The Server Management Tool (SMT)

All Rights Reserved © Alcatel-Lucent | SMT Module Objectives SMT Overview and architecture How to start the SMT client and server Configuring server properties Configuring clients and client properties Configuring the IP address manager Logging options Viewing statistics Editing files: text files and users files Testing Tools for RADIUS Viewing/modifying SQL databases Modifying SMT preferences

All Rights Reserved © Alcatel-Lucent | SMT Overview Server related configuration Client related features

All Rights Reserved © Alcatel-Lucent | SMT Server Management Tool (SMT) Graphical interface in Java to do any administration task Set 8950 AAA Server Properties Add/Delete/Modify Client entries Create/Manage PolicyFlows Manage the Universal State Server (USS) Edit user files Access any SQL Database View server statistics Editing other configuration files etc

All Rights Reserved © Alcatel-Lucent | SMT 8950 AAA Manual File Editing Mode Config files $ vi clients

All Rights Reserved © Alcatel-Lucent | SMT Local SMT 8950 AAA Config files $ vi clients

All Rights Reserved © Alcatel-Lucent | SMT Remote SMT 8950 AAA Config files $ vi clients Configuration Server

All Rights Reserved © Alcatel-Lucent | SMT SMT Local & Remote Mode The SMT can be run in local mode or remote mode In remote mode, SMT requires the Configuration Server to be running on the server that you want to configure. The Configuration Server handles remote connections from SMT and allows SMT to read and writes files from that server. In local mode, a Configuration Server is not required but you may connect to a Configuration Server running locally if one is available.

All Rights Reserved © Alcatel-Lucent | SMT Configuration Server Start-up The aaa start command starts both the Policy Server as well as the configuration/SMT server This process can be started/stopped independently, with: aaa start config Only one process can be running by VA host This gui server can handle several SMT connections from several remote hosts The log file config.log reports: Connections Problems at start-up, etc. If the SMT is run locally (without the "Configuration Server"), the logs are stored at smt.log

All Rights Reserved © Alcatel-Lucent | SMT SMT Start-up Execute aaa-smt located in the bin directory Introduce a valid UserName/Password of a VA operator An admin user was created during installation process These parameters can also be introduced in the command line > aaa-smt -user admin -pass hello -host > aaa-smt -u admin -p hello -l It is recommended to connect via the Configuration Server, even when connecting to the localhost *

All Rights Reserved © Alcatel-Lucent | SMT Overview Server related configuration Client related features

All Rights Reserved © Alcatel-Lucent | SMT Server Properties This menu allows us to configure 8950 AAA server properties. They are stored in several files: Server_properties It is recommended to edit this file only via the SMT Uss_counters, uss_indices

All Rights Reserved © Alcatel-Lucent | SMT Server Properties - Database AAA has a built-in basic SQL database Hypersonic SQL - Developed by a 3 rd party Can be disabled by selecting Database Address=0 The database files are stored in /run/db nr.script & nr.data Database-Address = "*:9001" Database-Shutdown = NORMAL Database-LogSize = "200" Database-Address = "*:9001" Database-Shutdown = NORMAL Database-LogSize = "200"

All Rights Reserved © Alcatel-Lucent | SMT SNMP agent To grant access to view statistical information By default, the access is disabled (SNMP Address=0) To enable it, just configure IP address and UDP port (*:9161) Be careful with port 161, as it might be taken by the OS to report CPU utilization Two files are used to store SNMP indices, so that they are consistent after a server restart radius-server-indices.mib & radius-client-indices.mib * Enhanced 5.2 Since 5.2, the new RFCs for IPv4 and IPv6 RADIUS clients/servers are supported

All Rights Reserved © Alcatel-Lucent | SMT SNMP Access - SNMPv3 users SNMPv3 requires configuration of the encryption and authentication keys and algorithms Will be stored in the security_snmpusers file

All Rights Reserved © Alcatel-Lucent | SMT RADIUS properties To have several UDP ports for auth and acct Possibility to bind to any IP address or only to a specific one A duplicate is a packet with the same source IP + source UDP port + RADIUS ID, as another one being processed. Saves CPU by: - not processing a packet which is already being processed - giving extra time to the original request to finish its processing by increasing its Client-Timeout Not to consider the Authenticator field for accounting packets To set the TOS byte of the IP header in the outgoing RADIUS packets *

All Rights Reserved © Alcatel-Lucent | SMT Queue and worker threads A request can be: in the queue: waiting to start the execution of the PF in a worker thread: executing a PF suspended, in RAM: waiting for more information from an external system or process to go on with the PF proxy-radius, or Access-Challenge packets, etc. New Request Detected as duplicate: log & discard, and update original timers Add timestamp queue size max # of waiting items PolicyServer Worker Threads new message for a suspended request suspended requests active requests

All Rights Reserved © Alcatel-Lucent | SMT Server Properties – Advanced Shouldn´t be modified unless told by the Lucent support To prevent loops in the execution of a Policy Flow To limit the size of the queue To support RADIUS dynamic authorization (RFC 3576) with proxy agents and/or Nas-Id *

All Rights Reserved © Alcatel-Lucent | SMT More server properties To derive the Base-User- Name and the Realm from the User-Name AVP realm\user realm/user To show in the logs the attributes marked as hidden in the dictionary

All Rights Reserved © Alcatel-Lucent | SMT Intelligent Queue Management Improves overall performance with duplicate and stale request deletion from queue 8950 AAA time-stamps each request on receipt. The incoming request is then compared with all other active requests (in queue or being processed) to see if it is a duplicate. The older request is retained in its present location in queue or PolicyFlow, but its activity time-stamp is updated. The new incoming request is discarded. tt Original Request Set Client-Timeout Extend Client-Timeout as the NAS is still waiting for a response A response is generated Retrans mission Nas-Retransmission-Timer The request is discarded as VA thinks the NAS is no longer waiting for a response Set Client-Timeout

All Rights Reserved © Alcatel-Lucent | SMT Server Properties - Timeouts Client Timeout: If VA detects it has a request that hasn't been answered yet after the client timeout, it discards it Saves CPU, not processing a response the client is no longer expecting Should be slightly higher than the NAS timeout *

All Rights Reserved © Alcatel-Lucent | SMT Server Properties - Configuration Server Configuration related to the SMT/Config server

All Rights Reserved © Alcatel-Lucent | SMT RADIUS Lawful Intercept (LI) - CALEA Service Providers must meet legal and regulatory requirements for the interception of voice and data communications in IP networks Requirement vary from country to country The CALEA name related to the USA specific requirements Lawful intercept (LI) is a mechanism to know when: a user connects/disconnects from an IP network, and optionally the data the users actually transmitted/received A Data User (target) is identified by a well-known parameter: MSISDN (Calling-Station-Id) IMSI: for GSM/GPRS/UMTS Mobile users A LI must be authorized by a court order

All Rights Reserved © Alcatel-Lucent | SMT Proprietary solution Lawful intercept is always a vendor-specific mechanism RFC 2804 explains why the IETF doesnt standardize LI The Lucent 8950 AAA solution has been designed to work with: SS8 Xcipio WDDF as IRI server SS8 is a world leading company in LI solutions Lucent Brick as IPSec server It behaves as a RADIUS client

All Rights Reserved © Alcatel-Lucent | SMT Lawful Intercept architecture IAP (CC) IRI IAP Provisioning IRI Server (SS8 Xcipio WDDF) User to be wiretapped = target UserActionIAP:CC(Status) IMSI: > iri_only Internet MSISDN: > iri_and_cc Access-Request User-Name (1) = NAS-IP-Address (4) = Calling-Station-Id (31) = Attach Access-Accept..... Lucent-AAA-DF-CC-Address= Lucent-AAA-DF-CC-Port=5678 * A failed auth attempt is also transmitted to the IRI server * In Acct, the IRI server must also be informed of when the user really starts the session (Start), and disconnects (Stop) New 5.1 IRI = Intercept Related Information LEA = Law Enforcement Agency IAP = Intercept Access Point IRI = Intercept Related Information LEA = Law Enforcement Agency IAP = Intercept Access Point

All Rights Reserved © Alcatel-Lucent | SMT Configuration of users to be intercepted For a 3rd system to configure which users (targets) are to be wiretapped with a Lucent proprietary interface For changes to be persistent across restarts, this info is saved to a binay file called: intercept_targets New 5.1

All Rights Reserved © Alcatel-Lucent | SMT Client Panels - Clients New clients can be added without restarting the PolicyServer Reload button Specific parameters can be included: auth & acct timeouts, etc And to which client_class it belongs to Enhanced 5.2

All Rights Reserved © Alcatel-Lucent | SMT Client Panels - Client Classes To override general server_properties for some clients, if these properties havent been configured in the radius_clients file This information is stored in " client_properties " file

All Rights Reserved © Alcatel-Lucent | SMT Address Manager - Configuration To define IP pools for dynamic IP address assignment to users by default: address can be defined Can be changed in server_properties The pools definition is stored in the address_pools file VA has to be restarted to re-read this file, and consider new pools *

All Rights Reserved © Alcatel-Lucent | SMT Address Manager – Monitoring & Statistics The management of the IP addresses and pools is stored in memory the assignment is done by the Address plug-in Saved to file address_leases to be persistent upon VA restarts *

All Rights Reserved © Alcatel-Lucent | SMT Logging Messages Automatically a log can be written when a user authentication request is accepted, rejected, challenged and discarded Similarly with accounting This configuration is stored in "server_properties" file Specially useful for the PA With PF it can be configured directly in the method definition

All Rights Reserved © Alcatel-Lucent | SMT Logging in 8950 AAA It is one of the most important sources of information to troubleshoot a user connection log_rules Standard Output/Error SNMP Trap File SQL database Multiple dest. syslog 0 9 other thread another thread logs for an active request are buffered, and will be sent to the log_channel when the request is completely processed log_channels * ERROR WARNING NOTICE INFO SALIENT DEBUG VERBOSE BLITHER

All Rights Reserved © Alcatel-Lucent | SMT Log Channels We can define different log channels to send information to. These log channels will be referenced in the PolicyFlow plug-ins Or when configuring the logging rules Stored in log_channels file

All Rights Reserved © Alcatel-Lucent | SMT Rollover Modes For the File with Time-Based File Switching and some other plug-in related to time-rollover, the following options are available: Minutes: 1,2,3,4,5,6,10,12,15,20,30 Hours:1,2,3,4,6,8,12 Day:1 Week:1,2,3,4 Month:1,2,3,4,6 Year:1

All Rights Reserved © Alcatel-Lucent | SMT Logging Rules (I) We can configure different log levels for different areas in VA The logging messages can be sent to different "log channels" For instance, USS logs can be sent to a different log file than regular VA logs Log levels are: 0.- OFF 1.- error 2.- warning 3.- notice 4.- info 5.- salient - Includes packets received (IP and UDP) 6.- debug – includes the policyflow execution chain (methods) 7.- verbose – includes variables used after each method, and HEX dump 8.- blither – too much detail *

All Rights Reserved © Alcatel-Lucent | SMT Logging Rules (II) The Startup Log Rules are stored in the file log_rules The Active Log Rules will be taken initially from the Startup ones Level=INFO Continue=false Channel=LogToFile Level=INFO Continue=false Channel=LogToFile

All Rights Reserved © Alcatel-Lucent | SMT Logging Rules (III) – Log areas Care should be taken when activating many traces They degrade server performance, Especially important depending on the log level (debug, trace,...)

All Rights Reserved © Alcatel-Lucent | SMT Log Rules (IV) We can filter the logs for any attribute coming in the RADIUS request: specific users (request.User-Name), Realms (packet.User-Realm) Calling and Called numbers (request.Called-Station-Id, etc) Type of RADIUS packet (packet.Packet-Type)

All Rights Reserved © Alcatel-Lucent | SMT Monitoring Logs Stop / Start the file Pause / Resume the tailing Clears the screen content Open the file in a text editor Send to printer Changes the log level Selects the log file

All Rights Reserved © Alcatel-Lucent | SMT 8950 AAA Statistics (I) To see the load the server has, both for authentication as well as accounting Number of packets/s. received Ratio of requests accepted and rejected Duplicates and error packets Memory use Etc.

All Rights Reserved © Alcatel-Lucent | SMT 8950 AAA Statistics (II)

All Rights Reserved © Alcatel-Lucent | SMT 8950 AAA Statistics (III)

All Rights Reserved © Alcatel-Lucent | SMT 8950 AAA Statistics (& IV) The Processing Period table shows how long each method has taken to execute (ms /execution) Useful to detect the bottleneck in our server, and be able to improve performance (SQL DBs, LDAP servers, USS, etc.)

All Rights Reserved © Alcatel-Lucent | SMT File Tools To access files, without needing to have a telnet/ssh access to the host All files must be in the run directory Several panels: User Files: It reads any file with a "classical" users format Dictionary Editor File Manager: to delete and copy files Tail: to see the last lines inserted in a file Similar to Monitor Log File

All Rights Reserved © Alcatel-Lucent | SMT File Tools - Users files To edit an users file without memorizing all dictionary attributes check-itemsreply items There is a display list for check-items and reply items This attr. list can be configured in the "SMT properties" Users' NamesCheck-items Reply-Items

All Rights Reserved © Alcatel-Lucent | SMT File Tools - Dictionary Editor To view existing attributes To add any Vendor- Specific attribute (VSA) New 5.2.1

All Rights Reserved © Alcatel-Lucent | SMT File Tools – File Manager To delete, rename and copy files in the run directory

All Rights Reserved © Alcatel-Lucent | SMT File Tools = Property file editor If the property to add is a RADIUS attribute, it can be selected from the dictionary without need to know it by heart

All Rights Reserved © Alcatel-Lucent | SMT Start/Stop of servers To check the status, start or stop any 8950 AAA servers PolicyServer GUI config server This check is made every 5 seconds (by default)

All Rights Reserved © Alcatel-Lucent | SMT Configuration Report To see in a glance all 8950 AAA configuration

All Rights Reserved © Alcatel-Lucent | SMT Files to provide to Lucent Support In case it is necessary to contact with Lucent Support Services, all important files needed can automatically be packaged in vacfg.zip file in the server Hard Disk, not the SMT host

All Rights Reserved © Alcatel-Lucent | SMT Overview Server related configuration Client related features

All Rights Reserved © Alcatel-Lucent | SMT RADIUS Test Client Equivalent to varc, but with graphical interface Different Client Scenarios PAP=Basic CHAP Challenge Simulator etc.

All Rights Reserved © Alcatel-Lucent | SMT RADIUS NAS Load Simulates a network of NAS's sending different type of requests, with a variety of User-Names, NAS-IP-Address, NAS-Port-Type, Session duration, etc Equivalent to vasim, but with graphical interface It is invoked from the RADIUS Test Client, with Scenario=NasLoad It is a a very powerful tool for performance and stress tests Allows to heavily test the USS

All Rights Reserved © Alcatel-Lucent | SMT Database Tools Built-in database client to connect to any database To create users in a users table To see/modify any table by using views The views created are stored in the db_properties file in the server The proper JDBC driver should be installed under /lib *

All Rights Reserved © Alcatel-Lucent | SMT User Profiles To easily manage users in a graphical way Possibility to filter and to sort entries Can import entries from a text file with users format, csv format, etc.

All Rights Reserved © Alcatel-Lucent | SMT Table Tool Possibility to define a view of any table for easy and quick access Similarly to the Users Table With sorting criteria

All Rights Reserved © Alcatel-Lucent | SMT SQL Tool To execute any SQL command There is a list of existing tables And columns for each table

All Rights Reserved © Alcatel-Lucent | SMT Manage DB Users To create/delete DB operators

All Rights Reserved © Alcatel-Lucent | SMT SMT Preferences (I): Look & Feel All SMT preferences are stored in " guiconfig_properties " file In the SMT host, not in the server host

All Rights Reserved © Alcatel-Lucent | SMT SMT Preferences (II): Attribute lists We can configure what attributes will appear in the lists for: File Tools -> User Files Check-Items and Reply-Items Configuration Tools -> Clients -> Client Class For configuration of custom variables

All Rights Reserved © Alcatel-Lucent | SMT SMT Preferences (III): Other panels Some panels are only available when running the SMT in Expert Mode: Dictionary, some server Statistics... We can select which programs will open certain files How often to check if the servers are up or down

All Rights Reserved © Alcatel-Lucent | SMT SMT Panel Loading Some panels have no relationship with server files or CLI commands Can only be shown/hidden by the SMT properties In smt_properties file in the SMT client host