Lucent 8950 AAA™ version 5.1 provides lawful intercept functionality to support court-ordered monitoring of data communications. 8950 AAA™ receives target administrative messages from an external provisioning client, sends intercept related information (IRI) messages to an external server, and returns the address and port of a content collection server to a network access server. 8950 AAA™ uses a proprietary ASN.1 protocol for administrative and IRI messages. Lucent partner SS8 Networks™ supports this proprietary protocol and provides provisioning as well as data collection services for an 8950 AAA™ server. Three functional areas were added for lawful intercept support: the Lawful Intercept Target Manager, the Lawful Intercept Plug-in, and the Lawful Intercept Administration Listener.
The Lawful Intercept Target Manager manages a database of targets requiring data collection. A target is identified by the MSISDN of the device or the IMSI of the subscriber account. Data collection for a target includes information related to the start and end of data sessions and may include the actual data transferred during the session. 8950 AAA™ can collect the session start and end information based on the RADIUS requests it receives. Since 8950 AAA™ does not see session data, it must notify the network access server to collect session data. Notification occurs by sending vendor-specific attributes to the network access server which identify a network address to send call content (CC) messages to. Targets are stored in memory and in an encrypted file to allow persistence across reboots. The 16-byte key used to encrypt the file should be unique per installation and is stored as a hexadecimal value in the Lawful_Intercept_Target_File_Key security property. Target data can be manipulated by administrative messages received by the Lawful Intercept Administration Listener or by li commands sent to the telnet or ssh administrative interfaces. In practice, administrative commands will be received from a provisioning system; the li commands are provided for testing when a provisioning system is not available.
Example of adding a target through the admin interface:
900 Login required.
login admin admin
102 2 records.
Alcatel-Lucent 8950 AAA PolicyServer
Copyright (c) 2006-2008 Alcatel-Lucent. Inc. All rights reserved.
==> li
204 7 records.
Command ambiguous: try one of
li add - lawful intercept add target
li delete - lawful intercept delete target
li list - lawful intercept list targets
li modify - lawful intercept modify target
li reset - lawful intercept rest targets
==> li add
202 Usage: li add msisdn | imsi <target_identity> iri_only | iri_and_cc [<cc_address> <cc_port>]
==> li add msisdn 012345678901234 iri_and_cc 123.123.123.123 456
101 Target added
==> li list
103 Multi-line response follows.
identityType=0, identity=9110325476981032F4, interceptType=1, ccAddress=123.123.123.123, ccPort=456, isActive=false, offset=512
identityType=0, identity=9121436500000000F6, interceptType=1, ccAddress=123.123.123.123, ccPort=456, isActive=false, offset=0
100 Ok.
==>
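The identity values in the li list output above are not the digits typed into li add. The following is an added example, not part of the product documentation: it decodes those values back to digits so a provisioned target list can be reconciled against an authorized list. The encoding (a leading 0x91 byte followed by swapped-nibble BCD with an F filler) is an assumption inferred from the two sample values on this page, and all function names are hypothetical.

```python
import re

# Assumption inferred from the two samples on this page: one leading byte
# (0x91 in both) followed by the digits as swapped-nibble BCD, with an 'F'
# filler nibble when the digit count is odd.
PREFIX = "91"

def _swap_pairs(s):
    """Swap the two hex characters of every byte."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))

def encode_identity(digits):
    """Digits as typed into 'li add' -> identity string shown by 'li list'."""
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("identity must be decimal digits")
    return PREFIX + _swap_pairs(digits + ("F" if len(digits) % 2 else ""))

def decode_identity(identity):
    """Identity string from 'li list' or an IRI trace -> decimal digits."""
    identity = identity.upper()
    if not re.fullmatch(PREFIX + r"(?:[0-9A-F]{2})+", identity):
        raise ValueError("unexpected identity format: %r" % identity)
    digits = _swap_pairs(identity[len(PREFIX):])
    if digits.endswith("F"):  # the filler is only valid as the last nibble
        digits = digits[:-1]
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("non-digit nibble in identity: %r" % identity)
    return digits

def parse_li_list(text):
    """Parse 'li list' response lines into dicts, adding a decoded 'digits' key."""
    targets = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=([^,\s]+)", line))
        if "identity" in fields:  # skips status lines such as '100 Ok.'
            fields["digits"] = decode_identity(fields["identity"])
            targets.append(fields)
    return targets

def unexpected_targets(text, authorized_digits):
    """Return provisioned identities that are not on the authorized list."""
    return [t["digits"] for t in parse_li_list(text)
            if t["digits"] not in authorized_digits]

# The two entries from the li list output on this page (wrapped lines rejoined).
SAMPLE = """\
103 Multi-line response follows.
identityType=0, identity=9110325476981032F4, interceptType=1, ccAddress=123.123.123.123, ccPort=456, isActive=false, offset=512
identityType=0, identity=9121436500000000F6, interceptType=1, ccAddress=123.123.123.123, ccPort=456, isActive=false, offset=0
100 Ok.
"""

if __name__ == "__main__":
    for t in parse_li_list(SAMPLE):
        print(t["digits"], t["ccAddress"], t["ccPort"], t["isActive"])
    # Constructed authorized list: only the first identity is expected.
    print(unexpected_targets(SAMPLE, {"012345678901234"}))
```

The second decoded value is the Calling-Station-Id used by the target test cases in the trace further down.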
The Lawful Intercept Plug-in checks whether a request is from a target. For a target, it sends IRI messages to the specified IRI server and, if call content collection is specified for the target, returns the address and port of the server that receives call content messages. The plug-in needs to be used for authentication as well as accounting requests.
For more information see the plug-in reference documentation:
The Lawful Intercept Administration Listener allows an external client to connect and manage entries in the target database. The protocol used by the listener is a Lucent proprietary interface. This interface supports adding, deleting, modifying, and listing targets in the target database. To enable the Lawful Intercept Listener, the Lawful_Intercept_Admin_Address server property must be set to an address:port value or just a port value.
A simple sample used to demonstrate the new lawful intercept features is included in the run/samples/lawful-intercept directory. The sample is just the quick-start sample with the addition of the LawfulIntercept plug-in. Included with the sample is an Ant build.xml file which can be used with aaa-ant to test the sample. Several requirements must be met for the sample to work:
Lawful_Intercept_Target_File_Key security property to a 32 hexadecimal character value (16 bytes).
Lawful_Intercept_Admin_Address.
127.0.0.1:9876. If you want to send IRI messages to an alternate address, the aaa.pf file copied from the lawful-intercept directory will need to be changed.
aaa-exec com.lucent.aaa.li.LawfulInterceptIriServer -address 127.0.0.1:9876 -loglevel debug
Below is a trace of testing the sample:
C:\va\run>..\bin\aaa-ant
Unable to locate tools.jar. Expected to find it in C:\Program Files\Java\jre1.5.0_07\lib\tools.jar
Buildfile: build.xml
tasks:
start-iri-server:
load-target-data:
[adminclient] Statistic Value
[adminclient] --------- -----
[adminclient] requests 1
[adminclient] responses 1
[adminclient] errors 0
[adminclient] ACK_SINGLE 1
[adminclient] transactionCount 1
[adminclient] elapsedTime 31
[adminclient] transPerSec 32.25806451612903
[adminclient] secsPerTran 0.031
[adminclient] Result-Text = 101 Targets reset
[adminclient] Result-Code = 101 (ACK_SINGLE)
[adminclient] Statistic Value
[adminclient] --------- -----
[adminclient] requests 1
[adminclient] responses 1
[adminclient] errors 0
[adminclient] ACK_SINGLE 1
[adminclient] transactionCount 1
[adminclient] elapsedTime 31
[adminclient] transPerSec 32.25806451612903
[adminclient] secsPerTran 0.031
[adminclient] Result-Text = 101 Target added
[adminclient] Result-Code = 101 (ACK_SINGLE)
all:
tasks:
start-iri-server:
load-target-data:
radius-test-msisdn-is-target:
[newradiusclient] Xmit: Access-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] User-Password = "testing"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000006"
[newradiusclient] Call to processAccept with /127.0.0.1:1351
[newradiusclient] Processing 71 byte message...
[newradiusclient] Recv: Access-Accept after 360 ms.
[newradiusclient] Service-Type = Framed-User
[newradiusclient] Framed-Protocol = PPP
[newradiusclient] Framed-IP-Address = 192.168.10.6
[newradiusclient] Framed-IP-Netmask = 255.255.255.255
[newradiusclient] Framed-Routing = Broadcast-Listen
[newradiusclient] Filter-Id = "std.ppp"
[newradiusclient] Framed-MTU = 1500
[newradiusclient] Framed-Compression = Van-Jacobson-TCP-IP
[newradiusclient] Lucent-AAA-DF-CC-Address = 123.123.123.123
[newradiusclient] Lucent-AAA-DF-CC-Port = 456
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Access-Accept 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 359
[newradiusclient] transPerSec 2.785515320334262
[newradiusclient] secsPerTran 0.359
[newradiusclient] TEST SUCCESS: RADIUS-AUTH
[newradiusclient] Xmit: Accounting-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000006"
[newradiusclient] Acct-Session-Id = "USS-006"
[newradiusclient] Acct-Status-Type = Start
[newradiusclient] 3GPP-Charging-Id = 1234567890
[newradiusclient] Framed-IP-Address = 135.140.160.100
[newradiusclient] Recv: Accounting-Response after 78 ms.
[newradiusclient] Lucent-AAA-DF-CC-Address = 123.123.123.123
[newradiusclient] Lucent-AAA-DF-CC-Port = 456
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Accounting-Response 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 63
[newradiusclient] transPerSec 15.873015873015873
[newradiusclient] secsPerTran 0.063
[newradiusclient] TEST SUCCESS: RADIUS-START
[newradiusclient] Xmit: Accounting-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000006"
[newradiusclient] Acct-Session-Id = "USS-006"
[newradiusclient] Acct-Status-Type = Interim-Update
[newradiusclient] 3GPP-Charging-Id = 1234567890
[newradiusclient] Framed-IP-Address = 135.140.160.100
[newradiusclient] Recv: Accounting-Response after 0 ms.
[newradiusclient] Lucent-AAA-DF-CC-Address = 123.123.123.123
[newradiusclient] Lucent-AAA-DF-CC-Port = 456
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Accounting-Response 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 16
[newradiusclient] transPerSec 62.5
[newradiusclient] secsPerTran 0.016
[newradiusclient] TEST SUCCESS: RADIUS-INTERIM
[newradiusclient] Xmit: Accounting-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000006"
[newradiusclient] Acct-Session-Id = "USS-006"
[newradiusclient] Acct-Status-Type = Stop
[newradiusclient] 3GPP-Charging-Id = 1234567890
[newradiusclient] Framed-IP-Address = 135.140.160.100
[newradiusclient] Message decoded as:
[newradiusclient] value LIMessage ::= iriMessage : attach : {
[newradiusclient] targetIdentity {
[newradiusclient] msisdn '9121436500000000F6'H
[newradiusclient] },
[newradiusclient] timeStamp generalizedTime : "20060821153607.693Z",
[newradiusclient] cgiorlai '0000000000'H,
[newradiusclient] routingAreaCode '00'H,
[newradiusclient] serviceAreaCode '0000'H,
[newradiusclient] reason 0,
[newradiusclient] iapSystemIdentity "VitalAAA"
[newradiusclient] }
[newradiusclient] Processing 129 byte message...
[newradiusclient] Recv: Accounting-Response after 47 ms.
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Accounting-Response 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 47
[newradiusclient] transPerSec 21.27659574468085
[newradiusclient] secsPerTran 0.047
[newradiusclient] TEST SUCCESS: RADIUS-STOP
Message decoded as:
value LIMessage ::= iriMessage : contextActivation : {
targetIdentity {
msisdn '9121436500000000F6'H
},
timeStamp generalizedTime : "20060821153607.896Z",
observedPartyAddr iPAddress : "135.140.160.100",
correlationNumb {
chargingId 1217790418,
ggsnAddress "10.1.1.1"
},
accessPointName "ap1.example.com",
pdpType '0121'H,
cgiorlai '0000000000'H,
routingAreaCode '00'H,
serviceAreaCode '0000'H,
sessionInitiator originating-Target,
iapSystemIdentity "VitalAAA"
}
Message decoded as:
value LIMessage ::= iriMessage : contextDeactivation : {
targetIdentity {
msisdn '9121436500000000F6'H
},
observedPartyAddr iPAddress : "135.140.160.100",
timeStamp generalizedTime : "20060821153608.036Z",
correlationNumb {
chargingId 1217790418,
ggsnAddress "10.1.1.1"
},
accessPointName "ap1.example.com",
cgiorlai '0000000000'H,
routingAreaCode '00'H,
serviceAreaCode '0000'H,
iapSystemIdentity "VitalAAA"
}
Processing 68 byte message...
Message decoded as:
value LIMessage ::= iriMessage : detach : {
targetIdentity {
msisdn '9121436500000000F6'H
},
timeStamp generalizedTime : "20060821153608.036Z",
cgiorlai '0000000000'H,
routingAreaCode '00'H,
serviceAreaCode '0000'H,
iapSystemIdentity "VitalAAA"
}
tasks:
start-iri-server:
load-target-data:
radius-test-msisdn-is-not-target:
[newradiusclient] Xmit: Access-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] User-Password = "testing"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000007"
[newradiusclient] Recv: Access-Accept after 0 ms.
[newradiusclient] Service-Type = Framed-User
[newradiusclient] Framed-Protocol = PPP
[newradiusclient] Framed-IP-Address = 192.168.10.6
[newradiusclient] Framed-IP-Netmask = 255.255.255.255
[newradiusclient] Framed-Routing = Broadcast-Listen
[newradiusclient] Filter-Id = "std.ppp"
[newradiusclient] Framed-MTU = 1500
[newradiusclient] Framed-Compression = Van-Jacobson-TCP-IP
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Access-Accept 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 15
[newradiusclient] transPerSec 66.66666666666667
[newradiusclient] secsPerTran 0.015
[newradiusclient] TEST SUCCESS: RADIUS-AUTH
[newradiusclient] Xmit: Accounting-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000007"
[newradiusclient] Acct-Session-Id = "USS-006"
[newradiusclient] Acct-Status-Type = Start
[newradiusclient] 3GPP-Charging-Id = 1234567890
[newradiusclient] Framed-IP-Address = 135.140.160.100
[newradiusclient] Recv: Accounting-Response after 16 ms.
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Accounting-Response 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 16
[newradiusclient] transPerSec 62.5
[newradiusclient] secsPerTran 0.016
[newradiusclient] TEST SUCCESS: RADIUS-START
[newradiusclient] Xmit: Accounting-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000007"
[newradiusclient] Acct-Session-Id = "USS-006"
[newradiusclient] Acct-Status-Type = Interim-Update
[newradiusclient] 3GPP-Charging-Id = 1234567890
[newradiusclient] Framed-IP-Address = 135.140.160.100
[newradiusclient] Recv: Accounting-Response after 16 ms.
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Accounting-Response 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 16
[newradiusclient] transPerSec 62.5
[newradiusclient] secsPerTran 0.016
[newradiusclient] TEST SUCCESS: RADIUS-INTERIM
[newradiusclient] Xmit: Accounting-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000007"
[newradiusclient] Acct-Session-Id = "USS-006"
[newradiusclient] Acct-Status-Type = Stop
[newradiusclient] 3GPP-Charging-Id = 1234567890
[newradiusclient] Framed-IP-Address = 135.140.160.100
[newradiusclient] Recv: Accounting-Response after 0 ms.
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Accounting-Response 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 16
[newradiusclient] transPerSec 62.5
[newradiusclient] secsPerTran 0.016
[newradiusclient] TEST SUCCESS: RADIUS-STOP
tasks:
start-iri-server:
load-target-data:
radius-test-msisdn-is-target-fail:
[newradiusclient] Xmit: Access-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] User-Password = "bad"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000006"
[newradiusclient] Processing 71 byte message...
[newradiusclient] Message decoded as:
[newradiusclient] value LIMessage ::= iriMessage : attach : {
[newradiusclient] targetIdentity {
[newradiusclient] msisdn '9121436500000000F6'H
[newradiusclient] },
[newradiusclient] timeStamp generalizedTime : "20060821153608.911Z",
[newradiusclient] cgiorlai '0000000000'H,
[newradiusclient] routingAreaCode '00'H,
[newradiusclient] serviceAreaCode '0000'H,
[newradiusclient] reason 29,
[newradiusclient] iapSystemIdentity "VitalAAA"
[newradiusclient] }
[newradiusclient] Recv: Access-Reject after 15 ms.
[newradiusclient] Reply-Message = "Invalid Password."
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Access-Reject 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 15
[newradiusclient] transPerSec 66.66666666666667
[newradiusclient] secsPerTran 0.015
[newradiusclient] TEST SUCCESS: RADIUS-AUTH
tasks:
start-iri-server:
load-target-data:
radius-test-msisdn-is-not-target-fail:
[newradiusclient] Xmit: Access-Request
[newradiusclient] User-Name = "steve"
[newradiusclient] User-Password = "bad"
[newradiusclient] NAS-Identifier = "ap1.example.com"
[newradiusclient] NAS-IP-Address = 10.1.1.1
[newradiusclient] NAS-Port = 101
[newradiusclient] Calling-Station-Id = "123456000000007"
[newradiusclient] Recv: Access-Reject after 16 ms.
[newradiusclient] Reply-Message = "Invalid Password."
[newradiusclient] Statistic Value
[newradiusclient] --------- -----
[newradiusclient] initialRequests 1
[newradiusclient] totalRequests 1
[newradiusclient] finalReplies 1
[newradiusclient] totalReplies 1
[newradiusclient] timeouts 0
[newradiusclient] errors 0
[newradiusclient] retries 0
[newradiusclient] Access-Reject 1
[newradiusclient] transactionCount 1
[newradiusclient] elapsedTime 16
[newradiusclient] transPerSec 62.5
[newradiusclient] secsPerTran 0.016
[newradiusclient] TEST SUCCESS: RADIUS-AUTH
BUILD SUCCESSFUL
Total time: 5 seconds
C:\va\run>