Freeradius 2.0 - vmps feature, accuracies on FreeNAC

Alan DeKok aland at deployingradius.com
Tue Jul 10 19:16:46 CEST 2007


Sean.Boran at swisscom.com wrote:
> My focus was to offer "LAN Access Control", what many people call "NAC".

  Switches already do 802.1x for LAN access control.  They use RADIUS.

> To me there was no solution for that, from systems management point of
> view. 

  Packet Fence is widely known and widely used.  Netreg is older, but
perhaps not as actively developed.  There were existing solutions in
this space before FreeNAC was started.

> It wasn't a provocation, really. I did not think FreeRadius sees itself
> as a NAC server.

  Again, you are not understanding.  The announcement didn't say "the
NAC solution".  It said "the WLAN authentication" solution.  The reality
is that FreeRADIUS is already the WLAN authentication solution.

  And, of course, when I point that out, you try to pretend my attitude
is because your project is doing NAC.

> The idea of the consulting is to try and get some funding  to ensure the 
> long term survival. I did not think of GPL and funding as 
> mutually exclusive, but you do?

  I said "FreeNAC, like some other projects, appears largely to be a way
to generate consulting revenue.  That isn't a bad thing, as people have
to make money."

  If you have to ask whether or not I think GPL & funding is mutually
exclusive:

  a) you didn't read my post
  b) you read it, but you didn't understand it
  c) you're being a jackass

> You can have SVN access if you want.

  Great!  Do I get part of the funding from selling the enterprise
version?  Do I have to participate in supporting the enterprise version?
  Do I even *know* who's buying the enterprise version?

  Given corporate agendas, the reality is that there will be two core
teams.  One composed of Swisscom people who deal with the enterprise
customers, and another, which includes the "community".

  This is not anything nefarious on the part of Swisscom, but it's the
only way to make these kinds of dual corporate/community projects work.
 The only way to have *one* core team is to set up a legal "FreeNAC"
entity separate from Swisscom, and have membership determined by
FreeNAC, not by Swisscom.

  i.e. That's how everyone else on the planet runs these kinds of
projects.  Your disclaimer that it's a "community" effort is a little
disingenuous.

> Is the ISC GPL?

  Does Google have a search engine?

> Good. Perhaps you could explain your CVS commit policy, or what we
> should do differently?

  That was the CVS commit policy.

> My intention *is* to create a community with a consulting spinoff, not
> the other way around. 

  That's not the way the project is structured right now.

  Look at Packet Fence for a NAC solution that's widely deployed, and
which makes a clear distinction between the community and corporate areas.

> As regards WLAN, I only mentioned that as an aim, because it turns out
> that if you're doing LAN access control on wired LAN, it's useful if it
> can do wireless too.

  Yes.  So it makes sense for you to claim that by integrating
FreeRADIUS, you would become the leader in WLAN authentication.

  It's like me saying I'm the King of Linux because I burned a CD the
other day with Linux on it.

> Well it's a pity I didn't know that, that really was not the aim, but I
> guess the damage is done now.

  If your aim was collaboration, it would be clear in everything you say
and do that your aim was collaboration.  Instead, the words you use are
synonyms for "subsume" and "take over".

> VMPS is only one part of the problem.
> Do you want to add a Database, Client Security tools/interfaces, policy
> engine, interfaces to AntiVirus servers, scanners, Patch servers, and so
> on to FreeRadius?
> I thought Freeradius concentrates on the authentication protocols, not
> the network integration aspects?

  I see.  Apache is an implementation of the HTTP protocol, and doesn't
include any kind of integration with databases, policies, client tools,
management interfaces, policy engines, etc.  Right?  Isn't that how
protocol implementations are done?

  Your view of FreeRADIUS as a simple implementation of the RADIUS
protocol is either ridiculously naive, or very self-serving.

  If you had cared to look (and it's obvious that you haven't looked, or
that you're pretending you haven't looked), FreeRADIUS has had database
integration since the start, almost a decade ago.  It has had client
tools, and a management interface (dialup-admin) for almost a decade.
It has had a policy engine for almost a decade.

  So far as network integration, FreeRADIUS is whatever the community
needs it to be.  If you read the web site, you'll see that it's grown to
include a BSD licensed client implementation.  It's grown to include
VMPS.  This allows it to do cross-protocol integration of information,
and use its "policy engine" to store that information in a "database",
and to display it in the "administration interface" that comes with the
server.

  If the core value of FreeNAC is (as you said) at the "policy level",
then the release of a VMPS server with a powerful policy language and
database integration should have been a tremendous boon for FreeNAC.
Especially since FreeRADIUS supports VMPS policies in LDAP, Perl, or
Python, Oracle, PostgreSQL, etc. which OpenVMPS (and FreeNAC) do not
currently support.

  Was VMPS support in FreeRADIUS a pleasant surprise?  Or do you view it
as being negative for FreeNAC?  Please explain.

  Alan DeKok.
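For readers unfamiliar with the VMPS support being discussed, the following is an added illustration (not part of the original message, and not the configuration shipped with FreeRADIUS) of what a FreeRADIUS 2.x "vmps" virtual server looks like: a switch sends a VMPS join request carrying the client MAC, and the server answers with a VLAN name chosen by unlang policy. The VMPS-* attribute names come from the FreeRADIUS VMPS dictionary; the MAC address, the VLAN names "staff" and "guest", and the host_vlan table mentioned in the comment are assumptions made up for this example.

```conf
# Added example (not from the original post or from raddb/): a minimal
# FreeRADIUS 2.x VMPS virtual server. Listens on the standard VMPS port
# and assigns a VLAN per client MAC using unlang.

listen {
	ipaddr = *
	port = 1589          # standard VMPS port
	type = vmps
}

server vmps {
	vmps {
		# The switch's request carries the host MAC in VMPS-MAC.
		# Assumed example MAC and VLAN names; replace with real policy.
		if (VMPS-MAC == "00:11:22:33:44:55") {
			update reply {
				VMPS-VLAN-Name = "staff"
			}
		}
		else {
			update reply {
				VMPS-VLAN-Name = "guest"
			}
		}

		# Database-driven variant of the same decision (assumed table
		# "host_vlan" with columns mac, vlan_name; requires an enabled
		# sql module):
		#   update reply {
		#       VMPS-VLAN-Name = "%{sql:SELECT vlan_name FROM host_vlan WHERE mac = '%{VMPS-MAC}'}"
		#   }

		# Complete the join response; the cookie must be echoed back.
		update reply {
			VMPS-Packet-Type = VMPS-Join-Response
			VMPS-Cookie = "%{VMPS-Cookie}"
		}
		ok
	}
}
```

With this in place, a switch configured to use the server as its VMPS server (`vmps server <ip>`) will port its dynamic-VLAN ports according to the policy above; the point of the thread is that the same unlang/SQL/LDAP machinery used for RADIUS policy applies unchanged to VMPS.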
