Presentation transcript: Universal State Server (USS)
All Rights Reserved © Alcatel-Lucent 2007

Slide 1: Universal State Server (USS)

Slide 2: USS Module Objectives
- Get to know the way it works and its utility
- How to configure counters and records data
- Information that can be stored and how to read it
- Indices: configuration and use
- USS triggers to execute a PF on a USS transition
- How to invoke the USS from another VitalAAA server
- Statistics
- AI commands
- RAM needed by USS

Slide 3: USS Introduction
- The Universal State Server (USS) collects information on users' sessions from one or more VitalAAA Front End servers
- This information may be used to monitor or limit users' connections based on User-Name, realm, DNIS, CLID, etc.
- It is like an in-memory database
- The USS can run in the same host as a VA front end, or in a separate host used only to process USS requests
- Only one USS can be active in the network, no matter how many VA front ends there are
- With HA-USS, 1:1 redundancy is possible

Slide 4: USS Network diagram (figure: a NAS reached by a user over the PSTN, Front End AAA #1 and #2, the Universal State Server, LDAP directories or database servers, RADIUS to a remote ISP over the Internet)

Slide 5: Authentication and Accounting Data Flow between VA and USS (figure with three columns: NAS, VitalAAA, USS)
Authentication:
- NAS -> VitalAAA: Send Access-Request
- VitalAAA -> USS: USS Query (Check Limits)
- USS: Add Record, Increment counters; USS -> VitalAAA: ACK
- VitalAAA -> NAS: Send Access-Accept; NAS: Start session
Accounting:
- NAS -> VitalAAA: Send START record
- VitalAAA -> USS: Notify USS of START; USS: Port In-Use, Update Record; USS -> VitalAAA: ACK
- VitalAAA -> NAS: Send Acct-Response
- NAS -> VitalAAA: Send STOP record
- VitalAAA -> USS: Notify USS of STOP; USS: Release Port, Delete Record, Decrement counters; USS -> VitalAAA: ACK
- VitalAAA -> NAS: Send Acct-Response

Slide 6: A deeper look (I): Authentication
- VitalAAA notifies the USS of an incoming auth request, providing the NAS-IP-Address, NAS-Port and call info
- VitalAAA sends a request to the USS listing the NAS and Port, plus any other attribute: User-Name, Called-Station-Id (DNIS), Realm, etc.
- For each item sent, a limit may be specified. For example:
    User-Name = auser    UserLimit = 1
    DNIS =               DNISLimit = 500

Slide 7: A deeper look (II): Authentication
- The USS looks to see if the port is in use and notifies the PolicyFlow of the port status
- If the NAS and Port identified in the request are shown as busy, the USS assumes an error has occurred and deletes the old entry; a missed-stop counter is incremented
- For each specified limit received, the USS checks whether the current count for the item exceeds the specified limit
- If all specified items are under limit, an ACK is returned to the PolicyFlow
- If any of the items is over the specified limit, a NACK is returned instead

Slide 8: A deeper look (III): Authentication
- The USS temporarily marks the port as busy and records information about the port usage (User-Name, DNIS, etc.)
- Simultaneously with sending the ACK to VitalAAA, the USS does the following:
  - adds an entry to the USS data table with session information, including NAS IP Address + NAS Port, User-Name, etc.
  - increments the counters configured
  - marks the time the entry was received
- If an authentication entry is not validated by an accounting START record within a pre-defined time (accounting start timeout), it will be removed

Slide 9: A deeper look (IV): Accounting Start
- VitalAAA notifies the USS when the accounting START record is received
- An accounting START record provides positive proof that a user session has actually begun: it is possible for a session to disconnect after the authentication request has been answered with an Access-Accept, whereas a START record is only sent after the session has actually begun
- A PolicyFlow method using the StateClient/StateServer plug-in is placed in the accounting flow to notify the USS of the START record arrival
- The USS marks the port as in-use
- The temporary time stamp is removed from the USS record
- The record will not be deleted until an accounting STOP record is received or the maximum session time-to-live (session timeout) is exceeded

Slide 10: A deeper look (V): Accounting Stop
- The PolicyFlow notifies the USS when the accounting STOP record is received
- An accounting STOP record provides positive proof that a user session has ended
- A PolicyFlow method using the StateClient/StateServer plug-in is placed in the accounting flow to notify the USS of the STOP record arrival
- The USS entry is deleted and counters are decremented

Slide 11: USS Operation (1): a simple authentication under the limits configured
RADIUS Request (Packet Type = Access-Request): User-Name = auser; Called-Station-Id = ; NAS-IP-Addr = ; NAS-Port = 45
StateServer plug-in params (PolicyFlow = Authentication): User-Name = auser; NAS-IP-Addr = ; NAS-Port = 45; DNIS = ; Realm = eol-es; Group = tot-eol; Limit-User-Name = 1; Limit-Realm = 1; Limit-Group =
Universal StateServer (result: ack):
    Key      User   | User counter | Realm counter | group counter
    ..._45   auser  | auser 1      | eol-es 1      | tot-eol 1

Slide 12: USS Operation (2): the START record confirms that the session has begun
RADIUS Request (Packet Type = Accounting START): User-Name = auser; NAS-IP-Addr = ; NAS-Port = 45
StateServer plug-in params (PolicyFlow = Accounting): User-Name = auser; NAS-IP-Addr = ; NAS-Port = 45
Universal StateServer (result: ack), unchanged:
    Key      User   | User counter | Realm counter | group counter
    ..._45   auser  | auser 1      | eol-es 1      | tot-eol 1

Slide 13: USS Operation (3): another simple access; note that the group1 counter increases
RADIUS Request (Packet Type = Access-Request): User-Name = buser; Called-Station-Id = ; NAS-IP-Addr = ; NAS-Port = 23
StateServer plug-in params (PolicyFlow = Authentication): User-Name = buser; NAS-IP-Addr = ; NAS-Port = 23; DNIS = ; Realm = eol-fr; Group1Name = tot-eol; Limit-User = 1; Limit-Realm = 1; Limit-Group =
Universal StateServer (result: ack):
    Key      User   | User counter       | Realm counter       | group counter
    ..._45   auser  | auser 1, buser 1   | eol-es 1, eol-fr 1  | tot-eol 2
    ..._23   buser  |

Slide 14: USS Operation (4): again, the START record confirms the access, but does not increment the counters
RADIUS Request (Packet Type = Accounting START): User-Name = buser; NAS-IP-Addr = ; NAS-Port = 23
StateServer plug-in params (PolicyFlow = Accounting): User-Name = buser; NAS-IP-Addr = ; NAS-Port = 23
Universal StateServer (result: ack), unchanged:
    Key      User   | User counter       | Realm counter       | group counter
    ..._45   auser  | auser 1, buser 1   | eol-es 1, eol-fr 1  | tot-eol 2
    ..._23   buser  |

Slide 15: USS Operation (5): auser tries again, but this time note we have set a UserLimit of 1, which he exceeds
RADIUS Request (Packet Type = Access-Request): User-Name = auser; NAS-IP-Addr = ; NAS-Port = 38; Called-Station-Id =
StateServer plug-in params (PolicyFlow = Authentication): User-Name = auser; NAS-IP-Addr = ; NAS-Port = 38; Realm = eol-es; Called-Station-Id = ; Group1Name = tot-eol; Limit-User = 1; Limit-Realm = 1; Limit-Group = 2
Universal StateServer (result: nack), unchanged:
    Key      User   | User counter       | Realm counter       | group counter
    ..._45   auser  | auser 1, buser 1   | eol-es 1, eol-fr 1  | tot-eol 2
    ..._23   buser  |

Slide 16: USS Operation (6): now the Realm Limit is reached; since cuser is the second user using eol-es, he is refused access
RADIUS Request (Packet Type = Access-Request): User-Name = cuser; NAS-IP-Addr = ; NAS-Port = 13; Called-Station-Id =
StateServer plug-in params (PolicyFlow = Authentication): Called-Station-Id = ; User-Name = cuser; NAS-IP-Addr = ; NAS-Port = 13; Realm = eol-es; Group1Name = tot-eol; Limit-User = 1; Limit-Realm = 1; Limit-Group = 2
Universal StateServer (result: nack; Limit = 1 is >= Realm total of 1), unchanged:
    Key      User   | User counter       | Realm counter       | group counter
    ..._45   auser  | auser 1, buser 1   | eol-es 1, eol-fr 1  | tot-eol 2
    ..._23   buser  |

Slide 17: USS Operation (7): cuser tries again, this time using a different realm, but now we have a Group1Limit
RADIUS Request (Packet Type = Access-Request): User-Name = cuser; NAS-IP-Addr = ; NAS-Port = 13; Called-Station-Id =
StateServer plug-in params (PolicyFlow = Authentication): User-Name = cuser; NAS-IP-Addr = ; NAS-Port = 13; Called-Station-Id = ; Limit-User = 1; Limit-Realm = 1; Group1Name = tot-eol; Limit-Group = 2
Universal StateServer (result: nack; Counter = 2 is >= group1 Limit of 2), unchanged:
    Key      User   | User counter       | Realm counter       | group counter
    ..._45   auser  | auser 1, buser 1   | eol-es 1, eol-fr 1  | tot-eol 2
    ..._23   buser  |

Slide 18: Operational Key Points
- The USS only keeps track of counters and session info
- The USS doesn't store limit information
- The limits are set in the StateServer plug-in, reading them from a file, external source, etc.
- We can establish different limits for different users for the same counter
- Some users can have limits on certain attributes, and other users on different attributes: one user may have limits based on User-Name, another on realm, another on DNIS + User-Name, etc.

Slide 19: USS Records (I)
USS records store session information of connections. A record contains 5 main fields (figure: KEY = NAS-IP-Addr + Port | State | dates | NAS | SessionId | AVPs: User-Name, DNIS, CLID, etc.):
- Key: identifies the session in a unique way
  - Two different simultaneous connections can't have the same key
  - By default it is NAS-IP-Addr + NAS-Port, though it can be changed
  - The token at the left side of the "+" sign is also called subkey
- NAS: identifier of the NAS. Used for accounting-on/off, in case the key doesn't include the NAS-IP
- SessionId: to correlate whether an event is for a new session or an existing one
- AVPs: User-Name, DNIS, CLID, etc.
- State (see next slide)

Slide 20: USS Records (II)
- State: shows the state of this user's session (record)
  - Inactive: this NAS-Port doesn't have a connection right now, but it had one. Inactive records can be deleted from memory or kept, if they are to be reused
  - Waiting-for-start: an Access-Request has been received, and the USS is waiting for the Acct-Start packet
  - Active: the session has been successfully established
- Dates: of the last modification of the record, of the event (RADIUS request) and the expiration time
  - Modification and Event timestamps can be different on Acct if there have been retransmissions (Acct-Delay-Time attribute)
- Data, Resources or AVPs (attrs): any extra data related to this session provided by the PolicyFlow
  - Used to be read later by the PolicyFlow or to update counters: User-Name, User-Realm, CLID, DNIS, groups, etc.
  - Also referenced as uss variables

Slide 21: Counters (I)
A counter counts the number of occurrences of a specific resource; usually it represents the active sessions using that resource. There are 2 types of counters:
- Access or restrictive: incremented upon receiving an Access-Request
  - If the Acct-Start is not received before a timer expires, it is assumed the session wasn't successfully completed, and the counter will be decremented
  - A session which doesn't complete successfully may limit another one which would have been successful if not refused by the USS
- Accounting or permissive: incremented upon receiving an Acct-START
  - It doesn't include authenticated sessions which haven't been established completely

Slide 22: Counters (II)
- Counters are costly to maintain in terms of memory and CPU
- It's not necessary to count every attribute of a session
- Only the counters specified in uss_counters will be maintained: User-Name, User-Realm, Called-Station-Id, DNIS, CLID, POP, etc.
- A counter can have any name, not necessarily a RADIUS attribute
    COUNTER      Type    Resource counts
    DNIS         Access
    User-Realm   Acct    terra 9004, arrakis 1205, able 106, etc.
    User-Name    Access  ... 1, ... 1

Slide 23: Finite State Machine: regular transitions (figure, reconstructed as a list)
States: Non-existent, Waiting_for_start, Active, Inactive
- Non-existent -> Waiting_for_start on Access-Request: create a new record, ++ access counters
- Inactive -> Waiting_for_start on Access-Request: modify the record, ++ access counters
- Waiting_for_start -> Active on Acct START: ++ acct. counters
- Waiting_for_start -> Inactive on AcctStart Timeout: -- access counters
- Active -> Active on Acct INTERIM
- Active -> Inactive on Acct STOP | Acct-Off | Acct-On, or on Session Timeout: -- counters
- Inactive -> Non-existent on Inactive Timeout

Slide 24: Finite State Machine: irregular transitions, where the USS determines a packet has been lost (figure, reconstructed as a list)
- Waiting_for_start, Access-Request with a different Acct-Session-Id: the pending session never started; ++ Missed-Starts, -- access counters for it, ++ access counters for the new session
- Active, Access-Request with a different Acct-Session-Id: the STOP was lost; ++ Missed-Stops, -- counters, ++ access counters for the new session
- Non-existent or Inactive, Acct-Start or Acct-Interim: the authentication was never seen; ++ Missed-Auths, ++ access counters, ++ acct. counters, the record becomes Active
- Non-existent or Inactive, Acct-Stop or Acct-On: irregular as well, since there is no session to act on
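The following Python model, added here as an example (it is not VitalAAA or USS code), replays the state machine of slides 6-10 and 23-24 with the two counter families of slide 21 and the same-key/different-Acct-Session-Id rule of slide 32. The names Uss, Record, auth, acct_start and demo, the NAS address 192.0.2.1, the session ids and the realms eol-de and eol-pt are assumptions; Inactive records are simply deleted (as with InactiveTimeout = 0) and Acct-On/Off handling is left out.

```python
"""Toy USS session table (slides 6-10, 21, 23-24, 32); an added example, not VitalAAA/USS code.
Access counters move on Access-Request, acct counters on Acct-Start, lost packets are counted in
Missed-Auths/Starts/Stops, and limits arrive with each request, as the plug-in passes them."""
from dataclasses import dataclass, field

WAITING_FOR_START, ACTIVE = "waiting_for_start", "active"

@dataclass
class Record:
    nas: str
    session_id: str
    state: str
    expires_at: float                        # -1 = never expires
    avps: dict = field(default_factory=dict)

class Uss:
    def __init__(self, acct_start_timeout, session_timeout=-1, counted=None):
        self.acct_start_timeout, self.session_timeout = acct_start_timeout, session_timeout
        self.counted = counted or {}         # resource -> "access" | "acct", like uss_counters
        self.records = {}                    # key (NAS-IP-Address + NAS-Port) -> Record
        self.counters = {name: {} for name in self.counted}
        self.stats = {"Missed-Auths": 0, "Missed-Starts": 0, "Missed-Stops": 0}

    def _bump(self, kind, avps, delta):
        for name, ctype in self.counted.items():
            if ctype == kind and name in avps:
                new = self.counters[name].get(avps[name], 0) + delta
                if new > 0:
                    self.counters[name][avps[name]] = new
                else:
                    self.counters[name].pop(avps[name], None)

    def count(self, name, value):
        return self.counters.get(name, {}).get(value, 0)

    def _release(self, rec):                 # access counters always, acct counters once active
        self._bump("access", rec.avps, -1)
        if rec.state == ACTIVE:
            self._bump("acct", rec.avps, -1)

    def _expiry(self, now, timeout):
        return -1 if timeout < 0 else now + timeout

    def auth(self, key, nas, session_id, avps, limits, now):
        """Access-Request: returns True for ACK, False for NACK (slides 7-8)."""
        self.expire(now)
        old = self.records.get(key)
        if old is not None and old.session_id != session_id:
            # Port busy with another session: its STOP (or its START) was lost (slides 7, 24, 32)
            self.stats["Missed-Stops" if old.state == ACTIVE else "Missed-Starts"] += 1
            self._release(self.records.pop(key))
        for name, limit in limits.items():
            if 0 <= limit <= self.count(name, avps[name]):   # -1 = no limit, 0 = no access (slide 29)
                return False                                # "1 is >= Realm total of 1" (slide 16)
        self.records[key] = Record(nas, session_id, WAITING_FOR_START,
                                   self._expiry(now, self.acct_start_timeout), dict(avps))
        self._bump("access", avps, +1)
        return True

    def acct_start(self, key, nas, session_id, avps, now):
        rec = self.records.get(key)
        if rec is None or rec.session_id != session_id:
            self.stats["Missed-Auths"] += 1              # START with no Access-Request seen (slide 24)
            if rec is not None:
                self._release(self.records.pop(key))
            rec = self.records[key] = Record(nas, session_id, WAITING_FOR_START, -1, dict(avps))
            self._bump("access", avps, +1)
        if rec.state == WAITING_FOR_START:               # a retransmitted START changes nothing
            rec.state = ACTIVE
            self._bump("acct", rec.avps, +1)
        rec.expires_at = self._expiry(now, self.session_timeout)

    def acct_stop(self, key):
        rec = self.records.pop(key, None)
        if rec is not None:
            self._release(rec)

    def expire(self, now):                     # Acct-Start timeout and session timeout (slide 25)
        for key in [k for k, r in self.records.items() if 0 <= r.expires_at <= now]:
            self._release(self.records.pop(key))

def demo():
    """Slides 11-17 (Limit-User 1, Limit-Realm 1, Limit-Group 2, group counted on Acct-Start), then an
    Acct-Start timeout and a busy port re-used by another session (slides 7, 24, 25).  Constructed data."""
    uss = Uss(30, counted={"User-Name": "access", "User-Realm": "access", "group": "acct"})
    lim, nas = {"User-Name": 1, "User-Realm": 1, "group": 2}, "192.0.2.1"
    avps = lambda user, realm: {"User-Name": user, "User-Realm": realm, "group": "tot-eol"}
    acks = [uss.auth(nas + "+45", nas, "s1", avps("auser", "eol-es"), lim, 0)]      # slide 11: ack
    uss.acct_start(nas + "+45", nas, "s1", avps("auser", "eol-es"), 1)             # slide 12
    acks.append(uss.auth(nas + "+23", nas, "s2", avps("buser", "eol-fr"), lim, 2))  # slide 13: ack
    uss.acct_start(nas + "+23", nas, "s2", avps("buser", "eol-fr"), 3)             # slide 14
    acks.append(uss.auth(nas + "+38", nas, "s3", avps("auser", "eol-es"), lim, 4))  # slide 15: user limit
    acks.append(uss.auth(nas + "+13", nas, "s4", avps("cuser", "eol-es"), lim, 5))  # slide 16: realm limit
    acks.append(uss.auth(nas + "+13", nas, "s5", avps("cuser", "eol-de"), lim, 6))  # slide 17: group limit
    uss.auth(nas + "+7", nas, "s6", avps("duser", "eol-de"), {"User-Name": 1}, 7)   # accepted, never STARTs
    uss.expire(40)                                      # Acct-Start timeout undoes duser's access count
    reuse_ack = uss.auth(nas + "+45", nas, "s7", avps("euser", "eol-pt"), {"User-Name": 1}, 41)
    return {"acks": acks, "duser_after_timeout": uss.count("User-Name", "duser"), "reuse_ack": reuse_ack,
            "auser_after_reuse": uss.count("User-Name", "auser"), "group": uss.count("group", "tot-eol"),
            "missed_stops": uss.stats["Missed-Stops"]}
```

demo() yields the five ack/nack outcomes of slides 11-17, then shows duser's access count disappearing when no START arrives within the timer, and port 45 being re-used while auser's session still looks active: the model books a missed STOP, releases auser's counters (the acct-type group counter drops from 2 to 1) and only then admits the new session.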

Slide 25: Timers Configuration (server_properties)
    ...
    StateServer_AcctStartTimeout =
    StateServer_SessionTimeout = -1
    StateServer_InactiveTimeout = -1
    StateServer_KeySeparator = +
    ...
- StateServer_AcctStartTimeout: to determine that the session didn't actually start, and the NAS hasn't sent an ACCT STOP record
- StateServer_SessionTimeout: to determine whether an ACCT STOP record has got lost
- StateServer_InactiveTimeout: if the NASs reuse their ports and there are no indices, this value should be -1 to reuse the entries (it is faster to modify an entry than to delete it and create it later). If the NASs don't reuse their ports in a short amount of time (or there are indices), the USS records should be deleted as soon as possible: value 0 for GGSN, LNS of L2TP, IPsec servers, etc.

Slide 26: Counters Configuration (uss_counters)
    # Attribute     Count         Time
    #
    User-Name       Access
    User-Realm      Accounting

Slide 27: The StateServer plug-in
- It invokes the USS running in the same host
- This plug-in has 2 main functions:
  - Authorize users' access based on the network use
  - Provide the USS with information on access or acct, so that the USS updates the information it has about network usage

Slide 28: Info provided to and retrieved from the USS
The StateServer exchanges information with the USS (figure: StateServer/StateClient sends a Request-Map to the USS and receives a Reply-Map; the USS holds the counters and their occurrences):
- Request Map: the USS is provided with all the information needed for updating network resources and limiting the session:
  - the info to store in the session's record and to update counters
  - which counters limit this connection
  - specific timers for this record entry
- Reply Map: optionally, the PF can read information stored in the USS: data in the USS record for this connection (identified by the key), and counter occurrences

Slide 29: Info provided to the USS (I): Request-Map
In the variable mapping, the left side is a USS variable and the right side is a VA variable. The USS variables may be of 3 types:
- uss or attr: an AVP to store in the record entry
    ${uss.User-Realm} = ${packet.User-Realm};
    ${attr.User-Realm} = ${packet.User-Realm};
- limit: the limit for this counter occurrence
  - It must be configured in the uss_counters file
  - It must also have a uss counterpart variable with the same name
  - Two special values: -1 = no limit; 0 = no access
    ${limit.User-Realm} = ${user.Realm_Limit:-1};

Slide 30: Info provided to the USS (II): Request-Map
- timeout: specific timeouts for this entry, instead of the general ones: acctstart, session, inactive
    ${timeout.session} = ${reply.Session-Timeout[increment(60),multiply(1000)]:-1};
- When a limit is specified and the counter is at the limit at that moment, the StateServer plug-in fails and the PolicyFlow goes on with Method-on-Fail
- Example to limit to 10 connections by realm:
    ${uss.User-Realm} = ${packet.User-Realm};
    ${limit.User-Realm} = 10;
- Usually the limit is read from a file/database, to have different limits for different realms (customers):
    ${limit.User-Realm} = ${user.Realm_Limit};

Slide 31: Info retrieved from the USS: Reply-Map
The info read is stored in VA variables: the left part is a VA variable, the right part a USS variable of one of these 2 groups:
- uss: the value of an AVP stored in a record entry, which was previously stored through the request map
    ${user.POP_name} = ${uss.POP_name}
- count: the value of a resource in a counter passed in the Request-Map
  - for the specific counter provided in the Request-Map:
    ${user.Realm-Count} = ${count.User-Realm};
  - for any dynamic specific counter:
    ${user.tmp_var_name} = count.User-Realm.${packet.User-Realm};
    ${user.This-Realm-Count} = ${tmp_var_name[indirect]};

Slide 32: StateServer Advanced Properties (I)
- Key-Attribute: how to identify different connections uniquely
  - No two sessions can have the same key simultaneously
  - If a new session starts with the same key (and a different Acct-Session-Id), the previous session is supposed to have finished (and its Acct STOP packet was lost); counters are also decreased for the previous session
- Nas-Attribute: to be able to close all sessions on a NAS reboot (Acct-On & Acct-Off packets)
  - Necessary if the Key-Attribute doesn't contain information about the NAS

Slide 33: StateServer Advanced Properties (II)
- SessionId-Attribute: to be able to distinguish an update of an existing session from a new session with the same key
  - All packets of the same session should have the same Acct-Session-Id (including Acct Interim-Update packets)
- Event-Time-Attribute: time when the event took place in the NAS
  - Can be different from the Receipt-Time if there have been retransmissions (Acct-Delay-Time AVP)
- User-Attribute: only for support of legacy ComOS-based NASs, where Acct-Session-Id = 0

Slide 34: StateServer Advanced Properties (III): Event
Event: what transition the USS should do: Auth, Start, Update, Stop, Boot, Shutdown, Timeout, None, AUTO
- The default value (AUTO) is determined automatically according to the RADIUS packet received:
  - AUTH for Access-Request with a new Acct-Session-Id (or NULL)
  - START for Acct-Start
  - UPDATE for Acct-Interim
  - STOP for Acct-Stop
- BOOT and SHUTDOWN should be used for Acct-On and Acct-Off packets
- NONE, to read values (reply-map) when no modification has to be made
- TIMEOUT, to simulate that the expected packet hasn't arrived, and to decrease counters

Slide 35: StateServer example for authentication
Limits the connection based on User-Name and realm limits. If not specified, the limit for User-Name is 1, and there is no limit for realm.
    checkLimits
        Method-Type = StateServer
        StateServer-RequestMap = "${uss.User-Name} = ${request.User-Name};"
        StateServer-RequestMap = "${limit.User-Name} = ${user.User-Limit:1};"
        StateServer-RequestMap = "${uss.User-Realm} = ${packet.User-Realm};"
        StateServer-RequestMap = "${limit.User-Realm} = ${user.Realm-Limit:-1};"

Slide 36: StateServer example for accounting
In the accounting PolicyFlow no limits need to be set: there is no possibility now to reject a user's connection. The USS must know that a START | INTERIM | STOP | Acct-OFF has been received.
    updateLimits
        Method-Type = StateServer
        Method-On-Success = writeCDR
        StateServer-RequestMap = "${uss.User-Name} = ${request.User-Name};"
        StateServer-RequestMap = "${uss.User-Realm} = ${packet.User-Realm};"

Slide 37: Non-attribute counters (I)
- The counter names need not be attributes; we can count anything we want
- The meaning of these non-attribute counters is given by the application and the PolicyFlow definition. Examples:
  - Service class: each user is assigned a service class (gold, silver, bronze, etc.). We want to limit the "bronze" users to , as more would degrade network performance for "gold" users
  - Simultaneous connections by POP or geographic area: there are several NASs in a POP
  - Simultaneous connections of users belonging to the same realm
  - Simultaneous connections by a group of realms

Slide 38: Non-attribute counters (II): Example for a group of realms (I)
- We want to limit the total number of sessions of a customer, identified by a group of realms
- The counter name is defined as group
- We can read from an external source (file/database) the realm_group name for each realm, and even the limit for each one
    Realm2Group.txt
    # Realm      Provider    Limit
    teleline     terra       1000
    telelineb    terra
    terra        terra       5000
    arrakis1     arrakis-1
    arrakis2     arrakis-1
    etc...

    Group_limit.txt
    # Provider   Limit
    Terra        70000
    arrakis      5000
    etc...

Slide 39: Non-attribute counters (III): Example for a group of realms (II)
    ReadRealmInfo
        Method-Type = ReadColumnarText
        Method-On-Success = ReadGroupInfo
        ReadColumnarText-Text =
        ReadColumnarText-Map = << ${user.group} = ${2}; ${user.realm_limit} = ${3}; >>
        ReadColumnarText-SearchKey = ${packet.User-Realm}

    ReadGroupInfo
        Method-Type = ReadColumnarText
        Method-On-Success = CheckLimits
        ReadColumnarText-Text =
        ReadColumnarText-Map = "${user.group_limit} = ${2};"
        ReadColumnarText-SearchKey = ${user.group}

    CheckLimits
        Method-Type = StateServer
        StateServer-RequestMap = << ${uss.User-Name} = ${request.User-Name};
                                    ${uss.Realm} = ${packet.User-Realm};
                                    ${limit.Realm} = ${user.realm_limit};
                                    ${uss.group} = ${user.group};
                                    ${limit.group} = ${user.group_limit}; >>

    uss_counters
        Realm   Access
        group   Access
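Here is the same realm-to-group-to-limit chain of slides 37-39 in Python, added as an example (not VitalAAA code): read_columnar stands in for ReadColumnarText over two embedded files modelled on slide 38 (their contents are constructed, and the group row is named arrakis-1 so that the second lookup matches), and resolve_limits assembles the uss.* and limit.* values that CheckLimits would hand to the USS, defaulting a missing limit column to -1 (no limit), the same default the slides use in ${user.Realm_Limit:-1}. Function names are assumptions.

```python
"""Per-request limits resolved from external columnar files, as in slides 37-39.
Added example, not VitalAAA code; the two files below are constructed."""

REALM2GROUP = """\
# Realm      Provider    Limit
teleline     terra       1000
telelineb    terra
terra        terra       5000
arrakis1     arrakis-1
arrakis2     arrakis-1
"""

GROUP_LIMIT = """\
# Provider   Limit
terra        70000
arrakis-1    5000
"""


def read_columnar(text, search_key, key_col=1):
    """Stand-in for ReadColumnarText: the whitespace-split columns of the first non-comment row
    whose column key_col equals search_key, or None (the PF would take Method-On-Failure)."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cols = line.split()
        if cols[key_col - 1] == search_key:
            return cols
    return None


def resolve_limits(user_name, realm, realm2group=REALM2GROUP, group_limit=GROUP_LIMIT):
    """Build the uss.* and limit.* pairs CheckLimits sends (slide 39).  The USS stores none of the
    limits (slide 18); they are looked up here per request.  A missing column means -1 = no limit."""
    realm_row = read_columnar(realm2group, realm)
    if realm_row is None:
        return None                                   # ReadRealmInfo fails: unknown realm
    group = realm_row[1]                              # ${user.group} = ${2}
    realm_limit = int(realm_row[2]) if len(realm_row) > 2 else -1   # ${user.realm_limit} = ${3}
    group_row = read_columnar(group_limit, group)
    group_lim = int(group_row[1]) if group_row and len(group_row) > 1 else -1
    return {"uss": {"User-Name": user_name, "Realm": realm, "group": group},
            "limit": {"Realm": realm_limit, "group": group_lim}}
```

resolve_limits("auser", "telelineb") returns group terra with Realm limit -1 (the row has no third column) and group limit 70000; an unknown realm returns None, which is where the PF would branch on Method-On-Failure instead of sending anything to the USS.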

Slide 40: Indices (I)
- Any value from the session record can be read by searching by the key; only 1 possible entry will be returned
- Indices let us search entries from the records table by any AVP; many entries can be returned if the search value is not unique
- Having indices created, and reading data often using the indices, has a great impact on performance (CPU + memory): they should only be created when strictly necessary
- USS records based on an index can be read from:
  - PF: QueryUss plug-in
  - CLI: index AI command
  - external systems, by LDAP
(figure: search criteria = index over the record layout KEY = NAS-IP-Addr + Port | State | dates | NAS | SessionId | AVPs: User-Name, DNIS, CLID, etc.)

Slide 41: Indices (II)
Examples:
- by User-Name: what is the Calling-Number of a certain User-Name? Which NASs have calls for a User-Name?
- by DNIS: which user(s) have dialed to a certain DNIS/APN?
- by CLID: which User-Name is calling from a certain CLID?
- by IP address: which user has been assigned a certain IP address right now?
- by realm: which users and which CLIDs are connected to that realm?
(figure: the record layout KEY = NAS-IP-Addr + Port | State | dates | NAS | SessionId | AVPs: User-Name, DNIS, CLID, etc.)

Slide 42: Indices configuration (uss_indices)
    User-Name

Slide 43: QueryUss plug-in
- Used to retrieve entries from the USS, searching based on an index. It is similar to the 'state index list' command
- All entries that match a given index/value combination are retrieved and stored in a multi-valued variable, which could be processed, for example, by using the Iterate plug-in
- Properties:
  - Index: which index to search. Special values include KEY or NAS
  - Value: the value of the index
  - Result: (multi-valued) variable to store the USS record(s) matching the search criteria. The USS fields of the record(s) are mapped as subvariables: user.uss_result.State, user.uss_result.Key, user.uss_result.Event, user.uss_result.User-Name, etc.
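An added Python example, not USS code, of what an index costs and buys (slides 40-43): RecordTable keeps records by key and, for each AVP listed in its constructor (the role of uss_indices), a secondary index from value to the set of keys; query answers the slide 41 questions the way a QueryUss search would, with KEY and NAS as the special index names, and refuses a search on an AVP that was not indexed. Class and method names and all record values are constructed.

```python
"""Indices over the USS record table (slides 40-43); an added example, not VitalAAA/USS code.
Records are keyed by NAS-IP-Address + NAS-Port; each indexed AVP costs one extra index entry per record."""
from collections import defaultdict


class RecordTable:
    def __init__(self, indexed_avps=()):
        self.indexed = tuple(indexed_avps)           # contents of uss_indices, e.g. ("User-Name",)
        self.records = {}                            # key -> dict of AVPs
        self.index = {avp: defaultdict(set) for avp in self.indexed}

    def put(self, key, avps):
        self.delete(key)                             # re-index on update so stale values never match
        self.records[key] = dict(avps)
        for avp in self.indexed:
            if avp in avps:
                self.index[avp][avps[avp]].add(key)

    def delete(self, key):
        old = self.records.pop(key, None)
        if old is not None:
            for avp in self.indexed:
                if avp in old:
                    bucket = self.index[avp][old[avp]]
                    bucket.discard(key)
                    if not bucket:
                        del self.index[avp][old[avp]]

    def by_key(self, key):
        """Lookup by KEY: at most one record (slide 40)."""
        rec = self.records.get(key)
        return [] if rec is None else [dict(rec, Key=key)]

    def query(self, index, value):
        """QueryUss-style search: every record whose indexed AVP equals value; KEY and NAS are special."""
        if index == "KEY":
            return self.by_key(value)
        if index == "NAS":
            return [dict(r, Key=k) for k, r in self.records.items() if r.get("NAS-IP-Address") == value]
        if index not in self.index:
            raise KeyError(f"no index on {index}: add it to uss_indices first")
        return [dict(self.records[k], Key=k) for k in sorted(self.index[index].get(value, ()))]

    def index_entries(self):
        """Rough memory cost of the indices: one entry per (indexed AVP, record) pair."""
        return sum(len(keys) for buckets in self.index.values() for keys in buckets.values())


def demo():
    """Slide 41 questions over a constructed table: which NASs carry a user, who dialled a DNIS,
    who is behind a CLID, how many sessions a NAS has."""
    t = RecordTable(indexed_avps=("User-Name", "Called-Station-Id", "Calling-Station-Id"))
    nas1, nas2 = "192.0.2.1", "192.0.2.2"            # constructed NAS addresses
    t.put(nas1 + "+45", {"NAS-IP-Address": nas1, "User-Name": "auser", "Called-Station-Id": "900100",
                         "Calling-Station-Id": "555000001", "User-Realm": "eol-es"})
    t.put(nas2 + "+3", {"NAS-IP-Address": nas2, "User-Name": "auser", "Called-Station-Id": "900100",
                        "Calling-Station-Id": "555000002", "User-Realm": "eol-es"})
    t.put(nas1 + "+23", {"NAS-IP-Address": nas1, "User-Name": "buser", "Called-Station-Id": "900200",
                         "Calling-Station-Id": "555000003", "User-Realm": "eol-fr"})
    t.delete(nas2 + "+3")                            # auser's second session ends (Acct STOP)
    return {
        "nas_for_auser": sorted(r["NAS-IP-Address"] for r in t.query("User-Name", "auser")),
        "users_on_900100": sorted(r["User-Name"] for r in t.query("Called-Station-Id", "900100")),
        "user_from_clid": [r["User-Name"] for r in t.query("Calling-Station-Id", "555000003")],
        "on_nas1": len(t.query("NAS", nas1)),
        "index_entries": t.index_entries(),
    }
```

With three indexed AVPs and two live records the table carries six index entries on top of the records themselves, which is the cost slide 40 warns about; a query on User-Realm raises KeyError because that AVP is not in the index list.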

Slide 44: USS triggers (I)
- A PF can also be started, triggered by any USS transition. Usually:
  - a USS timeout
  - an Acct On/Off for a NAS reset
- The starting method of that PF is determined by the method_dispatch file
- The PF itself can be stored in any file (with .pf extension)
- Those PFs have a lower priority than those started by an AAA packet
    method_dispatch
    # Protocol   State    Event      File   Method
    #
    trigger      active   timeout    aaa    CloseCDR
    trigger      active   shutdown   aaa    CloseCDR

Slide 45: USS triggers (II)
The triggered PF can use these extra variables:
- request.*: the contents of the USS entry before this event
- reply.*: the contents of the USS entry after this event
- packet.OldState: the state of the entry before the transition. Will match in the method_dispatch file
- packet.NewState
- packet.Event: the event causing the state transition. Will match in the method_dispatch file
- packet.OldTimestamp: the entry Event timestamp before this event
- packet.NewTimestamp: the entry Event timestamp after this event
- packet.DeltaSession: TRUE if the old and new entries refer to different sessions. Determined by Session-Id
- packet.Complete: FALSE if the entry is missing AUTH or ACCT data

Slide 46: Example 1 with USS triggers: Closed accounting records only
- To store into file/DB only CLOSED accounting records, due to:
  - Acct STOP packet received
  - Acct On/Off received, for all of the users of the NAS
  - Timeout in the USS -> the STOP packet was lost, or 2 consecutive INTERIMs; the Acct-Session-Time will be taken from the previous INTERIM
- The timers will be set during the AUTH PF, based on the specific Session-Timeout for this user, the specific Acct-Interim-Interval, or a default of INTERIMs every 1 hour
- If the STOP is not received, the record will take:
  - Acct-Input/Output-Octets from the previous INTERIM
  - Session-Time based on the last interim (for a timeout) or the moment the Acct-On/Off arrived

Slide 47: Example 1 with USS triggers [ACCT]: Closed accounting records only (method_dispatch)
    radius    Acct     Accounting-Request   uss_triggers   UpdateUSSwithAcct
    radius    Auth     Access-Request       uss_triggers   ReadUserData
    trigger   active   timeout              uss_triggers   CalculateAcctSessionTime4Timeout
    trigger   active   shutdown             uss_triggers   CalculateAcctSessionTime4AcctOff
    trigger   active   boot                 uss_triggers   CalculateAcctSessionTime4AcctOff

Slide 48: Example 1 with USS triggers [ACCT]: Closed accounting records only
    UpdateUSSwithAcct
        Method-Type = StateServer
        Method-On-Success = AckIfNotStop
        StateServer-RequestMap = << ${uss.Acct-Start-Time} = ${packet.Acct-Start-Time};
                                    ${uss.Last-Interim-Time} = ${packet.Event-Timestamp};
                                    ${uss.Acct-Session-Time} = ${request.Acct-Session-Time:0};
                                    ${uss.User-Name} = ${request.User-Name};
                                    ${uss.Calling-Station-Id} = ${request.Calling-Station-Id};
                                    ${uss.Called-Station-Id} = ${request.Called-Station-Id};
                                    ${uss.Nas-IP-Address} = ${request.Nas-IP-Address:request.Nas-Id:request.Origin-Host};
                                    ${uss.Acct-Input-Octets} = ${request.Acct-Input-Octets:0};
                                    ${uss.Acct-Output-Octets} = ${request.Acct-Output-Octets:0}; >>

    AckIfNotStop
        Method-Type = Compare
        Method-On-Failure = WriteUDR2File
        Compare-Input1 = ${request.Acct-Status-Type}
        Compare-Input2 = Stop
        Compare-Type = String
        Compare-Operator = "!="

    CalculateAcctSessionTime4AcctOff
        Method-Type = Calculate
        Method-On-Success = WriteUDR2File
        Calculate-Expression = "${request.Acct-Session-Time} := ${packet.NewTimestamp[fromDate,toUnsigned32]} - ${request.Acct-Start-Time[fromDate,toUnsigned32]}"

Slide 49: Example 1 with USS triggers [ACCT]: Closed accounting records only
    CalculateAcctSessionTime4Timeout
        Method-Type = Calculate
        Method-On-Success = WriteUDR2File
        Calculate-Expression = "${request.Acct-Session-Time} := ${request.Last-Interim-Time[fromDate,toUnsigned32]} - ${request.Acct-Start-Time[fromDate,toUnsigned32]}"

    WriteUDR2File
        Method-Type = WriteDelimitedFile
        WriteDelimitedFile-Filename = udr.
        WriteDelimitedFile-DelimitChar = ","
        WriteDelimitedFile-Map = << ${1} = ${packet.Acct-Start-Time:request.Acct-Start-Time};
                                    ${2} = ${packet.Acct-Stop-Time:packet.Event-Timestamp:packet.NewTimestamp};
                                    ${3} = ${request.Acct-Session-Time};
                                    ${4} = ${packet.Event[toUpper]:STOP};
                                    ${5} = ${request.User-Name};
                                    ${6} = ${request.Calling-Station-Id};
                                    ${7} = ${request.Called-Station-Id};
                                    ${8} = ${request.Nas-IP-Address:request.Nas-Id};
                                    ${9} = ${request.Acct-Input-Octets:0};
                                    ${10} = ${request.Acct-Output-Octets:0}; >>
        WriteDelimitedFile-FilenameExtension = .txt
        WriteDelimitedFile-RolloverMode = Hourly
        WriteDelimitedFile-IdleTime = 1000

Slide 50: Example 1 with USS triggers [AUTH]: Set USS timers, specific for each user
    ReadUserData
        Method-Type = ReadUserFile
        Method-On-Success = CheckPassword
        ReadUserFile-Filename = users
        ReadUserFile-Map = << ${check.*} = ${check.*};
                              ${reply.*} = ${reply.*};
                              ${reply.Acct-Interim-Interval} = "3600"; >>

    CheckPassword
        Method-Type = AuthLocal
        Method-On-Success = USSinAuth

    USSinAuth
        Method-Type = StateServer
        StateServer-RequestMap = << ${uss.User-Name} = ${request.User-Name};
                                    ${timeout.session} = ${reply.Session-Timeout[increment(60),multiply(1000)]:reply.Acct-Interim-Interval[increment(30),multiply(2000)]}; >>
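The trigger logic of slides 46-50 as an added Python example (not VitalAAA code): session_timeout_ms applies the two increment/multiply chains of slide 50, update_uss_with_acct stores what UpdateUSSwithAcct maps into the USS entry, and close_record reproduces the three ways a UDR row of slide 49 gets its Acct-Session-Time (from the STOP packet itself, up to the last INTERIM on a timeout, or up to the Acct-On/Off time). The function names, the dict used as the USS entry and every timestamp, address and octet count are constructed; new_timestamp plays the role of packet.NewTimestamp.

```python
"""Closed accounting records from USS triggers (slides 46-50); an added example, not VitalAAA code.
Timestamps are plain seconds, the USS entry is a dict, all values are constructed."""


def session_timeout_ms(session_timeout=None, acct_interim_interval=3600):
    """${timeout.session} of slide 50: (Session-Timeout + 60) * 1000 ms when the reply carries one,
    otherwise (Acct-Interim-Interval + 30) * 2000 ms, i.e. a little more than two missed INTERIMs."""
    if session_timeout is not None:
        return (session_timeout + 60) * 1000
    return (acct_interim_interval + 30) * 2000


def update_uss_with_acct(entry, packet, event_ts):
    """UpdateUSSwithAcct (slide 48): what the accounting PF keeps in the USS entry on each packet."""
    if packet["Acct-Status-Type"] == "Start":
        entry["Acct-Start-Time"] = event_ts
    entry["Last-Interim-Time"] = event_ts                       # ${packet.Event-Timestamp}
    entry["Acct-Session-Time"] = packet.get("Acct-Session-Time", 0)
    entry["Acct-Input-Octets"] = packet.get("Acct-Input-Octets", 0)
    entry["Acct-Output-Octets"] = packet.get("Acct-Output-Octets", 0)
    for avp in ("User-Name", "Calling-Station-Id", "Called-Station-Id", "Nas-IP-Address"):
        if avp in packet:
            entry[avp] = packet[avp]
    return entry


def close_record(entry, event, new_timestamp=None):
    """The trigger side of slide 47's dispatch: 'stop' keeps the packet's own Acct-Session-Time,
    'timeout' (CalculateAcctSessionTime4Timeout) measures up to the last INTERIM, 'shutdown'/'boot'
    (CalculateAcctSessionTime4AcctOff) measure up to the Acct-Off/On event.  Returns the UDR columns."""
    if event == "stop":
        session_time, stop_time = entry["Acct-Session-Time"], entry["Last-Interim-Time"]
    elif event == "timeout":
        session_time, stop_time = entry["Last-Interim-Time"] - entry["Acct-Start-Time"], new_timestamp
    elif event in ("shutdown", "boot"):
        session_time, stop_time = new_timestamp - entry["Acct-Start-Time"], new_timestamp
    else:
        raise ValueError(f"no UDR is written for event {event!r}")
    return [entry["Acct-Start-Time"], stop_time, session_time, event.upper(), entry["User-Name"],
            entry.get("Calling-Station-Id", ""), entry.get("Called-Station-Id", ""),
            entry["Nas-IP-Address"], entry["Acct-Input-Octets"], entry["Acct-Output-Octets"]]


def demo():
    """Constructed session: START at t=1000, one INTERIM at t=4600 reporting 3600 s, then no STOP."""
    entry = {}
    base = {"User-Name": "auser", "Nas-IP-Address": "192.0.2.1",
            "Calling-Station-Id": "555000001", "Called-Station-Id": "900100"}
    update_uss_with_acct(entry, dict(base, **{"Acct-Status-Type": "Start"}), 1000)
    update_uss_with_acct(entry, dict(base, **{"Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 3600,
                                              "Acct-Input-Octets": 1200, "Acct-Output-Octets": 34000}), 4600)
    timeout_at = 4600 + session_timeout_ms() // 1000            # the USS fires 'timeout' 7260 s later
    return {"timer_ms": session_timeout_ms(),
            "timeout_udr": close_record(entry, "timeout", timeout_at),
            "acct_off_udr": close_record(entry, "shutdown", 5000)}
```

With the default Acct-Interim-Interval of 3600 s the session timer is 7,260,000 ms; on that timeout the UDR carries a session time of 3600 s (last INTERIM minus START), whereas an Acct-Off at t=5000 gives 4000 s (Acct-Off time minus START), and both rows reuse the octet counts of the last INTERIM.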

Slide 51: Example 2 with USS triggers: Release IP addresses to the DHCP server
- With an external DHCP server, there is no DHCP message to bulk-release all the IP addresses of a pool (belonging to a NAS)
- DHCP was never intended to work with a RADIUS server and PPP users; it was intended to work with individual users over Ethernet
- If a NAS reboots and the users' IP addresses are not released, when the NAS boots up again and users reconnect the DHCP server runs the risk of running out of IP addresses
  - Especially true if the DHCP MAC address is generated from the Nas-Port AVP, and the NAS doesn't reuse the Nas-Ports
- The USS triggers should be used to generate 1 DHCP Release message for EVERY active user in that NAS, based on an Acct-On or Acct-Off packet
(figure: 1 Acct-Off and/or 1 Acct-On -> N DHCP Release messages, for N users connected)

Slide 52: Remote communication between VA and USS (I)
- There can only be 1 USS in the network
  - It contains centralized information
  - This VA's PolicyFlow will use the "StateServer" plug-in
- There can be several VA front ends in the network
  - These VAs' PolicyFlow will contact the USS remotely with the "StateClient" plug-in
- The protocol used to exchange information is the RADIUS protocol itself
  - It uses a non-standard packet with code 129, and Vendor-Specific attributes
  - These AVPs transport non-standard attributes and limits

Slide 53: Remote communication between VA and USS (II)
- The VA server with the active USS must be able to distinguish between:
  - regular RADIUS requests from a NAS
  - special RADIUS packets from a remote VA (a Front End)
- This may be achieved:
  - in method_dispatch with Code = 129, or
  - inside the PF, by assigning the Front End VA a special client class and branching based on the ${client.Client-Class} variable, etc.
(figure: RADIUS server #1 with USS, RADIUS #2, RADIUS #3 and a NAS; addresses not preserved)

Slide 54: StateClient Syntax
- The StateClient generates a special RADIUS request towards the VA hosting the USS
- It is like a "Radius" plug-in, acting as proxy-radius
- Plug-in properties:
  - Server-Address = IP address and port of the VA+USS host
  - Secret = shared key between this VA and the one in the USS host
  - Timeout = ms waiting for a reply from the USS (2000)
  - Retries = number of retries before giving up (0)
  - Request-Map = attributes to send to the VA+USS server (${*} = ${request.*};)
  - Reply-Map = specifies how data is read from the USS database (${reply.*} = ${*};)
  - Client-Address = to choose a source IP address for this RADIUS packet (*)

Slide 55: StateClient example for authentication
The PolicyFlow in the VA with the active USS must also be configured properly.
    checkRemoteLimits
        Method-Type = "StateClient"
        StateClient-Secret = "top-secret"
        StateClient-ServerAddress = " "
        StateClient-RequestMap = << ${User-Name} := ${request.User-Name};
                                    ${VA-AVPair} += "Limit-User-Name=${reply.Connection-Limit:1}";
                                    ${VA-AVPair} += "Uss-User-Realm=${packet.User-Realm}";
                                    ${VA-AVPair} += "Limit-User-Realm=${user.Realm-Limit:1}";
                                    ${NAS-IP-Address} := ${request.NAS-IP-Address};
                                    ${NAS-Identifier} := ${request.NAS-Identifier};
                                    ${NAS-Port} := ${request.NAS-Port:packet.Normalized-NAS-Port};
                                    ${Acct-Session-Id} := ${request.Acct-Session-Id} >>

56 StateClient example for accounting

    checkRemoteLimits
        Method-Type = "StateClient"
        StateClient-Secret = "top-secret"
        StateClient-ServerAddress = " "
        StateClient-Timeout = "3000"
        StateClient-RequestMap = <<
            ${User-Name} := ${request.User-Name};
            ${VA-AVPair} += "Uss-User-Realm=${packet.User-Realm}";
            ${NAS-IP-Address} := ${request.NAS-IP-Address};
            ${NAS-Identifier} := ${request.NAS-Identifier};
            ${NAS-Port} := ${packet.Normalized-NAS-Port:request.NAS-Port};
            ${Acct-Status-Type} := ${request.Acct-Status-Type};
            ${Acct-Session-Id} := ${request.Acct-Session-Id};
            ${Acct-Delay-Time} := ${request.Acct-Delay-Time};
        >>

57 Configuration in VA with USS
Example to limit on User-Name and User-Realm.

    clients (the client addresses are not shown)
        top-secret
        top-secret

    method_dispatch
        radius  Auth  NR-State-Request  auth  checkLocalLimits
        radius  Acct  NR-State-Request  acct  updateLocalLimits

    auth.pf
        checkLocalLimits
            Method-Type = StateServer
            StateServer-RequestMap = "${uss.User-Name} = ${request.User-Name};"
            StateServer-RequestMap = "${limit.User-Name} = ${packet.Limit-User-Name};"
            StateServer-RequestMap = "${uss.User-Realm} = ${packet.Uss-User-Realm};"
            StateServer-RequestMap = "${limit.User-Realm} = ${packet.Limit-User-Realm};"

    acct.pf
        updateLocalLimits
            Method-Type = "StateServer"
            StateServer-RequestMap = "${uss.User-Name} = ${request.User-Name};"
            StateServer-RequestMap = "${uss.User-Realm} = ${packet.Uss-User-Realm};"

58 Packet Flow for authentication
Participants: NAS; RADIUS #2 (Front End, StateClient plug-in); RADIUS server #1 with USS (method_dispatch Code=129 -> StateServer).

1. NAS -> RADIUS #2: Access-Request (1) - ID=1
       User-Name (1) =
       User-Password (2) = 5E%&gn)8
       NAS-IP-Address (4) =
       NAS-Port (5) =
2. RADIUS #2 (StateClient plug-in) -> RADIUS #1: VA-State-Request (129) - ID=5
       User-Name (1) =
       VA-AVPair (26->831(2)) = "Limit-User-Name=1"
       VA-AVPair (26->831(2)) = "Uss-User-Realm=terra"
       VA-AVPair (26->831(2)) = "Limit-User-Realm=1000"
       NAS-IP-Address (4) =
       NAS-Port (5) = 20
3. RADIUS #1: method_dispatch Code=129 -> StateServer -> Success. Variables in RADIUS #1:
       request.NAS-IP-Address =
       request.NAS-Port = 20
       request.User-Name =
       packet.Limit-User-Name = 1
       packet.Uss-User-Realm = terra
       packet.Limit-User-Realm = 1000
4. RADIUS #1 -> RADIUS #2: VA-State-Accept (130) - ID=5
5. RADIUS #2 -> NAS: Access-Accept (2) - ID=1
       Service-Type (6) = Framed (2)

* The VA stores the attributes VA-AVPair="X=Y" as variables ${packet.X}=Y. The rest of the attributes are stored in regular request variables ${request.XXX}.
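The USS side of this flow, modelled as an added example (this is not VitalAAA/USS product code): VA-AVPair "X=Y" attributes become packet variables, the auth path checks the counters against the limits before adding a record, and the acct path moves the record through Start and Stop. The record and counter layout, the handling of a port already in use and the AcctStartTimeout expiry are assumptions of the model.

```python
# Added example, not VitalAAA/USS product code: a small model of the USS side of
# the flow on this slide. Attribute names follow the deck; the record and counter
# layout and the AcctStartTimeout handling are assumptions of this model.

def packet_vars(avpairs):
    """Each VA-AVPair "X=Y" received by the VA+USS becomes ${packet.X} = Y."""
    return dict(avp.split("=", 1) for avp in avpairs)


class StateServer:
    def __init__(self, acct_start_timeout=60.0):
        self.records = {}        # (NAS-IP-Address, NAS-Port) -> {"counted", "state", "created"}
        self.counters = {"User-Name": {}, "User-Realm": {}}
        self.acct_start_timeout = acct_start_timeout

    def _count(self, rec, delta):
        for res, value in rec["counted"].items():
            c = self.counters[res]
            c[value] = c.get(value, 0) + delta
            if c[value] <= 0:
                del c[value]

    def _release(self, key):
        rec = self.records.pop(key, None)
        if rec:
            self._count(rec, -1)

    def expire(self, now):
        """Records whose Acct-Start never arrived are released after AcctStartTimeout."""
        for key, rec in list(self.records.items()):
            if rec["state"] == "waiting-for-start" and now - rec["created"] > self.acct_start_timeout:
                self._release(key)

    def check_limits(self, request, avpairs, now):
        """Auth path (checkLocalLimits): True if within limits; the record is then added."""
        p = packet_vars(avpairs)
        counted = {"User-Name": request["User-Name"], "User-Realm": p["Uss-User-Realm"]}
        limits = {"User-Name": int(p["Limit-User-Name"]), "User-Realm": int(p["Limit-User-Realm"])}
        key = (request["NAS-IP-Address"], request["NAS-Port"])
        self.expire(now)
        self._release(key)   # assumption: a NAS port holds one session, so a stale record on it goes first
        if any(self.counters[r].get(v, 0) >= limits[r] for r, v in counted.items()):
            return False
        self.records[key] = {"counted": counted, "state": "waiting-for-start", "created": now}
        self._count(self.records[key], +1)
        return True

    def update(self, request):
        """Acct path (updateLocalLimits): Start marks the record active, Stop deletes it."""
        key = (request["NAS-IP-Address"], request["NAS-Port"])
        if request["Acct-Status-Type"] == "Start" and key in self.records:
            self.records[key]["state"] = "active"
        elif request["Acct-Status-Type"] == "Stop":
            self._release(key)
```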

59 Extra considerations (I)
- All authentication and accounting requests must be sent to the same USS.
- Any manipulation/change of User-Name, Called-Station-Id or any other resource counted in the USS records must be treated in the same way both in auth and acct.
- In the accounting PolicyFlow, the USS should be invoked as soon as possible, to decrement the counters ASAP and not reject new legitimate users.

60 Extra considerations (II)
- In the authentication PolicyFlow, the USS should be invoked as late as possible, especially after any method which could reject the user's Access-Request. If the session is not finally established:
  - the USS won't know until the AcctStartTimeout expires
  - the USS would have wasted CPU and memory twice: once to add the new record, and later to delete it
- In simple PolicyFlows, the CheckItems and AuthLocal should be executed explicitly as soon as possible. The VA option to automatically check password and check-items shouldn't be used.

61 USS Start-up and logging
- The USS is automatically started, as it is part of the VA PolicyServer.
  - If that USS is not to be used, the PolicyFlow will never invoke a StateServer plug-in, and it will not take any RAM.
- If the network has several VA servers, only 1 will invoke the USS locally (StateServer); the rest will invoke the StateClient plug-in.
- The USS logs are stored in policy.log. This behavior can be changed with log_rules and log_channels.

62 Exporting & Importing the USS records
It could be useful to:
- dump the USS records to a file on a clean shutdown
- import from that file when starting up
Good idea if stopping the USS for a short period of time. Valid not to lose the USS data during VA upgrades.

    server_properties
        …
        StateServer_DataFile = uss_today.txt
        …

63 Statistics and monitoring (I)
The SMT statistics (also accessible from the CLI) show:
- Amount of records and their state (Sessions), to have an idea of the total load of the USS and the memory taken
- Statistics for requests received
- State changes in the Finite State Machine, and the events that generated those changes

64 Statistics and monitoring (II)
(Diagram of the USS Finite State Machine with the Auth, Start, Interim and Stop events)

65 Viewing the USS database (I)
- Counters: for each counter, the resources and their values
- Ports (records): shows all the fields in a USS record
  - Searching by key (and subkey)
- Indices
If there are many entries, this can load the USS and slow it down.

66 Viewing the USS database (II)
A port can be released, decreasing the related counters.

67 USS related AI commands (I)
All AI commands related to the USS have the prefix state:
- uss counts - output counter info
- uss entry - list a state database entry
- uss index list - list entries using index
- uss keys - list keys
- uss list - list a state entry
- uss load - restores a state database from a file
- uss naslist - list NASes
- uss save - save the state database to a file
- uss stats help - describe state database statistics
- uss stats - list state database statistics
- uss stats reset - reset state database statistics
- uss status - show state server replication state
- uss stop key - stop a state entry by key
- uss stop all - stop all entries
- uss stop nas - stop all entries for a NAS

68 USS related AI commands (II)
The USS related commands are:
- uss counts [counter_name]: shows counters and their values
- uss list [entry]: shows the USS records of user sessions, all or selected ones

    ==> uss list
    103 Multi-line response follows.
    entry: ACTIVE complete
    mod: Mon Apr 10 15:30:30 CEST 2006
    ev: Mon Apr 10 15:30:30 CEST 2006
    exp: Tue Apr 11 16:30:31 CEST 2006
    User-Name = "user1_basic"
    …
    Calling-Station-Id = " "
    Called-Station-Id = " "
    Framed-IP-Address =
    NAS-Port-Type = Async

    ==> uss counts
    103 Multi-line response follows.
    Counter      Value
    User-Name    1

    ==> uss counts User-Name
    103 Multi-line response follows.
    user1_basic  1

69 USS related AI commands (III)
- uss entry [ key | complete | state | mode | ev | attrs ]: shows a specific record, with all the values or only the desired ones
- uss stop key | nas | all: simulates an Acct-Stop packet or an Acct-Off
  - Marks the USS record(s) as INACTIVE and decrements the counters
  - Useful when the Acct-Stop or Acct-Off packet has been lost

    ==> uss entry attrs
    103 Multi-line response follows.
    Acct-Status-Type = Start
    Acct-Session-Id = "1234"
    Calling-Station-Id = " "
    Called-Station-Id = " "
    Framed-IP-Address =
    NAS-Port-Type = Async
    User-Name = "user1_basic"

    ==> uss stop key
    Ok.

70 USS related AI commands (IV)
- uss keys [subkey]: shows the ID of all (or selected) session records in the USS [for a NAS]. Usually defined by NAS_IP_Address+NAS_Port.
- uss naslist | subkeys: shows the subkeys of the session records. Usually NAS_IP_Address.

    ==> uss naslist
    103 Multi-line response follows
    Ok.

71 USS related AI commands (V)
- uss load | save: to import/export all USS information from/to a file
  - Mainly for testing purposes or upgrades without losing USS info
  - When loading data, in-memory records are not deleted; the new ones are added. We could load different records from different files.
  - Counters are not saved to file. When loading, they are generated from the USS records.
  - The file has "stanza" format and is compatible between different releases.

    NAS=
    Session-Id=1234
    State=waiting-for-start
    Complete=false
    Modify="2006/04/10 15:30:30.890"
    Event="2006/04/10 15:30:30.000"
    Timeout="2006/04/11 16:30:31.000"
    User-Name = "user1_basic"

    NAS=
    Session-Id=1236
    State=active
    Complete=true
    Modify="2006/04/10 14:30:30.890"
    Event="2006/04/10 14:30:20.000"
    Timeout="2006/04/11 16:30:31.000"
    User-Name = "user2_basic"

72 USS related AI commands (V)
- uss stats: statistical information about USS records and requests
- uss stats help: describes the previous statistical values

    ==> uss stats
    Active-Active = 0
    Active-Auth = 0
    Active-Auth-Diff = 0
    Active-Auth-Same = 0
    Active-Auth-Unknown = 0
    Active-Inactive = 0
    WaitingStart-Update-Diff = 0
    WaitingStart-Update-Same = 0
    WaitingStart-Update-Unknown = 0
    WaitingStart-WaitingStart = 0
    Ok.

73 USS related AI commands (VI)
- uss index list [attr [value]]: shows the created indices and their values

    ==> uss index list User-Name user1_basic
    entry: ACTIVE INDEXED incomplete
    mod: 2007/11/28 11:41:
    ev: 2007/11/28 11:41:
    exp:
    NAS-IP-Address =
    NAS-Port = 20
    Acct-Status-Type = Start
    Acct-Session-Id = "123"
    User-Name = "user1_basic"
    Full-User-Name = "user1_basic"

74 Sizing Guidelines for the USS host (I)
- The USS can optionally be run on a dedicated host:
  - not receiving regular auth/acct requests from NASs
  - only receiving requests from other VA Front Ends
- The USS can be very CPU intensive, depending on:
  - the number of events/sec
  - the timers configured (SessionTimeout = -1 or not)
  - PFs executed based on USS triggers
  - information read without events:
    - StateServer plug-in with Event=None, for entries or counters
    - indices read (QueryUss plug-in or the AI index command)

75 Sizing Guidelines for the USS host (II)
- It may need a lot of RAM, depending on:
  - the number of records to be kept:
    - simultaneous user connections, with InactiveTimeout = 0
    - total available ports in the network, with InactiveTimeout = -1
  - the amount of AVPs stored in each record
  - the amount of counters configured
  - the amount of indices configured
- The host needed (number and speed of CPUs, and RAM) will vary greatly from one customer/site to another. No simple guidelines can be given.

76 RAM measurement
- The only way to foresee the average RAM per record is by simulating active sessions, with all the counters and indices that will be needed.
- Generate active entries (e.g. with a NAS simulator) and check how much memory has been needed, based on the java memory AI command.

77 Special RAM configuration in the JVM
- Under special conditions of a huge amount of RAM needed, some extra parameters related to the Java Virtual Machine can be configured, mainly to increase the initial and maximum memory taken from the system.
- With a 32-bit JVM, the maximum RAM that can be handled is 2 GB.

    vaexec.cfg
    ...
    com.lucent.aaa.PolicyServer -bg -cd -Xmx1500m -Xms1000m -XX:NewSize=100m -XX:MaxNewSize=100m -server -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Dsun.rmi.dgc.server.gcInterval=0x7FFFFFFFFFFFFFFE -Dsun.rmi.dgc.client.gcInterval=0x7FFFFFFFFFFFFFFE
    ...

78 Huge USS deployments: Partitioning based on a hashing criteria
- If the amount of users is too big, or the performance in packets/sec is too high, the USS can be split into several smaller USSs.
  - Each individual USS could also have redundancy: HA-USS
  - Maybe only useful with 1 counter to count
- Each USS (pair) stores information for specific users / realms / CLIDs.
- The NAS doesn't change anything, as it is unaware there is even a USS.
- The Front End PF must know which user is stored in which USS (pair).
(Diagram: Front End #1 … Front End #M, each choosing one of the USSs USS_… USS_N)

79 Huge USS deployments: Partitioning based on a hashing criteria
- The splitting criteria could be a hash algorithm, to guarantee that:
  - the same user (User-Name, Calling-Station-Id), or Realm, or Called-Station-Id (DNIS or APN), or any other thing that is counted, is always sent to the same USS
  - different users are sent evenly (with a load-balancing criteria) to different USS servers
- The Front Ends MUST know to which USS to send the request.

Sample PF in the Front Ends, together with the file USS_servers.txt:

    SelectUssBasedOnUserName
        Method-Type = ReadDelimitedText
        Method-On-Success = InvokeUss
        ReadDelimitedText-Text
        ReadDelimitedText-Map = "${user.Uss-Server} = ${1};"
        ReadDelimitedText-SelectMode = HASHCODE
        ReadDelimitedText-SearchKey = ${packet.Base-User-Name}

    InvokeUss
        Method-Type = StateClient
        StateClient-ServerAddress = ${user.Uss-Server}
        …
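The two properties this slide asks of the splitting criteria (same key always lands on the same USS, different keys spread evenly), as an added example in Python rather than the product's ReadDelimitedText plug-in. The hash function, the one-address-per-line layout of USS_servers.txt and the base_user_name() derivation are assumptions; the example also covers the consistency requirement from the earlier "Extra considerations" slide, that auth and acct must derive the key identically.

```python
# Added example, not VitalAAA code: a Python model of the selection rule on this
# slide. ReadDelimitedText / SelectMode = HASHCODE is not reproduced; the hash
# function, the file layout and base_user_name() are assumptions of this model.
import hashlib

# Constructed sample of USS_servers.txt: one USS address per line (documentation-range IPs).
USS_SERVERS_TXT = """\
# USS servers, one per line
192.0.2.11:1812
192.0.2.12:1812
192.0.2.13:1812
"""


def load_uss_servers(text):
    """Return the USS addresses listed in the file, skipping blank and '#' lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def base_user_name(user_name):
    """Assumed derivation of ${packet.Base-User-Name}: strip a trailing '@realm'.
    Auth and acct must apply exactly the same transformation, or the Acct-Stop
    would be sent to a different USS than the one that counted the session."""
    return user_name.split("@", 1)[0]


def select_uss(search_key, servers):
    """Map a search key (Base-User-Name, Realm, DNIS, ...) to one USS.
    A stable hash (SHA-256) is used on purpose: Python's hash() is randomised per
    process, so two Front Ends would pick different servers for the same user."""
    digest = hashlib.sha256(search_key.encode("utf-8")).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def distribution(search_keys, servers):
    """Count how many keys land on each USS, to check that the spread is even."""
    counts = {s: 0 for s in servers}
    for k in search_keys:
        counts[select_uss(k, servers)] += 1
    return counts
```

Changing the server list re-maps most keys (the modulo changes), so sessions counted before the change would be looked up on a USS that never saw them; resize only when the counters can be rebuilt from the records.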

