8950 AAA Overview. All Rights Reserved © Alcatel-Lucent 2007 2 | Introduction to 8950 AAA Module Objectives Supported platforms History 8950 AAA Features.


1 8950 AAA Overview

2 All Rights Reserved © Alcatel-Lucent | Introduction to 8950 AAA
Module Objectives
- Supported platforms
- History
- 8950 AAA Features
- Standards Compliance & Awards

3 8950 AAA
- A AAA (Authentication, Authorization & Accounting) software package
- Compliance with RADIUS and Diameter IETF RFCs
- Pronounced "Triple A"
- Formerly known as: Vital AAA, and NavisRadius
- Based on Java
  - Platform independent
  - Flexible and extensible

4 8950 AAA Evolution (I)
[Timeline diagram; labels in the order extracted]
- FreeRadius 1.1 ©Livingston
- Ascend Access Control ©Ascend
- Ascend buys Livingston
- NavisRadius 1.3: based on FreeRadius
- PortAuthority 2.1 ©Lucent
- Lucent buys Ascend
- NavisRadius 3.x: with Java, multiplatform and new engine (PolicyFlow)

5 8950 AAA Evolution (II)
[Timeline diagram; labels and date markers in the order extracted]
- NavisRadius 4.0 = NR3.2 + GUI enhancements
- 2001
- NavisRadius 4.2 = Change in USS architecture + dictionary in XML
- NavisRadius 4.3->4.5 = Wi-Fi support (MD5, GTC, TLS, TTLS/PEAP, SIM, etc.)
- VitalAAA 5.0 = Diameter support + HTTPS/SSH
- 3/ /2006
- Alcatel merges with Lucent
- VitalAAA 5.1 = IPAMv2 + TACACS + Lawful Intercept
- VitalAAA 5.2 = DHCPv6 + IPv6 MIBs + cron-based PF + EAP-FAST
- 4/
- 8950 AAA 6.0 = UUS2 + File Replication + WiMAX policy flow
- 3/2008

6 AAA Components and communication ports
[Component diagram; labels in the order extracted, so the pairing of each port with a component is only as reliable as that order]
- aaa-cmd
- Policy Server + USS
- SMT/Config Server
- Plug-Ins: Data I/O (DHCP, JDBC, Password file, etc.)
- Logical Flow and decision Making
- Utilities
- GUI = SMT
- TCP:9020
- UDP:1812, 1813, 3799
- TCP:9023
- Adm
- TCP:9097,9099
- SNMP Ag.
- UDP: 9161
- SNMP client
- Web Serv
- Browser (HTTP[S])
- TCP: 9080
- Other AAA servers
- TCP:3868
- RADIUS Test Client
- Diam. Test Client
- telnet client
- ssh client
- TCP:9023
- TCP:9022
- SQL DB
- TCP: 9001
- LDAP USS
- TCP: 9389
- SQL client (SMT)
- LDAP/LDIF client
- Lawful Intercept Server
- TACACS+ Test Client
- TCP:49
- TCP:9021

7 Functionality Overview
RADIUS / Diameter / TACACS+ PolicyServer
- Processes authentication & accounting requests
- Invokes the method engine
- Starts the web server
- Starts the Telnet/SSH CLI servers
- Logs events
USS + IPAM
- Maintains port usage information
- Identifies session limit violations
- Monitors user sessions
- May assign IPs

8 Logical System View
[Diagram labels: AAA; Remote ISP; Local AAA server #1; Local AAA server #2; Universal StateServer; LDAP Directories or Database Servers; NAS; User; PSTN; the Internet]

9 Management and Control Features
8950 AAA Server Management Tool (SMT)
- Graphical User Interface (GUI)
- Provides server administration and statistics
- Local or Remote (via Configuration Server)
Remote Management
- Via telnet/ssh and modifying configuration files
- Using the SMT
- With a Command Line Interface (CLI)
- All remote management traffic can be encrypted with SSH or SSL

10 PolicyFlow and PolicyAssistant
PolicyFlow (PF)
- Extensible plug-in software architecture enabling the construction of flexible AAA policies, to be able to meet any AAA requirements
- You design exactly the processing steps you need, in the order you need them
PolicyAssistant (PA)
- Simplifies configuration for small ISPs or companies (predefined policy flow plus predefined provisioning)
- Handles 80% of simple configuration needs
- Otherwise, use PolicyFlow
- Has a graphical wizard to define policies
[Chart labels: Configuration Time; What can be done; PF; PA]

11 8950 AAA Major Features (I)
Storage of user profiles
- Local text files
- SQL server (local built-in (HSQL) or remote)
- LDAP server
- HTTP server
- RADIUS server (proxy RADIUS)
Storage of accounting logs
- Local text files
  - Allows definition of any file format (Classic, Delimited or Fixed)
- Remote servers
  - Remote database (SQL) or RADIUS servers (proxy-RADIUS)

12 8950 AAA Major Features (II)
- Proxy-RADIUS
  - Ability to modify/add/remove any attribute sent/received from the remote server
- Secure external authentication in token card servers
  - SecurID/ACE (RSA)
  - SafeWord (Secure Computing)
- Time-of-Day restrictions
  - And automatic calculation of Session-Timeout
- Wide EAP support
  - EAP-MD5, EAP-GTC, EAP-LEAP, EAP-MsChapV2, EAP-TLS (and TTLS and PEAP), EAP-SIM/AKA, EAP-FAST
- Multiple Dictionaries
  - To meet specific characteristics of each NAS or remote RADIUS server (when proxying)

13 8950 AAA Major Features (III)
- Pre-authentication for dial-up
- SNMP support for statistics (v1, v2 & v3)
  - Standard RFCs for RADIUS auth+acct (server and client): 4668, 4669, 4670, 4671
- Built-in SQL database for users and accounting data storage

14 Troubleshooting facilities
- Complete customizable logging facilities per message area
  - Conditional logging based on AAA attributes for specific user names, realms, calling numbers, called numbers…
  - Multiple logging levels
  - Multiple places where logs can be sent (file, syslog, SNMP trap, …)
- Client testing tools, with CLI and GUI
  - To simulate the connection of any user from any NAS with any condition (any AAA AVP)
  - RADIUS TestClient & NAS-simulator, TACACS+ TestClient
  - Diameter TestClient

15 IP address assignment for users
- Local management by the NAS
- Simple built-in address manager
- USS-based advanced IP Address Manager (IPAM)
  - With optional redundancy and High-Availability
  - Pools can be defined without restarting the server
  - Different pools can have overlapping IP addresses
  - IPv4 addresses and IPv6 prefixes
- External DHCP server
  - Selecting any DHCP option for a pool selection
[Diagram labels: DHCP; RADIUS; PPP; [HA-]IPAM; Simple Address Manager; DHCP server; Local in NAS]

16 AAA protocol translator and proxy
- Any translation can be made between different protocols
  - RADIUS and TACACS+
  - RADIUS and Diameter
  - TACACS+ and Diameter
- Due to the flexibility of the PolicyFlow language
  - Can receive AAA information in any protocol, and can generate outgoing AAA packets in any protocol
[Diagram labels: RADIUS; Diameter; TACACS+; Translation Agent; Proxy]

17 Supported Platforms
Server + SMT (GUI):
- Solaris SPARC & x86: from 2.7 to 2.10
- HP-UX 11.0
- Compaq/DEC TRU-64 UNIX
- RedHat Enterprise Linux
- Windows 2000, 2003 & XP
- MacOS: from 10.2 to 10.4
Java Virtual Machine (JRE, SDK or J2SE)
- J2SE 5.0

18 Universal StateServer (USS) = Session Manager
- Keeps a database of NAS and Port usage
  - To maintain session information
- Maintains counters for resource usage:
  - User Name
  - Called Number (DNIS)
  - Realm
  - Arbitrary criteria: ISP Name, Department, Region, Affinity group, etc.
- May enforce limits on any of these counters
- Optionally, it can have redundancy (HA-USS)
- Optionally, the session and counters info can also be read via LDAP interface
- Optionally, it can assign dynamic IP addresses (IPAM)

19 8950 AAA awards (I)
[Award graphics: Best Authentication Server & Security Product of the Year; Best Authentication Server]
- Network Computing Best Authentication Server, for 2 years in a row (2004 & 2005)
- Well-Connected Award for outstanding networking products and services (2004)
- Overall Security product of the year (2005), from more than 27 security products in 9 different security categories
- Editors Choice and Best Value for the Enterprise RADIUS servers (2005)

20 8950 AAA awards (II)
- 3GSM World Congress (2006) in Barcelona (Spain), Highly Commended Award for Innovation in GSM Roaming, by enabling a GSM operator to deliver a service that allows GSM mobile users to use their home broadband network to initiate and accept and roam between the home and GSM networks without dropping the call! *

21 Installed base
8950 AAA is deployed in over 4,000 service providers, enterprise and government networks around the world. Customers range from:
- small businesses and enterprises and universities offering remote dial-in and wireless access services, to
- government departments and agencies,
- wholesale operators selling ports to downstream customers,
- major wireless service providers, and
- global Internet service providers.

22 Standards Compliance (I) x 1XEV-DO

23 RADIUS Standards Compliance (II)

24 RADIUS Standards Compliance (III)

