3.1.10.2.9. ironchipSync

The Iron Chip plugin is used as a location-based second authentication factor (2FA). When a user tries to authenticate, an additional authorization factor based on the user's location is applied.

The ironChipSync plugin obtains information about the user's location when the user tries to authenticate through the OpenNAC Enterprise server. The location information must be registered beforehand in the Iron Chip App by defining security zones, so that when the user tries to connect we can check whether the location is secure and grant access.

To configure the ironChipSync plugin, we need to enter the following information.

../../../../_images/ironchipsync.png


  • IronChip Address: IP or domain for Iron Chip Server.

  • Enable HTTPS: Selects HTTPS (enabled) or plain HTTP (disabled) for the connection to the Iron Chip Server.

  • IronChip API Key: The key that will be associated with a secure zone. It is generated through the Iron Chip App.

  • Execution order: Determines the order in which sync plugins are executed, with higher priority assigned to lower numerical values (0 being the lowest priority). In situations where multiple plugins share the same execution order value, the execution order will follow an alphabetical arrangement.

3.1.10.2.9.1. Ironchip authorization process

When a user tries to authenticate through OpenNAC and the authentication matches a policy where the Iron Chip plugin has been enabled, an authorization alert is sent to the user's Iron Chip App. Once the user authorizes the request, the mobile App scans the location to determine whether the user is in one of the previously registered secure locations.

If the user is in a secure location, the user is authorized and given access according to the policy parameters. If the user is in an unsecured area, or there has been an error with the parameters, the user is not authorized.

We can see an execution example:

../../../../_images/ironchipsync2.png


About the timeouts

For the plugin to work correctly, some timeouts must be adapted so that OpenNAC waits long enough to obtain the validation from the Iron Chip application. The validation process usually takes approximately 15-30 seconds; if it takes longer, we consider that there has been no response and close the connection. As a consequence, the user is not verified and access is denied. From OpenNAC Enterprise we recommend adjusting the timeouts in the following files to optimize operation:

  • /etc/httpd/conf.d/php.conf

In the php.conf file, we need to change the timeout that refers to the PHP execution, incrementing the value from 11 to 31 to give the user enough time to complete the verification. If this value is not configured, the web connection is closed without receiving any response.

<Proxy "unix:/run/php-fpm/www.sock|fcgi://localhost" timeout=60>
</Proxy>
<Proxy "unix:/run/php-fpm/poleval.sock|fcgi://127.0.0.1" timeout=31>
</Proxy>

  • /etc/php-fpm.d/poleval.conf

In the poleval.conf file, we need to change the timeout that refers to the poleval execution, incrementing the value from 10 to 30 to give the user enough time to complete the verification. If this value is not configured and poleval receives no response within 10 seconds, it returns an invalid result.

;Custom
listen = /run/php-fpm/poleval.sock
pm.max_requests = 500
pm.status_path = /statuspoleval
slowlog = /var/log/php-fpm/poleval-slow.log
request_terminate_timeout = 30
php_admin_value[memory_limit] = 128M
php_admin_value[error_log] = /var/log/php-fpm/poleval-error.log

  • /etc/raddb/mods-available/opennac

In this file, we configure a parameter that refers to the API calls. If poleval gets no response before the apiTimeout expires, any information received after that time is discarded, so we change the acceptWhenPolEvalDiscards parameter to no so that a discarded evaluation does not fall through to the default accept.

# Default result when any issue is produced in openNAC policy evaluation or
# "apiTimeout" is reached
# By default, request is accept and default vlan is assigned
acceptWhenPolEvalDiscards = no;

We also need to configure the timeout that aborts the API calls, increasing it to allow enough time to wait for the answer from the Iron Chip app.

# Timeout to abort api call (value in seconds)
apiTimeout = 120