NOC authentication
Authenticating with the login application
The connection between the login application and the controller is secured using SSL. When 
establishing the SSL connection with the controller, the login application must supply its SSL 
certificate. In a standard SSL setup, the controller uses the CA for this certificate to validate 
the certificate’s identity and authenticate the login application. 
However, the controller does not want to accept SSL connections from just any remote 
entity with a valid certificate. Rather, it only wants to accept connections from a specific 
entity: the login application. 
To uniquely identify the login application, the ssl-noc-certificate attribute is defined in the 
RADIUS profile for the controller. This attribute contains the URL of the login application’s 
SSL certificate. When the login application presents its SSL certificate, the controller 
retrieves the certificate referenced by ssl-noc-certificate and checks that the two match.
For further authentication, a second attribute, ssl-noc-ca-certificate, is defined in the 
RADIUS profile for the controller. This attribute contains the URL of the public key of the 
certificate authority (CA) that signed the login application’s SSL certificate. The controller 
uses the public key to determine if the login application’s SSL certificate can be trusted. 
Authenticating the controller
To identify itself, the controller uses the SSL certificate configured on the Security > 
Certificate Stores page or via the ssl-certificate attribute. 
For added security, the login application could also check that this SSL certificate has been 
signed by the certificate authority for which the login application has the public key 
certificate. The default certificate installed on the controller is not signed by a well-known CA 
and cannot be used for this purpose. Instead, a new certificate must be installed on the 
controller. This certificate could be signed by a well-known certificate authority or your own 
CA.
NOC authentication list
Additional security is provided via the Security list on the Public access > Web server page. 
You use this list to define the set of remote IP addresses that the controller accepts 
authentication requests from. If a request is received from an address not in this list, it is 
discarded.
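
The checks described in "Authenticating with the login application" and "NOC authentication list", combined into one decision function. This is an added example, not the controller's own code. The function name, the SHA-256 fingerprint comparison, and the sample certificates and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import ssl


def fingerprint(pem: str) -> bytes:
    """SHA-256 over the DER bytes, so PEM line wrapping cannot affect the match."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).digest()


def accept_noc_request(remote_ip, presented_pem, pinned_pem, allowed):
    """Return (accepted, reason) for one authentication request.

    Assumption: the TLS layer has already validated presented_pem against the
    CA fetched from ssl-noc-ca-certificate. This covers the other two checks.
    """
    # Check 1: the source address must be in the security list.
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(addr in ipaddress.ip_network(net) for net in allowed):
        return False, "source address not in security list"
    # Check 2: a valid CA signature is not enough. The presented certificate
    # must be the one certificate that ssl-noc-certificate points to.
    if not hmac.compare_digest(fingerprint(presented_pem), fingerprint(pinned_pem)):
        return False, "certificate does not match ssl-noc-certificate"
    return True, "ok"


# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
NOC_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-login-app-cert")
OTHER_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-other-cert-same-ca")
SECURITY_LIST = ["192.0.2.10", "198.51.100.0/28"]  # documentation address ranges

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", NOC_CERT),    # listed address, pinned certificate
        ("192.0.2.10", OTHER_CERT),  # listed address, different certificate
        ("203.0.113.7", NOC_CERT),   # pinned certificate, unlisted address
    ]
    for ip, cert in cases:
        print(ip, accept_noc_request(ip, cert, NOC_CERT, SECURITY_LIST))
```

The second case is the one the ssl-noc-certificate attribute exists for: a certificate from the same CA passes chain validation but is still refused because it is not the pinned one.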
Setting up the certificates
This section presents an overview of the certificates you need to install to secure 
communication between the remote login page and the controller. For a detailed discussion of 
the issues, see Addressing security concerns on page D-5.