diff --git a/configuration/authentication.md b/configuration/authentication.md
index a2d0307..f2bc27e 100644
--- a/configuration/authentication.md
+++ b/configuration/authentication.md
@@ -1,29 +1,53 @@
-# Authentication
+## [Authentication ](#authentication)
+
+[Supported Authentication](#supported-authentication)
+
+[HTTPS only](#https-only)
+
+[RADIUS](#radius)
-In many environments different Authentication is required. By default FMADIO capture systems using built in BASIC authentication over HTTP. As this makes configuration and setup simple but is very weak security setting.
+[Active Directory](#active-directory)
+
+[Google Cloud](#google-cloud)
+
+[Ping Identity](#ping-identity)
+
+[LDAP Optional](#ldap-optional)
+
+
+
+# Authentication
+[Supported]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Authentication"
+
+Many environments require different Authentication processes. By default, FMADIO captures systems
+using built-in BASIC authentication over HTTP as this makes configuration and setup simple. However, it is a very weak security setting. The following is a list of [Supported Authentication](#supported-authentication) methods
+
## Supported Authentication
+[Supported]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Supported Authentication"
-* BAISC (insecure)
+* BASIC (insecure)
* HTTPS Only + BASIC
* RADIUS
* Active Directory (SSO via OAUTH 2.0)
* Google Cloud (SSO via OAUTH 2.0)
-* Ping Identity Cloud (SSO via OAUTH 2.0)
+* Ping Identity Cloud (SSO via OAUTH 2.0)
+
## HTTPS Only
+[HTTPS only]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "HTTPS only"
-By default HTTP and HTTPS are enabled on the GUI. In any security setting HTTP needs to be disabled, as its an unsecure protocol. To disable HTTP edit the config file
+By default, HTTP and HTTPS are enabled on the GUI. In any security setting, HTTP must be disabled, as it's an unsecured protocol. To disable HTTP, edit the config file:
### General Config
-```
+```c
/opt/fmadio/etc/time.lua
```
Find the "Security" section as follows
-```
+```c
["Security"] =
{
["HTTPAccess"] = "enable",
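Review bot: The heading is now duplicated: `-# Authentication` becomes `+## [Authentication ](#authentication)` (with a stray space inside the link text) and a second `+# Authentication` is added further down, so the page opens with an H2 link heading followed by an H1 of the same name; keep one `# Authentication` and place the table of contents under it. The `[Supported]: https://github.com/fmadio/documentation/edit/...` reference definitions added in this and later hunks are never referenced as `[Supported]` (or `[RADIUS]`, `[Google]`, ...) anywhere in the file and all point at the GitHub edit URL, so they render nothing; drop them or give them real targets. In the new intro, "FMADIO captures systems using built-in BASIC authentication" has the wrong subject and verb; suggest "By default, FMADIO capture systems use built-in BASIC authentication over HTTP". Finally, the fences changed from bare ``` to ```c throughout the patch contain Lua tables, file paths and shell commands, none of which is C; use ```lua for the time.lua and oauth_opts.lua excerpts and ```bash (or ```text) for paths and commands so highlighting is not misleading.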
@@ -34,9 +58,9 @@ Find the "Security" section as follows
```
-Change the "HTTPAccess" section from "enable" to false as follows
+Edit the "HTTPAccess" section from "enable" to "false" as follows:
-```
+```c
["HTTPAccess"] = false,
```
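Review bot: `+Edit the "HTTPAccess" section from "enable" to "false" as follows:` puts quotes around false, but the code line it introduces is the bare boolean `["HTTPAccess"] = false,`; a reader who copies the quoted form writes the string "false", which is not what the example sets. Suggest: Change the "HTTPAccess" value from `"enable"` to `false`, as follows ("value" rather than "section", since it is one key in the Security table).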
@@ -44,17 +68,18 @@ Save the file
### Restart Nginx
-Then restart nginx as follows
+Restart nginx by running the following command:
-```
+```c
sudo killall nginx
```
-NGINX will restart automatically within 60 seconds with the updated configuration. Only HTTPS access is possible.
-
-SSO configuration is more complicated, please contact support@fmad.io and we can walk you thru the setup personally
+NGINX will restart automatically within 60 seconds with the updated configuration. Only HTTPS access is now possible.
+SSO configuration is more complicated, please contact support@fmad.io and we can walk you thru the setup personally
+
## RADIUS
+[RADIUS]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Radius"
**FW: 7563+**
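Review bot: The blank line between `+NGINX will restart automatically within 60 seconds ...` and `+SSO configuration is more complicated, ...` was removed, so in Markdown the two sentences render as one paragraph; restore the blank line. While touching that sentence, "walk you thru" should be "walk you through", and the comma splice can be fixed: "SSO configuration is more complicated; please contact support@fmad.io ...".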
@@ -62,15 +87,15 @@ We support RADIUS authentication using the freeradius client. Configuration is a
### **General Config**
-Edit the configuration file
+Edit the configuration file using the command
-```
+```c
/opt/fmadio/etc/time.lua
```
-Find the "Security" section, example shown below
+Find the "Security" section, as shown below:
-```
+```c
["Security"] =
{
["HTTPAccess"] = false,
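Review bot: `+Edit the configuration file using the command` is followed by a fence containing only the path `/opt/fmadio/etc/time.lua`, which is not a command. Either keep the original "Edit the configuration file" wording above the path or show an actual editor invocation. As elsewhere in the patch, the ```c tag does not match the content.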
@@ -87,52 +112,55 @@ Find the "Security" section, example shown below
### **Disable HTTP Access**
-Change the following, this disabled the HTTP protocol
+Edit the following configuration. This disables the HTTP protocol:
-```
+```c
["HTTPAccess"] = false,
```
-Changes the following, this enables RADIUS as the authentication method
+Edit the following, it sets RADIUS as the authentication method
-```
+```c
["Auth"] = "RADIUS",
```
Configure your RADIUS login information
-```
+```c
["RADIUS_Secret"] = "testing123",
["RADIUS_Host"] = "192.168.1.1",
["RADIUS_Protocol"] = "PPP",
```
-Finally the Timeout, this is how long the system waits until it will automatically logout the user and requirement them to re-authenticate. Value is in nanoseconds, scientific notation and formula is no problem. Per below, 24 hours \* 60 min \* 60 sec \* 1e9 (nanos)
+Finally, there's a Timeout, the user is logged out and will be required to re-authenticate. The value is in nanoseconds, an example of converting 1 day to nanoseconds and setting it as the timeout value is shown below:
-```
+```c
["RADIUS_Timeout"] = 24*60*60*1e9,
```
### **Restart Nginx**
-Restart nginx as follows, it will re-spawn within 60sec automatically
+Restart nginx using the command below and it will re-spawn within 60sec automatically
-```
+```c
sudo killall nginx
```
### **Login**
-You should see a login page when accessing FMADIO as follows
+You should see a login page to access FMADIO as shown in the screenshot below:
- (1).png>)
+
+
+
+
### **TROUBLESHOOTING**
-If there is some problems, please confirm on CLI using radclient, example as follows.
+If there are some problems, please confirm on CLI using radclient, see example below.
-```
+```c
fmadio@fmadio100v2-228U:$ echo "User-Name = steve" | radclient :1812 auth testing123
Sent Access-Request Id 95 from 0.0.0.0:56527 to 192.168.2.132:1812 length 27
Received Access-Reject Id 95 from 192.168.2.132:1812 to 192.168.2.175:56527 length 20
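Review bot: The rewritten timeout sentence `+Finally, there's a Timeout, the user is logged out and will be required to re-authenticate.` drops the definition the old text gave (the timeout is how long the system waits before it automatically logs the user out) and is a comma splice; suggest "Finally, set the Timeout: how long the system waits before it automatically logs the user out and requires re-authentication. The value is in nanoseconds; the example below sets it to 1 day (24*60*60*1e9)." `+You should see a login page to access FMADIO as shown in the screenshot below:` now points at nothing, because the image line `- (1).png>)` was deleted and replaced by blank lines; restore the image reference or drop "as shown in the screenshot below". "Edit the following, it sets RADIUS as the authentication method" is another comma splice. The `RADIUS_Secret` value `testing123` is the stock FreeRADIUS example shared secret; a short remark that it is a placeholder to be replaced with the site's own secret would stop it being carried into production unchanged.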
@@ -141,37 +169,40 @@ fmadio@fmadio100v2-228U:$
```
-## Active Directory (SSO via OAUTH 2.0)
+### Active Directory
+[Active Directory]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Active Directory"
**FW:7608+**
-FMADIO Capture devices can authenticate the users using Active Directory via the OAUTH 2.0 protocol. This enable Single Sign On with ADFS.
+FMADIO Capture devices can authenticate the users using Active Directory via the OAUTH 2.0 protocol. This enables Single Sign On with ADFS.
### Public IP Testing
-In the follow example we have used a reverse SSH tunnel to temporarily put FMADIO system on a public IP, as Azure Active Directory services require internet accessible devices for the redirect\_uri.
+In the following example, we have used a reverse SSH tunnel to temporarily put the FMADIO system on a public IP, as Azure Active Directory services require internet-accessible devices for the redirect\_uri.
+
-For an On Premise Active Directory server this is not required.
+> :memo: **Note:** For an On-Premise Active Directory Server, this is not required.
+
-Example Reverse SSH Tunnel
+Example of Reverse SSH Tunnel:
-```
+```c
ssh -R 8888:192.168.1.100:443 ec2-user@aws-instance.compute.amazonaws.com
```
-NOTE: SSH tunnel should not use localhost, as all localhost sourced requests bypass authentication. Instead use the IP address of the management interface
+NOTE: SSH tunnel should not use localhost, as all localhost-sourced requests bypass authentication. Instead, use the IP address of the management interface
### General Config
Start by editing the general FMADIO configuration file
-```
+```c
/opt/fmadio/etc/time.lua
```
-Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as is.
+Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", as shown in the example below. The other security fields can be left as they are.
-```
+```c
["Security"] =
{
["HTTPAccess"] = "disable",
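Review bot: `-## Active Directory (SSO via OAUTH 2.0)` becomes `+### Active Directory`, an H3, while RADIUS, Google Cloud and Ping Identity remain H2 and the new table of contents links to `#active-directory` as a peer section; keep it at `## Active Directory` so the section nests correctly, and consider keeping the "(SSO via OAUTH 2.0)" qualifier since the Supported Authentication list still names it that way. `+Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", ...` is still a sentence fragment; the Google Cloud hunk later in this patch fixes the same sentence to "Then set ...", so do the same here. The NOTE that the SSH tunnel must not use localhost because localhost-sourced requests bypass authentication is the most security-relevant line in this section and deserves at least the `> :memo: **Note:**` treatment given to less important sentences.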
@@ -184,15 +215,15 @@ Save the file and ensure there are no parse errors by running fmadiolua /opt/fma
### OAUTH Config
-Next create a file name
+Next, create a file name
-```
+```c
/opt/fmadio/etc/oauth_opts.lua
```
This file contains the ADFS OAUTH End points as follows
-```
+```c
local config =
{
redirect_uri = "https://fmadio100v2-ip-address:8888/secure/",
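Review bot: `+Next, create a file name` should read "Next, create a file named", since the path follows. The ```c tag on a Lua file path is wrong, as elsewhere in the patch.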
@@ -207,81 +238,102 @@ local config =
return config
```
-These fields are from the ADFS Endpoint URI information, for example as follows. We created a fmadio sign in entry, this has the following client\_id entered above.
+These fields are from the ADFS Endpoint URI information. We created a fmadio sign-in entry, which has the client\_id entered above.
+The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen in the screenshot below.
+
-The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen below.
+
- (1) (1) (1).png>)
+the "client\_id" is shown below
+
-the "client\_id" is the shown below
+
- (1) (1) (1) (1) (1).png>)
+
-The "client\__secret" in the above config needs to be the Value shown below, not the secretID_
+> :memo: **Note:** The "client\__secret" in the above config needs to be the Value shown below, not the secretID_
- (1) (1).png>)
+
-Finally the "redirect\_uri" needs to be registered as follows.
+
- (1) (1) (1) (1).png>)
+
-Once config is complete, please confirm no syntax errors by running
+Finally the "redirect\_uri" needs to be registered as follows:
-```
+
+
+
+Once config is complete, please confirm there are no syntax errors by running
+
+```c
fmadiolua /opt/fmadio/etc/oauth_opts.lua
```
-Correct output is as follows, if there are any syntax errors please correct.
+The correct output is as shown in the screenshot below. If there are any syntax errors, please correct them.
+
+
- (1) (1).png>)
+
### Restart nginx
-Restart nginx to load in the new configuration file, by killing the process as below. It will reswpan on a 1min cron job automatically
+Restart nginx to load in the new configuration file, by killing the process using the command below. It will re-spawn on a 1min cron job automatically
-```
+```c
sudo killall nginx
```
### Logging in
-Next point a browser to the FMADIO device, it should redirect you to the Active Directory login page as follows.
+Next, point a browser to the FMADIO device. It should redirect you to the Active Directory login page as shown in the screenshot below.
+
+
- (1) (1).png>)
+
+
-Login to the system using your Azure / Microsoft credentials. Then the FMADIO device dashboard will be shown as below
+Login to the system using your Azure / Microsoft credentials. Then the FMADIO device dashboard will be as shown below
+
- (1) (1) (1).png>)
+
+
### Logout
-Logout is the same, using the logout button shown below
+Logout is the same, using the logout button shown below:
+
+
+
+
- (1) (1) (1).png>)
+Then choose an account to sign out of
-Then choose an account to sign out of
+
- (1) (1) (1) (1).png>)
+
+
-## Google Cloud (SSO via OAUTH 2.0)
+## Google Cloud
+[Google]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Google Cloud"
**FW:7608+**
-While less practical as its typically for publicly accessible sites, it can be used with a Google Cloud VPC to tunnel authentication requests from a private network to Google Cloud infrastructure.
+While less practical as its typically for publicly accessible sites, it can be used with a Google Cloud VPC to tunnel authentication requests from a private network to Google Cloud infrastructure.
-In this example we just reverse ssh tunnel an FMADIO system onto the public internet (strongly discouraged) for demonstration purposes only.
+In this example, we just reverse ssh tunnel an FMADIO system onto the public internet (strongly discouraged) for demonstration purposes only.
### General Config
Start by editing the general FMADIO configuration file
-```
+```c
/opt/fmadio/etc/time.lua
```
-Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as is.
+Then set HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", as shown in the example below. The other security fields can be left as they are.
-```
+```c
["Security"] =
{
["HTTPAccess"] = "disable",
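Review bot: Every screenshot in this hunk is removed (`- (1) (1) (1).png>)` and similar) but the new text still reads `+The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen in the screenshot below.` and `+the "client\_id" is shown below`, with the same problem for the client_secret Note, the redirect_uri registration, the fmadiolua output, and the login, dashboard and logout steps, each now followed only by blank lines. Either restore the image references or reword each sentence so it stands on its own; as committed the reader cannot tell which Azure value is the client secret. The Note line keeps the typos `client\__secret` and `secretID_` (stray underscores) and carries the one important warning in this section (use the secret Value, not its ID), so it is worth making accurate: `"client_secret"` and "secret ID". "While less practical as its typically for publicly accessible sites" should be "it's".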
@@ -292,17 +344,20 @@ Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH"
Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua
-#### OAUTH Config
+### OAUTH Config
Next create a file name
-```
+```c
/opt/fmadio/etc/oauth_opts.lua
-```
+```
+
-This file contains the Google Cloud OAUTH End points as follows.
+> :memo: **Note:** This file contains the Google Cloud OAUTH End points as follows.
-```
+
+
+```c
local config =
{
redirect_uri = "https://fmadio100v2-ip-address.com:8888/secure",
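Review bot: `+> :memo: **Note:** This file contains the Google Cloud OAUTH End points as follows.` turns the lead-in sentence for the code block into a callout, and the two blank lines added after it separate it from the fence it introduces; keep it as a plain sentence directly above the block, tagged ```lua rather than ```c. "End points" is one word, "endpoints".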
@@ -315,51 +370,69 @@ local config =
}
return config
-```
+```
+
-The "clientid" and "client\_secret" need to be replaced with the generated authentication information from google per below. The above is a throw away example only
+> :memo: **Note:** The "clientid" and "client\_secret" need to be replaced with the generated authentication information from google as shown below. The above is only a throw away example
+
### Google Credentials
-Next generate Google OAUTH credentials as follows.
+Next, generate Google OAUTH credentials as follows:
+
- (1) (1).png>)
+
-Then fill in the information, as follows. Google is a bit more strict and requires TLD endpoints not raw IPs
+
+Then fill in the information, as follows. Google is a bit more strict and requires TLD endpoints not raw IPs
-.png>)
+
+
-Which results in the following secret information
+
- (1).png>)
+Which results in the following secret information
+
+
+
+
Update the oauth\_opts.lua file above with the information
### Restart nginx
-Restart nginx to load in the new configuration file, by killing the process as below. It will reswpan on a 1min cron job automatically
+Restart nginx to load in the new configuration file, by killing the process with the command below. It will re-spawn on a 1min cron job automatically
-```
+```c
sudo killall nginx
```
### Logging In
-Next point the browser to the FMADIO device and it will redirect to Google Sign in account
+Next, point the browser to the FMADIO device and it will redirect to Google Sign in account
+
+
+
+
+
+Login using your Google account information, and it will re-direct you to the FMADIO dashboard.
- (1) (1).png>)
+
-Login using your Google account information, and it will re-direct you to the FMADIO dashboard.
+
- (1) (1) (1) (1).png>)
+
-Any further questions please contact support@fmad.io for assistance.
+> :memo: **Note:** Any further questions please contact support@fmad.io for assistance.
-## Ping Identity (SSO via OUAUTH 2.0)
+
+
+## Ping Identity
+[Ping]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Ping Identity"
**FW:7608+**
-Ping Identity is a popular onprem authentication system, typically used in large organizations. We support Single Sign On with their product suite, below is an example configuration example setup using the Cloud Services. This example uses a reverse SSH tunnel to put the FMADIO device on a publicly accessible IP (we strongly discourage) for demonstration purposes only, to replicate setting up an On Premise install.
+Ping Identity is a popular On-Premise authentication system typically used in large organizations. We support Single Sign On with their product suite. Below is an example of a configuration setup using the Cloud Services. This example uses a reverse SSH tunnel to put the FMADIO device on a publicly accessible IP (we strongly discourage this approach) for demonstration purposes only, to replicate setting up an On-Premise install.
### General Config
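Review bot: The screenshot lines (`- (1) (1).png>)`, `-.png>)`, `- (1).png>)`) are deleted, but "Next, generate Google OAUTH credentials as follows:", "Then fill in the information, as follows.", "Which results in the following secret information" and the Google sign-in step now all point at empty space; restore the images or rewrite these as text steps. "Login using your Google account information, and it will re-direct you to the FMADIO dashboard." has been moved above where its screenshot used to sit, which reverses the order of the two images. The clientid/client_secret replacement sentence is an instruction, not an aside, so it reads better as plain text than as a `> :memo: **Note:**`; "throw away example" should be "throwaway example". In the Ping Identity intro, "popular On-Premise authentication system" capitalises a common term ("on-premises" is fine), and "Google Sign in account" should be "Google sign-in".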
@@ -369,9 +442,9 @@ Start by editing the general FMADIO configuration file
/opt/fmadio/etc/time.lua
```
-Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as is.
+Then set HTTP (un-encrypted) access to "disable" and Auth method to "OAUTH" as shown below. The other security fields can be left as they are.
-```
+```c
["Security"] =
{
["HTTPAccess"] = "disable",
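Review bot: `["HTTPAccess"] = "disable",` in this and the other OAUTH sections disables HTTP with the string "disable", while the HTTPS Only and RADIUS sections use the boolean `false` for the same key. Because the whole purpose of the setting is to turn off the unencrypted listener, the document should say which form the parser honours (or that both are accepted) and use one form consistently; a reader who picks the wrong one could believe HTTP is off when it is not. A verification step after the nginx restart, confirming that the HTTP port no longer answers, would close that gap.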
@@ -382,17 +455,17 @@ Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH"
Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua
-#### OAUTH Config
+### OAUTH Config
-Next create a file name
+Next, create a file name
-```
+```c
/opt/fmadio/etc/oauth_opts.lua
```
This file contains the Ping Identity OAUTH End points as follows.
-```
+```c
local config =
{
redirect_uri = "https://fmadio100v2-ip-address.com:8888/secure/",
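Review bot: `+Next, create a file name` should be "Next, create a file named", as in the Active Directory hunk. Same fence-tag point: the content is a path and a Lua table, not C.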
@@ -407,33 +480,43 @@ local config =
return config
```
-The "clientid" and "client\_secret" need to be replaced with the generated authentication information from Ping Identity interface per below. The above is a throw away example only
+The "clientid" and "client\_secret" need to be replaced with the generated authentication information from Ping Identity interface as shown below. The above is a throw away example only
### Ping Identity Credentials
-We setup a web application using Ping Identity interface as follows. The key fields are shown in red.
+We setup a web application using Ping Identity interface as follows. The key fields are shown in red.
+
+
+
+
+
+
+
- (1).png>)
+
These fields are mapped directly into the oauth\_opts.lua configuration file above.
### Restart nginx
-Restart nginx to load in the new configuration file, by killing the process as below. It will reswpan on a 1min cron job automatically.
+Restart nginx to load in the new configuration file, by killing the process using the command below. It will re-spawn on a 1min cron job automatically.
-```
+```c
sudo killall nginx
```
### Logging In
-Next point the browser to the FMADIO device and it will redirect to Ping Idneitty SSO account as follows
+Next, point the browser to the FMADIO device and it will redirect to Ping Identity SSO account as follows
+
+
+
- (1) (1) (1).png>)
-After a successful authentication the FMADIO dashboard is seen
+After a successful authentication, the FMADIO dashboard is as shown below:
+
- (1) (1).png>)
+
Any further questions or problems, please contact us support@fmad.io
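Review bot: `+We setup a web application using Ping Identity interface as follows. The key fields are shown in red.` is a whitespace-only change that refers to red highlights in a screenshot whose line `- (1).png>)` is deleted just below; likewise the Ping Identity SSO redirect and "the FMADIO dashboard is as shown below:" now have no image. Restore the images or reword. Minor wording: "We set up" (verb), "using the Ping Identity interface", "throwaway example".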
@@ -441,33 +524,33 @@ After a successful authentication the FMADIO dashboard is seen
**FW: 8529+**
-FMADIO systems support Linux PAM ( [https://github.com/linux-pam/linux-pam](https://github.com/linux-pam/linux-pam) ) as an authetication method. One option for centralized authentication is to use LDAP via PAM.
+FMADIO systems support Linux PAM ( [https://github.com/linux-pam/linux-pam](https://github.com/linux-pam/linux-pam) ) as an authetication method. One option for centralized authentication is to use LDAP via PAM.
1\) First run fmadiocli settings to set the authentication method
[https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-auth](https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-auth)
-```
+```c
config security auth pam-ldap
```
-2\) We also strongly recommend to disable HTTP access as all username / passwords are sent over un-encrypted HTTP
+2\) We also strongly recommend to disable HTTP access as all username / passwords are sent over un-encrypted HTTP
[https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http](https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http)
-```
+```c
config security http false
```
-3\) Configure LDAP client nslcd. Copy the default config file as follows
+3\) Configure LDAP client nslcd. Copy the default config file as follows:
-```
+```c
cp /opt/fmadio/etc_ro/nslcd.conf /opt/fmadio/etc/nslcd.conf
```
The default config looks like the following
-```
+```c
fmadio@fmadio100v2-228U:~$ cat /opt/fmadio/etc_ro/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
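Review bot: `+FMADIO systems support Linux PAM ( ... ) as an authetication method.` and `+2\) We also strongly recommend to disable HTTP access ...` are whitespace-only changes that leave the real problems in place: "authetication" should be "authentication", and "recommend disabling". Step 2 is the security-relevant one (under BASIC over HTTP every username and password crosses the wire in clear text), so it is worth stating that it should be done before users are pointed at the system rather than afterwards. The ```c tags on `config security auth pam-ldap` and on the `cat` output are wrong; these are CLI and shell content.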
@@ -517,46 +600,50 @@ Modify the uri, base and any other LDAP specific configs to the enviroment and s
Changing the username/domain/ip address etc to match your environment
-```
+```c
ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"
```
Successful authentication looks like the following
-```
+```c
fmadio@fmadio100v2-228U:~$ ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"
dn:cn=fmadio-user,dc=fmad,dc=io
```
-Once this is working, both SSH, WWW-Admin and WWW-User LDAP posix group members can login to the system.
+Once this is working, both SSH, WWW-Admin and WWW-User LDAP posix group members can login to the system.
-The LDAP posixGroups are
+The LDAP posixGroups are:
+```c
fmadio-ssh-admin - for SSH access
fmadio-www-admin - for WWW admin access (can change anything)
fmadio-www-user - for WWW user access (monitoring and pcap downloading)
+```
6\) Both SSH and WWW now fully configured using LDAP as centralized authentication
-### LDAP Optional
+## LDAP Optional
+[LDAP]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "LDAP Optional"
-Some environments require a notice when logging in, such as the following
+Some environments require a notice when logging in, such as the following
+
+
+
-
-
-This can be customized as follows
+This can be customized as follows:
1\) copy the default template
-```
+```c
cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authorized_access.html
```
2\) Edit the content of
-```
+```c
/opt/fmadio/etc/authorized_access.html
```
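Review bot: `+Once this is working, both SSH, WWW-Admin and WWW-User LDAP posix group members can login to the system.` is whitespace-only and keeps "can login" (should be "can log in"); "both" with three items also reads oddly. The posixGroups list is wrapped in a ```c fence although it is plain text. Since group membership is what decides admin versus monitoring rights, a sentence stating that a user in none of the three groups is denied access would make the access model explicit, if that is the behaviour.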
@@ -564,26 +651,28 @@ cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authoriz
kill nginx and wait 60sec for it to restart
-```
+```c
sudo killall nginx
```
### Troubleshooting
+
-Configuration usually does not go as planned, as such heres some tips to try
+> :memo: **Note:** Configuration usually does not go as planned, as such here are some tips to try
+
1\) run nslcd in the foreground
-```
+```c
sudo killall nslcd
sudo /usr/local/sbin/nslcd -f
```
-This will check the /etc/nslcd.conf configuration file is working correctly, either config typeo or LDAP server problems.
+This will check the /etc/nslcd.conf configuration file is working correctly, either config type or LDAP server problems.
Once its running ensure local lookups work correctly as follows
-```
+```c
ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"
```
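Review bot: `+This will check the /etc/nslcd.conf configuration file is working correctly, either config type or LDAP server problems.` replaces the typo "typeo" with the wrong word; the intended word is "typo": "either a config typo or LDAP server problems". `+Once its running ensure local lookups work correctly as follows` keeps "its" for "it's". Turning the Troubleshooting opening sentence into a `> :memo: **Note:**` callout reads oddly for a lead-in; plain text is fine.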
@@ -591,7 +680,7 @@ ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "pas
The nginx logfiles are located in
-```
+```c
tail -F -n 100 /mnt/store0/log/nginx_error.log
```
@@ -599,7 +688,7 @@ Any errors there might help understand the issues
3\) check syslog file for PAM logs
-```
+```c
tail -F -n 100 /mnt/store0/log/messages |grep -i pam
```