One of the main components of the network is the AAA Server. AAA Server provides authentication, authorization and accounting, together with real-time subscriber session management for mobility, roaming, security, and control over the services offered and the services actually used. AAA Server supports prepaid and postpaid schemes. In some specialized scenarios AAA Server acts as a proxy server and provides access to subscribers' session information.
AAA Server main features:
AAA Server supports authentication based on one or more attributes (attribute set is configurable) such as IMSI, MSISDN, IMEI, NAI, Realm/Domain, username, etc.
Combinations of these parameters are configured in the Policy Engine, which defines the static rules applied during the authentication procedure.
AAA Server supports multiple authentication policies that can be configured in the Policy Engine.
An ordered list of rules is configured in the Policy Engine. Each rule consists of one condition and one action.
AAA Server supports the following authentication methods: CHAP, PAP, MSCHAPv1/v2, EAP (EAP-MD5), Microsoft PEAP, EAP-MSCHAP-v2 for PEAP, EAP-AKA, EAP-SIM, and EAP-TLS.
AAA Server supports the Blacklist feature. If a user enters incorrect passwords during authentication, AAA Server can block the user once a certain number of unsuccessful attempts is reached. For a certain period of time, AAA Server will then refuse to authenticate the user even if the correct password is provided. The feature itself, the allowed number of authentication attempts, and the duration of the lockout are all configurable parameters.
Blacklist functionality can be configured per APN, realm/domain, NAS, etc.
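The lockout logic described above, written out as an added example (not the product's own code): consecutive failures are counted per user within a configurable scope (here the realm, but APN or NAS would work the same way), and while the lockout is active even the correct password is refused. All names and the `check_password` backend callback are assumptions.

```python
import time
from collections import defaultdict

# Constructed model of the Blacklist feature. The scope keys decide which
# attributes of the request (APN, realm/domain, NAS, ...) the counter is keyed on.
class Blacklist:
    def __init__(self, max_attempts, lockout_seconds, scope_keys=("realm",)):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.scope_keys = scope_keys
        self.failures = defaultdict(int)   # scope -> consecutive failed attempts
        self.locked_until = {}             # scope -> time at which the lockout ends

    def _scope(self, user, attrs):
        # Lockout is tracked per user within the configured scope (APN, realm, NAS, ...)
        return (user,) + tuple(attrs.get(k) for k in self.scope_keys)

    def authenticate(self, user, password, attrs, check_password, now=None):
        """Return 'accept', 'reject' or 'reject-locked'. check_password is the backend lookup."""
        now = time.time() if now is None else now
        scope = self._scope(user, attrs)
        until = self.locked_until.get(scope)
        if until is not None:
            if now < until:
                return "reject-locked"      # still locked: even a correct password fails
            del self.locked_until[scope]    # lockout has expired, start counting afresh
            self.failures[scope] = 0
        if check_password(user, password):
            self.failures[scope] = 0
            return "accept"
        self.failures[scope] += 1
        if self.failures[scope] >= self.max_attempts:
            self.locked_until[scope] = now + self.lockout_seconds
            self.failures[scope] = 0
            return "reject-locked"
        return "reject"
```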
AAA Server supports the following protocols to implement real-time billing:
AAA Server supports generation, delivery and storage of CDR records for all events that need to be rated. The CDR format and the set of fields in the records can vary depending on operator requirements, for example CSV, ASN.1, XML, etc.
AAA Server supports the following billing collection interfaces: FTP, SFTP, FTPS, SSH, XML over HTTP(S), 3GPP API Charging Subset.
Additional interfaces can be developed according to customer requirements.
The AAA Server includes a database that is used for the following purposes:
AAA Server provides a provisioning interface (SOAP) through which BSS/OSS systems manage subscriber profiles. Additional interfaces can be configured or developed according to customer requirements. The database, its parameter list and the parameter values can be customized according to customer requirements. AAA Server can be integrated with an external database via the standard LDAP protocol (v3).
The used-traffic database is populated from the accounting messages of user sessions, including sessions that have been proxied to external servers.
The active-session database holds the subscriber sessions currently open. After a user establishes a connection, AAA Server stores information about the open session. Session information includes MSISDN, IP address, IMSI, and many other parameters. External systems, such as a call center, may request session information through an HTTP interface; in this case the search can be performed by MSISDN, IMSI, IMEI or another identifier.
AAA Server includes a high-performance Proxy Engine.
The Proxy Engine supports request balancing, fault detection and failover mechanisms.
The Proxy Engine can use different servers to proxy authentication and accounting messages.
Interaction between RADIUS servers is in accordance with RFC 2865. A shared key (shared secret) configured on both peers is used for authentication and encryption of the exchanged packets.
Conditions under which AAA Server proxies ACCESS or ACCOUNTING messages to an external server are set in Policy Engine rules. Proxying conditions can be set based on any attributes present in the ACCESS or ACCOUNTING message, such as domain, NAS, APN, subscriber id, etc.
Multiple external AAA servers can be grouped together in failover or load-balancing mode. Failover mode ensures high availability of the authentication process by using alternate servers from the group when the primary server is unavailable or responds too slowly. If the first server in the group fails to respond within the configured time, AAA Server resends the request to the next server in the group. If no response is received from any server in the group, then, according to the configured rules, either a negative response (reject) or a positive response (accept) with local user authorization is sent in reply to the request.
Grouping external servers in load-sharing mode allows distributing ACCESS and ACCOUNTING requests between several servers according to a round-robin algorithm.
Before sending a request to an external AAA server, AAA Server can modify any RADIUS attribute in the request. For example, if the values of certain attributes satisfy a specified condition, the AAA Server may include a new attribute in the request, remove an existing attribute from the request, or change the value of an existing attribute.
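The behaviour of the Policy Engine rules (one condition, one action, evaluated in order), the server groups in failover and load-sharing mode with the no-response fallback, and the attribute rewriting before forwarding, combined in one added example. This is a constructed model, not the product's code; `send(server, packet)` stands in for the RADIUS transport and the server addresses are from the documentation range 192.0.2.0/24.

```python
import itertools

# Constructed model of the Proxy Engine (assumed names, not the product's code).
# send(server, packet) stands in for the RADIUS transport and returns the reply
# dict, or None when the server does not answer within the configured timeout.

def apply_rewrites(packet, rewrites):
    """Rewrite RADIUS attributes before forwarding: ("set"|"remove", name, value)."""
    out = dict(packet)
    for op, name, value in rewrites:
        if op == "set":                    # add a new attribute or change an existing one
            out[name] = value
        elif op == "remove":
            out.pop(name, None)
    return out

class ServerGroup:
    def __init__(self, servers, mode, on_no_response="reject"):
        self.servers = list(servers)
        self.mode = mode                   # "failover" or "load-sharing"
        self.on_no_response = on_no_response
        self._next = itertools.cycle(range(len(self.servers)))

    def _order(self):
        if self.mode == "failover":
            return self.servers            # always try the primary first
        start = next(self._next)           # round-robin: rotate the first server tried
        return self.servers[start:] + self.servers[:start]

    def forward(self, packet, send):
        for server in self._order():
            reply = send(server, packet)
            if reply is not None:          # answered in time: stop here
                return reply
        # No server answered: configured fallback, reject or accept with local authorization
        code = "Access-Accept" if self.on_no_response == "accept" else "Access-Reject"
        return {"code": code, "via": "local"}

def evaluate(rules, packet, send):
    """Ordered Policy Engine rules: the first condition that matches decides the action.
    Each action is (group, rewrites); no match means the request is handled locally."""
    for condition, (group, rewrites) in rules:
        if condition(packet):
            return group.forward(apply_rewrites(packet, rewrites), send)
    return {"code": "local-auth", "via": "local"}
```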
AAA Server uses CoA messages to dynamically change the active user session. RADIUS attributes in CoA can contain instructions for the NAS to create, modify, or terminate a subscriber's service. CoA messages contain information to dynamically reauthorize the subscriber's session.
The following command codes are used for CoA messages: CoA-Request (43), CoA-ACK (44), CoA-NAK (45).
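The CoA message codes above on the wire, as an added example (not the product's code): building a CoA-Request (43) with the session-identifying attributes, computing the RFC 5176 authenticators, and checking a CoA-ACK (44) or CoA-NAK (45) from the NAS against the outstanding request. The shared secret and session values are constructed; the attribute numbers are the standard RADIUS ones.

```python
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard RADIUS attribute types typically used to identify the session in a CoA-Request
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 8, 44

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_coa_request(ident, attrs, secret):
    """CoA-Request (43). Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_request(request, secret):
    """NAS side: recompute the Request Authenticator; a mismatch means the packet
    was not produced with this shared secret and must be silently discarded."""
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return len(request) >= 20 and request[4:20] == expected

def build_response(code, request, attrs, secret):
    """CoA-ACK (44) or CoA-NAK (45) from the NAS. The Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_response(response, request, secret):
    """Match a NAS reply to the outstanding request: same identifier, a CoA-ACK/NAK
    code, and a Response Authenticator computed with our shared secret.
    Returns the code on success, None otherwise (the reply must be discarded)."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1] or code not in (COA_ACK, COA_NAK):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if expected == response[4:20] else None
```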
Similarly, AAA Server sends PoD messages to NAS when it receives messages from OCS about deletion of subscriber, change of subscriber's status, etc. Rules for generating and sending PoD and CoA messages are configured in Policy Engine.
AAA Server provides a mechanism for centralized IP address management. The centralized mechanism simplifies IP address pool management procedures, for example, by eliminating the need to configure address pools on each NAS. IP address pools can be created for each individual NAS or for a group of NASes. When a subscriber establishes a connection, an IP address is assigned to that session. The subscriber can have a static IP address, or an IP address can be assigned from an address pool by the AAA Server or NAS. IP address pools can be defined in AAA Server for each NAS.