8. Web interface

Description

The Web GUI is an alternative to the Windows GUI, allowing control of some parts of the FreeNAC system. However, the Windows GUI remains the main method of configuring and monitoring FreeNAC.

Basic installation

Install Apache & libraries for graphics support:

  • Install Apache
  • Graphviz for the switch view
  • JPGraph for statistics (also requires freetype & the MS core fonts)
  • GD devel libraries

These libraries are normally provided by your distribution and should have been installed in previous (Linux) steps of this installation.

One exception is JPGraph, where the standard package may not work (e.g. on Ubuntu 7.10). If the graphs are not showing, or are completely blank, install from sources as follows. Download the latest jpgraph sources (this example uses version 2.3) from http://www.aditus.nu/jpgraph/jpdownload.php and untar the file to /opt:

cd /opt/
tar xvzf jpgraph-2.3.tar.gz
ln -s jpgraph-2.3 jpgraph

Next, install the MS TTF fonts that are used by jpgraph, if the msttfcorefonts package is not already on your system.

sudo apt-get install msttfcorefonts

JPGraph expects to find these fonts at /usr/X11R6/lib/X11/fonts/truetype, so create a link from the actual install location to there, for example on Ubuntu:

ln -s /usr/share/fonts/truetype/msttcorefonts/ /usr/X11R6/lib/X11/fonts/truetype

Configure the WebGUI

There are several options in the 'config' table of FreeNAC that may need setting. They can be configured using the Windows GUI (Administration -> config), or on the SQL command line (e.g. update config set value='NEW VALUE' where name='VARIABLE NAME').

  • web_jpgraph: set the path to jpgraph library (default /opt/jpgraph/src/)
  • web_dotcmd: set the graphviz binary (default /usr/bin/neato)
  • web_lastdays: show devices seen in the last XX days (default 14) in the switch-port diagram of the GUI.
  • web_logtail_file: what syslog file is to be shown under Monitoring > Syslog Messages log (default /var/log/messages)
  • web_logdebug_file: what syslog file is to be shown under Monitoring > Syslog Debug log (default /var/log/debug)
  • web_logtail_length: how many lines of the above logs are to be shown (default 100)
  • web_showdhcp: Enable the showing of the fields related to the DHCP management module (in beta status, default=false)
  • web_showdns: Enable the showing of the fields related to the DNS management module (in beta status, default=false)

Optional: Excel export

If you want to use the Excel export function you also need the PEAR module Spreadsheet_Excel_Writer. To install Spreadsheet_Excel_Writer, invoke the following command on your shell:

pear install --alldeps -f Spreadsheet_Excel_Writer

File permissions

Allow the apache user to read and write key files, so that the WebGUI functions correctly.

  • Add the apache user to the freenac unix group (e.g. on Ubuntu the apache user is www-data):

usermod -a -G freenac www-data

  • Ensure that the freenac group can read the configuration file:

chgrp freenac config.inc
chmod 640 config.inc

  • Change the owner of the /opt/nac/web/tmp directory to the apache user (e.g. 'www-data' on Ubuntu). This directory is used to write data when graphing:

chown www-data /opt/nac/web/tmp

The web interface can display the last lines of a given logfile (see 'Monitor > Syslog message log'). By default it shows the last 100 lines of /var/log/messages and /var/log/debug (on Ubuntu). These files need to be readable by the webserver:

chmod 644 /var/log/messages
chmod 644 /var/log/debug
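A small audit script to confirm the permission steps above took effect, added here as an example; it is not part of FreeNAC. It assumes the paths and names used in this chapter (config.inc under /opt/nac/etc, /opt/nac/web/tmp, the www-data apache user and the freenac group) and runs on Linux.

```python
import grp
import os
import pwd
import stat


def world_bits(path):
    """Return the 'other' permission bits of path (0 means no world access)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o007


def owner_and_group(path):
    """Return (owner name, group name) of path."""
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name


def user_in_group(user, group):
    """True if user is a member of the unix group, as primary or supplementary group."""
    try:
        g = grp.getgrnam(group)
        p = pwd.getpwnam(user)
    except KeyError:          # unknown user or group: cannot be a member
        return False
    return user in g.gr_mem or p.pw_gid == g.gr_gid


# Defaults are the values from this chapter; adjust for your distribution.
def audit(config_inc="/opt/nac/etc/config.inc", tmp_dir="/opt/nac/web/tmp",
          apache_user="www-data", nac_group="freenac"):
    """Return a list of findings; an empty list means the steps above are in place."""
    findings = []
    if not user_in_group(apache_user, nac_group):
        findings.append("%s is not a member of group %s" % (apache_user, nac_group))
    if os.path.exists(config_inc):
        _, group = owner_and_group(config_inc)
        if group != nac_group:
            findings.append("%s has group %s, expected %s" % (config_inc, group, nac_group))
        if world_bits(config_inc):
            findings.append("%s is world-accessible, mode should be 640" % config_inc)
    else:
        findings.append("%s not found" % config_inc)
    if os.path.isdir(tmp_dir):
        owner, _ = owner_and_group(tmp_dir)
        if owner != apache_user:
            findings.append("%s is owned by %s, expected %s" % (tmp_dir, owner, apache_user))
    else:
        findings.append("%s not found" % tmp_dir)
    return findings


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
```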

Apache: Enable the FreeNAC WebGUI

The Web GUI is located in /opt/nac/web, so we'll create a virtual directory in Apache pointing to this directory.

Locate your Apache main configuration file (it is distribution dependent) and add the definition of this virtual directory as follows. For example on Ubuntu, create /etc/apache2/sites-available/nac:

Alias /nac /opt/nac/web
<Directory /opt/nac/web/>
Options None
Order deny,allow
Allow from all
</Directory>
<LocationMatch "\/nac.*\.inc\.*">
Deny from all
</LocationMatch>

The LocationMatch stanza prevents any include file contained within your /opt/nac/web directory from being read over the web. This is really important, since your config.inc file contains sensitive information such as usernames and passwords.
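A check for the stanza above, added here as an example and not part of FreeNAC: it applies the same expression offline to a constructed list of URL paths, and can also probe a running server to confirm that every path the pattern is meant to deny really answers 403. The base URL (http://localhost by default) is an assumption.

```python
import re
import sys
import urllib.error
import urllib.request

# Same expression as the LocationMatch stanza above (Apache uses PCRE; Python's
# re behaves the same for this pattern). It is unanchored and case-sensitive.
INC_PATTERN = re.compile(r"\/nac.*\.inc\.*")

# Constructed probe list: what to request after the stanza has been deployed.
PROBE_PATHS = [
    "/nac/config.inc",         # holds credentials: must be denied
    "/nac/web1.config.inc",    # must be denied
    "/nac/config.inc.bak",     # backup copies are caught by the same pattern
    "/nac/index.php",          # must stay reachable
    "/nac/Config.INC",         # caveat: not matched, the pattern is case-sensitive
]


def is_denied_by_pattern(url_path):
    """True if the LocationMatch stanza would deny this URL path."""
    return INC_PATTERN.search(url_path) is not None


def check_server(base_url, paths=PROBE_PATHS, timeout=5):
    """HEAD each path on the running server; return {path: HTTP status or error}."""
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as e:
            results[path] = e.code
        except urllib.error.URLError as e:
            results[path] = "error: %s" % e.reason
    return results


def exposed_includes(results):
    """Paths the pattern should deny but which the server did not answer with 403."""
    return [p for p, status in results.items()
            if is_denied_by_pattern(p) and status != 403]


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    res = check_server(base)
    for p, status in sorted(res.items()):
        print("%-24s %s" % (p, status))
    print("exposed include files:", exposed_includes(res) or "none")
```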

To make the GUI the default webpage on the webserver, add to /etc/apache2/httpd.conf (on Ubuntu):

DocumentRoot /opt/nac/web

Enable the /etc/apache2/sites-available/nac configuration above.

a2ensite nac

Restart apache (/etc/init.d/apache2 restart)

Apache: Restrict Access to the GUI by IP address

The basic configuration above doesn't restrict access to this interface at all. The FreeNAC GUI can be configured to use either AD (Active Directory) or no authentication. The AD configuration is discussed in the next section.

If not doing any authentication in the FreeNAC GUI, then $anon_auth=true (and $ad_auth=false) must be set in web/web1.config.inc.

Then access to the GUI probably needs to be limited by a network firewall, or by limiting allowed source addresses in the webserver. To restrict access to certain IP addresses only, adapt the 'nac' virtual host definition above as follows:

Deny from all
Allow from 192.168.0.1 192.168.0.2

Apache: Restrict Access by apache login

Alternatively, user accounts can be maintained on apache, and a logon forced to limit access. Once again, set $anon_auth=true (and $ad_auth=false) in web/web1.config.inc.

AuthType Basic
AuthName name
AuthBasicProvider  file
# local file
AuthUserFile .htpasswd
Require valid-user

Apache: Authentication against Active Directory

The FreeNAC GUI can be configured to use either AD (Active Directory) or no authentication (see above). For AD authentication, Apache must be configured (see below) and web/web1.config.inc set as follows: $anon_auth=false, $ad_auth=true.

Using AD authentication allows assignment of rights per user, as each user is individually identified. Rights such as readonly/edit/admin are assigned via the 'guirights' field for that user (see examples further below).

To configure Apache to authenticate users against AD, use the module mod_authnz_ldap. Check whether the list of compiled-in modules contains an entry like mod_authnz_ldap.c (running a2enmod without any parameters lists the available modules).

Then enable the module:

a2enmod authnz_ldap

If the module is enabled, we are ready to start configuring Apache and the Web interface. If not, install this module.

In your Apache configuration (see above) you have already defined a VirtualHost entry for /nac. To perform AD authentication, you need to modify that entry as follows:

Alias /nac /opt/nac/web
<Directory "/opt/nac/web/">
Options All ExecCGI -Indexes
Order deny,allow
Allow from all
AuthzLDAPAuthoritative off
AuthType Basic
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "Sensitive Zone"
AuthLDAPBindDN cn=Administrator,cn=Users,dc=domain,dc=com
AuthLDAPBindPassword password
AuthLDAPURL "ldap://server.domain.com/?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))"
require valid-user
</Directory>
<LocationMatch "\/nac.*\.inc\.*">
Deny from all
</LocationMatch>

  • AuthLDAPBindDN is an optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap will use an anonymous bind.
  • AuthLDAPBindPassword is the bind password to use in conjunction with the bind DN.
  • AuthLDAPBindDN and AuthLDAPBindPassword should only be used if no anonymous bind is allowed.
  • AuthzLDAPAuthoritative prevents other authentication modules from authenticating the user if this one fails. Set it to off if this module should let other authentication modules attempt to authenticate the user, should authentication with this module fail.

If you have more than one domain, you should be using the Global Catalog, which uses port 3268. The Global Catalog is a read-only copy of selected attributes of all the Active Directory servers within the Active Directory forest. Querying the Global Catalog allows all the domains to be covered in a single query, without the query spanning servers over potentially slow links.

To use the Global Catalog, you just need to substitute the line

AuthLDAPURL "ldap://server.domain.com/?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))"

for

AuthLDAPURL "ldap://server.domain.com:3268/?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))"

To distinguish users between domains, an identifier called a User Principal Name (UPN) can be added to a user's entry in the directory. This UPN usually takes the form of the user's account name, followed by the domain components of the particular domain, for example:

somebody@nz.somedomain.com

For more information about mod_authnz_ldap please see http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

Once you are done with this, restart Apache and let's start configuring the Web interface.

Edit your file /opt/nac/etc/config.inc (or /opt/nac/web/config.inc if you are using v2.x) and adjust the following variables:

$ad_server
$ad_port
$ad_user
$ad_password
$ad_base
$ad_auth
  • ad_server: The domain controller where the AD is queried.
  • ad_port: Make sure it matches what you have defined in your Apache main configuration file. If you are using a Global Catalog set it to 3268, 389 otherwise.
  • ad_user: This is the DN of a user with sufficient privileges to read the necessary information from AD. The value should be in the form 'cn=User,cn=users,dc=domain,dc=com'.
  • ad_password: The password for ad_user.
  • ad_base: The base DN (Distinguished Name) where users' information is stored. The value should be in the form 'cn=users,dc=test,dc=com'.
  • ad_auth: Set it to true to activate AD authentication in the Web Interface, to false otherwise.

This interface reuses the credentials supplied to Apache to identify the user and do access control. Read-only and edit modes are available, which can be decided on a per-user basis.

Currently the rights can only be assigned in the 'Windows GUI' (Administration > Users > NAC Gui Rights) or on the SQL command line:

update users set nac_rights=1 where username='JOE';
update users set nac_rights=2 where username='BILL';
update users set nac_rights=99 where username='SUSAN';

This gives the user Joe read-only access, Bill edit access and Susan admin access. It is really only in the Windows interface that the power of the admin access comes into play.

Starting the WebGUI

After the above configuration, reload/restart apache

/etc/init.d/apache2 restart

Finally, point your web browser to http://YOURSERVER/nac and you should see the web interface.

See also the User guide documentation.

For troubleshooting, check:

tail -f /var/log/debug   (syslog debug)
tail -f /var/log/messages (syslog 'normal' messages)
tail -f /var/log/apache2/error.log  (Apache)

Also check the naclog and guilog tables, both of which are visible from the Windows and Web GUIs.
