Foreword
  Welcome
  Related products
  System configuration requirements
  Permission
  Documents
  Technical support
  Conventions
    The texts and marks of software level
    User interaction
    Variable text
2 System installation
  2.1 Installation overview
    2.1.1 Directory structure of the installation CD
    2.1.2 Directory structure after installation
    2.1.3 Installation steps description
  2.2 Program installation and configuration
    2.2.1 Installation script description
  2.3 Database initialization
    2.3.1 Mysql initialization
    2.3.2 Oracle initialization
    2.3.3 Oracle initialization (for PPS)
  2.4 Obtaining AAA authorization
  2.5 Starting the server
    2.5.1 Starting and stopping the AAA main program
    2.5.2 Starting and stopping AAAEAS
    3.3.1 PAP
    3.3.2 CHAP
  3.4 Accounting
    3.4.1 Charge file divided by Tab
    3.4.2 Accounting roaming
  3.5 Attributes
    3.5.1 Attribute dictionary
    3.5.2 User attribute lists
    3.5.3 Attribute value
  3.6 RADIUS proxy
    3.6.1 RADIUS authentication proxy
    3.6.2 RADIUS accounting proxy
    3.6.3 RADIUS realm group
  3.7 Tunnels
    3.7.1 Tunnel authentication process
  3.8 SNMP
    3.8.1 SNMP management information database (MIB)
    3.8.2 Management of the workstation and agent
    3.8.3 SNMP subagent
    3.8.4 The SNMP trap message and alarm message
  3.9 Allocating IP address
4 System management
  4.1 Command line management tool
    4.1.1 Using the command line management tool
    4.1.2 System parameters configuration (sysconf)
    4.1.3 Call bill information configuration (acctconf)
    4.1.4 CallerID management
    4.1.5 Database connection configuration (sqlconf)
    4.1.6 AAA user group management
    4.1.7 Management of the corresponding relation between the AAA system number segment and roaming realm server
    4.1.8 Management of the corresponding relation between IMSI and MDN (imsimmdn)
    4.1.9 LNS server configuration
    4.1.10 Clients configuration
    4.1.11 Roaming proxy configuration (proxyconf)
    4.1.12 Realm server configuration
    4.1.13 AAA user management
    4.1.14 The AAA system management of the running Stat information
    4.1.15 The prepay parameter configuration
    4.1.16 Other categories of command
  4.2.1 Graphic management terminal
    Starting graphic management terminal
Related products
Contact the data communication development department of Capitel Co. Ltd. to inquire about the related products of the Capitel AAA2.0 system. The related products include the billing statistics system and report class.
Permission
The Capitel AAA2.0 system can be installed on workstations and servers.
For more detailed permission information, see the permission agreements in the package, or contact Capitel Co. Ltd. directly.
Documents
This manual introduces how to install, configure and manage the Capitel AAA2.0 system. Most of the contents of this manual can also be found through the online help of the command line management tool.
The latest information not included in this manual is written in the readme.txt file in the package.
Technical support
If you have any difficulty when installing or using the Capitel AAA2.0 system, you can get help in the following ways:
This manual and the readme.txt file may contain the information for solving your problem; reread the related chapters, and you may find a method you neglected before.
If you have already read the manual carefully, please fill out the product registration card carefully and send it to us; at the same time, please confirm that the product has the latest update as well.
If the problem still exists, please contact the technical support staff of Capitel Co. Ltd. directly.
Conventions
For the sake of easy reading and understanding, this manual adopts the following typographical conventions:
User interaction
Text that instructs the user to interact with the command line management tool or the graphic management terminal is displayed in bold. This font is used for marking special keys on the keyboard (such as [ESC]), strings to be typed (such as input yes), and buttons in the graphic management terminal (such as please choose OK).
A menu command is written as the menu's name followed by the symbol > and the command; for example, the cut command under the Edit menu is denoted as Edit > cut.
Variable text
Sometimes this document refers to variable text, such as a user name, a time, or a value chosen by the user; such text is marked in italics.
For example, when the computer screen prompts you to input a user name and password, the interaction is described as follows:
input user name: admin
password: testing123
If a file name or other text is shown in italics, it means the value represented by that text can be changed and needs to be provided by the user.
The functions of AAAEAS include:
- Modifying and checking the configuration parameters of the AAA main program
- Managing the AAA user information
- Providing the interface to the business system
- Providing dynamic debug level configuration and runtime information tracing
- Providing SNMP support to the AAA main program
- Real-time monitoring of the status of the AAA main program
- Providing access permission management of AAAEAS
- Checking the real-time statistical information of the AAA main program
- Providing the log function for recording and checking the operating information of the AAAEAS users
The system architecture of the AAAEAS is shown in the following figure.
2 System installation
2.1 Installation overview
2.1.1 Directory structure of the installation CD
The directory structure of the installation CD is shown as follows: install.sh is the installation script, aaa is the location of the AAA server installation package, eas is the location of the management tool, and the SQL scripts for database initialization are stored in the db directory.
  aaa
  db
  ui
2.1.2 Directory structure after installation
  Component                                      Directory
  AAA Server                                     /usr/local/capitel/aaa
  AAA management tool server program             /usr/local/capitel/eas/server
  AAA management tool command line management tool   /usr/local/capitel/eas/server
  AAA graphic management terminal                /usr/local/capitel/eas/term
# ./sqlplus internal
SQL> @/cdrom/cdrom0/db/oracle/sys.sql
3. Reconnect to the database as the new user:
SQL> conn radius/radius
SQL> @/cdrom/cdrom0/db/oracle/table_structure_of_aaa_for_oracle.sql
SQL> @/cdrom/cdrom0/db/oracle/table_pps_for_oracle.sql
SQL> @/cdrom/cdrom0/db/oracle/func_pps_for_oracle.sql
SQL> quit
Annotation: the script name here should contain the absolute path of the table_structure_of_aaa_for_oracle.sql file.
Figure 4: Access client, information exchange between NAS and RADIUS server
The RADIUS server authenticates this request and authorizes service on this connection. The RADIUS server does this by matching the information in the request from the NAS against the information stored in the database. If the information matches, the RADIUS server accepts this user; otherwise the user is rejected. According to the response from the RADIUS server, the NAS decides whether to set up a connection for the user or to terminate the user's access attempt. Finally, the NAS sends an accounting request to the RADIUS server to record this transaction; the RADIUS server can record the transaction itself or forward the request to other servers for charging this service.
More details about the RADIUS packet types and contents can be found in RFC 2865. This manual also lists some common attributes and their possible values; for the attributes of accounting packets, please refer to RFC 2866.
The RADIUS server and RADIUS client must both be configured before communication can be set up, as the figure above shows. If the RADIUS client is a network access device (NAS) that belongs to the same network segment as the RADIUS server, the same network administrator may be authorized to configure both server and client. Otherwise, the two network administrators should negotiate the details of the server and client configuration.
The client configuration includes:
- Shared secret between the Capitel AAA2.0 RADIUS server and the client
- Shortname of the client
- Type of the client
3.2 Authentication
In order to understand the authentication procedure, we should have a basic understanding of the authentication messages. The table below gives the scenarios of RADIUS messages, the attributes they may contain and the function of these attributes.
  Scenario                 Function of attributes
  Authenticating user      Describe the type of connection that the user requests
SQL authentication
According to the configuration, the SQL authentication method enables the Capitel AAA2.0 system to authenticate users by 1) communicating with popular database systems, 2) retrieving the information needed for authentication from the database, and 3) constructing the authentication response packet. The Capitel AAA2.0 system then sends the response packet back to the client. At present, the Capitel AAA2.0 system supports databases such as MySQL, Oracle and Sybase.
Please refer to the database connection configuration.
3.3.1 PAP
In PAP (Password Authentication Protocol), the user and the NAS negotiate in clear text; that is to say, the user sends the password to the NAS without encryption.
The NAS gets enough information from the user to construct an Access-Request packet. When the Access-Request packet is sent to the RADIUS server, the NAS uses the shared secret to encrypt the password attribute.
When the Capitel AAA2.0 RADIUS server receives an Access-Request packet, the NAS identifier is retrieved from it, and the NAS information held in the server is looked up by that NAS identifier. Thus the corresponding shared secret is found, and the password is decrypted with the secret.
3.3.2 CHAP
CHAP (Challenge Handshake Authentication Protocol) avoids sending the password in clear text on any network segment.
In the CHAP protocol, when negotiating the password, the NAS generates a random character string as a challenge to the user; the user's PPP client uses the challenge and the password to construct a digest (this process is non-reversible) and returns the digest. The NAS then sends the digest as the password attribute in the Access-Request packet to the RADIUS server.
Because the digest computation is non-reversible, the Capitel AAA2.0 RADIUS server cannot recover the clear text password from the digest. What it can do is use the challenge (contained in the Access-Request packet) and the user password (stored in the server) to perform the same computation that was used to generate the digest. If the two digests are identical, the two passwords are the same as well.
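The two server-side checks described in 3.3.1 and 3.3.2, written out as an added Python illustration that is not code from the manual or the Capitel product: hiding and revealing the PAP User-Password attribute with the shared secret and Request Authenticator (RFC 2865 section 5.2), and verifying a CHAP digest against the stored clear-text password (RFC 2865 section 5.3). The shared secret, password, challenge and authenticator values are constructed samples.

```python
import hashlib
import hmac
import os

# Constructed sample values (not taken from the manual).
SHARED_SECRET = b"constructed-shared-secret"   # secret looked up by the NAS identifier
STORED_PASSWORD = b"testing123"                 # clear-text password held by the server


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): pad the password with NULs to a multiple of 16
    octets, then XOR each 16-octet block with MD5(secret + previous block);
    the first block is keyed with the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16            # an empty password still yields one block
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block                     # chaining: the next key depends on this block
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream applied to the received attribute.
    Only the shared secret of the NAS that sent the request reproduces the
    keystream; a wrong secret yields unrelated bytes, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password attribute must be a non-zero multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")         # strip the NUL padding added by the NAS


def chap_digest(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Digest computed by the PPP client (RFC 1994): MD5(CHAP ID + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side (RFC 2865 5.3): CHAP-Password is 1 octet CHAP ID followed by
    the 16-octet response. The challenge comes from the CHAP-Challenge attribute
    (or the Request Authenticator when that attribute is absent). The server
    recomputes the digest from the stored clear-text password and compares."""
    if len(chap_password) != 17 or len(challenge) < 1:
        return False
    expected = chap_digest(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Run one PAP and one CHAP exchange; returns the outcomes for inspection."""
    authenticator = os.urandom(16)               # NAS picks a fresh Request Authenticator
    attr = pap_hide_password(STORED_PASSWORD, SHARED_SECRET, authenticator)
    pap_ok = pap_reveal_password(attr, SHARED_SECRET, authenticator) == STORED_PASSWORD
    pap_wrong = pap_reveal_password(attr, b"other-secret", authenticator) == STORED_PASSWORD

    challenge = os.urandom(16)                   # NAS challenge sent to the PPP client
    chap_attr = bytes([0x2A]) + chap_digest(0x2A, STORED_PASSWORD, challenge)
    chap_ok = chap_verify(chap_attr, challenge, STORED_PASSWORD)
    chap_bad = chap_verify(chap_attr, challenge, b"wrong-password")
    return {"pap_ok": pap_ok, "pap_wrong_secret": pap_wrong,
            "chap_ok": chap_ok, "chap_wrong_password": chap_bad}


if __name__ == "__main__":
    print(demo())
```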
3.4 Accounting
In order to understand the whole accounting procedure of the Capitel AAA2.0 system, we should have a basic knowledge of the accounting messages. The table below gives the scenarios of RADIUS accounting messages, the attributes they may contain and the function of these attributes.
  Scenario                 Function of attributes
  After the server receives an Accounting-Request message, it sends an Accounting-Response message to the client.
The NAS sends an Accounting-Request message on its own initiative at the proper time, such as when a connection has been set up successfully. When the RADIUS server receives this Accounting-Request message, an accounting transaction starts. In an accounting transaction, the RADIUS server responds differently according to the Acct-Status-Type and other attributes in this message.
Attention: the Capitel AAA2.0 system provides powerful accounting options for configuring RADIUS agents or realms.
Please refer to the realm server configuration.
3.5 Attributes
3.5.1 Attribute dictionary
The Capitel AAA2.0 system uses attribute dictionaries to organize all attributes into attribute lists. The main attribute dictionary file used by the Capitel AAA2.0 system is named dictionary; it contains the standard attribute lists that the RADIUS protocols specify.
Vendor-Specific Attributes
Besides the RADIUS standard attribute lists, many RADIUS clients (NAS) also use some extra Vendor-Specific Attributes (VSAs) at connection setup. The Capitel AAA2.0 system can support different kinds of NAS equipment by adding these NASs' Vendor-Specific Attributes to the corresponding attribute lists. Frequently these vendor-specific attribute dictionaries are stored in the same directory as the main attribute dictionary and use the vendor's name as the file extension.
and authorizing users. When authenticating a connection request, this information indicates to the RADIUS server how to handle the attributes.
Attention: all the information here is optional.
Multi-instance attributes
Attributes can be divided into single-instance and multi-instance attributes; in other words, some attributes can appear only once in the Check-List or Return-List, while others can appear more than once.
If the Replicate-To-Realm attribute appears several times in the Check-List, then when the Capitel AAA2.0 system receives an Accounting-Request packet it replicates this packet and sends a copy to every destination designated by the Replicate-To-Realm attribute.
If an attribute appears several times in the Return-List, the response packet sent by the RADIUS server to the NAS contains all instances of this attribute that appear in the Return-List. For example, a user may use IP header compression and IPX header compression at the same time, so the Framed-Compression attribute appears twice in the Return-List: once for VJ-TCP-IP-header-compression and once for IPX-header-compression.
Attribute sequence
In the Return-List, some multi-instance attributes have sequence restrictions: when an attribute appears more than once in the RADIUS response packet, the order cannot be changed arbitrarily.
For example, the Reply-Message attribute is used for sending text to the user. When multi-line information must be sent, this is implemented by including multiple instances of the Reply-Message attribute in the Return-List. The Reply-Message lines are displayed in the same order as in the Return-List.
The approach the proxy server uses to send requests to a destination that is a realm group is determined by a field in the realm configuration, which can be set to fail_over or round_robin.
If this field is set to fail_over, when the proxy server receives a request it sends the packet to the server in the realm group with the minimum index whose status is active. If the resend count reaches the configured maximum (retry_count) and the proxy server still has not received any reply, the request is rejected and the Capitel AAA2.0 system marks this server as inactive; when the next request arrives, the Capitel AAA2.0 system changes the destination to the server with the maximum index in the realm group whose status is active, for the sake of destination server redundancy. The Capitel AAA2.0 system changes the status of the inactive server back to active after the dead time (dead_time) defined in the configuration.
If this field is set to round_robin, the proxy server distributes requests to all active destination servers in the group cyclically, and in this way load balancing is implemented. The more servers in the realm group, the less load on each server.
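The fail_over and round_robin selection just described, re-implemented as an added Python illustration (not Capitel code) so that the active/inactive transitions can be traced on a small realm group. Assumptions made here: the server labels, the injectable clock and the send() callback are constructed for the example; retry_count is read as the number of resends after the first attempt; and every fail_over request goes to the lowest-index active server (for a two-server group this is the same server the manual describes).

```python
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RealmServer:
    index: int                 # position in the realm group; lower index preferred in fail_over
    label: str                 # constructed label standing in for the destination host
    active: bool = True
    inactive_since: Optional[float] = None


class RealmGroup:
    """Destination selection for a realm group, following the manual's
    description of the fail_over and round_robin modes."""

    def __init__(self, servers: List[RealmServer], mode: str, retry_count: int,
                 dead_time: float, clock: Callable[[], float] = time.monotonic):
        if mode not in ("fail_over", "round_robin"):
            raise ValueError("mode must be fail_over or round_robin")
        self.servers = sorted(servers, key=lambda s: s.index)
        self.mode = mode
        self.retry_count = retry_count      # resends allowed before giving up on a request
        self.dead_time = dead_time          # seconds an inactive server stays out of rotation
        self.clock = clock
        self._rr_pos = 0

    def _revive_expired(self) -> None:
        """Servers marked inactive become active again once dead_time has elapsed."""
        now = self.clock()
        for s in self.servers:
            if (not s.active and s.inactive_since is not None
                    and now - s.inactive_since >= self.dead_time):
                s.active, s.inactive_since = True, None

    def active_servers(self) -> List[RealmServer]:
        self._revive_expired()
        return [s for s in self.servers if s.active]

    def select(self) -> Optional[RealmServer]:
        """fail_over: the active server with the minimum index.
        round_robin: the active servers in turn, spreading the load."""
        candidates = self.active_servers()
        if not candidates:
            return None
        if self.mode == "fail_over":
            return candidates[0]
        chosen = candidates[self._rr_pos % len(candidates)]
        self._rr_pos += 1
        return chosen

    def forward(self, send: Callable[[RealmServer], bool]):
        """Proxy one request. send(server) returns True when a reply arrived.
        The first attempt plus retry_count resends go to the selected server;
        if none is answered, the server is marked inactive and the request is
        rejected, as the manual describes (no fallback within the same request)."""
        server = self.select()
        if server is None:
            return None, "rejected: no active server in realm group"
        for _attempt in range(1 + self.retry_count):
            if send(server):
                return server, "replied"
        server.active = False
        server.inactive_since = self.clock()
        return server, "rejected: destination marked inactive"
```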
3.7 Tunnels
This section describes the background of tunnels and how to configure the Capitel AAA2.0 system to support tunnels.
Attention: the Capitel AAA2.0 system does not add tunnels to your network; it is used only to satisfy the authentication or accounting needs of tunnels of any type that you have already set up.
A tunnel is a dedicated secure remote connection method. Through the tunnel, you can transmit data between an enterprise site and a remote site. When transmitting data, for security, the tunnel wraps the data in an encryption layer. The authentication and encryption properties provided by the tunnel enhance the security of the connection and so effectively prevent network wiretapping and malicious tampering. In addition, the tunnel can provide quality-of-service characteristics, such as connection bandwidth.
All the management and configuration work for the tunnel must be done at the remote site, which is the end that requests remote access and opens the tunnel. The administrator of the remote site needs to configure some attributes of the tunnel: the IP address of the tunnel's destination, the security protocol supported by the tunnel and the tunnel password. This information is stored in a database and retrieved when needed. It is very useful to store this tunnel information in the RADIUS server for centralized management.
If a RADIUS server can store the tunnel information and retrieve it when the NAS requires it, we say that this RADIUS server has the tunnel function. A RADIUS server with the tunnel function can:
- Determine from the received request whether this connection contains a tunnel and, if it does, find out the tunnel type
- Save and retrieve the attribute values of the tunnel's configuration
- Trace the number of tunnels already set up and occupied, compare it with the maximum number of tunnels allowed to be created and, if the value is bigger than the maximum, refuse
3.8 SNMP
Simple Network Management Protocol (SNMP for short) is the IETF standard for communication between a centralized management workstation and multiple devices and services on the network.
SNMP implements communication between devices of different types, producers and models. Each device on the network must receive the SNMP requests sent by the management workstation and reply with the corresponding status information to the management workstation in SNMP format. A device that satisfies this requirement is said to support SNMP. All SNMP-supporting devices and services can be configured to report their status information to the same management workstation, so that an SNMP-compatible graphical user interface can view and analyze these data on the management workstation.
Any management software compatible with SNMPv1 can cooperate with the Capitel AAA2.0 system; the Capitel AAA2.0 system supports all the RADIUS standard authentication and accounting MIBs.
3.8.2 Management of the workstation and agent
The main components of the network management model used for TCP/IP network management are:
- the management workstation
- the management agent
Crucial platforms (such as mainframes, bridges, routers and hubs) are all capable of running an SNMP agent so that they can be managed from the management workstation. The SNMP agent responds to query requests or operation requests sent by the management workstation, and the SNMP agent can send important TRAP messages to the management workstation asynchronously. The management software can be configured to acquire information from any SNMP agent on the network. The usual network management model is: run the management software on a management workstation, and run the SNMP agent (including the RADIUS server) on the other remote devices to be monitored. The management software can poll a group of status values from the agents in turn at specific times or at specific intervals. Network administrators can filter and process this status information through a user interface program with SNMP support.
The Capitel AAA2.0 system supports SNMP by providing a subagent, and the subagent is designed to cooperate with the UCD-SNMP main agent.
Static allocation: each time the user applies to set up a connection, it gets a static IP address, and the address is always the same. For example, if the Framed-IP-Address attribute assigned to the user test is 172.16.31.201, then each time the user test connects to the network, the IP address allocated is always 172.16.31.201.
Allocating from the IP address pool of the client (NAS): each time the user begins to connect, the client chooses an unused IP address from the IP address pool it manages itself and allocates it to the user. For example, if the user test connects to the network through a port of the client NAS1, the address allocated to the user comes from IP address pool A. In the next call, the user test may connect to the network through a port of the client NAS2, and in this case the IP address is allocated from IP address pool B.
Please refer to the AAA user management for information about setting the value of the Framed-IP-Address attribute for the user.
4 System management
4.1 Command line management tool
4.1.1 Using the command line management tool
Starting and exiting the command line management tool
The aaatool file under the AAAEAS installation directory is the start script of the command line tool. After confirming that AAAEAS is installed correctly and that the AAAEAS watching process has started correctly, run the aaatool start script to start the command line tool.
The command line tool authenticates the user name and password for logging in to the periphery management system. After the user enters the right user name and password, the "CAPITEL AAA />" prompt is shown on the screen. At this point the command line tool is started and can be used to do work by executing the commands provided by AAAEAS.
[root@radius aaaeas]$ ./cmdtool
User ID: admin
Password: change_on_install
Connected to AAAEAS: Release 1.0 Production on 2003
Log successfully
CAPITEL AAA />
Caution: after installing the AAAEAS, the system automatically adds an AAAEAS user with administrator level; its user name is "admin" and its password is "change_on_install". After logging in for the first time, please modify the user password and add other users.
If you want to exit from the command line management tool, input the quit command after the command line management tool prompt "CAPITEL AAA />", or just input q. The process is as follows:
CAPITEL AAA /> q
Disconnected from AAAEAS: Release 1.0 Production on 2003
[root@radius aaaeas]$
Caution: this command only ends the current command line management tool; the AAA main program and the AAAEAS watching process are still running on the RADIUS server.
Command overview
The commands of the command line management tool can be divided into two classes based on the managed objects: (1) AAAEAS management commands; (2) management commands of the AAA main program.
The AAAEAS management commands include:
- Using the command help
- User management of AAAEAS
- Log management of AAAEAS
- Outputting the operation information of AAAEAS (spool)
The use of these commands does not influence the authentication and accounting functions of the Capitel AAA2.0 system. We can say these commands are independent of the AAA main program and exist only so that the AAA main program management commands introduced in the following paragraphs can be carried out more safely and conveniently.
The help command lists all the commands supported by AAAEAS; the user management class of commands is used for the security setup of logging in to AAAEAS. A user with the administrator role has the right to execute any supported command after logging in, including modifying the setup information of the AAA main program and managing AAA users (adding and deleting), while a user with the user role cannot execute some high security level commands after logging in.
The management commands of the AAA main program include:
- Parameter management of the AAA main program
- User management of AAA
- Statistical information management of AAA
- Other management commands
The parameter management class of the AAA main program has the most commands, including system parameter setup, database connection management and roaming strategy setup. Using these commands, we can control the behaviour of the AAA program and the authentication and accounting principles. Thus, when executing these commands to modify the parameters of the AAA main program, you must completely understand your actions.
Since the AAA user information is stored in the background database, the AAA user management commands mostly implement the maintenance of this information; the statistical AAA information management class of commands can display the real-time information of the various function indexes of the AAA main program.
Caution:
1. Each command should be ended by a ";".
2. After using the parameter management commands of the AAA main program to modify parameters, if you want the parameters to take effect at once, you should issue the reloadcfg command to inform the main program to reread the configuration file.
Example
Inquiring about the general information of all the AAA periphery system users:
esusershow;
Inquiring about detailed information of the user test:
esusershow test;
(eslogshow)
-e enddatetime
The time format is YYYY-MM-DD HH:MM:SS; note that the time parameters should be enclosed in quotation marks. With no parameter, today's log is checked.
-p proxy_requests
4.1.3
-n records_num
This command carries the following keywords for implementing different tasks:
  callerid                the callerid to be added (IMSI number)
  -t base                 add a new callerid and set its basic information
  -u username             the user name the callerid is affiliated to; effective in base operation mode
  -m mdn_code             the MDN number corresponding to the callerid; effective in base operation mode
  -t checks check_attr
  -t replies reply_attr
  -t checks check_attr
  -t replies reply_attr
  groupname               the group to add users to; the users must already exist
  username                the names of the users to add to the group; multiple names are separated by spaces
  -t checks check_attr    add the given check attributes to the group; the usable check attributes are listed by the attrshow command. A check attribute pair has the format attribute name + operator + attribute value; multiple attributes are separated by spaces
  -t replies reply_attr   add the given reply attributes to the group; the usable reply attributes are listed by the attrshow command. A reply attribute pair has the format attribute name + operator + attribute value; multiple attributes are separated by spaces
  username                delete the user names from the group; multiple names are separated by spaces
  -t checks check_attr    delete the configuration attributes of the group
  -t replies reply_attr
  groupname -q -t type
  groupname               the user group name
  -q                      query switch: list all the group names containing the letters given by groupname
  -t type                 the information type mark to display; the usable values are users|checks|replies, and no type means display all the information of this user group
Grammar
imsi2realmdel [-n module_instance_name] [-z zone_name] [-a] [value1 value2 ...]
Description
Locates the number segment mapping information through the two parameters
module_instance_name and zone_name. The AAA system has only one
Displaying number segment corresponding information (imsi2realmshow)
Initial authority is the common user
Grammar
imsi2realmshow [-n module_instance_name] [-z zone_name]
Description
imsi2realmshow without any parameters displays all the module instance names of the
AAA system; if the AAA system has only one module instance, this is equivalent to
imsi2realmshow with the -n parameter. The -n parameter displays the detailed
information of the specified module instance; the -z parameter displays all the
number segment mapping information of the specified zone.
-n module_instance_name
module instance name; if the system has only one module instance, it can be omitted.
-z zone_name
zone name
prefix
number prefix
chg
show
Description
Adds an LNS server to the AAA system; the following parameters need to be provided
lnsname
LNS server name, with no ;
-d desc
description information of this LNS
-t tunnel_type
tunnel type of this LNS; the optional values are {PPTP | L2F
| L2TP | ATMP | VTP | AH | IP | MIN-IP | ESP | GRE | DVS}
-m tunnel_medium_type
tunnel carrier type of this LNS; the optional values are {IP|X25|ATM|Frame-Relay}
-I ipaddr
the IP address of this LNS server
-p password
the tunnel password of this LNS server
-s status
usable status of this LNS server; the optional values are {active|inactive}
-a server_auth_id
the authentication ID of this server
The lnsshow command with no parameters displays all the LNS names; when lnsname is
given, the system displays the detailed information of the specified LNS
Lnsname
-a server_auth_id
-sn short_name
-t client_type
realmname
new|copy
if au and ac are not both local, then the parameters -au, -ac, -se and -l must be
given; copy means to find the realm of the same name in the existing realm
configuration and copy the information of the first homonymic realm, except that
the index number is changed to the maximum; all other options come from the first
homonymic realm
creationnumber
the number of realms to be created; the default value is 1
-au authhost_ipaddr
home authentication server address, a valid Internet address; the value local
means authentication requests do not need roaming
-ac accthost_ipaddr
home accounting server address, a valid Internet address; the value local means
accounting requests do not need roaming
-se secret
the shared secret key between the AAA system and the realm
-l ldflag
load balancing flag; the value is {round_robin|fail_over}, the default value is
fail_over
fail_over
the realm whose index number is 0 is used first; if the first one cannot be used,
turn to the next one
round_robin
use the homonymic realms in turn, cyclically
-is if_strip
whether to strip the realm name or not; the values are {yes|no}, the default value
is no
Caution: if both the home authentication server address and the home accounting server
address of the specified realm are LOCAL, then the other parameters of this realm are not used.
realm name
specifies the index number sequence of the realm, used for locating homonymic
realms and expressing the roaming priority of the realm; 0 denotes the highest
priority and is the default value. If there is no main equipment roaming, this
item need not be specified.
-au authhost_ipaddr
-ac accthost_ipaddr
-se secret
-l ldflag
fail_over
round_robin
-is if_strip
-t replies
reply_attr
-t clrids
callerid
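The realm selection rules described above (index as roaming priority with 0 highest, ldflag fail_over versus round_robin among homonymic realms, if_strip, and the LOCAL caution), as an added example that is not the manual's or the product's own code; the Realm fields, the user@realm NAI split and the healthy() callback are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed model of the realm parameters documented above (not the product's
# own code): index = roaming priority (0 highest), -au/-ac = home auth/acct
# server address or the literal "local", -se = shared secret, -l = ldflag
# (fail_over | round_robin), -is = if_strip (yes | no).
@dataclass
class Realm:
    name: str
    index: int = 0
    authhost: str = "local"
    accthost: str = "local"
    secret: str = ""
    ldflag: str = "fail_over"
    if_strip: str = "no"

    def is_local(self) -> bool:
        # Caution from the manual: with both addresses LOCAL the remaining
        # parameters of the realm are not used.
        return self.authhost.lower() == "local" and self.accthost.lower() == "local"


class RealmTable:
    """Homonymic realms grouped by name and ordered by index."""

    def __init__(self, realms: Iterable[Realm]) -> None:
        self.by_name: Dict[str, List[Realm]] = {}
        for r in realms:
            self.by_name.setdefault(r.name, []).append(r)
        for group in self.by_name.values():
            group.sort(key=lambda r: r.index)  # index 0 is tried first
        self._rr_pos: Dict[str, int] = {}  # round_robin cursor per realm name

    @staticmethod
    def split_nai(nai: str) -> Tuple[str, Optional[str]]:
        """'user@realm' -> ('user', 'realm'); no '@' means no realm (assumption)."""
        if "@" not in nai:
            return nai, None
        user, realm = nai.rsplit("@", 1)
        return user, realm

    def pick(self, realm_name: str, healthy: Callable[[Realm], bool]) -> Optional[Realm]:
        """fail_over: lowest-index usable realm; round_robin: cycle through the
        homonymic realms, skipping the ones healthy() rejects."""
        group = self.by_name.get(realm_name)
        if not group:
            return None
        if group[0].ldflag == "round_robin":  # flag taken from the first homonymic realm
            start, n = self._rr_pos.get(realm_name, 0), len(group)
            for k in range(n):
                cand = group[(start + k) % n]
                if healthy(cand):
                    self._rr_pos[realm_name] = (start + k + 1) % n
                    return cand
            return None
        for cand in group:
            if healthy(cand):
                return cand
        return None

    def route_auth(self, nai: str, healthy: Callable[[Realm], bool] = lambda r: True):
        """Return (target, forwarded_user) for an authentication request, or None
        when the realm is unknown or no homonymic realm is usable."""
        user, realm_name = self.split_nai(nai)
        if realm_name is None:
            return None
        chosen = self.pick(realm_name, healthy)
        if chosen is None:
            return None
        if chosen.is_local():
            return "local", nai  # handled here; if_strip and secret are ignored
        target = "local" if chosen.authhost.lower() == "local" else chosen.authhost
        forwarded = user if chosen.if_strip == "yes" else nai  # strip the realm suffix
        return target, forwarded
```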
Grammar
usershow
usershow username [-q | -t type]
Description
It is used for showing the information of existing AAA users. Using usershow with no
parameters shows all the names of the AAA users.
username can be used to show the related information of the specified AAA user.
The kind of information shown can be specified by the keyword type.
username
the user name to query; if no user name is given, all user names are shown;
alternatively, enter the leading letters of a user name combined with -q to query
the matching user names.
-q
the switch for the query command: lists the user names beginning with the given
letters.
-t type
the label giving the information type; the values are clrids|checks|replies; if the
label is not given, all information of the user is shown.
clrids
the IMSI information corresponding to the user
checks
the configuration attribute pairs of the user
replies
the reply attribute pairs of the user
Grammar
userchg username -t base [-op old_password] {-nn new_username
| -np new_password | -g groupname }
userchg username -t checks [-f] {check_attr1 | check_attr2 | ...}
userchg username -t replies [-f] {reply_attr1 | reply_attr2 | ...}
Description
Used to modify the name of the user and/or the basic attributes
username
the name of the user before modification
-t base
modifies the basic information of the user
-op old_password
the old password of the AAA user; when a common AAA user of the periphery system
logs in, use this command to amend the
-np new_password
-nn new_username
-g groupname
-t checks
check_attr
-t replies
reply_attr
-f
Grammar
itvstatshow type [-b begin_date_time] [-e end_date_time]
Description
Shows the accumulated statistics information for the hours of a day, according to the
parameters set.
The parameters which can be set are:
type
the type of information to check; the value is s|p
s
the service statistics
p
the roaming statistics
-b begin_date_time
the start time of the time segment; checks the statistics information from this
time until the end of the day; the time needs to be enclosed by
-e end_date_time
The format of the time is YYYY-MM-DD HH:MM:SS; note that the time parameter
must be enclosed in double quotes. Giving no time parameters means to check
today's log.
-pps bind_address
the bound prepay server used when the user uses the prepay service.
Caution: if the value is 1, it means that the prepay service is handled on the local computer.
If it is another bound server, it must be a configured realm.
-t switch_of_imsi_to_mdn
Description
The command is used to append a cost rate to PPS. Use -v to set the traffic cost rate, whose
unit is fen/KB, and -d to set the time-length cost rate, whose unit is fen/min. Whether to
choose -v or -d depends on the accounting type PPS has set for this service.
The explanations of the parameters
-n servicename
the existing service name on PPS
-t switchtime
the switch point for the cost rate
the format is HH:MM:SS
Description
The command is used to query the cost rate of PPS; the cost rate can be looked up by the
service name or by the switch point of the cost rate.
The meanings of the parameters
-n servicename
service name
-t switchtime
switch point for the cost rate
Description
This command has no parameters. It is used to examine whether the AAA system is shut
down.
user name
denotes that only the debug information of this user is checked
IMSI number
denotes that only the debug information of this IMSI is checked
Caution: Stop the output of debug information by pressing the key combination Ctrl+H.
The names of all attributes are listed when you use this command without parameters. A list
of the available values of the attribute is displayed if an attribute name has been given.
attribute_name
the attribute name whose value range is to be inquired
Caution: The functions provided by the menu do not act on the AAA server.
Tool bar: provides some shortcut keys of the management terminal, so that the user need not
find the corresponding command in the menu every time.
Icons    Corresponding command in menu    Description of function
         System | exit
         help | about
Navigation bar: the command buttons for configuring the parameters of the AAA server. The
user can choose the corresponding command according to the configuration the AAA needs.
If you want to examine the information of the AAA, you can click the information
statistics button. Here we do not give unnecessary details of the functions of the navigation
bar; you can examine the section on configuring the AAA server in this reference.
• Function window: the operation of configuring the AAA server is done in this window.
This window is the main work area for configuring the AAA.
The management terminal and the AAAEAS server communicate through the RMI protocol. Before
using the management terminal you must make sure that the configuration of this protocol is correct.
When the management terminal is working, it may not find the corresponding AAAEAS server
because an incorrect IP address was configured for the server or for other reasons. The
management terminal will pop up a dialog box as follows to prompt the user to configure the
RMI server correctly.
A dialog box will pop up as follows when the user clicks the yes button
• Protocol: the protocol used in the communication between the management terminal and the ES
server. RMI is the only one the user can choose in the combo box because only RMI is
supported. The user need not consider this item unless a new communication protocol becomes
available.
• IP address: the IP address of the AAAEAS server.
• Port: the port used by the RMI protocol. Several AAAEAS servers may run on the
same computer and every server has an individual port, so you must configure the port
correctly to ensure that the management terminal reaches the correct service.
• Proxy: this item takes charge of sending the requests of the management terminal to the
AAAEAS server. This parameter is a system parameter; it is strongly recommended not to
change it unless the system changes greatly.
After finishing the configuration, click the confirm button to make the change effective. Before
the change takes effect the system will prompt the user to restart the management terminal.
Clicking the cancel button leaves the parameters unchanged. Clicking the close button exits this
window (before the management terminal is configured correctly, the management terminal
program will exit when the close button is clicked).
After you have logged in to the management terminal you can open this window at any time. This
window can not only examine the configuration between the management terminal and the AAAEAS
server but also change the configuration. The user can click menu system | configure RMI Server
to open this dialog box.
After finishing configuring the communication protocol, a dialog box will pop up to prompt the
user to log in when the terminal begins to work.
Clicking the add button in the user management window pops up the add user dialog.
You can see that the color of the box for assigning a role is gray when someone is logged in as a
common user. It means that a common user has no privilege to assign a role to itself, and the
extra information indicates clearly that you are a common user; you cannot change your role.
A user whose role is administrator can change his role from administrator to common user,
but this change will only take effect when this user logs in next time.
Change the user password of AAAEAS
The administrator can change the password of any user on the user list, but a common
user can change his own password only. Only when a common user chooses his own name in the list
of user names is the change password button available; otherwise the color of the button is gray,
which means the button is unavailable. When you click the change password button a dialog will be
displayed as follows:
Configuration management
the modification and make the change take effect, or click the cancel button to restore the parameters.
Client management
Client management mainly provides the functions of adding, deleting, modifying and showing RADIUS
clients. When you click the Client management button on the navigation bar the main interface of
Client management is displayed in the function window of the management terminal.
If you want to modify existing Realm information, you can edit the Client information
you have chosen on the main interface. The confirm button and cancel button are gray before you
edit, which means that you have not done anything. After your edit the confirm button and cancel
button become available. If you want to cancel this edit during the editing process you can click
the cancel button, and the fields return to the state before the edit. Clicking the confirm button
after your edit means that you have confirmed your edit action. After this the confirm button and
cancel button become gray again, which means your action has been submitted.
Realm management
Realm management mainly provides the functions of adding, deleting, modifying and checking Realms.
When you click the Realm management button on the navigation bar the main interface of Realm
management is displayed in the function window of the management terminal.
If you want to add a new Realm, click the add button. A dialog box for adding a new Realm will
pop up as follows:
In this dialog box you can adjust the corresponding parameters. After modifying the
parameters you can click the confirm button to submit the action or click the cancel
button to abandon the action.
Annotation: The Realm name cannot be modified.
Delete the existing Realm information
Choose the Realm name from the drop-down box and click the delete button. The
Realm information will be deleted.
Annotation: The delete action cannot be undone.
VPN management
VPN management mainly provides the functions of adding, deleting, modifying and checking VPNs.
When you click the VPN management button on the navigation bar the main interface of VPN
management is displayed in the function window of the management terminal.
VPN name is a combo box; you can choose another VPN name by clicking the
downward arrowhead to display the other VPN's information.
Add a new VPN
If you want to add a new VPN, click the add button. A dialog box for adding a new
VPN will pop up as in fig 25.
You can input the corresponding information according to the prompts in the
dialog. Attention: the VPN name cannot be duplicated. If the VPN name you entered already
exists, the system will give you a message telling you to choose another VPN name.
After you finish filling in this information you can click the confirm button to submit
your action or click the cancel button to cancel this action.
If you want to modify existing VPN information, click the modify button on the main interface.
A dialog box will appear as follows:
In this dialog box you can adjust the corresponding parameters. After modifying the
parameters you can click the confirm button to submit the action or click the cancel
button to cancel the action.
Annotation: The VPN name cannot be modified.
Delete existing VPN information
Choose the VPN name from the drop-down box and click the delete button. The
VPN information will be deleted.
Annotation: The delete action cannot be undone.
The right window has three tabs. The Member tab displays the members of this group.
The Configure attribute tab displays the chosen group's configuration attributes. The Reply
attribute tab displays the chosen group's reply attributes. In addition, some function buttons are
placed at the bottom of the window; each button corresponds to a different operation. The usage of
these buttons is described as follows.
• Create new group
Creates a new user group. After clicking the add new group button a dialog box for creating a new
group will pop up:
In addition, you should notice that editing the group name is forbidden in this dialog
box; use the modify group name function if you want to modify the
group name.
Delete group
Choose the group name in the list, then click the delete group button; a dialog box will
pop up. This dialog box notifies you that if you delete this group, the attributes of this group
will be deleted, and the configuration attributes and reply attributes that the users belonging
to this group inherit from it will be deleted too.
other attributes such as the CallerIDs bound to this user, this user's configuration
attributes, reply attributes and the group it belongs to. If you want to
operate on these attributes, click the corresponding tab, then click the add button. After
choosing the attributes in the pop-up window, a new user is created by clicking the confirm
button.
Annotation: The meaning of the chosen attributes is given in the attribute
description window.
Modify user name
Choose the user that you want to modify, then click the modify user name button; a
dialog box for modifying the user name will pop up:
Fill in the new user name in the textbox and click the confirm button to submit the
modification.
Edit user
If you want to modify an existing user, click the edit user button; a
dialog box for editing the user will pop up.
These attributes may be inherited from the user or the group, and the list marks this.
• IMSI2Realm management
IMSI2Realm management mainly provides the ability to add, delete, modify and inquire the
domain name of a particular number segment. After clicking the management button on the
navigation bar the function window of the management terminal displays the main management
interface of IMSI2Realm, as follows:
Annotation: the number segment names have been configured before leaving the factory; the user
cannot modify, delete or add them, only inquire.
Detailed functions are as follows:
• Inquire the domain name that corresponds to an IMSI number segment
included in an existing domain name:
Domain name is a check box; the information included in the IMSI number and
domain name that belongs to another domain name can be displayed by clicking the
downward arrowhead.
• Add a new domain name and the domain that corresponds to a new IMSI
number segment:
If you want to add a new domain name, click the add button. Then a
dialog box for adding an IMSI number segment and its corresponding relationship to the
Realm will pop up as follows:
Fig 39 The dialog for adding the relationship between the number and the domain
In this dialog box, you can not only input a new domain name in the domain name
textbox but also add a new domain under a domain name that already exists;
then input the correct domain name in the domain textbox (you can see the
legal domain names in Realm management), after which you should input a
beginning number segment and a terminating number segment. After this, you have
finished the relationship between the IMSI number segment and the domain. If you have
input a new domain name in the domain textbox, the corresponding relationship
you have added is displayed under the new domain name. If you used an existing domain
name, the corresponding relationship is displayed under the domain you have chosen.
When you have filled in the information, click the confirm button to submit your
action or click the cancel button to cancel your action.
• Delete the correspondence between the number segment and the domain name
First choose the area, then find the corresponding item between the IMSI number
segment and the domain name, select the item and click the delete button.
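The IMSI2Realm table described in this section (a beginning number segment, a terminating number segment and the domain they map to, with add, delete and inquire), as an added example that is not the product's own code; it assumes a segment is written as two equal-length digit prefixes and that an IMSI belongs to the segment when its leading digits fall between them, and it rejects overlapping segments so that every IMSI resolves to one realm.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    begin: str  # first number of the IMSI segment (digit string)
    end: str    # last number of the IMSI segment (same length as begin)
    realm: str  # domain (realm) name the segment maps to


class Imsi2Realm:
    """Table of IMSI number segments and the realm each one maps to.
    Assumption (not stated by the manual): bounds are equal-length digit
    prefixes, and an IMSI matches when its leading digits lie between them."""

    def __init__(self) -> None:
        self.segments: List[Segment] = []

    @staticmethod
    def _span(seg_begin: str, seg_end: str, width: int):
        # Expand prefixes to a common width so segments of different length compare.
        return seg_begin.ljust(width, "0"), seg_end.ljust(width, "9")

    def add(self, begin: str, end: str, realm: str) -> None:
        if not (begin.isdigit() and end.isdigit()) or len(begin) != len(end):
            raise ValueError("segment bounds must be digit strings of equal length")
        if begin > end:
            raise ValueError("beginning number exceeds terminating number")
        for s in self.segments:
            width = max(len(s.begin), len(begin))
            a0, a1 = self._span(begin, end, width)
            b0, b1 = self._span(s.begin, s.end, width)
            if not (a1 < b0 or a0 > b1):  # any overlap makes lookups ambiguous
                raise ValueError(f"segment {begin}-{end} overlaps {s.begin}-{s.end} ({s.realm})")
        self.segments.append(Segment(begin, end, realm))

    def delete(self, begin: str, end: str) -> bool:
        """Remove the segment with these bounds; True when something was removed."""
        before = len(self.segments)
        self.segments = [s for s in self.segments if (s.begin, s.end) != (begin, end)]
        return len(self.segments) != before

    def lookup(self, imsi: str) -> Optional[str]:
        """Realm for an IMSI, or None when no segment covers it."""
        if not imsi.isdigit():
            return None
        best: Optional[Segment] = None
        for s in self.segments:
            prefix = imsi[:len(s.begin)]
            if len(prefix) == len(s.begin) and s.begin <= prefix <= s.end:
                if best is None or len(s.begin) > len(best.begin):
                    best = s  # prefer the most specific segment
        return best.realm if best else None
```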
Annotation: the edition that contains the prepay module includes this configuration interface
Service configuration
In the navigation menu choose PPS and then choose the service tab; the operation interface is as
follows:
Setup rate
Set up the rate for the configured service
Select the rates tab; the rate configuration interface is shown
Figure 45 Setting rates
Click the Rates setting button; a dialog box for adding rates is shown, as follows:
Rates show
Delete the configured rates
By default, the delete rate button is gray. If you want to delete an item of configured rates,
select it in the list and press the delete rate button
SMPP setup
Choose the SMPP Config tab; the SMPP setup panel is shown, as follows:
The log management of the AAA system periphery provides full records of the users who once
operated the AAA server. To use the log system, first run the management terminal, then choose
the menu log > management of log, as in figure 42:
In the log browser, choose the operator who operated the AAA, then fill in the start and
finish times (in the format yyyy-mm-dd hh:mm:ss); if you do not fill them in, the system
considers it today's log. Click browse and it will show you the log entries matching your
condition.
Figure 44 shows an interface; the meanings of the records are shown in the
figure
While the system is running, we can amend the level of the authentication log
dynamically. This is done by running debugshow. The command uses RADIUS directly
to inform the system to change the level of the log and to export the debug output to the terminal.
See also AAA system Debug information management
Head of files
The head of the file corresponds to the first line of the original call bill; it records the
time, the type and the edition of the original call bill. The format can be seen below:
Num     Attribute name               Max length   Remark
1.      Type of the note             CHAR (2)     head note=01
2.      serial number of files       CHAR (4)     counts from 0001; if full, restarts from 00
3.      version number of the file   CHAR (2)
4.                                   CHAR (8)     YYYYMMDD
5.                                   CHAR (8)     YYYYMMDD
6.                                   CHAR (6)     HHMMSS
7.-8.                                CHAR (8), CHAR (6)
9.-10.                                            YYYYMMDD, HHMMSS
Flush right, padded on the left with 0
File body
There is one piece of accounting information on every line of the file body. The attributes
which need to be recorded can be modified in the main configuration file of the Capitel Co. Ltd.
AAA 2.0 system. This is an advanced function; the command line tools and the graphic management
terminal do not support configuring it, and an advanced administrator needs to rework it manually.
This is a tolerant attribute of the system.
Num       Attribute name                              Max length   Remark
1.        serial number                               CHAR (10)
          IMSI                                        CHAR (15)
          MSID                                        CHAR (15)
          Account for user for internet               CHAR (64)    decimal
          P IP Address
          P NAI
          P Account Session ID
          P Correlation ID
          P Session Continue
          IP address for HA                           CHAR (15)
11. (W)   Serving PCF                                 CHAR (15)    PCF address
12. (W)   BSID                                        CHAR (12)    SID+NID+BSC ID
13. (W)   User Zone                                   CHAR (10)
14.-33.   (W)                                         CHAR (10) each, one CHAR (20)
34. (W)   Number of SDBs (Terminating)                CHAR (10)
35. (W)   Number of SDBs (Originating)                CHAR (10)
          Number of HDLC layer bytes received
          In-Bound Mobile IP Signaling Octet Count
          Outbound Mobile IP Signaling Octet Count
          IP Quality of Service (QOS)
36.-39.   P                                           CHAR (10) each
40.-44.   (W)                                         CHAR (10) each
45. (A)                                               CHAR (1)
46. (A)   unused                                      CHAR (10)    reserved
          container for accounting                    CHAR (10)    reserved, cannot be used
47. (A)
48.       P
49. (A)
P         the attribute produced by the PDSN
(W)       the attribute produced by the wireless side
(A)       the attribute produced by the AAA
newline   \n  (record terminator)
Tab placeholder
While writing the accounting information into the original call bill files, it can happen that
not all the accounting attributes for the file exist. If this happens, the Capitel Co. Ltd.
AAA 2.0 system uses a Tab (\t can be used too) as a placeholder to replace the missing attribute,
which ensures that every call bill keeps the same format as the records before it in the file.