Releases: inverse-inc/packetfence
PacketFence v6.0.3
Bug Fixes
- Fixed example in vlan filters showing incorrect operand for user_name
- Fixed the display of the aup when printing a user
- Fixed email_instructions blocking email registration
- Fixed FreeRADIUS dynamic clients hanging the server when the database fails to respond (#1500)
- Fixed violation_add when applying one through bulk actions (#1510)
- Fixed sessions remembering failed authentication sources
- Fixed to listen to DHCPREQUEST in registration network when in cluster mode
PacketFence v6.0.2
Bug Fixes
- Fixed pfdns to prevent pid file deletion when a child dies (#1444)
- PacketFence will now handle the case where a source in the session is not available anymore
- Fixed missing PID when using device registration (#1447)
- Fingerbank update will no longer sync all servers
- VoIP detection flags default will now be undef in admin interface
- Suricata renamed to suricata_event in violations.conf.example
- The captive portal will now handle User Agent strings properly
- PacketFence will now delete the user (not device) session after activating sponsor
- Fixed incorrect MAC address formatting in the reporting section of the GUI
- Fixed "reuse dot1x credentials" in captive portal
- Fixed incorrect SNMP traps handling
- Fixed incorrect MAC address handling in radius accounting
- Added a check to database backup script for mariadb
- Fixed unregistration date handling when using email registration
PacketFence v6.0.1
Bug Fixes
- Added back the option to set the logo in a portal profile
- Fixed Blackhole and Null authentication portal modules (#1439)
- Added missing username field in Debian maintenance crontab
- Fixed web authentication web form release in captive portal
- Validate configuration identifiers so they don't contain invalid characters (#1417)
- Fixed incorrect samba handling of "%h" in server name
- Fixed registration ACL computing for Cisco WLC and 2960 in web authentication
- Adjust pfdetect startup order to allow Snort / Suricata to start
- Fixed pfsetvlan compilation error
- Fixed violations internationalization
- Fix incorrect rogue dhcp detection
PacketFence v6.0.0
New Features
- Fully redesigned frontend and backend of the captive portal
- Parking state for unregistered devices (where it will have a longer DHCP lease time and will only access a lightweight portal)
- CentOS 7 and Debian 8 (Jessie) support
- RADIUS support for Avaya switches
- New filter engine to return custom answers in pfdns
- Redirect URLs are defined in Role by Web Auth URL switch configuration (Cisco)
- Added support for Captive-Portal DHCP attribute (RFC7710)
- Added Google Project Fi as a SMS carrier for SMS signup option
- FreeRADIUS 3 support with Redis integration
Enhancements
- Added ability to expire users
- Automatically update all the Fingerbank databases (Redis, p0f, SQLite3)
- Do not allow the TRACE method to be used in any of the web processes
- Can now limit the maximum unregdate an administrator can set to a person
- Added option to disable the accounting recording in the SQL tables
- Added caching of the latest accounting request for use in access reevaluation
- Reduced the number of webservices calls during RADIUS accounting
- Added configuration for Apache 2.4 with Template Toolkit
- Added a timer for each RADIUS request (radius audit log)
- Assign the voice role to VoIP devices when PacketFence detects them
- Renamed VLAN to Role in admin GUI violation
- Unregistering a node from a secure connection to an unsecured one is now managed by the VLAN filters
- Location history of a node now shows the role instead of the VLAN id
- Documentation to configure Cisco switches with Identity Networking Policy
- Trigger violation on source or destination IP address only if they are in the trapping range networks
- Performance improvement for VoIP detection
- Added new RADIUS filter return option (random number in a range)
- Reinstated iplog (iplog_history and iplog_archive) rotation/cleanup jobs performed by pfmon
- An asynchronous LDAP lookup is now done on each 802.1x request to populate the person fields for that user
Bug Fixes
- Compute unregistration date for secure connections
- Fixed unescape value in LDAP search
- Fixed Apache 2.4 core dump
- Fixed update locationlog from accounting start with the wrong connection type
PacketFence v5.7.0
New Features
- DNS based enforcement as a new enforcement mode for routed networks
- Captive portal authentication now supports SAML authentication
- It is now possible to search for nodes that are online based on RADIUS accounting
- Integration with Suricata MD5 extraction module to scan against OPSWAT MetaScan online scanner
Enhancements
- Support for floating devices on HP Procurve switches
- RADIUS CoA support added to Brocade switches
- The NULL authorization source can now be combined with other sources
- Added possibility to trigger Firewall Single Sign-On when an endpoint changes status
- The username on a captive portal will no longer be stripped unless required otherwise
- Improved UDP reflector documentation
- Improved vendor specific attributes in radius filters
- Now able to specify on which LDAP attribute we should match for SponsorEmail
- Now able to strip a username in LDAP source even if not present in RADIUS request
Bug Fixes
- Fixed incorrect provisioning that ignored broadcast state of provisioned SSID
- Present a login page without login form when a blackhole source is used on the portal profile ([#1021](https://github.com/inverse-inc/packetfence/issues/1021))
- Fixed incorrect provisioning templates that required entering a password twice (#1119)
- Fixed ambiguous SQL accounting stored procedure that could return duplicate results
- Fixes incorrect IPv6 DHCP processing in pfdhcplistener
PacketFence v5.6.1
Enhancements
- pfcmd will now validate the violation configuration in checkup
- pfdns cached entries will now expire after 24 hours
Bug Fixes (bug Id is denoted with #id)
- Fix duplicate open entries in locationlog for voip devices
- Avoid circular dependency when loading pf::Authentication::Source::StripeSource (#1160)
- Fix incorrect Cisco switch ACL number
- Removed use of pf::class modules which caused compilation errors
- Fixed an incorrect reload of the cached configuration (#1157)
PacketFence v5.6.0
New Features
- New RADIUS auditing report allows troubleshooting from the GUI
- The email authorization source now allows setting roles based on the email used to register
- New switch groups now allow assigning settings to multiple switches at once
- DHCP filters now allow arbitrary rules to perform actions based on DHCP fingerprinting
- Cisco switches login access can now be authenticated through PacketFence
- The filter engine configuration can now be edited through the admin GUI
Enhancements
- New dedicated search feature for violations in the nodes panel
- New pfcmd pfqueue command allows managing the queue from the command line
- New option to specify the authentication source to use depending on the RADIUS realm
- Upgrade Config::IniFiles to allow faster loading of configuration files
- Performance improvements to the filtering engine by avoiding unnecessary database lookups
- New columns bypass_vlan and bypass_role can now be imported for nodes
- Service start/stop order can now be configured through the admin GUI
- Pagination can now be defined by the user in the admin GUI search results
- The pfdns service now forks to process multiple requests in parallel
- Added configurable timeout for send/receive operations on the OMAPI socket
- The authorization process will now test if the role changed before reevaluating access
- New option to add date based VLAN filter condition (is before date, is after date)
- pfconfig backend can now be cleared via pfcmd
- Improved RADIUS accounting handling for better performance
Bug Fixes (bug Id is denoted with #id)
- Remove old entries in ipset session
- Always reevaluate the access if the order comes from the admin GUI (#1056)
- Portal profiles templates are now properly synced between members of a cluster (#942)
- Process requests properly when running a pfdhcplistener on an interface that has networks with and without dhcpd activated
- Violation trigger from web admin will now override grace period (#1028)
- Fix queue task counters out of sync when a task expires
- Reworked the configuration backends to prevent a race condition of the configuration namespaces in active/active cluster (#1067)
- Define each internal network to NAT instead of a global rule when passthroughs are enabled (#1118)
PacketFence v5.5.2
Enhancements
- pf::CHI::compute_with_undef now supports cache options
- Use the fingerbank cache instead of caching its result globally
- Update dependency to 2.1 for fingerbank
Bug Fixes (bug Id is denoted with #id)
- Completed renaming of trap to reevaluate_access in violations.conf.example
- Fixed deauthentication source IP not detected properly when no vip is assigned on the management interface (#1035)
- Use proper API client when triggering a violation within pf::fingerbank
PacketFence v5.5.1
Bug Fixes
- pfdns will now resolve its own domain correctly
- Fixed missing violation_view_top call in radius filter
- Fixed equals operator in LDAP rule
PacketFence v5.5.0
New Features
- New device detection through TCP fingerprinting
- New DHCPv6 fingerprinting through Fingerbank
- New RADIUS filter engine to return custom attributes based on rules
- Security Onion integration
- Paypal payment is now supported in the captive portal
- Stripe payment and subscriptions are now supported in the captive portal
Enhancements
- New pfqueue service based on Redis to manage asynchronous tasks
- Memcached has been replaced by Redis for all caching
- pfdetect can now be configured through the administration interface
- Added ability to detect hostname changes using the information in the DHCP packets
- Added the ability to create 'not equal' conditions in LDAP sources
- DoS mitigation on the captive portal through mod_evasive
- Load balancing in an active/active process now uses a dedicated process
- Authentication and accounting are now in two different RADIUS processes
- Reworked violation triggers creation in the administration interface so it's more user friendly
- Added the ability to create combined violation triggers, which allow triggering a violation based on multiple attributes of a node
- Suricata alerts can now trigger a violation based on the alert category or description instead of only the ID of the alert
- Added ability to e-mail device owner as a violation action
- The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurrently
- New ntlm_auth wrapper will log authentication latency to StatsD automatically
- Handle Microsoft Windows based captive-portal detection mechanisms
- Manage pfdhcplistener status with keepalived and run pfdhcplistener on all cluster's members
- New portal profile filter (sub connection type)
- Added switch IP and description in the available columns in the node list view
- Use SNMP to determine the ifindex based on the Nas-Port-Id
- Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA
- Added support for Nessus 6 scan engine
- Added documentation for the Cisco iOS XE switches
- Reworked existing billing providers to be PCI compliant
- Billing providers are now part of the authentication sources
- Billing tiers are now stored in the configuration instead of the source code files
- Billing sources can now be used with other authentication sources on the same portal profile
- DHCP packet processing is now fully done asynchronously to allow more PPS in the pfdhcplistener
Bug Fixes (bug Id is denoted with #id)
- Fixed log rotation issue with the carbon daemons
- Fixed LLDP phone detection if only telephone capability is enabled (#964)
- Fixed keepalived and iptables configuration for portal interfaces
- Fixed improper httpd status code being set
- Removed the node delete button
- Fixed detection if the device asks for a portal per URI
- Fixed 3Com switches ifIndex calculation in stack mode using SNMP
- Not-found users will now be cached when using the caching in an LDAP source (#978)
- Updating a node puts an invalid entry in the voip field