1.3.1. ON Core

OpenNAC Core provides the administration console, where the policy engine and the compliance rules engine reside. It is responsible for applying the access policy and the discovery, profiling, and identity validation rules. It also executes plugins that enrich the data of each asset connected to the network, defining its profile either actively or passively.

It is where authentication, authorization, and user accounting are managed. ON Core processes and validates the user's posture/profile, integrating with the corporate identity manager. It is also responsible for managing and validating the second authentication factor.

This component contains and applies the compliance tests defined for network devices. It can access the devices, or a centralized repository, to retrieve their configuration backups and store them centrally. It also makes it possible to push configurations to the devices from a single central point.

ON Core is a mandatory component of the solution and includes critical components such as:

  • Policy Engine: the solution's brain; all modules are implemented on top of this component.

  • The CMDB: the memory of the solution, where all the configuration, the assets, and their attributes are saved.

  • The administration portal: the control panel for the solution.

Note

ON Core is a critical component of the solution. Whether one or more nodes are deployed to provide high availability depends on the requirements of the deployment and the final architecture design. If this component goes offline, the ability to discover and profile the assets in the network is lost.

1.3.1.1. Architecture Overview

The ON Core software architecture is built from several technologies and modules:

  • Apache: web server used by the Administration Portal, the OpenNAC Agent, the Captive Portal, and the API access.

  • FreeRadius: provides the AAAA services (Authentication, Authorization, Accounting, Auditing).

  • MySQL: stores configuration and collected data.

  • Redis: provides very fast access to events and to internal processes such as workers, DHCP Reader, and SNMP Trap.

  • Gearman Queues: job queues consumed by the workers.

  • Workers: carry out asynchronous processes such as plugins.

  • Collectd: used to build the OpenNAC trending status dashboards.

1.3.1.2. Sizing an ON Core Instance

The size of the Network Access Control infrastructure can be inferred directly from the expected workload the NAC must sustain: number of users, number of IPs, types of authentication, and the use cases deployed. The workload may be difficult to estimate, but doing so is a crucial exercise in building an efficient NAC architecture.

The hardware specs for the ON Core are:

  Resources    Minimum
  -----------  ----------
  Memory       16 GB
  CPU          8 CPUs
  Disk Size    160 GB
  Disk Type    SSD
  Network      2 NIC**

Note

  • ** The two network interfaces are mainly for service and management (internal communication between the different nodes).
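As an added example, not part of the OpenNAC documentation or product, the following Python preflight check compares a Linux host against the minimum sizing table above before ON Core is installed. The list of virtual interface name prefixes and the root block device name (sda) are assumptions.

```python
import os
import re
import shutil

# Minimum ON Core resources, taken from the sizing table above.
ON_CORE_MINIMUM = {"memory_gb": 16, "cpus": 8, "disk_gb": 160, "nics": 2}
# Interface name prefixes treated as virtual, i.e. not usable as service/management NICs (assumption).
VIRTUAL_NIC_PREFIXES = ("lo", "docker", "veth", "br-", "virbr", "tun", "tap")


def parse_meminfo_gb(meminfo_text):
    """Return MemTotal from /proc/meminfo text, rounded to whole GiB (the kernel reserves a little)."""
    match = re.search(r"^MemTotal:\s+(\d+)\s+kB$", meminfo_text, re.MULTILINE)
    if match is None:
        raise ValueError("MemTotal line not found")
    return round(int(match.group(1)) / (1024 * 1024))


def count_service_nics(interface_names):
    """Count interfaces that could serve as the two required service/management NICs."""
    return sum(1 for name in interface_names if not name.startswith(VIRTUAL_NIC_PREFIXES))


def check_core_sizing(memory_gb, cpus, disk_gb, rotational_flag, nics):
    """Compare observed resources with ON_CORE_MINIMUM; return a list of shortfalls (empty = OK)."""
    problems = []
    if memory_gb < ON_CORE_MINIMUM["memory_gb"]:
        problems.append(f"memory {memory_gb} GB < {ON_CORE_MINIMUM['memory_gb']} GB")
    if cpus < ON_CORE_MINIMUM["cpus"]:
        problems.append(f"cpus {cpus} < {ON_CORE_MINIMUM['cpus']}")
    if disk_gb < ON_CORE_MINIMUM["disk_gb"]:
        problems.append(f"disk {disk_gb} GB < {ON_CORE_MINIMUM['disk_gb']} GB")
    if rotational_flag.strip() != "0":  # /sys/block/<dev>/queue/rotational: 0 means SSD/NVMe
        problems.append("disk is rotational; SSD required")
    if nics < ON_CORE_MINIMUM["nics"]:
        problems.append(f"nics {nics} < {ON_CORE_MINIMUM['nics']} (service + management)")
    return problems


def check_live_host(root_device="sda"):
    """Read the running Linux host; root_device is an assumption used for the SSD check."""
    with open("/proc/meminfo") as f:
        memory_gb = parse_meminfo_gb(f.read())
    # Root filesystem size; this can read a few GB below the raw disk size because of filesystem overhead.
    disk_gb = shutil.disk_usage("/").total // (1024 ** 3)
    rot_path = f"/sys/block/{root_device}/queue/rotational"
    rotational = open(rot_path).read() if os.path.exists(rot_path) else "1"
    nics = count_service_nics(os.listdir("/sys/class/net"))
    return check_core_sizing(memory_gb, os.cpu_count() or 0, disk_gb, rotational, nics)


if __name__ == "__main__":
    for line in check_live_host() or ["host meets ON Core minimum sizing"]:
        print(line)
```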

1.3.1.3. Administration Portal

The machine that hosts the OpenNAC Administration Portal is the ON Core. This Administration Portal is the main interface for configuring, operating, and monitoring the OpenNAC technologies.

For more information about the web console, see Web Console Operation.