4. Installing the Windows Interface
- Download the Windows GUI (vmps.exe and vmps.xml) and save a copy to a folder, for example called FreeNAC.
- The GUI configuration file is vmps.xml; open it in your favourite text editor (vim, notepad, ...).
Configuration: NAC server IP address and Database name
- Configure vmps.xml and set the 'mysql server' parameter to the IP address of the NAC master server.
- By default, the GUI expects to connect to the 'opennac' database, which is initially empty. This is the database the FreeNAC server populates as it talks to the switches and routers in your environment.
To select this database, no changes are needed to vmps.xml.
- There is also a sample database "nacdemo" (see the contrib directory), if you wish the GUI to point to this:
Configure vmps.xml and set the 'mysql database' to 'nacdemo'.
- Optional (v3.0.1): a 'server2' parameter can be added to the mysql section to specify a secondary server. This enables a second 'connect' button in the GUI that allows connecting to the secondary server if the primary fails, so that the GUI continues to work if one of the servers dies.
Configuration: GUI user rights
There are two levels of authentication/authorisation:
A. MySQL authentication & authorisation: the Windows GUI uses a specific user & password to connect to the DB. We call this the 'mysql user'.
B. Windows GUI identification and authorisation: the GUI takes your currently logged-in Windows user to identify you, and uses the value in the nac_rights field for this user to control what you can do. We call this the 'NAC user'. Note that this second check is enforced client-side, in the GUI: it limits what the GUI offers a given Windows user, but anyone who holds the 'mysql user' credentials can reach the database directly with another client. The MySQL grants from (A) are therefore the real security boundary; the nac_rights value is not.
A. MySQL user
The MySQL user is created as part of the MySQL configuration and is granted access to certain tables remotely. This user is usually called 'inventwrite' (for historical reasons). The password chosen for this user now needs to be encrypted and stored in the Windows configuration file vmps.xml.
To verify that the inventwrite user exists, run the following at the MySQL prompt (as root on the NAC master server):
select user, host from mysql.user where user='inventwrite';
If you are using the Demo Virtual Machine, the password is PASSWORD1. This, of course, must be changed in a production environment!
Now, inform the Windows GUI which username/password it should use. The username and password are stored as an encrypted string called 'auth' in the vmps.xml configuration file.
- Start the GUI vmps.exe
- Select Admin -> Encrypt User
- Fill in the Username and Password, and click on Generate
- Copy the value of the 'generated key' field to the 'auth' field in vmps.xml
- Then, quit the GUI
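The following is an added example and is not part of the FreeNAC documentation or distribution. Because the nac_rights check in (B) is enforced client-side, the shared 'inventwrite' account is what actually protects the database, so it is worth changing its password and trimming its grants to what the GUI needs before going into production. The host range 192.0.2.% and the choice of privileges (read/write on the 'opennac' schema only) are assumptions; adjust both to your installation.

```sql
-- Added example, not part of the FreeNAC documentation: harden the 'inventwrite'
-- MySQL account that every copy of the Windows GUI shares.
-- Run as root at the MySQL prompt on the NAC master server.
-- ASSUMPTIONS (adjust): GUI workstations live in 192.0.2.0/24, and the GUI only
-- needs to read and write tables in the 'opennac' schema.

-- 1. See what exists today. A host of '%' means the account may log in from anywhere.
SELECT user, host FROM mysql.user WHERE user = 'inventwrite';
SHOW GRANTS FOR 'inventwrite'@'%';

-- 2. Replace the demo password (PASSWORD1 on the demo VM) with a long random secret.
--    Classic syntax for older MySQL 5.x servers:
SET PASSWORD FOR 'inventwrite'@'%' = PASSWORD('change-me-to-a-long-random-secret');
--    On MySQL 5.7+/8.0 or MariaDB 10.2+ use instead:
--    ALTER USER 'inventwrite'@'%' IDENTIFIED BY 'change-me-to-a-long-random-secret';

-- 3. Limit where the account may connect from (RENAME USER keeps password and privileges).
RENAME USER 'inventwrite'@'%' TO 'inventwrite'@'192.0.2.%';

-- 4. Drop any blanket privileges, then grant only what the GUI needs.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'inventwrite'@'192.0.2.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON opennac.* TO 'inventwrite'@'192.0.2.%';
FLUSH PRIVILEGES;

-- 5. Confirm the result: exactly one row, and no GRANT OPTION or global privileges.
SELECT user, host FROM mysql.user WHERE user = 'inventwrite';
SHOW GRANTS FOR 'inventwrite'@'192.0.2.%';
```

After changing the password, regenerate the 'auth' string (Admin -> Encrypt User) and update vmps.xml on every workstation, otherwise the GUI can no longer connect. If the demo account was created with a host other than '%', use that host in steps 1 to 3. If your installation also uses the mysql-inv inventory stanza or the 'nacdemo' database, extend the GRANT accordingly rather than falling back to a global grant.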
B. NAC user
The GUI uses your currently logged-in Windows user to identify you to the server. It also sends the Windows domain to the server.
Depending on the rights of this login name in the 'users' table, the GUI will grant you access or refuse to work.
So the Windows username must also exist in the NAC users table, and the user must have a permission value set. The permission is in the nac_rights field and can have three values (1=readonly, 2=write, 99=administrator).
- Read-only: users can view, but not make any changes in the GUI.
- Write: users can make changes in the Overview and Edit tabs, but not in the Switch, Ports, Logs or Administration tabs (config, vlan).
- Administrator: users can make changes in all tabs, including Switch, Ports, Logs and Administration.
Example: to add a user called 'jsmith' to the users table with administrator permissions, execute the following SQL command:
insert into opennac.users (username, Surname, GivenName, nac_rights) values ('jsmith', 'Smith', 'John', 99);
To change the permissions of existing users:
update users set nac_rights=1 where username='JOE';
update users set nac_rights=2 where username='BILL';
update users set nac_rights=99 where username='SUSAN';
Once users have been added, their permissions and other details can be changed in the GUI itself. (Administration -> Users).
For demonstration purposes, there is a 'demo mode' which is enabled if the field 'DemoMode' is set to '1' in the config table on the server.
If DemoMode is '1' and the DEMO company is set in vmps.xml, then all Windows users are given administrator access. This is fine for initial testing, but must be disabled afterwards.
To disable, do the following as root on the MySQL prompt:
update opennac.config set value='0' WHERE name='DemoMode';
Verification of the Windows domain
- The GUI can also be restricted to a specific Windows domain, if the 'guidomain' field in the config table on the server is set.
- If this is set to 'MYDOMAIN' for example, then the GUI will only allow users who are logged on to that domain to connect.
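The following audit script is an added example and is not part of the FreeNAC documentation. Run on the NAC master server after installation, it checks the three server-side settings described above that decide whether the GUI lets a Windows user in and what it lets them do: DemoMode, guidomain and each user's nac_rights. It uses only the column names shown in this section (users.username, users.nac_rights, config.name, config.value); whether a 'guidomain' row already exists in the config table is an assumption, hence the commented INSERT alternative.

```sql
-- Added example, not part of the FreeNAC documentation: post-install audit of the
-- server-side settings that control Windows GUI access. Run as root at the MySQL prompt.
-- Columns used: users.username, users.nac_rights, config.name, config.value.
USE opennac;

-- 1. Demo mode: if this returns '1', every Windows user is an administrator.
--    The production value must be '0'.
SELECT name, value FROM config WHERE name = 'DemoMode';
UPDATE config SET value = '0' WHERE name = 'DemoMode';

-- 2. Domain restriction: no row, or an empty value, means the GUI accepts logins
--    from any Windows domain. Replace MYDOMAIN with your own domain name.
SELECT name, value FROM config WHERE name = 'guidomain';
UPDATE config SET value = 'MYDOMAIN' WHERE name = 'guidomain';
-- If no 'guidomain' row exists yet (assumption: config has only name/value columns):
-- INSERT INTO config (name, value) VALUES ('guidomain', 'MYDOMAIN');

-- 3. Effective permission per user, with anything outside 1/2/99 flagged for review.
SELECT username, nac_rights,
       CASE nac_rights
            WHEN 1  THEN 'read-only'
            WHEN 2  THEN 'write'
            WHEN 99 THEN 'administrator'
            ELSE         'UNKNOWN - review'
       END AS role
FROM users
ORDER BY nac_rights DESC, username;

-- 4. Administrators should be a short, known list.
SELECT username FROM users WHERE nac_rights = 99;

-- 5. Rows without a valid permission cannot use the GUI; fix or remove them.
SELECT username FROM users
WHERE nac_rights IS NULL OR nac_rights NOT IN (1, 2, 99);
```

Keep the output of steps 3 and 4 with your change records: because the GUI enforces nac_rights on the client, this table plus the MySQL grants on the 'inventwrite' account are the only server-side record of who may change NAC data.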
Using the NAC Windows GUI
Start the GUI and press 'connect'.
See the Users Guide for a description of how to use the Windows interface.
There is also a pending bug/fixes list for the Windows GUI that you may wish to consult.
Connect to the online FreeNAC demo database
A sample database is available to play around and try out the GUI.
- Download the Windows GUI (vmps.exe) and save a copy to a folder, for example called FreeNACdemo.
- Download the demo config file vmps.xml
- Start vmps.exe
This will try to connect over the Internet to the FreeNAC demo database, which is re-initialised automatically every hour.
Note: this will not work behind a corporate proxying firewall; outgoing port 3306/tcp (MySQL) needs to be open.
Other vmps.xml parameters
The mysql-inv stanza is for the Microsoft SQL interface to a static inventory system, if one exists. This has been used for custom installations and is not documented yet. Basically, the inventory key in the systems table is used to look up information in the static inventory DB and display it in the Edit tab.
Since v3, parameters for enabling modules such as StaticInvEnabled, NmapEnabled, AntiVirusEnabled and PatchCableEnabled are no longer needed in vmps.xml; these are now set in the config table on the server.