Provisioning Basics

Automatic In-House Preprovisioning

Using the web UI and issuing a resync URL is convenient for a customer in the retail deployment model, but it is not as convenient for preprovisioning a large number of units.

The SPA9x2 supports a more convenient mechanism for in-house preprovisioning. With the factory default configuration, a SPA9x2 automatically tries to resync to a specific file on a TFTP server, whose IP address is offered as one of the DHCP-provided parameters. This lets a service provider connect each new SPA9x2 to a LAN environment configured to preprovision SPAs. Any new SPA9x2 connected to this LAN automatically resyncs to the local TFTP server, initializing its internal state in preparation for deployment. Among other parameters, this preprovisioning step configures the URL of the SPA9x2 provisioning server.

Subsequently, when a new customer signs up for service, the preprovisioned SPA9x2 can be simply bar-code scanned, to record its MAC address or serial number, before being shipped to the customer. Upon receiving the unit, the customer connects the unit to the broadband link, possibly through a router. On power-up the SPA9x2 already knows the server to contact for its periodic resync update.

Configuration Access Control

Besides configuration parameters that control resync and upgrade behavior, the SPA9x2 provides mechanisms for restricting end-user access to various parameters.

The SPA9x2 firmware provides specific privileges for login to a User account and an Admin account. The Admin account is designed to give the service provider or VAR configuration access to the SPA9x2, while the User account is designed to give limited and configurable control to the end user of the device.

The User and Admin accounts can be independently password protected. The configuration parameters available to the User account are completely configurable in the SPA, on a parameter-by-parameter basis. Optionally, user access to the SPA9x2 web UI can be totally disabled.

The Internet domains accessed by the SPA9x2 for resync, upgrades, and SIP registration for Line 1 can be restricted.

Using HTTPS

The SPA9x2 provides a reliable and secure provisioning strategy based on HTTPS requests from the SPA9x2 to the provisioning server, using both server and client certificates for authenticating the client to the server and the server to the client.

To use HTTPS with Linksys SPA9x2 phones, you must generate a Certificate Signing Request (CSR) and submit it to Linksys. Linksys generates a certificate for installation on the provisioning server that is accepted by SPA9x2 phones when they seek to establish an HTTPS connection with the provisioning server.
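As an added example (not taken from the Linksys guide), one way to generate the provisioning server's key pair and CSR with OpenSSL and check the request before submitting it. The hostname, subject fields, 2048-bit RSA key size and file names are assumptions; this page does not state which subject fields or key parameters Linksys accepts.

```shell
#!/bin/sh
# Added example: create and sanity-check a CSR for the provisioning server.
# Hostname, subject fields, key size and file names are assumptions.

# make_csr FQDN OUTDIR: writes OUTDIR/provserver.key and OUTDIR/provserver.csr
make_csr() {
    fqdn=$1; out=$2
    mkdir -p "$out" || return 1
    # The private key stays on the provisioning server; create it owner-only.
    ( umask 077
      openssl genrsa -out "$out/provserver.key" 2048 2>/dev/null ) || return 1
    # CN is the host name the phones will use in their HTTPS provisioning URL.
    openssl req -new -key "$out/provserver.key" \
        -subj "/O=Example Provider/CN=$fqdn" \
        -out "$out/provserver.csr" || return 1
}

# csr_cn CSR: prints the commonName found in the CSR subject
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# csr_ok CSR KEY: succeeds only if the CSR self-signature verifies and the
# public key inside the CSR belongs to KEY (catches a mixed-up key file).
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Demo in a scratch directory with a constructed host name.
demo_dir=$(mktemp -d)
if make_csr provision.example.com "$demo_dir" &&
   csr_ok "$demo_dir/provserver.csr" "$demo_dir/provserver.key"; then
    echo "CSR subject CN: $(csr_cn "$demo_dir/provserver.csr")"
fi
rm -rf "$demo_dir"
```

Only the `.csr` file is submitted; the `.key` file is what the provisioning server later pairs with the issued certificate.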

Linksys SPA9x2 Phone Administration Guide
