Configuration • RADIUS Authentication
APEX1000 All-Purpose Edge QAM Software Version 2.4.x • Installation and Operation Manual
573408-001-a
Redundancy Overview
Two Authentication and Authorization servers are supported, a primary and a backup.
Each must be configured with an IP address, UDP port, and a shared secret.
Authentication Operation
If configured to authenticate by way of RADIUS, the communication flow follows this
sequence:
1. The operator enters credentials into the EM, such as username and password.
2. The APEX transmits an Access-Request message to the RADIUS server.
3. The RADIUS server replies with an Access-Accept, Access-Reject, or Access-Challenge message.
4. The EM sends the user a message indicating success, reject, or challenge.
5. If the headend device receives the Access-Challenge message, the EM prompts the user for additional information, which is sent to the headend device.
6. The headend device issues an Access-Request message with new information retrieved from the operator.
Note: Following an APEX reboot, users must be re-authorized by re-logging into the
APEX-EM.
Idle Timeout
The idle timeout is defined on the RADIUS server, and indicates how long the user
session may be idle before the connection is closed (activity is defined as an SNMP GET
or SET operation initiated by the EM).
If the idle timeout expires, the EM informs the APEX that the timeout has expired, and
logs the user out of the EM.
Note: To properly interoperate with RSA SecurID, the timeout window must be wider
than two seconds.
Concurrent Sessions
Each user logon is authenticated by the headend device. There is no limit to the number
of users that may be authenticated by RADIUS.
Local Fallback
After failing to authenticate against both primary and backup RADIUS authentication
servers, the headend device reverts to local authentication (if so configured).
Local authentication is the same as the current login, with root and other users.