Non-Cisco device support - Cisco Knowledge Network
<strong>Cisco</strong> <strong>Knowledge</strong> <strong>Network</strong><br />
AAA Services Are No Joke<br />
When Your Customer Calls!<br />
Introduction to <strong>Cisco</strong> Prime Access Registrar<br />
Sudhir Parasuram - Product Manager<br />
Karthikeyan Dachanamoorthy - Technical Marketing Engineer<br />
Cloud & Systems Management Technology Group<br />
March 6, 2013<br />
C97-688793-00 © 2011 <strong>Cisco</strong> and/or its affiliates. All rights reserved. <strong>Cisco</strong> Confidential<br />
Design<br />
• Rapid time to revenue<br />
• Differentiated<br />
services<br />
Analyze<br />
• Grow ARPU<br />
• Increase loyalty<br />
Fulfill<br />
• Low-cost operator<br />
• Zero touch<br />
• Lowest cost<br />
Assure<br />
• Improve QoS<br />
• Reduce turnover<br />
• Lowest cost<br />
Domain Managers<br />
Provide core information for <strong>device</strong>s and technologies<br />
Automated discovery and configuration management<br />
<strong>Network</strong> visibility<br />
Analytics • <strong>Cisco</strong> Prime Analytics<br />
Service Fulfillment<br />
Cloud Automation<br />
Voice and Video Collaboration<br />
Carrier Management<br />
IT Management<br />
Subscriber Management<br />
• <strong>Cisco</strong> Prime Order Management<br />
• <strong>Cisco</strong> Prime Active Catalog<br />
• <strong>Cisco</strong> Prime Service Inventory<br />
• <strong>Cisco</strong> Prime Provisioning<br />
• <strong>Cisco</strong> ® Cloud Portal (newScale)<br />
• <strong>Cisco</strong> Process Orchestrator<br />
• <strong>Cisco</strong> Server Provisioner<br />
• <strong>Cisco</strong> <strong>Network</strong> Services Manager<br />
• <strong>Cisco</strong> Prime Collaboration<br />
Provisioning, Real-Time Monitoring,<br />
Fault Detection and Isolation, Advanced Diagnostics, Dashboards, and Reports<br />
• <strong>Cisco</strong> Prime Provisioning<br />
• <strong>Cisco</strong> Prime Central<br />
• <strong>Cisco</strong> Prime <strong>Network</strong><br />
• <strong>Cisco</strong> Prime Performance Manager<br />
• <strong>Cisco</strong> Prime Optical<br />
• <strong>Cisco</strong> Prime Infrastructure Lifecycle, Assurance, and Compliance<br />
• <strong>Cisco</strong> Prime <strong>Network</strong> Analysis Module<br />
• <strong>Cisco</strong> NetFlow Generation Appliance<br />
• <strong>Cisco</strong> Prime Home<br />
• <strong>Cisco</strong> Prime <strong>Network</strong> Registrar<br />
• <strong>Cisco</strong> Prime Cable Provisioning<br />
• <strong>Cisco</strong> Prime Access Registrar<br />
The Access Management Challenge<br />
Introducing <strong>Cisco</strong> Prime Access Registrar<br />
Live Demonstration<br />
Resources<br />
Q&A<br />
Authentication, Authorization and<br />
Accounting (AAA) are mission-critical<br />
in today’s service provider<br />
networks<br />
New subscriber services &<br />
delivery models must be<br />
rapidly introduced for<br />
competitive advantage<br />
<strong>Network</strong> operators need to<br />
<strong>support</strong> new service delivery<br />
models like MVNO/wholesaling<br />
and roaming<br />
<strong>Network</strong> operators need to<br />
<strong>support</strong> multiple access<br />
technologies including the latest –<br />
SP-WiFi, Femtocell,<br />
SmartGrid and more<br />
Resources such as session<br />
limits and IP addresses need<br />
to be managed efficiently<br />
Scalability demands are<br />
increasing<br />
<strong>Network</strong> operators are under<br />
pressure to reduce operating<br />
expenses (OpEx)<br />
• High performance carrier class<br />
RADIUS/Diameter platform<br />
• Provides intelligent<br />
Authentication, Authorization<br />
and Accounting services<br />
• Across a variety of access<br />
technologies<br />
Performance Scalability Flexibility<br />
Application Server<br />
XML Over UDP<br />
Service Provisioning (OSS)<br />
<strong>Network</strong> Monitoring<br />
Configuration Interface<br />
Session Caching and Authorization<br />
Flow-through Service & Subscriber Provisioning<br />
ODBC/OCI<br />
User/Accounting Database<br />
Dial, DSL, Wireless LAN,<br />
CDMA, GPRS, UMTS,<br />
iDen, WiMAX, SP-WiFi,<br />
Femto,<br />
Smart Grid<br />
RADIUS/<br />
Diameter<br />
Rules Engine<br />
Extensible Authentication<br />
Protocol<br />
Local<br />
LDAP<br />
Authentication<br />
Authorization<br />
Accounting<br />
Proxy AAA<br />
Prepaid Billing<br />
M3UA/Sigtran<br />
RADIUS/<br />
Diameter<br />
Directory of User Data<br />
Third Party Billing System<br />
RADIUS/Diameter Server<br />
HLR<br />
Access Technologies<br />
Custom Service<br />
Extension Points<br />
<strong>Cisco</strong> ® Prime Access Registrar<br />
Custom Logic<br />
(C/C++/Tcl/Java)<br />
• Market leading RADIUS performance:<br />
over 125 million transactions per hour.<br />
• Provides scalability to <strong>support</strong> large service<br />
deployments. An external session manager<br />
allows tens of millions of simultaneous<br />
active sessions. Multithreaded architecture<br />
provides performance that scales with<br />
additional processing power.<br />
• Investment Protection - Grows with your<br />
business.<br />
Flexible to adapt to virtually any network size<br />
[Charts: Local Authentication; Proxy Authentication. Series: AA, AAA, UCS]<br />
• Supports RADIUS and Diameter<br />
access protocols, TACACS+ for <strong>device</strong><br />
management<br />
• Extensive interoperability with multiple<br />
network equipment vendor types<br />
• IPv4 and IPv6 <strong>support</strong><br />
• Virtualization <strong>support</strong>: Oracle VM<br />
Server for SPARC and VMware for<br />
scale and availability, server<br />
footprint reduction, and efficient<br />
use of resources<br />
NAS<br />
NAS<br />
Oracle, AD,<br />
MySQL,<br />
OpenLDAP<br />
AA<br />
A<br />
Remote<br />
Server<br />
Multiple Access Technologies<br />
Dial, DSL, Wireless LAN, CDMA, GPRS,<br />
UMTS, iDEN, WiMAX, SP-WiFi,<br />
Femtocell, Smart Grid<br />
• Delivers OpEx and CapEx<br />
savings by enabling<br />
standardization on a common<br />
AAA server platform<br />
• Helps future-proof a service<br />
provider’s choice in AAA for<br />
competitive advantage<br />
Rich Set of Corresponding Authentication Protocols<br />
Standard Support: Inner Methods: Other:<br />
MD5 TLS PAP<br />
LEAP TTLS CHAP<br />
PEAPv0 SIM MS-CHAPv2<br />
PEAP v1 AKA Any EAP<br />
FAST<br />
GTC<br />
EAP Proxy<br />
EAP-Negotiate – At runtime,<br />
select the EAP service to be<br />
used to authenticate the client<br />
CRL <strong>support</strong> for EAP services<br />
Diameter NASREQ<br />
• Simplifies deployment and operations<br />
• Provides OpEx savings<br />
• Helps <strong>support</strong> networks with tens of<br />
millions of subscribers<br />
AA Request<br />
Accounting Request<br />
LDAP v3 Directory<br />
RADIUS /<br />
Diameter Server<br />
Oracle<br />
MySQL<br />
• RDBMS <strong>support</strong> with any external<br />
accounting database by implementing<br />
a set of defined API functions<br />
• Scriptable configuration interfaces<br />
• Reduces operational costs and speeds<br />
service rollout<br />
• Billing interface allows billing vendors to<br />
integrate their systems for prepaid<br />
functionality<br />
Internal DB<br />
Local Flat File<br />
Microsoft AD<br />
Extension point scripting (EPS) and a rich set of APIs allow users to add custom<br />
logic to the call flow and manipulate response and request attributes<br />
EXAMPLES<br />
• Create Custom Authentication Methods: Create custom mechanisms for<br />
authenticating with roaming partners that use POP3<br />
• Filtering responses from roaming partners: Inspect responses from a<br />
remote RADIUS server of a roaming partner to filter out (delete) or translate<br />
unacceptable attributes before forwarding the response to the client.<br />
• Controlling Debugging: An EPS allows debugging to be turned on and off<br />
selectively; e.g., turned on only for requests with username bob@cisco.com<br />
– to speed up request processing and save on disk space.<br />
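
The response-filtering case above, worked through on a raw RADIUS packet. This is an added example, not Cisco Prime Access Registrar code or its extension point API; the allowlist, the timeout ceiling, the shared secrets and the sample packet are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Assumed policy (not from the deck): attribute types accepted from a partner.
ALLOWED = {1, 18, 25, 27}      # User-Name, Reply-Message, Class, Session-Timeout
MAX_SESSION_TIMEOUT = 3600     # assumed local ceiling, in seconds

def response_auth(header, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_attributes(data):
    """Split the attribute section into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def filter_response(packet, request_auth, partner_secret, nas_secret):
    """Verify the partner's reply, drop or translate attributes, re-sign for the NAS."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    expected = response_auth(packet[:4], request_auth, body, partner_secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    kept, dropped = b"", []
    for atype, value in parse_attributes(body):
        if atype not in ALLOWED:
            dropped.append(atype)                  # filter out (delete)
            continue
        if atype == 27 and len(value) == 4:        # translate: clamp the timeout
            secs = struct.unpack("!I", value)[0]
            value = struct.pack("!I", min(secs, MAX_SESSION_TIMEOUT))
        kept += bytes([atype, len(value) + 2]) + value
    header = struct.pack("!BBH", code, ident, 20 + len(kept))
    return header + response_auth(header, request_auth, kept, nas_secret) + kept, dropped


def constructed_partner_reply(request_auth, partner_secret):
    """Constructed Access-Accept (code 2) with two attributes the policy rejects."""
    attrs = (bytes([18, 4]) + b"ok"                        # Reply-Message
             + bytes([8, 6, 10, 0, 0, 5])                  # Framed-IP-Address
             + bytes([27, 6]) + struct.pack("!I", 86400)   # Session-Timeout
             + bytes([26, 8, 0, 0, 0, 9, 1, 2]))           # Vendor-Specific
    header = struct.pack("!BBH", 2, 7, 20 + len(attrs))
    return header + response_auth(header, request_auth, attrs, partner_secret) + attrs
```

Because the attribute list changes, the Response Authenticator has to be recomputed with the NAS-side secret before forwarding. Message-Authenticator (type 80) is not on this allowlist, so EAP replies, which require it, would need it kept and recomputed as well.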
Access-Request<br />
= Extension Point<br />
Access-Accept/Access-Reject<br />
<strong>Cisco</strong> Prime Access Registrar<br />
(optional)<br />
Vendor (Ascend, <strong>Cisco</strong>, USR…)<br />
Client (NAS-1, NAS-2, …)<br />
Custom Authentication Authentication & Authorization<br />
Service<br />
Service<br />
Session<br />
Manager<br />
External Plug-in<br />
Library<br />
• External plug-in written in C++ does QChat specific BAK<br />
generation and digest authentication<br />
• POP3 authentication for a Cable customer<br />
User Session Tracking and<br />
Resource Allocation: e.g., IP<br />
addresses per user and session<br />
limits per user or group<br />
Centralized IP<br />
administration and<br />
session limit enforcement<br />
Session Query: Allows real-time<br />
query from external applications<br />
Single sign-on<br />
IP address mapping for mobile<br />
operators<br />
Helps meet regulatory<br />
requirements for tracking<br />
usage<br />
• Centralized administration via replication<br />
Ease of multi-machine configuration with GUI or CLI for simple administration<br />
• Clustering for high availability: Veritas (for Solaris, Linux<br />
systems), Oracle/Sun (for Solaris), RedHat Cluster Suite (for<br />
RHEL)<br />
Safeguard against unplanned outages<br />
Master AR<br />
NAS<br />
Replication<br />
Replication<br />
Replication<br />
Active AR<br />
Member AR-1 Member AR-2 Member AR-3<br />
Centralized Administration<br />
Clustering<br />
Solution<br />
Standby AR<br />
Clustering - High Availability<br />
<strong>Cisco</strong> ® Prime Access Registrar<br />
preinstalled and configured<br />
on a <strong>Cisco</strong> Unified Computing<br />
System server<br />
Easy to buy<br />
Benefits<br />
• Fast<br />
• Easy startup<br />
• Rapid time to value<br />
Grows with<br />
business<br />
Extensible<br />
Access Registrar<br />
Jumpstart<br />
RADIUS / Diameter AAA<br />
Future Proof<br />
Easy to<br />
deploy<br />
• Single-vendor solution<br />
Easy to use<br />
* Available May 2013<br />
• Subset of <strong>Cisco</strong> Access Registrar functional units—built for intelligent<br />
RADIUS load balancing and proxy<br />
Enabled with proxy, scripting and accounting functionality ONLY<br />
Redirects packets based on policy engine or customization using extension points<br />
Optionally maintains session association with back-end servers, helping to ensure<br />
proper billing and tracking of service and application usage<br />
• Attractive price point for operators who only need this subset of<br />
functionality – compared to full-blown AAA of similar scale.<br />
Use Case Examples<br />
• Duplicate RADIUS packets to multiple destinations<br />
• Intelligent RADIUS packet routing (load balancing, forwarding) – roaming<br />
scenarios<br />
<strong>Cisco</strong> ® Prime Access Registrar <strong>support</strong>s the PWLAN / Wi-Fi data<br />
offload market with the following:<br />
• A wide variety of EAP authentication protocols<br />
• SIM and USIM authentication against an HLR via the use of M3UA/SIGTRAN connectivity<br />
for a seamless authentication experience<br />
• SIM and USIM authentication for data access against an HSS via a Diameter interface<br />
• Easy customization of the RADIUS-to-Diameter translation (and vice versa) to meet any<br />
specific requirements<br />
NAS<br />
M3UA/Sigtran<br />
HLR<br />
RADIUS<br />
(EAP-SIM/EAP-AKA )<br />
AR<br />
DIAMETER<br />
HSS<br />
North America<br />
• 75+ million subscriber base<br />
• One of the largest smartphone networks in the world<br />
• Uses:<br />
- Mobile data access authentication<br />
- IP address allocation, LDAP integration<br />
Europe<br />
• 6+ million subscriber base, providing 99% coverage across the country<br />
• Leading telecom service provider in country<br />
• Uses:<br />
- Mobile data access authentication<br />
- Prepaid integration, SP-WiFi (hotspot), EAP-SIM authentication<br />
Asia Pacific<br />
• Largest mobile service provider, offering fixed-line broadband services in country<br />
• Uses:<br />
- Managed VPN service<br />
- Authentication against MS-Active Directory, RSA token card server<br />
User 1test@xyz.com logs in and undergoes the following:<br />
• Authenticate against local database<br />
• Authorize against LDAP<br />
• Accounting information<br />
Proxied to roaming partner<br />
Written to local flat file (for redundancy)<br />
User disconnected administratively by sending POD<br />
Radclient performance test<br />
• In carrier grade SP market for more than a decade<br />
• 200+ SPs across the globe<br />
• Customers use it successfully to serve subscriber bases from 100K to 75+ million<br />
• Multithreaded architecture<br />
• Proven AAA in terms of stability, performance and scalability<br />
• Strong roadmap towards the SP market to include next generation access<br />
technologies<br />
• Easy integration points<br />
• Virtualization <strong>support</strong><br />
• Proven <strong>Cisco</strong> customer <strong>support</strong><br />
• <strong>Cisco</strong> Advanced Services <strong>support</strong> for complete implementation or painless<br />
migration<br />
• Key component in multiple <strong>Cisco</strong> end to end solutions<br />
• Single point of contact - <strong>Cisco</strong> UCS (Hardware), <strong>Cisco</strong> Prime Access Registrar<br />
(Application), and <strong>Cisco</strong> Services (Implementation and Support)<br />
• <strong>Cisco</strong> ® Prime Access Registrar on <strong>Cisco</strong>.com:<br />
www.cisco.com/go/accessregistrar/<br />
• <strong>Cisco</strong> Prime Access Registrar Tech Center developer <strong>support</strong>:<br />
http://developer.cisco.com/web/car/home<br />
• For additional information, please contact:<br />
ar-tme@cisco.com for presales/business queries<br />
or cs-ar@cisco.com for technical queries<br />
www.cisco.com/go/prime-sp<br />
<strong>Cisco</strong> Prime Demo Webinar Series<br />
March 6th 2013 Prime Performance Manager<br />
March 13th 2013 Prime <strong>Network</strong> Registrar<br />
March 20th 2013 Prime Carrier Management<br />
March 27th 2013 Prime for Mobility<br />
April 3rd 2013 Prime Optical<br />
All sessions 8:00 AM PST; Webex; Meeting#: 203 850 378; Password: prime<br />
<strong>Cisco</strong> <strong>Knowledge</strong> <strong>Network</strong><br />
OSS & <strong>Network</strong> Management<br />
April 3, 2013 Introduction to Service Fulfillment<br />
May 1, 2013 Multi-Vendor Services Fulfillment<br />
June 5, 2013 Multi-Domain Service Fulfillment<br />
Register: www.ciscoknowledgenetwork.com<br />
Thank you.<br />