MSM7xx Controllers Configuration Guide v6.4.0
Authenticating with the login application
The connection between the login application and the controller is secured using SSL. When
establishing the SSL connection with the controller, the login application must supply its SSL
certificate. In a standard SSL setup, the controller uses the CA for this certificate to validate the
certificate's identity and authenticate the login application.
However, the controller does not want to accept SSL connections from just any remote entity with
a valid certificate. Rather, it only wants to accept connections from a specific entity: the login
application.
To uniquely identify the login application, the ssl-noc-certificate attribute is defined in the RADIUS
profile for the controller. This attribute contains the URL of the login application's SSL certificate.
When the login application presents its SSL certificate, the controller retrieves ssl-noc-certificate
and checks to make sure that they match.
For further authentication, a second attribute, ssl-noc-ca-certificate, is defined in the RADIUS profile
for the controller. This attribute contains the URL of the public key of the certificate authority (CA)
that signed the login application's SSL certificate. The controller uses the public key to determine if
the login application's SSL certificate can be trusted.
Authenticating the controller
To identify itself, the controller uses the SSL certificate configured on the Security > Certificate stores
page or via the ssl-certificate attribute.
For added security, the login application could also check that this SSL certificate has been signed
by the certificate authority for which the login application has the public key certificate. The default
certificate installed on the controller is not signed by a well-known CA and cannot be used for this
purpose. Instead, a new certificate must be installed on the controller. This certificate could be
signed by a well-known certificate authority or your own CA.
NOC authentication list
Additional security is provided via the Security list on the Public access > Web server page. You
use this list to define the set of remote IP addresses that the controller accepts authentication requests
from. If a request is received from an address not in this list, it is discarded.
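The following Python example is added here and is not code from the guide or the controller. It models the exact-match check against ssl-noc-certificate and the security list check described above, showing that a certificate signed by the same CA but belonging to another entity is still refused. The function name, addresses and placeholder certificate bytes are constructed, and comparing DER encodings is an assumption about how the match is made.

```python
import ipaddress
import ssl


def der(pem: str) -> bytes:
    """Decode PEM to DER so line wrapping or trailing whitespace cannot affect the match."""
    return ssl.PEM_cert_to_DER_cert(pem)


def check_noc_request(peer_ip: str, presented_pem: str, pinned_pem: str, security_list) -> str:
    """Return 'accept' or the reason the request is refused (hypothetical helper).

    Assumes the TLS layer has already validated the presented certificate
    against the CA retrieved via ssl-noc-ca-certificate; only the two
    additional checks are modelled here.
    """
    allowed = {ipaddress.ip_address(a) for a in security_list}
    # Security list: requests from unlisted addresses are discarded outright.
    if ipaddress.ip_address(peer_ip) not in allowed:
        return "discard: address not in security list"
    # Pin: a CA-valid certificate is not enough, it must be the configured one.
    if der(presented_pem) != der(pinned_pem):
        return "reject: not the login application certificate"
    return "accept"


# Constructed sample data: placeholder bytes stand in for real DER certificates.
LOGIN_APP_CERT = ssl.DER_cert_to_PEM_cert(b"constructed login application certificate")
OTHER_CERT = ssl.DER_cert_to_PEM_cert(b"constructed certificate of another entity, same CA")
SECURITY_LIST = ["192.0.2.10"]  # documentation-range address, constructed

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", LOGIN_APP_CERT),    # listed address, pinned certificate
        ("192.0.2.10", OTHER_CERT),        # listed address, different certificate
        ("198.51.100.7", LOGIN_APP_CERT),  # unlisted address
    ]
    for ip, cert in cases:
        print(ip, "->", check_noc_request(ip, cert, LOGIN_APP_CERT, SECURITY_LIST))
```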
Setting up the certificates
This section presents an overview of the certificates you need to install to secure communication
between the remote login page and the controller. For detailed discussion of the issues, see
“Addressing security concerns” (page 551).
Install certificates on the Web server
Install an SSL certificate and its matching CA certificate into a folder on the Web server hosting
the remote login page. The login application and the controller access the certificates from this
location.
The SSL certificate is used by the login application to secure communications with the controller.
Define attributes
Add the following attributes to the Configured attributes table on the Public access > Attributes
page. (You can also define these attributes in the RADIUS profile for the controller if you are using
a RADIUS server.) This enables the controller to retrieve the SSL and CA certificates from the Web server:
ssl-noc-certificate = URL_of_the_Certificate
Certificate issued to the application on the Web server that sends user info to the controller for authentication.
ssl-noc-ca-certificate = URL_of_the_certificate