Addressing Security Concerns; Securing The Remote Login Page; Authenticating With The Login Application; Authenticating The Cn3000 - Colubris Networks CN3000 Administrator's Manual


Chapter 8: NOC authentication

Addressing security concerns

It is important that the connection between the login application and the CN3000 be
secure to protect the exchange of customer authentication traffic. The following strategy
provides for complete connection security.
Securing the remote login page

HTTPS can be used on the web server to secure the login page. To avoid warning
messages on the customer's browser, the SSL certificate installed on the web server
should be signed by a well-known CA.

Authenticating with the login application

The connection between the login application and the CN3000 is secured using SSL.
When establishing the SSL connection with the CN3000, the login application must
supply its SSL certificate. In a standard SSL setup, the CN3000 would use the CA for
this certificate to validate the certificate's identity and authenticate the login application.
However, the CN3000 does not want to accept SSL connections from just any remote
entity with a valid certificate. Rather, it only wants to accept connections from a specific
entity: the login application.

To uniquely identify the login application, the ssl-noc-certificate attribute is defined in the
RADIUS profile for the CN3000. This attribute contains the URL of the login
application's SSL certificate. When the login application presents its SSL certificate, the
CN3000 retrieves the certificate referenced by ssl-noc-certificate and checks that the two match.

For further authentication, a second attribute, ssl-noc-ca-certificate, is defined in the
RADIUS profile for the CN3000. This attribute contains the URL of the public key of the
certificate authority (CA) that signed the login application's SSL certificate. The CN3000
uses the public key to determine if the login application's SSL certificate can be trusted.

Authenticating the CN3000

To identify itself, the CN3000 uses the SSL certificate configured on the Security >
Certificates page or via the ssl-certificate attribute (for details see "Custom SSL
certificate" on page 158). For added security, the login application could also check that
this SSL certificate has been signed by the certificate authority for which the login
application has the public key certificate. The default certificate installed on the
CN3000 is not signed by a well-known CA and cannot be used for this purpose.
Instead, a new certificate must be installed on the CN3000. This certificate could be
signed by a well-known certificate authority, or your own CA.

NOC authentication list

Additional security is provided via the NOC authentication list on the CN3000 (page
247). You use this list to define the set of remote IP addresses that the CN3000 will
accept authentication requests from. If a request is received from an address not in this
list, it is discarded.
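The checks described above (NOC authentication list, CA signature, and exact match against ssl-noc-certificate), combined into one decision function. This is an added example, not code from the manual or from the CN3000 firmware. The function names, the chain_ok flag (standing in for the TLS library's CA verification result), the check order, and the sample addresses and certificate bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import ssl


def fingerprint(pem):
    """SHA-256 of the DER bytes, so PEM line wrapping does not affect the match."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest()


def source_allowed(src_ip, noc_list):
    """True only if src_ip equals one of the listed addresses."""
    allowed = {ipaddress.ip_address(entry) for entry in noc_list}
    return ipaddress.ip_address(src_ip) in allowed


def accept_request(src_ip, presented_pem, pinned_pem, chain_ok, noc_list):
    """Return "accept", or the reason the request is dropped.

    chain_ok stands in for the TLS library's verdict on whether the presented
    certificate was signed by the CA named in ssl-noc-ca-certificate.
    """
    if not source_allowed(src_ip, noc_list):
        return "discard: source not in NOC authentication list"
    if not chain_ok:
        return "reject: not signed by the configured CA"
    # A CA-signed certificate is not enough: it must be the login application's.
    if not hmac.compare_digest(fingerprint(presented_pem), fingerprint(pinned_pem)):
        return "reject: does not match ssl-noc-certificate"
    return "accept"


# Constructed sample data: placeholder bytes, not real X.509 certificates.
LOGIN_APP = ssl.DER_cert_to_PEM_cert(b"constructed-login-application-cert")
OTHER_APP = ssl.DER_cert_to_PEM_cert(b"constructed-other-valid-cert")
NOC_LIST = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for ip, cert, ok in [("192.0.2.10", LOGIN_APP, True),
                         ("192.0.2.10", OTHER_APP, True),
                         ("203.0.113.5", LOGIN_APP, True)]:
        print(ip, accept_request(ip, cert, LOGIN_APP, ok, NOC_LIST))
```

The second case is the one the manual singles out: a certificate that chains to the trusted CA is still refused because it is not the specific certificate pinned for the login application.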