Wednesday, December 28, 2005

Monitor and Alert Systems I - Concept of Instrumentation

We have been building monitoring and alerting solutions that are centered around the Service Level Management (SLM) architecture, through the concept of instrumentation.
Instrumentation describes the technologies and processes for monitoring and measuring the performance and availability of system components. Through instrumentation, we are able to monitor system behavior and assess the impact of operational changes.

Instrumentation takes on two forms:
  1. Element Instrumentation, which tracks the status and behavior of individual components, such as network devices, servers and applications.
  2. Service Instrumentation, which tracks the behavior of services using active and passive collectors.

Difference Between Element and Service Instrumentation

Element Instrumentation collects data for threshold monitoring, such as the CPU busy percentage and the percentage of received packets that contain transmission errors.

One of the most commonly used protocols is the Simple Network Management Protocol (SNMP), where the configuration and performance monitoring instrumentation is organized in a standardized naming directory called the Management Information Base (MIB). The MIB provides a universal directory of names for the configuration and performance data of standard system and network elements. An agent embedded in an element enables a remote Instrumentation Manager to access and manipulate MIB variables at the element via SNMP. The SNMP protocol provides mechanisms to

  1. read (GET) performance and status variables from an element MIB,
  2. change (SET) configuration parameters, and
  3. report events (TRAP).

Service Instrumentation, on the other hand, tracks the behavior of services using active and passive collectors, typically to measure the end-to-end response of an application transaction.

Active collectors add traffic to the system: they essentially perform a small experiment to validate compliance with key parameters. For example, the "ping" tool sends a single packet to a remote system component, which immediately returns a copy. The tool measures the time delay between when the packet went out and when the copy returned, and if multiple packets are sent, it also reports the percentage that return.

Passive collectors rely on system traffic and facilities that are already there to provide performance data. For example, existing log files can be used to measure workload and server response time.

Instrumentation Manager

A lot of our clients have already made substantial investments in both element and service instrumentation, but lack a centralized platform to monitor status, collect operational statistics and receive real-time alarms when immediate attention is required.

In the next installment, we will talk more about the Instrumentation Manager.

Thursday, December 22, 2005

FreeRADIUS III

Picking up where we left off yesterday, we continue our FreeRADIUS trilogy. Today, we get hands-on integrating the Cisco VPN 3000 Concentrator with the FreeRADIUS server.
The Cisco VPN Concentrator is the access point through which remote users gain access to protected network resources, while the FreeRADIUS server acts as the centralized platform that services authentication and accounting requests.
Typical services offered by Internet Service Providers and corporations to their clients are either:
  1. system shell accounts, which allow access to the command line interface of a remote server using rlogin or telnet sessions; or
  2. direct-connect accounts, which use a framed remote access protocol, usually PPP, to support dial-in for remote, mobile and home users.

RADIUS Protocol

The RADIUS (Remote Access Dialin User Service) protocol is defined in IETF RFC 2865 and provides a framework for AAA (Authentication, Authorization, and Accounting). It is a UDP-based, connectionless client/server protocol.

The RADIUS client in this case is our VPN Concentrator, which acts as the NAS (Network Access Server). When the NAS receives a user connection request, it passes it to the FreeRADIUS server.

If the username is found and the password is correct, the FreeRADIUS server returns an Access-Accept response that grants the user access to the resource(s).

RADIUS Attributes and Values

A RADIUS transaction is built around attribute-value pairs (AVPs) passed between client and server, which carry virtually every property and characteristic of the AAA transaction.

For the Cisco VPN Concentrator, vendor-specific attributes are already defined in a dictionary file: dictionary.cisco.vpn3000. The dictionary file contains the attribute-value pairs (AVPs) that can be used in our FreeRADIUS configuration, carrying information such as the service type, the protocol type, the IP address to assign to the user, the access control list (ACL), etc.

RADIUS Accounting

FreeRADIUS also supports a full-featured accounting protocol subset, which allows logging of session statistics and usage information and is used for authorisation control, billing, trend analysis, resource utilisation, and capacity planning activities.

RADIUS Configuration

We have previously installed our FreeRADIUS server and verified it is working. Now, to configure it.

The configuration files are found in the ~/etc/raddb folder.

  1. Configure the server by editing the radiusd.conf file.
  2. Configure the clients by editing the clients.conf file. NAS entries can be listed individually by hostname or IP address, or grouped by IP subnet.
  3. Configure the users by editing the user file. This file contains authentication and configuration information for each user.

RADIUS User Authorisation

Next, we configure the authentication server's AVPs for user authorisation, so that the administrator login request is answered to the NAS once authentication is accepted.

NAS Configuration

Lastly, the NAS configuration. Typically, we will need to work through the following steps:

  1. Enable AAA.
  2. Configure the authentication.
  3. Configure the authorisation.
  4. Configure the accounting, so that accounting records are sent to the RADIUS server.

In summary, I hope I have provided a useful insight into AAA concepts, with a simple scenario for installation and implementation to put the solution into context. The whole process has been simplified by hiding the details, to give instructions on installing and configuring the RADIUS server as well as configuring the NAS.

Wednesday, December 21, 2005

Know the Fish?

Talked with a friend this morning on MSN, on the topic of "Being Happy". During the conversation, we touched on motivational books...

And I recalled a story from Chuang Tse (庄子), a famous philosopher in ancient China:

Zhuang Zi claimed: "Look, what happy fish!"
Hui Zi asked: "You are not a fish, how do you know they are happy?"
Zhuang Zi retorted: "You are not me, how do you know I don't know the fish are happy?"

Zhuangzi and Huizi were strolling on the bridge over the Hao river. Zhuangzi said: "The fish swim out and about at their ease; this is the joy of fish."
Huizi said: "You are not a fish; how do you know the joy of fish?"
Zhuangzi said: "You are not me; how do you know that I do not know the joy of fish?"

So what is the definition of "being happy"?

Nowadays, I seldom read any motivational books; I simply do not have the patience or the time, and probably the books are too wordy. Ironically, I have had this book, titled "First Things First", sitting in a corner of my bookshelf collecting dust for years, but I never managed to read past the first few chapters.

Someone told me that entrepreneurs are an optimistic lot; they live for today and worry about tomorrow when tomorrow comes. Perhaps so.

FreeRADIUS II

We continued with the installation of FreeRADIUS on Solaris 10...

We downloaded and reinstalled gcc, glib, gmake, openssl, zlib and all related software components. But we had missed one very important step before recompiling, which is to run

# make distclean

Then we executed the freeRADIUS configure again:

# ./configure --prefix=/opt/freeradius --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib

# /usr/local/bin/make

# /usr/local/bin/make install


Everything looked good. We made some minor changes to the configuration files, then proceeded to start the freeRADIUS daemon:

# /opt/freeradius/sbin/radiusd

Bingo!! We have freeRADIUS listening on port 1645:

# ps -aux | grep radiusd

We also downloaded NTRadPing 1.5 RADIUS Test Utility from: http://www.novell.com/coolsolutions/tools/14377.html

It is a free Windows-based GUI utility for testing our freeRADIUS setup.

We keyed in the IP address of the freeRADIUS machine, the port number, the shared secret and our username and password in the fields, selected "Authentication Request" from the "Request Type" drop-down list, and clicked "Send".

The response from our freeRADIUS server read:

Sending authentication request to server xx.xxx.xxx.xx:1645
Transmitting packet, code=1 id=1 length=47
Received response from the server in 20 milliseconds
Response: Access-Accept
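The Access-Request that NTRadPing transmitted above (code=1) and the Access-Accept it got back, as an added example that is not from the original post and not FreeRADIUS or NTRadPing code: it encodes the attribute-value pairs described in the RADIUS Attributes and Values section, hides the User-Password with the shared secret as RFC 2865 requires, and verifies the Response Authenticator on the reply. The secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types used here

def xor_blocks(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block); the first block is keyed with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the ciphertext block
    return out

def hide_password(password, secret, authenticator):
    """NAS side: NUL-pad to a multiple of 16 bytes (at least one block), then obfuscate."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return xor_blocks(padded, secret, authenticator, hiding=True)

def reveal_password(hidden, secret, authenticator):
    """Server side of section 5.2; the NUL padding is stripped afterwards."""
    return xor_blocks(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def attribute(atype, value):
    """One AVP: Type (1 byte), Length (1 byte, counting these two bytes too), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def access_request(ident, secret, user, password, nas_ip, authenticator=None):
    """Access-Request (code 1): 20-byte header, then AVPs. The 16-byte Request
    Authenticator must be unpredictable, hence the os.urandom default."""
    auth = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def response_is_authentic(response, request_auth, secret):
    """The check a NAS must make before trusting an Access-Accept: without it, any
    host that can spoof the UDP reply could grant the session."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return response[4:20] == expected
```

The packet goes over UDP to the server's RADIUS port (1645 in the session above; RFC 2865 assigns 1812), and the reply is only trusted if response_is_authentic returns True for the same shared secret and Request Authenticator.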


Now our freeRADIUS server is working properly. Next step: configuring the Cisco Network Access Server (NAS) equipment to work with the freeRADIUS server...

Meanwhile, the team takes a coffee break, for it is a job well done for the day :)

Tuesday, December 20, 2005

FreeRADIUS

My team is hands-on with the latest version of FreeRADIUS on Solaris 10. We hit a snag. Darn!! Compilation errors. Solaris 10 has been a real headache :(

It has been a long time since I last implemented an older version of FreeRADIUS on Linux.

RADIUS stands for Remote Access Dialin User Service. It is one of the essential components of the AAA framework (Authentication-Authorisation-Accounting).

Yes, FreeRADIUS is open source, but it is an amazing piece of software that fits the AAA solution perfectly. Kudos to the open-source developers!! It's kind of late; I will probably talk more about AAA next time.

Excuse me, who is this?

Probably few of you have heard anything about a small commercial outfit named "1000 Miles Network"...

1000 Miles Network was first established as 1000 Miles in 1999, as a partnership by a group of young IT professionals from the now defunct POSB Computer Services Pte Ltd. Through its co-ownership and partnership with a local education service provider, 1000 Miles Network provided a ready pool of teaching staff to conduct IT courses and computer holiday camps for schools. At the same time, it provided the necessary IT systems and network consultancy services to them.

Facing shrinking margins, 1000 Miles exited the highly competitive IT education market in 2001 and renamed itself 1000 Miles Network, to concentrate on its core distribution and retail business of network and cabling products, and on the provision of system consultancy along its product lines.

1000 Miles Network was incorporated as 1000 Miles Network Pte Ltd in Jan 2005, a strategic move that positions the company as an appropriate legal entity, catering for its future expansion and capital structure. The legal form is also important in terms of control and corporate governance.

A wise old sage once said: "A journey of a thousand miles starts with a single step". It has been a long way since we started off; change seems to be the only constant... It has never been easy being on our own; we have come so far, yet accomplished so little.