160 | Managing the Radio
QoS
QoS > Summary
This page provides a summary of the QoS Settings.
See ‘QoS > Traffic Priority’ and ‘QoS > Traffic Classification’ for configuration options.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 161
QoS > Traffic Priority
TRAFFIC PRIORITY
Default Management Data Priority
The Default Management Data Priority controls the priority of the Ethernet management traffic relative to Ethernet customer traffic. It can be set to Very High, High, Medium and Low. The default setting is Medium.
This priority is also used for traffic if the remote serial port is not available for the radio hardware data port option e.g. if the base station is 2E2S and a remote radio is 4E0S.
SERIAL PRIORITY
This parameter controls the per port priority of the serial customer traffic relative to the Ethernet customer traffic. If equal priority is required to Ethernet traffic, this setting must be the same as the Ethernet Data Priority setting.
The serial data priority can be set to Very High, High, Medium and Low. The default setting is Low.
A queuing system is used to prioritize traffic from the serial and Ethernet interfaces for over the air transmission. A weighting may be given to each data type and this is used to schedule the next transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a higher weighting it will be transmitted first. The serial buffer is 20 serial packets (1 packet can be up to 512 bytes).
There are four priority queues in the Aprisa SR: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.
Aprisa SR+ User Manual 1.6.0 PO
162 | Managing the Radio
ETHERNET PRIORITY
This parameter controls the per port priority of the Ethernet customer traffic relative to the serial customer traffic. If equal priority is required to serial traffic, this setting must be the same as the Serial Data Priority setting.
The Ethernet Priority enables users to set the priority of Ethernet port ingress frames. The priority for each port can be:
1.From PCP priority bits (VLAN priority) in VLAN tagged frames or priority tag (VLAN 0) frames
2.From DSCP priority bits in an IP packet (DSCP in IPv4 TOS field)
3.All frames are set to ‘very high’ priority
4.All frames are set to ‘high’ priority
5.All frames are set to ‘medium’ priority
6.All frames are set to ‘low’ priority
The default setting is Low.
A queuing system is used to prioritize customer traffic from the serial and Ethernet interfaces for over the air transmission. A weighting may be given to each data type and this is used to schedule the next transmission over the air e.g. if there are pending data packets in multiple buffers but serial data has a higher weighting it will be transmitted first. The Ethernet buffer is 10 Ethernet packets (1 packet can be up to Ethernet MTU, 1536 bytes).
There are four priority queues in the Aprisa SR+: Very High, High, Medium and Low. Data is added to one of these queues depending on the priority setting. Data leaves the queues from highest priority to lowest: the Very High queue is emptied first, followed by High then Medium and finally Low.
Default Priority
When the priority of an Ethernet port uses the PCP bits (VLAN priority) values the ‘Default Priority’ option is enabled, allowing the priority of untagged VLAN frames to be set.
When the priority of an Ethernet port uses the DSCP priority (in IPv4 TOS field) values the ‘Default Priority’ option is enabled, allowing the priority of ARP frames to be set.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 163
PRIORITY DEFINITIONS
PCP (Priority Code Point)
These settings provide priority translation / mapping between the external radio LAN VLAN priority network and the radio internal VLAN priority network, using the VLAN tagged PCP (Priority Code Point) priority field in the Ethernet/VLAN frame.
The IEEE 802.1Q specification defines a standards-based mechanism for providing VLAN tagging and class of service (CoS) across Ethernet networks. This is accomplished through an additional VLAN tag, which carries VLAN tag ID and frame prioritization information (PCP field), inserted within the header of a Layer 2 Ethernet frame.
Priority Code Point (PCP) is a 3-bit field that indicates the frame priority level (or CoS). The operation of the PCP field is defined within the IEEE 802.1p standard, which is an extension of 802.1Q. The standard establishes eight levels of priority, referred to as CoS values, where CoS 7 (‘111’ in PCP filed) is the highest priority and CoS 0 (‘000’) is the lowest priority.
The radio in bridge mode used the PCP value in the VLAN tag to prioritize packets and provide the appropriate QoS treatment per traffic type. The radio implements 4 priority queuing techniques that base its QoS on the VLAN priority (PCP). Based on VLAN priority bits, traffic can be put into a particular Class of Service (CoS) queue. Packets with higher CoS will always serve first for OTA transfer and on ingress/egress Ethernet ports.
The ‘PCP priority definition’ tab is used to map ingress VLAN packet with PCP priority to the radio internal
CoS (priority). Since, in most of the cases the radio VLAN network is connected to the corporate VLAN networks, the network administrator might like to have a different VLAN priority scheme of the radio network CoS. For example, management traffic in the multi-gigabit corporate VLAN network might be prioritize with priority 7 (highest priority) and SCADA traffic with priority 5, but in the narrow bandwidth radio network, SCADA traffic will be map to radio very high CoS / priority (i.e. set PCP 5 = Very high) and management traffic might will be map to radio medium CoS / priority (i.e. set PCP 7 = medium) in order to serve first the mission-critical SCADA traffic over the radio network.
Aprisa SR+ User Manual 1.6.0 PO
164 | Managing the Radio
This is done by mapping the external radio network VLAN priority to the internal radio CoS / priority using the ‘PCP priority definition’ tab. The radio support 4 queues, thus at maximum an 8 -> 4 VLAN priority / CoS mapping is done.
Default mapping of ingress packet VLAN priority to radio CoS / priority shown in the ‘PCP priority definition’ tab.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 165
DSCP (Differentiated Services Code Point)
These settings provide translation / mapping between the external radio IP priority network and the radio internal IP priority network, using the DSCP (DiffServ Code Point) priority field in the IP packet header.
Differentiated Services (DiffServ) is a new model in which traffic is treated by routers with relative priorities based on the IPv4 type of services (ToS) field. DSCP (DiffServ Code Point) standard defined in RFC 2474 and RFC 2475. DiffServ increases the number of definable priority levels by reallocating bits of an IP packet for priority marking.
The DiffServ architecture defines the DiffServ (DS) field, which supersedes the ToS field in IPv4 to make per-hop behaviour (PHB) decisions about packet classification and traffic scheduling functions. The six most significant bits of the DiffServ field (in the IPv4 TOS field) is called as the DSCP. The standardized DiffServ field of the packet is marked with a value so that the packet receives a particular routing/forwarding treatment or PHB, at each router node. Using DSCP packet classification, traffic can be partition into multiple priority levels.
The radio in router mode uses the DSCP value in the IP header to select a PHB behaviour for the packet and provide the appropriate QoS treatment. The radio implements 4 priority queuing techniques that base its PHB on the DSCP in the IP header of a packet. Based on DSCP, traffic can be put into a particular priority / CoS (Class of Service) queue. Packets with higher CoS will always serve first for OTA transfer and on ingress / egress Ethernet ports.
The ‘DSCP priority definition’ tab is used to map ingress IP packet with DSCP priority to the radio internal priority / CoS. Since, in most of the cases the radio routed network is connected to the corporate routed networks, the network administrator might like to have a different routed network priority scheme of the radio network, for example management traffic in the multi-gigabit corporate routed network might be prioritize with DSCP EF (expedite forwarding) code (DSCP highest priority), and SCADA traffic with DSCP AF11 (assured forwarding) code (high priority), but in the narrow bandwidth radio network, SCADA traffic will be map to radio very high CoS / priority (i.e. set AF11 = Very high) and management traffic might map to radio low CoS / priority (i.e. set EF = Low) in order to serve first the mission-critical SCADA traffic over the radio network.
Aprisa SR+ User Manual 1.6.0 PO
166 | Managing the Radio
This is done by mapping the external radio network DSCP priority to the internal radio CoS / priority levels using the ‘DSCP priority definition’ tab. The radio support four queues, thus at maximum a 64 -> 4 CoS / priority mapping is done.
Default mapping of ingress packet DSCP priority to radio CoS shown in the ‘DSCP priority definition’ tab.
The radio maps all 64 DSCP values. The user can configure most common used 21 DSCP codes and the rest are mapped by default to low CoS / priority.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 167
QoS > Traffic Classification
These settings provide multiple traffic classification profiles based on classification rules. Profiles for a specific traffic type, protocol or application can be assigned to a particular VLAN and CoS / priority in bridge mode or to CoS / priority in router mode to provide the appropriate QoS treatment.
For example SCADA traffic, management traffic, FTP traffic, can each have its own profile build with a set of classification rules. A profile can be build using multiple classification rules based on ports, Ethernet, IP, TCP / UDP headers fields (i.e. L1/2/3/4 header fields) such as: Ethernet port #1, VLAN ID, VLAN priority, IP DSCP Priority, MAC/IP address, TCP / UDP port fields to identify and classify the specific traffic type. When an ingress packet matches the profile L2/3/4 header fields settings, the packet is assigned to a particular VLAN and CoS / priority in bridge mode or to CoS / priority in router mode to provide the appropriate QoS treatment.
The radio supports four CoS / priority queues: very high, high, medium and low. These queues are connected to a strict priority scheduler which dispatches packets from the queues out to the egress port by always serving first the ‘very high’ priority queue, whenever there is a packet in this queue. When the highest priority queue empties, the scheduler will serve the next high priority queues and so on. So when SCADA traffic is assigned to a ‘Very high’ priority, it will always served first and send over-the-air (OTA) whenever SCADA traffic enters to the radio, giving it the highest priority over other traffic type.
These settings are different for Bridge Mode and Router Mode.
Aprisa SR+ User Manual 1.6.0 PO
168 | Managing the Radio
Bridge Mode Traffic Classification Settings
TRAFFIC CLASSIFICATION
VLAN bridge mode traffic classification settings provide mapping / assigning of profiles (set by rules to match a specific traffic type) to a VLAN ID and VLAN CoS / priority. The profile which is used to match to a specific traffic type will be identified in the radio network by its associated VLAN ID and VLAN CoS / priority to provide the appropriate QoS treatment. CoS / Priority can be set to very high, high, medium, low priority.
Profile name
A free form field to enter the profile name with a maximum of 32 chars.
Assigned Priority
Traffic packets that match the applied profile rules will be assigned to the selected ‘assigned priority’ setting of Very High, High, Medium and Low. This field cannot be set to Don’t Care.
This applies profile rule mapping to the VLAN CoS / Priority with the appropriate internal radio assigned priority setting of Very High, High, Medium and Low.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 169
Assigned VLAN ID
Traffic packets that match the applied profile rules will be assigned to the selected ‘assigned VLAN ID’ setting of VLAN ID in the range of 0 to 4095.
A VLAN ID of an ingress packet matching the classification rule (see ‘VLAN ID’ rule in next page) shall be changed to the ‘assigned VLAN ID’ setting, if below conditions are met:
1.The VLAN ID of Ingress packet is same as PVID of the ingress port.
2.Packet is received untagged at the port
If the VLAN ID of the tagged ingress packet is not the same as the PVID of the ingress port, then it shall not be changed and the ‘assigned VLAN ID’ setting is ignored i.e. ingress VLANs will pass-through unchanged.
If ‘assigned VLAN ID’ value is set in the ‘port VLAN membership’ under Ethernet > VLAN (port x tab), then this VLAN will be available for ingress and egress on the Ethernet and RF ports, otherwise this VLAN will only be available in one direction on the egress RF port.
For example, if the base station Ethernet port 1 ‘assigned VLAN ID’ = 100 (VLAN-100) and it is also defined in the ‘port VLAN membership’ under Ethernet > VLAN (port 1 tab) and the remote sends a packet to the base with a VLAN of 100, this packet will be egress out to Ethernet port 1 (tagged or untagged based on the ‘egress action’ definition). If the VLAN-100 wasn’t set in the ‘port VLAN membership’, then the base station will drop a packet from the remote.
This setting parameter can be ‘Don’t Care’ (Assigned VLAN ID = 0) which means that the VLAN ID of ingress frame will never be modified.
Active
Activates or deactivates the profile rule.
Controls
The Save button saves all profiles to the radio.
The Cancel button removes all changes since the last save or first view of the page if there has not been any saves. This button will un-select all the Select radio buttons.
The Edit button will show the next screen for the selected profile where the profile can be configured. This button will be disabled unless a profile is selected.
The Add button adds a new profile,
If no profile was selected then the new profile is added to the end of the list,
If a profile is selected the new profile is added after that profile.
The Delete button will delete the selected profile. The button will be disabled unless a profile has been selected.
The Delete All button will delete all the profiles. A pop-up will ask if the action is correct. If the answer is yes, then all profiles are deleted in SuperVisor. The Save button must be pressed to delete all the profiles in the radio.
The Move up button will move the selected profile up one in the order of profiles
The Move Down button will move the selected profile down one in the order of profiles
The Previous button displays the previous page in the list of profiles. A pop up will be displayed if any profile has been modified and not saved, preventing the previous page being displayed.
The Next button will display the next page in the list of profiles.
Aprisa SR+ User Manual 1.6.0 PO
170 | Managing the Radio
To edit a traffic classification, select the profile and click on the Edit button
ETHERNET PORT CRITERIA
Ethernet Port
Set the layer 1 Ethernet port number or all Ethernet ports in the selected profile classification rule.
VLAN ID
Sets the layer 2 packet Ethernet header VLAD ID field in the selected profile classification rule. Valid values are between 0 and 4095. This VLAN ID should be enabled in the system for using this parameter during classification.
Enable this VLAN in the network by setting the same VLAN ID value in PVID (port VLAN ID) and in the PORT VLAN MEMBERSHIP under ‘VLAN PORT SETTINGS – Port 1’ on page 144. If the VLAN ID is set to zero, all VLAN IDs will meet the criteria.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 171
PRIORITY CRITERIA
Priority Type
Set the layer 2 Ethernet or layer 3 IP packet header priority type fields in the selected profile classification rules.
Priority Type |
Description |
|
|
None |
Do not use any layer 2 / 3 Ethernet or IP header |
|
priority fields in the selected profile classification |
|
rules. |
|
|
PCP |
Use the layer 2 Ethernet header priority field of |
|
PCP (Priority Code Point) VLAN priority bits (per |
|
IEEE 802.1p/q) in the selected profile |
|
classification rules. |
|
|
DSCP |
Use the layer 3 IP header TOS field used as DSCP |
|
(Differentiated Services Code Point per RFC 2474 |
|
and RFC 2475) priority bit in the selected profile |
|
classification rules. |
|
|
PCP / DSCP Range
As per the ‘priority type’ selection, this parameter sets the PCP priority value/s or DSCP priority value/s fields in the selected profile classification rule. The value can be set to a single priority or a single range (no multiple ranges are allowed), for example, the PCP selected priority value can be 7 or a range of priority values like 4-7.
The following table shows the layer 2 packet VLAN tag header PCP priority field values
PCP Value |
PCP Priority |
Priority Level |
(Decimal) |
|
|
|
|
|
7 |
Priority [7] |
Highest |
|
|
|
6 |
Priority [6] |
|
|
|
|
5 |
Priority [5] |
|
|
|
|
4 |
Priority [4] |
|
|
|
|
3 |
Priority [3] |
|
|
|
|
2 |
Priority [2] |
|
|
|
|
1 |
Priority [1] |
|
|
|
|
0 |
Priority [0] |
Lowest |
|
|
|
Aprisa SR+ User Manual 1.6.0 PO
172 | Managing the Radio
The following table shows the layer 3 packet IP header DSCP priority field values
DSCP Value |
DSCP Priority |
(Decimal) |
|
|
|
46 |
EF (Expedited Forwarding) |
|
|
10 |
AF11 (Assured Forwarding) |
|
|
12 |
AF12 |
|
|
14 |
AF13 |
|
|
18 |
AF21 |
|
|
20 |
AF22 |
|
|
22 |
AF23 |
|
|
26 |
AF31 |
|
|
28 |
AF32 |
|
|
30 |
AF33 |
|
|
34 |
AF41 |
|
|
36 |
AF42 |
|
|
38 |
AF43 |
|
|
0 |
CS0/Best Effort (BE) |
|
|
8 |
CS1 (Class Selector ) |
|
|
16 |
CS2 |
|
|
24 |
CS3 |
|
|
32 |
CS4 |
|
|
40 |
CS5 |
|
|
48 |
CS6 |
|
|
56 |
CS7 |
|
|
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 173
Click on More Options if more Layer 2/3/4 (Ethernet / IP / TCP or UDP) packet header fields are required for the selected profile classification rule. This page describes all the possible fields that can be used for the classification rules in bridge mode.
ETHERNET CRITERIA
Source MAC Address
This parameter sets the Layer 2 Ethernet packet header Source MAC Address field in the selected profile classification rule in the format of ‘hh:hh:hh:hh:hh:hh’.
Source MAC Wildcard Mask
This parameter sets the wildcard mask of the ‘Source MAC Address’. If the Source MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, all source MAC addresses will meet the criteria.
Destination MAC Address
This parameter sets the Layer 2 Ethernet packet header Destination MAC Address field in the selected profile classification rule in the format of ‘hh:hh:hh:hh:hh:hh’.
Destination MAC Wildcard Mask
This parameter sets the wildcard mask of the ‘Destination MAC Address’. If the Destination MAC Address is set to ‘FF:FF:FF:FF:FF:FF’, all destination MAC addresses will meet the criteria.
Aprisa SR+ User Manual 1.6.0 PO
174 | Managing the Radio
EtherType (Hex)
This parameter sets the Layer 2 Ethernet packet header EtherType field in the selected profile classification rule. EtherType is a 16 bit (two octets) field in an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet Frame.
EtherType Examples:
Protocol |
EtherType Value |
|
(Hexadecimal) |
|
|
IPv4 |
0800 |
|
|
ARP |
0806 |
|
|
IPv6 |
86DD |
|
|
VLAN |
8100 |
|
|
IP CRITERIA
Source IP Address
This parameter sets the Layer 3 IP packet header Source IP Address field in the selected profile classification rule. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
Source IP Wildcard Mask
This parameter sets the wildcard mask applied to the ‘Source IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
0 means that it must be a match. If the wildcard mask is set to 0.0.0.0, the complete Source IP Address will be evaluated for the classification rule.
If the wildcard mask is set to 0.0.255.255, the first 2 octets of the Source IP Address will be evaluated for the classification rule.
If the wildcard mask is set to 255.255.255.255, none of the Source IP Address will be evaluated for the classification rule.
Note: The wildcard mask operation is the inverse of subnet mask operation
Destination IP Address
This parameter sets the Layer 3 IP packet header Destination IP Address field in the selected profile classification rule. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
Destination IP Wildcard Mask
This parameter sets the wildcard mask applied to the ‘Destination IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
0 means that it must be a match. If the wildcard mask is set to 0.0.0.0, the complete Destination IP Address will be evaluated for the classification rule.
If the wildcard mask is set to 0.0.255.255, the first 2 octets of the Destination IP Address will be evaluated for the classification rule.
If the wildcard mask is set to 255.255.255.255, none of the Destination IP Address will be evaluated for the classification rule.
Note: The wildcard mask operation is the inverse of subnet mask operation
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 175
IP Protocol Number
This parameter sets the Layer 3 IP packet header ‘Protocol’ field in the selected profile classification rule. This field defines the protocol used in the data portion of the IP datagram.
Protocol number Examples:
Protocol |
Protocol value |
|
(decimal) |
|
|
ICMP |
1 |
|
|
TCP |
6 |
|
|
UDP |
17 |
|
|
TCP / UDP PORT CRITERIA
Source Range
This parameter sets the Layer 4 TCP / UDP packet header Source Port or Source Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 1000-2000. If the source port range is set to 1-65535, traffic from any source port will meet the criteria.
Destination Range
This parameter sets the Layer 4 TCP / UDP packet header Destination Port or Destination Port range field in the selected profile classification rules. To specify a range, insert a dash between the ports e.g. 10002000. If the source port range is set to 1-65535, traffic from any source port will meet the criteria.
Examples for TCP / UDP Port Numbers:
Protocol |
TCP / UDP Port # |
|
(decimal) |
|
|
Modbus |
502 |
|
|
IEC 60870-5-104 |
2,404 |
|
|
DNP 3 |
20,000 |
|
|
SNMP |
161 |
|
|
SNMP TRAP |
162 |
|
|
Aprisa SR+ User Manual 1.6.0 PO
176 | Managing the Radio
Router Mode Traffic Classification Settings
TRAFFIC CLASSIFICATION
Router Mode traffic classification settings provide mapping / assigning of profiles (set by rules to match a specific traffic type) to a CoS / priority. The profile which is used to match to a specific traffic type will be identified in the radio network by its associated CoS / priority to provide the appropriate QoS treatment. CoS / Priority can be set to very high, high, medium, low priority.
Profile name
A free form field to enter the profile name with a maximum of 32 chars.
Assigned Priority
Traffic packets that match the applied profile rules will be assigned to the selected ‘assigned priority’ setting of Very High, High, Medium and Low. This field cannot be set to Don’t Care.
Active
Activated or deactivate the profile rule.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 177
Controls
The Save button saves all profiles to the radio.
The Cancel button removes all changes since the last save or first view of the page if there has not been any saves. This button will un-select all the Select radio buttons.
The Edit button will show the next screen for the selected profile where the profile can be configured. This button will be disabled unless a profile is selected.
The Add button adds a new profile,
If no profile was selected then the new profile is added to the end of the list,
If a profile is selected the new profile is added after that profile.
The Delete button will delete the selected profile. The button will be disabled unless a profile has been selected.
The Delete All button will delete all the profiles. A pop-up will ask if the action is correct. If the answer is yes, then all profiles are deleted in SuperVisor. The Save button must be pressed to delete all the profiles in the radio.
The Move up button will move the selected profile up one in the order of profiles
The Move Down button will move the selected profile down one in the order of profiles
The Previous button displays the previous page in the list of profiles. A pop up will be displayed if any profile has been modified and not saved, preventing the previous page being displayed.
The Next button will display the next page in the list of profiles.
Aprisa SR+ User Manual 1.6.0 PO
178 | Managing the Radio
To edit a traffic classification, select the profile and click on the Edit button
ETHERNET PORT CRITERIA
Ethernet Port
Set the layer 1 Ethernet port number or all Ethernet ports in the selected profile classification rules.
PRIORITY CRITERIA
DSCP Range
Sets the DSCP priority value/s field in the selected profile classification rule. The value can be set to a single priority or a single range (no multiple range are allowed), for example, priority value can be 46 (EF) or a range of priority values like 10-14.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 179
The following table shows the layer 3 packet IP header DSCP priority field values
DSCP Value |
DSCP Priority |
(Decimal) |
|
|
|
46 |
EF (Expedited Forwarding) |
|
|
10 |
AF11 (Assured Forwarding) |
|
|
12 |
AF12 |
|
|
14 |
AF13 |
|
|
18 |
AF21 |
|
|
20 |
AF22 |
|
|
22 |
AF23 |
|
|
26 |
AF31 |
|
|
28 |
AF32 |
|
|
30 |
AF33 |
|
|
34 |
AF41 |
|
|
36 |
AF42 |
|
|
38 |
AF43 |
|
|
0 |
CS0/Best Effort (BE) |
|
|
8 |
CS1 (Class Selector ) |
|
|
16 |
CS2 |
|
|
24 |
CS3 |
|
|
32 |
CS4 |
|
|
40 |
CS5 |
|
|
48 |
CS6 |
|
|
56 |
CS7 |
|
|
Aprisa SR+ User Manual 1.6.0 PO
180 | Managing the Radio
Click on More Options if more Layer 3/4 packet header fields are required for the selected profile classification rule. This page describes all the possible fields that can be used for the classification rules in router mode.
IP CRITERIA
Source IP Address
This parameter sets the Layer 3 packet IP header Source IP Address field in the selected profile classification rules. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
Source IP Wildcard Mask
This parameter sets the wildcard mask applied to the ‘Source IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
0 means that it must be a match. If the wildcard mask is set to 0.0.0.0, the complete Source IP Address will be evaluated for the classification rules.
If the wildcard mask is set to 0.0.255.255, the first 2 octets of the Source IP Address will be evaluated for the classification rules.
If the wildcard mask is set to 255.255.255.255, none of the Source IP Address will be evaluated for the classification rules.
Note: The wildcard mask operation is the inverse of subnet mask operation
Destination IP Address
This parameter sets the Layer 3 packet IP header Destination IP Address field in the selected profile classification rules. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 181
Destination IP Wildcard Mask
This parameter sets the wildcard mask applied to the ‘Destination IP Address’. This parameter is written in the standard IPv4 format of ‘xxx.xxx.xxx.xxx’.
0 means that it must be a match. If the wildcard mask is set to 0.0.0.0, the complete Destination IP Address will be evaluated for the classification rules.
If the wildcard mask is set to 0.0.255.255, the first 2 octets of the Destination IP Address will be evaluated for the classification rules.
If the wildcard mask is set to 255.255.255.255, none of the Destination IP Address will be evaluated for the classification rules.
Note: The wildcard mask operation is the inverse of subnet mask operation
Protocol Number
This parameter sets the Layer 3 IP packet header ‘Protocol’ field in the selected profile classification rule.
This field defines the protocol used in the data portion of the IP datagram. Protocol number Examples:
Protocol |
Protocol value |
|
(decimal) |
|
|
ICMP |
1 |
|
|
TCP |
6 |
|
|
UDP |
17 |
|
|
TCP / UDP Port Criteria
Source Range
This parameter sets the Layer 4 TCP / UDP packet header Source Port or Source Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 1000-2000. If the source port range is set to 1-65535, traffic from any source port will meet the criteria.
Destination Range
This parameter sets the Layer 4 TCP / UDP packet header Destination Port or Destination Port range field in the selected profile classification rule. To specify a range, insert a dash between the ports e.g. 10002000. If the source port range is set to 1-65535, traffic from any source port will meet the criteria.
Examples for TCP / UDP Port Numbers:
Protocol |
TCP / UDP Port # |
|
(decimal) |
|
|
Modbus |
502 |
|
|
IEC 60870-5-104 |
2,404 |
|
|
DNP 3 |
20,000 |
|
|
SNMP |
161 |
|
|
SNMP TRAP |
162 |
|
|
Aprisa SR+ User Manual 1.6.0 PO
182 | Managing the Radio
Security
Security > Summary
This page displays the current settings for the Security parameters.
See ‘Security > Setup’ and ‘Security > Manager’ for configuration options.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 183
Security > Setup
PAYLOAD SECURITY PROFILE SETTINGS
Security Profile Name
This parameter enables the user to predefine a security profile with a specified name.
Security Scheme
This parameter sets the security scheme to one of the values in the following table:
Security Scheme
Disabled (No encryption and no Message Authentication Code)
AES Encryption + CCM Authentication 128 bit
AES Encryption + CCM Authentication 64 bit
AES Encryption + CCM Authentication 32 bit
AES Encryption only
CCM Authentication 128 bit
CCM Authentication 64 bit
CCM Authentication 32 bit
The default setting is Disabled.
Aprisa SR+ User Manual 1.6.0 PO
184 | Managing the Radio
Payload Encryption Key Type
This parameter sets the Payload Encryption Key Type:
|
Option |
Function |
|
|
|
|
Pass Phrase |
Use the Pass Phrase password format for standard security. |
|
|
|
|
Raw Hexadecimal |
Use the Raw Hexadecimal key format for better security. It |
|
|
must comply with the specified encryption key size e.g. if |
|
|
Encryption Type to AES128, the encryption key must be 16 |
|
|
bytes (32 chars) |
|
|
|
The default setting is Pass Phrase. |
|
Payload Encryption Key Size
This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.
The higher the encryption size the better the security.
Payload Encryption Key
This parameter sets the Payload Encryption password. This key is used to encrypt the payload.
Pass Phrase
Good password policy:
contains at least eight characters, and
contains at least one upper case letter, and
contains at least one lower case letter, and
contains at least one digit or another character such as @+... , and
is not a term in a familiar language or jargon, and
is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and
is easy to remember, for instance by means of a key sentence
Raw Hexadecimal
The Raw Hexadecimal key must comply with the specified encryption key size e.g. if Encryption Type to AES128, the encryption key must be 16 bytes (32 chars).
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 185
KEY ENCRYPTION KEY SETTINGS
The Key Encryption Key provides the ability to encrypt the Payload Encryption Key so it can be safely transmitted over the radio link to remote radios.
The Key Encryption Key Type, Key Encryption Key Size and Key Encryption Key must be the same on all radios in the network.
Key Encryption Key Type
This parameter sets the Payload Encryption Key Type:
|
Option |
Function |
|
|
|
|
Pass Phrase |
Use the Pass Phrase password format for standard security. |
|
|
|
|
Raw Hexadecimal |
Use the Raw Hexadecimal key format for better security. It |
|
|
must comply with the specified encryption key size |
|
|
e.g. if Encryption Type to AES128, the encryption key must |
|
|
be 16 bytes (32 chars) |
|
|
|
The default setting is Pass Phrase. |
|
Key Encryption Key Size
This parameter sets the Encryption Type to AES128, AES192 or AES256. The default setting is AES128.
The higher the encryption type the better the security.
Key Encryption Key
This parameter sets the Key Encryption Key. This is used to encrypt the payload encryption key.
USB Transaction Status
This parameter shows if a USB flash drive is plugged into the radio host port .
Option |
Function |
|
|
USB Storage Not Detected |
A USB flash drive is not plugged into the radio host port. |
|
|
USB Storage Detected |
A USB flash drive is plugged into the radio host port. |
|
|
Note: Some brands of USB flash drives may not work with 4RF radios.
Controls
The ‘Save’ button saves the Key Encryption Key settings to the radio. If the Security Level is set to Strong
(see ‘Security Level’ on page 191), this button will be grayed out.
The ‘Load From USB’ button loads the Key Encryption Key settings from the USB flash drive. If a USB flash drive is not detected, this button will be grayed out
The ‘Copy To USB’ button copies the Key Encryption Key settings to a file called ‘asrkek.txt’ on the USB flash drive. This settings file can be used to load into other radios. If a USB flash drive is not detected or the Security Level is set to Strong (see ‘Security Level’ on page 191), this button will not be shown.
Aprisa SR+ User Manual 1.6.0 PO
186 | Managing the Radio
Key Encryption Key Summary
The security of over-the-air-rekeying depends on a truly random Key Encryption Key. This is why the use of a Raw Hexadecimal key is recommended as a plain text phrase based on known spelling and grammar constructs is not very random. The default Key Encryption Key is provided only to allow testing of the security mechanism and is not intended for operational use. Using the default Key Encryption Key undermines the security of the AES payload encryption because an attacker using the default Key Encryption Key would immediately recover the AES payload key after the first over-the-air-rekeying event.
When the Security Level is set to Strong, various protections are applied to the Key Encryption Key setting to prevent tampering. In addition, the Key Encryption Key Type, Key Encryption Key Size, and the Key Encryption Key itself are all loaded from a customer prepared USB key. This is a one way operation to prevent key recovery from radios. While the ability to save a Key Encryption Key to USB exists in Standard Security Level, the Strong Security Level Key Encryption Key is not compromised because the Strong Key Encryption Key is not the same as the Standard Security Level Key Encryption Key.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 187
PROTOCOL SECURITY SETTINGS
Telnet option
This parameter option determines if you can manage the radio via a Telnet session. The default setting is disabled.
ICMP option (Internet Control Message Protocol)
This parameter option determines whether the radio will respond to a ping. The default setting is disabled.
HTTPS option
This parameter option determines if you can manage the radio via a HTTPS session (via a Browser). The default setting is enabled.
SNMP Proxy Support
This parameter option enables an SNMP proxy server in the base station. This proxy server reduces the radio link traffic during SNMP communication to remote / repeater stations. This option applies to the base station only. The default setting is disabled.
This option can also be used if the radio has Serial Only interfaces.
SNMP Protocol
This parameter sets the SNMP Protocol:
|
Option |
Function |
|
|
|
|
Disabled |
All SNMP functions are disabled. |
|
|
|
|
All Versions |
Allows all SNMP protocol versions. |
|
|
|
|
SNMPv3 Only |
Only SNMPv3 transactions will be accepted. |
|
|
|
|
SNMPv3 With |
Only SNMPv3 transactions authenticated using HMAC-MD5 or |
|
Authentication Only |
HMAC-SHA will be accepted (as per table below). |
|
|
|
|
SNMPv3 With Encryption |
Only SNMPv3 transactions with an encrypted type of DES or |
|
Only |
AES will be accepted (as per table below). |
|
|
|
The default setting is All Versions. |
|
The default SNMPv3 with Authentication User Details provided are:
User Name |
Encryption |
Authentication |
Context |
Authentication |
Encryption |
|
Type |
Type |
Name |
Passphrase |
Passphrase |
|
|
|
|
|
|
noAuthUser |
- |
- |
noAuth |
noAuthUser |
noAuthUser |
|
|
|
|
|
|
desUserMD5 |
DES |
MD5 |
priv |
desUserMD5 |
desUserMD5 |
|
|
|
|
|
|
desUserSHA |
DES |
SHA |
priv |
desUserSHA |
desUserSHA |
|
|
|
|
|
|
authUserMD5 |
- |
MD5 |
auth |
authUserMD5 |
authUserMD5 |
|
|
|
|
|
|
authUserSHA |
- |
SHA |
auth |
authUserSHA |
authUserSHA |
|
|
|
|
|
|
privUserMD5 |
AES |
MD5 |
priv |
privUserMD5 |
privUserMD5 |
|
|
|
|
|
|
privUserSHA |
AES |
SHA |
priv |
privUserSHA |
privUserSHA |
|
|
|
|
|
|
Aprisa SR+ User Manual 1.6.0 PO
188 | Managing the Radio
SNMPv3 Authentication Passphrase
The SNMPv3 Authentication Passphrase can be changed via the SNMPv3 secure management protocol interface (not via SuperVisor).
When viewing / managing the details of the users via SNMPv3, the standard SNMP-USER-BASED-SM-MIB interface is used. This interface can be used to change the SNMPv3 Authentication Passphrase of the users.
The SNMPv3 Authentication Passphrase of a user required to be changed cannot be changed by the same user i.e. a different user must be used for the transactions.
Generate New Keys from SNMPv3 USM User Passphrases
Net-SNMP is a suite of open source software for using and deploying the SNMP protocol. Similar functionality is built into many commercial SNMP managers.
This next step of loading the Aprisa SR+ radios with keys generated from USM user passphrases requires the SNMPv3 USM Management utility provided as part of NET-SNMP.
The utility is called ‘snmpusm’. It provides a range of commands including the management of changing passwords for SNMPv3 users. In order to use this utility, the user will need to install NET-SNMP on a Linux (or Windows®) or machine. The examples below are from the Linux environment. This tool automatically obtains the engine ID from the target radio before generating the keys and loading them into the target.
To change a user authentication passphrase:
The following are examples of:
Changing the privUserSHA user encryption key / password from privUserSHA to privUserSHANew:
c:\usr\bin>snmpusm -v 3 -u privUserSHA -n priv -l authPriv -a SHA -A privUserSHA -x AES -X privUserSHA -Cx 172.17.70.17 passwd privUserSHA privUserSHANew
Changing the privUserSHA user authentication key / password from privUserSHA to privUserSHANew:
c:\usr\bin>snmpusm -v 3 -u privUserSHA -n priv -l authPriv -a SHA -A privUserSHA -x AES -X privUserSHANew -Ca 172.17.70.17 passwd privUserSHA privUserSHANew
Changing the desUserSHA user encryption key / password from desUserSHA to desUserSHANew:
c:\usr\bin>snmpusm -v 3 -u desUserSHA -n priv -l authPriv -a SHA -A desUserSHA -x DES -X desUserSHA -Cx 172.17.70.17 passwd desUserSHA desUserSHANew
Changing the desUserSHA user authentication key / password from desUserSHA to desUserSHANew:
c:\usr\bin>snmpusm -v 3 -u desUserSHA -n priv -l authPriv -a SHA -A desUserSHA -x DES -X desUserSHANew -Ca 172.17.70.17 passwd desUserSHA desUserSHANew
Changing the privUserMD5 user encryption key / password from privUserMD5 to privUserMD5New:
c:\usr\bin>snmpusm -v 3 -u privUserMD5 -n priv -l authPriv -a MD5 -A privUserMD5 -x AES -X privUserMD5 -Cx 172.17.70.17 passwd privUserMD5 privUserMD5New
Changing the privUserMD5 user authentication key / password from privUserMD5 to privUserMD5New:
c:\usr\bin>snmpusm -v 3 -u privUserMD5 -n priv -l authPriv -a MD5 -A privUserMD5 -x AES -X privUserMD5New -Ca 172.17.70.17 passwd privUserMD5 privUserMD5New
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 189
Changing the desUserMD5 user encryption key / password from desUserMD5 to desUserMD5New:
c:\usr\bin>snmpusm -v 3 -u desUserMD5 -n priv -l authPriv -a MD5 -A desUserMD5 -x DES -X desUserMD5 -Cx 172.17.70.17 passwd desUserMD5 desUserMD5New
Changing the desUserMD5 user authentication key / password from desUserMD5 to desUserMD5New:
c:\usr\bin>snmpusm -v 3 -u desUserMD5 -n priv -l authPriv -a MD5 -A desUserMD5 -x DES -X desUserMD5New -Ca 172.17.70.17 passwd desUserMD5 desUserMD5New
Changing the authUserSHA user authentication key / password from authUserSHA to authUserSHANew:
c:\usr\bin>snmpusm -v 3 -u authUserSHA -n auth -l authNoPriv -a SHA -A authUserSHA -Ca 172.17.70.17 passwd authUserSHA authUserSHANew
Changing the authUserMD5 user authentication key / password from authUserMD5 to authUserMD5New:
c:\usr\bin>snmpusm -v 3 -u authUserMD5 -n auth -l authNoPriv -a MD5 -A authUserMD5 -Ca 172.17.70.17 passwd authUserMD5 authUserMD5New
Notes
-Cx option is to change the Encryption key/password
-Ca option is to change the Authentication key/password
Other information on this utility can be obtained from the utility command help itself or online
Summary
It is necessary to record the new passphrases loaded into the Aprisa SR+ radios and then load the passphrases into the SNMP manager. There is a separate passphrase for the two supported forms of authentication (MD5 and SHA1) only as well as the two forms of authentication used in combination the two forms of encryption (DES and AES). It is vital to change all passphrases even if the depreciated mechanism are not used (MD5 and DES) otherwise an attacker could still use the default passphrases.
Aprisa SR+ User Manual 1.6.0 PO
190 | Managing the Radio
Reset Unknown Passphrases with the Command Line Interface
As it is not possible for users to read previously set passphrases, a CLI command is available from Aprisa SR+ software release 1.4.0 to ‘reset’ the SNMPv3 USM users back to defaults.
Note: USM users are not related to CLI and SuperVisor users. This command will only be accessible to the CLI ‘admin’ user logins.
To reset unknown passphrases:
1. Telnet into each radio in the network and via the CLI reset the passphrases
2.Login to the radio with: Login: admin Password: *********
3.Set all SNMP3 users to default values with the ‘snmpusm reset’ command (see ‘SNMP3 users to default values’ below for the list of default values).
4.Reboot the radio with the ‘reboot’ command.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 191
SECURITY LEVEL SETTINGS
Security Level
This parameter sets the Security Level active security features. The default setting is Standard.
Option |
Payload |
HTTPS |
SNMPv3 |
USB KEK Only |
|
Encryption |
|
|
|
|
|
|
|
|
Standard |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Strong |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If the Security Level is reduced, there will be a pop up message warning that Key Encryption Key will be reset to the default value.
If the Security Level is increased, there will be a pop up message reminding user to enter a new Key Encryption Key.
If the Security Level is set to Strong, the ‘Save’ button will be grayed out and the ‘Copy To USB’ button will not be shown.
SNMPv3 Context Addressing
SNMPv3 is not user configurable and user can use this option with any NMS. The radio SNMP management interface supports SNMPv3/2 context addressing. The SNMv3 context addressing allows the user to use secure SNMPv3 management while improving NMS performance.
A NMS (Network Management System) can access any remote radio directly by using its IP address or via the base / master station SNMPv3 context addressing. The SNMPv3 context addressing can compress the SNMPv3 management traffic OTA (Over The Air) to the remote station by up to 90% relative to direct OTA SNMPv3 access to remote station, avoiding the radio narrow bandwidth traffic loading.
Aprisa SR+ User Manual 1.6.0 PO
192 | Managing the Radio
Security > Users
Note: You must login with ‘admin’ privileges to add, disable, delete a user or change a password.
USER DETAILS
Shows a list of the current users setup in the radio.
ADD NEW USER
To add a new user:
1. Enter the Username.
A username can be up to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes. Usernames are case sensitive.
2. Enter the Password.
A password can be 8 to 32 printable characters but cannot contain a tab. Passwords are case sensitive.
Good password policy:
contains at least eight characters, and
contains at least one upper case letter, and
contains at least one lower case letter, and
contains at least one digit or another character such as !@#$%^&(){}[]<>... , and
is not a term in a familiar language or jargon, and
is not identical to or derived from the accompanying account name, from personal characteristics or from information from one’s family/social circle, and
is easy to remember, for instance by means of a key sentence
3.Select the User Privileges
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 193
There are four pre-defined User Privilege settings to allocate access rights to users. These user privileges have associated default usernames and passwords of the same name.
The default login is ‘admin’.
This login has full access to all radio parameters including the ability to add and change users. There can only be a maximum of two usernames with admin privileges and the last username with admin privileges cannot be deleted.
User |
Default |
Default |
User Privileges |
Privilege |
Username |
Password |
|
|
|
|
|
View |
|
|
Users in this group can only view the summary |
|
|
|
pages. |
|
|
|
|
Technician |
|
|
Users in this group can view and edit parameters |
|
|
|
except Security > Users and Security > Setup. |
|
|
|
|
Engineer |
|
|
Users in this group can view and edit parameters |
|
|
|
except Security > Users. |
|
|
|
|
Admin |
admin |
admin |
Users in this group can view and edit all |
|
|
|
parameters. |
|
|
|
|
See ‘SuperVisor Menu Access’ on page 80 for the list of SuperVisor menu items versus user privileges.
4. Click ‘Add’
To delete a user:
1.Select Terminal Settings > Security > Users
2.Click on the Select button for the user you wish to delete.
3.Click ‘Delete
To change a Password:
1.Select Terminal Settings > Security > Users
2.Click on the Select button for the user you wish to change the Password.
3.Enter the Password.
A password can be 8 to 32 characters but cannot contain back slashes, forward slashes, spaces, tabs, single or double quotes.
Aprisa SR+ User Manual 1.6.0 PO
194 | Managing the Radio
Security > SNMP
In addition to web-based management (SuperVisor), the network can also be managed using the Simple Network Management Protocol (SNMP) using any version of SNMP v1/2/3. MIB files are supplied, and these can be used by a dedicated SNMP Manager, such as Castle Rock’s SNMPc, to access most of the radio’s configurable parameters.
For communication between the SNMP manager and the radio, Access Controls and Community strings must be set up as described in the following sections.
A SNMP Community String is used to protect against unauthorized access (similar to a password). The SNMP agent (radio or SNMP manager) will check the community string before performing the task requested in the SNMP message.
ACCESS CONTROL SETUP
A SNMP Access Control is the IP address of the radio used by an SNMP manager or any other SNMP device to access the radio. The Aprisa SR+ allows access to the radio from any IP address.
Read Only
The default Read Only community string is public.
Read Write
The default ReadWrite community string is private.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 195
SNMP Manager Setup
The SNMP manager community strings must be setup to access the base station and remote / repeater stations.
To access the base station, a community string must be setup on the SNMP manager the same as the community string setup on the radio (see ‘Security > SNMP’ on page 194).
SNMP access to remote / repeater stations can be achieved by using the radio’s IP address and the normal community string or by proxy in the base station.
SNMP Access via Base Station Proxy
To access the remote / repeater stations via the base station proxy, the community strings must be setup on the SNMP manager in the format:
ccccccccc:bbbbbb
Where:
ccccccccc is the community string of the base station
and
bbbbbb is the last 3 bytes of the remote station MAC address (see ‘Network Status > Network Table’ on page 271).
The SNMP Proxy Support must be enabled for this method of SNMP access to operate (see ‘SNMP Proxy Support’ on page 187).
Aprisa SR+ User Manual 1.6.0 PO
196 | Managing the Radio
Security > RADIUS
This page displays the current settings for the Security RADIUS.
RADIUS - Remote Authentication Dial In User Service
RADIUS is a client / server system that secures the radio link against unauthorized access. It is based on open standard RFCs: RFC 2865/6, 5607, 5080 and 2869. It is used for remote user Authorization, Authentication and Accounting.
When a user logs into a radio with RADIUS enabled, the user’s credentials are sent to the RADIUS server for authentication of the user.
Transactions between the RADIUS client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network.
For a RADIUS server to respond to the radio, it must configured with and respond to the following
Management-Privilege-level attributes:
Admin Level = 4
Technician Level = 2
Viewer Level = 1
A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 197
RADIUS AUTHENTICATION SETTINGS
Authentication Mode
This parameter sets the Authentication Mode.
Option |
Function |
|
|
Local Authentication |
No radius Authentication – allows any local user privilege |
|
|
Radius Authentication |
Only radius Authentication – no local user privilege |
|
|
Radius Authentication |
Uses radius Authentication if it is available. |
and Local admin |
If radius Authentication is not available, uses local Admin login |
|
|
|
|
Radius Then Local |
If the user is not authenticated in the radius server, it allows any |
Authentication |
local user privilege. |
|
|
Local Then Radius |
If the user is not allowed in the local user privilege, radius |
Authentication |
authentication is used. |
|
|
Primary Server
This parameter sets which radius server is used as the primary server for authentication. Select one of the possible authentication servers setup in Radius Server Settings.
Secondary Server
This parameter sets which radius server is used as the secondary server for authentication. Select one of the possible authentication servers setup in Radius Server Settings.
RADIUS ACCOUNTING SETTINGS
Primary Server
This parameter sets which radius server is used as the primary server for accounting (log of user activity). Select one of the possible accounting servers setup in Radius Server Settings.
Secondary Server
This parameter sets which radius server is used as the secondary server for accounting. Select one of the possible accounting servers setup in Radius Server Settings.
RADIUS ADVANCED SETTINGS
Initial Transaction Timeouts (IRT) (seconds)
This parameter sets the initial time to wait before the retry mechanism starts when the server is not responding.
Default Transaction Timeouts (MRT) (seconds)
This parameter sets the maximum time between retries.
Maximum Retries (MRC)
This parameter sets the maximum number of retry attempts when the server is not responding.
Aprisa SR+ User Manual 1.6.0 PO
198 | Managing the Radio
Maximum Retries Duration (MRD) (seconds)
This parameter sets the maximum duration it will attempt retries when the server is not responding.
Unknown Transaction Attributes
This parameter sets the radio’s response to unknown attributes received from the radius server.
Option |
Function |
|
|
Ignore and Authenticate |
Ignore the unknown attributes and accept the authentication |
|
received from the radius server |
|
|
Reject and Deny |
Reject the authentication received from the radius server |
|
|
RADIUS SERVER SETTINGS
Server Name
You can enter up to four radius servers 1-4.
IP Address
The IP address of the Radius server.
Port Number
The Port Number of the Radius server. RADIUS uses UDP as the transport protocol.
UDP port 1812 is used for authentication / authorization
UDP port 1813 is used for accounting.
Old RADIUS servers may use unofficial UDP ports 1645 and 1646.
Encryption Key
The password of the Radius server.
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 199
Security > Manager
CURRENT PAYLOAD SECURITY PROFILE
Profile Name
This parameter shows the predefined security profile active on the radio.
Status
This parameter displays the status of the predefined security profile on the radio (always active).
PREVIOUS PAYLOAD SECURITY PROFILE
Profile Name
This parameter displays the security profile that was active on the radio prior to the current profile being activated.
Status
This parameter displays the status of the security profile that was active on the radio prior to the current profile being activated.
Option |
Function |
|
|
Active |
The security profile is active on the radio. |
|
|
Inactive |
The security profile is not active on the radio but could be |
|
activated if required. |
|
|
Aprisa SR+ User Manual 1.6.0 PO
200 | Managing the Radio
Activate
This parameter activates the previous security profile (restores to previous version).
PREDEFINED PAYLOAD SECURITY PROFILE
Profile Name
This parameter displays the new security profile that could be activated on the radio or distributed to all remote radios with Security > Distribution.
Status
This parameter displays the status of the new security profile.
Option |
Function |
|
|
Unavailable |
A predefined security profile is not available on this radio. |
|
To create a predefined security profile, go to ‘Security > Setup’ on |
|
page 183. |
|
|
Available |
A predefined security profile is available on this radio for |
|
distribution and activation. |
|
|
Aprisa SR+ User Manual 1.6.0 PO
Managing the Radio | 201
Security > Distribution
REMOTE PAYLOAD SECURITY PROFILE DISTRIBUTION
Predefined Profile Name
This parameter displays the predefined security profile available for distribution to remote stations.
Status
This parameter shows if a predefined security profile is available for distribution to remote stations.
Option |
Function |
|
|
Unavailable |
A predefined payload security profile is not available on this radio. |
|
|
Available |
A predefined payload security profile is available on this radio for |
|
distribution and activation. |
|
|
Start Transfer
This parameter when activated distributes (broadcasts) the new payload security profile to all remote stations in the network.
Note: The distribution of the payload security profile to remote stations does not stop customer traffic from being transferred.
Payload security profile distribution traffic is classified as ‘management traffic’ but does not use the Ethernet management priority setting. Security profile distribution traffic priority has a fixed priority setting of ‘very low’.
Aprisa SR+ User Manual 1.6.0 PO