PacketFence naturally evolved into a NAC strongly focused on VLAN
isolation through tight coupling with network equipment. Lately with
MAC-Auth and 802.1X we showcased hybrid access approaches - that is to
combine techniques into the same solution using the same captive portal
on the same server.

The success of that operation gave us the idea to do the same with inline
mode.

Inline mode (aka PacketFence's DHCP or ARP modes) is still useful. Here
are some use cases:
- For SME or home users, a very easy to setup NAC. Just plug, set the
default internet gateway and bam: NAC
- For larger organizations still with legacy hardware that doesn't
support VLANs, port-security, MAC-Auth or 802.1X.
It's not perfect; the drawbacks are the security, the scalability (incl.
remote sites) and the fact that it is inline after all.

So back to my original point, why wouldn't inline mode work in hybrid
mode just like we did with port-security and 802.1X? Well guess what, we
think it should work that way and that's what we are about to do. After
all it's still more secure and useful than no NAC at all!

So the plan is:
- should be as simple as possible while scaling ok
  To accomplish this we will completely drop ARP mode in favor of DHCP
  mode. Everything will be inline passing through the PacketFence server
  and access will be enforced using iptables. For configuration simplicity
  we will NAT and not route through the server.
- it will work alongside VLAN isolation, the inline mode being on a
  separate VLAN interface.
- it will work with high-availability
- PacketFence ZEN will become a "drop-in NAC" with inline mode
  pre-configured. VLAN mode will still be in there and configurable but it
  will not be the default technique anymore.

These changes may imply some loss of functionality for some previous ARP
or DHCP mode users as we will be refactoring the code base aggressively.
Let us know what you need and we'll try our best to accommodate all use
cases.

We hope you'll be as excited by this new feature as we are!
*: feature tracked with ticket
http://www.packetfence.org/bugs/view.php?id=1227
-- 
Olivier Bilodeau
obilod...@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
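The inline design sketched above (clients on a dedicated inline VLAN interface, traffic NATed through the NAC box, access enforced per MAC with iptables, unregistered hosts sent to the captive portal) can be illustrated with a small policy generator. This is an added example and not PacketFence's own code; the interface names, address range, portal port and MAC addresses are constructed assumptions.

```shell
#!/bin/sh
# Added illustration of an inline-mode enforcement policy (not PacketFence code).
# Assumed layout: clients on an inline VLAN sub-interface, NAT (not routing)
# toward an uplink, registered MACs marked in mangle/PREROUTING so later
# chains can tell them apart from unregistered hosts.
INLINE_IF="eth0.100"        # assumed inline VLAN interface facing clients
UPLINK_IF="eth1"            # assumed interface toward the internet
PORTAL_PORT=80              # assumed captive-portal HTTP listener on this box
PF_NET="192.168.100.0/24"   # assumed range handed out by the NAC's DHCP server

# One rule per registered MAC: mark its packets so they can be forwarded.
allow_mac() {
  printf 'iptables -t mangle -A PREROUTING -i %s -m mac --mac-source %s -j MARK --set-mark 1\n' \
    "$INLINE_IF" "$1"
}

# Emit the whole policy for the given list of registered MACs.
gen_inline_rules() {
  # Everything leaving toward the uplink is NATed behind the box's address.
  echo "iptables -t nat -A POSTROUTING -s $PF_NET -o $UPLINK_IF -j MASQUERADE"
  # Registered hosts get mark 1 (mangle runs before nat in PREROUTING).
  for mac in "$@"; do allow_mac "$mac"; done
  # Unmarked (unregistered) web traffic is redirected to the portal on this box.
  echo "iptables -t nat -A PREROUTING -i $INLINE_IF -m mark ! --mark 1 -p tcp --dport 80 -j REDIRECT --to-ports $PORTAL_PORT"
  # Services every host needs before it is registered: DHCP, DNS, the portal.
  echo "iptables -A INPUT -i $INLINE_IF -p udp --dport 67 -j ACCEPT"
  echo "iptables -A INPUT -i $INLINE_IF -p udp --dport 53 -j ACCEPT"
  echo "iptables -A INPUT -i $INLINE_IF -p tcp --dport $PORTAL_PORT -j ACCEPT"
  # Only marked (registered) hosts are forwarded; everyone else is dropped.
  echo "iptables -A FORWARD -i $INLINE_IF -m mark --mark 1 -j ACCEPT"
  echo "iptables -A FORWARD -i $INLINE_IF -j DROP"
}

# Number of hosts a generated policy admits (one MARK rule per registered MAC).
count_allowed() {
  gen_inline_rules "$@" | grep -c -- '--mac-source'
}
```

Running `gen_inline_rules 00:11:22:33:44:55` prints the rule set rather than applying it, so it can be reviewed before being fed to a root shell.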

_______________________________________________
Packetfence-devel mailing list
Packetfence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel
