User/Group
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
What You Need To Know
User Account
A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL.
User Types
These are the types of user accounts the ZyWALL uses.
Types of User Accounts 
Type
Abilities
Login Method(s)
Admin Users
admin
Change ZyWALL configuration (web, CLI)
WWW, TELNET, SSH, FTP, Console
limited-admin
Look at ZyWALL configuration (web, CLI)
Perform basic diagnostics (CLI)
WWW, TELNET, SSH, Console
Access Users
user
Access network services
Browse user-mode commands (CLI)
WWW, TELNET, SSH
guest
Access network services
WWW
ext-user
External user account
WWW
ext-group-user
External group user account
WWW
Note:
The default admin account is always authenticated locally, regardless of the authentication method setting.
Ext-User Accounts
Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the ZyWALL. If you do not want to set up policies for this user, you do not have to set up an ext-user account.
All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If the ZyWALL tries to use the local database to authenticate an ext-user, the authentication attempt always fails.
Note:
If the ZyWALL tries to authenticate an ext-user using the local database, the attempt always fails.
Once an ext-user user has been authenticated, the ZyWALL tries to get the user type from the external server. If the external server does not have the information, the ZyWALL sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the ZyWALL checks the following places, in order.
1
User account in the remote server.
2
User account (Ext-User) in the ZyWALL.
3
Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the ZyWALL.
See Setting up User Attributes in an External Server for a list of attributes and how to set up the attributes in an external server.
Ext-Group-User Accounts
Ext-Group-User accounts work are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Adding an Active Directory or LDAP Server for more on the group membership attribute.
User Groups
User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
Note:
You cannot put access users and admin users in the same user group.
Note:
You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
User Awareness
By default, users do not have to log into the ZyWALL to use the network services it provides. The ZyWALL automatically routes packets for everyone. If you want to restrict network services that certain users can use via the ZyWALL, you can require them to log in to the ZyWALL first. The ZyWALL is then ‘aware’ of the user who is logged in and you can create ‘user-aware policies’ that define what services they can use. See User Aware Login Example for a user-aware login example.
Finding Out More
See User /Group Technical Reference for some information on users who use an external authentication server in order to log in.
The ZyWALL supports TTLS using PAP so you can use the ZyWALL’s local user database to authenticate users with WPA or WPA2 instead of needing an external RADIUS server. See User-aware Access Control for an example.
See User-aware Access Control for an example of configuring user accounts and user groups as part of user-aware access control.
See User-aware Access Control for an example of how to use a RADIUS server to authenticate user accounts based on groups.
User Summary
The User screen provides a summary of all user accounts.
Configuration > Object > User/Group 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so.
Object References
Select an entry and click Object References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific user.
User Name
This field displays the user name of each user.
User Type
This field displays the types of user accounts the ZyWALL uses:
admin - this user can look at and change the configuration of the ZyWALL
limited-admin - this user can look at the configuration of the ZyWALL but not to change it
user - this user has access to the ZyWALL’s services and can also browse user-mode commands (CLI).
guest - this user has access to the ZyWALL’s services but cannot look at the configuration
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts for more information about this type.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts for more information about this type.
Description
This field displays the description for each user.
User Add/Edit
The User Add/Edit screen allows you to create a new user account or edit an existing one.
Rules for User Names
Enter a user name from 1 to 31 characters.
The user name can only contain the following characters:
Alphanumeric A-z 0-9 (there is no unicode support)
_ [underscores]
- [dashes]
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not ‘bob’.
User names have to be different than user group names.
Here are the reserved user names:
adm
admin
any
bin
daemon
debug
devicehaecived
ftp
games
halt
ldap-users
lp
mail
news
nobody
operator
radius-users
root
shutdown
sshd
sync
uucp
zyxel
Configuration > User/Group > User > Add 
Label
Description
User Name
Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved.
User Type
This field displays the types of user accounts the ZyWALL uses:
admin - this user can look at and change the configuration of the ZyWALL
limited-admin - this user can look at the configuration of the ZyWALL but not to change it
user - this user has access to the ZyWALL’s services and can also browse user-mode commands (CLI).
guest - this user has access to the ZyWALL’s services but cannot look at the configuration.
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts for more information about this type.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts for more information about this type.
Password
This field is not available if you select the ext-user or ext-group-user type.
Enter the password of this user account. It can consist of 4 - 31 alphanumeric characters.
Retype
This field is not available if you select the ext-user or ext-group-user type.
Group Identifier
This field is available for a ext-group-user type user account.
Specify the value of the AD or LDAP server’s Group Membership Attribute that identifies the group to which this user belongs.
Associated AAA Server Object
This field is available for a ext-group-user type user account. Select the AAA server to use to authenticate this account’s users.
Description
Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided.
Authentication Timeout Settings
If you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow.
Lease Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.
If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically , the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.
If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the ZyWALL in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Configuration Validation
Use a user account from the group specified above to test if the configuration is correct. Enter the account’s user name in the User Name field and click Test.
OK
Click OK to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving your changes.
User Group Summary
User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.
Configuration > Object > User/Group > Group 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The ZyWALL confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group.
Object References
Select an entry and click Object References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific user group.
Group Name
This field displays the name of each user group.
Description
This field displays the description for each user group.
Member
This field lists the members in the user group. Each member is separated by a comma.
Group Add/Edit
The Group Add/Edit screen allows you to create a new user group or edit an existing one.
Configuration > User/Group > Group > Add 
Label
Description
Name
Type the name for this user group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.
Description
Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List
The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving your changes.
User/Group Setting
The Setting screen controls default settings, login settings, lockout settings, and other user settings for the ZyWALL. You can also use this screen to specify when users must log in to the ZyWALL before it routes traffic for them.
Configuration > Object > User/Group > Setting 
Label
Description
User Authentication Timeout Settings
Default Authentication Timeout Settings
These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
#
This field is a sequential value, and it is not associated with a specific entry.
User Type
These are the kinds of user account the ZyWALL supports.
admin - this user can look at and change the configuration of the ZyWALL
limited-admin - this user can look at the configuration of the ZyWALL but not to change it
user - this user has access to the ZyWALL’s services but cannot look at the configuration
guest - this user has access to the ZyWALL’s services but cannot look at the configuration
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
Lease Time
This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the ZyWALL in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Miscellaneous Settings
Allow renewing lease time automatically
Select this check box if access users can renew lease time automatically, as well as manually, simply by selecting the Updating lease time automatically check box on their screen.
Enable user idle detection
This is applicable for access users.
Select this check box if you want the ZyWALL to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The ZyWALL automatically logs out the access user once the User idle timeout has been reached.
User idle timeout
This is applicable for access users.
This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the ZyWALL automatically logs out the access user.
User Logon Settings
Limit the number of simultaneous logons for administration account
Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can login as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account
This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user.
Limit the number of simultaneous logons for access account
Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can login as many times as they want as long as they use different IP addresses.
Maximum number per access account
This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.
User Lockout Settings
Enable logon retry limit
Select this check box to set a limit on the number of times each user can login unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.
Maximum retry count
This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can login unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.
Lockout period
This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to login again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
Default User Authentication Timeout Settings Edit
The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
Configuration > Object > User/Group > Setting > Edit 
Label
Description
User Type
This read-only field identifies the type of user account for which you are configuring the default settings.
admin - this user can look at and change the configuration of the ZyWALL
limited-admin - this user can look at the configuration of the ZyWALL but not to change it.
user - this user has access to the ZyWALL’s services but cannot look at the configuration.
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
Lease Time
Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically , the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
Type the number of minutes this type of user account can be logged into the ZyWALL in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
OK
Click OK to save your changes back to the ZyWALL.
Cancel
Click Cancel to exit this screen without saving your changes.
User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the ZyWALL. Instead, after access users log into the ZyWALL.
Web Configurator for Non-Admin Users 
Label
Description
User-defined lease time (max ... minutes)
Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew
Access users can click this button to reset the lease time, the amount of time remaining before the ZyWALL automatically logs them out. The ZyWALL sets this amount of time according to the
User-defined lease time field in this screen
Lease time field in the User Add/Edit screen (see User Add/Edit)
Lease time field in the Setting screen (see User/Group Setting)
Updating lease time automatically
This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. (See User/Group Setting.) Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
Remaining time before lease timeout
This field displays the amount of lease time that remains, though the user might be able to reset it.
Remaining time before auth. timeout
This field displays the amount of time that remains before the ZyWALL automatically logs the access user out, regardless of the lease time.
User /Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
LDAP/RADIUS: Keywords for User Attributes 
Keyword
Corresponding Attribute in Web Configurator
type
User Type. Possible Values: admin, limited-admin, user, guest.
leaseTime
Lease Time. Possible Values: 1-1440 (minutes).
reauthTime
Reauthentication Time. Possible Values: 1-1440 (minutes).
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.