Releases: inverse-inc/packetfence

PacketFence v5.5.0

03 Dec 13:49
@cgx cgx

New Features

  • New device detection through TCP fingerprinting
  • New DHCPv6 fingerprinting through Fingerbank
  • New RADIUS filter engine to return custom attributes based on rules
  • Security Onion integration
  • PayPal payment is now supported in the captive portal
  • Stripe payment and subscriptions are now supported in the captive portal

Enhancements

  • New pfqueue service based on Redis to manage asynchronous tasks
  • Memcached has been replaced by Redis for all caching
  • pfdetect can now be configured through the administration interface
  • Added ability to detect hostname changes using the information in the DHCP packets
  • Added the ability to create 'not equal' conditions in LDAP sources
  • DoS mitigation on the captive portal through mod_evasive
  • Load balancing in an active/active process now uses a dedicated process
  • Authentication and accounting are now in two different RADIUS processes
  • Reworked violation triggers creation in the administration interface so it's more user friendly
  • Added the ability to create combined violation triggers, which allow a violation to be triggered based on multiple attributes of a node
  • Suricata alerts can now trigger a violation based on the alert category or description instead of only the ID of the alert
  • Added ability to e-mail device owner as a violation action
  • The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurrently
  • New ntlm_auth wrapper will log authentication latency to StatsD automatically
  • Handle Microsoft Windows based captive-portal detection mechanisms
  • Manage pfdhcplistener status with keepalived and run pfdhcplistener on all cluster members
  • New portal profile filter (sub connection type)
  • Added switch IP and description in the available columns in the node list view
  • Use SNMP to determine the ifindex based on the Nas-Port-Id
  • Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA
  • Added support for Nessus 6 scan engine
  • Added documentation for the Cisco IOS XE switches
  • Reworked existing billing providers to be PCI compliant
  • Billing providers are now part of the authentication sources
  • Billing tiers are now stored in the configuration instead of the source code files
  • Billing sources can now be used with other authentication sources on the same portal profile
  • DHCP packet processing is now fully done asynchronously to allow more PPS in the pfdhcplistener

Bug Fixes (bug Id is denoted with #id)

  • Fixed log rotation issue with the carbon daemons
  • Fixed LLDP phone detection if only telephone capability is enabled (#964)
  • Fixed keepalived and iptables configuration for portal interfaces
  • Fixed improper httpd status code being set
  • Removed the node delete button
  • Fixed detection if the device asks for a portal per URI
  • Fixed 3Com switches ifIndex calculation in stack mode using SNMP
  • Not-found users will now be cached when using the caching in an LDAP source (#978)
  • Updating a node puts an invalid entry in the voip field

PacketFence v5.4.0

01 Oct 20:20
@cgx cgx

New Features

  • PacketFence now supports SCEP integration with Microsoft's Network Enrollment Device Service during the device on-boarding process when using EAP-TLS
  • Improved integration with social media networks (email address lookups from GitHub and Facebook sources, kickbox.io support, etc.)
  • External HTTP authentication sources support which allows an HTTP-based external API to act as an authentication source to PacketFence
  • Introduced a 'packetfence_local' PKI provider to allow locally generated TLS certificates to be used in a PKI provider / provisioner flow
  • New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed
  • Added the ability to define custom LDAP attributes in the configuration
  • Added the ability to create rules for "administrative" or "authentication" purposes in authentication sources
  • Added support for Cisco SG300 switches

Enhancements

  • RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam
  • HAProxy TLS configuration has been restricted to modern ciphers
  • Improved error message in the profile management page
  • Allow precise error messages from the authentication source when providing invalid credentials on the captive portal
  • Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X
  • Added Kickbox.io authentication source which can allow a new Null type source with email validation
  • Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed
  • httpd.portal now serves static content directly (without going through Catalyst engine)
  • Introduction of a new configuration parameter (captive_portal.wispr_redirection) to allow enabling/disabling captive-portal WISPr redirection capabilities
  • File transfers through the webservices are now atomic to prevent corruption
  • New web API call to release all violations for a device
  • Added better error message propagation during a cluster synchronization
  • Added additional in-process caching for pfconfig proxied configuration
  • The server hostname is now displayed in the admin info box
  • Added a warning in the configurator when the user is configuring multiple interfaces in the same network
  • Added synchronization of the Fingerbank data in an active/active cluster
  • Client IP and MAC address are now available through direct variables in the captive portal templates
  • The IPlog can now be updated through RADIUS accounting
  • Devices in the registration VLAN may now be allowed to reach an Active Directory Server
  • Added an option to centralize deauthentication on the management node of an active/active cluster
  • Added the option to use only the management node as the DNS server in active/active clustering
  • Improved Ruckus ZoneDirector documentation regarding external captive portal
  • pfconfig daemon can now listen on an alternative unix socket
  • Improved handling of updating the /etc/sudoers file in packaging
  • Improved roles handling on AeroHive devices

Bug Fixes

  • Fix case where status page links would be pointing to the wrong protocol (HTTP vs HTTPS)
  • set_unreg_date and set_access_duration actions now have the same priority when matching rule and actions (#816)
  • Fixes the database query hanging in the captive portal
  • The person attributes lookup will now be made on the stripped username if needed (#888)
  • Active/active load balancing will now be dispatched based on the Calling-Station-Id attribute.
  • Fix inaccessible portal preview when no internal network is defined (#790)
  • Fixed a case where the wrong portal profile can be instantiated on the first connection
  • Improved error message in the profile management page (#858)
  • Do not use the PacketFence multi-domain FreeRADIUS module unless there are domains configured in PacketFence (#868)
  • Switches sending double Calling-Station-Id attributes are now handled gracefully (#864)
  • Prevent OMAPI from being configured on the DHCP server without a key (#851)
  • Switched to the memcached binary protocol to avoid memcached injection exploit
  • Fixed ipset error if the device switches from one inline network to another
  • Fixed wrong configuration parameters for redirect url (now a per-profile parameter)
  • Fix bug with validation of mandatory fields causing exceptions in signup
  • Made DHCP point DNS only on cluster IP if passthroughs are enabled in active/active clusters (#820)
  • Defined the maximum message size that SNMP get can return (fixes VOIP LLDP/CDP detection on switch stacks #738)

PacketFence v5.0.1

27 Apr 13:12
@cgx cgx

Enhancements

  • A number of strings have seen their translations improved.
  • The Debian and Ubuntu documentation has been split and made clearer.
  • Detailed which features may not work in active/active cluster mode in the documentation.

Bug Fixes

  • Added missing CHI File driver.
  • Delete left over Config::Fingerprint module in Debian and Ubuntu.
  • Fixed pfmon not starting when running a standalone PF server.
  • Fixed broken OS reporting.
  • Added missing dependency on perl-SOAP-Lite for packetfence-remote-snort-sensor.
  • Updating iplog without a lease time now resets end_time to default (0000-00-00 00:00:00) to avoid "closing" a valid entry
  • Fixed pfcmd watch emailing functionality.
  • dhcpd will now properly obey the "disabled" configuration.

PacketFence v5.0.0

27 Apr 13:11
@cgx cgx

New Features

  • New active/active clustering mode. This allows HTTP and RADIUS load balancing and improves availability.
  • Fingerbank integration for accurate device fingerprinting. It is now easier than ever to share device fingerprints.
  • Built-in support for StatsD. This allows fine grained performance monitoring and can be used to create a dashboard using Graphite.
  • Local database passwords are now encrypted using bcrypt by default on all new installations. The old plaintext mode is still supported for legacy installations and to allow migration to the new mode.
  • Devices can now have a "bypass role" that allows the administrator to manage them completely manually. This allows for exceptions to the authorization rules.
  • Support for ISC DHCP OMAPI queries. This allows PacketFence to dynamically query a dhcpd instance to establish IP to MAC mappings.

Enhancements

  • Completely rewritten pfcmd command. pfcmd is now much easier to extend and will allow us to integrate more features in the near future.
  • Rewritten IP/MAC mapping (iplog). Iplog should now never overflow.
  • New admin role action USERS_CREATE_MULTIPLE for finer grained control of the admin GUI. An administrative account can now be prevented from creating more than one other account.
  • PacketFence will no longer start MySQL when starting.
  • PacketFence will start even if there are no internal networks.
  • Added a new listening port to pfdhcplistener to listen for replicated traffic.
  • Added a 'default' default user to replace the admin one.
  • Adds support for HP ProCurve 2920 switches.
  • Iptables will now allow access to the captive portal from the production network by default.
  • Major documentation rewrite and improvements.

Bug Fixes

  • Fixed violations applying portal redirection when using web authentication on a Cisco WLC
  • Registration and Isolation VLAN ids can now be any string allowed by the RFCs.
  • Devices can no longer remain in "pending" state indefinitely.

PacketFence v4.7.0

09 Mar 13:21
@cgx cgx

New Features

  • The admin GUI is now customizable.
  • New category filter on portal profile allows selecting a portal based on the existing role of a device.
  • New PacketFence-config service allows effortless scaling to thousands of switches and reduces memory use.

Enhancements

  • Nodes are now searchable by status
  • Removed SSLv3 and legacy cipher suites support from default httpd configuration to prevent POODLE exploit and FREAK attack.
  • Added an option to display Bypass VLAN of a node in the Admin GUI.
  • Added nested groups support for Active Directory.
  • It is now possible to check if a device has already authenticated as member of an Active-Directory domain prior to user authentication.
  • Improved portal language detection.
  • Devices will now avoid autocorrect / uppercasing the login field in the captive portal.
  • Now supports roaming without SNMP on Aerohive APs.

Bug Fixes

  • Fixed broken default behaviour when receiving an SNMP trap.
  • Fixed email confirmation template for sponsor.
  • Fixed email subject encoding.
  • Fixed an issue that allowed a non-sponsored user to verify a sponsored email address.
  • Fixed invalid floating device creation where the MAC address was not normalized.
  • Fixed the date range search in node advanced search.

PacketFence v4.5.0

24 Oct 18:49

New Features

  • Added provisioning support for Symantec SEPM, MobileIron and OPSWAT
  • pfmon can now run tasks on different intervals
  • Added a way to reevaluate the access of a node from the admin interface
  • Added a "Blackhole" authentication source
  • Added a new violation to enforce provisioning of agents
  • Violation can now be delayed
  • Added portal profile filter based on switch-port couple

Enhancements

  • Cache the ipset rule update to avoid unnecessary calls to ipset
  • Dynamically load violations and nodes for a user for display in admin gui
  • Dynamically load violations for a node for display in admin gui
  • Ensure only one pfmon is running at a time

Bug Fixes

  • Fix issue with userMiscellaneous and userCustomFields not showing if user does not have NODES_READ privilege
  • Fix MAC detection from IP on the Catalyst portal when using web authentication on the WLC controller.
  • Fix timestamp resolution not catching sub second changes in file in cache layer
  • Fixed handling of expiration time on the captive portal's status page

PacketFence v4.4.0

11 Sep 12:35
@cgx cgx

New Features

  • Added the possibility to search by computer name on the nodes page
  • Added support for the Anyfi WiFi controller
  • Show portal profiles directly on the admin gui
  • Added local account authentication for EAP
  • Added support for unreg date with dynamic year
  • Added support for NetGear FSM7328S switches
  • Added new network profile filter
  • Added external captive portal support for AeroHIVE
  • Added external captive portal support for Xirrus
  • Added support for Dynamic Access lists on the Cisco Catalyst 2960
  • Added the ability to search switches
  • Added support for Dlink DES3028 switches
  • Added reuse 802.1x credential on the portal profile
  • Added support for Mikrotik access point
  • Added ability to create local accounts when registering with external authentication sources.

Enhancements

  • Added support to configure either NATting or routed mode for inline layer 2 interfaces from the GUI
  • Added informational messages in the GUI for inline interfaces
  • Improvement of Inline Layer 3 (Inline L3 can only be defined behind Inline Layer 2 network)
  • pfbandwidthd is now able to capture on all inline interfaces
  • Added an option to set the timeout value for LDAP connections in authentication sources
  • FreeRADIUS default configuration should now be more scalable and resilient to misbehaving devices
  • Added the possibility to create rules using the username in OAuth authentication sources
  • Added the RADIUS request to the vlan filter
  • Moved from using Storable to Sereal to serialize cached data
  • Refactored portal profile filters to make it easier to extend
  • Improved support for Dlink DES 3526 switches
  • Rewrote log format [] for device mac () for switch "" for userID
  • Improve error handling of web api
  • Raised ServerLimit on apache httpd.portal, Lowered httpd.portal Timeout and KeepAliveTimeout to improve responsiveness under load.
  • Do not overlay the controllerIp if one is already defined when creating a switch
  • Verify the user roles level before creating a user via the admin gui
  • Added a test for iplogs not closed in pftest
  • Removed direct usage of Apache2 modules in captive portal

Bug Fixes

  • Fix issue when adding multiple portal profile filters causing the wrong type to be picked
  • Fix issue when a trap is received for a switch that does not implement parseTrap()
  • Fix issue when a role is changed in the administration interface and the node's access is not reevaluated
  • Fix issue when a passthrough cannot be resolved and would generate an invalid DNS response
  • Fix missing files in logrotate file
  • Fix issue when setting a port in trunk on a Cisco Catalyst 3560, 3750 and 3750G would fail
  • Fix admin roles for bulk actions for nodes/users
  • Fix issue where person was not updated in the database because of a case (non) match.
  • Fix send user password by email from the GUI
  • Fix backward compatibility issue for gaming-registration that should redirect to device-registration
  • Fix device-registration and status pages that were not accessible in inline mode when doing high-availability
  • Fix filetype of wireless-profile.mobileconfig not being set properly
  • Fix issue of iplog entries not being closed

PacketFence v4.2.2

29 May 18:17
@cgx cgx
packetfence-4.2.2

Enhancements

  • Rework logging to make it easier to follow the flow of registration
  • Allow users to log in to see node in status page
  • pf-maint script uses new branch structure

Bug Fixes

  • Remove double saving of iptables
  • Do a configreload hard only during a pf restart, not every time you restart
  • Fixed undefined function and HP Controller module
  • Fixed a test in pfsetvlan
  • Allow old gaming-registration URL to work
  • If node is not found in the database then use the default profile
  • Fixed logging in dispatcher
  • Fixed deletion of a user failing
  • Compute unregdate and save the role for autoreg 802.1x
  • Fixed portal profile URI filter in new Catalyst-based captive-portal
  • RADIUS accounting fixed to call the correct method to parse the RADIUS request

PacketFence v4.2.1

16 May 17:47
@cgx cgx
packetfence-4.2.1

Enhancements

  • No longer need to repopulate password when updating an LDAP authentication source
  • Added check for profile directory existence
  • Added the ability to log in from the status page

Bug Fixes

  • Added missing node manager URL from dispatcher
  • Fixed URL redirection on captive portal
  • Fixed wrong templates for device registration
  • Removed a breaking dependency (#1793)
  • Fixed exception on device registration page (#1794)
  • Fixed syntax error in SQL upgrade script (#1795)
  • deauthenticateMac was not respecting inheritance
  • STDERR & STDOUT from external command now redirected to /dev/null

PacketFence v4.2.0

06 May 19:25
@cgx cgx
packetfence-4.2.0

New Features

  • New 'Apply violation' bulk action
  • The same bulk actions for nodes are now available for users
  • New WRIX data management
  • Added PacketFence provisioning agent for Android
  • Support Hotspot for Cisco WLC and Aruba IAP
  • Support for Huawei AC6605 wireless controller
  • Support for Enterasys V2110 wireless controller
  • Support for Juniper EX2200 and EX4200 switches
  • Inline layer 3 support
  • New pfbandwidthd daemon for inline layer 3 accounting
  • New violation type based on time usage from RADIUS accounting information
  • New violation type based on bandwidth usage from pfbandwidthd information
  • New Mirapay online payment as a billing option
  • Billing tiers can now be defined with a real usage duration (instead of simply a timeout)
  • Billing: A confirmation email is sent when purchasing a tier
  • New status page with options to extend the network access (when billing is enabled with access duration) and to unregister any node associated to the current user
  • Integration of mod_qos in the Apache configuration of the captive portal
  • New pfcmd "cache" command
  • New pfcmd "configreload" command

Enhancements

  • Mandatory fields during registration are now configured per portal profile
  • Expanded fields for person field
  • Allow pfcmd error/warning/success messages colors to be configurable
  • Allow rules on username for null authentication sources
  • Landing page of Web admin interface now depends on the user's access rights
  • Reevaluate access when changing the role of multiple nodes (#1757)
  • Each portal profile can now use its own set of locales
  • Added a new URI filter for portal profiles
  • Switches configuration page is now paginated
  • LLDP support for 3Com 4000 Series
  • Multiple DNS server in the network configuration
  • Allow alias interface as captive portal
  • MAC Authentication support for Enterasys D2 switch
  • Added support for JSON-RPC and msgpack RPC over HTTP for webservices
  • Made msgpack the default RPC for RADIUS
  • Improved performance of webservices by preloading Perl modules
  • Regexp filter for LDAP source is now case-insensitive
  • Improved maintenance database script
  • Preserve and restore the URL fragment when the web session expires in Web admin (#1780)
  • Logging is now separated and configurable for each service
  • Added missing 'redirect_url' parameter when editing a violation in the Web admin
  • Complete rewrite of captive portal as a Catalyst application
  • Added a section documenting eduroam support to the Admin guide
  • Controller IP address can be determined dynamically
  • Added a file backing for the cache to decrease cache misses
  • Allow advanced search of nodes by OS type (#1790)
  • The PF RPC client can be configured in the conf/radiusd/radiusd.conf
  • Added PacketFence RADIUS dictionary

Bug Fixes

  • Fixed retrieval of ifIndex in Cisco Catalyst 2950 module
  • Fixed Snort and Suricata services management
  • Fixed issue when saving a users search in Web admin
  • Fixed JavaScript error with IE8 on Web admin users page
  • Fixed Web admin access restrictions for users and nodes creation
  • Fixed SQL query of connection types report in Web admin
  • Fixed blank page with WISPr on OS X
  • Fixed nodes simple search by IP address
  • Fixed access reevaluation when changing the status of a pending node
  • Fixed network access for users with no "set role" action (#1778)
  • Fixed conversion of wildcards to regular expressions in domains passthroughs
  • Fixed display of last IP address of nodes when end_time is in the future
  • Fixed XSS issues in Web admin
  • Fixed extractSsid for Cisco Aironet and Cisco Aironet WDS