Configuring User Settings
In addition to the authentication methods available in SonicOS Standard, SonicOS Enhanced allows you to use Lightweight Directory Access Protocol (LDAP) to authenticate users. LDAP is compatible with Microsoft’s Active Directory.
For SonicWALL appliances running SonicOS Enhanced 4.0 and higher, you can select the SonicWALL Single Sign-On Agent to provide Single Sign-On functionality. Single Sign-On (SSO) is a transparent user authentication mechanism that provides privileged access to multiple network resources with a single workstation login. SonicWALL PRO and TZ series security appliances running SonicOS Enhanced 4.0 and higher provide SSO functionality using the SonicWALL Single Sign-On Agent (SSO Agent) to identify user activity based on workstation IP address when Active Directory is being used for authentication. The SonicWALL SSO Agent must be installed on a computer in the same domain as Active Directory.
Refer to the following to configure user settings:
User Login Settings
To configure the user login settings, complete the following:
1. Navigate to the Users > Settings page.
2. Select one of the following authentication methods from the Authentication method for login pull-down list:
Local Users—To configure users in the local database using the Users > Local Users and Users > Local Groups pages. For information on configuring local users and groups, refer to Configuring Local Users and Configuring Local Groups.
RADIUS—If you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the SonicWALL. If you select Use RADIUS for user authentication, users must log into the SonicWALL using HTTPS in order to encrypt the password sent to the SonicWALL. If a user attempts to log into the SonicWALL using HTTP, the browser is automatically redirected to HTTPS. For information on configuring RADIUS, refer to Configuring RADIUS for SonicOS Enhanced.
RADIUS + Local Users—If you want to use both RADIUS and the SonicWALL local user database for authentication. For information on configuring RADIUS, refer to Configuring RADIUS for SonicOS Enhanced.
LDAP—If you use a Lightweight Directory Access Protocol (LDAP) server or Microsoft Active Directory (AD) server to maintain all your user account data. For information about configuring LDAP, refer to Configuring LDAP and Active Directory.
LDAP + Local Users—If you want to use both LDAP and the SonicWALL local user database for authentication. For information about configuring LDAP, refer to Configuring LDAP and Active Directory.
3. The Single-sign-on method(s) field displays the status of the available method(s). You can enable/disable methods, or click the configure button to configure a single-sign-on method. The following methods are available:
SSO Agent — Configure the SSO Agent if you are using Active Directory for authentication and the Dell SonicWALL SSO Agent is installed on a computer in the same domain.
Terminal Services Agent — Configure the SSO Agent if you are using Terminal Services and the Dell SonicWALL Terminal Services Agent (TSA) is installed on a terminal server in the same domain.
Browser NTLM Authentication — Configure Browser NTLM Authentication if you want to authenticate Web users without using the Dell SonicWALL SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP), for access to MSCHAP authentication.
RADIUS Accounting — Configure RADIUS Accounting if you want a network access server (NAS) to send user login session accounting messages to an accounting server.
Refer to Configuring Single Sign-On for details.
4
5
6
7. Select Redirect users from HTTPS to HTTP on completion of login if the session does not need to be encrypted.
8. If using RADIUS authentication (and if the RADIUS server supports it), a CHAP challenge can be used to authenticate users during web login. Click Allow HTTP login with RADIUS CHAP mode to enable this. This option is only available when the Authentication method for login is RADIUS or RADIUS+Local Users.
9. Select Force relogin after password change to force the user to log in immediately after changing the password.
One-Time Password Settings
To configure the one-time password settings, complete the following:
1
2
3
User Web Login Settings
To configure the user web login settings, complete the following:
1
2
3. Select Redirect users from HTTPS to HTTP on completion of login if the session does not need to be encrypted.
4. If using RADIUS authentication (and if the RADIUS server supports it), a CHAP challenge can be used to authenticate users during web login. Click Allow HTTP login with RADIUS CHAP mode to enable this. This option is only available when the Authentication method for login is RADIUS or RADIUS+Local Users.
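An added example, not part of the SonicWALL documentation: the CHAP exchange that Allow HTTP login with RADIUS CHAP mode relies on, using the standard RFC 1994 response and RFC 2865 attribute encoding. The split into login side, NAS (the appliance) and RADIUS server, and all function names, are assumptions for illustration; the page does not describe SonicOS internals.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # RADIUS attribute type, RFC 2865 section 5.3
CHAP_CHALLENGE = 60  # RADIUS attribute type, RFC 2865 section 5.40


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Login side (RFC 1994): MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def nas_attributes(ident: int, response: bytes, issued_challenge: bytes) -> bytes:
    """NAS side (assumed role): forward the response with the challenge the NAS issued."""
    return (attribute(CHAP_PASSWORD, bytes([ident]) + response)
            + attribute(CHAP_CHALLENGE, issued_challenge))


def parse_attributes(data: bytes) -> dict:
    """Decode a run of RADIUS attributes, rejecting malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def radius_verify(data: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the hash, which needs the cleartext password."""
    attrs = parse_attributes(data)
    chap_password = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, b"")
    if len(chap_password) != 17 or not challenge:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])
```

The password never appears in the forwarded attributes, and a response computed for one challenge does not verify against a different one. Only the login exchange is protected this way; everything else sent over HTTP remains unencrypted.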
User Session Settings
The settings listed below apply to all users when authenticated through the SonicWALL. To configure user session settings, expand the Users tab and click on the Settings tab.
The following options are configured in the User Session Settings section:
Inactivity timeout (minutes): you are logged out of the SonicWALL after a preconfigured length of inactivity time. Enter the number of minutes in this field. The default value is five minutes.
Enable login session limit: you can limit the time a user is logged into the SonicWALL by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
Login session limit (minutes): defines how much time you have to log in before the login page times out. If it times out, a message displays saying you must click before attempting to log in again.
Show user login status window with logout: causes a status window to display with a Log Out button during the user’s session. Click Log Out to log out of your session.
User's login status window refreshes every (minutes): determines how often your status display is updated.
User's login status window sends status heartbeat every (seconds): determines how often a heartbeat is sent back to the SonicWALL. This heartbeat notifies the SonicWALL of your connection status and continues to be sent as long as the status window is open.
Enable disconnected user detection: causes the SonicWALL to detect when your connection is no longer valid and ends the session.
Timeout on heartbeat from user's login status window (minutes): sets the time needed without a reply from the heartbeat before ending your session.
Open user’s login status window in the same window rather than in a popup: enable this option if you do not want the login status window to open as a pop-up window.
LDAP read from server options: are available when the LDAP option is active. The options are:
Acceptable Use Policy
An acceptable use policy (AUP) is a policy you must agree to follow in order to access a network or the Internet. It is common practice for many businesses and educational facilities to require that employees or students agree to an acceptable use policy before accessing the network or Internet through the SonicWALL.
The Acceptable Use Policy section allows you to create the AUP message window for users. You can use HTML formatting in the body of your message. Clicking Example Template creates a preformatted HTML template for your AUP window.
To configure an AUP, complete the following steps:
1. Expand the Users tree and click on the Settings tab.
2. Select which users will see the AUP page by selecting the Display on login from check boxes. For SonicOS Enhanced, select the zones that display the AUP page. For SonicOS Standard, select the network interfaces.
3
4. Click Enable scroll bars on the window to allow users to scroll through the AUP window contents.
5. Enter the text for the AUP in the Acceptable use policy page content. The content can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.
6. Click Example Template to create a preformatted HTML template for your AUP window.
7. Click Preview to display your AUP message as it appears for the user.
8. Click Update.
Other Global User Settings
Define a list of URLs users can connect to without authenticating.
To add a URL to the list, complete the following:
1. Click Add.
2. In the Enter URL window, enter the top level URL you are adding. For example, if you enter www.SonicWALL.com, all subdirectories of that URL are included, such as www.SonicWALL.com/us/Support.html.
3. Click OK to add the URL to the list.
For wildcard matching, prefix with '*.' and/or suffix with '...', for example: *.windowsupdate.com...
To allow access to a file on any host, prefix with '*/', for example: */wpad.dat.
Customize Login Pages
SonicOS provides the ability to customize the text of the login authentication pages that are presented to users. Administrators can translate the login-related pages with their own wording and apply the changes so that they take effect without rebooting.
Although the entire SonicOS interface is available in different languages, sometimes the administrator does not want to change the entire UI language to a specific local language.
However, if the firewall requires authentication before users can access other networks, or enables external access services (for example, VPN, SSL-VPN), those login-related pages usually should be localized to make them more usable for typical users.
The Customizable Login Page feature provides the following functionality:
The following login-related pages can be customized:
To customize one of these pages, complete the following steps:
1. On the Users > Settings page, scroll down to the Customize Login Pages section.
2. Select the page to be customized from the Select Login Page pulldown menu.
3. Scroll to the bottom of the page and click Default to load the default content for the page.
4
5