4RF Aprisa SR User Manual

0 (0)

98 | Managing the Radio

Packet Size (Bytes)

This parameter sets the maximum over-the-air packet size in bytes. A smaller maximum Packet Size is beneficial when many remote stations or repeater stations are trying to access the channel. The default setting is 1550 bytes.

As radios dispatched from the factory have a Packet Size set to the maximum value of 1550 bytes, if a new radio is installed in an existing Field Access Network (network), the Packet Size must be changed to ensure it is the same value for all radios in the network. The new radio will not register an existing network if the Packet Size is not the same as the other radios in the network.

This packet size includes the wireless protocol header and security payload (0 to 16 bytes). The length of the security header depends on the level of security selected.

When the security setting is 0, the maximum user data transfer over-the-air is 1516 bytes.

When encryption is enabled, the entire packet of user data (payload) is encrypted. If authentication is being used, the security frame will be added (up to 16 bytes). The wireless protocol header is then added which is proprietary to the Aprisa SR. This is not encrypted.

Packet Time to Live (ms)

This Time To Live (TTL) parameter sets the time a packet is allowed to live in the system before being dropped if it cannot be transmitted over the air. It is used to prevent old, redundant packets being transmitted through the Aprisa SR network. The default setting is 1500 ms.

In the case of serial poll SCADA networks such as MODBUS and IEC 60870.50.101, it is important to ensure the replies from the RTU are in the correct sequence and are not timed out replies from Master requests. If the TTL value is too long, the SCADA master will detect sequence errors.

It is recommended to use a TTL which is half the serial SCADA timeout. This is commonly called the ‘scan timeout’ or ‘link layer time out’ or ‘retry timeout’.

When using TCP protocols, a TTL of 1500 ms is recommended because a TCP re-transmission usually occurs after approximately 3 second.

In SCADA networks which use both serial and Ethernet, it is recommended that the TTL is set to half the serial SCADA timeout for serial remotes, and 1500 ms for Ethernet (TCP) remotes. For example, if the serial SCADA timeout is 1000 ms, a remote radio which is connected to the serial RTU should be set to 500 ms, a remote radio which is connected to a Ethernet (TCP) RTU should have a 1500 ms timeout.

In this case, the base station TTL should be set to 1500 ms as well; or which ever is the longer TTL of serial or Ethernet.

Aprisa SR User Manual

Managing the Radio | 99

Packet Filtering

Each Aprisa SR radio can filter packets not destined for itself. The Packet Filtering parameter controls this functionality.

In an Aprisa SR network, all communication from remote stations is destined for the base station in the Aprisa SR network communication protocol. In a repeater network, a remote station will send a message to the base station. The repeater station will receive this and then repeat the message. The repeated message will then be received by the base station. Other remote stations connected to the repeater station will receive this message and depending on the Packet Filtering parameter, either forward this packet or discard it.

This filtering capability can provide the ability for remote stations to communicate with each other when connected to a repeater, particularly useful in the event of losing communication with a SCADA Master, assuming the Aprisa SR network is still operational.

Note: IP Header Compression must be disabled for this feature to operate correctly (see ‘IP Header Compression Ratio’ on page 101).

Option

Function

 

 

Disabled

Every packet received by the radio will be forwarded to the

 

relevant interface.

 

 

Automatic

The radio will filter (discard) packets not destined for itself

 

according to the Aprisa SR traffic protocols

 

 

The default setting is Automatic.

Note: The Aprisa SR network is transparent to the protocol being transmitted; therefore the Packet Filtering parameter is based on the Aprisa SR addressing and network protocols, not the user (SCADA, etc.) traffic protocols.

Serial Data Stream Mode

This parameter controls the traffic flow in the radio serial ports.

Option

Function

 

 

Broadcast

Serial port traffic from the network is broadcast on all serial ports

 

on this radio. This will include the RS-232 port derived from the

 

USB port.

 

 

Segregate

Serial port traffic from the network from a specific port number is

 

directed to the respective serial port only.

 

 

The default setting is Broadcast.

Aprisa SR User Manual

100 | Managing the Radio

TRAFFIC SETTINGS

Serial Data Priority

The Serial Data Priority controls the priority of the serial customer traffic relative to the Ethernet customer traffic. If equal priority is required to Ethernet traffic, this setting must be the same as the

Ethernet Data Priority setting (see ‘Ethernet Data Priority’ on page 100).

The serial data priority can be set to Very High, High, Medium and Low. The default setting is Very High.

A queuing system is used to prioritize traffic from the serial and Ethernet interfaces for over the air transmission. A weighting may be given to each data type and this is used to schedule the next transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a higher weighting it will be transmitted first. The serial buffer is 20 serial packets (1 packet can be up to 512 bytes).

There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.

Ethernet Data Priority

The Ethernet Data Priority controls the priority of the Ethernet customer traffic relative to the serial customer traffic. If equal priority is required to serial traffic, this setting must be the same as the Serial

Data Priority setting (see ‘Serial Data Priority’ on page 100)

The Ethernet Data Priority can be set to Very High, High, Medium and Low. The default setting is Very High.

A queuing system is used to prioritize customer traffic from the serial and Ethernet interfaces for over the air transmission. A weighting may be given to each data type and this is used to schedule the next transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a higher weighting it will be transmitted first. The Ethernet buffer is 10 Ethernet packets (1 packet can be up to Ethernet MTU, 1500 bytes).

There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.

Ethernet Management Priority

The Ethernet Management Priority controls the priority of the Ethernet management traffic relative to Ethernet customer traffic.

The Ethernet Management Priority can be set to Very High, High, Medium and Low. The default setting is Medium.

Aprisa SR User Manual

Managing the Radio | 101

Background Bulk Data Transfer Rate

This parameter sets the data transfer rate for large amounts of management data.

 

Option

Function

 

 

 

 

High

Utilizes more of the available capacity for large amounts of

 

 

management data. Highest impact on user traffic.

 

 

 

 

Medium

Utilizes a moderate of the available capacity for large amounts of

 

 

management data. Medium impact on user traffic.

 

 

 

 

Low

Utilizes a minimal of the available capacity for large amounts of

 

 

management data. Lowest impact on user traffic.

 

 

 

The default setting is high.

 

DATA COMPRESSION

 

IP Header Compression Ratio

 

The IP Header Compression implements TCP/IP ROHC v2 (Robust Header Compression v2. RFC4995, RFC5225, RFC4996) to compress the IP header. IP Header Compression allows for faster point to point transactions, but only in a star network.

IP Header Compression module comprises of two main components, Compressor and Decompressor. Both these components maintain some state information for an IP flow to achieve header compression. However, for reasons like packet drops or station reboots this state information can go out of sync between compressor and decompressor resulting in compression and/or decompression failure resulting in loss of packets.

The Compression Ratio controls the rate at which compressor and decompressor synchronize state information with each other. Frequent synchronization results in reduced ratio.

 

Option

Function

 

 

 

 

Compression

Disables IP Header Compression.

 

Disabled

 

 

 

 

 

High

State information is synchronized less frequently thus achieving

 

 

the best compression ratio.

 

 

 

 

Medium

State information is synchronization less frequently than ‘High’

 

 

setting but more frequently than ‘Low’ setting.

 

 

 

 

Low

State information is synchronized frequently thus reducing the

 

 

compression ratio.

 

 

 

The default setting is High.

 

When IP Header Compression is enabled, it is important that the Network Radius is set correctly. If it was incorrectly set to 1, header compression could not be interpreted by radius 2 radios.

Aprisa SR User Manual

102 | Managing the Radio

Serial

Serial > Summary

This page displays the current settings for the serial port parameters.

See ‘Serial > Port Setup’ on page 103 for configuration options.

Aprisa SR User Manual

Managing the Radio | 103

Serial > Port Setup

This page provides the setup for the serial port settings.

SERIAL PORTS SETTINGS

Note: The current Aprisa SR has one serial port so there will be only one record.

Name

This parameter sets the port name which can be up to 32 characters.

Option

Function

 

 

 

SerialPort1

This is the normal RS-232 serial port provided with the RJ45

 

connector.

 

 

USB Serial Port

This is the additional RS-232 serial port provided with the USB Host

 

Port

connector with a USB to RS-232 RJ45 converter cable

 

(see ‘USB RS-232 Serial Port’ on page 43).

 

 

 

Mode

This parameter defines the mode of operation of the serial port. The default setting is Standard.

 

Option

Function

 

 

 

 

 

 

Disabled

The serial port is not required.

 

 

 

 

 

 

Standard

The serial port is communicating with serial ports on other

 

 

 

stations.

 

 

 

 

 

 

Terminal Server

A base station Ethernet port can communicate with both Ethernet

 

 

 

ports and serial ports on remote stations.

 

 

 

RS-232 traffic is encapsulated in IP packets (see ‘Serial > Port

 

 

 

Setup’ TERMINAL SERVER SETTINGS on page 105).

 

 

 

 

 

 

 

 

 

 

 

Aprisa SR User Manual

 

 

 

 

104 | Managing the Radio

Baud Rate (bit/s)

This parameter sets the baud rate to 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600 or 115200 bit/s. The default setting is 115200 bit/s.

Character Length (bits)

This parameter sets the character length to 7 or 8 bits. The default setting is 8 bits.

Parity

This parameter sets the parity to Even, Odd or None. The default setting is None.

Stop Bits (bits)

This parameter sets the number of stop bits to 1 or 2 bits. The default setting is 1 bit.

Flow Control

This parameter sets the flow control of the serial port. The default setting is Disabled.

Option

Function

 

 

None

The Aprisa SR radio port (DCE) CTS is in a permanent ON (+ve)

 

state.

 

This does not go to OFF if the radio link fails.

 

 

CTS-RTS

CTS / RTS hardware flow control between the DTE and the Aprisa

 

SR radio port (DCE) is enabled.

 

If the Aprisa SR buffer is full, the CTS goes OFF.

 

In the case of radio link failure the signal goes to OFF (-ve) state.

 

 

In terminal server mode, the serial packet is no different from an Ethernet packet and travels through various packet queues before being transmitted over the air. Thus, the serial flow control has no affect in terminal server mode.

Inter-Frame Gap (chars)

This parameter defines the gap between successive serial data frames. It is used to delimit the serial data to define the end of a packet. The Inter-Frame Gap limits are 0.5 to 16 chars. The default setting is 3.5 chars.

Aprisa SR User Manual

Managing the Radio | 105

TERMINAL SERVER SETTINGS

This menu item is only applicable if the serial port has an operating mode of Terminal Server.

The Terminal Server operating mode provides encapsulation of serial data into an IP packet (TCP or UDP).

A server connected to a base station Ethernet port can communicate with all remote station Ethernet ports and serial ports.

Note: The current Aprisa SR has one serial port so there will be only one record.

Local Address

This parameter displays the IP address of this radio.

Port

This parameter sets the port number of the local serial port.

The valid port number range is greater than or equal to 1024 and less than or equal to 49151 but with exclusions of 0, 5445, 6445, 9930 or 9931. The default setting is 20000.

Remote Address

This parameter sets the IP address of the server connected to the base station Ethernet port.

Port

This parameter sets the port number of the server connected to the base station Ethernet port. The default setting is 0.

Aprisa SR User Manual

106 | Managing the Radio

Protocol

This parameter sets the IP protocol used for terminal server operation. The default setting is TCP.

Mode

This parameter defines the mode of operation of the terminal server connection. The default setting is Client and Server.

Option

Function

 

 

Client

The radio will attempt to establish a TCP connection with the

 

specified remote unit.

 

 

Server

The radio will listen for a TCP connection on the specified local

 

port.

 

Data received from any client shall be forwarded to the associated

 

serial port while data received from that serial port shall be

 

forwarded to every client with an open TCP connection.

 

If no existing TCP connections exist, all data received from the

 

associated serial port shall be discarded.

 

 

Client and Server

The radio will listen for a TCP connection on the specified local

 

port and if necessary, establish a TCP connection with the

 

specified remote unit.

 

Data received from any client shall be forwarded to the associated

 

serial port while data received from that serial port shall be

 

forwarded to every client with an open TCP connection.

 

 

Inactivity Timeout (seconds)

This specifies the duration (in seconds) to automatically terminate the connection with the remote TCP server if no data has been received from either the remote TCP server or its associated serial port for the duration of the configured inactivity time.

TCP Keep Alive

A TCP keepalive is a message sent by one device to another to check that the link between the two is operating, or to prevent the link from being broken.

If the TCP Keep Alive is enabled, the radio will be notified if the TCP connection fails.

If the TCP Keep Alive is disabled, the radio relies on the Inactivity Timeout to detect a TCP connection failure. The default setting is disabled.

Note: An active TCP Keep Alive will generate a small amount of extra network traffic.

Aprisa SR User Manual

Managing the Radio | 107

Ethernet

Ethernet > Summary

This page displays the current settings for the Ethernet port parameters and the status of the ports.

See ‘Ethernet > Port Setup’ for configuration options.

Aprisa SR User Manual

108 | Managing the Radio

Ethernet > Port Setup

This page provides the setup for the Ethernet ports settings.

ETHERNET PORT SETTINGS

Mode

This parameter controls the Ethernet traffic flow. The default setting is Standard.

Option

Function

 

 

Standard

Enables Ethernet data communication over the radio link.

 

 

Switch

Ethernet traffic is switched locally between the two

 

Ethernet ports and communicated over the radio link

 

 

Disabled

Disables Ethernet data communication over the radio link.

 

 

Speed (Mbit/s)

This parameter controls the traffic rate of the Ethernet port. The default setting is Auto.

Option

Function

 

 

Auto

Provides auto selection of Ethernet Port Speed

 

 

10

The Ethernet Port Speed is manualy set to 10 Mbit/s

 

 

100

The Ethernet Port Speed is manualy set to 100 Mbit/s

 

 

Aprisa SR User Manual

Managing the Radio | 109

Duplex

This parameter controls the transmission mode of the Ethernet port. The default setting is Auto.

Option

Function

 

 

Auto

Provides auto selection of Ethernet Port duplex setting.

 

 

Half Duplex

The Ethernet Port is manualy set to Half Duplex.

 

 

Full Duplex

The Ethernet Port is manualy set to Full Duplex.

 

 

Function

This parameter controls the use for the Ethernet port. The default setting is Management and User.

Option

Function

 

 

Management Only

The Ethernet port is only used for management of the

 

network.

 

 

Management and User

The Ethernet port is used for management of the network

 

and User traffic over the radio link.

 

 

User Only

The Ethernet port is only used for User traffic over the radio

 

link.

 

 

Aprisa SR User Manual

110 | Managing the Radio

Ethernet > L2 Filtering

This page is only available if the Ethernet traffic option has been licensed (see ‘Maintenance > Licence’ on page 140).

FILTER DETAILS

L2 Filtering provides the ability to filter radio link traffic based on specified Layer 2 MAC addresses.

Traffic originating from specified Source MAC Addresses destined for specified Destination MAC Addresses that meets the protocol type criteria will be transmitted over the radio link.

Traffic that does not meet the filtering criteria will not be transmitted over the radio link.

Source MAC Address

This parameter sets the filter to the Source MAC address of the packet in the format ‘hh:hh:hh:hh:hh:hh’.

If the Source MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, traffic will be accepted from any source MAC address.

Destination MAC Address

This parameter sets the filter to the Destination MAC address of the packet in the format ‘hh:hh:hh:hh:hh:hh’.

If the Destination MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, traffic will be delivered to any destination

MAC address.

Protocol Type

This parameter sets the Ethernet Type accepted ARP, VLAN, IPv4, IPv6 or Any type.

Aprisa SR User Manual

Managing the Radio | 111

Example:

In the screen shot, the rules are configured in the base station which controls the radio link traffic from base station to remote / repeater stations.

Traffic from a device with the MAC address 00:01:50:c2:01:00 is forwarded over the radio link if it meets the criteria:

Rule 1 If the Ethernet Type is ARP going to any destination MAC address or

Rule 2 If the Ethernet Type is Any and the destination MAC address is 01:00:50:c2:01:02 or Rule 3 If the Ethernet Type is VLAN tagged packets going to any destination MAC address

Special L2 Filtering Rules:

Unicast Only Traffic

This L2 filtering allows for Unicast only traffic and drop broadcast and multicast traffic. This filtering is achieved by adding the two rules:

Rule

Source

Destination

Protocol Type

 

MAC Address

MAC Address

 

 

 

 

 

Allow ARPS

FF:FF:FF:FF:FF:FF

FF:FF:FF:FF:FF:FF

ARP

 

 

 

 

Allow Unicasts from Any source

FF:FF:FF:FF:FF:FF

FE:FF:FF:FF:FF:FF

Any

 

 

 

 

To delete a L2 Filter:

1.Click on an existing rule ‘Select’.

2.Click on Delete.

3. Click on OK.

ADD NEW FILTER

To add a L2 Filter:

1.Enter the Rule ID number. This is a unique rule number between 1 and 25.

2.Enter the Source MAC address of the packet or ‘FF:FF:FF:FF:FF:FF’ to accept traffic from any MAC address.

3.Enter the Destination MAC address of the packet or ‘FF:FF:FF:FF:FF:FF’ to deliver traffic to any MAC address.

4.Select the Protocol Type to ARP, VLAN, IPv4, IPv6 or Any type.

5.Click on Add.

Aprisa SR User Manual

112 | Managing the Radio

Networking

Networking > IP Summary

This page displays the current settings for the Networking IP Settings.

See ‘Networking > IP Setup’ for configuration options.

Aprisa SR User Manual

Managing the Radio | 113

Networking > IP Setup

This page provides the setup for the Networking IP Settings.

NETWORKING IP SETTINGS

IP Address

Set the static IP Address of the radio assigned by your site network administrator using the standard format xxx.xxx.xxx.xxx. The default IP address is in the range 169.254.50.10.

Subnet Mask

Set the Subnet Mask of the radio using the standard format xxx.xxx.xxx.xxx. The default subnet mask is 255.255.0.0.

Gateway

Set the Gateway address of the radio, if required, using the standard format xxx.xxx.xxx. The default Gateway is 0.0.0.0.

Aprisa SR User Manual

114 | Managing the Radio

Networking > L3 Filtering

This page is only available if the Ethernet traffic option has been licensed (see ‘Maintenance > Licence’ on page 140).

NETWORKING L3 FILTER SETTINGS

L3 Filtering provides the ability to evaluate traffic and take specific action based on the filter criteria.

This filtering can also be used for L4 TCP/UDP port filtering which in most cases relates to specific applications as per IANA official and unofficial well-known ports.

Entering a * into any to field will automatically enter the wildcard values when the data is saved.

Priority

This parameter shows the priority order in which the filters are processed.

Action

This parameter defines the action taken on the packet when it meets the filter criteria.

Option

Function

 

 

Process

Processes the packet if it meets the filter criteria

 

 

Discard

Discards the packet if it meets the filter criteria

 

 

Source IP Address

If the source IP address is set to 0.0.0.0, any source IP address will meet the filter criteria.

Aprisa SR User Manual

Managing the Radio | 115

Source Wildcard Mask

This parameter defines the mask applied to the Source IP Address. 0 means that it must be a match.

If the Source Wildcard Mask is set to 0.0.0.0, the complete Source IP Address will be evaluated for the filter criteria.

If the Source Wildcard Mask is set to 0.0.255.255, the first 2 octets of the Source IP Address will be evaluated for the filter criteria.

If the Source Wildcard Mask is set to 255.255.255.255, none of the Source IP Address will be evaluated for the filter criteria.

Note: The Source Wildcard Mask operation is the inverse of subnet mask operation

Source Port Range

This parameter defines the port or port range for the source. To specify a range, insert a dash between the ports e.g 1000-2000. If the Source Port Range is set to 1-65535, traffic from any source port will meet the filter criteria.

Destination IP Address

This parameter defines the destination IP address of the filter. If the destination IP address is set to 0.0.0.0, any destination IP address will meet the filter criteria.

Destination Wildcard Mask

This parameter defines the mask applied to the Destination IP Address. 0 means that it must be a match.

If the Destination Wildcard Mask is set to 0.0.0.0, the complete Destination IP Address will be evaluated for the filter criteria.

If the Destination Wildcard Mask is set to 0.0.255.255, the first 2 octets of the Destination IP Address will be evaluated for the filter criteria.

If the Destination Wildcard Mask is set to 255.255.255.255, none of the Destination IP Address will be evaluated for the filter criteria.

Note: The Destination Wildcard Mask operation is the inverse of subnet mask operation

Destination Port Range

This parameter defines the port or port range for the destination. To specify a range, insert a dash between the ports e.g 1000-2000. If the destination port range is set to 1-65535, traffic to any destination port will meet the filter criteria.

Protocol

This parameter defines the Ethernet packet type that will meet the filter criteria.

Controls

The Delete button deletes the selected entry.

The Move Up button moves the selected entry above the entry above it increasing it’s process priority.

The Move Down button moves the selected entry below the entry above it reducing it’s process priority.

Aprisa SR User Manual

116 | Managing the Radio

Security

Security > Summary

This page displays the current settings for the Security parameters.

See ‘Security > Setup’ and ‘Security > Manager’ for configuration options.

Aprisa SR User Manual

4RF Aprisa SR User Manual

Managing the Radio | 117

Security > Setup

PAYLOAD SECURITY PROFILE SETUP

Security Profile Name

This parameter enables the user to predefine a security profile with a specified name.

Security Scheme

This parameter sets the security scheme to one of the values in the following table:

Security Level

Disabled (No encryption and no Message Authentication Code)

AES Encryption + CCM Authentication 128 bit

AES Encryption + CCM Authentication 64 bit

AES Encryption + CCM Authentication 32 bit

AES Encryption only

CCM Authentication 128 bit

CCM Authentication 64 bit

CCM Authentication 32 bit

The default setting is Disabled.

Aprisa SR User Manual

118 | Managing the Radio

Payload Encryption Key Type

This parameter sets the Payload Encryption Key Type:

 

Option

Function

 

 

 

 

Pass Phrase

Use the Pass Phrase password format for standard security.

 

 

 

 

Raw Hexidecimal

Use the Raw Hexidecimal password format for better

 

 

security. It must comply with the specified encryption key

 

 

size e.g. if Encryption Type to AES128, the encryption key

 

 

must be 16 bytes (32 chars)

 

 

 

The default setting is Pass Phrase.

 

Payload Encryption Key Size

This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.

The higher the encryption size the better the security.

Payload Encryption Key

This parameter sets the Payload Encryption password. This key is used to encrypt the payload.

Pass Phrase

Good password policy:

contains at least eight characters, and contains at least one upper case letter, and contains at least one lower case letter, and

contains at least one digit or another character such as !@#$%^&(){}[]<>... , and is not a term in a familiar language or jargon, and

is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and

is easy to remember, for instance by means of a key sentence

Raw Hexidecimal

The Raw Hexidecimal password must comply with the specified encryption key size e.g. if Encryption Type to AES128, the encryption key must be 16 bytes (32 chars).

Aprisa SR User Manual

Managing the Radio | 119

KEY ENCRYPTION KEY SETUP

The Key Encryption Key provides the ability to encrypt the Payload Encryption Key so it can be safely transmitted over the radio link to remote radios.

The Key Encryption Key Type, Key Encryption Key Size and Key Encryption Key must be the same on all radios in the network.

Key Encryption Key Type

This parameter sets the Payload Encryption Key Type:

 

Option

Function

 

 

 

 

Pass Phrase

Use the Pass Phrase password format for standard security.

 

 

 

 

Raw Hexidecimal

Use the Raw Hexidecimal password format for better

 

 

security. It must comply with the specified encryption key

 

 

size

 

 

e.g. if Encryption Type to AES128, the encryption key must

 

 

be 16 bytes (32 chars)

 

 

 

The default setting is Pass Phrase.

 

Key Encryption Key Size

This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.

The higher the encryption type the better the security.

Key Encryption Key

This parameter sets the Key Encryption password. This is used to encrypt the payload encryption key.

Aprisa SR User Manual

120 | Managing the Radio

PROTOCOL SETUP

Telnet option

This parameter option determines if you can manage the radio via a Telnet session. The default setting is disabled.

ICMP option (Internet Control Message Protocol)

This parameter option determines whether the radio will respond to a ping. The default setting is disabled.

HTTPS option

This parameter option determines if you can manage the radio via a HTTPS session (via a Browser). The default setting is enabled.

SNMP Proxy Support

This parameter option enables an SNMP proxy server in the base station. This proxy server reduces the radio link traffic during SNMP communication to remote / repeater stations. This option applies to the base station only. The default setting is disabled.

This option can also be used if the radio has Serial Only interfaces.

SNMP Protocol

This parameter sets the SNMP Protocol:

 

Option

Function

 

 

 

 

Disabled

All SNMP functions are disabled.

 

 

 

 

All Versions

Allows all SNMP protocol versions.

 

 

 

 

SNMPv3 Only

Only SNMPv3 transactions will be accepted.

 

 

 

 

SNMPv3 With

Only SNMPv3 transactions authenticated using HMAC-MD5 or

 

Authentication Only

HMAC-SHA will be accepted.

 

 

 

The default setting is All Versions.

 

The default SNMPv3 with Authentication User Details provided are:

User Name

Authentication

Context Name

Authentication

 

Type

 

Passphrase

 

 

 

 

noAuthUser

-

noAuth

noAuthUser

 

 

 

 

authUserMD5

MD5

auth

authUserMD5

 

 

 

 

authUserSHA

SHA

auth

authUserSHA

 

 

 

 

Aprisa SR User Manual

Managing the Radio | 121

SNMPv3 Authentication Passphrase

The Authentication Passphrases can be changed via SNMP (not SuperVisor).

When viewing / managing the details of the users via SNMP, the standard SNMP-USER-BASED-SM-MIB interface is used. This interface can be used to change the Authentication Passphrase of the users.

The Authentication Passphrase of the user required to be changed cannot be changed by the same user i.e a different user must be used for the transactions.

To change a user authentication passphrase:

1.SET the usmUserStatus object for that user to ‘Not In Service’

2.GET the usmUserSpinLockobject

3.SET the usmUserSpinLockobject with the value that was just GOT in the previous step

4.SET the usmUserAuthKeyChange to the new Authentication key string

5.SET the usmUserPrivKeyChangeto the new Privacy key string

6.SET the usmUserStatus object for that user to ‘Active’

Note that the key string for steps 4 and 5 are 32 octet hexadecimal values. This string is generated based on the ‘old passphrase’ and ‘new passphrase’ as specified in RFC2274.

The utility ‘encode_keychange.exe’, available from NET-SNMP open source applications, can be used to generate this string.

An example command to generate a new Authentication key string for the default desUserMD5 is:

encode_keychange –t md5 –O “desUserMD5” –N “desUserMD5Auth” –E 0x0100DC

An example command to generate a new Privacy key string for the default desUserMD5 is:

encode_keychange –t md5 –O “desUserMD5” –N “desUserMD5Priv” –E 0x0100DC

These command executions will return a 32 Octet Hexadecimal string that can be used in steps 4 and 5 above.

Aprisa SR User Manual

122 | Managing the Radio

Security > Users

Note: You must login with ‘admin’ privileges to add, disable, delete a user or change a password.

USER DETAILS

Shows a list of the current users setup in the radio.

ADD NEW USER

To add a new user:

1. Enter the Username.

A username can be up to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes. Usernames are case sensitive.

2. Enter the Password.

A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes. Passwords are case sensitive.

Good password policy:

contains at least eight characters, and contains at least one upper case letter, and contains at least one lower case letter, and

contains at least one digit or another character such as !@#$%^&(){}[]<>... , and is not a term in a familiar language or jargon, and

is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and

is easy to remember, for instance by means of a key sentence

Aprisa SR User Manual

Managing the Radio | 123

3. Select the User Privileges

There are four pre-defined User Privilege settings to allocate access rights to users. These user privileges have associated default usernames and passwords of the same name.

The default login is ‘admin’.

This login has full access to all radio parameters including the ability to add and change users. There can only be a maximum of two usernames with admin privileges and the last username with admin privileges cannot be deleted.

User

Default

Default

User Privileges

Privilege

Username

Password

 

 

 

 

 

View

view

view

Users in this group can only view the summary

 

 

 

pages.

 

 

 

 

Technician

technician

technician

Users in this group can view and edit parameters

 

 

 

except Security > Users, Security > Settings and

 

 

 

Advanced settings.

 

 

 

 

Engineer

engineer

engineer

Users in this group can view and edit parameters

 

 

 

except Security > Users.

 

 

 

 

Admin

admin

admin

Users in this group can view and edit all

 

 

 

parameters.

 

 

 

 

See ‘SuperVisor Menu Access’ on page 76 for the list of SuperVisor menu items versus user privileges.

4. Click ‘Add’

To delete a user:

1.Select Terminal Settings > Security > Users

2.Click on the Select button for the user you wish to delete.

3.Click ‘Delete

To change a Password:

1.Select Terminal Settings > Security > Users

2.Click on the Select button for the user you wish to change the Password.

3.Enter the Password.

A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes.

Aprisa SR User Manual

124 | Managing the Radio

Security > SNMP

In addition to web-based management (SuperVisor), the network can also be managed using the Simple Network Management Protocol (SNMP). MIB files are supplied, and these can be used by a dedicated SNMP Manager, such as Castle Rock’s SNMPc, to access most of the radio’s configurable parameters.

For communication between the SNMP manager and the radio, Access Controls and Community strings must be set up as described in the following sections.

A SNMP Community String is used to protect against unauthorized access (similar to a password). The SNMP agent (radio or SNMP manager) will check the community string before performing the task requested in the SNMP message.

ACCESS CONTROL SETUP

A SNMP Access Control is the IP address of the radio used by an SNMP manager or any other SNMP device to access the radio. The Aprisa SR allows access to the radio from any IP address.

Read Only

The default Read Only community string is public.

Read Write

The default ReadWrite community string is private.

Aprisa SR User Manual

Managing the Radio | 125

SNMP Manager Setup

The SNMP manager community strings must be setup to access the base station and remote / repeater stations.

To access the base station, a community string must be setup on the SNMP manager the same as the community string setup on the radio (see ‘Security > SNMP’ on page 124).

SNMP access to remote / repeater stations can be achieved by using the radio’s IP address and the normal community string or by proxy in the base station.

SNMP Access via Base Station Proxy

To access the remote / repeater stations via the base station proxy, the community strings must be setup on the SNMP manager in the format:

ccccccccc:bbbbbb

Where:

ccccccccc is the community string of the base station

and

bbbbbb is the last 3 bytes of the remote station MAC address (see ‘Network Status > Network Table’ on page 167) for the remote station MAC address.

The SNMP Proxy Support must be enabled for this method of SNMP access to operate (see ‘SNMP Proxy Support’ on page 120).

Aprisa SR User Manual

126 | Managing the Radio

Security > Manager

CURRENT PAYLOAD SECURITY PROFILE

Profile Name

This parameter shows the predefined security profile active on the radio.

Status

This parameter displays the status of the predefined security profile on the radio (always active).

PREVIOUS PAYLOAD SECURITY PROFILE

Profile Name

This parameter displays the security profile that was active on the radio prior to the current profile being activated.

Status

This parameter displays the status of the security profile that was active on the radio prior to the current profile being activated.

Option

Function

 

 

Active

The security profile is active on the radio.

 

 

Inactive

The security profile is not active on the radio but could be

 

activated if required.

 

 

Aprisa SR User Manual

Managing the Radio | 127

Activate

This parameter activates the previous security profile (restores to previous version).

PREDEFINED PAYLOAD SECURITY PROFILE

Profile Name

This parameter displays the new security profile that could be activated on the radio or distributed to all remote radios with Security > Distribution.

Status

This parameter displays the status of the new security profile.

Option

Function

 

 

Unavailable

A predefined security profile is not available on this radio.

 

To create a predefined security profile, go to ‘Security > Setup’ on

 

page 117.

 

 

Available

A predefined security profile is available on this radio for

 

distribution and activation.

 

 

Aprisa SR User Manual

Loading...
+ 116 hidden pages