OneFabric Connect and iboss Internet Filtering Appliance




OneFabric Connect and iboss Internet Filtering Appliance Configuration and Installation Guide

Abstract: This document provides a step-by-step overview for integrating the iboss Internet Filtering Appliance with the Extreme Networks OneFabric Connect solution.

Published: April 2014

Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com

2012-2014 Extreme Networks, Inc. All Rights Reserved. AccessAdapt, Alpine, Altitude, BlackDiamond, Direct Attach, EPICenter, ExtremeWorks Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ExtremeXOS ScreenPlay, ReachNXT, Ridgeline, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries. sFlow is the property of InMon Corporation. Specifications are subject to change without notice. All other registered trademarks, trademarks, and service marks are property of their respective owners. For additional information on Extreme Networks trademarks, see www.extremenetworks.com/company/legal/trademarks. 120938-00

Overview
Pre-Requisites
iboss Operational Information
How the Integration Works
Integration Configuration
    Step 1: Defining Groups in Active Directory
    Step 2: Defining Locations
    Step 3: Configuring the iboss Appliance
        Part A: Configure LDAP Settings
        Part B: Configure AD Plugin
        Part C: Configure Filters
    Step 4: Installing and Configuring OneFabric Connect
    Step 5: Configuration of NAC
Testing the Integration
Appendix A: Troubleshooting / FAQ

Extreme Networks, Inc. All rights reserved.

Overview

The iboss Internet filtering appliance provides filtering up through Layer 7 and differentiated Internet filter sets to end systems based on a number of criteria, such as user Active Directory group membership, IP source ranges, and more. This document describes the integration process between the iboss Internet filter appliance, Active Directory (AD), and the Extreme Networks Mobile IAM (Identity and Access Management) solution.

Integrating iboss with Extreme Networks Mobile IAM provides the ability to define various locations within the network and then assign different access profiles and Internet filter sets to end systems based on those locations. This integration also permits iboss to assign Internet filters based on AD group membership to devices that do not traditionally authenticate into AD (iOS devices, Android devices, etc.).

Although this integration was tested only with Active Directory, iboss supports other directory services, and they should be configured and function similarly.

Pre-Requisites

- Extreme Networks NetSight 6.0 or above: NMS-XXX (e.g. NMS-10, the NetSight license for up to 10 devices and 100 thin APs).
- Extreme Networks NAC 6.0 or above: NAC-A-XX, NAC-V-XX or IA-ES-XX (e.g. IA-ES-1K, the Identity and Access 1,000 end-system license; IA licenses with appliance IA-A-XX require NMS-ADV-XXX NetSight Advanced licenses), with 802.1X or Web Authentication / Registration so that usernames are populated into NAC Manager.
- iboss Security appliance version 6.0.13.7 or later, integrated with Active Directory or another LDAP server.

iboss Operational Information

The iboss Internet Filtering Appliance can be installed in one of three ways to filter Internet content:

1. As a transparent bridge, in which the appliance is placed in-line with the Internet connection. In this mode the appliance is invisible to the end system and performs filtering by dropping the external traffic.
2. Via a port mirror on the switch where the Internet connection connects. iboss monitors traffic on this port and injects blocking packets as needed to filter traffic.
3. As an out-of-band proxy server, where end systems are configured to use the appliance as a standard web proxy/filter through their browser settings.

In all deployment scenarios, the iboss appliance can integrate with Active Directory. For domain member computers the appliance uses a client-based agent to provide single sign-on NTLM authentication. For end systems that do not participate in AD, the appliance can prompt the user for their AD credentials via the web browser or assign a default filter set to the end system. In this integration, we supply the AD account information for the end system to iboss instead of having the appliance prompt the end user for it. This provides a seamless experience for the end user as they roam between locations.

Once iboss knows which AD user account is associated with a particular IP address, it performs an account lookup in AD, iterates over the groups the account is a member of, and then matches those to preconfigured filter rule sets, called filter groups, based on the AD group name. The filter groups in the appliance are configured in a priority-ordered list, so the first filter group to match an AD group is the filter group applied to that end system's traffic. Each end system authenticated into iboss can have its own filter group setting.

How the Integration Works

Integration between iboss and Mobile IAM is accomplished via OneFabric Connect. Once installed, the OneFabric Connect iboss module is configured with connection information for the iboss appliance. The iboss appliance filter groups are configured with the appropriate information to match the desired AD group and location information. Mobile IAM is configured with matching location-based rules (or rules based on AD groups) using a specific naming syntax. This rule syntax permits iboss to apply the correct filter group to the end system's Internet traffic.

When an end system first connects to an IAM-enabled system, it is evaluated and an access rule is applied according to the criteria defined in the NAC rule set. If the end system is classified as unregistered, the OneFabric Connect iboss module takes no action. By definition, unregistered systems are unknown systems, and direct Internet access is not typically granted in this case. Any required Internet access (such as for self-remediation) is usually proxied by the NAC appliance.

Once the end system is registered to an AD account and re-authenticated, it is re-evaluated by NAC and the appropriate access rule is applied. The OneFabric Connect iboss module collects authentication, location and rule information on the end system and sends this to the iboss appliance. The iboss appliance parses this information and performs an account lookup in Active Directory on the AD account name provided by the OneFabric Connect iboss module. Finally, iboss applies the appropriate filter group to the end system's traffic based on the given user/location/AD group combination.

As the end system roams to another location, it is re-authenticated by NAC, and the OneFabric Connect iboss module again collects the appropriate information and sends it to iboss. iboss performs its actions and assigns the appropriate filter group to the end system's traffic. In this manner, the filter group assigned by iboss to the end system's traffic can change dynamically as the end system roams between locations.

Integration Configuration

This section details the steps necessary to install, configure, and test integration between Active Directory, iboss, and Mobile IAM in a hypothetical K-12 educational environment. The process for integration in other verticals is similar. For purposes of this text, it is assumed the reader has a technical understanding of the Extreme Networks Mobile IAM solution and the skills required to implement a typical LDAP-integrated deployment of Mobile IAM.

Integration of iboss and Mobile IAM can be accomplished in five steps:

1. Defining the needed user groups in Active Directory
2. Defining the various locations requiring differentiated access
3. Configuration of the iboss appliance
4. Installation and configuration of the OneFabric Connect integration services
5. Configuration of NAC

This document covers the primary considerations for each of the steps and provides step-by-step instructions for some of the processes involved. Other steps (including installing/configuring Windows Active Directory, installing NetSight, NAC, and other components) are outside the scope of this document and are omitted for brevity.

Step 1: Defining Groups in Active Directory

When considering an integration project, it is most important to first determine the various user populations you wish to define access for, and then place those populations into separate AD groups. In the case of our hypothetical K-12 environment, we will define two distinct sets of end users: staff and students. For this exercise, we will create two AD groups named All Students and All Staff. These groups contain all student and staff AD accounts respectively. Creating and managing AD groups and accounts is outside the scope of this document and not covered here.

Step 2: Defining Locations

Once you have determined the various end user populations and created/populated the AD groups, the next step is to determine what locations require differentiated access for each group. For the purposes of this exercise, we will provide three different iboss filter groups for students: one for instructional areas (classrooms), one for the cafeteria, and one for the gym. Staff will have two different iboss filter groups defined: one for instructional areas (classrooms) and one for everywhere else. Listing this location information by user group in a table is most helpful for visualizing our needs:

    AD Group        Location
    All Students    Instructional Areas
    All Students    Cafeteria
    All Students    Gym
    All Staff       Instructional Areas
    All Staff       Everywhere Else

Step 3: Configuring the iboss Appliance

There are three areas to configure on the iboss appliance to integrate with Active Directory and Mobile IAM, beyond the configuration needed for standard iboss operation. We will cover only those steps necessary for the integration and will not cover basic installation of the appliance.

Part A: Configure LDAP Settings

To log into the appliance, open a web browser and go to https://<ip address of appliance>. This presents the appliance logon screen. Provide the necessary credentials and click the Login button.

Once login is complete, you are presented with the main configuration menu. The first item we must configure is LDAP access for the iboss appliance so it can reach the AD domain controller. Select LDAP Settings under Network Settings to configure the Active Directory settings.

The LDAP settings page is divided into three sections. The top section contains global settings for the appliance. The default settings should work fine and do not need to be edited.

The middle section of this page is where you define the AD domain controller iboss will use, by specifying the LDAP parameters required for communication with that domain controller. Complete this section and then click the Add button to save the server definition.

Once the AD server is defined and added to the appliance, the bottom section of the screen lists the server definition you just created. Click the Done button to save the changes and complete the LDAP configuration.

Part B: Configure AD Plugin

The second item to be configured is the AD Plugin / NAC Agent. To do this, select the AD Plugin screen from the home page.

In the AD Directory / Network Access Controller Integration screen, leave the global values as they are and navigate to the bottom half of the screen, headed Registered AD Servers/NAC Agents. Here we add a description of the NetSight server and its IP address so that the iboss server will listen for updates sent by the NAC servers. The default settings can be used for Filtering Group and subnets unless directed otherwise by support. Once these settings are saved, this section is complete.

Part C: Configure Filters

The last items to configure are the filter groups that iboss assigns to traffic from end systems. A filter group is a set of network controls that define what website content categories, programs, QoS settings, and more are allowed or not allowed to pass through the appliance for a given connection. Filter groups are applied to end system traffic on an individual basis. For this exercise, we will define the individual filter groups in iboss, but will not cover how to configure the individual network controls for each filter group definition.

Access the Filter Group definition page by clicking on Users in the navigation menu on the left hand side of the page, then clicking the Groups submenu link. This brings the filtering group definition page into the right pane. There are five pages of definitions available for defining filter groups, and each page contains five filter group definitions, for a total of 25 available filter groups. Filter group #1 is the default filter group and should remain unchanged.

Define a filter group for each AD Group/Location combination (identified in Step 2 above) by specifying a name for each filter group using the format ADGroupName@Location. The @ symbol acts as a delimiter, so iboss can separate the AD group name from the location name. The specified group name must be identical to the name of the AD group as specified in Active Directory, and the location must be identical to the location name as defined in NAC. Spaces are allowed in both the AD group name and the name of the location. Referring to the table from Step 2, we will configure filter groups for each AD group/location combination as follows, with the staff filter groups (All Staff@Instructional Areas and All Staff) first:

Note that for the second staff filter group, All Staff, we have specified only an AD group in the filter group name and not a location. Because there is no location specified, iboss applies this filter group to any end system registered to AD accounts that are members of All Staff that are not in the Instructional Areas location. Using this syntax allows filter groups to be assigned to end systems based solely on AD group membership.

The next filter groups to define are the three AD group/location combinations for students: All Students@Instructional Areas, All Students@Cafeteria, and All Students@Gym.

As there are only five filter group definitions on each page, each page of definitions must be saved separately before moving on to the next page. Once you have defined the first five filters, click the Save button at the bottom of the page to save changes. Navigate to the next page of filter group definitions by clicking the arrow to the left of the drop down box at the top of the page:

Now add the remaining student group/location definition. Once this definition is added, be certain to click the Save button at the bottom of the page to save your changes. At this point we are finished with the configuration of iboss.

Step 4: Installing and Configuring OneFabric Connect

OneFabric Connect is an add-in element for NetSight that provides integration functionality between the NetSight Suite and various third-party devices and tools. OneFabric Connect is delivered as a module installed on the NetSight server (Windows or Linux) and configured for use with the desired device or tool. For purposes of this exercise, we will install and configure OneFabric Connect on a NetSight virtual appliance. Installation on a Windows server may have slightly different directory paths and filenames.

The first step is to copy the OneFabric Connect distribution file to the NetSight appliance. Log into the appliance as root and transfer the file to a folder on the appliance. The destination folder is not important, so in this case we will put the file in /root.

Connect to the console of the NetSight appliance via either the local console or SSH and copy the file to the directory /usr/local/extreme_networks/netsight. This can be done with the command

    cp /root/nms_ofconnect_x.xx.xx.jar /usr/local/extreme_networks/netsight

substituting the appropriate version number. Once copied, navigate to that directory with the command cd /usr/local/extreme_networks/netsight and verify the file is there with the command ls. Run the installer by typing the command

    /usr/local/extreme_networks/netsight/java/bin/java -jar NMS_OFConnect_x.xx.xx.jar -console

again substituting the appropriate version number. Note that the full path to java is required. Since the NetSight appliance is a headless computer, the installation is done entirely through an interactive command line. If NetSight is installed on a Windows server, remove the -console option from the command and a GUI will be used for configuration instead. Press 1 to continue.

A welcome message and some quick notes are displayed giving you information on the installation. Press 1 again to continue. Leave the default target path set; it should be /usr/local/extreme_networks/netsight. Press Enter to accept the default, then press 1 to continue. Select whether you are updating or doing a new installation. If this is a new installation, select that option by pressing 0 and then press 1 to continue.

In the OneFabric Connect settings, the user account used to connect to NetSight needs to be specified along with its password. Note that the password will be shown in clear text here. If needed, the password can be changed later, where it will be masked. The password is encrypted after the install. Accept the default entries for the Extreme NMS Server IP and URL. The installation will finish unpacking and should exit back to the command prompt.

The last thing that needs to be done is to restart NetSight. To do this, enter the command /usr/local/extreme_networks/netsight/scripts/stopserver.sh. After the command completes, enter the command /usr/local/extreme_networks/netsight/scripts/startserver.sh. These commands restart the NetSight services so that OneFabric Connect is started. This completes the installation of OneFabric Connect.

Now that OneFabric Connect is installed on the NetSight server, we must configure the iboss integration module for use with our iboss appliance. Open a web browser and navigate to https://{ip of NMS Server}:8443/fusion_jboss/ to access the OneFabric Connect login page. Log into OneFabric Connect as root using the root password for the NetSight appliance.

The General tab of the OneFabric Connect configuration page is displayed first after login. Click on the iboss Client tab to access the iboss appliance configuration settings. In the field labeled iboss Server IP address, enter the IP address of the iboss appliance, then click on the Save link to the right of the field. The default iboss web service port is 8015 and does not need to be changed.

The iboss Key field holds the unique access key for the iboss appliance; this key can be found inside the management interface of the iboss appliance. In iboss, click on Network in the navigation menu on the left hand side of the page and then click the AD Plugin submenu item. The key is the second item listed on this page. Copy and paste this key into the iboss Key field in the OneFabric Connect iboss module and then click the Save link to the right of the field to save the key.

The last item to configure for the OneFabric Connect iboss module is to enable the module. Under the General Module Configuration section, change the dropdown labeled Module enabled: to read True, then click the Save link to the right of the dropdown to save the change. At this point the configuration of the OneFabric Connect iboss module is complete.

It is necessary to stop and restart the NetSight services again for the configuration changes to take effect. Restart the services from the server console using the same commands used when first installing OneFabric Connect. Be certain to allow a few minutes for all NetSight services to come fully up before continuing to the next step.

Step 5: Configuration of NAC

The final step in configuring the integration of iboss and Mobile IAM is to create the location definitions, set up NAC for Active Directory access via LDAP, and configure access rules for each AD group/location combination. This document covers the last item in detail but will not cover LDAP profile creation, role creation, the creation of locations, or other typical NAC configuration considerations. Recall our table of groups and locations from Step 2:

    AD Group        Location
    All Students    Instructional Areas
    All Students    Cafeteria
    All Students    Gym
    All Staff       Instructional Areas
    All Staff       Everywhere Else

Our first step is to create an LDAP user group in NAC to represent each AD group used for assigning access. For this exercise we will create the NAC group Students (which maps to the AD group All Students) and Staff (which maps to the AD group All Staff). Next, create locations in NAC to represent the locations listed in Step 2. For this exercise we will create three NAC locations: Cafeteria, Gym, and Instructional Areas. We will not need a specific NAC location for everywhere else, but instead will create a general rule to assign access for those end systems.

Now we are ready to create the access rules to assign policy according to locations. The first rule we will create is for All Students in Instructional Areas. The name of the rule is significant and must be specified using this particular syntax: put the AD group name this rule refers to on the left side of the @ symbol, and the location this rule applies to on the right side. The @ symbol acts as a delimiter that allows OneFabric Connect to determine which part of the rule name is which, and must be specified in this fashion. Since this rule applies to All Students in the Instructional Areas location, the rule name becomes All Students@Instructional Areas. Failure to name your rules in this manner will prevent the integration from working properly.

Next, create the rule for All Students in the Cafeteria and All Students in the Gym using the same syntax. Note that in all three cases we are assigning the same NAC profile to members of All Students. From a network perspective these rules are for student end systems and thus all assign the same rate limits, layer 3-4 filters, etc., regardless of the location the end system is in. What is different about each of these rules is the location of the end system and the filter group that iboss assigns to the end system traffic.

Finally, create the two Staff access rules. The rule for All Staff in Instructional Areas follows the same format as the student rules:

The final rule is different in how it is named; because there is no specific location information provided, we name the rule using just the name of the AD group itself. Recall that when we configured the filter groups in iboss we created a filter group with just the AD group name of All Staff. Because there is no location specified, iboss applies that filter group to any end system registered to AD accounts that are members of All Staff that are not otherwise in a defined location. Naming the rule without the @ symbol or location name tells OneFabric Connect to omit the location when making the call to iboss. Using this naming syntax allows filter groups to be assigned to end systems based solely on AD group membership. Because this rule is more general than the previous staff access rule, it must be located below the All Staff@Instructional Areas rule in the NAC configuration in order to work correctly.
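The ADGroupName@Location convention is shared by the iboss filter groups (Step 3, Part C) and the NAC access rules above, and both depend on priority ordering. The following is an added example, not code from Extreme Networks, iboss or OneFabric Connect: it models the matching behaviour the guide describes (the @ delimiter, the group-only fallback, first-match ordering) so a planned list of names can be checked for ordering mistakes before it is entered; the "Default" fallback name and the helper names are assumptions.

```python
"""Model of the ADGroupName@Location naming convention used by iboss filter
groups and NAC access rules.

Added example, not vendor code. It reproduces the matching semantics the
guide describes: exact AD group / NAC location names, '@' as the delimiter,
a name without '@' acting as a location-less fallback, and the first match
in configured priority order winning. "Default" stands in for filter group #1.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DELIMITER = "@"


@dataclass(frozen=True)
class RuleName:
    ad_group: str
    location: Optional[str]  # None for a group-only name such as "All Staff"


def parse_rule_name(name: str) -> RuleName:
    """Split "All Students@Instructional Areas" into AD group and location.

    Spaces are allowed on both sides, names must match AD and NAC exactly,
    and a name with no '@' is a group-only rule (location omitted).
    """
    if name.count(DELIMITER) > 1:
        raise ValueError(f"{name!r}: at most one {DELIMITER} is allowed")
    group, sep, location = name.partition(DELIMITER)
    group, location = group.strip(), location.strip()
    if not group or (sep and not location):
        raise ValueError(f"{name!r}: AD group and location must be non-empty")
    return RuleName(group, location if sep else None)


def matches(rule: RuleName, ad_groups: Sequence[str], location: str) -> bool:
    """Exact AD-group match; a location-less rule matches any location."""
    if rule.ad_group not in ad_groups:
        return False
    return rule.location is None or rule.location == location


def select_filter_group(filter_groups: Sequence[str], ad_groups: Sequence[str],
                        location: str, default: str = "Default") -> str:
    """Return the first filter group, in configured priority order, whose name
    matches the end system's AD groups and current NAC location."""
    for name in filter_groups:
        if matches(parse_rule_name(name), ad_groups, location):
            return name
    return default  # assumed stand-in for iboss filter group #1


def shadowed_rules(rule_names: Sequence[str]) -> List[Tuple[str, str]]:
    """Find ordering mistakes: a group-only rule placed above a Group@Location
    rule for the same group swallows every match, so the specific rule can
    never fire. Returns (general, specific) pairs for each such case."""
    parsed = [parse_rule_name(n) for n in rule_names]
    problems = []
    for i, general in enumerate(parsed):
        if general.location is not None:
            continue
        for j in range(i + 1, len(parsed)):
            specific = parsed[j]
            if specific.ad_group == general.ad_group and specific.location is not None:
                problems.append((rule_names[i], rule_names[j]))
    return problems


# Constructed sample mirroring the guide's Step 2 table, in the priority order
# the guide prescribes (the specific staff rule above the general one).
FILTER_GROUPS = [
    "All Staff@Instructional Areas",
    "All Staff",
    "All Students@Instructional Areas",
    "All Students@Cafeteria",
    "All Students@Gym",
]

if __name__ == "__main__":
    # Walk the roaming sequence used in "Testing the Integration".
    for user, groups in (("staff1", ["All Staff"]), ("student1", ["All Students"])):
        for loc in ("Instructional Areas", "Cafeteria", "Gym"):
            print(f"{user:9s} {loc:20s} -> {select_filter_group(FILTER_GROUPS, groups, loc)}")
    # A misordered staff list: the general rule hides the specific one.
    print("shadowed:", shadowed_rules(["All Staff", "All Staff@Instructional Areas"]))
```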

Testing the Integration

The final step is to test the integration. As with all NAC installations, you should test each access rule to ensure the correct NAC rules and iboss filter groups are assigned to end systems based on end system registration and current location. For purposes of this exercise we have created two AD accounts: staff1 and student1. The staff1 account is a member of the All Staff AD group and student1 is a member of All Students. Each account will have one end system registered through the normal Mobile IAM registration process. iboss can display information about the filter groups it assigns to end systems from its web interface. We will use both NAC Manager and the iboss management interface to confirm our integration configuration.

First we will locate both end systems so they connect from the Instructional Areas location. From the Identity and Access tab of OneView we can see that the correct rules have been applied to each end system:

To see the corresponding information in iboss, open the management interface and click on Users in the navigation menu on the left hand side of the page, then click the Computers submenu item. Our information is listed in the Detected Computers section of this page. Note that both NAC and iboss list the same end system IP address, filter set name, and AD user name for each end system. This indicates that the integration is working and our configuration is correct.

Next we move both end systems so they connect from the Cafeteria location. Looking at the end systems in NAC Manager confirms the end systems have changed location by triggering different access rules:

To see the updated information in iboss, refresh the page by clicking the refresh button. Again iboss reflects the same information as reported in NAC Manager. Both end systems have different filter groups assigned than were assigned while they were in the previous location. Note that the filter group and NAC rule applied to the end system registered to staff1 do not have location information. This assignment reflects only the registered user's AD group membership, which is in line with our table from Step 2.

Now we test the final location configuration by moving the end systems so they connect from the Gym location:

Again, click the Refresh button in iboss to see the updated information. Again we see that the information from iboss tracks that in NAC Manager. This indicates that the integration is working and the two systems are configured properly. Note that the filter group and NAC rule applied to the end system registered to staff1 did not change between the Cafeteria and Gym locations, but they did change for the end system registered to student1. Recall from Step 2 that the only differentiation desired for staff end systems was between Instructional Areas and Everywhere Else.

This completes the integration between Active Directory, iboss, and Mobile IAM.

Appendix A: Troubleshooting / FAQ

To verify that NetSight is sending updates correctly for a user, a diagnostics option can be turned on from the iboss server. To do this, log out the example user from the Users tab in iboss. After logging out the user, navigate to the Active Directory / Network Access Controller Integration page. In the global settings, enter the username that you want to troubleshoot into Diagnostic Username Filter and select Apply.

The next time the user connects to the network and an update is sent to iboss, the Request Info field will populate with the web request information sent from the NetSight server. This information can be used to verify that the NetSight server is sending both the correct username and the correct location for the user. To disable the diagnostics for this user, clear the Diagnostic Username Filter and press Apply.