How can I allow unauthenticated access from my local network?


dmazan

I have a bunch of devices on my local network where I'd like to have open access to lighting control (and no administrative access).  How can I allow non-administrative access from my local network without having to sign on?

Link to comment

There is no supported way to do this with just the ISY by itself.

 

Do you have any sort of a server on your local network, something like a Raspberry Pi or another Unix-like machine that is always on?   If so, you can make this work by running a listener on that machine that forwards lighting commands but blocks admin commands.

 

It's not trivial, but it is possible.

Link to comment

Thanks for the ideas.  I currently have multiple locations with multiple Windows boxes running HomeSeer.  The idea with the ISY is to reduce complexity and the number of potential failure points.  Writing my own interface to replace one that I paid money for isn't in the cards.

 

Hopefully the ISY will become a fully usable production out of the box.

Link to comment

I didn't write my own interface.

 

You can expose the REST interface with Transparent ISY Proxy running on a Raspberry Pi.

 

https://sites.google.com/site/isyajax/other-tools-php-code

That's basically what I did; took a commercially available proxy and wrote about 5 lines of configuration settings to:

  1. Deny requests for admin.
  2. Deny requests not coming from specific internal IPs.
  3. Permit requests for the WebUI and certain REST commands (RunIf, RunThen, etc).
  4. Insert an authentication header with the ISY username, password.
  5. Forward permitted requests to the ISY.

Took me about an hour to set up and test.

Link to comment

I understand.  Something just strikes me as wrong about adding a piece of hardware and spending time configuring some software because a piece of commercial equipment is missing a pretty basic feature.  (Okay maybe it's not basic but HomeSeer and several other HA products I've looked at as replacement do.)

 

The ISY is the most competent system I've worked with in terms of interfacing with the devices--much better than HomeSeer.  I just wish it was better at interfacing with the humans.  I may try MisterHouse on that Raspberry Pi.

Link to comment

I've gotten used to it.  Might even say I've gotten so good at working around it that I've stopped taking notice.

 

The sentence "adding a piece of hardware and spending time configuring some software because a piece of commercial equipment is missing a pretty basic feature" describes a significant source of my income for the past two decades.   If you think it's annoying to spend a couple hundred bucks and find out the features you need are not only not implemented but aren't on the vendor's roadmap, imagine how corporate directors feel when that happens in relation to a six figure software package?

 

I'm not saying it's the way things should be, but it's a living.

Link to comment

Hi dmazan,

 

Thanks so very much for the feedback. I think we are a little paranoid when it comes to security and perhaps to a fault. In 5.0.x we have already added support for multi-user. I am going to check it out and see whether or not we can make one not require any passwords WITH BIG WARNINGS AND DISCLAIMERS!

 

With kind regards,

Michel

Link to comment

That would be great.  Remember that access without a password would be restricted to source IP addresses on the local network(s) (preferred to be entered as a parameter list as there may be multiple local LAN subnets or remote LAN subnets via VPN, as opposed to allowing access based only on the Universal Device's LAN configuration). 

 

Although it is technically feasible to spoof a LAN IP, no self-respecting firewall is going to pass a packet on its WAN port that claims to be from its LAN port.  Granted, there might be a compromised inside host but (a) that's not on you and (b) nobody is doing that to gain control of my lighting.

Link to comment

Archived

This topic is now archived and is closed to further replies.

