In this page you find:
This page shows three tabs, which allow you to manage local Users, local Groups, and Settings for remote authentication.
In this page, all users that have an account on the Panda GateDefender Appliance's VPN server are displayed in the table, and for each of them the following information is shown:
Click on Add new local user above the table to add a new local account. In the form that will show up, the following options can be specified for each user.
One-Time Passwords
There are many different one-time password algorithms. On Panda GateDefender Appliance systems the Time-based One-Time Password algorithm has been implemented as described in RFC 6238. Since this is an open standard, applications exist for almost all devices (Android, iOS and Windows smartphones, PCs, etc.). To be able to use your device, it needs to be initialized with the One-Time Password secret. You can do this either by entering the secret manually or, even more easily, by taking a picture of the QR code with your application.
Tick this checkbox to show a box in which to choose the L2TP tunnel to be used.
Note
This option cannot be selected if no L2TP tunnel has yet been configured. In such a case, an informative message appears as a hyperlink: upon clicking on it, the IPsec connection editor opens. Once done, it will be possible to allow a VPN user to connect using the L2TP protocol.
Hint
The box for L2TP options will appear below the OpenVPN options box if OpenVPN options are also to be overridden.
Dynamic IP addresses are assigned to clients, but a static IP address provided here will be assigned to the client whenever it connects.
Note
If the client connects to a multicore VPN server running on the Panda GateDefender Appliance, this assignment will not be taken into account.
Note
When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. Using this solution, several possible sources for errors and conflicts will be avoided. Indeed, several advantages come for free, including: The automatic assignment of correct routes, without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.
In this page a table is displayed, which shows all the groups that are either defined on the Panda GateDefender Appliance or on an external LDAP server. For each group the following information is shown:
Click on Add new local groups above the table to add a new local group. In the form that will show up, the following options can be specified for each group.
Tick this checkbox to show a box in which to choose the L2TP tunnel to be used from a drop-down menu.
Note
This option cannot be selected if no L2TP tunnel has yet been configured. In such a case, an informative message appears as a hyperlink: upon clicking on it, the IPsec connection editor opens. Once a new L2TP tunnel has been created, it will be possible to associate it with a user.
Hint
The box for L2TP options will appear below the OpenVPN options box if OpenVPN options are also to be overridden.
Warning
While the same user can legitimately be a member of one or more groups, care must be taken that the groups the user belongs to do not define contrasting override options. As an example, consider a user who is a member of two groups, one allowing access only to the GREEN zone and one only to the BLUE zone. In this case, it is not easy to predict whether that user will be granted access to the BLUE or the GREEN zone. The management of these issues is left to the administrator of the OpenVPN server.
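The warning above leaves conflict handling to the administrator. The Python block below is an added example, not code from the appliance or this manual, of how such conflicts can be made visible and resolved deterministically before a user is granted access: every override option is collected from all groups the user belongs to, any option that receives two different values is reported, and access-type options in conflict are resolved by denying (fail closed). The group names and option keys are constructed sample values, not the appliance's own identifiers.

```python
from typing import Dict, List, Tuple

# Constructed sample: per-group override options, keyed by group name.
# A missing key means the group does not override that option.
GROUP_OVERRIDES: Dict[str, Dict[str, object]] = {
    "sales":   {"allow_green": True, "allow_blue": False},
    "support": {"allow_blue": True},
    "l2tp":    {"l2tp_tunnel": "branch-a"},
}

# Options whose conflict must resolve to "deny" rather than be left undefined.
ACCESS_OPTIONS = {"allow_green", "allow_blue"}


def resolve_overrides(user_groups: List[str], group_overrides: Dict[str, Dict[str, object]]
                      ) -> Tuple[Dict[str, object], List[Tuple[str, Dict[object, List[str]]]]]:
    """Merge the overrides of all groups a user belongs to.

    Returns (effective, conflicts): `effective` holds options with exactly one
    value across the groups; `conflicts` lists options that received more than
    one distinct value together with the groups that set each value."""
    options = sorted({k for g in user_groups for k in group_overrides.get(g, {})})
    effective: Dict[str, object] = {}
    conflicts: List[Tuple[str, Dict[object, List[str]]]] = []
    for option in options:
        values: Dict[object, List[str]] = {}
        for g in user_groups:
            if option in group_overrides.get(g, {}):
                values.setdefault(group_overrides[g][option], []).append(g)
        if len(values) > 1:
            conflicts.append((option, values))
        else:
            effective[option] = next(iter(values))
    return effective, conflicts


def effective_access(user_groups: List[str],
                     group_overrides: Dict[str, Dict[str, object]] = GROUP_OVERRIDES
                     ) -> Dict[str, object]:
    """Fail-closed policy: a conflicting access option becomes False; other
    conflicting options are left out so the caller falls back to the default."""
    effective, conflicts = resolve_overrides(user_groups, group_overrides)
    for option, _values in conflicts:
        if option in ACCESS_OPTIONS:
            effective[option] = False
    return effective


if __name__ == "__main__":
    eff, conf = resolve_overrides(["sales", "support"], GROUP_OVERRIDES)
    for option, values in conf:
        print(f"conflict on {option}: {values}")
    print("effective (fail closed):", effective_access(["sales", "support"]))
```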
This page contains the current configuration of the authentication servers on which the Panda GateDefender Appliance relies and allows for their management. Currently, only local and LDAP / Active Directory are supported, though in future releases additional types of authentication server might be added, such as RADIUS servers.
There are two tables in this page, one displaying information about Authentication servers, and one showing Authentication server mappings. In the former, this information is shown:
The table at the bottom shows the correspondences between a service (IPsec XAuth, OpenVPN, and L2TP) and the type of authentication allowed. The only action available for the mappings is Edit. By clicking on Edit, a form will appear in which a selector allows you to choose which authentication backends will be used for that service.
A click on the Add new authentication server link above the tables opens a form in which to supply all the data needed to set up a new authentication server.
This form replaces the tables displaying the already defined authentication servers and allows you to configure a new one by specifying appropriate values for the following configuration options.
LDAP / Active Directory
Choose this option if you want to use an LDAP server to authenticate your users. The following options are supported for this type:
The URI of the LDAP server.
This drop-down menu allows the choice of the type of authentication server among Generic, Active Directory, or Novell eDirectory. Depending on this selection, additional fields will be displayed or hidden.
The fully distinguished name of the LDAP account that is used to retrieve user data from the LDAP server.
The password of the bind DN user.
The following options depend on the server setup and are used to identify which users and groups shall be granted access to the Panda GateDefender Appliance's OpenVPN server: LDAP user base DN, LDAP group base DN. When using a Generic LDAP server type, additional parameters must be configured: LDAP user search filter, LDAP user unique ID attribute, LDAP group unique ID attribute, LDAP group member attribute, LDAP group search filter.
Limit to specified groups This option allows you to select which groups on the LDAP server are allowed to connect to the Panda GateDefender Appliance's OpenVPN server.
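The Generic LDAP parameters listed above (user search filter, group member attribute, and the "limit to specified groups" list) are combined at login time. The Python block below is an added example of that combination, written for this page and not taken from the appliance: the login name is escaped as required by RFC 4515 before it is substituted into the user search filter (so characters such as `*`, `(` and `)` in user input cannot change the filter's meaning), and group membership is then checked through the configured member attribute against the allowed-group list. The filter template, attribute names and the in-memory directory entries are constructed sample values; a real deployment would run the filter against the LDAP server instead of the dictionary used here.

```python
from typing import Dict, List

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is about to be placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login: str) -> str:
    """Substitute the escaped login name for the %s placeholder of the configured
    user search filter (placeholder syntax is an assumption of this example)."""
    if "%s" not in template:
        raise ValueError("user search filter template has no %s placeholder")
    return template.replace("%s", escape_filter_value(login))


# Constructed sample directory: DN -> attributes (multi-valued attributes as lists).
SAMPLE_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=vpn-users,ou=groups,dc=example,dc=com": {
        "cn": ["vpn-users"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "cn": ["admins"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"],
    },
}


def groups_of(user_dn: str, groups: Dict[str, Dict[str, List[str]]],
              member_attr: str, group_id_attr: str) -> List[str]:
    """Return the unique IDs of the groups whose member attribute lists user_dn."""
    found = []
    for attrs in groups.values():
        if user_dn in attrs.get(member_attr, []):
            found.extend(attrs.get(group_id_attr, []))
    return found


def is_allowed(user_dn: str, allowed_groups: List[str],
               groups: Dict[str, Dict[str, List[str]]] = SAMPLE_GROUPS,
               member_attr: str = "member", group_id_attr: str = "cn") -> bool:
    """'Limit to specified groups': an empty allowed list means no restriction;
    otherwise the user must be a member of at least one listed group."""
    if not allowed_groups:
        return True
    return any(g in allowed_groups
               for g in groups_of(user_dn, groups, member_attr, group_id_attr))


if __name__ == "__main__":
    template = "(&(objectClass=person)(uid=%s))"
    print(build_user_filter(template, "alice"))
    print(build_user_filter(template, "*)(uid=*"))  # attempted wildcard stays literal
    print(is_allowed("uid=alice,ou=people,dc=example,dc=com", ["vpn-users"]))
```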
Local
Choose this option if you want to create and manage users locally. The following option is available:
Limit to specified groups This option allows you to select which groups on the LDAP server are allowed to connect to the Panda GateDefender Appliance's OpenVPN server.
One Time Password
Choosing this option will enable two-factor authentication. Just like the Split Data (User Information & Password) server type, this works as a proxy for two different providers; in addition, it adds two-factor authentication through time-based one-time passwords. Choosing this type will let you select the sources for both the user information and the password providers. You can configure them in the following fields:
User information provider This option will let you specify from where the user-specific information should be taken.
Password provider This option will let you choose from the list of configured authentication servers. The chosen server will then be used to authenticate the users.
RADIUS
Choose this option if you want to configure a RADIUS server. Note that RADIUS servers can only be used as password providers in both One Time Password and Split Data authentication servers. To use a RADIUS server the following information must be defined:
RADIUS server The address of the RADIUS server.
RADIUS shared secret The shared secret between the RADIUS server and the Panda GateDefender Appliance.
RADIUS authentication port The TCP port that is used for the RADIUS authentication.
RADIUS accounting port The TCP port that is used for the accounting.
RADIUS identifier The Panda GateDefender Appliance's RADIUS identifier or NAS ID.
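The settings listed above (server address, shared secret, authentication port and NAS identifier) map directly onto the RFC 2865 Access-Request exchange. The Python block below is an added example of that exchange, written for this page rather than taken from the appliance: it builds an Access-Request carrying User-Name, the User-Password attribute obfuscated with the shared secret and the Request Authenticator, and NAS-Identifier, then shows the check a password provider's client should always perform on the reply, namely recomputing the Response Authenticator with the shared secret so a forged or tampered Access-Accept is rejected. Packets are built and verified in memory; the shared secret, user name, password and NAS ID are constructed sample values, and no network traffic is sent.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    target = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(target, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of encode_user_password (trailing NUL padding is removed)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         nas_id: bytes, request_auth: bytes = None) -> bytes:
    """Access-Request: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes,
                   secret: bytes) -> bytes:
    """What the RADIUS server sends back (Access-Accept or Access-Reject)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: reject replies whose authenticator was not computed with
    the shared secret over this exact request and this exact reply content."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, ra = b"example-shared-secret", os.urandom(16)  # constructed values
    req = build_access_request(1, b"alice", b"hunter2", secret, b"vpn-gateway", ra)
    reply = build_response(ACCESS_ACCEPT, 1, b"", ra, secret)
    print("request bytes:", len(req), "accept verified:", verify_response(reply, ra, secret))
    print("forged accept verified:", verify_response(build_response(ACCESS_ACCEPT, 1, b"", ra, b"wrong"), ra, secret))
```

The reason the verification step matters for the appliance's configuration: the only thing binding an Access-Accept to the gateway's request is the shared secret, so a weak or widely reused secret lets anyone on the path between the appliance and the server answer "accept" on its behalf. That is also why the Request Authenticator must be fresh and random for each request.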
Split Data (User Information & Password)
Just like the One Time Password server type, this works as a proxy for two different providers, but it does not add two-factor authentication. Choosing this type will let you select the sources for both the user information and the password providers. The fields that need to be configured are:
User information provider This option will let you specify from where the user-specific information should be taken.
Password provider This option will let you choose from the list of configured authentication servers. The chosen server will then be used to authenticate the users.