Possibility to disable local admins and log in everywhere with Nebula account

nielsscheldeman

Security idea: why is the local admin on firewalls still enabled after they are joined on Nebula?

Why not only allow logging in on security appliances with a Nebula account, and maybe a local admin account as applied in site settings, with a randomly generated password per organization in Nebula?


I now always get a warning to enable 2FA on my appliances, but if the local admin were disabled, it would be better.


Comments

  • Zyxel_Melen (Zyxel Employee)

    Hi @nielsscheldeman

    To better discuss this idea, please allow me to separate it into two parts:

    1. Log in on Security appliances with Nebula account or site-wide admin with random password.
    2. Disable local admins.

    Let me start with part 2 first. If you are talking about the H series (I think so, of course, since the USG FLEX/ATP series doesn't enable the local admin when using Nebula mode), this is because the H series can be configured not just on Nebula but also on the local GUI. Because of that, creating an admin account is available on the local GUI. If you want to disable the default local admin account, you need to:

    1. Upgrade to V1.38.
    2. Create a new admin account.
    3. Access User & Authentication > User/Group > User > Local Administrator > edit admin.
    4. Disable it and save.

    Additionally, if you select Nebula mode via the start-up wizard, the local admin account will be applied in site settings with a password randomly generated per site, which might match the part 1 requirement.

    Zyxel Melen


  • nielsscheldeman

    Hello, thank you for your answer.

    I always select Nebula mode via Start-up wizard, but afterwards I load in my custom ROM and then it uses the password I used in the previous ROM. I think I created that ROM with a Firewall default set up in Nebula Mode.

    Is there a possibility to use Method 2 on a running firewall?

  • Zyxel_Melen (Zyxel Employee)

    Hi @nielsscheldeman

    Thanks for sharing your use case!

    May I know whether Method 2 means the disable-default-admin method that I mentioned?

    Zyxel Melen


  • nielsscheldeman

    Yes, I mean to disable the default admin. If I disable it, I get this message:

    image.png

    I only want to be able to use, for example, the "support" user locally with this randomly generated password per organization/site (I have 60 organizations):

    image.png

    On access points I can use this password, but on the firewall I get a "Login denied" with both the support and admin users when using the Nebula password.
