4.5.3. Architecture

This section outlines the necessary nodes for the use case, offering essential information on its architecture, including components, simplified architecture, and recommended sizing.

4.5.3.1. Components

The deployment of the BYOD module only requires the installation of two components:

  • ON Core: Performs centralized management of the solution.

  • ON Analytics: Management and visualization of the collected information, dashboard generation, and report visualization.

The deployment of additional components depends on the final project requirements.

4.5.3.1.1. ON Core

ON Core provides the centralized administration console. It hosts the access policy engine and the user authentication, authorization and accounting manager, and it processes and validates user posture and profiling, integrating with the corporate identity manager. It also manages and validates the second authentication factor.

It is a mandatory component of the solution that includes critical components such as:

  • Policy Engine: It is the solution’s brain; all modules are implemented using this component.

  • CMDB: It is the memory of the solution, where all the configuration, the assets and their features are saved.

  • Administration Portal: It is the control panel for the solution.

  • Captive Portal: In basic architectures, the captive portal where users will authenticate resides in the ON Core component. In more complex architectures, the captive portal module may be installed on another machine located in another zone.

Note

The ON Core is a critical component of the solution. The implementation of one or more nodes to ensure high availability will depend on the deployment requirements and the final architecture design.

If this component goes offline, the solution will lose the ability to authenticate requests.

4.5.3.1.2. ON Analytics

OpenNAC Analytics is based on the ELK stack. It receives the different solution logs, as well as the metadata of the traffic processed by OpenNAC Sensor, via Filebeat. It gives structure to the metadata and builds the data lake used to display dashboards and to run searches and reports.

It provides dashboards and reports with information about the use case. The solution includes a set of dashboards and reports based on the technical information that is commonly gathered. You can also create and generate your own custom dashboards.

Note

ON Analytics is a non-critical component of the solution and therefore does not require high availability. The decision to implement one or more nodes will depend on the specific deployment requirements and the final architecture design.

If this component is taken offline, the main functionality of the OpenNAC Enterprise modules will remain operational. However, during this downtime, the system will not be able to process or display solution-related data.

In deployments where large volumes of data are generated, it may be necessary to deploy multiple Analytics nodes to balance the storage load.

The Analytics component has two roles, typically running on the same node:

  • Aggregator: This role receives information via Filebeat and processes logs using Logstash.

  • Analytics: This role handles data management through Elasticsearch and provides data
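The following Logstash pipeline is an added illustration of the Aggregator role described above; it is not configuration shipped with OpenNAC. It assumes that Filebeat on the ON Core and ON Sensor nodes is configured with output.logstash pointing at the Aggregator on port 5044, that the log lines have a syslog-like shape, and that the Analytics role's Elasticsearch listens on an assumed host name; the port, index name and field names are all assumptions.

```conf
# Added example of the Aggregator role (not OpenNAC's own pipeline).
# Filebeat on the other nodes ships events here; Logstash parses them and
# hands them to the Elasticsearch instance of the Analytics role.
input {
  beats {
    # Filebeat's output.logstash.hosts on the sending nodes points here.
    # Bind this listener to the management interface (assumed address).
    host => "10.0.0.10"
    port => 5044
  }
}

filter {
  # Assumed line shape, e.g. (constructed):
  # "Mar  3 10:15:42 oncore-01 radiusd: Login OK: user alice from 192.0.2.25"
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:ts} %{HOSTNAME:host_name} %{WORD:program}: %{GREEDYDATA:msg}" }
  }
  # Use the timestamp from the line rather than the ingestion time, so
  # dashboards show when the event actually happened on the node.
  date {
    match => ["ts", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
  }
}

output {
  elasticsearch {
    # Analytics role; host name and index pattern are assumptions.
    hosts => ["https://analytics-01.example.internal:9200"]
    index => "opennac-%{+YYYY.MM.dd}"
  }
}
```

When the Aggregator and Analytics roles are split across nodes, as the text says may be needed for large data volumes, only the hosts entry of the elasticsearch output changes; keeping that traffic on the management interface matches the two-interface layout described in the sizing note.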

4.5.3.2. Standard Architecture

The BYOD management use case can come from wired or Wi-Fi connections. For wired connections, the architecture is the following:

[Figure byod_cable_arch.png: BYOD architecture for wired connections]


For Wi-Fi connections, the architecture is the following:

[Figure byod_wifi_arch.png: BYOD architecture for Wi-Fi connections]


4.5.3.3. Standard Sizing

Concurrent user growth is achieved by adding more nodes in an N + 1 scheme.

Component       Number   CPU       Memory   Disk/Type     Network Int.
ON Core         1        8 Cores   16 GB    160 GB/SSD    2 NIC
ON Analytics    1        8 Cores   16 GB    200 GB/SSD    2 NIC

Note

The two network interfaces are mainly for service and management (internal communication between the different nodes).

4.5.3.3.1. Flow

The flow for this use case differs depending on whether the captive portal is used with redirection or with MAB-CoA.

4.5.3.4. Captive portal with redirection flow

In the case of a captive portal with redirection, the flow is the following:

[Figure byod_redir.png: captive portal with redirection flow]


4.5.3.5. Captive portal with MAB-CoA flow

In the case of a captive portal with MAB-CoA, the flow is the following:

[Figure byod_mabcoa.png: captive portal with MAB-CoA flow]