AAA Introduction and Overview

This reference describes the procedures to configure the AAA interface to enable authentication, authorization, and accounting (AAA) functionality for the core network service subscribers in a wireless carrier network.
Procedures to configure and administer core network services are described in detail in the respective product Administration Guides, and system-related configuration procedures are described in detail in the System Administration Guide. Before using the procedures in this chapter, refer to the respective product Administration Guide along with the System Administration Guide.
Important: This reference provides procedures to configure basic AAA interface functionality for your service. Some RADIUS and Diameter interface support is license-enabled. Contact your sales representative for more information.
 
Supported Products and License
AAA interface support is available for all services running on the ASR 5000.
Some of the functionality pertaining to prepaid accounting or Diameter-based support is part of enhanced feature support. For more information on these features, refer to the System Enhanced Feature Configuration Guide.
Important: Information on configuring product-specific AAA interfaces is provided in the respective Administration Guides.
 
Overview
The authentication, authorization, and accounting (AAA) subsystem on the chassis provides the basic framework for configuring access control on your network. The AAA subsystem in the core network supports Remote Authentication Dial-In User Service (RADIUS) and Diameter protocol-based AAA interfaces. The AAA subsystem also allows AAA servers to be configured in groups, each group containing a set of RADIUS/Diameter parameters for each application. This allows a single group to define a mix of Diameter and RADIUS servers for the various application functions.
Although AAA functionality is available through the AAA subsystem, the chassis also provides onboard access control functionality for simple access control through subscriber/APN authentication methods.
AAA functionality allows the operator to enable authentication and authorization for a subscriber or a group of subscribers through domain or APN configuration. The AAA interface provides the following AAA support to a network service:
 
Authentication: It is the method of identifying users, including login and password, challenge and response, messaging support, and encryption. Authentication is the way to identify a subscriber prior to being allowed access to the network and network services. An operator can configure AAA authentication by defining a list of authentication methods, and then applying that list to various interfaces.
All authentication methods, except for chassis-level authentication, must be defined through AAA configuration.
Authorization: It is the method to provide access control, including authorization for a subscriber or domain profile. AAA authorization sends a set of attributes to the service describing the services that the user can access. These attributes determine the user’s actual capabilities and restrictions.
Accounting: Collects and sends subscriber usage and access information used for billing, auditing, and reporting, such as user identities, start and stop times, performed actions, number of packets, and number of bytes.
Accounting enables the operator to analyze the services users are accessing as well as the amount of network resources they are consuming. Accounting records are comprised of accounting AVPs and are stored on the accounting server. This accounting information can then be analyzed for network management, client billing, and/or auditing.
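The following added example (it is not code from this reference or from the ASR 5000 software) shows what the RADIUS side of the three functions above puts on the wire: an Access-Request that carries the subscriber's password hidden under the shared secret and a Message-Authenticator, an Accounting-Request for a session Start or Stop, and the authenticator checks that a NAS and an accounting server must perform before trusting a reply or writing a billing record. The shared secret, subscriber name, password, NAS address and session identifier are constructed values.

```python
"""Added example (not the ASR 5000's own code): RADIUS (RFC 2865/2866/2869)
message construction and the authenticator checks on each side.
All secrets, identities and addresses below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # RFC 2865
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44                  # RFC 2866
MESSAGE_AUTHENTICATOR = 80                                  # RFC 2869


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, includes header) Value(<= 253 octets)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    This hides the password from an observer without the secret; it is not
    encryption in any modern sense, and the same secret recovers it."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform (and what anyone holding the secret can do)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """Access-Request: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    The Message-Authenticator is HMAC-MD5 keyed with the secret over the whole
    packet with its own value zeroed, so a modified request fails at the server."""
    auth = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, obfuscate_password(password, secret, auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + auth
    zero_ma = avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, header + attrs + zero_ma, hashlib.md5).digest()
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Find attribute 80, recompute the HMAC with it zeroed, compare in constant time."""
    off = 20
    while off + 2 <= len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += l
    return False


def build_accounting_request(ident, username, session_id, status_type, secret):
    """Accounting-Request (Acct-Status-Type 1 = Start, 2 = Stop). Here the
    Authenticator field is MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = (avp(USER_NAME, username)
             + avp(ACCT_STATUS_TYPE, struct.pack("!I", status_type))
             + avp(ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs


def verify_accounting_request(pkt: bytes, secret: bytes) -> bool:
    """What the accounting server checks before storing a record."""
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return len(pkt) >= 20 and hmac.compare_digest(expected, pkt[4:20])


def make_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Stand-in for the AAA server's reply: Response Authenticator =
    MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The NAS must run this before honouring an Access-Accept; otherwise any
    host able to spoof a UDP datagram to the NAS can grant subscriber access."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Two practical consequences follow from the code: every check depends on the shared secret, so a weak or reused secret exposes both subscriber passwords and the Accept/Reject decision; and the Response Authenticator only binds the reply to the request it answers, which is why the Message-Authenticator attribute should be required on requests and checked on replies wherever the server supports it.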
Advantages of using AAA are:
 
The following figure shows a typical AAA server group configuration that includes three AAA servers (RADIUS and Diameter).
 
AAA Server Group Configuration in a Core Network
 
Diameter Proxy
The proxy acts as an application gateway for Diameter. It reads its configuration at process startup and decides which Diameter peer must be contacted for each application. It establishes the peer connection if no peer connection already exists. Upon receiving an answer, it uses the Diameter Session-Id to identify the application for which the message is intended.
Each PSC has a Diameter proxy identified by the IPv6 origin host address. If the number of configured origin hosts is less than the number of active PSCs, the PSCs with no associated origin host do not activate Diameter processing at all, and instead notify administrators of the erroneous configuration through syslog/traps.
If the number of configured origin hosts is greater than the number of active PSCs, the application automatically selects which configured host is used for each PSC.
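The following added example (not the ASR 5000's own proxy code) illustrates the two mechanisms described above: a small RFC 6733 encoder/decoder with a per-PSC proxy that records the Session-Id of every outstanding request and routes the peer's answer back to the originating application, and the origin-host-to-PSC assignment rule. The origin host names, PSC labels, Session-Id values and the use of command code 272 (Credit-Control) with the Gx application ID 16777238 are constructed for the example.

```python
"""Added example (not the ASR 5000's own code): a toy Diameter (RFC 6733)
codec plus the proxy's answer-routing step keyed on Session-Id, and the
origin-host to PSC assignment rule.  All identities are constructed."""
import struct

SESSION_ID, AUTH_APPLICATION_ID, ORIGIN_HOST, RESULT_CODE = 263, 258, 264, 268
FLAG_REQUEST = 0x80        # command-flags R bit
AVP_MANDATORY = 0x40       # AVP-flags M bit
AVP_VENDOR = 0x80          # AVP-flags V bit: a 4-octet Vendor-ID follows the header


def encode_avp(code: int, data: bytes, flags: int = AVP_MANDATORY) -> bytes:
    """AVP = Code(4) Flags(1) Length(3) Data, padded to a 4-octet boundary.
    Length covers the 8-octet header and the data but not the padding."""
    length = 8 + len(data)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\x00" * (-len(data) % 4)


def decode_avps(body: bytes) -> dict:
    """Walk the AVP list into {code: data}; rejects truncated or short AVPs
    so a malformed peer message cannot over-read or loop forever."""
    avps, off = {}, 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", body[off:off + 5])
        length = int.from_bytes(body[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_VENDOR else 8
        if length < hdr_len or off + length > len(body):
            raise ValueError("bad AVP length")
        avps[code] = body[off + hdr_len:off + length]
        off += length + (-length % 4)
    return avps


def encode_message(cmd: int, flags: int, app_id: int, hbh: int, e2e: int, avps: bytes) -> bytes:
    """Header = Version(1)=1 Length(3) Flags(1) Code(3) AppId(4) HopByHop(4) EndToEnd(4)."""
    length = 20 + len(avps)
    return (b"\x01" + length.to_bytes(3, "big") + bytes([flags]) + cmd.to_bytes(3, "big")
            + struct.pack("!III", app_id, hbh, e2e) + avps)


def decode_message(pkt: bytes) -> dict:
    if len(pkt) < 20 or pkt[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(pkt[1:4], "big") != len(pkt):
        raise ValueError("length field does not match packet")
    app_id, hbh, e2e = struct.unpack("!III", pkt[8:20])
    return {"cmd": int.from_bytes(pkt[5:8], "big"), "request": bool(pkt[4] & FLAG_REQUEST),
            "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": decode_avps(pkt[20:])}


class DiameterProxy:
    """One proxy per PSC: remembers which local application opened each
    Session-Id and hands the peer's answer back to that application."""

    def __init__(self, origin_host: str):
        self.origin_host = origin_host.encode()
        self.pending = {}          # Session-Id -> application name
        self.next_hbh = 0

    def send_request(self, app_name: str, cmd: int, app_id: int, session_id: str) -> bytes:
        self.next_hbh += 1
        self.pending[session_id.encode()] = app_name
        avps = (encode_avp(SESSION_ID, session_id.encode())
                + encode_avp(ORIGIN_HOST, self.origin_host)
                + encode_avp(AUTH_APPLICATION_ID, struct.pack("!I", app_id)))
        return encode_message(cmd, FLAG_REQUEST, app_id, self.next_hbh, self.next_hbh, avps)

    def receive_answer(self, pkt: bytes):
        """Returns (application, Result-Code) or None.  An answer whose Session-Id
        was never issued here is dropped, which keeps a peer from injecting
        results for sessions it did not see."""
        msg = decode_message(pkt)
        if msg["request"]:
            raise ValueError("expected an answer, got a request")
        app = self.pending.pop(msg["avps"].get(SESSION_ID), None)
        if app is None:
            return None
        rc = msg["avps"].get(RESULT_CODE)
        return app, (struct.unpack("!I", rc)[0] if rc and len(rc) == 4 else None)


def assign_origin_hosts(origin_hosts: list, active_pscs: list) -> tuple:
    """Pair configured origin hosts with active PSCs in order.  Surplus PSCs get
    no proxy and are returned so they can be reported; surplus hosts go unused."""
    return dict(zip(active_pscs, origin_hosts)), active_pscs[len(origin_hosts):]
```

The `pending` table is what the text calls using the Session-Id to identify the application; in a real deployment it also needs a timeout so that answers that never arrive do not accumulate state indefinitely.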
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883