
Template:Networking rutos manual administration: Difference between revisions

No edit summary
No edit summary
 
(42 intermediate revisions by 4 users not shown)
Line 8: Line 8:
  }}
  }}
}}
}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} Administration (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_device_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
 
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} Administration (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_device_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
__TOC__
__TOC__
==Summary==
==Summary==
Line 19: Line 18:
The <b>General</b> section is used to set up some of device managerial parameters, such as changing device name. For more information on the General section, refer to figure and table below.
The <b>General</b> section is used to set up some of device managerial parameters, such as changing device name. For more information on the General section, refer to figure and table below.
{{#switch:{{{series}}}
{{#switch:{{{series}}}
  | TAP100|TAP200=[[File:Networking_rutos_manual_administration_general_tap100_v1.png|border|class=tlt-border]]
  | TAP100|TAP200=[[File:Networking_rutos_manual_administration_general_tap100_v3.png|border|class=tlt-border]]
| TCR1=[[File:Networking_rutos_manual_administration_general_tcr_v2.png|border|class=tlt-border]]
  | #default=[[File:Networking_rutos_manual_administration_general_rutx_v1.png|border|class=tlt-border]]
| TRB1|TRB2|TRB5=[[File:Networking_rutos_manual_administration_general_trb_v2.png|border|class=tlt-border]]
  | #default=[[File:Networking_rutos_manual_administration_general_rut_v2.png|border|class=tlt-border]]
}}
}}
<table class="nd-mantable">
<table class="nd-mantable">
Line 37: Line 34:
     <tr>
     <tr>
       <td>Language</td>
       <td>Language</td>
       <td>English {{!}} Turkish<span class="asterisk">*</span> {{!}} Spanish<span class="asterisk">*</span> {{!}} Portuguese<span class="asterisk">*</span> {{!}} German<span class="asterisk">*</span> {{!}} Japanese<span class="asterisk">*</span>; default: <b>English</b></td>
       <td>English {{!}} Turkish<span class="asterisk">*</span> {{!}} Spanish<span class="asterisk">*</span> {{!}} Portuguese<span class="asterisk">*</span> {{!}} German<span class="asterisk">*</span> {{!}} Japanese<span class="asterisk">*</span> {{!}} Ukrainian<span class="asterisk">*</span>; default: <b>English</b></td>
       <td>Changes the router's WebUI language.</td>
       <td>Changes the router's WebUI language.</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Configuration Mode</td>
       <td>Data Analytics</td>
       <td>Basic {{!}} Advanced; default: <b>Basic</b></td>
       <td>Off {{!}} On; default: <b>Off</b></td>
       <td>Mode determines what options and configurations are shown. In Basic mode only the essential configurations are shown. In Advanced mode there is greater freedom to configure and access more options.</td>
       <td>Enables the collection of data, which is used to improve the quality and user experience of our products. It includes sending information about the device and the usage of the Web interface. The data is collected in compliance with the [https://teltonika-networks.com/about-us/policies-certificates/privacy-policy Privacy policy].</td>
     </tr>}}
     </tr>}}
     <tr>
     <tr>
Line 57: Line 54:
     <tr>
     <tr>
       <td>Hostname</td>
       <td>Hostname</td>
       <td>string; default: <b>Teltonika-{{{name}}}.com</b></td>
       <td>string; default: <b>{{{name}}}</b></td>
       <td>Device hostname. This can be used for communication with other LAN hosts.</td>
       <td>Device hostname. This can be used for communication with other LAN hosts.</td>
    </tr>{{#switch:{{{series}}}|#default=|TAP100|TAP200=
    <tr>
      <td>Data Analytics</td>
      <td>Off {{!}} On; default: <b>Off</b></td>
      <td>Enables the collection of data, which is used to improve the quality and user experience of our products. It includes sending information about the device and the usage of the Web interface. The data is collected in compliance with the [https://teltonika-networks.com/about-us/policies-certificates/privacy-policy Privacy policy].</td>
    </tr>}}
    <tr>
      <th>Notification settings</th>
        <th></th>
        <th></th>   
    </tr>
    <tr>
  <td>Show notifications</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Notifications are brief, page specific messages or warnings that provide information about functionalities and statuses.</td>
    </tr>
    <tr>
  <td>Show alerts</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Alerts are high-importance system or page messages that usually require immediate attention and action. They may inform about updates, expiring functionalities, and similar events.</td>
    </tr>
    <tr>
      <th>Login banner message</th>
        <th></th>
        <th></th>   
    </tr>
    <tr>
  <td>Enable</td>
        <td>off {{!}} <span style="color:blue">on</span>; default: <b>on</b></td>
        <td>This login banner message appears during the login process. It helps to ensure that all users are aware of the rules and guidelines they must follow before accessing the system.</td>
    </tr>
    <tr>
  <td><span style="color:blue">Message title</span></td>
        <td>string; default: <b>Unauthorized access prohibited</b></td>
        <td>Login banner message title.</td>
    </tr>
    <tr>
  <td><span style="color:blue">Message text</span></td>
        <td>string; default: <b>This system is for authorized use only. All activities on this system are logged and monitored. By using this system, you consent to such monitoring. Unauthorized access or misuse may result in disciplinary action, civil and criminal penalties, or both.
If you are not authorized to use this system, disconnect immediately.</b></td>
        <td>Login banner message text</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <th>LED Indication</th>
       <th>LED indication</th>
         <th></th>
         <th></th>
         <th></th>     
         <th></th>     
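Review bot: The added Data Analytics row opens with `{{#switch:{{{series}}}|#default=|TAP100|TAP200=`, which puts `#default=` first, while the other switches in this template use the `|TAP100|TAP200=|#default=` order; keep one order so the conditional rows are easy to scan. In the login banner rows, "Login banner message text" is missing the closing period that "Login banner message title." has, and the two-line default text inside `<b>` would read more cleanly on one line or with an explicit `<br>`.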
Line 68: Line 107:
   <td>Enable</td>
   <td>Enable</td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>Manages signal strength{{#ifeq:{{{series}}}|RUTX||, LAN}} and connection status indication LEDs.</td>
         <td>Turns on/off LEDs indication.</td>
     </tr>
     </tr>
     <tr>
     <tr>
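Review bot: The new Enable description under LED indication, "Turns on/off LEDs indication.", no longer says which LEDs are affected and reads awkwardly, whereas the previous wording named the signal strength and connection status LEDs. Suggest "Turns LED indication on or off." and a short mention of which LEDs the switch covers.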
Line 101: Line 140:
provides information about the fields contained in that section:
provides information about the fields contained in that section:


[[File:Networking_rutos_ntp_general_gps_{{{gps}}}.png|border|class=tlt-border]]
[[File:Networking_rutos_ntp_general_gps_{{{gps}}}_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 127: Line 166:
     <tr>
     <tr>
     <td>GPS Synchronization</td>
     <td>GPS Synchronization</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td>
         <td>Enables periodic time synchronization for the system using the GPS module which does not require an Internet connection.</td>
         <td>Enables periodic time synchronization for the system using the GPS module which does not require an Internet connection.{{#ifeq:{{{name}}}|TRB256|GPS will be enabled. Device may lose WWAN connection due to GNSS|}}</td>
    </tr>
    <tr>
    <td>GPS time update interval</td>
        <td>period; default: <b>Every 24 hours</b></td>
        <td>How often the device will update the time using the GPS module.</td>
     </tr>|}}
     </tr>|}}
</table>
</table>
===NTP===
===NTP===
----
----
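Review bot: In the GPS Synchronization description, the TRB256 text inside `{{#ifeq:{{{name}}}|TRB256|...}}` is appended directly after "Internet connection." with no leading space and no closing period, so it renders as "connection.GPS will be enabled. Device may lose WWAN connection due to GNSS". Add a space before it, end the sentence with a period, and consider prefixing it with <b>Note:</b> as the rest of the template does, since it warns about losing WWAN connectivity.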
Line 139: Line 184:
This section is used to configure the device's time settings.
This section is used to configure the device's time settings.


[[File:Networking_rutos_ntp_ntp_time_synchronization_{{{mobile}}}.png|border|class=tlt-border]]
[[File:Networking_rutos_ntp_ntp_time_synchronization_{{{mobile}}}_v1.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 179: Line 224:
     <tr>
     <tr>
     <td>Operator Station Synchronization</td>
     <td>Operator Station Synchronization</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} <span style="color:blue">on</span>; default: <b>on</b></td>
         <td>Synchronizes time with mobile operator's base station.</td>
         <td>Synchronizes time with mobile operator's base station.</td>
     </tr>
     </tr>
Line 186: Line 231:
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>Sync time data with mobile operator.</td>
         <td>Sync time data with mobile operator.</td>
    </tr>
    <tr>
    <td><span style="color:blue">Count of failed NTP requests</span></td>
        <td>unsigned integer; default: <b>none</b></td>
        <td>How many times should NTP client fail before permanently switching to operator station synchronization (empty value - 5).</td>
     </tr>|}}
     </tr>|}}
</table>
</table>
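Review bot: The new "Count of failed NTP requests" row gives "default: <b>none</b>" in the Value cell while the Description says an empty value means 5, so the effective default is split across two cells. Put it in one place, for example "default: none (5 is used when empty)", and reword the description as a statement: "Number of failed NTP requests after which the device permanently switches to operator station synchronization."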
Line 192: Line 242:
This section is used to specify which time servers the device will use for time synchronization. To add more time servers to the list, click the 'Add' button.
This section is used to specify which time servers the device will use for time synchronization. To add more time servers to the list, click the 'Add' button.


{{#switch:{{{series}}}|TAP100|TAP200=[[File:Networking_rutos_ntp_ntp_time_servers_tap100_v2.png|border|class=tlt-border]]|#default=[[File:Networking_rutos_ntp_ntp_time_servers_v2.png|border|class=tlt-border]]}}
[[File:Networking_rutos_ntp_ntp_time_servers_v3.png|border|class=tlt-border]]
 
<table class="nd-mantable">
<table class="nd-mantable">
     <tr>
     <tr>
Line 201: Line 252:
     <tr>
     <tr>
       <td>Hostname</td>
       <td>Hostname</td>
       <td>ip {{!}} url; default: <b>0.openwrt.pool.ntp.org</b></td>
       <td>ip {{!}} url; default: <b>time[x].google.com</b></td>
       <td>NTP servers that this device uses to sync time.</td>
       <td>NTP servers that this device uses to sync time.</td>
     </tr>
     </tr>
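Review bot: The new Hostname default "time[x].google.com" uses a "[x]" placeholder that is not explained anywhere in the row, so a reader cannot tell which server names the device ships with. List the default entries or state which values x takes.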
Line 259: Line 310:
----
----
The <b>Access Control</b> page is used to manage {{#switch:{{{series}}}|TAP100|TAP200=|#default= remote and}} local access to device.
The <b>Access Control</b> page is used to manage {{#switch:{{{series}}}|TAP100|TAP200=|#default= remote and}} local access to device.
{{#switch:{{{series}}}
|TAP100|TAP200 = [[File:Networking rutos manual administration access control general tap v2.png|border|class=tlt-border]]
|#default = [[File:Networking rutos manual administration access control general v3.png|border|class=tlt-border]]}}


{{#switch:{{{series}}}|TAP100|TAP200=|#default=<b>Important</b>: turning on remote access leaves your device vulnerable to external attackers. Make sure you use a strong password.
{{#switch:{{{series}}}|TAP100|TAP200=|#default=<b>Important</b>: turning on remote access leaves your device vulnerable to external attackers. Make sure you use a strong password.
Line 264: Line 319:
<b>SSH</b>
<b>SSH</b>
----{{#switch:{{{series}}}
----{{#switch:{{{series}}}
|TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_ssh_tap100_v1.png|border|class=tlt-border]]
|TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_ssh_tap100_v3.png|border|class=tlt-border]]
|#default = [[File:Networking_rutos_manual_administration_access_control_general_ssh_v1.png|border|class=tlt-border]]}}
|#default = [[File:Networking_rutos_manual_administration_access_control_general_ssh_v3.png|border|class=tlt-border]]}}


<table class="nd-mantable">
<table class="nd-mantable">
Line 280: Line 335:
     <tr>
     <tr>
         <td>Remote SSH access</td>
         <td>Remote SSH access</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td>
         <td>Turns SSH access from remote networks (WAN) on or off.</td>
         <td>Turns SSH access from remote networks (WAN) on or off.</td>
     </tr>}}
     </tr>}}
     <tr>
     <tr>
         <td>Port</td>
         <td>Port (LAN)</td>
         <td>integer [0..65535]; default: <b>22</b></td>
         <td>integer [0..65535]; default: <b>22</b></td>
         <td>Selects which port to use for SSH access.</td>
         <td>Selects which port to use for SSH access from local network.</td>
    </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td><span style="color:blue">Port (WAN)</span></td>
        <td>integer [0..65535]; default: <b>22</b></td>
        <td>Selects which port to use for SSH access from remote networks.</td>
    </tr>}}
    <tr>
        <td>Authentication type</td>
        <td>Password {{!}} <span style="color:blue">Key-based only</span> {{!}} <span style="color:blue">Use both</span>; default: <b>Password</b></td>
        <td>
            <li><b>Password</b> - SSH access with password for root user</li>
            <li><b>Key-based only</b> - enables key-based authentication only and disables password authentication for root user</li>
            <li><b>Use Both</b> - use both password and public keys for authentication</li>
        </td>
     </tr>
     </tr>
     <tr>
     <tr>
         <td>Enable key-based authentication</td>
         <td><span style="color:blue">Public keys</span></td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>-(input field)</td>
         <td>Use public keys for authentication.</td>
         <td>Public keys for ssh key-based authentication. Each individual key must be specified on a new line.</td>
     </tr>
     </tr>
</table>
</table>
<br>
<br>
<b>WebUI</b>
<b>HTTP</b>
----{{#switch:{{{series}}}
----{{#switch:{{{series}}}
|TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_webui_tap100_v1.png|border|class=tlt-border]]
|TAP100|TAP200 = [[File:Networking rutos manual administration access control general http tap v2.png|border|class=tlt-border]]
|#default = [[File:Networking_rutos_manual_administration_access_control_general_webui_v1.png|border|class=tlt-border]]}}
|#default = [[File:Networking rutos manual administration access control general http v2.png|border|class=tlt-border]]}}


<table class="nd-mantable">
<table class="nd-mantable">
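Review bot: In the new Authentication type row, "Use Both - use both password and public keys for authentication" does not say whether a login must satisfy both methods or whether either one is accepted, which is the detail an administrator hardening SSH needs; state it explicitly. In the same cell the three `<li>` items have no enclosing `<ul>`, "Use Both" does not match the "Use both" spelling in the Value cell, and the Public keys description should write "SSH" rather than "ssh".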
Line 310: Line 379:
         <td>off {{!}} on; default: <b>on</b></td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>Turns HTTP access from the local network (LAN) to the device WebUI on or off.</td>
         <td>Turns HTTP access from the local network (LAN) to the device WebUI on or off.</td>
    </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td>Enable remote HTTP access</td>
        <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td>
        <td>Turns HTTP access from remote networks (WAN) to the device WebUI on or off.</td>
    </tr>}}
    <tr>
        <td>HTTP Port (LAN)</td>
        <td>integer [0..65535]; default: <b>80</b></td>
        <td>Selects which port to use for HTTP access from local network.</td>
    </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td><span style="color:blue">HTTP Port (WAN)</span></td>
        <td>integer [0..65535]; default: <b>80</b></td>
        <td>Selects which port to use for HTTP access from remote networks.</td>
    </tr>}}{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td>Ignore private IPs on public interface</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Prevent access from private (RFC1918) IPs on an interface if it has an public IP address.</td>
    </tr>}}{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td>Enable JSON-RPC</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>Turns JSON-RPC access on or off. <b>Note:</b> JSON-RPC is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</td>
    </tr>}}
</table>
<br>
<b>HTTPS</b>
----{{#switch:{{{series}}}
|TAP100|TAP200 = [[File:Networking rutos manual administration access control general https tap v2.png|border|class=tlt-border]]
|#default = [[File:Networking rutos manual administration access control general https v3.png|border|class=tlt-border]]}}
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
     </tr>
     </tr>
     <tr>
     <tr>
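Review bot: In the added HTTP table, the "Ignore private IPs on public interface" description reads "an public IP address" and should be "a public IP address". The "Enable remote HTTP access" row would also benefit from a pointer to the Redirect to HTTPS option in the HTTPS table, because it opens the WebUI to WAN over unencrypted HTTP.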
Line 318: Line 426:
     <tr>
     <tr>
         <td>Redirect to HTTPS</td>
         <td>Redirect to HTTPS</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} on; default: <b>{{#switch:{{{series}}}|TAP100|TAP200=off|#default=on}}</b></td>
         <td>Redirects connection attempts from HTTP to HTTPS.</td>
         <td>Redirects connection attempts from HTTP to HTTPS.</td>
    </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td>Enable remote HTTP access</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>Turns HTTP access from remote networks (WAN) to the device WebUI on or off.</td>
    </tr>}}
    <tr>
        <td>Port</td>
        <td>integer [0..65535]; default: <b>80</b></td>
        <td>Selects which port to use for HTTP access.</td>
     </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
     </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
     <tr>
     <tr>
         <td>Enable remote HTTPS access</td>
         <td>Enable remote HTTPS access</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td>
         <td>Turns HTTPS access from remote networks (WAN) to the device WebUI on or off.</td>
         <td>Turns HTTPS access from remote networks (WAN) to the device WebUI on or off.</td>
     </tr>}}
     </tr>}}
     <tr>
     <tr>
         <td>Port</td>
         <td>HTTPS Port (LAN)</td>
         <td>integer [0..65535]; default: <b>443</b></td>
         <td>integer [0..65535]; default: <b>443</b></td>
         <td>Selects which port to use for HTTPS access.</td>
         <td>Selects which port to use for HTTPS access from local network.</td>
     </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
     </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td><span style="color:blue">HTTPS Port (WAN)</span></td>
        <td>integer [0..65535]; default: <b>443</b></td>
        <td>Selects which port to use for HTTPS access from remote networks.</td>
    </tr>}}{{#switch:{{{series}}}|TAP100|TAP200=|#default=
     <tr>
     <tr>
         <td>Ignore private IPs on public interface</td>
         <td>Ignore private IPs on public interface</td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>Prevent access from private (RFC1918) IPs on an interface if it has an public IP address.</td>
         <td>Prevent access from private (RFC1918) IPs on an interface if it has an public IP address.</td>
    </tr>}}{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td>Enable JSON-RPC</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>Turns JSON-RPC access on or off. <b>Note:</b> JSON-RPC is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</td>
     </tr>}}{{#switch:{{{series}}}|TAP100|TAP200=|#default=
     </tr>}}{{#switch:{{{series}}}|TAP100|TAP200=|#default=
     <tr>
     <tr>
Line 361: Line 469:
         <td>Server key file.</td>
         <td>Server key file.</td>
     </tr>}}
     </tr>}}
    <tr>
        <td>Certificate file</td>
        <td>.crt; default: <b>uhttpd.crt</b></td>
        <td>Download certificate file from device. Used for browsers to reach HTTPS connection.</td>
    </tr>
</table>
</table>
<br>
<br>
<b>CLI</b>
<b>CLI</b>
----{{#switch:{{{series}}}
----{{#switch:{{{series}}}
|TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_cli_tap100.png|border|class=tlt-border]]
|TAP100|TAP200 = [[File:Networking_rutos_manual_administration_access_control_general_cli_tap100_v2.png|border|class=tlt-border]]
|#default = [[File:Networking_rutos_manual_administration_access_control_general_cli.png|border|class=tlt-border]]}}
|#default = [[File:Networking_rutos_manual_administration_access_control_general_cli_v2.png|border|class=tlt-border]]}}


<table class="nd-mantable">
<table class="nd-mantable">
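Review bot: The description in the new Certificate file row, "Used for browsers to reach HTTPS connection.", does not tell the reader what to do with the downloaded file. If the intent is that uhttpd.crt is imported into the browser or OS trust store so the WebUI certificate is accepted, say that, and make clear that this download contains the certificate only and not the server key from the row above.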
Line 381: Line 495:
     <tr>
     <tr>
         <td>Enable remote CLI</td>
         <td>Enable remote CLI</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td>
         <td>Turns CLI access from remote networks (WAN) on or off.</td>
         <td>Turns CLI access from remote networks (WAN) on or off.</td>
     </tr>}}
     </tr>}}
     <tr>
     <tr>
         <td>Port range</td>
         <td>Port range (LAN)</td>
         <td>range of integers [0..65534]-[1..65535]; default: <b>4200-4220</b></td>
         <td>range of integers [0..65534]-[1..65535]; default: <b>4200-4220</b></td>
         <td>Selects which ports to use for CLI access.</td>
         <td>Selects which ports to use for CLI access from local network.</td>
     </tr>
     </tr>{{#switch:{{{series}}}|TAP100|TAP200=|#default=
    <tr>
        <td><span style="color:blue">Port range (WAN)</span></td>
        <td>range of integers [0..65534]-[1..65535]; default: <b>4200-4220</b></td>
        <td>Selects which ports to use for CLI access from remote networks.</td>
    </tr>}}
     <tr>
     <tr>
         <td>Shell limit</td>
         <td>Shell limit</td>
Line 398: Line 517:
<b>Telnet</b>
<b>Telnet</b>
----
----
[[File:Networking_rutos_manual_administration_access_control_general_telnet.png|border|class=tlt-border]]
<b>Note:</b> Telnet is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.
 
[[File:Networking_rutos_manual_administration_access_control_general_telnet v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 413: Line 534:
     <tr>
     <tr>
         <td>Enable remote Telnet access</td>
         <td>Enable remote Telnet access</td>
         <td>off {{!}} on; default: <b>off</b></td>
         <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td>
         <td>Turns Telnet access from remote networks (WAN) on or off.</td>
         <td>Turns Telnet access from remote networks (WAN) on or off.</td>
     </tr>
     </tr>
     <tr>
     <tr>
         <td>Port range</td>
         <td>Port (LAN)</td>
         <td>integer [0..65535]; default: <b>23</b></td>
         <td>integer [0..65535]; default: <b>23</b></td>
         <td>Selects which port to use for Telnet access.</td>
         <td>Port to listen for Telnet access from local network.</td>
    </tr>
    <tr>
        <td><span style="color:blue">Port (WAN)</span></td>
        <td>integer [0..65535]; default: <b>23</b></td>
        <td>Port to listen for Telnet access from remote networks.</td>
     </tr>
     </tr>
</table>
</table>
Line 427: Line 553:
<b>Note:</b> PAM is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.
<b>Note:</b> PAM is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.


[[File:Networking_rutos_manual_administration_access_control_pam_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administration_access_control_pam_v4.png|border|class=tlt-border]]


====Modify PAM Auth====
====Modify PAM Auth====
----
----
[[File:Networking_rutos_manual_administration_access_control_pam_modify_pam_auth_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administration_access_control_pam_modify_pam_auth_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 453: Line 579:
         <td>Required {{!}} Requisite {{!}} Sufficient {{!}} Optional; default: <b>Optional </b></td>
         <td>Required {{!}} Requisite {{!}} Sufficient {{!}} Optional; default: <b>Optional </b></td>
         <td>Determines the continuation or failure behavior for the module</td>
         <td>Determines the continuation or failure behavior for the module</td>
    </tr>
        <tr>
        <td><span style="color:teal">WebUI PAM auth option</span>: Enable for all users</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>Turn on PAM authentication for all users. It will allow login with users that are not created on the device.</td>
    </tr>
    <tr>
        <td><span style="color:teal">WebUI PAM auth option</span>: Select users</td>
        <td>-(list)</td>
        <td>Select users for PAM authentication.</td>
    </tr>
    <tr>
        <td><span style="color:red">Radius</span>: Enable for all users</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>Turn on PAM authentication for all users. It will allow login with users that are not created on the device.</td>
    </tr>
    <tr>
        <td><span style="color:red">Radius</span>: Require Message-Authenticator</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Require and validate Message-Authenticator RADIUS attribute on Access-Request replies.</td>
     </tr>
     </tr>
     <tr>
     <tr>
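Review bot: Both added "Enable for all users" rows (WebUI PAM auth option and Radius) say the option "will allow login with users that are not created on the device" but not which access level or group those users receive, which is the first thing an administrator needs to know before switching it on. Document the resulting privileges, and in the "Require Message-Authenticator" row say what happens to replies that lack the attribute when the option is on and what is accepted when it is off. The `<tr>` that opens the first added row is also indented deeper than its neighbours.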
Line 479: Line 625:
----  
----  
The <b>Security</b> tab provides the possibility to enable/disable blocking IP's service and delete blocked devices from the list.
The <b>Security</b> tab provides the possibility to enable/disable blocking IP's service and delete blocked devices from the list.
<b>IP Block Settings</b>
----
[[File:Networking_rutos_manual_administration_access_control_security_v4.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
        <td>Enable</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Enable or disable blocking IP's if they have reached the set amount of failed times.</td>
    </tr>
    <tr>
        <td>Type</td>
        <td>Timed blocking {{!}} Permanent blocking; default: <b>Timed blocking</b></td>
        <td>You can choose an option of a blocking type.</td>
    </tr>
    <tr>
        <td>Fail count</td>
        <td>integer [1..1000]; default: <b>10</b></td>
        <td>An amount of times IP address can try to access SSH or WebUI before being blocked.</td>
    </tr>
    <tr>
        <td>Clean after reboot</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>If enabled, blocked loging attempts list will be cleared on device reboot.</td>
    </tr>
</table>


<b>Login Attempts</b>
<b>Login Attempts</b>
----
----
[[File:Networking_rutos_manual_administration_access_control_security_login_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administration_access_control_security_login_v3.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
     <tr>
     <tr>
Line 559: Line 674:
         <td>-(interactive button)</td>
         <td>-(interactive button)</td>
         <td>Unblocks selected source adresses from the list.</td>
         <td>Unblocks selected source adresses from the list.</td>
    </tr>
</table>
<b>IP Block Settings</b>
----
<b>IP Block Settings</b> can be found by pressing 'Settings' button under security tab:
[[File:Networking rutos manual administration access control security settings ipblock button.png|border|class=tlt-border]]
[[File:Networking rutos manual administration access control security settings ipblock.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
        <td>Enable</td>
        <td>off {{!}} on; default: <b>on</b></td>
        <td>Enable or disable blocking IP's if they have reached the set amount of failed times.</td>
    </tr>
    <tr>
        <td>Type</td>
        <td>Timed blocking {{!}} Permanent blocking; default: <b>Timed blocking</b></td>
        <td>You can choose an option of a blocking type.</td>
    </tr>
    <tr>
        <td>Fail count</td>
        <td>integer [1..1000]; default: <b>10</b></td>
        <td>An amount of times IP address can try to access SSH or WebUI before being blocked.</td>
    </tr>
    <tr>
        <td>Clean after reboot</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>If enabled, blocked loging attempts list will be cleared on device reboot.</td>
     </tr>
     </tr>
</table>
</table>
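Review bot: The relocated IP Block Settings table offers "Timed blocking" in the Type row but no row states how long a timed block lasts, and "You can choose an option of a blocking type." adds nothing beyond the field name. Describe both types and the block duration, and confirm that "SSH or WebUI" in the Fail count row is the complete list of covered services given that this page also documents CLI and Telnet access. Since the rows are being moved anyway, fix "loging" to "login" and "IP's" to "IPs".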
Line 564: Line 714:
{{#switch:{{{series}}}|TAP100|TAP200= ===Device Pairing===
{{#switch:{{{series}}}|TAP100|TAP200= ===Device Pairing===
----
----
[[File:Networking_rutos_manual_administration_access_control_pairing_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administration_access_control_pairing_v3.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
     <tr>
     <tr>
Line 670: Line 820:
       <td><span style="color: blue;">Password</span></td>
       <td><span style="color: blue;">Password</span></td>
       <td>string; default: <b>none</b></td>
       <td>string; default: <b>none</b></td>
       <td>Password for authentication on SMTP (Simple Mail Transfer Protocol) server. All characters are allowed except `' and space.</td>
       <td>Password for authentication on SMTP (Simple Mail Transfer Protocol) server. All characters are allowed except `' and space. Maximum length of value is 128.</td>
     </tr>
     </tr>
     <tr>
     <tr>
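Review bot: In the SMTP Password description, "All characters are allowed except `' and space" leaves the excluded characters hard to read because the backtick and apostrophe run together, and the added "Maximum length of value is 128." has no unit. Suggest naming them, for example "except backtick (`), apostrophe (') and space", and "Maximum length: 128 characters."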
Line 701: Line 851:
===Certificate Generation===
===Certificate Generation===
----
----
The <b>Certificate Generation</b> tab provides the possibility to generate TLS certificates required for secure authentication and communication encryption used by some of the devices services.
The <b>Create</b> function provides the possibility to generate TLS certificates required for secure authentication and communication encryption used by some of the devices services.
 
[[File:Networking_rutos_manual_administartion_certificates_create.png|border|class=tlt-border]]


There are five distinct generation methods (denoted by the selected 'File Type').  
There are seven distinct generation methods (denoted by the selected 'File Type').  


<ol>
<ol>
Line 718: Line 870:
     <li><b>Client</b> - generates a client certificate and key. A client certificate validates a client's identity to the server that it's connecting to, while a key is responsible for encryption.</li>
     <li><b>Client</b> - generates a client certificate and key. A client certificate validates a client's identity to the server that it's connecting to, while a key is responsible for encryption.</li>
     <li><b>DH Parameters</b> - generates a Diffie-Hellman (DH) parameters file. DH parameters are used in symmetric encryption to protect and define how OpenSSL key exchange is performed.</li>
     <li><b>DH Parameters</b> - generates a Diffie-Hellman (DH) parameters file. DH parameters are used in symmetric encryption to protect and define how OpenSSL key exchange is performed.</li>
     <li><b>Let's encrypt</b> - generates SSL certificate.</li>
     <li><b>Let's encrypt</b> - generates SSL certificate. {{#switch: {{{series}}}|RUT2M|RUT9M|TRB2|TRB2M|RUT30X|RUT301|RUT36X|RUT361|TCR1|OTD140|RUT14X|RUT206|DAP14X=<u><b>Note:</b> Let's encrypt is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>|#default=}}</li>
    <li><b>SCEP</b> - generates SCEP (Simple Certificate Enrollment Protocol) certificate. {{#switch: {{{series}}}|RUT2M|RUT9M|TRB2|TRB2M|RUT30X|RUT301|RUT36X|RUT361|TCR1|TRB1|TRB16|TRB500|OTD140|RUT14X|RUT206|DAP14X=<u><b>Note:</b> SCEP is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>|#default=}}</li>
</ol>
</ol>


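Review bot: the series lists in the two new #switch calls differ: the SCEP item includes TRB1, TRB16 and TRB500, and the Let's encrypt item does not. If that is intended, leave a wikitext comment saying so; otherwise align the two lists. The descriptions "generates SSL certificate" and "generates SCEP ... certificate" would be more useful if they said the certificate is requested from an external service rather than created locally like the CA, Server and Client types. The new SCEP list item is also indented by four spaces where its siblings use five.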
Line 727: Line 880:
<b>Simple file parameters</b>
<b>Simple file parameters</b>


[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_simple_parameters.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_simple_parameters_v1.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 749: Line 902:
<b>TLS parameters</b> or simply parameters that apply to each (CA, Server, Client, DH) file type are the size and common name of the generated file(s).
<b>TLS parameters</b> or simply parameters that apply to each (CA, Server, Client, DH) file type are the size and common name of the generated file(s).


[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_core_parameters_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_core_parameters_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 771: Line 924:
<b>Subject information</b> is not mandatory but can be used as user-friendly way to identify the ownership of certificate files by including such information as the owner's location and company name.
<b>Subject information</b> is not mandatory but can be used as user-friendly way to identify the ownership of certificate files by including such information as the owner's location and company name.


[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_subject_information_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_subject_information_v2.png|border|class=tlt-border]]
----
----
The <b>Sign the certificate</b> slider control whether the certificate will be signed automatically or manually after the generation is complete.
The <b>Sign the certificate</b> slider control whether the certificate will be signed automatically or manually after the generation is complete.


[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_sign_the_certificate_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_sign_the_certificate_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 807: Line 960:
A <b>Private Key Decryption Password</b> is a parameter used to decrypt private keys protected by a password.
A <b>Private Key Decryption Password</b> is a parameter used to decrypt private keys protected by a password.


[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_private_key_decryption_password_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_private_key_decryption_password_v2.png|border|class=tlt-border]]
----
<b>Let's encrypt</b> - This section provides an overview of the parameters used to generate SSL certificates.
----
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_lets_encrypt.png|border|class=tlt-border]]
 
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>Domain</td>
      <td>domain name; default: <b>none</b></td>
      <td>Hostname that is linked to the device's public IP address.</td>
    </tr>
    <tr>
      <td>Automatically renew</td>
      <td>off {{!}} on; default: <b>off</b></td>
      <td>Certificates will be automatically renewed every 60 days.</td>
    </tr>
</table>
----
<b>SCEP</b> - This section provides an overview of the parameters used to create certificates for the Simple Certificate Enrollment Protocol.
----
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_scep.png|border|class=tlt-border]]
 
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>Key Size</td>
      <td>512 {{!}} 1024 {{!}} 2048 {{!}} 4096 {{!}} ; default: <b>none</b></td>
      <td>Certificate key size.</td>
    </tr>
    <tr>
      <td>Common name</td>
      <td>string; default: <b>none</b></td>
      <td>Common name of the certificate.</td>
    </tr>
    <tr>
      <td>SCEP server URL</td>
      <td>url; default: <b>none</b></td>
      <td>URL of the SCEP server.</td>
    </tr>
    <tr>
      <td>Challenge</td>
      <td>string; default: <b>none</b></td>
      <td>It's recommended to use a high-entropy shared-secret authentication string, such as a base64-encoded key from EAP or DNP3-SA protocols, for the initial SCEP certificate generation.</td>
    </tr>
</table>


====Certificate Signing====
===Certificate Signing===
----
----
The <b>Certificate Signing</b> section is used to validate (sign) unsigned certificates.
The <b>Certificate Signing</b> function is used to validate (sign) unsigned certificates.
 
[[File:Networking_rutos_manual_administartion_certificates_sign.png|border|class=tlt-border]]


[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_certificate_signing_v3.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_certificate_signing_v4.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
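Review bot: the SCEP Key Size value cell reads "512 {{!}} 1024 {{!}} 2048 {{!}} 4096 {{!}} ;", with a stray separator before the semicolon, and it lists 512 and 1024 without comment. If these are RSA key sizes, those two are too short to rely on for authentication; suggest a note recommending 2048 or larger. The Challenge description gives advice on choosing the value but never says what the field is; start with a sentence stating that it is the shared secret sent to the SCEP server with the enrollment request, if that is the case. This hunk also leaves Certificate Signing with two images (..._certificates_sign.png and ..._certificate_signing_v4.png); confirm both are wanted.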
Line 828: Line 1,037:
     <tr>
     <tr>
       <td>Type of Certificate to Sign</td>
       <td>Type of Certificate to Sign</td>
       <td>Certificate Authority {{!}} Client Certificate {{!}} Server Certificate; default: <b>Certificate Authority</b></td>
       <td>Authority {{!}} Server {{!}} Client; default: <b>Authority</b></td>
       <td>Specifies what type of file will be signed.</td>
       <td>Specifies what type of file will be signed.</td>
     </tr>
     </tr>
Line 839: Line 1,048:
       <td>Days Valid</td>
       <td>Days Valid</td>
       <td>integer; default: <b>none</b></td>
       <td>integer; default: <b>none</b></td>
       <td>Length of the signature's validity.</td>
       <td>Days until certificate expires.</td>
    </tr>
    <tr>
      <td>Certificate Authority File</td>
      <td>filename; default: <b>none</b></td>
      <td>Selects which CA file will be used to sign the generated certificate.</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Certificate Authority Key</td>
       <td>Certificate authority Key</td>
       <td>filename; default: <b>none</b></td>
       <td>filename; default: <b>none</b></td>
       <td>Selects which CA key file will be used to sign the generated certificate.</td>
       <td>Selects which CA key file will be used to sign the generated certificate.</td>
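Review bot: label casing is inconsistent between the added "Certificate Authority File" row and the renamed "Certificate authority Key" row. Use whatever the WebUI shows, but it is unlikely to show both spellings. The new Days Valid description, "Days until certificate expires.", should also say what happens when the field is left at its default of none.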
Line 873: Line 1,077:
</table>
</table>


===Certificate Manager===
===Certificate Import===
----
----
The <b>Certificate Manager</b> page displays information on all certificate and key files stored on the device and provides the possibility export these files for use on another machine or import files generated elsewhere.
The <b>Certificate Import</b> function provides the possibility to import certificates and files generated on another machine. To upload such a file simply click 'Browse' and locate the file on your computer, it should then start uploading automatically.


====Certificate Import====
[[File:Networking_rutos_manual_administartion_certificates_import.png|border|class=tlt-border]]
----
The <b>Certificate Import</b> section provides the possibility to import certificates and files generated on another machine. To upload such a file simply click 'Browse' and locate the file on your computer, it should then start uploading automatically.


[[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_import_v3.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_import_v3.png|border|class=tlt-border]]


====Certificates, Keys & Requests====
===Configure Root CA===
----
----
The <b>Certificates</b>, <b>Keys</b> and <b>Requests</b> section display files generated on or imported to the device along with the most important information related to them.  
The <b>Root CA</b> function is used to add a root CA certificate file to the device. There is a default file already preloaded on the device which will be overwritten by any uploaded file. The certificates must be in .pem format, maximum file size is 10 KB. These certificates are only needed if you want to use HTTPS for your services and the default file should be sufficient in most cases.


By default, the lists are empty. A set certificates generated using 'Simple' file type would look something like this:
[[File:Networking_rutos_manual_administartion_certificates_root.png|border|class=tlt-border]]


[[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_list_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_administration_access_control_root_ca_v2.png|border|class=tlt-border]]


The 'Export' buttons are used to download the files from the device onto your local machine. The 'X' buttons located to the right of each entry are used to delete related files.
===Move key to TPM2===
----
The <b>Move key to TPM2</b> function is used to move key files to TPM chip. <b>Note:</b> this function is only supported in devices with TPM module.


===Root CA===
[[File:Networking_rutos_manual_administartion_certificates_tpm2.png|border|class=tlt-border]]
----
The <b>Root CA</b> section is used to add a root CA certificate file to the device. There is a default file already preloaded on the device which will be overwritten by any uploaded file. The certificates must be in .pem format, maximum file size is 300 KB. These certificates are only needed if you want to use HTTPS for your services and the default file should be sufficient in most cases.


[[File:Networking_rutos_manual_administration_access_control_root_ca_v1.png|border|class=tlt-border]]}}
[[File:Networking_rutos_manual_administration_certificates_manager_tpm2.png|border|class=tlt-border]]}}


==Profiles==
==Profiles==
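Review bot: the Root CA maximum file size changes from 300 KB to 10 KB with the rest of the paragraph unchanged; please confirm 10 KB is the real limit, because the same paragraph says an upload overwrites the preloaded default file and the reader needs to know how large a replacement can be. The Certificate Manager text covering the certificate, key and request lists and the 'Export' and 'X' (delete) buttons is removed in this hunk with no replacement; if that function still exists it should stay documented. For Move key to TPM2, "to TPM chip" needs an article, and the text should say whether the key file remains in the device's storage after the move.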
Line 968: Line 1,170:
<b>SSHFS</b> configuration consists of setting up authentication, port and mount information parameters. Below is an example oh the SSHFS configuration page.
<b>SSHFS</b> configuration consists of setting up authentication, port and mount information parameters. Below is an example oh the SSHFS configuration page.


[[File:Networking_rutos_manual_sshfs_v3.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_sshfs_v6.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 975: Line 1,177:
       <th>Value</th>
       <th>Value</th>
       <th>Description</th>
       <th>Description</th>
    </tr>
    <tr>
      <td>Status</td>
      <td>State</td>
      <td>Indicates whether the SSHFS service is active.</td>
     </tr>
     </tr>
     <tr>
     <tr>
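Review bot: the new Status row gives "State" as its value, which does not follow the "type or options; default" pattern of the other rows in this table. If it is a read-only indicator, say so and list the states it can show.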
Line 983: Line 1,190:
     <tr>
     <tr>
       <td>Hostname</td>
       <td>Hostname</td>
       <td>string; default: <b>none</b></td>
       <td>domain or IP adress (IPv4, IPv6); default: <b>none</b></td>
       <td>Hostname of the remote SSH server.</td>
       <td>Connection address.</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Port</td>
       <td>Port</td>
       <td>integer [0..65535]; default: <b>none</b></td>
       <td>integer [0..65535]; default: <b>none</b></td>
       <td>Port of the remote SSH server.</td>
       <td>Port for the connection. If left empty a default of 22 will be used.</td>
     </tr>
     </tr>
     <tr>
     <tr>
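Review bot: "IP adress" in the new Hostname value cell should be "IP address". The new descriptions "Connection address." and "Port for the connection." drop the fact that both refer to the remote SSH server, which the old text stated; suggest "Address of the remote SSH server." and "Port of the remote SSH server. If left empty, 22 is used." The Port value cell also still says "default: none" while the description now names 22 as the default, and its range starts at 0.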
Line 1,004: Line 1,211:
       <td>Mount Point</td>
       <td>Mount Point</td>
       <td>filepath; default: <b>/sshmount</b></td>
       <td>filepath; default: <b>/sshmount</b></td>
       <td>Mount point of remote file system <b>in the {{{name}}}</b>. Remote file system has to be mounted at root <b>/</b> level.
       <td>A folder in the <b>{{{name}}}</b> device. Mount points will reside in system's provided folder. Remote file system has to be mounted in <b>/tmp/sshfs/</b> path and <b>/sshmount</b> directory will be automatically created if does not exist yet.</td>
          By default the remote file system will be mounted on <b>/sshmount</b>, directory will be automatically created if does not exist yet.</td>
     </tr>
     </tr>
     <tr>
     <tr>
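Review bot: the new Mount Point description contradicts itself: it says the remote file system "has to be mounted in /tmp/sshfs/ path" and, in the same sentence, that "/sshmount directory will be automatically created", while the value cell still gives the default as /sshmount. State the resulting path explicitly and say whether mount points outside /tmp/sshfs/ are rejected. "if does not exist yet" is also missing "it".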