4. FreeNAC daemons

Install the software

The FreeNAC software should already have been installed, as described in the section Installing the FreeNAC software.

Create group and user

You need to create a freenac user and group. This is handy if you want the configuration file to be accessible by other daemons (e.g. Apache, RADIUS).

groupadd freenac && useradd freenac -r -g freenac

Configure FreeNAC

Master server: create config.inc from the template and set the DB connection parameters (these must match the password you set in the MySQL configuration):

cp /opt/nac/etc/config.inc.template /opt/nac/etc/config.inc
vi /opt/nac/etc/config.inc

Slave servers: copy /opt/nac/etc/config.inc from the master.

Change the group of the config.inc file and the lib directory to freenac and tighten their permissions. config.inc holds the database credentials, so it must not be world-readable; the lib directory, on the other hand, must keep its execute (search) bit, otherwise the daemons cannot read the files inside it, which is why the recursive chmod uses a capital X rather than a plain 640:

chgrp freenac /opt/nac/etc/config.inc
chgrp -R freenac /opt/nac/lib
chmod 640 /opt/nac/etc/config.inc
chmod -R u=rwX,g=rX,o= /opt/nac/lib

For version 2.2 RC2 and earlier: import the config file into the database. To do so:

cd /opt/nac/contrib
./config2db ../etc/config.inc

For v2.2 RC3, v3.0 and later, all settings are in the 'config' table in the database. Only usernames and passwords remain in config.inc. The 'config' parameters are set via the Windows GUI (see the Administration -> config tab).

Policy (v3.0 and later)

A substantial change in FreeNAC v3.0 is the introduction of an OO (object-oriented) policy interface, which provides greater flexibility and encapsulates the individual decisions regarding access to the network.

You need to specify a policy file to use. We provide some sample policy files in the etc directory. The Technical Guide has several policy chapters; please read at least the Sample Policies chapter.

A policy file that would be useful to many sites is etc/policy5.php, so let's assume you wish to use that. Now create a symbolic link from that policy file to the default policy file name 'policy.inc.php':

cd /opt/nac/etc
ln -s policy5.php policy.inc.php

Masters and slaves normally have the same policy.

Start the vmps daemon

Create a start-up file and start the service:

cp /opt/nac/contrib/startup_init.d/vmps /etc/init.d/vmps
chmod 750 /etc/init.d/vmps
vi /etc/init.d/vmps       [adapt the IP address on the vmpsd start line if the host has more than one interface]

And activate it to start automatically according to your distro:

chkconfig vmps on [SuSE]
update-rc.d vmps defaults [Ubuntu/Debian based distros]
Start and watch syslog for events:

/etc/init.d/vmps start
ps -ef | grep vmps
tail -f /var/log/messages

If vmpsd does not start, see the troubleshooting section of the Users Guide.

Start the postconnect (v2.x: vmps_lastseen) daemon

On v3.0:

cp /opt/nac/contrib/startup_init.d/postconnect /etc/init.d/postconnect
chmod 750 /etc/init.d/postconnect

And activate it to start automatically according to your distro:

chkconfig postconnect on     [SuSE]
update-rc.d postconnect defaults    [Ubuntu/Debian based distros]

Start and watch syslog for events:

/etc/init.d/postconnect start
tail -f /var/log/messages

On v2.2 and earlier:

cp /opt/nac/contrib/startup_init.d/vmps_lastseen /etc/init.d/vmps_lastseen
chmod 750 /etc/init.d/vmps_lastseen

And activate it to start automatically according to your distro:

chkconfig vmps_lastseen on [SuSE]
update-rc.d vmps_lastseen defaults [Ubuntu/Debian based distros]
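Before starting the daemons it is worth confirming that the preceding steps left the files as intended: credentials not world-readable, the lib directory still searchable by the daemon group, the policy link resolving, and the start-up scripts executable. The following check is an added example, not part of FreeNAC; it assumes GNU coreutils stat and takes the tree root (empty for a live system, or a scratch directory to rehearse in) and the daemon group as parameters.

```shell
#!/bin/sh
# Added post-install check for the layout this guide creates (not FreeNAC's own tooling).
# Assumptions: GNU coreutils stat; ROOT is "" on a live system or a scratch directory
# to rehearse in; GROUP is the daemon group created above (freenac).
# Returns 0 when the layout matches the guide, 1 otherwise, printing one line per problem.
check_freenac_layout() {
    root="$1"; group="$2"; rc=0
    cfg="$root/opt/nac/etc/config.inc"
    lib="$root/opt/nac/lib"
    pol="$root/opt/nac/etc/policy.inc.php"

    # config.inc holds the DB credentials: readable by the daemon group, never by others.
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg (copy config.inc.template and set the DB parameters)"; rc=1
    else
        perms=$(stat -c '%A' "$cfg")                      # e.g. -rw-r-----
        [ "$(stat -c '%G' "$cfg")" = "$group" ] || { echo "GROUP: $cfg is not group $group"; rc=1; }
        [ "$(echo "$perms" | cut -c5)" = "r" ] || { echo "UNREADABLE: group cannot read $cfg ($perms)"; rc=1; }
        [ "$(echo "$perms" | cut -c8-10)" = "---" ] || { echo "WORLD-ACCESSIBLE: $cfg is $perms"; rc=1; }
    fi

    # lib must be searchable by the daemon group; a recursive 640 strips the x bit from the directory.
    if [ ! -d "$lib" ]; then
        echo "MISSING: $lib"; rc=1
    else
        perms=$(stat -c '%A' "$lib")
        [ "$(echo "$perms" | cut -c7)" = "x" ] || { echo "NOT SEARCHABLE: $lib is $perms (group needs x)"; rc=1; }
    fi

    # policy.inc.php should be a symlink that resolves to a real policy file (e.g. policy5.php).
    if [ ! -L "$pol" ]; then
        echo "MISSING: $pol is not a symlink to a policy file"; rc=1
    elif [ ! -f "$pol" ]; then
        echo "DANGLING: $pol -> $(readlink "$pol") does not exist"; rc=1
    fi

    # the start-up scripts copied into /etc/init.d must be executable
    [ -x "$root/etc/init.d/vmps" ] || { echo "INIT: $root/etc/init.d/vmps missing or not executable"; rc=1; }
    [ -x "$root/etc/init.d/postconnect" ] || [ -x "$root/etc/init.d/vmps_lastseen" ] ||
        { echo "INIT: neither postconnect (v3) nor vmps_lastseen (v2.x) is installed in $root/etc/init.d"; rc=1; }
    return $rc
}
```

Run it as `check_freenac_layout "" freenac` on the real system; a non-zero exit and the printed lines tell you which step to repeat.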


Testing

Watch syslog for events:

tail -f /var/log/messages

If vmpsd does not start, see the troubleshooting section of the Users Guide.
See the Policy testing chapter of the Technical Guide for an explanation of how to read the syslog messages.
