Analyze AAA/PCRF logs without Kubernetes and ELK
Interpreting the AAA Server Logs
Contents
3> Configuring the Service Driver
4> Session Manager (before sending Access-Accept to controller)
5> Sending Access-Accept back to the controller
6> Request to lease IP (from DHCP of BNG)
ACCESS-ACCEPT PACKET FOR DHCP REQUEST
7> First Accounting-Start from BNG to Main AAA
8> Universal Plugin (Accounting-Request)
9> Applying Accounting Policy & Service Driver
10> Accounting session creation
11> AAA sends proxy Accounting start to proxy AAA
12> Proxy AAA Receives Acct-Start Request from main AAA
13> Applying Universal Plugin
14> Sending the Accounting-Response
15> Main AAA sends Accounting Interim to Proxy AAA
16> Interim Update is changed to Accounting-Start
17> Applying the Accounting Service policy
18> Sending Accounting-Request to LI-IMS Server
19> Sending Accounting-Request to SASN
Purpose
This document focuses on the logs generated by the AAA Server. It is written for system administrators, so that they can understand and interpret the logs and troubleshoot event failures.
Introduction
Whether you are dealing with a system failure or just want to monitor your network activities, the best way is to look in the log and track the network events.
A log file is a record of events occurring within the network. Logs are an important aspect of troubleshooting: they keep track of what is happening in the network. Interpreting the logs helps administrators analyze network events and resolve errors quickly.
Using these logs, you can find out about various events, such as when a user connected to the server, when a session was created, which Service policy was applied to a user, the number of concurrent logins by a user, why a request was dropped, etc. Sometimes you'll also see warnings that don't indicate that a problem has occurred yet, but advise you that a particular event or configuration could cause problems later.
Collection and storage of these logs are important for reasons like traceability, statistics and identifying security events. Logs serve many functions in today's computer systems, such as troubleshooting problems, investigating malicious activity and recording the actions of users and systems.
Interpreting the logs
The default log file is generated by the AAA server at location $EliteAAA_Home/logs and is named elite-aaa-server.log. This log file contains information related to specific events that have occurred within the network.
Log reviews can help in:
- Identifying the Packet Type (e.g. Access-Request, Access-Reject, Access-Challenge etc.)
- Identifying the source and destination address
- Identifying the Service policies applied to a particular user
- Finding out the attributes in the Request/Response packet
- Identifying the operational problems
The entire log file is split into fragments, each of which is explained below.
1> Access-Request
For EAP-TTLS
The above fragment of log file indicates:
It is an Access-Request (EAP-TTLS) packet for RADIUS authentication.
Since the Username = IMSI, i.e. 404100123826362, it is an EAP-TTLS request.
Received from source IP 10.226.205.30 and port 32769.
The request originated from Calling-Station-Id 5c-0a-5b-58-6f-89 to Called-Station-Id 00-1f-6d-ba-7e-b0:airtel hangout.
You can see that attributes such as NAS Port, NAS IP Address, NAS Port Type, EAP message etc. are included in the Access-Request packet.
For EAP-SIM
The above fragment of log file indicates:
It is an Access-Request (EAP-SIM) packet for RADIUS authentication.
Since the Username is of the form 1*@wlan, i.e. 1404100121899239@wlan.mnc010.mcc404.3gppnetwork.org, it is an EAP-SIM request.
Received from source IP 10.226.205.30 and port 32769.
The request originated from Calling-Station-Id 60-c5-47-bd-01-66 to Called-Station-Id 00-24-14-8e-37-50:airtel hangout.
You can see that attributes such as Airespace-Wlan-Id, NAS Port, NAS IP Address etc. are included in the Access-Request packet.
2> Policy Check
For EAP-TTLS
The above fragment of log file indicates:
The Access-Request packet reaches EliteAAA. On receiving this authentication request, the rulesets configured in the different Service policies are checked.
Since the Ruleset (0:1=4041001*) is satisfied (true), the EAP-TTLS-AUTH Service policy is applied for this Access-Request.
For EAP-SIM
The above fragment of log file indicates:
The Access-Request packet reaches EliteAAA. On receiving this authentication request, the rulesets configured in the different Service policies are checked.
Since the Ruleset (0:1=4041001*) is satisfied (true), the EAP-SIM-AUTH Service policy is applied for this Access-Request.
3> Configuring the Service Driver
For EAP-TTLS
The above fragment of log file indicates:
In the EAP-TTLS-AUTH Service policy, the MAP Gateway Auth driver is configured. So, the AAA will fetch the subscriber details from the HLR using the MAP Gateway Auth Driver.
The MAP Gateway driver requests the HLR to look up the subscriber profile with IMSI 404100123826362 for authentication.
For EAP-SIM
The above fragment of log file indicates:
In the EAP-SIM-AUTH Service policy, the MAP Gateway Auth driver is configured. So, the AAA will fetch the subscriber details from the HLR using the MAP Gateway Auth Driver.
The MAP Gateway driver requests the triplets for IMSI 404100121899239 for authentication.
Using the Auth Gateway, RAND, SRES and KC are received as triplets from the HLR.
The MAP Gateway driver requests the HLR to look up the subscriber profile with IMSI 404100121899239 and receives the MSISDN in the restore data packet.
4> Session Manager (before sending Access-Accept to controller)
For EAP-TTLS
The above fragment of log file indicates:
For further authentication, the request is processed by the Session Manager. Here, the local session manager has been configured and has behavior type Authentication.
The Session Manager checks whether any concurrent policy has been configured. Here, no concurrent policy is configured in the subscriber profile.
A session for the authentication request is created.
All the values of attributes like CONCUSERID, START_TIME, SESSION_TIMEOUT, USER_NAME, NAS_PORT_TYPE etc. are inserted into tblmconcurrentusers.
You can use this session for the DHCP Discover request that comes from the BNG to the AAA after successful EAP-Authentication.
For EAP-SIM
The above fragment of log file indicates:
For further authentication, the request is processed by the Session Manager. Here, the local session manager has been configured and has behavior type Authentication.
The Session Manager checks whether any concurrent policy has been configured. Here, no concurrent policy is configured in the subscriber profile.
The Response time attribute is added to the Access-Accept response packet.
A session for the authentication request is created.
All the values of attributes like CONCUSERID, START_TIME, SESSION_TIMEOUT, USER_NAME, NAS_PORT_TYPE etc. are inserted into tblmconcurrentusers.
You can use this session for the DHCP Discover request that comes from the BNG to the AAA after successful EAP-Authentication.
5> Sending Access-Accept back to the controller
For EAP-TTLS
The above fragment of log file indicates:
EliteAAA sends the Access-Accept packet back to the controller having IP 10.226.205.30 and port 32769.
The Access-Accept packet structure of EAP-TTLS can be seen above. The packet contains attributes like Reply-Message=Authentication Success, EAP-Message, Class Attribute, Service-Type etc.
For EAP-SIM
The above fragment of log file indicates:
EliteAAA sends the Access-Accept packet back to the controller having IP 10.226.205.27 and port 32769.
The Access-Accept packet structure of EAP-SIM can be seen above. The packet contains attributes like Reply-Message=Authentication Success, EAP-Message, Class Attribute, Service-Type etc.
6> Request to lease IP (from DHCP of BNG)
DHCP REQUEST
The above fragment of log file indicates:
It is an Access-Request (DHCP Discover) packet for leasing an IP address.
Received from source IP 223.239.176.1 (BNG) and port 1812.
Received with Username = d4:5d:42:f5:2d:88 (MAC ID) and NAS-IP-Address = 223.239.176.1.
You can see that attributes such as Identifier, Length, Username, User-Password, NAS Port, NAS IP Address, NAS Port Type etc. are included in the Access-Request packet.
POLICY VERIFICATION
The above fragment of log file indicates:
On receiving this request, the rulesets configured in the Service policies are checked.
Since the Ruleset (0:1=*) is satisfied (true), the Walkin Authentication Service policy is selected.
STRING PLUGIN
The above fragment of log file indicates:
With the help of the String plugin, the value of Username is changed from d4:5d:42:f5:2d:88 to d4-5d-42-f5-2d-88.
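The User-Name forms, ruleset checks and String plugin rewrite described so far can be reproduced offline when triaging attribute values copied out of elite-aaa-server.log. This is an added example, not EliteAAA code: the function names are hypothetical, "0:N" is assumed to mean standard RADIUS attribute number N, ruleset patterns are assumed to be shell-style wildcards, and the NAS-Port-Id value is constructed.

```python
import re
from fnmatch import fnmatchcase

# Assumption: "0:N" means vendor 0 (standard RADIUS) attribute number N.
ATTR_NAMES = {"0:1": "User-Name", "0:40": "Acct-Status-Type", "0:87": "NAS-Port-Id"}

IMSI_RE = re.compile(r"^\d{15}$")
EAP_SIM_RE = re.compile(r"^1(\d{15})@wlan\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def classify_username(user_name):
    """Return (request_kind, lookup_key) using the User-Name forms on this page."""
    m = EAP_SIM_RE.match(user_name)
    if m:
        return "EAP-SIM", m.group(1)  # IMSI with the leading "1" removed
    if IMSI_RE.match(user_name):
        return "EAP-TTLS", user_name  # bare IMSI
    if MAC_RE.match(user_name):
        # Same rewrite the String plugin is described as doing: ':' -> '-'
        return "DHCP", user_name.replace(":", "-")
    return "UNKNOWN", user_name


def ruleset_matches(ruleset, attrs):
    """Evaluate one '<vendor>:<attr>=<pattern>' ruleset against packet attributes."""
    attr_id, sep, pattern = ruleset.partition("=")
    if not sep or attr_id not in ATTR_NAMES:
        raise ValueError(f"unsupported ruleset: {ruleset!r}")
    value = attrs.get(ATTR_NAMES[attr_id])
    # Assumption: a missing attribute never satisfies a ruleset, not even '*'.
    return value is not None and fnmatchcase(str(value), pattern)


if __name__ == "__main__":
    # User-Name values quoted on the page; the NAS-Port-Id is constructed.
    for name in ("404100123826362",
                 "1404100121899239@wlan.mnc010.mcc404.3gppnetwork.org",
                 "d4:5d:42:f5:2d:88"):
        print(name, "->", classify_username(name))
    print(ruleset_matches("0:1=4041001*", {"User-Name": "404100123826362"}))
    print(ruleset_matches("0:87=*4023*clip*",
                          {"NAS-Port-Id": "1/2 vlan-id 4023 clips 131001"}))
```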
FETCHING THE USER PROFILE
The above fragment of log file indicates:
Using the DHCPReqDriver, the profile for user identity d4-5d-42-f5-2d-88 is fetched.
You can see the user profile above.
The user profile has Username = d4-5d-42-f5-2d-88, User-Identity = d4-5d-42-f5-2d-88, IMSI = 404100212041197, MSISDN = 919910222531 and Authorization policy dhcpradiuspolicy.
Since the check item for dhcpradiuspolicy is satisfied, dhcpradiuspolicy is applied.
ACCESS-ACCEPT PACKET FOR DHCP REQUEST
The above fragment of log file indicates:
The Access-Accept packet structure of DHCP can be seen above.
The packet contains attributes like Packet Type=Access-Accept, Reply-Message=Authentication Success, Class Attribute, satisfied Policies, Response Time etc.
Thus, after successful authentication, the IP has been released.
7> First Accounting-Start from BNG to Main AAA
The above fragment of log file indicates:
It is an Accounting-Request packet sent from the BNG to EliteAAA.
Received from source IP 223.239.176.1 (BNG) and port 1812.
Received with Username = d4:5d:42:f5:2d:88 (MAC ID) and NAS-IP-Address = 223.239.176.1.
Acct-Status-Type = Start and Acct-Session-Id = 0001FFFF78007C2B-50BDC814.
You can see that attributes such as Identifier, Length, Username, NAS Port, NAS IP Address, NAS Port Type, Calling Station Id, Idle-Timeout, Class etc. are included in the Accounting-Request packet.
8> Universal Plugin (Accounting-Request)
The above fragment of log file indicates:
With the help of the Universal plugin, Src-Addr attribute = 223.239.176.1:1812, Dst-Addr attribute = 10.226.205.6:1813 and Server Instance Id attribute = 0000005 have been added to the Accounting-Request packet.
Some VSAs and Framed-IP-Address have also been added to the Accounting-Request packet, as shown above.
9> Applying Accounting Policy & Service Driver
The above fragment of log file indicates:
The packet type is 4, which indicates an Accounting-Request.
The rulesets configured in the different Service policies are checked.
Since the Ruleset (0:87=*4023*clip*) is satisfied (true), the EAP-SIM-Acct-Policy is applied for this Accounting-Request.
In the EAP-SIM-Acct-Policy, the Open Db Acct Driver is configured. So, the request is processed by the Open Db Accounting Driver.
10> Accounting session creation
The above fragment of log file indicates:
Further, the request is processed by the Session Manager. Here, the EAP SIM Accounting session manager has been configured and has behavior type Accounting.
A session for the Accounting request is created.
CDR details are stored in tblradiusinterimcdr.
All the values of attributes like CONCUSERID, START_TIME, Acct_Status_TYPE, IDLE_TIMEOUT, Acct_SESSION_ID, NAS_PORT_TYPE, SESSION_STATUS etc. are inserted into tblmconcurrentusers.
11> AAA sends proxy Accounting start to proxy AAA
The above fragment of log file indicates:
It is an Accounting-Request packet sent from the main AAA to the proxy AAA (10.226.205.6:1913).
Received with Username = d4:5d:42:f5:2d:88 (MAC ID) and NAS-IP-Address = 223.239.176.1.
Acct-Status-Type = Start, the Source Address is 223.239.176.1:1812 (main AAA) and the Destination Address is 10.226.205.6:1813 (proxy AAA).
All the other attributes like 3GPP Charging ID, 3GPP-IMEISV, Proxy state, Calling Station ID etc. are included in the above Accounting-Request packet.
12> Proxy AAA Receives Acct-Start Request from main AAA
The above fragment of log file indicates:
It is an Accounting-Request packet received by the proxy AAA (10.226.205.6:1913).
Received from the main AAA having IP 10.226.205.6 and Accounting port 42505.
Received with Username = d4:5d:42:f5:2d:88 (MAC ID) and NAS-IP-Address = 223.239.176.1.
Acct-Status-Type = Start, the Source Address is 223.239.176.1:1812 (main AAA) and the Destination Address is 10.226.205.6:1813 (proxy AAA).
All the other attributes like 3GPP Charging ID, 3GPP-IMEISV, Proxy state, Calling Station ID etc. are included in the above Accounting-Request packet.
13> Applying Universal Plugin
The above fragment of log file indicates:
This is the packet generated after adding the attributes and plugins.
Source and destination Address attributes are added to the Accounting-Request packet.
The Universal Accounting Plugin, i.e. HOLD_START, is applied to the Accounting packet. The action to be taken is Accept.
14> Sending the Accounting-Response
The above fragment of log file indicates:
It is an Accounting-Response packet sent to the main AAA (10.226.205.6:42505).
After adding the Response time, the Response packet is sent back to the main AAA.
15> Main AAA sends Accounting Interim to Proxy AAA
The above fragment of log file indicates:
It is the 1st Interim-Update packet sent from the main AAA to the proxy AAA.
The structure of the Interim-Update packet can be seen above. It includes various attributes like Acct-Status-Type, NAS-Port-Id, REDBACK RB_MAC Address etc.
Further, this Interim-Update packet will be converted to an Accounting-Start packet and sent to SASN and LI-IMS.
16> Interim Update is changed to Accounting-Start
The above fragment of log file indicates:
This is the Accounting-Start packet, which is derived from the Interim-Update packet.
Source and destination Address attributes are added to the Interim-Update packet.
The Universal Accounting Plugin, i.e. CHANGE_INTERIM, is applied to the interim packet.
Further, some attributes like 3GPP-RAT-Type, 3GPP-SGSN_Address, 3GPP-GGSN-Address etc. are added and the above Accounting-Start packet is generated.
17> Applying the Accounting Service policy
The above fragment of log file indicates:
On receiving this Accounting-Start request, the rulesets configured in the different Accounting Service policies are checked.
The Proxy-AAA-Act-Service policy is applied. The CUI attribute is added to the request packet. You can see this in the above Accounting-Start packet.
18> Sending Accounting-Request to LI-IMS Server
The above fragment of log file indicates:
The Accounting Request is processed by the Classic CSV Accounting Driver.
Configured attributes are dumped through the Acct-CSV-Driver; the location of the dumped file is /opt/PROXY_AAA/data/csvfiles/223.239.176.1
Since the Ruleset (0:40=*) is satisfied (true), the Accounting Request is sent to the External System, i.e. the LI_IMS Server.
The above is an Accounting Request packet sent to the LI_IMS Server (192.168.206.2:18000).
19> Sending Accounting-Request to SASN
The above fragment of log file indicates:
Since the Ruleset (0:40=*) is satisfied (true), the Accounting Request is sent to the External System, i.e. SASN.
The above is an Accounting Request packet sent to SASN-ACCT_POLICY (10.2.0.39:1813).
Dushyant Dave