User Settings

Username – Unique identifier that the user will use for authentication.

Full Name – User’s first and last name

E-mail – User’s email address. This email address is used for Certificate delivery if using the TLS authentication method.

Organizational Unit – Unit that the user is member of. Every user can be a member of one unit. The user will automatically inherit group membership and all group attributes.

Authentication Source – Determines what identity database should be used for credential validation. Valid options are:

  • local – verify using internal password database as defined in IronWifi Console
  • google – forward request to Google servers for verification
  • rest – use a REST API to verify provided credentials
  • ldap – provided credentials will be verified using external AD/LDAP server

Google, REST and LDAP authentication sources require working Connector setup.

Password – Clear-Text password that should be stored in IronWifi database for local verification

Status – User account can be Enabled (user can authenticate) or Disabled (authentication request will always be rejected)

Login Time – time span when the user is allowed to authenticate. Valid examples: Wk2305-0855, Sa, Su2305-1655. Any or Al means all days. All Times are in UTC timezone.

Creation Date – when the user account was created.

Last seen – last authentication attempt using this username

Groups

The user can be a member of multiple groups and inherit attributes from these groups. To add a user to a Group, click Add to Group button, select Group and assign Priority. Click Save to save this membership information.

Priority – determines the order how the group membership should be evaluated, starting with 1 (highest priority), down to 10 (lowest priority). Evaluation will continue through all groups until a match is found – all Check Attributes match the request. If this happens, group Reply attributes will be added to the Response, and no further Groups will be checked.

Certificates

IronWifi allows certificate based authentication using EAP TLS authentication protocol. Every user can have multiple certificates that can be installed on different devices. To generate a certificate, click Add Certificate button, select Distribution and Validity. Click Create to generate a new certificate.

Distribution – certificates need to be installed on user’s device to work. Three options are available to obtain generated certificate:

  • Download certificate – certificate will be automatically downloaded to administrator’s browser. An import password will be displayed in the pop-up window.
  • Email certificate to the User – user will obtain an email with a certificate in attachment. Import password is included in the email. This method requires the user to have valid email address.
  • Email download link to the User – an email is sent to the user with an import password and a link to download the certificate. The certificate can be downloaded only once. Valid email address in the user profile is required to deliver the email.

You can customize outgoing emails sent to your users to match with your company brand and style.

Attributes

Users can have check and reply attributes. These attributes are used to control session behavior and provide a control mechanism for your NAS controller. Additional attributes can be inherited from assigned Organizational Unit or Group.

To add an attribute to a user, click Add Attribute button. In the pop-up window, you can search for an attribute by name or select a vendor and its attributes.

Table – you can select the type of this attribute:

  • check – received attribute value is compared to the pre-defined value
  • reply – if check attribute match, this reply attribute is returned to the NAS/Controller for further processing

Operator – The following is a list of operators, and their meaning.

Operator Example Use with ‘check’ items Use with ‘reply’ items
= Attribute = Value Not allowed as a check item for RADIUS protocol attributes. It is allowed for server configuration attributes (Auth-Type, etc), and sets the value of on attribute, only if there is no other item of the same attribute. As a reply item, it means “add the item to the reply list, but only if there is no other item of the same attribute.”
:= Attribute := value Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items.
== Attribute == Value As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item.
+= Attribute += Value Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.
!= Attribute != Value As a check item, matches if the given attribute is in the request, AND does not have the given value. Not allowed as a reply item.
> Attribute > Value As a check item, it matches if the request contains an attribute with a value greater than the one given. Not allowed as a reply item.
>= Attribute >= Value As a check item, it matches if the request contains an attribute with a value greater than, or equal to the one given. Not allowed as a reply item.
< Attribute < Value As a check item, it matches if the request contains an attribute with a value less than the one given. Not allowed as a reply item.
<= Attribute <= Value As a check item, it matches if the request contains an attribute with a value less than, or equal to the one given. Not allowed as a reply item.
=~ Attribute =~ Expression As a check item, it matches if the request contains an attribute which matches the given regular expression. This operator may only be applied to string attributes. Not allowed as a reply item.
!~ Attribute !~ Expression As a check item, it matches if the request contains an attribute which does not match the given regular expression. Not allowed as a reply item.
=* Attribute =* Value As a check item, it matches if the request contains the named attribute, no matter what the value is. Not allowed as a reply item.
!* Attribute !* Value As a check item, it matches if the request does not contain the named attribute, no matter what the value is. Not allowed as a reply item.

Value – Provides the value of the Attribute. For time-related attributes, the value is usually in seconds. For data-related attributes, the value is representing bytes.