PacketFence - BTS - PacketFence |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001227 | PacketFence | core | public | 2011-06-17 16:12 | 2011-10-25 09:06 |
|
| Reporter | obilodeau | |
| Assigned To | obilodeau | |
| Priority | normal | Severity | feature | Reproducibility | N/A |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | | |
| Target Version | 3.0.0 | Fixed in Version | 3.0.0 | |
| fixed in git revision | |
| fixed in mtn revision | |
|
| Summary | 0001227: Reintroduce inline mode as a first class citizen |
| Description | PacketFence naturally evolved into a NAC strongly focused on VLAN isolation through tight coupling with network equipment. Lately with MAC-Auth and 802.1X we showcased hybrid access approaches - that is to combine techniques into the same solution using the same captive portal on the same server.
The success of that operation gave us to idea to do the same with inline mode.
Inline mode (aka PacketFence's DHCP or ARP modes) is still useful. Here are some use cases:
- For SME or home users, a very easy to setup NAC. Just plug, set the default internet gateway and bam: NAC
- For larger organizations still with legacy hardware that doesn't support VLANs, port-security, MAC-Auth or 802.1X.
It's not perfect, the drawbacks are the security, the scalability (incl. remote sites) and the fact that it is inline after all.
So back to my original point, why wouldn't inline mode work in hybrid mode just like we did with port-security and 802.1X? Well guess what, we think it should work that way and that's what we are about to do. After all it's still more secure and useful than no NAC at all!
So the plan is:
- should be as simple as possible while scaling ok
To accomplish this we will completely drop ARP mode in favor of DHCP mode. Everything will be inline passing through the PacketFence server and access will be enforced using iptables. For configuration simplicity we will NAT and not route through the server.
- it will work alongside VLAN isolation. the inline mode being on a separate VLAN interface.
- it will work with high-availability
- PacketFence ZEN will become a "drop-in NAC" with inline mode pre-configured. VLAN mode will still be in there and configurable but it will not be the default technique anymore.
These changes may imply some loss of functionality for some previous ARP or DHCP mode users as we will be refactoring the code base aggressively. Let us know what you need and we'll try our best to accommodate all use cases.
We hope you'll be as excited by this new feature as much as we are! |
| Steps To Reproduce | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | 0000213 | closed | | Request to have multiple gateway IP's supported per interface | | related to | 0000760 | closed | obilodeau | Improve DHCP isolation mode documentation | | related to | 0000781 | closed | obilodeau | Registration in arp mode doesn't work | | related to | 0001239 | closed | obilodeau | PacketFence won't start if no inline interface |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2011-06-17 16:12 | obilodeau | New Issue | |
| 2011-06-17 16:12 | obilodeau | Status | new => assigned |
| 2011-06-17 16:12 | obilodeau | Assigned To | => obilodeau |
| 2011-06-17 17:23 | obilodeau | Relationship added | related to 0000213 |
| 2011-06-17 17:24 | obilodeau | Relationship added | related to 0000760 |
| 2011-06-17 17:24 | obilodeau | Relationship added | related to 0000761 |
| 2011-06-17 17:24 | obilodeau | Relationship deleted | related to 0000761 |
| 2011-06-17 17:24 | obilodeau | Relationship added | related to 0000781 |
| 2011-06-28 17:51 | obilodeau | Note Added: 0002095 | |
| 2011-06-29 17:54 | obilodeau | Note Added: 0002097 | |
| 2011-07-21 17:06 | obilodeau | Note Added: 0002113 | |
| 2011-08-16 15:59 | obilodeau | Relationship added | related to 0001239 |
| 2011-09-13 17:28 | obilodeau | Note Added: 0002202 | |
| 2011-09-14 13:08 | obilodeau | Note Added: 0002204 | |
| 2011-09-14 17:05 | obilodeau | Note Added: 0002206 | |
| 2011-09-14 17:05 | obilodeau | Status | assigned => resolved |
| 2011-09-14 17:05 | obilodeau | Fixed in Version | => trunk |
| 2011-09-14 17:05 | obilodeau | Resolution | open => fixed |
| 2011-09-21 22:07 | obilodeau | Fixed in Version | trunk => 3.0.0 |
| 2011-09-21 22:15 | obilodeau | Note Added: 0002252 | |
| 2011-09-21 22:16 | obilodeau | Status | resolved => closed |
| 2011-10-25 09:06 | obilodeau | Target Version | +2 => 3.0.0 |
|
Notes |
|
|
|
|
Work has started in public branch: org.packetfence.feature.inline |
|
|
|
|
|
pushed hybrid dhcp configuration today in revno: 584bbe27ca3e0e8acf2e822fc8830efc0f39177f |
|
|
|
|
|
org.packetfence.feature.inline was merged in trunk today. Most of the stuff is there and works, only some (several) rough edges to polish. |
|
|
|
|
|
pushed new monitor interface chain that allows everything on a monitor interface by default (for snort) |
|
|
|
|
pushed changes were if no inline mode is used, no inline rules will be added
also pushed changes were we don't add NAT statements if inline mode is not used. |
|
|
|
|
|
|
|
|
|