Authenticate OpenNMS Horizon with FreeRADIUS
Centralized authentication is a core service as soon you have a network with more than 3 computers. This article is about how to authenticate a OpenNMS Horizon 22.0.2 using RADIUS provided by a FreeRADIUS service.
In this example the FreeRADIUS server is configured to provide 3 users. A dictionary is configured which returns 2 roles, ROLE_USER and ROLE_ADMIN which can be used to decide which security role is assigned in the OpenNMS Horizon Web UI.
To run the services locally, you can use all components in a Docker Compose defined service stack.
Step 1: Checkout the repository
git clone https://github.com/indigo423/opennms-radius-auth.git
cd opennms-radius-auth
Step 2: Initialize the service stack
docker-compose up -d
Step 3: Install OpenNMS Horizon Plugin protocol for RADIUS and restart
docker-compose exec horizon yum install -y opennms-plugin-protocol-radius
docker-compose stop horizon
docker-compose up -d
You can now login with 4 users:
admin
/admin
: Default initial admin user defined inusers.xml
user1
/u5er1p455
: RADIUS user in security role ROLE_ADMIN and ROLE_USERuser2
/u5er2p455
: RADIUS user in security role ROLE_USERuser3
/u5er3p455
: RADIUS user without security role, this user falls back into ROLE_USER.
Configuration FreeRADIUS
The FreeRADIUS configuration is built with the following configuration files:
volumes:
- ./freeradius/dictionary.opennms:/etc/raddb/dictionary.opennms <1>
- ./freeradius/dictionary:/etc/raddb/dictionary <2>
- ./freeradius/clients.conf:/etc/raddb/clients.conf <3>
- ./freeradius/users:/etc/raddb/users <4>
- Reply authentication message with a security role
- Include the
dictionary.opennms
on startup ofradiusd
- Define IP range and shared secret to allow communication with RADIUS server
- User with passwords and assigned security roles
Configuration OpenNMS Horizon
volumes:
- ./jetty-overlay:/opt/opennms-jetty-webinf-overlay <1>
- Authentication configuration for the Jetty Webapp
Enable externalAuthenticationProvider in
applicationContext-spring-security.xml`
<authentication-manager alias="authenticationManager">
<!-- If a user is pre-authenticated, make sure their user details are populated correctly. -->
<authentication-provider ref="preauthAuthProvider" />
<!-- Use our custom authentication provider -->
<authentication-provider ref="hybridAuthenticationProvider" />
<!-- To enable external (e.g. LDAP, RADIUS) authentication, uncomment the following.
You must also rename and customize exactly ONE of the example files in the
spring-security.d subdirectory. -->
<authentication-provider ref="externalAuthenticationProvider" />
</authentication-manager>
Create a RADIUS configuration for Authentication in spring-security.d/radius.xml
<beans:bean id="externalAuthenticationProvider" class="org.opennms.protocols.radius.springsecurity.RadiusAuthenticationProvider">
<beans:constructor-arg value="freeradius"/> <1>
<beans:constructor-arg value="SECRET"/> <2>
<beans:property name="port" value="1812"/> <3>
<beans:property name="timeout" value="5"/> <4>
<beans:property name="retries" value="3"/> <5>
<beans:property name="authTypeClass"><beans:bean class="net.jradius.client.auth.PAPAuthenticator"/></beans:property> <6>
<beans:property name="defaultRoles" value="ROLE_USER"/> <7>
<beans:property name="rolesAttribute" value="Unknown-VSAttribute(5813:1)"/> <8>
</beans:bean>
- Hostname or IP address of the RADIUS server
- Shared secret for communication
- Port RADIUS server is listening
- Timeout for RADIUS requests
- Retries for RADIUS requests
- PAP authentication for clear text passwords
- Define default role when no role is assigned
- Attribute which is used to assign security roles