Template:Networking rutos manual administration: Difference between revisions
No edit summary |
No edit summary |
||
(32 intermediate revisions by 4 users not shown) | |||
Line 19: | Line 19: | ||
The <b>General</b> section is used to set up some of device managerial parameters, such as changing device name. For more information on the General section, refer to figure and table below. | The <b>General</b> section is used to set up some of device managerial parameters, such as changing device name. For more information on the General section, refer to figure and table below. | ||
{{#switch:{{{series}}} | {{#switch:{{{series}}} | ||
| TAP100|TAP200=[[File: | | TAP100|TAP200=[[File:Networking_rutos_manual_administration_general_tap100_v2.png|border|class=tlt-border]] | ||
| TCR1=[[File: | | TCR1=[[File:Networking_rutos_manual_administration_general_tcr_v3.png|border|class=tlt-border]] | ||
| TRB1|TRB2|TRB5=[[File: | | TRB1|TRB2|TRB5=[[File:Networking_rutos_manual_administration_general_trb_v3.png|border|class=tlt-border]] | ||
| #default=[[File: | | #default=[[File:Networking_rutos_manual_administration_general_rut_v4.png|border|class=tlt-border]] | ||
}} | }} | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 44: | Line 44: | ||
<td>Basic {{!}} Advanced; default: <b>Basic</b></td> | <td>Basic {{!}} Advanced; default: <b>Basic</b></td> | ||
<td>Mode determines what options and configurations are shown. In Basic mode only the essential configurations are shown. In Advanced mode there is greater freedom to configure and access more options.</td> | <td>Mode determines what options and configurations are shown. In Basic mode only the essential configurations are shown. In Advanced mode there is greater freedom to configure and access more options.</td> | ||
</tr>}} | </tr> | ||
<tr> | |||
<td>Data Analytics</td> | |||
<td>Off {{!}} On; default: <b>Off</b></td> | |||
<td>Enables the collection of data, which is used to improve the quality and user experience of our products. It includes sending information about the device and the usage of the Web interface. The data is collected in compliance with the Privacy policy.</td> | |||
</tr> | |||
}} | |||
<tr> | <tr> | ||
<th>Device name and hostname</th> | <th>Device name and hostname</th> | ||
Line 101: | Line 107: | ||
provides information about the fields contained in that section: | provides information about the fields contained in that section: | ||
[[File:Networking_rutos_ntp_general_gps_{{{gps}}}.png|border|class=tlt-border]] | [[File:Networking_rutos_ntp_general_gps_{{{gps}}}_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 131: | Line 137: | ||
</tr>|}} | </tr>|}} | ||
</table> | </table> | ||
===NTP=== | ===NTP=== | ||
---- | ---- | ||
Line 192: | Line 199: | ||
This section is used to specify which time servers the device will use for time synchronization. To add more time servers to the list, click the 'Add' button. | This section is used to specify which time servers the device will use for time synchronization. To add more time servers to the list, click the 'Add' button. | ||
[[File:Networking_rutos_ntp_ntp_time_servers_v3.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
Line 201: | Line 209: | ||
<tr> | <tr> | ||
<td>Hostname</td> | <td>Hostname</td> | ||
<td>ip {{!}} url; default: <b> | <td>ip {{!}} url; default: <b>time[x].google.com</b></td> | ||
<td>NTP servers that this device uses to sync time.</td> | <td>NTP servers that this device uses to sync time.</td> | ||
</tr> | </tr> | ||
Line 216: | Line 224: | ||
<b>Note:</b> NTPD is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page. | <b>Note:</b> NTPD is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page. | ||
[[File: | [[File:Networking_rutos_ntp_ntpd_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 259: | Line 267: | ||
---- | ---- | ||
The <b>Access Control</b> page is used to manage {{#switch:{{{series}}}|TAP100|TAP200=|#default= remote and}} local access to device. | The <b>Access Control</b> page is used to manage {{#switch:{{{series}}}|TAP100|TAP200=|#default= remote and}} local access to device. | ||
{{#switch:{{{series}}} | |||
|TAP100|TAP200 = [[File:Networking rutos manual administration access control general tap v1.png|border|class=tlt-border]] | |||
|#default = [[File:Networking rutos manual administration access control general v1.png|border|class=tlt-border]]}} | |||
{{#switch:{{{series}}}|TAP100|TAP200=|#default=<b>Important</b>: turning on remote access leaves your device vulnerable to external attackers. Make sure you use a strong password. | {{#switch:{{{series}}}|TAP100|TAP200=|#default=<b>Important</b>: turning on remote access leaves your device vulnerable to external attackers. Make sure you use a strong password. | ||
Line 264: | Line 276: | ||
<b>SSH</b> | <b>SSH</b> | ||
----{{#switch:{{{series}}} | ----{{#switch:{{{series}}} | ||
|TAP100|TAP200 = [[File: | |TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_ssh_tap100_v3.png|border|class=tlt-border]] | ||
|#default = [[File: | |#default = [[File:Networking_rutos_manual_administration_access_control_general_ssh_v3.png|border|class=tlt-border]]}} | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 277: | Line 289: | ||
<td>off {{!}} on; default: <b>on</b></td> | <td>off {{!}} on; default: <b>on</b></td> | ||
<td>Turns SSH access from the local network (LAN) on or off.</td> | <td>Turns SSH access from the local network (LAN) on or off.</td> | ||
</tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default | </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default= | ||
<tr> | <tr> | ||
<td>Remote SSH access</td> | <td>Remote SSH access</td> | ||
Line 289: | Line 301: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Authentication type</td> | ||
<td> | <td>Password {{!}} <span style="color:blue">Key-based only</span> {{!}} <span style="color:blue">Use both</span>; default: <b>Password</b></td> | ||
<td>Use public keys for authentication.</td> | <td> | ||
<li><b>Password</b> - SSH access with password for root user</li> | |||
<li><b>Key-based only</b> - enables key-based authentication only and disables password authentication for root user</li> | |||
<li><b>Use Both</b> - use both password and public keys for authentication</li> | |||
</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color:blue">Public keys</span></td> | |||
<td>-(input field)</td> | |||
<td>Public keys for ssh key-based authentication. Each individual key must be specified on a new line.</td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
<br> | <br> | ||
<b> | <b>HTTP</b> | ||
----{{#switch:{{{series}}} | ----{{#switch:{{{series}}} | ||
|TAP100|TAP200 = [[File: | |TAP100|TAP200 = [[File:Networking rutos manual administration access control general http tap v1.png|border|class=tlt-border]] | ||
|#default = [[File: | |#default = [[File:Networking rutos manual administration access control general http v1.png|border|class=tlt-border]]}} | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 310: | Line 331: | ||
<td>off {{!}} on; default: <b>on</b></td> | <td>off {{!}} on; default: <b>on</b></td> | ||
<td>Turns HTTP access from the local network (LAN) to the device WebUI on or off.</td> | <td>Turns HTTP access from the local network (LAN) to the device WebUI on or off.</td> | ||
</tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default= | |||
<tr> | |||
<td>Enable remote HTTP access</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>Turns HTTP access from remote networks (WAN) to the device WebUI on or off.</td> | |||
</tr>}} | |||
<tr> | |||
<td>HTTP Port</td> | |||
<td>integer [0..65535]; default: <b>80</b></td> | |||
<td>Selects which port to use for HTTP access.</td> | |||
</tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default= | |||
<tr> | |||
<td>Ignore private IPs on public interface</td> | |||
<td>off {{!}} on; default: <b>on</b></td> | |||
<td>Prevent access from private (RFC1918) IPs on an interface if it has an public IP address.</td> | |||
</tr>}} | |||
</table> | |||
<br> | |||
<b>HTTPS</b> | |||
----{{#switch:{{{series}}} | |||
|TAP100|TAP200 = [[File:Networking rutos manual administration access control general https tap v1.png|border|class=tlt-border]] | |||
|#default = [[File:Networking rutos manual administration access control general https v1.png|border|class=tlt-border]]}} | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 320: | Line 370: | ||
<td>off {{!}} on; default: <b>off</b></td> | <td>off {{!}} on; default: <b>off</b></td> | ||
<td>Redirects connection attempts from HTTP to HTTPS.</td> | <td>Redirects connection attempts from HTTP to HTTPS.</td> | ||
</tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default= | </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default= | ||
<tr> | <tr> | ||
Line 337: | Line 377: | ||
</tr>}} | </tr>}} | ||
<tr> | <tr> | ||
<td>Port</td> | <td>HTTPS Port</td> | ||
<td>integer [0..65535]; default: <b>443</b></td> | <td>integer [0..65535]; default: <b>443</b></td> | ||
<td>Selects which port to use for HTTPS access.</td> | <td>Selects which port to use for HTTPS access.</td> | ||
Line 361: | Line 401: | ||
<td>Server key file.</td> | <td>Server key file.</td> | ||
</tr>}} | </tr>}} | ||
<tr> | |||
<td>Certificate file</td> | |||
<td>.crt; default: <b>uhttpd.crt</b></td> | |||
<td>Download certificate file from device. Used for browsers to reach HTTPS connection.</td> | |||
</tr> | |||
</table> | </table> | ||
<br> | <br> | ||
<b>CLI</b> | <b>CLI</b> | ||
----{{#switch:{{{series}}} | ----{{#switch:{{{series}}} | ||
|TAP100|TAP200 = [[File: | |TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_cli_tap100_v2.png|border|class=tlt-border]] | ||
|#default = [[File: | |#default = [[File:Networking_rutos_manual_administration_access_control_general_cli_v2.png|border|class=tlt-border]]}} | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 398: | Line 444: | ||
<b>Telnet</b> | <b>Telnet</b> | ||
---- | ---- | ||
[[File:Networking_rutos_manual_administration_access_control_general_telnet.png|border|class=tlt-border]] | <b>Note:</b> Telnet is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page. | ||
[[File:Networking_rutos_manual_administration_access_control_general_telnet v2.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 427: | Line 475: | ||
<b>Note:</b> PAM is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page. | <b>Note:</b> PAM is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page. | ||
[[File: | [[File:Networking_rutos_manual_administration_access_control_pam_v4.png|border|class=tlt-border]] | ||
====Modify PAM Auth==== | ====Modify PAM Auth==== | ||
---- | ---- | ||
[[File: | [[File:Networking_rutos_manual_administration_access_control_pam_modify_pam_auth_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 451: | Line 499: | ||
<tr> | <tr> | ||
<td>Type</td> | <td>Type</td> | ||
<td>Required {{!}} Requisite {{!}} Sufficient {{!}} Optional; default: <b> | <td>Required {{!}} Requisite {{!}} Sufficient {{!}} Optional; default: <b>Optional </b></td> | ||
<td>Determines the continuation or failure behavior for the module</td> | <td>Determines the continuation or failure behavior for the module</td> | ||
</tr> | |||
<tr> | |||
<td><span style="color:teal">WebUI PAM auth option</span>: Enable for all users</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>Turn on PAM authentication for all users. It will allow login with users that are not created on the device.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color:teal">WebUI PAM auth option</span>: Select users</td> | |||
<td>-(list)</td> | |||
<td>Select users for PAM authentication.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color:red">Radius</span>: Enable for all users</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>Turn on PAM authentication for all users. It will allow login with users that are not created on the device.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color:red">Radius</span>: Require Message-Authenticator</td> | |||
<td>off {{!}} on; default: <b>on</b></td> | |||
<td>Require and validate Message-Authenticator RADIUS attribute on Access-Request replies.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 466: | Line 534: | ||
<tr> | <tr> | ||
<td><span style="color:blue">TACACS+</span>/<span style="color:red">Radius</span>: Port</td> | <td><span style="color:blue">TACACS+</span>/<span style="color:red">Radius</span>: Port</td> | ||
<td>integer [0..65535]; default: <b>49/1812</b></td> | <td>integer [0..65535]; default: <b><span style="color:blue">49</span>/<span style="color:red">1812</span></b></td> | ||
<td>RADIUS server authentication port</td> | <td>RADIUS server authentication port</td> | ||
</tr> | </tr> | ||
Line 480: | Line 548: | ||
The <b>Security</b> tab provides the possibility to enable/disable blocking IP's service and delete blocked devices from the list. | The <b>Security</b> tab provides the possibility to enable/disable blocking IP's service and delete blocked devices from the list. | ||
<b> | <b>Login Attempts</b> | ||
---- | ---- | ||
[[File: | [[File:Networking_rutos_manual_administration_access_control_security_login_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
Line 490: | Line 558: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Source</td> | ||
<td> | <td>IP address</td> | ||
<td> | <td>Shows the IP address from which the connection failed.</td> | ||
</tr> | |||
<tr> | |||
<td>Destination</td> | |||
<td>IP address</td> | |||
<td>Shows yours device IP adress</td> | |||
</tr> | |||
<tr> | |||
<td>Port (protocol)</td> | |||
<td>Port number</td> | |||
<td>Shows the port number from which the connection failed.</td> | |||
</tr> | |||
<tr> | |||
<td>Status</td> | |||
<td>Attempt count {{!}} Blocked</td> | |||
<td>Shows the number of failed attempts to connect to device. Indicates whether the source address is blocked or not.</td> | |||
</tr> | |||
<tr> | |||
<td>Reset</td> | |||
<td>Check box</td> | |||
<td>Allows you to select multiple IP addresses.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Actions</td> | ||
<td> | <td>-(interactive button)</td> | ||
<td> | <td>Allows you to select multiple IP addresses.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Unblock all</td> | ||
<td> | <td>-(interactive button)</td> | ||
<td> | <td>Deletes instance.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Unblock selected</td> | ||
<td> | <td>-(interactive button)</td> | ||
<td> | <td>Unblocks selected source adresses from the list.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
<b> | <b>IP Block Settings</b> | ||
---- | ---- | ||
[[File: | <b>IP Block Settings</b> can be found by pressing 'Settings' button under security tab: | ||
[[File:Networking rutos manual administration access control security settings ipblock button.png|border|class=tlt-border]] | |||
[[File:Networking rutos manual administration access control security settings ipblock.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
Line 521: | Line 613: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Enable</td> | ||
<td> | <td>off {{!}} on; default: <b>on</b></td> | ||
<td> | <td>Enable or disable blocking IP's if they have reached the set amount of failed times.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Type</td> | ||
<td> | <td>Timed blocking {{!}} Permanent blocking; default: <b>Timed blocking</b></td> | ||
<td> | <td>You can choose an option of a blocking type.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Fail count</td> | ||
<td> | <td>integer [1..1000]; default: <b>10</b></td> | ||
<td> | <td>An amount of times IP address can try to access SSH or WebUI before being blocked.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Clean after reboot</td> | ||
<td> | <td>off {{!}} on; default: <b>off</b></td> | ||
<td>If enabled, blocked loging attempts list will be cleared on device reboot.</td> | |||
<td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
Line 569: | Line 636: | ||
{{#switch:{{{series}}}|TAP100|TAP200= ===Device Pairing=== | {{#switch:{{{series}}}|TAP100|TAP200= ===Device Pairing=== | ||
---- | ---- | ||
[[File: | [[File:Networking_rutos_manual_administration_access_control_pairing_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
Line 598: | Line 665: | ||
<li>Enter a custom name for the phone group into the 'Name' field.</li> | <li>Enter a custom name for the phone group into the 'Name' field.</li> | ||
<li>Click the 'Add' button.</li> | <li>Click the 'Add' button.</li> | ||
</ol> | </ol> | ||
[[File: | [[File:Networking_rutos_manual_administration_recipients_phone_groups_add_button.png|border|class=tlt-border]] | ||
After clicking 'Edit' you should be redirected to that phone group's configuration page where you can start adding phone numbers to it. | After clicking 'Edit' you should be redirected to that phone group's configuration page where you can start adding phone numbers to it. | ||
[[File: | [[File:Networking_rutos_manual_administration_recipients_phone_groups_modify_phone_group_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 625: | Line 691: | ||
</table> | </table> | ||
===Email | ===Email Users=== | ||
---- | ---- | ||
When email related services{{#ifeq:{{{events_reporting}}}|0| | (such as [[{{{name}}} Events Reporting|Events Reporting]]) }}are used, the device logs in to the specified email account and reads the inbox (e.g., Email to SMS) or sends out a message (e.g., SMS to Email) depending on the configured service. In this context, an <b>Email Account</b> is an configuration instance that contains the necessary data required in order to log into an email account. | When email related services{{#ifeq:{{{events_reporting}}}|0| | (such as [[{{{name}}} Events Reporting|Events Reporting]]) }}are used, the device logs in to the specified email account and reads the inbox (e.g., Email to SMS) or sends out a message (e.g., SMS to Email) depending on the configured service. In this context, an <b>Email Account</b> is an configuration instance that contains the necessary data required in order to log into an email account. | ||
Line 634: | Line 700: | ||
<li>Enter a custom name for the email account into the 'Name' field.</li> | <li>Enter a custom name for the email account into the 'Name' field.</li> | ||
<li>Click the 'Add' button.</li> | <li>Click the 'Add' button.</li> | ||
</ol> | </ol> | ||
[[File: | [[File:Networking_rutos_manual_administration_recipients_email_accounts_groups_add_button_v1.png|border|class=tlt-border]] | ||
After clicking ' | After clicking 'Add' you should be redirected to that email account's settings page where you can start configuring the account. | ||
[[File: | [[File:Networking_rutos_manual_administration_recipients_email_accounts_modify_email_account_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 651: | Line 716: | ||
<tr> | <tr> | ||
<td>Secure connection</td> | <td>Secure connection</td> | ||
<td>off | <td>off {{!}} on; default: <b>off</b></td> | ||
<td>Use if your SMTP server supports TLS or SSL encryption.</td> | <td>Use if your SMTP server supports TLS or SSL encryption.</td> | ||
</tr> | </tr> | ||
Line 666: | Line 731: | ||
<tr> | <tr> | ||
<td>Credentials</td> | <td>Credentials</td> | ||
<td>off {{!}} on; default: <b>off</b></td> | <td>off {{!}} <span style="color: blue;">on</span>; default: <b>off</b></td> | ||
<td>This options allows you to set username and password of email account.</td> | <td>This options allows you to set username and password of email account.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Username</td> | <td><span style="color: blue;">Username</span></td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Username | <td>Username for authentication on SMTP (Simple Mail Transfer Protocol) server. All characters are allowed except `' and space.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Password</td> | <td><span style="color: blue;">Password</span></td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Password | <td>Password for authentication on SMTP (Simple Mail Transfer Protocol) server. All characters are allowed except `' and space.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Sender's email address</td> | <td>Sender's email address</td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td> | <td>An address that will be used to send your email from. Allowed characters (a-zA-Z0-9._%+-@).</td> | ||
</tr> | |||
<tr> | |||
<td>Do not verify authenticity</td> | |||
<td><span style="color: red;">off</span> {{!}} on; default: <b>off</b></td> | |||
<td>When enabled peer's certificate authenticity will not be verified.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color: red;">Server's CA file</span></td> | |||
<td> - (interactive button)</td> | |||
<td>Upload server's CA file.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 700: | Line 775: | ||
The <b>Certificate Generation</b> tab provides the possibility to generate TLS certificates required for secure authentication and communication encryption used by some of the devices services. | The <b>Certificate Generation</b> tab provides the possibility to generate TLS certificates required for secure authentication and communication encryption used by some of the devices services. | ||
There are | There are six distinct generation methods (denoted by the selected 'File Type'). | ||
<ol> | <ol> | ||
Line 715: | Line 790: | ||
<li><b>Client</b> - generates a client certificate and key. A client certificate validates a client's identity to the server that it's connecting to, while a key is responsible for encryption.</li> | <li><b>Client</b> - generates a client certificate and key. A client certificate validates a client's identity to the server that it's connecting to, while a key is responsible for encryption.</li> | ||
<li><b>DH Parameters</b> - generates a Diffie-Hellman (DH) parameters file. DH parameters are used in symmetric encryption to protect and define how OpenSSL key exchange is performed.</li> | <li><b>DH Parameters</b> - generates a Diffie-Hellman (DH) parameters file. DH parameters are used in symmetric encryption to protect and define how OpenSSL key exchange is performed.</li> | ||
<li><b>Let's encrypt</b> - generates SSL certificate.</li> | |||
<li><b>SCEP</b> - generates SCEP (Simple Certificate Enrollment Protocol) certificate.</li> | |||
</ol> | </ol> | ||
====Generation Parameters==== | ====Generation Parameters==== | ||
---- | ---- | ||
Generating each type of file | Generating each type of file requires setting some parameters. This section provides an overview for parameters used in Simple and TLS certificate generation. | ||
---- | ---- | ||
<b> | <b>Simple file parameters</b> | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_generation_simple_parameters_v1.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Hosts</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Appends hostnames to certificates.</td> | |||
</tr> | |||
<tr> | |||
<td>IP addresses</td> | |||
<td>IPv4 address; default: <b>none</b></td> | |||
<td>Appends IPv4 addresses to certificates.</td> | |||
</tr> | |||
</table> | |||
---- | |||
<b>TLS parameters</b> or simply parameters that apply to each (CA, Server, Client, DH) file type are the size and common name of the generated file(s). | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_core_parameters_v2.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 745: | Line 844: | ||
<b>Subject information</b> is not mandatory but can be used as user-friendly way to identify the ownership of certificate files by including such information as the owner's location and company name. | <b>Subject information</b> is not mandatory but can be used as user-friendly way to identify the ownership of certificate files by including such information as the owner's location and company name. | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_generation_subject_information_v2.png|border|class=tlt-border]] | ||
---- | ---- | ||
The <b>Sign the certificate</b> slider control whether the certificate will be signed automatically or manually after the generation is complete. | The <b>Sign the certificate</b> slider control whether the certificate will be signed automatically or manually after the generation is complete. | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_generation_sign_the_certificate_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 781: | Line 880: | ||
A <b>Private Key Decryption Password</b> is a parameter used to decrypt private keys protected by a password. | A <b>Private Key Decryption Password</b> is a parameter used to decrypt private keys protected by a password. | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_generation_private_key_decryption_password_v2.png|border|class=tlt-border]] | ||
---- | |||
<b>Let's encrypt</b> - This section provides an overview of the parameters used to generate SSL certificates. | |||
---- | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_lets_encrypt.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Domain</td> | |||
<td>domain name; default: <b>none</b></td> | |||
<td>Hostname that is linked to the device's public IP address.</td> | |||
</tr> | |||
<tr> | |||
<td>Automatically renew</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>Certificates will be automatically renewed every 60 days.</td> | |||
</tr> | |||
</table> | |||
---- | |||
<b>SCEP</b> - This section provides an overview of the parameters used to create certificates for the Simple Certificate Enrollment Protocol. | |||
---- | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_scep.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Key Size</td> | |||
<td>512 {{!}} 1024 {{!}} 2048 {{!}} 4096 {{!}} ; default: <b>none</b></td> | |||
<td>Certificate key size.</td> | |||
</tr> | |||
<tr> | |||
<td>Common name</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Common name of the certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>SCEP server URL</td> | |||
<td>url; default: <b>none</b></td> | |||
<td>URL of the SCEP server.</td> | |||
</tr> | |||
<tr> | |||
<td>Challenge</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>It's recommended to use a high-entropy shared-secret authentication string, such as a base64-encoded key from EAP or DNP3-SA protocols, for the initial SCEP certificate generation.</td> | |||
</tr> | |||
</table> | |||
====Certificate Signing==== | ====Certificate Signing==== | ||
Line 787: | Line 940: | ||
The <b>Certificate Signing</b> section is used to validate (sign) unsigned certificates. | The <b>Certificate Signing</b> section is used to validate (sign) unsigned certificates. | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_generation_certificate_signing_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 829: | Line 982: | ||
<td>off {{!}} on; default: <b>off</b></td> | <td>off {{!}} on; default: <b>off</b></td> | ||
<td>Generation creates additional 'signing request' files (which appear under the [[#Certificate_Manager|Certificate Manager]] tab) that are later used to sign the generated certificates. When this option is set to 'on', the device deletes the signing request files after the signing process is complete.</td> | <td>Generation creates additional 'signing request' files (which appear under the [[#Certificate_Manager|Certificate Manager]] tab) that are later used to sign the generated certificates. When this option is set to 'on', the device deletes the signing request files after the signing process is complete.</td> | ||
</tr> | |||
<tr> | |||
<td>Hosts</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Appends hostnames to certificates.</td> | |||
</tr> | |||
<tr> | |||
<td>IP addresses</td> | |||
<td>IPv4 address; default: <b>none</b></td> | |||
<td>Appends IPv4 addresses to certificates.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 845: | Line 1,008: | ||
The <b>Certificate Import</b> section provides the possibility to import certificates and files generated on another machine. To upload such a file simply click 'Browse' and locate the file on your computer, it should then start uploading automatically. | The <b>Certificate Import</b> section provides the possibility to import certificates and files generated on another machine. To upload such a file simply click 'Browse' and locate the file on your computer, it should then start uploading automatically. | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_import_v3.png|border|class=tlt-border]] | ||
====Certificates, Keys & Requests==== | ====Certificates, Keys & Requests==== | ||
Line 853: | Line 1,016: | ||
By default, the lists are empty. A set certificates generated using 'Simple' file type would look something like this: | By default, the lists are empty. A set certificates generated using 'Simple' file type would look something like this: | ||
[[File: | [[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_list_v2.png|border|class=tlt-border]] | ||
The 'Export' buttons are used to download the files from the device onto your local machine. The 'X' buttons located to the right of each entry are used to delete related files. | The 'Export' buttons are used to download the files from the device onto your local machine. The 'X' buttons located to the right of each entry are used to delete related files. | ||
Line 859: | Line 1,022: | ||
===Root CA=== | ===Root CA=== | ||
---- | ---- | ||
The <b>Root CA</b> section is used to add a root CA certificate file to the device. There is a default file already preloaded on the device which will be overwritten by any uploaded file. The certificates must be in .pem format, maximum file size is | The <b>Root CA</b> section is used to add a root CA certificate file to the device. There is a default file already preloaded on the device which will be overwritten by any uploaded file. The certificates must be in .pem format, maximum file size is 10 KB. These certificates are only needed if you want to use HTTPS for your services and the default file should be sufficient in most cases. | ||
[[File: | [[File:Networking_rutos_manual_administration_access_control_root_ca_v2.png|border|class=tlt-border]]}} | ||
==Profiles== | ==Profiles== |
Latest revision as of 15:06, 24 October 2024
The information in this page is updated in accordance with firmware version .
Summary
This page is an overview of the Administration section of {{{name}}} devices.
General
The General section is used to set up some of device managerial parameters, such as changing device name. For more information on the General section, refer to figure and table below.
Field | Value | Description |
---|---|---|
General Settings | ||
Language | English | Turkish* | Spanish* | Portuguese* | German* | Japanese*; default: English | Changes the router's WebUI language. |
Configuration Mode | Basic | Advanced; default: Basic | Mode determines what options and configurations are shown. In Basic mode only the essential configurations are shown. In Advanced mode there is greater freedom to configure and access more options. |
Data Analytics | Off | On; default: Off | Enables the collection of data, which is used to improve the quality and user experience of our products. It includes sending information about the device and the usage of the Web interface. The data is collected in compliance with the Privacy policy. |
Device name and hostname | ||
Device name | string; default: {{{name}}} | Device model name. |
Hostname | string; default: Teltonika-{{{name}}}.com | Device hostname. This can be used for communication with other LAN hosts. |
LED Indication | ||
Enable | off | on; default: on | Manages signal strength, LAN and connection status indication LEDs. |
Reset Button Configuration | ||
Min time | integer [0..60]; default: none | Minimum time (in seconds) the button needs to be held to perform an action. |
Max time | integer [1..60]; default: none | Maximum time (in seconds) the button can be held to perform an action, after which no action will be performed. |
* Different language packages can be downloaded separately from the System → [[{{{name}}} Package Manager|Package Manager]] page.
Date & Time
Summary
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. This chapter is an overview of the NTP section for {{{name}}} devices.
General
The Time Synchronization section lets you select time zone and synchronize the time.
The figure below is an example of the Time Synchronization section and the table below provides information about the fields contained in that section:
[[File:Networking_rutos_ntp_general_gps_{{{gps}}}_v2.png|border|class=tlt-border]]
Field | Value | Description |
---|---|---|
Current system time | time; default: none | Current local time of the device. |
Sync with browser | -(interactive button) | Click to synchronize device time and time zone to browsers, if your device time or time zone is not correct. |
Time zone | time zone; default: UTC | The device will sync time in accordance with the selected time zone. |
NTP
This section is used to configure NTP client, server and time servers.
Time Synchronization
This section is used to configure the device's time settings.
[[File:Networking_rutos_ntp_ntp_time_synchronization_{{{mobile}}}.png|border|class=tlt-border]]
Field | Value | Description |
---|---|---|
Enable NTP Client | off | on; default: on | Turns NTP on or off. |
Save time to flash | off | on; default: off | Saves last synchronized time to flash memory. |
Force Servers | off | on; default: off | Forces unreliable NTP servers. |
Update interval (in seconds) | integer; default: 86400 | How often the device will update the time. |
Offset frequency | integer; default: 0 | Adjusts the minor drift of the clock so that it will run more accurately. |
Count of time synchronizations | integer; default: none | The amount of times the device will perform time synchronizations. Leave empty in order to set to infinite. |
Time Servers
This section is used to specify which time servers the device will use for time synchronization. To add more time servers to the list, click the 'Add' button.
Field | Value | Description |
---|---|---|
Hostname | ip | url; default: time[x].google.com | NTP servers that this device uses to sync time. |
NTP Server
The device can also act as an NTP Server, providing clock synchronization to other devices in the network. From this section you can turn this feature on or off:
NTPD
The NTPD program is an operating system daemon that synchronizes the system clock to remote NTP time servers or local reference clocks. NTPD includes the ability to use this to keep your clock in sync and will run more accurately than a clock on a device not running NTPD. NTPD will also use several servers to improve accuracy. It is a complete implementation of NTP version 4 defined by RFC-5905, but also retains compatible with version 3 defined by RFC-1305 and versions 1 and 2, defined by RFC-1059 and RFC-1119, respectively.
Note: NTPD is additional software that can be installed from the System → [[{{{name}}} Package Manager|Package Manager]] page.
Field | Value | Description |
---|---|---|
Enable NTPD | off | on; default: off | Turns NTPD on or off. |
Enable NTP config from file | off | on; default: off | Run NTPD with uploaded configuration file. |
NTP configuration file | .conf file; default: none | Upload a custom configuration file. |
Server | ip | url; default: 0.openwrt.pool.ntp.org | NTP servers that this device uses to sync time. |
Enable Server | off | on; default: off | Enables NTPD server to make the router act as an NTP server so that it can provide time synchronization services for other network devices. |
User Settings
Change Password
The User settings section is used to change the password of the current user.
System Users
Summary
The System Users page is used to add new user accounts that can access the device with different user credentials than the default ones. The newly added users can be assigned to one of two groups, either of which can be modified to limit WebUI read/write access rights for users belonging to each specific group.
This page is unrelated to SSH users. By default, there is one SSH user named "root" and it shares the same password as the default WebUI user named "admin".
This manual page provides an overview of the Users page in {{{name}}} devices.
If you're having trouble finding this page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Advanced" button, located at the top of the WebUI.
Groups
The Groups section lists available user groups of which there are three:
- root - highest level of authority. Key elements that define this group:
- has unlimited read/write access;
- additional users cannot be added to this group;
- access rights for this group cannot be modified.
- admin - second highest level of authority. Key elements that define this group:
- limited read access; by default, users belonging to this group cannot view these pages:
- System → Administration → Users Settings → System Users
- System → Administration → Profiles
- System → Maintenance → Backup
- System → Firmware
- System → Maintenance → CLI
- System → Setup Wizard
- System → Maintenance → Custom Scripts
- limited write access; by default, users belonging to this group cannot view these pages:
- System → Administration → Users Settings → System Users
- System → Maintenance → Backup
- System → Firmware
- System → Maintenance → CLI
- System → Setup Wizard
- System → Maintenance → Custom Scripts
- System → Administration → Access Control → General
- System → Administration → Profiles
- access rights can be modified.
- limited read access; by default, users belonging to this group cannot view these pages:
- user - lowest level of authority. Key elements that define this group:
- no write access;
- limited read access; by default, users belonging to this group cannot view these pages:
- System → Administration → Users Settings → System Users
- System → Firmware
- System → Maintenance → Backup
- System → Administration → Access Control
- System → Maintenance → CLI
- System → Maintenance → Custom Scripts
- System → Maintenance → Troubleshoot
- System → Package Manager
- Network
- System → Setup Wizard
- Services → Hotspot → General → Userscripts
- access rights can be modified.
Additional note: you can view and/or edit settings for each group by clicking the 'Edit' button next to them. More on information on how to edit group access settings is located in the following section of this manual page.
Group Settings (edit group)
A group's parameters can be set in its Group Settings page. To access the Groups Settings page, click the 'Edit' button next to the group's name. Below is an example of the Group Settings section:
Field | Value | Description |
---|---|---|
Write action | Allow | Deny; default: Allow | Specifies whether to deny or allow write access for users belonging the group. |
Write access | path(s) to page(s); default:
|
Controls the ability of users to change and execute the contents (e.g. Network > Lan). |
Read action | Allow | Deny; default: Deny | Specifies whether to deny or allow read access for users belonging the group. |
Read access | path(s) to page(s); default: in the picture above | Path(s) to the page(s) to which the selected "Read action" will be applied. Click the plus symbol to add more entries. |
Examples
The easiest way to master the syntax is to navigate to page that you want to generate a path for and the copy the path from the URL of that page.
For example, to specify the path to the Network → Mobile page, navigate to the page, copy the page's URL address starting from the symbol "#" and paste it into one of the access fields:
However, the VPN window contains links to many different types of VPN pages. If you want to specify only one of them, you can do it as well. For example, to to specify the path to the IPsec page, add "/ipsec" to the path string:
services/vpn/ipsec
An asterisk (*) in the path string means that the every page from that point on is included in that path. For example, to generate a path that includes pages in the Services menu tab:
services/*
Or to simply include everything in the entire WebUI (if this path is combined with Read action: Deny, users from that group will not be able to login to the WebUI):
*
Users
The Users section lists all created users and provides the possibility to change their passwords and the group they belong to (with the exception of the default user "admin" which always belongs to the root group).
By default, there is only one user called "admin":
User Settings (edit user)
Each user's password and group parameters can be set in their User Settings pages. To access the User Settings page, click the 'Edit' button next to the user's name.
However, you may want to add a new user at first. This can be done from the [[{{{name}}}_Users#Add_New_User|Add New User]] section below:
- create a username;
- create a password for the user (must contain at least 8 characters, including at least one upper case letter and one digit);
- click the 'Add' button;
- click the 'Edit' next to newly added user.
Below is an example of a newly added user's settings page:
Field | Value | Description |
---|---|---|
Username | string; default: none | Displays the user's name. |
New password | string; default: none | |
Confirm new password | string; default: none | Repeat the new password. |
Group | admin | user; default: user | The group to which the user belongs. |
Enable SSH access | off | on; default: off | Enables SSH access (only for 'root' users). |
Add New User
The Add New User section is used to create additional users that can access the WebUI. After a new user is added, it will appear in the [[{{{name}}} Users#Users|Users]] section.
Field | Value | Description |
---|---|---|
Username | string; default: none | A custom name for the new user. |
Password | string; default: none |
Access Control
General
The Access Control page is used to manage remote and local access to device.
Important: turning on remote access leaves your device vulnerable to external attackers. Make sure you use a strong password.
SSH
Field | Value | Description |
---|---|---|
Enable SSH access | off | on; default: on | Turns SSH access from the local network (LAN) on or off. |
Remote SSH access | off | on; default: off | Turns SSH access from remote networks (WAN) on or off. |
Port | integer [0..65535]; default: 22 | Selects which port to use for SSH access. |
Authentication type | Password | Key-based only | Use both; default: Password |
|
Public keys | -(input field) | Public keys for ssh key-based authentication. Each individual key must be specified on a new line. |
HTTP
Field | Value | Description |
---|---|---|
Enable HTTP access | off | on; default: on | Turns HTTP access from the local network (LAN) to the device WebUI on or off. |
Enable remote HTTP access | off | on; default: off | Turns HTTP access from remote networks (WAN) to the device WebUI on or off. |
HTTP Port | integer [0..65535]; default: 80 | Selects which port to use for HTTP access. |
Ignore private IPs on public interface | off | on; default: on | Prevent access from private (RFC1918) IPs on an interface if it has an public IP address. |
HTTPS
Field | Value | Description |
---|---|---|
Enable HTTPS access | off | on; default: on | Turns HTTPS access from the local network (LAN) to the device WebUI on or off. |
Redirect to HTTPS | off | on; default: off | Redirects connection attempts from HTTP to HTTPS. |
Enable remote HTTPS access | off | on; default: off | Turns HTTPS access from remote networks (WAN) to the device WebUI on or off. |
HTTPS Port | integer [0..65535]; default: 443 | Selects which port to use for HTTPS access. |
Ignore private IPs on public interface | off | on; default: on | Prevent access from private (RFC1918) IPs on an interface if it has an public IP address. |
Certificate files from device | off | on; default: on | Choose this option if you want to select certificate files from device. Certificate files can be generated in [[{{{name}}} Administration#Certificates|Certificates]] section. |
Server certificate | .crt; default: uhttpd.crt | Server certificate file. |
Server key | .key; default: uhttpd.key | Server key file. |
Certificate file | .crt; default: uhttpd.crt | Download certificate file from device. Used for browsers to reach HTTPS connection. |
CLI
Field | Value | Description |
---|---|---|
Enable CLI | off | on; default: on | Turns CLI access from the local network (LAN) on or off. |
Enable remote CLI | off | on; default: off | Turns CLI access from remote networks (WAN) on or off. |
Port range | range of integers [0..65534]-[1..65535]; default: 4200-4220 | Selects which ports to use for CLI access. |
Shell limit | integer [1..10]; default: 5 | Maximum number of active CLI connections. |
Telnet
Note: Telnet is additional software that can be installed from the System → [[{{{name}}} Package Manager|Package Manager]] page.
Field | Value | Description |
---|---|---|
Enable Telnet access | off | on; default: on | Turns Telnet access from the local network (LAN) on or off. |
Enable remote Telnet access | off | on; default: off | Turns Telnet access from remote networks (WAN) on or off. |
Port range | integer [0..65535]; default: 23 | Selects which port to use for Telnet access. |
PAM
Note: PAM is additional software that can be installed from the System → [[{{{name}}} Package Manager|Package Manager]] page.
Modify PAM Auth
Field | Value | Description |
---|---|---|
Enable | off | on; default: on | Turns the PAM auth on or off. |
Module | TACACS+ | Radius | Local; default: Local | Specifies the PAM module that implements the service. |
Type | Required | Requisite | Sufficient | Optional; default: Optional | Determines the continuation or failure behavior for the module |
WebUI PAM auth option: Enable for all users | off | on; default: off | Turn on PAM authentication for all users. It will allow login with users that are not created on the device. |
WebUI PAM auth option: Select users | -(list) | Select users for PAM authentication. |
Radius: Enable for all users | off | on; default: off | Turn on PAM authentication for all users. It will allow login with users that are not created on the device. |
Radius: Require Message-Authenticator | off | on; default: on | Require and validate Message-Authenticator RADIUS attribute on Access-Request replies. |
TACACS+/Radius: Server | ip4 | ip6; default: none | The IP address of the RADIUS server |
TACACS+/Radius: Secret | string; default: none | RADIUS shared secret |
TACACS+/Radius: Port | integer [0..65535]; default: 49/1812 | RADIUS server authentication port |
Radius: Timeout | integer [3..10]; default: 3 | Timeout in seconds waiting for RADIUS server reply. |
Security
The Security tab provides the possibility to enable/disable blocking IP's service and delete blocked devices from the list.
Login Attempts
Field | Value | Description |
---|---|---|
Source | IP address | Shows the IP address from which the connection failed. |
Destination | IP address | Shows yours device IP adress |
Port (protocol) | Port number | Shows the port number from which the connection failed. |
Status | Attempt count | Blocked | Shows the number of failed attempts to connect to device. Indicates whether the source address is blocked or not. |
Reset | Check box | Allows you to select multiple IP addresses. |
Actions | -(interactive button) | Allows you to select multiple IP addresses. |
Unblock all | -(interactive button) | Deletes instance. |
Unblock selected | -(interactive button) | Unblocks selected source adresses from the list. |
IP Block Settings
IP Block Settings can be found by pressing 'Settings' button under security tab:
Field | Value | Description |
---|---|---|
Enable | off | on; default: on | Enable or disable blocking IP's if they have reached the set amount of failed times. |
Type | Timed blocking | Permanent blocking; default: Timed blocking | You can choose an option of a blocking type. |
Fail count | integer [1..1000]; default: 10 | An amount of times IP address can try to access SSH or WebUI before being blocked. |
Clean after reboot | off | on; default: off | If enabled, blocked loging attempts list will be cleared on device reboot. |
Recipients
The Recipients section is used to configure phone groups and email users, which can later be used along with SMS or email related services, such as [[{{{name}}} Events Reporting|Events Reporting]].
Phone Groups
A Phone Group is a collection of phone numbers that can be used as the recipient in SMS & call related services instead of specifying every number individually. The phone group list is empty by default thus, you must first add at least one new group before you can add phone numbers to it. To create and begin editing a phone group, follow these steps:
- Enter a custom name for the phone group into the 'Name' field.
- Click the 'Add' button.
After clicking 'Edit' you should be redirected to that phone group's configuration page where you can start adding phone numbers to it.
Field | Value | Description |
---|---|---|
Group name | string; default: none | Name of this phone numbers group. |
Phone number | string; default: none | A phone number entry for this group. Numbers that consist of 0-9*+# characters are accepted. Click the plus symbol to add more entries. |
Email Users
When email related services (such as [[{{{name}}} Events Reporting|Events Reporting]]) are used, the device logs in to the specified email account and reads the inbox (e.g., Email to SMS) or sends out a message (e.g., SMS to Email) depending on the configured service. In this context, an Email Account is an configuration instance that contains the necessary data required in order to log into an email account.
The email accounts list is empty by default thus, you must first add at least one new account before you can configure it. To create and begin editing an email account, follow these steps:
- Enter a custom name for the email account into the 'Name' field.
- Click the 'Add' button.
After clicking 'Add' you should be redirected to that email account's settings page where you can start configuring the account.
Field | Value | Description |
---|---|---|
Secure connection | off | on; default: off | Use if your SMTP server supports TLS or SSL encryption. |
SMTP server | string; default: none | Name of the email service provider's SMTP server. |
SMTP server port | integer [0..65535]; default: none | Port of the email service provider's SMTP server. |
Credentials | off | on; default: off | This options allows you to set username and password of email account. |
Username | string; default: none | Username for authentication on SMTP (Simple Mail Transfer Protocol) server. All characters are allowed except `' and space. |
Password | string; default: none | Password for authentication on SMTP (Simple Mail Transfer Protocol) server. All characters are allowed except `' and space. |
Sender's email address | string; default: none | An address that will be used to send your email from. Allowed characters (a-zA-Z0-9._%+-@). |
Do not verify authenticity | off | on; default: off | When enabled peer's certificate authenticity will not be verified. |
Server's CA file | - (interactive button) | Upload server's CA file. |
Send test email | - (interactive button) | Sends an email based on the current configuration. This is used to test whether the configuration works as intended. |
Certificates
The Certificates page is used for convenient TLS certificate and key generation and management. Generated files can be exported and used on other machines or locally on this device with functions that use TLS/SSL, such as [[{{{name}}} MQTT|MQTT]], [[{{{name}}} VPN#OpenVPN|OpenVPN]], [[{{{name}}} VPN#IPsec|IPsec]] and others.
Certificate Generation
The Certificate Generation tab provides the possibility to generate TLS certificates required for secure authentication and communication encryption used by some of the devices services.
There are six distinct generation methods (denoted by the selected 'File Type').
- Simple - generates and signs a set of 2048 bit certificate and key files that include:
- Certificate Authority (CA)
- Server certificate & key
- Client certificate & key
- DH Parameters
- CA - generates a Certificate Authority (CA) file. A CA is a type of certificate file that certifies the ownership of a public key by the named subject of the certificate. In other words, it assures clients that they are connecting to a trusted server and vice versa.
- Server - generates a server certificate and key. A server certificate validates a server's identity to connecting clients, while a key is responsible for encryption.
- Client - generates a client certificate and key. A client certificate validates a client's identity to the server that it's connecting to, while a key is responsible for encryption.
- DH Parameters - generates a Diffie-Hellman (DH) parameters file. DH parameters are used in symmetric encryption to protect and define how OpenSSL key exchange is performed.
- Let's encrypt - generates SSL certificate.
- SCEP - generates SCEP (Simple Certificate Enrollment Protocol) certificate.
Generation Parameters
Generating each type of file requires setting some parameters. This section provides an overview for parameters used in Simple and TLS certificate generation.
Simple file parameters
Field | Value | Description |
---|---|---|
Hosts | string; default: none | Appends hostnames to certificates. |
IP addresses | IPv4 address; default: none | Appends IPv4 addresses to certificates. |
TLS parameters or simply parameters that apply to each (CA, Server, Client, DH) file type are the size and common name of the generated file(s).
Field | Value | Description |
---|---|---|
Key Size | integer; default: 2048 | Generated key size in bits. Larger keys provide more security but take longer to generate. A 2048 bit is the preferred option. |
Name (CN) | string; default: cert | Common Name (CN), aka Fully Qualified Domain Name (FQDN) is a parameter that defines the name of the certificate. It should be chosen with care as it is not only used for easier management. For example, the Common Name should typically hostname of the server. It may also be used to differentiate clients in order to apply client-specific settings. |
Subject information is not mandatory but can be used as user-friendly way to identify the ownership of certificate files by including such information as the owner's location and company name.
The Sign the certificate slider control whether the certificate will be signed automatically or manually after the generation is complete.
Field | Value | Description |
---|---|---|
Days Valid | integer; default: 3650 | Length of the signature's validity. |
CA File Name | filename; default: none | Selects which CA file will be used to sign the generated certificate. |
CA key | filename; default: none | Selects which CA key file will be used to sign the generated certificate. |
Delete Signing Request | off | on; default: off | Generation creates additional 'signing request' files (which appear under the Certificate Manager tab) that are later used to sign the generated certificates. When this option is set to 'on', the device deletes the signing request files after the signing process is complete. |
A Private Key Decryption Password is a parameter used to decrypt private keys protected by a password.
Let's encrypt - This section provides an overview of the parameters used to generate SSL certificates.
Field | Value | Description |
---|---|---|
Domain | domain name; default: none | Hostname that is linked to the device's public IP address. |
Automatically renew | off | on; default: off | Certificates will be automatically renewed every 60 days. |
SCEP - This section provides an overview of the parameters used to create certificates for the Simple Certificate Enrollment Protocol.
Field | Value | Description |
---|---|---|
Key Size | 512 | 1024 | 2048 | 4096 | ; default: none | Certificate key size. |
Common name | string; default: none | Common name of the certificate. |
SCEP server URL | url; default: none | URL of the SCEP server. |
Challenge | string; default: none | It's recommended to use a high-entropy shared-secret authentication string, such as a base64-encoded key from EAP or DNP3-SA protocols, for the initial SCEP certificate generation. |
Certificate Signing
The Certificate Signing section is used to validate (sign) unsigned certificates.
Field | Value | Description |
---|---|---|
Signed Certificate Name | string; default: none | Name of the signed certificate. |
Type of Certificate to Sign | Certificate Authority | Client Certificate | Server Certificate; default: Certificate Authority | Specifies what type of file will be signed. |
Certificate Request File | file; default: none | Specifies the signing request file linked to the certificate. |
Days Valid | integer; default: none | Length of the signature's validity. |
Certificate Authority File | filename; default: none | Selects which CA file will be used to sign the generated certificate. |
Certificate Authority Key | filename; default: none | Selects which CA key file will be used to sign the generated certificate. |
Delete Signing Request | off | on; default: off | Generation creates additional 'signing request' files (which appear under the Certificate Manager tab) that are later used to sign the generated certificates. When this option is set to 'on', the device deletes the signing request files after the signing process is complete. |
Hosts | string; default: none | Appends hostnames to certificates. |
IP addresses | IPv4 address; default: none | Appends IPv4 addresses to certificates. |
Sign | - (interactive button) | Signs the certificate on click. |
Certificate Manager
The Certificate Manager page displays information on all certificate and key files stored on the device and provides the possibility export these files for use on another machine or import files generated elsewhere.
Certificate Import
The Certificate Import section provides the possibility to import certificates and files generated on another machine. To upload such a file simply click 'Browse' and locate the file on your computer, it should then start uploading automatically.
Certificates, Keys & Requests
The Certificates, Keys and Requests section display files generated on or imported to the device along with the most important information related to them.
By default, the lists are empty. A set certificates generated using 'Simple' file type would look something like this:
The 'Export' buttons are used to download the files from the device onto your local machine. The 'X' buttons located to the right of each entry are used to delete related files.
Root CA
The Root CA section is used to add a root CA certificate file to the device. There is a default file already preloaded on the device which will be overwritten by any uploaded file. The certificates must be in .pem format, maximum file size is 10 KB. These certificates are only needed if you want to use HTTPS for your services and the default file should be sufficient in most cases.
Profiles
Summary
Configuration profiles provide a way to create multiple distinct device configuration sets and apply them to the device based on current user requirements. This chapter is an overview of the Profiles page in {{{name}}} devices.
Configuration Profiles
This section displays user defined configuration profiles:
To create a new profile, configure the device in accordance with your needs, go to this page, enter a custom name for the profile and click the 'Add' button. You can also choose to create a profile without any previous configurations. A new profile with the given name will appear in the "configuration profiles" list:
The 'Apply' button applies the adjacent configuration on the device.
Scheduler
The Profile Scheduler provides a possibility to set up a schedule of when the device should use one profile configuration or another.
Check Profile Scheduler Instance Example to get a better understanding at how Profile Scheduler Instances works.
General Configuration
The General Configuration section is used to enable the Scheduler itself. Created instances won't work unless this option is turned on.
Profile Scheduler Instances
The Profile Scheduler Instances section allows you to create profile Instances to be enabled during specific time intervals. To add a new Instance click Add button.
Note: new Instance can only be created if there is at least one custom profile created.
Profile Scheduler Instance Configuration
This page is used to configure profile, time and day of selected scheduler instance. Refer to the figure and table below for information on the Profile Scheduler Instance Configuration fields:
Field | Value | Description |
---|---|---|
Enable | off | on; default: off | Enable selected instance for scheduler. |
Profile | profiles; default: none | Select profile which will be applied during specified time interval. |
Interval Type | Weekdays | Month Days; default: Weekdays | Depending on your needs select whether you want to configure weekdays or specific month days. |
Start Time | time; default: 12:00 | Enter time of the start of interval in which scheduler will switch profiles. |
End Time | time; default: 12:00 | Enter time of the end of interval in which scheduler will switch profiles back. |
Interval Type: Weekdays | ||
Start Day | Weekday [Monday..Sunday]; default: Sunday | Select a day of the start of interval in which scheduler will switch profiles. |
End Day | Weekday [Monday..Sunday]; default: Sunday | Select a day of the end of interval in which scheduler will switch profiles back. |
Interval Type: Month Days | ||
Start Day | Day of month [1..31]; default: 1 | Select a day of the start of interval in which scheduler will switch profiles. |
End Day | Day of month [1..31]; default: 1 | Select a day of the end of interval in which scheduler will switch profiles back. |
Force last day | off | on; default: off | Force intervals to accept last day of month as valid option if selected day doesn't exist in ongoing month. |
Profile Scheduler Instance Example
Scheduler will use profile instance if it is enabled and it's time interval matches device's [[{{{name}}}_Administration#General_2|date]], otherwise default profile will be used.
Example - we have 3 profiles in total:
- default
- Profile A
- Profile B
We create profile instances for Profiles A and B:
- Profile A: 08:00 - 11:00
- Profile B: 13:00 - 20:00
During 11:00 - 13:00 and 20:00 - 08:00 default profile will be used.
Storage Memory Expansion
SSHFS
SSHFS is a tool, which allows you to mount a remote filesystem (in remote SSH server) to your {{{name}}} device using SSH. This service is safe to use as it authenticates connections and encrypts them.
SSHFS configuration consists of setting up authentication, port and mount information parameters. Below is an example oh the SSHFS configuration page.
Field | Value | Description |
---|---|---|
Enable | off | on; default: off | Turns the SSHFS service on or off. |
Hostname | string; default: none | Hostname of the remote SSH server. |
Port | integer [0..65535]; default: none | Port of the remote SSH server. |
Username | string; default: none | Username of the remote SSH server. |
Password | string; default: none | Password of the remote SSH server. |
Mount Point | filepath; default: /sshmount | Mount point of remote file system in the {{{name}}}. Remote file system has to be mounted at root / level. By default the remote file system will be mounted on /sshmount, directory will be automatically created if does not exist yet. |
Mount Path | filepath; default: /home/ | Mount path in the remote SSH server. For example, if SSH server is hosted on Ubuntu operating system, the Mount Path could look like this (depending on your needs): /home/username/ |
[[Category:{{{name}}} System section]]