Table of Contents
1 Overview
1.1 Background
1.2 Objectives
2 Authentication Technology and Realization
2.1 PPP Authentication
2.1.1 Basic Principles
2.1.2 Details of Realization
3 Authorization Technology and Realization
3.1 User Static Authorization
3.1.1 Basic Principles
3.1.2 Details of Realization
4.2 Real-time Accounting
4.3 Local Accounting Protection
4.3.1 Basic Principles
4.3.2 Details of Realization
4.4 Accounting Copy
5 Typical Application Cases
5.1 Typical PPPoE User Networking Applications
5.2 Typical IPoE User Networking Application
5.3 Multi-Play Service Typical Networking Applications
Appendix Abbreviations
1 Overview
1.1 Background
The traditional IP network is a common communications resource that delivers best-effort services, pursues a simple and open architecture, and offers users an open communications platform rather than user-based operation and management. In the telecom IP bearer network, however, delivering operable and manageable network services is key to networking, and as a result the telecom IP bearer network needs to provide AAA capabilities, including:

Authentication: validating the identity of users when they log on to the network;
Authorization: granting users access to network resources in network applications;
Accounting: recording and providing accurate billing data on users' network access or usage.

To ensure network access for authorized users, their identity must be established. Authentication is the process of identifying the user's identity; authorization is the process of accessing the preconfigured user profile once the identity has been established through authentication and granting the user the corresponding network access rights based on that profile, including bandwidth limitation, access list and service policy, thus delivering the committed network services; accounting is the process of billing users based on their network access records and data, and collecting fees on the basis of the supporting bills. Accounting information can be recorded per user for the services accessed, duration and traffic.
The authentication, authorization and accounting (AAA) technologies are both mutually independent and closely related. Authentication is the identification of a user as a genuine one and a precondition for granting user access. Authorization is an important means of rigorous user service management and control. Accounting offers technical assurance for service providers to garner profitability.
1.2 Objectives
In network operation, AAA technologies abound in variety, and carriers also impose markedly different AAA requirements for different users and services. Based on the large volume of services delivered over the years to globally operating networks, Huawei Corporation analyses and summarizes the following mature and sophisticated AAA solutions, which have been implemented to effectively enhance broadband network operation and evolution. At the core of the AAA solution is a multi-service control gateway (MSCG) located at the convergence edge of the IP/MPLS multi-service bearer network. MSCG satisfies the diverse needs of different levels of customers by seamlessly integrating user/terminal management, service control and security control features. This paper introduces Huawei MSCG AAA technologies and the solutions available for application in broadband operating networks. Huawei's representative AAA products are the MA5200G and ME60 series.
Authentication technologies covered: PAP and CHAP; authentication based on the user's location information; EAP; 802.1X authentication.
The technical specifications for authentication are listed in the table below:
Table 2 A Summary of Authentication Technologies

Authentication Technology: Description

PAP: PAP authentication is a two-way handshake authentication method using a plaintext password. The authenticated user sends username and password to the authenticator, which looks up the user profile to see whether the user exists and whether the password is correct before returning a response (Acknowledge or Not Acknowledge). PAP transmits or forwards the authentication password in the clear, which compromises security to some extent.

CHAP: CHAP authentication is a three-way handshake authentication method under which the password itself is never sent; only a digest (the "encrypted text") derived from it is. The authenticator sends a randomly generated challenge to the authenticated user; the user runs the MD5 algorithm over the challenge together with his/her password and sends the resulting digest back to the authenticator (Response); the authenticator runs MD5 over the original random challenge with the stored password of that user, compares the two digests, and then responds with Acknowledge or Not Acknowledge based on the result. Exchanging a digest instead of the password delivers a higher level of security than PAP.

MSCHAP: MSCHAP is Microsoft's authentication protocol, derived by extending CHAP. MSCHAP combines a cryptographic algorithm with a hash algorithm and is suitable for LAN users. MSCHAP includes V1 and V2 versions.

EAP: A general protocol supporting multiple authentication mechanisms. Unlike the PPP authentication process, EAP does not negotiate a specific authentication method such as PAP or CHAP at the LCP stage, but waits until the authentication stage to make the choice based on the specific situation. This allows the authenticator to first send further requests to the requesting terminal and determine which mechanism to use after receiving a response. Under the EAP method, the authenticator (for example, MSCG) does not have to follow the authentication process itself, but instead passes the EAP authentication requests and responses transparently to the authentication server (for example, the AAA server). The authenticator decides whether to allow user access only by judging the authentication result (success/failure) returned by the authentication server.
The user authorization methods used today usually include static user authorization and dynamic user authorization. Static authorization pre-configures access restrictions on the AAA server; the system issues the network access authorization to users when they go online and thereby enforces policy control over their access to the network. Dynamic authorization is a process in which the AAA server dynamically modifies the network access authorization of users while they are online and using network services.

The charging modes used in real-world network operation mainly include: monthly fee charging, duration based charging, traffic based charging and destination based charging. Based on the method of payment, the charging modes can be further divided into prepaid charging and postpaid charging. The two accounting methods used to implement such charging modes are remote accounting and local accounting. Remote accounting sends the original accounting information from MSCG through RADIUS to the AAA server, which is connected to the billing system to issue CDRs or bills; local accounting stores the original information at an accounting point through a local protocol such as an internal interface and subsequently imports that information through file transfer into the accounting system. Local accounting is not a standalone accounting method; it is used only for protection in the event of remote accounting failure. To enhance accounting accuracy, MSCG supports real-time accounting, which periodically sends CDR data through RADIUS to the AAA server. To ensure accounting reliability and facilitate accounting settlement between networks, MSCG supports an accounting CDR copy function by which accounting CDRs are simultaneously sent to two AAA servers.
broadcast links. The ensuing description is made based on the PPPoE protocol.
Figure 2
Figure 3
1) A PPPoE client sends a PADI message to the PPPoE server and starts PPPoE access;
2) The PPPoE server sends a PADO message to the client;
3) In response, the client initiates a PADR request to the PPPoE server;
4) The PPPoE server generates a session ID and sends it to the client through PADS;
5) PPP LCP negotiation is made between the client and the PPPoE server to establish link layer communications;
6) The PPPoE server sends a 128-bit Challenge to the authentication client;
7) After receiving the challenge, the client first runs the MD5 algorithm over the password and the Challenge, and then sends the result in the response to the PPPoE server;
8) The PPPoE server sends the challenge, the challenge-password and the username through RADIUS to the AAA server for authentication;
9) The AAA server determines whether the user is an authorized user based on the user information and then responds with authentication success/failure to the PPPoE server. In the event of authentication success, the response carries the negotiation parameters and user-specific service properties as necessary to grant user authorization. In the case of authentication failure, the process comes to an end;
10) The PPPoE server returns the authentication result to the client;
11) During NCP (for example, IPCP) negotiation, the user obtains such parameters as the planned IP address through the PPPoE server;
12) In the case of authentication success, the PPPoE server initiates an accounting start request to the RADIUS user authentication server;
13) The RADIUS user authentication server responds to the accounting start request.
By then, the user has passed authentication and received valid authorization, and as a result, can conduct network services as usual.
server and device work together to carry out user authentication. The default username authentication process is included in the WEB authentication process. This paper focuses on the WEB authentication process. Additionally, MSCG supports configuring the corresponding WEB server IP address under the user authentication domain, so that users in different authentication domains are pushed a personalized mandatory WEB authentication page.

WEB Access Authentication Process

Prior to WEB authentication, a user must obtain an IP address through DHCP or static configuration. If mandatory WEB authentication is configured, the user only needs to open the browser and access any web page; MSCG automatically redirects the user to the PORTAL authentication page. After the user submits username and password, MSCG collaborates with the WEB server to conduct user authentication. The specific procedure, taking a DHCP user as an example, is as follows:
Figure 5
(1)~(4) The process in which a dynamic user obtains an IP address through DHCP (a static user can configure the IP address manually);
(5) The user accesses the WEB server's authentication page, enters username and password on the page, and clicks the login button (when MSCG generates the username by default, MSCG generates username and password in a specific format based on the user's physical access location information such as slot, port, VLAN/PVC and Option82);
(6) The WEB server notifies MSCG of the user information through the PORTAL protocol;
(7) MSCG goes to the corresponding AAA server to authenticate the user;
(8) The AAA server returns the authentication result to MSCG;
(9) MSCG notifies the WEB server of the authentication result;
(10) The WEB server notifies the user of the authentication result through an HTTP page;
(11) In the case of authentication success, the user can access network resources as usual.
card number, port number, VLAN/PVC and DHCP Option82 information), and conducts user authentication accordingly. The binding authentication process further guarantees user service security since users are unaware of the authentication process.
In this architecture, the system consists of an authentication requestor, an authentication point and an authentication server in a tripartite structure. The authentication requestor corresponds to the client; the authentication point corresponds to MSCG; the authentication server corresponds to the AAA server.

The 802.1X Access Authentication Process

The 802.1X based authentication system can select different authentication algorithms by leveraging the EAP extension capability. Take EAP-MD5 as an example:
Figure 7
The process is described as follows:
1) After the user and MSCG are physically connected, the user client sends an EAPoL-Start message to MSCG (or possibly a DHCP request message if the user is dynamically allocated an IP address, or an ARP request message if the user is manually allocated an IP address), and starts 802.1X access;
2) MSCG sends the client an EAP-Request/Identity message requesting the client to send its username;
3) The client responds to MSCG's request with an EAP-Response/Identity, including the username;
4) MSCG sends an Access-Request in the EAP over RADIUS format which contains the EAP-Response/Identity sent by the client, and submits the username to the RADIUS authentication server;
5) The AAA server generates a 128-bit Challenge;
6) The AAA server responds to MSCG with an Access-Challenge which contains the EAP-Request/MD5-Challenge carrying the Challenge for the user;
7) MSCG forwards the Challenge to the authentication client in an EAP-Request/MD5-Challenge;
8) After receiving the EAP-Request/MD5-Challenge, the client runs the MD5 algorithm over the password and the Challenge, and sends the resulting Challenge-Password to MSCG in an EAP-Response/MD5-Challenge;
9) MSCG sends the Challenge-Password through an Access-Request to the AAA server, which then conducts authentication;
10) The AAA server determines whether the user is an authorized user based on the user information and then responds with authentication success/failure to MSCG. In the event of authentication success, the response carries the negotiation parameters and user-specific service properties as necessary to grant user authorization;
11) MSCG responds to the user with EAP-Success/EAP-Failure based on the authentication result, and notifies the user of the result. In the event of authentication failure, the process comes to an end. In the case of success, the subsequent authorization and accounting processes follow.
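The challenge/response computation that the PPPoE CHAP flow (steps 6 to 9 in section 2.1) and the 802.1X EAP-MD5 flow (steps 5 to 10 above) both rely on, as an added Python example that is not part of the original paper or of Huawei's MSCG code. It models the three parties (client, MSCG as authenticator, AAA server); the user name, password and class names are constructed for the demonstration, and the MD5(Identifier || secret || Challenge) construction is the one RFC 1994 CHAP and EAP-MD5 define, so a single helper serves both flows.

```python
import hashlib
import hmac
import os

# Constructed sample user profile held by the AAA server (hypothetical credentials).
USER_DB = {"user1@isp.example": b"s3cret-pw"}


def md5_challenge_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge-Password = MD5(Identifier || secret || Challenge).
    This is the RFC 1994 CHAP construction; EAP-MD5 uses the same one, so the
    PPPoE flow and the 802.1X flow share this helper."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Client:
    """PPPoE / 802.1X client: knows only its own username and password."""
    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return md5_challenge_response(ident, self.password, challenge)


class AAAServer:
    """AAA (RADIUS) server: holds the user profiles and verifies responses."""
    def __init__(self, user_db: dict):
        self.user_db = user_db

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # 128-bit challenge, as in step 5 of the 802.1X flow

    def verify(self, username: str, ident: int, challenge: bytes, response: bytes) -> bool:
        secret = self.user_db.get(username)
        if secret is None:
            return False  # unknown user: Not Acknowledge
        expected = md5_challenge_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class MSCG:
    """Authenticator: relays between client and AAA server and never sees the password."""
    def __init__(self, aaa: AAAServer):
        self.aaa = aaa
        self.wire: list = []  # every payload this device sent or received, for inspection

    def pppoe_chap(self, client: Client, ident: int = 1) -> bool:
        # Steps 6-9 of the PPPoE flow: MSCG itself generates the challenge, the client
        # answers, and MSCG forwards challenge, response and username to the AAA server.
        challenge = os.urandom(16)
        self.wire.append(("Challenge", challenge))
        response = client.respond(ident, challenge)
        self.wire.append(("Response", response))
        return self.aaa.verify(client.username, ident, challenge, response)

    def dot1x_eap_md5(self, client: Client, ident: int = 1) -> bool:
        # Steps 5-10 of the 802.1X flow: the AAA server generates the challenge and MSCG
        # only relays EAP-Request/MD5-Challenge and EAP-Response/MD5-Challenge.
        challenge = self.aaa.new_challenge()
        self.wire.append(("EAP-Request/MD5-Challenge", challenge))
        response = client.respond(ident, challenge)
        self.wire.append(("EAP-Response/MD5-Challenge", response))
        return self.aaa.verify(client.username, ident, challenge, response)


def password_on_wire(mscg: MSCG, password: bytes) -> bool:
    """True if the clear-text password ever appeared in what MSCG relayed (unlike PAP, it should not)."""
    return any(password in payload for _, payload in mscg.wire)
```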
2.5

Comparison of the authentication methods (columns: PPPoE Authentication, WEB Authentication, Binding Authentication, 802.1X Authentication; only the cells recoverable from the table are listed):

IP address allocation process: PPPoE: IPCP; 802.1X: EAP authentication before DHCP address allocation, or DHCP address allocation before EAP authentication.
Client support: vendor's proprietary client (WinXP limited support); standard browser (WEB authentication).
Multicast support: PPPoE: multicast packets may not be encapsulated through PPPoE; WEB, Binding, 802.1X: supported.
Encapsulation overhead: PPPoE: PPP encapsulation with large-packet fragmentation; WEB, Binding, 802.1X: Ethernet encapsulation.
Protocol standard: WEB authentication uses a proprietary protocol; the other methods use standard protocols.
Additional devices: RADIUS server; RADIUS server; ARP detection.
Maturity: PPPoE, WEB, Binding: mature; 802.1X: new technology.
Other rows of the table (access control granularity, IP address allocation method, VPDN support, free resources access in the past, authentication interface advertisement service, service selection, service customization) have cells that were not recoverable.

Binding authentication can be conducted after the aforesaid authentication methods are passed.
Figure 8
1) A user initiates an online request to MSCG;
2) MSCG conducts local authorization or initiates an authorization request through RADIUS to the AAA server (the user authorization process is bundled with the authentication process);
3) The AAA server returns the user authorization result to MSCG;
4) MSCG responds to the user's online request, allowing the user to go online and authorizing the user to use network services.
3.2
1) While a user is online, the AAA server sends a user authorization modification request to MSCG through CoA (Change of Authorization);
2) MSCG dynamically modifies the online user's authorization information;
3) MSCG returns the CoA result to the AAA server;
4) The user uses network services according to the modified authorization; the user is not taken offline and does not notice anything throughout the dynamic CoA process.
Figure 10
1) After a user passes authentication and authorization when going online, MSCG sends an accounting start request through RADIUS to the AAA server;
2) The AAA server responds to MSCG's accounting request, indicating that user accounting may begin;
3) When the user goes offline, MSCG notifies the AAA server to stop accounting;
4) The AAA server stops user accounting and responds to MSCG with an accounting stop response.

If MSCG fails to receive a response after sending an accounting message to the remote AAA server, MSCG can be configured either to keep the user online or to take the user offline; by default, MSCG takes the user offline after failing to start accounting.
4.2 Real-time Accounting
Figure 11
While a user is online using network services, MSCG sends accounting messages to the AAA server on a real-time basis to enhance accounting accuracy. The time interval of real-time accounting CDR transmission can be configured on MSCG. After receiving real-time accounting messages from MSCG, the AAA server returns responses accordingly. If MSCG fails to receive any response after sending a real-time accounting message to the remote AAA server, the number of times a failed real-time accounting message is resent can be configured on MSCG; if resending also fails, MSCG can keep the user online or take the user offline, as configured. By default, MSCG resends a real-time accounting message three times and keeps the user online after real-time accounting failure.
4.3
accounting server. At present, the local accounting information can meet duration and traffic accounting requirements, but does not support prepaid services.
4.4 Accounting Copy
Physical accounting is to install and configure an accounting copy server on the MSCG port the user accesses; after a user goes online, MSCG finds the accounting copy server on the corresponding port and copies the accounting messages to that server.

2) Two-Level Accounting

Two-level accounting is to install and configure a primary accounting server and an accounting copy server; in the accounting process, the accounting messages are copied to the accounting copy server.
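The accounting behaviour described in sections 4.1 to 4.4 (an accounting start failure takes the user offline by default, a failed real-time message is resent three times and the user stays online, CDRs are stored locally when the remote AAA link fails, and every CDR is also sent to an accounting copy server), as an added Python simulation that is not the paper's or MSCG's own code. The link, session and policy classes and the CDR dictionaries are constructed for the demonstration; no RADIUS packets are built.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccountingPolicy:
    """Configurable behaviour from sections 4.1-4.3, with the defaults the text states."""
    offline_on_start_failure: bool = True     # accounting start fails: take the user offline
    interim_resends: int = 3                  # resend a failed real-time message three times
    offline_on_interim_failure: bool = False  # real-time accounting fails: keep the user online
    local_protection: bool = True             # keep CDRs locally while the remote AAA link is down


class RadiusAccountingLink:
    """Stand-in for a remote AAA accounting server (constructed for the demo).
    up=False means no Accounting-Response ever comes back; fail_next drops that
    many requests before answering again, to exercise the resend logic."""
    def __init__(self, name: str):
        self.name, self.up, self.fail_next = name, True, 0
        self.received: List[dict] = []

    def send(self, cdr: dict) -> bool:
        if not self.up:
            return False
        if self.fail_next > 0:
            self.fail_next -= 1
            return False
        self.received.append(dict(cdr))
        return True


@dataclass
class Session:
    user: str
    octets: int = 0
    online: bool = False


class MSCGAccounting:
    """Accounting client on the MSCG side: start, real-time (interim) and stop."""
    def __init__(self, policy: AccountingPolicy, primary: RadiusAccountingLink,
                 copy: Optional[RadiusAccountingLink] = None):
        self.policy, self.primary, self.copy = policy, primary, copy
        self.local_cdrs: List[dict] = []  # local accounting protection store, uploaded later by TFTP

    def _deliver(self, cdr: dict, attempts: int) -> bool:
        if self.copy is not None:          # accounting copy: the CDR also goes to the second server
            self.copy.send(cdr)
        for _ in range(attempts):          # first attempt plus the configured resends
            if self.primary.send(cdr):
                return True
        if self.policy.local_protection:   # remote link failed: keep the CDR so no record is lost
            self.local_cdrs.append(cdr)
        return False

    def start(self, s: Session) -> bool:
        ok = self._deliver({"user": s.user, "type": "Start"}, attempts=1)
        s.online = ok or not self.policy.offline_on_start_failure
        return s.online

    def interim(self, s: Session) -> bool:
        ok = self._deliver({"user": s.user, "type": "Interim-Update", "octets": s.octets},
                           attempts=1 + self.policy.interim_resends)
        if not ok and self.policy.offline_on_interim_failure:
            s.online = False
        return s.online

    def stop(self, s: Session) -> bool:
        ok = self._deliver({"user": s.user, "type": "Stop", "octets": s.octets},
                           attempts=1 + self.policy.interim_resends)
        s.online = False
        return ok
```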
Figure 12
After MSCG receives a user's online request when the user goes online through PPPoE dialup, MSCG forwards the request to the AAA server for authentication and authorization. In a small network without any AAA server, MSCG can directly conduct local authentication and authorization. After passing authentication and authorization, the user can access the external network and the authorized network services. User accounting messages can be sent through RADIUS to the AAA server on a real-time basis, and the AAA server and the carrier's accounting system exchange the original CDRs. In the case of any irregularity in the link with the AAA server, MSCG enables the local accounting protection feature and temporarily saves the generated CDRs in local storage. The accounting system can upload the original CDR information stored locally by MSCG to the accounting server through TFTP.

Huawei Technologies Co., Ltd. All Rights Reserved http://datacomm.huawei.com
Figure 13
An IPoE user usually gets an IP address through DHCP; when the user opens the IE browser, MSCG redirects the user to the WEB server; the user then enters username and password on the Portal page; the WEB server sends the username and password to MSCG through the Portal protocol for authentication; MSCG sends the username and password through RADIUS to the AAA server for authentication and authorization (in a small network, MSCG can also directly conduct local authentication and authorization); after passing authentication and authorization, the user can use network services; accounting messages are sent through RADIUS to the AAA server on a real-time basis; in the case of remote AAA link failure, the MSCG local accounting protection feature is enabled to ensure that no CDRs are lost. In multi-play applications, an IPTV STB (Set-Top-Box) cannot open the IE browser through manual interaction after getting an IP address through DHCP and enter username and password on the WEB Portal page; MSCG therefore performs binding authentication for such IPoE users, and automatically generates username and password from the user's access location information (slot number, card number, port number, VLAN/PVC, and DHCP Option82) for remote AAA authentication (or local authentication).
Figure 14
In typical multi-play service applications, the home gateway integrated access device (IAD) is connected downstream to the IPTV STB, VoIP terminals and HSI service PC terminals to deliver IPTV, VoIP and HSI services respectively. STB and VoIP terminals get their IP addresses through DHCP, and MSCG generally applies binding authentication to them; PC terminals use PPP dialup and PPP authentication, or can obtain IP addresses through DHCP and use WEB authentication. After passing authentication, the user terminals get their corresponding service entitlements; in typical multi-play applications, the accounting method is a monthly fee per home or IAD.
Appendix Abbreviations

Abbreviation: Full spelling
MSCG: Multi-Service Control Gateway
RADIUS: Remote Authentication Dial-In User Service
PAP: Password Authentication Protocol
CHAP: Challenge Handshake Authentication Protocol
EAP: Extensible Authentication Protocol
CAMS: Comprehensive Access Management Server
CoA: Change of Authorization
STB: Set-Top-Box
HSI: High Speed Internet service
IAD: Integrated Access Device