Spring Security and Radius

From OpenNMS

Sample Configuration

FreeRadius

Configuring FreeRadius outside of adding the dictionary file or adding the OpenNMS-User-Roles to the users file is beyond the scope of this document. Please see FreeRadius documentation and man pages for more.

OpenNMS Dictionary file

First, we need to create a dictionary file for OpenNMS. On Gentoo, dictionary files are located in /usr/share/freeradius. Create a new file in /usr/share/freeradius called dictionary.opennms. It should look like this:

VENDOR OpenNMS 5813
  BEGIN-VENDOR    OpenNMS
  ATTRIBUTE       OpenNMS-User-Roles    1          string
END-VENDOR OpenNMS

Now edit the file /usr/share/freeradius/dictionary and add the following line to it:

$INCLUDE dictionary.opennms

FreeRadius users file

To authorize users with OpenNMS user roles after they have been authenticated, we need to edit the FreeRadius users file. This may be located in /etc/raddb/users. Find the section for the user or group for which you would like to assign OpenNMS roles, and add the following:

OpenNMS-User-Roles = "ROLE_USER"

Or, if the user or group should also have the admin role:

OpenNMS-User-Roles = "ROLE_USER,ROLE_ADMIN"

See the List of Roles below for more.

A sample of a simple users file might look something like:

mike    User-Password == "foo"
        OpenNMS-User-Roles = "ROLE_USER"
chris   User-Password == "bar"
        OpenNMS-User-Roles = "ROLE_USER,ROLE_ADMIN"

Once you have FreeRadius configured to use the new dictionary file and to authorize OpenNMS user roles, restart FreeRadius.

Microsoft Network Policy Server (NPS)

Microsoft Network Policy Server (NPS) is a RADIUS add-on for Active Directory. Let's assume you have installed it and configured a RADIUS client previously, so we're looking specifically at how to configure the vendor attributes for our user roles.

Network Policy 'OpenNMS Admins'

Create a 'Network Policy' called 'OpenNMS Admins' with the following settings:

Overview:

Tick 'Policy enabled'.
Select 'Grant access.  Grant access if the connection request matches this policy'.
The 'Type of network access server' should be set to 'Unspecified'.

Conditions:

Windows Groups 'Domain Admins' (or whatever is appropriate for your admins)

Constraints - Authentication Methods:

EAP Types: Microsoft: Secured password (EAP-MSCHAP v2)
Disable all other tick boxes in this tab

Settings - Standard:

Attributes: Service-Type Framed

Settings - Vendor Specific:

Vendor Code:      5813
Attribute number: 1
Attribute format: String
Attribute value:  ROLE_USER,ROLE_ADMIN

Ensure this policy appears above the 'OpenNMS Users' policy.

Network Policy 'OpenNMS Users'

Create a 'Network Policy' called 'OpenNMS Users' with the following settings:

Overview:

Tick 'Policy enabled'.
Select 'Grant access.  Grant access if the connection request matches this policy'.
The 'Type of network access server' should be set to 'Unspecified'.

Conditions:

Windows Groups 'Domain Users' (or whatever is appropriate for your users)

Constraints - Authentication Methods:

EAP Types: Microsoft: Secured password (EAP-MSCHAP v2)
Disable all other tick boxes in this tab

Settings - Standard:

Attributes: Service-Type Framed

Settings - Vendor Specific:

Vendor Code:      5813
Attribute number: 1
Attribute format: String
Attribute value:  ROLE_USER

Ensure this policy appears below the 'OpenNMS Admins' policy.

Notes on spring security configuration

Within the applicationContext-spring-security.xml file we need to specify our authTypeClass as net.jradius.client.auth.EAPMSCHAPv2Authenticator to match with the configuration on the NPS side:

   <beans:property name="authTypeClass"><beans:bean class="net.jradius.client.auth.EAPMSCHAPv2Authenticator"/></beans:property>

The role attributes can be gained using the same syntax as for FreeRadius:

   <beans:property name="rolesAttribute" value="Unknown-VSAttribute(5813:1)"/>

When using an attribute that is named in the JRadius constants, use the attribute's name rather than the Unknown-VSAttribute(X:Y) notation above:

   <beans:property name="rolesAttribute" value="Cisco-AVPair"/>

Jetty

Configuring applicationContext-spring-security.xml

Spring security is configured in $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml. Open the file and look for the line:

<!-- ====================== RADIUS AUTHENTICATION ===================== -->

Below this line, add the following snippet of XML, changing the value "192.168.0.1" to the IP address of your RADIUS server and the value "secret" to the shared secret configured on your RADIUS server.

<beans:bean id="radiusAuthenticationProvider" class="org.opennms.web.springframework.security.RadiusAuthenticationProvider">
    <custom-authentication-provider />
    <beans:constructor-arg value="192.168.0.1"/>
    <beans:constructor-arg value="secret"/>
    <beans:property name="rolesAttribute" value="Unknown-VSAttribute(5813:1)"/>
</beans:bean>

Note the rolesAttribute line. This tells Jetty which vendor-specific attribute to use from the FreeRadius dictionary file we created above: 5813 is the enterprise number for OpenNMS and 1 is the OpenNMS-User-Roles attribute.
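As an added illustration (not code from the original page, OpenNMS or JRadius), the following Python shows what "Unknown-VSAttribute(5813:1)" refers to on the wire: it builds and parses the RFC 2865 Vendor-Specific attribute (type 26) carrying vendor 5813 / attribute 1 with a value such as "ROLE_USER,ROLE_ADMIN" from the users file above, and applies the rule from the List of Roles below that ROLE_USER must always be present. The function names and the constructed sample values are my own.

```python
import struct

# RADIUS Vendor-Specific attribute (type 26) carrying the OpenNMS VSA from
# the dictionary above: vendor id 5813, vendor type 1, string value.
VENDOR_SPECIFIC = 26
OPENNMS_VENDOR_ID = 5813
OPENNMS_USER_ROLES = 1

# Roles from the List of Roles on this page; ROLE_USER must always be present.
KNOWN_ROLES = {"ROLE_USER", "ROLE_ADMIN", "ROLE_READONLY", "ROLE_DASHBOARD",
               "ROLE_RTC", "ROLE_PROVISION", "ROLE_REMOTING"}


def encode_user_roles(roles):
    """Build the bytes a RADIUS server sends for
    OpenNMS-User-Roles = "ROLE_USER,ROLE_ADMIN" (RFC 2865 section 5.26 layout):
    type 26, length, vendor id (4 bytes), vendor type, vendor length, string."""
    value = ",".join(roles).encode("ascii")
    vsa = struct.pack("!BB", OPENNMS_USER_ROLES, 2 + len(value)) + value
    body = struct.pack("!I", OPENNMS_VENDOR_ID) + vsa
    if 2 + len(body) > 255:  # RADIUS AVP length is a single byte
        raise ValueError("role list too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_user_roles(avp):
    """Parse one Vendor-Specific AVP. Returns the role list for vendor 5813 /
    attribute 1, None for any other vendor attribute, and raises on bad lengths
    (a client should never trust the inner length fields blindly)."""
    if len(avp) < 8 or avp[0] != VENDOR_SPECIFIC or avp[1] != len(avp):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vendor_type, vendor_len = avp[6], avp[7]
    if vendor_len != len(avp) - 6:
        raise ValueError("vendor-length does not match attribute length")
    if vendor_id != OPENNMS_VENDOR_ID or vendor_type != OPENNMS_USER_ROLES:
        return None
    return [r for r in avp[8:].decode("ascii").split(",") if r]


def validate_roles(roles):
    """Apply the page's rules: every role must be one OpenNMS knows, and
    ROLE_USER must be included with each group. Returns the de-duplicated list."""
    unknown = sorted(set(roles) - KNOWN_ROLES)
    if unknown:
        raise ValueError("unknown roles: " + ", ".join(unknown))
    if "ROLE_USER" not in roles:
        raise ValueError("ROLE_USER must be included with each group")
    return list(dict.fromkeys(roles))
```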

Once you have specified the IP address of your FreeRadius server and the radius secret, restart OpenNMS to reload applicationContext-spring-security.xml.

Conclusion

You should now be able to log into OpenNMS using FreeRadius for authentication and authorization. Please note that if you wish to create duty schedules or notifications which escalate to users, you will still need to create an account inside of OpenNMS for these users. If the user names match on both sides, notifications should be seamless.

List of Roles

ROLE             DESCRIPTION
ROLE_USER        OpenNMS User (must be included with each group)
ROLE_ADMIN       OpenNMS Administrator
ROLE_READONLY    OpenNMS Read-Only User
ROLE_DASHBOARD   OpenNMS Dashboard User
ROLE_RTC         OpenNMS RTC Daemon
ROLE_PROVISION   OpenNMS Provision User
ROLE_REMOTING    OpenNMS Remote Poller User

See Also

Spring Security and LDAP