ZXUN UniA Product Description

ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved.

Version Date Author Approved By Remarks

V1.00 2008-12-18 Not open to the Third Party

© 2008 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be disclosed or used without the prior written permission of ZTE.

Due to updates and improvements of ZTE products and technologies, the information in this document is subject to change without notice.

TABLE OF CONTENTS

1 General Description
1.1 General Introduction
1.2 System Architecture
1.3 Standards Compliance

2 Product Features
2.1 Large-capacity and High Performance
2.2 Abundant Network Access Capability
2.3 Flexible Accounting Mechanism
2.4 High Security and High Reliability Mechanism
2.5 Easy-to-Operate and Easy-to-Manage

3 AAA Functions Introduction
3.1 Data Integration
3.1.1 Multi Network Convergence Access
3.1.2 Visited AAA/Broker AAA/Home AAA
3.1.3 AAA and AN-AAA Database Fusion
3.2 Authentication and Authorization
3.2.1 Distributed Authentication and Accounting Processing
3.2.2 User Authentication Algorithm
3.2.3 User Authentication Strategy
3.2.4 User Authorization
3.2.5 Simple IP Access
3.2.6 CMIP Access
3.2.7 PMIP Authorization
3.2.8 IP Accessibility Service
3.3 Accounting
3.3.1 Postpaid Accounting
3.3.2 Prepaid Accounting of Radius Protocol
3.3.3 Prepaid Accounting of Diameter Protocol
3.3.4 Content Accounting
3.3.5 CDR Management
3.4 Agent Forward
3.4.1 Choose Route Agent Based on Realm
3.4.2 Choose Route Agent Based on IMSI Prefix
3.4.3 Default Routing
3.4.4 Routing Agent for Dynamic Authorization Messages
3.5 Expansion Function
3.5.1 State Test of Adjacent Node
3.5.2 WAP User Access
3.5.3 Multi-WAP Gateway Access
3.5.4 Different WAP Gateway Sharing IP Address
3.5.5 1x/EVDO Access Control
3.5.6 Access to Multi-PPS/SCP
3.5.7 LNS IP Address Mapping
3.5.8 LNS Redundancy and Load Sharing
3.5.9 DM Dynamic Management
3.5.10 User Online Session Management
3.5.11 Automatic Binding between NAI and IMSI
3.5.12 Binding Restriction of IMSI Number with NAI
3.5.13 Many-to-many Binding of IMSI and VPN
3.5.14 Temporary Account
3.5.15 Period Access Control
3.5.16 User Lock
3.5.17 IPV6 and IPV4 Dual-stack
3.5.18 BCMCS Service Authorization, Authentication and Accounting
3.6 Acceptance
3.6.1 Acceptance Table
3.6.2 BOSS Interface Acceptance
3.7 Lawful Interception
3.8 Abnormality Handle Mechanism

4 AN-AAA Function Introduction
4.1 Data Fusion
4.1.1 Visited AN-AAA/Broker AN-AAA/Home AN-AAA
4.1.2 AN-AAA and AAA Database Fusion
4.2 Authentication and Authorization
4.2.1 User Authentication Algorithm
4.2.2 User Free-of-Authentication
4.2.3 Hardware Authentication
4.2.4 CAVE Authentication Based on pESN
4.2.5 MNID Authorization
4.2.6 Profile Authorization
4.2.7 Customized Attribute Authentication
4.3 Agent Forward Function
4.3.1 Choose Route Agent Based on Realm
4.3.2 Choose Route Agent Based on IMSI Prefix
4.3.3 Default Routing
4.4 Expansion Function
4.4.1 User Lock
4.4.2 Refuse Access In Permanently
4.4.3 CAVE Authentication Synchronize Counter
4.4.4 Roaming Restriction

5 Interfaces and Communication
5.1 Physical Interfaces
5.2 Logic Interfaces
5.2.1 Interface between AAA and PDSN/HA/AAA/WAP Gateway
5.2.2 Interface between AAA and OCS
5.2.3 Interface between AAA and PPS/SCP
5.2.4 Interface between AAA and Accounting Center
5.2.5 Interface between AAA and ISPP
5.2.6 Interface between AAA and LIC
5.2.7 Interface between AN-AAA and AN
5.2.8 Interface between AN-AAA and HLR
5.2.9 Interface between AN-AAA and ISPP

6 System Architecture
6.1 Hardware Architecture
6.2 Software Architecture

7 System Security and Reliability
7.1 Redundancy Mechanism
7.2 Dual-network Dual-plane Networking
7.3 Automatic Monitoring Process
7.4 Overload Control
7.5 Security Management

8 Technical Indices and Regulations
8.1 Capacity Indices
8.2 Performance Indices
8.3 Electricity Indices
8.3.1 Server Rack Indices
8.3.2 Alarm Box Indices
8.4 Working Environment
8.5 Environmental Indices
8.5.1 Cleanliness Requirement
8.5.2 Lighting Requirement
8.5.3 Barometric Pressure Requirement
8.5.4 Air Requirement
8.5.5 Fire Control Requirement
8.5.6 Shockproof Requirement
8.5.7 Lightning Protection Requirement
8.5.8 Anti-Electromagnetic Radiation Requirement
8.5.9 Antistatic Requirement
8.6 Reliability Indices

9 Operation and Maintenance
9.1 Fault Management
9.2 Configuration Management
9.3 Statistics Function
9.4 Signaling Tracing
9.5 Log Management
9.6 Network Management Interfaces
9.7 Security Management
9.7.1 User Management
9.7.2 Role Management
9.7.3 Authentication and Authorization
9.7.4 Security Strategy Management

10 Abbreviation

FIGURES

Figure 1 Network Architecture Based on CDMA2000 1X/EV-DO System
Figure 2 Protocol Models of Interface between AAA and PDSN/HA/AAA/WAP Gateway
Figure 3 Protocol Models of Interfaces between AAA and OCS
Figure 4 Protocol Models of Interfaces between AAA and PPS/SCP
Figure 5 Interface Protocol Model between AAA and LIC
Figure 6 Interface Protocol Model between AN-AAA and AN
Figure 7 Interface Protocol Model between AN-AAA SS7 Front PC and HLR
Figure 8 AAA Hardware Architecture
Figure 9 AAA Software Architecture

TABLES

Table 1 CN Packet System NE Function Introduction
Table 2 Server Rack Indices
Table 3 Alarm Box Indices
Table 4 Temperature and Humidity
Table 5 Abbreviation

1 General Description

1.1 General Introduction

The ZXPDSS packet data switch system is an important part of the CDMA2000 1X/EV-DO digital cellular mobile communication system. The ZXUN UniA system supports the AAA and AN-AAA functions and is capable of multi-network convergence, covering CDMA 1X/EV-DO, WLAN, WiMAX, WCDMA and fixed network access. It can provide perfect solutions.

1.2 System Architecture

Please see Figure 1.

[Figure 1: network diagram. Labels in the diagram: cdma2000 1X (BTS, BSC/PCF, MSC/VLR, HLR/AUC), cdma2000 EV-DO (BTS, BSC/PCF), WLAN (AP, AC), IP Network, ISPP, AN-AAA, LNS, AAA, PSTN, Router, PDSN/FA, HA, Firewall, Internet, Intranet, LIC (Option), PPS/SCP (Option), OCS, Billing Center.]

Figure 1 Network Architecture Based on CDMA2000 1X/EV-DO System

ZTE CDMA2000 1X/EV-DO packet data switch system includes the following products:

ZXPDSS P200: Packet Data Serving Node (PDSN)

ZXPDSS H200: Home Agent (HA)

ZXPDSS B200: Broadcast Service Node (BSN)

ZXUN UniA: Authentication, Authorization, Accounting (AAA & AN-AAA)

Table 1 CN Packet System NE Function Introduction

Equipment | Introduction

PDSN | PDSN (Packet Data Serving Node): It serves as the access gateway between the wireless network and the packet data network, provides Simple IP and Mobile IP access modes, and provides Internet or Intranet access service for CDMA2000 mobile stations. When providing Mobile IP access service, the PDSN is integrated with the FA function.

HA | HA (Home Agent): It is located in the MS home network, maintains MS location information, and establishes the mapping between the MS IP address and the MS handover address. When a mobile station leaves its registered network, it needs to register with the HA. After the HA receives a packet sent to the mobile station, the packet is sent through the tunnel between the HA and the FA, decapsulated and sent to the MS. The HA is needed only for Mobile IP service.

BSN | BSN (Broadcast Service Node): It carries the BCMCS service, maintains the broadcast channel with the BSC/PCF, performs program registration and session information acquisition, and establishes and maintains the bearer channel with the content server. The BSN applies the stream processing mechanism authorized by the BCMCS controller to multicast IP streams. It also receives, copies and distributes broadcast media streams from the content server. The BSN is needed only when BCMCS is available.

AAA | AAA (Authentication, Accounting, and Authorization Server): Also called the RADIUS server. The AAA server authenticates packet data users and authorizes them according to subscription information. The AAA server is also capable of packet data call accounting.

AN-AAA | AN-AAA (Access Network-AAA Server): The AN-AAA performs AN-level access authentication, and validates and authorizes the legality of the EV-DO terminal ID.

1.3 Standards Compliance

The ZXPDSS CDMA2000 packet data switch system provides open interfaces based on 3GPP2.P.S001-A and RFCs, and supports the following protocols and standards:

[1] RFC 2865, Remote Authentication Dial In User Service (RADIUS)

[2] 3GPP2 P.S0001-A V3.0.0 Wireless IP Network Standard, July 2001

[3] RFC 4282, the Network Access Identifier

[4] RFC 2104, HMAC: Keyed-Hashing for Message Authentication

[5] RFC 3748, Extensible Authentication Protocol (EAP)

[6] RFC 4017, Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs

[7] RFC 3579, RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)

[8] RFC 2869, RADIUS Extensions

[9] RFC 2866, RADIUS Accounting

[10] RFC 3344, IP Mobility Support for IPv4

MSCHAPv2, G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC2759

[11] RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

[12] RFC 3775, Mobility Support in IPv6

[13] RFC 2868, RADIUS Attributes for Tunnel Protocol Support

[14] RFC 3012, Mobile IPv4 Challenge/Response Extensions

[15] draft-ietf-mip4-gen-ext-01.txt

[16] RFC 2548, Microsoft Vendor-specific RADIUS Attributes

[17] RFC 4372, Chargeable User Identity

[18] RFC 2618, RADIUS Authentication Client MIB

[19] RFC 2619, RADIUS Authentication Server MIB

[20] RFC 2620, RADIUS Accounting Client MIB

[21] RFC 2621, RADIUS Accounting Server MIB

2 Product Features

2.1 Large-capacity and High Performance

1 It adopts distributed authentication and authorization, and provides large-capacity, high-performance products.

2 It supports smooth upgrading to distributed-architecture products with uniform user data management, and can offer operators natural redundancy and large-capacity redundancy solutions.

3 AAA supports smooth evolution to the HSS, offering operators a network with sustainable development.

2.2 Abundant Network Access Capability

1 AAA strictly complies with the related standards and interface specifications of 3GPP2, CCSA, China Telecom and China Unicom, with perfect connectivity and compatibility.

2 AAA supports authentication, authorization and accounting methods for CDMA, WLAN, WiMAX, WCDMA and fixed network access, which makes it convenient to integrate AAA with multiple networks. AAA provides operators with a variety of access modes and application scenarios, and offers a unified access network data management platform.

3 AAA can be deployed together with or separately from AN-AAA, flexibly and economically.

4 AAA supports multiple authentication methods (CHAP, PAP, CAVE, UAM, EAP-AKA, EAP-TLS (PSK), EAP-TTLS and EAP-MD5), which meets the diverse access authentication needs of end users.

5 AAA supports rich Profile group configuration. The property information of each group can be flexibly configured to meet a variety of access requirements.

2.3 Flexible Accounting Mechanism

1 AAA supports customized CDRs, flexible CDR fields, and CDRs with or without attributes.

2 AAA supports CDR-file backup and CDR-database backup. AAA also supports a CDR buffer, so that the AAA system keeps working normally in abnormal cases and CDR loss is avoided.

3 AAA supports an all-round billing function including pre-paid, post-paid and content-paid. AAA is compliant with national and international billing interface specifications, and it is easy to define customized accounting strategies.

2.4 High Security and High Reliability Mechanism

1 AAA supports a redundancy mechanism. Two-node cluster hot-backup networking further ensures system reliability through the disk array and cluster software.

2 A software watchdog is designed to monitor, automatically recover and start service processes, which enhances AAA reliability.

3 AAA supports an overload control function to keep the system stable in abnormal cases.

4 The AAA network is dual-network and dual-plane, which avoids single-node failure.

5 AAA supports a security control function and an operator privilege management function.

2.5 Easy-to-Operate and Easy-to-Manage

1 A powerful local support team with fast response and quick customization R&D capability supplies highly efficient technical support and service.

2 It supports the local OMM and the next-higher-level EMS management mechanism, and multiple NBIs (northbound interfaces) such as CORBA, SNMP and FTP, which makes centralized network management much easier.

3 It supports a GUI (Graphical User Interface) and MML (Man Machine Language), which makes O&M easier and more efficient.

4 It provides detailed performance statistics, which are used to analyze performance data, customer habits and network performance, and to make a reasonable network development plan.

3 AAA Functions Introduction

3.1 Data Integration

3.1.1 Multi Network Convergence Access

AAA supports multiple access types, such as WiMAX, CDMA, WLAN, WCDMA and PSTN, for authentication, authorization and accounting. AAA can provide a uniform access network data management platform, because multi-network data fusion meets multiple access scenarios.

In a CDMA network, AAA is connected with the PDSN/HA for authentication, authorization and accounting.

In a WLAN network, AAA is connected with the BRAS/AC for authentication, authorization and accounting.

In a WCDMA network, AAA is connected with the GGSN for authentication, authorization and accounting.

In a WiMAX network, AAA is connected with the AGW/HA for authentication, authorization and accounting.

3.1.2 Visited AAA/Broker AAA/Home AAA

ZXUN UniA supports the Visited AAA, Broker AAA and Home AAA functions.

As a Visited AAA, it receives RADIUS messages from the PDSN and forwards them to the home network according to the agent forwarding strategy.

As a Broker AAA, it receives and forwards RADIUS messages from other AAAs. Generally, multiple AAAs share one Broker AAA to implement the interaction among areas and networks.

As a Home AAA, it processes the authentication, authorization and accounting of user access.

3.1.3 AAA and AN-AAA Database Fusion

It provides uniform management of user information and of operation and maintenance. It works as one logical functional entity that fulfills both access network authentication and IP authentication, which can reduce investment.

AAA and AN-AAA can be deployed separately or integrated, which gives a flexible networking mode.

3.2 Authentication and Authorization

3.2.1 Distributed Authentication and Accounting Processing

The AAA system provides distributed authentication and accounting processing: authentication, authorization and accounting can be implemented on different server nodes, which improves processing performance and reliability.

The AAA server is in charge of authentication and authorization, and the accounting server is in charge of accounting and generating CDRs. The AAA server and the accounting server implement distributed processing, which improves the response performance and safety of the AAA server. When the AAA server receives an accounting message, it forwards the message to the accounting server for processing. If there is any abnormality, the AAA server stores the accounting message locally and sends the stored accounting messages to the accounting server after recovery. This abnormality protection mechanism avoids the loss of user CDR messages.

The capacity and performance of AAA can be improved smoothly while fully reusing the old equipment: only one set of dual-array is added, and no addition to the OMC or agent server is required.

3.2.2 User Authentication Algorithm

AAA supports multiple authentication algorithms, such as CHAP, PAP, UAM, EAP-AKA, EAP-TLS (PSK), EAP-TTLS and EAP-MD5.

CHAP and PAP are mainly used in CDMA, WCDMA and fixed network access authentication.

UAM, EAP-AKA and EAP-TLS (PSK) are mainly used in WLAN network access authentication.

EAP-AKA, EAP-TLS (PSK), EAP-TTLS and EAP-MD5 are mainly used in WiMAX access authentication.

3.2.3 User Authentication Strategy

3.2.3.1 Public Account

A public account is set by AAA. Its user name and password are public, and any legal terminal can access the network with this account.

The public account does not need an association between the account and the terminal IMSI. The public attributes are configured in the Profile associated with the public account. AAA supports configuring Profiles for every terminal in order to provide differentiated services.

3.2.3.2 Private Account

A private account is set by AAA, and the terminal uses the private account to access the network. AAA also supports multiple terminals using one private account to access the network, and one terminal using different private accounts to access the network.

3.2.3.3 Roaming Authentication

User information is maintained by the home AAA. When a user roams, the serving AAA forwards the user's access requests to the home AAA for authentication; the home AAA performs authentication and authorizes the related Profile attributes.

The serving AAA performs routing analysis according to the realm information of the User-Name or the IMSI in the user's request, and forwards the access request to the home AAA.
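The routing analysis described above can be sketched as follows. This is an added example, not code from the original document or from the product: the routing tables, node names, the lookup order (realm first, then longest IMSI prefix, then default) and the restriction to printable ASCII in User-Name are all assumptions. It rejects malformed realms before they reach the route lookup, since the realm decides which remote AAA receives the request.

```python
import re

# Constructed routing tables: realms, IMSI prefixes and node names are
# made up for this example and do not come from the product.
REALM_ROUTES = {
    "home.example": "LOCAL",
    "partner.example": "broker-aaa-1",
}
IMSI_PREFIX_ROUTES = {
    "46003": "LOCAL",
    "4600309": "home-aaa-south",
    "310": "broker-aaa-2",
}
DEFAULT_ROUTE = "broker-aaa-default"

# DNS-style realm: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})*\Z")
_IMSI_RE = re.compile(r"[0-9]{6,15}\Z")


def split_nai(user_name):
    """Split a User-Name into (user, realm); realm is '' when absent.

    Raises ValueError for input that must not be used for routing.
    """
    if not user_name or len(user_name) > 253:
        raise ValueError("User-Name empty or longer than a RADIUS attribute")
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in user_name):
        raise ValueError("control, space or non-ASCII character in User-Name")
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, ""
    if "@" in user:
        # Two '@' signs make the home realm ambiguous between proxies.
        raise ValueError("more than one '@' in User-Name")
    realm = realm.lower()  # realms compare case-insensitively
    if not _REALM_RE.match(realm):
        raise ValueError("malformed realm")
    return user, realm


def select_route(user_name, imsi=None):
    """Return (rule, next_hop) for an access request."""
    _user, realm = split_nai(user_name)
    if realm in REALM_ROUTES:
        return "realm", REALM_ROUTES[realm]
    if imsi is not None:
        if not _IMSI_RE.match(imsi):
            raise ValueError("malformed IMSI")
        # Longest-prefix match so a specific range overrides a broad one.
        for n in range(len(imsi), 0, -1):
            node = IMSI_PREFIX_ROUTES.get(imsi[:n])
            if node is not None:
                return "imsi-prefix", node
    return "default", DEFAULT_ROUTE


if __name__ == "__main__":
    for name, imsi in [("alice@HOME.example", None),
                       ("bob@unknown.example", "460030912345678"),
                       ("dave@nowhere.example", None)]:
        print(name, imsi, "->", select_route(name, imsi))
```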

3.2.3.4 User Free of Authentication

AAA supports a free-of-authentication function. When a user account (public or private) is set to free-of-authentication and the user requests access, AAA passes the authentication directly without checking the password, authorizes the related service attributes and continues with the subsequent procedures.

3.2.4 User Authorization

3.2.4.1 Profile Authorization

AAA can configure profile information for different categories of users. The profile information includes the user's QoS information, bandwidth, time, address allocation strategy and so on. When the user finishes accessing, AAA sends the user profile information to the PDSN, and the PDSN limits the user's network resources according to the authorized profile information.

Each NAI user in AAA belongs to a service group, and each group has one profile template. The profile template can pre-set the authorized service attributes (such as bandwidth, time or attributes authorized over RADIUS). AAA authorizes the user's profile content to the PDSN when the user passes access authorization.

3.2.4.2 Customized Attribute Authentication

Customized Attribute Authentication allows providers to support non-standard attribute extensions and provide proprietary services.

Through the configuration function of the network management system, AAA can customize which VSA is used to carry and distribute each service attribute. In other words, the Vendor-ID, Vendor-Type and Vendor-Value of a VSA can be customized dynamically according to different requirements.

3.2.4.3 L2TP VPN Authorization

Using the system access function, the bearer capability of the packet-switched network, IP tunnels and IPSec, the VPN service gives packet data users remote access to enterprise and group intranet servers. Users enjoy all kinds of data services as usual, regardless of whether they access local or remote servers.

When a user accesses the network, the realm part of User-Name represents the L2TP VPN domain name. AAA authorizes the LNS IP address, tunnel password, tunnel type and tunnel medium type according to the local L2TP VPN domain name configuration.

3.2.4.4 Authorize User Attribute according to IMSI

When a public account is used, AAA supports authorizing user attributes by IMSI, which provides differentiated profile authorization.

A public account does not require an association between the account and the terminal IMSI; the subscription attributes are configured in the associated Profile. AAA supports configuring a Profile for every IMSI. After the terminal accesses and authenticates successfully, AAA can authorize user profile information according to the IMSI.

3.2.4.5 Authorize User Attribute according to NAI+IMSI

AAA supports the IMSI+NAI Profile authorization mode. When a user requests access, AAA combines the Profiles configured for the IMSI and for the NAI and authorizes the result to the PDSN. For the combination, one Profile is set as the reference according to the configured strategy and is merged with the other; if there is any conflict, the attribute from the reference Profile is preferred.

3.2.5 Simple IP Access

Simple IP is similar to network access through a dial-up modem on a fixed telephone line. The IP address assigned to the MS is dynamic and changes each time. Simple IP can only implement data communication with the MS as the calling party. Also, data communication is interrupted on inter-PDSN handoff and is not resumed until the call is initiated again.

AAA supports access authentication, authorization and accounting under simple IP mode.

3.2.5.1 Static IP Address Authorization

When customers subscribe to a service that needs a static (fixed) IP address, AAA allows each account Profile to be subscribed with a static IP address attribute.

When a terminal uses this account to access the network, the PDSN sets a special IPv4 attribute (Framed-IP-Address = 255.255.255.255) in the access request to ask AAA to authorize an IP address. If AAA judges that the account is local and not roaming, it authorizes the static IP address subscribed in the user profile to the PDSN.

3.2.5.2 Dynamic IP Address Authorization

When a user goes online, the PDSN or AAA dynamically allocates a vacant IP address to the MS. This mode is used to allocate IP addresses to online users when the number of users is larger than the available IP address resources.

AAA supports dynamic IP address authorization: when a user accesses the network, AAA authorizes an IP address dynamically.

3.2.5.3 IP Address Pool Authorization

AAA can configure separate IP address pools for different types of users, so that independent IP address pools are deployed for public network, office network and VAS users and IP isolation between different users is achieved.

When a terminal accesses the network, AAA authorizes an IP address pool to the PDSN, which later assigns an IP address from it to the user. AAA supports the following 3 authorization modes:

1 AAA authorizes the IP address pool to the PDSN according to NAS-ID and NAI;

2 AAA authorizes the IP address pool to the PDSN according to the Profile of the NAI;

3 AAA authorizes the IP address pool to the PDSN according to the Profile of the IMSI.

3.2.6 CMIP Access

Mobile IP is the solution based on RFC 2002 for providing mobility over the worldwide Internet. It features good expandability, high reliability and security. In addition, it keeps communications going when the MS switches between PDSNs. Mobile IP provides an IP routing mechanism that lets the MS connect to a public or private IP network with a permanent IP address, and it also lets the MS act as the called party.

AAA supports access authentication, authorization and accounting under mobile IP mode.

3.2.6.1 Dynamic Authorization HA

The HA takes charge of mobility management for mobile IP and proxy mobile IP. It locates mobile users according to MS registration information and forwards packet data to the user's currently registered FA (in the PDSN). For load balancing, several HAs can be deployed in the home zone.

AAA supports the dynamic HA allocation defined in 3GPP2: it assigns an HA address to the PDSN dynamically when there are several HAs in the home zone.

3.2.6.2 MN-HA Shared Key Authorization

When a mobile station uses MIP to access the network, it initiates MIP registration. After the HA receives the registration request, the home AAA authorizes the MN-HA key to the HA.

3.2.6.3 DNS Address Distribution

The MS needs to be assigned the master/slave DNS server addresses during PPP session setup. AAA supports including a DNS server address VSA in the RADIUS Access-Accept message sent in response to the RADIUS access request from the PDSN or HA.

If the AAA server includes the DNS server IP address VSA, it should contain a master DNS server address and a slave DNS server address.

3.2.6.4 IPSec Attribute Authorization

Applying the IPSec protocol in mobile IP provides an effective security service for mobile IP.

AAA supports authorizing IPSec attributes to the PDSN/HA and an IKE pre-shared key distribution function. AAA receives a RADIUS Access-Request message from the PDSN that carries the IKE pre-shared key request attribute. If the user has the right to use the IPSec service, the home AAA server distributes a key label and the IKE pre-shared key to the PDSN in the pre-shared key and KeyID attributes of the RADIUS Access-Accept message. The HA should re-obtain the "S" key from the home AAA server to generate the IKE pre-shared key. The lifetime of the "S" key is configurable; it is a local policy of the home RADIUS server and is based on the encryption strength of the "S" key.

3.2.7 PMIP Authorization

If a simple IP user has subscribed to proxy mobile IP, then when the terminal accesses the network the AAA server authorizes the AGW to act on behalf of the terminal to provide MIP services, which simplifies the terminal requirements. In other words, the function of the terminal's MIP client can be performed by the PDSN.

The PDSN takes on the PMIP FA functions and provides proxy mobile IP service for users with simple IP terminals. It keeps service continuity when users hand over between PDSN/FAs, initiates the mobile IP session on behalf of the MS and sends the access request to AAA. After the authentication passes, AAA authorizes the user's PMIP service attributes according to the subscribed PMIP capability.

3.2.8 IP Accessibility Service

AAA supports the IP accessibility service defined in the 3GPP2 specifications. When an MS accesses the network (using simple IP or mobile IP) and the MS is to be reachable by its DNS host name, the home AAA of the MS can notify the corresponding DNS server to update DNS dynamically. This function complies with the DNS update defined in RFC 2136.

3.3 Accounting

3.3.1 Postpaid Accounting

AAA supports the subscriber-based (or IP-session-based) accounting model and the packet-data-flow-based accounting model, and the accounting model is selectable.

AAA supports accounting based on traffic volume and on duration.

3.3.2 Prepaid Accounting of Radius Protocol

The packet prepaid function is a packet data service that lets users pay first and consume afterwards. Users pre-purchase a certain amount of service (by traffic volume or duration), the mobile user's packet data service is charged in real time, and the user's data service is controlled according to the actual account balance to protect the operator's revenue. The prepaid client requests available quota from the PPS and monitors quota usage for service control; the PPS deducts the cost based on service usage.

AAA supports the enhanced 3GPP2 packet prepaid standard. The standard introduces the SCP entity, which stores prepaid information for the user's voice, data and other services in one place. The PPS gets prepaid account information from the SCP over a RADIUS interface. To simplify the network architecture and allow uniform user management, the ZXUN UniA system supports an integrated AAA and PPS deployment, which uses the RADIUS interface to get prepaid account information from the SCP.

AAA supports the CCSA prepaid standard, which is the same as 3GPP2 packet prepaid. The network includes the PPS and SCP entities, and the prepaid function is fulfilled by the PPS/SCP and the PDSN/PPC. The HAAA is responsible for transferring authentication and accounting information between the PPS/SCP and the PPC.

AAA supports the packet prepaid function of fixed-network systems. There is no PPS or SCP entity in the network, and the prepaid function is fulfilled by the HAAA and the PDSN/PPC. The HAAA authorizes the standard RADIUS attribute Session-Timeout (see RFC 2865), and the PDSN is responsible for checking the session time; when the time is up, the PDSN terminates the user's packet data service.

3.3.3 Prepaid Accounting of Diameter Protocol

AAA supports prepaid accounting over the Diameter protocol, using the OCS for fee calculation and quota allocation. The network architecture is as follows:

The PDSN and AAA interact over the Radius protocol and the OCS uses the Diameter protocol; AAA performs the conversion from the Radius protocol to the Diameter protocol.

3.3.4 Content Accounting

When mobile IP users access the network, the HA/CCG equipment initiates an access authentication request to the HAAA, and the HAAA distributes the accounting attributes and MDN. When the user goes offline, the HA/CCG sends the offline billing record to the HAAA over the Radius protocol.

AAA supports management of content accounting billing records.

3.3.5 CDR Management

AAA supports configurable CDR formats with flexible billing fields, and can generate CDRs that either display or conceal the attribute names. The main difference between the two CDR types is that the one displaying attribute names records each billing field in the format "attribute name = attribute value", which is highly readable but occupies more disk space because of its size, while the one concealing attribute names outputs the billing fields in the configured order to save disk space.

Billing records are generated in the HAAA and, at the same time, in the visited AAA. AAA can also generate billing records according to the configuration.

AAA supports backing up the original billing records in two ways: database backup and file backup.

AAA supports NAI-based billing: when multiple IMSIs access through the same private account, billing can be done per private account.

AAA supports IMSI-based billing, which bills each MS individually.

AAA sends the billing records to the billing center through the FTP interface.

3.4 Agent Forward

AAA supports the agent forward function for authentication, billing and other dynamic authorization information.

[Figure (network architecture referred to in Section 3.3.3): PDSN to AAA over Radius; AAA to OCS over Diameter]

3.4.1 Choose Route Agent Based on Realm

Users can select the routing agent by carrying realm information in User-Name, e.g. NAI@Realm.

When acting as an agent, AAA chooses the route based on the realm information in the RADIUS attribute User-Name. The routing information for each realm can be pre-configured in AAA.

3.4.2 Choose Route Agent Based on IMSI Prefix

The domain of a user's home location can be derived from the IMSI in order to forward authentication and accounting requests.

When the RADIUS attribute User-Name in a Radius request does not include realm information, AAA can select the forwarding route according to the IMSI carried in the RADIUS attribute Calling-Station-ID. The routing configuration for each IMSI prefix can be pre-configured in the AAA OMC.

3.4.3 Default Routing

When AAA cannot select a route, it can forward the authentication and accounting information to the local default routing server for processing.

3.4.4 Routing Agent for Dynamic Authorization Messages

In a CDMA 1x/EVDO network, AAA supports routing-agent functionality for Disconnect dynamic authorization (see RFC 3576). When the PDSN receives a Disconnect Request, the user session release process starts.

AAA can forward the dynamic authorization message to the next destination according to the NAS identified in the message.

3.5 Expansion Function

3.5.1 State Test of Adjacent Node

AAA must transmit messages to adjacent nodes, which include the OCS, PPS/SCP, WAP gateway and other AAAs.

AAA provides the following functions when testing adjacent nodes:

1 Testing the state of the OCS, PPS/SCP, WAP gateway and other AAAs, and raising an alarm promptly.

2 When a message is being transmitted and an abnormal situation occurs, transmission switches automatically between the main node and the backup node.

3 Links and services are resumed automatically when the adjacent node recovers.

3.5.2 WAP User Access

AAA supports the WAP user access function. The Network Management Center (NMC) configures whether a public account belongs to a WAP user or not. When a WAP user goes online, the PDSN sends an accounting-start message to AAA, and AAA forwards it to the WAP gateway, which treats the user as online from that message and registers the relation between the user's IP address and IMSI. The WAP gateway treats the user as offline when it receives the accounting-stop message from AAA.

3.5.3 Multi-WAP Gateway Access

Because multiple WAP gateways may be deployed, AAA achieves load balancing by sending each accounting-start message to one of them according to a rule.

After receiving an accounting-start message from the PDSN, AAA forwards it to the corresponding WAP gateway based on analysis of the user's MDN. The mapping between WAP gateway addresses and MDN analysis is configured in AAA.

3.5.4 Different WAP Gateway Sharing IP Address

Two sets of WAP gateways (new and old) may exist simultaneously and share one IP address. AAA uses a different source IP address for each of the two WAP gateways, and the traffic is forwarded differently by an external router or by a local routing policy.

When different WAP gateways use the same IP address, AAA can select the right WAP gateway for the accounting information according to the user's MDN attribute and send the information from the corresponding source IP address.

3.5.5 1x/EVDO Access Control

AAA supports 1x/EV-DO access control. The access types are 1x access, EV-DO access and 1x & EV-DO access; the accounting rate differs by access type.

The 1x/EV-DO access control modes are:

1 AAA can restrict the access type of an account (both public and private).

2 With realm-based L2TP VPN control, AAA, acting as Visited AAA and Home AAA, can restrict L2TP VPN access according to the L2TP user's subscription attributes.

3.5.6 Access to Multi-PPS/SCP

The home location may deploy multiple PPS/SCPs; AAA forwards the accounting information to one of them according to a strategy in order to share load.

When prepaid users access the network for authentication and authorization, AAA analyzes the user's MDN in the accounting information and forwards the prepaid request to the home PPS/SCP for processing. The mapping between PPS/SCP and MDN is configured in AAA.

3.5.7 LNS IP Address Mapping

Operators can deploy two sets of AAA; for example, during a swap the new and old AAA can coexist to achieve a smooth transition.

AAA supports LNS IP address replacement when forwarding an Access-Accept, replacing the old IP address with the new one.

3.5.8 LNS Redundancy and Load Sharing

AAA supports LNS redundancy plus load sharing. A VPN domain name can be flexibly configured to correspond to multiple LNSs and to active/standby LNS IP addresses. During authentication and authorization, AAA distributes LNS IP addresses by polling, including the active/standby LNS IP addresses, to achieve LNS redundancy and load sharing.

3.5.9 DM Dynamic Management

AAA supports initiating Disconnect dynamic authorization and forwarding it as an agent. The system sends a Disconnect Message to disconnect an online user and release resources, in order to avoid user arrears and unauthorized occupation of resources.

Disconnect Message trigger modes:

1 AAA sends a Disconnect Message as a result of BOSS handling.

2 AAA, as an agent, forwards a Disconnect Message from the prepaid system.

3.5.10 User Online Session Management

AAA supports a maximum limit on simultaneous sessions per NAI. When a station requests access, AAA checks the number of stations currently online for that NAI. If the number has reached the supported maximum, AAA refuses the request. To do this, AAA registers the user's online information when the user accesses, updates the parameters when it receives an accounting-start message or an update request, and deletes the session information from the register when it receives an accounting-stop message.

3.5.11 Automatic Binding between NAI and IMSI

When a user purchases a card, he can access the network by using different IMSIs and an NAI (user name/password).

AAA supports automatic binding between NAI and IMSI. During access authentication, if the terminal supplies the correct user name and password and the number of bound IMSIs does not exceed the designated number, the binding relation is established automatically and access is allowed.

3.5.12 Binding Restriction of IMSI Number with NAI

For an NAI, AAA can restrict the number of bound IMSIs (an NAI may not need to be bound to an IMSI, but the number can still be restricted). This gives AAA a flexible NAI management function.

3.5.13 Many-to-many Binding of IMSI and VPN

AAA supports many-to-many binding of IMSI and VPN based on VPDN service.

AAA can restrict the range of IMSIs allowed for a VPN and the range of VPNs an IMSI can access.

For VPN user access authentication, after the HAAA receives the access request it authorizes the corresponding VPN attributes according to the bound VPN domain information.

3.5.14 Temporary Account

AAA supports temporary accounts by giving NAI accounts a validity period. The validity period starts when the account is activated (the activation moment is the first time the account logs on and authenticates successfully). The expiry time is configurable. After the expiry time, the account is locked and access is refused.

3.5.15 Period Access Control

AAA can limit user access to the system based on time period, so that network resources are used economically.

A day can be divided into several periods, each defined as an access-allow or access-reject period. When a user tries to connect during an access-reject period, AAA rejects the user directly. When the user connects during an access-allow period, AAA allows access, authorizes the expiry time and informs the NAS of the user's maximum session time.
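
The period check described above, as an added example that is not ZXUN UniA code: it rejects requests outside the access-allow periods and, on accept, returns the seconds left in the current period as the value a server would place in the RADIUS Session-Timeout attribute. The period table, function names and the optional `max_session` cap are assumptions made for the illustration.

```python
from datetime import datetime, time, timedelta

# Constructed policy: access-allow periods as (start, end) local times, end exclusive.
# Every other time of day is an access-reject period. The second period wraps midnight.
ALLOW_PERIODS = [(time(8, 0), time(12, 0)), (time(22, 0), time(2, 0))]


def period_end(now, start, end):
    """Return the datetime at which the period closes if `now` is inside it, else None."""
    t, today = now.time(), now.date()
    if start <= end:                       # ordinary period within one day
        return datetime.combine(today, end) if start <= t < end else None
    if t >= start:                         # wrapped period, part before midnight
        return datetime.combine(today + timedelta(days=1), end)
    if t < end:                            # wrapped period, part after midnight
        return datetime.combine(today, end)
    return None


def authorize(now, periods=ALLOW_PERIODS, max_session=None):
    """Return ("Access-Accept", session_timeout_seconds) or ("Access-Reject", None)."""
    ends = [e for e in (period_end(now, s, x) for s, x in periods) if e is not None]
    if not ends:
        return ("Access-Reject", None)     # inside an access-reject period
    # The session may not outlive the allow period it started in.
    remaining = int((max(ends) - now).total_seconds())
    if max_session is not None:            # hypothetical per-profile cap
        remaining = min(remaining, max_session)
    if remaining <= 0:
        return ("Access-Reject", None)
    return ("Access-Accept", remaining)


if __name__ == "__main__":
    for stamp in ("2008-12-18 09:30", "2008-12-18 13:00", "2008-12-18 23:30"):
        print(stamp, authorize(datetime.strptime(stamp, "%Y-%m-%d %H:%M")))
```

Without the timeout a session opened one minute before an access-reject period would simply continue into it, so the reject period is only enforced if the NAS honours the authorized session time.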

3.5.16 User Lock

User locking is applied when a user is in arrears or is to be refused access to the network.

The AAA server supports a user lock function in order to reject user access. The lock modes are:

1 Account lock: that is, NAI lock. AAA refuses terminals that use this NAI account to access the network;

2 IMSI lock: AAA refuses the designated IMSI access to the system;

3 Association lock between account and IMSI: AAA refuses the designated IMSI when it uses the designated account to access the network.

3.5.17 IPv6 and IPv4 Dual-stack

AAA supports IPv4 and IPv6 dual-stack, and supports terminals accessing over IPv4 and IPv6.

If the access request includes specific IPv4 and IPv6 attributes or VSAs, AAA authorizes IPv4 or IPv6 attributes, such as Framed-Interface-Id and Framed-IPv6-Prefix, according to the user's subscription.

For IPv6 reachability support, the home AAA requests the DNS server to create or delete resource records for IPv4 and IPv6.

3.5.18 BCMCS Service Authorization, Authentication and Accounting

AAA supports BCMCS registration session information requests, the HTTP Digest authentication algorithm and authorization of BCMCS-related service attributes, and its CDR files include BCMCS information.

3.6 Acceptance

3.6.1 Acceptance Table

3.6.1.1 Acceptance Rights Control

The maintenance and management of user information requires authority control: operators are given different authority levels to guarantee the safety of user information. For example, if a user loses the password, only an operator who holds the corresponding authority can reset it.

AAA can configure different authority for different operators, and so controls which operators may open accounts, cancel accounts, make enquiries and reset passwords.

3.6.1.2 User Information Maintenance

AAA provides a user-friendly interface that simplifies operations such as opening and cancelling accounts and making queries, so that user information can be managed and maintained.

Main operations: IMSI adding, IMSI modification, IMSI deleting, individual/batch enquiry of IMSI, AAA_NAI adding, AAA_NAI modification, AAA_NAI deleting, AAA_NAI rename, the relationship between IMSI and AAA_NAI, AAA_NAI enquiry, setting the user password, IMSI card replacement, IMSI number changing, user password reset, NAI fuzzy enquiry and so on.

3.6.1.3 Batch Process

AAA supports opening accounts, cancelling accounts and updating user information in batches, giving simple, reliable and efficient management and maintenance. Batch processing supports a text-file format and consecutive number ranges.

Text-format batch processing keeps a detailed record, from which the reason for a processing failure can be analyzed and a remedy applied in time. The main text batch operations are batch addition, batch modification and batch deletion.

3.6.2 BOSS Interface Acceptance

AAA provides an open interface through which the BOSS subsystem accesses AAA. It can implement subscription, modification and query for all user services.

3.7 Lawful Interception

AAA supports the X1 and X2 interfaces. AAA also supports setting, modifying and deleting interception targets, and it reports user events to the LIC.

3.8 Abnormality Handle Mechanism

Abnormality handling of the AAA server is described as follows:

1 AAA adopts a configuration of two small devices, or one PC server and one disk array. Normally one server is on duty and the other is on standby but monitors the server on duty. When the server on duty fails, the standby server must take over as the server on duty.

2 Because AAA supports distributed authentication and accounting, the authentication, authorization and accounting functions can run at different service points. The AAA server forwards accounting messages to the accounting server for handling after it receives them. If an abnormality occurs, the accounting server does not save the accounting messages until the abnormality is resolved. With this mechanism CDR information is not lost.

3 AAA supports backup of the original CDR files, with two optional modes: database backup and file backup.

4 AAA can collect alarm information, such as disk space full.

5 AAA adds a watchdog process that monitors all service processes and greatly enhances system reliability. When the master process exits abnormally, the watchdog process restarts the service process.

6 The batch file processing function of AAA logs unsuccessful acceptance records, and the failed records can be processed again.

4 AN-AAA Function Introduction

4.1 Data Fusion

4.1.1 Visited AN-AAA/Broker AN-AAA /Home AN-AAA

The ZXUN UniA system can act as a Visited AN-AAA, Broker AN-AAA or Home AN-AAA:

As a Visited AN-AAA (visited AN-AAA or serving AN-AAA), it receives Radius messages from the AN and forwards them to the home network according to the agent forwarding strategy.

As a Broker AN-AAA, it receives and forwards AAA Radius messages from other AN-AAAs. Generally, multiple AN-AAAs share one Broker AN-AAA to interwork across areas and networks.

As a Home AN-AAA, it processes authentication and authorization when users access the network.

4.1.2 AN-AAA and AAA Database Fusion

The fused database provides uniform user information management and operation and maintenance. It works as one logical functional entity that fulfills both access network authentication and IP authentication, which reduces investment.

AAA and AN-AAA can be deployed separately or integrated, allowing flexible networking.

4.2 Authentication and Authorization

4.2.1 User Authentication Algorithm

AN-AAA supports CHAP authentication algorithm based on MD5.

AN-AAA supports CHAP authentication algorithm based on CAVE.

With CHAP authentication, the key itself does not need to be sent over the communication channel, and the information exchanged is different each time, which effectively guards against interception attacks.

The current CDMA2000 1x R-UIM card only supports the CAVE algorithm. To ensure that hybrid-terminal users with a traditional CDMA2000 1x R-UIM card can access the 1x EV-DO network, the 3GPP2 specifications define CHAP authentication based on the CAVE algorithm, so AN-AAA should support the CAVE authentication algorithm. CAVE authentication adds an interaction with the HLR/AC to the CHAP authentication flow in order to authenticate the HRPD terminal equipment.
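
The two CHAP properties stated in this section (the key never crosses the channel, and each exchange differs) shown for the MD5 variant as an added example; it is not ZXUN UniA code. The response is computed as RFC 1994 defines it, MD5 over identifier, secret and challenge; the `ChapVerifier` class, the in-memory secret store and the sample credentials are constructed for the illustration. The CAVE variant is not shown.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapVerifier:
    """Authenticator side (hypothetical helper): one fresh challenge per attempt."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # user -> shared secret, never transmitted
        self._pending = {}               # user -> (identifier, challenge)

    def issue(self, user: str):
        """Create a random challenge; issued for unknown users too, so the
        challenge step does not reveal which accounts exist."""
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)
        self._pending[user] = (identifier, challenge)
        return identifier, challenge

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        # pop(): a challenge is usable once, so a captured response cannot be replayed
        pending = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    server = ChapVerifier({"alice": b"s3cret"})           # constructed credentials
    ident, chal = server.issue("alice")
    resp = chap_response(ident, b"s3cret", chal)          # computed on the terminal
    print("first use :", server.verify("alice", ident, resp))
    print("replayed  :", server.verify("alice", ident, resp))
```

Only the identifier, challenge and 16-byte response are visible on the wire, but a recorded challenge/response pair still allows offline guessing of a weak secret, so secret strength matters even though the secret is never sent.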

4.2.2 User Free-of-Authentication

AN-AAA supports free-of-authentication accounts. When an AT uses a free-of-authentication account to access the network, AN-AAA does not verify the password, and authentication passes if the account exists.

4.2.3 Hardware Authentication

Depending on the operator's configuration strategy, if the system adopts hardware authentication, AN-AAA needs to verify the AT's MEID or ESN in the request when it performs access authentication.

If users are subject to hardware authentication, the access request should carry the hardware ID (ESN/MEID). AN-AAA verifies whether the hardware ID matches the local database; if it does, AN-AAA performs the subsequent CHAP authentication, otherwise it refuses access.

4.2.4 CAVE Authentication Based on pESN

The number of 32-bit ESNs is limited; CAVE authentication needs to use MEID.

During HRPD access authentication, if the user only stores an MEID and needs to be CAVE authenticated, AN-AAA supports converting the MEID to a pESN (pseudo ESN) and sending it to the HLR for authentication.

4.2.5 MNID Authorization

The message interface between the wireless side and the network side needs the MNID (Mobile Node Identification). When AN-AAA finishes authentication, it should return the AT's MNID to the AN.

When AN-AAA supports HRPD access authentication, it can authorize the terminal's MNID. In the AN-AAA system, the IMSI serves as the MN ID.

4.2.6 Profile Authorization

AN-AAA can configure users' Profile information for different kinds of users. After a user accesses the network, AN-AAA sends the Profile information to the AN, and the AN controls access according to the Profile information.

Each AN-AAA user belongs to a service group, and each group corresponds to one Profile template. The Profile template can pre-set the authorized service attributes. When a user passes access authentication, AN-AAA authorizes the user's corresponding Profile to the AN.

4.2.7 Customized Attribute Authentication

Customized Attribute Authentication allows providers to support non-standard attribute extensions and provide proprietary services.

Through the configuration function of the network management system, AAA can customize which VSA is used to carry and distribute each service attribute. In other words, the Vendor-ID, Vendor-Type and Vendor-Value of a VSA can be customized dynamically according to different requirements.
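
How a configured (Vendor-ID, Vendor-Type, value) triple ends up on the wire, for the customized attributes of Sections 3.2.4.2 and 4.2.7, as an added example rather than ZXUN UniA code. The layout is the Vendor-Specific attribute of RFC 2865 (type 26) with the recommended vendor type/length sub-format; the mapping table, attribute names and the documentation enterprise number 32473 are constructed for the illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type "Vendor-Specific" (RFC 2865)

# Constructed configuration: service attribute -> (Vendor-ID, Vendor-Type, encoding).
# 32473 is the enterprise number reserved for documentation examples.
VSA_MAP = {
    "bandwidth-kbps": (32473, 1, "uint32"),
    "service-class": (32473, 2, "text"),
}


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one type-26 attribute holding a single vendor sub-attribute."""
    if not 0 < vendor_id < 2 ** 24:        # high-order octet of Vendor-Id must be 0
        raise ValueError("vendor_id out of range")
    if not 0 < vendor_type < 256:
        raise ValueError("vendor_type out of range")
    if len(value) > 247:                   # 255 - 2 (header) - 4 (id) - 2 (sub-header)
        raise ValueError("value too long for one attribute")
    vendor_len = 2 + len(value)            # sub-attribute length counts its own header
    total_len = 2 + 4 + vendor_len
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len,
                         vendor_id, vendor_type, vendor_len)
    return header + value


def decode_vsas(attr: bytes) -> list:
    """Parse one type-26 attribute into [(vendor_id, vendor_type, value), ...].
    Every length field is checked before it is used to slice the buffer."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("attribute length does not match buffer")
    if attr[2] != 0:
        raise ValueError("high-order octet of Vendor-Id must be 0")
    vendor_id = int.from_bytes(attr[2:6], "big")
    out, pos = [], 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        v_type, v_len = attr[pos], attr[pos + 1]
        if v_len < 2 or pos + v_len > len(attr):
            raise ValueError("sub-attribute length out of bounds")
        out.append((vendor_id, v_type, attr[pos + 2:pos + v_len]))
        pos += v_len
    return out


def build_service_vsa(name: str, value) -> bytes:
    """Encode a service attribute using whatever VSA the configuration assigns to it."""
    vendor_id, vendor_type, kind = VSA_MAP[name]
    payload = struct.pack("!I", value) if kind == "uint32" else str(value).encode("utf-8")
    return encode_vsa(vendor_id, vendor_type, payload)


if __name__ == "__main__":
    wire = build_service_vsa("bandwidth-kbps", 2048)
    print(wire.hex(), decode_vsas(wire))
```

Because the vendor fields come from operator configuration and from peers, the decoder rejects any attribute whose inner length would run past the outer one instead of trusting it.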

4.3 Agent Forward Function

AN-AAA supports the agent forward function for authentication.

4.3.1 Choose Route Agent Based on Realm

Users can select the routing agent by carrying realm information in User-Name, e.g. NAI@Realm.

When acting as an agent, AN-AAA chooses the route based on the realm information in the RADIUS attribute User-Name. The routing information for each realm can be pre-configured in AN-AAA.

4.3.2 Choose Route Agent Based on IMSI Prefix

The domain of a user's home location can be derived from the IMSI in order to forward authentication and accounting requests.

When the RADIUS attribute User-Name in a Radius request does not include realm information, AN-AAA can select the forwarding route according to the IMSI carried in the RADIUS attribute Calling-Station-ID. The routing configuration for each IMSI prefix can be pre-configured in the AN-AAA OMC.

4.3.3 Default Routing

When AN-AAA cannot choose a route, it can forward the authentication information to the local default routing agent for processing.
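The three routing rules of section 4.3 combined into one decision function, as an added example that is not the product's code. The route names, realms and IMSI prefixes are constructed, and sending a request with an unconfigured realm to the default route is an assumption; destinations are only ever taken from the pre-configured tables, never derived from the request itself.

```python
import re

# Constructed routing tables; in the product these are pre-configured by the operator.
REALM_ROUTES = {
    "example.net": "proxy-a",
    "roam.example.org": "proxy-b",
}
IMSI_PREFIX_ROUTES = {
    "46003": "proxy-home",
    "4600399": "proxy-region-99",
}
DEFAULT_ROUTE = "proxy-default"

IMSI_RE = re.compile(r"[0-9]{1,15}")  # ASCII digits only, at most 15


def realm_of(user_name: str):
    """Return the lower-cased realm of NAI@Realm, or None when no realm is present."""
    _, sep, realm = user_name.rpartition("@")
    if not sep:
        return None
    return realm.lower()


def route_by_imsi(calling_station_id):
    """Longest-prefix match of the IMSI against the configured prefixes."""
    imsi = calling_station_id or ""
    # fullmatch rejects trailing newlines and any non-digit padding.
    if not IMSI_RE.fullmatch(imsi):
        return None
    for length in range(len(imsi), 0, -1):
        route = IMSI_PREFIX_ROUTES.get(imsi[:length])
        if route is not None:
            return route
    return None


def select_route(request: dict):
    """Return (route, rule) for a request given as a dict of RADIUS attributes."""
    realm = realm_of(request.get("User-Name", ""))
    if realm is not None:
        # 4.3.1: realm carried in User-Name selects the route.
        route = REALM_ROUTES.get(realm)
        if route is not None:
            return route, "realm"
        # Assumption: an unconfigured realm goes to the default route (4.3.3).
        return DEFAULT_ROUTE, "default"
    # 4.3.2: no realm, so fall back to the IMSI in Calling-Station-ID.
    route = route_by_imsi(request.get("Calling-Station-ID"))
    if route is not None:
        return route, "imsi-prefix"
    # 4.3.3: nothing matched.
    return DEFAULT_ROUTE, "default"


if __name__ == "__main__":
    samples = [  # constructed requests
        {"User-Name": "alice@Example.NET"},
        {"User-Name": "bob", "Calling-Station-ID": "460039912345678"},
        {"User-Name": "carol@unknown.example"},
        {"User-Name": "dave", "Calling-Station-ID": "310150123456789"},
    ]
    for req in samples:
        print(req, "->", select_route(req))
```

Returning the rule alongside the route lets the proxy log why a request left for a given agent, which helps when auditing unexpected forwarding.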

4.4 Expansion Function

4.4.1 User Lock

User lock is performed when a user's access to the AN needs to be restricted.

AN-AAA supports manually locking a user account. When an account is locked, AN-AAA rejects its authentication requests and does not authorize it. Accounts are locked and unlocked through the acceptance table or manually through the accounting interface.

4.4.2 Refuse Access In Permanently

The account is locked when the user enters the wrong password up to the threshold, and subsequent access is refused. Locked accounts are unlocked through the acceptance table and manually through the BOSS interface.

4.4.3 CAVE Authentication Synchronize Counter

For the first authentication of a user, if the download time of SSD from the HLR/AC reaches a set value (the synchronize counter) and CAVE re-authentication is needed, the SSD should be synchronized to ensure that the SSD stored in the local AN-AAA is consistent with that in the HLR.

4.4.4 Roaming Restriction

AN-AAA supports roaming restriction for EVDO users. When users roam out and have subscribed to roaming restriction, the home AN-AAA refuses the terminal's access.

5 Interfaces and Communication

5.1 Physical Interfaces

AAA/AN-AAA provides the following standard interfaces:

• E1 interface

• 100Base-TX/1000Base-TX interface

5.2 Logic Interfaces

ZXUN UniA has the following interfaces:

5.2.1 Interface between AAA and PDSN/HA/AAA/WAP Gateway

AAA adopts the RADIUS interface defined by 3GPP2 X.S0011-D, RFC 2865, RFC 2866, RFC 2868 and RFC 2869.

The protocol model of the interfaces between AAA and PDSN/HA/AAA/WAP gateway is shown in Figure 2:

Figure 2 Protocol Models of Interface between AAA and PDSN/HA/AAA/WAP Gateway

5.2.2 Interface between AAA and OCS

The interface between AAA and OCS follows the China Telecom packet pre-paid interface regulation.

The protocol model of the interface between AAA and OCS is shown in Figure 3:

Figure 3 Protocol Models of Interfaces between AAA and OCS

5.2.3 Interface between AAA and PPS/SCP

The interface between AAA and PPS/SCP complies with the Packet Pre-paid Interface Regulation defined by 3GPP2.

The protocol model of the interface between AAA and PPS/SCP is shown in Figure 4:

Figure 4 Protocol Models of Interfaces between AAA and PPS/SCP

5.2.4 Interface between AAA and Accounting Center

The interface between AAA and the Billing Center is an FTP interface.

5.2.5 Interface between AAA and ISPP

The interface between AAA and OCS follows the China Telecom ISPP Interface Regulation. ISPP communicates with the AAA network element through the NPI interface protocol, which is based on HTTP/SOAP messages. SOAP requests and replies are exchanged in synchronous mode, and XML is used for the semantic description of the protocol. ISPP sends a SOAP request to the AAA network element, and the network element responds to ISPP after completing the corresponding operation.

5.2.6 Interface between AAA and LIC

The lawful interception interface between AAA and LIC follows the X1 and X2 regulations of the China interception standard.

The X1 and X2 interfaces use the TCP/IP protocol. The stack is TCP/IP, ISO/IEC 802.2 and ISO/IEC 802.3, and packets are encoded and decoded according to the ASN.1 standard.

The interface protocol model between AAA and LIC is shown in Figure 5:

Figure 5 Interface Protocol Model between AAA and LIC

5.2.7 Interface between AN-AAA and AN

The interface between AN-AAA and AN follows 3GPP2 A.S0008, CCSA YD/T 1579-2007 and the RADIUS interface defined by RFC 2865 and RFC 2868.

The interface protocol model between AN-AAA and AN is shown in Figure 6:

Figure 6 Interface Protocol Model between AN-AAA and AN

[Figure 5 diagram: the AAA side and the LIC side each show the stack LI Protocol, TCP/IP, Link Layer, PL.]

5.2.8 Interface between AN-AAA and HLR

The interface between AN-AAA and HLR is the MAP interface defined by 3GPP2.

The interface protocol model between the AN-AAA SS7 front PC and HLR is shown in Figure 7:

Figure 7 Interface Protocol Model between AN-AAA SS7 Front PC and HLR

5.2.9 Interface between AN-AAA and ISPP

The interface between AAA and ISPP follows the ISPP Interface Specification defined by China Telecom. ISPP communicates with the AN-AAA network element through the NPI interface protocol, which is based on HTTP/SOAP messages. SOAP requests and replies are exchanged in synchronous mode, and XML is used for the semantic description of the protocol. ISPP sends a SOAP request to the AN-AAA network element, and the network element responds to ISPP after completing the corresponding operation.

6 System Architecture

The AAA/AN-AAA system uses the IP-based standard RADIUS protocol to communicate with customer terminals. It supports large databases (MSSQL, ORACLE) and runs on several operating system platforms (Windows, SOLARIS). The system design provides excellent expansibility and portability.

The AAA/AN-AAA server can be used for authentication, authorization and accounting of many kinds of IP access (CDMA, WLAN, WiMAX, WCDMA, fixed network), providing a uniform network access data management platform.

6.1 Hardware Architecture

AAA/AN-AAA hardware architecture is shown in Figure 8:

[Figure 7 diagram: protocol stacks of the AN-AAA SS7 Front PC and the HLR. Layer labels shown: MAP, TM, TCAP, SCCP, MTP 3, MTP 2, MTP 1, Support, TCP, IP.]

[Figure 8 diagram. Components shown: Radius Server 1 and Server 2 with a disk array (labelled AAARadius); Accounting Server 1 and Server 2 with a disk array; Agent Client; AAA OMM Server; AAA OMM Client; AAA DBIO & BOSS Interface; two switches; router; firewall; IP network; alarm box; SS7 Front PC, HLR/AC and an E1 label. External elements: PDSN, HA, BNAS, AGW, GGSN, Wap GW, ISPP/BOSS, Billing Center, EMS, OCS, PPS/SCP.]

Figure 8 AAA Hardware Architecture

The hardware architecture of the AAA system consists of the following parts:

1 Radius Server

The Radius Server uses a dual-computer + disk array configuration to run the RADIUS process, handle authentication and accounting information, and support the transfer function. It uses a commercial database to store subscription and service buffer information, and the disk array provides the physical storage for the commercial database.

The Radius Server uses two minicomputers or PC servers and one disk array. One server is active (host) and the other is standby (reserve). The standby server continuously monitors the operating status of the host and, once something goes wrong, takes over and works as the host.

2 Accounting Server

The Accounting Server uses a dual-computer + disk array configuration to process CDRs. The disk array stores users' accounting CDR information etc. The Accounting Server supports CDR output and backup in CDR file and database modes. When the system works only as AN-AAA, there is no Accounting Server.

It uses two PC servers (minicomputers) and one disk array. One server is active (host) and the other is standby (reserve). The standby server continuously monitors the operating status of the host and, once something goes wrong, takes over and works as the host.

The Accounting Server and AAA Server can run as one server.

3 AAA Agent Client

The AAA local client terminal (acceptance table) processes local services. The hardware is a PC-compatible computer, and it provides local user management.

4 AAA OMM Server

The AAA OMM system provides operation and maintenance services, including fault and configuration management, performance statistics, signaling tracing, log management, the network management interface etc.

5 AAA OMM Client

The AAA OMM Client provides local network management client terminal acceptance and operation.

6 AAA DBIO&BOSS Interface

It provides the AAA acceptance and database access functions, and connects to the BOSS system to realize remote acceptance. The accounting interface server is a PC server that provides the accounting interface for remote service acceptance in the business hall.

7 SS7 Front PC

The SS7 front PC handles the interaction between AN-AAA and HLR/AC. When a terminal accessing the network over HRPD uses CAVE authentication, AN-AAA needs to acquire the authentication vector from HLR/AC.

8 Alarm box

Audible and visual alarm.

6.2 Software Architecture

AAA software architecture is shown in Figure 9:

[Figure 9 diagram. Sub-systems shown: RADIUS service, database, CDR handle, BOSS interface, agent, O&M, watchdog and interception sub-systems, plus the SS7 Front PC. External elements and interface labels: PDSN, AN, HA, GGSN, AGW, Wap Gate and PPS/SCP (RADIUS); Billing Center (FTP); BOSS (MML); LIC (LI interface); HLR/AC (SS7).]

Figure 9 AAA Software Architecture

AAA/AN-AAA system is composed of RADIUS, database, interception, CDR handling, BOSS interface, Watchdog, agent, O&M and SS7 sub-systems.

1 RADIUS Service Sub-system

It provides AAA services for users and agents. For the packet pre-paid service, the RADIUS service sub-system interacts with OCS or PPS/SCP to get users' packet pre-paid account information.

2 Database Sub-system

It includes user service subscription data, the backup accounting CDR database (optional) and the OMM database. The three databases can be combined into one or kept separate.

3 Interception Sub-system

It handles setting, modifying and deleting AAA targets for the LIC, and reports events to the LIC.

4 CDR Handling Sub-system

It interacts with the RADIUS service sub-system, collects RADIUS accounting information, generates CDRs, backs up CDR files and primary accounting information to the database on schedule according to the requirements, and processes out-of-date CDR backup files and database backup information.

It provides an FTP server for the accounting center and supports retrieval of accounting CDR files.

5 BOSS Interface Sub-system

It provides the corresponding MML instruction interface for remote service acceptance in the BOSS system.

6 Watchdog Service Sub-system

It monitors the running status of AAA services. Once it detects an abnormality, it handles the abnormality and restarts the faulty subsystem as required.

7 Agent Sub-system

It provides a GUI to realize basic packet service management. It has a read/write interface to the database sub-system, and deletes and changes user subscription information according to GUI or BOSS interface instructions.

8 Operation and Maintenance Sub-System

It implements the foreground operation and maintenance of AAA. It cooperates with the background OMC to manage the AAA server, including attribute, security association, number analysis, multi-IPS access and other basic system configuration and management functions, as well as alarm management, performance management, service analysis and other functions.

9 SS7 Front PC

The SS7 front PC handles the interaction between AN-AAA and HLR/AC. When a terminal accessing the network over HRPD uses CAVE authentication, AN-AAA needs to acquire the authentication vector from HLR/AC.

7 System Security and Reliability

7.1 Redundancy Mechanism

The ZXUN UniA server node supports a redundancy mechanism: two-node cluster hot-backup networking ensures system reliability through the disk array and cluster software. The key hardware adopts dual-backup, load sharing and equalization mechanisms to ensure there is no single point of failure.

7.2 Dual-network Dual-plane Networking

It adopts a networking backup system to enhance system reliability.

7.3 Automatic Monitoring Process

The software design adds a watchdog to monitor service processes, which greatly enhances system reliability. When the main process quits abnormally, the watchdog automatically handles it and restarts the service process.

7.4 Overload Control

It supports flexible overload control, which includes:

1 Control of the number of access messages by CPU load status: when the system CPU load exceeds the threshold, some messages are discarded. The CPU load threshold can be configured in AAA/AN-AAA;

2 Overload control according to the number of messages: the part of the concurrent messages that exceeds the threshold is discarded.

CPU load control and concurrent message control together ensure smooth operation.

7.5 Security Management

The security management module ensures legal use of the system.

It includes user management, role management, security verification and strategy management. Security management manages users and roles, and provides operator rights management by associating users with roles.

8 Technical Indices and Regulations

8.1 Capacity Indices

Maximum number of users (single node): 10,000,000

Maximum supported by multi-node AAA: 100,000,000,000

8.2 Performance Indices

1 Number of requests processed simultaneously

Number of RADIUS message requests AAA can process: 5000/s.

This is the number of requests that AAA can process per unit time (1 s). The authentication number depends on the hardware and software.

2 Authentication time

The time for AAA to process an authentication is less than 50 ms.

This performance index evaluates AAA authentication. It is the time from when RADIUS receives an authentication request and starts processing it to when the authentication answer is sent. The time also depends on the hardware and software.

8.3 Electricity Indices

8.3.1 Server Rack Indices

Table 2 Server Rack Indices

Indices | Value
Size | 19", interior maximum space: 42U
Dimension (H×W×D) | 2000 mm×600 mm×1000 mm
Weight | ≤ 350 kg (single rack, full configuration)
Floor weight capacity requirement | > 450 kg/m²
Power supply | AC 220 V±10%, 50 Hz±5%; -48 VDC, -57 V ~ -40 V (or configure according to actual power supply)
Power consumption | Typical power consumption < 2000 W (taking Sun Netra440 dual-computer + array ST6140A as an example; Sun Netra single power consumption: 570, array Storage Tek 6140A power consumption: 427)

8.3.2 Alarm Box Indices

Table 3 Alarm Box Indices

Indices | Value
Size (H×W×D) | 220 mm×309 mm×56 mm
Weight | 2 kg
Power supply | -48 VDC: -57 V ~ -40 V
Power consumption | 20 W

8.4 Working Environment

Table 4 Temperature and Humidity

Equipment Type | Temperature, long-term working condition | Temperature, short-term working condition | Relative humidity, long-term working condition | Relative humidity, short-term working condition
PDSS A100 | 0 ℃~40 ℃ | -5 ℃~45 ℃ | 20%~90% | 5%~95%

Note 1. The measured points for the working temperature and humidity in the equipment room refer to the points 0.4 m in front of the equipment and 1.5m above the floor.

Note 2. The short-term working conditions mean that the continuous operating period does not exceed 48 hours and the accumulative total period within a year does not exceed 15 days.

8.5 Environmental Indices

8.5.1 Cleanliness Requirement

The concentration of dust with particle diameter larger than 5 μm: ≤3×10⁴/m³

8.5.2 Lighting Requirement

Install incandescent lamps or emergency lighting devices at appropriate positions between racks to provide lighting for equipment installation and maintenance. However, the equipment shall not be exposed to lamplight or direct sunlight for a long time, to avoid aging or deformation of circuit boards and components as a result of the high temperature caused by the lighting.

It is recommended to fit the windows with colored glass and dark, opaque curtains.

Fluorescent lamps should be embedded in the ceiling as the main lighting devices, with an average illumination of 150 lx–200 lx.

8.5.3 Barometric Pressure Requirement

No special requirements.

8.5.4 Air Requirement

The air shall contain no dust that is explosive, conductive, magnetic or corrosive, and no gas that corrodes metal or degrades insulation.

8.5.5 Fire Control Requirement

The equipment room should meet the requirements of fire control regulations, be equipped with the regulated appliances, leave enough fire passage, and display a "key unit of firefighting" sign in some places.

Inflammable and explosive dangerous goods must not be stored in the machine room or the auxiliary computer room, and notices such as "No Smoking" and "No Open Flames" should be put up. Effective fire-fighting equipment should be provided and placed where it is easy to reach, and effective fire water facilities should be installed in appropriate places.

The fire water reserve should last two hours, but the feed pipes (drainpipe, storm sewer) should not cross the equipment room, and fire hydrants should not be installed in it.

Alarm devices for smoke and high temperature should be installed and checked frequently.

8.5.6 Shockproof Requirement

The shockproof design should be one degree higher than the basic local construction regulation. An equipment room that does not meet the requirements should be strengthened. The equipment room shall be able to withstand a magnitude 7 earthquake.

8.5.7 Lightning Protection Requirement

The equipment room and auxiliary facilities such as chimneys, antennas, water towers and other structures higher than 15 m should take effective lightning protection measures in accordance with the requirements for Class Ⅱ buildings and structures.

The lightning protection design should cover both direct lightning strikes and incoming lightning surges. High-rise buildings should take anti-side-stroke measures.

Side strokes are very common in areas with frequent thunderstorms, and the design should adopt effective protection measures.

8.5.8 Anti-Electromagnetic Radiation Requirement

The equipment room shall stay away from high-power radio transmitters, radar transmitters and high-frequency large-current devices. The actual radiation energy to which the equipment room is exposed shall be below 300 mV/m, and the magnetic field intensity around the equipment room shall be less than 11 Gs.

8.5.9 Antistatic Requirement

Static electricity has a strong influence on equipment and can do it considerable harm. It can cause intermittent defects or performance reduction and software faults, and can make electronic switches and control circuits malfunction or even misoperate.

The static induction comes from:

• Outdoor high tension transmission line, lightning etc.

• Indoor environment, ground material and machine's structure.

• Static carried by the operator is transferred to the equipment.

In order to effectively eliminate the damage caused by static, the following measures can be taken:

• Good ground connection.

• Lay a well-grounded anti-static floor.

• The operator should wear a wrist strap connected to the electrostatic discharge hole in the rack.

8.6 Reliability Indices

System availability ≥ 99.99964% (= MTBF/(MTBF+MTTR))

MTBF > 120000 hours

MTTR < 30 mins.

9 Operation and Maintenance

It provides management of performance faults, version and configuration, as well as performance statistics, signaling tracing, failure observation and logs.

9.1 Fault Management

1 Front alarm and fault diagnosis

2 Back alarm

3 Failure observation

9.2 Configuration Management

1 Supports command line configuration mode and script files, and provides a batch command processing function.

2 Supports Chinese-English interface configuration mode.

3 User rights management

AAA can grant different rights to different groups of users. A super-user can modify the rights of ordinary users.

4 Backup of configuration data and rollback on fault.

9.3 Statistics Function

1 Statistics of the AAA front.

2 Statistics information of acceptance.

3 Flux / occupancy rate of resources / load statistics

9.4 Signaling Tracing

It provides signaling tracing at the RADIUS protocol layer. The AAA RADIUS protocol layer implements the OMC signaling tracing interface and supports tracing for a single IMSI, a single NAI or all users.

9.5 Log Management

AAA provides a log function that records the operation status of the current equipment, including configuration logs, system fault alarm logs etc., and supports browsing, copying and deleting logs.

9.6 Network Management Interfaces

1 North Interface (CORBA interface)

It connects to the superior network management interface.

2 SNMP Interface

9.7 Security Management

The security management modules ensure legal use of the system.

It consists of user management, role management, security validation and security strategy. It manages users and roles, and provides operator rights management.

9.7.1 User Management

It is an important part of security management, which provides adding and deleting users and querying and modifying user attributes.

Rights are preset according to user ID: users are divided into system administrators and ordinary users by ID. System administrators have absolute rights and can do anything except modify user names and role names; a system administrator cannot be locked and can log in without IP address restriction. Ordinary users can only query their own information or modify their own passwords.

9.7.2 Role Management

A role represents a set of specific rights (IP scope, command code, management object). The system administrator can dynamically create, delete, query and modify roles, forming new right sets to allocate to users.

9.7.3 Authentication and Authorization

It implements security control through log-in authentication to prevent illegal users from accessing O&M functions.

To control user operations, it provides interfaces that support authentication for OMS and other functional modules.

The details are as follows:

1 Log-in

It verifies user information such as password, user name and operation period, and restricts or locks out some users from access.

2 Security authentication

It checks whether a user has the right to perform a given operation.

Given the user ID, command and operation object parameters, it checks whether the user has these rights.
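The rights check described in 9.7.1 to 9.7.3, as an added sketch rather than the product's implementation: a role is the triple (IP scope, command codes, management objects), and the decision is returned with a reason so it can be written to an audit log. The command codes, object names, addresses and the `is_admin` and `locked` flags are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical command codes for the two operations the page says even a
# system administrator may not perform.
ADMIN_FORBIDDEN = frozenset({"MOD-USERNAME", "MOD-ROLENAME"})


@dataclass(frozen=True)
class Role:
    name: str
    ip_scope: tuple        # CIDR strings the operator may connect from
    commands: frozenset    # permitted command codes
    objects: frozenset     # permitted management objects


@dataclass
class User:
    user_id: str
    roles: list = field(default_factory=list)
    is_admin: bool = False
    locked: bool = False


def authorize(user: User, source_ip: str, command: str, obj: str):
    """Return (allowed, reason) for one command on one management object."""
    if user.is_admin:
        # Administrators are exempt from locking and from IP restriction.
        if command in ADMIN_FORBIDDEN:
            return False, "command not permitted for administrators"
        return True, "administrator"
    if user.locked:
        return False, "account locked"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    for role in user.roles:
        in_scope = any(addr in ipaddress.ip_network(cidr) for cidr in role.ip_scope)
        # All three parts of the triple must match within the same role.
        if in_scope and command in role.commands and obj in role.objects:
            return True, "role " + role.name
    return False, "no role grants this command on this object from this address"


if __name__ == "__main__":
    noc = Role("noc-operator", ("10.20.0.0/24",),
               frozenset({"SHOW-ALARM", "SET-THRESHOLD"}),
               frozenset({"aaa-node-1"}))
    operator = User("op1", roles=[noc])
    admin = User("root", is_admin=True)
    checks = [  # constructed requests
        (operator, "10.20.0.15", "SHOW-ALARM", "aaa-node-1"),
        (operator, "192.0.2.9", "SHOW-ALARM", "aaa-node-1"),
        (operator, "10.20.0.15", "SHOW-ALARM", "aaa-node-2"),
        (admin, "203.0.113.5", "MOD-ROLENAME", "aaa-node-1"),
    ]
    for user, ip, cmd, target in checks:
        print(user.user_id, ip, cmd, target, "->", authorize(user, ip, cmd, target))
```

Matching the address, command and object within a single role, rather than across the union of a user's roles, prevents two narrow roles from combining into a right that neither grants.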

9.7.4 Security Strategy Management

It can customize user account rules and query command set information for an NE.

1 View command set

The system divides commands into types according to NE service function type and operating mode. After selecting a target NE type and one command type of that NE, users can view all commands belonging to that command type. This function is open to all users.

2 Customized user account rules

It includes the following functions: setting password length and period of validity, setting whether to lock accounts and the unlock rules, and allowing the system administrator to customize user account rules.

10 Abbreviation

Table 5 Abbreviation

Abbreviation | Full Name
3G | The third generation mobile communications
3GPP2 | 3rd Generation Partnership Project 2
AAA | Authentication, Authorization and Accounting
ACK | Acknowledgement
AGW | Access Gateway
AH | Authentication Header
ATM | Asynchronous Transfer Mode
BAK | Broadcast Access Key
BCSN | Backplane of Circuit Switch Network
BCMCS | Broadcast and Multicast Service
BCTC | Backplane of Control Center
BNAS | Broadband Network Access Server
BOSS | Business and Operation Support System
BPSN | Backplane of Packet Switch Network
BS | Base Station
BSC | Base Station Controller
BSID | Base station identifier
BSN | Broadcast Serving Node
BSS | Base Station Subsystem
BTS | Base Transceiver Station
BUSN | Backplane of Universal Switch Network
CCG | Content Charging Gateway
CDMA | Code Division Multiple Address
CDMA2000-1X | CDMA2000 Phase One
CHAP | Challenge Handshake Authentication Protocol
CHUB | Control HUB
CLKD | CLOCK Distributor
CLKG | CLOCK Generator
CM | Configuration Management
COA | Care Of Address
CPLD | Complex Programmable Logic Device
DB | Database
DBA | Database Agent
DBIO | Database Input & Output
DBS | Database Subsystem

DHCP | Dynamic Host Configuration Protocol
DRC | Data Rate Control
EAP | Extensible Authentication Protocol
EAP-AKA | EAP Authentication and Key Agreement to be used with USIM
EAP-MD5 | EAP Message-Digest Algorithm 5
EAP-TLS | EAP with TLS
EAP-TTLS | EAP with TTLS
EMC | Electromagnetic Compatibility
EMI | Electromagnetic Interference
EMS | Element Management System
ESN | Electronic Serial Number
FA | Foreign Agent
FE | Fast Ethernet
FTP | File Transfer Protocol
GE | Giga Ethernet
GLI | GE Line Interface
GPRS | General Packet Radio Service
GGSN | Gateway GPRS Supporting Node
GRE | Generic Routing Encapsulation
HA | Home Agent
HLR | Home Location Register
HSS | Home Subscriber Server
ICMP | Internet Control Message Protocol
IETF | Internet Engineering Task Force
IGPS | Interface Ge of PDSS
IKE | Internet Key Exchange
IMSI | International Mobile Subscriber Identity
IPCP | IP Control Protocol
IPSec | IP Security
IPv6 | IP Version 6
IRM | International Roaming MIN
ISDN | Integrated Services Digital Network
ISMP | Integrated Services Management Platform
iSPP | Integrated Service Provisioning Platform
ISP | Internet Server Provider
ISAKMP | Internet Security Association and Key Management Protocol
L2TP | Layer2 Tunnel Protocol
LAC | L2TP Access Concentrator

LAN | Local Area Network
LCP | Link Control Protocol
LNS | L2TP Network Server
MAP | Mobile Application Part
MDN | Mobile Directory Number
MEID | Mobile Equipment Identification
MIP | Mobile IP
MPB | Main Processing Board
MS | Mobile Station
MSID | Mobile Station Identifier
NAI | Network Access Identifier
NCP | Network Control Protocol
NE | Network Element
NGN | Next Generation Network
NMC | Network Management Center
NMS | Network Management Subsystem
NPI | Network Provisioning Interface
OCS | Online Charging System
OMC | Operations & Maintenance Center
OMM | Operation Maintenance Module
PAP | Password Authentication Protocol
PCF | Packet Control Function
PDN | Packet Data Network
PDSN | Packet Data Serving Node
PDSS | Packet Data Switching System
pESN | Pseudo Electronic Serial Number
POMP | PDSS Operation and Maintenance Processing board
PPC | Prepaid Client
PPP | Point to Point Protocol
PPS | Prepaid Server
PPSN | PDSS Packet Switching Network board
PPTP | PPP Tunnel Protocol
PSI | PCF Session Identity
PSMP | PDSS Service Main Processing board
PSN | Packet Switch Network
PSPDN | Packet Switched Public Data Network
PUIM | PDSS Universal Interface Module
QoS | Quality of Service

RADIUS | Remote Authentication Dial In User Service
RSVP | Resource Reservation Protocol
SCP | Service Control Point
SNMP | Simple Network Management Protocol
SO | Service Option
SOAP | Simple Object Access Protocol
SPI | Service Provisioning Interface
TCP | Transfer Control Protocol
TOS | Type Of Service
UAM | Universal Access Method
UDP | User Datagram Protocol
UDR | Usage Data Record
URPM | PDSS Subscriber Data Processing Module at RP Side
VPN | Virtual Private Network
VSA | Vendor Specific Attribute
WVPN | Wireless Virtual Private Network
XML | eXtensible Markup Language