Howto:How to configure Kerberos using commands: Difference between revisions
Jump to navigation
Jump to search
(New page: == Summary == You can use the following commands to configure devices to use Kerberos for authentication. == Applies To == * all innovaphone Gateways * firmware V8 and later == More Inform...) |
|||
| (16 intermediate revisions by 4 users not shown) | |||
| Line 2: | Line 2: | ||
You can use the following commands to configure devices to use Kerberos for authentication. | You can use the following commands to configure devices to use Kerberos for authentication. | ||
== Applies To == | == Applies To == | ||
* all innovaphone | * all innovaphone devices | ||
* firmware V8 and later | * firmware V8 and later | ||
== More Information == | == More Information == | ||
=== Client Configuration === | === Client Configuration === | ||
==== Configure | ==== Configure Server Addresses ==== | ||
vars create KDC/<REALM-NAME> p udp:<SERVER-ADDRESS>:88:464 | vars create KDC/<REALM-NAME> p udp:<SERVER-ADDRESS>:88:464 | ||
or | |||
vars create KDC/<REALM-NAME> p udp:<PRIMARY-SERVER-ADDRESS>:88:464,udp:<SECONDARY-SERVER-ADDRESS>:88:464 | |||
==== Join a realm ==== | ==== Join a realm ==== | ||
mod cmd CMD0 join-realm /realm <REALM-NAME> [/name <DEVICE-ID>] /user <ADMIN-NAME> /pass <ADMIN-PASSWORD> | mod cmd CMD0 join-realm /realm <REALM-NAME> [/name <DEVICE-ID>] /user <ADMIN-NAME> /pass <ADMIN-PASSWORD> | ||
The parameter <nowiki>/name <DEVICE-ID></nowiki> can be omitted and the added device will use an own HW-ID instead. | |||
=== Automated Client Configuration (V8 Hotfix8 and later) === | |||
Alternatively the steps above can be automated by writing the parameters to the var <code>CMD0/KCMD</code> and restarting the box. After restart the box will continuously try to join the realm until success. | |||
The format of the XML is like follows: | |||
<code xml> | |||
<join realm="..." host="..." user="..." password="..." disable-local="..." force="..."> | |||
<server realm="..." address="..." port="..." secondary-address="..." secondary-port="..."/> | |||
</join> | |||
</code> | |||
* '''join''' | |||
** '''realm:''' The realm to join | |||
** '''host:''' The host name for the box (optional, otherwise the hardware id will be used) | |||
** '''user:''' Admin user name from the Kerberos server | |||
** '''password:''' Admin password from the Kerberos server | |||
** '''disable-local:''' tells if the local accounts shall be disabled (true or false, optional, defaulting to false) | |||
** '''default-realm:''' The default realm for user authentication (optional, from v10) | |||
** '''force:''' tells if an existing realm membership shall be discarded (true or false, optional, defaulting to false) | |||
** '''server:''' This is a list of kerberos realms with their servers (that is, the <code>server</code> tag my appear multiple times). It will be copied in to the list of kerberos servers in [[Reference10:General/Admin#Authentication_Servers|General/Admin/Authentication Servers]]. If kerberos servers are known via DNS, it may be ommitted | |||
*** '''realm:''' The realm of the Kerberos server | |||
*** '''address:''' The address of the primary Kerberos server | |||
*** '''port:''' The port of the primary Kerberos server (optional, defaulting to 88) | |||
*** '''secondary-address:''' The address of the secondary Kerberos server (optional) | |||
*** '''secondary-port:''' The port of the secondary Kerberos server (optional, defaulting to 88) | |||
For writing the XML to the VAR all line breaks have to be removed and all spaces have to be replaced by plus signs. | |||
<code xml>vars create CMD0/KCMD p <join+realm="REALM"+user="admin"+password="secret"+default-realm="REALM"+disable-local="true"+force="true"><server+realm="REALM"+address="172.16.17.1"/></join></code> | |||
== Known Problems == | |||
If you use special character in the password you have to use URL-Encoding. http://en.wikipedia.org/wiki/URL-Encoding. | |||
=== Example === | |||
mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test# | |||
URL-Encode | |||
mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test%23 | |||
Latest revision as of 16:03, 26 April 2013
Summary
You can use the following commands to configure devices to use Kerberos for authentication.
Applies To
- all innovaphone devices
- firmware V8 and later
More Information
Client Configuration
Configure Server Addresses
vars create KDC/<REALM-NAME> p udp:<SERVER-ADDRESS>:88:464
or
vars create KDC/<REALM-NAME> p udp:<PRIMARY-SERVER-ADDRESS>:88:464,udp:<SECONDARY-SERVER-ADDRESS>:88:464
Join a realm
mod cmd CMD0 join-realm /realm <REALM-NAME> [/name <DEVICE-ID>] /user <ADMIN-NAME> /pass <ADMIN-PASSWORD>
The parameter /name <DEVICE-ID> can be omitted and the added device will use an own HW-ID instead.
Automated Client Configuration (V8 Hotfix8 and later)
Alternatively the steps above can be automated by writing the parameters to the var CMD0/KCMD and restarting the box. After restart the box will continuously try to join the realm until success.
The format of the XML is like follows:
<join realm="..." host="..." user="..." password="..." disable-local="..." force="...">
<server realm="..." address="..." port="..." secondary-address="..." secondary-port="..."/>
</join>
- join
- realm: The realm to join
- host: The host name for the box (optional, otherwise the hardware id will be used)
- user: Admin user name from the Kerberos server
- password: Admin password from the Kerberos server
- disable-local: tells if the local accounts shall be disabled (true or false, optional, defaulting to false)
- default-realm: The default realm for user authentication (optional, from v10)
- force: tells if an existing realm membership shall be discarded (true or false, optional, defaulting to false)
- server: This is a list of kerberos realms with their servers (that is, the
servertag my appear multiple times). It will be copied in to the list of kerberos servers in General/Admin/Authentication Servers. If kerberos servers are known via DNS, it may be ommitted- realm: The realm of the Kerberos server
- address: The address of the primary Kerberos server
- port: The port of the primary Kerberos server (optional, defaulting to 88)
- secondary-address: The address of the secondary Kerberos server (optional)
- secondary-port: The port of the secondary Kerberos server (optional, defaulting to 88)
For writing the XML to the VAR all line breaks have to be removed and all spaces have to be replaced by plus signs.
vars create CMD0/KCMD p <join+realm="REALM"+user="admin"+password="secret"+default-realm="REALM"+disable-local="true"+force="true"><server+realm="REALM"+address="172.16.17.1"/></join>
Known Problems
If you use special character in the password you have to use URL-Encoding. http://en.wikipedia.org/wiki/URL-Encoding.
Example
mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test#
URL-Encode
mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test%23