Configuration Guide
# Auth & Accounts
The controller supports binding an authentication server and making the relevant authentication-related configurations.

Note: This chapter only configures the authentication server. In actual network usage scenarios, switches proxy the authentication of wired terminals and APs proxy the authentication of wireless terminals, so the authentication functions of switches and APs need to be configured separately in the wired service configuration and the wireless service configuration.

## Bind NAC

The authentication server first needs to be brought online in the entity through background configuration, and then bound to the venue under that entity.

### Online to the entity

1. Enter the entity, click \[Auth & Accounts] > \[Copy Entity ID], and the entity ID is copied to the clipboard.
2. On the authentication server, modify the NAC agent related configuration in `/opt/openwisp2/openwisp2/settings.py`:

   ```python
   NAC_AGENT = {
       'mgmt_interface': 'ethernet0',
       'firmware_version': 'v1.0.0',
       'build_number': 1002,
       'entity_id': '3d8bdc44-e96a-4feb-8cf0-328a6a23b976',  # entity_id: the associated organization ID, obtained from the controller
   }
   WEBSOCKET_SERVER = {
       'host': '192.168.0.91',  # host: controller IP address
       'port': 15008,
       'use_ssl': True,
       'ssl_verify': False,
       'heartbeat_interval': 60,
       'websocket_ca_cert': '/opt/openwisp2/nac_agent/certs/ca.crt',
   }
   ```

3. Start the ucentral service:

   ```shell
   systemctl enable openwisp-nac-agent.service
   systemctl start openwisp-nac-agent.service
   ```

4. Restart the authentication service:

   ```shell
   sudo supervisorctl restart openwisp2
   ```

After the configuration is completed, you can see that the authentication server is online in the specified organization.

### Bind to the venue

After the authentication server is online in the entity, all venues within the entity can be bound to this server.

Enter the venue and click \[Configuration] > \[Auth & Accounts]. Click the connected authentication server and click \[Save] to bind the server to the venue.
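Before the agent is started, it is worth checking the two settings dictionaries for the values that most often go wrong: an entity ID that was not pasted as a UUID, and a WebSocket link to the controller that is encrypted but does not verify the controller's certificate. The following script is an added example, not part of this guide or of the OpenWISP project; the dictionary and key names (NAC_AGENT, WEBSOCKET_SERVER, entity_id, ssl_verify, ...) are assumed to match the settings.py layout shown above, `ssl_verify: False` is taken to mean certificate verification is skipped, and the sample values are constructed.

```python
"""Sanity checks for the NAC agent / WebSocket settings (added example, not project code)."""
import uuid

# Constructed sample mirroring the layout of the settings shown in the guide.
# Key names are assumed; the entity_id and host values are placeholders.
NAC_AGENT = {
    'mgmt_interface': 'ethernet0',
    'firmware_version': 'v1.0.0',
    'build_number': 1002,
    'entity_id': '3d8bdc44-e96a-4feb-8cf0-328a6a23b976',
}
WEBSOCKET_SERVER = {
    'host': '192.168.0.91',
    'port': 15008,
    'use_ssl': True,
    'ssl_verify': False,   # weak: the controller certificate is never checked
    'heartbeat_interval': 60,
    'websocket_ca_cert': '/opt/openwisp2/nac_agent/certs/ca.crt',
}


def check_nac_settings(nac_agent: dict, websocket_server: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing needs fixing."""
    findings = []

    # entity_id is the organization ID copied from the controller; anything
    # that is not a UUID means the agent will never be matched to the entity.
    try:
        uuid.UUID(str(nac_agent.get('entity_id', '')))
    except ValueError:
        findings.append("entity_id is not a valid UUID; copy it from [Auth & Accounts] > [Copy Entity ID]")

    if not nac_agent.get('mgmt_interface'):
        findings.append("mgmt_interface is empty")

    if not websocket_server.get('host'):
        findings.append("host is empty; set the controller IP address")

    port = websocket_server.get('port')
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"port {port!r} is not a valid TCP port")

    # Transport security: encryption without verification still lets anyone
    # who can intercept the path impersonate the controller to the agent.
    if not websocket_server.get('use_ssl'):
        findings.append("use_ssl is False: agent traffic to the controller is unencrypted")
    elif not websocket_server.get('ssl_verify'):
        findings.append("ssl_verify is False: the controller certificate is not checked, so websocket_ca_cert is not enforced")
    elif not websocket_server.get('websocket_ca_cert'):
        findings.append("ssl_verify is True but websocket_ca_cert is empty")

    heartbeat = websocket_server.get('heartbeat_interval')
    if not isinstance(heartbeat, int) or heartbeat <= 0:
        findings.append("heartbeat_interval must be a positive number of seconds")

    return findings


def hardened(websocket_server: dict) -> dict:
    """Copy of the WebSocket settings with encryption and certificate verification on."""
    fixed = dict(websocket_server)
    fixed['use_ssl'] = True
    fixed['ssl_verify'] = True
    return fixed


if __name__ == '__main__':
    for finding in check_nac_settings(NAC_AGENT, WEBSOCKET_SERVER) or ['no findings']:
        print('-', finding)
```

Run against the values from the guide the only finding is the disabled certificate verification; after `hardened()` the list is empty, provided the CA certificate at `websocket_ca_cert` really is the one that issued the controller's certificate.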
## Configuration

The authentication configuration is carried out at the venue.

### User group

- **User group name**: The unique identifier of a user group, used for management and identification.
- **Auth type**: The authentication method that users in this group must use when logging into the network. Users can choose between username/password authentication and MAC address authentication according to their needs.
- **Priority**: When a user belongs to multiple groups or there are conflicting rules, this determines which group's permissions take effect. The larger the number, the higher the priority.
- **Max number of online clients per user**: Limits the number of devices that each user account in this group can connect to the network simultaneously.
- **Account expiration timestamp**: Sets the overall validity period for the entire user group; the group automatically expires after the period ends.
- **Group permission – ACL table name**: Binds an access control list (ACL). An ACL is a pre-configured set of network access rules (such as allowing/denying access to a certain server or network segment).
- **Group permission – VLAN ID**: Specifies which VLAN the users in the group are assigned to after successful authentication.
- **Password cycle**: Sets the validity period of the user password. During the password retention period, authentication is completed automatically through device MAC authentication and the user does not need to re-enter the password. The password must be re-entered after it expires.
- **OAuth e-mail domain**: The email suffix bound to this group during OAuth login, for example @asterfusion.com.
- **Description**: Group description information.

Note: The Priority and Group permission – ACL table name functions are not supported in version v9 for the time being.

### User

- **User group name**: Select the created user group.
- **User name**: The user's unique identifier, used for management and identification.
- **E-mail**: User email; currently only serves a display purpose.
- **Phone number**: User's phone number, which currently only serves a display purpose.
- **Description**: User description information.
- **User password**: User password. When the authentication type of the selected user group is user password, a password must be created.
- **MAC**: When the user group uses MAC authentication, the MAC address must be filled in.

### NAS (Network Access Server)

The authentication server only responds to authentication requests from allowed network segments with a matching secret.

- **NAS IP addr**: Fill in the address range allowed for access authentication. The access authentication point for wired terminals is the switch, and for wireless terminals it is the AP.
- **Secret**: Must be the same as the "Wi-Fi Configuration / Network Activation / SSIDs / RADIUS / Authentication Secret" in this venue.

### Block access

Block access supports blocking by username and by MAC address.
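The user group, user and NAS fields above describe a small policy: a NAS is only answered if its address falls in an allowed range and its secret matches, the highest-priority group wins when a user is in several groups, a session is refused once the group has expired or the per-user client limit is reached, and inside the password cycle a device is re-authenticated by MAC without a password prompt. The script below is an added example that models those rules as plain functions; it is not code from the controller or the authentication server, the dataclass field names are constructed, and the sample groups, NAS entries and timestamps are made up for the demonstration.

```python
"""Model of the NAS allowlist and user-group rules from the guide (added example, not project code)."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Nas:
    ip_range: str   # "NAS IP addr": switch or AP addresses allowed to send auth requests
    secret: str     # must equal the venue's RADIUS authentication secret


@dataclass
class UserGroup:
    name: str
    auth_type: str              # "password" or "mac"
    priority: int               # larger number wins when a user is in several groups
    max_online_clients: int     # per user account
    expires_at: int             # account expiration timestamp (unix seconds) for the whole group
    vlan_id: int                # VLAN assigned after successful authentication
    password_cycle: int         # seconds a password login stays valid for the device's MAC


def nas_allowed(nas_list: list[Nas], source_ip: str, secret: str) -> bool:
    """Answer only requests from an allowed range whose secret matches (constant-time compare)."""
    addr = ipaddress.ip_address(source_ip)
    for nas in nas_list:
        if addr in ipaddress.ip_network(nas.ip_range, strict=False):
            return hmac.compare_digest(nas.secret.encode(), secret.encode())
    return False  # unknown NAS: silently ignored, as the guide describes


def effective_group(groups: list[UserGroup]) -> UserGroup:
    """When a user belongs to several groups, the largest priority decides whose permissions apply."""
    return max(groups, key=lambda g: g.priority)


def session_allowed(group: UserGroup, now: int, online_count: int) -> tuple[bool, str]:
    """Check group expiry and the per-user online client limit before admitting a new device."""
    if now >= group.expires_at:
        return False, "user group expired"
    if online_count >= group.max_online_clients:
        return False, "max number of online clients reached"
    return True, f"assigned VLAN {group.vlan_id}"


def needs_password(group: UserGroup, last_password_login: Optional[int], now: int) -> bool:
    """Within the password cycle the device is re-authenticated by MAC only."""
    if group.auth_type == "mac":
        return False
    if last_password_login is None:
        return True
    return now - last_password_login >= group.password_cycle


# Constructed sample data for the demonstration.
NAS_LIST = [Nas("192.168.10.0/24", "venue-radius-secret"), Nas("10.20.0.0/16", "ap-secret")]
STAFF = UserGroup("staff", "password", priority=10, max_online_clients=3,
                  expires_at=2_000_000_000, vlan_id=20, password_cycle=7 * 24 * 3600)
GUEST = UserGroup("guest", "mac", priority=1, max_online_clients=1,
                  expires_at=1_700_000_000, vlan_id=99, password_cycle=0)


def demo() -> dict:
    """Walk one user through the policy; returns the decisions so they can be checked."""
    now = 1_750_000_000
    group = effective_group([GUEST, STAFF])
    return {
        "nas_ok": nas_allowed(NAS_LIST, "192.168.10.7", "venue-radius-secret"),
        "group": group.name,
        "session": session_allowed(group, now, online_count=2),
        "password_prompt": needs_password(group, now - 3600, now),
    }


if __name__ == "__main__":
    print(demo())
```

Two details are deliberate: `ipaddress.ip_network(..., strict=False)` accepts a host address such as `192.168.10.1/24` the way an operator would type it, and `hmac.compare_digest` keeps the secret check constant-time so a wrong secret from an allowed range does not leak how many characters matched.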
