Walkthrough - Onboard people to your Airwall secure network with User Authentication

How to set up global user/password authentication for Airwall Agents and Servers connecting to your Airwall secure network.

This walkthrough walks you through setting up authentication for all people connecting to your Airwall secure network.
Note: This walkthrough covers globally onboarding people with authentication. You can also turn on authentication for individual Airwall Agents and Servers.
Supported Versions
Conductor v2.2.10 and later. This walkthrough is based on v3.0, so some things may be slightly different on earlier versions.

The basic steps are:
  1. Require User authentication globally.
  2. Onboard people using People Groups.
  3. Add people as Remote Access Users.

These steps are covered in more detail below.

Note: For pre-2.2.8 Airwall Agents and Servers only: There is an extra step to provide access at the end of this walkthrough.
Best Practice:

Finding the right balance between ease of use and security is an ongoing challenge.

This walkthrough shows how you can easily onboard and provide trust to a person, but you may choose to keep additional security checks in place, like granting the provisioning request based on the Device ID a person gives you.

A balanced option might include automatic onboarding, but only granting trust to a benign device that they can ping for communication verification and then provide final trust to secure environments once information has been verified verbally.

Step 1: Require user authentication globally

  1. Go to SettingsAuthentication, and under Settings, select Edit Settings (in pre-v3.0, this is under Global Airwall agent authentication settings).
  2. Check or set your authentication options:
    • Check Require Airwall agent authentication and select the option for all agents.
    • Under Airwall agent authentication, under Airwall Agent Authentication Provider, select Username and password, or an OpenID Connect (OIDC) third-party authentication provider, if you've set it up. See ../../auth_openid_connect.ditamap.
    • (Optional) You can also set a custom Session timeout or whether people need to log in when they restart their Airwall Agent

    Global Airwall agent authentication settings

    pre v3.0 – Global Airwall agent authentication settings

    For more information, see Configure Authentication Options. You can also require authentication per device on the Airwall Agent or Server page.

Step 2: Onboard People using People Groups

You may also want to Import people using a CSV file.
  1. Set up a People Group, configuring the onboarding options you want to this People group to have. You can add people on the People tab, or add them to the group as you create users in the Conductor.
  2. On the User onboarding tab:
    • Check Provide an activation code for each member.
    • Check Send onboarding email to users if you want to send emails automatically.
    • Pre-configure the General, Airwall, and Groups settings for users when they onboard. Setting these options allows members of the group to activate their connections. For more information, see Connect People's Devices with Activation Codes.
    Note: If you want to configure which version of the Airwall Agent they download, you can set that on the Conductor Settings page under Global Airwall agent settings.
On the People Groups page, you'll see your new group, and to the right, you'll see the Activation Code icon Activation code icon (plug) that indicates every person added to this group will receive an Activation Code. For more information, see Connect People’s Devices with Airwall Invitations or Connect People's Devices with Activation Codes.

Step 3: Add Remote Access Users

  1. Add the people you want to connect to the Conductor. For Remote Access Users, see Connect People as Remote Access Users.
  2. As you save each user, from each person's People page, add users to the people onboarding group created in Step 2.
    1. Under People groups, select Edit.

      Add a person to People groups from their People page

    2. Select the onboarding People group created in Step 2.
  3. The people are sent an onboarding email. If desired, you can send them custom instructions, or point them to one of these help topics: I have a "Finish Setting up my account" email or I have an Activation Code.
    As people click the link in the email to set their password and log in to the Conductor, they'll be directed to the Connect an Airwall Agent page where they can install an Airwall Agent or Server and activate their connections.

What's Next

You can get a report on remote sessions from Visibility > Reports. For more information, see Run Network Activity Reports.

You can see who's remotely logged into your Airwall secure network. See Check Remote Sessions.

You can also see which users have used their Activation codes. See Check Status of People Onboarding.

For pre-2.2.8 Airwall Agents and Servers only) Give the People group access

If you are onboarding people using pre-2.2.8 Airwall Agents and Servers you need to give the People group access by adding them to Overlays and Relay Rules.
On the Overlay these people need to access, add the People group you created as a Viewer (or pre v3.0, as a Member).
Add people group as a viewer of the overlay