Embed Size (px)
Citation preview
1eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
eduroam ancillary servicesREANNZ technical contribution
by Vlad Mencl
August 6, 2018 (XeAP-2 workshop day 2, session 1)
2eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
• About Me - Vlad Mencl• AdminTool (DjNRO) - user interface
○ After break: lab: deploying and configuring AdminTool with containers
• Metrics: ELK brief overview○ After break: lab: deploying and configuring ELK with
containers
Presentation Outline
3eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
• Software Engineer at REANNZ since August 2015○ Came with Tuakiri (NZ Identity Federation) merging into REANNZ○ Worked in R&E space at U of Canterbury for ~ 9 years
■ BeSTGRID, NeSI, PRAGMA
• My CS academic past (in Component based software development)○ Charles University (Prague, Czech Republic): PhD 2004○ United Nations University International Institute for Software
Technology (UNU-IIST) in Macao, China (2005-2006)○ University of New Hampshire, USA (2002)
Vlad Mencl: About me
4eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
Administration tool for the National Roaming Operator (NRO) to manage participating institutions● Tracks Institutions, Radius Servers, Locations● Self-administration by approved institutional administrators
○ Users can have externally managed accounts or internal accounts:■ SAML Federation login■ Social login (Google/Twitter/….)■ Internal accounts on in the application (last resort)
○ User’s identity gets linked with their institution by an NRO administrator
● Map of Service Locations for End users● XML of Service Locations to push upstream to eduroam Global
AdminTool (DjNRO)
5eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
● Name: Django (framework) + NRO● Comes from GRNET (Greece)● Collaborating with the GRNET team on DjNRO code
○ Several (minor) pull requests already merged
● REANNZ is using this tool internally at https://member.eduroam.net.nz○ So far for Service Locations only
■ (Radius was already fully configured when deploying this tool)
DjNRO: the code base
6eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
End-users see an interactive map of service locations
DjNRO - For users
7eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
DjNRO: Institutional administrators: self-service interface
8eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
DjNRO: NRO administration interface (super-user / DB access)
NRO Administrator can see and modify all objects(via the Django CRUD interface)
9eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
● Service Locations: /general/institution.xml● All locations globally: /services/allpoints… and more ...Future:● eduroam NRS config● monitoring config
DjNRO: Data Exports
10eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
AdminTool/DjNRO Benefits: your eduroam is visible
for your users to find you….
11eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
Let users find your eduroam site on the go with the eduroam companion App
Search for “eduroam companion” in
Google Play or the AppStore
AdminTool/DjNRO Benefits: eduroam companion app
12eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
● REANNZ Prod site: https://member.eduroam.net.nz/(uses Google + SAML login)
● XeAP-2 deployment: https://nz-rad1.tein.aarnet.edu.au/(newer version with Google login)
Demo
13eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
Planned enhancements to DjNRO:• More exports: generating NRS FreeRadius config, monitoring config• Tracking additional information
○ Radius server type and capabilities…○ Institutions identity store type and capabilities○ Institutional policy URLs○ Service location hardware type and capabilities○ Contact type + SMS capability
• Approval workflow○ NRO to approve sensitive actions (like adding a new realm) done by
institutional admins.
AdminTool Future Work
14eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
● We use the ELK stack (ElasticSearch, Logstash, Kibana)
○ ElasticSearch is the back-end search engine (and “database”)
○ Logstash is the pipeline to feed the data in:
■ Receive data from other systems
■ Pre-process (parse) known log formats into (semi-)structured data
■ Push into ElasticSearch
○ Kibana: data visualization platform
■ Explore the data in ElasticSearch
■ Value yet to be explored
Metrics services: ELK stack
15eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
Filebeat: forward logs to Logstash● AdminTool deployment comes with a forwarder of the
Apache logs○ More a proof-of-concept, but could be useful...
● Separate forwarder of Radius linelog○ Separate forwarders for freeradius and radsecproxy
● Just add another Docker container...
Metrics: importing data
16eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
● Icinga2 (originally based on Nagios) is the monitoring system
● Icingaweb2 provides the web interface to Icinga
● Use Icinga to monitor all Radius servers
○ NRS servers and institutional radius servers
○ Status checks and attempt logins with rad_eap_test
○ Send out alerts as appropriate
○ Credentials and other connection details available in DjNRO
■ And so are admin contact email addresses.
■ So it should be possible to generate the full configuration.
● So far, prototype configuration for a single host available
○ But still need to design a scalable approach to configuration.
Monitoring services: Icinga2 + Icingaweb2
17eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
Questions?
After break:● Deploying Admin Tool with Docker● Deploying Metrics (ELK) with Docker
Questions?
18eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
● Admintool athttps://nz-rad1.tein.aarnet.edu.au/
● Metrics athttps://nz-rad1.tein.aarnet.edu.au:9443
● Monitoring athttps://nz-rad1.tein.aarnet.edu.au:8443/
ALL: login: “admin” / “admin-password-XeAP2”
Explore now
