User's Manual
10 MDS Mercury 16E Technical Manual MDS 05-6302A01, Rev. A
Authentication. User authentication lets a device verify that a user is
permitted to access the device's configuration and services. Device
authentication lets a network server verify that a device is permitted to
access the network.
User Authentication
The Mercury transceiver requires user login with an account and
password in order to access the Device Manager. This process can be
managed locally, with the device storing the user account information
in its on-board non-volatile memory, or remotely, with a RADIUS
server. The transceiver has two local accounts: operator and
admin. The operator account has read-only access to configuration
parameters and performance data. The admin user has read-write access
to all parameters and data.
NOTE: The Operator account does not have access through the web
interface. An Operator account may be used with the console,
Telnet, or SSH.
To centralize the management of user accounts, a RADIUS server may
be used. Each Mercury transceiver must be configured with the IP
address, port, shared secret, and authentication protocol of a RADIUS
server. When a user attempts to log in, the credentials are forwarded
to the RADIUS server for validation.
PKMv2 Device Authentication
The IEEE 802.16-2005 WiMAX standard uses PKMv2 for securing the
wireless channel. PKMv2 stands for Privacy Key Management version
2. The Privacy Key Management protocol is used to exchange keying
material from the Base Station to the Subscriber. This keying material is
used to encrypt data so that it is secure during transport over the air. The
encryption keys are routinely rotated to ensure security.
Initial keying material is obtained during the device authentication
process. This occurs when a Subscriber attempts to join a Base Station.
The Base Station initiates an EAP-TLS negotiation with the Subscriber
to begin the device authentication process. The Subscriber is only
allowed to transmit EAP messages until the authentication has finished
successfully. The Base Station forwards messages to the RADIUS
server where the decision to allow the Subscriber to join is made. If the
Subscriber authenticates successfully and the RADIUS server allows
the Subscriber to join the network, then the data encryption keying
material is sent to the Base Station. The Base Station then continues the
PKM protocol to further derive keying material that is used to secure
transmissions between the Base Station and the Subscriber.
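The gating behaviour described above (a Subscriber may send only EAP messages until device authentication completes, the Base Station defers the admit decision to the RADIUS server, and keying material is then derived for the link) as an added simulation; this is example code, not the Mercury firmware or the 802.16 key hierarchy. The message types, the `demo_radius` decision function and the HMAC-based `derive_link_key` are constructed stand-ins for the real EAP-TLS exchange and the PKMv2 key derivation.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed message classes; real 802.16 management messages are richer.
EAP, DATA = "EAP", "DATA"


def derive_link_key(msk: bytes, bs_id: bytes, ss_id: bytes) -> bytes:
    """Labeled HMAC-SHA256 derivation binding the key to both endpoints.
    Assumption: a simplified stand-in, not the standard's PKMv2 KDF."""
    return hmac.new(msk, b"link-key" + bs_id + ss_id, hashlib.sha256).digest()


@dataclass
class BaseStation:
    bs_id: bytes
    radius: Callable[[bytes, bytes], Optional[bytes]]  # stand-in for RADIUS
    authenticated: Dict[bytes, bytes] = field(default_factory=dict)
    dropped: List[tuple] = field(default_factory=list)

    def receive(self, ss_id: bytes, msg_type: str, payload: bytes) -> str:
        if msg_type == EAP:
            # EAP is always forwarded; RADIUS decides and, on success,
            # returns the keying material the Base Station builds on.
            msk = self.radius(ss_id, payload)
            if msk is None:
                return "reject"  # subscriber stays unauthenticated
            self.authenticated[ss_id] = derive_link_key(msk, self.bs_id, ss_id)
            return "accept"
        if ss_id not in self.authenticated:
            self.dropped.append((ss_id, msg_type))  # non-EAP before auth
            return "drop"
        return "forward"


def demo_radius(ss_id: bytes, eap_payload: bytes) -> Optional[bytes]:
    # Constructed policy: only a known device with a valid EAP-TLS result
    # is admitted; the returned bytes stand in for the session key material.
    allowed = {b"ss-0001": b"\x11" * 64}
    return allowed.get(ss_id) if eap_payload == b"EAP-TLS:cert-ok" else None


def run_scenario():
    bs = BaseStation(bs_id=b"bs-A", radius=demo_radius)
    before = bs.receive(b"ss-0001", DATA, b"hello")          # dropped
    auth = bs.receive(b"ss-0001", EAP, b"EAP-TLS:cert-ok")   # accepted
    after = bs.receive(b"ss-0001", DATA, b"hello")           # forwarded
    rogue = bs.receive(b"ss-9999", EAP, b"EAP-TLS:cert-ok")  # unknown device
    return before, auth, after, rogue, len(bs.dropped)
```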