THANKS for posting this.
-jcw
[UA Logo]
John Watters The University of Alabama
Office of Information Technology
205-348-3992
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Walter Reynolds
Sent: Friday, October 16, 2015 7:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths
The script (which was actually created by a co-worker) is run by adding the IP
address of the WLC and the the SNMP community string. You will obviously need
to change the path from /home/waltr/bin/radiusstats/ to something that works
for you. I attached the script and the MIB file
First thing it does is add the date to the output file (output file is the WLC
IP address appended by .stats)
The join command combines the output of the filtered snmp queries
Next comes the snmptable command.
The tail removes unneeded lines from the query
awk says to give you the columns you need
Second snmptable command
Again tail removes unneeded lines
The sed replaces header with something shorter to better fit on a screen
The column command formats for better readability
Finally we paste the output into the output file.
As far as determining how many Auths overall it is easier to do this on the
radius server as the cisco stats just keep growing and you would need to run
this script every minute and then find the difference between the values....
With freeradius you can just run something like this to get a second by second
count
grep "Login OK" /usr/local/var/log/radius/radlog.archive/radius.log-20151016 |
grep TLS | cut -d " " -f 4 | uniq -c
12 10:44:59
16 10:45:00
18 10:45:01
21 10:45:02
To get a minute by minute
grep "Login OK" /usr/local/var/log/radius/radlog.archive/radius.log-20151016 |
grep TLS | cut -d " " -f 4 | cut -d: -f 1,2 | uniq -c
890 10:44
925 10:45
------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
On Fri, Oct 16, 2015 at 12:46 AM, Watters, John
<john.watt...@ua.edu<mailto:john.watt...@ua.edu>> wrote:
Please send this stuff out. I would love to use it with our Cisco 8510s and our
FreeRadius servers.
Thanks.
Sent from my iPhone
> On Oct 15, 2015, at 9:54 PM, Walt Reynolds
> <wa...@umich.edu<mailto:wa...@umich.edu>> wrote:
>
> We have Cisco controllers and have a script that polls the radius table and
> then queries the radius stats table to combine the address of the radius
> servers with their stats. This is done on a Unix box with snmpwalk and the
> like. I will send that out in the morning if you want.
>
> I also did some work and got these same stats into cacti.
>
>
>
> Walter Reynolds
> University of Michigan
>
>> On Oct 15, 2015, at 7:36 PM, Jason Cook
>> <jason.c...@adelaide.edu.au<mailto:jason.c...@adelaide.edu.au>> wrote:
>>
>> There are some stats on the controllers but we haven't been able to work out
>> how to poll them via snmp which would be ideal. The other option would be
>> scripting SSH to run the command and pull the relevant information for
>> graphing.
>>
>>
>> (Cisco Controller) >show radius auth statistics
>> Authentication Servers:
>>
>> Server Index..................................... 1
>> Server Address................................... xxxxxxxxx
>> Msg Round Trip Time.............................. 0 (msec)
>> First Requests................................... 0
>> Retry Requests................................... 0
>> Accept Responses................................. 0
>> Reject Responses................................. 0
>> Challenge Responses.............................. 0
>> Malformed Msgs................................... 0
>> Bad Authenticator Msgs........................... 0
>> Pending Requests................................. 0
>> Timeout Requests................................. 0
>> Consecutive Drops ............................... 0
>> Unknowntype Msgs................................. 0
>> Other Drops...................................... 0
>>
>>
>> Server Index..................................... 3
>> Server Address................................... xxxxxxxxx
>> Msg Round Trip Time.............................. 66 (msec)
>> First Requests................................... 2406297
>> Retry Requests................................... 936
>> Accept Responses................................. 244593
>> Reject Responses................................. 10527
>> Challenge Responses.............................. 2151076
>> Malformed Msgs................................... 0
>> Bad Authenticator Msgs........................... 0
>> Pending Requests................................. 9
>> Timeout Requests................................. 1037
>> Consecutive Drops ............................... 0
>> Unknowntype Msgs................................. 0
>> Other Drops...................................... 0
>>
>>
>> Server Index..................................... 4
>> Server Address................................... xxxxxxxxx
>> Msg Round Trip Time.............................. 32 (msec)
>> First Requests................................... 1242604
>> Retry Requests................................... 2373
>> Accept Responses................................. 117933
>> Reject Responses................................. 8209
>> Challenge Responses.............................. 1116035
>> Malformed Msgs................................... 0
>> Bad Authenticator Msgs........................... 0
>> Pending Requests................................. 0
>> Timeout Requests................................. 2800
>> Consecutive Drops ............................... 0
>> Unknowntype Msgs................................. 0
>> Other Drops...................................... 0
>>
>>
>> Server Index..................................... 5
>> Server Address................................... xxxxxxxxx
>> Msg Round Trip Time.............................. 14 (msec)
>> First Requests................................... 248129
>> Retry Requests................................... 34
>> Accept Responses................................. 23145
>> Reject Responses................................. 2192
>> Challenge Responses.............................. 222790
>> Malformed Msgs................................... 0
>> Bad Authenticator Msgs........................... 0
>> Pending Requests................................. 0
>> Timeout Requests................................. 36
>> Consecutive Drops ............................... 0
>> Unknowntype Msgs................................. 0
>> Other Drops...................................... 0
>>
>>
>>
>> --
>>
>>
>> Jason Cook
>> The University of Adelaide, AUSTRALIA 5005
>> Ph : +61 8 8313 4800
>>
>> -----Original Message-----
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
>> On Behalf Of Wang, Yu
>> Sent: Friday, 16 October 2015 9:23 AM
>> To:
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths
>>
>> One way is to parse through radius logs (each controller has its unique
>> client name) and generate stats for auth/sec, auth/min, auth/day. You can
>> also generate graphs from scripts. I wrote a few to generate and mail
>> graphic reports daily.
>>
>>
>> Yu Wang
>> CS, FSU
>> ________________________________________
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
>> on behalf of Jeremy Gibbs [jlgi...@utica.edu<mailto:jlgi...@utica.edu>]
>> Sent: Thursday, October 15, 2015 5:28 PM
>> To:
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths
>>
>> Hmm, I am interested to hear how you might accomplish that. My first
>> instinct is to port mirror the controller to a large enough box to handle
>> the traffic and have a filter looking for port 1645/1812 (whatever your
>> RADIUS AUTH port is) so you only capture that traffic (I would use tcpdump).
>> Then you might be able to do some stats on it if you capture for an hour or
>> so.
>>
>>
>> --
>>
>> Jeremy L. Gibbs
>> Sr. Network Engineer
>> Utica College IITS
>>
>> T: (315) 223-2383<tel:%28315%29%20223-2383>
>> F: (315) 792-3814<tel:%28315%29%20792-3814>
>> E:
>> jlgi...@utica.edu<mailto:jlgi...@utica.edu><mailto:jlgi...@utica.edu<mailto:jlgi...@utica.edu>>
>> http://www.utica.edu
>>
>> On Thu, Oct 15, 2015 at 5:13 PM, Charles Rumford
>> <charl...@isc.upenn.edu<mailto:charl...@isc.upenn.edu><mailto:charl...@isc.upenn.edu<mailto:charl...@isc.upenn.edu>>>
>> wrote:
>> We are using FreeRADIUS, but I want to measure independent of the RADIUS
>> server.
>>
>> --
>> Charles Rumford
>> Network Engineer/Senior Wireless Engineer ISC Network Operations University
>> of Pennsylvania OpenPGP Key ID: 0xF3D8215A
>> (p) 215-746-2808<tel:215-746-2808><tel:215-746-2808<tel:215-746-2808>>
>>
>> Sent from my phone
>>
>> On Oct 15, 2015, at 17:12, Jeremy Gibbs
>> <jlgi...@utica.edu<mailto:jlgi...@utica.edu><mailto:jlgi...@utica.edu<mailto:jlgi...@utica.edu>>>
>> wrote:
>>
>> What are you using for a RADIUS server?
>>
>>
>> --
>>
>> Jeremy L. Gibbs
>> Sr. Network Engineer
>> Utica College IITS
>>
>> T: (315) 223-2383<tel:%28315%29%20223-2383><tel:%28315%29%20223-2383>
>> F: (315) 792-3814<tel:%28315%29%20792-3814><tel:%28315%29%20792-3814>
>> E:
>> jlgi...@utica.edu<mailto:jlgi...@utica.edu><mailto:jlgi...@utica.edu<mailto:jlgi...@utica.edu>>
>> http://www.utica.edu
>>
>> On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford
>> <charl...@isc.upenn.edu<mailto:charl...@isc.upenn.edu><mailto:charl...@isc.upenn.edu<mailto:charl...@isc.upenn.edu>>>
>> wrote:
>> I'm currently embarking on a project to determine the number of RADIUS auths
>> per minute each one of my controllers is generating to plan for the capacity
>> I need for my RADIUS servers.
>>
>> I was curious if anyone has embarked on a similar journey and tried to
>> measure auth rates coming from their controllers?
>>
>> I have a couple of ideas that I'm up for sharing, but I wanted to see if
>> anyone else has done this.
>>
>> Thanks!
>>
>> ----
>> Charles Rumford
>> Network Engineer/Senior Wireless Engineer ISC Network Operations University
>> of Pennsylvania OpenPGP Key ID: 0xF3D8215A
>> (p) 215-746-2808<tel:215-746-2808><tel:215-746-2808<tel:215-746-2808>>
>>
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
>>
>>
>> ********** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>>
>> ********** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>>
>> ********** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent
>> Group discussion list can be found at http://www.educause.edu/groups/.
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
