The Server Management Tool (SMT)
2 | SMT All Rights Reserved © Alcatel-Lucent 2007
Module Objectives
SMT Overview and architecture
How to start the SMT client and server
Configuring server properties
Configuring clients and client properties
Configuring the IP address manager
Logging options
Viewing statistics
Editing files: text files and users files
Testing Tools for RADIUS
Viewing/modifying SQL databases
Modifying SMT preferences
Overview
Server related configuration
Client related features
Server Management Tool (SMT)
Graphical interface in Java to do any administration task:
Set 8950 AAA Server Properties
Add/Delete/Modify Client entries
Create/Manage PolicyFlows
Manage the Universal State Server (USS)
Edit “user” files
Access any SQL Database
View server statistics
Editing other configuration files
etc.
Manual File Editing Mode (diagram): the administrator edits the 8950 AAA config files directly on the host, e.g. $ vi clients
Local SMT (diagram): the SMT runs on the 8950 AAA host and reads/writes the config files directly
Remote SMT (diagram): the SMT runs on a remote host and reads/writes the 8950 AAA config files through the Configuration Server
SMT Local & Remote Mode
The SMT can be run in local mode or remote mode.
In remote mode, SMT requires the Configuration Server to be running on the server that you want to configure. The Configuration Server handles remote connections from SMT and allows SMT to read and write files on that server.
In local mode, a Configuration Server is not required, but you may connect to a Configuration Server running locally if one is available.
Configuration Server Start-up
The aaa start command starts both the Policy Server and the configuration/SMT server.
This process can be started/stopped independently, with:
aaa start config
Only one such process can be running per VA host. This GUI server can handle several SMT connections from several remote hosts.
The log file config.log reports connections, problems at start-up, etc.
If the SMT is run locally (without the "Configuration Server"), the logs are stored in smt.log
SMT Start-up
Execute aaa-smt located in the bin directory.
Introduce a valid UserName/Password of a VA operator. An admin user was created during the installation process.
These parameters can also be given on the command line:
> aaa-smt -user admin -pass hello -host 135.88.101.1
> aaa-smt -u admin -p hello -l
(A password given on the command line is visible to other users of the host in the process list and in the shell history, so prefer entering it at the prompt.)
It is recommended to connect via the Configuration Server, even when connecting to the localhost.
Overview
Server related configuration
Client related features
Server Properties
This menu allows us to configure 8950 AAA server properties.
They are stored in several files: server_properties (it is recommended to edit this file only via the SMT), uss_counters and uss_indices
Server Properties - Database
8950 AAA has a built-in basic SQL database, Hypersonic SQL, developed by a 3rd party.
It can be disabled by selecting “Database Address”=0
The database files are stored in <$VA>/run/db: nr.script & nr.data
Example settings from the slide:
Database-Address = "*:9001"
Database-Shutdown = NORMAL
Database-LogSize = "200"
SNMP agent
Grants access to view statistical information.
By default, the access is disabled (SNMP Address=0)
To enable it, configure the IP address and UDP port (*:9161). Be careful with port 161, as it might be taken by the OS to report CPU utilization.
Two files are used to store SNMP indices, so that they are consistent after a server restart: radius-server-indices.mib & radius-client-indices.mib
Enhanced 5.2
Since 5.2, the new RFCs for IPv4 and IPv6 RADIUS clients/servers are supported
SNMP Access - SNMPv3 users
SNMPv3 requires configuration of the encryption and authentication keys and algorithms. They will be stored in the security_snmpusers file.
RADIUS properties
To have several UDP ports for auth and acct
Possibility to bind to any IP address or only to a specific one
Duplicate detection: a duplicate is a packet with the same source IP + source UDP port + RADIUS ID as another one being processed. It saves CPU by not processing a packet which is already being processed, and by giving extra time to the original request to finish its processing by increasing its Client-Timeout
Option not to consider the Authenticator field for accounting packets
To set the TOS byte of the IP header in the outgoing RADIUS packets
Queue and worker threads
A request can be:
in the queue: waiting to start the execution of the PF
in a worker thread: executing a PF
suspended, in RAM: waiting for more information from an external system or process to go on with the PF (proxy-radius, Access-Challenge packets, etc.)
Diagram recovered from the slide: New Request -> Add timestamp -> queue (queue size = max # of waiting items) -> PolicyServer Worker Threads; a new message for a suspended request moves it back into the active requests; a request detected as duplicate is logged & discarded, and the original's timers are updated.
Server Properties – Advanced
These should not be modified unless told to by Lucent support:
To prevent loops in the execution of a Policy Flow
To limit the size of the queue
To support RADIUS dynamic authorization (RFC 3576) with proxy agents and/or Nas-Id
More server properties
To derive the Base-User-Name and the Realm from the User-Name AVP: user@realm, realm\user, realm/user
To show in the logs the attributes marked as “hidden” in the dictionary
Intelligent Queue Management
Improves overall performance with duplicate and stale request deletion from the queue.
8950 AAA time-stamps each request on receipt. The incoming request is then compared with all other active requests (in the queue or being processed) to see if it is a duplicate. The older request is retained in its present location in the queue or PolicyFlow, but its activity time-stamp is updated. The new incoming request is discarded.
Timeline recovered from the slide diagram: the original request arrives and Client-Timeout is set; when the NAS retransmits after its Nas-Retransmission-Timer, Client-Timeout is extended, as the NAS is still waiting for a response; then either a response is generated, or the request is discarded because VA thinks the NAS is no longer waiting for a response.
Server Properties - Timeouts
Client Timeout: if VA detects it has a request that hasn't been answered yet after the client timeout, it discards it. This saves CPU, by not processing a response the client is no longer expecting.
It should be slightly higher than the NAS timeout.
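The duplicate detection defined under RADIUS properties (same source IP + source UDP port + RADIUS ID), the Intelligent Queue Management time-stamp refresh and the Client-Timeout discard above, modelled as an added Python example that is not the product's code; the request key, the 5 s timeout and the retransmission timeline are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int, int]  # (source IP, source UDP port, RADIUS ID)


@dataclass
class ActiveRequest:
    received_at: float     # arrival time of the original packet
    last_activity: float   # refreshed by each duplicate, which extends Client-Timeout


@dataclass
class RequestTable:
    """Requests in the queue, in a worker thread or suspended (assumed model)."""
    client_timeout: float  # seconds; should be slightly higher than the NAS timeout
    active: Dict[Key, ActiveRequest] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def receive(self, key: Key, now: float) -> str:
        """Time-stamp a new request, or discard a duplicate and refresh the original."""
        req = self.active.get(key)
        if req is None:
            self.active[key] = ActiveRequest(now, now)
            return "queued"
        req.last_activity = now  # original keeps its place; its timer is extended
        self.log.append(f"duplicate id={key[2]} from {key[0]}:{key[1]} discarded")
        return "duplicate"

    def respond(self, key: Key) -> None:
        """A response was generated: the request leaves the table."""
        self.active.pop(key, None)

    def expire(self, now: float) -> List[Key]:
        """Discard requests whose NAS is assumed to have stopped waiting."""
        stale = [k for k, r in self.active.items()
                 if now - r.last_activity > self.client_timeout]
        for k in stale:
            del self.active[k]
            self.log.append(f"id={k[2]} from {k[0]} discarded: Client-Timeout exceeded")
        return stale


def scenario() -> Dict[str, object]:
    """Constructed timeline: Client-Timeout 5 s, the NAS retransmits at t=3 and t=6."""
    table = RequestTable(client_timeout=5.0)
    key: Key = ("192.168.20.2", 45000, 17)  # constructed NAS address, port and ID
    return {
        "t0": table.receive(key, 0.0),        # 'queued'
        "t3": table.receive(key, 3.0),        # 'duplicate'; timer now runs from t=3
        "t5.5_expired": table.expire(5.5),    # [] thanks to the extension
        "t6": table.receive(key, 6.0),        # 'duplicate' again
        "t12_expired": table.expire(12.0),    # [key]: NAS gave up, request dropped
        "still_active": len(table.active),    # 0
        "log": table.log,                     # three entries
    }
```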
Server Properties - Configuration Server
Configuration related to the SMT/Config server
RADIUS Lawful Intercept (LI) - CALEA
Service Providers must meet legal and regulatory requirements for the interception of voice and data communications in IP networks. Requirements vary from country to country.
The CALEA name relates to the USA-specific requirements.
Lawful intercept (LI) is a mechanism to know when a user connects/disconnects from an IP network, and optionally the data the user actually transmitted/received.
A Data User (target) is identified by a well-known parameter: MSISDN (Calling-Station-Id), or IMSI for GSM/GPRS/UMTS mobile users
A LI must be authorized by a court order
Proprietary solution
Lawful intercept is always a vendor-specific mechanism. RFC 2804 explains why the IETF doesn’t standardize LI.
The Lucent 8950 AAA solution has been designed to work with:
SS8 Xcipio WDDF as IRI server (SS8 is a world leading company in LI solutions)
Lucent Brick as IPSec server; it behaves as a RADIUS client
Lawful Intercept architecture
Diagram recovered from the slide: the user to be wiretapped (target) is provisioned on the IRI Server (SS8 Xcipio WDDF) with an action, e.g. IMSI:214071234567890 -> iri_only, MSISDN:34679123456 -> iri_and_cc (CC delivered to 1.2.3.4 port 5678); the IAP (CC) sits on the user's path to the Internet, and IRI/IAP provisioning comes from the IRI server.
Example exchange on Attach:
Access-Request: User-Name (1) = "john@isp1", NAS-IP-Address (4) = 192.168.20.2, ..., Calling-Station-Id (31) = 34679123456
Access-Accept: ..., Lucent-AAA-DF-CC-Address = 1.2.3.4, Lucent-AAA-DF-CC-Port = 5678
* A failed auth attempt is also transmitted to the IRI server
* In Acct, the IRI server must also be informed of when the user really starts the session (Start), and disconnects (Stop)
New 5.1
IRI = Intercept Related Information; LEA = Law Enforcement Agency; IAP = Intercept Access Point
Configuration of users to be intercepted
For a 3rd-party system to configure which users (targets) are to be wiretapped, with a Lucent proprietary interface
For changes to be persistent across restarts, this info is saved to a binary file called intercept_targets
New 5.1
Client Panels - Clients
New clients can be added without restarting the PolicyServer (Reload button)
Specific parameters can be included: auth & acct timeouts, etc., and which client_class it belongs to
Enhanced 5.2
Client Panels - Client Classes
To override general server_properties for some clients, if these properties haven’t been configured in the radius_clients file. This information is stored in the "client_properties" file.
Address Manager - Configuration
To define IP pools for dynamic IP address assignment to users
By default, 65536 addresses can be defined. This can be changed in server_properties.
The pools definition is stored in the address_pools file. VA has to be restarted to re-read this file and consider new pools.
Address Manager – Monitoring & Statistics
The management of the IP addresses and pools is kept in memory; the assignment is done by the Address plug-in.
It is saved to the file address_leases to be persistent across VA restarts.
Logging Messages
A log can automatically be written when a user authentication request is accepted, rejected, challenged or discarded. Similarly with accounting.
This configuration is stored in the "server_properties" file.
Especially useful for the PA. With PF it can be configured directly in the method definition.
Logging in 8950 AAA
It is one of the most important sources of information to troubleshoot a user connection.
Diagram recovered from the slide: messages from each worker thread pass through the log_rules and are routed to the log_channels, whose destinations can be Standard Output/Error, SNMP Trap, File, SQL database, syslog, or multiple destinations. Logs for an active request are buffered, and will be sent to the log_channel when the request is completely processed.
Log levels: ERROR, WARNING, NOTICE, INFO, SALIENT, DEBUG, VERBOSE, BLITHER
Log Channels
We can define different log channels to send information to.
These log channels will be referenced in the PolicyFlow plug-ins, or when configuring the logging rules.
Stored in the log_channels file
Rollover Modes
For the “File with Time-Based File Switching” and some other plug-ins related to time-rollover, the following options are available:
Minutes: 1,2,3,4,5,6,10,12,15,20,30
Hours: 1,2,3,4,6,8,12
Day: 1
Week: 1,2,3,4
Month: 1,2,3,4,6
Year: 1
Logging Rules (I)
We can configure different log levels for different areas in VA.
The logging messages can be sent to different "log channels". For instance, USS logs can be sent to a different log file than regular VA logs.
Log levels are:
0 - OFF
1 - error
2 - warning
3 - notice
4 - info
5 - salient - includes packets received (IP and UDP)
6 - debug - includes the policyflow execution chain (methods)
7 - verbose - includes variables used after each method, and HEX dump
8 - blither - too much detail
Logging Rules (II)
The Startup Log Rules are stored in the file log_rules.
The Active Log Rules will be taken initially from the Startup ones.
Example rule from the slide:
Level=INFO Continue=false Channel=LogToFile
Logging Rules (III) – Log areas
Care should be taken when activating many traces: they degrade server performance, especially depending on the log level (debug, trace, ...).
Log Rules (IV)
We can filter the logs for any attribute coming in the RADIUS request:
specific users (request.User-Name)
Realms (packet.User-Realm)
Calling and Called numbers (request.Called-Station-Id, etc.)
Type of RADIUS packet (packet.Packet-Type)
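As an added example (not the 8950 AAA log_rules format or engine), a Python evaluator for rules shaped like the Level=INFO Continue=false Channel=LogToFile line on the earlier slide, extended with the request./packet. attribute filters listed above; the filter syntax, the in-order evaluation, and the meaning of Continue=false (stop after this rule) and Level=OFF (forward nothing) are assumptions of this example.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Log levels in the order the slides list them (index = numeric level).
LEVELS = ["OFF", "ERROR", "WARNING", "NOTICE", "INFO",
          "SALIENT", "DEBUG", "VERBOSE", "BLITHER"]


class Rule(NamedTuple):
    level: int                       # highest level this rule forwards
    cont: bool                       # Continue=true: keep evaluating later rules
    channel: str
    filt: Optional[Tuple[str, str]]  # (attribute, value) filter or None (assumed syntax)


def parse_rule(line: str) -> Rule:
    """Parse 'Level=.. Continue=.. Channel=.. [request.X=v | packet.X=v]'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    filt = None
    for key, value in fields.items():
        if key.startswith(("request.", "packet.")):
            filt = (key, value)
    return Rule(LEVELS.index(fields["Level"].upper()),
                fields.get("Continue", "true").lower() == "true",
                fields["Channel"], filt)


def route(rules: List[Rule], level: str, attrs: Dict[str, str]) -> List[str]:
    """Channels receiving a message of `level` for a request with `attrs`.
    Rules run in order; a rule whose filter does not match is skipped; a rule
    forwards when the message level is within its level (OFF forwards nothing);
    Continue=false ends evaluation (assumed semantics)."""
    msg_level = LEVELS.index(level.upper())
    channels: List[str] = []
    for rule in rules:
        if rule.filt is not None and attrs.get(rule.filt[0]) != rule.filt[1]:
            continue
        if msg_level <= rule.level:
            channels.append(rule.channel)
        if not rule.cont:
            break
    return channels


# Constructed rule set: trace one user, silence accounting, INFO for the rest.
RULES_TEXT = """\
Level=DEBUG Continue=true Channel=DebugUser request.User-Name=john@isp1
Level=OFF Continue=false Channel=Discard packet.Packet-Type=Accounting-Request
Level=INFO Continue=false Channel=LogToFile
"""


def demo() -> Dict[str, List[str]]:
    rules = [parse_rule(line) for line in RULES_TEXT.splitlines()]
    john = {"request.User-Name": "john@isp1", "packet.Packet-Type": "Access-Request"}
    bob_acct = {"request.User-Name": "bob@isp2", "packet.Packet-Type": "Accounting-Request"}
    bob_auth = {"request.User-Name": "bob@isp2", "packet.Packet-Type": "Access-Request"}
    return {
        "john_debug": route(rules, "DEBUG", john),          # ['DebugUser']
        "john_info": route(rules, "INFO", john),            # ['DebugUser', 'LogToFile']
        "bob_acct_info": route(rules, "INFO", bob_acct),    # [] (suppressed)
        "bob_auth_error": route(rules, "ERROR", bob_auth),  # ['LogToFile']
    }
```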
Monitoring Logs
Stop / Start the file
Pause / Resume the tailing
Clears the screen content
Open the file in a text editor
Send to printer
Changes the log level
Selects the log file
8950 AAA Statistics (I)
To see the load the server has, both for authentication as well as accounting:
Number of packets/s received
Ratio of requests accepted and rejected
Duplicates and error packets
Memory use
Etc.
8950 AAA Statistics (II)
8950 AAA Statistics (III)
8950 AAA Statistics (& IV)
The Processing Period table shows how long each method has taken to execute (ms/execution).
Useful to detect the bottleneck in our server, and be able to improve performance (SQL DBs, LDAP servers, USS, etc.)
File Tools
To access files without needing telnet/ssh access to the host.
All files must be in the run directory.
Several panels:
User Files: reads any file with a "classical" users format
Dictionary Editor
File Manager: to delete and copy files
Tail: to see the last lines inserted in a file, similar to ‘Monitor Log File’
File Tools - Users files
To edit a users file without memorizing all dictionary attributes.
There is a display list for check-items and reply-items. This attribute list can be configured in the "SMT properties".
Panel columns: Users' Names, Check-items, Reply-Items
File Tools - Dictionary Editor
To view existing attributes
To add any Vendor-Specific attribute (VSA)
New 5.2.1
File Tools – File Manager
To delete, rename and copy files in the run directory
File Tools – Property file editor
If the property to add is a RADIUS attribute, it can be selected from the dictionary without needing to know it by heart.
Start/Stop of servers
To check the status, start or stop any of the 8950 AAA servers: PolicyServer, GUI config server
This check is made every 5 seconds (by default)
Configuration Report
To see in a glance all 8950 AAA configuration
Files to provide to Lucent Support
In case it is necessary to contact Lucent Support Services, all the important files needed can automatically be packaged in a vacfg.zip file on the server's hard disk, not on the SMT host.
Overview
Server related configuration
Client related features
RADIUS Test Client
Equivalent to varc, but with a graphical interface
Different Client Scenarios: PAP=Basic, CHAP, Challenge, Simulator, etc.
RADIUS NAS Load
Simulates a network of NASs sending different types of requests, with a variety of User-Names, NAS-IP-Address, NAS-Port-Type, session duration, etc.
Equivalent to vasim, but with a graphical interface
It is invoked from the RADIUS Test Client, with Scenario=NasLoad
It is a very powerful tool for performance and stress tests. It allows heavy testing of the USS.
Database Tools
Built-in database client to connect to any database
To create users in a users table
To see/modify any table by using views. The views created are stored in the db_properties file on the server.
The proper JDBC driver should be installed under <$VA>/lib
User Profiles To easily manage users in a graphical way
Possibility to filter and to sort entries
Can import entries from a text file with users format, csv format, etc.
Table Tool
Possibility to define a view of any table for easy and quick access, similarly to the Users Table, with sorting criteria
SQL Tool
To execute any SQL command
There is a list of existing tables, and columns for each table
Manage DB Users
To create/delete DB operators
SMT Preferences (I): Look & Feel
All SMT preferences are stored in the "guiconfig_properties" file on the SMT host, not on the server host
SMT Preferences (II): Attribute lists
We can configure what attributes will appear in the lists for:
File Tools -> User Files: Check-Items and Reply-Items
Configuration Tools -> Clients -> Client Class: for configuration of custom variables
SMT Preferences (III): Other panels
Some panels are only available when running the SMT in Expert Mode: Dictionary, some server Statistics...
We can select which programs will open certain files, and how often to check if the servers are up or down
SMT Panel Loading
Some panels have no relationship with server files or CLI commands.
They can only be shown/hidden via the SMT properties, in the smt_properties file on the SMT client host