
POZNAN UNIVERSITY OF TECHNOLOGY ACADEMIC JOURNALS

No SERIA 2007

Sylwester Kaczmarek*, Urszula Orłowska**

IMPLEMENTATION OF AAA SERVER LABORATORY MODEL

The purpose of the paper is to show the educative aspects of the created AAA (Authorization, Authentication and Accounting) server laboratory model. The paper is arranged in the following way. Section 2 presents the created concept of an AAA system based on H.323 protocols. It introduces the functions that each module performs as well as all open source solutions used for module implementation. It also presents the practical establishment of the laboratory set together with the configuration steps for every module, and lists several tests which were done on the created system. Section 3 discusses the skills and knowledge that each student should gain after performing all proposed experiments. Both sections are preceded by an introduction.

Keywords: NGN, AAA server, RADIUS, Linux, Education

1. INTRODUCTION

Standardization of the AAA system began at the end of the 1990s, when the IETF (The Internet Engineering Task Force) set up a special group called ‘The AAA working group’. Before the AAA system architecture was introduced, each piece of equipment authenticated the users of its resources by itself. Since there was no standard, each machine used a different authentication method. The main problems with that approach were poor scalability and lack of universality.

The necessity of bringing the AAA system to life came together with the concept of using the Internet as a platform for handling telecommunication services. The concept of NGN networks is characterized not only by convergence of techniques and technologies, but also by functional divergence. The system of sending and exchanging information in NGN networks can be organized in different ways, using different techniques and technologies, depending on the services provided. In NGN networks, the integration of many services on one equipment platform is a very important issue. Integration in terms of telecommunication means independence of the offered services from the access method used and from the forwarding protocol. All that led to the necessity of introducing a standardized method which would allow for authorization, authentication and monitoring of users making use of the variety of services. Hence the concept of the AAA system architecture appeared.

Poznańskie Warsztaty Telekomunikacyjne, Poznań, 6-7 December 2007

1.1. The functionality of AAA system

The functional structure of NGN networks is visible in the layer model of the telecommunication network (Figure 1). The AAA system, which is the subject of this paper, is located in the call control servers layer.

[Figure 1: call control servers layer, connection control servers layer and resources layer, shown for Operator 1 and Operator 2]

Fig. 1. Layer model of NGN networks [4]

Control is an important issue in terms of the quality delivered to clients. The fact that an NGN network has to provide real time services imposes strict functional and time requirements on control. Functions performed by the AAA system belong to the set of request service functions. The name of the system is an abbreviation of the words describing its functionalities: Authentication, Authorization and Accounting. Authentication is a process during which the identity declared by an endpoint is verified. The result of this process is the basis for granting or refusing the user network access rights. Authorization is a set of rules according to which a decision is made whether the user can receive the rights and services requested [7]. Authorization can be done only if the user has already been granted network access in the preceding authentication process. Accounting means the methodology of collecting information about all resources used by endpoints [8].


1.2. AAA System architecture

The schematic diagram of AAA system architecture is depicted in Figure 2.

[Figure 2: endpoint, AAA client (NAS), network, AAA server (Authentication, Authorization, Accounting)]

Fig. 2. AAA System architecture [5]

In the discussed example the basic network architecture is extended by introducing AAA functionality performed by:

– AAA server – the equipment located in the network’s core; it performs the AAA function directly by itself or forwards all requests to another AAA server.

– AAA client (NAS) – the equipment located at the network’s edge; it controls access to the network (acts as an access point). It requests access to resources for itself or its users.

2. DESCRIPTION OF LABORATORY SET

The AAA system concept was developed on the basis of open source solutions. The laboratory set was established afterwards as a proof that the concept is correct and fulfils the assumed functionalities.

2.1. The concept of AAA system on basis of open sources

The concept of the AAA system discussed in this paper was created in agreement with DGT Sp. z o. o. As its basic functionality it assumes VoIP working with the use of the H.323 protocol. The block diagram of the discussed concept is presented in Figure 3.


[Figure 3: two ATK – DGT 7410 devices, each linked by H.323 (RAS) to GnuGK (Gatekeeper); GnuGK linked by RADIUS to IBSng (AAA Server); IBSng linked by xSQL to the PostgreSQL Data Base]

Fig. 3. The concept of AAA system

End users are connected to the IP network via the ATK-DGT 7410 device. This device uses H.323 signaling (RAS) and communicates with GnuGK (gatekeeper – AAA system client – NAS). The gatekeeper asks the IBSng application (IBSng is a server performing AAA system services), using the RADIUS protocol [6], whether particular endpoints are the ones they claim to be (authentication) and whether they have the right to initiate and receive incoming calls (authorization). IBSng verifies endpoints’ rights by sending SQL requests to the external PostgreSQL database, where information about all H.323 endpoints belonging to the system is located. Accounting functionality is performed by the gatekeeper, which sends to the IBSng application all essential information about established connections (start/stop/connection’s length) and its work session (gatekeeper’s application start/stop). All data is saved by the IBSng application in the PostgreSQL database. The part of the data referring to the users is treated as billing records, CDR (Call Detail Records).

AAA system modules were created in the following way:

– ATK-DGT7410 – a standalone device which allows for access to the IP network and usage of basic POTS services,

– GNU-Gatekeeper – a gatekeeper implementation based on open source solutions, available at http://www.gnugk.org

– IBSng – an AAA server implementation based on open source solutions, available at http://ibs.sourceforge.net/

– PostgreSQL – a freely available relational database management system.

2.2. AAA system establishment in Linux environment

The laboratory set was created on the basis of the following equipment requirements:

– PC computer with Linux OS, Mandriva distribution 2005 (Mandrake 10.2),

– Hub (with Internet access),

– ATK – DGT 7410 based on the H.323 standard,

– 2 analogue telephones with cables ended with RJ11 on both ends.

The schematic diagram of the test laboratory set is depicted in Figure 4.

In order to establish the system it was necessary to install the Apache server, php5, XML, Python and PostgreSQL as well as ATK, GnuGK and IBSng (and to configure the mentioned modules).

ATK configuration can be done in two ways: via the RS port or via a www browser [1]. ATK configuration includes:

– general settings configuration: ATK IP address (ipaddr), subnet mask (netmask), Gateway IP address (gatewayip), Gatekeeper IP address (GK), turning on access to ATK via http (WWW=1),

– configuration of the ports which endpoints are connected to (port state = on, telephone number, select en-block) and setting passwords for each port.

GnuGK configuration should allow for communication between the terminals and the IBSng application. The configuration file located in /dgt/gk/gnugk.ini is used for that purpose. Values for each gatekeeper configuration section have to be set manually. The sections allow for e.g.: selecting the call signaling and H.245 signaling forwarding mode; defining access rules to the gatekeeper status port and the gatekeeper authentication mechanisms; defining the configuration settings which allow for authentication via the RADIUS protocol; describing the accounting module which forwards accounting (billing) data to the RADIUS server [2].

IBSng configuration is done via its website. The configuration steps are as below [9]:

– add radius server (Add New RAS),

– create new tariff for VoIP (Add New Tariff),

– create new charge (Add New Charge),

– add new users’ group (Add New Group),

– add new user (Add New User).

After all steps are done the system should work correctly. This is the case if a connection is established and the user is charged.

2.3. Test performed in laboratory environment

In order to verify that all modules work as desired and that communication between modules is correct, several tests were performed on the established AAA system. The tests were divided into three verification stages.

Stage 1: correctness of forwarded H.323 signaling frames.

The purpose of the first test was to verify that endpoints register correctly. Four connection scenarios were performed afterwards. The scenarios differed in the route by which each signaling channel (call signaling and H.245 signaling) was established (connection directly between endpoints or routed via the gatekeeper).


Stage 2: correctness of frames forwarded via RADIUS protocol.

The purpose of the first test was to verify the correctness of the RADIUS protocol message exchange. The structure of the following messages was analyzed afterwards: Access-Request, Access-Accept, Access-Reject, Accounting-Request, Accounting-Response [3].

Stage 3: correctness of AAA server functionalities.

The conducted tests were divided into subject groups:

– Logging in via www and verification of all actions available to or restricted for a user,

– Correctness of functions connected with reporting,

– Correctness of charging.

Tests referring to forwarded H.323 signaling messages and the RADIUS protocol were performed with the use of Ethereal. In the case of the AAA system server tests the following were analyzed: values saved in the database via the IBSng application, messages appearing on the gatekeeper status port, and protocol frames captured with Ethereal.
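The Stage 2 frame analysis can also be reproduced outside Ethereal. The following added example (not code from the paper, GnuGK or IBSng) parses a RADIUS packet according to RFC 2865 and checks the MD5 authenticator of a reply and of an Accounting-Request; the shared secret, user name and packets are constructed sample values, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 27: "Session-Timeout",
         40: "Acct-Status-Type", 46: "Acct-Session-Time"}  # small subset


def parse(packet: bytes) -> dict:
    """Decode the 20-byte header and the type-length-value attribute list."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= min(len(packet), 4096):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((ATTRS.get(a_type, str(a_type)), packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": CODES.get(code, str(code)), "id": ident,
            "authenticator": packet[4:20], "attrs": attrs}


def expected_auth(packet: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()


def auth_ok(packet: bytes, secret: bytes, request_auth: bytes = bytes(16)) -> bool:
    """Replies: pass the request's authenticator; Accounting-Request: 16 zero octets."""
    return hmac.compare_digest(expected_auth(packet, secret, request_auth), packet[4:20])


def build(code, ident, attrs, secret, request_auth=bytes(16)) -> bytes:
    """Assemble a signed packet; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + expected_auth(head + bytes(16) + body, secret, request_auth) + body


# Constructed sample exchange: secret, user name and values are made up.
SECRET = b"lab-secret"
REQ_AUTH = bytes(range(16))  # stands in for the random Request Authenticator
ACCEPT = build(2, 7, [(27, struct.pack("!I", 600))], SECRET, REQ_AUTH)
ACCT = build(4, 8, [(1, b"1001"), (40, struct.pack("!I", 2)),
                    (46, struct.pack("!I", 95))], SECRET)

if __name__ == "__main__":
    print(parse(ACCEPT), auth_ok(ACCEPT, SECRET, REQ_AUTH), auth_ok(ACCT, SECRET))
```

An Access-Request carries a random Request Authenticator, so only replies and accounting requests can be checked this way; a failed check on a captured frame points to a shared secret mismatch between gatekeeper and AAA server or to a modified packet.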

3. EDUCATIVE ASPECTS OF AAA SERVER LABORATORY MODEL

Two experiments are proposed. They will be conducted on separate laboratory sets because of the differences in their subjects. The experiment titles are as follows:

– Configuration of AAA system elements,

– Functionality tests of AAA server.

The schematic diagram of the laboratory set is depicted in Figure 4. The purpose of both experiments is to gain knowledge about the AAA system implemented on the basis of H.323 protocols, to get familiar with Linux OS, and to acquire skills in the usage of Ethereal (the tool used for analyzing frames). The experiments were set up so that a student performing them first learns how to configure the AAA system and afterwards runs functionality tests on the already configured system. While conducting the experiments the student also acquires other skills:

– Configuration of AAA system elements

While performing this experiment the student learns how the AAA system is built and what its functions and functionalities are. The student acquires skills in configuring:

a) ATK DGT 7410 from bootloader level or from www browser level,

b) Gatekeeper using the gnugk.ini configuration file,

c) AAA Server for H.323 using the IBSng application.

The student can notice the essence of communication between particular elements and the need to establish each element, which is an integral part of the whole system.

In order to check the correctness of the experiment, the student should establish a connection, then observe the messages on the gatekeeper status port and the user presence on the AAA server via Report → Online Users. The student should comment on the received results.

[Figure 4: ATK – DGT 7410 with two endpoints; Internet; hub or switch; PC computer with installed: Apache server, GnuGK application, IBSng application, PostgreSQL data base]

Fig. 4. Schematic diagram of laboratory set prepared for students

– Functionality tests of AAA server

While performing this experiment the student learns how the processes of Authorization, Authentication and Accounting proceed via the RADIUS protocol (it uses off-line filtration of frames observed via Ethereal). The student can observe the process of exchanging messages, analyze how each frame is built and compare the results with theoretical assumptions. The student should comment on the observations afterwards. The student gains knowledge about the capabilities of the presented AAA system based on the H.323 protocol:

a) Student checks the system’s reaction to a connection establishment attempt after the password is changed to an incorrect one, comments on the solution observed and presents own suggestions.

b) Student checks the correctness of accounting depending on the rate and prefixes used. He also observes the system’s reaction to modifications of particular parameters and again comments on the received results.

c) Student checks the correctness of real time graph creation. Graphs should be analyzed and results should be commented on.

d) Student establishes a connection which is too long for the money resources collected on the user’s account. Student comments on the system’s reaction using the IBSng application and RADIUS protocol frame analysis.

e) Student tries to establish a connection when there are no money resources collected on the user’s account, observes the system’s reaction and suggests a solution.

After conducting the described experiments the student should have theoretical knowledge about the AAA system and should be able to configure the system, analyze RADIUS protocol frames using the Ethereal tool, and modify AAA system configuration parameters using the IBSng application. The student should know the system’s reactions to introduced modifications and should also be able to observe these reactions on the gatekeeper status port, on the AAA server (using the IBSng application) and with the use of RADIUS protocol messages. The student should analyze the received results and suggest own solutions.

4. CONCLUSIONS

In this paper the educative aspects of the AAA server laboratory model were presented. The way of creating the system, from concept to practical implementation in a Linux environment, was shown. Configuration of the most important elements together with the performed tests was discussed. Such a system is a necessary part of NGN networks. Each telecommunication company which exists on the market tries to provide an AAA system solution in its offer. This makes the AAA system even more interesting for students. They should know the issues connected with the AAA system and understand the processes between the system’s elements. The experiments presented in this paper allow gaining such knowledge. To extend the already established laboratory set, a system configuration could be added so that not only voice but also data could be transferred. To implement such a system, a special device which supports data transfer has to be used. It can be RouterOS™ V2.9 made by MikroTik. The device enables the set up of a wireless network as well. It would allow creating a wireless AAA system.

REFERENCES

[1] Company materials, Samodzielny Abonencki Terminal Kablowy ATK – DGT 7410. Operating manual. DGT Sp. z o.o., Gdańsk 2005.

[2] Documentation for GnuGK, http://heanet.dl.sourceforge.net/sourceforge/openh323gk/gnugk-manual-2.2.4.pdf

[3] Hassell J., RADIUS, Publisher O’Reilly, October 2002.

[4] Kaczmarek S., Next Generation Networks Architectures, Lecture materials, PG WETI, Gdańsk 2004.

[5] Metz Ch., AAA PROTOCOLS: Authentication, Authorization and Accounting for the Internet, IEEE Internet Computing, November – December 1999.

[6] RFC 2865, Remote Authentication Dial In User Service (RADIUS), Network Working Group, June 2000.

[7] RFC 2904, AAA Authorization Framework, Network Working Group, August 2000.

[8] RFC 2975, Introduction to Accounting Management, Network Working Group, October 2000.
