CNaaS NAC - Installation

Prerequisites

  • VM/ physical machine with Linux and Docker.
  • Network access to the NAS(es).
  • Git repository for configuration files etc.

Git repositories and settings

To store settings and configuration we need one Git repository. Either the repository already used for etc-files in CNaaS or a completely new one can be used. In the lab installation of CNaaS NAC, we have the following files stored:

  • clients.conf - FreeRADIUS client configuration.
  • krb5.conf - Kerberos configuration for AD integration.
  • proxy.conf - Proxy configuration, tells FreeRADIUS which packets to pass on to Eduroam etc.
  • radiusd.conf - FreeRADIUS server configuration.
  • site-default - FreeRADIUS default logic.
  • smb.conf - Samba configuration for AD integration.

We must also store settings in Hiera, preferably as encrypted data using EYAML. The following data must be available:

  • RADIUS_SERVER_SECRET - The secret used when communicating with FreeRADIUS.
  • GITREPO_ETC - The Git repository for settings, mentioned above.
  • EDUROAM_R1_SECRET - Secret for primary Eduroam server (optional).
  • EDUROAM_R2_SECRET - Secret for secondary Eduroam server (optional).
  • AD_DOMAIN - Active Directory domain name (ad-lab.local for example) (optional).
  • AD_USERNAME - Active Directory username (optional).
  • AD_PASSWORD - Active Directory password (optional).
  • AD_BASE_DN - Active Directory base DN (optional).
  • AD_DNS_PRIMARY - Active Directory primary DNS server (optional).
  • AD_DNS_SECONDARY - Active Directory secondary DNS server (optional).
  • NTLM_DOMAIN - NTLM domain to use for authorisation (optional).

Docker

To distribute the software Docker is used. The first thing we must do is create two volumes: one for the persistent FreeRADIUS configuration and one for the Postgres database.

To create the volume for Postgres:

docker volume create --name=cnaas-postgres-data


And for FreeRADIUS:

docker volume create --name=cnaas-radius-etc


Below is an example of a docker-compose.yaml file which can be used to launch the containers needed.

version: '3.7'
services:
  nac_api:
    image: docker.sunet.se/cnaas-nac/api
    ports:
      - 1443:443
    networks:
      - cnaas
    environment:
      - RADIUS_SLAVE

  nac_radius:
    image: docker.sunet.se/cnaas-nac/radius
    ports:
      - 1812:1812/udp
      - 1813:1813/udp
    networks:
      - cnaas
    environment:
      - EDUROAM_R1_SECRET
      - EDUROAM_R2_SECRET
      - RADIUS_SERVER_SECRET
      - GITREPO_ETC
      - AD_DOMAIN
      - AD_USERNAME
      - AD_PASSWORD
      - AD_BASE_DN
      - NTLM_DOMAIN
      - AD_DNS_PRIMARY
      - AD_DNS_SECONDARY
    depends_on:
      - nac_api

  nac_postgres:
    image: docker.sunet.se/cnaas-nac/postgres
    volumes:
      - type: volume
        source: cnaas-postgres-data
        target: /var/lib/postgresql/data
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB
    ports:
      - 5432:5432
    networks:
      - cnaas

networks:
  cnaas:
    driver: bridge
    name: cnaas
    ipam:
      config:
      - subnet: 172.30.0.0/24
    driver_opts:
      com.docker.network.bridge.name: br-cnaas

volumes:
  # Must match the name given to "docker volume create" above.
  cnaas-postgres-data:
    external: true
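As an added example (not part of the CNaaS NAC project), the following POSIX shell script can be run before the compose file is launched. It checks that the Hiera-provided settings listed above are present in the environment, that the optional Active Directory settings are either all set or all absent, and that the two volumes created above exist. The all-or-nothing rule for the AD settings, the file name nac-preflight.sh and the treatment of AD_DNS_SECONDARY as genuinely optional are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight check to run before "docker compose up" for CNaaS NAC.
# Added example, not part of the CNaaS NAC project. The variable names are
# the Hiera settings listed on this page; the volume names are the ones
# created with "docker volume create" above. Treating the AD settings as
# all-or-nothing is an assumption made for this example.

# Settings without which FreeRADIUS or Postgres cannot start correctly.
REQUIRED_VARS="RADIUS_SERVER_SECRET GITREPO_ETC POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB"
# Optional AD integration (AD_DNS_SECONDARY is left out as a genuine optional).
AD_VARS="AD_DOMAIN AD_USERNAME AD_PASSWORD AD_BASE_DN AD_DNS_PRIMARY NTLM_DOMAIN"
# Persistent volumes that must exist before the containers are started.
VOLUMES="cnaas-postgres-data cnaas-radius-etc"

# Print, one per line, each name in $1 whose variable is unset or empty.
missing_vars() {
  for name in $1; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || printf '%s\n' "$name"
  done
}

# Return 0 when every required setting is present, 1 otherwise.
check_required() {
  set -- $(missing_vars "$REQUIRED_VARS")
  if [ $# -ne 0 ]; then
    printf 'missing required settings: %s\n' "$*" >&2
    return 1
  fi
  return 0
}

# Return 0 when AD integration is fully configured or fully absent.
# Catching a half-configured AD block here avoids debugging it inside the
# running FreeRADIUS container.
check_ad_consistent() {
  set -- $AD_VARS
  total=$#
  set -- $(missing_vars "$AD_VARS")
  if [ $# -ne 0 ] && [ $# -ne "$total" ]; then
    printf 'AD integration partially configured, missing: %s\n' "$*" >&2
    return 1
  fi
  return 0
}

# Return 0 when both volumes exist; skipped when the docker CLI is not installed.
check_volumes() {
  if ! command -v docker >/dev/null 2>&1; then
    echo 'docker not found, skipping volume check' >&2
    return 0
  fi
  rc=0
  for vol in $VOLUMES; do
    docker volume inspect "$vol" >/dev/null 2>&1 || {
      printf 'volume %s does not exist, create it with: docker volume create --name=%s\n' "$vol" "$vol" >&2
      rc=1
    }
  done
  return $rc
}

# Run every check when invoked as: sh nac-preflight.sh run
if [ "${1:-}" = "run" ]; then
  check_required && check_ad_consistent && check_volumes && echo 'preflight OK'
fi
```

The checks read the variables from the shell environment, so export the Hiera values (or source the file they are rendered into) before running the script; the secrets themselves are never printed, only the names of the settings that are missing.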
