SonicOS 7.1 Users
- SonicOS 7.1
- About SonicOS
- About User Management
- Using Local Users and Groups for Authentication
- Using RADIUS for Authentication
- Using LDAP/Active Directory/eDirectory Authentication
- Using RADIUS
- Using TACACS+
- Using Single Sign-On
- What is Single Sign-On?
- Benefits of SonicWall SSO
- Platforms and Supported Standards
- How Does Single Sign-On Work?
- How Does SSO Agent Work?
- How Does Terminal Services Agent Work?
- How Does Browser NTLM Authentication Work?
- How Does RADIUS Accounting for Single-Sign-On Work?
- Installing the Single Sign-On Agent and/or Terminal Services Agent
- Single Sign-On Advanced Features
- Configuring Access Rules
- Managing SonicOS with HTTP Login from a Terminal Server
- Viewing and Managing SSO User Sessions
- Multiple Administrator Support
- Configuring Users Status
- Configuring User Settings
- User Login Settings
- Setting the Authentication Method for Login
- Configuring RADIUS Authentication
- Configuring LDAP
- Configuring TACACS+
- Requiring User Names be Treated as Case-Sensitive
- Preventing Users From Logging in from More than One Location
- Forcing Users to Log In Immediately After Changing Their Passwords
- Displaying User Login Information Since the Last Login
- Setting the Single-Sign-On Methods
- One-Time Password Settings
- Configuring the User Web Login Settings
- Adding URLs to Authentication Bypass
- User Session Settings
- Accounting
- [[[Missing Linked File System.LinkedTitle]]]
- User Login Settings
- Configuring and Managing Partitions
- Configuring Local Users and Groups
- Configuring Guest Services
- Configuring Guest Accounts
- Managing Guest Status
- SonicWall Support
Configuring LDAP Setting
- Navigate to Device > Users > Settings > Accounting.
- Next to Configure LDAP, click Configure.
The LDAP Configuration page is displayed.
-
Under the Settings > LDAP servers tab, click Add Server.
The Settings page displays.
-
Under Settings, do the following:
-
Select the one of the LDAP server roles in Role.
-
Primary LDAP server
-
Secondary LDAP server
-
Backup/replica server
-
-
In Name or IP Address enter the FQDN or the IP address of the LDAP server against which you wish to authenticate.
If using a name, be certain it can be resolved by your DNS server. Also, if using TLS with the ‘Require valid certificate from server’ option, the name provided here must match the name to which the server certificate was issued (such as the CN) or the TLS exchange will fail.
-
In Port Number, select one of the following:
- Default LDAP over TLS port number (636)
- Default LDAP port (389)
-
Windows Global Catalog port (3268)
-
Global Catalog over TLS port (3269)
-
In Server timeout, enter the amount of time, in seconds, that the SonicWALL waits for a response from the LDAP server before timing out.
Allowable ranges are 1 to 99999 (in case you are running your LDAP server on a VIC-20 located on the moon), with a default of 10 seconds.
-
In Overall operation timeout (minutes), enter the maximum time to spend on any auto-operation.
-
Select the Use TLS (SSL), to log in to the LDAP server. This is selected by default.
It is strongly recommended that TLS be used to protected the username and password information that is sent across the network. Most modern implementations of LDAP server, including AD, support TLS.
-
Select the Send LDAP ‘Start TLS’ Request.
Some LDAP server implementations support the Start TLS directive rather than using native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections, and to switch to TLS as directed by the client. AD does not use this option, and it should only be selected if required by your LDAP server.
-
If partitioning has been configured then in the Authentication Partition drop-down menu select the Default.
-
Click Save.
-
- Under Login/Bind do the following:
- Select the Anonymous Login option for some LDAP servers allow for the tree to be accessed anonymously.
If your server supports this (MS AS generally does not), then you could select this option.
If you select Give login name/location in tree provide the following:
- In Login user name specify a user name that has rights to log in to the LDAP directory.
Select the User tree for login to server when Give login name/location in tree is selected this specifies the tree in the directory that holds the user object for the user account configured there for login (bind) to the LDAP server.
- The password for the user account in Password.
If you select Give bind distinguished name provide the following:
In Bind distinguished name specify a user name.
The password for the user account in Password.
In When referred to other servers select one of the following:
Bind with this account
Bind with an equivalent account on that server (same password)
Click Save.
- Select the Anonymous Login option for some LDAP servers allow for the tree to be accessed anonymously.
- Under Schema, do the following:
- In LDAP Schema, select the predefined schemas will automatically populate the fields used by that schema with their correct values.
Microsoft Active Directory
RFC2798 InetOrgPerson
RFC2307 Network Information Service
Samba SMB
Novell eDirectory
User defined
Selecting User defined allows you to specify your own value use this only if you have a specific or proprietary LDAP schema configuration.
- In Object class, select which attribute represents the individual user account.
- In Attributes, enter the following:
- Enter Login name
- Enter Qualified login name to specify an attribute of a user object that sets an alternative login name for the user in name@domain format
- In User group membership enter the information in the user object of which groups it belongs.
- In Additional user group ID enter the user group id and select Use.
If the Additional user group ID user attribute is set and its use is enabled (the Use is enabled) then when a user object is found with one or more instances of this attribute, a search for additional user groups matching those will be made in the LDAP directory. If a group is found with the Additional user group match attribute set to that value then the user will also be made a member of that group.
In Framed IP address enter the IP address to retrieve a static IP address that is assigned to a user in the directory.
Click Save.
- In LDAP Schema, select the predefined schemas will automatically populate the fields used by that schema with their correct values.
- Under Directory, do the following:
- In Primary Domain, specify the user domain used by your LDAP implementation.
Click Auto-configure to auto-configure the Trees containing users and Trees containing user groups fields by scanning through the directory/directories looking for all trees that contain user objects.
In Trees containing users add the users. The trees where users commonly reside in the LDAP directory. One default value is provided which can be edited, an up to a total of 64 DN values might be provided, and the SonicWALL search the directory using them all until a match is found, or the list is exhausted. If you have created other user containers within your LDAP or AD directory, you should specify them here.
In Trees containing user groups add the groups. A maximum of 32 DN values might be provided. These are only applicable when there is no user group membership attribute in the schema's user object, and are not used with AD.
Click Save.
- Click Apply.
- In General Settings do the following:
- In the Protocol version from the drop-down menu select either LDAP version 3 or LDAP version 2.
Select Require valid certificate from server when using TLS to validate the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate.
In the Local certificate for TLS to be used only if the LDAP server requires a client certificate for connections.
Click Apply.
The old, weaker ciphers have been deprecated. From SonicOS 7.1, they have been replaced with more secured cipher suites. They are:
-
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
-
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
-
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
-
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
-
Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (0xc0af)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CCM (0xc0ad)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM_8 (0xc0a3)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CCM (0xc09f)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (0xc05d)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc061)
-
Cipher Suite: TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 (0xc057)
-
Cipher Suite: TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (0xc053)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
-
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (0xc0ae)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CCM (0xc0ac)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM_8 (0xc0a2)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM (0xc09e)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (0xc05c)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc060)
-
Cipher Suite: TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 (0xc056)
-
Cipher Suite: TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (0xc052)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
-
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc073)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)
-
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c4)
-
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 (0x00c3)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
-
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc072)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0xc076)
-
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00be)
-
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 (0x00bd)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
-
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
-
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
-
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
-
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
-
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
-
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
-
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
-
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
-
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
-
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
-
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
-
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
-
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
-
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
-
Cipher Suite: TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)
-
Cipher Suite: TLS_RSA_WITH_AES_256_CCM (0xc09d)
-
Cipher Suite: TLS_RSA_WITH_ARIA_256_GCM_SHA384 (0xc051)
-
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
-
Cipher Suite: TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)
-
Cipher Suite: TLS_RSA_WITH_AES_128_CCM (0xc09c)
-
Cipher Suite: TLS_RSA_WITH_ARIA_128_GCM_SHA256 (0xc050)
-
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
-
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
-
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
-
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
-
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
-
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
-
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
-
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
-
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
-
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
-
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
-
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Was This Article Helpful?
Help us to improve our support portal