9.0.125 May 2019 03:15
Improved display of RADIUS audit log from RADIUS tab.
Add '-copy' to the ID when cloning a configuration resource.
Better visual distinction when the database is in read-only mode.
Domain join is prompted after creating a domain.
Added current hostname to help page.
Aruba Instant access switch module compilation error.
Violations to security events upgrade script to use the.rpmsave file during the upgrade.
User visualization when the username contains a '/' or ' '.
Missing 'Signing' tab in mobileconfig provisioner configuration section.
Missing 'Compliance' tab in OPSWAT provisioner configuration section.
When defining multiple DNS servers in inline.
Where not all security events are visible when triggering a security event on a node.
With multi-cluster configuration generation.
With WMI scan engine rules failing to be saved.
9.0.016 May 2019 06:05
New web interface based on Vue.js and Bootstrap 4.
Let's Encrypt SSL certificates support for captive portal and RADIUS.
Cisco ASA VPN support with the captive portal.
Fortinet VPN support.
DHCP Filter to reply custom attributes in the OFFER and/or ACK (deprecate old DHCP Filter).
Add 802.1X and CoA support for Fortinet FortiSwitch.
Add module to support PICOS white box switches.
Support for Aerohive access point with switch port.
Support for Aruba Instant Access switch module.
Debian 9 (Stretch) support.
Now including timeout when authorizing a web-auth user on an Ubiquiti UniFi controller.
Now providing defaults for the Apache filters.
Allow to configure the RADIUS attributes and their lookup order for extracting the username.
conf/stats.conf has a default file now.
VoIP configuration parameter in node_cleanup task to bypass VoIP devices.
Adding/removing passthroughs doesn't require to restart pfdns anymore.
Added support for RADIUS disconnect on Ruckus SmartZone.
Disable Microsoft Active Directory join operating system check option.
Disable DNS lookup in MariaDB configuration.
Enable performance_schema if needed.
Display local account in the captive portal during registration if applicable.
Exception for portal detecion URL in pfdns.
Added support for Ruckus roles.
sms_carrier 'id' column is now auto-increment.
Better logging for haproxy-portal that allows to identify missing passthroughs.
Allow to skip management node in portal load-balancing when running in a cluster.
DHCP and DNS services can be enabled on a specific interface.
VoIP support for Dell switches.
the systemd logic in pfdhcp.
winbindd respawning extremely fast when failing to start.
winbindd processes not being killed on latest version of Samba.
Allow disabling processing of IPv6 packets in the pfdhcplistener.
Set the realm in the RADIUS request when doing machine authentication.
8.3.010 Jan 2019 03:15
Added support for Juniper EX2300 (JUNOS 18.2) switches.
Clickatell authentication source support.
Added a random algorithm for VLAN pooling.
Added the ability to reserve IP addresses in pfdhcp.
Added a way to trigger a violation when device profiling detects a change in the device class.
New SSL Inspection portal module.
RADIUS proxy integration from web admin interface.
RADIUS filtering support for pre_proxy/post_proxy/preacct/accounting/authorize phases.
Updated the Windows provisioning agent to the new Golang based version.
Redis now only listens on localhost.
Deprecate usage of roaring bitmap for the DHCP IP pool.
Email and SponsorEmail sources can have banned and allowed email domains.
Improved startup time of pfdhcp.
Removed OPSWAT Metadefender Cloud support.
Chose password hashing algorithm when creating a local user from a source.
Define the length of the password to generate when creating a local user from a source.
New "dummy" source just to compute the rules.
Logs permissions and configuration for Debian.
missing cache directory for NTLM auth cache.
working directory of NTLM auth cache sync script.
Handled multiple LDAP hosts properly in NTLM auth cache.
with the DHCP server that gives sometimes a duplicate IP address.
Adjusted CentOS and RHEL dependencies.
MAC filtered lookups that were cached in pfdns.
the OpenVAS integration to work with OpenVAS Manager 7.0 (OpenVAS 9).
encoding of files created in the administration interface (force them to UTF-8).
8.2.106 Dec 2018 03:15
Allow for SMS PIN codes to be reused.
Adjusted ports for Active Directory passthroughs.
Improved performance of nodes tab in the admin interface.
Google Project Fi missing from the official schema.
Various for broken NTLM cache job.
with realms after a restart of pfconfig.
with pfdhcp leaking file descriptors.
with captive portal requesting an artifact from the SAML server.
duplicate IP addresses given by pfdhcp.
Added new expected parameter for the redirect URL when performing web-auth with a Cisco WLC.
SEPM provisioner token refresh.
8.2.008 Nov 2018 03:15
Added support for clusters with servers located in multiple layer 3 networks.
Permit incoming Eduroam TLRS RADIUS requests.
pfconfig is tenant aware.
Realm are tenant scoped.
Added Mojo web authentication support.
New authentication source Password of the Day.
Added SMTP test function in Alerting.
Juniper SRX Firewall SSO module.
Now support CoA on Meraki switches.
jsonrpc requests send the current tenant_id.
Take the tenant id in consideration in the queue.
Performed various improvements to the maintenance script.
Increased maximum node bandwidth balance from 4 GB to 18.4467441 XB (exabytes).
Improve connection profile's advanced filter.
Use MySQL as backend for pfdhcp options (deprecates etcd).
Reorder iptables rules.
Better error handling for pfdetect.conf.
HAProxy stats files are now located in var/run/ with explicit filenames.
pfdns now uses the PacketFence standard Golang logging library.
Added VOIP and Downloadable ACLs support to Aruba 5400 switch module.
Switch filters can now be used to override the switch module that is instantiated during a RADIUS connection.
WIRED_MAC_AUTH and Ethernet-NoEAP merged.
Backslash in usernames in Reports section is shown as "=5C".
Multiple to the pfdhcp service.
Domain join log entries contain clear-text credentials.
false positive dhcp rogue detection.
Sponsor Email subject and body are i18n in the same language.
pfstats hammers pfdhcp and the API frontend with requests.
Can't download SAML metadata in the admin.
8.1.010 Jul 2018 03:15
Added support for dynamic PSK (Cisco IPSK) for the Cisco WLC and hostapd.
Added Ubiquiti Unifi web authentication and 802.1X support.
Added support for Cambium AP module for 802.1X, MAC and web authentication.
Change root portal module on failure/success.
Save already entered field on the portal (chain auth).
Custom message for SMS registration.
Expire SMS pin code.
Define the length of the pin code.
Enable or disable sponsor authentication when he validates access.
Allow connection profiles to be enabled/disabled.
Add new portal module action that wraps the default actions a module would normally execute.
Improved startup time of PacketFence.
local/reject realm for eduroam in standalone configuration.
Allow subsecond timeouts for LDAP connections.
Allow randomization of the search order for a list of LDAP servers.
IP exclusion is now possible in the DHCP server.
Allow max node per role when doing autoregistration.
Moved unregister on accounting stop parameter on the connection profile.
VLAN filters can be set to node_info.category and it will return the current category of the device.
The database load-balancer now listens on the cluster management IP address.
Allow to update switches while importing them via CSV.
Netdata never ending restarts after a reboot.
Systemd PID file causes when there is a stale PID file.
when a LDAP authentication source contains multiple IP addresses.
Added missing DHCP Statistics for routed networks on the dashboard.
8.0.110 May 2018 03:15
Update the computername (hostname) of a node using the Fingerbank Collector data.
Detect uplinks based on CDP flag instead of a string.
Put etcd in its own directory.
with device profiling not being performed when an endpoint connects for the first time.
missing timeout when performing RADIUS SSO (FortiGate, CheckPoint, WatchGuard).
with API frontend when initially configuring the webservices username and password.
packetfence-haproxy-portal and packetfence-tc systemd service in a wrong target.
Custom routing with inline enforcement fails silently.
Nessus 6 scanner.
haproxy-db only listens on IPv6 interface (Debian).
DNS passthrough for normal domains (was considered as a wildcard).
Winbind fails to start because of a permission on /var/run/samba/winbindd in the chroots.
Update from 7.4 to 8.0 audit log file not there.
unreg on RADIUS accounting stop.
Allow nodes without roles to be modified when restricting allowed role.
speed with node search in the admin.
missing timeout for RADIUS sources tests in pfstats.
8.0.027 Apr 2018 03:15
Replaced the ISC DHCP server with a new Golang-based DHCP server.
Now supporting inline enforcement in active/active clusters.
Replaced pfdns with a new Golang-based DNS server.
Allow an inline network to be split by the roles in PacketFence allowing to put specific devices in a distinct broadcast network.
Dashboard metrics are now based on Netdata.
Traffic shaping support for inline enforcement.
Added a configuration parameter to allow to unregister a device on an accounting stop.
Added CLI support on Aruba 5400 switches.
Username stripping (removing the realm) is now configurable via the realms instead of the sources.
PacketFence integration with JAMF API for Apple computers and mobile devices management.
Added an HTTP JSON API.
Distribute pfdhcplistener tasks among cluster members.
Now allowing to use the RADIUS accounting cache when in cluster mode.
Guest Portal validate_phone_number check not work.
A management user can override an account that was not created by him.
7.4.026 Jan 2018 06:25
New database access layer (DAL) for upcoming multi-tenancy support.
New portal module to permanently set roles.
Added portal module for selecting a role for the device being registered on the portal.
Added support for Allied Telesis GS950 switches.
Added ability to update the firewall SSO on RADIUS accounting packets.
Added a way to define a VLAN by role as a VLAN pool using a VLAN range.
Added cloning capability in connection profiles.
Read and write timeouts for LDAP connections can now be set.
Keepalived can be configured to detect its peers via unicast instead of multicast.
Suggest violation identifier when adding a new violation.
Create a priority queue.
Move ReAssignVlan and desAssociate API calls to the priority queue.
Added connection profile SSID filter suggestions based on all the previous SSIDs that have been seen in the locationlog.
Added a description to the switches in the nodes side navigation.
Improved configuration of the captive portal timer bar (via the captive_portal section of pf.conf).
(AD Powershell scripts) Enforce use of TLS in the powershell scripts which is required with the last versions of PacketFence.
(AD Powershell scripts) Cycle through all the possible Active Directory usernames formats in PacketFence.
Removed old authentication code sources.
Added rule description in listing.
Set a timeout for database queries for the admin to avoid long running queries slowing the system.
Documentation improvement about MySQL advanced parameters.
Enhanced localization support in violation module.
Improved the haproxy HTTP process monitoring.
Improved cluster maintenance script to perform necessary system changes to have the node in maintenance.
Moved add and delete buttons to the left to avoid the being cutoff.
"Admin: Multiple 'Device Type' options in Nodes tab".
Configurator: when using a different database name, the fingerbank.conf MySQL section is not updated.
7.3.026 Sep 2017 06:25
Added a RADIUS only mode to PacketFence.
Add a cluster wide view of pfqueue statistics.
Added the possibility of importing switches from a CSV file..
The GUI will now display the VLAN in the locationlog view.
The timezone is now a selectable item to prevent invalid input.
Updated ACE text editor to version 1.2.8.
Search forms for nodes and users can now be reset.
Configuration files can now be saved in readonly mode except violation, switches, role.
Extended descriptions are now supported in the custom reports.
Mail can now be sent using SSL and StartTLS.
Self signed certificate errors for nessus 6 can now be ignored.
Violations can now be triggered by nessus 6 scanner.
The device registration page now supports connection profiles like any other portal.
The username sent in firewall SSO now supports a configurable format.
PacketFence will now monitor TLS certificates expiration and alert if they are expired.
LDAP source caching is now caching the rule match rather that the whole source match.
The admin GUI startup time has been decreased.
New and improved documentation for Debian clustering.
Show DHCP Option82 data in the node view.
Custom reports columns representing a node or a user can now be configured to be clickable for details on the object in question (#PR 2508).
New Fortigate 50E 802.1x support.
The computer authentication username can now be normalized when using EAP-TLS.
Added a task count jitter to reduce the chance that pfqueue workers exit at the same time.
Experimental support for Content Security Policy (CSP) has been added, but is disabled by default.
A violation can now redirect to a URL specified in a template.
The syslog parser has moved from Compliance to Integration in the GUI.
pfsso now logs in packetfence.log.
httpd.dispatcher now logs in httpd.dispatcher.log.
incorrect inline sub type detection.
ipset update with the incorrect ip address.
missing confirm prompt when restarting
7.2.011 Jul 2017 03:15
Added support for authenticating users through OpenID Connect.
Added passthroughs for devices in violation state (isolation network).
Added ability to report a device lost or stolen in self-service portal.
Added ability to change a local account password in self-service portal.
Improved overall user experience of self-service portal.
Use the attributes returned by a radius use source as attributes to compute the rules.
Most services now support systemd sd_notify notifications.
The GUI will now only display readonly actions in readonly mode.
Journald total file size is now capped at 1Gb.
The GUI will now allow sources to be cloned.
The GUI now visually splits Administration and Authentication rules when viewing sources.
The GUI now has the ability to run "permissions" from the web admin GUI.
haproxy captive portal rate-limiting is now configurable.
winbindd will now use the regular samba mechanisms to locate and select DCs.
New pfcmd command pfcmd pfqueue clear_expired_counters to clear the expired task counters.
Allow to disable the captive portal haproxy abuse access lists.
Added a cleanup of the number in the SMS source.
TLS certificates and keys will no longer be overwritten.
Limit the amount of tasks a worker processes to avoid memory from growing.
a case where the REJECT role isn't honored in inline and some web-auth.
Sponsor authentication CC address is now BCC to help preserve privacy.
Use plain HTTP for network access detection page.
an where DHCP broadcast were treated more than once in clustered mode.
incorrect user login remaining count display.
a case where pfqueue counters show a count of 0 although queue is full.
node_discovered is no longer triggered when node hasn't been created in DB.
Detect date was not being populated when nodes were discovered via radius.
leftover httpd processes when restarting.
Mariadb binary logs files are now properly rotated.
scss settings and colors being wipe
7.1.003 Jun 2017 03:15
Added support for web authentication (external captive-portal) on Ubiquiti Unifi Controller.
New Firewall/SSO (JSON-RPC) for communicating with custom firewalls.
VoIP detection: LLDP lookup enhancement.
Add a button to access status from device registration and the other way around.
Added the ability to specify multiple DNS server(s) for domain join configuration.
Allow to force a predefined sponsor during sponsor authentication.
Updated pfdns default filters.
Added brands icons to authentication source (i.e Twitter, PayPal etc..) in the administration interface.
Allow pfqueue workers to perform work across multiple queues.
Added a way to set time and bandwidth balance in action rule (requires accounting to work).
Don't display the mobileprovider field when doing SMS authentication with only one carrier enabled.
Added new reports in the administration interface.
Apache based services now support systemd sd_notify.
Dashboard metrics are now fetched over https.
Renamed Ubiquity to Ubiquiti.
Set up variable GOPATH correctly while setting up developer environment for go.
too large scoping of authentication sources.
Prevent usage of a 'Null' source in the device registration page.
duplicate nodes displaying when there are multiple locationlog entries.
an with the Instagram OAuth2 source, where the scope has been modified on the API.
and where the logging configuration was ignored for httpd.aaaa and httpd.webservices.
7.0.227 May 2017 10:45
With ip4log cleanup job when rotation was enabled.
Adjusted default ip4log retention to match what was in PacketFence version 7 and below.
Make REJECT role have precedence over bypass role and VLAN.
Make VLAN filters have precedence over bypass role and VLAN.
Useless sessions being created in web-auth in the dispatcher.
Load liblasso during runtime in order to prevent a segfault of Apache on Debian 8.8.
Syntax error in the guest_sponsor_preregistration email template.
Previewing email templates in the admin.
7.0.120 May 2017 03:15
Incorrect locationlog entry when performing RADIUS CoA.
Twilio: "To" phone number is being stripped of any "+" sign.
Radiusd load-balancer failing to start in cluster with eduroam.
Authentication sources ordering for portal modules when using the administration interface.
Innobackup tmp directory when used with Galera cluster.
Width of auth sources conditions fields.
Admin login when only allowed to see auditing section.
Locationlog entries for VOIP devices when no voice VLAN is defined.
Authentication sources cache in connection profile.
Loose matching of host in haproxy dispatcher.
Lost MySQL handle errors in pfconfig.
Handle sources activation host in haproxy dispatcher.
Incorrect handling of unregistration year.
Incorrect LDAP error when user not found.
File cloning in connection profile.
Display of roles in admin GUI.
Unregistration date handling when it is over 2038.
Logging errors for undefined values.
Queues blocking when forking.
Pagination in GUI node search.
OS type display in status page.
URL for connection profile preview.
7.0.019 Apr 2017 03:15
Added provisioning support for SentinelOne.
Added MariaDB Galera cluster support.
All services are now handled by systemd.
IPv6 network stack in PacketFence.
New Golang-based HTTP dispatcher.
New Golang-based pfsso service to handle the firewall SSO requests.
Revamped the Web administration GUI.
SNMP traps are now handled in pfqueue.
Added the ability to grant CLI write access for Extreme Networks switches.
Added a distributed cache for the accounting information to safely disable the SQL accounting records in active/active clusters.
Reduce the number of ipset calls when adding ports for Active Directory.
pfmon tasks has their own configuration file.
new command pfcmd pfmon - for running pfmon task via pfcmd.
CentOS repositories (packetfence and packetfence-devel) packages are now signed.
Added way to unregister devices that were inactive for a certain amount of time (maintenance.node_unreg_window).
Added a new last_seen column to nodes to track their last activity (Authentication, HTTP portal, DHCP).
Delete nodes based on the new last_seen column instead of looking at the last DHCP packet.
iplog: Floored lease time for "tolerance".
Can now restart the switchport where a node is connected from the administration interface.
Added interface description to location entries.
New pffilter filtering engine.
Ability to manage multiple "active" endpoints behind a single switchport.
pfdhcplistner now runs as a master-worker style service.
Added a winbindd wrapper for the PacketFence managed winbindd processes.
Added a caddy middleware for rate limiting the concurrent connections.
Updated the Ruckus SmartZone module to use the most recent webauth technique available.
Added vsys support for PaloAlto firewall SSO modules.
Portal Profile has been renamed to Connection Profile.
Move common flows / process of DHCP processors in base class.
Removed PacketFence-Authorization-Status attribute from the RADIUS replies to pre
6.5.124 Feb 2017 06:25
Incorrect node cleanup job handling.
Multiple firewall SSO not working when cached updates were enabled.
Removed usage of pf_memoize which could create a race condition when adding a node.
Incorrect locationlog informations because of a null role.
Syntax error in generated Suricata rules.
The Portal preview through the admin.
Extracting the SSID from the switch HP::Controller_MSM710.
6.5.031 Jan 2017 03:15
Twilio support as authentication source.
New Redis driven cache for NTLM (Active Directory) 802.1X authentications.
New Firewall SSO for WatchGuard.
Syslog based SSO support for Palo Alto firewalls.
Ubiquiti EdgeSwitch support.
New syslog receiver to update the iplog from Infoblox and ISC DHCP syslog lines.
Can now specify specific ports for passthroughs.
Added a RADIUS filter scope for VoIP devices.
Ability to customize the OU in which the machine account will be created.
Added new routes service to manage static routes.
Added an authentication source that prompts for the password of a predefined user.
Added Aruba webauth documentation.
Eduroam authentication sources can now match rule.
Maintenance patching can now use git in order to ignore files that shouldn't be patched via the maintenance script.
Can now print multiple guest passes per page without the AUP in the administration interface.
Allow to whitelist unregistered devices from violations.
Changed password.valid_from default value to "0000-00-00 00:00:00" so its value is valid across the whole application.
Added Percona xtrabackup restore procedure documentation.
Added a way to track if files backups and database backup succeeded.
pfmon will not register and start a process for disabled task.
Added a way to define two different ports for disconnect and CoA.
Configurator database step now takes care of 'mysql_secure_installation'.
Improved clustering guide for MariaDB and systemd.
Added a portal module action to skip other actions.
Reduced p0f CPU usage.
Updated collectd in order to have new graphs.
Do not "match" a rule if "requested" action if not configured in it.
Improved monit checks accuracy.
Rate limited the DHCP listener processes to prevent specific devices from performing a denial of service on the DHCP listening processes.
Improved performance of radacct database table cleanup.
Email templates can now be specified on a per-portal basis.
6.4.017 Nov 2016 07:45
Added Mojo Networks WiFi equipment support.
Made Web admin reports more interactive.
Added new Eduroam authentication source type.
Allow to create different portal templates based on the browser locale.
Improved IP log performance.
Added fault tolerance on RADIUS monitoring scripts.
Improved the database and maintenance backup script.
Added password caching support for Novell eDirectory.
Improved caching of LDAP person data.
Improved clustering documentation.
Added RADIUS command line interface support on port 1812.
Removed useless htaccess file search for each HTTP request.
Turned off HTTP KeepAlive to avoid connections holding onto Apache processes.
Added Cisco MSE documentation.
Ability to query 'iplog_archive' table for detailed IP/MAC history.
Now also display the status for sub services from the Web interface.
Requests made with username 'dummy' will not be recorded in the RADIUS audit log anymore.
More lightweight p0f processing.
Remove useless logging in pfdns.log.
Added an activation timeout on sponsor source.
Improved captive portal logging.
Allow the OAuth landing page template to be customizable.
Use RESTful call for RADIUS accounting instead of Perl.
Optimized getting node information from the database.
New action generateconfig for pfcmd service command.
Added memory limitation for httpd.portal processes.
Added predefined search in RADUIS audit log and DHCP Option 82 log.
Improved display of fingerprinting informations in the nodes search.
Allow captiveportal::Form::Authentication to be customize.
Default config overlay for switches.conf, profiles.conf, pfqueue.conf and violations.conf.
Optimized queries for finding open violations.
floating devices in active/active clusters.
and improved syntax of `pfcmd ipmachistory`.
wrong bandwidth calculation on RADIUS accounting.
empty Calling-Station-Id in RADIUS accounting.
Make sure connection caches are cleared after forking.
Added a wor
6.3.006 Oct 2016 03:25
Added EAP-FAST support.
MySQL is now supported as the Fingerbank database backend.
Integration with Cisco MSE adds maps, location based portals and notifications.
Added the ability to locate a device based on DHCP Option 82.
Added support for Meraki wired switches.
New SQL reporting allows creation of personalized reports.
Added support for Brocade CLI RADIUS authentication.
Added support for OpenWrt Chaos Calmer 15.05 with hostapd.
Added configuration conflict handling for active/active clusters.
Fingerbank configuration is now cached.
Removed the pf/var directory from the backups to make them smaller.
Fingerbank is now configurable from the initial PacketFence configurator.
Added support for Xirrus switches CLI RADIUS authentication.
Pinterest and Instagram are now supported as OAuth authentication sources.
Support for Suricata md5 extraction over SMTP protocol.
Added sample monit helper scripts under pf/addons.
Added support for custom AUP template per portal module.
Several improvements to Fingerbank to make it more user-friendly.
Added option to export nodes and users within the web administration interface.
Third parties can now extend what can be matched in profile filters.
PacketFence created interfaces will now be excluded from Red Hat's NetworkManager.
Added the ability to restrict the modification of node roles by a user.
Added timeout to captive portal to prevent long running requests.
Do not start pfqueue processes for pfdetect if it's not running.
6.2.110 Jul 2016 03:15
Forbid trace mode in Apache default configuration.
Improved validation of portal modules configuration.
Debian 7 failing to start httpd.admin.
Missing Metadefender configuration section.
Missing parameter for fetchVlanForNode in pfsetvlan.
Incorrect NAS-Port use for RADIUS CoA on Cisco WLCs.
Incorrect domain handling in Active/Active.
6.2.006 Jul 2016 06:05
Added missing index to radacct table.
Searching nodes for "all" devices.
Invalid destination URL parsing.
Handling of provisioner return code in violations.
Binding of IP addresses in Active/Active mode.
Cluster status page with pid files.
Missing person lookup when using 802.1x autoregistration.
Permission on logrotation.
Invalid i18n of MAC address in node location view.
L2 cache write error of new switches namespaces.
6.1.126 Jun 2016 06:45
Missing schema version insert in database upgrade script.
Too short CA cert validity in raddb/certs/passwords.mk.
6.1.022 Jun 2016 17:25
Added support for CoovaChilli capable equipment.
Added page to visualize the status of the services on all cluster members.
Added support for RADIUS Change of Authorization on Meraki.
Added configurable actions to be executed at the end of a portal module.
Automatic registration of devices is now configurable from the GUI on a per profile basis.
Added switch and switch group in violation trigger.
Added switch group as a portal profile filter.
Moved RADIUS audit log in its own module.
Saved searches support for the RADIUS audit log module.
The portal now supports RADIUS Challenge Response authentication.
Added module to redirect to internal or external pages within the portal modules configuration.
Added configuration checkup for cluster.conf.
Added ability to limit the number of logins when creating a local account.
Added choice of sending either RADIUS CoA or Disconnect when deauthenticating a device.
Admin interface is now available on all members of the cluster without the need of being the master.
FreeRADIUS now logs to a separate file per process (authentication, accounting, load-balancer).
Improved performance of the online/offline search.
profile filter saving incorrectly on Debian Jessie.
Numerous improvements to i18n in the portal and administration GUI.
e-mail registration not working when activating access through a proxy or firewall.
Authentication log (auth_log) will now be cleaned automatically via pfmon.
incorrect graphite aggregation of metrics when data should not be averaged.
6.0.304 Jun 2016 03:15
(Id is denoted with #id).
Example in vlan filters showing incorrect operand for user_name.
The display of the aup when printing a user.
Email_instructions blocking email registration.
FreeRADIUS dynamic clients hanging the server when the database fails to respond.
Violation_add when applying one through bulk actions.
Sessions remembering failed authentication sources.
to listen to DHCPREQUEST in registration network when in cluster mode.
6.0.227 May 2016 03:15
(Id is denoted with #id).
pfdns to prevent pid file deletion when a child dies.
PacketFence will now handle the case where a source in the session is not available anymore.
missing PID when using device registration.
Fingerbank update will no longer sync all servers anymore.
VoIP detection flags default will now be undef in admin interface.
Suricata renamed to suricata_event in violations.conf.example.
The captive portal will now handle User Agent strings properly.
PacketFence will now delete the user (not device) session after activating sponsor.
incorrect MAC address formatting in the reporting section of the GUI.
"reuse dot1x credentials" in captive portal.
incorrect SNMP traps handling.
incorrect MAC address handling in radius accounting.
Added a check to database backup script for mariadb.
unregistration date handling when using email registration.
6.0.129 Apr 2016 06:25
(Id is denoted with #id).
Added back the option to set the logo in a portal profile.
Blackhole and Null authentication portal modules.
Added missing username field in Debian maintenance crontab.
Web authentication web form release in captive portal.
Validate configuration identifiers so they don't contain invalid characters.
Incorrect samba handling of " h" in server name.
Registration ACL computing for Cisco WLC and 2960 in web authentication.
Adjust pfdetect startup order to allow Snort / Suricata to start.
Pfsetvlan compilation error.
Incorrect rogue dhcp detection.
6.0.020 Apr 2016 22:25
Fully redesigned frontend and backend of the captive portal.
'Parking' state for unregistered devices (where it will have a longer DHCP lease time and will only access a lightweight portal).
CentOS 7 and Debian 8 (Jessie) support.
RADIUS support for Avaya switches.
pfdns filter engine (added a way to return custom answers in pfdns).
Redirect URL are defined in Role by Web Auth URL switch configuration (Cisco).
Added support for Captive-Portal DHCP attribute (RFC7710).
Added Google Project Fi as a SMS carrier for SMS signup option.
FreeRADIUS 3 support with Redis integration.
Added ability to expire users.
Automatically update all the Fingerbank databases (Redis, p0f, SQLite3).
Do not allow the TRACE method to be used in any of the web processes.
Can now limit the maximum unregdate an administrator can set to a person.
Added option to disable the accounting recording in the SQL tables.
Added caching of the latest accounting request for use in access reevaluation.
Reduced the number of webservices calls during RADIUS accounting.
Added configuration for Apache 2.4 with Template Toolkit.
Added a timer for each RADIUS request (radius audit log).
Assign the voice role to VoIP devices when PacketFence detects them.
Renamed VLAN to Role in admin gui violation.
Unregister a node from a secure connection to an unsecured one is now managed by the VLAN filters.
Location history of a node show the role instead of the VLAN id.
Documentation to configure Cisco switches with Identity Networking Policy.
Trigger violation on source or destination IP address if they are in the trapping range networks.
Performance improvement for VoIP detection.
Added new RADIUS filter return option (random number in a range).
Reinstated iplog (iplog_history and iplog_archive) rotation/cleanup jobs performed by pfmon.
(Id is denoted with #id).
Compute unregistration for secure connections.
unescape value in LDAP search.
Apache 2.4 core d
5.7.018 Feb 2016 06:05
DNS based enforcement as a new enforcement mode for routed networks.
Captive portal authentication now supports SAML authentication.
It is now possible to search for nodes that are online based on RADIUS accounting.
Integration with Suricata MD5 extraction module to scan against OPSWAT MetaScan online scanner.
Support for floating devices on HP Procurve switches.
RADIUS CoA support added to Brocade switches.
The NULL authorization source can now be combined with other sources.
Added possibility to trigger Firewall Single Sign-On when an endpoint changes status.
The username on a captive portal will no longer be stripped unless required otherwise.
Improved UDP reflector documentation.
Improved vendor specific attributes in radius filters.
Now able to specify on which LDAP attribute we should match for SponsorEmail.
Now able to strip a username in LDAP source even if not present in RADIUS request.
(Id is denoted with #id).
incorrect provisioning that ignored broadcast state of provisioned SSID.
Present a login page without login form when a blackhole source is used on the portal profile.
incorrect provisioning templates that required entering a password twice.
ambiguous SQL accounting stored procedure that could return duplicate results.
incorrect IPv6 DHCP processing in pfdhcplistener.
5.6.126 Jan 2016 03:25
Pfcmd will now validate the violation configuration in checkup.
Pfdns cached entries will now expire after 24 hours.
(Id is denoted with #id).
Duplicate open entries in locationlog for voip devices.
Avoid circular dependency when loading pf::Authentication::Source::StripeSource (1160).
Incorrect Cisco switch ACL number.
Removed use of pf::class modules which caused compilation errors.
an incorrect reload of the cached configuration (1157).
5.6.014 Jan 2016 03:25
New RADIUS auditing report allows troubleshooting from the GUI.
The email authorization source now allows to set roles based on the email used to register.
New switch groups now allows to assign settings to multiple switches at once.
DHCP filters now allow arbitrary rules to perform actions based on DHCP fingerprinting.
Cisco switches login access can now be authenticated through PacketFence.
The filter engine configuration can now be edited through the admin GUI.
New dedicated search feature for violations in the nodes panel.
New pfcmd pfqueue command allows managing the queue from the command line.
New option to specify the authentication source to use depending on the RADIUS realm.
Upgrade Config::IniFiles to allow faster loading of configuration files.
Performance improvements to the filtering engine by avoiding unnecessary database lookups.
New columns bypass_vlan and bypass_role are allowed to be import for nodes.
Service start/stop order can now be configured through the admin GUI.
Pagination can now be defined by the user in the admin GUI search results.
The pfdns service now forks to process multiple requests in parallel.
Added configurable timeout for send/receive operations on the OMAPI socket.
The authorization process will now test if the role changed before reevaluating access.
New option to add date based VLAN filter condition (is before date, is after date).
pfconfig backend can now be cleared via pfcmd.
Improved RADIUS accounting handling for better performance.
(Id is denoted with #id).
Remove old entries in ipset session.
Always reevaluate the access if the order come from the admin gui.
Portal profiles templates are now properly synced between members of a cluster.
Process requests properly when running a pfdhcplistener on an interface that has networks with and without dhcpd activated.
Violation trigger from web admin will now override grace period.
queue task counters out of sync when
5.5.205 Dec 2015 03:15
pf::CHI::compute_with_undef now supports cache options.
Use the fingerbank cache instead of caching its result globally.
Update dependency to 2.1 for fingerbank.
(Id is denoted with #id).
Completed renaming of trap to reevaluate_access in violations.conf.example.
deauthentication source IP not detected properly when no vip is assigned on the management interface.
Use proper API client when triggering a violation within pf::fingerbank.
5.5.023 Nov 2015 02:25
New device detection through TCP fingerprinting.
New DHCPv6 fingerprinting through Fingerbank.
New RADIUS filter engine to return custom attributes based on rules.
Security Onion integration.
Paypal payment is now supported in the captive portal.
Stripe payment and subscriptions are now supported in the captive portal.
New pfqueue service based on Redis to manage asynchronous tasks.
Memcached has been replaced by Redis for all caching.
pfdetect can now be configured through the administration interface.
Added ability to detect hostname changes using the information in the DHCP packets.
Added the ability to create 'not equal' conditions in LDAP sources.
DoS mitigation on the captive portal through mod_evasive.
Load balancing in an active/active process now uses a dedicated process.
Authentication and accounting are now in two different RADIUS processes.
Reworked violation triggers creation in the administration interface so it's more user friendly.
Added the ability to create combined violation triggers which allow to trigger a violation based off multiple attributes of a node.
Suricata alerts can now trigger a violation based on the alert category or description instead of only the ID of the alert.
Added ability to e-mail device owner as a violation action.
The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurently.
New ntlm_auth wrapper will log authentication latency to StatsD automatically.
Handle Microsoft Windows based captive-portal detection mecanisms.
Manage pfdhcplistener status with keepalived and run pfdhcplistener on all cluster's members.
New portal profile filter (sub connection type).
Added switch IP and description in the available columns in the node list view.
Use SNMP to determine the ifindex based on the Nas-Port-Id.
Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA.
Added support for Nessus 6 scan
5.4.002 Oct 2015 03:15
PacketFence now supports SCEP integration with Microsoft's Network Enrollment Device Service during the device on-boarding process when using EAP-TLS.
Improved integration with social media networks (email address lookups from Github and Facebook sources, kickbox.io support, etc.).
External HTTP authentication sources support which allows an HTTP-based external API to act as an authentication source to PacketFence.
Introduced a 'packetfence_local' PKI provider to allow the use of locally generated TLS certificates to be used in a PKI provider / provisionner flow.
New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed.
Added the ability to define custom LDAP attributes in the configuration.
Add the ability to create "administrative" or "authentication" purposes rules in authentication sources.
Added support for Cisco SG300 switches.
RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam.
HAProxy TLS configuration has been restricted to modern ciphers.
Improved error message in the profile management page.
Allow precise error messages from the authentication source when providing invalid credentials on the captive portal.
Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X.
Added Kickbox.io authentication source which can allow a new Null type source with email validation.
Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed.
httpd.portal now serves static content directly (without going through Catalyst engine).
Introduction of a new configuration parameter (captive_portal.wispr_redirection) to allow enabling/disabling captive-portal WISPr redirection capabilities.
File transfers through the webservices are now atomic to prevent corruption.
New web API call to release all violations for a device.
Added better error message propagation d
5.3.126 Jul 2015 03:15
This is strictly a bug fix release.
It corrects the following:
Fixed radiusd dying due to OOM caused by pf::statsd calling on pf::config.
Fixed incorrect whisper retention policy affecting metrics such as server load and memory use.
Fixed SMS and email registration case where using a different device to register may set an incorrect role.
Added delete session reason to status page logout.
Fixed incorrect HTML escaping in LDAP and AD authentication sources.
5.3.022 Jul 2015 03:15
Support for Single Sign-On integration with the iboss platform.
Support for web authentication for NATed clients.
Support for MAC Authentication and 802.1x for Alcatel-Lucent switches.
Support for the IBM StackSwitch G8052 switch.
New Powershell scripts to allow unregistering nodes for disabled accounts on Active Directory.
Force a JSON response if the Accept header is set to 'application/json'.
Fingerbank processing in pfdhcplistener is now asyncronous using the webservices.
Integration of pfconfig commands in bin/pfcmd.
Added web form registration to Ruckus Controllers.
Improved database maintenance script to prevent prolonged locking of tables.
Active/Active mode will now send gratuitous ARPs to update routers when changing master node.
Fixed multiple XSS vulnerabilities in the administration GUI.
Fixed incorrect RADIUS realm detection when using windows computer authentication.
Fixed an issue with pfdns returning the wrong IP when using active/active mode.
Fixed an issue on Debian and Ubuntu where the GUI could not change some field values.
Fixed incorrect graphite document root on Ubuntu.
Fixed SMS bug where the list of carriers could be accidentally deleted.
5.2.019 Jun 2015 03:15
Introducing support for the PacketFence PKI application to manage certificates and authenticate RADIUS using EAP-TLS.
Twitter OAuth is now supported as an authentication source.
New 'portal' interface type to spawn a captive-portal instance on selected interface.
Traffic shaping support for Inline mode managed by an ipset session per devices role.
Support for OpenWrt 14.07 with hostapd.
Specific vhost for httpd.portal diagnostics.
Added option to disable logging of sensitive information when failing to execute a command through pf_run.
Support for Meraki APs using web authentication on the cloud controller.
Passwords are now obfuscated in the Switch configuration.
Introduced new 'ports.httpd_portal_modstatus' configuration parameter to limit modstatus to a single virtual host.
Allow the usage of an external monitoring database when using an Active/Active cluster.
Validate that a provisioner is not used before deleting it through the administration interface.
Stopped logging database password on schema import failure.
Fixed incorrect error message when an external portal authenticated device hits the unknown state.
5.0.203 May 2015 06:05
This release is a bug fix only. No new features were introduced.
Added availables options (submit unknowns and update database) to the Fingerbank Settings page.
PacketFence will now leave clients.conf.inc empty if cluster mode is disabled.
PacketFence will longer unregister a device in pending state if the device is hitting the portal more than once while in "pending" state.
Fixed broken violation release process.
Fixed multiple lines returning from pfconfig.
Fixed undefined variables in portal template files.
Fixed provisioners OS detection with Fingerbank.
5.0.123 Apr 2015 16:45
This release is a bug fix only. No new features were introduced.
A number of strings have seen their translations improved.
The Debian and Ubuntu documentation has been split and made clearer.
Detailed which features may not work in active/active cluster mode in the documentation.
Added missing CHI File driver.
Delete left over Config::Fingerprint module in Debian and Ubuntu.
Fixed pfmon not starting when running a standalone PF server.
Fixed broken OS reporting.
Added missing dependency on perl-SOAP-Lite for packetfence-remote-snort-sensor.
Updating iplog without a lease time now reset end_time to default (0000-00-00 00:00:00) to avoid "closing" a valid entry.
fixed pfcmd watch emailing functionality.
dhcpd will now properly obey the "disabled" configuration.
5.0.016 Apr 2015 17:45
New active/active clustering mode. This allows HTTP and RADIUS load balancing and improves availability.
Fingerbank integration for accurate devices fingerprinting. It is now easier than ever to share devices fingerprinting.
Built-in support for StatsD. This allows fine grained performance monitoring and can be used to create a dashboard using Graphite.
Local database passwords are now encrypted using bcrypt by default on all new installations. The old plaintext mode is still supported for legacy installations and to allow migration to the new mode.
Devices can now have a "bypass role" that allows the administrator to manage them completely manually. This allows for exceptions to the authorization rules.
Support for ISC DHCP OMAPI queries. This allows PacketFence to dynamically query a dhcpd instance to establish IP to MAC mappings.
Completely rewritten pfcmd command. pfcmd is now much easier to extend and will allow us to integrate more features in the near future.
Rewritten IP/MAC mapping (iplog). Iplog should now never overflow.
New admin role action USERS_CREATE_MULTIPLE for finer grained control of the admin GUI. An administrative account can now be prevented from creating more than one other account.
PacketFence will no longer start MySQL when starting.
PacketFence will accept to start even if there are no internal networks.
Added a new listening port to pfdhcplistener to listen for replicated traffic.
Added a 'default' default user in replacement of the admin one.
Adds support for HP ProCurve 2920 switches.
Iptables will now allow access to the captive portal from the production network by default.
Major documentation rewrite and improvements.
Fixed violations applying portal redirection when using web authentication on a Cisco WLC.
Registration and Isolation VLAN ids can now be any string allowed by the RFCs.
Devices can no longer remain in "pending" state indefinitely.
4.7.007 Mar 2015 18:25
The admin GUI is now customizable.
New category filter on portal profile allows to select a portal based on existing role of a device.
New PacketFence-config service allows effortless scaling to thousands of switches and reduces memory use.
Nodes are now searchable by status.
Removed SSLv3 and legacy ciper suites support from default httpd configuration to prevent POODLE exploit and FREAK attack.
Added an option to display Bypass VLAN of a node in the Admin GUI.
Added nested groups support for Active Directory.
It is now possible to check if a device has already authenticated as member of an Active-Directory domain prior to user authentication.
Improved portal language detection.
Devices will now avoid autocorrect / uppercasing the login field in the captive portal.
Now supports roaming without SNMP on Aerohive APs.
Fixed broken default behaviour when receiving an SNMP trap.
Fixed email confirmation template for sponsor.
Fixed email subject encoding.
Fixes allowing a non-sponsored user to verify a sponsored email address.
Fixed invalid floating device creation where the MAC address was not normalized.
Fixed the date range search in node advanced search.
4.6.120 Feb 2015 03:25
Fix dynamic unregdate breaking when handling the infinite unregdate '0000-00-00'
Fixed issue where the same password can be generated multiple times
Assigned LC_CTYPE to C during postinstall script on debian to prevent i18n issues during installation.
Fixed dynamic_unreg_dated called from the wrong place
Fix searching for switches in the admin gui
4.6.005 Feb 2015 03:15
feature security cleanup:
Added support for MAC authentication on the AeroHIVE Branch Router 100
Added support for MAC authentication floating devices on Juniper EX series, and on the Cisco Catalyst series
Added a hybrid 802.1x + web authentication mode for Cisco Catalyst 2960
Added a web notification when network access is granted
Added the ability to tag functions that are allowed to be exposed through the web API
Added WiFi autoconfiguration for Windows through packetfence-windows-agent
Added a "Chained" authentication source where a user must first login in order to register by SMS, Email or SponsorEmail
Added call to the web API from the VLAN filters
Added a way to retrieve user information after the first registration
Added the ability to filter profiles by connection type
Profiles can be matched by all or any of its filters
Can optionally cache the results of LDAP rule matching for a user
New portal profile parameter to set a retry limit for SMS-based activation
The information available from an OAuth source are now added to the person when registering
Allow limiting the user login attempts
Added Check Point firewall integration for Single Sign-On
Added httpd.aaa service as a new API service for the exclusive use of RADIUS
More precisely define which DHCP message types we are listening for
Removed dead code referring to 'external' interface type which was no longer supported
Added VLAN filter in getNodeInfoForAutoReg and update/create person even if the device has been autoreg
Refactored the VLAN filter code to reduce code duplication
Added IMG path configuration parameter in admin
Added the ability to restrict the roles, access levels and access durations for admin users based on their role/access level
Reduced deadlocks caused by the cleaning of the iplog table
Reduced deadlocks caused by the cleaning of the locationlog table
Reorganized the portal profile configuration page
Added checkup on Apache filters and VLAN filters
Created a single LDAP connection
4.5.111 Nov 2014 02:45
Added compliance enforcement to OPSWAT GEARS provisioner.
Make Cisco web authentication sessions use less memory.
Internationalized the provisioners templates.
Fix node pagination when sorting.
Fix provisioners that were not enforced on external authentication sources.
Fix IBM and Symantec provisioners configuration form.
4.5.024 Oct 2014 10:25
Added provisioning support for Symantec SEPM, MobileIron and OPSWAT.
Added Barracuda firewall support for single sign-on.
pfmon can now run tasks on different intervals.
Added a way to reevaluate the access of a node from the admin interface.
Added a "Blackhole" authentication source.
Added a new violation to enforce provisioning of agents.
Violation can now be delayed.
Added portal profile filter based on switch-port couple.
Cache the ipset rule update to avoid unnecessary calls to ipset.
Dynamically load violations and nodes for a user for display in admin gui.
Dynamically load violations for a node for display in admin gui.
Ensure only one pfmon is running at a time.