in the row for the NAS client you want to edit. The row turns to bold for the client being edited. Single_Sign_On
Single Sign-On RADIUS Accounting
(SuperMassive 9000 Series Only)
RADIUS Accounting is specified by RFC 2866 as a mechanism for a Network Access Server to send user login session accounting messages to an accounting server. These messages are sent at user logon, user logoff, and optionally periodically through the user’s session. SonicOS 6.1.1.0 makes this available for use by Single Sign-On (SSO) by having the Dell SonicWALL appliance act as the RADIUS Accounting Server.
The following attributes, that are relevant for SSO, are sent in Accounting Requests:
• Status-Type
The type of accounting request (such as Start, Stop, Interim-Update).
• User-Name
Gives the user’s name. This can be anything from a simple login name to a string giving various values such as login name, domain, or distinguished name (DN).
• Framed-IP-Address
Gives the user’s IP address. When NAT is used, this must be the internal IP address for SSO to work.
• Calling-Station-Id
Used by some appliances to give a string representation of the user’s IP address.
• Proxy-State
Used with pass-through for proxy forwarding requests on to another RADIUS accounting server.
To be compatible with the Dell SonicWALL appliance for SSO via RADIUS accounting, a third party network access appliance must be able to:
• Support RADIUS Accounting.
• Send both Start and Stop messages. Sending Interim-Update messages is not required, but it is advantageous if they are sent.
• Send the user’s IP address in either the Framed-IP-Address attribute or Calling-Station-Id attribute in both Start and Stop messages. In the case of a remote access server that is using NAT to translate a user’s external public IP address, the Framed-IP-Address attribute or Calling-Station-Id attribute must contain the internal IP address that is used on the internal network, and it must be a unique IP address for the user.
Note If both attributes are sent, only the Framed-IP-Address must contain the internal IP address. However, sending the user’s external IP address in the Calling-Station-Id attribute and the user’s internal IP address in the Framed-IP-Address attribute is fine.
• Send the user’s login name in the User-Name attribute in Start messages and in Interim-Update messages if those are to be monitored, and ideally in Stop messages too, but that is not mandatory. The attribute must include either the account name or DN, and may include the domain. This must be in a format that can be decoded by the Dell SonicWALL appliance.
A RADIUS accounting server listens on UDP port 1646 or 1813 by default (the latter is the IANA-specified port, 1646 is an older unofficial standard, the equivalents for RADIUS authentication being 1645 and 1812). This is configurable so that other port numbers can be used, but it will only listen on the one port. If there are multiple NAS’s, they must all be configured to send to the same port number.
To configure SSO with RADIUS accounting in SonicOS, perform the following steps:
1. Got the Users > Settings page.
2. For Single-sign-on method(s), select the RADIUS Accounting option.
3. Click the Configure SSO button.
The SSO Authentication Configuration screen appears.
4. In the SSO Authentication Configuration screen, click the RADIUS Accounting tab.
5. Click the Add button.
The Settings, RADIUS, and Forwarding tabs appear in the lower section.
6. Under the Settings tab, in the Client host name or IP address box, enter the host name or IP address of the NAS appliance.
7. In the Shared Secret box, enter the value for the shared secret.
8. In the Confirm Secret box, re-enter the value for the shared secret.
9. Select the RADIUS tab.
10. From the User-Name attribute format menu, the format that you want.
11. (Optional) If desired, select the Log user out if no accounting interim updates are received option and enter the number of minutes for this option.
12. If you selected a format from the User-Name attribute format that requires the Domain, select the action to take if the domain is missing.
If you select Other from the User-Name attribute format menu, the screen displays additional fields for specifying the format of the attribute content as a limited scanf-style string, with up to 3 component fields. If you pause your mouse over any of the Components boxes, a tool tip dialog appears that explains how to enter the scanf-style string.
The component fields can be any of the following items:
• User’s Account Name
• Domain
• Fully Qualified Distinguished Name (DN)
13. Select the Forwarding tab.
14. Configure the settings for proxy forwarding to up to four other RADIUS accounting servers. Additional RADIUS accounting servers can be used for generating reports about user activity, or similar purposes.
To add another RADIUS accounting server, type its IP address into the Server 1 field or another Server X field. Then type in the shared secret in the Shared Secret and Confirm Shared Secret fields. The Port number can be changed, if needed.
15. Click Apply. The lower section will close.
To edit the lower section settings again, click the Edit icon in the row for the NAS client you want to edit. The row turns to bold for the client being edited.
16. After you apply the change to add another RADIUS accounting server on the Forwarding tab for one NAS client, the Forwarding tab provides a Select from drop-down list when you add or edit another NAS client. You can easily select the same RADIUS accounting server for that NAS client. All fields are then populated with the same settings.
17. Click Apply to save the settings for the NAS client being edited.
The status icon for each RADIUS accounting NAS client will show yellow if the NAS is idle and green if it is active, where the latter means that the appliance has received a request from it in the last 5 minutes.
18. The General Settings tab provides the Enable SSO by RADIUS accounting checkbox, which is selected by default, and the Port number field containing the UDP port number to listen on for RADIUS accounting messages, which defaults to port 1813.
19. Click OK when finished.
Configuring Multiple Administrator Support
This section contains the following subsections:
• Configuring Additional Administrator User Profiles
• Configuring Administrators Locally when Using LDAP or RADIUS
• Activating Configuration Mode
• Verifying Multiple Administrators Support Configuration
• Viewing Multiple Administrator Related Log Messages
Configuring Additional Administrator User Profiles
To configure additional administrator user profiles, perform the following steps:
1. While logged in as admin, navigate to the Users > Local Users page.
2. Click the Add User button.
3. Enter a Name and Password for the user.
4. Click on the Group Membership tab.
5. Select the appropriate group to give the user Administrator privileges:
• Limited Administrators - The user has limited administrator configuration privileges.
• SonicWALL Administrators - The user has full administrator configuration privileges.
• SonicWALL Read-Only Admins - The user can view the entire management interface, but cannot make any changes to the configuration.
6. Click the right arrow button and click OK.
7. To configure the multiple administrator feature such that administrators are logged out when they are preempted, navigate to the System > Administration page.
8. Select the Log out radio button for the On preemption by another administrator option and click Accept.
Configuring Administrators Locally when Using LDAP or RADIUS
When using RADIUS or LDAP authentication, if you want to ensure that some or all administrative users will always be able to manage the appliance, even if the RADIUS or LDAP server becomes unreachable, then you can use the RADIUS + Local Users or LDAP + Local Users option and configure the accounts for those particular users locally.
For users authenticated by RADIUS or LDAP, create user groups named SonicWALL Administrators and/or SonicWALL Read-Only Admins on the RADIUS or LDAP server (or its back-end) and assign the relevant users to those groups. Note that in the case of RADIUS you will probably need special configuration of the RADIUS server to return the user group information – see the SonicWALL RADIUS documentation for details.
When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps:
1. Navigate to the Users > Settings page.
2. Select either the RADIUS + Local Users or LDAP + Local Users authentication method.
3. Click the Configure button.
4. For RADIUS, click on the RADIUS Users tab and select the Local configuration only radio button and ensure that the Memberships can be set locally by duplicating RADIUS user names checkbox is checked.
5. For LDAP, click on the LDAP Users tab and select the User group membership can be set locally by duplicating LDAP user names checkbox.
6. Then create local user accounts with the user names of the administrative users (note no passwords need be set here) and add them to the relevant administrator user groups.
When an administrator attempts to log in while another administrator is logged in, the following message is displayed. The message displays the current administrator’s user name, IP address, phone number (if it can be retrieved from LDAP), and whether the administrator is logged in using the GUI or CLI.
This window gives you three options:
• Continue - Preempts the current administrator. The current administrator is dropped to non-config mode and you are given full administrator access.
• Non-config - You are logged into the appliance in non-config mode. The current administrator’s session is not disturbed.
• Cancel - Returns to the authentication screen.
When logging in as a user with administrator rights (that is not the admin user), the User Login Status popup window is displayed.
To go to the SonicWALL user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators are away from their computers and do not log out of their session.
Disabling the User Login Status Popup
You can disable the User Login Status popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.
If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status popup window with a Manage button), this can be achieved as follows:
1. Create a local group with the Members go straight to the management UI on web login checkbox selected.
2. Add the group to the relevant administrative group, but do not select this checkbox in the administrative group.
3. Add those user accounts that are to be administrative-only to the new user group. The User Login Status popup window is disabled for these users.
4. Add the user accounts that are to have privileged and administrative access directly to the top-level administrative group.
To switch from non-config mode to full configuration mode, perform the following steps:
1. Navigate to the System > Administration page.
In the Web Management Settings section, click on the Configuration mode button. If there is not currently an administrator in configuration mode, you will automatically be entered into configuration mode.
3. If another administrator is in configuration mode, the following message displays.
4. Click the Continue button to enter configuration mode. The current administrator is converted to read-only mode and you are given full administrator access.
Verifying Multiple Administrators Support Configuration
User accounts with administrator and read-only administrators can be viewed on the Users > Local Groups page.
Administrators can determine which configuration mode they are in by looking at either the top right corner of the management interface or at the status bar of their browser.
To display the status bar in Firefox and Internet Explorer, click on the View menu and enable status bar. By default, Internet Explorer 7.0 and Firefox 2.0 do not allow Web pages to display text in the status bar. To allow status bar messages in Internet Explorer, go to Tools > Internet Options, select the Security tab, click on the Custom Level button, scroll to the bottom of the list, and select Enable for Allow Status Bar Updates Via Script.
To allow status bar messages in Firefox, go to Tools > Options, select the Content tab, click the Advanced button, and select the checkbox for Change Status Bar Text in the pop-up window that displays.
When the administrator is in full configuration mode, no message is displayed in the top right corner and the status bar displays Done.
When the administrator is in read-only mode, the top right corner of the interface displays Read-Only Mode.
The status bar displays Read-only mode - no changes can be made.
When the administrator is in non-config mode, the top right of the interface displays Non-Config Mode. Clicking on this text links to the System > Administration page where you can enter full configuration mode.
The status bar displays Non-config mode - configuration changes not allowed.
Viewing Multiple Administrator Related Log Messages
Log messages are generated for the following events:
• A GUI or CLI user begins configuration mode (including when an admin logs in).
• A GUI or CLI user ends configuration mode (including when an admin logs out).
• A GUI user begins management in non-config mode (including when an admin logs in and when a user in configuration mode is preempted and dropped back to read-only mode).
• A GUI user begins management in read-only mode.
A GUI user terminates either of the above management sessions (including when an admin logs out).