How to Configure Additional Administrators Locally when Using LDAP or RADIUS in SonicOS Enhanc

03/26/2020 1,062 People found this article helpful 480,579 Views

Description

How to Configure Additional Administrators Locally when Using LDAP or RADIUS in SonicOS Enhanced?

Resolution

Overview / Scenario:

SonicOS Enhanced release 4.0 introduced support for multiple concurrent administrators. This feature allows for multiple users to log-in with full administrator privileges. In addition to using the default admin user name, additional administrator usernames can be created.

Because of the potential for conflicts caused by multiple administrators making configuration changes at the same time, only one administrator is allowed to make configuration changes. The additional administrators are given full access to the GUI, but they cannot make configuration changes.

Please Note: Administrators with full configuration privilege can also log in using the Command Line Interface (CLI).

Procedure:

When using RADIUS or LDAP authentication, if you want to ensure that some or all administrative users will always be able to manage the appliance, even if the RADIUS or LDAP server becomes unreachable, then you can use the RADIUS + Local Users or LDAP + Local Users option and configure the accounts for those particular users locally.

For users authenticated by RADIUS or LDAP, create user groups named SonicWall Administrators and/or SonicWall Read-Only Admins on the RADIUS or LDAP server (or its back-end) and assign the relevant users to those groups. Note that in the case of RADIUS you will probably need special configuration of the RADIUS server to return the user group information – see the SonicWall RADIUS documentation for details.

When using RADIUS or LDAP authentication, if you want to keep the configuration of administrative users local to the appliance whilst having those users authenticated by RADIUS/LDAP, perform these steps:

Step 1: Navigate to the Users > Settings page.

Step 2: Select either the RADIUS + Local Users or LDAP + Local Users authentication method.

Step 3: Click the Configure button.

Step 4: For RADIUS, click on the RADIUS Users tab and select the Local configuration only radio button and ensure that the Memberships can be set locally by duplicating RADIUS user names checkbox is checked.

Step 5: For LDAP, click on the LDAP Users tab and select the User group membership can be set locally by duplicating LDAP user names checkbox.

Step 6: Then create local user accounts with the user names of the administrative users (note no passwords need be set here) and add them to the relevant administrator user groups.

Preempting Administrators

When an administrator attempts to log in while another administrator is logged in, the following message is displayed. The message displays the current administrator’s user name, IP address, phone number (if it can be retrieved from LDAP), and whether the administrator is logged in using the GUI or CLI.

This window gives you three options:

• Continue - Preempts the current administrator. The current administrator is dropped to non-config mode and you are given full administrator access.
• Non-config - You are logged into the appliance in non-config mode. The current administrator’s session is not disturbed.
• Cancel - Returns to the authentication screen.

Activating Configuration Mode

When logging in as a user with administrator rights (that is not the admin user), the User Login Status popup window is displayed.

To go to the SonicWall user interface, click the Manage button. You will be prompted to enter your password again. This is a safeguard to protect against unauthorized access when administrators are away from their computers and do not log out of their session.

Disabling the User Login Status Popup

You can disable the User Login Status popup window if you prefer to allow certain users to log in solely for the purpose of managing the appliance, rather than for privileged access through the appliance. To disable the popup window, select the Members go straight to the management UI on web login checkbox when adding or editing the local group.

If you want some user accounts to be administrative only, while other users need to log in for privileged access through the appliance, but also with the ability to administer it (that is, some go straight to the management interface on login, while others get the User Login Status popup window with a Manage button), this can be achieved as follows:

Step 1 Create a local group with the Members go straight to the management UI on web login checkbox selected.

Step 2 Add the group to the relevant administrative group, but do not select this checkbox in the administrative group.

Step 3 Add those user accounts that are to be administrative-only to the new user group. The User Login Status popup window is disabled for these users.

Step 4 Add the user accounts that are to have privileged and administrative access directly to the top-level administrative group.

Viewing Multiple Administrator Related Log Messages

Log messages are generated for the following events:

• A GUI or CLI user begins configuration mode (including when an admin logs in).

• A GUI or CLI user ends configuration mode (including when an admin logs out).

• A GUI user begins management in non-config mode (including when an admin logs in and when a user in configuration mode is preempted and dropped back to read-only mode).

• A GUI user begins management in read-only mode.

• A GUI user terminates either of the above management sessions (including when an admin logs out).

Source: SonicOS Enhanced 5.0 Multiple Administrators Feature Module

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

How to Configure Additional Administrators Locally when Using LDAP or RADIUS in SonicOS Enhanc

Description

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch