


How To Change The Domain On Softether

Table of contents
  1. 2.2.1 Anonymous Authentication
  2. 2.2.2 Password Authentication
  3. 2.2.3 RADIUS Authentication
    3.1. Authentication Using RADIUS Server
    3.2. RADIUS Settings for Each User and for All Users
  4. 2.2.4 NT Domain and Active Directory Authentication
    4.1. Authentication Using NT Domain Controller or Active Directory Controller
    4.2. NT Domain Authentication Setting for Individual Users and for All Users
  5. 2.2.5 Individual Certificate Authentication
    5.1. Matters Common to Certificate Authentication
    5.2. Client Certificate Authentication by Individual Certificate Authentication
    5.3. Advantages of Individual Certificate Authentication
    5.4. Disadvantages of Individual Certificate Authentication
  6. 2.2.6 Signed Certificate Authentication
    6.1. Client Certificate Authentication by Signed Certificate Authentication
    6.2. Limit of Connectable Certificate by Common Name or Serial Number

With SoftEther VPN, security is ensured by conducting strict user authentication when a new VPN session attempts to connect to a Virtual Hub, to prevent a security violation whereby an unauthorized third party could connect to a Virtual Hub without permission.

In order to conduct user authentication, the Virtual Hub administrator must create users on the SoftEther VPN Server in advance, select from among six types of user authentication, and specify the required parameters.

A type of user authentication can be specified for each created user. For example, you can easily arrange for Mr. A and Mr. B to connect to the VPN by password authentication but have their communications restricted by security policy and access list, while Mr. C can only connect with the stricter certificate authentication but is subject to lenient restrictions.

This section contains a description of each type of user authentication.

2.2.1 Anonymous Authentication

Anonymous authentication is the simplest type of user authentication. If a user set to anonymous authentication exists in a Virtual Hub, anyone who knows the user name can connect to the Virtual Hub and conduct VPN communication. The user name is the only thing such a connection needs to know, so it should be treated as public, and what an anonymous session may do should be restricted by the security policy and access list.

With SoftEther VPN, anonymous authentication is of little use for business networks. Anonymous authentication should be used only in cases such as the following.

  • When providing a Virtual Hub that anybody can connect to over a public IP network such as the Internet.
  • When creating a Virtual Hub on a VPN server in the company LAN that does not require user authentication, for example one through which streaming video can be viewed by anyone who connects.

2.2.2 Password Authentication

Password authentication is the easiest method to use for identifying and authenticating users. A password is set for the user when password authentication is used.

Users are refused access if the password does not match when they attempt to connect to the VPN. Users can change the password registered in the VPN Server themselves at any time using the VPN Client. For details see 4.9 Other Functions.

The passwords for password authentication are registered in the configuration database of the SoftEther VPN Server. At that time the password is hashed by a hash function, so the original password no longer exists on the server. When conducting password authentication, the SoftEther VPN protocol checks passwords by challenge-and-response authentication (digest authentication), so the original password is not transmitted on the network.

The drawbacks of password authentication are as follows.

  • If there are few users, operation can be conducted with no problem, but if there are more than several hundred users, it takes effort to register and delete users. In such cases RADIUS authentication, NT domain authentication or Active Directory authentication is used instead.
  • Password-based authentication carries weaknesses such as the possibility of the password being guessed. Certificate authentication is used if corporate security policy does not recommend password-based authentication and higher security is required.
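The exchange described above, as an added example written for this edit (not SoftEther's own code, and in Go rather than the C the product is written in): the server keeps only a hash of the password, issues a fresh random challenge for each attempt, and checks a keyed MAC over that challenge. The hash construction (SHA-256 over the upper-cased user name and the password) and HMAC-SHA256 as the response function are assumptions; the page does not give SoftEther's actual functions or message layout, only the property that the password itself never goes on the wire.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// StoredHash is what the server keeps instead of the password. SoftEther's real
// hash function and input layout are not given on this page, so SHA-256 over the
// upper-cased user name and the password is an assumption made for this example.
func StoredHash(user, password string) []byte {
	h := sha256.Sum256([]byte(strings.ToUpper(user) + "\x00" + password))
	return h[:]
}

// Response is what the client sends back: a MAC over the server's challenge,
// keyed with the hash the client recomputes from the typed password. Neither
// the password nor the hash crosses the network, only this MAC.
func Response(hash, challenge []byte) []byte {
	m := hmac.New(sha256.New, hash)
	m.Write(challenge)
	return m.Sum(nil)
}

// Server models the VPN Server side: the user database of hashes and the
// challenge currently outstanding for each login attempt.
type Server struct {
	users   map[string][]byte
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string][]byte{}, pending: map[string][]byte{}}
}

// Register stores only the hash; the plaintext password is discarded.
func (s *Server) Register(user, password string) {
	s.users[user] = StoredHash(user, password)
}

// Challenge issues a fresh random value for this attempt. One is issued even for
// unknown user names so that this step does not reveal which names exist.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[user] = c
	return c
}

// Verify recomputes the expected MAC from the stored hash and compares it in
// constant time. The challenge is consumed whatever the outcome, so a captured
// response is useless afterwards.
func (s *Server) Verify(user string, response []byte) error {
	challenge, ok := s.pending[user]
	delete(s.pending, user)
	if !ok {
		return errors.New("no challenge outstanding for this user")
	}
	hash, ok := s.users[user]
	if !ok || !hmac.Equal(Response(hash, challenge), response) {
		return errors.New("authentication failed")
	}
	return nil
}

// ClientLogin plays the client: derive the hash locally and answer the challenge.
func ClientLogin(s *Server, user, password string) error {
	return s.Verify(user, Response(StoredHash(user, password), s.Challenge(user)))
}

// LoginWithStolenHash shows the limit of this design: whoever obtains the stored
// hash can answer the challenge without ever learning the password.
func LoginWithStolenHash(s *Server, user string, hash []byte) error {
	return s.Verify(user, Response(hash, s.Challenge(user)))
}

func main() {
	s := NewServer()
	s.Register("alice", "correct horse battery staple") // constructed sample user
	fmt.Println("correct password:", ClientLogin(s, "alice", "correct horse battery staple"))
	fmt.Println("wrong password:  ", ClientLogin(s, "alice", "password1"))
	fmt.Println("stolen hash:     ", LoginWithStolenHash(s, "alice", StoredHash("alice", "correct horse battery staple")))
}
```

One property of any scheme of this shape is worth knowing: because the server holds only the hash and the client's answer is a function of that hash and the challenge, the stored hash is itself password-equivalent. LoginWithStolenHash shows that a copy of the user database is enough to pass authentication, which is why the configuration database deserves the same protection as the passwords it replaces.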

2-2-1.png

Password authentication.

2.2.3 RADIUS Authentication

Just as with password authentication, RADIUS authentication authenticates a user name and password, but the password is managed by an authentication server that supports the RADIUS protocol rather than by the SoftEther VPN Server. This enables user authentication using the existing company password database. If company employees change their passwords on the RADIUS server, the change also applies to the password for the SoftEther VPN connection, thereby enabling password unification.

Authentication Using RADIUS Server

There are software-based and hardware-based RADIUS servers (authentication servers that support the RADIUS protocol), both of which are widely used. Thus companies and Internet service providers that have a RADIUS-based authentication service can conduct user authentication by RADIUS server.

When a user set to RADIUS authentication attempts to authenticate, the authentication data sent by the user (protected by SSL on the client to VPN Server connection) is forwarded from the SoftEther VPN Server to the RADIUS server configured in advance. Users that pass authentication at the RADIUS server are permitted by the SoftEther VPN Server to connect. In any other case permission is denied (if user authentication fails or if the RADIUS server cannot be reached).

If using RADIUS authentication, the IP address of the SoftEther VPN Server is registered on the RADIUS server side, a password called the "shared secret" is agreed, and then the RADIUS settings of the Virtual Hub are configured. The RADIUS server to be used can be set for each Virtual Hub, and the security settings of Virtual Hubs are independent of each other. The following three items are required to configure the RADIUS server settings for a Virtual Hub.

  • Host name or IP address of the RADIUS server to be used
  • UDP port number of the RADIUS server to be used
  • Shared secret agreed in advance

This information can be obtained from the RADIUS server administrator. The RADIUS server to be used must be set up to allow the Password Authentication Protocol (PAP). Because PAP is used, the password is carried to the RADIUS server protected only by the RADIUS shared-secret hiding, so the shared secret should be long and random and the path between the VPN Server and the RADIUS server should be a trusted network.

The server product name that the SoftEther VPN Server reports to the RADIUS server is "SoftEther VPN Server".

2-2-2.png

RADIUS authentication.

RADIUS Settings for Each User and for All Users

If users in a Virtual Hub are to be authenticated by the RADIUS server, there are the following two methods:

  • If you only want to use RADIUS authentication for some users registered in advance:
    In this case the users who are to use RADIUS authentication are created and RADIUS authentication is set as the authentication method for those users. Then, when such a user attempts to connect to the Virtual Hub, the entered authentication data is verified by the RADIUS server and access is either permitted or denied. If the user name in the Virtual Hub and the user name on the RADIUS server differ, you can specify a separate user name (alias) to present to the RADIUS server.
  • If you want to allow all users registered in the RADIUS server to connect to the Virtual Hub by RADIUS authentication:
    To allow, in principle, all users already registered in the RADIUS server to connect to the Virtual Hub, a user account is created with an asterisk (*) as the user name and RADIUS authentication is set as its type. Then, whatever user name the connection is made under, the user name and authentication data are checked by the RADIUS server, and if they pass, access to the Virtual Hub is permitted. With this method a user that passes RADIUS authentication is accepted even if no user of that name is registered in the Virtual Hub, and the security policy settings of the asterisk (*) user are applied to the session. In other words, the asterisk (*) user serves as a template for VPN sessions connected by this method. If you want to allow all users registered in the RADIUS server except a few to connect, create a user with each name to be denied, set it to RADIUS authentication, and disable access permission in its security policy, so that authentication fails for that name. Note that even when an asterisk (*) user is registered alongside other users in the Virtual Hub, authentication against an explicitly registered user entry is attempted first, and only if it fails is RADIUS authentication conducted via the asterisk (*) user.
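An added example, not part of the SoftEther manual or code, modelling two things this section describes: the lookup order for RADIUS users (explicit entry first, then the asterisk user as template, with an alias for the RADIUS side and a disabled-access entry as the way to deny one name), and the PAP Access-Request the VPN Server has to send, built as RFC 2865 specifies. The HubUser type and its field names, the constructed user database, and the sample shared secret and passwords are assumptions for illustration; the page does not say which RADIUS attribute carries the "SoftEther VPN Server" product name, so NAS-Identifier here is a guess. The text in 2.2.4 describes the same lookup order for NT domain and Active Directory users, so the resolver applies there as well.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// HubUser is a hypothetical model of one Virtual Hub user entry (not SoftEther's real structure).
type HubUser struct {
	Name     string
	AuthType string // "password", "radius", "ntdomain", ...
	Alias    string // optional other name to present to the RADIUS server
	NoAccess bool   // security policy with access permission disabled
}

var ErrDenied = errors.New("access denied by security policy")

// ResolveRadiusUser applies the lookup order the text describes (explicit entry first, "*"
// template only when there is none) and returns the governing entry plus the RADIUS user name.
func ResolveRadiusUser(db map[string]HubUser, login string) (HubUser, string, error) {
	u, ok := db[login]
	if !ok {
		if u, ok = db["*"]; !ok {
			return HubUser{}, "", errors.New("unknown user and no * template")
		}
	}
	if u.AuthType != "radius" {
		return HubUser{}, "", fmt.Errorf("user %q is not set to RADIUS authentication", login)
	}
	if u.NoAccess { // the "allow everyone except a few names" trick from the text
		return HubUser{}, "", ErrDenied
	}
	name := login
	if u.Name != "*" && u.Alias != "" {
		name = u.Alias
	}
	return u, name, nil
}

// papXor is the User-Password transform of RFC 2865 section 5.2 in either direction: each
// 16-byte block is XORed with MD5(secret || previous hidden block), seeded by the Request Authenticator.
func papXor(secret string, auth [16]byte, in []byte, hide bool) []byte {
	out := make([]byte, len(in))
	prev := auth[:]
	for i := 0; i < len(in); i += 16 {
		b := md5.Sum(append([]byte(secret), prev...))
		for j := range b {
			out[i+j] = in[i+j] ^ b[j]
		}
		prev = in[i : i+16] // revealing: the hidden block is the input
		if hide {
			prev = out[i : i+16] // hiding: the hidden block is the output just produced
		}
	}
	return out
}

// PAPHide pads the password with NULs to a multiple of 16 bytes and hides it.
func PAPHide(secret string, auth [16]byte, password string) []byte {
	p := []byte(password)
	if r := len(p) % 16; r != 0 {
		p = append(p, make([]byte, 16-r)...)
	}
	return papXor(secret, auth, p, true)
}

// PAPReveal is what anyone holding the shared secret and a packet capture can do.
func PAPReveal(secret string, auth [16]byte, hidden []byte) string {
	return string(bytes.TrimRight(papXor(secret, auth, hidden, false), "\x00"))
}

func attr(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

// BuildAccessRequest assembles a RADIUS Access-Request (Code 1) with User-Name (1),
// User-Password (2) and NAS-Identifier (32). Carrying the product name in NAS-Identifier is an assumption.
func BuildAccessRequest(id byte, secret, user, password string) ([]byte, [16]byte) {
	var auth [16]byte
	if _, err := rand.Read(auth[:]); err != nil {
		panic(err)
	}
	attrs := attr(1, []byte(user))
	attrs = append(attrs, attr(2, PAPHide(secret, auth, password))...)
	attrs = append(attrs, attr(32, []byte("SoftEther VPN Server"))...)
	pkt := make([]byte, 20, 20+len(attrs))
	pkt[0], pkt[1] = 1, id
	binary.BigEndian.PutUint16(pkt[2:], uint16(20+len(attrs)))
	copy(pkt[4:], auth[:])
	return append(pkt, attrs...), auth
}

func main() {
	pkt, auth := BuildAccessRequest(7, "sh4red-s3cret", "bob", "hunter2") // constructed sample values
	fmt.Printf("Access-Request (%d bytes): %x\n", len(pkt), pkt)
	fmt.Println("User-Password recovered with the secret:", PAPReveal("sh4red-s3cret", auth, pkt[27:43]))
}
```

PAPReveal is the point of the exercise: the RADIUS server must accept PAP, which means the user's password reaches it hidden only by an MD5 keystream derived from the shared secret. The SSL mentioned above protects the client to VPN Server leg, not the VPN Server to RADIUS leg, so the shared secret needs to be long and random and the RADIUS traffic should stay on a trusted network segment.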

2.2.4 NT Domain and Active Directory Authentication

NT domain and Active Directory authentication are methods whereby a user name and password are authenticated, just as with password authentication, but the passwords are managed by the NT domain controller of Windows NT 4.0 Server or later, or by the Active Directory controller of Windows Server, rather than by the SoftEther VPN Server. This enables user authentication using the existing company password database. If company employees change their passwords in the Windows domain, the change also applies to the password for the SoftEther VPN connection, thereby enabling password unification.

Authentication Using NT Domain Controller or Active Directory Controller

Windows domains based on Windows Server are already widely used. Thus companies and Internet service providers that have a Windows domain based authentication service can conduct user authentication by NT domain controller or Active Directory controller.

When a user set to NT domain or Active Directory authentication attempts to authenticate, the authentication data sent by the user (protected by SSL on the client to VPN Server connection) is passed from the SoftEther VPN Server to the NT domain controller or Active Directory controller. Users that pass authentication at the domain controller are permitted by the SoftEther VPN Server to connect. In any other case permission is denied (if user authentication fails or if the domain controller cannot be reached).

If using NT domain or Active Directory authentication, the SoftEther VPN Server must be joined to the Windows domain to be used. A SoftEther VPN Server joined to the Windows domain can conduct NT domain or Active Directory authentication for users set to that method without any special setting; unlike RADIUS authentication, no per-Virtual Hub server settings are needed.

In order to conduct NT domain or Active Directory authentication, the SoftEther VPN Server performing the authentication must be running on an NT-based Windows that is capable of joining a domain. SoftEther VPN Servers running on Windows 98, Windows 98 Second Edition or Windows Millennium Edition, or on Linux, FreeBSD, Solaris or Mac OS X, cannot conduct NT domain or Active Directory authentication. In that case, even if a user's authentication method is set to "NT domain" or "Active Directory", authentication will not work.

2-2-3.png

NT domain or Active Directory authentication.

NT Domain Authentication Setting for Individual Users and for All Users

If users in a Virtual Hub are to be authenticated by the NT domain controller or Active Directory controller, there are the following two methods:

  • If you only want to use NT domain or Active Directory authentication for some users registered in advance:
    In this case the users who are to use NT domain or Active Directory authentication are created and that method is set as their authentication method. Then, when such a user attempts to connect to the Virtual Hub, the entered authentication data is verified by the domain controller and access is either permitted or denied. If the user name in the Virtual Hub and the user name in the domain differ, you can specify a separate user name (alias) to present to the domain controller.
  • If you want to allow all users registered in the NT domain controller or Active Directory controller to connect to the Virtual Hub by NT domain or Active Directory authentication:
    To allow, in principle, all users already registered in the domain to connect to the Virtual Hub, a user account is created with an asterisk (*) as the user name and NT domain or Active Directory authentication is set as its type. Then, whatever user name the connection is made under, the user name and authentication data are checked by the domain controller, and if they pass, access to the Virtual Hub is permitted. With this method a user that passes domain authentication is accepted even if no user of that name is registered in the Virtual Hub, and the security policy settings of the asterisk (*) user are applied to the session. In other words, the asterisk (*) user serves as a template for VPN sessions connected by this method. If you want to allow all domain users except a few to connect, create a user with each name to be denied, set it to NT domain or Active Directory authentication, and disable access permission in its security policy, so that authentication fails for that name. Note that even when an asterisk (*) user is registered alongside other users in the Virtual Hub, authentication against an explicitly registered user entry is attempted first, and only if it fails is NT domain or Active Directory authentication conducted via the asterisk (*) user.

2.2.5 Individual Certificate Authentication

Matters Common to Certificate Authentication

With password authentication, RADIUS authentication, and NT domain and Active Directory authentication, user authentication is achieved by the VPN client side proving that it is authorized to connect to the SoftEther VPN Server by means of a user name and password. Password-based user authentication generally offers sufficient security, but if corporate security policy does not recommend using passwords for user authentication, user authentication must be conducted using a more secure method called certificate authentication (also called PKI authentication). There are two kinds of certificate authentication: individual certificate authentication and signed certificate authentication. Each user may select the kind that best suits their needs. A SoftEther VPN Client that connects to a SoftEther VPN Server in client certificate authentication mode can store the certificate and private key either on the client computer's hard disk or on an external smart card.

With certificate authentication, when the connecting computer attempts to connect to the Virtual Hub it presents a user name together with an X.509 certificate. The SoftEther VPN Server checks whether that certificate is acceptable for that user, and the connecting computer is only allowed to connect if it passes.

The connecting computer must possess the certificate and a private key (RSA private key) corresponding to the public key in the certificate it presents. The certificate is sent from the connecting computer to the VPN Server, but the private key is never transmitted. Next, the VPN Server sends random data (called the challenge value) to the client. The client signs it with the private key it possesses and returns the signature. The VPN Server verifies the signature using the public key in the certificate received earlier, and thereby confirms that the client computer holds both the certificate and the corresponding private key (if this cannot be confirmed, user authentication fails on the spot). It then checks whether the certificate presented by the client matches the attributes defined for that user as authentication data. Either individual certificate authentication or signed certificate authentication can be selected as the checking method at this point.

Certificates that can be used with SoftEther VPN are in X.509 format. RSA is used as the PKI algorithm, and the bit length of the public and private keys is 1,024 or 2,048 bits. X.509 certificates of version 1 and later can be used, but some extension fields are not supported (their contents are ignored), so no restriction expressed only in such an extension can be relied on; use the per-user Common Name and serial number limits described in 2.2.6 instead. The subject fields that are recognized by all SoftEther VPN modules are "CN", "O", "OU", "C", "ST" and "L".

Certificates which have expired, and those registered in the list of invalid certificates that can be set per Virtual Hub, are recognized as invalid, and user authentication with them always fails.

2-2-4.png

Certificate authentication.

Client Certificate Authentication by Individual Certificate Authentication

With individual certificate authentication, certificate data is registered for the user in the Virtual Hub's user database, and permission to connect is granted if the certificate presented by the user exactly matches the previously registered certificate.

Advantages of Individual Certificate Authentication

Individual certificate authentication is the easiest way to use SoftEther VPN's certificate authentication function. Especially when the number of users using certificate authentication ranges from a few to a few tens, the VPN system can be operated satisfactorily with individual certificate authentication. As for the specific method of operation, the Virtual Hub administrator creates several X.509 certificates, registers them one by one in the Virtual Hub, and transfers each certificate and private key to its user by a secure method (e-mail within the company LAN, a shared folder or a smart card); the user can then use them to connect to the Virtual Hub of the VPN Server at any time. Conversely, the user can create the certificate and have it registered by transferring only the certificate to the Virtual Hub administrator (this method is more secure because the private key never leaves the user's possession).

The private key and X.509 certificate can be created with any utility (freeware or commercially available software) that supports existing PKIs. The X.509 certificate file and private key file can also be created with the certificate creation tool of SoftEther VPN Server Manager or the MakeCert command of the SoftEther VPN command line management utility (vpncmd) (see 6. Command Line Management Utility Manual). These simple utilities support creation of both self-signed certificates and signed certificates.

Disadvantages of Individual Certificate Authentication

Individual certificate authentication is difficult to use if there are a large number of users that need to be registered, or if a PKI has already been adopted by the company and each employee has a private key in a smart card (employee ID card, etc.). In such a case we recommend selecting signed certificate authentication.

2.2.6 Signed Certificate Authentication

Client Certificate Authentication by Signed Certificate Authentication

Signed certificate authentication is convenient when the company CA (Certificate Authority) distributes an X.509 certificate and private key file to each individual employee. It is also useful if a PKI has not yet been adopted but you want to allow a large number of users to access the Virtual Hub using certificate authentication. The requirements for using this method are as follows.

  • An X.509 certificate and corresponding private key must be distributed to each user who accesses the Virtual Hub, by file or smart card.
  • The certificate of each user is signed by the root certificate (or an intermediate certificate) and private key held by the company CA, forming a tree-structured trust relationship.

If using signed certificate authentication, the root certificate (or intermediate certificate) that signed the user certificates is registered in the list of CA certificates trusted by the Virtual Hub.

Next, a new user is created and signed certificate authentication is set as the authentication method for that user. Then, if the certificate presented by a client computer connecting under that user name is confirmed to be signed by a certificate in the trusted CA list registered in the Virtual Hub, that client computer passes user authentication.

With this method, however, every employee holding a certificate issued by the company root CA is treated equally. If, for example, you want to differentiate users who are allowed a wider range of protocols, this method is used together with the method of limiting connectable certificates by serial number or Common Name, described next.

Limit of Connectable Certificate by Common Name or Serial Number

An X.509 certificate contains a Common Name (CN) and a serial number. By restricting the Common Name and/or the serial number for a user, access is denied both when it cannot be confirmed that the certificate is signed by a CA trusted by the Virtual Hub and when one or both of these items do not match exactly.

Using this function, by creating users that can connect only with a certificate of a particular serial number or CN value signed by a trusted certificate, security policy and the like can be differentiated according to the type of certificate.
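An added example (not SoftEther code; Go, chosen for its standard-library X.509 support) that walks through the exchange described in this section and both checking methods: possession of the private key is proven by signing a random challenge, then the presented certificate is either compared byte-for-byte with the registered one (individual certificate authentication, 2.2.5) or chained to the Virtual Hub's trusted CA list and optionally restricted by Common Name and serial number (signed certificate authentication, 2.2.6). The HubCertUser type, the company CA and user names, and SHA-256 with PKCS#1 v1.5 as the challenge signature format are assumptions; the page does not give SoftEther's signature scheme, and the per-hub list of invalid certificates is not modelled.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HubCertUser is a hypothetical model of a Virtual Hub user set to certificate authentication.
type HubCertUser struct {
	Mode       string            // "individual" or "signed"
	Registered *x509.Certificate // individual: the one certificate allowed to connect
	CN         string            // signed: required Common Name ("" = any)
	Serial     int64             // signed: required serial number (0 = any)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue creates an RSA-2048 certificate for cn signed by parent, or self-signed when parent is nil.
func Issue(cn string, serial int64, ca bool, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// Signer is the client's side of the exchange: sign the server's challenge with the private key.
func Signer(key *rsa.PrivateKey) func([]byte) []byte {
	return func(challenge []byte) []byte {
		h := sha256.Sum256(challenge)
		return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
	}
}

// Authenticate is the server's side: first the client must prove possession of the private key
// for the certificate it presented, then the per-user check runs, either an exact match with the
// registered certificate (individual) or a chain to a trusted CA plus CN / serial limits (signed).
func Authenticate(u HubCertUser, presented *x509.Certificate, client func([]byte) []byte, trustedCAs ...*x509.Certificate) error {
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	h := sha256.Sum256(challenge)
	if pub, ok := presented.PublicKey.(*rsa.PublicKey); !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], client(challenge)) != nil {
		return errors.New("possession of the private key for the presented certificate not proven")
	}
	switch u.Mode {
	case "individual":
		if !bytes.Equal(u.Registered.Raw, presented.Raw) {
			return errors.New("certificate differs from the registered one")
		}
		return nil
	case "signed":
		roots := x509.NewCertPool() // the hub's trusted CA list; Verify also enforces expiry
		for _, ca := range trustedCAs {
			roots.AddCert(ca)
		}
		if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
			return fmt.Errorf("not signed by a trusted CA: %w", err)
		}
		if u.CN != "" && presented.Subject.CommonName != u.CN {
			return errors.New("Common Name does not match")
		}
		if u.Serial != 0 && presented.SerialNumber.Int64() != u.Serial {
			return errors.New("serial number does not match")
		}
		return nil
	}
	return errors.New("unknown certificate authentication mode")
}

func main() { // constructed scenario: a company CA, one employee, and a self-signed impostor copying her CN and serial
	ca, caKey := Issue("Example Corp CA", 1, true, nil, nil)
	alice, aliceKey := Issue("alice", 1001, false, ca, caKey)
	impostor, impostorKey := Issue("alice", 1001, false, nil, nil)
	onlyAlice := HubCertUser{Mode: "signed", CN: "alice", Serial: 1001}
	fmt.Println("genuine cert: ", Authenticate(onlyAlice, alice, Signer(aliceKey), ca))
	fmt.Println("impostor cert:", Authenticate(onlyAlice, impostor, Signer(impostorKey), ca))
}
```

The self-signed impostor in main shows why the Common Name and serial number limits are only meaningful on top of chain validation: both values are chosen freely by whoever makes a certificate, and serial numbers are unique only within one CA, so the restriction identifies a certificate only among those a trusted CA actually issued.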

Source: https://www.softether.org/4-docs/1-manual/2._SoftEther_VPN_Essential_Architecture/2.2_User_Authentication
