Establishing Secure Administration {Access Control - Nomadix Access Gateways User Manual

A G
CCESS ATEWAY
HASH-CRC32

HMAC-MD5

Not all parameters that are part of the URL redirection string need to be included in the
signature calculation. The following parameters are considered sensitive and can be selected:
UI (the ID of the NSE)

MA (the subscriber's MAC address)

RN (the Room Number)

PORT (the port number the subscriber is connected to)

SIP (the subscriber IP address)

The desired secret key simply needs to be entered in the field. Once entered, it is not visible to
the user.
Information that indicates which parameters were signed, along with the resultant hash value,
are then included in some additional parameters that are appended to the redirection string.
In order to utilize the parameter signing feature, the EWS or Portal Page Server used must be
configured to correctly parse and verify the signing information. Documentation that includes
guidelines for configuring a server to support signing can be obtained by contacting Nomadix
Technical Support.

Establishing Secure Administration {Access Control}

The Access Gateway allows you to block administrator access to interfaces (Telnet, WMI and
FTP, SSH and SFTP) and incorporates a master access control list that checks the source (IP
address) of administrator logins. A login is permitted only to the interfaces that have not been
blocked, and only if a match is made with the master "Source IP" list contained on the Access
Gateway. If a match is not made with the "Source IP list," the login is denied, even if a correct
login name and password are supplied. The access control list for source IPs supports up to 50
(fifty) entries in the form of a specific IP address or range of IP addresses.
This procedure allows you to enable the "Access Control" feature and block administrator
access to specific interfaces, and add or remove administrator "Source IP" addresses.
The NSE supports secure https connections to the Web Management Interface (WMI). Correct
certificates must be installed on the NSE flash memory for these connections to function
properly. The same certificate set that is used to support SSL connections for subscribers is
used for this purpose. For documentation about configuring the system to support secure
connections, contact technical support. See
In addition, corresponding options to block https connections (independent of http) are
included in the NSE's Access Control functionality, for both the network and subscriber sides.
System Administration
Appendix A: Technical Support.
63