This article describes how to create a local user and assign group memberships or network access to that user.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
You can add local users to the internal database on the Security Appliance from the Users > Local Users & Groups page.
To add a local user to the database:
Navigate to MANAGE | System Setup | Users | Local Users & Groups.
Partitioning: If Partitioning is Enabled, select the partition to which the settings apply from the Authentication partitioning drop-down menu. (The default is All.)
If partitioning is not Enabled, skip this step.
Click the Add icon. The Add User dialog displays.
In the Settings tab, select the "This represents a domain user" option to indicate that the group memberships, access rights, and other attributes apply to any domain user logging in with the registered domain account. (This option is not selected by default.) If the "This represents a domain user" option is:
Selected, then any attributes that are set, such as group membership and access rights, apply to users who log in using the named domain account (authenticated through RADIUS or LDAP) or who are identified as that domain user by SSO.
Not selected, the local user is a local account and anything that is set applies only to users who log in using the account and are authenticated locally.
Type the user name into the Name field and, in the Password field, type a password for the user. Confirm the password by retyping it in the Confirm Password field. NOTE: Passwords are case-sensitive and should consist of a combination of 32 alphanumeric and special characters. The required length and character types are configured under MANAGE | Appliance | Base Settings | Login Security.
User must change password – Check this box to force users to change their passwords the first time they log in. (This option is not selected by default.)
From One-time password method, select the method to require SSL VPN users to submit a system generated password for two-factor authentication.
OTP via Mail – Users receive a temporary password by email after they enter their user name and first password. After receiving the email containing the password, they enter the second password to complete the login process.
TOTP – Users receive a temporary password by email after they enter their user name and first password, but to use this feature, users must install a TOTP client app (such as Google Authenticator, Duo, or Microsoft Authenticator) on their smartphone. The UNBIND TOTP KEY button is displayed. NOTE: If a Local User does not have one-time password enabled while a group it belongs to does, ensure the user's email address is configured; otherwise this user cannot log in.
Enter the user’s email address so they may receive one-time passwords.
From Account Lifetime, select the duration a user account exists before it is either deleted or disabled. Depending on your selection, more options are displayed:
Never expires makes the account permanent. This is the default.
Minutes, Hours, or Days specify a lifetime after which the user account is either deleted or disabled. If you choose a limited lifetime, the option changes. You can specify up to 9999 hours, minutes, or days.
To have the user account deleted after the lifetime expires, select Prune account upon expiration. (This option is selected by default.)
Optionally, enter a comment in the Comment field.
User Groups – Users can belong to one or more local groups. By default, all users belong to the groups Everyone and Trusted Users. You can remove these group memberships for a user and can add memberships in other groups:
Select one or more groups to which the user belongs
Click the Right Arrow to move the group name(s) into the Member of list. The user is a member of the selected groups.
Click Add All.
VPN Access – To configure which network resources VPN users (either GVC, NetExtender, or Virtual Office bookmarks) can access, click VPN Access. When configuring VPN access settings, you can select from a list of networks. The networks are designated by their Address Group or Address Object names.
Select one or more networks from Networks
Click Right Arrow to move them to the Access List. NOTE: The VPN access configuration for users and groups affects the ability of remote clients using GVC, NetExtender, and SSL VPN Virtual Office bookmarks to access network resources. To allow GVC, NetExtender, or Virtual Office users to access a network resource, the network address objects or groups must be added to the "allow" list on the VPN Access tab.
To remove the user's access to a network, select the network(s) from the Access List and then click Left Arrow.
Click Remove All to remove every network from the Access List.
Click OK to save changes.
Bookmarks – User bookmarks can be defined to appear on the Virtual Office home page of the SSL VPN service. Individual users cannot modify or delete bookmarks created by the administrator. NOTE: Users must be members of the SSL VPN Services group before you can configure Bookmarks for them. If the users are not members, you must add them to the SSL VPN Services group and submit the change to enable bookmarks.
User Quota – The quota control for users feature provides quota control based on the user's account. The quota can be specified as a session lifetime, or as a transmit and/or receive traffic limit. With a cyclic quota, a user cannot access the Internet after meeting the account quota until the next cycle (day, week, or month) begins. If the quota cycle is Non Cyclic, the user is unable to access the Internet once the quota is met.
NOTE: Previously, the quota control was supported only for guest users. Quota control is now specified for all local users as well.