Releases: inverse-inc/packetfence

v8.3.0

09 Jan 18:31

New Features

  • Added support for Juniper EX2300 (JUNOS 18.2) switches
  • Clickatell authentication source support
  • Added a random algorithm for VLAN pooling
  • Added the ability to reserve IP addresses in pfdhcp
  • Added a way to trigger a violation when device profiling detects a change in the device class
  • New SSL Inspection portal module
  • RADIUS proxy integration from web admin interface
  • RADIUS filtering support for pre_proxy/post_proxy/preacct/accounting/authorize phases
  • Updated the Windows provisioning agent to the new Golang based version

Enhancements

  • Redis now only listens on localhost (#3729)
  • Deprecate usage of roaring bitmap for the DHCP IP pool (#3779)
  • Email and SponsorEmail sources can have banned and allowed email domains (#3807)
  • Improved startup time of pfdhcp
  • Removed OPSWAT Metadefender Cloud support
  • Choose the password hashing algorithm when creating a local user from a source
  • Define the length of the password to generate when creating a local user from a source
  • New "dummy" source just to compute the rules

Bug Fixes

  • Logs permissions and configuration for Debian (#3780)
  • Fixed missing cache directory for NTLM auth cache (#3788)
  • Fixed working directory of NTLM auth cache sync script (#3777)
  • Handled multiple LDAP hosts properly in NTLM auth cache (#3776)
  • Issue with the DHCP server that sometimes gives a duplicate IP address
  • Adjusted CentOS and RHEL dependencies
  • Fixed MAC filtered lookups that were cached in pfdns (#3785)
  • Fixed the OpenVAS integration to work with OpenVAS Manager 7.0 (OpenVAS 9)
  • Fixed encoding of files created in the administration interface (force them to UTF-8)

v8.2.1

07 Dec 13:41

Enhancements

  • Allow for SMS PIN codes to be reused (#3436)

Bug Fixes

  • Adjusted ports for Active Directory passthroughs (#3769)
  • Improved performance of nodes tab in the admin interface (#3721)
  • Fixed Google Project Fi missing from the official schema
  • Various fixes for broken NTLM cache job
  • Fixed issues with realms after a restart of pfconfig (#3797)
  • Fixed issue with pfdhcp leaking file descriptors
  • Fixed issue with captive portal requesting an artifact from the SAML server
  • Fixed duplicate IP addresses given by pfdhcp
  • Added new expected parameter for the redirect URL when performing web-auth with a Cisco WLC
  • Fixed SEPM provisioner token refresh

v8.2.0

07 Nov 18:30

New Features

  • Added support for clusters with servers located in multiple layer 3 networks (PR #3656)
  • Permit incoming Eduroam TLRS RADIUS requests (PR #3399)
  • pfconfig is tenant aware (PR #3385)
  • Realms are tenant scoped (PR #3385)
  • Added Mojo web authentication support (PR #3604)
  • New authentication source Password of the Day (PR #3285)
  • Added SMTP test function in Alerting (PR #3642)
  • Juniper SRX Firewall SSO module (PR #2842)

Enhancements

  • Now supports CoA on Meraki switches
  • jsonrpc requests send the current tenant_id (#3271)
  • Take the tenant id into consideration in the queue (#3269)
  • Performed various improvements to the maintenance script (PR #3445)
  • Increased maximum node bandwidth balance from 4 GB to 18.4467441 XB (exabytes) (#3477) (PR #3493)
  • Improve connection profile's advanced filter
  • Use MySQL as backend for pfdhcp options (deprecates etcd) (PR #3484)
  • Reorder iptables rules (PR #3463)
  • Better error handling for pfdetect.conf (PR #3607)
  • HAProxy stats files are now located in var/run/ with explicit filenames (PR #3645)
  • pfdns now uses the PacketFence standard Golang logging library (PR #3638)
  • Added VOIP and Downloadable ACLs support to Aruba 5400 switch module (PR #3372)
  • Switch filters can now be used to override the switch module that is instantiated during a RADIUS connection (PR #3583)
  • WIRED_MAC_AUTH and Ethernet-NoEAP merged (#3069) (PR #3261)

Bug Fixes

  • Backslash in usernames in Reports section is shown as "=5C" (#3508) (PR #3510)
  • Multiple bug fixes to the pfdhcp service (PR #3571)
  • Domain join log entries contain clear-text credentials (#3448)
  • Fixed false positive dhcp rogue detection (PR #3514)
  • Sponsor Email subject and body are i18n in the same language (#3670)
  • pfstats hammers pfdhcp and the API frontend with requests (#3634)
  • Can't download SAML metadata in the admin (#3720)

v8.1.0

09 Jul 20:20

New Features

  • Added support for dynamic PSK (Cisco IPSK) for the Cisco WLC and hostapd (PR #3244)
  • Added Ubiquiti Unifi web authentication and 802.1X support
  • Added support for Cambium AP module for 802.1X, MAC and web authentication (PR #3282)
  • Change root portal module on failure/success
  • Save already entered field on the portal (chain auth)
  • Custom message for SMS registration
  • Expire SMS pin code
  • Define the length of the pin code
  • Enable or disable sponsor authentication when he validates access (PR #2995)

Enhancements

  • Allow connection profiles to be enabled/disabled (PR #3175)
  • Add new portal module action that wraps the default actions a module would normally execute (fixes #3231)
  • Improved startup time of PacketFence (PR #3213)
  • Fix local/reject realm for eduroam in standalone configuration (PR #3264)
  • Allow subsecond timeouts for LDAP connections
  • Allow randomization of the search order for a list of LDAP servers
  • IP exclusion is now possible in the DHCP server
  • Allow max node per role when doing autoregistration
  • Moved unregister on accounting stop parameter on the connection profile
  • VLAN filters can be set to ${node_info.category} and it will return the current category of the device
  • The database load-balancer now listens on the cluster management IP address
  • Allow updating switches while importing them via CSV

Bug Fixes

  • Netdata never ending restarts after a reboot (#3287)
  • Systemd PID file causes issues when there is a stale PID file (#3291)
  • Fixes when an LDAP authentication source contains multiple IP addresses (#3234)
  • Added missing DHCP Statistics for routed networks on the dashboard (#3128)

v8.0.1

09 May 18:42

Enhancements

  • Update the computername (hostname) of a node using the Fingerbank Collector data
  • Detect uplinks based on CDP flag instead of a string
  • Put etcd in its own directory

Bug Fixes

  • Fixed issue with device profiling not being performed when an endpoint connects for the first time
  • Fixed missing timeout when performing RADIUS SSO (FortiGate, CheckPoint, WatchGuard)
  • Fixed issue with API frontend when initially configuring the webservices username and password
  • packetfence-haproxy-portal and packetfence-tc systemd service in a wrong target
  • Custom routing with inline enforcement fails silently (#3215)
  • Nessus 6 scanner
  • haproxy-db only listens on IPv6 interface (Debian) (#3208)
  • Fixed packetfence-local-auth
  • Fixed DNS passthrough for normal domains (was considered as a wildcard)
  • Winbind fails to start because of a permission issue on /var/run/samba/winbindd in the chroots
  • Update from 7.4 to 8.0 audit log file not there (#3216)
  • Fixed unreg on RADIUS accounting stop (#3220)
  • Allow nodes without roles to be modified when restricting allowed role (#3217)
  • Fixed speed issues with node search in the admin
  • Fixed missing timeout for RADIUS sources tests in pfstats

v8.0.0

26 Apr 18:56
@cgx cgx

New Features

  • Replaced the ISC DHCP server with a new Golang-based DHCP server (PR #2911)
  • Now supporting inline enforcement in active/active clusters (PR #2911)
  • Replaced pfdns with a new Golang-based DNS server (PR #2911)
  • Allow an inline network to be split by the roles in PacketFence, so that specific devices can be put in a distinct broadcast network (PR #2911)
  • DNS routing (PR #2911)
  • Dashboard metrics are now based on Netdata (PR #2935)
  • Traffic shaping support for inline enforcement (PR #2803)
  • Added a configuration parameter to allow unregistering a device on an accounting stop (PR #2685)
  • Added CLI support on Aruba 5400 switches (PR #2965)
  • Username stripping (removing the realm) is now configurable via the realms instead of the sources
  • PacketFence integration with JAMF API for Apple computers and mobile devices management (PR #2797)
  • Added an HTTP JSON API

Enhancements

  • Distribute pfdhcplistener tasks among cluster members (PR #2887) (#2858)
  • Removed pfsetvlan
  • Now allowing to use the RADIUS accounting cache when in cluster mode

Bug Fixes

  • Guest Portal validate_phone_number check does not work (#2783)
  • A management user can override an account that was not created by him (#2883)

v7.4.0

25 Jan 18:33

New Features

  • New database access layer (DAL) for upcoming multi-tenancy support
  • New portal module to permanently set roles (PR #2490)
  • Added portal module for selecting a role for the device being registered on the portal (PR #2471)
  • Added support for Allied Telesis GS950 switches (PR #1866)
  • Added ability to update the firewall SSO on RADIUS accounting packets (PR #2662)
  • Added a way to define a VLAN by role as a VLAN pool using a VLAN range (PR #2675)

Enhancements

  • Added cloning capability in connection profiles (PR #2814) (#2809)
  • Read and write timeouts for LDAP connections can now be set (#2613) (PR #2614)
  • Keepalived can be configured to detect its peers via unicast instead of multicast (PR #2794)
  • Suggest violation identifier when adding a new violation (#2804) (PR #2807)
  • Create a priority queue
  • Move ReAssignVlan and desAssociate API calls to the priority queue
  • Added connection profile SSID filter suggestions based on all the previous SSIDs that have been seen in the locationlog (#2758) (PR #2771)
  • Added a description to the switches in the nodes side navigation (#2791) (PR #2795)
  • Improved configuration of the captive portal timer bar (via the captive_portal section of pf.conf) (#383) (PR #2762)
  • (AD Powershell scripts) Enforce use of TLS in the powershell scripts, which is required with the latest versions of PacketFence (PR #2788)
  • (AD Powershell scripts) Cycle through all the possible Active Directory username formats in PacketFence (PR #2788)
  • Removed old authentication code sources (#2610)
  • Added rule description in listing (#2619)
  • Improved documentation (PR #2774) (#2773)
  • Set a timeout for database queries for the admin to avoid long running queries slowing the system (#2630) (PR #2659)
  • Documentation improvement about MySQL advanced parameters (#266)
  • Enhanced localization support in violation module (PR #2759)
  • Improved the haproxy HTTP process monitoring
  • Improved cluster maintenance script to perform necessary system changes to have the node in maintenance

Bug Fixes

  • Moved add and delete buttons to the left to avoid them being cut off (#2678)
  • Fixed "Admin: Multiple 'Device Type' options in Nodes tab" (#2789) (PR #2793)
  • Configurator: when using a different database name, the fingerbank.conf MySQL section is not updated (#2665) (PR #2787)
  • rlm_perl modules are now using syslog instead of writing directly to the file (PR #2609)
  • Prevent a valid PID from being overwritten at the end of the portal registration if the new PID is default (#2825)
  • Auth log is not set to completed after email registration (#2648) (PR #2649)
  • Fixed redirects when previewing profiles that use OAuth source (#2882) (PR #2908)

v7.3.0

25 Sep 18:18

New Features

  • Added a RADIUS only mode to PacketFence.
  • Add a cluster wide view of pfqueue statistics (#2195) (PR #2573)
  • Added the possibility of importing switches from a CSV file. (PR #2480)

Enhancements

  • The GUI will now display the VLAN in the locationlog view
  • The timezone is now a selectable item to prevent invalid input
  • Updated ACE text editor to version 1.2.8
  • Search forms for nodes and users can now be reset (PR #2555)
  • Configuration files can now be saved in readonly mode except violation, switches, role (#2464) (PR #2566)
  • Extended descriptions are now supported in the custom reports
  • Mail can now be sent using SSL and StartTLS (PR #2446)
  • Self signed certificate errors for nessus 6 can now be ignored (PR #2568)
  • Violations can now be triggered by nessus 6 scanner (PR #2568)
  • The device registration page now supports connection profiles like any other portal
  • The username sent in firewall SSO now supports a configurable format (PR #2499)
  • PacketFence will now monitor TLS certificates expiration and alert if they are expired (PR #2444)
  • LDAP source caching is now caching the rule match rather than the whole source match (PR #2560)
  • The admin GUI startup time has been decreased (#2545)
  • New and improved documentation for Debian clustering
  • Show DHCP Option82 data in the node view (#2396)
  • Custom reports columns representing a node or a user can now be configured to be clickable for details on the object in question (PR #2508)
  • New Fortigate 50E 802.1x support
  • The computer authentication username can now be normalized when using EAP-TLS (PR #2414)
  • Added a task count jitter to reduce the chance that pfqueue workers exit at the same time
  • Experimental support for Content Security Policy (CSP) has been added, but is disabled by default (PR #2336)
  • A violation can now redirect to a URL specified in a template (PR #2400)

Bug Fixes

  • The syslog parser has moved from Compliance to Integration in the GUI (#2467)
  • pfsso now logs in packetfence.log (#2553) (PR #2557)
  • httpd.dispatcher now logs in httpd.dispatcher.log (PR #2557)
  • Fixed incorrect inline sub type detection
  • Fixed ipset update with the incorrect ip address
  • Fixed missing confirm prompt when restarting all services via the admin interface (#2365) (PR #2571)
  • Fixed violation definition sync when removing a violation from the config
  • Fixed incorrect Connection-Type when using EAP-TTLS (#2582)
  • Fixed VOIP logic to reduce the chance of duplicate locationlog entries (#2527)
  • Fixed SNMP connection issues on Extricom controllers
  • Fixes segfaults when logging in multithreaded environments (#2603)
  • reuseDot1x: Changed the way authentication sources are matched with realms regarding a security concern (#2536)
  • Trust the wsrep_ready flag of MariaDB Galera cluster for read only detection as putting the DB in read-only can result in occasional de-synchronization between members. (#2593) (PR #2594)
  • Run the configreload as the pf user when done through pfcmd (PR #2510)
  • Run the 6.0+ upgrade scripts as the pf user to prevent permissions issues after running them (PR #2509)
  • Fixed incorrect NULL realm use when authenticating to the admin GUI (#2529)
  • Enforced use of the system time instead of browser time when using preset time values (#2559)
  • Logging into the status page when reuse dot1x is enabled is no longer broken (#2542) (PR #2598)

v7.2.0

11 Jul 17:10

New Features

  • Added support for authenticating users through OpenID Connect (PR #2394)
  • Added passthroughs for devices in violation state (isolation network) (PR #2328)
  • Added ability to report a device lost or stolen in self-service portal (PR #2337)
  • Added ability to change a local account password in self-service portal (PR #2337)
  • Improved overall user experience of self-service portal (PR #2337)

Enhancements

  • Use the attributes returned by a radius use source as attributes to compute the rules (PR #2369)
  • Most services now support systemd sd_notify notifications.
  • The GUI will now only display readonly actions in readonly mode (PR #2384)
  • Journald total file size is now capped at 1Gb (PR #2389)
  • The GUI will now allow sources to be cloned (PR #2395)
  • The GUI now visually splits Administration and Authentication rules when viewing sources (PR #2395)
  • The GUI now has the ability to run "fixpermissions" from the web admin GUI (PR #2398)
  • haproxy captive portal rate-limiting is now configurable (PR #2422)
  • winbindd will now use the regular samba mechanisms to locate and select DCs (PR #2410)
  • New pfcmd command pfcmd pfqueue clear_expired_counters to clear the expired task counters (PR #2433)
  • Allow to disable the captive portal haproxy abuse access lists (#2418)

Bug Fixes

  • Added a cleanup of the number in the SMS source (#1966)
  • TLS certificates and keys will no longer be overwritten (#2366)
  • Limit the number of tasks a worker processes to prevent memory from growing
  • Fixed a case where the REJECT role isn’t honored in inline and some web-auth (#2383)
  • Sponsor authentication CC address is now BCC to help preserve privacy (#2267)
  • Use plain HTTP for network access detection page (#2393)
  • Fixed an issue where DHCP broadcasts were treated more than once in clustered mode (PR #2413) (#2408)
  • Fixed incorrect user login remaining count display (#2450)
  • Fixed a case where pfqueue counters show a count of 0 although queue is full (#2420)
  • node_discovered is no longer triggered when node hasn’t been created in DB (#2436)
  • Detect date was not being populated when nodes were discovered via radius (#2424)
  • Fixed leftover httpd processes when restarting (#2439)
  • Mariadb binary logs files are now properly rotated (#2440)
  • Fixed scss settings and colors being wiped on each upgrade (#2317)

v7.1.0

01 Jun 18:56

New Features

  • Added support for web authentication (external captive-portal) on Ubiquiti Unifi Controller
  • New Firewall/SSO (JSON-RPC) for communicating with custom firewalls (PR #2320)
  • VoIP detection: LLDP lookup enhancement (#2227) (PR #2316)

Enhancements

  • Add a button to access status from device registration and the other way around (PR #2259)
  • Added the ability to specify multiple DNS server(s) for domain join configuration (PR #2223)
  • Allow to force a predefined sponsor during sponsor authentication (PR #2150)
  • Updated pfdns default filters (PR #2165)
  • Added brand icons to authentication sources (e.g. Twitter, PayPal, etc.) in the administration interface (PR #2287)
  • Allow pfqueue workers to perform work across multiple queues (PR #2260)
  • Added a way to set time and bandwidth balance in action rule (requires accounting to work) (PR #1936)
  • Don’t display the mobileprovider field when doing SMS authentication with only one carrier enabled (PR #2322)
  • Added new reports in the administration interface (PR #2313)
  • Apache based services now support systemd sd_notify (PR #2351)

Bug Fixes

  • Dashboard metrics are now fetched over https (#2272)
  • Renamed Ubiquity to Ubiquiti (PR #2293)
  • Set up variable GOPATH correctly while setting up developer environment for go (PR #2319)
  • Fix too large scoping of authentication sources (#2338)
  • Prevent usage of a Null source in the device registration page (#1784)
  • Fixes duplicate nodes displaying when there are multiple locationlog entries (#1848)
  • Fixed an issue with the Instagram OAuth2 source, where the scope has been modified on the API
  • Fixed an issue where the logging configuration was ignored for httpd.aaaa and httpd.webservices (#2350)