lumen

AAA Server

Solution Overview

One of the main components of the network is the AAA Server. The AAA Server provides authentication, authorization and accounting, together with real-time subscriber session management for mobility, roaming, security, and control over the services offered and the services consumed. AAA Server supports prepaid and postpaid schemes. In some specialized scenarios AAA Server acts as a proxy server and provides access to subscriber session information.

AAA Server main features:

  • Supports all types of networks. AAA Server supports a variety of access networks. Its ability to serve multiple networks and services simultaneously saves investment and operating costs for operators licensed to provide services over several types of network. Operators can build a single AAA system that authenticates, authorizes and accounts for all user data on fixed and mobile networks, giving them centralized management of users and their services.
  • A carrier-class solution with high performance and reliability. The solution includes redundancy for core components and nodes. Load balancing and distribution mechanisms eliminate single points of failure. AAA Server comes with traffic monitoring and congestion protection, allowing it to scale to serve millions of subscribers.

AAA Server functionality

Flexible authentication

AAA Server supports authentication based on one or more attributes (the attribute set is configurable) such as IMSI, MSISDN, IMEI, NAI, Realm/Domain, username, etc.

Combinations of these parameters are configured in the Policy Engine, which defines the static rules applied during the authentication procedure.

AAA Server supports multiple authentication policies that can be configured in the Policy Engine.

An ordered list of rules is configured in the Policy Engine. Each rule consists of one condition and one action.

  • A condition specifies an attribute and the value it must have in a request of the Access or Accounting type. For maximum flexibility, any attribute present in the request can be used.
  • The action specifies what AAA Server should do with the request when the condition is met. An action can also reference another rule, which makes it possible to build complex authentication rules with nested conditions.
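As an added illustration (not the product's own code or configuration), the following Python sketch models such an ordered rule list: a rule's action is either a terminal decision or another rule, so nested conditions are expressed as a chain. The names Rule, Condition, evaluate() and decide(), the action labels and the sample policy values are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Condition:
    msg_type: str            # "Access" or "Accounting"
    attribute: str           # any attribute that may appear in the request
    value: Optional[str]     # required value; None = attribute only has to be present

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    # Terminal actions are strings ("local-auth", "reject", "proxy:<group>");
    # a nested Rule is a further condition that must also hold (assumed labels).
    action: Union[str, "Rule"]

def matches(cond: Condition, msg_type: str, request: dict) -> bool:
    if msg_type != cond.msg_type or cond.attribute not in request:
        return False
    return cond.value is None or request[cond.attribute] == cond.value

def evaluate(rules: list, msg_type: str, request: dict, default: str = "reject") -> str:
    """The first rule whose whole condition chain matches decides the request.
    If a nested condition fails, evaluation continues with the next top-level rule."""
    for rule in rules:
        current: Optional[Rule] = rule
        while current is not None and matches(current.condition, msg_type, request):
            if isinstance(current.action, Rule):
                current = current.action          # descend into the nested condition
                continue
            return current.action
    return default

# Constructed sample policy (illustrative values, not from the product).
RULES = [
    Rule("corp-realm", Condition("Access", "Realm", "corp.example"),
         Rule("corp-apn", Condition("Access", "APN", "internet.corp"), "proxy:corp-aaa")),
    Rule("blocked-nas", Condition("Access", "NAS-IP-Address", "192.0.2.10"), "reject"),
    Rule("any-user", Condition("Access", "User-Name", None), "local-auth"),
    Rule("acct", Condition("Accounting", "Acct-Status-Type", None), "local-auth"),
]

def decide(msg_type: str, request: dict) -> str:
    return evaluate(RULES, msg_type, request)
```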

Authentication Methods

AAA Server supports the following methods: CHAP, PAP, MSCHAPv1/v2, EAP (EAP-MD5), Microsoft PEAP, EAP-MSCHAP-v2 for PEAP, EAP-AKA, EAP-SIM, and EAP-TLS.

AAA Server supports a Blacklist feature. If a user enters incorrect passwords during authentication and a configured number of unsuccessful attempts is reached, AAA Server can block the user. For a configured period of time AAA Server then rejects the user's authentication even if the correct password is supplied. The feature itself, the allowed number of authentication attempts, and the duration of the lockout are all configurable parameters.

Blacklist behaviour can be configured per APN, realm/domain, NAS, etc.
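The lockout behaviour described above, as an added Python example that is not part of the product: failures are counted per (user, realm), the policy can be overridden per realm, and a locked user is refused even with the correct password until the lockout expires. Class and function names (LockoutPolicy, Blacklist, simulate) and the sample limits are assumptions; the clock is injectable so the expiry can be demonstrated without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class LockoutPolicy:
    enabled: bool = True
    max_attempts: int = 5            # failures that trigger the block
    lockout_seconds: float = 900.0   # how long the user stays blocked

@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0

class Blacklist:
    """Per-(user, realm) failure tracking with a per-realm policy override."""
    def __init__(self, default: LockoutPolicy,
                 per_realm: Optional[Dict[str, LockoutPolicy]] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.default, self.per_realm, self.clock = default, per_realm or {}, clock
        self.state: Dict[Tuple[str, str], _State] = {}

    def authenticate(self, user: str, realm: str, password_ok: bool) -> str:
        """Returns "accept", "reject" or "locked" (refused even if password_ok)."""
        policy = self.per_realm.get(realm, self.default)
        st = self.state.setdefault((user, realm), _State())
        now = self.clock()
        if policy.enabled and now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = 0
            return "accept"
        st.failures += 1
        if policy.enabled and st.failures >= policy.max_attempts:
            st.locked_until = now + policy.lockout_seconds
            st.failures = 0                       # counter restarts after the lockout
        return "reject"

def simulate() -> list:
    """Constructed scenario: corp.example allows 3 attempts and locks for 60 s."""
    now = [0.0]
    bl = Blacklist(LockoutPolicy(), clock=lambda: now[0],
                   per_realm={"corp.example": LockoutPolicy(max_attempts=3, lockout_seconds=60)})
    results = [bl.authenticate("alice", "corp.example", False) for _ in range(3)]
    results.append(bl.authenticate("alice", "corp.example", True))   # correct, but locked
    now[0] = 61.0
    results.append(bl.authenticate("alice", "corp.example", True))   # lockout has expired
    return results
```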

Integration with IN and Billing systems (prepaid and postpaid)

AAA Server supports the following protocols to implement real-time billing:

  • DCCA
  • SOAP (OSA/Parlay)

AAA Server supports generation, delivery and storage of CDRs for all events that need to be rated. The CDR format and the set of fields in the records can vary depending on operator requirements, for example CSV, ASN.1, XML, etc.

AAA Server supports the following interfaces (Billing Collection Interfaces): FTP, SFTP, FTPS, SSH, XML over HTTP(S), 3GPP API Charging Subset.

Additional interfaces can be developed according to customer requirements.

SPR

The AAA Server includes a database that is used for the following purposes:

  • Subscriber profile database.
  • Database of services used by subscribers (traffic/service counters).
  • Database of active subscriber sessions.

AAA Server provides a SOAP provisioning interface through which BSS/OSS systems manage subscriber profiles. Additional interfaces can be configured or developed according to customer requirements. The database, its parameter list and values can be customized according to customer requirements. AAA Server can also be integrated with an external database over the standard LDAP protocol (LDAPv3).

The database of used traffic is populated from the accounting messages of user sessions, including sessions that have been proxied to external servers.

The active-session database holds the sessions currently open. After a user establishes a connection, AAA Server stores information about the open session, including MSISDN, IP address, IMSI, and many other parameters. External systems, such as a call center, may request session information through an HTTP interface; the lookup can be performed by MSISDN, IMSI, IMEI or another identifier.

Proxy mode

AAA Server includes a high-performance Proxy Engine.

The Proxy Engine supports request balancing, fault detection and failover mechanisms.

The Proxy Engine can use different servers to proxy authentication and accounting messages.

Interaction between RADIUS servers follows RFC 2865. A shared key (shared secret) is used for authentication and encryption of the exchanged messages.

Conditions under which AAA Server proxies ACCESS or ACCOUNTING messages to an external server are set in Policy Engine rules. Proxying conditions can be based on any attributes present in the ACCESS or ACCOUNTING message, such as domain, NAS, APN, subscriber ID, etc.

Multiple external AAA servers can be grouped together in failover or load-sharing mode. Failover mode ensures high availability of the authentication process by using alternate servers from the group when the primary server is unavailable or responds with delays. If the first server in the group fails to respond within the configured time, AAA Server resends the request to the next server in the group. If no server in the group responds, then, according to the configured rules, either a negative response (reject) or a positive response (accept) with local authorization of the user is returned.

Grouping external servers in load-sharing mode distributes ACCESS and ACCOUNTING requests between several servers using a round-robin algorithm.

Before sending a request to an external AAA server, AAA Server can modify any RADIUS attribute in the request. For example, if the values of certain attributes satisfy a specified condition, AAA Server may add a new attribute to the request, remove an existing attribute, or change the value of an existing attribute.
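The proxy behaviour described in the three paragraphs above (failover to the next server on timeout, round-robin load sharing, a configured reject or local-auth fallback when nobody answers, and conditional attribute rewriting before forwarding), as an added Python example that is not the product's own code. ServerGroup, rewrite(), proxy() and demo_transport() are assumed names; the transport is a constructed stand-in that returns None for a server that did not answer in time, so no network is needed.

```python
import itertools
from typing import Callable, Dict, List, Optional

Request = Dict[str, Optional[str]]
# transport(server, request) -> response dict, or None when the server gave no
# answer within the timeout (the real transport is assumed to enforce the timeout).
Transport = Callable[[str, Request], Optional[dict]]

class ServerGroup:
    """External servers in "failover" (configured order) or "load-sharing" (round-robin) mode."""
    def __init__(self, servers: List[str], mode: str, on_no_response: str):
        self.servers, self.mode = list(servers), mode
        self.on_no_response = on_no_response      # "reject" or "local-auth"
        self._next = itertools.cycle(range(len(servers)))

    def order(self) -> List[str]:
        if self.mode == "failover":
            return list(self.servers)
        start = next(self._next)                 # rotate which server is tried first
        return self.servers[start:] + self.servers[:start]

def rewrite(request: Request, rules: list) -> Request:
    """Each rule is (cond_attr, cond_value, op, attr, value), op in add/set/remove,
    applied only when request[cond_attr] == cond_value. The input is not mutated."""
    out = dict(request)
    for cond_attr, cond_value, op, attr, value in rules:
        if out.get(cond_attr) != cond_value:
            continue
        if op == "remove":
            out.pop(attr, None)
        elif op in ("add", "set"):
            out[attr] = value
    return out

def proxy(group: ServerGroup, request: Request, transport: Transport, rewrites=()) -> dict:
    """First server that answers wins; otherwise the group's fallback decision applies."""
    forwarded = rewrite(request, list(rewrites))
    for server in group.order():
        response = transport(server, forwarded)
        if response is not None:
            return {"server": server, **response}
    return {"server": None, "result": group.on_no_response}

def demo_transport(down: set) -> Transport:
    """Constructed transport: servers in `down` time out, the rest accept."""
    def send(server: str, request: Request):
        if server in down:
            return None
        return {"result": "accept", "attrs": sorted(request)}
    return send
```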

PoD and CoA Packets

AAA Server uses CoA messages to dynamically change an active user session. RADIUS attributes in a CoA message can carry instructions for the NAS to create, modify, or terminate a subscriber's service, and CoA messages contain the information needed to dynamically reauthorize the subscriber's session.

The following command codes are used for CoA messages: CoA-Request (43), CoA-ACK (44), CoA-NAK (45).

Similarly, AAA Server sends PoD (Packet of Disconnect) messages to the NAS when it receives notifications from the OCS about deletion of a subscriber, a change of subscriber status, etc. Rules for generating and sending PoD and CoA messages are configured in the Policy Engine.
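To make the CoA exchange concrete, here is an added Python example (not the product's code) that encodes a CoA-Request with the code 43 listed above and checks the CoA-ACK/NAK (44/45) coming back from the NAS. The authenticator rules are those of RFC 5176: the Request Authenticator is an MD5 over the header, sixteen zero octets, the attributes and the shared secret, and the Response Authenticator replaces the zeros with the Request Authenticator. nas_reply() is a constructed stand-in for the NAS side; the session id, user name and secret are sample values.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS Type/Length/Value stream."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def build_coa_request(identifier, attrs, secret):
    """CoA-Request (code 43). Request Authenticator per RFC 5176:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))  # 20 = header + authenticator
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def nas_reply(request, secret, code=COA_ACK, attrs=()):
    """Constructed NAS side: CoA-ACK/NAK whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_response(request, response, secret):
    """What the AAA Server checks before trusting an ACK/NAK: code, echoed Identifier,
    declared length, and the Response Authenticator (compared in constant time)."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or identifier != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    # Constructed sample: reauthorize session "sess-0001" (Acct-Session-Id is type 44, User-Name type 1).
    secret = b"example-shared-secret"
    req = build_coa_request(7, [(44, b"sess-0001"), (1, b"alice")], secret)
    print(verify_response(req, nas_reply(req, secret), secret))
```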

IP address management

AAA Server provides a mechanism for centralized IP address management, which simplifies address pool management, for example by eliminating the need to configure address pools on each NAS. IP address pools can be defined in AAA Server for each individual NAS or for a group of NASes. When a subscriber establishes a connection, an IP address is assigned to that session: the subscriber can have a static IP address, or an address can be assigned from an address pool by AAA Server or by the NAS.