
AAA Overview

Aug, 2009

Futureinfonet
Proposed AAA system is …

Supplied at 2nd International Certification Center of WiMAX Forum

Mainly Conformed to Global Standard
 WiMAX NWG
 IETF
 3GPP

Focusing Characteristics
 Scalability
 High performance
 High availability
 Modular architecture
 Stable Service

Global Standards Product
References
 Major Service Reference sites
Experiences for interface
 Development Experience: Interface Technical
• Diameter and RADIUS
• SOAP over HTTP, XML, HTTPS/HTTP, SNMP, TCP, UDP

 Interface Systems
• Samsung ASN-GW
• Multi-vendor ASN-GW, simultaneously
• Multi-protocol, simultaneously
• Proxy / Server mode, simultaneously
• Cisco HA
• Verint LI Server
• Billing: Oracle, Geneva, Darnet Baltic UAB, Netup, ESKADENIA, Crescent
• OpenNet AAA
• Mformation OMA-DM
• Cisco SME/SCE
• Hot lining (ASN-GW Hot lining, HA Hot lining)
• CPEs in the world (by 2nd International Certification Center)
AAA Key Features
 Standard Features
• High performance memory database
• Multi-Profile support, i.e. Bronze, Silver, Gold, roamer vs. non-roamer
• Configurable Peer management
• Intelligent Routing Features, i.e. Realm / NAI / User-Name / App ID based routing
• Extensible via Plug-in capabilities
• High functionality, high performance
• Multiple business models supported, i.e. wholesale/MVNO/retail (needs customizing for interworking with the VNO's systems)
• Simultaneous RADIUS and Diameter support

 WiMAX Features
• Multiple EAP methods (TLS, TTLS, AKA, MSCHAPv2)
• Mobility Key Generation and Management
• Active Session State, i.e. Pseudo and Real Identity
• Mobility Control
• Fixed & Mobile WiMAX support
• Convert Pseudo-ID to Real-ID in accounting records
• WiMAX Forum Compliant and committed to Standards
AAA Components
 Key Components
• Support for Multiple Access Networks – no performance impact
• Support for Multi-vendor Access Networks – no performance impact
• Dual Stack (RADIUS and Diameter)
• Proxy & Server mode support
• Intelligent Routing Features, i.e. Realm / NAI / User-Name / App ID based routing
• OAM
• Accounting Interface
• Subscriber Management
• Modular software

[Architecture diagram]
Management Layer: Configure Manager, Statistics Manager, Alarm/Status Control, Admin Control, Log Manager
Application Layer: EAP-AKA, EAP-TLS/TTLS, MSCHAP2, MIPv4; RADIUS-Diameter Protocol Translator, Accounting Processor, Subscriber & QoS Manager, Session Manager
Interface Layer: Diameter Core, RADIUS Core, Socket Manager, HTTP(S)
External systems: Other AAA, Any Access-GW, ASN-GW, Billing, Provisioning Server

RADIUS/Diameter Proxy
 Powerful Proxy Support
• Rule-based proxy allows unparalleled control in both home network and roaming scenarios

 Key Components
• Inbound / Outbound Roamer Processing
• Accounting with local billing
• Mirroring accounting messages to other vendors' billing
• Accounting Interface: Diameter, RADIUS or CDR (needs customizing for interworking with other MNOs)

[Diagram: AAA System] ASN-GW (Samsung, Diameter protocol) and ASN-GW (Cisco, RADIUS protocol) → Diameter TR GW / RADIUS → EAP App, Accounting App → Billing System

[Diagram: Roaming] Home Network: WiMAX BS – ASN-GW – AAA Server (RADIUS or Diameter) – Provisioning, Customer Care, Accounting / Billing System. Visited Network: WiMAX BS – ASN-GW – AAA Proxy (RADIUS or Diameter) – Provisioning, Customer Care, Accounting / Billing System. The two networks are connected over the IP Network through Border Routers.
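The Intelligent Routing bullet (Realm / NAI based routing) and the rule-based proxy slide above describe the decision a RADIUS/Diameter proxy makes for every request: serve it locally, forward it to the home AAA for that realm, or refuse it. The following is an added example, not the product's own code: the realms, peers, routing table and the proxy's own identity are constructed for illustration. It splits the NAI per RFC 4282 (a decorated NAI routes on the realm after the last `@`), chooses the longest matching realm suffix, refuses unknown realms rather than forwarding them, and treats a request whose hop list already contains this proxy as a routing loop.

```python
"""
Realm/NAI-based routing for a rule-based RADIUS/Diameter proxy.
Added example; all realms, peers and identities below are constructed.
"""
from dataclasses import dataclass

OWN_IDENTITY = "aaa.visited.example"       # this proxy's own identity (constructed)
LOCAL_REALMS = {"visited.example"}         # realms this AAA authenticates itself


@dataclass(frozen=True)
class Route:
    realm: str       # matches this realm exactly or any sub-realm of it
    peer: str        # next-hop AAA for that realm
    protocol: str    # "radius" or "diameter", whatever that peer speaks


ROUTES = [                                 # constructed routing table
    Route("home.example", "aaa1.home.example", "diameter"),
    Route("roam.home.example", "aaa-roam.home.example", "radius"),
    Route("partner.example", "proxy.partner.example", "radius"),
]


def parse_nai(user_name):
    """Split an RFC 4282 NAI into (username, realm).

    A decorated NAI such as 'home.example!user@visited.example' is routed on
    the realm after the last '@'; the next hop strips that realm and routes
    on the remaining decoration. No realm means the user is local.
    """
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, (realm.lower() or None)


def select_route(user_name, routes=ROUTES, local_realms=LOCAL_REALMS, route_record=()):
    """Return (decision, route).

    decision is 'local' (authenticate here), 'proxy' (forward to route.peer)
    or 'reject' (unroutable realm, or a loop). route_record is the list of
    AAA hops the request already passed through (Diameter Route-Record or
    the RADIUS proxy's own state); seeing ourselves in it means a loop.
    """
    _, realm = parse_nai(user_name)
    if OWN_IDENTITY in route_record:
        return "reject", None
    if realm is None or realm in local_realms:
        return "local", None
    best = None
    for r in routes:
        if realm == r.realm or realm.endswith("." + r.realm):
            # longest matching suffix wins, so a sub-realm rule overrides its parent
            if best is None or len(r.realm) > len(best.realm):
                best = r
    if best is None:
        return "reject", None          # unknown realm: never forward by default
    return "proxy", best


if __name__ == "__main__":
    for nai in ("alice@visited.example", "bob@eu.roam.home.example",
                "home.example!carol@partner.example", "dave@unknown.example"):
        print(nai, "->", select_route(nai))
```

The default-deny for unknown realms is deliberate: a proxy that falls back to a catch-all home route will happily relay credentials for realms nobody configured.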
Postpaid & Prepaid Accounting
 Real Time Processing
• RADIUS & Diameter accounting messages are sent to the AAA Service Controller, which forwards them to the Billing system in real time

 Support Postpaid & Prepaid Charging
• Collects RADIUS & Diameter records
• Provides secure storage to prevent loss of valuable accounting data
• Correlates RADIUS/Diameter and WiMAX start, interim and stop session records as well as flow-based accounting, saving to the billing system
• Formats records for the specific billing system, reducing integration costs
• High performance capable and real time processing

 Various interfaces with Billing system
• RADIUS
• Diameter
• CDR
• CDR File

[Sequence diagram: CPE – ACR-GW – AAA – Billing]
• CPE – ACR-GW: EAP-Auth. Success
• ACR-GW → AAA: DIAMETER ACR (Start); AAA → Billing: RADIUS Accounting Req. (Start); Billing returns the quota remaining; Billing → AAA: RADIUS Accounting Response; AAA → ACR-GW: DIAMETER ACA
• ACR-GW → AAA: DIAMETER ACR (Interim); AAA → Billing: RADIUS Accounting Req (Interim); Billing debits the quota and returns the remaining; RADIUS Accounting Response; DIAMETER ACA (Interim)
• Further Interim exchanges repeat, each with a quota debit and remaining
• CPE – ACR-GW: EAP-Auth. Termination Request
• ACR-GW → AAA: DIAMETER ACR (Stop); AAA → Billing: RADIUS Accounting Req (Stop); Billing debits the quota and returns the remaining; RADIUS Accounting Response; DIAMETER ACA
• CPE – ACR-GW: EAP-Auth. Termination
Provisioning
 Administration
• Administrator control
• Commands: addUser / deleteUser / modifyUser / abortSession

 Various interfaces
• HTTP
• HTTPS – Secure channel
• DB API
• TCP Message

 Benefits
• Flexibility and Control
• Fast implementation

[Diagram] Service Connection Function – HTTP/S – Service Manager – DB (Subscriber & Service Info: ID, Password, Service etc.; MS Auth. Key Info: Fixid, K); Environment Manager; Log Manager
Operation, Administration and Maintenance
 Administration
• Administrator Register / Management
• Peer Configuration Inquiry / Addition / Delete
• Realm-Routing Configuration Inquiry / Add / Delete
• EAP Configuration Inquiry / Change
• Pseudo Key Inquiry / Addition
• Alarm Manager
• Subscriber Inquiry / Change / Modify / Delete
• Statistics & History

• GUI Based OAM (Default)
• Web Based OAM (Optional)
Annex

Authentication / Authorization Flow


Basic Data Flow & Accounting Flow
Quality Of Service
Authentication / Authorization Flow (EAP-TLS)

[Sequence diagram: MS – ASN-GW – AAA – AAA DB]
• MS – ASN-GW: EAP-START
• ASN-GW → MS: EAP-REQUEST / IDENTITY
• MS → ASN-GW → AAA: EAP-RESPONSE / IDENTITY
• AAA → ASN-GW → MS: EAP-REQUEST / TLS: TLS-Start
• MS → ASN-GW → AAA: EAP-RESPONSE / TLS: ClientHello
• AAA → ASN-GW → MS: EAP-REQUEST / TLS: ServerHello, AAA Server Certificate, CertificateRequest, ServerHelloDone (MS verifies the AAA Server Certificate)
• MS → ASN-GW → AAA: EAP-RESPONSE / TLS: Device Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, Finished (AAA verifies the Device Certificate)
• AAA → ASN-GW → MS: EAP-REQUEST / TLS: ChangeCipherSpec, Finished
• MS → ASN-GW → AAA: EAP-RESPONSE / TLS: NoData
• Device Authentication Done
• AAA – AAA DB: User Authentication, check Calling-Station-Id (MS's real MAC-ID)
• AAA → ASN-GW → MS: EAP-SUCCESS
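Between the ASN-GW and the AAA, the EAP messages in the flow above travel inside RADIUS Access-Request / Access-Accept packets. Two things decide whether that leg can be trusted: every packet carrying EAP-Message must carry a Message-Authenticator (HMAC-MD5 under the shared secret, RFC 3579), and the NAS must tie each response to its request through the Response Authenticator (RFC 2865). The example below is added here and is not the product's code: it builds the Access-Request for the final "NoData" EAP-Response, verifies it on the AAA side, performs the Calling-Station-Id check against a subscriber record (the shared secret and the subscriber entry are constructed), and answers with Access-Accept or Access-Reject that the NAS can verify in turn.

```python
"""
RADIUS transport of an EAP exchange with Message-Authenticator and
Response Authenticator checks. Added example; secret and DB are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                  # RFC 2865 codes
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 31, 79, 80
EAP_SUCCESS, EAP_FAILURE = b"\x03\x01\x00\x04", b"\x04\x01\x00\x04"    # code, id, length

SECRET = b"constructed-shared-secret"                                  # constructed
SUBSCRIBERS = {"user1@example.net": {"mac": "00-11-22-33-44-55"}}      # constructed AAA DB


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value           # Type, Length, Value


def _assemble(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def _message_authenticator(code, identifier, authenticator, attrs, secret):
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    draft = _assemble(code, identifier, authenticator,
                      attrs + [_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    return _attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, draft, hashlib.md5).digest())


def build_access_request(secret, identifier, user_name, calling_station_id, eap_msg, request_auth=None):
    """NAS (ASN-GW) side. request_auth is 16 random octets unless fixed for a test."""
    request_auth = request_auth or os.urandom(16)
    attrs = [_attr(USER_NAME, user_name.encode()), _attr(CALLING_STATION_ID, calling_station_id.encode())]
    attrs += [_attr(EAP_MESSAGE, eap_msg[i:i + 253]) for i in range(0, len(eap_msg), 253)]  # fragment
    attrs.append(_message_authenticator(ACCESS_REQUEST, identifier, request_auth, attrs, secret))
    return _assemble(ACCESS_REQUEST, identifier, request_auth, attrs)


def parse_packet(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, identifier, pkt[4:20], attrs


def verify_message_authenticator(pkt, secret, request_auth=None):
    """For a request the HMAC uses its own Request Authenticator; for a response
    it uses the Request Authenticator of the request it answers."""
    code, identifier, authenticator, attrs = parse_packet(pkt)
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False                                   # required whenever EAP-Message is present
    rebuilt = [_attr(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    draft = _assemble(code, identifier, request_auth or authenticator, rebuilt)
    return hmac.compare_digest(received[0], hmac.new(secret, draft, hashlib.md5).digest())


def build_response(code, request_pkt, secret, attrs):
    """AAA side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, request_auth, _ = parse_packet(request_pkt)
    encoded = [_attr(t, v) for t, v in attrs]
    encoded.append(_message_authenticator(code, identifier, request_auth, encoded, secret))
    body = b"".join(encoded)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(resp_pkt, request_pkt, secret):
    """NAS side: the response must answer this request and both authenticators must match."""
    _, req_id, request_auth, _ = parse_packet(request_pkt)
    _, identifier, resp_auth, _ = parse_packet(resp_pkt)
    expected = hashlib.md5(resp_pkt[:4] + request_auth + resp_pkt[20:] + secret).digest()
    return (identifier == req_id and hmac.compare_digest(resp_auth, expected)
            and verify_message_authenticator(resp_pkt, secret, request_auth))


def authorize(request_pkt, secret=SECRET, subscribers=SUBSCRIBERS):
    """After the device certificate passed: bind the session to the subscriber by
    comparing Calling-Station-Id with the MAC on record, then answer."""
    if not verify_message_authenticator(request_pkt, secret):
        return None                                    # bad or missing HMAC: silently discard
    _, _, _, attrs = parse_packet(request_pkt)
    fields = {t: v for t, v in attrs if t in (USER_NAME, CALLING_STATION_ID)}
    nai = fields.get(USER_NAME, b"").decode(errors="replace")
    mac = fields.get(CALLING_STATION_ID, b"").decode(errors="replace").upper()
    record = subscribers.get(nai)
    if record is None or record["mac"].upper() != mac:
        return build_response(ACCESS_REJECT, request_pkt, secret, [(EAP_MESSAGE, EAP_FAILURE)])
    return build_response(ACCESS_ACCEPT, request_pkt, secret, [(EAP_MESSAGE, EAP_SUCCESS)])


if __name__ == "__main__":
    # EAP-Response, id 1, length 6, type 13 (EAP-TLS), flags 0: the "NoData" message
    req = build_access_request(SECRET, 7, "user1@example.net", "00-11-22-33-44-55", b"\x02\x01\x00\x06\x0d\x00")
    resp = authorize(req)
    print("Access-Accept" if parse_packet(resp)[0] == ACCESS_ACCEPT else "Access-Reject",
          "response verified:", verify_response(resp, req, SECRET))
```

A packet whose Message-Authenticator fails is dropped without any reply, which is the behaviour RFC 3579 asks for; answering it would let a sender probe the secret. The MAC check is an authorization binding only: it ties the authenticated device certificate to the subscriber record, it does not by itself prove the MAC address.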
Authentication / Authorization Flow (EAP-TTLS / MS-CHAPv2 over Diameter DER/DEA)

[Sequence diagram: MS/SS – ACR – AAA]
• MS/SS – ACR: EAP-START
• ACR → MS/SS: EAP-REQUEST / IDENTITY
• MS/SS → ACR: EAP-RESPONSE / IDENTITY; ACR → AAA: DER / EAP-RESPONSE / IDENTITY
• AAA → ACR: DEA / EAP-REQUEST / TTLS: TTLS-Start; ACR → MS/SS: EAP-REQ / TTLS: TTLS-Start
• MS/SS → ACR: EAP-RES / TTLS: ClientHello; ACR → AAA: DER / EAP-RESPONSE / TTLS: ClientHello
• AAA → ACR → MS/SS: DEA / EAP-REQUEST / TTLS: ServerHello, Certificate, *CertificateRequest, ServerHelloDone
• MS/SS → ACR → AAA: DER / EAP-RESPONSE / TTLS: *Certificate, ClientKeyExchange, *CertificateVerify, ChangeCipherSpec, Finished
• AAA → ACR → MS/SS: DEA / EAP-REQUEST / TTLS: ChangeCipherSpec, Finished
• User Authentication (inside the TTLS tunnel):
• MS/SS → ACR → AAA: DER / EAP-RESPONSE / TTLS: UserName, MS-CHAP-Challenge, MS-CHAP2-Response
• AAA → ACR → MS/SS: DEA / EAP-REQUEST / TTLS: MS-CHAP2-Success
• MS/SS → ACR → AAA: DER / EAP-RESPONSE / TTLS: NoData
• AAA → ACR: DEA / EAP-SUCCESS; ACR → MS/SS: EAP-SUCCESS

Authentication / Authorization Flow (quota authorization)

[Sequence diagram: MS – ASN-GW – AAA – Billing]
• MS → ASN-GW: Authentication Request
• ASN-GW → AAA: Authorization Request (Access-Request)
• AAA → ASN-GW: Access-Accept with Class, QV, QT
• Store Subscriber's Quota information
• ASN-GW → MS: Authentication Success
Basic Data Flow & Accounting Flow

[Sequence diagram: MS – ASN-GW – AAA – Billing; MS traffic towards the Internet]
• MS ACTIVE: ASN-GW → AAA → Billing: Accounting START, Acct-Multi-Session-Id = Class
• In-Service: Accounting INTERIM, Acct-Multi-Session-Id = Class (repeated while the session is in service)
• Accounting STOP, Acct-Multi-Session-Id = Class
• Disconnect
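The Postpaid & Prepaid Accounting slide and the two flows just above describe one mechanism: Access-Accept returns Class, QV and QT; every accounting record of that session carries Acct-Multi-Session-Id equal to the Class value; each Start, Interim and Stop record is correlated on that value, the quota is debited and the remaining amount returned; and the accounting record handed to billing carries the real identity rather than the pseudo-identity. The following is an added example, not the product's own code. It assumes (the deck does not say) that QV is a volume quota in octets and QT a time quota in seconds, that service flows of one network session each report under their own Acct-Session-Id with cumulative counters, and that an exhausted quota is answered with a "disconnect" decision which the AAA would act on through its abortSession command; the subscriber, identities and records are constructed.

```python
"""
Prepaid quota control over Start / Interim / Stop accounting records,
correlated by Acct-Multi-Session-Id == Class. Added example; the meaning of
QV/QT and all sample values are assumptions, not taken from the deck.
"""
from dataclasses import dataclass, field


@dataclass
class QuotaSession:
    pseudo_id: str                    # outer identity seen by the ASN-GW
    real_id: str                      # inner identity learned during EAP
    qv: int                           # granted volume quota, octets (assumed meaning of QV)
    qt: int                           # granted time quota, seconds (assumed meaning of QT)
    flows: dict = field(default_factory=dict)   # Acct-Session-Id -> (octets, seconds) last seen
    closed: set = field(default_factory=set)    # flows for which a Stop was received

    def remaining(self):
        # RADIUS counters are cumulative per flow: volume is summed across the
        # service flows, time is the longest-running flow (flows of one network
        # session run concurrently, so their times are not added together)
        used = sum(o for o, _ in self.flows.values())
        elapsed = max((s for _, s in self.flows.values()), default=0)
        return self.qv - used, self.qt - elapsed


class QuotaController:
    def __init__(self):
        self.sessions = {}            # Class value -> QuotaSession
        self.billing = []             # records forwarded to the billing system

    def on_access_accept(self, class_value, pseudo_id, real_id, qv, qt):
        """Store the subscriber's quota when Access-Accept (Class, QV, QT) is sent."""
        self.sessions[class_value] = QuotaSession(pseudo_id, real_id, qv, qt)

    def on_accounting(self, rec):
        """Process one accounting record (dict of RADIUS attribute -> value).
        Returns (action, remaining_octets, remaining_seconds) where action is
        'continue', 'disconnect', 'closed' or 'reject'."""
        key = rec.get("Acct-Multi-Session-Id")
        sess = self.sessions.get(key)
        if sess is None:
            return "reject", 0, 0     # no quota was ever granted under this correlation id
        flow, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        octets = rec.get("Acct-Input-Octets", 0) + rec.get("Acct-Output-Octets", 0)
        seconds = rec.get("Acct-Session-Time", 0)
        prev_octets, prev_seconds = sess.flows.get(flow, (0, 0))
        if octets < prev_octets or seconds < prev_seconds:
            # cumulative counters never decrease: stale or replayed record, not debited
            return ("reject",) + sess.remaining()
        sess.flows[flow] = (octets, seconds)
        # billing sees the real identity; the pseudo-identity stays in the AAA
        self.billing.append({
            "User-Name": sess.real_id, "Class": key, "Acct-Session-Id": flow,
            "Acct-Status-Type": status, "Octets": octets, "Acct-Session-Time": seconds,
        })
        rem_octets, rem_seconds = sess.remaining()
        if status == "Stop":
            sess.closed.add(flow)
            if sess.closed == set(sess.flows):
                del self.sessions[key]            # last flow stopped: session state released
                return "closed", rem_octets, rem_seconds
        if rem_octets <= 0 or rem_seconds <= 0:
            return "disconnect", rem_octets, rem_seconds   # AAA would issue abortSession here
        return "continue", rem_octets, rem_seconds


if __name__ == "__main__":
    ctl = QuotaController()                                # constructed walk-through
    ctl.on_access_accept("C0FFEE01", "0A1B2C@example.net", "user1@example.net", 10_000_000, 3600)
    base = {"Acct-Multi-Session-Id": "C0FFEE01", "User-Name": "0A1B2C@example.net"}
    for rec in (
        {"Acct-Session-Id": "SF1", "Acct-Status-Type": "Start"},
        {"Acct-Session-Id": "SF1", "Acct-Status-Type": "Interim-Update",
         "Acct-Input-Octets": 4_000_000, "Acct-Output-Octets": 2_000_000, "Acct-Session-Time": 600},
        {"Acct-Session-Id": "SF2", "Acct-Status-Type": "Interim-Update",
         "Acct-Input-Octets": 3_000_000, "Acct-Output-Octets": 2_000_000, "Acct-Session-Time": 300},
    ):
        print(rec["Acct-Session-Id"], rec["Acct-Status-Type"], "->", ctl.on_accounting({**base, **rec}))
```

Two details matter for a prepaid system: counters that go backwards are rejected instead of being debited (otherwise a replayed or reset Interim would refund quota), and the per-flow records are summed before the comparison, so a subscriber cannot stay under quota by splitting traffic across service flows.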
Quality Of Service

[Sequence diagram: MS – BS – ASN-GW – AAA – EMS – CRM]
• Pre-Provisioning: Per-Flow QoS profile & Classification rule; Network entry configuration (configured by operator); QoS ID per User
• Authentication
• Service flow (SF) provisioning: AAA → ASN-GW (Diameter): Download per-flow QoS (Profile) ID list per user; ASN-GW: Extract Per-SF QoS Profile
• R6 SF setup: DSA-REQ, DSA-RSP, DSA-ACK between ASN-GW, BS and MS; Service Flow Based Accounting Start
• Per-SF QoS enforcement

DSA: Dynamic Service Addition
