User + Password

  1. It is recommended to first read the overview of the openNAC solution.
  2. Deploying openNAC technologies requires understanding and following the network requirements.
  3. Once openNAC is deployed, select the use case that best fits your requirements.
  4. Having selected the use case, configure a scenario that covers as many of the customer's needs as possible.

This page shows the steps required to configure the UNAC RADIUS scenario based on user and password.

1. DEFINITION

This scenario authenticates the assets connected to your corporate network using the internal user credentials from your user database, such as LDAP, AD or even the openNAC database. You have two options to deploy the lab: an external user database repository or the local repository.

2. MECHANISMS (How does it work?)

Using an AAA (Authentication, Authorization and Accounting) approach, openNAC performs Network Access Control.

  1. When the host is connected to a switch interface, the switch asks whether the host has a supplicant. If it does, the host sends the supplicant's authentication data.
  2. The switch sends the authentication packet to openNAC Core. openNAC then executes the authentication and authorization process, answering the network device whether the host is allowed access and, in addition, the corresponding access VLAN defined in the policy; this is discussed later in the openNAC Segmentation use case.
  3. The switch places the port in the VLAN received from openNAC.
  4. The host asks for DHCP and continues with the normal process of accessing the network.

3. DASHBOARD (How do we display the information?)

For each authenticated device that connects to the network, openNAC displays the following information.

../../../_images/dashboard802show.png

4. DEPLOYMENT (Do it yourself)

The following is a light guide to deploying UNAC 802.1x mode in a basic lab.

Basic LAB deployment

4.1 REQUIREMENTS

  1. openNAC Core.
  2. Network device with 802.1x support (switch, AP, ...); in the following scenario a Cisco switch with IOS 12.2.55 or higher is used.
  3. openNAC Analytics (for graphic output).
  4. Client PC; in the following scenario Windows 10 is used.
  5. User database such as LDAP, an AD server or the local user database in openNAC Core. This is needed when using supplicant users; with MAB, no user database is needed. For more information read about the openNAC MAB UNAC use case.

4.2 SCENARIO ARCHITECTURE

../../../_images/8021x_Arch.png ../../../_images/8021x_Flow.png

  1. The client is connected to the switch and starts the network access process.
  2. The switch sends an authentication request to the host.
  3. The host sends the response with the user credentials; in this case we are using an AD server as the user credentials repository.
  4. The switch sends the RADIUS Access-Request to ON Core.
  5. ON Core re-sends the access request to the AD server.
  6. The AD server responds with a RADIUS Access-Challenge to ON Core.
  7. ON Core re-sends the challenge to the switch.
  8. The switch sends an EAP-Request to the host.
  9. The host sends an EAP-Response to the switch.
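The exchange described in section 2 and in the nine steps above, modelled end to end as an added example (this is not openNAC code). The three roles are plain functions: the host proves the password, the switch relays RADIUS packets and checks every reply's Response Authenticator before trusting it, and the Core role answers with Challenge, Accept or Reject, carrying the policy VLAN in RFC 2868 tunnel attributes the way a switch expects it. The packet layout follows RFC 2865; the EAP leg is collapsed into a single challenge/response round, and the shared secret, the user database and the VLAN number are constructed values.

```python
"""Model of the 802.1x / RADIUS exchange from sections 2 and 4.2 (added example,
not openNAC code). Layout follows RFC 2865 (RADIUS) and RFC 2868 (tunnel attributes
carrying the policy VLAN); the EAP leg is collapsed into one challenge/response."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, STATE, EAP_MESSAGE = 1, 24, 79
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
CORE_SECRET = b"constructed-shared-secret"  # assumption: secret configured on ON Core
USERS = {"alice": b"s3cret"}                 # constructed local user database (section 4.3)
POLICY_VLAN = "10"                           # assumption: VLAN the policy rule assigns

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def verify_response(pkt, request_auth, secret):
    """Switch-side check that a reply came from a peer holding the shared secret."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    expected = response_authenticator(code, ident, request_auth, pkt[20:], secret)
    return hmac.compare_digest(pkt[4:20], expected)

def vlan_attrs(vlan_id, tag=0):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>."""
    return [(TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
            (TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]),
            (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_id.encode())]

def vlan_from_accept(pkt):
    """VLAN carried by an Access-Accept, or None if the tunnel attributes are inconsistent."""
    attrs = dict(decode_attrs(pkt[20:]))
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]):
        return None
    return attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"\x00")[1:].decode() or None

def host_answer(password, challenge):
    """Supplicant role (step 9): prove knowledge of the password without sending it."""
    return hashlib.md5(password + challenge).digest()

def core_handle(pkt, pending):
    """ON Core role (steps 5-7): answer an Access-Request with Challenge, Accept or Reject."""
    _, ident, _ = struct.unpack("!BBH", pkt[:4])
    request_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    if STATE not in attrs:  # first round: challenge every identity, known or not
        challenge = os.urandom(16)
        pending[challenge] = user
        return build_response(ACCESS_CHALLENGE, ident, request_auth, [(STATE, challenge)], CORE_SECRET)
    challenge = attrs[STATE]
    expected = host_answer(USERS.get(user, b""), challenge)
    proof_ok = user in USERS and hmac.compare_digest(attrs.get(EAP_MESSAGE, b""), expected)
    if pending.pop(challenge, None) == user and proof_ok:
        return build_response(ACCESS_ACCEPT, ident, request_auth, vlan_attrs(POLICY_VLAN), CORE_SECRET)
    return build_response(ACCESS_REJECT, ident, request_auth, [], CORE_SECRET)

def switch_authenticate(user, password, switch_secret=CORE_SECRET):
    """Switch (authenticator) role: relay between host and Core. Returns (result, vlan)."""
    pending, ident, attrs = {}, 1, [(USER_NAME, user.encode())]
    while True:
        request_auth, body = os.urandom(16), encode_attrs(attrs)
        request = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
        reply = core_handle(request, pending)
        if not verify_response(reply, request_auth, switch_secret):
            return ("invalid-authenticator", None)  # secret mismatch or forged reply
        if reply[0] == ACCESS_CHALLENGE:  # steps 6-9: relay challenge, collect host answer
            challenge = dict(decode_attrs(reply[20:]))[STATE]
            attrs = [(USER_NAME, user.encode()), (STATE, challenge),
                     (EAP_MESSAGE, host_answer(password, challenge))]
            ident += 1
            continue
        if reply[0] == ACCESS_ACCEPT:  # section 2 step 3: switch puts the port in the VLAN
            return ("accept", vlan_from_accept(reply))
        return ("reject", None)
```

`switch_authenticate("alice", b"s3cret")` returns `("accept", "10")`, a wrong password or unknown user returns `("reject", None)`, and calling it with a `switch_secret` that differs from `CORE_SECRET` returns `("invalid-authenticator", None)` even though the credentials are right. That last case is the generic RADIUS failure mode behind many "authentication never completes" reports: the switch silently discards replies whose Response Authenticator does not verify, so the shared secret on the network device and on ON Core is the first thing to compare when following the Radius Troubleshooting link in section 4.5.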

4.3 SETTINGS

On Switch

The following link contains the switch configuration required for the UNAC use case.

Basic 802.1x Cisco Switch Configuration

On Core

The first step is to decide whether you are going to use a local or an external database; for testing purposes we recommend using the local database.

Using Local Database

Create the user in the openNAC local database using the web console. Go to ON CMDB –> Security –> Users and select the Add New option.

../../../_images/Users_Localdb.png

The credentials of this user will be used later on the endpoint client for testing.

Using External User Database

For this step, review Join Domain.

Policy Configuration

Before configuring the policy rule, enable the Discover plugin. For visibility purposes, openNAC uses a plugin called Discover, which runs a "scan" over each endpoint it can reach through its IP address. So the first step is to enable the plugin.

Go to Configuration –> Configuration vars, select the plugin tab and enable the Discover plugin.

../../../_images/Policy_8021_plugin.png

Policy for Local Database

Go to ON NAC –> Policies and click the Add New option. Name the policy in the General tab and set the user database in Preconditions: User tab.

../../../_images/Policy_8021_LDB.png

In this case the assigned VLAN will be the same as the current one, so set Switch default VLAN.

../../../_images/Policy_8021_LDB1.png

Optionally, enable the Discover plugin in the policy rule. This gives asset visibility and returns more asset information as output.

../../../_images/Policy_8021_LDB3.png

If this is the last policy, or the only one, you can check the Auto Learn of User Device option to add the devices to the openNAC Core database.

../../../_images/Policy_8021_LDB2.png

On EndPoint

You can verify the 802.1x endpoint configuration for different devices in 802.1X Clients Configuration.

4.4 TESTING

Turn on the client VM and connect the host to the 802.1x-configured interface on the switch. Authentication will be required.

../../../_images/Segmentation_test8.png

After the authentication process:

Go to ON NAC –> Business Profiles –> Default View. In this section you can see the access from endpoints in real time.

../../../_images/802_1testing.png

It is important to capture the IP address; using it, openNAC will run the plugin over each known asset that matches the previously configured policy.

Access control can be performed by validating the user identity, in the first place with user credentials from a local or remote repository, using the 802.1x protocol.

../../../_images/bp_uc_1.PNG

MAC, IP address and user group can be verified for each hit on the defined policy access rule.

The authentication hits by method should also be reflected on the first console screen.

../../../_images/auth_method_unac.png

4.5 TROUBLESHOOTING

  1. Please perform a basic review: Basic Check.
  2. To debug the authentication process, see Radius Troubleshooting.
  3. For issues with this procedure, review Join Domain Troubleshooting.