Configuring Management User Accounts

The Local Users table lets you configure up to 20 management user accounts for the device's management interfaces (Web interface, CLI and REST API).

You configure each user account with login credentials (username and password) and a management user level which defines the level of read and write privileges. The table below describes the different types of user levels.

Description of Management User Levels

Security Administrator (numeric representation in RADIUS: 200)
Privileges:
Read-write to all Web pages.
Read-write (access) to the CLI's Privileged User mode (> enable).
Create all other user levels.
Note:
At least one Security Administrator user must exist.
Only the Security Administrator can create the first Master user. Once created, additional Master users can only be created or deleted by other Master users.

Master (numeric representation in RADIUS: 220)
Privileges:
Read-write to all Web pages.
Read-write (access) to the CLI's Privileged User mode (> enable).
Create all user levels (including Security Administrators).
Delete all users except the last Security Administrator.
Create or delete Master users.
Note:
Only the Security Administrator can create the first Master user. Once created, additional Master users can only be created or deleted by other Master users.
If only one Master user exists, it can be deleted only by itself.

Administrator (numeric representation in RADIUS: 100)
Privileges:
Read-write to all Web pages, except security-related pages (including the Local Users table), where this user has read-only privileges.
Note: This user level can access only the CLI's Basic User mode.

Monitor (numeric representation in RADIUS: 50)
Privileges:
Read-only, but access to security-related pages (including the Local Users table) is blocked.
Note: This user level can access only the CLI's Basic User mode.

Only Security Administrator and Master users can configure users in the Local Users table.
For privileges per user level for the device's REST API, refer to the document, REST API for SBC-Gateway-MSBR Devices.
Regardless of user level, all users can change their login password as described in Changing Login Password by All User Levels.
You can change the read-write and read-only privileges per Web page for Monitor, Administrator, and Security Administrator user levels. For more information, see Customizing Access Levels per Web Page.

The device provides the following two default user accounts:

Default User Accounts (usernames and passwords are case-sensitive)

Security Administrator: username "Admin", password "Admin"
Monitor: username "User", password "User"

For security, it's recommended that you change the default username and password of the default users.
To restore the device to these default users (and with their default usernames and passwords), configure the [ResetWebPassword] parameter to [1]. All other configured accounts are deleted.
If you want to use the same Local Users table configuration for another device, before uploading this device's configuration file (.ini) to the other device, you must edit the file so that the passwords are in plain text.
If you delete a user who is currently in an active Web session, the user is immediately logged off the device.
Up to five users can be concurrently logged in to the Web interface; they can all be the same user.
You can set the entire Web interface to read-only (regardless of Web user access levels), using the [DisableWebConfig] parameter (see Web and Telnet Parameters).
You can configure additional Web user accounts using a RADIUS server (see RADIUS Authentication).

The following procedure describes how to configure user accounts through the Web interface. You can also configure them through the ini file table [WebUsers] or the CLI (configure system > user).

To configure management user accounts:
1. Open the Local Users table (Setup menu > Administration tab > Web & CLI folder > Local Users).
2. Click New; a dialog box is displayed.

3. Configure a user account according to the parameters described in the table below.
4. Click Apply, and then save your settings to flash memory.

Local Users Table Parameter Descriptions

General

'Index' (ini: [WebUsers_Index])

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'Username' (CLI: user; ini: [WebUsers_Username])

Defines the Web user's username.

The valid value is a string of up to 40 alphanumeric characters, including the period ".", underscore "_", and hyphen "-" signs.

'Password' (CLI: password; ini: [WebUsers_Password])

Defines the Web user's password.

The valid value is a string of 8 to 40 ASCII characters.

To ensure strong passwords, adhere to the following password complexity requirements:

The password should contain at least eight characters.
The password should contain at least two uppercase letters (e.g., A).
The password should contain at least two lowercase letters (e.g., a).
The password should contain at least two numbers (e.g., 4).
The password should contain at least two symbols (non-alphanumeric characters, e.g., $, #, %).
The password must not contain any spaces.
The password should contain at least four new characters that were not used in the previous password.

To enforce the password complexity requirements listed above, configure the [EnforcePasswordComplexity] parameter to [1]. If you enable password complexity, you can also configure the minimum length (number of characters) of the password, using the [MinWebPasswordLen] parameter.

Note:

The password must not contain a backslash (\).
For security, password characters are not shown in the Web interface or ini file. In the Web interface, the characters are displayed as dots while you type the password; once applied, the password is displayed as an asterisk (*) in the table. In the ini file, the password is displayed as an encrypted string.
To enforce obscured (encrypted) passwords when configuring the Local Users table through CLI, see the [CliObscuredPassword] parameter.
The password cannot be configured with wide characters.
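The complexity rules above are easy to misread (two of each character class, no spaces or backslash, four characters not reused from the previous password), so the following added Python example encodes them as a checker you can run over candidate passwords before entering them in the table. This is an illustration written for this page, not AudioCodes code: the rule set, the 8 to 40 ASCII range, the backslash restriction and the minimum-length knob (mirroring [MinWebPasswordLen]) come from the text above; the function name, its parameters and the reading of "four new characters" as four distinct characters absent from the old password are my own assumptions.

```python
"""Password-complexity checker modelled on the 'Password' parameter rules.

Added example, not AudioCodes code. The function and parameter names are
assumptions; the rules themselves are the ones listed on the page.
"""

import string
from typing import List

SYMBOLS = set(string.punctuation)  # non-alphanumeric printable ASCII characters


def check_password_complexity(password: str, previous: str = "", min_len: int = 8) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes.

    min_len plays the role of [MinWebPasswordLen] (the page's floor is 8);
    the remaining checks mirror the [EnforcePasswordComplexity] rule list.
    """
    problems = []
    floor = max(8, min_len)
    # Valid value: 8 to 40 ASCII characters; wide (non-ASCII) characters are rejected.
    if not password.isascii():
        problems.append("contains non-ASCII (wide) characters")
    if len(password) > 40:
        problems.append("longer than 40 characters")
    if len(password) < floor:
        problems.append(f"shorter than {floor} characters")
    # Explicit exclusions from the parameter description.
    if " " in password:
        problems.append("contains a space")
    if "\\" in password:
        problems.append("contains a backslash")
    # Two of each character class.
    if sum(c.isupper() for c in password) < 2:
        problems.append("fewer than two uppercase letters")
    if sum(c.islower() for c in password) < 2:
        problems.append("fewer than two lowercase letters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("fewer than two digits")
    if sum(c in SYMBOLS for c in password) < 2:
        problems.append("fewer than two symbols")
    # "At least four new characters that were not used in the previous password":
    # assumption: four distinct characters that do not occur in the old password.
    if previous:
        new_chars = set(password) - set(previous)
        if len(new_chars) < 4:
            problems.append("fewer than four characters not used in the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is a real credential.
    for candidate in ("Ab12#$xyZQ", "password", "Ab12#$xy ZQ"):
        print(repr(candidate), check_password_complexity(candidate) or "OK")
```

The check is deliberately strict about "should" rules as well as "must" rules, since the device enforces the whole list once [EnforcePasswordComplexity] is [1]; relax individual checks if your deployment leaves complexity enforcement disabled.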

'User Level' (CLI: privilege; ini: [WebUsers_UserLevel])

Defines the user's access level.

Monitor = (Default) Read-only user. This user can only view Web pages; access to security-related pages is denied.
Administrator = Read/write privileges for all pages except security-related pages (including the Local Users table), where this user has read-only privileges.
Security Administrator = Full read/write privileges for all pages.
Master = Read/write privileges for all pages. This user also functions as a Security Administrator.

Note:

At least one Security Administrator must exist. You cannot delete the last remaining Security Administrator.
The first Master user can be added only by a Security Administrator user.
Additional Master users can be added, edited and deleted only by Master users.
If only one Master user exists, it can be deleted only by itself.
Master users can add, edit, and delete Security Administrators (except the last Security Administrator).
Only Security Administrator and Master users can add, edit, and delete Administrator and Monitor users.
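The who-may-manage-whom rules from the user-level table at the top of this page and the notes above form a small authorization policy, and it is worth encoding them when you audit a Local Users table (for example before copying an .ini file to another device). The following Python example does that; it is an added illustration, not AudioCodes code. The numeric levels are the RADIUS values from the table, the 20-account capacity is from the opening paragraph, and the class and function names are mine. One case the page does not spell out, a Security Administrator adding or deleting another Security Administrator, is permitted here as an assumption; the last-remaining Security Administrator rule still applies to it.

```python
"""Policy check for Local Users table changes, built from the rules on this page.

Added example, not AudioCodes code. Function names are assumptions; the rules
are the ones stated for the Security Administrator, Master, Administrator and
Monitor levels.
"""

from dataclasses import dataclass
from typing import List, Tuple

# Numeric representation of each user level in RADIUS, from the table above.
MONITOR, ADMINISTRATOR, SECURITY_ADMIN, MASTER = 50, 100, 200, 220
LEVEL_NAMES = {MONITOR: "Monitor", ADMINISTRATOR: "Administrator",
               SECURITY_ADMIN: "Security Administrator", MASTER: "Master"}
MAX_USERS = 20  # the Local Users table holds up to 20 accounts


@dataclass(frozen=True)
class User:
    name: str
    level: int


def _count(users: List[User], level: int) -> int:
    return sum(1 for u in users if u.level == level)


def check_add(actor: User, new_level: int, users: List[User]) -> Tuple[bool, str]:
    """May `actor` add a user of `new_level` to the table `users`?"""
    if actor.level not in (SECURITY_ADMIN, MASTER):
        return False, "only Security Administrator and Master users can configure the Local Users table"
    if len(users) >= MAX_USERS:
        return False, "the Local Users table already holds 20 accounts"
    if new_level == MASTER:
        # The first Master is created by a Security Administrator; later ones only by Masters.
        if _count(users, MASTER) == 0 and actor.level == SECURITY_ADMIN:
            return True, "the first Master user may be added by a Security Administrator"
        if actor.level != MASTER:
            return False, "additional Master users can be added only by Master users"
    return True, "allowed"


def check_delete(actor: User, target: User, users: List[User]) -> Tuple[bool, str]:
    """May `actor` delete `target` from the table `users`?"""
    if actor.level not in (SECURITY_ADMIN, MASTER):
        return False, "only Security Administrator and Master users can configure the Local Users table"
    if target.level == SECURITY_ADMIN and _count(users, SECURITY_ADMIN) == 1:
        return False, "the last Security Administrator cannot be deleted"
    if target.level == MASTER:
        if actor.level != MASTER:
            return False, "Master users can be deleted only by Master users"
        if _count(users, MASTER) == 1 and actor != target:
            return False, "a sole Master user can be deleted only by itself"
    return True, "allowed"


def table_violations(users: List[User]) -> List[str]:
    """Invariants the table itself must satisfy, for auditing a configuration."""
    problems = []
    if _count(users, SECURITY_ADMIN) == 0:
        problems.append("no Security Administrator user exists")
    if len(users) > MAX_USERS:
        problems.append("more than 20 user accounts")
    unknown = [u.name for u in users if u.level not in LEVEL_NAMES]
    if unknown:
        problems.append("unknown user level for: " + ", ".join(unknown))
    return problems


if __name__ == "__main__":
    # Constructed sample table: the two default accounts plus one Master.
    table = [User("Admin", SECURITY_ADMIN), User("User", MONITOR), User("boss", MASTER)]
    print(check_delete(table[0], table[0], table))   # last Security Administrator
    print(check_delete(table[0], table[2], table))   # non-Master deleting a Master
    print(table_violations(table))
```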

'SSH Public Key' (CLI: public-key; ini: [WebUsers_SSHPublicKey])

Defines a Secure Shell (SSH) public key for RSA or ECDSA public-key authentication of the remote user when logging in to the device's CLI through SSH. The CLI connection is established only after a successful handshake with the user's private key.

The valid value is a string of up to 512 characters. By default, no value is defined.

Note:

For more information on SSH and for enabling SSH, see Enabling SSH with RSA Public Key for CLI.
To configure whether SSH public keys are optional or mandatory, use the [SSHRequirePublicKey] parameter.

'Status' (CLI: status; ini: [WebUsers_Status])

Defines the status of the user.

New = (Default) The user is required to change the password on the next login. When the user logs in to the Web interface, the user is immediately prompted to change the current password.
Valid = The user can log in to the Web interface as normal.
Failed Login = This state is set automatically for users that exceed a user-defined number of failed login attempts, configured by the 'Deny Access on Fail Count' parameter (see Configuring Web Session and Access Settings). These users can log in again only after the user-defined timeout configured by the 'Block Duration' parameter (see below) has elapsed, or if their status is changed (to New or Valid) by a Security Administrator or Master.
Inactivity = This state is set automatically for users that have not accessed the Web interface for a user-defined number of days, configured by the 'User Inactivity Timer' parameter (see Configuring Web Session and Access Settings). These users can log in to the Web interface again only if their status is changed (to New or Valid) by a Security Administrator or Master.

Note:

The Inactivity option is applicable only to Administrator and Monitor users; Security Administrator and Master users can be inactive indefinitely.
If there is only one Security Administrator user, you cannot configure it to Inactivity; at least one Security Administrator must be Valid.
For security, it is recommended to set the status of a newly added user to New in order to enforce password change.
If you have configured LDAP or RADIUS based user authentication, users in the Local Users table whose 'Status' is New are blocked from logging into the device.

Security

'Password Age' (CLI: password-age; ini: [WebUsers_PwAgeInterval])

Defines the validity duration (in days) of the password. When this duration elapses (i.e., the password expires), the user is prompted at the next login attempt to change the password and then log in with the new password; otherwise, access to the Web interface is blocked.

The valid value is 0 to 10000, where 0 means that the password is always valid. The default is 90.

Note: After logging in with your new password, you must save your settings, by clicking the Save button on the Web interface's toolbar. If not, the next time you attempt to log in, you will be prompted again to change the expired password.

'Web Session Limit' (CLI: session-limit; ini: [WebUsers_SessionLimit])

Defines the maximum number of concurrent Web interface and REST sessions allowed for the specific user account from different management stations / computers (IP addresses) or different Web browsers.

For example, if configured to 2, the user account can be logged into the device’s Web interface (i.e., same username-password combination) from two different management stations (i.e., IP addresses), or from two different Web browsers (e.g., Google Chrome and Microsoft Edge) at the same time.

Once the user logs into the device, the session is active until the user logs off or until the session expires if the user is inactive for a user-defined duration (see the 'Web Session Timeout' parameter below).

The valid value is 0 to 5. The default is 5. A value of 0 means that no sessions are allowed (see note below regarding REST).

Note:

If you configure the parameter, when you click Apply you're automatically logged out of the Web session (and can log in again if configured to any value other than 0).
Closing the Web browser's window (by clicking the window's x button) doesn't end the session. Therefore, whenever you finish using the Web interface, it's recommended to log out of the Web interface to end your session.
If the number of concurrently logged-in users is at maximum, the device allows an additional user to log in through REST.

'CLI Session Limit' (CLI: cli-session-limit; ini: [WebUsers_CliSessionLimit])

Defines the maximum number of concurrent CLI sessions allowed for the specific user. For example, if configured to 2, the same user account can be logged into the device’s CLI (i.e., same username-password combination) from two different management stations (i.e., IP addresses) at any one time. Once the user logs in, the session is active until the user logs off or until the session expires if the user is inactive for a user-defined duration (see the 'Web Session Timeout' parameter below).

The valid value is -1, or 0 to 100. The default is -1, which means that the limit is according to the global parameters, 'Maximum Telnet Sessions' (TelnetMaxSessions) or 'Maximum SSH Sessions' (SSHMaxSessions).

'Web Session Timeout' (CLI: session-timeout; ini: [WebUsers_SessionTimeout])

Defines the duration (in minutes) of inactivity of a logged-in user in the Web interface, after which the user is automatically logged off the Web session. In other words, the session expires when the user has not performed any operations (activities) in the Web interface for the configured timeout duration.

The valid value is 0 to 100000. A value of 0 means no timeout. The default value is according to the setting of the WebSessionTimeout global parameter (see Configuring Web Session and Access Settings).

'Block Duration' (CLI: block-duration; ini: [WebUsers_BlockTime])

Defines the duration (in seconds) for which the user is blocked after exceeding the maximum number of allowed failed login attempts, which is configured by the global parameter 'Deny Access On Fail Count' [DenyAccessOnFailCount] (see Configuring Web Session and Access Settings).

The valid value is 0 to 100000, where 0 means that the user is never blocked, regardless of the number of failed login attempts. The default is according to the setting of the global parameter 'Deny Authentication Timer' [DenyAuthenticationTimer] (see Configuring Web Session and Access Settings).

Note: The 'Deny Authentication Timer' parameter relates only to failed Web logins from specific IP addresses (management stations); it configures the interval (in seconds) that a user must wait before logging in to the device again from the same IP address after reaching the maximum number of failed login attempts.
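The 'Status', 'Block Duration' and 'Password Age' parameters above interact at login time: a wrong password past the 'Deny Access on Fail Count' threshold moves an account to Failed Login until 'Block Duration' elapses (or until a privileged user resets the status), Administrator and Monitor accounts that are idle past the 'User Inactivity Timer' move to Inactivity and stay there until reset, while Security Administrator and Master accounts never do, and an expired password forces a change even for an otherwise Valid account. The following Python model walks through those transitions; it is an added illustration written for this page, not AudioCodes code. The state names and parameter names are the page's; the class and method names, seconds as the time unit, the reading of "exceed" as "more failures than the configured count", and the return to Valid once a forced password change completes are my assumptions, and the policy values are constructed.

```python
"""Model of per-user login status, lockout, inactivity and password ageing.

Added example, not AudioCodes code. Names, time units and the exact
comparison used for the failure threshold are assumptions; the states and
rules are the ones described for the 'Status', 'Block Duration' and
'Password Age' parameters.
"""

from dataclasses import dataclass

DAY = 86400  # seconds
MONITOR, ADMINISTRATOR, SECURITY_ADMIN, MASTER = 50, 100, 200, 220
PRIVILEGED = (SECURITY_ADMIN, MASTER)  # exempt from Inactivity; may reset statuses


@dataclass
class Policy:
    """Global settings the table refers to (constructed values)."""
    deny_access_on_fail_count: int = 3   # 'Deny Access on Fail Count'
    user_inactivity_days: int = 90       # 'User Inactivity Timer'


@dataclass
class LocalUser:
    name: str
    password: str
    level: int
    status: str = "New"             # New | Valid | Failed Login | Inactivity
    block_duration: int = 60        # 'Block Duration' in seconds; 0 = never blocked
    password_age_days: int = 90     # 'Password Age' in days; 0 = password always valid
    password_set_at: float = 0.0
    last_access: float = 0.0
    failed_attempts: int = 0
    blocked_until: float = 0.0

    def attempt_login(self, password: str, now: float, policy: Policy) -> str:
        """Outcome of one Web-interface login attempt at time `now` (seconds)."""
        # Inactivity is applied only to Administrator and Monitor accounts.
        if (self.level not in PRIVILEGED and policy.user_inactivity_days
                and self.status in ("New", "Valid")
                and now - self.last_access >= policy.user_inactivity_days * DAY):
            self.status = "Inactivity"
        if self.status == "Inactivity":
            return "denied: inactive, status must be reset by a Security Administrator or Master"
        if self.status == "Failed Login" and now < self.blocked_until:
            return "denied: blocked"
        if password != self.password:
            self.failed_attempts += 1
            # Assumption: the block starts once failures exceed the configured count.
            if self.block_duration and self.failed_attempts > policy.deny_access_on_fail_count:
                self.status = "Failed Login"
                self.blocked_until = now + self.block_duration
                self.failed_attempts = 0
            return "denied: bad password"
        self.failed_attempts = 0
        self.last_access = now
        if self.status == "New":
            return "password change required"
        if self.password_age_days and now - self.password_set_at >= self.password_age_days * DAY:
            return "password change required: password expired"
        return "ok"

    def change_password(self, new_password: str, now: float) -> None:
        """The user completes the prompted password change."""
        self.password = new_password
        self.password_set_at = now
        if self.status == "New":
            self.status = "Valid"  # assumption: the forced change ends the New state

    def set_status(self, actor_level: int, new_status: str) -> bool:
        """Manual reset to New or Valid; allowed for Security Administrator and Master only."""
        if actor_level not in PRIVILEGED or new_status not in ("New", "Valid"):
            return False
        self.status = new_status
        self.failed_attempts = 0
        self.blocked_until = 0.0
        return True
```

Running the scenario in the test below shows why the page recommends creating accounts in the New state and why Security Administrator accounts deserve a finite 'Password Age': inactivity never removes them, so password expiry is the only time-based control that still applies to them.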