Reference13r1:General/Admin

From innovaphone wiki
Revision as of 10:39, 4 May 2022 by Slu (talk | contribs) (→‎Additional Administrator Accounts)

Parameters for the Administration access of the device are configured here.

Basic parameters

Device Name

The name of the device. This name is displayed in the browser as a title. It is also added to the product id sent with outgoing registrations. This way it is displayed e.g. on the registrations page of the PBX.

User/Password

The administrator account. This account can be used for telnet access (if configured) and for all password-protected pages of the web user interface. By default all pages except Administration/General/Info are password protected; the web server of the device can be configured to protect all pages. The password has to be entered twice.

The password cannot be left empty. If an empty password is entered, the password won't be changed. The length of the password is limited to 15 characters.

Automatic Logout after (min)

Require Certificate

If mutual TLS is used to log in, the device does not normally check that the trusted client certificate was issued to the user who is trying to log in.

For enhanced security the device can require that a trusted client certificate issued to the user is available to be able to login.

The following conditions must be met before enabling this feature:

  • A trusted client certificate with the associated private key must be available in the web browser’s certificate store.
  • The Subject Alternative Name in the certificate must correspond to the User ID entered at login.
  • The trusted client certificate issued to the user, or the CA certificate that signed the client certificate, must be added to the trust list in the device.
  • Mutual TLS authentication must be enabled.

IMPORTANT: Make sure that the correct certificate is installed before requiring a user certificate. If the correct certificate is not available, and mutual TLS authentication is enabled, it is not possible to access the device in any other way.
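Because a wrong or missing certificate locks the administrator out once the option is set, it pays to verify the two conditions the device will enforce before ticking "Require Certificate". The script below is an added example and not innovaphone's code: it builds a constructed test PKI with openssl, then checks a client certificate against a trust list (the certificate itself or its issuing CA, as the page describes) and compares its Subject Alternative Name entries with the User ID. The file names, the user name admin@example.com, and the choice of an exact string comparison between one SAN value and the User ID are assumptions for the demo; the device's own matching rule is not documented on this page.

```sh
#!/bin/sh
# Added example (not innovaphone's code): pre-flight check before enabling
# "Require Certificate". It tests the two conditions the device enforces:
#   1. the client certificate, or the CA that issued it, is in the trust list
#   2. a Subject Alternative Name of the certificate equals the User ID typed at login
# Assumptions: the trust list is a PEM bundle file; SAN vs. User ID is an exact
# string match of one SAN value; names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: one CA and one client certificate issued to admin@example.com.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Device CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  # The SAN carries the login name; a second entry shows that only one has to match.
  printf 'subjectAltName=email:admin@example.com,DNS:admin-pc.example.com\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/client.pem" >/dev/null 2>&1
  : > "$WORK/empty.pem"   # an empty trust list, for the negative case
}

# cert_sans CERT: print each SAN value of CERT on its own line without the type
# prefix ("email:", "DNS:", ...). Uses the text dump so it works with old OpenSSL.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/^[A-Za-z ]*://'
}

# check_client_cert CERT TRUSTLIST USERID: return 0 only if both conditions hold.
check_client_cert() {
  cert=$1; trust=$2; userid=$3
  # Condition 1: the certificate itself or its issuing CA is in the trust list.
  # -partial_chain lets a trusted leaf or intermediate terminate the chain, which
  # is the "certificate issued to the user OR the CA that signed it" rule.
  if ! openssl verify -partial_chain -CAfile "$trust" "$cert" >/dev/null 2>&1; then
    echo "REJECT: $cert does not chain to anything in $trust" >&2
    return 1
  fi
  # Condition 2: one SAN value must equal the User ID (exact match is an assumption).
  if ! cert_sans "$cert" | grep -qxF -- "$userid"; then
    echo "REJECT: no SAN in $cert equals '$userid' (SANs: $(cert_sans "$cert" | tr '\n' ' '))" >&2
    return 1
  fi
  return 0
}

# Demo run with the constructed PKI.
make_test_pki
check_client_cert "$WORK/client.pem" "$WORK/ca.pem" admin@example.com \
  && echo "ACCEPT: CA in trust list, SAN matches User ID"
check_client_cert "$WORK/client.pem" "$WORK/client.pem" admin@example.com \
  && echo "ACCEPT: client certificate itself in trust list"
check_client_cert "$WORK/client.pem" "$WORK/ca.pem" admin \
  || echo "(expected: bare User ID 'admin' is not a SAN value, login would fail)"
```

Run the check with the certificate exported from the browser's certificate store and the device's actual trust list (all CA and client certificates it contains, concatenated as PEM) and with the exact User ID you intend to type at the login prompt. Only when the check passes for at least one certificate that is installed together with its private key in the browser should the option be enabled; the negative case in the demo shows the lock-out situation the IMPORTANT note warns about.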

Disable Native Authentication

If this option is set, HTTP (native) authentication is not used and the form-based login is used whenever user authentication is required. Native authentication is disabled by default.

Additional Administrator Accounts

Additional user accounts. These user accounts can have viewer or full administrator privileges. The length of the password is limited to 15 characters.

Help URL

The URL to access the online help. By default a URL of "http://wiki.innovaphone.com/index.php?Title=Reference<major firmware version number>:<page name>" is used. This links to the online help pages in the Reference namespace of the innovaphone wiki.

For example, on a V9 device configure the following Help URL to link to a local wikitogo installation:

http://192.168.0.100:8081/index.php?Title=Reference9:

Delegated Authentication

From v8 on, devices can delegate the authentication of administrative users to an authentication server using Kerberos. To enable remote user authentication the device has to join the realm of an innovaphone Kerberos server. Delegated authentication can only be used with HTTPS.

Join realm

The server location of the realm has to be configured, first (see section "Authentication Servers").

Click "Join realm" and specify the username and password of an administrator in the target realm to add the device to the remote host database. This works only with innovaphone servers. If you want to authenticate users from a third-party server, set up cross-realm authentication.

Leave realm

An administrator username and password from the realm is needed to deregister from the realm and remove the device from the remote host database. If the server does not exist any longer the registration can be deleted manually.

Default user realm

This is the default Kerberos realm that shall be used if users log-in without specifying a realm.

\user -> example.com\user
user@ -> user@example.com

If no default user realm is configured, the Kerberos realm of the box is used. So the parameter is only needed if users and devices are members of different realms.

Disable local authentication

If this option is selected, only users from the Kerberos server are accepted. Logins using local administrator accounts will be rejected. Activating this feature together with the "Protect configuration at phone" option makes it impossible to make any changes on the phone.

Additional Kerberos encryption types

In addition to the default DES encryption type, the administrator can enable RC4 and AES. Single DES is considered broken and has been deprecated for Kerberos (RFC 6649), so AES should be enabled, and preferred, wherever the authentication server supports it.

Authentication Servers

The addresses of Kerberos servers have to be configured locally on each host or client device.

If there is no server configured for a realm, the device will try to locate it using DNS. The Kerberos server is looked up with the following SRV record:

_kerberos._udp.REALM  (e.g. _kerberos._udp.example.com)

Normally this should work for Windows servers in the LAN.

The Kerberos admin service for joining and leaving realms is located using:

_kpasswd._udp.REALM  (e.g. _kpasswd._udp.example.com)

Debugging

If you have trouble, set config add CMD0 /kerberos-trace (and activate it) on the device you are trying to log in to. On the Kerberos server (if it is an innovaphone box), you can set the Kerberos Server check marks in Maintenance/Diagnostics/Logging and Maintenance/Diagnostics/Tracing. Also keep in mind that Kerberos-based authentication is only available with HTTPS.