dmazan Posted July 6, 2016
I have a bunch of devices on my local network where I'd like to have open access to lighting control (and no administrative access). How can I allow non-administrative access from my local network without having to sign on?
Michel Kohanim Posted July 6, 2016
Hi dmazan, Unfortunately you cannot. With kind regards, Michel
KeviNH Posted July 6, 2016
> I have a bunch of devices on my local network where I'd like to have open access to lighting control (and no administrative access). How can I allow non-administrative access from my local network without having to sign on?
There is no supported way to do this with just the ISY by itself. Do you have any sort of a server on your local network, something like a Raspberry Pi or another Unix-like machine that is always on? If so, you can make this work by running a listener on that machine that forwards lighting commands but blocks admin commands. It's not trivial, but it is possible.
PurdueGuy Posted July 6, 2016
You can expose the REST interface with Transparent ISY Proxy running on a RaspberryPi. https://sites.google.com/site/isyajax/other-tools-php-code
dmazan Posted July 6, 2016
Thanks for the ideas. I currently have multiple locations with multiple Windows boxes running HomeSeer. The idea with the ISY is to reduce complexity and the number of potential failure points. Writing my own interface to replace one that I paid money for isn't in the cards. Hopefully the ISY will become a fully usable production out of the box.
KeviNH Posted July 6, 2016
I didn't write my own interface.
> You can expose the REST interface with Transparent ISY Proxy running on a RaspberryPi. https://sites.google.com/site/isyajax/other-tools-php-code
That's basically what I did; took a commercially available proxy and wrote about 5 lines of configuration settings to:
- Deny requests for admin
- Deny requests not coming from specific internal IPs
- Permit requests for the WebUI and certain REST commands (RunIf, RunThen, etc).
- Insert an authentication header with the ISY username,password.
- Forward permitted requests to the ISY.
Took me about an hour to set up and test.
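The five rules listed in the post above, written out as a default-deny policy check. This is an added example, not KeviNH's configuration and not code from the linked proxy; the subnets, URL patterns and function names are assumptions chosen for illustration.

```python
import base64
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed values for illustration; substitute your own LAN/VPN subnets.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]
# Assumed URL shapes for the program commands and WebUI named in the post.
ALLOWED_PATHS = [
    re.compile(r"/rest/programs/[0-9A-Fa-f]{4}/(runIf|runThen)"),
    re.compile(r"/WEB/[\w.\-/]*"),
]


def normalize(raw_target):
    """Return the decoded, dot-segment-free path, or None if it looks malformed."""
    path = unquote(urlsplit(raw_target).path)
    if "%" in path or "\\" in path or "\x00" in path:  # double encoding, odd separators
        return None
    return posixpath.normpath(path) if path.startswith("/") else None


def decide(peer_ip, method, raw_target):
    """Apply the rules from the post; anything not explicitly permitted is denied."""
    # peer_ip must be the TCP peer address, never a client-supplied header.
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        return False, "source not on a trusted subnet"
    path = normalize(raw_target)
    if path is None:
        return False, "malformed path"
    if path.lower().startswith("/admin"):
        return False, "admin request"
    if method != "GET":
        return False, "method not allowed"
    if any(p.fullmatch(path) for p in ALLOWED_PATHS):
        return True, "permitted"
    return False, "not on the allowlist"


def upstream_headers(client_headers, user, password):
    """Drop any client-sent Authorization and insert the stored ISY credentials."""
    headers = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers["Authorization"] = f"Basic {token}"
    return headers
```

Matching is done on the normalized path, so an encoded `..` segment cannot carry an allowlisted prefix over to an admin URL.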
dmazan Posted July 6, 2016
I understand. Something just strikes me as wrong about adding a piece of hardware and spending time configuring some software because a piece of commercial equipment is missing a pretty basic feature. (Okay maybe it's not basic but Homeseer and several other HA products I've looked at as replacement do.) The ISY is the most competent system I've worked with in terms of interfacing with the devices--much better than Homeseer. I just wish it was better at interfacing with the humans. I may try MisterHouse on that RaspberryPi.
KeviNH Posted July 6, 2016
I've gotten used to it. Might even say I've gotten so good at working around it that I've stopped taking notice. The sentence "adding a piece of hardware and spending time configuring some software because a piece of commercial equipment is missing a pretty basic feature" describes a significant source of my income for the past two decades. If you think it's annoying to spend a couple hundred bucks and find out the features you need are not only not implemented but aren't on the vendor's roadmap, imagine how corporate directors feel when that happens in relation to a six figure software package? I'm not saying it's the way things should be, but it's a living.
Michel Kohanim Posted July 7, 2016
Hi dmazan, Thanks so very much for the feedback. I think we are a little paranoid when it comes to security and perhaps to a fault. In 5.0.x we have already added support for multi-user. I am going to check out and see whether or not we can make one not require any passwords WITH BIG WARNINGS AND DISCLAIMERS! With kind regards, Michel
dmazan Posted July 7, 2016
That would be great. Remember that access without a password would be restricted to source IP addresses on the local network(s) (preferred to be entered as a parameter list as there may be multiple local LAN subnets or remote LAN subnets via VPN, as opposed to allowing access based only on the Universal Device's LAN configuration). Although it is technically feasible to spoof a LAN IP, no self-respecting firewall is going to pass a packet on its WAN port that claims to be from its LAN port. Granted, there might be a compromised inside host but (a) that's not on you and (b) nobody is doing that to gain control of my lighting.
stusviews Posted July 7, 2016
No one looking for profit will play with your ISY controlled devices, but there are those who do it for fun, not funds.
Michel Kohanim Posted July 7, 2016
Hi dmazan, Thank you. #279. With kind regards, Michel