by Vlad Mencl REANNZ technical contribution · Icinga2 (originally based on Nagios) is the monitoring system Icingaweb2 provides the web interface to Icinga Use Icinga to monitor

1eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018

eduroam ancillary servicesREANNZ technical contribution

by Vlad Mencl

August 6, 2018 (XeAP-2 workshop day 2, session 1)


• About Me - Vlad Mencl• AdminTool (DjNRO) - user interface

○ After break: lab: deploying and configuring AdminTool with containers

• Metrics: ELK brief overview○ After break: lab: deploying and configuring ELK with

containers

Presentation Outline


• Software Engineer at REANNZ since August 2015○ Came with Tuakiri (NZ Identity Federation) merging into REANNZ○ Worked in R&E space at U of Canterbury for ~ 9 years

■ BeSTGRID, NeSI, PRAGMA

• My CS academic past (in Component based software development)○ Charles University (Prague, Czech Republic): PhD 2004○ United Nations University International Institute for Software

Technology (UNU-IIST) in Macao, China (2005-2006)○ University of New Hampshire, USA (2002)

Vlad Mencl: About me


Administration tool for the National Roaming Operator (NRO) to manage participating institutions● Tracks Institutions, Radius Servers, Locations● Self-administration by approved institutional administrators

○ Users can have externally managed accounts or internal accounts:■ SAML Federation login■ Social login (Google/Twitter/….)■ Internal accounts on in the application (last resort)

○ User’s identity gets linked with their institution by an NRO administrator

● Map of Service Locations for End users● XML of Service Locations to push upstream to eduroam Global

AdminTool (DjNRO)


● Name: Django (framework) + NRO● Comes from GRNET (Greece)● Collaborating with the GRNET team on DjNRO code

○ Several (minor) pull requests already merged

● REANNZ is using this tool internally at https://member.eduroam.net.nz○ So far for Service Locations only

■ (Radius was already fully configured when deploying this tool)

DjNRO: the code base


End-users see an interactive map of service locations

DjNRO - For users


DjNRO: Institutional administrators: self-service interface


DjNRO: NRO administration interface (super-user / DB access)

NRO Administrator can see and modify all objects(via the Django CRUD interface)


● Service Locations: /general/institution.xml● All locations globally: /services/allpoints… and more ...Future:● eduroam NRS config● monitoring config

DjNRO: Data Exports


AdminTool/DjNRO Benefits: your eduroam is visible

for your users to find you….


Let users find your eduroam site on the go with the eduroam companion App

Search for “eduroam companion” in

Google Play or the AppStore

AdminTool/DjNRO Benefits: eduroam companion app


● REANNZ Prod site: https://member.eduroam.net.nz/(uses Google + SAML login)

● XeAP-2 deployment: https://nz-rad1.tein.aarnet.edu.au/(newer version with Google login)

Demo


Planned enhancements to DjNRO:• More exports: generating NRS FreeRadius config, monitoring config• Tracking additional information

○ Radius server type and capabilities…○ Institutions identity store type and capabilities○ Institutional policy URLs○ Service location hardware type and capabilities○ Contact type + SMS capability

• Approval workflow○ NRO to approve sensitive actions (like adding a new realm) done by

institutional admins.

AdminTool Future Work


● We use the ELK stack (ElasticSearch, Logstash, Kibana)

○ ElasticSearch is the back-end search engine (and “database”)

○ Logstash is the pipeline to feed the data in:

■ Receive data from other systems

■ Pre-process (parse) known log formats into (semi-)structured data

■ Push into ElasticSearch

○ Kibana: data visualization platform

■ Explore the data in ElasticSearch

■ Value yet to be explored

Metrics services: ELK stack


Filebeat: forward logs to Logstash● AdminTool deployment comes with a forwarder of the

Apache logs○ More a proof-of-concept, but could be useful...

● Separate forwarder of Radius linelog○ Separate forwarders for freeradius and radsecproxy

● Just add another Docker container...

Metrics: importing data


● Icinga2 (originally based on Nagios) is the monitoring system

● Icingaweb2 provides the web interface to Icinga

● Use Icinga to monitor all Radius servers

○ NRS servers and institutional radius servers

○ Status checks and attempt logins with rad_eap_test

○ Send out alerts as appropriate

○ Credentials and other connection details available in DjNRO

■ And so are admin contact email addresses.

■ So it should be possible to generate the full configuration.

● So far, prototype configuration for a single host available

○ But still need to design a scalable approach to configuration.

Monitoring services: Icinga2 + Icingaweb2


Questions?

After break:● Deploying Admin Tool with Docker● Deploying Metrics (ELK) with Docker

Questions?


● Admintool athttps://nz-rad1.tein.aarnet.edu.au/

● Metrics athttps://nz-rad1.tein.aarnet.edu.au:9443

● Monitoring athttps://nz-rad1.tein.aarnet.edu.au:8443/

ALL: login: “admin” / “admin-password-XeAP2”

Explore now

by Vlad Mencl REANNZ technical contribution · Icinga2 (originally based on Nagios) is the monitoring system Icingaweb2 provides the web interface to Icinga Use Icinga to monitor

Documents