Jun 18 2009

Reset SST Password with no Reboot

Published by under AS400

SST password is required to access iSeries maintenance section and IBM systematically needs it. However, it is also not unusual to lose the password.
Most SST password reset procedures require you to run an IPL (reboot) in degraded mode. This is not absolutely needed if you have an HMC server.
 
Open a 5250 session to connect to the IBM i and launch under QSECOFR

CHGDSTPWD PASSWORD(*DEFAULT)

Connect to the HMC in 5250 as well
ID: Q#hmc, Port: 2300
And leave the session open

5250 HMC Session

 
Now connect to the HMC with the WEB-based System Manager. We’ll run on version 6 in here but the method remains the same on newer versions.
Navigate in “Service Applications”
-> “Service Focus Point”
-> “Maintenance Utilities”

Select your system
In the menu, click on “Selected”, “Service Control Panel Functions”
and select appropriate partition
In the menu, click on “Partition Functions” -> “Dedicated Service Tools Activation”
Click on OK
 
Back to the HMC 5250 session, a new menu is showing up:
Dedicated Service Tools (DST) – Opening
Log in as QSECOFR/QSECOFR
Now reset the SST password.
 
SST menu is now reachable with the new password
Under a AS400 session as QSECOFR run:

STRSST
 

Tags: , , ,

No responses yet

May 30 2009

Daily Accounting in Freeradius

Published by under Cisco,Freeradius

We have seen a few posts on Freeradius user list and other forums asking how to collect accounting periodically. The Radius protocol provides accounting but not in the way that many would like. Here’s a short list of things we would like to modify or improve:

  • Traffic is not collected at regular intervals
    As a result, it is impossible to generate daily graphs with download/upload. Traffic will be corrupted because it is again, impossible to compute traffic over a given period of time with accuracy
  • The active session doesn’t appear because the database only contains null values after a start record has been inserted
  • Some records may be lost on the way (between routers and the Radius server). The Radius protocol runs on UDP, which doesn’t support acknowledgements.
  • Any usage over 4GB is reset to 0 if the session is not interrupted before then. The format of the field is a 32 bit unsigned value as defined in the RFC.

A number of issues arise for those who want to extract this data and do something out of it. No restrictions can be applied for example. Nor collect values and export them to a billing software. Graphs display nul values if the user hasn’t disconnected for a while. Even though there are some ways to send updates from the Network Access Server (NAS), we weren’t happy with this as the stop record time remains 00-00-00 and a query might become complicated and time-consuming if previous stop-records were lost on the way. In the best scenario, traffic can be collected (including the active session), but it remains impossible to know your Freeradius daily accounting accurately for instance.


Method

Some suggested to reset all connections at regular intervals but why should customers be disconnected to collect a fair amount of traffic? How could we justify this for an always-on connection? Some simple modifications can fix these small issues. Let’s check briefly what can be done:
Traffic is not collected at regular intervals. We could send updates from the router every so often which is a good step. But that’s not sufficient as the new data overwrites the previous amount of traffic. A fair way to proceed is to create a new stop and start record instead from this update. This would minimize the missing last record impact if the time period is small enough. Lost records wouldn’t be a problem either if we compare the new value against the last received.
Finally, we can work around the 4GB limit with Acct-Input-Gigawords and Acct-Input-Gigawords Radius extension attributes if your router supports it (Method we are going to use here). If your hardware doesn’t support it, a few modifications in the SQL code below would do. It’s been tested in a live environment with 3 Radius servers and over 5000 customers. Data is then transferred to a billing software.


Before You Start

We have applied these changes on Fedora Core and Solaris with Freeradius 1.1.3. The operating system shouldn’t really matter as most changes are made on SQL queries. You will need a running setup of Freeradius and Mysql. You need a Mysql version that supports stored procedures. Make also sure your router (NAS) supports Radius accounting updates and Acct-Input-Gigawords attributes (usually the case for Cisco).


Adding Support for Radius Extension Attributes

As mentionned in RFC2869, additional attributes were created to answer certain needs through various useful functions. Acct-Input-Gigawords and Acct-Output-Gigawords attributes indicate how many times Acct-Input-Octets and Acct-Output-Octets counters were reset to 0 after reaching 2^32. They are present in Stop and Interim-Update records, which is just what we want.
You can activate this on a Cisco router by entering

aaa accounting gigawords

We don’t need to create extra columns in the Radius database; We’ll calculate the new amount of traffic on the fly. The benefits are it keeps the original structure of the database and accounting scripts you may have written don’t need to be modified. On the other hand, it saves a lot of extra space.
The second modification is done in the SQL query.

Note You will be asked to reload the router to apply the new settings. Do this at a convenient time.


Configuring the NAS to send accounting update

There are 2 ways to achieve this. You either configure your router (NAS) to send regular accounting updates to the Radius server, either add an extra parameter in the customer’s details. We’d rather do it on the router as it takes precedence over the Radius parameter. We are using a Cisco router for which the command is:

aaa accounting update periodic 180

This sends an update every 3 hours which should be sufficient to get your Freeradius daily accounting. I should mention that this applies when the customer’s connection is established, meaning you need to reset appropriate interfaces if you don’t want to wait for the connections to reset.

Caution Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.


Defining New Queries for Update and Stop Records

The SQL code for update and stop queries needs to be replaced. We call stored procedures because there’s a bit of processssing to be done. Insert into Mysql Radius database these 2 procedures.

DROP PROCEDURE IF EXISTS radius.acct_update;
delimiter //
CREATE PROCEDURE radius.acct_update(
  IN S DATETIME,
  IN Acct_Session_Time INT(12),
  IN Acct_Input_Octets BIGINT(20),
  IN Acct_Output_Octets BIGINT(20),
  IN Acct_Terminate_Cause VARCHAR(32),
  IN Acct_Session_Id varchar(64),
  IN SQL_User_Name VARCHAR(64),
  IN NAS_IP_Address VARCHAR(15),
  IN Acct_Unique_Session_Id VARCHAR(32),
  IN Realm VARCHAR(64),
  IN NAS_Port VARCHAR(15),
  IN NAS_Port_Type VARCHAR(32),
  IN Acct_Authentic VARCHAR(32),
  IN Called_Station_Id VARCHAR(50),
  IN Calling_Station_Id VARCHAR(50),
  IN Service_Type VARCHAR(32),
  IN Framed_Protocol VARCHAR(32),
  IN Framed_IP_Address VARCHAR(15)
)
BEGIN
  DECLARE Prev_Acct_Input_Octets BIGINT(20);
  DECLARE Prev_Acct_Output_Octets BIGINT(20);
  DECLARE Prev_Acct_Session_Time INT(12);

  # Collect traffic previous values
  SELECT SUM(AcctInputOctets), SUM(AcctOutputOctets), SUM(AcctSessionTime)
    INTO Prev_Acct_Input_Octets, Prev_Acct_Output_Octets, Prev_Acct_Session_Time
    FROM radacct
    WHERE AcctSessionId = Acct_Session_Id
    AND UserName = SQL_User_Name
    AND NASIPAddress = NAS_IP_Address
    AND ( AcctStopTime > 0);

  # Set values to 0 when no previous records
  IF (Prev_Acct_Session_Time IS NULL) THEN
    SET Prev_Acct_Session_Time = 0;
    SET Prev_Acct_Input_Octets = 0;
    SET Prev_Acct_Output_Octets = 0;
  END IF;

  # Update record with new traffic
  UPDATE radacct SET AcctStopTime = S,
    AcctSessionTime = (Acct_Session_Time - Prev_Acct_Session_Time),
    AcctInputOctets = (Acct_Input_Octets - Prev_Acct_Input_Octets),
    AcctOutputOctets = (Acct_Output_Octets - Prev_Acct_Output_Octets),
    AcctTerminateCause = Acct_Terminate_Cause
    WHERE AcctSessionId = Acct_Session_Id
    AND UserName = SQL_User_Name
    AND NASIPAddress = NAS_IP_Address
    AND (AcctStopTime IS NULL OR AcctStopTime = 0);

  # Create new record
  INSERT INTO radacct
   (AcctSessionId, AcctUniqueId, UserName,
    Realm, NASIPAddress, NASPortId, NASPortType,
    AcctStartTime, AcctStopTime, AcctSessionTime,
    AcctAuthentic, AcctInputOctets, AcctOutputOctets,
    CalledStationId, CallingStationId, AcctTerminateCause,
    ServiceType, FramedProtocol, FramedIPAddress,
    AcctStartDelay, AcctStopDelay)
  VALUES
   (Acct_Session_Id, Acct_Unique_Session_Id, SQL_User_Name,
    Realm, NAS_IP_Address, NAS_Port, NAS_Port_Type,
    S, '0', '0',
    Acct_Authentic, '0', '0',
    Called_Station_Id, Calling_Station_Id, '',
    Service_Type, Framed_Protocol, Framed_IP_Address,
    '0', '0');
END;
//
delimiter ;

Note You need to update the table names if they have been changed in sql.conf. We use the default value from the file and database structure “Radacct”.

We need to retrieve the traffic from previous updates because the router sends a counter and not the amount of traffic sent during that period of time. A stop record is then created with the traffic difference. The stop query needs to be modified as well:

DROP PROCEDURE IF EXISTS radius.acct_stop;
delimiter //
CREATE PROCEDURE radius.acct_stop(
  IN S DATETIME,
  IN Acct_Session_Time INT(12),
  IN Acct_Input_Octets BIGINT(20),
  IN Acct_Output_Octets BIGINT(20),
  IN Acct_Terminate_Cause VARCHAR(32),
  IN Acct_Delay_Time INT(12),
  IN Connect_Info VARCHAR(32),
  IN Acct_Session_Id varchar(64),
  IN SQL_User_Name VARCHAR(64),
  IN NAS_IP_Address VARCHAR(15)
)
BEGIN
  DECLARE Prev_Acct_Input_Octets BIGINT(20);
  DECLARE Prev_Acct_Output_Octets BIGINT(20);
  DECLARE Prev_Acct_Session_Time INT(12);

  # Collect traffic previous values
  SELECT SUM(AcctInputOctets), SUM(AcctOutputOctets), SUM(AcctSessionTime)
    INTO Prev_Acct_Input_Octets, Prev_Acct_Output_Octets, Prev_Acct_Session_Time
    FROM radacct
    WHERE AcctSessionId = Acct_Session_Id
    AND UserName = SQL_User_Name
    AND NASIPAddress = NAS_IP_Address
    AND ( AcctStopTime > 0);

  # Set values to 0 when no previous records
  IF (Prev_Acct_Session_Time IS NULL) THEN
    SET Prev_Acct_Session_Time = 0;
    SET Prev_Acct_Input_Octets = 0;
    SET Prev_Acct_Output_Octets = 0;
  END IF;

  # Update record with new traffic
  UPDATE radacct SET AcctStopTime = S,
    AcctSessionTime = (Acct_Session_Time - Prev_Acct_Session_Time),
    AcctInputOctets = (Acct_Input_Octets - Prev_Acct_Input_Octets),
    AcctOutputOctets = (Acct_Output_Octets - Prev_Acct_Output_Octets),
    AcctTerminateCause = Acct_Terminate_Cause,
    AcctStopDelay = Acct_Delay_Time,
    ConnectInfo_stop = Connect_Info
    WHERE AcctSessionId = Acct_Session_Id
    AND UserName = SQL_User_Name
    AND NASIPAddress = NAS_IP_Address
    AND (AcctStopTime IS NULL OR AcctStopTime=0);
END;
//
delimiter ;


This is the same as the original query except that it retrieves the previous traffic again. If you don’t use accounting updates, this will do the same as before.


Updating sql.conf on Freeradius

The last bit is to replace the SQL code in sql.conf, to call the 2 procedures above.
Replace accounting_update_query with

accounting_update_query = " \
 CALL acct_update( \
          '%S', \
          '%{Acct-Session-Time}', \
          '%{%{Acct-Input-Gigawords}:-0}'  << 32 | '%{%{Acct-Input-Octets}:-0}', \
          '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
          'Acct-Update', \
          '%{Acct-Session-Id}', \
          '%{SQL-User-Name}', \
          '%{NAS-IP-Address}', \
          '%{Acct-Unique-Session-Id}', \
          '%{Realm}', \
          '%{NAS-Port}', \
          '%{NAS-Port-Type}', \
          '%{Acct-Authentic}', \
          '%{Called-Station-Id}', \
          '%{Calling-Station-Id}', \
          '%{Service-Type}', \
          '%{Framed-Protocol}', \
          '%{Framed-IP-Address}')"

 
and accounting_stop_query with

accounting_stop_query = " \
CALL acct_stop( \
          '%S', \
          '%{Acct-Session-Time}', \
          '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
          '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
          '%{Acct-Terminate-Cause}', \
          '%{%{Acct-Delay-Time}:-0}', \
          '%{Connect-Info}', \
          '%{Acct-Session-Id}', \
          '%{SQL-User-Name}', \
          '%{NAS-IP-Address}')"

Reboot the radius server to apply the new settings, and you will now get Freeradius daily accounting records splitting traffic from long sessions!

 

Tags: , , , ,

33 responses so far

May 18 2009

Export NFS shares in AIX

Published by under Aix

Here are pretty simple steps required to export NFS shares in AIX.

Export NFS Shares on Server

Edit /etc/exports (or create it if it doesn’t exist) and add folders you would like to share:

/home/public -access=client1,root=client1

Option access restricts the list of clients, root allows to mount the share by root user on the remote system.
 
Start related services nfsd and mountd:

startsrc -s nfsd
startsrc -s mountd

 
Now that services have been started, check daemons are actually running:

AIX_NFS_Server $ lssrc -s nfsd
Sub-system      Group           PID     State
 nfsd           nfs             36540   active

AIX_NFS_Server $ lssrc -s portmap
Sub-system      Group           PID     State
 portmap        portmap         3890    active
AIX_NFS_Server $ lssrc -s biod

Sub-system      Group           PID     State
 biod           nfs             6454    active

 
You can then export all directories listed in /etc/exports at once

exportfs -a

They should be visible running “exportfs” on the command line with no option.

Mount NFS Shares on Client

Check from the client that RPC services are reachable:

Linux_NFS_Client $ rpcinfo -p $NFS_Server_IP | egrep "(mountd|nfs)"
    150001    1   udp  32773  pcnfsd
    150001    2   udp  32773  pcnfsd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  41863  mountd
    100005    2   udp  41863  mountd
    100005    3   udp  41863  mountd
    100005    1   tcp  41489  mountd
    100005    2   tcp  41489  mountd
    100005    3   tcp  41489  mountd

 
If you got results from the previous command, NFS shares should be visible with showmount on a Linux client for example:

Linux_NFS_Client $ showmount -e $Server_IP
Export list for $SERVER_IP:
/home/public (everyone)

 
You can now mount the share:

Linux_NFS_Client $ mount -t nfs $Server_IP:/home/public /mnt
 

Tags: ,

2 responses so far

May 16 2009

Graph Number of Freeradius Sessions with MRTG

Published by under Freeradius,Monitoring

You can easily graph Freeradius number of active sessions with a simple shell script, if you store accounting data in a SQL database.

Use the script below for Mysql that you can easily adapt to other databases like Oracle or PostgreSQL. Check the complete list of supported databases by Freeradius.
 

#!/bin/bash

SQL_USERNAME=radius_username
SQL_DATABASE=radius
SQL_PASSWORD=your_password
SQL_SERVER=127.0.0.1
SQL_ACCOUNTING_TABLE=radacct
BACK_DAYS=5

SESSIONS=`mysql -BN -u$SQL_USERNAME -p$SQL_PASSWORD -h $SQL_SERVER $SQL_DATABASE -e \
  "SELECT COUNT(*) FROM $SQL_ACCOUNTING_TABLE \
  WHERE acctstoptime IS NULL \
  AND Acctstarttime > NOW() - INTERVAL $BACK_DAYS DAY;"`

echo $SESSIONS


A certain number of sessions remain unclosed due to random packet losses, or network disconnections between the NAS and the Radius server. Sessions older than $BACK_DAYS are ignored to get the most accurate value.

Freeradius active session graph


The script returns the number of active sessions. It is then possible to graph this one value in MRTG that normally ask for two of them.

Offer you users upload/download graphs of their Internet network usage as well.

 

Tags: , , ,

One response so far

Apr 27 2009

Initiate VPN connection on Cisco PIX

Published by under Cisco

Having set up VPN parameters on two Cisco PIX, you need to generate a traffic flow from a network to another to bring the connection up. This can be annoying if want to make sure the tunnel is active before you connect the network.
 
Let’s take 2 sub-networks 192.168.2.0/24 and 192.168.3.0/24.
Once VPN connections are configured on the Cisco PIX, double-check you have these:
 
On PIX1:

PIX1#show run
access-list VPN_TO_PIX2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
...
ip address inside 192.168.2.1 255.255.255.0
...
management-access inside

 
Same on PIX2 for all, but the IP address indeed.
Management-access allows the PIX to send the ping back from the internal interface.
 
To activate the VPN connection, you just need to ping the remote Cisco’s internal interface from the internal local interface. In a nutshell:

PIX1#ping inside 192.168.3.1
        192.168.3.1 response received -- 60ms
        192.168.3.1 response received -- 50ms
        192.168.3.1 response received -- 50ms

 
Check the VPN has been created:

PIX1# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst	     src        state        pending      created
      PIX2_IP      PIX1_IP      QM_IDLE      0            2
 

Tags: , ,

No responses yet

« Prev - Next »