like for the Blacklist, both these fields require a value.

Dynamic lockout settings

Here the lockout settings can be configured. The whole functionality can be enabled or disabled by clicking on the toggle button on top of the page. How the lockout mechanism works is explained in the box below.

Settings

Max. failed logins

The number of failures before the first lockout. Defaults to 3.

Initial timeout

The number of seconds that the first lockout will last. Defaults to 30 seconds.

Max. timeout

The number of seconds of the longest timeout. Defaults to 600 seconds.

Backoff ratio

The factor by which the lockout duration is multiplied after the second and each following failed attempt. Defaults to 2.
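The four settings above, together with the Blacklist and Whitelist rules, define a small decision procedure in front of every credential check. The following Python is an added model of that procedure, not the UTM's lockout module itself, using the documented defaults (3 failures, 30 s, 600 s, ratio 2) and the wildcard semantics of the rule editors. Two points are this example's own assumptions rather than documented behaviour: a whitelisted user/IP is treated as exempt from dynamic lockout (but still needs valid credentials), and once a lockout has expired, the next failure re-locks immediately for the backed-off duration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# A rule is (user, source IP); "*" is the wildcard from the rule editors.
Rule = Tuple[str, str]


def rule_matches(rule: Rule, user: str, ip: str) -> bool:
    """Both fields must match (the page requires both to be filled)."""
    rule_user, rule_ip = rule
    return rule_user in ("*", user) and rule_ip in ("*", ip)


@dataclass
class LockoutSettings:
    """Defaults taken from the Dynamic lockout settings tab."""
    enabled: bool = True
    max_failed_logins: int = 3   # failures before the first lockout
    initial_timeout: int = 30    # seconds the first lockout lasts
    max_timeout: int = 600       # longest possible lockout
    backoff_ratio: float = 2.0   # growth factor for each further lockout


@dataclass
class _UserState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0


class LockoutGuard:
    """Hypothetical model of the lockout decision in front of a credential
    check; `verify` is any callable returning True for valid credentials."""

    def __init__(self, settings: LockoutSettings, blacklist: Iterable[Rule],
                 whitelist: Iterable[Rule], verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time) -> None:
        self.settings = settings
        self.blacklist = list(blacklist)
        self.whitelist = list(whitelist)
        self.verify = verify
        self.clock = clock
        self._state: Dict[str, _UserState] = {}

    def lockout_duration(self, previous_lockouts: int) -> float:
        """initial * ratio^n capped at max: 30, 60, 120, 240, 480, 600, 600, ..."""
        s = self.settings
        return min(s.initial_timeout * s.backoff_ratio ** previous_lockouts, s.max_timeout)

    def attempt(self, user: str, ip: str, password: str) -> Tuple[bool, str]:
        if any(rule_matches(r, user, ip) for r in self.blacklist):
            return False, "blacklisted"          # fails even with valid credentials
        exempt = (not self.settings.enabled
                  or any(rule_matches(r, user, ip) for r in self.whitelist))
        now = self.clock()
        st = self._state.setdefault(user, _UserState())
        if not exempt and now < st.locked_until:
            return False, f"locked out for {int(st.locked_until - now)}s"
        if self.verify(user, password):
            self._state.pop(user, None)          # success clears the counters
            return True, "ok"
        if exempt:
            return False, "bad credentials"
        st.failures += 1
        # Assumed reading of the settings: the first lockout needs
        # max_failed_logins failures; after an expired lockout, the next
        # failure re-locks immediately with the backed-off duration.
        if st.failures >= self.settings.max_failed_logins or st.lockouts > 0:
            duration = self.lockout_duration(st.lockouts)
            st.lockouts += 1
            st.failures = 0
            st.locked_until = now + duration
            return False, f"bad credentials; locked out for {int(duration)}s"
        return False, "bad credentials"

    def locked_users(self) -> List[Tuple[str, int]]:
        """What the 'Dynamically locked users' tab would list."""
        now = self.clock()
        return [(u, int(st.locked_until - now)) for u, st in self._state.items()
                if st.locked_until > now]

    def release(self, user: str) -> None:
        """Manual release, as from the locked-users table."""
        self._state.pop(user, None)


if __name__ == "__main__":
    # Constructed rules and credentials; the blacklist entry mirrors the
    # page's "User: *, Source IP: 10.64.1.120" example.
    guard = LockoutGuard(LockoutSettings(), blacklist=[("*", "10.64.1.120")],
                         whitelist=[("admin", "192.168.1.10")],
                         verify=lambda u, p: (u, p) == ("alice", "s3cret"))
    for _ in range(4):
        print(guard.attempt("alice", "203.0.113.5", "wrong"))
    print(guard.locked_users())
```

Two properties worth checking in any such implementation are visible here: a blacklist match is decided before credentials are ever verified, and a locked-out account rejects even the correct password until the timeout expires, which is what turns the backoff into an effective brake on online guessing.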

Providers

New in version 6.8.0.

In this page, all authentication providers on the UTM are displayed in the table, and for each the following information is shown.

  • Name. The name of the provider

  • Type. The provider type like Local, LDAP, AD, etc.

  • Mapped. Whether this provider is mapped to any Services (and the number of services using it)

  • Status. Status of the Provider (enabled/disabled)

  • Actions. The available operations that can be carried out on the server

Note

There are two integrated services, the Administration Web Portal and the Local Database, which cannot be disabled or deleted.

Click on New provider above the table to add a new provider. In the form that will show up, the options displayed will vary slightly depending on the provider type selected.

LDAP

Connection Type

Here you can choose the credential provider type, which includes the following choices:

Active Directory

Choose this option to use an Active Directory server to authenticate the users. The following options are supported for this type:

Name

A descriptive name for this server.

Hint

Once created, this field is no longer able to be changed (edited).

Enable sync

Check this box to enable syncing from remote directory.

Server IP / FQDN

The IP address or FQDN (fully-qualified domain name) of the server.

Port

The port number of the LDAP service on the designated server.

Bind DN username

The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.

Bind DN password

The password of the bind DN user.

User Base DN

The base DN which is used as the starting place for looking up users.

Group Base DN

The base DN which is used as the starting place for looking up groups.

Edit groups

This option allows you to select which groups on the LDAP server are allowed to connect to the UTM's services using this provider.

Hint

This field won’t be editable until all required fields are completed.

Active Directory with UPN

Choose this option to use an LDAP or Active Directory server to authenticate the users. This option differs from the previous one in that directory users and groups are not synced to the UTM, which can be especially useful with very large directories (thousands of users and groups). The options displayed here are identical to those of the previous Active Directory type.

Name

A descriptive name for this server.

Hint

Once created, this field is no longer able to be changed (edited).

Enable sync

Check this box to enable syncing from remote directory.

Server IP / FQDN

The IP address or FQDN (fully-qualified domain name) of the server.

Port

The port number of the LDAP service on the designated server.

Bind DN username

The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.

Bind DN password

The password of the bind DN user.

User Base DN

The base DN which is used as the starting place for looking up users.

Group Base DN

The base DN which is used as the starting place for looking up groups.

Edit groups

This option allows you to select which groups on the LDAP server are allowed to connect to the UTM's services using this provider.

Hint

This field won’t be editable until all required fields are completed.

LDAP

Choose this option to use a generic LDAP server to authenticate the users.

Name

A descriptive name for this server.

Hint

Once created, this field is no longer able to be changed (edited).

Enable sync

Check this box to enable syncing from remote directory.

Server IP / FQDN

The IP address or FQDN (fully-qualified domain name) of the server.

Port

The port number of the LDAP service on the designated server.

Bind DN username

The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.

Bind DN password

The password of the bind DN user.

User Base DN

The base DN which is used as the starting place for looking up users.

Advanced

User Search Filter

The search filter that selects the user objects in the directory.

User UID

The attribute that holds the login ID of the users in the directory.

Group Base DN

The base DN which is used as the starting place for looking up groups.

Advanced

Group Search Filter

The search filter that selects the group objects in the directory.

Group UID

The attribute that holds the ID of the groups in the directory.

Group Member

The attribute that holds the members of each group in the directory.

Edit groups

This option allows you to select which groups on the LDAP server are allowed to connect to the UTM's services using this provider.

Hint

This field won’t be editable until all required fields are completed.
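The Advanced fields of the generic LDAP provider (User Search Filter, User UID, Group Search Filter, Group UID, Group Member) are the pieces from which the provider's directory searches are assembled. As an added illustration, not the UTM's own code, the following Python builds those searches from a configuration object and shows the one check that matters most when a login name is interpolated into a filter: escaping per RFC 4515, so that characters such as `*`, `(` and `)` typed as a username stay literal instead of rewriting the query. The directory layout, attribute names and DNs in the defaults are constructed examples.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class LdapProviderConfig:
    """The provider fields from the page; the default values are constructed
    examples for a generic LDAP directory, not values the page prescribes."""
    user_base_dn: str = "ou=people,dc=example,dc=com"
    user_search_filter: str = "(objectClass=inetOrgPerson)"
    user_uid: str = "uid"
    group_base_dn: str = "ou=groups,dc=example,dc=com"
    group_search_filter: str = "(objectClass=groupOfNames)"
    group_uid: str = "cn"
    group_member: str = "member"


def escape_filter_value(value: str) -> str:
    """Escape a value embedded in a search filter (RFC 4515 section 3):
    backslash, parentheses, asterisk and NUL become \\XX hex escapes, so a
    login name typed by a user cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_lookup(cfg: LdapProviderConfig, login: str) -> Dict[str, str]:
    """The search a provider would issue to find the entry for a login name:
    the configured User Search Filter AND-ed with <User UID>=<login>."""
    return {
        "base": cfg.user_base_dn,
        "scope": "subtree",
        "filter": f"(&{cfg.user_search_filter}"
                  f"({cfg.user_uid}={escape_filter_value(login)}))",
    }


def groups_of_user(cfg: LdapProviderConfig, user_dn: str) -> Dict[str, str]:
    """Find the groups whose Group Member attribute lists the user's DN and
    return their Group UID attribute."""
    return {
        "base": cfg.group_base_dn,
        "scope": "subtree",
        "filter": f"(&{cfg.group_search_filter}"
                  f"({cfg.group_member}={escape_filter_value(user_dn)}))",
        "attributes": cfg.group_uid,
    }


def unsafe_user_filter(cfg: LdapProviderConfig, login: str) -> str:
    """Raw interpolation, kept only to contrast with the escaped form above:
    the filter's structure then depends on what the user typed."""
    return f"(&{cfg.user_search_filter}({cfg.user_uid}={login}))"


if __name__ == "__main__":
    cfg = LdapProviderConfig()
    print(user_lookup(cfg, "alice")["filter"])
    print(unsafe_user_filter(cfg, "*)(uid=*"))    # structure changed by input
    print(user_lookup(cfg, "*)(uid=*")["filter"])  # escaped, input stays literal
    print(groups_of_user(cfg, "uid=alice,ou=people,dc=example,dc=com")["filter"])
```

The same escaping applies to the Group Member lookup: the user's DN is attacker-influenced only indirectly, but DNs can legitimately contain parentheses, and an unescaped one would make the group search fail or, worse, match too broadly.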

OpenLDAP

Choose this option to use an OpenLDAP server to authenticate the users.

Name

A descriptive name for this server.

Hint

Once created, this field is no longer able to be changed (edited).

Enable sync

Check this box to enable syncing from remote directory.

Server IP / FQDN

The IP address or FQDN (fully-qualified domain name) of the server.

Port

The port number of the LDAP service on the designated server.

Bind DN username

The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.

Bind DN password

The password of the bind DN user.

User Base DN

The base DN which is used as the starting place for looking up users.

Group Base DN

The base DN which is used as the starting place for looking up groups.

Edit groups

This option allows you to select which groups on the LDAP server are allowed to connect to the UTM's services using this provider.

Hint

This field won’t be editable until all required fields are completed.

eDirectory

Choose this option to use a Novell eDirectory LDAP server to authenticate the users.

Name

A descriptive name for this server.

Hint

Once created, this field is no longer able to be changed (edited).

Enable sync

Check this box to enable syncing from remote directory.

Server IP / FQDN

The IP address or FQDN (fully-qualified domain name) of the server.

Port

The port number of the LDAP service on the designated server.

Bind DN username

The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.

Bind DN password

The password of the bind DN user.

User Base DN

The base DN which is used as the starting place for looking up users.

Group Base DN

The base DN which is used as the starting place for looking up groups.

Edit groups

This option allows you to select which groups on the LDAP server are allowed to connect to the UTM's services using this provider.

Hint

This field won’t be editable until all required fields are completed.

Other

RADIUS

Choose this option to configure a RADIUS server. Note that RADIUS servers can only be used as password providers within a Proxy provider. To use a RADIUS server, the following options must be defined:

Name

A descriptive name of the RADIUS server.

Note

Once created, this field is no longer able to be changed (edited).

Server Address

The IP address of the RADIUS server.

Shared Secret

The shared secret between the RADIUS server and the UTM.

Authentication Port

The TCP port that is used for the RADIUS authentication (default 1812).

Access Port

The TCP port that is used for RADIUS accounting (default 1813).

Identifier

The UTM's RADIUS identifier or NAS ID.
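To show what the Shared Secret and Identifier fields actually do on the wire, here is an added Python example (not vendor code) that encodes an Access-Request as defined in RFC 2865 and parses it back: the Identifier travels as the NAS-Identifier attribute, and the shared secret is what hides the User-Password attribute with the MD5-based block chaining of RFC 2865 section 5.2. The secret, user, password and authenticator bytes are constructed for the example; the fixed authenticator exists only so the output is reproducible, a real request must use 16 random bytes per packet.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1          # RADIUS code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32    # carries the UTM's "Identifier" (NAS ID) field


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request
    Authenticator, which is why it must be fresh for every request."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def recover_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(secret: bytes, identifier: int, username: str,
                         password: str, nas_id: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Encode an Access-Request: header (code, id, length, 16-byte Request
    Authenticator) followed by type-length-value attributes."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(secret, authenticator, password.encode())
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hidden),
                             (ATTR_NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Decode header and attributes, rejecting inconsistent length fields
    (each attribute's length byte counts the type and length bytes too)."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length field")
    authenticator = data[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    # Constructed values: "testing123" is a placeholder secret, not a real one.
    auth = bytes(range(16))
    pkt = build_access_request(b"testing123", 7, "alice", "s3cret", "utm-01", auth)
    code, ident, _, attrs = parse_packet(pkt)
    print(code, ident, attrs[ATTR_USER_NAME], attrs[ATTR_NAS_IDENTIFIER])
    print(attrs[ATTR_USER_PASSWORD].hex())
    print(recover_password(b"testing123", auth, attrs[ATTR_USER_PASSWORD]))
```

The round trip makes the risk model concrete: whoever knows the shared secret and sees the packet recovers the password, so the secret should be long and random and the path between the UTM and the RADIUS server kept on a trusted network.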

Proxy

Note

This was formerly known as Split Data (User Information & Password).

This server type works as a proxy for two different providers, but it does not add two-factor authentication. When this server type is chosen, two drop-down menus allow choosing different providers for users and passwords:

User Provider

Choose from the drop-down menu which authentication server will be used to retrieve the user information.

Password Provider

Choose from the drop-down menu which authentication server will be used to verify the user's password.

Note

If any servers of type One Time Password or type RADIUS have been defined, they will be available for selection as password provider.

For any given provider, you can click on the Edit icon to access the settings for the selected provider. The following options are available:

Multi-Factor Type

Here you can enable the use of OTP (One-Time Password) by selecting it from the drop-down menu. The default option is that this feature is disabled. Each user can find their OTP information on the Users page.

Services

New in version 6.8.0.

In this page, all authentication services on the UTM are displayed in the table, and for each the following information is shown.

  • Name. The name of the service

  • Providers. The provider mapped to this service

  • Actions. The available operations that can be carried out on the service

Note

There is one integrated service which cannot be disabled, deleted or edited which is the Administration Web Portal & API.

Click on Manage providers below the table to go to the Provider page in order to manage the providers.

For each supported service, you can click the Edit icon to manage the service type selected. For each service, the options are the same as described below:

Credential Provider

Here you can add and manage the list of credential providers. A credential provider is a user database source which is located either (a) on the UTM itself or (b) on the local network, for example a Microsoft Active Directory or LDAP server. By default, the VPN services are configured to use the Local database on the UTM, but you can add or change this by clicking Add credential provider and selecting one of the already configured providers. You can also change the order of the providers by using the arrows to move an entry up or down.

Note

The providers are processed sequentially from top to bottom, so ensure you order them appropriately.