Non-Cisco device support - Cisco Knowledge Network

Cisco Knowledge Network 

AAA Services Are No Joke 

When Your Customer Calls! 

Introduction to Cisco Prime Access Registrar 

Sudhir Parasuram - Product Manager 

Karthikeyan Dachanamoorthy - Technical Marketing Engineer 

Cloud & Systems Management Technology Group 

March 6, 2013 

C97-688793-00 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 

1

click here 

© © 2010 Cisco and/or its its affiliates. All All rights reserved. 

Cisco Confidential 2

Design 

• Rapid time to revenue 

• Differentiated 

services 

Analyze 

• Grow ARPU 

• Increase loyalty 

Fulfill 

• Low-cost operator 

• Zero touch 

• Lowest cost 

Assure 

• Improve QoS 

• Reduce turnover 

• Lowest cost 

Domain Managers 

Provide core information for devices and technologies 

Automated discovery and configuration management 

Network visibility 

C97-688793-00 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

Analytics • Cisco Prime Analytics 

Service Fulfillment 

Cloud Automation 

Voice and Video Collaboration 

Carrier Management 

IT Management 

Subscriber Management 

• Cisco Prime Order Management 

• Cisco Prime Active Catalog 

• Cisco Prime Service Inventory 

• Cisco Prime Provisioning 

• Cisco ® Cloud Portal (newScale) 

• Cisco Process Orchestrator 

• Cisco Server Provisioner 

• Cisco Network Services Manager 

• Cisco Prime Collaboration 

Provisioning, Real-Time Monitoring, 

Fault Detection and Isolation, Advanced Diagnostics, Dashboards, and Reports 

• Cisco Prime Provisioning 

• Cisco Prime Central 

• Cisco Prime Network 

• Cisco Prime Performance Manager 

• Cisco Prime Optical 

• Cisco Prime Infrastructure Lifecycle, Assurance, and Compliance 

• Cisco Prime Network Analysis Module 

• Cisco NetFlow Generation Appliance 

• Cisco Prime Home 

• Cisco Prime Network Registrar 

• Cisco Prime Cable Provisioning 

• Cisco Prime Access Registrar 


The Access Management Challenge 

Introducing Cisco Prime Access Registrar 

Live Demonstration 

Resources 

Q&A 


Authentication, Authorization and 

Accounting (AAA) are missioncritical 

in today’s service provider 

networks 

New subscriber services & 

delivery models must be 

rapidly introduced for 

competitive advantage 

Network operators need to 

support new service delivery 

models like MVNO/wholesaling 

and roaming 

Network operators need to 

support multiple access 

technologies including latest – 

SP-WiFi, Femtocell, 

SmartGrid and more 

Resources such as session 

limits and IP addresses need 

to be managed efficiently 

Scalability demands are 

increasing 

Network operators are under 

pressure to reduce operating 

expenses (OpEx) 


• High performance carrier class 

RADIUS/Diameter platform 

• Provides intelligent 

Authentication, Authorization 

and Accounting services 

• Across variety of access 

technologies 

Performance Scalability Flexibility 


Application Server 

XML Over UDP 

Service Provisioning (OSS) 

Network Monitoring 

Configuration Interface 

Session Caching and Authorization 

Flow-through Service & Subscriber Provisioning 

ODBC/OCI 

User/Accounting Database 

Dial, DSL, Wireless LAN, 

CDMA, GPRS, UMTS, 

iDen, WiMAX, SP-WiFi, 

Femto, 

Smart Grid 

RADIUS/ 

Diameter 

Rules Engine 

Extensible Authentication 

Protocol 

Local 

LDAP 

Authentication 

Authorization 

Accounting 

Proxy AAA 

Prepaid Billing 

M3UA/Sigtran 

RADIUS/ 

Diameter 

Directory of User Data 

Third Party Billing System 

RADIUS/Diameter Server 

HLR 

Access Technologies 

Custom Service 

Extension Points 

Cisco ® Prime Access Registrar 

Custom Logic 

(C/C++/Tcl/Java) 


• Market leading RADIUS performance: 

over 125 million transactions per hour. 

• Provides scalability to support large service 

deployments. An external session manager 

allows tens of millions of simultaneous 

active sessions. Multithreaded architecture 

provides performance that scales with 

additional processing power. 

• Investment Protection - Grows with your 

business. 

Flexible to adapt to virtually any network size 

40000 

32000 

24000 

16000 

8000 

0 

30000 

25000 

20000 

15000 

10000 

5000 

0 

Local Authentication 

AA 

AAA 

UCS 

Proxy Authentication 

AA 

AAA 

UCS 


• Supports RADIUS and Diameter 

access protocols, TACACS+ for device 

management 

• Extensive interoperability with multiple 

network equipment vendor types 

• IPv4 and IPv6 support 

• Virtualization support: Oracle VM 

Server for SPARC and VMware for 

scale and availability, server 

footprint reduction, and efficient 

use of resources 

NAS 

NAS 

Oracle, AD, 

MySQL, 

OpenLDAP 

AA 

A 

Remote 

Server 


Multiple Access Technologies 

. 

Dial, DSL, Wireless LAN, CDMA, GPRS, 

UTMS, iDEN, WiMAX, SP-WiFi, 

Femtocell, Smart Grid 

• Delivers OpEx and CapEx 

savings by enabling 

standardization on a common 

AAA server platform 

• Helps future-proof a service 

provider’s choice in AAA for 

competitive advantage 

Rich Set of Corresponding Authentication Protocols 

Standard Support: Inner Methods: Other: 

MD5 TLS PAP 

LEAP TTLS CHAP 

PEAPv0 SIM MS-CHAPv2 

PEAP v1 AKA Any EAP 

FAST 

GTC 

EAP Proxy 

EAP-Negotiate – At runtime, 

select the EAP service to be 

used to authenticate the client 

CRL support for EAP services 

Diameter NASREQ 


• Simplifies deployment and operations 

• Provides OpEx savings 

• Helps support networks with tens of 

millions of subscribers 

AA Request 

Accounting Request 

LDAP v3 Directory 

RADIUS / 

Diameter Server 

Oracle 

MySQL 

• RDBMS support with any external 

accounting database by implementing 

a set of defined API functions 

• Scriptable configuration interfaces 

• Reduces operational costs and speeds 

service rollout 

• Billing interface allows billing vendors to 

integrate their systems for prepaid 

functionality 

Internal DB 

Local Flat File 

Microsoft AD 


Extension point scripting (EPS) and a rich set of APIs allow users to add custom 

logic to the call flow and manipulate response and request attributes 

EXAMPLES 

• Create Custom Authentication Methods: Create custom mechanisms for 

authenticating with roaming partners that use POP3 

• Filtering responses from roaming partners: Inspect responses from a 

remote RADIUS server of a roaming partner to filter out (delete) or translate 

unacceptable attributes before forwarding the response to the client. 

• Controlling Debugging: An EPS allows debugging to be turned on and off 

selectively; e.g., turned on only for requests with username bob@cisco.com 

– to speed up request processing and save on disk space. 


Access-Request 

= Extension Point 

Access-Accept/Access-Reject 

Cisco Prime Access Registrar 

(optional) 

Vendor (Ascend, Cisco, USR…) 

Client (NAS-1, NAS-2, …) 

Custom Authentication Authentication & Authorization 

Service 

Service 

Session 

Manager 

External Plug-in 

Library 

• External plug-in written in C++ does QChat specific BAK 

generation and digest authentication 

• POP3 authentication for a Cable customer 


User Session Tracking and 

Resource Allocation: e.g., IP 

addresses per user and session 

limits per user or group 

Centralized IP 

administration and 

session limit enforcement 

Session Query: Allows real-time 

query from external applications 

Single sign-on 

IP address mapping for mobile 

operators 

Helps meet regulatory 

requirements for tracking 

usage 


• Centralized administration via replication 

Ease of multi-machine configuration with GUI or CLI for simple administration 

• Clustering for high availability: Veritas (for Solaris, Linux 

systems), Oracle/Sun (for Solaris), RedHat Cluster Suite (for 

RHEL) 

Safeguard against unplanned outages 

Master AR 

NAS 

Replication 

Replication 

Replication 

Active AR 

Member AR-1 Member AR-2 Member AR-3 

Centralized Administration 

Clustering 

Solution 

Standby AR 

Clustering - High Availability 


Cisco ® Prime Access Registrar 

preinstalled and configured 

on a Cisco Unified Computing 

System server 

Easy to buy 

Benefits 

• Fast 

• Easy startup 

• Rapid time to value 

Grows with 

business 

Extensible 

Access Registrar 

Jumpstart 

RADIUS / Diameter AAA 

Future Proof 

Easy to 

deploy 

• Single-vendor solution 

Easy to use 

* Available May 2013 


• Subset of Cisco Access Registrar functional units—built for intelligent 

RADIUS load balancing and proxy 

Enabled with proxy, scripting and accounting functionality ONLY 

Redirects packets based on policy engine or customization using extension points 

Optionally maintains session association with back-end servers, helping to ensure 

proper billing and tracking of service and application usage 

• Attractive price point for operators who only need this subset of 

functionality – compared to full-blown AAA of similar scale. 

Use Case Examples 

• Duplicate RADIUS packets to multiple destinations 

• Intelligent RADIUS packet routing (load balancing, forwarding) – roaming 

scenarios 


Cisco ® Prime Access Registrar supports the PWLAN / Wi-Fi data 

offload market with the following: 

• A wide variety of EAP authentication protocols 

• SIM and USIM authentication against an HLR via the use of M3UA/SIGTRAN connectivity 

for a seamless authentication experience 

• SIM and USIM authentication for data access against an HSS via a Diameter interface 

• Easy customization of he RADIUS-to-Diameter translation (and vice versa) to meet any 

specific requirements 

NAS 

M3UA/Sigtran 

HLR 

RADIUS 

(EAP-SIM/EAP-AKA ) 

AR 

DIAMETER 

HSS 



North America 

• 75+ million subscriber base 

• One of the largest smartphone network in the world 

• Uses: 

- Mobile data access authentication 

- IP address allocation, LDAP integration 

Europe 

• Over 6+ million subscriber base, providing 99% coverage across country 

• Leading telecom service provider in country 

• Uses: 

- Mobile data access authentication 

- Prepaid integration, SP-WiFi (hotspot), EAP-SIM authentication 

Asia Pacific 

• Largest mobile service provider, offering fixed-line broadband services in country 

• Uses: 

- Managed VPN service 

- Authentication against MS-Active Directory, RSA token card server 



User 1test@xyz.com logs in and undergoes the following: 

• Authenticate against local data base 

• Authorize against LDAP 

• Accounting information 

Proxied to roaming partner 

Written to local flat file (for redundancy) 

User disconnected administratively by sending POD 

Radclient performance test 


• In carrier grade SP market for more than a decade 

• Over 200+ SP’s across the globe 

• Customers are using successfully to cater to 100K to 75+ Million subscriber 

base 

• Multi threaded architecture 

• Proven AAA in terms of stability, performance and scalability 

• Strong roadmap towards the SP market to include next generation access 

technologies 

• Easy integration points 

• Virtualization support 

• Proven Cisco customer support 

• Cisco Advanced Services support for complete implementation or painless 

migration 

• Key component in multiple Cisco end to end solutions 

• Single point of contact - Cisco UCS (Hardware), Cisco Prime Access Registrar 

(Application), and Cisco Services (Implementation and Support) 


• Cisco ® Prime Access Registrar on Cisco.com: 

www.cisco.com/go/accessregistrar/ 

• Cisco Prime Access Registrar Tech Center developer support: 

http://developer.cisco.com/web/car/home 

• For additional information, please contact: 

ar-tme@cisco.com for presales/business queries 

or cs-ar@cisco.com for technical queries 



www.cisco.com/go/prime-sp 

Cisco Prime Demo Webinar Series 

March 6th 2013 Prime Performance Manager 

March 13th 2013 Prime Network Registrar 

March 20th 2013 Prime Carrier Management 

March 27th 2013 Prime for Mobility 

April 3rd 2013 Prime Optical 

All sessions 8:00 AM PST; Webex; Meeting#: 203 850 378; Password: prime 

Cisco Knowledge Network 

OSS & Network Management 

April 3, 2013 Introduction to Service Fulfillment 

May 1, 2013 Multi-Vendor Services Fulfillment 

June 5, 2013 Multi-Domain Service Fulfillment 

Register: www.ciscoknowledgenetwork.com 


Thank you.

Non-Cisco device support - Cisco Knowledge Network

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?