From 98a29c1227eb5132b2b3a10fca9b026759d6ef2c Mon Sep 17 00:00:00 2001 From: Victorwriter <131878979+Victorwriter@users.noreply.github.com> Date: Thu, 27 Apr 2023 18:36:12 +0100 Subject: [PATCH 1/5] Update authentication.md --- configuration/authentication.md | 250 +++++++++++++++++--------------- 1 file changed, 136 insertions(+), 114 deletions(-) diff --git a/configuration/authentication.md b/configuration/authentication.md index a2d0307..5c1a87e 100644 --- a/configuration/authentication.md +++ b/configuration/authentication.md 
@@ -1,29 +1,46 @@ -# Authentication +### Authentication +[Supported Authentication](#supported-authentication) -In many environments different Authentication is required. By default FMADIO capture systems using built in BASIC authentication over HTTP. As this makes configuration and setup simple but is very weak security setting. +[HTTPS only](#https-only) -## Supported Authentication +[RADIUS](#radius) -* BAISC (insecure) +[Active Directory](#active-directory) + +[Google Cloud](#google-cloud) + +[Ping Identity](#ping-identity) + +[LDAP Optional](#ldap-optional) + +# Authentication + +In many environments, different Authentication is required. By default, FMADIO captures systems using built-in BASIC authentication over HTTP as this makes configuration and setup simple. However, it is a very weak security setting. + +### Supported Authentication +[Supported]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Supported Authentication" + +* BASIC (insecure) * HTTPS Only + BASIC * RADIUS * Active Directory (SSO via OAUTH 2.0) * Google Cloud (SSO via OAUTH 2.0) * Ping Identity Cloud (SSO via OAUTH 2.0) -## HTTPS Only +### HTTPS Only +[HTTPS only]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "HTTPS only" -By default HTTP and HTTPS are enabled on the GUI. In any security setting HTTP needs to be disabled, as its an unsecure protocol. To disable HTTP edit the config file +By default, HTTP and HTTPS are enabled on the GUI. In any security setting, HTTP must be disabled, as it's an unsecured protocol. To disable HTTP edit the config file -### General Config +###### General Config -``` +```c /opt/fmadio/etc/time.lua ``` Find the "Security" section as follows -``` +```c ["Security"] = { ["HTTPAccess"] = "enable", 
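Review bot: the reworded intro in this hunk changes its meaning: "By default, FMADIO captures systems using built-in BASIC authentication over HTTP" reads as FMADIO capturing systems, whereas the original says the capture systems themselves use BASIC auth; suggest "By default, FMADIO capture systems use built-in BASIC authentication over HTTP, because this keeps configuration and setup simple; however, it is a very weak security setting." Separately, the added `[Supported]:` and `[HTTPS only]:` reference definitions point at the GitHub edit URL for this file rather than at the sections, and nothing in the document references those labels (the TOC already uses `(#supported-authentication)` style anchors), so drop them or point them at the anchors. The new ```c tag on the bare path `/opt/fmadio/etc/time.lua` and on the `["Security"]` table is the wrong highlighter; the file is Lua, so use `lua` for the config snippets and no language on a path.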
@@ -34,9 +51,9 @@ Find the "Security" section as follows ``` -Change the "HTTPAccess" section from "enable" to false as follows +Edit the "HTTPAccess" section from "enable" to "false" as follows: -``` +```c ["HTTPAccess"] = false, ``` @@ -44,33 +61,34 @@ Save the file ### Restart Nginx -Then restart nginx as follows +Restart nginx by running the following command: -``` +```c sudo killall nginx ``` -NGINX will restart automatically within 60 seconds with the updated configuration. Only HTTPS access is possible. +NGINX will restart automatically within 60 seconds with the updated configuration. Only HTTPS access is now possible. SSO configuration is more complicated, please contact support@fmad.io and we can walk you thru the setup personally -## RADIUS +### RADIUS +[RADIUS]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Radius" **FW: 7563+** We support RADIUS authentication using the freeradius client. Configuration is as follow -### **General Config** +##### **General Config** Edit the configuration file -``` +```c /opt/fmadio/etc/time.lua ``` -Find the "Security" section, example shown below +Find the "Security" section, as in the example shown below: -``` +```c ["Security"] = { ["HTTPAccess"] = false, 
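Review bot: in the -34 hunk the prose now says to change "HTTPAccess" from "enable" to "false" with quotation marks, but the snippet sets the unquoted Lua boolean `["HTTPAccess"] = false,`; a reader copying the quoted form gets the string "false", a different value, so write `false` without quotes or say "to the value shown below". In the -44 hunk, "Configuration is as follow" should be "as follows", and `sudo killall nginx` is a shell command, not C, so the new ```c tag highlights it wrongly.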
@@ -85,54 +103,54 @@ Find the "Security" section, example shown below ``` -### **Disable HTTP Access** +##### **Disable HTTP Access** -Change the following, this disabled the HTTP protocol +Edit the following piece of code. This disables the HTTP protocol: -``` +```c ["HTTPAccess"] = false, ``` -Changes the following, this enables RADIUS as the authentication method +Edit the following, it sets RADIUS as the authentication method -``` +```c ["Auth"] = "RADIUS", ``` Configure your RADIUS login information -``` +```c ["RADIUS_Secret"] = "testing123", ["RADIUS_Host"] = "192.168.1.1", ["RADIUS_Protocol"] = "PPP", ``` -Finally the Timeout, this is how long the system waits until it will automatically logout the user and requirement them to re-authenticate. Value is in nanoseconds, scientific notation and formula is no problem. Per below, 24 hours \* 60 min \* 60 sec \* 1e9 (nanos) +Finally, the Timeout, is how long the system waits until it will automatically log out the user and require them to re-authenticate. The value is in nanoseconds, scientific notation, and the formula is no problem. As seen below, 24 hours \* 60 min \* 60 sec \* 1e9 (nanos) -``` +```c ["RADIUS_Timeout"] = 24*60*60*1e9, ``` -### **Restart Nginx** +##### **Restart Nginx** Restart nginx as follows, it will re-spawn within 60sec automatically -``` +```c sudo killall nginx ``` -### **Login** +##### **Login** -You should see a login page when accessing FMADIO as follows +You should see a login page when accessing FMADIO as shown in the following screenshot: ![](<../.gitbook/assets/image (80) (1).png>) -### **TROUBLESHOOTING** +##### **TROUBLESHOOTING** -If there is some problems, please confirm on CLI using radclient, example as follows. +If there are some problems, please confirm on CLI using radclient, an example is shown below. 
-``` +```c fmadio@fmadio100v2-228U:$ echo "User-Name = steve" | radclient :1812 auth testing123 Sent Access-Request Id 95 from 0.0.0.0:56527 to 192.168.2.132:1812 length 27 Received Access-Reject Id 95 from 192.168.2.132:1812 to 192.168.2.175:56527 length 20 
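Review bot: the RADIUS snippet in this hunk keeps `["RADIUS_Secret"] = "testing123"`, which is FreeRADIUS's well-known default test secret, and the radclient example reuses it; since the surrounding prose is being rewritten anyway, add a sentence that this is a placeholder and must be replaced with the shared secret configured for this client on the RADIUS server. The Timeout sentence has a stray comma after "Timeout" and now reads as if "scientific notation" and "the formula" were separate settings; suggest "Finally, the Timeout is how long the system waits before it logs the user out and requires re-authentication. The value is in nanoseconds; scientific notation and arithmetic expressions are accepted, e.g. 24 hours is 24*60*60*1e9." The troubleshooting block is a terminal session (prompt plus radclient output), so tag it `shell` or leave it untagged rather than ```c.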
@@ -141,37 +159,38 @@ fmadio@fmadio100v2-228U:$ ``` -## Active Directory (SSO via OAUTH 2.0) +### Active Directory +[Active Directory]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Active Directory" **FW:7608+** FMADIO Capture devices can authenticate the users using Active Directory via the OAUTH 2.0 protocol. This enable Single Sign On with ADFS. -### Public IP Testing +##### Public IP Testing -In the follow example we have used a reverse SSH tunnel to temporarily put FMADIO system on a public IP, as Azure Active Directory services require internet accessible devices for the redirect\_uri. +In the following example, we have used a reverse SSH tunnel to temporarily put the FMADIO system on a public IP, as Azure Active Directory services require internet-accessible devices for the redirect\_uri. -For an On Premise Active Directory server this is not required. +For an On-Premise Active Directory Server, this is not required. -Example Reverse SSH Tunnel +Example of Reverse SSH Tunnel: -``` +```c ssh -R 8888:192.168.1.100:443 ec2-user@aws-instance.compute.amazonaws.com ``` -NOTE: SSH tunnel should not use localhost, as all localhost sourced requests bypass authentication. Instead use the IP address of the management interface +NOTE: SSH tunnel should not use localhost, as all localhost-sourced requests bypass authentication. Instead, use the IP address of the management interface -### General Config +##### General Config Start by editing the general FMADIO configuration file -``` +```c /opt/fmadio/etc/time.lua ``` -Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as is. +Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", as shown in the example below. The other security fields can be left as they are. -``` +```c ["Security"] = { ["HTTPAccess"] = "disable", 
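Review bot: this hunk keeps `["HTTPAccess"] = "disable"` while the HTTPS Only and RADIUS hunks in the same patch use `["HTTPAccess"] = false`; state which values the config accepts or use one form throughout, because if one of the two forms is not recognised the reader believes HTTP is off when it is not. The reworded "NOTE: SSH tunnel should not use localhost, as all localhost-sourced requests bypass authentication" is the key security caveat of this section and deserves a prominent callout, plus a word that it applies to any proxy or tunnel that delivers requests from 127.0.0.1, not only `ssh -R`, which is why the management-interface IP is what must be forwarded to.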
@@ -182,17 +201,17 @@ Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH" Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua -### OAUTH Config +##### OAUTH Config -Next create a file name +Next, create a file name -``` +```c /opt/fmadio/etc/oauth_opts.lua ``` This file contains the ADFS OAUTH End points as follows -``` +```c local config = { redirect_uri = "https://fmadio100v2-ip-address:8888/secure/", @@ -207,13 +226,13 @@ local config = return config ``` -These fields are from the ADFS Endpoint URI information, for example as follows. We created a fmadio sign in entry, this has the following client\_id entered above. +These fields are from the ADFS Endpoint URI information. We created a fmadio sign-in entry, which has the client\_id entered above. -The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen below. +The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen in the screenshot below. ![](<../.gitbook/assets/image (118) (1) (1) (1).png>) -the "client\_id" is the shown below +the "client\_id" is shown below ![](<../.gitbook/assets/image (124) (1) (1) (1) (1) (1).png>) 
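Review bot: "Next, create a file name" in the -182 hunk should be "Next, create a file named" (the same phrase recurs in the Google and Ping sections). In the -207 hunk the context line still carries the garbled `client\__secret` and trailing `secretID_` escapes; since this is a copy-edit pass, fix them to `client_secret` and "secret ID" as well. The `oauth_opts.lua` snippet is Lua, so tag it `lua` rather than ```c.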
@@ -221,67 +240,68 @@ The "client\__secret" in the above config needs to be the Value shown below, not ![](<../.gitbook/assets/image (126) (1) (1).png>) -Finally the "redirect\_uri" needs to be registered as follows. +Finally the "redirect\_uri" needs to be registered as follows: ![](<../.gitbook/assets/image (119) (1) (1) (1) (1).png>) -Once config is complete, please confirm no syntax errors by running +Once config is complete, please confirm there are no syntax errors by running -``` +```c fmadiolua /opt/fmadio/etc/oauth_opts.lua ``` -Correct output is as follows, if there are any syntax errors please correct. +The correct output is as shown in the screenshot below. If there are any syntax errors please correct them. ![](<../.gitbook/assets/image (115) (1) (1).png>) -### Restart nginx +##### Restart nginx -Restart nginx to load in the new configuration file, by killing the process as below. It will reswpan on a 1min cron job automatically +Restart nginx to load in the new configuration file, by killing the process using the command below. It will re-spawn on a 1min cron job automatically -``` +```c sudo killall nginx ``` -### Logging in +##### Logging in -Next point a browser to the FMADIO device, it should redirect you to the Active Directory login page as follows. +Next, point a browser to the FMADIO device. It should redirect you to the Active Directory login page as shown in the screenshot below. ![](<../.gitbook/assets/image (121) (1) (1).png>) -Login to the system using your Azure / Microsoft credentials. Then the FMADIO device dashboard will be shown as below +Login to the system using your Azure / Microsoft credentials. 
Then the FMADIO device dashboard will be as shown below ![](<../.gitbook/assets/image (127) (1) (1) (1).png>) -### Logout +##### Logout Logout is the same, using the logout button shown below ![](<../.gitbook/assets/image (90) (1) (1) (1).png>) -Then choose an account to sign out of +Then choose an account to sign out of ![](<../.gitbook/assets/image (120) (1) (1) (1) (1).png>) -## Google Cloud (SSO via OAUTH 2.0) +### Google Cloud +[Google]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Google Cloud" **FW:7608+** While less practical as its typically for publicly accessible sites, it can be used with a Google Cloud VPC to tunnel authentication requests from a private network to Google Cloud infrastructure. -In this example we just reverse ssh tunnel an FMADIO system onto the public internet (strongly discouraged) for demonstration purposes only. +In this example, we just reverse ssh tunnel an FMADIO system onto the public internet (strongly discouraged) for demonstration purposes only. -### General Config +##### General Config Start by editing the general FMADIO configuration file -``` +```c /opt/fmadio/etc/time.lua ``` -Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as is. +Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as they are. -``` +```c ["Security"] = { ["HTTPAccess"] = "disable", @@ -296,13 +316,13 @@ Save the file and ensure there are no parse errors by running fmadiolua /opt/fma Next create a file name -``` +```c /opt/fmadio/etc/oauth_opts.lua ``` This file contains the Google Cloud OAUTH End points as follows. -``` +```c local config = { redirect_uri = "https://fmadio100v2-ip-address.com:8888/secure", 
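Review bot: the Google `redirect_uri` in the -296 hunk is `https://fmadio100v2-ip-address.com:8888/secure` (no trailing slash) while the Active Directory and Ping examples use `.../secure/`; OAuth providers compare the redirect URI character for character against what was registered, so either make the examples consistent or add a line saying the value must match the registered redirect URI exactly. In the -221 hunk, "While less practical as its typically for publicly accessible sites" still has "its" for "it's", and "reverse ssh tunnel" is used as a verb; "tunnel ... over a reverse SSH connection" reads better.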
@@ -317,11 +337,11 @@ local config = return config ``` -The "clientid" and "client\_secret" need to be replaced with the generated authentication information from google per below. The above is a throw away example only +The "clientid" and "client\_secret" need to be replaced with the generated authentication information from google as shown below. The above is a throw away example only -### Google Credentials +##### Google Credentials -Next generate Google OAUTH credentials as follows. +Next, generate Google OAUTH credentials as follows: ![](<../.gitbook/assets/image (90) (1) (1).png>) @@ -337,15 +357,15 @@ Update the oauth\_opts.lua file above with the information ### Restart nginx -Restart nginx to load in the new configuration file, by killing the process as below. It will reswpan on a 1min cron job automatically +Restart nginx to load in the new configuration file, by killing the process with the command below. It will re-spawn on a 1min cron job automatically -``` +```c sudo killall nginx ``` -### Logging In +##### Logging In -Next point the browser to the FMADIO device and it will redirect to Google Sign in account +Next, point the browser to the FMADIO device and it will redirect to Google Sign in account ![](<../.gitbook/assets/image (118) (1) (1).png>) 
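Review bot: the -317 hunk still says "The "clientid" and "client\_secret"" but the key in the config snippet is `client_id`; use the exact key name so a reader searching the file finds it, and capitalise "Google". The "throw away example only" sentence is also the natural place to say that the real `client_secret` must not be committed or pasted into screenshots.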
@@ -355,13 +375,14 @@ Login using your Google account information, and it will re-direct you to the FM Any further questions please contact support@fmad.io for assistance. -## Ping Identity (SSO via OUAUTH 2.0) +## Ping Identity +[Ping]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Ping Identity" **FW:7608+** -Ping Identity is a popular onprem authentication system, typically used in large organizations. We support Single Sign On with their product suite, below is an example configuration example setup using the Cloud Services. This example uses a reverse SSH tunnel to put the FMADIO device on a publicly accessible IP (we strongly discourage) for demonstration purposes only, to replicate setting up an On Premise install. +Ping Identity is a popular On-Premise authentication system typically used in large organizations. We support Single Sign On with their product suite. Below is an example configuration using the Cloud Services. This example uses a reverse SSH tunnel to put the FMADIO device on a publicly accessible IP (we strongly discourage this approach) for demonstration purposes only, to replicate setting up an On-Premise install. -### General Config +##### General Config Start by editing the general FMADIO configuration file @@ -369,9 +390,9 @@ Start by editing the general FMADIO configuration file /opt/fmadio/etc/time.lua ``` -Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as is. +Then set HTTP (un-encrypted) access to "disable" and Auth method to "OAUTH" as shown below. The other security fields can be left as they are. -``` +```c ["Security"] = { ["HTTPAccess"] = "disable", 
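Review bot: the -355 hunk changes the heading to `## Ping Identity` while the sibling sections (RADIUS, Active Directory, Google Cloud) become `###` in this patch, so the section hierarchy is inconsistent; use `###` here too. "popular On-Premise authentication system" capitalises a common noun; "on-premises" is enough. The added `[Ping]:` reference definition has the same edit-URL problem as the others and is unused.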
@@ -382,17 +403,17 @@ Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH" Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua -#### OAUTH Config +##### OAUTH Config -Next create a file name +Next, create a file name -``` +```c /opt/fmadio/etc/oauth_opts.lua ``` This file contains the Ping Identity OAUTH End points as follows. -``` +```c local config = { redirect_uri = "https://fmadio100v2-ip-address.com:8888/secure/", @@ -407,9 +428,9 @@ local config = return config ``` -The "clientid" and "client\_secret" need to be replaced with the generated authentication information from Ping Identity interface per below. The above is a throw away example only +The "clientid" and "client\_secret" need to be replaced with the generated authentication information from Ping Identity interface as shown below. The above is a throw away example only -### Ping Identity Credentials +##### Ping Identity Credentials We setup a web application using Ping Identity interface as follows. The key fields are shown in red. 
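Review bot: the -407 hunk keeps "clientid" where the config snippet uses `client_id`, the same mismatch as in the Google section; also "from Ping Identity interface" needs "the", and "Next, create a file name" in the -382 hunk should again be "named".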
@@ -417,21 +438,21 @@ We setup a web application using Ping Identity interface as follows. The key fie These fields are mapped directly into the oauth\_opts.lua configuration file above. -### Restart nginx +##### Restart nginx -Restart nginx to load in the new configuration file, by killing the process as below. It will reswpan on a 1min cron job automatically. +Restart nginx to load in the new configuration file, by killing the process using the command below. It will re-spawn on a 1min cron job automatically. -``` +```c sudo killall nginx ``` -### Logging In +##### Logging In -Next point the browser to the FMADIO device and it will redirect to Ping Idneitty SSO account as follows +Next, point the browser to the FMADIO device and it will redirect to Ping Identity SSO account as follows ![](<../.gitbook/assets/image (119) (1) (1) (1).png>) -After a successful authentication the FMADIO dashboard is seen +After a successful authentication, the FMADIO dashboard is as shown below: ![](<../.gitbook/assets/image (129) (1) (1).png>) @@ -447,7 +468,7 @@ FMADIO systems support Linux PAM ( [https://github.com/linux-pam/linux-pam](http [https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-auth](https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-auth) -``` +```c config security auth pam-ldap ``` 
@@ -455,19 +476,19 @@ config security auth pam-ldap [https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http](https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http) -``` +```c config security http false ``` -3\) Configure LDAP client nslcd. Copy the default config file as follows +3\) Configure LDAP client nslcd. Copy the default config file as follows: -``` +```c cp /opt/fmadio/etc_ro/nslcd.conf /opt/fmadio/etc/nslcd.conf ``` The default config looks like the following -``` +```c fmadio@fmadio100v2-228U:~$ cat /opt/fmadio/etc_ro/nslcd.conf # /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) @@ -517,13 +538,13 @@ Modify the uri, base and any other LDAP specific configs to the enviroment and s Changing the username/domain/ip address etc to match your environment -``` +```c ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password" ``` Successful authentication looks like the following -``` +```c fmadio@fmadio100v2-228U:~$ ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password" dn:cn=fmadio-user,dc=fmad,dc=io ``` @@ -541,22 +562,23 @@ fmadio-www-user - for WWW user access (monitoring and pcap downloading) 6\) Both SSH and WWW now fully configured using LDAP as centralized authentication ### LDAP Optional +[LDAP]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "LDAP Optional" Some environments require a notice when logging in, such as the following
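Review bot: the -517 hunk re-fences `ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password"` but keeps the bind password on the command line, where it ends up in shell history and in `ps` output on the appliance; suggest documenting `-W` (prompt for the password) instead, and mentioning `-w` only with that caveat. The `cat /opt/fmadio/etc_ro/nslcd.conf` block in the -455 hunk is a shell prompt plus a config file, not C; tag it `shell` or leave it untagged. "enviroment" in the -517 context line is misspelt.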
-This can be customized as follows +This can be customized as follows: 1\) copy the default template -``` +```c cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authorized_access.html ``` 2\) Edit the content of -``` +```c /opt/fmadio/etc/authorized_access.html ``` @@ -564,26 +586,26 @@ cp /opt/fmadio/www/login/authorized_access.html.default /opt/fmadio/etc/authoriz kill nginx and wait 60sec for it to restart -``` +```c sudo killall nginx ``` -### Troubleshooting +##### Troubleshooting -Configuration usually does not go as planned, as such heres some tips to try +Configuration usually does not go as planned, as such here are some tips to try 1\) run nslcd in the foreground -``` +```c sudo killall nslcd sudo /usr/local/sbin/nslcd -f ``` -This will check the /etc/nslcd.conf configuration file is working correctly, either config typeo or LDAP server problems. +This will check the /etc/nslcd.conf configuration file is working correctly, either config type or LDAP server problems. Once its running ensure local lookups work correctly as follows -``` +```c ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "password" ``` @@ -591,7 +613,7 @@ ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ldap://192.168.1.100/ -w "pas The nginx logfiles are located in -``` +```c tail -F -n 100 /mnt/store0/log/nginx_error.log ``` @@ -599,7 +621,7 @@ Any errors there might help understand the issues 3\) check syslog file for PAM logs -``` +```c tail -F -n 100 /mnt/store0/log/messages |grep -i pam ``` From 3ce1af0de2029c362c6fbb2904a111d9f5776321 Mon Sep 17 00:00:00 2001 
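Review bot: the -564 hunk turns "either config typeo or LDAP server problems" into "either config type or LDAP server problems", which replaces a misspelling of "typo" with the wrong word; it should read "either a config typo or LDAP server problems". The same hunk says running nslcd in the foreground checks `/etc/nslcd.conf`, while step 3 in the previous hunk copies the config to `/opt/fmadio/etc/nslcd.conf`; confirm which path nslcd reads on the appliance and use it consistently. "Once its running" should be "Once it's running".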
From: Victorwriter <131878979+Victorwriter@users.noreply.github.com> Date: Tue, 2 May 2023 04:10:30 +0100 Subject: [PATCH 2/5] Structured authentication.md The editing done here includes, image resizing, spacing, adjusting character length per line, adding links to major sections --- configuration/authentication.md | 268 +++++++++++++++++++------------- 1 file changed, 159 insertions(+), 109 deletions(-) diff --git a/configuration/authentication.md b/configuration/authentication.md index 5c1a87e..4894b69 100644 --- a/configuration/authentication.md +++ b/configuration/authentication.md @@ -1,23 +1,29 @@ -### Authentication +## [Authentication ](#authentication) + [Supported Authentication](#supported-authentication) - + [HTTPS only](#https-only) - + [RADIUS](#radius) [Active Directory](#active-directory) [Google Cloud](#google-cloud) - + [Ping Identity](#ping-identity) + +[LDAP Optional](#ldap-optional) +
-[LDAP Optional](#ldap-optional) -# Authentication +# Authentication +[Supported]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Authentication" -In many environments, different Authentication is required. By default, FMADIO captures systems using built-in BASIC authentication over HTTP as this makes configuration and setup simple. However, it is a very weak security setting. +In many environments, different Authentication is required. By default, FMADIO captures systems
+using built-in BASIC authentication over HTTP as this makes configuration and setup simple.
However, it is a very weak security setting. The following is a list of [Supported Authentication](#supported-authentication) methods +
-### Supported Authentication +## Supported Authentication [Supported]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Supported Authentication" * BASIC (insecure) @@ -25,14 +31,15 @@ In many environments, different Authentication is required. By default, FMADIO c * RADIUS * Active Directory (SSO via OAUTH 2.0) * Google Cloud (SSO via OAUTH 2.0) -* Ping Identity Cloud (SSO via OAUTH 2.0) +* Ping Identity Cloud (SSO via OAUTH 2.0) +
-### HTTPS Only +## HTTPS Only [HTTPS only]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "HTTPS only" -By default, HTTP and HTTPS are enabled on the GUI. In any security setting, HTTP must be disabled, as it's an unsecured protocol. To disable HTTP edit the config file +By default, HTTP and HTTPS are enabled on the GUI. In any security setting, HTTP must be disabled,
as it's an unsecured protocol. To disable HTTP, edit the config file: -###### General Config +### General Config ```c /opt/fmadio/etc/time.lua @@ -67,26 +74,26 @@ Restart nginx by running the following command: sudo killall nginx ``` -NGINX will restart automatically within 60 seconds with the updated configuration. Only HTTPS access is now possible. +NGINX will restart automatically within 60 seconds with the updated configuration. Only HTTPS
access is now possible. +SSO configuration is more complicated, please contact support@fmad.io
and we can walk you thru the setup personally +
-SSO configuration is more complicated, please contact support@fmad.io and we can walk you thru the setup personally - -### RADIUS +## RADIUS [RADIUS]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Radius" **FW: 7563+** We support RADIUS authentication using the freeradius client. Configuration is as follow -##### **General Config** +### **General Config** -Edit the configuration file +Edit the configuration file using the command ```c /opt/fmadio/etc/time.lua ``` -Find the "Security" section, as in the example shown below: +Find the "Security" section, as shown below: ```c ["Security"] = @@ -103,9 +110,9 @@ Find the "Security" section, as in the example shown below: ``` -##### **Disable HTTP Access** +### **Disable HTTP Access** -Edit the following piece of code. This disables the HTTP protocol: +Edit the following configuration. This disables the HTTP protocol: ```c ["HTTPAccess"] = false, @@ -125,30 +132,32 @@ Configure your RADIUS login information ["RADIUS_Protocol"] = "PPP", ``` -Finally, the Timeout, is how long the system waits until it will automatically log out the user and require them to re-authenticate. The value is in nanoseconds, scientific notation, and the formula is no problem. As seen below, 24 hours \* 60 min \* 60 sec \* 1e9 (nanos) +Finally, there's a Timeout, the user is logged out and will be required to re-authenticate. The value is
in nanoseconds, an example of converting 1 day to nanoseconds and setting it as the timeout value
is shown below: ```c ["RADIUS_Timeout"] = 24*60*60*1e9, ``` -##### **Restart Nginx** +### **Restart Nginx** -Restart nginx as follows, it will re-spawn within 60sec automatically +Restart nginx using the command below and it will re-spawn within 60sec automatically ```c sudo killall nginx ``` -##### **Login** - -You should see a login page when accessing FMADIO as shown in the following screenshot: +### **Login** -![](<../.gitbook/assets/image (80) (1).png>) +You should see a login page to access FMADIO as shown in the screenshot below: -##### **TROUBLESHOOTING** +
+ + +
+### **TROUBLESHOOTING** -If there are some problems, please confirm on CLI using radclient, an example is shown below. +If there are some problems, please confirm on CLI using radclient, see example below. ```c fmadio@fmadio100v2-228U:$ echo "User-Name = steve" | radclient :1812 auth testing123 @@ -164,13 +173,13 @@ fmadio@fmadio100v2-228U:$ **FW:7608+** -FMADIO Capture devices can authenticate the users using Active Directory via the OAUTH 2.0 protocol. This enable Single Sign On with ADFS. +FMADIO Capture devices can authenticate the users using Active Directory via the OAUTH 2.0
protocol. This enables Single Sign On with ADFS. -##### Public IP Testing +### Public IP Testing -In the following example, we have used a reverse SSH tunnel to temporarily put the FMADIO system on a public IP, as Azure Active Directory services require internet-accessible devices for the redirect\_uri. +In the following example, we have used a reverse SSH tunnel to temporarily put the FMADIO system
on a public IP, as Azure Active Directory services require internet-accessible devices for the redirect\_uri. -For an On-Premise Active Directory Server, this is not required. +> :memo: **Note:** For an On-Premise Active Directory Server, this is not required. Example of Reverse SSH Tunnel: @@ -178,9 +187,9 @@ Example of Reverse SSH Tunnel: ssh -R 8888:192.168.1.100:443 ec2-user@aws-instance.compute.amazonaws.com ``` -NOTE: SSH tunnel should not use localhost, as all localhost-sourced requests bypass authentication. Instead, use the IP address of the management interface +NOTE: SSH tunnel should not use localhost, as all localhost-sourced requests bypass authentication.
Instead, use the IP address of the management interface -##### General Config +### General Config Start by editing the general FMADIO configuration file @@ -188,7 +197,7 @@ Start by editing the general FMADIO configuration file /opt/fmadio/etc/time.lua ``` -Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", as shown in the example below. The other security fields can be left as they are. +Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", as shown in the
example below. The other security fields can be left as they are. ```c ["Security"] = @@ -201,7 +210,7 @@ Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH" Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua -##### OAUTH Config +### OAUTH Config Next, create a file name @@ -226,23 +235,29 @@ local config = return config ``` -These fields are from the ADFS Endpoint URI information. We created a fmadio sign-in entry, which has the client\_id entered above. +These fields are from the ADFS Endpoint URI information. We created a fmadio sign-in entry, which
has the client\_id entered above. +The "discovery" config in the above needs to be the OpenID
Connect Metadata document, as seen in the screenshot below. +
-The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen in the screenshot below. + -![](<../.gitbook/assets/image (118) (1) (1) (1).png>) +the "client\_id" is shown below +
-the "client\_id" is shown below + -![](<../.gitbook/assets/image (124) (1) (1) (1) (1) (1).png>) +> :memo: **Note:** The "client\__secret" in the above config needs to be the Value shown below, not the secretID_ -The "client\__secret" in the above config needs to be the Value shown below, not the secretID_ +
-![](<../.gitbook/assets/image (126) (1) (1).png>) +Alt text -Finally the "redirect\_uri" needs to be registered as follows: +
-![](<../.gitbook/assets/image (119) (1) (1) (1) (1).png>) +Finally the "redirect\_uri" needs to be registered as follows: + +
+ Once config is complete, please confirm there are no syntax errors by running @@ -250,48 +265,59 @@ Once config is complete, please confirm there are no syntax errors by running&#x fmadiolua /opt/fmadio/etc/oauth_opts.lua ``` -The correct output is as shown in the screenshot below. If there are any syntax errors please correct them. +The correct output is as shown in the screenshot below. If there are any syntax errors, please correct
them. + +
-![](<../.gitbook/assets/image (115) (1) (1).png>) + -##### Restart nginx +### Restart nginx -Restart nginx to load in the new configuration file, by killing the process using the command below. It will re-spawn on a 1min cron job automatically +Restart nginx to load in the new configuration file, by killing the process using the command below.
It will re-spawn on a 1min cron job automatically ```c sudo killall nginx ``` -##### Logging in +### Logging in -Next, point a browser to the FMADIO device. It should redirect you to the Active Directory login page as shown in the screenshot below. +Next, point a browser to the FMADIO device. It should redirect you to the Active Directory login
page as shown in the screenshot below. -![](<../.gitbook/assets/image (121) (1) (1).png>) +
-Login to the system using your Azure / Microsoft credentials. Then the FMADIO device dashboard will be as shown below + +
-![](<../.gitbook/assets/image (127) (1) (1) (1).png>) +Login to the system using your Azure / Microsoft credentials. Then the FMADIO device dashboard
will be as shown below +
-##### Logout + +
-Logout is the same, using the logout button shown below +### Logout -![](<../.gitbook/assets/image (90) (1) (1) (1).png>) +Logout is the same, using the logout button shown below: +
+ + +
Then choose an account to sign out of -![](<../.gitbook/assets/image (120) (1) (1) (1) (1).png>) +
-### Google Cloud + + +## Google Cloud [Google]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Google Cloud" **FW:7608+** -While less practical as its typically for publicly accessible sites, it can be used with a Google Cloud VPC to tunnel authentication requests from a private network to Google Cloud infrastructure. +While less practical as its typically for publicly accessible sites, it can be used with a Google
Cloud VPC to tunnel authentication requests from a private network to Google Cloud infrastructure. -In this example, we just reverse ssh tunnel an FMADIO system onto the public internet (strongly discouraged) for demonstration purposes only. +In this example, we just reverse ssh tunnel an FMADIO system onto the public internet
(strongly discouraged) for demonstration purposes only. -##### General Config +### General Config Start by editing the general FMADIO configuration file @@ -299,7 +325,7 @@ Start by editing the general FMADIO configuration file /opt/fmadio/etc/time.lua ``` -Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", example shown below. The other security fields can be left as they are. +Then set HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH", as shown in the
example below. The other security fields can be left as they are. ```c ["Security"] = @@ -312,7 +338,7 @@ Then setting HTTP (un-encrypted) access to "disable", and Auth method to "OAUTH" Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua -#### OAUTH Config +### OAUTH Config Next create a file name @@ -320,7 +346,7 @@ Next create a file name /opt/fmadio/etc/oauth_opts.lua ``` -This file contains the Google Cloud OAUTH End points as follows. +> :memo: **Note:** This file contains the Google Cloud OAUTH End points as follows. ```c local config = @@ -337,52 +363,63 @@ local config = return config ``` -The "clientid" and "client\_secret" need to be replaced with the generated authentication information from google as shown below. The above is a throw away example only - -##### Google Credentials +> :memo: **Note:** The "clientid" and "client\_secret" need to be replaced with the generated
authentication information from google as shown below. The above is a throw away example only -Next, generate Google OAUTH credentials as follows: +### Google Credentials -![](<../.gitbook/assets/image (90) (1) (1).png>) +Next, generate Google OAUTH credentials as follows: +
-Then fill in the information, as follows. Google is a bit more strict and requires TLD endpoints not raw IPs + +
+Then fill in the information, as follows. Google is a bit more strict and requires TLD endpoints
not raw IPs +
-![](<../.gitbook/assets/image (80).png>) + -Which results in the following secret information +Which results in the following secret information -![](<../.gitbook/assets/image (115) (1).png>) +
+ +
Update the oauth\_opts.lua file above with the information ### Restart nginx -Restart nginx to load in the new configuration file, by killing the process with the command below. It will re-spawn on a 1min cron job automatically +Restart nginx to load in the new configuration file, by killing the process with the command
below. It will re-spawn on a 1min cron job automatically ```c sudo killall nginx ``` -##### Logging In +### Logging In -Next, point the browser to the FMADIO device and it will redirect to Google Sign in account +Next, point the browser to the FMADIO device and it will redirect to Google Sign in account +
-![](<../.gitbook/assets/image (118) (1) (1).png>) + -Login using your Google account information, and it will re-direct you to the FMADIO dashboard. +Login using your Google account information, and it will re-direct you to the FMADIO dashboard. -![](<../.gitbook/assets/image (124) (1) (1) (1) (1).png>) +
-Any further questions please contact support@fmad.io for assistance. + + +
+ +> :memo: **Note:** Any further questions please contact support@fmad.io for assistance. + +
## Ping Identity [Ping]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Ping Identity" **FW:7608+** -Ping Identity is a popular On-Premise authentication system typically used in large organizations. We support Single Sign On with their product suite. Below is an example configuration using the Cloud Services. This example uses a reverse SSH tunnel to put the FMADIO device on a publicly accessible IP (we strongly discourage this approach) for demonstration purposes only, to replicate setting up an On-Premise install. +Ping Identity is a popular On-Premise authentication system typically used in large organizations.
We support Single Sign On with their product suite. Below is an example of a configuration setup
using the Cloud Services. This example uses a reverse SSH tunnel to put
the FMADIO device on a publicly accessible IP (we strongly discourage this approach)
for demonstration purposes only, to replicate setting up an On-Premise install. -##### General Config +### General Config Start by editing the general FMADIO configuration file @@ -390,7 +427,7 @@ Start by editing the general FMADIO configuration file /opt/fmadio/etc/time.lua ``` -Then set HTTP (un-encrypted) access to "disable" and Auth method to "OAUTH" as shown below. The other security fields can be left as they are. +Then set HTTP (un-encrypted) access to "disable" and Auth method to "OAUTH" as shown below. The other
security fields can be left as they are. ```c ["Security"] = @@ -403,7 +440,7 @@ Then set HTTP (un-encrypted) access to "disable" and Auth method to "OAUTH" as s Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua -##### OAUTH Config +### OAUTH Config Next, create a file name @@ -428,33 +465,43 @@ local config = return config ``` -The "clientid" and "client\_secret" need to be replaced with the generated authentication information from Ping Identity interface as shown below. The above is a throw away example only +The "clientid" and "client\_secret" need to be replaced with the generated authentication information
from Ping Identity interface as shown below. The above is a throw away example only + +### Ping Identity Credentials + +We setup a web application using Ping Identity interface as follows. The key fields are shown in red. -##### Ping Identity Credentials +
+ + -We setup a web application using Ping Identity interface as follows. The key fields are shown in red. +
+ -![](<../.gitbook/assets/image (117) (1).png>) +
These fields are mapped directly into the oauth\_opts.lua configuration file above. -##### Restart nginx +### Restart nginx -Restart nginx to load in the new configuration file, by killing the process using the command below. It will re-spawn on a 1min cron job automatically. +Restart nginx to load in the new configuration file, by killing the process using the command below.
It will re-spawn on a 1min cron job automatically. ```c sudo killall nginx ``` -##### Logging In +### Logging In -Next, point the browser to the FMADIO device and it will redirect to Ping Identity SSO account as follows +Next, point the browser to the FMADIO device and it will redirect to Ping Identity SSO account
as follows +
+ + -![](<../.gitbook/assets/image (119) (1) (1) (1).png>) -After a successful authentication, the FMADIO dashboard is as shown below: +After a successful authentication, the FMADIO dashboard is as shown below: +
-![](<../.gitbook/assets/image (129) (1) (1).png>) + Any further questions or problems, please contact us support@fmad.io @@ -462,7 +509,7 @@ After a successful authentication, the FMADIO dashboard is as shown below: **FW: 8529+** -FMADIO systems support Linux PAM ( [https://github.com/linux-pam/linux-pam](https://github.com/linux-pam/linux-pam) ) as an authetication method. One option for centralized authentication is to use LDAP via PAM. +FMADIO systems support Linux PAM ( [https://github.com/linux-pam/linux-pam](https://github.com/linux-pam/linux-pam) ) as an authetication
method. One option for centralized authentication is to use LDAP via PAM. 1\) First run fmadiocli settings to set the authentication method @@ -472,7 +519,7 @@ FMADIO systems support Linux PAM ( [https://github.com/linux-pam/linux-pam](http config security auth pam-ldap ``` -2\) We also strongly recommend to disable HTTP access as all username / passwords are sent over un-encrypted HTTP +2\) We also strongly recommend to disable HTTP access as all username / passwords are sent over
un-encrypted HTTP [https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http](https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http) @@ -549,24 +596,27 @@ fmadio@fmadio100v2-228U:~$ ldapwhoami -x -D cn=fmadio-user,dc=fmad,dc=io -H ld dn:cn=fmadio-user,dc=fmad,dc=io ``` -Once this is working, both SSH, WWW-Admin and WWW-User LDAP posix group members can login to the system. +Once this is working, both SSH, WWW-Admin and WWW-User LDAP posix group members can
login to the system. -The LDAP posixGroups are +The LDAP posixGroups are:
+```c fmadio-ssh-admin - for SSH access fmadio-www-admin - for WWW admin access (can change anything) fmadio-www-user - for WWW user access (monitoring and pcap downloading) +``` 6\) Both SSH and WWW now fully configured using LDAP as centralized authentication -### LDAP Optional +## LDAP Optional [LDAP]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "LDAP Optional" -Some environments require a notice when logging in, such as the following - -
+Some environments require a notice when logging in, such as the following +
+ +
This can be customized as follows: @@ -590,9 +640,9 @@ kill nginx and wait 60sec for it to restart sudo killall nginx ``` -##### Troubleshooting +### Troubleshooting -Configuration usually does not go as planned, as such here are some tips to try +Configuration usually does not go as planned, as such here are some > :memo: **Note:**tips to try 1\) run nslcd in the foreground @@ -601,7 +651,7 @@ sudo killall nslcd sudo /usr/local/sbin/nslcd -f ``` -This will check the /etc/nslcd.conf configuration file is working correctly, either config type or LDAP server problems. +This will check the /etc/nslcd.conf configuration file is working correctly, either config type
or LDAP server problems. Once its running ensure local lookups work correctly as follows From baeaf3535d1307088906876324da1c798c777ec7 Mon Sep 17 00:00:00 2001 From: Victorwriter <131878979+Victorwriter@users.noreply.github.com> Date: Tue, 2 May 2023 04:31:52 +0100 Subject: [PATCH 3/5] More spacing --- configuration/authentication.md | 36 ++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/configuration/authentication.md b/configuration/authentication.md index 4894b69..f6e0837 100644 --- a/configuration/authentication.md +++ b/configuration/authentication.md @@ -154,7 +154,8 @@ You should see a login page to access FMADIO as shown in the screenshot below:
-
+
+ ### **TROUBLESHOOTING** If there are some problems, please confirm on CLI using radclient, see example below. @@ -177,9 +178,11 @@ FMADIO Capture devices can authenticate the users using Active Directory via the ### Public IP Testing -In the following example, we have used a reverse SSH tunnel to temporarily put the FMADIO system
on a public IP, as Azure Active Directory services require internet-accessible devices for the redirect\_uri. +In the following example, we have used a reverse SSH tunnel to temporarily put the FMADIO system
on a public IP, as Azure Active Directory services require internet-accessible devices for the redirect\_uri. +
-> :memo: **Note:** For an On-Premise Active Directory Server, this is not required. +> :memo: **Note:** For an On-Premise Active Directory Server, this is not required. +
Example of Reverse SSH Tunnel: @@ -244,7 +247,9 @@ The "discovery" config in the above needs to be the OpenID
Connect Metad the "client\_id" is shown below
- + + +
> :memo: **Note:** The "client\__secret" in the above config needs to be the Value shown below, not the secretID_ @@ -344,9 +349,12 @@ Next create a file name ```c /opt/fmadio/etc/oauth_opts.lua -``` +``` +
-> :memo: **Note:** This file contains the Google Cloud OAUTH End points as follows. +> :memo: **Note:** This file contains the Google Cloud OAUTH End points as follows. + +
```c local config = @@ -361,9 +369,11 @@ local config = } return config -``` +``` +
-> :memo: **Note:** The "clientid" and "client\_secret" need to be replaced with the generated
authentication information from google as shown below. The above is a throw away example only +> :memo: **Note:** The "clientid" and "client\_secret" need to be replaced with the generated
authentication information from google as shown below. The above is only a throw away example +
### Google Credentials @@ -371,8 +381,11 @@ Next, generate Google OAUTH credentials as follows:
+
Then fill in the information, as follows. Google is a bit more strict and requires TLD endpoints
not raw IPs + +

@@ -398,7 +411,8 @@ sudo killall nginx Next, point the browser to the FMADIO device and it will redirect to Google Sign in account
- + +
Login using your Google account information, and it will re-direct you to the FMADIO dashboard. @@ -641,8 +655,10 @@ sudo killall nginx ``` ### Troubleshooting +
-Configuration usually does not go as planned, as such here are some > :memo: **Note:**tips to try +> :memo: **Note:** Configuration usually does not go as planned, as such here are some tips to try +
1\) run nslcd in the foreground From df962e192f6483572f45bf4cf7ed53ab6783be72 Mon Sep 17 00:00:00 2001 From: Victorwriter <131878979+Victorwriter@users.noreply.github.com> Date: Tue, 2 May 2023 04:35:59 +0100 Subject: [PATCH 4/5] More light changes --- configuration/authentication.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configuration/authentication.md b/configuration/authentication.md index f6e0837..de55e26 100644 --- a/configuration/authentication.md +++ b/configuration/authentication.md @@ -311,7 +311,8 @@ Then choose an account to sign out of
- + +
## Google Cloud [Google]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Google Cloud" From 98d323d3777f470a4d3053b5b8eea25c602d227f Mon Sep 17 00:00:00 2001 From: Victorwriter <131878979+Victorwriter@users.noreply.github.com> Date: Tue, 2 May 2023 05:24:40 +0100 Subject: [PATCH 5/5] More changes - first line --- configuration/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/authentication.md b/configuration/authentication.md index de55e26..f2bc27e 100644 --- a/configuration/authentication.md +++ b/configuration/authentication.md @@ -19,7 +19,7 @@ # Authentication [Supported]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Authentication" -In many environments, different Authentication is required. By default, FMADIO captures systems
+Many environments require different Authentication processes. By default, FMADIO captures systems
using built-in BASIC authentication over HTTP as this makes configuration and setup simple.
However, it is a very weak security setting. The following is a list of [Supported Authentication](#supported-authentication) methods
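Review bot: in the `@@ -250,48 +265,59 @@` hunk of PATCH 1/5 the screenshot references `![](<../.gitbook/assets/image (115) (1) (1).png>)`, `image (121) (1) (1).png`, `image (127) (1) (1) (1).png`, `image (90) (1) (1) (1).png` and `image (120) (1) (1) (1) (1).png` are deleted and the replacement `+` lines come through empty, so the diff does not show whether the images were converted to raw HTML or dropped. Please confirm the asset paths survive and add alt text, since the expected `fmadiolua /opt/fmadio/etc/oauth_opts.lua` output and the whole Active Directory login/logout flow are shown only in those screenshots. The same check applies to the image replacements in the Google (`@@ -337,52 +363,63 @@`) and Ping Identity (`@@ -428,33 +465,43 @@`) hunks.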
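Review bot: the `@@ -250,48 +265,59 @@` hunk renames `### Google Cloud` to `## Google Cloud` and `##### Restart nginx` / `##### Logging in` / `##### Logout` to `###`, but keeps the context line `[Google]: https://github.com/fmadio/documentation/edit/fmadio100v2/configuration/authentication.md "Google Cloud"` directly under the new heading (likewise `[Ping]:` and `[LDAP]:` further down). The table-of-contents links in this series use inline `#google-cloud`-style anchors, so these reference definitions are never used and merely point readers at the GitHub edit page; suggest removing them in the same pass rather than re-indenting around them.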
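Review bot: in the `@@ -337,52 +363,63 @@` hunk the second line of the wrapped blockquote, `authentication information from google as shown below.`, has no leading `>`; CommonMark accepts lazy continuation but it is safer to prefix it, and "google" should be capitalised. "The above is a throw away example only" would be clearer as "the values above are placeholders", so nobody copies the sample `clientid` / `client_secret` into a live config.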
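Review bot: the rewrapped line in the `@@ -428,33 +465,43 @@` hunk still reads "We setup a web application using Ping Identity interface"; should be "We set up a web application using the Ping Identity interface", and "redirect to Ping Identity SSO account" is better as "redirect to the Ping Identity SSO login page".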
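Review bot: the `@@ -462,7 +509,7 @@` and `@@ -472,7 +519,7 @@` hunks rewrap two sentences but carry the existing mistakes across: "authetication" should be "authentication" and "strongly recommend to disable HTTP access" should be "strongly recommend disabling HTTP access". Since the same hunk says every username/password is sent over un-encrypted HTTP, consider making the disable-HTTP step come before `config security auth pam-ldap` rather than after it, so no credential is sent in cleartext while the switch is being made.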
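Review bot: the `@@ -549,24 +596,27 @@` hunk wraps the three posixGroup names (`fmadio-ssh-admin`, `fmadio-www-admin`, `fmadio-www-user`) in a fence tagged `c`, which is not C; use an untagged fence or a bullet list. The sentence above it, "both SSH, WWW-Admin and WWW-User LDAP posix group members can login", pairs "both" with three items and should read "members of the SSH, WWW-Admin and WWW-User posix groups can log in". It would also help to say explicitly that membership of `fmadio-www-admin` grants full configuration rights, so that group is the authorization boundary to control on the LDAP side.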
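Review bot: the `@@ -590,9 +640,9 @@` hunk of PATCH 1/5 produces the broken sentence "here are some > :memo: **Note:**tips to try", with the note marker dropped mid-sentence; PATCH 3/5 repairs it in `@@ -641,8 +655,10 @@`. Please squash the fix into PATCH 1/5 so no commit in the series leaves the page in that state.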
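Review bot: in the `@@ -177,9 +178,11 @@` hunk of PATCH 3/5 the rewrapped sentence repeats the claim that "Azure Active Directory services require internet-accessible devices for the redirect_uri". That is not how the OAuth 2.0 authorization-code redirect works: the redirect_uri is followed by the user's browser, not by Microsoft, so the device only has to be reachable from the browser; what it does need is outbound HTTPS to the discovery and token endpoints. Since the text already calls the reverse SSH tunnel "strongly discouraged", suggest rewording this to say the tunnel was only used to demo against a cloud tenant, and noting the requirement that the redirect_uri be https and match the app registration exactly. The Google and Ping paragraphs in PATCH 1/5 (`@@ -250,48 +265,59 @@`, `@@ -337,52 +363,63 @@`) make the same assumption.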
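Review bot: the "More spacing" hunks in PATCH 3/5 (`@@ -154,7 +154,8 @@`, `@@ -244,7 +247,9 @@`, `@@ -344,9 +349,12 @@`, `@@ -361,9 +369,11 @@`, `@@ -371,8 +381,11 @@`, `@@ -398,7 +411,8 @@`) and the whole of PATCH 4/5 (`@@ -311,7 +311,8 @@`) only add blank lines, which Markdown collapses into a single break, so they change nothing visible. In `@@ -344,9 +349,12 @@` and `@@ -361,9 +369,11 @@` the closing fence is deleted and re-added with no visible difference, which suggests trailing whitespace was introduced; please drop these or fold them into PATCH 1/5. While touching `@@ -244,7 +247,9 @@`, the context line `"client\__secret" ... not the secretID_` has a stray underscore pair that renders as italics and is worth fixing in the same series.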
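Review bot: the `@@ -19,7 +19,7 @@` hunk of PATCH 5/5 keeps "By default, FMADIO captures systems using built-in BASIC authentication over HTTP", which turns the noun phrase "capture systems" into a verb and changes the meaning; it should read "By default, FMADIO capture systems use built-in BASIC authentication over HTTP". "Authentication processes" should also be lower-case "authentication".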