Chapter 29 Object
USG20(W)-VPN Series User’s Guide
Note: If the USG tries to authenticate an ext-user using the local database, the attempt always fails.
Once an ext-user user has been authenticated, the USG tries to get the user type (see ) from the external server. If the external server does not have the information, the USG sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the USG checks the following places, in order.
1. User account in the remote server.
2. User account (Ext-User) in the USG.
3. Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the USG.
See Setting up User Attributes in an External Server on page 469 for a list of attributes and how to set up the attributes in an external server.
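The lookup order above, modelled as an added Python example (not from the guide and not USG firmware code). The attribute key names `user_type` and `reauth_time`, the sample accounts and all values are constructed for illustration; the report shows where each effective value came from, so sessions that silently inherit a default account's settings stand out.

```python
# Added illustration: models the lookup order in the text; not USG firmware code.
# Key names (user_type, reauth_time) and all sample values are constructed.
DEFAULT_ACCOUNT = {"ad": "ad-users", "ldap": "ldap-users", "radius": "radius-users"}


def resolve_user_type(server_attrs):
    """The user type comes from the external server only; otherwise 'User'."""
    return server_attrs.get("user_type") or "User"


def resolve_attribute(name, session, usg_accounts):
    """Return (value, source) for one of the remaining attributes, checking in order."""
    default_name = DEFAULT_ACCOUNT[session["kind"]]
    places = [
        ("remote server", session["server_attrs"]),
        ("USG Ext-User account", usg_accounts.get(session["user"], {})),
        ("USG default account " + default_name, usg_accounts.get(default_name, {})),
    ]
    for source, attrs in places:
        if name in attrs:
            return attrs[name], source
    return None, "unset"


def audit(sessions, usg_accounts, name="reauth_time"):
    """One row per session, flagging values inherited from a default account."""
    rows = []
    for s in sessions:
        value, source = resolve_attribute(name, s, usg_accounts)
        rows.append({"user": s["user"], "user_type": resolve_user_type(s["server_attrs"]),
                     name: value, "source": source,
                     "inherited_default": source.startswith("USG default account")})
    return rows


# Constructed sample data: three authenticated ext-user sessions.
USG_ACCOUNTS = {"bob": {"reauth_time": 60}, "radius-users": {"reauth_time": 1440}}
SESSIONS = [
    {"user": "alice", "kind": "ldap", "server_attrs": {"user_type": "Admin", "reauth_time": 30}},
    {"user": "bob", "kind": "ad", "server_attrs": {}},
    {"user": "carol", "kind": "radius", "server_attrs": {}},
]

if __name__ == "__main__":
    for row in audit(SESSIONS, USG_ACCOUNTS):
        print(row)
```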
Ext-Group-User Accounts
Ext-Group-User accounts work similarly to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See
for more on the group membership attribute.
User Groups
User groups may consist of user accounts or other user groups. Use user groups when you want to
create the same rule for several user accounts, instead of creating separate rules for each one.
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
User Awareness
By default, users do not have to log into the USG to use the network services it provides. The USG
automatically routes packets for everyone. If you want to restrict network services that certain
users can use via the USG, you can require them to log in to the USG first. The USG is then ‘aware’
of the user who is logged in and you can create ‘user-aware policies’ that define what services they
can use. See
for a user-aware login example.
Finding Out More
for some information on users who use an external
authentication server in order to log in.
• The USG supports TTLS using PAP so you can use the USG’s local user database to authenticate
users with WPA or WPA2 instead of needing an external RADIUS server.