Published byThomas Hutchinson
The Server Management Tool (SMT)
All Rights Reserved © Alcatel-Lucent | SMT

Module Objectives
- SMT overview and architecture
- How to start the SMT client and server
- Configuring server properties
- Configuring clients and client properties
- Configuring the IP address manager
- Logging options
- Viewing statistics
- Editing files: text files and users files
- Testing tools for RADIUS
- Viewing/modifying SQL databases
- Modifying SMT preferences

Overview
- Server related configuration
- Client related features

Server Management Tool (SMT)
Graphical Java interface for any administration task:
- Set 8950 AAA server properties
- Add/delete/modify client entries
- Create/manage PolicyFlows
- Manage the Universal State Server (USS)
- Edit users files
- Access any SQL database
- View server statistics
- Edit other configuration files, etc.
Diagram: manual file editing mode. The 8950 AAA config files are edited directly on the host ($ vi clients).

Diagram: local SMT. The SMT runs on the 8950 AAA host and edits the config files itself.

Diagram: remote SMT. The SMT connects to the Configuration Server, which reads and writes the config files on the 8950 AAA host.

SMT Local & Remote Mode
- The SMT can be run in local mode or remote mode.
- In remote mode, SMT requires the Configuration Server to be running on the server that you want to configure. The Configuration Server handles remote connections from SMT and allows SMT to read and write files on that server.
- In local mode, a Configuration Server is not required, but you may connect to a Configuration Server running locally if one is available.

Configuration Server Start-up
- The aaa start command starts both the Policy Server and the configuration/SMT server.
- This process can be started/stopped independently with: aaa start config
- Only one such process can run per VA host.
- This GUI server can handle several SMT connections from several remote hosts.
- The log file config.log reports connections, problems at start-up, etc.
- If the SMT is run locally (without the Configuration Server), the logs are stored in smt.log.

SMT Start-up
- Execute aaa-smt, located in the bin directory.
- Enter a valid user name/password of a VA operator; an admin user was created during the installation process.
- These parameters can also be given on the command line:
  > aaa-smt -user admin -pass hello -host
  > aaa-smt -u admin -p hello -l
- It is recommended to connect via the Configuration Server, even when connecting to the localhost.
Overview
- Server related configuration
- Client related features

Server Properties
This menu configures the 8950 AAA server properties. They are stored in several files:
- server_properties (it is recommended to edit this file only via the SMT)
- uss_counters, uss_indices

Server Properties - Database
- 8950 AAA has a built-in basic SQL database: Hypersonic SQL, developed by a 3rd party.
- It can be disabled by setting Database-Address=0.
- The database files are stored in /run/db: nr.script & nr.data
- Properties shown on the slide:
  Database-Address = "*:9001"
  Database-Shutdown = NORMAL
  Database-LogSize = "200"

SNMP agent
- Grants access to view statistical information.
- By default the access is disabled (SNMP-Address=0).
- To enable it, configure the IP address and UDP port (*:9161).
- Be careful with port 161, as it might already be taken by the OS to report CPU utilization.
- Two files are used to store the SNMP indices, so that they are consistent after a server restart: radius-server-indices.mib & radius-client-indices.mib
- Enhanced in 5.2: since 5.2, the new RFCs for IPv4 and IPv6 RADIUS clients/servers are supported.

SNMP Access - SNMPv3 users
- SNMPv3 requires configuration of the encryption and authentication keys and algorithms.
- They are stored in the security_snmpusers file.
RADIUS properties
- Several UDP ports can be used for auth and acct.
- The server can bind to any IP address or only to a specific one.
- Duplicate detection: a duplicate is a packet with the same source IP + source UDP port + RADIUS ID as another one being processed. Saves CPU by:
  - not processing a packet which is already being processed
  - giving extra time to the original request to finish its processing by increasing its Client-Timeout
- Option not to check the Authenticator field of accounting packets.
- Option to set the TOS byte of the IP header in outgoing RADIUS packets.

Queue and worker threads
A request can be:
- in the queue: waiting to start the execution of the PF
- in a worker thread: executing a PF
- suspended, in RAM: waiting for more information from an external system or process to continue the PF (proxy-radius, Access-Challenge packets, etc.)
Diagram: a new request is timestamped and added to the queue, whose size is bounded by the max number of waiting items; if it is detected as a duplicate it is logged and discarded and the original's timers are updated. PolicyServer worker threads take requests from the queue; a new message for a suspended request resumes it. Suspended and active requests are tracked separately.

Server Properties - Advanced
- Should not be modified unless instructed by Lucent support.
- Prevent loops in the execution of a Policy Flow.
- Limit the size of the queue.
- Support RADIUS dynamic authorization (RFC 3576) with proxy agents and/or NAS-Id.

More server properties
- Derive the Base-User-Name and the Realm from the User-Name AVP (realm\user, realm/user).
- Show in the logs the attributes marked as hidden in the dictionary.

Intelligent Queue Management
- Improves overall performance with duplicate and stale request deletion from the queue.
- 8950 AAA time-stamps each request on receipt. The incoming request is then compared with all other active requests (in queue or being processed) to see if it is a duplicate. The older request is retained in its present location in the queue or PolicyFlow, but its activity time-stamp is updated. The new incoming request is discarded.
Timeline diagram: the original request sets Client-Timeout; each NAS retransmission (after the Nas-Retransmission-Timer) extends Client-Timeout, as the NAS is still waiting for a response; either a response is generated, or the request is discarded when Client-Timeout expires because VA assumes the NAS is no longer waiting for a response.

Server Properties - Timeouts
- Client Timeout: if VA detects it has a request that has not been answered yet after the client timeout, it discards it.
- Saves CPU by not processing a response the client is no longer expecting.
- Should be slightly higher than the NAS timeout.
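Added example (Python, not code from the 8950 AAA product or from this deck) that models the duplicate rule of the RADIUS properties slide together with the timestamping, queue bound and Client-Timeout expiry of the queue and Intelligent Queue Management slides; the RequestRegister class, the timeout and the queue-size values are assumptions.

```python
# Added example, not 8950 AAA code: a request register that applies the
# duplicate rule and Client-Timeout handling described in the slides.
# A duplicate is a packet with the same source IP, source UDP port and
# RADIUS identifier as a request that is still active (queued, running in a
# worker thread, or suspended). The duplicate is discarded and the original
# request's activity timestamp is refreshed, which extends its Client-Timeout
# while the NAS keeps retransmitting. A request whose Client-Timeout elapses
# without a response is discarded as stale. The values below are assumptions.

CLIENT_TIMEOUT = 5.0   # seconds; should be slightly higher than the NAS timeout
MAX_QUEUE = 3          # "max # of waiting items" for the request queue


class RequestRegister:
    def __init__(self, client_timeout=CLIENT_TIMEOUT, max_queue=MAX_QUEUE):
        self.client_timeout = client_timeout
        self.max_queue = max_queue
        self.active = {}   # (src_ip, src_port, radius_id) -> last activity time
        self.queue = []    # keys waiting for a worker thread, FIFO

    def receive(self, src_ip, src_port, radius_id, now):
        """Classify an incoming packet: queued, duplicate or queue_full."""
        key = (src_ip, src_port, radius_id)
        if key in self.active:
            # Retransmission: keep the original where it is, extend its timer
            self.active[key] = now
            return "duplicate"
        if len(self.queue) >= self.max_queue:
            return "queue_full"
        self.active[key] = now          # timestamp on receipt
        self.queue.append(key)
        return "queued"

    def start_next(self):
        """Hand the oldest queued request to a worker thread; it stays active."""
        return self.queue.pop(0) if self.queue else None

    def complete(self, key):
        """A response was generated (or the PF ended); forget the request."""
        self.active.pop(key, None)
        if key in self.queue:
            self.queue.remove(key)

    def expire(self, now):
        """Discard requests the NAS is assumed to have stopped waiting for."""
        stale = [k for k, t in self.active.items()
                 if now - t > self.client_timeout]
        for key in stale:
            self.complete(key)
        return stale
```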
Server Properties - Configuration Server
Configuration related to the SMT/Config server.

RADIUS Lawful Intercept (LI) - CALEA
- Service providers must meet legal and regulatory requirements for the interception of voice and data communications in IP networks.
- Requirements vary from country to country; the CALEA name relates to the USA-specific requirements.
- Lawful intercept (LI) is a mechanism to know when a user connects/disconnects from an IP network and, optionally, the data the user actually transmitted/received.
- A data user (target) is identified by a well-known parameter: MSISDN (Calling-Station-Id), or IMSI for GSM/GPRS/UMTS mobile users.
- An LI must be authorized by a court order.

Proprietary solution
- Lawful intercept is always a vendor-specific mechanism; RFC 2804 explains why the IETF does not standardize LI.
- The Lucent 8950 AAA solution has been designed to work with:
  - SS8 Xcipio WDDF as IRI server (SS8 is a world-leading company in LI solutions)
  - Lucent Brick as IPSec server; it behaves as a RADIUS client

Lawful Intercept architecture (diagram)
- Elements: IAP (CC), IAP (IRI), provisioning, IRI server (SS8 Xcipio WDDF), Internet; the user to be wiretapped is the target.
- Provisioning: a target is identified by IMSI or MSISDN, with an action of iri_only or iri_and_cc (IAP CC status).
- On Attach, the Access-Request carries User-Name (1), NAS-IP-Address (4) and Calling-Station-Id (31); the Access-Accept returns Lucent-AAA-DF-CC-Address and Lucent-AAA-DF-CC-Port (5678 on the slide).
- A failed authentication attempt is also transmitted to the IRI server.
- In accounting, the IRI server must also be informed when the user really starts the session (Start) and disconnects (Stop).
- New in 5.1.
Abbreviations: IRI = Intercept Related Information; LEA = Law Enforcement Agency; IAP = Intercept Access Point.

Configuration of users to be intercepted
- A 3rd-party system configures which users (targets) are to be wiretapped, through a Lucent proprietary interface.
- For changes to be persistent across restarts, this information is saved to a binary file called intercept_targets.
- New in 5.1.
Client Panels - Clients
- New clients can be added without restarting the PolicyServer (Reload button).
- Specific parameters can be included: auth & acct timeouts, etc., and the client_class the client belongs to.
- Enhanced in 5.2.

Client Panels - Client Classes
- Override general server_properties for some clients, if these properties have not been configured in the radius_clients file.
- This information is stored in the client_properties file.

Address Manager - Configuration
- Define IP pools for dynamic IP address assignment to users.
- By default a limited number of addresses can be defined; this limit can be changed in server_properties.
- The pool definitions are stored in the address_pools file; VA has to be restarted to re-read this file and consider new pools.

Address Manager - Monitoring & Statistics
- The management of the IP addresses and pools is kept in memory; the assignment is done by the Address plug-in.
- Saved to the file address_leases to be persistent across VA restarts.

Logging Messages
- A log can automatically be written when a user authentication request is accepted, rejected, challenged or discarded; similarly for accounting.
- This configuration is stored in the server_properties file.
- Especially useful for the PA; with PF it can be configured directly in the method definition.
Logging in 8950 AAA
- Logging is one of the most important sources of information to troubleshoot a user connection.
Diagram: log_rules select messages by level (ERROR, WARNING, NOTICE, INFO, SALIENT, DEBUG, VERBOSE, BLITHER) and send them to log_channels; channel destinations include standard output/error, SNMP trap, file, SQL database, syslog and multiple destinations. Logs for an active request are buffered per worker thread and sent to the log_channel when the request is completely processed.

Log Channels
- We can define different log channels to send information to.
- These log channels are referenced in the PolicyFlow plug-ins or when configuring the logging rules.
- Stored in the log_channels file.

Rollover Modes
For the File with Time-Based File Switching and other time-rollover plug-ins, the following options are available:
- Minutes: 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30
- Hours: 1, 2, 3, 4, 6, 8, 12
- Day: 1
- Week: 1, 2, 3, 4
- Month: 1, 2, 3, 4, 6
- Year: 1

Logging Rules (I)
- We can configure different log levels for different areas in VA.
- The logging messages can be sent to different log channels; for instance, USS logs can be sent to a different log file than regular VA logs.
- Log levels are:
  0 - OFF
  1 - error
  2 - warning
  3 - notice
  4 - info
  5 - salient: includes packets received (IP and UDP)
  6 - debug: includes the PolicyFlow execution chain (methods)
  7 - verbose: includes the variables used after each method, and a HEX dump
  8 - blither: too much detail

Logging Rules (II)
- The Startup Log Rules are stored in the file log_rules.
- The Active Log Rules are initially taken from the Startup ones.
- Example rule shown on the slide: Level=INFO Continue=false Channel=LogToFile

Logging Rules (III) - Log areas
- Care should be taken when activating many traces: they degrade server performance, especially at the higher log levels (debug, trace, ...).

Log Rules (IV)
We can filter the logs by any attribute coming in the RADIUS request:
- specific users (request.User-Name)
- realms (packet.User-Realm)
- calling and called numbers (request.Called-Station-Id, etc.)
- type of RADIUS packet (packet.Packet-Type)
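Added example (Python, not code from the 8950 AAA product or from this deck) showing how the log rules of the Logging Rules slides can be evaluated, including the realm\user and realm/user derivation of Base-User-Name and Realm from the "More server properties" slide; the rule and packet representation, the attribute names other than those quoted on the slides, and the reading of Continue=false as "stop at the first matching rule" are assumptions.

```python
# Added example, not 8950 AAA code: evaluation of log rules as the Logging
# Rules slides describe them. Levels use the slide numbering (0 = OFF ...
# 8 = blither); each rule names a log area, an optional filter on
# request/packet attributes, a threshold level, a channel and a Continue flag
# (as in the rule "Level=INFO Continue=false Channel=LogToFile"). The rule
# and packet representation and the Continue semantics are assumptions.

LEVELS = ["OFF", "ERROR", "WARNING", "NOTICE", "INFO",
          "SALIENT", "DEBUG", "VERBOSE", "BLITHER"]


def split_user_name(user_name):
    """Derive (Base-User-Name, Realm) from the realm\\user or realm/user forms."""
    for sep in ("\\", "/"):
        if sep in user_name:
            realm, base = user_name.split(sep, 1)
            return base, realm
    return user_name, ""          # no realm delimiter present


def packet_attributes(packet):
    """Flatten a packet into the dotted names the log filters use."""
    attrs = {"request." + k: v for k, v in packet["attrs"].items()}
    base, realm = split_user_name(packet["attrs"].get("User-Name", ""))
    attrs["packet.Packet-Type"] = packet["type"]
    attrs["packet.Base-User-Name"] = base
    attrs["packet.User-Realm"] = realm
    return attrs


def rule_matches(rule, area, attrs):
    if rule["area"] not in (area, "*"):
        return False
    return all(attrs.get(name) == value
               for name, value in rule.get("filter", {}).items())


def route(rules, packet, area, level_name):
    """Return the channels a message of level_name in area is sent to.

    Rules are evaluated in order. A matching rule emits the message when the
    message level does not exceed the rule's threshold (OFF emits nothing).
    Continue=false stops the evaluation at the first matching rule.
    """
    level = LEVELS.index(level_name)
    attrs = packet_attributes(packet)
    channels = []
    for rule in rules:
        if not rule_matches(rule, area, attrs):
            continue
        if level <= LEVELS.index(rule["level"]):
            channels.append(rule["channel"])
        if not rule.get("continue", False):
            break
    return channels


# Constructed rule set: a per-user debug trace that continues to later rules,
# an accounting-only rule, and the catch-all rule quoted on the slide.
RULES = [
    {"area": "radius", "filter": {"request.User-Name": "lab\\alice"},
     "level": "DEBUG", "channel": "DebugAlice", "continue": True},
    {"area": "radius", "filter": {"packet.Packet-Type": "Accounting-Request"},
     "level": "NOTICE", "channel": "AcctFile", "continue": False},
    {"area": "*", "level": "INFO", "channel": "LogToFile", "continue": False},
]
```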
Monitoring Logs
Toolbar functions shown on the slide:
- Stop / start the file
- Pause / resume the tailing
- Clear the screen content
- Open the file in a text editor
- Send to printer
- Change the log level
- Select the log file

8950 AAA Statistics (I)
To see the load on the server, both for authentication and for accounting:
- Number of packets/s received
- Ratio of requests accepted and rejected
- Duplicates and error packets
- Memory use
- Etc.

8950 AAA Statistics (II)

8950 AAA Statistics (III)

8950 AAA Statistics (& IV)
- The Processing Period table shows how long each method has taken to execute (ms/execution).
- Useful to detect the bottleneck in our server and improve performance (SQL DBs, LDAP servers, USS, etc.).

File Tools
- To access files without needing telnet/ssh access to the host.
- All files must be in the run directory.
- Several panels:
  - User Files: reads any file with a "classical" users format
  - Dictionary Editor
  - File Manager: to delete and copy files
  - Tail: to see the last lines inserted in a file (similar to Monitor Log File)
File Tools - Users files
- To edit a users file without memorizing all dictionary attributes.
- There is a display list for check-items and reply-items; this attribute list can be configured in the SMT properties.
- Screenshot columns: Users' Names, Check-items, Reply-Items.

File Tools - Dictionary Editor
- To view existing attributes.
- To add any Vendor-Specific Attribute (VSA).
- New in 5.2.1.

File Tools - File Manager
- To delete, rename and copy files in the run directory.

File Tools - Property file editor
- If the property to add is a RADIUS attribute, it can be selected from the dictionary without needing to know it by heart.

Start/Stop of servers
- To check the status of, start or stop any 8950 AAA server: PolicyServer, GUI config server.
- This check is made every 5 seconds (by default).

Configuration Report
- To see at a glance all the 8950 AAA configuration.

Files to provide to Lucent Support
- In case it is necessary to contact Lucent Support Services, all the important files needed can automatically be packaged in the vacfg.zip file, on the server hard disk, not on the SMT host.
Overview
- Server related configuration
- Client related features

RADIUS Test Client
- Equivalent to varc, but with a graphical interface.
- Different client scenarios: PAP=Basic, CHAP, Challenge Simulator, etc.

RADIUS NAS Load
- Simulates a network of NASs sending different types of requests, with a variety of User-Names, NAS-IP-Address, NAS-Port-Type, session duration, etc.
- Equivalent to vasim, but with a graphical interface.
- It is invoked from the RADIUS Test Client, with Scenario=NasLoad.
- It is a very powerful tool for performance and stress tests.
- Allows heavy testing of the USS.

Database Tools
- Built-in database client to connect to any database.
- To create users in a users table.
- To see/modify any table by using views; the views created are stored in the db_properties file on the server.
- The proper JDBC driver should be installed under /lib.

User Profiles
- To easily manage users in a graphical way.
- Possibility to filter and sort entries.
- Can import entries from a text file with users format, csv format, etc.

Table Tool
- Possibility to define a view of any table for easy and quick access, similarly to the Users Table.
- With sorting criteria.

SQL Tool
- To execute any SQL command.
- There is a list of existing tables, and of the columns for each table.
Manage DB Users
- To create/delete DB operators.

SMT Preferences (I): Look & Feel
- All SMT preferences are stored in the guiconfig_properties file, on the SMT host, not on the server host.

SMT Preferences (II): Attribute lists
We can configure which attributes appear in the lists for:
- File Tools -> User Files: Check-Items and Reply-Items
- Configuration Tools -> Clients -> Client Class: for the configuration of custom variables

SMT Preferences (III): Other panels
- Some panels are only available when running the SMT in Expert Mode: Dictionary, some server statistics, etc.
- We can select which programs will open certain files.
- How often to check whether the servers are up or down.

SMT Panel Loading
- Some panels have no relationship with server files or CLI commands.
- They can only be shown/hidden through the SMT properties, in the smt_properties file on the SMT client host.