Users > Settings

RADIUS if you have more than 1,000 users or want to add an extra layer of security for authenticating the user to the firewall. If you select RADIUS for user authentication, users must log into the firewall using HTTPS in order to encrypt the password sent to the firewall. If a user attempts to log into the firewall using HTTP, the browser is automatically redirected to HTTPS.

RADIUS may be required in addition to LDAP in a number of cases:

•

LDAP does not usually support CHAP/MSCHAP authentication (Microsoft Active Directory and Novell eDirectory do not), so the Dell SonicWALL authenticates CHAP/MSCHAP via RADIUS if that is the case and RADIUS is configured.

•

If NTLM is used for SSO, it can only be authenticated via RADIUS in MSCHAP mode.

•

RADIUS may be required for CHAP/MSCHAP with L2TP servers or with VPN or SSL VPN clients, including NetExtender and Portal, or if it may be required for NTLM.


	NOTE: LDAP is generally still used for non-CHAP authentications when RADIUS is used for CHAP.

For information about using a RADIUS database for authentication, see Using RADIUS for Authentication .

For detailed configuration instructions, see Configuring RADIUS Authentication .

•

RADIUS + Local Users if you want to use both RADIUS and the firewall local user database for authentication.

•

LDAP if you use a Lightweight Directory Access Protocol (LDAP) server, Microsoft Active Directory (AD) server, or Novell eDirectory to maintain all your user account data.

For information about using an LDAP database for authentication, see Using LDAP/Active Directory/eDirectory Authentication .

For detailed configuration instructions, see Integrating LDAP into the SonicWALL Appliance .

•

LDAP + Local Users if you want to use both LDAP and the firewall local user database for authentication.

For Single-sign-on method, select one of the following:


	NOTE: Do not select any of these options if you are not using Single Sign-On to authenticate users.

•

SonicWALL SSO Agent if you are using Active Directory for authentication and the SSO Agent is installed on a computer in the same domain. For detailed SSO configuration instructions, see Single Sign-On Overview .

•

Terminal Services Agent if you are using Terminal Services and the Terminal Services Agent (TSA) is installed on a terminal server in the same domain.

•

Browser NTLM authentication only if you want to authenticate Web users without using the SSO Agent or TSA. Users are identified as soon as they send HTTP traffic. NTLM requires RADIUS to be configured (in addition to LDAP, if using LDAP), for access to MSCHAP authentication. If LDAP is selected above, a separate Configure button for RADIUS appears here when NTLM is selected.

•

RADIUS Accounting if you want a network access server (NAS) to send user login session accounting messages to an accounting server.

Select Case-sensitive user names to enable matching based on capitalization of user account names.

Select Enforce login uniqueness to prevent the same user name from being used to log into the network from more than one location at a time. This setting applies to both local users and RADIUS/LDAP users, but it does not apply to the default administrator with the username admin. This setting is not selected by default.

To make users log in after changing their passwords, select the Force relogin after password change checkbox. This setting is not selected by default.

Configure the following One-Time Password options:

•

One-time password Email format – Select either Plain text or HTML.

•

One Time Password Format – Select Characters (default), Characters+Numbers, or Numbers from the drop-down menu.


	TIP: The format selection along with the two values for password length result in a password strength of Poor, Good, or Excellent. The strongest passwords have long lengths and either Characters or Characters+Numbers format; The weakest password strength is the Numbers format regardless of length.

•

At One Time Password Length, enter the minimum length in the first field and the maximum length in the second field. The minimum and maximum must be within the range of 4 to 14, with a default value of 10 for each field. The minimum length cannot be greater than the maximum length.

User Web Login Settings

In the Show user authentication page for (minutes) field, enter the number of minutes that users have to log in with their username and password before the login page times out. If it times out, a message displays informing them what they must do before attempting to log in again. The default time is 1 minute.

While the login authentication page is displayed, it uses system resources. By setting a limit on how long a login can take before the login page is closed, you free up those resources.

From the Redirect the browser to this appliance via radio buttons, select one of the following options to determine how a user’s browser is initially redirected to the Dell SonicWALL appliance’s Web server:

•

The interface IP address – Select this to redirect the browser to the IP address of the appliance Web server interface.

•

Its domain name from a reverse DNS lookup of the interface IP address – Enables the Show Cache button which, when clicked, displays the appliance Web server’s Interface, IP Address, DNS Name, and TTL (in seconds). Click the button to verify the domain name (DNS name) being used for redirecting the user’s browser. Click close to close the display.

•

Its configured domain name – Select to enable redirecting to a domain name configured on the System > Administration page.


	NOTE: This option is available only if a domain name has been specified on the System > Administration page. Otherwise, this option is dimmed.

•

The name from the administration certificate – Select to enable redirecting to a configured domain name with a properly signed certificate. Redirecting to the name from this administration certificate is allowed when an imported certificate has been selected for HTTPS web management on that page.


	NOTE: This option is available only if a certificate has been imported for HTTPS management in the Web Management Settings section of the System > Administration page. See Web Management Settings .


	TIP: If you are using imported administration certificates, use this option. If you are not going to use an administration certificate, select the Its configured domain name option.

To do HTTPS management without the browser displaying invalid-certificate warnings, you need to import a certificate properly signed by a certification authority (administration certificate) rather than use the internally generated self-signed one. This certificate must be generated for the appliance and its host domain name. A properly signed certificate is the best way to obtain an appliance’s domain name.

If you use an administration certificate, then to avoid certificate warnings, the browser needs to redirect to that domain name rather than to the IP address. For example, if we try to browse the internet and are redirected to log in at https://gateway.sonicwall.com/auth.html, the administration certificate on the appliance ways that the appliance really is gateway.sonicall.com, so the browser displays the login page. If we are redirected to https://10.0.02/auth.html, however, even though the certificate says it is gateway.sonicall.com, the browser has no way to tell if that is correct, so it displays a certificate warning instead.

To limit redirections to the login page enter the number of times in the Limit redirecting users to times per minute per user field. The default value is 10 times.

Limiting redirections prevents possibly overloading the Dell SonicWALL appliances’ web server by limiting redirections to the login page should HTTP/HTTPS connections that would otherwise get redirected there be repeatedly opened at a high rate from some unauthorized users.

To further limit redirects of the same page, select the Don’t redirect repeated gets of the same page checkbox. This option is selected by default.

Select Redirect users from HTTPS to HTTP on completion of login if you want users to be connected to the network through your firewall via HTTP after logging in via HTTPS. If you have a large number of users logging in via HTTPS, you may want to redirect them to HTTP, because HTTPS consumes more system resources than HTTP. This option is selected by default. If you deselect this option, you will see a warning dialog.

Select Allow HTTP login with RADIUS CHAP mode to have a CHAP challenge be issued when a RADIUS user attempts to log in using HTTP. This allows for a secure connection without using HTTPS. Be sure to check that the RADIUS server supports this option. This option is not selected by default.


	NOTE: If you log in using this method, you are restricted in the management operations you can perform because some operations require the appliance to know the administrator's password; with CHAP authentication by a remote authentication server, the appliance does not know the password. If this setting is checked, therefore, any users who are members of administrative user groups may need to manually log in via HTTPS if logging in for administration. This restriction does not apply to the built-in admin account.


	NOTE: When using LDAP, this mechanism can normally be used by setting the Authentication method for login to RADIUS and then selecting LDAP as the mechanism for setting user group memberships in the RADIUS configuration.

User Session Settings

To configure settings that apply to all users who are authenticated through the firewall:

Specify the length of time for inactivity after which users are logged out of the firewall in the Inactivity timeout (minutes) field. The default is 15 minutes.

From the Don’t allow traffic from these services to prevent user logout on inactivity drop-down menu, select the service or service group option to be prevented from logging out inactive users. This option saves system overhead and possible delays re-identifying aged-out authenticated users by making them inactive instead of logging them out. Inactive users do not use up system resources and can be displayed on the Users > Status page. The default is None.

For the following For logging of connections on which the user is not identified options, select the type of logging, Log no user name or Log user name, to be done, and optionally, the log user name:

•

If SSO fails to identify the user: Log user name Unknown SSO failed (default)

•

For connections that bypass SSO: Log user name SSO Bypass (default)


	NOTE: This option also can be set in the SSO Bypass section of the Enforcement tab of the SSO Authentication Configuration dialog.

•

For connections originating externally: Log no user name (default); if Log user name is selected, the default user name is Unknown (external)

•

For other unidentified connects: Log no user name (default); if Log user name is selected, the default user name is Unknown

Specify how to handle a user’s connections that remain after the user logs out from the Dell SonicWALL appliance with the Actions for remaining user connections on logout options.


Type of logout	Action
Type of logout	For connections requiring user authentication ¹	For other connections ²
On logout due to inactivity	Leave them alive (default) Terminate them Terminate after… minutes	Leave them alive (default) Terminate them Terminate after… minutes
On active/reported logout	Leave them alive Terminate them (default) Terminate after… minutes	Leave them alive Terminate them Terminate after… 15 minutes (default)

Applies for connections via access rules that allow only specific users.

Applies for other connections that do not have a specific user authentication requirement.

You can set different actions for:

•

Inactivity logout, where the user may or may not still be logged into the domain/computer

•

Users actively logging themselves out or being reported to the Dell SonicWALL appliance as being logged out (the latter normally means that the user has logged out from the domain/user)

User Session Settings for SSO Authenticated Users

To specify how inactive SSO-authenticated users are handled:

To put a user identified to the Dell SonicWALL appliance via an SSO mechanism, but no traffic has yet been received from the user, into an inactive state so they do not use resources, select the On being notified of a login make the user initially inactive until they send traffic checkbox. The users remain in an inactive state until traffic is received. This option is selected by default.

Some SSO mechanisms do not give any way for the Dell SonicWALL appliance to actively re-identify a user, and if users identified by such a mechanism do not send traffic, they remain in the inactive state until the appliance eventually receives a logout notification for the user. For other users who can be re-identified, if they stay inactive and do not send traffic, they are aged-out and removed after a period that can be set in Step 3.

If an SSO-identified user who has been actively logged in is timed out due to inactivity, then users who cannot be re-identified are returned to an inactive state. To have users who would otherwise be logged out on inactivity to be returned to an inactive state, select the On inactivity timeout make all user inactive instead of logged out checkbox. Doing this avoids overhead and possible delays re-identifying the users when they become active again. This setting is selected by default.

For inactive users who are subject to getting aged out, you can set the time, in minutes, after which they are aged-out and removed if they stay inactive and do not send traffic by selecting the Age out inactive users after (minutes) checkbox and specifying the timeout in the field. This setting is selected by default, and the minimum timeout value is 10 minutes, the maximum is 10000 minutes, and the default is 60 minutes.


	NOTE: As the reason for keeping inactive user separate from active users is to minimize the resources used to manage them, the age-out timer runs once every 10 minutes. It may, therefore, take up to 10 minutes longer to remove inactive users from active status.

User Session Settings for Web Login

Enable login session limit for web logins: Limit the time a user is logged into the firewall via web login by selecting the checkbox and typing the amount of time, in minutes, in the Login session limit (minutes) field. This setting is selected by default The default value is 30 minutes.

Show user login status window — For users logging in via web login, displays a status window with a Log Out button during the user’s session. The user can click the Log Out button to log out of their session.


	NOTE: The window must be kept open throughout the user’s session as closing it logs the user out.


	IMPORTANT: If this option is not enabled, the status window is not displayed and users may not be able to log out. In this case, a login session limit must be set to ensure that they do eventually get logged out.

The User Login Status window displays the number of minutes the user has left in the login session. The user can set the remaining time to a smaller number of minutes by entering the number and clicking the Update button.

When this option is enabled, a mechanism that monitors heartbeats sent from that window also can be enabled to detect and log out users who disconnect without logging out.

If the user is a member of the SonicWALL Administrators or Limited Administrators user group, the User Login Status window has a Manage button the user can click to automatically log into the firewall’s management interface. See Disabling the User Login Status Popup for information about disabling the User Login Status window for administrative users. See Configuring Local Groups for group configuration procedures.

•

User's login status window sends heartbeat every (seconds) — Sets the frequency of the heartbeat signal used to detect whether the user still has a valid connection. The minimum heartbeat frequency is 10 seconds, the maximum is 65530 seconds, and the default is 120 seconds.

Enable disconnected user detection — Causes the firewall to detect when a user’s connection is no longer valid and ends the session. This setting is selected by default.

•

Timeout on heartbeat from user's login status window (minutes) — Sets the time needed without a reply from the heartbeat before ending the user session. The minimum delay before ending the user session is 1 minute, the maximum is 65535 minutes, and the default is 10 minutes.

Optionally, select to have the user’s login status window display in the same window rather than a popup window by selecting Open user’s login status window in the same window rather than in a popup checkbox.

Other Global User Settings

The specified HTTP URLs bypass users authentication access rules. In this section, you define a list of URLs users can connect to without authenticating.

To add a URL to the list:

Click Add below the URL list. The Add URL dialog displays.

In the Enter URL field, enter the top-level URL you are adding, for example, www.sonicwall.com. All sub directories of that URL are included, such as www.sonicwall.com/us/Support.html.

Click on OK to add the URL to the list. A message displays.

Click Accept.

Acceptable Use Policy

An acceptable use policy (AUP) is a policy that users must agree to follow in order to access a network or the Internet. It is common practice for many businesses and educational facilities to require that employees or students agree to an acceptable use policy before accessing the network or Internet through the firewall.

The Acceptable Use Policy section allows you to create the AUP message window for users. You can use HTML formatting in the body of your message. Clicking the Example Template button creates a preformatted HTML template for your AUP window; see Example Template .

•

Display on login from - Select the network interface(s) you want to display the Acceptable Use Policy page when users login. You can choose Trusted Zones (default), WAN Zone, Public Zones (default), Wireless Zones, and VPN Zone in any combination.

•

Window size (pixels) - Allows you to specify the size of the AUP window, in pixels.

•

Checking the Enable scroll bars on the window allows the user to scroll through the AUP window contents. Specify both:

•

Width: Minimum size is 400 pixels, maximum size is 1280 pixels, and the default is 460 pixels.

•

Height: Minimum size is 200 pixels, maximum size is 1024 pixels, and he default is 310 pixels.

•

Enable scroll bars on window - Turns on the scroll bars if your content will exceed the display size of the window. This setting is enabled by default.

•

Acceptable use policy page content - Enter your Acceptable Use Policy text in this field. You can include HTML formatting. The page that is displayed to the user includes an I Accept button and Cancel button for user confirmation.

Topics:

•

Example Template

•

Preview Message

Example Template

Click the Example Template button to populate the content with the default AUP template, which you can modify:

<center>Welcome to the SonicWALL</center>

<center>Enter your usage policy terms here.

</td></tr>

</table>

Click "I Accept" only if you wish to accept these terms and continue,

or otherwise select "Cancel".

Preview Message

Click the Preview button to display your AUP message as it will appear for the user.

Customize Login Pages

SonicOS provides the ability to customize the text of the login authentication pages that are presented to users. Administrators can translate the login-related pages with their own wording and apply the changes so that they take effect without rebooting.

Although the entire SonicOS interface is available in different languages, sometimes the administrator does not want to change the entire UI language to a specific local language.

However, if the firewall requires authentication before users can access other networks, or enables external access services (e.g. VPN, SSL-VPN), those login related pages usually should be localized to make them more usable for typical users.

The Customize Login Page feature provides the following functionality:

•

Keeps the style of original login by default

•

Customizes login related pages

•

Uses the default login related pages as templates

•

Saves customized pages into system preferences

•

Allows preview of changes before saving to preferences

•

Presents customized login-related pages to typical users

The following login-related pages can be customized:

•

•

•

•

•

•

Policy Access Unavailable

•

Policy Login Redirect

•

Policy SSO Probe Failure

•

User Password Update

•

User Login Message

To customize one of these pages, perform the following steps:

On the Users > Settings page, scroll down to the Customize Login Pages section.

Select the page to be customized from the Select Login Page drop-down menu.

Scroll to the bottom of the page and click Default to load the default content for the page.

Edit the content of the page.


	NOTE: The "var strXXX =" lines in the template pages are customized JavaScript Strings. You can change them into your preferring wording. Modifications should follow the JavaScript syntax. You can also edit the wording in the HTML section.

Click Preview to preview how the customized page will look.

When you are finished editing the page, click Accept.

Leave the Login page content field blank and apply the change to revert to the default page to users.


	CAUTION: Be careful to verify the HTML of your custom login page before deploying it, because HTML errors may cause the login page to not function properly. An alternative login page is always available for the administrator, in case a customized login page has any issues. To access the alternate login page, manually input the URL: https://(device_ip)/defauth.html directly into the address line of browser (case sensitive). The default login page without any customization is then displayed, allowing you to login as normal and reset your customized login related pages.