NETMAN@LISTSERV.EDUCAUSE.EDU
LISTSERV Archives, NETMAN 2014

Subject: Re: NAC (Network Access Control)
From: Chuck Anderson <[log in to unmask]>
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv <[log in to unmask]>
Date: Thu, 20 Nov 2014 19:17:44 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (93 lines)

On Thu, Nov 20, 2014 at 10:57:58AM -0600, Curt Braden wrote:
> Good Morning, We are in the process of researching different Network Access Control solutions.  We are curious what solutions others are using and/or planning to use.
> What is your current solution?

Multiple Linux servers (KVM VMs) running FreeRADIUS + PostgreSQL.
Other VMs for ISC BIND/ISC DHCPD.  The database is synced from a
master Linux server running CMU NetReg + lots of customization.  Much
of what I talk about below is the combined system based around CMU
NetReg/NetMon.

> What is the experience with your current solution?  

CMU NetReg has served us well for the last 10 years or so, but it is
showing its age.  The RADIUS NAC piece was only implemented a few
years back, enhanced over the last year, and more enhancements are
pending, like providing the user a web page to explain why they do not
have network access (unregistered, policy reason, virus, wrong subnet,
etc.)

> What is the difficulty of implementation and/or changes after implementation?

While most day-to-day changes are done through a fairly easy to use
(but dated) web interface, you need programming and SQL experience to
extend/customize it.  Initial implementation is pretty difficult as
well.  It was easier to bolt-on the FreeRADIUS NAC since we already
had all the other pieces running.

> What would you do different?  

We've been looking for over a year now, but have been unable to find
another product (commercial or not) that has all the features and
extensibility of CMU NetReg, which is more like an IPAM + DHCP + DNS,
and after our customizations, RADIUS/NAC, TFTP config file
generation/distribution, PXE boot server, etc.  We may end up hiring
contract programmers to do what we want, which is a more modern
programming style (like an actual web framework in a modern language),
modern web UI, real IPv6 support, instant updates, etc.

> What are the Pros/Cons?  

Pros:

Everything is self-service.  The same web UI is used by NetReg
administrators, IT personnel, and all end-users.  There is an
extensive granular permissions/protections system that applies to all
objects in the system.  A "machine", with an associated MAC address,
DNS name, (optional) static IP, etc. is a first-class object that is
added, deleted, and edited all as one thing.  Users can edit their own
records.  (These features are mostly lacking in the commercial
solutions)

Being open source, we can implement whatever we need and customize it
to our exact specifications.  It is very extensible even with minimal
programming (extract scripts) due to the way you can group different
objects into "Service Groups" and apply custom attributes in the
database.

Being based on commodity Linux systems, it fits with all the regular
server deployment, configuration automation, and monitoring systems we
already have.

We use switches that understand Dynamic VLAN and Firewall Policy
Assignment via RADIUS VSAs, and the FreeRADIUS configuration sends
back the correct VLAN attribute based on the policy we have created.
So we can have multiple different clients on a single switch port, and
each of those clients could be assigned a different VLAN if we wanted
and they would all work correctly on the same port at the same time.
In practice, we use a Quarantine VLAN + the user's registered VLAN.

The web interface, being straight HTML, works on every browser known
to man, including the text-based browsers Lynx and eLinks.


Cons:

It isn't really user-based networking/identity, but machine-based.
Currently, we are using MAC-RADIUS to authorize MAC addresses onto
VLANs/subnets.

Being open source and fairly old code that doesn't have much of a
support community anymore (CMU doesn't use it anymore AFAIK, and all
the NetReg programmers went on to other things), you really need smart
sysadmins/programmers on your team to maintain it.  You probably don't
want to attempt to install it from scratch in this day and age.

No real IPv6 support, although we've hacked in enough of it to make
forward DNS AAAA records work.

Old web UI, pre web-2.0/AJAX/Javascript/etc.  This might be a Pro
rather than a Con depending on your perspective :-)

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
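The MAC-RADIUS authorization that Chuck describes (a registration database behind FreeRADIUS, with the reply placing the client in either its registered VLAN or a Quarantine VLAN) can be modelled in a few dozen lines. The block below is an added example, not code from the original post or from CMU NetReg/FreeRADIUS: it uses an in-memory SQLite table as a stand-in for the PostgreSQL database, the standard RFC 3580 tunnel attributes rather than the vendor VSAs the post mentions, and constructed MAC addresses, VLAN numbers and a `blocked` policy flag. It also handles the edge case that different switches send `Calling-Station-Id` in different formats, which is the usual cause of "registered machine still lands in quarantine" tickets.

```python
"""Added example (not from the original post): a minimal model of the
MAC-RADIUS authorization step. A registration database (SQLite here,
standing in for the post's PostgreSQL) maps MAC addresses to a registered
VLAN; the Access-Request's Calling-Station-Id is normalized and looked up,
and the reply carries RFC 3580 tunnel attributes for either the registered
VLAN or a Quarantine VLAN. Table layout, VLAN numbers and the 'blocked'
flag are constructed assumptions."""
import re
import sqlite3

QUARANTINE_VLAN = 999  # constructed value

SCHEMA = """
CREATE TABLE machine (
    mac TEXT PRIMARY KEY,               -- 12 lowercase hex digits
    hostname TEXT,
    vlan INTEGER NOT NULL,              -- user's registered VLAN
    blocked INTEGER NOT NULL DEFAULT 0  -- policy/virus hold
);
"""

SAMPLE_ROWS = [  # constructed sample data
    ("001122aabbcc", "lab-pc-1.example.edu", 120, 0),
    ("00aa11bb22cc", "dorm-laptop.example.edu", 300, 1),
]


def normalize_mac(raw):
    """Switches send Calling-Station-Id as 00-11-22-AA-BB-CC,
    00:11:22:aa:bb:cc, 0011.22aa.bbcc and so on. Reduce any of them to
    12 lowercase hex digits; return None if the value is not a MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    return hexdigits.lower()


def vlan_reply(vlan):
    """Reply attributes (RFC 3580) that tell a MAC-auth/802.1X capable
    switch which VLAN to place this client in."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def authorize(conn, calling_station_id):
    """Return (reply-code, attributes, reason).

    Unknown, malformed or blocked MACs are accepted into the quarantine
    VLAN rather than rejected, so the client can still reach a
    registration / explanation page; the reason string is what such a
    page (or the RADIUS log) would show."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return ("Access-Accept", vlan_reply(QUARANTINE_VLAN), "malformed-mac")
    row = conn.execute(
        "SELECT vlan, blocked FROM machine WHERE mac = ?", (mac,)
    ).fetchone()
    if row is None:
        return ("Access-Accept", vlan_reply(QUARANTINE_VLAN), "unregistered")
    vlan, blocked = row
    if blocked:
        return ("Access-Accept", vlan_reply(QUARANTINE_VLAN), "policy-hold")
    return ("Access-Accept", vlan_reply(vlan), "registered")


def build_db():
    """Create the in-memory registration table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO machine VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    db = build_db()
    for csid in ["00-11-22-AA-BB-CC", "00:aa:11:bb:22:cc",
                 "0011.22aa.bbcc", "not-a-mac"]:
        print(csid, authorize(db, csid))
```

In a real FreeRADIUS deployment the lookup is done by an `sql` module query against the registration database and the three tunnel attributes are set in the reply list; the point the example makes is that the normalization step has to happen before the lookup, and that the quarantine path is a policy decision (accept into a restricted VLAN) rather than a plain reject.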
