8950 AAA 6.6.3 Release Notes
Last revised: August 13, 2010
Product Name Change
The VitalAAA product has been rebranded as 8950 AAA. The product was also
known as NavisRadius.
Java Version
8950 AAA requires Java 2 Standard Edition (J2SE) version 6.0 (also known as
version 1.6.0) or later to run on all platforms. Both the J2SE JDK and the
JRE are supported. Please see http://java.sun.com
to get the latest version of Java.
64-bit Operating Systems
Several of the supported operating systems have 64-bit versions. Currently 8950 AAA has full 64-bit
support on Solaris (both SPARC and x86), Linux on x64, and Microsoft Windows.
The following limitations exist when using a 64-bit JVM on an unsupported platform:
- GetPWNam does not work on Unix systems (except Solaris and Linux).
- Kill does not work (except Solaris, Linux and Windows).
Contents
These release notes are intended for 8950 AAA 6 programmers and administrators. They cover the following information:
These release notes supersede all other included
documentation for the 8950 AAA product. Further information can
be found at http://www.8950aaa.com/.
8950 AAA 6.6.0 includes the following features:
- Added support for digest authentication with AKAv1 algorithms per RFC 3310.
- Allow the configuration of which 'supported-vendor-id' AVPs are sent in the Diameter CER/CEA exchange.
8950 AAA 6.5.0 includes the following features:
- Now supports LDAP workflow injection. This allows one to write a policyFlow
that processes an LDAP request. Possible uses include proxying and protocol conversion.
- TAL: Support reference indirection. Each addition of a '$' to the
reference adds a level of indirection. The indirect value may be
either the full reference or the id list.
8950 AAA 6.4.0 includes the following features:
- Add a 'binary packing' feature to the USS2, which reduces both the memory footprint and the object count needed to record entries.
- Add a light-weight alert monitoring system that can inform the operator when certain conditions have been exceeded.
Any variable available through the statistics collector can be monitored this way.
8950 AAA 6.3.0 includes the following features:
- Now supports the 64-bit Java Virtual Machine (JVM) on Linux hosted on AMD/Intel platforms.
- USS2 Resource Broker:
A major feature was added to 8950 AAA in 6.3 called the USS2 Resource Broker.
The Broker is a function that manages the allotment of resources to a set of USS2 clients.
Currently, there are two types of resources that can be managed: prefixes and counter limits.
As part of this implementation, USS2 is integrated with the current IPAMv2 to allow USS2 to allocate IP prefixes.
The USS2 IPAMv2 client allocates "chunks" from the broker,
and the AAA clients subsequently allocate physical prefixes from the USS2 IPAMv2.
- IPAM Configuration Support:
This feature will allow the customer to configure the current IPAM module within the USS2.
The goal is to move this functionality from the PolicyServer, which uses LDAP as the update protocol,
to reside within the Config Server, where it is accessed using either SOAP or the command line.
Support for SOAP within the Config Server requires including our Tomcat feature within this process.
- Diameter State Model For USS2:
This feature enhances the Diameter workflow that is needed for USS2 functionality.
The primary difference between the 'diameter' and 'radius' state models is that, unlike 'radius', the 'diameter' model is not driven by accounting events.
Instead, 'Session-Terminate' and 'Re-Auth' messages are used.
- WiMAX W4.2 Support Ph 1:
Release 6.3.0 provides improvements to our ALU WiMAX W4 solution to provide basic support for release W4.2 features, including roaming and wholesale deployments.
In addition, our ALU WiMAX W4 solution was redesigned to allow additional flexibility in selecting different policies based on data received in requests.
- WiMAX Assistant for W3:
This feature will add the functionality of the current 6.2.0 W4 PolicyFlow to the WiMAX Assistant.
The WiMAX Assistant now supports EAP-SIM and EAP-AKA.
- WiMAX migration:
The purpose of this feature is to automate the migration from our 8950 AAA W3 and W4 Standalone solutions to the new WiMAX Assistant, and to migrate W4 Compact WAC solutions to the latest W4 Compact WAC solution. This migration includes migration of multiple property files, the database schema, the User Provisioning system, and the SMT and Setup program UI.
- Remote Configuration:
Release 6.3.0 provides enhancements to the Remote Configuration feature: the ability to notify slave servers to update their configuration, server startup optimizations, and SMT integration enhancements.
- User Provisioning System:
Release 6.3.0 provides enhancements to the web-based User Provisioning System to allow better administrative control of User and Device records, and better validation of Users, Devices and Services.
- Motive Integration:
The Motive Integration feature will allow the Motive Device Provisioning Server and 8950 AAA to work with each other,
specifically to support WiMAX Over-The-Air (OTA) Device Management.
A custom notification protocol will need to be designed and implemented to allow the Motive Device Provisioning Server
to register for network status events for specific WiMAX devices, so that these devices can be reconfigured over the air.
Also required is the provisioning of new WiMAX devices that have not yet been provisioned, along with the new subscriber data entered into the AAA database by the Motive subscription portal.
- USS Trigger Support: Allow per-model trigger handlers.
Plug-in Changes:
- Iterate plug-in: Make the Iterate-Method property optional.
- ReadPropertyFile plug-in: Allow multiple occurrences of the same property.
- ReadUserFile, ReadPropertyFile, ReadStanzaText plug-ins: Add a property 'CacheMap' that allows a hook to manipulate the file data as it is cached for later use.
8950 AAA 6.2.0 includes the following features:
- Diameter can now be transported over SCTP or TLS/SCTP.
- The internal database (Derby) now supports a replicated (redundant)
deployment model.
- The WiMAX Assistant solution has been added. A solution is a policy
flow plus a supporting GUI for configuration. This solution is intended to
address the RAN share problem, and to simplify configuration of the older
W3 policy flow.
- The radius tool has been re-architected to allow better utilization of
multi-CPU hardware, and to allow alternative authentication types within
the NasLoad scenario.
8950 AAA 6.1.5 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.4 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.3 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.2 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 1 delivery.
- Remainder of the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.1 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 1 milestone.
- Portions of the WiMAX W4.1 pkg 2 milestone.
- A custom dictionary that will not be overwritten during an
upgrade install.
8950 AAA 6.1.0 includes the following features:
- The WiMAX W4.1 pkg 1 milestone.
- A graphic interface to the WiMAX W3 policy set.
8950 AAA 6.0.0 includes the following features:
- USSv2 now available. This second generation USS supports an active/active
deployment scenario, and allows multiple instances of the session database.
- Remote Configuration file load available. Allows centralizing of server
configuration.
- Derby has replaced Hypersonic as the embedded database.
- Tomcat server container technology has been integrated into the
policy server.
- A web-based user provisioning feature is available.
- The PolicyAssistant now supports a more general rule-based policy
selection phase.
- Alcatel-Lucent WiMAX support is now more fully integrated.
- SMT PolicyFlow editor enhancements.
- SMT->Server and HA-USS replica connections can be secured using TLS.
- Windows UAC (User Access Control) issues.
Installing AAA using setup.exe always prompts for UAC elevation, which is needed to install the services.
Installing using setup.bat does not prompt for elevation and therefore fails to install the service on
Windows Vista, 7, and Server 2008.
To start or stop services from the SMT, either start the SMT using
aaa-smt from an elevated console window, or use pwaaa-smt.
- SCR-6151 - USSv2: Race condition on repeating keys. If repeating
session keys are used for USSv2 entries, it is recommended that inactive timeouts not be used on multi-node setups.
If a session key is being reused on one node while a deletion event is occurring on another node,
both events may be replicated and processed in a different order on other nodes.
- SCR-6160 - USSv2: On shutdown, replication is not stopped, so persisted data is incorrect.
At this time shutdown persistence is not recommended, as the last sync time will not match
the persisted file.
- SCR-6162 - USS2: If acknowledged entries are not written to disk, then resync is not correct.
Persistence should only be used on systems where the disk I/O subsystem can keep up with all
data and not allow the persistence queue to fill. Windows NTFS and some older ufs file
systems appear unable to do random file access under high load.
- SCR-6138 - USSv2: Shutdown after persistence overflow takes a long time. If the file system
is not able to keep up with the rate needed for persistence and the persistence queue
overflows, server shutdown may take a long time while the persistence queue empties.
- SCR-6053 - Reports: Cannot generate reports for data in files based on method names that
contain "_" characters.
- SCR-5777 - USS2 RADIUS state model server statistics are not reset by the reset button in the SMT.
- USS2 IPAM may fail auth requests if one of the pools in a pool-selector is disabled.
- The left-hand-side assignment of IP prefixes used during IP Address handover scenarios in
USS2 IPAM doesn't work.
- Modified Granularity value not always honored.
- USS2 commands are not available if USS2 is not active.
This initial Diameter release has some limitations that may be removed in
subsequent releases.
- TCP/IP and TLS/TCP/IP are the only transports generally available.
SCTP/IP and TLS/SCTP/IP are available only on Solaris 10 systems.
Any of these transports can be run over IPSEC, if available.
- Dynamic peer discovery is not supported.
In versions of VitalAAA (NavisRadius) before 5.0, the StateServer plug-in
automatically copied a few attributes into the USS entry, even if they
were not specified in the requestMap property. In 5.0, in order to
accommodate the new Diameter feature, only entries explicitly in the
requestMap will be copied.
The upgrade process will automatically convert the requestMap if
converting from a pre-5.0 version.
The attributes involved are Acct-Status-Type,
Acct-Session-Id, and Acct-Delay-Time.
- The RADIUS clients file has been renamed
'radius_clients', and is now in the user file format, rather
than the traditional columnar format.
- The TACACS+ clients file has been added as
'tacacsplus_clients', and is in the same format as
'radius_clients'.
- The admin interface command 'file reload clients' retains the
ability to read the old-format RADIUS clients file
'clients'.
- The Diameter peers file has been renamed
'diameter_peers'. This file has always been in the user file
format.
Before VitalAAA release 5.2.7, the default value used in calculating
MS-CHAP2-Response was ${packet.base-user-name}. This value was fine if
the user-name was EXAMPLE\bob, but is not correct if the user-name is in the form
bob@example.com. Testing with the Microsoft IAS RADIUS server showed that
user names with a realm must be used 'as is' in the calculation of
MS-CHAP2-Response. In VitalAAA release 5.2.7, the default value for the
method property AuthLocal-UserName was changed to ${request.user-name},
and the AuthLocal-StripMsDomain method property was added to strip DOMAIN\
from the value provided by AuthLocal-UserName. The default for the
AuthLocal-StripMsDomain method property is true. If upgrading to release
5.2.7 breaks existing policies, the old behavior can be restored by setting
AuthLocal-UserName to ${packet.base-user-name} and
AuthLocal-StripMsDomain to false. The change in calculating
MS-CHAP2-Response in VitalAAA release 5.2.7 should also match how
FreeRADIUS generates MS-CHAP2-Response when authenticating users.
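As an added illustration of why the 5.2.7 change matters (example code, not part of 8950 AAA or of these notes): the MS-CHAPv2 ChallengeHash from RFC 2759 is computed over the user name, so whether the server strips 'DOMAIN\' or keeps '@realm' decides whether its NT-Response check can agree with the client's. The strip_ms_domain helper is a model of the AuthLocal-StripMsDomain behaviour described above, the RFC 2759 test vector is used as a known answer, and the client-side name choices in hashes_agree are assumptions drawn from the IAS observation in the text.

```python
import hashlib

# Known-answer vector from RFC 2759 section 9.2 (inputs taken from the RFC, not from these notes).
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_EXPECTED_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def strip_ms_domain(user_name: str, enabled: bool = True) -> str:
    """Model of AuthLocal-StripMsDomain: drop a leading 'DOMAIN\\' prefix.
    A realm suffix such as '@example.com' is deliberately left in place,
    matching the 5.2.7 behaviour described in the notes."""
    if enabled and "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii")).digest()
    return digest[:8]


def hashes_agree(name_used_by_client: str, name_used_by_server: str) -> bool:
    """True when client and server feed the same name into ChallengeHash, which is a
    precondition for the NT-Response to verify. Challenges are constructed sample values."""
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    return challenge_hash(peer, auth, name_used_by_client) == challenge_hash(peer, auth, name_used_by_server)


if __name__ == "__main__":
    print(challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "User").hex().upper())
    # Windows client hashes 'bob' for EXAMPLE\bob, so stripping the domain is what lets them agree.
    print(hashes_agree("bob", strip_ms_domain("EXAMPLE\\bob")))
    # A realm-qualified name is hashed as-is by the client; the server must keep it whole.
    print(hashes_agree("bob@example.com", strip_ms_domain("bob@example.com")))
    print(hashes_agree("bob@example.com", "bob"))
```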