Elektron Accounts
Elektron maintains an internal database of users and groups. This can be useful when you would like to keep your network access authentication separate from your other authentication stores, such as Active Directory or Open Directory.
To configure Elektron accounts, use the Elektron Accounts and Elektron Account Groups panes. The following options are available when configuring an Elektron user account:
- Username This is the username that will be used to log in to the wireless network. This can be a simple, unadorned username such as “alice”, or may have a domain appended, such as “alice@periodiklabs.com”. Similarly, a Windows-style domain can be prepended, such as “PERIODIKLABS\alice”, but Elektron stores domain names in “user@domain” format, so any usernames entered in the Windows format will be converted.
- Full Name This is the user’s real name, such as “Alice Smith”. It is used for display purposes, and is optional.
- Password This is the password that will be required of the user when logging into the network. You should select a password that is difficult to guess, and include in it mixed-case letters, numbers, and punctuation characters. Avoid words that appear in the dictionary. The tab and carriage return characters are not allowed in passwords. Spaces, however, are allowed, so you can create multi-word passphrases.
- Store Password in Reversible Format With this option selected, the account password will be stored on disk in an easily decoded format. Leaving this option disabled makes the server more secure by storing passwords only in a hashed format, but protocols that require the server to maintain a database of plain text passwords will not be able to authenticate. In this release of the server, the only protocol that requires plain text passwords is CHAP. For users with non-reversible passwords accessing the server via TTLS, an inner authentication method other than CHAP must be selected (PAP is the most common). For PEAP, an inner authentication method other than EAP-MD5-Challenge must be selected (EAP-MS-CHAP-V2 and EAP-GTC are most common).
- User Can Administer Elektron If you have enabled Elektron remote administration, selecting this option will allow this account to be used for administration.
- Account is Disabled With this option enabled, the account will not be able to be used to log in to the network. The account can be used to administer Elektron, however. The purpose of this is to allow you to create an account that can be used for administration but not for network login.
- Group Membership Check the box next to the group name to add the Elektron account to a specific group. Groups are useful for creating authorization policies.
You can import multiple accounts from a text file containing a tab-delimited or comma-separated list of account information, where each line is of the form:
username<tab or comma>real name<tab or comma>password
The real name is optional, while the username and password are required. Duplicate usernames and illegally formatted lines are ignored. For example, to add the username “alice” with the password “foobar” and no real name in comma-separated value (CSV) format, the entry in the import file would look like:
alice,,foobar
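Because duplicate and badly formatted lines are ignored rather than reported, it helps to check an import file before loading it. The following pre-import check is an added example, not part of Elektron or its documentation; it applies the rules stated above to a constructed sample file and lists the lines that would be skipped. Assumptions: the delimiter is detected per line, fields are not quoted, the first occurrence of a duplicate username is the one kept, and Windows-style names in the file are converted to “user@domain” as they are when entered in the pane.

```python
SAMPLE = (  # constructed sample import file, not from the Elektron documentation
    "alice,,foobar\n"
    "PERIODIKLABS\\bob,Bob Jones,correct horse battery\n"
    "carol\tCarol Wu\tp,w0rd!\n"
    "alice,Alice Smith,other\n"
    "dave,Dave\n"
    "erin,Erin Roe,\n"
    "frank,Frank Li,pa,ss\n"
)

def normalize_username(name):
    """Rewrite DOMAIN\\user as user@DOMAIN, the form the page says is stored."""
    domain, sep, user = name.partition("\\")
    return f"{user}@{domain}" if sep else name

def check_line(line):
    """Return ((username, real_name, password), None) or (None, reason)."""
    # Assumption: a line containing a tab is tab-delimited, otherwise comma-delimited.
    fields = line.split("\t" if "\t" in line else ",")
    if len(fields) != 3:
        # Also catches a delimiter inside the password (no quoting is assumed).
        return None, f"expected 3 fields, found {len(fields)}"
    username, real_name, password = fields
    if not username or not password:
        return None, "username and password are required"
    if "\r" in password:
        return None, "carriage return is not allowed in a password"
    return (normalize_username(username), real_name, password), None

def lint_import(text):
    """Split an import file into accounts that load and lines that would be skipped."""
    accounts, skipped, seen = [], [], set()
    for number, line in enumerate(text.split("\n"), start=1):
        line = line.rstrip("\r")  # tolerate CRLF line endings
        if not line:
            continue
        account, reason = check_line(line)
        if account and account[0] in seen:
            account, reason = None, "duplicate username"  # assumption: first entry wins
        if account:
            seen.add(account[0])
            accounts.append(account)
        else:
            skipped.append((number, reason))
    return accounts, skipped

if __name__ == "__main__":
    for number, reason in lint_import(SAMPLE)[1]:
        print(f"line {number}: {reason}")
```

The report prints line numbers and reasons only, never the passwords, so it can be kept in a change record. Under these assumptions, a password containing a comma survives in a tab-delimited line (line 3) but makes a comma-separated line malformed (line 7).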
Elektron® is a registered trademark of Periodik Labs LLC