    Configuring Web Settings

    The Web Settings allow you to set up what happens when a client connects to the device.

    Under Services > Web, you can configure the AirLink OS Web settings as shown below:

    WAN Access Settings

    The following settings can be configured for AirLink OS WAN access.

    | SETTING | DESCRIPTION | RANGE | DEFAULT |
    |---|---|---|---|
    | HTTP ACCESS | Configure HTTP AirLink OS WAN access | Enable, Disable, Redirect to HTTPS | Redirect to HTTPS (RECOMMENDED) |
    | HTTP PORT | Configure HTTP port for AirLink OS WAN access | 1 to 65535 | 80 |
    | HTTPS ACCESS | Configure HTTPS AirLink OS WAN access | Enable/Disable | Enable |
    | HTTPS PORT | Configure HTTPS port for AirLink OS WAN access | 1 to 65535 | 443 |
    | HTTPS CERTIFICATE | If using HTTPS, click to select and/or create a security certificate. See the Security Certificates documentation for how to create a PEM certificate. For HTTPS, only a certificate and private key are required. Certificate, private key and root can be used, but root will be ignored. Root-only certificates will not work. | N/A | N/A |
    | HSTS | HTTP Strict Transport Security | Off/On | On |

    Session Settings

    | SETTING | DESCRIPTION | RANGE | DEFAULT |
    |---|---|---|---|
    | SESSION IDLE TIMEOUT | The amount of idle time required before the user is automatically logged out and redirected to the login screen. | 1 to 1440 mins | 5 mins |
    | MAXIMUM LOGIN ATTEMPTS | The number of failed login attempts allowed before the user account is temporarily locked for the length of time specified in the UNLOCK TIME field. Disabling this feature is not recommended. | 0 (disabled) to 5 | 3 |
    | UNLOCK TIME | The length of time that the user account is locked after the maximum number of failed login attempts (configured in the MAXIMUM LOGIN ATTEMPTS field). | 1 to 3600 seconds (1 hour) | 120 seconds (2 minutes) |

    Remote Authentication Settings

    The following settings can be used to configure login using secure LDAP, RADIUS, and TACACS+ authentication schemes. This enables enterprise IT managers to centrally manage access to AirLink routers and produce an audit trail showing which users logged into specific devices and when.

    Note:

    • You can configure any or all of these schemes at the same time. When more than one scheme is configured, the authentication is successful if at least one of the schemes authenticates the user.

    • Successful authentication can take time. For example, if you have all three authentication schemes enabled, AirLink OS first attempts to reach the LDAP server. If it is unable to reach the LDAP server in the configured timeout period, it abandons the attempt and tries to reach the RADIUS server. If that server is unreachable after the timeout period, it then tries to reach the TACACS+ server. If none of the servers are reachable in the configured timeout periods, AirLink OS falls back to AirLink OS user name and password authentication.

    • AirLink OS uses LDAP, RADIUS, and TACACS+ only for user authentication, and any user they authenticate is granted administration rights to the AirLink router settings. Authorization is not configurable through these tools, so take care to ensure that every LDAP, RADIUS, and TACACS+ user who can authenticate is authorized to modify the device settings.
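
The fallback order in the note above, modelled as an added example (not Sierra Wireless code, and not behaviour verified on a device). The names `Scheme`, `authenticate` and `default_chain` and the 1-second response time are assumptions; the model follows the note's wording that one accepting scheme is enough and that local credentials are used when none of the servers is reachable.

```python
from dataclasses import dataclass

# Server behaviours in this model (constructed for the example).
UNREACHABLE, REJECT, ACCEPT = "unreachable", "reject", "accept"

@dataclass
class Scheme:
    name: str
    timeout_s: int        # TIMEOUT field: 1 to 60 seconds, default 30
    behaviour: str        # how the server responds in this scenario
    latency_s: int = 1    # assumed response time of a reachable server

def authenticate(chain, local_ok):
    """Try each enabled scheme in order; return (granted, decided_by, elapsed_s)."""
    elapsed = 0
    any_reachable = False
    for scheme in chain:
        if scheme.behaviour == UNREACHABLE:
            elapsed += scheme.timeout_s   # the whole timeout is spent waiting
            continue
        any_reachable = True
        elapsed += scheme.latency_s
        if scheme.behaviour == ACCEPT:    # one accepting scheme is enough
            return True, scheme.name, elapsed
    if not any_reachable:                 # note: fallback when no server is reachable
        return local_ok, "local", elapsed
    return False, None, elapsed

def default_chain(ldap, radius, tacacs, timeout_s=30):
    """LDAP, then RADIUS, then TACACS+, each with the same TIMEOUT value."""
    return [Scheme("LDAP", timeout_s, ldap),
            Scheme("RADIUS", timeout_s, radius),
            Scheme("TACACS+", timeout_s, tacacs)]

if __name__ == "__main__":
    scenarios = {
        "all servers down": (UNREACHABLE, UNREACHABLE, UNREACHABLE),
        "LDAP rejects, RADIUS accepts": (REJECT, ACCEPT, UNREACHABLE),
        "only RADIUS up, rejects": (UNREACHABLE, REJECT, UNREACHABLE),
    }
    for label, states in scenarios.items():
        print(label, "->", authenticate(default_chain(*states), local_ok=True))
```

With the default 30-second timeouts, a login attempted while all three servers are unreachable waits 90 seconds and is then decided by the local AirLink OS user name and password alone, so the local account needs the same password hygiene as the central directory.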

    To begin configuring an authentication client, click the desired field and then click CREATE.

    LDAP Client Settings

    This section enables the configuration of LDAP version 3 servers for use by the AirLink router to perform user authentication.

    The following settings can be used to configure LDAP authentication.

    | SETTING | DESCRIPTION | RANGE | DEFAULT |
    |---|---|---|---|
    | LABEL | Enter a name for your LDAP configuration. This will appear in the LDAP CLIENT field. | N/A | N/A |
    | SERVER | Required. LDAP server IP address or resolvable domain name. | N/A | N/A |
    | PORT | Port number | 1 to 65535 | 389 |
    | TIMEOUT | The time limit for the server to respond. Note: If the server does not respond during the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials. | 1 to 60 seconds | 30 seconds |
    | ENCRYPTION | Encryption type. Off - None. On - SSL (Secure Sockets Layer protocol), a non-standard legacy (pre-LDAPv3) encryption type. start_tls - Secure mechanism integrated into the LDAPv3 protocol (RECOMMENDED). | Off, On, start_tls | start_tls |
    | BASE DN | The Base DN is the path in the LDAP tree to the list of users (e.g. dc=sierrawireless,dc=com). This is where the LDAP protocol searches for a matching user to authenticate. | N/A | N/A |
    | BIND | Choose how the LDAP search is done. anonymous - A password is not required to perform requests in the database. explicit - A password is required to perform requests in the database. | anonymous, explicit | anonymous |
    | BIND DN | This field is available if you selected Explicit in the BIND field. The full path of the user authorized to perform requests in the LDAP. | N/A | N/A |
    | BIND PASSWORD | This field is available if you selected Explicit in the BIND field. Password associated with the Bind DN. | N/A | N/A |

    RADIUS Client

    This section enables the configuration of the Remote Authentication Dial In User Service (RADIUS) which uses UDP to perform user authentication with a shared key.

    The following settings can be used to configure RADIUS authentication.

    | SETTING | DESCRIPTION | RANGE | DEFAULT |
    |---|---|---|---|
    | LABEL | Enter a name for your RADIUS configuration. This will appear in the RADIUS CLIENT field. | N/A | N/A |
    | SERVER | Required. RADIUS server IP address or resolvable domain name. | N/A | N/A |
    | PORT | Port number | 1 to 65535 | 1812 |
    | TIMEOUT | The time limit for the server to respond. Note: If the server does not respond during the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials. | 1 to 60 seconds | 30 seconds |
    | SECRET | Shared secret for configured server | N/A | N/A |

    TACACS+ Client

    This section describes the configuration settings for Terminal Access Controller Access-Control System Plus (TACACS+) that uses the TCP protocol to authenticate users.

    The following settings can be used to configure TACACS+ authentication.

    | SETTING | DESCRIPTION | RANGE | DEFAULT |
    |---|---|---|---|
    | LABEL | Enter a name for your TACACS+ configuration. This will appear in the TACACS+ CLIENT field. | N/A | N/A |
    | SERVER | Required. TACACS+ server IP address or resolvable domain name. | N/A | N/A |
    | PORT | Port number | 1 to 65535 | 49 |
    | TIMEOUT | The time limit for the server to respond. Note: If the server does not respond during the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials. | 1 to 60 seconds | 30 seconds |
    | AUTHENTICATION PROTOCOL | Shared secret for configured server. PAP - Password Authentication Protocol. CHAP - Challenge Handshake Authentication Protocol; the stronger of the two protocols, recommended provided it is supported by all the client devices. Login - User name and password. | PAP, CHAP, Login | PAP |
    | SECRET | The type of bind used for authentication | N/A | N/A |

    This section allows you to define up to two messages on the login screen. The messages support markdown.

    Note: Any text shown on the login screen will be visible without authentication.

    | SETTING | DESCRIPTION |
    |---|---|
    | LEGAL TEXT INSIDE LOGIN ZONE | This will display the text inside the login zone under the SIGN IN button |
    | LEGAL TEXT OUTSIDE LOGIN ZONE | This will display the text outside the login zone |
