8. Web interface

Description

The Web GUI is an alternative to the Windows GUI that allows control of some parts of the FreeNAC system. The Windows GUI remains the main method of configuring and monitoring FreeNAC, however.

Basic installation

Install Apache & libraries for graphics support:

These libraries are normally provided by your distribution and should have been installed in previous (Linux) steps of this installation.

One exception is JPGraph, where the standard package may not work (e.g. on Ubuntu 7.10). If the graphs are not showing, or are completely blank, install from source as follows. Download the latest jpgraph sources (this example uses version 2.3) from http://www.aditus.nu/jpgraph/jpdownload.php and unpack the file under /opt:

cd /opt/
tar xvzf jpgraph-2.3.tar.gz
ln -s jpgraph-2.3 jpgraph

Next, install the MS TrueType core fonts used by jpgraph, if the msttcorefonts package is not already on your system:

sudo apt-get install msttcorefonts

JPGraph expects to find these fonts at /usr/X11R6/lib/X11/fonts/truetype, so create a symlink there pointing at the actual install location (create the parent directory /usr/X11R6/lib/X11/fonts first if it does not exist). For example, on Ubuntu:

ln -s /usr/share/fonts/truetype/msttcorefonts/ /usr/X11R6/lib/X11/fonts/truetype 

Configure the WebGUI

There are several options in the 'config' table of FreeNAC that may need setting. They can be configured using the Windows GUI (Administration -> config), or on the SQL command line (e.g. update config set value='NEW VALUE' where name='VARIABLE NAME').

Optional: Excel export

If you want to use the Excel export function, you also need the PEAR module Spreadsheet_Excel_Writer. To install it, invoke the following command in your shell:

pear install --alldeps -f Spreadsheet_Excel_Writer 

File permissions

Allow the Apache user (www-data on Ubuntu) to read the FreeNAC configuration and to write to the web temp directory, so that the WebGUI functions correctly. config.inc lives in /opt/nac/etc by default (see further below); run the chgrp/chmod lines in that directory. Keeping config.inc at mode 640 with group freenac means that only its owner and the members of the freenac group (which now includes the web server) can read the passwords it contains:

usermod -a -G freenac www-data
chgrp freenac config.inc
chmod 640 config.inc
chown www-data /opt/nac/web/tmp

The web interface can display the last lines of a given logfile (see 'Monitor > Syslog message log'). By default it shows the last 100 lines of /var/log/messages and /var/log/debug (on Ubuntu). These files need to be readable by the web server. The simplest way is to make them world-readable, as below; note that this exposes the logs to every local account, and that log rotation may recreate the files with their original mode, so the change may not survive rotation. On Ubuntu the log files are owned by root and the adm group, so adding www-data to the adm group (as done above for freenac) is the narrower alternative:

chmod 644 /var/log/messages
chmod 644 /var/log/debug  

Apache: Enable the FreeNAC WebGUI

The Web GUI is located in /opt/nac/web, so we'll create an Alias in Apache that maps the URL /nac to this directory.

Locate your Apache main configuration file (it is distribution dependent) and add the definition of this alias as follows. For example on Ubuntu, create /etc/apache2/sites-available/nac:

Alias /nac /opt/nac/web
<Directory /opt/nac/web/>
Options None
Order deny,allow
Allow from all
</Directory>
<LocationMatch "\/nac.*\.inc\.*">
Deny from all
</LocationMatch> 

The LocationMatch stanza denies access to any include file under /opt/nac/web. This is really important, since config.inc contains sensitive information such as usernames and passwords. Note that the match is on the URL, not on the file: it only covers requests whose path starts with /nac. If you also make /opt/nac/web the DocumentRoot (next step), the same files become reachable under / (for example /web1.config.inc), where this rule does not apply. A FilesMatch block for .inc files placed inside the Directory block protects the files however they are mapped, and is the safer choice.

To make the GUI the default webpage on the webserver, add to /etc/apache2/httpd.conf (on Ubuntu):

DocumentRoot /opt/nac/web 

Enable the /etc/apache2/sites-available/nac configuration above.

a2ensite nac

Restart apache (/etc/init.d/apache2 restart)

Apache: Restrict Access to the GUI by IP address

The basic configuration above does not restrict access to this interface at all. The FreeNAC GUI can be configured to use either AD (Active Directory) authentication or no authentication. The AD configuration is discussed in the next section.

If not doing any authentication in the FreeNAC GUI, then $anon_auth=true (and $ad_auth=false) must be set in web/web1.config.inc.

Access to the GUI must then be limited by a network firewall, or by limiting the allowed source addresses in the web server. Apache checks the address of the TCP peer, so behind a NAT gateway or reverse proxy all clients appear to come from the same address and this check is of little use. To restrict access to certain IP addresses only, adapt the 'nac' definition above by replacing 'Allow from all' as follows:

Deny from all
Allow from 192.168.0.1 192.168.0.2 

Apache: Restrict Access by apache login

Alternatively, user accounts can be maintained on Apache, and a login forced to limit access. Once again, set $anon_auth=true (and $ad_auth=false) in web/web1.config.inc; Apache enforces the login, but in this mode the GUI itself does not distinguish between users. Two caveats: give AuthUserFile an absolute path outside /opt/nac/web (a relative path is resolved against the Apache ServerRoot, and a password file inside the web root may be served to clients), and serve the GUI over HTTPS, since Basic authentication sends the username and password, merely base64-encoded, with every request.

AuthType Basic
AuthName name
AuthBasicProvider  file
# local file
AuthUserFile .htpasswd
Require valid-user 
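The following puts the three protections together in one site definition. It is an added example, not configuration from the FreeNAC documentation or project: the include files are denied with a FilesMatch block inside the Directory block, so they stay protected even when /opt/nac/web is also the DocumentRoot (the LocationMatch above only covers URLs beginning with /nac); access is limited to a management subnet; and a login from an htpasswd file outside the web root is required on top. The subnet 192.168.0.0/24, the path /etc/apache2/nac.htpasswd and the realm name are assumptions. The Apache 2.2 syntax of this page is used, with the 2.4 equivalents in comments.

```apacheconf
# /etc/apache2/sites-available/nac -- added example, not FreeNAC's own config.
# Subnet, htpasswd path and realm name are assumptions; adjust to your site.
Alias /nac /opt/nac/web

<Directory /opt/nac/web/>
    Options None
    AllowOverride None

    # 1. Source-address restriction (Apache 2.2, mod_authz_host).
    #    Apache 2.4 equivalent: Require ip 192.168.0.0/24
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/24

    # 2. Local accounts. The file must be an absolute path outside /opt/nac/web;
    #    create it with: htpasswd -c /etc/apache2/nac.htpasswd joe
    AuthType Basic
    AuthName "FreeNAC"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/nac.htpasswd
    Require valid-user

    # Both the address check and the login must succeed. This is the 2.2
    # default, stated explicitly so nobody relaxes it by accident.
    # Apache 2.4: put 'Require ip ...' and 'Require valid-user' inside a
    # <RequireAll> block, since several Require lines in one section are
    # otherwise combined with OR.
    Satisfy All

    # 3. Never serve include files, whatever URL this directory is mapped to.
    #    Deliberately broad: matches config.inc, web1.config.inc, config.inc.bak
    #    Apache 2.4: replace the Order/Deny lines with 'Require all denied'.
    <FilesMatch "\.inc">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

After restarting Apache, verify the result rather than trusting it: a request for http://YOURSERVER/nac/web1.config.inc (and, if DocumentRoot is set, http://YOURSERVER/web1.config.inc) must return 403, and a request from an address outside 192.168.0.0/24 must also return 403 before any login prompt appears.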

Apache: Authentication against Active Directory

The FreeNAC GUI can be configured to use either AD (Active Directory) authentication or no authentication (see above). For AD authentication, Apache must be configured (see below) and web/web1.config.inc set as follows: $anon_auth=false, $ad_auth=true.

Using AD authentication allows assignment of rights per user, as each user is individually identified. Rights such as readonly/edit/admin are assigned via the 'guirights' field for that user (see examples further below).

To configure Apache to authenticate users against AD, use the module mod_authnz_ldap. Check that the module is available on your system (running a2enmod without any parameters lists the available modules; look for authnz_ldap).

Then enable the module:

a2enmod authnz_ldap

If the module is enabled, we are ready to start configuring Apache and the Web interface. If not, install this module.

In your Apache configuration (see above) you have already defined the /nac Alias and its Directory block. To perform AD authentication, modify that entry as follows. Note that 'Options All' in this example is considerably broader than the 'Options None' used earlier (it also enables, for instance, FollowSymLinks and server-side includes); keep 'Options None' unless something turns out to need more:

 Alias /nac /opt/nac/web
<Directory "/opt/nac/web/">
Options All ExecCGI -Indexes
Order deny,allow
Allow from all
AuthzLDAPAuthoritative off
AuthType Basic
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "Sensitive Zone"
AuthLDAPBindDN cn=Administrator,cn=Users,dc=domain,dc=com
AuthLDAPBindPassword password
AuthLDAPURL "ldap://server.domain.com/?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))"
require valid-user
</Directory> 
<LocationMatch "\/nac.*\.inc\.*">
Deny from all
</LocationMatch> 

AuthLDAPBindDN is an optional DN used to bind to the server when searching for entries. If not provided, mod_authnz_ldap uses an anonymous bind.
AuthLDAPBindPassword is the bind password to use in conjunction with the bind DN.
AuthLDAPBindDN and AuthLDAPBindPassword are only needed if no anonymous bind is allowed. Active Directory does not allow anonymous searches by default, so in practice both are required. Use a dedicated, unprivileged read-only account for this rather than the domain Administrator shown in the example, since the password is stored in clear in the Apache configuration (which should itself not be world-readable), and prefer ldaps:// to ldap://, otherwise the bind password and every user's Basic auth credentials cross the network unencrypted.
AuthzLDAPAuthoritative prevents other authentication modules from authenticating the user if this one fails. Set it to off if other modules should be allowed to try, should authentication with this module fail. (The directive exists in Apache 2.2 only.)

If you have more than one domain, you should use the Global Catalog, which listens on port 3268 (3269 for LDAPS). The Global Catalog is a read-only copy of selected attributes of all objects in the Active Directory forest. Querying it allows all domains to be searched in a single query, without the query spanning servers over potentially slow links.

To use the Global Catalog, replace the line

AuthLDAPURL "ldap://server.domain.com/?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))"

with

AuthLDAPURL "ldap://server.domain.com:3268/?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))" 

To distinguish users between domains, an identifier called a User Principal Name (UPN) can be added to a user's entry in the directory. This UPN usually takes the form of the user's account name, followed by the domain components of the particular domain, for example

somebody@nz.somedomain.com 
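As an added example (not FreeNAC's own configuration), here is the AD variant with the changes a practitioner would normally make to the block above: a dedicated read-only service account instead of cn=Administrator for the bind; LDAPS to the Global Catalog, so that neither the bind password nor the users' Basic auth credentials leave the server in clear; an explicit search base; the narrower Options None of the basic configuration; and login restricted to members of one AD group with Require ldap-group, so that not every account in the forest can reach the GUI. The host, service account, group name, CA file and search base are assumptions.

```apacheconf
# AD-authenticated /nac site -- added example, not FreeNAC's own config.
# Host, bind account, group, CA file and base DN are assumptions.

# Server-config scope (not inside <Directory>): trust the CA that issued the
# domain controllers' certificates, or every LDAPS connection will fail.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-ca.pem

Alias /nac /opt/nac/web

<Directory "/opt/nac/web/">
    Options None
    AllowOverride None
    Order deny,allow
    Allow from all

    AuthType Basic
    AuthName "FreeNAC"
    AuthBasicProvider ldap
    # Apache 2.2 only; the directive no longer exists in 2.4.
    AuthzLDAPAuthoritative off

    # Read-only service account, not the domain Administrator. The password is
    # stored in clear here, so this file must not be world-readable.
    AuthLDAPBindDN "cn=svc-freenac,cn=Users,dc=domain,dc=com"
    AuthLDAPBindPassword "change-me"

    # LDAPS to the Global Catalog: 3269 is the TLS port for the GC (636 for a
    # single domain controller). The search base is the forest root so that
    # all domains are covered; userPrincipalName is the login name.
    AuthLDAPURL "ldaps://server.domain.com:3269/dc=domain,dc=com?userPrincipalName?sub?(&(objectClass=person)(objectClass=user))"

    # Only members of this group may log in at all; FreeNAC's own per-user
    # rights then decide what each of them may do.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=FreeNAC-Operators,ou=Groups,dc=domain,dc=com

    # Never serve include files, whatever URL this directory is mapped to.
    <FilesMatch "\.inc">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

Before restarting Apache, test the bind account, the URL and the filter from the command line with ldapsearch, using the same host, port, bind DN, password and base DN: a search that fails there is far easier to diagnose than a bare '401 Unauthorized' in the browser, and the Apache error log (see the end of this chapter) shows the LDAP result code when the bind or the group check fails.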

For more information about mod_authnz_ldap please see http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

Once you are done with this, restart Apache and let's start configuring the Web interface.

Edit your file /opt/nac/etc/config.inc (or /opt/nac/web/config.inc if you are using v2.x) and adjust the following variables:

$ad_server
$ad_port
$ad_user
$ad_password
$ad_base
$ad_auth

This interface reuses the credentials supplied to Apache to identify the user and do access control. Read-only, edit and admin rights can be assigned on a per-user basis.

Currently the rights can only be assigned in the 'Windows GUI' (Administration > Users > NAC Gui Rights) or on the SQL command line:

update users set nac_rights=1 where username='JOE';
update users set nac_rights=2 where username='BILL';
update users set nac_rights=99 where username='SUSAN';

This gives the user Joe read-only access, Bill edit access and Susan admin access. It is really only in the Windows interface that the power of admin access comes into play.

Starting the WebGUI

After the above configuration, reload/restart apache

/etc/init.d/apache2 restart 

Finally, point your web browser to http://YOURSERVER/nac and you should see the web interface.

See also the User guide documentation.

For troubleshooting, check:

tail -f /var/log/debug   (syslog debug)
tail -f /var/log/messages (syslog 'normal' messages)
tail -f /var/log/apache2/error.log  (Apache)

Also check the naclog and guilog tables, both of which are visible from the Windows and Web GUIs.