TABLE OF CONTENTS
2 Product Features
2.1 Large-capacity and High Performance
2.2 Abundant Network Access Capability
2.3 Flexible Accounting Mechanism
2.4 High Security and High Reliability Mechanism
2.5 Easy to Operate and Easy to Manage
ZTE Confidential Proprietary © 2008 ZTE Corporation. All rights reserved.
ZXUN UniA Product Description
10 Abbreviation
1 General Description
[Figure: network architecture diagram. Labels: PSTN, cdma2000 1X, cdma2000 EV-DO, BTS, BSC/PCF, PDSN/FA, HA, AAA, AN-AAA, Router, Firewall, LNS, IP Network, Internet, Intranet, WLAN]
The ZTE CDMA2000 1X/EV-DO packet data switch system includes the following products:
Equipment: Introduction
PDSN: PDSN (Packet Data Serving Node). It serves as the access gateway between the wireless network and the packet data network, provides Simple IP and Mobile IP access modes, and provides Internet or Intranet access service for CDMA2000 mobile stations. When providing Mobile IP access service, the PDSN is integrated with the FA function.
HA: HA (Home Agent). It is located in the MS home network, maintains MS location information, and establishes the mapping between the MS IP address and the MS handover address. When a mobile station leaves its registered network, it needs to register with the HA; after the HA receives a packet sent to the mobile station, it forwards the packet through the tunnel between the HA and the FA, after which the packet is decapsulated and sent to the MS. The HA is needed only for Mobile IP service.
BSN: BSN (Broadcast Service Node). It carries the BCMCS service, maintains the broadcast channel with the BSC/PCF, performs program registration and session information acquisition, and establishes and maintains the bearer channel with the content server. The BSN applies the stream processing mechanism authorized by the BCMCS controller to the multicast IP stream. It also receives, copies and distributes the broadcast media stream from the content server. The BSN is needed only when BCMCS is available.
AAA: AAA (Authentication, Accounting, and Authorization Server). Also called the RADIUS server. The AAA server authenticates packet data users and authorizes them according to their subscription information. The AAA server can also perform packet data call accounting.
AN-AAA: AN-AAA (Access Network AAA Server). The AN-AAA handles AN-level access authentication, and validates and authorizes the legality of the EV-DO terminal ID.
2 Product Features
3 AAA supports smooth evolution to the HSS, allowing operators to offer a network with sustainable development.
2 To support authentication, authorization and accounting for CDMA, WLAN, WiMAX, WCDMA and fixed network access, and to make AAA integration across multiple networks convenient, AAA provides a variety of access modes and application scenarios for operators and offers a unified access network data management platform.
4 AAA supports multiple authentication methods (CHAP, PAP, CAVE, UAM, EAP-AKA, EAP-TLS (PSK), EAP-TTLS and EAP-MD5), which meets the diverse access authentication needs of end users.
5 AAA supports rich Profile group configuration. The property information of each group can be flexibly configured to meet a variety of access requirements.
2 AAA supports CDR-file backup and CDR-database backup. AAA also supports a CDR buffer, so that the AAA system keeps working under abnormal conditions and CDRs are not lost.
3 AAA supports comprehensive billing functions including pre-paid, post-paid and content-paid. AAA complies with national and international billing interface specifications, and customized accounting strategies are easy to define.
3 AAA supports an overload control function to keep the system stable under abnormal conditions.
4 The AAA network is dual-net and dual-plane, which avoids single-node failure.
5 AAA supports a security control function and an operator privilege management function.
2 Support for the local OMM and the next higher level EMS management mechanism, and for multiple NBIs (northbound interfaces) such as CORBA, SNMP and FTP, which makes centralized network management much easier.
3 Support for GUI (Graphical User Interface) and MML (Man Machine Language), which makes O&M easier and more efficient.
In a WLAN network, AAA is connected to the BRAS/AC for authentication, authorization and accounting.
In a WCDMA network, AAA is connected to the GGSN for authentication, authorization and accounting.
As a Visited AAA, it receives PDSN RADIUS messages and forwards them to the home network according to the agent forwarding strategy.
As a Broker AAA, it receives and forwards RADIUS messages from other AAAs; generally, multiple AAAs share one Broker AAA to implement interaction among areas and networks.
AAA and AN-AAA can be deployed separately or integrated, which gives a flexible networking mode.
The AAA server is responsible for authentication and authorization, and the Accounting server is responsible for accounting and CDR generation. The AAA server and the Accounting server implement distributed processing, which improves AAA server response performance and safety. When the AAA server receives an accounting message, it forwards it to the Accounting server for processing. If there is any abnormality, the AAA server stores the accounting message locally and sends the stored accounting messages to the Accounting server after recovery. This protection mechanism prevents user CDR messages from being dropped.
The capacity and performance of AAA can be upgraded smoothly while fully reusing the existing equipment: only one set of dual-array needs to be added, and no addition to the OMC or agent server is required.
CHAP and PAP are mainly used for CDMA, WCDMA and fixed network access authentication.
UAM, EAP-AKA and EAP-TLS (PSK) are mainly used for WLAN network access authentication.
A public account is set by AAA; its user name and password are public, and any legal terminal can access the network with this account.
The public account does not need an association between the account and the terminal IMSI; the public attribute is configured in the Profile associated with the public account. AAA supports configuring Profiles for every terminal in order to provide differentiated services.
A private account is set by AAA, and the terminal uses the private account to access the network. AAA also supports multiple terminals using one private account to access the network, or one terminal using different private accounts to access the network.
User information is maintained by the home AAA. When a user roams, the serving AAA forwards the user's access requests to the home AAA for authentication; the home AAA performs the authentication and authorizes the related Profile attributes.
The serving AAA performs routing analysis according to the realm information of the User-Name or the IMSI in the user's request, and forwards the access request to the home AAA.
AAA supports a free-of-authentication function. When a user account (public or private) is set as free-of-authentication and the user accesses for authentication, AAA passes the authentication directly without checking the password, authorizes the related service attributes and continues with the subsequent procedures.
AAA can configure profile information for different categories of users. The profile information includes the user's QoS information, bandwidth, time, address allocation strategy and so on. AAA sends the user profile information to the PDSN when the user finishes accessing; the PDSN limits the user's network resources according to the authorized user profile information.
An NAI user in AAA belongs to a service group, and each group has one profile template. The profile template can pre-set the authorized operation attributes (such as bandwidth, time or authorized RADIUS attributes). AAA authorizes the user's profile content to the PDSN when the user passes access authorization.
Using the system access function, the carrying capacity of the packet switched network, IP tunnels and IPSec, the VPN service provides packet data users with remote access to enterprise and group internal servers; users can enjoy all kinds of data services as usual without caring whether they access local or remote servers.
When a user accesses the network, the realm part of the User-Name attribute represents the L2TP VPN domain name. AAA authenticates the LNS IP address, tunnel password, tunnel type and tunnel media type according to the local L2TP VPN domain name configuration.
When a public account is used, AAA supports authorizing user attributes by IMSI, which provides differentiated profile authorization.
The public account does not need an association between the account and the terminal IMSI; the subscription attributes are configured in the associated Profile. AAA supports configuring a Profile for every IMSI; after the terminal accesses and authenticates successfully, AAA can authorize user profile information according to the IMSI.
AAA supports the IMSI+NAI Profile authorization mode. When a user requests access, AAA combines the Profiles configured by IMSI and by NAI and authorizes the result to the PDSN. For the combination, one Profile is set as the reference according to the configured strategy and is combined with the other; if there is any conflict, the attribute from the reference Profile is preferred.
data communications will be interrupted for inter-PDSN handoff and will not be resumed
until the call is initiated again.
When customers apply to operators for a service subscription and need to use a static IP address (fixed IP address), AAA allows each account Profile to be subscribed with a static IP address attribute.
When a terminal uses this account to access the network, the PDSN sets a special IPv4 attribute (Framed-IP-Address = 255.255.255.255) in the access request to ask AAA to authorize an IP address. If AAA judges that this account is local and not roaming, AAA authorizes the static IP address subscribed in the user profile to the PDSN.
When a user is on-line, the PDSN or AAA dynamically allocates a vacant IP address to the MS. This allocation mode is used to allocate IP addresses to on-line users when the number of users is larger than the IP address resource.
AAA supports dynamic IP address authorization: when a user accesses, it authorizes an IP address dynamically.
AAA can configure separate IP address pools for different types of users, so as to deploy independent IP address pools for public network, office network and VAS users, and realize IP isolation between different users.
The HA is in charge of mobility management for mobile IP and agent mobile IP. The HA locates mobile users according to MS registration information and forwards packet data to the user's currently registered FA (in the PDSN). For load balancing, several HAs can be deployed in the home zone.
When a mobile station uses MIP to access the network, it initiates MIP registration; after the HA receives the registration request, the home AAA authorizes the MN-HA key to it.
The MS needs to be allocated master/slave DNS server addresses during PPP session setup. AAA supports including a DNS server address VSA in the RADIUS Access-Accept message in response to the RADIUS log-on request from the PDSN or HA.
If the AAA server includes the DNS server IP address VSA, it should contain a master DNS server address and a slave DNS server address.
Applying the IPSec protocol to mobile IP provides an effective security service for mobile IP.
AAA supports authorizing IPSec attributes to the PDSN/HA, and an IKE pre-shared key distribution function. It receives a RADIUS Access-Request message from the PDSN that carries the IKE pre-shared key request attribute. When the user has the right to use the IPSec service, the home AAA server distributes a key label and an IKE pre-shared key to the PDSN in the pre-shared key and KeyID attributes of the RADIUS Access-Accept message. The HA should re-obtain the "S" key from the home AAA server to generate IKE. The lifecycle of this key is configurable; it is a home RADIUS local strategy and is based on the encryption level of the "S" key.
The PDSN takes on the PMIP FA function and provides agent mobile IP service for users with simple IP terminals. It keeps service continuous when users hand over between PDSN/FAs, initiates the mobile simple IP session on behalf of the MS, and sends the access request to AAA. After the authentication passes, AAA authorizes the user's PMIP service attributes according to the subscribed PMIP capability.
3.3 Accounting
AAA supports accounting models based on traffic flow and on session duration.
AAA supports the enhanced 3GPP2 packet prepaid standard. The standard introduces the SCP entity, which uniformly stores prepaid information for user audio, data and other services. The PPS gets prepaid account information from the SCP over the RADIUS interface. To simplify the network architecture and make uniform user management convenient, the ZXUN UniA system supports an integrated deployment of AAA and PPS, which uses the RADIUS interface to get prepaid account information from the SCP.
AAA supports the CCSA prepaid standard, which is the same as 3GPP2 packet prepaid: the network includes the PPS and SCP entities, the prepaid function is fulfilled by the PPS/SCP and the PDSN/PPC, and the HAAA is responsible for authentication and for transferring accounting information between the PPS/SCP and the PPC.
AAA supports the packet prepaid function of the fixed network system. There is no PPS or SCP entity in the network; the prepaid function is fulfilled by the HAAA and the PDSN/PPC. The HAAA authorizes the RADIUS standard attribute Session-Timeout (see RFC 2865), and the PDSN is responsible for checking the session time; when the time is up, the PDSN terminates the user's packet data service.
[Figure: PDSN connected to AAA over RADIUS; AAA connected to OCS over Diameter]
The PDSN and AAA interact using the RADIUS protocol, and the OCS uses the Diameter protocol; AAA can convert from the RADIUS protocol to the Diameter protocol.
Billing records are generated in the HAAA and, at the same time, in the visited AAA. AAA can also generate billing records according to the configuration.
AAA supports backing up the original billing records in two ways: database backup and file backup.
AAA supports NAI-based billing: when multiple IMSIs use the same private account for access, billing can be done per private account.
AAA supports IMSI-based billing, which bills each MS.
AAA sends the billing records to the billing center through the FTP interface.
When acting as an agent, AAA chooses the route based on the realm information in the RADIUS attribute User-Name. The routing information for each realm can be pre-configured in AAA.
If the RADIUS attribute User-Name in a RADIUS request does not include realm information, AAA, when forwarding as an agent, can select the route according to the IMSI carried in the RADIUS attribute Calling-Station-ID. The routing configuration for each IMSI prefix can be pre-configured in the AAA OMC.
AAA can forward a dynamic authorization message as an agent to the next destination according to the NAS in the dynamic authorization information.
AAA must transmit messages to the adjacent nodes, which include the OCS, PPS/SCP, WAP gateway and other AAAs.
AAA provides the following functions when testing adjacent nodes:
1 Testing the state of the OCS, PPS/SCP, WAP gateway and other AAAs, and raising alarms in time.
3 Links and services are resumed automatically when the status of the adjacent node recovers.
After receiving the PDSN accounting-start message, AAA forwards the message to the corresponding WAP gateway according to analysis of the user's MDN number and the configured relation between WAP gateway address and MDN number analysis.
When different WAP gateways use the same IP address, AAA can select the right WAP gateway to forward accounting information to according to the user's MDN attribute, and sends the information from the corresponding source IP address.
1 AAA can restrict the access type of an account (both public and private).
2 Based on realm L2TP VPN control, AAA can restrict L2TP VPN access according to the L2TP user's subscription attributes, as Visited AAA and as Home AAA.
When pre-paid users access for authentication and authorization, AAA analyzes the user MDN in the accounting information and forwards it to the home PPS/SCP for pre-paid request processing; the relation between PPS/SCP and MDN is configured in AAA.
AAA supports LNS IP address replacement control when forwarding Access-Accept: the old IP address is replaced with a new one.
AAA supports automatic binding between NAI and IMSI. On access authentication, if the terminal supplies the correct user name and password and the number of bound IMSIs does not exceed the designated number, the binding is established automatically and access is allowed.
AAA can restrict the IMSI scope of a VPN, and the VPN scope that an IMSI can access.
For VPN user access authentication, after the HAAA receives the access request, it authorizes the corresponding VPN attributes according to the bound VPN domain information.
A day can be divided into several periods, each defined as an access-allow or an access-reject period. When a user tries to connect to the network during an access-reject period, AAA rejects the user directly. When the user connects during an access-allow period, AAA allows access, authorizes the expiry time, and informs the NAS of the user's maximum session time.
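One way to implement the period check described above, as an added example (not ZXUN UniA code). The period table, the use of the Session-Timeout attribute to carry the expiry, and the treatment of periods that wrap past midnight are assumptions of this sketch.

```python
from datetime import datetime, time, timedelta

# Constructed policy for one account: access-allow periods as (start, end) in
# the AAA server's local time, end exclusive. Any other time of day falls in
# an access-reject period.
ALLOW_PERIODS = [(time(8, 0), time(12, 0)), (time(22, 0), time(2, 0))]


def period_end(now, start, end):
    """Return the datetime at which the period containing `now` ends, or None
    when `now` is outside the period. Handles periods that wrap past midnight."""
    t = now.time()
    today_end = datetime.combine(now.date(), end)
    if start <= end:
        return today_end if start <= t < end else None
    # Wrapping period such as 22:00-02:00.
    if t >= start:
        return today_end + timedelta(days=1)   # ends tomorrow morning
    if t < end:
        return today_end                       # started yesterday evening
    return None


def decide(now, periods=ALLOW_PERIODS):
    """Return (code, session_timeout). session_timeout is the number of whole
    seconds left in the allow period, suitable for a Session-Timeout value, so
    the NAS ends the session when the reject period begins."""
    for start, end in periods:
        ends_at = period_end(now, start, end)
        if ends_at is None:
            continue
        remaining = int((ends_at - now).total_seconds())
        if remaining < 1:
            # Under one second left: a zero timeout is ambiguous to a NAS,
            # so treat the boundary as already inside the reject period.
            return "Access-Reject", None
        return "Access-Accept", remaining
    return "Access-Reject", None


if __name__ == "__main__":
    for sample in (datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 12, 30),
                   datetime(2024, 1, 10, 23, 0)):
        print(sample, decide(sample))
```

Without the timeout, a session started one minute before the reject period would continue through it; tying the authorized session length to the period end is what makes the restriction hold after login.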
The AAA server supports a user lock function to reject user access. The lock modes include:
1 Account lock: that is, NAI lock. It prevents terminals from using this NAI account to access the network;
3 Association lock between account and IMSI: it prevents the designated IMSI from using the designated account to access the network.
If the access request includes specific IPv4 or IPv6 attributes or VSAs, AAA authorizes IPv4 or IPv6 attributes according to the user's subscription, such as Framed-Interface-Id and Framed-IPv6-Prefix.
For IPv6 reachability support, the home AAA requests the DNS server to create or delete resource records for IPv4 and IPv6.
3.6 Acceptance
Maintenance and management of user information require authority control: operators are assigned different authority levels to guarantee the safety of user information. For example, if a user loses the password, only an operator who holds the authority can reset it.
AAA can configure different authority for different operators, controlling which operators may open an account, cancel an account, make enquiries and reset passwords.
AAA provides a user-friendly interface that makes operations such as opening and cancelling accounts and making queries easier, so that user information can be managed and maintained.
Main processes: IMSI adding, IMSI modification, IMSI deleting, individual/batch enquiry of IMSI, AAA_NAI adding, AAA_NAI modification, AAA_NAI deleting, AAA_NAI rename, the relationship between IMSI and AAA_NAI, AAA_NAI enquiry, set up user password, IMSI card replacement, IMSI number changing, user password reset, NAI fuzzy enquiry and so on.
AAA supports opening accounts, cancelling accounts and updating user information in batch, giving simple, reliable and highly efficient management and maintenance. Batch processing includes text format and continuous number modes.
Text-format batch processing keeps a detailed record; from the record, the reason for a processing failure can be analyzed and a remedy applied in time. The main text batch operations are batch addition, batch modification and batch deletion.
1 AAA adopts the mode of two minicomputers or one PC server and one disk array. Normally one server is active and the other is standby, but the standby monitors the active server. When the active server fails, the standby server takes over as the active server.
3 AAA supports backup of original CDR files, with two optional modes: database backup and file backup.
4 AAA can collect alarm information, such as disk space full.
5 AAA adds a watchdog process that monitors all service processes and greatly enhances system reliability. When the master process exits abnormally, the watchdog process restarts the service process.
6 The batch file processing function of AAA logs unsuccessful acceptance records, and the failed records can be processed again.
The ZXUN UniA system can act as Visited AN-AAA, Broker AN-AAA and Home AN-AAA.
As a Broker AAA, it receives and forwards RADIUS messages from other AN-AAAs; generally, multiple AN-AAAs share one Broker AN-AAA to implement interaction among areas and networks.
AAA and AN-AAA can be deployed separately or integrated, which gives a flexible networking mode.
With CHAP authentication, the key information does not need to be sent over the communication channel, and the information exchanged is different each time, which effectively prevents interception attacks.
Current CDMA2000 1x R-UIM cards only support the CAVE algorithm. To ensure that hybrid terminal users with traditional CDMA2000 1x R-UIM cards can access the 1x EV-DO network, the 3GPP2 specification puts forward CHAP authentication based on the CAVE algorithm, so the AN-AAA should support the CAVE authentication algorithm. CAVE authentication adds interaction with the HLR/AC to the CHAP authentication flow in order to authenticate HRPD terminal equipment.
If users perform hardware authentication, the access request should carry the hardware ID (ESN/MEID). The AN-AAA verifies whether the hardware ID matches the local database; if it does, the AN-AAA proceeds with CHAP authentication, otherwise it refuses access.
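The hardware-ID check followed by CHAP verification, as an added example that is not the product's code. The subscriber record, NAI, secret and MEID are constructed sample values; the response calculation is the standard RADIUS CHAP form from RFC 2865 (MD5 over identifier, secret and challenge), not the CAVE-based variant.

```python
import hashlib
import hmac

# Constructed subscriber record; the NAI, secret and MEID are sample values.
SUBSCRIBERS = {
    "460030912345678@an.example": {
        "secret": b"constructed-shared-secret",
        "hardware_id": "A1000012345678",  # ESN/MEID on file; None disables the check
    },
}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response as carried in RADIUS (RFC 2865): MD5(id || secret || challenge).
    MD5 is what the protocol specifies; it is not a free choice of this example."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def terminal_reply(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What a terminal holding the secret sends back: identifier plus digest.
    The secret itself never appears on the wire."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_access(user_name, hardware_id, chap_password, challenge):
    """Return (accepted, reason) for one access request.

    chap_password: the 17-octet CHAP-Password value (identifier + 16-byte digest).
    challenge:     the CHAP challenge the AN issued for this attempt.
    """
    record = SUBSCRIBERS.get(user_name)
    if record is None:
        return False, "unknown-user"

    # Step 1: hardware authentication, performed before CHAP as the text describes.
    expected_hw = record["hardware_id"]
    if expected_hw is not None:
        if hardware_id is None or hardware_id.strip().upper() != expected_hw:
            return False, "hardware-id-mismatch"

    # Step 2: CHAP. Recompute the digest from the stored secret and compare in
    # constant time.
    if len(chap_password) != 17 or not challenge:
        return False, "malformed-chap"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, record["secret"], challenge)
    if not hmac.compare_digest(response, expected):
        return False, "chap-failed"
    return True, "accept"


if __name__ == "__main__":
    user = "460030912345678@an.example"
    secret = SUBSCRIBERS[user]["secret"]
    first, second = bytes(range(16)), bytes(range(16, 32))  # constructed challenges
    captured = terminal_reply(7, secret, first)
    print(verify_access(user, "A1000012345678", captured, first))
    # The same captured reply presented against a different challenge fails.
    print(verify_access(user, "A1000012345678", captured, second))
```

The replay resistance comes entirely from the challenge: it has to be unpredictable and used once, because a reply captured for one challenge is valid again whenever that challenge is reissued.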
When performing HRPD access authentication, if the user only stores an MEID and needs to be CAVE authenticated, the AN-AAA supports converting the MEID to a pESN (pseudo ESN) and sending it to the HLR for authentication.
The message interfaces on the wireless and network sides need the MNID (Mobile Node Identification); when the AN-AAA finishes authentication, it should return the AT's MNID to the AN.
When the AN-AAA supports HRPD access authentication, it can authorize the terminal MNID. In the AN-AAA system, the IMSI serves as the MN ID.
AN-AAA users belong to service groups; each group corresponds to one Profile module, which can pre-set authorized service attributes. When a user passes access authentication, the AN-AAA can authorize the user's corresponding Profile to the AN.
When acting as an agent, the AN-AAA chooses the route based on the realm information in the RADIUS attribute User-Name. The routing information for each realm can be pre-configured in the AN-AAA.
If the RADIUS attribute User-Name in a RADIUS request does not include realm information, the AN-AAA, when forwarding as an agent, can select the route according to the IMSI carried in the RADIUS attribute Calling-Station-ID. The routing configuration for each IMSI prefix can be pre-configured in the AN-AAA OMC.
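The agent routing decision described here for the AN-AAA, and earlier for the AAA, as an added example (not product code). The routing tables, realm names, IMSI prefixes and host names are constructed; longest-prefix matching and refusing to fall back to the IMSI when a realm is present but unknown are assumptions of this sketch.

```python
from typing import Optional, Tuple

# Constructed routing tables standing in for what would be pre-configured in
# the AAA / OMC. All realms, prefixes and host names are sample values.
REALM_ROUTES = {
    "home-operator.example": "haaa-1.example.net",
    "corp-vpn.example": "haaa-vpn.example.net",
}
IMSI_PREFIX_ROUTES = {
    "46003": "haaa-1.example.net",
    "4600309": "haaa-region9.example.net",
}


def extract_realm(user_name: str) -> Optional[str]:
    """Return the lower-cased realm of an NAI of the form user@realm, else None."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        return None
    return realm.lower()


def normalise_imsi(value: str) -> Optional[str]:
    """Accept only a plain ASCII digit string of plausible IMSI length."""
    digits = value.strip()
    if digits.isascii() and digits.isdigit() and 6 <= len(digits) <= 15:
        return digits
    return None


def select_route(attrs: dict) -> Tuple[Optional[str], str]:
    """Return (next_hop, reason). A next_hop of None means the request is not
    forwarded and should be answered locally (for instance rejected and logged)."""
    realm = extract_realm(attrs.get("User-Name", ""))
    if realm is not None:
        hop = REALM_ROUTES.get(realm)
        if hop is not None:
            return hop, "realm"
        # Assumption: a realm that is present but not configured is not
        # silently re-routed by IMSI; the IMSI path is only for realm-less names.
        return None, "unknown-realm"

    # RFC 2865 spells the attribute Calling-Station-Id.
    imsi = normalise_imsi(attrs.get("Calling-Station-Id", ""))
    if imsi is None:
        return None, "no-realm-no-imsi"
    # Longest configured prefix wins, so a regional entry overrides a national one.
    for length in range(len(imsi), 0, -1):
        hop = IMSI_PREFIX_ROUTES.get(imsi[:length])
        if hop is not None:
            return hop, "imsi-prefix"
    return None, "unknown-imsi-prefix"


if __name__ == "__main__":
    samples = [  # constructed requests
        {"User-Name": "alice@Home-Operator.example"},
        {"User-Name": "460030912345678", "Calling-Station-Id": "460030912345678"},
        {"User-Name": "bob@other.example", "Calling-Station-Id": "460030912345678"},
    ]
    for request in samples:
        print(request, "->", select_route(request))
```

Returning the reason alongside the next hop lets the proxy log why each request was forwarded or refused, which is what an operator needs when tracing a misrouted roaming authentication.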
The AN-AAA supports manually locking a user account. When an account is locked, the AN-AAA refuses access authentication and does not authorize. Account lock and unlock are handled from the acceptance table or manually through the accounting interface.
• E1 interface
• 100Base-TX/1000Base-TX interface
The X1 and X2 interfaces adopt the TCP/IP protocol; the stack is TCP/IP, ISO/IEC 802.2, ISO/IEC 802.3, and the ASN.1 standard is used to encode and decode packets.
The interface protocol model between AAA and LIC is shown in Figure 5:
[Figure 5: protocol stack shown on both the AAA side and the LIC side, top to bottom: LI Protocol, TCP, IP, Link Layer, PL]
The interface protocol model between the AN-AAA SS7 front PC and the HLR is shown in Figure 7.
[Figure 7: protocol stacks for the AN-AAA, the SS7 Front PC and the HLR. Layer labels: MAP, TM Support, TCAP, SCCP, MTP 3, MTP 2, MTP 1, TCP, IP]
Figure 7 Interface Protocol Model between AN-AAA SS7 Front PC and HLR
6 System Architecture
The AAA/AN-AAA system uses the IP-based RADIUS protocol to communicate with client terminals, supports large databases (MSSQL, ORACLE), and runs on several operating system platforms (Windows, SOLARIS). The system design provides excellent expandability and portability.
[Figure: system hardware architecture. External systems: PDSN, HA, OCS, PPS/SCP, BNAS, AGW, GGSN, WAP GW; ISPP/BOSS, Billing Center, EMS; HLR/AC. Network elements: IP Network, Router, firewall, E1, two Switches. Components shown: SS7 Front PC, Radius Server 1, Radius Server 2, Accounting Server 1, Accounting Server 2, AAA Agent Client, AAA OMM Server, AAA OMM Client, AAA DBIO & BOSS Interface, Alarm box, two disk arrays]
1 Radius Server
The Radius Server uses two minicomputers or PC servers and one disk array. One server is active (host) and the other is standby (reserve); the standby continuously monitors the operating status of the host and, if something goes wrong, takes over and works as host.
2 Accounting Server
The Accounting Server uses two PC servers (minicomputers) and one disk array. One server is active (host) and the other is standby (reserve); the standby continuously monitors the operating status of the host and, if something goes wrong, takes over and works as host.
The AAA local client terminal (acceptance table) processes local services. The hardware is a PC-compatible computer, and it provides local user management.
The AAA OMM system provides operation and maintenance services, including fault and configuration management, performance statistics, signaling tracing, log management and the network management interface.
The AAA OMM Client is the local network management client terminal for acceptance and operation.
It fulfills the AAA acceptance and database access functions, and also connects to the BOSS system to realize remote acceptance. The accounting interface server is a PC server that provides the accounting interface for remote service acceptance in the business hall.
7 SS7 Front PC
The SS7 front PC handles interaction between the AN-AAA and the HLR/AC. For example, when an HRPD terminal accesses the network using CAVE authentication, the AN-AAA needs to acquire the authentication vector from the HLR/AC.
8 Alarm box
[Figure: software sub-system structure. External systems: PDSN, AN, HA, GGSN, AGW, WAP Gate, PPS/SCP, BOSS. Labels: RADIUS service sub-system, Database sub-system, BOSS interface sub-system, MML, LI, SS7 interface, FTP]
It provides AAA for users and agent. For packet pre-paid service, the RADIUS service sub-system interacts with the OCS or PPS/SCP to get the user's packet pre-paid account information.
2 Database Sub-system
It includes user service subscription data, the backup accounting CDR database (optional) and the OMM database. The three databases can be deployed as one or separately.
3 Interception Sub-system
It is responsible for setting, modifying and deleting AAA interception targets for the LIC, and reports events to the LIC.
It provides an FTP server for the accounting center and supports retrieval of accounting CDR files.
It monitors the running status of AAA services. Once it detects an abnormality, it handles the abnormality and restarts the faulty sub-system as required.
7 Agent Sub-system
It provides a GUI to realize basic packet service management. It has a read/write interface with the database sub-system, and deletes or changes user subscription information according to GUI or BOSS interface instructions.
9 SS7 Front PC
The SS7 front PC handles interaction between the AN-AAA and the HLR/AC. For example, when an HRPD terminal accesses the network using CAVE authentication, the AN-AAA needs to acquire the authentication vector from the HLR/AC.
1 It supports controlling the number of accepted messages according to CPU load status: when system CPU usage exceeds the threshold, it discards some messages. The CPU load threshold can be configured in AAA/AN-AAA;
It ensures smooth operation through CPU load control and concurrent message control.
It refers to the number of requests that AAA can process per unit time (1 s). The authentication number depends on hardware and software.
2 Authentication time
It is a performance index for evaluating AAA authentication. It is the time from when RADIUS receives an authentication request and starts processing it to when the authentication answer is sent. The time also depends on hardware and software.
Note 1. The measured points for the working temperature and humidity in the equipment
room refer to the points 0.4 m in front of the equipment and 1.5m above the floor.
Note 2. The short-term working conditions mean that the continuous operating period
does not exceed 48 hours and the accumulative total period within a year does not
exceed 15 days.
Equipment shall not be exposed to lamplight or direct sunlight for a long time, to avoid aging or deformation of circuit boards and components as a result of the very high temperature caused by the lighting.
Fluorescent lamps embedded in the ceiling, with an average illumination of 150 lx–200 lx, should be the main lighting devices.
The fire water reserve should be sufficient for two hours, but the feed pipes (drainpipe, storm sewer) should not cross the equipment room, and no fire hydrant should be placed in it.
Smoke and high-temperature alarm devices should be installed and checked frequently.
The lightning protection design should cover protection against lightning strikes and against lightning intrusion. High-rise buildings should take measures against side strikes.
Side strikes are very common in areas with frequent thunderstorms. The design should adopt effective protection measures.
• The operator should wear a wrist strap, and it should be connected to the electrostatic discharge hole in the rack.
MTTR<30 mins.
2 Back alarm
3 Failure observation
AAA can grant different rights to different groups of users. A super-user can modify the rights of ordinary users.
2 SNMP Interface
Rights are pre-set according to user ID; users are divided into system administrators and ordinary users according to ID. System administrators have absolute rights: they can do anything except modify the user name and role name; the system administrator cannot be locked and can log in without IP address restriction. Ordinary users can only query their own information or modify their own passwords.
1 Log-in
It verifies user information, such as password, user name and operation period, and restricts or locks some users from accessing.
2 Security authentication
It is used to check whether the user holds certain operating rights.
After the user ID, command and operation object parameters are input, it checks whether the user has these rights.
The system has already divided commands into types according to NE service function type and operating mode. After users select a target NE type and one command type of this NE, they can view all commands belonging to this command type; this is open to all users.
It includes the following functions: setting the password length and validity period, whether to lock accounts and the unlock rules, and allowing the system administrator to customize user account rules.
10 Abbreviation
Table 5 Abbreviation