the server management tool (smt). all rights reserved © alcatel-lucent 2007 2 | smt module...

The Server Management Tool (SMT)

2 | SMT All Rights Reserved © Alcatel-Lucent 2007

Module Objectives SMT Overview and architecture

How to start the SMT client and server

Configuring server properties

Configuring clients and client properties

Configuring the IP address manager

Logging options

Viewing statistics

Editing files: text files and users files

Testing Tools for RADIUS

Viewing/modifying SQL databases

Modifying SMT preferences


Overview

Server related configuration

Client related features


Server Management Tool (SMT) Graphical interface in Java to do any administration task

Set 8950 AAA Server Properties

Add/Delete/Modify Client entries

Create/Manage PolicyFlows

Manage the Universal State Server (USS)

Edit “user” files

Access any SQL Database

View server statistics

Editing other configuration files

etc


8950 AAA

Manual File Editing Mode

Configfiles

Configfiles

$ vi clients


Local SMT

8950 AAA

Configfiles

Configfiles

$ vi clients


Remote SMT

8950 AAA

Configfiles

Configfiles

$ vi clients

ConfigurationServer

ConfigurationServer


SMT Local & Remote Mode The SMT can be run in local mode or remote mode

In remote mode, SMT requires the Configuration Server to be running on the server that you want to configure. The Configuration Server handles remote connections from SMT and allows

SMT to read and writes files from that server.

In local mode, a Configuration Server is not required but you may connect to a Configuration Server running locally if one is

available.


Configuration Server Start-up The aaa start command starts both the Policy Server as well as

the configuration/SMT server This process can be started/stopped independently, with:

aaa start config

Only one process can be running by VA host This gui server can handle several SMT connections from several

remote hosts

The log file config.log reports: Connections Problems at start-up, etc.

If the SMT is run locally (without the "Configuration Server"), the logs are stored at smt.log


SMT Start-up Execute aaa-smt located in the bin directory

Introduce a valid UserName/Password of a VA operator An admin user was created during installation process

These parameters can also be introduced in the command line > aaa-smt -user admin -pass hello -host 135.88.101.1

> aaa-smt -u admin -p hello -l

It is recommended to connect via the Configuration Server, even when connecting to the localhost

It is recommended to connect via the Configuration Server, even when connecting to the localhost

*


Overview




‘Server Properties’

This menu allows us to configure 8950 AAA server properties.

They are stored in several files: Server_properties

It is recommended to edit this file only via the SMT

Uss_counters, uss_indices


Server Properties - Database

AAA has a built-in basic SQL database Hypersonic SQL - Developed by a 3rd party

Can be disabled by selecting “Database Address”=0

The database files are stored in <$VA>/run/db nr.script & nr.data

Database-Address = "*:9001"Database-Shutdown = NORMALDatabase-LogSize = "200"

Database-Address = "*:9001"Database-Shutdown = NORMALDatabase-LogSize = "200"


SNMP agent To grant access to view statistical information

By default, the access is disabled (SNMP Address=0)

To enable it, just configure IP address and UDP port (*:9161) Be careful with port 161, as it might be taken by the OS to report CPU

utilization

Two files are used to store SNMP indices, so that they are consistent after a server restart radius-server-indices.mib &

radius-client-indices.mib

*

Enhanced 5.2

Since 5.2, the new RFC’s for IPv4 and IPv6 RADIUS clients/servers are supported


SNMP Access - SNMPv3 users SNMPv3 requires configuration of the encryption and

authentication keys and algorithms Will be stored in the security_snmpusers file


RADIUS properties

•To have several UDP ports for auth and acct•Possibility to bind to any IP address or only to a specific one

•A duplicate is a packet with the same source IP + source UDP port + RADIUS ID, as another one being processed.•Saves CPU by: - not processing a packet which is already being processed - giving extra time to the original request to finish its processing by increasing its Client-Timeout

•Not to consider the Authenticator field for accounting packets

•To set the TOS byte of the IP header in the outgoing RADIUS packets

*


Queue and worker threads

A request can be: in the queue: waiting to start the execution of the PF

in a worker thread: executing a PF

suspended, in RAM: waiting for more information from an external system or process to go on with the PF proxy-radius, or Access-Challenge packets, etc.

New Request

0

1

9Detected as duplicate: log & discard, and update original timers

Add timestamp

queue size

max # of waiting items PolicyServer Worker Threads

new message for a suspended request

suspended requests

active requests


Server Properties – AdvancedShouldn´t be modified unless told by the Lucent support

•To prevent loops in the execution of a Policy Flow

•To limit the size of the queue

•To support RADIUS dynamic authorization (RFC 3576) with proxy agents and/or Nas-Id

*


More server properties

To derive the Base-User-Name and the Realm from the User-Name AVP•user@realm, •realm\user•realm/user

To show in the logs the attributes marked as “hidden” in the dictionary


Intelligent Queue Management Improves overall performance with duplicate and stale request

deletion from queue 8950 AAA time-stamps each request on receipt.

The incoming request is then compared with all other active requests (in queue or being processed) to see if it is a duplicate. The older request is retained in its present location in queue or PolicyFlow,

but its activity time-stamp is updated.

The new incoming request is discarded.

t t

Original Request

Set Client-TimeoutExtend Client-Timeout

as the NAS is still waiting for a response

A response is generatedRetrans

mission

Nas-Retransmission-Timer

The request is discarded as VA thinks the NAS is no longer waiting for a response

Set Client-Timeout


Server Properties - Timeouts Client Timeout:

If VA detects it has a request that hasn't been answered yet after the client timeout, it discards it Saves CPU, not processing a response the client is no longer expecting

Should be slightly higher than the NAS timeout

*


Server Properties - Configuration Server

Configuration related to the SMT/Config server


RADIUS Lawful Intercept (LI) - CALEA Service Providers must meet legal and regulatory requirements

for the interception of voice and data communications in IP networks Requirement vary from country to country

The CALEA name related to the USA specific requirements

Lawful intercept (LI) is a mechanism to know when: a user connects/disconnects from an IP network, and optionally

the data the users actually transmitted/received

A Data User (target) is identified by a well-known parameter: MSISDN (Calling-Station-Id)

IMSI: for GSM/GPRS/UMTS Mobile users

A LI must be authorized by a court order


Proprietary solution Lawful intercept is always a vendor-specific mechanism

RFC 2804 explains why the IETF doesn’t standardize LI

The Lucent 8950 AAA solution has been designed to work with: SS8 Xcipio WDDF as IRI server

SS8 is a world leading company in LI solutions

Lucent Brick as IPSec server It behaves as a RADIUS client


Lawful Intercept architecture

IAP (CC)

IRI IAP Provisioning

IRI Server(SS8 Xcipio WDDF)

User to be wiretapped =

target User Action IAP:CC (Status)IMSI:214071234567890 -> iri_only

Internet

MSISDN:34679123456 -> iri_and_cc 1.2.3.4 5678

Access-RequestUser-Name (1) = ”john@isp1"NAS-IP-Address (4) = 192.168.20.2.....Calling-Station-Id (31) = 34679123456

Attach

Access-Accept.....

Lucent-AAA-DF-CC-Address=1.2.3.4Lucent-AAA-DF-CC-Port=5678

* A failed auth attempt is also transmitted to the IRI server* In Acct, the IRI server must also be informed of when the user really starts the session (Start), and disconnects (Stop)

New 5.1

IRI = Intercept Related InformationLEA = Law Enforcement AgencyIAP = Intercept Access Point

IRI = Intercept Related InformationLEA = Law Enforcement AgencyIAP = Intercept Access Point


Configuration of users to be intercepted

For a 3rd system to configure which users (targets) are to be wiretapped with a Lucent proprietary interface

For changes to be persistent across restarts, this info is saved to a binay file called: intercept_targets

New 5.1


Client Panels - Clients New clients can be added without restarting the PolicyServer

Reload button

Specific parameters can be included: auth & acct timeouts, etc And to which client_class it belongs to

Enhanced 5.2


Client Panels - Client Classes

To override general server_properties for some clients, if these properties haven’t been configured in the radius_clients file This information is stored in "client_properties" file


Address Manager - Configuration To define IP pools for dynamic IP address assignment to users

by default: 65536 address can be defined Can be changed in server_properties

The pools definition is stored in the address_pools file VA has to be restarted to re-read this file, and consider new pools

*


Address Manager – Monitoring & Statistics

The management of the IP addresses and pools is stored in memory the assignment is done by the

Address plug-in

Saved to file address_leases to be persistent upon VA restarts

*


Logging Messages Automatically a log can be written when a user authentication

request is accepted, rejected, challenged and discarded Similarly with accounting

This configuration is stored in "server_properties" file

Specially useful for the PA With PF it can be configured directly in the method definition


Logging in 8950 AAA It is one of the most important sources of information to

troubleshoot a user connection

log

_ru

les

Standard Output/Error

SNMP Trap

File

SQL database

Multiple dest.

syslog

0

9

otherthread

anotherthread

logs for an active request are buffered, and will be sent to the log_channel when the

request is completely processed

log_channels

*

ERRORWARNINGNOTICEINFOSALIENTDEBUGVERBOSEBLITHER


Log Channels We can define different log channels to send information to.

These log channels will be referenced in the PolicyFlow plug-ins

Or when configuring the logging rules

Stored in log_channels file


Rollover Modes For the “File with Time-Based File Switching” and some other

plug-in related to time-rollover, the following options are available: Minutes: 1,2,3,4,5,6,10,12,15,20,30

Hours: 1,2,3,4,6,8,12

Day: 1

Week: 1,2,3,4

Month: 1,2,3,4,6

Year: 1


Logging Rules (I) We can configure different log levels for different areas in VA

The logging messages can be sent to different "log channels" For instance, USS logs can be sent to a different log file than regular VA

logs

Log levels are: 0 .- OFF

1 .- error

2 .- warning

3 .- notice

4 .- info

5 .- salient - Includes packets received (IP and UDP)

6 .- debug – includes the policyflow execution chain (methods)

7 .- verbose – includes variables used after each method, and HEX dump

8 .- blither – too much detail

*


Logging Rules (II) The Startup Log Rules are stored in the file log_rules

The Active Log Rules will be taken initially from the Startup ones

Level=INFO Continue=false Channel=LogToFile

Level=INFO Continue=false Channel=LogToFile


Logging Rules (III) –Log areas

Care should be taken when activating many traces They degrade server performance,

Especially important depending on the log level (debug, trace, ...)


Log Rules (IV) We can filter the logs for any attribute coming in the RADIUS

request: specific users (request.User-Name),

Realms (packet.User-Realm)

Calling and Called numbers (request.Called-Station-Id, etc)

Type of RADIUS packet (packet.Packet-Type)


Monitoring Logs

Stop / Start the file

Pause / Resume the tailing

Clears the screen content

Open the file in a text editor

Send to printer

Changes the log level

Selects the log file


8950 AAA Statistics (I) To see the load the server has, both for

authentication as well as accounting Number of packets/s. received

Ratio of requests accepted and rejected

Duplicates and error packets

Memory use

Etc.


8950 AAA Statistics (II)


8950 AAA Statistics (III)


8950 AAA Statistics (& IV) The Processing Period table shows how long each method has

taken to execute (ms /execution)

Useful to detect the bottleneck in our server, and be able to improve performance (SQL DB’s, LDAP servers, USS, etc.)


File Tools To access files, without needing to have a telnet/ssh access to

the host

All files must be in the run directory

Several panels: User Files: It reads any file with a "classical" users format

Dictionary Editor

File Manager: to delete and copy files

Tail: to see the last lines inserted in a file Similar to ‘Monitor Log File’


File Tools - Users files

To edit an users file without memorizing all dictionary attributes

There is a display list for check-itemscheck-items and reply itemsreply items This attr. list can be

configured in the "SMT properties"

Users' Names Check-items

Reply-Items


File Tools - Dictionary Editor To view existing

attributes

To add any Vendor-Specific attribute (VSA)

New 5.2.1


File Tools – File Manager

To delete, rename and copy files in the run directory


File Tools = Property file editor

If the property to add is a RADIUS attribute, it can be selected from the dictionary without need to know it by heart


Start/Stop of servers

To check the status, start or stop any 8950 AAA servers PolicyServer GUI config server

This check is made every 5 seconds (by default)


Configuration Report

To see in a glance all 8950 AAA configuration


Files to provide to Lucent Support In case it is necessary to

contact with Lucent Support Services, all important files needed can automatically be packaged in vacfg.zip file

in the server Hard Disk, not the SMT host


Overview




RADIUS Test Client

Equivalent to varc, but with graphical interface

Different Client Scenarios PAP=Basic

CHAP

Challenge

Simulator

etc.


RADIUS NAS Load

Simulates a network of NAS's sending different type of requests, with a variety of User-Names, NAS-IP-Address, NAS-Port-Type, Session duration, etc

Equivalent to vasim, but with graphical interface

It is invoked from the RADIUS Test Client, with Scenario=NasLoad

It is a a very powerful tool for performance and stress tests Allows to heavily test the USS


Database Tools

Built-in database client to connect to any database To create users in a users table

To see/modify any table by using views The views created are stored in the db_properties file in the server

The proper JDBC driver should be installed under <$VA>/lib

*


User Profiles To easily manage users in a graphical way

Possibility to filter and to sort entries

Can import entries from a text file with users format, csv format, etc.


Table Tool Possibility to define a view of any table for easy and quick access

Similarly to the Users Table

With sorting criteria


SQL Tool To execute any SQL command

There is a list of existing tables And columns for each table


Manage DB Users To create/delete DB operators


SMT Preferences (I): Look & Feel

All SMT preferences are stored in "guiconfig_properties" file In the SMT host, not in the server host


SMT Preferences (II): Attribute lists

We can configure what attributes will appear in the lists for: File Tools -> User Files

Check-Items and Reply-Items

Configuration Tools -> Clients -> Client Class For configuration of custom

variables


SMT Preferences (III): Other panels

Some panels are only available when running the SMT in Expert Mode: Dictionary, some server Statistics...

We can select which programs will open certain files How often to check if the servers are up or down


SMT Panel Loading

Some panels have no relationship with server files or CLI commands

Can only be shown/hidden by the SMT properties In smt_properties file in the SMT client host

the server management tool (smt). all rights reserved © alcatel-lucent 2007 2 | smt module...

Documents

smt remote smt

smt local smt

smt smt startup

smt client

smt uss

smt connections

smt queue

smt preferences