TL;DR: In this paper, the authors describe a way to extend Mobile IP Authentication Authorization and Accounting (AAA) signaling to enable a node to request from a network operator combinations of home and local service capabilities (when roaming) in an efficient and scalable manner.
Abstract: This document describes a way to extend Mobile IP Authentication Authorization and Accounting (AAA) signaling to enable a node to request from a network operator combinations of home and local service capabilities (when roaming) in an efficient and scalable manner. It also enables the home and foreign service providers to constrain and account for actual services provided based on a combination of the foreign and home operator policy.
TL;DR: In this paper, a system and method for authenticating and authorizing user access to a computer network is described, which consists of a plurality of Authentication transport protocol modules that interface with one or more clients using a native authentication transport protocol.
Abstract: A system and method for authenticating and authorizing user access to a computer network. An AAA server comprises a plurality of Authentication transport protocol modules that interface with one or more clients using a native authentication transport protocol. The AAA server is coupled with a DBMS system that stores user authentication, authorization and accounting information in a standard format. Authentication and authorization are performed using a five-phase process comprising the phases: Augmentation; Selection; Authentication; Authorization and Confirmation. During the Augmentation phase, client requests are translated into a standard internal format. The requests are parsed into a set of attribute/value pairs according to a parse rules table. In the Selection phase, the AAA server determines the details of the access request and identifies the permit required to authorize access. A rules table is used, wherein a particular row in the rules table is selected according to the attribute/value pairs from the Augmentation phase. The rules table provides the necessary details for the AAA server to formulate a proper response to the client. In the Authentication phase, the AAA server determines if the login information provided by the user matches information stored in the user record. In the Authorization phase, the AAA server determines if the user is authorized to access the requested service by determining if the permit retrieved in the Selection phase matches the permit stored in the user database. In the Confirmation phase, the AAA server determines if a port limit has been exceeded and checks the client request for inconsistencies.
TL;DR: In this paper, a protocol gateway is used to determine if the incoming user is a wholesale or retail user, and the PGW filters the domain portion of the access request to locate a remote AAA service.
Abstract: A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine if the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the proxy service to proxy it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found, the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA server. The PGW may monitor more than one proxy and/or AAA service and load balance among them.
TL;DR: In this article, a Service Selection Gateway (SSG) server is introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server, which intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS.
Abstract: A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.
TL;DR: This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting services in the Network Access Server (NAS) environment that includes the RADIUS attribute space to eliminate the need to perform many attribute translations.
Abstract: This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting services in the Network Access Server (NAS) environment; it obsoletes RFC 4005. When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements.