4RF Aprisa SR User Manual
98 | Managing the Radio
Packet Size (Bytes)
This parameter sets the maximum over-the-air packet size in bytes. A smaller maximum Packet Size is beneficial when many remote stations or repeater stations are trying to access the channel. The default setting is 1550 bytes.
As radios dispatched from the factory have a Packet Size set to the maximum value of 1550 bytes, if a new radio is installed in an existing Field Access Network (network), the Packet Size must be changed to ensure it is the same value for all radios in the network. The new radio will not register an existing network if the Packet Size is not the same as the other radios in the network.
This packet size includes the wireless protocol header and security payload (0 to 16 bytes). The length of the security header depends on the level of security selected.
When the security setting is 0, the maximum user data transfer over-the-air is 1516 bytes.
When encryption is enabled, the entire packet of user data (payload) is encrypted. If authentication is being used, the security frame will be added (up to 16 bytes). The wireless protocol header is then added which is proprietary to the Aprisa SR. This is not encrypted.
Packet Time to Live (ms)
This Time To Live (TTL) parameter sets the time a packet is allowed to live in the system before being dropped if it cannot be transmitted over the air. It is used to prevent old, redundant packets being transmitted through the Aprisa SR network. The default setting is 1500 ms.
In the case of serial poll SCADA networks such as MODBUS and IEC 60870.50.101, it is important to ensure the replies from the RTU are in the correct sequence and are not timed out replies from Master requests. If the TTL value is too long, the SCADA master will detect sequence errors.
It is recommended to use a TTL which is half the serial SCADA timeout. This is commonly called the ‘scan timeout’ or ‘link layer time out’ or ‘retry timeout’.
When using TCP protocols, a TTL of 1500 ms is recommended because a TCP re-transmission usually occurs after approximately 3 second.
In SCADA networks which use both serial and Ethernet, it is recommended that the TTL is set to half the serial SCADA timeout for serial remotes, and 1500 ms for Ethernet (TCP) remotes. For example, if the serial SCADA timeout is 1000 ms, a remote radio which is connected to the serial RTU should be set to 500 ms, a remote radio which is connected to a Ethernet (TCP) RTU should have a 1500 ms timeout.
In this case, the base station TTL should be set to 1500 ms as well; or which ever is the longer TTL of serial or Ethernet.
Aprisa SR User Manual
Managing the Radio | 99
Packet Filtering
Each Aprisa SR radio can filter packets not destined for itself. The Packet Filtering parameter controls this functionality.
In an Aprisa SR network, all communication from remote stations is destined for the base station in the Aprisa SR network communication protocol. In a repeater network, a remote station will send a message to the base station. The repeater station will receive this and then repeat the message. The repeated message will then be received by the base station. Other remote stations connected to the repeater station will receive this message and depending on the Packet Filtering parameter, either forward this packet or discard it.
This filtering capability can provide the ability for remote stations to communicate with each other when connected to a repeater, particularly useful in the event of losing communication with a SCADA Master, assuming the Aprisa SR network is still operational.
Note: IP Header Compression must be disabled for this feature to operate correctly (see ‘IP Header Compression Ratio’ on page 101).
Option |
Function |
|
|
Disabled |
Every packet received by the radio will be forwarded to the |
|
relevant interface. |
|
|
Automatic |
The radio will filter (discard) packets not destined for itself |
|
according to the Aprisa SR traffic protocols |
|
|
The default setting is Automatic.
Note: The Aprisa SR network is transparent to the protocol being transmitted; therefore the Packet Filtering parameter is based on the Aprisa SR addressing and network protocols, not the user (SCADA, etc.) traffic protocols.
Serial Data Stream Mode
This parameter controls the traffic flow in the radio serial ports.
Option |
Function |
|
|
Broadcast |
Serial port traffic from the network is broadcast on all serial ports |
|
on this radio. This will include the RS-232 port derived from the |
|
USB port. |
|
|
Segregate |
Serial port traffic from the network from a specific port number is |
|
directed to the respective serial port only. |
|
|
The default setting is Broadcast.
Aprisa SR User Manual
100 | Managing the Radio
TRAFFIC SETTINGS
Serial Data Priority
The Serial Data Priority controls the priority of the serial customer traffic relative to the Ethernet customer traffic. If equal priority is required to Ethernet traffic, this setting must be the same as the
Ethernet Data Priority setting (see ‘Ethernet Data Priority’ on page 100).
The serial data priority can be set to Very High, High, Medium and Low. The default setting is Very High.
A queuing system is used to prioritize traffic from the serial and Ethernet interfaces for over the air transmission. A weighting may be given to each data type and this is used to schedule the next transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a higher weighting it will be transmitted first. The serial buffer is 20 serial packets (1 packet can be up to 512 bytes).
There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.
Ethernet Data Priority
The Ethernet Data Priority controls the priority of the Ethernet customer traffic relative to the serial customer traffic. If equal priority is required to serial traffic, this setting must be the same as the Serial
Data Priority setting (see ‘Serial Data Priority’ on page 100)
The Ethernet Data Priority can be set to Very High, High, Medium and Low. The default setting is Very High.
A queuing system is used to prioritize customer traffic from the serial and Ethernet interfaces for over the air transmission. A weighting may be given to each data type and this is used to schedule the next transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a higher weighting it will be transmitted first. The Ethernet buffer is 10 Ethernet packets (1 packet can be up to Ethernet MTU, 1500 bytes).
There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.
Ethernet Management Priority
The Ethernet Management Priority controls the priority of the Ethernet management traffic relative to Ethernet customer traffic.
The Ethernet Management Priority can be set to Very High, High, Medium and Low. The default setting is Medium.
Aprisa SR User Manual
Managing the Radio | 101
Background Bulk Data Transfer Rate
This parameter sets the data transfer rate for large amounts of management data.
|
Option |
Function |
|
|
|
|
High |
Utilizes more of the available capacity for large amounts of |
|
|
management data. Highest impact on user traffic. |
|
|
|
|
Medium |
Utilizes a moderate of the available capacity for large amounts of |
|
|
management data. Medium impact on user traffic. |
|
|
|
|
Low |
Utilizes a minimal of the available capacity for large amounts of |
|
|
management data. Lowest impact on user traffic. |
|
|
|
The default setting is high. |
|
|
DATA COMPRESSION |
|
|
IP Header Compression Ratio |
|
|
The IP Header Compression implements TCP/IP ROHC v2 (Robust Header Compression v2. RFC4995, RFC5225, RFC4996) to compress the IP header. IP Header Compression allows for faster point to point transactions, but only in a star network.
IP Header Compression module comprises of two main components, Compressor and Decompressor. Both these components maintain some state information for an IP flow to achieve header compression. However, for reasons like packet drops or station reboots this state information can go out of sync between compressor and decompressor resulting in compression and/or decompression failure resulting in loss of packets.
The Compression Ratio controls the rate at which compressor and decompressor synchronize state information with each other. Frequent synchronization results in reduced ratio.
|
Option |
Function |
|
|
|
|
Compression |
Disables IP Header Compression. |
|
Disabled |
|
|
|
|
|
High |
State information is synchronized less frequently thus achieving |
|
|
the best compression ratio. |
|
|
|
|
Medium |
State information is synchronization less frequently than ‘High’ |
|
|
setting but more frequently than ‘Low’ setting. |
|
|
|
|
Low |
State information is synchronized frequently thus reducing the |
|
|
compression ratio. |
|
|
|
The default setting is High. |
|
|
When IP Header Compression is enabled, it is important that the Network Radius is set correctly. If it was incorrectly set to 1, header compression could not be interpreted by radius 2 radios.
Aprisa SR User Manual
102 | Managing the Radio
Serial
Serial > Summary
This page displays the current settings for the serial port parameters.
See ‘Serial > Port Setup’ on page 103 for configuration options.
Aprisa SR User Manual
Managing the Radio | 103
Serial > Port Setup
This page provides the setup for the serial port settings.
SERIAL PORTS SETTINGS
Note: The current Aprisa SR has one serial port so there will be only one record.
Name
This parameter sets the port name which can be up to 32 characters.
Option |
Function |
|
|
|
|
SerialPort1 |
This is the normal RS-232 serial port provided with the RJ45 |
|
|
connector. |
|
|
|
|
USB Serial Port |
This is the additional RS-232 serial port provided with the USB Host |
|
|
Port |
connector with a USB to RS-232 RJ45 converter cable |
|
(see ‘USB RS-232 Serial Port’ on page 43). |
|
|
|
|
Mode
This parameter defines the mode of operation of the serial port. The default setting is Standard.
|
Option |
Function |
|
|
|
|
|
|
Disabled |
The serial port is not required. |
|
|
|
|
|
|
Standard |
The serial port is communicating with serial ports on other |
|
|
|
stations. |
|
|
|
|
|
|
Terminal Server |
A base station Ethernet port can communicate with both Ethernet |
|
|
|
ports and serial ports on remote stations. |
|
|
|
RS-232 traffic is encapsulated in IP packets (see ‘Serial > Port |
|
|
|
Setup’ TERMINAL SERVER SETTINGS on page 105). |
|
|
|
|
|
|
|
|
|
|
|
Aprisa SR User Manual |
|
|
|
|
|
104 | Managing the Radio
Baud Rate (bit/s)
This parameter sets the baud rate to 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600 or 115200 bit/s. The default setting is 115200 bit/s.
Character Length (bits)
This parameter sets the character length to 7 or 8 bits. The default setting is 8 bits.
Parity
This parameter sets the parity to Even, Odd or None. The default setting is None.
Stop Bits (bits)
This parameter sets the number of stop bits to 1 or 2 bits. The default setting is 1 bit.
Flow Control
This parameter sets the flow control of the serial port. The default setting is Disabled.
Option |
Function |
|
|
None |
The Aprisa SR radio port (DCE) CTS is in a permanent ON (+ve) |
|
state. |
|
This does not go to OFF if the radio link fails. |
|
|
CTS-RTS |
CTS / RTS hardware flow control between the DTE and the Aprisa |
|
SR radio port (DCE) is enabled. |
|
If the Aprisa SR buffer is full, the CTS goes OFF. |
|
In the case of radio link failure the signal goes to OFF (-ve) state. |
|
|
In terminal server mode, the serial packet is no different from an Ethernet packet and travels through various packet queues before being transmitted over the air. Thus, the serial flow control has no affect in terminal server mode.
Inter-Frame Gap (chars)
This parameter defines the gap between successive serial data frames. It is used to delimit the serial data to define the end of a packet. The Inter-Frame Gap limits are 0.5 to 16 chars. The default setting is 3.5 chars.
Aprisa SR User Manual
Managing the Radio | 105
TERMINAL SERVER SETTINGS
This menu item is only applicable if the serial port has an operating mode of Terminal Server.
The Terminal Server operating mode provides encapsulation of serial data into an IP packet (TCP or UDP).
A server connected to a base station Ethernet port can communicate with all remote station Ethernet ports and serial ports.
Note: The current Aprisa SR has one serial port so there will be only one record.
Local Address
This parameter displays the IP address of this radio.
Port
This parameter sets the port number of the local serial port.
The valid port number range is greater than or equal to 1024 and less than or equal to 49151 but with exclusions of 0, 5445, 6445, 9930 or 9931. The default setting is 20000.
Remote Address
This parameter sets the IP address of the server connected to the base station Ethernet port.
Port
This parameter sets the port number of the server connected to the base station Ethernet port. The default setting is 0.
Aprisa SR User Manual
106 | Managing the Radio
Protocol
This parameter sets the IP protocol used for terminal server operation. The default setting is TCP.
Mode
This parameter defines the mode of operation of the terminal server connection. The default setting is Client and Server.
Option |
Function |
|
|
Client |
The radio will attempt to establish a TCP connection with the |
|
specified remote unit. |
|
|
Server |
The radio will listen for a TCP connection on the specified local |
|
port. |
|
Data received from any client shall be forwarded to the associated |
|
serial port while data received from that serial port shall be |
|
forwarded to every client with an open TCP connection. |
|
If no existing TCP connections exist, all data received from the |
|
associated serial port shall be discarded. |
|
|
Client and Server |
The radio will listen for a TCP connection on the specified local |
|
port and if necessary, establish a TCP connection with the |
|
specified remote unit. |
|
Data received from any client shall be forwarded to the associated |
|
serial port while data received from that serial port shall be |
|
forwarded to every client with an open TCP connection. |
|
|
Inactivity Timeout (seconds)
This specifies the duration (in seconds) to automatically terminate the connection with the remote TCP server if no data has been received from either the remote TCP server or its associated serial port for the duration of the configured inactivity time.
TCP Keep Alive
A TCP keepalive is a message sent by one device to another to check that the link between the two is operating, or to prevent the link from being broken.
If the TCP Keep Alive is enabled, the radio will be notified if the TCP connection fails.
If the TCP Keep Alive is disabled, the radio relies on the Inactivity Timeout to detect a TCP connection failure. The default setting is disabled.
Note: An active TCP Keep Alive will generate a small amount of extra network traffic.
Aprisa SR User Manual
Managing the Radio | 107
Ethernet
Ethernet > Summary
This page displays the current settings for the Ethernet port parameters and the status of the ports.
See ‘Ethernet > Port Setup’ for configuration options.
Aprisa SR User Manual
108 | Managing the Radio
Ethernet > Port Setup
This page provides the setup for the Ethernet ports settings.
ETHERNET PORT SETTINGS
Mode
This parameter controls the Ethernet traffic flow. The default setting is Standard.
Option |
Function |
|
|
Standard |
Enables Ethernet data communication over the radio link. |
|
|
Switch |
Ethernet traffic is switched locally between the two |
|
Ethernet ports and communicated over the radio link |
|
|
Disabled |
Disables Ethernet data communication over the radio link. |
|
|
Speed (Mbit/s)
This parameter controls the traffic rate of the Ethernet port. The default setting is Auto.
Option |
Function |
|
|
Auto |
Provides auto selection of Ethernet Port Speed |
|
|
10 |
The Ethernet Port Speed is manualy set to 10 Mbit/s |
|
|
100 |
The Ethernet Port Speed is manualy set to 100 Mbit/s |
|
|
Aprisa SR User Manual
Managing the Radio | 109
Duplex
This parameter controls the transmission mode of the Ethernet port. The default setting is Auto.
Option |
Function |
|
|
Auto |
Provides auto selection of Ethernet Port duplex setting. |
|
|
Half Duplex |
The Ethernet Port is manualy set to Half Duplex. |
|
|
Full Duplex |
The Ethernet Port is manualy set to Full Duplex. |
|
|
Function
This parameter controls the use for the Ethernet port. The default setting is Management and User.
Option |
Function |
|
|
Management Only |
The Ethernet port is only used for management of the |
|
network. |
|
|
Management and User |
The Ethernet port is used for management of the network |
|
and User traffic over the radio link. |
|
|
User Only |
The Ethernet port is only used for User traffic over the radio |
|
link. |
|
|
Aprisa SR User Manual
110 | Managing the Radio
Ethernet > L2 Filtering
This page is only available if the Ethernet traffic option has been licensed (see ‘Maintenance > Licence’ on page 140).
FILTER DETAILS
L2 Filtering provides the ability to filter radio link traffic based on specified Layer 2 MAC addresses.
Traffic originating from specified Source MAC Addresses destined for specified Destination MAC Addresses that meets the protocol type criteria will be transmitted over the radio link.
Traffic that does not meet the filtering criteria will not be transmitted over the radio link.
Source MAC Address
This parameter sets the filter to the Source MAC address of the packet in the format ‘hh:hh:hh:hh:hh:hh’.
If the Source MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, traffic will be accepted from any source MAC address.
Destination MAC Address
This parameter sets the filter to the Destination MAC address of the packet in the format ‘hh:hh:hh:hh:hh:hh’.
If the Destination MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, traffic will be delivered to any destination
MAC address.
Protocol Type
This parameter sets the Ethernet Type accepted ARP, VLAN, IPv4, IPv6 or Any type.
Aprisa SR User Manual
Managing the Radio | 111
Example:
In the screen shot, the rules are configured in the base station which controls the radio link traffic from base station to remote / repeater stations.
Traffic from a device with the MAC address 00:01:50:c2:01:00 is forwarded over the radio link if it meets the criteria:
Rule 1 If the Ethernet Type is ARP going to any destination MAC address or
Rule 2 If the Ethernet Type is Any and the destination MAC address is 01:00:50:c2:01:02 or Rule 3 If the Ethernet Type is VLAN tagged packets going to any destination MAC address
Special L2 Filtering Rules:
Unicast Only Traffic
This L2 filtering allows for Unicast only traffic and drop broadcast and multicast traffic. This filtering is achieved by adding the two rules:
Rule |
Source |
Destination |
Protocol Type |
|
MAC Address |
MAC Address |
|
|
|
|
|
Allow ARPS |
FF:FF:FF:FF:FF:FF |
FF:FF:FF:FF:FF:FF |
ARP |
|
|
|
|
Allow Unicasts from Any source |
FF:FF:FF:FF:FF:FF |
FE:FF:FF:FF:FF:FF |
Any |
|
|
|
|
To delete a L2 Filter:
1.Click on an existing rule ‘Select’.
2.Click on Delete.
3. Click on OK.
ADD NEW FILTER
To add a L2 Filter:
1.Enter the Rule ID number. This is a unique rule number between 1 and 25.
2.Enter the Source MAC address of the packet or ‘FF:FF:FF:FF:FF:FF’ to accept traffic from any MAC address.
3.Enter the Destination MAC address of the packet or ‘FF:FF:FF:FF:FF:FF’ to deliver traffic to any MAC address.
4.Select the Protocol Type to ARP, VLAN, IPv4, IPv6 or Any type.
5.Click on Add.
Aprisa SR User Manual
112 | Managing the Radio
Networking
Networking > IP Summary
This page displays the current settings for the Networking IP Settings.
See ‘Networking > IP Setup’ for configuration options.
Aprisa SR User Manual
Managing the Radio | 113
Networking > IP Setup
This page provides the setup for the Networking IP Settings.
NETWORKING IP SETTINGS
IP Address
Set the static IP Address of the radio assigned by your site network administrator using the standard format xxx.xxx.xxx.xxx. The default IP address is in the range 169.254.50.10.
Subnet Mask
Set the Subnet Mask of the radio using the standard format xxx.xxx.xxx.xxx. The default subnet mask is 255.255.0.0.
Gateway
Set the Gateway address of the radio, if required, using the standard format xxx.xxx.xxx. The default Gateway is 0.0.0.0.
Aprisa SR User Manual
114 | Managing the Radio
Networking > L3 Filtering
This page is only available if the Ethernet traffic option has been licensed (see ‘Maintenance > Licence’ on page 140).
NETWORKING L3 FILTER SETTINGS
L3 Filtering provides the ability to evaluate traffic and take specific action based on the filter criteria.
This filtering can also be used for L4 TCP/UDP port filtering which in most cases relates to specific applications as per IANA official and unofficial well-known ports.
Entering a * into any to field will automatically enter the wildcard values when the data is saved.
Priority
This parameter shows the priority order in which the filters are processed.
Action
This parameter defines the action taken on the packet when it meets the filter criteria.
Option |
Function |
|
|
Process |
Processes the packet if it meets the filter criteria |
|
|
Discard |
Discards the packet if it meets the filter criteria |
|
|
Source IP Address
If the source IP address is set to 0.0.0.0, any source IP address will meet the filter criteria.
Aprisa SR User Manual
Managing the Radio | 115
Source Wildcard Mask
This parameter defines the mask applied to the Source IP Address. 0 means that it must be a match.
If the Source Wildcard Mask is set to 0.0.0.0, the complete Source IP Address will be evaluated for the filter criteria.
If the Source Wildcard Mask is set to 0.0.255.255, the first 2 octets of the Source IP Address will be evaluated for the filter criteria.
If the Source Wildcard Mask is set to 255.255.255.255, none of the Source IP Address will be evaluated for the filter criteria.
Note: The Source Wildcard Mask operation is the inverse of subnet mask operation
Source Port Range
This parameter defines the port or port range for the source. To specify a range, insert a dash between the ports e.g 1000-2000. If the Source Port Range is set to 1-65535, traffic from any source port will meet the filter criteria.
Destination IP Address
This parameter defines the destination IP address of the filter. If the destination IP address is set to 0.0.0.0, any destination IP address will meet the filter criteria.
Destination Wildcard Mask
This parameter defines the mask applied to the Destination IP Address. 0 means that it must be a match.
If the Destination Wildcard Mask is set to 0.0.0.0, the complete Destination IP Address will be evaluated for the filter criteria.
If the Destination Wildcard Mask is set to 0.0.255.255, the first 2 octets of the Destination IP Address will be evaluated for the filter criteria.
If the Destination Wildcard Mask is set to 255.255.255.255, none of the Destination IP Address will be evaluated for the filter criteria.
Note: The Destination Wildcard Mask operation is the inverse of subnet mask operation
Destination Port Range
This parameter defines the port or port range for the destination. To specify a range, insert a dash between the ports e.g 1000-2000. If the destination port range is set to 1-65535, traffic to any destination port will meet the filter criteria.
Protocol
This parameter defines the Ethernet packet type that will meet the filter criteria.
Controls
The Delete button deletes the selected entry.
The Move Up button moves the selected entry above the entry above it increasing it’s process priority.
The Move Down button moves the selected entry below the entry above it reducing it’s process priority.
Aprisa SR User Manual
116 | Managing the Radio
Security
Security > Summary
This page displays the current settings for the Security parameters.
See ‘Security > Setup’ and ‘Security > Manager’ for configuration options.
Aprisa SR User Manual
Managing the Radio | 117
Security > Setup
PAYLOAD SECURITY PROFILE SETUP
Security Profile Name
This parameter enables the user to predefine a security profile with a specified name.
Security Scheme
This parameter sets the security scheme to one of the values in the following table:
Security Level
Disabled (No encryption and no Message Authentication Code)
AES Encryption + CCM Authentication 128 bit
AES Encryption + CCM Authentication 64 bit
AES Encryption + CCM Authentication 32 bit
AES Encryption only
CCM Authentication 128 bit
CCM Authentication 64 bit
CCM Authentication 32 bit
The default setting is Disabled.
Aprisa SR User Manual
118 | Managing the Radio
Payload Encryption Key Type
This parameter sets the Payload Encryption Key Type:
|
Option |
Function |
|
|
|
|
Pass Phrase |
Use the Pass Phrase password format for standard security. |
|
|
|
|
Raw Hexidecimal |
Use the Raw Hexidecimal password format for better |
|
|
security. It must comply with the specified encryption key |
|
|
size e.g. if Encryption Type to AES128, the encryption key |
|
|
must be 16 bytes (32 chars) |
|
|
|
The default setting is Pass Phrase. |
|
|
Payload Encryption Key Size
This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.
The higher the encryption size the better the security.
Payload Encryption Key
This parameter sets the Payload Encryption password. This key is used to encrypt the payload.
Pass Phrase
Good password policy:
contains at least eight characters, and contains at least one upper case letter, and contains at least one lower case letter, and
contains at least one digit or another character such as !@#$%^&(){}[]<>... , and is not a term in a familiar language or jargon, and
is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and
is easy to remember, for instance by means of a key sentence
Raw Hexidecimal
The Raw Hexidecimal password must comply with the specified encryption key size e.g. if Encryption Type to AES128, the encryption key must be 16 bytes (32 chars).
Aprisa SR User Manual
Managing the Radio | 119
KEY ENCRYPTION KEY SETUP
The Key Encryption Key provides the ability to encrypt the Payload Encryption Key so it can be safely transmitted over the radio link to remote radios.
The Key Encryption Key Type, Key Encryption Key Size and Key Encryption Key must be the same on all radios in the network.
Key Encryption Key Type
This parameter sets the Payload Encryption Key Type:
|
Option |
Function |
|
|
|
|
Pass Phrase |
Use the Pass Phrase password format for standard security. |
|
|
|
|
Raw Hexidecimal |
Use the Raw Hexidecimal password format for better |
|
|
security. It must comply with the specified encryption key |
|
|
size |
|
|
e.g. if Encryption Type to AES128, the encryption key must |
|
|
be 16 bytes (32 chars) |
|
|
|
The default setting is Pass Phrase. |
|
|
Key Encryption Key Size
This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.
The higher the encryption type the better the security.
Key Encryption Key
This parameter sets the Key Encryption password. This is used to encrypt the payload encryption key.
Aprisa SR User Manual
120 | Managing the Radio
PROTOCOL SETUP
Telnet option
This parameter option determines if you can manage the radio via a Telnet session. The default setting is disabled.
ICMP option (Internet Control Message Protocol)
This parameter option determines whether the radio will respond to a ping. The default setting is disabled.
HTTPS option
This parameter option determines if you can manage the radio via a HTTPS session (via a Browser). The default setting is enabled.
SNMP Proxy Support
This parameter option enables an SNMP proxy server in the base station. This proxy server reduces the radio link traffic during SNMP communication to remote / repeater stations. This option applies to the base station only. The default setting is disabled.
This option can also be used if the radio has Serial Only interfaces.
SNMP Protocol
This parameter sets the SNMP Protocol:
|
Option |
Function |
|
|
|
|
Disabled |
All SNMP functions are disabled. |
|
|
|
|
All Versions |
Allows all SNMP protocol versions. |
|
|
|
|
SNMPv3 Only |
Only SNMPv3 transactions will be accepted. |
|
|
|
|
SNMPv3 With |
Only SNMPv3 transactions authenticated using HMAC-MD5 or |
|
Authentication Only |
HMAC-SHA will be accepted. |
|
|
|
The default setting is All Versions. |
|
|
The default SNMPv3 with Authentication User Details provided are:
User Name |
Authentication |
Context Name |
Authentication |
|
Type |
|
Passphrase |
|
|
|
|
noAuthUser |
- |
noAuth |
noAuthUser |
|
|
|
|
authUserMD5 |
MD5 |
auth |
authUserMD5 |
|
|
|
|
authUserSHA |
SHA |
auth |
authUserSHA |
|
|
|
|
Aprisa SR User Manual
Managing the Radio | 121
SNMPv3 Authentication Passphrase
The Authentication Passphrases can be changed via SNMP (not SuperVisor).
When viewing / managing the details of the users via SNMP, the standard SNMP-USER-BASED-SM-MIB interface is used. This interface can be used to change the Authentication Passphrase of the users.
The Authentication Passphrase of the user required to be changed cannot be changed by the same user i.e a different user must be used for the transactions.
To change a user authentication passphrase:
1.SET the usmUserStatus object for that user to ‘Not In Service’
2.GET the usmUserSpinLockobject
3.SET the usmUserSpinLockobject with the value that was just GOT in the previous step
4.SET the usmUserAuthKeyChange to the new Authentication key string
5.SET the usmUserPrivKeyChangeto the new Privacy key string
6.SET the usmUserStatus object for that user to ‘Active’
Note that the key string for steps 4 and 5 are 32 octet hexadecimal values. This string is generated based on the ‘old passphrase’ and ‘new passphrase’ as specified in RFC2274.
The utility ‘encode_keychange.exe’, available from NET-SNMP open source applications, can be used to generate this string.
An example command to generate a new Authentication key string for the default desUserMD5 is:
encode_keychange –t md5 –O “desUserMD5” –N “desUserMD5Auth” –E 0x0100DC
An example command to generate a new Privacy key string for the default desUserMD5 is:
encode_keychange –t md5 –O “desUserMD5” –N “desUserMD5Priv” –E 0x0100DC
These command executions will return a 32 Octet Hexadecimal string that can be used in steps 4 and 5 above.
Aprisa SR User Manual
122 | Managing the Radio
Security > Users
Note: You must login with ‘admin’ privileges to add, disable, delete a user or change a password.
USER DETAILS
Shows a list of the current users setup in the radio.
ADD NEW USER
To add a new user:
1. Enter the Username.
A username can be up to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes. Usernames are case sensitive.
2. Enter the Password.
A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes. Passwords are case sensitive.
Good password policy:
contains at least eight characters, and contains at least one upper case letter, and contains at least one lower case letter, and
contains at least one digit or another character such as !@#$%^&(){}[]<>... , and is not a term in a familiar language or jargon, and
is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and
is easy to remember, for instance by means of a key sentence
Aprisa SR User Manual
Managing the Radio | 123
3. Select the User Privileges
There are four pre-defined User Privilege settings to allocate access rights to users. These user privileges have associated default usernames and passwords of the same name.
The default login is ‘admin’.
This login has full access to all radio parameters including the ability to add and change users. There can only be a maximum of two usernames with admin privileges and the last username with admin privileges cannot be deleted.
User |
Default |
Default |
User Privileges |
Privilege |
Username |
Password |
|
|
|
|
|
View |
view |
view |
Users in this group can only view the summary |
|
|
|
pages. |
|
|
|
|
Technician |
technician |
technician |
Users in this group can view and edit parameters |
|
|
|
except Security > Users, Security > Settings and |
|
|
|
Advanced settings. |
|
|
|
|
Engineer |
engineer |
engineer |
Users in this group can view and edit parameters |
|
|
|
except Security > Users. |
|
|
|
|
Admin |
admin |
admin |
Users in this group can view and edit all |
|
|
|
parameters. |
|
|
|
|
See ‘SuperVisor Menu Access’ on page 76 for the list of SuperVisor menu items versus user privileges.
4. Click ‘Add’
To delete a user:
1.Select Terminal Settings > Security > Users
2.Click on the Select button for the user you wish to delete.
3.Click ‘Delete
To change a Password:
1.Select Terminal Settings > Security > Users
2.Click on the Select button for the user you wish to change the Password.
3.Enter the Password.
A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes.
Aprisa SR User Manual
124 | Managing the Radio
Security > SNMP
In addition to web-based management (SuperVisor), the network can also be managed using the Simple Network Management Protocol (SNMP). MIB files are supplied, and these can be used by a dedicated SNMP Manager, such as Castle Rock’s SNMPc, to access most of the radio’s configurable parameters.
For communication between the SNMP manager and the radio, Access Controls and Community strings must be set up as described in the following sections.
A SNMP Community String is used to protect against unauthorized access (similar to a password). The SNMP agent (radio or SNMP manager) will check the community string before performing the task requested in the SNMP message.
ACCESS CONTROL SETUP
A SNMP Access Control is the IP address of the radio used by an SNMP manager or any other SNMP device to access the radio. The Aprisa SR allows access to the radio from any IP address.
Read Only
The default Read Only community string is public.
Read Write
The default ReadWrite community string is private.
Aprisa SR User Manual
Managing the Radio | 125
SNMP Manager Setup
The SNMP manager community strings must be setup to access the base station and remote / repeater stations.
To access the base station, a community string must be setup on the SNMP manager the same as the community string setup on the radio (see ‘Security > SNMP’ on page 124).
SNMP access to remote / repeater stations can be achieved by using the radio’s IP address and the normal community string or by proxy in the base station.
SNMP Access via Base Station Proxy
To access the remote / repeater stations via the base station proxy, the community strings must be setup on the SNMP manager in the format:
ccccccccc:bbbbbb
Where:
ccccccccc is the community string of the base station
and
bbbbbb is the last 3 bytes of the remote station MAC address (see ‘Network Status > Network Table’ on page 167) for the remote station MAC address.
The SNMP Proxy Support must be enabled for this method of SNMP access to operate (see ‘SNMP Proxy Support’ on page 120).
Aprisa SR User Manual
126 | Managing the Radio
Security > Manager
CURRENT PAYLOAD SECURITY PROFILE
Profile Name
This parameter shows the predefined security profile active on the radio.
Status
This parameter displays the status of the predefined security profile on the radio (always active).
PREVIOUS PAYLOAD SECURITY PROFILE
Profile Name
This parameter displays the security profile that was active on the radio prior to the current profile being activated.
Status
This parameter displays the status of the security profile that was active on the radio prior to the current profile being activated.
Option |
Function |
|
|
Active |
The security profile is active on the radio. |
|
|
Inactive |
The security profile is not active on the radio but could be |
|
activated if required. |
|
|
Aprisa SR User Manual
Managing the Radio | 127
Activate
This parameter activates the previous security profile (restores to previous version).
PREDEFINED PAYLOAD SECURITY PROFILE
Profile Name
This parameter displays the new security profile that could be activated on the radio or distributed to all remote radios with Security > Distribution.
Status
This parameter displays the status of the new security profile.
Option |
Function |
|
|
Unavailable |
A predefined security profile is not available on this radio. |
|
To create a predefined security profile, go to ‘Security > Setup’ on |
|
page 117. |
|
|
Available |
A predefined security profile is available on this radio for |
|
distribution and activation. |
|
|
Aprisa SR User Manual
Loading...