User's Manual

10 MDS Mercury 16E Technical Manual MDS 05-6302A01, Rev. B
Authentication
Authentication is the process by which one network entity verifies that
another entity is who or what it claims to be and has the right to join the
network and use its services. Authentication in wireless SCADA
networks has two primary forms: User Authentication and Device
Authentication. User authentication allows a device to ensure that a user
may access the device's configuration and services. Device
authentication allows a network server to verify that a hardware device
may access the network.
User Authentication
The Mercury transceiver requires user login with an account and
password in order to access the Device Manager menu. This process can
be managed locally, in which case the device stores the user account
information in its on-board non-volatile memory, or remotely, in which
case a RADIUS server is used. The transceiver has two local accounts:
operator and admin. The operator account has read-only access to
configuration parameters and performance data. The admin account has
read-write access to all parameters and data.
NOTE: The Operator account has access through the web, console,
Telnet, or SSH interfaces, but settings may only be viewed, not
changed.
To centralize the management of user accounts, a RADIUS server may
be used. Each Mercury transceiver must be configured with the IP
address, port, shared secret, and authentication protocol of a RADIUS
server. When a user attempts to log in, the credentials are forwarded to
the RADIUS server for validation.
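The following is an added worked example, not part of the MDS manual and not the transceiver's firmware; it shows what the RADIUS exchange described above looks like on the wire (RFC 2865), and in particular what the configured shared secret is used for. It assumes the PAP authentication protocol (the manual does not say which protocol the device uses), a constructed shared secret, and constructed credentials. The client-side check in verify_response is the part that matters for a defender: a reply whose Response Authenticator cannot be recomputed with the shared secret is not from the configured server and must be discarded.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (counting these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 bytes (at least
    16), then XOR each block with MD5(secret + previous block); the first 'previous
    block' is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; the chaining value is the ciphertext block."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """What the transceiver would send to the RADIUS server for a PAP login."""
    if request_auth is None:
        request_auth = secrets.token_bytes(16)  # must be unpredictable and unique
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply (Access-Accept or Access-Reject) bound to the request and secret."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes, expected_id: int) -> bool:
    """Client-side check before honouring a reply: the identifier must match the
    outstanding request and the Response Authenticator must be recomputable
    with the configured shared secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_id:
        return False
    attrs = packet[HEADER_LEN:]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def demo() -> dict:
    """Round trip with constructed values: the server recovers the password, a
    genuine Access-Accept verifies, and an Access-Accept built without the
    shared secret fails the client check."""
    secret = b"constructed-shared-secret"  # constructed, not a deployment value
    username, password = b"admin", b"constructed-password"
    request_auth, ident = secrets.token_bytes(16), 7
    request = build_access_request(ident, username, password, secret, request_auth)
    # Server side: attributes start at offset 20; User-Name, then User-Password.
    pw_attr = request[HEADER_LEN + request[HEADER_LEN + 1]:]
    recovered = decode_user_password(pw_attr[2:pw_attr[1]], secret, request_auth)
    genuine = build_response(ACCESS_ACCEPT, ident, request_auth, secret)
    forged = build_response(ACCESS_ACCEPT, ident, request_auth, b"wrong-secret")
    return {
        "password_roundtrip": recovered == password,
        "genuine_accept_ok": verify_response(genuine, request_auth, secret, ident),
        "forged_accept_ok": verify_response(forged, request_auth, secret, ident),
    }


if __name__ == "__main__":
    print(demo())
```

Two points follow from the code: the User-Password attribute is only as strong as the shared secret, so the secret configured on each transceiver should be long and random rather than a short word, and the Request Authenticator must be fresh per request, since the password masking is keyed off it.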
PKMv2 Device Authentication
The IEEE 802.16e-2005 WiMAX standard uses PKMv2 for securing
the wireless channel. PKMv2 stands for Privacy Key Management
version 2. The Privacy Key Management protocol is used to exchange
keying material from the Base Station to the Subscriber. This keying
material is used to encrypt data so that it is secure during transport over
the air. The encryption keys are routinely rotated to ensure security.
Initial keying material is obtained during the device authentication
process. This occurs when a Subscriber attempts to join a Base Station.
The Base Station initiates an EAP-TLS negotiation with the Subscriber
to begin the device authentication process. The Subscriber is only
allowed to transmit EAP messages until the authentication has finished
successfully. The Base Station forwards messages to the RADIUS
server where the decision to allow the Subscriber to join is made. If the
Subscriber authenticates successfully and the RADIUS server allows