Changelog and update notes
This document explains the changes since v2.2 RC3, and the steps to upgrade to v3.
What is new in V3.0.3?
V3.0.3 is a small point release (SVN build 1582) gathering fixes to the stable branch since v3.0.0.
A new feature called "clear mac" has been added, which completes the port restarting mechanism. This is needed for newer IOS versions where port restart does not work as expected. See the clear_mac discussion in the Technical Guide.
The Windows GUI and Web GUI have been modified accordingly. Information about configuration of this new feature can be found in the Switch configuration part of the Install Guide.
Windows GUI: The source code (Delphi Pascal) has finally been released under the GPL, see the Windows GUI changelog.
Port_scan: A new policy and feature have been introduced which allow port scanning of systems upon connection. This improves the quality of the inventory. An example of such a policy can be found here.
Systems Management Server: A new class has been added that will allow the integration between FreeNAC and a Microsoft SMS server.
What is new in V3.0.2?
V3.0.2 is a small point release (SVN build 1233) gathering fixes to the stable branch since v3.0.0.
Windows GUI: several small improvements.
- Many small fixes to daemons. A detailed list of changes is in doc/CHANGES.detailed
- DB changes are documented in contrib/migration_3.0_to_3.0.2/db_changes.sql
- Clean up column defaults
- Add the scan3 and vlan_id columns to the switches table
- Add several new rows to the config table.
- Improve comments in the config table
- Layer 3 scanning of switches/routers is now controlled by the new 'scan3' field in the switches table, not the router list in the config table.
- Fixes to sample policies
What is new in V3.0.0?
A substantial change in FreeNAC v3.0 is the introduction of an OO (object oriented) policy interface, which provides greater flexibility and encapsulation of the individual decisions regarding control of end-device access to the network.
The main programs have been rewritten using OO techniques, some others have been modified to work with our framework, and some others have been added to this new release. The aim of the OO change is to have a modularized system which would be easier to debug, troubleshoot, maintain and extend in the long run.
It is now a requirement to use PHP 5 (not PHP 4); we recommend using the latest PHP version.
Here is a summary of the changes in v3.0 (since v2.2):
- vmpsd_external has been completely rewritten. vmps_lastseen no longer exists; it has been rewritten as the postconnect daemon.
- Added the lib directory, which holds several class files that provide the framework for FreeNAC v3.0. In case you want to dig into the innards of FreeNAC, this is the place to start.
- Creation of a policy file which allows a system administrator with basic PHP skills to modify the decision process. Sample policy files are provided in /opt/nac/etc; see also the Policy chapters in the Technical Guide, which describe writing, testing and trying out the sample policies.
- Emergency off scripts have been added. In case you want to quickly disable FreeNAC in your network (e.g. at 02:00 in the morning, when there is a problem on the network that is difficult to localise), you only need to run these scripts. Likewise, after disabling it, you can re-enable it (e.g. the next morning, serenely) using another script. See also the techguide chapter.
- The Windows GUI has been improved and adapted to support the new features.
- All the PHP scripts now have the extension '.php'. This allows phpDocumentor to parse the scripts properly and thus have extra documentation generated automagically.
- SNMP functions have been added to funcs.inc.php. This lets several scripts perform operations on the switches (programming of VMPS parameters, learning port status, etc.). One of those scripts is cron_restart_port.php, which, besides restarting a port, allows the switch ports to be programmed from the Windows GUI. Another interesting script is ping_switch.php, which tells whether a switch and a switch port are up or down.
- New interfaces for the integration of McAfee ePO anti-virus and Windows update services (WSUS) have been added.
- The Database schema has changed a little, new fields and tables have been added.
We have added fields to store the status of ports and switches and the last time that the switch/port was monitored. In the systems table, we now have an index to indicate the health of a connecting device. Other fields have been added to record which user last used the device and the last name of that device, or even to send an email whenever that device gets connected to the network. See also the DB migration script in contrib/migration_2.2_to_3.0.
- The notion of health has been introduced. This allows quarantining of end-devices which do not meet the policy.
Initially one module uses this new health feature, the port scan module: suppose you know that a trojan opens port 666; if a system connecting to your network has port 666 open, you can decide what to do with it (notify, quarantine, kill it, etc.).
Policy health checking using the WSUS/ePO modules is still in beta status; example policies will be published in the coming weeks.
Installation & Configuration
Upgrading from V2.2 RC3
If you have a previous FreeNAC installation and would like to update to 3.0, here is what you have to do:
Stop previous instances of vmps, vmps_lastseen and proctst (if you are using the latter):
  /etc/init.d/vmps stop
  /etc/init.d/vmps_lastseen stop
  /etc/init.d/proctst stop
Check out the latest stable release:
  mkdir /opt/nac3.0
  svn co https://opennac.svn.sourceforge.net/svnroot/opennac/branches/3.0/ /opt/nac3.0
Then copy over the config files, or adapt config.inc.template according to your needs.
Apply the changes to the database:
  cd /opt/nac3.0/contrib/migration_2.2_to_3.0/
  mysql opennac < db_changes.sql
Add the extension .php to all PHP scripts you have in your crontab.
Copy over the startup scripts (the old ones are kept as backups with a .$$ suffix):
  mv /etc/init.d/vmps /etc/init.d/vmps.$$
  mv /etc/init.d/vmps_lastseen /etc/init.d/vmps_lastseen.$$
  cp /opt/nac3.0/contrib/startup_init.d/vmps /etc/init.d/
  cp /opt/nac3.0/contrib/startup_init.d/postconnect /etc/init.d/
Copy over the proctst configuration file (if you are using it). Note that /opt/nac still points to the old installation at this step, so copy from the new checkout:
  mv /etc/proctst.conf /etc/proctst.$$
  cp /opt/nac3.0/contrib/etc/proctst.conf /etc
Activate the new directory:
  mv /opt/nac /opt/nac.$$
  ln -s /opt/nac3.0 /opt/nac
And finally start the daemons and watch syslog:
  /etc/init.d/vmps start
  /etc/init.d/postconnect start
  /etc/init.d/proctst start   (only if you are using it)
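The upgrade steps above as small shell helpers. This is an added example, not FreeNAC code: it checks the PHP 5 requirement, rewrites crontab entries to the new .php extension, and reproduces the backup-then-copy pattern the startup script steps use. The sample crontab line, the /opt/nac paths and the version string are constructed assumptions.

```shell
#!/bin/sh
# Helpers for the v2.2 RC3 -> v3.0 upgrade. Added example, not part of FreeNAC;
# the script paths and the sample version string are assumptions.

# v3.0 requires PHP 5. Takes a version string (e.g. the output of
# `php -r 'echo PHP_VERSION;'`) and returns 0 when the major version is >= 5.
php_is_v5_or_newer() {
  major=${1%%.*}
  [ "$major" -ge 5 ] 2>/dev/null
}

# Rewrite crontab text (stdin -> stdout) so that FreeNAC scripts referenced
# without an extension get the new '.php' suffix. A path that already carries
# an extension (cron_restart_port.php, foo.sh) is left alone: the character
# class stops at '.', and the match must end at whitespace or end of line.
add_php_extension() {
  sed -E 's#(/opt/nac[^[:space:]]*/[A-Za-z0-9_]+)([[:space:]]|$)#\1.php\2#g'
}

# Install a new file over an existing one, keeping the old copy as <dst>.$$,
# exactly like the mv/cp pairs in the guide. $1 = new file, $2 = destination.
install_with_backup() {
  if [ -e "$2" ]; then
    mv "$2" "$2.$$" || return 1
  fi
  cp "$1" "$2"
}

# Constructed sample crontab line as it would look before the upgrade.
OLD_CRON='*/5 * * * * root /opt/nac/bin/cron_restart_port >/dev/null 2>&1'

# Run with "demo" to print the rewritten crontab line.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$OLD_CRON" | add_php_extension
fi
```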
All modules are configured via settings in the 'config' table. This was already the case in v2.2 RC3. If upgrading from an even earlier release (v2.1 for example), please read the relevant migration notes on config.inc. The contents of config.inc have not changed between v2.2 RC3 and V3.
As usual, any questions/remarks/queries can be posted in the forums.
See also the troubleshooting section of the User Guide, search the website, and search the forum.
If there are errors or omissions in this document, please log in to the website and post a comment below.
The FreeNAC Team