PacketFence
Bug Tracking System

ID: 0001227
Project: PacketFence
Category: core
View Status: public
Date Submitted: 2011-06-17 16:12
Last Update: 2011-10-25 09:06
Reporter: obilodeau
Assigned To: obilodeau
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Target Version: 3.0.0
Fixed in Version: 3.0.0
Summary: 0001227: Reintroduce inline mode as a first class citizen

Description:
PacketFence naturally evolved into a NAC strongly focused on VLAN isolation through tight coupling with network equipment. Lately with MAC-Auth and 802.1X we showcased hybrid access approaches - that is to combine techniques into the same solution using the same captive portal on the same server.

The success of that operation gave us the idea to do the same with inline mode.

Inline mode (aka PacketFence's DHCP or ARP modes) is still useful. Here are some use cases:
- For SME or home users, a very easy-to-set-up NAC. Just plug, set the default internet gateway and bam: NAC.
- For larger organizations still with legacy hardware that doesn't support VLANs, port-security, MAC-Auth or 802.1X.
It's not perfect; the drawbacks are the security, the scalability (incl. remote sites) and the fact that it is inline after all.

So back to my original point, why wouldn't inline mode work in hybrid mode just like we did with port-security and 802.1X? Well guess what, we think it should work that way and that's what we are about to do. After all it's still more secure and useful than no NAC at all!

So the plan is:
- It should be as simple as possible while scaling ok.
  To accomplish this we will completely drop ARP mode in favor of DHCP mode. Everything will be inline passing through the PacketFence server and access will be enforced using iptables. For configuration simplicity we will NAT and not route through the server.
- It will work alongside VLAN isolation, the inline mode being on a separate VLAN interface.
- It will work with high-availability.
- PacketFence ZEN will become a "drop-in NAC" with inline mode pre-configured. VLAN mode will still be in there and configurable but it will not be the default technique anymore.

These changes may imply some loss of functionality for some previous ARP or DHCP mode users as we will be refactoring the code base aggressively. Let us know what you need and we'll try our best to accommodate all use cases.

We hope you'll be as excited by this new feature as we are!
Tags: No tags attached.

Relationships
related to 0000213 (closed): Request to have multiple gateway IP's supported per interface
related to 0000760 (closed, obilodeau): Improve DHCP isolation mode documentation
related to 0000781 (closed, obilodeau): Registration in arp mode doesn't work
related to 0001239 (closed, obilodeau): PacketFence won't start if no inline interface

Notes
(0002095)
obilodeau (reporter)
2011-06-28 17:51

Work has started in public branch: org.packetfence.feature.inline
(0002097)
obilodeau (reporter)
2011-06-29 17:54

pushed hybrid dhcp configuration today in revno: 584bbe27ca3e0e8acf2e822fc8830efc0f39177f
(0002113)
obilodeau (reporter)
2011-07-21 17:06

org.packetfence.feature.inline was merged in trunk today. Most of the stuff is there and works, only some (several) rough edges to polish.
(0002202)
obilodeau (reporter)
2011-09-13 17:28

pushed new monitor interface chain that allows everything on a monitor interface by default (for snort)
(0002204)
obilodeau (reporter)
2011-09-14 13:08

pushed changes where if no inline mode is used, no inline rules will be added

also pushed changes where we don't add NAT statements if inline mode is not used.
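An illustrative rule generator, added here and not PacketFence's own code, for the inline enforcement laid out in the issue description and the two changes in this note: iptables enforcement on a dedicated inline interface, NAT (not routing) towards the uplink, and no inline or NAT rules at all when no inline interface is configured. The function name inline_rules, the chain names inline-fwd and inline-pre, and the interface, address and MAC arguments are assumptions; it prints the commands instead of running them so the result can be reviewed without root.

```shell
#!/bin/sh
# inline_rules INLINE_IF WAN_IF PORTAL_IP "MAC MAC ..."
# Prints the iptables commands for an inline (DHCP-mode) NAC segment.
# PORTAL_IP is assumed to be the server's own address on INLINE_IF,
# where the captive portal listens. Pipe the output to sh to apply.
inline_rules() {
    inline_if=$1; wan_if=$2; portal_ip=$3; registered=$4

    # No inline interface configured: emit no inline and no NAT rules.
    [ -n "$inline_if" ] || return 0

    # Dedicated chains so inline rules can be flushed without touching
    # the rest of the firewall.
    echo "iptables -N inline-fwd"
    echo "iptables -t nat -N inline-pre"
    echo "iptables -A FORWARD -i $inline_if -j inline-fwd"
    echo "iptables -t nat -A PREROUTING -i $inline_if -j inline-pre"

    # Unregistered hosts still need DHCP, DNS and the portal itself.
    echo "iptables -A INPUT -i $inline_if -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $inline_if -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $inline_if -p tcp -d $portal_ip --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -i $inline_if -p tcp -d $portal_ip --dport 443 -j ACCEPT"

    # Registered MACs are forwarded and skip the portal redirect.
    # Enforcement keys on the MAC address, which is exactly the
    # "security" drawback the description names: it is only as strong
    # as the identity the client presents on the wire.
    for mac in $registered; do
        echo "iptables -A inline-fwd -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -t nat -A inline-pre -m mac --mac-source $mac -j RETURN"
    done

    # Everyone else: web traffic goes to the captive portal, the rest
    # is dropped instead of forwarded.
    echo "iptables -t nat -A inline-pre -p tcp --dport 80 -j REDIRECT --to-ports 80"
    echo "iptables -A inline-fwd -j DROP"

    # NAT rather than route: registered clients leave via the uplink.
    echo "iptables -t nat -A POSTROUTING -o $wan_if -j MASQUERADE"
}
```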
(0002206)
obilodeau (reporter)
2011-09-14 17:05

Enjoy!
(0002252)
obilodeau (reporter)
2011-09-21 22:15

fix released in 3.0

Issue History
Date Modified Username Field Change
2011-06-17 16:12 obilodeau New Issue
2011-06-17 16:12 obilodeau Status new => assigned
2011-06-17 16:12 obilodeau Assigned To => obilodeau
2011-06-17 17:23 obilodeau Relationship added related to 0000213
2011-06-17 17:24 obilodeau Relationship added related to 0000760
2011-06-17 17:24 obilodeau Relationship added related to 0000761
2011-06-17 17:24 obilodeau Relationship deleted related to 0000761
2011-06-17 17:24 obilodeau Relationship added related to 0000781
2011-06-28 17:51 obilodeau Note Added: 0002095
2011-06-29 17:54 obilodeau Note Added: 0002097
2011-07-21 17:06 obilodeau Note Added: 0002113
2011-08-16 15:59 obilodeau Relationship added related to 0001239
2011-09-13 17:28 obilodeau Note Added: 0002202
2011-09-14 13:08 obilodeau Note Added: 0002204
2011-09-14 17:05 obilodeau Note Added: 0002206
2011-09-14 17:05 obilodeau Status assigned => resolved
2011-09-14 17:05 obilodeau Fixed in Version => trunk
2011-09-14 17:05 obilodeau Resolution open => fixed
2011-09-21 22:07 obilodeau Fixed in Version trunk => 3.0.0
2011-09-21 22:15 obilodeau Note Added: 0002252
2011-09-21 22:16 obilodeau Status resolved => closed
2011-10-25 09:06 obilodeau Target Version +2 => 3.0.0


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker