windows_account_definitions [2015/02/25 17:57]
ybarajas [Authentication Format]
windows_account_definitions [2015/02/26 18:02] (current)
ybarajas [Authentication Format]
 +====== Account Definitions ======
 +
 +
 +An //account definition// consists of the specific credential types required for a successful login. When logging in to Open Mobile, users are prompted for the credentials that the account definition requires, based on the settings you configure.
 +
 +
 +For example, one account definition may require username and password, while another may require a password and domain name but no username. Account definitions are created in the Open Mobile Portal.
 +
 +
 +You can create multiple account definitions as needed, but you must create at least one for use on the iPass network that includes username, password, and domain.
 +
 +
 +<note important>An account definition represents the attributes used to create an account. It does not represent a particular user’s login credentials.</note>
 +===== Credential Types =====
 +
 +
 +Credential types are highly configurable to accommodate a variety of login and authentication schemes. This gives you granular control over the user's login experience. For example, you can control whether the user is prompted for a domain prefix when logging in, or whether the prefix is pre-supplied.
 +
 +
 +    * The field labels for accounts in Open Mobile can be changed and customized. For example, you can change the label Username to another value, such as Login Name.
 +    * The values of several attributes can be pre-populated.
 +    * Fields can even be hidden, so that the end user never needs to enter that information.
 +
 +
 +Account credentials can be configured as follows:
 +
 +
 +    * **Username:**  username can be re-labeled, pre-populated, and hidden from the end user.
 +    * **Password:**  password can be re-labeled, pre-populated, and hidden from the end user. In addition, you can control how Open Mobile caches the password, and set the duration of the cache: forever, until Open Mobile is restarted, until sleep or hibernation, a specific interval, or never.
 +    * **Domain:**  domain can be re-labeled. You can also choose to allow the user to enter the domain, select it from a drop-down list of previously entered domains, or to use a specific domain.
 +    * **Token:**  A soft authentication token can be re-labeled, pre-populated, and hidden from the end user. You can also specify how long Open Mobile will save the token.
 +    * **Prefix:**  prefix can be re-labeled, pre-populated, and hidden from the end user.
 +    * **Authentication Format:**  In some cases, an authentication format that differs from the standard iPass format may be desired. You can use the following placeholder tokens to assign a format to the profile's authentication string: %a for prefix, %u for username, and %d for domain. Your iPass technical contact can advise you on how to define an alternate authentication format for your Open Mobile profile.
 +===== Account Settings =====
 +
 +
 +==== Account Name ====
 +
 +
 +An account name is an identifier that differentiates between multiple accounts. Some examples of account names:
 +
 +
 +    * Internet
 +    * VPN
 +    * Campus Network
 +
 +
 +==== Account Description ====
 +
 +
 +When defining a user account, the administrator can configure a description that appears in the prompt the user receives for that account. Use a description that helps the user remember which username and password to use for this account. Some examples:
 +
 +
 +    * “This is the same username/password used for Acme Corporation email accounts.”
 +    * “This is your Active Directory username/password.”
 +
 +
 +==== Username ====
 +
 +
 +A username is required for authentication on the iPass network. In addition to authentication, this username will be used in reporting statistics. You can configure username as follows:
 +
 +
 +^Option ^Description |
 +|**Field Label**  |The label for the Username field can be changed. For example, if your organization uses employee IDs for user accounts, the label can be changed to read Employee ID, which tells the user what value to enter for this account. |
 +|**User Text Entry**  |Requires users to type their own username. |
 +|**Pre-Filled Username**  |You can choose to pre-fill the username field with a pre-set value. Pre-filled usernames can be helpful if you want all users to share the same Internet account. **Note:** //The Pre-filled Username option is not recommended. Sharing the same account may not be allowed under your iPass agreement, and even where it is, a universal account makes reporting, troubleshooting, and recovery of a compromised account difficult.//  |
 +|**Use Windows Username**  |If enabled, the username field is pre-populated with the logged-in Windows username. You can then choose whether to allow edits to the pre-populated field, or whether to hide the username field completely. |
 +|**Allow Edit**  |If enabled, the user can edit the pre-populated username. |
 +|**Hide Field**  |If enabled, the field will be hidden from the user. |
 +
 +
 +==== Password ====
 +
 +
 +A password is required for authentication on the iPass network. Although an Open Mobile password can be any length, some iPass providers enforce a RADIUS limit of 15 characters on the password. As a result, Open Mobile users with passwords longer than 15 characters may encounter login issues at some network locations.
 +
 +
 +=== Password Encryption ===
 +
 +
 +An Open Mobile password is encrypted in three layers when it is stored locally: first, using characteristics derived from the user; second, using machine characteristics; and third, using an AES-256 key.
 +
 +
 +**iSEEL:**  If a password is to be transmitted over the iPass network, the local encryption is not used. Instead, public key cryptography (specifically, elliptic curve cryptography) is used to encrypt it, and the password is not decrypted until it reaches the iPass POD Transaction Center. This encryption scheme is known as iSEEL (iPass End-to-End Encrypted Login).
 +
 +
 +iSEEL is an integral part of the iPass network and cannot be disabled by the administrator. However, iSEEL is not enabled at locations that cannot support it, so the password does not receive end-to-end protection there.
 +
 +
 +Depending on the type of connection, there may be additional encryption with iSEEL.
 +
 +
 +    * For instance, on a Wi-Fi connection the iSEEL-encrypted password is additionally carried inside the SSL session between the PC and the Wi-Fi gateway. That SSL layer protects only the hop to the gateway; iSEEL is what protects the password all the way to the iPass POD Transaction Center.
 +    * For dial connections, when PAP is used the password itself is encrypted with iSEEL. When CHAP is used, only a challenge-response hash of the password is sent, and that hash is then encrypted with iSEEL.
 +    * For iSEEL-enabled locations, the combined length of username, password, and domain name is limited to 34 characters.
 +
 +
 +^Option ^Description |
 +|**Field Label**  |The label for the Password field can be changed. For example, if you configured the label for username to be //Email Username//, you could also configure the label for the password to be //Email Password//. |
 +|**User Text Entry**  |Requires users to type their own password. |
 +|**Cache Duration**  |Sets the amount of time Open Mobile will cache the user’s password.  The cache options available are: forever, until restart of Open Mobile, until sleep or hibernation, a specific period of time, or not at all. |
 +|**Save Password**  |iPass Open Mobile can be configured to allow the user to save the password. (Cache duration must be set at Forever.) |
 +|**Pre-filled Password**  |You can choose to pre-fill the password field with a value. Pre-filled password can be helpful if you want all users to share the same Internet account. **Note:** //Pre-populated passwords are stored in clear text in the profile XML files. If a password is particularly sensitive, it is recommended that you do not pre-populate it in Open Mobile accounts.//  |
 +|**Allow Edit**  |If enabled, the user can edit the pre-populated password. |
 +|**Hide Field**  |You can choose to hide a pre-filled password field from users completely. |
 +
 +
 +=== Valid Password Values ===
 +
 +
 +An Open Mobile password (for client connections or Portal logins) may include any of these characters:
 +
 +
 +    * Alphanumeric: A-Z, a-z, 0-9.
 +    * Special: backtick (`), tilde (~), exclamation point (!), at sign (@), pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand (&), asterisk (%%*%%), left or right parenthesis, dash (-), underscore (_), equals sign (=), plus sign (+), left or right brace ({ }), left or right square bracket ([ ]), slash (/), backslash (%%\%%), pipe (|), colon (:), semicolon (;), question mark (?), period (.), apostrophe ('), comma (,), quotation mark ("), greater-than sign (>), less-than sign (<), space ( ).
 +
 +
 +Unicode characters are not supported for Open Mobile passwords.
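The limits in this section (the allowed character set, the no-Unicode rule, the 15-character RADIUS limit at some providers, and the 34-character combined limit at iSEEL-enabled locations) are easy to check before a profile is rolled out. The following is an added example, not iPass code: the constants restate the page's rules, while the function names, the error/warning split and the sample credentials are this example's own.

```python
"""Validate an Open Mobile password and the combined credential length.

Added example (not iPass code). The allowed character set, the 'no Unicode'
rule, the 15-character RADIUS limit at some providers and the 34-character
username+password+domain limit at iSEEL-enabled locations are taken from
the page; the function names, the error/warning split and the message text
are this example's own.
"""
from __future__ import annotations

import string

# Special characters the page lists as valid, plus letters and digits; ASCII only.
_SPECIALS = "`~!@#$%^&*()-_=+{}[]/\\|:;?.',\"<> "
VALID_PASSWORD_CHARS = frozenset(string.ascii_letters + string.digits + _SPECIALS)

RADIUS_PASSWORD_LIMIT = 15   # enforced by some iPass providers
ISEEL_COMBINED_LIMIT = 34    # username + password + domain at iSEEL-enabled locations


def invalid_password_chars(password: str) -> list[str]:
    """Return the characters in `password` that Open Mobile does not accept (sorted, unique)."""
    return sorted({c for c in password if c not in VALID_PASSWORD_CHARS})


def check_credentials(username: str, password: str, domain: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means the credentials pass.

    'error' entries will fail everywhere; 'warning' entries may fail only at
    network locations with the stricter limits the page describes.
    """
    problems: list[tuple[str, str]] = []

    if not password:
        problems.append(("error", "password is empty"))
    bad = invalid_password_chars(password)
    if bad:
        problems.append(("error", "unsupported characters in password: " + "".join(bad)))

    if len(password) > RADIUS_PASSWORD_LIMIT:
        problems.append(("warning",
                         f"password is {len(password)} characters; providers with a "
                         f"{RADIUS_PASSWORD_LIMIT}-character RADIUS limit may reject it"))

    total = len(username) + len(password) + len(domain)
    if total > ISEEL_COMBINED_LIMIT:
        problems.append(("warning",
                         f"username+password+domain is {total} characters; iSEEL-enabled "
                         f"locations limit the total to {ISEEL_COMBINED_LIMIT}"))
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    for user, pwd, dom in [("jsmith", "Tr0ub4dor&3", "ipass.com"),
                           ("jsmith", "correct horse battery", "ipass.com"),
                           ("jsmith", "pässword", "ipass.com")]:
        print(user, dom, check_credentials(user, pwd, dom) or "ok")
```

The length checks are reported as warnings rather than errors because, as the page says, they bite only at some providers or at iSEEL-enabled locations; a help-desk script can still use them to explain why an otherwise valid password fails at one hotspot and works at another.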
 +
 +
 +==== Domain ====
 +
 +
 +A routing domain is required for iPass authentication. The routing domain is used to differentiate one customer’s users from another and is established during the initial setup of service with iPass.
 +
 +
 +The routing domain does not have to be a registered Internet domain, or even in the format of an Internet domain. However, it must be unique across the iPass customer base.
 +
 +
 +If the routing domain field is not used for iPass authentication routing, it can be used for authentication routing on the customer network. For instance, in a multiple-domain Active Directory model, a domain name may be needed to differentiate usernames that exist in more than one domain (for example, jdoe@europe.acme.com as opposed to jdoe@asia.acme.com).
 +
 +
 +**Fully Qualified Domains:**   A pre-filled domain may be fully qualified. However, you can only configure domains whose root suffix matches a domain that is already registered to you. For example, if you were configuring a domain for example1.com, then sales.example1.com would be an acceptable fully qualified domain, but sales.example2.com would not.
 +
 +
 +^Options ^Description |
 +|**Display Name**  |The label for the Domain field can be changed. |
 +|**Pre-Filled Domain**  |You can choose to pre-fill the domain field with a fixed value.  If the domain field is used for iPass authentication and only one domain is to be used, then pre-filling the domain field (and making it non-editable) will ensure that the user utilizes the correct domain name. |
 +|**Drop-Down List**  |You can choose to pre-configure a list of domains from which the user can choose. |
 +|**User Text Entry**  |Allows users to type in their own domain name. (If the user could be part of a large list of domains, or the profile in use is shared among multiple customers, then this is the most desirable option.) |
 +|**Allow Edit**  |If enabled, the user can edit the pre-populated domain. |
 +|**Hide Field**  |You can choose to hide a pre-filled domain field from users completely. |
 +
 +
 +==== Authentication Token ====
 +
 +
 +Open Mobile supports RSA authentication tokens as part of an account definition. RSA token authentication is supported on 802.1X networks using the PEAP-GTC protocol as part of ON-Campus Roaming, and for Cisco AnyConnect and Juniper VPNs. See [[:windows_connectivity|Connectivity]] for more information.
 +
 +
 +^Option ^Description |
 +|**Token Type**  |A hard token is a hardware device, while a soft token is represented by software. |
 +|**Field Label**  |The label for the Token field can be changed. |
 +|**User Text Entry**  |Requires users to enter the RSA token. |
 +|**Pre-filled Token**  |You can choose to pre-fill the token field with a value. Pre-filled tokens can be helpful if you want all users to share the same Internet account. **Note:** //This selection is not recommended. Pre-populated tokens are stored in clear text in the profile XML files. If a token is particularly sensitive, it is recommended that you do not pre-populate it in Open Mobile accounts.//  |
 +|**Cache Duration**  |Sets the amount of time Open Mobile will cache the token value the user entered.  The cache options available are: forever, until restart of Open Mobile, until sleep or hibernation, a specific period of time, or not at all. |
 +|**Save Password**  |iPass Open Mobile can be configured to allow the user to save the token value. (Cache duration must be set to Forever.) |
 +
 +
 +==== Prefix ====
 +
 +
 +If the routing domain field is needed for authentication routing on the customer network, a routing prefix field can be enabled instead. If used, the prefix must be unique across the iPass customer base, because it is what differentiates one customer's users from another's. The prefix is typically established when service is initially set up with iPass.
 +
 +
 +^Options ^Description |
 +|**Field Label**  |The label for the Prefix field can be changed. |
 +|**User Text Entry**  |Allows users to type in the prefix name. **Note:** //If the prefix is not recognized by iPass, the connection will not succeed. As a result, it is recommended that you disable this option.//  |
 +|**Pre-Filled Prefix**  |Administrators can choose to pre-fill the prefix field with a fixed value.  This is the most commonly used option. |
 +|**Allow Edit**  |If enabled, the user can edit the pre-populated prefix. **Note:** //If the prefix is not recognized by iPass, the connection will not succeed. As a result, it is recommended that you disable this option.//  |
 +|**Hide Field**  |You can choose to hide a pre-filled prefix field from users completely. This is the most commonly used option. |
 +
 +
 +==== Authentication Format ====
 +
 +
 +In some cases, an authentication format that differs from the standard iPass format may be desired. The following placeholder tokens insert account attributes into the profile's authentication string: %a for prefix, %u for username, and %d for domain. Each attribute (prefix, username, and so on) referenced in the authentication string must be enabled for the account.
 +
 +<note warning>In Windows clients before 1.4.1, Open Mobile automatically appends a forward slash (/) to the end of the %a token. In Windows 1.4.1 and later clients, you must add the slash after the customer prefix and the @ character after the username yourself. For example:
 +
 +**Correct**: %a/%u@%d = IPASS/jsmith@ipass.com
 +
 +**Incorrect**: %a%u%d = IPASSjsmithipass.com
 +
 +Your iPass technical contact can advise you on how to define an alternate authentication format for an Open Mobile profile. For more information, see the [[:portal_guide|Portal Guide]].</note>
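To make the placeholder rules concrete (the %a / %u / %d tokens listed under Credential Types above, the requirement that every referenced attribute be enabled for the account, and the 1.4.1 change to the slash after %a), here is an added example that models the expansion. It is not iPass code: the Account class, the function names and the `legacy_client` switch are this example's own assumptions, and the warning about a doubled slash on pre-1.4.1 clients is an inference from the behaviour the note describes.

```python
"""Expand an Open Mobile authentication-format string.

Added example (not iPass code). The %a / %u / %d placeholders, the rule that
every placeholder used must be enabled for the account, and the change in
1.4.1 (earlier Windows clients appended '/' to %a automatically; 1.4.1 and
later do not) come from the page. The Account model, the function names and
the `legacy_client` switch are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PLACEHOLDERS = {"%a": "prefix", "%u": "username", "%d": "domain"}


@dataclass
class Account:
    """Attributes enabled for one account definition; None means not enabled."""
    username: Optional[str] = None
    domain: Optional[str] = None
    prefix: Optional[str] = None


def expand_auth_format(fmt: str, account: Account, legacy_client: bool = False) -> str:
    """Return the authentication string the client would send for `fmt`.

    Raises ValueError for an unknown placeholder or for one whose attribute
    is not enabled on the account.
    """
    def substitute(match: re.Match) -> str:
        token = match.group(0)
        attr = PLACEHOLDERS.get(token)
        if attr is None:
            raise ValueError(f"unknown placeholder {token!r}")
        value = getattr(account, attr)
        if not value:
            raise ValueError(f"{token} used in format but {attr} is not enabled for this account")
        if token == "%a" and legacy_client:
            return value + "/"      # pre-1.4.1 behaviour described on the page
        return value

    return re.sub(r"%.", substitute, fmt)


def format_warnings(fmt: str, legacy_client: bool = False) -> list[str]:
    """Flag the separator mistakes the page's note describes."""
    warnings = []
    if "%a" in fmt:
        if not legacy_client and "%a/" not in fmt:
            warnings.append("1.4.1+ clients do not append '/' after %a; write '%a/'")
        if legacy_client and "%a/" in fmt:
            # Inferred from the page's description of the pre-1.4.1 behaviour.
            warnings.append("pre-1.4.1 clients already append '/' after %a; '%a/' yields '//'")
    if "%u" in fmt and "%d" in fmt and "%u@%d" not in fmt:
        warnings.append("join username and domain as '%u@%d'")
    return warnings


if __name__ == "__main__":
    # Constructed sample account, not a real credential.
    acct = Account(username="jsmith", domain="ipass.com", prefix="IPASS")
    for fmt in ("%a/%u@%d", "%a%u%d"):
        print(fmt, "->", expand_auth_format(fmt, acct), format_warnings(fmt))
```

Run against the note's two examples, the correct format yields `IPASS/jsmith@ipass.com` with no warnings and the incorrect one yields `IPASSjsmithipass.com` with two; the same check run with `legacy_client=True` shows why a profile written for an older client must be revisited when the client is upgraded.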
 +
 +
 +
 +
 +
 +
 + 
 +
 +
 +===== Account Pre-Population Utility =====
 +
 +
 +Open Mobile includes a utility that enables you to pre-set the values for username, password, and domain for a particular user account.
 +
 +
 +**To pre-populate username, password and domain:** 
 +
 +
 +    - Launch the Windows command line.
 +    - Change to the ''iPass%%\%%Open Mobile%%\%%omsi''  directory.
 +    - Type: ''epcmd.exe iPass.AccountManager.SetUserCredential /a [Account Type] /u [Username] /p [Password] /d [DomainName]''
 +    - ''/a'', ''/u'', ''/p'', and ''/d'' are optional switches. Use one or more of them to indicate Account Type, Username, Password, and Domain Name, each followed by the actual value of the parameter. If the account does not include a given parameter, it may be omitted.
 +    - Press Enter. The requested values are set.
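Because valid Open Mobile passwords may contain spaces, quotation marks, ampersands, pipes and percent signs, typing the command above by hand into cmd.exe is error-prone: cmd.exe interprets those characters before epcmd.exe ever sees them. The following is an added example, not iPass code, of driving the utility from a script that passes the arguments straight to the process. The epcmd.exe command and its switches are taken from the page; the install directory under Program Files and the assumption that epcmd accepts standard Windows argument quoting are this example's own. Note also, as a general caution about any command-line tool, that the arguments (including the password) are visible to other local processes for as long as epcmd runs.

```python
"""Drive the Open Mobile account pre-population utility (epcmd.exe) from a script.

Added example (not iPass code). The epcmd.exe command and the /a /u /p /d
switches come from the page. The install directory (Program Files joined to
the page's relative path iPass\\Open Mobile\\omsi) and the assumption that
epcmd accepts standard Windows argument quoting are this example's own.
"""
from __future__ import annotations

import os
import subprocess
from typing import Optional

# Assumed install root; adjust if Open Mobile is installed elsewhere.
OMSI_DIR = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                        "iPass", "Open Mobile", "omsi")
EPCMD = os.path.join(OMSI_DIR, "epcmd.exe")
SET_CREDENTIAL = "iPass.AccountManager.SetUserCredential"


def build_epcmd_args(account_type: Optional[str] = None, username: Optional[str] = None,
                     password: Optional[str] = None, domain: Optional[str] = None,
                     exe: str = EPCMD) -> list[str]:
    """Return the argv list for epcmd; a switch is omitted when its value is None."""
    args = [exe, SET_CREDENTIAL]
    for switch, value in (("/a", account_type), ("/u", username),
                          ("/p", password), ("/d", domain)):
        if value is not None:
            args += [switch, value]
    return args


def render_command_line(args: list[str]) -> str:
    """Show the single command-line string Windows will hand to epcmd.

    subprocess quotes arguments containing spaces or quotation marks using
    the standard Windows rules; cmd.exe would additionally act on & | < > ^
    and %VAR% expansions, which is why the script avoids the shell entirely.
    """
    return subprocess.list2cmdline(args)


def set_user_credential(account_type: Optional[str] = None, username: Optional[str] = None,
                        password: Optional[str] = None, domain: Optional[str] = None,
                        dry_run: bool = True) -> str:
    """Run epcmd with the given values; with dry_run=True only return the command line."""
    args = build_epcmd_args(account_type, username, password, domain)
    cmdline = render_command_line(args)
    if not dry_run:
        # No shell=True: the password never passes through cmd.exe parsing.
        subprocess.run(args, cwd=OMSI_DIR, check=True)
    return cmdline


if __name__ == "__main__":
    # Constructed sample values, not real credentials; dry run only.
    print(set_user_credential(username="jsmith", password='p@ss "word" & more', domain="ipass.com"))
```

Pass `dry_run=False` only on a machine where Open Mobile is installed; the dry run is enough to see how a password containing spaces and quotation marks is quoted before it reaches epcmd.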
 +
 +
 +===== Proxy Settings =====
 +
 +
 +If your users connect through a proxy server, you can choose the method of authentication to the proxy. The authentication can be performed using local Windows domain credentials, or you can choose the credentials from a specific account definition.  You can also select the maximum number of authentications Open Mobile will perform in a 24-hour period.
 +
 +
 +<note important>In Windows 1.4.x and earlier clients, Open Mobile includes a (non-configurable) ability to authenticate to proxy servers using Windows domain credentials. In Windows 2.x clients, however, you must explicitly specify whether proxy authentication uses Windows domain credentials or the credentials of a separate account definition. This applies both to new Windows 2.x profiles and to profiles upgraded to Windows 2.x from earlier versions.</note>
 +
 +
 +Go to: **[[:windows_help|Open Mobile for Windows Help]]**
 +
 +
 +{{tag> authentication_format password username accounts credentials iseel domain prefix windows}}
 +
 +
 +
  
 

©2015 iPass Inc. All rights reserved.