Introduction

CNaaS NAC provides a way for clients to authenticate themselves using IEEE 802.1X and/or MAB.

Features:

  • Automatic registration of MAB clients.
  • Periodic cleanup of inactive clients.
  • Replication between primary and secondary server.
  • API which can be used for all sorts of integrations.
  • Port-locking: a client can be bound to a single switch port for enhanced security.
  • Fancy web UI written in React.

CNaaS NAC consists of two parts, NAC and the NAC frontend, both of which run in Docker. Docker Compose is used to manage all containers. The first goal is to start the CNaaS NAC containers without the frontend; a minimal Compose file for this is given in the Docker section below (of course secrets and passwords should be replaced).

Prerequisites

  • VM or physical machine with Linux and Docker.
  • Network access to the NAS(es).
  • Git repository for configuration files etc.

Git repositories and settings

To store settings and configuration we need one Git repository. The repository used for etc-files in CNaaS can be used, or a completely new one. In the lab installation of CNaaS NAC, we have the following files stored:

  • clients.conf - FreeRADIUS client configuration.
  • krb5.conf - Kerberos configuration for AD integration.
  • proxy.conf - Proxy configuration, tells FreeRADIUS which packets to pass on to Eduroam etc.
  • radiusd.conf - FreeRADIUS server configuration.
  • site-default - FreeRADIUS default logic.
  • smb.conf - Samba configuration for AD integration.

We must also store settings in Hiera, preferably as encrypted data using EYAML. The following data must be available:

  • RADIUS_SERVER_SECRET - The shared secret used when communicating with FreeRADIUS.
  • GITREPO_ETC - The Git repository for settings, mentioned above.
  • EDUROAM_R1_SECRET - Secret for primary Eduroam server (optional).
  • EDUROAM_R2_SECRET - Secret for secondary Eduroam server (optional).
  • AD_DOMAIN - Active Directory domain name (ad-lab.local for example) (optional).
  • AD_USERNAME - Active Directory username (optional).
  • AD_PASSWORD - Active Directory password (optional).
  • AD_BASE_DN - Active Directory base DN (optional).
  • AD_DNS_PRIMARY - Active Directory primary DNS server (optional).
  • AD_DNS_SECONDARY - Active Directory secondary DNS server (optional).
  • NTLM_DOMAIN - NTLM domain to use for authorisation (optional).

Docker

To distribute the software, Docker is used. The first thing we must do is create the volumes used for the persistent FreeRADIUS configuration and the Postgres database.

To create the volume for Postgres:

docker volume create --name=cnaas-postgres-data

And for FreeRADIUS:

docker volume create --name=cnaas-radius-etc

Below is an example of a docker-compose.yaml file which can be used to launch the containers needed.

version: '3.7'
services:
  nac_api:
    build: api/
    ports:
      - 1443:4430
    networks:
      cnaas:
        ipv4_address: 172.31.0.10
    depends_on:
      - nac_postgres

  nac_radius:
    build: radius
    ports:
      - 1812:1812/udp
      - 1813:1813/udp
    networks:
      cnaas:
        ipv4_address: 172.31.0.20
    environment:
      - RADIUS_SERVER_SECRET=testing123
      - RADIUS_NO_PORT_LOCK=True
    depends_on:
      - nac_api
    volumes:
      - type: volume
        source: nac-freeradius-data
        target: /etc/Freeradius/3.0/
      - type: volume
        source: nac-var-data
        target: /var/
      - type: volume
        source: nac-api-certs
        target: /opt/cnaas/certs/

  nac_postgres:
    build: postgres
    volumes:
      - type: volume
        source: nac-postgres-data
        target: /var/lib/postgresql/data/
    environment:
      - POSTGRES_USER=cnaas
      - POSTGRES_PASSWORD=cnaas
      - POSTGRES_DB=nac
    ports:
      - 5432:5432
    networks:
      cnaas:
        ipv4_address: 172.31.0.30

networks:
  cnaas:
    driver: bridge
    name: cnaas
    ipam:
      config:
      - subnet: 172.31.0.0/24
    driver_opts:
      com.docker.network.bridge.name: br-cnaas

volumes:
  nac-postgres-data:
    external: false
  nac-freeradius-data:
    external: false
  nac-var-data:
    external: false
  nac-api-certs:
    external: false

This will launch the containers needed for NAC. If you need to edit any configuration files for FreeRADIUS (out of the scope of this document), the easiest way is either to run bash inside the nac_radius container and edit the files there, or to do it from the host in the directory where the nac-freeradius-data volume is mounted. The control socket etc. for radmin is enabled inside the container for debugging.

To launch the frontend, CNaaS Auth POC must first be running; instructions are available here: CNaaS Auth POC server installation
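The example compose file ships with RADIUS_SERVER_SECRET=testing123 and POSTGRES_PASSWORD=cnaas, values that must be replaced before the stack is reachable from any NAS. The script below is an added pre-flight check (example code, not part of CNaaS NAC) that refuses to continue while a compose file still carries those placeholder credentials, or a secret shorter than a chosen minimum. It assumes the "- KEY=value" environment style used in the file above; the key list, the placeholder list and MIN_SECRET_LEN are assumptions of this script, not CNaaS settings.

```shell
#!/bin/sh
# Pre-flight check for a CNaaS NAC docker-compose.yaml (added example, not
# part of CNaaS NAC). It fails when the compose file still contains the
# placeholder credentials from the page's example file, or a secret that is
# too short, so the stack is never launched with well-known credentials.
# Assumes the "- KEY=value" environment style used in that file.

# Minimum secret length: an assumption of this script, not a CNaaS requirement.
MIN_SECRET_LEN=16

# Placeholder values taken from the example compose file on the page.
PLACEHOLDERS='testing123 cnaas'

# Credentials the example compose file carries; extend if more are added.
CHECKED_KEYS='RADIUS_SERVER_SECRET POSTGRES_PASSWORD'

# secret_value FILE KEY: print the value assigned to KEY (first match), or nothing.
secret_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | head -n 1
}

# check_key FILE KEY: succeed only if KEY is set, not a placeholder and long enough.
check_key() {
    value=$(secret_value "$1" "$2")
    if [ -z "$value" ]; then
        echo "$2: not set in $1" >&2
        return 1
    fi
    for p in $PLACEHOLDERS; do
        if [ "$value" = "$p" ]; then
            echo "$2: placeholder value '$p' still present, replace it" >&2
            return 1
        fi
    done
    if [ "${#value}" -lt "$MIN_SECRET_LEN" ]; then
        echo "$2: value shorter than $MIN_SECRET_LEN characters" >&2
        return 1
    fi
    return 0
}

# check_compose FILE: run check_key for every credential in CHECKED_KEYS,
# reporting all failures before returning a non-zero status.
check_compose() {
    rc=0
    for key in $CHECKED_KEYS; do
        check_key "$1" "$key" || rc=1
    done
    return $rc
}

# With a compose file as argument: run the checks, then let Compose validate
# the file syntax before anything is started (e.g. ./check.sh docker-compose.yaml).
if [ $# -gt 0 ]; then
    check_compose "$1" || exit 1
    docker compose -f "$1" config -q
fi
```

The check only looks at the credentials the example file defines; if the optional EDUROAM or AD secrets are added to the environment section, add their keys to CHECKED_KEYS. Note also that the compose file above declares every volume with external: false, so Compose creates nac-postgres-data, nac-freeradius-data and the others itself; the manually created cnaas-postgres-data and cnaas-radius-etc volumes are only used if the source names in the compose file are changed to match, or those volumes are declared external.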