User Management & Access Control
Some DrayTek routers have built-in User Management which allows you to provide internet access to wireless and wired users based on their own unique login, stored in the router, or on an external Radius/LDAP server.
This is useful for devices such as shared computers that may have different filtering allowances and quotas that need to be applied depending on which user is logged in, instead of simply checking the IP address of the computer making the request.
Accounts can be restricted by schedules, maximum usage times or bandwidth quotas to control internet access and limit bandwidth usage. Firewall and Content Filtering can be applied to specific users, with a rule for each user, or to a group of users with the same filtering applied to each user.
As an example of its application, the Sales department might not be allowed access to social networking sites except at lunch time, or, in a school, teachers and staff might be permitted more access than pupils. In a home environment, children's access to the internet could be limited to 2 hours online per day, regardless of the device used.
User Management is used to filter access based on user account instead of IP address. When a client attempts to access the internet, they will not be able to do so until their account has been validated by the router. Exceptions to this can be made where necessary for specific IP addresses or subnets, so that User Management can be applied only to specific VLANs, such as a guest network.
The User Management profiles can be configured on the router, or the router can validate accounts through RADIUS or LDAP authentication, with the latter being able to apply different filtering levels to LDAP authenticated users based on their Group.
If the router supports it, the User Profile accounts configured can also be used for authentication of wireless clients using 802.1X or on other devices, such as the Vigor AP910C Access Point with the router's RADIUS server.
Each user account can have a Firewall Rule applied to it, which makes it possible to set up Content Filtering and other firewall settings that would apply to a group of users.
By default, the router will apply the Firewall's Default Rule settings to the user, but if a different Firewall Rule is selected, it will apply the Content Filtering and other settings configured in that rule.
In this example, the Filter Rules have been configured to allow different levels of access to different groups:
- Staff - basic Content Filtering applied
- Students - strict Content Filtering applied with the Web Content Filter, DNS Filter and App Enforcement, to block unwanted software usage and access to websites such as Facebook
When a user accesses the internet through a DrayTek Vigor router with User Management configured on it, they will be presented with a login interface before they can proceed to access the internet.
In its default state, this will be the same as the router's web interface login page, but this can be customised in several ways:
- Custom Text - The title of the login box can be customised (up to 31 characters) and HTML text (up to 511 characters) can be added below the login box
- Custom Logo - A custom logo image can be loaded on to the router, which will be displayed when logging in to User Management or to the router's web administration interface; this can be used with Custom Text
- Blank - The DrayTek logo image can be disabled; this can be used with Custom Text
Once the user has logged in, their browser can be forwarded to a landing page which can display HTML text from the router or forward to an internet address.
User Management can be used to limit how long a user can be logged in to access the internet, and to limit the amount of data that can be downloaded per account, by using the Time and Bandwidth Quota settings in each User Management account profile.
When a user logs in, the router will pop up a status window showing the time and data available. If either of these runs out, the user will not be able to access the internet until these values are reconfigured in the user profile.
The administrator can manually increase the time and data amounts available to the user in the profile, or the router can set these values on an hourly, daily or weekly basis using the schedule facility.
The router's web interface shows a real-time status report of online users. This shows where (IP Address), who and when each user connected, along with the amount of time and data that each user has remaining (if configured). It is also possible to log user login and logoff times to Syslog.
In the example below, Dave Smith's account has a Data Quota with 900MB remaining and will be logged out by the Time Quota in one hour.
Clicking the User name will show options to increase or decrease the remaining quota values from the status window.
The capability of any particular product will vary; please refer to specifications of each product for feature support.