Install from Virtual Appliance (lab01)

Proposed lab

This is a basic openNAC lab to test openNAC core functionality such as policy management, user monitoring, netconf, ...

Video tutorial

You can watch the video on YouTube: http://www.youtube.com/watch?v=I0_qg8wPCd4

Physical layout

The openNAC VM has one physical interface, connected as a trunk:
  • eth0: NAC interface, connected to switch port 1 in a TRUNK configuration

Logical layout

The openNAC VM has four logical (VLAN) interfaces on top of eth0:
  • eth0.310: REGISTRY interface of openNAC server, with VLAN id 310
  • eth0.320: QUARANTINE interface of openNAC server, with VLAN id 320
  • eth0.330: SERVICE interface of openNAC server, with VLAN id 330
  • eth0.1: ADMIN interface of openNAC server with VLAN 1

System Requirements

Minimum Hardware requirements

  • PC or laptop with a hypervisor such as KVM, VirtualBox or VMware
  • Cisco switch (2950, 2960 or 3550)
  • PC or laptop to simulate the end user (Windows, Linux or macOS)

Minimum Software requirements

  • KVM hypervisor or VirtualBox hypervisor or VMware hypervisor
  • Browser

Minimum Network requirements

  • No Internet connection is assumed on the "Service network"

Download VM image

Prerequisites

Switch config

Parameters

port 1 TRUNK to openNAC vm
port 2 uplink to service network
port 17 802.1x client
vlan 310 registry
vlan 320 quarantine
vlan 330 service
192.168.1.2 switch admin ip at vlan1

Cisco 2960 sample config

Note that the addresses in this sample (switch management IP 192.168.2.150 on Vlan1, RADIUS and SNMP trap host 192.168.2.254) differ from the 192.168.1.2 listed in the parameters above; adjust them to your lab. The SNMP communities, telnet access on the vty lines and type 7 passwords are lab settings only.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ft81$YJv.jiXKq0dR.a2ziIrj20
!
username admin password 7 04541B03012F4D4D
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 description externaltrunk
 switchport mode trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description uploadswitch
 switchport access vlan 330
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
 description TaBon
!
interface FastEthernet0/12
 description TaBon
!
interface FastEthernet0/13
 switchport mode access
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 2
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport mode access
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
!
interface FastEthernet0/16
 description test8021x
 switchport mode access
 authentication event no-response action authorize vlan 310
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/17
 description test8021x
 switchport mode access
 authentication event no-response action authorize vlan 310
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
 description opennactrunk
 switchport mode trunk
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 description opennactrunk
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address 192.168.2.150 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.2.254 version 2c public
radius-server host 192.168.2.254 auth-port 1812 acct-port 1813 key 7 021201481F0F01261D1C5A
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
banner motd ^C
   Switch Node Barcelona.
   Access Restricted and monitored.
   Authorized Access Only.
^C
!
line con 0
 exec-timeout 0 0
 password 7 104D000A0618
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 password 7 0209145E05080E22
 logging synchronous
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 password 7 104D000A0618
 logging synchronous
!
mac address-table notification change
end
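
As an added example (not part of the openNAC project or of this lab page), a small Python audit that parses a running-config in the format above, lists which ports are 802.1X-controlled together with their no-response VLAN, which ports carry no authentication at all, and flags the lab-only management settings (default SNMP communities, telnet, type 7 passwords). The embedded config is a constructed excerpt of the sample, not the full file.

```python
# Constructed excerpt of the Cisco 2960 sample config above, trimmed to a few sections.
SAMPLE_CONFIG = """\
snmp-server community public RO
interface FastEthernet0/14
!
interface FastEthernet0/17
 switchport mode access
 authentication event no-response action authorize vlan 310
 authentication port-control auto
 mab
 dot1x pae authenticator
!
line vty 0 4
 password 7 0209145E05080E22
 transport input telnet ssh
"""

def parse_sections(config):
    """Split an IOS running-config into (header line, [indented sub-lines]) blocks."""
    sections, header, body = [], None, []
    for line in (l.rstrip() for l in config.splitlines()):  # 'show run' pads lines with spaces
        if line.startswith(" ") and header:                  # indented line: belongs to current block
            body.append(line.strip())
        elif line and line != "!":                           # '!' separators never open a block
            if header:
                sections.append((header, body))
            header, body = line, []
    return sections + ([(header, body)] if header else [])

def audit(config):
    """Report 802.1X-controlled ports, ports with no authentication, and weak management settings."""
    dot1x, unauth, weak = {}, [], []
    for header, body in parse_sections(config):
        words = header.split()
        if header.startswith("interface FastEthernet"):
            if "authentication port-control auto" in body:
                guest = [l.split()[-1] for l in body if l.startswith("authentication event no-response")]
                dot1x[words[1]] = {"mab": "mab" in body, "no_response_vlan": int(guest[0]) if guest else None}
            elif "switchport mode trunk" not in body:
                unauth.append(words[1])                      # unconfigured port: no 802.1X at all
        elif header.startswith("snmp-server community") and words[2] in ("public", "private"):
            weak.append(f"default SNMP community '{words[2]}'")
        elif header.startswith("line vty"):
            if any(l.startswith("transport input") and "telnet" in l.split() for l in body):
                weak.append(f"{header}: telnet enabled")
            if any(l.startswith("password 7") for l in body):
                weak.append(f"{header}: type 7 (reversible) password")
    return {"dot1x": dot1x, "unauthenticated": unauth, "weak": weak}
```

Running `audit()` over the full sample above would list the empty ports (Fa0/3-0/10, 0/14, 0/18-0/22) as unauthenticated, which is what you would expect to tighten before moving this config out of the lab.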

Connectivity

  • VM Server connected to the switch in a Trunk port (switch port 1)
  • PC Client connected to the switch in a User port (switch port 17)
  • [Optional] Service vlan gw (switch port 2)

Setup VM

Convert disk Images

  • OVA to VDI [Using VirtualBox utils]
tar xf opennac_XXX_img.ova
VBoxManage clonehd --format VDI opennac_XXX_img-disk1.vmdk opennac_XXX_img.vdi
  • VDI to QCOW2 [Using qemu utils]
qemu-img convert -f vdi -p -c -O qcow2 opennac_XXX_img.vdi opennac_XXX_img.qcow2

KVM

  • Set up a bridged network device on the host (NAC port)

  • Use the qcow2 VM image

VirtualBox

TBD

VMWARE

TBD

First VM Setup

On first boot, configure the interfaces with the opennac-iface utility:

/usr/share/opennac/utils/vm-iface-config/opennac-iface

Configure Keyboard and Timezone

Web Wizard Setup

  • Log in to the admin console: point the browser at http://<opennac IP>/admin
  • Web admin credentials: admin/opennac

Now reboot the openNAC server (log in as root over SSH and run the command below), or restart the dhcpd and named services manually.

# reboot

Configure a client with 802.1X

TBD

Test that a client is connected

TBD

Change Policy

If no policy is defined, every request is redirected to the REGISTRY vlan.

Policy rule to force user device registration

The purpose of this rule is to redirect all devices that are authenticated by a user (using 802.1x) but not previously registered to the REGISTRY vlan, so that users must register their devices.

  • Add rule
    • During all day
    • On any user
    • Using an UNREGISTERED DEVICE (a device whose MAC is not present in the user devices CMDB)
    • Assign REGISTRY vlan

  • Policy order

Overwrite Default rule

Since the previous rule already catches all unregistered devices, redirect the remaining (registered) devices of every user to a custom VLAN; here the SERVICE vlan is chosen:

  • Add rule
    • During all day
    • On any user
    • Using any device
    • Assign SERVICE vlan

  • Final Policy rules

Setup a sample onNETconf job

To create a sample onNETconf job that runs commands such as:

terminal length 0
show running-config

Go to ON NetConf/Create

Click on "Select Target"

Click on "Send to Scheduler"

Click on "Accept"

Click on "Status"

Click on "Detail"

Commonly Used Server Administration Commands

TBD

Log files in openNAC

TBD

Grepping and Tailing Errors

TBD