How it Works
Alcatel-Lucent
Loading...
8950 AAA
User Manual
476 pgs6.81 Mb0
Table of contents
Loading...

Alcatel-Lucent 8950 AAA User Manual

Alcatel-Lucent
8950 AAA (Authorization, Authentication, Accounting) User’s Guide | Release 6.0
365-360-001R6.0
DEC 2008
ISSUE 1
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2008 Alcatel-Lucent. All Rights Reserved.
Contents
About this information product
Where to go First .......................................................................................................................................1-ii
How This Manual Is Organized ...............................................................................................................1-iii
Conventions ..............................................................................................................................................1-vi
Recommended Reading ...........................................................................................................................1-vii
Obtaining Technical Support ...................................................................................................................1-vii
Part 1: Configuration Tools Navigation Pane
1 Introduction to 8950 AAA
What is 8950 AAA? ..................................................................................................................................1-1
RADIUS Terms Explained ........................................................................................................................1-3
2 8950 AAA Server Management Tool Overview
Purpose of the Server Management Tool ..................................................................................................2-1
Starting the Server Management Tool .......................................................................................................2-2
The Server Management Tool User Interface ...........................................................................................2-4
3 Server Management Tool Command Set
SMT menus and their commands ..............................................................................................................3-1
Managing Data in SMT Panels ...............................................................................................................3-11
Sizing Table Columns .............................................................................................................................3-13
Installing the PolicyAssistant and the Policy Flow Editor ...................... ..... ...........................................3-13
4 Managing 8950 AAA Servers
Configuring Server Properties ...................................................................................................................4-1
Policy Server tab .......................................................................................................................................4-2
Universal State Server tab .......................................................................................................................4-28
Configuration Server tab ................................................................ ..... ....................................................4-38
5 Configuring 8950 AAA Client Properties
Introduction ...............................................................................................................................................5-1
Configuring Clients ...................................................................................................................................5-2
The Radius Clients tab ..............................................................................................................................5-4
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1 December 2008
iii
Contents
............................................................................................................................................................................................................................................................
The Diameter Peers tab ...................................................................................... .... ..... .............................. 5-8
The TACACS+ Clients tab ...................................................................................................................... 5-11
The Client Classes tab ............................................................................................................................. 5-14
6 Configuring 8950 AAA Realm Routing Table Properties
Configuring Realm Routing Table ............................................................................................................ 6-1
7 Configuring 8950 AAA Remotely
Remote Configuration ............................................................................................................................... 7-1
8 Using the 8950 AAA Policy Flow Editor
Policy Flow Editor .................................................................................................................................... 8-1
Policy Flow Files ....................................................................................................................................... 8-3
Method Configuration ............................................................................................................................... 8-4
Method Dispatch Section .......................................................................................................................... 8-9
9 Using the 8950 AAA Policy Assistant in Server Management Tool
Understanding PolicyFlow, the PolicyAssistant, and the Policy Wizard ..................................................9-2
Installing the PolicyAssistant ............................................................................................... ..................... 9-2
Preparing to Create Your First Policy ....................................................................................................... 9-3
Using the Policy Wizard ........................................................................................................................... 9-4
Understanding and Creating Attribute Sets ............................................................................................ 9-16
Adding Attribute Sets to Your Policy ...................................................................................................... 9-19
Creating Attribute Sets ............................................................................................................................ 9-20
Defining a Failure Mode ......................................................................................................................... 9-23
Reviewing Your Policy ............................................................................................................................ 9-25
Using the PolicyAssistant ........................................................................................................................ 9-25
Saving Your Policies ............................................................................................................................... 9-30
Advanced Authentication Options .......................................................................................................... 9-30
Advanced Attribute Set Options ............................................................................................................. 9-37
10 Configuring 8950 AAA USSv2
USSv2 Configuration .............................................................................................................................. 10-1
11 Configuring 8950 AAA Operators
Administering the 8950 AAA System .................................................................................................... 11-1
8950 AAA Operators Panel .................................................................................................................... 11-3
Adding an Operator ...............................................................................................................................11-11
............................................................................................................................................................................................................................................................
iv
365-360-001R6.0
Issue 1 December 2008
Contents
............................................................................................................................................................................................................................................................
Adding an Access Rule .........................................................................................................................11-13
Modifying a System Operator ...............................................................................................................11-16
12 Configuring Simple Address Manager
Simple Address Manager Configuration .................................................................................................12-1
13 Configuring USS Address Manager
USS Address Manager Configuration .....................................................................................................13-1
Part II: Stats Collecting Navigation Pane
14 Stats Collector
The Stats Collector ................................................... .... .................................................... .......................14-1
Stats Collector Panel ...............................................................................................................................14-2
15 Configuring Reports
The Configure Reports Panel ....................................................................... ...........................................15-1
Part III: Logging Tools Navigation Pane
16 Message Logging
8950 AAA Message Overview ................................................................................................................ 16-1
Logging Tools ..........................................................................................................................................16-2
Server Log Messages ..............................................................................................................................16-3
Log Channels ...........................................................................................................................................16-6
Log Channel Configuration Panel Tabs ................................................................................................16-14
Notes on the Naming of Size Based Files .............................................................................................16-19
Notes on the Naming of Time Based Files ............................................................................................16-21
Log Rules ..............................................................................................................................................16-32
Part IV: Monitoring Tools Navigation Pane
17 Server Statistics
Monitoring Server Statistics ....................................................................................................................17-1
Server Statistics Panel .............................................................................................................................17-2
Sessions/ Counters/ Indices Panel .........................................................................................................17-28
USS Address Statistics Panel ........................................................................... ..... ................................17-31
18 Using LiveAdministrator
8950 AAA LiveAdministrator .................................................................................................................18-2
Accessing the LiveAdministrator Panel ..................................................................................................18-2
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1 December 2008
v
Contents
............................................................................................................................................................................................................................................................
General Info ............................................................................................................................................ 18-3
License Information ................................................................................................................................ 18-4
System Information ................................................................................................................................. 18-5
Garbage Collection ................................................................................................................................. 18-6
Files in Use .............................................................................................................................................. 18-8
Admin Scripts ......................................................................................................................................... 18-9
Properties .............................................................................................................................................. 18-10
Cache Entries ........................................................................................................................................ 18-11
Peer Control .......................................................................................................................................... 18-12
Advanced .............................................................................................................................................. 18-13
Part V: File Tools Navigation Pane
19 Creating and Managing User Profiles with Files
The User File ............................................................................... ............................................................ 19-2
The PolicyAssistant and User Files ...................................................................................... ................... 19-2
The SMT User Files Panel ...................................................................................................................... 19-3
Creating an Attribute Set File ............................................................................................................... 19-16
20 8950 AAA Dictionary Editor
Accessing the Dictionary Editor Panel ................................................................................................... 20-1
Vendors Tab ............................................................................................................................................. 20-2
Attributes Tab ............................................................................................ .............................................. 20-4
Diameter Applications Tab ..................................................................................................................... 20-9
21 Managing files
The File Manager Panel .......................................................................................................................... 21-1
Tail panel ............................................................................................................................................... 21-10
22 8950 AAA Certificate Manager
Types of Certificates ........................................ ....................................................................................... 22-1
The Certificate Manager Panel .................................. ..... ...................................................... ................... 22-2
Requirements for Using the Certificate Manager ................................................................................... 22-8
Types of Certificates in Certificate Manager .......................................................................................... 22-9
Procedures for Creating Certificates ..................................................................................................... 22-18
Notes on Using Certificates .................................................................................................................. 22-20
How to Configure for a TLS Demo Out of the Box ............................................................................. 22-21
............................................................................................................................................................................................................................................................
vi
365-360-001R6.0
Issue 1 December 2008
Contents
............................................................................................................................................................................................................................................................
Part VI: Database Tools Navigation Pane
23 Creating and Managing User Profiles with the Built-in Database
Understanding Database Users ................................................................................................................23-1
Logging in to the Database ......................................................................................................................23-2
Creating and Managing User Profiles .....................................................................................................23-3
Understanding Database SQL Tool .......................................................................................................23-19
Managing Hypersonic Database Users .................................................................................................23-22
Part VII: Other chapters
24 Server Diagnostics and Control Commands
Server Diagnostics and Control ...............................................................................................................24-1
List of Server Commands ........................................................................................................................24-2
Part VIII: Appendix
A Supplementary Information
Displaying the Built-in Web Interface ...................................................................................................... A-1
Displaying the RADIUS Server Administration Interface .......................................................................A-2
Displaying the Configuration Server Administration Interface ............................................................... A-3
GL Glossary
IN Index
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1 December 2008
vii
Contents
............................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................
viii
365-360-001R6.0
Issue 1 December 2008
About this information
product
Overview
Purpose
Welcome, you are about to embark on a course to set up secure access to your network with the industry’s leading RADIUS server, 8950 AAA. It provides you the highest level of control and management of a wide range of access services. These services range from simple dial-up remote access using Point-to-Point Protocol (PPP), Local Area Network (LAN) access, wireless (Wi-Fi) and wired, and even access to core network elements such as switches and routers.
RADIUS, or Remote Authentication Dial-In User Service, enables network operators to authenticate, authorize and account (AAA) for users. The RADIUS protocol defines communications between an access device or server and the RADIUS server. RADIUS­based security ensures that only users who meet your access criteria will be allowed access to a resource. The 8950 AAA server provides this functionality within an extensible, easy-to-use environment.
This manual introduces you to 8950 AAA through its friendly user interface, the Server Management Tool (SMT) and its integrated polic y conf iguration tool, the PolicyAssistant. These tools provide a simple way to conf igure 8950 AAA for the most common AAA applications.
The PolicyAssistant creates, manages, and applies policies to control how and when users access your network. A policy is a set of rules that 8950 AAA uses to determine ho w users are authenticated, how access is authorized and configured, and how accounting data is stored.
The PolicyAssistant can be conf igured to support as man y access policies as your netw ork may require. You decide how many policies are necessary based on your business needs. These needs can include the type of services your network provides, your equipment requirements, your customers’ requirements, or the geographic location of your customers.
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1, December 2008
i

Where to go First

............................................................................................................................................................................................................................................................
Audience
This guide is designed to be used by qualified system administrators and network managers. Knowledge of basic networking concepts is required to successfully install 8950 AAA. You should be familiar with RADIUS server installation, configuration, and use.
Where to go First
How to Start
For more information about installing 8950 AAA and general software and hardware requirements, read the 8950 AAA Quick Start Guide.
If you are new to 8950 AAA, the links below should help determine where to go first:
Ready to configure 8950 AAA?
With the Server Management Tool (SMT) running, you should see the Policy Flow Editor in the Navigation pane as shown in Figure 1-1.
Figure 1-1 Server Management Tool-Navigation Screen
If you have already installed 8950 AAA and know how to launch the SMT, refer to the section “Using the Policy Wizard” on 9-4 to begin configuring your RADIUS environment.
............................................................................................................................................................................................................................................................
ii
365-360-001R6.0
Issue 1, December 2008

How This Manual Is Organized

............................................................................................................................................................................................................................................................
Looking for the PolicyAssistant?
If you cannot find the PolicyAssistant in the Navigation pane when the Server Management Tool is running, refer to the section “Installing the PolicyAssistant and the
Policy Flow Editor” on 3-13 to learn how to install the PolicyAssistant.
Attempting to start the Server Management Tool?
If you need help launching the Server Management Tool (SMT), refer to the section
“Preparing to Create Your First Policy” on 9-3 to learn more about the SMT.
What is RADIUS?
If you are new to the RADIUS world of access control, refer to “RADIUS Terms
Explained” on 1-3 to learn more about 8950 AAA and RADIUS terminology.
How This Manual Is Organized
Manual organization
This manual covers the steps necessary to set up your 8950 AAA server, clients, and user profiles to process user requests for network access. The manual is organized as follows:
Chapter 1, “Introduction to 8950 AAA”
This section provides an introduction to 8950 AAA and some of the terms that you will encounter when working with the 8950 AAA product.
Chapter 2, “8950 AAA Server Management Tool Overview”
This chapter covers the Server Management Tool layout and how to install the PolicyAssistant.
Chapter 3, “Server Management Tool Command Set”
This chapter discusses the Server Management Tool commands that are accessible from the menu bar, toolbar, and navigation pane of the user interface.
Chapter 4, “Managing 8950 AAA Servers”
This chapter addresses methods in controlling the behavior of 8950 AAA Servers.
Chapter 5, “Configuring 8950 AAA Client Properties”
This chapter discusses the process of configuring clients such as Network Access Servers (NASs) or other access points with the 8950 AAA SMT.
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1, December 2008
iii
How This Manual Is Organized
............................................................................................................................................................................................................................................................
Chapter 6, “Configuring 8950 AAA Realm Routing Table Properties”
This chapter discusses the process of configuring the Realm Routing Table.
Chapter 7, “Configuring 8950 AAA Remotely”
This chapter discusses the process of configuring the 8950 AAA remotely.
Chapter 8, “Using the 8950 AAA Policy Flow Editor”
This chapter discusses the process of configuring and creating necessary entities for the Policy Flow Editor in the 8950 AAA Server Management Tool.
Chapter 9, “Using the 8950 AAA Policy Assistant in Server Management Tool”
This chapter discusses the process of how to use, configure, and create necessary entities for the PolicyAssistant in the 8950 AAA Server Management Tool.
Chapter 10, “Configuring 8950 AAA USSv2”
This chapter discusses the process of configuring the 8950 AAA USSv2 functionality.
Chapter 11, “Configuring 8950 AAA Operators”
This chapter provides information about defining administrator access to 8950 AAA. It defines different administrator roles and functions. It also provides information on how to use the SMT Operators panel.
Chapter 12, “Configuring Simple Address Manager”
This chapter discusses the tools that are used for the configuration and management of address pool by the Simple Address Manager . Simple Address Manager pro vides dynamic address pool management.
Chapter 13, “Configuring USS Address Manager”
This chapter discusses the tools that are available for the conf iguration and management of address pools of 8950 AAA, using Universal State server.
Chapter 14, “Stats Collector”
This chapter discusses about the various parts of 8950 AAA tool that collects statistical information of 8950 AAA.
Chapter 15, “Configuring Reports”
This chapter discusses about the reports configurator for the 8950 AAA tool.
............................................................................................................................................................................................................................................................
iv
365-360-001R6.0
Issue 1, December 2008
How This Manual Is Organized
............................................................................................................................................................................................................................................................
Chapter 16, “Message Logging”
This chapter discusses how to determine the information that is logged, the format for logging it, and the destination for the logged information.
Chapter 17, “Server Statistics”
This chapter covers how to collect statistics for the 8950 AAA server.
Chapter 18, “Using LiveAdministrator”
This chapter discusses how to use the LiveAdministrator panel to manage, diagnose and control the 8950 AAA server.
Chapter 19, “Creating and Managing User Profiles with Files”
This chapter covers how to create a user file and add and edit user profiles.
Chapter 20, “8950 AAA Dictionary Editor”
This chapter provides information about the 8950 AAA Data Dictionary and some of the terms that you will encounter when working with the 8950 AAA product.
Chapter 21, “Managing files”
This chapter discusses 8950 AAA files and how to create and manage them using the File manager panel.
Chapter 22, “8950 AAA Certificate Manager”
This chapter discusses the 8950 AAA Certificate Manager, also known as nrcert. Root certificates generated with nrcert are self-signed certificates.
Chapter 23, “Creating and Managing User Profiles with the Built-in Database”
This chapter discusses how to manage user profiles stored in a Structured Query Language (SQL) database, besides managing database users, administrators, and 8950 AAA tables.
Chapter 24, “Server Diagnostics and Control Commands”
This chapter describes the 8950 AAA server control commands.
Appendix A, “Supplementary Information”
The appendix contains examples of 6 SMT text files that are produced through SMT activity.
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1, December 2008
v

Conventions

............................................................................................................................................................................................................................................................
Conventions
Table 1-1 lists the typographical conventions used throughout this manual.
Table 1-1 Conventions used in the document or manual
Convention Meaning Example
boldface Names of items on screens.
Names of commands, properties and plug-ins. Names of buttons you should click.
Arial boldface
Names of keys you should press.
<angle brackets> Variables that require you to
substitute another value.
italics
Names of manuals or the first occurrence of a glossary term.
Arial italic
Directories, paths, file names, email addresses, and Uniform Resource Locators (URLs).
Click the Enable check box. The AuthLocal plug-in compares password attributes. Click Validate to check the syntax of the method.
Press Enter to continue.
http://<server IP address or name>
where <server IP address or name> is the address of name of the
8950 AAA server.
Refer to the 8950 AAA 6.0
User’s Guide and Reference for more
information. The 8950 AAA Web site is
http://www.8950AAA.com
click Press the left mouse button
once.
To view the online help, click the book icon on the
8950
AAA toolbar.
right-click Press the right mouse button
once.
double-click Press the left mouse button
twice.
............................................................................................................................................................................................................................................................
vi
Right-click a Selector T ype to view a list of selector types for method selection.
To open the Accounting Method Configuration panel, double-click anywhere on the tab display.
365-360-001R6.0
Issue 1, December 2008

Recommended Reading

............................................................................................................................................................................................................................................................
Recommended Reading
Reference reading
The following books cover a variety of topics that you might encounter while working with 8950 AAA. These books provide more information on the vast number of protocols and applications that 8950 AAA supports.
Building Internet Firewalls (2nd ed.). Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman, and Deborah Russell. O'Reilly & Associates, Inc., 2000. (ISBN 1-56592-871-
7) Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). William P.
Cheswick, Steven M. Bellovin, and Aviel D. Rubin. Addison-Wesley Publishing Company, February, 2003. (ISBN 0-20163-466-X)
Internetworking with TCP/IP, Volume 1: Principles, Protocols, and Ar chitecture (4th ed.). Douglas E. Comer. Pearson Education, February, 2000. (ISBN 0-13018-380-6)
Mastering Regular Expr essions (2nd ed.). Jef fre y E. F. Friedl. O'Reilly & Associates, Inc., July, 2002. (ISBN 0-59600-289-0)
RADIUS: Securing Public Access to Private Resources. Jonathan Hassell. O'Reilly & Associates, Inc., October, 2002. (ISBN 0-596-00289-6)
The DHCP Handbook (2nd ed.). Ralph E. Droms and Ted Lemon. Pearson Education, October 2002. (ISBN 0-67232-32 3)
Understanding PKI: Concepts, Standards, and Deployment Considerations (2nd ed.). Carlisle Adams and Steve Lloyd. Pearson Education, May 2002. (ISBN 0-67232-391-5)
Understanding and Deploying LDAP Directory Services (2nd ed.). Timothy A. Howes, Gordon S. Good, and Mark C. Smith. Addison-W esle y, May, 2003. (ISBN 1-67232-316-8)
UNIX in a Nutshell: A Desktop Quick Refer ence for SVR 4 and Solaris 7 (3rd ed.). Arnold Robbins. O'Reilly & Associates, Inc., August, 1999. (ISBN 1-56592-42 4)

Obtaining Technical Support

Technical Support
To contact Alcatel-Lucent for technical support, select the support channel that applies to you.
Support Channel 1: If you have purchased a 8950 AAA support contract, contact Alcatel-Lucent World-Wide Services (LWS):
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1, December 2008
vii
Obtaining Technical Support
............................................................................................................................................................................................................................................................
Customers in the USA and Canada, call 1-866-LUCENT8, Prompt 3. If you are not
registered, use Prompt 7.
Customers in other international locations, call +1-510-74 2000 or
+1-410-381-3484
Alcatel-Lucent Customer Support Web Site: http://www.alcatel-lucent.com/support/
Alcatel-Lucent Customer Support Web Site: http://support.lucent.com
Support Channel 2: If you have purchased 8950 AAA within the last 90 days, you can contact Lucent Technologies World-Wide Services (LWS) for email support:
Alcatel-Lucent Customer Support Web Site: http://support.lucent.com
Important! If you are a first time LWS support user OR if you have not yet
registered your 8950 AAA service contract, contact LWS.
Support Channel 3: If you are evaluating 8950 AAA for purchase or need sales information or technical support (but do not have a support contract), contact us for:
Technical support questions, review the 8950 AAA Discussion Forum:
http://www.8950AAA.com/cgi-bin/dcforum/dcboard.cgi
Pre-sales product questions, send an email to: tech-sales@8950AAA.com
Sales information, send an email to sales@8950AAA.com
Queries from Alcatel-Lucent employees, Sales Teams, VARS and Resellers, send an
Other non-technical requests, send an email to: tech-sales@8950AAA.com
How to Comment
To comment on this information product, Online(<http://www.lucent-info.com/comments>http://www.lucent-
info.com/comments/)
lucent.com.
email to: radius-internal@8950AAA.com
email your comments to the Comments Hotline: comments@alcatel-
............................................................................................................................................................................................................................................................
viii
365-360-001R6.0
Issue 1, December 2008
Part 1: Configuration Tools
Navigation Pane
Overview
Purpose
This part consolidates the chapters related to Configuration Tools in the SMT Navigation pane.
Contents
This part includes the following chapters.
Chapter 1, “Introduction to 8950 AAA” 1-1 Chapter 2, “8950 AAA Server Management Tool Overview” 2-1 Chapter 3, “Server Management Tool Command Set” 3-1 Chapter 4, “Managing 8950 AAA Servers” 4-1 Chapter 5, “Configuring 8950 AAA Client Properties” 5-1 Chapter 6, “Configuring 8950 AAA Realm Routing Table Properties” 6-1 Chapter 7, “Configuring 8950 AAA Remotely” 7-1 Chapter 8, “Using the 8950 AAA Policy Flow Editor” 8-1 Chapter 9, “Using the 8950 AAA Policy Assistant in Server Management Tool” 9-1 Chapter 10, “Configuring 8950 AAA USSv2” 10-1 Chapter 11, “Configuring 8950 AAA Operators” 11-1 Chapter 12, “Configuring Simple Address Manager” 12-1 Chapter 13, “Configuring USS Address Manager” 13-1
............................................................................................................................................................................................................................................................
365-360-001R6.0 Issue 1, December 2008
1-1
............................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................
1-2
365-360-001R6.0
Issue 1, December 2008
1 Introduction to 8950
AAA
Overview
Purpose
This chapter provides an introduction to 8950 AAA and some of the terms that you will encounter when working with the 8950 AAA product.
The following topics are included in this chapter:
What is 8950 AAA? RADIUS Terms Explained

What is 8950 AAA?

Overview
8950 AAA is server software that is used to manage secure access to networks, servers, and information services. Network elements that use a RADIUS server to manage access are known as clients. An example of a RADIUS client might be a network access server (NAS), a Wi-Fi access point, or even a Web page. 8950 AAA is a tool that promotes system integrity not only for the network server, but also for the client-server relationship.
The next section provides a scenario showing the role that 8950 AAA plays within a network.
Overview of Client-Server Access
8950 AAA provides access management for a client system. Figure 1-1 illustrates basically how this is done. The term Network Access Server (NAS) is a term for a netw ork element that provides dial-up access services to a network. After the user connects to the NAS, the NAS receives the user name and password from the user’s computer.
1-1
1-3
............................................................................................................................................................................................................................................................
365-360-001 R6.0 Issue 1, December 2008
1-1
What is 8950 AAA?Introduction to 8950 AAA
............................................................................................................................................................................................................................................................
Figure 1-1 Accessing a Service
USER
REQUEST FOR SERVICE
SESSION STARTS
NETWORK
ACCESS
SERVER
(NAS)
ACCESS­REQUEST
ACCESS RESPONSE
Radius
Server
Configuration
Server
UNIVERSAL
STATE
SERVER
USSV2
Configuration
Server
8950 AAA SERVER
The NAS places this information into a RADIUS data packet called an Access-Request. This data packet identifies the NAS, the port used for connection, the user name, the password, and other information about the session.
The Access-Request is sent from the client to the server and asks the server if the user is allowed to use the requested services and access the network.
The process the server then follows may include the following actions, although none are required:
Finding information about the user
Validating the user’s identity against information in a user profile
Returning an answer (accept or reject) to the RADIUS client
A user profile contains information about a user that 8950 AAA uses to process a RADIUS request. The information usually includes the user name and password, and might include other information needed to implement local access policies. User profiles can be stored in files, databases, directories, Web-based services, etc. We call the location of the user profile the user source.
If local policy requirements are met then an authentication acknowledgement called an Access-Accept, is sent to the NAS along with other information defining specific settings for the user session. If local policy requirements are not matched, then the Access-Request is rejected by sending an Access-Reject message to the NAS.
............................................................................................................................................................................................................................................................
1-2
365-360-001 R6.0
Issue 1, December 2008
RADIUS Terms ExplainedIntroduction to 8950 AAA
............................................................................................................................................................................................................................................................

RADIUS Terms Explained

Radius Overview
RADIUS is a client-server data communications protocol. The RADIUS protocol defines the types and contents of messages that can be exchanged in order to successfully access a system or service. The term RADIUS is an acronym that stands for Remote Authentication Dial-In User Services.
A RADIUS server is an example of an authentication, authorization and accounting (AAA-pronounced as “triple-A”) server because it authenticates a user, authorizes network access, records usage:
Authentication–validating the user’s identity
Authorization–validating that the user is allowed to do what was requested
Accounting – recording information about a user’s session
The AAA environment is based on a client/serv er relationship. 8950 AAA implements the server functions and communicates with clients, such as Network Access Servers (N ASs). The client is responsible for passing user information to RADIUS servers and acting on the response it receives. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and authorizing access, and then returning configuration information necessary for the client to deliver service to the user.
The RADIUS client controls the access protocols that are used. Within the protocol, RADIUS Attributes provide the vocabulary used for communication between RADIUS clients and servers. They provide authentication and authorization information, define session parameters, and record session accounting information. In the RADIUS protocol, attributes are defined b y a number, a name, and a data type. For e xample, attrib ute number 1 is called User-Name and contains string, that is, character data. Each attribute contained in a RADIUS packet is assigned a value. For example, User-Name = Bob. This combination of an attribute name and an associated valu e is called an Attr ibute Value P air (AVP).
When configuring 8950 AAA, attributes are used in tw o ways: to return session settings to the client and to provide access check data in the authorization process. When used in these two ways, attributes are often called reply-items and check-items, respectively.
8950 AAA uses policies to define a set of rules that the server uses to determine access rights, user privileges, and accounting practices based on information contained in the Access-Request and information about the user who is requesting access. A policy defines the rules and steps the server follows to complete the process described above.
............................................................................................................................................................................................................................................................
365-360-001 R6.0 Issue 1, December 2008
1-3
RADIUS Terms ExplainedIntroduction to 8950 AAA
............................................................................................................................................................................................................................................................
8950 AAA requires that at least one policy be defined, but it can be configured to handle many policies. You decide how many policies are necessary based on your business needs. The needs can range from the type and level of services you provide, equipment requirements, and customer requirements, to the geographic location of your customers and the time of day.
This document will describe use of the 8950 AAA PolicyAssistant to define access policies. It is also possible to create custom access policies using the 8950 AAA PolicyFlow programming language. Please refer to the 8950 AAA Programmer’s Reference Manual.
Authentication and Authorization Activities
As mentioned previously, a user source is a data repository that contains user information called user profiles. 8950 AAA can access information stored in a variety of user sources. A user source might be one of the following:
Standard text files, such as a RADIUS User file commonly used in publicly available
RADIUS servers
SQL databases, such as Oracle, Sybase, MySQL, or the built-in database
An LDAP (Lightweight Directory Access Protocol) server or a server that supports
LDAP queries, for example, Microsoft Active Directory or Novell NetWare directory
A user profile typically contains the user’s name and password. Some user profiles may also contain information that describes the connection type, allowed services, authentication means, and session limits specific to a user.
The term authentication source refers to the place where the user’s authentication information, typically a password, is stored, for example, the user’s profile, or an external service that authenticates the user. An example of an external service is a secure token server.
Table 1-1 provides a list of supported sources for user profiles and a description of each. It
is possible to read a user profile from one source and use a different source for authentication. For example, the user prof ile might be stored in LDAP while an RSA A CE (SecurID) might be used for authentication.
Table 1-1 Supported Sources for User Profiles
User Source Description
RADIUS User File A text file that conforms to a traditional format as
used in many freeware RADIUS servers
............................................................................................................................................................................................................................................................
1-4
365-360-001 R6.0
Issue 1, December 2008
RADIUS Terms ExplainedIntroduction to 8950 AAA
............................................................................................................................................................................................................................................................
User Source Description
SQL Database A database that accepts SQL (Structured Query
Language) queries, for example, the built-in 8950 AAA database, and has a JDBC (
Connectivity)
driver
Java Database
LDAP Directory A directory service supporting LDAP (Lightweight
Directory Access Protocol)
Microsoft Active Directory via LDAP Directory service that is a part of Windows 2000,
Windows XP, and Window 2003 Servers, using an LDAP interface.
Windows SAM Windows Security Accounts Manager server that sits
on top of the Windows 2000, Windows XP, and Window 2003 operating systems. This is only available when 8950 AAA is running on a Windows platform, local account, Windows domain, or Windows Active Directory.
UNIX System
Password File
ACE/Server
SafeWord Proxy
Accounting Activities
In addition, the 8950 AAA server can collect and store session and billing data. The server can save this data to text files (RADIUS Detail file), the built-in database, or any SQL database that supports a Java Database Connectivity (JDBC) driver, or forward the data to another RADIUS server.
When running on a supported UNIX or Linux system, 8950 AAA
can retrieve user name and password
information using the operating system.
8950 AAA can read the UNIX /etc/shadow or
/etc/passwd files to access passwords for
authentication.
8950 AAA acts as a client for communicating with an
RSA ACE/Server.
8950 AAA can communicate with a SafeWord server. 8950 AAA can proxy (forward) data to another server
that verifies the user name and password for authentication. It then waits for a response.
E ND OF STEPS
........................................................................................................................................................
............................................................................................................................................................................................................................................................
365-360-001 R6.0 Issue 1, December 2008
1-5
RADIUS Terms ExplainedIntroduction to 8950 AAA
............................................................................................................................................................................................................................................................
............................................................................................................................................................................................................................................................
1-6
365-360-001 R6.0
Issue 1, December 2008
2 8950 AAA Server
Management Tool Overview
Overview
Purpose
This section describes how to utilize the 8950 AAA Server Management Tool. It contains information about how to start and how to navigate through the application. It describes the look and feel of the graphical user interface and lists the commands that are available to interact with 8950 AAA successfully.
The following topics are included in this chapter:
Purpose of the Server Management Tool 2-1 Starting the Server Management Tool 2-2 The Server Management Tool User Interface 2-4

Purpose of the Server Management Tool

Overview
The 8950 AAA Server Management Tool (SMT) is an application that is used for configuring and managing 8950 AAA servers. It utilizes a graphical user interface or GUI that interfaces to the 8950 AAA server. It can be used to manage all aspects of server operation. The SMT also displays real-time statistical information from the RADIUS servers and Universal State Server (USS) systems.
The SMT is a standalone application that is started and run independently of the 8950 AAA server. The SMT may be run on the same computer as 8950 AAA or on a different computer. When the SMT is not run on the same platform as 8950 AAA then a small application called the 8950 AAA server must be started on the 8950 AAA platform before the SMT can be used.
............................................................................................................................................................................................................................................................
365-360-001 R6.0 Issue 1, December 2008
2-1
Starting the Server Management Tool8950 AAA Server Management Tool Overview
............................................................................................................................................................................................................................................................
Figure 2-1 illustrates the 8950 AAA SMT architecture.
Figure 2-1 8950 AAA System with SMT
REQUEST
FOR SERVICE
SESSION STARTS
NETWORK
ACCESS
SERVER
(NAS)
ACCESS­REQUEST
ACCESS RESPONSE
RADIUS SERVER
8950 AAA
SERVER
UNIVERSAL
STATE
SERVER
USSV2
CONFIGURATION
SERVER
8950 AAA SERVER
ADMINISTRATOR
8950 AAA SMT
The SMT contains a variety of tools including a menu bar, toolbar, navigation tools, and windows that provide the means to make server requests.
The following sections describe how to start the application and a basic overview of the GUI tools and commands.

Starting the Server Management Tool

How to start
To open the SMT, execute either of the following procedures:
............................................................................................................................................................................................................................................................
2-2
365-360-001 R6.0
Issue 1, December 2008
Starting the Server Management Tool8950 AAA Server Management Tool Overview
............................................................................................................................................................................................................................................................
1. On a Windows platform:
From the Windo ws desktop, double-click the Server Management Tool icon/click the Start button to display the Start Menu. Select Programs to display the Programs Menu. Select 8950 AAA 6.0. Click Server Management Tool.
OR On a UNIX/Linux platform: Run the following command in the bin directory.
aaa-smt -u <user_name> -p <password>
For example, enter the following command line at the command prompt:
/AAA/bin/aaa-smt
Result:
The 8950 AAA SMT Window opens and the login panel appears as shown in
Figure 2-2.
Figure 2-2 SMT Login Panel
2. Enter the appropriate 8950 AAA User Name and Password.
Important! This can be an administrator name or a user configured for operator
access.
3. Select the appropriate Connect option for your 8950 AAA server.
You can open and edit files locally or connect to a remote 8950 AAA Server with the SMT.
Result: When the SMT is not running on the same platform as the 8950 AAA server,
the Configuration Server is used to ex ecute commands issued by the SMT. In this case, the Configuration Server must be running on the 8950 AAA server. Enter the Host name or IP address to connect to a remote 8950 AAA server as shown in Figure 2-3.
............................................................................................................................................................................................................................................................
365-360-001 R6.0 Issue 1, December 2008
2-3
The Server Management Tool User Interface8950 AAA Server Management Tool Overview
............................................................................................................................................................................................................................................................
Figure 2-3 SMT Login Panel–Connecting to Configuration Server
Important!
Each instance of the SMT can only manage one 8950 AAA server at a
time.
4. Choose the appropriate Host/IP address to connect to the appropriate 8950 AAA server.
5. Click Connect to connect to the mentioned host or 8950 AAA server.
Important! Appropriate certificates are installed during the initial installation of
8950 AAA server to use the Use Secure Connection option.
Important! Command to start the config server on Solaris is:
../bin/aaa start config

The Server Management Tool User Interface

SMT Interface
When you run the SMT, a window appears such as in the example in Figure 2-4. The following screen shows an example of the default screen.
............................................................................................................................................................................................................................................................
2-4
365-360-001 R6.0
Issue 1, December 2008
The Server Management Tool User Interface8950 AAA Server Management Tool Overview
............................................................................................................................................................................................................................................................
Figure 2-4 The SMT User Interface–Default screen
Navigation pane
The main frame of the window, located below the taskbar, is called the Data pane. The following screen shows an example of a Data pane when clicked on one of the menu options from the Navigation Pane.
............................................................................................................................................................................................................................................................
365-360-001 R6.0 Issue 1, December 2008
2-5
The Server Management Tool User Interface8950 AAA Server Management Tool Overview
............................................................................................................................................................................................................................................................
Figure 2-5 SMT–Data Pane with example
SMT Menu Bar
Data pane
Important!
A pane is a portion of a Window that behaves as a container. It can hold objects. A panel is a Window that can have GUI components such as tabs, text fields, buttons, and panes. Panels can be resized, minimized, and maximized within the SMT.
On the left side of the SMT window, beneath the toolbar, the Navigation pane lists 5 groups of configuration and management panels. If the user selects an item from the Navigation pane, a panel is displayed in the Data pane. The Data pane can display multiple panels simultaneously.
The 8950 AAA SMT menu bar appears at the top of the SMT interface as a list of menus as shown in Figure 2-6.
............................................................................................................................................................................................................................................................
2-6
365-360-001 R6.0
Issue 1, December 2008
Loading...
+ 446 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use