98 | Managing the Radio
Aprisa SR User Manual
Packet Size (Bytes)
This parameter sets the maximum over-the-air packet size in bytes. A smaller maximum Packet Size is
beneficial when many remote stations or repeater stations are trying to access the channel. The default
setting is 1550 bytes.
As radios dispatched from the factory have a Packet Size set to the maximum value of 1550 bytes, if a new
radio is installed in an existing Field Access Network (network), the Packet Size must be changed to ensure
it is the same value for all radios in the network. The new radio will not register an existing network if the
Packet Size is not the same as the other radios in the network.
This packet size includes the wireless protocol header and security payload (0 to 16 bytes). The length of
the security header depends on the level of security selected.
When the security setting is 0, the maximum user data transfer over-the-air is 1516 bytes.
When encryption is enabled, the entire packet of user data (payload) is encrypted. If authentication is
being used, the security frame will be added (up to 16 bytes). The wireless protocol header is then added
which is proprietary to the Aprisa SR. This is not encrypted.
Packet Time to Live (ms)
This Time To Live (TTL) parameter sets the time a packet is allowed to live in the system before being
dropped if it cannot be transmitted over the air. It is used to prevent old, redundant packets being
transmitted through the Aprisa SR network. The default setting is 1500 ms.
In the case of serial poll SCADA networks such as MODBUS and IEC 60870.50.101, it is important to ensure
the replies from the RTU are in the correct sequence and are not timed out replies from Master requests.
If the TTL value is too long, the SCADA master will detect sequence errors.
It is recommended to use a TTL which is half the serial SCADA timeout. This is commonly called the ‘scan
timeout’ or ‘link layer time out’ or ‘retry timeout’.
When using TCP protocols, a TTL of 1500 ms is recommended because a TCP re-transmission usually occurs
after approximately 3 second.
In SCADA networks which use both serial and Ethernet, it is recommended that the TTL is set to half the
serial SCADA timeout for serial remotes, and 1500 ms for Ethernet (TCP) remotes. For example, if the
serial SCADA timeout is 1000 ms, a remote radio which is connected to the serial RTU should be set to
500 ms, a remote radio which is connected to a Ethernet (TCP) RTU should have a 1500 ms timeout.
In this case, the base station TTL should be set to 1500 ms as well; or which ever is the longer TTL of
serial or Ethernet.
Managing the Radio | 99
Aprisa SR User Manual
Option
Function
Disabled
Every packet received by the radio will be forwarded to the
relevant interface.
Automatic
The radio will filter (discard) packets not destined for itself
according to the Aprisa SR traffic protocols
Option
Function
Broadcast
Serial port traffic from the network is broadcast on all serial ports
on this radio. This will include the RS-232 port derived from the
USB port.
Segregate
Serial port traffic from the network from a specific port number is
directed to the respective serial port only.
Packet Filtering
Each Aprisa SR radio can filter packets not destined for itself. The Packet Filtering parameter controls this
functionality.
In an Aprisa SR network, all communication from remote stations is destined for the base station in the
Aprisa SR network communication protocol. In a repeater network, a remote station will send a message
to the base station. The repeater station will receive this and then repeat the message. The repeated
message will then be received by the base station. Other remote stations connected to the repeater
station will receive this message and depending on the Packet Filtering parameter, either forward this
packet or discard it.
This filtering capability can provide the ability for remote stations to communicate with each other when
connected to a repeater, particularly useful in the event of losing communication with a SCADA Master,
assuming the Aprisa SR network is still operational.
Note: IP Header Compression must be disabled for this feature to operate correctly (see ‘IP Header
Compression Ratio’ on page 101).
The default setting is Automatic.
Note: The Aprisa SR network is transparent to the protocol being transmitted; therefore the Packet
Filtering parameter is based on the Aprisa SR addressing and network protocols, not the user (SCADA, etc.)
traffic protocols.
Serial Data Stream Mode
This parameter controls the traffic flow in the radio serial ports.
The default setting is Broadcast.
100 | Managing the Radio
Aprisa SR User Manual
TRAFFIC SETTINGS
Serial Data Priority
The Serial Data Priority controls the priority of the serial customer traffic relative to the Ethernet
customer traffic. If equal priority is required to Ethernet traffic, this setting must be the same as the
Ethernet Data Priority setting (see ‘Ethernet Data Priority’ on page 100).
The serial data priority can be set to Very High, High, Medium and Low. The default setting is Very High.
A queuing system is used to prioritize traffic from the serial and Ethernet interfaces for over the air
transmission. A weighting may be given to each data type and this is used to schedule the next
transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a
higher weighting it will be transmitted first. The serial buffer is 20 serial packets (1 packet can be up to
512 bytes).
There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of
these queues depending on the priority setting. Data leaves the queues from highest priority to lowest:
the Very High queue is emptied first, followed by High then Medium and finally Low.
Ethernet Data Priority
The Ethernet Data Priority controls the priority of the Ethernet customer traffic relative to the serial
customer traffic. If equal priority is required to serial traffic, this setting must be the same as the Serial
Data Priority setting (see ‘Serial Data Priority’ on page 100)
The Ethernet Data Priority can be set to Very High, High, Medium and Low. The default setting is Very
High.
A queuing system is used to prioritize customer traffic from the serial and Ethernet interfaces for over the
air transmission. A weighting may be given to each data type and this is used to schedule the next
transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a
higher weighting it will be transmitted first. The Ethernet buffer is 10 Ethernet packets (1 packet can be
up to Ethernet MTU, 1500 bytes).
There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of
these queues depending on the priority setting. Data leaves the queues from highest priority to lowest:
the Very High queue is emptied first, followed by High then Medium and finally Low.
Ethernet Management Priority
The Ethernet Management Priority controls the priority of the Ethernet management traffic relative to
Ethernet customer traffic.
The Ethernet Management Priority can be set to Very High, High, Medium and Low. The default setting is
Medium.
Managing the Radio | 101
Aprisa SR User Manual
Option
Function
High
Utilizes more of the available capacity for large amounts of
management data. Highest impact on user traffic.
Medium
Utilizes a moderate of the available capacity for large amounts of
management data. Medium impact on user traffic.
Low
Utilizes a minimal of the available capacity for large amounts of
management data. Lowest impact on user traffic.
Option
Function
Compression
Disabled
Disables IP Header Compression.
High
State information is synchronized less frequently thus achieving
the best compression ratio.
Medium
State information is synchronization less frequently than ‘High’
setting but more frequently than ‘Low’ setting.
Low
State information is synchronized frequently thus reducing the
compression ratio.
Background Bulk Data Transfer Rate
This parameter sets the data transfer rate for large amounts of management data.
The default setting is high.
DATA COMPRESSION
IP Header Compression Ratio
The IP Header Compression implements TCP/IP ROHC v2 (Robust Header Compression v2. RFC4995,
RFC5225, RFC4996) to compress the IP header. IP Header Compression allows for faster point to point
transactions, but only in a star network.
IP Header Compression module comprises of two main components, Compressor and Decompressor. Both
these components maintain some state information for an IP flow to achieve header compression.
However, for reasons like packet drops or station reboots this state information can go out of sync
between compressor and decompressor resulting in compression and/or decompression failure resulting in
loss of packets.
The Compression Ratio controls the rate at which compressor and decompressor synchronize state
information with each other. Frequent synchronization results in reduced ratio.
The default setting is High.
When IP Header Compression is enabled, it is important that the Network Radius is set correctly. If it was
incorrectly set to 1, header compression could not be interpreted by radius 2 radios.
102 | Managing the Radio
Aprisa SR User Manual
Serial
Serial > Summary
This page displays the current settings for the serial port parameters.
See ‘Serial > Port Setup’ on page 103 for configuration options.
Managing the Radio | 103
Aprisa SR User Manual
Option
Function
SerialPort1
This is the normal RS-232 serial port provided with the RJ45
connector.
USB Serial Port
This is the additional RS-232 serial port provided with the USB Host
Port connector with a USB to RS-232 RJ45 converter cable
(see ‘USB RS-232 Serial Port’ on page 43).
Option
Function
Disabled
The serial port is not required.
Standard
The serial port is communicating with serial ports on other
stations.
Terminal Server
A base station Ethernet port can communicate with both Ethernet
ports and serial ports on remote stations.
RS-232 traffic is encapsulated in IP packets (see ‘Serial > Port
Setup’ TERMINAL SERVER SETTINGS on page 105).
Serial > Port Setup
This page provides the setup for the serial port settings.
SERIAL PORTS SETTINGS
Note: The current Aprisa SR has one serial port so there will be only one record.
Name
This parameter sets the port name which can be up to 32 characters.
Mode
This parameter defines the mode of operation of the serial port. The default setting is Standard.
104 | Managing the Radio
Aprisa SR User Manual
Option
Function
None
The Aprisa SR radio port (DCE) CTS is in a permanent ON (+ve)
state.
This does not go to OFF if the radio link fails.
CTS-RTS
CTS / RTS hardware flow control between the DTE and the Aprisa
SR radio port (DCE) is enabled.
If the Aprisa SR buffer is full, the CTS goes OFF.
In the case of radio link failure the signal goes to OFF (-ve) state.
Baud Rate (bit/s)
This parameter sets the baud rate to 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600 or 115200 bit/s.
The default setting is 115200 bit/s.
Character Length (bits)
This parameter sets the character length to 7 or 8 bits. The default setting is 8 bits.
Parity
This parameter sets the parity to Even, Odd or None. The default setting is None.
Stop Bits (bits)
This parameter sets the number of stop bits to 1 or 2 bits. The default setting is 1 bit.
Flow Control
This parameter sets the flow control of the serial port. The default setting is Disabled.
In terminal server mode, the serial packet is no different from an Ethernet packet and travels through
various packet queues before being transmitted over the air. Thus, the serial flow control has no affect in
terminal server mode.
Inter-Frame Gap (chars)
This parameter defines the gap between successive serial data frames. It is used to delimit the serial data
to define the end of a packet. The Inter-Frame Gap limits are 0.5 to 16 chars. The default setting is 3.5
chars.
Managing the Radio | 105
Aprisa SR User Manual
TERMINAL SERVER SETTINGS
This menu item is only applicable if the serial port has an operating mode of Terminal Server.
The Terminal Server operating mode provides encapsulation of serial data into an IP packet (TCP or UDP).
A server connected to a base station Ethernet port can communicate with all remote station Ethernet
ports and serial ports.
Note: The current Aprisa SR has one serial port so there will be only one record.
Local Address
This parameter displays the IP address of this radio.
Port
This parameter sets the port number of the local serial port.
The valid port number range is greater than or equal to 1024 and less than or equal to 49151 but with
exclusions of 0, 5445, 6445, 9930 or 9931. The default setting is 20000.
Remote Address
This parameter sets the IP address of the server connected to the base station Ethernet port.
Port
This parameter sets the port number of the server connected to the base station Ethernet port. The
default setting is 0.
106 | Managing the Radio
Aprisa SR User Manual
Option
Function
Client
The radio will attempt to establish a TCP connection with the
specified remote unit.
Server
The radio will listen for a TCP connection on the specified local
port.
Data received from any client shall be forwarded to the associated
serial port while data received from that serial port shall be
forwarded to every client with an open TCP connection.
If no existing TCP connections exist, all data received from the
associated serial port shall be discarded.
Client and Server
The radio will listen for a TCP connection on the specified local
port and if necessary, establish a TCP connection with the
specified remote unit.
Data received from any client shall be forwarded to the associated
serial port while data received from that serial port shall be
forwarded to every client with an open TCP connection.
Protocol
This parameter sets the IP protocol used for terminal server operation. The default setting is TCP.
Mode
This parameter defines the mode of operation of the terminal server connection. The default setting is
Client and Server.
Inactivity Timeout (seconds)
This specifies the duration (in seconds) to automatically terminate the connection with the remote TCP
server if no data has been received from either the remote TCP server or its associated serial port for the
duration of the configured inactivity time.
TCP Keep Alive
A TCP keepalive is a message sent by one device to another to check that the link between the two is
operating, or to prevent the link from being broken.
If the TCP Keep Alive is enabled, the radio will be notified if the TCP connection fails.
If the TCP Keep Alive is disabled, the radio relies on the Inactivity Timeout to detect a TCP connection
failure. The default setting is disabled.
Note: An active TCP Keep Alive will generate a small amount of extra network traffic.
Managing the Radio | 107
Aprisa SR User Manual
Ethernet
Ethernet > Summary
This page displays the current settings for the Ethernet port parameters and the status of the ports.
See ‘Ethernet > Port Setup’ for configuration options.
108 | Managing the Radio
Aprisa SR User Manual
Option
Function
Standard
Enables Ethernet data communication over the radio link.
Switch
Ethernet traffic is switched locally between the two
Ethernet ports and communicated over the radio link
Disabled
Disables Ethernet data communication over the radio link.
Option
Function
Auto
Provides auto selection of Ethernet Port Speed
10
The Ethernet Port Speed is manualy set to 10 Mbit/s
100
The Ethernet Port Speed is manualy set to 100 Mbit/s
Ethernet > Port Setup
This page provides the setup for the Ethernet ports settings.
ETHERNET PORT SETTINGS
Mode
This parameter controls the Ethernet traffic flow. The default setting is Standard.
Speed (Mbit/s)
This parameter controls the traffic rate of the Ethernet port. The default setting is Auto.
Managing the Radio | 109
Aprisa SR User Manual
Option
Function
Auto
Provides auto selection of Ethernet Port duplex setting.
Half Duplex
The Ethernet Port is manualy set to Half Duplex.
Full Duplex
The Ethernet Port is manualy set to Full Duplex.
Option
Function
Management Only
The Ethernet port is only used for management of the
network.
Management and User
The Ethernet port is used for management of the network
and User traffic over the radio link.
User Only
The Ethernet port is only used for User traffic over the radio
link.
Duplex
This parameter controls the transmission mode of the Ethernet port. The default setting is Auto.
Function
This parameter controls the use for the Ethernet port. The default setting is Management and User.
110 | Managing the Radio
Aprisa SR User Manual
Ethernet > L2 Filtering
This page is only available if the Ethernet traffic option has been licensed (see ‘Maintenance > Licence’ on
page 140).
FILTER DETAILS
L2 Filtering provides the ability to filter radio link traffic based on specified Layer 2 MAC addresses.
Traffic originating from specified Source MAC Addresses destined for specified Destination MAC Addresses
that meets the protocol type criteria will be transmitted over the radio link.
Traffic that does not meet the filtering criteria will not be transmitted over the radio link.
Source MAC Address
This parameter sets the filter to the Source MAC address of the packet in the format ‘hh:hh:hh:hh:hh:hh’.
If the Source MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, traffic will be accepted from any source MAC
address.
Destination MAC Address
This parameter sets the filter to the Destination MAC address of the packet in the format
‘hh:hh:hh:hh:hh:hh’.
If the Destination MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, traffic will be delivered to any destination
MAC address.
Protocol Type
This parameter sets the Ethernet Type accepted ARP, VLAN, IPv4, IPv6 or Any type.
Managing the Radio | 111
Aprisa SR User Manual
Rule
Source
MAC Address
Destination
MAC Address
Protocol Type
Allow ARPS
FF:FF:FF:FF:FF:FF
FF:FF:FF:FF:FF:FF
ARP
Allow Unicasts from Any source
FF:FF:FF:FF:FF:FF
FE:FF:FF:FF:FF:FF
Any
Example:
In the screen shot, the rules are configured in the base station which controls the radio link traffic from
base station to remote / repeater stations.
Traffic from a device with the MAC address 00:01:50:c2:01:00 is forwarded over the radio link if it meets
the criteria:
Rule 1 If the Ethernet Type is ARP going to any destination MAC address or
Rule 2 If the Ethernet Type is Any and the destination MAC address is 01:00:50:c2:01:02 or
Rule 3 If the Ethernet Type is VLAN tagged packets going to any destination MAC address
Special L2 Filtering Rules:
Unicast Only Traffic
This L2 filtering allows for Unicast only traffic and drop broadcast and multicast traffic. This filtering is
achieved by adding the two rules:
To delete a L2 Filter:
1. Click on an existing rule ‘Select’.
2. Click on Delete.
3. Click on OK.
ADD NEW FILTER
To add a L2 Filter:
1. Enter the Rule ID number. This is a unique rule number between 1 and 25.
2. Enter the Source MAC address of the packet or ‘FF:FF:FF:FF:FF:FF’ to accept traffic from any MAC
address.
3. Enter the Destination MAC address of the packet or ‘FF:FF:FF:FF:FF:FF’ to deliver traffic to any MAC
address.
4. Select the Protocol Type to ARP, VLAN, IPv4, IPv6 or Any type.
5. Click on Add.
112 | Managing the Radio
Aprisa SR User Manual
Networking
Networking > IP Summary
This page displays the current settings for the Networking IP Settings.
See ‘Networking > IP Setup’ for configuration options.
Managing the Radio | 113
Aprisa SR User Manual
Networking > IP Setup
This page provides the setup for the Networking IP Settings.
NETWORKING IP SETTINGS
IP Address
Set the static IP Address of the radio assigned by your site network administrator using the standard
format xxx.xxx.xxx.xxx. The default IP address is in the range 169.254.50.10.
Subnet Mask
Set the Subnet Mask of the radio using the standard format xxx.xxx.xxx.xxx. The default subnet mask is
255.255.0.0.
Gateway
Set the Gateway address of the radio, if required, using the standard format xxx.xxx.xxx. The default
Gateway is 0.0.0.0.
114 | Managing the Radio
Aprisa SR User Manual
Option
Function
Process
Processes the packet if it meets the filter criteria
Discard
Discards the packet if it meets the filter criteria
Networking > L3 Filtering
This page is only available if the Ethernet traffic option has been licensed (see ‘Maintenance > Licence’ on
page 140).
NETWORKING L3 FILTER SETTINGS
L3 Filtering provides the ability to evaluate traffic and take specific action based on the filter criteria.
This filtering can also be used for L4 TCP/UDP port filtering which in most cases relates to specific
applications as per IANA official and unofficial well-known ports.
Entering a * into any to field will automatically enter the wildcard values when the data is saved.
Priority
This parameter shows the priority order in which the filters are processed.
Action
This parameter defines the action taken on the packet when it meets the filter criteria.
Source IP Address
If the source IP address is set to 0.0.0.0, any source IP address will meet the filter criteria.
Managing the Radio | 115
Aprisa SR User Manual
Source Wildcard Mask
This parameter defines the mask applied to the Source IP Address. 0 means that it must be a match.
If the Source Wildcard Mask is set to 0.0.0.0, the complete Source IP Address will be evaluated for the
filter criteria.
If the Source Wildcard Mask is set to 0.0.255.255, the first 2 octets of the Source IP Address will be
evaluated for the filter criteria.
If the Source Wildcard Mask is set to 255.255.255.255, none of the Source IP Address will be evaluated for
the filter criteria.
Note: The Source Wildcard Mask operation is the inverse of subnet mask operation
Source Port Range
This parameter defines the port or port range for the source. To specify a range, insert a dash between
the ports e.g 1000-2000. If the Source Port Range is set to 1-65535, traffic from any source port will meet
the filter criteria.
Destination IP Address
This parameter defines the destination IP address of the filter. If the destination IP address is set to
0.0.0.0, any destination IP address will meet the filter criteria.
Destination Wildcard Mask
This parameter defines the mask applied to the Destination IP Address. 0 means that it must be a match.
If the Destination Wildcard Mask is set to 0.0.0.0, the complete Destination IP Address will be evaluated
for the filter criteria.
If the Destination Wildcard Mask is set to 0.0.255.255, the first 2 octets of the Destination IP Address will
be evaluated for the filter criteria.
If the Destination Wildcard Mask is set to 255.255.255.255, none of the Destination IP Address will be
evaluated for the filter criteria.
Note: The Destination Wildcard Mask operation is the inverse of subnet mask operation
Destination Port Range
This parameter defines the port or port range for the destination. To specify a range, insert a dash
between the ports e.g 1000-2000. If the destination port range is set to 1-65535, traffic to any destination
port will meet the filter criteria.
Protocol
This parameter defines the Ethernet packet type that will meet the filter criteria.
Controls
The Delete button deletes the selected entry.
The Move Up button moves the selected entry above the entry above it increasing it’s process priority.
The Move Down button moves the selected entry below the entry above it reducing it’s process priority.
116 | Managing the Radio
Aprisa SR User Manual
Security
Security > Summary
This page displays the current settings for the Security parameters.
See ‘Security > Setup’ and ‘Security > Manager’ for configuration options.
Managing the Radio | 117
Aprisa SR User Manual
Security Level
Disabled (No encryption and no Message Authentication Code)
AES Encryption + CCM Authentication 128 bit
AES Encryption + CCM Authentication 64 bit
AES Encryption + CCM Authentication 32 bit
AES Encryption only
CCM Authentication 128 bit
CCM Authentication 64 bit
CCM Authentication 32 bit
Security > Setup
PAYLOAD SECURITY PROFILE SETUP
Security Profile Name
This parameter enables the user to predefine a security profile with a specified name.
Security Scheme
This parameter sets the security scheme to one of the values in the following table:
The default setting is Disabled.
118 | Managing the Radio
Aprisa SR User Manual
Option
Function
Pass Phrase
Use the Pass Phrase password format for standard security.
Raw Hexidecimal
Use the Raw Hexidecimal password format for better
security. It must comply with the specified encryption key
size e.g. if Encryption Type to AES128, the encryption key
must be 16 bytes (32 chars)
Payload Encryption Key Type
This parameter sets the Payload Encryption Key Type:
The default setting is Pass Phrase.
Payload Encryption Key Size
This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.
The higher the encryption size the better the security.
Payload Encryption Key
This parameter sets the Payload Encryption password. This key is used to encrypt the payload.
Pass Phrase
Good password policy:
contains at least eight characters, and
contains at least one upper case letter, and
contains at least one lower case letter, and
contains at least one digit or another character such as !@#$%^&(){}[]<>... , and
is not a term in a familiar language or jargon, and
is not identical to or derived from the accompanying account name, from personal characteristics
or from information from one’s family/social circle, and
is easy to remember, for instance by means of a key sentence
Raw Hexidecimal
The Raw Hexidecimal password must comply with the specified encryption key size e.g. if Encryption Type
to AES128, the encryption key must be 16 bytes (32 chars).
Managing the Radio | 119
Aprisa SR User Manual
Option
Function
Pass Phrase
Use the Pass Phrase password format for standard security.
Raw Hexidecimal
Use the Raw Hexidecimal password format for better
security. It must comply with the specified encryption key
size
e.g. if Encryption Type to AES128, the encryption key must
be 16 bytes (32 chars)
KEY ENCRYPTION KEY SETUP
The Key Encryption Key provides the ability to encrypt the Payload Encryption Key so it can be safely
transmitted over the radio link to remote radios.
The Key Encryption Key Type, Key Encryption Key Size and Key Encryption Key must be the same on all
radios in the network.
Key Encryption Key Type
This parameter sets the Payload Encryption Key Type:
The default setting is Pass Phrase.
Key Encryption Key Size
This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.
The higher the encryption type the better the security.
Key Encryption Key
This parameter sets the Key Encryption password. This is used to encrypt the payload encryption key.
120 | Managing the Radio
Aprisa SR User Manual
Option
Function
Disabled
All SNMP functions are disabled.
All Versions
Allows all SNMP protocol versions.
SNMPv3 Only
Only SNMPv3 transactions will be accepted.
SNMPv3 With
Authentication Only
Only SNMPv3 transactions authenticated using HMAC-MD5 or
HMAC-SHA will be accepted.
User Name
Authentication
Type
Context Name
Authentication
Passphrase
noAuthUser
-
noAuth
noAuthUser
authUserMD5
MD5
auth
authUserMD5
authUserSHA
SHA
auth
authUserSHA
PROTOCOL SETUP
Telnet option
This parameter option determines if you can manage the radio via a Telnet session. The default setting is
disabled.
ICMP option (Internet Control Message Protocol)
This parameter option determines whether the radio will respond to a ping. The default setting is
disabled.
HTTPS option
This parameter option determines if you can manage the radio via a HTTPS session (via a Browser). The
default setting is enabled.
SNMP Proxy Support
This parameter option enables an SNMP proxy server in the base station. This proxy server reduces the
radio link traffic during SNMP communication to remote / repeater stations. This option applies to the
base station only. The default setting is disabled.
This option can also be used if the radio has Serial Only interfaces.
SNMP Protocol
This parameter sets the SNMP Protocol:
The default setting is All Versions.
The default SNMPv3 with Authentication User Details provided are:
Managing the Radio | 121
Aprisa SR User Manual
SNMPv3 Authentication Passphrase
The Authentication Passphrases can be changed via SNMP (not SuperVisor).
When viewing / managing the details of the users via SNMP, the standard SNMP-USER-BASED-SM-MIB
interface is used. This interface can be used to change the Authentication Passphrase of the users.
The Authentication Passphrase of the user required to be changed cannot be changed by the same user i.e
a different user must be used for the transactions.
To change a user authentication passphrase:
1. SET the usmUserStatus object for that user to ‘Not In Service’
2. GET the usmUserSpinLockobject
3. SET the usmUserSpinLockobject with the value that was just GOT in the previous step
4. SET the usmUserAuthKeyChange to the new Authentication key string
5. SET the usmUserPrivKeyChangeto the new Privacy key string
6. SET the usmUserStatus object for that user to ‘Active’
Note that the key string for steps 4 and 5 are 32 octet hexadecimal values. This string is generated based
on the ‘old passphrase’ and ‘new passphrase’ as specified in RFC2274.
The utility ‘encode_keychange.exe’, available from NET-SNMP open source applications, can be used to
generate this string.
An example command to generate a new Authentication key string for the default desUserMD5 is:
encode_keychange –t md5 –O “desUserMD5” –N “desUserMD5Auth” –E 0x0100DC
An example command to generate a new Privacy key string for the default desUserMD5 is:
encode_keychange –t md5 –O “desUserMD5” –N “desUserMD5Priv” –E 0x0100DC
These command executions will return a 32 Octet Hexadecimal string that can be used in steps 4 and 5
above.
122 | Managing the Radio
Aprisa SR User Manual
Security > Users
Note: You must login with ‘admin’ privileges to add, disable, delete a user or change a password.
USER DETAILS
Shows a list of the current users setup in the radio.
ADD NEW USER
To add a new user:
1. Enter the Username.
A username can be up to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs,
single or double quotes. Usernames are case sensitive.
2. Enter the Password.
A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs,
single or double quotes. Passwords are case sensitive.
Good password policy:
contains at least eight characters, and
contains at least one upper case letter, and
contains at least one lower case letter, and
contains at least one digit or another character such as !@#$%^&(){}[]<>... , and
is not a term in a familiar language or jargon, and
is not identical to or derived from the accompanying account name, from personal characteristics
or from information from one’s family/social circle, and
is easy to remember, for instance by means of a key sentence
Managing the Radio | 123
Aprisa SR User Manual
User
Privilege
Default
Username
Default
Password
User Privileges
View
view
view
Users in this group can only view the summary
pages.
Technician
technician
technician
Users in this group can view and edit parameters
except Security > Users, Security > Settings and
Advanced settings.
Engineer
engineer
engineer
Users in this group can view and edit parameters
except Security > Users.
Admin
admin
admin
Users in this group can view and edit all
parameters.
3. Select the User Privileges
There are four pre-defined User Privilege settings to allocate access rights to users. These user privileges
have associated default usernames and passwords of the same name.
The default login is ‘admin’.
This login has full access to all radio parameters including the ability to add and change users. There can
only be a maximum of two usernames with admin privileges and the last username with admin privileges
cannot be deleted.
See ‘SuperVisor Menu Access’ on page 76 for the list of SuperVisor menu items versus user privileges.
4. Click ‘Add’
To delete a user:
1. Select Terminal Settings > Security > Users
2. Click on the Select button for the user you wish to delete.
3. Click ‘Delete
To change a Password:
1. Select Terminal Settings > Security > Users
2. Click on the Select button for the user you wish to change the Password.
3. Enter the Password.
A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs,
single or double quotes.
124 | Managing the Radio
Aprisa SR User Manual
Security > SNMP
In addition to web-based management (SuperVisor), the network can also be managed using the Simple
Network Management Protocol (SNMP). MIB files are supplied, and these can be used by a dedicated SNMP
Manager, such as Castle Rock’s SNMPc, to access most of the radio’s configurable parameters.
For communication between the SNMP manager and the radio, Access Controls and Community strings
must be set up as described in the following sections.
A SNMP Community String is used to protect against unauthorized access (similar to a password). The
SNMP agent (radio or SNMP manager) will check the community string before performing the task
requested in the SNMP message.
ACCESS CONTROL SETUP
A SNMP Access Control is the IP address of the radio used by an SNMP manager or any other SNMP device
to access the radio. The Aprisa SR allows access to the radio from any IP address.
Read Only
The default Read Only community string is public.
Read Write
The default ReadWrite community string is private.
Managing the Radio | 125
Aprisa SR User Manual
SNMP Manager Setup
The SNMP manager community strings must be setup to access the base station and remote / repeater
stations.
To access the base station, a community string must be setup on the SNMP manager the same as the
community string setup on the radio (see ‘Security > SNMP’ on page 124).
SNMP access to remote / repeater stations can be achieved by using the radio’s IP address and the normal
community string or by proxy in the base station.
SNMP Access via Base Station Proxy
To access the remote / repeater stations via the base station proxy, the community strings must be setup
on the SNMP manager in the format:
ccccccccc:bbbbbb
Where:
ccccccccc is the community string of the base station
and
bbbbbb is the last 3 bytes of the remote station MAC address (see ‘Network Status > Network Table’
on page 167) for the remote station MAC address.
The SNMP Proxy Support must be enabled for this method of SNMP access to operate (see ‘SNMP Proxy
Support’ on page 120).
126 | Managing the Radio
Aprisa SR User Manual
Option
Function
Active
The security profile is active on the radio.
Inactive
The security profile is not active on the radio but could be
activated if required.
Security > Manager
CURRENT PAYLOAD SECURITY PROFILE
Profile Name
This parameter shows the predefined security profile active on the radio.
Status
This parameter displays the status of the predefined security profile on the radio (always active).
PREVIOUS PAYLOAD SECURITY PROFILE
Profile Name
This parameter displays the security profile that was active on the radio prior to the current profile being
activated.
Status
This parameter displays the status of the security profile that was active on the radio prior to the current
profile being activated.
Managing the Radio | 127
Aprisa SR User Manual
Option
Function
Unavailable
A predefined security profile is not available on this radio.
To create a predefined security profile, go to ‘Security > Setup’ on
page 117.
Available
A predefined security profile is available on this radio for
distribution and activation.
Activate
This parameter activates the previous security profile (restores to previous version).
PREDEFINED PAYLOAD SECURITY PROFILE
Profile Name
This parameter displays the new security profile that could be activated on the radio or distributed to all
remote radios with Security > Distribution.
Status
This parameter displays the status of the new security profile.
Loading...