OpenNAC Proxy-Radius and Multiple Active Directory Domains
When you have several independent Active Directory domains with no trust relationship between them, you need to use a proxy-radius as a frontend that dispatches requests to backends connected to each Active Directory, because a radius server can only be associated with one Active Directory domain.
1. Configure Proxy-radius server
This node will be the dispatcher for all radius requests, except requests with no associated domain (usually IP phones and MAC Address Bypass). Policy evaluation will still be done on it, using the backend responses, so all policies have to be defined on this openNAC server.
2. FreeRadius proxy configuration
First of all, we have to know all the domain names to be configured and which backend server manages each of them. Typically, each Active Directory has two domain representations: the Windows domain name, also known as the short domain name, and the realm or fully qualified domain name (FQDN); both have to be configured to be proxied by radius.
These domains will be associated with a pool of radius servers, to provide fail-over and load-balancing, and each pool will contain one or more radius servers.
The /etc/raddb/proxy.conf file contains this configuration, as shown in the following example, using the domain names mycompany and mycompany.com:
home_server server1 {
    type = auth+acct                 # proxy both authentication and accounting
    ipaddr = 192.168.1.2             # backend openNAC/FreeRadius server
    port = 1812
    secret = testing123              # shared secret, must match the backend clients.conf entry
    # optional
    require_message_authenticator = yes
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    max_outstanding = 65536
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}

home_server_pool pool.mycompany {
    type = fail-over                 # next server in the pool is used only when the previous one fails
    home_server = server1
}

# Both domain representations point at the same pool; nostrip keeps the
# realm in User-Name so the backend receives the full identity.
realm mycompany.com {
    nostrip
    pool = pool.mycompany
}

realm mycompany {
    nostrip
    pool = pool.mycompany
}
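The following added example (not part of the openNAC documentation) generalizes the one-domain configuration above to several independent Active Directory domains: it emits the home_server, pool and realm stanzas for each domain and shows which pool a given User-Name would be dispatched to, while realm-less names such as MAC addresses stay on the frontend. The DOMAINS mapping, the othercorp domain and its backend IPs are constructed sample values; realm splitting mirrors the FreeRADIUS suffix (user@realm) and ntdomain (REALM\user) modules.

```python
# Added example, not part of the openNAC docs: proxy.conf stanzas for several
# independent AD domains, plus the dispatch decision a User-Name would get.
# Realm splitting mirrors the FreeRADIUS suffix and ntdomain modules.

# Constructed sample: short domain name -> (FQDN, backend radius server IPs).
DOMAINS = {
    "mycompany": ("mycompany.com", ["192.168.1.2"]),
    "othercorp": ("othercorp.local", ["192.168.2.2", "192.168.2.3"]),
}

def render_proxy_conf(domains, secret="testing123"):
    """Return proxy.conf text: one home_server per backend, one fail-over pool
    per domain, and both realm spellings (FQDN and short name) on that pool."""
    out = []
    for short, (fqdn, servers) in domains.items():
        names = []
        for i, ip in enumerate(servers, 1):
            name = f"{short}_{i}"
            names.append(name)
            out.append(f"home_server {name} {{\n\ttype = auth+acct\n\tipaddr = {ip}"
                       f"\n\tport = 1812\n\tsecret = {secret}\n}}")
        members = "\n".join(f"\thome_server = {n}" for n in names)
        out.append(f"home_server_pool pool.{short} {{\n\ttype = fail-over\n{members}\n}}")
        for realm in (fqdn, short):  # both representations must be proxied
            out.append(f"realm {realm} {{\n\tnostrip\n\tpool = pool.{short}\n}}")
    return "\n".join(out) + "\n"

def split_realm(user_name):
    """Return (user, realm); realm is None when the name carries no domain,
    e.g. a MAC address from MAB or an IP phone, which stays on the frontend."""
    if "\\" in user_name:                      # ntdomain style: DOMAIN\user
        realm, user = user_name.split("\\", 1)
        return user, realm
    if "@" in user_name:                       # suffix style: user@realm
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    return user_name, None

def dispatch(user_name, domains):
    """Return the pool a request is proxied to, or None if handled locally."""
    _, realm = split_realm(user_name)
    if realm is None:
        return None
    realm = realm.lower()  # FreeRADIUS realm lookup is case-insensitive
    for short, (fqdn, _) in domains.items():
        if realm in (short, fqdn):
            return f"pool.{short}"
    return None  # no matching realm stanza: not proxied
```

Unknown realms also return None here, as FreeRADIUS has no realm stanza to proxy them with, so such requests end up evaluated locally on the frontend.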
3. Configure collectd server
Collectd is the service that manages the information displayed in the "Trending" option of the "Status" section. If we configure this server to receive the backend servers' information, the openNAC user interface will show information for all nodes.
We can create the network.conf file in the /etc/collectd.d/ directory, with the following content, where 192.168.1.1 is the server IP and 25826 the UDP port:
LoadPlugin network
<Plugin network>
    Listen "192.168.1.1" "25826"
    MaxPacketSize 1024
</Plugin>
After creating the file, we have to restart the service:
/etc/init.d/collectd restart
Now we have to configure the firewall to open the UDP port, in order to allow client connections. We could edit the /etc/sysconfig/iptables file, uncommenting the following line or adding it:
-A INPUT -p udp -m state --state NEW -m udp --dport 25826 -j ACCEPT
We can restrict this rule so that only the client (backend) IPs are accepted as source.
And finally, restart the iptables service:
/etc/init.d/iptables restart
You can get more information about how to use Active Directory from openNAC in the following wiki doc: Use Active Directory from openNAC
4. Configure Backend servers
Backend servers only handle the authentication against the Active Directory servers from FreeRadius, so some openNAC-specific configuration can be disabled to increase performance, and the following considerations apply.
5. Configure FreeRadius with Active Directory
You can integrate openNAC with Active Directory manually, but we recommend using the Active Directory integration wizard.
6. FreeRadius server certificate
Take care with the FreeRadius server certificate: it will be used to establish the TLS tunnel inside the PEAP connection with Windows clients. Since that tunnel terminates on this backend, clients that check the server certificate will see this server's certificate, not the frontend's, when deciding whether to accept the connection, so it must be issued by a CA that the clients trust.
7. FreeRadius general configuration
Proxy-radius needs a shared secret to send requests to this server, so in the /etc/raddb/clients.conf file we have to include the connection values:
client 192.168.1.1 {
    secret = testing123
    shortname = proxy-radius
}
Policy evaluation must not be done on this server, because it is evaluated by the frontend node, which will push the response packets. For this reason, the python module won't be executed on the backend: comment out its line in the /etc/raddb/sites-available/default file, as shown here.
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
    ...
    #
    # Opennac policy
    # python
    ...
}
8. Disable unnecessary services
If we are using an openNAC server as a backend node, we can disable some unnecessary services.
The list of these services is:
- Named
- DHCPD
- SLAPD
- Gearmand
- SNMPTrapd
- HTTPD
- MySQLD
- MemCached
- openNAC workers
- DHCPReader
To disable them, we can use these commands:
chkconfig named off; /etc/init.d/named stop
chkconfig dhcpd off; /etc/init.d/dhcpd stop
chkconfig slapd off; /etc/init.d/slapd stop
chkconfig gearmand off; /etc/init.d/gearmand stop
chkconfig snmptrapd off; /etc/init.d/snmptrapd stop
chkconfig httpd off; /etc/init.d/httpd stop
chkconfig mysqld off; /etc/init.d/mysqld stop
chkconfig memcached off; /etc/init.d/memcached stop
chkconfig openNAC off; /etc/init.d/opennac stop
We can disable the openNAC crons by removing the following files:
/etc/cron.d/opennac-health
/etc/cron.d/opennac-scheduler
9. Configure collectd server
From the backend server, we can send information to the frontend through collectd.
We can create the network.conf file in the /etc/collectd.d/ directory, with the following content, where 192.168.1.1 is the frontend server IP and 25826 the UDP port:
LoadPlugin network
<Plugin network>
    Server "192.168.1.1" "25826"
</Plugin>
Remove the following files from the /etc/collectd.d/ directory:
- curl_json.conf
- mysql.conf
- rrdtool.conf
After these changes, we have to restart the service:
/etc/init.d/collectd restart
If you want, you can remove the /var/lib/collectd subdirectories, because they contain the RRD files generated by collectd up to now, and this information won't be accessible from the frontend server.