Admin Password to log into phones webgui or in phone

Im probably overlooking something… What credentials do I use to log into ANY of my phones provisioned with Commercial Endpoint Manager?? Either from a webgui to the phones IP… Or going to Advanced Settings right on the phone when it asks for password??

Im running FreePBX 15.0.17.24 with Commerical EPM.

I can log into any of the phones defaulted no problem via webgui or in the phones Settings menu but once it auto provisions I cannot get in…

Example:

Yealink T46S

Can log into freshly defaulted phone with admin/admin…After autoprovision through EPM I cannot log in using Phone Admin Password or Phone User Password in EPM>Global Settings… I type in admin and my Phone Admin Password, incorrect. I type my extension number as username and Phone Admin Password, incorrect.

Same with my Sangoma S705 trying to log in via webgui or Settings>Advanced Settings right on the phone…

What am I doing wrong here? I know its something stupid

Admin password is as set in EPM global settings.

Yes, Im aware of that but it doesnt work… Thats why I made this post…

Do you see the admin password set in any of the config files stored in /tftpboot?

I’ll have to look…what is the username supposed to be after provisioning? Example T46S is User: admin Password: admin when defaulted…

After provisioning should I still be using admin username and global admin password? Or extension number as username and global admin password???

Its definitely changing it to something because it’s not admin/admin after auto provisioning

The username shouldn’t change. Password should be what you set in global settings, as @lgaetz stated but it doesn’t appear that’s working properly. You should be able view a config file in /tftpboot and since they’re Yealink see something like security.user_password = admin:1234

Cool. I’ll check that out and report back

Well…before digging into the /tftpboot config files I decided to change the Global Admin Password to a new number… I had it set as a 10 digit numerical so example: 0806107979 It would never let me log in with that…

I just changed it to a 6 digit number to test: 222222 Save…Apply Config… Save, Rebuild and Update Phone template to each of my 3 different phone models… S705, D65 and T46s… Bam… logs right in now with that 6 digit Global Admin Password. So I tried changing it back to 10 digits… wont log in… back to 6 digits… logs right in…

Is this a bug? Or does it HAVE to be 6 digits to work which seems to be the case?? Glad thats figured out now anyway. Was driving me nuts not being able to WEB GUI into the phones after provisioned…

Dunno if it’s a bug. May require additional testing - do all 10 character admin passwords fail to work? Anything more? What about 9 character password?

I know the documentation says it has to be a minimum of 6 characters but doesn’t say anything about maximum.

I understood the documentation as minimum 6 as well…thats why I never tested my password as being the problem… I tried 3 different 10 character doesn’t work on 3 different model phones…6 character works on all 3 different models…

I’ll test 8, 9 and 11 just to see and report back…

Just a hunch, don’t use 0 as the first digit.

Hmmm… thats a good suggestion. Even though the above 10 digit number was an example…the 10 digit I was using that wouldn’t work DID start with 0. Let me try that

That was it! No using 0 as the first digit. Changed it back to a 10 digit Global pin with the first digit not 0 and all phones log right in now with that 10 digit number. Thanks @dicko

1 Like

Perhaps file a bug report ?. Perhaps somewhere the php code is converting the string, if it starts with 0 then likely 01020304 is converted to 1020304

From dictionary.com for hunch , a feeling or guess based on intuition rather than known facts.

1 Like

Yep this is a bug. Looks straight forward, so can use the issues site for this:
https://issues.freepbx.org/

2 Likes

I have had similar issues with another device and it was corrected with a firmware update. I had switched to a shorter password and after a later firmware update realized I could use a longer password. I am sure there is still al limit. I like using really long passwords, some are like 30 characters.

That’s a false sense of security. If the attacker is limited to testing passwords online i.e. probing your system for each guess, then 8 characters is enough. Eight randomly chosen letters and digits have 62**8 combinations. Even if the attacker has a botnet and tries from many addresses, he can only test ~1000 passwords per second, taking an average of more than 3400 years to find the password.

Of course, you should also protect against offline cracking, where the attacker has somehow captured a SIP INVITE and can test guesses locally, with his purpose-built cracking hardware. The fastest GPUs can try almost 1,000,000,000 passwords per second. A rack of 32 could come close to 1e18 passwords per year and could crack a 15-character password in an average of 384 million years.

Of course, he wouldn’t even spend a day trying to crack your password – the rig is more valuable for mining bitcoin.

Strong passwords get stolen, not cracked (phishing, vulnerabilities, bribery, etc.)

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.