12.5.5. Configuring UserGate console access control

Console access control is configured at the settings administrators level. This section describes how to configure account security settings, administrator accounts, and administrator profiles.

12.5.5.1. General access settings

In this section, you can configure additional security options for administrator accounts. This is configured at the settings administrators general level.

To change the settings, use the following command:

Admin@UGOS# set settings administrators general

Add the parameters you want to change:

  • password: change the current administrator password.

  • unblock: unblock an administrator account that has been blocked.

  • strong-password: require a strong password (on or off).

  • num-auth-attempts: maximum number of incorrect authentication attempts.

  • block-time: time for which the account is blocked once the administrator reaches the maximum number of authentication attempts (in seconds; max value: 3600).

  • min-length: minimum password length (max value: 100).

  • min-uppercase: minimum number of uppercase characters (max value: 100).

  • min-lowercase: minimum number of lowercase characters (max value: 100).

  • min-digits: minimum number of digits (max value: 100).

  • min-special-characters: minimum number of special characters (max value: 100).

  • max-characters-repetition: maximum length of a run of the same character repeated consecutively (max value: 100).

To view the current security settings for administrator accounts, use the following command:

Admin@UGOS# show settings administrators general
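The password rules and the lockout counter above, worked through as an added Python example (not UserGate code): password_violations reports which of the listed rules a candidate password fails, and LockoutTracker models num-auth-attempts, block-time and unblock. The default values, and the reading of max-characters-repetition as the longest run of one repeated character, are assumptions.

```python
import re
from dataclasses import dataclass, field

# Defaults mirror the 'set settings administrators general' parameters (assumed values).
DEFAULT_POLICY = {"strong-password": True, "min-length": 12, "min-uppercase": 1,
                  "min-lowercase": 1, "min-digits": 1, "min-special-characters": 1,
                  "max-characters-repetition": 3}

def password_violations(password: str, policy: dict = DEFAULT_POLICY) -> list:
    """Names of the rules the password fails; an empty list means it is compliant."""
    if not policy["strong-password"]:          # strong-password off: nothing is enforced
        return []
    have = {
        "min-length": len(password),
        "min-uppercase": sum(c.isupper() for c in password),
        "min-lowercase": sum(c.islower() for c in password),
        "min-digits": sum(c.isdigit() for c in password),
        "min-special-characters": sum(not c.isalnum() for c in password),
    }
    failed = [rule for rule, count in have.items() if count < policy[rule]]
    # Longest run of one repeated character ("aaaa" -> 4); assumed reading of the parameter.
    longest = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", password)), default=0)
    if longest > policy["max-characters-repetition"]:
        failed.append("max-characters-repetition")
    return failed

@dataclass
class LockoutTracker:
    """Counts failed logins per administrator; record_failure() returns True once the login
    is blocked, and the block lasts block_time seconds (the page caps that at 3600)."""
    num_auth_attempts: int = 5
    block_time: int = 600
    failures: dict = field(default_factory=dict)        # login -> consecutive failures
    blocked_until: dict = field(default_factory=dict)   # login -> timestamp the block ends

    def is_blocked(self, login: str, now: float) -> bool:
        return self.blocked_until.get(login, 0.0) > now

    def record_failure(self, login: str, now: float) -> bool:
        if not self.is_blocked(login, now):
            self.failures[login] = self.failures.get(login, 0) + 1
            if self.failures[login] >= self.num_auth_attempts:
                self.blocked_until[login] = now + self.block_time   # lockout window starts now
                self.failures[login] = 0
        return self.is_blocked(login, now)

    def unblock(self, login: str) -> None:     # counterpart of the 'unblock' parameter
        self.blocked_until.pop(login, None)
        self.failures.pop(login, None)
```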

12.5.5.2. Configuring administrator accounts

You configure administrator accounts at the settings administrators administrators level.

To create an administrator account, use the following command:

Admin@UGOS# create settings administrators administrators

Specify the administrator account type (local, LDAP user, LDAP group, with auth profile) and the respective parameters:

local: add a local administrator:

  • enabled: enable/disable an administrator account:

    • on.

    • off.

  • login: administrator login name.

  • description: administrator account description.

  • admin-profile: administrator profile. For more details about creating administrator profiles, see below.

  • password: administrator password.

ldap-user: add a user from an existing domain (the LDAP connector must be configured correctly; for more details, see the section Configuring LDAP connectors):

  • enabled: enable/disable an administrator account:

    • on.

    • off.

  • ldap-login: administrator login name. When providing this parameter, use the following command structure:

    Admin@UGOS# create settings administrators administrators ldap-user ... ldap-login connector <ldap-connector-name> user <domain\user> ...

  • description: administrator account description.

  • admin-profile: administrator profile. For more details about creating administrator profiles, see below.

ldap-group: add a user group from an existing domain (the LDAP connector must be configured correctly; for more details, see the section Configuring LDAP connectors):

  • enabled: enable/disable an administrator account:

    • on.

    • off.

  • ldap-login: administrator login name. When providing this parameter, use the following command structure:

    Admin@UGOS# create settings administrators administrators ldap-group ... ldap-login connector <ldap-connector-name> group <domain\group> ...

  • description: administrator account description.

  • admin-profile: administrator profile. For more details about creating administrator profiles, see below.

admin-auth-profile: add an administrator with an auth profile (the auth servers must be configured correctly; for more details, see the section Configuring authentication servers):

  • enabled: enable/disable an administrator account:

    • on.

    • off.

  • login: administrator login name.

  • description: administrator account description.

  • admin-profile: administrator profile. For more details about creating administrator profiles, see below.

  • auth-profile: select an auth profile from those created earlier; for more details about auth profiles, see the section Configuring authentication profiles.

To update administrator account settings, use the following command (the parameters are the same as for creating an administrator account):

Admin@UGOS# set settings administrators administrators <admin-type> <admin-login>

To delete an account, use the following command:

Admin@UGOS# delete settings administrators administrators <admin-type> <admin-login>

To display information about all administrator accounts, use the following command:

Admin@UGOS# show settings administrators administrators

To display information about an individual administrator account, use the following command:

Admin@UGOS# show settings administrators administrators <admin-type> <admin-login>

12.5.5.3. Configuring permissions for administrator profiles

You set up permissions for administrator profiles at the settings administrators admin-profiles level.

To create an administrator profile, use the following command:

Admin@UGOS# create settings administrators admin-profiles

Provide the following parameters:

name: administrator profile name.

description: administrator profile description.

api-permissions: API permissions:

  • no-access: no access.

  • read: read-only.

  • readwrite: read and write.

You can assign rights to all or individual objects:

Admin@UGOS# create settings administrators admin-profiles ... api-permissions <permission> all

or

Admin@UGOS# create settings administrators admin-profiles ... api-permissions <permission> [ object ... ]

webui-permissions: UserGate web interface permissions:

  • no-access: no access.

  • read: read-only.

  • readwrite: read and write.

You can assign rights to all or individual objects:

Admin@UGOS# create settings administrators admin-profiles ... webui-permissions <permission> all

or

Admin@UGOS# create settings administrators admin-profiles ... webui-permissions <permission> [ object ... ]

cli-permissions: command line interface permissions:

  • no-access: no access.

  • read: read-only.

  • readwrite: read and write.

You can assign rights to all or individual objects:

Admin@UGOS# create settings administrators admin-profiles ... cli-permissions <permission> all

or

Admin@UGOS# create settings administrators admin-profiles ... cli-permissions <permission> [ object ... ]

To update the profile, use the following command (the parameters are the same as for creating an administrator profile):

Admin@UGOS# set settings administrators admin-profiles <profile-name>

To delete an administrator profile, use the following command:

Admin@UGOS# delete settings administrators admin-profiles <profile-name>

To view information about all administrator profiles, use the following command:

Admin@UGOS# show settings administrators admin-profiles

To display information about a specific profile, use the following command:

Admin@UGOS# show settings administrators admin-profiles <profile-name>
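An added Python model of the profile permission table above (example code, not UserGate's implementation): the three permission levels, the three interfaces, rules granted to all objects or to named objects, and a helper that lists every readwrite grant for a least-privilege review of a profile. That an object-specific rule overrides the all rule, and that an interface with no rule at all means no access, are assumptions.

```python
from enum import IntEnum


class Permission(IntEnum):
    """The three permission levels the page lists for api/webui/cli permissions."""
    NO_ACCESS = 0
    READ = 1
    READWRITE = 2


# CLI keywords from the page mapped onto the enum.
KEYWORDS = {"no-access": Permission.NO_ACCESS, "read": Permission.READ,
            "readwrite": Permission.READWRITE}
INTERFACES = ("api", "webui", "cli")


class AdminProfile:
    """Permission rules per interface. Assumption: an object-specific rule overrides the
    'all' rule, and an interface with no rule at all is treated as no-access."""

    def __init__(self, name: str, description: str = ""):
        self.name = name
        self.description = description
        self.rules = {iface: {} for iface in INTERFACES}   # object name -> Permission

    def grant(self, interface: str, keyword: str, objects=("all",)) -> None:
        """Mirror of '<interface>-permissions <permission> all | [ object ... ]'."""
        if interface not in INTERFACES or keyword not in KEYWORDS:
            raise ValueError(f"unknown interface or permission: {interface} {keyword}")
        for obj in objects:
            self.rules[interface][obj] = KEYWORDS[keyword]

    def permission(self, interface: str, obj: str) -> Permission:
        rules = self.rules[interface]
        return rules.get(obj, rules.get("all", Permission.NO_ACCESS))

    def allows(self, interface: str, obj: str, write: bool = False) -> bool:
        needed = Permission.READWRITE if write else Permission.READ
        return self.permission(interface, obj) >= needed

    def readwrite_grants(self) -> list:
        """Every (interface, object) that may change configuration; review this list when
        checking that a profile is as narrow as the administrator's job requires."""
        return [(iface, obj) for iface in INTERFACES
                for obj, perm in self.rules[iface].items() if perm == Permission.READWRITE]
```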

12.5.5.4. Settings for administrator sessions

The following commands let you view the sessions of administrators who are signed in to the web console or the CLI, and close those sessions. This is done at the settings administrators sessions level.

To view administrator sessions on the current UserGate node, use the following command. To view an individual administrator's session, browse the list of IP addresses and select the address from which that administrator authenticated.

Admin@UGOS# show settings administrators sessions

To display sessions, you can use a filter:

  • ip: IP address from which the administrator was authorized.

  • source: where they were authorized: the CLI (cli), the web console (web), or an SSH connection (ssh).

  • admin-login: administrator name.

  • node: UserGate cluster node.

Admin@UGOS# show settings administrators sessions ( node <node-name> ip <session-ip> source <cli | web | ssh> admin-login <administrator-login> )

To close an administrator session, use the following command and select, from the list, the IP address from which the administrator was authorized.

Admin@UGOS# execute terminate settings administrators sessions

When closing administrator sessions, you can use a filter ( <filter> ). The available filter options are the same as for the show command.

Admin@UGOS# execute terminate settings administrators sessions ( node <node-name> ip <session-ip> source <cli | web | ssh> admin-login <administrator-login> )
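The session listing and filter above, as an added Python example (constructed sample sessions, not real UserGate output): filter_sessions applies the node/ip/source/admin-login filter, sessions_outside flags sessions from addresses outside the allowed management networks, and terminate_command renders the matching terminate filter line as a string. That every supplied filter field must match is an assumption about the CLI's behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminSession:
    node: str
    ip: str
    source: str          # "cli", "web" or "ssh", the values the page lists
    admin_login: str


# Constructed sample data standing in for 'show settings administrators sessions' output.
SAMPLE_SESSIONS = [
    AdminSession("node-1", "10.0.0.15", "web", "Admin"),
    AdminSession("node-1", "10.0.0.15", "ssh", "Admin"),
    AdminSession("node-2", "10.0.0.40", "cli", "auditor"),
    AdminSession("node-1", "203.0.113.7", "web", "Admin"),
]
FILTER_FIELDS = ("node", "ip", "source", "admin_login")


def filter_sessions(sessions, **criteria):
    """Assumed CLI filter semantics: every field given (node, ip, source, admin_login)
    must match; fields not given do not constrain the result."""
    unknown = set(criteria) - set(FILTER_FIELDS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    return [s for s in sessions
            if all(getattr(s, f) == v for f, v in criteria.items())]


def sessions_outside(sessions, management_networks):
    """Sessions whose source address lies outside every allowed management network:
    the ones to review and, if unexpected, close with 'execute terminate'."""
    nets = [ipaddress.ip_network(n) for n in management_networks]
    return [s for s in sessions
            if not any(ipaddress.ip_address(s.ip) in net for net in nets)]


def terminate_command(session):
    """Render the page's terminate filter line for one session (a string; nothing is run)."""
    return (f"execute terminate settings administrators sessions ( node {session.node} "
            f"ip {session.ip} source {session.source} admin-login {session.admin_login} )")
```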