b3bd19ed20c728d02f9e1cf8096363a8.ppt
- Number of slides: 63
The Server Management Tool (SMT)
Module Objectives
· SMT overview and architecture
· How to start the SMT client and server
· Configuring server properties
· Configuring clients and client properties
· Configuring the IP address manager
· Logging options
· Viewing statistics
· Editing files: text files and users files
· Testing tools for RADIUS
· Viewing/modifying SQL databases
· Modifying SMT preferences
All Rights Reserved © Alcatel-Lucent 2007
Agenda
· Overview (this section)
  Server related configuration
  Client related features
Server Management Tool (SMT)
· Graphical interface in Java to do any administration task
  § Set 8950 AAA Server Properties
  § Add/Delete/Modify Client entries
  § Create/Manage PolicyFlows
  § Manage the Universal State Server (USS)
  § Edit "user" files
  § Access any SQL database
  § View server statistics
  § Edit other configuration files
  § etc.
Manual File Editing Mode
[Diagram: the 8950 AAA config files are edited directly on the host, e.g. "$ vi clients"]
Local SMT
[Diagram: the SMT runs on the 8950 AAA host and accesses the config files directly ("$ vi clients" shown for comparison)]
Remote SMT
[Diagram: the SMT runs on a remote host and reaches the 8950 AAA config files through the Configuration Server ("$ vi clients" shown for comparison)]
SMT Local & Remote Mode
· The SMT can be run in local mode or remote mode
  § In remote mode, SMT requires the Configuration Server to be running on the server that you want to configure. The Configuration Server handles remote connections from SMT and allows SMT to read and write files on that server.
  § In local mode, a Configuration Server is not required, but you may connect to a Configuration Server running locally if one is available.
Configuration Server Start-up
· The aaa start command starts both the Policy Server and the configuration/SMT server
· This process can be started/stopped independently, with:
  § aaa start config
· Only one such process can be running per VA host
· This GUI server can handle several SMT connections from several remote hosts
· The log file config.log reports:
  § Connections
  § Problems at start-up, etc.
· If the SMT is run locally (without the Configuration Server), the logs are stored in smt.log
SMT Start-up
· Execute aaa-smt, located in the bin directory
  § Enter a valid UserName/Password of a VA operator (an admin user was created during the installation process)
· These parameters can also be given on the command line:
  § > aaa-smt -user admin -pass hello -host 135.88.101.1
  § > aaa-smt -u admin -p hello -l
· Note: it is recommended to connect via the Configuration Server, even when connecting to localhost
Agenda
  Overview
· Server related configuration (this section)
  Client related features
'Server Properties'
· This menu allows us to configure 8950 AAA server properties.
· They are stored in several files:
  § server_properties (it is recommended to edit this file only via the SMT)
  § uss_counters, uss_indices
Server Properties - Database
· AAA has a built-in basic SQL database:
    Database-Address = "*:9001"
    Database-Shutdown = NORMAL
    Database-LogSize = "200"
  § Hypersonic SQL, developed by a 3rd party
· Can be disabled by setting Database-Address = 0
· The database files are stored in <$VA>/run/db
  § nr.script & nr.data
SNMP agent (Enhanced in 5.2)
· To grant access to view statistical information
  § By default, the access is disabled (SNMP Address=0)
  § To enable it, just configure the IP address and UDP port (*:9161). Be careful with port 161, as it might be taken by the OS to report CPU utilization
· Two files are used to store SNMP indices, so that they are consistent after a server restart:
  § radius-server-indices.mib
  § radius-client-indices.mib
· Since 5.2, the new RFCs for IPv4 and IPv6 RADIUS clients/servers are supported
SNMP Access - SNMPv3 users
· SNMPv3 requires configuration of the encryption and authentication keys and algorithms
  § They will be stored in the security_snmpusers file
RADIUS properties
· To have several UDP ports for auth and acct
· Possibility to bind to any IP address or only to a specific one
· A duplicate is a packet with the same source IP + source UDP port + RADIUS ID as another one being processed.
· Duplicate detection saves CPU by:
  - not processing a packet which is already being processed
  - giving extra time to the original request to finish its processing, by increasing its ClientTimeout
· Option not to consider the Authenticator field for accounting packets
· To set the TOS byte of the IP header in the outgoing RADIUS packets
Queue and worker threads
[Diagram: a new request gets a timestamp and enters the queue (limited by a max number of waiting items); PolicyServer worker threads take requests from the queue; requests are either active or suspended; a new request detected as a duplicate is logged together with the queue size and discarded, and the original request's timers are updated; a new message for a suspended request is delivered to it]
· A request can be:
  § in the queue: waiting to start the execution of the PF
  § in a worker thread: executing a PF
  § suspended, in RAM: waiting for more information from an external system or process to go on with the PF (proxy-radius, Access-Challenge packets, etc.)
Server Properties – Advanced
· Shouldn't be modified unless told to by Lucent support
· To prevent loops in the execution of a PolicyFlow
· To limit the size of the queue
· To support RADIUS dynamic authorization (RFC 3576) with proxy agents and/or Nas-Id
More server properties
· To show in the logs the attributes marked as "hidden" in the dictionary
· To derive the BaseUser-Name and the Realm from the UserName AVP:
  § user@realm
  § realmuser
  § realm/user
Intelligent Queue Management
· Improves overall performance with duplicate and stale request deletion from the queue
  § 8950 AAA time-stamps each request on receipt.
  § The incoming request is then compared with all other active requests (in the queue or being processed) to see if it is a duplicate. The older request is retained in its present location in the queue or PolicyFlow, but its activity time-stamp is updated. The new incoming request is discarded.
[Timeline diagram: the original request sets Client-Timeout; when the NAS retransmits (after its Nas-Retransmission-Timer), Client-Timeout is extended as the NAS is still waiting for a response; if a response is generated it is sent, otherwise the request is discarded when Client-Timeout expires, as VA thinks the NAS is no longer waiting for a response]
Server Properties - Timeouts
· Client Timeout:
  § If VA detects it has a request that hasn't been answered after the client timeout, it discards it. This saves CPU by not processing a response the client is no longer expecting
  § Should be slightly higher than the NAS timeout
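The duplicate-detection and stale-request rules described on the RADIUS properties, Intelligent Queue Management and Client Timeout slides, as an added Python model; this is not Alcatel-Lucent code, and the queue API, field names and timings are assumptions, while the matching key (source IP + source UDP port + RADIUS ID) and the time-stamp handling follow the slides:

```python
"""Model of 8950 AAA duplicate detection and stale-request discarding.
Added example, not Alcatel-Lucent code: the queue API and timings are
assumptions; the duplicate key and time-stamp handling follow the slides."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# An incoming packet is a duplicate when source IP, source UDP port and
# RADIUS packet identifier all match a request that is still active.
Key = Tuple[str, int, int]


@dataclass
class Request:
    src_ip: str
    src_port: int
    radius_id: int
    received_at: float      # time-stamp set on receipt
    last_activity: float    # refreshed when the NAS retransmits


@dataclass
class RequestQueue:
    client_timeout: float   # seconds; should be slightly above the NAS timeout
    active: Dict[Key, Request] = field(default_factory=dict)
    duplicates_discarded: int = 0
    stale_discarded: int = 0

    def receive(self, src_ip: str, src_port: int, radius_id: int, now: float) -> bool:
        """Queue the packet and return True, or return False for a duplicate."""
        key = (src_ip, src_port, radius_id)
        original = self.active.get(key)
        if original is not None:
            # Retransmission: the original keeps its place in the queue or
            # PolicyFlow, its activity time-stamp (and so its Client-Timeout
            # window) is extended, and the new copy is discarded.
            original.last_activity = now
            self.duplicates_discarded += 1
            return False
        self.active[key] = Request(src_ip, src_port, radius_id, now, now)
        return True

    def expire_stale(self, now: float) -> int:
        """Discard requests unanswered for longer than Client-Timeout:
        the NAS has given up, so producing a response would waste CPU."""
        stale = [k for k, r in self.active.items()
                 if now - r.last_activity > self.client_timeout]
        for k in stale:
            del self.active[k]
        self.stale_discarded += len(stale)
        return len(stale)

    def complete(self, key: Key) -> Optional[Request]:
        """A response was generated: the request leaves the active set."""
        return self.active.pop(key, None)
```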
Server Properties - Configuration Server
· Configuration related to the SMT/Config server
RADIUS Lawful Intercept (LI) - CALEA
· Service Providers must meet legal and regulatory requirements for the interception of voice and data communications in IP networks
  § Requirements vary from country to country
  § The CALEA name relates to the USA-specific requirements
· Lawful intercept (LI) is a mechanism to know when:
  § a user connects/disconnects from an IP network, and optionally
  § the data the user actually transmitted/received
· A Data User (target) is identified by a well-known parameter:
  § MSISDN (Calling-Station-Id)
  § IMSI: for GSM/GPRS/UMTS mobile users
· An LI must be authorized by a court order
Proprietary solution
· Lawful intercept is always a vendor-specific mechanism
  § RFC 2804 explains why the IETF doesn't standardize LI
· The Lucent 8950 AAA solution has been designed to work with:
  § SS8 Xcipio WDDF as IRI server (SS8 is a world leading company in LI solutions)
  § Lucent Brick as IPSec server (it behaves as a RADIUS client)
Lawful Intercept architecture (New in 5.1)
[Diagram: the user to be wiretapped (target) connects through the NAS to the Internet; the IRI server (SS8 Xcipio WDDF) provisions targets in 8950 AAA and receives IRI; the IAP (CC) is addressed via the DF-CC address/port returned in the Access-Accept]
· Provisioning of targets, as shown in the diagram:
  § IMSI: 214071234567890 -> iri_only
  § MSISDN: 34679123456 -> iri_and_cc
· Exchange shown in the diagram:
  § Access-Request: User-Name (1) = "john@isp1", NAS-IP-Address (4) = 192.168.20.2, ..., Calling-Station-Id (31) = 34679123456
  § Access-Accept: ..., Lucent-AAA-DF-CC-Address = 1.2.3.4, Lucent-AAA-DF-CC-Port = 5678
· Notes:
  § A failed auth attempt is also transmitted to the IRI server
  § In Acct, the IRI server must also be informed of when the user really starts the session (Start) and disconnects (Stop)
· IRI = Intercept Related Information; LEA = Law Enforcement Agency; IAP = Intercept Access Point
Configuration of users to be intercepted (New in 5.1)
· For a 3rd-party system to configure which users (targets) are to be wiretapped
  § with a Lucent proprietary interface
· For changes to be persistent across restarts, this info is saved to a binary file called intercept_targets
Client Panels - Clients (Enhanced in 5.2)
· New clients can be added without restarting the PolicyServer
  § Reload button
· Specific parameters can be included: auth & acct timeouts, etc.
  § And to which client_class it belongs
Client Panels - Client Classes
· To override general server_properties for some clients, if these properties haven't been configured in the radius_clients file
  § This information is stored in the "client_properties" file
Address Manager - Configuration
· To define IP pools for dynamic IP address assignment to users
  § By default, 65536 addresses can be defined (can be changed in server_properties)
· The pool definitions are stored in the address_pools file
  § VA has to be restarted to re-read this file and consider new pools
Address Manager – Monitoring & Statistics
· The management of the IP addresses and pools is stored in memory
  § The assignment is done by the Address plug-in
· Saved to the file address_leases
  § to be persistent across VA restarts
Logging Messages
· A log entry can be written automatically when a user authentication request is accepted, rejected, challenged or discarded
  § Similarly with accounting
· This configuration is stored in the "server_properties" file
· Especially useful for the PA
  § With PF it can be configured directly in the method definition
Logging in 8950 AAA
· It is one of the most important sources of information to troubleshoot a user connection
[Diagram: log messages from any thread pass through log_rules, which filter by level (ERROR, WARNING, NOTICE, INFO, SALIENT, DEBUG, VERBOSE, BLITHER) and select a log_channel; log_channels deliver to one or multiple destinations: Standard Output/Error, SNMP Trap, File, SQL database, syslog]
· Logs for an active request are buffered, and will be sent to the log_channel when the request is completely processed
Log Channels
· We can define different log channels to send information to.
  § These log channels will be referenced in the PolicyFlow plug-ins
  § Or when configuring the logging rules
· Stored in the log_channels file
Rollover Modes
· For the "File with Time-Based File Switching" and some other plug-ins related to time-rollover, the following options are available:
  § Minutes: 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30
  § Hours: 1, 2, 3, 4, 6, 8, 12
  § Day: 1
  § Week: 1, 2, 3, 4
  § Month: 1, 2, 3, 4, 6
  § Year: 1
Logging Rules (I)
· We can configure different log levels for different areas in VA
· The logging messages can be sent to different "log channels"
  § For instance, USS logs can be sent to a different log file than regular VA logs
· Log levels are:
  § 0 - OFF
  § 1 - error
  § 2 - warning
  § 3 - notice
  § 4 - info
  § 5 - salient: includes packets received (IP and UDP)
  § 6 - debug: includes the policyflow execution chain (methods)
  § 7 - verbose: includes variables used after each method, and HEX dump
  § 8 - blither: too much detail
Logging Rules (II)
· The Startup Log Rules are stored in the file log_rules
· The Active Log Rules are taken initially from the Startup ones
· Rule shown in the screenshot: Level=INFO Continue=false Channel=LogToFile
Logging Rules (III) – Log areas
· Care should be taken when activating many traces
  § They degrade server performance,
  § especially depending on the log level (debug, trace, ...)
Log Rules (IV)
· We can filter the logs on any attribute coming in the RADIUS request:
  § specific users (request.User-Name),
  § realms (packet.User-Realm),
  § calling and called numbers (request.Called-Station-Id, etc.),
  § type of RADIUS packet (packet.Packet-Type)
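A small evaluator for the log-rule semantics described on the Logging Rules slides (levels 0-8, Level/Continue/Channel rule lines, attribute filters such as request.User-Name and packet.Packet-Type), as an added Python example rather than product code; the rule syntax beyond the Level=INFO Continue=false Channel=LogToFile line shown, and the reading of Continue=false as "stop at the first matching rule", are assumptions.

```python
"""Evaluator for 8950 AAA-style log rules. Added example, not product code:
the rule structure and the meaning of Continue=false are assumptions; the
level table and the filter attribute names come from the slides."""
from dataclasses import dataclass, field
from typing import Dict, List

# Level 0 disables a rule; a rule at level N passes messages of level N or
# lower (more severe).
LEVELS = ["OFF", "ERROR", "WARNING", "NOTICE", "INFO",
          "SALIENT", "DEBUG", "VERBOSE", "BLITHER"]
LEVEL_NUM = {name: n for n, name in enumerate(LEVELS)}


@dataclass
class LogRule:
    level: str                  # e.g. "INFO"
    channel: str                # a name defined in log_channels, e.g. "LogToFile"
    continue_: bool = False     # assumption: False stops at the first matching rule
    filters: Dict[str, str] = field(default_factory=dict)  # {"packet.User-Realm": "isp1"}


@dataclass
class LogMessage:
    severity: str               # "ERROR" .. "BLITHER"
    attributes: Dict[str, str]  # request.* / packet.* values of the packet being processed


def matches(rule: LogRule, msg: LogMessage) -> bool:
    """Level threshold first, then every attribute filter must match exactly."""
    if LEVEL_NUM[rule.level] == 0:
        return False
    if LEVEL_NUM[msg.severity] > LEVEL_NUM[rule.level]:
        return False
    return all(msg.attributes.get(k) == v for k, v in rule.filters.items())


def route(rules: List[LogRule], msg: LogMessage) -> List[str]:
    """Channels that receive msg, evaluating the rules in order."""
    channels: List[str] = []
    for rule in rules:
        if matches(rule, msg):
            channels.append(rule.channel)
            if not rule.continue_:
                break
    return channels


def parse_rule(line: str) -> LogRule:
    """Parse 'Level=INFO Continue=false Channel=LogToFile'; any other
    key=value pair (e.g. request.User-Name=...) becomes an attribute filter."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    level = kv.pop("Level").upper()
    channel = kv.pop("Channel")
    cont = kv.pop("Continue", "false").lower() == "true"
    return LogRule(level, channel, cont, kv)
```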
Monitoring Logs
[Screenshot toolbar functions: Stop/Start the file; Pause/Resume the tailing; Clear the screen content; Open the file in a text editor; Send to printer; Change the log level; Select the log file]
8950 AAA Statistics (I)
· To see the load the server has, both for authentication and accounting:
  § Number of packets/s received
  § Ratio of requests accepted and rejected
  § Duplicates and error packets
  § Memory use
  § Etc.
8950 AAA Statistics (II)
8950 AAA Statistics (III)
8950 AAA Statistics (& IV)
· The Processing Period table shows how long each method has taken to execute (ms/execution)
· Useful to detect the bottleneck in our server and be able to improve performance (SQL DBs, LDAP servers, USS, etc.)
File Tools
· To access files without needing telnet/ssh access to the host
· All files must be in the run directory
· Several panels:
  § User Files: reads any file with a "classical" users format
  § Dictionary Editor
  § File Manager: to delete and copy files
  § Tail: to see the last lines inserted in a file (similar to 'Monitor Log File')
File Tools - Users files
· To edit a users file without memorizing all dictionary attributes
  [Screenshot: columns for users' names, check-items and reply-items]
· There is a display list for check-items and reply-items
  § This attribute list can be configured in the "SMT properties"
File Tools - Dictionary Editor (New in 5.2.1)
· To view existing attributes
· To add any Vendor-Specific attribute (VSA)
File Tools – File Manager
· To delete, rename and copy files in the run directory
File Tools - Property file editor
· If the property to add is a RADIUS attribute, it can be selected from the dictionary
  § without needing to know it by heart
Start/Stop of servers
· To check the status of, start or stop any 8950 AAA server
  § PolicyServer
  § GUI config server
· This check is made every 5 seconds (by default)
Configuration Report
· To see at a glance all the 8950 AAA configuration
Files to provide to Lucent Support
· In case it is necessary to contact Lucent Support Services, all the important files needed can be packaged automatically
  § in the vacfg.zip file
  § on the server's hard disk, not on the SMT host
Agenda
  Overview
  Server related configuration
· Client related features (this section)
RADIUS Test Client
· Equivalent to varc, but with a graphical interface
· Different client scenarios:
  § PAP=Basic
  § CHAP
  § Challenge
  § Simulator
  § etc.
RADIUS NAS Load
· Simulates a network of NASs sending different types of requests, with a variety of User-Names, NAS-IP-Address, NAS-Port-Type, session duration, etc.
· Equivalent to vasim, but with a graphical interface
· It is invoked from the RADIUS Test Client, with Scenario=NasLoad
· It is a very powerful tool for performance and stress tests
  § Allows the USS to be tested heavily
Database Tools
· Built-in database client to connect to any database
  § To create users in a users table
  § To see/modify any table by using views (the views created are stored in the db_properties file on the server)
  § The proper JDBC driver should be installed under <$VA>/lib
User Profiles
· To easily manage users in a graphical way
  § Possibility to filter and sort entries
· Can import entries from a text file
  § with users format, csv format, etc.
Table Tool
· Possibility to define a view of any table for easy and quick access
  § Similar to the Users Table
  § With sorting criteria
SQL Tool
· To execute any SQL command
· There is a list of existing tables
  § And the columns of each table
Manage DB Users
· To create/delete DB operators
SMT Preferences (I): Look & Feel
· All SMT preferences are stored in the "guiconfig_properties" file
  § On the SMT host, not on the server host
SMT Preferences (II): Attribute lists
· We can configure which attributes will appear in the lists for:
  § File Tools -> User Files (Check-Items and Reply-Items)
  § Configuration Tools -> Client Class (for configuration of custom variables)
SMT Preferences (III): Other panels
· Some panels are only available when running the SMT in Expert Mode: Dictionary, some server Statistics...
· We can select which programs will open certain files
· How often to check whether the servers are up or down
SMT Panel Loading
· Some panels have no relationship with server files or CLI commands
· They can only be shown/hidden via the SMT properties
  § In the smt_properties file on the SMT client host