Project homepage: https://packetfence.org/
Please report bugs to: https://github.com/inverse-inc/packetfence/issues
Interested in contributing to the project? https://packetfence.org/support/community.html
This is a list of noteworthy changes across releases. For more details and developer visible changes see the ChangeLog file. For a list of compatibility related changes see the Upgrade Guide.
-
Upgrade to FreeRADIUS 3.2.6 (#8290)
-
NTLM Auth multi-threaded machine-accounts (#8335)
-
OS based Cisco Switch Modules (#8365)
-
Secrets encrypted at rest (#8406)
-
Use proxysql packages in the docker image instead of compilling from the sources (#8267)
-
Move SSO options to Firewall SSO from Advanced (#8303)
-
PKI - Multiple certificate with same Common Name (#8310)
-
Improved Ruckus Unbound DPSK (#8315)
-
Improved Docker images (#8337)
-
Support for case-insensitive LDAP Explorer attributes (#8366) @E-ThanG
-
Custom taggable LDAP Explorer attributes (e6435e8)
-
Performance improvements on pfacct (#8369)
-
Added Aruba-MPSK-password attribute (#6957)
-
Reduce time to flush the RADIUS log (#8397)
-
Improve DPSK (#8356)
-
Improve Mikrotik Disconnect (#8418)
-
Select the first device that matches MFA (#8400)
-
Improve pfdhcp DB connection (#8419)
-
Track TLS certificate attributes per node (#8416)
-
Kafka UI Config (#8421)
-
Netdata Upgrade (#8399)
-
Don’t generate all the time a mac address when using the GenericVPN switch module (#8270)
-
Add missing parameters for authentication rule match (#8306)
-
Fixed the dynamic role assignment issue for Aruba switch modules (#8331)
-
Show only registered nodes on status page (#8382)
-
Fixed pfperl-api restart (#8391)
-
Fixed deauthOnPrevious with webauth (#7319)
-
Fixed IP resolution on LDAP SSL verification (#6808)
-
Fixed NAS-Port to ifIndex on Comware v7 switches (#8062) @bmp96
-
Fix Debian sudoers (#7908) @andrew-grasso
-
Fix Clickatell Messages (#7623)
-
Firewall SSO clustering load-balancing (#8207)
-
Domains clustering high-availability (#8205)
-
Update Caddy (#8210)
-
VoIP support in Aruba CX (#8260)
-
Add filtering and actions to Provisioning (#8033)
-
Add Remote MySQL Database Support (#8038)
-
Add logic for processing pfflows in pfcron (#8049)
-
Add JAMF Cloud support (#8060)
-
ProxySQL updated to 2.6.0 (#8058)
-
Adapted the LDAP search filter in FreeRADIUS to do the sAMAccountName lookup (#8000)
-
Moved Extreme switches to OS-based modules (#8010)
-
Moved Juniper switches to OS-based modules (#8011)
-
Moved Meraki switches to OS-based modules (#8018)
-
Removed outdated Cisco Catalyst switch modules (#8027)
-
Support for FQDN switch id (#8022)
-
Cisco 9800 documentation (#8009)
-
Added NT Key Cache for NTLM-Auth-API (#8044)
-
Fixes error message in portal on non HASH variable for DPSK (#8068)
-
Send username, ip and role to PaloAlto Firewall SSO payload (#8089)
-
Restore original config file if patch is failing (#8072)
-
Fix Cisco::Cisco_IOS_12_x NAS-Port-Type=Async (#7924)
-
Fix Captive Portal on Fortigate Switches (#7436)
-
New NTLM authentication service (no more domain joins, Cloud-ready)
-
Added ACL precreation for individual and all switches (#7936)
-
Integrated Apache Kafka for flows reporting
-
Rewrote pfqueue in Go language
-
RADIUS proxy configuration documentation and examples
-
Node import supports IPv4 address (#7808)
-
Added TCP flags parameter from role configuration in ACL for Cisco
-
Added documentation for Azure AD EAP-TLS machine authentication
-
Reuse the websocket buffer to reduce memory usage.
-
Force mechanism LOGIN PLAIN for SMTP (#7813)
-
Use the same timezone in all Docker images (#7862)
-
Integrated Fingerbank Perl client into PacketFence’s source code
-
Added many PKI improvements (generate CSR from CA, SCEP server proxy and resign certificate)
-
Moved Aruba, Fortinet and HP switches to OS-based modules
-
Encode in base64 the RADIUS request and store it in Redis (#7853)
-
Improve error handling if the calling station cannot be parsed in pfacct (#7871)
-
Add MariaDB to the OOM list
-
Docker needs a specific configuration to pull images behind a proxy (#7946)
-
Fix the password of the day password generation (#7862)
-
Add back missing thread support in radiusd (#7963)
-
ACL pre-creation support for wired and WiFi equipment
-
Redis-based queueing to improve geo-distributed deployments
-
End-to-end testing framework to UI for CI/CD pipelines (#7350)
-
LDAP explorer allows LDAP search (#7634 and #7683, @VakarisZ)
-
Refactored all Cisco modules to now use OS versions instead of model names
-
Be informed (through security event) when a device pops up into a VLAN or a subnet that shouldn’t be there (#7529)
-
Upgraded coredns libraries (#7197)
-
Added Palo Alto switch module to manage web admin login using RADIUS (#7643)
-
Removed WMI (#7649)
-
Allow to call a custom script from pfupdate to handle VIP in cloud environments (#7654)
-
Removed IBM provisioner (#7686)
-
Removed ServiceNow provisioner (#7699)
-
Removed Symantec Provisioner (#7700)
-
Removed OPSWAT Provisioner (#7716)
-
Removed httpd.proxy service (#7668)
-
Removed unused service httpd.collector (#7667)
-
Removed Traffic Shaping (#7666)
-
Optimized pfdhcp (#7710)
-
ISO installer supports UEFI booting (#7724)
-
Updated to go 1.20.5 (#7636)
-
Documentation to manage HTTP and RADIUS certificates
-
Updated OpenAPI Specification to version 3 and improved coverage to all endpoints, including meta OPTIONS and distinct collection sub-types
-
Content Keeper firewall SSO support
-
Added support for Unifi OS controllers (#7368)
-
Added support for downloadable ACLs on Cisco and Dell switches (Also visible in Packetfence Supported network devices webpage https://www.packetfence.org/about.html#/material)
-
Allow ProxySQL to be configured to connect to a single external database
-
Allow image files to be uploaded in a connection profile
-
Added System Service and systemd buttons in Admin UI
-
Online/offline doesn’t rely on recording the bandwidth accounting data anymore
-
Pending security events added to network threats visualization
-
Allow to expose the fingerbank_info variable to all HTML portal templates (#7460)
-
VLAN filters actions can now be done synchronously (#7351)
-
Support for wired connections on Ruckus SmartZone
-
Improve support of WebAuth on Aruba AP (#7470)
-
Allow configurability of using the connector during firewall SSO
-
New api call /api/v1/config/role/{role_id}/bulk_reevaluate_access
-
Add warnings/errors when updating ACLs for roles and switches
-
Azure SAML integration documentation
-
Change log levels of Perl services using environment variable (#7487)
-
Containerization
pfacct
service -
Add not_before to PKI certificates (#7454)
-
Support for out acls if the switch support it (#7560)
-
Improvements and support for dACL in supported material (#7561)
-
Force the destination IP for UDP packets going through the pfconnector (#7323)
-
Clear the active dynamic reverses that exist when a pfconnector reconnects
-
OpenID Authentication Source -Duplicated Username (#7399)
-
Unable to upgrade to Debian 11.6 with PF 11.X and 12.X (#7438)
-
Trust server certificates when provisioning Apple devices for EAP-TLS (#7428)
-
Use WPA2 in place of WPA when provisioning Apple devices (#7428)
-
Creating/modifying/deleting a syslog forwarder should prompt to restart rsyslog in the admin (#6532)
-
Fixed UTF-8 encoding in email body (#7422)
-
Escape quotes in LDAP passwords (AD source: too complex passwords prevent RADIUS to start #3976)
-
Use the proper file extensions when uploading SAML config files. (ZEN 12.1 - XML File Renamed on upload. #7439)
-
Return immediately after an async job is complete (Rework pfqueue results polling #7175)
-
Fixed issue with Aruba DACL, only the first ACL was shown in the port
-
ZEN 12.1 installations will generate a new RADIUS key after a reboot (#7568)
-
Disable DNS lookup in sudo to prevent API timeouts and interfaces not detected (#7403)
-
RADIUS source+pfconnector is not working in admin context (#7550)
-
Added unbound dynamic PSK support to the OpenWiFi module
-
Added Single-Sign-On capability for the admin interface login (SAML/OAuth/MFA/etc)
-
Improved PacketFence forwarder integration to mirror DNS packets from a Windows DNS server
-
Support for the Fingerbank Collector on the PacketFence Connector
-
More flexibility in the definition of the RADIUS servers in an Eduroam source
-
Allow to import only DB or configuration during import
-
Debian package for PacketFence Connector
-
Removed the savedsearch table.
-
Removed jQuery dependency in captive portal.
-
Present the dynamic PSK on the status page when appropriate
-
Manage pfconfig.conf through upgrade scripts instead of packaging
-
Improve WebAuth support on Extreme controllers
-
Allow users to upload files from the admin instead of uploading them manually via SCP/SSH
-
Added new radius attribute vpn detection for fortigate
-
Fixed valid_mac that identify some ip address as mac
-
Support for hardware token like yubikey for Akamai MFA
-
Added sms/phone call as default method in configuration
-
Fixed issue with pfconnector where it would reuse a dynamic reverse that isn’t active anymore (Pfconnector server active dyn reverse cache checks can fail #7218)
-
Fixed RADIUS deauth through pfconnector-remote in a cluster where it was logging as failed although it succeeded
-
When a rule match is 'any' and has no conditions the rule is always successful (#3768)
-
Fix issue with database upgrade (#7283)
-
Fix issue Sponsor registration: notes field can’t be used on captive portal #6385
-
Better error handling when performing a deauth on the previous switch. (captive portal redirect page return Caught exception in captiveportal::Controller::Root→dynamic_application "Can’t use string ("0") as a HASH ref while "strict refs" in use at /usr/local/pf/lib/pf/enforcement.pm line 206 #6985)
-
Fixes possible Clickjacking for netdata reverse proxy (#7338)
-
Don’t resync config files unnecessarily during restarts (Cluster resync on restart - pf12.1 #7360)
-
Regenerate secrets at first boot of ZEN
-
New assets, communications and threats visualizations
-
Containerization of most PacketFence services
-
New pfconnector service to connect remote locations to a central or cloud PacketFence server
-
Support for role-based enforcement on Meraki wired devices (#7000)
-
Support to split database read and writes to different MySQL servers (#7055)
-
Support for distributed database reads in cluster using ProxySQL
-
Initial Linode IaaS and PacketFence Connector documentation (#7152)
-
Unified service store module allowing control of both local and cluster members services
-
Sign a CSR from the PacketFence PKI
-
Added ability to use the MariaDB database or Redis to store the api-frontend tokens
-
Adjust logs for containerized and non-containerized services (#7043)
-
Allow to enabled/disable processing bandwidth accounting (#6934)
-
Sophos VPN support
-
Automatically display mandatory fields in email/sponsor activation emails (#7069)
-
Detect CLI access from Dell N1500 switches (#7070)
-
Deprecate /api/v1/config/fixpermissions and /api/v1/config/checkup
-
Update monit email (#7012)
-
Monit sender address configurable from the admin GUI
-
Full UTF-8 support in the PacketFence database
-
Added MySQL compatibility
-
Added CSV import to switch groups
-
Simplify cluster upgrades (#7180)
-
Only provide the unregdate action if access_duration is not defined for the local source (#6925)
-
Clone switch template with correct ID (#6941)
-
Add time to the available template switch variables (#6952)
-
Only trigger the node discover security event in the context of RADIUS and pfdhcplistener (#4987)
-
Use TLS 1.2 to communicate with Intune servers (#7021)
-
Align Apache timeout with captive_portal.request_timeout (#7037)
-
Return VIP in DHCP requests if
dns_on_vip_only
is enabled (#7035) -
Replace LF by CRLF at end of emails sent by PacketFence (SMS email has "Bare Line Feed Characters" Status code: 550 5.6.11 #5380)
-
The User-Name value in an EAP-TTLS PAP reply will always be the identity of the inner-tunnel (#7017)
-
Multi-line entries in "Role by access list" are returned as a string (#6791)
-
Respect the time of the expiration date of the password (#7003)
-
Monitoring scripting key is not installed correctly when performing an ISO installation (#6965)
-
Set the database location to the system Local timezone (golang)
-
Add missing translations to the captival portal
-
Fix Trapeze Deauth issue
-
Fix the wrong encoding of special char in the REST call to PacketFence (use base64)
-
Added MAB floating device support to Ruckus/Brocade switches (#6774)
-
Support for roles in VPN access
-
Allow to centralize the virtual IPs on the same server (#6853)
-
Added support for Kandji MDM as a provisioner
-
OpenWiFi switch module
-
Allow to manage devices (unregister) when reaching max nodes (#6860)
-
ISO installer based on Debian 11 (#6803)
-
Allow Meraki::MR_v2 module to be able to use a RADIUS Disconnect instead of only a RADIUS CoA
-
Simplify local development of Venom tests (#6711)
-
Integration tests on Fingerbank (#6725, #6786, #6798, #6816)
-
Integration tests on captive portal (#6744)
-
Integration tests for CLI login (#6783)
-
Upgrade to Venom 1.0.0 (#6775)
-
Upload logs of tests (#6784)
-
Management of TLS minimum and maximum versions in GUI (#6773)
-
Integration tests for Inline L2 and L3 (#6769)
-
Drastically improved the performance of the Ruckus unbound DPSK implementation (#6817)
-
Added an admin action to allow RADIUS Probe requests
-
Allow access to the Status/Node Manager/Device Registration pages on SAML auth.
-
Give each monitoring script a maximum of 10 seconds to run (#6828)
-
Resign CA feature in PKI (#6770)
-
Allow to download any certificates without private key using a button (#6778)
-
Fixes date format of the PKI SQL tables (#6823)
-
Use the Digest of the profile on SCEP request (#6823)
-
Improve CLI login support on Ubiquiti Edge switches (#6727)
-
Expose the open locationlog as a variable to switch templates.
-
Improve the speed on the node online query.
-
Message portal module can be used without the portal template.
-
The ip6tables rules are now managed by PacketFence (#6836)
-
Certificate signing requests created via the admin interface now include a Subject Alternative Name (SAN)
-
The Subject Alternative Names of a certificate are now displayed in the admin interface
-
SSL Certificates - RADIUS / HTTPs page Simple GUI Enhancements (wording clarification) (#6613)
-
New mysql-probe service to monitor haproxy-db backends
-
Allow to add environment overrides to Fingerbank collector via the config (#6854)
-
Change the behavior of pf::condition::not_equal to always succeed when match value is undef
-
Allow to renew certificate X days before the expiration date
-
Send email X days before the expiration date to the user email/ profile email / administrator
-
PKI CN provides certificate for the same CN but for different profiles (profile name added in Subject)
-
Auto-revoke certificate if expired
-
PKI actions are now logged to the admin API audit log
-
Reduce list of accepted ciphers in haproxy-portal and haproxy-admin to reinforce security
-
Improved the performance of the bandwidth accounting cleanup process (#6850)
-
Purge binary logs task
-
Integration tests for firewall SSO (HTTPS/RADIUS) (#6822)
-
Add text warning on unreg date when past date is used (#6871)
-
Add an option to sync a single ConfigStore storage in the bin/cluster/sync tool (#6904)
-
Updated PayPal integration documentation
-
Match expected administration rules for web admin and sponsor login (#3631)
-
Reply to Windows devices configured through Intune even if they requested a non-existing URL (#6687)
-
Add RADIUS audit log entry in correct tenant when switches are defined by MAC address (#6540)
-
Fixed issue with edition of PKI template (#6713)
-
Fixed issue on PKI template save (#6749)
-
Fixed issue on PKI templates can be modified by a SCEP request (#6751)
-
Fixed issue with PKI From value when sending certificate by email (#6370)
-
Fixed documentation for Huawei (PR #6692)
-
Fixed issue when pulling the wrong certificate only based on the cn (#5861)
-
Fixed regression in the Unifi module for deauthentication of webauth clients when the APs are defined using an IP or CIDR in the configuration (#6686)
-
Fixed revoke certificate on unregistration (#6826)
-
Send certificates by email using alerting settings (#5917)
-
Validate email format on TLS Enrollment form
-
Fixed issue where portal could apply actions from different auth rules (#6896)
-
Handle DBI library ping call dying in pfconfig MySQL backend (#6895)
-
Support for Akamai MFA in VPN/CLI RADIUS authentication and on the captive portal
-
Support for TOTP MFA in VPN/CLI RADIUS authentication and on the captive portal
-
Automation of upgrades for standalone installations (#6583)
-
MikroTik DHCP MAC authentication support
-
Allow to use the sAMAccountName from the searchattributes in MSCHAP machine authentication (#6586)
-
Improve the Data Access Layer to work in MariaDB’s default sql_mode
-
New command pfcmd mariadb [mariadb options]
-
Deauth request can be made on the previous equipment the device was connected
-
Allow the bulk import of config items to be async
-
Remove unused/deprecated sources (AuthorizeNet, Instagram, Twitter, Pinterest, and Mirapay) (#6560)
-
Automation of supported equipment page on PacketFence website (#6611)
-
Use Venom 1.0.0 through Ansible to run integration tests (#6573)
-
Import script will migrate the networks configuration if the new IP is in the same subnet (#6636)
-
EAP-TLS integration tests using manual deployment and SCEP protocol (#6647)
-
Added a monit check to ensure winbindd is still connected (11.1 - AD failover doesn’t work #6655)
-
Improve ZEN builds (#6663)
-
Improved tests for pfcron jobs (#6637)
-
Match the realm more strictly when its not a regex in EAP-TTLS PAP
-
Populate the LDAP config for enabled LDAP EAP-TTLS PAP realms
-
Only call oauth2 in authorize for the realms that have an Azure AD EAP-TTLS PAP configuration
-
Use source username in LDAP module for EAP-TTLS PAP instead of always using sAMAccoutName
-
Support LDAP certificate client auth for LDAP EAP-TTLS PAP authentication
-
Allow to use Google Workspace LDAP sources in EAP-TTLS PAP authentication
-
Add script for removing WMI scan (#6569)
-
Fix Let’s Encrypt renewal process restarting services even if they are disabled (#6606)
-
Removes the deprecated NTLM background job fields and components (#6552)
-
Ignore 'Mark as sponsor' administration rules when finding the access level of a VPN/CLI user (CLI authentication rules matching doesn’t filter on the rules action #6349)
-
Reducing time balance only when registered
-
Allowed/Banned domains fields corrupted after refreshing the admin (#6882)
-
Red Hat Enterprise Linux 8 and Debian 11 support
-
Microsoft Azure AD authentication and authorization support (#6380)
-
Google Workspace integration for LDAP and Chromebooks
-
Automation of upgrades from 10.3 and above (#6438)
-
Forwarding support for audit logs stored in database
-
New reports type for MySQL/MariaDB scripts allowing multi-statement session-based statements (#6597)
-
3 new report charts including parallel categories (sankey diagram) and time-based scatter charts. 10 new reports for accounting, authentication, nodes and roles (#6597)
-
Microsoft Intune SCEP support (#6360)
-
Venom inline L3 (PR#6266)
-
Massively improved web admin performance
-
LDAP source now supports client certificates
-
AirWatch SCEP documentation
-
Rewrite the username of the request from RADIUS
preProcess
filter (#6293) -
Upgrade to golang 1.16.3 (#6343)
-
pfpki: configure OCSP to listen on specific interfaces (#5825)
-
Get maintenance patches through package manager (#6378)
-
Adjust Intune integration to support pagination of the managed devices (#6135)
-
Add an option to force the vip as the default gateway on layer2 registration network (#6406)
-
Firewall SSO is tenant aware (#6384)
-
Added conditions on owner information in the RADIUS filters (#6324)
-
CLI access support for Avaya Switches (#6398)
-
Authorize a MAC address on all APs of the switch group when using the Unifi module (#6134)
-
Macro documentation for filter engine (#6392)
-
Expose the source directory of documentation from Caddy (#6315)
-
Audit successful admin login in the admin audit log. (#6345)
-
Allow users to resend the SMS pin
-
Improve the speed of retrieving switches (#6321)
-
UI user saved searches in searchable Reports (#6597)
-
Unified Reports, combining Standard and Dynamic reports in a single configuration (#6597)
-
Recategorized Reports UI menu and improved search, date/time selection, and extended hotlinks in tabular report data. Added users' saved search in searchable Reports (#6597)
-
Configurator sets valid_from field to current time in place of 1970-01-01 00:00:00
-
Support switch_group in advanced filters (#6379)
-
Authentication rule condition basedn matching does not work (Authentication rule condition basedn matching does not work #6402)
-
Filter netdata incoming connection (#6303)
-
CLI switch access for Avaya ERS Switches (#6399)
-
Avoid duplicate log entries "User <username> has authenticated on the portal"
-
Backup DB using MariaDB-backup does not work on standalone installations (#6424)
-
Normalize connection_sub_type to use the numeric value (#6326)
-
Expired switches for all tenants (#6024)
-
Static routes management via admin gui
-
Aruba CX support
-
Aruba 2930M Web Authentication and Dynamic ACL support (#6158)
-
Meraki DPSK support
-
Ruckus DPSK support
-
Support for Ruckus SmartZone MAC authentication in non-proxy modes (#6201)
-
Bluesocket support (#5878)
-
Support for SCEP in
pfpki
(#6213)
-
Improved the failover mechanisms when an Active Directory or LDAP server is detected as dead
-
Expiration of the local accounts created on the portal can now be set on the source level
-
pfacct and radiusd-acct can now both be enabled together (radiusd-acct proxies to pfacct)
-
Added CoA support to Aerohive module
-
Added role based enforcement (Filter-Id) support to Extreme module
-
Use Called-Station-SSID attribute as the SSID when possible
-
Added CLI login support to Huawei switch template
-
Added detectionBypass in DNS resolver (#6028)
-
Improve support of Android Agent for EAP-TLS and EAP-PEAP
-
Improve CLI login support on HP and Aruba switches
-
Use the "Authorization" header when performing API calls to Github in the OAuth context
-
Replace xsltproc/fop by asciidoctor-pdf (#5968)
-
FortiGate Role Based Enforcement (#5645)
-
Add support for roles (RBAC) for Ruckus WLAN controllers (#2530)
-
Upgrade to go version 1.15 (#6044)
-
Build ready-to-use Vagrant images for integration tests and send them to Vagrant cloud (#6099)
-
Documentation to configure Security Onion 2.3.10
-
Added integration tests for 802.1X wireless and wireless MAC authentication (#6114)
-
Restrict create, update, and delete operations to the default and global tenant users (#6075)
-
Remove pftest MySQL tuner (#6130)
-
Allow Netflow address to be configured (#6139)
-
Deprecated fencing whitelist
-
Description field for L2 and routed networks (#5829)
-
Updated Stripe integration to use Stripe Elements (API v3) (#6121)
-
Added Cisco WLC 9800 configuration documentation
-
Inheritance on parent role on Role and Web Auth
-
Enhance CLI login on SG300 switches
-
Enable/disable the natting traffic for inline networks
-
Remove unused table userlog (#6170)
-
Clarifications on Ruckus Role-by-Role capabilities (#6201)
-
DNS/IP attributes in pfpki certificates (#6213)
-
Additional template attributes in certificate profile (#6213)
-
Remove unused table inline_accounting (#6171)
-
Make pfdhcplistener tenant aware (#6204)
-
Upgrade to MariaDB 10.2.37 (#6149)
-
Switch defined by MAC address are not processed by pfacct in cluster mode (#5969)
-
Restart switchport return TRUE if MAC address is not found in locationlog for bouncePortCoA (#6013)
-
Switch template: CLI authorize attributes ignored (#6009)
-
ubiquiti_ap_mac_to_ip task doesn’t update expires_at column in chi_cache table (#6004)
-
A switch can’t override switch group values using default switch group values (#5998)
-
web admin: timer_expire and ocsp_timeout are not displayed correctly (#5961)
-
web admin: Realm can’t be selected as a filter on a connection profile (#5959)
-
API: remove a source doesn’t remove rules from authentication.conf (#5958)
-
web admin: high-availability setting is not display correctly when editing an interface (#5963)
-
SSIDs are not hidden by default when creating a provisioner (#5952)
-
with_aup is correctly displayed on GUI (#5954)
-
web admin: sender is wrong when you use Preview feature (#6023)
-
sponsor guest registration: unexpected strings in email subject (#3669)
-
Use the proper attribute name for Mikrotik in returnRadiusAccessAccept (#6051)
-
Audit log: profile has an empty value when doing Ethernet/Wireless-NoEAP (#5977)
-
pfacct stores 00:00:00:00:00:00 MAC in DB when Calling-Station-ID is XXXX-XXXX-XXXX (#6109)
-
Update the location log when the Called-Station-Id changes (#6045)
-
Only enable NetFlow in iptables if NetFlow is enabled (#6080)
-
Firewall SSO: take username from accounting data if available in place of database (#6148)
-
EAP_TTLS PAP support on a LDAP source
-
eDirectory source
-
Master/slave RADIUS proxy and degraded workflow
-
go based pfmon (#5613)
-
Integration tests: configurator scenario added (#5484)
-
Adjust the settings in the admin for the SAML and OAuth portal modules (#5479)
-
Select the role of the device when register via self-service portal
-
Improved support for Extreme switches running EXOS
-
Added option to register device immediately after the sponsor activates the access during sponsor based registration (#5642)
-
Added support for EAP-PEAP MSCHAPv2 and EAP-TLS for CLI and VPN RADIUS authentication (#5784)
-
Template based bouncePort using CoA (#5735)
-
Set the default switch type to Packetfence::Standard (#5742)
-
Create a PacketFence::SNMP switch to force reevaluate access using SNMP (#5742)
-
Add support for CLI Access for Switch::Template (#5708)
-
Use Status Check in pfstats to test RADIUS/eduroam sources
-
Switch templates can define how to map a NasPort to an IfIndex (#5779)
-
Syslog parsers are now tenant aware
-
Add default MAC address randomization security event check
-
Allow to delete a node from web admin with a locationlog opened (#5492)
-
Allow roles to be delete
-
Fixed CoA for Meraki web-authentication so that it doesn’t disconnect the user from the SSID
-
Honor the AUP setting of the SAML portal module (#5476)
-
Use the prebuilt FreeRADIUS Perl dictionary
-
Don’t override user defined values in the interface file for CentOS
-
haproxy-db can cause pfcmd service restart to failed (#5745)
-
Pass in the mandatory fields to the email templates
-
Dell N1500.pm: LLDP detection doesn’t work (#5758)
-
Ensure the gateway was only written once in /etc/sysconfig/network (#2845)
-
Remove the ip address of a server in the dhcp reply when the server has been disabled (#5677)
-
Allow to set multiples ca certificates
-
Listen to all interfaces for RADIUS accounting (#5821)
-
Searching by 'Source Switch Identifier' for a switch range doesn’t work (#5792)
-
Validity of the local accounts created on the portal is tied to the access duration of the user.
-
Live log viewer from admin interface
-
Fully tenant-aware admin interface
-
Support for MS-CHAP authentication for CLI/VPN access
-
New pfcertmanager service that generates certificate files from configuration
-
EAP configuration template - add a way to define multiples EAP profiles in FreeRADIUS
-
New action for AD/LDAP sources to set role when user is not found
-
Provide an advanced LDAP condition to allow custom LDAP queries
-
The captive portal can now feed HTTP client hints to the Fingerbank collector
-
Added ability to enable/disable a network anomaly detection policy (#5403)
-
Return the portal IP if the QNAME matches one of the portal FQDN for registered devices using inline enforcement
-
Individual source rules can be disabled
-
Support for Dell N1500 starting from 6.6.0.10
-
CoA support for Ubiquiti Unifi AP
-
Added a way to define the Unifi AP by IP or IP range
-
Use the value of an LDAP attribute as a role
-
Added the return of the LDAP/RADIUS attributes to use them in RADIUS filter
-
The /api/v1/radius_attributes endpoint is now searchable
-
Proxy the captive portal detection URL when the device is registered
-
Choose which EAP profile to use based on the realm
-
LDAP’s basedn can be defined in the authentication sources rules
-
New hooks for the RADIUS filter engine in eduroam virtual server
-
Redefined "restart" in the service manager to allow "PartOf" in systemd scripts
-
Set role from source authentication rule option (needs #5459)
-
Flatten the RADIUS request for the authentication sources (attributes like radius_request.User-Name)
-
RADIUS request attributes / username are part of the common attributes
-
Support of multiples LDAP servers in FreeRADIUS ldap_packetfence configuration file
-
Copy outer User-Name attribute in PacketFence-Outer-User attribute to be able to use it in the authentication rules
-
Copy the LDAP-UserDN attribute in PacketFence-UserDN attribute to be able to use it in the authentication rules
-
Added a way to extend the LDAP filter for searchattributes configuration
-
Documentation for EAP profile selection
-
Documentation for regex realm
-
Documentation for new action/condition in LDAP authentication
-
Moved the VLAN filters example as default disabled VLAN filter
-
Use PUT for node reevaluate_access to fix issue with admin_role actions mapping
-
OpenID pid mapping is now configurable
-
Can map OpenID attributes to a person attributes
-
Allow to create authentication rules based on OpenID attributes
-
Fixes Fortinet Fortigate returnAuthorizeVPN function (#5409)
-
Barracuda NG firewall SSO SSH fails (#4828)
-
Impossible to set multiple access level in administration rule (#5440)
-
Fixed pf-maint.pl when its running behind a proxy (#3425 )
-
Fix vendor attributes not being sent from Switch Template (#5453)
-
Fixed issue authorizing a user in web-auth on Unifi when the node has its date set to '0000-00-00 00:00:00'
-
Added support for network anomaly detection through Fingerbank
-
New, fully integrated PacketFence PKI service
-
New service (
pfacct
) to track bandwidth usage using RADIUS accounting and NetFlow traffic (inline setups only) -
New service for automatic clustering issue resolution
-
New GUI for all filtering engines and switch templates
-
New API and Vue.js based step-by-step configurator
-
Added VMware Airwatch support
-
Added support to run integration tests using Cumulus Linux and libvirt
-
Added the ability to autoregister and assign a role to a device authorized in a provisioner
-
Added the ability to control whether or not a provisioner should be enforcing (i.e. ensuring all devices matching it are authorized with it)
-
Added the ability to sync the PID of devices authorized in a provisioner (only for Airwatch and JAMF)
-
Add single sign-on support for Cisco ISE-PIC
-
Support for MySQL as DHCP pool backend and provide active/active DHCP support
-
Support Aruba switches using Aruba OS 16.10
-
Added a new Meru controller module that supports RADIUS RFC3576 (RADIUS Disconnect)
-
CLI login to Juniper switches
-
Allow to configure VOIP RADIUS attributes in switch templates
-
All configuration files have a copyright without year to avoid useless rpmnew or dpkg-dist files each yearly upgrade
-
Improved Unifi deauthentication using HTTP
-
Set TTL to 5 seconds when the host match with a captive portal detection host
-
Enable tracking configuration service by default
-
Better captive portal detection for Samsung devices
-
Faster captive portal detection for Apple devices
-
Routes are now managed by the keepalived service
-
Parking security event can now be triggered without limitation
-
Added a way to change the SQL table used by pfconfig
-
Showing the configurator is now configurable (#5121)
-
Node deletion in consistent between the the API and pf::node::node_delete (#5088)
-
Allow VLAN number greater than 1023 for floating devices
-
Improved captive-portal health checks in monit (#5185)
-
Added RADIUS disconnect for wired port on Aruba AP (#5016)
-
Switch templates can now use SNMP up/down to perform access reevaluation (#5197)
-
HAProxy now serves the admin gui, httpd.admin disabled by default
-
Reports are now tenant-aware
-
Security events can be triggered when running node maintenance task (#4948)
-
Added parameter to prevent external portal requests from updating the ip4log (#5336)
-
Added new WMI examples
-
Fixed logic to move MAC address to another port (Avaya)
-
Fix serialization of the switch when calling ReAssignVlan/desAssociate
-
Prevent double restart when setting the port admin status of an EX2300 Juniper switch
-
Sponsor field is missing on sponsored users when using forced sponsor (#5171)
-
Some DHCP info triggers use outdated Fingerbank data (#5106)
-
Issue with the timezone in the admin not being honored on the system (#5205)
-
Issue with Chrome not showing the portal on self signed certificates (#5233)
-
Issue with RADIUS CLI access and ldap authentication source where the cache is enabled (#5018)
-
Distribute pfsnmp trap jobs between queues based off switch id (#5004)
-
Deleting a portal profile doesn’t cleanup its templates (#793)
-
pfacct doesn’t report metrics to dashboard (#5267)
-
Don’t try to do firewall SSO if the service is disabled
-
Massively improved web admin performance
-
Fix
pfstats
for LDAPS and StartTLS -
Allow to run any script from a security event without a modification of sudoers file
-
Fix machine auth failed on eduroam virtual server
-
Fix allow external RADIUS accounting from eduroam server (they use it to detect if a server is alive)
-
Fix eduroam load-balancing issue on local realm
-
Adjust backup-and-maintenance.sh for locationlog_history table (#5076)
-
Allow to force the access duration when using device registration
-
Migrate to go mod for Golang binaries (#4832 and #4841)
-
Ready-to-use Docker images for PacketFence builds (#4841)
-
Added audit log for API and new admin interface
-
Added configuration based switch modules
-
Support for remote layer 3 clusters in read-only mode
-
Internal security event to trigger on managed network only or production network only
-
Network visualization now supports custom sorting, min/max graph sizing, variable real-time network live-view, and infinite depth of switch-group inheritance.
-
Speedup the dal generation (#4824)
-
Enhance Juniper EX2300 to allow a port bounce to be done via RADIUS CoA
-
Network visualization
-
Microsoft Intune and ServiceNow support
-
Family Zone, LightSpeedRocket and SmoothWall firewall SSO support
-
New way to forward Eduroam local realm to a specific RADIUS server
-
New DNS auditing log module
-
Adjust Fingerbank device class lookup ordering for added precision of the device class
-
Track configuration changes in local git repository
-
Randomize KeyBalanced to randomize the load-balancing in FreeRADIUS Proxy.
-
Support for SentinelOne’s new API version (v2.0)
-
Firewall SSO is now performed centrally on the management node of a cluster
-
Added DHCP pool algorithm (random/oldest IP)
-
Improved support for Juniper switches running Junos 15 and above
-
Allow to configure the API token timeout
-
Moved vlan_pool_technique configuration parameter to the connection profile
-
Added the RADIUS' targeted IP address in the RADIUS audit log (help in cluster mode)
-
pfperl-api port number changed to 22224
-
Autoreg for mac-auth with an authorize source
-
Parking portal has been moved in the haproxy and httpd.dispatcher services and deprecates the dedicated httpd.parking service
-
Inline access to the documentation from the Web admin interface
-
pfstats queries /api/v1/dhcp/stats are taking a lot of time (#4096)
-
Duplicate reservations in the DHCP pool caused by a big registration/inline network and pfstats call
-
LinkedIn social login integration due to deprecated API calls from LinkedIn
-
Fixed the logic of "Use the RADIUS username instead of the TLS certificate common name when performing machine authentication"
-
Improved display of RADIUS audit log from RADIUS tab (#4473)
-
Add '-copy' to the ID when cloning a configuration resource (#4468)
-
Better visual distinction when the database is in read-only mode (#4464)
-
Domain join is prompted after creating a domain (#4544)
-
Added current hostname to help page
-
Fixed Aruba Instant access switch module compilation error
-
Fixed violations to security events upgrade script to use the .rpmsave file during the upgrade
-
Fixed user visualization when the username contains a '/' or '\' (#4531 and #4570)
-
Fixed missing 'Signing' tab in mobileconfig provisioner configuration section (#4533)
-
Fixed missing 'Compliance' tab in OPSWAT provisioner configuration section
-
Fixed issue when defining multiple DNS servers in inline
-
Fixed issue where not all security events are visible when triggering a security event on a node (#4550)
-
Fixed issue with multi-cluster configuration generation
-
Fixed issue with WMI scan engine rules failing to be saved (#4559)
-
New web interface based on Vue.js and Bootstrap 4
-
Let’s Encrypt SSL certificates support for captive portal and RADIUS
-
Cisco ASA VPN support with the captive portal
-
Fortinet VPN support
-
DHCP Filter to reply custom attributes in the OFFER and/or ACK (deprecate old DHCP Filter)
-
Add 802.1X and CoA support for Fortinet FortiSwitch
-
Add module to support PICOS white box switches
-
Support for Aerohive access point with switch port
-
Support for Aruba Instant Access switch module
-
Debian 9 (Stretch) support
-
Now including timeout when authorizing a web-auth user on an Ubiquiti UniFi controller
-
Now providing defaults for the Apache filters
-
Allow to configure the RADIUS attributes and their lookup order for extracting the username
-
conf/stats.conf has a default file now
-
VoIP configuration parameter in node_cleanup task to bypass VoIP devices
-
Adding/removing passthroughs doesn’t require to restart pfdns anymore (#3127)
-
Added support for RADIUS disconnect on Ruckus SmartZone
-
Disable Microsoft Active Directory join operating system check option
-
Disable DNS lookup in MariaDB configuration
-
Enable performance_schema if needed
-
Display local account in the captive portal during registration if applicable (#3615)
-
Exception for portal detecion URL in pfdns
-
Added support for Ruckus roles
-
sms_carrier 'id' column is now auto-increment (#1270/PR#3684)
-
Better logging for haproxy-portal that allows to identify missing passthroughs
-
Allow to skip management node in portal load-balancing when running in a cluster
-
DHCP and DNS services can be enabled on a specific interface
-
VoIP support for Dell switches
-
Fixed the systemd logic in pfdhcp
-
Fixed winbindd respawning extremely fast when failing to start
-
Fixed winbindd processes not being killed on latest version of Samba
-
Allow disabling processing of IPv6 packets in the pfdhcplistener
-
fixed untainted variable (#3920)
-
fixed on-registration scanning (#3963)
-
Set the realm in the RADIUS request when doing machine authentication
-
Keep connections to the unified API alive
-
Fixed the documentation and the form for the Juniper SRX firewall
-
Added support for Juniper EX2300 (JUNOS 18.2) switches
-
Clickatell authentication source support
-
Added a random algorithm for VLAN pooling
-
Added the ability to reserve IP addresses in pfdhcp
-
Added a way to trigger a violation when device profiling detects a change in the device class
-
New SSL Inspection portal module
-
RADIUS proxy integration from web admin interface
-
RADIUS filtering support for pre_proxy/post_proxy/preacct/accounting/authorize phases
-
Updated the Windows provisioning agent to the new Golang based version
-
Redis now only listens on localhost (#3729)
-
Deprecate usage of roaring bitmap for the DHCP IP pool (#3779)
-
Email and SponsorEmail sources can have banned and allowed email domains (#3807)
-
Improved startup time of pfdhcp
-
Removed OPSWAT Metadefender Cloud support
-
Chose password hashing algorithm when creating a local user from a source
-
Define the length of the password to generate when creating a local user from a source
-
New "dummy" source just to compute the rules
-
Logs permissions and configuration for Debian (#3780)
-
Fixed missing cache directory for NTLM auth cache (#3788)
-
Fixed working directory of NTLM auth cache sync script (#3777)
-
Handled multiple LDAP hosts properly in NTLM auth cache (#3776)
-
Issue with the DHCP server that gives sometimes a duplicate IP address
-
Adjusted CentOS and RHEL dependencies
-
Fixed MAC filtered lookups that were cached in pfdns (#3785)
-
Fixed the OpenVAS integration to work with OpenVAS Manager 7.0 (OpenVAS 9)
-
Fixed encoding of files created in the administration interface (force them to UTF-8)
-
Adjusted ports for Active Directory passthroughs (#3769)
-
Improved performance of nodes tab in the admin interface (#3721)
-
Fixed Google Project Fi missing from the official schema
-
Various fixes for broken NTLM cache job
-
Fixed issues with realms after a restart of pfconfig (#3797)
-
Fixed issue with pfdhcp leaking file descriptors
-
Fixed issue with captive portal requesting an artifact from the SAML server
-
Fixed duplicate IP addresses given by pfdhcp
-
Added new expected parameter for the redirect URL when performing web-auth with a Cisco WLC
-
Fixed SEPM provisioner token refresh
-
Added support for clusters with servers located in multiple layer 3 networks (PR #3656)
-
Permit incoming Eduroam TLRS RADIUS requests (PR #3399)
-
pfconfig is tenant aware (PR #3385)
-
Realm are tenant scoped (PR #3385)
-
Added Mojo web authentication support (PR #3604)
-
New authentication source Password of the Day (PR #3285)
-
Added SMTP test function in Alerting (PR #3642)
-
Juniper SRX Firewall SSO module (PR #2842)
-
Now support CoA on Meraki switches
-
jsonrpc requests send the current tenant_id (#3271)
-
Take the tenant id in consideration in the queue (#3269)
-
Performed various improvements to the maintenance script (PR #3445)
-
Increased maximum node bandwidth balance from 4 GB to 18.4467441 XB (exabytes) (#3477) (PR #3493)
-
Improve connection profile’s advanced filter
-
Use MySQL as backend for pfdhcp options (deprecates etcd) (PR #3484)
-
Reorder iptables rules (PR #3463)
-
Better error handling for pfdetect.conf (PR #3607)
-
HAProxy stats files are now located in var/run/ with explicit filenames (PR #3645)
-
pfdns now uses the PacketFence standard Golang logging library (PR #3638)
-
Added VOIP and Downloadable ACLs support to Aruba 5400 switch module (PR #3372)
-
Switch filters can now be used to override the switch module that is instantiated during a RADIUS connection (PR #3583)
-
WIRED_MAC_AUTH and Ethernet-NoEAP merged (#3069) (PR #3261)
-
Backslash in usernames in Reports section is shown as "=5C" (#3508) (PR #3510)
-
Multiple bug fixes to the pfdhcp service (PR #3571)
-
Domain join log entries contain clear-text credentials (#3448)
-
Fixed false positive dhcp rogue detection (PR #3514)
-
Sponsor Email subject and body are i18n in the same language (#3670)
-
pfstats hammers pfdhcp and the API frontend with requests (#3634)
-
Can’t download SAML metadata in the admin (#3720)
-
Added support for dynamic PSK (Cisco IPSK) for the Cisco WLC and hostapd (PR #3244)
-
Added Ubiquiti Unifi web authentication and 802.1X support
-
Added support for Cambium AP module for 802.1X, MAC and web authentication (PR #3282)
-
Change root portal module on failure/success
-
Save already entered field on the portal (chain auth)
-
Custom message for SMS registration
-
Expire SMS pin code
-
Define the length of the pin code
-
Enable or disable sponsor authentication when he validates access (PR #2995)
-
Rewrite of the pfdetect service in Golang (PR #3260)
-
Added support for OpenWRT/LEDE 17.01.4 (PR #3008)
-
Allow connection profiles to be enabled/disabled (PR #3175)
-
Add new portal module action that wraps the default actions a module would normally execute (fixes #3231)
-
Improved startup time of PacketFence (PR #3213)
-
Fix local/reject realm for eduroam in standalone configuration (PR #3264)
-
Allow subsecond timeouts for LDAP connections
-
Allow randomization of the search order for a list of LDAP servers
-
IP exclusion is now possible in the DHCP server
-
Allow max node per role when doing autoregistration
-
Moved unregister on accounting stop parameter on the connection profile
-
VLAN filters can be set to ${node_info.category} and it will return the current category of the device
-
The database load-balancer now listens on the cluster management IP address
-
Allow to update switches while importing them via CSV
-
Update the computername (hostname) of a node using the Fingerbank Collector data
-
Detect uplinks based on CDP flag instead of a string
-
Put etcd in its own directory
-
Fixed issue with device profiling not being performed when an endpoint connects for the first time
-
Fixed missing timeout when performing RADIUS SSO (FortiGate, CheckPoint, WatchGuard)
-
Fixed issue with API frontend when initially configuring the webservices username and password
-
packetfence-haproxy-portal and packetfence-tc systemd service in a wrong target
-
Custom routing with inline enforcement fails silently (#3215)
-
Nessus 6 scanner
-
haproxy-db only listens on IPv6 interface (Debian) (#3208)
-
Fixed packetfence-local-auth
-
Fixed DNS passthrough for normal domains (was considered as a wildcard)
-
Winbind fails to start because of a permission issues on /var/run/samba/winbindd in the chroots
-
Update from 7.4 to 8.0 audit log file not there (#3216)
-
Fixed unreg on RADIUS accounting stop (#3220)
-
Allow nodes without roles to be modified when restricting allowed role (#3217)
-
Fixed speed issues with node search in the admin
-
Fixed missing timeout for RADIUS sources tests in pfstats
-
Replaced the ISC DHCP server with a new Golang-based DHCP server (PR #2911)
-
Now supporting inline enforcement in active/active clusters (PR #2911)
-
Replaced pfdns with a new Golang-based DNS server (PR #2911)
-
Allow an inline network to be split by the roles in PacketFence allowing to put specific devices in a distinct broadcast network (PR #2911)
-
DNS routing (PR #2911)
-
Dashboard metrics are now based on Netdata (PR #2935)
-
Traffic shaping support for inline enforcement (PR #2803)
-
Added a configuration parameter to allow to unregister a device on an accounting stop (PR #2685)
-
Added CLI support on Aruba 5400 switches (PR #2965)
-
Username stripping (removing the realm) is now configurable via the realms instead of the sources
-
PacketFence integration with JAMF API for Apple computers and mobile devices management (PR #2797)
-
Added an HTTP JSON API
-
Distribute pfdhcplistener tasks among cluster members (PR #2887) (#2858)
-
Removed pfsetvlan
-
Now allowing to use the RADIUS accounting cache when in cluster mode
-
New database access layer (DAL) for upcoming multi-tenancy support
-
New portal module to permanently set roles (PR #2490)
-
Added portal module for selecting a role for the device being registered on the portal (PR #2471)
-
Added support for Allied Telesis GS950 switches (PR #1866)
-
Added ability to update the firewall SSO on RADIUS accounting packets (PR #2662)
-
Added a way to define a VLAN by role as a VLAN pool using a VLAN range (PR #2675)
-
Added cloning capability in connection profiles (PR #2814) (#2809)
-
Read and write timeouts for LDAP connections can now be set (#2613) (PR #2614)
-
Keepalived can be configured to detect its peers via unicast instead of multicast (PR #2794)
-
Suggest violation identifier when adding a new violation (#2804) (PR #2807)
-
Create a priority queue
-
Move ReAssignVlan and desAssociate API calls to the priority queue
-
Added connection profile SSID filter suggestions based on all the previous SSIDs that have been seen in the locationlog (#2758) (PR #2771)
-
Added a description to the switches in the nodes side navigation (#2791) (PR #2795)
-
Improved configuration of the captive portal timer bar (via the captive_portal section of pf.conf) (#383) (PR #2762)
-
(AD Powershell scripts) Enforce use of TLS in the powershell scripts which is required with the last versions of PacketFence (PR #2788)
-
(AD Powershell scripts) Cycle through all the possible Active Directory usernames formats in PacketFence (PR #2788)
-
Removed old authentication code sources (#2610)
-
Added rule description in listing (#2619)
-
Improved documentation (PR #2774) (#2773)
-
Set a timeout for database queries for the admin to avoid long running queries slowing the system (#2630) (PR #2659)
-
Documentation improvement about MySQL advanced parameters (#266)
-
Enhanced localization support in violation module (PR #2759)
-
Improved the haproxy HTTP process monitoring
-
Improved cluster maintenance script to perform necessary system changes to have the node in maintenance
-
Moved add and delete buttons to the left to avoid the being cutoff (#2678)
-
Fixed "Admin: Multiple 'Device Type' options in Nodes tab" (#2789) (PR #2793)
-
Configurator: when using a different database name, the fingerbank.conf MySQL section is not updated (#2665) (PR #2787)
-
rlm_perl modules are now using syslog instead writing directly to the file (PR #2609)
-
Prevent a valid PID from being overwritten at the end of the portal registration if the new PID is default (#2825)
-
Auth log is not set to completed after email registration (#2648) (PR #2649)
-
Fixed redirects when previewing profiles that use OAuth source (#2882) (PR #2908)
-
Added a RADIUS only mode to PacketFence.
-
Add a cluster wide view of pfqueue statistics (#2195) (PR #2573)
-
Added the possibility of importing switches from a CSV file. (PR #2480)
-
The GUI will now display the VLAN in the locationlog view
-
The timezone is now a selectable item to prevent invalid input
-
Updated ACE text editor to version 1.2.8
-
Search forms for nodes and users can now be reset (PR #2555)
-
Configuration files can now be saved in readonly mode except violation, switches, role (#2464) (PR #2566)
-
Extended descriptions are now supported in the custom reports
-
Mail can now be sent using SSL and StartTLS (PR #2446)
-
Self signed certificate errors for nessus 6 can now be ignored (PR #2568)
-
Violations can now be triggered by nessus 6 scanner (PR #2568)
-
The device registration page now supports connection profiles like any other portal
-
The username sent in firewall SSO now supports a configurable format (PR #2499)
-
PacketFence will now monitor TLS certificates expiration and alert if they are expired (PR #2444)
-
LDAP source caching is now caching the rule match rather that the whole source match (PR #2560)
-
The admin GUI startup time has been decreased (#2545)
-
New and improved documentation for Debian clustering
-
Show DHCP Option82 data in the node view (#2396)
-
Custom reports columns representing a node or a user can now be configured to be clickable for details on the object in question (#PR 2508)
-
New Fortigate 50E 802.1x support
-
The computer authentication username can now be normalized when using EAP-TLS (PR #2414)
-
Added a task count jitter to reduce the chance that pfqueue workers exit at the same time
-
Experimental support for Content Security Policy (CSP) has been added, but is disabled by default (PR #2336)
-
A violation can now redirect to a URL specified in a template (PR #2400)
-
Changed the path of mariadb error log file (PR #2652)
-
The syslog parser has moved from Compliance to Integration in the GUI (#2467)
-
pfsso now logs in packetfence.log (#2553) (PR #2557)
-
httpd.dispatcher now logs in httpd.dispatcher.log (PR #2557)
-
Fixed incorrect inline sub type detection
-
Fixed ipset update with the incorrect ip address
-
Fixed missing confirm prompt when restarting all services via the admin interface (#2365) (PR #2571)
-
Fixed violation definition sync when removing a violation from the config
-
Fixed incorrect Connection-Type when using EAP-TTLS (#2582)
-
Fixed VOIP logic to reduce the chance of duplicate locationlog entries (#2527)
-
Fixed SNMP connection issues on Extricom controllers
-
Fixes segfaults when logging in the multithread environments (#2603)
-
reuseDot1x: Changed the way authentication sources are matched with realms regarding a security concern(#2536)
-
Trust the wsrep_ready flag of MariaDB Galera cluster for read only detection as putting the DB in read-only can result in occasional de-synchronization between members. (#2593) (PR #2594)
-
Run the configreload as the pf user when done through pfcmd (PR #2510)
-
Run the 6.0+ upgrade scripts as the pf user to prevent permissions issues after running them (PR #2509)
-
Fixed incorrect NULL realm use when authenticating to the admin GUI (#2529)
-
Enforced use of the system time instead of browser time when using preset time values (#2559)
-
Logging into the status page when reuse dot1x is enabled is no longer broken (#2542) (PR #2598)
-
Added support for authenticating users through OpenID Connect (PR #2394)
-
Added passthroughs for devices in violation state (isolation network) (PR #2328)
-
Added ability to report a device lost or stolen in self-service portal (PR #2337)
-
Added ability to change a local account password in self-service portal (PR #2337)
-
Improved overall user experience of self-service portal (PR #2337)
-
Use the attributes returned by a radius use source as attributes to compute the rules (PR #2369)
-
Most services now support systemd sd_notify notifications.
-
The GUI will now only display readonly actions in readonly mode (PR #2384)
-
Journald total file size is now capped at 1Gb (PR #2389)
-
The GUI will now allow sources to be cloned (PR #2395)
-
The GUI now visually splits Administration and Authentication rules when viewing sources (PR #2395)
-
The GUI now has the ability to run "fixpermissions" from the web admin GUI (PR #2398)
-
haproxy captive portal rate-limiting is now configurable (PR #2422)
-
winbindd will now use the regular samba mechanisms to locate and select DCs (PR #2410)
-
New pfcmd command pfcmd pfqueue clear_expired_counters to clear the expired task counters (PR #2433)
-
Allow to disable the captive portal haproxy abuse access lists (#2418)
-
Added a cleanup of the number in the SMS source (#1966)
-
TLS certificates and keys will no longer be overwritten (#2366)
-
Limit the amount of tasks a worker processes to avoid memory from growing
-
Fixed a case where the REJECT role isn’t honored in inline and some web-auth (#2383)
-
Sponsor authentication CC address is now BCC to help preserve privacy (#2267)
-
Use plain HTTP for network access detection page (#2393)
-
Fixed an issue where DHCP broadcast were treated more than once in clustered mode (PR #2413) (#2408)
-
Fixed incorrect user login remaining count display (#2450)
-
Fixed a case where pfqueue counters show a count of 0 although queue is full (#2420)
-
node_discovered is no longer triggered when node hasn’t been created in DB (#2436)
-
Detect date was not being populated when nodes were discovered via radius (#2424)
-
Fixed leftover httpd processes when restarting (#2439)
-
Mariadb binary logs files are now properly rotated (#2440)
-
Fixed scss settings and colors being wiped on each upgrade (#2317)
-
pfdns: catch all the dns traffic in the registration network (#2381)
-
Added support for web authentication (external captive-portal) on Ubiquiti Unifi Controller
-
New Firewall/SSO (JSON-RPC) for communicating with custom firewalls (PR #2320)
-
VoIP detection: LLDP lookup enhancement (#2227) (PR #2316)
-
Add a button to access status from device registration and the other way around(PR #2259)
-
Added the ability to specify multiple DNS server(s) for domain join configuration (PR #2223)
-
Allow to force a predefined sponsor during sponsor authentication (PR #2150)
-
Updated pfdns default filters (PR #2165)
-
Added brands icons to authentication source (i.e Twitter, PayPal etc ..) in the administration interface (PR #2287)
-
Allow pfqueue workers to perform work across multiple queues (PR #2260)
-
Added a way to set time and bandwidth balance in action rule (requires accounting to work) (PR #1936)
-
Don’t display the mobileprovider field when doing SMS authentication with only one carrier enabled (PR #2322)
-
Added new reports in the administration interface (PR #2313)
-
Apache based services now support systemd sd_notify (PR #2351)
-
Dashboard metrics are now fetched over https (#2272)
-
Renamed Ubiquity to Ubiquiti (PR #2293)
-
Set up variable GOPATH correctly while setting up developer environment for go (PR #2319)
-
Fix too large scoping of authentication sources (#2338)
-
Prevent usage of a 'Null' source in the device registration page (#1784)
-
Fixes duplicate nodes displaying when there are multiple locationlog entries (#1848)
-
Fixed an issue with the Instagram OAuth2 source, where the scope has been modified on the API
-
Fixed and issue where the logging configuration was ignored for httpd.aaaa and httpd.webservices (#2350)
-
Displaying of roles for device registration is now working (#3226)
-
Fixed issue with ip4log cleanup job when rotation was enabled (#2358 and #2359)
-
Adjusted default ip4log retention to match what was in PacketFence version 7 and below
-
Make REJECT role have precedence over bypass role and VLAN
-
Make VLAN filters have precedence over bypass role and VLAN
-
Fix useless sessions being created in web-auth in the dispatcher (#2352)
-
Load liblasso during runtime in order to prevent a segfault of Apache on Debian 8.8 (#2342)
-
Fix syntax error in the guest_sponsor_preregistration email template
-
Fix previewing email templates in the admin
-
Fixed incorrect locationlog entry when performing RADIUS CoA (#2222)
-
Twilio: "To" phone number is being stripped of any "+" sign (#2296)
-
Fixed radiusd load-balancer failing to start in cluster with eduroam (#2303)
-
Fix authentication sources ordering issue for portal modules when using the administration interface (#2323)
-
Fix innobackup tmp directory when used with Galera cluster
-
Fix width of auth sources conditions fields (#2312)
-
Fixed admin login when only allowed to see auditing section
-
Fixed locationlog entries for VOIP devices when no voice VLAN is defined (#2314)
-
Fixed authentication sources cache in connection profile (#2309)
-
Fixed loose matching of host in haproxy dispatcher (#2299)
-
Fixed lost MySQL handle errors in pfconfig
-
Handle sources activation host in haproxy dispatcher (#2266)
-
Fixed incorrect handling of unregistration year
-
Fixed incorrect LDAP error when user not found
-
Fixed file cloning in connection profile
-
Fixed display of roles in admin GUI
-
Fixed unregistration date handling when it is over 2038 (#2269)
-
Fixed logging errors for undefined values
-
Fixed queues blocking when forking
-
Fixed pagination in GUI node search
-
Fixed OS type display in status page
-
Fixed URL for connection profile preview
-
Added provisioning support for SentinelOne (PR#1294)
-
Added MariaDB Galera cluster support (PR#2002/PR#2023/PR#2039/PR#2040/PR#2041/PR#2043/PR#2044/PR#2070/PR#2076/PR#2079/PR#2080/PR#2082/PR#2090)
-
All services are now handled by systemd (PR#2010)
-
IPv6 network stack in PacketFence (PR#2024)
-
New Golang-based HTTP dispatcher (#1301/PR#2029/PR#2067)
-
New Golang-based pfsso service to handle the firewall SSO requests (#1144/PR#2037/PR#2062)
-
Revamped the Web administration interface (PR#2108)
-
SNMP traps are now handled in pfqueue (PR#1656)
-
Added the ability to grant CLI write access for Extreme Networks switches (PR#1699)
-
Added a distributed cache for the accounting information to safely disable the SQL accounting records in active/active clusters (PR#1715)
-
Reduced the number of ipset calls when adding ports for Active Directory (PR#1886)
-
pfmon tasks have their own configuration file (PR#1918)
-
new command "pfcmd pfmon" - for running pfmon tasks via pfcmd (PR#1918)
-
CentOS repositories (packetfence and packetfence-devel) packages are now signed (PR#1946)
-
Added way to unregister devices that were inactive for a certain amount of time (maintenance.node_unreg_window) (PR#1948)
-
Added a new last_seen column to nodes table to track their last activity (Authentication, HTTP portal, DHCP) (PR#1948)
-
Delete nodes based on the new last_seen column instead of looking at the last DHCP packet (PR#1948)
-
iplog: Floored lease time for "tolerance" (#1965/PR#1968)
-
Can now restart the switchport where a node is connected from the administration interface (PR#2006)
-
Added interface description to location entries (PR#2007)
-
New pffilter filtering engine (PR#2032)
-
Ability to manage multiple "active" endpoints behind a single switchport (PR#2034)
-
pfdhcplistner now runs as a master-worker style service (PR#2036)
-
Added a winbindd wrapper for the PacketFence managed winbindd processes (#2065/PR#2038/PR#2069)
-
Added a caddy middleware for rate limiting the concurrent connections (PR#2055)
-
Updated the Ruckus SmartZone module to use the most recent webauth technique available (PR#2059/PR#2088)
-
Added vsys support for PaloAlto firewall SSO modules (PR#2061)
-
Portal Profile has been renamed to Connection Profile (PR#2066)
-
Moved common flows / process of DHCP processors in base class (PR#2086)
-
Removed PacketFence-Authorization-Status attribute from the RADIUS replies to prevent RADIUS replies from being discarded due to an unknown attribute (#2085/PR#2087)
-
Added option to fetch users one by one in the NTLM cache instead of all together (PR#2093)
-
New parallel testing infrastructure (PR#2094)
-
Roles are now stored in a configuration file for easier backup and management (PR#2097)
-
Tightened up HAproxy’s SSL termination security (#893/#410/#411/#412)
-
Tightened up Apache’s encryption security by requiring TLS v1.2 support only and restricted cipher suites (#893/#410/#411/#412)
-
Clickjacking attack prevention enforcement for recent browsers (PR#2111)
-
Cross-site scripting (XSS) filtering is now requested from your browser (PR#2114)
-
Dell N2000 series support (#675/PR#2115)
-
All logging is now done through syslog (PR#2124)
-
IP forwarding is now activated by default per PacketFence package installation (#2145/PR#2146/PR#2148/PR#2149)
-
Added more fine grain stats for the captive portal (#1962/PR#2173)
-
Many documentation improvements (PR#2136/PR#2214)
-
Fixed addition of an UDP SRV record port as a TCP port (PR#1886)
-
Restored pf::api compatibility to Sourcefire module (#2048/PR#2019)
-
Avoid opening a double entry with wrong accounting values (PR#2113)
-
Added the ability to "format" the CN when using PKI (#2116/PR#2119)
-
pfdhcplistener doesn’t work on a monitor interface (#1377)
-
pfqueue stats: Outstanding Task Counters isn’t accurate (#1726)
-
pfdhcplistener: Segfaulting when keepalived transitions quickly from backup/master/backup (#1737)
-
pfdhcplistener takes a minute to die (#1791)
-
captive-portal: i18n labels for dynamic fields (#1911)
-
Fix incorrect node cleanup job handling.
-
Fix multiple firewall SSO not working when cached updates were enabled.
-
Removed usage of pf_memoize which could create a race condition when adding a node.
-
Fix incorrect locationlog informations because of a null role.
-
Fixed syntax error in generated Suricata rules
-
Fixed the Portal preview through the admin
-
Fixed issue extracting the SSID from the switch HP::Controller_MSM710
-
Twilio support as authentication source (PR#1951)
-
New Redis driven cache for NTLM (Active Directory) 802.1X authentications (PR#1885)
-
New Firewall SSO for WatchGuard (PR#1851)
-
Syslog based SSO support for Palo Alto firewalls (PR#1859)
-
Ubiquiti EdgeSwitch support (PR#1816)
-
New syslog receiver to update the iplog from Infoblox and ISC DHCP syslog lines (PR#1868)
-
Can now specify specific ports for passthroughs (#1078/PR#1926)
-
Added a RADIUS filter scope for VoIP devices (PR#1807)
-
Ability to customize the OU in which the machine account will be created (#1927)
-
Added new routes service to manage static routes (PR#1891)
-
Added an authentication source that prompts for the password of a predefined user (PR#1810)
-
Added Aruba webauth documentation (PR#1949)
-
Eduroam authentication sources can now match rule (PR#1940)
-
Maintenance patching can now use git in order to ignore files that shouldn’t be patched via the maintenance script (#807/PR#1931)
-
Can now print multiple guest passes per page without the AUP in the administration interface (#1409/PR#1930)
-
Allow to whitelist unregistered devices from violations (#1278/PR#1929)
-
Changed password.valid_from default value to "0000-00-00 00:00:00" so its value is valid across the whole application (#1920/PR#1922)
-
Added Percona xtrabackup restore procedure documentation (#1646/PR#1919)
-
Added a way to track if files backups and database backup succeeded (PR#1904)
-
pfmon will not register and start a process for disabled task (PR#1899)
-
Added a way to define two different ports for disconnect and CoA (PR#1894)
-
Configurator database step now takes care of 'mysql_secure_installation' (PR#1878)
-
Improved clustering guide for MariaDB and systemd (PR#1875)
-
Added a portal module action to skip other actions (PR#1869)
-
Reduced p0f CPU usage (PR#1867)
-
Updated collectd in order to have new graphs (PR#1863)
-
Do not "match" a rule if "requested" action if not configured in it (#1858/PR#1861)
-
Improved monit checks accuracy (PR#1849)
-
Rate limited the DHCP listener processes to prevent specific devices from performing a denial of service on the DHCP listening processes (#1722/PR#1845)
-
Improved performance of radacct database table cleanup (PR#1839)
-
Email templates can now be specified on a per-portal basis (#1322/PR#1823)
-
Added CLI login support for HP Procurve switches (#1710)
-
Added support for Ruckus SmartZone using web auth enforcement
-
Revamped default colours of the captive portal to a more neutral/grayish theme
-
Fixed iplog rotation retention configuration not always using the right param (#1896)
-
Reworked and "simplified" the logic of filtering authentication source for a realm (PR#1943)
-
Ability to customize the OU in which the machine account will be created (#1927/PR#1928)
-
Now limiting dates to 2038-01-18 in admin interface (#1126/PR#1923)
-
Remove unused configfile database table (PR#1902)
-
Enable haproxy on portal interface (PR#1893)
-
Prevent logging failure from making a process die (#1734/PR#1862)
-
pfmon should run on every server in active-active (#1852/PR#1853)
-
Removed the use of pf::cache::cached (#695/PR#1820)
-
Removed error when we receive a RADIUS request to test the RADIUS status (PR#1803)
-
Refactored pf::node::node_register to add return code and status code/message (#1797/PR#1798)
-
Removed unused traplog database table (#367/PR#1785)
-
RADIUS disconnect doesn’t work on the Ruckus switch module (#1971/PR#1988)
-
Added Mojo Networks WiFi equipment support (PR#1765)
-
Made Web admin reports more interactive (PR#1731)
-
Added new Eduroam authentication source type (PR#1642)
-
Allow to create different portal templates based on the browser locale (PR#1638)
-
Improved IP log performance (PR#1832 / PR#1828 / PR#1790)
-
Added fault tolerance on RADIUS monitoring scripts (PR#1831)
-
Improved the database and maintenance backup script (PR#1830)
-
Added password caching support for Novell eDirectory (PR#1829)
-
Improved caching of LDAP person data (PR#1826)
-
Improved clustering documentation (PR#1825)
-
Added RADIUS command line interface support on port 1812 (PR#1817)
-
Removed useless htaccess file search for each HTTP request (PR#1806)
-
Turned off HTTP KeepAlive to avoid connections holding onto Apache processes (PR#1801)
-
Added Cisco MSE documentation (PR#1799)
-
Ability to query 'iplog_archive' table for detailed IP/MAC history (PR#1793)
-
Now also display the status for sub services from the Web interface (#1040 /PR#1792)
-
Requests made with username 'dummy' will not be recorded in the RADIUS audit log anymore (PR#1789)
-
More lightweight p0f processing (PR#1788)
-
Remove useless logging in pfdns.log (PR#1782)
-
Added an activation timeout on sponsor source (PR#1777)
-
Improved captive portal logging (PR#1769)
-
Allow the OAuth landing page template to be customizable (PR#1767)
-
Use RESTful call for RADIUS accounting instead of Perl (#1760)
-
Optimized getting node information from the database (PR#1753)
-
New action generateconfig for pfcmd service command (PR#1744)
-
Added memory limitation for httpd.portal processes (PR#1738)
-
Added predefined search in RADUIS audit log and DHCP Option 82 log (PR#1716)
-
Improved display of fingerprinting informations in the nodes search (PR#1709)
-
Allow captiveportal::Form::Authentication to be customize (PR#1666)
-
Default config overlay for switches.conf, profiles.conf, pfqueue.conf and violations.conf (PR#1647)
-
Optimized queries for finding open violations (PR#1718)
-
Fixed floating devices in active/active clusters (PR#1800)
-
Fixed and improved syntax of
pfcmd ipmachistory
(#1794) -
Fixed wrong bandwidth calculation on RADIUS accounting (#1733)
-
Fixed empty Calling-Station-Id in RADIUS accounting (PR#1756)
-
Make sure connection caches are cleared after forking (#1748 / #1749 / PR#1751)
-
Added a workaround for DHCP clients that do not respect short lease times (#1673)
-
Added namespace parameter in WMI rule (PR#1633)
-
Fixed non-working switch ranges with external portal (#1574 / PR#1613)
-
Joining a domain will sometimes return a 500 even though it succeeded (#1821/#1818)
-
Cisco WLC ignores our CoA requests but accepts our Disconnect Requests (#1819)
-
pfdetect: pipe is closing when no content (#1814)
-
Condition
is a Phone
in RADIUS audit log is not working properly (#1813) -
Condition AutoRegistration in RADIUS audit log is not working properly (#1812)
-
Configurator: Status on the services doesn’t work (#1811)
-
Invalid SQL for iplog_cleanup_sql (#1802)
-
Added request cache support (#1775)
-
Added stack trace logging (#1774)
-
Removed redundant SQL indexes (#1773)
-
Removed unused code in pf::locationlog (#1772)
-
Fixed missing fields in RADIUS audit log (#1395)
-
Fixed RADIUS audit log hours selection (#1364)
-
Added EAP-FAST support
-
MySQL is now supported as the Fingerbank database backend
-
Integration with Cisco MSE adds maps, location based portals and notifications
-
Added the ability to locate a device based on DHCP Option 82
-
Added support for Meraki wired switches
-
New SQL reporting allows creation of personalized reports
-
Added support for Brocade CLI RADIUS authentication
-
Added support for OpenWrt Chaos Calmer 15.05 with hostapd
-
Added configuration conflict handling for active/active clusters
-
Fingerbank configuration is now cached
-
Removed the pf/var directory from the backups to make them smaller
-
Fingerbank is now configurable from the initial PacketFence configurator
-
Added support for Xirrus switches CLI RADIUS authentication
-
Pinterest and Instagram are now supported as OAuth authentication sources
-
Support for Suricata md5 extraction over SMTP protocol
-
Added sample monit helper scripts under pf/addons
-
Added support for custom AUP template per portal module
-
Several improvements to Fingerbank to make it more user-friendly
-
Added option to export nodes and users within the web administration interface
-
Third parties can now extend what can be matched in profile filters
-
PacketFence created interfaces will now be excluded from Red Hat’s NetworkManager
-
Added the ability to restrict the modification of node roles by a user
-
Forbid trace mode in Apache default configuration
-
Improved validation of portal modules configuration
-
Added missing index to radacct table (fixes #1586)
-
Fixed searching nodes for "all" devices (fixes #1584)
-
Fixed invalid destination URL parsing
-
Fixed handling of provisioner return code in violations
-
Fixed binding of IP addresses in Active/Active mode
-
Fixed cluster status page issues with pid files
-
Fixed missing person lookup when using 802.1x autoregistration
-
Fixed permission issue on logrotation
-
Fixed invalid i18n of MAC address in node location view (fixes #1591)
-
Fixed L2 cache write error of new switches namespaces
-
Added support for CoovaChilli capable equipment
-
Added page to visualize the status of the services on all cluster members
-
Added support for RADIUS Change of Authorization on Meraki
-
Added configurable actions to be executed at the end of a portal module
-
Automatic registration of devices is now configurable from the GUI on a per profile basis
-
Added switch and switch group in violation trigger
-
Added switch group as a portal profile filter
-
Moved RADIUS audit log in its own module
-
Saved searches support for the RADIUS audit log module
-
The portal now supports RADIUS Challenge Response authentication
-
Added module to redirect to internal or external pages within the portal modules configuration
-
Added configuration checkup for cluster.conf
-
Added ability to limit the number of logins when creating a local account
-
Added choice of sending either RADIUS CoA or Disconnect when deauthenticating a device
-
Admin interface is now available on all members of the cluster without the need of being the master
-
FreeRADIUS now logs to a separate file per process (authentication, accounting, load-balancer)
-
Improved performance of the online/offline search
-
Fix profile filter saving incorrectly on Debian Jessie
-
Numerous improvements to i18n in the portal and administration GUI
-
Fixed e-mail registration not working when activating access through a proxy or firewall
-
Authentication log (auth_log) will now be cleaned automatically via pfmon (#1511)
-
Fixes incorrect graphite aggregation of metrics when data should not be averaged
-
Fixed example in vlan filters showing incorrect operand for user_name
-
Fixed the display of the aup when printing a user
-
Fixed email_instructions blocking email registration
-
Fixed FreeRADIUS dynamic clients hanging the server when the database fails to respond (#1500)
-
Fixed violation_add when applying one through bulk actions (#1510)
-
Fixed sessions remembering failed authentication sources
-
Fixed to listen to DHCPREQUEST in registration network when in cluster mode
-
Fixed pfdns to prevent pid file deletion when a child dies (#1444)
-
PacketFence will now handle the case where a source in the session is not available anymore
-
Fixed missing PID when using device registration (#1447)
-
Fingerbank update will no longer sync all servers anymore
-
VoIP detection flags default will now be undef in admin interface
-
Suricata renamed to suricata_event in violations.conf.example
-
The captive portal will now handle User Agent strings properly
-
PacketFence will now delete the user (not device) session after activating sponsor
-
Fixed incorrect MAC address formatting in the reporting section of the GUI
-
Fixed "reuse dot1x credentials" in captive portal
-
Fixed incorrect SNMP traps handling
-
Fixed incorrect MAC address handling in radius accounting
-
Added a check to database backup script for mariadb
-
Fixed unregistration date handling when using email registration
-
Added back the option to set the logo in a portal profile
-
Fixed Blackhole and Null authentication portal modules (#1439)
-
Added missing username field in Debian maintenance crontab
-
Fixed web authentication web form release in captive portal
-
Validate configuration identifiers so they don’t contain invalid characters (#1417)
-
Fixed incorrect samba handling of "%h" in server name
-
Fixed registration ACL computing for Cisco WLC and 2960 in web authentication
-
Adjust pfdetect startup order to allow Snort / Suricata to start
-
Fixed pfsetvlan compilation error
-
Fixed violations internationalization
-
Fix incorrect rogue dhcp detection
-
Fully redesigned frontend and backend of the captive portal
-
'Parking' state for unregistered devices (where it will have a longer DHCP lease time and will only access a lightweight portal)
-
CentOS 7 and Debian 8 (Jessie) support
-
RADIUS support for Avaya switches
-
pfdns filter engine (added a way to return custom answers in pfdns)
-
Redirect URL are defined in Role by Web Auth URL switch configuration (Cisco)
-
Added support for Captive-Portal DHCP attribute (RFC7710)
-
Added Google Project Fi as a SMS carrier for SMS signup option
-
FreeRADIUS 3 support with Redis integration
-
Added ability to expire users
-
Automatically update all the Fingerbank databases (Redis, p0f, SQLite3)
-
Do not allow the TRACE method to be used in any of the web processes
-
Can now limit the maximum unregdate an administrator can set to a person
-
Added option to disable the accounting recording in the SQL tables
-
Added caching of the latest accounting request for use in access reevaluation
-
Reduced the number of webservices calls during RADIUS accounting
-
Added configuration for Apache 2.4 with Template Toolkit
-
Added a timer for each RADIUS request (radius audit log)
-
Assign the voice role to VoIP devices when PacketFence detects them
-
Renamed VLAN to Role in admin gui violation
-
Unregister a node from a secure connection to an unsecured one is now managed by the VLAN filters
-
Location history of a node show the role instead of the VLAN id
-
Documentation to configure Cisco switches with Identity Networking Policy
-
Trigger violation on source or destination IP address if they are in the trapping range networks
-
Performance improvement for VoIP detection
-
Added new RADIUS filter return option (random number in a range)
-
Reinstated iplog (iplog_history and iplog_archive) rotation/cleanup jobs performed by pfmon
-
DNS based enforcement as a new enforcement mode for routed networks
-
Captive portal authentication now supports SAML authentication
-
It is now possible to search for nodes that are online based on RADIUS accounting
-
Integration with Suricata MD5 extraction module to scan against OPSWAT MetaScan online scanner
-
Support for floating devices on HP Procurve switches
-
RADIUS CoA support added to Brocade switches
-
The NULL authorization source can now be combined with other sources
-
Added possibility to trigger Firewall Single Sign-On when an endpoint changes status
-
The username on a captive portal will no longer be stripped unless required otherwise
-
Improved UDP reflector documentation
-
Improved vendor specific attributes in radius filters
-
Now able to specify on which LDAP attribute we should match for SponsorEmail
-
Now able to strip a username in LDAP source even if not present in RADIUS request
-
Fixed incorrect provisioning that ignored broadcast state of provisioned SSID
-
Present a login page without login form when a blackhole source is used on the portal profile (#1021)
-
Fixed incorrect provisioning templates that required entering a password twice (#1119)
-
Fixed ambiguous SQL accounting stored procedure that could return duplicate results
-
Fixes incorrect IPv6 DHCP processing in pfdhcplistener
-
pfcmd will now validate the violation configuration in checkup
-
pfdns cached entries will now expire after 24 hours
-
Fix duplicate open entries in locationlog for voip devices
-
Avoid circular dependency when loading pf::Authentication::Source::StripeSource (1160)
-
Fix incorrect Cisco switch ACL number
-
Removed use of pf::class modules which caused compilation errors
-
Fixed an incorrect reload of the cached configuration (1157)
-
New RADIUS auditing report allows troubleshooting from the GUI
-
The email authorization source now allows to set roles based on the email used to register
-
New switch groups now allows to assign settings to multiple switches at once
-
DHCP filters now allow arbitrary rules to perform actions based on DHCP fingerprinting
-
Cisco switches login access can now be authenticated through PacketFence
-
The filter engine configuration can now be edited through the admin GUI
-
New dedicated search feature for violations in the nodes panel
-
New pfcmd pfqueue command allows managing the queue from the command line
-
New option to specify the authentication source to use depending on the RADIUS realm
-
Upgrade Config::IniFiles to allow faster loading of configuration files
-
Performance improvements to the filtering engine by avoiding unnecessary database lookups
-
New columns bypass_vlan and bypass_role are allowed to be import for nodes
-
Service start/stop order can now be configured through the admin GUI
-
Pagination can now be defined by the user in the admin GUI search results
-
The pfdns service now forks to process multiple requests in parallel
-
Added configurable timeout for send/receive operations on the OMAPI socket
-
The authorization process will now test if the role changed before reevaluating access
-
New option to add date based VLAN filter condition (is before date, is after date)
-
pfconfig backend can now be cleared via pfcmd
-
Improved RADIUS accounting handling for better performance
-
Remove old entries in ipset session
-
Always reevaluate the access if the order come from the admin gui (#1056)
-
Portal profiles templates are now properly synced between members of a cluster (#942)
-
Process requests properly when running a pfdhcplistener on an interface that has networks with and without dhcpd activated
-
Violation trigger from web admin will now override grace period (#1028)
-
Fix queue task counters out of sync when a task expires
-
Reworked the configuration backends to prevent a race condition of the configuration namespaces in active/active cluster (#1067)
-
Define each internal network to NAT instead of a global rule when passthroughs are enabled (#1118)
-
pf::CHI::compute_with_undef now supports cache options
-
Use the fingerbank cache instead of caching its result globally.
-
Update dependency to 2.1 for fingerbank.
-
Completed renaming of trap to reevaluate_access in violations.conf.example
-
Fixed deauthentication source IP not detected properly when no vip is assigned on the management interface (#1035)
-
Use proper API client when triggering a violation within pf::fingerbank
-
New device detection through TCP fingerprinting
-
New DHCPv6 fingerprinting through Fingerbank
-
New RADIUS filter engine to return custom attributes based on rules
-
Security Onion integration
-
Paypal payment is now supported in the captive portal
-
Stripe payment and subscriptions are now supported in the captive portal
-
New pfqueue service based on Redis to manage asynchronous tasks
-
Memcached has been replaced by Redis for all caching
-
pfdetect can now be configured through the administration interface
-
Added ability to detect hostname changes using the information in the DHCP packets
-
Added the ability to create 'not equal' conditions in LDAP sources
-
DoS mitigation on the captive portal through mod_evasive
-
Load balancing in an active/active process now uses a dedicated process
-
Authentication and accounting are now in two different RADIUS processes
-
Reworked violation triggers creation in the administration interface so it’s more user friendly
-
Added the ability to create combined violation triggers which allow to trigger a violation based off multiple attributes of a node
-
Suricata alerts can now trigger a violation based on the alert category or description instead of only the ID of the alert
-
Added ability to e-mail device owner as a violation action
-
The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurently
-
New ntlm_auth wrapper will log authentication latency to StatsD automatically
-
Handle Microsoft Windows based captive-portal detection mechanisms
-
Manage pfdhcplistener status with keepalived and run pfdhcplistener on all cluster’s members
-
New portal profile filter (sub connection type)
-
Added switch IP and description in the available columns in the node list view
-
Use SNMP to determine the ifindex based on the Nas-Port-Id
-
Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA
-
Added support for Nessus 6 scan engine
-
Added documentation for the Cisco iOS XE switches
-
Reworked existing billing providers to be PCI compliant
-
Billing providers are now part of the authentication sources
-
Billing tiers are now stored in the configuration instead of the source code files
-
Billing sources can now be used with other authentication sources on the same portal profile
-
DHCP packet processing is now fully done asynchronously to allow more PPS in the pfdhcplistener
-
Fixed log rotation issue with the carbon daemons
-
Fixed LLDP phone detection if only telephone capability is enabled (#964)
-
Fixed keepalived and iptables configuration for portal interfaces
-
Fixed improper httpd status code being set
-
Removed the node delete button
-
Fixed detection if the device asks for a portal per URI
-
Fixed 3Com switches ifIndex calculation in stack mode using SNMP
-
Not-found users will now be cached when using the caching in an LDAP source (#978)
-
Updating a node puts an invalid entry in the voip field
-
PacketFence now supports SCEP integration with Microsoft’s Network Device Enrollment Service during the device on-boarding process when using EAP-TLS
-
Improved integration with social media networks (email address lookups from Github and Facebook sources, kickbox.io support, etc.)
-
External HTTP authentication sources support which allows an HTTP-based external API to act as an authentication source to PacketFence
-
Introduced a 'packetfence_local' PKI provider to allow the use of locally generated TLS certificates to be used in a PKI provider / provisionner flow
-
New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed
-
Added the ability to define custom LDAP attributes in the configuration
-
Add the ability to create "administrative" or "authentication" purposes rules in authentication sources
-
Added support for Cisco SG300 switches
-
RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam
-
HAProxy TLS configuration has been restricted to modern ciphers
-
Improved error message in the profile management page
-
Allow precise error messages from the authentication source when providing invalid credentials on the captive portal
-
Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X
-
Added Kickbox.io authentication source which can allow a new Null type source with email validation
-
Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed
-
httpd.portal now serves static content directly (without going through Catalyst engine)
-
Introduction of a new configuration parameter (captive_portal.wispr_redirection) to allow enabling/disabling captive-portal WISPr redirection capabilities
-
File transfers through the webservices are now atomic to prevent corruption
-
New web API call to release all violations for a device
-
Added better error message propagation during a cluster synchronization
-
Added additional in-process caching for pfconfig proxied configuration
-
The server hostname is now displayed in the admin info box
-
Added a warning in the configurator when the user is configuring multiple interfaces in the same network
-
Added synchronization of the Fingerbank data in an active/active cluster
-
Client IP and MAC address are now available though direct variables in the captive portal templates
-
The IPlog can now be updated through RADIUS accounting
-
Devices in the registration VLAN may now be allowed to reach an Active Directory Server
-
Added an option to centralize deauthentication on the management node of an active/active cluster
-
Added the option to use only the management node as the DNS server in active/active clustering
-
Improved Ruckus ZoneDirector documentation regarding external captive portal
-
pfconfig daemon can now listen on an alternative unix socket
-
Improved handling of updating the /etc/sudoers file in packaging
-
Improved roles handling on AeroHive devices
-
Fix case where status page links would be pointing to the wrong protocol (HTTP vs HTTPS)
-
set_unreg_date and set_access_duration actions now have the same priority when matching rule and actions (#816)
-
Fixes the database query hanging in the captive portal
-
The person attributes lookup will now be made on the stripped username if needed (#888)
-
Active/active load balancing will now be dispatched based on the Calling-Station-Id attribute.
-
Fix unaccessible portal preview when no internal network is defined (#790)
-
Fixed a case where the wrong portal profile can be instantiated on the first connection
-
Improved error message in the profile management page (#858)
-
Do not use the PacketFence multi-domain FreeRADIUS module unless there are domains configured in PacketFence (#868)
-
We now handle gracefully switches sending double Calling-Station-Id attributes (#864)
-
Prevent OMAPI from being configured on the DHCP server without a key (#851)
-
Switched to the memcached binary protocol to avoid memcached injection exploit
-
Fixed ipset error if the device switches from one inline network to another
-
Fixed wrong configuration parameters for redirect url (now a per-profile parameter)
-
Fix bug with validation of mandatory fields causing exceptions in signup
-
Made DHCP point DNS only on cluster IP if passthroughs are enabled in active/active clusters (#820)
-
Defined the maximum message size that SNMP get can return (fixes VOIP LLDP/CDP detection on switch stacks #738)
-
Support for Single Sign-On integration with the iboss platform
-
Support for web authentication for NATed clients
-
Support for MAC Authentication and 802.1x for Alcatel-Lucent switches
-
Support for the IBM StackSwitch G8052 switch
-
New Powershell scripts to allow unregistering nodes for disabled accounts on Active Directory
-
Force a JSON response if the Accept header is set to 'application/json'
-
Fingerbank processing in pfdhcplistener is now asyncronous using the webservices
-
Integration of pfconfig commands in bin/pfcmd
-
Added web form registration to Ruckus Controllers
-
Improved database maintenance script to prevent prolonged locking of tables
-
Active/active mode will now send gratuitous ARPs to update routers when changing master node
-
Fixed multiple XSS vulnerabilities in the administration GUI
-
Fixed incorrect RADIUS realm detection when using windows computer authentication
-
Fixed an issue with pfdns returning the wrong IP when using active/active mode
-
Fixed an issue on Debian and Ubuntu where the GUI could not change some field values
-
Fixed incorrect graphite document root on Ubuntu
-
Fixed SMS bug where the list of carriers could be accidentally deleted
-
Introducing support for the PacketFence PKI application to manage certificates and authenticate RADIUS using EAP-TLS.
-
Twitter OAuth is now supported as an authentication source.
-
New 'portal' interface type to spawn a captive-portal instance on selected interface.
-
Traffic shaping support for Inline mode managed by an ipset session per devices role.
-
Support for OpenWrt 14.07 with hostapd.
-
Specific vhost for httpd.portal diagnostics.
-
Added option to disable logging of sensitive information when failing to execute a command through pf_run.
-
Support for Meraki APs using web authentication on the cloud controller.
-
Passwords are now obfuscated in the Switch configuration.
-
Introduced new 'ports.httpd_portal_modstatus' configuration parameter to limit modstatus to a single virtual host.
-
Allow the usage of an external monitoring database when using an active/active cluster.
-
Validate that a provisioner is not used before deleting it through the administration interface.
-
Stopped logging database password on schema import failure.
-
Fixed incorrect error message when an external portal authenticated device hits the unknown state.
-
New activation_domain feature allowing to expose a different domain than PacketFence’s name in email templates
-
Added Windows Management Instrumentation (WMI) as a scan engine
-
Multiple scan engine definitions based on the OS type and role
-
Scan definition based on portal profiles
-
New external command action in violation
-
New API methods for adding, viewing or modifying a person
-
New performance dashboard based on Graphite allows tracking of core performance metrics such as number and latency of RADIUS requests, number of httpd processes and authorization latency
-
Define range of network switches (CIDR) in switch configuration
-
Module for Cisco Aironet 1600
-
Added ability to join an Active Directory domain directly from the administration interface
-
Added the ability to join multiple Active Directory domains for EAP-PEAP authentication
-
Verify if the database schema matches the current version of PacketFence
-
Removed the unnecessary "Upstream" listing from the "Combination" menu item of Fingerbank section
-
Ability to search in Fingerbank "Local" "Devices" listing
-
Allow rules to match on both source and action
-
pfsetvlan and snmptrapd are now stopped by default as most users no longer require them
-
Improve the end process redirection on the captive portal
-
Refactor mandatory fields to be dynamic and update the person table with them
-
Moved raddb/sites-enabled/packetfence and raddb/sites-enabled/packetfence-tunnel in conf/radiusd
-
pfcmd can now validate that certificates used by Apache and FreeRADIUS are still valid
-
Added new SMS carrier for Switzerland
-
Ability to fix Fingerbank files permissions from pfcmd fixpermissions
-
Fixes tables displaying bugs in Fingerbank menu items
-
Fixed search values not being preserved in some cases
-
Fixed switch access list field turning into an object reference
-
Fixed bad redirection to the portal at the end of the registration process
-
Better handling of Fingerbank errors
-
PacketFence will no longer automatically start after an upgrade. This prevents problems in an active/active configuration.
This release is a bug fix only. No new features were introduced.
-
Added availables options (submit unknowns and update database) to the Fingerbank Settings page.
-
PacketFence will now leave clients.conf.inc empty if cluster mode is disabled.
-
PacketFence will longer unregister a device in pending state if the device is hitting the portal more than once while in "pending" state.
-
Fixed broken violation release process.
-
Fixed multiple lines returning from pfconfig.
-
Fixed undefined variables in portal template files.
-
Fixed provisioners OS detection with Fingerbank.
This release is a bug fix only. No new features were introduced.
-
A number of strings have seen their translations improved.
-
The Debian and Ubuntu documentation has been split and made clearer.
-
Detailed which features may not work in active/active cluster mode in the documentation.
-
Added missing CHI File driver.
-
Delete left over Config::Fingerprint module in Debian and Ubuntu.
-
Fixed pfmon not starting when running a standalone PF server.
-
Fixed broken OS reporting.
-
Added missing dependency on perl-SOAP-Lite for packetfence-remote-snort-sensor.
-
Updating iplog without a lease time now reset end_time to default (0000-00-00 00:00:00) to avoid "closing" a valid entry
-
fixed pfcmd watch emailing functionality.
-
dhcpd will now properly obey the "disabled" configuration.
-
Fixed bulk apply of bypass roles for node in the admin GUI
-
New active/active clustering mode. This allows HTTP and RADIUS load balancing and improves availability.
-
Fingerbank integration for accurate devices fingerprinting. It is now easier than ever to share devices fingerprinting.
-
Built-in support for StatsD. This allows fine grained performance monitoring and can be used to create a dashboard using Graphite.
-
Local database passwords are now encrypted using bcrypt by default on all new installations. The old plaintext mode is still supported for legacy installations and to allow migration to the new mode.
-
Devices can now have a "bypass role" that allows the administrator to manage them completely manually. This allows for exceptions to the authorization rules.
-
Support for ISC DHCP OMAPI queries. This allows PacketFence to dynamically query a dhcpd instance to establish IP to MAC mappings.
-
Completely rewritten pfcmd command. pfcmd is now much easier to extend and will allow us to integrate more features in the near future.
-
Rewritten IP/MAC mapping (iplog). Iplog should now never overflow.
-
New admin role action USERS_CREATE_MULTIPLE for finer grained control of the admin GUI. An administrative account can now be prevented from creating more than one other account.
-
PacketFence will no longer start MySQL when starting.
-
PacketFence will accept to start even if there are no internal networks.
-
Added a new listening port to pfdhcplistener to listen for replicated traffic.
-
Added a 'default' default user in replacement of the admin one.
-
Adds support for HP ProCurve 2920 switches.
-
Iptables will now allow access to the captive portal from the production network by default.
-
Major documentation rewrite and improvements.
-
The admin GUI is now customizable.
-
New category filter on portal profile allows to select a portal based on existing role of a device.
-
New PacketFence-config service allows effortless scaling to thousands of switches and reduces memory use.
-
Nodes are now searchable by status
-
Removed SSLv3 and legacy ciper suites support from default httpd configuration to prevent POODLE exploit and FREAK attack.
-
Added an option to display Bypass VLAN of a node in the Admin GUI.
-
Added nested groups support for Active Directory.
-
It is now possible to check if a device has already authenticated as member of an Active-Directory domain prior to user authentication.
-
Improved portal language detection.
-
Devices will now avoid autocorrect / uppercasing the login field in the captive portal.
-
Now supports roaming without SNMP on Aerohive APs.
-
Fixed broken default behaviour when receiving an SNMP trap.
-
Fixed email confirmation template for sponsor.
-
Fixed email subject encoding.
-
Fixes allowing a non-sponsored user to verify a sponsored email address.
-
Fixed invalid floating device creation where the MAC address was not normalized.
-
Fixed the date range search in node advanced search.
-
Fix dynamic unregdate breaking when handling the infinite unregdate '0000-00-00'
-
Fixed issue where the same password can be generated multiple times
-
Assigned LC_CTYPE to C during postinstall script on debian to prevent i18n issues during installation.
-
Fixed dynamic_unreg_dated called from the wrong place
-
Fix searching for switches in the admin gui
-
Fixed broken default behavior when receiving an SNMP trap.
-
Added support for MAC authentication on the AeroHIVE Branch Router 100
-
Added support for MAC authentication floating devices on Juniper EX series, and on the Cisco Catalyst series
-
Added a hybrid 802.1x + web authentication mode for Cisco Catalyst 2960
-
Added a web notification when network access is granted
-
Added the ability to tag functions that are allowed to be exposed through the web API
-
Added WiFi autoconfiguration for Windows through packetfence-windows-agent
-
Added a "Chained" authentication source where a user must first login in order to register by SMS, Email or SponsorEmail
-
Added call to the web API from the VLAN filters
-
Added a way to retrieve user information after the first registration
-
Added the ability to filter profiles by connection type
-
Profiles can be matched by all or any of its filters
-
Can optionally cache the results of LDAP rule matching for a user
-
New portal profile parameter to set a retry limit for SMS-based activation
-
The information available from an OAuth source (first name, last name, …) are now added to the person when registering
-
Allow limiting the user login attempts
-
Added Check Point firewall integration for Single Sign-On
-
Added httpd.aaa service as a new API service for the exclusive use of RADIUS
-
More precisely define which DHCP message types we are listening for
-
Removed dead code referring to 'external' interface type which was no longer supported
-
Added VLAN filter in getNodeInfoForAutoReg and update/create person even if the device has been autoreg
-
Refactored the VLAN filter code to reduce code duplication
-
Added IMG path configuration parameter in admin
-
Added the ability to restrict the roles, access levels and access durations for admin users based on their role/access level
-
Reduced deadlocks caused by the cleaning of the iplog table
-
Reduced deadlocks caused by the cleaning of the locationlog table
-
Reorganized the portal profile configuration page
-
Added checkup on Apache filters and VLAN filters
-
Created a single LDAP connection when matching against multiple rules
-
Reduced the numbers of entries in iplog table (update end_time instead of closing and inserting a new line)
-
Now matching on language and not only language/country combination for violation templates (See UPGRADE guide)
-
PacketFence FreeRADIUS will return reject on "NAS-Prompt-User" Service-Type requests (Console login using RADIUS as backend)
-
PacketFence now allows limiting the number of times a user can request an sms message
-
Fixed old MAC addresses being left on port-security enabled ports in a RADIUS + port-security environment
-
Fixed firewall rule that allows httpd.portal to be reached on management IP when pre-registration enabled
-
Fixed creating a new file from the Portal Profile GUI in a subdirectory
-
Improved log rotation handling
-
Fixed previewing templates in the admin GUI
-
Fixed bulk applying of roles and violations in the admin GUI
-
Fixed importing of nodes when no pid is given
-
Added a cleanup of trailing and leading spaces of the posted username during the login
-
Fixed wrong regex to detect ifindex in Cisco switches
-
Honor order of profiles when matching profile filters
-
Fixed URI based portal profiles
-
Fixed XSS vulnerabilities in the portal
-
Refresh node page after updating a node
-
Fixed multiple pfdhcplistener spawning
-
Fixed double display of the user page
-
Fixed displaying of rules description after updating source
-
Removed executable bit on some files which do not require it
-
Make Cisco web authentication sessions use less memory
-
Internationalized the provisioners templates
-
Added provisioning support for Symantec SEPM, MobileIron and OPSWAT
-
Barracuda Networks firewall integration for Single Sign-On
-
pfmon can now run tasks on different intervals
-
Added a way to reevaluate the access of a node from the admin interface
-
Added a "Blackhole" authentication source
-
Added a new violation to enforce provisioning of agents
-
Violation can now be delayed
-
Added portal profile filter based on switch-port couple
-
Cache the ipset rule update to avoid unnecessary calls to ipset
-
Dynamically load violations and nodes for a user for display in admin gui
-
Dynamically load violations for a node for display in admin gui
-
Ensure only one pfmon is running at a time
-
Fix issue with userMiscellaneous and userCustomFields not showing if user does not have NODES_READ privilege
-
Fix MAC detection from IP on the Catalyst portal when using web authentication on the WLC controller
-
Fix timestamp resolution not catching sub second changes in file in cache layer
-
Fixed handling of expiration time on the captive portal’s status page
-
Fixed viewing node pagination sorted
-
Added the possibility to search by computer name on the nodes page
-
Added support for the Anyfi Gateway (a Wi-Fi over IP tunnel aggregator)
-
Show portal profiles directly on the admin GUI
-
Added local account authentication for EAP
-
Added support for unreg date with dynamic year
-
Added support for NetGear FSM7328S switches
-
Added new network profile filter
-
Added external captive portal support for AeroHIVE
-
Added external captive portal support for Xirrus
-
Added support for Dynamic Access lists on the Cisco Catalyst 2960
-
Added the ability to search switches
-
Added support for Dlink DES3028 switches
-
Added reuse 802.1x credential on the portal profile
-
Added support for Mikrotik access point
-
Added ability to create local accounts when registering with external authentication sources
-
Added support to configure either NATting or routed mode for inline layer 2 interfaces from the GUI
-
Added informational messages in the GUI for inline interfaces
-
Improvement of Inline Layer 3 (Inline L3 can only be defined behind Inline Layer 2 network)
-
pfbandwidthd is now able to capture on all inline interfaces
-
Added an option to set the timeout value for LDAP connections in authentication sources
-
FreeRADIUS default configuration should now be more scalable and resilient to misbehaving devices
-
Added the possibility to create rules using the username in OAuth authentication sources
-
Added the RADIUS request to the VLAN filter
-
Moved from using Storable to Sereal to serialize cached data
-
Refactored portal profile filters to make it easier to extend
-
Improved support for Dlink DES 3526 switches
-
Rewrited log format [] for device MAC () for switch "" for userID
-
Improve error handling of web API
-
Raised ServerLimit on Apache httpd.portal, lowered httpd.portal Timeout and KeepAliveTimeout to improve responsiveness under load
-
Do not overlay the controllerIp if one is already defined when creating a switch
-
Verify the user roles level before creating a user via the admin GUI
-
Added test iplogs not closed in pftest
-
Remove direct usage of Apache2 modules in captive portal
-
Fix issue when adding multiple portal profile filters causing the wrong type to be picked
-
Fix issue when a trap is received for a switch that does not implement parseTrap()
-
Fix issue when a role is changed in the administration interface and the node’s access is not reevaluated
-
Fix issue when a passthrough is not able to be resolved and would generate an invalid DNS response
-
Fix missing files in logrotate file
-
Fix issue when setting a port in trunk on a Cisco Catalyst 3560, 3750 and 3750G would fail
-
Fix admin roles for bulk actions for nodes/users
-
Fix issue where person was not updated in the database because of a case (non) match
-
Fix send user password by email from the GUI
-
Fix backward compatibility issue for gaming-registration that should redirect to device-registration
-
Fix device-registration and status pages that were not accessible in inline mode when doing high-availability
-
Fix filetype of wireless-profile.mobileconfig not being set properly
-
Fix issue of iplog entries not being closed
-
Added MAC authentication support for Edge-corE 4510
-
Added support for Ruckus External Captive Portal
-
Support for Huawei S2700, S3700, S5700, S6700, S7700, S9700 switches
-
Added support for LinkedIn and Windows Live as authentication sources
-
Support for 802.1X on Juniper EX2200 and EX4200 switches
-
Added support for the Netgear M series switches
-
Added support to define SNAT interface to use for passthrough
-
Added Nessus scan policy based on a DHCP fingerprint
-
Added support to unregister a node if the username is locked or deleted in Active Directory
-
Fortinet FortiGate and PaloAlto firewalls integration
-
New configuration parameters in switches.conf to use mapping by VLAN and/or mapping by role
-
When validating an email confirmation code, use the same portal profile initially used by to register the device
-
Removed old iptables code (ipset is now always used for inline enforcement)
-
MariaDB support
-
Updated WebAPI method
-
Use Webservices parameters from PacketFence configuration
-
Use WebAPI notify from pfdhcplistener (faster)
-
Improved Apache SSL configuration forbids SSLv2 use and prioritzes better ciphers
-
Removed CGI-based captive portal files
-
For device registration use the source used to authenticate for calculating the role and unregdate (bugid:1805)
-
For device registration, we set the "NOTES" field of the node with the selected type of device (if defined)
-
On status page check the portal associated to the user and authenticate on the sources included in the portal profile
-
Merge pf::email_activation and pf::sms_activation to pf::activation
-
Removed unused table switchlocation
-
Deauthentication and firewall enforcement can now be done throught the web API
-
Added support to configure high-availability from within the configurator/webadmin
-
Changed the way we’re handling DNS blackholing when unregistered in inline enforcement mode (using DNAT rather than REDIRECT)
-
Now handling rogue DHCP servers based both on the server IP and server MAC address
-
We can now match exclusive authentication sources from vlan.pm. This allows using e.g. "NULL" auth and still have complex auhtorization rules. The primary use case is eduroam.
-
Fixed pfdetectd not starting because of stale pid file
-
Fixed SQL join with iplog in advanced search of nodes
-
Fixed unreg date calculation in Catalyst captive portal
-
Fixed allowed_device_types array in device registration page (bugid:1809)
-
Fixed VLAN format to comply with RFC 2868
-
Fixed possible double submission of the form on the billing page
-
Fixed db upgrade script to avoid duplicate changes to locationlog table
-
Rework logging to make it easier to follow the flow of registration
-
Allow users to login to see node in status page
-
pf-maint script uses new branch structure
-
Remove double saving of iptables
-
Do a configreload hard only during a pf restart not everytime you restart
-
Fixed undefined function and HP Controller module
-
Fixed a test in pfsetvlan
-
Allow old gaming-registration URL to work
-
If node is not found in the database then use the default profile
-
Fixed logging in dispatcher
-
Fixed deletion of a user failing
-
Compute unregdate and save the role for autoreg 802.1x
-
Fixed portal profile URI filter in new Catalyst-based captive-portal
-
RADIUS accounting fixed to call the correct method to parse the RADIUS request
-
No longer need to repopulate password when updating a LDAP authentication source
-
Added check for profile directory existance
-
Added the ability to login from the status page
-
New pf::MAC class to manage MAC adresses.
-
Added missing node manager URL from dispatcher
-
Fixed URL redirection on captive portal
-
Fixed wrong templates for device registration
-
Removed a breaking dependency (#1793)
-
Fixed exception on device registration page (#1794)
-
Fixed syntax error in SQL upgrade script (#1795)
-
deauthenticateMac was not respecting inheritance
-
STDERR & STDOUT from external command now redirected to /dev/null
-
New 'Apply violation' bulk action
-
The same bulk actions for nodes are now available for users
-
New WRIX data management
-
Added PacketFence provisioning agent for Android
-
Support Hotspot for Cisco WLC and Aruba IAP
-
Support for Huawei AC6605 wireless controller
-
Support for Enterasys V2110 wireless controller
-
Support for Juniper EX2200 and EX4200 switches
-
Inline layer 3 support
-
New pfbandwidthd daemon for inline layer 3 accounting
-
New violation type based on time usage from RADIUS accounting information
-
New violation type based on bandwidth usage from pfbandwidthd information
-
New Mirapay online payment as a billing option
-
Billing tiers can now be defined with a real usage duration (instead of simply a timeout)
-
Billing: A confirmation email is sent when purchasing a tier
-
New status page with options to extend the network access (when billing is enabled with access duration) and to unregister any node associated to the current user
-
Integration of mod_qos in the Apache configuration of the captive portal
-
New pfcmd "cache" command
-
New pfcmd "configreload" command
-
Filters for HTTP requests on the portal
-
Mandatory fields during registration are now configured per portal profile
-
Expanded fields for person field
-
Allow pfcmd error/warning/success messages colors to be configurable
-
Allow rules on username for null authentication sources
-
Landing page of Web admin interface now depends on the user’s access rights
-
Reevaluate access when changing the role of multiple nodes (#1757)
-
Each portal profile can now use its own set of locales
-
Added a new URI filter for portal profiles
-
Switches configuration page is now paginated
-
LLDP support for 3Com 4000 Series
-
Multiple DNS server in the network configuration
-
Allow alias interface as captive portal
-
MAC Authentication support for Enterasys D2 switch
-
Added support for JSON-RPC and msgpack RPC over HTTP for webservices
-
Made msgpack the default RPC for RADIUS
-
Improved performance of webservices by preloading Perl modules
-
Regexp filter for LDAP source is now case-insensitive
-
Improved maintenance database script
-
Preserve and restore the URL fragment when the web session expires in Web admin (#1780)
-
Logging is now separated and configurable for each service
-
Added missing 'redirect_url' paramater when editing a violation in the Web admin
-
Complete rewrite of captive portal as a Catalyst application
-
Added a section documenting eduroam support to the Admin guide
-
Controller IP address can be determined dynamically
-
Added a file backing for the cache to decrease cache misses
-
Allow advanced search of nodes by OS type (#1790)
-
The PF RPC client can be configured in the conf/radiusd/radiusd.conf
-
Added PacketFence RADIUS dictionary
-
Fixed retrieval of ifIndex in Cisco Catalyst 2950 module
-
Fixed Snort and Suricata services management
-
Fixed issue when saving a users search in Web admin
-
Fixed JavaScript error with IE8 on Web admin users page
-
Fixed Web admin access restrictions for users and nodes creation
-
Fixed SQL query of connection types report in Web admin
-
Fixed blank page with WISPr on OS X
-
Fixed nodes simple search by IP address
-
Fixed access reevaluation when changing the status of a pending node
-
Fixed network access for users with no "set role" action (#1778)
-
Fixed conversion of wildcards to regular expressions in domains passthroughs
-
Fixed display of last IP address of nodes when end_time is in the future
-
Fixed XSS issues in Web admin
-
Fixed extractSsid for Cisco Aironet and Cisco Aironet WDS
-
Portal profiles can now be filtered by switches
-
Proxy interception support
-
New pfcmd "fixpermissions" command
-
Added a "Null" authentication source for simple "Click to connect" portals
-
Displayed columns of nodes are now customizable
-
Create a single node or import multiple nodes from a CSV file from the Web admin interface
-
LDAP authentication sources can now filter by group membership using a second LDAP query
-
Extended definition of access durations
-
FreeRADIUS no longer needs to be restarted after adding a switch
-
New customizable ACLs for the Web admin interface
-
Force10 switches support
-
Improved error messages in RADIUS modules
-
Simple search for nodes now includes IP address
-
Search by MAC address for nodes and users now accepts any MAC format
-
Improved starting delay when using inline mode
-
Added memcached as a managed service
-
Added CoA support for Xirrus access point
-
Improved validation of VLAN management
-
Updated FontAwesome to version 3.2.1
-
Each portal profile can now have a different redirection URL
-
Initial destination URL is now respected with Firefox
-
An Htpasswd source can now define sponsors
-
Improved display of pie charts (limit of legend labels and highlight of table rows)
-
Creation of users is now performed from the users page (was on the configuration page)
-
Validate file path when saving an Htpasswd authentication source
-
Improved validation of a sponsor’s email address
-
Allow actions depending on authentication source type
-
Modified logrotate so it uses copytruncate instead of restarting the services.
-
Now comes with a corosync compatible barnyard2 init script in addons.
-
Unreg the node when you come from a secure connection to an open connection
-
Allow a self-registered node by SMS to go back to the registration page
-
Sponsor email authentication source can refuse email addresses of the local domain (as the email source)
-
Updated German (de) translation
-
RADIUS configuration files are no longer replaced when updating packages
-
Fixed match of Htpasswd authentication source (#1714)
-
Fixed creation of users without a role (#1721)
-
Fixed expiration date of registration to the end of the day (#1722)
-
Fixed caching issue when editing authentication sources (#1729)
-
Allow rules with dashes (#1730)
-
Fixed vconfig setting the wrong name_type
-
Fixed help text in Web admin (#1724)
-
Removed references to unavailable snort rules (#1715)
-
Fixed LDAP regexp condition not considering all attribute values (#1737)
-
Fixed sort by phone number and nodes count when performing an advanced search on users (#1738)
-
Fixed users searches not being saved in the proper namespace
-
Fixed handling of form submit when saving a user search
-
Fixed self-registration of multiple unverified devices
-
Fixed duplicate entries in advanced search of nodes
-
Fixed advanced search by node category
-
Fixed reordering of conf sections and groups (#1749)
-
Fixed pid of SMS-registered devices (was "admin" in certain circumstances)
-
Fixed saving of 'allow local domain' option when disabled in an email authentication source
-
The 'allow local domain' option of the email source will now only affect the user who registers by email
-
Fixed ifoctetshistoryuser command to use the correct query when just a user is given
-
Fixed network-detection for IE 8
-
Fixed SQL query of SSID report in Web admin
-
New Polish (pl_PL) translation (thanks to Maciej Uhlig <[email protected]>)
-
Improved display of filters and sources (DynamicTable) in portal profile editor
-
Ensure the VLAN naming scheme is set on start up
-
When no authentication source is associated to the default portal profile, all available sources are used
-
Phone number is now editable from the user editor
-
Updated fingerprints of gaming devices (Xbox)
-
Moved pfmon to a single process daemon and added the ability to restart itself upon error
-
Added new test tool bin/pftest
-
Improved SQL query in pf::node when matching a valid MAC
-
Allow change of owner in node editor (with auto-completion)
-
iptables management by packetfence is now optional
-
Allow advanced search of users and nodes by notes (#1701)
-
Added better error/warning messages when adding a violation with pfcmd
-
Output the violation id for pfcmd violation add command when the json option is supplied
-
Fixed XML encoding of RADIUS attributes in SOAP request
-
Fixed retrieval of user role for gaming devices
-
Fixed SQL query of connection types report in Web admin
-
Fixed issue with anonymous LDAP bind failing with searches
-
Fixed email subject when self-registering by email
-
Fixed empty variables of preregistration email template
-
Fixed detection of guest-only authentication sources when no source is associated to the portal
-
Fixed stylesheet for Firefox and IE when printing user access credentials
-
Fixed display of IP address in advanced search of nodes
-
Fixed advanced search of nodes by violation
-
Fixed advanced search of users by sponsor
-
Fixed various caching issues
-
Fixed various logged warnings
-
Fixed various authentication issues (#1693, #1695)
-
Improved validation of sponsor’s email
-
Self-registration by sponsor now works without having to define an email authentication source
-
Fetching VLAN for dot1x connections is now limited to internal authentication sources
-
Splitted internal and external classes in dropdown menu of authentication types
-
Show error message when trying to delete a source used by the portal profiles
-
Documentation of the vip parameter for management interface
-
Authentication is now limited to internal sources
-
DynamicTable widget now allows to drag’n’drop under last row
-
Connections on port 443 are now accepted for self-registration (#1679)
-
Use virtual ip when available for SNAT
-
Remote conformity scan engines (Nessus/OpenVAS) can now scan devices in unregistrated state on inline networks
-
Returned per-switch role (if configured) for "Role mapping by switch role" rather than sending the user role
-
Added new regexp operator for strings in authentication rules
-
Automatic landing on the sign-in page if no internal/oauth authentication source is used by the portal profile
-
Self-registration is now enabled when a profile has at least one external authentication source
-
Authentication sources of portal profiles are now displayed in a sortable table
-
Sort actions of a violation in reverse order to set the role before auto registration
-
Added hostapd configuration in the Network Devices Configuration Guide
-
Version number is now sent when submiting dhcp and useragents fingerprints
-
External authentication sources of portal profiles are not respected
-
A portal profile can have multiple external authentication sources of the same type
-
Port 443 on the management interface is not open when gaming registration is enable
-
Crash of FreeRADIUS with SOAP::Lite prior to version 1.0
-
Wrong permissions on the logs files causes an error with the log action of violations
-
Error with violations with tainted chain in pfmailer and action_log subroutines
-
Triggering a violation with a trap action doesn’t reevaluate access
-
authentication.conf and profiles.conf are overwritten when updating PacketFence
-
First element of button groups is not properly displayed
-
Sponsors are not extracted from LDAP sources
-
New buttons to clone a switch, a floating device, and a violation
-
New version number in the top navigation bar
-
Form toggle fields don’t support all variations
-
Counters and graphs for today are empty
-
Maintenance interval is not respected in pfmon
-
Optgroup labels in select menus are hidden when build multiple times
-
Callbacks are performed on every ReadConfig
-
Guest modes don’t show up on captive portal
-
Authentication source is not respected when matching actions in register.cgi
-
Replaced bind with pfdns - PacketFence’s own DNS server
-
Rewrote Oauth2 support (based on ipset sessions)
-
New counters bellow line graphs of reports
-
Support for anonymous bind in LDAP authentication sources
-
Added support for date and time conditions in authentication sources
-
Added "is not" condition on connection type
-
Extend simple search of nodes to match MAC, owner and computer name
-
Added search and display of the a user’s telephone number
-
Can now have multiple external authentication sources
-
Increased speed of loading configuration from the cache
-
Each portal profile can now use a list of authentication sources
-
A switch definition can now be easily cloned
-
Switches are now ordered by IP address
-
LDAP SSL and STARTTLS now works as expected.
-
Re-evaluate network access when changing a node status
-
Re-evaluate network access when closing a violation
-
Missing unit when interval is zero
-
Switch with empty inlineTrigger rises an exception
-
Web admin sets 'triggerInline' while libs expect 'inlineTrigger'
-
Condition on user email doesn’t work for email sources
-
Sponsors can’t be validated
-
Node search by person name is broken (#1652)
-
Can’t enable VoIP from switch configuration form (#1663)
-
Maximum number of nodes per user is not respected by role
-
Routed networks are not properly sorted (#1666)
-
Can’t edit notes of a node (#1667)
-
pfdetect_remote and pfarp_remote fix
-
Line graphs now automatically switch to a month-based view when the period covers more than 90 days
-
Debian 7.0 (Wheezy) packages
-
Default values override defined values in violations.conf
-
Wrong version of pf::vlan::custom
-
Groups in configuration files are not ordered under their respective section
-
mysqld is not enabled at startup
-
memcached is not enabled at startup
-
Access duration action doesn’t honor default values in web admin
-
Types in networks.conf are missing the "vlan-" prefix
-
Default pid in node table and config module must be "admin", not "1"
-
No warning when stopping httpd.admin
-
Match not performed by type in mobile-confirmation.cgi
-
Authentication rule condition on connection type doesn’t work
-
Authentication rule condition on SSID doesn’t work
-
Access level is lost when editing a user
-
Catchall rules won’t work in a htpasswd source
-
Minor visual improvements to the web admin interface
-
Statics routes not added on PacketFence restart
-
Brand new Perl-based Web administrative interface using the Catalyst framework
-
New violation actions to set the node’s role and deregister it
-
Support for scanning dot1x connections for auto-registration by EAP-Type
-
Support for auto registering dot1x node based of the EAP-Type
-
New searchable MAC Addresses module to query all existing OUI prefixes
-
New advanced search capabilities for nodes and users
-
New memory object caching subsystem for configuration files
-
Ubuntu packages (12.04)
-
Authentication sources can now be managed directly from the GUI
-
Roles (previously called categories) are now computed dynamically using authentication sources
-
Portal profiles and portal pages are now managed from the GUI
-
Fingerprints and User Agents modules are now searchable