
connect • communicate • collaborate

RADIUS and WLAN Infrastructure Monitoring

Jovana Palibrk, AMRES

NA3 T2, Sofia, 19.06.2014.


eduroam in Serbia

The eduroam project in Serbia started at the end of 2009

The process of connecting AMRES institutions to the eduroam service and installing equipment started in 2010

AMRES applied for a donation from the NATO SPS NIG program (Networking Infrastructure Grant) with the project “AMRES Access Infrastructure Establishment” and received the donation in 2010

Academic Network of Serbia www.amres.ac.rs

eduroam in Serbia

[Map labels: FTLR, RP – Novi Sad, RP – Belgrade, RP – Kragujevac, RP – Nis]

NATO donation enabled procurement of:

5 Cisco 5508 Wireless Controllers that are installed in 4 University computing centers

190 access points that have been installed in more than 80 AMRES member institutions in 17 cities

What is being monitored?

The eduroam monitoring system is incorporated into our in-house network monitoring system – NetIIS

Network administrators at AMRES institutions already use NetIIS in their everyday technical activities

Monitoring and reporting

RADIUS servers (institutional RADIUS servers and Federation Top Level RADIUS – FTLR server)

Network Access Infrastructure (wireless access points and controllers)


NetIIS – Networking Information and Monitoring System

NetIIS is a web-based networking information and monitoring system

In NetIIS, all objects from the external world are presented in an easily understandable way

Objects are hierarchically organized and presented as a tree

[Figure labels, object types in the tree: folder, location, users and group of users, groups, device, monitor, alarm, action]

NetIIS – Networking Information and Monitoring System

Every institution has its own location in the NetIIS infrastructure, under which an eduroam folder is placed

eduroam data and the infrastructure elements that are being monitored are stored in that folder

Monitoring and reporting: RADIUS servers

Testing availability of a RADIUS server over the network:

Ping the RADIUS server IP address

Testing operability of RADIUS servers:

The eapol_test program from the wpa_supplicant software is used: http://deployingradius.com/scripts/eapol_test/

A shell script on NetIIS runs eapol_test

EAP-TTLS and PEAP tunnels can be tested

If a test fails, an alarm is activated and mail notifications are sent to the technical contacts of the corresponding institution
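One way the shell-script check described above could look, as an added example (not the NetIIS script itself): it writes an eapol_test configuration for EAP-TTLS or PEAP, runs the probe and maps the result to an alarm state. The test identity, password, CA path, inner methods (PAP, MSCHAPv2), port and function names are assumptions.

```shell
#!/bin/sh
# Added example: RADIUS operability probe built around eapol_test.
# All identities, passwords, paths and addresses passed in are placeholders.

# Print a wpa_supplicant-style network block for eapol_test.
# $1 = TTLS or PEAP, $2 = test identity, $3 = password, $4 = CA bundle
write_eap_conf() {
    case "$1" in
        TTLS) phase2='auth=PAP' ;;
        PEAP) phase2='auth=MSCHAPV2' ;;
        *) echo "unsupported EAP method: $1" >&2; return 2 ;;
    esac
    # ca_cert makes the probe validate the server certificate like a real client
    cat <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=$1
    identity="$2"
    anonymous_identity="anonymous@${2#*@}"
    password="$3"
    phase2="$phase2"
    ca_cert="$4"
}
EOF
}

# Map eapol_test output to a monitor state; its last line is SUCCESS or FAILURE.
probe_state() {
    case "$(printf '%s\n' "$1" | tail -n 1)" in
        SUCCESS) echo OK ;;
        *) echo ALARM ;;    # FAILURE, timeout, or eapol_test missing
    esac
}

# $1 method, $2 identity, $3 password, $4 CA, $5 server IP, $6 shared secret
run_probe() {
    conf=$(umask 077; mktemp) || return 2    # config holds a password
    write_eap_conf "$1" "$2" "$3" "$4" > "$conf" || { rm -f "$conf"; return 2; }
    out=$(eapol_test -c "$conf" -a "$5" -p 1812 -s "$6" -t 10 2>&1)
    rm -f "$conf"
    probe_state "$out"
}

if [ "$#" -eq 6 ]; then run_probe "$@"; fi
```

eapol_test takes the shared secret on its command line, so it is visible in the process list of the monitoring host while a probe runs.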


Monitoring and reporting: RADIUS Ping


Monitoring and reporting: RADIUS operability testing

[Diagram labels: NetIIS, FTLR, IdP RADIUS, RP RADIUS; tests: eap ttls IdP, eap ttls IdP + FTLR, eap ttls RP, eap ttls Proxy]

Monitoring and reporting: RADIUS IdP

Operability of the EAP tunnel established directly to the IdP RADIUS server is tested

[Diagram labels: NetIIS (eapol_test), eap-ttls [email protected], inst.ac.rs IdP RADIUS]

Monitoring and reporting: RADIUS IdP

Radius Status and Delay graphs (period of 15 days)


Monitoring and reporting: RADIUS IdP + FTLR

Operability of the EAP tunnel established over the FTLR server to the IdP RADIUS server is tested

[Diagram labels: NetIIS (eapol_test), eap-ttls [email protected], FTLR, inst.ac.rs IdP RADIUS]

Monitoring and reporting: RADIUS IdP + FTLR

Radius Status and Delay graphs (period of 15 days)

Monitoring and reporting: RADIUS RP

Operability of the EAP tunnel established over the institutional RADIUS server and the FTLR server to the monitor RADIUS server is tested

[Diagram labels: NetIIS (eapol_test), eap-ttls [email protected], RP RADIUS, FTLR, monitor.eduroam.ac.rs monitor RADIUS]

Monitoring and reporting: RADIUS RP

Radius Status and Delay graphs (period of 15 days)

Monitoring and reporting: FTLR

The availability and operability of the FTLR server are tested

[Diagram labels: NetIIS (eapol_test), eap-ttls [email protected], FTLR, IdP RADIUS, monitor.eduroam.ac.rs monitor RADIUS]

Usage statistics – eduroam usage monitor

Total number of successfully authenticated users at a given RP institution, counted for:

The same IdP institution – local users

Other IdP institution from the same country – national users

IdP institution from other countries – international users

[Diagram labels: RP RADIUS (radius.log, script, 3 numbers), SNMP, NetIIS (eduroam usage monitor, 3 numbers)]
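A script of the kind described above, as an added example (not the AMRES script): it reads RADIUS authentication log lines and prints the three counters. The FreeRADIUS-style log format, the sample lines, the function names and the rule that a realm ending in the national suffix counts as national are assumptions.

```shell
#!/bin/sh
# Added example: derive the three usage numbers from RADIUS auth log lines.
# Assumed log format: FreeRADIUS-style "Login OK: [user@realm...]" lines.

# $1 = this RP's own realm, $2 = national realm suffix; log lines on stdin.
# Prints "<local> <national> <international>", counting each identity once.
count_users() {
    awk -v home="$1" -v nat="$2" '
    /Login OK: \[/ {
        user = $0
        sub(/.*Login OK: \[/, "", user)       # keep text after the "["
        i = index(user, "]"); if (i) user = substr(user, 1, i - 1)
        i = index(user, "/"); if (i) user = substr(user, 1, i - 1)  # "/<via ...>"
        user = tolower(user)                    # realms are case-insensitive
        if (split(user, p, "@") != 2 || p[2] == "") next   # no realm: skip
        if (seen[user]++) next                  # repeat login, same identity
        r = p[2]; cut = length(r) - length(nat) + 1
        if (r == home)                               loc++
        else if (cut > 1 && substr(r, cut) == nat)   national++
        else                                         intl++
    }
    END { printf "%d %d %d\n", loc, national, intl }'
}

# Constructed sample lines (not real data).
sample_log() {
    cat <<'EOF'
Mon Jun 16 09:01:11 2014 : Auth: Login OK: [ana@inst.ac.rs] (from client ap-1 port 0 cli 00-11-22-33-44-01)
Mon Jun 16 09:02:40 2014 : Auth: Login OK: [ana@inst.ac.rs] (from client ap-2 port 0 cli 00-11-22-33-44-01)
Mon Jun 16 09:05:02 2014 : Auth: Login OK: [marko@INST.ac.rs] (from client ap-1 port 0 cli 00-11-22-33-44-02)
Mon Jun 16 09:07:19 2014 : Auth: Login OK: [ivan@other.ac.rs] (from client ap-3 port 0 cli 00-11-22-33-44-03)
Mon Jun 16 09:09:55 2014 : Auth: Login incorrect: [eva@other.ac.rs] (from client ap-3 port 0 cli 00-11-22-33-44-04)
Mon Jun 16 09:12:30 2014 : Auth: Login OK: [guest@example.org/<via Auth-Type = EAP>] (from client ap-1 port 0 cli 00-11-22-33-44-05)
Mon Jun 16 09:13:00 2014 : Auth: Login OK: [norealm] (from client ap-1 port 0 cli 00-11-22-33-44-06)
EOF
}

sample_log | count_users inst.ac.rs .rs    # -> 2 1 1
```

When clients send an anonymous outer identity, all users of one realm appear as a single identity in such a log, so the counters then undercount users.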

Usage statistics – eduroam usage monitor

eduroam_usage monitor – local users

Number of local users (period of 30 days)

eduroam_usage monitor – national users

Number of national users (period of 30 days)

eduroam_usage monitor – international users

Number of international users (period of 30 days)

Usage statistics – Splunk software

RP RADIUS servers send syslog messages to a Splunk server, which is used to produce statistics

For easier analysis, messages are formatted on the RP RADIUS servers using radius line log and syslog-ng

Messages collected on the Splunk server:

Number of AMRES user devices, on all AP in Belgrade


Number of international user devices, on AP in Belgrade


Monitoring and reporting – Access Points

Ping

Number of the connected users


Monitoring and reporting – Wireless LAN Controllers

Ping

Number of DHCP clients:

Bad alarm – more than 100 addresses are being used

Good alarm – less than 100 addresses are being used


Groups of monitors – Access Points


Groups of monitors – Institutional RADIUS Servers


Groups of monitors – FTLR

Questions?


Thank you!