Help with User level authentication settings like Local Users, LDAP, RADIUS
Description
Introduction to User Management
SonicWall security appliances provide a mechanism for user level authentication that gives users access to the LAN from remote locations on the Internet as well as a means to enforce or bypass content filtering policies for LAN users attempting to access the Internet. You can also permit only authenticated users to access VPN tunnels and send data across the encrypted connection. The SonicWall authenticates all users as soon as they attempt to access network resources in a different zone (such as WAN, VPN, WLAN, etc.), which causes the network traffic to pass through the SonicWall.
Users who log into a computer on the LAN, but perform only local tasks are not authenticated by the SonicWall. User level authentication can be performed using a local user database, LDAP, RADIUS, or a combination of a local database with either LDAP or RADIUS. SonicOS also provides Single Sign-On (SSO) capability. SSO can be used in conjunction with LDAP. The local database on the SonicWall can support up to 1000 users. If you have more than 1000 users, you must use LDAP or RADIUS for authentication.
Resolution
- Using Local Users and Groups for Authentication
Local Users are users stored and managed on the security appliance's local database. In the Users | Local Users page, you can view and manage all local users, add new local users, and edit existing local users. The SonicWall security appliance provides a local database for storing user and group information. You can configure the SonicWall to use this local database to authenticate users and control their access to the network. The local database is a good choice if the number of users accessing the network is relatively small.
KBID 7002 - UTM - CFS: Using custom Content Filter policies to block Internet access to a specific group (CFS + ULA + local groups).For networks with larger numbers of users, user authentication using LDAP or RADIUS servers can be more efficient.
- Using RADIUS for Authentication
Remote Authentication Dial In User Service (RADIUS) is a protocol used by SonicWall security appliances to authenticate users who are attempting to access the network. The RADIUS server contains a database with user information, and checks a user's credentials using authentication schemes such as Password Authentication Protocol (PAP), Challenge handshake authentication protocol (CHAP), Microsoft CHAP (MSCHAP), or MSCHAPv2.
While RADIUS is very different from LDAP, primarily providing secure authentication, it can also provide numerous attributes for each entry, including a number of different ones that can be used to pass back user group memberships. RADIUS can store information for thousands of users, and is a good choice for user authentication purposes when many users need access to the network.
- Using LDAP / Active Directory / eDirectory Authentication
In addition to RADIUS and the local user database, SonicOS Enhanced supports LDAP for user authentication, with support for numerous schemas including Microsoft Active Directory (AD), Novell eDirectory directory services, and a fully configurable user-defined option that should allow it to interact with any schema.
Lightweight Directory Access Protocol (LDAP) defines a directory services structure for storing and managing information about elements in your network, such as user accounts, user groups, hosts, and servers. Several different standards exist that use LDAP to manage user account, group, and permissions. Some are proprietary systems like Microsoft Active Directory which you can manage using LDAP. Some are open standards SAMBA, which are implementations of the LDAP standards. Some are proprietary systems like Novell eDirectory which provide an LDAP API for managing the user repository information.
See also:
KBID 7813 UTM - LDAP: Configuring Active Directory/LDAP over TLS (Certificate) on SonicOS Enhanced
KBID 7768 UTM: Integration of LDAP and multiple/Custom CFS policies for different user groups (ULA + CFS + LDAP)
TIP: Microsoft Active Directory also works with SonicWall Single Sign-On and the SonicWall SSO Agent.
- Single Sign-On
SonicWall SSO is a reliable and time-saving feature that utilizes a single login to provide access to multiple network resources based on administrator-configured group memberships and policy matching. SonicWall SSO is transparent to end users and requires minimal administrator configuration.
SonicWall SSO works for any service on the SonicWall security appliances that uses user level authentication, including Content Filtering Service (CFS), Firewall Access Rules, group membership and inheritance, and security services (Application Firewall, IPS, GAV, and SPY) inclusion/exclusion lists.
Other benefits of SonicWall SSO include:
- Ease of use ' Users only need to sign in once to gain automatic access to multiple resources.
- Improved user experience ' Windows domain credentials can be used to authenticate a user for any traffic type without logging in using a Web browser.
- Transparency to users ' Users are not required to re-enter user name and password for authentication.
- Secure communication ' Shared key encryption for data transmission protection.
- SonicWall SSO Agent can be installed on any Windows server on the LAN, and TSA can be installed on any terminal server.
- Multiple SSO Agents ' Up to 8 agents are supported to provide capacity for large installations
- Multiple TSAs ' Multiple terminal services agents (one per terminal server) are supported. The number depends on the SonicWall UTM appliance model and ranges from 4 to 256.
- Login mechanism works with any protocol, not just HTTP.
- Terminal Service Agent (TSA):
To use SonicWall SSO with Windows Terminal Services or Citrix, SonicOS Enhanced 5.6 or higher is required, and SonicWall TSA must be installed on the server.
See also:
UTM - TSA: configuring SonicWall Terminal Services Agent
UTM - TSA: How Does SonicWall Terminal Services Agent (TSA) Work?