Specifications
WebConsole - Security Options
28
NetLinx Integrated Controllers - WebConsole & Programming Guide (FMv3)
Access Options
Check the Enabled option on the left side of this page to make the Access options available for selection. 
The Access options are described in the following table: 
(System Security) Access Options
Option Description
Enabled: This option enables the Access options described below. 
Note: If the Master Security checkbox is not enabled, all subordinate options are greyed-out and not selectable, meaning that the Master is completely unsecured and can be altered by any user (regardless of their rights).
Terminal (RS232) Access: If selected, a valid username and password is required for Terminal communication via the Master’s RS232 Program port.
HTTP Access: If selected, a valid username and password is required for communication over HTTP or 
HTTPS Ports, including accessing the WebConsole.
Telnet/SSH/SFTP Access: If selected, a valid username and password is required for Telnet Access. Telnet access allows communication over the Telnet and/or SSH Ports, and Secure FTP access.
Note: Only SSH version 2 is supported.
To establish a secure Telnet connection, an administrator can decide to disable the Telnet Port and then enable the SSH Port.
Refer to Port Settings on page 49 for details.
Configuration: If selected, a valid username and password is required before allowing a group/user to 
alter the current Master’s security and communication settings via NetLinx Studio. 
This includes such things as: IP configuration/Reset, URL list settings, Master 
communication settings, and security parameters.
ICSP Connectivity: If selected, a valid username and password is required to communicate with the NetLinx 
Master via an ICSP connection (TCP/IP, UDP/IP, and RS-232). 
• This feature allows communication amongst various AMX hardware and software 
components. This feature works in tandem with the Require Encryption option (see 
below) to require that any application or hardware communicating with the Master 
must provide a valid username and password.
• In a Master-to-Master system, the Master which accepts the IP connection initiates the 
authentication process. This configuration provides compatibility with existing 
implementations and provides more flexibility for the implementation of other devices. 
Note: The ICSP Connectivity option is required to allow authenticated and/or secure communication between the Master and other AMX hardware/software. To establish an authenticated ICSP connection (where the external AMX hardware/software has to provide a valid username and password), this option must be enabled.
Encrypt ICSP Connection: If selected, this option requires that any data being transmitted or received via an ICSP connection (among the various AMX products) be encrypted, and that any application or hardware communicating with the Master over ICSP must provide a valid username and password.
Note: When enabled, this option requires more processor cycles to maintain.
ICSP uses a proprietary encryption based on RC4 and also requires CHAP-type authentication including username and password.
CHAP (Challenge Handshake Authentication Protocol) authentication is an access control protocol, used for dialing into a network, that provides a moderate degree of security.
• When the client logs onto the network, the network access server (NAS) sends the 
client a random value (the challenge). 
• The client encrypts the random value with its password, which acts as an encryption 
key. It then sends the encrypted value to the NAS, which forwards it along with the 
challenge and username to the authentication server. 
• The CHAP server encrypts the challenge with the password stored in its database for 
the user and matches its results with the response from the client. If they match, it 
indicates the client has the correct password, but the password itself never left the 
client's machine.
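The three CHAP steps above, as an added example (not AMX code and not the ICSP implementation, whose RC4-based scheme is proprietary and not specified in this guide). It follows standard CHAP as defined in RFC 1994, where the "encryption" of the challenge is an MD5 hash over an identifier, the shared secret and the challenge. The ChapServer class, the username and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Hypothetical authenticator holding each user's shared secret."""

    def __init__(self, users: dict):
        self.users = users      # username -> shared secret (constructed data)
        self.pending = {}       # username -> (identifier, challenge)
        self.next_id = 0

    def issue_challenge(self, username: str):
        # Step 1: send the client a fresh random value (the challenge).
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[username] = (ident, challenge)
        return ident, challenge

    def verify(self, username: str, response: bytes) -> bool:
        # Step 3: recompute from the stored secret and compare.
        # pop() makes every challenge single-use, so an old response is useless.
        entry = self.pending.pop(username, None)
        secret = self.users.get(username)
        if entry is None or secret is None:
            return False
        expected = chap_response(entry[0], secret, entry[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = ChapServer({"operator1": b"constructed-secret"})
    # Step 2: the client answers using its password; the password is never sent.
    ident, challenge = server.issue_challenge("operator1")
    good = chap_response(ident, b"constructed-secret", challenge)
    accepted = server.verify("operator1", good)
    # The same response presented against a new challenge must fail.
    server.issue_challenge("operator1")
    replayed = server.verify("operator1", good)
    # A client holding the wrong password must fail.
    ident, challenge = server.issue_challenge("operator1")
    wrong = server.verify("operator1", chap_response(ident, b"guess", challenge))
    return accepted, replayed, wrong
```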










