Security Options
A VoiceConsole On Prem deployment provides support for several authentication and encryption methods.
- To keep networks secure, Honeywell recommends combining authentication with an encryption protocol that supports those authentication methods.
- Authentication verifies that the user attempting to join the network is who they claim to be. Server certificates let the user verify that they are connecting to the proper network.
- Encryption transforms data into an unreadable form. The recipient of the data requires a pre-supplied key to decode it.
- To secure web server communications, VoiceConsole On Prem deployment supports HTTPS. To secure device connectivity on a wireless network, VoiceConsole On Prem deployment uses Extensible Authentication Protocol (EAP). This section provides a brief description of these options. See Configure Security for setup information.
- You can set up the following types of authentication and encryption in device profiles:
  - WEP: Wired Equivalent Privacy
  - WPA/PSK and WPA2/PSK: Wi-Fi Protected Access with a Pre-shared Key
Hypertext Transfer Protocol Secure (HTTPS)
HTTPS is a networking protocol that secures web- or browser-based transactions over a network that is not itself secure. Every HTTPS user connection is established using the server's digital certificate, which the browser uses to verify the server's identity and to negotiate encryption for the data it transmits.
For VoiceConsole On Prem deployment, this protection is effective only if the browser verifies a certificate as valid and issued by a trusted authority. Therefore, you must ensure that the server certificate is installed correctly and the browser used for VoiceConsole On Prem deployment administration is configured to accept the certificate.
What You Need for VoiceConsole On Prem deployment
If you are configuring VoiceConsole On Prem deployment for HTTPS, you need:
- Java keytool utility to create a certificate request
- A signed certificate
See Create and Install a Certificate for HTTPS for more information.
Extensible Authentication Protocol
VoiceConsole On Prem deployment distributes credentials to devices in the device profile. Once these credentials are on the devices, the devices use them to connect to the wireless network. Credentials only need to be entered once per site, operator, or device until the credentials need to be changed. When necessary, VoiceConsole On Prem deployment manages the distribution of the new credentials.
How to configure EAP in VoiceConsole On Prem deployment is described in detail in Configure EAP for the Site.
Site-wide Configuration
Although VoiceConsole On Prem deployment offers three credential association types (site-based, device-based, and operator-based), each of these must be configured on a site-wide basis. That is, even if the client selects device- or operator-based security, all devices and operators at a particular site must use the same type of security. This is enforced by the user interface, which requires that you select one and only one EAP type per site. See the section labeled Association Types for more information on these types.
Restricted User
If EAP authentication is selected for the restricted user, the device connects to the network with a restricted set of credentials, identifying itself as a Honeywell device. It can only connect to VoiceConsole On Prem deployment for the purpose of loading the proper credentials. You can further restrict this user's access by assigning it to a different SSID that only has access to a portion of the network. This different SSID may be on an open network, in which case you would not need credentials for the restricted user. Without the restricted user solution, credentials would have to be loaded onto each device through the serial port whenever they expire or become obsolete because a password was changed.
The restricted user also has the following roles:
- When the device is in the charger, the restricted user logs onto the network.
- Credentials are distributed by way of the restricted user, either through TouchConfig or over the network.
- The restricted user can load tasks and operators.
If you are using static IP addresses rather than DHCP, the restricted user must be on the same network as the non-restricted user, because devices cannot support two static IP addresses.
You can configure the following Extensible Authentication Protocol methods for each site:
- EAP-TLS: EAP-Transport Layer Security
- EAP-TTLS/MSCHAPv2: EAP-Tunneled Transport Layer Security/Microsoft Challenge Handshake Authentication Protocol
- PEAPv0/EAP-MSCHAPv2: Protected Extensible Authentication Protocol/Microsoft Challenge Handshake Authentication Protocol
- PEAPv1/EAP-GTC: Protected Extensible Authentication Protocol/Generic Token Card
- LEAP: Lightweight Extensible Authentication Protocol
Association Types
Because the devices do not provide a user interface for entering usernames, passwords, and Personal Identification Numbers, Honeywell developed the concept of Association Types. Association types determine the point at which credentials are required.
For each site, you can select one of the following:
Site Based
There is a single username and password or certificate for all operators and devices at a given site.
Device Based
Each device has its own username and password or certificate. In this configuration, operators don't need to be involved in the authentication process, because all authentication is between the device and the authentication server.
Operator Based
Each operator must log onto VoiceConsole On Prem deployment to enter a username and password and, optionally, a PIN. The operator must enter that password (and PIN, if selected) on the device before the user can connect to the full network.
The EAP options are configured either by an IT professional or with significant input from one. This person decides which type of configuration is used at the site and has the needed information.
What You Need
If you are configuring VoiceConsole On Prem deployment for EAP, you need the following information.
- The EAP type used.
- Association type.
- Type of credentials that the client wants the device to use to authenticate to the network.
- Whether the user needs to enter a PIN to get onto the network.
- Whether the device logs off when it goes into the charger.
- The username and password or certificate of the restricted user that the device uses when it is in the charger in order to communicate to VoiceConsole On Prem deployment.
- If Certificate is selected as the credential type, Honeywell strongly recommends using PEM (Base64) formatted certificates.
- The PIN that the user must enter to log onto the network.
LDAP settings are optional for site- and device-based association types. They are required for the operator-based association type. If you choose to use LDAP, you also need:
- The hostname of the machine on which the LDAP server is running.
- The port on which the LDAP server is listening.
- The username that VoiceConsole On Prem deployment uses when attempting to find the distinguished name of an operator in the Directory Service.
- The password that VoiceConsole On Prem deployment uses when attempting to find the distinguished name of an operator in the Directory Service.
- The search base that VoiceConsole On Prem deployment uses when trying to find a particular user in the Directory Service.
- The attribute that VoiceConsole On Prem deployment searches on when trying to find a particular user in the Directory Service.
- The attribute that VoiceConsole On Prem deployment modifies when changing the password of a user in the Directory Service.
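The following is an added example, not VoiceConsole code, showing how the LDAP settings listed above fit together for the operator-based association type: it checks that the required settings are present and builds the operator lookup filter from the configured search attribute, escaping the operator name per RFC 4515 so that a name containing filter metacharacters cannot widen the search. The field names and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class LdapSettings:
    """The LDAP settings the documentation lists (field names are assumed)."""
    host: str                # hostname of the machine running the LDAP server
    port: int                # port the LDAP server listens on
    bind_user: str           # username used to find an operator's distinguished name
    bind_password: str       # password for that username
    search_base: str         # where the search for an operator starts
    search_attribute: str    # attribute matched against the operator name
    password_attribute: str  # attribute modified when an operator's password changes

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape an operator name so it is matched literally, never as a wildcard."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

def operator_search_filter(settings: LdapSettings, operator: str) -> str:
    """Filter used to find exactly one operator, e.g. (uid=jdoe)."""
    return f"({settings.search_attribute}={escape_filter_value(operator)})"

def validate_settings(settings: LdapSettings, association_type: str) -> List[str]:
    """Return the problems to fix before saving the site's LDAP settings."""
    problems: List[str] = []
    if association_type != "operator":
        return problems  # LDAP is optional for site- and device-based sites
    required = ["host", "bind_user", "bind_password", "search_base",
                "search_attribute", "password_attribute"]
    problems += [f"{name} is required for operator-based association"
                 for name in required if not getattr(settings, name)]
    if not 1 <= settings.port <= 65535:
        problems.append("port must be between 1 and 65535")
    elif settings.port == 389:
        # Plain LDAP on 389 carries the bind password and operator passwords in
        # cleartext unless StartTLS is negotiated; flag it for review.
        problems.append("port 389 is plaintext LDAP unless StartTLS is used; "
                        "prefer LDAPS (636) or confirm StartTLS")
    return problems

if __name__ == "__main__":
    # Constructed sample settings for a directory at ldap.example.internal.
    site = LdapSettings("ldap.example.internal", 636, "svc-voiceconsole", "secret",
                        "ou=operators,dc=example,dc=com", "uid", "userPassword")
    print(operator_search_filter(site, "jdoe"))
    print(operator_search_filter(site, "*)(uid=*"))   # metacharacters are escaped
    print(validate_settings(site, "operator"))       # [] when nothing is missing
```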