Since the appearance of network, the Authentication, Authorization and Accounting (AAA) system has been the foundation of network operation. The use of all kinds of resources in network should be managed by authorization, authentication, and accounting, wherein:
Authentication refers to the verification of subscriber identity when the subscriber uses resource in the network system. During the process, the subscriber identity information (e.g., acquisition of combination of user name—password, and biological characteristics, etc.) is obtained through intercommunication with the subscriber; then the information is submitted to the authentication server (AAA server 3), which verifies and processes the identity information and the subscriber information stored in the database and verify whether the subscriber identity is correct according to the processing result. For example, the GSM mobile communication system can identify network terminal IDs and user IDs in the network.
Authorization refers that the network system authorizes a subscriber to use the resource in it in a specific manner. This process specifies the available services and right (e.g., allocated IP address, etc.) of the subscriber after the subscriber logs in the network. For example, in the case of a GSM mobile communication system, the service right (whether international telephone call service is available, etc.) of an authenticated legal subscriber is defined in the agreement between the subscriber and the operator.
Accounting refers that the network system collects and records subscriber's use of network resources, so as to charge the subscriber for resource use or for auditing purpose, etc. For example, in the case of an Internet Service Provider (ISP), the subscriber's network access and use activities can be recorded accurately by traffic or by time.
To use services provided by the network normally, a network subscriber has to possess the access capability to network resources (i.e., network infrastructure) and network service resources. Therefore, AAA is required on two layers: on the layer of network resources, authentication, authorization and accounting of the subscriber is performed by an Internet Access Providers (IAP); on the layer of network service, authentication, authorization and accounting of the subscriber is performed by an ISP.
There are two classes of services in current network: the first class involves common data services, such as Web access, FTP (File Transfer Protocol), and e-mail, etc; this class of services is provided by ISPs in a free of charge manner (income is earned on advertisements, or the services are used internally in the organization); accordingly, for Internet access providers, accounting is basically performed by traffic, duration, or combination of both; the authentication of subscriber identity is accomplished by AAA facilities of network infrastructure providers at the edge of network; in addition, there is no service-related identity authentication, authorization and accounting. This class of services usually has low requirements for Quality of Service (QoS), and the requirements can be met by the network through forwarding data in best-effort delivery mode; due to the low degree of coupling between the services and the network, subscribers are only charged for network access by the network infrastructure providers. For ISPs, the cost of provision of services can be covered through charging for advertisements, providing authentication and accounting at service providing locations, or providing service for own organizations.
The second class in the network involves services requiring QoS assurance, such as IP Phone, NGN (Next Generation Network, Videoconference, Online Broadcast/TV and VOD (Video On Demand), etc; this class of services requires the network to provide different levels of QoS protection; otherwise such services can't be provided normally. Due to the special requirements for network resources, cooperation with Internet access providers is required to provide such a class of services. At present, a basic pattern of providing this class of services is: set up an independent network that provides only this class of services and bind services and network access together, such as VoIP (Voice over IP).
At present, the AAA technology usually uses RADIUS (Remote Authentication Dial-In User Service) protocol as the back end protocol (protocol between Network Access Server (NAS) 2 and AAA server 3), and a corresponding technology is used as the front end protocol (protocol between the subscriber device and NAS) according to the access technology, for example, in Ethernet and WLAN (Wireless LAN), 802.1x is used as the front end protocol. The existing AAA frame structure is shown in FIG. 1: when receiving a connection request from the subscriber device 1, the access server 2 (i.e., NAS) encapsulates the request message into a protocol message supported by the AAA server 3, and then sends the message to the AAA server 3; Through many times of intercommunication between the subscriber device 1 and the AAA server 3, the AAA server 3 sends an instruction for permitting subscriber access to the access server 2. In this way, the authorized subscriber device 1 can access the network 4.
In the above solution, for the first class of services, the network per se cannot control the services; instead, it can control only the access. For the second class of services, the service access control is combined with the access control, and the Access Server 2 is both the EP (enhanced point, a device that performs access control) for network access and the EP for service access; therefore, the categories of services that can be provided in the network are limited; in addition, if a new second class of services are to be provided in the network, the Access Server 2 and the AAA server 3 have to be upgraded, e.g., in the case of VoIP.
Another possible solution is to separate service access from network access completely, i.e., both the service provider and Internet access provider have their own AAA server 3 and facilities respectively, so that subscriber authentication, authorization, and accounting are separated from each other.
However, it is difficult to assure QoS since service is separated completely from network. In addition, the subscribers have to maintain multiple sets of identity information, and there are multiple AAA facilities in the network, resulting in degraded accessibility. Particularly, when the Internet access provider and the service provider are not the same entity, it is more inconvenient for settlement.