On Thu, Nov 20, 2014 at 10:57:58AM -0600, Curt Braden wrote:
> Good morning. We are in the process of researching different Network Access Control solutions. We are curious what solutions others are using and/or planning to use.
> What is your current solution?
Multiple Linux servers (KVM VMs) running FreeRADIUS + PostgreSQL.
Other VMs for ISC BIND/ISC DHCPD. The database is synced from a
master Linux server running CMU NetReg + lots of customization. Much
of what I talk about below is the combined system based around CMU
> What is the experience with your current solution?
CMU NetReg has served us well for the last 10 years or so, but it is
showing its age. The RADIUS NAC piece was only implemented a few
years back, enhanced over the last year, and more enhancements are
pending, like providing the user a web page to explain why they do not
have network access (unregistered, policy reason, virus, wrong subnet,
> What is the difficulty of implementation and/or changes after implementation?
While most day-to-day changes are done through a fairly easy to use
(but dated) web interface, you need programming and SQL experience to
extend/customize it. Initial implementation is pretty difficult as
well. It was easier to bolt-on the FreeRADIUS NAC since we already
had all the other pieces running.
> What would you do different?
We've been looking for over a year now, but have been unable to find
another product (commercial or not) that has all the features and
extensibility of CMU NetReg, which is more like an IPAM + DHCP + DNS,
and after our customizations, RADIUS/NAC, TFTP config file
generation/distribution, PXE boot server, etc. We may end up hiring
contract programmers to do what we want, which is a more modern
programming style (like an actual web framework in a modern language),
modern web UI, real IPv6 support, instant updates, etc.
> What are the Pros/Cons?
Everything is self-service. The same web UI is used by NetReg
administrators, IT personnel, and all end-users. There is an
extensive granular permissions/protections system that applies to all
objects in the system. A "machine", with an associated MAC address,
DNS name, (optional) static IP, etc. is a first-class object that is
added, deleted, and edited all as one thing. Users can edit their own
records. (These features are mostly lacking in the commercial
Being open source, we can implement whatever we need and customize it
to our exact specifications. It is very extensible even with minimal
programming (extract scripts) due to the way you can group different
objects into "Service Groups" and apply custom attributes in the
Being based on commodity Linux systems, it fits with all the regular
server deployment, configuration automation, and monitoring systems we
We use switches that understand Dynamic VLAN and Firewall Policy
Assignment via RADIUS VSAs, and the FreeRADIUS configuration sends
back the correct VLAN attribute based on the policy we have created.
So we can have multiple different clients on a single switch port, and
each of those clients could be assigned a different VLAN if we wanted
and they would all work correctly on the same port at the same time.
In practice, we use a Quarantine VLAN + the user's registered VLAN.
The web interface, being straight HTML, works on every browser known
to man, including the text-based browsers Lynx and eLinks.
It isn't really user-based networking/identity, but machine-based.
Currently, we are using MAC-RADIUS to authorize MAC addresses onto
Being open source and fairly old code that doesn't have much of a
support community anymore (CMU doesn't use it anymore AFAIK, and all
the NetReg programmers went on to other things), you really need smart
sysadmins/programmers on your team to maintain it. You probably don't
want to attempt to install it from scratch in this day and age.
No real IPv6 support, although we've hacked in enough of it to make
forward DNS AAAA records work.
rather than a Con depending on your perspective :-)
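The dynamic VLAN assignment described above (quarantine VLAN for unregistered or policy-blocked machines, the registered VLAN otherwise, all driven by a MAC-RADIUS lookup against the registration database) can be sketched as a small policy function. This is an added example, not code from the reply's author, CMU NetReg, or FreeRADIUS: it stands in for what a FreeRADIUS rlm_sql/unlang policy would do, with an in-memory SQLite table replacing the PostgreSQL registry and a constructed quarantine VLAN number; the table layout, status values and VLAN ids are assumptions. The reply attributes it returns are the standard RFC 3580 tunnel attributes a switch expects for VLAN assignment.

```python
import re
import sqlite3

# Standard RADIUS tunnel attribute values (RFC 3580) for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Assumed value: the reply mentions a Quarantine VLAN but not its number.
QUARANTINE_VLAN = "999"

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalize the many MAC spellings switches put in User-Name for
    MAC-RADIUS (00-11-22-33-44-55, 0011.2233.4455, 00:11:22:33:44:55, ...)
    so that one database key matches every switch vendor."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def open_registry():
    """Constructed stand-in for the registration database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE machine (mac TEXT PRIMARY KEY, vlan TEXT NOT NULL, status TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO machine VALUES (?, ?, ?)", [
        ("00:11:22:33:44:55", "110", "ok"),      # registered, in good standing
        ("aa:bb:cc:dd:ee:ff", "120", "virus"),   # registered, but policy-blocked
    ])
    return db


def authorize(db, user_name):
    """Decide an Access-Request whose User-Name is the client MAC.

    Returns (decision, reply_attributes). Registered machines with status
    'ok' get their own VLAN; unregistered or blocked machines land in the
    quarantine VLAN; anything that is not a MAC at all is rejected outright.
    """
    try:
        mac = normalize_mac(user_name)
    except ValueError:
        return ("Access-Reject", {})
    # User-Name is attacker-controlled (it comes off the wire), so the lookup
    # is parameterized rather than string-formatted into the SQL.
    row = db.execute(
        "SELECT vlan, status FROM machine WHERE mac = ?", (mac,)
    ).fetchone()
    if row is None or row[1] != "ok":
        vlan = QUARANTINE_VLAN
    else:
        vlan = row[0]
    return ("Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,
    })


if __name__ == "__main__":
    registry = open_registry()
    for name in ("0011.2233.4455", "AA-BB-CC-DD-EE-FF", "de:ad:be:ef:00:01", "jsmith"):
        print(name, "->", authorize(registry, name))
```

Because the policy answers Access-Accept with a quarantine VLAN instead of Access-Reject for unknown machines, the client still gets a link and can be steered to the registration or "why am I blocked" page the reply describes as pending; only requests that cannot be a MAC address at all are refused.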
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.