Local Users: Difference between revisions

From Edge Threat Management Wiki - Arista
Latest revision as of 22:38, 7 May 2021

Local Users

Local Users stores a list of user accounts that applications can use. For example, Captive Portal and OpenVPN can authenticate users against the local directory.

To add new users click on the Add button. You must supply a username, first name, last name, email address, and password. Only the administrator can set the password for a given user. Users can be imported or exported using the import/export buttons on the upper right.

An expiration date can be specified for a user. Once the expiration date has passed, authentication for that user fails even if the password is correct.

To use the Local Directory, configure apps such as Captive Portal and OpenVPN to authenticate against the Local Directory while requiring user authentication.

MFA and OpenVPN

You can enable TOTP-based multi-factor authentication for OpenVPN client connections. When adding a user, select Enable MFA for OpenVPN and click Generate new key.

[Image: Local Directory User MFA]

After generating a key, click the gear icon to show the QR code. Scan the code with any TOTP mobile app such as Google Authenticator. The TOTP app then generates a temporary code that the user enters into their OpenVPN client along with their password. Note: You must also enable MFA for client configurations in OpenVPN, otherwise the per-user setting has no effect.

[Image: Local Directory User MFA code]


WARNING: Typically, when passwords are stored, only a password hash is saved and the original cleartext password is discarded, so administrators do not have access to user passwords. The passwords of users in the local directory, however, are stored in cleartext because some applications and features (L2TP) depend on access to the cleartext password. Administrators therefore do have access to users' cleartext passwords. Restrict administrator access accordingly, treat exports of the user list as sensitive, and advise users not to reuse a password they use anywhere else.