What is an AAA Server?
AAA is an abbreviation of the three English words Authentication, Authorization, and Accounting. An AAA server is a server program that handles user access requests and provides authentication, authorization, and accounting services. Its main purpose is to manage users' access to network servers and to provide services to the users that are granted access.
AAA server
How to bill users who are using network resources? Specifically:
1. Authentication: verifies whether the user is allowed access.
RADIUS protocol
Protocol overview
Diameter base protocol
The Diameter base protocol provides the most basic services for applications such as Mobile IP and Network Access Server (NAS) access, such as user sessions and accounting, together with functions such as capability negotiation and error notification. Protocol elements consist of numerous commands and AVPs (Attribute Value Pairs).
In a mobile communication system, a user who wants to access network resources must first be authenticated by the network. Authentication verifies the legitimacy of the user's identity; once it is complete, the user's access to network resources can be authorized, and that access can be charged for and managed. Generally speaking, the authentication process involves three entities: the user (client), the authenticator, and the AAA server (Authentication, Authorization, and Accounting server). In early versions of the third-generation mobile communication system, the user was also called the MN (mobile node), the authenticator was implemented in the NAS (Network Access Server), PPP was used between them, and an AAA protocol was used between the authenticator and the AAA server. The protocol used previously was RADIUS (Remote Authentication Dial-In User Service); in English, "radius" originally means the radius of a circle. Its original purpose was to authenticate and charge dial-up users; after several later improvements it became a general-purpose authentication and accounting protocol.
RADIUS is a client/server (C/S) protocol. Its client was originally the NAS (Network Access Server); any computer running RADIUS client software can act as a RADIUS client. The RADIUS authentication mechanism is flexible and can use PAP, CHAP, or Unix login authentication. RADIUS is an extensible protocol: all of its work is based on Attribute-Length-Value vectors. The basic working principle of RADIUS is as follows. The user connects to the NAS, and the NAS submits the user information, including user name and password, to the RADIUS server in an Access-Request packet. The user password is hidden using MD5 together with a shared secret known to both parties; the secret itself is never transmitted over the network. The RADIUS server checks the validity of the user name and password and, if necessary, can issue a Challenge to require further authentication from the user, or a similar challenge to the NAS. If the credentials are valid, it returns an Access-Accept packet to the NAS so the user can proceed; otherwise it returns an Access-Reject packet to deny access. If access is allowed, the NAS sends an Accounting-Request to the RADIUS server; once the server acknowledges it with an Accounting-Response, billing for the user starts, and the user can at the same time carry out their own operations.
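To make the Access-Request exchange described above concrete, here is an added Python example (not code from the page or from any RADIUS implementation) that builds an Access-Request with the User-Password hidden as RFC 2865 prescribes and parses it back on the server side; the shared secret and Request Authenticator are constructed values.

```python
import hashlib
# Added example of the RFC 2865 Access-Request layout; not code from the page.
# Constructed values: a real NAS uses a long random secret and a fresh random
# 16-byte Request Authenticator for every request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2

def hide_password(password: bytes, secret: bytes, auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each chunk with
    MD5(secret + previous output block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on received blocks."""
    out, prev = b"", auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """One Attribute-Length-Value element: 1-byte type, 1-byte total length, value."""
    return bytes([attr_type, 2 + len(value)]) + value

def build_access_request(ident: int, user: bytes, password: bytes) -> bytes:
    """Code(1) + Identifier + Length + Request Authenticator + attributes."""
    body = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, SECRET, REQUEST_AUTH))
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + REQUEST_AUTH + body

def parse_packet(packet: bytes) -> tuple:
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("length field does not match packet")
    code, ident, length = packet[0], packet[1], len(packet)
    attrs, pos = {}, 20
    while pos < length:
        ln = packet[pos + 1] if pos + 2 <= length else 0
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + ln]
        pos += ln
    return code, ident, packet[4:20], attrs
```

The masking is only as strong as the shared secret, so it should be long and random, and the UDP transport itself should be protected.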
RADIUS is one of the most commonly used authentication and accounting protocols. It is simple, secure, easy to manage, and extensible, so it is widely used. However, the protocol has shortcomings, such as UDP-based transport, a simplistic packet-loss mechanism with no provisions for retransmission, and centralized charging services, which make it poorly suited to the development of current networks; it needs further improvement.
With the introduction of new access technologies (such as wireless access, DSL, Mobile IP, and Ethernet) and the rapid expansion of access networks, increasingly complex routers and access servers have been deployed in large numbers. These new requirements make the disadvantages of the traditional RADIUS design increasingly obvious. 3G networks are gradually evolving into all-IP networks: IP-enabled network entities are used not only in the core network but also in the access network, and mobile terminals have become active IP clients. For example, the R6 release currently planned for WCDMA adds the following features: UTRAN and CN transport enhancements; radio interface enhancements; Multimedia Broadcast/Multicast Service (MBMS); Digital Rights Management (DRM); WLAN-UMTS interworking; priority services; Generic User Profile (GUP); network sharing; interworking between different networks; and so on. In such a network, Mobile IP will be widely used. Terminals that support Mobile IP can move within the home network where they are registered or roam to the networks of other operators. When a terminal wants to access the network and use the various services the operator provides, a strict AAA process is required: the AAA server must authenticate the mobile terminal, authorize the services the user is allowed to use, and collect the user's resource usage to generate billing information. This requires a new generation of AAA protocol, Diameter. In addition, the network reference model in the draft of the IEEE wireless local area network protocol 802.16e also includes an authentication and authorization server (ASA server) to support mobile station handover between different base stations. It can be seen that the AAA server occupies a very important position in future mobile communication systems.
After discussion, the IETF AAA working group agreed to adopt the Diameter protocol as the next-generation AAA protocol standard. (The name Diameter, a diameter being twice a radius, signals that the Diameter protocol is an upgraded version of the RADIUS protocol.) The protocol family includes the base protocol, the NAS (Network Access Server) protocol, the EAP (Extensible Authentication Protocol) protocol, the MIP (Mobile IP) protocol, the CMS (Cryptographic Message Syntax) protocol, and others. The Diameter protocol supports Mobile IP, NAS requests, and the authentication, authorization, and accounting of mobile agents. Its implementation is similar to RADIUS: it is also built from AVPs (attribute value pairs, in the form of Attribute-Length-Value triples). However, it specifies error handling and failover mechanisms in detail, adopts TCP as its transport, supports distributed accounting, and overcomes many shortcomings of RADIUS, making it the most suitable AAA protocol for future mobile communication systems. [2]
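The Diameter AVP encoding mentioned above and in the base-protocol section, as an added Python example that is not from the page or any Diameter stack: it encodes AVPs with the V/M flags, optional Vendor-Id and 4-byte padding, and shows how a receiver must treat an unknown AVP whose M flag is set; AVP code 9999 and all values are constructed.

```python
# Added example of the RFC 6733 AVP layout; not code from the page or any Diameter stack.
# Codes 1 (User-Name) and 263 (Session-Id) are base-protocol codes and 10415 is the
# 3GPP Vendor-Id; code 9999 and all data values are constructed for this example.
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20  # Vendor-specific, Mandatory, Protected

def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id: int = 0) -> bytes:
    """AVP = 32-bit code, 8 flag bits, 24-bit length (header + data, excluding
    padding), optional 32-bit Vendor-Id, then data padded to a 4-byte boundary."""
    flags = (FLAG_M if mandatory else 0) | (FLAG_V if vendor_id else 0)
    header_len = 12 if vendor_id else 8
    out = code.to_bytes(4, "big") + bytes([flags]) + (header_len + len(data)).to_bytes(3, "big")
    if vendor_id:
        out += vendor_id.to_bytes(4, "big")
    return out + data + b"\x00" * (-len(data) % 4)

def decode_avps(buf: bytes, known_codes: set) -> list:
    """Walk a run of AVPs and return [(code, vendor_id, data)]. An unknown AVP with
    the M flag set must not be silently skipped: a conforming peer rejects the
    message (DIAMETER_AVP_UNSUPPORTED), so here it raises instead."""
    avps, pos = [], 0
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = int.from_bytes(buf[pos:pos + 4], "big")
        flags = buf[pos + 4]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header_len = 12 if flags & FLAG_V else 8
        if length < header_len or pos + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = int.from_bytes(buf[pos + 8:pos + 12], "big") if flags & FLAG_V else 0
        if flags & FLAG_M and code not in known_codes:
            raise ValueError(f"unsupported mandatory AVP {code}")
        avps.append((code, vendor_id, buf[pos + header_len:pos + length]))
        pos += length + (-length % 4)  # step over the padding too
    return avps
```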