Configure Accounts

Accounts are used to authenticate users on the iPass network, a VPN, or other network. The definition of an account determines the attributes required for a successful login and authentication. Different account definitions may have different attributes: one account definition might use username and password; a second might use password, prefix, and domain. An account definition represents the attributes required for users to create an account; it does not represent a particular user’s login credentials.

At least one account is required for your Open Mobile users to authenticate, so creating an account should be the first task you perform when creating a profile.

For Windows profiles, you can create multiple account definitions as needed, but you must create at least one for use on the iPass network that includes username, password, and domain.

Account Attributes

Account attributes are highly configurable to accommodate a variety of login and authentication schemes. This enables you to take granular control over the user’s login experience. You can customize account attributes in a variety of ways.

  • Re-labeling: The field labels for accounts can be changed and customized. For example, you can change the label Username to another value, such as Login Name.
  • Pre-population: Many attribute values can be pre-populated with a value of your own choosing.
  • Drop-down list: For some attributes, users can be prompted with a drop-down list with multiple selections.
  • Hidden: Some fields can be hidden entirely from the end user.

Attribute Options

Account attributes can be configured as follows:

  • Username: Username can be re-labeled, pre-populated, and hidden from the end user.
  • Password: Password can be re-labeled, pre-populated, and hidden from the end user. In addition, you can control how Open Mobile caches the password and set the duration of the cache: forever, until Open Mobile is restarted, until sleep or hibernation, a specific interval, or never.
  • Domain: Domain can be re-labeled. You can also choose to allow the user to enter the domain, to select it from a drop-down list of previously entered domains, or to use a specific domain.
  • PIN: (Windows 1.4.1 and later clients) Some accounts, such as those used for VPNs, require a Personal Identification Number for authentication. (For example, NCP VPN requires such a PIN.) You can choose to allow the user to enter the PIN or to pre-fill it with a PIN.
  • Token: (Windows 2.x clients) Authentication token can be re-labeled, pre-populated, and hidden from the end user. You can also specify how long Open Mobile will save the token. For more about configuring token authentication, click here.
  • Prefix: Prefix can be re-labeled, pre-populated, and hidden from the end user.
  • Authentication Format: In some cases, an authentication string that differs from the standard iPass authentication string may be desired.

About Authentication Formats

You can define your own format for authentication strings to be used with all connections made with a given account definition. Authentication string formats are constructed from tokens, each representing a portion of the authentication requirements. You can use any of the following tokens to assign a format to the authentication string for the profile. Only include tokens for authentication attributes that are or will be enabled for the account.

Attribute Token Description
Network Prefix %p Prefix used when authenticating to the network.
Network Suffix %s Suffix used when authenticating to the network.
Customer Prefix %a Prefix associated with the account defined for use when authenticating to the network. Note: in Windows clients before 1.4.1, Open Mobile automatically appends a forward slash character (/) to the end of the %a token. However, for Windows 1.4.1 and later clients, you must add in the slash character manually after the customer prefix.
Username %u Username used when authenticating to the network.
Customer Domain %d Suffix associated with the account defined for use when authenticating to the network.
Literal String N/A Literal string. For example, if the domain value is always, then could be used as part of the authentication format in place of %d.

An example of a valid authentication format would be %p%u%d. Assume these values for the tokens:

  • %p (network prefix) = EXAMPLECO/
  • %u (username) = testuser
  • %d (customer suffix) =

The resulting authentication string passed to Open Mobile would be: EXAMPLECO/

If no forward slash were part of the network prefix, the string would be

Authentication Format Overrides

Accounts are generally assigned to an entire profile, and connections made using the account will use the authorization format defined for the account. However, accounts can be assigned for connections of a specific type (such as Mobile Broadband), as well as for directories. Any authorization formats assigned to such accounts will override the more general one.

The hierarchy of accounts works as follows:

  • A default (master) account is defined for each entire profile. If no account is assigned at a more specific level, this account and its associated authentication format is used for connections.
  • An account can be assigned for a specific connection type (for example, Wi-Fi). You can also define an authorization format to be used with the account, which will override the format defined for the default account.
  • An account can be assigned for connections made to specific network directory. Again, you can also define an authorization format to be used with the account, which will override the format defined for the default account. In addition, you can choose whether to enable USID (Unique Session Identifier) for connections made to networks in the directory.


Each Open Mobile session (and connection attempt) is assigned a Unique Session Identifier (USID) for tracking purposes. By default, USID is prepended to the authentication format before the username (for example, @<domain>).

USID is enabled by default for connections made to access points in the iPass network directory. However, because the authentication format with USID may exceed 20 characters in length, which is longer than many networks will support, you can choose whether to include USID in directory-level authentication format overrides, to keep the authentication format under the character limit for custom directories.

Creating an Account Definition

You must define an iPass account before defining other accounts. For the iPass account, use the account name iPass, and select username, password, and domain for attributes.

To define an account:

  1. Under Accounts, click Define New Account.
  2. Under Configure Account Definition, in Name, enter the name of the account.
  3. In Display Name, enter the account name, as you would like it to appear in Open Mobile.
  4. In Display Description, enter a brief description of the account. This will be displayed to the user when logging in and used as a reminder to the user of login information.
  5. If this will be the default account type, select Set to be Master Account.
  6. Under Account Attributes, select the attributes that are required for this account. (Username, password, and domain are required for any account used on the iPass network.) Then, select the configuration settings for each attribute as required.
  7. Click Save.
iPass End-to-End Encrypted Login (iSEEL): iSEEL uses 131-bit ECC (Elliptic Curve Cryptography) in conjunction with 128-bit Public Key Unidirectional SSL tunnels to protect Internet passwords over the iPass network. Passwords are encrypted before they are ever transmitted over a connection, and they are not decrypted until reaching the iPass POD Transaction Center.

Advanced Authentication Settings

Some clients allow you to set an additional authentication request to give the client more information about why an attempt to connect might fail. For more information, please see Advanced Authentication Settings.

Create a New Profile > Configuration Settings > Connectivity


©2015 iPass Inc. All rights reserved. Terms of Use