Specifications

Authentication Server Configuration 363
Chapter 16
The AOS-W Solution
All the problems outlined above are solved using the Advanced AAA feature
pack for Alcatel AOS-W. The feature pack is a collection of authentication-
and authorization-related enhancements conveniently packaged together. The
feature pack includes the following solutions:
Per-SSID Selection of Authentication Server
In wireless networks, the SSID (Service Set Identifier) is used to differentiate
between different types of services. For example, corporate users may
connect to an SSID labeled “Corp” while guest users may connect to “Guest”.
Each SSID may support different authentication and encryption schemes, and
may provide access to different wired networks as well.
The per-SSID selection of authentication server feature in AOS-W permits one
or more authentication servers to be mapped to each SSID configured in the
system. All users connecting to one SSID will be authenticated against one
set of servers, while all users connecting to a second SSID will be authenticated
against a different set of servers. One application for this in enterprise
networks is the ability to set up test networks or migration networks, where
users must be supported on an existing authentication database while new
authentication databases are set up on alternate SSIDs. The two systems can
operate concurrently without interfering with each other.
Another major application for this feature is in service provider networks,
where each SSID represents a completely different userbase. Many wireless
hotspot providers resell their access services to national service providers.
The national providers own the customers and handle billing and marketing of
their service, while local hotspot companies provide the “pipes” to the
network, managing and installing physical equipment at hotspot premises.
These service providers can use a different SSID for each national ISP, and
then authenticate the users against each respective provider’s own
authentication servers.
Domain and Realm Selection of Authentication Servers
Realms and domains are commonly used in authentication systems. A realm
is normally the first part of a username, separated from the actual username
by a slash. In a Windows Active Directory network, the Active
Directory domain is used as the realm. For example, Acme Corporation’s
domain may be “ACME”, and a user named Bob within that domain may be
identified on the network as “ACME/bob”. Usernames also often appear in
fully-qualified domain name (FQDN) format. These addresses appear similar to
an email address, for example “bob@acme.com”. For either format, Alcatel’s
Advanced AAA feature pack enables AOS-W to select different authentication
servers based on domain or realm.
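The two selection rules described above (per-SSID server sets and realm/domain parsing of "ACME/bob" and "bob@acme.com" style names) modelled as an added example; this is illustrative code, not Alcatel's AOS-W implementation, and the SSID names, realms and server names are constructed. It generalises the realm split to also accept the Windows backslash form.

```python
"""Illustrative authentication-server selection in the style of the
AOS-W Advanced AAA feature pack (added example, not vendor code).

Rule 1: a realm or domain carried in the username selects its own servers.
Rule 2: otherwise the SSID the client associated to selects the servers.
"""
import re

# Constructed mapping: SSID -> ordered list of authentication servers.
SSID_SERVERS = {
    "Corp": ["radius-corp-1", "radius-corp-2"],
    "Guest": ["radius-guest"],
    "ISP-A": ["radius-isp-a"],
}

# Constructed mapping: realm/domain (lower-cased) -> authentication servers.
REALM_SERVERS = {
    "acme": ["ldap-acme"],            # ACME/bob
    "acme.com": ["ldap-acme"],        # bob@acme.com
    "partner.example": ["radius-partner"],
}

_REALM_SLASH = re.compile(r"^([^/\\]+)[/\\](.+)$")   # ACME/bob or ACME\bob
_REALM_FQDN = re.compile(r"^([^@]+)@(.+)$")           # bob@acme.com


def split_realm(username):
    """Return (realm, bare_user); realm is None if the name carries none."""
    m = _REALM_SLASH.match(username)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _REALM_FQDN.match(username)
    if m:
        return m.group(2).lower(), m.group(1)
    return None, username


def select_servers(ssid, username):
    """Pick the server list for this login attempt.

    A realm/domain mapping takes precedence over the SSID mapping. If neither
    is configured the result is an empty list, so the caller fails closed
    instead of silently trying an unrelated user database.
    """
    realm, _ = split_realm(username)
    if realm is not None and realm in REALM_SERVERS:
        return list(REALM_SERVERS[realm])
    return list(SSID_SERVERS.get(ssid, []))
```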