connect • communicate • collaborate

RADIUS and WLAN Infrastructure Monitoring

Jovana Palibrk, AMRES

NA3 T2, Sofia, 19.06.2014.

eduroam in Serbia

The eduroam project in Serbia started at the end of 2009.

The process of connecting AMRES institutions to the eduroam service and installing equipment started in 2010.

AMRES applied for a donation from the NATO SPS NIG (Networking Infrastructure Grant) program with the project “AMRES Access Infrastructure Establishment” and received the donation in 2010.

Academic Network of Serbia www.amres.ac.rs

eduroam in Serbia

[Figure labels: RP – Novi Sad, RP – Belgrade, RP – Kragujevac, RP – Nis, FTLR]

The NATO donation enabled procurement of:

5 Cisco 5508 Wireless Controllers that are installed in 4 university computing centers

190 access points that have been installed in more than 80 AMRES member institutions in 17 cities

What is being monitored?

The eduroam monitoring system is incorporated into our in-house network monitoring system, NetIIS.

Network administrators at AMRES institutions already use NetIIS in their everyday technical activities.

Monitoring and reporting:

RADIUS servers (institutional RADIUS servers and the Federation Top Level RADIUS server, FTLR)

Network access infrastructure (wireless access points and controllers)

NetIIS – Networking Information and Monitoring System

NetIIS is a web-based networking information and monitoring system.

In NetIIS, all objects from the external world are presented in an easily understandable way.

Objects are hierarchically organized and presented as a tree.

[Tree figure labels: folder, location, users and group of users, groups, device, monitor, alarm, action]

NetIIS – Networking Information and Monitoring System

Every institution has its own location in the NetIIS infrastructure, under which the eduroam folder is placed.

eduroam data and the infrastructure elements that are being monitored are stored in that folder.

Monitoring and reporting: RADIUS servers

Testing availability of a RADIUS server over the network:

Ping the RADIUS server IP address

Testing operability of RADIUS servers:

The eapol_test program from the wpa_supplicant software is used (http://deployingradius.com/scripts/eapol_test/)

A shell script on NetIIS runs eapol_test

EAP-TTLS and PEAP tunnels can be tested

If a test fails, an alarm is activated and mail notifications are sent to the technical contacts of the corresponding institution
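
One way to write the shell probe described on this slide, as an added example and not the NetIIS script itself: it writes a temporary eapol_test configuration for EAP-TTLS or PEAP, runs the test against a RADIUS server, and reports status plus delay in milliseconds. The function names, inner methods (PAP, MSCHAPv2), port 1812, the CA path, addresses, secrets and the mail recipient are assumptions; GNU date is assumed for nanosecond timing.

```shell
#!/usr/bin/env bash
# Added example (not the NetIIS script): one eapol_test probe of a RADIUS server.
# Every path, address, secret and account used with it is a placeholder.
EAPOL_TEST="${EAPOL_TEST:-eapol_test}"   # binary built from wpa_supplicant

# Print an eapol_test network block for method TTLS or PEAP.
# ca_cert makes the probe validate the server certificate, so an expired or
# wrong certificate shows up as a failed test instead of passing silently.
make_conf() {   # make_conf METHOD IDENTITY PASSWORD CA_CERT
  local phase2='auth=PAP'
  [ "$1" = PEAP ] && phase2='auth=MSCHAPV2'
  cat <<EOF
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=$1
    identity="$2"
    anonymous_identity="anonymous@${2#*@}"
    password="$3"
    phase2="$phase2"
    ca_cert="$4"
}
EOF
}

# Run one probe; print "OK <ms>" or "FAIL <ms>" and return 0 or 1.
radius_probe() {   # radius_probe METHOD IDENTITY PASSWORD CA_CERT SERVER SECRET
  local conf start end rc=0
  conf=$(mktemp) || return 2           # mode 0600: the file holds the password
  make_conf "$1" "$2" "$3" "$4" > "$conf"
  start=$(date +%s%N)                  # nanoseconds (GNU date assumed)
  "$EAPOL_TEST" -c "$conf" -a "$5" -p 1812 -s "$6" -t 10 >/dev/null 2>&1 || rc=1
  end=$(date +%s%N)
  rm -f "$conf"
  if [ "$rc" -eq 0 ]; then
    echo "OK $(( (end - start) / 1000000 ))"
  else
    echo "FAIL $(( (end - start) / 1000000 ))"
    return 1
  fi
}

# Typical call from a scheduler (placeholders throughout):
# radius_probe TTLS test@inst.ac.rs 'PASSWORD' /etc/ssl/ca.pem 192.0.2.10 'SECRET' \
#   || echo "RADIUS test failed" | mail -s "eduroam alarm" admin@inst.ac.rs
```

The "OK"/"FAIL" word maps to the alarm state and the millisecond value to a delay graph; use a dedicated low-privilege test account, since its password sits on the monitoring host.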

Monitoring and reporting: RADIUS Ping

Monitoring and reporting: RADIUS operability testing

[Diagram: NetIIS, FTLR, IdP RADIUS and RP RADIUS, with four tests: eap ttls IdP + FTLR, eap ttls RP, eap ttls IdP, eap ttls Proxy]

Monitoring and reporting: RADIUS IdP

The operability of an EAP tunnel established directly to the IdP RADIUS server is tested.

[Diagram: NetIIS (eapol_test) → eap-ttls test@inst.ac.rs → inst.ac.rs IdP RADIUS]

Monitoring and reporting: RADIUS IdP

Radius Status and Delay graphs (period of 15 days)

Monitoring and reporting: RADIUS IdP + FTLR

The operability of an EAP tunnel established over the FTLR server to the IdP RADIUS server is tested.

[Diagram: NetIIS (eapol_test) → eap-ttls test@inst.ac.rs → FTLR → inst.ac.rs IdP RADIUS]

Monitoring and reporting: RADIUS IdP + FTLR

Radius Status and Delay graphs (period of 15 days)

Monitoring and reporting: RADIUS RP

The operability of an EAP tunnel established over the institutional RADIUS server and the FTLR server to the monitor RADIUS server is tested.

[Diagram: NetIIS (eapol_test) → eap-ttls test@monitor.eduroam.ac.rs → RP RADIUS → FTLR → monitor.eduroam.ac.rs monitor RADIUS]

Monitoring and reporting: RADIUS RP

Radius Status and Delay graphs (period of 15 days)

Monitoring and reporting: FTLR

The availability and operability of the FTLR server are tested.

[Diagram labels: NetIIS, eapol_test, eap-ttls test@monitor.eduroam.ac.rs, FTLR, monitor.eduroam.ac.rs monitor RADIUS, IdP RADIUS]

Usage statistics – eduroam usage monitor

Total number of successfully authenticated users at a given RP institution, taken for:

The same IdP institution – local users

Other IdP institutions from the same country – national users

IdP institutions from other countries – international users

[Diagram labels: RP RADIUS: radius.log, script, 3 numbers; SNMP; NetIIS: eduroam usage monitor, 3 numbers]
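
One way the script on this slide could derive its three numbers, as an added example rather than the AMRES script: it counts distinct identities with a successful login in radius.log and classifies each by realm. The FreeRADIUS-style log line format, inst.ac.rs as the RP's own realm, the .rs suffix for national IdPs and all sample lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not AMRES code): derive the "3 numbers" from radius.log.
# Assumes FreeRADIUS-style "Login OK: [identity]" lines and the settings below.
OWN_REALM="inst.ac.rs"    # assumption: realm of this RP institution
NATIONAL_SUFFIX=".rs"     # assumption: realms of other IdPs in the same country

# Constructed sample lines, not taken from a real server.
sample_log() {
  cat <<'EOF'
Thu Jun 19 09:00:01 2014 : Auth: Login OK: [ana@inst.ac.rs] (from client wlc1 port 13 cli 00-11-22-33-44-55)
Thu Jun 19 09:00:02 2014 : Auth: Login OK: [ana@inst.ac.rs] (from client wlc1 port 13 cli 00-11-22-33-44-55)
Thu Jun 19 09:01:10 2014 : Auth: Login OK: [Marko@INST.ac.rs/<via Auth-Type = EAP>] (from client wlc1 port 13 cli 00-11-22-33-44-66)
Thu Jun 19 09:02:30 2014 : Auth: Login OK: [anonymous@other.ac.rs] (from client wlc1 port 13 cli 00-11-22-33-44-77)
Thu Jun 19 09:03:05 2014 : Auth: Login OK: [guest@example.org] (from client wlc1 port 13 cli 00-11-22-33-44-88)
Thu Jun 19 09:03:40 2014 : Auth: Login incorrect: [eve@example.org] (from client wlc1 port 13 cli 00-11-22-33-44-99)
Thu Jun 19 09:04:00 2014 : Auth: Login OK: [norealm] (from client wlc1 port 13 cli 00-11-22-33-44-aa)
EOF
}

# Reads radius.log on stdin, prints "local national international".
usage_counts() {
  awk -v own="$OWN_REALM" -v nat="$NATIONAL_SUFFIX" '
    {
      i = index($0, "Login OK: [")
      if (i == 0) next                    # failed logins and unrelated lines
      id = substr($0, i + 11)
      j = index(id, "]")
      if (j == 0) next
      id = tolower(substr(id, 1, j - 1))  # realms are case-insensitive
      sub(/\/.*/, "", id)                 # drop "/<via Auth-Type = ...>" suffix
      n = split(id, part, "@")
      if (n < 2 || part[n] == "") next    # no realm: cannot be classified
      if (seen[id]++) next                # count each identity once
      realm = part[n]
      if (realm == own) loc++
      else if (substr(realm, length(realm) - length(nat) + 1) == nat) natl++
      else intl++
    }
    END { printf "%d %d %d\n", loc, natl, intl }
  '
}

sample_log | usage_counts
```

Because eduroam clients often send an anonymous outer identity, counting distinct identities in the outer log can undercount real users per realm.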

Usage statistics – eduroam usage monitor

eduroam_usage monitor – local users

Number of local users (period of 30 days)

eduroam_usage monitor – national users

Number of national users (period of 30 days)

eduroam_usage monitor – international users

Number of international users (period of 30 days)

Usage statistics – Splunk software

RP RADIUS servers send syslog messages to a Splunk server, which is used for producing statistics.

For easier analysis, messages are formatted on the RP RADIUS servers using RADIUS linelog and syslog-ng.

Messages collected on the Splunk server:

Number of AMRES user devices on all APs in Belgrade

Number of international user devices on APs in Belgrade

Monitoring and reporting – Access Points

Ping

Number of connected users

Monitoring and reporting – Wireless LAN Controllers

Ping

Number of DHCP clients:

Bad alarm – more than 100 addresses are being used

Good alarm – less than 100 addresses are being used

Groups of monitors – Access Points

Groups of monitors – Institutional RADIUS Servers

Groups of monitors – FTLR

Questions?

Thank you!
