Releases: inverse-inc/packetfence

v10.2.0

07 Oct 16:06
@cgx cgx

The Inverse team is pleased to announce the immediate availability of PacketFence v10.2 - a major release bringing tons of improvements! Moreover, the upcoming PacketFence v11 will feature full Zero Trust Network Access support - extending NAC concepts to remotely connected users with full micro-segmentation support. This release is considered ready for production use and upgrading from previous versions is strongly advised.

Improved Layer-3 Replication

Layer-3 replication over high-latency WAN connections has been dramatically improved in PacketFence v10.2 - by a factor of ten. This allows PacketFence to secure even larger, widely distributed networks.

More Golang

Our endeavour in rewriting our services from Perl to Golang has reached another big milestone for PacketFence v10.2. One of PacketFence's most crucial services, the maintenance and monitoring service, has been fully rewritten in Golang to increase performance and drastically reduce resource usage.

Automated Integration Tests

Our other big endeavour, achieving full integration test coverage, has reached another big milestone in PacketFence v10.2. The Configurator, the very first part of PacketFence exposed to new users, now has complete integration test coverage. This means that through Venom, we can now fully test the Configurator, wired MAC authentication and 802.1X using EAP-PEAP, backup/restore and many more. Our WiFi, WMI and PKI/EAP-TLS tests will be completed for v11.

Upcoming v11 Release

PacketFence v11 will extend NAC concepts to remotely connected users with full micro-segmentation support. Using our new connectivity orchestrator, PacketFence will dynamically establish secured tunnels between endpoints - based on what they are allowed to do on the network. Traffic of remotely connected users will not go through PacketFence, but PacketFence will orchestrate the creation of a full mesh network between remote users, local or Cloud-based resources.

... and more!

PacketFence v10.2 now also supports EAP-TTLS for LDAP authentication sources, native Novell NetIQ eDirectory support, improved support for Extreme Networks switches running EXOS, improved multi-tenancy support, MAC address randomization support and many more admin interface improvements!


Here's the complete list of changes included in this release:

New Features

  • EAP-TTLS PAP support on an LDAP source
  • eDirectory source
  • Master/Slave RADIUS proxy and degraded workflow
  • Go-based pfmon (#5613)
  • Integration tests: configurator scenario added (#5484)

Enhancements

  • Adjust the settings in the admin for the SAML and OAuth portal modules (#5479)
  • Select the role of the device when registering via the self-service portal.
  • Improved support for Extreme switches running EXOS
  • Added option to register device immediately after the sponsor activates the access during sponsor based registration (#5642)
  • Added support for EAP-PEAP MSCHAPv2 and EAP-TLS for CLI and VPN RADIUS authentication (#5784)
  • Template based bouncePort using CoA (#5735)
  • Set the default switch type to Packetfence::Standard (#5742)
  • Create a PacketFence::SNMP switch to force reevaluate access using SNMP (#5742)
  • Add support for CLI Access for Switch::Template (#5708)
  • Use Status Check in pfstats to test radius/eduroam sources
  • Switch templates can define how to map a NasPort to an IfIndex (#5779)
  • Syslog parsers are now tenant aware.
  • Add default MAC address randomization security event check
  • Allow to delete a node from web admin with a locationlog opened (#5492)
  • Allow roles to be deleted

Bug Fixes

  • Fixed CoA for Meraki web-authentication so that it doesn't disconnect the user from the SSID
  • Honor the AUP setting of the SAML portal module (#5476)
  • Use the prebuilt freeradius perl dictionary.
  • Don't override user defined values in the interface file for centos.
  • haproxy-db can cause pfcmd service restart to fail (#5745)
  • Pass in the mandatory fields to the email templates.
  • Dell N1500.pm: LLDP detection doesn't work (#5758)
  • Ensure the gateway was only written once in /etc/sysconfig/network (#2845)
  • Remove the ip address of a server in the dhcp reply when the server has been disabled (#5677)
  • Allow setting multiple CA certificates.
  • Listen to all interfaces for radius accounting (#5821)
  • Searching by 'Source Switch Identifier' for a switch range doesn't work (#5792)

See the complete list of changes and the UPGRADE.asciidoc file for notes about upgrading.

v10.1.0

17 Jun 19:38
@cgx cgx

New Features

  • Live log viewer from admin interface
  • Fully tenant-aware admin interface
  • Support for MS-CHAP authentication for CLI/VPN access
  • New pfcertmanager service that generates certificate files from configuration

Enhancements

  • EAP configuration template - add a way to define multiple EAP profiles in FreeRADIUS
  • New action for AD/LDAP sources to set role when user is not found
  • Provide an advanced LDAP condition to allow custom LDAP queries
  • The captive portal can now feed HTTP client hints to the Fingerbank collector
  • Added ability to enable/disable a network anomaly detection policy (#5403)
  • Return the portal IP if the QNAME matches one of the portal FQDN for registered devices using inline enforcement
  • Individual source rules can be disabled
  • Support for Dell N1500 starting from 6.6.0.10
  • CoA support for Ubiquiti Unifi AP
  • Added a way to define the Unifi AP by IP or IP range
  • Use the value of an LDAP attribute as a role
  • Added the return of the LDAP/RADIUS attributes to use them in RADIUS filter
  • The /api/v1/radius_attributes endpoint is now searchable
  • Proxy the captive portal detection URL when the device is registered
  • Choose which EAP profile to use based on the realm
  • LDAP's basedn can be defined in the authentication sources rules
  • New hooks for the RADIUS filter engine in eduroam virtual server
  • Redefined "restart" in the service manager to allow "PartOf" in systemd scripts
  • Set role from source authentication rule option (needs #5459)
  • Flatten the RADIUS request for the authentication sources (attributes like radius_request.User-Name)
  • RADIUS request attributes / username are part of the common attributes
  • Support for multiple LDAP servers in the FreeRADIUS ldap_packetfence configuration file
  • Copy outer User-Name attribute in PacketFence-Outer-User attribute to be able to use it in the authentication rules
  • Copy the LDAP-UserDN attribute in PacketFence-UserDN attribute to be able to use it in the authentication rules
  • Added a way to extend the LDAP filter for searchattributes configuration
  • Documentation for EAP profile selection
  • Documentation for regex realm
  • Documentation for new action/condition in LDAP authentication
  • Moved the VLAN filters example as default disabled VLAN filter
  • Use PUT for node reevaluate_access to fix issue with admin_role actions mapping
  • OpenID pid mapping is now configurable
  • Can map OpenID attributes to person attributes
  • Allow to create authentication rules based on OpenID attributes

Bug Fixes

  • Fixes Fortinet Fortigate returnAuthorizeVPN function (#5409)
  • Barracuda NG firewall SSO SSH fails (#4828)
  • Impossible to set multiple access level in administration rule (#5440)
  • Fixed pf-maint.pl when it's running behind a proxy (#3425)
  • Fix vendor attributes not being sent from Switch Template (#5453)
  • Fixed issue authorizing a user in web-auth on Unifi when the node has its date set to '0000-00-00 00:00:00'

v10.0.1

08 May 19:50
@cgx cgx

Bug Fixes

  • Fix issue with out of bound array in pfacct
  • Fix handling of VSA in pfacct
  • Fix handling of wireless secure to open SSID VLAN filter
  • Fix limit of 25 filters in filter engines GUI (#5379)
  • Fix the "from address" when sending emails through the pfpki
  • Adjustments to the default anomaly detection policies
  • Add missing sFlow and netflow ports in the iptables configuration
  • Fix detection of the anomaly detection capabilities of the current Fingerbank account
  • Improve anomaly detection triggers display in security events (#5402)
  • Handle JAMF provisioner responses that aren't UTF-8 encoded
  • Fix admin account validity when changing the timezone in the configurator (#5390)
  • Restart packetfence-mariadb in the configurator after changing the timezone (#5390)
  • Fix multi-tenancy detection when performing web-authentication (#5418)

v10.0.0

16 Apr 14:58
@cgx cgx

New Features

  • Added support for network anomaly detection through Fingerbank
  • New, fully integrated PacketFence PKI service
  • New service for automatic clustering issue resolution
  • New GUI for all filtering engines and switch templates
  • New API and Vue.js based step-by-step configurator
  • Added VMware Airwatch support

Enhancements

  • Added support to run integration tests using Cumulus Linux and libvirt
  • Added the ability to autoregister and assign a role to a device authorized in a provisioner
  • Added the ability to control whether or not a provisioner should be enforcing (i.e. ensuring all devices matching it are authorized with it)
  • Added the ability to sync the PID of devices authorized in a provisioner (only for Airwatch and JAMF)
  • Add single sign-on support for Cisco ISE-PIC
  • Support for MySQL as DHCP pool backend and provide active/active DHCP support
  • Support Aruba switches using Aruba OS 16.10
  • Added a new Meru controller module that supports RADIUS RFC3576 (RADIUS Disconnect)
  • CLI login to Juniper switches
  • Allow to configure VOIP RADIUS attributes in switch templates
  • All configuration files have a copyright without year to avoid useless rpmnew or dpkg-dist files each yearly upgrade
  • Improved Unifi deauthentication using HTTP
  • Set TTL to 5 seconds when the host match with a captive portal detection host
  • Enable tracking configuration service by default
  • Better captive portal detection for Samsung devices
  • Faster captive portal detection for Apple devices
  • Routes are now managed by the keepalived service
  • Parking security event can now be triggered without limitation
  • Added a way to change the SQL table used by pfconfig
  • Showing the configurator is now configurable (#5121)
  • Node deletion is consistent between the API and pf::node::node_delete (#5088)
  • Allow VLAN number greater than 1023 for floating devices
  • Improved captive-portal health checks in monit (#5185)
  • Added RADIUS disconnect for wired port on Aruba AP (#5016)
  • Switch templates can now use SNMP up/down to perform access reevaluation (#5197)
  • HAProxy now serves the admin gui, httpd.admin disabled by default
  • Reports are now tenant-aware
  • Security events can be triggered when running node maintenance task (#4948)
  • Added parameter to prevent external portal requests from updating the ip4log (#5336)
  • Added new WMI examples

Bug Fixes

  • Fixed logic to move MAC address to another port (Avaya)
  • Fix serialization of the switch when calling ReAssignVlan/desAssociate
  • Prevent double restart when setting the port admin status of an EX2300 Juniper switch
  • Sponsor field is missing on sponsored users when using forced sponsor (#5171)
  • Some DHCP info triggers use outdated Fingerbank data (#5106)
  • Issue with the timezone in the admin not being honored on the system (#5205)
  • Issue with Chrome not showing the portal on a self-signed certificate (#5233)
  • Issue with RADIUS CLI access and LDAP authentication source where the cache is enabled (#5018)
  • Distribute pfsnmp trap jobs between queues based on switch ID (#5004)
  • Deleting a portal profile doesn't clean up its templates (#793)
  • pfacct doesn't report metrics to dashboard (#5267)

v9.3.0

13 Jan 20:08
@cgx cgx

New Features

  • Only have a single active locationlog entry in the locationlog

Enhancements

  • Don't try to do firewall SSO if the service is disabled
  • Massively improved web admin performance

Bug Fixes

  • Fix pfstats for LDAPS and StartTLS
  • Allow to run any script from a security event without a modification of sudoers file
  • Fix machine authentication failure on the eduroam virtual server
  • Allow external RADIUS accounting from the eduroam server (they use it to detect if a server is alive)
  • Fix eduroam load-balancing issue on local realm

v9.2.0

26 Nov 18:20
@cgx cgx
e4a58a3

New Features

  • Allow to force the access duration when using device registration
  • Migrate to go mod for Golang binaries (#4832 and #4841)
  • Ready-to-use Docker images for PacketFence builds (#4841)
  • Added audit log for API and new admin interface
  • Added configuration based switch modules
  • Support for remote layer 3 clusters in read-only mode
  • Internal security event to trigger on managed network only or production network only

Enhancements

  • Network visualization now supports custom sorting, min/max graph sizing, variable real-time network live-view, and infinite depth of switch-group inheritance.
  • Speedup the dal generation (#4824)
  • Enhance Juniper EX2300 to allow a port bounce to be done via RADIUS CoA

Bug Fixes

  • Fixed SNMP trap stuck in the queue (#4737)
  • MySQL schema upgrade statements should be re-runnable (#4892)
  • Return the authentication sources associated with the default realm if the realm used by the connection contains a realm that is not defined in the configuration.

v9.1.0

26 Nov 14:25
@cgx cgx
bc88583

New Features

  • Network visualization
  • Microsoft Intune and ServiceNow support
  • Family Zone, LightSpeedRocket and SmoothWall firewall SSO support
  • New way to forward Eduroam local realm to a specific RADIUS server
  • New DNS auditing log module

Enhancements

  • Adjust Fingerbank device class lookup ordering for added precision of the device class
  • Track configuration changes in local git repository
  • Randomize KeyBalanced to randomize the load-balancing in FreeRADIUS Proxy.
  • Support for SentinelOne's new API version (v2.0)
  • Firewall SSO is now performed centrally on the management node of a cluster
  • Added DHCP pool algorithm (random/oldest IP)
  • Improved support for Juniper switches running Junos 15 and above
  • Allow to configure the API token timeout
  • Moved vlan_pool_technique configuration parameter to the connection profile
  • Added the RADIUS request's target IP address in the RADIUS audit log (helps in cluster mode)
  • pfperl-api port number changed to 22224
  • Autoreg for mac-auth with an authorize source
  • Parking portal has been moved in the haproxy and httpd.dispatcher services and deprecates the dedicated httpd.parking service

Bug Fixes

  • pfstats queries /api/v1/dhcp/stats are taking a lot of time (#4096)
  • Duplicate reservations in the DHCP pool caused by a big registration/inline network and pfstats call
  • LinkedIn social login integration due to deprecated API calls from LinkedIn
  • Fixed the logic of "Use the RADIUS username instead of the TLS certificate common name when performing machine authentication"

v9.0.1

24 May 17:19

Enhancements

  • Improved display of RADIUS audit log from RADIUS tab (#4473)
  • Add '-copy' to the ID when cloning a configuration resource (#4468)
  • Better visual distinction when the database is in read-only mode (#4464)
  • Domain join is prompted after creating a domain (#4544)
  • Added current hostname to help page

Bug Fixes

  • Fixed Aruba Instant access switch module compilation error
  • Fixed violations to security events upgrade script to use the .rpmsave file during the upgrade
  • Fixed user visualization when the username contains a '/' or '' (#4531 and #4570)
  • Fixed missing 'Signing' tab in mobileconfig provisioner configuration section (#4533)
  • Fixed missing 'Compliance' tab in OPSWAT provisioner configuration section
  • Fixed issue when defining multiple DNS servers in inline
  • Fixed issue where not all security events are visible when triggering a security event on a node (#4550)
  • Fixed issue with multi-cluster configuration generation
  • Fixed issue with WMI scan engine rules failing to be saved (#4559)

v9.0.0

16 May 13:11

Version 9.0.0 released on 2019-05-15

New Features

  • New web interface based on Vue.js and Bootstrap 4
  • Let's Encrypt SSL certificates support for captive portal and RADIUS
  • Cisco ASA VPN support with the captive portal
  • Fortinet VPN support
  • DHCP Filter to reply custom attributes in the OFFER and/or ACK (deprecate old DHCP Filter)
  • Add 802.1X and CoA support for Fortinet FortiSwitch
  • Add module to support PICOS white box switches
  • Support for Aerohive access point with switch port
  • Support for Aruba Instant Access switch module
  • Debian 9 (Stretch) support

Enhancements

  • Now including timeout when authorizing a web-auth user on an Ubiquiti UniFi controller
  • Now providing defaults for the Apache filters
  • Allow to configure the RADIUS attributes and their lookup order for extracting the username
  • conf/stats.conf has a default file now
  • VoIP configuration parameter in node_cleanup task to bypass VoIP devices
  • Adding/removing passthroughs doesn't require to restart pfdns anymore (#3127)
  • Added support for RADIUS disconnect on Ruckus SmartZone
  • Disable Microsoft Active Directory join operating system check option
  • Disable DNS lookup in MariaDB configuration
  • Enable performance_schema if needed
  • Display local account in the captive portal during registration if applicable (#3615)
  • Exception for portal detection URL in pfdns
  • Added support for Ruckus roles
  • sms_carrier 'id' column is now auto-increment (#1270/PR #3684)
  • Better logging for haproxy-portal that allows to identify missing passthroughs
  • Allow to skip management node in portal load-balancing when running in a cluster
  • DHCP and DNS services can be enabled on a specific interface
  • VoIP support for Dell switches

Bug Fixes

  • Fixed the systemd logic in pfdhcp
  • Fixed winbindd respawning extremely fast when failing to start
  • Fixed winbindd processes not being killed on latest version of Samba
  • Allow disabling processing of IPv6 packets in the pfdhcplistener
  • Fixed untainted variable (#3920)
  • Fixed on-registration scanning (#3963)
  • Set the realm in the RADIUS request when doing machine authentication
  • Keep connections to the unified API alive
  • Fixed the documentation and the form for the Juniper SRX firewall

v8.3.0

09 Jan 18:31

New Features

  • Added support for Juniper EX2300 (JUNOS 18.2) switches
  • Clickatell authentication source support
  • Added a random algorithm for VLAN pooling
  • Added the ability to reserve IP addresses in pfdhcp
  • Added a way to trigger a violation when device profiling detects a change in the device class
  • New SSL Inspection portal module
  • RADIUS proxy integration from web admin interface
  • RADIUS filtering support for pre_proxy/post_proxy/preacct/accounting/authorize phases
  • Updated the Windows provisioning agent to the new Golang based version

Enhancements

  • Redis now only listens on localhost (#3729)
  • Deprecate usage of roaring bitmap for the DHCP IP pool (#3779)
  • Email and SponsorEmail sources can have banned and allowed email domains (#3807)
  • Improved startup time of pfdhcp
  • Removed OPSWAT Metadefender Cloud support
  • Choose the password hashing algorithm when creating a local user from a source
  • Define the length of the password to generate when creating a local user from a source
  • New "dummy" source just to compute the rules

Bug Fixes

  • Logs permissions and configuration for Debian (#3780)
  • Fixed missing cache directory for NTLM auth cache (#3788)
  • Fixed working directory of NTLM auth cache sync script (#3777)
  • Handled multiple LDAP hosts properly in NTLM auth cache (#3776)
  • Issue with the DHCP server that sometimes gives a duplicate IP address
  • Adjusted CentOS and RHEL dependencies
  • Fixed MAC filtered lookups that were cached in pfdns (#3785)
  • Fixed the OpenVAS integration to work with OpenVAS Manager 7.0 (OpenVAS 9)
  • Fixed encoding of files created in the administration interface (force them to UTF-8)