8950 aaa overview. all rights reserved © alcatel-lucent 2007 2 | introduction to 8950 aaa module...

8950 AAA Overview

2 | Introduction to 8950 AAA All Rights Reserved © Alcatel-Lucent 2007

Module Objectives

Supported platforms

History

8950 AAA Features

Standards Compliance & Awards


8950 AAA

A AAA (Authentication, Authorization & Accounting) software package Compliance with RADIUS and Diameter IETF RFC’s

pronounced “Triple A”

Formerly known as: Vital AAA,

and NavisRadius

Based on Java Platform independent

Flexible and extensible


8950 AAA Evolution (I)

FreeRadius 1.1©Livingston

Ascend Access Control©Ascend

Ascendbuys

Livingston

NavisRadius 1.3Based on

FreeRadius

PortAuthority 2.1©Lucent

Lucent buys Ascend

NavisRadius 3.xWith Java, multiplatform

and new engine (PolicyFlow)

NavisRadius 3.xWith Java, multiplatform

and new engine (PolicyFlow)

2000

1999

1992


8950 AAA Evolution (II)

NavisRadius 4.0= NR3.2 + GUI enhancements

NavisRadius 4.0= NR3.2 + GUI enhancements

2001

NavisRadius 4.2= Change in USS architecture

+ dictionary in XML

NavisRadius 4.2= Change in USS architecture

+ dictionary in XML

NavisRadius 4.3->4.5= Wi-Fi support (MD5, GTC, TLS,

TTLS/PEAP, SIM, etc.)

NavisRadius 4.3->4.5= Wi-Fi support (MD5, GTC, TLS,

TTLS/PEAP, SIM, etc.)

VitalAAA 5.0= Diameter support +

HTTPS/SSH

VitalAAA 5.0= Diameter support +

HTTPS/SSH

3/200612/2006

Alcatel merges with Lucent

VitalAAA 5.1= IPAMv2 + TACACS +

Lawful Intercept

VitalAAA 5.1= IPAMv2 + TACACS +

Lawful Intercept

VitalAAA 5.2= DHCPv6 + IPv6 MIB’s +

cron-based PF + EAP-FAST

VitalAAA 5.2= DHCPv6 + IPv6 MIB’s +

cron-based PF + EAP-FAST

4/2007

8950 AAA 6.0= UUS2 + File Replication

+ WiMAX policy flow

8950 AAA 6.0= UUS2 + File Replication

+ WiMAX policy flow

3/2008


AAA Components and communication ports

aaa-cmdaaa-cmd

Policy Server +

USS

Policy Server +

USS

SMT/Config Server

SMT/Config Server Plug-Ins

Data I/O• DHCP• JDBC• Password file• etc.

Data I/O• DHCP• JDBC• Password file• etc.

Logical Flow and decision Making

Logical Flow and decision Making

UtilitiesUtilities

GUIGUIGUI = SMTGUI = SMT

TCP:9020

UDP:1812, 1813, 3799

TCP:9023

AdmAdm

AdmAdm

TCP:9097,9099

SNMP Ag.SNMP Ag.UDP: 9161SNMP client

Web ServWeb ServBrowser (HTTP[S]) TCP: 9080

Other AAA servers

Other AAA servers

TCP:3868

RADIUS Test ClientRADIUS Test Client

Diam. Test ClientDiam. Test Client

telnet client

ssh client TCP:9023

TCP:9022

SQL DBSQL DBTCP: 9001

LDAP USSLDAP USSTCP: 9389SQL client (SMT)SQL client (SMT)

LDAP/LDIF clientLDAP/LDIF client

Lawful Intercept Server

Lawful Intercept Server

TACACS+ Test ClientTACACS+ Test Client TCP:49

TCP:9021


RADIUS / Diameter / TACACS+

PolicyServer

Functionality Overview

• Processes authentication & accounting requests

• Invokes the method engine• Starts the web server• Starts the Telnet/SSH CLI servers • Logs events

USS+IPAM

• Maintain port usage information

• Identify session limit violations

• Monitor user sessions

• May assigns IP’s


Logical System View

AAARemote ISP

Local AAA server #1

Local AAA server #2

UniversalStateServer

LDAP Directoriesor

Database Servers

NAS

...User

PSTN

the Internet


Management and Control Features

8950 AAA Server Management Tool (SMT) Graphical User interface (GUI)

Provides server administration and statistics

Local or Remote (via Configuration Server)

Remote Management Via telnet/ssh and modifying

configuration files

Using the SMT

With a Command Line Interface (CLI)

All remote management traffic can be encrypted with SSH or SSL


PolicyFlow and PolicyAssistant

PolicyFlow (PF) extensible plug-in software architecture

enabling the construction of flexible AAA policies to be able to meet any AAA requirements

you design exactly the processing steps you need, in the order you need them.

PolicyAssistant (PA) Simplifies configuration, for small ISP or

companies (predefined policy flow plus predefined provisioning)

Handles 80% of simple configuration needs Otherwise, use PolicyFlow

Has a graphical wizard to define policies

Configuration Time

What can be done PF

PA


8950 AAA Major Features (I)

Storage of users’ profiles Local text files

SQL server (local built-in (HSQL) or remote)

LDAP server

HTTP server

RADIUS server (proxy RADIUS)

Storage of accounting logs Local text files

Allows definition of any file format (Classic, Delimited or Fixed)

Remote servers Remote database (SQL) or RADIUS servers (proxy-RADIUS)


8950 AAA Major Features (II) Proxy-RADIUS

Ability to modify/add/remove any attribute sent/received from the remote server

Secure external authentication in token card servers SecurID/ACE (RSA)

SafeWord (Secure Computing)

Time-of-Day restrictions And automatic calculation of Session-Timeout

Wide EAP support EAP-MD5, EAP-GTC, EAP-LEAP, EAP-MsChapV2, EAP-TLS (and TTLS and PEAP),

EAP-SIM/AKA, EAP-FAST

Multiple Dictionaries To meet specific characteristics of each NAS or remote RADIUS server (when

proxying)


8950 AAA Major Features (III)

Pre-authentication for dial-up

SNMP support for statistics (v1, v2 & v3) Standard RFCs for RADIUS auth+acct (server and client):

4668, 4669, 4670, 4671

Built-in SQL database for users and accounting data storage


Troubleshooting facilities

Complete customizable logging facilities per message area

Conditional logging based on AAA attributes for specific users-name, realms, calling numbers, called numbers…

Multiple logging levels

Multiple places where logs can be sent (file, syslog, SNMP trap, …)

Client Testing tools, with CLI and GUI To simulate the connection of any user from any NAS with any

condition (any AAA AVP) RADIUS TestClient & NAS-simulator,

TACACS+ TestClient

Diameter TestClient


IP address assignment for users

Local management by the NAS

Simple built-in address manager

USS-based advanced IP Address Manager (IPAM) With optional redundancy and High-Availability

Pools can be defined without restarting the server

Different pools can have overlapping IP addresses

IPv4 addresses and IPv6 prefixes

External DHCP server selecting any DHCP option for a pool selection

DHCPRADIUSPPP

[HA-]IPAM

Simple Address Manager

DHCP

server

Local in NAS


AAA protocol translator and proxy

Any translation can be made between different protocols RADIUS <-> TACACS+

RADIUS <-> Diameter

TACACS+ <-> Diameter

Due to the flexibility of the PolicyFlow language Can receive AAA information in any protocol, and can generate

outgoing AAA packets in any protocol

RADIUS

Diameter

TACACS+

RADIUS

Diameter

TACACS+

Translation AgentProxy


Supported Platforms

Server + SMT (GUI): Solaris SPARC & x86: from 2.7 to 2.10

HP-UX 11.0

Compaq/DEC TRU-64 UNIX

RedHat Enterprise Linux

Windows 2000, 2003 & XP

MacOS: from 10.2 to 10.4

Java Virtual Machine (JRE, SDK or J2SE) J2SE 5.0


Universal StateServer (USS) = Session Manager

Keeps a database of NAS and Port usage To maintain sessions information

Maintains counters for resource usage: User Name

Called Number (DNIS)

Realm

Arbitrary criteria: ISP Name, Department, Region, Affinity group, etc.

May enforce limits on any of these counters

Optionally, it can have redundancy (HA-USS)

Optionally, the session and counters info can also be read via LDAP interface

Optionally, it can assign dynamic IP addresses (IPAM)


Best Authentication Server&

Security Product of the Year

8950 AAA awards (I)

Network Computing “Best Authentication Server”, for 2 years in

a row (2004 & 2005)

“Well-Connected Award” for outstanding networking products and services. (2004)

Overall “Security product of the year” (2005) from more than 27 security products in 9

different security categories.

“Editor’s Choice” and “Best Value” for the Enterprise RADIUS servers. (2005)

Best Authentication Server


8950 AAA awards (II)

3GSM World Congress (2006) in Barcelona (Spain), “Highly Commended Award for

Innovation in GSM Roaming”. by enabling a GSM operator to deliver a

service that allows GSM mobile users to use their home broadband network to initiate and accept and roam between the home and GSM networks without dropping the call!

*


Installed base

8950 AAA is deployed in over 4,000 service providers, enterprise and government networks around the world.

Customers range from: small businesses and enterprises and universities

offering remote dial-in and wireless access services, to

government departments and agencies,

wholesale operators selling ports to downstream customers, major wireless service providers, and

global Internet service providers.


Standards Compliance (I)

http:// 802.1x

1XEV-DO


RADIUS Standards Compliance (II)


RADIUS Standards Compliance (III)

8950 aaa overview. all rights reserved © alcatel-lucent 2007 2 | introduction to 8950 aaa module...

Documents

aaa aaa components

aaa policyflow

aaa management

aaa authentication

aaa evolution

aaa servers tcp

aaa requirements

vital aaa