4.7.5. Administration
4.7.5.1. Introduction
In this section, we make the configurations of the BackEnd ON Core. First, we configure everything related to the IdP (the AD/LDAP join and the LDAP filters) to be able to create the user validation policies; then the agent for the RoadWarrior VPN will be configured, and finally the OTP configuration will be done.
4.7.5.2. AD Configuration
The BackEnd ON Core configuration is done through the web interface, https://IP_CORE/admin/ so we must access the previously configured IP address and log in with the default credentials (admin/opennac).
4.7.5.2.1. Join corporate AD
This section explains how to join the corporate AD. To carry out this process, the user must have the specific permissions required to join the AD; later, the user can be changed to one that only has read permission to query users.
Go to the menu “Configuration -> Wizards -> Join Domain Wizard”.
Complete the wizard form with your data.
Click “Execute”.

A window will appear asking if you want to add a new UDS (User Data Source); click “yes” to add it.
A new window will be displayed, with the information filled in based on the data we previously entered. Modify the form if necessary.

Click the “Accept” button.
In the “Status” panel on the right side of the screen, the progress of joining the domain will be shown. If errors occur, they will be shown there. If everything goes well we will see “Join is OK”.

Verify that the UDS is in the ready state:
- Go to “ON CMDB -> User Data Sources”.
- If the new UDS has the “ready” status, there is nothing else to do.
- Otherwise, select it and click on the “Check status” button. If there are no errors, the UDS will change state to “ready”.
4.7.5.2.2. LDAP filters VPN groups
This section explains how to generate LDAP filters. The filters are used to segment the groups of users that access through the VPN and to associate them with the dynamic zones in the VPNGW, which assign the different access ACLs through the VPN. Keep in mind that only one example is provided in this document; you must create all the LDAP filters that your access policies need.
Go to the “ON CMDB -> LDAP/AD Filters” menu.
Click the “+ Add new” button.

In the form that opens:
- Add a name to the filter.
- Write the LDAP query with the required information.
- Click the “Accept” button.

Once the filter is created, it will appear in the list in grey, which indicates that the filter is disabled by default.
To enable the new filter:
- Select it.
- Click the “Check & Enable LDAP/AD Query” button.

In the window that opens:
- Choose the active directory to associate this filter with.
- Click the “Accept” button.

If no errors occur, the filter will be enabled.
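Before enabling a filter it is worth checking that it selects exactly the users it should, since each filter ends up mapped to a dynamic zone and therefore to a set of ACLs. The following added example (not OpenNAC's code) evaluates RFC 4515 LDAP filters against a few constructed directory entries; the DNs, the group names vpnusr and vpnadm and the usernames user2/user3 are assumptions modelled on the connection test at the end of this section.

```python
import re

# Constructed sample directory entries (assumed DNs, groups and usernames).
USERS = {
    "user2": {"objectClass": ["user"], "sAMAccountName": ["user2"],
              "memberOf": ["CN=vpnusr,OU=Groups,DC=example,DC=local"]},
    "user3": {"objectClass": ["user"], "sAMAccountName": ["user3"],
              "memberOf": ["CN=vpnadm,OU=Groups,DC=example,DC=local"]},
    "svc1": {"objectClass": ["user"], "sAMAccountName": ["svc1"],
             "memberOf": []},
}


def parse_filter(text):
    """Parse an RFC 4515 filter into a tree: ('&'|'|', [subtrees]),
    ('!', subtree) or ('=', attribute, value). Raises ValueError if malformed."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":                      # AND / OR over nested filters
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            node = (op, subs)
        elif op == "!":                     # NOT over one nested filter
            pos += 1
            node = ("!", parse())
        else:                               # attribute=value item
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError("bad item at offset %d" % pos)
            node = ("=", attr, value)
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    try:
        tree = parse()
    except (IndexError, ValueError) as exc:
        raise ValueError("malformed filter %r: %s" % (text, exc))
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values).
    Attribute names and values are compared case-insensitively, as AD does."""
    kind = node[0]
    if kind == "&":
        return all(matches(sub, entry) for sub in node[1])
    if kind == "|":
        return any(matches(sub, entry) for sub in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                        # presence test, e.g. (memberOf=*)
        return bool(values)
    # '*' inside a value is a substring wildcard, e.g. CN=vpnadm,*
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)


def select_users(filter_text, users=USERS):
    """Return the sorted usernames that a filter selects from the entries."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in users.items() if matches(tree, entry))


if __name__ == "__main__":
    admin = "(&(objectClass=user)(memberOf=CN=vpnadm,OU=Groups,DC=example,DC=local))"
    standard = "(&(objectClass=user)(memberOf=CN=vpnusr,OU=Groups,DC=example,DC=local))"
    print("admin filter:", select_users(admin))          # ['user3']
    print("standard filter:", select_users(standard))    # ['user2']
    print("in no VPN group:", select_users("(&(objectClass=user)(!(memberOf=*)))"))
```

Users that match none of the filters (svc1 above) fall through to the reject policy described later, so the last query is a useful check that no account is left unintentionally outside every zone.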

4.7.5.3. Set FW as Network Device
It will be necessary to add the FrontEnd (FW) node as a Network Device in the ON Core CMDB. To do this, go to “ON CMDB -> Network Devices” and click “Add new”:

The minimum information that must be filled in is indicated below.
4.7.5.3.1. General info
In this tab, it is required to complete at least the following fields.

IP: IP address that identifies the device. FW IP.
Hostname: Hostname that identifies the device. FW hostname.
Brand / Model: Brand and model of the device. In this case, Viapps/Fw.
4.7.5.3.2. Disconnection Settings - WireGuard VPN
The WireGuard VPN allows us to TogglePort connections to force re-authentication. To do this, we must configure the disconnection settings with the following information:
General:

In the “General” section, we select the type “API Rest”.
API Rest Properties:

In this section, we must define the following parameters:
API Rest protocol: connection protocol with the API Rest of the FW (default https).
API Rest port: connection port with the API Rest of the FW (default 10443).
API Key: API Key to make requests to the API Rest of the FW.
To obtain an API KEY from VPN Gateway go to the CMI and open the menu “Security -> API keys”.

Click “Add New”:

If there is more than one OpenNAC node (workers), select the option “All IPs using this key will be authorized”; otherwise, enter the OpenNAC node IP in the “IP” field.
4.7.5.4. VPN RoadWarrior policy configuration (ON Core)
4.7.5.4.1. VPN configuration file
4.7.5.4.1.1. OpenVPN
Once the user validation policies have been configured, we are going to associate the VPN configuration file so that it can be downloaded by the agents installed on the remote clients and used to make the VPN connection against the FrontEnd VPNGW.
It is necessary to download the VPNGW configuration file. To do so, access the CMI portal https://IP_CMI/:
- Go to the menu “Manage -> Appliances”.
- Select the corresponding vpngw.
- Click on “Manage”.

In the VPNGW administration portal:
- Go to “Manage -> VPN RoadWarrior”.
- Select the corresponding VPN.
- Click “Download” to download the configuration file.

Once you have the file downloaded, return to the ON Core portal:
- Go to the “ON Agent -> Agent VPN -> OpenVPN” menu to access VPN configuration management and register the configuration file.

We must create a new OpenVPN profile. To add the configuration for it, click on the “Add new” button and fill in the information requested.
The required fields are the following ones:
Name: Name of the configuration
Configuration: OpenVPN configuration. This is the configuration file that was downloaded from the FrontEnd. Copy and paste the content of the file downloaded in the previous step.
Enable: Enable or disable this configuration for downloading from the agent.
Description: Field in which a description of the configuration can be entered if desired.

Click “Accept” to save the settings.

4.7.5.4.1.2. WireGuard
Once the user validation policies have been configured, we are going to associate the VPN configuration file so that it can be downloaded by the agents installed on the remote clients and used to make the VPN connection against the FrontEnd VPNGW.
It is necessary to download the VPNGW configuration file. To do so, access the CMI portal https://IP_CMI/:
- Go to the menu “Manage -> Appliances”.
- Select the corresponding vpngw.
- Click on “Manage”.

In the VPNGW administration portal:
- Go to “Manage -> VPN RoadWarrior”.
- Select the corresponding VPN.
- Click “Download” to download the configuration file.

Once you have the file downloaded, return to the ON Core portal:
- Go to the “ON Agent -> Agent VPN -> WireGuard” menu to access VPN configuration management and register the configuration file.

We must create a new WireGuard profile. To add the configuration for it, click on the “Add new” button and fill in the information requested.

The required fields are the following ones:
Name: Name of the configuration
Configuration: WireGuard configuration. This is the configuration file that was downloaded from the FrontEnd. Copy and paste the content of the file downloaded in the previous step.
Enable: Enable or disable this configuration for downloading from the agent.
Description: Field in which a description of the configuration can be entered if desired.
Click “Accept” to save the settings.
4.7.5.4.2. Agent Profiles
Agent Profiles are the settings that are sent to remote agents installed in client devices, after receiving information from them.
After creating the VPN configuration in the previous step, it is necessary to add the connection profile to the Agent configuration profile that we have registered as the default profile. In this way, when the agent connects with the Backend we will send the VPN configuration.
Go to the “ON Agent > Agent Profiles” section to open the agent profiles management screen.

Select the “default” profile and click “Edit”.
In the VPN configuration module of the pop-up window, you will find the OpenVPN and WireGuard fields that allow you to select the VPN connection profile with the settings previously created.

Inside the “Taskbar Configuration” module, enable “Enable UI”, “Enable the client authentication option” and “Enable OpenVPN” or “Enable WireGuard” corresponding to what we have previously configured.

Finally, after selecting the desired settings, click the “Accept” button to save the changes made.
After configuring the Agent, we will configure the download to indicate the connection IP and enable the use of VPNs such as WireGuard or OpenVPN.
To do that, go to “ON Agent -> Agent configuration -> Download & parse”, and in the Download & Install agent options fill in the Server IP or Name and enable WireGuard or OpenVPN according to what was configured previously.
Note
In “Server IP or name” you must enter the public URL of the VPN connection, which is associated with the name registered in the public DNS and with the certificate that was previously generated.
Click on “Save” to save the settings.
4.7.5.5. Policies Configuration
4.7.5.5.1. Plugin Configuration (WireGuard Only)
If a WireGuard VPN is used, it is necessary to configure the corresponding plugin. For OpenVPN this step is not necessary.
Configure the WireGuard plugin.
Open the menu “Configuration -> Plugins -> wireGuardSync -> Edit plugin”.

Configure the Synchronous WireGuard plugin form.
To obtain an API KEY from VPN Gateway go to the CMI and open the menu “Security -> API keys”:

Click “Add new” and fill in the “IP” field with the ON Core IP.
Click “Accept” to save the settings.
4.7.5.5.2. TAG Policy profiles
In this section, the Tag that will be used later to create the user validation policies is created. Tags group characteristics of the remote devices collected through the agent and allow us to profile, in a granular way, the devices that connect.
Go to the menu “ON NAC -> Tag policies -> UD Tag policies”
Click the “+ Add new” button

Fill in the fields with the necessary information (an example can be seen in the next page):
Name: the name of the policy tag.
Tag: the tag to use. In this case, EPC_SECURITY_COMPLIANCE.
The conditions that must hold for this tag to be assigned, i.e. the rule. In this case: (&,'ISS_AV_UPDATE','ISS_AV_ENABLED','ISS_FW_ENABLED')
Search Tag Assistant: helps to search for the tags that are used in the rule above.
Comment: a comment regarding the policy.
Enabled: enables the rule to be used from its creation.

Click the Accept button to create the Tag Policy.
You can see the rule created at the bottom of the list.
4.7.5.5.3. Policies
In this section, the VPN user validation policies are configured. In our example three policies will be created: one for admin users, one for standard users and one for rejected users.
Note
For WireGuard VPNs it is necessary to associate the WireGuard plugin configured in section 4.3.1. This configuration should not be done if OpenVPN is used.
To associate the WireGuard plugin to a policy, select the “wireGuardSync” plugin in the Postconditions section:

A) Admin user policy:
1. Go to the “ON NAC -> Policies” menu.
2. Click on the “Add new” button.
3. In the General section:
   Name: policy name
   Enable: yes (so that the policy is enabled from the beginning)
   Section: policy section
   Comment: policy comment
4. In the Preconditions: Users form:
   Click on “Set User Data Source” and select the AD to use.
   Click on “Set LDAP Filter” and select the rule to use (if you don’t have it, you can create a new one).
5. In the Preconditions: User Devices window, add a Tag from those previously created.
6. In the Preconditions: Sources form, select only VPN.
7. In the Postconditions section, click on “Set Vlan” and select the VLAN “Switch default”.
8. Zone assignment:
   8.1. OpenVPN: in the Postconditions section, under Extra Radius params, click “+ Add new” and fill in the fields:
      Vendor -> opennac
      Name -> OpenNAC-VPNGW-Role
      Value -> the name of the dynamic zone created previously. This zone associates the group of AD users selected by the LDAP filter, validated by the rule we are creating, with the ACL security policies that are assigned automatically in the finalizer.
   8.2. WireGuard: in the Postconditions: Custom params form, click “Add new” and fill in the fields:
      Type -> Free text
      Name -> VPNGW-Role
      Value -> the name of the dynamic zone created previously. This zone associates the group of AD users selected by the LDAP filter, validated by the rule we are creating, with the ACL security policies that are assigned automatically in the finalizer.
9. Finally, click on “Accept”.
B) Standard user policy:
Repeat steps 1 and 2 of the admin user policy.
In the General section:
Name: policy name
Enable: yes (so that the policy is enabled from the beginning)
Section: policy section
Comment: policy comment

In step 4 you have to select the LDAP filter for standard users in Preconditions: Users. In this example it would be the following:

Repeat steps 5, 6 and 7.
In step 8, you have to create the parameter with a different value, because the firewall uses this parameter to distinguish the VPN networks. The corresponding zone must be assigned in “Custom params” in the case of WireGuard or in “Extra Radius params” in the case of OpenVPN.

Repeat step 9.
C) VPN Reject Policy.
A Reject policy must be created to reject the connection of those users who do not match any of the other VPN policies. This policy must be located after all the other VPN policies:
In the form in General:
Name: policy name
Enable: yes (so that the policy is enabled from the beginning)
Section: policy section
Comment: policy comment

In the form in Preconditions: Sources select only VPN

In the Postconditions section:
Click on “Set Vlan”
Select the Vlan “Access Denied”

Finally, click on “Accept”
D) Visibility Agent
This policy assigns an agent profile to all the devices that have the agent installed, before they connect.
In the form in General:
Name: policy name
Enable: yes (so that the policy is enabled from the beginning)
Section: policy section
Comment: policy comment

In Preconditions: User Devices:
Add the agent tag to the filter: ($,'ONC_AGENT').
Check that it is correct by pressing “Check expression”.

In Preconditions: Sources select the Visibility source:

In the Postconditions section:
Click on “Set Vlan”
Select the VLAN “Switch default”

In Postconditions section:
Add the Agent Profile created previously.

4.7.5.6. Single Sign-On Wireguard VPN using SAML
You can perform a Single Sign-On (SSO) authentication flow using SAML for WireGuard-type VPN authentications.
To configure this authentication, execute the following steps:
4.7.5.6.1. VPN captive portal creation
When users start the authentication process, they will be redirected to the system’s captive portal and must go through the flow configured for authentication.
For the creation and start-up of the captive portal where users will carry out the SAML authentication flow, we must make the following configurations:
4.7.5.6.1.1. Captive Portal Flow Creation (IdP Federation)
The first step includes creating the authentication flow. At this point, the federation of the SP in the IdP will be configured, so it will be necessary to have:
IdP federation metadata.
IdP server ID.
Once we have this data, we can follow the steps in “ON Captive -> Captive VPN workflows”.
4.7.5.6.1.2. Captive Portal Domain Creation
Once we have defined the VPN authentication flow, we will need to add it to a new captive portal domain. The domain corresponds to a grouping of different flows, including VPN flows. To do this we go to “ON Captive -> Captive domains” and add a new domain by clicking on “Add new”:

Name: Name of the new domain.
Enabled: Check to enable or disable the domain.
Description: Description of the new domain.
Workflows: Cable/wifi authentication flows.
VPN Workflows: VPN authentication flows. Here we must select the flow created in the previous section.
4.7.5.6.1.3. Captive Portal Instance Creation
Once we have defined the VPN authentication flow, we will need to add it to a new captive portal instance. To do this we go to “ON Captive -> Captive instances” and add a new instance by clicking “Add new”:

Name: Name of the new captive portal instance.
Captive node IP: The IP address for the Captive node.
Portal IP/Domain: IP address or domain (FQDN) to which the instance will be assigned.
Installed in core: Check that verifies if the instance is installed on the ON Core server itself.
Description: Description of the new instance.
Domain: Domain created in the previous step. This will define the flow to follow.
Theme: Theme applied to the captive portal.
List of IPs that will be redirected to the default page: This parameter can be used to redirect users to the default page and not to the captive portal.
4.7.5.6.2. Federation of the SP in the IdP
Once the “Captive VPN Workflow” is created, we can obtain the metadata and identity of our SP in the following link:
https://<captive_portal_ip_or_domain>/simplesaml/module.php/saml/sp/metadata.php/saml-test?output=xhtml
When accessing the link we will see the page of our SP with the metadata:

This metadata is what we must provide to the IdP in order to complete the federation between the two.
4.7.5.6.3. Agent Configuration
The use of SAML to authenticate the VPN connections of the WireGuard service requires an additional configuration. This setting is to enable such functionality in the ON Agent software.
To activate the SAML functionality in the agents we must go to “ON Agent -> Agent Profiles” and in the profile used for it (default by default) activate the options “Enable WireGuard” and “Authenticate WireGuard use using SAML”:

4.7.5.6.4. SAML Authentication Flow Example
This section will explain an example of a connection using the SAML authentication flow.
Having already downloaded and installed the Agent, the first step will be to right-click on the icon in the taskbar and select the “WireGuard” type VPN connection:

When the Agent opens, the connection dialog appears without any fields for entering access credentials. We must click “Connect”:

A new window will automatically open in the browser that will direct us to the IdP access page (example image) where we must enter our credentials:

Once we have authenticated ourselves, we will return to the ON Core portal where, if we have accessed correctly, we will be able to download the VPN access file:

When we have downloaded the VPN access file we must execute it:

The Agent will automatically configure itself and access the VPN:

4.7.5.7. OTP configuration
4.7.5.7.1. OTP email template
This section explains how to configure the email that we will send to users.
Go to menu “Configuration -> Configuration vars”
Click on the OTP tab
Fill in the fields

Enable “Send OTP secret as QR”: select “yes” so that the user receives a QR code that will be used in Google Authenticator.
Allow send QR more than once: by default the QR code can be sent only once (if you want to send another email, you must generate a new OTP secret). If you want to reuse the same code, enable this field.
One time QR: enable one time QR mode.
TTL one time QR (in minutes): defines the time in minutes from when a QR image is sent until it expires if the user has not scanned it. Default 480 minutes.
Maximum number of uses of QR image: defines the maximum number of scans of the same QR image.
Captive portal URL: fill in the captive portal address for the one time QR.
- E-mail configuration: configuration of the mail when one time QR mode is disabled.
E-mail QR from: fill in the name of the email sender.
E-mail QR title: fill in the email title.
E-mail QR template: the HTML code shown as the content of the email when one time QR mode is disabled.
- One time QR e-mail configuration: configuration of the mail when one time QR mode is enabled.
E-mail QR from: fill in the name of the email sender.
E-mail QR title: fill in the email title.
E-mail QR template: the HTML code shown as the content of the email when one time QR mode is enabled.
Click “Save” to save the changes.
In the following image you can see the different sections previously mentioned: the title of the email, the name of the sender, the OTP in the form of a QR, and the HTML template rendered in the mail.
4.7.5.7.2. Mail sending with the QR
Going to “Configuration -> OTP”, it is possible to manage all the tasks related to OTP network access. OTP Management includes the following functions.

We can add new users by clicking on “Add new” and entering the desired username for the QR owner.

We can also Regenerate the QR for a selected user.
You can create OTPs for the users of a group from a selected LDAP or AD source by clicking on “Create OTP using LDAP/AD group”. The following options must be selected:

User data source: the LDAP or AD source we want to use.
Users group: the group of users that will be using the OTP.
Regenerate OTPs that already exist and send QR: flag to enable or disable regenerating OTPs that already exist.
We can Delete the selected OTP or Refresh the page.
To send the email with the QR to a selected user, click on Send QR.
Check token allows us to check a token for a given username.
Query user log shows the log of the selected user.
Finally, we can click on Export data to export the data in JSON format.
You can also Search a user and review its OTP parameters by clicking on the + icon.

User: the owner of the QR.
User e-mail: the email where the QR has been sent.
OTP Secret downloaded: Boolean indicating whether the OTP has been downloaded or not.
OTP Secret sent as QR: date and time indicating when the QR was sent.
OTP Secret sent by: the user that sent the QR.
#QR used: number of times the QR was used.
QR last use: date of the last use of the QR.
QR expiration date: expiration date of the sent QR (in red if the QR has expired).
Created by: user who created the OTP.
Modified by: user who modified the OTP.
In addition to creating a user or group QR and sending it to the users, you must also have configured “Configuration -> Configuration Vars -> OTP”.
You can use your one time QR with any authenticator app such as Google Authenticator.

Once you scan the QR, a dynamic PIN will appear; each PIN is valid for about 30 seconds.

Now you can connect to the VPN selecting the 2FA on the authentication window and filling with your username, password, and OTP pin.
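The following added example (not OpenNAC's code) shows what “Check token” has to do on the server side: it computes RFC 6238 TOTP codes with the 30-second step used by Google Authenticator, verifies a submitted code in constant time while tolerating one step of clock drift, and applies the one time QR rules described above (TTL in minutes, default 480, and a maximum number of scans). The secret and timestamps are constructed; the base32 string is the form in which an authenticator app receives the secret from the QR.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # Google Authenticator step: the PIN changes every 30 seconds
DIGITS = 6


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a raw secret at the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def secret_from_base32(text):
    """Decode the base32 secret carried in the enrolment QR (otpauth URI)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore padding if stripped
    return base64.b32decode(cleaned)


def verify_totp(secret, code, unix_time, drift_steps=1):
    """Server-side check of a submitted code: accept the current step and
    drift_steps neighbours on each side, comparing in constant time."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


class OneTimeQR:
    """Validity bookkeeping for a one time QR, following the OTP settings on
    the page: it expires TTL minutes after being sent (default 480) and after
    the maximum number of scans. Times are Unix seconds."""

    def __init__(self, sent_at, ttl_minutes=480, max_uses=1):
        self.expires_at = sent_at + ttl_minutes * 60
        self.max_uses = max_uses
        self.uses = 0

    def scan(self, now):
        """Record a scan; returns 'ok', 'expired' or 'max_uses_exceeded'."""
        if now >= self.expires_at:
            return "expired"
        if self.uses >= self.max_uses:
            return "max_uses_exceeded"
        self.uses += 1
        return "ok"


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 reference secret "12345678901234567890",
    # as it would appear base32-encoded inside the QR.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59:", totp(secret, 59))            # 287082 per RFC 6238
    print("accepted 30 s later:", verify_totp(secret, "287082", 89))
    qr = OneTimeQR(sent_at=1_700_000_000)
    print([qr.scan(1_700_000_000 + 600), qr.scan(1_700_000_000 + 1200)])
```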

4.7.5.8. ON Agent Configuration
Once we have the Agent installed on the client computers, downloading it from the portal, we can continue with the registration in Google Authenticator and the connection tests.
We can find the information regarding the ON Agent installation in the Node Deployment Guide.
4.7.5.8.1. Registration of a QR
4.7.5.8.1.1. Registration of a non-one-time QR with Google Authenticator
When establishing the VPN connection, the second authentication factor (2FA) will be requested. This second factor is provided through Google Authenticator, after registering the user account by scanning the QR code that was sent to the user by email.
To install the application, the user must download it from one of the following links:
App Store:
https://apps.apple.com/us/app/google-authenticator/id388497605
PlayStore:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Once installed, the user must scan the QR code they received. The email the user receives is similar to the one in the following image:

To register the 2FA, the user must open the application with their mobile phone and execute the following steps:
If this is your first time using Google Authenticator, follow these steps:
Click “START SETUP”
Then click on “Scan Barcode”
Scan the QR code that is attached to the email
Now you can view the code
If you have previously used Google Authenticator, follow these steps:
Click on the “+” symbol at the top right
Then click on “Scan Barcode”
Scan the QR code that is attached to the email
Now you can view the code
In the following image, you can see how the Google Authenticator OTP code is displayed.

4.7.5.8.1.2. Registration of a one-time QR
When establishing the VPN connection, the second authentication factor (2FA) will be requested. This second factor is provided through the captive portal defined in the configuration, after registering the user account by scanning the QR code that was sent to the user by email.
To obtain the 2FA code, you must scan the QR code received in the specified email, which will look like this:

By scanning the code, you will be directed to a web portal that will generate the OTP and redirect you to your password wallet (Apple) or default application (Android) to save and display the access code:

In the event that the QR has expired or the maximum number of scans has been exceeded, the portal will display an error message.
4.7.5.8.2. Connection test
This section shows how to make the VPN connection from a Windows computer on which the configured agent has been downloaded and installed. To carry out these steps, the connection will be made with user2, who belongs to the group of standard users in our example.
Right click on the ON Agent icon.
Select Wireguard or OpenVPN depending on the service used:

In the following form, fill in the necessary information
Click “Connect”

File: configuration file, configured in chapter 4.3.1. The drop-down field shows the different configurations found on the device.
User: user name.
Password: user’s password.
2FA: In case of using 2FA we must activate the check.
Code: (In case of activating 2FA) code generated by Google Authenticator.
When connecting, the following message will appear:

It can be verified that the connection was successful and the client received IP configuration:
- On the Windows device, open the cmd command line.
- Run the command ipconfig.

From the BackEnd ON Core, through the administration portal, we will see the access policy that the connection matched:
Go to the menu “ON NAC -> Default view”
Click on the business profile “VPN”
You will be able to see the user connection

Click the eye icon in the Policy column. This way you can see more information related to the event. In this case, you can see the VPN event of user2.

From the FrontEnd through the VPNGW administration portal:
Go to the “Users Manage” menu of OpenVPN or WireGuard
You will be able to see that the user is connected:

The last step of the connection test would be to check that the user accesses only the networks/servers on which it was configured. Let’s recall the infrastructure defined for the example we are working on:

After the VPN connection is established from the Windows device using user2 (a vpnusr user, i.e. a standard user), we check access to the servers:
- Open the cmd command line.
- Ping one of the standard servers, 172.16.20.45 (Ping OK).
- Ping another of the standard servers, 172.16.20.65 (Ping OK).
- Ping one of the critical servers, 172.16.30.20 (Request timed out).
- Ping another of the critical servers, 172.16.30.30 (Request timed out).
We do the same check, now establishing the VPN connection with user3 (a vpnadm user, i.e. an administrator user):
- Open the cmd command line.
- Ping one of the standard servers, 172.16.20.45 (Request timed out).
- Ping another of the standard servers, 172.16.20.65 (Request timed out).
- Ping one of the critical servers, 172.16.30.20 (Ping OK).
- Ping another of the critical servers, 172.16.30.30 (Ping OK).