Auth Control
The control page is used to view the current status of the authentication sub-system, and to restart
and stop the service. It also allows diagnostic tests to be performed against different areas of the
authentication service.
Viewing the system status
To view the system status, click the Refresh button and check the Current status
field.
Restarting the service
The authentication service should normally only be restarted when there are unapplied configuration changes.
In such instances, an "Unapplied changes" reminder will be displayed at the top of the authentication
configuration pages.
To restart the authentication service click the Restart button.
Note - Restarting the authentication service will automatically log off any users.
Stopping the service
There are practically no reasons to ever stop the authentication system. This procedure should only be carried
out if instructed to do so by an Authorised SmoothWall Support Agent.
To stop the authentication service click the Stop button.
Diagnosing problems
Diagnostic tests can be run against the authentication system to determine if the service is operating
correctly.
To run a diagnostic test, click the Run diagnostics button. The following fields are used
to display the results of the diagnostic test:
- Authentication service running - Displays the status of the authentication service.
- Authentication service local connection - Displays whether the local authentication service is responding correctly to authentication requests and if local groups and users can be authenticated.
Auth Settings
The settings page is used to set global authentication settings.
This page is also used to enable the SSL Login authentication method on a
per-interface basis.
Setting global authentication settings
The global settings are used to specify authentication time-out limits and concurrent user logon limits.
The following controls are used to configure the global settings:
- Authentication timeout in minutes - Used to set the number of minutes that a user's authenticated status will last once they have been authenticated.
- Concurrent logins per user - Used to set the number of systems that a user can simultaneously be authenticated on. The default value of 1 means that each user can only be authenticated on a single system at any moment. Note that concurrent login limits cannot be applied with authentication schemes where the user's IP is unknown (e.g. proxy authentication).
- User defined - Used to set the number of systems that a user can simultaneously be authenticated on, when the value of Concurrent logins per user is set to "User defined".
To set the global authentication settings, enter appropriate configuration values into each of these
controls and click the Save button. For more detailed information about choosing timeout values,
see the Choosing a suitable authentication timeout period section below.
Choosing a suitable authentication timeout period
Time-out occurs when an authenticated user stops letting the authentication service know that they are still there,
for example by ceasing to browse the web or by closing the SSL Login page. The Authentication timeout in minutes
field determines this time-out: once it is exceeded, the user's authenticated status at that IP address is
invalidated by the authentication service and they must log in again. Because authenticated status is tied to an
IP address, a shorter timeout narrows the window in which another host or user of the same address inherits that
status after the original user has gone, whereas a longer timeout means users are prompted to log in less often.
Note - If there are any configuration errors, the settings will not be saved. All errors must be corrected and the settings saved again.
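The following Python model is added here as an illustration and is not code from the appliance. It shows how the settings above interact: a session is keyed by user and IP address, keepalives (a proxied page view or an SSL Login page refresh) reset its idle time, the timeout invalidates it, and the concurrent-login limit counts the distinct known IP addresses a user is currently authenticated from, with unknown-IP (proxy authentication) logins exempt as stated above. The class and method names are the example's own. The page does not say what happens to a login that would exceed the limit, so the model refuses it; that is an assumption.

```python
"""Model of the authentication-cache semantics described on this page.

Example code added to the help text, not the appliance's own implementation.
It models three behaviours the Auth Settings page states: authenticated status
at an IP address lasts 'Authentication timeout in minutes' after the last sign
of activity, 'Concurrent logins per user' counts the distinct IP addresses a
user is authenticated from, and logins whose IP is unknown (proxy
authentication) are not counted against that limit.
Assumption: the page does not say what happens to a login that would exceed
the limit; this model refuses it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    ip: Optional[str]   # None when the IP is unknown (proxy auth)
    last_seen: float    # seconds on whatever clock the caller uses


class AuthCache:
    def __init__(self, timeout_minutes: int, concurrent_logins: int = 1):
        self.timeout = timeout_minutes * 60
        self.limit = concurrent_logins
        self.sessions: Dict[Tuple[str, Optional[str]], Session] = {}

    def _expire(self, now: float) -> None:
        """Invalidate every session idle for longer than the timeout."""
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > self.timeout:
                del self.sessions[key]

    def active_ips(self, user: str, now: float) -> set:
        """Distinct known IPs the user is currently authenticated from."""
        self._expire(now)
        return {s.ip for s in self.sessions.values()
                if s.user == user and s.ip is not None}

    def login(self, user: str, ip: Optional[str], now: float) -> bool:
        """Authenticate user at ip.  False if the concurrent-login limit
        would be exceeded (unknown IPs are exempt, as the page states)."""
        self._expire(now)
        key = (user, ip)
        if key in self.sessions:
            self.sessions[key].last_seen = now   # re-login just refreshes
            return True
        if ip is not None and len(self.active_ips(user, now)) >= self.limit:
            return False
        self.sessions[key] = Session(user, ip, now)
        return True

    def keepalive(self, user: str, ip: Optional[str], now: float) -> bool:
        """Record activity (a proxied page view or an SSL Login page
        refresh).  False means the session had already timed out and the
        user must log in again."""
        self._expire(now)
        s = self.sessions.get((user, ip))
        if s is None:
            return False
        s.last_seen = now
        return True

    def is_authenticated(self, user: str, ip: Optional[str], now: float) -> bool:
        self._expire(now)
        return (user, ip) in self.sessions

    def logged_in_users(self, now: float) -> list:
        """What the User Activity page's 'Logged in users' view would list:
        sessions that have neither timed out nor been logged out."""
        self._expire(now)
        return sorted(((s.user, s.ip) for s in self.sessions.values()),
                      key=lambda t: (t[0], t[1] or ""))

    def logout(self, user: str, ip: Optional[str]) -> None:
        """Explicit logout (the SSL Login page's Logout button)."""
        self.sessions.pop((user, ip), None)


if __name__ == "__main__":
    # Constructed walk-through: 5-minute timeout, one login per user.
    cache = AuthCache(timeout_minutes=5, concurrent_logins=1)
    print(cache.login("alice", "10.0.0.5", now=0))        # True
    print(cache.login("alice", "10.0.0.6", now=60))       # False: limit of 1
    print(cache.keepalive("alice", "10.0.0.5", now=290))  # True: idle timer reset
    print(cache.is_authenticated("alice", "10.0.0.5", now=600))  # False: idle 310 s
    print(cache.login("alice", "10.0.0.6", now=601))      # True: old session gone
```

The walk-through in the block shows the point that matters when choosing values: a session that has timed out no longer counts against the concurrent-login limit, so a long timeout combined with a limit of 1 can lock a user out of a second machine until the first session expires or is explicitly logged out.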
Auth Groups
The groups page is used to customise group names.
Understanding the authentication groups
The authentication service utilises a concept of user groups to provide a means of
logically organising similar users. Authentication-enabled services can then associate permissions and restrictions
against each group of users, thus allowing rules to be dynamically applied on a per-user basis.
Groups are typically organised to mirror an organisation's structure and can be renamed by administrators to
describe the users that they contain. The authentication system supports a maximum of 16 authentication groups,
of which the first four operate in a special manner:
- Unauthenticated IPs - Like a normal group, users can be mapped to 'Unauthenticated IPs'. However,
the main purpose of this group is to allow authentication-enabled services to define permissions and restrictions for
unauthenticated users, i.e. users that are either not logged in, currently unauthenticated or unauthenticatable. This
group cannot be renamed.
- Default Users - Like a normal group, users can be mapped to 'Default Users'.
However, the main purpose of this group is to allow authentication-enabled services to define permissions and restrictions
for users that are not specifically mapped to a group, i.e. LDAP users that can be authenticated, but who are not mapped
to a specific authentication system group.
This group cannot be renamed.
- Banned Users - This group is a normal user group pre-configured with a preset name and setup for the
purpose of banning users from an authentication-enabled service. Because 'Banned Users' is actually a normal group with
a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of
permissions or restrictions.
- Network Administrators - This group is a normal user group pre-configured with a preset name and setup for
the purpose of granting network administrators access to an authentication-enabled service. Because 'Network
Administrators' is actually a normal group with a preset configuration, it can be both renamed and used by
authentication-enabled services to enforce any kind of permissions or restrictions.
Renaming a group
To rename a group, first select the group from the Select group drop-down menu and click the
Select button. Alter the current group name in the Group name field in the "Configure group"
region. Click the Save button at the bottom of the page.
Local Users
The local users page is used to add, import and export user profiles (i.e. usernames and passwords) to and from the system's
own local user database - thus providing a standalone authentication service for network users.
Adding users to the local user database
To add a user to the local database, enter their username and password details into the Username,
Password and Again fields. Choose the group which the users should be added to using the
Select group drop-down menu in the "Add a user" region. Click the Add button.
Importing users to the local user database
To import users to the local user database, first choose a group into which the users should be imported using the
Select group drop-down menu in the "Import and export users" region. Click the Browse button to
locate a plain text file listing one or more comma-delimited username and password pairs, one user per line:
username,password
username2,password2
etc
Note - The username and password must be lower case, and have no special characters or spaces. You must include the comma
to separate the columns. A password given in the clear (not already hashed) is automatically hashed when the user is
added. Test the import with a few users first to confirm that you are getting the results you expect. The file contains
credentials, so delete it once the import has succeeded.
Use the browser's open dialog to select the import file and click its Open button. Check that the file's
path and filename have been correctly inserted into the Import users text field and click the
Upload and import users to group button.
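Before uploading a large file it is worth checking it against the rules in the note above. The following Python script is an example added here and is not part of the appliance: it reads the file as text, rejects lines that do not have exactly one comma or whose fields contain upper-case letters, spaces or special characters, and reports line numbers so the file can be corrected before import. The sample file embedded in it is constructed for the demonstration; treating digits as permitted characters and flagging duplicate usernames are the script's own assumptions.

```python
"""Pre-flight check for a local-user import file.

Example code added to this help page; it is not part of the appliance.  It
applies the rules stated in the import note: one 'username,password' pair per
line, separated by a single comma, both fields lower case with no spaces or
special characters.  Assumptions: digits are treated as permitted characters,
and a username that appears twice in one file is reported as an error (the
page does not say how the import handles duplicates).
"""
import re
from typing import List, Tuple

# Lower-case letters and digits only: no upper case, spaces or punctuation.
# A 32-character hex digest also satisfies this, so a file holding already
# hashed passwords in that form passes the same check.
FIELD_RE = re.compile(r"^[a-z0-9]+$")


def check_import_file(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (valid_rows, errors).

    valid_rows holds (username, password) pairs that meet the import rules;
    errors holds one message per rejected line, with its 1-based line number.
    Blank lines are ignored.  Fields are deliberately not stripped, so a
    stray space is reported rather than silently removed.
    """
    valid: List[Tuple[str, str]] = []
    errors: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected exactly one comma "
                          "separating username and password")
            continue
        username, password = parts
        problems = []
        for label, value in (("username", username), ("password", password)):
            if not value:
                problems.append(f"{label} is empty")
            elif not FIELD_RE.match(value):
                problems.append(f"{label} must be lower case with no spaces "
                                "or special characters")
        if username in seen:
            problems.append(f"duplicate username {username!r}")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
            continue
        seen.add(username)
        valid.append((username, password))
    return valid, errors


# Constructed sample file for demonstration only; not from a real system.
# Line 5 shows a hex digest in place of a clear-text password.
SAMPLE = """\
alice,s3cret
Bob,password
carol,pa ss
dave
erin,5f4dcc3b5aa765d61d8327deb882cf99
alice,other
"""

if __name__ == "__main__":
    rows, errs = check_import_file(SAMPLE)
    for username, _ in rows:
        print("ok  ", username)
    for message in errs:
        print("FAIL", message)
```

Run the script against the real file (read it with `open(path).read()` and pass the text to `check_import_file`) and fix every reported line before uploading; the appliance's own error reporting for a rejected file is not described on this page, so catching problems beforehand avoids a partial import.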
Exporting users from the local user database
To export users from the local user database, first choose a group from which users should be exported using the
Select group drop-down menu in the "Import and export users" region. Click the Export group users
button to export the group's users to a comma-delimited text file, with the passwords as MD5 hashes rather than
clear text. Use the browser's Save (or equivalent) dialog to save the exported file to the local file system. Treat
the file as sensitive: MD5 is fast to compute, so the hashes give weak passwords little protection against offline
guessing.
Moving users between groups
To move users from one group to another, select the Mark tick-box control adjacent to each user that
should be moved in the "Current users" region. Select the destination group using the
Group to move users to drop-down menu. Click the Move user(s) button.
Deleting users from the local user database
To delete users from the local user database, select the Mark tick-box control adjacent to each user that
should be deleted in the "Current users" region. Click the Delete user(s) button.
Editing users in the local user database
To edit a particular user in the local user database, select the Mark tick-box control adjacent to the
user in the "Current users" region and click the Edit user button. The user will be removed from the
local user database and their details added to the configuration controls in the "Add a user" region. Make
the necessary changes using these configuration controls and click the Add button when complete. Until Add is
clicked the user does not exist in the database, so complete the edit before leaving the page.
User Activity
The user activity page is used to display the login times, usernames, group membership and
IP address details of recently authenticated users.
Displaying user statistics
Users in cache shows the number of users currently in the authentication service cache. The purpose
of this cache is to maintain a list of the users, their login states and their IP address.
Displaying user activity
To display user activity details, first choose the quantity of recent information to view using the
Most recent users to show drop-down menu. To display only users that are currently logged in
(users that have neither timed out nor explicitly logged out using a method such as the SSL Login page),
select the Logged in users tick-box control. Click the Update button to display
recent activity in the "User activity" table.
The following columns are used to display user activity information in the "User activity" table:
- Time - Displays the time that the user activity occurred. For example, the last time the user viewed a web page (with proxy auth) or that the SSL Login page refreshed.
- User - Displays the user's username.
- Group - Displays the user's group membership. Note that this column may be blank if no group membership has yet been looked up.
- Source IP - Displays the IP address of the system from which the user was authenticated. Note this may be blank if this information is not known such as if proxy auth is used.
Note - An error will be displayed if the page is unable to obtain a list of groups from the authentication service. To
help diagnose the problem, use the diagnostics on the control page.
SSL Login
The SSL Login configuration page is used to customise the end-user SSL Login page.
Understanding the SSL Login page
The SSL Login page will prompt the user for a username and password. Once entered and
the user credentials have been verified, the login page will automatically refresh itself to let the authentication
service know that the user is still logged in. The user must not close the login page or they will be prompted again
(after the authentication time-out period) for the username and password. To logout securely the user must click on
the logout button.
The SSL Login page, as the name suggests, sends the username and password over an SSL-encrypted connection rather
than in the clear. It is more secure than either Ident or Proxy Auth and, unlike Proxy Auth, can also be used in
transparent mode. The main disadvantage of this method is that a browser window must be left open which automatically
refreshes the SSL Login page to let the authentication service know the user is still at that IP.
Note - The SSL Login page is served on the non-standard port 442 and on port 80, so that admin access controls can
be applied without affecting this feature.
Uploading SSL Login page images
The "Upload SSL Login page images" region allows the images that appear on the SSL Login page to be replaced.
The two images are the title jpeg and the background jpeg. The files to upload must be jpeg (.jpg) files and be
of the correct dimensions. The Custom title jpeg must be 500 by 69 pixels. The Custom
background jpeg should be approximately 500 by 471 pixels. If the uploaded images are not the correct size, they will
not display correctly. Use an image manipulation program to adjust them accordingly. To upload, browse to the file and
click Upload custom jpeg.
Custom title jpeg file size and Custom background jpeg file size will show the file
sizes of any uploaded custom images. If none are uploaded it will show 'not installed'. Images can be previewed
by clicking the file size hyperlink.
Customising the SSL Login page
The "Customise SSL Login page" region configures how the SSL Login page is displayed when someone accesses
it. The Messages line 1 and Messages line 2 fields can be altered to display a customised message
on the SSL Login page. The use of custom jpegs is also determined here. Click the Save button to save
the settings.
Language settings
The SSL Login page will automatically read the web browser's language preference and, if a translation is available,
display the non-customisable elements of the page in that language.