SonicOS 7.3 Users

Technical Documentation>  Configuring Local Users and Groups>  Configuring Local Users>  Adding Local Users>  Configuring Local Users Settings
Table of Contents

Configuring Local Users Settings

You can add local users to the internal database on the network security appliance from the Device > Users > Local Users & Groups page.

To create a user for an SSL VPN client, refer to SonicOS 7.1 SSL VPN Administration Guide.

To add local users to the database

  1. Navigate to Device > Users > Local Users & Groups.
  2. Click the Add User.
  3. The User Settings select Settings tab.
  4. Select This represents a domain user if:
    • If This represents a domain user is enabled then any group memberships, access rights, etc. that are set using this user object will apply for users who log in using the named domain account (authenticated via RADIUS or LDAP) or who are identified as that domain user by SSO. When it is checked you can then choose to have it apply for the named user account in a specific domain, or for a user with the given name in any domain.
    • If This represents a domain user is not checked, then it is a local account and anything that is set using it will apply only for users who log in using it, authenticated locally (a password must be set here for this case).
  5. In the Name field, enter the name associated with the user.
  6. In the Password and Confirm Password fields, enter the password assigned to the user.
  7. Optional: select User must change password to force users to change their passwords the first time they login. This option is not selected by default.

  8. To invalidate compromised passwords, from the Restrict access until password is changed drop-down menu, select the level of restriction.

    This restriction applies to web login, login from a VPN client and CLI login via SSH. It does not restrict administrator login on the console, or user’s login via SSO. It can only be set for a local non-domain user accounts that have configured passwords.

    • Block remote access: The user is only allowed to login from the trusted locations. A user can restore remote access by resetting password but only if they can access a secure internal location. Otherwise, the user must contact a firewall administrator.

      The trusted locations include the LAN zone, the MGMT zone, and any other zones with security type 'Trusted', and remote locations connected through a site-to-site VPN tunnel including GMS.

    • Block all but console access: The user is not allowed to login from any locations apart from the admins on the console port. To restore remote access, a user must contact a firewall administrator.

    • Block remote access except GMS/NSM: The user is not allowed to login from any locations except GMS/NSM. To restore remote access, a user must contact a firewall administrator.

    • Block all but console and GMS/NSM: The user is not allowed to login from any locations apart from the admins on the console port and GMS/NSM. To restore remote access, a user must contact a firewall administrator.

  9. From the One-time password method list, select the method to require SSL VPN users to submit a system-generated password for two-factor authentication:

    When a Local User does not have a one-time password enabled, while a group it belongs to does, ensure the user’s email address is configured, otherwise this user cannot login.

    To avoid another password change request for this user, this option applies only to the first login.

    • Disabled (default) – If User must change password is selected, a dialog to change it displays at the first login attempt.
    • OTP via Mail – Users receive a temporary password by email after they enter their user name and first password. After receiving the password-containing email, they can enter the second password to complete the login process.

    • TOTP – Users receive a temporary password by email after they input their user name and first password, but to use this feature, users must download a TOTP client app (such as Google Authentication, DUO, or Microsoft Authentication) on their mobile device.

      The unbind totp key displays.

  10. In the E-mail Address field, enter the user’s email address so they can receive one-time passwords.

  11. In Account Lifetime, select Never expires to make the account permanently. Or select Minutes, Hours, or Days to specify a lifetime after which the user account will either be deleted or disabled.

  12. Optional: In the Comment field, enter any comments.
  13. Click Save.