Discussion:
[PacketFence-devel] ANN: PacketFence 5.4.0
Ludovic Marcotte
2015-10-01 20:34:00 UTC
The Inverse team is pleased to announce the immediate availability of
PacketFence 5.4.0. This is a major release with new features,
enhancements and important bug fixes. This release is considered ready
for production use and upgrading from previous versions is strongly advised.


What is PacketFence ?

PacketFence is a fully supported, trusted, Free and Open Source Network
Access Control (NAC) solution. Boasting an impressive feature set,
PacketFence can be used to effectively secure small to very large
heterogeneous networks.

Among the features provided by PacketFence, there are:

* powerful BYOD (Bring Your Own Device) capabilities
* state-of-the-art device fingerprinting with Fingerbank
* multiple enforcement methods including Role-Based Access Control
(RBAC) and hotspot-style
* compliance checks for endpoints present on your network
* integration with various vulnerability scanners, intrusion detection
solutions, security agents and firewalls
* bandwidth accounting for all devices

A complete overview of the solution is available from the official
website: http://www.packetfence.org/about/overview.html


Changes Since Previous Release

*New Features*

* PacketFence now supports SCEP integration with Microsoft's Network
Enrollment Device Service during the device on-boarding process when
using EAP-TLS
* Improved integration with social media networks (email address
lookups from Github and Facebook sources, kickbox.io support, etc.)
* External HTTP authentication sources support which allows an
HTTP-based external API to act as an authentication source to
PacketFence
* Introduced a 'packetfence_local' PKI provider to allow the use of
locally generated TLS certificates to be used in a PKI provider /
provisioner flow
* New filtering engine for the portal profiles allowing complex rules
to determine which portal will be displayed
* Added the ability to define custom LDAP attributes in the configuration
* Add the ability to create "administrative" or "authentication"
purposes rules in authentication sources
* Added support for Cisco SG300 switches

*Enhancements*

* RADIUS Diffie-Hellman key size has been increased to 2048 bits to
prevent attacks such as Logjam
* HAProxy TLS configuration has been restricted to modern ciphers
* Improved error message in the profile management page
* Allow precise error messages from the authentication source when
providing invalid credentials on the captive portal
* Aruba WiFi controllers now support wired RADIUS MAC authentication
and 802.1X
* Added Kickbox.io authentication source which can allow a new Null
type source with email validation
* Now redirecting to HTTP for devices that do not support self-signed
certificates on the captive portal if needed
* httpd.portal now serves static content directly (without going
through Catalyst engine)
* Introduction of a new configuration parameter
(captive_portal.wispr_redirection) to allow enabling/disabling
captive-portal WISPr redirection capabilities
* File transfers through the webservices are now atomic to prevent
corruption
* New web API call to release all violations for a device
* Added better error message propagation during a cluster synchronization
* Added additional in-process caching for pfconfig proxied configuration
* The server hostname is now displayed in the admin info box
* Added a warning in the configurator when the user is configuring
multiple interfaces in the same network
* Added synchronization of the Fingerbank data in an active/active cluster
* Client IP and MAC address are now available through direct variables
in the captive portal templates
* The IPlog can now be updated through RADIUS accounting
* Devices in the registration VLAN may now be allowed to reach an
Active Directory Server
* Added an option to centralize deauthentication on the management
node of an active/active cluster
* Added the option to use only the management node as the DNS server
in active/active clustering
* Improved Ruckus ZoneDirector documentation regarding external
captive portal
* pfconfig daemon can now listen on an alternative unix socket
* Improved handling of updating the /etc/sudoers file in packaging
* Improved roles handling on AeroHive devices

*Bug Fixes (bug Id is denoted with #id)*

* Fix case where status page links would be pointing to the wrong
protocol (HTTP vs HTTPS)
* set_unreg_date and set_access_duration actions now have the same
priority when matching rule and actions (#816)
* Fixes the database query hanging in the captive portal
* The person attributes lookup will now be made on the stripped
username if needed (#888)
* Active/active load balancing will now be dispatched based on the
Calling-Station-Id attribute.
* Fix inaccessible portal preview when no internal network is defined
(#790)
* Fixed a case where the wrong portal profile can be instantiated on
the first connection
* Improved error message in the profile management page (#858)
* Do not use the PacketFence multi-domain FreeRADIUS module unless
there are domains configured in PacketFence (#868)
* We now handle gracefully switches sending double Calling-Station-Id
attributes (#864)
* Prevent OMAPI from being configured on the DHCP server without a key
(#851)
* Switched to the memcached binary protocol to avoid memcached
injection exploit
* Fixed ipset error if the device switches from one inline network to
another
* Fixed wrong configuration parameters for redirect url (now a
per-profile parameter)
* Fix bug with validation of mandatory fields causing exceptions in signup
* Made DHCP point DNS only on cluster IP if passthroughs are enabled
in active/active clusters (#820)
* Defined the maximum message size that SNMP get can return (fixes
VOIP LLDP/CDP detection on switch stacks #738)

See https://github.com/inverse-inc/packetfence/commits/packetfence-5.4.0 for
the complete change log.

See the UPGRADE file for notes about
upgrading: https://github.com/inverse-inc/packetfence/tree/packetfence-5.4.0/UPGRADE.asciidoc


Getting PacketFence

PacketFence is free software and is distributed under the GNU GPL. As
such, you are free to download and try it by either getting the new
release or by getting the
sources: http://www.packetfence.org/development/sourcecode.html

Documentation about the installation and configuration of PacketFence is
also available: http://www.packetfence.org/documentation/


How Can I Help ?

PacketFence is a collaborative effort in order to create the best Free
and Open Source NAC solution. There are multiple ways you can contribute
to the project:

* Documentation reviews, enhancements and translations
* Feature requests or by sharing your ideas
* Participate in the discussion on mailing lists
(http://www.packetfence.org/support/community.html)
* Patches for bugs or enhancements
* Provide new translations of remediation pages


Getting Support

For any questions, do not hesitate to contact us by writing
***@inverse.ca

You can also fill our online form (http://www.inverse.ca/#contact) and a
representative from Inverse will contact you.

Inverse offers professional services to organizations willing to secure
their wired and wireless networks with the PacketFence solution.
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)