Nlight-eclypse User Manual

nLight® ECLYPSE™

User Guide

Acuity Brands | One Lithonia Way Conyers, GA 30012 Phone: 800.535.2465 www.acuitycontrols.com © 2017-2019 Acuity Brands Lighting, Inc. All rights reserved.
Document Revision History

Document Revision History

£ Version 1.0 - September 2017
– Release to Market
£ Version 1.1 – July 2019
– Added SSO, Open ADR, nLight Air PTI
£ Version 1.2 – Dec 2019
– Updated images and screenshots
– Updated the Wireless Configuration section for security updates
Copyright
©, Acuity Brands Inc., 2017-2019. All rights reserved.
While all efforts have been made to verify the accuracy of information in this manual, Acuity Brands is not responsible for
damages or claims arising from the use of this manual. Persons using this manual are assumed to be trained lighting pro-
fessionals and are responsible for using the correct wiring procedures, correct override methods for equipment control and
maintaining safe working conditions in failsafe environments. Acuity Brands reserves the right to change, delete or add to
the information in this manual at any time without notice.
Acuity Brands, Distech Controls, the Acuity Brands logo, and the Distech Controls logo are registered trademarks of Acuity
Brands, Inc. BACnet is a registered trademark of ASHRAE. All other trademarks are property of their respective owners.
nLight ECLYPSE 2
TABLE OF CONTENTS
CHAPTER 1
Introduction........................................................................................................................................................................ 8
Overview................................................................................................................................................................... 8
About the nLight ECLYPSE Controller........................................................................................................... 8
About the IP Protocol Suite............................................................................................................................ 8
About BACnet®.............................................................................................................................................. 8
About This User Guide ............................................................................................................................................. 8
Purpose of the User Guide ............................................................................................................................ 8
Referenced Documentation ........................................................................................................................... 8
nLight ECLYPSE Introduction........................................................................................................................ 9
Network Security............................................................................................................................................ 9
Intended Audience ......................................................................................................................................... 9
Conventions Used in this Document.............................................................................................................. 9
Acronyms and Abbreviations Used in this Document............................................................................................. 10
CHAPTER 2
Internet Protocol Suite Fundamentals ............................................................................................................................. 11
About the Internet Network ..................................................................................................................................... 11
Internet Protocol Suite Overview ............................................................................................................................ 11
CHAPTER 3
IPv4 Communication Fundamentals................................................................................................................................ 12
DHCP Versus Manual Network Settings ................................................................................................................ 12
Dynamic Host Configuration Protocol (DHCP) ............................................................................................ 12
Fixed IP Address or Hostname Management .............................................................................................. 12
Networking Basics .................................................................................................................................................. 13
IP Addressing............................................................................................................................................... 13
About the Subnetwork Mask ........................................................................................................................ 13
CIDR Addressing ......................................................................................................................................... 14
Private IPv4 Address Ranges ...................................................................................................................... 14
Reserved Host Addresses ........................................................................................................................... 14
Default Gateway .......................................................................................................................................... 14
Domain Name System (DNS) ...................................................................................................................... 14
About Routers, Switches, and Hubs ....................................................................................................................... 15
Connecting a Router .................................................................................................................................... 15
Network Address Translation / Firewall ....................................................................................................... 16
IP Network Segmentation ............................................................................................................................ 16
CHAPTER 4
IP Network Protocols and Port Numbers......................................................................................................................... 17
About Port Numbers ............................................................................................................................................... 17
IP Network Port Numbers and Protocols ................................................................................................................ 17
ECLYPSE Services that Require Internet Connectivity .......................................................................................... 18
nLight ECLYPSE
CHAPTER 5
Connecting IP Devices to an IP Network......................................................................................................................... 19
Connecting the IP Network ..................................................................................................................................... 19
Wired Network Cable Requirements............................................................................................................ 19
About the Integrated Ethernet Switch .......................................................................................................... 20
Spanning Tree Protocol (STP)..................................................................................................................... 20
Connecting the Network Cable to the Controller.......................................................................................... 21
Wireless Network Connection................................................................................................................................. 21
About the 2.4 GHz ISM Band....................................................................................................................... 22
Distance Between the Wi-Fi Adapter and Sources of Interference.............................................................. 22
About Wi-Fi Network Channel Numbers ...................................................................................................... 22
Radio Signal Range ..................................................................................................................................... 23
Radio Signal Transmission Obstructions ..................................................................................................... 23
Where to Locate Wireless Adapters ............................................................................................................ 23
Transmission Obstructions and Interference ............................................................................................... 24
ECLYPSE Wi-Fi Adapter Mounting Tips...................................................................................................... 24
Planning a Wireless Network ....................................................................................................................... 25
ECLYPSE Wi-Fi Adapter Connection Modes .............................................................................................. 27
Wi-Fi Client Connection Mode ..................................................................................................................... 27
Wi-Fi Access Point....................................................................................................................................... 28
Wi-Fi Hotspot ............................................................................................................................................... 29
Wireless Bridge............................................................................................................................................ 29
Wireless Network Commissioning Architectures .................................................................................................... 31
Client to Access Point Configuration............................................................................................................ 31
Client to Hotspot Configuration .................................................................................................................... 32
CHAPTER 6
First Time Connection to an ECLYPSE Controller .......................................................................................................... 33
Connecting to the Controller ................................................................................................................................... 33
Controller Identification ................................................................................................................................ 33
Ethernet Network Connection................................................................................................................................. 34
Network Connections for ECLYPSE Controllers.......................................................................................... 34
Wi-Fi Network Connection ...................................................................................................................................... 35
Configuring the Controller....................................................................................................................................... 35
Default Credentials ...................................................................................................................................... 35
Using the Controller's Factory-default Hostname in the Web Browser ........................................................ 35
Using the Controller's IP Address in the Web Browser................................................................................ 36
Connecting to the Controller's Configuration Web Interface................................................................................... 36
Next Steps ................................................................................................................................................... 36
CHAPTER 7
Supported RADIUS Server Architectures........................................................................................................................ 37
Overview................................................................................................................................................................. 37
Authentication Fallback................................................................................................................................ 37
RADIUS Server and Enabling FIPS 140-2 Mode ................................................................................................... 37
RADIUS Server Architectures................................................................................................................................. 38
Local Credential Authentication ................................................................................................................... 38
nLight ECLYPSE
ECLYPSE-Based Centralized Credential Authentication............................................................................. 39
CHAPTER 8
ECLYPSE Web Interface................................................................................................................................................. 40
Overview................................................................................................................................................................. 40
Web Interface Main Menu............................................................................................................................ 40
Home Page .................................................................................................................................................. 41
User Profile and Login Credentials .............................................................................................................. 41
Network Settings..................................................................................................................................................... 42
Ethernet ....................................................................................................................................................... 42
Wireless Configuration................................................................................................................................. 43
Network Diagnostics .................................................................................................................................... 45
BACnet Settings ..................................................................................................................................................... 47
General ........................................................................................................................................................ 47
Routing......................................................................................................................................................... 48
Network IP Ports .......................................................................................................................................... 48
Network MS/TP Ports .................................................................................................................................. 50
Diagnostics .................................................................................................................................................. 51
User Management .................................................................................................................................................. 52
Server/Client User Configuration ................................................................................................................. 52
Password Policy........................................................................................................................................... 56
Radius Server/Client Settings................................................................................................................................. 57
RADIUS Server Settings.............................................................................................................................. 57
RADIUS Client Settings ............................................................................................................................... 58
Single Sign On (SSO) Settings............................................................................................................................... 59
SSO Server Settings.................................................................................................................................... 60
SSO Client Settings ..................................................................................................................................... 60
Setting Up the SSO Functionality ................................................................................................................ 62
Certificate Authentication with SSO ............................................................................................................. 64
System Settings...................................................................................................................................................... 65
Device Information ....................................................................................................................................... 65
Updating the Firmware................................................................................................................................. 66
Export Audit Log .......................................................................................................................................... 66
Location and Time ....................................................................................................................................... 67
Web Server Access ..................................................................................................................................... 68
Licenses....................................................................................................................................................... 72
FIPS 140-2 Mode......................................................................................................................................... 73
GSA IT Security Mode ................................................................................................................................. 74
Backup and Restore .................................................................................................................................... 75
Open ADR Virtual End Node (VEN)............................................................................................................. 79
nLight ECLYPSE BACnet Points ............................................................................................................................ 82
BACnet Object Mapping .............................................................................................................................. 82
nLight Air PTI ............................................................................................................................................... 83
CHAPTER 9
Configuring the ECLYPSE Wi-Fi Adapter Wireless Networks......................................................................................... 84
Setting up a Wi-Fi Client Wireless Network ............................................................................................................ 84
Setting up a Wi-Fi Access Point Wireless Network ................................................................................................ 86
nLight ECLYPSE
Setting up a Wi-Fi Hotspot Wireless Network......................................................................................................... 87
CHAPTER 10
Securing an ECLYPSE Controller ................................................................................................................................... 89
Introduction ............................................................................................................................................................. 89
Passwords .............................................................................................................................................................. 89
Change the Default Platform Credentials .................................................................................................... 89
Use Strong Passwords ................................................................................................................................ 89
Account Management and Permissions ................................................................................................................. 89
FIPS 140-2 Mode......................................................................................................................................... 90
Use a Different Account for Each User ........................................................................................................ 90
Use Unique Service Type Accounts for Each Project.................................................................................. 90
Disable Known Accounts When Possible .................................................................................................... 90
Assign the Minimum Required Permissions ................................................................................................ 90
Use Minimum Possible Number of Admin Users ......................................................................................... 90
HTTPS Certificates ................................................................................................................................................. 90
Certificates ................................................................................................................................................... 90
Additional Measures ............................................................................................................................................... 90
Update the Controller's Firmware to the Latest Release ............................................................................. 90
External Factors...................................................................................................................................................... 91
Install Controllers in a Secure Location ....................................................................................................... 91
Make Sure that Controllers are Behind a VPN ............................................................................................ 91
CHAPTER 11
BACnet MS/TP Communication Data Bus Fundamentals............................................................................................... 92
BACnet MS/TP Data Transmission Essentials ....................................................................................................... 92
BACnet MS/TP Data Bus is Polarity Sensitive............................................................................................. 92
Maximum Number of BACnet MS/TP Devices on a Data Bus Segment and Baud Rate ....................................... 93
Data Bus Segment MAC Address Range for BACnet MS/TP Devices........................................................ 93
Device Loading ............................................................................................................................................ 93
Data Bus Physical Specifications and Cable Requirements................................................................................... 95
Data Bus Topology and EOL Terminations ............................................................................................................ 95
Function of EOL Terminations ..................................................................................................................... 95
When to Use EOL Terminations .................................................................................................................. 96
When to use EOL Terminations with BACnet MS/TP Thermostats ............................................................. 96
About Setting Built-in EOL Terminations ..................................................................................................... 97
Only a Daisy-Chained Data Bus Topology is Acceptable ............................................................................ 97
Data Bus Shield Grounding Requirements............................................................................................................. 98
24V-Powered Controller Data Bus Shield Grounding Requirements........................................................... 98
Using Repeaters to Extend the Data Bus ............................................................................................................... 99
Device Addressing................................................................................................................................................ 101
About the MAC Address ............................................................................................................................ 102
BACnet MS/TP Data Bus Token-Passing Overview.................................................................................. 102
About Tuning the Max Info Frames Parameter.......................................................................................... 103
About Tuning the Max Master Parameter .................................................................................................. 103
Setting the Max Master and Max Info Frames ........................................................................................... 103
Default Device Instance Number Numbering System for nLight ECLYPSE Controllers............................ 104
nLight ECLYPSE
Adopting a Numbering System for MAC Addresses, Device Instance Numbers, and Network Numbers . 104
Setting the Controller’s MAC Address ....................................................................................................... 105
Inter-Building BACnet Connection ............................................................................................................. 105
BACnet/IP Broadcast Management Device Service (BBMD) .................................................................... 106
Power Supply Requirements for 24VAC-Powered Controllers............................................................................. 106
BACnet MS/TP is a Three-Wire Data Bus ................................................................................................. 106
Avoid Ground Lift ....................................................................................................................................... 107
Techniques to Reduce Ground Lift ............................................................................................................ 107
About External Loads................................................................................................................................. 107
Transformer Selection and Determining the Maximum Power Run Length............................................... 108
24VAC Power Supply Connection ............................................................................................................. 108
CHAPTER 12
Modbus TCP Configuration ........................................................................................................................................... 110
Controller Modbus Support................................................................................................................................... 110
Modbus TCP Device Connection.......................................................................................................................... 110
About Device Addressing........................................................................................................................... 110
CHAPTER 13
Modbus RTU Communication Data Bus Fundamentals................................................................................................ 111
Controller Modbus Support................................................................................................................................... 111
Modbus RTU Data Transmission Essentials ........................................................................................................ 111
Modbus RTU Data Bus is Polatiry Sensitive.............................................................................................. 111
Data Bus Physical Specifications and Cable Requirements................................................................................. 112
Data Bus Topology and EOL Terminations .......................................................................................................... 112
When to Use EOL Terminations ................................................................................................................ 112
About Setting Built-in EOL Terminations ................................................................................................... 113
Only a Daisy-Chained Data Bus Topology is Acceptable .......................................................................... 113
Data Bus Shield Grounding Requirements........................................................................................................... 114
Modbus RTU Data Bus Shield Grounding Requirements.......................................................................... 114
CHAPTER 14
Resetting or Rebooting the Controller ........................................................................................................................... 116
Resetting or Rebooting the Controller .................................................................................................................. 116
CHAPTER 15
ECLYPSE Controller Troubleshooting........................................................................................................................... 117
CHAPTER 16
Wi-Fi Network Troubleshooting Guide........................................................................................................................... 119
CHAPTER 17
Single Sign On (SSO) Troubleshooting......................................................................................................................... 120
nLight ECLYPSE
Introduction
CHAPTER 1
Introduction
Overview
This document describes best practices, specifications, wiring rules, and application information to implement robust and
reliable communications networks.
About the nLight ECLYPSE Controller

The nLight ECLYPSE Controller is a modular and scalable platform that is used to control a wide range of HVAC applica-
tions. It uses IP protocol to communicate on wired Ethernet networks and Wi-Fi to communication on wireless networks.
For this document, the nLight ECLYPSE will also be referred to as just ECLYPSE.
This user guide also explains how to connect to the ECLYPSE controller’s configuration interfaces.
About the IP Protocol Suite

Acuity Controls’ nLight ECLYPSE controllers use a widely used IP protocol to communicate with each other and with other
applications for control and supervision. What is commonly referred to as IP is actually a multilayered protocol suite that re-
liably transmits data over the public Internet and privately firewalled-off intranets. As integral part of our interconnected
world, this protocol is used by applications such as the World Wide Web, email, File Transfer Protocol (FTP), datashares,
and so on.
ECLYPSE controllers are able to work across geographic boundaries as a unified entity for control and administration pur-
poses.
About BACnet®
The BACnet® ANSI/ASHRAE™ Standard 135-2008 specifies a number of Local Area Network (LAN) transport types. Acu-
ity Controls’ controllers support both BACnet/IP and BACnet Master-Slave/Token-Passing (MS/TP) communications data
bus (based on the EIA‑485 medium) as a local network for inter-networking of supervisory controllers and field controllers.
About This User Guide
Purpose of the User Guide

This user guide does not provide and does not intend to provide instructions for safe wiring practices. It is the user’s re-
sponsibility to adhere to the safety codes, safe wiring guidelines, and safe working practices to conform to the rules and
regulations in effect in the job site jurisdiction. This user guide does not intend to provide all the information and knowledge
of an experienced HVAC technician or engineer.
This user guide shows you how to integrate ECLYPSE controllers into your IP network environment while enforcing stan-
dard network security practices.
Referenced Documentation
The follow documentation is referenced in this document.
£ Controller Hardware Installation Guides: These documents are available on Acuity Brands website
nLight ECLYPSE 8
Introduction
nLight ECLYPSE Introduction

The nLight ECLYPSE is a modular and scalable platform that is used to control a wide range of HVAC applications. It sup-
ports BACnet/IP communication and is a listed BACnet Building Controller (B-BC).
The nLight ECLYPSE consists of an automation and connectivity server, power supply, and an nLight Interface module.
This programmable controller provides advanced functionality such as customizable control logic, Web-based design and
visualization interface (ENVYSION embedded), logging, alarming, and scheduling.
This user guide also explains how to configure the nLight ECLYPSE controller’s configuration interfaces.
Network Security
Maintaining the highest level of network security, especially when IP devices are connected to the Internet requires spe-
cially-trained personnel who are aware of the necessary techniques to ensure continued protection. This must include the
implementation of a Virtual Private Network (VPN) to connect with IP controllers over the Internet. It is also important to co-
ordinate with Information Technology (IT) department personnel the use of shared network resources.
At the first connection to an nLight ECLYPSE Controller you will be forced to change the password to a strong password
for the admin account to protect access to the controller.
Intended Audience
This user guide is intended for system designers, integrators, electricians, and field technicians who have experience with
control systems, and who want to learn about how to make a successful IP network installation. It is recommended that
anyone installing and configuring the devices specified in this user guide have prior training in the usage of these devices.
Conventions Used in this Document

This is an example of Note text. Wherever the note-paper icon appears, it means the associated text is giving a time-saving tip or
a reference to associated information of interest.
This is an example of Caution or Warning text. Wherever the exclamation icon appears, it means that there may be an important
safety concern or that an action taken may have a drastic effect on the device, equipment, and/or network if it is improperly
carried out.
nLight ECLYPSE 9
Introduction
Acronyms and Abbreviations Used in this Document

Acronym Definition
ASHRAE American Society of Heating, Refrigeration, and Air-Conditioning Engineers
AP Access Point
APDU Application Protocol Data Units
API Application Programming Interface
ASCII American Standard Code for Information Interchange
BACnet® Building Automation and Control Networking Protocol
BAS Building Automation System
B-BC BACnet Building Controller
BBMD BACnet/IP Broadcast Management Device
CIDR Classless Inter-Domain Routing
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
EOL End Of Line
FTP File Transfer Protocol
HTML HyperText Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
HVAC Heating, Ventilating, and Air Conditioning
ID Identifier
IP Internet Protocol
IPv4 Internet Protocol version 4
ISP Internet Service Provider
IT Information Technology
LAN Local Area Network
MAC Media Access Control
MB Megabyte
MHz Megahertz
MS/TP Master-Slave/Token-Passing
NAT Network Address Translation
NTP Network Time Protocol
PC Personal Computer
RADIUS Remote Authentication Dial-In User Service
REST Representational State Transfer
RTU Remote Terminal Unit (for Modbus)
SSID Service Set IDentification
TCP Transmission Control Protocol
UDP User Datagram Protocol
URL Uniform Resource Locator
USB Universal Serial Bus
VPN Virtual Private Network
WAN Wide Area Network
WPA Wi-Fi Protected Access
WWW World Wide Web
nLight ECLYPSE 10
Internet Protocol Suite Fundamentals
CHAPTER 2
Internet Protocol Suite Fundamentals
This chapter describes the Internet protocol operating principles necessary to configure the IP parameters of an IP con-
troller.
About the Internet Network

The Internet is the world-wide interconnection of networks. At its root however, it is not one big network, but a group of net-
works that communicate between each other by using standard protocols and by using gateways between these networks
called routers.
The structure of the Internet is decentralized and non-hierarchical. On the Internet, all communication uses the Internet
Protocol (IP) to communicate and all connected devices are identified by their IP address. An Internet Registry allocates IP
addresses to internet service providers to be used by their users.
Data is sent across the network in packets. Each packet has a header that identifies the sender’s and intended receiver’s
IP addresses.
Internet Protocol Suite Overview

Internet Protocol (IP) is part of a multi-layered suite that together enables data communication. The following descriptions
are an overview of the IP suite protocol layers as used by IP devices:
£ Physical layer (bits): This is the physical and device-to-device electrical connection layer otherwise known as Ethernet.
This layer defines:
– The requirements for the physical connection between devices (the signal medium). For example, RJ-45 connec-
tors (attached per TIA/EIA-568-A,), using Cat 5e data cable. The maximum cable length between devices is 328 ft.
(100 m) at 100 MB/s data rate.
– The electrical signal requirements for data packet transport.
– The data packet structure including data payload and the source and destination device’s MAC addresses.
In the case of Wi-Fi connected devices, the link layer is the air interface defined by the Wi-Fi standard, such as radio fre-
quencies, data rates, authentication, data channel encryption, and so on.
£ Data Link layer: This layer implements the ability for two devices to exchange data with each other.
£ Network layer: This layer implements the ability to connect multiple distinct networks with each other. It provides the in-
ternetworking methods that allow data packets to travel from the source device to a destination device across network
boundaries, such as a router through the use of an IP address. See About Routers, Switches, and Hubs.
£ Transport Layer (segments): This layer provides end-to-end communication data stream connection between two or
more devices through a variety of protocols. However, it is the Transmission Control Protocol (TCP), the most com-
monly used internet transport protocol that is used by nLight ECLYPSE IP controllers to communicate with each other.
TCP creates a connection-oriented channel between two applications; that is to say the data stream is error-checked,
is sorted into the correct sequence (missing data packets are re-transmitted) and this data stream has a port number
for addressing a specific application at the destination host computer.
£ Session layer (data): This layer implements the protocol to open, close, and manage a session between applications
such that a dialog can occur.
£ Presentation layer: This layer implements the display of media such as images and graphics.
£ Applications layer: This layer implements the process-to-process communications protocol that includes among other
services the BACnet/IP protocol, programming, debugging, WWW, and so on.
All of the above IP suite protocol layers must be fully functional for any two devices or controllers to communicate with
each other.
nLight ECLYPSE 11
IPv4 Communication Fundamentals
CHAPTER 3
This chapter describes IPv4 Communication operating principles.
DHCP Versus Manual Network Settings

The following methods can be used to set the network settings:
£ Manually set network settings allow precise control over the network’s configuration. This option may require an in-
depth understanding of arcane networking details – much of which is covered in this guide. See Networking Basics.
£ Use the router’s DHCP setting to automatically connect devices to the network by negotiating the appropriate settings
with the device. This option may not be applicable to all networks; for example, the network administrator does not
want to use DHCP and has supplied information to manually configure the device’s IP interface.
No matter which option is chosen, it will be necessary to coordinate with Information Technology (IT) department person-
nel the use of shared network resources.
Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a router feature that dynamically allocates configuration parameters
to connected devices such as IP, DNS, and default gateway addresses. Enabling DHCP on a router normally eliminates
the need to manually configure network settings on connected devices. The implementation of DHCP on most routers al-
lows a device to be assigned a fixed IP address by associating a specific IP address to a device’s MAC address.
Devices that use ECLYPSE’s internal router with the DHCP option (Hotspot/AP mode) cannot be assigned fixed IP addresses
according to the device’s MAC address.
Figure 1: Typical Router Configuration to Assign a Device’s MAC Address to a Fixed IP Address
If your router supports DHCP and you have access to the router’s configuration interface, this is the most straight-forward
way to configure your network. Ensure that all devices that require a fixed IP address use a manually assigned IP address.
Fixed IP Address or Hostname Management

Why Should ECLYPSE IP controllers use a fixed IP address or use hostname Management? To program or to access an
IP controller, you must be able to connect to it. Like a postal address, a fixed IP address that is always assigned to the
same device allows you to consistently connect to and work with the same device.
An alternative to using a fixed IP address is to use the controller’s Hostname Management which allows a controller to be
identified by a nickname such as Office_205 instead of the controller’s IP address. The hostname can be used in a Web
browser.
nLight ECLYPSE 12
Networking Basics
When manually configuring the TCP/IP interface on an ECLYPSE IP controller (the DHCP option is not used), an IP ad-
dress, subnetwork mask, and a default gateway are required in the Network Settings.
IP Addressing
The most widely used internet addressing scheme is IPv4. It codes an IP address in 32 bits.
An IPv4 address is made up of two parts defined by a subnetwork mask; the network portion (which identifies a specific
network or subnetwork) and the host portion (which identifies a specific device).
About the Subnetwork Mask

Devices on the same sub-network can address IP packets to each other directly without routing. The range of IP ad-
dresses available in a sub-network is defined by the subnetwork mask. This is also called the subnetwork mask’s ‘address
space’. The subnetwork mask is coded in 32 bits as follows.
An IP packet addressed to a device on another network portion will have to be routed through the router’s WAN port as
such an address is not local. BACnet/IP broadcast discovery messages such as “Who-Is” do not pass through network
routers that separate subnetworks. This means that BACnet/IP controllers on different subnetworks will not normally com-
municate with each other.
BBMD allows broadcast message to pass through a router: on each subnet, a single device has BBMD enabled. Each
BBMD device ensures BACnet/IP connectivity between subnets by forwarding broadcast messages found on its subnet-
work to each other, and then onto the local subnetwork as a broadcast message. See BBMD Settings.
Network Class CIDR Subnetwork Mask Block Number of Subnetworks Number of Hosts
Size according to the Network Type according to the Network Type
Class A Class B Class C Class A Class B Class C

/8 255.0.0.0 256 1 16777214
/9 255.128.0.0 128 2 8388606
/10 255.192.0.0 64 4 4194302
/11 255.224.0.0 32 8 2097150
/12 255.240.0.0 16 16 1048574
/13 255.248.0.0 8 32 525286
/14 255.252.0.0 4 64 262142
/15 255.254.0.0 2 128 131070
/16 255.255.0.0 256 256 1 65534 65534
←Class A Network→
/17 255.255.128.0 128 512 2 32766 32766

/18 255.255.192.0 64 1024 4 16382 16382
/19 255.255.224.0 32 2048 8 8190 8190
/20 255.255.240.0 16 4096 16 4094 4094
←Class B Network→
/21 255.255.248.0 8 8192 32 2046 2046

/22 255.255.252.0 4 16384 64 1022 1022
/23 255.255.254.0 2 32768 128 510 510
/24 255.255.255.0 256 65536 256 1 254 254 254
←Class C Network→
/25 255.255.255.128 128 131072 512 2 126 126 126

/26 255.255.255.192 64 262144 1024 4 62 62 62
/27 255.255.255.224 32 524288 2048 8 30 30 30
/28 255.255.255.240 16 1048576 4096 16 14 14 14
/29 255.255.255.248 8 2097152 8192 32 6 6 6
/30 255.255.255.252 4 4194304 16384 64 2 2 2
nLight ECLYPSE 13
CIDR Addressing
Another way to express the subnetwork mask is through CIDR addressing (Classless Inter-Domain Routing) which is writ-
ten as a slash and a number which represents the number of true bits set in the subnetwork mask. For example, the sub-
network mask 255.128.0.0 is 11111111 10000000 00000000 00000000 in binary or /9.
An IP address can be expressed with its CIDR subnetwork mask in the form of 192.168.0.0/24 for example.
Private IPv4 Address Ranges

Each IP address class has a private address range. Private IPv4 addresses cannot be routed over the Internet.
nLight ECLYPSE IP controllers will normally be assigned to a private IP address and are connected to the LAN ports of a
router, thereby keeping them behind a firewall from the internet while allowing them to freely communicate to each other
and to other trusted devices.
The following IPv4 address ranges are reserved for private networks.
Network Class IP Address Range Number of Addresses Largest CIDR Block (subnetwork mask)
A 10.0.0.0 - 10.255.255.255 16,777,216 10.0.0.0/8 (255.0.0.0)
B 172.16.0.0 - 172.31.255.255 1,048,576 172.16.0.0/12 (255.240.0.0)
C 192.168.0.0 - 192.168.255.255 65,536 192.168.0.0/16 (255.255.0.0)
Reserved Host Addresses

The first and the last IP addresses are reserved for special use on all subnetwork IP address ranges:
The first IP Address is the Network ID. Networks with different network IDs are considered to be distinct. By default, no di-
rect communication can take place between two networks that have different Network IDs. This prevents computers on
one network from being accessed by computers on another network. When one department or organization is on one net-
work, it is segregated from computers on other networks.
Last IP Address is the Broadcast Address: this is used for a specific type of network traffic that is destined to every host in
the subnetwork range of IP addresses. For example, the device’s DHCP client uses the broadcast address to find the net-
work’s DHCP server.
For Example, with a typical class C private network:
Subnetwork Mask = 255.255.255.0
Network ID = 192.168.1.0
Gateway = 192.168.1.1
Broadcast Address = 192.168.1.255
Usable IP Addresses = 192.168.1.2 - 192.168.1.254
Default Gateway
Two hosts on the same subnetwork can directly communicate with each other. When a host wants to communicate to an
IP address that is not in the subnetwork address range, the host sends the packet to the default gateway. The default gate-
way is usually the router’s IP address and is usually set in the routers administration interface. For more information about
IP routing, see About Routers, Switches, and Hubs.
Certain ECLYPSE controller services use the default gateway. See ECLYPSE Services that Require Internet Connectivity.
Domain Name System (DNS)

When you want to connect to another computer or service on the Internet (to a Website for example), rarely would you
want to use the IP address to make the connection as it would be a pain to remember the numeric IP address for each and
every site you want to visit. The Domain Name System (DNS) was created to allow internet users to take advantage of a
meaningful Uniform Resource Locator (URL) such as https://www.acuitybrands.com/ to connect to an IP address without
having to know the server’s or computer’s numerical IP address. The DNS does this by looking up the URL and providing
the numeric IP address to the requesting computer. Should the IP address of a computer/server be changed, the DNS
server can be updated with its new IP address, thereby ensuring that other networked computers can still find this com-
puter/server through its URL.
nLight ECLYPSE 14
Set the DNS IP address of the Domain Name System (DNS) servers in routers and in IP controllers that have manually-
configured IP parameters. Between one and three DNS IP address is usually provided by the Internet Service Provider
(ISP). The second and third DNS addresses are for failover should the first DNS become unavailable.
If you do not know the address of your DNS server(s), try the following publicly-available DNS server addresses: primary =
8.8.8.8 and secondary = 4.4.4.4
Some ECLYPSE controller services use DNS to resolve Web addresses thereby allowing the service to operate. See
ECLYPSE Services that Require Internet Connectivity.
About Routers, Switches, and Hubs

The differences between a hub, switch, and router are discussed in the table below.
Device Type Description
Every incoming data packet is repeated on every other port on the device. Due to this, all traffic is made available on all
Hub
ports which increase data packet collisions that affect the entire network, thus limiting its data carrying capacity.
A switch creates a one-to-one virtual circuit that directs IP packets directly to the port that the destination computer is
Switch
connected to.
Like a switch, a router learns the IP addresses of all devices connected to any of its RJ-45 ports to create a routing table. If
a data packet arrives at the router’s port with a destination IP address that is:
– Found in the router’s routing table, the router forwards the data packet to the appropriate
port for the device that has this IP address.
– For a network with a different network ID than the current network ID, the router forwards
Router
the data packet to the uplink port where the next router will again either recognize the net-
work ID and route the data packet locally or again forwards the data packet to the uplink
port. By being exposed to traffic, a router adds to its routing table the pathways necessary
to resolve a data packet's pathway to its final destination, by passing through one or more
routers if necessary.
Connecting a Router
The way a router is connected to other devices changes its function.
Connection to use ROUTER A as a router Connection to NOT use ROUTER A as a router
1 2 3 4 1 2 3 4
ROUTER ROUTER
B B
UPLINK UPLINK
To To To To To To To To
Device Device Device WAN Device Device Device WAN
1 2 3 4 1 2 3 4
ROUTER ROUTER
A A
UPLINK UPLINK
UPLINK
To To To To To To To Function is
Device Device Device Device Device Device Device Not Used
Figure 2: The Way a Router is Connected Changes its Function

On some routers, the uplink port is marked as WAN (Wide Area Network) and the numbered ports are to be connected to
the LAN (Local Area Network) devices.
nLight ECLYPSE 15
Network Address Translation / Firewall

A router’s uplink port provides Network Address Translation (NAT) and firewall functions.
NAT is a method to hide the private IP addresses of a range of devices (connected to LAN ports) behind a single IP ad-
dress presented at the WAN uplink port. NAT uses a mechanism to track requests to WAN IP addresses and readdresses
the outgoing IP packets on exit, so they appear to originate from the router itself. In the reverse communications path, NAT
again readdresses the IP packet’s destination address back to the original source private IP address.
Due to this tracking mechanism, only requests originating from the LAN side can initiate communications. A request from
the WAN to the router cannot be mapped into a private address as there is no outbound mapping for the router to use to
properly readdress it to a private IP address. This is why a NAT acts as a firewall that blocks unsolicited access to the
router’s LAN side.
Most routers allow you to open a port in the firewall so that WAN traffic received at a specific port number is always for-
warded to a specific LAN IP address. The standard port numbers used by ECLYPSE controllers is explained in chapter IP
Network Protocols and Port Numbers.
IP Network Segmentation
For efficient network planning, normally the IP controllers will be assigned to their own network segment of an IP network
or subnetwork. This is done as shown in the figure below.
To ISP Network
ISP Modem (Fiber, Cable, DSL)

LAN
Network
Gateway Router
1 2 3 4
Company
Computer
Network
UPLINK
To To To
Device Device Device
1 2 3 4
Router for
HVAC IP
Controllers
UPLINK
To IP To IP To IP To IP
Controller Controller Controller Controller
Figure 3: Network Segment for HVAC IP Controllers

For certain wireless topologies, a wireless router can be used to connect to the controller. In this scenario, a wireless oper-
ator interface (laptop or tablet) can be used for commissioning as shown in the figure below.
Figure 4: Network Segment for HVAC IP Controllers with a Wireless Access Point
If a wireless router is unavailable or is out-of-range, an ECLYPSE Wi-Fi adapter can be connected to an ECLYPSE con-
troller’s USB port to add wireless connectivity. See Wireless Network Connection.
nLight ECLYPSE 16
IP Network Protocols and Port Numbers
CHAPTER 4
This chapter describes the IP Network Protocols and Port Numbers used by the ECLYPSE controller.
About Port Numbers

In an IP packet, a port number is an extension of the packet’s IP address and completes the destination address for a
communications session. By convention, the packet’s port number is associated with a protocol used between software
applications and is used to uniquely identify a communications endpoint for a specific application or process running on a
computer. This allows a multitude of applications to share a single physical connection to the Internet while allowing dis-
tinct communication channels between different applications.
For example, your web browser listens to port 80 on your computer to receive HTML web pages sent from a web server on
port 80.
The standard port numbers used by controllers is explained in IP Network Port Numbers and Protocols.
Sometimes, two applications might use the same port number to communicate. To sort out this conflict, the following meth-
ods can be used.
£ In the configuration of some applications, the port number can be changed from its default setting. Should you change
it, you must also change it on the corresponding application also so that the port numbers will match.
£ Routers have features such as port forwarding that can change an incoming packet’s port number coming from the
Wide Area Network (WAN) to another port number on the Local Area Network or vice versa.
IP Network Port Numbers and Protocols

This section lists the IP Network Protocols to communicate over IPv4 networks. The corresponding default in-bound port
number is also shown.
Service Default Port Description Where can this port
Number (Protocol) number be changed?
SMTP 25 (TCP) Outgoing Email server port number
DNS 53 (TCP, UDP) Domain Name Server URL lookup –
The router’s DHCP service that allows a device to auto-configure a
DHCP 67 (UDP) –
devices’ IP settings.
ENVYSION: The ENVYSION server presents system status,
trending visualization, real-time equipment visualization, schedule
configuration, alarm monitoring, and dashboard functions to a Web
HTTP 80 (TCP) browser operator interface. See System Settings.
Web Configuration Interface: This is the network configuration
interface for wired and wireless IP network interfaces.
Secure ENVYSION: The ENVYSION server presents system
status, trending visualization, real-time equipment visualization,
schedule configuration, alarm monitoring, and dashboard functions
HTTPS 443 (TCP) to a Web browser operator interface. See System Settings.
Secure Web Configuration Interface: This is the network
configuration interface for wired and wireless IP network interfaces.
Authentication Port: This is the port on which authentication
Radius Server 1812 (UDP)
requests are made.
nLight ECLYPSE 17
Service Default Port Description Where can this port

Number (Protocol) number be changed?
Accounting Port: This is the port on which accounting requests are
Radius Server 1813 (UDP) made. This is only used to receive accounting requests from other
RADIUS servers.
Proxy Port: This is an internal port used to proxy requests between
Radius Server 1814 (UDP) See User Management.
a local server and a remote server.
BACnet/IP 47808 (UDP) The BACnet over IP protocol. See BACnet Settings.
Secure MQ Telemetry Transport. This is an internal port that
MQTT 8883 (TCP)
facilitates communication with the nLight Gateway.
This is an internal port used to access a device through the
zeroconf 5353 (UDP)
hostname.
Unknown 5551 (TCP) System configuration (inbound/outbound)
Echo 7 (UDP) Device identification on local subnet
Rplay 5555 (UDP) Device identification on local subnet
Freeciv 5556 (UDP) nLight Protocol over IP
Unknown 33312 (UDP)
Unknown 39631 (UDP)
ECLYPSE Services that Require Internet Connectivity

In order to operate, the following out-bound services require:
£ A working DNS. See Domain Name System (DNS).
£ The default gateway / router to be configured. See Default Gateway.
£ Internet connectivity.
The corresponding default out-bound port number is also shown.
Service Default Port Number (Protocol) Description
SMTP 25 (TCP) Outgoing Email server port number
Network Time Protocol (NTP) 123 (UDP) Used to set the controller’s real-time clock
Used to provide URL name resolution. The controller by default
DNS server 53 (UDP, TCP) uses an internet DNS. If the local network has a DNS, set its IP
address in Network Settings.
nLight ECLYPSE 18
Connecting IP Devices to an IP Network
CHAPTER 5
An IP network requires infrastructure such as Ethernet cable, routers, switches, or Wi-Fi hotspots in order to work. The fol-
lowing topics discuss the fundamentals of such a network.
Connecting the IP Network

There are two methods to connect a device to an IP Network:
£ Wired (Ethernet connection with the PRI and SEC ports).
£ Wireless (when the Wi-Fi Adapter is connected to the controller).
Wired Network Cable Requirements

Wired networks use commonly available Cat 5e structural cabling fitted with RJ‑45 connectors. If you make your own patch
cable, use Category 5e cable and crimp the RJ‑45 connectors at both ends of the cable either as T568A or T568B.
Parameter Details
Media Cat 5e Cable; four (4) pairs of wires with RJ-45 Connectors (standard straight patch cable)
Straight-through wiring. Crimp connectors as per T568A or T568B (both cable ends must be crimped the same
RJ-45 Pin Configuration
way).
Characteristic impedance 100-130 Ohms
Distributed capacitance Less than 100 pF per meter (30 pF per foot)
Maximum Cat 5e Cable length
328 ft. (100 m) maximum. See About the Integrated Ethernet Switch.
between IP devices
Polarity Polarity sensitive
Daisy-chain (no T-connections)
Multi-drop ECLYPSE IP devices have two RJ-45 female RJ-45 connectors that provide IP packet switching to support follow-
on devices.
Daisy-chain limit, ECLYPSE
Up to 20 devices can be daisy-chained per network switch port.
Controllers
Daisy-chain limit, VAV Controllers Up to 50 devices can be daisy-chained per network switch port.
EOL terminations Not applicable
Shield grounding Not applicable
Table 1: Wired Network Cable Physical Specifications and Requirements
Bus and Cable Types Non-Plenum Applications Plenum Applications (FT6)

(Use in Conduit - FT4)
O.D. (Ø)1 O.D. (Ø)1

300 m (1000 feet), Cat 5e Yellow Jacket
4.6mm (0.18in.) 4.6mm (0.18in.)
Cable - Without Connectors
100 Crimp RJ 45 Connectors N/A N/A
Table 2: Recommended Cable Types to use for the Cat 5e Cable Subnetwork Bus
1. Outer cable diameter – This does not take into account the RJ-45 connector.
nLight ECLYPSE 19
About the Integrated Ethernet Switch

The 2-port wired interface uses a switch to forward packets addressed to downstream IP devices connected to it. This al-
lows controllers to be daisy-chained together to extend the IP network’s physical range and to reduce the amount of net-
work cable required as each controller no longer has to make a home run to the network switch.
Figure 5: Wired Network Connection - Daisy-Chained
Spanning Tree Protocol (STP)

Switches and routers that support Spanning Tree Protocol (are IEEE 802.1D certified) are able to detect and eliminate a
loop from being formed on the network by disabling any port on the router that is causing a loop. Such switches can be
used to enhance network availability by allowing you to create a ring network of controllers that is resistant to a single point
network failure (a cut wire for example).
In this scenario, non-PoE controllers are connected in a loop (or ring) such that the last controller is connected back to the
switch / router. Under normal operation, the switch / router disables one of the ports to prevent a packet storm. This is
shown below.
To Other IP Devices
Wired Router / Switch

The Router / Switch’s Spanning Tree
X Protocol has Blocked this Port
Figure 6: Wired Network Connection: Spanning Tree Protocol – Normal Operation
nLight ECLYPSE 20
When a network wire is cut, the ring is split into two – the switch / router automatically enables the port to maintain service.
This is shown below.
To Other IP Devices
Wired Router / Switch
The Port is Automatically Enabled
Cut Network Wire
Figure 7: Wired Network Connection: Spanning Tree Protocol – Failover Operation

The switch / router can be configured to send an email message when port blocking is disabled thus signaling that a net-
work wire has been cut.
Connecting the Network Cable to the Controller

To connect controllers to an Ethernet network and then discover them, see chapter First Time Connection to an ECLYPSE
Controller.
Wireless Network Connection

The ECLYPSE Wi-Fi adapter connects to an ECLYPSE controller’s USB port.
Figure 8: Wi-Fi Adapter

It adds wireless IP connectivity to controllers and it can be used in many wireless topologies and applications.
To wirelessly connect to a controller for the first time, see First Time Connection to an ECLYPSE Controller.
To configure a Wi-Fi adapter, see Network Settings. See also chapter Configuring the ECLYPSE Wi-Fi Adapter Wireless Net-
works.
Recommendations are provided regarding the radio signal obstructions and factors that should be avoided to obtain the
best Wi-Fi radio signal transmission and reception. Walls attenuate radio wave propagation by an amount that varies with
the construction materials used. See Radio Signal Transmission Obstructions for more information on wall materials that can
reduce range transmission.
nLight ECLYPSE 21
About the 2.4 GHz ISM Band

The 2.4 GHz ISM (Industrial, Scientific and Medical) band has been allocated worldwide for the use of radio frequency en-
ergy by industrial, scientific, and medical purposes as part of the device’s method of internal operation and as such may
have powerful emissions that cause interference to radio communications.
For example, microwave ovens operate in the 2.4 GHz ISM band with about 1000W emitted power and a fraction of a per-
cent of that energy does leak from the oven. While this is not a health risk, Wi-Fi networks operate at even lower power
levels to communicate and can be overwhelmed by this source of interference.
When setting up a 2.4 GHz band Wi-Fi network, you must take into consideration any equipment that operates in the 2.4
GHz ISM band such as medical and laboratory equipment. Other sources of interference are other telecommunications
equipment such as cell phones, GSM/DECT, cordless phones, RFID reader, Bluetooth devices, walkie-talkies, baby moni-
tors, and so on. Note that equipment that transmits in other frequency bands do emit spurious emissions at low levels over
a wide spectrum so that a radio transmitter that is in close proximity to the ECLYPSE Wi-Fi adapter can cause interfer-
ence, even if its operating frequency is 1.9 GHz for example.
Transmitted Center
power Frequency
Power (Log)
Occupied
Bandwidth
Spurious
Emission
Amplitude
Frequency
Desired Signal Spurious Emissions
Figure 9: Typical Radio Transmitter Spurious Emissions
Distance Between the Wi-Fi Adapter and Sources of Interference

Unrelated transmitters should be more than 6.5 feet (2 m) away from the Wi-Fi Adapter to avoid possible interference.
About Wi-Fi Network Channel Numbers

Wi-Fi communications use a slice of radio spectrum or channel width for data transmission. In general terms, the amount
of channel width required is proportional to the data transmission rate. Wi-Fi networks operate in a number of different fre-
quency ranges or bands such as the 2.4 GHz band. Each band is divided into a number of industry-standard channels that
represent a center frequency for data transmission. In practice, the center frequency is the mid-point between the upper
and lower cutoff frequencies of the channel width.
When the channel width is larger than the channel spacing (the space between channels), overlap between the channels
can occur, resulting in inter-channel interference that lowers overall network throughput. This is shown in the diagram be-
low. For example, in the 2.4 GHz band using 802.11g, the channel width is 20 MHz while the channel spacing is 5 MHz. If
one Wi-Fi network is using channel 1 that is in close proximity to another Wi-Fi network that is using channel 2, there will
be significant inter-channel overlap and interference. Data throughput is reduced as a result.
nLight ECLYPSE 22
1 2 3 4 5 6 7 8 9 10 11 12 13 14 Channel
2.412 2.417 2.422 2.427 2.432 2.437 2.442 2.447 2.452 2.457 2.462 2.467 2.472 2.484 Center Frequency
(GHz)
22 MHz
Figure 10: 2.4 GHz Band 802.11g Radio Spectrum Showing Inter-Channel Overlap
For a 20 MHz channel width in the 2.4 GHz band using 802.11g, the best channels to use to avoid inter-channel overlap
are channels 1, 6, and 11. For a 40 MHz channel width in the 2.4 GHz band using 802.11g, the best channels to use to
avoid inter-channel overlap are channels 3 and 11.
For a 20 MHz channel width in the 2.4 GHz band using 802.11n, the best channels to use to avoid inter-channel overlap
are channels 1, 6, and 11. For a 40 MHz channel width in the 2.4 GHz band using 802.11g, the best channel to use to
avoid inter-channel overlap is channel 3.
For industrial / commercial environments, it is recommended to avoid using a 40 MHz channel width in the 2.4 GHz band
as it occupies a large part of the available radio spectrum. This means that it will be difficult to co-exist with other networks
while avoiding interference, especially from devices that use mixed mode 802.11 b/g which significantly degrades 802.11n
performance. One solution is to disable the 802.11 b/g mode on all hotspots to force all wireless clients to 802.11n mode,
thereby forbidding the use of legacy devices.
Radio Signal Range

Range is dependent upon many environmental variables that are present in buildings. In normal conditions, a radio signal
is transmitted at a maximum range between Wi-Fi Adapters of 50 feet (15 m) at 2.4 GHz (IEEE 802.11b/g/n).
In certain cases where there are obstructions, the range could be less.
Because radio signals and transmission range can vary according to building and office setup, you can troubleshoot Wi-Fi
network performance issues by running a Wi-Fi surveying or Wi-Fi stumbling tool on a laptop computer. This software
shows the currently operating Wi-Fi networks operating within range, their signal strength, and their channel number so as
to make the best configuration choices.
Radio Signal Transmission Obstructions

Radio signals are electromagnetic waves; hence the further they travel, the weaker the signal becomes thereby limiting ef-
fective range of operation. Coverage is further decreased by specific materials found in the direction of the transmission.
For example, while radio waves can penetrate a wall, they are dampened more than if the waves were on a direct line-of-
sight (LoS) path.
The following table shows the different types of building materials and range reduction:
Wall Material Range Reduction vs. LoS

Wood, drywall, glass (uncoated, without metal) 0 – 10%
Brick, particle board 5 – 35%
Metal, steel-reinforced concrete, mirrors.
10 – 90%
See Where to Locate Wireless Adapters
Where to Locate Wireless Adapters

When installing the wireless adapter, it is important to ensure that distances and obstructions do not impede transmission.
Metallic parts, such as steel reinforcement in walls, machinery, office furniture, etc. are major sources of field strength
dampening. Furthermore, supply areas and elevator shafts should be considered as complete transmission screens, see
following figure.
nLight ECLYPSE 23
Sheet
Metal
Figure 11: Screening of Radio Waves
Transmission Obstructions and Interference

One way to get around an obstruction, such as a duct, is to place the wireless adapter on the side of the obstruction that is
nearer to the coordinating wireless device, even if the controller is on the opposite side of the obstruction. But always keep
in mind that the wireless adapter performs best when it is away from metal objects or surfaces (more than 1" (2.5 cm)).
For more examples on how to position the wireless adapter, see ECLYPSE Wi-Fi Adapter Mounting Tips.
In addition to obstructions, the angle with which the transmission travels through the obstruction has a major influence on
the field strength. The steeper the angle through an obstruction, the radio wave has to travel through more material result-
ing in the field strength reduction (See figure below). Therefore, it is preferable that the transmission be arranged so that it
travels straight and perpendicularly through the obstruction.
High Angle of
Incidence
Figure 12: Angle of Radio Waves
A solution to avoid an obstruction is to add another wireless router located closer to the controller(s).
ECLYPSE Wi-Fi Adapter Mounting Tips

This section provides information and examples on how to properly position the Wi-Fi Adapter to ensure reliable wireless
communication. The most common guidelines to remember when installing the Wi-Fi Adapter is to keep it at least 1” (2.5
cm) away from metal, and never install the Wi-Fi Adapter inside a metal enclosure (relay panels, junction box, etc.).
Typical Metal Relay Panel/Utility Box Installation
The following image shows where to install an Wi-Fi Adapter on a metal relay panel or utility box with a controller inside the
panel/box. To maximize wireless range, the Wi-Fi Adapter must be installed on the top or side of the panel.
nLight ECLYPSE 24
Wireless Adapter
installed on top or
side of panel
Wireless Adapter
NOT to be installed
inside the panel
Figure 13: Wi-Fi Adapter Position with Metal Relay Panel/Utility Box
Planning a Wireless Network

A wireless network can be installed in many different types of floor spaces, large or small: office space, commercial space,
residential space, etc. The following provides an example on how to start planning a wireless network such as a large of-
fice space. This type of planning can also be used with smaller areas.
1. Retrieve a copy of your floor plans and a compass.
Figure 14: Copy of floor plan and a compass
2. Mark relevant radio shadings into floor plan such as: fire protection walls, lavatories, staircases, elevator shafts and
supply areas.
nLight ECLYPSE 25
Figure 15: Mark relevant radio shadings
3. Draw circles to locate the ideal positions for your Wi-Fi Adapter as shown below:
Up
Staircase
well
Radio Shading
Down
Wi-Fi Hotspot
Elevator Wi-Fi Hotspot Channel 6
Shaft
Channel 1
Down
Up
Elevator
Staircase Shaft
well Radio Shading
Up
Staircase
well
Radio Shading
Down
Wi-Fi Hotspot
Channel 11
Figure 16: Radio Wi-Fi Adapter Location
Make sure that the Wi-Fi Adapter is positioned in a way such that no screens block the connection to any corner inside the fire safety
section (potential sensor positions).
For reliable range planning, the unfavorable conditions should be detected at the beginning but often come from later changes to the
environment (room filled with people, alteration of partition walls, furniture, room plants, etc.).
Even after careful planning, range and signal tests should be done during installation to verify proper reception at the Wi-Fi Adapter
positions. Unfavorable conditions can be improved by changing the antenna position or by adding a router closer to the controller(s).
nLight ECLYPSE 26
ECLYPSE Wi-Fi Adapter Connection Modes

The Wi-Fi adapter supports a number of connection modes shown in the table below:
Connection Mode Description Max Number of Wireless
Clients or Nodes
This sets the mode of the Wi-Fi adapter to connect the controller as a client of a Wi-Fi
Client access point. This interface can auto-configure its IP parameters when the connected 16
network that has a DHCP server.
This sets the mode of the Wi-Fi adapter to be a Wi-Fi access point. This access point
operates off of the same subnetwork and has the same IP connectivity that the
Access Point controller has with its wired network connection. For example, if the controller’s wired 16
connection is to a network that has an active DHCP server, access point clients can
also use this DHCP server to automatically configure their IP connection parameters.
This sets the mode of the Wi-Fi adapter to be a Wi-Fi hotspot with a router. This puts
the hotspot into a separate subnetwork with a DHCP server to provide IP addresses to
Hotspot (default) 16
any connected device. Wide area network (WAN) connectivity is through the wired
connection.
Typical application examples are shown below.
Wi-Fi Client Connection Mode

Cut installation costs by leveraging existing wireless infrastructure and by eliminating the need for Ethernet cables. This ar-
chitecture is characterized by the point-to-point connection between an access point and a client-controller.
Leverage Existing Wireless Infrastructure:

Use Wi-Fi to Eliminate Ethernet Cables
Wireless Router
Interconnection Through Wi-Fi
Internet
Router
Eliminate Ethernet Cables

Figure 17: Leveraging Existing Wireless Infrastructure by Eliminating Ethernet Cables
To configure the Wi-Fi client connection mode, see Setting up a Wi-Fi Client Wireless Network.
nLight ECLYPSE 27
Wi-Fi Access Point

Should there be no available access point; an ECLYPSE controller can be configured as a wired-to-wireless bridge to cre-
ate an access point which can provide Wi-Fi access to other Wi-Fi enabled clients. This access point operates off of the
same subnetwork and has the same IP connectivity that the controller has with its wired network connection. The Wi-Fi
adapter can also be temporarily added to a controller for wireless commissioning purposes. A variety of software applica-
tions are available for system monitoring and override, commissioning, configuration and programming. To configure the
Wi-Fi access point connection mode, see Setting up a Wi-Fi Access Point Wireless Network.
Wi - Fi Access Point:
Use the Controller to Provide Wi - Fi Access to other Wireless Devices
Wireless Access Point

Internet
SiteView Energy
Router
DHCP Server
Web Browser
Wired- to - Wireless
Bridge
Sensor View
Figure 18: Using an ECLYPSE Controller to Create an Access Point

A second ECLYPSE controller can be configured as a wireless client. This can be used as a solution to ‘jump’ architectural
features that are not compatible with wires such as glass atrium and the like. To configure the Wi-Fi client connection
mode, see Setting up a Wi-Fi Access Point Wireless Network.
An access point can provide Wi-Fi access to other Wi-Fi enabled clients and controllers.
Controller-to- Controller Interconnection

:
Use Wi - Fi to Wirelessly Connect other Controllers
Wireless Access Point

Internet
Controller Interconnection
Through Wi - Fi
Router
Wired - to-
Wireless Bridge
Eliminate Ethernet Cables

Figure 19: Using an ECLYPSE Controller as a Wireless Bridge
nLight ECLYPSE 28
Wi-Fi Hotspot
Should the wired network not use a DHCP server (uses fixed IP addresses); an ECLYPSE controller can be configured to
create a hotspot with a router that creates its own subnet and DHCP server which can provide Wi-Fi access to other Wi-Fi
enabled clients. This is the default connection method when a Wi-Fi adapter is connected to an ECLYPSE controller. The
Wi-Fi adapter can also be temporarily added to an ECLYPSE controller for wireless commissioning purposes. A variety of
software applications are available for system monitoring and override, commissioning, configuration and programming. To
configure the Wi-Fi hotspot connection mode, see Setting up a Wi-Fi Hotspot Wireless Network.
A hotspot creates a subnetwork. As a result, any connected BACnet device will not be able to discover BACnet devices on any other
LAN subnetwork.
Wi - Fi Hotspot
:
Use the Controller to Provide Wi - Fi Access to the Controllers Configuration Interface
Wireless Hotspot
Internet
SiteView Energy
Router
Web Browser
Wireless Router
and DHCP Server
Sensor View
Figure 20: Using an ECLYPSE Controller to Create a Hotspot
Wireless Bridge
A second controller can be configured as a wired-to-wireless bridge to allow the connection of wired IP devices to the
bridged controller’s Ethernet ports. This can be used as a solution to ‘jump’ architectural features that are not compatible
with wires such as glass atrium and the like.
The access point / hotspot can provide Wi-Fi access to other Wi-Fi enabled clients.
nLight ECLYPSE 29
Wireless Bridge
Use Wi-Fi to Jump Open spaces
Internet
Wi-Fi Adapter in Wi-Fi Adapter in

Router Access Point Mode Client Mode
Wireless to
Wired IP Wired Bridge
Maximum Number of Wireless Clients or Nodes for an Access Point

A wireless access point can service a maximum of 16 clients or nodes in total. The following examples show what this limit
can be composed of:
Wi-Fi Adapter in Wi-Fi Adapter in
Access Point Mode Client Mode
Wireless to
Wired IP Wired Bridge Wired IP – Up to 15 Controllers
£ One wireless bridged controller is connected to as many as 15 daisy-chained wired devices.

Wi-Fi Adapter in Wi-Fi Adapter in Wi-Fi Adapter in Wi-Fi Adapter in
Access Point Mode Client Mode Access Point Mode Client Mode
Wireless to Wireless to Wired IP – Up to 13

Wired IP Wired Bridge Wired Bridge Controllers
£ One wireless bridged controller is connected to one wired controller that is wirelessly connected to one wireless bridge
that is then connected 13 daisy chained wired devices.
If the access point is a Wi-Fi router:
1. The number of devices is limited by the total number of clients the router is able to support.
2. It can support many controllers acting as wireless to wired bridges.
nLight ECLYPSE 30
3. Each wireless to wired bridge controller can support up to 15 controllers.
Wireless Network Commissioning Architectures
Client to Access Point Configuration

A laptop is connected through Wi-Fi, as a Wi-Fi client, to any ECLYPSE Connected VAV controller that has its wireless
settings configured as an Access Point. The other ECLYPSE Connected VAV controllers are configured as Wi-Fi Clients
and are wirelessly connected to the same Access Point.
With this configuration, the laptop and all the controllers are on the same subnet, so either laptop user has access to all
networked controllers.
Subnet 1
Wi-Fi
Wired IP Client
Daisy Chain
Wi-Fi
Wi-Fi Client
Access Point
Wi-Fi
Client
Wi-Fi
Client
Wi-Fi
Client
Wi - Fi Client
Wi-Fi
Client
Wi-Fi
Access Point
Wi-Fi
Client
Wi-Fi
Client
Figure 24: Client to Access Point Configuration
nLight ECLYPSE 31
Client to Hotspot Configuration

Laptop 1 is connected as a Wi-Fi client to an ECLYPSE Controller that has its wireless settings configured as a Hotspot
(Subnetwork 2). The ECLYPSE Connected VAV controllers that are part of the wired network are configured, on their wire-
less side as a Wi-Fi Access Point (Subnetwork 1).
The remaining ECLYPSE Connected VAV controllers are configured as a Wi-Fi Client and are wirelessly connected to a
VAV controller’s Access Point.
With this configuration, laptop 1 is on the same subnet as the ECLYPSE Connected System Controller (Subnetwork 2 cre-
ated by the Hotspot), but all the Connected VAV Controllers are on a different Subnet (Subnetwork 1), so the laptop 1 user
only has access to the Connected System Controller on its same subnet. This is because BACnet/IP broadcast discovery
messages such as “Who-Is” do not pass through network routers that separate subnetworks. In the example shown below,
the Connected System Controller acts as a router between the Wi-Fi hotspot clients and the wired network. This means
that BACnet/IP controllers on different subnetworks will not normally communicate with each other. The laptop 2 user has
access to both the Connected VAV controllers and the Connected System Controller. A solution is to use BBMD on both
Laptop 1 (using EC-Net for example) and on the Connected System Controller. See BACnet/IP Broadcast Management
Device Service (BBMD).
Subnetwork 2
Laptop 1 Wi- Fi Wi-Fi
Client Hotspot
Subnetwork 1
ECLYPSE Controller
Wi-Fi
Client
Wired IP Wi-Fi
Daisy Chain Client
Wi-Fi
Access Point
VAV
Wi -Fi
Client
Wi -Fi
Client
Wi -Fi
Client Laptop2
Wi-Fi
Client
Wi-Fi
Access Point
Wi-Fi
Client
Wi-Fi
Client
Figure 25: Client to Hotspot Configuration
nLight ECLYPSE 32
First Time Connection to an ECLYPSE Controller
CHAPTER 6
This chapter describes how to get started with an ECLYPSE controller. This includes connecting to the factory-default IP
address to gain access to the controller’s configuration interfaces.
Connecting to the Controller

When connecting to the controller for the first time, the goal is to gain access to the controller so that you can configure it
to work in its future network environment. To do so, you must connect the controller to form a network.
The ECLYPSE Controller configuration can be made through the controller’s configuration Web interface that is accessed
either through a direct ethernet connection to a PC, or via Wi-Fi connection. This Web interface is used to set all the con-
troller’s configuration parameters including the controller’s IP address according to your network planning. See ECLYPSE
Web Interface.
There are two networking methods to connect to a controller:
£ Wired (Ethernet connection) with a PC.
£ Wireless (when the Wi-Fi Adapter is connected to the controller) with a PC. See Wi-Fi Network Connection.
Once you have connected the controller(s) to a network, configure the controller. See Configuring the Controller.
Controller Identification
Controllers are uniquely identified on the network by their MAC address. This identifier is printed on a label located on the
side of the controller and another is on the controller’s box. Get a printed copy of the building’s floor plan. During controller
installation, peel the MAC address sticker off of the controller’s box and put it on the floor plan where the controller has
been installed.
This MAC address is used as part of the controller’s factory-default Wi-Fi access point name and its hostname.
Label
Bar Code
ID: MAC Address
Model: NECY-S1000
For example, for a MAC Address of : 76:a5:04:cd:4a:d1

The factory-default name for the Wi-Fi access point is nLight ECLYPSE- CD4AD1
The factory-default hostname is nLight eclypse-cd4ad1.local
Figure 26: Finding the Controller's MAC Address
nLight ECLYPSE 33
Ethernet Network Connection

Depending on the controller model, the way the controller is connected to the network will change according to whether the
controller is a Power over Ethernet (PoE) model or not.
£ For non-PoE controller models, see Network Connections for ECLYPSE Controllers.
See also Connecting IP Devices to an IP Network for network wiring considerations.
Network Connections for ECLYPSE Controllers

Connect the controller to the network as follows:
1. Connect your PC’s network card to the controller’s PRI Ethernet port using a Category 5e Ethernet cable.
If you are commissioning more than one controller, connect the controllers and PC to a network switch. Two or more con-
trollers can be connected to the network by daisy-chaining them together by using Cat 5e network Cables to connect the
Ethernet Switch Sec(ondary) connector of one controller to the Ethernet Switch Pri(mary) connector of the next controller.
Cat 5e
Network
RJ-45 Cable
Connector
To Next
To Router / Device
Next Device
Figure 27: nLight ECLYPSE Wired Network Connection: Cat 5e Cables with RJ-45 Connectors are used
2. Connect power to the controller(s). See the controller’s Hardware Installation Guide for how to do so.
nLight ECLYPSE 34
Wi-Fi Network Connection

Once the ECLYPSE Wi-Fi Adapter has been connected to a powered controller, a Wi-Fi hotspot becomes available that al-
lows you to connect to the controller’s configuration Web interface with your PC.
On your PC’s wireless networks, look for an access point named ECLYPSE-XXYYZZ where XXYYZZ are the last 6 hexa-
decimal characters of the controller’s MAC address.
To find the controller’s MAC address, see Controller Identification. The default password for the wireless network is:
eclypse1234.
Either of the controller’s two USB HOST ports can be used to connect the wireless adapter.
To Wireless
Adapter
Cable Assembly
USB Plug
Connected System Controller
Figure 28: Connecting the Wireless Adapter to the Controller’s USB HOST Port
Configuring the Controller

Any of the following methods can be used to connect to the controller’s interface in order to configure it:
£ Using the controller’s factory-default Hostname in the Web browser
£ Using the controller’s IP address in the Web browser
Default Credentials
If this is a first-time connection to an ECLYPSE controller, or if the controller has been reset to factory default settings, you
must use the default username and password.
– Default username:admin
– Default password: admin
Using the Controller's Factory-default Hostname in the Web Browser

Controllers have a factory-default hostname that you can use instead of an IP address to connect to it. The hostname can
be used in a Web browser’s address bar. The Bonjour service must be installed on your PC to allow your PC to discover
controllers by their hostname.
If your PC is unable to resolve the controller’s hostname, you must connect your PC to the controller through Ethernet or
Wi-Fi so that your PC only sees the controller network. For example, in this case, your PC must be disconnected from all
other networks such as a corporate network or the Internet. If necessary, temporarily disconnect your PC’s network cable
from its Ethernet port.
The controller’s factory-default hostname is eclypse-xxxxxx.local where xxxxxx is the last 6 characters of the MAC address
printed on a sticker located on the side of the controller. See Controller Identification.
For example, the sticker on the side of a controller shows that its MAC address is 76:a5:04:cd:4a:d1. Connect to the con-
troller’s Web interface as follows:
nLight ECLYPSE 35
1. Open your Web browser.

2. In the Web browser’s address bar, type https://nLight ECLYPSE-cd4ad1.local and click Go.
3. Log in to the controller. Then set the controller’s configuration parameters in the controller’s configuration Web inter-
face. See Connecting to the Controller's Configuration Web Interface.
The Hostname can be changed in the System Settings.
Using the Controller's IP Address in the Web Browser

Connect to a controller through its IP address as follows:
For a Wi-Fi network connection
2. In the Web browser’s address bar, type https://192.168.0.1 (the controller’s factory-default wireless hotspot IP ad-
dress) and click go.
Not all smart phones/mobile devices have the Bonjour service installed and thus cannot use the hostname mechanism.
For an Ethernet network connection

You must know the controller’s current IP address (from the DHCP server for example).
5. In the Web browser’s address bar enter the controller’s IP address and click go.
Connecting to the Controller's Configuration Web Interface

The ECLYPSE Controller configuration can be made through the controller’s configuration Web interface to set all the con-
troller’s configuration parameters including the controller’s IP address according to your network planning.
At the first connection to an ECLYPSE Controller you will be forced to change the password to a strong password for the
admin account to protect access to the controller.
It is important to create new user accounts with strong passwords to protect the controller from unauthorized access. See
User Management, Securing an ECLYPSE Controller, Supported RADIUS Server Architectures.
Next Steps
In Network Settings, configure the controller’s network parameters so that they are compatible with your network. See
ECLYPSE Web Interface.
nLight ECLYPSE 36
Supported RADIUS Server Architectures
CHAPTER 7
A RADIUS server is used to centralize user credentials (controller login username / password) across all devices. This
chapter describes the supported RADIUS server architectures and how to configure a RADIUS server in an ECLYPSE
controller.
Overview
When network connectivity allows, a user can connect directly to an ECLYPSE controller. No matter the connection
method, a user has to authenticate themselves with their user credential (controller login username / password combina-
tion).
When a user connects to an ECLYPSE controller, the ECLYPSE controller connects to the remote RADIUS server to au-
thenticate the user’s credential. A RADIUS server uses a challenge/response mechanism to authenticate a user’s login
credentials. An unrecognized username or a valid username with an invalid password receive an ‘access denied’ re-
sponse. A remote RADIUS server can be another ECLYPSE controller, or a Microsoft Windows Domain Active Directory
Server.
Authentication Fallback
Should the connection to the remote RADIUS server be temporarily lost, ECLYPSE controllers have a fall back authentica-
tion mode: users that have already authenticated themselves with the remote RADIUS server and then the connection to
the RADIUS server is lost, these users will still be able to log in to the controller as their successfully authenticated creden-
tials are locally cached.
The user profile cache is updated when the user authenticates themselves while there is a working RADIUS server connection. For this
reason, at a minimum, admin users should log in to each ECLYPSE controller at least once, so their login can be cached on that controller.
Otherwise, if there is a RADIUS server connectivity issue and a user who has never before connected to the ECLYPSE controller will be
locked out from the controller. It is particularly important for admin user credentials to be cached on each controller as an admin user can
change the controller’s network connection parameters that may be at cause for the loss of connectivity to the RADIUS server.
RADIUS Server and Enabling FIPS 140-2 Mode

On a project where the controllers have FIPS 140-2 mode enabled, a third-party Radius server cannot be used. If the use
of a Radius based authentication is required, an ECLYPSE controller must act as the Radius server. In addition, third party
Radius clients will not be able to connect to the ECLYPSE Radius server. For more information, see FIPS 140-2 Mode.
nLight ECLYPSE 37
RADIUS Server Architectures
Local Credential Authentication

Each device has its own credential database in the local credential authentication architecture. This approach is labor-in-
tensive as multiple credential database instances must be maintained.
User
1 2 3
Server ECLYPSE ECLYPSE

Controller A Controller B
4 4
A B C
Key:
Credential Database
Login Credential
Figure 29: Local Credential Authentication

This authentication method has the following components.
Component Description
Login Credential 1 This is the login credential used by a user to connect to the Server station. This credential is managed by the Server.
This is the login credential used by a user to connect to ECLYPSE controller A. This credential is managed in
Login Credential 2
controller’s A User Management credential database.
This is the login credential used by a user to connect to ECLYPSE controller B. This credential is managed in
Login Credential 3
controller’s B User Management credential database.
This is the login credential used by the Server’s Rest Service to connect to ECLYPSE controller A and B. This credential
Login Credential 4
is managed in this controller’s A and B User Management credential databases.
Credential Database A This is the Server’s user credential database.
This is the ECLYPSE controller A’s credential database and ECLYPSE controller B’s credential database. If the User
can to connect to either of these controllers through the Server, the controller’s credential database must have the
Credential Database B and C credentials for the Server’s RestService. Each credential database must also have the credentials for each user that will
log in to ECLYPSE controller A (for example, administrators, direct connection by users, ENVYSION users, etc.). See
User Management.
nLight ECLYPSE 38
ECLYPSE-Based Centralized Credential Authentication

The credential database is centralized in an ECLYPSE controller that is configured as a RADIUS server, to authenticate lo-
gin requests made directly to it, and by other subscribed ECLYPSE controllers.
User
1 2 2
Server ECLYPSE ECLYPSE

Controller A 3 Controller B
3
A RADIUS A Cache B
Optional Key:
RADIUS Server
RADIUS Credential Database
Cached Credential
Cache Database
Figure 30: ECLYPSE-Based Centralized Credential Authentication

This authentication method has the following components.
Component Description
Login Credential 1 This is the login credential used by a user to connect to the Server. This credential is managed by the Server.
This is the login credential used by a user to connect to ECLYPSE controller A. This credential is managed in controller’s
Login Credential 2
A User Management credential database.
This is the login credential used by the Server’s Rest Service to connect to any ECLYPSE controller. This credential is
Login Credential 3
managed in this ECLYPSE controller A's User Management RADIUS server credential database.
Credential Database A This is the Server’s user credential database. This credential database is independent of all other credential databases.
This is the ECLYPSE controller A’s RADIUS Server credential database. This credential database must also have the
RADIUS Server A Credential
credentials for each user that will log in to any ECLYPSE controller (for example, administrators, direct connection users,
Database
ENVYSION users, etc.). See User Management.
This is the ECLYPSE controller B’s cached credential database. If the connection to ECLYPSE controller A’s RADIUS
Credential Database Cache Server is lost, users that have previously authenticated themselves with the ECLYPSE controller A’s RADIUS Server
B credential database on a given controller will still be able to log in to those controllers as their credentials are locally
cached.
nLight ECLYPSE 39
ECLYPSE Web Interface
CHAPTER 8
This chapter describes the ECLYPSE controller’s Web interface.
Overview
The ECLYPSE controller has a web-based interface that allows you to view system status, configure the controller, update
the controller’s firmware, and access applications associated to your projects. Note that if you intend on enabling FIPS
140-2 mode, it should be done prior to configuring the controllers. See FIPS 140-2 Mode.
Figure 31: Example of an ECLYPSE Controller’s Web Interface Welcome Home Page (options may vary)
Web Interface Main Menu

The sidebar contains the configuration menus that allow you to view and set the controller’s configuration settings including
its IP address, Wi-Fi settings, users, controller’s firmware, and much more.
The menus may vary according to the associated device licenses and the user’s access level. These configuration param-
eters are password protected.
nLight ECLYPSE 40
Home Page
The web interface home page consists of the following items:
Item Description
Device Information Basic information on the device such as controller name, device instance, host ID, MAC address, time, and date
Copy icon that allows you to copy the Host Id and/or the MAC address of the device to that you can quickly paste
elsewhere as needed
Public IP Address IP address to access your ECLYPSE controller from a public network (e.g. Internet)
Connected/Not Connected to
ECLYPSE controller Internet connection status
Internet
Access different applications associated to your projects and controller license such as the following:
– ENVYSION: Embedded graphic design and visualization interface. Host system-based graphics for lighting
control systems and more, directly from the controller. See the ENVYSION User Guide.
– Space Utilization: The Space Utilization edge application allows building owners and property managers to
analyze where occupants spend their time throughout the day, to make data-driven decisions for renova-
Applications
tion, space planning and other expansions.
– SiteView™ Energy: The energy metering edge application gives building owners real-time, actionable data
about their facility’s energy consumption, making it easier to identify usage trends and savings.
– nLight Explorer: An edge application that gives a general system overview and system health of con-
nected nLight devices.
User Profile and Login Credentials

It is important to create new user accounts with strong passwords to protect the controller from unauthorized access.
The profile box is used to change your password and logout from your ECLYPSE controller.
On your first login to an ECLYPSE controller, you will be prompted to change the factory default password. We recom-
mend you choose a strong password for the 'admin' account as it gives full control over the controller.
See User Management, Securing an ECLYPSE Controller, and Supported RADIUS Server Architectures.
To Change Your Password

1. To change your password, click the profile icon and select Change Password.
2. Enter your current password and click Next.
3. Enter the new password twice to confirm and click Next. Your password is changed.
Click the show password icon to see the password you are entering.
nLight ECLYPSE 41
Network Settings
The Network menu is used to configure the ECLYPSE controller’s network interface and setup the wired and wireless net-
work configuration parameters. The available menus are:
£ Ethernet
£ Wireless
£ Diagnostic
Ethernet
The Ethernet screen is used for any wired IP connections that are made through either one of the controller’s Ethernet
Switch Pri(mary) connector or Ethernet Switch Sec(ondary) connector. See Network Connections for ECLYPSE Controllers.
The Wired IP parameters can be auto-configured when the connected network has a working DHCP server. The alterna-
tive is to manually configure the controller’s IP parameters.
Figure 32: Primary Ethernet Configuration in ECLYPSE Web Interface
Option DHCP Client: Enabled DHCP Client: Disabled

If the controller is connected to a network that If you want to manually configure the controller’s network settings (to have a
has an active DHCP server, enabling this option fixed IP address for example) or in the case where the network does not have a
will automatically configure the Wired IP DHCP server, disable this option. In this case, you must set the Wired IP
DHCP
connection parameters. The Wired IP connection parameters shown below to establish network connectivity.
parameters shown below are read only
(presented for information purposes only). See also DHCP Versus Manual Network Settings.
Set the IP address for this network device. See IPv4 Communication
IP Address provided by the network’s DHCP Fundamentals.
IP Address
server Ensure that this address is unique from all other device on the LAN including
any used for a hot spot’s IP addressing.
Subnet mask provided by the network’s DHCP Set the connected network’s subnetwork mask. See About the Subnetwork
Subnet Mask
server Mask.
Gateway IP address provided by the network’s The IP address of the default gateway to other networks. This is usually the IP
Gateway
DHCP server address of the connected network router. See Default Gateway.
Primary DNS Primary and secondary DNS IP Address The connected network’s primary and secondary IP address of the DNS
Secondary DNS provided by the network’s DHCP server servers. See Domain Name System (DNS).
When making changes to the network settings, click Apply to apply and save the changes. You can click refresh to re-
fresh the information in the screen.
nLight ECLYPSE 42
Wireless Configuration
This configuration interface is for any ECLYPSE Wi-Fi Adapter connected to the HOST connector.
A hotspot creates a subnetwork. As a result, any connected BACnet device will not be able to discover BACnet devices on any other LAN
subnetwork.
Figure 33: The Wi-Fi network operating modes: Hotspot, Access-Point, or Client.
The Wireless connection parameters can be set as follows.
Item Description
On / Off
Enable/disable the controller’s wireless features
Select the Wi-Fi network operating mode: Hotspot, Access-Point, or Client.

Hotspot: This creates a Wi-Fi hotspot with a router. See Setting up a Wi-Fi Hotspot Wireless Network for how to
configure this mode.
Wireless Mode Access-Point: This creates a Wi-Fi access point. See Setting up a Wi-Fi Access Point Wireless Network for how to
configure this mode.
Client: this connects the controller as a client of a Wi-Fi access point. See Setting up a Wi-Fi Client Wireless Network for
how to configure this mode. See also ECLYPSE Wi-Fi Adapter Connection Modes.
SSID Hidden Hide or show the Service Set IDentification (SSID)
The Service Set IDentification (SSID) for a Wi-Fi hotspot. This parameter is case sensitive. When this controller’s
active mode is configured as a:
Network Name For Hotspot: set a descriptive network name that other wireless clients will use to find this hotspot.
For Client: select an available hotspot from the lists of access point connections that are within range. Click the Wi-Fi
icon to select an available Wi-Fi network from the list of access points that are within range.
nLight ECLYPSE 43
Item Description
Set the encryption method to be used by the Wi-Fi network:
– Open: this option should be avoided as it does not provide any wireless security which allows any wireless
client to access the LAN
Encryption
– WPA2: select the Wi-Fi Protected Access II option to secure the Wi-Fi network with a password.
– WPA2E: Use this option if you are connecting to an enterprise network that has a working RADIUS authenti-
cation server. This RADIUS server provides user authentication.
When encryption is used, set the password to access the Wi-Fi network as a client or the password other clients will
use to access this hotspot. Passwords should be a long series of random alphanumeric characters and symbols that
are hard to guess. This parameter is case sensitive.
Password If using a Hotsopt connection, network access will be disabled until the default password is changed.
If using an Access Point connection, the default password must be changed before you can save and
apply your changes to this page.
Click to show or hide the password.
IP address for a Hotspot (or gateway address that wireless clients will connect to). Ensure that this address is:
IP Address – Not in the range of IP address set by First Address and Last Address.
– Not the same as the IP address set under IP Configuration for the wired network.
Subnet Mask The hotspot’s subnetwork mask. See About the Subnetwork Mask.
The range of IP addresses to be made available for Hotspot clients to use. The narrower the range, the fewer hotspot
First Address clients will be able to connect due to the lack of available IP addresses. For example, a range where First Address =
Last Address 192.168.0.22 and Last Address = 192.168.0.26 will allow a maximum of 5 clients to connect to the hotspot on a first-to-
connect basis.
When a Hotspot or Access-point is configured, this sets the channel width and number the hotspot is to use. The
Advanced
wireless mode can also be set. See below.
Sets the center frequency of the transmission. If there are other Wi-Fi networks are nearby, configure each Wi-Fi
Channel Number network to use different channel numbers to reduce interference and network drop-outs.
NOTE: The range of available channels may vary from country to country.
Sets the wireless mode (wireless G or wireless N). Wireless N mode is backwards compatible with wireless G and B.
Wi-Fi Mode
Wireless G mode is backwards compatible with wireless B.
Click to refresh the information in the list.
Apply Click Apply to apply and save the changes
nLight ECLYPSE 44
Network Diagnostics
The Diagnostic menu provides a number of tools to diagnose network connectivity issues between controllers.
£ Wi-Fi Monitor: shows the current performance of a Wi-Fi connection with another controller.
£ Ping Monitor: shows the round trip time it takes for a ping packet to go to an IP address and come back.
Figure 34: Network Diagnostics – Wi-Fi Monitor
Item Description
Disable Throughput Disables the Wi-Fi Monitoring throughput client service. For Wi-Fi monitor to work, this must be started.
Enable Throughput Activates the Wi-Fi Monitoring throughput client service. For Wi-Fi monitor to work, this must be started.
Device Target Select the corresponding controller’s MAC address in the Device Target list.
Ip Address Target Enter the corresponding controller’s IP address for its Wi-Fi interface in Ip Address Target.
Click to refresh the information in the Device Target list.
Start Starts graphing the monitored data
Clear Clears the graph
Throughput (Mbps) Transmit datarate to the target
Current average received signal strength.
Signal avg (dBm) Note: Signal strength is measured in negative units where the stronger the signal, the closer it is to zero. A weaker signal
strength will have a more negative number. For example, a receive signal strength of -35 dBm is much stronger than a
receive signal strength of -70 dBm.
RX rate (Mbps) Receiving data rate from the target
nLight ECLYPSE 45
Figure 35: Network Diagnostics – Ping Monitor
Item Description
Ip Address Target Enter the corresponding controller’s IP address for its Wi-Fi interface in Ip Address Target.
Start Starts graphing the monitored data
Clear Clears the graph
nLight ECLYPSE 46
BACnet Settings
This is where the BACnet interface parameters are set.
General
This sets the controller’s BACnet network parameters.
Figure 36: General BACnet Settings
Item Description
Controller Name Set a descriptive name by which this controller will be known to other BACnet objects.
Device ID Each controller on a BACnet intra-network (the entire BACnet BAS network) must have a unique Device ID.
Location Current controller’s physical location. This is exposed on the BACnet network as a device object property.
Description Description of the controller’s function. This is exposed on the BACnet network as a device object property.
Maximum amount of time the controller will wait for an acknowledgment response following a confirmed request sent to a
APDU Timeout (ms) BACnet device before re-sending the request again or moving onto the next request. This property is exposed on the
BACnet network as a device object property.
Maximum amount of time the controller will wait for an acknowledgment response following a confirmed segmented
APDU Segment Timeout
request sent to a BACnet device before re-sending the segmented request again or moving onto the next request. This
(ms)
property is exposed on the BACnet network as a device object property.
Sets the number of times to retry a confirmed request when no acknowledgment response has been received. This
APDU Retries
property is exposed on the BACnet network as a device object property.
Export BACnet Object List Export all controller BACnet variables to a file (.csv).
nLight ECLYPSE 47
Routing
This enables the routing of BACnet packets between BACnet MS/TP controllers connected to the ECLYPSE Controller’s
RS-485 port and BACnet/IP controllers connected to the ECLYPSE Controller’s Ethernet Switch ports. For example, rout-
ing must be enabled for a Server to discover the BACnet MS/TP controllers connected to the ECLYPSE Controller’s
RS-485 port.
Figure 37: BACnet Routing Configuration
Item Description
On / Off
Enables/disable the routing of BACnet packets between BACnet MS/TP controllers connected to the ECLYPSE
Controller’s RS-485 port and BACnet/IP controllers connected to the ECLYPSE Controller’s Ethernet Switch ports.
Network number that identifies a LAN for routing purposes. All controllers with the same network number are members of
Network Number
the same logical BACnet network. See Device Addressing.
Mac Address Device Mac address
Apply Click Apply to apply and save the changes.
Network IP Ports
This sets the IP network configuration parameters (on-board port) as well as the BACnet Broadcast Management Device
(BBMD) and Foreign Device for intranetwork connectivity.
Figure 38: BACnet IP Configuration - Network IP Ports
nLight ECLYPSE 48
On-Board Port
Item Description
On / Off
Enables/disables the routing of BACnet packets between BACnet MS/TP controllers connected to the ECLYPSE
Controller’s RS-485 port and BACnet/IP controllers connected to the ECLYPSE Controller’s Ethernet Switch ports.
Network number that identifies a LAN for routing purposes. All controllers with the same network number are members of
Network Number
the same logical BACnet network. See Device Addressing.
BACnet IP UDP Port Standard BACnet/IP port number (UDP 47808) used by BACnet devices to communicate.
BBMD allows broadcast message to pass through a router. See BBMD Settings.
Enable BBMD
To enable this feature, set Enable BBMD on only one device on each subnet.
Foreign Device Registration allows a BACnet/IP device to send broadcast messages to a device with BBMD enabled.
Enable Foreign Devices See Foreign Device Settings.
To enable this feature, set Enable Foreign Devices on only one device on each subnet.
BBMD Settings
BACnet/IP devices send broadcast discovery messages such as “Who-Is” as a means to discover other BACnet devices
on the network. However, when there are two or more BACnet/IP subnetworks, broadcast messages do not pass through
network routers that separate these subnetworks.
BBMD allows broadcast message to pass through a router: on each subnet, a single device has BBMD enabled. Each
BBMD device ensures BACnet/IP connectivity between subnets by forwarding broadcast messages found on its subnet-
work to each other, and then onto the local subnetwork as a broadcast message.
In the BBMD table, add the BBMD-enabled controllers located on other subnetworks. To add a BBMD:
1. Click .
Figure 39: Adding a BBMD
2. In the IP field, enter IP address of the BBMD located on the other subnetwork.
3. In the Mask field, enter the subnetwork mask for the other subnetwork.
4. In the Port field, enter the port number for the BACnet service of the BBMD located on the other subnetwork.
5. Click OK.
You can also edit or delete a BBMD selected from the list using the Edit icon or Delete icon provided.
nLight ECLYPSE 49
Foreign Device Settings

Some BACnet/IP devices also support a feature called Foreign Device Registration (FDR). FDR allows a BACnet/IP device
to send broadcast messages to a device with BBMD enabled. The BBMD-enabled device will then forward these broad-
cast messages to all other BBMDs and onto all other FDR devices. If a subnet has only FDR supported devices, then it
does not need a local BBMD. These devices can register directly with a BBMD on another subnetwork.
Item Description
IP IP address of a controller (foreign device) located on another subnetwork
Port Delay after which the foreign device is forgotten
Time to Live Time-to-live value that serves as a timestamp attached to the data. Once the timespan has elapsed, data is discarded.
Network MS/TP Ports

BACnet MS/TP and Modbus RTU communications are made by connecting directly to separate RS-485 ports. On-board
RS-485 Port is the controller’s onboard RS-485 port. The following network configuration parameters are for an RS-485
port that is used to communicate with BACnet MS/TP controllers.
Figure 40: Network MS/TP Ports
Item Description
On / Off
Enables/disables the controller’s BACnet MS/TP connection. If the controller has been configured to use Modbus RTU,
this option cannot be enabled.
Network number identifies a LAN for routing purposes. All controllers with the same network number are members of the
Network Number
same logical BACnet network. See Device Addressing.
Baud Rate Recommended baud rate setting is 38 400. See Baud Rate.
Mac Address The ECLYPSE controller’s MAC Address on the BACnet MS/TP Data Bus.
When commissioning a BACnet MS/TP Data Bus, it is useful to start with the Max Master set to 127 so as to be able to
discover all devices connected to the data bus. Then, once all devices have been discovered and the MAC Addressing is
Max Master finalized by eliminating any gaps in the address range, set the Max Master (the highest MAC Address) to the highest
Master device’s MAC Address number to optimize the efficiency of the data bus. See Setting the Max Master and Max Info
Frames.
Max Info Frames For the ECLYPSE controller, this should be set to 20. See Setting the Max Master and Max Info Frames.
nLight ECLYPSE 50
Diagnostics
BACnet MS/TP and Modbus RTU communications are made by connecting directly to separate RS-485 ports. On-board
RS-485 Port is the controller’s onboard RS-485 port.
The following Diagnostics tab provides information on live values passing through the RS-485 ports. By default, the live
values are displayed. You can stop and restart the streaming of the live values using the Stop Live Values/Start Live Val-
ues button.
Figure 41: BACnet Diagnostics
nLight ECLYPSE 51
User Management
User management is the control of who can access the controller by enforcing the authentication credentials users need to
access the controller. User management can either be managed in Server or Client mode. You can also set the Welcome
page a user will land on when they connect to the controller.
An ECLYPSE controller can manage users through several mechanisms. It can either be in Server mode that provides a
user database to other ECLYPSE controllers and itself, or in Client mode for access to a remote user database.
You can provide appropriate privileges to users depending on the clearance level desired for each role. You can also mod-
ify user properties and customize the user experience by assigning a Welcome page to each user.
Server/Client User Configuration

When you configure an ECLYPSE controller in server mode, you can add new users, select their roles, and choose their
custom Welcome page. This page will be the default page displayed after a user logs in to an ECLYPSE controller.
If you configure an ECLYPSE controller in client mode, you can only choose the Welcome page displayed to a user. Any
other information will be retrieved from the remote server. The Welcome page chosen in client mode has priority over the
one configured in the server.
Adding a User in Server Mode

Adding a user creates a user profile that allows a person to log in to the controller with a username / password combination
and to have access to certain controller software interfaces. These users will have login access to the controller. It is im-
portant to create new user accounts with strong passwords to protect the controller from unauthorized access. See also
Password Policy and/or Securing an ECLYPSE Controller.
Figure 42: Adding Users in Server Mode
1. Click the Add User icon to add a new user or select a user and click edit to edit an existing user. The User
Details window is displayed.
nLight ECLYPSE 52
Figure 43: Adding a User
2. Enter the information as shown below:
Item Description
Username User’s login credential
Password User’s password credential
Show/Hide the user’s password credential
User must change
Select to force user to change their password at the next login.
password at next login
3. Click Next. The Roles options are displayed.
Figure 44: User Details - Roles
nLight ECLYPSE 53
4. Select the access levels the user will be able to use. Set one or more options according to the user’s role:
ECLYPSE Roles Description

Allows user access to the ENVYSION studio and viewer. The user can also view and modify all configuration
Admin
interface parameters. When this option is chosen, the user also receives Admin access for BLE Room Device Roles.
Allows user access to the ENVYSION interface in viewing mode as well as gives partial access to the ECLYPSE
Operator Web Configuration Interface. Certain configuration interface screens are unavailable such as User Management,
Viewer Information, etc.
Allows user access to the ENVYSION interface in Viewing mode. The user is not allowed to access the ECLYPSE
Viewer
Web Configuration Interface.
Allows a user to program the controller with a RESTful API enabled programming tool. This user does not have
Rest
access to the ECLYPSE Web Configuration Interface or ENVYSION.
Table 3: ECLYPSE Roles
BLE Room Device Roles are not available on the nLight ECLYPSE and can be ignored.
5. Click Next. The Welcome Page screen is displayed allowing you to define the user’s landing page that will be dis-
played when they login to the controller.
Figure 45: User Details - Welcome Page
6. Enter the URL of the web page you want to define as the landing page. The URL is the one found after the controllers'
IP address or hostname. This should be copied from your Web browser’s address bar when you have navigated to the
target page.
For example if the address for the user default web page is HOSTNAME/eclypse/envysion/index.html OR
192.168.0.10/#/bacnet.html, remove the hostname or IP Address so that the URL becomes /eclypse/envysion/in-
dex.html, or /#/bacnet.
7. Click OK, and because authentication is required, enter your username and password.
The edit icon is used to edit a user’s information. When editing user information, the user password is not shown therefore the field
appears empty. You can leave the password as is or assign a new one.
nLight ECLYPSE 54
Defining a User Welcome Page in Client Mode

In Client mode, you can only add a Welcome page to your user considering that the rest of the data is stored on the
Server, essentially the credentials and roles (see Adding a User in Server Mode). This user’s Welcome page however will
have priority over the page defined in the Server mode.
Figure 46: Adding a User in Client Mode
1. Click to add a user and Welcome page. The User Details window is displayed.
Figure 47: User Details
2. In Username, enter the name of the user.

3. In Welcome Page, enter the URL of the web page you want to define as the landing page. The URL is the one found
after the controllers' IP address or hostname. This should be copied from your Web browser’s address bar when you
have navigated to the target page.
For example if the address for the user default web page is HOSTNAME/eclypse/envysion/index.html OR
192.168.0.10/#/bacnet, remove the hostname or IP Address so that the URL becomes /eclypse/envysion/index.html
or /#/bacnet.
4. Click Save.
To edit an existing user, select the user from the list and click the edit icon and to remove, click the delete icon .
nLight ECLYPSE 55
Password Policy
The password policy sets the minimum requirements for a valid password to help prevent common password cracking
techniques. By requiring long passwords with a well-rounded composition of elements (uppercase and lowercase letters,
numbers, and symbols) it makes the password harder to guess and makes a brute force attack less effective.
Click the key icon to display the Password Policy options:
Figure 48: Password Policy Options
Item Description
Minimum password length
Password length (>8)
See also FIPS 140-2 Mode for password settings.
Uppercase letters Minimum number of uppercase letters (A to Z) required to compose the password
Lowercase letters Minimum number of lowercase letters (a to z) required to compose the password
Numbers Minimum number of numbers (0 to 9) required to compose the password
Symbols Minimum number of symbols (for example, =, +, &, ^, $, etc.) required to compose the password
nLight ECLYPSE 56
Radius Server/Client Settings

You can use the network’s RADIUS Server for user authentication management.
RADIUS Server Settings

When Radius Server is selected in the Server Settings tab, this controller can be used as a RADIUS server by other con-
trollers on the network. In this scenario, the other controllers must be configured to use the Client RADIUS Server mode
with this controller’s IP address. This centralizes access management on this controller thereby saving time by eliminating
the need to add users to each controller individually. Set the port numbers and shared key that other controllers will use to
connect to this controller. See Supported RADIUS Server Architectures.
The port values of 1812 for authentication and 1813 for accounting are standard RADIUS port numbers. However, other
port numbers may be used. No matter which port numbers are used, make sure that the port numbers are unused by other
services on this controller and that both the RADIUS server and the RADIUS clients use the same port number values.
See also IP Network Port Numbers and Protocols.
Figure 49: Radius Server Settings

To setup the RADIUS server settings, complete the parameters as described in the following table:
Item Description
Authentication Port RADIUS server authentication port number
Accounting Port RADIUS server accounting port number
Encryption key that devices use to encrypt and decrypt user authentication credentials that are sent between devices. The
shared key should be a long string made up of 16 to 132 random alphanumeric characters and symbols that would be
Shared Key difficult to guess.
This same key must be copied to any RADIUS client.
Click to copy the shared key to the clipboard.

nLight ECLYPSE 57
RADIUS Client Settings

When Radius Server is selected in the Client Settings tab the following configuration parameters shown in the table below
are available. This centralizes access management on the RADIUS server thereby saving time by eliminating the need to
add users to each controller individually. The client RADIUS server can be another ECLYPSE controller or a Microsoft
Windows Domain Active Directory Server. See Supported RADIUS Server Architectures.
Figure 50: Radius Client Settings

To setup the RADIUS client settings, complete the parameters as described in the following table:
Item Description
IP address of the RADIUS server. This can be the IP address of an ECLYPSE controller that is set as the Server Radius or a
Server IP Address
suitably-configured RADIUS server on a Microsoft Windows Domain Active Directory Server.
Authentication Port Port on which authentication requests are made
Accounting Port Port on which accounting request are made. This is only used to receive accounting requests from other RADIUS servers.
Proxy Port Internal port used to proxy requests between a server mode and client mode
Encryption key that devices use to encrypt and decrypt user authentication credentials that are sent between devices. The
Shared Key shared key should be a long string made up of 16 to 132 random alphanumeric characters and symbols that would be
difficult to guess.
Click to copy the shared key to the clipboard.

Should the connection to the RADIUS server be temporarily lost, ECLYPSE controllers have a fall back authentication
mode: Users that have already authenticated themselves with the RADIUS server and then the connection to the RADIUS
server is lost, these users will still be able to log in to the controller as their successfully authenticated credentials are lo-
cally cached.
nLight ECLYPSE 58
The user profile cache is updated when the user authenticates themselves while there is a working RADIUS server connection. For this
reason, at a minimum, admin users should log in to each ECLYPSE controller at least once, so their login can be cached on that controller.
Otherwise, if there is a RADIUS server connectivity issue, and a user who has never connected to the ECLYPSE controller before will be
locked out from the controller. It is particularly important for admin user credentials to be cached on each controller as an admin user can
change the controller’s network connection parameters that may be at cause for the loss of connectivity to the RADIUS server.
The port values of 1812 for authentication and 1813 for accounting are RADIUS standard port numbers. However, other
port numbers may be used. No matter which port numbers are used, make sure that the port numbers are unused by other
services on this controller and that both the RADIUS server and the RADIUS clients use the same port number values.
See also IP Network Port Numbers and Protocols.
Single Sign On (SSO) Settings

The Single Sign On (SSO) service allows a user to use one set of login credentials (e.g.username and password) to ac-
cess multiple ECLYPSE controllers that are on the same network. This provides a secure centralized login method to au-
thenticate users.
The basic functionality behind an SSO service with ECLYPSE controllers is the Client-Server architecture where one con-
troller is defined as the Server dedicated to authentication/authorization purposes to access the Client controllers.
The SSO authenticates the user for all the controllers the user has been given rights to and eliminates further login
prompts when the user accesses other controllers within the same session.
The session ends if you close the web browser or you log out. It is recommended that you close your web browser after
logging out.
...
Figure 51: SSO Architecture

With the SSO service, you will be automatically redirected to the SSO server login page when you navigate to a SSO client
web page. Once you are authenticated by the server, you will be redirected to the web page you requested on the client. If
you requested the default page, you will be redirected to your Welcome page instead.
Enter the Client IP Redirected to the Login page Client IP

address (Server IP address) Welcome page
login page of the
or specific URL
(e.g.,192.168.0.22) server IP address (e.g.,192.168.0.10) (e.g.,192.168.0.22)
Figure 52: SSO Authentication Sequence
The SSO requires HTTPS to function properly. HTTP cannot be enabled and will automatically be disabled when SSO is activated.
See also Setting Up the SSO Functionality.
nLight ECLYPSE 59
SSO Server Settings

The Server Settings tab allows you to select the type of server mode for the Server controller. The available modes are
Single Sign On or Radius Server.
When Type is set to Single Sign On (SSO), the controller will be defined as the SSO Server dedicated to authentication
purposes. Therefore, a single login to the server will authenticate user access to multiple ECLYPSE controllers that are on
the same network.
An SSO server must be configured with a static IP address. If the SSO server IP address changes, you will have to reconfigure all SSO
clients with the new IP address. See Ethernet.
Figure 53: SSO Server Settings
Item Description
Server Mode (On/Off)
Enable or disable the functionality of the server. When set to OFF, the controller is no longer in server mode.
Type Server type

Identifier used by the server that is handling the protected resource to lookup the associated authorization information.
The access token is usually a long string made up of 16 to 132 random alphanumeric characters and symbols that would
Access Token be difficult to guess.
When the SSO service is selected, the access token ID is displayed by default. If required, you can generate a new code
using the generate icon or manually enter an access token.
Click to copy the access token to the clipboard.

See also Setting Up the SSO Functionality.
SSO Client Settings

The Client Settings tab allows you to select the type of client mode for the Client controller(s). When Type is set to Single
Sign On (SSO), the controller will use the SSO server for authentication.
Figure 54: Client Settings - Type
nLight ECLYPSE 60
When Type is set to Local, credentials are added to and managed by this controller.
Figure 55: Client Settings - SSO
Item Description
Type Server type
Server IP address of the SSO server. This is the IP address of the ECLYPSE controller that was configured as the server.
Server IP Address Note: An SSO server must be configured with a static IP address. If the SSO server IP address changes, you will have to
reconfigure all SSO clients with the new IP address. See Ethernet.
Server Https Port Server HTTPS port of the SSO server. By default, this port is set to 443.
Server access token of the SSO server. If the server access token changes, this parameter should be updated by the user
accordingly.
Access Token In the Access Token field, enter the access token belonging to the Server. To do so, go to Server Settings, copy the access
token using the copy icon and paste (CTRL+V) into the Access Token field in Client Settings.
Define a recovery password to access the controller in recovery mode if ever the server is unavailable. See Single Sign On
(SSO) Troubleshooting.
Recovery Password /
Click the show password icon to see the password you are entering.
Confirm Recovery
Password
In order for the recovery to work, we highly recommend you do not forget your recovery password. If so, a factory
reset will be required.
Click to copy the access token to the clipboard.

nLight ECLYPSE 61
Setting Up the SSO Functionality

This section explains how to setup the SSO functionality by setting up the SSO Server first, followed by the SSO Client.
For more information, see Single Sign On (SSO) Settings.
An SSO server must be configured with a static IP address. If the SSO server IP address changes, you will have to reconfigure all SSO
clients with the new IP address. See Ethernet.
SSO functionality is only available in HTTPS mode. See Web Server Access for more information on enabling HTTPS.
Setting up the SSO Server

1. Open a web browser.
2. Enter the IP address of the controller that will become the Server (e.g., 192.168.0.10). The ECLYPSE login page is dis-
played.
3. Enter your credentials to log in. The ECLYPSE home page is displayed.
4. In the Users menu, select the Server Settings tab and make sure the Server Mode is set to On.
Figure 56: SSO Server Settings
5. In Type, select Single Sign On (SSO).
6. In Access Token, an access token is displayed by default. If required, you can generate a new access token or
manually enter a custom access token. This exact access token will be needed to setup the Client server (see next pro-
cedure Setting Up the SSO Client).
7. Click Apply.
Setting Up the SSO Client

1. Open a web browser or a new tab in the current Web browser.
2. Enter the IP address of the controller that will become the Client (e.g., 192.168.0.22). The ECLYPSE login page is dis-
played.
3. Enter your credentials to log in. The ECLYPSE home page is displayed.
4. In the Users menu, select the Server Settings tab and make sure the Server Mode is set to Off. If not, set the Server
Mode to Off and click Apply before proceeding.
nLight ECLYPSE 62
Figure 57: SSO Server Settings - Server Mode Off
5. Select the Client Settings tab to setup the SSO client.

6. In Type, select Single Sign On. Additional fields are displayed.
Figure 58: SSO Client Settings
7. In Server IP Address, enter the server IP address of the controller that is configured as the Server (e.g.,
192.168.0.10).
8. In Server Https Port, verify that the port number matches the HTTPS port number of the SSO server in System >
Web Server (e.g., 443).
9. In Access Token, you must enter the access token from the SSO Server. Copy the access token from the Server
Settings (see above procedure Setting up the SSO Server) and paste in this field.
nLight ECLYPSE 63
10. In Recovery Password, enter a recovery password that you will use in a case where the server is no longer available.
11. In Confirm Recovery Password, enter the password again.
12. Click Apply to apply and save the configuration.
13. When setting up a new SSO connection, a message is displayed to notify you that a new certificate has been detected.
To validate the authenticity of the server, click Continue.
Figure 59: SSO New Certificate Detected
14. A new page is displayed confirming that the server settings are being applied. After approximately 1 minute, you can
refresh your browser manually using the F5 key or close and reopen your browser.
To switch from the SSO Mode to Radius or Local Mode, you will be asked to log in to the remote or local server. These credentials are the
ones associated to the server you wish to switch to.
Certificate Authentication with SSO

To avoid getting certificate authentication messages:
Also see Saving a Certificate.
1. Go to the System menu and select the Web Server tab.
2. Click Export Authority Public Key. A certificate is downloaded (.crt file) and can be found in the Downloads folder.
3. Go to your browser settings. For the purpose of this procedure, Google Chrome web browser is used.
4. Scroll down to the bottom of the Chrome Settings page and select Advanced.
5. Select Manage certificates. The Certificates window is displayed.
6. Select the Trusted Root Certification Authorities tab.
7. Click Import.
8. Click Next.
9. Browse to the Downloads folder and select the certificate file (.crt) that was previously downloaded.
10. Click Next throughout the next windows and then click Finish.
nLight ECLYPSE 64
11. A warning message is displayed. Click Yes to continue and apply the certificate.
12. Close all Google Chrome windows for the changes to be applied.
When restarting the Web browser, you will no longer get a message stating that your connection is NOT secure, but rather
a Secure green padlock icon will appear in the URL bar to indicate a secure connection.
System Settings
This is where you configure the controller’s date and time, Web interface, port numbers, secure web interface, and the li-
cense. A secure web interface requires a SSL certificate.
Device Information
This shows detailed information about the controller such as the firmware version, MAC address for each network inter-
face, extension modules versions, and Wi-Fi information.
Figure 60: General Device Information
Item Description
The controller’s firmware can be updated through the Firmware Update file upload interface. See Updating the Firmware.
Update
Also see Extensions.
Click to reboot the controller.
Reboot Note: Rebooting the controller will interrupt the operation of any connected equipment and the controller will be offline from the
network for the duration of the reboot.
Export an audit log in .csv format showing auditable events such as account logins, event ID and description, event type, etc.
Export Audit Log
See Export Audit Log for more information.
The Wired IP (wired Ethernet connection) and Wifi Key (wireless connection) sections provide information such as the IP
address, subnet mask, gateway and Mac address
The Mac Address is the same for both Primary (PRI) Wired Ethernet connection (ETH0) and the Secondary (SEC) Wired Ethernet connection.
nLight ECLYPSE 65
Updating the Firmware

The controller’s firmware can be updated through the Firmware Update file upload interface for an ECLYPSE series con-
troller.
1. In System settings under the Information tab, click Update located next to the firmware version. The Firmware Update
window is displayed:
Figure 61: The Firmware Update File Upload Interface
2. Upload the firmware file using one of the following firmware upload methods:
– Click Upload File to find the firmware file on your PC.
– In Windows Explorer, find the firmware file on your PC and drag and drop it in the dotted area.
The file upload starts followed by the firmware upgrade. Once the upgrade is complete, the controller will reboot. If you
click Cancel, not only will the upload processed be canceled, but also the upgrade.
Do not remove power from the controller or interrupt the network connection to the controller during the firmware upgrade process. Failing to
do so may render the controller unusable.
See also Extensions to update the ECLYPSE Controller’s I/O extension modules.
Export Audit Log

Auditable events are authentication and authorization failures and all operations done in the users’ configuration. The Ex-
port Audit Log is used to export a .csv file that details the auditable events that are audited by the device, and/or web appli-
cation (account logins, event ID and description, event type, etc).
The following device auditable events are logged:
Event Types Description
Authentication In When a user logs in. Only unauthorized logins will be logged
For the following event types, logging is done only on operations done in the users’ configuration:
Rest_Post When a user sends a write/update action on the Rest API
Rest_Put When a user sends an update action on the Rest API
Rest_Delete When a user sends a delete action on the Rest API
Rest_Get When a user sends a read action on the Rest API
Web_Interface When a user performs an action on the Web interface.
The .csv file displays the event details in the following information columns:
nLight ECLYPSE 66
Column Heading Description

eventID Sequential event number
timestamp Time of occurrence of a particular event (date and time of day) in GMT
user User ID or username
ipAddress IP address of the client making the request
type Event type as described in the previous table
description Event type description
result Result status for any of the event types: success, error, or unauthorized
Action performed by the user. For an authentication event, the event column will indicate a Web or Rest API authentication.
event Other events shown in this column relate to User Management events such as editing, adding, or updating data such as
passwords and users, and also unauthorized access attempts.
Figure 62: Example of an exported .csv file of auditable events
Location and Time

The Location/Time tab is used to configure the system date and time as well as the weather and current location.
Figure 63: System Settings – Location, Date, and Time
nLight ECLYPSE 67
Item Description
Set Time Automatically
Toggle On or Off to automatically set the time based on the NTP Server
Input the desired NTP Server that will be used to automatically fetch time and date information. A successful connection
NTP Server
will display the icon and an unsuccessful connection will display the icon.
Date Set the controller’s date.
Time and Time Zone Set the controller clock’s time and the time zone the controller is located in.
Get Current Computer Date Click to get the current time a date from an Internet time clock server. Internet connectivity is required for this feature to
Time work.
Weather On/Off
Weather service is not available for nLight ECLYPSE controllers.
City Set the city location from which the system will use weather data.
Current City Displays the currently selected city
Coordinate Displays the latitude and longitude coordinates of the currently selected city. Click the coordinate icon to display to
open the location in Google maps.
Web Server Access
Figure 64: System Settings – Web Server Access
nLight ECLYPSE 68
Item Description
Give this controller a label or nickname to identify it on the network. The hostname can be used in place of an IP address to
identify this controller on the network. This hostname can be used in a Web browser’s address.
Hostname A hostname may contain only the ASCII letters 'a' through 'z' (case-insensitive), the digits '0' through '9', and the hyphen ('-').
A hostname cannot start with a hyphen and must not end with a hyphen. No other symbols, punctuation characters, or white
space are permitted.
Set this to enable the standard Webserver on this controller.
HTTP When Single Sign On (SSO) is enabled, HTTP is not available.
See also FIPS 140-2 Mode.
Set this to enable the secure Webserver on this controller. Connections to this sever are encrypted which helps to prevent
HTTPS
eavesdropping thereby keeping passwords secure.
TLS minimum Protocol Version:
– Select the appropriate Transport Layer Protocol (TLSv1+, TLSv1.1+, or TLSv1.2) minimum version to be used for
server authentication and secure encryption and decryption of data over the Internet.
Cipher Suite Compatibility Level:
Security
– Legacy: This is the default value and is used only if you need to support outdated client and browser versions (e.g.,
Internet Explorer 6, Client in Java 6).
Recommended: This level provides a higher level of security but is only compatible with latest client and browser versions
(e.g., Firefox 27+, Chrome 30+, Client in Java 8).
Select the type of certificate (Internal or Custom) to be used by the ECLYPSE controller.
– Internal: Use a self-signed certificate that has been created automatically by the ECLYPSE controller.
Certificate Mode
– Custom: Use a custom certificate. In this case, the user must import the custom certificate into the ECLYPSE con-
troller.
For HTTPS connections, a certificate must have the controller’s current URL or IP address encoded into it to show to the
Certificate
Common Name connecting device that the connection corresponds to the certificate. Set the controller’s current IP address, hostname, or
Internal
DNS name.
For HTTPS connections, click to export the public key from the local authority that generates the internal certificate to a file
Export Authority
on your PC. You must import this certificate into all PCs that are going to connect to this controller as a trusted certificate.
Public Key
See Saving a Certificate.
Displays the certificate status:
Status – File not found: No certificate has been imported.
Certificate
Custom
– Present: A certificate has been imported.

Import Custom
Upload a custom certificate. You can also drag and drop a certificate file in the dotted area.
Certificate
Password The password for the imported certificate.
Saving a Certificate
When the HTTPS Certification has been configured, you can save the certificate on your PC. This certificate must be dis-
tributed to all PCs that will connect to this controller. It is this certificate that allows a trusted connection to be made be-
tween the two devices.
1. Enable Certificate Mode to Internal, and set this controller’s IP address or DNS name in the Common Name parame-
ter.
2. Click Export Authority Public Key to save the certificate on your PC.
3. Save the file on your PC.
4. Distribute this file to all PCs that will connect to this controller.
5. Install the certificate on the PC by double-clicking it in Microsoft Windows Explorer.
6. Click Open.
nLight ECLYPSE 69
Figure 65: Certificate Security Warning
7. Install the certificate in the Trusted Root Certification Authorities store. Click Install Certificate.
Figure 66: Installing the Certificate on the PC
8. Select Place all certificates in the following store. Click Browse.
Figure 67: Selecting the Store
nLight ECLYPSE 70
9. Select Trusted Root Certificate Authorities and click OK.
Figure 68: Selecting the Trusted Root Certification Authorities Store
10. Click Next. Click Finish.

11. Accept the warning. Click Yes.
Figure 69: Accept the Warning
nLight ECLYPSE 71
Removing a Certificate
After you hold the controller’s reset button for 20 seconds, the controller’s HTTPS security certificates will be regenerated.
If you use HTTPS to connect to the controller, you will no longer be able to connect to the controller from any PC that was
used in the past to connect to the controller unless you delete the old HTTPS security certificate from these PCs.
Security certificates are managed on a PC through the Certificate Manager. To delete an ECLYPSE controller’s HTTPS
security certificate from a PC, proceed as follows.
1. On the PC, open the Certificate Manager: click Start and type certmgr.msc into the search box and press Enter. If
you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. In the Certificate Manager, navigate to Certificates - Current User\Trusted Root Certification Authorities\Certifi-
cates. When you open this folder, certificates are displayed along with related details in the right pane.
3. Certificates for ECLYPSE controllers are named in the following ways:
– Local ECLYPSE Authority
– Local ECLYPSE-XXXXXX Authority where XXXXXX is the controller’s MAC address. See Controller Identifica-
tion.
Backup the certificate in case it will be needed: right-click the certificate and select All Tasks\Export.
4. Delete the certificate: right-click the certificate and select Delete.
When you connect to the controller, your browser will ask you to accept the new HTTPS security certificate.
Licenses
You can import licenses from your PC or a Web server, as well as export an existing license.
Figure 70: System Settings – Licenses
nLight ECLYPSE 72
Item Description
License Info Basic license information
License Host ID License host ID
Generated on License generation date
Name The name of the licensed feature
Mode The feature’s operating mode
Limit The quantity limited by the license. ‘None’ indicates that there is no limitation.
Imports a license file from your PC.
Import From PC 1. Click Import from PC.
2. Click Upload File to select a file from your PC or drag and drop the file in the dotted area.
Imports a license file directly from a Web server. Internet connectivity on the computer is required. Once connected to the Web
Import From Server
server the license is imported and a message is displayed to confirm the successful file import.
Export To PC Saves the controller’s license file to your PC. Select Export to PC to download a .zip file of the license.
FIPS 140-2 Mode

The FIPS 140-2 system setting enables FIPS 140-2 mode and resets configuration settings.
Figure 71: System Settings – FIPS 140-2 Mode

Federal Information Processing Standards 140-2 (FIPS) is a standard developed by the US Federal government, defining
specific encryption methods used to ensure computer security. The ECLYPSE controller web interface has an option to en-
able FIPS 140-2 mode within System settings.
When FIPS 140-2 mode is enabled on an ECLYPSE controller, several controller settings will be reset as part of the FIPS
140-2 compliance requirements. Therefore, it is strongly recommended to enable FIPS 140-2 mode, if required, before
configuring the controllers on the project.
When FIPS 140-2 mode is enabled, a notification is displayed to indicate that the controller is rebooting. You must manu-
ally refresh your browser once the reboot is finished.
The following controller settings will be reset when FIPS 140-2 mode is enabled:
£ Network settings
£ Web settings
£ Hostname
£ BACnet ports
£ Weather Information
£ Users reset
£ HTTPS Certificates will be lost
£ Default username and password
In addition, enabling FIPS 140-2 mode will have the following impact on the controller to respect compliance:
nLight ECLYPSE 73
£ FIPS 140-2 mode can’t be disabled without a factory reset: to disable FIPS 140-2 mode on an ECLYPSE controller, a
factory reset must be performed.
£ Wi-Fi is disabled: Enabling FIPS 140-2 mode will disable Wi-Fi. The controller can then be connected to a network only
via its Ethernet port, using an Ethernet cable.
£ Password requirements: When FIPS 140-2 mode is enabled, a stronger user password is required. The password
must be at least 14 characters long. As soon as FIPS 140-2 is enabled, the controller resets to a default username and
password, and the user will then be prompted to reset both.
– Default username: admin
– Default password: adminadminadmin
£ Radius server: On a project where the controllers have FIPS 140-2 mode enabled, a third-party Radius server cannot
be used. If the use of a Radius based authentication is required, an ECLYPSE controller must act as the Radius
server. In addition, third party Radius clients will not be able to connect to the ECLYPSE Radius server.
£ When GSA mode is active, the main ECLYPSE Configuration Portal login page can display a warning banner at the
top of the screen by setting the display banner option to ON.
The banner states the following message: “This is a U.S. General Services Administration Federal Government com-
puter system that is "FOR OFFICIAL USE ONLY.". This system is subject to monitoring. Therefore, no expectation of
privacy is to be assumed. Individuals found performing unauthorized activities are subject to disciplinary action includ-
ing criminal prosecution.”
GSA IT Security Mode

In the FIPS 140-2 menu, you can enable or disable the General Services Administration (GSA) IT Security mode. It is
mandatory to enable this option for all U.S. General Services Administration Federal Government buildings.
Figure 72: GSA IT Security Mode

Enabling this option will authorize only TLS1.2 encrypted communication and display a warning banner when connecting to
the Web server. A confirmation message is displayed to ensure that you really want to enable/disable the GSA IT Security
Mode.
When enabling or disabling the GSA IT Security mode, the Web server will be restarted.
nLight ECLYPSE 74
Backup and Restore

The Backup and Restore tab allows you to fully backup and restore the ECLYPSE controller such as the settings, exten-
sions firmware, ENVYSION project, etc. The backup file is created on an ECLYPSE controller and can then be down-
loaded to the PC using the download option. The backup file can also be created on a USB key and then restored in a
controller.
The backup file for an ECLYPSE controller can only be created on a FAT32-formatted USB flash drive.
The Backup and Restore window, shown below, is used to create a backup as well as import and restore a backup. When
a backup is created, the file appears in the list as shown in the following figure.
Figure 73: System Settings - Backup and Restore
Item Description
Click to eject the USB key. This is highly recommended in order to avoid data corruption.
Select the checkbox next to the file or files you wish to delete.
Checkbox Select the main selection checkbox at the top left corner of the list to select all or deselect all items in the list.
- Indicates that the backup is in the ECLYPSE controller

Target
- Indicates that the backup is in the USB key
Click to display a preview of the backup file information (name, status, model, firmware version, selected features, etc.). Directly
from this preview window, you can choose to restore the file.
Click to download the backup file (.ecybackup file) on your PC.
Filename Name of the backup file.

Restore Restore the selected backup file that is currently on your PC
Create Backup Start the backup. See Creating a Backup.
Import and Restore
Import on device and then restore the backup
Backup
nLight ECLYPSE 75
Creating a Backup
The backup functionality guides you through a series of well-defined steps to easily create the data backup.
1. In the Backup & Restore main screen, click Create Backup. The options to create a new backup are displayed.
Figure 74: Creating a New Backup
2. In the Backup File Name section, enter the backup file name, and click Next.
3. In the Features section, select the data you wish to backup and click Next.
Figure 75: Backup Features
4. Select the ENVYSION projects you wish to backup and click Next.
5. In the Target section, select to store the backup in the Device or on a USB key and click Next.
If no USB key is plugged in, the USB key option is grayed out. At this point you can insert a USB key but remember to refresh in order to
make the option available.
In the Confirmation section, an overview of the data you selected to backup is displayed. Click Finish to create the backup.
Keep in mind that space may be limited on your ECLYPSE controller therefore plan to remove the backup from the controller shortly after.
nLight ECLYPSE 76
Importing and Restoring a Backup

The restore functionality guides you through a series of well-defined steps to easily import and restore a backup.
1. In the Backup & Restore main screen, click Import and Restore Backup. The restore options are displayed.
Figure 76: Restoring a Backup
2. In the Select Backup File section, select to upload from the Device or USB Key.
3. Click Select File to select the backup file (.ecybackup) you wish to restore or drag and drop the backup file in the dot-
ted area.
4. Click Next.
5. In the Features section, select the data you wish to backup and click Next.
Figure 77: Restore Backup Features
6. Select the ENVYSION projects you wish to restore and click Next.
7. In the Confirmation section, an overview of the data you selected to restore is displayed and by default the Remove
backup file after restore option is selected. When selected, the backup file will be removed after the device reboots.
8. Click Finish to restore the backup. A status page is displayed to indicate that the data is being restored.
Do not power off the device or close the browser window. You will automatically be redirected to the login page once the
device is ready
nLight ECLYPSE 77
Restoring a Selected File

In the Backup & Restore main screen, a Restore button is available next to each backup file. This allows you to restore a
selected backup file on your PC.
1. In the Backup & Restore main screen, select the backup file(s) you wish to restore from the list.
Figure 78: Restoring a Selected Backup File
2. Click Restore. The restore options are displayed.
Figure 79: Restore Selected Backup File Features
3. Select the features you want to restore. By default, all features are selected. To unselect some of the features, simply
click the checkbox or use the Select All or Unselect All options.
4. Click Next.
5. Select the ENVYSION projects to restore and click Next.
Figure 80: Restoring ENVYSION Projects
nLight ECLYPSE 78
6. In the Confirmation section, review the selected features you selected and select Remove backup file after restore to
remove the backup file from the device after reboot.
7. Click Finish. The restore process may take a few minutes.
You cannot restore a “non-FIPS 140-2” to a FIPS 140-2 device because the file is not encrypted and therefore not compatible with the FIPS
140-2 mode.
You also cannot restore a backup which was created in a more recent firmware version than the one you are restoring to.
Open ADR Virtual End Node (VEN)

The nLight ECLYPSE is available with a software module that embeds Open Automated Demand Response (OpenADR)
2.0a Virtual End Node (VEN) capability directly into the controller, eliminating the requirement for a separate system com-
ponent that acts as a VEN. Ordering the nECY with the “ADR” option enables this software module and provides the nECY
with the ability to control nLight Wired and Air devices to reduced light levels during Demand Response (DR) events.
Figure 81: Open ADR configuration in the ECLYPSE web interface
nLight ECLYPSE 79
Item Description
Open ADR
Toggle On or Off the Open ADR functionality
Enter the URL of the Virtual Top Node (VTN).

VTN Url You must also choose between http:// or https:// connection. If using https://, you will be required to upload a public and private
certificate, as well as have the option of verifying the Hostname.
VTN ID Enter the VTN ID code.
VEN NAME Enter the Virtual End Node (VEN) name.
VEN ID Enter VEN ID code.
Active Event The Active Event button displays any active Open ADR events associated with the controller.
Opt Out This will signal the VEN to not participate in an event.
Click to start a test event. Test events demonstrate DR commissioning to the owner and/or commissioning agent. Each test
Start Test Event event lasts one minute and can be assigned an Automated Demand Response severity level of Normal, Low, Medium and Max.
Click the button again to stop the test event before the one minute is up.
Sequence of Operations – Embedded OpenADR

The following is the communication path between OpenADR VTN server and nLight networked devices:
1. The nECY receives a DR event signal from the OpenADR VTN server.
2. The nECY invokes the appropriate “Automated DR Level” setting in nLight devices connected to it which corresponds
to the severity of the event indicated in the DR signal.
3. Each nLight device is capped at its individual Automated DR Level setting; distributed control algorithms within each
device are capable of controlling light levels below the Automated DR Level setting (e.g., in response to daylight, occu-
pancy, or manual wall controls) but they cannot exceed this maximum output level.
4. At the end of the event, the Automated DR Level is released by the nECY allowing networked devices to output light
levels up to their normal High Trim setting.
The Automated DR Levels can be configured for specific luminaires, devices or zones using SensorView software interface.
£ Networked control devices supporting ECLYPSE Embedded OpenADR have ADR settings enabled out-of-box with the
following default settings (can be changed during system startup):
– Automated Demand Response: Enabled
– Automated Demand Response Low Level: 90% max light output
– Automated Demand Response Medium Level: 80% max light output
– Automated Demand Response Max Level: 70% max light output
£ Automated DR Level settings are individually configurable for specific luminaires, devices, or zones.
– Light outputs of 100% to 1% (in 1% increments) and “Off” can be configured for each severity level of Automated
DR.
– Luminaires can be enabled or disabled to respond to ADR events invoked by the nECY.
£ The nECY can issue a Test Event to demonstrate DR commissioning to the owner and/or commissioning agent.
nLight ECLYPSE 80
Figure 82: Device “Default Settings” Configuration for Embedded AutoDR Response in SensorView
The Automated DR Levels can be configured for specific luminaires, devices or zones using the SensorView software in-
terface.
Application Requirements
The utility VTN server must support OpenADR 2.0a VEN clients.
The nECY must have an outbound https connection to the OpenADR VTN IP address (TCP 443).
nLight ECLYPSE 81
nLight ECLYPSE BACnet Points

BACnet points for all nLight devices are automatically generated in the ECLYPSE controller once the network scan is
launched.
To optimize the automatic BACnet point generation, there is a filter function in the ECLYPSE web interface that will filter
certain types of nLight resources to be skipped in the BACnet resources creation process.
As an option, you can also customize the active and inactive text that is associated with certain objects directly from the
web interface.
To benefit from this feature, once the SensorView configuration is done and before configuring the ECLYPSE BACnet re-
sources, go on the ECLYPSE web interface and click on the nLight Icon from the navigation pane.
BACnet Object Mapping
Figure 83: BACnet Object Mapping

Once the BACnet Object Mapping page is open, toggle to the ON position all of the resources you want included the nLight
devices scan. The unwanted device points will be automatically filtered and will not appear in the devices points under the
nLight BACnet Data tree in ENVYSION.
nLight ECLYPSE 82
nLight Air PTI

The nLight Air Packet Trace Interface (PTI) will log information from nLight Air devices that are connected to the controller.
The duration of the PTI can be adjusted using the + and – icons. Click the Start button to begin logging. After the PTI is fin-
ished running, it creates a log file that can be downloaded using the Download Logs button.
Figure 84: nLight Air PTI
nLight ECLYPSE 83
Configuring the ECLYPSE Wi-Fi Adapter Wireless Networks
CHAPTER 9
Configuring the ECLYPSE Wi-Fi Adapter Wireless
Networks
The ECLYPSE Wi-Fi Adapter supports a number of wireless network connection modes. This chapter describes how to
configure a controller’s wireless network. See also ECLYPSE Wi-Fi Adapter Connection Modes.
Setting up a Wi-Fi Client Wireless Network

This connects the controller as a client of a Wi-Fi access point. See Wi-Fi Client Connection Mode for more information.
Figure 85: Client Wireless Network Settings
nLight ECLYPSE 84
Configure the controller’s ECLYPSE Wi-Fi adapter mode as a Wi-Fi client as follows.
1. Set Wireless to On.
2. Set the Mode to Client.
3. Click the Find Network icon to search for available access points that are within range. The access points are
listed on the right.
Figure 86: List of Available Access Points to Pair With
4. Select an access point to pair with from the Networks list. The Encryption mode is provided by the access point.
5. Enter the required Username and Password.
6. Choose the access point’s Extensible Authentication Protocol (EAP) and Phase2 type.
7. Click Apply.
nLight ECLYPSE 85
Setting up a Wi-Fi Access Point Wireless Network

This turns the controller into a Wi-Fi access point that other wireless clients can use to have network access. This access
point operates off of the same subnetwork and has the same IP connectivity that the controller has with its wired network
connection. For example, if the controller’s wired connection is to a network that has an active DHCP server, access point
clients can also use this DHCP server to automatically configure their IP connection parameters. See Wi-Fi Access Point for
more information.
Figure 87: Access Point Wireless Network Settings

Configure the controller’s ECLYPSE Wi-Fi adapter mode as a Wi-Fi access point as follows.
1. Under Wireless Configuration, set wireless to On.
2. Set the Mode to Access-Point.
3. Choose whether the SSID should be hidden or not.
4. Set the name for this access point by which wireless clients will identify it in Network Name.
5. Set the encryption mode to be used by this access point in Encryption:
– None: this option should be avoided as it does not provide any wireless security which allows any wireless client
to access the LAN.
– WPA2 Enterprise: Use this option if you are connecting to an enterprise network that has a working RADIUS au-
thentication server. This RADIUS server provides user authentication.
nLight ECLYPSE 86
6. Set the access point’s authentication password in Password. This is the password wireless clients will need to know in
order to connect to this access point. The default password must be changed before you can save and apply your
changes to this page.
7. Under Advanced, set the Channel Number and Wi-Fi Mode. See Wireless Configuration for an explanation of these
parameters.
8. Click Apply.
Setting up a Wi-Fi Hotspot Wireless Network

This turns the controller into a Wi-Fi hotspot with a router. This puts the hotspot into a separate subnetwork with a DHCP
server to provide IP addresses to any connected device. See Wi-Fi Hotspot for more information.
Wide area network (WAN) connectivity is through the wired connection. See Network Address Translation / Firewall.
Though BACnet/IP uses IP protocol to communicate, this hotspot acts as an IP router; it does not forward broadcast mes-
sages which are important in BACnet to identify services that are available within the BACnet internetwork. See BACnet/IP
Broadcast Management Device Service (BBMD).
Figure 88: Hotspot Wireless Network Settings

Configure the controller’s ECLYPSE Wi-Fi adapter mode as a Wi-Fi hotspot as follows.
1. Under Wireless Configuration, set wireless to On.
nLight ECLYPSE 87
2. Set the Mode to Hotspot.

3. Choose whether the SSID should be hidden or not.
4. Set the name for this access point by which wireless clients will identify it in Network Name.
5. Set the encryption mode to be used by this hotspot in Encryption:
– None: this option should be avoided as it does not provide any wireless security which allows any wireless client
to access the LAN.
– WPA2 Enterprise: Use this option if you are connecting to an enterprise network that has a working RADIUS au-
thentication server. This RADIUS server provides user authentication.
6. Set the hotspot’s authentication password in Password. This is the password wireless clients will need to know in or-
der to connect to this hotspot. Network access will be disabled until the default password is changed.
7. Set the hotspot’s IP address that wireless clients will connect to in Ip Address. Ensure that this address is:
– Not in the range of IP address set by First Address and Last Address.
– Not the same as the IP address set under IP Configuration for the wired network.
8. Set the hotspot’s subnet mask in Subnet Mask. See About the Subnetwork Mask.
9. Set the hotspot’s addressing range in First Address and Last Address. This defines the range of IP addresses to be
made available for hotspot clients to use. The narrower the range, the fewer hotspot clients will be able to connect due
to the lack of available IP addresses. For example, a range where First Address = 192.168.0.22 and Last Address =
192.168.0.26 will allow a maximum of 5 clients to connect to the hotspot on a first-to-connect basis.
10. Under Advanced, set the Channel Number, and Wi-Fi Mode. See Wireless Configuration for an explanation of these
parameters.
11. Click Apply.
nLight ECLYPSE 88
Securing an ECLYPSE Controller
CHAPTER 10
This section describes how to secure an ECLYPSE controller from unauthorized access and use.
Introduction
This chapter describes how to implement best security practices for ECLYPSE controllers. Security is built up layer upon
layer to make the system more resistant to attacks. This involves taking simple but effective steps to implement built-in se-
curity features.
Passwords
A username / password combination (or credentials) authenticates a user’s access rights to a controller. If an attacker
gains access to a user’s password, the attacker has access to carry out any action on the controller that is allowed by that
user’s permissions.
Change the Default Platform Credentials

At the first connection to an ECLYPSE you will be forced to change the password to a strong password for the admin ac-
count to protect access to the controller.
It is important to create new user accounts with strong passwords to protect the controller from unauthorized access. The
username / password can be changed in User Management and see also Supported RADIUS Server Architectures.
Use Strong Passwords

Passwords should be hard to guess. Avoid birth dates and common keyboard key sequences. A password should be com-
posed of a random combination of 8 or more uppercase and lowercase letters, numbers, and special characters.
If FIPS 140-2 mode is enabled, password must be a random combination of 14 or more uppercase and lowercase letters,
numbers, and special characters. The controller will reset to a default username and password when FIPS 140-2 is en-
abled, and the user will then be prompted to reset both. See FIPS 140-2 Mode.
Do not allow a browser to remember a user's login credentials

When logging into a controller with certain browsers, the browser asks to remember a user’s login credentials. When this
option is set, the next time the user logs in, the credentials will automatically be filled in. While this is convenient, anyone
with access to the computer can log in using those credentials. Do not set this option for administrator accounts or when
accessing an account from an unsecure computer.
Account Management and Permissions

User accounts must be properly managed to make it harder for an attacker to compromise security, and to make it easier
to detect that an attack has occurred. To set user account parameters, see User Management.
nLight ECLYPSE 89
FIPS 140-2 Mode

Enabling FIPS 140-2 mode has an effect on account management and permissions. Once FIPS 140-2 mode is enabled,
several controller settings are reset. Therefore, it is best to enable FIPS 140-2 mode before creating accounts and assign-
ing permissions. See FIPS 140-2 Mode.
Use a Different Account for Each User

Each user account should represent an individual user. Multiple users or user groups should not share an account.
Suspending an account shuts-off a single user’s access to the controller – it does not disrupt many users.
Permissions can be tailored to the needs of each user. A shared account may have more permissions than all users
should have.
A shared account has a shared password which is more likely to be leaked.
It is harder to implement password expiration requirements.
Use Unique Service Type Accounts for Each Project

System integrators should use different credentials for each job they do. Should an attacker gain access to one system,
they cannot readily access all systems installed by the same system integrator.
Disable Known Accounts When Possible

Create a new user admin account with new credentials. It is easier to attack the default admin account when an attacker
only has to guess the password.
Assign the Minimum Required Permissions

When creating a new user account, give that account only the minimum rights to access or modify the system needed for
that user.
Use Minimum Possible Number of Admin Users

A compromised admin account can be disastrous as it allows complete access to everything. Only give a user admin privi-
leges only when absolutely necessary.
HTTPS Certificates
HTTPS is a protocol which encrypts HTTP requests and their responses. This ensures that if someone were able to com-
promise the network, they would not be able to listen in or tamper with the communications.
Make sure that HTTPS is enabled. For more information on how to enable HTTPS, see Web Server Access.
Certificates
Generate and install a trusted SSL certificate. Refer to Web Server Access for information on how to import a custom certifi-
cate.
Additional Measures
Update the Controller's Firmware to the Latest Release

Always keep the ECLYPSE controller’s firmware up-to-date. The most recent firmware has the latest bug fixes, security
updates, and stability enhancements.
nLight ECLYPSE 90
External Factors
Install Controllers in a Secure Location

Ensure that the ECLYPSE controller is installed in a physically secure location, under lock and key. Through physical ac-
cess, an attacker can take over the controller to do with it what they please.
For example, the reset button can be used to reset the controller to its factory default settings. If FIPS 140-2 mode has
been enabled on the controller, resetting a controller to its factory default settings will turn FIPS 140-2 mode off.
Make Sure that Controllers are Behind a VPN

For off-site connections, ensure that users access the controllers through a Virtual Private Network (VPN). This helps to
prevent an attack through eavesdropping on the communications channel to steal user credentials.
nLight ECLYPSE 91
BACnet MS/TP Communication Data Bus Fundamentals
CHAPTER 11
BACnet MS/TP Communication Data Bus
Fundamentals
This chapter describes the BACnet MS/TP Communications Data Bus operating principles.
BACnet MS/TP Data Transmission Essentials

Certain ECLYPSE controllers support BACnet MS/TP to BACnet/IP routing. See the Controller’s datasheet for more infor-
mation. To enable BACnet MS/TP to BACnet/IP routing, see Routing.
The BACnet MS/TP or Modbus RTU network option is selected in the controller’s web interface. BACnet MS/TP and Mod-
bus RTU communications are made by connecting directly to separate RS-485 ports. When the ECLYPSE Controller is
configured for BACnet MS/TP, values from the connected BACnet MS/TP controllers can be used in ENVYSION graphics
hosted on the ECLYPSE Controller. Furthermore, the ECLYPSE Controller acts as a BACnet/IP to BACnet MS/TP bridge
that allows BACnet objects to be shared among BACnet intra-networks through BBMD. See BACnet/IP Broadcast Manage-
ment Device Service (BBMD).
The BACnet MS/TP data bus protocol is part of the BACnet® ANSI/ASHRAE™ Standard 135-2008 that uses the EIA-485
(RS-485) physical layer standard for data transmission (herein called the data bus). Multiple data buses can be logically
tied together as each BACnet MS/TP data bus is assigned a unique Network Instance that distinguishes it from other data
buses in the BACnet MS/TP Local Area Network (LAN). An example of an interconnected BACnet MS/TP data bus is
shown in Adopting a Numbering System for MAC Addresses, Device Instance Numbers, and Network Numbers.
EIA-485 is a standard that defines the electrical characteristics of the receivers and drivers to be used to transmit data in a
differential (balanced) multipoint data bus that provides high noise immunity with relatively long cable lengths which makes
it ideal for use in industrial environments. The transmission medium is inexpensive and readily-available twisted pair
shielded cable.
While there are many possible LAN topologies for an EIA-485 data bus, only devices that are daisy-chained together are
allowed with BACnet MS/TP (see Only a Daisy-Chained Data Bus Topology is Acceptable). A spur is only permitted when it
is connected to the data bus through a repeater (see Using Repeaters to Extend the Data Bus).
End-of-line (EOL) terminations are critical to error-free EIA-485 data bus operation. The impedance of the cable used for
the data bus should be equal to the value of the EOL termination resistors (typically 120 ohms). Cable impedance is usu-
ally specified by the cable manufacturer.
BACnet MS/TP Data Bus is Polarity Sensitive

The polarity of all devices that are connected to the two-wire BACnet MS/TP data bus must be respected. The markings to
identify the polarity can vary by manufacturer. The following table summarizes the most common identification labels for
BACnet MS/TP data bus polarity.
Device Manufacturer Typical Data Bus Connection Terminals
Inverting Non-inverting Reference

B A SC
– + G
TxD–/RxD– TxD+/RxD+ GND
Common identification labels for BACnet MS/TP data bus polarity by other
U– U+ COM
Manufacturers
RT– RT+ REF
Sig– Sig+ S
Data– Data+
Table 4: Common Identification Labels for BACnet MS/TP Data Bus Polarity for other Manufacturers
When interfacing with BACnet MS/TP devices from other manufacturers, refer to the documentation provided with the device to correctly wire
the device.
nLight ECLYPSE 92
Maximum Number of BACnet MS/TP Devices on a Data Bus

Segment and Baud Rate
The following technical parameters limit the number of devices on a BACnet MS/TP Data Bus Segment.
£ The BACnet MS/TP Data Bus Segment has a hard limit on the number of devices that can communicate due to the de-
vice addressing scheme (the MAC Address Range for BACnet MS/TP Devices). See Data Bus Segment MAC Address
Range for BACnet MS/TP Devices.
£ Each device presents an electrical load on the BACnet MS/TP Data Bus Segment. This is called device loading. The
number of devices that can be connected to a BACnet MS/TP Data Bus Segment is limited by the loading of each de-
vice. See Device Loading.
£ Choosing a low baud rate can cause BACnet MS/TP Data Bus congestion that can limit the amount of data that can be
efficiently exchanged between devices connected to the BACnet MS/TP Data Bus. For example, at 9600 baud, the
maximum number of devices is reduced to 25 due to the increased time it takes for token passing between devices.
The recommended baud rate is 38 400. See Baud Rate.
£ It is recommended that you connect no more than 50 ⅛ or ½-load devices on a single BACnet MS/TP Data Bus Seg-
ment when a baud rate of 19 200 or higher is used (preferably 38 400 baud). This is to ensure that the BACnet MS/TP
Data Bus has enough bandwidth to efficiently communicate network variables between controllers.
These parameters are described in greater detail below.
Data Bus Segment MAC Address Range for BACnet MS/TP Devices
The BACnet MS/TP data bus supports up 255 devices:
£ Up to 128 devices (with device MAC addresses in the range of 0 to 127) that are BACnet MS/TP Masters (that can ini-
tiate communication).
£ Up to 128 devices (with device MAC addresses in the range of 128 to 255) that are BACnet MS/TP Slaves (cannot ini-
tiate communication).
However, it is recommended that any given data bus segment have no more than 50 devices, when a baud rate of 19 200
or higher is used for the BACnet MS/TP Data Bus. A repeater counts as a device on each data bus segment to which it is
connected.
Device Loading
Each device presents an electrical load on the BACnet MS/TP Data Bus Segment. This is called device loading. The use
of full load devices limits the number of devices connected to a BACnet MS/TP Data Bus Segment to 32 devices.
If a data bus segment is interoperating with devices that are full-load, ½-load, ¼-load, or ⅛-load, then the device that sup-
ports the fewest devices on the same data bus is the one that sets the limit for the maximum total number of devices for
that data bus segment. For example, you plan to put on one data bus the following devices:
Manufacturer Quantity of devices Equivalent full- Maximum devices supported by the manufac-
(example) load devices turer
⅛-load devices 8 1 1281 Maximum 50 recommended
½-load devices 14 7 64 Maximum 50 recommended
full load devices 26 26 32
There are too many devices on the data bus. It is
Total Full-Load Devices 34
limited to a maximum of 32 devices.
Table 5: Device Loading Example
1. This is limited by the maximum number of master devices allowed on a BACnet MS/TP Data Bus.
The solution for the above example is to create two data bus segments connected together by a repeater and then split up
the devices between the data bus segments, ensuring again that the maximum number of devices on each separate data
bus is not exceeded. See Using Repeaters to Extend the Data Bus.
nLight ECLYPSE 93
Baud Rate
Most devices will have a range of baud rate settings and possibly an AUTO setting that detects the baud rate of other de-
vices transmitting on the data bus and adjusts the baud rate of the device accordingly. Typical baud rates are 9600, 19
200, 38 400, and 76 800. The baud rate setting determines the rate at which data is sent on the BACnet MS/TP data bus.
At 9600 baud, the maximum number of devices is reduced to 25 due to the increased time it takes for token passing between devices.
All devices on the data bus must be set to the same baud rate. Therefore, the chosen baud rate must be supported by all
devices connected to the data bus.
The recommended baud rate for an ECLYPSE Controller is 38 400.
We recommend that you:
£ Set the baud rate of two controllers on a BACnet MS/TP Data Bus Segment to the same baud rate to provide failover
protection.
£ For example, set the baud rate of the ECLYPSE Controller (if equipped) and one other controller to 38 400 baud. If the
ECLYPSE Controller becomes unavailable and there is a power cycle, the BACnet compatible controller will set the
baud rate for the BACnet MS/TP Data Bus.
£ Set all other devices to automatically detect the baud rate, if this option is available.
Baud: Auto (Factory Default) Baud: Auto (Factory Default) Baud: Auto (Factory Default) Baud: 38 400 Baud: 38 400
Typical BACnet Device Typical BACnet Device Typical BACnet Device Typical BACnet Device
ECLYPSE
EOL ON EOL OFF EOL OFF EOL OFF
EOL
ON
NET+
NET+
NET+
NET+
NET-
NET-
NET-
NET-
NET +
NET-
S
Data Bus: Shielded Twisted Pair Cable
Electrical
System
Ground
Figure 89: Setting the Baud rate on two Controllers on a BACnet MS/TP Data Bus Segment for Failover Protection
To set the baud rate for:
£ ECLYPSE Controllers, see Network MS/TP Ports.
nLight ECLYPSE 94
Data Bus Physical Specifications and Cable Requirements

Cables composed of stranded conductors are preferred over solid conductors as stranded conductor cable better resist
breakage during pulling operations. It is strongly recommended that the following data bus segment cable specifications be
respected.
Parameter Details
Media Twisted pair, 24 AWG
Shielding Foil or braided shield
The shield on each segment is connected to the electrical system ground at one
Shield grounding
point only; see Data Bus Shield Grounding Requirements.
Characteristic impedance 100-130 Ohms. The ideal is 100-120 Ohms.
Less than 100 pF per meter (30 pF per foot). The ideal is less than 60 pF per meter
Distributed capacitance between conductors
(18 pF per foot).
Distributed capacitance between conductors and shield Less than 200 pF per meter (60 pF per foot)
Maximum length per segment 1220 meters (4000 feet)
Data Rate 9600, 19 200, 38 400, and 76 800 baud
Multi-drop Daisy-chain (no T-connections)
EOL terminations 120 ohms at each end of each segment
Data bus bias resistors 510 ohms per wire (max. of two sets per segment)
Table 6: BACnet MS/TP Data Bus Segment Physical Specifications and Cable Requirements
Shielded cable offers better overall electrical noise immunity than non-shielded cable. Unshielded cable or cable of a differ-
ent gauge may provide acceptable performance for shorter data bus segments in environments with low ambient noise.
Cable Type O.D. (Ø)
300 meters (1000 feet), 24 AWG Stranded, Twisted Pair Shielded Cable – FT6, Rated for Plenum Applications 3.75mm (0.148 in.)
Table 7: Recommended Cable Types for BACnet MS/TP Data Buses
Data Bus Topology and EOL Terminations
Function of EOL Terminations

The first and last device on the data bus must have End-of-Line (EOL) termination resistors connected across the two data
lines/wires of the twisted pair. These resistors serve the following purposes:
£ EOL terminations dampen reflections on the data bus that result from fast-switching (high-speed rising and falling data
edges) that otherwise would cause multiple data edges to be seen on the data bus with the ensuing data corruption
that may result. The higher the baud rate a data bus is operating at, the more important that EOL terminations be prop-
erly implemented. Electrically, EOL terminations dampen reflections by matching the impedance to that of a typical
twisted pair cable.
£ EIA-485 data bus transmitters are tri-state devices. That is they can electrically transmit 1, 0, and an idle state. When
the transmitter is in the idle state, it is effectively off-line or disconnected from the data bus. EOL terminations serve to
bias (pull-down and pull-up) each data line/wire when the lines are not being driven by any device. When an un-driven
data bus is properly biased by the EOL terminations to known voltages, this provides increased noise immunity on the
data bus by reducing the likelihood that induced electrical noise on the data bus is interpreted as actual data.
nLight ECLYPSE 95
When to Use EOL Terminations

EOL terminations should only be enabled / installed on the two devices located at either end of the data bus. All other de-
vices must not have the EOL terminations enabled/installed.
Typical BACnet Device Typical BACnet Device Typical BACnet Device Typical BACnet Device
ECLYPSE
EOL ENABLED: When
EOL ON EOL OFF EOL OFF EOL OFF the ECLYPSE
controller is the first or
last daisy-chained
NET+
NET+
NET+
NET+
NET +
NET-
NET-
NET-
NET-
device: set the EOL
NET-
Termination internally
S
Electrical
First and last daisy-chained device: System
- EOL Terminations are ENABLED Ground
OR EOL resistor is installed
All other Devices:
- EOL Terminations are DISABLED
Figure 90: EOL Terminations Must be Enabled at Both the First and Last Device on the Data Bus
Devices with built-in EOL terminations are factory-set with the EOL termination disabled by default.
The BACnet/IP to MS/TP Adapter does not have EOL Termination (and BACnet MS/TP Data Bus biasing) capabilities to be used at the end
of a BACnet MS/TP data bus. Instead, use the BACnet/IP to MS/TP Router for this application.
When to use EOL Terminations with BACnet MS/TP Thermostats

BACnet MS/TP thermostats support external EOL termination resistors only. When a BACnet MS/TP thermostat is the first
or last daisy-chained device, add a 120 Ohm resistor across the – and + BACnet MS/TP data bus connections.
The BACnet MS/TP data bus must be biased. This bias can only be provided by built-in EOL termination resistors (ones
set with jumpers or DIP switches – refer to the controller’s Hardware Installation Guide for how to identify and set a con-
troller’s built-in EOL terminations). If a BACnet MS/TP data bus has a BACnet MS/TP thermostat at one end of the BACnet
MS/TP data bus and an ECLYPSE Controller at the other end, you must set the built-in EOL termination in the controller
so that proper biasing is provided to the BACnet MS/TP data bus.
Typical Typical Typical Typical EOL ENABLED: Use the
ECLYPSE
BACnet BACnet BACnet BACnet ECLYPSE controller as a
Device Device Device Device first or last daisy-chained
No Built-in EOL No Built-in EOL No Built-in EOL No Built-in EOL device: The internal EOL
Termination Termination Termination Termination
Termination MUST be set
NET +
NET+
NET+
NET+
NET+
to ON to provide bias to
NET-
NET-
NET-
NET-
NET-
BACnet MS/TP Data Bus
12
0Ω

EOL: Add a 120 Electrical
Ohm resistor as System
First and last daisy-chained device: Ground
shown here
- EOL Terminations are ENABLED
at one end, and EOL resistor is
installed at other end.
All other Devices:
- EOL Terminations are DISABLED.
Figure 91: Typical EOL Terminations with BACnet MS/TP Thermostats with Biasing Provided by the Controller’s Built-in EOL Termina-
tion set to ON
nLight ECLYPSE 96
About Setting Built-in EOL Terminations

ECLYPSE Controllers have built-in EOL terminations. These Controllers use jumpers or DIP switches to enable the EOL
resistors and biasing circuitry. These controllers have separate bias and EOL termination settings. This is useful in the fol-
lowing scenario: the controller is located in the middle of the data bus and either one or both controllers at the data bus
ends do not have biasing or EOL terminations. In this situation, set the bias on the controller and set the EOL termination
on the controllers at the end of the data bus. If a controller at the end of the data bus does not have a built-in EOL termina-
tion, then add a 120 Ohm resistor across the device’s terminals as shown at the left side of the previous figure.
ON
1 2 3 OFF
BIAS+ EOL BIAS-
Figure 92: Typical Controller with Separate EOL Termination and Bias Configuration Settings
Refer to the controller’s Hardware Installation Guide for how to identify and set a controller’s built-in EOL terminations.
Only a Daisy-Chained Data Bus Topology is Acceptable

Use a daisy-chained BACnet MS/TP data bus topology only. No other data bus topology is allowed.
BMS
EOL
ON ECLYPSE Controller Maximum of 32 nodes and 1200 meters.
EOL Internally Set
 MS/ TP Data Bus Segment
Segment 1
EOL
ON
EOL Internally Set to ON
Central Plant Air Handling Controllers

Figure 93: Typical BACnet MS/TP LAN Topology Showing How Devices are Daisy-Chained Together to Form One Data Bus Segment
Only linear, daisy-chained devices provide predictable data bus impedances required for reliable data bus operation.
Only a daisy-chained data bus topology should be specified during the planning stages of a project and implemented in the installation phase
of the project.
A spur is only permitted when it is connected to the data bus through a repeater (see Using Repeaters to Extend the Data Bus).
nLight ECLYPSE 97
ECLYPSE ECLYPSE
Figure 94: Unsupported BACnet MS/TP LAN Topologies
Data Bus Shield Grounding Requirements

The EIA-485 data bus standard requires that the data bus must be shielded against interference. A BACnet MS/TP data
bus must also be properly grounded.
For 24V-Powered Controllers:
The data bus’ cable shields must be twisted together and isolated with electrical tape at each device. Note that for 24V-
Powered Controllers, the power supply transformer’s secondary that is connected to the 24V COM terminal is usually
grounded. This provides the ground reference for the data bus (see BACnet MS/TP is a Three-Wire Data Bus). If the con-
troller is at the end of the BACnet MS/TP data bus, simply isolate the data bus shield with electrical tape.
ECLYPSE Series Controller:
The data bus’ cable shields must be twisted together and connected to the S terminal at each ECLYPSE Series Controller.
Keep the cable shield connections short and take steps at each device to isolate the cable shield from touching any metal
surface by wrapping them with electrical tape, for example. Note that for ECLYPSE Controllers, the data bus’ cable shield
provides the ground reference for the data bus (see BACnet MS/TP is a Three-Wire Data Bus). If the controller is at the end
of the BACnet MS/TP data bus, simply connect the data bus shield to the S terminal.
Grounding the shield of a data bus segment in more than one place will more than likely reduce shielding effectiveness.
24V-Powered Controller Data Bus Shield Grounding Requirements

The shield on each data bus segment must be connected to the electrical system ground at one point only, for example, at
the ECLYPSE Controller, as shown in the figures below.
Typical BACnet 24VAC- Typical BACnet 24VAC- Typical BACnet 24VAC- Typical BACnet 24VAC-
ECLYPSE Powered Controller Powered Controller Powered Controller Powered Controller
NET+
NET+
NET+
NET+
NET-
NET-
NET-
NET-
NET +
NET-
S
Data Bus Shield: Data Bus Shields: Twist Data Bus Shields: Twist Data Bus Shield:
Connect to the ‘S’ together and Isolate together and Isolate Isolate with
terminal with electrical tape with electrical tape electrical tape

Electrical The shield of the data bus must be connected to
System the electrical system ground at one point only –
Ground usually at the Building Controller, when present
Figure 95: Typical Cable-Shield Grounding Requirements for a BACnet MS/TP Data Bus Segment with an ECLYPSE Controller located
at the End of the Data Bus
nLight ECLYPSE 98
Typical BACnet 24VAC- Typical BACnet 24VAC- Typical BACnet 24VAC- Typical BACnet 24VAC-
Powered Controller Powered Controller ECLYPSE Powered Controller Powered Controller
NET+
NET+
NET+
NET+
NET-
NET-
NET-
NET-
NET +
NET-
Data Bus Shields:
S
Connect to the ‘S’
terminal
Data Bus Shield: Data Bus Shields: Twist Data Bus Shield:
Isolate with together and Isolate Isolate with
electrical tape with electrical tape electrical tape
Data Bus Shields: Twist Data Bus: Shielded Twisted Pair Cable
together and Isolate
with electrical tape Electrical The shield of the data bus must be connected to
Figure 96: Typical Cable-Shield Grounding Requirements for a BACnet MS/TP Data Bus Segment with an ECLYPSE Controller located
in the Middle of the Data Bus
Using Repeaters to Extend the Data Bus

A BACnet MS/TP data bus segment can be up to 1220 meters (4000 feet) long with up to a maximum of 50 devices. When
a greater length is required, a solution is to use a repeater. A repeater increases the maximum length of the data bus.
Using a Repeater to Extend the Length of the BACnet MS/TP Data Bus
Repeaters can be used to extend a BACnet MS/TP data bus up to 3660 meters maximum total length. Do not use more
than two repeaters on a BACnet MS/TP LAN.
A BACnet MS/TP repeater is a bi-directional device that regenerates and strengthens the electrical signals that pass
through it. It creates two electrically-isolated BACnet MS/TP data bus segments that transparently enable devices on one
side of the repeater to communicate with any device on the other side. The two BACnet MS/TP data bus segments have
the same requirements of an ordinary BACnet MS/TP data bus segment; that is, each BACnet MS/TP data bus segment:
£ Can be up to 1220 meters (4000 feet) long.
£ The first and last device on the data bus must have End-of-Line (EOL) termination resistors connected across the two
data lines/wires of the twisted pair.
£ Must respect the maximum limit for Device Loading.
£ Will have the same network number as they remain part of the same network or LAN.
It is recommended that you connect no more than 50 ⅛ or ½-load devices on all BACnet MS/TP Data Bus repeater seg-
ments when a baud rate of 19 200 or higher is used (preferably 38 400 baud). This is to ensure that the BACnet MS/TP
Data Bus has enough bandwidth to efficiently communicate network variables between controllers.
Do not use more than two repeaters on a BACnet MS/TP data bus.
A repeater can only connect two BACnet MS/TP data bus segments even if it has ports to support more than two BACnet MS/TP data bus
segments.
A repeater can be added anywhere to a data bus segment including the end of the segment as shown below.
nLight ECLYPSE 99
ECLYPSE
Figure 97: Using a Repeater to Extend the Range of the LAN

A repeater can be used to create a spur as shown below.
ECLYPSE
Figure 98: Adding a Spur by Using a Repeater

A repeater is counted as a device on each data bus to which it is connected.
When third party devices are connected to a data bus segment, the number of devices that can be connected to that data
bus segment may be reduced. See Device Loading.
nLight ECLYPSE 100

BACnet MS/TP data bus BACnet MS/TP data bus

Typical BACnet Device Typical Typical BACnet Device
Bias and EOL termination is Bias and EOL termination is
BACnet
provided by this controller’s provided by this controller’s
Device
EOL ON internal EOL Termination internal EOL Termination EOL ON
No Built-in EOL
being set to ON Termination being set to ON
NET+
NET+
NET+
NET-
NET-
NET-
Data Bus Shields: Twist
together and Isolate with
electrical tape
Data Bus Shields: Twist

together and Isolate
Repeater with electrical tape
Data + (1) Data + (20)
1 2
Data Bus: Shielded Data – (2) Data – (19)
Twisted Pair Cable
0Ω
< 7.6 m 12
< 25 ft The data bus shield must be connected to the electrical system ground at
one point only – usually at the Building Controller, when present
Figure 99: Repeater Connections when it is the First or Last Device on its Respective Data Bus Segment
The BACnet MS/TP Data Bus must be biased. This bias can only be provided by built-in EOL termination resistors (ones
set with a jumper or DIP switch). When a repeater is the first or last device on its respective data bus segment, use the fol-
lowing methods to provide MS/TP Data Bus biasing and EOL termination as applicable to your situation:
1. On the BACnet MS/TP data bus segment ❶ shown in the above figure, bias and EOL termination is provided by a con-
troller’s built-in EOL termination being set to ON. In this case the connection to the repeater cannot be more than 7.6
meters (25 feet) from this controller.
2. On the BACnet MS/TP data bus segment ❷ shown in the above figure, a 120Ω EOL Termination resistor is added to
the repeater’s terminals. Biasing for this BACnet MS/TP data bus segment is provided by the built-in EOL termination
being set to ON at the last controller at the other end of this data bus.
See When to Use EOL Terminations for more information. The shield of one data bus must be grounded at one point as
specified in Data Bus Shield Grounding Requirements. The shields of the two data buses must be connected together and
isolated with electrical tape as shown in the above figure. Refer to the controller’s Hardware Installation Guide for how to
identify and set a controller’s built-in EOL terminations.
Device Addressing
Device addressing allows the coordinated transfer of messages between the intended devices on the BACnet MS/TP data
bus and with devices connected to the internetwork. For this, each device connected to the BACnet MS/TP data bus is
identified by a MAC address, a Device Instance number, and a Network Number:
£ The MAC Address uniquely identifies a device on a Network (identified by a Network Number). Devices on another
Network can have the same MAC Address as messages are not passed at the internetwork level using the MAC Ad-
dress. The MAC Address also defines the devices on the data bus that are Masters and Slaves, among other cate-
gories (see About the MAC Address). The MAC Address is also used to share data bus bandwidth between devices
through token passing between Master devices.
£ The Device Instance uniquely identifies a device across the BACnet internetwork. The Device Instance is any number
between 0 and 4 194 303. It is with the Device Instance that messages are exchanged between BACnet devices. The
Device Instance is also used by routers to forward messages to devices located elsewhere in the internetwork. Unlike
a MAC Address, a Device Instance cannot be reused elsewhere in the BACnet internetwork (it must be unique for the
entire network).
£ The Network Number is any number between 1 and 65 534. A network number identifies a LAN for routing purposes.
Both the MAC Address and the Device Instance must be set for each device and are essential for proper BACnet LAN op-
eration.
For an example of how MAC address, Device Instance number, and Network Number apply to a typical BACnet network,
see Adopting a Numbering System for MAC Addresses, Device Instance Numbers, and Network Numbers.
nLight ECLYPSE 101

About the MAC Address

The MAC Address is a number from 0 to 255; however, we recommend reserving some MAC Addresses for common com-
missioning and maintenance tasks. For example, when a portable adapter is set to use one of these reserved MAC Ad-
dresses, it can be temporarily connected with certainty to any BACnet MS/TP data bus of any site without conflicting with
other devices already connected to the BACnet MS/TP data bus. We strongly recommend that the MAC address of
ECLYPSE Controller’s MS/TP port be always set to 0.
MAC Addresses should be used as shown in the following table.
MAC Address Value / Usage Devices
Range
0 Data Bus Master (ECLYPSE Controller) This address is invalid for other BACnet devices
1 Temporary commissioning connection This address is invalid for other BACnet devices
2 Reserved Other
Master devices: All master devices should be in this MAC Address
3-127 Master Range
range
128-254 Slave Range Slave devices and network sensors
255 Broadcast Do not apply address 255 to any device
Table 8: Recommended BACnet MS/TP Bus MAC Address Values / Ranges for BACnet MS/TP Data Bus Devices
BACnet MS/TP Data Bus Token-Passing Overview

The BACnet MS/TP data bus protocol is a peer-to-peer, multiple-master protocol that shares data bus bandwidth by pass-
ing a token between Master devices on the data bus that authorizes the device that is holding the token to initiate commu-
nications on the data bus. Once the device has completed its request(s), it closes the communications channel, passes the
token to the next Master device (making it the current Master), and liberates the data bus.
The token is passed through a short message from device to device on the BACnet MS/TP data bus in consecutive order
starting from the lowest MAC address (MAC Address = 0) to the next MAC Address.
Gaps or pockets of unassigned device MAC Addresses should be avoided as this reduces data bus performance. Once a
master has finished making its requests, it must poll for the next master that may exist on the Data Bus. It is the timeout for
each unassigned MAC Address that slows down the data bus.
The way MAC Addresses are assigned is not a physical requirement: Devices can be daisy-chained on the data bus in any
physical order regardless of their MAC Address sequence. The goal is to avoid gaps in the device MAC Address range.
Slave devices cannot accept the token, and therefore can never initiate communications. A Slave can only communicate
on the data bus to respond to a data request addressed to it from a Master device. Gaps in slave device MAC Addressing
have no impact on BACnet MS/TP data bus performance.
nLight ECLYPSE 102

ECLYPSE ECLYPSE
ECLYPSE
Figure 100: Setting the Max Master on the ECLYPSE Controller to the Highest MAC Address Used on the BACnet MS/TP Data Bus
About Tuning the Max Info Frames Parameter

Once a device has the token, it can make a number of information requests to other devices on the BACnet intranetwork.
The maximum number of requests is limited by the Max Info Frames parameter. Once the device has made the maximum
number of requests it is permitted to make according to the Max Info Frames parameter, the device passes the token to
the following device with the next higher MAC address. This makes the BACnet MS/TP Data Bus more reactive for all de-
vices by preventing a device from hanging on to the token for too long. Ordinary BACnet MS/TP devices should have the
Max Info Frames parameter set to between 2 and 4. The Data Bus Master (ECLYPSE Controller) should have the Max
Info Frames parameter set to 20.
About Tuning the Max Master Parameter

To prevent the passing of the token to unused MAC Addresses situated after the final Master device, the Max Master pa-
rameter must be set. By default, the Max Master for an ECLYPSE Controller or a Supervisor is set to 127 which allows for
the theoretical maximum of 127 devices besides the Data Bus Master to be connected to the data bus.
In practice, the actual number of devices connected to a data bus is far less, resulting in a gap between the highest MAC
Address of any device connected to the data bus and the value set for Max Master. This gap unnecessarily slows down
the data bus with Poll for Master requests.
When commissioning a BACnet MS/TP Data Bus, it is useful to start with the Max Master set to 127 so as to be able to
discover all devices connected to the data bus. Then, once all devices have been discovered and the MAC Addressing is
finalized by eliminating any gaps in the address range, set the Max Master (maximum MAC Address) in the ECLYPSE
Controller and in the Supervisor to the highest Master device’s MAC Address number to optimize the efficiency of the data
bus.
Setting the Max Master and Max Info Frames

The Max Master and Max Info Frames are parameters used to optimize a BACnet MS/TP Data Bus. This is set in the
ECLYPSE Controller and separately with the Supervisor for each connected BACnet MS/TP device.
nLight ECLYPSE 103

For the ECLYPSE Controller, set the Max Info Frames to 20 in the screen shown in BACnet Settings of the Network MS/TP
Ports as this is a device that will make more requests for service from other devices on the network. In general, according
to the way a device is programmed, the Max Info Frames may have to be set to a higher value than for other devices. For
example, when Roof Top Unit Controllers are used with VAV controllers that use specific code, they should also have their
Max Info Frames set to a higher value such as 5, as Roof Top Unit Controllers will poll many VAV controllers for informa-
tion.
To set the Max Master and Max Info Frames for BACnet MS/TP devices (for example, a BACnet controller), use a Supervi-
sor to do so.
Default Device Instance Number Numbering System for nLight ECLYPSE Controllers
By default, nLight ECLYPSE controllers automatically self-assign a Device Instance number generated from the unique
MAC Address assigned to the controller during installation. The Device Instance number is calculated as follows:
Device Instance number = 364 X 1000 + MAC Address
Where 364 is the nLight ECLYPSE controller’s unique BACnet Manufacturer ID.
This Numbering system is sufficient for a BACnet network that has only one nLight ECLYPSE Controller. For larger BAC-
net networks that have more than one controller (to form a BACnet intranetwork), set the MAC Addresses, Device Instance
Numbers and Network Numbers according to the numbering scheme below.
Adopting a Numbering System for MAC Addresses, Device Instance Numbers, and
Network Numbers
Good network planning requires a well-thought-out numbering scheme for device MAC Addresses, Device Instance Num-
bers (DI), and Network Numbers. We recommend the following scheme, as it reuses the MAC Address and Network Num-
ber in the Device Instance number to make it easier for a network administrator to know where a device is located in the
network. This is shown below.
Description Range Example
BACnet/IP Network Number 0 to 65 534 1
10 000
ECLYPSE Controller BACnet/IP Device Instance Numbers: Multiples of 10 000 10 000 to 4 190 000
20 000
10
BACnet MS/TP Network Number: ECLYPSE Controller BACnet/IP Device Instance
10 to 4190 20
Number/1000 + 0,1,2,3,4 (for each LAN)
30
BACnet MS/TP Device Instance Number = 10 000 to 4 190 256 10 006 where MAC = 6
Table 9: Recommended Numbering Scheme for MAC Addresses, Instance Numbers, and Network Numbers
An example of this numbering system is shown below.
nLight ECLYPSE 104

BMS
ECLYPSE ECLYPSE
Figure 101: BACnet MS/TP Numbering System for MAC Addresses, Device Instance Numbers, and Network Numbers
When discovering devices with a supervisor which has the routing option configured, it will discover all BACnet devices connected to all
ECLYPSE Controllers when routing is enabled (see Routing). Make sure to add only the devices connected to the MS/TP port of the specific
ECLYPSE Controller being configured. Using this numbering system will greatly help to identify those devices that should be added to a
given ECLYPSE Controller.
Setting the Controller’s MAC Address

The ECLYPSE Controller’s MAC address can be set in BACnet Settings of the ECLYPSE Web Interface.
Inter-Building BACnet Connection

BACnet network connections between buildings must be made using BACnet/IP as shown below.
nLight ECLYPSE 105

BMS
ECLYPSE ECLYPSE ECLYPSE
Figure 102: Typical Inter-Building Connection Using BACnet/IP or FOX
BACnet/IP Broadcast Management Device Service (BBMD)

Though BACnet/IP uses IP protocol to communicate, a standard IP router does not forward broadcast messages which are
important in BACnet to identify services that are available within the BACnet internetwork.
When two ECLYPSE Controllers communicate to each other over a standard IP connection that is separated by an IP
router, both controllers need the BACnet/IP Broadcast Management Device (BBMD) service to be configured and opera-
tional.
The BBMD service identifies BACnet messages on the BACnet MS/TP network that are intended for a device located on
another BACnet network. The BBMD service encapsulates these messages into an IP message to the appropriate BBMD
service of the other BACnet MS/TP network(s). The BBMD service on these networks strips out the encapsulation and
sends the BACnet message on to the appropriate devices.
When sending BACnet messages across a standard IP connection that has an IP router, there must be one BBMD service
running on each BACnet MS/TP network.
Power Supply Requirements for 24VAC-Powered Controllers
BACnet MS/TP is a Three-Wire Data Bus

Even though data is transmitted over a 2-wire twisted pair, all EIA-485 transceivers interpret the voltage levels of the trans-
mitted differential signals with respect to a third voltage reference common to all devices connected to the data bus (signal
reference). In practice, this common signal reference is provided by the building’s electrical system grounding wires that
are required by electrical safety codes worldwide. Without this signal reference, transceivers may interpret the voltage lev-
els of the differential data signals incorrectly, and this may result in data transmission errors.
The PS120 Power Supply is a double-insulated device and therefore is not grounded. The reference for the BACnet MS/TP data bus is
made by connecting the shield of the BACnet MS/TP data bus to the ECLYPSE Controller’s S terminal to provide a signal reference. This
shield is grounded at one point only – see Data Bus Shield Grounding Requirements.
nLight ECLYPSE 106

Avoid Ground Lift

24V Power wiring runs should not be too long, nor have too many devices connected to it. Wiring used to supply power to
devices has a resistance that is proportional to the length of the wiring run (See the table below).
AWG Diameter Area Copper wire resistance
Range (mm) (kcmil) (mm2) (Ω/km) (Ω/1000 ft.)

14 0.0641 1.628 4.11 2.08 8.286 2.525
16 0.0508 1.291 2.58 1.31 13.17 4.016
18 0.0403 1.024 1.62 0.823 20.95 6.385
Table 10: Resistance of Common Copper Wire Sizes
If the power run from the power supply is relatively long and it supplies power to many devices, a voltage will develop over
the length of wire. For example, a 1000 ft. of 18 AWG copper wire has a resistance of 6.4 Ohms. If this wire is supplying 1
Ampere of current to connected devices (See the figure below), the voltage developed across it will be 6.4 volts. This effect
is called ground lift.
Power Supply Electrical Power Run Length

AC Power Fuse: 4A Max. BACnet Device
Source Fast Acting
24 / 120 / 208 /
24V AC/DC
240 / 277 / 347 / 24 VAC
480 VAC, 1Ø, 2- 24V COM
Wire plus Ground Reqv I=1A
The equivalent resistance of a run of wire. For

example, a 1000 ft of 18 AWG copper wire
Electrical has a resistance of 6.4 Ohms. With 1 Ampere
System of current, the voltage developed along the
Ground – At length of the electrical power run for one
Transformer conductor will be 6.4 volts.
Only
Figure 103: Ground Lift from a Long Power Run with a 24VAC Device
Because the 24V COM terminal on BACnet MS/TP controllers is the signal reference point for the data bus, ground lift off-
sets the data bus voltage reference that is used to interpret valid data levels sent on the data bus. If the ground lift is more
than 7 volts peak, there is a risk of data corruption and offline events due to the device being incapable of correctly reading
data signals from the data bus. Thus, it is important to keep the power supply (transformer) as close to the controller as
possible.
Techniques to Reduce Ground Lift

Reduce the impact of ground lift as follows:
£ Use a heavier gauge wire.
£ Add more wire runs. Connect these wire runs to the power supply in a star pattern.
£ For controllers that accept DC power (that is, models without triac outputs): Specify a 24VDC power supply. The con-
tinuous and even voltage of a DC power supply makes more efficient use of the power handling capabilities of a power
run. A 24VDC power supply eliminates the 2.5 multiplication factor associated with the peak AC current being 2.5
times the average RMS AC current. See below.
About External Loads

When calculating a controller’s power consumption to size the 24VAC transformer, you must also add the external loads
the controller is going to supply, including the power consumption of any connected subnet module (for example, for com-
municating sensors). Refer to the respective module’s datasheet for related power consumption information.
nLight ECLYPSE 107

Transformer Selection and Determining the Maximum Power Run Length

To conform to Class 2 installation requirements, only use transformers of 100VA or less to power the device(s).
It is recommended to wire only one controller per 24VAC transformer.

For VAV devices, if only one 24VAC transformer is available, determine the maximum number of daisy-chained VAVs that
can be supplied on a single power cable supplied by a 100 VA transformer based on the controller’s expected power con-
sumption including external loads, the cable’s wire gauge, and the total cable length, using the following table. Any installa-
tion condition that is outside of the parameters of the following table should be avoided.
Daisy-chaining controllers is not permitted when a VAV controller’s expected power consumption including external loads
is over 15VA. In this case the controller must be connected to the 24VAC transformer in a star topology. The transformer
must be installed in close proximity to the controller.
AWG Power Run Total Maximum Number of Devices @ 7 Maximum Number of Devices @ Maximum Number of Devices @
Cable Length VA per device 10 VA per device 15 VA per device
141 75 m (250 ft.) 4 2 1
14 60 m (200 ft.) 5 3 2
14 45 m (150 ft.) 5 4 3
14 30 m (100 ft.) 5 5 4
16 60 m (200 ft.) 3 0 1
16 45 m (150 ft.) 5 3 2
16 30 m (100 ft.) 5 4 3
18 45 m (150 ft.) 3 2 1
18 30 m (100 ft.) 5 3 2
Table 11: Maximum Number of 24VAC VAV Devices on a Power Run with a 100 VA Transformer (Daisy-Chained)
1. Device terminals are not capable of accepting two 14 AWG wires (when daisy-chaining devices). Use a wire nut with a pig tail to make such a connection.
For non-VAV devices, determine the appropriate size transformer for the job as follows:
£ Add up the power requirements of all devices plus all external loads (see About External Loads). Multiply the total
power needed by a multiplier of 1.3, as a security 164margin. For example, to power five devices (15 VA each), the to-
tal load is 75 VA multiplied by 1.3 is 98 VA. Choose a size of transformer just over this amount: For example, a 100 VA
model.
£ When the total load of a number of devices requires a transformer with a rating greater than 100 VA, use two or more
transformers. Ensure that the load to be connected to each transformer follows the guideline of Step 1 above.
24VAC Power Supply Connection

Use an external fuse on the 24VAC side (secondary side) of the transformer, as shown in the figure below, to protect all
controllers against power line spikes.
The ECLYPSE Controller uses the S terminal as the signal reference point for the data bus (see Common Identification La-
bels for BACnet MS/TP Data Bus Polarity for other Manufacturers).
nLight ECLYPSE 108

Power Supply
AC Power BACnet Device
Fuse: 4A Max.
Source
Fast Acting
24 / 120 / 208 /
24V AC/DC
240 / 277 / 347 / 24 VAC
480 VAC, 1Ø, 2- 24V COM
Wire plus Ground
Maintain consistent
polarity when connecting BACnet Thermostat
Electrical controllers and devices to
System the transformer. RC
Ground – At The 24V COM / C C
Transformer terminals of all devices
Only must be connected to the
power supply bus that is
grounded.
Figure 104: The 24V COM / C Terminal of all Devices must be Connected to the Grounded Power Supply Bus
nLight ECLYPSE 109

Modbus TCP Configuration
CHAPTER 12
Modbus TCP Configuration
This chapter describes the Modbus TCP Configuration.
Controller Modbus Support

Certain ECLYPSE controller models support communication with Modbus devices. Refer to the controller’s datasheet for
more information.
Modbus TCP Device Connection

Modbus TCP devices are connected to the same subnet that the controller is connected to:
£ Connect the Modbus TCP device to the same network switch/router to which the controller is connected.
£ Connect the Modbus TCP device to either one of the controller’s Ethernet ports.
Device Addressing
Device addressing allows the coordinated transfer of messages between the master (the ECLYPSE Controller) and the
slave Modbus TCP device. For this, each Modbus TCP device is identified by its address.
About Device Addressing

Each slave device must have its own unique address number in the range from 1 to 254.
Refer to the device’s hardware installation guide for information about how to set its address number.
nLight ECLYPSE 110

Modbus RTU Communication Data Bus Fundamentals
CHAPTER 13
Modbus RTU Communication Data Bus
Fundamentals
This chapter describes the Modbus RTU Communications Data Bus operating principles.
Controller Modbus Support

Certain ECLYPSE controller models support communication with Modbus devices. Refer to the controller’s datasheet for
more information.
For controllers that support either BACnet MS/TP or Modbus RTU network options, this option is selected in the con-
troller’s web interface. Modbus RTU communications are made by connecting directly to the RS-485 port.
Modbus RTU Data Transmission Essentials

When the ECLYPSE Controller is configured for Modbus RTU, it acts as the Modbus master that initiates requests to any
slave device connected to this data bus. All slave devices must support Modbus RTU communications protocol. The
ECLYPSE Controller does not work with Modbus ASCII devices.
The Modbus RTU data bus protocol uses the EIA-485 (RS-485) 3-wire physical layer standard for data transmission.
EIA-485 is a standard that defines the electrical characteristics of the ECLYPSE Wi-Fi Adapters and drivers to be used to
transmit data in a differential (balanced) multipoint data bus that provides high noise immunity with relatively long cable
lengths which makes it ideal for use in industrial environments. The transmission medium is inexpensive and readily-avail-
able twisted pair shielded cable.
While there are many possible LAN topologies for an EIA-485 data bus, only devices that are daisy-chained together are
allowed with Modbus RTU.
End-of-line (EOL) terminations are critical to error-free EIA-485 data bus operation. The impedance of the cable used for
the data bus should be equal to the value of the EOL termination resistors (typically 120 ohms). Cable impedance is usu-
ally specified by the cable manufacturer.
Modbus RTU Data Bus is Polatiry Sensitive

The polarity of all devices that are connected to the Modbus RTU data bus must be respected. The markings to identify the
polarity can vary by manufacturer. The following table summarizes the most common identification labels for Modbus RTU
data bus polarity.
Controller Typical Data Bus Connection Terminals
Inverting Non-inverting Reference

D0 D1 SC, C, or C
Common identification labels for
A or A’ B or B’ Common
Modbus RTU data bus polarity
Data – Data + Data 0V
Table 12: Common Identification Labels for Modbus RTU Data Bus Polarity
When interfacing with Modbus RTU devices, refer to the documentation provided with the device to correctly wire the device.
nLight ECLYPSE 111

Data Bus Physical Specifications and Cable Requirements

Cables composed of stranded conductors are preferred over solid conductors as stranded conductor cable better resist
breakage during pulling operations. It is strongly recommended that the following data bus segment cable specifications be
respected.
Parameter Details
Media Twisted pair, 24 AWG
Shielding Foil or braided shield
The shield on each segment is connected to the electrical system ground at one point only; see Data Bus
Shield grounding
Shield Grounding Requirements.
Characteristic impedance 100-130 Ohms. The ideal is 100-120 Ohms
Distributed capacitance between
Less than 100 pF per meter (30 pF per foot). The ideal is less than 60 pF per meter (18 pF per foot)
conductors
Distributed capacitance between
Less than 200 pF per meter (60 pF per foot)
conductors and shield
Maximum length per segment 1220 meters (4000 feet)
Data Rate 9600, 19 200, 38 400, and 76 800 baud
Multi-drop Daisy-chain (no T-connections)
EOL terminations 120 ohms at each end of each segment
Data bus bias resistors 510 ohms per wire (max. of two sets per segment)
Table 13: Modbus RTU Data Bus Segment Physical Specifications and Cable Requirements
Shielded cable offers better overall electrical noise immunity than non-shielded cable. Unshielded cable or cable of a differ-
ent gauge may provide acceptable performance for shorter data bus segments in environments with low ambient noise.
Cable Type O.D. (Ø)
300 meters (1000 feet), 24 AWG Stranded, Twisted Pair Shielded Cable – FT6, Rated for Plenum
3.75mm (0.148 in.)
Applications
Table 14: Recommended Cable Types for Modbus RTU Data Buses
Data Bus Topology and EOL Terminations

Function of EOL Terminations
The first and last device on the data bus must have End-of-Line (EOL) termination resistors connected across the two data
lines/wires of the twisted pair. These resistors serve the following purposes:
£ EOL terminations dampen reflections on the data bus that result from fast-switching (high-speed rising and falling data
edges) that otherwise would cause multiple data edges to be seen on the data bus with the ensuing data corruption
that may result. The higher the baud rate a data bus is operating at, the more important that EOL terminations be prop-
erly implemented. Electrically, EOL terminations dampen reflections by matching the impedance to that of a typical
twisted pair cable.
£ EIA-485 data bus transmitters are tri-state devices. Meaning, they can electrically transmit 1, 0, and an idle state.
When the transmitter is in the idle state, it is effectively offline or disconnected from the data bus. EOL terminations
serve to bias (pull-down and pull-up) each data line/wire when the lines are not being driven by any device. When an
un-driven data bus is properly biased by the EOL terminations to known voltages, this provides increased noise immu-
nity on the data bus by reducing the likelihood that induced electrical noise on the data bus is interpreted as actual
data.
When to Use EOL Terminations

EOL terminations should only be enabled / installed on the two devices located at either end of the data bus. All other de-
vices must not have the EOL terminations enabled/installed. If a Modbus RTU device at the end of the data bus does not
have a built-in EOL termination, then add a 120 Ohm resistor across the device’s terminals.
nLight ECLYPSE 112

Baud: Auto (Factory Default) Baud: Auto (Factory Default) Baud: Auto (Factory Default) Baud: 38 400 Baud: 38 400
Typical Modbus RTU Typical Modbus RTU Typical Modbus RTU Typical Modbus RTU
Device Device Device Device ECLYPSE
EOL ON EOL OFF EOL OFF EOL OFF EOL

ON
NET +
NET +
NET +
NET +
NET +
NET-
NET-
NET-
NET-
NET-
S
S
Electrical
System
Ground
Figure 105: EOL Terminations Must be Enabled at Both the First and Last Device on the Data Bus
Devices with built-in EOL terminations are factory-set with the EOL termination disabled by default.
The BACnet/IP to MS/TP Adapter does not have EOL Termination (and Modbus RTU Data Bus biasing) capabilities to be used at the end of
a Modbus RTU data bus. Instead, use the BACnet/IP to MS/TP Router for this application.
About Setting Built-in EOL Terminations

ECLYPSE Controllers have built-in EOL terminations. These Controllers use jumpers or DIP switches to enable the EOL
resistors and biasing circuitry. These controllers have separate bias and EOL termination settings. This is useful in the fol-
lowing scenario: the ECLYPSE controller is located in the middle of the data bus and either one or both Modbus RTU de-
vices at the data bus ends do not have biasing or EOL terminations. In this situation, set the bias on the ECLYPSE con-
troller and set the EOL termination on the Modbus RTU devices at the end of the data bus. If a Modbus RTU device at the
end of the data bus does not have a built-in EOL termination, then add a 120 Ohm resistor across the device’s terminals.
Figure 106: Typical ECLYPSE Controller with Separate EOL Termination and Bias Configuration Settings
Refer to the Modbus RTU device’s Hardware Installation Guide for how to identify and set a device’s built-in EOL termina-
tions.
Only a Daisy-Chained Data Bus Topology is Acceptable

Use a daisy-chained Modbus RTU data bus topology only. No other data bus topology is allowed.
Only linear, daisy-chained devices provide predictable data bus impedances required for reliable data bus operation.
Only a daisy-chained data bus topology should be specified during the planning stages of a project and implemented in the installation phase
of the project.
nLight ECLYPSE 113

ECLYPSE ECLYPSE
Spur / Backbone
Star Topologies are
Topologies are
Unsupported
Unsupported
Figure 107: Unsupported Modbus RTU Data Bus Topologies
Data Bus Shield Grounding Requirements

The EIA-485 data bus standard requires that the data bus must be shielded against interference. A Modbus RTU data bus
must also be properly grounded.
The data bus’ cable shields must be twisted together and connected to the S or shield terminal at each ECLYPSE Con-
troller. Keep the cable shield connections short and take steps at each device to isolate the cable shield from touching any
metal surface by wrapping them with electrical tape, for example. Note that for ECLYPSE Controllers, the data bus’ cable
shield provides the ground reference for the data bus. If the controller is at the end of the BACnet MS/TP data bus, simply
connect the data bus shield to the S terminal.
Grounding the shield of a data bus segment in more than one place will more than likely reduce shielding effectiveness.
Modbus RTU Data Bus Shield Grounding Requirements

The shield on each data bus segment must be connected to the electrical system ground at one point only, for example, at
the ECLYPSE Controller, as shown below.
ECLYPSE Device Device Device Device
NET +
NET +
NET +
NET +
NET-
NET-
NET-
NET-
NET +
NET-
S
S
Data Bus Shield:

terminal

Figure 108: Typical Cable-Shield Grounding Requirements for a Modbus RTU Data Bus Segment with an ECLYPSE Controller located
at the End of the Data Bus
nLight ECLYPSE 114

Device Device ECLYPSE Device Device
NET +
NET +
NET +
NET +
NET +
NET-
NET-
NET-
NET-
NET-
S
S
Data Bus Shields:
S
terminal
2'-5 1/4"
Figure 109: Typical Cable-Shield Grounding Requirements for a Modbus RTU Data Bus Segment with an ECLYPSE Controller located
in the Middle of the Data Bus
Device Addressing
Device addressing allows the coordinated transfer of messages between the master (the ECLYPSE Controller) and the
slave Modbus RTU device. For this, each device connected to the Modbus RTU data bus is identified by its address.
About the Device Address
Each slave device must have its own unique address number in the range from 1 to 247.
Refer to the device’s hardware installation guide for information about how to set its address number.
nLight ECLYPSE 115

Resetting or Rebooting the Controller
CHAPTER 14
This chapter describes how to recover control over the controller by resetting it to the factory default settings.

The reset button is located between the RS-458 and Ethernet connectors on an nLight ECLYPSE controller. Depending on
the amount of time the reset button is held down, different actions are taken by the controller.
Hold reset for To
5 seconds Restart / reboot the controller.
10 seconds Reset both Ethernet and Wi-Fi IP addresses back to factory default settings.
Reset the controller to its factory default settings. User accounts (user names and passwords) will also be reset to the factory
20 seconds default settings and the controller’s license and HTTPS security certificates will be cleared.
If FIPS 140-2 mode has been enabled on the controller, this will turn FIPS 140-2 mode off.
Always backup the controller's license through the controller's Web interface before you hold the controller’s reset button for 20 seconds.
Once the controller reboots, you will have to install the license through the controller's Web interface.
To backup and install the license, see System Settings. Click Export To PC to backup the controller's license to your PC. Click Import From
PC to restore the controller's license file from your PC.
After you hold the controller’s reset button for 20 seconds, the controller’s HTTPS security certificates will be regenerated. If you use HTTPS
to connect to the controller, you will no longer be able to connect to the controller from any PC that was used in the past to connect to the
controller unless you delete the old HTTPS security certificate from these PCs. Removing a Certificate.
nLight ECLYPSE 116

ECLYPSE Controller Troubleshooting
CHAPTER 15
You can use this Troubleshooting Guide to help detect and correct issues with ECLYPSE controllers.
Symptom Possible Cause Solution
Fuse has blown (for 24V
Disconnect the power. Check the fuse integrity. Reconnect the power.
controllers)
Verify that consistent polarity is maintained between all controllers and the transformer.
Controller is powered but Power supply polarity Ensure that the COM terminal of each controller is connected to the same terminal on the
does not turn on secondary side of the transformer. See DHCP Versus Manual Network Settings.
The device does not have
Verify that the transformer used is powerful enough to supply all controllers. See
power / poor-quality power
Transformer Selection and Determining the Maximum Power Run Length.
(for 24V controllers)
1. Check power supply voltage between 24VAC/DC and 24V COM pins and ensure that it is
Absent or incorrect supply within acceptable limits (±15% for 24V controllers).
voltage (for 24V controllers)
2. Check for tripped fuse or circuit breaker.
Overloaded power
Verify that the transformer used is powerful enough to supply all controllers. See
transformer (for 24V
Transformer Selection and Determining the Maximum Power Run Length.
controllers)
Network not wired properly Double check that the wire connections are correct.
Absent or incorrect network
Check the network termination(s).
termination
Configure the Max Master to the highest MAC Address of any device on the MS/TP data
Max Master parameter
bus. See Setting the Max Master and Max Info Frames.
There is another controller
Each controller on a BACnet MS/TP data bus must have a unique MAC Address. Look at
with the same MAC
the MAC Address DIP switch on each controller. If it is set to 0 (all off), check the MAC
Address on the BACnet
Address.
MS/TP data bus
Device does not There is another controller Each controller on a BACnet intranetwork (the entire BACnet BAS network) must have a
communicate on the BACnet with the same Device ID on unique Device ID. See Adopting a Numbering System for MAC Addresses, Device Instance
MS/TP network the BACnet intranetwork Numbers, and Network Numbers.
BACnet data bus polarity is Ensure the polarity of the BACnet data bus is always the same on all devices. See BACnet
reversed. MS/TP Data Bus is Polarity Sensitive.
Cut or broken wire. Isolate the location of the break and pull a new cable.
The BACnet data bus has
See Adopting a Numbering System for MAC Addresses, Device Instance Numbers, and
one or more devices with
Network Numbers.
the same MAC Address.
The baud rate for all
At least one device must be set to a baud rate, usually the data bus master. See Baud Rate.
devices are set to AUTO
The device is set to a MAC See if the STATUS LED on the device is showing a fault condition. See the LED Fault
Address in the range of 128 Conditions provided by the manufacturer of your BACnet controller.
to 255. This range is for slave devices that cannot initiate communication.
The maximum number of
devices on a data bus Use a repeater to extend the BACnet data bus. See Maximum Number of BACnet MS/TP
segment has been Devices on a Data Bus Segment and Baud Rate.
exceeded.
The device has auto-
The STATUS LED is blinking See the LED Fault Conditions provided by the manufacturer of your BACnet controller.
diagnosed a fault condition
Network length See Data Bus Physical Specifications and Cable Requirements.
Controller communicates
well over a short network Wire type See Data Bus Physical Specifications and Cable Requirements.
BACnet MS/TP network, but Network wiring problem Double check that the wire connections are correct.
does not communicate on
Absent or incorrect network Check the network termination(s). Incorrect or broken termination(s) will make the
large network
termination communication integrity dependent upon a controller's position on the network.
nLight ECLYPSE 117


Number of controllers on The number of controllers on a channel should never exceed 50. Use a router or a repeater:
network segment exceeded See Data Bus Segment MAC Address Range for BACnet MS/TP Devices.
Configure the maximum number of master device on the MS/TP network in all devices to the
Max Master parameter controller's highest MAC address used on the MS/TP trunk. See BACnet MS/TP Data Bus
Token-Passing Overview.
Check that the wiring is correct according to the module's hardware installation manual and
Input wiring problem
according to the peripheral device's manufacturer recommendations.
Using a voltmeter, check the voltage on the input terminal. For example, for a digital input, a
Open circuit or short circuit short circuit shows approximately 0V and an open circuit shows approximately 5V. Correct
Hardware input is not wiring if at fault.
reading the correct value Using the controller configuration wizard, check the configuration of the input. Refer to the
Configuration problem
controller's user guide for more information.
An over-voltage or over-current at one input can affect the reading of other inputs. Respect
Over-voltage or over-
the allowed voltage / current range limits of all inputs. Consult the appropriate datasheet for
current at an input
controller input range limits.
Disconnect the power and outputs terminals. Then wait a few seconds to allow the auto-
Fuse has blown (Auto reset
reset fuse to cool down. Check the power supply and the output wiring. Reconnect the
fuse, for 24V controllers)
power.
Check that the wiring is correct according to the module's hardware installation manual and
Output wiring problem
Hardware output is not according to the peripheral device's manufacturer.
operating correctly Check the configuration of the output with an HVAC programming tool. For example, is it
Configuration problem
enabled?
0-10V output, 24VAC
Check the polarity of the 24VAC power supply connected to the actuator while connected to
powered actuator is not
the controller. Reverse the 24VAC wire if necessary.
moving
Table 15: Troubleshooting Controller Symptoms
Action Recommendation
EOL terminations must be enabled / installed at either end of the data bus only. See When to Use EOL
Properly terminate the BACnet MS/TP data bus
Terminations.
Verify that no device has a duplicate MAC Address by checking the MAC Address DIP switch settings
on all devices on the data bus, including segments connected by a repeater.
Avoid duplicate MAC Addresses
If necessary, isolate devices from the data bus to narrow-down the number of devices that may be at
fault.
When all devices are set to AUTO baud rate, at least one device must be set to a baud rate, usually
All devices must be set to the same baud rate the data bus master. See Maximum Number of BACnet MS/TP Devices on a Data Bus Segment and
Baud Rate.
Ensure that the polarity of all data bus wiring is consistent throughout the network. See BACnet MS/TP
The data bus is polarity sensitive
Data Bus is Polarity Sensitive.
COV reports create the most traffic on the BACnet MS/TP data bus. Set the COV report rate to the
largest value that provides acceptable performance. Only map COV reports for values that are
Do not overload the data bus with Change of
necessary. For mapped analog points that are continuously changing, try increasing the COV
Value (COV) reporting
increment on these points or set the COV minimum send time flag to true to send the value at a
regular frequency.
Assign MAC Address to device starting at 3, up to 127. Do not skip addresses. Set the maximum
Do not leave address holes in the device’s MAC MAC Address in the Controller to the final MAC Address number actually installed.
Address range NOTE: The physical sequence of the MAC Address of the devices on the data bus is unimportant: For
example, the MAC Address of devices on the data bus can be 5, 7, 3, 4, 6, and 8.
Only daisy-chained devices are acceptable Eliminate T-taps and star configurations. Use a router to connect a data bus spur.
Connect no more than five devices to a power BACnet MS/TP devices require good power quality. See Power Supply Requirements for 24VAC-
supply transformer (for 24V controllers) Powered Controllers.
Table 16: Verify that the Following Recommendations have been Carried Out Before Calling Technical Support
nLight ECLYPSE 118

Wi-Fi Network Troubleshooting Guide
CHAPTER 16
Wi-Fi Network Troubleshooting Guide
Any wireless system consists of two or more Wi-Fi transceivers and a radio propagation path (Radio Path). Problems en-
countered can be any of the following.
If the low power jammer is close to the transceiver antenna, move low power jammer (PC,
telephone, etc.) at least 6.5 feet (2 m) away from transceiver antenna.
Change the Wi-Fi channel on the router. Use a Wi-Fi surveying or Wi-Fi stumbling tool on a
Presence of a low power laptop computer to identify unused Wi-Fi channels that may provide a better interference-
jammer free radio path.
Move the Wi-Fi Adapter’s position where it has a clear line of sight to the router.
Move the wireless router’s position. Try moving the router to the center of the room where it
has a clear line of site to each wireless device.
Wi-Fi communications are Remove high power jammer if possible. If not, you will have to accept strong range
inexistent or intermittent Presence of a high-power reduction or add another wireless router closer to the controller(s).
jammer
Use a wired Ethernet connection to the controller.
Exchange the wireless dongle with another Wi-Fi Adapter. If the dongle is found to be
Defective Wi-Fi Adapter
defective, replace the dongle.
The maximum wireless
operating range has been Add another wireless router closer to the controller(s).
exceeded
The controller has a known
Upgrade the controller’s firmware. See User Management.
technical issue
No communications even Radio signal path might be If a new screening or metal separation wall has been installed since the network was set up,
though the Wi-Fi Adapter obstructed try moving the receiver to see if the issue is corrected.
has been tested functional
and there is no jammer in Router may have a known
the field to interfere with the Upgrade the router’s firmware. See the manufacturer’s Website.
technical issue
signal.
Table 17: Troubleshooting Wi-Fi Network Symptoms
nLight ECLYPSE 119

Single Sign On (SSO) Troubleshooting
CHAPTER 17
You can use this Troubleshooting Guide to help detect and correct issues with the SSO functionality. Even though the fol-
lowing table provides a work around to the issues, in general, we highly recommend that you always find the solution to
any problem you may encounter.
Symptom Possible Cause Work Arounds Solution
Verify the server status and server
connections.
Recovery password is SSO Server is down or a
requested in the Web networking or connection Enter your recovery password. Verify the network connectivity.
browser. issue has occured.
Reconfigure the SSO parameters. See
Setting Up the SSO Functionality
nLight ECLYPSE 120

nLight ECLYPSE 121

nLight ECLYPSE_UG_12_EN

Nlight-eclypse User Manual

Uploaded by

Copyright:

Available Formats

Nlight-eclypse User Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Nlight-eclypse User Manual

Uploaded by

Copyright:

Available Formats

nLight® ECLYPSE™

Document Revision History

About the nLight ECLYPSE Controller

About the IP Protocol Suite

About This User Guide

Purpose of the User Guide

nLight ECLYPSE Introduction

Conventions Used in this Document

Acronyms and Abbreviations Used in this Document

About the Internet Network

Internet Protocol Suite Overview

DHCP Versus Manual Network Settings

Dynamic Host Configuration Protocol (DHCP)

Fixed IP Address or Hostname Management

About the Subnetwork Mask

Class A Class B Class C Class A Class B Class C

/17 255.255.128.0 128 512 2 32766 32766

/21 255.255.248.0 8 8192 32 2046 2046

/25 255.255.255.128 128 131072 512 2 126 126 126

Private IPv4 Address Ranges

Reserved Host Addresses

Domain Name System (DNS)

About Routers, Switches, and Hubs

Figure 2: The Way a Router is Connected Changes its Function

Network Address Translation / Firewall

ISP Modem (Fiber, Cable, DSL)

Figure 3: Network Segment for HVAC IP Controllers

About Port Numbers

IP Network Port Numbers and Protocols

Service Default Port Description Where can this port

ECLYPSE Services that Require Internet Connectivity

Connecting the IP Network

Wired Network Cable Requirements

Bus and Cable Types Non-Plenum Applications Plenum Applications (FT6)

O.D. (Ø)1 O.D. (Ø)1

About the Integrated Ethernet Switch

Figure 5: Wired Network Connection - Daisy-Chained

Spanning Tree Protocol (STP)

Wired Router / Switch

Figure 6: Wired Network Connection: Spanning Tree Protocol – Normal Operation

Wired Router / Switch

The Port is Automatically Enabled

Cut Network Wire

Figure 7: Wired Network Connection: Spanning Tree Protocol – Failover Operation

Connecting the Network Cable to the Controller

Wireless Network Connection

Figure 8: Wi-Fi Adapter

About the 2.4 GHz ISM Band

Distance Between the Wi-Fi Adapter and Sources of Interference

About Wi-Fi Network Channel Numbers

Radio Signal Range

Radio Signal Transmission Obstructions

Wall Material Range Reduction vs. LoS

Where to Locate Wireless Adapters

Figure 11: Screening of Radio Waves

Transmission Obstructions and Interference

ECLYPSE Wi-Fi Adapter Mounting Tips

Planning a Wireless Network

Figure 14: Copy of floor plan and a compass

Figure 15: Mark relevant radio shadings