The Web Settings allow you to set up what happens when a client connects to the device.
Under Services > Web, you can configure the AirLink OS Web settings as shown below:
The following settings can be configured for AirLink OS WAN access.
SETTING | DESCRIPTION | RANGE | DEFAULT |
---|---|---|---|
HTTP ACCESS | Configure HTTP AirLink OS WAN access | Enable, Disable, Redirect to HTTPS | Redirect to HTTPS (RECOMMENDED) |
HTTP PORT | Configure HTTP port for AirLink OS WAN access | 1 to 65535 | 80 |
HTTPS ACCESS | Configure HTTPS AirLink OS WAN access | Enable/Disable | Enable |
HTTPS PORT | Configure HTTPS port for AirLink OS WAN access | 1 to 65535 | 443 |
HTTPS CERTIFICATE | If using HTTPS, click to select and/or create a security certificate. See the Security Certificates documentation on how to create a PEM certificate. For HTTPS, only a certificate and private key are required. A certificate, private key and root can be used, but the root will be ignored. Root-only certificates will not work. | N/A | N/A |
HSTS | HTTP Strict Transport Security | Off/On | On |
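The two settings that matter most in the table above are HTTP ACCESS = Redirect to HTTPS and HSTS = On. The following is an added example, not code from the page or from AirLink OS: an offline check that takes captured responses from a router's HTTP and HTTPS listeners and reports where they fall short of those settings. The responses and the 192.0.2.1 address are constructed samples; the function and finding texts are my own.

```python
# Added example (not AirLink OS code): offline audit of captured responses from a
# router web UI against the hardened Web settings (HTTP ACCESS set to
# Redirect to HTTPS, HSTS set to On). The responses below are constructed samples.
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 307, 308)

def parse_response(raw: str):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_http_listener(raw: str, expected_host: str, https_port: int = 443) -> list:
    """Findings for the plain-HTTP listener; an empty list means it redirects
    to the HTTPS listener on the expected host and port."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES:
        return [f"HTTP listener answered {status} instead of redirecting to HTTPS"]
    target = urlparse(headers.get("location", ""))
    findings = []
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {headers.get('location')!r}")
    if target.hostname != expected_host:
        findings.append(f"redirect leaves the device: host {target.hostname!r}")
    if (target.port or 443) != https_port:
        findings.append(f"redirect goes to port {target.port}, HTTPS PORT is {https_port}")
    return findings

def check_https_listener(raw: str) -> list:
    """Findings for the HTTPS listener: HSTS must be present with a positive max-age."""
    _status, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header: HSTS is Off"]
    directives = {}
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip('"')
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age <= 0:
        return [f"HSTS max-age is {directives.get('max-age')!r}; browsers will not remember HTTPS"]
    return []

# Constructed sample responses (192.0.2.1 is a documentation address, not a real device).
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://192.0.2.1/\r\n"
             "Content-Length: 0\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000\r\n"
              "Content-Type: text/html\r\n\r\n<html>login</html>")
WEAK_HTTP = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n\r\n<html>login</html>")
WEAK_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n\r\n<html>login</html>")

if __name__ == "__main__":
    for label, findings in [
        ("HTTP  (redirect)", check_http_listener(GOOD_HTTP, "192.0.2.1")),
        ("HTTPS (HSTS on)", check_https_listener(GOOD_HTTPS)),
        ("HTTP  (enabled)", check_http_listener(WEAK_HTTP, "192.0.2.1")),
        ("HTTPS (HSTS off)", check_https_listener(WEAK_HTTPS)),
    ]:
        print(label, "OK" if not findings else findings)
```

One caveat worth keeping in mind when reading the HSTS result: browsers apply Strict-Transport-Security to host names, not to IP literals, so HSTS only helps when the UI is reached by a name that the HTTPS certificate also covers.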
SETTING | DESCRIPTION | RANGE | DEFAULT |
---|---|---|---|
SESSION IDLE TIMEOUT | The amount of idle time required before the user is automatically logged out and redirected to the login screen. | 1 to 1440 mins | 5 mins |
MAXIMUM LOGIN ATTEMPTS | The number of failed login attempts allowed before the user account is temporarily locked for the length of time specified in the UNLOCK TIME field. Disabling this feature is not recommended. | 0 (disabled) to 5 | 3 |
UNLOCK TIME | The length of time that the user account stays locked after the maximum number of failed login attempts (configured in the MAXIMUM LOGIN ATTEMPTS field) has been reached. | 1 to 3600 seconds (1 hour) | 120 seconds (2 minutes) |
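The lockout behaviour described by MAXIMUM LOGIN ATTEMPTS and UNLOCK TIME is easier to reason about as a small state machine. The following is an added example, not AirLink OS code: a model of the per-account lock with the table's ranges and defaults, plus a helper that shows why the table recommends against setting MAXIMUM LOGIN ATTEMPTS to 0. The class, function names and event lists are my own constructions.

```python
# Added example (not AirLink OS code): a model of the MAXIMUM LOGIN ATTEMPTS /
# UNLOCK TIME settings for reasoning about how they throttle online password
# guessing and how long a wrongly locked administrator has to wait.
class LoginThrottle:
    """Per-account lockout: after max_attempts consecutive failures the account
    is locked for unlock_time seconds. max_attempts=0 disables lockout, which the
    settings table recommends against."""

    def __init__(self, max_attempts: int = 3, unlock_time: int = 120):
        # Ranges from the table: 0 (disabled) to 5 attempts, 1 to 3600 seconds.
        if not 0 <= max_attempts <= 5 or not 1 <= unlock_time <= 3600:
            raise ValueError("outside the configurable range")
        self.max_attempts = max_attempts
        self.unlock_time = unlock_time
        self.failures = 0
        self.locked_until = None

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now`; returns 'ok', 'failed' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"          # inside UNLOCK TIME: credentials are not even checked
            self.locked_until = None     # lock expired, the failure counter starts over
            self.failures = 0
        if password_ok:
            self.failures = 0            # a successful login clears earlier failures
            return "ok"
        self.failures += 1
        if self.max_attempts and self.failures >= self.max_attempts:
            self.locked_until = now + self.unlock_time
        return "failed"

def max_guesses_per_hour(max_attempts: int, unlock_time: int):
    """Upper bound on wrong passwords that can be submitted per hour against one
    account under these settings (None means unbounded, i.e. lockout disabled)."""
    if max_attempts == 0:
        return None
    return max_attempts * 3600 / unlock_time

def run(throttle: LoginThrottle, events) -> list:
    """events: (time_in_seconds, password_ok) pairs; returns the outcome of each."""
    return [throttle.attempt(ok, t) for t, ok in events]

if __name__ == "__main__":
    # Constructed sequence: three bad passwords, then the right one during the lock.
    print(run(LoginThrottle(), [(0, False), (1, False), (2, False), (3, True), (122, True)]))
    print(max_guesses_per_hour(3, 120))   # 90.0 with the defaults
    print(max_guesses_per_hour(0, 120))   # None: nothing slows guessing down
```

Because the lock is on the account rather than on the client, repeated bad attempts from anywhere keep the legitimate administrator out for UNLOCK TIME; the 120 second default keeps that bounded while still capping guessing at a few dozen attempts per hour.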
The following settings can be used to configure login using secure LDAP, RADIUS, and TACACS+ authentication schemes. This enables enterprise IT managers to centrally manage access to AirLink routers and produce an audit trail showing which users logged into specific devices and when.
Note:
You can configure any or all of these schemes at the same time. When more than one scheme is configured, the authentication is successful if at least one of the schemes authenticates the user.
Successful authentication can take time. For example, if you have all three authentication schemes enabled, AirLink OS first attempts to reach the LDAP server. If it is unable to reach the LDAP server in the configured timeout period, it abandons the attempt and tries to reach the RADIUS server. If that server is unreachable after the timeout period, it then tries to reach the TACACS+ server. If none of the servers are reachable in the configured timeout periods, AirLink OS falls back to AirLink OS user name and password authentication.
AirLink OS uses LDAP, RADIUS, and TACACS+ to provide user authentication, which grants a valid user administration rights to the AirLink router settings. Authorization is not configurable through these tools, so care should be taken to ensure that LDAP, RADIUS, and TACACS+ users are authorized to modify the device settings.
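The order and timeouts described above determine how long a login can take when servers are down. The following is an added example, not AirLink OS code: a model of that order (LDAP, then RADIUS, then TACACS+, then the local AirLink OS account) that follows the page's description and adds up the per-server TIMEOUT values. The Backend class, the `accepts` callbacks standing in for each server's verdict, the user names and passwords are all constructed for the model.

```python
# Added example (not AirLink OS code): a model of the login order described on
# the page, LDAP then RADIUS then TACACS+ then the local AirLink OS account,
# showing how the per-server TIMEOUT values add up before a user gets in.
from dataclasses import dataclass
from secrets import compare_digest
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Backend:
    name: str
    timeout: int                          # TIMEOUT field, 1 to 60 seconds
    reachable: bool                       # constructed: does the server answer at all?
    accepts: Callable[[str, str], bool]   # constructed stand-in for the server's verdict

def authenticate(user: str, password: str, backends: List[Backend],
                 local_users: Dict[str, str]) -> Tuple[Optional[str], int]:
    """Return (scheme that authenticated the user or None, seconds spent waiting).

    Follows the page's description: an unreachable server costs its full TIMEOUT
    and the next scheme is tried; a reachable server that rejects the user also
    moves on to the next scheme; local credentials are consulted only when no
    server could be reached.
    """
    waited = 0
    any_reachable = False
    for b in backends:
        if not b.reachable:
            waited += b.timeout
            continue
        any_reachable = True
        if b.accepts(user, password):
            return b.name, waited
    if not any_reachable:
        stored = local_users.get(user, "")
        if stored and compare_digest(stored, password):
            return "local", waited
    return None, waited

def worst_case_login_delay(backends: List[Backend]) -> int:
    """Seconds a user waits before local fallback when every server is down."""
    return sum(b.timeout for b in backends)

# Constructed scenario: LDAP and RADIUS are down, TACACS+ is up and knows alice.
BACKENDS = [
    Backend("LDAP", 30, False, lambda u, p: False),
    Backend("RADIUS", 30, False, lambda u, p: False),
    Backend("TACACS+", 30, True, lambda u, p: (u, p) == ("alice", "constructed-pw")),
]
ALL_DOWN = [Backend(b.name, b.timeout, False, b.accepts) for b in BACKENDS]
LOCAL_USERS = {"admin": "constructed-local-pw"}   # constructed; plaintext only for the model

if __name__ == "__main__":
    print(authenticate("alice", "constructed-pw", BACKENDS, LOCAL_USERS))        # ('TACACS+', 60)
    print(authenticate("admin", "constructed-local-pw", ALL_DOWN, LOCAL_USERS))  # ('local', 90)
    print(worst_case_login_delay(BACKENDS))                                      # 90
```

With the default 30 second TIMEOUT on all three schemes, an administrator whose directory servers are unreachable waits 90 seconds before the local account is even consulted; lowering the timeouts shortens that, at the cost of treating a slow server as absent. The `accepts` callback is also the whole authorization decision here, which is the point made above: whoever these servers accept gets administration rights.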
To begin configuring an authentication client, click the desired field and then click CREATE.
This section enables the configuration of LDAP version 3 servers for use by the AirLink router to perform user authentication.
The following settings can be used to configure LDAP authentication.
SETTING | DESCRIPTION | RANGE | DEFAULT |
---|---|---|---|
LABEL | Enter a name for your LDAP configuration. This will appear in the LDAP CLIENT field. | N/A | N/A |
SERVER | Required LDAP server IP address or resolvable domain name | N/A | N/A |
PORT | Port number | 1 to 65535 | 389 |
TIMEOUT | The time limit for the server to respond. | 1 to 60 seconds | 30 seconds |
ENCRYPTION | Encryption type. | | start_tls |
BASE DN | The Base DN is the path in the LDAP tree to the list of users (e.g. dc=sierrawireless,dc=com). This is where the LDAP protocol searches for a matching user to authenticate. | N/A | N/A |
BIND | Choose how the LDAP search is done. | | anonymous |
BIND DN | This field is available if you selected Explicit in the BIND field. The full path (DN) of the user authorized to perform requests in the LDAP directory. | N/A | N/A |
BIND PASSWORD | This field is available if you selected Explicit in the BIND field. Password associated with the BIND DN. | N/A | N/A |
This section enables the configuration of the Remote Authentication Dial In User Service (RADIUS) which uses UDP to perform user authentication with a shared key.
The following settings can be used to configure RADIUS authentication.
SETTING | DESCRIPTION | RANGE | DEFAULT |
---|---|---|---|
LABEL | Enter a name for your RADIUS configuration. This will appear in the RADIUS CLIENT field. | N/A | N/A |
SERVER | Required RADIUS server IP address or resolvable domain name | N/A | N/A |
PORT | Port number | 1 to 65535 | 1812 |
TIMEOUT | The time limit for the server to respond. Note: If the server does not respond within the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials. | 1 to 60 seconds | 30 seconds |
SECRET | Shared secret for configured server | N/A | N/A |
This section describes the configuration settings for Terminal Access Controller Access-Control System Plus (TACACS+) that uses the TCP protocol to authenticate users.
The following settings can be used to configure TACACS+ authentication.
SETTING | DESCRIPTION | RANGE | DEFAULT |
---|---|---|---|
LABEL | Enter a name for your TACACS+ configuration. This will appear in the TACACS+ CLIENT field. | N/A | N/A |
SERVER | Required TACACS+ server IP address or resolvable domain name | N/A | N/A |
PORT | Port number | 1 to 65535 | 49 |
TIMEOUT | The time limit for the server to respond. Note: If the server does not respond within the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials. | 1 to 60 seconds | 30 seconds |
AUTHENTICATION PROTOCOL | The authentication protocol used with the TACACS+ server. | | PAP |
SECRET | Shared secret for configured server | N/A | N/A |
This section allows you to define up to two messages on the login screen. The messages support markdown.
Note: Any text shown on the login screen will be visible without authentication.
SETTING | DESCRIPTION |
---|---|
LEGAL TEXT INSIDE LOGIN ZONE | This will display the text inside the login zone under the SIGN IN button |
LEGAL TEXT OUTSIDE LOGIN ZONE | This will display the text outside the login zone |
Example: