SonicWall SonicOS, SonicOSX 7 Administration Guide

SonicOS and SonicOSX 7 Users Administration Guide for the TZ and NSv Series
Contents
Configuring Users Status
Logging Out Users
Logging Out a Single User
Logging Out Multiple Users
Displaying Inactive Users
Displaying Unauthenticated Users
Displaying the User Count
Refreshing the Users List
Configuring User Settings
User Login Settings
Setting the Authentication Method for Login
Setting the Single-Sign-On Methods
Requiring User Names be Treated as Case-Sensitive
Preventing Users From Logging in from More than One Location
Forcing Users to Log In Immediately After Changing Their Passwords
Displaying User Login Information Since the Last Login
Setting the Timeout for the Authentication Page
Setting How the Browser is Redirected
Managing Redirections to the Login Page
Using a CHAP challenge to Authenticate Users
Redirecting Unauthenticated Users
Adding URLs to Authentication Bypass
User Session Settings for SSO-Authenticated Users
User Session Settings for Web Login
Configuring RADIUS Accounting
Configuring TACACS+ Accounting
Deleting a Guest Account
Deleting Multiple Guest Accounts
Deleting All Guest Accounts
Logging Out Guests
Logging Out All Guests
Using Two-Factor Authentication
Enforcing First Login Password Change
Quota Control for all Users
Viewing Local Users
Adding Local Users
Editing Local Users
Adding Local Groups
Editing Local Groups

Configuring Users Status

NOTE: References to SonicOS/X indicate that the functionality is available in both SonicOS and SonicOSX.
The Users > Status page displays the Active User Sessions on the firewall. IPv4 and IPv6 IP addresses are accepted/displayed in the Active User Sessions table.
The Active User Sessions table lists:
- User Name
- IP Address
- Session Time
- Time Remaining
- Inactivity Remaining
- Type/Mode
- Settings
- Logout
Topics:
- Logging Out a Single User
- Logging Out Multiple Users
- Displaying Inactive Users
- Displaying Unauthenticated Users
- Displaying the User Count
- Refreshing the Users List

Logging Out Users

Topics:
- Logging Out a Single User
- Logging Out Multiple Users

Logging Out a Single User

To log out a user:
1. Navigate to the Users > Status page.
2. Select the user you would like to log out.
3. Click Logout Selected Users.

Logging Out Multiple Users

To log out multiple users:
1. Navigate to the Users > Status page.
2. Select the checkbox at the top left of the list, just below the Search icon, to select all of the users currently displayed.
3. Click Logout Selected Users.

Displaying Inactive Users

By default, only active users are displayed in the Users list.
To display inactive users:
1. Navigate to the Users > Status page.
2. Click the slider next to Include Inactive Users above the list.
Inactive users will now also be displayed in the Users list.

Displaying Unauthenticated Users

To display unauthenticated users:
1. Navigate to the Users > Status page.
2. Click the slider next to Show Unauthenticated Users above the list.
Unauthenticated users will now also be displayed in a separate Unauthenticated Users list below the Users list.

Displaying the User Count

To display the current user count:
1. Navigate to the Users > Status page.
2. Click the Show User Count icon on the far right of the toolbar above the Users list.
   The User Counts window displays:
   - User Type
   - Active
   - Inactive
   - Total
3. Click the X on the top right of the User Counts window to close it.

Refreshing the Users List

To refresh the Users list:
1. Navigate to the Users > Status page.
2. Click the Refresh icon on the far right of the toolbar above the Users list.

Configuring User Settings

In addition to the regular authentication methods, SonicOS/X allows you to use Lightweight Directory Access Protocol (LDAP) to authenticate users. LDAP is compatible with Microsoft’s Active Directory.
For SonicWall appliances, you can select the SonicWall Single Sign-On Agent to provide Single Sign-On functionality. Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single workstation login. SonicWall network security appliances provide SSO functionality using the SonicWall Single Sign-On Agent (SSO Agent) to identify user activity based on workstation IP address when Active Directory is being used for authentication. The SonicWall SSO Agent must be installed on a computer in the same domain as Active Directory.
Topics:
- User Login Settings
- One-Time Password Settings
- Configuring the User Web Login Settings
- User Session Settings

User Login Settings

Topics:
- Setting the Authentication Method for Login
- Setting the Single-Sign-On Methods
- Requiring User Names be Treated as Case-Sensitive
- Preventing Users From Logging in from More than One Location
- Forcing Users to Log In Immediately After Changing Their Passwords
- Displaying User Login Information Since the Last Login

Setting the Authentication Method for Login

To set the authentication method for login:
1. Navigate to the Users > Settings page.
2. Select one of the following authentication methods from Authentication method for login:
   - Local Users – To configure users in the local database using the Users > Local Users and Users > Local Groups pages. For information on configuring local users and groups, refer to Configuring Local Users and Configuring Local Groups.
   - RADIUS – If you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the SonicWall. If you select Use RADIUS for user authentication, users must log into the SonicWall using HTTPS in order to encrypt the password sent to the SonicWall. If a user attempts to log into the SonicWall using HTTP, the browser is automatically redirected to HTTPS. For information on configuring RADIUS, refer to Configuring RADIUS.
   - RADIUS + Local Users – If you want to use both RADIUS and the SonicWall local user database for authentication. For information on configuring RADIUS, refer to Configuring RADIUS.
   - LDAP – If you use a Lightweight Directory Access Protocol (LDAP) server or Microsoft Active Directory (AD) server to maintain all your user account data. For information about configuring LDAP, refer to Configuring LDAP.
   - LDAP + Local Users – If you want to use both LDAP and the SonicWall local user database for authentication. For information about configuring LDAP, refer to Configuring LDAP.
   - TACACS+ – If you use Terminal Access Controller Access-Control System Plus (TACACS+) protocol for authentication.
   - TACACS+ + Local Users – If you use Terminal Access Controller Access-Control System Plus (TACACS+) protocol and the SonicWall local user database for authentication.
3. Click Update.

Setting the Single-Sign-On Methods

The Single-sign-on method(s) setting displays the status of the available methods. You can enable or disable methods, or click Configure to configure a single-sign-on method.
To set the single-sign-on methods:
1. Navigate to the Users > Settings page.
2. Enable or disable the methods, or click Configure to configure a single-sign-on method. These methods are available:
   - SSO Agent – Configure the SSO Agent if you are using Active Directory for authentication and the SonicWall SSO Agent is installed on a computer in the same domain.
   - Terminal Services Agent – Configure the SSO Agent if you are using Terminal Services and the SonicWall Terminal Services Agent (TSA) is installed on a terminal server in the same domain.
   - Browser NTLM Authentication – Configure Browser NTLM Authentication if you want to authenticate Web users without using the SonicWall SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP), for access to MSCHAP authentication.
   - RADIUS Accounting – Configure RADIUS Accounting if you want a network access server (NAS) to send user login session accounting messages to an accounting server.
   - 3rd Party API – Configure the XML-/JSON-based REST API for third-party devices or scripts to pass user login/logout notifications to the firewall.
3. Click Update.

Requiring User Names be Treated as Case-Sensitive

To require that user names are treated as case-sensitive:
1. Navigate to the Users > Settings page.
2. Select Case-sensitive user names. (This option is selected by default.)
3. Click Update.

Preventing Users From Logging in from More than One Location

To prevent users from logging in from more than one location at a time:
1. Navigate to Users > Settings.
2. Select Enforce login uniqueness. (This option is not selected by default.)
3. Click Update.

Forcing Users to Log In Immediately After Changing Their Passwords

To force the user to log in immediately after changing the password:
1. Navigate to Users > Settings.
2. Select Force relogin after password change. (This option is not selected by default.)
3. Click Update.

Displaying User Login Information Since the Last Login

To display user login information since the last login:
1. Navigate to the Users > Settings page.
2. Select Display user login info since last login. (This option is not selected by default.)
3. Click Update.

One-Time Password Settings

To configure the one-time password settings:
1. Navigate to Users > Settings.
2. For the One-time password Email format, choose an email format:
   - Plain Text
   - HTML
3. For the One-time password format, select the password format:
   - Characters
   - Characters + Numbers
   - Numbers
4. In the One-time password length beginning and ending fields, enter the minimum and maximum length of the password. The length must be between 4 and 14 characters. The default for both fields is 10 characters.
5. Click Update.

Configuring the User Web Login Settings

Topics:
- Setting the Timeout for the Authentication Page
- Setting How the Browser is Redirected
- Managing Redirections to the Login Page
- Using a CHAP challenge to Authenticate Users
- Redirecting Unauthenticated Users
- Adding URLs to Authentication Bypass

Setting the Timeout for the Authentication Page

While the login authentication page is displayed, it uses system resources. By setting a limit on how long a login can take before the login page is closed, you free up those resources.
To set the timeout for the Authentication Page:
1. Navigate to Users > Settings.
2. In the Show user authentication page for (minutes) field, enter the number of minutes that users have to log in with their username and password before the login page times out. If it times out, a message displays informing them what they must do before attempting to log in again. The default time is 1 minute.
3. Click Update.

Setting How the Browser is Redirected

To set how the browser is redirected:
1. Navigate to Users > Settings > Web Login.
2. From Redirect the browser to this appliance via, choose one of the following options to determine how a user’s browser is initially redirected to the SonicWall appliance’s Web server:
   - The interface IP address – Select this to redirect the browser to the IP address of the appliance Web server interface. This option is selected by default.
   - Its domain name from a reverse DNS lookup of the interface IP address – When clicked, displays the appliance Web server’s Interface, IP Address, DNS Name, and TTL (in seconds). This option is not selected by default.
   - Its configured domain name – Select to enable redirecting to a domain name configured on the System > Administration page.
     NOTE: This option is available only if a domain name has been specified on the System > Administration page. Otherwise, this option is dimmed. To enable redirection to a configured domain name, set the firewall’s domain name on the System > Administration page. Redirection is allowed when an imported certificate has been selected for HTTPS web management of that page.
   - The name from the administration certificate – Select to enable redirecting to a configured domain name with a properly signed certificate. Redirecting to the name from this administration certificate is allowed when an imported certificate has been selected for HTTPS web management on that page.
     NOTE: This option is available only if a certificate has been imported for HTTPS management in the Web Management Settings section of the System > Administration page. Otherwise, this option is dimmed.
   TIP: If you are using imported administration certificates, use this option. If you are not going to use an administration certificate, select Its configured domain name.
3. Click Update.
To do HTTPS management without the browser displaying invalid-certificate warnings, you need to import a certificate properly signed by a certification authority (administration certificate) rather than use the internally generated self-signed one. This certificate must be generated for the appliance and its host domain name. A properly signed certificate is the best way to obtain an appliance’s domain name.
If you use an administration certificate, then to avoid certificate warnings, the browser needs to redirect to that domain name rather than to the IP address. For example, if you browse the internet and are redirected to log in at https://gateway.SonicWall.com/auth.html, the administration certificate on the appliance says that the appliance really is gateway.sonicwall.com, so the browser displays the login page. If you are redirected to https://10.0.02/auth.html, however, even though the certificate says it is gateway.sonicwall.com, the browser has no way to tell if that is correct, so it displays a certificate warning instead.
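The name check behind the two redirect cases above, as an added example (not SonicWall code): a simplified model of how a browser compares the host in the redirect URL with the names in the certificate. The subject alternative name list and the interface address 10.0.0.2 are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list for the appliance's imported administration certificate.
ADMIN_CERT_SANS = [("DNS", "gateway.sonicwall.com")]

def _dns_match(pattern, host):
    """Case-insensitive name match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def redirect_target_matches(url, sans):
    """True if the certificate's names cover the host the browser was redirected to."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # An IP literal is compared only with IP-type entries, never with DNS names.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False

def check(url, sans=ADMIN_CERT_SANS):
    """Report what the user sees after the redirect."""
    return "login page" if redirect_target_matches(url, sans) else "certificate warning"

if __name__ == "__main__":
    for u in ("https://gateway.SonicWall.com/auth.html", "https://10.0.0.2/auth.html"):
        print(u, "->", check(u))
```

The mixed-case host name still matches because DNS names compare case-insensitively; the IP redirect fails because the certificate carries no IP-type entry for that address.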

Managing Redirections to the Login Page

Limiting redirections to the login page prevents the SonicWall appliance’s web server from being overloaded when HTTP/HTTPS connections that would otherwise be redirected there are repeatedly opened at a high rate by some unauthorized users.
To manage redirections to the login page:
1. Navigate to Users > Settings > Web Login.
2. In the Limit redirecting users to field, enter the number of times per minute per user. The default value is 10 times.
3. To further limit redirects of the same page, select the Don’t redirect repeated gets of the same page option. This option is selected by default.
4. If the session does not need to be encrypted, select Redirect users from HTTPS to HTTP on completion of login.
5. Click Update.