

Description:
You have the option to configure your LANCOM router with several administrators, each with different access rights and function rights.

This document describes how you can add additional administrators and it also explains the meaning and effect of the different access rights and function rights.


Requirements:


1) Procedure:

1.1) Open the configuration for the LANCOM router in LANconfig and switch to the menu item Management -> Admin -> Further administrators.



1.2) Create a new entry and enter a user name and password in the upper part of the dialog.

    Note:
    You can use the button Generate password to select a password strength and then automatically generate a password corresponding to this strength. We recommend that you use the setting Maximum here.

    If you select User defined, you can influence the automatically generated password in the Settings pane, although for security reasons you should not change the default settings.



1.3) The rights for administrators are divided into two areas:
  • Access rights: Each administrator belongs to a certain group that has globally defined rights assigned to it.

| Name | Rights description |
|---|---|
| All | Supervisor. Is a member of all groups and has full access to the configuration of the LANCOM router. |
| Restr. and trace | Local administrator with read/write rights. Has full access to the configuration, although the following options are blocked: upload firmware onto the device; upload configuration onto the device; configuration by LANconfig. |
| Limited | Local administrator with read and write access but without trace rights. Has full access to the configuration, although the following options are blocked: upload firmware onto the device; upload configuration onto the device; configuration by LANconfig; trace output via the command line or LANmonitor. |
| Read and trace | Local administrator with read access but no write access. Can read the configuration from the command line, but cannot change any values. |
| Read only | Local administrator with read access but no write access and no trace rights. Can read the configuration from the command line, but cannot change any values or request trace output. |
| None | Has no access to the configuration. |

  • Function rights: Each administrator can be given "function rights" that determine personal access to certain functions such as the Setup Wizards.

    The function rights differ depending on the capabilities of the device (router, access point, software options, etc.).

| Name | Rights description |
|---|---|
| Basic Wizard | Setup Wizard for the basic configuration of the device may be used. |
| Internet Connection Wizard | Setup Wizard for configuring the Internet connection may be used. |
| RAS Account Wizard | Setup Wizard for setting up a dial-in account (RAS, VPN) may be used. |
| Rollout Wizard | Setup Wizard for setting up a roll-out configuration may be used. * |
| Content-Filter Wizard | Setup Wizard for setting up the Content Filter may be used. |
| Setting date and time | Setting the date and time (also applies for Telnet/SSH and TFTP) is allowed. |
| Search for other devices in the LAN | Search for other devices in local and remote networks may be performed. * |
| SSH client | Establishing an SSH / Telnet connection from your device to other LCOS devices or SSH / Telnet servers is allowed. |
| Security Settings Wizard | Setup Wizard used to check the security settings can be used. |
| LAN-LAN Wizard | Setup Wizard for connecting two local area networks (VPN) may be used. |
| WLAN Wizard | Setup Wizard for setting up the WLAN may be used. |
| Dynamic DNS Wizard | Setup Wizard for configuring dynamic DNS may be used. |
| WLAN link test | The WLAN link test can be run * (also applies to Telnet/SSH) |
| Public Spot Wizard (Public Spot configuration) | Setup Wizard for configuring a Public Spot may be used. |
| Public Spot Wizard (create account) | Setup Wizard for configuring Public Spot users/accounts may be used. * |
| Public Spot Wizard (manage users) | Setup Wizard for managing Public Spot users/accounts may be used. * |
| Public Spot XML interface | Access to the XML interface of the Public Spot module is allowed. Note: A 'normal' Public Spot administrator does not require this right. This right is intended for the implementation of complex authentication scenarios, such as when an external gateway (e.g. a machine or a program such as a Web server, script, etc.) needs to communicate with the module. |
| SMS-Transmit | Sending SMS text messages via the 3G/4G WWAN module in the device is allowed. |
| WLC Profile Wizard | Setup Wizard for setting up a WLC profile may be used. |
| VoIP Provider Wizard | Wizard for setting up access to your VoIP (All-IP) provider may be used. |

*) The permissions for and/or the execution of these Wizards or features relate exclusively to WEBconfig, unless otherwise stated. The Wizard or feature is either only available there (e.g. setting up and managing Public Spot users) or can only be restricted there (e.g. searching for devices).


2) Configuration examples:

2.1) Permission to read out passwords:
  • To do this, at least read-only must be set as an access right. The administrator can read the configuration settings for a device in the LANconfig/WEBconfig interface and also via the command line. It is not possible to change the configuration or generate trace output.


2.2) Permission to read out the status tree:
  • To do this, read-only must be set as an access right. The administrator can read the status tree for a device in the WEBconfig interface and also via the command line. It is not possible to add, change, or delete any values.


2.3) Permission to use show commands:
  • To do this, at least read-only must be set as an access right. The one exception is the show script command, which can only be run by users with the access right All.


2.4) Permission to use an SSH client:
  • The permission for command-line access to the LANCOM router via SSH client must be set globally in the menu item Management -> Admin -> Access rights -> From the local network / From remote networks.




2.5) Permission to create a TCP/HTTP tunnel:
  • To create a TCP/HTTP tunnel, you must have the access right All.
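
Added example (not LANCOM code): a small least-privilege check built on the access rights table in 1.3 and the rules in 2.3 and 2.5. It picks the narrowest access right that covers what a role needs and flags accounts whose assigned right differs. The capability labels and the sample accounts are constructed for illustration, and LANconfig access is not modelled.

```python
# Capabilities per access right, transcribed from this page. Capability names
# are constructed labels; LANconfig access is not modelled.
READ, WRITE, TRACE = "read", "write", "trace"
FW, CFG = "upload_firmware", "upload_config"
SHOW_SCRIPT, TUNNEL = "show_script", "tcp_http_tunnel"

# Ordered so that the first right covering a need is the narrowest one.
ACCESS_RIGHTS = [
    ("None", frozenset()),
    ("Read only", frozenset({READ})),
    ("Read and trace", frozenset({READ, TRACE})),
    ("Limited", frozenset({READ, WRITE})),
    ("Restr. and trace", frozenset({READ, WRITE, TRACE})),
    ("All", frozenset({READ, WRITE, TRACE, FW, CFG, SHOW_SCRIPT, TUNNEL})),
]
CAPS = dict(ACCESS_RIGHTS)

def least_privileged(needed):
    """Return the narrowest access right whose capabilities cover `needed`."""
    needed = frozenset(needed)
    if not needed <= CAPS["All"]:
        raise ValueError(f"unknown capability: {sorted(needed - CAPS['All'])}")
    return next(name for name, caps in ACCESS_RIGHTS if needed <= caps)

def audit(admins):
    """List accounts whose assigned right differs from the narrowest sufficient one."""
    findings = []
    for user, assigned, needed in admins:
        needed, have = frozenset(needed), CAPS[assigned]
        recommended = least_privileged(needed)
        if recommended == assigned:
            continue
        if needed <= have:   # everything needed is granted, plus extras
            findings.append((user, "over-privileged", recommended, sorted(have - needed)))
        else:                # something the role needs is not granted
            findings.append((user, "under-privileged", recommended, sorted(needed - have)))
    return findings

# Constructed sample inventory: (user, assigned access right, capabilities needed).
SAMPLE_ADMINS = [
    ("noc-monitor", "All", {READ, TRACE}),
    ("helpdesk", "Limited", {READ}),
    ("rollout", "All", {READ, WRITE, FW}),
    ("wlan-ops", "Read only", {READ, WRITE}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ADMINS):
        print(*finding, sep=" | ")
```

The fourth field of each finding lists the capabilities that would be removed (over-privileged) or are missing (under-privileged) if the recommended right were applied in the Further administrators table.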