ZyXEL Communications ISG50 User Manual
Chapter 44 User/Group
ISG50 User’s Guide
600
Note: The default admin account is always authenticated locally, regardless of the
authentication method setting. (See
for more information
about authentication methods.)
Ext-User Accounts
Set up an ext-user account if the user is authenticated by an external server and you want to set
up specific policies for this user in the ISG50. If you do not want to set up policies for this user, you
do not have to set up an ext-user account.
up specific policies for this user in the ISG50. If you do not want to set up policies for this user, you
do not have to set up an ext-user account.
All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If
the ISG50 tries to use the local database to authenticate an ext-user, the authentication attempt
always fails. (This is related to AAA servers and authentication methods, which are discussed in
the ISG50 tries to use the local database to authenticate an ext-user, the authentication attempt
always fails. (This is related to AAA servers and authentication methods, which are discussed in
, respectively.)
Note: If the ISG50 tries to authenticate an ext-user using the local database, the
attempt always fails.
Once an ext-user user has been authenticated, the ISG50 tries to get the user type (see
) from the external server. If the external server does not have the information, the
ISG50 sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the ISG50 checks the following
places, in order.
places, in order.
1
User account in the remote server.
2
User account (Ext-User) in the ISG50.
3
Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-
users) in the ISG50.
users) in the ISG50.
See
for a list of attributes and how to
set up the attributes in an external server.
Ext-Group-User Accounts
Ext-Group-User accounts work are similar to ext-user accounts but allow you to group users by
the value of the group membership attribute configured for the AD or LDAP server. See
the value of the group membership attribute configured for the AD or LDAP server. See
for more on the group membership attribute.
User Groups
User groups may consist of user accounts or other user groups. Use user groups when you want to
create the same rule for several user accounts, instead of creating separate rules for each one.
create the same rule for several user accounts, instead of creating separate rules for each one.
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.