Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC

Thomas Dagonnier dago158 at bluewin.ch
Tue Jul 10 22:26:19 CEST 2007


Ok, as my email address doesn't show, I'm also working with Sean (yes, for the
"blue giant").

I'll first answer some points raised by Alan:
- VMPS in FreeRadius was a surprise and is positive.
- Sure, you can get part of the funding (see later).


On 10/07/07, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> > VMPS is only one part of the problem.
> > Do you want to add a Database, Client Security tools/interfaces, policy
> > engine,
> > interfaces to AntiVirus servers, scanners, Patch servers, and so to
> > FreeRadius?
>
> Yes. By implementing EAP-TNC.
>
> > I thought Freeradius concentrates on the authentication protocols, not
> > the network integration aspects?
>
> Perhaps you could explain, if FreeRadius supported EAP-TNC, why I as a
> medium/large organisation would possibly want to use FreeNAC? Bearing in
> mind that (correct me if I'm wrong) FreeNAC consists of:
>
> * a database schema
> * a web editor for said database
> * a gui editor for said database (bleh)
> * a freeradius config to authenticate off that database
> * a patched version of openvmps to query off that database
> * yet another re-implementation of netdisco (www.netdisco.org) talking
> to the same database
> * some helper utilities for pulling info from SMS/Wsus

More or less ok.

> We (for example) already have a network/vlan/switch/host/router
> database, SQL schema and SQL servers, web interface to same, device
> management/discovery/polling and helper utilities hooked up to wsus.

Ok, so that's very similar.
We also wanted that, didn't find any tools that met our requirements,
implemented ours and "went out" with it.

> I'm not saying what FreeNAC is doing is wrong, but it does not help to
> represent it as something it's not. I would have understood this a lot
> more:
>
> """FreeNAC is a standard database schema, GUI and set of management
> tools for running access-controlled LAN networks. It uses FreeRadius and
> OpenVMPS, running against MySQL, to perform its job."""


well, the website now shows " FreeNAC is an OpenSource solution for LAN
access control and dynamic Vlan management")

first sentence is basically the same when replacing "a standard database
schema, GUI and set of management
tools" by "solution" - which is simpler.

I guess we should highlight the "based on" aspect by putting it on the main
page (cf packetfence).
Would you find that OK ?

> If you're interested, perhaps I can make some constructive suggestions
> about ways FreeNAC could offer actual added value to medium/large orgs.
> All this is, of course, my personal opinion (and I've got to tell you,
> you've zero chance of selling to us because we don't work that way, but
> anyway... ;o):

Thanks a lot.

> * a GPLed, ActiveX / Java / other browser-based endpoint posture
> assessment client, for use in fallback non-802.1x (walled-garden) mode.

Right, but I guess it should come after an 802.1x and a VPN client ...
and those still don't exist.

> * contribute working EAP-TNC to FreeRadius

That's something already written by the TNC at FHH project.
Code is available here:
http://tnc.inform.fh-hannover.de/wiki/index.php/Download

Is there any plan to integrate that into the official release?


> * contribute working PEAPv2 and whatever-the-vista-posture-protocol is
> called

To clarify quickly: the Vista posture protocol has been Microsoft-standardized
as "IF-TNCCS-SOH" (statement of health) -
https://www.trustedcomputinggroup.org/specs/TNC/IF-TNCCS-SOH_v1.0_r8.pdf

<mixofunconfirmedbits>
Concerning those three points, in no particular order:
- We would really be happy to see the mentioned items implemented (in
freeradius for TNC).
- We have funding - but not unlimited nor for an undefined time period.
- Some of it could be assigned to implement those protocols.
- Alan, before jumping the gun on that f word, it would be no strings
attached (bounty-like, resulting code solely licensed under GPL in
freeradius, copyright retained by the author, ...).
- Coordination with other related opensource projects, especially TNC at FHH.
</mixofunconfirmedbits>


> * liaise with the FreeRadius SQL developers to come up with the most
> appropriate SQL schema; ideally (from your PoV) the FreeNAC SQL schema
> could become the default for new FreeRadius installs.

If I understood FreeRadius SQL correctly, the way chosen is a very
minimalistic one, with very few formal definitions.
Therefore, it is also very flexible ... and apart from supporting possible
additional fields/functions due to the SOH extension, I have the impression
that the DB format could (should) be left to the GUI/extra tools part?

BTW, I've also worked previously on IDS and I tried many tools (nmap,
nessus, snmp) and meta-tools (netdisco, ...) to map a network and put that
into some DB.
So far, I did not find anything convincing; that's why we always end up with
some custom database.
I'll be happy to compare what we have (freenac db) with your db schema.

Hope that perspective is useful.


Well, technically, for full NAC, we also miss the "post-connect" aspects (cf
packetfence) - but that's another story. But, OTOH, not that many switches
understand the "packet of disconnect".

A lot, I hope it'll start getting the two highly respectable but sometimes
emotive leaders in a more constructive mood (yes, I'll be flamed for that, I
know, I know).

your humble,

dago


PS: of course, I also have plans for total world domination - but I'll
first start by becoming Sean's boss. Then, I can move on to mind-controlling
hundreds of millions of people.