An account definition is comprised of the specific credential types required for a successful login. When logging in to Open Mobile, users are prompted for the required credentials for the account definition, based on the settings you configure.
For example, one account definition may require username and password, while another may require a password and domain name but no username. Account definitions are created in the Open Mobile Portal.
You can create multiple account definitions as needed, but you must create at least one for use on the iPass network that includes username, password, and domain.
Credential types are highly configurable to accommodate a variety of login and authentication schemes. This allows you take granular control over the user’s login experience. For example, you can control whether or not the user is prompted for a domain prefix when logging in, or whether the prefix is pre-supplied.
Account credentials can be configured as follows:
An account name is an identifier to differentiate between multiple accounts. Some examples of account names:
When defining a user account, the administrator can configure a description that will appear in the prompt the user will receive when entering that account name. Use the description that might help the user remember what username and password to use for this account. Some examples:
A username is required for authentication on the iPass network. In addition to authentication, this username will be used in reporting statistics. You can configure username as follows:
Option | Description |
---|---|
Field Label | The label for the Username field can be changed. For example, if your organization uses employee IDs for user accounts, the label for the username field can be changed to read Employee ID, which would help instruct the user as to what value to use for this account. |
User Text Entry | Requires users to type their own username. |
Pre-Filled Username | You can choose to pre-fill the username field with a pre-set value. Pre-filled usernames can be helpful if you want all users to share the same Internet account. Note: The Pre-filled Username option is not recommended. Sharing the same account may not be allowed as part of your iPass agreement, and even so, using a universal account can make reporting, troubleshooting, and recovery of a compromised account difficult. |
Use Windows Username | If enabled, the username field is pre-populated with the logged-in Windows username. You can then choose whether to allow edits to the pre-populated field, or whether to hide the username field completely. |
Allow Edit | If enabled, the user can edit the pre-populated username. |
Hide Field | If enabled, the field will be hidden from the user. |
A password is required for authentication on the iPass network. Although an Open Mobile password can be any number of characters in length, some iPass providers support only a RADIUS limit of 15 characters for password size. As a result, Open Mobile users with passwords longer than 15 characters may encounter issues at some network locations.
An Open Mobile is encrypted in three ways when it is stored locally: first, by characteristics derived from the user; second, by machine characteristics; and third, using an AES 256 key.
iSEEL: If a password is to be transmitted over the iPass network, the local encryption is not used. Instead, public key cryptography (specifically, elliptical curve cryptography) is used to encrypt it. The password is not decrypted until it reaches the iPass POD Transaction Center. This encryption scheme is known as iSEEL (iPass End-to-End Encrypted Login).
iSEEL is an integral part of the iPass network and cannot be disabled. However, iSEEL is not enabled for locations that cannot support it.
Depending on the type of connection, there may be additional encryption with iSEEL.
Option | Description |
---|---|
Field Label | The label for the Password field can be changed. For example, if you configured the label for username to be Email Username, you could also configure the label for the password to be Email Password. |
User Text Entry | Requires users to type their own password. |
Cache Duration | Sets the amount of time Open Mobile will cache the user’s password. The cache options available are: forever, until restart of Open Mobile, until sleep or hibernation, a specific period of time, or not at all. |
Save Password | iPass Open Mobile can be configured to allow the user to save the password. (Cache duration must be set at Forever.) |
Pre-filled Password | You can choose to pre-fill the password field with a value. Pre-filled password can be helpful if you want all users to share the same Internet account. Note: Pre-populated passwords are stored in clear text in the profile XML files. If a password is particularly sensitive, it is recommended that you do not pre-populate it in Open Mobile accounts. |
Allow Edit | If enabled, the user can edit the pre-populated password. |
Hide Field | You can choose to hide a pre-filled password field from users completely. |
An Open Mobile password (for client connections or Portal logins) may include any of these characters:
Unicode characters are not supported for Open Mobile passwords.
A routing domain is required for iPass authentication. The routing domain is used to differentiate one customer’s users from another and is established during the initial setup of service with iPass.
The routing domain does not have to be a registered Internet domain or even in the format of an Internet domain. However, It must be unique across the iPass customer base.
If the routing domain field is not used for iPass authentication routing, it can be used for authentication routing on the customer network. For instance, in a multiple domain Active Directory model, a domain name may be necessary to differentiate usernames that might exist in more than one domain (for example, jdoe@europe.acme.com instead of jdoe@asia.acme.com).
Fully Qualified Domains: A pre-filled domain may be fully qualified. However, you can you can only configure domains with a root suffix that matches a domain which is already registered to you. For example, if you were configuring a domain for example1.com, then sales.example1.com would be an acceptable fully qualified domain, but sales.example2.com would not be.
Options | Description |
---|---|
Display Name | The label for the Domain field can be changed. |
Pre-Filled Domain | You can choose to pre-fill the domain field with a fixed value. If the domain field is used for iPass authentication and only one domain is to be used, then pre-filling the domain field (and making it non-editable) will ensure that the user utilizes the correct domain name. |
Drop-Down List | You can choose to pre-configure a list of domains from which the user can choose. |
User Text Entry | Allows users to type in their own domain name. (If the user could be part of a large list of domains, or the profile in use is shared among multiple customers, then this is the most desirable option.) |
Allow Edit | If enabled, the user can edit the pre-populated domain. |
Hide Field | You can choose to hide a pre-filled domain field from users completely. |
Open Mobile supports RSA authentication tokens as part of an account definition. RSA token authentication is supported on 802.1x networks using PEAP-GTC protocol as part of ON-Campus Roaming and for Cisco AnyConnect and Juniper VPNs. See Connectivity for more information.
Option | Description |
---|---|
Token Type | A hard token is a hardware device, while a soft token is represented by software. |
Field Label | The label for the Token field can be changed. |
User Text Entry | Requires users to enter the RSA token. |
Pre-filled Token | You can choose to pre-fill the token field with a value. Pre-filled tokens can be helpful if you want all users to share the same Internet account. Note: This selection is not recommended. Pre-populated tokens are stored in clear text in the profile XML files. If a token is particularly sensitive, it is recommended that you do not pre-populate it in Open Mobile accounts. |
Cache Duration | Sets the amount of time Open Mobile will cache the user’s password. The cache options available are: forever, until restart of Open Mobile, until sleep or hibernation, a specific period of time, or not at all. |
Save Password | iPass Open Mobile can be configured to allow the user to save the password. (Cache duration must be set at Forever.) |
If the routing domain field is needed for customer authentication routing, then a routing prefix field can be enabled. If chosen, this value must be unique across the iPass customer base. A routing prefix can be used to differentiate one customer’s users from another. This prefix is typically established during the initial establishment of service with iPass.
Options | Description |
---|---|
Field Label | The label for the Prefix field can be changed. |
User Text Entry | Allows users to type in the prefix name. Note: If the prefix is not recognized by iPass, the connection will not succeed. As a result, it is recommended that you disable this option. |
Pre-Filled Prefix | Administrators can choose to pre-fill the prefix field with a fixed value. This is the most commonly used option. |
Allow Edit | If enabled, the user can edit the pre-populated prefix. Note: If the prefix is not recognized by iPass, the connection will not succeed. As a result, it is recommended that you disable this option. |
Hide Field | You can choose to hide a pre-filled prefix field from users completely. This is the most commonly used option. |
In some cases, an authentication format that differs from the standard iPass authentication may be desired. You can use any of the following tokens to assign attributes to the authentication string for the profile, for example %a for prefix, %u for username, and %d for domain. Each attribute (prefix, username, etc.) added to the authentication string has to be enabled for the Account.
Correct: %a/%u@%d = IPASS/jsmith@ipass.com
Incorrect: %a%u%d = IPASSjsmithipass.com
Your iPass technical contact can advise you on how to define an alternate authentication format for an Open Mobile profile. For more information please see the Portal Guide.
Open Mobile includes a utility that enables you to pre-set the values for username, password, and domain for a particular user account.
To pre-populate username, password and domain:
iPass\Open Mobile\omsi
directory.epcmd.exe iPass.AccountManager.SetUserCredential /a [Account Type] /u [Username] /p [Password] /d [DomainName]
/a,
/u, /p, and
/d are optional switches. Use one or more of these to indicate Account Type, Username, Password, and Domain Name, followed by the actual value of the parameter. If the account does not include a given parameter, then it may be omitted.If your users connect through a proxy server, you can choose the method of authentication to the proxy. The authentication can be performed using local Windows domain credentials, or you can choose the credentials from a specific account definition. You can also select the maximum number of authentications Open Mobile will perform in a 24-hour period.
Go to: Open Mobile for Windows Help