5-24 G30 GENERATOR PROTECTION SYSTEM – INSTRUCTION MANUALPRODUCT SETUP CHAPTER 5: SETTINGS5FAILED AUTHENTICATE — If this setting is Enabled then the number of failed authentications is compared with the SessionLockout threshold. When the Session Lockout threshold is exceeded, this minor alarm indication comes up.FIRMWARE LOCK — If this setting is Enabled, then any firmware upgrade operation attempt when the Lock Relay setting isenabled brings up this self test alarm.SETTINGS LOCK — If this setting is Enabled then an unauthorized write attempt to a setting for a given role activates this selftest.SETTINGS PRODUCT SETUP SECURITY SUPERVISORY SELF TESTS FAILED AUTHENTICATECyberSentry setupWhen first using CyberSentry security, use the following procedure for setup.1. Log in to the relay as Administrator by using the VALUE keys on the front panel to enter the default password"ChangeMe1#". Note that the Lock Relay setting needs to be disabled in the Security > Supervisory menu. When thissetting is disabled, configuration and firmware upgrade are possible. By default, this setting is disabled.2. Enable the Supervisor role if you have a need for it.3. Make any required changes in configuration, such as setting a valid IP address for communication over Ethernet.4. Log out of the Administrator account by choosing None.5. Next, Device or Server authentication can be chosen on the login screen, but the choice is available only in EnerVista.Use Device authentication to log in using the five pre-configured roles (Administrator, Supervisor, Engineer, Operator,Observer). When using a serial connection, only Device authentication is supported. When Server authentication isrequired, characteristics for communication with a RADIUS server must be configured. This is possible only in theEnerVista software. The RADIUS server itself also must be configured. The appendix called RADIUS Server at the end ofthis instruction manual gives an example of how to set up a simple RADIUS server. Once both the RADIUS server andthe parameters for connecting the UR to the server have been configured, you can choose Server authentication onthe login screen of EnerVista.To configure Server authentication:1. In the EnerVista software, choose Device authentication and log in as Administrator.2. Configure the following RADIUS server parameters: IP address, authentication port, shared secret, and vendor ID.3. On the RADIUS server, configure the user accounts. Do not use the five pre-defined roles as user names (Administrator,Supervisor, Engineer, Operator, Observer) in the RADIUS server. If you do, the UR relay automatically provides theauthentication from the device.4. In the EnerVista software, choose Server authentication and log in using the user name and password configured onthe RADIUS server for Server authentication login. FIRMWARE LOCK:EnabledRange: Enabled, Disabled SETTINGS LOCK:EnabledRange: Enabled, Disabled FAILED AUTHENTICATE FAILED AUTHENTICATE:EnabledRange: Enabled, DisabledThe use of CyberSentry for devices communicating through an Ethernet-to-RS485 gateway is notsupported. Because these gateways do not support the secure protocols necessary to communicatewith such devices, the connection cannot be established. Use the device as a non-CyberSentrydevice.Users logged in through the front panel are not timed out and cannot be forcefully logged out by asupervisor. Roles logged in through the front panel that do no allow multiple instances (Administrator,Supervisor, Engineer, Operator) must switch to None (equivalent to a logout) when they are done inorder to log out.For all user roles except Observer, only one instance can be logged in at a time, for both login by frontpanel and software.