Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC

Alan DeKok aland at deployingradius.com
Sun Jul 8 22:43:25 CEST 2007


Sean.Boran at swisscom.com wrote:
> I just came across your blog post commenting on the release of the 2.0
> version of freeradius. I was kind of surprised by the upcoming support
> of VMPS.

  <shrug>  It was pretty easy to do, and some people said it would be
useful.

> While trying to know more, I also found a post commenting on OpenVMPS
> (http://lists.cistron.nl/pipermail/freeradius-users/2007-May/063152.html
> ) and I have to say that I've been really disappointed by what you
> wrote. I really didn't expect that animosity or that amount of FUD
> coming from you.

  Take a look at this:

http://lists.cistron.nl/pipermail/freeradius-users/2006-August/056121.html

  FreeNAC is announced:  "The 'plan' is for the project to move forward
to eventually become THE OpenSource Enterprise tool for dynamic VLAN
assignment and LAN/WLAN authentication."

  Uh... right.  FreeRADIUS hasn't been doing that already for nearly a
decade?  FreeRADIUS is *crushing* Cisco and Microsoft in the AAA space.
 It's doing LAN & WLAN authentication daily for hundreds of millions of
users.  There is *nothing* in the WLAN authentication space (open source
or otherwise) that competes with FreeRADIUS.  I *regularly* hear about
sites with 10+ million users switching to FreeRADIUS.

  And FreeNAC is going to become "THE" project for LAN & WLAN
authentication... by "tying in" FreeRADIUS as a subsidiary project?

  Honestly, what reaction did you expect?

  It's one thing to say "we've written a web gui that administers VMPS
and RADIUS".  It's another thing *entirely* to say that a project funded
by a large company is going to "tie in" FreeRADIUS, and become "THE"
market leader in the space.

  Don't get me wrong, Swisscom is a good company with smart people.  But
the announcement on the freeradius-users list was a little much.

> - This project has been, from the start, a GPL project, sources have
> always been published. Just because an OpenVMPS binary is there doesn't
> mean there's no source : look into the contrib directory.

  I was rather surprised to see that the compiled binaries were checked
into CVS, and that the official releases included pre-compiled binaries.
 It's not the usual "open source" way of doing things.

> - The main sponsor is effectively Swisscom Innovations, but there's no
> need to put quotes around community. Even if it's small (70 registered
> users), I let you check our forums to verify that it is not limited to
> Swisscom. We received some contributions (patches, documentation) that
> we accepted and we don't have any hidden agenda.
> [FreeNAC is GPL, and we respect the GPL of OpenVMPS too].

  FreeNAC, like some other projects, appears largely to be a way to
generate consulting revenue.  That isn't a bad thing, as people have to
make money.  But don't pretend that it's an "open" project because your
boss tells you to (1) work on it, and to (2) accept patches from other
people.

  In contrast, there is NO corporate agenda or funding behind
FreeRADIUS.  There never has been, and never will be.  I've turned down
jobs and consulting contracts because the people involved wanted to take
over FreeRADIUS.

> - "Good luck getting patches added if they conflict with the corporate
> agenda"
>   The community are free to change FreeNAC themselves, and submit
> patches, 

  ... which may or may not be accepted.

  Is there anyone *other* than a Swisscom employee who has CVS commit
access to FreeNAC?

  For similar examples, see ISC, and the third-party patches to Bind and
dhcpd.  There are patches floating around for features used by many
sites.  Those patches are tested, widely used, in wide demand, and
aren't included in the main distribution.  The reasons they're not
included aren't nefarious... just reality.

  In contrast, FreeRADIUS adds features that people need.  If a patch
works, and enough people say they're using it, the patch goes in.
(Modulo some editorial re-writes).  This is the way it's worked for
almost a decade, and this is the way it will *always* work.

>   if we don't do it fast enough. That is what OpenSource is about.
>   The core team is not closed to Swisscom Innovation people either. I'll
> welcome 
>   anyone with the motivation, skills and time.
>   This is, I repeat, a GPL - OpenSource project.

  ... started by a company, with the core team being solely company
employees.

  There are many open source, GPL projects that work that way.  But they
make it clear they're corporate projects with community input.  They
don't pretend they're community projects.  The ones that try to co-opt
community projects encounter hostility from that community.

  In your case, the community response was that no one cared.

  *I* got annoyed.  But that's because it was clear that FreeNAC was
using *my* work to claim that *they* were the leader in the WLAN
authentication space.

> But, at the end, I'd really like to close this misunderstanding and move
> further. There's no point in arguing or flaming each other as we're both
> working on closely related opensource projects.

  I would like to move forward in a productive manner.  As such, I've
added VMPS functionality to FreeRADIUS.  Since it has more features,
is more functional, and is more configurable than the OpenVMPS server in
FreeNAC, I expect you to switch to using a real VMPS server in the next
release.

  At that point, it will become clear that FreeNAC is a web GUI around
FreeRADIUS.  One among many.

> In fact, FreeRADIUS was always in our mind, we announced FreeNAC on the
> "freeradius-user" mailing list in 2006 and we also integrated it. This
> is natural because the core value of FreeNAC is at the "policy
> level", and not in the support of underlying protocols like VMPS or
> 802.1x.

  The announcement was... interesting.  The claim to be "THE" project
for LAN & WLAN authentication was grandiose from a project and people
with *zero* track record.

> We've also closely followed the development in the NAC area and
> contacted other opensource projects (SecureW2,  NAC at FHH) for that
> purpose.
> 
> We would enjoy a collaboration that would lead to create _the_
> opensource NAC framework.

  Really.  The original announcement didn't mention the word
"collaboration".  If it had, it would have been more positive.  Instead,
 it looked a lot like the intent was to put a web front end on
FreeRADIUS, and label the result as "FreeNAC".  Maybe with a fine-print
disclaimer of "by the way, it's a corporate project that builds on a
decade of community work on FreeRADIUS".

  Yes, the original announcement *really* got under my skin.  Rather
than fight you, I spent a few hours writing code that filled a market
demand: a supported and actively maintained VMPS server.

  FreeNAC can do what it wants.  When v2.0 is released, FreeRADIUS will
be the most widely used VMPS server on the planet.  And the best way to
get a web GUI for VMPS + RADIUS shipped to 100k sites will be to include
 its code in FreeRADIUS.

  Alan DeKok.


