AAA protocol

Triple-A systems (AAA systems, or simply AAA) are widely used by wired and mobile network operators and by Internet service providers. The three As stand for authentication, authorization and accounting of the network access of customers (end users).

In principle, the triple-A system does not take part in the data transfer itself; it controls it. It uses the Internet protocol hierarchy and, essentially, the time information publicly available on the network to generate authentic event messages and event data (paired clock-in/clock-out times, i.e. session start and end times).

The primary task of the triple-A system is to control the network elements in the transport network, to obtain acknowledged usage data from these network elements, and to grant or deny access to them. The data that the authenticated client transmits, on the other hand, is carried by the transport network (e.g. the public, global IP transport network known as the "Internet").


Server function

Incoming connection requests, calls, requests for IP address assignment and other service requests are processed, answered, refused and/or redirected by a central server function for an entire network (e.g. an intranet or VPN) or a cellular network, often many hundreds per second or more.

For temporary Internet access, an Internet service provider needs to

  • identify its customers (authentication)
  • specify which services are provided to the customer (authorization)
  • and ultimately determine the extent to which services were used (attribution, accounting)

Put simply, it answers the questions "who", "what" and "how much". (A AAA server in principle provides the data for internal allocation to defined accounts; however, lacking a pricing scheme and a control scheme, it does not support third-party billing beyond supplying the evidence.)

Its influence on the transport network includes, among other things, allowing or denying a connection (authorization: only authorized users are admitted), enabling certain services (such as access to only certain IP addresses) and assigning the IP address for the end user.

The triple-A system can also grant access to these internal data structures and thus provide external systems, such as an e-mail server or a proxy server, with the account associated with an IP address.

Application

Most data in triple-A systems are used by time recording systems (time & attendance) and billing systems (accounting, billing), and are updated by customer management systems (CRM, customer relationship management).

Identity management servers refer to the customer and contract data, or manage the commercial aspects and the data of users or end customers.

Triple-A systems are generally designed specifically for each application and often serve more specific requirements: for example mobile data communications, such as authentication with SIM cards, dynamic control of Internet/intranet access (in this case within an existing IP session or connection) and the like. Traditional RADIUS systems are often not powerful or flexible enough here. In the context of special products, access to SS7 networks is also possible.

A more recent application of triple-A systems exploits the fact that such a system records in its internal data structures which customers are currently online. After all, the triple-A system has authenticated the customer and assigned the IP address. This assignment (IP address to client) is stored until the customer's connection ends, which the network element reports when it transmits the usage data at the end of the link. In RADIUS, transmitting usage data during the connection is rather unusual, since the original standard provided for only one transmission at the end of the connection.
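The "who is currently online" table described above, as an added example that is not part of the original article: it models how a triple-A system could keep the IP-to-account assignment from RADIUS accounting records (Start, Interim-Update and Stop, with the Acct-Status-Type values from RFC 2866) so that an e-mail server or proxy can ask which account holds an address. The record dictionaries, the `OnlineTable`/`whois` names and the staleness timeout used to cope with a lost Stop record are assumptions of this example.

```python
# Added example (not from the original article): tracks which customers are
# online from RADIUS accounting records. Record layout and values are constructed.
from dataclasses import dataclass

ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3   # Acct-Status-Type values (RFC 2866)

@dataclass
class Session:
    user: str
    ip: str
    started: int
    last_seen: int
    octets_in: int = 0
    octets_out: int = 0

class OnlineTable:
    def __init__(self, stale_after: int = 900):
        self.by_session = {}   # Acct-Session-Id -> Session
        self.by_ip = {}        # Framed-IP-Address -> Acct-Session-Id
        self.closed = []       # finished sessions, handed on to billing
        self.stale_after = stale_after  # assumed: 3x the interim interval, covers a lost Stop

    def record(self, rec: dict) -> None:
        sid, status, now = rec["Acct-Session-Id"], rec["Acct-Status-Type"], rec["Event-Timestamp"]
        if status == ACCT_START:
            if sid in self.by_session:
                return                      # retransmitted Start: keep the original session
            ip = rec["Framed-IP-Address"]
            old = self.by_ip.pop(ip, None)  # IP re-used before its Stop arrived: old one is over
            if old is not None:
                self.closed.append(self.by_session.pop(old))
            self.by_session[sid] = Session(rec["User-Name"], ip, now, now)
            self.by_ip[ip] = sid
            return
        s = self.by_session.get(sid)
        if s is None:
            return                          # Interim/Stop for an unknown session: ignore (log it in practice)
        s.last_seen = now
        s.octets_in = rec.get("Acct-Input-Octets", s.octets_in)
        s.octets_out = rec.get("Acct-Output-Octets", s.octets_out)
        if status == ACCT_STOP:
            self.by_ip.pop(s.ip, None)
            self.closed.append(self.by_session.pop(sid))

    def whois(self, ip: str, now: int):
        """Answer an e-mail server's or proxy's question: which account holds this IP right now?"""
        sid = self.by_ip.get(ip)
        if sid is None:
            return None
        s = self.by_session[sid]
        return None if now - s.last_seen > self.stale_after else s.user
```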

Context control

In modern triple-A systems, identities are combined with complex access policies (context-sensitive authorization).

Security

Triple-A systems are the central element for the objectives of data protection and data security, from the perspective of network operators as well as that of their contractual partners. The protocols meet the requirements for ITSEC and TCSEC security certification according to the state of the art, in particular the international standard ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation).

History

An early application was the then newly emerged service "dial-up Internet", in which a computer is only temporarily part of the Internet and therefore receives an IP address only temporarily, for the duration of a connection. This variant of Internet connection, initially viewed as "exotic", is very common today.

Standards

The standard protocols for these operations, maintained by the IETF, are RADIUS and Diameter. Limitations inherent in the RADIUS protocol (in particular, encryption of only a subset of the content) led, among other things, to the development of Diameter. However, RADIUS is still mainly in use for local area networks. The other well-known alternative, TACACS+, is a proprietary protocol from Cisco Systems, which was derived from TACACS and XTACACS and lacks essential features for mobile services.

Mostly proprietary protocols, as well as SOAP, LDAP and DNS, are also used to access these data and functions of a network.
