|
Home > Archive > Voice over IP Cisco > October 2007 > user access to ccmuser web pages
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
user access to ccmuser web pages
|
|
| Eric Pedersen 2007-09-28, 1:11 pm |
| I'm using callmanager 5.1. I want to enable general user access to the
callmanager ccmuser web pages. I have not seen any way to allow this
without also giving access to ccmadmin/osadmin/etc. web pages, which I
don't want to do for obvious security reasons. Is there a way to do
this?
Thanks,
Eric
| |
| Patrick Diener 2007-09-28, 7:11 pm |
| just assign the users to the "Standard CCMUser" (or something like it)
User Group that should work...
Regards
Patrick
On 9/28/07, Eric Pedersen <eric.pedersen@sait.ca> wrote:
>
>
> I'm using callmanager 5.1. I want to enable general user access to the
> callmanager ccmuser web pages. I have not seen any way to allow this
> without also giving access to ccmadmin/osadmin/etc. web pages, which I don't
> want to do for obvious security reasons. Is there a way to do this?
>
> Thanks,
> Eric
> ________________________________________
_______
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
| |
|
|
| Fred Nielsen 2007-09-28, 7:11 pm |
| It *sure* would be nice if there were a way to do this by default, i.e. as
new user accounts are synced from LDAP have them automatically assigned to a
user group, or alternatively have a user group that can be assigned as
"default" without explicit membership.
For day to day MAC work this had added one more step that needs to be looked
after for new-hires etc.
-Fred Nielsen
On 9/28/07, Wes Sisk <wsisk@cisco.com> wrote:
>
> check out the "Standard CCM End Users" group.
>
> Eric Pedersen wrote:
>
> I'm using callmanager 5.1. I want to enable general user access to the
> callmanager ccmuser web pages. I have not seen any way to allow this
> without also giving access to ccmadmin/osadmin/etc. web pages, which I don't
> want to do for obvious security reasons. Is there a way to do this?
>
> Thanks,
> Eric
>
> ------------------------------
>
> ________________________________________
_______
> cisco-voip mailing listcisco-voip@puck.nether.nethttps://puck.nether.net/mailman/listinfo/cisco-voip
>
>
> ________________________________________
_______
> cisco-voip mailing list
> cisco-voip@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
| |
| Eric Pedersen 2007-09-28, 7:11 pm |
| I wasn't clear enough. We have a limited range of IP addresses that are
trusted for callmanager administration, and we have larger IP ranges
where our general user population reside. I would like to filter what
networks can access ccmadmin, os admin, etc. so that the general user
population can't even get to the login screen. Because ccmadmin and
ccmuser use the same tcp ports, and I haven't found any way to change
this, I cannot simply filter admin access with router ACLs.
Simple username and password authentication isn't a particularly secure
way to protect such a key piece of infrastructure ... you're just one
accidental password disclosure or web server bug away from a hacked
callmanager.
________________________________
From: Wes Sisk [mailto:wsisk@cisco.com]
Sent: September 28, 2007 12:14
To: Eric Pedersen
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
check out the "Standard CCM End Users" group.
Eric Pedersen wrote:
I'm using callmanager 5.1. I want to enable general user access
to the callmanager ccmuser web pages. I have not seen any way to allow
this without also giving access to ccmadmin/osadmin/etc. web pages,
which I don't want to do for obvious security reasons. Is there a way
to do this?
Thanks,
Eric
________________________________
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
|
|
| Lelio Fulgenzi 2007-09-28, 7:11 pm |
| With IIS, you can modify the IIS controls. You have to be very careful of this though since you can break things quite easily.
The one other reason I wanted to do this was to 'hide' the corporate directory, which needs no userID/password at all. If you had some unlisted numbers, users could easily find them.
----- Original Message -----
From: Eric Pedersen
To: Wes Sisk
Cc: cisco-voip@puck.nether.net
Sent: Friday, September 28, 2007 2:31 PM
Subject: Re: [cisco-voip] user access to ccmuser web pages
I wasn't clear enough. We have a limited range of IP addresses that are trusted for callmanager administration, and we have larger IP ranges where our general user population reside. I would like to filter what networks can access ccmadmin, os admin, etc. so that the general user population can't even get to the login screen. Because ccmadmin and ccmuser use the same tcp ports, and I haven't found any way to change this, I cannot simply filter admin access with router ACLs.
Simple username and password authentication isn't a particularly secure way to protect such a key piece of infrastructure ... you're just one accidental password disclosure or web server bug away from a hacked callmanager.
------------------------------------------------------------------------------
From: Wes Sisk [mailto:wsisk@cisco.com]
Sent: September 28, 2007 12:14
To: Eric Pedersen
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
check out the "Standard CCM End Users" group.
Eric Pedersen wrote:
I'm using callmanager 5.1. I want to enable general user access to the callmanager ccmuser web pages. I have not seen any way to allow this without also giving access to ccmadmin/osadmin/etc. web pages, which I don't want to do for obvious security reasons. Is there a way to do this?
Thanks,
Eric
----------------------------------------------------------------------------
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
------------------------------------------------------------------------------
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
| Eric Pedersen 2007-09-28, 7:11 pm |
| Thanks Wes. Filtering management IP address is standard security
practice on routers and switches, and is easy to implement. Do you know
if there is a feature request for something similar in callmanager?
________________________________
From: Wes Sisk [mailto:wsisk@cisco.com]
Sent: September 28, 2007 13:03
To: Eric Pedersen
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
Eric,
Good clarification. Nothing built into the product to allow this, but
sounds like a good use of a proxy server. AONS/firewall would not work
because it's https and encrypted on the wire.
/Wes
Eric Pedersen wrote:
I wasn't clear enough. We have a limited range of IP addresses
that are trusted for callmanager administration, and we have larger IP
ranges where our general user population reside. I would like to filter
what networks can access ccmadmin, os admin, etc. so that the general
user population can't even get to the login screen. Because ccmadmin
and ccmuser use the same tcp ports, and I haven't found any way to
change this, I cannot simply filter admin access with router ACLs.
Simple username and password authentication isn't a particularly
secure way to protect such a key piece of infrastructure ... you're just
one accidental password disclosure or web server bug away from a hacked
callmanager.
________________________________
From: Wes Sisk [mailto:wsisk@cisco.com]
Sent: September 28, 2007 12:14
To: Eric Pedersen
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
check out the "Standard CCM End Users" group.
Eric Pedersen wrote:
I'm using callmanager 5.1. I want to enable general
user access to the callmanager ccmuser web pages. I have not seen any
way to allow this without also giving access to ccmadmin/osadmin/etc.
web pages, which I don't want to do for obvious security reasons. Is
there a way to do this?
Thanks,
Eric
________________________________
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
|
|
| Anderson, Ian 2007-10-15, 1:11 pm |
| Hi
We route all requests for ccmuser through a squid reverse proxy running
under linux... Works fine and achieves what you are after
/Ian
From: cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Eric Pedersen
Sent: 28 September 2007 21:07
To: Wes Sisk
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
Thanks Wes. Filtering management IP address is standard security
practice on routers and switches, and is easy to implement. Do you know
if there is a feature request for something similar in callmanager?
________________________________
From: Wes Sisk [mailto:wsisk@cisco.com]
Sent: September 28, 2007 13:03
To: Eric Pedersen
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
Eric,
Good clarification. Nothing built into the product to allow this, but
sounds like a good use of a proxy server. AONS/firewall would not work
because it's https and encrypted on the wire.
/Wes
Eric Pedersen wrote:
I wasn't clear enough. We have a limited range of IP addresses that are
trusted for callmanager administration, and we have larger IP ranges
where our general user population reside. I would like to filter what
networks can access ccmadmin, os admin, etc. so that the general user
population can't even get to the login screen. Because ccmadmin and
ccmuser use the same tcp ports, and I haven't found any way to change
this, I cannot simply filter admin access with router ACLs.
Simple username and password authentication isn't a particularly secure
way to protect such a key piece of infrastructure ... you're just one
accidental password disclosure or web server bug away from a hacked
callmanager.
________________________________
From: Wes Sisk [mailto:wsisk@cisco.com]
Sent: September 28, 2007 12:14
To: Eric Pedersen
Cc: cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] user access to ccmuser web pages
check out the "Standard CCM End Users" group.
Eric Pedersen wrote:
I'm using callmanager 5.1. I want to enable general user access to the
callmanager ccmuser web pages. I have not seen any way to allow this
without also giving access to ccmadmin/osadmin/etc. web pages, which I
don't want to do for obvious security reasons. Is there a way to do
this?
Thanks,
Eric
________________________________
________________________________________
_______
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
|
|
|
|
|