Cradlepoint COR IBR350 Manual

4g lte gateway
Highly Available, Cloud-Managed M2M Gateway
The Cradlepoint COR IBR350 Series is an affordable, compact, high performance 4G LTE* gateway designed for mission critical connectivity to the Internet of Things.
Ideal for kiosks and digital signs, this cloud-managed solution provides organizations the ability to scale deployments quickly and manage their distributed networks easily in real-time.
Designed with form & function in mind for the cost-conscious consumer, COR IBR350 is perfect to get your applications online.
Key Features
Cloud-managed for zero-touch deployment and intelligent management
Internal LTE-only, HSPA+, or multi-carrier/software-defined radio (LTE/HSPA+/EVDO) modem
Compact
Integrated mounting holes
One 10/100 Ethernet port
Connectors for external cellular modem antennas (two)
Introduction
Package Contents
System Requirements
Specifications
Hardware
LEDs
Quick Start
Basic Setup
Accessing the Administration Pages
First Time Setup Wizard
Using Enterprise Cloud Manager
Administration Pages
The COR IBR350 administration pages include the following five tabs:
See Navigating the Administration Pages for helpful information about how to use the device's GUI-based management interface.
NOTE: The manual content for the following administration pages sections is generic across multiple devices. Therefore, some details may not apply to the COR IBR350 because they are specific to another device. For example, CP Secure Threat Management is only available for the AER 2100. Also, the configuration pages within Enterprise Cloud Manager (ECM) are very similar to the local router administration pages, but some items are missing because they are not relevant in the ECM environment. For example, the entire Status tab is absent in ECM because status information is presented in other ways (Dashboard, Devices list, etc.).
Getting Started
Enterprise Cloud Manager Registration
First Time Setup


Summary of Contents for Cradlepoint COR IBR350

  • Page 1 NOTE: The manual content for the following administration pages sections is generic across multiple devices. Therefore, some details may not apply to the COR IBR350 because they are specific to another device. For example, CP Secure Threat Management is only available for the AER 2100. Also, the...
  • Page 2: Package Contents

    Quick Start Guide with warranty and regulatory information System Requirements At least one Internet source: a CradlePoint integrated 3G/4G modem with an active data plan, or an Ethernet-based modem. Windows 2000/XP/7/8, Mac OS X, or Linux computer. Internet Explorer v6.0 or higher, Firefox v2.0 or higher, Safari v1.0 or higher, or Google Chrome.
  • Page 3 WAN port speed control, several levels of basic and advanced logging for troubleshooting VPN (IPsec) – Tunnel, NAT-T, and transport modes; connect to Cradlepoint, Cisco/Linksys, CheckPoint, Watchguard, Juniper, SonicWall, Adtran and others; certificate support; Hash (MD5, SHA128, SHA256, SHA384, SHA512), Cipher (AES, 3DES, DES); support for 2 concurrent connections,...
  • Page 4 PDF in the Resources section of antenna and router product pages. Business-Grade Modem Specifications COR IBR350 models include an integrated 4G LTE or HSPA+ or LTE/HSPA+/EVDO modem – specific model names include a specific modem (e.g., the COR IBR350L-VZ includes a Verizon LTE modem).
  • Page 5 Antennas: two SMA male (plug), finger tighten only (maximum torque spec is 7 kgf-cm) Industry Standards & Certs: PTCRB, FCC, IC, UL SIM: two 2FF slots GPS: standalone GPS support COR IBR350LPE-GN – 4G LTE/HSPA+/EVDO (generic – for use on T-Mobile in the U.S. and Rogers, Bell, & TELUS in Canada) Technology: LTE, HSPA+, EVDO Rev A Downlink Rates: LTE 100 Mbps, HSPA+ 21.1 Mbps, EVDO 3.1 Mbps (theoretical)
  • Page 6: Quick Start

    1. Insert an activated SIM. A wireless broadband data plan must be added to your Cradlepoint COR IBR350. Wireless broadband data plans are available from wireless carriers such as Verizon, AT&T, Sprint, EE, and Vodafone. The SIM must be provisioned with the carrier. Contact your carrier for details about selecting a data plan and about the process for provisioning your SIM.
  • Page 7 Attach the included modem antennas (finger tight only). 3. Connect to a power source. The Cradlepoint COR IBR350 includes a 12VDC 1A power adapter. Plug this into the device and to a power outlet. 4. Connect to a computer or other network equipment.
  • Page 8 Manager, Cradlepoint’s next generation management and application platform. Enterprise Cloud Manager (ECM) integrates cloud management with your Cradlepoint devices to improve productivity, increase reliability, reduce costs, and enhance the intelligence of your network and business operations. Click here to sign up for a free 30-day ECM trial.
  • Page 9 Once you have registered your device, go to cradlepointecm.com and log in using your ECM credentials. For more information about how to use Cradlepoint Enterprise Cloud Manager, see the following: Getting Started ECM on the Knowledge Base Navigating the Administration Pages To access the administration pages, open a web browser and type the hostname “cp/”...
  • Page 10 Password. Quick Links The Cradlepoint logo in the top left corner of all the administration pages is a link to the Dashboard (Status → Dashboard), which displays fundamental information about the router. The bar across the top provides quick access to important information and controls: Internet Connections –...
  • Page 11: Table Of Contents

    Cradlepoint Enterprise Cloud Manager is Cradlepoint’s next generation management and application platform. Enterprise Cloud Manager (ECM) integrates cloud management with your Cradlepoint devices to improve productivity, increase reliability, reduce costs, and enhance the intelligence of your network and business operations.
  • Page 12: Getting Started

    Failure Check Administrator Password Cradlepoint recommends that you change the router’s ADMINISTRATOR PASSWORD, which is used to log into the administration pages. The administrator password is separate from the WiFi security password, although initially the Default Password is used for both.
  • Page 13: Time Zone

    Access Point Name (APN) If you are using a SIM-based modem (LTE/GSM/HSPA) with your Cradlepoint router, you may need to configure the APN before it will properly connect to your carrier. Wireless carriers offer several APNs, so check with your carrier to confirm the appropriate one to use. Some examples include: AT&T: "broadband"...
  • Page 14: Status

    Idle Check Interval: Set the number of seconds the router will wait between checks to see if the WAN is still available. (Default: 30 seconds. Range: 10-3600 seconds.) Monitor while connected: Select from the dropdown menu. (Default: Off.) Active Ping: A ping request will be sent to the Ping Target. If no data is received, the ping request will be retried 4 times at 5-second intervals. If still no data is received, the device will be disconnected and failover will occur.
  • Page 15: Client List

    Client List The Client List displays the specifications of each device connected to your router, including wireless and wired clients. Wired Clients For each device using a wired connection to your router, the following information is displayed: Hostname, IP, and MAC. Client List Fields Hostname: The name by which each computer or device in a network is known.
  • Page 16: GPS

    After the initial setup of the router, every time you log in you will automatically be directed to this Dashboard. Also, you can click on the Cradlepoint logo in the upper left-hand corner to return to the Dashboard from any page.
  • Page 17: GRE Tunnels

    location. See the GPS section in System Settings → Administration to enable GPS support. GPS information is only displayed if 1) the modem supports GPS, 2) your carrier allows the GPS functionality, and 3) the modem has sufficient GPS signal strength. If no information is displayed, check that both the modem and your carrier support GPS. If GPS is supported, make sure the modem is in an area where it can receive a signal from the GPS satellites.
  • Page 18: QoS

    Select the device to see detailed information about it. The information displayed varies greatly depending on the technology, especially for 3G/4G modems. Cradlepoint passes on the information provided by the modems, which is specific to the carrier (e.g. Verizon) and technology (e.g. LTE).
  • Page 19: Statistics

    There are also tables displaying information for GRE Routes, VPN Routes, and NEMO Routes. Configure the settings for these routes under the Internet tab. Statistics The Statistics submenu option displays basic traffic statistics. Wireless Statistics: View the signal strength and other wireless modem information. The wireless device’s signal strength will only be displayed as long as it supports “Live Diagnostics.”...
  • Page 20: VPN Tunnels

    utility. Auto Update: The logs automatically refresh whenever the router creates a new message. Update: Click to check for new router messages. Clear Log: Clear the log file. Save Log: This will open a dialog in your browser that will allow you to save the router's log to your computer. Search: Enter keywords to find specific events.
  • Page 21: Network Settings

    To set up or edit a VPN tunnel, go to Internet → VPN Tunnels. Network Settings The Network Settings section of the Administration Pages provides access to tools for controlling the LAN (Local Area Networks). The Network Settings tab has the following dropdown menu items: Content Filtering DHCP Server Firewall...
  • Page 22 Click Add or Edit to open the Filter Rule Editor. Assigned Network: Select either “All Networks” or one of your LAN networks from the dropdown list. Domain/URL/IP: Enter the Domain Name or URL (address) of the website you wish to control access for, e.g. www.google.com. To make sure the full domain is blocked, enter the most inclusive domain (e.g.
  • Page 23 The settings for the MAC Address WebFilter Rules section match those for the Network WebFilter Rules, except that you must assign a MAC address instead of a network to each rule. See the Network WebFilter Rules section (above) for more configuration details. MAC Address WebFilter Defaults Use MAC Address WebFilter Defaults together with MAC Address WebFilter Rules to control website access for specific MAC addresses.
  • Page 24: DHCP Server

    Force All DNS Requests To Router: Enabling this will redirect all DNS requests from LAN clients to the router's DNS server. This will allow the router even more control over IP Addresses even when the client might have their own DNS servers statically set. OpenDNS ISP Filter Bypass Algorithm: It is possible that your Internet Service Provider (ISP) uses the port that OpenDNS is configured to access, port 53, which will prevent OpenDNS filtering.
  • Page 25: DNS

    Active Leases section and click “Reserve.” The selected device’s information will automatically be added under Reservations. DNS, or Domain Name System, is a naming system that translates between domain names (www.cradlepoint.com, for example) and Internet IP addresses (206.207.82.197).
  • Page 26 Enable Dynamic DNS: Enable this option only if you have purchased your own domain name and registered with a Dynamic DNS service provider. Server Type. Select a dynamic DNS service provider from the dropdown list: DynDNS DNS-O-Matic ChangeIP NO-IP Custom Server (DynDNS clone) Custom Server Address.
  • Page 27: Firewall

    EXAMPLE: a personal laptop with IP address 192.168.0.164 could be assigned the name “MyLaptop”. Since the assigned name is mapped to an IP address, the device’s IP address should not change. To ensure that the device keeps the same IP address, go to Network Settings →...
  • Page 28 Add/Edit Port Forwarding Rule Name: Name your rule. Enabled: Toggle whether your rule is enabled. Selected by default. Use Port Range: Changes the selection options to allow you to input a range of ports (if desired). Internet Port(s): The port number(s) as you want it defined on the Internet. Typically these will be the same as the local port numbers, but they do not have to be.
  • Page 29 IETF. NPT can help to keep internal network ranges consistent across various IPv6 providers, but it cannot be used effectively in all situations. The primary purpose for Cradlepoint’s NPT implementation is for failover/failback and load balancing setups. LAN clients can potentially retain the original IPv6 lease information and may experience a more seamless transition when WAN connectivity changes than if not utilizing NPT.
  • Page 30: Firewall Options

    Enabling an application gateway makes pinholes through the firewall. This may be required for some applications to function, or for an application to improve functionality or add features. Exercise caution in enabling application gateways as they impact the security of your network. Enable any of the following types of application gateways: PPTP: For virtual private network access using Point-to-Point Tunneling Protocol.
  • Page 31 Field 2: Choose one of the following: Port – Select by the physical port on the router (e.g., "Modem 1"). Manufacturer – Select by the modem manufacturer (e.g., "Cradlepoint Inc."). Model – Select according to the specific model of modem.
  • Page 32 A Filter Policy is a one-way filter applied to initialized network traffic flowing from one zone to another. A Filter Policy needs to be assigned to a Forwarding for it to take effect. Filter Policies can either be Added, Edited, Removed, or Cloned. Cloning a Policy will copy the entire policy. The name of the cloned policy will include the name plus “Clone”.
  • Page 33: Local Networks

    IP Source / IP Destination IP Negation: Match on any IP address that is NOT in the specified IP network range. Network IP: Optional field to specify a matching network IP address for this rule to match against. Netmask: Use this to define a subnet size this rule will match against. Port Negation: Match on any port that is NOT in the specified port range.
  • Page 34 Local IP Networks displays the following information for each network: Network Name and IP address/Netmask (along the top bar) Enabled: Yes/No Multicast Proxy (Enabled/Disabled) DHCP Server (Enabled/Disabled) Schedule (Enabled/Disabled – See the Schedule tab in the Local Network Editor) VRRP Failover State (Disabled, Backup, or Master) IPv4 Routing Mode (NAT, Standard, Hotspot, Disabled) IPv6 Addressing Mode (SLAAC Only, SLAAC with DHCP, Disable SLAAC and DHCP) Access Control (Admin Access, UPnP Gateway, LAN Isolation)
  • Page 35 Name: This primarily helps to identify this network during other administration tasks. Hostname: [Default: cp (for Cradlepoint)] The hostname is the DNS name associated with the router's local area network IP address. NOTE: You can access the router’s administration pages by typing the hostname into your browser, so if you change “cp” to another hostname, you can access the administration pages through the new hostname.
  • Page 36 IPv6 Address Source: By default, this is set to Delegated, which means the IPv6 address range for the LAN is passed through from the WAN side. Change this to Static to input your own IPv6 address range here, or select None to explicitly disable IPv6 LAN connectivity. Interfaces Select network interfaces to attach to this network.
  • Page 37 Tune the access control settings of this network to match the intended use. Simply select or deselect any of the following: LAN Isolation: When checked, this network will NOT be allowed to communicate with other local networks. UPnP Gateway: Select the UPnP (Universal Plug and Play) option if you want to enable the UPnP Gateway service for computers on this network. Admin Access: When enabled, users may access these administration pages on this network.
  • Page 38 Address Configuration Mode: Select from the following dropdown options: SLAAC Only – SLAAC stands for stateless address autoconfiguration. The router regularly generates a router advertisement that includes network prefix and routing information, allowing clients to autogenerate an address and start communicating on the network. Clients utilize neighbor discovery protocols to ensure multiple clients on the subnet have not chosen an identical address.
  • Page 39 Schedule Set up a schedule for this network interface. This allows an interface to be enabled or disabled during specific hours of a day. For example, use this to limit a Hotspot network to business hours. Schedule Service: (Default: Disabled.) Select to enable. This will open a configurable chart for setting the schedule. Each hour of the week is represented by a black or gray square.
  • Page 40 keep the same settings via the virtual router. Enable VRRP: Select to enable VRRP configuration options. Virtual Router IP: IP address of the virtual router. This must be distinct from the IP address of any physical router associated with the virtual router. Virtual Router ID: Identifying number of the virtual router.
  • Page 41 Wired 802.1X: (requires hardware version 2.0) This allows you to configure an authentication server that will accept authentication requests from devices attached to wired Ethernet ports. IEEE 802.1X defines the encapsulations of the Extensible Authentication Protocol (EAP). Click Enable 802.1X to require IEEE 802.1X authorization for the Ethernet ports associated with this network. Reauthentication Period: EAP re-authentication period in seconds.
  • Page 42 WPA Enterprise WEP Auto Open Select “Open” to create a hotspot: otherwise select the best security that your devices will support (Cradlepoint recommends WPA2). Depending on which Security Mode you select, there are different setup options. “Personal” security modes require passwords.
  • Page 43 Enterprise. In order to protect your network from hackers and unauthorized users, Cradlepoint highly recommends WPA2/AES for security if your attached devices can support it. WEP and WPA/TKIP are obsolete and have been replaced by WPA/AES. Using those security settings will cause the Wi-Fi to limit to 802.11g modes.
  • Page 44 text phrase to describe this group, such as "main", "guestports", "backup_wan", etc. This must be unique. Select one or more ports to create a port group that you can subsequently attach to a network in the Local Network Editor. Double-click on any of the Ethernet ports shown on the left in the Available section to move them to the Selected section on the right (or highlight a port and click the + button).
  • Page 45 User Selection – Manually set the channel. Random Selection – The router randomly sets the channel. Smart Selection (Default) – Scans to determine the lowest interference WiFi channel. Channel Selection Schedule: When using the "Smart" channel selection, this controls whether the router will periodically rescan for a better channel and change to it.
  • Page 46: MAC Filter

    802.11 b/g 802.11 a/b/g/n 802.11 b/g/n 802.11 n 5 GHz options 802.11 a/b/g/n/ac 802.11 g/n/ac 802.11 n/ac 802.11 ac 802.11 n 802.11 g 802.11 b Protection: In Auto mode the device will use protection to improve performance in mixed mode networks. Turn protection off to maximize throughput with 802.11n clients.
  • Page 47: QoS

    You can configure the router to send an alert if a connected device has a MAC address that the router doesn’t recognize. Go to System Settings → Device Alerts to set up these email alerts. Ignored MAC Addresses: This is the list of MAC addresses that will not produce an alert or a log entry when they are connected to the router. These should be MAC addresses that you expect to be connected to the router.
  • Page 48 Click Add to create a new Traffic Shaping/QoS queue. Queue Name: Choose a name that is meaningful to you. Upload Bandwidth Enable Upload QoS: (Default: Enabled.) Deselect if you want your rule to apply to download traffic only. Leave this selected to include upload restrictions with this queue.
  • Page 49 Lowest Lower Below Normal Normal Above Normal High Higher Highest DSCP (DiffServ) Tag: Differentiated Services Code Point (DSCP) is the successor to TOS (Type of Service). Use this field to 'tag' the traffic by putting the value in the DSCP header of each IP packet that flows through this queue. Use the value of '0' to clear the existing DSCP value in the packet header. DSCP Tagging is sometimes used so that other networking equipment, upstream or post-NAT, can do traffic shaping based on the DSCP Tags as opposed to IP addresses or ports.
  • Page 50: Routing

    Use ports and/or IP addresses to define the type(s) of traffic attached to this rule. Leaving any field blank will match all values; all fields are optional. Source Port(s) and/or Destination Port(s): Enter a port number between 1 and 65535. To enter a single port number, input the number into the left box.
  • Page 51: Internet

    of addresses. Netmask: The Netmask, along with the IPv4 address, defines the network the computer belongs to and which other IP addresses the computer can see in the same LAN. An IP address of 192.168.0.1 along with a Netmask of 255.255.255.0 defines a network with 256 available IP addresses from 192.168.0.0 to 192.168.0.255.
  • Page 52: WAN Configuration

    Selecting a device reveals the following information: State (Connected, Available, etc.) Port UID (Unique identifier. This could be a name or number/letter combination.) IP Address Gateway Netmask Stats: bytes in, bytes out Uptime Click “Edit” to view configuration options for the selected device. For 3G/4G modems, click “Control” to view options to activate or update the device. WAN Configuration Select a WAN interface and click on Edit to open the WAN Configuration editor.
  • Page 53 Idle Check Interval: The amount of time between each check. (Default: 30 seconds. Range: 10-3600 seconds.) Monitor while connected: (Default: Off) Select from the following dropdown options: Passive DNS (modem only): The router will take no action until data is detected that is destined for the WAN. When this data is detected, the data will be sent and the router will check for received data for two seconds.
  • Page 54 IP Overrides IP overrides allow you to override IP settings after a device’s IP settings have been configured. Only the fields that you fill out will be overridden. Override any of the following fields: IP Address Subnet Mask Gateway IP Primary DNS Server Secondary DNS Server IPv6 Settings...
  • Page 55 PD Request Size – Prefix Delegation request size. This is the size of IPv6 network that will be requested from the ISP to delegate to LAN networks. (Default: 63) Primary IPv6 DNS Server – (optional) Depending on your provider, this may be required. This only takes effect if the default global DNS setting on the Network Settings →...
  • Page 56 tunnel brokers provide a facility to request delegated networks for use through the tunnel. Tunnel Server IP – Input the tunnel server IP address provided by your tunnel service. Local IPv6 Address – Input the local IPv6 address provided by your tunnel service. Primary IPv6 DNS Server –...
  • Page 57 connection. DHCP automatically assigns dynamic IP addresses to devices in your networks. This is preferable in most circumstances. Static allows you to input a specific IP address for your WAN connection; this should be provided by the ISP if supported. PPPoE should be configured with the username, password, and other settings provided by your ISP.
  • Page 58 On Demand: When this mode is selected a connection to the Internet is made as needed. When this mode is not selected a connection to the Internet is always maintained. IP WAN Subnet Filter: This feature will filter out any packets going to the modem that do not match the network (address and netmask). Aggressive Reset: When Aggressive Reset is enabled the system will attempt to maintain a good modem connection.
  • Page 59 Network-Initiated Alerts: This field controls whether the Sprint network can disconnect the modem to apply updates, such as for PRL, modem firmware, or configuration events. These activities do not change any router settings, but the modem connection may be unavailable for periods of time while these updates occur.
  • Page 60 Active Profile: Select a number from 0-5 from the dropdown list. The following fields can be left blank. If left blank they will remain unchanged in the modem. NAI (Username@realm): Network Access Identifier. NAI is a standard system of identifying users who attempt to connect to a network. AAA Shared Secret (Password): “Authentication, Authorization, and Accounting”...
  • Page 61 Preferred Roaming List (PRL) Update Firmware Update Management Object (FUMO) Click the appropriate icon to start the process. If the modem is connected when you start an operation the router will automatically disconnect it. The router may start another modem as a failover measure.
  • Page 62 The Configuration Rules list shows all rules that you have created, as well as all of the default rules. These are listed in the order they will be applied. The most general rules are listed at the top, and the most specific rules are at the bottom. The router goes down the list and applies all rules that fit for attached Internet sources.
  • Page 63: Client Data Usage

    When you select Enable Data Usage, you will see the Data Usage Agreement shown below. The purpose of this agreement is to ensure that you understand that the data numbers for your router might not perfectly match those of your carrier: Cradlepoint cannot be held responsible. You must accept the agreement by clicking "Yes"...
  • Page 64 Click Add to configure a new Data Usage Rule. Data Usage Rule – page 1 Rule Name: Give your rule a name for later recognition. WAN Selection: Select from the dropdown list of currently attached WAN devices. Assigned Usage in MB: Enter a cap amount in megabytes. 1024 megabytes equals 1 gigabyte. Rule Enabled: (Default: Enabled.) Click to disable.
  • Page 65 Shutdown WAN on Cap: If selected, the WAN device will shut down when the assigned usage is reached. A cycle reset or a rule deletion will re-enable the device. Send Alert on Cap: An email alert will be generated and sent when the assigned usage is reached. WARNING: The SMTP mail server must be configured in System Settings →...
  • Page 66: GRE Tunnels

    GRE Tunnels Generic Routing Encapsulation (GRE) tunnels can be used to create a connection between two private networks. Most Cradlepoint routers are enabled for both GRE and VPN tunnels. GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but VPN tunnels are much more secure.
  • Page 67 Port – Select by the physical port on the router that you are plugging the modem into (e.g., "USB Port 2"). Manufacturer – Select by the modem manufacturer (e.g., "Cradlepoint Inc."). Model – Set your rule according to the specific model of modem.
  • Page 68: Network Mobility

    Enabled: Select to enable GRE Keep Alive to continually send keep-alive packets to the remote peer. Rate: Choose the length of time in seconds for each check (Default: 10 seconds. Range: 2 – 3600 seconds). Retry: Select the number of attempts before the GRE tunnel is considered down or up (Default: 3. Range: 1 – 255). Failover Tunnel and Failback Tunnel: Use these settings to create two tunnels –...
  • Page 69: VPN Tunnels

    (Internet Protocol security) to authenticate and encrypt packets exchanged across the tunnels. To set up a VPN tunnel with a Cradlepoint router on one end, there must be another device (usually a router) that also supports IPsec on the other end.
  • Page 70 Tunnel Enabled: Enabled or Disabled. MBR1200 Quick Connect: VPN tunnels in more advanced Cradlepoint devices have more choices than they did in the MBR1200, so they are more complex to configure now. Check this box to simplify setup by streamlining your options to match the old settings from the Cradlepoint MBR1200.
  • Page 71 Port – Select by the physical port on the router that you are plugging the modem into (e.g., "USB Port 2"). Manufacturer – Select by the modem manufacturer (e.g., "Cradlepoint Inc."). Model – Set your rule according to the specific model of modem.
  • Page 72 security, select only the most secure options that your devices support. Exchange Mode: The IKE protocol has two modes of negotiating phase 1 – Main (also called Identity Protection) and Aggressive. In Main mode, IKE separates the key information from the identities, allowing for the identities of peers to be secure at the expense of extra packet exchanges.
  • Page 73 Perfect Forward Secrecy (PFS): Enabling this feature will require IKE to generate a new set of keys in Phase 2 rather than using the same key generated in Phase 1. Additionally, with this option enabled the new keys generated in Phase 2 are exchanged in an encrypted session. Enabling this feature affords the policy greater security.
  • Page 74: System Settings

    Global VPN Settings These settings apply to all configured VPN tunnels. Enable Certificate Support: Enabling Certificate Support will allow you to load a certificate for VPN to the router. Click the “Upload Certificate” button to browse for a certificate on a local device. Disabling certificate support will no longer use any previously loaded certificate but will not delete it from the router.
  • Page 75 Router Security Advanced Security Mode – Select to enable the following additional security features and options: TACACS+ and RADIUS server authentication options Option for multiple users Increase password security: minimum 7 characters at least 1 alpha and 1 numeric character 30-minute lockout after 6 failed login attempts Admin Password –...
  • Page 76: System Clock

    using Local Users mode to prevent users from being locked out. Authentication Service – Choose from: ASCII / Login CHAP Server Address – This can be either an IP address in the form of "1.2.3.4", or a DNS name in form of "host.domain.com". Only lower case letters are allowed for a DNS name.
  • Page 77: Remote Management

    SIM-based models with GPS support require that the SIM be inserted. Some carriers disable GPS support in otherwise supported modems. If you encounter issues with obtaining a fix, contact your carrier and ensure that GPS is supported. Some of the following GPS options are specific to Cradlepoint COR devices, particularly the COR IBR1100 Series.
  • Page 78 General Settings Enable GPS – Enable support for querying GPS information from capable modems. TAIP Vehicle ID # – Assign a 4-character ID (default ID is 0000) to use with TAIP. TAIP options are available for the COR IBR1100 Series only. See TAIP section below for more information.
  • Page 79 (in addition to the standard sentences): $PCPTI,{System ID},{router timestamp},{GGA timestamp},{GGA checksum}*{checksum} “PCPTI” stands for Proprietary, CradlePoinT, Identification (P-CPT-I). TAIP The Trimble ASCII Interface Protocol (TAIP) was designed for vehicle tracking. For more information about TAIP, see these instructions from Trimble.
  • Page 80 (Disable by setting this value to 0.) Stationary Time Interval (seconds) – Set the interval in seconds between periodic GPS sentence reports when the device is stationary. This overrides the Default Time Interval as long as the unit is stationary. Use this with the Stationary Distance Threshold to define "stationary". (Disable by setting this value to 0.) Stationary Distance Threshold (meters) –...
  • Page 81 4916.450,N Latitude 49 deg. 16.450 min North 12311.127,W Longitude 123 deg. 11.127 min West Fix quality: 0 = fix not available; 1 = GPS fix; 2 = Differential GPS fix; 3 = PPS fix; 4 = Real Time Kinematic; 5 = Float RTK; 6 = estimated (dead reckoning);...
  • Page 82 White List – This list is blank by default, which means that the router will accept SMS messages from any phone number. Leaving this blank is insecure, so Cradlepoint recommends that you add phone numbers to this list. Once any numbers are listed, only those numbers have the ability to connect to the router via SMS.
  • Page 83 NOTE: The trailing comma on the command is important to allow the SMS engine to distinguish the final argument from other information the SMS client might append to the message without your knowledge. Supported Commands reboot – Reboot the router (not the modem) Syntax: <password>,reboot, Example:...
  • Page 84 Examples:
    1234,apn,myapn@apn.com, //set APN of highest priority modem
    1234,apn,myapn@apn.com,usb1, //set APN for modem in port usb1
    userpass – Set the modem's authentication username and password (port parameter optional)
    Syntax: <password>,userpass,<username>,<userpassword>,[port,]
    Examples:
    1234,userpass,joe,mypassword, //set information of highest priority modem
    1234,userpass,joe,mypassword,usb3, //set information on modem in port usb3
    simpin –...
  • Page 85 BOM as ASCII text, which will appear as garbled characters in the log. If this occurs, disable this option. Log to attached USB stick: Only enable this option if instructed by a Cradlepoint support agent. This will write a very verbose log file to the root level of an attached USB stick.
  • Page 86: Certificate Management

    (ITU-T standard) PKCS #12 Digital certificates have multiple possible uses in a Cradlepoint networking setup. For example, a digital certificate is a much more secure option for VPN tunnel authentication than a pre-shared key. Go to the following sections for more information about specific certificate management options: Create Certificates –...
  • Page 87 Not all Certificate Management options displayed here are currently available via the Enterprise Cloud Manager configuration pages. Create Certificates Complete the following fields to create certificates locally, including CA (certificate authority) certificates. To create local certificates without sending signature requests to a third-party CA, first create a CA certificate with this interface and then create additional certificates that you sign with your CA: Step 1: Create a CA certificate.
  • Page 88: Local Certificates

    Organization Unit: Company division name Common Name: Must be unique; if used for authentication, this must match the configured Common Name (CN) on the third-party authenticator Email Address Validity Days: Input the number of days the certificate should remain valid (999 days maximum). Public Key Algorithm Type: Select one of the following: Digest: The following...
  • Page 89 NOTE: This article may contain links that direct you to non-Cradlepoint, Inc. owned websites, and these links are not under the control of Cradlepoint, Inc. or any of its representatives. Cradlepoint, Inc. is not responsible for the content of any linked site or any link contained in a linked site or any changes or updates to such sites outside of cradlepoint.com.
  • Page 90: Device Alerts

    Device Alerts The Device Alerts submenu choice allows you to receive email notifications of specific system events. YOU MUST ENABLE AN SMTP EMAIL SERVER TO RECEIVE ALERTS. Alerts can be included for the following: Firmware Upgrade Available: A firmware update is available for this device. System Reboot Occurred: This router has rebooted.
  • Page 91: Enterprise Cloud

    Maximum Alerts Buffer: The maximum number of alerts to buffer when offline. Feature Licenses Some Cradlepoint features may require a license. These features are disabled by default. To obtain a feature license, contact your Cradlepoint sales representative.
  • Page 92: SNMP Configuration

    SNMP, or Simple Network Management Protocol, is an Internet standard protocol for remote management. You might use this instead of Enterprise Cloud Manager if you want to remotely manage a set of routers that include both Cradlepoint and non-Cradlepoint products.
  • Page 93: System Information

    SHA with no encryption; MD5 with DES encryption; SHA with DES encryption; MD5 with AES encryption; SHA with AES encryption. Username: Enter the Username configured on your SNMP host in the username field. Password: Enter the Password for your SNMP host in the password and verify password fields. This password must be at least 8 characters long. Enable SNMP traps: Enabling traps will allow you to configure a destination server, community, and port for trap notifications.
  • Page 94: System Software

    This allows the administrator to load new firmware onto the router to add new features or fix defects. If you are happy with the operation of the router, you may not want to upgrade just because a new version is available. Check the firmware release notes (cradlepoint.com/firmware) for information to decide if you should upgrade.

Table of Contents