
Cisco Rfgw1d Manual


    							 
     
     Authentication 
     
    78-4025112-01 Rev H0 207 
     
     Single user access is supported and a successful login attempt from a different 
    network web client IP address results in terminating the previous session, 
    allowing one RF Gateway user at a time. The following message provides a 
    warning before this action is taken. 
     
     
    Remote Authentication 
    Multiple-user authentication is provided using the RADIUS protocol for network 
    authentication. A RADIUS server must be accessible on the RF Gateway 1 
    management network for multiple-user authentication. Standard RADIUS servers 
    are readily available, for example WinRadius and FreeRADIUS.  
    To Set Up Remote Authentication 
    Follow the instructions below to set up remote authentication. 
    1 Navigate to the System/Authentication page. 
    2 In the Mode drop-down box, select Remote. 
    Result: The following screen is displayed. 
     
    3 Enter Server IP, Server port and Secret key. 
    4 Click Apply. 
    5 Click Save on the main menu bar to save your settings. 
    6 Click Logout on the main menu bar.  
    						
    							 
    Chapter 14    Security Features  
     
     
    Result: The following window is displayed. 
     
    7 Click OK. 
    8 Click Login on the main menu bar. 
    The following screen is displayed. 
     
    9 Enter User Name and Password provisioned on the RADIUS server.  
    Remote User Management 
    • When logged in as rfgw1 or any RADIUS user (in Remote mode), the user can 
      access all configurable RF Gateway 1 web pages.  
    • In the RADIUS users configuration file on the RADIUS server, set the cisco-avpair as 
      cisco-avpair = "shell:priv-lvl=15" to allow read-write access to the 
      RFGW1 web pages for that RADIUS user. 
    • Operators can configure the default user ID (rfgw1) as a Local and/or RADIUS 
      user. The RF Gateway 1 uses one or the other for its authentication credentials. 
    • Operators use their RADIUS server interface to set up and change RADIUS-based 
      users and passwords.  
    • Local password capability is also enabled in Remote (multi-user) mode. Hence, 
      the Local user and its password are still valid. For this reason, it is essential to 
      change the factory default password as soon as possible. Also, while in Remote 
      mode, the System/Authentication/Change Password feature can be used to change 
      a Local user password only. The RF Gateway 1 operator must use the RADIUS 
      server interface to make changes to its remote user credentials. This cannot be 
      performed using the RF Gateway 1 management interface. 
    • If remote authentication does not succeed using the user credentials entered, 
      then local authentication will be tried with the same user credential details 
      entered.  
    • Single read-write user access is supported and a successful login attempt from a 
      different network web client IP address results in terminating the previous 
      session, allowing one user at a time to be logged in and make changes. The 
      following message box provides a warning before action is taken. 
     
     
    Password Recovery 
    A password reset and recovery feature is available using the RF Gateway 1 front 
    panel.   
    To Reset the Default Password 
    1 On the front panel, press the LEFT & UP buttons together. 
    2 On the front panel, press the LEFT & DOWN buttons together.  
    Result: The following screen is displayed. 
     
    3 Select Yes. 
    Note: This procedure resets the default password to 1111.  To change your 
    password, refer to To Change Default Password (on page 205).   
    						
    							 
    Enabling HTTPS on the RF Gateway 1 
    Steps for Enabling HTTPS 
    The following steps for enabling HTTPS are explained in detail in the following 
    sections. 
    • Create a CA  
    • Create a unique key and CSR for each RF Gateway 1 unit required to support 
      HTTPS 
    • Sign each CSR with the CA 
    • Download each key and certificate from the FTP server to each RF Gateway 1 
      unit  
    • Import the CA certificate into each browser that you plan to use with your RF 
      Gateway 1 unit 
    In the following steps, the command prompt is shown in italics, the user input is 
    shown in bold, and the computer response is shown in normal typeface.  
    Creating a CA Certificate 
    Create a CA certificate named ca.crt (the command reads the CA private key from an existing ca.key): 
    OpenSSL> req -new -x509 -days 365 -key ca.key -out ca.crt 
    Enter pass phrase for ca.key: 
    Loading screen into random state - done 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [AU]:US 
    State or Province Name (full name) [Some-State]:Kentucky 
    Locality Name (eg, city) []:LaRue 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sinking Spring Farm  
    						
    							 
     
     
    Organizational Unit Name (eg, section) []:Log Cabin 
    Common Name (eg, YOUR name) []:Abraham 
    Email Address []:[email protected] 
    OpenSSL>  
    Creating a Server Key 
    Create a server.key and an unprotected server key named server.pem.  
    Server.pem, which you'll create below, is not password protected. Guard it well 
    because it contains your private RSA key in the clear for all to see. 
    OpenSSL> genrsa -des3 -out server.key 4096 
    Loading screen into random state - done 
    Generating RSA private key, 4096 bit long modulus 
    ................................................................................ 
    ................................................................................ 
    .................++ 
    ......................................++ 
    e is 65537 (0x10001) 
    Enter pass phrase for server.key: 
    Verifying - Enter pass phrase for server.key: 
    OpenSSL> rsa -in server.key -out server.pem 
    Enter pass phrase for server.key: 
    writing RSA key 
    OpenSSL>  
      
    Creating a CSR 
    Create a Certificate Signing Request named server.csr: 
    Recall that when using HTTPS, your browser requires that the site name match the 
    Common Name on the certificate. Therefore you must use the IP Address of the 
    RFGW-1 as the certificate Common Name below. 
    OpenSSL> req -new -key server.key -out server.csr 
    Enter pass phrase for server.key:  
    						
    							 
    Loading screen into random state - done 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [AU]:US 
    State or Province Name (full name) [Some-State]:Indiana 
    Locality Name (eg, city) []:West Lafayette 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Purdue University 
    Organizational Unit Name (eg, section) []:Delta Chi Fraternity 
    Common Name (eg, YOUR name) []:10.90.149.80 
    Email Address []:[email protected] 
    Please enter the following extra attributes 
    to be sent with your certificate request 
    A challenge password []: 
    An optional company name []:Boilermakers Inc. 
    OpenSSL> 
      
    Sign the CSR 
    Sign the Certificate Signing Request with the self-created CA made earlier and name 
    it public.crt. Browsers such as Firefox are strict about serial numbers and check 
    for duplicates, so serial numbers must be unique for each signing. 
    OpenSSL> x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out public.crt 
    Loading screen into random state - done 
    Signature ok 
    subject=/C=US/ST=Indiana/L=West Lafayette/O=Purdue University/OU=Delta Chi Fraternity/CN=10.90.149.80/[email protected] 
    Getting CA Private Key 
    Enter pass phrase for ca.key: 
    OpenSSL> 
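
The four OpenSSL steps above, collected into a non-interactive shell script with pre-upload checks; this is an added example, not part of the Cisco manual. It also creates ca.key, which the manual's CA command presumes, and adds the gateway IP as a subjectAltName. The function names, pass-phrase variables, directory layout, subject fields and the use of -aes256 are assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's own script. Pass phrases are sample values.
: "${CA_PASS:=sample-ca-phrase}" "${KEY_PASS:=sample-key-phrase}"
export CA_PASS KEY_PASS
umask 077   # new key files are readable by their owner only

make_ca() {      # make_ca <ca-dir> [bits]  -> ca.key (encrypted) + ca.crt
  mkdir -p "$1" && (
    cd "$1" &&
    openssl genrsa -aes256 -passout env:CA_PASS -out ca.key "${2:-4096}" &&
    openssl req -new -x509 -days 365 -key ca.key -passin env:CA_PASS \
      -subj "/O=Example Lab/CN=Example RFGW CA" -out ca.crt )
}

issue_unit() {   # issue_unit <ca-dir> <gateway-ip> <serial> [bits]
  mkdir -p "$1/$2" && (
    cd "$1/$2" &&
    openssl genrsa -aes256 -passout env:KEY_PASS -out server.key "${4:-4096}" &&
    # server.pem is the unprotected copy the gateway requires
    openssl rsa -in server.key -passin env:KEY_PASS -out server.pem &&
    openssl req -new -key server.key -passin env:KEY_PASS \
      -subj "/CN=$2" -out server.csr &&
    # Beyond the manual: current browsers match on subjectAltName, so add the IP there too
    printf 'subjectAltName=IP:%s\n' "$2" > san.ext &&
    openssl x509 -req -days 365 -in server.csr -CA ../ca.crt -CAkey ../ca.key \
      -passin env:CA_PASS -set_serial "$3" -extfile san.ext -out public.crt )
}

check_unit() {   # check_unit <ca-dir> <gateway-ip>; 0 = files are consistent
  d="$1/$2"
  # 1: certificate must chain to our CA
  openssl verify -CAfile "$1/ca.crt" "$d/public.crt" >/dev/null 2>&1 || return 1
  # 2: server.pem must not be pass-phrase protected
  if grep -q ENCRYPTED "$d/server.pem"; then return 2; fi
  # 3: key and certificate must be a pair (same RSA modulus)
  km=$(openssl rsa -noout -modulus -in "$d/server.pem" 2>/dev/null)
  cm=$(openssl x509 -noout -modulus -in "$d/public.crt")
  [ -n "$km" ] && [ "$km" = "$cm" ] || return 3
  # 4: certificate must name the gateway IP (CN and SAN)
  openssl x509 -noout -subject -nameopt RFC2253 -in "$d/public.crt" |
    grep -qF "CN=$2" || return 4
  openssl x509 -noout -text -in "$d/public.crt" |
    grep -qF "IP Address:$2" || return 4
}

cert_serial() {  # cert_serial <ca-dir> <gateway-ip> -> e.g. "serial=01"
  openssl x509 -noout -serial -in "$1/$2/public.crt"
}
```

Call issue_unit once per gateway with a new serial, and upload server.pem and public.crt only from a directory where check_unit returns 0.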
      
    Downloading Key and Certificate Files to the RF Gateway 1 
    The SSL Configuration menu is used to set the FTP server IP address, user name, 
    and password. It is also used to set the path to the key and certificate file and the key 
    and certificate filename. The Server Key (server.pem) must not be password 
    protected. 
    Follow the instructions below to configure the SSL settings. 
    1 Navigate to the System/SSL Configuration page. 
    Result: The following screen is displayed. 
     
    2 In the Server Key Information box, enter the Server Key Path and Server Key 
    Name. 
    Note: It is recommended that the Server Key be named server.pem. 
    3 Click Download Server Key.  
    						
    							 
    Result: The following details can be noted. 
     
     
     
    4 In the SSL Certificate File Information box, enter SSL Certificate File Path and the 
    SSL Certificate File Name. 
    Note: It is recommended that the file be named public.crt. 
    5 Click Download SSL Certificate. 
    Result: The status window indicates whether the files are valid or invalid. 
     
     
     
    6 Once the files are validated, click Install Certificate to restart the server.  
    						
    							 
     
     
    Result: After a few seconds, firewall permitting, the server responds to both 
    HTTP and HTTPS requests.  
    Note: Invalid files are automatically deleted. 
     
     
     
    7 Click UnInstall/Delete Certificate to disable HTTPS.  
    Result: The key and certificate files are deleted and the web server restarts.  
    Importing the CA Certificate 
    Follow the instructions below to import the CA certificate into Firefox. 
    1 Launch Firefox. 
    Result: The following screen is displayed. 
      
    						
    							 
    2 Click Tools - Options - Advanced - Encryption - View Certificates - Authorities. 
    Result: The following screen is displayed. 
     
    3 Click Import. 
    Result: The following screen is displayed. 
     
    4 Search for and select your ca.crt file. 
    5 Click Open. 
    Result: The following screen is displayed. 
      
    						