Campus Network as a Service
Prerequisites
- VM/ physical machine with Linux and Docker.
- Network access to the NAS(es).
- Git repository for configuration files etc.
Git repositories and settings
To store settings and configuration we need one Git repository. The repository used for etc-files in CNaaS can be used, or a completely new one. In the lab installation of CNaaS NAC, we have the following files stored:
- clients.conf - FreeRADIUS client configuration.
- krb5.conf - Kerberos configuration for AD integration.
- proxy.conf - Proxy configuration, tells FreeRADIUS which packets to pass on to Eduroam etc.
- radiusd.conf - FreeRADIUS server configuration.
- site-default - FreeRADIUS default logic.
- smb.conf - Samba configuration for AD integration.
We must also store settings in Hiera, preferably as encrypted data using EYAML. The following data must be available:
- RADIUS_SERVER_SECRET - The shared secret used when communicating with FreeRADIUS.
- GITREPO_ETC - The Git repository for settings, mentioned above.
- EDUROAM_R1_SECRET - Secret for primary Eduroam server (optional).
- EDUROAM_R2_SECRET - Secret for secondary Eduroam server (optional).
- AD_DOMAIN - Active Directory domain name (ad-lab.local for example) (optional).
- AD_USERNAME - Active Directory username (optional).
- AD_PASSWORD - Active Directory password (optional).
- AD_BASE_DN - Active Directory base DN (optional).
- AD_DNS_PRIMARY - Active Directory primary DNS server (optional).
- AD_DNS_SECONDARY - Active Directory secondary DNS server (optional).
- NTLM_DOMAIN - NTLM domain to use for authorisation (optional).
Docker
The software is distributed as Docker images. The first step is to create the volumes that will hold the persistent FreeRADIUS configuration and the Postgres database.
To create the volume for Postgres:
docker volume create --name=cnaas-postgres-data
And for FreeRADIUS:
docker volume create --name=cnaas-radius-etc
Below is an example of a docker-compose.yaml file which can be used to launch the containers needed.
version: '3.7'
services:
  nac_api:
    image: docker.sunet.se/cnaas-nac/api
    ports:
      - 1443:443
    networks:
      - cnaas
    environment:
      - RADIUS_SLAVE
  nac_radius:
    image: docker.sunet.se/cnaas-nac/radius
    ports:
      - 1812:1812/udp
      - 1813:1813/udp
    networks:
      - cnaas
    # Bare entries pass the variable through from the launching shell;
    # an unset variable arrives in the container as an empty value.
    environment:
      - EDUROAM_R1_SECRET
      - EDUROAM_R2_SECRET
      - RADIUS_SERVER_SECRET
      - GITREPO_ETC
      - AD_DOMAIN
      - AD_USERNAME
      - AD_PASSWORD
      - AD_BASE_DN
      - NTLM_DOMAIN
      - AD_DNS_PRIMARY
      - AD_DNS_SECONDARY
    depends_on:
      - nac_api
  nac_postgres:
    image: docker.sunet.se/cnaas-nac/postgres
    volumes:
      - type: volume
        source: nac-postgres-data
        target: /var/lib/postgresql/data
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB
    # Published on all host interfaces; bind to 127.0.0.1:5432:5432 if the
    # database only needs to be reachable from the host itself.
    ports:
      - 5432:5432
    networks:
      - cnaas
networks:
  cnaas:
    driver: bridge
    name: cnaas
    ipam:
      config:
        - subnet: 172.30.0.0/24
    driver_opts:
      com.docker.network.bridge.name: br-cnaas
volumes:
  nac-postgres-data:
    external: true
    # Must match the volume created with "docker volume create" above,
    # otherwise compose fails with an "external volume not found" error.
    name: cnaas-postgres-data
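Because the compose file passes every variable through as a bare name, a missing secret is not an error at start-up. The following pre-flight script is an added example, not part of CNaaS NAC; it assumes the variable names from the compose file above and the two volume names created earlier, and the 16-octet minimum for the RADIUS shared secret is the recommendation in RFC 2865.

```shell
#!/bin/sh
# Pre-flight check before `docker compose up` for the CNaaS NAC stack.
# The compose file lists variables as bare "- NAME" entries, so an unset
# RADIUS_SERVER_SECRET silently becomes empty in the container. Fail closed.

# Variables the containers cannot run without (from the Hiera list plus the
# POSTGRES_* variables the compose file references).
REQUIRED_VARS="RADIUS_SERVER_SECRET GITREPO_ETC POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB"

# check_required: report every required variable that is unset or empty;
# returns 1 if any is missing.
check_required() {
    missing=0
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "preflight: $v is not set" >&2
            missing=1
        fi
    done
    return $missing
}

# check_radius_secret: RFC 2865 recommends a shared secret of at least 16
# octets; refuse shorter (or empty) secrets.
check_radius_secret() {
    if [ "${#RADIUS_SERVER_SECRET}" -lt 16 ]; then
        echo "preflight: RADIUS_SERVER_SECRET shorter than 16 characters" >&2
        return 1
    fi
}

# check_volumes: the compose file declares the Postgres volume external, so
# it must exist before starting. Needs the docker CLI on the host.
check_volumes() {
    for vol in cnaas-postgres-data cnaas-radius-etc; do
        docker volume inspect "$vol" >/dev/null 2>&1 ||
            { echo "preflight: volume $vol not found (docker available?)" >&2; return 1; }
    done
}

# Run every check only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    { check_required && check_radius_secret && check_volumes; } || exit 1
    echo "preflight OK"
fi
```

Run it in the same shell that will launch compose, since that is the environment the bare variable entries are resolved from.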