By default, provisioning profiles are openly available over HTTP to anyone who knows the specific MAC ID of a phone. For added protection, you can also lock down device provisioning files with a username and password. These credentials must be configured in the NDP per device.


While allowing provisioning files to be reached without authentication may seem to be a security risk, we have taken precautions to thwart abuse by malicious users. Specifically, we monitor all IP addresses that scan the provisioning server and automatically block any endpoint that makes fraudulent attempts to reach provisioning files. We have found that this practice achieves the optimal balance of protection and ease of provisioning.

Adding HTTP Auth to NDP

To secure device provisioning profiles with a username and password, follow these steps:

A. Locate the device to be configured in NDP.


B. Enter a username and password for the device.

If the password field is not set, then requests will not be authenticated. If the password field is set, then the SIP device will not be able to retrieve a provisioning file if the username and password do not match what has been entered in the NDP.

How to set the Provisioning Username and Password on the Phone(s)

You can set the provisioning username and password in each device's GUI, under its auto-provisioning tab, or by including them in your DHCP Option string (if all devices use the same username and password combination).

DHCP Option 43/66/160

A DHCP Option string example is below.

http://skyswitch:123456@sipcfg.io/cfg/

Overrides

You can also include the HTTP Auth Username and Password as overrides. In each of the following examples, we are using 'skyswitch' as the username and '123456' as the password.


Yealink

static.auto_provision.server.username="skyswitch"
static.auto_provision.server.password="123456"

Polycom

device.prov.user="skyswitch"
device.prov.password="123456"

Vtech ET Series

For Vtech phones, the Auth URL must be included in the provisioning string.

setting_server="http://skyswitch:123456@sipcfg.io/cfg/{mac}"

Grandstream GXP Phones

P1360="skyswitch"
P1361="123456"
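
The sketch below is an added example, not part of the original page or of any vendor tooling. It generates a per-device password and renders the DHCP option URL and the override lines shown above. The function names are hypothetical, and limiting credentials to RFC 3986 unreserved characters is an assumption made here so the same value can be used unmodified in a URL and in a quoted override line.

```python
import secrets
import string
from urllib.parse import urlsplit

# RFC 3986 "unreserved" characters: they need no percent-encoding in a URL
# and cannot end the quoted value in a key="value" override line.
SAFE = set(string.ascii_letters + string.digits + "-._~")
BASE_URL = "http://sipcfg.io/cfg/"  # host and path as shown on this page

# Override templates copied from the vendor sections of this page.
TEMPLATES = {
    "yealink": ['static.auto_provision.server.username="{u}"',
                'static.auto_provision.server.password="{p}"'],
    "polycom": ['device.prov.user="{u}"', 'device.prov.password="{p}"'],
    "grandstream": ['P1360="{u}"', 'P1361="{p}"'],
    "vtech": ['setting_server="{url}{{mac}}"'],
}

def new_password(nbytes=18):
    """Random password drawn only from URL-safe characters (A-Z a-z 0-9 - _)."""
    return secrets.token_urlsafe(nbytes)

def check_credential(value):
    """Reject empty values and characters such as '@', ':' or '"'."""
    bad = sorted(set(value) - SAFE)
    if not value or bad:
        raise ValueError(f"unsafe credential characters: {bad!r}")
    return value

def auth_url(username, password, base=BASE_URL):
    """Build the user:password@host form used in the DHCP option string."""
    u, p = check_credential(username), check_credential(password)
    parts = urlsplit(base)
    return f"{parts.scheme}://{u}:{p}@{parts.netloc}{parts.path}"

def overrides(vendor, username, password):
    """Render the override lines for one vendor from the templates above."""
    url = auth_url(username, password)  # also validates both credentials
    return [t.format(u=username, p=password, url=url) for t in TEMPLATES[vendor]]

def describe(url):
    """Parse a provisioning URL back into the fields a reviewer checks."""
    parts = urlsplit(url)
    return {"scheme": parts.scheme, "host": parts.hostname,
            "username": parts.username, "password": parts.password}
```

Calling `overrides("yealink", "skyswitch", new_password())` yields lines ready to paste as overrides, and `describe()` on a DHCP option string shows which credentials and scheme it carries.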