8950 AAA Overview

Module Objectives
Supported platforms
History

8950 AAA Features


Standards Compliance & Awards

2 | Introduction to 8950 AAA

All Rights Reserved Alcatel-Lucent 2007

8950 AAA
A AAA (Authentication, Authorization & Accounting; pronounced "Triple A") software package
Compliance with RADIUS and Diameter IETF RFCs

Formerly known as: Vital AAA, and NavisRadius

Based on Java
Platform independent
Flexible and extensible


8950 AAA Evolution (I)

FreeRadius 1.1
Livingston
1992 Ascend buys Livingston

NavisRadius 1.3
Based on FreeRadius

Ascend Access Control


Ascend
Lucent buys Ascend 1999

NavisRadius 3.x
With Java, multiplatform and new engine (PolicyFlow) 2000

PortAuthority 2.1
Lucent


8950 AAA Evolution (II)


VitalAAA 5.2
= DHCPv6 + IPv6 MIBs + cron-based PF + EAP-FAST 4/2007 3/2008

8950 AAA 6.0
= UUS2 + File Replication + WiMAX policy flow

VitalAAA 5.1
= IPAMv2 + TACACS + Lawful Intercept 12/2006

Alcatel merges with Lucent

VitalAAA 5.0
= Diameter support + HTTPS/SSH 3/2006

NavisRadius 4.0
= NR3.2 + GUI enhancements

NavisRadius 4.2
= Change in USS architecture + dictionary in XML

NavisRadius 4.3->4.5
= Wi-Fi support (MD5, GTC, TLS, TTLS/PEAP, SIM, etc.)

2001


AAA Components and communication ports


[Diagram: 8950 AAA components, client tools and communication ports. Labels in the order they appear:]

TCP:9097,9099
GUI = SMT
Adm
TCP:9020, TCP:9021, TCP:9023, TCP:9022
aaa-cmd TCP:9023
Web Serv TCP:9080
TCP:49, TCP:3868
UDP:1812, 1813, 3799
SNMP Ag., SQL DB, LDAP, USS

SMT/Config Server

Plug-Ins: Data I/O (DHCP, JDBC, Password file, etc.), Logical Flow and Decision Making, Other AAA servers

Client tools: telnet client, ssh client, Browser (HTTP[S]), TACACS+ Test Client, Diam. Test Client, RADIUS Test Client, SNMP client, SQL client (SMT), LDAP/LDIF client

Policy Server + USS
UDP: 9161, TCP: 9001

Utilities
Lawful Intercept Server
TCP: 9389
Functionality Overview
PolicyServer (RADIUS / Diameter / TACACS+)
Processes authentication & accounting requests
Invokes the method engine
Starts the web server
Starts the Telnet/SSH CLI servers
Logs events

USS + IPAM
Maintains port usage information
Identifies session limit violations
Monitors user sessions
May assign IPs

Logical System View


[Diagram: User, PSTN, NAS, the Internet, Local AAA server #1, Local AAA server #2, Universal StateServer, LDAP Directories or Database Servers, AAA Remote ISP]

Management and Control Features


8950 AAA Server Management Tool (SMT)
Graphical User Interface (GUI)
Provides server administration and statistics
Local or Remote (via Configuration Server)

Remote Management
Via telnet/ssh and modifying configuration files
Using the SMT
With a Command Line Interface (CLI)
All remote management traffic can be encrypted with SSH or SSL

PolicyFlow and PolicyAssistant


PolicyFlow (PF)
Extensible plug-in software architecture enabling the construction of flexible AAA policies, to be able to meet any AAA requirements
You design exactly the processing steps you need, in the order you need them.

PolicyAssistant (PA)
Simplifies configuration for small ISPs or companies (predefined policy flow plus predefined provisioning)
Handles 80% of simple configuration needs
Otherwise, use PolicyFlow
Has a graphical wizard to define policies

[Chart: PF and PA plotted by "What can be done" against "Configuration Time"]

8950 AAA Major Features (I)


Storage of user profiles:
Local text files
SQL server (local built-in (HSQL) or remote)
LDAP server
HTTP server
RADIUS server (proxy RADIUS)

Storage of accounting logs:
Local text files
Allows definition of any file format (Classic, Delimited or Fixed)
Remote servers
Remote database (SQL) or RADIUS servers (proxy-RADIUS)

8950 AAA Major Features (II)


Proxy-RADIUS
Ability to modify/add/remove any attribute sent/received from the remote server

Secure external authentication in token card servers
SecurID/ACE (RSA)
SafeWord (Secure Computing)

Time-of-Day restrictions
And automatic calculation of Session-Timeout

Wide EAP support
EAP-MD5, EAP-GTC, EAP-LEAP, EAP-MsChapV2, EAP-TLS (and TTLS and PEAP), EAP-SIM/AKA, EAP-FAST

Multiple Dictionaries
To meet specific characteristics of each NAS or remote RADIUS server (when proxying)

8950 AAA Major Features (III)


Pre-authentication for dial-up

SNMP support for statistics (v1, v2 & v3)
Standard RFCs for RADIUS auth+acct (server and client): 4668, 4669, 4670, 4671

Built-in SQL database for users and accounting data storage

Troubleshooting facilities
Completely customizable logging facilities, per message area
Conditional logging based on AAA attributes, for specific user names, realms, calling numbers, called numbers
Multiple logging levels
Multiple places where logs can be sent (file, syslog, SNMP trap, ...)

Client Testing tools, with CLI and GUI
To simulate the connection of any user from any NAS with any condition (any AAA AVP)
RADIUS TestClient & NAS-simulator, TACACS+ TestClient, Diameter TestClient

IP address assignment for users


Local management by the NAS

Simple built-in address manager

USS-based advanced IP Address Manager (IPAM)
With optional redundancy and High-Availability
Pools can be defined without restarting the server
Different pools can have overlapping IP addresses
IPv4 addresses and IPv6 prefixes

External DHCP server
Selecting any DHCP option for a pool selection

[Diagram labels: PPP, RADIUS, DHCP, Local in NAS, Simple Address Manager, [HA-]IPAM, DHCP server]

AAA protocol translator and proxy


Any translation can be made between different protocols
RADIUS / TACACS+ / Diameter <-> RADIUS / TACACS+ / Diameter
Due to the flexibility of the PolicyFlow language

Can receive AAA information in any protocol, and can generate outgoing AAA packets in any protocol

[Diagram: RADIUS, Diameter, TACACS+ on one side; Translation Agent / Proxy in the middle; RADIUS, Diameter, TACACS+ on the other side]

Supported Platforms
Server + SMT (GUI):
Solaris SPARC & x86: from 2.7 to 2.10
HP-UX 11.0
Compaq/DEC TRU-64 UNIX
RedHat Enterprise Linux
Windows 2000, 2003 & XP
MacOS: from 10.2 to 10.4

Java Virtual Machine (JRE, SDK or J2SE)
J2SE 5.0

Universal StateServer (USS) = Session Manager


Keeps a database of NAS and Port usage
To maintain sessions information

Maintains counters for resource usage:
User Name
Called Number (DNIS)
Realm
Arbitrary criteria: ISP Name, Department, Region, Affinity group, etc.

May enforce limits on any of these counters
Optionally, it can have redundancy (HA-USS)
Optionally, the session and counters info can also be read via LDAP interface
Optionally, it can assign dynamic IP addresses (IPAM)

8950 AAA awards (I)


Network Computing
Best Authentication Server, for 2 years in a row (2004 & 2005)
Well-Connected Award for outstanding networking products and services. (2004)
Overall Security product of the year (2005), from more than 27 security products in 9 different security categories.
Editors Choice and Best Value for the Enterprise RADIUS servers. (2005)

8950 AAA awards (II)


3GSM World Congress (2006) in Barcelona (Spain)
Highly Commended Award for Innovation in GSM Roaming, by enabling a GSM operator to deliver a service that allows GSM mobile users to use their home broadband network to initiate and accept and roam between the home and GSM networks without dropping the call!

Installed base
8950 AAA is deployed in over 4,000 service providers, enterprise and government networks around the world. Customers range from:
small businesses and enterprises and universities offering remote dial-in and wireless access services, to
government departments and agencies,
wholesale operators selling ports to downstream customers,
major wireless service providers, and
global Internet service providers.

Standards Compliance (I)

1XEV-DO

http://

802.1x


RADIUS Standards Compliance (II)


RADIUS Standards Compliance (III)
