CLEANACCESS Archives

October 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 13 Oct 2005 18:32:15 -0700

Thanks for all the feedback... Summarizing below:

1) Exposing this info via SNMP would require us to put SNMP on the CASs
where it doesn't exist today.  Shouldn't be a problem in itself but
would require some effort on our end to make sure that we only expose
the appropriate information. 

2) 2 kinds of reporting data in the system that you care about (this is
a coarse division):  a) networking metrics in the CAS (i.e. interface
info, click info, pptp/l2tp/ipsec info, nating info) and b) system
metrics in the CAM (user info, certified device info, role info, etc.)  

3) Less interested in pretty graphs, more interested in the data (format
is less important - CSV or XML should be fine). 

4) SNMP is preferred.  API is welcome but not necessary. 

Does that cover everything?

-Rajesh.

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Jason Richardson
Sent: Thursday, October 13, 2005 7:43 AM
To: [log in to unmask]
Subject: Re: CCA Metrics and Reporting (was Re: WGA validation incomplete)

Agreed.  As Ryan said, these aren't just app servers, they are core
routers for our Res Hall network and they can't continue to be black
boxes to us any more than we could afford to allow that for our other
network equipment.  The data is there with industry standard, and
securable, methods available for accessing it and we need to be able to
do so without going off the reservation where we can no longer rely on
support from Cisco.

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development Enterprise Systems Support
Northern Illinois University

>>> [log in to unmask] 10/13/2005 8:59:07 AM >>>
Rajesh-

I agree with Michael.  While I realize that read/write access to CCA
with snmp is a security risk (although couldn't you use SNMP v3
authPriv?) getting read only access to attributes within CCA I think
should be a priority.  I would really like to plug this into one of my
graphing systems in order to provide data for monthly statistics and
reports.  In addition to the user based data that Michael requested,
providing traffic data for what is going on inside the click daemon
would be helpful.  Since this is essentially a "core router" for our
ResNet I need to be able to view better traffic statistics through it
beyond just hacking the SNMP daemon on it to provide in/out stats on the
physical interfaces.

--
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883


On 10/13/05 12:39 AM, "Michael Grinnell" <[log in to unmask]> wrote:

> Rajesh,
> 
> I'm having trouble understanding your reasoning here.  Most MIBs have
> large sections of read-only data.  A good example that corresponds to
> the online users table is IP-MIB::ipNetToMediaPhysAddress.  Making
> this type of OID read-write is meaningless.  In any case, merely
> having metrics on the numbers of devices in a specific role available
> via SNMP would be a big, very useful, step.  Here is a list of
> metrics that I am currently pulling out of the database:
> Certified Users by Role
> Online Users by Role
> Online Users by Server
> Online Users by Operating System
> Online Users by VLAN
> 
> Metrics that I think would also be good to collect are:
> Online Users by Access Point
> Online Users by Switch (OOB)
> 
> These metrics are comparable to standard interface counters used by
> countless administrators with tools like MRTG and Cricket.  I would
> strongly argue that SNMP is the proper way to expose this data
> because of this.  Exposing this data via the API would be nice, but
> it shouldn't be the only way that you make it available, because
> querying the API requires some programming/scripting to get the data
> out.
> 
> Regarding your worries about pushing large amounts of data through
> SNMP, if you can do it for ARP tables on routers (OID above), then I
> don't see why you can't do it for CCA.
> 
> Thank you for taking the time to ask us about these issues.
> Regards,
> 
> Michael Grinnell
> Network Security Administrator
> The American University
> e-mail: [log in to unmask] 
> 
> On Oct 12, 2005, at 8:49 PM, Rajesh Nair (rajnair) wrote:
> 
>> John,
>> 
>> There has been a reluctance in general to open up any information via
>> SNMP because the read/write permission feature request usually follows
>> the read request, if you know what I mean.  And it would worry us to
>> open up any kind of write through SNMP.
>> 
>> One other thing I am also worried about is that SNMP is good for smaller
>> pieces of data but if we try pushing large pieces of data through it
>> (e.g. user lists such as online user list, certified devices list,
>> etc.), it may not be very reliable.
>> 
>> Thoughts?
>> 
>> I have an alternate suggestion - let me know what your thoughts are.  If
>> we can extend the API (https://<cam-adress-or-name>/admin/cisco_api.jsp)
>> with these additional data gathering functions, would that satisfy your
>> needs?  Output this data as XML or CSV?
>> 
>> -Rajesh.
>> 
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of John Stauffacher
>> Sent: Wednesday, October 12, 2005 5:15 PM
>> To: [log in to unmask] 
>> Subject: Re: WGA validation incomplete
>> 
>> Rajesh,
>> 
>> Why not -- as a stop gap, open up more of the data via snmpd.  Create
>> some custom scripts to pull data out of the pgsql databases and feed
>> back through snmpd so we can query with our own NMS systems and get
>> stuff like "Users in Quarantine Role", "Users in Temporary Role".  These
>> are the most common things I look at on a daily basis and I just wish I
>> could integrate into my NMS which I am already staring at far too long
>> during the day. Obviously if your Temporary or Qtine roles are climbing
>> exponentially over time, you can predict there might be an issue at
>> hand, that's usually when I start calling users in their rooms and ask
>> them if they are having issues (it spooks a few of them, but most like
>> the 'proactive' approach).
>> 
>> Rajesh Nair (rajnair) wrote:
>> 
>> 
>>> Mike,
>>> 
>>> Yes, it would be good to have but at this point, it will not make it
>>> into the 3.6 release.  We have already begun the testing cycle and only
>>> minor enhancements can be made at this stage...
>>> 
>>> But yes, we are strongly considering reporting for the following
>>> release.  One approach we are thinking of taking is that of a set of
>>> canned reports.  While probably not as useful as a full-fledged
>>> reporting package, if we can hit the 80-20 rule, i.e. provide canned
>>> reports that satisfy 80% of the requirements, we would consider it a
>>> success.  It would be interesting to hear from people as to types of
>>> reports you would like to see.
>>> 
>>> Regards,
>>> -Rajesh.
>>> 
>>> P.S. Please don't expect immediate turnaround though.  Please remember
>>> that this will not make it into 3.6 and I am requesting input for the
>>> following release.  Thanks.
>>> 
>>> -----Original Message-----
>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>> [mailto:[log in to unmask]] On Behalf Of King, Michael
>>> Sent: Wednesday, October 12, 2005 4:38 PM
>>> To: [log in to unmask] 
>>> Subject: Re: WGA validation incomplete
>>> 
>>> Hey Bob,
>>> 
>>> How'd you make the nifty graphic?  (High level overview, but I'm sure
>>> we'll want the nitty gritty later.)
>>>
>>> Hey Rajesh, this would be a great feature to put into 3.6, Reports!
>>> 
>>> ________________________________
>>> 
>>> From: Perfigo SecureSmart and CleanMachines Discussion List on behalf
>>> of Bob Black
>>> Sent: Wed 10/12/2005 7:11 PM
>>> To: [log in to unmask] 
>>> Subject: Re: WGA validation incomplete
>>> 
>>> 
>>> 
>>> Hi Marilee,
>>> 
>>> It looks like you picked a tough week to roll this out.
>>> 
>>> We're having the same problem with the newest round of windows updates.
>>> It appears to be a problem on their end. It's possible it's
>>> malware/borked-IE related. I'm sure that information will calm the
>>> frustrated student masses.
>>>
>>> I've attached a graphic of our "Quarantine role" since yesterday afternoon.
>>> X-axis is time in hours. Y-Axis is the number of unique machines
>>> failing one or more CCA rules.
>>>
>>> If this is your first roll-out, you might want to consider setting the
>>> windows update rule you have to not enforce while MS fixes the issues
>>> on their end.
>>> 
>>> Hope this helps,
>>> 
>>> Bob
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: Perfigo SecureSmart and CleanMachines Discussion List
>>>> [mailto:[log in to unmask]] On Behalf Of Marilee Collins
>>>> Sent: Wednesday, October 12, 2005 3:47 PM
>>>> To: [log in to unmask] 
>>>> Subject: WGA validation incomplete
>>>> 
>>>> We're attempting to roll out the Clean Access agent, but many of the
>>>> students are unable to validate Windows.
>>>>
>>>> They get "Validation Incomplete: Unable to Perform Validation."  We
>>>> have checked that the system time/zone is correct. They say they're
>>>> installing ActiveX, but the installation period reported to me is so
>>>> quick I wonder if it's really installed.
>>>> 
>>>> I've got all the Microsoft hosts allowed from the lists that were
>>>> posted earlier this year.
>>>> 
>>>> We're running CAS 3.5.3.1 with the 3.5.3 agent.
>>>> 
>>>> Has anyone else seen this?  Anyone have some suggestions?
>>>> 
>>>> Thanks!
>>>> 
>>>> Marilee Collins
>>>> Information Technology Services
>>>> Northern Arizona University
>>>> 
>>>> 
>>>> 
>> 
>> 
>> --
>> John Stauffacher, CISSP
>> Network Administrator
>> Chapman University
>> [log in to unmask] 
>> ph: 714.628.7249
>> "It's amazing how much you take for granted when you already know what
>> you are doing."
>> "there is no /usr/local on my C:\ drive!"
>> 
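
The approach discussed in this thread, a script that feeds per-role user counts to snmpd while refusing every write, is shown here as an added example. It is not code from any list participant or from Cisco: it follows the net-snmp `pass` script convention, uses an OID under net-snmp's netSnmpPlaypen subtree, and the role counts are constructed sample data standing in for a database query.

```python
# Added example: read-only handler for net-snmp's "pass" directive.
# Assumption: ROLE_COUNTS stands in for the result of a database query; the
# role names and numbers are constructed sample data, not CCA output.
import sys

BASE = ".1.3.6.1.4.1.8072.9999.9999.1"   # under NET-SNMP-MIB::netSnmpPlaypen
ROLE_COUNTS = {"Quarantine": 42, "Temporary": 17, "Certified": 1310}

def build_table(counts):
    """Map OIDs to (type, value): column 1 = role name, column 2 = user count."""
    table = {}
    for index, role in enumerate(sorted(counts), start=1):
        table[f"{BASE}.1.{index}"] = ("string", role)
        table[f"{BASE}.2.{index}"] = ("gauge", str(counts[role]))
    return table

def oid_key(oid):
    """Numeric sort key so that .10 orders after .9 (lexicographic OID order)."""
    return tuple(int(part) for part in oid.strip(".").split("."))

def handle(argv, counts=ROLE_COUNTS):
    """Return the lines snmpd expects on stdout for one pass invocation."""
    table = build_table(counts)
    if len(argv) < 2:
        return []
    op, oid = argv[0], argv[1]
    try:
        wanted = oid_key(oid)
    except ValueError:
        return []                      # malformed OID: answer nothing
    if op == "-s":
        return ["not-writable"]        # every SET is refused
    if op == "-g":
        hit = oid if oid in table else None
    elif op == "-n":
        later = [o for o in table if oid_key(o) > wanted]
        hit = min(later, key=oid_key) if later else None
    else:
        return []
    return [hit, *table[hit]] if hit else []   # empty output = no such object

if __name__ == "__main__":
    out = handle(sys.argv[1:])
    if out:
        print("\n".join(out))
```

In snmpd.conf this would be wired in with a `pass` line for the subtree, and a `rouser` entry at the `priv` level restricts queries to authenticated, encrypted SNMPv3.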
