ZXUN UniA Product Description

ZXUN UniA Product Description
Version Date Author Approved By Remarks
V1.00 2008-12-18 Not open to the Third Party
© 2008 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be
disclosed or used without the prior written permission of ZTE.
Due to update and improvement of ZTE products and technologies, information of the document is
subjected to change without notice.
ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. I

TABLE OF CONTENTS
1 General Description ................................................................................................... 1

1.1 General Introduction .................................................................................................... 1
1.2 System Architecture..................................................................................................... 1
1.3 Standards Compliance ................................................................................................ 2
2 Product Features........................................................................................................ 3
2.1 Large-capacity and High Performance ........................................................................ 3
2.2 Abundant Network Access Capability.......................................................................... 4
2.3 Flexible Accounting Mechanism .................................................................................. 4
2.4 High Security and High Reliability Mechanism ............................................................ 4
2.5 Easy-to-Operating and Easy-to-Manage ..................................................................... 5
3 AAA Functions Introduction ..................................................................................... 5

3.1 Data Integration ........................................................................................................... 5
3.1.1 Multi Network Convergence Access............................................................................ 5
3.1.2 Visited AAA/Broker AAA/Home AAA ........................................................................... 5
3.1.3 AAA and AN-AAA Database Fusion............................................................................ 6
3.2 Authentication and Authorization................................................................................. 6
3.2.1 Distributed Authentication and Accounting Processing............................................... 6
3.2.2 User Authentication Algorithm ..................................................................................... 6
3.2.3 User Authentication Strategy ....................................................................................... 7
3.2.4 User Authorization ....................................................................................................... 7
3.2.5 Simple IP Access......................................................................................................... 8
3.2.6 CMIP Access ............................................................................................................... 9
3.2.7 PMIP Authorization .................................................................................................... 10
3.2.8 IP Accessibility Service.............................................................................................. 11
3.3 Accounting ................................................................................................................. 11
3.3.1 Postpaid Accounting .................................................................................................. 11
3.3.2 Prepaid Accounting of Radius Protocol ..................................................................... 11
3.3.3 Prepaid Accounting of Diameter Protocol.................................................................. 12
3.3.4 Content Accounting ................................................................................................... 12
3.3.5 CDR Management ..................................................................................................... 12
3.4 Agent Forward ........................................................................................................... 12
3.4.1 Choose Route Agent Based on Realm...................................................................... 13
3.4.2 Choose Route Agent Based on IMSI Prefix .............................................................. 13
3.4.3 Default Routing .......................................................................................................... 13
3.4.4 Routing Agent for Dynamic Authorization Messages ................................................ 13
3.5 Expansion Function ................................................................................................... 13
3.5.1 State Test of Adjacent Node...................................................................................... 13
3.5.2 WAP User Access ..................................................................................................... 14
3.5.3 Multi-WAP Gateway Access ...................................................................................... 14
3.5.4 Different WAP Gateway Sharing IP Address............................................................. 14
3.5.5 1x/EVDO Access Control........................................................................................... 14
3.5.6 Access to Multi-PPS/SCP.......................................................................................... 14
3.5.7 LNS IP Address Mapping .......................................................................................... 15
3.5.8 LNS Redundancy and Load Sharing ......................................................................... 15
3.5.9 DM Dynamic Management ........................................................................................ 15
3.5.10 User Online Session Management............................................................................ 15
3.5.11 Automatic Binding between NAI and IMSI................................................................. 15
3.5.12 Binding Restriction of IMSI Number with NAI ............................................................ 16
3.5.13 Many-to-many Binding of IMSI and VPN................................................................... 16
II © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary

3.5.14 Temporary Account ................................................................................................... 16

3.5.15 Period Access Control ............................................................................................... 16
3.5.16 User Lock................................................................................................................... 16
3.5.17 IPV6 and IPV4 Dual-stack ......................................................................................... 17
3.5.18 BCMCS Service Authorization, Authentication and Accounting................................ 17
3.6 Acceptance ................................................................................................................ 17
3.6.1 Acceptance Table ...................................................................................................... 17
3.6.2 BOSS Interface Acceptance ...................................................................................... 18
3.7 Lawful Interception..................................................................................................... 18
3.8 Abnormality Handle Mechanism................................................................................ 18
4 AN-AAA Function Introduction............................................................................... 19

4.1 Data Fusion ............................................................................................................... 19
4.1.1 Visited AN-AAA/Broker AN-AAA /Home AN-AAA ..................................................... 19
4.1.2 AN-AAA and AAA Database Fusion.......................................................................... 19
4.2 Authentication and Authorization............................................................................... 19
4.2.1 User Authentication Algorithm ................................................................................... 19
4.2.2 User Free-of-Authentication....................................................................................... 20
4.2.3 Hardware Authentication ........................................................................................... 20
4.2.4 CAVE Authenticaiton Based on pESN ...................................................................... 20
4.2.5 MNID Authorization.................................................................................................... 20
4.2.6 Profile Authorization................................................................................................... 20
4.2.7 Customized Attribute Authentication ......................................................................... 20
4.3 Agent Forward Function ............................................................................................ 21
4.3.1 Choose RouteAgent Based on Realm....................................................................... 21
4.3.2 Choose Route Agent Based on IMSI Prefix .............................................................. 21
4.3.3 Default Routing .......................................................................................................... 21
4.4 Expansion Function ................................................................................................... 21
4.4.1 User Lock................................................................................................................... 21
4.4.2 Refuse Access In Permanently ................................................................................. 22
4.4.3 CAVE Authentication Synchronize Counter .............................................................. 22
4.4.4 Roaming Restriction .................................................................................................. 22
5 Interfaces and Communication............................................................................... 22

5.1 Physical Interfaces..................................................................................................... 22
5.2 Logic Interfaces ......................................................................................................... 22
5.2.1 Interface between AAA and PDSN/HA/AAA/WAP Gateway ..................................... 22
5.2.2 Interface between AAA and OCS .............................................................................. 23
5.2.3 Interface between AAA and PPS/SCP ...................................................................... 23
5.2.4 Interface between AAA and Accounting Center ........................................................ 23
5.2.5 Interface between AAA and ISPP.............................................................................. 24
5.2.6 Interface between AAA and LIC ................................................................................ 24
5.2.7 Interface between AN-AAA and AN........................................................................... 24
5.2.8 Interface between AN-AAA and HLR ........................................................................ 25
5.2.9 Interface between AN-AAA and ISPP ....................................................................... 25
6 System Architecture ................................................................................................ 25

6.1 Hardware Architecture ............................................................................................... 25
6.2 Software Architecture ................................................................................................ 27
7 System Security and Reliability.............................................................................. 29

7.1 Redundancy Mechanism ........................................................................................... 29
7.2 Dual-network Dual-plane Networking ........................................................................ 29
7.3 Automatic Monitoring Process ................................................................................... 29
7.4 Overload Control........................................................................................................ 29
7.5 Security Management................................................................................................ 29
ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. III
8 Technical Indices and Regulations ........................................................................ 30

8.1 Capacity Indices ........................................................................................................ 30
8.2 Performance Indices.................................................................................................. 30
8.3 Electricity Indices ....................................................................................................... 30
8.3.1 Server Rack Indice .................................................................................................... 30
8.3.2 Alarm Box Indices...................................................................................................... 31
8.4 Working Environment ................................................................................................ 31
8.5 Environmental Indices ............................................................................................... 31
8.5.1 Cleanliness Requirement........................................................................................... 31
8.5.2 Lighting Requirement................................................................................................. 31
8.5.3 Barometric Pressure Reqirement .............................................................................. 32
8.5.4 Air Requirement......................................................................................................... 32
8.5.5 Fire Control Requirement .......................................................................................... 32
8.5.6 Shockproof Requirement ........................................................................................... 32
8.5.7 Lightning Protection Requirement ............................................................................. 32
8.5.8 Anti-Electromagnetic Radiation Requirement............................................................ 33
8.5.9 Antistatic Requirement............................................................................................... 33
8.6 Reliability Indices ....................................................................................................... 33
9 Operation and Maintenance .................................................................................... 34

9.1 Fault Management..................................................................................................... 34
9.2 Configuration Management ....................................................................................... 34
9.3 Statistics Function...................................................................................................... 34
9.4 Signaling Tracing ....................................................................................................... 34
9.5 Log Management....................................................................................................... 34
9.6 Network Management Interfaces............................................................................... 35
9.7 Security Management................................................................................................ 35
9.7.1 User Management ..................................................................................................... 35
9.7.2 Role Management ..................................................................................................... 35
9.7.3 Authentication and Authorization............................................................................... 35
9.7.4 Security Strategy Management ................................................................................. 36
10 Abbreviation ............................................................................................................. 37
IV © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary

FIGURES
Figure 1 Network Architecture Based on CDMA2000 1X/EV-DO System .................................. 1

Figure 2 Protocol Models of Interface between AAA and PDSN/HA/AAA/WAP Gateway ........ 23
Figure 3 Protocol Models of Interfaces between AAA and OCS ............................................... 23
Figure 4 Protocol Models of Interfaces between AAA and PPS/SCP ....................................... 23
Figure 5 Interface Protocol Model between AAA and LIC ......................................................... 24
Figure 6 Interface Protocol Model between AN-AAA and AN.................................................... 24
Figure 7 Interface Protocol Model between AN-AAA SS7 Front PC and HLR .......................... 25
Figure 8 AAA Hardware Architecture......................................................................................... 26
Figure 9 AAA Software Architecture .......................................................................................... 27
TABLES
Table 1 CN Packet System NE Function Introduction................................................................ 2

Table 2 Server Rack Indices..................................................................................................... 30
Table 3 Alarm Box Indices ........................................................................................................ 31
Table 4 Temperature and Humidity .......................................................................................... 31
Table 5 Abbreviation ................................................................................................................. 37
ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. V

1 General Description
1.1 General Introduction

ZXPDSS Packet data switch system is an important part of CDMA2000 1X/EV-DO
digital cell mobile communication system. ZXUN UniA system supports AAA and AN-
AAA function, which is capable of multi-network convergence, and realize CDMA1X/EV-
DO, WLAN, WiMAX, WCDMA, fixed network access, it can provide perfect solutions.
1.2 System Architecture

Please see Figure 1.
PSTN
cdma2000 1X
BTS BSC/PCF MSC/VLR HLR/AUC
HA
cdma2000 EV-DO AAA Internet
Router
IP Firewall
BTS BSC/PCF PDSN/FA Network
AN-AAA
Firewall LNS
Intranet
WLAN
AP OCS ISPP PPS/SCP LIC(Option)

AC
BillinCenter (Option)
Figure 1 Network Architecture Based on CDMA2000 1X/EV-DO System
ZTE CDMA2000 1X/EV-DO packet data switch system includes the following products:
ZXPDSS P200：Packet Data Serving Node（PDSN）
ZXPDSS H200：Home Agent（HA）
ZXPDSS B200：Broadcast service Node（BSN）
ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. 1

ZXUN UniA：Authentication, Authorization, Accounting（AAA & AN-AAA）
Table 1 CN Packet System NE Function Introduction
Equipment Introduction
PDSN PDSN（Packet Data Serving Node）: It bears wireless
and packet data network access gateway, provides
Simple IP and Mobile IP access modes, and provides
Internet or Intranet access service for CDMA2000
mobile station.
When providing Mobile IP access service, PDSN is
integrated with FA function.
HA HA（Home Agent）: it locates in MS home network, it
maintains MS location information, establish
corresponding relations between MS IP address and
MS handover address. when mobile station leaves
registered network, it needs to register in HA; after HA
receives packet sent to mobile station, it will send the
packet by tunnel between HA and FA, decapsulate it
and sends to MS.
HA is needed only in Mobile IP service.
BSN BSN（Broadcast Service Node）: It bears BCMCS
service, maintains broadcast channel with BSC/PCF,
fulfills program registration and session information
acquiring, and establishes and maintains bearer channel
with content server. BSN applies stream processing
mechanism authorized by BCMCS controller to multi-
cast IP stream. It also receives copies and distributes
broadcast media stream from content server.
BSN is needed only BCMCS is available.
AAA AAA (Authentication, Accounting, and Authorization
Server): Also called RADIUS server. AAA server
implement authentication for packet data user, and
authorization it according to subscription information,
AAA server can also be capable of packet data call
accounting.
AN-AAA AN-AAA（Access Network-AAA Server）：AN-AAA
bears access authentication of AN-Level, and implement
validation and authorization of EV-DO terminal ID
legality.
1.3 Standards Compliance

ZXPDSS CDMA2000 packet data switch system provides open interfaces based on
3GPP2.P.S001-A and RFC, which supports the following protocols and standards:
[1] RFC 2865, Remote Authentication Dial In User Service (RADIUS)
[2] 3GPP2 P.S0001-A V3.0.0 Wireless IP Network Standard，July 2001
2 © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary

[3] RFC 4282, the Network Access Identifier
[4] RFC 2104, HMAC: Keyed-Hashing for Message Authentication
[5] RFC 3748, Extensible Authentication Protocol (EAP)
[6] RFC 4017, Extensible Authentication Protocol (EAP) Method Requirements

for Wireless LANs
[7] RFC 3579, RADIUS (Remote Authentication Dial In User Service) Support For
Extensible Authentication Protocol (EAP)
[8] RFC 2869, RADIUS Extensions
[9] RFC 2866, RADIUS Accounting
[10] RFC 3344, IP Mobility Support for IPv4
MSCHAPv2, G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC2759
[11] RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial

In User Service (RADIUS)
[12] RFC 3775, Mobility Support in IPv6
[13] RFC 2868, RADIUS Attributes for Tunnel Protocol Support
[14] RFC 3012, Mobile IPv4 Challenge/Response Extensions
[15] draft-ietf-mip4-gen-ext-01.txt
[16] RFC 2548, Microsoft Vendor-specific RADIUS Attributes
[17] RFC 4372, Chargeable User Identity
[18] RFC2618, RADIUS Authentication Client MIB
[19] RFC 2619, RADIUS Authentication Server MIB
[20] RFC 2620, RADIUS Accounting Client MIB
[21] RFC 2621, RADIUS Accounting Server MIB
2 Product Features
2.1 Large-capacity and High Performance

1 It adopts distributed authentication, authorization, and provides large capacity and
high performance products.

2 It supports smooth upgrading to distributed architecture products of uniform user

data management, and can offer natural redundant project and large-capacity
redundant project for operators.
3 AAA supports the smooth evolution to the HSS, for the operators to offer a network
with sustainable project development.
2.2 Abundant Network Access Capability

1 AAA strictly complies with 3GPP2, CCSA, China Telecom and China Unicom
related standards and interface specifications with perfect connectivity and
compatibility characters.
2 In order to support CDMA, WLAN, WiMAX, WCDMA, and other fixed network
access authentication, authorization and Accounting methods, which can realize
AAA integration with multiple networks conveniently, AAA provides a variety of
access modes and application scenarios for operators, and offers unified access
network data management platform.
3 AAA supports unity or separation of deployment with AN-AAA flexibly and

economically.
4 AAA supports multiple authentication methods CHAP, PAP, CAVE, UAM, EAP-AKA,
EAP-TLS (PSK), EAP-TTLS and EAP-MD5, which meets the diversification of the
end-user access authentication.
5 AAA supports rich Profile group configuration. The property information of each
group can be flexibly configured to meet a variety of access requirements.
2.3 Flexible Accounting Mechanism

1 AAA supports customized CDR, flexible CDR Field and CDR with or without
attributes.
2 AAA supports CDR-file backup and CDR-database backup. Also AAA support CDR
buffer to make the AAA system work normally in abnormal case and avoid CDR lost.
3 AAA supports all-round billing function including pre-paid, post-paid and content-
paid. AAA is compliant with national and international billing interface specifications
and it’s easy to make customized accounting strategy.
2.4 High Security and High Reliability Mechanism

1 AAA supports redundancy mechanism, two-node cluster hot backup networking
further ensures the system reliability through the disk array and cluster software.
2 Software watchdog is designed to monitor, auto-recovery and startup service

processes, it enhances the AAA reliability.
3 AAA supports overload control function to ensure system stable in abnormal case.

4 AAA network is dual-net and dual-plane, which can avoid single-node failure.
5 AAA supports security control function and operator privilege management function.
2.5 Easy-to-Operating and Easy-to-Manage

1 Powerful local supporting team, having fast response and quick customization R&D
capability, can supply high-efficient technical support and service.
2 Support for local OMM and next higher level EMS management mechanism, and
multi NBI(northbound interface) such as CORBA、SNMP and FTP etc. , which
makes centralized network management much easier.
3 Support GUI (Graphical User Interface) and MML (Man Machine Language), which
makes O&M easier and efficient.
4 Provide detailed performance statistics, which are used to analyze performance

data, customer’s habit, network performance, and to make reasonable network
development plan.
3 AAA Functions Introduction
3.1 Data Integration
3.1.1 Multi Network Convergence Access
AAA can support multi access such as WiMAX、CDMA、WLAN、WCDMA and PSTN

for authentication, authorization and accounting. AAA can support uniform access
network data management platform because multi network data fusion can meet multi
access scenarios.
In CDMA network, AAA is connected with PDSN/HA for authentication, authorization

and accounting.
In WLAN network, AAA is connected with BRAS/AC for authentication, authorization and
accounting.
In WCDMA network, AAA is connected with GGSN for authentication, authorization and
accounting.
In WiMAX network, AAA is connected with AGW/HA for authentication, authorization

and accounting.
3.1.2 Visited AAA/Broker AAA/Home AAA

ZXUN UniA supports Visited AAA, Broker AAA and Home AAA function.

As a Visited AAA, it receives PDSN Radius massage, and transmits the massage to
home network according to the agent transferring strategy.
As a Broker AAA, it receives and transfers AAA Radius massages from other AAAs,
generally, multi-AAA share one Broker AAA to implement the interaction among areas
and networks.
As a home AAA, it processes the authentication, authorization and accounting of the

user access.
3.1.3 AAA and AN-AAA Database Fusion

It provides uniform management of user information and operation maintenance, it
works as a logical functional entity to fulfill access network authentication and IP
authentication, which can reduce investment.
AAA and AN-AAA can be separated or integrated when distributing with flexible
networking mode.
3.2 Authentication and Authorization
3.2.1 Distributed Authentication and Accounting Processing

AAA system provides distributed authentication and accounting processing, the
authentication, authorization and accounting can be implemented in different server
nodes, and improve the processing performance and reliability.
AAA server takes charge for authentication and authorization, accounting server takes
charge for accounting and generating CDR, AAA sever and Accounting server
implement the distributed processing, which improves the AAA server response
performance and safety. When AAA server receives the accounting message, it
transfers to Accounting sever for processing, if there is any abnormality, AAA server
stores the accounting message at local sever, and sends the stored accounting
massage to Accounting sever after the recovery, it can avoid the user CDR massage
drop through such abnormal protecting mechanisms.
The capacity and performance of AAA will be improved smoothly, while reusing the old
equipments sufficiency and only adding one set of duel-array and without requiring any
addition to OMC or agent sever.
3.2.2 User Authentication Algorithm

AAA support multi-authentication algorithm, such as CHAP,PAP,UAM,EAP-AKA,EAP-
TLS(PSK),EAP-TTLS,EAP-MD5 and etc.
CHAP and PAP are mainly used in CDMA, WCDMA and fix network access
authentication.
UAM 、 EAP-AKA and EAP-TLS(PSK) are mainly used in WLAN network access
authentication.

EAP-AKA、EAP-TLS(PSK) 、EAP-TTLS and EAP-MD5 are mainly used in WiMAX

access authentication.
3.2.3 User Authentication Strategy
3.2.3.1 Public Account
It is set by AAA, the user name and password are all public, any legal terminal can
access to the network by this account.
The public account does not need to establish association between account and
terminal IMSI, the pubic attribute is configured in Profile associated with public account.
AAA supports configuring Profiles for every terminal in order to provide differentiated
services.
3.2.3.2 Private Account
It is set by AAA, the terminal uses private account to access to network. AAA also
supports multiple terminals using one private account to access to the network, or one
terminal uses different private account to the network.
3.2.3.3 Roaming Authentication
The user information is maintained by home AAA, when user roams outside, the serving
AAA transfers user’s access requests to home AAA for authentication, home AAA
implements authentication and authorize related Profile attributes.
The serving AAA implements router analyze according to realm information of User-
Name or IMSI in users’ requests, and transfers access requests to home AAA.
3.2.3.4 User Free of Authentication
AAA supports free-of-authentication function, when user account (including public and
private accounts) is set free-of-authentication, when users access for authentication,
AAA directly pass the authentication without judging password, authorize related service
attributes and go on with following procedures.
3.2.4 User Authorization
3.2.4.1 Profile Authorization
AAA can configure the profile information according to different sorts of users, the profile
information includes: User’s QoS information, bandwidth, time, address allocation
strategy and so on. AAA sends user profile information to PDSN, when the user finishes
accessing; the PDSN limits the user network resource according to the user profile
information which has been authorized.

NAI user in AAA belongs to service group, each group owns one profile template, the
profile template can pre-set the authorization operation attribute (such as bandwidth,
time or RADIUS that authorized the attribute), AAA licenses the user’s profile content to
PDSN when user passes the access authorization.
3.2.4.2 Customized Attribute Authentication
Customized Attribute Authentication allows providers to support non-normally employed

attribute extension and provide proprietary service.
Employing the configuration function of network management system, AAA is capable of

customizing what kind of VSA shall be adopted to carry and distribute service attribute.
In other words, Attributes like Vendor-ID, Vendor-Type and Vendor-Value of VSA can be
customized dynamically according to different requirements.
3.2.4.3 L2TP VPN Authorization
Employing system access function, packet switch network carrying capacity, IP tunnel
and IP Sec, The VPN service provides remote access to enterprise and group intra
servers for packet data users who can enjoy all kinds of data services as usual without
caring whether they access to local or remote servers.
When user accesses the network, realm part of User-Name message represents L2TP
VPN domain name. AAA authenticates LNS IP address, tunnel password, tunnel type
and tunnel media type according to local L2TP VPN domain name configuration.
3.2.4.4 Authorize User Attribute according to IMSI
When using public account, AAA supports IMSI to authorize user attribute, it will provide
differentiated profile authorization.
The public account do not need to establish association between account and terminal
IMSI, the subscription attribute is configured in the associated Profile, AAA supports
configure Profile for every IMSI, after the terminal accesses and authenticate
successfully, AAA can authorize user profile information according to IMSI.
3.2.4.5 Authorize User Attribute according to NAI+IMSI
AAA supports Profile authorization mode of IMSI+NAI, if user requests for accessing,
AAA shall combine Profiles configured by IMSI and NAI together, and authorize to
PDSN. After the combination, set one Profile attribute as a reference according to
configuration strategy, and combine with another attribute, if there’s any confliction, the
reference Profile attribute is preferred.
3.2.5 Simple IP Access

Simple IP is similar to the network access through dialing modem on the fixed telephone.
The IP address assigned for the MS each time is dynamic and changeable. Simple IP
can only implement the data communication with the MS as the calling party. Also, the

data communications will be interrupted for inter-PDSN handoff and will not be resumed
until the call is initiated again.
AAA supports access authentication, authorization and accounting under simple IP

mode.
3.2.5.1 Static IP Address Authorization
When customers applying service subscription to operators, it always needs to use static
IP address (fixed IP address), AAA allows each account Profile to subscribe with static
IP address attribute.
When terminal using this account to access to network, PDSN set special attribute which
includes Ipv4 （Framed-IP-Address =255.255.255.255）in the accessing request, after
requesting AAA for authorizing IP address, if AAA judges this account is local and not
roaming, AAA will authorize static IP address subscripted in user profile to PDSN.
3.2.5.2 Dynamic IP Address Authorization
When each user is on-line, PDSN or AAA will dynamically distribute a vacant IP address
for MS. This distribution mode is applied to distribute IP address for on-line users when
the number of users is larger than IP address resource.
AAA support dynamic IP address authorization, when user is access, it will authorize IP
address dynamically.
3.2.5.3 IP Address Pool Authorization
AAA is capable of configuring IP address pool for different types of users respectively,
so as to deploy independent IP address pool for public network, office network and VAS
users, and realize IP isolation for different users.
When terminal accesses to network, AAA authenticates an IP address pool to an PDSN

which will authenticate an IP address to a user later. There are 3 types of AAA
authentication modes listed as follows
1 AAA authenticates IP address pool to PDSN according to NAS-ID and NAI;
2 AAA authenticates IP address pool to PDSN according to the Profile of NAI;
3 AAA authenticates IP address pool to PDSN according to the Profile of IMSI.
3.2.6 CMIP Access

Mobile IP is the solution based on the RFC2002 protocol for providing mobile functions
over the worldwide Internet. It features good expandability, high reliability and security.
In addition, it keeps normal communications when the MS switches between PDSNs.
Mobile IP provides a IP routing mechanism, which can help MS connect to IP public
network or private network as a permanent IP address, it can also help MS work as
called party.

AAA supports access authentication, authorization and accounting under mobile IP

mode.
3.2.6.1 Dynamic Authorization HA
HA takes charge of mobility management of mobile IP and agent mobile IP. HA locates
mobile users according to MS registration information and forward packet data to user’s
currently-registered FA (in PDSN). Considering payload balance, several HAs can be
deployed in home-zone.
AAA supports dynamic HA distribution defined in 3GPP2. AAA distributes HA address to

PDSN dynamically when there are several HAs in home-zone.
3.2.6.2 MN-HA sharing Key Authorization
When mobile station uses MIP to access to network, it initiates MIP registration, after HA
receives the registration request, home AAA shall authorize the MN-HA key to it.
3.2.6.3 DNS Address Distribution
MS needs to allocate the master/slave DNS server address during the PPP session
setup, AAA supports that RADIUS Access-Accept information contains DNS server
address VSA in order to response the RADIUS log on request from PDSN or HA.
If AAA server contains DNS server IP address VSA, it should include a master DNS
server address and a slave DNS server address.
3.2.6.4 IPSec Attribute Authorization
By applying IPSec protocol in mobile IP, it can provide effective security service for
mobile IP.
AAA support IPSec attribute which authorize to PDSN/HA, and IKE pre-sharing key
distribution function. It receives RADIUS Access-Request message from PDSN, port IKE
pre-sharing key request attribute. The users have rights to use IPSec service, home
AAA server should distribute a key label and IKE pre-sharing key to PDSN by pre-
sharing key and KeyID attribute of RADIUS Access-Accept message. HA should re-
obtain”S” key from home AAA server to generate IKE, the lifecycle of this key can be
configured, it is home RADIUS local strategy, and based on the encryption level of
“S’key.
3.2.7 PMIP Authorization

If simple IP user signed proxy mobile IP, when the terminal access to the network, AAA
server authorizes AGW as terminal to supply MIP services, to make the terminal
requirement simpler. It means the terminal MIP client’s function can be replaced by
PDSN.
PDSN takes PMIP FA functions, provides agent mobile IP service for users using simple
IP terminals, it keeps service continuity when users implement handover between

PDSN/FA, initiate mobile simple IP session instead of MS, sends access request to AAA.
After AAA passes the authentication, it shall authorize user PMIP service attributes
according to subscribed PMIP ability.
3.2.8 IP Accessibility Service

AAA supports IP accessibility service function regulated in 3GPP2 protocol. When MS
accesses to the network (adopting simple IP or mobile IP), if this MS can access itself by
DNS host name, the home AAA of the MS can notify corresponding DNS server to
dynamically update DNS. This function is in compliance DNS updating defined in
RFC2136.
3.3 Accounting
3.3.1 Postpaid Accounting

AAA supports the accounting model based on Subscriber (or the accounting model
based on IP session) and the accounting model based on packet data-flow, supports the
option of the accounting model.
AAA supports for the accounting model based on the flow and the length of the billing.
3.3.2 Prepaid Accounting of Radius Protocol

Packet prepaid function is a packet data service which supports the function of "prepaid,
post-consumed" for users, allows users to pre-purchase a certain amount of services
(the flow or the length of the billing), foots the real-time fee for packet data service of the
mobile users, According to the user's actual account balance, controls the user's data
services to ensure the benefits of operators. The prepaid client sends the requests of the
available quotas to the PPS, and monitors the use of quotas for services control, PPS
Deducts the costs based on the use of services.
AAA supports enhanced 3GPP2 packet prepaid standard. The standard introduces SCP
entity, which uniformly stores prepaid information of user audio, data and other services.
PPS get prepaid account information from SCP by RADIUS interface. In order to simplify
network architecture and convenient for uniform management of users, ZXUN UniA
system supports integral setting mode of AAA and PPS, they adopts RADIUS interface
to get prepaid account information from SCP.
AAA supports CCSA prepaid standard, which is the same as 3GPP2 packet prepaid, the
network includes PPS and SCP entity, prepaid function is fulfilled by PPS/SCP and
PDSN/PPC, HAAA is responsible for authentication and accounting information
transferring between PPS/SCP and PPC.
AAA supports packet prepaid function of fixed network system, there is no PPS and
SCP entity in the network, the prepaid function is fulfilled by HAAA and
PDSN/PPC.HAAA fulfills authorization of RADIUS standard attribute Session-Timeout in
reference to RFC2865）, PDSN is responsible for checking session time, when time is
out, PDSN shall terminate user packet data service.

3.3.3 Prepaid Accounting of Diameter Protocol

AAA supports prepaid of Diameter protocol, it use OCS to finish fee calculation and
quota allocation, the network architecture is as follows:
Radius Diameter
PDSN AAA OCS
PDSN and AAA adopts Radius protocol interactively,OCS adopts Diameter protocol,
AAA can realize conversion from Radius protocol to Diameter protocol.
3.3.4 Content Accounting

HA/CCG equipment initiate access authentication request to HAAA when mobile IP
users access in, they distribute accounting attributes and MDN by HAAA. At the same
time, when user is off-line, HA/CCG sends off-line billing to HAAA by Radius protocol.
AAA supports management of content accounting billing.
3.3.5 CDR Management

AAA supports the format of billing, provides a flexible billing fields, and provides the
billing which shows the attributes of the billing and do not show it. The largest difference
between the two CDRs lies in that the one displaying the attribute name records the
attribute names of the billing attribute fields by the format of "attribute name = attribute
value", so that it is greatly readable and yet occupies much space in the disk due to its
large size, while the other one concealing the attribute name outputs the attribute names
of each billing field in the order of the configured coding to save disk space.
The billings are generated in the HAAA, at the same time as the visited AAA. AAA can
also generate the billings according to the configuration.
AAA supports the function which backups the original billing, and supports for two ways
which are database backup and file backup.
AAA supports for NAI billing methods, for those multiple IMSI use the same access to a
private account, it can implement billing according to private account.
AAA supports for the billing methods based on IMSI, and carries out on each MS billing.
AAA sends the billings to the billing center through the FTP interface
3.4 Agent Forward

AAA supports agent forward function for authentication, billing and other dynamic
authorization information.

3.4.1 Choose Route Agent Based on Realm

Users can choose routing agent based on realm by carrying realm information in User-
Name, e.g. NAI@Realm.
While performing as agent, AAA chooses routing based on the realm information in
RADIUS attributes User-Name. The corresponding routing information of realm can be
pre-configured in AAA.
3.4.2 Choose Route Agent Based on IMSI Prefix

Domain information of user’s home location can be analyzed by IMSI to realize agent
forward of authentication and accounting requests.
In Radius request, RADIUS attributes User-Name does not include realm information,
when AAA implements agent forward, it can select router forward according to IMSI
information ported by RADIUS attribute Calling-Station-ID. The corresponding router
configuration information to IMSI prefix can be pre-configured in AAA OMC.
3.4.3 Default Routing

When AAA can’t select routers, it can forward authentication and accounting information
to local default router server for processing.
3.4.4 Routing Agent for Dynamic Authorization Messages

AAA in CDMA1x/EVDO network supports routing agent functionalities to Disconnect
dynamic authorization (refer to RFC3576). When PDSN receives Disconnect Request,
the user session release process will start.
AAA can implement agent forward this dynamic authorization to next destination
according to NAS in the dynamic authorization information.
3.5 Expansion Function
3.5.1 State Test of Adjacent Node
AAA must transmit message to the adjacent nodes which include OCS、PPS/SCP、
WAP gateway and the other AAA.
AAA could provide the following function while testing the adjacent node:
1 Testing the state of OCS, PPS/SCP, WAP gateway, other AAA and raise the
warning timely.
2 When transmitting a message, the transmitted message will switch automatically

between the main node and the backup when some abnormal situation occurred.

3 Link and services will be resumed automatically when the status of adjacent node is
recovered.
3.5.2 WAP User Access

AAA supports WAP user access function, the Network Management Center (NMC)
configures whether a public account belongs to a WAP user or not. When a WAP user
accesses on line, an accounting-start message is sent out from PDSN to AAA, and
transmitted from AAA to WAP gateway which judges user on line by the accounting-start
message received and registers relation of user IP address and IMSI. WAP gateway
judges the user as off line when receiving accounting-finish message from AAA.
3.5.3 Multi-WAP Gateway Access

AAA achieves load balance by transmitting accounting-start messages to one of them
according to some rule, considering Multi-WAP gateways may be disposed.
After receiving PDSN accounting-start message, AAA transmits the message to the
corresponding WAP gateway according to user’s MDN number analysis and configures
relation of WAP gateway address and MDN number analysis
3.5.4 Different WAP Gateway Sharing IP Address

There may exists two sets of WAP gateway(new and old) simultaneously, and sharing
one IP address, AAA sets different source IP address for two WAP gateway, and
implement different forwarding by external router or local router strategy.
When different WAP gateway use the same IP address, AAA can select the right WAP
gateway to forward accounting information according to user MDN attribute, and send
information by corresponding source IP address.
3.5.5 1x/EVDO Access Control

AAA supports 1X/V-DO access control, the type includes: 1x access, EVDO access,
1X&EV-DO access, the accounting rate is different for different access control for users.
1x/EV-DO access control mode includes:
1 AAA can restrict the access type of account ( both public and private).
2 Based on Realm L2TP VPN control, AAA can restrict L2TP VPN access according
to L2TP user’s subscription attributes as Visited AAA and Home AAA.
3.5.6 Access to Multi-PPS/SCP

Home location may allocate multi-PPS/SCP; AAA should transfer the accounting
information to one of them according to some strategy to realize load sharing.

AAA transfers the user MDN analysis in accounting information to home PPS/SCP for
pre-paid requests and processing, when pre-paid users accessing for authentication and
authorization, corresponding relation between PPS/SCP and MDN is configured in AAA.
3.5.7 LNS IP Address Mapping

The operators can allocate two sets of AAA, such as in the swapping process, the new
and old AAA can be coexists in order to realize smooth transition.
AAA supports LNS IP address replace control when forwarding Access Accept, and
replace new IP address of old one.
3.5.8 LNS Redundancy and Load Sharing

AAA supports LNS redundancy+ load sharing, it can flexibly allocate VPN domain name
corresponding to multi-LNS and to active/standby LNS IP, when AAA implements
authentication and authorization, and it distributes LNS IP address according to polling,
which includes applying active/standby LNS IP address to realize LNS redundancy+
load sharing.
3.5.9 DM Dynamic Management

AAA supports initiating Disconnect dynamic authorization and agent forward function.
System sends Disconnect Message in order to disconnect user on line and release
resource, for the sake of avoiding user arrearage and lawless possession of resource.
Disconnect Message trigger modes:
1 AAA sends Disconnect Message in terms of BOSS handling.
2 Agent forwards Disconnect Message from prepaid system.
3.5.10 User Online Session Management

AAA supports NAI maximum limitation of simultaneous sessions. When a station
requests to access, AAA checks the number of current NAI on-line stations. If the
number arrives at the maximum limitation supported, AAA refuses the request.
Therefore, AAA registers user on-line information when a user accesses, updates
parameters when receives accounting-start message or update request and deletes
session information in register upon receiving accounting-stop message.
3.5.11 Automatic Binding between NAI and IMSI

When a user purchases a card, he can access to the network by using different IMSI
and NAI (user name/password).
AAA supports automatic binding between NAI and IMSI. When accessing for
authentication, if the terminals input correct user name and password and the number of

binding IMSI does not exceeds designated number, the binding relation will be
automatically established and allowing access.
3.5.12 Binding Restriction of IMSI Number with NAI

For NAI, AAA can restrict the binding number of IMSI( NAI may not need to bind IMSI, it
can restrict the number). By doing this, AAA can provide flexible NAI management
function.
3.5.13 Many-to-many Binding of IMSI and VPN

AAA supports many-to-many binding of IMSI and VPN based on VPDN service.
AAA can restrict IMSI scope of some VPN, and its accessible VPN scope.
VPN user access authentication, after HAAA receives access request, it shall authorize
corresponding VPN attributes according to the binding VPN domain information.
3.5.14 Temporary Account

AAA supports temporary accounts by using NAI valid accounts. The valid date will be
initialed since the accounts have been activated (active moment is the moment the
accounts log on for the first time and authenticate successfully). The expiry time can be
configured. After the expiry time, the accounts will be locked and refused.
3.5.15 Period Access Control

AAA can limit the user access to the system based on time period. So the network
resource can be utilized economically.
A day can be divided into several periods, and defined as access allow and access
reject period. When user tries to connect to the network at the access reject period, AAA
rejects the user directly. When the user connects to the network at the access allow
period, AAA allows access and authorizes the expiry time, also apprizes NAS user about
the maximum time of conversation.
3.5.16 User Lock

If a user has arrears or refuses user access to the network, user locking is applied.
AAA server can support user lock function in order to reject user access, the lock mode
includes:
1 Account lock: that is NAI lock. It refuses terminals to use this NAI account to access
the network;
2 IMSI lock: AAA refuses designated IMSI to access the system;

3 Association lock between account and IMSI: it refuses designated IMSI to use
designated account to access the network.
3.5.17 IPV6 and IPV4 Dual-stack

AAA supports IPV4 and IPV6 dual-stack, and supports terminals use IPV4 and IPV6
access.
If the access requests includes specific attributes or VSA of IPv4 and IPv6, AAA shall
authorize Ipv4 or Ipv6 attributes according to user subscription situation, such as
Framed-Interface-Id，Framed-IPv6-Prefix and etc.
For IPv6 reachable support, home AAA requests DNS server to generate or delete
resource record for IPv4 and IPv6.
3.5.18 BCMCS Service Authorization, Authentication and Accounting

AAA supports BCMCS registered session information requests, HTTP information
abstract authentication algorithm, authorize related service attributes of BCMCS, and the
CDR files include CMCS information.
3.6 Acceptance
3.6.1 Acceptance Table
3.6.1.1 Acceptance Rights Control
The maintenance and management of user information needs authority control, defines
different level of authority operator to guarantee the safety of the user information. For
example, if a user loses the password, only the operator who owns the authority can
reset the password.
AAA can configure different authority for different operators, so that it can control the
operator to open an account、account cancel、enquiry and password reset.
3.6.1.2 User Information Maintenance
AAA provides a user friendly interface to make the operations easier, such as opening
and canceling accounts and making quires. So that user’s information can be
managed and maintained.
Main process: IMSI adding, IMSI modification, IMSI deleting, individual/batch enquiry of
IMSI, AAA_NAI adding, AAA_NAI modification, AAA_NAI deleting, AAA_NAI rename,
the relationship between IMSI and AAA_NAI, AAA_NAI enquiry, set up user password,
IMSI card replacement, IMSI number changing, user password reset and NAI misty
enquiry and so on.

3.6.1.3 Batch Process
AAA supports open account、cancel account and update user information in batch to
give a simple 、 reliable and high efficiency management and maintenance. Batch
process includes text format and continue number.
Text format batch process has detailed record, according to the record; the failure
reason of process can be analyzed. Based on that, a remediation can be given out in
time. Main operation of text batch process: batch addition、batch modification and batch
deletion.
3.6.2 BOSS Interface Acceptance

AAA provides open interface to make BOSS subsystem access AAA. It can implement
subscription, modification and query for all user services
3.7 Lawful Interception

AAA supports the interfaces of X1 and X2, AAA also supports the operations of
enactment, modification and deletion to the target, meanwhile it reports user event to
LIC.
3.8 Abnormality Handle Mechanism

Abnormality handling of AAA server is described as follows：
1 AAA adopts the mode of two small devices or one PC server and one disk array.
Normally one server works on duty, the other is standby but need to monitor server
on duty. When the server on duty goes wrong with some mistakes, the standby
sever must relay as the server on duty.
2 Because AAA supports distributed authentication and accounting, the function of

authentication, authorization and accounting can work at different service point,
AAA server forwards the accounting messages to accounting server handle after it
receives them, if some abnormality happens, Accounting server will not save the
message of accounting for a while until the abnormality is solved. So information of
CDR will not be lost with this mechanism.
3 AAA supports the function of original CDR files backup, meanwhile it supports two
optional modes of database backup and files backup.
4 AAA can collect the alarm information, such as the disk space full and so on.
5 AAA adds the watchdog process which is used for monitoring all service processes
and greatly enhances the system reliability. Meantime, when master process drops
with abnormal reason, the watchdog process will resume to work and restart the
service process.
6 The batch of file disposal function of AAA, logs the unsuccessful acceptance
records. It can restart to handle with failure record.

4 AN-AAA Function Introduction
4.1 Data Fusion
4.1.1 Visited AN-AAA/Broker AN-AAA /Home AN-AAA
ZXUN UniA system supports as Visited AN-AAA、Broker AN-AAA and Home AN-AAA;
As Visited AN-AAA（ visited AN-AAA or server AN-AAA） , it receives AN Radius

information, and transmits the massage to home network according to the agent
forwarding strategy.
As a Broker AAA, it receives and forwards AAA Radius massages from other AN-AAAs,
generally, multi-AN-AAA share one Broker AN-AAA to implement the interaction among
areas and networks.
As Home AN-AAA（home AN-AAA, it processes the authentication, authorization when

users access in.
4.1.2 AN-AAA and AAA Database Fusion

It provides uniform user information management and operation maintenance, it works
as a logical functional entity to fulfill access network authentication and IP authentication,
which can reduce investment.
AAA and AN-AAA can be separated or integrated when distributing with flexible
networking mode.
4.2 Authentication and Authorization
4.2.1 User Authentication Algorithm

AN-AAA supports CHAP authentication algorithm based on MD5.
AN-AAA supports CHAP authentication algorithm based on CAVE.
For CHAP authentication, key information does not need to be sent in communication
channel, and the information is different for each time, which can effectively avoid
interception attack.
The current CDAM2000 1x R-UIM card only supports CAVE algorithm, in order to
ensure the mixed terminal users use traditional CDMA2000 1x R-UIM card can access
to 1x EV-DO network, 3GPP2 regulation put forward CHAP authentication based on
CAVE algorithm, here AN-AAA should support CAVE authentication algorithm. CAVE
authentication adds interaction with HLR/AC to fulfill authentication for HRPD terminal
equipment in CHAP authentication flow.

4.2.2 User Free-of-Authentication

AN-AAA supports free-of-authentication account, when AT uses free-of-account account
to access to network, AN-AAA does not verify the password, and the authentication shall
be passed if the account exists.
4.2.3 Hardware Authentication

According to operator’s configuration strategy, if the system adopts Hardware
authentication, when AN-AAA implements access authentication, it needs to verify AT
MEID or ESN in the requests.
If users perform Hardware authentication, the access request should port with Hardware
ID（ESN/MEID）,AN-AAA verify whether the hardware ID is in accordance with local
database, if yes, it will performs the following CHAP authentication, otherwise refuse
access in.
4.2.4 CAVE Authenticaiton Based on pESN

The number of 32 bits ESN is limited; CAVE authentication needs to use MEID.
When implementing HRPD access authentication, if the user only stores MEID, and the
users needs to be CAVE authenticated, AN-AAA supports change MEID to pESN
（spurious ESN） and sends to HLR for authentication.
4.2.5 MNID Authorization
The information interface of wireless and network sides needs MNID（Mobile Node
Identification）, when AN-AAA finishes authentication, it should return AT MNID to AN.
When AN-AAA supports HRPD access authentication, it can authorize terminal MNID. In
AN-AAA system, IMSI works as MN ID.
4.2.6 Profile Authorization

AN-AAA can configure users’ Profile information according to different kinds of users.
After users accessing in, AN-AAA sends Profile information to AN, AN shall control the
access according to the Profile information.
AN-AAA users belongs to service group, each group is corresponding to one Profile
module, Profile module can pre-set authorized service attributes, when users passes
access authentication, AN-AAA can authorize users’ corresponding Profile to AN.
4.2.7 Customized Attribute Authentication

Customized Attribute Authentication allows providers to support non-normally employed
attribute extension and provide proprietary service.

Employing the configuration function of network management system, AAA is capable of

customizing what kind of VSA shall be adopted to carry and distribute service attribute.
In other words, Attributes like Vendor-ID, Vendor-Type and Vendor-Value of VSA can be
customized dynamically according to different requirements.
4.3 Agent Forward Function

AN-AAA supports agent forward function for authentication.
4.3.1 Choose RouteAgent Based on Realm

Users can choose routing agent based on realm by carrying realm information in User-
Name, e.g. NAI@Realm.
While performing as agent, AN-AAA chooses routing based on the realm information in
RADIUS attributes User-Name. The corresponding routing information of realm can be
pre-configured in AN-AAA.
4.3.2 Choose Route Agent Based on IMSI Prefix

Domain information of user’s home location can be analyzed by IMSI to realize agent
forward of authentication and accounting requests.
In Radius request, RADIUS attributes User-Name does not include realm information,
when AN-AAA implements agent forward, it can select router forward according to IMSI
information ported by RADIUS attribute Calling-Station-ID. The corresponding router
configuration information to IMSI prefix can be pre-configured in AN-AAA OMC.
4.3.3 Default Routing

When AN-AAA can not choose routing, it is possible to transmit authentication
information to local default routing agent for processing.
4.4 Expansion Function
4.4.1 User Lock

User lock is performed when needs to restrict users access in AN.
AN-AAA support manually lock user account. When account is locked, AN-AAA shall
refuse access in for authentication, and will not authorize. The account lock and unlock
should be handled by acceptance table or manually by accounting interface.

4.4.2 Refuse Access In Permanently

The account will be locked when users input the wrong password to the threshold, and
refuses the following access. The locked accounts should be unlocked by acceptance
table and manually by BOSS interface.
4.4.3 CAVE Authentication Synchronize Counter

For the first authentication of users, if the download time of SSD from HLR/AC reaches
some value（ that is synchronize Counter）, if it needs re-CAVE authentication, the
SSD should be synchronized to ensure SSD stored in local AN-AAA is in accordance
with that in HLR.
4.4.4 Roaming Restriction

AN-AAA supports roaming restriction of EVDO users. When users roaming outside, if
they subscribed roaming restriction, home AN-AAA shall refuse terminals access in.
5 Interfaces and Communication
5.1 Physical Interfaces

AAA/AN-AAA provides the following standard interfaces:
• E1 interface
• 100Base-TX/1000Base-TX interface
5.2 Logic Interfaces

ZXUN UniA has the following interfaces:
5.2.1 Interface between AAA and PDSN/HA/AAA/WAP Gateway

AAA adopts RADIUS interface defined by GPP2 X.S0011-D, rfc2865, rfc2866, rfc2868
and rfc2869.
The protocol models of interfaces between AAA and PDSN/HA/AAA/WAP gateway is

shown in Figure 2:

Figure 2 Protocol Models of Interface between AAA and PDSN/HA/AAA/WAP Gateway
5.2.2 Interface between AAA and OCS

Interface between AAA and OCS follows China Telecom packet pre-paid interface
regulation.
Protocol models of interfaces between AAA and OCS is shown in Figure 3:
Figure 3 Protocol Models of Interfaces between AAA and OCS
5.2.3 Interface between AAA and PPS/SCP

Interface between AAA and PPS/SCP is compliant with Packet Pre-paid Interface
Regulation defined by 3GPP2.
Protocol models of interfaces between AAA and PPS/SCP is shown in Figure 4:
Figure 4 Protocol Models of Interfaces between AAA and PPS/SCP
5.2.4 Interface between AAA and Accounting Center

Interface between AAA and Billing Center adopts FTP interface.

5.2.5 Interface between AAA and ISPP

Interface between AAA and OCS follows China Telecom ISPP Interface Regulation.
ISPP communicate with AAA network element equipment thought NPI interface protocol
which is based on HTTP / SOAP message. SOAP request and reply through the
synchronization mode. XML is used for the semantic description of the protocol. ISPP
send SOAP request to the AAA network element equipment, the network element
equipment respond to the ISPP after the completion of operation corresponding.
5.2.6 Interface between AAA and LIC

Lawful interception Interface between AAA and LIC follows China interception Standard
X1、X2 regulations.
X1 and X2 interfaces adopt TCP/IP protocol, the stack is: TCP/IP ISO/IEC 802.2,
ISO/IEC 802.3, and adopts ASN.1 standard to decode and coe packet.
The interface protocol model between AAA and LIC is shown in Figure 5:
LI Protocol LI Protocol
TCP TCP
IP IP
Link Layer Link Layer
PL PL
AAA LIC
Figure 5 Interface Protocol Model between AAA and LIC
5.2.7 Interface between AN-AAA and AN

Interface between AN-AAA and AN adopts 3GPP2 A.S0008, CCSA YD/T 1579-2007,
and RADIUS interface defined by rfc2865 and rfc2868.
The interface protocol model between AN-AAA and AN is shown in Figure 6:
Figure 6 Interface Protocol Model between AN-AAA and AN

5.2.8 Interface between AN-AAA and HLR

Interface between AN-AAA and HLR adopts MAP interface defined by 3GPP2
The interface protocol model between AN-AAA SS7 front PC and HLR is shown in
Figure 7
MAP MAP
TM TM
Support
TCAP TCAP
SCCP SCCP
TCP
MTP 3 MTP 3
MTP 2 MTP 2
IP
MTP 1 MTP 1
AN -AAA
HLR
SS7 Front PC
Figure 7 Interface Protocol Model between AN-AAA SS7 Front PC and HLR
5.2.9 Interface between AN-AAA and ISPP

Interface between AAA and ISPP follows China Telecom defined ISPP Interface
Specification. ISPP communicate with AN-AAA network element equipment by NPI
interface protocol which is based on HTTP / SOAP message. SOAP request and reply
through the synchronization mode. XML is used for the semantic description of the
protocol. ISPP send SOAP request to the AN-AAA network element equipment, the
network element equipment respond to the ISPP after the completion of operation
corresponding.
6 System Architecture
AAA/AN-AAA system adopts RADIUS protocol based on IP standard to communicate
with customer terminals, it supports large database(MSSQL, ORACLE）, and can be
operated in many kinds of operating system platforms（Windows, SOLARIS）. System
adopts some design which is capable of excellent expansibility and portability.
AAA/AN-AAA server can be applied in authentication, authorization and accounting of

many IP access (CDMA,WLAN,WiMAX,WCDMA,fixed network) , which provides uniform
network access data management platform.
6.1 Hardware Architecture

AAA/AN-AAA hardware architecture is shown in Figure 8:

PDSN&HA
&OCS&PPS/SCP ISPP/BOSS
&BNAS&AGW&GGSN &BillingCenter
&Wap GW &EMS
HLR/AC
IP Network
Router
firewall
E1
Switch
Switch
Accounti Accounti
Radius Radius AAA AAA AAA AAA Alarm
SS7 ng ng
Front Server Server Server Server Agent OMM OMM DBIO box
PC 1 2 1 2 Client Server Client &BOSS
Interface
Disk array Disk array
Figure 8 AAA Hardware Architecture
Hardware architecture of AAA system consists of the following parts
1 Radius Server
Radius Server adopts dual-computer+array to perform RADIUS process, process

authentication and accounting information, support transfer function. It also adopts
commercial datbase to store subscription and service buffer information, Disk Array is
used for commercial database physical storage.
Radius Server adopts two minicomputer or PC server and one disk array mode. One
server is for active (host), the other is standby( reserve), the reserve one is always
monitoring the operating status of host, once there is something wrong, it will take over
and work as host.
2 Accounting Server
Accounting server adopts dual-computer+array to process CDR process. Disk array

stores users’ accounting CDR information and etc. Accounting Server supports CDR
output and backup for CDR file and database mode, when it only works as AN-AAA,
there’s no Accounting Server.
Two PC servers (minicomputer) and one disk array mode. One server is for active (host),
the other is standby( reserve), the reserve one is always monitoring the operating status
of host, once there is something wrong, it will take over and work as host.
Accounting Server and AAA Server can be worked as one server.
3 AAA Agent Client
AAA local client terminal (acceptance table) processes local service. The hardware
adopts PC compatible computer, it provides local users management.
4 AAA OMM Server

AAA OMM system provides operation and maintenance service, which includes fault
and configuration management, performance statistics, signaling tracing, log
management and network management interface and etc.
5 AAA OMM Client
AAA OMM Client fulfilles locla network maangement client terminal acceptance and
operation.
6 AAA DBIO&BOSS Interface
It fulfills AAA acceptance and database access function, it also provides connection with
BOSS system to realize remote acceptance. The accounting interface server adopts PC
server to provide accounting interface for remote service acceptance in the business hall.
7 SS7 Front PC
SS7 front PC fulfills interaction between AN-AAA and HLR/AC. Suppose HRPD
accesses to the network, when terminal use CAVE authentication, it needs AN-AAA to
acquire authentication vector from HLR/AC.
8 Alarm box
Audible and visual alarm.
6.2 Software Architecture

AAA software architecture is shown in Figure 9:
Watchdog O&M sub- Agent sub-

sub-system system system
PDSN&AN&HA
RADIUS RADIUS BOSS
&GGSN&AGW Database sub- MML
service sub- interface BOSS
&Wap Gate system
system sub-system
&PPS/SCP
SS7 Interception CDR handle

Front PC sub-system sub-system
LI
SS7
interf FTP
ace
HLR/AC LIC Billing Ceneter
Figure 9 AAA Software Architecture
AAA/AN-AAA system is composed of RADIUS, database, interception, CDR handling,

BOSS interface, Watchdog, agent, O&M and SS7 sub-systems.
1 RADIUS Service Sub-system
It provides AAA for users and agent. For packet pre-paid service, RADIUS service sub-
system interacts with OCS or PPS/SCP to get users’ packet pre-paid account
information.

2 Database Sub-system
It includes: users service subscription data, backup accounting CDR database (optional)
and OMM database. The three databases can be worked as one or separated.
3 Interception Sub-system
It is responsible for target AAA set, modify and delete for LIC, and reports events to LIC.
4 CDR Handling Sub-system
It interacts with RADIUS service sub-system, collects RADIUS accounting information,

generate CDR, backup CDR files and primary accounting information to database timely
according to the requirements, and process the out-of-data CDR backup files and
database backup information.
It provides FTP server for accounting center and supports acquiring accounting CDR
files.
5 BOSS Interface Sub-system
It provides corresponding MML instruction interface for remote service acceptance in

BOSS system.
6 Watchdog Service Sub-system
It monitors the running status of AAA services. Once it detects an abnormality, it handles
the abnormality and restarts the faulty subsystem according to requirement
7 Agent Sub-system
It provides GUI interface to realize basic packet service management. It has R&W
interface with database sub-system, and delete, change users subscription information
according to GUI interface or BOSS interface instructions.
8 Operation and Maintenance Sub-System
It implements the foreground operation and maintenance of AAA. It cooperates with

background OMC to manage AAA server, including attribute, security association,
number analysis, multi-IPS access and other basic system configuration and
management functions as well as alarm management, performance management,
service analysisand other functions.
9 SS7 Front PC
SS7 front PC fulfills interaction between AN-AAA and HLR/AC. Suppose HRPD
accesses to the network, when terminal use CAVE authentication, it needs AN-AAA to
acquire authentication vector from HLR/AC.

7 System Security and Reliability
7.1 Redundancy Mechanism

ZXUN UniA server node supports redundancy mechanism, two-node cluster hot backup
networking further ensures the system reliability through the disk array and cluster
software. The key hardware adopts dual-backup, load sharing and equalization
mechanism to ensure there’s no single-point fault.
7.2 Dual-network Dual-plane Networking

It adopts networking backup system to enhance system reliability.
7.3 Automatic Monitoring Process

The software design increases watchdog to monitor services process, which can highly
enhance system reliability. When main process quits abnormally, watchdog will
automatically modify it and restart the service process.
7.4 Overload Control

It supports flexible overload control, which includes:
1 It supports control the number of access information by CPU load status, when
system CPU exceeds threshold, it shall dispose some information, the load
threshold of CPU can be configured in AAA/AN-AAA;
2 It supports overload control according to number of information, and disposes some

part of concurrent information which exceeds threshold.
It ensures smooth operating by CPU load control and concurrent information control.
7.5 Security Management

Security management module is applied to ensure legal use of system.
It includes user management, role management, security verification and strategy

management; they can ensure legal use of system. Security management realize
management of users and roles, it provides operator rights management by creating
better relations between users and roles.

8 Technical Indices and Regulations
8.1 Capacity Indices

Maximum number of users (single node): 10,000,000
Maximum supported Multi-nodes by AAA: 100,000,000,000
8.2 Performance Indices

1 Requests number for simultaneous processing
AAA can process RADIUS message requests number: 5000/S.
It refers to the number of request that AAA can process in unit time(1s). The
authentication number is associated with hardware and software.
2 Authentication time
The time for AAA to process authentication is less than 50ms.
It’s a kind of performance indices to evaluate AAA authentication. It refers after RADIUS
receives authentication request, the time from processing request to send authentication
answer. The time is also related with hardware and software.
8.3 Electricity Indices
8.3.1 Server Rack Indice
Table 2 Server Rack Indices

Indices Value
Size 19", interior maximum space:42U
Dimension(H×W×
2000 mm×600 mm×1000 mm
D)
weight ≤ 350 kg ( single rack full configuration)
underground weight
＞ 450 kg/m2
capacity requirement
AC220 V±10%，50Hz±5%
Power supply -48 VDC, -57 V~ -40 V
( or configure according to actual power supply )

Typical power consumption<2000 W ( take Sun

Netra440 dual-computer+ array ST6140A as an
Power consumption
example, Sun Netra single power consumption:570,
array Storage Tek 6140A power consumption:427)
8.3.2 Alarm Box Indices
Table 3 Alarm Box Indices

Indices value
Size(H×W×D) 220 mm×309 mm×56 mm
weight 2 kg
Power Supply -48 VDC:-57 V~ -40 V
Power Consumption 20 W
8.4 Working Environment
Table 4 Temperature and Humidity

Equipment Type Temperature Comparative Humidity
long-term working Short-term working long-term working Short-term
condition condition condition working condition
PDSS A100 0 ℃～40 ℃ -5 ℃～45 ℃ 20％～90％ 5％～95％
Note 1. The measured points for the working temperature and humidity in the equipment
room refer to the points 0.4 m in front of the equipment and 1.5m above the floor.
Note 2. The short-term working conditions mean that the continuous operating period
does not exceed 48 hours and the accumulative total period within a year does not
exceed 15 days.
8.5 Environmental Indices
8.5.1 Cleanliness Requirement

The concentration of dust with particle diameter larger than 5μm: ≤3×104/M3
8.5.2 Lighting Requirement

Install incandescent lamps or emergency lighting devices at appropriate positions
between racks to give lighting for equipment installation and maintenance. But the

equipment shall not be exposed to the lamplight or direct sunlight for a long time to avoid
aging or deformation of circuit boards and components as a result of the ultra-high
temperature caused by the lighting
It is recommended to install colored glass to the windows with non-light-color and

opaque curtains.
The fluorescent lamps should be embedded in the ceiling with the average illumination
of 150 lx–200 lx as the main lighting devices
8.5.3 Barometric Pressure Reqirement

No special requirements.
8.5.4 Air Requirement

There’s no dust that is explosive, conductive, magnetic and corrosive, and no gas that
can corrode metal and disturbing the insulation.
8.5.5 Fire Control Requirement

The equipment room should be meet the requirement of fire control regulations, and be
equipped with regulated appliances and leave enough fire passage, and hang “key unit
of firefighting” sign in some places.
Inflammable and explosive dangerous goods is forbidden to be stored in machine room

and auxiliary computer room, and there should put up some notices, like “ no smoking”, “NO Open
Flames “. The effective fire-fighting equipment should be equipped and place in the position
easy to get, and install effective Fire water facilities in appropriate places.
The fire water store should ensure two hours, but the feed pipe ( drainpipe, storm sewer)
should not cross the equipment room, and fire hydrant should not be set in it.
There should install some alarm device for smoke and high temperature, and check it
frequently.
8.5.6 Shockproof Requirement

The shockproof should design one degree higher than basic local construction
regulation. The equipment room which does not meet the requirements should be
strengthened. The equipment room shall be able to withstand a magnitude 7 earthquake
8.5.7 Lightning Protection Requirement

The equipment room or auxiliary facilities, such as chimney, antenna, water tower and
some other higher than 15m should take some effective lightning protection measures in
accordance with the requirements of buildings and structures Ⅱ.

The lightning protection design should include anti-lightning strike and anti-lightning
incoming. The high-rise building should take some anti-side stroke measures.
The side stroke is very common in the area full of thunders. The design should adopt
some effective protection measures.
8.5.8 Anti-Electromagnetic Radiation Requirement

The equipment room shall stay away from the high-power radio transmitter, radar
transmitter, and high-frequency large-current device. The actual radiation energy to
which the equipment room is exposed shall be below 300 mV/m, and the magnetic field
intensity around the equipment room shall be less than 11 GS
8.5.9 Antistatic Requirement

The static influences and harms a lot to equipment. It shall cause intermittent defect or
performance reduction, software fault, and make electronic switch and control circuit
malfunction, even disoperation.
The static induction comes from:
• Outdoor high tension transmission line, lightning etc.
• Indoor environment, ground material and machine's structure.
• Static brought by the operator will put on the equipment.
In order to effectively eliminate damages brought by static, following measures can be

done:
• Good ground connection.
• Lay anti-static floor and well-grounded.
• The operator should wear wrist strap, and it should be connected with Electrostatic
discharge hole in the rack.
8.6 Reliability Indices

System availability≥99.99964%（=MTBF/（MTBF+MTTR））
MTBF> 120000 hours
MTTR<30 mins.

9 Operation and Maintenance

It provides management of performance faults, version, configuration, performance
statistics. signaling tracing, failure observation and log.
9.1 Fault Management

1 Front alarm and fault diagnosis
2 Back alarm
3 Failure observation
9.2 Configuration Management

1 Support command line configuration mode, and script files, it provides batch orders
processing function.
2 Support Chinese-English interface configuration mode.
3 User rights management
AAA can authorize different rights to different groups of users. Super-user can modify
rights of ordinary users.
4 Backup of configuration data and roll back of fault.
9.3 Statistics Function

1 Statistic of AAA front.
2 Provide statistic information of acceptance.
3 Flux/ occupancy rate of resources / load statistics
9.4 Signaling Tracing

It provides signaling tracing of RADIUS protocol layer. AAA RADIUS protocol layer
realize OMC signaling tracing interface, support tracing for single IMSI, NAI and all the
users.
9.5 Log Management

AAA is capable of log function, which can record operation status of current equipment,
includes configuration, system fault alarm log and etc, as well as browse, copy and
delete functions.

9.6 Network Management Interfaces

1 North Interface(CORBA interface)
It is connected with superior Network management interface.
2 SNMP Interface
9.7 Security Management

The security management modules ensure legal use of system.
It consists of user management, role management, security validation and security

strategy. It realizes management of user and role, and provides operator rights
management.
9.7.1 User Management

It is an important part of security management, which provides user add/delete and user
attribute inquiry/modify.
The rights is pre-setted according to different ID of users, they are separated into system
administrator and ordinary users according to ID. System administrator has absolute
rights, they can do anything except modify user name and role name; the system
administrator can not be locked and log in without IP address restriction. The ordinary
users can only inquire own information or modify own passwords.
9.7.2 Role Management

Role represents a set of specific rights (IP scope, command code, management object),
system administrator can dynamically create, delete, inquire and modify roles, forms
new right set to allocate to users.
9.7.3 Authentication and Authorization

It realizes security control by log-in authentication to prevent illegal users to access to
some O&M functions.
In order to control operations of users, it can provide corresponding interfaces to support

authentication for OMS and other functional modules.
Please see the detailed description:
1 Log-in
It should valify user information, such as password, user name, operation period and
restrict or lock some users for accessing.
2 Security authentication

It is used to check whether the users should be capable of some operating rights.
After inputting user ID, orders and operation object parameters, it can check whether the
users can have these rights.
9.7.4 Security Strategy Management

It can customize user account rules and inquire command set information for NE.
1 View command set
System has already divided command type according to NE service function type and
operating mode, after users select target NE type and one command type of this NE,
they can view all commands belongs to this command, it is open to all the users.
2 Customized user accounts rules
It includes following functions: set password length and period of validity , whether to
lock/unlock account or not/unlock rules, allow system administrator to customize user
account rule.

10 Abbreviation
Table 5 Abbreviation
Abbreviation Full Name

3G The third generation mobile communications
3GPP2 3rd Generation partenership Project 2
AAA Authentication, Authorization and Accounting
ACK Acknowledgement
AGW Access Gateway
AH Authentication Header
ATM Asynchronous Transfer Mode
BAK Broadcast Access Key
BCSN Backplane of Circuit Switch Network
BCMCS Broadcast and Multicast Service
BCTC Backplane of Control Center
BNAS Broadband Network Access Server
BOSS Business and Operation Support System
BPSN Backplane of Packet Switch Network
BS Base Station
BSC Base Station Controller
BSID Base station identifier
BSN Broadcast Serving Node
BSS Base Station Subsystem
BTS Base Transceiver Station
BUSN Backplane of Universal Switch Network
CCG Content Charging Gateway
CDMA Code Division Multiple Address
CDMA2000-1X CDMA2000 Phase One
CHAP Challenge Handshake Authentication Protocol
CHUB Control HUB
CLKD CLOCK Distributor
CLKG CLOCK Generator
CM Configuration Management
COA Care Of Address
CPLD Complex Programmable Logic Device
DB Database
DBA Database Agent
DBIO Database Input & Output
DBS Database Subsystem


DHCP Dynamic Host Configuration Protocol
DRC Data Rate Control
EAP Extensible Authentication Protocol
EAP-AKA EAP Authentication and Key Agreement to be used with USIM
EAP-MD5 EAP message-digestalgorithm5
EAP-TLS EAP with TLS
EAP-TTLS EAP with TTLS
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
EMS Element Management System
ESN Electronic Serial Number
FA Foreign Agent
FE Fast Ethernet
FTP File Transfer Protocol
GE Giga Ethernet
GLI GE Line Interface
GPRS General Packet Radio Service
GGSN Gateway GPRS Supporting Node
GRE Generic Routing Encapsulation
HA Home Agent
HLR Home Location Register
HSS Home Subscriber Server
ICMP Internet Control Message Protocol
IETF Internet Engineering Task Force
IGPS Interface Ge of PDSS
IKE Internet Key Exchange
IMSI International Mobile Subscriber Identity
IPCP IP Control Protocol
IPSec IP Security
Ipv6 IP Version 6
IRM International Roaming MIN
ISDN Integrated Services Digital Network
ISMP Integrated Services Management Platform
iSPP Integrated Service Provisioning Platform
ISP Internet Server Provider
ISAKMP Internet Security Association and Key Management Protocol
L2TP Layer2 Tunnel Protocol
LAC L2TP Access Concentrator


LAN Local Area Network
LCP Link Control Protocol
LNS L2TP Network Server
MAP Mobile Application Part
MDN Mobile Directory Number
MEID Mobile Equipment Identification
MIP Mobile IP
MPB Main Processing Board
MS Mobile Station
MSID Mobile Station Identifier
NAI Network Access Identifier
NCP Network Control Protocol
NE Network Element
NGN Next Generation Network
NMC Network Management Center
NMS Network Management Subsystem
NPI Network Provisioning Interface
OCS Online Charging System
OMC Operations & Maintenance Center
OMM Operation Maintenance Module
PAP Password Authentication Protocol
PCF Packet Control Function
PDN Packet Data Network
PDSN Packet Data Serving Node
PDSS Packet Data Switching System
pESN Pseudo Electronic Serial Number
POMP PDSS Operation and Maintenance Processing board
PPC Prepaid Client
PPP Point to Point Protocol
PPS Prepaid Server
PPSN PDSS Packet Switching Network board
PPTP PPP Tunnel Protocol
PSI PCF Session Identity
PSMP PDSS Service Main Processing board
PSN Packet Switch Network
PSPDN Packet Switched Public Data Network
PUIM PDSS Universal Interface Module
QoS Quality of Service


RADIUS Remote Authentication Dial In User Service
RSVP resource Reservation Protocol
SCP Service Control Point
SNMP Simple Network Management Protocol
SO Service Option
SOAP Simple Object Access Protocol
SPI Service Provisioning Interface
TCP Transfer Control Protocol
TOS Type Of Service
UAM Universal Access Method
UDP User Datagram Protocol
UDR Usage Data Record
URPM PDSS Subscriber Data Processing Module at RP Side
VPN Virtual Private Network
VSA Vendor Specific Attribute
WVPN Wireless Virtual Private Network
XML eXtensible Markup Language

ZXUN UniA Product Description

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

ZXUN UniA Product Description

Загружено:

Авторское право:

Доступные форматы

ZXUN UniA Product Description

ZXUN UniA Product Description

ZXUN UniA Product Description

Version Date Author Approved By Remarks

V1.00 2008-12-18 Not open to the Third Party

© 2008 ZTE Corporation. All rights reserved.

ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. I

1 General Description ................................................................................................... 1

3 AAA Functions Introduction ..................................................................................... 5

II © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary

3.5.14 Temporary Account ................................................................................................... 16

4 AN-AAA Function Introduction............................................................................... 19

5 Interfaces and Communication............................................................................... 22

6 System Architecture ................................................................................................ 25

7 System Security and Reliability.............................................................................. 29

8 Technical Indices and Regulations ........................................................................ 30

9 Operation and Maintenance .................................................................................... 34

IV © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary

Figure 1 Network Architecture Based on CDMA2000 1X/EV-DO System .................................. 1

Table 1 CN Packet System NE Function Introduction................................................................ 2

ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. V

1.1 General Introduction

1.2 System Architecture

BTS BSC/PCF MSC/VLR HLR/AUC

AP OCS ISPP PPS/SCP LIC(Option)

Figure 1 Network Architecture Based on CDMA2000 1X/EV-DO System

ZXPDSS P200：Packet Data Serving Node（PDSN）

ZXPDSS H200：Home Agent（HA）

ZXPDSS B200：Broadcast service Node（BSN）

ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. 1

ZXUN UniA：Authentication, Authorization, Accounting（AAA & AN-AAA）

Table 1 CN Packet System NE Function Introduction

1.3 Standards Compliance

[1] RFC 2865, Remote Authentication Dial In User Service (RADIUS)

[2] 3GPP2 P.S0001-A V3.0.0 Wireless IP Network Standard，July 2001

2 © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary

[3] RFC 4282, the Network Access Identifier

[4] RFC 2104, HMAC: Keyed-Hashing for Message Authentication

[5] RFC 3748, Extensible Authentication Protocol (EAP)

[6] RFC 4017, Extensible Authentication Protocol (EAP) Method Requirements

[8] RFC 2869, RADIUS Extensions

[9] RFC 2866, RADIUS Accounting

[10] RFC 3344, IP Mobility Support for IPv4

MSCHAPv2, G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC2759

[11] RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial

[12] RFC 3775, Mobility Support in IPv6

[13] RFC 2868, RADIUS Attributes for Tunnel Protocol Support

[14] RFC 3012, Mobile IPv4 Challenge/Response Extensions

[16] RFC 2548, Microsoft Vendor-specific RADIUS Attributes

[17] RFC 4372, Chargeable User Identity

[18] RFC2618, RADIUS Authentication Client MIB

[19] RFC 2619, RADIUS Authentication Server MIB

[20] RFC 2620, RADIUS Accounting Client MIB

[21] RFC 2621, RADIUS Accounting Server MIB

2.1 Large-capacity and High Performance

ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved. 3

2 It supports smooth upgrading to distributed architecture products of uniform user

2.2 Abundant Network Access Capability

3 AAA supports unity or separation of deployment with AN-AAA flexibly and

2.3 Flexible Accounting Mechanism

2.4 High Security and High Reliability Mechanism

2 Software watchdog is designed to monitor, auto-recovery and startup service

4 © 2008 ZTE Corporation. All rights reserved. ZTE Confidential Proprietary