A grande vantagem de trabalhar em um integrador é a possibilidade de deparar com um número muito grande de soluções de rede. Eu já conhecia, através de leituras, o Cisco MSE mas apenas recentemente tive a oportunidade de configurar um.
O MSE é uma ferramenta incrível mas que não encontramos a toda hora nos clientes. Talvez porque a função do mesmo não é vital para o ambiente. A função básica de um MSE é realizar Location e wIPS. Location é a habilidade de localizar usuários dentro da rede Wireless e IPS é voltado para segurança de rede.
O MSE está disponível em máquina virtual e appliance e roda sobre um RedHat. Eu tive a oportunidade de configurar um appliance. Interessante que eu recebi a tarefa devido a um problema encontrado no MSE appliance recem instalado. Por algum motivo ele não se comportava como esperado.
Realizando pesquisas identifiquei que algumas outras pessoas relatavam a mesma condição, desta forma eu suponho que não seja tão raro, o que torna esse post útil.
No caso que encontrei, o appliance apresentava um erro ao tentarmos ver o status do software através dos comandos:
-/etc/init.d/msed status ou getserverinfo.
O resultado vinha como segue:
[root@mse installers]# /etc/init.d/msed status
STATUS:
Health Monitor is running
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Starting MSE Platform, Waiting to check the status.
Isso não é indicativo que tudo está errado, mas é no mínimo estranho. Baseado nesse erro e na impossibilidade de integrar o MSE ao Prime foi o ponto de partida para o trabalho executado.
Outro indicativo de que as coisas não estavam bem, era o erro apresentado após rodar o script de setup:
ERROR: Error in invoking Operation sendAuditLogMsg on mbean
javax.management.InstanceNotFoundException: mse-admin:name=cmdSetupAuditLog
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getMBean(DefaultMBeanServerInterceptor.java:1094)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getClassLoaderFor(DefaultMBeanServerInterceptor.java:1438)
at com.sun.jmx.mbeanserver.JmxMBeanServer.getClassLoaderFor(JmxMBeanServer.java:1276)
at javax.management.remote.rmi.RMIConnectionImpl$5.run(RMIConnectionImpl.java:1326)
at java.security.AccessController.doPrivileged(Native Method)
at javax.management.remote.rmi.RMIConnectionImpl.getClassLoaderFor(RMIConnectionImpl.java:1323)
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:771)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:303)
at sun.rmi.transport.Transport$1.run(Transport.java:159)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:255)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:233)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:142)
at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
at com.cisco.mse.common.util.JMXClient.performOperation(JMXClient.java:187)
at com.cisco.mse.common.util.JMXClient.objectInvoke(JMXClient.java:153)
at com.cisco.mse.common.util.JMXClient.performOperationFromUserInput(JMXClient.java:39)
at com.cisco.mse.common.util.JMXClient.main(JMXClient.java:14)
O erro é aparentemente de Java.
A maior parte dos arquivos do MSE estão em /opt/mse. Três subdiretórios eu gostaria de destacar que é: /opt/mse/installer, /opt/mse/unistall e /opt/mse/setup.
No primeiro encontramos a Base de dados e a ISO e no segundo uma série de script de configuração sendo o script setup.sh o principal deles.
Após algum tempo de verificação e a conclusão de que não era possível progredir, decidi por reinstalar.
A partir de uma máquina conectada via serial ao appliance, entrei no diretório /opt/mse/uninstall e executei o comando:
[root@mse uninstall]# ./uninstall.
É observado a seguinte saída:
About to uninstall...
Cisco Mobility Services Engine
This will remove features installed by InstallAnywhere. It will not remove
files and folders created after the installation.
PRESS <ENTER> TO CONTINUE:
===============================================================================
MSE is stopped, continuing uninstall operation...
===============================================================================
Retain High Availability Configuration
--------------------------------------
Do you wish to preserve High Availability role and pair configuration ?
->1- Yes
2- No
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
: 2
===============================================================================
Uninstall Database, License Files and Map Images
------------------------------------------------
Do you want to remove the database, license files, remote syslog server configuration and map images?
1- Yes
2- No
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
: 1
===============================================================================
Confirm Uninstallation - Primary MSE
------------------------------------
Uninstall options selected:
Preserve High Availability Configuration - No
Uninstall Database, License Files and Map Images - Yes
->1- OK to continue
2- Cancel
ENTER THE NUMBER OF THE DESIRED CHOICE, OR PRESS <ENTER> TO ACCEPT THE
DEFAULT:
===============================================================================
Uninstalling...
---------------
...*
*
*************************
*************************
*************************
************************
...*
*
*************************
*************************
*************************
************************
...*
*
*************************
*************************
*************************
*************************
===============================================================================
Uninstall Complete
------------------
Com isso, desinstalamos o MSE de nosso .
Após a desinstalação, vem a re-instalação. Para isso temos que navegar para /opt/mse/installers .Dentro desse diretório temos os seguintes arquivos:
[root@mse installers]# ls
CISCO-MSE-L-K9-7-4-100-0-64bit.bin database_installer_part3of4.zip
database_installer_part1of4.zip database_installer_part4of4.zip
database_installer_part2of4.zip dbinstaller
Para re-instalar basta rodar o arquivo .bin desta forma:
./CISCO-MSE-L-K9-7-4-100-0-64bit.bin
A saída é como se segue:
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...
Launching installer...
Preparing CONSOLE Mode Installation...
===============================================================================
Cisco Mobility Services Engine (created with InstallAnywhere by Macrovision)
-------------------------------------------------------------------------------
===============================================================================
Introduction
------------
InstallAnywhere will guide you through the installation of Cisco Mobility
Services Engine.
It is strongly recommended that you quit all programs before continuing with
this installation.
Respond to each prompt to proceed to the next step in the installation. If you
want to change something on a previous step, type 'back'.
Licensing on the Mobility Services Engine is enforced with the release of
software version 6.x and greater. Please have the Product Authorization Key
(PAK) and refer to the instructions in the User Guide to enable licensing.
PRESS <ENTER> TO CONTINUE:
===============================================================================
Installing MSE version: 7.4.100.0
===============================================================================
High Availability Role
----------------------
Select a high availability role for this server
->1- Primary
2- Secondary
ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:
:
===============================================================================
MSE Startup
-----------
Would you like the Cisco Mobility Services Engine to startup automatically at
system boot up?
->1- Yes
2- No
ENTER THE NUMBER OF THE DESIRED CHOICE, OR PRESS <ENTER> TO ACCEPT THE
DEFAULT:
===============================================================================
Pre-Installation Summary
------------------------
Please Review the Following Before Continuing:
Product Name:
Cisco Mobility Services Engine
Install Folder:
/opt/mse
Link Folder:
/tmp
Disk Space Information (for Installation Target):
Required: 2,531,801,347 bytes
Available: 515,381,497,856 bytes
PRESS <ENTER> TO CONTINUE:
===============================================================================
Installing...
-------------
[==================|==================|==================|==================]
[------------------|------------------|------------------|------------------]
===============================================================================
Database Installation
---------------------
The installer will now install the database. This may take a long time (up to
30 minutes). Do not cancel the installer.
PRESS <ENTER> TO CONTINUE:
===============================================================================
!!!! IMPORTANT NOTE !!!! :
--------------------------
The system is minimally configured right now. It is strongly recommended that
you run the setup script under /opt/mse/setup/setup.sh to configure all
appliance related parameters immediately after installation is complete.
The hostname must be set correctly on the system. The Cisco MSE platform will
NOT start if it is configured incorrectly or not configured at all.
Additionally, it is strongly recommended that the Cisco MSE be configured to
use the same NTP servers as the controllers with which it will be synchronized.
This is essential to the correct operation of the Cisco Mobility Services
Engine.
Both these parameters may be configured as part of the setup script.
PRESS <ENTER> TO CONTINUE:
===============================================================================
Installation Complete
---------------------
Congratulations. Cisco Mobility Services Engine has been successfully installed
Por hora temos um MSE re-instalado em um Appliance 3355 sobre um RedHat. Vamos ver os próximos passos
Após a instalação, temos que executar o script de configuração. Para isso temos que navegar até o diretório /opt/mse/setup:
[root@mse-bsb setup]# ./setup.sh
--------------------------------------------------------------
Welcome to the appliance setup.
Please enter the requested information. At any prompt,
enter ^ to go back to the previous prompt. You may exit at
any time by typing <Ctrl+C>.
You will be prompted to choose whether you wish to configure a
parameter, skip it, or reset it to its initial default value.
Skipping a parameter will leave it unchanged from its current
value.
Changes made will only be applied to the system once all the
information is entered and verified.
--------------------------------------------------------------
Current hostname=[hostname]
Configure hostname? (Y)es/(S)kip/(U)se default [Skip]:
Current domain=[domain]
Configure domain name? (Y)es/(S)kip/(U)se default [Skip]:
Current role=[Primary]
Configure High Availability? (Y)es/(S)kip/(U)se default [Skip]:
Current IP address=[IP]
Current eth0 netmask=[MASK]
Current gateway address=[GW]
Configure eth0 interface parameters? (Y)es/(S)kip/(U)se default [Skip]:
The second ethernet interface is currently disabled for this machine.
Configure eth1 interface parameters? (Y)es/(S)kip/(U)se default [Skip]:
Domain Name Service (DNS) Setup
DNS is currently enabled.
Current DNS server 1=[DNS]
Configure DNS related parameters? (Y)es/(S)kip/(U)se default [Skip]:
Current timezone=[Time Zone]
Configure timezone? (Y)es/(S)kip/(U)se default [Skip]:
Enter whether you would like to specify the
day and time when you want the MSE to be restarted. If you don't specify anything, then
Saturday 1 AM will be taken as default.
Configure future restart day and time ? (Y)es/(S)kip [Skip]:
Configure Remote Syslog Server to publish/MSE logs MSE logs.
A Remote Syslog Server has not been configured for this machine.
Configure Remote Syslog Server Configuration parameters? (Y)es/(S)kip/(U)se default [Skip]:
Enter whether or not you would like to change the
iptables for this machine (giving access to certain host).
Configure Host access control settings ? (Y)es/(S)kip [Skip]: y
Choose to add/delete/clear host for access control(add/delete/clear): add
Enter IP address of the host / subnet for access to MSE : 10.0.0.0
Network Time Protocol (NTP) Setup.
If you choose to enable NTP, the system time will be
configured from NTP servers that you select. Otherwise,
you will be prompted to enter the current date and time.
NTP is currently enabled.
Current NTP server 1=[NTP Server]
A second NTP server has not been defined.
Configure NTP related parameters? (Y)es/(S)kip/(U)se default [Skip]:
Audit rules Setup.
Configure audit rules and enable Audit daemon? (Y)es/(S)kip/(U)se default [Skip]:
Current Login Banner = [Cisco Mobility Service Engine]
Configure login banner (Y)es/(S)kip/(U)se default [Skip]:
System console is not restricted.
Configure system console restrictions? (Y)es/(S)kip/(U)se default [Skip]:
SSH root access is currently enabled.
Configure ssh access for root (Y)es/(S)kip/(U)se default [Skip]:
Single user mode password check is currently disabled.
Configure single user mode password check (Y)es/(S)kip/(U)se default [Skip]:
Configure root password? (Y)es/(S)kip/(U)se default [Skip]:
Login and password strength related parameter setup
Maximum number of days a password may be used : 99999
Minimum number of days allowed between password changes : 0
Minimum acceptable password length : disabled
Login delay after failed login : 5
Checking for strong passwords is currently enabled.
Configure login/password related parameters? (Y)es/(S)kip/(U)se default [Skip]:
GRUB password is not currently configured.
Configure GRUB password (Y)es/(D)isable/(S)kip/(U)se default [Skip]:
Configure NCS communication username? (Y)es/(S)kip/(U)se default [Skip]: U
The NCS communication username will be reset to "admin"
Configure NCS communication password? (Y)es/(S)kip/(U)se default [Skip]:
Please verify the following setup information.
-------BEGIN--------
Update MSE Host access control settings=Yes, Add/Delete host=add Server=10.0.0.0
NCS username is changed.
-------END--------
You may enter "yes" to proceed with configuration, "no" to make
more changes, or "^" to go back to the previous step.
Configuration Changed
Is the above information correct (yes, no, or ^): yes
------------------------------------------------------------
Setup will now attempt to apply the configuration.
Changing Firewall for the given server
Setting ncs username.
Restarting network services with new settings.
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
***Configuration successful***
Restarting MSE framework service.
Stopping MSE Platform
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Starting MSE Platform
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Starting Health Monitor, Waiting to check the status.
Health Monitor successfully started
Starting Admin process...
Started Admin process.
Database started successfully. Starting framework and services ...
Database started successfully. Starting framework and services .............
Framework and services successfully started
Exiting setup script...
Update MSE Host access control settings=Yes, Add/Delete host=add Server=10.0.0.0, NCS username is changed.
Success
[root@mse setup]#
[root@mse setup]# /etc/init.d/msed status
STATUS:
Health Monitor is running
Starting MSE Platform, Waiting to check the status.
MSE services are up, getting the status
-------------
Server Config
-------------
Product name: Cisco Mobility Service Engine
Version: 7.4.100.0
Health Monitor Ip Address: 1.1.1.1
High Availability Role: 1
Hw Version: V02
Hw Product Identifier: AIR-MSE-3355-K9
Hw Serial Number:
Use HTTP: false
Legacy HTTPS: false
Legacy Port: 8001
Log Modules: -1
Log Level: INFO
Days to keep events: 2
Session timeout in mins: 30
DB backup in days: 2
[7m--More-- [m
[K
[7m--More-- [m
-------------
Services
-------------
Service Name: Context Aware Service
Service Version: 7.4.0.38
Admin Status: Enabled
Operation Status: Up
Service Name: WIPS
Service Version: 1.0.4041.0
Admin Status: Disabled
Operation Status: Down
Service Name: Mobile Concierge Service
Service Version: 2.0.0.37
Admin Status: Disabled
Operation Status: Down
Service Name: Location Analytics Service
Service Version: 1.0.0.12
Admin Status: Disabled
Operation Status: Down
[7m--More-- [m
[K
[7m--More-- [m
--------------
Server Monitor
--------------
Server start time: //////////////////////////////////////
Server current time: //////////////////////////////////////
Server timezone: //////////////////////////////////////
Server timezone offset: -10800000
Restarts: 0
Used Memory (bytes): 96994096
Allocated Memory (bytes): 514523136
Max Memory (bytes): 514523136
DB virtual memory (kbytes): 0
DB virtual memory limit (bytes): 0
DB disk memory (bytes): 2022057536
DB free size (kbytes): 0
-------------
Context Aware Service
-------------
Total Active Elements(Wireless Clients, Tags, Rogue APs, Rogue Clients, Interfer
[7m--More-- [m
ers, Wired Clients): 0
Active Wireless Clients: 0
Active Tags: 0
Active Rogue APs: 0
Active Rogue Clients: 0
Active Interferers: 0
Active Wired Clients: 0
Active Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired C
lients, Tags) Limit: 100
Active Sessions: 0
Wireless Clients Not Tracked due to the limiting: 0
Tags Not Tracked due to the limiting: 0
Rogue APs Not Tracked due to the limiting: 0
Rogue Clients Not Tracked due to the limiting: 0
Interferers Not Tracked due to the limiting: 0
Wired Clients Not Tracked due to the limiting: 0
Total Elements(Wireless Clients, Rogue APs, Rogue Clients, Interferers, Wired Cl
ients) Not Tracked due to the limiting: 0
-------------------------
Context Aware Sub Services
-------------------------
[7m--More-- [m
Subservice Name: Aeroscout Tag Engine
Admin Status: Disabled
Operation Status: Down
Subservice Name: Cisco Tag Engine
Admin Status: Enabled
Operation Status: Up
Tudo correto. Algumas informações foram modificadas intencionalmente.
Entretanto isso não é tudo. Ter um MSE up and running na rede não servirá de nada. Para que ele seja útil, é preciso integrá-lo aos demais componentes da rede wireless.
A imagem abaixo localizará o MSE na arquitetura:
Como visto acima, o MSE ocupa uma posição entre as WLC´s e o Cisco Prime. Ele se comunica com as WLC´s usando o protocolo NMSP (Network Mobility Service Protocol) e com o Prime através de SNMP (Simple Network Management Protocol).
Até a versão 8, o MSE não possui sequer uma interface gráfica. Ele é estritamente acessado e configurado via CLI.
Não existe, entretanto, um local no MSE onde configuramos a WLC ou vice-versa. Quem orquestra toda a comunicação é o Prime. É esperado que o Prime faça seu trabalho, porém, existe algo que pode ser feito manualmente, como veremos abaixo:
[root@mse ~]# cmdshell
cmd> show server-auth-info
invoke command: com.aes.server.cli.CmdGetServerAuthInfo
AesLog queue high mark: 50000
AesLog queue low mark: 500
----------------
Server Auth Info
----------------
MAC Address: 00:50:56:89:2b:4a
SHA1 Key Hash: b45bfbec4db0403c55a9d094963ed259b108a243
SHA2 Key Hash: a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da39
Certificate Type: SSC
Essas informações devem ser obtidas no MSE. Na WLC precisamos fazer o seguinte:
(5508-1) >config auth-list add sha256-lbs-ssc 00:50:56:89:2b:4a a471b440b7dd6d972de9d4fe0733434ea6e0344ec2531d879a86df425ff1da3
Existe uma comunicação segura em SSL entre ambos.
A adição do MSE no Prime é simples e requer os seguintes parâmetros:
-Hostname
-IP
-Usuário
-Senha
Como sempre a informação de Contato é opcional. Não vou mostrar aqui porque não tenho acesso a um Prime nesse momento. Mas é muito simples e intuitivo.
Assim chegamos ao fim do artigo. Eu o considero muito útil porque ao ter deparado com o problema, não encontrei nenhuma informação em português para ajudar. Fica,então, essa fonte como referência.