Post on 10-Aug-2015
8950 AAA Overview
All Rights Reserved © Alcatel-Lucent 2007 | Introduction to 8950 AAA
Module Objectives
Supported platforms
History
8950 AAA Features
Standards Compliance & Awards
8950 AAA
A AAA (Authentication, Authorization & Accounting) software package, pronounced “Triple A”
Compliant with the RADIUS and Diameter IETF RFCs
Formerly known as Vital AAA and NavisRadius
Based on Java: platform independent
Flexible and extensible
8950 AAA Evolution (I)
(Timeline diagram; years marked: 1992, 1999, 2000)
FreeRadius 1.1 © Livingston
Ascend Access Control © Ascend
Ascend buys Livingston
NavisRadius 1.3, based on FreeRadius
PortAuthority 2.1 © Lucent
Lucent buys Ascend
NavisRadius 3.x: with Java, multiplatform and new engine (PolicyFlow)
8950 AAA Evolution (II)
NavisRadius 4.0= NR3.2 + GUI enhancements
NavisRadius 4.0= NR3.2 + GUI enhancements
2001
NavisRadius 4.2= Change in USS architecture
+ dictionary in XML
NavisRadius 4.2= Change in USS architecture
+ dictionary in XML
NavisRadius 4.3->4.5= Wi-Fi support (MD5, GTC, TLS,
TTLS/PEAP, SIM, etc.)
NavisRadius 4.3->4.5= Wi-Fi support (MD5, GTC, TLS,
TTLS/PEAP, SIM, etc.)
VitalAAA 5.0= Diameter support +
HTTPS/SSH
VitalAAA 5.0= Diameter support +
HTTPS/SSH
3/200612/2006
Alcatel merges with Lucent
VitalAAA 5.1= IPAMv2 + TACACS +
Lawful Intercept
VitalAAA 5.1= IPAMv2 + TACACS +
Lawful Intercept
VitalAAA 5.2= DHCPv6 + IPv6 MIB’s +
cron-based PF + EAP-FAST
VitalAAA 5.2= DHCPv6 + IPv6 MIB’s +
cron-based PF + EAP-FAST
4/2007
8950 AAA 6.0= UUS2 + File Replication
+ WiMAX policy flow
8950 AAA 6.0= UUS2 + File Replication
+ WiMAX policy flow
3/2008
All Rights Reserved © Alcatel-Lucent 20076 | Introduction to 8950 AAA
AAA Components and communication ports
(Component diagram; recovered labels and port numbers)
Internal components: Policy Server + USS (logical flow and decision making), SMT/Config Server, Plug-Ins, Data I/O (DHCP, JDBC, password file, etc.), Utilities, GUI = SMT, aaa-cmd, Adm, SNMP Agent, Web Server
External peers and clients: RADIUS Test Client, Diameter Test Client, TACACS+ Test Client, telnet client, ssh client, SNMP client, browser (HTTP[S]), SQL client (SMT), LDAP/LDIF client, other AAA servers, SQL DB, LDAP USS, Lawful Intercept Server
Ports labelled in the diagram:
  UDP 1812, 1813, 3799 (RADIUS authentication, accounting and dynamic authorization)
  TCP 3868 (other AAA servers, Diameter)
  TCP 49 (TACACS+ Test Client)
  TCP 9080 (browser, HTTP[S], to the web server)
  UDP 9161 (SNMP client to the SNMP agent)
  TCP 9001 (SQL DB)
  TCP 9389 (LDAP USS)
  TCP 9022, 9023 (telnet/ssh clients)
  TCP 9020, 9021, 9097, 9099 (component pairing not recoverable from the diagram)
RADIUS / Diameter / TACACS+: Functionality Overview
PolicyServer
• Processes authentication & accounting requests
• Invokes the method engine
• Starts the web server
• Starts the Telnet/SSH CLI servers
• Logs events
USS + IPAM
• Maintains port usage information
• Identifies session limit violations
• Monitors user sessions
• May assign IPs
Logical System View
(Diagram: User, PSTN, NAS, Local AAA server #1 and #2, Universal StateServer, LDAP directories or database servers, remote ISP AAA, the Internet)
Management and Control Features
8950 AAA Server Management Tool (SMT): graphical user interface (GUI)
  Provides server administration and statistics
  Local or remote (via Configuration Server)
Remote management
  Via telnet/ssh, modifying configuration files
  Using the SMT
  With a Command Line Interface (CLI)
All remote management traffic can be encrypted with SSH or SSL
PolicyFlow and PolicyAssistant
PolicyFlow (PF): extensible plug-in software architecture
  Enables the construction of flexible AAA policies that can meet any AAA requirement
  You design exactly the processing steps you need, in the order you need them
PolicyAssistant (PA): simplifies configuration for small ISPs or companies
  Predefined policy flow plus predefined provisioning
  Handles 80% of simple configuration needs; otherwise, use PolicyFlow
  Has a graphical wizard to define policies
(Chart: configuration time versus what can be done, PA compared with PF)
8950 AAA Major Features (I)
Storage of users’ profiles
  Local text files
  SQL server (local built-in (HSQL) or remote)
  LDAP server
  HTTP server
  RADIUS server (proxy RADIUS)
Storage of accounting logs
  Local text files: allows definition of any file format (Classic, Delimited or Fixed)
  Remote servers: remote database (SQL) or RADIUS servers (proxy-RADIUS)
8950 AAA Major Features (II)
Proxy-RADIUS
  Ability to modify/add/remove any attribute sent to or received from the remote server
Secure external authentication in token card servers
  SecurID/ACE (RSA)
  SafeWord (Secure Computing)
Time-of-Day restrictions
  And automatic calculation of Session-Timeout
Wide EAP support
  EAP-MD5, EAP-GTC, EAP-LEAP, EAP-MsChapV2, EAP-TLS (and TTLS and PEAP), EAP-SIM/AKA, EAP-FAST
Multiple Dictionaries
  To meet specific characteristics of each NAS or remote RADIUS server (when proxying)
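The Time-of-Day restriction with an automatically calculated Session-Timeout, as an added Python example (not 8950 AAA code; the "HH:MM" window format, the function names and the decision dictionary are assumptions): a request outside the allowed window is rejected, otherwise Session-Timeout is set so the session ends exactly when the window closes, including windows that wrap past midnight.

```python
from datetime import datetime, time, timedelta

def _parse_hhmm(text):
    """Parse 'HH:MM' into a time object (assumed window format)."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

def _window_close(now, start, end):
    """Return when the current allowed window closes, or None if `now`
    falls outside it. An end earlier than the start (e.g. 22:00-06:00)
    means the window wraps past midnight."""
    t = now.time()
    if start <= end:
        inside = start <= t < end
    else:
        inside = t >= start or t < end
    if not inside:
        return None
    close = datetime.combine(now.date(), end)
    if close <= now:              # wrapped window: it closes tomorrow
        close += timedelta(days=1)
    return close

def time_of_day_decision(now_text, start="08:00", end="18:00"):
    """Emulate a Time-of-Day restriction: reject outside the window,
    otherwise accept with a Session-Timeout (seconds) that ends the
    session exactly when the window closes. Hypothetical helper."""
    now = datetime.strptime(now_text, "%Y-%m-%d %H:%M")
    close = _window_close(now, _parse_hhmm(start), _parse_hhmm(end))
    if close is None:
        return {"code": "Access-Reject", "reason": "outside allowed hours"}
    seconds = int((close - now).total_seconds())
    return {"code": "Access-Accept", "Session-Timeout": max(1, seconds)}

if __name__ == "__main__":
    # Constructed sample requests: office hours and a night-shift window
    print(time_of_day_decision("2015-08-10 17:30"))                    # 1800 s left
    print(time_of_day_decision("2015-08-10 19:00"))                    # rejected
    print(time_of_day_decision("2015-08-10 23:00", "22:00", "06:00"))  # 25200 s left
```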
8950 AAA Major Features (III)
Pre-authentication for dial-up
SNMP support for statistics (v1, v2 & v3)
  Standard RFCs for RADIUS auth+acct (server and client): 4668, 4669, 4670, 4671
Built-in SQL database for users and accounting data storage
Troubleshooting facilities
Complete customizable logging facilities per message area
  Conditional logging based on AAA attributes for specific user names, realms, calling numbers, called numbers…
  Multiple logging levels
  Multiple places where logs can be sent (file, syslog, SNMP trap, …)
Client testing tools, with CLI and GUI
  To simulate the connection of any user from any NAS with any condition (any AAA AVP)
  RADIUS TestClient & NAS-simulator
  TACACS+ TestClient
  Diameter TestClient
IP address assignment for users
Local management by the NAS
Simple built-in address manager
USS-based advanced IP Address Manager (IPAM)
  With optional redundancy and High-Availability
  Pools can be defined without restarting the server
  Different pools can have overlapping IP addresses
  IPv4 addresses and IPv6 prefixes
External DHCP server, selecting any DHCP option for a pool selection
(Diagram: DHCP, RADIUS and PPP assignment paths; [HA-]IPAM, Simple Address Manager, DHCP server, Local in NAS)
AAA protocol translator and proxy
Any translation can be made between different protocols
  RADIUS <-> TACACS+
  RADIUS <-> Diameter
  TACACS+ <-> Diameter
Due to the flexibility of the PolicyFlow language, the server can receive AAA information in any protocol and generate outgoing AAA packets in any protocol
(Diagram: RADIUS, Diameter, TACACS+ in -> Translation Agent / Proxy -> RADIUS, Diameter, TACACS+ out)
Supported Platforms
Server + SMT (GUI):
  Solaris SPARC & x86: from 2.7 to 2.10
  HP-UX 11.0
  Compaq/DEC TRU-64 UNIX
  RedHat Enterprise Linux
  Windows 2000, 2003 & XP
  MacOS: from 10.2 to 10.4
Java Virtual Machine (JRE, SDK or J2SE): J2SE 5.0
Universal StateServer (USS) = Session Manager
Keeps a database of NAS and port usage to maintain session information
Maintains counters for resource usage:
  User Name
  Called Number (DNIS)
  Realm
  Arbitrary criteria: ISP Name, Department, Region, Affinity group, etc.
May enforce limits on any of these counters
Optionally, it can have redundancy (HA-USS)
Optionally, the session and counter information can also be read via an LDAP interface
Optionally, it can assign dynamic IP addresses (IPAM)
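The session-counting and limit-enforcement role the slide assigns to the USS, as an added Python example (a hypothetical class, not the 8950 AAA implementation; the attribute names follow RADIUS User-Name and Called-Station-Id, the "groups" attribute and the limit-key tuples are assumptions): each accounting start is counted under the user, realm, DNIS and any arbitrary group key, a start that would exceed a limit on any key is refused, and an accounting stop releases the counters.

```python
from collections import Counter

class UniversalStateStore:
    """Toy session manager in the USS role: every active session is counted
    under several keys (user name, realm, DNIS and arbitrary group attributes)
    and a limit may be enforced on any key. Hypothetical class."""

    def __init__(self, limits):
        self.limits = dict(limits)    # e.g. {("user", "alice@example.net"): 1}
        self.counts = Counter()       # key -> number of active sessions
        self.sessions = {}            # session id -> keys it was counted under

    @staticmethod
    def keys_for(attrs):
        """Derive the counter keys from the request attributes."""
        user = attrs["User-Name"]
        realm = user.split("@", 1)[1] if "@" in user else ""
        keys = [("user", user), ("realm", realm),
                ("dnis", attrs.get("Called-Station-Id", ""))]
        for name, value in attrs.get("groups", {}).items():  # ISP, region, ...
            keys.append((name, value))
        return keys

    def start(self, session_id, attrs):
        """Accounting-Start: admit the session unless any counter is at its limit."""
        keys = self.keys_for(attrs)
        for key in keys:
            limit = self.limits.get(key)
            if limit is not None and self.counts[key] >= limit:
                return False, f"limit {limit} reached for {key[0]}={key[1]}"
        for key in keys:
            self.counts[key] += 1
        self.sessions[session_id] = keys
        return True, "ok"

    def stop(self, session_id):
        """Accounting-Stop: release the counters the session held."""
        for key in self.sessions.pop(session_id, []):
            self.counts[key] -= 1

    def active(self, key):
        """Current counter value, as a read-only LDAP view would expose it."""
        return self.counts[key]

if __name__ == "__main__":
    # Constructed sample: one session per user, two per realm
    uss = UniversalStateStore({("user", "alice@example.net"): 1, ("realm", "example.net"): 2})
    print(uss.start("s1", {"User-Name": "alice@example.net", "Called-Station-Id": "5551000"}))
    print(uss.start("s2", {"User-Name": "alice@example.net", "Called-Station-Id": "5551000"}))
```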
8950 AAA awards (I)
(Award logos: “Best Authentication Server” & “Security Product of the Year”)
Network Computing “Best Authentication Server”, for 2 years in a row (2004 & 2005)
“Well-Connected Award” for outstanding networking products and services (2004)
Overall “Security product of the year” (2005), from more than 27 security products in 9 different security categories
“Editor’s Choice” and “Best Value” for the Enterprise RADIUS servers (2005)
8950 AAA awards (II)
3GSM World Congress (2006) in Barcelona (Spain): “Highly Commended Award for Innovation in GSM Roaming”, for enabling a GSM operator to deliver a service that allows GSM mobile users to use their home broadband network to initiate and accept calls, and to roam between the home and GSM networks without dropping the call!
Installed base
8950 AAA is deployed in over 4,000 service provider, enterprise and government networks around the world.
Customers range from small businesses, enterprises and universities offering remote dial-in and wireless access services, to government departments and agencies, wholesale operators selling ports to downstream customers, major wireless service providers, and global Internet service providers.
Standards Compliance (I)
(Logos: 802.1x, 1XEV-DO)
RADIUS Standards Compliance (II)
RADIUS Standards Compliance (III)