The Settings tab in the User Manager controls how the firewall authenticates users for the GUI and SSH.
- Session Timeout
This field specifies how long a GUI login session will last when idle. This value is specified in minutes, and the default is four hours (
240minutes). A value of
0may be entered to disable session expiration, making the login sessions valid forever. A shorter timeout is better, though it should be long enough that an active administrator would not be logged out unintentionally while making changes.
Allowing a session to stay valid when idle for long periods of time is insecure. If an administrator leaves a terminal unattended with a browser window open and logged in, someone or something else could take advantage of the open session.
- Authentication Server
This selector chooses the primary authentication source for users logging into the GUI. This can be a RADIUS or LDAP server, or the default Local Database.
If the RADIUS or LDAP server is unreachable, the authentication will fall back to Local Database even if another method is chosen.
- Password Hash Algorithm
Selects which algorithm the firewall will use when creating hashes for passwords in user manager accounts.
May be one of the following choices:
- bcrypt - Blowfish-based crypt
Secure password hashing with a crypt algorithm based on Blowfish. The most secure option currently available.
This hashing algorithm is restricted to a maximum password length of 72 characters.
- SHA-512 - SHA-512-based crypt
Secure password hashing with a crypt algorithm based on SHA-512. Weaker than bcrypt but still has an acceptable level of security in many environments.
Some users may prefer SHA-512-based crypt hashes for compatibility or compliance purposes.
- Shell Authentication
When set, the selected Authentication Server will also be configured as the authentication source for SSH access to the firewall. By default, only accounts in the User Manager with shell privileges can login over SSH.
This works with both RADIUS and LDAP servers, with some caveats:
- RADIUS Servers
When used with a RADIUS server, accounts must exist on the firewall with the same names and the expected privileges. They will authenticate against RADIUS but use the local accounts settings otherwise.
- LDAP Servers
When used with an LDAP server, the Shell Authentication Group DN must be set on the LDAP Authentication Server entry. Users must be a member of that group and have valid
posixAccountattributes in their LDAP account.
- Auth Refresh Time
Time in seconds for which the firewall cache authentication results. The default is
3600(one hour). Shorter times result in more frequent queries to authentication servers.
The firewall periodically re-authenticates users against the remote server to ensure the account is still valid and has the expected privileges. Checking frequently is more secure, but puts a larger burden on the authentication server and can increase page load times on the firewall.
Remote Authentication Servers and Privileges¶
When using a RADIUS or LDAP server to authentication for the GUI, the users and/or group memberships must be defined in the firewall in order to properly allocate permissions, as there is no method to obtain permissions dynamically from an authentication server.
For group membership to work properly, the firewall must be able to recognize the groups as presented by the authentication server. This requires two things:
The local groups must exist with identical names (Manage Local Groups).
The firewall must be able to locate or receive a list of groups from the authentication server.
See Authentication Servers for details specific to each type of authentication server.