The Security Configuration dialog allows users to manage security settings such as viewing currently-applied security certificates, the status of 802.1x and settings associated with the web sever.
Note that unconfigured Qt X devices or devices and systems that have not been protected will be at risk from malicious attacks. Such attacks include denial of service, intentional mis-configuration and theft of credentials if deployed on a network that is not fire-walled or adequately protected. Qt X devices are shipped in an 'unprotected' state to allow installers to configure and use the device without requiring explicit authentication or authorization. Protected devices and systems will require authentication and authorization enabled by the user either through this software or via the WebUI.
The Certificates tab is accessed from the Device Information screen - Operations tab. Press the Certificate Management button.
(NPX certificate management will be enabled in a future release).
From the certificates tab, users may view the factory-installed security certificates attached to the device. Information provided includes the certificate expiration date, validation status if the certificate is self-signed, etc. Users have the options under the Commands tab to export or delete the security certificate. Users may also import a security certificate by clicking the Browse button. Enter the certificate pass phrase to import the security certificate.
The 802.1X Certificates tab allows configuring 802.1X security protocols for the Control and Media ports. 802.1X. is an IEEE standard for port-based Network Access Control (PNAC) and is part of the IEEE 802.1 group of networking protocols. 802.1X provides an authentication method for connecting devices to a Qt X system.
NOTE: There are exceptions to 802.1X functionality in certain modes (Single Cable, Dante, etc.). Refer to Cornerstone QtX articles here for specific information.
Users configuring 802.1X and choosing the EAP method should be knowledgeable in network security and the requirements of the enterprise network in which the Qt X devices are being installed.
802.1X security may be selected for the Control or Media ports on the selected Qt X sound masking controller. Connected devices must support 802.1X to enable the security protocol:
Users must choose which Mode to apply. Mode establishes the Extensible Authentication Protocol (EAP) by which authentication takes place and is disabled by default (EAP_NONE).
A brief description of each EAP method is given in the table that follows:
|
Mode |
Protocol |
|---|---|
|
EAP_NONE |
EAP is disabled |
|
EAP_PEAP_MSCHAPV2 |
Server authentication via certificate; Client authorization via user name and password |
|
EAP_TLS |
Certificate-based two-way authentication |
|
EAP_TTLS_EAP_MSCHAPV2 |
Server authentication via certificate; Client authorization via user name and password |
Users may select a Root or Client certificate based on the security requirements of the organization.
Root Certificate
The Qt X comes factory-equipped with a root certificate issued by Biamp (a trusted Certificate Authority (CA).) Users may choose to apply the Biamp Production Root certificate, or supply their own. Clicking 'Select Certificate' will allow the user to browse to available certificates. Users may upload their own certificate via the Certificates Tab.
Click Apply. The 802.1X Certificate Management window will reflect the applied certificate:
Client Certificate
The Qt X also comes factory-equipped with a client certificate, which is used to make authenticated requests to a remote server. Users may choose to apply the device client certificate, or supply their own. Clicking 'Select Certificate' will allow the user to browse to available certificates. Users may upload their own certificate via the Certificates Tab.
Click Apply. The 802.1X Certificate Management window will reflect the applied certificate:
The Web Server tab allows selecting the security certificate for the Qt X web interface (must be a client certificate). Client certificates are used to authenticate the client (user) identity to the server.
