AVSystem AAA AVSYSTEM AAA - Pivotel (Pty) Ltd · LIGHTWEIGHT RADIUS IMPLEMENTATION What diff...

AVSYSTEM AAA www.avsystem.com


Copyright 2016 by AVSystem


Introduction

Every day telecommunication operators are facing new challenges and threats. In this fast and constantly evolving environment, there is a growing demand for flexible, versatile and secure solutions, which, at the same time, can be easily adjusted to changing hardware-park, new services and statutory requirements. Both access control and accounting are the areas that need such solutions the most. In response, AVSystem has created its latest product, AVSystem AAA.


KEY FEATURES

PIPELINE-ORIENTED PROCESSING

From the very initial stage, AVSystem AAA has been designed for flexible, fast and adaptable operations. Pipeline-oriented processing turned out to be the key to achieving this goal. Instead of presenting a well-defined (hard-coded) processing flow including all the after-effects, options, possibilities and corner cases, AVSystem AAA allows the administrator to define both the desired pipeline and the flow of operations. Moreover, the administrator can decide in detail what data is to be parsed, transformed or discarded to speed up processing. A great effort was put into the design of a pipeline definition, tools and helpers allowing the user to focus on business logic, requirements, data and security rather than on spending endless time investigating the undocumented flows in monolithic solutions. Last but not least, multiple-protocol support offered by AVSystem AAA enables full integration with external billing, marketing, monitoring and reporting systems.

LIGHTWEIGHT RADIUS IMPLEMENTATION

What differentiates AVSystem AAA from other solutions available on the market is its proprietary, lightweight and robust implementation of Radius Authenticator, which enables extremely fast and efficient parsing and creation of Radius responses. It is a crucial element to provide extremely high throughputs necessary for handling both day-to-day high-demand operations in a present network and high-density accounting and monitoring.

MULTI-MASTER ARCHITECTURE

AVSystem AAA provides full out-of-the-box support for multi-node & multi-master oriented architectures. Moreover, unique clustering and visualization technologies enable a free and unobstructed flow of information between nodes as well as full synchronization of both operational and historical data. AVSystem AAA also provides additional Data Safe House, a redundant database that enables recovery of the vital network data in case of disaster.

Figure 1 System layout


USER-FRIENDLY UI

The system is delivered with a Web-based, user-friendly UI allowing system configuration and maintenance as well as providing access to:

• Authentication and accounting data

• Account details

• Historical information

• Current state of the network

• Troubleshooting views for network issues

• Group and domain management

• GIS integration for supported networks

• CDR policy/format configuration

• Reporting system

• Online user management

MULTIPLE DATA SOURCES

Thanks to a flexible definition of pipeline, which can be tailored to specific needs of the network, the operator gains a great market advantage and ability to define all the delivered services. Furthermore, the pipeline description engine provides multiple data sources enabling import of data from external systems (LDAP or BSS servers), export of data to external storage (e.g. detailed logs required by a local jurisdiction) or advanced integration with existing third-party systems (e.g. invoicing or policy enforcement solution).

Built-in default internal storage allows the operator to quickly deploy services without the need for any external sources or components. Internal storage will also enable long-term retention and an overview of historical data.

Examples:

• Numbers of sessions and their data load

• User login history, times, lengths, data loads or a physical line the authentication was performed upon

• Current active sessions

Figure 2 Internal architecture of system components


BUILT-IN TROUBLESHOOTING MODULE

Thanks to a built-in troubleshooting engine, the administrator can fully monitor every action, message or transfer of data to AAA system. Due to the unique position of the system in the network, such a module makes monitoring and troubleshooting of the network problems, even those related to CPE which are normally very difficult to find, much easier in enterprise networks.

ANY ACCESS TECHNOLOGY

AVSystem AAA was designed to flexibly adapt to the used hardware-park and constant demand for services. Thanks to such design, it can be safely used in heterogeneous environments in which multiple technologies such as DSL, WiMAX, LTE, WiFi, VoIP, FAP are being orchestrated.

MODULAR TECHNOLOGY

Even though the pipeline description engine is extremely versatile, its usage would have been extremely complicated without tools and helpers hiding all or most of the technological hurdle from the user. AVSystem AAA provides such helpers in multiple tool-oriented modules.

Helpers:

• INTERNAL DATA STORAGE for system operations, authentication data, logs and accounting

• RADIUS AUTHENTICATOR (Radius-based south-bound interface)

• UI (Web-based User Interface)

• LDAP CONNECTOR (verification of credentials against third party LDAP-based storage)

• SQL CONNECTOR (verification of credentials and export of authentication and accounting data to external SQL-based storage)

• IP ASSIGNER (assignment and tracking of IP address usage based on defined pools and dynamic transfer of pool-chunks between NASes)

• IP TRACKER (helper enabling easy storage of IP assignment history, automatic rolling of such data as well as set of tools for searching in the dataset)

• LOGGER (logging of both authentication and accounting data to multiple file formats, including log rolling)

• DICTIONARY (definition of human-readable labels and value parsing/serializing for vendor-specific attributes)

• DIAMETER AUTHENTICATOR (diameter-based south-bound interface)

• TACACS AUTHENTICATOR (TACACS-based south-bound interface)

• KERBEROS CONNECTOR (verification of credentials against existing kerberos-based infrastructure)

• REST CONNECTOR (verification of credentials and data import/export from/to external third-party system via REST)

• TR101 (support for PPPoE intermediate agent, TR-101 parameters)

• PAP/CHAP credentials processor

• EAP credentials processor

• CHARGING MEDIATION (for pre/postpaid accounting by integration with external billing system)

• Other modules and tools

REPORTING CAPABILITIES

Universal data-mining and reporting engine enables periodic creation of reports related to end users’ activity and provides a useful source of information about the utilization of resources. Accounting mistake prevention mechanisms are also delivered thanks to detailed logs and increased redundancy.


INTEGRATION WITH AVSYSTEM UMP

AVSystem AAA integrates seamlessly with AVSystem’s flagship product - Unified Device Management Platform (UMP). End-to-end service deployment, analysis of all the data within the scope of single reference, usage of DHCP option 82 as well as TR-101 data enhancements in zero-touch provisioning scenarios are only some of the benefits resulting from this integration.

ENTERPRISE WIFI

In a modern IT infrastructure, security is an extremely important factor. However, end users also require a high degree of mobility as well as unlimited access to everyday resources. That is the reason why WiFi Networks are becoming so popular nowadays. Most of present access points can easily support secure authentication technologies such as WPA2-Enterprise; however, they also require an external server to confirm user rights to access the network and/or additional arguments to manage such access.

AVSystem AAA is an ideal solution for WiFi Networks since it provides:

• Secure authentication in the networks of multiple access points

• Easy-to-use and flexible GUI allowing registration of accounts, access points as well as tracking the user activity

• Out of the box high-availability for demanding mission-critical networks

• Ability to track user location and restrict it

• Overview of current activity

• Detailed accounting of traffic / connection


SUPPORTED ENVIRONMENTS

AVSystem AAA can simultaneously support multiple service structures and environments.

DSL Network

• End-user authentication based on: previous logging history, connection location, BRAS/DSLAM used

• Authentication of both PPPoE/PPPoA and RFC1483-based connections

• Secure setup of 4Play environments with Data, VoIP, IPTV and Femtocells

• IP-Addresses assignment based on various internal policies

• Detailed tracking of user authentication compliant with local statutory requirements

Mobile Environments

• Secure end-to-end authentication and authorization of the users

• Central authentication for both WiMAX and LTE

• Support for EAP-TLS and EAP-TTLS authentication schemes

• Out-of-the-box support for vendor-specific parameters

• Location tracking/locking for mobile users

WiFi Environments

• Secure authentication and authorization

• Support for open and enterprise access points

• Support for WPA2-Enterprise

• Support for WiFi Off-Load

• Detailed tracking of user authentication and localization

VoIP Environments

• Decrease in soft-switch load by external authentication

• Location tracking/locking for mobile users

• Detailed accounting of the user resources

• Denial of access for pre-paid / suspicious users


AVSystem HQ, R&D Department

Radzikowskiego 47d, 31-315 Kraków, Poland

+48 12 619 47 00 [email protected] www.avsystem.com
