• In the User Authentication method drop-down list, select the type of user account management your network uses:
• Select Local Users to configure users in the local database in the firewall using the Users > Local Users and Users > Local Groups pages.For information about using the local database for authentication, see Using Local Users and Groups for Authentication .
• Select RADIUS if you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the firewall. If you select RADIUS for user authentication, users must log into the firewall using HTTPS in order to encrypt the password sent to the firewall. If a user attempts to log into the firewall using HTTP, the browser is automatically redirected to HTTPS.For information about using a RADIUS database for authentication, see Using RADIUS for Authentication .
• Select RADIUS + Local Users if you want to use both RADIUS and the firewall local user database for authentication.
• Select LDAP if you use a Lightweight Directory Access Protocol (LDAP) server, Microsoft Active Directory (AD) server, or Novell eDirectory to maintain all your user account data.For information about using an LDAP database for authentication, see Using LDAP/Active Directory/eDirectory Authentication .
• Select LDAP + Local Users if you want to use both LDAP and the firewall local user database for authentication.
• For Single-sign-on method, select one of the following:
• Select SonicWALL SSO Agent if you are using Active Directory for authentication and the SSO Agent is installed on a computer in the same domain. For detailed SSO configuration instructions, see Configuring Single Sign-On .
• Select Terminal Services Agent if you are using Terminal Services and the Terminal Services Agent (TSA) is installed on a terminal server in the same domain.
• Select Browser NTLM authentication only if you want to authenticate Web users without using the SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP), for access to MSCHAP authentication. If LDAP is selected above, a separate Configure button for RADIUS appears here when NTLM is selected.
• Select RADIUS Accounting if you want a network access server (NAS) to send user login session accounting messages to an accounting server.
• Select Case-sensitive user names to enable matching based on capitalization of user account names.
• Select Enforce login uniqueness to prevent the same user name from being used to log into the network from more than one location at a time. This setting applies to both local users and RADIUS/LDAP users. However the login uniqueness setting does not apply to the default administrator with the username admin.
• Configure the following One-Time Password options. The values you enter will result in a password strength of Poor, Good, or Excellent.
•
• At One Time Password Format, select Character, Characters+Numbers, or Numbers from the drop-down list.
• At One Time Password Length, enter the minimum length in the first field and the maximum length in the second field. The minimum and maximum must be within the range of 4 to 14.
• In the Show user authentication page for field, enter the number of minutes that a user has to log in before the login page times out. If it times out, a message displays saying they must click before attempting to log in again.
• In the Redirect the browser to this appliance via field, select one of the following options to determine how a user’s browser is initially redirected to the Dell SonicWALL appliance’s Web server:
• The interface IP address – Select this to redirect the browser to the IP address of the appliance Web server interface.
• Its domain name from a reverse DNS lookup of the interface IP address – Enables the Show Reverse DNS Cache button at the bottom of the window; when clicked, a popup displays the appliance Web server’s Interface, IP Address, DNS Name, and TTL in seconds. Click the button to verify the domain name (DNS name) being used for redirecting the user’s browser.
• Its configured domain name – Type in the Web server domain name to which the user’s browser should be redirected.
• The name from the administration certificate – To enable redirecting to a configured domain name, set the firewall’s domain name on the System > Administration page. Redirecting to the name from the administration certificate is allowed when an imported certificate has been selected for HTTPS web management on that page.
• Select Redirect users from HTTPS to HTTP on completion of login if you want users to be connected to the network through your firewall via HTTP after logging in via HTTPS. If you have a large number of users logging in via HTTPS, you may want to redirect them to HTTP, because HTTPS consumes more system resources than HTTP. If you deselect this option, you will see a warning dialog.
• Select Allow HTTP login with RADIUS CHAP mode to have a CHAP challenge be issued when a RADIUS user attempts to log in using HTTP. This allows for a secure connection without using HTTPS. Be sure to check that the RADIUS server supports this option.
• Inactivity timeout (minutes): Specify the length of time for inactivity (the default is 5 minutes) after which users will be logged out of the firewall.
• On inactivity timeout make users inactive instead of logging out: Select this option to save system overhead and possible delays re-identifying aged-out SSO-authenticated users by making them inactive instead of logging them out. Inactive users do not use up system resources and can be displayed on the Users > Status page.
• Age out inactive users after (minutes): Set the number of minutes of inactivity after which SSO-authenticated users will be aged out. The age-out timer runs once every 10 minutes, so it may take up to 10 minutes longer to remove users from active status.
• Enable login session limit for web logins: Limit the time a user is logged into the firewall by selecting the check box and typing the amount of time, in minutes, in the Login session limit (minutes) field. The default value is 30 minutes.
• Show user login status window — Displays a status window with a Log Out button during the user’s session. The user can click the Log Out button to log out of their session.The User Login Status window displays the number of minutes the user has left in the login session. The user can set the remaining time to a smaller number of minutes by entering the number and clicking the Update button.If the user is a member of the SonicWALL Administrators or Limited Administrators user group, the User Login Status window has a Manage button the user can click to automatically log into the firewall’s management interface. See Disabling the User Login Status Popup for information about disabling the User Login Status window for administrative users. See Configuring Local Groups on Users > Local Groups for group configuration procedures.
• User's login status window sends heartbeat every (seconds) — Sets the frequency of the heartbeat signal used to detect whether the user still has a valid connection
• Enable disconnected user detection — Causes the firewall to detect when a user’s connection is no longer valid and end the session.
• Timeout on heartbeat from user's login status window (minutes) — Sets the time needed without a reply from the heartbeat before ending the user session.
1 Click Add below the URL list.
2 In the Enter URL window, enter the top level URL you are adding, for example, www.sonicwall.com. All sub directories of that URL are included, such as www.sonicwall.com/us/Support.html.
3 Click on OK to add the URL to the list.The Acceptable Use Policy section allows you to create the AUP message window for users. You can use HTML formatting in the body of your message. Clicking the Example Template button creates a preformatted HTML template for your AUP window; see Example Template .
• Display on login from - Select the network interface(s) you want to display the Acceptable Use Policy page when users login. You can choose Trusted Zones, WAN Zone, Public Zones, Wireless Zones, and VPN Zone in any combination.
• Window size (pixels) - Allows you to specify the size of the AUP window defined in pixels. Checking the Enable scroll bars on the window allows the user to scroll through the AUP window contents.
• Enable scroll bars on window - Turns on the scroll bars if your content will exceed the display size of the window.
• Acceptable use policy page content - Enter your Acceptable Use Policy text in the text box. You can include HTML formatting. The page that is displayed to the user includes an I Accept button or Cancel button for user confirmation.Click the Preview button to display your AUP message as it will appear for the user.The Customize Login Page feature provides the following functionality:
1
2 Select the page to be customized from the Select Login Page drop-down menu.
3 Scroll to the bottom of the page and click Default to load the default content for the page.
5 Click Preview to preview how the customized page will look.
CAUTION: Be careful to verify the HTML of your custom login page before deploying it, because HTML errors may cause the login page to not function properly. An alternative login page is always available for the administrator, in case a customized login page has any issues. To access the alternate login page, manually input the URL: https://(device_ip)/defauth.html directly into the address line of browser (case sensitive). The default login page without any customization is then displayed, allowing you to login as normal and reset your customized login related pages.