v11.1.0

The Inverse team is pleased to announce the immediate availability of PacketFence v11.1 - a major release bringing many improvements!

Multi-Factor Authentication

PacketFence v11 now fully supports multi-factor authentication for its captive portal, CLI and VPN. Advanced integration with Akamai MFA is now included as well as generic support for any TOTP solutions.

Automation of Upgrades

Upgrading from v11 to v11.1 is fully automated for standalone installations. No more scripts to run nor database schema changes to apply - all is done for you, in a snap!

Unified Reports

PacketFence has unified the three reporting sections in to a single configuration and added bar-graphs, sankey-diagrams and scatter-charts in order to visualize different datasets or the same data in different dimensions. It includes a MySQL/MariaDB script mode that allows multi-statement SQL transactions, making it even easier to extend its reporting with custom configurations. Several new reports for accounting, authentication, nodes and roles are also now included.

Automated Integration Tests

More automated tests were added in PacketFence v11.1 through Venom. More specifically, an EAP-TLS test covering our PKI infrastructure was added together with a pfcron test covering all maintenance jobs PacketFence does. These extend the automated tests coverage in PacketFence further to ensure greater quality and stability for each new release and help us continue our effort to shorten the time between releases.

... and more!

PacketFence v11 provides additional important improvements such as MikroTik DHCP MAC authentication support, the automated generation of the supported equipment page for the PacketFence website, refactoring of authentication sources and much more.

---

Here's the complete list of changes included in this release:

New Features

• Support for Akamai MFA in VPN/CLI RADIUS authentication and on the captive portal
• Support for TOTP MFA in VPN/CLI RADIUS authentication and on the captive portal
• Automation of upgrades for standalone installations (#6583)

Enhancements

• MikroTik DHCP MAC authentication support
• Allow to use the sAMAccountName from the searchattributes in MSCHAP machine authentication (#6586)
• Improve the Data Access Layer to work in MariaDB's default sql_mode
• New command pfcmd mariadb [mariadb options]
• Deauth request can be made on the previous equipment the device was connected
• Allow the bulk import of config items to be async
• Remove unused/deprecated sources (AuthorizeNet, Instagram, Twitter, Pinterest, and Mirapay) (#6560)
• Automation of supported equipment page on PacketFence website (#6611)
• Use Venom 1.0.0 through Ansible to run integration tests (#6573)
• Import script will migrate the networks configuration if the new IP is in the same subnet (#6636)
• EAP-TLS integration tests using manual deployment and SCEP protocol (#6647)
• Added a monit check to ensure winbindd is still connected (11.1 - AD failover doesn't work #6655)
• Improve ZEN builds (#6663)

Bug Fixes

• Match the realm more strictly when its not a regex in EAP-TTLS PAP
• Populate the LDAP config for enabled LDAP EAP-TTLS PAP realms
• Only call oauth2 in authorize for the realms that have an Azure AD EAP-TTLS PAP configuration
• Use source username in LDAP module for EAP-TTLS PAP instead of always using sAMAccoutName
• Support LDAP certificate client auth for LDAP EAP-TTLS PAP authentication
• Allow to use Google Workspace LDAP sources in EAP-TTLS PAP authentication
• Add script for removing WMI scan (#6569)
• Fix Let's Encrypt renewal process restarting services even if they are disabled (#6606)
• Removes the deprecated NTLM background job fields and components (#6552)
• Ignore 'Mark as sponsor' administration rules when finding the access level of a VPN/CLI user (CLI authentication rules matching doesn't filter on the rules action #6349)
• Reducing time balance only when registered

v11.0.0

The Inverse team is pleased to announce the immediate availability of PacketFence v11 - a breakthrough release in network security!

RHEL v8 and Debian 11 Support

PacketFence v11 now fully supports Red Hat Enterprise Linux 8 (RHEL v8) and Debian 11. Both operating systems bring major performance, stability, and security improvements to PacketFence for many years to come. RHEL v8 alternatives such as AlmaLinux, Oracle Linux, and Rocky Linux can be used.

Google Workspace Integration

PacketFence v11 now natively integrates with Google Workspace for LDAP-based authentication. Moreover, PacketFence now provides a Google Workspace Chromebook provisioner to automatically onboard organization-owned Chromebook devices and assign them a role. PacketFence can now also raise a security event when a Chromebook becomes inactive and provides a way to import all activated Chromebooks part of an organization.

Microsoft Azure Integration

PacketFence now integrates with Microsoft Azure Active Directory for authenticating users on the captive portal, the admin interface, and performing 802.1X user authentication using EAP-TTLS PAP. Greatly enhances the integration possibilities of PacketFence in Azure-based Cloud environments.

Automation of Upgrades

Starting from PacketFence v11, upgrades are fully automated. No more scripts to run, database schema changes to apply, and more. This release also provides a way to export your v10.3 installation and migrate to v11 in a snap!

Logs Forwarding

PacketFence now supports forwarding of all database-stored logs. That means that the RADIUS audit log, DHCP audit log, DNS audit log, and admin access audit log can be fully exported to a remote syslog server - ensuring compliance with more security regulations.

... and more!

PacketFence v11 provides additional important features such as SCEP support for Microsoft Intune and AirWatch, Venom tests for Inline L3, massive performance improvements to the admin interface, multi-tenancy improvements, and much more.

---

Here's the complete list of changes included in this release:

New Features

• Red Hat Enterprise Linux 8 and Debian 11 support
• Microsoft Azure AD authentication and authorization support (#6380)
• Google Workspace integration for LDAP and Chromebooks
• Automation of upgrades from 10.3 and above (#6438)
• Forwarding support for audit logs stored in database

Enhancements

• Microsoft Intune SCEP support (#6360)
• Venom inline L3 (PR #6266)
• Massively improved web admin performance
• LDAP source now supports client certificates
• AirWatch SCEP documentation
• Rewrite the username of the request from RADIUS preProcess filter (#6293)
• Upgrade to golang 1.16.3 (#6343)
• pfpki: configure OCSP to listen on specific interfaces (#5825)
• Get maintenance patches through package manager (#6378)
• Adjust Intune integration to support pagination of the managed devices (#6135)
• Add an option to force the vip as the default gateway on layer2 registration network (#6406)
• Firewall SSO is tenant aware (#6384)
• Added conditions on owner information in the RADIUS filters (#6324)
• CLI access support for Avaya Switches (#6398)
• Authorize a MAC address on all APs of the switch group when using the Unifi module (#6134)
• Macro documentation for filter engine (#6392)
• Expose the source directory of documentation from Caddy (#6315)
• Audit successful admin login in the admin audit log. (#6345)
• Allow users to resend the SMS pin
• Improve the speed of retrieving switches (#6321)

Bug Fixes

• Configurator sets valid_from field to current time in place of 1970-01-01 00:00:00
• Support switch_group in advanced filters (#6379)
• Authentication rule condition basedn matching does not work (Authentication rule condition basedn matching does not work #6402)
• Filter netdata incoming connection (#6303)
• CLI switch access for Avaya ERS Switches (#6399)
• Avoid duplicate log entries "User has authenticated on the portal"
• Backup DB using MariaDB-backup does not work on standalone installations (#6424)
• Normalize connection_sub_type to use the numeric value (#6326)
• Expired switches for all tenants (#6024)

v10.3.0

New Features

• Static routes management via admin gui
• Aruba CX support
• Aruba 2930M Web Authentication and Dynamic ACL support (#6158)
• Meraki DPSK support
• Ruckus DPSK support
• Support for Ruckus SmartZone MAC authentication in non-proxy modes (#6201)
• Bluesocket support (#5878)
• Support for SCEP in pfpki (#6213)

Enhancements

• Improved the failover mechanisms when an Active Directory or LDAP server is detected as dead
• Expiration of the local accounts created on the portal can now be set on the source level
• pfacct and radiusd-acct can now both be enabled together (radiusd-acct proxies to pfacct)
• Added CoA support to Aerohive module
• Added role based enforcement (Filter-Id) support to Extreme module
• Use Called-Station-SSID attribute as the SSID when possible
• Added CLI login support to Huawei switch template
• Added detectionBypass in DNS resolver (#6028)
• Improve support of Android Agent for EAP-TLS and EAP-PEAP
• Improve CLI login support on HP and Aruba switches
• Use the "Authorization" header when performing API calls to Github in the OAuth context
• Replace xsltproc/fop by asciidoctor-pdf (#5968)
• FortiGate Role Based Enforcement (#5645)
• Add support for roles (RBAC) for Ruckus WLAN controllers (#2530)
• Upgrade to go version 1.15 (#6044)
• Build ready-to-use Vagrant images for integration tests and send them to Vagrant cloud (#6099)
• Documentation to configure Security Onion 2.3.10
• Added integration tests for 802.1X wireless and wireless MAC authentication (#6114)
• Restrict create, update, and delete operations to the default and global tenant users (#6075)
• Remove pftest MySQL tuner (#6130)
• Allow Netflow address to be configured (#6139)
• Deprecated fencing whitelist
• Description field for L2 and routed networks (#5829)
• Updated Stripe integration to use Stripe Elements (API v3) (#6121)
• Added Cisco WLC 9800 configuration documentation
• Inheritance on parent role on Role and Web Auth
• Enhance CLI login on SG300 switches
• Enable/disable the natting traffic for inline networks
• Remove unused table userlog (#6170)
• Clarifications on Ruckus Role-by-Role capabilities (#6201)
• DNS/IP attributes in pfpki certificates (#6213)
• Additional template attributes in certificate profile (#6213)
• Remove unused table inline_accounting (#6171)
• Make pfdhcplistener tenant aware (#6204)
• Upgrade to MariaDB 10.2.37 (#6149)

Bug Fixes

• Switch defined by MAC address are not processed by pfacct in cluster mode (#5969)
• Restart switchport return TRUE if MAC address is not found in locationlog for bouncePortCoA (#6013)
• Switch template: CLI authorize attributes ignored (#6009)
• ubiquiti_ap_mac_to_ip task doesn't update expires_at column in chi_cache table (#6004)
• A switch can't override switch group values using default switch group values (#5998)
• web admin: timer_expire and ocsp_timeout are not displayed correctly (#5961)
• web admin: Realm can't be selected as a filter on a connection profile (#5959)
• API: remove a source doesn't remove rules from authentication.conf (#5958)
• web admin: high-availability setting is not display correctly when editing an interface (#5963)
• SSIDs are not hidden by default when creating a provisioner (#5952)
• with_aup is correctly displayed on GUI (#5954)
• web admin: sender is wrong when you use Preview feature (#6023)
• sponsor guest registration: unexpected strings in email subject (#3669)
• Use the proper attribute name for Mikrotik in returnRadiusAccessAccept (#6051)
• Audit log: profile has an empty value when doing Ethernet/Wireless-NoEAP (#5977)
• pfacct stores 00:00:00:00:00:00 MAC in DB when Calling-Station-ID is XXXX-XXXX-XXXX (#6109)
• Update the location log when the Called-Station-Id changes (#6045)
• Only enable NetFlow in iptables if NetFlow is enabled (#6080)
• Firewall SSO: take username from accounting data if available in place of database (#6148)

v10.2.0

The Inverse team is pleased to announce the immediate availability of PacketFence v10.2 - a major release bringing tons of improvements! Moreover, the upcoming PacketFence v11 will feature full Zero Trust Network Access support - extending NAC concepts to remotely connected users with full micro-segmentation support. This release is considered ready for production use and upgrading from previous versions is strongly advised.

Improved Layer-3 Replication

Layer-3 replication over high-latency WAN connections has been dramatically improved in PacketFence v10.2 - by a factor of tenfold. This allows PacketFence to secure even larger widely distributed networks.

More Golang

Our endeavour in rewriting our services from Perl to Golang has reached another big milestone for PacketFence v10.2. One of PacketFence's most crucial service, the maintenance and monitoring service, has been fully rewritten in Golang to increase performance but also drastically reduce resource usage.

Automated Integration Tests

Our other big endeavour with achieving full integrated test coverage has reached an other big milestone in PacketFence v10.2. The Configurator, the very first part of PacketFence exposed to new users, has now complete integrated tests coverage. This means that through Venom, we can now fully test the Configurator, wired MAC authentication and 802.1X using EAP-PEAP, backup/restore and many more. Our WiFi, WMI and PKI/EAP-TLS will be completed for v11.

Upcoming v11 Release

PacketFence v11 will extend NAC concepts to remotely connected users with full micro-segmentation support. Using our new connectivity orchestrator, PacketFence will dynamically establish secured tunnels between endpoints - based on what they are allowed to do on the network. Traffic of remotely connected users will not go through PacketFence, but PacketFence will orchestrate the creation of a full mesh network between remote users, local or Cloud-based resources.

... and more!

PacketFence v10.2 now also supports EAP-TTLS for LDAP authentication sources, native Novell NetIQ eDirectory support, improved support for Extreme Networks switches running EXOS, improved multi-tenancy support, MAC addresses randomization support and many more admin interface improvements!

---

Here's the complete list of changes included in this release:

New Features

• EAP_TTLS PAP Support on a LDAP source
• eDirectory source
• Master/Slave radius proxy and degraded workflow
• go based pfmon (#5613)
• Integration tests: configurator scenario added (#5484)

Enhancements

• Adjust the settings in the admin for the SAML and OAuth portal modules (#5479)
• Select the role of the device when register via self-service portal.
• Improved support for Extreme switches running EXOS
• Added option to register device immediately after the sponsor activates the access during sponsor based registration (#5642)
• Added support for EAP-PEAP MSCHAPv2 and EAP-TLS for CLI and VPN RADIUS authentication (#5784)
• Template based bouncePort using CoA (#5735)
• Set the default switch type to Packetfence::Standard (#5742)
• Create a PacketFence::SNMP switch to force reevaluate access using SNMP (#5742)
• Add support for CLI Access for Switch::Template (#5708)
• Use Status Check in pfstats to test radius/eduroam sources
• Switch templates can define how to map a NasPort to an IfIndex (#5779)
• Syslog parsers are now tenant aware.
• Add default MAC address randomization security event check
• Allow to delete a node from web admin with a locationlog opened (#5492)
• Allow roles to be delete

Bug Fixes

• Fixed CoA for Meraki web-authentication so that it doesn't disconnect the user from the SSID
• Honor the AUP setting of the SAML portal module (#5476)
• Use the prebuilt freeradius perl dictionary.
• Don't override user defined values in the interface file for centos.
• haproxy-db can cause pfcmd service restart to failed (#5745)
• Pass in the mandatory fields to the email templates.
• Dell N1500.pm: LLDP detection doesn't work (#5758)
• Ensure the gateway was only written once in /etc/sysconfig/network (#2845)
• Remove the ip address of a server in the dhcp reply when the server has been disabled (#5677)
• Allow to set multiples ca certificates.
• Listen to all interfaces for radius accounting (#5821)
• Searching by 'Source Switch Identifier' for a switch range doesn't work (#5792)

See the complete list of changes and the UPGRADE.asciidoc file for notes about upgrading.

v10.1.0

New Features

• Live log viewer from admin interface
• Fully tenant-aware admin interface
• Support for MS-CHAP authentication for CLI/VPN access
• New pfcertmanager service that generates certificate files from configuration

Enhancements

• EAP configuration template - add a way to define multiples EAP profiles in FreeRADIUS
• New action for AD/LDAP sources to set role when user is not found
• Provide an advanced LDAP condition to allow custom LDAP queries
• The captive portal can now feed HTTP client hints to the Fingerbank collector
• Added ability to enable/disable a network anomaly detection policy (#5403)
• Return the portal IP if the QNAME matches one of the portal FQDN for registered devices using inline enforcement
• Individual source rules can be disabled
• Support for Dell N1500 starting from 6.6.0.10
• CoA support for Ubiquiti Unifi AP
• Added a way to define the Unifi AP by IP or IP range
• Use the value of an LDAP attribute as a role
• Added the return of the LDAP/RADIUS attributes to use them in RADIUS filter
• The /api/v1/radius_attributes endpoint is now searchable
• Proxy the captive portal detection URL when the device is registered
• Choose which EAP profile to use based on the realm
• LDAP's basedn can be defined in the authentication sources rules
• New hooks for the RADIUS filter engine in eduroam virtual server
• Redefined "restart" in the service manager to allow "PartOf" in systemd scripts
• Set role from source authentication rule option (needs #5459)
• Flatten the RADIUS request for the authentication sources (attributes like radius_request.User-Name)
• RADIUS request attributes / username are part of the common attributes
• Support of multiples LDAP servers in FreeRADIUS ldap_packetfence configuration file
• Copy outer User-Name attribute in PacketFence-Outer-User attribute to be able to use it in the authentication rules
• Copy the LDAP-UserDN attribute in PacketFence-UserDN attribute to be able to use it in the authentication rules
• Added a way to extend the LDAP filter for searchattributes configuration
• Documentation for EAP profile selection
• Documentation for regex realm
• Documentation for new action/condition in LDAP authentication
• Moved the VLAN filters example as default disabled VLAN filter
• Use PUT for node reevaluate_access to fix issue with admin_role actions mapping
• OpenID pid mapping is now configurable
• Can map OpenID attributes to a person attributes
• Allow to create authentication rules based on OpenID attributes

Bug Fixes

• Fixes Fortinet Fortigate returnAuthorizeVPN function (#5409)
• Barracuda NG firewall SSO SSH fails (#4828)
• Impossible to set multiple access level in administration rule (#5440)
• Fixed pf-maint.pl when its running behind a proxy (#3425 )
• Fix vendor attributes not being sent from Switch Template (#5453)
• Fixed issue authorizing a user in web-auth on Unifi when the node has its date set to '0000-00-00 00:00:00'

v10.0.1

Bug Fixes

• Fix issue with out of bound array in pfacct
• Fix handling of VSA in pfacct
• Fix handling of wireless secure to open SSID VLAN filter
• Fix limit of 25 filters in filter engines GUI (#5379)
• Fix the "from address" when sending emails through the pfpki
• Adjustments to the default anomaly detection policies
• Add missing sFlow and netflow ports in the iptables configuration
• Fix detection of the anomaly detection capabilities of the current Fingerbank account
• Improve anomaly detection triggers display in security events (#5402)
• Handle JAMF provisioner responses that aren't UTF-8 encoded
• Fix admin account validity when changing the timezone in the configurator (#5390)
• Restart packetfence-mariadb in the configurator after changing the timezone (#5390)
• Fix multi-tenancy detection when performing web-authentication (#5418)

v10.0.0

New Features

• Added support for network anomaly detection through Fingerbank
• New, fully integrated PacketFence PKI service
• New service for automatic clustering issue resolution
• New GUI for all filtering engines and switch templates
• New API and Vue.js based step-by-step configurator
• Added VMware Airwatch support

Enhancements

• Added suppport to run integration tests using Cumulus Linux and libvirt
• Added the ability to autoregister and assign a role to a device authorized in a provisioner
• Added the ability to control whether or not a provisioner should be enforcing (i.e. ensuring all devices matching it are authorized with it)
• Added the ability to sync the PID of devices authorized in a provisioner (only for Airwatch and JAMF)
• Add single sign-on support for Cisco ISE-PIC
• Support for MySQL as DHCP pool backend and provide active/active DHCP support
• Support Aruba switches using Aruba OS 16.10
• Added a new Meru controller module that supports RADIUS RFC3576 (RADIUS Disconnect)
• CLI login to Juniper switches
• Allow to configure VOIP RADIUS attributes in switch templates
• All configuration files have a copyright without year to avoid useless rpmnew or dpkg-dist files each yearly upgrade
• Improved Unifi deauthentication using HTTP
• Set TTL to 5 seconds when the host match with a captive portal detection host
• Enable tracking configuration service by default
• Better captive portal detection for Samsung devices
• Faster captive portal detection for Apple devices
• Routes are now managed by the keepalived service
• Parking security event can now be triggered without limitation
• Added a way to change the SQL table used by pfconfig
• Showing the configurator is now configurable (#5121)
• Node deletion in consistent between the the API and pf::node::node_delete (#5088)
• Allow VLAN number greater than 1023 for floating devices
• Improved captive-portal health checks in monit (#5185)
• Added RADIUS disconnect for wired port on Aruba AP (#5016)
• Switch templates can now use SNMP up/down to perform access reevaluation (#5197)
• HAProxy now serves the admin gui, httpd.admin disabled by default
• Reports are now tenant-aware
• Security events can be triggered when running node maintenance task (#4948)
• Added parameter to prevent external portal requests from updating the ip4log (#5336)
• Added new WMI examples

Bug Fixes

• Fixed logic to move MAC address to another port (Avaya)
• Fix serialization of the switch when calling ReAssignVlan/desAssociate
• Prevent double restart when setting the port admin status of an EX2300 Juniper switch
• Sponsor field is missing on sponsored users when using forced sponsor (#5171)
• Some DHCP info triggers use outdated Fingerbank data (#5106)
• Issue with the timezone in the admin not being honored on the system (#5205)
• Issue with chrome who don't show the portal on self signed certificate (#5233)
• Issue with RADIUS CLI access and ldap authentication source where the cache is enabled (#5018)
• Distribute pfsnmp trap jobs between queues based off switch id (#5004)
• Deleting a portal profile doesn't cleanup its templates (#793)
• pfacct doesn't report metrics to dashboard (#5267)

v9.3.0

New Features

• Only have a single active locationlog entry in the locationlog

Enhancements

• Don't try to do firewall SSO if the service is disabled
• Massively improved web admin performance

Bug Fixes

• Fix pfstats for LDAPS and StartTLS
• Allow to run any script from a security event without a modification of sudoers file
• Fix machine auth failed on eduroam virtual server
• Fix allow external RADIUS accounting from eduroam server (they use it to detect if a server is alive)
• Fix eduroam load-balancing issue on local realm

v9.2.0

New Features

• Allow to force the access duration when using device registration
• Migrate to go mod for Golang binaries (#4832 and #4841)
• Ready-to-use Docker images for PacketFence builds (#4841)
• Added audit log for API and new admin interface
• Added configuration based switch modules
• Support for remote layer 3 clusters in read-only mode
• Internal security event to trigger on managed network only or production network only

Enhancements

• Network visualization now supports custom sorting, min/max graph sizing, variable real-time network live-view, and infinite depth of switch-group inheritance.
• Speedup the dal generation (#4824)
• Enhance Juniper EX2300 to allow a port bounce to be done via RADIUS CoA

Bug Fixes

• fixes #4737 (SNMP trap stuck in the queue)
• MySQL schema upgrade statements should be re-runnable. (#4892)
• Return the authentication sources where the default realm has been associated if the realm used by the connection contain a realm that is not defined in the configuration.

v9.1.0

New Features

• Network visualization
• Microsoft Intune and ServiceNow support
• Family Zone, LightSpeedRocket and SmoothWall firewall SSO support
• New way to forward Eduroam local realm to a specific RADIUS server
• New DNS auditing log module

Enhancements

• Adjust Fingerbank device class lookup ordering for added precision of the device class
• Track configuration changes in local git repository
• Randomize KeyBalanced to randomize the load-balancing in FreeRADIUS Proxy.
• Support for SentinelOne's new API version (v2.0)
• Firewall SSO is now performed centrally on the management node of a cluster
• Added DHCP pool algorithm (random/oldest IP)
• Improved support for Juniper switches running Junos 15 and above
• Allow to configure the API token timeout
• Moved vlan_pool_technique configuration parameter to the connection profile
• Added the RADIUS' targeted IP address in the RADIUS audit log (help in cluster mode)
• pfperl-api port number changed to 22224
• Autoreg for mac-auth with an authorize source
• Parking portal has been moved in the haproxy and httpd.dispatcher services and deprecates the dedicated httpd.parking service

Bug Fixes

• pfstats queries /api/v1/dhcp/stats are taking a lot of time (#4096)
• Duplicate reservations in the DHCP pool caused by a big registration/inline network and pfstats call
• LinkedIn social login integration due to deprecated API calls from LinkedIn
• Fixed the logic of "Use the RADIUS username instead of the TLS certificate common name when performing machine authentication"