Sample Configuration
FreeRadius
Configuring FreeRadius beyond adding the dictionary file and putting OpenNMS-User-Roles into the users file is outside the scope of this document. Please see the FreeRadius documentation and man pages for more.
OpenNMS Dictionary file
First, we need to create a dictionary file for OpenNMS. On Gentoo, dictionary files are located in /usr/share/freeradius. Create a new file in /usr/share/freeradius called dictionary.opennms. It should look like this:
VENDOR          OpenNMS         5813
BEGIN-VENDOR    OpenNMS
ATTRIBUTE       OpenNMS-User-Roles      1       string
END-VENDOR      OpenNMS
Now edit the file /usr/share/freeradius/dictionary and add the following line to it:
$INCLUDE dictionary.opennms
FreeRadius users file
To authorize users with OpenNMS user roles after they have been authenticated, we need to edit the FreeRadius users file. This may be located in /etc/raddb/users. Find the section for the user or group for which you would like to assign OpenNMS roles, and add the following:
OpenNMS-User-Roles = "ROLE_USER"
Or, if the user or group should also have the admin role:
OpenNMS-User-Roles = "ROLE_USER,ROLE_ADMIN"
See the List of Roles below for more.
A sample of a simple users file might look something like this (each reply item is on its own indented continuation line, as FreeRadius requires):
mike    User-Password == "foo"
        OpenNMS-User-Roles = "ROLE_USER"
chris   User-Password == "bar"
        OpenNMS-User-Roles = "ROLE_USER,ROLE_ADMIN"
Note that this stores the passwords in cleartext, so the users file must be readable only by the FreeRadius service account. FreeRadius 2 and later warn about the User-Password == check-item syntax and expect Cleartext-Password := instead; the OpenNMS-User-Roles reply item is unchanged either way.
Once you have FreeRadius configured to use the new dictionary file and to authorize OpenNMS user roles, restart FreeRadius. Starting it in the foreground with radiusd -X shows whether the dictionary parsed and, for each request, which attributes the reply carries, so you can confirm that OpenNMS-User-Roles is actually being sent before touching OpenNMS.
Microsoft Network Policy Server (NPS)
Microsoft Network Policy Server (NPS) is a RADIUS add-on for Active Directory. Let's assume you have installed it and configured a RADIUS client previously, so we're looking specifically at how to configure the vendor attributes for our user roles.
Network Policy 'OpenNMS Admins'
Create a 'Network Policy' called 'OpenNMS Admins' with the following settings:
Overview:
Tick 'Policy enabled'. Select 'Grant access. Grant access if the connection request matches this policy'. Set 'Type of network access server' to 'Unspecified'.
Conditions:
Windows Groups 'Domain Admins' (or whatever appropriate for your admins)
Constraints - Authentication Methods:
EAP Types: Microsoft: Secured password (EAP-MSCHAP v2). Disable all other tick boxes in this tab.
Settings - Standard:
Attributes: Service-Type Framed
Settings - Vendor Specific:
Vendor Code: 5813. Attribute number: 1. Attribute format: String. Attribute value: ROLE_USER,ROLE_ADMIN
Ensure this policy appears above the 'OpenNMS Users' policy. NPS applies the first policy whose conditions match, and a Domain Admin is normally also a Domain User, so if the policies were ordered the other way round every administrator would be granted only ROLE_USER.
Network Policy 'OpenNMS Users'
Create a 'Network Policy' called 'OpenNMS Users' with the following settings:
Overview:
Tick 'Policy enabled'. Select 'Grant access. Grant access if the connection request matches this policy'. Set 'Type of network access server' to 'Unspecified'.
Conditions:
Windows Groups 'Domain Users' (or whatever appropriate for your users)
Constraints - Authentication Methods:
EAP Types: Microsoft: Secured password (EAP-MSCHAP v2). Disable all other tick boxes in this tab.
Settings - Standard:
Attributes: Service-Type Framed
Settings - Vendor Specific:
Vendor Code: 5813. Attribute number: 1. Attribute format: String. Attribute value: ROLE_USER
Ensure this policy appears below the 'OpenNMS Admins' policy.
Notes on spring security configuration
Within the applicationContext-spring-security.xml file we need to specify our authTypeClass as net.jradius.client.auth.EAPMSCHAPv2Authenticator to match with the configuration on the NPS side:
<beans:property name="authTypeClass"><beans:bean class="net.jradius.client.auth.EAPMSCHAPv2Authenticator"/></beans:property>
The roles attribute is specified with the same syntax as for FreeRadius, since the vendor code and attribute number are the same on both servers:
<beans:property name="rolesAttribute" value="Unknown-VSAttribute(5813:1)"/>
Jetty
Configuring applicationContext-spring-security.xml
Spring security is configured in $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml. Open the file and look for the line:
<!-- ====================== RADIUS AUTHENTICATION ===================== -->
Below this line, add the following snippet of XML, changing the value "192.168.0.1" to the IP address of your RADIUS server and the value "secret" to the shared secret configured for OpenNMS as a client on that server.
<beans:bean id="radiusAuthenticationProvider" class="org.opennms.web.springframework.security.RadiusAuthenticationProvider">
<custom-authentication-provider />
<beans:constructor-arg value="192.168.0.1"/>
<beans:constructor-arg value="secret"/>
<beans:property name="rolesAttribute" value="Unknown-VSAttribute(5813:1)"/>
</beans:bean>
Note the rolesAttribute line. It tells the OpenNMS RADIUS authentication provider (not Jetty itself) which vendor-specific attribute in the Access-Accept carries the user's roles: 5813 is the IANA enterprise number for OpenNMS and 1 is the OpenNMS-User-Roles attribute defined in the dictionary file above, so the value is the same whether the server is FreeRadius or NPS. This snippet does not set authTypeClass, so the provider uses its default, PAP, which is what the User-Password entries in the FreeRadius users file above check against; the NPS section shows the EAP-MSCHAPv2 setting that policy requires.
Once you have specified the IP address of your RADIUS server and the shared secret, restart OpenNMS to reload applicationContext-spring-security.xml. The secret sits in cleartext in this file, so restrict its permissions to the account OpenNMS runs as, and choose a long random secret: it is the only key protecting PAP passwords on the wire and the only thing that authenticates the server's reply to OpenNMS.
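The exchange that the configuration above sets up, as an added example that is not OpenNMS or FreeRADIUS code: a stdlib-only Python client that encodes a PAP User-Password the way RFC 2865 specifies, checks the server's Response Authenticator against the shared secret, and extracts the roles from the 5813:1 vendor-specific attribute, which is the work the rolesAttribute setting delegates to OpenNMS's provider. It doubles as the check from the FreeRadius section, showing what a reply for the sample users actually carries. The address 192.168.0.1, the secret "secret" and the chris/bar credentials are the page's sample values and are assumptions; build_access_accept is a stand-in for the server so the round trip can be verified offline.

```python
"""Minimal RADIUS/PAP exchange from RFC 2865 (added example, not OpenNMS or FreeRADIUS code).
The server address, shared secret and credentials used below are illustrative assumptions."""
import hashlib, hmac, os, socket, struct

OPENNMS_VENDOR_ID = 5813    # IANA enterprise number for OpenNMS: the "5813" in 5813:1
OPENNMS_USER_ROLES = 1      # OpenNMS-User-Roles vendor attribute: the "1" in 5813:1
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26

def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block), seeded with
    the Request Authenticator. Keyed obfuscation, not encryption: a guessable secret exposes every password."""
    if len(password) > 128:
        raise ValueError("PAP passwords are limited to 128 bytes")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def decode_pap_password(ciphertext, secret, authenticator):  # server-side inverse, for the offline check
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], keystream))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value; Length counts its own two header bytes, so values cap at 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (type 26): 4-byte Vendor-Id, then vendor type/length/value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))

def parse_attributes(data):
    """Yield (type, value) pairs; a bad length raises instead of looping or over-reading."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def opennms_roles(attrs):
    """Collect role names from every OpenNMS-User-Roles VSA, i.e. Unknown-VSAttribute(5813:1)."""
    roles = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != OPENNMS_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):  # one VSA may carry several sub-attributes
            if vtype == OPENNMS_USER_ROLES:
                roles += [r.strip() for r in vvalue.decode().split(",") if r.strip()]
    return roles

def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(
        USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_access_accept(ident, request_auth, secret, roles):
    """What the server sends back for the sample users above; here it drives the offline demo."""
    attrs = vsa(OPENNMS_VENDOR_ID, OPENNMS_USER_ROLES, ",".join(roles).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(response, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret). Skip this and
    anyone able to answer the client's UDP port can forge an Access-Accept carrying ROLE_ADMIN."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def authenticate(server, secret, username, password, timeout=3.0):
    """Send one PAP Access-Request; return the role list on Accept, None on Reject."""
    ident = os.urandom(1)[0]
    request, request_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        response, _ = sock.recvfrom(4096)
    if response[1] != ident or not verify_response(response, request_auth, secret):
        raise ValueError("reply failed the Response Authenticator check: wrong secret or spoofed packet")
    return opennms_roles(parse_attributes(response[20:])) if response[0] == ACCESS_ACCEPT else None

if __name__ == "__main__":  # offline round trip standing in for the "chris" users-file entry (constructed)
    secret, ra = b"secret", b"\x00" * 16
    accept = build_access_accept(7, ra, secret, ["ROLE_USER", "ROLE_ADMIN"])
    print(verify_response(accept, ra, secret), opennms_roles(parse_attributes(accept[20:])))
```

Run as-is for the offline round trip; against a live FreeRadius server, authenticate("192.168.0.1", b"secret", "chris", "bar") returns the role list the server actually sends, which is exactly what the provider splits on commas to grant roles. It will not work against the NPS policies above, which only accept EAP-MSCHAPv2, and note that a missing ROLE_USER in the returned list is a configuration error on the server side rather than something the client can repair.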
Conclusion
You should now be able to log into OpenNMS using your RADIUS server for authentication and authorization. Please note that if you wish to create duty schedules or notifications which escalate to users, you will still need to create an account inside OpenNMS for those users; if the user names match on both sides, notifications should work seamlessly.
List of Roles
| ROLE | DESCRIPTION |
| ROLE_USER | OpenNMS User. Must be included in the roles of every user or group, alongside any other role granted. |
| ROLE_ADMIN | OpenNMS Administrator |
| ROLE_READONLY | OpenNMS Read-Only User |
| ROLE_DASHBOARD | OpenNMS Dashboard User |
| ROLE_RTC | OpenNMS RTC Daemon |
| ROLE_PROVISION | OpenNMS Provision User |
| ROLE_REMOTING | OpenNMS Remote Poller User |