4. FreeNAC daemons
Install the software
The FreeNAC software should already have been installed as described in the section Installing the FreeNAC software.
Create group and user
You need to create a freenac user and group. This is handy if you want the configuration file to be accessible by other daemons (e.g. Apache, RADIUS).
groupadd freenac && useradd -r -g freenac freenac
Configure FreeNAC
Master server: Create a config.inc from a template and set the DB connection parameters (this should correspond to the password you set in the MySQL configuration):
cp /opt/nac/etc/config.inc.template /opt/nac/etc/config.inc
vi /opt/nac/etc/config.inc
Slave servers: copy /opt/nac/etc/config.inc from the master
Change the group ownership of the config.inc file and of the lib directory (including its contents), and set their permissions. Note that directories need the execute bit to be traversable, so directories under lib get 750 and files get 640; a plain recursive 640 would leave the directories unreadable:
chgrp freenac /opt/nac/etc/config.inc
chgrp -R freenac /opt/nac/lib
chmod 640 /opt/nac/etc/config.inc
find /opt/nac/lib -type d -exec chmod 750 {} +
find /opt/nac/lib -type f -exec chmod 640 {} +
For version 2.2 RC2 and earlier: import the config file into the database. To do so:
cd /opt/nac/contrib
./config2db ../etc/config.inc
For v2.2 RC3, v3.0 and later, all settings are in the 'config' table in the database. Only usernames and passwords remain in config.inc. The 'config' parameters are set via the Windows GUI (see the Administration -> config tab).
Policy (v3.0 and later)
A substantial change in FreeNAC v3.0 is the introduction of an object-oriented (OO) policy interface, which provides greater flexibility and encapsulation of the individual decisions regarding access to the network.
You need to specify a policy file to use. We provide some sample policy files in the etc directory. The Technical Guide has several policy chapters; please read at least the Sample Policies chapter.
A policy file that would be useful to many sites is etc/policy5.php; let's assume you wish to use that. Now create a symbolic link from that policy file to the default policy file name 'policy.inc.php':
cd /opt/nac/etc
ln -s policy5.php policy.inc.php
Masters and slaves normally have the same policy.
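The permissions and the policy link set up above are easy to get subtly wrong (a recursive chmod 640 leaves lib untraversable, a mistyped link name leaves policy.inc.php dangling), so here is a small post-install check. It is an added example, not part of the FreeNAC distribution; the install root and group name are arguments, defaulting to the page's /opt/nac and freenac.

```shell
#!/bin/sh
# Post-install check of the FreeNAC file layout set up in the steps above.
# Added example, not FreeNAC's own code. Arguments (assumed, with the page's
# defaults): install root and group name. Checks that:
#   - etc/config.inc (holds the DB credentials) is group GROUP, mode 640
#   - lib/: directories are 750 (execute bit needed to open files inside
#     them, so "chmod -R 640" is wrong), files 640, everything group GROUP
#   - etc/policy.inc.php is a symlink that resolves to an existing file
# Returns 0 when all checks pass, 1 otherwise, printing one line per problem.
check_freenac_layout() {
    base="${1:-/opt/nac}"
    group="${2:-freenac}"
    rc=0
    cfg="$base/etc/config.inc"

    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg missing (copy it from config.inc.template)"; rc=1
    else
        [ "$(stat -c %G "$cfg")" = "$group" ] || { echo "FAIL: $cfg is not group $group"; rc=1; }
        [ "$(stat -c %a "$cfg")" = "640" ] || { echo "FAIL: $cfg is not mode 640"; rc=1; }
    fi

    [ -d "$base/lib" ] || { echo "FAIL: $base/lib missing"; rc=1; }
    # find prints every path violating a rule; an empty result means pass
    bad=$(find "$base/lib" -type d ! -perm 750 2>/dev/null) || true
    [ -z "$bad" ] || { echo "FAIL: lib directories not mode 750:"; echo "$bad"; rc=1; }
    bad=$(find "$base/lib" -type f ! -perm 640 2>/dev/null) || true
    [ -z "$bad" ] || { echo "FAIL: lib files not mode 640:"; echo "$bad"; rc=1; }
    bad=$(find "$base/lib" ! -group "$group" 2>/dev/null) || true
    [ -z "$bad" ] || { echo "FAIL: lib entries not group $group:"; echo "$bad"; rc=1; }

    pol="$base/etc/policy.inc.php"
    if [ ! -L "$pol" ] || [ ! -e "$pol" ]; then
        echo "FAIL: $pol is not a symlink to an existing policy file"; rc=1
    fi
    return $rc
}
```

Run it as `check_freenac_layout /opt/nac freenac` after the steps above; a non-zero exit lists exactly what to fix.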
Start the vmps daemon
Create a start-up file and start the service:
cp /opt/nac/contrib/startup_init.d/vmps /etc/init.d/vmps
chmod 750 /etc/init.d/vmps
vi /etc/init.d/vmps [adapt the IP address on the vmpsd start line if you have more than one interface]
And activate it to start automatically according to your distro
chkconfig vmps on [SuSE]
update-rc.d vmps defaults [Ubuntu/Debian based distros]
Start and watch syslog for events:
/etc/init.d/vmps start
ps -ef | grep vmps
tail -f /var/log/messages
If vmpsd does not start, see the troubleshooting section of the Users Guide.
Start the postconnect (v2.x: vmps_lastseen) daemon
On V3:
cp /opt/nac/contrib/startup_init.d/postconnect /etc/init.d/postconnect
chmod 750 /etc/init.d/postconnect
And activate it to start automatically according to your distro
chkconfig postconnect on [SuSE]
update-rc.d postconnect defaults [Ubuntu/Debian based distros]
Start and watch syslog for events:
/etc/init.d/postconnect start
tail -f /var/log/messages
On V2.2 and earlier:
cp /opt/nac/contrib/startup_init.d/vmps_lastseen /etc/init.d/vmps_lastseen
chmod 750 /etc/init.d/vmps_lastseen
And activate it to start automatically according to your distro
chkconfig vmps_lastseen on [SuSE]
update-rc.d vmps_lastseen defaults [Ubuntu/Debian based distros]
Testing
Watch syslog for events:
tail -f /var/log/messages
If vmpsd does not start, see the troubleshooting section of the Users Guide.
See the Policy testing chapter of the Technical Guide for an explanation of how to read the syslog messages.