Releases: inverse-inc/packetfence

PacketFence v6.0.3

21 Jun 17:46
@cgx

Bug Fixes

  • Fixed example in vlan filters showing incorrect operand for user_name
  • Fixed the display of the aup when printing a user
  • Fixed email_instructions blocking email registration
  • Fixed FreeRADIUS dynamic clients hanging the server when the database fails to respond (#1500)
  • Fixed violation_add when applying one through bulk actions (#1510)
  • Fixed sessions remembering failed authentication sources
  • Fixed listening for DHCPREQUEST in the registration network when in cluster mode

PacketFence v6.0.2

21 Jun 17:45
@cgx

Bug Fixes

  • Fixed pfdns to prevent pid file deletion when a child dies (#1444)
  • PacketFence will now handle the case where a source in the session is not available anymore
  • Fixed missing PID when using device registration (#1447)
  • Fingerbank update will no longer sync all servers
  • VoIP detection flags default will now be undef in admin interface
  • Suricata renamed to suricata_event in violations.conf.example
  • The captive portal will now handle User Agent strings properly
  • PacketFence will now delete the user (not device) session after activating sponsor
  • Fixed incorrect MAC address formatting in the reporting section of the GUI
  • Fixed "reuse dot1x credentials" in captive portal
  • Fixed incorrect SNMP traps handling
  • Fixed incorrect MAC address handling in radius accounting
  • Added a check to database backup script for mariadb
  • Fixed unregistration date handling when using email registration

PacketFence v6.0.1

29 Apr 12:24
@cgx

Bug Fixes

  • Added back the option to set the logo in a portal profile
  • Fixed Blackhole and Null authentication portal modules (#1439)
  • Added missing username field in Debian maintenance crontab
  • Fixed web authentication web form release in captive portal
  • Validate configuration identifiers so they don't contain invalid characters (#1417)
  • Fixed incorrect samba handling of "%h" in server name
  • Fixed registration ACL computing for Cisco WLC and 2960 in web authentication
  • Adjust pfdetect startup order to allow Snort / Suricata to start
  • Fixed pfsetvlan compilation error
  • Fixed violations internationalization
  • Fix incorrect rogue dhcp detection

PacketFence v6.0.0

29 Apr 12:22

New Features

  • Fully redesigned frontend and backend of the captive portal
  • Parking state for unregistered devices (a parked device gets a longer DHCP lease time and can only access a lightweight portal)
  • CentOS 7 and Debian 8 (Jessie) support
  • RADIUS support for Avaya switches
  • New filter engine to return custom answers in pfdns
  • Redirect URLs are defined in Role by Web Auth URL switch configuration (Cisco)
  • Added support for Captive-Portal DHCP attribute (RFC7710)
  • Added Google Project Fi as a SMS carrier for SMS signup option
  • FreeRADIUS 3 support with Redis integration

Enhancements

  • Added ability to expire users
  • Automatically update all the Fingerbank databases (Redis, p0f, SQLite3)
  • Do not allow the TRACE method to be used in any of the web processes
  • Can now limit the maximum unregdate an administrator can set to a person
  • Added option to disable the accounting recording in the SQL tables
  • Added caching of the latest accounting request for use in access reevaluation
  • Reduced the number of webservices calls during RADIUS accounting
  • Added configuration for Apache 2.4 with Template Toolkit
  • Added a timer for each RADIUS request (radius audit log)
  • Assign the voice role to VoIP devices when PacketFence detects them
  • Renamed VLAN to Role in admin GUI violation
  • Unregistering a node from a secure connection to an unsecured one is now managed by the VLAN filters
  • Location history of a node now shows the role instead of the VLAN id
  • Documentation to configure Cisco switches with Identity Networking Policy
  • Trigger violation on source or destination IP address only if they are in the trapping range networks
  • Performance improvement for VoIP detection
  • Added new RADIUS filter return option (random number in a range)
  • Reinstated iplog (iplog_history and iplog_archive) rotation/cleanup jobs performed by pfmon
  • An asynchronous LDAP lookup is now done on each 802.1x request to populate the person fields for that user

Bug Fixes

  • Compute unregistration date for secure connections
  • Fixed unescaped value in LDAP search
  • Fixed Apache 2.4 core dump
  • Fixed update locationlog from accounting start with the wrong connection type

PacketFence v5.7.0

19 Feb 13:25
@cgx

New Features

  • DNS based enforcement as a new enforcement mode for routed networks
  • Captive portal authentication now supports SAML authentication
  • It is now possible to search for nodes that are online based on RADIUS accounting
  • Integration with Suricata MD5 extraction module to scan against OPSWAT MetaScan online scanner

Enhancements

  • Support for floating devices on HP Procurve switches
  • RADIUS CoA support added to Brocade switches
  • The NULL authorization source can now be combined with other sources
  • Added possibility to trigger Firewall Single Sign-On when an endpoint changes status
  • The username on a captive portal will no longer be stripped unless required otherwise
  • Improved UDP reflector documentation
  • Improved vendor specific attributes in radius filters
  • Now able to specify on which LDAP attribute we should match for SponsorEmail
  • Now able to strip a username in LDAP source even if not present in RADIUS request

Bug Fixes

  • Fixed incorrect provisioning that ignored broadcast state of provisioned SSID
  • Present a login page without login form when a blackhole source is used on the portal profile ([#1021](https://github.com/inverse-inc/packetfence/issues/1021))
  • Fixed incorrect provisioning templates that required entering a password twice (#1119)
  • Fixed ambiguous SQL accounting stored procedure that could return duplicate results
  • Fixed incorrect IPv6 DHCP processing in pfdhcplistener

PacketFence v5.6.1

19 Feb 13:24
@cgx

Enhancements

  • pfcmd will now validate the violation configuration in checkup
  • pfdns cached entries will now expire after 24 hours

Bug Fixes (bug Id is denoted with #id)

  • Fix duplicate open entries in locationlog for voip devices
  • Avoid circular dependency when loading pf::Authentication::Source::StripeSource (#1160)
  • Fix incorrect Cisco switch ACL number
  • Removed use of pf::class modules which caused compilation errors
  • Fixed an incorrect reload of the cached configuration (#1157)

PacketFence v5.6.0

19 Feb 13:24
@cgx

New Features

  • New RADIUS auditing report allows troubleshooting from the GUI
  • The email authorization source now allows setting roles based on the email used to register
  • New switch groups allow assigning settings to multiple switches at once
  • DHCP filters now allow arbitrary rules to perform actions based on DHCP fingerprinting
  • Cisco switches login access can now be authenticated through PacketFence
  • The filter engine configuration can now be edited through the admin GUI

Enhancements

  • New dedicated search feature for violations in the nodes panel
  • New pfcmd pfqueue command allows managing the queue from the command line
  • New option to specify the authentication source to use depending on the RADIUS realm
  • Upgrade Config::IniFiles to allow faster loading of configuration files
  • Performance improvements to the filtering engine by avoiding unnecessary database lookups
  • New columns bypass_vlan and bypass_role can now be imported for nodes
  • Service start/stop order can now be configured through the admin GUI
  • Pagination can now be defined by the user in the admin GUI search results
  • The pfdns service now forks to process multiple requests in parallel
  • Added configurable timeout for send/receive operations on the OMAPI socket
  • The authorization process will now test if the role changed before reevaluating access
  • New option to add date based VLAN filter condition (is before date, is after date)
  • pfconfig backend can now be cleared via pfcmd
  • Improved RADIUS accounting handling for better performance

Bug Fixes (bug Id is denoted with #id)

  • Remove old entries in ipset session
  • Always reevaluate the access if the order comes from the admin GUI (#1056)
  • Portal profiles templates are now properly synced between members of a cluster (#942)
  • Process requests properly when running a pfdhcplistener on an interface that has networks with and without dhcpd activated
  • Violation trigger from web admin will now override grace period (#1028)
  • Fix queue task counters out of sync when a task expires
  • Reworked the configuration backends to prevent a race condition of the configuration namespaces in active/active cluster (#1067)
  • Define each internal network to NAT instead of a global rule when passthroughs are enabled (#1118)

PacketFence v5.5.2

19 Feb 13:23
@cgx

Enhancements

  • pf::CHI::compute_with_undef now supports cache options
  • Use the fingerbank cache instead of caching its result globally.
  • Update dependency to 2.1 for fingerbank.

Bug Fixes (bug Id is denoted with #id)

  • Completed renaming of trap to reevaluate_access in violations.conf.example
  • Fixed deauthentication source IP not detected properly when no vip is assigned on the management interface (#1035)
  • Use proper API client when triggering a violation within pf::fingerbank

PacketFence v5.5.1

03 Dec 13:50
@cgx

Bug Fixes

  • pfdns will now resolve its own domain correctly
  • Fixed missing violation_view_top call in radius filter
  • Fixed equals operator in LDAP rule

PacketFence v5.5.0

03 Dec 13:49
@cgx

New Features

  • New device detection through TCP fingerprinting
  • New DHCPv6 fingerprinting through Fingerbank
  • New RADIUS filter engine to return custom attributes based on rules
  • Security Onion integration
  • Paypal payment is now supported in the captive portal
  • Stripe payment and subscriptions are now supported in the captive portal

Enhancements

  • New pfqueue service based on Redis to manage asynchronous tasks
  • Memcached has been replaced by Redis for all caching
  • pfdetect can now be configured through the administration interface
  • Added ability to detect hostname changes using the information in the DHCP packets
  • Added the ability to create 'not equal' conditions in LDAP sources
  • DoS mitigation on the captive portal through mod_evasive
  • Load balancing in an active/active process now uses a dedicated process
  • Authentication and accounting are now in two different RADIUS processes
  • Reworked violation triggers creation in the administration interface so it's more user friendly
  • Added the ability to create combined violation triggers, which allow triggering a violation based on multiple attributes of a node
  • Suricata alerts can now trigger a violation based on the alert category or description instead of only the ID of the alert
  • Added ability to e-mail device owner as a violation action
  • The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurrently
  • New ntlm_auth wrapper will log authentication latency to StatsD automatically
  • Handle Microsoft Windows based captive-portal detection mechanisms
  • Manage pfdhcplistener status with keepalived and run pfdhcplistener on all cluster's members
  • New portal profile filter (sub connection type)
  • Added switch IP and description in the available columns in the node list view
  • Use SNMP to determine the ifindex based on the Nas-Port-Id
  • Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA
  • Added support for Nessus 6 scan engine
  • Added documentation for the Cisco iOS XE switches
  • Reworked existing billing providers to be PCI compliant
  • Billing providers are now part of the authentication sources
  • Billing tiers are now stored in the configuration instead of the source code files
  • Billing sources can now be used with other authentication sources on the same portal profile
  • DHCP packet processing is now fully done asynchronously to allow more PPS in the pfdhcplistener

Bug Fixes (bug Id is denoted with #id)

  • Fixed log rotation issue with the carbon daemons
  • Fixed LLDP phone detection if only telephone capability is enabled (#964)
  • Fixed keepalived and iptables configuration for portal interfaces
  • Fixed improper httpd status code being set
  • Removed the node delete button
  • Fixed detection if the device asks for a portal per URI
  • Fixed 3Com switches ifIndex calculation in stack mode using SNMP
  • Not-found users will now be cached when using the caching in an LDAP source (#978)
  • Updating a node puts an invalid entry in the voip field