2.10.1. Local Proxy Authentication

Local user authentication is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. The user management resides on the IPCop Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled.

This authentication method lets you manage user accounts locally without the need for external authentication servers.

[Figure: Local Proxy Authentication]

2.10.1.1. Global authentication settings

[Figure: Global authentication settings section]

Number of authentication processes.  The number of background processes listening for requests. The default value is 5; increase it if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL.  How long, in minutes, credentials are cached for each single session. When this time expires, the user has to re-enter the credentials for this session. The default is 60 minutes; the minimum is 1 minute. The TTL is reset whenever the user sends a new request to the Proxy Server within a session.

Note

If the user opens a new session, the credentials must always be entered, even if the TTL has not expired for another session.

Limit of IP addresses per user (optional).  The number of source IP addresses from which a user can be logged in at one time. An IP address is released after the time defined by User/IP cache TTL.

Note

This has no effect when using Local authentication and the user is a member of the “Extended” group.

User/IP cache TTL.  How long, in minutes, the relation between each user name and the IP address it used is cached. The default value is 0 (disabled).

A value greater than 0 is only reasonable while using a limit for concurrent IP addresses per user.

Require authentication for unrestricted source addresses.  By default authentication is required even for unrestricted IP addresses. If you don't want to require authentication for these addresses, untick this box.

Authentication realm prompt.  This text will be shown in the authentication dialog. The default is “IPCop Advanced Proxy Server”.

Destinations without authentication.  This allows you to define a list of destinations that can be accessed without authentication.

Note

Any domains listed here are destination DNS domains and not source Windows NT domains.

Examples:

Entire domains and subdomains

*.example.net
*.google.com

Single hosts

www.example.net
www.google.com

IP addresses

81.169.145.75
74.125.39.103

URLs

www.example.net/download
www.google.com/images

Note

You can enter all of these destination types in any order.

Example for Windows Update.

To allow access to Windows Update without authentication add these destinations to the list:

*.download.microsoft.com
*.windowsupdate.com
windowsupdate.microsoft.com
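
Every entry in this list is reachable through the proxy without credentials, so it is worth checking exactly what each line exempts. The following is an added example, not IPCop code: it classifies entries into the four destination types above and reports which entry, if any, exempts a given request. The function names are hypothetical, and the matching rules (a wildcard covers the domain itself and its subdomains, a URL entry matches on a path-segment boundary) are assumptions, as is the two-label heuristic for flagging broad wildcards.

```python
import ipaddress
from urllib.parse import urlsplit

# Entries taken from the Windows Update example above.
WINDOWS_UPDATE = ["*.download.microsoft.com", "*.windowsupdate.com",
                  "windowsupdate.microsoft.com"]

def classify(entry):
    """Return (kind, value) for one 'Destinations without authentication' line."""
    entry = entry.strip().lower()
    if entry.startswith("*."):
        return ("domain", entry[2:])            # entire domain and subdomains
    try:
        return ("ip", str(ipaddress.ip_address(entry)))
    except ValueError:
        pass
    if "/" in entry:
        return ("url", entry.rstrip("/"))       # host plus path
    return ("host", entry)                      # single host

def bypasses_auth(url, entries):
    """Return the first entry that exempts `url` from authentication, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = host + parts.path
    for entry in entries:
        kind, value = classify(entry)
        # Assumption: the suffix must start at a label boundary.
        if kind == "domain" and (host == value or host.endswith("." + value)):
            return entry
        if kind in ("host", "ip") and host == value:
            return entry
        # Assumption: URL entries match the exact path or anything below it.
        if kind == "url" and (target == value or target.startswith(value + "/")):
            return entry
    return None

def broad_wildcards(entries):
    """Heuristic: flag wildcards that exempt a whole two-label domain."""
    flagged = []
    for entry in entries:
        kind, value = classify(entry)
        if kind == "domain" and value.count(".") <= 1:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    print(bypasses_auth("http://au.download.windowsupdate.com/x.cab", WINDOWS_UPDATE))
    print(broad_wildcards(WINDOWS_UPDATE))
```
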

2.10.1.2. Local user authentication

The integrated user manager can be executed from the main settings page.

[Figure: User based access restrictions section]

Min password length.  Enter the minimum required length of passwords. The default is set to 6 alphanumeric characters.

Bypass redirection for members of the group extended.  If any redirector (e.g. the URL filter add-on) is installed, all members of the group Extended will bypass this redirector.

User management.  This button opens the local user manager.

2.10.1.3. Local user manager

The user manager is the interface for creating, editing and deleting user accounts.

[Figure: Local user administration]

Within the user manager page, all available accounts are listed in alphabetical order.

Group definitions.  You can select between three different groups:

Standard

The default for all users. All given restrictions apply to this group.

Extended

Use this group for unrestricted users. Members of this group will bypass any time and filter restrictions.

Disabled

Members of this group are blocked. This can be useful if you want to disable an account temporarily without losing the password.

Proxy service restart requirements.  The following changes to user accounts will require a restart of the proxy service:

  • A new user account was added and the user is not a member of the Standard group.

  • The group membership for a certain user has been changed.

The following changes to user accounts will not require a restart of the proxy service:

  • A new user account was added and the user is a member of the Standard group.

  • The password for a certain user has been changed.

  • An existing user account has been deleted.

2.10.1.4. Create user accounts

Username.  Enter the username for the user. If possible, the name should contain only alphanumeric characters.

Group.  Select the group membership for this user.

Password.  Enter the password for the new account.

Password (confirm).  Confirm the previously entered password.

Create user.  This button creates a new user account. If this username already exists, the account for this username will be updated with the new group membership and password.

Back to main page.  This button closes the user manager and returns to the main page.

2.10.1.5. Edit user accounts

A user account can be edited by clicking on the Yellow pencil icon. When editing a user account, only the group membership or password can be changed.

While editing an account, the corresponding entry will be marked with a yellow bar.

[Figure: Edit local user]

To save the changed settings, use the button Update user.

Note

The username cannot be modified. This field is read-only. If you need to rename a user, delete the user and create a new account.

2.10.1.6. Delete user accounts

A user account can be deleted by clicking on the Trashcan icon. The account will be deleted immediately.

2.10.1.7. Client side password management

Users may change their passwords if needed. The interface can be invoked by entering this URL:

http://192.168.1.1:81/cgi-bin/chpasswd.cgi

Note

Replace 192.168.1.1 with the GREEN IP address of your IPCop.

The web page dialog requires the username, the current password and the new password (twice for confirmation).

[Figure: Change web access password page]