SonicOS 7.0 Users
- SonicOS 7.0 Users
- About User Management
- Using Local Users and Groups for Authentication
- Using RADIUS for Authentication
- Using LDAP/Active Directory/eDirectory Authentication
- Using RADIUS
- Using TACACS+
- Using Single Sign-On
- What is Single Sign-On?
- Benefits of SonicWall SSO
- Platforms and Supported Standards
- How Does Single Sign-On Work?
- How Does SSO Agent Work?
- How Does Terminal Services Agent Work?
- How Does Browser NTLM Authentication Work?
- How Does RADIUS Accounting for Single-Sign-On Work?
- Installing the Single Sign-On Agent and/or Terminal Services Agent
- Single Sign-On Advanced Features
- Configuring Access Rules
- Managing SonicOS with HTTP Login from a Terminal Server
- Viewing and Managing SSO User Sessions
- Multiple Administrator Support
- Configuring Users Status
- Configuring User Settings
- User Login Settings
- Setting the Authentication Method for Login
- Configuring RADIUS Authentication
- Configuring LDAP
- Configuring TACACS+
- Requiring User Names be Treated as Case-Sensitive
- Preventing Users From Logging in from More than One Location
- Forcing Users to Log In Immediately After Changing Their Passwords
- Displaying User Login Information Since the Last Login
- Setting the Single-Sign-On Methods
- One-Time Password Settings
- Configuring the User Web Login Settings
- Adding URLs to Authentication Bypass
- User Session Settings
- Accounting
- [[[Missing Linked File System.LinkedTitle]]]
- User Login Settings
- Configuring and Managing Partitions
- Configuring Local Users and Groups
- Configuring Guest Services
- Configuring Guest Accounts
- Managing Guest Status
- SonicWall Support
SonicWall SSO Authentication Using the Terminal Services Agent
For users logged in from a Terminal Services or Citrix server, the TSA takes the place of the SSO Agent in the authentication process. The process is different in several ways:
- The TSA runs on the same server that the user is logged into, and includes the user name and domain along with the server IP address in the initial notification to the firewall.
- Users are identified by a user number as well as the IP address (for non-Terminal Services users, there is only one user at any IP address and so no user number is used). A non-zero user number is displayed in the SonicOS Management Interface using the format
x.x.x.x user n
, wherex.x.x.x
is the server IP address andn
is the user number. - The TSA sends a close notification to SonicOS when the user logs out, so no polling occurs.
After a user has been identified, the Security Appliance queries LDAP or a local database (based on administrator configuration) to find user group memberships, match the memberships against policy, and grant or restrict access to the user accordingly. Upon successful completion of the login sequence, the saved packets are sent on. If packets are received from the same source address before the sequence is completed, only the most recent packet is saved.
User names are returned from the authorization agent running the SSO Agent in the format <domain>/<user-name>
. For locally configured user groups, the user name can be configured to be:
- The full name returned from the authorization agent running the SSO Agent (configuring the names in the firewall local user database to match).
- A simple user name with the domain component stripped off (default).
For the LDAP protocol, the <domain>/<user-name>
format is converted to an LDAP distinguished name by creating an LDAP search for an object of class domain with a dc (domain component) attribute that matches the domain name. If one is found, then its distinguished name is used as the directory sub-tree to search for the user’s object. For example, if the user name is returned as SV/bob
, then a search for an object with objectClass=domain
and dc=SV
is performed. If that returns an object with distinguished name dc=sv,dc=us,dc=SonicWall,dc=com
, then a search under that directory sub-tree is created for (in the Active Directory case) an object with objectClass=user
and sAMAccountName=bob
. If no domain object is found, then the search for the user object is made from the top of the directory tree.
When a domain object has been found, the information is saved to avoid searching for the same object. If an attempt to locate a user in a saved domain fails, the saved domain information is deleted and another search for the domain object is made.
User logout is handled slightly differently by SonicWall SSO using the SSO Agent as compared to SSO with TSA. The network security appliance polls the authorization agent running the SSO Agent at a configurable rate to determine when a user has logged out. Upon user logout, the authentication agent running the SSO Agent sends a User Logged Out response to the firewall, confirming that the user has been logged out and terminating the SSO session. Rather than being polled by the network security appliance, the TSA itself monitors the Terminal Services/Citrix server for logout events and notifies the network security appliance as they occur, terminating the SSO session. For both agents, configurable inactivity timers can be set, and for the SSO Agent the user name request polling rate can be configured (set a short poll time for quick detection of logouts, or a longer polling time for less overhead on the system).
Was This Article Helpful?
Help us to improve our support portal