Installation

All Rights Reserved © Alcatel-Lucent | Installation Module Objectives  Installation  Startup and process monitoring  Uninstallation  Licensing models

All Rights Reserved © Alcatel-Lucent | Installation System Requirements  Have one of the supported platforms:  Solaris SPARC & x86: from 2.7 to 2.10  HP-UX 11.0  Compaq/DEC TRU-64 UNIX  RedHat Enterprise Linux  Windows 2000, 2003 & XP  MacOS: from 10.2 to 10.4  Java Virtual Machine (JRE, SDK ó J2SE)  J2SE 5.0  100 MB of free disk (without considering the accounting data)  256 MB of RAM per CPU (minimum)  512 MB recommended  A valid license file (Temporal or Permanent) *

All Rights Reserved © Alcatel-Lucent | Installation Installation process  The installation is completely guided  With or without graphical interface  8950 AAA software is the same for all platforms as it is based in Java  The Java JRE will be different based on the Operating system  The installation process is launched with:  setup.sh as “root” in UNIX/Linux  setup.sh –gui for graphical interface  setup.exe as “Administrator” in Windows

All Rights Reserved © Alcatel-Lucent | Installation Initial Installation Screen

All Rights Reserved © Alcatel-Lucent | Installation Java Version Check

All Rights Reserved © Alcatel-Lucent | Installation License Agreement

All Rights Reserved © Alcatel-Lucent | Installation Installation Directory  All of the files will be inside that directory

All Rights Reserved © Alcatel-Lucent | Installation Installation Type  It is possible to install both the SMT client and the 8950 AAA servers, or to install the SMT client only

All Rights Reserved © Alcatel-Lucent | Installation License File Location  The license is not necessary for the “SMT only” installation

All Rights Reserved © Alcatel-Lucent | Installation Login/Password for super-administrator

All Rights Reserved © Alcatel-Lucent | Installation * PolicyFlow vs. PolicyAssistant  There are many sample PolicyFlows, useful for learning

All Rights Reserved © Alcatel-Lucent | Installation Certificate Configuration  Necessary for SMT encryption, EAP-TLS/TTLS/PEAP and Diameter  By default, the country, state,.... are taken from the license.txt

All Rights Reserved © Alcatel-Lucent | Installation Setup Complete

All Rights Reserved © Alcatel-Lucent | Installation Automatic installation  The installation process can be done without any interaction from the user  Providing all installation parameters in the command line  If needing digital certificates for HTTPS/SSH/SSL, they will have to be generated later (with SMT or aaa-cert)  Example for Solaris: # mkdir /opt/AAA #./setup.sh -agree -adminUser admin -adminPass admin -server -dir /opt/AAA -license /tmp/license.txt -policySet quick-start -quiet

All Rights Reserved © Alcatel-Lucent | Installation Upgrading to another release  To upgrade, simply install the new version on the same directory, and select to keep existing configuration

All Rights Reserved © Alcatel-Lucent | Installation Manual start-up/shutdown of the servers  From the OS shell, in any platform:  /bin/aaa start, starts both server processes  /bin/aaa start policy - only for the PolicyServer  /bin/aaa start config- only for the SMT server  /bin/aaa stop, starts both server processes  From Windows, also from the Start Menu

All Rights Reserved © Alcatel-Lucent | Installation Automatic start-up/shutdown of the servers (Windows)  8950 AAA automatic start-up on the boot process, will vary depending on the platform  Windows:  8950 AAA servers will start as Windows services  It must be enabled manually to be started-up  Via the Services Window

All Rights Reserved © Alcatel-Lucent | Installation Automatic start-up/shutdown of the servers (Solaris)  Solaris  Create a shell script in the right directory as root #!/sbin/sh AAA_HOME=/opt/AAA [ ! -f $AAA_HOME/bin/va ] && exit case "$1" in 'start') cd $AAA_HOME bin/va start ;; 'stop') cd $AAA_HOME bin/va stop ;; *) echo "Usage: $0 { start | stop }" exit 1 ;; esac #!/sbin/sh AAA_HOME=/opt/AAA [ ! -f $AAA_HOME/bin/va ] && exit case "$1" in 'start') cd $AAA_HOME bin/va start ;; 'stop') cd $AAA_HOME bin/va stop ;; *) echo "Usage: $0 { start | stop }" exit 1 ;; esac # chmod u+x /etc/init.d/AAA # ln -s /etc/init.d/AAA /etc/rc3.d/S03AAA # ln -s /etc/init.d/AAA /etc/rc0.d/K03AAA # chmod u+x /etc/init.d/AAA # ln -s /etc/init.d/AAA /etc/rc3.d/S03AAA # ln -s /etc/init.d/AAA /etc/rc0.d/K03AAA /etc/init.d/AAA

All Rights Reserved © Alcatel-Lucent | Installation Check the servers are running  There are several ways to do it.  Some of them can vary depending on the platform aaa list 101 Server active 8950 AAA Policy Server: responding The server could not be reached: Connection refused 8950 AAA Configuration Server: not responding aaa list 101 Server active 8950 AAA Policy Server: responding The server could not be reached: Connection refused 8950 AAA Configuration Server: not responding /usr/ucb/ps -axww |grep –i AAA | grep java pts/2 S 0:58 java -Xmx512m -server -XX:+UseParNewGC -XX:+UseConcMarkSweepGC –D sun.rmi.dgc.server.gcInterval=0x7FFFFFFFFFFFFFFE -Dsun.rmi.dgc.client.gcInterval=0x7FFFFFFFFFFFFFFE - Dva.base=/opt/AAA -Dva.run=/opt/Lucent/AAA/run -Dva.bin=/opt/Lucent/AAA/bin -Dva.lib=/opt/Lucent/AAA/lib - Dva.native=/opt//AAA/lib/SunOS-sparc com.lucent.aaa. PolicyServer pts/2 S 0:14 java -Dva.base=/opt/Lucent/AAA -Dva.run=/opt/Lucent/AAA/run Dva.bin=/opt/Lucent/AAA/bin - Dva.lib=/opt/Lucent/AAA/lib -Dva.native=/opt/Lucent/AAA/lib/SunOS-sparc com.lucent.aaa. ConfigServer /usr/ucb/ps -axww |grep –i AAA | grep java pts/2 S 0:58 java -Xmx512m -server -XX:+UseParNewGC -XX:+UseConcMarkSweepGC –D sun.rmi.dgc.server.gcInterval=0x7FFFFFFFFFFFFFFE -Dsun.rmi.dgc.client.gcInterval=0x7FFFFFFFFFFFFFFE - Dva.base=/opt/AAA -Dva.run=/opt/Lucent/AAA/run -Dva.bin=/opt/Lucent/AAA/bin -Dva.lib=/opt/Lucent/AAA/lib - Dva.native=/opt//AAA/lib/SunOS-sparc com.lucent.aaa. PolicyServer pts/2 S 0:14 java -Dva.base=/opt/Lucent/AAA -Dva.run=/opt/Lucent/AAA/run Dva.bin=/opt/Lucent/AAA/bin - Dva.lib=/opt/Lucent/AAA/lib -Dva.native=/opt/Lucent/AAA/lib/SunOS-sparc com.lucent.aaa. ConfigServer : / run# cat policy.pid : / run# cat policy.pid : / run# cat config.pid : / run# cat config.pid 28520

All Rights Reserved © Alcatel-Lucent | Installation Running the servers as a non-root user  For extra security, some people prefer to run processes as a non-root user  The TCP/UDP ports should be above Be careful with:  Enabling the SNMP agent with the default UDP 161 port,  Using the DHCP plug-in (by default it uses UDP ports 67 or 68)  Using TACACS+ (TCP port 49)  Typical steps:  Create the non-root user with any name (I.e: aaa, va, etc)  Change the ownership of the 8950 AAA directories  root# chown – R aaa /opt/AAA  Start the 8950 AAA processes as the non-root user  root# su – aaa – c “ /opt/AAA/bin/aaa start ”

All Rights Reserved © Alcatel-Lucent | Installation Uninstallation  From Windows :  Startup Menu -> Configuration -> Control Pannel -> Add & Remove Programs  From UNIX, uninstallation process is launched using the same command as for installation, but using the "uninstall" option  cd /dir_with_AAA_installation_software ./setup.sh – uninstall, or ./setup.sh -uninstall -dir -quiet  Remove any file that may remain in the installation directory  All files are stored in the same directory *

All Rights Reserved © Alcatel-Lucent | Installation Version numbering  The version format is..  Major is a major release with new features  Minor is a minor release with some minor new features  Micro is a bug fix only release normally and may contain new customer specific / debugging features only.  Examples:    Licenses are bound to the major. If you upgrade to another major, you need a new license.

All Rights Reserved © Alcatel-Lucent | Installation license.txt  File containing the 8950 AAA license  Represents the customer rights to use  Without a valid license file, the PolicyServer won´t start  The same license is valid for every "major release" (1st number in the version)  A license for 4.5 won´t be valid for 5.1  A license for 5.0 will be valid for 5.1  To install a new license, simply put it under the /run directory, and restart the PolicyServer  The license validity is checked at startup and every day at midnight (00:00) * -----BEGIN 8950 AAA LICENSE----- Akk7PLLoXkEPXbkgmk59Dhh/HhIwALfTgjfRt+Ri/Rseh4LkDLrgoOVWwPo+pE1I tNeWvN0INeeefVJ7DHCWUkStHsiQBx4qrDZE0FWTjmctiWhER3zQSflG8fT6wXX5 ALTyihciszBWqD2VPBAReWFiJxBSZkyhkoatBiQjF8tOTHVjZW50IFRlY2hub2xv Z2llcwBodHRwOi8vd3d3Lmx1Y2VudC5jb20AQXZkYS4gQnJ1c2VsYXMgOABBbGNv YmVuZGFzAE1hZHJpZAAyODEwOABlcwBQZWRybyBWaXRvbgB2aXRvbkBsdWNlbnQu Y29tACszNCA5MSA3MTQgODY5MgAAAABFdmFsdWF0aW9uIExpY2Vuc2UAbHVjZW50 AAAA -----END 8950 AAA LICENSE BEGIN 8950 AAA LICENSE----- Akk7PLLoXkEPXbkgmk59Dhh/HhIwALfTgjfRt+Ri/Rseh4LkDLrgoOVWwPo+pE1I tNeWvN0INeeefVJ7DHCWUkStHsiQBx4qrDZE0FWTjmctiWhER3zQSflG8fT6wXX5 ALTyihciszBWqD2VPBAReWFiJxBSZkyhkoatBiQjF8tOTHVjZW50IFRlY2hub2xv Z2llcwBodHRwOi8vd3d3Lmx1Y2VudC5jb20AQXZkYS4gQnJ1c2VsYXMgOABBbGNv YmVuZGFzAE1hZHJpZAAyODEwOABlcwBQZWRybyBWaXRvbgB2aXRvbkBsdWNlbnQu Y29tACszNCA5MSA3MTQgODY5MgAAAABFdmFsdWF0aW9uIExpY2Vuc2UAbHVjZW50 AAAA -----END 8950 AAA LICENSE-----

All Rights Reserved © Alcatel-Lucent | Installation Licensing models  There are several types of licenses:  BP (Base Product): license per server (Ip address or host name)  For a redundant platform, at least 2 licenses are needed  Changing the host IP address means generating a new license –Not necessary if the license is bound to the host name, and the host name is maintained  SP (Service Provider), price independent of number of VA servers  Wi-Fi Edition: license for 2 servers  Evaluation: For 30 days and less than 15 NAS's  PolicyAssistant only: Without the option to create custom PolicyFlows  The price also depends on:  Number of clients (NAS|AP)  Number of ports (possible simultaneous sessions) and users  Special features enabled: HA-USS, EAP-SIM, EAP-AKA, LDAP interface on USS, possibility to modify the PF (not necessary if using the PA), Diameter, TACACS+, Lawful Intercept, etc.

All Rights Reserved © Alcatel-Lucent | Installation License.txt decoded