WebConsole - Security Options
55
NX-Series Controllers - WebConsole & Programming Guide
If an administrator password change is desired, LDAP must be disabled, the password changed and saved, and then LDAP re-enabled.
Users may not be added or deleted via the web pages when LDAP is enabled.
User access privileges cannot be changed via the web pages.
As users log onto a NetLinx Master, their user name and access privileges are displayed on the User Security Details page (see the section on page 51). This information is stored in the Master's RAM but is not written to non-volatile memory, and is lost after rebooting the Master.
If a user is removed from the LDAP directory tree, access is denied, and if that user name is on the Master's User Security Details web page it is removed.
Accepting Changes
Click the Accept/Test button to save changes on this page. Accepting changes is instantaneous and does not require rebooting the Master.
Testing the Connection to the LDAP Server
After entering and accepting the parameters, the Accept/Test button can be used to test the connection to the LDAP server. This test does a bind to the BIND DN using the Search Password entered.
If the bind is successful, the message "Connection successful" is displayed.
If the server could not be reached or the bind is unsuccessful, the message "Could not connect to server -- Please check LDAP URI, BIND DN and Search Password settings" is displayed.
Refer to Appendix A: LDAP Implementation Details on page 127 for additional information.
IMPORTANT: For the NX-series Masters to work with LDAP over SSL (LDAPS), you must upload a CA server certificate in .pem format to the Master's FTP server. The certificate's file name must be "ldap_ad.pem" and the file must be saved in a folder named "certs". Once the file is uploaded, you must reboot the Master for the certificate file to be read and employed by the system. LDAPS requires Master Firmware version 1.3.78 or greater.
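The Accept/Test check and the LDAPS certificate requirement above, reproduced as an added example (not AMX code) in Python for a pre-flight check from a workstation: it encodes an LDAPv3 simple bind to the BIND DN with the Search Password and, for an ldaps:// URI, trusts only a CA file at the name and folder the Master requires. The URI, DN and password used with it are constructed values; the Master performs its own check internally.

```python
import socket
import ssl
from pathlib import Path
from urllib.parse import urlparse
CA_CERT_PATH = Path("certs/ldap_ad.pem")   # folder and file name the Master requires for LDAPS
FAIL_MSG = "Could not connect to server -- Please check LDAP URI, BIND DN and Search Password settings"
def _ber_len(n):                                    # BER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(bind_dn, password, message_id=1):
    """LDAPv3 BindRequest ([APPLICATION 0]) with simple auth ([0] OCTET STRING), per RFC 4511."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, op))

def parse_bind_result(data):
    """resultCode of a BindResponse ([APPLICATION 1]): 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(data)
    tag, body, _ = _read_tlv(msg, _read_tlv(msg)[2])  # skip the messageID element
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    return int.from_bytes(_read_tlv(body)[1], "big")

def check_ldap_settings(uri, bind_dn, password, ca_cert=CA_CERT_PATH):
    """Same check as Accept/Test: connect (TLS for ldaps://), bind as BIND DN, return the Master's message."""
    u = urlparse(uri)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        return "Invalid LDAP URI"
    if u.scheme == "ldaps" and not Path(ca_cert).is_file():
        return f"CA certificate {ca_cert} not found"
    try:
        sock = socket.create_connection((u.hostname, u.port or (636 if u.scheme == "ldaps" else 389)), timeout=5)
        if u.scheme == "ldaps":                     # trust only the uploaded CA and verify the hostname
            sock = ssl.create_default_context(cafile=str(ca_cert)).wrap_socket(sock, server_hostname=u.hostname)
        with sock:
            sock.sendall(build_simple_bind(bind_dn, password))
            ok = parse_bind_result(sock.recv(4096)) == 0
    except (OSError, ValueError):                   # unreachable host, TLS failure, malformed reply
        return FAIL_MSG
    return "Connection successful" if ok else FAIL_MSG
```

As on the Master, an unreachable server and a rejected bind both produce the same "Could not connect" message, so a failure here means rechecking all three settings.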
Wired 802.1X support
IEEE 802.1X is an IEEE Standard for Port-based Network Access Control (PNAC). PNAC provides the ability to grant or deny
network access to devices wishing to attach to a LAN based on credentials tied to the device rather than to a user. Until the device
has been verified and permitted access, no network traffic is passed through the connected port, effectively keeping the device
disconnected from the network.
The NX-Series controller acts as a supplicant (client device) to a wired 802.1X enabled network and presents customer-provided
X.509 certificates to be allowed access to protected networks. The following EAP Encryption Methods are supported.
PEAPv0/MSCHAPv2
TTLS/MSCHAPv2
TTLS/PAP
MD5
Customer-provided X.509 certificates are uploaded to the NX-Series controller using NetLinx Studio, and 802.1X is configured via the Command Line Interface using the syntax:
DOT1X[status|enable|disable]
Once you add the certificate file to your workspace, NetLinx Studio transfers the file to the appropriate directory on the controller.
1. Click to select (highlight) a System (in the Workspace tab of the Workspace Bar).
2. Right-click on the Other folder to access the Other File Folder context menu, and select Add Existing Other File.
3. In the Add Existing Other File dialog, locate and select the certificate file (.crt) that you want to add to the selected System. Change the Files of Type option to All Files (*.*) to look for other file types, if necessary.
4. Click Open to access the File Properties dialog, where you can view/edit general file information for the selected file.
5. Click OK to add the file to the selected System. The file should now appear in the Other folder under the selected System.