Authentication

Different environments require different authentication methods. By default FMADIO capture systems use built-in BASIC authentication over HTTP. This makes configuration and setup simple, but it is a very weak security setting.

Supported Authentication

  • BASIC (insecure)

  • HTTPS Only + BASIC

  • RADIUS

  • Active Directory (SSO via OAUTH 2.0)

  • Google Cloud (SSO via OAUTH 2.0)

  • Ping Identity Cloud (SSO via OAUTH 2.0)

HTTPS Only

By default both HTTP and HTTPS are enabled on the GUI. In any security-sensitive setting HTTP needs to be disabled, as it is an unencrypted protocol. To disable HTTP, edit the config file

General Config

/opt/fmadio/etc/time.lua

Find the "Security" section as follows

["Security"] =
{
    ["HTTPAccess"] = "enable",
    ["Auth"] = "BASIC",
    ["ConfigAccess"] = "full",
    ["GUIMode"] = "full",
},

Change the "HTTPAccess" setting from "enable" to false as follows

Save the file

Restart Nginx

Then restart nginx as follows

NGINX will restart automatically within 60 seconds with the updated configuration. After that, only HTTPS access is possible.

SSO configuration is more involved; please contact [email protected] and we can walk you through the setup personally.

RADIUS

FW: 7563+

We support RADIUS authentication using the freeradius client. Configuration is as follows.

General Config

Edit the configuration file

Find the "Security" section, example shown below

Disable HTTP Access

Change the following; this disables the HTTP protocol

Change the following; this enables RADIUS as the authentication method

Configure your RADIUS login information

Finally, the Timeout: this is how long the system waits before it automatically logs the user out and requires them to re-authenticate. The value is in nanoseconds; scientific notation and a formula are both accepted. Per the example below, 24 hours * 60 min * 60 sec * 1e9 (nanoseconds)

Restart Nginx

Restart nginx as follows; it will respawn automatically within 60 seconds.

Login

You should see a login page when accessing FMADIO as follows

TROUBLESHOOTING

If there are problems, confirm the RADIUS connection from the CLI using radclient; an example follows.

Active Directory (SSO via OAUTH 2.0)

FW:7608+

FMADIO Capture devices can authenticate users against Active Directory via the OAUTH 2.0 protocol. This enables Single Sign On with ADFS.

Public IP Testing

In the following example we used a reverse SSH tunnel to temporarily put the FMADIO system on a public IP, as Azure Active Directory services require an internet-accessible device for the redirect_uri.

For an On Premise Active Directory server this is not required.

Example Reverse SSH Tunnel

NOTE: the SSH tunnel should not use localhost, as all localhost-sourced requests bypass authentication. Instead use the IP address of the management interface.

General Config

Start by editing the general FMADIO configuration file

Then set HTTP (un-encrypted) access to "disable" and the Auth method to "OAUTH", as shown in the example below. The other security fields can be left as is.

Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua

OAUTH Config

Next create a file name

This file contains the ADFS OAUTH End points as follows

These fields come from the ADFS Endpoint URI information, for example as follows. We created an fmadio sign-in entry; its client_id is the one entered above.

The "discovery" config in the above needs to be the OpenID Connect Metadata document, as seen below.

The "client_id" is shown below.

The "client_secret" in the above config needs to be the Value shown below, not the Secret ID.

Finally the "redirect_uri" needs to be registered as follows.

Once config is complete, please confirm no syntax errors by running

Correct output is as follows; if there are any syntax errors, please correct them.

Restart nginx

Restart nginx to load the new configuration file by killing the process as shown below. It will respawn automatically via a 1-minute cron job.

Logging in

Next point a browser to the FMADIO device, it should redirect you to the Active Directory login page as follows.

Log in to the system using your Azure / Microsoft credentials. The FMADIO device dashboard will then be shown as below.

Logout

Logging out works the same way, using the logout button shown below.

Then choose an account to sign out of

Google Cloud (SSO via OAUTH 2.0)

FW:7608+

While less practical, as it is typically intended for publicly accessible sites, it can be used with a Google Cloud VPC to tunnel authentication requests from a private network to Google Cloud infrastructure.

In this example we simply use a reverse SSH tunnel to put an FMADIO system onto the public internet (strongly discouraged) for demonstration purposes only.

General Config

Start by editing the general FMADIO configuration file

Then set HTTP (un-encrypted) access to "disable" and the Auth method to "OAUTH", as shown in the example below. The other security fields can be left as is.

Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua

OAUTH Config

Next create a file name

This file contains the Google Cloud OAUTH End points as follows.

The "clientid" and "client_secret" need to be replaced with the authentication information generated by Google, per below. The above is a throw-away example only.

Google Credentials

Next generate Google OAUTH credentials as follows.

Then fill in the information as follows. Google is stricter and requires TLD endpoints, not raw IPs.

Which results in the following secret information

Update the oauth_opts.lua file above with the information

Restart nginx

Restart nginx to load the new configuration file by killing the process as shown below. It will respawn automatically via a 1-minute cron job.

Logging In

Next point the browser to the FMADIO device and it will redirect to the Google sign-in page.

Log in using your Google account, and it will redirect you to the FMADIO dashboard.

For any further questions, please contact [email protected] for assistance.

Ping Identity (SSO via OAUTH 2.0)

FW:7608+

Ping Identity is a popular on-premises authentication system, typically used in large organizations. We support Single Sign On with their product suite; below is an example configuration using their Cloud Services. This example uses a reverse SSH tunnel to put the FMADIO device on a publicly accessible IP (which we strongly discourage) for demonstration purposes only, to replicate setting up an On Premise install.

General Config

Start by editing the general FMADIO configuration file

Then set HTTP (un-encrypted) access to "disable" and the Auth method to "OAUTH", as shown in the example below. The other security fields can be left as is.

Save the file and ensure there are no parse errors by running fmadiolua /opt/fmadio/etc/time.lua

OAUTH Config

Next create a file name

This file contains the Ping Identity OAUTH End points as follows.

The "clientid" and "client_secret" need to be replaced with the authentication information generated in the Ping Identity interface, per below. The above is a throw-away example only.

Ping Identity Credentials

We set up a web application using the Ping Identity interface as follows. The key fields are shown in red.

These fields are mapped directly into the oauth_opts.lua configuration file above.
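Before restarting nginx in any of the three OAUTH setups on this page (Active Directory, Google Cloud and Ping Identity), it is worth checking the values that go into oauth_opts.lua. The shell script below is an added example, not FMADIO's code and not part of the product: it confirms that the document behind "discovery" is an OpenID Connect metadata document carrying the endpoints the authorization code flow needs, and that the "redirect_uri" uses HTTPS, does not point at localhost (which the device treats as an unauthenticated source) and, for Google, uses a domain name rather than a raw IP. The function names and the constructed sample metadata document are assumptions.

```shell
#!/bin/sh
# Added example, not FMADIO's code: pre-flight checks for the values that go
# into oauth_opts.lua. Function names and the sample document are assumptions.

# Constructed sample of an OpenID Connect metadata document (the "discovery"
# URL of the identity provider returns one of these). Only the keys matter.
SAMPLE_DISCOVERY='{
  "issuer": "https://idp.example.com/",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys"
}'

# check_discovery_doc: reads a metadata document on stdin and confirms it
# carries the endpoints the OAuth 2.0 authorization code flow needs.
# Real use:  curl -fsS "$DISCOVERY_URL" | check_discovery_doc
check_discovery_doc() {
    doc=$(cat)
    for key in issuer authorization_endpoint token_endpoint jwks_uri; do
        if ! printf '%s' "$doc" | grep -q "\"$key\""; then
            echo "discovery document is missing \"$key\"" >&2
            return 1
        fi
    done
    return 0
}

# check_redirect_uri: the URI registered with the identity provider must be
# HTTPS (HTTP access is disabled on the device) and must not be localhost.
check_redirect_uri() {
    uri="$1"
    case "$uri" in
        https://localhost*|https://127.*|'https://[::1]'*)
            echo "redirect_uri must not point at localhost: $uri" >&2
            return 1 ;;
        https://*) return 0 ;;
        *)
            echo "redirect_uri must use https://: $uri" >&2
            return 1 ;;
    esac
}

# check_redirect_uri_hostname: Google additionally requires a domain name
# (with a TLD) rather than a raw IP address in the redirect_uri.
check_redirect_uri_hostname() {
    host=$(printf '%s' "$1" | sed -e 's#^https://##' -e 's#[:/].*$##')
    case "$host" in
        *[!0-9.]*) ;;   # contains something other than digits and dots
        *)
            echo "redirect_uri host is a raw IP, not a domain: $host" >&2
            return 1 ;;
    esac
    case "$host" in
        *.*) return 0 ;;
        *)
            echo "redirect_uri host has no TLD: $host" >&2
            return 1 ;;
    esac
}

# Demo on the constructed sample (stand-alone run):
printf '%s' "$SAMPLE_DISCOVERY" | check_discovery_doc && echo "discovery: ok"
check_redirect_uri "https://fmadio.example.com/callback" && echo "redirect_uri: ok"
```

On the device, pipe the real "discovery" URL through check_discovery_doc with curl and run check_redirect_uri on the exact string you registered with the provider; a mismatch between the registered value and the one in oauth_opts.lua is the most common reason the browser never reaches the FMADIO dashboard after sign-in.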

Restart nginx

Restart nginx to load the new configuration file by killing the process as shown below. It will respawn automatically via a 1-minute cron job.

Logging In

Next point the browser to the FMADIO device and it will redirect to the Ping Identity SSO login page as follows.

After a successful authentication the FMADIO dashboard is shown.

For any further questions or problems, please contact us at [email protected].

PAM LDAP

FW: 8529+

FMADIO systems support Linux PAM ( https://github.com/linux-pam/linux-pam ) as an authentication method. One option for centralized authentication is to use LDAP via PAM.

1) First run fmadiocli settings to set the authentication method

https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-auth

2) We also strongly recommend disabling HTTP access, as all usernames / passwords are otherwise sent over un-encrypted HTTP

https://docs.fmad.io/fmadio-documentation/cli-reference/fmadiocli#config-security-http

3) Configure LDAP client nslcd. Copy the default config file as follows

The default config looks like the following

NOTE: ensure the permissions of

are set to root.root and owner-only read/write.

Otherwise nslcd will fail to start due to insecure permissions.

Modify the uri, base and any other LDAP-specific settings to match the environment and save the file.
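The permission requirement in step 3 is easy to get wrong when the file is copied or edited as a different user. The shell script below is an added example, not part of FMADIO's or nslcd's tooling: it checks that /etc/nslcd.conf is owned by root.root with owner-only read/write (mode 600) and can apply those permissions, re-checking afterwards. The function names are assumptions; the optional owner and mode arguments exist only so the check can be exercised against a scratch file without root.

```shell
#!/bin/sh
# Added example, not FMADIO's or nslcd's own tooling: verify (and optionally
# fix) the ownership and mode of /etc/nslcd.conf before rebooting, so nslcd
# does not refuse to start on insecure permissions. Function names are
# assumptions.

# check_config_perms FILE [OWNER:GROUP] [MODE]
# Returns 0 when FILE is owned by OWNER:GROUP (default root:root) and has the
# octal mode MODE (default 600, owner read/write only). Reports every mismatch.
check_config_perms() {
    file="$1"
    want_owner="${2:-root:root}"
    want_mode="${3:-600}"
    if [ ! -f "$file" ]; then
        echo "$file: no such file" >&2
        return 1
    fi
    have_owner=$(stat -c '%U:%G' "$file") || return 1
    have_mode=$(stat -c '%a' "$file") || return 1
    status=0
    if [ "$have_owner" != "$want_owner" ]; then
        echo "$file: owned by $have_owner, expected $want_owner" >&2
        status=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$file: mode $have_mode, expected $want_mode" >&2
        status=1
    fi
    return $status
}

# fix_config_perms FILE [OWNER:GROUP] [MODE]
# Applies the expected ownership and mode, then re-runs the check so the
# caller gets a definite answer rather than trusting chown/chmod blindly.
fix_config_perms() {
    file="$1"
    want_owner="${2:-root:root}"
    want_mode="${3:-600}"
    chown "$want_owner" "$file" || return 1
    chmod "$want_mode" "$file" || return 1
    check_config_perms "$file" "$want_owner" "$want_mode"
}

# Typical use on the device (as root), after copying the default config:
#   check_config_perms /etc/nslcd.conf || fix_config_perms /etc/nslcd.conf
```

The check deliberately rejects modes such as 640 or 644: nslcd.conf carries the LDAP bind credentials, and any group or world read access is exactly what nslcd refuses to start with.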

4) Reboot the system

5) Check LDAP connectivity

changing the username / domain / IP address etc. to match your environment

Successful authentication looks like the following

Once this is working, members of the SSH, WWW-Admin and WWW-User LDAP posix groups can log in to the system.

The LDAP posixGroups are

fmadio-ssh-admin - for SSH access

fmadio-www-admin - for WWW admin access (can change anything)

fmadio-www-user - for WWW user access (monitoring and pcap downloading)

6) Both SSH and WWW are now fully configured to use LDAP as centralized authentication.

LDAP Optional

Some environments require a notice when logging in, such as the following

This can be customized as follows

1) copy the default template

2) Edit the content of

3) restart nginx

Kill nginx and wait 60 seconds for it to restart.

Troubleshooting

Configuration usually does not go as planned; here are some tips to try.

1) Run nslcd in the foreground

This checks that the /etc/nslcd.conf configuration file is working correctly and exposes either config typos or LDAP server problems.

Once it is running, ensure local lookups work correctly as follows

2) Check nginx config files

The nginx log files are located in

Any errors there may help in understanding the issue.

3) Check the syslog file for PAM logs

This prints all PAM log messages and may help with debugging.
