Specifications
WebConsole - Security Options
25
NX-Series Controllers - WebConsole & Programming Guide
LDAP Options
Check the LDAP Enabled option on the right side of this page to make the LDAP options available for selection.
All parameters are case sensitive and must be entered exactly as they are entered into the LDAP database.
LDAP Client Configuration can also be done via terminal commands to the NetLinx Master’s Program Port -
see the Enabling LDAP via the Program Port section on page 112 for details.
See Appendix A: LDAP Implementation Details on page 119 for additional information on implementing
LDAP on the NetLinx Master.
The LDAP options are described in the following table:
(System Security) Access Options (Cont.)
Option Description
Configuration: If selected, a valid user name and password is required before allowing a group/user to alter the
current Master’s security and communication settings via NetLinx Studio.
This includes such things as: IP configuration/Reset, URL list settings, Master communication
settings, and security parameters.
ICSP Connectivity: If selected, a valid user name and password is required to communicate with the NetLinx Master
via an ICSP connection (TCP/IP, UDP/IP, and RS-232).
• This feature allows communication amongst various AMX hardware and software components.
This feature works in tandem with the Require Encryption option (see below) to require that any
application or hardware communicating with the Master must provide a valid user name and
password.
• In a Master-to-Master system, the Master which accepts the IP connection initiates the
authentication process. This configuration provides compatibility with existing implementations
and provides more flexibility for the implementation of other devices.
Note: The ICSP Connectivity option is required to allow authenticated and/or secure
communication between the Master and other AMX hardware/software. To establish an
authenticated ICSP connection (where the external AMX hardware/software has to provide a valid
user name and password), this option must be enabled.
Encrypt ICSP Connection: If selected, this option requires that any data being transmitted or received via an ICSP connection
(among the various AMX products) be encrypted, and that any application or hardware
communicating with the Master over ICSP must provide a valid user name and password.
Note: When enabled, this option requires more processor cycles to maintain.
ICSP uses a proprietary encryption based on RC4 and also requires CHAP-type authentication
including user name and password.
CHAP (Challenge Handshake Authentication Protocol) authentication is an access control protocol
for dialing into a network that provides a moderate degree of security. The CHAP server encrypts
the challenge with the password stored in its database for the user and matches its results with the
response from the client. If they match, it indicates the client has the correct password, but the
password itself never left the client's machine.
• When the client logs onto the network, the network access server (NAS) sends the client a
random value (the challenge).
• The client encrypts the random value with its password, which acts as an encryption key. It then
sends the encrypted value to the NAS, which forwards it along with the challenge and user
name to the authentication server.
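The challenge-response exchange described above, shown as an added example that is not AMX code. It follows standard CHAP (RFC 1994), where the response is an MD5 hash over the identifier, the shared secret and the challenge; the ICSP variant is proprietary and not specified in this guide. The user name, password and class/function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential store (hypothetical user and password).
USER_DB = {"icsp_device": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and checks responses."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}   # user -> (identifier, challenge), single use
        self.next_id = 0

    def issue_challenge(self, user: str):
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16)          # fresh random value per attempt
        self.pending[user] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, user: str, response: bytes) -> bool:
        # pop() makes each challenge single use, so a captured response
        # is rejected when presented against any later challenge.
        identifier, challenge = self.pending.pop(user, (None, None))
        secret = self.user_db.get(user)
        if identifier is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(server: Authenticator, user: str, password: bytes):
    """Client side: returns (accepted, bytes_sent_on_the_wire)."""
    identifier, challenge = server.issue_challenge(user)
    response = chap_response(identifier, password, challenge)
    return server.verify(user, response), response
```

Only the 16-byte hash crosses the connection, and because each challenge is random and used once, a response recorded from one login does not verify against the next challenge.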
LDAP Options
Option Description
LDAP Enabled: This parameter enables the LDAP configuration parameters described below.
LDAP URI: This parameter has the syntax ldap[s]://hostname:port.
• The ldap:// URL is used to connect to LDAP servers over unsecured connections.
• The ldaps:// URL is used to connect to LDAP servers over Secure Sockets Layer (SSL)
connections.
• The hostname parameter is the name or IP address, in dotted format, of the LDAP
server (for example, LDAPServer01 or 192.202.185.90).
• The port parameter is the port number of the LDAP server (for example, 696).
Note: The standard unsecured port number is 389 and the standard secured port number is
636.