Configuring Web Settings

The Web Settings allow you to setup what happens when a client connects to the device.

Under Services > Web, you can configure the AirLink OS Web settings as shown below:

Initializing Table Of Contents...

WAN Access Settings

The following settings can be configured for AirLink OS WAN access.

SETTING	DESCRIPTION	RANGE	DEFAULT
HTTP ACCESS	Configure HTTP AirLink OS WAN access	Enable, Disable, Redirect to HTTPS	Redirect to HTTPS (RECOMMENDED)
HTTP PORT	Configure HTTP port for Airlink OS WAN access	1 to 65535	80
HTTPS ACCESS	Configure HTTPS Airlink OS WAN access	Enable/Disable	Enable
HTTPS PORT	Configure HTTPS port for Airlink OS WAN access	1 to 65535	443
HTTPS CERTIFICATE	If using HTTPS, select and/or create a security certificate. See Security Certificates Documentation here on how to create a PEM certificate. For HTTPS, only a certificate and private key is required. Certificate, private key and root can be used, but root will be ignored. Root only certificates will not work.	N/A	N/A
HSTS	HTTP Strict Transport Security	Off/On	Off

Session Settings

SETTING	DESCRIPTION	RANGE	DEFAULT
SESSION IDLE TIMEOUT	The amount of idle time required before the user is automatically logged out and redirected to the login screen.	1 to 1440 mins	5 mins
MAXIMUM LOGIN ATTEMPTS	The number of failed login attempts allowed before the user account is temporarily locked for the length of time specified in the UNLOCK TIME field. Disabling this feature is not recommended.	0(disabled) to 5	3
UNLOCK TIME	The length of time that the user account is locked after the maximum number of failed login attempts MAXIMUM LOGIN ATTEMPTS.	1 to 3600 seconds (1 hour)	120 seconds (2 minutes)

Remote Authentication Settings

The following settings can be used to configure login using secure LDAP, RADIUS, and TACACS+ authentication schemes. This enables enterprise IT managers to centrally manage access to AirLink routers and produce an audit trail showing which users logged into specific devices and when.

Note:

• You can configure any or all of these schemes at the same time. When more than one scheme is configured, the authentication is successful if at least one of the schemes authenticates the user.

• Successful authentication can take time. For example, if you have all three authentication schemes enabled, AirLink OS first attempts to reach the LDAP server. If it is unable to reach the LDAP server in the configured timeout period, it abandons the attempt and tries to reach the RADIUS server. If that server is unreachable after the timeout period, it then tries to reach the TACACS+ server. If none of the servers are reachable in the configured timeout periods, AirLink OS falls back to AirLink OS user name and password authentication.

• AirLink OS uses LDAP, RADIUS, and TACACS+ to provide user authentication which will grant valid user administration rights to the AirLink router settings. Authorization is not configurable though these tools and therefore care should be taken to ensure that LDAP, RADIUS, and TACACS+ users are authorized to modify the device settings.

• LDAP, RADIUS, and TACACS+ are supported for AirLink OS logins, but are not supported by other AirLink router services such as Telnet, SSH, etc.

LDAP Client Settings

This section enables the configuration of LDAP version 3 servers for use by the AirLink router to perform user authentication.

The following settings can be used to configure LDAP authentication.

SETTING	DESCRIPTION	RANGE	DEFAULT
FILE NAME	Required file name	N/A	N/A
SERVER	Required LDAP server IP address or resolvable domain name	N/A	N/A
PORT	Port number	1 to 65535	389
TIMEOUT	The time limit for the server to respond. Note: If the server does not respond during the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials.	1 to 60 seconds	30 seconds
ENCRYPTION	Encryption type.	Off - None On - SSL (Secured Sockets Layer protocol) - Non-standard legacy (pre-LDAPv3) encryption type start_tls - Secure mechanism integrated into the LDAPv3 protocol (RECOMMENDED)	start_tls
BASE DN	The Base DN is the path in the LDAP tree to the list of users (e.g. dc=sierrawireless,dc=com). This is where the LDAP protocol searches for a matching user to authenticate.	N/A	N/A
BIND	Choose how the LDAP search is done	anonymous - A password is not required to perform requests in the database explicit - A password is required to perform requests in the database	anonymous
BIND DN	This field only appears if you selected Explicit in the BIND field. The full path of the user authorized to perform requests in the LDAP	N/A	N/A
BIND PASSWORD	This field only appears if you selected Explicit in the BIND field. Password associated with the Bind DN	N/A	N/A

RADIUS Client

This section enables the configuration of the Remote Authentication Dial In User Service (RADIUS) which uses UDP to perform user authentication with a shared key.

The following settings can be used to configure RADIUS authentication.

SETTING	DESCRIPTION	RANGE	DEFAULT
CONFIGURATION FILE NAME	Required configuration file name	N/A	N/A
SERVER	Required RADIUS server IP address or resolvable domain name	N/A	N/A
PORT	Port number	1 to 65535	1812
TIMEOUT	The time limit for the server to respond Note: If the server does not respond during the timeout, the authentication fails and the next enabled authentication mechanism checks the credentials.	1 to 60 seconds	30 seconds
SECRET	Shared secret for configured server	N/A	N/A

TACACS+ Client

This section describes the configuration settings for Terminal Access Controller Access-Control System Plus (TACACS+) that uses the TCP protocol to authenticate users.

The following settings listed below can be used to configure TACACS+ authentication.