
System Administration
web or telnet (for command line interface access) services (see Section 14.3 and Section 14.4), or any firewall
rules that affect web or telnet access to the FB2700 itself.
4.1.4.2. Logged in IP address
The FireBrick allows a general definition of IP groups, which let a name be used in place of a range of
IP addresses. This is a very general mechanism that can be used for single IP addresses or for groups of IP
ranges; e.g. admin-machines may be a list or range of the IP addresses from which you want to allow some access.
The feature can also be useful even where only one IP is in the group, just to give the IP a meaningful name
in an access list.
These named IP groups can be used in the allow list for a user login, along with specific IP addresses or ranges
if needed.
However, IP groups can also list one or more user names, and then implicitly include the current IP address from
which each of those users is logged in to the web interface. This can be useful for firewall rules where you may have
to log in to the FireBrick, even as a NOBODY level user, just to get your IP address into an access list that allows
further access to a network from that IP. Note that the address added is whatever the login arrived from, so if the
user logs in from behind a shared NAT address, everything behind that address is matched by the rule.
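The following is an added example (not FireBrick configuration or code from the manual) that models how such a group resolves: each group holds fixed IPs, CIDR ranges, or user names, and a user name contributes the address that user is currently logged in from, or nothing if the user is not logged in. The group names, addresses and session table are constructed for illustration; the FireBrick's own config syntax is not shown here.

```python
import ipaddress

# Constructed example groups: entries are single IPs, CIDR ranges, or user names.
GROUPS = {
    "admin-machines": ["192.0.2.10", "198.51.100.0/24"],
    "logged-in-admins": ["fred", "192.0.2.50"],  # a user name plus a fixed IP
}

# Constructed web-interface session table: user name -> IP the user logged in from.
SESSIONS = {"fred": "203.0.113.7"}


def expand_group(name, groups=GROUPS, sessions=SESSIONS):
    """Resolve a named IP group to the list of networks it covers right now.

    Anything that parses as an address or CIDR range is static; anything else is
    treated as a user name and contributes that user's current login address.
    A user who is not logged in contributes nothing, so rules that depend on the
    group stop matching as soon as the session ends.
    """
    nets = []
    for entry in groups[name]:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            ip = sessions.get(entry)
            if ip is not None:
                nets.append(ipaddress.ip_network(ip))
    return nets


def allowed(src_ip, allow_list, groups=GROUPS, sessions=SESSIONS):
    """Evaluate an allow list mixing raw IPs/ranges and group names against src_ip."""
    src = ipaddress.ip_address(src_ip)
    for item in allow_list:
        if item in groups:
            nets = expand_group(item, groups, sessions)
        else:
            nets = [ipaddress.ip_network(item, strict=False)]
        if any(src in net for net in nets):
            return True
    return False


if __name__ == "__main__":
    # fred is logged in from 203.0.113.7, so that address is inside the group ...
    print(allowed("203.0.113.7", ["logged-in-admins"]))                # True
    # ... and drops out again once the session is gone.
    print(allowed("203.0.113.7", ["logged-in-admins"], sessions={}))   # False
```

The resolution happens at evaluation time, which is the point of the mechanism: the firewall rule never needs editing, but it also means anyone sharing the login address (a NAT gateway, for example) is matched for as long as the session lasts.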
4.1.4.3. Restrict by profile
By specifying a profile name using the profile attribute, you can allow logins by the user only when the
profile is in the Active state (see Chapter 9). You can use this to, for example, restrict logins to certain
times of the day, or to effectively suspend a user account by specifying an always-Inactive profile.
4.1.5. One Time Password
Under the main config menu you will find an option to set up OTP (One Time Password). This allows the details
of an OATH one time password device to be entered, such as a keyring OATH token or an app on a mobile phone. The
device/app provides a series of digits which change automatically.
To set up an OATH device you will need to know a key, which is a long string of random hexadecimal digits.
Some apps can generate a random key for you to copy/paste into the set up page. If you have some other means to
generate a suitably long random hex string, you can enter it into both the device settings and the setup page. As
long as the key matches, the OATH device should work. For a physical OATH device the key is pre-set and supplied
with the device. The key needs to be kept secret: anyone who has it can generate the same codes.
In order to link the OATH settings to a user you need a serial number. This is just a string of characters. If you
have a physical OATH device then it is likely to have a serial number on it. If using an app on a phone you
could make the serial number that of the phone, or just "fred's iphone" or some such.
You will also have to specify whether the OATH device uses time-based or event-based codes. For time-based you need
to give the time interval, e.g. 30 or 60 seconds. Time-based tokens change automatically as time passes, but
event-based tokens change every time you use them. If using the same device for more than one FireBrick you should
use time-based, as an event-based device uses up codes when accessing one FireBrick and so can become out of
sync when going back to another FireBrick later. A time-based device cannot get out of sync like that. You
also have to say how many digits are used. A common setting is time-based, 60 seconds, and 6 digits.
As part of the set up you will have to enter a sequence of three codes. For time-based tokens you have to wait
for each next code. Do not leave any out; enter exactly three consecutive codes in order. If the details are all
correct then the FireBrick confirms the token is loaded. You cannot then view the details of the token, as they are
secret. You can load many different tokens with different serial numbers.
Finally, to associate an OATH device with a user login, put the serial number in the otp setting for the user.
This then means that all logins with that username require the sequence of digits at the start of the password.
You can, in such cases, leave the password blank if you only want to use the digits to log in, but this is not