Today’s authentication, authorization and accounting (AAA) options allow service providers to manage resources for networks that have anywhere from a few thousand ports to several million, regardless of the underlying equipment and applications. They also enable ISPs to track and control who their users are, when they’re accessing the network and which applications they’re using. Probably most importantly, AAA enables billing for these applications.
The current generation of AAA products will be gradually replaced by Diameter, which is now being finalized by the Internet Engineering Task Force (IETF). In fact, because of its broad industry support, it is expected to be completed later this year and rolled out in service provider networks. Diameter is more extensible than RADIUS and will include many of the features that vendors have already implemented. It unifies accounting more closely within its structure, works with reliable transport protocols such as Stream Control Transmission Protocol, and is an open, IP-centric protocol that will enable network vendor choice and other improvements that will benefit billing. Diameter will most likely have its primary applications in new network designs, such as wireless AAA, rather than in applications where RADIUS is well established.
While the IETF’s Diameter standard is likely to play a major role in the future, most carrier network components do not comply with it today.
Traditional AAA systems distribute information across a multitude of RADIUS and accounting servers. This mass of non-correlated data—accounting records from each use of every service offering—has resulted in inconsistent data formats, administrative headaches, and an inability to control resources and services across the network. These problems are further magnified when the information is stored not only in multiple servers, but also across multiple applications and types of systems (RADIUS servers, accounting servers, billing systems).
In order to meet fluctuating demands of service offerings and packages, service providers should opt for a logically centralized, physically distributed system—one that eliminates data duplication, reduces administrative requirements and benefits the bottom line.
The AAA Choice
Most deployed AAA systems have evolved from one or two public versions of the RADIUS protocol; they were often built for the enterprise market and offer neither the Internet scalability nor the performance or speed demanded by major POPs. These systems scale by adding more servers with non-replicated customer and service information. Ideally, an AAA system will grow with the service provider’s business—without the need for high-end hardware to boost performance. In today’s volatile economy, it’s critical that service providers implement a system that has a good cost-to-performance ratio.
AAA is not a standalone entity; rather it’s tied into business and customer processes—from LDAP directories to billing systems, QoS and countless other applications. Service providers should look for AAA systems that offer more than standard RADIUS capabilities, which could include revenue recovery, port allocation and enforcement of service level agreements (SLAs) so they can offer more competitive advantages.
Sophisticated AAA provides support for millions of subscribers and eliminates multiple RADIUS servers located at various POPs. In order to offer roaming and corporate services, an AAA system should have a replicated, fault-tolerant architecture. This ensures greater service availability, automatic synchronization of data across servers and automatic support for roaming users. The system should include support for all users, regardless of access method, time of day or other parameters specific to customers’ needs. To ensure that Internet services are always up and running, full peer-to-peer replication and redundancy are necessary.
A scalable and fully meshed configuration will ensure support for millions of subscribers and avoid the need to have RADIUS servers at every POP. A multivendor system is another important consideration, as is easy setup of multiple RADIUS service connection profiles for assignment to single users, multiple users, groups or domains, which allows service providers to significantly reduce their service turn-up time. Finally, an AAA system should include a comprehensive proxy RADIUS for roaming services by standard proxy (login name and domain name), group domain or fail-over proxy.
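The three proxy styles named above (standard proxy keyed on login name and domain name, group domains that share one home realm, and an ordered fail-over list of home servers) reduce to a realm-routing table in front of the RADIUS server. The following is an added example written for this page, not code from the article or from any vendor's product; every realm, host name and shared secret in it is a constructed sample value, and the dead-server detection that would normally flip the `alive` flag is assumed to exist elsewhere.

```python
"""Proxy RADIUS realm routing (added example; not the article's or any
vendor's code). Models the three proxy styles the text lists: standard
proxy keyed on login name and domain name, group domains that share one
home realm, and an ordered fail-over list of home servers. Every realm,
host and secret here is a constructed sample value."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HomeServer:
    host: str
    port: int = 1812
    secret: str = "CONSTRUCTED-SHARED-SECRET"   # placeholder; real secrets come from protected config
    alive: bool = True                           # flipped by the (assumed) dead-server detector


@dataclass
class Realm:
    name: str
    servers: list                                # fail-over order: first alive server wins
    strip_realm: bool = True                     # forward "alice" rather than "alice@realm"


@dataclass
class RouteDecision:
    action: str                                  # "LOCAL", "PROXY" or "REJECT"
    forwarded_name: str = ""
    server: Optional[HomeServer] = None
    reason: str = ""


class ProxyTable:
    def __init__(self) -> None:
        self.realms: dict = {}
        self.group_domains: dict = {}            # alias domain -> home realm name

    def add_realm(self, realm: Realm) -> None:
        self.realms[realm.name.lower()] = realm

    def add_group_domain(self, domain: str, realm_name: str) -> None:
        self.group_domains[domain.lower()] = realm_name.lower()

    def mark_dead(self, host: str, alive: bool = False) -> None:
        for realm in self.realms.values():
            for srv in realm.servers:
                if srv.host == host:
                    srv.alive = alive

    @staticmethod
    def split_user(user_name: str):
        """Standard proxy split: 'user@domain' -> (user, domain); no '@' -> (user, None)."""
        if "@" not in user_name:
            return user_name, None
        user, _, domain = user_name.rpartition("@")
        return user, domain.lower()

    def route(self, user_name: str) -> RouteDecision:
        user, domain = self.split_user(user_name)
        if not user:
            return RouteDecision("REJECT", reason="empty login name")
        if domain is None:
            return RouteDecision("LOCAL", forwarded_name=user)
        # Group domain: several customer domains map onto one home realm.
        realm = self.realms.get(self.group_domains.get(domain, domain))
        if realm is None:
            # Unknown realms are rejected; never fall through to a default home server.
            return RouteDecision("REJECT", forwarded_name=user, reason=f"unknown realm {domain}")
        name = user if realm.strip_realm else user_name
        for srv in realm.servers:                # fail-over proxy: first live server in order
            if srv.alive:
                return RouteDecision("PROXY", forwarded_name=name, server=srv)
        return RouteDecision("REJECT", forwarded_name=user,
                             reason=f"all home servers for {realm.name} are down")


def build_sample_table() -> ProxyTable:
    """Constructed sample configuration: one realm with two fail-over servers,
    one partner realm that wants the full user@realm name, one group domain."""
    table = ProxyTable()
    table.add_realm(Realm("example.net", [HomeServer("radius1.example.net"),
                                          HomeServer("radius2.example.net")]))
    table.add_realm(Realm("partner.example", [HomeServer("aaa.partner.example")],
                          strip_realm=False))
    table.add_group_domain("sales.example.net", "example.net")
    return table
```

Unknown realms are rejected rather than routed to a default server: a proxy that silently forwards every unrecognised domain to a catch-all home server turns a typo into an authentication attempt against the wrong customer's directory.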
Accounting Data Key for Billing
Service providers require accounting files that accurately track all usage on their network. That means accounting files must correlate to RADIUS records and resource management records, in order for the accounting records to be used for usage-based customer billing, auditing of SLAs, cost-recovery, verification and usage measurement. In addition, the accounting files must be transferable to any billing system for processing. The accounting server communicates with the RADIUS server to retrieve the accounting messages. These servers may or may not reside on the same box.
Through integration with any commercial or custom-built billing system, service providers can synchronize services and pricing plans, perform real-time, flow-through account provisioning and transfer accounting data. Integration also eliminates duplicate data entry and ensures consistency of customer and service information. A centralized collection of RADIUS call records and content metering records for application services will provide a complete accounting picture.
Redundancy, which eliminates a single point of failure, as well as usage-based reporting, which gives administrators a real-time summary of active users and historical usage information per user, group or domain, are also key points. Flexible formatting, which provides standard formats such as RADIUS and AMA as well as custom formats, also should be considered when evaluating AAA systems.
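The correlation requirement stated above (accounting files must line up with RADIUS records before they can drive usage-based billing) and the per-user, per-domain usage reporting mentioned in this section come down to pairing Start and Stop accounting records. The following is an added example written for this page, not code from the article or from any accounting product; the detail-file layout follows the common FreeRADIUS style, and `SAMPLE_DETAIL` is a constructed input that includes a retransmitted Stop and a Start that never received its Stop, the two cases that most often corrupt billing totals.

```python
"""Correlating RADIUS accounting detail records into billable sessions
(added example, not the article's or any product's code). Parses a
FreeRADIUS-style detail file, pairs Start and Stop records by the
(NAS-IP-Address, Acct-Session-Id) key, drops retransmitted duplicates,
flags Starts that never received a Stop, and rolls usage up per user or
per domain. SAMPLE_DETAIL is a constructed input."""
from collections import defaultdict

SAMPLE_DETAIL = """\
Mon Jan 10 09:00:00 2005
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8001a2b3"
\tUser-Name = "alice@example.net"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 17

Mon Jan 10 09:05:00 2005
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8001a2b4"
\tUser-Name = "bob@example.net"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 18

Mon Jan 10 09:42:10 2005
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8001a2b3"
\tUser-Name = "alice@example.net"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 17
\tAcct-Session-Time = 2530
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 5242880
\tAcct-Terminate-Cause = User-Request

Mon Jan 10 09:42:15 2005
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8001a2b3"
\tUser-Name = "alice@example.net"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 17
\tAcct-Session-Time = 2530
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 5242880
\tAcct-Terminate-Cause = User-Request
"""


def parse_detail(text):
    """One dict per record. Each blank-line-separated block starts with the
    timestamp the server wrote it, followed by 'Attribute = Value' lines;
    string values are quoted in the file and unquoted here."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rec = {"_logged": lines[0].strip()}
        for line in lines[1:]:
            if "=" not in line:
                continue
            attr, _, value = line.partition("=")
            rec[attr.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def correlate(records):
    """Return (closed_sessions, open_starts). Acct-Session-Id is unique only
    within one NAS, so the key includes the NAS address. A second Stop with
    the same key is a NAS retransmission and is ignored so usage bills once."""
    starts, closed = {}, {}
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            starts.setdefault(key, rec)
        elif status == "Stop":
            if key in closed:
                continue                       # duplicate Stop: already billed
            start = starts.pop(key, None)
            user = rec.get("User-Name", "")
            _, _, domain = user.rpartition("@")
            closed[key] = {
                "user": user,
                "domain": domain,
                "seconds": int(rec.get("Acct-Session-Time", 0)),
                "octets": int(rec.get("Acct-Input-Octets", 0)) + int(rec.get("Acct-Output-Octets", 0)),
                "terminate_cause": rec.get("Acct-Terminate-Cause", ""),
                "had_start": start is not None,  # False means the NAS lost the Start
            }
    # Whatever is left in `starts` is still open (or the Stop was lost): not billable yet.
    return list(closed.values()), list(starts.values())


def usage_by(sessions, field):
    """Usage-based report keyed on 'user' or 'domain'."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "octets": 0})
    for s in sessions:
        t = totals[s[field]]
        t["sessions"] += 1
        t["seconds"] += s["seconds"]
        t["octets"] += s["octets"]
    return dict(totals)
```

Open Starts are reported separately rather than estimated: a Start with no Stop is either a live session or a lost Stop, and billing it requires an Interim-Update or a NAS query, not a guess.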
Resource Management and Session Control
Traditionally, trying to offer extensive wholesale services or limit fraudulent use of retail services meant having to choose, user by user, between offering session management and simultaneous session control. Previous schemes required service providers to manage multiple types of resources (ports, session counts, IP addresses) at multiple levels (user, domain, network access server, POP)—not an ideal situation for the growing provider.
Policy-based resource management should allow system administrators to define simultaneous session policies that are stored and correlated with other policies residing in a database. These can be used flexibly to limit the number of users, organizations or domains that can use the account for simultaneous sessions.
Overflow call management allows service providers to provision and enforce multiple quotas and bill for them at different rates. This enables flat-rate providers to bill customers for reserved ports, and then bill per port used beyond their reserved number. Administrators can set an overflow allowance as a percentage of a customer’s reserved ports.
A key requirement for service providers is the ability to enforce SLAs, monitor roaming patterns, and set quota limits by customer, day, POP or network. They also need to be able to offer and charge for flexible overflow call management, in order to meet peak or special customer demands.
To support vendor choice, a system should be able to integrate with all existing and future network access server (NAS) equipment, regardless of vendor or release. Virtual pooling for optimized use of critical NAS resources is an important consideration. Flexibility in tracking real-time status and resource usage will allow service providers to make intelligent access decisions based on current usage levels—by user, organization, NAS or domain. The ability to track customer access and application usage by time, day, POP or entire network is a final consideration.
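The three preceding paragraphs describe one admission decision made at several levels: a per-user simultaneous-session limit, a per-customer quota of reserved ports plus an overflow allowance set as a percentage, and the physical port count of the NAS the call arrived on, with accepted sessions tagged so reserved and overflow usage can be billed at different rates. The following is an added example written for this page, not code from the article or from any resource-management product; the customer domains, NAS addresses and policy numbers are constructed sample values.

```python
"""Policy-based session control with reserved and overflow ports (added
example, not the article's or any product's code). One ResourceManager
enforces, on every access request, a per-user simultaneous-session limit,
a per-customer port quota (reserved ports plus an overflow allowance in
percent) and the port capacity of the NAS. Accepted sessions are tagged
"reserved" or "overflow" so the two tiers can be billed at different
rates. Customer domains, NAS addresses and policy numbers are constructed."""
from dataclasses import dataclass


@dataclass
class CustomerPolicy:
    reserved_ports: int
    overflow_pct: int                # overflow allowance as a percentage of reserved ports
    max_sessions_per_user: int

    @property
    def port_ceiling(self) -> int:
        """Reserved ports plus the overflow allowance, rounded down."""
        return self.reserved_ports + (self.reserved_ports * self.overflow_pct) // 100


@dataclass
class Decision:
    accept: bool
    tier: str = ""                   # "reserved" or "overflow" when accepted
    reason: str = ""


class ResourceManager:
    def __init__(self) -> None:
        self.policies = {}           # customer domain -> CustomerPolicy
        self.nas_ports = {}          # NAS address -> physical port count
        self.active = {}             # session id -> {"user", "domain", "nas", "tier"}

    def add_customer(self, domain: str, policy: CustomerPolicy) -> None:
        self.policies[domain] = policy

    def add_nas(self, nas: str, ports: int) -> None:
        self.nas_ports[nas] = ports

    def _count(self, **match) -> int:
        """Real-time count of active sessions matching all given fields."""
        return sum(1 for s in self.active.values()
                   if all(s[k] == v for k, v in match.items()))

    def request(self, session_id: str, user_name: str, nas: str) -> Decision:
        if session_id in self.active:
            return Decision(False, reason="duplicate session id")   # retransmit or replay
        _, _, domain = user_name.rpartition("@")
        policy = self.policies.get(domain)
        if policy is None:
            return Decision(False, reason=f"no policy for domain {domain!r}")
        if nas not in self.nas_ports:
            return Decision(False, reason=f"unknown NAS {nas}")
        # Level 1: the user's own simultaneous-session limit.
        if self._count(user=user_name) >= policy.max_sessions_per_user:
            return Decision(False, reason="user simultaneous-session limit")
        # Level 2: the NAS has a finite number of physical ports.
        if self._count(nas=nas) >= self.nas_ports[nas]:
            return Decision(False, reason="NAS has no free ports")
        # Level 3: the customer's reserved quota plus its overflow allowance.
        in_use = self._count(domain=domain)
        if in_use >= policy.port_ceiling:
            return Decision(False, reason="reserved and overflow ports exhausted")
        tier = "reserved" if in_use < policy.reserved_ports else "overflow"
        self.active[session_id] = {"user": user_name, "domain": domain, "nas": nas, "tier": tier}
        return Decision(True, tier=tier)

    def release(self, session_id: str):
        """Called on Accounting-Stop; returns the released session or None."""
        return self.active.pop(session_id, None)

    def usage(self, domain: str) -> dict:
        """Real-time summary per customer: ports in use by tier, for SLA checks and billing."""
        return {"reserved": self._count(domain=domain, tier="reserved"),
                "overflow": self._count(domain=domain, tier="overflow")}
```

The tier is fixed at admission time: a session admitted as overflow keeps that rate even if a reserved port frees up later, which is the simplest rule to audit against the accounting records. A duplicate session id is refused rather than silently replacing the existing entry, since either a NAS retransmission or a replayed request would otherwise let a second session slip past the counters.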
Management and Administration
Typical service providers have a few key teams that are responsible for most network operations, service delivery and control. Due to the dynamic environment, these groups are often stretched to their capacity. Their stress is further elevated because information is distributed across multiple servers, regions and departments.
Service providers also have a fleet of agents to handle new account creation, billing inquiries, moves, adds and changes, along with the full suite of other administrative tasks. Streamlined management systems can help introduce new services faster. Such tools should enable the management of user and service profiles, network resources and associated policies.
Because service providers can experience rapid growth, they should strongly consider a partitioned management interface, which effectively distributes management control across multiple groups and regions. Partitioned management can be further extended to a service provider’s customer.
Providers should consider several criteria. They include support for a given business model, be it wholesale services, franchise/retail ISPs or acquisitions, through a flexible and hierarchical structure. Also crucial is a single point of entry for user information, which propagates information to the other servers and applications, thereby decreasing administration time and facilitating the launch of new services.
Multi-tiered administration for distributed management, which is an effective way to extend self-management capabilities, should also be considered. Customizable administrator privileges, which ensure delineation for both the scope and span of control among multiple users, are another important criterion. On-line reports that include active users, usage history and NAS utilization will offer service providers and their customers real-time system information that is crucial to billing. Secure communication between system components (such as RADIUS, resource management and billing elements) is a final decision factor.
Open System Integration and Industry Standards
Service providers require an open architecture that can leverage their current investment without locking them into a proprietary structure. An open, flexible, RADIUS-based system offers a centrally managed infrastructure to rapidly introduce new services and manage access to the variety of devices on the network without committing to one vendor.
A vendor-agnostic management platform allows service providers to select “best-of-breed” equipment across systems. It also allows them to acquire other ISPs, knowing they will be able to manage whatever network devices the acquired ISP has purchased.
A good approach is to use a combination of industry standard interfaces and purpose-built APIs. This strategy offers the utmost flexibility in choosing new equipment or applications as well as the shortest education time for new administrative staff, and it speeds up deploying new services. APIs can ensure flow-through (bidirectional) management across many IP services. This method ensures that integrating new services does not require system downtime.
Service providers should ensure that their systems comply with industry standards, including RADIUS, LDAP, DHCP and CORBA. In addition, well-defined APIs and toolkits will enable them to work directly with the systems. Integration with new applications should not be a long, laborious process, nor should it require scheduled system downtime. To ensure the integrity and performance of system data, the system architecture must have built-in rules and security, so that new applications cannot make unauthorized changes to existing data. APIs must be purpose-built for what they need to do.
Evolving With Business Needs
As service providers ready themselves for increased competition and market challenges, they require a flexible and robust AAA system that will adapt to the fluctuating market demands placed on their network and enable them to bill for future services.
Traditional architectures, with a mass of non-correlated data distributed across a multitude of systems, magnify the problems faced in today’s tough environment. But a logically centralized, physically distributed system gives today’s and tomorrow’s service providers a business opportunity and market advantage.