1 Introduction
This section is an introduction to this document. It contains information about the prerequisites, purpose, scope, and target group for the document. This section also contains explanations of typographic conventions used in this document.
1.1 Purpose and Scope
This document gives a brief introduction to the Layered Authentication, Authorization, and Accounting (AAA) Data in IPWorks provisioning solution, provided by Ericsson™ Dynamic Activation (EDA).
1.2 Target Group
The target group for this document is as follows:
- Application Administrator
- Marketing
- Network Administrator
- System Administrator
- Network Supervision Administrator
- Application Designer
For more information regarding the different target groups, see Library Overview Reference [1].
1.3 Typographic Conventions
Typographic conventions are described in Library Overview Reference [1]. In addition to the writing conventions mentioned above, the following applies:
2 Layered AAA Provisioning Solution
Data Layered Architecture (DLA) is an Ericsson architecture that provides a layered structure for network elements. This allows separation of traffic logic and data storage into different nodes.
2.1 Overview
An overview of the layered AAA provisioning solution and the nodes it includes is shown in Figure 1. For detailed information about AAA FE configuration, refer to User Guide for Resource Activation, Reference [4] and Configuration Manual for Resource Activation, Reference [7].
- BSS - Initiates the provisioning request towards Dynamic Activation.
- Dynamic Activation - A provisioning system that provides a single provisioning interface towards the Business Support System (BSS), by hiding the complexities of provisioning multiple underlying network elements.
For more information about configuration of Dynamic Activation in the deployment, see Configuration Manual for Resource Activation, Reference [7].
- CUDB - The Back-End database offered by the Ericsson realization of DLA, which decouples the user data storage from the application logic in the Front-Ends (FEs).
- AAA FE - Realizes the Authentication, Authorization and Accounting function, which handles user requests for access to network resources such as GPRS, Wi-Fi, and LTE/EPC. AAA supports both the RADIUS and Diameter protocols, which makes it compatible with legacy scenarios and future-proof with respect to 3GPP evolution.
2.2 Data Model AAA
The following figure shows the AAA provisioning data model in Centralized User Database (CUDB).
Figure 2 Data Model AAA
Dynamic Activation is responsible for the following:
- Map the CAI3G order to the LDAP objects in the data model for a subscriber. Some attributes have a different format in the CAI3G interface than in the LDAP schema.
- Check and add default values for attributes that are required (mandatory) in CUDB but optional in CAI3G.
- Handle identities and aliases under the root identities entry, generate the identity for a MultiSC (USERNAME, IMSI and MultiSC ID), and validate their relations for a given subscriber.
- Create the AAA service object each time a MultiSC is created in the CUDB. The AAA object (and any optional objects below it) is removed each time a MultiSC is deleted. AAA-specific data is added below the AAA object, and an IP address alias is added by applications during traffic. The IP address is not managed by Dynamic Activation.
2.3 Atomicity and Integrity Handling
Atomicity means ensuring that any operations performed on the system are either all completed successfully or all reversed successfully, so that the data stays consistent.
One CAI3G CSO can imply several LDAP orders towards the CUDB. Dynamic Activation provides atomicity in AAA provisioning as follows:
- Parse and validate the whole CSO before any LDAP order is sent towards the CUDB, to minimize the LDAP errors received from the CUDB.
- Retry the LDAP order when certain LDAP errors are returned from the CUDB, for example Function Busy. The number of retries is configurable. For more information about the retry setting, see User Guide for Resource Activation, Reference [4].
- Support fault tolerance and rollback when LDAP errors are returned from the CUDB and the retries have failed. For more information about fault tolerance and rollback on AAA operations, see Function Specification Resource Activation, Reference [6].
If the rollback also fails, atomicity is not achieved and CUDB integrity is not assured. Dynamic Activation then raises an alarm and returns error information about the inconsistent data in the CUDB.
For more information about the AAA alarm, see Event and Alarm Handling, Reference [5].
For more information about the rollback failure error, see Layered IPWorks/AAA Provisioning over CAI3G, Reference [2].
In case of data inconsistency, manual action is needed. For more information about AAA actions, see Function Specification Resource Activation, Reference [6].
Note: Simultaneous Create, Set and Delete operations on the same subscriber can result in inconsistent data in the CUDB. Reserve a sufficient time interval between the different operations, taking the retry behavior into account.
2.4 AAA Provisioning
CAI3G is offered for provisioning of Layered AAA data. Through the CAI3G provisioning interface, it is possible to perform the following Customer Service Orders (CSOs):
- Create/Set/Get/Delete AAAUser
- Create/Set/Get/Delete AAAGroup
- Create/Set/Get/Delete AAAPolicy
For more information, refer to Layered IPWorks/AAA Provisioning over CAI3G Reference [2].
A CLI is offered for massive print and end operations on AAA users, groups, and policies, using the following commands:
- AAMSUIP
- AAMSUGP
- AAMSUPP
- AAMSUGE
- AAMSUPE
For more information, refer to Layered IPWorks/AAA Massive Provisioning over CLI, Reference [3].
2.4.1 AAA User
This MO is used to handle the provisioning of an AAA User.
When an AAA User is initiated, the following entries are created in CUDB:
- Alias USERNAME entry pointing to mscId entry under username identities entry;
- Identities entry with USERNAME and usernameMask attributes under mscId entry;
- AA entry with profile object under mscId entry;
- If individual policies, add individual policy entries under AA entry;
- If multiple shared policies, add alias shared policy name entries under AA entry;
- If multiple groups, add alias group name entries under AA entry;
When an AAA User is modified, the following operations are performed in CUDB:
- Modify profile object and individual policy objects in AA entry;
- If individual policies, add or delete individual policy entries under AA entry;
- If multiple shared policies, add or delete alias shared policy name entries under AA entry;
- If multiple groups, add or delete alias group name entries under AA entry;
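The atomicity handling of section 2.3 applied to the Create AAAUser entries listed above, as an added example and not code from Dynamic Activation: the whole CSO is validated before any LDAP order is sent, busy errors are retried a configurable number of times, and a failed order rolls back the entries already added, raising an alarm if the rollback itself fails. The DN layouts, attribute names, the in-memory FakeCudb stand-in and the error classes are assumptions made for illustration.

```python
# Added example, not Ericsson code: DN layouts, attribute names and error classes are constructed.
class LdapBusy(Exception): pass     # stands in for a transient LDAP error such as Function Busy
class FakeCudb:
    """In-memory CUDB stand-in; faults[dn] lists the errors an add raises before it succeeds."""
    def __init__(self, faults=None, delete_fails=False):
        self.entries, self.faults, self.delete_fails = {}, dict(faults or {}), delete_fails
    def add(self, dn, attrs):
        if self.faults.get(dn):
            raise self.faults[dn].pop(0)(dn)
        self.entries[dn] = attrs
    def delete(self, dn):            # delete_fails=True makes the rollback itself fail
        if self.delete_fails:
            raise RuntimeError("delete failed on " + dn)
        del self.entries[dn]

def aaa_user_orders(cso):
    """Expand one Create AAAUser CSO into the LDAP adds listed in section 2.4.1."""
    msc = cso["mscId"]
    orders = [(f"USERNAME={cso['username']},identities", {"aliasedObjectName": f"mscId={msc}"}),
              (f"identities,mscId={msc}", {"USERNAME": cso["username"], "usernameMask": cso["usernameMask"]}),
              (f"AA,mscId={msc}", {"profile": cso["profile"]})]
    orders += [(f"policy={p},AA,mscId={msc}", {"kind": "individual"}) for p in cso.get("policies", [])]
    orders += [(f"sharedPolicy={p},AA,mscId={msc}", {"kind": "alias"}) for p in cso.get("sharedPolicies", [])]
    orders += [(f"group={g},AA,mscId={msc}", {"kind": "alias"}) for g in cso.get("groups", [])]
    return orders

def provision(cudb, cso, max_retries=2):
    # Validate the whole CSO before any LDAP order is sent; retry busy errors; roll back on failure.
    if any(k not in cso for k in ("mscId", "username", "usernameMask", "profile")):
        return "rejected"            # nothing was sent towards CUDB
    done = []                        # DNs added so far, reversed on rollback
    for dn, attrs in aaa_user_orders(cso):
        for attempt in range(max_retries + 1):
            try:
                cudb.add(dn, attrs)
                done.append(dn)
                break
            except (LdapBusy, RuntimeError) as err:
                if isinstance(err, RuntimeError) or attempt == max_retries:
                    return rollback(cudb, done)   # permanent error, or retries exhausted
    return "created"

def rollback(cudb, done):
    # Reverse the completed adds; if that fails too, CUDB integrity is not assured.
    try:
        for dn in reversed(done):
            cudb.delete(dn)
        return "rolled_back"
    except RuntimeError:
        return "alarm_inconsistent_data"   # Dynamic Activation raises an alarm and reports the error
```

With `delete_fails=True` the partially written entries stay in the stand-in, which is the inconsistent state that requires the manual action described in section 2.3.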
2.4.2 AAA Group
This MO is used to handle the provisioning of an AAA Group.
When an AAA Group is initiated, the following entries are created in CUDB:
- Group name entry under Groups entry in mscCommonData;
- If multiple shared policies, add alias shared policy name entries under group name entry.
When an AAA Group is modified, the following operations are performed in CUDB:
- If multiple shared policies, add or delete alias shared policy name entries under group name entry.
2.4.3 AAA Policy
This MO is used to handle the provisioning of an AAA Policy.
When an AAA Policy is initiated, a policy name entry is added under the Policies entry in the mscCommonData object, with the PolicyChecklist and PolicyReplylist attributes.
When an AAA Policy is modified, the policy name entry under the Policies entry is modified.
2.4.4 AAA Massive Operation
- AAMSUIP – Command to print AAA Users
- AAMSUGP – Command to print AAA Groups
- AAMSUPP – Command to print AAA Policies
- AAMSUGE – Command to end an AAA Group
- AAMSUPE – Command to end an AAA Policy
Reference List
| Ericsson Documents |
|---|
| [1] Library Overview, 18/1553-CSH 109 628 Uen |
| [2] Layered IPWorks/AAA Provisioning over CAI3G, 19/155 19-CSH 109 628 Uen |
| [3] Layered IPWorks/AAA Massive Provisioning over CLI, 21/155 19-CSH 109 628 Uen |
| [4] User Guide for Resource Activation, 1/1553-CSH 109 628 Uen |
| [5] Event and Alarm Handling, 3/1553-CSH 109 628 Uen |
| [6] Function Specification Resource Activation, 3/155 17-CSH 109 628 Uen |
| [7] Configuration Manual for Resource Activation, 2/1543-CSH 109 628 Uen |
