User administration

Create and configure users and groups (permissions)

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Resellerpreview

12.5.1 12.4 12.2.4 12.2.3 11.8.8 11.8.5 11.7

Introduction

The users entered here are stored in a local database on the appliance.
The authentication configured at this point is also performed against the local database.
In addition, local user groups can be assigned to an AD/LDAP group.

User

Caption	Value	Description	User UTMuser@firewall.name.fqdnAuthentication User administration
Name	`admin`	Login name of the user
Groups	Administrator	Group membership of the respective user
Permissions	Firewall administrator	Authorizations, configuration under Groups
Notes	Expires in 9 hours	After expiration the user can no longer log in.
		Edit or delete the user
		Suche über alle angezeigten Werte, somit auch unter Hinweise oder Berechtigungen.
Add user		Creates a new user. [[#{#var:Benutzer hinzufügen}} \| see below]]
Delete all expired users		Does exactly that. Support users are automatically removed 24 hours after the expiry date at the latest.
OTP codes		Generates a pdf document with OTP codes in QR format and plain text for all users except the user admin. notempty New as of v12.5 notempty One OTP code is displayed per page.
		Aktuallisiert die Tabelle
		Vergrößert den Anzeigebereich für die Tabelle auf die Bildschirmhöhe.

The support user is a temporary administrator who can be activated, for example, to be supported by Securepoint support.
Die Schaltfläche zum Anlegen eines Support-Benutzers befindet sich links in der Menuleiste: Support User

Multiple support users cannot be created at the same time. If a support user already exists, you will be asked whether the existing user should be deleted!

Caption	Value	Description	Add Support User UTMuser@firewall.name.fqdnSupport User Copy credentials
Login name:	support-XLP-QHY-EE5	Willkürlicher Name, der mit support- beginnt. Es ist keine manuelle Eingabe möglich.
Login name:		Neuen Anmeldenamen zufällig generieren.
Password:	•••••••••••••••••••	Zufällig generiertes Passwort. Es ist keine manuelle Eingabe möglich.
		Passwort anzeigen
		Neues zufälliges Passwort generieren
Expiry date:	2023-10-20 12:00:00	By default, the access for the support user expires after 24 hours. It is possible to extend this value up to 30 days. For support users, it is not possible to change this value afterwards.
Groups:	×administrator	By default, the first user group with the authorization Firewall Administrator is entered. You can select other groups that also have this permission.
Root permission::	No	With Yes activation gives the user additional root privileges. When connecting with SSH, the login is done directly on the root console!
Copy credentials		Username and password are saved to the clipboard. The content of the clipboard then looks like this: Username: support-NII-Z53-Yk2 Password: UMC-DP6-FSK-F46-ULD notempty Before saving, the login name and the password must be noted! The password can no longer be displayed after saving.
		Clicking the button creates and saves the support user.
CLI command	user support new name support-4711 password Insecure.123 groups administrator expirydate 2023-10-20 12:00 flags ROOT	The support user can also be created via CLI if required. The value for the expiry date can either be specified as Unixtime (time in seconds since 1.1.1970 00:00) or in the format: YYYY-MM-DD HH:MM

General User

Add / edit user

Add user /

The dialog Add user opens. This dialog contains several tabs. There is no need to make entries in all tabs. With the entries are accepted.

User General

General

root user

Caption	Value	Description	Add user UTMuser@firewall.name.fqdnAuthenticationUser Enter user login data
Login name:	admin-user	Login name of the user
Login name:	root	A user with the name root must also be a member of a group with administrator privileges This user will then automatically get root permission. After logging on to the appliance via ssh, this user does not end up on the CLI but immediately in the Linux console This user has extensive diagnostic tools available there, e.g. tcpdump The root user reaches the Command Line Interface (CLI) with the command spcli and leaves it with exit The root user should definitely be given a short-term expiration date or be removed immediately after the diagnostic work!
Password: Confirm password:	•••••••• Very strong	Passwords must meet the following criteria: at least 8 characters length at least 3 of the following categories: Upper case Lower case Special characters Digits
Expiry date:	2023-11-01 00:00:00	After expiration the user can no longer log in. However, the expiration date can be extended again. (It cannot be set in the past in the web interface!) The expiration date can also be changed via CLI: user attribute set name testnutzer attribute expirydate value 2023-11-01 00:00 The value is given as Unixtime (time in seconds since 1.1.1970 00:00) or as: YYYY-MM-DD HH:MM .
Groups:	×administrator	Group membership and therefore authorizations of this user

VPN

Here fixed tunnel IP addresses can be assigned to the users.

L2TP
Caption	Description	Define IP Tunnel Addresses
L2TP IP Address:	The tunnel IP address for L2TP
SSL-VPN
IPv4 Address:	The tunnel IPv4 address for SSL-VPN
IPv6 Address:	The tunnel IPv6 address for SSL-VPN
WIREGUARD
IPv4 Peer Address:	The tunnel IPv4 address for WireGuard
IPv6 Peer Address:	The tunnel IPv6 address for WireGuard
Private key:	Private key to be used for a user-related WireGuard connection.
Private key:	By clicking the button, the key management can be opened and a key can be created.
IPSEC
EAP-MSCHAPV2 Password:	The password for EAP-MSCHAPV2 For security reasons, the EAP password should differ from the user's general password. This HowTo describes the configuration of IPSec EAP
PPTP is no longer available because it has been proven to be an insecure protocol.

WireGuard

Caption	Value	Description	WireGuard settings for user
Use settings from the group:	Off Default	When On is enabled, the WireGuard settings from the group are used.
Configuration downloadable in the user interface:	On	The configuration can be downloaded in the user interface.
WireGuard connection:	wg_roadwarrior	WireGuard-Verbindung, die diese Benutzerin / dieser Benutzer verwenden sollen.
Endpoint:	192.168.175.1	IP address or host name of the UTM. Must only be set if the UTM is not accessible via the firewall name.
Endpoint port:	51820	The port to the associated endpoint. This must be between 49152 and 65535.
Pre-Shared Key:	**************	Enter the pre-shared key of the WireGuard connection.
	Generate	Generate a Pre-shared Key with very strong.
	Copy to clipboard	Copies the pre-shared key to the clipboard
Keepalive:	On 25 Sek.	When activated, the duration can be set in seconds by Keepalive.

SSL-VPN

Caption	Value	Description	Add User UTMuser@firewall.name.fqdnAuthenticationUser SSL-VPN settings for users
Use group settings:	No	If the user is a member of a group, the settings can be adopted from there. The following settings are then greyed out here and are to be configured in the Authentication Users Area Groups menu.
Client downloadable in the user interface:	Yes	The Securepoint VPN Windows client can be downloaded from the user web interface (accessible via port 1443 by default). The port is configurable in the → Network →Server settingsTab Server settings Button Webserver / User Webinterface Port: : 1443.
SSL VPN connection:	RW-Securepoint	Selection of a connection created in the VPN SSL-VPN menu.
Client certificate:	cs-sslvpn-rw(1)	A certificate must be specified that the client uses to authenticate itself to the UTM. It is also possible to use ACME certificates.
Remote Gateway:	192.168.0.162 (Example-IP)	External IP address or DNS resolvable address of the gateway to which the connection is to be established.
Redirect Gateway:	On	When enabled, all client network traffic is sent through the selected gateway.

Password

The Password tab defines the strength of the password and whether the password can be changed by the user.

Caption	Default	Description	Setting the password properties
Password change allowed:	Off	Determines whether the user can change his or her password in the user interface.
Minimum password length:	8	The minimum password length can be set to more than 8 characters.
Passwords must meet the following criteria: at least 8 characters length at least 3 of the following categories: Upper case Lower case Special characters Digits

Mailfilter

Caption		Description
Use group settings:	No	If the user is a member of a group, the settings can be applied from there. The following settings are then hidden here and can be configured in the menu Authentication Users / Groups.
Allow downloads of following attachments:	None (Default)	In the user interface, the user can download/u> attachments of mails that meet certain criteria.
	Filtered but not quarantined	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
	Quarantined but not filtered	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
	Quarantined and/or filtered	This function may allow the downloading of viruses and should therefore only be allowed for experienced users!
Allow forwarding of the following e-mails:	None	In the user interface, the user can forward/u> attachments of mails that meet certain criteria.
	Filtered but not quarantined
	Quarantined but not filtered (Default)	This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
	Quarantined and/or filtered	This function may allow the forwarding of viruses and should therefore only be allowed for experienced users!
Reports E-Mail Address		If several mail addresses for a user are stored in an AD, the entry configured there as Primary SMTP address is used as the default address.
Report language:	Default	Default under Network Server settings → Firewall → Language of reports It can be specifically selected: German or English
Email Addresses
		Adding an email address to the list
user@ttt-point.de		Email accounts that can be viewed by this user to control the mail filter. Delete with

WOL

WOL stands for Wake on LAN and switches on a computer via the network card. In order to start the computer via data packet, the computer must also support this. This is usually configured in the BIOS or UEFI.
After logging into the user interface, the user can trigger a WOL for devices entered here.

Caption	Default	Description	Configure Wake on Lan
Description:		Free text
MAC address:	__:__:__:__:__:__	MAC address of the computer to be activated via Wake on Lan.
Interface:	LAN1	Interface of the appliance via which the WOL packet must be sent.
		Calls the entry for editing.
		Deletes the item

OTP

Für die Einstellungen zum OTP gibt es eine eigene Seite im Wiki.

Groups

Some settings described in the Users section can also be set for the entire group. However, the settings for the individual user replace the group settings.

Permissions

Caption	Description	Add group UTMuser@firewall.name.fqdnAuthentication Add group
Group Name:	Choose name freely

Permissions
Firewall administrator	Members of this group can call the admin interface (by default accessible on port 11115. There must always be at least one firewall administrator.
Spamreport	Members of this group can receive a spam report
VPN-L2TP	Members of this group can establish a VPN-L2TP connection.
Mailrelay User	Members of this group can use the Mailrelay TLS/SSL encryption is required for authentication This permission is NOT required to access the quarantined emails.
HTTP-Proxy	Members of this group can use the HTTP proxy.
IPSEC XAUTH	Members of this group can authenticate themselves with IPSEC.
IPSEC EAP	Members of this group can authenticate for IPSec connections with IKEv2 using Microsoft CHAPv2
Userinterface	Members of this group have access to the user interface (including mailfilter)
Clientless VPN	Members of this group can use clientless VPN
Mailfilter administrator	Members of this group, in combination with the User Web Interface right, have access to all emails that are temporarily stored in the UTM's mail archive. - Regardless of whether they are legitimate recipients or senders of these emails.
SSL-VPN	Members of this group can establish an SSL VPN connection.
WireGuard	Members of this group can establish a WireGuard connection
User interface administrator	Members of this group can access the Captive Portal user administration via the user interface.

Clientless VPN

Connections created under VPN Clientless VPN are displayed here.

Open clientless VPN administration Here you can configure and add connections.

Caption	Default	Description
Clientless VPN
Name		Name of the connection
Access	Off	If On is activated, members of this group can use this connection.

Further information in the article to Clientless VPN.