User Management

From Edge Threat Management Wiki - Arista

Revision as of 21:25, 31 May 2017

In networking and firewalling, policies and reporting are usually expressed in terms of IP addresses. Devices are most easily identified by their IP address because every single IP packet contains a source IP address and a destination IP address.

However, often it is more convenient for administrators to set policy and review reporting data using "usernames."

For example, I wish to allow jerry to visit a specific website that other users are not allowed to visit. I want Jerry to be able to visit this website from any device, as long as Jerry is the one using the device.

Alternatively, I may wish to review all of sally's network activity. I may not care which device Sally is using at any given time or if she is using multiple devices. I want to see all of her activity.

There are indeed many cases where it is more convenient to use users (or groups) instead of IP addresses or MAC addresses to identify and handle network traffic appropriately. However, as stated earlier, IP packets do not contain a username. The IP (Internet Protocol) header contains a source IP address and a destination IP address.

Given this, how is it possible to control traffic via username? In other words, if we see a packet from 192.168.1.100 going to 1.2.3.4, how do we know which "user" is responsible for this packet?

The way Untangle handles this is very simple: it maintains a mapping from IP address to username. This mapping can be viewed by looking at Hosts. At any given time, Untangle knows that jerry is logged into 192.168.1.100, so whenever Untangle sees traffic from 192.168.1.100 it knows to associate this traffic with the username jerry.

Hosts Mapping

To view the current username associated with any host view the Hosts table. Each host has several username-related attributes:

  • Username is the username associated with this host.
  • Username Source is the source of that username, which can be one of many described below.
  • Username (Directory Connector) is the username according to Directory Connector
  • Username (Captive Portal) is the username according to Captive Portal
  • Username (Device) is the username of this host's MAC address according to Devices
  • Username (OpenVPN) is the username according to OpenVPN
  • Username (IPsec VPN) is the username according to IPsec VPN

Techniques

There are many techniques and approaches to set the IP to username mapping. Below are some of the common ones and some of the advantages and drawbacks of each.

Device Username

On simple and small networks where Untangle can see the MAC address of all devices and there are no shared devices, the simplest method is to simply go into Devices and manually set a username for each device.

For smaller networks where each device is owned by a single user, this is a very quick and easy way to associate usernames. After doing this, any Host (IP address) that is associated with that Device (MAC address) will have its Username (Device) set based on the username in the associated device.

Advantages

  • Simple
  • Quick

Disadvantages

  • Only works on flat networks where Untangle can resolve the MAC address for all IP addresses.
  • Requires the administrator to manually set the username for each device, which is painful for larger networks.

Captive Portal

Another very common approach is to install a Captive Portal on your network and force users to identify themselves before being able to use the network.

To do this, simply configure Captive Portal to require authentication with a username/password. The username/password can be verified against the Local Directory or an external directory through Directory Connector.

When a new host (IP address) comes onto the network or becomes active, it must authenticate with a username and password through captive portal. Captive Portal will then set the Username (Captive Portal) attribute for the lifetime of the session.

Advantages

  • Simple
  • Reliable and Accurate - The user identifies themselves each and every time they join the network.

Disadvantages

  • Requires the use of a captive portal which can increase administrator overhead because it may confuse users, cause issues with headless devices, etc.
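The following is an added illustration of the host mapping described above (the Hosts table with its per-source username attributes, the Device technique that binds a username to a MAC address, and the Captive Portal technique that sets a username for the lifetime of a session) and of a username-based policy evaluated against that mapping. It is example code written for this page, not Untangle's implementation. The class and method names are hypothetical, the directory contents and IP/MAC values are constructed, and the rule that a Captive Portal username takes precedence over a Device username when both are present is an assumption made here, not something the page states.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample directory (username -> password) standing in for the
# Local Directory. A real deployment verifies against a directory service.
LOCAL_DIRECTORY = {"jerry": "j-secret", "sally": "s-secret"}


@dataclass
class Host:
    ip: str
    mac: Optional[str] = None                                # None when the MAC cannot be resolved
    usernames: Dict[str, str] = field(default_factory=dict)  # username source -> username


class HostTable:
    """IP -> username mapping fed by the Device and Captive Portal sources (hypothetical model)."""

    # Assumed precedence when more than one source has a username for the same host.
    PRECEDENCE = ("Captive Portal", "Device")

    def __init__(self) -> None:
        self.hosts: Dict[str, Host] = {}
        self.devices: Dict[str, str] = {}   # MAC -> username, as set under Devices

    def see_host(self, ip: str, mac: Optional[str] = None) -> Host:
        """Record a host; on a flat network the MAC is known, behind a router it is None."""
        host = self.hosts.setdefault(ip, Host(ip))
        if mac is not None:
            host.mac = mac
        if host.mac in self.devices:
            host.usernames["Device"] = self.devices[host.mac]
        return host

    def set_device_username(self, mac: str, username: str) -> None:
        """Device technique: bind a username to a MAC and propagate it to matching hosts."""
        self.devices[mac] = username
        for host in self.hosts.values():
            if host.mac == mac:
                host.usernames["Device"] = username

    def captive_portal_login(self, ip: str, username: str, password: str) -> bool:
        """Captive Portal technique: verify credentials, then set the username for the session."""
        expected = LOCAL_DIRECTORY.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.see_host(ip).usernames["Captive Portal"] = username
        return True

    def captive_portal_logout(self, ip: str) -> None:
        """Session over: the Captive Portal attribute is cleared, other sources remain."""
        if ip in self.hosts:
            self.hosts[ip].usernames.pop("Captive Portal", None)

    def username_for(self, ip: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (Username, Username Source) for a host, or (None, None) if unmapped."""
        host = self.hosts.get(ip)
        if host is None:
            return None, None
        for source in self.PRECEDENCE:
            if source in host.usernames:
                return host.usernames[source], source
        return None, None


def packet_allowed(table: HostTable, src_ip: str, dst_ip: str,
                   restricted_site: str, allowed_user: str) -> bool:
    """Username-based policy: only allowed_user may reach restricted_site; all else passes."""
    if dst_ip != restricted_site:
        return True
    username, _source = table.username_for(src_ip)
    return username == allowed_user


def demo() -> dict:
    """Walk through both techniques on constructed hosts and return the observed results."""
    table = HostTable()
    # Flat segment: MAC visible, so the Device technique applies to 192.168.1.100.
    table.set_device_username("aa:bb:cc:00:00:01", "jerry")
    table.see_host("192.168.1.100", mac="aa:bb:cc:00:00:01")
    # Host behind a router: no MAC, so only Captive Portal can identify it.
    table.see_host("192.168.1.200")
    results = {"unmapped_before_portal": table.username_for("192.168.1.200")}
    results["bad_password_accepted"] = table.captive_portal_login("192.168.1.200", "sally", "wrong")
    table.captive_portal_login("192.168.1.200", "sally", "s-secret")
    site = "1.2.3.4"
    results["jerry_host"] = table.username_for("192.168.1.100")
    results["sally_host"] = table.username_for("192.168.1.200")
    results["jerry_allowed"] = packet_allowed(table, "192.168.1.100", site, site, "jerry")
    results["sally_allowed"] = packet_allowed(table, "192.168.1.200", site, site, "jerry")
    table.captive_portal_logout("192.168.1.200")
    results["sally_after_logout"] = table.username_for("192.168.1.200")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The walk-through shows the two failure modes the text warns about: the host whose MAC cannot be resolved never gets a Device username, and a Captive Portal username disappears with the session, so a policy keyed on the username falls back to deny for that host until the user authenticates again.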