Releases: inverse-inc/packetfence
v15.0.0
The Inverse team is pleased to announce the immediate availability of PacketFence 15.0 - a major release bringing many improvements!
Here's the complete list of changes included in this release:
New Features
- Support for downloadable ACLs (dACLs) on Cisco WLC (Wireless LAN Controller) IOS XE (#8643)
- Default Apache Kafka configuration for simplified deployment (#8711)
- Admin UI for pfflow network flow monitoring (#8613)
- Security Event Purge feature for automated cleanup (#8615)
- Dynamic iptables rules management system (#8688)
- Cisco Easy PSK (Pre-Shared Key) support (#8637)
- RADIUS proxy support via pfconnector (#8676)
- RADIUS accounting rate limiting for httpd.aaa API calls (#8494)
- Local account creation support for Null authentication source (#8608)
- Base64 JSON decoding for RADIUS attributes (decode strings prefixed with base64:) (#8619)
Enhancements
- Simplified Unbound DPSK (Dynamic Pre-Shared Key) code (#8519)
- Reduced CPU and memory usage for pfdhcp with code refactoring (#8631)
- Moved pfsetacl to pfdebian Docker image (#8599)
- Updated to Golang 1.24.1 and improved tests to pass go vet (#8589)
- Added pprof profiling support for Caddy web server (#8636)
- Implemented automatic SSH reconnection for pfconnector (#8656)
- Generated encryption keys with local path for material artifacts (#8560)
- Added upgrade capability to easily download latest RPM or DEB packages (#8526)
- Enabled GitLab pipeline creation via API matching web interface (#8752)
- Implemented KISS (Keep It Simple, Stupid) EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) tests (#8665)
- Configurable Azure AD OAuth URLs (scope, graph, and OAuth endpoints) (#8612)
- Moved Fingerbank database to pfdebian Docker image (#8600)
- Major documentation overhaul with improved structure, troubleshooting guides, and cross-references (#8772)
- Updated Kafka, pfflow, and Fingerbank Collector documentation (#8614)
- Updated PKI certificate documentation (#8748)
- Improved documentation build process with includes (#8716)
- Added additional fields for improved troubleshooting in NTLM Auth API (#8567)
Bug Fixes
- Fixed form validation issues (#8776)
- Fixed UID/GID (User ID/Group ID) ownership for PacketFence and Fingerbank (#8749)
- Fixed additional cluster UID/GID ownership issues (#8790)
- Fixed Firefox browser compatibility issues (#8758)
- Fixed email activation expiration handling (#8780)
- Fixed database backup behavior on cluster non-master nodes (#8789)
- Added double quotes when searching upgrade files in export (#8731)
- Fixed cluster-to-standalone migration documentation reference (#8724)
- Moved 11.x upgrade documentation to archive, added copy buttons, fixed documentation links (#8762)
- Fixed various issues (#8778, #8755, #8718, #8693, #8686, #8659, #8652, #8605, #8522)
- Fixed dynamic ACL (Access Control List) feature for HP AOS Switch v16 (#8583)
- Fixed pfperl-api manager exit triggered by pfperl-api worker termination (#8629)
- Disabled common name validation in certificate checks (#8606)
- Fixed logic conflict when pfacct and radius-acct are both enabled (#8175)
- Fixed skipped entries in RADIUS audit log (#8621)
Security Fixes
v14.1.0
The Inverse team is pleased to announce the immediate availability of PacketFence 14.1 - a minor release bringing many improvements!
Here's the complete list of changes included in this release:
New Features
- Upgrade to FreeRADIUS 3.2.6 (#8290) - Fixes RadiusBlast, enhances RADIUS security, and improves client and proxy handling.
- NTLM Auth multi-threaded machine-accounts (#8335) - Boosts authentication performance and scalability.
- OS based Cisco Switch Modules (#8365) - Simplifies setup and improves Cisco device compatibility.
- Secrets encrypted at rest (#8406) - Strengthens security by protecting sensitive data.
Enhancements
- Use proxysql packages in the docker image instead of compilling from the sources (#8267)
- Move SSO options to Firewall SSO from Advanced (#8303)
- PKI - Multiple certificate with same Common Name (#8310)
- Improved Ruckus Unbound DPSK (#8315)
- Improved Docker images (#8337)
- Support for case-insensitive LDAP Explorer attributes (#8366) @E-ThanG
- Custom taggable LDAP Explorer attributes (e6435e8)
- Performance improvements on pfacct (#8369)
- Added Aruba-MPSK-password attribute (#6957)
- Reduce time to flush the RADIUS log (#8397)
- Improve DPSK (#8356)
- Improve Mikrotik Disconnect (#8418)
- Select the first device that matches MFA (#8400)
- Improve pfdhcp DB connection (#8419)
- Track TLS certificate attributes per node (#8416)
- Kafka UI Config (#8421)
- Netdata Upgrade (#8399)
- Updated Cisco-WLC AireOS WiSM module (#8455)
- FortiGate syslog DHCP parser (#8459)
- Improved regex for Forti-analyser (#8470)
- Update documentation for node-specific domain configuration file (#8437)
- Add ProxySQL metrics to Netdata (#8502)
- Add Webauth, DPSK and unbound DPSK for Juniper Mist (#8495)
- Improve NTLM Auth API logging (#8516)
- Update ip4log on RADIUS authentication request with Framed-Ip-Address (#8521)
Bug Fixes
- Don’t generate all the time a mac address when using the GenericVPN switch module (#8270)
- Add missing parameters for authentication rule match (#8306)
- Fixed the dynamic role assignment issue for Aruba switch modules (#8331)
- Show only registered nodes on status page (#8382)
- Fixed pfperl-api restart (#8391)
- Fixed deauthOnPrevious with webauth (#7319)
- Fixed IP resolution on LDAP SSL verification (#6808)
- Fixed NAS-Port to ifIndex on Comware v7 switches (#8062) @bmp96
- Fix Debian sudoers (#7908) @andrew-grasso
- Fix Clickatell Messages (#7623)
- Fix Fingerbank profile overwrite (#8468)
- Clear person lookup cache after deleting a person (#8460)
- Fix pfconnector TCP/UDP port allocation (#8446)
- Fix set VLAN on generic SNMP switch (#8486)
- Fix unbound DPSK in Ruckus and OpenWifi switch module (#8496)
- Fix machine account creation on cluster (#8512)
Security Fixes
Contributors
Assets 2
v14.0.0
The Inverse team is pleased to announce the immediate availability of PacketFence 14.0 - a major release bringing interesting improvements!
Here's the complete list of changes included in this release:
New Features
Enhancements
- Firewall SSO clustering load-balancing (#8207)
- Domains clustering high-availability (#8205)
- Update Caddy (#8210)
- VoIP support in Aruba CX (#8260)
Bug Fixes
- Fixed Aruba Deauth (#8174)
Security Fixes
Contributors
Assets 2
v13.2.0
The Inverse team is pleased to announce the immediate availability of PacketFence 13.2 - a minor release bringing interesting improvements!
Here's the complete list of changes included in this release:
New Features
- Add filtering and actions to Provisioning (#8033)
- Add Remote MySQL Database Support (#8038)
- Add logic for processing pfflows in pfcron (#8049)
- Add JAMF Cloud support (#8060)
Enhancements
- ProxySQL updated to 2.6.0 (#8058)
- Adapted the LDAP search filter in FreeRADIUS to do the sAMAccountName lookup (#8000)
- Moved Extreme switches to OS-based modules (#8010)
- Moved Juniper switches to OS-based modules (#8011)
- Moved Meraki switches to OS-based modules (#8018)
- Removed outdated Cisco Catalyst switch modules (#8027)
- Support for FQDN switch id (#8022)
- Cisco 9800 documentation (#8009)
- Added NT Key Cache for NTLM-Auth-API (#8044)
Bug Fixes
v13.1.0
The Inverse team is pleased to announce the immediate availability of PacketFence 13.1 - a minor release bringing interesting improvements!
Cloud-ready NTLM authentication service
PacketFence now provides its own NTLM authentication service - no longer relying on Samba nor requiring domain joins. EAP-PEAP authentications are now supported through the PacketFence Connector -- allowing Cloud-based deployments of PacketFence while maintaining support for this popular authentication mechanism.
Apache Kafka for flows reporting
PacketFence v13.1 now integrates Apache Kafka. This technology allows PacketFence to report NetFlow and sFlow flow data to it -- empowering administrators with more visibility and enforcement capabilities.
Improved ACLs precreation
ACLs precreation can now be performed on all or individual switches. This becomes handy when adding or replacing equipment. ACLs can be automatically pre-created upon equipment's addition/replacement without having to wait for a global ACL change on roles.
Here's the complete list of changes included in this release:
New Features
- New NTLM authentication service (no more domain joins, Cloud-ready)
- Added ACL precreation for individual and all switches (#7936)
- Integrated Apache Kafka for flows reporting
- Rewrote pfqueue in Go language
Enhancements
- RADIUS proxy configuration documentation and examples
- Node import supports IPv4 address (#7808)
- Added TCP flags parameter from role configuration in ACL for Cisco
- Added documentation for Azure AD EAP-TLS machine authentication
- Reuse the websocket buffer to reduce memory usage.
- Force mechanism LOGIN PLAIN for SMTP (#7813)
- Use the same timezone in all Docker images (#7862)
- Integrated Fingerbank Perl client into Packet``Fence's source code
- Added many PKI improvements (generate CSR from CA, SCEP server proxy and resign certificate)
- Moved Aruba, Fortinet and HP switches to OS-based modules
Bug Fixes
- Encode in base64 the RADIUS request and store it in Redis (#7853)
- Improve error handling if the calling station cannot be parsed in pfacct (#7871)
- Add MariaDB to the OOM list
- Docker needs a specific configuration to pull images behind a proxy (#7946)
- Fix the password of the day password generation (#7862)
- Add back missing thread support in radiusd (#7963)
v13.0.0
The Inverse team is pleased to announce the immediate availability of PacketFence v13.0. - a major release with new features, enhancements and bug fixes. This release is considered ready for production use and upgrading from previous versions is strongly advised.
ACL pre-creation support for wired and WiFi equipment
PacketFence is now able to pre-create ACLs on switches/WiFi controllers for multiple vendors. This allows PacketFence to support in/out ACLs for greater segmentation capabilities.
Redis-based queueing to improve geo-distributed deployments
PacketFence v13 received many optimizations to reduce database writes. Moreover, some write operations are now queued in Redis - which increases throughput and the required latency for geo-distributed deployments.
End-to-end testing framework to UI for CI/CD pipelines
PacketFence now integrates a complete end-to-end testing framework which allows the creation of automated UI tests for our CI/CI pipelines. This is a great addition to Venom-based tests - allowing greater test coverage and improved quality/stability.
LDAP explorer allows LDAP search (#7634 and #7683, @VakarisZ)
Here's the complete list of changes included in this release:
New Features
- ACL pre-creation support for wired and WiFi equipment
- Redis-based queueing to improve geo-distributed deployments
- End-to-end testing framework to UI for CI/CD pipelines (#7350)
- LDAP explorer allows LDAP search (#7634 and #7683, @VakarisZ)
Enhancements
- Refactored all Cisco modules to now use OS versions instead of model names
- Be informed (through security event) when a device pops up into a VLAN or a subnet that shouldn’t be there (#7529)
- Upgraded coredns libraries (#7197)
- Added Palo Alto switch module to manage web admin login using RADIUS (#7643)
- Removed WMI (#7649)
- Allow to call a custom script from pfupdate to handle VIP in cloud environments (#7654)
- Removed IBM provisioner (#7686)
- Removed ServiceNow provisioner (#7699)
- Removed Symantec Provisioner (#7700)
- Removed OPSWAT Provisioner (#7716)
- Removed httpd.proxy service (#7668)
- Removed unused service httpd.collector (#7667)
- Removed Traffic Shaping (#7666)
- Optimized pfdhcp (#7710)
- ISO installer supports UEFI booting (#7724)
- Updated to go 1.20.5 (#7636)
- Documentation to manage HTTP and RADIUS certificates
- Updated OpenAPI Specification to version 3 and improved coverage to all endpoints, including meta OPTIONS and distinct collection sub-types
Bug Fixes
Contributors
Assets 2
v12.2.0
The Inverse team is pleased to announce the immediate availability of PacketFence 12.2 - a minor release bringing interesting improvements!
ContentKeeper firewall SSO support
We are excited to announce that PacketFence is able to send SSO requests to ContentKeeper and update it in order to apply policies to end devices for internet access.
Added support for Unifi OS controllers (#7368)
We are also proud to annouce that PacketFence now supports Unifi OS controllers by adjusting the port and adding a prefix path.
Added support for downloadable ACLs on Cisco and Dell switches
PacketFence is now able to send Downloadable ACLs to Cisco and Dell switches. When the ACLs exceed the size of the RADIUS reply, PacketFence can trigger the downloadable ACLs and send a chuck of ACLs through multiples access-challenges.
Here's the complete list of changes included in this release:
New Features
- Content Keeper firewall SSO support
- Added support for Unifi OS controllers (#7368)
- Added support for downloadable ACLs on Cisco and Dell switches
Enhancements
- Allow ProxySQL to be configured to connect to a single external database
- Allow image files to be uploaded in a connection profile
- Added System Service and systemd buttons in Admin UI
- Online/offline doesn't rely on recording the bandwidth accounting data anymore
- Pending security events added to network threats visualization
- Allow to expose the fingerbank_info variable to all HTML portal templates (#7460)
- VLAN filters actions can now be done synchronously (#7351)
- Support for wired connections on Ruckus SmartZone
- Improve support of WebAuth on Aruba AP (#7470)
- Allow configurability of using the connector during firewall SSO
- New api call /api/v1/config/role/{role_id}/bulk_reevaluate_access
- Add warnings/errors when updating ACLs for roles and switches
- Azure SAML integration documentation
- Change log levels of Perl services using environment variable (#7487)
- Containerization
pfacctservice - Add not_before to PKI certificates (#7454)
- Support for out acls if the switch support it (#7560)
- Improvements and support for dACL in supported material (#7561)
Bug Fixes
- Force the destination IP for UDP packets going through the pfconnector (#7323)
- Clear the active dynamic reverses that exist when a pfconnector reconnects
- OpenID Authentication Source -Duplicated Username (#7399)
- Unable to upgrade to Debian 11.6 with PF 11.X and 12.X (#7438)
- Trust server certificates when provisioning Apple devices for EAP-TLS (#7428)
- Use WPA2 in place of WPA when provisioning Apple devices (#7428)
- Creating/modifying/deleting a syslog forwarder should prompt to restart rsyslog in the admin (#6532)
- Fixed UTF-8 encoding in email body (#7422)
- Escape quotes in LDAP passwords (AD source: too complex passwords prevent RADIUS to start #3976)
- Use the proper file extensions when uploading SAML config files. (ZEN 12.1 - XML File Renamed on upload. #7439)
- Return immediately after an async job is complete (Rework pfqueue results polling #7175)
- Fixed issue with Aruba DACL, only the first ACL was shown in the port
- ZEN 12.1 installations will generate a new RADIUS key after a reboot (#7568)
- Disable DNS lookup in sudo to prevent API timeouts and interfaces not detected (#7403)
- RADIUS source+pfconnector is not working in admin context (#7550)
v12.1.0
The Inverse team is pleased to announce the immediate availability of PacketFence 12.1 - a major release bringing tons of improvements!
Single-Sign-On for the admin interface
The PacketFence admin interface now has support for Single-Sign-On (SSO) using SAML, OAuth2 as well as supporting MFA using TOTP and Akamai MFA.
Fingerbank in the PacketFence Connector
The PacketFence Connector now supports running the Fingerbank Collector to perform device profiling using all the traffic a PacketFence connector sees.
Unbound dynamic PSK support for OpenWiFi
The OpenWiFi integration now supports dynamic unbound PSK which allows individual users to authenticate against PacketFence with their personal WPA2 key.
Here's the complete list of changes included in this release:
New Features
- Added unbound dynamic PSK support to the OpenWiFi module
- Added Single-Sign-On capability for the admin interface login (SAML/OAuth/MFA/etc)
- Improved PacketFence forwarder integration to mirror DNS packets from a Windows DNS server
- Support for the Fingerbank Collector on the PacketFence Connector
Enhancements
- More flexibility in the definition of the RADIUS servers in an Eduroam source
- Allow to import only DB or configuration during import
- Debian package for PacketFence Connector
- Removed the savedsearch table.
- Removed jQuery dependency in captive portal.
- Present the dynamic PSK on the status page when appropriate
- Manage pfconfig.conf through upgrade scripts instead of packaging
- Improve WebAuth support on Extreme controllers
- Allow users to upload files from the admin instead of uploading them manually via SCP/SSH
- Added new radius attribute vpn detection for fortigate
- Fixed valid_mac that identify some ip address as mac
- Support for hardware token like yubikey for Akamai MFA
- Added sms/phone call as default method in configuration
Bug Fixes
- Fixed issue with pfconnector where it would reuse a dynamic reverse that isn't active anymore (Pfconnector server active dyn reverse cache checks can fail #7218)
- Fixed RADIUS deauth through pfconnector-remote in a cluster where it was logging as failed although it succeeded
- When a rule match is 'any' and has no conditions the rule is always successful (#3768)
- Fix issue with database upgrade (#7283)
- Fix issue Sponsor registration: notes field can't be used on captive portal #6385
- Better error handling when performing a deauth on the previous switch. (captive portal redirect page return Caught exception in captiveportal::Controller::Root->dynamic_application "Can't use string ("0") as a HASH ref while "strict refs" in use at /usr/local/pf/lib/pf/enforcement.pm line 206 #6985)
- Fixes possible Clickjacking for netdata reverse proxy (#7338)
- Don't resync config files unnecessarily during restarts (Cluster resync on restart - pf12.1 #7360)
v12.0.0
The Inverse team is pleased to announce the immediate availability of PacketFence v12 - a major release bringing tons of improvements!
Containerization
Almost all PacketFence services have been containerized for the v12 release. This foundation work allows PacketFence to be deployed in a Kubernetes cluster environment.
Visualization
PacketFence v12 provides many new visualizations options for assets, threats and network communication flows. Perform asset and inventory management by either Fingerbank top-level category or a custom search with any node, ipv4 or ipv6 criteria. Summarize and review all security events and remediate individual events from a single dashboard. Summarize the network communication for any/all devices in a single graph and filter by Fingerbank top-level category, internal or external hosts, protocol and port.
Geo-distributed Database
PacketFence v12 now integrates ProxySQL - allowing us to R/W split database operations to improve handling with geo-distributed MySQL8 databases. This release aims to support deployments where 50-60 ms latency is observed and much higher latencies will be supported in upcoming releases.
Cluster Services
Manage PacketFence services for all cluster members from a single host while maintaining the cluster's quorum. Protected services needed by the UI in order to function can now be restarted from the UI without having to worry about network disconnects. Improved visibility of service status of all cluster members.
PKI
PacketFence v12 now supports CSR signing from PacketFence PKI, CA re-sign, per-profile CN certificates with the Subject, Audit Logs, and several template and date format improvements.
... and more!
PacketFence v12 provides additional important improvements such as Meraki RBAC support, Sophos VPN integration, CSR signing from the PacketFence PKI and much more.
Here's the complete list of changes included in this release:
New Features
- New assets, communications and threats visualizations
- Containerization of most PacketFence services
- New pfconnector service to connect remote locations to a central or cloud PacketFence server
- Support for role-based enforcement on Meraki wired devices (#7000)
- Support to split database read and writes to different MySQL servers (#7055)
- Support for distributed database reads in cluster using ProxySQL
- Initial Linode IaaS and PacketFence Connector documentation (#7152)
Enhancements
- Unified service store module allowing control of both local and cluster members services
- Sign a CSR from the PacketFence PKI
- Added ability to use the MariaDB database or Redis to store the api-frontend tokens
- Adjust logs for containerized and non-containerized services (#7043)
- Allow to enabled/disable processing bandwidth accounting (#6934)
- Sophos VPN support
- Automatically display mandatory fields in email/sponsor activation emails (#7069)
- Detect CLI access from Dell N1500 switches (#7070)
- Deprecate /api/v1/config/fixpermissions and /api/v1/config/checkup
- Update monit email (#7012)
- Monit sender address configurable from the admin GUI
- Full UTF-8 support in the PacketFence database
- Added MySQL compatibility
- Added CSV import to switch groups
- Simplify cluster upgrades (#7180)
Bug Fixes
- Only provide the unregdate action if access_duration is not defined for the local source (#6925)
- Clone switch template with correct ID (#6941)
- Add time to the available template switch variables (#6952)
- Only trigger the node discover security event in the context of RADIUS and pfdhcplistener (#4987)
- Use TLS 1.2 to communicate with Intune servers (#7021)
- Align Apache timeout with captive_portal.request_timeout (#7037)
- Return VIP in DHCP requests if
dns_on_vip_onlyis enabled (#7035) - Replace LF by CRLF at end of emails sent by PacketFence (SMS email has "Bare Line Feed Characters" Status code: 550 5.6.11 #5380)
- The User-Name value in an EAP-TTLS PAP reply will always be the identity of the inner-tunnel (#7017)
- Multi-line entries in "Role by access list" are returned as a string (#6791)
- Respect the time of the expiration date of the password (#7003)
- Monitoring scripting key is not installed correctly when performing an ISO installation (#6965)
- Set the database location to the system Local timezone (golang)
- Add missing translations to the captival portal
- Fix Trapeze Deauth issue
- Fix the wrong encoding of special char in the REST call to PacketFence (use base64)
v11.2.0
The Inverse team is pleased to announce the immediate availability of PacketFence v11.2- a major release bringing many improvements!
TIP OpenWiFi Integration
PacketFence v11.2 now directly integrates with TIP OpenWiFi. TIP OpenWiFi access points are now natively supported network/switch devices in PacketFence with the ability to provision out-of-band subscriber service networks, IoT networks and secured networks.
Kandji MDM Support
PacketFence v11.2 sees its device management (MDM) integration nicely enhanced with the addition of Kandji. This next-generation and Cloud-based MDM allows you to centrally manage and secure your Mac, iPhone, iPad, and Apple TV devices while PacketFence can make sure the agents are correctly installed during the onboarding process.
Automated Integration Tests
More automated tests were added in PacketFence v11.2 through Venom. More specifically, integration tests were added for Fingerbank integration, inline L2/L3 deployment, firewall SSO, CLI for NAS logins and for the captive portal. These extend the automated tests coverage in PacketFence further to ensure greater quality and stability for each new release and help us continue our effort to shorten the time between releases.
... and more!
PacketFence v11.2 provides additional important improvements such as floating devices support for Brocade/Ruckus switches, role-base access for VPNs, an ISO-based Debian 11 installer and much more.
What's Coming Up in v12
We're excited for the upcoming PacketFence v12 release later in 2022! This upcoming release will include more new visualization capabilities around asset discovery and threat detection, services containerization, increased integration with MDM/EDR/XDR solutions and better deployment options on public Cloud providers for infrastructure-less and Cloud-first organizations. Stay tuned and follow us on Twitter for progress reports!
Here's the complete list of changes included in this release:
New Features
- Added MAB floating device support to Ruckus/Brocade switches (#6774)
- Support for roles in VPN access
- Allow to centralize the virtual IPs on the same server (#6853)
- Added support for Kandji MDM as a provisioner
- OpenWiFi switch module
- Allow to manage devices (unregister) when reaching max nodes (#6860)
- ISO installer based on Debian 11 (#6803)
Enhancements
- Allow Meraki::MR_v2 module to be able to use a RADIUS Disconnect instead of only a RADIUS CoA
- Simplify local development of Venom tests (#6711)
- Integration tests on Fingerbank (#6725, #6786, #6798, #6816)
- Integration tests on captive portal (#6744)
- Integration tests for CLI login (#6783)
- Upgrade to Venom 1.0.0 (#6775)
- Upload logs of tests (#6784)
- Management of TLS minimum and maximum versions in GUI (#6773)
- Integration tests for Inline L2 and L3 (#6769)
- Drastically improved the performance of the Ruckus unbound DPSK implementation (#6817)
- Added an admin action to allow RADIUS Probe requests
- Allow access to the Status/Node Manager/Device Registration pages on SAML auth.
- Give each monitoring script a maximum of 10 seconds to run (#6828)
- Resign CA feature in PKI (#6770)
- Allow to download any certificates without private key using a button (#6778)
- Fixes date format of the PKI SQL tables (#6823)
- Use the Digest of the profile on SCEP request (#6823)
- Improve CLI login support on Ubiquiti Edge switches (#6727)
- Expose the open locationlog as a variable to switch templates.
- Improve the speed on the node online query.
- Message portal module can be used without the portal template.
- The ip6tables rules are now managed by PacketFence (#6836)
- Certificate signing requests created via the admin interface now include a Subject Alternative Name (SAN)
- The Subject Alternative Names of a certificate are now displayed in the admin interface
- SSL Certificates - RADIUS / HTTPs page Simple GUI Enhancements (wording clarification) (#6613)
- New mysql-probe service to monitor haproxy-db backends
- Allow to add environment overrides to Fingerbank collector via the config (#6854)
- Change the behavior of pf::condition::not_equal to always succeed when match value is undef
- Allow to renew certificate X days before the expiration date
- Send email X days before the expiration date to the user email/ profile email / administrator
- PKI CN provides certificate for the same CN but for different profiles (profile name added in Subject)
- Auto-revoke certificate if expired
- PKI actions are now logged to the admin API audit log
- Reduce list of accepted ciphers in haproxy-portal and haproxy-admin to reinforce security
- Improved the performance of the bandwidth accounting cleanup process (#6850)
- Purge binary logs task
- Integration tests for firewall SSO (HTTPS/RADIUS) (#6822)
- Add text warning on unreg date when past date is used (#6871)
- Add an option to sync a single ConfigStore storage in the bin/cluster/sync tool (#6904)
- Updated PayPal integration documentation
- Match expected administration rules for web admin and sponsor login (#3631)
Bug Fixes
- Reply to Windows devices configured through Intune even if they requested a non-existing URL (#6687)
- Add RADIUS audit log entry in correct tenant when switches are defined by MAC address (#6540)
- Fixed issue with edition of PKI template (#6713)
- Fixed issue on PKI template save (#6749)
- Fixed issue on PKI templates can be modified by a SCEP request (#6751)
- Fixed issue with PKI From value when sending certificate by email (#6370)
- Fixed documentation for Huawei (PR #6692)
- Fixed issue when pulling the wrong certificate only based on the cn (#5861)
- Fixed regression in the Unifi module for deauthentication of webauth clients when the APs are defined using an IP or CIDR in the configuration (#6686)
- Fixed revoke certificate on unregistration (#6826)
- Send certificates by email using alerting settings (#5917)
- Validate email format on TLS Enrollment form
- Fixed issue where portal could apply actions from different auth rules (#6896)
- Handle DBI library ping call dying in pfconfig MySQL backend (#6895)