User/Group
See the User/Group section for related information on these screens.
User Account Overview
A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL.
User Types
These are the types of user accounts the ZyWALL uses.
Types of User Accounts

Type | Abilities | Login Method(s)
--- | --- | ---
Admin Users | |
Admin | Change ZyWALL configuration (web, CLI) | WWW, TELNET, SSH, FTP
Limited-Admin | Look at ZyWALL configuration (web, CLI); perform basic diagnostics (CLI) | WWW, TELNET, SSH
Access Users | |
User | Access network services; browse user-mode commands (CLI) | WWW, TELNET, SSH
Guest | Access network services | WWW
Ext-User | External user account | WWW
Note: The default admin account is always authenticated locally, regardless of the authentication method setting.
Ext-User Accounts
Set up an Ext-User account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an Ext-User account.
Ext-User users should be authenticated by an external server, such as LDAP or RADIUS.
Note: If the ZyWALL tries to authenticate an Ext-User using the local database, the attempt always fails.
Once an Ext-User user has been authenticated, the ZyWALL tries to get the user type from the external server. If the external server does not have the information, the ZyWALL sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the ZyWALL checks the following places, in order.
- User account in the remote server.
- User account (Ext-User) in the ZyWALL.
- Default user account for LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL.
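The lookup order above, modelled in Python as an added example (this is not ZyXEL code). The dictionaries standing in for the external server's records and for the ZyWALL's local accounts, and the `local` authentication method name, are assumptions made for the example:

```python
# Added example (not ZyXEL code): models how the ZyWALL resolves the session
# attributes of an Ext-User after external authentication, as the guide
# describes. Plain dictionaries stand in for the three places it checks.
from typing import Optional

ATTRIBUTES = ("type", "leaseTime", "reauthTime")   # keywords from the guide
DEFAULT_ACCOUNT = {"ldap": "ldap-users", "radius": "radius-users"}

def authenticate_ext_user(method: str) -> bool:
    """An Ext-User checked against the local database always fails."""
    return method in ("ldap", "radius")

def resolve_ext_user_session(name: str, method: str,
                             remote_accounts: dict,
                             local_accounts: dict) -> Optional[dict]:
    """Return the attributes the ZyWALL applies to this Ext-User session.

    remote_accounts: {user_name: {keyword: value}} as held by the server
    local_accounts:  {account_name: {keyword: value}} on the ZyWALL, i.e.
                     the Ext-User entry plus ldap-users / radius-users.
    """
    if not authenticate_ext_user(method):
        return None  # authentication attempt fails, no session

    remote = remote_accounts.get(name, {})
    local = local_accounts.get(name, {})
    default = local_accounts.get(DEFAULT_ACCOUNT[method], {})

    session = {}
    # The user type is taken from the external server only; if the server
    # has no such information the session type is User.
    session["type"] = remote.get("type", "user")
    # Every other attribute: remote server, then the local Ext-User
    # account, then the ldap-users / radius-users default account.
    for key in ATTRIBUTES:
        if key == "type":
            continue
        for source in (remote, local, default):
            if key in source:
                session[key] = source[key]
                break
    return session
```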
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
LDAP/RADIUS: Keywords for User Attributes

Keyword | Corresponding Attribute in Web Configurator
--- | ---
type | User Type. Possible values: admin, limited-admin, user, guest.
leaseTime | Lease Time. Possible values: 1-1440 (minutes).
reauthTime | Reauthentication Time. Possible values: 1-1440 (minutes).
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the web configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
User Groups
Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one. User groups may consist of user accounts or other user groups.
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
Access Users and the ZyWALL
By default, access users do not have to log in to the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone. In this case, the ZyWALL does not enforce any user-aware policies, but you can still set up policies based on IP address or other criteria.
If you want to enforce user-aware policies, access users must log in to the ZyWALL first. In this case, they should go to the appropriate IP address (or domain name, if you set up DNS) to log in to the ZyWALL. You can provide an incentive to do this by preventing access users from using network services until they log in.
Force User Authentication Policy
Instead of making users go to the Login screen manually, you can configure the ZyWALL to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet. Then, the ZyWALL can enforce user-aware policies.
Note: This works with HTTP traffic only. The ZyWALL does not force users to log in before it routes other kinds of traffic.
The ZyWALL does not automatically route the request that prompted the login, however, so users have to make this request again.
User Summary
The User screen provides a summary of all user accounts.
User/Group

Label | Description
--- | ---
# | This field is a sequential value, and it is not associated with a specific user.
User Name | This field displays the user name of each user.
Description | This field displays the description for each user.
Add icon | This column provides icons to add, edit, and remove users. To add a user, click the Add icon at the top of the column; the User Add/Edit screen appears. To edit a user, click the Edit icon next to the user; the User Add/Edit screen appears. To delete a user, click the Remove icon next to the user; the web configurator confirms that you want to delete the user before doing so.
User Add/Edit
The User Add/Edit screen allows you to create a new user account or edit an existing one.
User/Group > User > Edit

Label | Description
--- | ---
User Name | Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different from user group names, and some words are reserved.
User Type | Select what type of user this is. Choices are: Admin (this user can look at and change the configuration of the ZyWALL); Limited-Admin (this user can look at the configuration of the ZyWALL but not change it); User (this user has access to the ZyWALL's services but cannot look at the configuration); Guest (this user has access to the ZyWALL's services but cannot look at the configuration); Ext-User (this user account is maintained in a remote server, such as RADIUS or LDAP).
Password | Enter the password of this user account. It can consist of 4-30 alphanumeric characters.
Retype | This field is only available if Password is checked. Enter the password again.
Description | Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided.
Lease Time | Enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the web configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time | Type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike lease time, the user has no opportunity to renew the session without logging out.
Rules for User Names
Enter a user name from 1 to 31 characters.
The user name can only contain the following characters: alphanumeric characters (A-Z, a-z, 0-9), underscores (_), and dashes (-).
The first character must be alphabetical (A-Z, a-z), an underscore (_), or a dash (-). Other limitations on user names are:
- User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings for 'BOB', not 'bob'.
- User names have to be different from user group names.
- Reserved user names are listed in the following table.
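An added example (not ZyXEL code) that applies these user name rules to a name list exported from LDAP or RADIUS before generating the bulk-creation script mentioned under "Creating a Large Number of Ext-User Accounts". The CLI command template and the reserved-name set are placeholders, not the ZyWALL's real command syntax or its reserved-name table:

```python
# Added example (not ZyXEL code): validates candidate user names against the
# rules in this guide and turns the accepted ones into CLI lines for bulk
# Ext-User creation. CLI_TEMPLATE and RESERVED are placeholders.
import re

# 1-31 characters, alphanumeric / '_' / '-', first character not a digit
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
# Placeholder stand-in for the guide's reserved-name table (assumption)
RESERVED = {"ldap-users", "radius-users"}
# Placeholder for the real ZyWALL command that creates an Ext-User account
CLI_TEMPLATE = "<create-ext-user-command> {name}"

def check_user_name(name, existing_users=(), group_names=()):
    """Return None if the name is acceptable, otherwise the reason it is not."""
    if not NAME_RE.fullmatch(name):
        return "must be 1-31 alphanumeric, '_' or '-' characters and not start with a digit"
    if name in RESERVED:
        return "reserved user name"
    # Names are case-sensitive, so 'bob' and 'BOB' are two different accounts.
    if name in existing_users:
        return "user already exists"
    if name in group_names:
        return "clashes with a user group name"
    return None

def build_account_script(exported_names, existing_users=(), group_names=()):
    """Turn an exported name list into CLI lines; return (lines, rejected)."""
    lines, rejected, seen = [], {}, set(existing_users)
    for raw in exported_names:
        name = raw.strip()
        if not name:
            continue  # blank line in the export
        problem = check_user_name(name, seen, group_names)
        if problem:
            rejected[name] = problem
            continue
        seen.add(name)  # catches duplicates within the export itself
        lines.append(CLI_TEMPLATE.format(name=name))
    return lines, rejected
```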
Group Summary
User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.
User/Group > Group

Label | Description
--- | ---
# | This field is a sequential value, and it is not associated with a specific user group.
Group Name | This field displays the name of each user group.
Description | This field displays the description for each user group.
Member | This field lists the members in the user group. Each member is separated by a comma.
Add icon | This column provides icons to add, edit, and remove user groups. To add a user group, click the Add icon at the top of the column; the Group Add/Edit screen appears. To edit a user group, click the Edit icon next to the user group; the Group Add/Edit screen appears. To delete a user group, click the Remove icon next to the user group; the web configurator confirms that you want to delete the user group before doing so. If you delete the group, you do not delete the users in the group.
Group Add/Edit
The Group Add/Edit screen allows you to create a new user group or edit an existing one.
User/Group > Group > Add

Label | Description
--- | ---
Name | Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different from user names.
Description | Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
# | The sequence of members in the user group is not important.
Available | This field displays the names of the users and user groups that can be added to the user group. Select users and groups that you want to be members of this group and click the right arrow to add them to the member list.
Member | This field displays the names of the users and user groups that have been added to the user group. The order of members is not important. To remove members, select them and click the left arrow.
Setting Screen
The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them.
User/Group > Setting

Label | Description
--- | ---
User Default Setting |
User Type | Select the default user type when you create a new user account. You can still change the user type for each user account.
Lease Time | Select the default lease time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. You can still change the lease time for each user account.
Reauthentication Time | Select the default reauthentication time when you create a new user account. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. You can still change the reauthentication time for each user account.
User Logon Setting |
Limit ... for administration account | Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can log in as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account | This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user. The number must be between 1 and 1024.
Limit ... for access account | Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can log in as many times as they want as long as they use different IP addresses.
Maximum number per access account | This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user. The number must be between 1 and 1024.
User Lockout Setting |
Enable logon retry limit | Select this check box to set a limit on the number of times each user can log in unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.
Maximum retry count | This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can log in unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.
Lockout period | This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait before trying to log in again once the logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).
User Miscellaneous Setting |
Allow renewing lease time ... | Select this check box if access users can renew lease time automatically, as well as manually, simply by checking the Update lease time automatically check box on their screen.
Enable user idle detection | This is applicable for access users. Select this check box if you want the ZyWALL to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The ZyWALL automatically logs out the access user once the User idle timeout has been reached.
User idle timeout | This is applicable for access users. This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user.
Force User Authentication Policy | Use this section to specify when users must log in to the ZyWALL before the ZyWALL routes HTTP traffic for them. Once users have logged in, the ZyWALL can enforce user-aware policies. This section displays the conditions that are applied, in sequence, to decide what the appropriate action is. By default, users do not have to log in to the ZyWALL.
# | This field is a sequential value, and it is not associated with a specific condition.
Schedule | This field displays the schedule object that specifies when this condition applies. It displays none if this condition always applies.
Source | This field displays the source address object of traffic to which this condition applies. It displays any if this condition applies to traffic from all source addresses.
Destination | This field displays the destination address object of traffic to which this condition applies. It displays any if this condition applies to traffic to all destination addresses.
Authenticate | This field displays whether users must log in (force) or whether users do not have to log in (skip) when this condition is checked and satisfied.
Add icon | This column provides icons to add, edit, move, and remove conditions. It also provides icons to activate and deactivate conditions. To add a condition, click the Add icon at the top of the column or next to each condition. If you click the one at the top of the column, the new condition is first in the list. If you click the one next to a condition, the new condition appears right below this condition. To edit a condition, click the Edit icon at the top of the column or next to each condition. The Force User Authentication Policy Add/Edit screen appears. To remove a condition, click on the Remove icon next to the condition. The web configurator confirms that you want to delete the condition before doing so. To move a condition up or down in the list, click on the Move to N icon next to the condition, and type the line number (# field) where you want to move this condition. The # field is updated accordingly. To activate or deactivate
Force User Authentication Policy Add/Edit
Use this screen to specify a condition when users must log in or do not have to log in to the ZyWALL before their HTTP traffic can pass through the ZyWALL.
User/Group > Setting > Force User Authentication Policy > Add/Edit

Label | Description
--- | ---
Enable | Select this if you want this condition to be active.
Description | Enter a description for this condition. It can be up to 60 printable ASCII characters long.
Authentication | Select whether users must log in (force) or whether users do not have to log in (skip) when this condition is checked and satisfied.
Source Address | Select a source IP address object or select Create Object to configure a new one. Select any if this condition applies to traffic from all source addresses.
Destination Address | Select the destination address of traffic to which this condition applies or select Create Object to configure a new one. Select any if this condition applies to traffic to all destination addresses.
Schedule | Select the schedule object that specifies when this condition applies or select Create Object to configure a new one (see Schedules for details). Select none if this condition always applies.
OK | Select this to save your changes and return to the previous screen.
Cancel | Select this to return to the previous screen without saving any changes.
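An added example (not ZyXEL code) that evaluates a Force User Authentication Policy as the Setting screen and this Add/Edit screen describe it: conditions are checked in the order of the # column, the first enabled condition whose schedule, source and destination all match decides force or skip, no match means no login, and only HTTP traffic is subject to the check. Modelling address objects as CIDR networks and schedule objects as sets of weekday numbers is an assumption made for the example:

```python
# Added example (not ZyXEL code): evaluates a Force User Authentication
# Policy the way this guide describes it. Address objects are modelled as
# CIDR networks and schedule objects as sets of weekday numbers; both are
# assumptions for this example, not the ZyWALL's object model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Condition:
    authenticate: str                  # "force" or "skip"
    enable: bool = True                # the Enable check box
    source: Optional[str] = None       # CIDR, or None for "any"
    destination: Optional[str] = None  # CIDR, or None for "any"
    schedule: Optional[set] = None     # weekday numbers (0=Mon), None = "none"
    description: str = ""

def _addr_matches(obj, ip):
    """None stands for the 'any' address object."""
    return obj is None or ip_address(ip) in ip_network(obj, strict=False)

def _schedule_active(days, weekday):
    """None stands for schedule 'none', i.e. the condition always applies."""
    return days is None or weekday in days

def must_login(policy, src_ip, dst_ip, weekday, protocol="http"):
    """Return True if the ZyWALL shows the Login screen instead of routing."""
    if protocol != "http":
        return False  # other kinds of traffic are routed without a login
    for cond in policy:  # evaluated in the order of the # column
        if not cond.enable:
            continue  # deactivated conditions are passed over
        if (_schedule_active(cond.schedule, weekday)
                and _addr_matches(cond.source, src_ip)
                and _addr_matches(cond.destination, dst_ip)):
            return cond.authenticate == "force"  # first match decides
    return False  # default: users do not have to log in
```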
Web Configurator for Non-Admin Users
Access users cannot use the Web configurator to browse the configuration of the ZyWALL. Instead, when access users log in to the ZyWALL.
Label | Description
--- | ---
User-defined lease time (max ... minutes) | Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew | Access users can click this button to reset the lease time, the amount of time remaining before the ZyWALL automatically logs them out. The ZyWALL sets this amount of time according to the
Updating lease time automatically | This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. (See Setting Screen.) Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
Remaining time before lease timeout | This field displays the amount of lease time that remains, though the user might be able to reset it.
Remaining time before auth. timeout | This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time.