AAA is an acronym for Authentication, Authorization, and Accounting. As a core component of the network, the AAA Server performs the user authentication, authorization, and accounting functions. In some special scenarios it also provides maintenance management, proxy and session information query functions.

The main features of the AAA Server are as follows:

  • All Network and Multi-Services – The AAA Server supports various networks such as narrowband, broadband, WCDMA/GPRS, CDMA450/1X/2000/EV-DO and WiMAX simultaneously. The ability of the AAA Server to support various networks and services at the same time allows carriers with multiple licenses to save investment and operating costs. Carriers can build a single AAA system to implement authentication, authorization and accounting for all the data users on their fixed and mobile networks, achieving centralized user management and unified service provision.
  • Carrier Grade and High Capacity – The AAA Server adopts two-node backup for the critical hardware together with a load sharing and balancing mechanism, thereby eliminating single points of failure. The AAA Server also comes with a traffic control and overload protection mechanism, enabling smooth capacity expansion to millions of users.

Supported standards

The AAA Server complies with the following standards:

  • IETF standards:
    • RADIUS – RFC 2865
    • RADIUS Accounting – RFC 2866
    • RADIUS Extensions – RFC 2869
    • RADIUS Attributes for Tunnel Protocol Support – RFC 2868
    • RADIUS Accounting Modifications for Tunnel Protocol Support – RFC 2867
    • RADIUS Authentication Server MIB – RFC 2619, RFC 2620
    • RADIUS Accounting Server MIB – RFC 2621, RFC 2622
    • RADIUS Dynamic Authorization Support – RFC 3576
    • RADIUS EAP Support – RFC 3579
    • EAP-AKA – RFC 4187
    • EAP-TLS – RFC 2716
    • EAP-TTLS
    • Microsoft Vendor-Specific RADIUS Attributes – RFC 2548
    • HTTP Digest Authentication Support – RFC 2617
    • RADIUS Extension for Digest Authentication – RFC 5090
    • Diameter Base Protocol Support – RFC 3588
    • Diameter EAP Extension Support – RFC 4072
    • Diameter NASReq Extension Support – RFC 4005
    • Diameter MIPv4 Extension Support – RFC 4004
    • Diameter Credit-Control Application – RFC 4006
  • TIA / EIA standards:
    • IS835 CDMA2000 extensions (Mobile IP)
    • IS878 CDMA2000 RAN 1xEV-DO A12 Support
  • 3GPP2
    • X.S0011-D v1.0 CDMA2000 Wireless IP Network Standard
    • X.S0028-100-0 Wireless Local Area Network Interworking
    • X.S.R0087-A v1.0 CDMA 2000 WLAN Interworking
  • 3GPP / ETSI
    • TS 29.061 GPRS – PLMN Inter-working
    • TS 23.234 WLAN Interworking – System Description

Functional Description

Configurable Authentication

The AAA Server supports authentication based on a single attribute or on multiple attributes (fully configurable) such as IMSI, MSISDN, IMEI, NAI, realm/domain, user name/login, etc.

Combinations of these parameters are configured in the Policy Engine, which defines the static rules applied, for instance, when authenticating.

The AAA Server supports multiple authentication policies, which can be configured in the Policy Engine.

An ordered list of policy rules is defined for the Policy Engine. Each rule consists of one condition and one action.

  • The condition specifies an attribute-value pair that must appear in the access or accounting message. Decisions can be made based on any attribute value pair for maximum flexibility.
  • The action, with one or more action-modifiers, specifies what the AAA Server should do with the request if the condition is met. The action can also reference another policy file to define complex policy rules with embedded conditions.
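As an added example, not the product's own code, the following Python sketch shows how an ordered rule list of the kind described above can be evaluated: each rule is an attribute-value condition with an action and modifiers, the first matching rule wins, an action of `policy` references another named rule set so that complex conditions can be nested, and a request that matches no rule is rejected. The attribute names, the action vocabulary and the sample policies are assumptions made for this illustration.

```python
"""Ordered policy-rule evaluation over a RADIUS-style attribute set.

Added illustration, not the product's own code. The attribute names, the
rule format and the action vocabulary (accept, reject, proxy, policy) are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

Attrs = Dict[str, str]


@dataclass
class Rule:
    """One rule: a condition (attribute == value) plus an action and modifiers.

    action == "policy" references another named policy, so rule lists can nest.
    """
    attribute: str
    value: str
    action: str
    modifiers: Dict[str, str] = field(default_factory=dict)

    def matches(self, attrs: Attrs) -> bool:
        return attrs.get(self.attribute) == self.value


@dataclass
class Decision:
    action: str
    modifiers: Dict[str, str]
    trace: List[str]          # which rules fired, for audit logging


class PolicyEngine:
    MAX_DEPTH = 8             # guard against circular policy references

    def __init__(self, policies: Dict[str, List[Rule]]) -> None:
        self.policies = policies

    def evaluate(self, policy: str, attrs: Attrs, depth: int = 0) -> Decision:
        if depth > self.MAX_DEPTH:
            return Decision("reject", {"reason": "policy-loop"}, [f"{policy}: depth limit"])
        for rule in self.policies[policy]:
            if not rule.matches(attrs):
                continue
            step = f"{policy}: {rule.attribute}={rule.value} -> {rule.action}"
            if rule.action == "policy":
                sub = self.evaluate(rule.modifiers["name"], attrs, depth + 1)
                return Decision(sub.action, sub.modifiers, [step] + sub.trace)
            return Decision(rule.action, dict(rule.modifiers), [step])
        # First match wins; when nothing matches, the request is rejected.
        return Decision("reject", {"reason": "no-matching-rule"}, [f"{policy}: no match"])


# Constructed sample policy set (not taken from the product).
POLICIES = {
    "main": [
        Rule("NAS-IP-Address", "10.0.0.5", "reject", {"reason": "blocked-nas"}),
        Rule("Realm", "corp.example", "policy", {"name": "corp"}),
        Rule("Realm", "roaming.example", "proxy", {"target-group": "partner-aaa"}),
    ],
    "corp": [
        Rule("Service-Type", "Framed-User", "accept", {"ip-pool": "corp-pool"}),
    ],
}


def decide(attrs: Attrs) -> Decision:
    return PolicyEngine(POLICIES).evaluate("main", attrs)


if __name__ == "__main__":
    for req in (
        {"User-Name": "alice", "Realm": "corp.example", "Service-Type": "Framed-User"},
        {"User-Name": "bob", "Realm": "roaming.example"},
        {"User-Name": "eve", "Realm": "corp.example", "NAS-IP-Address": "10.0.0.5"},
    ):
        d = decide(req)
        print(req["User-Name"], d.action, d.modifiers, " | ".join(d.trace))
```

Because the list is ordered, the rule blocking a NAS is placed first so it wins over the realm rules; the `trace` records every rule that fired, which is what an operator needs when an unexpected accept or reject has to be explained.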

Authentication methods

The AAA Server supports CHAP, PAP, MSCHAPv1/v2, EAP (EAP-MD5), Microsoft PEAP, EAP-MSCHAP-v2 for PEAP, EAP-AKA, EAP-SIM, and EAP-TLS.

The AAA Server supports a ‘Black List’ function. If a user enters a wrong password during authentication, the AAA Server is able to block the user after a certain number of failed attempts. For the specified lockout period the AAA Server does not authenticate the user even if the correct password is provided. This function, the allowed number of authentication attempts and the duration of the account lockout are fully configurable.

The ‘Black List’ function can be configured per APN, realm/domain, NAS, etc.
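The lockout behaviour described above, as an added example in Python (not the product's code): failed attempts are counted per user within a scope such as an APN, realm or NAS, each scope can carry its own threshold and lockout duration, and while the lockout is active a correct password is still refused. The scope keys, the thresholds and the injectable clock are assumptions for this illustration.

```python
"""Failed-authentication lockout ('Black List') with per-scope thresholds.

Added illustration, not the product's code. Scope keys (APN, realm, NAS id),
the thresholds and the injectable clock are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int      # failed attempts allowed before the user is blocked
    lockout_seconds: int   # how long the block lasts


class BlackList:
    def __init__(self, default: LockoutPolicy, per_scope: Dict[str, LockoutPolicy],
                 clock: Callable[[], float]) -> None:
        self.default = default
        self.per_scope = per_scope   # e.g. "apn:internet", "realm:corp.example", "nas:nas1"
        self.clock = clock
        self.failures: Dict[Tuple[str, str], int] = {}
        self.locked_until: Dict[Tuple[str, str], float] = {}

    def policy_for(self, scope: str) -> LockoutPolicy:
        return self.per_scope.get(scope, self.default)

    def is_locked(self, user: str, scope: str) -> bool:
        key = (user, scope)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the failure counter starts over.
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def authenticate(self, user: str, scope: str, password_ok: bool) -> str:
        """Returns "accept", "reject" or "reject-locked"."""
        key = (user, scope)
        if self.is_locked(user, scope):
            return "reject-locked"        # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(key, None)  # a success resets the counter
            return "accept"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        policy = self.policy_for(scope)
        if count >= policy.max_attempts:
            self.locked_until[key] = self.clock() + policy.lockout_seconds
            return "reject-locked"
        return "reject"


class FakeClock:
    """Constructed clock so the example runs deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Three wrong passwords, a correct one during lockout, a correct one after it."""
    clock = FakeClock()
    bl = BlackList(LockoutPolicy(3, 600), {"apn:iot": LockoutPolicy(5, 60)}, clock)
    results = [bl.authenticate("alice", "apn:internet", False) for _ in range(3)]
    results.append(bl.authenticate("alice", "apn:internet", True))  # correct, but still locked
    clock.advance(600)
    results.append(bl.authenticate("alice", "apn:internet", True))  # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the counter on (user, scope) is what makes the per-APN or per-NAS configuration meaningful: a lockout on one APN does not carry over to another, and a scope with a higher threshold (the constructed `apn:iot` entry) tolerates more failures before blocking.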

Integration with IN and Billing systems (prepaid and postpaid)

The AAA Server supports the following protocols for online charging:

  • DIAMETER DCCA
  • SOAP (OSA/Parlay)

The AAA Server supports generation, download and storage of CDRs and logs for all events subject to charging.

CDR format and content are fully customizable, for example CSV, ASN.1, XML, etc.

The AAA Server supports the following billing collection interfaces: FTP, SFTP, FTPS, SSH, XML over HTTP(S) and the 3GPP API charging subset. Additional interfaces can be developed according to the customer’s requirements.

SPR

The AAA Server includes an RDBMS as part of the solution. This database is used as:

  • Subscriber profile database
  • Usage database
  • Database of active subscriber’s sessions

The Subscriber Database contains the users’ profiles. The AAA Server has a provisioning interface (SOAP) with BSS/OSS to enable management of the subscriber profiles. Additional interfaces can be configured or developed according to the customer’s needs. The database, the list of parameters and their values are configurable according to the customer’s requirements. The AAA Server can be integrated with an external database repository over the standard LDAP (v3) protocol.

The Usage Database provides a centralized repository for information about subscribers’ system usage. This usage data is based on the accounting records of every user session, including sessions for which the AAA Server proxies accounting messages to a proxy target server.

Database of active subscriber’s sessions

After a user goes online, the AAA Server stores the user session information (such as MSISDN, IP address, IMSI, etc.) in the database. External systems (such as a Call Center) can query this information from the AAA Server through the HTTP interface by IP address, MSISDN, IMSI, IMEI or any other ID. The database, the list of parameters and their values are configurable according to the customer’s requirements.

Proxy

The AAA Server includes an intelligent, load balancing, high-performance engine. It supports fault detection and recovery as well as sophisticated attribute manipulation features that ensure efficient message flow.

The AAA Server can define separate target servers for authentication and accounting. Communication between the RADIUS servers is protected as defined in RFC 2865: a shared secret authenticates the messages and hides the password attribute. Policy rules (supported by the Policy Engine) specify when the AAA Server should proxy access or accounting requests to another server. The proxy condition can be based on any attribute value in the access or accounting message, such as domain, called number or NAS, or on other criteria such as APN, subscriber id, etc.

Proxy target groups can be configured with fail-over and load-sharing policies. Proxy target fail-over ensures high-availability authentication through ordered lists of alternative proxy targets, when a proxy target is unreachable or is not responding reliably. If the first target server in the group fails to respond within a defined time, the AAA Server forwards the access or accounting request to the second server listed. If no response is received from any of the servers in the group, the policy rule can be configured to reject the access request or to accept the request and authorize the user locally.

Proxy target load-sharing allows the AAA Server to distribute authentication and accounting requests on a round-robin basis across a group of target servers. The ability to apply policies on a per-proxy target or a per-proxy target group basis allows the tailoring of service level agreements to meet individual customer requirements.

Before proxying a message to an external AAA server, the AAA Server can add, delete or modify RADIUS attributes in the request. For example, if a specific combination of attributes and values is present, the AAA Server can add a new attribute, delete an existing attribute and modify the value of another existing attribute.
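An added Python example (not the product's code) of the proxy behaviour described in this section: a target group is tried in order for fail-over or rotated round-robin for load sharing, the configured fallback (reject, or accept and authorize locally) applies when no target answers, and attribute rewriting is applied to the request before it leaves. The RADIUS transport is replaced by an injected `send` callable that returns the reply attributes or `None` on timeout; the group names, attribute names and rewrite rules are assumptions.

```python
"""Proxy target groups with ordered fail-over, round-robin load sharing and
attribute rewriting before forwarding.

Added illustration, not the product's code. The transport is an injected
`send` callable; target names, attribute names and rewrite rules are assumed.
"""
import itertools
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, str]
Send = Callable[[str, Attrs], Optional[Attrs]]   # (target, request) -> reply or None


class AttributeRewrite:
    """When every `when` attribute matches, add/modify `set_attrs` and drop `remove`."""

    def __init__(self, when: Attrs, set_attrs: Attrs, remove: List[str]) -> None:
        self.when, self.set_attrs, self.remove = when, set_attrs, remove

    def apply(self, attrs: Attrs) -> Attrs:
        if any(attrs.get(k) != v for k, v in self.when.items()):
            return dict(attrs)
        out = {k: v for k, v in attrs.items() if k not in self.remove}
        out.update(self.set_attrs)
        return out


class ProxyTargetGroup:
    def __init__(self, targets: List[str], mode: str, on_no_response: str,
                 rewrites: List[AttributeRewrite], send: Send) -> None:
        self.targets = targets
        self.mode = mode                        # "failover" (ordered) or "round-robin"
        self.on_no_response = on_no_response    # "reject" or "local-accept"
        self.rewrites = rewrites
        self.send = send
        self._next = itertools.cycle(range(len(targets)))

    def _order(self) -> List[str]:
        if self.mode == "round-robin":
            start = next(self._next)
            # Rotate the list to spread load, but still fail over down the list.
            return self.targets[start:] + self.targets[:start]
        return list(self.targets)

    def forward(self, request: Attrs) -> Dict[str, object]:
        req = request
        for rw in self.rewrites:
            req = rw.apply(req)
        tried: List[str] = []
        for target in self._order():
            tried.append(target)
            reply = self.send(target, req)
            if reply is not None:
                return {"result": reply.get("Code"), "target": target, "tried": tried, "request": req}
        # No target answered: apply the policy's configured fallback.
        fallback = "Access-Accept" if self.on_no_response == "local-accept" else "Access-Reject"
        return {"result": fallback, "target": None, "tried": tried, "request": req}


# Constructed transport: one partner server never answers, the other accepts.
DOWN = {"aaa1.partner.example"}


def fake_send(target: str, req: Attrs) -> Optional[Attrs]:
    if target in DOWN:
        return None                      # no response within the timeout
    return {"Code": "Access-Accept", "Proxied-By": target}


# Assumed rewrite rule: for the roaming realm, strip an internal tag and add a partner tag.
REWRITES = [AttributeRewrite({"Realm": "roaming.example"},
                             {"Proxy-Tag": "roaming-in"}, ["Internal-Session-Tag"])]


def make_group(mode: str, on_no_response: str = "reject") -> ProxyTargetGroup:
    return ProxyTargetGroup(["aaa1.partner.example", "aaa2.partner.example"], mode,
                            on_no_response, REWRITES, fake_send)


if __name__ == "__main__":
    group = make_group("failover")
    print(group.forward({"User-Name": "bob", "Realm": "roaming.example", "Internal-Session-Tag": "x"}))
```

The `tried` list in the result is worth keeping in logs: a proxy group that constantly falls through to its second member is the first sign that the primary partner server is unreachable, and the `request` returned shows exactly which attributes left the operator's network.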

PoD and CoA

The AAA Server uses CoA messages to dynamically modify active subscriber sessions. For example, RADIUS attributes in CoA messages can instruct the NAS to create, modify, or terminate a subscriber service. CoA-Request packets contain information for dynamically changing session authorizations. RADIUS-initiated CoA messages use the following codes in request and response messages: CoA-Request (43), CoA-ACK (44), CoA-NAK (45).

In the same way, the AAA Server generates Disconnect Messages (PoD) to the network access gateway on reception of an OCS order or based on other criteria: when the subscriber is removed from the subscriber profile database, when the subscriber’s status has changed, etc. These criteria are configurable using the Policy Engine supported by the AAA Server.
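The CoA and Disconnect exchange as an added Python example (not the product's code): the AAA side builds a CoA-Request (code 43) or Disconnect-Request naming the session it wants changed, the NAS side verifies the Request Authenticator with the shared secret before answering CoA-ACK (44) or Disconnect-ACK, and a packet whose authenticator does not verify is dropped without a reply. The Disconnect codes 40, 41 and 42 come from the same RFC 3576 as the CoA codes listed above. The shared secret, identifiers and attribute values are constructed sample data.

```python
"""Building and verifying RADIUS CoA / Disconnect packets (RFC 3576).

Added illustration, not the product's code. The shared secret, identifiers
and attribute values are constructed sample data.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Packet codes from RFC 3576 (the CoA ones are the ones listed on the page).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard RADIUS attribute types used below.
USER_NAME, ACCT_SESSION_ID = 1, 44

Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += struct.pack("!BB", typ, len(value) + 2) + value   # Type, Length, Value
    return out


def decode_attrs(data: bytes) -> List[Attr]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code: int, ident: int, attrs: List[Attr], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(pkt: bytes, secret: bytes) -> bool:
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(code: int, request: bytes, attrs: List[Attr], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))   # same Identifier
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(resp: bytes, request: bytes, secret: bytes) -> bool:
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp) or resp[1] != request[1]:
        return False
    header, auth, body = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def nas_handle(pkt: bytes, secret: bytes) -> Optional[bytes]:
    """NAS side: silently discard packets whose Request Authenticator does not verify."""
    if not verify_request(pkt, secret):
        return None
    if pkt[0] == COA_REQUEST:
        return build_response(COA_ACK, pkt, [], secret)
    if pkt[0] == DISCONNECT_REQUEST:
        return build_response(DISCONNECT_ACK, pkt, [], secret)
    return None


if __name__ == "__main__":
    secret = b"s3cret"   # constructed sample secret
    req = build_request(COA_REQUEST, 7, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A1B2")], secret)
    ack = nas_handle(req, secret)
    print(req.hex(), ack is not None and verify_response(ack, req, secret))
```

The check that the Length field matches the datagram and the constant-time authenticator comparison are the two places a careless receiver usually goes wrong; a NAS that answers CoA-NAK to a packet it could not authenticate leaks the fact that the session identifier was valid.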

IP management

The AAA Server provides centralized management of IP addresses, eliminating the time and expense of assigning and managing IP address pools on each individual NAS. This prevents the loss and duplication of IP addresses. IP address pools can be created for individual NASs or for groups of NASs (multiple IP pools are managed in parallel). When a user connects to the NAS, they are usually assigned an IP address for the session. A user can have a static IP address, or an IP address can be dynamically allocated by either the NAS or the AAA Server. IP address pools for each NAS can be defined centrally on the AAA Server.
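An added Python example (not the product's code) of the centralized pool management described above: pools are defined once and assigned to NASs, a retransmitted request for the same session gets the same address rather than a second one, a user's static address is reserved out of the dynamic pools so it cannot be handed out twice, and released addresses return to their pool. The NAS identifiers, pool names and the 192.0.2.0/24 documentation range are constructed values.

```python
"""Central IP-address pool management with per-NAS pools and static addresses.

Added illustration, not the product's code. The NAS identifiers, pool names
and the 192.0.2.0/24 documentation range are constructed sample values.
"""
import ipaddress
from collections import deque
from typing import Deque, Dict, Optional, Set, Tuple

Addr = ipaddress.IPv4Address


class IPPoolManager:
    def __init__(self) -> None:
        self.pools: Dict[str, Deque[Addr]] = {}                  # pool name -> free addresses
        self.pool_of_nas: Dict[str, str] = {}                    # NAS id -> pool name
        self.static: Dict[str, Addr] = {}                        # user -> fixed address
        self.leases: Dict[str, Tuple[Addr, Optional[str]]] = {}  # session -> (addr, pool or None)
        self.in_use: Set[Addr] = set()                           # addresses bound to live sessions

    def define_pool(self, name: str, cidr: str) -> None:
        # hosts() skips the network and broadcast addresses.
        self.pools[name] = deque(ipaddress.ip_network(cidr).hosts())

    def assign_nas(self, nas_id: str, pool: str) -> None:
        self.pool_of_nas[nas_id] = pool

    def set_static(self, user: str, addr: str) -> None:
        fixed = ipaddress.ip_address(addr)
        self.static[user] = fixed
        # Reserve it: a static address must never also be handed out dynamically.
        for free in self.pools.values():
            if fixed in free:
                free.remove(fixed)

    def allocate(self, session_id: str, user: str, nas_id: str) -> Optional[Addr]:
        if session_id in self.leases:
            return self.leases[session_id][0]  # retransmitted request: same answer, no duplicate
        if user in self.static:
            addr, pool = self.static[user], None
            if addr in self.in_use:
                return None                    # fixed address already bound to a live session
        else:
            pool = self.pool_of_nas.get(nas_id)
            free = self.pools.get(pool) if pool else None
            if not free:
                return None                    # unknown NAS or pool exhausted
            addr = free.popleft()
        self.in_use.add(addr)
        self.leases[session_id] = (addr, pool)
        return addr

    def release(self, session_id: str) -> bool:
        lease = self.leases.pop(session_id, None)
        if lease is None:
            return False
        addr, pool = lease
        self.in_use.discard(addr)
        if pool is not None:
            self.pools[pool].append(addr)      # dynamic address returns to its pool
        return True

    def free_count(self, pool: str) -> int:
        return len(self.pools[pool])


if __name__ == "__main__":
    m = IPPoolManager()
    m.define_pool("nas1-pool", "192.0.2.0/29")
    m.assign_nas("nas1", "nas1-pool")
    m.set_static("alice", "192.0.2.4")
    print(m.allocate("s1", "bob", "nas1"), m.allocate("s2", "alice", "nas1"), m.free_count("nas1-pool"))
```

Keying leases on the session identifier rather than on the user is what keeps a retransmitted Access-Request from consuming a second address, and tracking `in_use` across both static and pooled addresses is what makes duplication impossible even when the two kinds overlap.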

Management Function

The AAA Server contains a complete management system. All management functions are implemented by the service management software. The management function consists of the following parts:

  • Operator and log management
  • System management
  • User management

Operator and log management

An operator is a person who performs operations on the AAA Server. Operators have different operation rights. The AAA Server controls operation rights by level, role, and operator. Operators at a higher level can create operators at a lower level.

All operations performed by operators on the system are recorded in the logs. The log information includes operator name, login time, IP address, operation task, task status, logout time, log level and so on. The AAA Server stores all the operator logs; logs are retained for at least 3 months (a configurable parameter). Logs can be assigned different levels.

System management

Through the management interface provided by the AAA Server, the operator can manage system parameters such as parameter settings, domains, templates, access policies, IP addresses, proxy rules and copy rules.

User management

If the AAA Server provides the authentication function, the user profiles are stored in the AAA Server’s database. Through the management interface provided by the AAA Server, the operator can manage user information. User management includes:

  • Adding a user
  • Deleting a user
  • Querying user information
  • Changing user password or other attributes

The AAA Server supports managing users by user group. Users that belong to the same user group can be authenticated and charged using the same authentication policy and charging policy.

O&M

The AAA Server supports the standard SNMPv2 protocol. Through this protocol, the AAA Server reports system alarms and performance information, which includes the number of received authentication/accounting messages, the number of sent authentication reject messages, the number of sent authentication success messages, etc.

Please refer to the following RFC:

The hardware reliability of the AAA Server is ensured by:

  • Host reliability
  • Disk reliability
  • Power and network reliability
  • Data backup

Host Reliability

The AAA Server is usually deployed on two hosts in Active-Active or Active-Standby mode. Optionally, the AAA Server can be deployed on an RHEL HA Cluster.

Disk Reliability

Regarding disk reliability, the AAA Server ensures high reliability and availability of data by using internal disks in a RAID 1+0 configuration. RAID 1+0 is the combination of RAID 0 and RAID 1. As a scheme that takes both storage performance and data security into consideration, RAID 1+0 provides a data security guarantee equivalent to that of RAID 1 and storage performance approaching that of RAID 0. Replication is used to synchronize the database data between the nodes. Optionally, the AAA Server can operate in centralized storage array mode.

Power and Network Reliability

All the power supplies and data networks of the AAA Server host are backed up to guarantee the normal operation of the system in case any fault occurs on the active node.

Data Backup

The AAA Server backs up important data such as configuration files and database data. An automatic script running on the AAA Server backs up the data on a schedule and stores it in a fixed directory; the backup data is compressed and transferred by FTP to the customer’s backup server.