
Capitel AAA2.0 system user manual

Contents
Foreword................................................................................ 1
Welcome............................................................................................................................1
Relational products............................................................................................................2
System configuration requirements...................................................................................2
Permission.........................................................................................................................2
Documents ........................................................................................................................2
Technical support ..............................................................................................................2
Conventions ......................................................................................................................3
The texts and marks of software level.......................................................................3
User interaction .........................................................................................................3
Variable text ..............................................................................................................3

1 AAA2.0 System brief introduction .................................. 4


1.1 AAA main program .....................................................................................................4
1.2 AAA peripheral system ...............................................................................................4

2 System installation............................................................ 5
2.1 Installation overview...................................................................................................5
2.1.1 Directory structure of the installation CD ........................................................5
2.1.2 Directory structure after installation.................................................................5
2.1.3 Installation steps description ............................................................................6
2.2 Program installation and configuration .......................................................................6
2.2.1 Installation script description ...........................................................................6
2.3 Database initialization .................................................................................................6
2.3.1 Mysql initialization ..........................................................................................7
2.3.2 Oracle initialization ..........................................................................................7
2.3.3 Oracle initialization (FOR PPS) .......................................................................7
2.4 Obtaining AAA authorization......................................................................................8
2.5 Starting the server........................................................................................................9
2.5.1 Starting and stopping the AAA main program .................................................9
2.5.2 Starting and stopping AAAEAS ........................................................................9

3 Basic concepts of AAA ................................................... 10


3.1 RADIUS basic...........................................................................................................10
3.1.1 RADIUS Packets.................................................................................................... 11
3.1.2 RADIUS configuration .................................................................................. 11
3.2 Authentication ...........................................................................................................12
3.2.1 Authentication method ...................................................................................13
3.2.2 Configuration of authentication method.........................................................14
3.3 Password protocol .....................................................................................................14


3.3.1 PAP.................................................................................................................14
3.3.2 CHAP .............................................................................................................15
3.4 Accounting ................................................................................................................15
3.4.1 Charge file divided by Tab .............................................................................16
3.4.2 Accounting roaming .......................................................................................16
3.5 Attributes...................................................................................................................17
3.5.1 Attribute dictionary ........................................................................................17
3.5.2 User attributes lists .........................................................................................17
3.5.3 Attribute value................................................................................................18
3.6 RADIUS proxy..........................................................................................................19
3.6.1 RADIUS authentication proxy .......................................................................20
3.6.2 RADIUS accounting proxy ............................................................................20
3.6.3 RADIUS realm group.....................................................................................20
3.7 Tunnels ......................................................................................................................21
3.7.1 Tunnel authentication process .........................................................................22
3.8 SNMP........................................................................................................................22
3.8.1 SNMP management information database (MIB) ............................................23
3.8.2 Management of the workstation and agent ......................................................23
3.8.3 SNMP subagent..............................................................................................23
3.8.4 The SNMP trap message and alarm message .................................................24
3.9 Allocating IP address.................................................................................................24

4 System management....................................................... 25
4.1 Command line management tool...............................................................................25
4.1.1 Using the command line management tool ....................................................25
4.1.2 System parameters configuration (sysconf) ....................................................30
4.1.3 Call bill information configuration (acctconf) ................................................31
4.1.4 CallerID management ....................................................................................31
4.1.5 Database connection configuration (sqlconf) ..................................................34
4.1.6 AAA user group management ........................................................................35
4.1.7 Management of the corresponding relation between the AAA system number segment and roaming realm server ..........................................................................38
4.1.8 Management of the corresponding relation between IMSI and MDN (imsimmdn) ........................................................................................................40
4.1.9 LNS server configuration ...............................................................................41
4.1.10 clients configuration.....................................................................................42
4.1.11 Roaming proxy configuration (proxyconf) ....................................................44
4.1.12 Realm server configuration ..........................................................................44
4.1.13 AAA user management.................................................................................47
4.1.14 The AAA system management of the running Stat information...................50
4.1.15 The prepay parameter configuration ............................................................52
4.1.16 Other categories of command.......................................................................55
4.2.1 Graphic management terminal ...............................................................................57
Starting graphic management terminal....................................................................58


Management of the AAAEAS User ........................................................................60


Configuration management .....................................................................................62
Client management..................................................................................................66
Realm management.................................................................................................67
Client management..................................................................................................70
Realm management.................................................................................................71
VPN management ...................................................................................................74
AAA group management.........................................................................................77
AAA user management ...........................................................................................81
Setup for the prepay service ....................................................................................88
AAAEAS logs management....................................................................................95

5 log, monitor and report forms ....................................... 97


5.1 Authentication log .....................................................................................................98
5.1.1 The explanation of the log levels ......................................................................98
5.2 The log for accounting ..............................................................................................99
5.2.1 The format of the log for accounting..............................................................99



Foreword
Welcome
Thank you for choosing the Capitel AAA2.0 system produced by Putian Capitel Co. Ltd.
The IETF RADIUS (Remote Authentication Dial-In User Service) protocol is already widely used in the field of remote access. The Capitel AAA 2.0 system completely implements the RADIUS protocol, and at the same time it can interoperate with most of the popular Network Access Servers (NAS) for authenticating remote and/or WLAN users. The Capitel AAA2.0 system supports various background databases, and enables you to easily manage remote users and WLAN users together, without distinguishing how the users are connected to your network.
The Capitel AAA2.0 system provides an extensible, complete RADIUS solution for large companies that own complex global networks. Its powerful functions and flexibility enable you to provide value-added services to end users conveniently; it integrates many functions such as user authentication, service management and fare recording.

The main functions of the Capitel AAA2.0 system include:

- Advanced roaming function: users stored in other RADIUS servers can be authenticated easily. You can choose a user name structure, so that you can configure your router according to the user name format, IMSI number or other attribute values. To enhance performance and reliability, you can configure a group of roaming servers to handle roaming requests according to a load-balancing principle and a retry strategy.
- Advanced external authentication: different background databases can be used for storing user information.
- Dual-machine hot backup solution ensures uninterrupted service.
- SNMP support enables centralized monitoring of the AAA system's running status through the graphic management terminal, as well as the running status of other services and devices on the network. The Capitel AAA2.0 system provides full SNMP support, including SNMP Trap information and alarm information.
- The performance analysis function enables real-time monitoring of the user authentication situation.
- Advanced DEBUG tracing function can easily trace the authentication process of a specific user according to the tracing conditions you set.


Related products
Contact the data communication development department of Capitel Co. Ltd. to inquire about the related products of the Capitel AAA2.0 system. The related products include a billing statistics system and report class.

System configuration requirements


The Capitel AAA2.0 system software includes one AAA RADIUS daemon process, one external daemon process, one command line management tool and one graphic management terminal based on Java.
The Capitel AAA2.0 system requires Solaris 2.6/7 or a higher version, running on a SPARC Ultra 5, and requires at least 128M RAM. The installation of the Capitel AAA2.0 system requires at least 100M of hard disk space.
The Capitel AAA2.0 system supports the following databases as the background store for user authentication and accounting information:

- Oracle8i Enterprise Edition Release 8.1.7.0.0 - 64bit Production or higher version
- MySql Server v4.0 Max or higher version

Permission
The Capitel AAA2.0 system can be installed on workstations and servers.
For more detailed permission information, see the permission agreements in the package, or contact Capitel Co. Ltd. directly.

Documents
This manual introduces how to install, configure and manage the Capitel AAA2.0 system. Most of the contents of this manual can also be found through the online help of the command line management tool.
The latest information not included in this manual is written in the readme.txt in the package.

Technical support
If you have any difficulty when installing or using the Capitel AAA2.0 system, you can get help in the following ways:
This manual and the readme.txt file may contain the information for solving your problem; reread the related chapters, and you may find some methods you neglected before.
If you have already read the manual carefully, please fill out the product registration card carefully and send it to us; at the same time, please confirm that the product has the latest update as well.
If the problem still exists, please contact the technical support staff of Capitel Co. Ltd. directly.

Conventions
For ease of reading and understanding, this manual adopts the following typographical conventions:

The texts and marks of software level

The texts and marks of software level adopt the common font type; this font is used for displaying the content of computer files and help information.

User interaction
The text used for instructing users to interact with the command line management tool and the graphic management terminal is displayed in bold font. This font is used for marking special keys on the keyboard (such as [ESC]), strings to be typed (such as input yes), and buttons in the graphic management terminal (such as please choose OK).
A menu command uses the menu's name, followed by the symbol > and the command name; for example the cut command under the edit menu is denoted as: Edit > cut.

Variable text
Sometimes this document refers to various variable texts, such as user name, time, and values chosen by the user; they are marked in italic font.
For example, when the computer screen prompts you to input user name and password, the interaction process can be described as follows:
input user name: admin
password: testing123
If a file name or other text is shown in italic, it means the value represented by that text can be changed and needs to be provided by the user.


1 AAA2.0 System brief introduction


1.1 AAA main program
The Capitel AAA2.0 system is a carrier-level remote user connection authentication and accounting system based on the standard RADIUS architecture. It implements user authentication and accounting with the PDSN or NAS by using RADIUS messages, and implements user roaming between AAAs via the Proxy mechanism of RADIUS.
The Capitel AAA2.0 system has a flexible system structure. It can vary the system structure and the hardware and software configuration to provide the best solution for the carrier and satisfy whole-network authentication and accounting requirements, based on the carrier's situation. The system has good expansibility, and can meet the need of an increasing number of users by adding hardware modules.
Based on the architecture and criteria of the China United Telecommunications Corporation's integrated business system, the Capitel AAA2.0 system provides the interface to the integrated business system and the billing system, and this ensures that the system is independent, secure and open.
The Capitel AAA2.0 system can provide various kinds of business modes: it can provide solutions for VPN services and WAP services, and it can assign a special IP address to the user according to the requirements of the service. It can satisfy the requirements of different services through flexible system configuration.
The system architecture is shown in the following figure:
The system architecture is shown in the following figure

Figure1 System architecture of the AAA server

1.2 AAA peripheral system


The AAA peripheral system, AAAEAS for short, is the management daemon process of the Capitel AAA2.0 system; it is written in Java and runs on the same machine as the AAA main program. The command line tool and the graphic management terminal are two clients of the AAAEAS, and the AAAEAS can fulfill the following tasks by accepting the commands sent by the clients:

- Modifying and checking the configuration parameters of the AAA main program
- Managing the AAA's user information
- Providing the interface to the business system
- Providing dynamic debug level configuration and runtime information tracing
- Providing SNMP support to the AAA main program
- Real-time monitoring of the status of the AAA main program
- Providing access permission management of the AAAEAS
- Checking the real-time statistical information of the AAA main program
- Providing the log function for recording and checking the operating information of the AAAEAS users
The system architecture of the AAAEAS is shown in the following figure

Figure 2 System architecture of the AAAEAS

2 System installation
2.1 Installation overview
2.1.1 Directory structure of the installation CD
The directory structure of the installation CD is shown as follows: install.sh is the installation script, aaa is the location of the AAA server installation package, eas is the location of the management tool. The SQL scripts for database initialization are stored in the db directory.

aaa
db
ui
install.sh  install.inc  configure

2.1.2 Directory structure after installation


After installation, the AAA system mainly contains the following parts: AAA Server, AAA command line management tool, AAA graphic management terminal. All the programs are stored under the /usr/local/capitel directory; please refer to the following table:
Table 1 Directory structure after installation
Program name                                        Directory
AAA Server                                          /usr/local/capitel/aaa
AAA management tool server program                  /usr/local/capitel/eas/server
AAA management tool command line management tool    /usr/local/capitel/eas/server
AAA graphic management terminal                     /usr/local/capitel/eas/term


2.1.3 Installation steps description


The installation of the system includes 4 steps: program installation, program configuration, database initialization and acquiring authorization. First enter the installation CD directory: cd /cdrom/cdrom0
1 After executing the install script ./install.sh, the system installation and configuration steps are finished by following the instructions of the script.
2 Execute the database scripts to initialize the database user and table structure.
3 Generate the host information file and obtain the authorization file (radiusd.cer).

2.2 Program installation and configuration


By running the install.sh script on the installation CD, the system automatically finishes the installation of the AAA system and the configuration of the main parameters. For detailed steps, please read the prompts of the installation script carefully.
# cd /cdrom/cdrom0
# ./install.sh        (or: sh install.sh)

2.2.1 Installation script description


The command syntax of the script install.sh is: install.sh [options]. The parameters supported by the installation script are as follows:
[ -i | -I ]   Sets whether the script runs in interactive mode. When installing with ./install.sh -I, the system installs and sets up parameters according to the user's input.
[ -a | -A ]   Sets the script to run in automatic mode. In this mode, the system finishes the installation according to the parameters from the configure script.
[ -l ]        Sets the prompt format: when set to OFF, the prompt is not displayed; when set to ON, the prompt is displayed.
[ -h ]        Displays the help.

2.3 Database initialization


After program installation and system configuration, the next step is database initialization. Database initialization includes three aspects: creating the database (table space) and user, creating the table structure and triggers, and creating stored procedures. Database initialization is implemented by running the database initialization scripts. Under the db directory of the installation CD, the scripts are stored according to database type; for example the Oracle database initialization scripts are stored under the db/oracle directory. Among them, sys.sql is run by the super user to execute system operations (initializing the database, table space and users), table_***.sql is used for creating the table structure and triggers, and func_***.sql is used for creating stored procedures.


2.3.1 Mysql initialization


When using the MySQL database, execute this initialization.
1. Enter the bin subdirectory of the MySQL installation directory.
2. Enter the following commands at the prompt:
# ./mysql -uroot < /cdrom/cdrom0/db/mysql/sys.sql        (creates user and database)
# ./mysql -uradius -pradius radius < /cdrom/cdrom0/db/mysql/table_structure_of_aaa_for_mysql.sql        (initializes table structure)
Annotation: The script name here should contain the absolute path of the table_structure_of_aaa_for_mysql.sql file.

2.3.2 Oracle initialization


When using the Oracle database, execute this initialization.
1. Switch to the oracle user
su - oracle
2. Enter the bin subdirectory of the Oracle installation directory
cd /export/home/ora817/bin
3. Run the SQL script using the sqlplus tool; the detailed commands are as follows
# ./sqlplus internal
SQL> @/cdrom/cdrom0/db/oracle/sys.sql
4. Reconnect to the database as the new user
SQL> conn radius/radius
SQL> @/cdrom/cdrom0/db/oracle/table_structure_of_aaa_for_oracle.sql
SQL> quit
Annotation: The script name here should contain the absolute path of the table_structure_of_aaa_for_oracle.sql file.

2.3.3 Oracle initialization (FOR PPS)


For the PPS version, you should replace the initialization in 2.3.2 with this initialization process:
1. Switch to the oracle user and enter the bin subdirectory of the Oracle installation directory
su - oracle
cd /export/home/ora817/bin
2. Run the SQL script using the sqlplus tool; the detailed commands are as follows
# ./sqlplus internal
SQL> @/cdrom/cdrom0/db/oracle/sys.sql
3. Reconnect to the database as the new user
SQL> conn radius/radius
SQL> @/cdrom/cdrom0/db/oracle/table_structure_of_aaa_for_oracle.sql
SQL> @/cdrom/cdrom0/db/oracle/table_pps_for_oracle.sql
SQL> @/cdrom/cdrom0/db/oracle/func_pps_for_oracle.sql
SQL> quit
Annotation: The script name here should contain the absolute path of the table_structure_of_aaa_for_oracle.sql file.

2.4 Obtaining AAA authorization


After installing the AAA server, you must obtain authorization in order to start the AAA normally. AAA authorization is determined by the authorization file radiusd.cer. There are two kinds of authorization file: the standard authorization file and the trial authorization file. The standard authorization file never becomes invalid after system installation, and is bound to the specific host; the authorization is invalid on other hosts and the AAA server will not run on them. The trial authorization file becomes invalid after a period of time from the day the user registered (usually 3 months). When the authorization becomes invalid, the AAA server automatically exits and cannot be restarted. The trial authorization is not bound to a specific host.
The steps for obtaining standard authorization are: 1) generate the host information file license.txt on the host where AAA is to be installed; 2) send the file license.txt to the installation engineers, who will create the authorization file radiusd.cer for the specific system; 3) copy the authorization file to the sbin directory of the AAA server.
1) Generating the license.txt file
# cd /usr/local/capitel/aaa/bin
# ./genlicense        (produces the license.txt file)
2) Send license.txt to the installation engineers and obtain the authorization file radiusd.cer.
3) After obtaining the authorization file radiusd.cer, copy it to the sbin directory of the AAA server; if the file already exists, overwrite it.
# cp radiusd.cer /usr/local/capitel/aaa/sbin
NOTICE: license.txt and radiusd.cer are both text files, but they absolutely must not be changed after they are generated. For example, if you transfer them between Unix and Windows using FTP, you must remember to use binary mode, and you had better not open them and perform a Save As operation on a Windows system.


2.5 Starting the server


2.5.1 Starting and stopping the AAA main program
Use the following commands to start the AAA server:
# cd /usr/local/capitel/aaa/sbin
# ./radiusd
Use the following command to stop the AAA server:
# pkill radiusd

2.5.2 Starting and stopping AAAEAS


The eas file under the AAAEAS installation directory is the AAAEAS service script. After confirming that AAAEAS has been installed successfully, run the eas script with the start parameter to start AAAEAS, with the stop parameter to stop AAAEAS, and with the restart parameter to restart AAAEAS quickly.
The AAAEAS service script accepts 3 parameters, with the following meanings:
start      starting AAAEAS
stop       stopping AAAEAS
restart    stopping AAAEAS and starting it again
If you want to start the AAAEAS as a background process, add & after the parameter.
The interaction process to start AAAEAS as a background process is as follows:
[root@radius aaaeas]$ ./aaaeas start
[1] 776
AAAEAS starting......
The commands for stopping AAAEAS are:
[root@radius aaaeas]$ ./aaaeas stop
killing AAAEAS...
AAAEAS is killed
The service script of the command line tool is aaatool, and the starting and stopping process is as follows:
[root@radius aaaeas]$ ./aaatool
User ID: admin
Password: change_on_install
Connected to AAAEAS: Release 1.0 - Production on 2003
log successfully
CAPITEL AAA /> quit
Disconnected from AAAEAS: Release 1.0 - Production on 2003
The starting and stopping process for the graphic management terminal is described in System management > Graphic management terminal > Using graphic management terminal > Starting graphic management terminal.

3 Basic concepts of AAA


3.1 RADIUS basic
The RADIUS (Remote Authentication Dial In User Service) protocol is a standard method for information exchange between user access equipment (RADIUS client) and the equipment that stores user authentication information (RADIUS server).
A remote access environment based on RADIUS commonly comprises three main components: access client, network access server, RADIUS server.

Figure 3: Remote access environment based on RADIUS

An access client may be a user connecting to Internet websites by dialing into a service provider's network (this is the most common user role). An access client may also be a device, such as an ISDN router, which is commonly used in small offices or homes to provide network access for multiple users.
NAS is the abbreviation of Network Access Server; it is equipment that identifies and processes access requests from the boundary of a network. The boundary can be a WLAN access point, an ISDN bridge, or a modem pool. When the NAS receives an access request from a user, it negotiates with the user to determine the connection approach (EAP, PPP or SLIP); some information is obtained through the negotiation (for instance user name, password, NAS equipment identifier, NAS port number), and then the NAS transmits this information to the RADIUS server and requests authentication of this user.

Figure 4: Information exchange between the access client, NAS and RADIUS server
The RADIUS server authenticates this request and authorizes service on this connection. The RADIUS server does this by matching the information from the NAS request against the information stored in the database. If the information matches, the RADIUS server accepts this user; otherwise, this user is rejected. According to the response from the RADIUS server, the NAS decides whether to set up a connection for the user or terminate the user's access attempt. At last, the NAS sends an accounting request to the RADIUS server to record this transaction; the RADIUS server can record the transaction or send the request to other servers for charging this service.


3.1.1 RADIUS Packets


The RADIUS client exchanges information with the RADIUS server through RADIUS packets. The format of a RADIUS packet is specified in the technical documents RFC 2865 Remote Authentication Dial In User Service (RADIUS) and RFC 2866 RADIUS Accounting.
In order to configure Capitel's AAA2.0 system, some important points about RADIUS packets, described below, should be understood:
- A RADIUS packet carries the information exchanged between the RADIUS server and the RADIUS client.
- RADIUS packets follow a request/response mechanism: the client sends a request to the server and waits for a response from the server; if the client does not receive a response, it resends the request periodically.
- Every packet has a particular purpose: authentication or accounting.
- A packet can contain values which are called attributes.
- The attributes included in a packet are restricted by the packet type or by the equipment (such as the NAS's manufacturer and model) used to send the packet.

More details about RADIUS packet types and contents can be found in RFC 2865. This manual also provides some common attributes and their possible values; for the attributes of accounting packets, please refer to RFC 2866.

3.1.2 RADIUS configuration

Both the RADIUS server and the RADIUS client must be configured before they can communicate,
as the figure above shows. If the RADIUS client is a network access server (NAS) on the same
network segment as the RADIUS server, one network administrator may be authorized to configure
both server and client; otherwise the two administrators must agree on the details of the server
and client configuration.

RADIUS server configuration


You must tell the RADIUS server how to respond to every RADIUS client. Use the command-line
configuration tool or the GUI management terminal contained in the peripheral system (AAAEAS)
to configure the Capitel AAA 2.0 RADIUS server. With the command-line tool, the client-related
commands set up the configuration (see System management > Command-line configuration tool >
Configuring the clients); with the GUI management terminal, you configure clients in the
configuration dialogs. Once each client is configured, the RADIUS server responds to that
client's requests accordingly. The client information required is:
- IP address or host name of the client
- Shared secret between the Capitel AAA2.0 RADIUS server and the client
- Short name of the client
- Type of the client

RADIUS client configuration


You must tell the RADIUS client how to communicate with the server. When a client needs to work
with the Capitel AAA 2.0 RADIUS server, log in to the machine hosting the RADIUS client and enter
the following in the client's management program:
- IP address or host name of the RADIUS server
- Shared secret between the server and the client

RADIUS shared secret


The RADIUS shared secret is used to verify RADIUS packets exchanged between two devices. It is a
character string of letters and digits, and it takes effect only when the same secret is set on
both the client and the server. RFC 2865 recommends a secret of at least 16 octets that is as
unguessable as a well-chosen password; a short or predictable secret weakens every check that
depends on it.
Note: the secret is case sensitive.
For simplicity, each client needs only one secret to communicate with the Capitel AAA 2.0
RADIUS server; that is, the same secret is used for authentication and accounting.

Using the shared secret


In an authentication transaction the user's password must be transmitted securely between
RADIUS client and server; this is provided by PAP, CHAP, MS-CHAP or other protocols. When PAP
is used, the shared secret is used to hide (encrypt) and reveal (decrypt) the User-Password
attribute.
Refer to Fundamental concepts of AAA > Password protocol.
Accounting packets are sent without encryption between RADIUS client and server; the shared
secret is used to verify that a received accounting packet was sent by a valid device (RADIUS
client or server).
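The verification just described (the Accounting-Request authenticator that proves the sender knows the secret, and the Response Authenticator that binds a reply to the request) is shown below as an added worked example. It is not code from the Capitel manual or product: the shared secret, the sample Accounting-Request and its attributes are constructed for the illustration, following RFC 2866 section 3 and RFC 2865 section 3.

```python
"""Shared-secret checks on RADIUS accounting packets (RFC 2866 section 3).

Added example, not Capitel code. SECRET and the sample request are constructed.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def accounting_request_authenticator(code, identifier, attrs_bytes, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER.size + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, identifier, length, bytes(16)) + attrs_bytes + secret).digest()


def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """RFC 2865/2866: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + attrs_bytes + secret).digest()


def build_accounting_request(identifier, attrs_bytes, secret):
    """NAS side: Accounting-Request (code 4) whose authenticator covers the whole packet."""
    auth = accounting_request_authenticator(4, identifier, attrs_bytes, secret)
    return HEADER.pack(4, identifier, HEADER.size + len(attrs_bytes), auth) + attrs_bytes


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator; a mismatch means wrong secret or tampering."""
    code, identifier, length, received = HEADER.unpack(packet[:HEADER.size])
    if code != 4 or length < HEADER.size or length > len(packet):
        return False
    expected = accounting_request_authenticator(code, identifier, packet[HEADER.size:length], secret)
    return hmac.compare_digest(received, expected)   # constant-time comparison


def build_accounting_response(request, secret):
    """Server side: Accounting-Response (code 5), no attributes, bound to the request's authenticator."""
    _, identifier, _, request_auth = HEADER.unpack(request[:HEADER.size])
    auth = response_authenticator(5, identifier, request_auth, b"", secret)
    return HEADER.pack(5, identifier, HEADER.size, auth)


def verify_response(response, request, secret):
    """Client side: the reply must match our request's Identifier and authenticator."""
    code, identifier, length, received = HEADER.unpack(response[:HEADER.size])
    _, req_id, _, request_auth = HEADER.unpack(request[:HEADER.size])
    if identifier != req_id or length < HEADER.size or length > len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[HEADER.size:length], secret)
    return hmac.compare_digest(received, expected)


# Constructed sample: accounting Start for user "test" with Acct-Status-Type (40) = 1
# and Acct-Session-Id (44). The secret is a placeholder, not a deployment value.
SECRET = b"s3cret-example"
ATTRS = attr(1, b"test") + attr(40, struct.pack("!I", 1)) + attr(44, b"session0001")
REQUEST = build_accounting_request(7, ATTRS, SECRET)
RESPONSE = build_accounting_response(REQUEST, SECRET)

if __name__ == "__main__":
    print("request with right secret :", verify_accounting_request(REQUEST, SECRET))
    print("request with wrong secret :", verify_accounting_request(REQUEST, b"other"))
    print("response bound to request :", verify_response(RESPONSE, REQUEST, SECRET))
```

Both checks are plain MD5 with the secret appended, so they hold only against a party who does not know the secret; the accounting attributes themselves travel in clear, exactly as the section states, which is why the strength of the shared secret matters as much as the check.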

3.2 Authentication
To understand the authentication procedure we should have a basic understanding of the
authentication messages. The table below lists the scenarios for RADIUS authentication messages,
the attributes each may carry and the function of those attributes.


Scenario: When the NAS receives a connect request from the user, it sends an Access-Request
message to the RADIUS server to authenticate the user's request.
Function of attributes:
- Authenticate the user
- Describe the type of connection the user requests

Scenario: When the RADIUS server can authenticate the connection request, it returns an
Access-Accept message to the client (usually the NAS).
Function of attributes:
- Allow the NAS to finish the access negotiation
- Set up the details of the connection, e.g. provide an IP address that the NAS allocates to
  the user
- Set a time limit or other service information for this connection

Scenario: When the RADIUS server cannot authenticate the connection request, it returns an
Access-Reject message to the client (NAS).
Function of attributes:
- Stop the access negotiation
- Give the reason for the authentication failure

Scenario: If the initial conditions are met but the RADIUS server still needs extra information
from the user, it sends an Access-Challenge message to the client (NAS).
Function of attributes:
- Enable the NAS to prompt the user for the additional information needed to authenticate
- Carry the challenge the NAS must answer: the NAS rebuilds an Access-Request containing the
  user's response to the Access-Challenge

3.2.1 Authentication method

When a RADIUS server receives an Access-Request message, an authentication transaction begins.
The Capitel AAA2.0 system retrieves the user name and password from the Access-Request packet
and then authenticates the request according to the configured method. The Capitel AAA2.0
system currently supports the following authentication methods:

RADIUS authentication proxy


The Capitel AAA2.0 system can forward Access-Request packets to other RADIUS servers; the server
that receives the request 1) authenticates it according to its own policy and 2) sends back a
response. Here the Capitel AAA2.0 system acts as a relay and returns the received response to the
NAS. In this architecture the Capitel AAA2.0 system that forwards the request to another RADIUS
server is called the client RADIUS server.
Note: the Capitel AAA2.0 system provides authentication options to control client RADIUS
servers and realms.
Please refer to Realm configuration.

SQL authentication
Depending on the configuration, the SQL authentication method lets the Capitel AAA2.0 system
authenticate users by 1) communicating with popular database systems, 2) retrieving the
authentication information from the database and 3) constructing the authentication response
packet, which the Capitel AAA2.0 system then sends back to the client. At present the Capitel
AAA2.0 system supports databases such as MySQL, Oracle and Sybase.
Please refer to Configuring the database connection.

3.2.2 Configuration of authentication method


As described above, the Capitel AAA2.0 system has several authentication methods, each of which
tries to find the information corresponding to the Access-Request in the user profile. The
methods differ in:
- where the data source is stored
- the syntax used to communicate with the data source

3.3 Password protocol


An authentication transaction requires password information to be sent between the RADIUS client
and the server. The password information is always obtained from the user: for example, when a
user connects to the NAS, the user is prompted to enter a password. The Capitel AAA2.0 system
supports two protocols for receiving the password from the NAS, PAP and CHAP; in addition, it
supports the Extensible Authentication Protocol (EAP).

3.3.1 PAP
In PAP (Password Authentication Protocol), the user and the NAS negotiate in clear text; that is,
the user sends the password to the NAS without encryption.
The NAS gathers enough information from the user to construct an Access-Request packet. Before
sending the Access-Request to the RADIUS server, the NAS uses the shared secret to encrypt the
User-Password attribute.
When the Capitel AAA2.0 RADIUS server receives an Access-Request packet, it reads the NAS
identifier from it and looks up the NAS information stored on the server for that identifier.
This yields the corresponding shared secret, with which the password is decrypted.

3.3.2 CHAP
CHAP (Challenge Handshake Authentication Protocol) avoids sending the password in clear text on
any network segment.
In CHAP, when negotiating the password, the NAS generates a random string as a challenge to the
user; the user's PPP client combines the challenge and the password into a digest (a one-way
computation) and sends the digest to the NAS. The NAS places the digest in the CHAP-Password
attribute of the Access-Request packet and carries the challenge in the CHAP-Challenge attribute
(or in the Request Authenticator).
Because the digest computation is one-way, the Capitel AAA2.0 RADIUS server cannot recover the
clear-text password from the digest. What it can do is take the challenge (contained in the
Access-Request packet) and the user's password (stored in the server) and perform the same
computation as the PPP client did when generating the digest. If the two digests are identical,
the two passwords are the same as well. This also means the server must hold the user's password
in clear text (or a reversibly protected form); a one-way hash of the password cannot be used
with CHAP.
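The two password protocols of sections 3.3.1 and 3.3.2, together with the PAP use of the shared secret described under "Using the shared secret", are shown below as an added worked example. This is not code from the Capitel manual or product: the hiding algorithm follows RFC 2865 section 5.2 (User-Password) and the CHAP check follows sections 5.3 and 5.40 (CHAP-Password, CHAP-Challenge); the secret, passwords, authenticator and challenge are constructed values.

```python
"""PAP password hiding and CHAP digest verification between NAS and RADIUS server.

Added example, not Capitel code. SECRET, REQUEST_AUTH, PASSWORD and CHALLENGE
are constructed sample values.
"""
import hashlib
import hmac


def pap_hide(password, secret, request_auth):
    """NAS side (RFC 2865 5.2): c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = -len(password) % 16
    if not password:
        pad = 16                      # an empty password still yields one 16-octet block
    padded = password + bytes(pad)    # NUL padding to a multiple of 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                      # the chain continues from the ciphertext block
    return out


def pap_reveal(hidden, secret, request_auth):
    """Server side: same chain in reverse; the NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """PPP client/NAS side: CHAP-Password value = Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password_attr, stored_password, challenge):
    """Server side: recompute from the stored clear-text password and compare in constant time."""
    if len(chap_password_attr) != 17:
        return False
    expected = chap_response(chap_password_attr[0], stored_password, challenge)
    return hmac.compare_digest(chap_password_attr, expected)


# Constructed sample values
SECRET = b"s3cret-example"
REQUEST_AUTH = bytes(range(16))        # Request Authenticator of the Access-Request
PASSWORD = b"correct horse battery"    # 21 octets -> two 16-octet blocks on the wire
HIDDEN = pap_hide(PASSWORD, SECRET, REQUEST_AUTH)
CHALLENGE = bytes(range(100, 116))     # NAS-generated challenge (CHAP-Challenge attribute)
CHAP_ATTR = chap_response(0x5A, PASSWORD, CHALLENGE)

if __name__ == "__main__":
    print(len(HIDDEN), pap_reveal(HIDDEN, SECRET, REQUEST_AUTH))
    print(chap_verify(CHAP_ATTR, PASSWORD, CHALLENGE), chap_verify(CHAP_ATTR, b"wrong", CHALLENGE))
```

Two practical consequences follow from the code: with the wrong shared secret pap_reveal returns garbage rather than an error, so a failed PAP login after a secret change looks like a bad password; and chap_verify needs the clear-text password on the server side, so user records stored only as one-way hashes cannot serve CHAP.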

3.4 Accounting
To understand the whole accounting procedure of the Capitel AAA2.0 system, we should have a
basic knowledge of the accounting messages. The table below lists the scenarios for RADIUS
accounting messages, the attributes each may carry and the function of those attributes.
Scenario: The RADIUS client sends accounting messages to the server as Accounting-Request
messages. Clients from different vendors may send different Accounting-Request messages; the most
common cases are described here. Ensuring that the server receives the accounting request is the
client's responsibility: most clients retransmit periodically until the server acknowledges the
packet.
Function of attributes: According to the value of the Acct-Status-Type attribute, accounting
messages fall into several categories: Start, Stop, Interim-Acct (called Interim-Update in
RFC 2866), Accounting-On and Accounting-Off.

Scenario: After the NAS receives the Access-Accept packet from the RADIUS server and finishes the
access negotiation with the user, it sends an accounting Start message to the server.
Function of attributes: Connection information, which may include the user name, NAS identifier,
NAS port number, port type and connection start time.

Scenario: After the connection terminates, the NAS sends an accounting Stop message to the server.
Function of attributes: Record the information about this connection; the message contains the
final values of the statistics attributes the NAS can record.

Scenario: At a regular interval (about every 6 minutes in the case described here), the NAS sends
an interim accounting message (Interim-Acct) to the server.
Function of attributes: Record a snapshot of the statistics of this connection; the message
contains the current values of the statistics attributes the NAS can record.

Scenario: Each time a client comes online (whether it went offline because of a crash or a normal
shutdown), it sends an Accounting-On message to the server.
Function of attributes: Indicate that this device is online.

Scenario: Each time a client is shut down normally, it sends an Accounting-Off message to the
server.
Function of attributes: Indicate that this device is offline.

Scenario: After the server receives an Accounting-Request message, it sends an
Accounting-Response message to the client.
Function of attributes: Complete the request/response cycle.

The NAS sends Accounting-Request messages on its own initiative at the appropriate moments, for
example as soon as a connection has been set up successfully. When the RADIUS server receives an
Accounting-Request message, an accounting transaction starts; within it the RADIUS server
responds according to the Acct-Status-Type and the other attributes in the message.

3.4.1 Tab-delimited billing file


When the Capitel AAA2.0 system records accounting information to a file, all RADIUS accounting
attributes received by the server are formatted and written to a billing file delimited by Tab
characters (\t). Such a file is easy to import into Excel or, by program, into a database, which
makes generating reports and statistics convenient. Note that attribute values containing Tab or
newline characters break the column layout and should be escaped or rejected before import.

3.4.2 Accounting roaming


The Capitel AAA2.0 system can act as a relay and forward Accounting-Request messages to other
RADIUS servers, which then process the accounting requests according to their own policies. (The
Capitel AAA2.0 system can also record the forwarded packets locally.) The whole process of
relaying RADIUS packets between cooperating RADIUS servers is called RADIUS proxy and is described
in detail in the RADIUS protocol documents.
Attention: the Capitel AAA2.0 system provides accounting options for configuring RADIUS proxies
and realms.
Please refer to Realm server configuration.

3.5 Attributes
3.5.1 Attribute dictionary

The Capitel AAA2.0 system uses attribute dictionaries to organize all attributes into attribute
lists. The main attribute dictionary file used by the Capitel AAA2.0 system is named dictionary;
it contains the standard attributes specified by the RADIUS protocols.

Vendor-Specific Attributes
Besides the standard RADIUS attributes, many RADIUS clients (NASs) also use extra Vendor-Specific
Attributes (VSAs) when setting up a connection. The Capitel AAA2.0 system supports different kinds
of NAS equipment by adding each NAS's Vendor-Specific Attributes to the corresponding attribute
lists. These vendor-specific dictionaries are usually stored in the same directory as the main
attribute dictionary and use the vendor's name as the file extension.

Update Attribute Information


If you receive updated product information from your NAS vendor, such as a new attribute or a new
value for an existing attribute, you can add it to the Capitel AAA2.0 system by:
- editing the dictionary whose file extension matches the vendor, adding the new attribute or
  value and saving the file; or
- creating a new file containing the new information and adding an INCLUDE line for it to the
  main dictionary.

3.5.2 User attributes lists


The user information stored in the Capitel AAA2.0 system is needed to authenticate connection
requests. You can examine it with the command-line tool or the graphical management terminal.
During authentication, you can configure the system to check other attributes besides the user
name / password pair. For finer control of the authentication process, the Check-List and
Return-List stored with each user in the database provide a powerful tool for authenticating and
authorizing users: when a connection request is authenticated, this information tells the RADIUS
server how to handle the attributes.
Attention: all the information described here is optional.

Attribute check list (Check-List)


The Check-List supplies additional per-user information for authenticating a connect request and
gives finer control over the connection. When the NAS sends a connect request to the Capitel
AAA2.0 system, the system retrieves the information related to this user from the database, fills
it into the attribute check list and processes the request further according to the items in that
list.
To use the Check-List correctly, consider some frequently used rules. For example, to prevent a
user from passing authentication, set the Auth-Forbidden attribute to yes and add it to that
user's Check-List; even if the user name and password are both correct, the Capitel AAA2.0 system
will still reject the user's connect request.
All RADIUS attributes supported by the Capitel AAA2.0 system can be included in the Check-List,
including the attributes provided by vendors (VSAs).

Attribute return list (Return-List)


The Return-List is a list of attributes that are sent to the NAS after successful authentication.
It usually provides additional attributes the NAS needs to complete the connection, so the
Return-List can be regarded as the authorization configuration parameters.
Different Return-Lists implement different connection policies: a user can be assigned a specific
IP or IPX address, can be configured to use IP header compression or not, or can be given a time
limit for the connection.
All RADIUS attributes supported by the Capitel AAA2.0 system can be included in the Return-List,
including the attributes provided by vendors (VSAs).

3.5.3 Attribute value


Each RADIUS attribute has a specific data type; the types currently supported are number, string,
IP/IPX address, time and hexadecimal string.
For example, the value of the Callback-Number attribute is a phone number, so its data type is
string; the NAS-Port-Type attribute takes a value from an enumeration such as Synchronous or
Asynchronous, so its data type is number.

Multi-instance attribute
Attributes are either single-instance or multi-instance: some attributes may appear only once in a
Check-List or Return-List, while others may appear more than once.
If the Replicate-To-Realm attribute appears several times in the Check-List, then when the Capitel
AAA2.0 system receives an Accounting-Request packet it replicates the packet and sends a copy to
every destination designated by a Replicate-To-Realm attribute.
If an attribute appears several times in the Return-List, the response packet sent by the RADIUS
server to the NAS contains every instance of the attribute from the Return-List. For example, a
user who uses IP header compression and IPX header compression at the same time has
Framed-Compression twice in the Return-List, once with VJ-TCP-IP-header-compression and once with
IPX-header-compression.

Attribute sequence
Some multi-instance attributes in the Return-List are order-sensitive: when the attribute appears
more than once in the RADIUS response packet, its order cannot be changed arbitrarily.
For example, the Reply-Message attribute sends text to the user. To send several lines of text,
include several instances of Reply-Message in the Return-List; the messages are displayed in the
same order as they appear in the Return-List.

3.6 RADIUS proxy


The Capitel AAA2.0 system can forward packets to another RADIUS server for processing and act as a
relay that returns that server's result to its own clients. In this case the Capitel AAA2.0 system
is called a proxy of the destination server.
The Capitel AAA2.0 system fully supports RADIUS proxying. The host running the Capitel AAA2.0
system can serve as a RADIUS server and a proxy at the same time, regardless of whether a given
packet is an authentication or an accounting packet.


3.6.1 RADIUS authentication proxy


The proxy process for a RADIUS authentication message is:
1. The first server (the RADIUS proxy server) receives an Access-Request message.
2. The proxy server forwards the request to the second server (the destination RADIUS server).
3. The destination RADIUS server authenticates the request and sends its reply back to the proxy
   server.
4. The proxy server sends the reply to the original RADIUS client.

3.6.2 RADIUS accounting proxy


The proxy process for a RADIUS accounting message is:
1. The RADIUS server receives an Accounting-Request message.
2. The server's accounting proxy configuration determines how the request is processed:
   a) forward the accounting request to the destination server;
   b) record the accounting data from the request locally; or
   c) both a and b.
3. If the proxy server receives no reply to the forwarded accounting request, it resends the
   request periodically according to its resend policy.

3.6.3 RADIUS realm group


Basic concepts of the realm group
A RADIUS realm group is a pool of RADIUS servers used as the destination to which the proxy
server sends requests. Realm groups provide load balancing and server redundancy, and you can
also configure the proxy server to send authentication and accounting requests to different
servers.
Please refer to Realm server configuration.
Figure 5: RADIUS server and realm group

Load balance and destination server redundancy

How the proxy server sends requests to a destination that is a realm group is determined by a
field in the realm configuration, which can be set to fail_over or round_robin.
If this field is set to fail_over, when the proxy server receives a request it sends the packet
to the active server with the lowest index in the realm group. If the resend count reaches the
configured maximum (retry_count) and the proxy server still has no reply, the request is rejected
and the Capitel AAA2.0 system marks that server inactive; the next request goes to the active
server with the next index in the realm group, which provides destination server redundancy. The
Capitel AAA2.0 system marks the inactive server active again after the dead time (dead_time)
defined in the configuration.
If this field is set to round_robin, the proxy server distributes requests over all active
destination servers in the group in turn, which implements load balancing: the more servers in
the realm group, the lower the load on each.
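The fail_over and round_robin behaviour described above, including the retry_count limit, the inactive marking and the dead_time revival, is shown below as an added worked example. It is not code from the Capitel manual or product: the field names follow the manual's wording, while the class layout, the caller-supplied clock (in seconds) and the transmit callback that stands in for the network are assumptions made for the illustration.

```python
"""Destination selection for a realm group: fail_over versus round_robin.

Added example, not Capitel code. mode, retry_count and dead_time follow the
manual's wording; the classes, clock and transmit callback are assumptions.
"""


class Destination:
    def __init__(self, index, name):
        self.index = index              # position of the server in the realm group
        self.name = name
        self.active = True
        self.inactive_since = None      # clock value when the server was marked inactive


class RealmGroup:
    def __init__(self, destinations, mode, retry_count, dead_time):
        if mode not in ("fail_over", "round_robin"):
            raise ValueError("mode must be fail_over or round_robin")
        self.destinations = sorted(destinations, key=lambda d: d.index)
        self.mode = mode
        self.retry_count = retry_count  # resends allowed after the first transmission
        self.dead_time = dead_time      # seconds before an inactive server is tried again
        self._rr = 0                    # round-robin cursor

    def _revive(self, now):
        for d in self.destinations:
            if not d.active and now - d.inactive_since >= self.dead_time:
                d.active, d.inactive_since = True, None

    def pick(self, now):
        """Choose the destination for the next request; None when no server is active."""
        self._revive(now)
        active = [d for d in self.destinations if d.active]
        if not active:
            return None
        if self.mode == "fail_over":
            return active[0]                    # lowest index among the active servers
        d = active[self._rr % len(active)]      # cycle through all active servers
        self._rr += 1
        return d

    def send(self, now, transmit):
        """transmit(dest) returns True when a reply arrives.

        Returns (destination, replied). After the first send plus retry_count
        unanswered resends the request is given up and the destination is marked
        inactive until dead_time has passed.
        """
        d = self.pick(now)
        if d is None:
            return None, False
        for _ in range(1 + self.retry_count):
            if transmit(d):
                return d, True
        d.active, d.inactive_since = False, now
        return d, False


def make_group(mode):
    """Constructed three-server group used by the demo below."""
    return RealmGroup([Destination(2, "b"), Destination(1, "a"), Destination(3, "c")],
                      mode, retry_count=2, dead_time=30)


if __name__ == "__main__":
    g = make_group("fail_over")
    dest, ok = g.send(0, lambda d: d.name != "a")   # server a never answers
    print(dest.name, ok)                              # a is tried 3 times, then marked inactive
    print(g.send(1, lambda d: True)[0].name)          # b: next active server by index
    print(g.pick(30).name)                            # a again, revived after dead_time
```

Two points worth noticing when tuning such a configuration: a request that exhausts retry_count against a dead server is rejected rather than re-routed, so the first failure after an outage is visible to that user; and in round_robin mode the cursor walks the list of currently active servers, so removing a server from rotation shifts which server the next request lands on.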

3.7 Tunnels
This section describes the background of tunnels and how to configure the Capitel AAA2.0 system
to support them.
Attention: the Capitel AAA2.0 system does not add tunnels to your network; it only serves the
authentication and accounting needs of tunnels of any type that you have already set up.
A tunnel is a dedicated, secure remote connection. Through the tunnel you can transmit data
between an enterprise site and a remote site. For security, the tunnel wraps the transmitted data
in an encryption layer; the authentication and encryption properties of the tunnel strengthen the
connection and protect it against eavesdropping and malicious tampering. In addition, the tunnel
can provide quality-of-service characteristics such as connection bandwidth.
All management and configuration work for the tunnel is done at the remote site, the end that
requests remote access and opens the tunnel. The administrator of the remote site must configure
some attributes of the tunnel: the IP address of the tunnel endpoint, the security protocol the
tunnel supports and the tunnel password. This information is stored in a database and retrieved
when needed; storing it in the RADIUS server is convenient for centralized management.
A RADIUS server that can store tunnel information and return it when the NAS requires it is said
to have tunnel support. Such a RADIUS server can:
- determine from the received request whether this connection involves a tunnel and, if so, find
  the tunnel type;
- save and retrieve the attribute values of the tunnel configuration;
- track the number of tunnels already set up and in use, compare it with the maximum number of
  tunnels allowed, and refuse the connect request if the maximum would be exceeded.

3.7.1 Tunnel authentication process


When the Capitel AAA2.0 system receives an Access-Request packet, a tunnel authentication process
begins.
The Capitel AAA2.0 system checks whether the User-Name attribute in the Access-Request message
has the format <user name><separator><tunnel name> (postfix) or
<tunnel name><separator><user name> (prefix).
<separator> is a single character and must be the same as the tunnel separator configured on the
server. The order of tunnel name and user name must match the rule configured on the server
(prefix or postfix). These settings are server-wide: all tunnels on the same server use the same
format.
The Capitel AAA2.0 system searches the database for the tunnel record matching the tunnel name it
extracted. If a matching record is found, the Capitel AAA2.0 system uses the information in the
tunnel record to construct an Access-Accept packet, and the NAS uses the tunnel information from
the Access-Accept to set up a tunnel to the enterprise site. Authentication of the user name is
then usually performed at the enterprise site: if it succeeds, the connection is established;
otherwise the user's request is rejected.
If no matching record is found, the Capitel AAA2.0 system assumes the request is not a tunnel
request, continues resolving the user name and authenticates it with the next configured
authentication method.
Please refer to LNS server configuration.
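The user-name splitting and fall-through logic of this section is shown below as an added worked example. It is not code from the Capitel manual or product: the separator, the prefix/postfix setting, the in-memory tunnel table, the RFC 2868 attribute names in the sample record and the stand-in "next authentication method" are all constructed assumptions.

```python
"""Tunnel-name extraction from User-Name and fall-through to the next method.

Added example, not Capitel code. TUNNELS, the separator/position settings and
sql_method are constructed stand-ins for the server's configuration and database.
"""


def split_tunnel_name(user_name, separator, position):
    """Return (tunnel_name, bare_user) or None if the name carries no tunnel part.

    position 'prefix'  : <tunnel name><separator><user name>
    position 'postfix' : <user name><separator><tunnel name>
    Only the first (prefix) or last (postfix) separator is significant, so a
    separator that is part of the user name itself is left in place.
    """
    if len(separator) != 1:
        raise ValueError("tunnel separator must be a single character")
    if position not in ("prefix", "postfix"):
        raise ValueError("position must be prefix or postfix")
    if separator not in user_name:
        return None
    if position == "prefix":
        tunnel, _, user = user_name.partition(separator)
    else:
        user, _, tunnel = user_name.rpartition(separator)
    if not tunnel or not user:
        return None             # "@acme" or "alice@" is treated as a plain user name
    return tunnel, user


def authenticate(user_name, tunnels, separator, position, next_method):
    """tunnels maps tunnel name -> attributes for the Access-Accept.

    Returns (code, attributes). A known tunnel yields an Access-Accept built from
    the tunnel record (the user is authenticated later at the enterprise site);
    anything else falls through to next_method, exactly as the section describes.
    """
    parts = split_tunnel_name(user_name, separator, position)
    if parts is not None:
        record = tunnels.get(parts[0])
        if record is not None:
            return "Access-Accept", dict(record)
    return next_method(user_name)


# Constructed sample configuration: one tunnel record with RFC 2868 attribute names
TUNNELS = {
    "acme": {"Tunnel-Type": "L2TP", "Tunnel-Medium-Type": "IPv4",
             "Tunnel-Server-Endpoint": "198.51.100.7"},
}


def sql_method(user_name):
    """Stand-in for the next configured method: only the local user "local" is known."""
    return ("Access-Accept", {}) if user_name == "local" else ("Access-Reject", {})


if __name__ == "__main__":
    for name in ("alice@acme", "bob@unknown", "local", "a@b@acme"):
        print(name, "->", authenticate(name, TUNNELS, "@", "postfix", sql_method))
```

Because the tunnel name is taken from the request, a user who knows the separator can steer the server to any configured tunnel record simply by choosing the suffix; the section's remark that user authentication then happens at the enterprise site is what keeps that from being an access bypass, and the LNS must actually perform it.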

3.8 SNMP
The Simple Network Management Protocol (SNMP) is the IETF standard for communication between a
centralized management workstation and multiple devices and services on the network.
SNMP provides this communication regardless of a device's type, vendor and model. Each device on
the network must receive the SNMP requests sent by the management workstation and reply with the
corresponding status information in SNMP format; a device that satisfies this requirement is said
to support SNMP. All SNMP-capable devices and services can be configured to report their status to
the same management workstation, where an SNMP-compatible graphical user interface can view and
analyze the data.
Any management software compatible with SNMPv1 can work with the Capitel AAA2.0 system; the
Capitel AAA 2.0 system supports the standard RADIUS authentication and accounting MIBs. Note that
SNMPv1 authenticates requests only with a clear-text community string, so the agent should be
reachable from the management network only.

3.8.1 SNMP Management Information Base (MIB)


The information reported through SNMP is organized in a tree-structured database called the MIB
(Management Information Base). The Capitel AAA2.0 system supports the standard MIBs for RADIUS
authentication and accounting. The MIB files used by the SNMP subagent of the Capitel AAA2.0
system are in the snmp subdirectory of the server installation directory.
The SNMP MIBs used are:
- RADIUS-AUTH-SERVER-MIB: authentication MIB of the RADIUS server
- RADIUS-ACCT-SERVER-MIB: accounting MIB of the RADIUS server

3.8.2 Management workstation and agent

The main components of the network management model used for TCP/IP networks are:
- the management workstation
- the management agent
Key platforms (such as mainframes, bridges, routers and hubs) can all run an SNMP agent so that
they can be managed from the management workstation. The SNMP agent responds to query or
operation requests from the management workstation and can also send important TRAP messages to
the workstation asynchronously. The management software can be configured to collect information
from any SNMP agent on the network. The usual model is to run the management software on a
management workstation and the SNMP agents (including the RADIUS server's) on the remote devices
to be monitored. The management software polls the agents for a set of status information at
specific times or intervals, and network administrators filter and process this status information
through a user interface program with SNMP support.

3.8.3 SNMP subagent


On a single device, SNMP agents may be divided into two kinds: one main agent and several
subagents. Any service running on the device can be given a subagent through which it reports to
the main agent. All subagents on the device send their SNMP data to the main agent, and the main
agent sends the information to the SNMP management workstation over the network. To the
management workstation, the main agent represents the monitored device; the workstation needs no
knowledge of the subagents. In other words, from the workstation's point of view there is only
one agent on the monitored device, the main agent.
The Capitel AAA2.0 system supports SNMP by providing a subagent, which is designed to work with
the UCD-SNMP main agent.

3.8.4 The SNMP trap message and alarm message


Although the SNMP agent responds to SNMP queries initiated by the management workstation,
sometimes the agent must send information to the workstation on its own initiative. Trap messages
are unsolicited messages that SNMP agents send to the management workstation under certain
conditions: when something important happens (such as the system becoming busy or a system fault),
the SNMP agent reports it proactively.
When the subagent detects that a TRAP condition is met, it reports this to the main agent, and the
main agent sends the message to all configured destinations as an alarm.
The Capitel AAA 2.0 system supports all trap and alarm messages defined by the standard RADIUS
MIBs. These messages fall into three categories:
- Information messages: report important RADIUS events that are neither failures nor alarms, for
  example the start or stop of the RADIUS server process. They are also sent when some values
  exceed their thresholds.
- Alarm messages: report possible or existing problems in the RADIUS server, for example
  difficulty connecting to the SQL database, or disk space about to be exhausted.
- Failure messages: report problems in the RADIUS server, for example one or more modules failing
  to initialize at start-up. Most of these messages indicate that the RADIUS server cannot start
  normally for some reason, such as a memory allocation failure.

3.9 Allocating IP address


The Capitel AAA2.0 system supports the following centralized IP allocation methods:
- Static allocation: each time the user requests a connection, it receives a static IP address,
  and the address is always the same. For example, if the Framed-IP-Address attribute of user test
  is 172.16.31.201, then every time user test connects to the network the allocated IP address is
  172.16.31.201.
- Allocation from the IP address pool of the client (NAS): each time the user connects, the client
  chooses an unused IP address from the pool it manages itself and allocates it to the user. For
  example:
  - one client named NAS1 uses IP address pool A;
  - another client named NAS2 uses IP address pool B;
  - user test has its Framed-Pool attribute set to the name of the pool associated with the NAS.
  In this case, if user test connects through a port of client NAS1, the address comes from pool
  A. On the next call user test may connect through a port of client NAS2, and then the address is
  allocated from pool B.

Please refer to AAA user management for how to set the value of the Framed-IP-Address attribute
for a user.

4 System management

4.1 Command line management tool

4.1.1 Using the command line management tool

Starting and exiting the command line management tool

The aaatool file under the AAAEAS installation directory is the starting script of the command line tool. After confirming that AAAEAS is installed correctly and that the AAAEAS watching process has started correctly, run the aaatool starting script to start the command line tool. The command line tool authenticates the user name and password used to log in to the periphery management system. After the user enters the right user name and password, the "CAPITEL AAA />" prompt is shown on the screen. The command line tool is now started and can be used to do work by executing the commands provided by AAAEAS.
[root@radius aaaeas]$ ./cmdtool
User ID: admin
Password: change_on_install
Connected to AAAEAS: Release 1.0 Production on 2003
Log successfully
CAPITEL AAA />
Caution: after installing AAAEAS, the system automatically adds an AAAEAS user with administrator level; its user name is "admin" and its password is "change_on_install". After the first login, please modify the user password and add other users.


If you want to exit from the command line management tool, input the "quit" command after the command management tool prompt "CAPITEL AAA />", or just input "q". The process is as follows:
CAPITEL AAA /> q
Disconnected from AAAEAS: Release 1.0 Production on 2003
[root@radius aaaeas]$
Caution: this command only ends the current command line management tool; the AAA main program and the AAAEAS watching process are still running on the RADIUS server.

Command overview

The commands of the command line management tool can be divided into two classes based on the managed objects: (1) AAAEAS management commands; (2) management commands of the AAA main program.

The AAAEAS management commands include:
- using the command help
- user management of AAAEAS
- log management of AAAEAS
- outputting the operation information of AAAEAS (spool)

The usage of these commands does not influence the authentication and accounting functions of the Capitel AAA2.0 system. We can say these commands are independent from the AAA main program and exist only so that the AAA main program management commands introduced in the following paragraphs can be carried out more safely and conveniently.

The help command shows all the commands supported by AAAEAS. The user management class commands are used for the security setup of logging in to AAAEAS: the user with the administrator role has the right to execute any supported command after logging in, including modifying the setup information of the AAA main program and managing AAA users (adding and deleting), while the user with the user role cannot execute some high-security-level commands after logging in.

The management commands of the AAA main program include:
- parameters management of the AAA main program
- user management of AAA
- statistical information management of AAA
- other management commands

The parameters management command class of the AAA main program has the most commands, including system parameters setup, database connection management and roaming strategy setup, etc. Using these commands, we can control the actions of the AAA program and the authentication and accounting principles. Thus, when executing these commands to modify the parameters of the AAA main program, you must completely understand your actions.

Since the AAA user information is stored in the background database, the AAA user management commands mostly implement the maintenance of this information; the statistical information management class commands can display the real-time information of the various function indexes of the AAA main program.

Caution:
1. Each command should be ended by a ";".
2. After using the parameters management commands of the AAA main program to modify the parameters, if you want the parameters to go into effect at once, you should send the "reloadcfg" command to inform the main program to reread the configuration file.

Using the help

Entering "help" at the command line management prompt displays the list of the names and overviews of the commands that can currently be used. For example:
CAPITEL AAA /> help
acctconf        displaying and setting up the call bill information of the AAA system
attrshow        inquiring the opening usable attributes and their value ranges.
calleridadd     adding callerid
calleriddel     deleting CallerID relational information
calleridshow    displaying CallerID relational information
(omitted)
If you need the detailed description of one command, you can use "help title". The help information usually includes 4 parts: Title, Grammar, Description and Example. You can use the "help esusershow" command when you want to view the usage explanation of the esusershow command; the interaction process is as follows:
CAPITEL AAA /> help esusershow
Title
    esusershow    inquiring about the AAA periphery system user
Grammar
    esusershow [username]
Description
    Inquiring about the general information of all the AAA periphery system users
    username    detailed information of the user


Example
    Inquiring about the general information of all the AAA periphery system users
    esusershow;
    Inquiring detailed information of the user
    esusershow test;

Outputting the information to files (spool)

Initial authority is the common user
Grammar
spool filename
spool off
Description
In order to preserve the operating information, we can use this command to store the information displayed on the screen in the appointed file.
filename
    the destination file name in which the information is stored

AAAEAS user management

Adding AAA periphery system user (esuseradd)
Initial authority is the common user
Grammar
esuseradd -u username -p password -r role
Description
Only an AAA periphery system user with administrator authority can execute this command. role expresses the authority of the AAA periphery system user; its value is [admin|user]. The administrator authority can execute any command provided by the system, including modifying the passwords of other users, while the user authority can only modify its own password and do some daily querying and maintenance work.

Modifying AAA periphery system user attributes (esuserchg)

Initial authority is the common user
Grammar
esuserchg username {-r role | -nn new_username | -op oldpassword | -np newpassword}
Description
Modifiable user attributes include: user name, password and authority.
username
    the user to be modified
-r role
    user authority; its value is admin or user; log in again after modifying your role
-nn new_username
    new user name
-op oldpassword
    old user password; if the modifier only has user authority, the correct old password must be provided; if the modifier has administrator authority, the old password is not needed
-np newpassword
    new password of the user

Querying AAA periphery system user (esusershow)

Initial authority is the common user
Grammar
esusershow [username]
Description
Querying the overview information of all the AAA periphery system users, or the detailed information of the appointed user.
username
    the user whose detailed information is queried

Deleting AAA periphery system user (esuserdel)

Initial authority is the common user
Grammar
esuserdel username
Description
Only an AAA periphery system user with administrator authority can execute this command.

AAA periphery system log management

Querying AAA periphery system log (eslogshow)

Initial authority is the common user
Grammar
eslogshow [-u username] [-b begindatetime] [-e enddatetime]
Description
You can narrow the query by using parameters such as user name, start time and end time.
-u username
    user name
-b begindatetime
    begin date and time; checks the operation log after this time point (see the time format below)
-e enddatetime
    end date and time; checks the operation log before this time point (see the time format below)
The time format is YYYY-MM-DD HH:MM:SS; note that the time parameters should be put in quotation marks, and giving no parameter means checking today's log.

Clearing AAA periphery system log (eslogclear)

Initial authority is the administrator
Grammar
eslogclear year
Description
Deleting the AAA periphery system log by year.
year
    the year whose log will be deleted, format YYYY

4.1.2 System parameters configuration (sysconf)

Initial authority is the administrator
Grammar
sysconf -s
sysconf {-m max_request_time | -c cleanup_delay | -I bind_address | -o port | -l logdir | -a radacctdir | -p proxy_requests}
Description
Displaying or modifying the AAA system parameters. The parameters are explained as follows:
-s
    if this tag is given, display all the parameters, and their values, that can be modified by this command
-m max_request_time
    the maximum time (5-120 s) for the system to process a request; if the processing time is longer than this appointed time, the request is rejected
-c cleanup_delay
    the delay (2-10 s) after which the AAA system clears a reply message once it has been sent to the NAS
-I bind_address
    the IP address on which the AAA system listens for messages
-o port
    the port on which the AAA system listens for messages; the default port number is 1812; the accounting listening port number is 1 greater than the authentication port, while the roaming listening port number is 1 greater than the accounting port
-a radacctdir
    the storing path of the AAA system accounting file
-l logdir
    the storing path of the AAA system log file
-p proxy_requests
    the usable status of the AAA system roaming function, value is {yes|no}

4.1.3 Call bill information configuration (acctconf)

Initial authority is the administrator
Grammar
acctconf -s
acctconf {-m storemode | -t interval | -n records_num}
Description
This command is used to define the naming rule, generating style and stored location of the call bill. The configurable parameters are:
-s
    displaying the call bill information of the AAA system
-m storemode
    the system's mode of generating the call bill; optional values are {time|size|both}, with these meanings:
    time    generating a new call bill at each time interval
    size    generating a new call bill when the appointed file size is reached
    both    generating a new call bill at each time interval and when the appointed file size is reached
-t interval
    the time interval for generating the call bill file; it is effective when the appointed bill generating manner is time or both, and its value range is 1-59 min
-n records_num
    the number of records in the current bill file; it is effective when the generating manner is size or both, and its minimum value is 100 records
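As an added example (not code from the Capitel manual or product), the following Python mirrors the value ranges given for sysconf (4.1.2) and acctconf (4.1.3), derives the three listening ports from the -o port rule, and decides when a new call bill file must be started. It assumes parameters are passed as a plain dict keyed by the option names used above, and that in "both" mode the bill is rotated as soon as either limit is reached.

```python
"""Added example (not from the Capitel manual): checks that mirror the value
ranges documented for sysconf (4.1.2) and acctconf (4.1.3), plus the rule
under which a new call bill file is started.

Assumptions (constructed): parameters arrive as a dict keyed by the option
names used in the manual; the roll-over check is given the age of the
current bill file in minutes and its record count; in "both" mode the file
is rotated when either limit is reached.
"""

# Inclusive (low, high) ranges as stated for sysconf, in seconds.
SYSCONF_RANGES = {
    "max_request_time": (5, 120),
    "cleanup_delay": (2, 10),
}
STOREMODES = ("time", "size", "both")


def listening_ports(auth_port=1812):
    """Authentication port; accounting = auth + 1; roaming = accounting + 1."""
    if not 1 <= auth_port <= 65533:
        raise ValueError("port must leave room for the two derived ports")
    return {"auth": auth_port, "acct": auth_port + 1, "roaming": auth_port + 2}


def check_sysconf(params):
    """Return a list of problems; an empty list means all values are in range."""
    problems = []
    for key, (low, high) in SYSCONF_RANGES.items():
        if key in params and not low <= int(params[key]) <= high:
            problems.append(f"{key}={params[key]} outside {low}-{high}")
    if "proxy_requests" in params and params["proxy_requests"] not in ("yes", "no"):
        problems.append("proxy_requests must be yes or no")
    return problems


def check_acctconf(params):
    """Validate storemode and the parameters that mode makes mandatory."""
    problems = []
    mode = params.get("storemode")
    if mode not in STOREMODES:
        problems.append("storemode must be time, size or both")
    if mode in ("time", "both"):
        interval = params.get("interval")
        if interval is None or not 1 <= int(interval) <= 59:
            problems.append("interval must be 1-59 min when storemode is time/both")
    if mode in ("size", "both"):
        records = params.get("records_num")
        if records is None or int(records) < 100:
            problems.append("records_num must be at least 100 when storemode is size/both")
    return problems


def should_rotate(params, file_age_min, record_count):
    """Decide whether the current bill file must be closed and a new one started."""
    mode = params["storemode"]
    by_time = mode in ("time", "both") and file_age_min >= int(params["interval"])
    by_size = mode in ("size", "both") and record_count >= int(params["records_num"])
    return by_time or by_size
```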

4.1.4 CallerID management

Adding callerid (calleridadd)
Initial authority is the common user
Grammar
calleridadd callerid -t base [-u username] -m mdn_code
calleridadd callerid -t checks {check_attr1 | check_attr2 | ...}
calleridadd callerid -t replies {reply_attr1 | reply_attr2 | ...}
Description
The callerid is the mark of the mobile terminal; here it refers to the IMSI number. This command sets up a callerid or adds attributes to a callerid. The command carries the following keywords for implementing different tasks:
callerid
    the callerid to be added, an IMSI number
-t base
    adding a new callerid and deciding its basic information
-u username
    the user name to which the callerid is affiliated; it is effective in the base operation mode
-m mdn_code
    the MDN number corresponding to the callerid; it is effective in the base operation mode
-t checks
    adding configuration (check) attributes to the specific callerid; the usable configuration attributes are listed by the command attrshow
check_attr
    check attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes
-t replies
    adding reply attributes to the specific callerid; the usable reply attributes are listed by the command attrshow
reply_attr
    reply attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes

Deleting callerid relational information (calleriddel)

Initial authority is the common user
Grammar
calleriddel callerid -t base
calleriddel callerid -t user
calleriddel callerid -t checks {check_attr1 | check_attr2 | ...}
calleriddel callerid -t replies {reply_attr1 | reply_attr2 | ...}
Description
Used for deleting the appointed callerid or deleting attributes of the appointed callerid. The command carries the following keywords for implementing different tasks:
callerid
    the callerid number to be operated on
-t base
    deleting this callerid and all its relational information
-t user
    deleting the affiliation of the callerid to its user; it only deletes the correspondence between the user and the callerid
-t checks
    deleting the appointed configuration attributes of this callerid
check_attr
    check attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes
-t replies
    deleting the appointed reply attributes of this callerid
reply_attr
    reply attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes

Displaying callerid relational information (calleridshow)

Initial authority is the common user
Grammar
calleridshow
calleridshow callerid [-q | -t type]
Description
For displaying the existing callerid number information. Using the calleridshow command with no parameters displays all the callerid numbers; giving the callerid displays the appointed callerid's relational information, and the specific information type is appointed by the type keyword.
callerid
    appointing the callerid to be queried; if no callerid number is input, all the callerid numbers are displayed; you can input a few leading digits of the callerid number combined with -q to query the callerid numbers matching the condition
-q
    the switch of the query command, listing all the callerid numbers containing the digits given by the callerid
-t type
    the information type mark to display; the usable values are checks|replies
    checks     displaying the callerid configuration attribute values
    replies    displaying the callerid reply attribute values

Modifying the callerid basic information (calleridchg)

Initial authority is the common user
Grammar
calleridchg callerid -t base {-nn new_callerid | -u username}
calleridchg callerid -t checks {check_attr1 | check_attr2 | ...}
calleridchg callerid -t replies {reply_attr1 | reply_attr2 | ...}
Description
Used for modifying the callerid number and the callerid attributes.
callerid
    current callerid number
-t base
    modifying the basic information of the specific callerid
-nn new_callerid
    new callerid number
-u username
    the user name to which the callerid is affiliated
-t checks
    modifying the callerid configuration attributes; if the attribute to be modified allows multiple values, please delete the corresponding value first and then add the new value
check_attr
    check attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes; if the attribute allows only one value, just input the attribute name
-t replies
    modifying the callerid reply attributes; if the attribute to be modified allows multiple values, please delete the corresponding value first and then add the new value
reply_attr
    reply attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes; if the attribute allows only one value, just input the attribute name

4.1.5 Database connection configuration (sqlconf)

Initial authority is the administrator
Grammar
sqlconf -s
sqlconf {-h host | -u username | -p password | -d dbname | -n conn_numbers | -r retry_delay}
Description
When the AAA system uses the database to store the user information and accounting information, the parameters for connecting to the database need to be configured. The configurable parameters are:
-s
    displaying the database connection information of the AAA system
-h host
    the host name or IP address of the database server
-u username
    the user name for logging in to the database server
-p password
    the password for logging in to the database server
-d dbname
    database instance name
-n conn_numbers
    the number of concurrent connections (1-256) between the AAA system and the database when the system starts up
-r retry_delay
    the reconnecting delay time of the AAA system when the first connection fails; the time should be less than 180 s


4.1.6 AAA user group management

Adding AAA user group (groupadd)
Initial authority is the common user
Grammar
groupadd groupname
groupadd groupname -t users {username1 | username2 | ...}
groupadd groupname -t checks {check_attr1 | check_attr2 | ...}
groupadd groupname -t replies {reply_attr1 | reply_attr2 | ...}
Description
Sets up an AAA user group or adds attributes to a specific group; this command can also be used for adding users to a specific group. One user group contains many users, and the attributes are effective on all the group members. The command carries the following keywords for implementing different tasks:
groupname
    group name
-t users
    add users to the specific group; the users must already exist
username
    the name of the user being added to the group; the space key is used for dividing multiple names
-t checks
    add specific configuration attributes to the specific group; the usable configuration attributes are listed by the command attrshow
check_attr
    check attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes
-t replies
    add specific reply attributes to the specific group; the usable reply attributes are listed by the command attrshow
reply_attr
    reply attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes

Deleting user group relational information (groupdel)

Initial authority is the common user
Grammar
groupdel groupname -t base
groupdel groupname -t users {username1 | username2 | ...}
groupdel groupname -t checks {check_attr1 | check_attr2 | ...}
groupdel groupname -t replies {reply_attr1 | reply_attr2 | ...}
Description
Deletes the appointed AAA user group, or deletes users, realm or attributes in the appointed user group. The command carries the following keywords for implementing different tasks:
groupname
    the name of the group operated on
-t base
    delete the group and its relational information
-t users
    delete users from the group; this only deletes the corresponding relation between the user and the group
username
    the user name to delete from the group; the space key is used for dividing multiple names
-t checks
    delete the configuration attributes of the group
check_attr
    check attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes; if the attribute allows only one value, just input the attribute name
-t replies
    delete the appointed reply attributes of the group
reply_attr
    reply attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes; if the attribute allows only one value, just input the attribute name

Displaying the user group relational information (groupshow)

Initial authority is the common user
Grammar
groupshow
groupshow groupname [-q | -t type]
Description
Used for displaying the information of the AAA user group. Using the groupshow command with no parameters displays all the group names; giving the groupname displays the appointed user group's relational information, and the specific information type is appointed by the type tag.
groupname
    appointing the user group name to be queried; if no user group name is input, all the group names are displayed; you can input a few leading letters of the user group name combined with -q to query the groups matching the condition
-q
    the switch of the query command, listing all the group names containing the letters given by the groupname
-t type
    the information type mark to display; the usable values are users|checks|replies; no specific tag means displaying all the information of this user group
    users      displaying the user names in the user group
    checks     displaying the configuration attributes in the user group
    replies    displaying the reply attributes in the user group

Modifying the basic information of the user group (groupchg)

Initial authority is the common user
Grammar
groupchg groupname -nn new_groupname
groupchg groupname -t checks {check_attr1 | check_attr2 | ...}
groupchg groupname -t replies {reply_attr1 | reply_attr2 | ...}
Description
Used for modifying the name of the user group and its attributes. The command carries the following keywords for implementing different tasks:
groupname
    name of the group to be modified
-nn new_groupname
    new group name
-t checks
    modifying the group configuration attributes; if the attribute to be modified allows multiple values, please delete the corresponding value first and then add the new value
check_attr
    check attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes; if the attribute allows only one value, just input the attribute name
-t replies
    modifying the group reply attributes; if the attribute to be modified allows multiple values, please delete the corresponding value first and then add the new value
reply_attr
    reply attribute pair, in the format attribute name + operator + attribute value; the space key is used for dividing multiple attributes

4.1.7 Management of the corresponding relation between the AAA system number segment and the roaming realm server

Adding number segment corresponding information (imsi2realmadd)
Initial authority is the common user
Grammar
imsi2realmadd [-n module_instance_name] [-z zone_name] value1 value2
Description
The number segment corresponding information is located through two parameters, module_instance_name and zone_name. The AAA system may contain multiple module instances, and one module instance can contain many zones. Usually the AAA system has only one module_instance_name and one zone_name, and in this case they can be omitted.
-n module_instance_name
    the name of the imsi2realm processing module instance; if there is only one instance name it can be omitted
-z zone_name
    zone name; if there is only one zone and this zone does not exist, a zone is added and the number segment corresponding information is appended to the new zone
values[n]
    the number segment corresponding to the realm name, in the format realm name = start number end number; the length of the number must equal the value of the length shown by imsi2realmshow

Deleting number segment corresponding information (imsi2realmdel)

Initial authority is the common user
Grammar
imsi2realmdel [-n module_instance_name] [-z zone_name] [-a] [value1 value2 ...]
Description
The number segment corresponding information is located through two parameters, module_instance_name and zone_name. When the AAA system has only one module_instance_name and one zone_name, they can be omitted.
-n module_instance_name
    the name of the imsi2realm processing module instance; if there is only one instance name it can be omitted
-z zone_name
    zone name; if there is only one zone it can be omitted, meaning the default zone is operated on
-a
    delete the zone completely
values[n]
    the number segment corresponding to the realm name, in the format realm name = start number end number; the length of the number must equal the value of the length shown by imsi2realmshow; you can also give only the realm name to delete all the numbers matching this realm name

Displaying number segment corresponding information (imsi2realmshow)

Initial authority is the common user
Grammar
imsi2realmshow [-n module_instance_name] [-z zone_name]
Description
imsi2realmshow without any parameters displays all the module instance names of the AAA system; if the AAA system has only one module instance, this equals the imsi2realmshow command with the -n parameter. The -n parameter displays the detailed information of the appointed module instance, and the -z parameter displays all the number segment corresponding information of the appointed zone.
-n module_instance_name
    module instance name; if there is only one module_instance_name it can be omitted
-z zone_name
    zone name

Modifying number segment prefix (imsi2realmchg)

Initial authority is the common user
Grammar
imsi2realmchg [-n module_instance_name] prefix
Description
Modifies the number prefix of the appointed module instance.
-n module_instance_name
    module instance name; if there is only one module_instance_name it can be omitted
prefix
    number prefix
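As an added example, not the product's own code, this Python models the number-segment table that imsi2realmadd, imsi2realmdel and imsi2realmshow maintain, and the lookup from an IMSI to its roaming realm, including the length check the manual requires and a rejection of overlapping segments. It assumes a single zone with a fixed number length, that an entry is written realm=start-end (the separator between start and end number did not survive extraction, so a hyphen is assumed), and that the prefix set by imsi2realmchg is stripped from the IMSI before the comparison.

```python
"""Added example (not from the Capitel manual): a model of the number-segment
table behind imsi2realmadd / imsi2realmdel / imsi2realmshow (4.1.7) and the
lookup an IMSI goes through to find its roaming realm.

Assumptions (constructed): one zone with a fixed number length and an
optional prefix (imsi2realmchg); an entry is written "realm=start-end", the
hyphen being assumed because the manual's separator glyph was lost; start
and end are digit strings of the configured length, compared as strings,
which equals numeric order for equal-length digit strings.
"""
import re

ENTRY_RE = re.compile(r"^([^=\s]+)=(\d+)-(\d+)$")


class Zone:
    def __init__(self, length, prefix=""):
        self.length = length    # digits each start/end number must have
        self.prefix = prefix    # number prefix set by imsi2realmchg (assumed stripped)
        self.segments = []      # list of (start, end, realm)

    def add(self, entry):
        """imsi2realmadd: append one realm=start-end segment after validation."""
        match = ENTRY_RE.match(entry)
        if not match:
            raise ValueError(f"bad entry {entry!r}, expected realm=start-end")
        realm, start, end = match.groups()
        if len(start) != self.length or len(end) != self.length:
            raise ValueError(f"numbers must be {self.length} digits long")
        if start > end:
            raise ValueError("start number must not exceed end number")
        for seg_start, seg_end, seg_realm in self.segments:
            if start <= seg_end and seg_start <= end:
                raise ValueError(f"{entry} overlaps {seg_realm}={seg_start}-{seg_end}")
        self.segments.append((start, end, realm))

    def delete(self, entry):
        """imsi2realmdel: remove one segment, or every segment of a realm when
        only the realm name is given. Returns the number of segments removed."""
        match = ENTRY_RE.match(entry)
        if match:
            realm, start, end = match.groups()
            keep = [seg for seg in self.segments if seg != (start, end, realm)]
        else:
            keep = [seg for seg in self.segments if seg[2] != entry]
        removed = len(self.segments) - len(keep)
        self.segments = keep
        return removed

    def show(self):
        """imsi2realmshow: the segments in realm=start-end form, in order."""
        return [f"{realm}={start}-{end}" for start, end, realm in self.segments]

    def lookup(self, imsi):
        """Return the realm whose segment covers the IMSI, or None."""
        if self.prefix and not imsi.startswith(self.prefix):
            return None
        key = imsi[len(self.prefix):len(self.prefix) + self.length]
        if len(key) < self.length:
            return None  # IMSI too short to contain a full number
        for start, end, realm in self.segments:
            if start <= key <= end:
                return realm
        return None
```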

4.1.8 Management of the corresponding relation between IMSI and MDN (imsimmdn)

Initial authority is the common user
Grammar
imsimmdn add -I imsi_code -m mdn_code -s if_auth_forbidden
imsimmdn del {-I imsi_code | -m mdn_code}
imsimmdn chg {-I imsi_code [-nm new_mdn_code] | -m mdn_code [-ni new_imsi_code]} [-s if_auth_forbidden]
imsimmdn show {-I imsi_code | -m mdn_code}
Description
This operation is used for maintaining the corresponding relation between IMSI and MDN. When a one-to-one correspondence is demanded, this function keeps the attributes of the MDN and the IMSI in the corresponding relation coherent (at present, only the coherence of the auth-forbidden attribute is implemented). The corresponding relation between MDN and IMSI has 4 basic operations, distinguished by the keywords. The meanings of the keywords are:
add
    add the appointed corresponding relation between MDN and IMSI, and give its usable status
del
    delete the appointed corresponding relation between MDN and IMSI; you can give either the MDN or the IMSI
chg
    modify the appointed corresponding relation between MDN and IMSI
show
    display the appointed corresponding relation between MDN and IMSI
-I imsi_code
    the IMSI number being operated on
-m mdn_code
    the MDN number being operated on
-s if_auth_forbidden
    the usable status in the corresponding relation
-nm new_mdn_code
    new MDN number
-ni new_imsi_code
    new IMSI number


4.1.9 LNS server configuration

Adding LNS information (lnsadd)
Initial authority is the common user
Grammar
lnsadd lnsname -t tunnel_type -m tunnel_medium_type -I ipaddr -p password -s status [-a server_auth_id] [-d desc]
Description
Adds an LNS server to the AAA system; the following parameters need to be provided:
lnsname
    LNS server name, with no ";" in it
-d desc
    description information of this LNS
-t tunnel_type
    tunnel type of this LNS; the optional values are {PPTP | L2F | L2TP | ATMP | VTP | AH | IP | MIN-IP | ESP | GRE | DVS}
-m tunnel_medium_type
    tunnel carrier type of this LNS; the optional values are {IP|X25|ATM|Frame-Relay}
-I ipaddr
    the IP address of this LNS server
-p password
    the tunnel password of this LNS server
-s status
    usable status of this LNS server; the optional values are {active|inactive}
-a server_auth_id
    the authentication ID of this server

Deleting LNS information (lnsdel)

Initial authority is the common user
Grammar
lnsdel lnsname
Description
Deletes the appointed LNS server from the AAA system.
lnsname
    name of the LNS

Querying LNS information (lnsshow)

Initial authority is the common user
Grammar
lnsshow [lnsname]
Description
Displays the information of the LNS servers already configured in the AAA system. Using the lnsshow command with no parameters displays all the LNS names; giving the lnsname, the system displays the detailed information of the appointed LNS.
lnsname
    appoint the name of the VPN (LNS) to be displayed

Modifying LNS information (lnschg)

Initial authority is the common user
Grammar
lnschg lnsname {-d desc | -t tunnel_type | -m tunnel_medium_type | -I ipaddr | -p password | -s status | -a server_auth_id}
Description
Modifies the attributes of the LNS appointed in the AAA system, using the lnsname to determine the LNS to be modified. The modifiable parameters are:
-d desc
    description information of this LNS
-t tunnel_type
    tunnel type of this LNS; the optional values are {PPTP | L2F | L2TP | ATMP | VTP | AH | IP | MIN-IP | ESP | GRE | DVS}
-m tunnel_medium_type
    tunnel carrier type of this LNS; the optional values are {IP|X25|ATM|Frame-Relay}
-I ipaddr
    the IP address of this LNS server
-p password
    the tunnel password of this LNS server
-s status
    usable status of this LNS server; the optional values are {active|inactive}
-a server_auth_id
    the authentication ID of this server

4.1.10 Clients configuration

Adding client information (clientadd)
Initial authority is the common user
Grammar
clientadd clientname -se secret -sn short_name [-t client_type]
Description
Adds a client to the AAA system; the following parameters need to be provided:
clientname
    client name, in the form of a valid IP address
-se secret
    the shared secret key of the client and the AAA system
-sn short_name
    the short name (alias) of the client
-t client_type
    the type of the client, value (aaa|nas); the default value is nas

Deleting client information (clientdel)

Initial authority is the common user
Grammar
clientdel clientname
Description
Deletes the appointed client from the AAA system.
clientname
    client name, in the form of a valid IP address

Querying client information (clientshow)

Initial authority is the common user
Grammar
clientshow [clientname]
Description
Displays the information of the clients already configured in the AAA system. Using the clientshow command with no parameters displays all the client names as a list; giving the clientname, the system displays the detailed information of the appointed client.
clientname
    appoint the name of the client to be displayed

Modifying client information (clientchg)

Initial authority is the common user
Grammar
clientchg clientname {-se secret | -sn short_name | -t client_type}
Description
Modifies the attributes of the client appointed in the AAA system, using the clientname to determine the client to be modified. The modifiable parameters are:
-se secret
    the shared secret key of the client and the AAA system
-sn short_name
    the short name (alias) of the client
-t client_type
    the type of the client, value (aaa|nas); the default value is nas

4.1.11 Roaming proxy configuration (proxyconf)

Initial authority is the administrator
Grammar
proxyconf -s
proxyconf {-t if_sync | -d delay_seconds | -c retry_counts | -f dead_time}
Description
This command displays and configures the roaming information of the AAA system. The configurable parameters defining the roaming resending proxy are:
-s
    display the parameters related to the roaming proxy of the AAA system
-t if_sync
    set whether the AAA system resends the NAS roaming request synchronously or not; the optional values are {yes|no}
    no     the AAA system resends the roaming request according to its own policy
    yes    the AAA system resends the roaming request to the destination server according to the NAS resend request
-d delay_seconds
    resend delay, range 1-59 seconds
-c retry_counts
    resend times, range 1-9 times
-f dead_time
    the time interval (60-3600 s) after which a realm that failed in roaming configuration can be used again

4.1.12 Realm server configuration

Adding realm information (realmadd)
Initial authority is the common user
Grammar
realmadd realmname new [creation_number] -au authhost_ipaddr -ac accthost_ipaddr -se secret -l ldflag -is if_strip
realmadd realmname new [creation_number] -au local -ac local
realmadd realmname copy [creation_number]
Description
Adds the realm information to the AAA system. The configurable parameters are:
realmname
    name of the realm to be added
new|copy
    the manner of creating the realm. new means creating a new realm; if -au and -ac are not both local, then the parameters -au, -ac, -se and -l must be given. copy means finding the realm of the same name in the existing realm configuration and copying the information of the first homonymic realm, except that the index number is changed to the maximum; all other options come from the first homonymic realm
creation_number
    the number of realms to be created, default value is 1
-au authhost_ipaddr
    home authentication server address, a valid Internet address; its value can be local, meaning the authentication request does not need roaming
-ac accthost_ipaddr
    home accounting server address, a valid Internet address; its value can be local, meaning the accounting request does not need roaming
-se secret
    the shared secret key between the AAA system and the realm
-l ldflag
    load balancing flag, value is {round_robin|fail_over}, default value is fail_over
    fail_over      the realm whose index number is 0 is used first; if it cannot be used, turn to the next one
    round_robin    use the homonymic realms cyclically
-is if_strip
    whether to strip the realm name or not, values are {yes|no}, default value is no

Caution: if the home authentication server address and the home accounting server address of the appointed realm are both LOCAL, then the other parameters of this realm are useless.

Deleting realm information (realmdel)


Initial authority is the common user
Grammar
realmdel realmname [-id indexnumber]
Description
Because a main realm and backup realms can be configured in the AAA system, several realm
entries may share the same name, so a realm is identified by two parameters, realmname and
indexnumber. If only the realmname is given, the system assumes index number 0.
This command deletes the specified realm information from the AAA system configuration. The
parameters identifying the realm are:
realmname
the name of the realm to delete
-id indexnumber
the index number of the realm, used to distinguish homonymic realms; it also expresses the
roaming priority of the realm, 0 denoting the highest priority, and defaults to 0. If the
realm has no backup entries, this item need not be given.

Displaying realm information (realmshow)


Initial authority is the common user
Grammar
realmshow [realmname] [-id indexnumber]
Description
Display the information of the realms configured in the AAA system. The realmshow command
with no parameters lists the names of all realms; giving the realmname and index parameters
displays the detailed information of that realm; if only the realmname is given, the detailed
information of the realm with index 0 is displayed.
realmname
the realm name
-id indexnumber
the index number of the realm, used to distinguish homonymic realms; it also expresses the
roaming priority of the realm, 0 denoting the highest priority, and defaults to 0. If the
realm has no backup entries, this item need not be given.

Modifying realm information (realmchg)


Initial authority is the common user
Grammar
realmchg realmname [-id indexnumber] {-au authhost_ipaddr | -ac accthost_ipaddr |
-se secret | -l ldflag | -is if_strip}
Description
Modify the parameters of a realm configured in the AAA system.
Caution: if both the home authentication server address and the home accounting server
address of the specified realm are local, the other parameters of this realm are meaningless
and cannot be configured.

The configurable parameters are:
realmname
the name of the realm to be modified
-id indexnumber
the index number of the realm, used to distinguish homonymic realms; it also expresses the
roaming priority of the realm, 0 denoting the highest priority, and defaults to 0. If the
realm has no backup entries, this item need not be given.
-au authhost_ipaddr
the address of the home authentication server (a valid Internet address); the value local
means that authentication requests do not need roaming
-ac accthost_ipaddr
the address of the home accounting server (a valid Internet address); the value local
means that accounting requests do not need roaming
-se secret
the shared secret between the AAA system and the realm
-l ldflag
load-balancing flag, value {round_robin|fail_over}, default fail_over
fail_over
the realm with index 0 is used first; if it cannot be used, the next one is tried
round_robin
the homonymic realms are used in turn, cyclically
-is if_strip
whether to strip the realm name from the user name before forwarding, values {yes|no},
default no
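
The realm index, the -l ldflag policy and the proxyconf -d, -c and -f values together
determine where a roaming request is sent, and -is if_strip decides which User-Name the home
server sees. The Python code below is an added example that models this policy as the manual
describes it; it is not code from the Capitel product. The realm table, addresses and secrets
in it are constructed sample data, and three details are the example's own assumptions: an
entry is marked dead only after the first send and all retry_counts resends go unanswered, a
request whose realm is unknown is handled locally, and time is read from an injected clock so
that dead_time expiry can be exercised without waiting.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Realm:
    """One realm entry; entries sharing a name are that realm's main/backup servers."""
    name: str
    index: int                 # -id: 0 is the highest roaming priority
    auth_host: str             # -au: address, or "local" (no roaming)
    acct_host: str             # -ac: address, or "local"
    secret: str                # -se: shared secret with the home server
    ldflag: str = "fail_over"  # -l: fail_over | round_robin
    if_strip: bool = False     # -is: strip "@realm" from the user name
    failures: int = 0          # consecutive unanswered attempts (example bookkeeping)
    dead_until: float = 0.0    # entry is skipped until this time once marked failed


@dataclass
class ProxyConfig:
    """proxyconf values, checked against the ranges the manual gives."""
    delay_seconds: int = 3     # -d, 1-59
    retry_counts: int = 3      # -c, 1-9
    dead_time: int = 120       # -f, 60-3600

    def __post_init__(self):
        for value, lo, hi, flag in ((self.delay_seconds, 1, 59, "-d"),
                                    (self.retry_counts, 1, 9, "-c"),
                                    (self.dead_time, 60, 3600, "-f")):
            if not lo <= value <= hi:
                raise ValueError(f"{flag} must be {lo}-{hi}")


class RoamingProxy:
    def __init__(self, realms: List[Realm], config: ProxyConfig, clock):
        self.config, self.clock = config, clock   # clock() returns seconds; injected for tests
        self.groups: Dict[str, List[Realm]] = {}
        for r in realms:
            self.groups.setdefault(r.name, []).append(r)
        for group in self.groups.values():
            group.sort(key=lambda r: r.index)
        self._rr_next: Dict[str, int] = {}        # round_robin cursor per realm name

    @staticmethod
    def split_user(username: str):
        """'alice@example.com' -> ('alice', 'example.com'); no '@' -> (name, None)."""
        user, sep, realm = username.rpartition("@")
        return (user, realm) if sep else (username, None)

    def select(self, realm_name: str) -> Optional[Realm]:
        """Pick the entry to forward to, honouring ldflag and dead_time."""
        group, now = self.groups[realm_name], self.clock()
        if group[0].ldflag == "round_robin":
            start, n = self._rr_next.get(realm_name, 0), len(group)
            for k in range(n):                      # cycle, skipping dead entries
                candidate = group[(start + k) % n]
                if candidate.dead_until <= now:
                    self._rr_next[realm_name] = (start + k + 1) % n
                    return candidate
            return None
        for candidate in group:                     # fail_over: index 0 first
            if candidate.dead_until <= now:
                return candidate
        return None

    def report_failure(self, realm: Realm) -> None:
        """No answer after the first send plus retry_counts resends: mark the entry
        dead for dead_time seconds (assumed marking policy)."""
        realm.failures += 1
        if realm.failures > self.config.retry_counts:
            realm.dead_until = self.clock() + self.config.dead_time
            realm.failures = 0

    def forward(self, username: str, kind: str = "auth") -> dict:
        """Decide where a request for username goes and which User-Name is sent."""
        user, realm_name = self.split_user(username)
        if realm_name is None or realm_name not in self.groups:
            return {"route": "local", "user": username}   # assumed: unknown realm stays local
        realm = self.select(realm_name)
        if realm is None:
            return {"route": "unreachable", "user": username}
        host = realm.auth_host if kind == "auth" else realm.acct_host
        if host == "local":
            return {"route": "local", "user": username}
        cfg = self.config
        return {"route": "proxy", "host": host, "index": realm.index, "secret": realm.secret,
                "user": user if realm.if_strip else username,
                # first send at 0, then retry_counts resends delay_seconds apart
                "send_offsets": [i * cfg.delay_seconds for i in range(cfg.retry_counts + 1)]}


def sample_proxy():
    """Constructed realm table and proxyconf values (not from the manual).
    Returns the proxy and a one-element list holding the fake clock time."""
    now = [1000.0]
    realms = [Realm("example.com", 0, "10.0.0.1", "10.0.0.1", "s0"),
              Realm("example.com", 1, "10.0.0.2", "10.0.0.2", "s1"),
              Realm("rr.net", 0, "10.1.0.1", "10.1.0.1", "t0", "round_robin", True),
              Realm("rr.net", 1, "10.1.0.2", "10.1.0.2", "t1", "round_robin", True),
              Realm("home.net", 0, "local", "local", "")]
    cfg = ProxyConfig(delay_seconds=3, retry_counts=2, dead_time=60)
    return RoamingProxy(realms, cfg, lambda: now[0]), now
```

Two points worth checking against a live system with this model in hand: with fail_over the
backup entry (index 1) is never used while index 0 answers, so its secret and address can be
wrong for months without anyone noticing until the first outage; and with if_strip=yes the
home server authenticates "bob", not "bob@rr.net", so the same bare name in two realms must
be expected to collide there.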

4.1.13 AAA user management


Adding an AAA user (useradd)
Initial authority is the common user
Grammar
useradd username -t base -p password [-g groupname]
useradd username -t checks {check_attr1 | check_attr2 | ...}
useradd username -t replies {reply_attr1 | reply_attr2 | ...}
useradd username -t clrids {callerid1 | callerid2 | ...}
Description
Create an AAA user or add attributes to an existing user. To accomplish the different tasks,
this command uses the keywords below:
username
the name of the user to add
-t base
add a new user and set the user's basic information
-p password
the user's password; valid for the base operation type and mandatory there
-g groupname
the group the user belongs to; valid for the base operation type
-t checks
add check attributes to the specified user; the available attributes can be listed with the
attrshow command
check_attr
a check attribute pair in the form attribute name + operator + attribute value; separate
multiple pairs with blanks
-t replies
add reply attributes to the specified user; the available reply attributes can be listed
with attrshow
reply_attr
a reply attribute pair in the form attribute name + operator + attribute value; separate
multiple pairs with blanks
-t clrids
add IMSI numbers to the specified user, establishing the mapping between the user and the
IMSI
callerid
an IMSI number corresponding to the user; separate multiple numbers with blanks

Deleting user information (userdel)


Initial authority is the common user
Grammar
userdel username -t base
userdel username -t group
userdel username -t checks {check_attr1 | check_attr2 | ...}
userdel username -t replies {reply_attr1 | reply_attr2 | ...}
userdel username -t clrids {callerid1 | callerid2 | ...}
Description
Delete the specified AAA user, or delete the user's group membership, check attributes, reply
attributes or IMSI numbers. To accomplish the different tasks, the command uses the keywords
below:
username
the name of the user
-t base
delete the user together with all information related to the user
-t group
remove the user from the group it belongs to; only the group membership is deleted
-t checks
delete check attributes configured for the user
check_attr
a check attribute pair in the form attribute name + operator + attribute value; separate
multiple pairs with blanks. If the attribute may have only one value, the attribute name
alone is enough.
-t replies
delete reply attributes configured for the user
reply_attr
a reply attribute pair in the form attribute name + operator + attribute value; separate
multiple pairs with blanks. If the attribute may have only one value, the attribute name
alone is enough.
-t clrids
delete the IMSI numbers mapped to the user; the user itself is kept
callerid
an IMSI number corresponding to the user; separate multiple numbers with blanks

Showing AAA user information (usershow)


Initial authority is the common user

Grammar
usershow
usershow username [-q | -t type]
Description
Show information about the existing AAA users. usershow with no parameters lists the names of
all AAA users. Giving a username shows the information of that user; the kind of information
can be selected with the -t type keyword.
username
the user name to query. If omitted, all user names are listed. A prefix of a user name
combined with -q lists the existing user names that begin with that prefix.
-q
query switch: list the user names that begin with the given prefix
-t type
the type of information to show, one of clrids|checks|replies; if not given, all
information of the user is shown
clrids
the IMSI numbers mapped to the user
checks
the check attribute pairs of the user
replies
the reply attribute pairs of the user

Modifying user information (userchg)


Initial authority is the common user

Grammar
userchg username -t base [-op old_password] {-nn new_username
| -np new_password | -g groupname}
userchg username -t checks [-f] {check_attr1 | check_attr2 | ...}
userchg username -t replies [-f] {reply_attr1 | reply_attr2 | ...}
Description
Modify the name of the user and/or the user's basic attributes.
username
the name of the user before modification
-t base
modify the basic information of the user
-op old_password
the current password of the AAA user. When a common user of the peripheral system is logged
in and uses this command to change the password, the old password must be supplied.
-np new_password
the user's new password
-nn new_username
the user's new name
-g groupname
the group name of the user
-t checks
modify the check attributes of the user. If the attribute being modified may have several
values, delete the corresponding value first and then add the new one.
check_attr
a check attribute pair in the form attribute name + operator + attribute value; separate
multiple pairs with blanks
-t replies
modify the reply attributes of the user. If the attribute being modified may have several
values, delete the corresponding value first and then add the new one.
reply_attr
a reply attribute pair in the form attribute name + operator + attribute value; separate
multiple pairs with blanks
-f
add switch: if the attribute to be modified does not exist, add it

4.1.14 Management of the AAA system running statistics


Showing the interval statistics of the AAA system (itvstatshow)
Initial authority is the common user

Grammar
itvstatshow type [-b begin_date_time] [-e end_date_time]
Description
Show the statistics accumulated per hour within a day, selected by the parameters below.
The parameters that can be set are:
type
the type of statistics to query, value s|p
s
service statistics
p
roaming statistics
-b begin_date_time
the start of the time segment: query the statistics from this time until the end of the
day. The time must be enclosed in single or double quotation marks.
-e end_date_time
the end of the time segment: query the statistics from the beginning of the day until this
time. If only a date is given, the end of that day is assumed. The time must be enclosed in
single or double quotation marks.

The time format is YYYY-MM-DD HH:MM:SS; note that the time parameter contains a blank and must
therefore be enclosed in double quotation marks. Without time restrictions the command
queries today's log.

Resetting the AAA real-time statistics (rtstatreset)

Initial authority is the administrator


Grammar
rtstatreset [type]
Description
This command resets the counters of the AAA real-time statistics. type selects what is
reset; the configurable values are (auth|acct|realm). Without type, both the authentication
and the accounting counters are reset.
auth
reset only the authentication statistics
acct
reset only the accounting statistics

Showing the AAA real-time statistics (rtstatshow)

Initial authority is the common user


Grammar
rtstatshow [type]
Description
This command shows the real-time authentication, accounting or roaming statistics. type
selects the kind; the configurable values are (auth|acct|realm). Without type, all
statistics are shown.
auth
show only the authentication statistics
acct
show only the accounting statistics
realm
show only the roaming statistics

4.1.15 Prepaid parameter configuration


Showing or modifying the SMPP parameters (smppconf)
Initial authority is the common user
Grammar
smppconf -s
smppconf { -o port | -c resend_count | -u username | -p password
| -ei enquire_interval | -n pending_number | -t timeout }
Description
Show or modify the PrePPS (prepaid) SMPP parameters. The parameters are explained as follows:
-s
if this flag is given, the command shows all the parameters and their values
-o port
the port on which the AAA system listens for connections from the SCP
-c resend_count
the number of times an SMPP message is resent after an I/O error, range 1-9
-u username
the user name used to bind the SMPP session
-p password
the password used to bind the SMPP session
-ei enquire_interval
the link enquiry interval. To keep the link alive, an SMPP enquire-link message is sent at
this interval to check that the link is still up.
-n pending_number
the maximum number of SMPP messages allowed to be pending. Pending messages are messages
that have not yet been sent successfully; the AAA system resends them according to its own
policy.
-t timeout
the timeout of an SMPP message: if no response has been received from the SCP within this
time, the message is considered lost.

Showing or modifying the PrePPS parameters (preppsconf)


Grammar
preppsconf -s
preppsconf { -pps bind_address | -t switch_of_imsi_to_mdn }
Description
Show or modify the PrePPS parameters. The parameters are explained as follows:
-s
if this flag is given, the command shows all the parameters and their values
-pps bind_address
the prepaid server bound to users of the prepaid service.
Caution: if the value is 1, the prepaid service is handled on the local computer. Any other
bound server must be a configured realm.
-t switch_of_imsi_to_mdn
the switch for converting IMSI to MDN, value yes or no

PPS service configuration (ppssvr)


Grammar
ppssvr {add | del | chg | show} -name serviceName [-desc description] -at {vq|dq}
-mget mget -mt Moneythreshold {-vq VQDET -dovt DoVT | -dq DQDET -dodt DoDT} [-titsu TITSU]
Description
Provides the configuration functions for PPS services: add, delete, reconfigure and show.
The parameters mean the following:
-name
the service name
-desc
a brief description of the service
-at
the accounting type, vq or dq. vq means the user is billed by traffic volume; dq means the
user is billed by time.
-mget
the fee requested from the SCP each time
-mt
the accounting (money) threshold
-vq
the volume quota (effective only when the accounting type is vq)
-dovt
the difference between the volume threshold and the volume quota
-dq
the length of time the PPC should allocate to the user when a quota is assigned for the
first time, or when a PPC online request reports that the user's usage has exceeded the
threshold (valid only when the accounting type is dq)
-dodt
the difference between the time threshold and the time quota
-titsu
after a rate switch point has been passed and before the next one, the PDSN should send an
online RADIUS Access-Request message at that switch point

Adding a PPS rate (rateadd)


Grammar
rateadd -n servicename -t switchtime {-v vrates | -d drates}
Description
This command appends a rate to a PPS service. -v sets the volume rate, in fen/KB; -d sets
the time rate, in fen/min. Whether -v or -d is used depends on the accounting type configured
for the service in the PPS.
The parameters are explained as follows:
-n servicename
the name of an existing service in the PPS
-t switchtime
the rate switch point, in the format HH:MM:SS
-v vrates
the volume rate, in fen/KB
-d drates
the time rate, in fen/min

Deleting a PPS rate (ratedel)


Grammar
ratedel [-a] {-n servicename | -t switchtime}
Description
This command deletes a configured rate. With -a, all rates of the specified service name or
switch time are deleted.
The parameters are explained as follows:
-n servicename
the service name
-t switchtime
the rate switch point

Querying PPS rates (rateshow)


Grammar
rateshow {-n servicename | -t switchtime}
Description
This command queries the rates of the PPS; rates can be looked up by service name or by rate
switch point.
The parameters mean the following:
-n servicename
the service name
-t switchtime
the rate switch point
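
A rate added with rateadd -t HH:MM:SS stays in force from its switch point until the next one,
wrapping past midnight, and the -titsu setting of ppssvr exists because a session that
straddles a switch point must be re-reported so that each part is billed at its own rate. The
following Python code is an added example, not the PPS's own implementation: it finds the rate
in force at a given time, splits a session at every switch point it crosses and charges each
segment at that segment's rate, in fen/KB for vq or fen/min for dq. The rate table and session
times are constructed, and spreading a vq session's volume evenly over its duration is the
example's own assumption.

```python
import bisect
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple


def parse_hms(s: str) -> int:
    """rateadd -t value 'HH:MM:SS' -> seconds since midnight; rejects bad values."""
    h, m, sec = (int(x) for x in s.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= sec < 60):
        raise ValueError(f"bad switch time {s!r}")
    return h * 3600 + m * 60 + sec


def parse_datetime(s: str) -> datetime:
    """Session timestamps in the manual's 'YYYY-MM-DD HH:MM:SS' format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class RateTable:
    """The rates of one PPS service as (switchtime, rate) pairs set by rateadd:
    vq rates are fen/KB, dq rates are fen/min."""

    def __init__(self, accounting_type: str, rates: List[Tuple[str, int]]):
        if accounting_type not in ("vq", "dq"):
            raise ValueError("accounting type must be vq or dq")
        if not rates:
            raise ValueError("at least one switch point is required")
        self.accounting_type = accounting_type
        self.points = sorted((parse_hms(t), r) for t, r in rates)
        self._times = [t for t, _ in self.points]

    def rate_at(self, seconds_since_midnight: int) -> int:
        """Rate in force: the latest switch point <= t; before the first switch point
        of the day, the last switch point of the previous day (index -1)."""
        i = bisect.bisect_right(self._times, seconds_since_midnight) - 1
        return self.points[i][1]

    def segments(self, start: datetime, end: datetime) -> Iterator[Tuple[datetime, datetime, int]]:
        """Split [start, end) at every switch point it crosses, including across
        midnight; yields (segment start, segment end, rate for that segment)."""
        if end <= start:
            raise ValueError("end must be after start")
        cur = start
        while cur < end:
            midnight = cur.replace(hour=0, minute=0, second=0, microsecond=0)
            t = int((cur - midnight).total_seconds())
            i = bisect.bisect_right(self._times, t)          # next switch point after cur
            if i < len(self._times):
                nxt = midnight + timedelta(seconds=self._times[i])
            else:                                            # wrap to tomorrow's first point
                nxt = midnight + timedelta(days=1, seconds=self._times[0])
            seg_end = min(nxt, end)
            yield cur, seg_end, self.rate_at(t)
            cur = seg_end

    def charge(self, start: datetime, end: datetime, volume_kb: float = 0.0) -> int:
        """Total cost in fen. dq bills each segment's minutes at its rate; vq bills the
        volume at each segment's rate, assuming usage is spread evenly over the session."""
        total, whole = 0.0, (end - start).total_seconds()
        for s, e, rate in self.segments(start, end):
            seconds = (e - s).total_seconds()
            if self.accounting_type == "dq":
                total += rate * seconds / 60
            else:
                total += rate * volume_kb * seconds / whole
        return round(total)
```

The segment list is what the PDSN's online Access-Request at a switch point makes possible:
without that report the PPS would see one usage figure for the whole session and could only
apply a single rate to it.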

4.1.16 Other commands


Querying whether the AAA server is alive (qryalive)

Initial authority is the common user


Grammar
qryalive

Description
This command has no parameters. It checks whether the AAA system is running or has been shut
down.

Managing the debug information of the AAA system (debugshow)

Initial authority is the common user


Grammar
debugshow debuglevel [-u username] [-I imsinumber]
Description
Shows the debug information of the AAA system and selects its level of detail.
The parameters that can be set are:
debuglevel
the level of detail of the debug information
0 - detail
1 - summary
-u username
user name: show only the debug information of this user
-I imsinumber
IMSI number: show only the debug information of this IMSI

Caution: stop the output of debug information with the key combination Ctrl+H.

Informing the AAA system to re-read its configuration files (reloadcfg)

Initial authority is the administrator


Grammar
reloadcfg
Description
This command has no parameters. After the parameters of the AAA system have been modified
through the peripheral system, this command makes the modified parameters take effect.

Informing the AAA peripheral system (EAS) to re-read the command configuration files
(reloadcmd)

Initial authority is the administrator


Grammar
reloadcmd
Description
This command has no parameters. After the command configuration files of the AAA peripheral
system have been modified, this command makes the modified configuration take effect.

Querying the usable attributes and their value ranges (attrshow)

Initial authority is the common user


Grammar:
attrshow [attribute_name]
Description:
This command lists the attributes that can be configured for users and queries the value
range of an attribute by name. Used without parameters, it lists the names of all attributes.
If an attribute name is given, it lists the available values of that attribute.
attribute_name
the name of the attribute whose value range is to be queried

4.2.1 Graphic management terminal


When the management terminal has started and the user has logged in, the main interface of
the graphic management terminal (console) appears as in Fig 7. The console is divided into
four parts, marked on the figure.
Introduction of these four parts:
- Menu: mostly used to configure and manage the terminal itself, for example to configure the
RMI server and to manage the end user. The menu bar contains the menus System, Log, User,
Operate and Help:

Options in the system menu: configure the RMI server, log off and exit the system
Options in the log menu: options for checking the log
Options in the user menu: options for user management
Options in the operate menu: reload the AAA configuration file and make it take effect
Options in the help menu: show help information

Caution: the functions provided by the menu do not act on the AAA server itself.
- Tools bar: provides shortcut buttons for the management terminal, so that the user need not
look up the corresponding command in the menu every time.

Icon    Corresponding command in menu    Description of function
[icon]  system | configure RMI Server    shortcut to configure the RMI server
[icon]  system | log off                 log off the current session
[icon]  system | exit                    exit the management terminal
[icon]  operate | take effect            reload the AAA configuration file and make it take effect
[icon]  help | about                     show information about the management terminal

- Navigation bar: the command buttons for configuring the parameters of the AAA server. The
user chooses the command corresponding to the configuration the AAA needs; to examine
information about the AAA, click the information statistics button. The functions of the
navigation bar are not detailed here; see the section on configuring the AAA server in this
reference.
- Function window: the configuration of the AAA server is done in this window. It is the main
working area for configuring the AAA.

Fig 7 The interface of the graphic management terminal

Starting the graphic management terminal

The management terminal and the AAAEAS server communicate through the RMI protocol. Before
using the management terminal, make sure that the configuration of this protocol is correct.
When the management terminal starts, it may fail to find the corresponding AAAEAS server,
because an incorrect server IP address was configured or for other reasons. The management
terminal then pops up the following dialog box, prompting the user to configure the RMI server
correctly.

Fig 8 The configuration error notification box of the graphic management terminal


The following dialog box pops up when the user clicks the yes button:

Fig 9 Configuration of the RMI server


Detailed introduction of every parameter in this dialog:
- Protocol: the protocol used for communication between the management terminal and the EAS
server. RMI is the only entry in the combo box because only RMI is supported; the user need
not consider this item unless a new communication protocol becomes available.
- IP address: the IP address of the AAAEAS server.
- Port: the port used by the RMI protocol. Several AAAEAS servers may run on the same
computer, each with its own port, so the port must be configured correctly for the management
terminal to reach the right server.
- Proxy: this item is responsible for sending the requests of the management terminal to the
AAAEAS server. It is a system parameter; it is strongly recommended not to change it unless
the system changes substantially.
After finishing the configuration, click the confirm button to make the change effective.
Before the change takes effect, the system prompts the user to restart the management
terminal. Clicking the cancel button leaves the parameters unchanged. Clicking the close
button exits this window (until the management terminal has been configured correctly, the
management terminal program exits when the close button is clicked).
After logging in to the management terminal you can open this window at any time; it can both
examine and change the configuration of the connection between the management terminal and
the AAAEAS server. Choose the menu item system | configure RMI Server to open this dialog box.
After the communication protocol has been configured, a dialog box prompting the user to log
in pops up when the terminal starts.

Fig 10 The login dialog box


Only a legitimate user can use this management terminal. When the user name or password is
incorrect, the system pops up a window prompting the user to provide a valid user name and
password.
Fig 11 The login error notification box
For convenience, the login dialog clears the user name and password fields when the user
clicks the retry button. If the user clicks the exit button, the management terminal is closed.

Management of AAAEAS users


Only a legitimate user can use this management terminal. After logging in, the user can use it
to configure the AAA server. AAAEAS users are divided into two kinds: administrators and
common users.
An administrator can use all the functions provided by AAAEAS, while a common user can only
perform some routine operations. AAAEAS users can be added, deleted and modified in two ways:
with the command-line tools, or with the user management tool provided by the management
terminal. The GUI tool is simple and friendly to operate.
After logging in successfully, choose user > user management in the menu of the main
interface. The interface is displayed as in Fig 12.
Caution: the operator must be an administrator to add or delete AAAEAS users.
Fig 12 The user management interface of AAAEAS
The user management window displays all EAS users and their roles and provides a number of
operations on these users. How to use these functions is explained one by one below.
Add an EAS user
Clicking the add button in the user management window pops up the add user dialog.

Fig 13 The interface for adding an AAAEAS user


The user only needs to input the user name and password and assign a role to the new user,
then click the Add button; the new user is created. To close this dialog, click the cancel
button.
Delete an AAAEAS user
Choose the user to delete in the user list, then click the delete button. A confirmation
window pops up. To delete the user, choose the confirm button; otherwise choose the cancel
button to abandon the operation.
Edit an AAAEAS user
The administrator can edit any user in the user list, but a common user can only edit his own
information and cannot edit his own role. Fig 14 shows the difference between an administrator
and a common user.

Fig 14 The dialog box for modifying an AAAEAS user


In this dialog box you can modify the login name and the role of the AAAEAS user.

You can see that the role assignment box is gray when someone has logged in as a common user.
This means that a common user has no privilege to assign a role to itself, and the additional
text makes clear that you are a common user and cannot change your role.
A user whose role is administrator can change his own role from administrator to common user,
but the change only takes effect the next time this user logs in.
Change the password of an AAAEAS user
The administrator can change the password of any user in the user list, but a common user can
only change his own password. The change password button is available only when a common user
chooses his own name in the user list; otherwise the button is gray, meaning that it is
unavailable. Clicking the change password button displays the following dialog:

Fig 15 The dialog for changing the password of an AAAEAS user


To change the password, first input the old password; if an administrator changes another
user's password, he inputs the administrator's own password. Then fill in the new password,
confirm the new password, and click the confirm button to commit the change or the cancel
button to abandon the operation.

Configuration management

Configuration of the database and configuration of the Proxy are done through configuration
management.
Configuration of the Proxy: when you click the configuration management button on the
navigation bar, the Proxy configuration window is displayed in the function window of the
management terminal, as follows:

Fig 16 The Proxy configuration window


Annotation: the meaning of every parameter is explained under Basic concepts of AAA > RADIUS
proxy > RADIUS realm group > load sharing and support for redundancy of the target server.
To modify the parameters of the Proxy, click the modify button; a dialog box pops up as
follows:

Fig 17 The Proxy configuration dialog box


You can adjust any parameter as required. Pay attention to the range of each parameter, which
is given in the gray text area. When you have finished modifying the parameters, click the
confirm button to apply the modification or the cancel button to abandon the operation.
Configuration of the database: while the AAA server is working, the AAA user information is
read from the database, so the corresponding parameters must be configured to establish the
connection between the database and the AAA server. To configure the database, click the
configuration management button on the navigation bar, then click the database configuration
tab. The following window appears:

Fig 18 The window for configuring the database connection


By default the window displays the configuration saved last time. The confirm and cancel
buttons being unavailable means that the configuration has not been changed.
database host
the IP address or host name of the database server
database login name
the user name used to connect to the database, normally obtained from the database
administrator
database login password
the password of that database user
database name
the name of the database
connection number
the number of connections to open
connection interval
when the connection from the AAA to the database is lost, the AAA waits before reconnecting;
this interval decides how long it waits before connecting again

Annotation: the unit here is seconds.


While you are modifying, the confirm and cancel buttons become available, indicating that you
have changed the parameters. Click the confirm button to submit the modification and make the
change take effect, or the cancel button to restore the parameters.

Client management

Client management mainly provides the functions of adding, deleting, modifying and showing
RADIUS clients. When you click the Client management button on the navigation bar, the main
interface of Client management is displayed in the function window of the management terminal.

Fig 19 The main interface of Client management


Detailed functions as follows:

Query the existing Client information:


The Client name field is a combo box. Choose another Client name by clicking the downward
arrow to display that Client's information.

Add a new Client:


To add a new Client, click the add button. The dialog box for adding a new Client pops up as
follows:

Fig 20 The dialog box for adding a Client


Input the corresponding information according to the prompts in the dialog. Note that Client
names cannot be duplicated: if the Client name you enter already exists, the system asks you
to choose another name.
After filling in the information, click the confirm button to submit or the cancel button to
cancel the action.

Modify the existing Client information

To modify existing Client information, edit the Client information chosen on the main
interface. The confirm and cancel buttons are gray before you edit, meaning that nothing has
been changed; after you edit, they become available. To cancel the edit while editing, click
the cancel button and the fields return to their state before the edit. Clicking the confirm
button after the edit confirms the edit; afterwards the confirm and cancel buttons become gray
again, meaning that your change has been submitted.

Annotation: the Client name cannot be modified.


Delete existing Client information
Choose the Client name from the drop-down box and click the delete button. The Client
information is deleted.
Annotation: a deletion cannot be undone.

Realm management

Realm management mainly provide the function of add, delete, modify and check to Realm.
67

Capitel AAA2.0 system user manual

When you click Realm management button on navigation bar the main interface of Realm
management will display on the function window of management terminal.

Fig 21 the main interface of Realm management


Detailed functions as follow:
z Inquire the existing Realm information:
Realm name is a combo box. You can choose other Realm name by click the
downward arrowhead to display the other Realm information.
z

Add a new Realm:

If you want to add a new Realm, click add button please. A dialog box of add a new Realm will
pop-up as follow:

68

Capitel AAA2.0 system user manual

Fig 18 The window of configuration of database connection

By default the window displays the configuration saved last time. The confirm and cancel buttons are disabled, which means the configuration has not been changed.

Parameter                        Meaning
host computer of database        IP address of the database server, or its host name
logging name in a database       user name used to connect to the database; normally obtained from the database administrator
logging password in a database   password of that database user
database name                    name of the database
connection number                number of connections to open
interval time of connection      when the connection from AAA to the database is lost, the system waits some time before connecting again; how long it waits is set by this interval

Annotation: The unit is second here.

While you are modifying, the confirm and cancel buttons become available. This change means that you have changed the parameters. Click the confirm button to submit the modification and make it take effect, or click the cancel button to restore the parameters.

Client management

Client management provides the functions of adding, deleting, modifying and showing RADIUS clients. When you click the Client management button on the navigation bar, the main interface of Client management is displayed in the function window of the management terminal.

Fig 19 The main interface of Client management


Detailed functions are as follows:

Inquire the existing Client information:
Client name is a combo box. Click the downward arrowhead and choose another Client name to display that Client's information.

Add a new client:
If you want to add a new Client, click the add button. A dialog box for adding a new Client pops up as follows:

Fig 20 the dialog box of add a Client

Input the corresponding information according to the prompts in the dialog. Note that Client names cannot be duplicated: if the Client name you entered already exists, the system shows a message asking you to choose another name.
After filling in the information, click the confirm button to submit your action or the cancel button to cancel it.

Modify the existing client information
If you want to modify existing Client information, edit the Client information you have chosen on the main interface. Before you edit, the confirm and cancel buttons are gray, which means nothing has been changed. After you edit, both buttons become available. To cancel during the edit, click the cancel button and the information returns to the state before the edit. Clicking the confirm button after your edit confirms the edit action; both buttons then turn gray again, which means your action has been submitted.

Annotation: The Client name cannot be modified.

Delete the existing Client information
Choose the Client name from the drop-down box and click the delete button. The Client information is deleted.
Annotation: The delete action cannot be undone.

Realm management

Realm management provides the functions of adding, deleting, modifying and checking Realms. When you click the Realm management button on the navigation bar, the main interface of Realm management is displayed in the function window of the management terminal.

Fig 21 the main interface of Realm management


Detailed functions are as follows:

Inquire the existing Realm information:
Realm name is a combo box. Click the downward arrowhead and choose another Realm name to display that Realm's information.

Add a new Realm:
If you want to add a new Realm, click the add button. A dialog box for adding a new Realm pops up as follows:

Fig 22 The dialog box of add a Realm


Input the corresponding information according to the prompts in the dialog. Note that Realm names cannot be duplicated: if the Realm name you entered already exists, the system shows a message asking you to choose another Realm name.
After filling in this information, click the confirm button to submit your action or the cancel button to cancel it.
Annotation: if you want to authenticate and charge on this computer, configure the host name for authentication and charging as local.

Modify the existing Realm information
If you want to modify existing Realm information, click the modify button on the main interface. A dialog box appears as follows:

Fig 23 The dialog box of modifying Realm

In this dialog box you can adjust the corresponding parameters. After modifying the parameters, click the confirm button to submit the action or the cancel button to abort it.
Annotation: The Realm name cannot be modified.

Delete the existing Realm information
Choose the Realm name from the drop-down box and click the delete button. The Realm information is deleted.
Annotation: The delete action cannot be undone.

VPN management

VPN management provides the functions of adding, deleting, modifying and checking VPNs. When you click the VPN management button on the navigation bar, the main interface of VPN management is displayed in the function window of the management terminal.

Fig 24 the main interface of VPN management


Detailed functions are as follows:

Inquire the existing VPN information:
VPN name is a combo box. Click the downward arrowhead and choose another VPN name to display that VPN's information.

Add a new VPN
If you want to add a new VPN, click the add button. A dialog box for adding a new VPN pops up as in fig 25.
Input the corresponding information according to the prompts in the dialog. Note that VPN names cannot be duplicated: if the VPN name you entered already exists, the system shows a message asking you to choose another VPN name.
After filling in this information, click the confirm button to submit your action or the cancel button to cancel it.

Fig 25 The dialog box of add a VPN


Modify the existing VPN information

If you want to modify existing VPN information, click the modify button on the main interface. A dialog box appears as follows:

Fig 26 The dialog box of modifying VPN

In this dialog box you can adjust the corresponding parameters. After modifying the parameters, click the confirm button to submit the action or the cancel button to cancel it.
Annotation: The VPN name cannot be modified.

Delete the existing VPN information
Choose the VPN name from the drop-down box and click the delete button. The VPN information is deleted.
Annotation: The delete action cannot be undone.

AAA group management

AAA group management provides the functions of adding, deleting, modifying and checking groups. When you click the group management button on the navigation bar, the group management window of AAA is displayed in the function window of the management terminal.

Fig 26 The main interface of group management of AAA


The main interface has two sub-windows, left and right. The left window is a list box that displays all groups. If you choose a group in the left window, the details of that group's attributes are displayed in the right window.

The right window has three tabs. The Member tab displays the members of the group. The Configure attribute tab displays the configuration attributes of the chosen group. The Reply attribute tab displays the reply attributes of the chosen group. In addition, function buttons are placed at the bottom of the window, each corresponding to a different operation. The usage of these buttons is described below.

Create new group
Creates a new user group. After you click the add new group button, a dialog box for creating a new group pops up:

Fig 26 Dialog box of create a new group


After filling in the name of the group you want to create, you can configure its members, configuration attributes and reply attributes. To configure them, click the corresponding tab; a selection window pops up when you click the add button.
After configuring the group information, click the confirm button and the new group is created.
For example, to create a group named Group3 that includes the member User3 and some configuration and reply attributes, click the create group button; the dialog box shown in fig 26 pops up. Fill in Group3 in the group name textbox, then click the member tab and the create button to browse the available users, as follows:

Fig 27 The dialog box of choose user


After choosing User3 in the user list box, click the add button; User3 is added to the list on the member tab. Similarly, to add configuration and reply attributes, follow the same steps; when you choose an attribute, a dialog box as in fig 28 pops up.

Fig 28 The dialog box of choose attribute

Choose the attribute from the list of attributes and select the corresponding attribute, then click the add button.
Annotation: The meaning of the chosen attribute is given in the attribute description window.

Modify group name
Choose the group whose name you want to modify, then click the modify group name button; a dialog box for modifying the group name pops up.

Fig 29 The dialog box of modifying group name


Fill in the new group name in the textbox, then click the confirm button to submit the modification.

Edit group
If you want to modify the information of an existing user group, click the edit button; a dialog box for modifying the group pops up as follows:

Fig 30 The dialog box of modifying group

This dialog box is similar to the create group dialog box, except that the configured attributes are already listed on the group attribute tab. From there you can add or delete these attributes.

Note that editing the group name is not allowed in this dialog box; use the modify group name function if you want to change the group name.

Delete group
Choose the group name in the list, then click the delete group button; a dialog box pops up. It warns you that if you delete this group, the attributes of the group are deleted, and the configuration and reply attributes that the users belonging to this group inherit from it are deleted too.

AAA user management


AAA user management provides the functions of creating, deleting, modifying and checking users. When you click the user management button on the navigation bar, the user management window of AAA is displayed in the function window of the management terminal.

Fig 31 The main interface of user management of AAA


The main interface is divided into two windows, left and right. The left window is a list of the existing users. Choose a user in the left window and its properties are displayed in the right window. The right window has three tabs: the CallerID tab shows the CallerIDs of the chosen user, listed by CallerID name; the Configure attribute tab shows the configuration attributes of the chosen user; the Reply attribute tab shows the reply attributes of the chosen user. In addition, function buttons are placed at the bottom of the window, each corresponding to a different operation. To the right of the function buttons, the group that this user belongs to is displayed.
How to use these function buttons is explained below:

Create new user
Creates a new user. After you click the create new user button, the create new user window shown in fig 32 pops up.
After filling in the user name and password you want to add, you can configure the other attributes: the CallerIDs bound to this user, the user's configuration attributes, its reply attributes and the group it belongs to. To operate on these attributes, click the corresponding tab and then the add button. After choosing the attributes in the pop-up window, click the confirm button and the new user is created.

Fig 32 Dialog box of create an user


For example, to create a user named User5 that has Proxy-To-Realm as a configuration attribute, click the create user button; the create user dialog box pops up. Fill in User5 in the user name textbox and the password of User5 in the Password and Confirm Password textboxes, then click the configure attributes tab; after you click the create button you can browse the available configuration attributes, as follows:

Fig 33 The dialog of configuration attributes


Choose the attribute you want to add from the list of attributes and select the corresponding attribute, then click the add button.

Annotation: The meaning of the chosen attribute is given in the attribute description window.

Modify user name
Choose the user you want to modify, then click the modify user name button; a dialog box for modifying the user name pops up:

Fig 34 The dialog box of modifying user name

Fill in the new user name in the textbox and click the confirm button to submit the modification.

Edit user
If you want to modify an existing user, click the edit user button; an edit user dialog box pops up.

Fig 35 The dialog box of edit user


This dialog box is similar to the create user dialog box, except that the configuration attributes already configured for the user are listed on the user attribute tab, where you can add or delete them. Note that the user name cannot be edited here; to modify the user name, use the modify user name function.

Delete user
Choose the user to delete from the user list. A warning window pops up when you click the delete user button. It tells you that if you delete the user, the attributes configured for this user are deleted too; that is, the CallerIDs bound to this user are deleted, together with the configuration and reply attributes they inherit from this user.

CallerID management
CallerID management provides management of CallerID numbers: adding, deleting and modifying the name of a CallerID; modifying and deleting the user bound to a specific CallerID; changing the MDN number; and adding or deleting configuration and reply attributes. The following figure shows the main management interface of CallerID.

Fig 36 The main managements interface of CallerID


To operate on a CallerID, input the CallerID number in the CallerID textbox and press the Enter key or click the locate button. If the number exists, the information of this CallerID is displayed. You can also input only the first few digits to search for the exact number; a list of matching CallerIDs pops up.

Fig 37 The list of CallerID


Choose the number you want to operate on and click the add button; you can then examine and edit it in the main window. The attribute list displays the attributes currently in effect. These attributes may be inherited from the user or the group, and the list marks this.

IMSI2Realm management
IMSI2Realm management provides the functions of adding, deleting, modifying and inquiring the domain name assigned to a particular IMSI number segment. After you click the IMSI2Realm management button on the navigation bar, the function window of the management terminal displays the main management interface of IMSI2Realm, as follows:

Fig 38 the main management interface of IMSI2Realm


Several domain names can be added under one number segment, and one domain name can correspond to several IMSI number ranges. Different IMSI number ranges are mapped to the corresponding domain name by configuring a prefix.

Annotation: the number segment names are configured before the system leaves the factory; users can inquire them but cannot modify, delete or add them.
Detailed functions are as follows:

Inquire the IMSI number segments and their domain names under an existing domain name:
Domain name is a combo box. Click the downward arrowhead to display the IMSI number segments and domain names that belong to another domain name.

Add a new domain name and the domains that correspond to a new IMSI number segment:
If you want to add a new domain name, click the add button. A dialog box for adding an IMSI number segment and its corresponding relationship to the Realm pops up as follows:

Fig 39 The dialog of add the relationship between the number and the domain

In this dialog box you can either input a new domain name in the domain name textbox or add a new domain under a domain name that already exists. Then input the correct domain name in the domain textbox (the legal domain names can be seen in Realm management), and after that input the beginning and ending numbers of the IMSI number segment. This completes the relationship between the IMSI number segment and the domain. If you entered a new domain name in the domain name textbox, the relationship you added is displayed under the new domain name; if you used an existing domain name, the relationship is displayed under the domain you chose.
When you have filled in the information, click the confirm button to submit your action or the cancel button to cancel it.

Modify the prefix of IMSI2Realm

If you want to modify the IMSI2Realm prefix of a specific domain, click the modify prefix button; the modify dialog is displayed as follows:

Figure 40 dialog box for prefix amend


In this dialog box, input the new prefix. After amending it, click confirm to submit, or click cancel to end the operation.

Delete the domain name

Click the delete domain button and the domain is deleted.
Annotation: the correspondences between the IMSI number segments and the domain names in this domain are deleted too.

Delete the correspondence between a number segment and a domain name
First choose the domain, then find the corresponding item between the IMSI number segment and the domain name, select it and click the delete button.
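The IMSI2Realm function above maps inclusive IMSI number segments to a domain name (Realm), allows several segments per domain, and deletes a domain's segments together with the domain. The following is an added illustration of that lookup in Python; it is not Capitel code and the AAA system's own storage is not described on this page. Assumptions: a segment is a pair of equal-length digit strings (a short pair such as 46000..46002 acts as a number-segment prefix, a 15-digit pair as an exact range), the domain prefix is returned in front of the realm name, two segments may not overlap, and the realm names and IMSIs in the sample table are constructed.

```python
"""IMSI number segment to realm lookup, modelled on the IMSI2Realm function.

Added example, not Capitel code. Assumptions: inclusive ranges given as
equal-length digit strings, an optional domain prefix that is returned in
front of the realm name, and no overlapping ranges.
"""
from dataclasses import dataclass

IMSI_LEN = 15  # an IMSI is at most 15 decimal digits


@dataclass(frozen=True)
class ImsiRange:
    begin: str
    end: str
    realm: str
    prefix: str = ""

    def bounds(self):
        """Expand a (possibly shorter) segment to full-length bounds, e.g.
        46000..46002 becomes 460000000000000..460029999999999."""
        return (int(self.begin.ljust(IMSI_LEN, "0")),
                int(self.end.ljust(IMSI_LEN, "9")))


class Imsi2Realm:
    def __init__(self):
        self._ranges = []

    def add(self, begin, end, realm, prefix=""):
        """Add a segment; reject malformed bounds and overlaps with existing
        segments, since an overlap would make the lookup ambiguous."""
        if not (begin.isdigit() and end.isdigit()):
            raise ValueError("IMSI bounds must be decimal digits")
        if not (1 <= len(begin) <= IMSI_LEN) or len(begin) != len(end):
            raise ValueError("begin and end must have the same length (1..15)")
        if int(begin) > int(end):
            raise ValueError("begin must not be greater than end")
        rng = ImsiRange(begin, end, realm, prefix)
        lo, hi = rng.bounds()
        for other in self._ranges:
            olo, ohi = other.bounds()
            if lo <= ohi and olo <= hi:
                raise ValueError("segment %s..%s overlaps %s..%s of realm %s"
                                 % (begin, end, other.begin, other.end,
                                    other.realm))
        self._ranges.append(rng)
        return rng

    def lookup(self, imsi):
        """Return prefix + realm for a 15-digit IMSI, or None if unmapped."""
        if not (imsi.isdigit() and len(imsi) == IMSI_LEN):
            raise ValueError("IMSI must be exactly 15 digits")
        n = int(imsi)
        for rng in self._ranges:
            lo, hi = rng.bounds()
            if lo <= n <= hi:
                return rng.prefix + rng.realm
        return None

    def ranges_for(self, realm):
        return [r for r in self._ranges if r.realm == realm]

    def remove_realm(self, realm):
        """Deleting a domain drops its segment correspondences as well;
        returns how many segments were removed."""
        before = len(self._ranges)
        self._ranges = [r for r in self._ranges if r.realm != realm]
        return before - len(self._ranges)


def build_sample_table():
    """Constructed sample mapping (hypothetical realms and segments)."""
    table = Imsi2Realm()
    table.add("46000", "46002", "example.com")
    table.add("46003", "46003", "partner.example", prefix="roam-")
    table.add("460071230000000", "460071239999999", "vpn.example")
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for imsi in ("460001234567890", "460031234567890", "460071240000000"):
        print(imsi, "->", t.lookup(imsi))
```

Checking for overlapping segments at insertion time is the part worth keeping: the page states that one domain may own several segments, and two domains claiming the same IMSI would send a subscriber's authentication to the wrong Realm.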

Setup for the prepay service

Annotation: only the edition that contains the prepay module has this configuration interface.

Service configuration

In the navigation menu choose PPS, then choose the service tab; the operation interface is as follows:

Figure 42 main interface for the configure service


Services can be added, deleted and updated from this interface.

Add a new service
Click the add button and a dialog is shown:

Add new service

Fill in the service name in the serviceID field (for example, a service named Test), select an accounting type in the accounting type field, and fill in the parameters according to the selected accounting type. In the other settings field, fill in the free, SCP pre-requisition and threshold settings. The description is mainly for identifying this service; it simply describes what function the service provides and may be left blank. Click the OK button when all parameters are filled in, and the service setup is complete.

Delete an existing service
Select the service name in the service list and click the delete button; a confirmation dialog appears. Click the confirm button to delete the selected service.

Update an existing service
Select the service name in the service name list and click the update button; the dialog box appears as below:

90

Capitel AAA2.0 system user manual

Figure 44 main interface for the update service

After changing the parameters, click the update button.

Setup rate
Set up rates for a configured service
Select the rates tab; the rates configuration interface is shown.

Figure 45 setting rates
Click the Rates setting button; a dialog box for adding rates is shown, as follows:

Figure 46 main interface for adding cost rate

Choose the configured service name in the service list, fill in the switching time of the rates and the new rate that applies after that point, and click the add button; an item of cost rate is set. After this, the rates configured for the chosen service are shown in the rates interface. See the figure:

Rates show
Delete a configured rate
By default, the delete rate button is gray. To delete a configured rate item, select it in the list and press the delete rate button.

Figure 48 delete cost rate interface


If you click the Delete ID button, all rates of this service are deleted; in effect, it abolishes the rate setting for the selected service.

SMPP setup
Choose the SMPP Config tab; the SMPP setup panel is shown as follows:

Figure 49 Setup interface

In this interface you can amend any parameter directly; after amending, click the OK button.

AAAEAS logs management

The log management of the AAA peripheral system keeps a full record of the users who have operated the AAA server. To use the log system, first run the management terminal, then choose the menu log > management of log, as in figure 42:

Figure 42 menu of the logs


Click logs management and the dialog box shown in figure 43 appears:

Figure 43 the log viewer frame

Review the log

In the log browser, choose the operator who operated the AAA, then fill in the start and end time (format: yyyy-mm-dd hh:mm:ss); if you leave them empty, the system takes today's log. Click browse and the log records matching your condition are shown.
Figure 44 shows such an interface; the meanings of the records are shown in the figure.

Figure 44 Show the operation log of the user

Cleanup the log

Cleaning up the AAAEAS log is simple: fill in the year you want to remove in the log remove field and click the Remove button. Note: at present the log system can only remove log records year by year.
Caution: this operation is not reversible; once you delete records, they cannot be recovered.

5 log, monitor and report forms

The Capitel AAA2.0 system provides a series of diagnostic features:
- The RADIUS server records the details of every RADIUS authentication and accounting request;
- The command-line management tool provides the related commands, and the graphic management terminal provides the Stat dialog box; with these tools you can refer to the important statistics related to authentication, accounting and roaming;
- The system informs the graphic management terminal in time that it is still active.

5.1 Authentication log


For every RADIUS request the system writes an entry in the authentication log. Typical log entries are:
- Deliver the Accept to NAS-NAME for the USERNAME;
- Can not find the key suited to the USERNAME;
- Deliver the Reject response;
- Startup authentication server;
- Shut the authentication server;
To make it easy for the administrator, the authentication log is written in ASCII. Every line of the log starts with the date and time, followed by the event information.
By default the log is located in $RADIUS_HOME/var/log/radius; you can amend the parameter logdir in the main configuration file radiusd.conf to reconfigure the log path.

5.1.1 Explanation of the log level

You can control how detailed the authentication log is by setting the parameter log_level.
The parameter log_level determines the level of detail of the authentication log. log_level can be 0 to 5: 0 means only the most important information is logged, and the higher the value, the more detailed the information. The parameter is located in the main configuration file radiusd.conf of the system.
You can amend the parameter log_level in the main configuration file radiusd.conf directly with an editor. After amending it, you can make the parameter take effect without restarting the system as follows:
In the Unix shell:
kill -HUP pid
You can also execute reloadcfg from the command-line tool.
See also: informing the AAA system to reread the configuration files

While the system is running, the level of the authentication log can also be changed dynamically by running debugshow. This command directly informs RADIUS to change the log level and exports the debug output to the terminal.
See also: AAA system Debug information management
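Because the authentication log is plain ASCII with the date and time first and the event text after, it can be read with a few regular expressions. The following is an added example of that, not Capitel code: it parses the typical entries listed above, counts Accepts, Rejects and key-lookup failures per user, and flags accounts with repeated failures in a short window, which is the kind of review an administrator would do on this log. Assumptions: the timestamp layout "YYYY-MM-DD HH:MM:SS", the NAS and user names, and the sample lines are constructed for this example; the AAA server's real line layout may differ.

```python
"""Parser and repeated-failure check for the authentication log: each line
starts with the date and time, followed by the event text.

Added example, not Capitel code. The event wordings are the typical entries
listed in section 5.1; the timestamp layout, the NAS and user names and the
sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")
ACCEPT_RE = re.compile(r"^Deliver the Accept to (\S+) for (\S+)$")
NOKEY_RE = re.compile(r"^Can not find the key suited to (\S+)$")
FIXED_EVENTS = {
    "Deliver the Reject response": "reject",
    "Startup authentication server": "startup",
    "Shut the authentication server": "shutdown",
}

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
2005-06-01 09:00:01 Startup authentication server
2005-06-01 09:00:05 Deliver the Accept to nas1 for alice
2005-06-01 09:00:07 Can not find the key suited to mallory
2005-06-01 09:00:07 Deliver the Reject response
2005-06-01 09:00:09 Can not find the key suited to mallory
2005-06-01 09:00:09 Deliver the Reject response
2005-06-01 09:00:12 Can not find the key suited to mallory
2005-06-01 09:00:12 Deliver the Reject response
2005-06-01 09:05:00 Can not find the key suited to bob
2005-06-01 09:05:00 Deliver the Reject response
2005-06-01 09:10:00 Deliver the Accept to nas2 for bob
"""


def parse_line(line):
    """Return {'ts', 'kind', 'user', 'nas'}, or None if the line has no
    leading timestamp (e.g. an empty or wrapped line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
          "kind": "other", "user": None, "nas": None}
    text = m.group(2)
    accept = ACCEPT_RE.match(text)
    nokey = NOKEY_RE.match(text)
    if accept:
        ev.update(kind="accept", nas=accept.group(1), user=accept.group(2))
    elif nokey:
        ev.update(kind="nokey", user=nokey.group(1))
    elif text in FIXED_EVENTS:
        ev["kind"] = FIXED_EVENTS[text]
    return ev


def summarize(lines):
    """Count events by kind and key-lookup failures per user name."""
    counts = defaultdict(int)
    nokey = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        counts[ev["kind"]] += 1
        if ev["kind"] == "nokey":
            nokey[ev["user"]] += 1
    return {"counts": dict(counts), "nokey_by_user": dict(nokey)}


def burst_users(lines, threshold=3, window_seconds=60):
    """Users with at least `threshold` key-lookup failures inside any span
    of `window_seconds`: a simple indicator of guessing against one account,
    to be reviewed together with the NAS-side records."""
    times = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "nokey":
            times[ev["user"]].append(ev["ts"])
    flagged = []
    for user, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
    print("repeated failures:", burst_users(SAMPLE_LOG.splitlines()))
```

The Reject entry in the page's list carries no user name, so the per-user count here is taken from the preceding "Can not find the key" entry; at log_level 0 some of these lines may be absent, so run such a check only on a log written at a level that includes them.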


5.2 The log for accounting


For every accounting request the system writes an entry in the accounting log; we refer to this log as the original call bill files. The types of records in the call bill files are:
- accounting start, which marks the start of a link;
- accounting stop, which marks the end of a link;
- interim message, produced by the NAS at intervals, which shows that the user is still active.
The original call bill files are written in ASCII; the attributes of each call bill are arranged in order and separated by \t for further processing. The format of the accounting log is described in the next section.
By default the original call bills are located in $RADIUS_HOME/var/log/radius/radacct; you can amend the parameter radacctdir in the main configuration file radiusd.conf to reconfigure the path of the original call bills.
The AAA2.0 system of Capitel Co. Ltd supports parameters that control how the original call bill files are generated. There are two ways:
Set the number of records per original call bill: when the number of call bill records reaches the configured number, the system starts a new file.
Set the interval for the original call bill: a new original call bill file is produced every configured number of minutes regardless of file size. If there are no accounting records within an interval, the system produces an empty file.
The generation mode can also be set to both; when either of the above conditions is met, the system produces a new call bill file.
See also: information on configuring call bills

5.2.1 The format of the log for accounting


Every original call bill file of the AAA2.0 system of Capitel Co. Ltd is composed of a file head and a file body.

Head of files
The file head is the first line of the original call bill. It records the time, the type and the version of the original call bill. The format is:

Num  Attribute name                 Max length   Remark
1.   Type of the record             CHAR (2)     head record = 01
2.   serial number of the file      CHAR (4)     numbered from 0001; restarts when full
3.   version number of the file     CHAR (2)     00
4.   Produce date of the file       CHAR (8)     YYYYMMDD
5.   First conversation date        CHAR (8)     YYYYMMDD
6.   First conversation time        CHAR (6)     HHMMSS
7.   Last conversation date         CHAR (8)     YYYYMMDD
8.   Last conversation time         CHAR (6)     HHMMSS
9.   Record count of the call bill  CHAR (10)    right-aligned, padded on the left with 0
10.  newline                        CHAR (1)

File body
Each line of the file body holds one accounting record. The set of attributes to be recorded can be changed in the main configuration file of the AAA 2.0 system of Capitel Co. Ltd. This is an advanced function: neither the command-line tools nor the graphic management terminal support configuring it, so an advanced administrator has to edit it manually. This is the tolerance attribute of the system.

Num  Src      Attribute name                             Max length   Remark
1.            serial number                              CHAR (10)    consecutive call bill serial number
2.   P        Accounting Status Type                     CHAR (10)    1 = start call bill, 2 = end call bill, 3 = interim call bill
3.   (A)/(W)  IMSI / MSID                                CHAR (15)    decimal
4.   P        IP Address                                 CHAR (15)
5.   P        NAI                                        CHAR (64)    internet account of the user
6.   P        Account Session ID                         CHAR (8)     marks a link connection
7.   P        Correlation ID                             CHAR (8)     marks a PPP connection
8.   P        Session Continue                           CHAR (10)    marks whether the current Accounting Stop is the end of the connection: 0 = end, 1 = continue; appears only in end call bills
9.   P        MIP Home Agent                             CHAR (15)    IP address of the HA
10.  P        PDSN/FA Address                            CHAR (15)    for common users the PDSN address; for the VPN business the IP address of the VPN side
11.  (W)      Serving PCF                                CHAR (15)    PCF address
12.  (W)      BSID                                       CHAR (12)    SID+NID+BSC ID
13.  (W)      User Zone                                  CHAR (10)    mark of the zone the user is in
14.  (W)      Forward Mux Option                         CHAR (10)    forward multiplex option
15.  (W)      Reverse Mux Option                         CHAR (10)    reverse multiplex option
16.  (W)      Service Option                             CHAR (10)    CDMA 1X data service: 33
17.  (W)      Forward Traffic Type                       CHAR (10)    forward traffic type
18.  (W)      Reverse Traffic Type                       CHAR (10)    reverse traffic type
19.  (W)      Fundamental Frame Size                     CHAR (10)    size of the fundamental channel frame
20.  (W)      Forward Fundamental RC                     CHAR (10)    forward fundamental radio configuration
21.  (W)      Reverse Fundamental RC                     CHAR (10)    reverse fundamental radio configuration
22.  P        IP Technology                              CHAR (10)    IP technology type
23.  P        Compulsory Tunnel                          CHAR (10)    forced tunnel type
24.  P        Release Indicator                          CHAR (10)    reason for sending the Accounting record
25.  (W)      DCCH Frame Format                          CHAR (20)    dedicated control channel frame format
26.  P        Data Octet Count                           CHAR (10)    bytes sent to the user
27.  P        Data Octet Count                           CHAR (10)    bytes originated by the user
28.  P        Bad PPP Frame Count                        CHAR (10)    bad frames rejected by the PDSN
29.  P        Event Time                                 CHAR (10)    start time of the session in a start call bill, end time of the session in an end call bill; seconds since 1970-01-01 00:00:00
30.  (W)      Active Time                                CHAR (10)    active time counted by the PCF
31.  P        Number of Active Transitions               CHAR (10)    number of dormant-to-active transitions in the PPP connection
32.  (W)      SDB Octet Count (Terminating)              CHAR (10)    bytes the user received by SDB
33.  (W)      SDB Octet Count (Originating)              CHAR (10)    bytes the user sent by SDB
34.  (W)      Number of SDBs (Terminating)               CHAR (10)    number of SDBs the user received
35.  (W)      Number of SDBs (Originating)               CHAR (10)    number of SDBs the user sent
36.  P        Number of HDLC layer bytes received        CHAR (10)    HDLC bytes received by the PDSN
37.  P        In-Bound Mobile IP Signaling Octet Count   CHAR (10)    bytes of mobile IP signaling sent by the user
38.  P        Outbound Mobile IP Signaling Octet Count   CHAR (10)    bytes of mobile IP signaling received by the user
39.  P        IP Quality of Service (QOS)                CHAR (10)    IP network quality grade code of the user
40.  (W)      Airlink Quality of Service                 CHAR (10)    wireless link quality class mark
41.  (W)      Airlink Record Type                        CHAR (10)    1 = connection setup, 2 = active
42.  (W)      R-P Session ID                             CHAR (10)    R-P session ID
43.  (W)      Airlink Sequence Number                    CHAR (10)    sequence number of the wireless link
44.  (W)      Mobile Originated / Mobile Terminated      CHAR (10)    0 = start, 1 = end
45.  (A)      sign for roaming                           CHAR (1)     0 = local, 1 = roam in, 2 = roam out
46.  (A)      unused                                     CHAR (10)    reserved
47.  (A)      unused                                     CHAR (10)    reserved
48.  P        container for accounting                   CHAR (10)    cannot be used
49.  (A)      newline                                    CHAR (1)     \n

P: attribute produced by the PDSN; (W): attribute produced by the wireless side; (A): attribute produced by the AAA.

Tab placeholder
When the accounting information is written to the original call bill file, it can happen that not all accounting attributes of the file are present. In that case the AAA2.0 system of Capitel Co. Ltd. uses a Tab (\t may also be used) as a placeholder in place of the missing attribute, which ensures that every call bill keeps the same format as in the list above.
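The head and body tables above, together with the Tab placeholder rule, are enough to read a call bill file back and reconcile start, interim and end records per session. The following is an added example of such a reader in Python; it is not Capitel code. Assumptions: the head line uses the same \t separator as the body; a body line carries attributes 1 to 48 separated by \t, attribute 49 being the newline; a missing attribute is an empty field; byte counters in interim and end records are cumulative, so the latest value wins; only the attribute positions listed in POS are read; the file content, IMSI, NAI, addresses and session identifiers are constructed for this example.

```python
"""Reader for the original call bill (accounting log) files described above.

Added example, not Capitel code. Assumptions: head line tab-separated like
the body; 48 tab-separated attributes per body line plus the newline as
attribute 49; empty field = Tab placeholder; cumulative byte counters.
The sample file at the bottom is constructed.
"""

NUM_FIELDS = 48  # attributes 1..48; attribute 49 is the newline itself

# 1-based positions from the file body table for the attributes we use
POS = {
    "serial": 1, "status_type": 2, "imsi": 3, "ip": 4, "nai": 5,
    "session_id": 6, "correlation_id": 7, "session_continue": 8,
    "bytes_to_user": 26, "bytes_from_user": 27, "event_time": 29,
}
STATUS = {"1": "start", "2": "stop", "3": "interim"}


def make_record(**attrs):
    """Build one body line; attributes not given become Tab placeholders."""
    fields = [""] * NUM_FIELDS
    for name, value in attrs.items():
        fields[POS[name] - 1] = str(value)
    return "\t".join(fields)


def parse_head(line):
    """Head line: type 01, file serial, version, produce date, first and
    last conversation date/time, zero-padded record count."""
    f = line.split("\t")
    if len(f) != 9 or f[0] != "01":
        raise ValueError("bad call bill head: %r" % line)
    return {"file_serial": f[1], "version": f[2], "produce_date": f[3],
            "first_date": f[4], "first_time": f[5],
            "last_date": f[6], "last_time": f[7],
            "record_count": int(f[8])}


def parse_record(line):
    f = line.split("\t")
    if len(f) != NUM_FIELDS:
        raise ValueError("expected %d attributes, got %d" % (NUM_FIELDS, len(f)))
    rec = {name: f[pos - 1] for name, pos in POS.items()}
    rec["status"] = STATUS.get(rec["status_type"], "unknown")
    for name in ("bytes_to_user", "bytes_from_user", "event_time"):
        rec[name] = int(rec[name]) if rec[name] else None  # placeholder -> None
    return rec


def parse_call_bill(text):
    """Parse a whole file and check the body against the head's record count."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # newline that ends the last record
    head = parse_head(lines[0])
    records = [parse_record(l) for l in lines[1:]]
    if len(records) != head["record_count"]:
        raise ValueError("head announces %d records, body has %d"
                         % (head["record_count"], len(records)))
    return head, records


def sessions(records):
    """Pair start/interim/end call bills by Account Session ID and derive
    duration and traffic per session."""
    out = {}
    for r in records:
        s = out.setdefault(r["session_id"], {
            "nai": r["nai"], "start": None, "stop": None, "interims": 0,
            "bytes_to_user": 0, "bytes_from_user": 0, "closed": False})
        if r["status"] == "start":
            s["start"] = r["event_time"]
        elif r["status"] == "interim":
            s["interims"] += 1
        elif r["status"] == "stop":
            s["stop"] = r["event_time"]
            s["closed"] = r["session_continue"] == "0"  # 0 = end, 1 = continue
        for k in ("bytes_to_user", "bytes_from_user"):
            if r[k] is not None:
                s[k] = r[k]
    for s in out.values():
        s["duration"] = (s["stop"] - s["start"]
                         if s["start"] is not None and s["stop"] is not None
                         else None)
    return out


# Constructed sample file: one session with start, interim and end records.
_COMMON = dict(imsi="460001234567890", ip="10.1.2.3", nai="alice@example.com",
               session_id="0000AB12", correlation_id="00000001")
SAMPLE_CALL_BILL = "\n".join([
    "01\t0001\t00\t20050601\t20050601\t090005\t20050601\t093000\t0000000003",
    make_record(serial="0000000001", status_type="1", event_time=1117616405,
                **_COMMON),
    make_record(serial="0000000002", status_type="3", event_time=1117617000,
                bytes_to_user=1000, bytes_from_user=200, **_COMMON),
    make_record(serial="0000000003", status_type="2", event_time=1117618200,
                session_continue="0", bytes_to_user=5000, bytes_from_user=800,
                **_COMMON),
]) + "\n"

if __name__ == "__main__":
    head, recs = parse_call_bill(SAMPLE_CALL_BILL)
    for sid, s in sessions(recs).items():
        print(sid, s["nai"], "duration", s["duration"], "s,",
              s["bytes_to_user"], "bytes to user")
```

The record-count check against the head line is the cheap integrity test a billing reconciliation should always run before trusting a file; a mismatch points at a truncated file or a rotation that happened mid-write.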
