Where can I find more information about controlling router functions?

Select the Administration submenu item in order to control any of the following functions:

Router Security

Advanced Security Mode – When the router is configured to use the advanced security mode, several aspects of the router’s configuration and networking functionality will be extended to support high security environments. This includes support for multiple user accounts, increased password security, and additional network spoofing filters. If you plan to use your router in a PCI DSS compliant environment this option is mandatory. See below for more details.

Admin Password – Enter a password for the administrator who will have full access to the router’s management interface. You can use the default password on the back of your product, or you can create a custom Administrator Password.

Advanced Security Mode

When you enable Advanced Security Mode, you have three different options for the Authentication Mode:

  • Local Users
  • TACACS+
  • RADIUS

Local Users

Create users with administrative privileges by inputting usernames and passwords in the Advanced User Management table. The default username is “admin,” but you can edit this name, or delete it once you create other users (you can’t delete the user you are currently signed in as).

In TACACS+ and RADIUS modes, if the servers cannot be reached, either because the WAN is down or because a response is not received within the selected Server Timeout, the router will automatically fall back to using Local Users mode to prevent you from being locked out.

TACACS+

TACACS+ stands for “Terminal Access Controller Access-Control System plus”. The router will use a TACACS+ server (or two, optionally) to authorize administration.

  • Server Timeout – If the servers are not reached within the set time (possibly because the WAN is down), the router will automatically fall back to using Local Users mode to prevent users from being locked out.
  • Authentication Service – Choose from:
    • ASCII / Login
    • PAP
    • CHAP
  • Server Address – This can be either an IP address in the form of “1.2.3.4”, or a DNS name in the form of “host.domain.com”. Only lowercase letters are allowed for a DNS name.
  • Port – Port 49 is default for TACACS+.
  • Shared Secret

RADIUS

RADIUS stands for “Remote Authentication Dial In User Service”. The router will use a RADIUS server (or two, optionally) to authorize administration.

  • Server Timeout – If the servers are not reached within the set time (possibly because the WAN is down), the router will automatically fall back to using Local Users mode to prevent users from being locked out.
  • Server Address – This can be either an IP address in the form of “1.2.3.4”, or a DNS name in the form of “host.domain.com”. Only lowercase letters are allowed for a DNS name.
  • Port – Port 1812 is common for RADIUS servers.
  • Shared Secret

System Clock

Enabling NTP will tell the router to get its system time from a remote server on the Internet. If you do not enable NTP then the router time will be based on when the router firmware was built, which is guaranteed to be wrong. Whenever the Internet connection is re-established and once a week thereafter the router will ask the server for the current time so it can correct itself.

You then have the option of selecting an NTP server and adjusting the NTP server port. Select the NTP server from the dropdown list. Any of the given NTP servers will be sufficient unless, for example, you need to synchronize your router’s time with other devices in a network.

  • Time Zone – Select from a dropdown list. Setting your Time Zone is required to properly show time in your router log.
  • Daylight Savings Time – Select this checkbox if your location observes daylight savings time.

Local Management

  • Enable Internet Bounce Pages – Bounce pages show up in your web browser when the router is not connected to the Internet. They inform you that you are not connected and try to explain why. If you disable bounce pages then you will just get the usual browser timeout. In the normal case when the router is connected to the Internet you don’t see them at all.
  • Disable Attention LED – This disables the Attention LED. This will take effect at the next reboot.
  • Local Domain – The local domain is used as the suffix for DNS entries of local hosts. This is tied to the hostnames of DHCP clients as DHCP_HOSTNAME.LOCAL_DOMAIN.
  • System Identifier – This is a customizable identity that will be used in router reporting and alerting. The default value is the product name and the last three characters of the MAC address of the router.
  • Require HTTPS Connection – Check this box if you want to encrypt all router administration communication.
  • Secure HTTPS Port – Enter the port number you want to use. The default is 443.
  • Enable SSH Server – When the router’s SSH server is enabled you may access the router’s command line interface (CLI) using the standards-based SSH protocol. Use the username “admin” and the standard system password to log in.
  • SSH Server Port – Default: 22.

Remote Management

Remote Management allows a user to enable incoming WAN pings or change settings for the router from the Internet using the router’s Internet address.

Allow WAN pings – When enabled the functionality allows an external WAN client to ping the router.

Allow Remote Web Administration – When remote administration is enabled it allows access to these administration web pages from the Internet. With it disabled, you must be a client on the local network to access the administration website. For security, remote access is usually done via a non-standard HTTP port. Additionally, encrypted connections can be required for an added level of security.

  • Require HTTPS Connection – Requiring a secure (HTTPS) connection is recommended.
  • HTTP Port – Default: 8080. This option is disabled if you select “Require Secure Connection”.
  • Secure HTTPS Port – Default: 8443.

NOTE: You can restrict remote access to only specified IP addresses in Network Settings → Firewall under Remote Administration Access Control.

Allow Remote SSH Access – This will enable SSH access to the router from the Internet. It is only available when SSH access is enabled in the Local Management tab.

Some carriers block the remote SSH access ports. If a ping to the router’s WAN port does not work, it is unlikely that remote SSH access will work.

GPS

If you have an attached device with GPS support (SIM-based models with GPS support require that the SIM is inserted), you can enable a graphical view of your router’s location which will appear in Status → GPS.

Users can configure GPS NMEA GGA format sentence reporting, available through a router-based server and/or a remote server.

NOTE: Some carriers disable GPS support in otherwise supported modems. If you encounter issues with obtaining a fix, contact your carrier and ensure that GPS is supported.

  • Enable GPS support – Enables support for querying GPS information from supported modems.
  • Enable GPS server on WAN – Enables a TCP server on the WAN side of the firewall, which will periodically send GPS NMEA sentences to connected clients.
  • Enable GPS server on LAN – Enables a TCP server on the LAN side of the firewall, which will periodically send GPS NMEA sentences to connected clients.
    • GPS server port number
  • Enable GPS reporting to remote server – Enables periodic reporting of GPS NMEA sentences to a remote server. The router will buffer NMEA data if errors are encountered or if the Internet connection goes down and send the buffered sentences when the connection is restored.
    • Remote server hostname or IP
    • Remote server port
    • Report only over specific time interval – Restricts the NMEA sentence reporting to a remote server to a specific time interval.

GPS NMEA GGA Reporting

The device reports GPS information with the NMEA (National Marine Electronics Association) GGA sentence format. GGA provides essential fix data.

Example:

$GPGGA,1753405,4916.450,N,12311.127,W,2,06,1.5,117.3,M,−26.574,M,6.0,0138*47

Sample Data | Description
1753405 | Time of fix – 17:34:05 UTC
4916.450,N | Latitude 49 deg. 16.450 min North
12311.127,W | Longitude 123 deg. 11.127 min West
2 | Fix quality: 0 = fix not available; 1 = GPS fix; 2 = Differential GPS fix; 3 = PPS fix; 4 = Real Time Kinematic; 5 = Float RTK; 6 = estimated (dead reckoning); 7 = Manual input mode; 8 = Simulation mode
06 | Number of satellites being tracked
1.5 | Horizontal dilution of precision (HDOP) – relative accuracy of horizontal position
117.312,M | Altitude in meters above mean sea level
−26.574,M | Geoidal separation: height of mean sea level above WGS-84 earth ellipsoid (negative value means mean sea level is below ellipsoid)
6.0 | Time in seconds since last update from differential reference stations
0138 | Differential reference station ID number
*47 | Checksum – used by program to check for transmission errors
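
A client that receives these sentences from the router's GPS server can validate the checksum and decode the fields as sketched below. This is an added example, not CradlePoint code: the function names are hypothetical, and the sample sentence is constructed from the field values above using an hhmmss time and an ASCII minus sign, with its checksum computed in the code.

```python
from functools import reduce

# Fix-quality codes as listed in the table above.
FIX_QUALITY = {0: "fix not available", 1: "GPS fix", 2: "Differential GPS fix",
               3: "PPS fix", 4: "Real Time Kinematic", 5: "Float RTK",
               6: "estimated (dead reckoning)", 7: "Manual input mode",
               8: "Simulation mode"}


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"


def frame(body: str) -> str:
    """Wrap a sentence body in '$' ... '*hh' with a freshly computed checksum."""
    return f"${body}*{nmea_checksum(body)}"


def to_degrees(value: str, hemisphere: str) -> float:
    """Convert (d)ddmm.mmm plus N/S/E/W into signed decimal degrees."""
    dot = value.index(".")
    degrees = int(value[: dot - 2]) + float(value[dot - 2:]) / 60.0
    return -degrees if hemisphere in ("S", "W") else degrees


def parse_gga(sentence: str) -> dict:
    """Validate framing and checksum, then decode the GGA fields."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not a framed NMEA sentence")
    body, _, received = sentence[1:].rpartition("*")
    # The checksum detects transmission errors only; it does not authenticate.
    if nmea_checksum(body) != received.upper():
        raise ValueError("checksum mismatch")
    f = body.split(",")
    if len(f) != 15 or not f[0].endswith("GGA"):
        raise ValueError("not a GGA sentence")
    quality = int(f[6])
    fix = {"time_utc": f"{f[1][0:2]}:{f[1][2:4]}:{f[1][4:6]}",
           "quality": FIX_QUALITY.get(quality, "unknown"),
           "satellites": int(f[7])}
    if quality == 0:  # no fix: the position fields are empty
        return fix
    fix.update(lat=to_degrees(f[2], f[3]), lon=to_degrees(f[4], f[5]),
               hdop=float(f[8]), altitude_m=float(f[9]),
               geoid_sep_m=float(f[11]))
    return fix


# Constructed sample sentence (not captured from a router).
SAMPLE = frame("GPGGA,173405,4916.450,N,12311.127,W,2,06,1.5,117.3,M,-26.574,M,6.0,0138")
```

A sentence whose body was altered in transit fails the checksum comparison and is rejected before any field is decoded.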

For more examples and information about NMEA GGA, see the following websites:

SMS

SMS (Short Message Service, or text messaging) requires a cellular modem with an active data plan. SMS is not designed to be a full remote management feature: SMS allows you to connect to the router for a few simple queries or commands with a text messaging service (e.g., from your phone). A modem that does not have an active data connection may still be reachable by SMS because Internet traffic and SMS traffic operate on separate channels, so SMS can be used to bring an offline router back online.

SMS is enabled on the router by default. However, it only works if SMS is supported and enabled on the modem. Most modems have SMS enabled by default, but the carrier may charge a fee for each text message sent or received. Contact your carrier to review these fees and/or to enable an SMS plan.

Important notes about SMS:

  • Messages are limited to 160 characters.
  • SMS is not a guaranteed delivery protocol. The carriers do not guarantee that the SMS message will be delivered to the modem or that the modem’s response will be delivered to the sender. This means an administrator might have to send messages multiple times before the desired action is performed.
  • SMS is a slow protocol. It can take seconds or up to a few minutes for messages to be delivered.
  • SMS messages are not encrypted; they are sent in full readable text over the network.

Enable SMS support – SMS support is enabled by default on the router. Deselect this to disable.

Password – By default, the password is the last 8 characters of the router’s MAC address (i.e., the Default Password on the product label). You can change this password to anything between 1 and 16 characters. It should be long enough to be useful for security but short enough to easily type into your phone (or other texting client).

White List – This list is blank by default, which means that the router will accept SMS messages from any phone number. Leaving this blank is insecure, so CradlePoint recommends that you add phone numbers to this list. Once any numbers are listed, only those numbers have the ability to connect to the router via SMS.

NOTE: You cannot add email addresses to the White list. When a phone number is added to the White List, email SMS messages will be rejected.

How to Send an SMS Message

You can send SMS messages to the router via phone or email. The key elements are:

  1. the modem’s MDN
  2. the SMS password (defined above)
  3. the command

You must know the MDN (Mobile Directory Number) of the modem to send SMS messages to the router. This is a phone number that can be found under Status → Internet Connections in the router administration pages or under Devices → Network Interfaces in Enterprise Cloud Manager.

How to Text from a Phone

  1. Open the text messaging tool on your phone and start a new message.
  2. In the To field, enter the modem’s MDN.
  3. In the Subject field, enter the SMS password and command.
  4. Click Send.

How to Text from an Email Account

NOTE: There are limitations with sending texts via email. The SMS engine is currently only compatible with GSM-based carrier operators.

  1. Start a new email message.
  2. In the To field, enter the modem’s MDN plus the modem’s carrier domain name (e.g., 2085555555@txt.att.net).
  3. Enter the password and command in either the Subject field or Body of the email message. If you use the subject field, leave the body blank, and if you use the body, leave the subject blank.

NOTE: The subject field may be limited to a certain number of characters, so if you get an error when sending the command on the subject line, switch to using the body instead.

SMS Commands

Below is a list of supported SMS messages and the syntax format.

Due to security concerns, the set of commands is intentionally limited to those that can configure a modem’s connection but cannot lock the administrator out through malicious modem changes. Therefore, if an unsolicited request adjusts the modem’s configuration via SMS, an administrator can still access the modem via SMS.

Command syntax:

<password>,<command>,[arg1,][arg2,] 

All commands start with the password – either the default of the last 8 digits of the router’s MAC address or the administrator-configured password. Commands can have an optional number of arguments.

NOTE: The trailing comma on the command is important to allow the SMS engine to distinguish the final argument from other information the SMS client might append to the message without your knowledge.

Supported Commands

reboot – Reboot the router (not the modem)

Syntax:

<password>,reboot, 

Example:

1234,reboot, 

restore – Restore the router to factory defaults

Syntax:

<password>,restore, 

Example:

1234,restore, 

rstatus – Get router status

Syntax:

<password>,rstatus, 

Example:

1234,rstatus, 

mstatus – Get modem status (port parameter optional)

Syntax:

<password>,mstatus,[port,] 

Examples:

1234,mstatus, //return status of highest priority modem
1234,mstatus,usb1, //return status of modem plugged into port usb1

This command returns info about the indicated modem’s status. The resulting data reflects the modem model number, service type, and connection status and values.

Sample response:

Model: MC200P
Service: HSPA+
SIM Status: READY
RSSI: -62 dbm
ECIO: -4
APN: wwan.ccs
IP Addr: 166.136.142.172

mreboot – Reboot the modem (port parameter optional)

Syntax:

<password>,mreboot,[port,] 

Examples:

1234,mreboot, //reboot the highest priority modem
1234,mreboot,usb1, //reboot the modem plugged into port usb1

apn – Set the modem’s APN (port parameter optional)

Syntax:

<password>,apn,<new APN>,[port,] 

Examples:

1234,apn,myapn@apn.com, //set APN of highest priority modem
1234,apn,myapn@apn.com,usb1, //set APN for modem in port usb1

userpass – Set the modem’s authentication username and password (port parameter optional)

Syntax:

<password>,userpass,<username>,<userpassword>,[port,] 

Examples:

1234,userpass,joe,mypassword, //set information of highest priority modem
1234,userpass,joe,mypassword,usb3, //set information on modem in port usb3

simpin – Set the SIM’s PIN (port parameter optional)

Syntax:

<password>,simpin,<pin>,[port,] 

Examples:

1234,simpin,5678, //set simpin in highest priority modem
1234,simpin,5678,usb2, //set simpin in modem on port usb2

log – Return a portion of the router log

Syntax:

<password>,log,[start,] 

Examples:

1234,log, //return the first 10 items of the log (items 0 through 9)
1234,log,10, //return items 10 through 19 of the log
1234,log,20, //return items 20 through 29 of the log

Returning log information via SMS will likely produce several text messages. Please be aware of the costs of text messages on the modem’s account, and use this command only if necessary.

* The “port” parameter is optional. It specifies which port – and therefore which modem – to perform the action on. If not given, the action will happen on the highest priority modem.
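
The command syntax, the trailing-comma rule and the White List behaviour described above can be modelled as a small parser. This is an added illustration, not CradlePoint firmware code: `parse_sms`, the phone numbers and the error strings are hypothetical, and it assumes that any text an SMS client appends contains no comma.

```python
import hmac

# Argument counts per command, read off the syntax lines above
# (the optional last argument is the port).
COMMANDS = {
    "reboot": (0, 0), "restore": (0, 0), "rstatus": (0, 0),
    "mstatus": (0, 1), "mreboot": (0, 1), "log": (0, 1),
    "apn": (1, 2), "simpin": (1, 2), "userpass": (2, 3),
}
MAX_SMS_LEN = 160  # message length limit stated on the page


def parse_sms(sender: str, text: str, password: str, white_list=()):
    """Hypothetical helper: return (command, args) or raise ValueError."""
    # A blank White List accepts any sender; once populated, only listed numbers.
    if white_list and sender not in white_list:
        raise ValueError("sender not on White List")
    if len(text) > MAX_SMS_LEN:
        raise ValueError("message longer than 160 characters")
    if "," not in text:
        raise ValueError("no comma-terminated fields")
    # Only comma-terminated fields count: whatever follows the final comma
    # (a signature the SMS client appended, for instance) is discarded.
    fields = text[: text.rindex(",")].split(",")
    given = fields[0]
    command = fields[1] if len(fields) > 1 else ""
    args = fields[2:]
    # Constant-time comparison so timing does not leak password prefixes.
    if not hmac.compare_digest(given.encode(), password.encode()):
        raise ValueError("bad password")
    if command not in COMMANDS:
        raise ValueError("unsupported command")
    low, high = COMMANDS[command]
    if not low <= len(args) <= high:
        raise ValueError("wrong number of arguments")
    return command, args
```

Under this model, `1234,simpin,5678,usb2` without the final comma parses as a `simpin` command with no port, so the PIN would be applied to the highest priority modem instead of the one in usb2.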

Sample Debug Session

The following is an example of a debug session in which an administrator discovers that a modem’s APN is misconfigured and sets it to the correct value.

Figure out the state of the modems on the router:

1234,rstatus, 

Receive the modem’s status and settings:

1234,mstatus, 

Set the modem’s APN to the correct setting:

1234,apn,broadband, 

Verify the APN was set properly:

1234,mstatus, 

Continue to verify the status periodically to ensure that the modem connects:

1234,rstatus, 

System Logging

Logging Level: Setting the log level controls which messages are stored or filtered out. A log level of Debug will record the most information while a log level of Critical will only record the most urgent messages. Each level includes all messages from all of the levels below it on the list (e.g. “Warning” includes all “Error” and “Critical” messages as well).

  • Debug
  • Info
  • Warning
  • Error
  • Critical

Enable Logging to a Syslog Server: Enabling this option will send log messages to a specified Syslog server. After enabling, type the Hostname or IP address of the Syslog server (or select from the dropdown menu).

  • Syslog Server Address: Select the Hostname or IP address from the dropdown menu, or type this in manually.
  • Include System ID: This option will include the router’s “System ID” at the beginning of every log message. This is often useful when a single remote Syslog server is handling logs for several routers.
  • Include UTF8 Byte Order Mark: The log message is sent using UTF-8 encoding. By default the router will attach the Unicode Byte Order Mark (BOM) to the Syslog message in compliance with the Syslog protocol, RFC5424. Some Syslog servers may not fully support RFC5424 and will treat the BOM as ASCII text, which will appear as garbled characters in the log. If this occurs, disable this option.

Log to attached USB stick: Only enable this option if instructed by a CradlePoint support agent. This will write a very verbose log file to the root level of an attached USB stick. Please disable the feature before removing the USB stick, or you may lose some logging data.

Verbose modem logging: Only enable this option if instructed by a CradlePoint support agent.

Create support log: This functionality allows for a quick collection of system logging. Create this log file when instructed by a CradlePoint support agent.

Router Services

By default, router services (Enterprise Cloud Manager, NTP, etc.) connect to the router via the WAN. In some setups it makes sense to use the LAN instead. For example, if your router is used strictly for 3G/4G failover behind another router, you may not want to use 3G/4G data unnecessarily. Select Use LAN Gateway to set your router services to connect via the LAN.

LAN Gateway Address: Input the IP address of the LAN side connection. If this is a 3G/4G failover router operating behind another router, the LAN Gateway Address is the IP address of that other router.

DNS Server and Secondary DNS Server: The primary and secondary DNS server numbers match the static DNS values (set at Network Settings → DNS). You can leave the default values or set them manually here. (Changing these values also changes the static DNS values.)

