Q: for users logging through ToS templates, without entering their own username and passwords, how do we restrict their access rights?

A: There are two ways to do so:

1. through CLI settings, eg. using "client-bandwidth xx" and "client-timeout xx" commands. (see details).

2. through RADIUS profiles.The ToSxxx template still has an embedded user called demouser, in this case, you can create a RADIUS profiles (with the required settings) and apply it to demouser. (see reference).