Configuring Management User Accounts

The Local Users table lets you configure up to 20 management user accounts for the device's management interfaces (Web interface, CLI, and REST API).

You configure each user account with login credentials (username and password) and a management user level which defines the user's level of read and write privileges. The table below lists the different types of user levels.

Management User Levels

User Level

Numeric Representation in RADIUS

Privileges

Security Administrator

200

This user level has the following privileges:

Read-write to all Web pages.
Read-write (access) to the CLI's Basic mode and Privileged User mode (> enable).
Access to all the device's folders (e.g., /debug and /configuration) through SFTP.
Create all other user levels.

Note:

At least one Security Administrator user must exist.
Only the Security Administrator can create the first Master user. Once created, additional Master users can only be created or deleted by other Master users.

Master

220

This user level has the following privileges:

Read-write to all Web pages.
Read-write (access) to the CLI's Privileged User mode (> enable).
Create all user levels (including Security Administrators).
Delete all users except the last Security Administrator.
Create or delete Master users.
Access to all the device's folders (e.g., /debug and /configuration) through SFTP.

Note:

Only the Security Administrator can create the first Master user. Once created, additional Master users can only be created or deleted by other Master users.
If only one Master user exists, it can be deleted only by itself.

Administrator

100

This user level has the following privileges:

Read-write to all Web pages, except security-related pages (including Local Users table) where this user has read-only privileges.
Access to only the CLI's Basic User mode.

Monitor

50

This user level has the following privileges:

Read-only to all Web pages, except security-related pages (including Local Users table and Configuration Wizard) which are blocked to this user.
Access to only the CLI's Basic User mode.
Access blocked to the device's folders through SFTP.
Only Security Administrator and Master users can configure users in the Local Users table.
For privileges per user level for the device's REST API, refer to the document REST API for SBC-Gateway-MSBR Devices.
All users, regardless of user level, can change their login password (see Changing Your Login Password).
You can change the read-write and read-only privileges per Web page for Monitor, Administrator, and Security Administrator user levels. For more information, see Customizing Access Levels per Web Page.

The device provides the following two default user accounts:

Default User Accounts

User Level

Username
(case-sensitive)

Password
(case-sensitive)

Security Administrator

Admin

Admin

Monitor

User

User

For security, it's recommended that you change the default username and password of the default users.
To restore the device to the default users (with their default usernames and passwords), configure the [ResetWebPassword] parameter to [1]. All other configured accounts are deleted.
If you want to use the same Local Users table configuration for another device, before uploading this device's configuration file (.ini) to the other device, you must edit the file so that the passwords are in plain text.
If you modify any parameter in the Local Users table of an existing user or delete the user, and the user is currently logged into the device's management interface (i.e., active session), after clicking Apply the device immediately logs the user out of the management interface.
If you delete a user who is currently in an active Web session, the user is immediately logged off the device.
Web sessions capacity:
The device supports up to 10 concurrent Web interface sessions (regardless of which users are logged in). For example, if user "Sue" and user "Joe" are each currently running 5 sessions (i.e., a total of 10), no more Web sessions can be established with the device, by any user.
Up to five users can be concurrently logged in to the Web interface.
You can define the maximum number of concurrent Web interface (and REST) sessions allowed for a specific user, accessed from different management stations / computers (IP addresses) or different Web browsers. For more information, see the 'Web Session Limit' parameter below.
You can set the entire Web interface to read-only (regardless of Web user access levels), using the [DisableWebConfig] parameter (see Web and Telnet Parameters).
You can configure additional Web user accounts using a RADIUS server (see RADIUS Authentication).

The following procedure describes how to configure user accounts through the Web interface. You can also configure it through ini file [WebUsers] or CLI (configure system > user).

To configure management user accounts:
1. Open the Local Users table (Setup menu > Administration tab > Web & CLI folder > Local Users).
2. Click New; the following dialog box is displayed:

3. Configure a user account according to the parameters described in the table below.
4. Click Apply, and then save your settings to flash memory.

Local Users Table Parameter Descriptions

Parameter

Description

General

'Index'

[Index]

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'Username'

user

[Username]

Defines the Web user's username.

The valid value is a string of up to 40 alphanumeric characters, including the period ".", underscore "_", and hyphen "-" signs. It cannot contain spaces.

'Password'

password

[Password]

Defines the Web user's password.

The valid value is a string of 8 to 40 ASCII characters, and can't contain the following:

Wide characters
Spaces
Backslashes (\)

Note:

To enforce the use of strong passwords (password complexity), see the [EnforcePasswordComplexity] parameter.
To enforce password history policy so that users can't reuse any of their four previous (old) passwords, see the [CheckPasswordHistory] parameter.
For security, the password is not displayed in the Web interface or ini file. In the Web interface, passwords are displayed as dots when you enter the password and then once applied, they are displayed as an asterisk (*) in the table. In the ini file, they are displayed as an encrypted string.
To enforce obscured (encrypted) passwords when configuring the Local Users table through CLI, see the [CliObscuredPassword] parameter.
You can configure a list of weak passwords (in the Weak Passwords List table) and if the user's password also appears in this list, the device raises an SNMP alarm. For more information, see Detection of Weak Passwords.

'User Level'

privilege

[UserLevel]

Defines the user's access level.

Monitor = (Default) Read-only user. This user can only view Web pages and access to security-related pages is denied.
Administrator = Read/write privileges for all pages except security-related pages including the Local Users table where this user has read-only privileges.
Security Administrator = Full read/write privileges for all pages.
Master = Read/write privileges for all pages. This user also functions as a security administrator.

Note:

At least one Security Administrator must exist. You cannot delete the last remaining Security Administrator.
The first Master user can be added only by a Security Administrator user.
Additional Master users can be added, edited and deleted only by Master users.
If only one Master user exists, it can be deleted only by itself.
Master users can add, edit, and delete Security Administrators (except the last Security Administrator).
Only Security Administrator and Master users can add, edit, and delete Administrator and Monitor users.

'SSH Public Key'

public-key

[SSHPublicKey]

Defines a Secure Socket Shell (SSH) public key for RSA or ECDSA public-key authentication (PKI) of the remote user when logging into the device's CLI through SSH. Connection to the CLI is established only when a successful handshake with the user’s private key occurs.

The valid value is a string of up to 512 characters. By default, no value is defined.

Note:

For more information on SSH and for enabling SSH, see Enabling SSH with RSA Public Key for CLI.
To configure whether SSH public keys are optional or mandatory, use the [SSHRequirePublicKey] parameter.

'Status'

status

[Status]

Defines the status of the user.

New = (Default) The user is required to change the password upon the next login. When the user logs in to the Web interface or CLI, the user is immediately prompted to change the current password (see the figure for the 'Password Age' parameter below).
Valid = User can log in to the Web interface as normal.
Failed Login = The state is automatically set for users that exceed a user-defined number of failed login attempts, set by the 'Deny Access on Fail Count' parameter (see Configuring Web Session and Access Settings). These users can log in only after a user-defined timeout configured by the 'Block Duration' parameter (see below) or if their status is changed (to New or Valid) by a Security Administrator or Master.
Inactivity = The state is automatically set for users that have not accessed the Web interface for a user-defined number of days, configured by the 'User Inactivity Timer' parameter (see Configuring Web Session and Access Settings). These users can only log in to the Web interface if their status is changed (to New or Valid) by a System Administrator or Master.

Note:

The Inactivity option is applicable only to Administrator and Monitor users; Security Administrator and Master users can be inactive indefinitely.
If there is only one Security Administrator user, you cannot configure it to Inactivity; at least one Security Administrator must be Valid.
For security, it is recommended to configure the status of a newly added user to New in order to enforce password change.
If you have configured LDAP- or RADIUS-based user authentication, users in the Local Users table whose 'Status' is New are blocked from logging into the device.

Security

'Password Age'

password-age

[PwAgeInterval]

Defines the duration (in days) of the validity of the password. When the duration elapses (i.e., password expires), when attempting to log in, the user is prompted to change the password (shown below), and then log in with the new password; otherwise, access to the Web interface is blocked.

The valid value is 0 to 10000, where 0 means that the password is always valid. The default is 90.

Note: After logging in with your new password, you must save your settings, by clicking the Save button on the Web interface's toolbar. If not, the next time you attempt to log in, you will be prompted again to change the expired password.

'Web Session Limit'

session-limit

[SessionLimit]

Defines the maximum number of concurrent Web interface and REST sessions allowed for the specific user, from different management stations / computers (IP addresses) or different Web browsers.

For example, if configured to 2, the user account can be logged into the device’s Web interface (i.e., same username-password combination) from two different management stations (i.e., IP addresses), or from two different Web browsers (e.g., Google Chrome and Microsoft Edge) at the same time.

Once the user logs in to the device, the session is active until the user logs off or until the session expires if the user is inactive for a user-defined duration (see the 'Web Session Timeout' parameter below).

The valid value is 0 to 10. The default is 5. A value of 0 means that no sessions are allowed (see note below regarding REST).

Note:

If you configure the parameter, you're automatically logged out of the Web session (and can log in again if configured to any value other than 0) after you click Apply.
Closing the Web browser's window (by clicking the window's x button) doesn't end the session. Therefore, whenever you finish using the Web interface, it's recommended to log out of the Web interface to end your session.
If the number of concurrently logged-in users is at maximum, the device allows an additional user to log in through REST.

'CLI Session Limit'

cli-session-limit

[CliSessionLimit]

Defines the maximum number of concurrent CLI sessions allowed for the specific user. For example, if configured to 2, the same user account can be logged into the device’s CLI (i.e., same username-password combination) from two different management stations (i.e., IP addresses) at any one time. Once the user logs in, the session is active until the user logs off or until the session expires if the user is inactive for a user-defined duration (see the 'Web Session Timeout' parameter below).

The valid value is -1, or 0 to 100. The default is -1, which means that the limit is according to the global parameters, 'Maximum Telnet Sessions' (TelnetMaxSessions) or 'Maximum SSH Sessions' (SSHMaxSessions).

'Web Session Timeout'

session-timeout

[SessionTimeout]

Defines the duration (in minutes) of inactivity of a logged-in user in the Web interface, after which the user is automatically logged off the Web session. In other words, the session expires when the user has not performed any operations (activities) in the Web interface for the configured timeout duration.

The valid value is 0, or to 100000. A value of 0 means no timeout. The default value is according to the settings of the [WebSessionTimeout] global parameter (see Configuring Web Session and Access Settings).

'Block Duration'

block-duration

[BlockTime]

Defines the duration (in seconds) for which the user is blocked when the user exceeds the maximum number of allowed failed login attempts, configured by the global parameter, 'Deny Access On Fail Count' [DenyAccessOnFailCount] parameter (see Configuring Web Session and Access Settings).

The valid value is 0 to 100000, where 0 means that the user can do as many login failures without getting blocked. The default is according to the settings of the global parameter, 'Deny Authentication Timer' [DenyAuthenticationTimer] parameter (see Configuring Web Session and Access Settings).

Note: The 'Deny Authentication Timer' parameter relates only to failed Web logins from specific IP addresses (management stations), which configures the interval (in seconds) that the user needs to wait before logging into the device from the same IP address after reaching the maximum number of failed login attempts.