| (11 intermediate revisions by the same user not shown) | |||
| Line 9: | Line 9: | ||
{| class="wikitable" | {| class="wikitable" | ||
| − | |+ Username Authentication | + | |+ Username / MAC Authentication |
|- | |- | ||
| − | ! style='width:150px' | Item !! Required !! Description | + | ! style='width:150px' | Item !! Required !! Description !! remarks |
|- | |- | ||
| − | | Username|| Yes || The multibyte characters(e.g, korean, japaneses) are not allowed. | + | | Username|| Yes || The multibyte characters(e.g, korean, japaneses) are not allowed. || username authentication only |
|- | |- | ||
| − | | Status || Yes || Select "authorized" | + | | Status || Yes || Select "authorized" || |
|- | |- | ||
| − | | | + | | User-Type || Yes || Select a user-type. An external user means that the username and password locates in an external database(normally a customer database). If you select the "external user", you can't set the password because this username is used only for applying additional attributes.<ref>If you switch on the RADIUS > Settings > General> [[RADIUS Settings - General | cached user]], the user passwords will be filled using strong encryption algorithm and usernames are also used for authentication.</ref> In other words, an external username is not authenticated by itself without connecting to an external authentication database. || username authentication only |
| + | |||
|- | |- | ||
| − | | Password | + | | Password Type || Yes || It is the encryption method of a password. If a user machine is windows 10, the type must be either the Windows NT hashed passwords or clear-text passwords. || username authentication only |
|- | |- | ||
| − | | | + | | Password<br>Confirm Password|| Yes || Input the password of a username. || username authentication only |
|- | |- | ||
| − | | | + | | MAC Address || Yes || The [[MAC Address]] of a user machine. The address is case-sensitive and also may include delimiters and you can find the format of the MAC address from the [[Accounting]]. || MAC authentication only |
|- | |- | ||
| − | | | + | | Expiration || No || Set the user authentication expiration date. || |
| − | + | |- | |
| − | + | | Auto-Associate MAC Address || No || Refer to [[#mac-asso|"Auto-Associate MAC Address"]]. | |
| − | |||
|- | |- | ||
| − | + | | User Information || Optional || You can fill out the general user informations. The requirement of this field depends on "Environment > [[Environment | Custom Fields]]". || | |
|- | |- | ||
| − | | | + | | Group || No || A group to which the user. || |
|- | |- | ||
| − | | | + | | Additional Attributes || No || You can add more attributes for authentication or reply. You done't need to add additional attributes at this step because they can be added after creating a user. || |
|- | |- | ||
|} | |} | ||
| Line 42: | Line 42: | ||
A username that was registered from the captive portal page will be added as an un-authorized one. You can authorize it by click the [[File:popup.png|23x]] icon in front of each row. | A username that was registered from the captive portal page will be added as an un-authorized one. You can authorize it by click the [[File:popup.png|23x]] icon in front of each row. | ||
Within the same interface, you can also change other information and delete a user. | Within the same interface, you can also change other information and delete a user. | ||
| + | |||
| + | |||
| + | ==== <span id='mac-asso'>Auto-Associate MAC Address</span> ==== | ||
| + | When a created user undergoes initial authentication, the MAC address (calling-station-id) of the client at that time is automatically included in the 'additional authentication attribute.' Using this function, when the MAC address is associated, user identification requires the initial authenticated client's MAC address to match, in addition to the username and password. | ||
| + | |||
| + | Auto-Associate of MAC addresses is only done automatically when there is no existing calling-station-id. To add two or more MAC addresses (calling-station-id), use the 'additional attributes' or refer to the detailed information in the 'Recent Post-Authentication. | ||
| + | |||
| + | |||
| + | ==== Additional Attributes ==== | ||
| + | ===== Authentication Attributes ===== | ||
| + | Authentication attributes are pieces of information used in RADIUS authentication in addition to the basic information (User-Name, User-Password). For useful authentication attributes, refer to the [[Attributes]] section. | ||
| + | |||
| + | ===== Reply Attributes ===== | ||
| + | Reply attributes refer to the attributes provided to the user after RADIUS authentication. For useful reply attributes, refer to the [[Attributes]] section. | ||
| + | |||
| + | |||
| + | ==== Recent Post-Authentication ==== | ||
| + | It displays the user's recent approval/disapproval history, and clicking on the icon at the beginning of the list allows you to view detailed authentication processing information. Clicking the 'Associate MAC Address' button enables the registration of the calling-station-id as an additional authentication attribute. | ||
| + | |||
| + | |||
| + | ==== Password Reset ==== | ||
| + | You can reset the password of registered users. | ||
| + | |||
| + | When a user's password is reset, the previous password becomes unusable, and a temporary password is issued. The use of such temporary passwords and the password reset feature can be configured in RADIUS > Settings > General > [[RADIUS Settings - General | Password Complexity Requirements for RADIUS User-Password]]. If the password reset feature is inactive (default state), users cannot use the password reset function. | ||
| + | |||
| + | When a password is reset, the user must create a new password using the temporary password on the password change page. For more details, refer to RADIUS > Settings > General > [[RADIUS Settings - General | Password Complexity Requirements for RADIUS User-Password]]. | ||
| + | |||
| + | {{note|Passwords for users authenticated based on MAC address or stored in an external database as "[[RADIUS Settings - General | cached user]]" cannot be reset.}} | ||
| + | |||
| + | ==== Expiration ==== | ||
| + | Users with a specified expiration time that has passed will not be granted authentication (Access-Reject), and this information will not be automatically deleted." | ||
Latest revision as of 11:43, 18 December 2023
RADIUS > Users
You can add, update, or delete the usernames for the RADIUS authentication.
Create New User
You can add a new user at the top right of the page and can create a user as either a Username authentication or a MAC Address authentication.
The Username authentication stores a User-Name and User-Password and the credentials are validated with the two attributes to authenticate an ACCESS-REQUEST.
The MAC address authentication store a MAC address of a user machine and the credentials are validated with the address. The MAC address type is applied usually in the environment of an open wireless network.
| Item | Required | Description | remarks |
|---|---|---|---|
| Username | Yes | The multibyte characters(e.g, korean, japaneses) are not allowed. | username authentication only |
| Status | Yes | Select "authorized" | |
| User-Type | Yes | Select a user-type. An external user means that the username and password locates in an external database(normally a customer database). If you select the "external user", you can't set the password because this username is used only for applying additional attributes.[1] In other words, an external username is not authenticated by itself without connecting to an external authentication database. | username authentication only |
| Password Type | Yes | It is the encryption method of a password. If a user machine is windows 10, the type must be either the Windows NT hashed passwords or clear-text passwords. | username authentication only |
| Password Confirm Password |
Yes | Input the password of a username. | username authentication only |
| MAC Address | Yes | The MAC Address of a user machine. The address is case-sensitive and also may include delimiters and you can find the format of the MAC address from the Accounting. | MAC authentication only |
| Expiration | No | Set the user authentication expiration date. | |
| Auto-Associate MAC Address | No | Refer to "Auto-Associate MAC Address". | |
| User Information | Optional | You can fill out the general user informations. The requirement of this field depends on "Environment > Custom Fields". | |
| Group | No | A group to which the user. | |
| Additional Attributes | No | You can add more attributes for authentication or reply. You done't need to add additional attributes at this step because they can be added after creating a user. |
User Authorization, Updating, and Deleting
A username that was registered from the captive portal page will be added as an un-authorized one. You can authorize it by click the 
icon in front of each row.
Within the same interface, you can also change other information and delete a user.
Auto-Associate MAC Address
When a created user undergoes initial authentication, the MAC address (calling-station-id) of the client at that time is automatically included in the 'additional authentication attribute.' Using this function, when the MAC address is associated, user identification requires the initial authenticated client's MAC address to match, in addition to the username and password.
Auto-Associate of MAC addresses is only done automatically when there is no existing calling-station-id. To add two or more MAC addresses (calling-station-id), use the 'additional attributes' or refer to the detailed information in the 'Recent Post-Authentication.
Additional Attributes
Authentication Attributes
Authentication attributes are pieces of information used in RADIUS authentication in addition to the basic information (User-Name, User-Password). For useful authentication attributes, refer to the Attributes section.
Reply Attributes
Reply attributes refer to the attributes provided to the user after RADIUS authentication. For useful reply attributes, refer to the Attributes section.
Recent Post-Authentication
It displays the user's recent approval/disapproval history, and clicking on the icon at the beginning of the list allows you to view detailed authentication processing information. Clicking the 'Associate MAC Address' button enables the registration of the calling-station-id as an additional authentication attribute.
Password Reset
You can reset the password of registered users.
When a user's password is reset, the previous password becomes unusable, and a temporary password is issued. The use of such temporary passwords and the password reset feature can be configured in RADIUS > Settings > General > Password Complexity Requirements for RADIUS User-Password. If the password reset feature is inactive (default state), users cannot use the password reset function.
When a password is reset, the user must create a new password using the temporary password on the password change page. For more details, refer to RADIUS > Settings > General > Password Complexity Requirements for RADIUS User-Password.
Passwords for users authenticated based on MAC address or stored in an external database as " cached user" cannot be reset.
Expiration
Users with a specified expiration time that has passed will not be granted authentication (Access-Reject), and this information will not be automatically deleted."
- ↑ If you switch on the RADIUS > Settings > General> cached user, the user passwords will be filled using strong encryption algorithm and usernames are also used for authentication.