8950 AAA Overview
Introduction to 8950 AAA Module
All Rights Reserved © Alcatel-Lucent 2007
Module Objectives
Supported platforms
History
8950 AAA Features
Standards Compliance & Awards
8950 AAA
A AAA (Authentication, Authorization & Accounting) software package, pronounced “Triple A”
Compliant with the RADIUS and Diameter IETF RFCs
Formerly known as Vital AAA and NavisRadius
Based on Java: platform independent, flexible and extensible
8950 AAA Evolution (I)
Timeline years shown: 1992, 1999, 2000
FreeRadius 1.1 (© Livingston)
Ascend Access Control (© Ascend)
Ascend buys Livingston
NavisRadius 1.3, based on FreeRadius
PortAuthority 2.1 (© Lucent)
Lucent buys Ascend
NavisRadius 3.x: Java, multiplatform, and a new engine (PolicyFlow)
8950 AAA Evolution (II)
NavisRadius 4.0 = NR3.2 + GUI enhancements
2001
NavisRadius 4.2 = change in USS architecture + dictionary in XML
NavisRadius 4.3 -> 4.5 = Wi-Fi support (MD5, GTC, TLS, TTLS/PEAP, SIM, etc.)
VitalAAA 5.0 = Diameter support + HTTPS/SSH
3/2006
12/2006
Alcatel merges with Lucent
VitalAAA 5.1 = IPAMv2 + TACACS + Lawful Intercept
VitalAAA 5.2 = DHCPv6 + IPv6 MIBs + cron-based PF + EAP-FAST
4/2007
8950 AAA 6.0 = UUS2 + File Replication + WiMAX policy flow
3/2008
AAA Components and communication ports
Components (diagram): Policy Server + USS; SMT/Config Server; plug-ins: Data I/O (DHCP, JDBC, password file, etc.), logical flow and decision making, utilities; GUI = SMT; aaa-cmd; Adm
Listeners and clients shown with their ports:
RADIUS (RADIUS Test Client): UDP 1812, 1813, 3799 (RADIUS authentication, accounting and dynamic authorization)
Diameter (other AAA servers, Diameter Test Client): TCP 3868
TACACS+ Test Client: TCP 49
Lawful Intercept Server
ssh client: TCP 9023; telnet client
Browser (HTTP[S]) -> Web Server: TCP 9080
SNMP client -> SNMP Agent: UDP 9161
SQL client (SMT) -> SQL DB: TCP 9001
LDAP/LDIF client -> LDAP USS: TCP 9389
Further TCP ports on the diagram without a labelled component: 9020, 9021, 9022, 9097, 9099
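The practical point of the port diagram for a defender is exposure: only the RADIUS, Diameter and TACACS+ listeners need to be reachable by NAS devices and peer AAA servers, while the SMT/config, CLI, SNMP, web, database and USS ports are management surface. The following is an added example (not 8950 AAA code): it keeps an inventory of the ports from the slide, generates an nftables-style allow-list that splits them between a NAS network and an admin network, and audits a netstat-style listing for management ports bound to all interfaces. The network ranges and the listing are constructed, and ports the slide leaves unlabelled are marked as such.

```python
"""Port-exposure helper built from the components-and-ports slide.
Added example; ports and component names come from the slide, the network
ranges and the sample listing are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str
    proto: str   # "tcp" or "udp"
    port: int
    role: str    # "service" (NAS / peer AAA facing) or "management"


LISTENERS = (
    Listener("RADIUS authentication", "udp", 1812, "service"),
    Listener("RADIUS accounting", "udp", 1813, "service"),
    Listener("RADIUS dynamic authorization (CoA/DM)", "udp", 3799, "service"),
    Listener("Diameter (other AAA servers)", "tcp", 3868, "service"),
    Listener("TACACS+", "tcp", 49, "service"),
    Listener("ssh CLI", "tcp", 9023, "management"),
    Listener("Web server (HTTP[S])", "tcp", 9080, "management"),
    Listener("SNMP agent", "udp", 9161, "management"),
    Listener("SQL DB", "tcp", 9001, "management"),
    Listener("LDAP interface to USS", "tcp", 9389, "management"),
    # These ports appear on the slide without a component label.
    Listener("unlabelled on slide", "tcp", 9020, "management"),
    Listener("unlabelled on slide", "tcp", 9021, "management"),
    Listener("unlabelled on slide", "tcp", 9022, "management"),
    Listener("unlabelled on slide", "tcp", 9097, "management"),
    Listener("unlabelled on slide", "tcp", 9099, "management"),
)


def allow_rules(nas_cidr, admin_cidr, listeners=LISTENERS):
    """nftables-style input rules: service ports from the NAS network,
    management ports only from the admin network, then a default drop."""
    rules = []
    for lst in listeners:
        src = nas_cidr if lst.role == "service" else admin_cidr
        rules.append(f'ip saddr {src} {lst.proto} dport {lst.port} accept comment "{lst.name}"')
    rules.append("drop")
    return rules


# Constructed listing format: "<proto> <bind-address>:<port>" per line.
LISTEN_RE = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s*$")


def find_exposed_management(listing, listeners=LISTENERS):
    """Return management listeners bound to a wildcard address (all interfaces)."""
    mgmt = {(lst.proto, lst.port): lst.name for lst in listeners if lst.role == "management"}
    exposed = []
    for line in listing.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if addr in ("0.0.0.0", "::", "*") and (proto, port) in mgmt:
            exposed.append(f"{proto}/{port} {mgmt[(proto, port)]}")
    return exposed


# Constructed sample listing: RADIUS/Diameter on all interfaces is expected,
# the web server and SNMP agent on 0.0.0.0 are the findings.
SAMPLE_LISTING = """\
udp  0.0.0.0:1812
udp  0.0.0.0:1813
tcp  0.0.0.0:3868
tcp  0.0.0.0:9080
udp  0.0.0.0:9161
tcp  10.0.0.5:9023
tcp  127.0.0.1:9001
"""

if __name__ == "__main__":
    print("\n".join(allow_rules("192.0.2.0/24", "10.0.0.0/24")))
    print("exposed management listeners:", find_exposed_management(SAMPLE_LISTING))
```

The split by role is the same one the slide implies with SSH/SSL for "all remote management traffic": transport encryption protects the management channels, and the allow-list limits who can reach them at all.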
RADIUS / Diameter / TACACS+
Functionality Overview
PolicyServer
• Processes authentication & accounting requests
• Invokes the method engine
• Starts the web server
• Starts the Telnet/SSH CLI servers
• Logs events
USS+IPAM
• Maintains port usage information
• Identifies session limit violations
• Monitors user sessions
• May assign IPs
Logical System View (diagram)
Elements shown: User, PSTN, the Internet, NAS, Local AAA server #1, Local AAA server #2, Universal State Server, LDAP Directories or Database Servers, Remote ISP AAA
Management and Control Features
8950 AAA Server Management Tool (SMT): graphical user interface (GUI)
Provides server administration and statistics
Local or remote (via Configuration Server)
Remote management: via telnet/ssh and modifying configuration files, using the SMT, or with a Command Line Interface (CLI)
All remote management traffic can be encrypted with SSH or SSL
PolicyFlow and PolicyAssistant
PolicyFlow (PF): extensible plug-in software architecture enabling the construction of flexible AAA policies that can meet any AAA requirement; you design exactly the processing steps you need, in the order you need them.
PolicyAssistant (PA): simplifies configuration for small ISPs or companies (predefined policy flow plus predefined provisioning)
Handles 80% of simple configuration needs; otherwise, use PolicyFlow
Has a graphical wizard to define policies
(Chart: configuration time versus what can be done, comparing PF and PA)
8950 AAA Major Features (I)
Storage of users’ profiles:
Local text files
SQL server (local built-in (HSQL) or remote)
LDAP server
HTTP server
RADIUS server (proxy RADIUS)
Storage of accounting logs:
Local text files, allowing definition of any file format (Classic, Delimited or Fixed)
Remote servers: remote database (SQL) or RADIUS servers (proxy-RADIUS)
8950 AAA Major Features (II)
Proxy-RADIUS: ability to modify/add/remove any attribute sent to or received from the remote server
Secure external authentication with token card servers: SecurID/ACE (RSA), SafeWord (Secure Computing)
Time-of-Day restrictions, with automatic calculation of Session-Timeout
Wide EAP support: EAP-MD5, EAP-GTC, EAP-LEAP, EAP-MsChapV2, EAP-TLS (and TTLS and PEAP), EAP-SIM/AKA, EAP-FAST
Multiple dictionaries, to meet the specific characteristics of each NAS or remote RADIUS server (when proxying)
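The PolicyFlow idea (an ordered chain of processing steps the operator composes) and the time-of-day feature (reject outside a window, otherwise derive Session-Timeout automatically) are easiest to see together. The following is an added example, not 8950 AAA's own PolicyFlow language or its user store: a toy flow engine where each step returns CONTINUE, ACCEPT or REJECT, with a local-file authentication step, a time-of-day step that sets Session-Timeout to the seconds remaining in the user's window, and a final provisioning step. The user table, the window format (a single-day start/end pair) and the step names are constructed.

```python
"""Toy policy-flow engine.  Added example; the user table, window format and
step names are constructed and are not 8950 AAA's own format."""
import hmac
from datetime import datetime, time

CONTINUE, ACCEPT, REJECT = "continue", "accept", "reject"

# Constructed local user file: password plus an optional (start, end) window
# within a single day; None means no time-of-day restriction.
USERS = {
    "alice@example.net": {"password": "s3cret", "window": (time(8, 0), time(18, 0))},
    "bob@example.net": {"password": "hunter2", "window": None},
}


def check_user(req, reply, now):
    """Authenticate against the local file with a constant-time compare."""
    user = USERS.get(req.get("User-Name"))
    if user is None:
        return REJECT
    supplied = str(req.get("User-Password", "")).encode()
    if not hmac.compare_digest(user["password"].encode(), supplied):
        return REJECT
    req["_profile"] = user          # hand the profile to later steps
    return CONTINUE


def time_of_day(req, reply, now):
    """Enforce the window; Session-Timeout = seconds until the window closes."""
    window = req["_profile"]["window"]
    if window is None:
        return CONTINUE
    start, end = window
    if not (start <= now.time() < end):
        return REJECT
    end_dt = now.replace(hour=end.hour, minute=end.minute, second=0, microsecond=0)
    reply["Session-Timeout"] = int((end_dt - now).total_seconds())
    return CONTINUE


def set_framed_protocol(req, reply, now):
    """Final provisioning step: add reply attributes and accept."""
    reply["Framed-Protocol"] = "PPP"
    return ACCEPT


# The operator chooses the steps and their order; this is the whole "policy".
POLICY_FLOW = [check_user, time_of_day, set_framed_protocol]


def run_flow(request, now, flow=POLICY_FLOW):
    """Run the steps in order.  REJECT discards reply attributes collected so
    far; ACCEPT (or reaching the end of the flow) returns them."""
    req, reply = dict(request), {}
    for step in flow:
        result = step(req, reply, now)
        if result == REJECT:
            return "Access-Reject", {}
        if result == ACCEPT:
            break
    return "Access-Accept", reply


def evaluate(user_name, password, when):
    """Convenience wrapper; `when` is (year, month, day, hour, minute)."""
    return run_flow({"User-Name": user_name, "User-Password": password}, datetime(*when))


if __name__ == "__main__":
    print(evaluate("alice@example.net", "s3cret", (2007, 5, 1, 17, 30)))
    print(evaluate("alice@example.net", "s3cret", (2007, 5, 1, 20, 0)))
```

Windows that cross midnight are deliberately out of scope here; a real time-of-day step would also have to handle them, and the Session-Timeout it derives is what stops a session that started inside the window from running on after it.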
8950 AAA Major Features (III)
Pre-authentication for dial-up
SNMP support for statistics (v1, v2 & v3), using the standard RADIUS authentication and accounting MIBs for server and client: RFCs 4668, 4669, 4670, 4671
Built-in SQL database for users and accounting data storage
Troubleshooting facilities
Complete, customizable logging facilities per message area
Conditional logging based on AAA attributes for specific user names, realms, calling numbers, called numbers…
Multiple logging levels
Multiple places where logs can be sent (file, syslog, SNMP trap, …)
Client testing tools, with CLI and GUI, to simulate the connection of any user from any NAS under any condition (any AAA AVP):
RADIUS TestClient & NAS-simulator
TACACS+ TestClient
Diameter TestClient
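A RADIUS test client such as the one listed above simulates a NAS by building an Access-Request with whatever attributes the tester wants; the server side then has to parse that packet defensively and prove its reply with the Response Authenticator. The following is an added example (not the product's TestClient): it frames an Access-Request per RFC 2865, hides User-Password with the MD5-based scheme of RFC 2865 section 5.2, decodes attributes while rejecting bad lengths, and builds and verifies the Response Authenticator of the reply. The shared secret, Request Authenticator and attribute values are constructed.

```python
"""RADIUS request/response framing.  Added example; secret, authenticator and
attribute values are constructed."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 27
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; 16-byte Authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """attrs: list of (type, value-bytes); a value must fit in 253 bytes."""
    for _, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    """Parse TLVs, rejecting lengths that are too short or overrun the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, secret, attrs, authenticator=None):
    """Client side: random Request Authenticator, User-Password hidden in place."""
    ra = authenticator if authenticator is not None else secrets.token_bytes(16)
    wire = [(t, hide_password(v, secret, ra) if t == USER_PASSWORD else v) for t, v in attrs]
    body = encode_attrs(wire)
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body


def build_response(code, identifier, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    head = HEADER.pack(code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Client side: accept only replies whose authenticator matches our request."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def server_handle(packet, secret):
    """Decode a request and recover the attributes as the server sees them."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed request")
    ra = packet[4:20]
    fields = {}
    for t, v in decode_attrs(packet[20:]):
        fields[t] = reveal_password(v, secret, ra) if t == USER_PASSWORD else v
    return identifier, ra, fields
```

Two things worth noticing: the password hiding is keyed only by the shared secret and MD5, which is why the page's mention of EAP methods (TLS, TTLS/PEAP) matters for anything stronger than dial-up, and the Response Authenticator is what lets the test client detect a forged or mis-keyed reply.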
IP address assignment for users
Local management by the NAS
Simple built-in address manager
USS-based advanced IP Address Manager (IPAM), with optional redundancy and High-Availability:
Pools can be defined without restarting the server
Different pools can have overlapping IP addresses
IPv4 addresses and IPv6 prefixes
External DHCP server, selecting any DHCP option for a pool selection
(Diagram: assignment over DHCP, RADIUS and PPP, with [HA-]IPAM, Simple Address Manager, DHCP server and Local in NAS as the assignment sources)
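The three IPAM properties listed (pools added at run time, overlapping pools, IPv4 addresses versus IPv6 prefixes) all follow from one design decision: each pool keeps its own lease table and is selected by a criterion of the request. The following added example (not 8950 AAA's IPAM) shows that design in the small, using the realm as the pool-selection key; pool names, networks and the realm key are constructed. IPv4 pools hand out host addresses, IPv6 pools hand out prefixes of a configurable length, and exhaustion is reported rather than silently reusing a lease.

```python
"""Pool-based address manager.  Added example; pool names, networks and the
realm-based selection are constructed."""
import ipaddress


class Pool:
    def __init__(self, name, network, v6_prefix_len=64):
        self.name = name
        self.net = ipaddress.ip_network(network)
        self.v6_prefix_len = v6_prefix_len
        self.leases = {}   # str(address or prefix) -> session id

    def _candidates(self):
        # IPv4 pools hand out single host addresses; IPv6 pools hand out prefixes.
        if self.net.version == 4:
            return (str(h) for h in self.net.hosts())
        return (str(s) for s in self.net.subnets(new_prefix=self.v6_prefix_len))

    def allocate(self, session_id):
        """First free candidate; the generators are lazy, so large pools are cheap."""
        for cand in self._candidates():
            if cand not in self.leases:
                self.leases[cand] = session_id
                return cand
        raise RuntimeError(f"pool {self.name} exhausted")

    def release(self, session_id):
        for cand, sid in list(self.leases.items()):
            if sid == session_id:
                del self.leases[cand]
                return True
        return False


class AddressManager:
    def __init__(self):
        self.pools = {}   # realm -> Pool

    def add_pool(self, realm, name, network, **kw):
        """Pools can be added while running, and overlapping ranges are fine
        because every pool has its own lease table."""
        self.pools[realm] = Pool(name, network, **kw)

    def assign(self, realm, session_id):
        pool = self.pools.get(realm)
        if pool is None:
            raise KeyError(f"no pool for realm {realm}")
        return pool.allocate(session_id)

    def release(self, realm, session_id):
        return self.pools[realm].release(session_id)

    def in_use(self, realm):
        return len(self.pools[realm].leases)


if __name__ == "__main__":
    mgr = AddressManager()
    mgr.add_pool("ispa.example", "A", "10.0.0.0/24")
    mgr.add_pool("ispb.example", "B", "10.0.0.0/24")   # overlaps pool A on purpose
    mgr.add_pool("v6.example", "V6", "2001:db8::/48")
    print(mgr.assign("ispa.example", "s1"), mgr.assign("ispb.example", "s2"))
    print(mgr.assign("v6.example", "s3"))
```

Overlapping pools only make sense when the two realms' traffic never meets unencapsulated (separate VRFs or tunnels), which is the operational caveat behind that bullet.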
AAA protocol translator and proxy
Any translation can be made between different protocols:
RADIUS <-> TACACS+
RADIUS <-> Diameter
TACACS+ <-> Diameter
Due to the flexibility of the PolicyFlow language, it can receive AAA information in any protocol and generate outgoing AAA packets in any protocol
(Diagram: RADIUS, Diameter and TACACS+ in -> Translation Agent / Proxy -> RADIUS, Diameter and TACACS+ out)
Supported Platforms
Server + SMT (GUI):
Solaris SPARC & x86: from 2.7 to 2.10
HP-UX 11.0
Compaq/DEC TRU-64 UNIX
RedHat Enterprise Linux
Windows 2000, 2003 & XP
MacOS: from 10.2 to 10.4
Java Virtual Machine (JRE, SDK or J2SE): J2SE 5.0
Universal StateServer (USS) = Session Manager
Keeps a database of NAS and port usage to maintain session information
Maintains counters for resource usage by:
User Name
Called Number (DNIS)
Realm
Arbitrary criteria: ISP name, department, region, affinity group, etc.
May enforce limits on any of these counters
Optionally, it can have redundancy (HA-USS)
Optionally, the session and counter information can also be read via an LDAP interface
Optionally, it can assign dynamic IP addresses (IPAM)
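The USS description above is a session table keyed by NAS and port, plus a set of counters (user, realm, DNIS, arbitrary criteria) with optional limits on each. The following added example, not 8950 AAA code, shows the mechanics: a start is admitted only if every counter it would increment is below its limit, a stop decrements them, and a start on a NAS port that is already occupied implicitly closes the old session, which is how port reuse without an Accounting-Stop is handled. The limit table and the "group" criterion are constructed.

```python
"""Session manager with per-criterion counters and limits.  Added example;
the limit table and the "group" criterion are constructed."""
from collections import Counter


class UniversalStateServer:
    def __init__(self, limits):
        self.limits = dict(limits)        # (criterion, value) -> max concurrent sessions
        self.sessions = {}                # (nas_ip, nas_port) -> counter keys of that session
        self.counters = Counter()         # (criterion, value) -> live sessions

    @staticmethod
    def counter_keys(attrs):
        """Every counter a session contributes to: user, realm, DNIS, and any
        operator-defined criterion carried in the attributes."""
        user = attrs["User-Name"]
        realm = user.rpartition("@")[2] if "@" in user else ""   # no realm -> ""
        keys = [("user", user), ("realm", realm)]
        if "Called-Station-Id" in attrs:
            keys.append(("dnis", attrs["Called-Station-Id"]))
        if "group" in attrs:
            keys.append(("group", attrs["group"]))
        return keys

    def start(self, nas_ip, nas_port, attrs):
        """Admit a session if no limit would be exceeded.  Returns (ok, reason)."""
        port = (nas_ip, nas_port)
        if port in self.sessions:
            # The NAS reused the port, so the previous session on it is over.
            self.stop(nas_ip, nas_port)
        keys = self.counter_keys(attrs)
        for key in keys:
            limit = self.limits.get(key)
            if limit is not None and self.counters[key] >= limit:
                return False, f"limit {limit} reached for {key[0]}={key[1]}"
        for key in keys:
            self.counters[key] += 1
        self.sessions[port] = keys
        return True, "ok"

    def stop(self, nas_ip, nas_port):
        """Accounting-Stop; a stop for an unknown port is reported, not counted."""
        keys = self.sessions.pop((nas_ip, nas_port), None)
        if keys is None:
            return False
        for key in keys:
            self.counters[key] -= 1
            if self.counters[key] <= 0:
                del self.counters[key]
        return True

    def usage(self, criterion, value):
        return self.counters[(criterion, value)]

    def active_sessions(self):
        return len(self.sessions)


if __name__ == "__main__":
    uss = UniversalStateServer({("user", "alice@ispa"): 1, ("realm", "ispa"): 3})
    print(uss.start("nas1", 1, {"User-Name": "alice@ispa"}))
    print(uss.start("nas1", 2, {"User-Name": "alice@ispa"}))   # second login denied
    print(uss.usage("realm", "ispa"), uss.active_sessions())
```

The implicit close on port reuse is what keeps the counters from drifting upward when a NAS loses a Stop; a redundant HA-USS would replicate exactly this table and counter set.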
8950 AAA awards (I)
Network Computing “Best Authentication Server”, for 2 years in a row (2004 & 2005)
“Well-Connected Award” for outstanding networking products and services (2004)
Overall “Security product of the year” (2005), from more than 27 security products in 9 different security categories
“Editor’s Choice” and “Best Value” for Enterprise RADIUS servers (2005)
8950 AAA awards (II)
3GSM World Congress (2006) in Barcelona (Spain): “Highly Commended Award for Innovation in GSM Roaming”, for enabling a GSM operator to deliver a service that allows GSM mobile users to use their home broadband network to initiate and accept calls and to roam between the home and GSM networks without dropping the call!
Installed base
8950 AAA is deployed in over 4,000 service provider, enterprise and government networks around the world.
Customers range from small businesses, enterprises and universities offering remote dial-in and wireless access services, to government departments and agencies, wholesale operators selling ports to downstream customers, major wireless service providers, and global Internet service providers.
Standards Compliance (I)
(Logos shown: 802.1x, 1xEV-DO)
RADIUS Standards Compliance (II)
RADIUS Standards Compliance (III)