4.6.3. Architecture
This section outlines the nodes required for the use case and gives essential information on its architecture: the components, a simplified architecture, and the recommended sizing.
4.6.3.1. Components
The deployment of the Guest module requires the installation of only two components:
ON Core: Performs the centralized management of the solution.
ON Analytics: Manages and visualizes the collected information, generates dashboards, and displays reports.
The deployment of additional components depends on the final project requirements.
4.6.3.1.1. ON Core
ON Core provides the centralized administration console and hosts the access policy engine. It acts as the authentication, authorization and accounting (AAA) manager, processes and validates user posture and profiling, and integrates with the corporate identity manager. It also manages and validates the second authentication factor.
It is a mandatory component of the solution and includes critical subcomponents such as:
Policy Engine: The brain of the solution; all modules are implemented on top of this component.
CMDB: The memory of the solution, where all configuration, assets and their attributes are stored.
Administration Portal: The control panel of the solution.
Captive Portal: In basic architectures, the captive portal where users authenticate resides on the ON Core node. In more complex architectures, the captive portal module may be installed on another machine located in another zone.
Note
ON Core is a critical component of the solution. Whether one or more nodes are deployed to provide high availability depends on the requirements of the deployment and the final architecture design. With this component offline, the solution loses the ability to authenticate requests.
4.6.3.1.2. ON Analytics
ON Analytics is based on the ELK stack (Elasticsearch, Logstash, Kibana). It receives the different solution logs, as well as the metadata of the traffic processed by the OpenNAC Sensor, via Filebeat. It gives structure to the metadata and builds the data lake used to display dashboards and to support searches and reports.
It provides dashboards and reports with the information about the use case. The solution includes a set of dashboards and reports based on commonly gathered technical information, and you can create and generate your own custom dashboards.
Note
ON Analytics is a non-critical component of the solution and therefore does NOT require high availability. Whether one or more nodes are deployed depends on the requirements of the deployment and the final architecture design. If this component goes offline, the main functionality of the OpenNAC Enterprise modules continues working; the only effect is that, for the duration of the outage, the solution can no longer process and display its information.
In deployments that generate a large amount of data, it may be necessary to deploy multiple Analytics nodes to balance the storage load. Analytics has two roles, typically hosted on the same node: an aggregation role (Aggregator), which receives information through Filebeat and processes logs with Logstash, and a data role (Analytics), which handles data management with Elasticsearch and visualization with Kibana.
The Guest management use case can serve wired or Wi-Fi connections. For wired connections, the architecture is the following:
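As an added illustration of the Aggregator role described above (this is example configuration written for this page, not a file shipped with OpenNAC Enterprise), the fragment below shows how a Filebeat shipper on a node is pointed at the Logstash Beats input of the Aggregator. The host name, the log path, the certificate paths and the use of a separate management network name are assumptions; 5044 is the default port of the Logstash Beats input. The security-relevant point is that log data travels between nodes, so the link should use the management interface and be TLS-protected with client authentication rather than a plain TCP connection.

```yaml
# Added example, not part of the OpenNAC Enterprise documentation.
# filebeat.yml fragment on a node that ships logs to the ON Analytics
# Aggregator role (Logstash). Names and paths below are assumptions.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/opennac/*.log        # assumed log location

output.logstash:
  # Reach the Aggregator over the management network (assumed host name),
  # not over the service interface that faces end-user traffic.
  hosts: ["analytics-aggregator.mgmt.example.internal:5044"]
  # Encrypt and mutually authenticate the link so that log data cannot be
  # read or forged by another host on the same segment.
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
  ssl.certificate: "/etc/filebeat/client.crt"
  ssl.key: "/etc/filebeat/client.key"
  ssl.verification_mode: full
```

The matching Logstash Beats input on the Aggregator must have `ssl` enabled with the same CA so that the client certificate is actually verified; a shipper configured with TLS against a Beats input that does not request client certificates still encrypts the traffic but provides no authentication of the sending node.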

For Wi-Fi connections, the architecture is the following:

4.6.3.2. Standard Sizing
Growth in concurrent users is handled by adding nodes in an N + 1 scheme.
Component | Number | CPU | Memory | Disc/Type | Network Int.
---|---|---|---|---|---
ON Core | 1 | 8 Cores | 16 GB | 160 GB/SSD | 2 NIC
ON Analytics | 1 | 8 Cores | 16 GB | 200 GB/SSD | 2 NIC
Note
The two network interfaces are mainly for service and management (the management interface carries the internal communication between the different nodes).
4.6.3.2.1. Flow
The flow for this use case differs depending on whether the captive portal is used with redirection or with MAB-CoA (MAC Authentication Bypass with RADIUS Change of Authorization).
4.6.3.3. Captive portal with redirection flow
In the case of a captive portal with redirection, the connection flow is the following:

4.6.3.4. Captive portal with MAB-CoA flow
In the case of a captive portal with MAB-CoA, the connection flow is the following:
