Server Side openNAC Core Configuration

1. openNAC Core as DHCP Server

By default openNAC has a DHCP server installed (this is optional; the customer can use its own network services). To enable the DHCP service, run one of the following commands:

Depending on the version installed:

#service dhcpd start
#systemctl start dhcpd

Three DHCP scopes have been created to provide IP configuration to the Quarantine, Registry and user VLANs (Service VLANs); the last scope is only used when service VLANs are configured by openNAC Core.

If the VLAN IDs are changed, either during the initial configuration wizard or manually, these VLANs must also be changed in every DHCP scope file.

Registry services (Guest User / Partner User and BYOD use cases) and Quarantine services (end-user devices that do not comply with the security policy) depend on DNS services: every client configured by the DHCP server must receive the proper DNS server, and that DNS server must be configured to answer all DNS queries with the captive portal IP (DNS poisoning).

If the DHCP server provided by openNAC is used, it is not required to configure IP helpers or DHCP relay agents to forward this traffic to openNAC.

[Image: ondhcp.png]

It is possible that all the DHCP scopes required by clients lie outside the networks of the openNAC Core's own IP addresses. The dhcpd daemon will never start while this is the case.

For instance, if the three scopes (REGISTRY, SERVICE, QUARANTINE) are outside the openNAC Core's network, the Core's own IP must be declared as a simple range. In the example below the openNAC Core IP is 172.16.3.15; the following declaration can be added to /etc/dhcp/dhcpd.conf to avoid this configuration problem.

subnet 172.16.3.15 netmask 255.255.255.255 {
}
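The check behind the declaration above, as an added example that is not part of the openNAC documentation or package: it parses the subnet declarations of a dhcpd.conf, reports whether any of them covers the Core's own address (the condition dhcpd needs to start), and produces the /32 stanza to append when none does. The configuration fragment and the scope networks are constructed for the example; only the Core IP 172.16.3.15 comes from the text.

```python
import ipaddress
import re

# Constructed sample dhcpd.conf fragment (not the one shipped with openNAC):
# three scopes on VLANs the Core does not sit on, so none covers 172.16.3.15.
SAMPLE_DHCPD_CONF = """\
# REGISTRY VLAN
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.100 10.10.10.200;
  option domain-name-servers 172.16.3.15;
}
# QUARANTINE VLAN
subnet 10.10.20.0 netmask 255.255.255.0 {
  range 10.10.20.100 10.10.20.200;
  option domain-name-servers 172.16.3.15;
}
# SERVICE VLAN
subnet 10.10.30.0 netmask 255.255.255.0 {
  range 10.10.30.100 10.10.30.200;
}
"""

# Matches the opening line of a dhcpd "subnet <net> netmask <mask> {" declaration.
SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", re.MULTILINE)


def declared_subnets(conf_text):
    """Return every subnet declared in the dhcpd.conf text as an ip_network."""
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in SUBNET_RE.findall(conf_text)]


def covering_subnet(conf_text, server_ip):
    """Return the declared subnet containing server_ip, or None (dhcpd would not start)."""
    addr = ipaddress.ip_address(server_ip)
    for net in declared_subnets(conf_text):
        if addr in net:
            return net
    return None


def host_subnet_stanza(server_ip):
    """The empty /32 subnet declaration suggested by the text for the Core's own address."""
    return f"subnet {server_ip} netmask 255.255.255.255 {{\n}}\n"


if __name__ == "__main__":
    core_ip = "172.16.3.15"
    print("declared scopes:", [str(n) for n in declared_subnets(SAMPLE_DHCPD_CONF)])
    if covering_subnet(SAMPLE_DHCPD_CONF, core_ip) is None:
        print(f"no scope covers {core_ip}; append to dhcpd.conf:\n{host_subnet_stanza(core_ip)}")
    fixed = SAMPLE_DHCPD_CONF + host_subnet_stanza(core_ip)
    print("covered after fix:", covering_subnet(fixed, core_ip))
```

Run it against the real file with `covering_subnet(open("/etc/dhcp/dhcpd.conf").read(), core_ip)` before restarting dhcpd.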

2. openNAC Core as DNS Server

By default openNAC has a DNS server installed (this is optional; the customer can use its own network services). To enable the DNS service, run one of the following commands:

Depending on the version installed:

#service named start
#systemctl start named

Registry services (Guest User / Partner User and BYOD use cases) and Quarantine services (end-user devices that do not comply with the security policy) depend on DNS services: every client configured by the DHCP server must receive the proper DNS server, and that DNS server must be configured to answer all DNS queries with the captive portal IP (DNS poisoning). In that way any communication can be captured and forwarded to the proper captive portal.

After the initial configuration wizard nothing needs to be configured in the User Portal parameters. If its configuration (the FQDN associated with it or its IP) has to be changed during deployment, first change it graphically in Step 1 and Step 2.

On the openNAC DNS server the NS records and A records must then be changed through the SSH console.

In /etc/named.opennac a few DNS zones and their configuration are defined (this DNS server can be used for many use cases, for instance hotspot, quarantine and registry). Use them as a reference and edit db.registry-master.conf as shown in step 4 and step 5.

[Image: ondns.png]

3. openNAC Notifications

openNAC Technologies supports multiple types of notifications:

Note

Remember that an SMTP server must be configured on the openNAC server for the notification services to use it.

3.1 OTP Notifications

  • When openNAC Technologies works as an OTP server, notifications must be configured, which means defining the email account from which they are sent. Remember that openNAC sends users the QR code to be scanned as part of the token seed distribution process.

    • The "mail from" address can be changed as soon as you need to notify any user during the process. Go to Configuration -> Configuration Vars -> OTP
[Image: otpnotifications.png]

3.2 Policy Notifications

  • When the openNAC Technologies Policy Engine matches or denies an access request, or interacts in some other way with network access requests, it can send email notifications.

    • This can be used, for instance, when a policy violation happens, when a threat event appears, or when any policy component is triggered.
    • Go to ON NAC -> Policies -> Add
[Image: policynotifications.png]
  • As shown above, in this case the end user is sent to the Quarantine network and an email is sent for further security investigation.