Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC

Sean.Boran at swisscom.com
Tue Jul 10 17:10:26 CEST 2007


Hi,

Thanks for taking the time to respond, I understand better, see the
answers inline below..

...
> http://lists.cistron.nl/pipermail/freeradius-users/2006-August/056121.html
> 
>   FreeNAC is announced:  "The 'plan' is for the project to move forward
> to eventually become THE OpenSource Enterprise tool for dynamic VLAN
> assignment and LAN/WLAN authentication."
> 
>   Uh... right.  FreeRADIUS hasn't been doing that already for nearly a
> decade?  FreeRADIUS is *crushing* Cisco and Microsoft in the AAA space.
>  It's doing LAN & WLAN authentication daily for hundreds of millions of
> users.  There is *nothing* in the WLAN authentication space (open source
> or otherwise) that competes with FreeRADIUS.  I *regularly* hear about
> sites with 10+ million users switching to FreeRADIUS.

I was thinking in a very different way.
The idea was not to create any tensions or competition with other
OpenSource products. 
My focus was to offer "LAN Access Control", what many people call "NAC".

To me there was no solution for that, from a systems management point of
view.
So I created the DB and GUI around OpenVMPS, added switch/router
scanning, integration with other network tools and a GUI.

We did not try to replace OpenVMPS, or FreeRadius, but make them easier
to use in one specific environment: LAN control.

When I said "become THE OpenSource Enterprise tool for dynamic VLAN..",
it was a call
to ask people to help and work, not a declaration against other tools
like Freeradius. I like the idea of setting a goal.

 
>   And FreeNAC is going to become "THE" project for LAN & WLAN
> authentication... by "tying in" FreeRADIUS as a subsidiary project?
> 
>   Honestly, what reaction did you expect?

It wasn't a provocation, really. I did not think FreeRadius sees itself
as a NAC server.

>   It's one thing to say "we've written a web gui that administers VMPS
> and RADIUS".  It's another thing *entirely* to say that a project
> funded
> by a large company is going to "tie in" FreeRADIUS, and become "THE"
> market leader in the space.

Hang on, I meant to use FreeRadius for the 802.1x, my focus was to add
whatever additional DB modules, interfaces, or GUIs were necessary.
A pity we didn't discuss this a long time ago..

...

>   FreeNAC, like some other projects, appears largely to be a way to
> generate consulting revenue.  That isn't a bad thing, as people have to
> make money.  But don't pretend that it's an "open" project because your
> boss tells you to (1) work on it, and to (2) accept patches from other
> people.

Actually no, it was first and foremost a GPL project with the
aim of publishing the work done so far. 

I really consider it to be an open project, it was, and still is my first
priority to create an OpenSource GPL project that could live with or without
its initial sponsor, Swisscom Innovations.
No boss told me to work on it, it's been my idea from day 1.
The idea of the consulting is to try and get some funding to ensure the
long term survival. I did not think of GPL and funding as
mutually exclusive, but you do?

....

> > - "Good luck getting patches added if they conflict with the corporate
> > agenda"
> >   The community are free to change FreeNAC themselves, and submit
> > patches,
> 
>   ... which may or may not be accepted.
> 
>   Is there anyone *other* than a Swisscom employee who has CVS commit
> access to FreeNAC?

You can have SVN access if you want.
Any developer can have it if he takes the time. All I ask is that,
like in most projects there is a phase where people get to know each other,
communicate, and ensure patches do not create major stability problems.

>   For similar examples, see ISC, and the third-party patches to Bind
> and
> dhcpd.  There are patches floating around for features used by many
> sites.  Those patches are tested, widely used, in wide demand, and
> aren't included in the main distribution.  The reasons they're not
> included aren't nefarious... just reality.

Is the ISC GPL?

>   In contrast, FreeRADIUS adds features that people need.  If a patch
> works, and enough people say they're using it, the patch goes in.
> (Modulo some editorial re-writes).  This is the way it's worked for
> almost a decade, and this is the way it will *always* work.

Good. Perhaps you could explain your CVS commit policy, or what we
should do differently?

...
> >   if we don't do it fast enough. That is what OpenSource is about.
> >   The core team is not closed to Swisscom Innovation people either. I'll
> >   welcome anyone with the motivation, skills and time.
> >   This is, I repeat, a GPL - OpenSource project.
> 
>   ... started by a company, with the core team being solely company
> employees.
> 
>   There are many open source, GPL projects that work that way.  But
> they
> make it clear they're corporate projects with community input.  They
> don't pretend they're community projects.  The ones that try to co-opt
> community projects encounter hostility from that community.

My intention *is* to create a community with a consulting spinoff, not
the other way around. 


...
>   *I* got annoyed.  But that's because it was clear that FreeNAC was
> using *my* work to claim that *they* were the leader in the WLAN
> authentication space.

That I understand now.
As regards WLAN, I only mentioned that as an aim, because it turns out
that if you are doing LAN access control on wired LAN, it's useful if it
can do wireless too.


> > But, at the end, I'd really like to close this misunderstanding and move
> > further. There's no point in arguing or flaming each other as we're both
> > working on closely related opensource project.
> 
>   I would like to move forward in a productive manner.  As such, I've
> added VMPS functionality to FreeRADIUS.  Since it has more features,
> is more functional, and is more configurable than the OpenVMPS server in
> FreeNAC, I expect you to switch to using a real VMPS server in the next
> release.

The OpenVMPS tool/interface is "real" and has worked well for us.
I will download FreeRadius and look at your implementation.

...
> > In fact, FreeRADIUS was always in our mind, we announced FreeNAC on the
> > "freeradius-user" mailing list in 2006 and we also integrated it. This
> > is natural because the core value of FreeNAC is at the "policy
> > level", and not in the support of underlying protocols like VMPS or
> > 802.1x.
> 
>   The announcement was... interesting.  The claim to be "THE" project
> for LAN & WLAN authentication was grandiose from a project and people
> with *zero* track record.

It was an aim, not a claim.

> 
> > We've also closely followed the development in the NAC area and
> > contacted other opensource projects (SecureW2,  NAC at FHH) for that
> > purpose.
> >
> > We would enjoy a collaboration that would lead to create _the_
> > opensource NAC framework.
> 
>   Really.  The original announcement didn't mention the word
> "collaboration".  If it had, it would have been more positive.  Instead,
> it looked a lot like the intent was to put a web front end on
> FreeRADIUS, and label the result as "FreeNAC".  Maybe with a fine-print
> disclaimer of "by the way, it's a corporate project that builds on a
> decade of community work on FreeRADIUS".
> 
>   Yes, the original announcement *really* got under my skin.  Rather
> than fight you, I spent a few hours writing code that filled a market
> demand: a supported and actively maintained VMPS server.

Well it's a pity I didn't know that, that really was not the aim, but I
guess the damage is done now.


>   FreeNAC can do what it wants.  When v2.0 is released, FreeRADIUS will
> be the most widely used VMPS server on the planet.  And the best way to
> get a web GUI for VMPS + RADIUS shipped to 100k sites will be to include
> its code in FreeRADIUS.
> 
>   Alan DeKok.

VMPS is only one part of the problem.
Do you want to add a Database, Client Security tools/interfaces, policy
engine, interfaces to AntiVirus servers, scanners, Patch servers, and so on
to FreeRadius?
I thought Freeradius concentrates on the authentication protocols, not the
network integration aspects?

Regards,

Sean





