Alcatel-Lucent 8950 AAA User Manual

0 (0)

Alcatel-Lucent

8950 AAA (Authorization, Authentication, Accounting)

User’s Guide | Release 6.0

365-360-001R6.0 ISSUE 1 DEC 2008

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.

Contents

About this information product
Where to go First .......................................................................................................................................	1-ii
How This Manual Is Organized ...............................................................................................................	1-iii
Conventions ..............................................................................................................................................	1-vi
Recommended Reading ...........................................................................................................................	1-vii
Obtaining Technical Support ...................................................................................................................	1-vii

Part 1: Configuration Tools Navigation Pane

1	Introduction to 8950 AAA
	What is 8950 AAA? ..................................................................................................................................	1-1
	RADIUS Terms Explained ........................................................................................................................	1-3
2	8950 AAA Server Management Tool Overview
	Purpose of the Server Management Tool ..................................................................................................	2-1
	Starting the Server Management Tool .......................................................................................................	2-2
	The Server Management Tool User Interface ...........................................................................................	2-4
3	Server Management Tool Command Set
	SMT menus and their commands ..............................................................................................................	3-1
	Managing Data in SMT Panels ...............................................................................................................	3-11
	Sizing Table Columns .............................................................................................................................	3-13
	Installing the PolicyAssistant and the Policy Flow Editor ......................................................................	3-13
4	Managing 8950 AAA Servers
	Configuring Server Properties ...................................................................................................................	4-1
	Policy Server tab .......................................................................................................................................	4-2
	Universal State Server tab .......................................................................................................................	4-28
	Configuration Server tab .........................................................................................................................	4-38
5	Configuring 8950 AAA Client Properties
	Introduction ...............................................................................................................................................	5-1
	Configuring Clients ...................................................................................................................................	5-2
	The Radius Clients tab ..............................................................................................................................	5-4

............................................................................................................................................................................................................................................................

365-360-001R6.0	i i i
Issue 1 December 2008

Contents

	The Diameter Peers tab .............................................................................................................................	5-8
	The TACACS+ Clients tab ......................................................................................................................	5-11
	The Client Classes tab .............................................................................................................................	5-14
6	Configuring 8950 AAA Realm Routing Table Properties
	Configuring Realm Routing Table ............................................................................................................	6-1
7	Configuring 8950 AAA Remotely
	Remote Configuration ...............................................................................................................................	7-1
8	Using the 8950 AAA Policy Flow Editor
	Policy Flow Editor ....................................................................................................................................	8-1
	Policy Flow Files .......................................................................................................................................	8-3
	Method Configuration ...............................................................................................................................	8-4
	Method Dispatch Section ..........................................................................................................................	8-9
9	Using the 8950 AAA Policy Assistant in Server Management Tool
	Understanding PolicyFlow, the PolicyAssistant, and the Policy Wizard ..................................................	9-2
	Installing the PolicyAssistant ....................................................................................................................	9-2
	Preparing to Create Your First Policy .......................................................................................................	9-3
	Using the Policy Wizard ...........................................................................................................................	9-4
	Understanding and Creating Attribute Sets ............................................................................................	9-16
	Adding Attribute Sets to Your Policy ......................................................................................................	9-19
	Creating Attribute Sets ............................................................................................................................	9-20
	Defining a Failure Mode .........................................................................................................................	9-23
	Reviewing Your Policy ............................................................................................................................	9-25
	Using the PolicyAssistant ........................................................................................................................	9-25
	Saving Your Policies ...............................................................................................................................	9-30
	Advanced Authentication Options ..........................................................................................................	9-30
	Advanced Attribute Set Options .............................................................................................................	9-37
10	Configuring 8950 AAA USSv2
	USSv2 Configuration ..............................................................................................................................	10-1
11	Configuring 8950 AAA Operators
	Administering the 8950 AAA System ....................................................................................................	11-1
	8950 AAA Operators Panel ....................................................................................................................	11-3
	Adding an Operator ...............................................................................................................................	11-11

i v	365-360-001R6.0
Issue 1	December 2008

Contents

	Adding an Access Rule .........................................................................................................................	11-13
	Modifying a System Operator ...............................................................................................................	11-16
12	Configuring Simple Address Manager
	Simple Address Manager Configuration .................................................................................................	12-1
13	Configuring USS Address Manager
	USS Address Manager Configuration .....................................................................................................	13-1

Part II: Stats Collecting Navigation Pane

14	Stats Collector
	The Stats Collector ..................................................................................................................................	14-1
	Stats Collector Panel ...............................................................................................................................	14-2
15	Configuring Reports
	The Configure Reports Panel ..................................................................................................................	15-1

Part III: Logging Tools Navigation Pane

16	Message Logging
	8950 AAA Message Overview ................................................................................................................	16-1
	Logging Tools ..........................................................................................................................................	16-2
	Server Log Messages ..............................................................................................................................	16-3
	Log Channels ...........................................................................................................................................	16-6
	Log Channel Configuration Panel Tabs ................................................................................................	16-14
	Notes on the Naming of Size Based Files .............................................................................................	16-19
	Notes on the Naming of Time Based Files ............................................................................................	16-21
	Log Rules ..............................................................................................................................................	16-32

Part IV: Monitoring Tools Navigation Pane

17	Server Statistics
	Monitoring Server Statistics ....................................................................................................................	17-1
	Server Statistics Panel .............................................................................................................................	17-2
	Sessions/ Counters/ Indices Panel .........................................................................................................	17-28
	USS Address Statistics Panel ................................................................................................................	17-31

18	Using LiveAdministrator
	8950 AAA LiveAdministrator .................................................................................................................	18-2
	Accessing the LiveAdministrator Panel ..................................................................................................	18-2

365-360-001R6.0	v
Issue 1 December 2008

Contents

General Info ............................................................................................................................................	18-3
License Information ................................................................................................................................	18-4
System Information .................................................................................................................................	18-5
Garbage Collection .................................................................................................................................	18-6
Files in Use ..............................................................................................................................................	18-8
Admin Scripts .........................................................................................................................................	18-9
Properties ..............................................................................................................................................	18-10
Cache Entries ........................................................................................................................................	18-11
Peer Control ..........................................................................................................................................	18-12
Advanced ..............................................................................................................................................	18-13

Part V: File Tools Navigation Pane

19	Creating and Managing User Profiles with Files
	The User File ...........................................................................................................................................	19-2
	The PolicyAssistant and User Files .........................................................................................................	19-2
	The SMT User Files Panel ......................................................................................................................	19-3
	Creating an Attribute Set File ...............................................................................................................	19-16

20	8950 AAA Dictionary Editor
	Accessing the Dictionary Editor Panel ...................................................................................................	20-1
	Vendors Tab .............................................................................................................................................	20-2
	Attributes Tab ..........................................................................................................................................	20-4
	Diameter Applications Tab .....................................................................................................................	20-9

21	Managing files
	The File Manager Panel ..........................................................................................................................	21-1
	Tail panel ...............................................................................................................................................	21-10
22	8950 AAA Certificate Manager
	Types of Certificates ...............................................................................................................................	22-1
	The Certificate Manager Panel ................................................................................................................	22-2
	Requirements for Using the Certificate Manager ...................................................................................	22-8
	Types of Certificates in Certificate Manager ..........................................................................................	22-9
	Procedures for Creating Certificates .....................................................................................................	22-18
	Notes on Using Certificates ..................................................................................................................	22-20
	How to Configure for a TLS Demo Out of the Box .............................................................................	22-21

v i	365-360-001R6.0
Issue 1	December 2008

Contents

Part VI: Database Tools Navigation Pane

23	Creating and Managing User Profiles with the Built-in Database
	Understanding Database Users ................................................................................................................	23-1
	Logging in to the Database ......................................................................................................................	23-2
	Creating and Managing User Profiles .....................................................................................................	23-3
	Understanding Database SQL Tool .......................................................................................................	23-19
	Managing Hypersonic Database Users .................................................................................................	23-22

Part VII: Other chapters

24	Server Diagnostics and Control Commands
	Server Diagnostics and Control ...............................................................................................................	24-1
	List of Server Commands ........................................................................................................................	24-2

Part VIII: Appendix

A	Supplementary Information
	Displaying the Built-in Web Interface ......................................................................................................	A-1
	Displaying the RADIUS Server Administration Interface .......................................................................	A-2
	Displaying the Configuration Server Administration Interface ...............................................................	A-3
GL	Glossary
IN	Index

365-360-001R6.0	v i i
Issue 1 December 2008

Contents

v i i i	365-360-001R6.0
Issue 1	December 2008

About this information product

Overview

Purpose

Welcome, you are about to embark on a course to set up secure access to your network with the industry’s leading RADIUS server, 8950 AAA. It provides you the highest level of control and management of a wide range of access services. These services range from simple dial-up remote access using Point-to-Point Protocol (PPP), Local Area Network (LAN) access, wireless (Wi-Fi) and wired, and even access to core network elements such as switches and routers.

RADIUS, or Remote Authentication Dial-In User Service, enables network operators to authenticate, authorize and account (AAA) for users. The RADIUS protocol defines communications between an access device or server and the RADIUS server. RADIUSbased security ensures that only users who meet your access criteria will be allowed access to a resource. The 8950 AAA server provides this functionality within an extensible, easy-to-use environment.

This manual introduces you to 8950 AAA through its friendly user interface, the Server Management Tool (SMT) and its integrated policy configuration tool, the PolicyAssistant. These tools provide a simple way to configure 8950 AAA for the most common AAA applications.

The PolicyAssistant creates, manages, and applies policies to control how and when users access your network. A policy is a set of rules that 8950 AAA uses to determine how users are authenticated, how access is authorized and configured, and how accounting data is stored.

The PolicyAssistant can be configured to support as many access policies as your network may require. You decide how many policies are necessary based on your business needs. These needs can include the type of services your network provides, your equipment requirements, your customers’ requirements, or the geographic location of your customers.

365-360-001R6.0	i
Issue 1, December 2008

Where to go First

Audience

This guide is designed to be used by qualified system administrators and network managers. Knowledge of basic networking concepts is required to successfully install 8950 AAA. You should be familiar with RADIUS server installation, configuration, and use.

Where to go First

How to Start

For more information about installing 8950 AAA and general software and hardware requirements, read the 8950 AAA Quick Start Guide.

If you are new to 8950 AAA, the links below should help determine where to go first:

Ready to configure 8950 AAA?

With the Server Management Tool (SMT) running, you should see the Policy Flow Editor in the Navigation pane as shown in Figure 1-1.

Figure 1-1 Server Management Tool-Navigation Screen

If you have already installed 8950 AAA and know how to launch the SMT, refer to the section “Using the Policy Wizard” on 9-4 to begin configuring your RADIUS environment.

ii	365-360-001R6.0
	Issue 1, December 2008

How This Manual Is Organized

Looking for the PolicyAssistant?

If you cannot find the PolicyAssistant in the Navigation pane when the Server Management Tool is running, refer to the section “Installing the PolicyAssistant and the Policy Flow Editor” on 3-13 to learn how to install the PolicyAssistant.

Attempting to start the Server Management Tool?

If you need help launching the Server Management Tool (SMT), refer to the section “Preparing to Create Your First Policy” on 9-3 to learn more about the SMT.

What is RADIUS?

If you are new to the RADIUS world of access control, refer to “RADIUS Terms Explained” on 1-3 to learn more about 8950 AAA and RADIUS terminology.

How This Manual Is Organized

Manual organization

This manual covers the steps necessary to set up your 8950 AAA server, clients, and user profiles to process user requests for network access. The manual is organized as follows:

Chapter 1, “Introduction to 8950 AAA”

This section provides an introduction to 8950 AAA and some of the terms that you will encounter when working with the 8950 AAA product.

Chapter 2, “8950 AAA Server Management Tool Overview”

This chapter covers the Server Management Tool layout and how to install the

PolicyAssistant.

Chapter 3, “Server Management Tool Command Set”

This chapter discusses the Server Management Tool commands that are accessible from the menu bar, toolbar, and navigation pane of the user interface.

Chapter 4, “Managing 8950 AAA Servers”

This chapter addresses methods in controlling the behavior of 8950 AAA Servers.

Chapter 5, “Configuring 8950 AAA Client Properties”

This chapter discusses the process of configuring clients such as Network Access Servers (NASs) or other access points with the 8950 AAA SMT.

365-360-001R6.0	iii
Issue 1, December 2008

How This Manual Is Organized

Chapter 6, “Configuring 8950 AAA Realm Routing Table Properties”

This chapter discusses the process of configuring the Realm Routing Table.

Chapter 7, “Configuring 8950 AAA Remotely”

This chapter discusses the process of configuring the 8950 AAA remotely.

Chapter 8, “Using the 8950 AAA Policy Flow Editor”

This chapter discusses the process of configuring and creating necessary entities for the Policy Flow Editor in the 8950 AAA Server Management Tool.

Chapter 9, “Using the 8950 AAA Policy Assistant in Server Management Tool”

This chapter discusses the process of how to use, configure, and create necessary entities for the PolicyAssistant in the 8950 AAA Server Management Tool.

Chapter 10, “Configuring 8950 AAA USSv2”

This chapter discusses the process of configuring the 8950 AAA USSv2 functionality.

Chapter 11, “Configuring 8950 AAA Operators”

This chapter provides information about defining administrator access to 8950 AAA. It defines different administrator roles and functions. It also provides information on how to use the SMT Operators panel.

Chapter 12, “Configuring Simple Address Manager”

This chapter discusses the tools that are used for the configuration and management of address pool by the Simple Address Manager. Simple Address Manager provides dynamic address pool management.

Chapter 13, “Configuring USS Address Manager”

This chapter discusses the tools that are available for the configuration and management of address pools of 8950 AAA, using Universal State server.

Chapter 14, “Stats Collector”

This chapter discusses about the various parts of 8950 AAA tool that collects statistical information of 8950 AAA.

Chapter 15, “Configuring Reports”

This chapter discusses about the reports configurator for the 8950 AAA tool.

iv	365-360-001R6.0
	Issue 1, December 2008

How This Manual Is Organized

Chapter 16, “Message Logging”

This chapter discusses how to determine the information that is logged, the format for logging it, and the destination for the logged information.

Chapter 17, “Server Statistics”

This chapter covers how to collect statistics for the 8950 AAA server.

Chapter 18, “Using LiveAdministrator”

This chapter discusses how to use the LiveAdministrator panel to manage, diagnose and control the 8950 AAA server.

Chapter 19, “Creating and Managing User Profiles with Files”

This chapter covers how to create a user file and add and edit user profiles.

Chapter 20, “8950 AAA Dictionary Editor”

This chapter provides information about the 8950 AAA Data Dictionary and some of the terms that you will encounter when working with the 8950 AAA product.

Chapter 21, “Managing files”

This chapter discusses 8950 AAA files and how to create and manage them using the File manager panel.

Chapter 22, “8950 AAA Certificate Manager”

This chapter discusses the 8950 AAA Certificate Manager, also known as nrcert. Root certificates generated with nrcert are self-signed certificates.

Chapter 23, “Creating and Managing User Profiles with the Built-in Database”

This chapter discusses how to manage user profiles stored in a Structured Query Language (SQL) database, besides managing database users, administrators, and 8950 AAA tables.

Chapter 24, “Server Diagnostics and Control Commands”

This chapter describes the 8950 AAA server control commands.

Appendix A, “Supplementary Information”

The appendix contains examples of 6 SMT text files that are produced through SMT activity.

365-360-001R6.0	v
Issue 1, December 2008

Conventions

Table 1-1 lists the typographical conventions used throughout this manual.

Table 1-1 Conventions used in the document or manual

Convention	Meaning	Example

boldface	Names of items on screens.	Click the Enable check box.
	Names of commands,	The AuthLocal plug-in
	properties and plug-ins.	compares password attributes.
	Names of buttons you should	Click Validate to check the
	click.	syntax of the method.

Arial boldface	Names of keys you should	Press Enter to continue.
	press.

<angle brackets>	Variables that require you to	http://<server IP address or
	substitute another value.	name>
		where <server IP address or
		name> is the address of name
		of the 8950 AAA server.

italics	Names of manuals or the first	Refer to the 8950 AAA 6.0
	occurrence of a glossary	User’s Guide and
	term.	Reference for more
		information.

Arial italic	Directories, paths, file	The 8950 AAA Web site is
	names, email addresses, and	http://www.8950AAA.com
	Uniform Resource Locators
	(URLs).

click	Press the left mouse button	To view the online help, click
	once.	the book icon on the 8950
		AAA toolbar.

right-click	Press the right mouse button	Right-click a Selector Type to
	once.	view a list of selector types
		for method selection.

double-click	Press the left mouse button	To open the Accounting
	twice.	Method Configuration panel,
		double-click anywhere on the
		tab display.

vi	365-360-001R6.0
	Issue 1, December 2008

Obtaining Technical Support

Technical Support

To contact Alcatel-Lucent for technical support, select the support channel that applies to you.

Support Channel 1: If you have purchased a 8950 AAA support contract, contact Alcatel-Lucent World-Wide Services (LWS):

365-360-001R6.0	vii
Issue 1, December 2008

Obtaining Technical Support

•Customers in the USA and Canada, call 1-866-LUCENT8, Prompt 3. If you are not registered, use Prompt 7.

•Customers in other international locations, call +1-510-74 2000 or +1-410-381-3484

•Alcatel-Lucent Customer Support Web Site: http://www.alcatel-lucent.com/support/

•Alcatel-Lucent Customer Support Web Site: http://support.lucent.com

Support Channel 2: If you have purchased 8950 AAA within the last 90 days, you can contact Lucent Technologies World-Wide Services (LWS) for email support:

•Alcatel-Lucent Customer Support Web Site: http://support.lucent.com

Important! If you are a first time LWS support user OR if you have not yet registered your 8950 AAA service contract, contact LWS.

Support Channel 3: If you are evaluating 8950 AAA for purchase or need sales information or technical support (but do not have a support contract), contact us for:

•Technical support questions, review the 8950 AAA Discussion Forum:

http://www.8950AAA.com/cgi-bin/dcforum/dcboard.cgi

•Pre-sales product questions, send an email to: tech-sales@8950AAA.com

•Sales information, send an email to sales@8950AAA.com

•Queries from Alcatel-Lucent employees, Sales Teams, VARS and Resellers, send an

email to: radius-internal@8950AAA.com

•Other non-technical requests, send an email to: tech-sales@8950AAA.com

How to Comment

To comment on this information product, Online(<http://www.lucent-info.com/comments>http://www.lucent-

info.com/comments/) email your comments to the Comments Hotline: comments@alcatellucent.com.

viii	365-360-001R6.0
	Issue 1, December 2008

Part 1: Configuration Tools

Navigation Pane

Overview

Purpose

This part consolidates the chapters related to Configuration Tools in the SMT Navigation pane.

Contents

This part includes the following chapters.

Chapter 1, “Introduction to 8950 AAA”		1-1

Chapter 2, “8950 AAA Server Management Tool Overview”		2-1

Chapter 3, “Server Management Tool Command Set”		3-1

Chapter 4, “Managing 8950 AAA Servers”		4-1

Chapter 5, “Configuring 8950	AAA Client Properties”	5-1

Chapter 6, “Configuring 8950	AAA Realm Routing Table Properties”	6-1

Chapter 7, “Configuring 8950	AAA Remotely”	7-1

Chapter 8, “Using the 8950 AAA Policy Flow Editor”		8-1

Chapter 9, “Using the 8950 AAA Policy Assistant in Server Management Tool”		9-1

Chapter 10, “Configuring 8950 AAA USSv2”		10-1

Chapter 11, “Configuring 8950 AAA Operators”		11-1

Chapter 12, “Configuring Simple Address Manager”		12-1

Chapter 13, “Configuring USS Address Manager”		13-1

365-360-001R6.0	1-1
Issue 1, December 2008

1-2	365-360-001R6.0
	Issue 1, December 2008

1 Introduction to 8950 AAA

Overview

Purpose

This chapter provides an introduction to 8950 AAA and some of the terms that you will encounter when working with the 8950 AAA product.

The following topics are included in this chapter:

What is 8950 AAA?	1-1

RADIUS Terms Explained	1-3

What is 8950 AAA?

Overview

8950 AAA is server software that is used to manage secure access to networks, servers, and information services. Network elements that use a RADIUS server to manage access are known as clients. An example of a RADIUS client might be a network access server (NAS), a Wi-Fi access point, or even a Web page. 8950 AAA is a tool that promotes system integrity not only for the network server, but also for the client-server relationship.

The next section provides a scenario showing the role that 8950 AAA plays within a network.

Overview of Client-Server Access

8950 AAA provides access management for a client system. Figure 1-1 illustrates basically how this is done. The term Network Access Server (NAS) is a term for a network element that provides dial-up access services to a network. After the user connects to the NAS, the NAS receives the user name and password from the user’s computer.

365-360-001 R6.0	1-1
Issue 1, December 2008

Introduction to 8950 AAA

What is 8950 AAA?

............................................................................................................................................................................................................................................................
	Figure 1-1 Accessing a Service
	REQUEST		ACCESS-
	FOR		REQUEST	Radius	UNIVERSAL
	FOR		REQUEST		STATE
	SERVICE	NETWORK		Server	SERVER
		NETWORK
		ACCESS
		SERVER			USSV2
	SESSION	(NAS)	ACCESS	Configuration	USSV2
USER	SESSION		ACCESS	Server	Configuration
USER	STARTS		RESPONSE	Server	Server
	STARTS		RESPONSE
				8950 AAA SERVER

The NAS places this information into a RADIUS data packet called an Access-Request. This data packet identifies the NAS, the port used for connection, the user name, the password, and other information about the session.

The Access-Request is sent from the client to the server and asks the server if the user is allowed to use the requested services and access the network.

The process the server then follows may include the following actions, although none are required:

•Finding information about the user

•Validating the user’s identity against information in a user profile

•Returning an answer (accept or reject) to the RADIUS client

A user profile contains information about a user that 8950 AAA uses to process a RADIUS request. The information usually includes the user name and password, and might include other information needed to implement local access policies. User profiles can be stored in files, databases, directories, Web-based services, etc. We call the location of the user profile the user source.

If local policy requirements are met then an authentication acknowledgement called an Access-Accept, is sent to the NAS along with other information defining specific settings for the user session. If local policy requirements are not matched, then the Access-Request is rejected by sending an Access-Reject message to the NAS.

1-2	365-360-001 R6.0
	Issue 1, December 2008

Introduction to 8950 AAA RADIUS Terms Explained

RADIUS Terms Explained

Radius Overview

RADIUS is a client-server data communications protocol. The RADIUS protocol defines the types and contents of messages that can be exchanged in order to successfully access a system or service. The term RADIUS is an acronym that stands for Remote Authentication Dial-In User Services.

A RADIUS server is an example of an authentication, authorization and accounting

(AAA-pronounced as “triple-A”) server because it authenticates a user, authorizes network access, records usage:

•Authentication–validating the user’s identity

•Authorization –validating that the user is allowed to do what was requested

•Accounting – recording information about a user’s session

The AAA environment is based on a client/server relationship. 8950 AAA implements the server functions and communicates with clients, such as Network Access Servers (NASs). The client is responsible for passing user information to RADIUS servers and acting on the response it receives. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and authorizing access, and then returning configuration information necessary for the client to deliver service to the user.

The RADIUS client controls the access protocols that are used. Within the protocol, RADIUS Attributes provide the vocabulary used for communication between RADIUS clients and servers. They provide authentication and authorization information, define session parameters, and record session accounting information. In the RADIUS protocol, attributes are defined by a number, a name, and a data type. For example, attribute number 1 is called User-Name and contains string, that is, character data. Each attribute contained in a RADIUS packet is assigned a value. For example, User-Name = Bob. This combination of an attribute name and an associated value is called an Attribute Value Pair (AVP).

When configuring 8950 AAA, attributes are used in two ways: to return session settings to the client and to provide access check data in the authorization process. When used in these two ways, attributes are often called reply-items and check-items, respectively.

8950 AAA uses policies to define a set of rules that the server uses to determine access rights, user privileges, and accounting practices based on information contained in the Access-Request and information about the user who is requesting access. A policy defines the rules and steps the server follows to complete the process described above.

365-360-001 R6.0	1-3
Issue 1, December 2008

Introduction to 8950 AAA RADIUS Terms Explained

8950 AAA requires that at least one policy be defined, but it can be configured to handle many policies. You decide how many policies are necessary based on your business needs. The needs can range from the type and level of services you provide, equipment requirements, and customer requirements, to the geographic location of your customers and the time of day.

This document will describe use of the 8950 AAA PolicyAssistant to define access policies. It is also possible to create custom access policies using the 8950 AAA PolicyFlow programming language. Please refer to the 8950 AAA Programmer’s Reference Manual.

Authentication and Authorization Activities

As mentioned previously, a user source is a data repository that contains user information called user profiles. 8950 AAA can access information stored in a variety of user sources. A user source might be one of the following:

•Standard text files, such as a RADIUS User file commonly used in publicly available RADIUS servers

•SQL databases, such as Oracle, Sybase, MySQL, or the built-in database

•An LDAP (Lightweight Directory Access Protocol) server or a server that supports LDAP queries, for example, Microsoft Active Directory or Novell NetWare directory

A user profile typically contains the user’s name and password. Some user profiles may also contain information that describes the connection type, allowed services, authentication means, and session limits specific to a user.

The term authentication source refers to the place where the user’s authentication information, typically a password, is stored, for example, the user’s profile, or an external service that authenticates the user. An example of an external service is a secure token server.

Table 1-1 provides a list of supported sources for user profiles and a description of each. It is possible to read a user profile from one source and use a different source for authentication. For example, the user profile might be stored in LDAP while an RSA ACE (SecurID) might be used for authentication.

Table 1-1 Supported Sources for User Profiles

User Source	Description

RADIUS User File	A text file that conforms to a traditional format as
	used in many freeware RADIUS servers

1-4	365-360-001 R6.0
	Issue 1, December 2008

Introduction to 8950 AAA RADIUS Terms Explained

User Source	Description

SQL Database	A database that accepts SQL (Structured Query
	Language) queries, for example, the built-in 8950
	AAA database, and has a JDBC (Java Database
	Connectivity) driver

LDAP Directory	A directory service supporting LDAP (Lightweight
	Directory Access Protocol)

Microsoft Active Directory via LDAP	Directory service that is a part of Windows 2000,
	Windows XP, and Window 2003 Servers, using an
	LDAP interface.

Windows SAM	Windows Security Accounts Manager server that sits
	on top of the Windows 2000, Windows XP, and
	Window 2003 operating systems. This is only
	available when 8950 AAA is running on a Windows
	platform, local account, Windows domain, or
	Windows Active Directory.

UNIX System	When running on a supported UNIX or Linux system, 8950
	AAA can retrieve user name and password
	information using the operating system.

Password File	8950 AAA can read the UNIX /etc/shadow or
	/etc/passwd files to access passwords for
	authentication.

ACE/Server	8950 AAA acts as a client for communicating with an
	RSA ACE/Server.

SafeWord	8950 AAA can communicate with a SafeWord server.

Proxy	8950 AAA can proxy (forward) data to another server
	that verifies the user name and password for
	authentication. It then waits for a response.

Accounting Activities

In addition, the 8950 AAA server can collect and store session and billing data. The server can save this data to text files (RADIUS Detail file), the built-in database, or any SQL database that supports a Java Database Connectivity (JDBC) driver, or forward the data to another RADIUS server.

E N D O F S T E P S

........................................................................................................................................................

365-360-001 R6.0	1-5
Issue 1, December 2008

Introduction to 8950 AAA RADIUS Terms Explained

1-6	365-360-001 R6.0
	Issue 1, December 2008

2 8950 AAA Server

Management Tool Overview

Overview

Purpose

This section describes how to utilize the 8950 AAA Server Management Tool. It contains information about how to start and how to navigate through the application. It describes the look and feel of the graphical user interface and lists the commands that are available to interact with 8950 AAA successfully.

The following topics are included in this chapter:

Purpose of the Server Management Tool	2-1

Starting the Server Management Tool	2-2

The Server Management Tool User Interface	2-4

Purpose of the Server Management Tool

Overview

The 8950 AAA Server Management Tool (SMT) is an application that is used for configuring and managing 8950 AAA servers. It utilizes a graphical user interface or GUI that interfaces to the 8950 AAA server. It can be used to manage all aspects of server operation. The SMT also displays real-time statistical information from the RADIUS servers and Universal State Server (USS) systems.

The SMT is a standalone application that is started and run independently of the 8950 AAA server. The SMT may be run on the same computer as 8950 AAA or on a different computer. When the SMT is not run on the same platform as 8950 AAA then a small application called the 8950 AAA server must be started on the 8950 AAA platform before the SMT can be used.

365-360-001 R6.0	2-1
Issue 1, December 2008

8950 AAA Server Management Tool Overview Starting the Server Management Tool

Figure 2-1 illustrates the 8950 AAA SMT architecture.

Figure 2-1 8950 AAA System with SMT

REQUEST		ACCESS-
FOR		ACCESS-
SERVICE		REQUEST	RADIUS	UNIVERSAL
	NETWORK		RADIUS	STATE
SESSION	ACCESS		SERVER	SERVER
	ACCESS	ACCESS		SERVER
	SERVER
STARTS	SERVER
STARTS	(NAS)	RESPONSE	8950 AAA	USSV2
		RESPONSE	8950 AAA	USSV2
			SERVER	CONFIGURATION
				SERVER
			8950 AAA SERVER
	ADMINISTRATOR
8950 AAA SMT

The SMT contains a variety of tools including a menu bar, toolbar, navigation tools, and windows that provide the means to make server requests.

The following sections describe how to start the application and a basic overview of the GUI tools and commands.

Starting the Server Management Tool

How to start

To open the SMT, execute either of the following procedures:

2-2	365-360-001 R6.0
	Issue 1, December 2008

8950 AAA Server Management Tool Overview Starting the Server Management Tool

1. On a Windows platform:

From the Windows desktop, double-click the Server Management Tool icon/click the Start button to display the Start Menu. Select Programs to display the Programs Menu. Select 8950 AAA 6.0. Click Server Management Tool.

On a UNIX/Linux platform:

Run the following command in the bin directory.

aaa-smt -u <user_name> -p <password>

For example, enter the following command line at the command prompt:

/AAA/bin/aaa-smt

Result: The 8950 AAA SMT Window opens and the login panel appears as shown in Figure 2-2.

Figure 2-2 SMT Login Panel

2.Enter the appropriate 8950 AAA User Name and Password.

Important! This can be an administrator name or a user configured for operator access.

3.Select the appropriate Connect option for your 8950 AAA server.

You can open and edit files locally or connect to a remote 8950 AAA Server with the SMT.

Result: When the SMT is not running on the same platform as the 8950 AAA server, the Configuration Server is used to execute commands issued by the SMT. In this case, the Configuration Server must be running on the 8950 AAA server. Enter the Host name or IP address to connect to a remote 8950 AAA server as shown in Figure 2-3.

365-360-001 R6.0	2-3
Issue 1, December 2008

8950 AAA Server Management Tool Overview The Server Management Tool User Interface

Figure 2-3 SMT Login Panel–Connecting to Configuration Server

Important! Each instance of the SMT can only manage one 8950 AAA server at a time.

4.Choose the appropriate Host/IP address to connect to the appropriate 8950 AAA server.

5.Click Connect to connect to the mentioned host or 8950 AAA server.

Important! Appropriate certificates are installed during the initial installation of 8950 AAA server to use the Use Secure Connection option.

Important! Command to start the config server on Solaris is:

../bin/aaa start config

The Server Management Tool User Interface

SMT Interface

When you run the SMT, a window appears such as in the example in Figure 2-4. The following screen shows an example of the default screen.

2-4	365-360-001 R6.0
	Issue 1, December 2008

8950 AAA Server Management Tool Overview The Server Management Tool User Interface

Figure 2-4 The SMT User Interface–Default screen

Navigation pane

The main frame of the window, located below the taskbar, is called the Data pane. The following screen shows an example of a Data pane when clicked on one of the menu options from the Navigation Pane.

365-360-001 R6.0	2-5
Issue 1, December 2008

8950 AAA Server Management Tool Overview The Server Management Tool User Interface

Figure 2-5 SMT–Data Pane with example

Data pane

Important! A pane is a portion of a Window that behaves as a container. It can hold objects. A panel is a Window that can have GUI components such as tabs, text fields, buttons, and panes. Panels can be resized, minimized, and maximized within the SMT.

On the left side of the SMT window, beneath the toolbar, the Navigation pane lists 5 groups of configuration and management panels. If the user selects an item from the Navigation pane, a panel is displayed in the Data pane. The Data pane can display multiple panels simultaneously.

SMT Menu Bar

The 8950 AAA SMT menu bar appears at the top of the SMT interface as a list of menus as shown in Figure 2-6.

2-6	365-360-001 R6.0
	Issue 1, December 2008

+ 446 hidden pages

Alcatel-Lucent 8950 AAA User Manual

About this information product

Where to go First

How This Manual Is Organized

Conventions

Recommended Reading

Obtaining Technical Support

1 Introduction to 8950 AAA

What is 8950 AAA?

RADIUS Terms Explained

Purpose of the Server Management Tool

Starting the Server Management Tool

The Server Management Tool User Interface