Ok, as my email address doesn't show, I'm also working with Sean (yes, for the "blue giant").<br><br>I'll first answer some points raised by Alan:<br>- VMPS in FreeRadius was a surprise and is positive.
<br>- Sure, you can get part of the funding (see later).<br><br><br><div><span class="gmail_quote">On 10/07/07, <b class="gmail_sendername">Phil Mayers</b> <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>><br>> VMPS is only one part of the problem.<br>> Do you want to add a Database, Client Security tools/interfaces, policy
<br>> engine,<br>> interfaces to AntiVirus servers, scanners, Patch servers, and so to<br>> FreeRadius?<br><br>Yes. By implementing EAP-TNC.<br><br>> I thought Freeradius concentrates on the authentication protocols, not
<br>> the<br>> network integration aspects?<br><br>Perhaps you could explain, if FreeRadius supported EAP-TNC, why I as a<br>medium/large organisation would possibly want to use FreeNAC? Bearing in<br>mind that (correct me if I'm wrong) FreeNAC consists of:
<br><br> * a database schema<br> * a web editor for said database<br> * a gui editor for said database (bleh)<br> * a freeradius config to authenticate off that database<br> * a patched version of openvmps to query off that database
<br> * yet another re-implementation of netdisco (<a href="http://www.netdisco.org">www.netdisco.org</a>) talking<br>to the same database<br> * some helper utilities for pulling info from SMS/Wsus</blockquote><div><br>More or less ok.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">We (for example) already have a network/vlan/switch/host/router<br>database, SQL schema and SQL servers, web interface to same, device
<br>management/discover/polling and helper utilities hooked up to wsus.</blockquote><br>Ok, so that's very similar.<br>We also wanted that, didn't find any tools that met our requirements, implemented ours and "went out" with it.
<br><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I'm not saying what FreeNAC is doing is wrong, but it does not help to<br>represent it as something it's not. I would have understood this a lot
<br>more:<br><br>"""FreeNAC is a standard database schema, GUI and set of management<br>tools for running access-controlled LAN networks. It uses FreeRadius and<br>OpenVMPS, running against MySQL, to perform its job."""
</blockquote><div><br>Well, the website now shows "FreeNAC is an OpenSource solution for LAN access control and dynamic Vlan management".<br><br>The first sentence is basically the same when replacing "a standard database schema, GUI and set of management
<br>tools" by "solution" - which is simpler.<br><br>I guess we should highlight the "based on" aspect by putting it on the main page (cf packetfence).<br>Would you find that OK?<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
If you're interested, perhaps I can make some constructive suggestions<br>about ways FreeNAC could offer actual added value to medium/large orgs.<br>All this is, of course, my personal opinion (and I've got to tell you,
<br>you've zero chance of selling to us because we don't work that way, but<br>anyway... ;o):</blockquote><div><br>Thanks a lot <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
* a GPLed, ActiveX / Java / other browser-based endpoint posture<br>assessment client, for use in fallback non-802.1x (walled-garden) mode.</blockquote><div><br>Right, but I guess it should come after an 802.1x and a VPN client ...
<br>and those still don't exist<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> * contribute working EAP-TNC to FreeRadius
</blockquote><div><br>That's something already written by the TNC@FHH projects. <br>Code is available here <a href="http://tnc.inform.fh-hannover.de/wiki/index.php/Download">http://tnc.inform.fh-hannover.de/wiki/index.php/Download
</a><br><br>Is there any plan to integrate that in the official release?<br><br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> * contribute working PEAPv2 and whatever-the-vista-posture-protocol is
<br>called</blockquote><div><br><br>To be precise, quickly: the Vista posture protocol has been Microsoft-standardized as "IF-TNCCS-SOH" (statement of health) - <a href="https://www.trustedcomputinggroup.org/specs/TNC/IF-TNCCS-SOH_v1.0_r8.pdf">
https://www.trustedcomputinggroup.org/specs/TNC/IF-TNCCS-SOH_v1.0_r8.pdf</a><br><br><mixofunconfirmedbits><br>Concerning those three points, in no particular order:<br>- We would really be happy to see the mentioned items implemented (in freeradius for TNC).
<br>- We have funding - but not unlimited nor for an undefined time period.<br>- Some of it could be assigned to implement those protocols.<br>- Alan, before jumping the gun on that f word, it would be no strings attached (bounty-like, resulting code solely licensed under GPL in freeradius, copyright retained by the author, ...).
<br>- Coordination with other related opensource projects, especially TNC@FHH.<br></mixofunconfirmedbits><br></div><br><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
* liaise with the FreeRadius SQL developers to come up with the most<br>appropriate SQL schema; ideally (from your PoV) the FreeNAC SQL schema<br>could become the default for new FreeRadius installs.</blockquote><div><br>
If I understood FreeRadius SQL correctly, the way chosen is a very minimalistic one, with very few formal definitions.<br>Therefore, it is also very flexible ... and apart from supporting eventual additional fields/functions due to the SOH extension, I have the impression that the DB format could (should) be left to the GUI/extra tools part?
<br><br>BTW, I've also worked previously on IDS and I tried many tools (nmap, nessus, snmp) and meta-tools (netdisco, ...) to map a network and put that into some DB.<br>So far, I did not find anything convincing, that's why we always end up with some custom database.
<br>I'll be happy to compare what we have (freenac db) with your db schema.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hope that perspective is useful.</blockquote><div><br>Well, technically, for full NAC, we also miss the "post-connect" aspects (cf packetfence) - but that's another story. But, OTOH, not that many switches understand the "packet of disconnect".
<br></div><div><br>A lot, I hope it'll start getting the two highly respectable but sometimes emotive leaders in a more constructive mood (yes, I'll be flamed for that, I know, I know)<br></div><br>your humble, <br>
<br>dago<br></div><br><br>PS: Of course, I also have plans for total world domination - but I'll first start to become Sean's boss. Then, I can move to mind-controlling hundreds of millions of people.<br>