Archive for the “Network Access Control” Category

Network Access Control Systems

FreeNAC

FreeNAC provides easy-to-use VLAN assignment, LAN access control for all kinds of network devices (servers, workstations, printers, IP phones, webcams, ...), a live inventory of network end devices, VLAN management, and documentation of patch cabling. FreeNAC aims to be the open-source product of choice for LAN access control.

FreeNAC has been in production use since 2004. Support is limited to Cisco switches in VMPS mode, with authentication based on MAC addresses. Note that a MAC address is not a secret: anyone who has seen a registered address on the wire can clone it, so MAC-based assignment is a segmentation and inventory control rather than strong authentication. Version 2.2 adds stronger security with support for 802.1X.

The solution FreeNAC

FreeNAC provides a transparent solution for dynamic VLAN management while also monitoring LAN connectivity. From the security point of view, it detects devices foreign to the network that try to gain access through an open Ethernet socket, denies them access, and logs the event. Known, registered devices are switched to the VLAN assigned to them. Visitors (unknown devices) may optionally be given access to a default/guest VLAN. This is useful, for example, for organisations that want to give visitors web or VPN access to the Internet but no access to internal networks.

How it works

A switch detects a new device on a port and requests authorisation from FreeNAC, which looks the device's MAC address up in its database and either grants access (answering with the VLAN to assign to the port) or refuses it. FreeNAC is a much improved version of "OpenVMPS" and can directly replace other VMPS solutions, with major improvements in ease of use.
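The decision logic described in the two paragraphs above (registered MAC: assigned VLAN; unknown MAC: guest VLAN or denial, with the event logged), as an added example. This is not FreeNAC code and does not speak the VMPS wire protocol; the device table, VLAN names, switch and port names and log format are all invented for illustration. It also adds one check a practitioner would want with MAC-based access control, which the page does not describe: a registered MAC that appears on a second port while it is still active on the first is refused and flagged as a possible clone.

```python
"""Simulated MAC-based NAC decisions (added example, not FreeNAC code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed device inventory (MAC -> assigned VLAN), standing in for the
# database table the NAC server would consult.  All values are invented.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "office",
    "0011.2233.4466": "printers",   # Cisco dotted notation is accepted too
    "00-11-22-33-44-77": "voice",
}


@dataclass
class Decision:
    action: str           # "allow" or "deny"
    vlan: Optional[str]   # VLAN the port is switched to, None when denied
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept dotted (0011.2233.4455), colon or dash notation and return the
    lower-case colon form; raise ValueError unless exactly 12 hex digits remain."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacNac:
    def __init__(self, devices: Dict[str, str], guest_vlan: Optional[str] = None):
        self.devices = {normalize_mac(m): v for m, v in devices.items()}
        self.guest_vlan = guest_vlan          # None means unknown devices are denied
        self.active: Dict[str, Tuple[str, str]] = {}   # mac -> (switch, port) granted
        self.log: List[str] = []              # stand-in for syslog / e-mail alerting

    def query(self, switch: str, port: str, mac: str) -> Decision:
        """Answer the switch's authorisation request for `mac` seen on switch/port."""
        try:
            mac_n = normalize_mac(mac)
        except ValueError as exc:
            return self._answer(switch, port, mac, "deny", None, str(exc))

        vlan = self.devices.get(mac_n)
        if vlan is None:
            if self.guest_vlan is None:
                return self._answer(switch, port, mac_n, "deny", None, "unknown device")
            return self._answer(switch, port, mac_n, "allow", self.guest_vlan,
                                "unknown device, guest policy")

        # A MAC can be cloned.  The one signal the server has is the same address
        # turning up on a second port while the first grant is still active.
        seen = self.active.get(mac_n)
        if seen is not None and seen != (switch, port):
            return self._answer(switch, port, mac_n, "deny", None,
                                f"MAC already active on {seen[0]}/{seen[1]}, possible clone")
        self.active[mac_n] = (switch, port)
        return self._answer(switch, port, mac_n, "allow", vlan, "registered device")

    def release(self, switch: str, port: str) -> None:
        """Port went down (e.g. a link-down syslog message): forget its grant."""
        for mac, where in list(self.active.items()):
            if where == (switch, port):
                del self.active[mac]

    def _answer(self, switch, port, mac, action, vlan, reason) -> Decision:
        self.log.append(f"{switch} {port} {mac} -> {action} vlan={vlan} ({reason})")
        return Decision(action, vlan, reason)


if __name__ == "__main__":
    nac = MacNac(KNOWN_DEVICES, guest_vlan="guest")
    nac.query("sw1", "Gi0/1", "0011.2233.4455")      # registered -> office
    nac.query("sw1", "Gi0/2", "aa:bb:cc:dd:ee:ff")   # unknown -> guest
    nac.query("sw2", "Gi0/9", "00-11-22-33-44-55")   # same MAC elsewhere -> deny
    nac.release("sw1", "Gi0/1")
    nac.query("sw2", "Gi0/9", "00-11-22-33-44-55")   # now allowed -> office
    print("\n".join(nac.log))
```

With `guest_vlan=None` the server behaves as the strict policy in the text: unknown devices are refused outright and the refusal is logged. Releasing a grant on link-down matters for the duplicate check, since a device that legitimately moves to another port would otherwise be refused until its old port times out.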

FreeNAC

The main features of FreeNAC are:

o Dynamic VLAN assignment: VLANs are assigned based on the device's MAC address, not on the switch port, so devices can move and keep the same VLAN
o Network port access control
o A friendly user interface for management
o Works with hubs
o Can be linked to external databases: user DBs, device DBs, office/building DBs, etc.
o Advanced monitoring and alerting
o Highly automated: for example, new switches, ports and unknown MACs are automatically added to the database
o Redundancy
o Documentation of LAN cabling and reporting
o The use of a MySQL database provides scalability, flexibility and easier integration, and allows querying of the live network inventory

Benefits:

o No software is needed on end devices
o Open: well-defined protocol, open source and extensible
o FreeNAC works with older Cisco switches
o Customers who already use manual port-based access control will save time and gain effectiveness
o FreeNAC runs on standard hardware and operating systems (Linux/Unix)

A dynamic network allows:

o Better use of available switch ports (efficiency, cost savings)
o Quick configuration of new ports
o Configuration by helpdesk/1st-level support
o Easier switch configuration, since ports are "dynamic"
o Fewer changes in cabling during re-organisations

FreeNAC architecture

FreeNAC consists of:

One master server with the database and control programs
Optionally: one or more slave servers for redundancy and load distribution

FreeNAC is remotely configured via a GUI that may be installed on one or more PCs.

FreeNAC requires:

VMPS-compatible switches
Syslog messages from the switches
Access to an email server for delivery of alerts
Optionally: SNMP read/write access to the switches (write access lets the server change port configuration, so restrict it to the NAC servers' addresses and prefer SNMPv3 where the switches support it)
Optionally: SNMP read access to routers
Optionally: an interface to enterprise user and device databases

FreeNAC is usually connected to the network management LAN, which may be geographically distributed.

FreeNAC Architecture

Implementation:

* The Windows GUI was developed in Delphi (web GUIs are under development)
* Server programs are written in PHP
* The Database is MySQL
