Specifications

OmniAccess Reference: AOS-W System Reference
362 Part 031652-00 May 2005
Notes on Advanced AAA Features
The Advanced AAA feature pack for AOS-W unlocks a number of extended
authentication and authorization features for enterprise and service provider
networks. With the Advanced AAA feature pack, the standard AOS-W
authentication features are augmented with the following:
• Per-SSID selection of authentication server for wireless networks
• Domain and realm selection of authentication server
• Dynamic authorization and authentication API using RFC 3576 (RADIUS Disconnect and Change-of-Authorization messages)
The Problem
Most enterprise networks have a single authentication infrastructure, typically
based on directory services such as Microsoft Active Directory or Novell NDS.
For these enterprise networks, the standard authentication capabilities of
AOS-W are sufficient because all users on the system can be found in the
same authentication database. However, a number of occasions arise where
multiple distinct authentication infrastructures must be supported. For
example, when two companies merge it often takes months or even years for
the IT infrastructure to consolidate, meaning that user identity is often
contained in multiple different user databases. For these networks, the ability
to support multiple authentication systems is critical.
Service providers also need to authenticate against multiple systems. A
service provider often sells wholesale access to many different companies – for
example, a virtual hotspot provider that resells service for three different
national ISPs. Service providers also typically have roaming agreements with
other providers, under which the customers of one provider can connect to the
networks of the others using their own credentials. For these providers, the
ability to authenticate against multiple databases is essential.
Finally, some enterprise networks also require fine-grained, per-user
authorization control (that is, control over what a given user is permitted to
do on the network), where the authorization may change dynamically during a
session. For example, an enterprise may wish to offer guest access to the
network but be able to cut off a particular guest as soon as that guest checks
out with the front lobby receptionist. In this situation, the receptionist logs
the visitor out in the visitor log software, which then dynamically instructs
the Alcatel grid controller to disconnect the user. For this application, a
standard API (Application Programming Interface) is required so that the grid
controller can be driven by a number of different software packages. RFC 3576
provides that interface: the external software sends a RADIUS Disconnect-Request
(or CoA-Request) to the controller, which answers with an ACK or a NAK.
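The exchange behind that lobby check-out, shown at the packet level as RFC 3576 defines it. This is an added example, not Alcatel or AOS-W code: it builds a Disconnect-Request with the Request Authenticator the RFC specifies (MD5 over the header, sixteen zero octets, the attributes and the shared secret), and checks the controller's Disconnect-ACK or Disconnect-NAK against the Response Authenticator before trusting it. The shared secret, user name and Acct-Session-Id are constructed; the UDP port 3799 is the RFC 3576 default and is assumed here to be what the controller listens on. The controller-side `build_response` is included only so the exchange can be exercised offline.

```python
"""RFC 3576 Dynamic Authorization: build a Disconnect-Request, check the reply.

Added example; not Alcatel/AOS-W code. The shared secret, user name and
session identifier used below are constructed for the demonstration.
"""
import hashlib
import hmac
import socket
import struct

# Packet codes defined by RFC 3576 section 2.1
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DYNAUTH_PORT = 3799  # RFC 3576 default UDP port; assumed to apply to the controller

# RADIUS attribute types used in this example
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value from RFC 3576 section 3.5


def encode_attrs(attrs):
    """attrs is a list of (type, value_bytes); each AVP is Type(1) Length(1) Value."""
    out = bytearray()
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return bytes(out)


def decode_attrs(blob):
    """Inverse of encode_attrs; rejects truncated or overlapping AVPs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated AVP header")
        typ, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad AVP length")
        attrs.append((typ, bytes(blob[i + 2:i + length])))
        i += length
    return attrs


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Controller side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def check_response(request, response, secret):
    """Return (code, attrs) if response is a valid answer to request, else None."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # wrong secret, replayed, or tampered reply: do not act on it
    return code, decode_attrs(response[20:])


def error_cause(attrs):
    """Integer Error-Cause carried in a NAK, or None if absent."""
    for typ, val in attrs:
        if typ == ERROR_CAUSE and len(val) == 4:
            return struct.unpack("!I", val)[0]
    return None


def disconnect_request_for(identifier, user_name, session_id, secret):
    """The packet the visitor-log software sends when the guest checks out."""
    return build_request(DISCONNECT_REQUEST, identifier,
                         [(USER_NAME, user_name.encode()),
                          (ACCT_SESSION_ID, session_id.encode())], secret)


def send_disconnect(controller_ip, request, secret, timeout=3.0):
    """Send the request over UDP; return (code, attrs), or None on timeout/bad reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (controller_ip, DYNAUTH_PORT))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return check_response(request, reply, secret)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed, not a real deployment value
    req = disconnect_request_for(7, "visitor42", "0A1B2C3D", SECRET)
    # Offline: simulate both answers the controller could give.
    ack = build_response(DISCONNECT_ACK, req, [], SECRET)
    nak = build_response(DISCONNECT_NAK, req,
                         [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))], SECRET)
    print(check_response(req, ack, SECRET))
    print(error_cause(check_response(req, nak, SECRET)[1]))
```

Two points a practitioner should take from this: the Response Authenticator binds the reply to the specific request (its authenticator and identifier) and to the shared secret, so a reply that fails `check_response` must be discarded rather than treated as a successful disconnect; and a NAK with Error-Cause 503 (Session Context Not Found) means the controller no longer has that session, which a check-out workflow can usually treat as "already gone" rather than as an error.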