A domain or an AAA server manages users by configuring service attributes for the users.
Domain management includes access management and service management.
Access management
In a domain, you can configure the authorization, authentication, and accounting schemes and the corresponding servers that are used when a user accesses the BAS interface; configure the authentication mode used in user authentication; specify the IP address pool and the DNS server that are used to assign an IP address to a user; and control user access by setting a limit on the number of access users and setting the alarm threshold of IP addresses.
The following functions are highlighted:
− Time period control
In a specified time period, a domain automatically enters the blocked state. At this time, the users in the domain cannot get online, and the online users are forced to get offline. When the time period expires, the domain is activated and users in the domain can get online. Four time periods can be set in a domain, and all of them can take effect independent of each other.
− Mandatory PPP authentication
Generally, the authentication mode (PAP/CHAP/MSCHAP) for PPP users is determined through the negotiation between the PPP client and the virtual template (VT) interface. After an authentication mode is configured in a domain for PPP users, the PPP users are authenticated according to the configured authentication mode.
− IP address alarm
After the upper threshold (in percentage) of IP addresses is set, the CX600 sends a trap to the NMS when the IP address utilization exceeds the upper threshold. If the threshold of IP addresses is not set, the CX600 does not generate any alarm no matter how the IP addresses in the domain are used.
− Mandatory Web authentication
If a user that requires Web authentication or fast authentication attempts to access an unauthorized address before authentication, the CX600 redirects the access request to the mandatory Web authentication server so that the user can be authenticated.
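The time period control described above, as an added example that is not part of the Huawei documentation or the CX600 implementation: a domain model with up to four independently effective blocking periods, and the admit / reject / force-offline decision for a user. The "HH:MM" period format and the handling of a period that wraps past midnight are assumptions of this example.

```python
from typing import List, Tuple

# A blocking period is ("HH:MM", "HH:MM") in local time of day. The feature
# description allows up to four periods per domain, each taking effect on its own.
Period = Tuple[str, str]
MAX_PERIODS = 4

def to_minutes(hhmm: str) -> int:
    """Parse "HH:MM" into minutes since midnight, rejecting out-of-range values."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"invalid time of day: {hhmm}")
    return hour * 60 + minute

def in_period(now: str, period: Period) -> bool:
    """True if `now` lies inside the period. A period whose end precedes its start
    (e.g. 23:00-01:00) is treated as wrapping past midnight; that handling is an
    assumption of this example, not something the feature description specifies."""
    start, end = (to_minutes(edge) for edge in period)
    current = to_minutes(now)
    if start <= end:
        return start <= current < end
    return current >= start or current < end

def domain_blocked(now: str, periods: List[Period]) -> bool:
    """The domain is blocked when `now` falls inside any configured period."""
    if len(periods) > MAX_PERIODS:
        raise ValueError(f"a domain supports at most {MAX_PERIODS} time periods")
    return any(in_period(now, period) for period in periods)

def access_decision(now: str, periods: List[Period], online: bool) -> str:
    """Blocked domain: new logins are rejected and online users are forced offline.
    Active domain: users are admitted."""
    if domain_blocked(now, periods):
        return "force-offline" if online else "reject"
    return "admit"

# Constructed sample configuration: a nightly maintenance window that wraps
# midnight and a one-hour daytime block.
SAMPLE_PERIODS: List[Period] = [("23:00", "01:00"), ("12:00", "13:00")]

if __name__ == "__main__":
    for clock in ("00:30", "12:30", "09:00"):
        print(clock, access_decision(clock, SAMPLE_PERIODS, online=True))
```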
Service management
After a user gets online, the user can be managed through a domain in terms of basic access services (such as accessing the Internet) or the rights, bandwidth, and QoS of value-added services.
The involved service attributes include: QoS profile, user priority, captive portal, multicast group, time period, traffic statistics, accounting packet copy, and idle-cut. The following functions are described:
− Captive portal
Captive portal means that when a user accesses the external network for the first time after passing the authentication, the CX600 forcibly redirects the access request to a certain server, which is usually the portal server of a carrier. In this manner, a service provided by the carrier is immediately accessed after the user is connected to the Internet.
1 AAA and User Management
HUAWEI CX600 Metro Services Platform Feature Description - User Access
1-16 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Issue 01 (2010-06-25)
− Idle-cut
Idle-cut means that when the traffic from a user is smaller than the lower threshold within a certain time period, the CX600 considers the user idle and cuts off the connection with the user. In the configuration of the idle-cut function, you need to specify two parameters, namely, the time period and the traffic threshold.
− Traffic statistics collection
This function falls into two categories: collecting the total traffic in a domain, and collecting the upstream and downstream traffic of each user.
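The idle-cut decision described above, as an added example that is not part of the Huawei documentation or the CX600 implementation: given cumulative traffic counters polled at a fixed interval, it reports when the traffic over the most recent full time period drops below the configured threshold. The polling model and the treatment of a counter reset are assumptions of this example.

```python
from typing import List, Optional

def idle_cut_time(counters: List[int], poll_s: int, period_s: int,
                  threshold_bytes: int) -> Optional[int]:
    """Return the time (seconds after the user came online) at which idle-cut
    disconnects the user, or None if it never fires.

    `counters` are cumulative traffic counters (upstream plus downstream bytes)
    sampled every `poll_s` seconds starting at t=0. The two idle-cut parameters
    from the feature description are `period_s` (the time period) and
    `threshold_bytes` (the lower traffic threshold): the user is idle when the
    traffic seen over the most recent full period is below the threshold.
    The polling model is an assumption of this example."""
    if poll_s <= 0 or period_s <= 0 or period_s % poll_s:
        raise ValueError("period must be a positive multiple of the polling interval")
    window = period_s // poll_s          # polling intervals that make up one period
    deltas: List[int] = []               # traffic observed in each polling interval
    for i in range(1, len(counters)):
        delta = counters[i] - counters[i - 1]
        if delta < 0:
            # Counter reset or wrap: the history is unreliable, so restart the
            # window rather than cut a user on a bogus reading (assumption).
            deltas.clear()
            continue
        deltas.append(delta)
        if len(deltas) >= window and sum(deltas[-window:]) < threshold_bytes:
            return i * poll_s
    return None

# Constructed sample: counters polled every 60 s. The user is busy for the first
# five minutes, then only a trickle of keepalive-sized traffic follows.
SAMPLE_COUNTERS = [0, 50000, 120000, 200000, 260000, 300000,
                   300100, 300200, 300200, 300300, 300300, 300400]

if __name__ == "__main__":
    # A 5-minute period with a 10 KB threshold fires once the window covering
    # t=300..600 s holds only 300 bytes.
    print(idle_cut_time(SAMPLE_COUNTERS, poll_s=60, period_s=300, threshold_bytes=10240))
```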
1.6 Applications
1.6.1 RADIUS Authentication and Accounting
1.6.2 HWTACACS Authentication, Accounting, and Authorization
1.6.1 RADIUS Authentication and Accounting
User 1, user 2, and user 3 access the Internet through the CX600. The users send authentication packets to the RADIUS server for authentication and authorization. When the master server goes down, the packets are switched to the backup server for authentication or accounting. After the authentication succeeds, the RADIUS server delivers the corresponding rights to the users, and the users can then access the Internet.
Figure 1-4 Network diagram of RADIUS authentication and accounting (figure not reproduced: user1@isp1, user2@isp2, and user3@isp3 reach the Internet through the CX600; RADIUS master and backup servers at 129.7.66.67 and 129.7.66.66)
1.6.2 HWTACACS Authentication, Accounting, and Authorization
User 1, user 2, and user 3 access the Internet through the CX600. The users send authentication packets to the HWTACACS server for authentication and authorization. When the master server goes down, the packets are switched to the backup server for authentication or accounting. After the authentication succeeds, the HWTACACS server delivers the corresponding rights to the users, and the users can then access the Internet. The accounting bills can also be copied to the bill server at the same time they are sent to the HWTACACS server.
Figure 1-5 Networking diagram of HWTACACS authentication, accounting, and authorization (figure not reproduced: user1@isp1, user2@isp2, and user3@isp3 reach the Internet through the CX600; HWTACACS master and backup servers at 130.7.66.67 and 130.7.66.66; bill server at 10.10.10.1)
1.7 Impact
1.7.1 On the System Performance
1.7.2 On Other Features
1.7.3 Defects
1.7.1 On the System Performance
None.
1.7.2 On Other Features
None.
1.7.3 Defects
None.
1.8 Terms and Abbreviations
Abbreviation Full Spelling
AAA Authentication Authorization Accounting
RADIUS Remote Authentication Dial In User Service
HWTACACS HUAWEI Terminal Access Controller Access Control System