Specifications
WebConsole - Security Options
34
NI & DVX Central Controllers - WebConsole & Programming Guide
LDAP Options
Check the LDAP Enabled option on the right side of this page to make the LDAP options available for selection.
All parameters are case sensitive and must be entered exactly as they are entered into the LDAP database.
LDAP Client Configuration can also be done via terminal commands to the NetLinx Master’s Program Port - see the Enabling LDAP via the Program Port section on page 116 for details.
Refer to <$paratext> on page 123 for additional information on implementing LDAP on the NetLinx Master.
The LDAP options are described in the following table:
(System Security) Access Options (Cont.)
Option Description
Configuration: If selected, a valid username and password is required before allowing a group/user to alter the
current Master’s security and communication settings via NetLinx Studio.
This includes such things as: IP configuration/Reset, URL list settings, Master communication
settings, and security parameters.
ICSP Connectivity: If selected, a valid username and password is required to communicate with the NetLinx Master
via an ICSP connection (TCP/IP, UDP/IP, and RS-232).
• This feature allows communication amongst various AMX hardware and software components.
This feature works in tandem with the Require Encryption option (see below) to require that any
application or hardware communicating with the Master must provide a valid username and
password.
• In a Master-to-Master system, the Master which accepts the IP connection initiates the
authentication process. This configuration provides compatibility with existing implementations
and provides more flexibility for the implementation of other devices.
Note: The ICSP Connectivity option is required to allow authenticated and/or secure
communication between the Master and other AMX hardware/software. To establish an
authenticated ICSP connection (where the external AMX hardware/software has to provide a valid
username and password), this option must be enabled.
Encrypt ICSP Connection: If selected, this option requires that any data being transmitted or received via an ICSP connection
(among the various AMX products) be encrypted, and that any application or hardware
communicating with the Master over ICSP must provide a valid username and password.
Note: When enabled, this option requires more processor cycles to maintain.
ICSP uses a proprietary encryption based on RC4 and also requires CHAP-type authentication
including username and password.
CHAP (Challenge Handshake Authentication Protocol) authentication is an access control protocol
for dialing into a network that provides a moderate degree of security.
• When the client logs onto the network, the network access server (NAS) sends the client a
random value (the challenge).
• The client encrypts the random value with its password, which acts as an encryption key. It then
sends the encrypted value to the NAS, which forwards it along with the challenge and username
to the authentication server.
The CHAP server encrypts the challenge with the password stored in its database for the user and
matches its results with the response from the client. If they match, it indicates the client has the
correct password, but the password itself never left the client's machine.
LDAP Options
Option Description
LDAP Enabled: This parameter enables the LDAP configuration parameters described below.
LDAP URI: This parameter has the syntax ldap[s]://hostname:port.
• The ldap:// URL is used to connect to LDAP servers over unsecured connections.
• The ldaps:// URL is used to connect to LDAP servers over Secure Sockets Layer (SSL)
connections.
• The hostname parameter is the name or IP address, in dotted format, of the LDAP
server (for example, LDAPServer01 or 192.202.185.90).
• The port parameter is the port number of the LDAP server (for example, 696).
Note: The standard unsecured port number is 389 and the standard secured port number is
636.










