INSYS routers with icom OS require the configuration of an authentication method for productive use.

This requirement forces the user to address the protection of access to the router already during configuration.

1. Situation

No authentication is configured in default settings. Access to the web interface is possible without login. Modifications can be made. However, the modifications can only be activated after an authentication method has been configured.

If the router is commissioned with the startup wizard, a user must be configured in this process.

If the blinking gear in the title bar is clicked to activate the profile and no authentication is configured, a user must be configured in this process.

The manual configuration of the different authentication methods is described in the following.

2. Solution

One of the following authentication methods must be configured:

  • User name and password: a user must be configured locally on the router for this

  • Certificate: the client authentication via certificate must be activated, a CA certificate must be stored on the router and a client certificate must be imported in the browser for this

  • RADIUS server: the authentication at a RADIUS server must be activated and a user must be configured on the RADIUS server

To increase security, it is recommended to disable authentication methods that are not used.

2.1. Authentication via user name and password

The security of this authentication method depends on complexity and non-disclosure of the selected password.

  1. Open the web interface of the router (192.168.1.1) using a browser.

  2. Click on (Display help text) in the title bar to show helpful information regarding the configuration options in the Inline Help.

  3. Click on the add icon in the Administration > User menu to add a new user.

  4. Enter User name and Password.

  5. Select User group.

  6. Click on Save settings to adopt the user.

  7. Activate the profile with a click on the blinking gear in the title bar.

A typo during entry, forgetting the credentials stored here, or not granting at least one user write privileges means that the router can no longer be accessed. Access is then only possible again by resetting the router to default settings, which loses all settings.

Permitted characters for the user name: 0-9, a-z, A-Z as well as the special characters - (minus), _ (underscore) and . (full stop). Additionally permitted special characters for the password: !@#$%^&=*

There are no special requirements for the password. The password should be long enough and hard to guess; its security is the responsibility of the user. If no password is assigned, the user cannot log in to the router.

The password is stored as a salted SHA-512 hash and cannot be made visible again. Instead of clear text, it can also be entered as a hash, for example to create users with a password without having to know it.
Example of a hash:
$6$ed81a2f486$LSbNLuCyoXieyfUvpg30Ew/chO55Cw.LL2Hol4sCo5xf75GT9Om4yxGEDYhifSlK0XKLMXM.GGOp9iCQeCaDS/
The hash must start with the string $6$ (indicates SHA-512) and have exactly 106 characters. The salt is the part between the second and the third dollar symbol, here ed81a2f486.
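As an added example (not part of the INSYS guide), the following Python helper checks a user name and password against the character rules above, splits a $6$ hash into its salt and digest, and, where the standard-library crypt module is available, generates such a hash on the administrator's workstation so the clear-text password never has to be typed into the router. The regexes, function names and sample values are my own assumptions.

```python
import re
import secrets

# Character rules and hash layout as described in the guide (regexes are mine).
USERNAME_RE = re.compile(r"^[0-9A-Za-z._-]+$")
PASSWORD_RE = re.compile(r"^[0-9A-Za-z._!@#$%^&=*-]+$")
# sha512-crypt layout: "$6$" + salt + "$" + 86-character digest (crypt alphabet)
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SHA512_CRYPT_RE = re.compile(
    r"^\$6\$(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]{86})$")

# The example hash quoted in the guide above.
EXAMPLE_HASH = "$6$ed81a2f486$LSbNLuCyoXieyfUvpg30Ew/chO55Cw.LL2Hol4sCo5xf75GT9Om4yxGEDYhifSlK0XKLMXM.GGOp9iCQeCaDS/"


def username_ok(name):
    """True if the user name uses only the characters the router permits."""
    return USERNAME_RE.match(name) is not None


def password_ok(password):
    """True if the password is non-empty and uses only permitted characters."""
    return PASSWORD_RE.match(password) is not None


def parse_sha512_crypt(value):
    """Return (salt, digest) for a well-formed $6$ hash, or None otherwise."""
    m = SHA512_CRYPT_RE.match(value)
    return (m.group("salt"), m.group("digest")) if m else None


def make_salt(length=16):
    """Random salt from the crypt alphabet (16 is the maximum sha512-crypt uses)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Produce a $6$ hash to paste into the router's user form.
    Uses the stdlib crypt module (deprecated in 3.11, removed in 3.13; use
    'openssl passwd -6' there). Returns None if no sha512-crypt is available."""
    if not password_ok(password):
        raise ValueError("password contains characters the router does not permit")
    try:
        import crypt
        result = crypt.crypt(password, "$6$" + (salt or make_salt()))
    except (ImportError, OSError):
        return None
    return result if parse_sha512_crypt(result) else None
```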

2.2. Authentication via certificate

The following elements of a certificate structure must be present for this type of authentication:

  • CA certificate (is stored in the router)

  • Client certificate (is stored in the web browser)

The creation of a certificate structure is described in this Configuration Guide in detail.

The security of this authentication method depends on the protection of the certificate structure. Everybody who has access to the client certificate or is able to create a client certificate with this CA certificate can get access to the web interface. Therefore, the transmission of the client certificate must also be taken into account for protection. Considering this, this authentication method is very secure and should usually be preferred to an authentication with user name and password.

  1. Open the web interface of the router (192.168.1.1) using a browser.

  2. Click on (Display help text) in the title bar to show helpful information regarding the configuration options in the Inline Help.

  3. In the Administration > Certificates menu under Import certificates or keys, select the CA certificate and click on Import certificates.

  4. Check the checkbox Activate web interface via HTTPS in the Administration > Web interface menu.

  5. Check the checkbox Activate client authentication via certificate.

  6. Select the CA certificate imported above under CA certificate for client authentication.

  7. Click on Save settings to adopt the changes.

  8. Activate the profile with a click on the blinking gear in the title bar.

  9. Import the client certificate in the web browser.

How the certificate is imported into the web browser depends on the browser used. Usually, the functions for importing certificates can be found under Settings > Data protection & security. The browser may have to be restarted, and security prompts may have to be acknowledged on the first access to the web interface.

2.3. Authentication via RADIUS

With this type of authentication, user management is handled by a RADIUS server. The router forwards the entered credentials to the RADIUS server, which then performs the authentication.

The security of this authentication method depends on the security of the RADIUS server operated by the user and the complexity and non-disclosure of the credentials. The connection to the RADIUS server is protected using a 'Shared Secret'.

  1. Open the web interface of the router (192.168.1.1) using a browser.

  2. Click on (Display help text) in the title bar to show helpful information regarding the configuration options in the Inline Help.

  3. Check the option Additionally authenticate at Radius server in the Administration > Radius menu.

  4. Enter the URI or IP address and the port of the RADIUS server under Server and Port.

  5. Enter the 'Shared Secret' of the RADIUS server under Shared Secret.

  6. Select the Default usergroup for the login via the RADIUS server.

  7. Click on Save settings to adopt the changes.

  8. Activate the profile with a click on the blinking gear in the title bar.

3. Important to know!

The following applies if more than one authentication method is configured:

  • If authentication via certificate is configured, authentication is always granted if the client certificate in the browser used to access the router was issued by the CA certificate stored on the router and is valid. Credentials then do not need to be entered.

  • If a RADIUS server is configured for authentication, authentication is always attempted first against the users configured locally on the router. Only if local authentication fails (for example because no user is configured, the entered user is disabled, or the entered password is missing or wrong) is authentication against the configured RADIUS server attempted. If the RADIUS server authorises the request, the user rights configured for a locally entered user with the same user name are used for this user. If the user is not entered locally at all, authentication is performed by the RADIUS server and the user rights configured generally for the RADIUS server are used.

User management via a RADIUS server also permits access to the REST interface and the CLI (command line interface) in addition to access to the web interface.
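The following Python function is an added model (not code from icom OS) of the precedence described above: local users are tried first, the RADIUS server only after a local failure, and the effective rights come from a same-named local account when one is entered, otherwise from the RADIUS default user group. The sample accounts and the fake RADIUS check are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class LocalUser:
    password: str        # clear text only to keep this model short
    group: str           # user group that determines the rights
    enabled: bool = True


# Constructed sample data: two local accounts (one disabled) and a fake RADIUS
# user base standing in for the real server.
SAMPLE_LOCAL_USERS = {
    "alice": LocalUser("pw-alice", "admin"),
    "bob": LocalUser("pw-bob", "read-only", enabled=False),
}
FAKE_RADIUS_USERS = {"alice": "radius-alice", "bob": "radius-bob", "carol": "radius-carol"}
RADIUS_DEFAULT_GROUP = "radius-default"


def fake_radius_check(username, password):
    """Stand-in for the Access-Request/Access-Accept exchange with the server."""
    return bool(password) and FAKE_RADIUS_USERS.get(username) == password


def resolve_login(username, password, local_users=SAMPLE_LOCAL_USERS,
                  radius_check=fake_radius_check, radius_default_group=RADIUS_DEFAULT_GROUP):
    """Return the effective user group for a login, or None if it is rejected."""
    local = local_users.get(username)
    # 1. Locally configured users are always tried first.
    if local and local.enabled and password and local.password == password:
        return local.group
    # 2. Only after a local failure (no user, disabled, empty or wrong password)
    #    is the RADIUS server asked.
    if not radius_check(username, password):
        return None
    # 3. RADIUS accepted: rights come from the local account of the same name if
    #    one is entered (the guide does not exempt disabled accounts), otherwise
    #    from the default user group configured for RADIUS logins.
    return local.group if local else radius_default_group
```

A consequence worth checking in your own setup: a RADIUS-authenticated login inherits the local group of a same-named account, so local and RADIUS user names should be kept consistent.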

4. Troubleshooting

  • When entering passwords, make sure that the Shift Lock (Caps Lock) or Num Lock key has not been pressed accidentally.

  • When authenticating via a certificate, make sure that the certificate has not expired and that the date and time on the router are correct.

  • If authentication against a RADIUS server is not possible, first verify whether the RADIUS server can be reached at all.

  • If you have locked yourself out of the router due to a wrong configuration, it can be reset to default settings by pressing the reset key three times within 2 seconds. This will delete all settings.
