http://open-source-security-software.net/project/PacketFence/releases.atom Recent releases for PacketFence 2025-04-29T10:32:52.312054+00:00 python-feedgen PacketFence packetfence-5.4.0 PacketFence packetfence-5.4.0 2015-10-01T20:20:07+00:00 ### New Features - PacketFence now supports SCEP integration with Microsoft's Network Enrollment Device Service during the device on-boarding process when using EAP-TLS - Improved integration with social media networks (email address lookups from Github and Facebook sources, kickbox.io support, etc.) - External HTTP authentication sources support which allows an HTTP-based external API to act as an authentication source to PacketFence - Introduced a 'packetfence_local' PKI provider to allow the use of locally generated TLS certificates to be used in a PKI provider / provisioner flow - New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed - Added the ability to define custom LDAP attributes in the configuration - Add the ability to create "administrative" or "authentication" purposes rules in authentication sources - Added support for Cisco SG300 switches ### Enhancements - RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam - HAProxy TLS configuration has been restricted to modern ciphers - Improved error message in the profile management page - Allow precise error messages from the authentication source when providing invalid credentials on the captive portal - Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X - Added Kickbox.io authentication source which can allow a new Null type source with email validation - Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed - httpd.portal now serves static content directly (without going through Catalyst engine) - Introduction of a new configuration parameter (captive_portal.wispr_redirection) to 
allow enabling/disabling captive-portal WISPr redirection capabilities - File transfers through the webservices are now atomic to prevent corruption - New web API call to release all violations for a device - Added better error message propagation during a cluster synchronization - Added additional in-process caching for pfconfig proxied configuration - The server hostname is now displayed in the admin info box - Added a warning in the configurator when the user is configuring multiple interfaces in the same network - Added synchronization of the Fingerbank data in an active/active cluster - Client IP and MAC address are now available through direct variables in the captive portal templates - The IPlog can now be updated through RADIUS accounting - Devices in the registration VLAN may now be allowed to reach an Active Directory Server - Added an option to centralize deauthentication on the management node of an active/active cluster - Added the option to use only the management node as the DNS server in active/active clustering - Improved Ruckus ZoneDirector documentation regarding external captive portal - pfconfig daemon can now listen on an alternative unix socket - Improved handling of updating the /etc/sudoers file in packaging - Improved roles handling on AeroHive devices ### Bug Fixes - Fix case where status page links would be pointing to the wrong protocol (HTTP vs HTTPS) - set_unreg_date and set_access_duration actions now have the same priority when matching rule and actions ([#816](http://packetfence.org/bugs/view.php?id=816)) - Fixes the database query hanging in the captive portal - The person attributes lookup will now be made on the stripped username if needed ([#888](http://packetfence.org/bugs/view.php?id=888)) - Active/active load balancing will now be dispatched based on the Calling-Station-Id attribute. 
- Fix unaccessible portal preview when no internal network is defined ([#790](http://packetfence.org/bugs/view.php?id=790)) - Fixed a case where the wrong portal profile can be instantiated on the first connection - Improved error message in the profile management page ([#858](http://packetfence.org/bugs/view.php?id=858)) - Do not use the PacketFence multi-domain FreeRADIUS module unless there are domains configured in PacketFence ([#868](http://packetfence.org/bugs/view.php?id=868)) - We now handle gracefully switches sending double Calling-Station-Id attributes ([#864](http://packetfence.org/bugs/view.php?id=864)) - Prevent OMAPI from being configured on the DHCP server without a key ([#851](http://packetfence.org/bugs/view.php?id=851)) - Switched to the memcached binary protocol to avoid memcached injection exploit - Fixed ipset error if the device switches from one inline network to another - Fixed wrong configuration parameters for redirect url (now a per-profile parameter) - Fix bug with validation of mandatory fields causing exceptions in signup - Made DHCP point DNS only on cluster IP if passthroughs are enabled in active/active clusters ([#820](http://packetfence.org/bugs/view.php?id=820)) - Defined the maximum message size that SNMP get can return (fixes VOIP LLDP/CDP detection on switch stacks #738) 2015-10-01T20:20:07+00:00 PacketFence packetfence-5.5.0 PacketFence packetfence-5.5.0 2015-12-03T13:49:59+00:00 ### New Features - New device detection through TCP fingerprinting - New DHCPv6 fingerprinting through Fingerbank - New RADIUS filter engine to return custom attributes based on rules - Security Onion integration - Paypal payment is now supported in the captive portal - Stripe payment and subscriptions are now supported in the captive portal ### Enhancements - New pfqueue service based on Redis to manage asynchronous tasks - Memcached has been replaced by Redis for all caching - pfdetect can now be configured through the administration interface - 
Added ability to detect hostname changes using the information in the DHCP packets - Added the ability to create 'not equal' conditions in LDAP sources - DoS mitigation on the captive portal through mod_evasive - Load balancing in an active/active process now uses a dedicated process - Authentication and accounting are now in two different RADIUS processes - Reworked violation triggers creation in the administration interface so it's more user friendly - Added the ability to create combined violation triggers which allow to trigger a violation based off multiple attributes of a node - Suricata alerts can now trigger a violation based on the alert category or description instead of only the ID of the alert - Added ability to e-mail device owner as a violation action - The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurrently - New ntlm_auth wrapper will log authentication latency to StatsD automatically - Handle Microsoft Windows based captive-portal detection mechanisms - Manage pfdhcplistener status with keepalived and run pfdhcplistener on all cluster's members - New portal profile filter (sub connection type) - Added switch IP and description in the available columns in the node list view - Use SNMP to determine the ifindex based on the Nas-Port-Id - Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA - Added support for Nessus 6 scan engine - Added documentation for the Cisco iOS XE switches - Reworked existing billing providers to be PCI compliant - Billing providers are now part of the authentication sources - Billing tiers are now stored in the configuration instead of the source code files - Billing sources can now be used with other authentication sources on the same portal profile - DHCP packet processing is now fully done asynchronously to allow more PPS in the pfdhcplistener ### Bug Fixes (bug Id is denoted with #id) - Fixed log rotation issue with the carbon 
daemons - Fixed LLDP phone detection if only telephone capability is enabled ([#964](https://github.com/inverse-inc/packetfence/issues/964)) - Fixed keepalived and iptables configuration for portal interfaces - Fixed improper httpd status code being set - Removed the node delete button - Fixed detection if the device asks for a portal per URI - Fixed 3Com switches ifIndex calculation in stack mode using SNMP - Not-found users will now be cached when using the caching in an LDAP source ([#978](https://github.com/inverse-inc/packetfence/issues/978)) - Updating a node puts an invalid entry in the voip field 2015-12-03T13:49:59+00:00 PacketFence packetfence-5.5.1 PacketFence packetfence-5.5.1 2015-12-03T13:50:44+00:00 ### Bug Fixes - pfdns will now resolve its own domain correctly - Fixed missing violation_view_top call in radius filter - Fixed equals operator in LDAP rule 2015-12-03T13:50:44+00:00 PacketFence packetfence-5.5.2 PacketFence packetfence-5.5.2 2016-02-19T13:23:38+00:00 ### Enhancements - pf::CHI::compute_with_undef now supports cache options - Use the fingerbank cache instead of caching its result globally. - Update dependency to 2.1 for fingerbank. 
### Bug Fixes (bug Id is denoted with #id) - Completed renaming of trap to reevaluate_access in violations.conf.example - Fixed deauthentication source IP not detected properly when no vip is assigned on the management interface ([#1035](https://github.com/inverse-inc/packetfence/issues/1035)) - Use proper API client when triggering a violation within pf::fingerbank 2016-02-19T13:23:38+00:00 PacketFence packetfence-5.6.0 PacketFence packetfence-5.6.0 2016-02-19T13:24:13+00:00 ### New Features - New RADIUS auditing report allows troubleshooting from the GUI - The email authorization source now allows to set roles based on the email used to register - New switch groups now allows to assign settings to multiple switches at once - DHCP filters now allow arbitrary rules to perform actions based on DHCP fingerprinting - Cisco switches login access can now be authenticated through PacketFence - The filter engine configuration can now be edited through the admin GUI ### Enhancements - New dedicated search feature for violations in the nodes panel - New pfcmd pfqueue command allows managing the queue from the command line - New option to specify the authentication source to use depending on the RADIUS realm - Upgrade Config::IniFiles to allow faster loading of configuration files - Performance improvements to the filtering engine by avoiding unnecessary database lookups - New columns bypass_vlan and bypass_role are allowed to be imported for nodes - Service start/stop order can now be configured through the admin GUI - Pagination can now be defined by the user in the admin GUI search results - The pfdns service now forks to process multiple requests in parallel - Added configurable timeout for send/receive operations on the OMAPI socket - The authorization process will now test if the role changed before reevaluating access - New option to add date based VLAN filter condition (is before date, is after date) - pfconfig backend can now be cleared via pfcmd - Improved RADIUS 
accounting handling for better performance ### Bug Fixes (bug Id is denoted with #id) - Remove old entries in ipset session - Always reevaluate the access if the order comes from the admin gui ([#1056](https://github.com/inverse-inc/packetfence/issues/1056)) - Portal profiles templates are now properly synced between members of a cluster ([#942](https://github.com/inverse-inc/packetfence/issues/942)) - Process requests properly when running a pfdhcplistener on an interface that has networks with and without dhcpd activated - Violation trigger from web admin will now override grace period ([#1028](https://github.com/inverse-inc/packetfence/issues/1028)) - Fix queue task counters out of sync when a task expires - Reworked the configuration backends to prevent a race condition of the configuration namespaces in active/active cluster ([#1067](https://github.com/inverse-inc/packetfence/issues/1067)) - Define each internal network to NAT instead of a global rule when passthroughs are enabled ([#1118](https://github.com/inverse-inc/packetfence/issues/1118)) 2016-02-19T13:24:13+00:00 PacketFence packetfence-5.6.1 PacketFence packetfence-5.6.1 2016-02-19T13:24:44+00:00 ### Enhancements - pfcmd will now validate the violation configuration in checkup - pfdns cached entries will now expire after 24 hours ### Bug Fixes (bug Id is denoted with #id) - Fix duplicate open entries in locationlog for voip devices - Avoid circular dependency when loading pf::Authentication::Source::StripeSource (1160) - Fix incorrect Cisco switch ACL number - Removed use of pf::class modules which caused compilation errors - Fixed an incorrect reload of the cached configuration (1157) 2016-02-19T13:24:44+00:00 PacketFence packetfence-5.7.0 PacketFence packetfence-5.7.0 2016-02-19T13:25:43+00:00 ### New Features - DNS based enforcement as a new enforcement mode for routed networks - Captive portal authentication now supports SAML authentication - It is now possible to search for nodes that are online 
based on RADIUS accounting - Integration with Suricata MD5 extraction module to scan against OPSWAT MetaScan online scanner ### Enhancements - Support for floating devices on HP Procurve switches - RADIUS CoA support added to Brocade switches - The NULL authorization source can now be combined with other sources - Added possibility to trigger Firewall Single Sign-On when an endpoint changes status - The username on a captive portal will no longer be stripped unless required otherwise - Improved UDP reflector documentation - Improved vendor specific attributes in radius filters - Now able to specify on which LDAP attribute we should match for SponsorEmail - Now able to strip a username in LDAP source even if not present in RADIUS request ### Bug Fixes - Fixed incorrect provisioning that ignored broadcast state of provisioned SSID - Present a login page without login form when a blackhole source is used on the portal profile ([#1021](https://github.com/inverse-inc/packetfence/issues/1021)) - Fixed incorrect provisioning templates that required entering a password twice ([#1119](https://github.com/inverse-inc/packetfence/issues/1119)) - Fixed ambiguous SQL accounting stored procedure that could return duplicate results - Fixes incorrect IPv6 DHCP processing in pfdhcplistener 2016-02-19T13:25:43+00:00 PacketFence packetfence-6.0.0 PacketFence packetfence-6.0.0 2016-04-29T12:22:55+00:00 ### New Features - Fully redesigned frontend and backend of the captive portal - Parking state for unregistered devices (where it will have a longer DHCP lease time and will only access a lightweight portal) - CentOS 7 and Debian 8 (Jessie) support - RADIUS support for Avaya switches - New filter engine to return custom answers in pfdns - Redirect URL are defined in Role by Web Auth URL switch configuration (Cisco) - Added support for Captive-Portal DHCP attribute (RFC7710) - Added Google Project Fi as a SMS carrier for SMS signup option - FreeRADIUS 3 support with Redis integration ### 
Enhancements - Added ability to expire users - Automatically update all the Fingerbank databases (Redis, p0f, SQLite3) - Do not allow the TRACE method to be used in any of the web processes - Can now limit the maximum unregdate an administrator can set to a person - Added option to disable the accounting recording in the SQL tables - Added caching of the latest accounting request for use in access reevaluation - Reduced the number of webservices calls during RADIUS accounting - Added configuration for Apache 2.4 with Template Toolkit - Added a timer for each RADIUS request (radius audit log) - Assign the voice role to VoIP devices when PacketFence detects them - Renamed VLAN to Role in admin GUI violation - Unregistering a node from a secure connection to an unsecured one is now managed by the VLAN filters - Location history of a node now shows the role instead of the VLAN id - Documentation to configure Cisco switches with Identity Networking Policy - Trigger violation on source or destination IP address only if they are in the trapping range networks - Performance improvement for VoIP detection - Added new RADIUS filter return option (random number in a range) - Reinstated iplog (iplog_history and iplog_archive) rotation/cleanup jobs performed by pfmon - An asynchronous LDAP lookup is now done on each 802.1x request to populate the person fields for that user ### Bug Fixes - Compute unregistration date for secure connections - Fixed unescape value in LDAP search - Fixed Apache 2.4 core dump - Fixed update locationlog from accounting start with the wrong connection type 2016-04-29T12:22:55+00:00 PacketFence packetfence-6.0.1 PacketFence packetfence-6.0.1 2016-04-29T12:24:37+00:00 ### Bug Fixes - Added back the option to set the logo in a portal profile - Fixed Blackhole and Null authentication portal modules ([#1439](https://github.com/inverse-inc/packetfence/issues/1439)) - Added missing username field in Debian maintenance crontab - Fixed web authentication 
web form release in captive portal - Validate configuration identifiers so they don't contain invalid characters ([#1417](https://github.com/inverse-inc/packetfence/issues/1417)) - Fixed incorrect samba handling of "%h" in server name - Fixed registration ACL computing for Cisco WLC and 2960 in web authentication - Adjust pfdetect startup order to allow Snort / Suricata to start - Fixed pfsetvlan compilation error - Fixed violations internationalization - Fix incorrect rogue dhcp detection 2016-04-29T12:24:37+00:00 PacketFence packetfence-6.0.2 PacketFence packetfence-6.0.2 2016-06-21T17:45:39+00:00 ### Bug Fixes - Fixed pfdns to prevent pid file deletion when a child dies ([#1444](https://github.com/inverse-inc/packetfence/issues/1444)) - PacketFence will now handle the case where a source in the session is not available anymore - Fixed missing PID when using device registration ([#1447](https://github.com/inverse-inc/packetfence/issues/1447)) - Fingerbank update will no longer sync all servers anymore - VoIP detection flags default will now be undef in admin interface - Suricata renamed to suricata_event in violations.conf.example - The captive portal will now handle User Agent strings properly - PacketFence will now delete the user (not device) session after activating sponsor - Fixed incorrect MAC address formatting in the reporting section of the GUI - Fixed "reuse dot1x credentials" in captive portal - Fixed incorrect SNMP traps handling - Fixed incorrect MAC address handling in radius accounting - Added a check to database backup script for mariadb - Fixed unregistration date handling when using email registration 2016-06-21T17:45:39+00:00 PacketFence packetfence-6.0.3 PacketFence packetfence-6.0.3 2016-06-21T17:46:21+00:00 ### Bug Fixes - Fixed example in vlan filters showing incorrect operand for user_name - Fixed the display of the aup when printing a user - Fixed email_instructions blocking email registration - Fixed FreeRADIUS dynamic clients hanging 
the server when the database fails to respond ([#1500](https://github.com/inverse-inc/packetfence/issues/1500)) - Fixed violation_add when applying one through bulk actions ([#1510](https://github.com/inverse-inc/packetfence/issues/1510)) - Fixed sessions remembering failed authentication sources - Fixed to listen to DHCPREQUEST in registration network when in cluster mode 2016-06-21T17:46:21+00:00 PacketFence packetfence-6.1.0 PacketFence packetfence-6.1.0 2016-06-21T17:47:23+00:00 ### New Features - Added support for CoovaChilli capable equipment - Added page to visualize the status of the services on all cluster members - Added support for RADIUS Change of Authorization on Meraki - Added configurable actions to be executed at the end of a portal module - Automatic registration of devices is now configurable from the GUI on a per profile basis - Added switch and switch group in violation trigger - Added switch group as a portal profile filter - Moved RADIUS audit log in its own module - Saved searches support for the RADIUS audit log module - The portal now supports RADIUS Challenge Response authentication ### Enhancements - Added module to redirect to internal or external pages within the portal modules configuration - Added configuration checkup for cluster.conf - Added ability to limit the number of logins when creating a local account - Added choice of sending either RADIUS CoA or Disconnect when deauthenticating a device - Admin interface is now available on all members of the cluster without the need of being the master - FreeRADIUS now logs to a separate file per process (authentication, accounting, load-balancer) - Improved performance of the online/offline search ### Bug Fixes - Fix profile filter saving incorrectly on Debian Jessie - Numerous improvements to i18n in the portal and administration GUI - Fixed e-mail registration not working when activating access through a proxy or firewall - Authentication log (auth_log) will now be cleaned automatically 
via pfmon ([#1511](https://github.com/inverse-inc/packetfence/issues/1511)) - Fixes incorrect graphite aggregation of metrics when data should not be averaged 2016-06-21T17:47:23+00:00 PacketFence packetfence-6.1.1 PacketFence packetfence-6.1.1 2016-06-23T12:31:07+00:00 ### Bug Fixes - Fixed missing schema version insert in database upgrade script - Fixed too short CA cert validity in raddb/certs/passwords.mk 2016-06-23T12:31:07+00:00 PacketFence packetfence-6.2.0 PacketFence packetfence-6.2.0 2017-01-30T19:37:45+00:00 ### Bug Fixes - Added missing index to radacct table (fixes #1586) - Fixed searching nodes for "all" devices (fixes #1584) - Fixed invalid destination URL parsing - Fixed handling of provisioner return code in violations - Fixed binding of IP addresses in Active/Active mode - Fixed cluster status page issues with pid files - Fixed missing person lookup when using 802.1x autoregistration - Fixed permission issue on logrotation - Fixed invalid i18n of MAC address in node location view (fixes #1591) - Fixed L2 cache write error of new switches namespaces 2017-01-30T19:37:45+00:00 PacketFence packetfence-6.2.1 PacketFence packetfence-6.2.1 2017-01-30T19:38:25+00:00 ### Enhancements - Forbid trace mode in Apache default configuration - Improved validation of portal modules configuration ### Bug Fixes - Fixed Debian 7 failing to start httpd.admin - Fixed missing Metadefender configuration section - Fixed missing parameter for fetchVlanForNode in pfsetvlan - Fixed incorrect NAS-Port use for RADIUS CoA on Cisco WLCs - Fix incorrect domain handling in Active/Active 2017-01-30T19:38:25+00:00 PacketFence packetfence-6.3.0 PacketFence packetfence-6.3.0 2017-01-30T19:38:54+00:00 ### New Features - Added EAP-FAST support - MySQL is now supported as the Fingerbank database backend - Integration with Cisco MSE adds maps, location based portals and notifications - Added the ability to locate a device based on DHCP Option 82 - Added support for Meraki wired switches - 
New SQL reporting allows creation of personalized reports ### Enhancements - Added support for Brocade CLI RADIUS authentication - Added support for OpenWrt Chaos Calmer 15.05 with hostapd - Added configuration conflict handling for active/active clusters - Fingerbank configuration is now cached - Removed the pf/var directory from the backups to make them smaller - Fingerbank is now configurable from the initial PacketFence configurator - Added support for Xirrus switches CLI RADIUS authentication - Pinterest and Instagram are now supported as OAuth authentication sources - Support for Suricata md5 extraction over SMTP protocol - Added sample monit helper scripts under pf/addons - Added support for custom AUP template per portal module - Several improvements to Fingerbank to make it more user-friendly - Added option to export nodes and users within the web administration interface - Third parties can now extend what can be matched in profile filters - PacketFence created interfaces will now be excluded from Red Hat's NetworkManager - Added the ability to restrict the modification of node roles by a user ### Bug Fixes - Added timeout to captive portal to prevent long running requests ([#1570](https://github.com/inverse-inc/packetfence/issues/1570)) - Do not start pfqueue processes for pfdetect if it's not running ([#1593](https://github.com/inverse-inc/packetfence/issues/1593)) 2017-01-30T19:38:54+00:00 PacketFence packetfence-6.4.0 PacketFence packetfence-6.4.0 2017-01-30T19:44:27+00:00 ### New Features - Added Mojo Networks WiFi equipment support (PR #1765) - Made Web admin reports more interactive (PR #1731) - Added new Eduroam authentication source type (PR #1642) - Allow to create different portal templates based on the browser locale (PR #1638) ### Enhancements - Improved IP log performance (PR #1832 / PR #1828 / PR #1790) - Added fault tolerance on RADIUS monitoring scripts (PR #1831) - Improved the database and maintenance backup script (PR #1830) - Added 
password caching support for Novell eDirectory (PR #1829) - Improved caching of LDAP person data (PR #1826) - Improved clustering documentation (PR #1825) - Added RADIUS command line interface support on port 1812 (PR #1817) - Removed useless htaccess file search for each HTTP request (PR #1806) - Turned off HTTP KeepAlive to avoid connections holding onto Apache processes (PR #1801) - Added Cisco MSE documentation (PR #1799) - Ability to query 'iplog_archive' table for detailed IP/MAC history (PR #1793) - Now also display the status for sub services from the Web interface (#1040 /PR #1792) - Requests made with username 'dummy' will not be recorded in the RADIUS audit log anymore (PR #1789) - More lightweight p0f processing (PR #1788) - Remove useless logging in pfdns.log (PR #1782) - Added an activation timeout on sponsor source (PR #1777) - Improved captive portal logging (PR #1769) - Allow the OAuth landing page template to be customizable (PR #1767) - Use RESTful call for RADIUS accounting instead of Perl (#1760) - Optimized getting node information from the database (PR #1753) - New action generateconfig for pfcmd service command (PR #1744) - Added memory limitation for httpd.portal processes (PR #1738) - Added predefined search in RADIUS audit log and DHCP Option 82 log (PR #1716) - Improved display of fingerprinting information in the nodes search (PR #1709) - Allow captiveportal::Form::Authentication to be customized (PR #1666) - Default config overlay for switches.conf, profiles.conf, pfqueue.conf and violations.conf (PR #1647) - Optimized queries for finding open violations (PR #1718) ### Bug Fixes - Fixed floating devices in active/active clusters (PR #1800) - Fixed and improved syntax of `pfcmd ipmachistory` (#1794) - Fixed wrong bandwidth calculation on RADIUS accounting (#1733) - Fixed empty Calling-Station-Id in RADIUS accounting (PR #1756) - Make sure connection caches are cleared after forking (#1748 / #1749 / PR #1751) - Added a workaround for 
DHCP clients that do not respect short lease times (#1673) - Added namespace parameter in WMI rule (PR #1633) - Fixed non-working switch ranges with external portal (#1574 / PR #1613) - Joining a domain will sometimes return a 500 even though it succeeded (#1821/#1818) - Cisco WLC ignores our CoA requests but accepts our Disconnect Requests (#1819) - pfdetect: pipe is closing when no content (#1814) - Condition `is a Phone` in RADIUS audit log is not working properly (#1813) - Condition AutoRegistration in RADIUS audit log is not working properly (#1812) - Configurator: Status on the services doesn't work (#1811) - Invalid SQL for iplog_cleanup_sql (#1802) - Added request cache support (#1775) - Added stack trace logging (#1774) - Removed redundant SQL indexes (#1773) - Removed unused code in pf::locationlog (#1772) - Fixed missing fields in RADIUS audit log (#1395) - Fixed RADIUS audit log hours selection (#1364) 2017-01-30T19:44:27+00:00 PacketFence packetfence-6.5.0 PacketFence packetfence-6.5.0 2017-04-19T15:24:47+00:00 ### New Features - Twilio support as authentication source (PR#1951) - New Redis driven cache for NTLM (Active Directory) 802.1X authentications (PR#1885) - New Firewall SSO for WatchGuard (PR#1851) - Syslog based SSO support for Palo Alto firewalls (PR#1859) - Ubiquiti EdgeSwitch support (PR#1816) - New syslog receiver to update the iplog from Infoblox and ISC DHCP syslog lines (PR#1868) - Can now specify specific ports for passthroughs (#1078/PR#1926) ### Enhancements - Added a RADIUS filter scope for VoIP devices (PR#1807) - Ability to customize the OU in which the machine account will be created (#1927) - Added new routes service to manage static routes (PR#1891) - Added an authentication source that prompts for the password of a predefined user (PR#1810) - Added Aruba webauth documentation (PR#1949) - Eduroam authentication sources can now match rule (PR#1940) - Maintenance patching can now use git in order to ignore files that shouldn't be 
patched via the maintenance script (#807/PR#1931) - Can now print multiple guest passes per page without the AUP in the administration interface (#1409/PR#1930) - Allow to whitelist unregistered devices from violations (#1278/PR#1929) - Changed password.valid_from default value to "0000-00-00 00:00:00" so its value is valid across the whole application (#1920/PR#1922) - Added Percona xtrabackup restore procedure documentation (#1646/PR#1919) - Added a way to track if files backups and database backup succeeded (PR#1904) - pfmon will not register and start a process for disabled task (PR#1899) - Added a way to define two different ports for disconnect and CoA (PR#1894) - Configurator database step now takes care of 'mysql_secure_installation' (PR#1878) - Improved clustering guide for MariaDB and systemd (PR#1875) - Added a portal module action to skip other actions (PR#1869) - Reduced p0f CPU usage (PR#1867) - Updated collectd in order to have new graphs (PR#1863) - Do not "match" a rule if "requested" action is not configured in it (#1858/PR#1861) - Improved monit checks accuracy (PR#1849) - Rate limited the DHCP listener processes to prevent specific devices from performing a denial of service on the DHCP listening processes (#1722/PR#1845) - Improved performance of radacct database table cleanup (PR#1839) - Email templates can now be specified on a per-portal basis (#1322/PR#1823) - Added CLI login support for HP Procurve switches (#1710) - Added support for Ruckus SmartZone using web auth enforcement - Revamped default colours of the captive portal to a more neutral/grayish theme ### Bug Fixes - Fixed iplog rotation retention configuration not always using the right param (#1896) - Reworked and "simplified" the logic of filtering authentication source for a realm (PR#1943) - Ability to customize the OU in which the machine account will be created (#1927/PR#1928) - Now limiting dates to 2038-01-18 in admin interface (#1126/PR#1923) - Remove unused configfile 
database table (PR#1902) - Enable haproxy on portal interface (PR#1893) - Prevent logging failure from making a process die (#1734/PR#1862) - pfmon should run on every server in active-active (#1852/PR#1853) - Removed the use of pf::cache::cached (#695/PR#1820) - Removed error when we receive a RADIUS request to test the RADIUS status (PR#1803) - Refactored pf::node::node_register to add return code and status code/message (#1797/PR#1798) - Removed unused traplog database table (#367/PR#1785) - RADIUS disconnect doesn't work on the Ruckus switch module (#1971/PR#1988) 2017-04-19T15:24:47+00:00 PacketFence packetfence-6.5.1 PacketFence packetfence-6.5.1 2017-04-19T15:26:25+00:00 ## Maintenance release for 6.5 branch ### Bug Fixes - Fix incorrect node cleanup job handling. - Fix multiple firewall SSO not working when cached updates were enabled. - Removed usage of pf_memoize which could create a race condition when adding a node. - Fix incorrect locationlog information because of a null role. 
- Fixed syntax error in generated Suricata rules - Fixed the Portal preview through the admin - Fixed issue extracting the SSID from the switch HP::Controller_MSM710 2017-04-19T15:26:25+00:00 PacketFence packetfence-7.0.0 PacketFence packetfence-7.0.0 2017-04-19T16:27:58+00:00 ### New Features - Added provisioning support for SentinelOne (PR#1294) - Added MariaDB Galera cluster support (PR#2002/PR#2023/PR#2039/PR#2040/PR#2041/PR#2043/PR#2044/PR#2070/PR#2076/PR#2079/PR#2080/PR#2082/PR#2090) - All services are now handled by systemd (PR#2010) - IPv6 network stack in PacketFence (PR#2024) - New Golang-based HTTP dispatcher (#1301/PR#2029/PR#2067) - New Golang-based pfsso service to handle the firewall SSO requests (#1144/PR#2037/PR#2062) - Revamped the Web administration interface (PR#2108) ### Enhancements - SNMP traps are now handled in pfqueue (PR#1656) - Added the ability to grant CLI write access for Extreme Networks switches (PR#1699) - Added a distributed cache for the accounting information to safely disable the SQL accounting records in active/active clusters (PR#1715) - Reduced the number of ipset calls when adding ports for Active Directory (PR#1886) - pfmon tasks have their own configuration file (PR#1918) - new command "pfcmd pfmon" - for running pfmon tasks via pfcmd (PR#1918) - CentOS repositories (packetfence and packetfence-devel) packages are now signed (PR#1946) - Added way to unregister devices that were inactive for a certain amount of time (maintenance.node_unreg_window) (PR#1948) - Added a new last_seen column to nodes table to track their last activity (Authentication, HTTP portal, DHCP) (PR#1948) - Delete nodes based on the new last_seen column instead of looking at the last DHCP packet (PR#1948) - iplog: Floored lease time for "tolerance" (#1965/PR#1968) - Can now restart the switchport where a node is connected from the administration interface (PR#2006) - Added interface description to location entries (PR#2007) - New pffilter filtering 
engine (PR#2032) - Ability to manage multiple "active" endpoints behind a single switchport (PR#2034) - pfdhcplistener now runs as a master-worker style service (PR#2036) - Added a winbindd wrapper for the PacketFence managed winbindd processes (#2065/PR#2038/PR#2069) - Added a caddy middleware for rate limiting the concurrent connections (PR#2055) - Updated the Ruckus SmartZone module to use the most recent webauth technique available (PR#2059/PR#2088) - Added vsys support for PaloAlto firewall SSO modules (PR#2061) - Portal Profile has been renamed to Connection Profile (PR#2066) - Moved common flows / process of DHCP processors in base class (PR#2086) - Removed PacketFence-Authorization-Status attribute from the RADIUS replies to prevent RADIUS replies from being discarded due to an unknown attribute (#2085/PR#2087) - Added option to fetch users one by one in the NTLM cache instead of all together (PR#2093) - New parallel testing infrastructure (PR#2094) - Roles are now stored in a configuration file for easier backup and management (PR#2097) - Tightened up HAproxy's SSL termination security (#893/#410/#411/#412) - Tightened up Apache's encryption security by requiring TLS v1.2 support only and restricted cipher suites (#893/#410/#411/#412) - Clickjacking attack prevention enforcement for recent browsers (PR#2111) - Cross-site scripting (XSS) filtering is now requested from your browser (PR#2114) - Dell N2000 series support (#675/PR#2115) - All logging is now done through syslog (PR#2124) - IP forwarding is now activated by default per PacketFence package installation (#2145/PR#2146/PR#2148/PR#2149) - Added more fine grain stats for the captive portal (#1962/PR#2173) - Many documentation improvements (PR#2136/PR#2214) ### Bug Fixes - Fixed addition of an UDP SRV record port as a TCP port (PR#1886) - Restored pf::api compatibility to Sourcefire module (#2048/PR#2019) - Avoid opening a double entry with wrong accounting values (PR#2113) - Added the ability to 
"format" the CN when using PKI (#2116/PR#2119) - pfdhcplistener doesn't work on a monitor interface (#1377) - pfqueue stats: Outstanding Task Counters isn't accurate (#1726) - pfdhcplistener: Segfaulting when keepalived transitions quickly from backup/master/backup (#1737) - pfdhcplistener takes a minute to die (#1791) - captive-portal: i18n labels for dynamic fields (#1911) 2017-04-19T16:27:58+00:00 PacketFence packetfence-7.0.1 PacketFence packetfence-7.0.1 2017-05-24T19:01:38+00:00 ## Maintenance release for 7.0 branch ### Bug Fixes - Fixed incorrect locationlog entry when performing RADIUS CoA (#2222) - Twilio: "To" phone number is being stripped of any "+" sign (#2296) - Fixed radiusd load-balancer failing to start in cluster with eduroam (#2303) - Fix authentication sources ordering issue for portal modules when using the administration interface (#2323) - Fix innobackup tmp directory when used with Galera cluster - Fix width of auth sources conditions fields (#2312) - Fixed admin login when only allowed to see auditing section - Fixed locationlog entries for VOIP devices when no voice VLAN is defined (#2314) - Fixed authentication sources cache in connection profile (#2309) - Fixed loose matching of host in haproxy dispatcher (#2299) - Fixed lost MySQL handle errors in pfconfig - Handle sources activation host in haproxy dispatcher (#2266) - Fixed incorrect handling of unregistration year - Fixed incorrect LDAP error when user not found - Fixed file cloning in connection profile - Fixed display of roles in admin GUI - Fixed unregistration date handling when it is over 2038 (#2269) - Fixed logging errors for undefined values - Fixed queues blocking when forking - Fixed pagination in GUI node search - Fixed OS type display in status page - Fixed URL for connection profile preview 2017-05-24T19:01:38+00:00 PacketFence packetfence-7.0.2 PacketFence packetfence-7.0.2 2017-05-29T17:23:17+00:00 ## Maintenance release for 7.0 branch ### Bug Fixes - Fixed issue with 
ip4log cleanup job when rotation was enabled (#2358 and #2359) - Adjusted default ip4log retention to match what was in PacketFence version 7 and below - Make REJECT role have precedence over bypass role and VLAN - Make VLAN filters have precedence over bypass role and VLAN - Fix useless sessions being created in web-auth in the dispatcher (#2352) - Load liblasso during runtime in order to prevent a segfault of Apache on Debian 8.8 (#2342) - Fix syntax error in the guest_sponsor_preregistration email template - Fix previewing email templates in the admin 2017-05-29T17:23:17+00:00 PacketFence packetfence-7.1.0 PacketFence packetfence-7.1.0 2017-06-01T18:56:46+00:00 ### New Features - Added support for web authentication (external captive-portal) on Ubiquiti Unifi Controller - New Firewall/SSO (JSON-RPC) for communicating with custom firewalls (PR #2320) - VoIP detection: LLDP lookup enhancement (#2227) (PR #2316) ### Enhancements - Add a button to access status from device registration and the other way around (PR #2259) - Added the ability to specify multiple DNS server(s) for domain join configuration (PR #2223) - Allow to force a predefined sponsor during sponsor authentication (PR #2150) - Updated pfdns default filters (PR #2165) - Added brands icons to authentication source (i.e. Twitter, PayPal, etc.) 
in the administration interface (PR #2287) - Allow pfqueue workers to perform work across multiple queues (PR #2260) - Added a way to set time and bandwidth balance in action rule (requires accounting to work) (PR #1936) - Don’t display the mobileprovider field when doing SMS authentication with only one carrier enabled (PR #2322) - Added new reports in the administration interface (PR #2313) - Apache based services now support systemd sd_notify (PR #2351) ### Bug Fixes - Dashboard metrics are now fetched over https (#2272) - Renamed Ubiquity to Ubiquiti (PR #2293) - Set up variable GOPATH correctly while setting up developer environment for go (PR #2319) - Fix too large scoping of authentication sources (#2338) - Prevent usage of a Null source in the device registration page (#1784) - Fixes duplicate nodes displaying when there are multiple locationlog entries (#1848) - Fixed an issue with the Instagram OAuth2 source, where the scope has been modified on the API - Fixed an issue where the logging configuration was ignored for httpd.aaaa and httpd.webservices (#2350) 2017-06-01T18:56:46+00:00 PacketFence packetfence-7.2.0 PacketFence packetfence-7.2.0 2017-07-11T17:10:17+00:00 ### New Features - Added support for authenticating users through OpenID Connect (PR #2394) - Added passthroughs for devices in violation state (isolation network) (PR #2328) - Added ability to report a device lost or stolen in self-service portal (PR #2337) - Added ability to change a local account password in self-service portal (PR #2337) - Improved overall user experience of self-service portal (PR #2337) ### Enhancements - Use the attributes returned by a radius use source as attributes to compute the rules (PR #2369) - Most services now support systemd sd_notify notifications. 
- The GUI will now only display readonly actions in readonly mode (PR #2384) - Journald total file size is now capped at 1Gb (PR #2389) - The GUI will now allow sources to be cloned (PR #2395) - The GUI now visually splits Administration and Authentication rules when viewing sources (PR #2395) - The GUI now has the ability to run "fixpermissions" from the web admin GUI (PR #2398) - haproxy captive portal rate-limiting is now configurable (PR #2422) - winbindd will now use the regular samba mechanisms to locate and select DCs (PR #2410) - New pfcmd command pfcmd pfqueue clear_expired_counters to clear the expired task counters (PR #2433) - Allow to disable the captive portal haproxy abuse access lists (#2418) ### Bug Fixes - Added a cleanup of the number in the SMS source (#1966) - TLS certificates and keys will no longer be overwritten (#2366) - Limit the amount of tasks a worker processes to avoid memory from growing - Fixed a case where the REJECT role isn’t honored in inline and some web-auth (#2383) - Sponsor authentication CC address is now BCC to help preserve privacy (#2267) - Use plain HTTP for network access detection page (#2393) - Fixed an issue where DHCP broadcast were treated more than once in clustered mode (PR #2413) (#2408) - Fixed incorrect user login remaining count display (#2450) - Fixed a case where pfqueue counters show a count of 0 although queue is full (#2420) - node_discovered is no longer triggered when node hasn’t been created in DB (#2436) - Detect date was not being populated when nodes were discovered via radius (#2424) - Fixed leftover httpd processes when restarting (#2439) - Mariadb binary logs files are now properly rotated (#2440) - Fixed scss settings and colors being wiped on each upgrade (#2317) 2017-07-11T17:10:17+00:00 PacketFence packetfence-7.3.0 PacketFence packetfence-7.3.0 2017-09-25T18:18:01+00:00 ### New Features - Added a RADIUS only mode to PacketFence. 
- Add a cluster wide view of pfqueue statistics (#2195) (PR #2573) - Added the possibility of importing switches from a CSV file. (PR #2480) ### Enhancements - The GUI will now display the VLAN in the locationlog view - The timezone is now a selectable item to prevent invalid input - Updated ACE text editor to version 1.2.8 - Search forms for nodes and users can now be reset (PR #2555) - Configuration files can now be saved in readonly mode except violation, switches, role (#2464) (PR #2566) - Extended descriptions are now supported in the custom reports - Mail can now be sent using SSL and StartTLS (PR #2446) - Self signed certificate errors for nessus 6 can now be ignored (PR #2568) - Violations can now be triggered by nessus 6 scanner (PR #2568) - The device registration page now supports connection profiles like any other portal - The username sent in firewall SSO now supports a configurable format (PR #2499) - PacketFence will now monitor TLS certificates expiration and alert if they are expired (PR #2444) - LDAP source caching is now caching the rule match rather than the whole source match (PR #2560) - The admin GUI startup time has been decreased (#2545) - New and improved documentation for Debian clustering - Show DHCP Option82 data in the node view (#2396) - Custom reports columns representing a node or a user can now be configured to be clickable for details on the object in question (PR #2508) - New Fortigate 50E 802.1x support - The computer authentication username can now be normalized when using EAP-TLS (PR #2414) - Added a task count jitter to reduce the chance that pfqueue workers exit at the same time - Experimental support for Content Security Policy (CSP) has been added, but is disabled by default (PR #2336) - A violation can now redirect to a URL specified in a template (PR #2400) ### Bug Fixes - The syslog parser has moved from Compliance to Integration in the GUI (#2467) - pfsso now logs in packetfence.log (#2553) (PR #2557) - 
httpd.dispatcher now logs in httpd.dispatcher.log (PR #2557) - Fixed incorrect inline sub type detection - Fixed ipset update with the incorrect ip address - Fixed missing confirm prompt when restarting all services via the admin interface (#2365) (PR #2571) - Fixed violation definition sync when removing a violation from the config - Fixed incorrect Connection-Type when using EAP-TTLS (#2582) - Fixed VOIP logic to reduce the chance of duplicate locationlog entries (#2527) - Fixed SNMP connection issues on Extricom controllers - Fixes segfaults when logging in the multithread environments (#2603) - reuseDot1x: Changed the way authentication sources are matched with realms regarding a security concern (#2536) - Trust the wsrep_ready flag of MariaDB Galera cluster for read only detection as putting the DB in read-only can result in occasional de-synchronization between members. (#2593) (PR #2594) - Run the configreload as the pf user when done through pfcmd (PR #2510) - Run the 6.0+ upgrade scripts as the pf user to prevent permissions issues after running them (PR #2509) - Fixed incorrect NULL realm use when authenticating to the admin GUI (#2529) - Enforced use of the system time instead of browser time when using preset time values (#2559) - Logging into the status page when reuse dot1x is enabled is no longer broken (#2542) (PR #2598) 2017-09-25T18:18:01+00:00 PacketFence packetfence-7.4.0 PacketFence packetfence-7.4.0 2018-01-25T18:33:41+00:00 ### New Features * New database access layer (DAL) for upcoming multi-tenancy support * New portal module to permanently set roles (PR #2490) * Added portal module for selecting a role for the device being registered on the portal (PR #2471) * Added support for Allied Telesis GS950 switches (PR #1866) * Added ability to update the firewall SSO on RADIUS accounting packets (PR #2662) * Added a way to define a VLAN by role as a VLAN pool using a VLAN range (PR #2675) ### Enhancements * Added cloning capability in connection 
profiles (PR #2814) (#2809) * Read and write timeouts for LDAP connections can now be set (#2613) (PR #2614) * Keepalived can be configured to detect its peers via unicast instead of multicast (PR #2794) * Suggest violation identifier when adding a new violation (#2804) (PR #2807) * Create a priority queue * Move ReAssignVlan and desAssociate API calls to the priority queue * Added connection profile SSID filter suggestions based on all the previous SSIDs that have been seen in the locationlog (#2758) (PR #2771) * Added a description to the switches in the nodes side navigation (#2791) (PR #2795) * Improved configuration of the captive portal timer bar (via the captive_portal section of pf.conf) (#383) (PR #2762) * (AD Powershell scripts) Enforce use of TLS in the powershell scripts which is required with the last versions of PacketFence (PR #2788) * (AD Powershell scripts) Cycle through all the possible Active Directory usernames formats in PacketFence (PR #2788) * Removed old authentication code sources (#2610) * Added rule description in listing (#2619) * Improved documentation (PR #2774) (#2773) * Set a timeout for database queries for the admin to avoid long running queries slowing the system (#2630) (PR #2659) * Documentation improvement about MySQL advanced parameters (#266) * Enhanced localization support in violation module (PR #2759) * Improved the haproxy HTTP process monitoring * Improved cluster maintenance script to perform necessary system changes to have the node in maintenance ### Bug Fixes * Moved add and delete buttons to the left to avoid them being cut off (#2678) * Fixed "Admin: Multiple 'Device Type' options in Nodes tab" (#2789) (PR #2793) * Configurator: when using a different database name, the fingerbank.conf MySQL section is not updated (#2665) (PR #2787) * rlm_perl modules are now using syslog instead of writing directly to the file (PR #2609) * Prevent a valid PID from being overwritten at the end of the portal registration if the new PID 
is default (#2825) * Auth log is not set to completed after email registration (#2648) (PR #2649) * Fixed redirects when previewing profiles that use OAuth source (#2882) (PR #2908) 2018-01-25T18:33:41+00:00 PacketFence packetfence-8.0.0 PacketFence packetfence-8.0.0 2018-04-26T18:56:27+00:00 ### New Features * Replaced the ISC DHCP server with a new Golang-based DHCP server (PR #2911) * Now supporting inline enforcement in active/active clusters (PR #2911) * Replaced pfdns with a new Golang-based DNS server (PR #2911) * Allow an inline network to be split by the roles in PacketFence allowing to put specific devices in a distinct broadcast network (PR #2911) * DNS routing (PR #2911) * Dashboard metrics are now based on Netdata (PR #2935) * Traffic shaping support for inline enforcement (PR #2803) * Added a configuration parameter to allow to unregister a device on an accounting stop (PR #2685) * Added CLI support on Aruba 5400 switches (PR #2965) * Username stripping (removing the realm) is now configurable via the realms instead of the sources * PacketFence integration with JAMF API for Apple computers and mobile devices management (PR #2797) * Added an HTTP JSON API ### Enhancements * Distribute pfdhcplistener tasks among cluster members (PR #2887) (#2858) * Removed pfsetvlan * Now allowing to use the RADIUS accounting cache when in cluster mode ### Bug Fixes * Guest Portal validate_phone_number check not work (#2783) * A management user can override an account that was not created by him (#2883) 2018-04-26T18:56:27+00:00 PacketFence packetfence-8.0.1 PacketFence packetfence-8.0.1 2018-05-09T18:42:57+00:00 ### Enhancements * Update the computername (hostname) of a node using the Fingerbank Collector data * Detect uplinks based on CDP flag instead of a string * Put etcd in its own directory ### Bug Fixes * Fixed issue with device profiling not being performed when an endpoint connects for the first time * Fixed missing timeout when performing RADIUS SSO 
(FortiGate, CheckPoint, WatchGuard) * Fixed issue with API frontend when initially configuring the webservices username and password * packetfence-haproxy-portal and packetfence-tc systemd service in a wrong target * Custom routing with inline enforcement fails silently (#3215) * Nessus 6 scanner * haproxy-db only listens on IPv6 interface (Debian) (#3208) * Fixed packetfence-local-auth * Fixed DNS passthrough for normal domains (was considered as a wildcard) * Winbind fails to start because of permission issues on /var/run/samba/winbindd in the chroots * Update from 7.4 to 8.0 audit log file not there (#3216) * Fixed unreg on RADIUS accounting stop (#3220) * Allow nodes without roles to be modified when restricting allowed role (#3217) * Fixed speed issues with node search in the admin * Fixed missing timeout for RADIUS sources tests in pfstats 2018-05-09T18:42:57+00:00 PacketFence packetfence-8.1.0 PacketFence packetfence-8.1.0 2018-07-09T20:20:08+00:00 ### New Features * Added support for dynamic PSK (Cisco IPSK) for the Cisco WLC and hostapd (PR #3244) * Added Ubiquiti Unifi web authentication and 802.1X support * Added support for Cambium AP module for 802.1X, MAC and web authentication (PR #3282) * Change root portal module on failure/success * Save already entered field on the portal (chain auth) * Custom message for SMS registration * Expire SMS pin code * Define the length of the pin code * Enable or disable sponsor authentication when he validates access (PR #2995) ### Enhancements * Allow connection profiles to be enabled/disabled (PR #3175) * Add new portal module action that wraps the default actions a module would normally execute (fixes #3231) * Improved startup time of PacketFence (PR #3213) * Fix local/reject realm for eduroam in standalone configuration (PR #3264) * Allow subsecond timeouts for LDAP connections * Allow randomization of the search order for a list of LDAP servers * IP exclusion is now possible in the DHCP server * Allow max node 
per role when doing autoregistration * Moved unregister on accounting stop parameter on the connection profile * VLAN filters can be set to ${node_info.category} and it will return the current category of the device * The database load-balancer now listens on the cluster management IP address * Allow to update switches while importing them via CSV ### Bug Fixes * Netdata never ending restarts after a reboot (#3287) * Systemd PID file causes issues when there is a stale PID file (#3291) * Fixes when a LDAP authentication source contains multiple IP addresses (#3234) * Added missing DHCP Statistics for routed networks on the dashboard (#3128) 2018-07-09T20:20:08+00:00 PacketFence packetfence-8.2.0 PacketFence packetfence-8.2.0 2018-11-07T18:30:39+00:00 ### New Features * Added support for clusters with servers located in multiple layer 3 networks (PR #3656) * Permit incoming Eduroam TLRS RADIUS requests (PR #3399) * pfconfig is tenant aware (PR #3385) * Realm are tenant scoped (PR #3385) * Added Mojo web authentication support (PR #3604) * New authentication source Password of the Day (PR #3285) * Added SMTP test function in Alerting (PR #3642) * Juniper SRX Firewall SSO module (PR #2842) ### Enhancements * Now support CoA on Meraki switches * jsonrpc requests send the current tenant_id (#3271) * Take the tenant id in consideration in the queue (#3269) * Performed various improvements to the maintenance script (PR #3445) * Increased maximum node bandwidth balance from 4 GB to 18.4467441 XB (exabytes) (#3477) (PR #3493) * Improve connection profile's advanced filter * Use MySQL as backend for pfdhcp options (deprecates etcd) (PR #3484) * Reorder iptables rules (PR #3463) * Better error handling for pfdetect.conf (PR #3607) * HAProxy stats files are now located in var/run/ with explicit filenames (PR #3645) * pfdns now uses the PacketFence standard Golang logging library (PR #3638) * Added VOIP and Downloadable ACLs support to Aruba 5400 switch module (PR #3372) * 
Switch filters can now be used to override the switch module that is instantiated during a RADIUS connection (PR #3583) * WIRED_MAC_AUTH and Ethernet-NoEAP merged (#3069) (PR #3261) ### Bug Fixes * Backslash in usernames in Reports section is shown as "=5C" (#3508) (PR #3510) * Multiple bug fixes to the pfdhcp service (PR #3571) * Domain join log entries contain clear-text credentials (#3448) * Fixed false positive dhcp rogue detection (PR #3514) * Sponsor Email subject and body are i18n in the same language (#3670) * pfstats hammers pfdhcp and the API frontend with requests (#3634) * Can't download SAML metadata in the admin (#3720) 2018-11-07T18:30:39+00:00 PacketFence packetfence-8.2.1 PacketFence packetfence-8.2.1 2018-12-07T13:41:53+00:00 ### Enhancements * Allow for SMS PIN codes to be reused (#3436) ### Bug Fixes * Adjusted ports for Active Directory passthroughs (#3769) * Improved performance of nodes tab in the admin interface (#3721) * Fixed Google Project Fi missing from the official schema * Various fixes for broken NTLM cache job * Fixed issues with realms after a restart of pfconfig (#3797) * Fixed issue with pfdhcp leaking file descriptors * Fixed issue with captive portal requesting an artifact from the SAML server * Fixed duplicate IP addresses given by pfdhcp * Added new expected parameter for the redirect URL when performing web-auth with a Cisco WLC * Fixed SEPM provisioner token refresh 2018-12-07T13:41:53+00:00 PacketFence packetfence-8.3.0 PacketFence packetfence-8.3.0 2019-01-09T18:31:47+00:00 ### New Features * Added support for Juniper EX2300 (JUNOS 18.2) switches * Clickatell authentication source support * Added a random algorithm for VLAN pooling * Added the ability to reserve IP addresses in pfdhcp * Added a way to trigger a violation when device profiling detects a change in the device class * New SSL Inspection portal module * RADIUS proxy integration from web admin interface * RADIUS filtering support for 
pre_proxy/post_proxy/preacct/accounting/authorize phases * Updated the Windows provisioning agent to the new Golang based version ### Enhancements * Redis now only listens on localhost (#3729) * Deprecate usage of roaring bitmap for the DHCP IP pool (#3779) * Email and SponsorEmail sources can have banned and allowed email domains (#3807) * Improved startup time of pfdhcp * Removed OPSWAT Metadefender Cloud support * Chose password hashing algorithm when creating a local user from a source * Define the length of the password to generate when creating a local user from a source * New "dummy" source just to compute the rules ### Bug Fixes * Logs permissions and configuration for Debian (#3780) * Fixed missing cache directory for NTLM auth cache (#3788) * Fixed working directory of NTLM auth cache sync script (#3777) * Handled multiple LDAP hosts properly in NTLM auth cache (#3776) * Issue with the DHCP server that gives sometimes a duplicate IP address * Adjusted CentOS and RHEL dependencies * Fixed MAC filtered lookups that were cached in pfdns (#3785) * Fixed the OpenVAS integration to work with OpenVAS Manager 7.0 (OpenVAS 9) * Fixed encoding of files created in the administration interface (force them to UTF-8) 2019-01-09T18:31:47+00:00 PacketFence packetfence-9.0.0 PacketFence packetfence-9.0.0 2019-05-16T13:11:41+00:00 ### Version 9.0.0 released on 2019-05-15 ### New Features * New web interface based on Vue.js and Bootstrap 4 * Let's Encrypt SSL certificates support for captive portal and RADIUS * Cisco ASA VPN support with the captive portal * Fortinet VPN support * DHCP Filter to reply custom attributes in the OFFER and/or ACK (deprecate old DHCP Filter) * Add 802.1X and CoA support for Fortinet FortiSwitch * Add module to support PICOS white box switches * Support for Aerohive access point with switch port * Support for Aruba Instant Access switch module * Debian 9 (Stretch) support ### Enhancements * Now including timeout when authorizing a web-auth user 
on an Ubiquiti UniFi controller * Now providing defaults for the Apache filters * Allow to configure the RADIUS attributes and their lookup order for extracting the username * conf/stats.conf has a default file now * VoIP configuration parameter in node_cleanup task to bypass VoIP devices * Adding/removing passthroughs doesn't require to restart pfdns anymore (#3127) * Added support for RADIUS disconnect on Ruckus SmartZone * Disable Microsoft Active Directory join operating system check option * Disable DNS lookup in MariaDB configuration * Enable performance_schema if needed * Display local account in the captive portal during registration if applicable (#3615) * Exception for portal detection URL in pfdns * Added support for Ruckus roles * sms_carrier 'id' column is now auto-increment (#1270/PR #3684) * Better logging for haproxy-portal that allows to identify missing passthroughs * Allow to skip management node in portal load-balancing when running in a cluster * DHCP and DNS services can be enabled on a specific interface * VoIP support for Dell switches ### Bug Fixes * Fixed the systemd logic in pfdhcp * Fixed winbindd respawning extremely fast when failing to start * Fixed winbindd processes not being killed on latest version of Samba * Allow disabling processing of IPv6 packets in the pfdhcplistener * fixed untainted variable (#3920) * fixed on-registration scanning (#3963) * Set the realm in the RADIUS request when doing machine authentication * Keep connections to the unified API alive * Fixed the documentation and the form for the Juniper SRX firewall 2019-05-16T13:11:41+00:00 PacketFence packetfence-9.0.1 PacketFence packetfence-9.0.1 2019-05-24T17:19:16+00:00 ### Enhancements * Improved display of RADIUS audit log from RADIUS tab (#4473) * Add '-copy' to the ID when cloning a configuration resource (#4468) * Better visual distinction when the database is in read-only mode (#4464) * Domain join is prompted after creating a domain (#4544) * Added current 
hostname to help page ### Bug Fixes * Fixed Aruba Instant access switch module compilation error * Fixed violations to security events upgrade script to use the .rpmsave file during the upgrade * Fixed user visualization when the username contains a '/' or '\' (#4531 and #4570) * Fixed missing 'Signing' tab in mobileconfig provisioner configuration section (#4533) * Fixed missing 'Compliance' tab in OPSWAT provisioner configuration section * Fixed issue when defining multiple DNS servers in inline * Fixed issue where not all security events are visible when triggering a security event on a node (#4550) * Fixed issue with multi-cluster configuration generation * Fixed issue with WMI scan engine rules failing to be saved (#4559) 2019-05-24T17:19:16+00:00 PacketFence packetfence-9.1.0 PacketFence packetfence-9.1.0 2019-09-18T13:37:52+00:00 ### New Features * Network visualization * Microsoft Intune and ServiceNow support * Family Zone, LightSpeedRocket and SmoothWall firewall SSO support * New way to forward Eduroam local realm to a specific RADIUS server * New DNS auditing log module ### Enhancements * Adjust Fingerbank device class lookup ordering for added precision of the device class * Track configuration changes in local git repository * Randomize KeyBalanced to randomize the load-balancing in FreeRADIUS Proxy. 
* Support for SentinelOne's new API version (v2.0) * Firewall SSO is now performed centrally on the management node of a cluster * Added DHCP pool algorithm (random/oldest IP) * Improved support for Juniper switches running Junos 15 and above * Allow to configure the API token timeout * Moved vlan_pool_technique configuration parameter to the connection profile * Added the RADIUS' targeted IP address in the RADIUS audit log (help in cluster mode) * pfperl-api port number changed to 22224 * Autoreg for mac-auth with an authorize source * Parking portal has been moved in the haproxy and httpd.dispatcher services and deprecates the dedicated httpd.parking service ### Bug Fixes * pfstats queries /api/v1/dhcp/stats are taking a lot of time (#4096) * Duplicate reservations in the DHCP pool caused by a big registration/inline network and pfstats call * LinkedIn social login integration due to deprecated API calls from LinkedIn * Fixed the logic of "Use the RADIUS username instead of the TLS certificate common name when performing machine authentication" 2019-09-18T13:37:52+00:00 PacketFence v9.2.0 PacketFence v9.2.0 2019-11-26T18:20:15+00:00 ### New Features * Allow to force the access duration when using device registration * Migrate to go mod for Golang binaries (#4832 and #4841) * Ready-to-use Docker images for PacketFence builds (#4841) * Added audit log for API and new admin interface * Added configuration based switch modules * Support for remote layer 3 clusters in read-only mode * Internal security event to trigger on managed network only or production network only ### Enhancements * Network visualization now supports custom sorting, min/max graph sizing, variable real-time network live-view, and infinite depth of switch-group inheritance. * Speedup the dal generation (#4824) * Enhance Juniper EX2300 to allow a port bounce to be done via RADIUS CoA ### Bug Fixes * fixes #4737 (SNMP trap stuck in the queue) * MySQL schema upgrade statements should be re-runnable. 
(#4892) * Return the authentication sources where the default realm has been associated if the realm used by the connection contains a realm that is not defined in the configuration. 2019-11-26T18:20:15+00:00 PacketFence v9.3.0 PacketFence v9.3.0 2020-01-13T20:08:44+00:00 ### New Features * Only have a single active locationlog entry in the locationlog ### Enhancements * Don't try to do firewall SSO if the service is disabled * Massively improved web admin performance ### Bug Fixes * Fix `pfstats` for LDAPS and StartTLS * Allow to run any script from a security event without a modification of sudoers file * Fix machine auth failed on eduroam virtual server * Fix allow external RADIUS accounting from eduroam server (they use it to detect if a server is alive) * Fix eduroam load-balancing issue on local realm 2020-01-13T20:08:44+00:00 PacketFence v10.0.0 PacketFence v10.0.0 2020-04-16T14:58:54+00:00 ### New Features * Added support for network anomaly detection through Fingerbank * New, fully integrated PacketFence PKI service * New service for automatic clustering issue resolution * New GUI for all filtering engines and switch templates * New API and Vue.js based step-by-step configurator * Added VMware Airwatch support ### Enhancements * Added support to run integration tests using Cumulus Linux and libvirt * Added the ability to autoregister and assign a role to a device authorized in a provisioner * Added the ability to control whether or not a provisioner should be enforcing (i.e.
ensuring all devices matching it are authorized with it) * Added the ability to sync the PID of devices authorized in a provisioner (only for Airwatch and JAMF) * Add single sign-on support for Cisco ISE-PIC * Support for MySQL as DHCP pool backend and provide active/active DHCP support * Support Aruba switches using Aruba OS 16.10 * Added a new Meru controller module that supports RADIUS RFC3576 (RADIUS Disconnect) * CLI login to Juniper switches * Allow to configure VOIP RADIUS attributes in switch templates * All configuration files have a copyright without year to avoid useless rpmnew or dpkg-dist files each yearly upgrade * Improved Unifi deauthentication using HTTP * Set TTL to 5 seconds when the host matches a captive portal detection host * Enable tracking configuration service by default * Better captive portal detection for Samsung devices * Faster captive portal detection for Apple devices * Routes are now managed by the keepalived service * Parking security event can now be triggered without limitation * Added a way to change the SQL table used by pfconfig * Showing the configurator is now configurable (#5121) * Node deletion is consistent between the API and pf::node::node_delete (#5088) * Allow VLAN number greater than 1023 for floating devices * Improved captive-portal health checks in monit (#5185) * Added RADIUS disconnect for wired port on Aruba AP (#5016) * Switch templates can now use SNMP up/down to perform access reevaluation (#5197) * HAProxy now serves the admin gui, httpd.admin disabled by default * Reports are now tenant-aware * Security events can be triggered when running node maintenance task (#4948) * Added parameter to prevent external portal requests from updating the ip4log (#5336) * Added new WMI examples ### Bug Fixes * Fixed logic to move MAC address to another port (Avaya) * Fix serialization of the switch when calling ReAssignVlan/desAssociate * Prevent double restart when setting the port admin status of an EX2300
Juniper switch * Sponsor field is missing on sponsored users when using forced sponsor (#5171) * Some DHCP info triggers use outdated Fingerbank data (#5106) * Issue with the timezone in the admin not being honored on the system (#5205) * Issue with Chrome not showing the portal on a self-signed certificate (#5233) * Issue with RADIUS CLI access and ldap authentication source where the cache is enabled (#5018) * Distribute pfsnmp trap jobs between queues based off switch id (#5004) * Deleting a portal profile doesn't cleanup its templates (#793) * pfacct doesn't report metrics to dashboard (#5267) 2020-04-16T14:58:54+00:00 PacketFence v10.0.1 PacketFence v10.0.1 2020-05-08T19:50:01+00:00 ### Bug Fixes * Fix issue with out of bound array in pfacct * Fix handling of VSA in pfacct * Fix handling of wireless secure to open SSID VLAN filter * Fix limit of 25 filters in filter engines GUI (#5379) * Fix the "from address" when sending emails through the pfpki * Adjustments to the default anomaly detection policies * Add missing sFlow and netflow ports in the iptables configuration * Fix detection of the anomaly detection capabilities of the current Fingerbank account * Improve anomaly detection triggers display in security events (#5402) * Handle JAMF provisioner responses that aren't UTF-8 encoded * Fix admin account validity when changing the timezone in the configurator (#5390) * Restart packetfence-mariadb in the configurator after changing the timezone (#5390) * Fix multi-tenancy detection when performing web-authentication (#5418) 2020-05-08T19:50:01+00:00 PacketFence v10.1.0 PacketFence v10.1.0 2020-06-17T19:38:48+00:00 ### New Features * Live log viewer from admin interface * Fully tenant-aware admin interface * Support for MS-CHAP authentication for CLI/VPN access * New pfcertmanager service that generates certificate files from configuration ### Enhancements * EAP configuration template - add a way to define multiple EAP profiles in FreeRADIUS * New action for
AD/LDAP sources to set role when user is not found * Provide an advanced LDAP condition to allow custom LDAP queries * The captive portal can now feed HTTP client hints to the Fingerbank collector * Added ability to enable/disable a network anomaly detection policy (#5403) * Return the portal IP if the QNAME matches one of the portal FQDN for registered devices using inline enforcement * Individual source rules can be disabled * Support for Dell N1500 starting from 6.6.0.10 * CoA support for Ubiquiti Unifi AP * Added a way to define the Unifi AP by IP or IP range * Use the value of an LDAP attribute as a role * Added the return of the LDAP/RADIUS attributes to use them in RADIUS filter * The /api/v1/radius_attributes endpoint is now searchable * Proxy the captive portal detection URL when the device is registered * Choose which EAP profile to use based on the realm * LDAP's basedn can be defined in the authentication sources rules * New hooks for the RADIUS filter engine in eduroam virtual server * Redefined "restart" in the service manager to allow "PartOf" in systemd scripts * Set role from source authentication rule option (needs #5459) * Flatten the RADIUS request for the authentication sources (attributes like radius_request.User-Name) * RADIUS request attributes / username are part of the common attributes * Support of multiple LDAP servers in FreeRADIUS ldap_packetfence configuration file * Copy outer User-Name attribute in PacketFence-Outer-User attribute to be able to use it in the authentication rules * Copy the LDAP-UserDN attribute in PacketFence-UserDN attribute to be able to use it in the authentication rules * Added a way to extend the LDAP filter for searchattributes configuration * Documentation for EAP profile selection * Documentation for regex realm * Documentation for new action/condition in LDAP authentication * Moved the VLAN filters example as default disabled VLAN filter * Use PUT for node reevaluate_access to fix issue with admin_role
actions mapping * OpenID pid mapping is now configurable * Can map OpenID attributes to person attributes * Allow to create authentication rules based on OpenID attributes ### Bug Fixes * Fixes Fortinet Fortigate returnAuthorizeVPN function (#5409) * Barracuda NG firewall SSO SSH fails (#4828) * Impossible to set multiple access levels in administration rule (#5440) * Fixed pf-maint.pl when it's running behind a proxy (#3425) * Fix vendor attributes not being sent from Switch Template (#5453) * Fixed issue authorizing a user in web-auth on Unifi when the node has its date set to '0000-00-00 00:00:00' 2020-06-17T19:38:48+00:00 PacketFence v10.2.0 PacketFence v10.2.0 2020-10-07T16:06:50+00:00 The Inverse team is pleased to announce the immediate availability of PacketFence v10.2 - a major release bringing tons of improvements! Moreover, the upcoming PacketFence v11 will feature full *Zero Trust Network Access* support - extending NAC concepts to remotely connected users with full micro-segmentation support. This release is considered ready for production use and upgrading from previous versions is strongly advised. ## Improved Layer-3 Replication Layer-3 replication over high-latency WAN connections has been dramatically improved in PacketFence v10.2 - by a factor of tenfold. This allows PacketFence to secure even larger widely distributed networks. ## More Golang Our endeavour in rewriting our services from Perl to Golang has reached another big milestone for PacketFence v10.2. One of PacketFence's most crucial services, the maintenance and monitoring service, has been fully rewritten in Golang to increase performance but also drastically reduce resource usage. ## Automated Integration Tests Our other big endeavour with achieving full integrated test coverage has reached another big milestone in PacketFence v10.2. The Configurator, the very first part of PacketFence exposed to new users, now has complete integrated test coverage.
This means that through Venom, we can now fully test the Configurator, wired MAC authentication and 802.1X using EAP-PEAP, backup/restore and many more. Our WiFi, WMI and PKI/EAP-TLS will be completed for v11. ## Upcoming v11 Release PacketFence v11 will extend NAC concepts to remotely connected users with *full micro-segmentation support*. Using our new connectivity orchestrator, PacketFence will dynamically establish secured tunnels between endpoints - based on what they are allowed to do on the network. Traffic of remotely connected users will not go through PacketFence, but PacketFence will orchestrate the creation of a full mesh network between remote users, local or Cloud-based resources. ## ... and more! PacketFence v10.2 now also supports EAP-TTLS for LDAP authentication sources, native Novell NetIQ eDirectory support, improved support for Extreme Networks switches running EXOS, improved multi-tenancy support, MAC addresses randomization support and many more admin interface improvements! --- Here's the complete list of changes included in this release: #### New Features * EAP_TTLS PAP Support on a LDAP source * eDirectory source * Master/Slave radius proxy and degraded workflow * go based pfmon ([#5613](https://github.com/inverse-inc/packetfence/issues/5613)) * Integration tests: configurator scenario added ([#5484](https://github.com/inverse-inc/packetfence/issues/5484)) #### Enhancements * Adjust the settings in the admin for the SAML and OAuth portal modules ([#5479](https://github.com/inverse-inc/packetfence/issues/5479)) * Select the role of the device when registering via self-service portal.
* Improved support for Extreme switches running EXOS * Added option to register device immediately after the sponsor activates the access during sponsor based registration ([#5642](https://github.com/inverse-inc/packetfence/issues/5642)) * Added support for EAP-PEAP MSCHAPv2 and EAP-TLS for CLI and VPN RADIUS authentication ([#5784](https://github.com/inverse-inc/packetfence/issues/5784)) * Template based bouncePort using CoA ([#5735](https://github.com/inverse-inc/packetfence/issues/5735)) * Set the default switch type to Packetfence::Standard ([#5742](https://github.com/inverse-inc/packetfence/issues/5742)) * Create a PacketFence::SNMP switch to force reevaluate access using SNMP ([#5742](https://github.com/inverse-inc/packetfence/issues/5742)) * Add support for CLI Access for Switch::Template ([#5708](https://github.com/inverse-inc/packetfence/issues/5708)) * Use Status Check in pfstats to test radius/eduroam sources * Switch templates can define how to map a NasPort to an IfIndex ([#5779](https://github.com/inverse-inc/packetfence/issues/5779)) * Syslog parsers are now tenant aware. * Add default MAC address randomization security event check * Allow to delete a node from web admin with a locationlog opened ([#5492](https://github.com/inverse-inc/packetfence/issues/5492)) * Allow roles to be deleted #### Bug Fixes * Fixed CoA for Meraki web-authentication so that it doesn't disconnect the user from the SSID * Honor the AUP setting of the SAML portal module ([#5476](https://github.com/inverse-inc/packetfence/issues/5476)) * Use the prebuilt freeradius perl dictionary. * Don't override user defined values in the interface file for centos. * haproxy-db can cause pfcmd service restart to fail ([#5745](https://github.com/inverse-inc/packetfence/issues/5745)) * Pass in the mandatory fields to the email templates.
* Dell N1500.pm: LLDP detection doesn't work ([#5758](https://github.com/inverse-inc/packetfence/issues/5758)) * Ensure the gateway was only written once in /etc/sysconfig/network ([#2845](https://github.com/inverse-inc/packetfence/issues/2845)) * Remove the ip address of a server in the dhcp reply when the server has been disabled ([#5677](https://github.com/inverse-inc/packetfence/issues/5677)) * Allow to set multiple CA certificates. * Listen to all interfaces for radius accounting ([#5821](https://github.com/inverse-inc/packetfence/issues/5821)) * Searching by 'Source Switch Identifier' for a switch range doesn't work ([#5792](https://github.com/inverse-inc/packetfence/issues/5792)) See the [complete list of changes](https://github.com/inverse-inc/packetfence/compare/v10.0.0...v10.1.0) and the [UPGRADE.asciidoc](https://github.com/inverse-inc/packetfence/blob/v10.1.0/UPGRADE.asciidoc) file for notes about upgrading. 2020-10-07T16:06:50+00:00 PacketFence v10.3.0 PacketFence v10.3.0 2021-04-14T18:36:03+00:00 ### New Features * Static routes management via admin gui * Aruba CX support * Aruba 2930M Web Authentication and Dynamic ACL support (#6158) * Meraki DPSK support * Ruckus DPSK support * Support for Ruckus SmartZone MAC authentication in non-proxy modes (#6201) * Bluesocket support (#5878) * Support for SCEP in `pfpki` (#6213) ### Enhancements * Improved the failover mechanisms when an Active Directory or LDAP server is detected as dead * Expiration of the local accounts created on the portal can now be set on the source level * pfacct and radiusd-acct can now both be enabled together (radiusd-acct proxies to pfacct) * Added CoA support to Aerohive module * Added role based enforcement (Filter-Id) support to Extreme module * Use Called-Station-SSID attribute as the SSID when possible * Added CLI login support to Huawei switch template * Added detectionBypass in DNS resolver (#6028) * Improve support of Android Agent for EAP-TLS and EAP-PEAP * Improve CLI
login support on HP and Aruba switches * Use the "Authorization" header when performing API calls to Github in the OAuth context * Replace xsltproc/fop by asciidoctor-pdf (#5968) * FortiGate Role Based Enforcement (#5645) * Add support for roles (RBAC) for Ruckus WLAN controllers (#2530) * Upgrade to go version 1.15 (#6044) * Build ready-to-use Vagrant images for integration tests and send them to Vagrant cloud (#6099) * Documentation to configure Security Onion 2.3.10 * Added integration tests for 802.1X wireless and wireless MAC authentication (#6114) * Restrict create, update, and delete operations to the default and global tenant users (#6075) * Remove pftest MySQL tuner (#6130) * Allow Netflow address to be configured (#6139) * Deprecated fencing whitelist * Description field for L2 and routed networks (#5829) * Updated Stripe integration to use Stripe Elements (API v3) (#6121) * Added Cisco WLC 9800 configuration documentation * Inheritance on parent role on Role and Web Auth * Enhance CLI login on SG300 switches * Enable/disable the natting traffic for inline networks * Remove unused table userlog (#6170) * Clarifications on Ruckus Role-by-Role capabilities (#6201) * DNS/IP attributes in pfpki certificates (#6213) * Additional template attributes in certificate profile (#6213) * Remove unused table inline_accounting (#6171) * Make pfdhcplistener tenant aware (#6204) * Upgrade to MariaDB 10.2.37 (#6149) ### Bug Fixes * Switches defined by MAC address are not processed by pfacct in cluster mode (#5969) * Restart switchport return TRUE if MAC address is not found in locationlog for bouncePortCoA (#6013) * Switch template: CLI authorize attributes ignored (#6009) * ubiquiti_ap_mac_to_ip task doesn't update expires_at column in chi_cache table (#6004) * A switch can't override switch group values using default switch group values (#5998) * web admin: timer_expire and ocsp_timeout are not displayed correctly (#5961) * web admin: Realm can't be selected as a filter
on a connection profile (#5959) * API: remove a source doesn't remove rules from authentication.conf (#5958) * web admin: high-availability setting is not displayed correctly when editing an interface (#5963) * SSIDs are not hidden by default when creating a provisioner (#5952) * with_aup is correctly displayed on GUI (#5954) * web admin: sender is wrong when you use Preview feature (#6023) * sponsor guest registration: unexpected strings in email subject (#3669) * Use the proper attribute name for Mikrotik in returnRadiusAccessAccept (#6051) * Audit log: profile has an empty value when doing Ethernet/Wireless-NoEAP (#5977) * pfacct stores 00:00:00:00:00:00 MAC in DB when Calling-Station-ID is XXXX-XXXX-XXXX (#6109) * Update the location log when the Called-Station-Id changes (#6045) * Only enable NetFlow in iptables if NetFlow is enabled (#6080) * Firewall SSO: take username from accounting data if available in place of database (#6148) 2021-04-14T18:36:03+00:00 PacketFence v11.0.0 PacketFence v11.0.0 2021-09-02T17:19:12+00:00 ![v11](https://www.packetfence.org/campaigns/img/v11/pf.png) The Inverse team is pleased to announce the immediate availability of PacketFence v11 - a breakthrough release in network security! ## RHEL v8 and Debian 11 Support PacketFence v11 now fully supports Red Hat Enterprise Linux 8 (RHEL v8) and Debian 11. Both operating systems bring major performance, stability, and security improvements to PacketFence for many years to come. RHEL v8 alternatives such as AlmaLinux, Oracle Linux, and Rocky Linux can be used. ## Google Workspace Integration PacketFence v11 now natively integrates with Google Workspace for LDAP-based authentication. Moreover, PacketFence now provides a Google Workspace Chromebook provisioner to automatically onboard organization-owned Chromebook devices and assign them a role.
PacketFence can now also raise a security event when a Chromebook becomes inactive and provides a way to import all activated Chromebooks that are part of an organization. ## Microsoft Azure Integration PacketFence now integrates with Microsoft Azure Active Directory for authenticating users on the captive portal, the admin interface, and performing 802.1X user authentication using EAP-TTLS PAP. This greatly enhances the integration possibilities of PacketFence in Azure-based Cloud environments. ## Automation of Upgrades Starting from PacketFence v11, upgrades are fully automated. No more scripts to run, database schema changes to apply, and more. This release also provides a way to export your v10.3 installation and migrate to v11 in a snap! ## Logs Forwarding PacketFence now supports forwarding of all database-stored logs. That means that the RADIUS audit log, DHCP audit log, DNS audit log, and admin access audit log can be fully exported to a remote syslog server - ensuring compliance with more security regulations. ## ... and more! PacketFence v11 provides additional important features such as SCEP support for Microsoft Intune and AirWatch, Venom tests for Inline L3, massive performance improvements to the admin interface, multi-tenancy improvements, and much more.
--- Here's the complete list of changes included in this release: #### New Features * Red Hat Enterprise Linux 8 and Debian 11 support * Microsoft Azure AD authentication and authorization support (#6380) * Google Workspace integration for LDAP and Chromebooks * Automation of upgrades from 10.3 and above (#6438) * Forwarding support for audit logs stored in database #### Enhancements * Microsoft Intune SCEP support (#6360) * Venom inline L3 (PR #6266) * Massively improved web admin performance * LDAP source now supports client certificates * AirWatch SCEP documentation * Rewrite the username of the request from RADIUS `preProcess` filter (#6293) * Upgrade to golang 1.16.3 (#6343) * pfpki: configure OCSP to listen on specific interfaces (#5825) * Get maintenance patches through package manager (#6378) * Adjust Intune integration to support pagination of the managed devices (#6135) * Add an option to force the vip as the default gateway on layer2 registration network (#6406) * Firewall SSO is tenant aware (#6384) * Added conditions on owner information in the RADIUS filters (#6324) * CLI access support for Avaya Switches (#6398) * Authorize a MAC address on all APs of the switch group when using the Unifi module (#6134) * Macro documentation for filter engine (#6392) * Expose the source directory of documentation from Caddy (#6315) * Audit successful admin login in the admin audit log. 
(#6345) * Allow users to resend the SMS pin * Improve the speed of retrieving switches (#6321) #### Bug Fixes * Configurator sets valid_from field to current time in place of 1970-01-01 00:00:00 * Support switch_group in advanced filters (#6379) * Authentication rule condition basedn matching does not work (#6402) * Filter netdata incoming connection (#6303) * CLI switch access for Avaya ERS Switches (#6399) * Avoid duplicate log entries "User <username> has authenticated on the portal" * Backup DB using MariaDB-backup does not work on standalone installations (#6424) * Normalize connection_sub_type to use the numeric value (#6326) * Expired switches for all tenants (#6024) 2021-09-02T17:19:12+00:00 PacketFence v11.1.0 PacketFence v11.1.0 2021-10-29T17:34:56+00:00 ![v11](https://www.packetfence.org/campaigns/img/v111/pf.png) The Inverse team is pleased to announce the immediate availability of PacketFence v11.1 - a major release bringing many improvements! ## Multi-Factor Authentication PacketFence v11 now fully supports multi-factor authentication for its captive portal, CLI and VPN. Advanced integration with Akamai MFA is now included as well as generic support for any TOTP solutions. ## Automation of Upgrades Upgrading from v11 to v11.1 is fully automated for standalone installations. No more scripts to run nor database schema changes to apply - all is done for you, in a snap! ## Unified Reports PacketFence has unified the three reporting sections into a single configuration and added bar-graphs, sankey-diagrams and scatter-charts in order to visualize different datasets or the same data in different dimensions. It includes a MySQL/MariaDB script mode that allows multi-statement SQL transactions, making it even easier to extend its reporting with custom configurations. Several new reports for accounting, authentication, nodes and roles are also now included.
## Automated Integration Tests More automated tests were added in PacketFence v11.1 through Venom. More specifically, an EAP-TLS test covering our PKI infrastructure was added together with a pfcron test covering all maintenance jobs PacketFence does. These extend the automated tests coverage in PacketFence further to ensure greater quality and stability for each new release and help us continue our effort to shorten the time between releases. ## ... and more! PacketFence v11 provides additional important improvements such as MikroTik DHCP MAC authentication support, the automated generation of the supported equipment page for the PacketFence website, refactoring of authentication sources and much more. --- Here's the complete list of changes included in this release: ### New Features * Support for Akamai MFA in VPN/CLI RADIUS authentication and on the captive portal * Support for TOTP MFA in VPN/CLI RADIUS authentication and on the captive portal * Automation of upgrades for standalone installations (#6583) ### Enhancements * MikroTik DHCP MAC authentication support * Allow to use the sAMAccountName from the searchattributes in MSCHAP machine authentication (#6586) * Improve the Data Access Layer to work in MariaDB's default sql_mode * New command pfcmd mariadb [mariadb options] * Deauth request can be made on the previous equipment the device was connected * Allow the bulk import of config items to be async * Remove unused/deprecated sources (AuthorizeNet, Instagram, Twitter, Pinterest, and Mirapay) (#6560) * Automation of supported equipment page on PacketFence website (#6611) * Use Venom 1.0.0 through Ansible to run integration tests (#6573) * Import script will migrate the networks configuration if the new IP is in the same subnet (#6636) * EAP-TLS integration tests using manual deployment and SCEP protocol (#6647) * Added a monit check to ensure winbindd is still connected (11.1 - AD failover doesn't work #6655) * Improve ZEN builds (#6663) ### Bug Fixes * 
Match the realm more strictly when it's not a regex in EAP-TTLS PAP * Populate the LDAP config for enabled LDAP EAP-TTLS PAP realms * Only call oauth2 in authorize for the realms that have an Azure AD EAP-TTLS PAP configuration * Use source username in LDAP module for EAP-TTLS PAP instead of always using sAMAccountName * Support LDAP certificate client auth for LDAP EAP-TTLS PAP authentication * Allow to use Google Workspace LDAP sources in EAP-TTLS PAP authentication * Add script for removing WMI scan (#6569) * Fix Let's Encrypt renewal process restarting services even if they are disabled (#6606) * Removes the deprecated NTLM background job fields and components (#6552) * Ignore 'Mark as sponsor' administration rules when finding the access level of a VPN/CLI user (CLI authentication rules matching doesn't filter on the rules action #6349) * Reducing time balance only when registered 2021-10-29T17:34:56+00:00 PacketFence v11.2.0 PacketFence v11.2.0 2022-02-23T20:04:35+00:00 ![v11](https://www.packetfence.org/campaigns/img/v112/pf.png) The Inverse team is pleased to announce the immediate availability of PacketFence v11.2 - a major release bringing many improvements! ## TIP OpenWiFi Integration PacketFence v11.2 now directly integrates with TIP OpenWiFi. TIP OpenWiFi access points are now natively supported network/switch devices in PacketFence with the ability to provision out-of-band subscriber service networks, IoT networks and secured networks. ## Kandji MDM Support PacketFence v11.2 sees its device management (MDM) integration nicely enhanced with the addition of Kandji. This next-generation and Cloud-based MDM allows you to centrally manage and secure your Mac, iPhone, iPad, and Apple TV devices while PacketFence can make sure the agents are correctly installed during the onboarding process. ## Automated Integration Tests More automated tests were added in PacketFence v11.2 through Venom.
More specifically, integration tests were added for Fingerbank integration, inline L2/L3 deployment, firewall SSO, CLI for NAS logins and for the captive portal. These extend the automated tests coverage in PacketFence further to ensure greater quality and stability for each new release and help us continue our effort to shorten the time between releases. ## ... and more! PacketFence v11.2 provides additional important improvements such as floating devices support for Brocade/Ruckus switches, role-based access for VPNs, an ISO-based Debian 11 installer and much more. ## What's Coming Up in v12 We're excited for the upcoming PacketFence v12 release later in 2022! This upcoming release will include more new visualization capabilities around asset discovery and threat detection, services containerization, increased integration with MDM/EDR/XDR solutions and better deployment options on public Cloud providers for infrastructure-less and Cloud-first organizations. Stay tuned and follow us on Twitter for progress reports!
--- Here's the complete list of changes included in this release: ### New Features * Added MAB floating device support to Ruckus/Brocade switches ([#6774](https://github.com/inverse-inc/packetfence/issues/6774)) * Support for roles in VPN access * Allow to centralize the virtual IPs on the same server ([#6853](https://github.com/inverse-inc/packetfence/issues/6853)) * Added support for Kandji MDM as a provisioner * OpenWiFi switch module * Allow to manage devices (unregister) when reaching max nodes ([#6860](https://github.com/inverse-inc/packetfence/issues/6860)) * ISO installer based on Debian 11 ([#6803](https://github.com/inverse-inc/packetfence/issues/6803)) ### Enhancements * Allow Meraki::MR_v2 module to be able to use a RADIUS Disconnect instead of only a RADIUS CoA * Simplify local development of Venom tests ([#6711](https://github.com/inverse-inc/packetfence/issues/6711)) * Integration tests on Fingerbank ([#6725](https://github.com/inverse-inc/packetfence/issues/6725), [#6786](https://github.com/inverse-inc/packetfence/issues/6786), [#6798](https://github.com/inverse-inc/packetfence/issues/6798), [#6816](https://github.com/inverse-inc/packetfence/issues/6816)) * Integration tests on captive portal ([#6744](https://github.com/inverse-inc/packetfence/issues/6744)) * Integration tests for CLI login ([#6783](https://github.com/inverse-inc/packetfence/issues/6783)) * Upgrade to Venom 1.0.0 ([#6775](https://github.com/inverse-inc/packetfence/issues/6775)) * Upload logs of tests ([#6784](https://github.com/inverse-inc/packetfence/issues/6784)) * Management of TLS minimum and maximum versions in GUI ([#6773](https://github.com/inverse-inc/packetfence/issues/6773)) * Integration tests for Inline L2 and L3 ([#6769](https://github.com/inverse-inc/packetfence/issues/6769)) * Drastically improved the performance of the Ruckus unbound DPSK implementation ([#6817](https://github.com/inverse-inc/packetfence/issues/6817)) * Added an admin action to allow RADIUS Probe 
requests * Allow access to the Status/Node Manager/Device Registration pages on SAML auth. * Give each monitoring script a maximum of 10 seconds to run ([#6828](https://github.com/inverse-inc/packetfence/issues/6828)) * Resign CA feature in PKI ([#6770](https://github.com/inverse-inc/packetfence/issues/6770)) * Allow to download any certificates without private key using a button ([#6778](https://github.com/inverse-inc/packetfence/issues/6778)) * Fixes date format of the PKI SQL tables ([#6823](https://github.com/inverse-inc/packetfence/issues/6823)) * Use the Digest of the profile on SCEP request ([#6823](https://github.com/inverse-inc/packetfence/issues/6823)) * Improve CLI login support on Ubiquiti Edge switches ([#6727](https://github.com/inverse-inc/packetfence/issues/6727)) * Expose the open locationlog as a variable to switch templates. * Improve the speed on the node online query. * Message portal module can be used without the portal template. * The ip6tables rules are now managed by PacketFence ([#6836](https://github.com/inverse-inc/packetfence/issues/6836)) * Certificate signing requests created via the admin interface now include a Subject Alternative Name (SAN) * The Subject Alternative Names of a certificate are now displayed in the admin interface * SSL Certificates - RADIUS / HTTPs page Simple GUI Enhancements (wording clarification) ([#6613](https://github.com/inverse-inc/packetfence/issues/6613)) * New mysql-probe service to monitor haproxy-db backends * Allow to add environment overrides to Fingerbank collector via the config ([#6854](https://github.com/inverse-inc/packetfence/issues/6854)) * Change the behavior of pf::condition::not_equal to always succeed when match value is undef * Allow to renew certificate X days before the expiration date * Send email X days before the expiration date to the user email/ profile email / administrator * PKI CN provides certificate for the same CN but for different profiles (profile name added in Subject) * 
Auto-revoke certificate if expired * PKI actions are now logged to the admin API audit log * Reduce list of accepted ciphers in haproxy-portal and haproxy-admin to reinforce security * Improved the performance of the bandwidth accounting cleanup process ([#6850](https://github.com/inverse-inc/packetfence/issues/6850)) * Purge binary logs task * Integration tests for firewall SSO (HTTPS/RADIUS) ([#6822](https://github.com/inverse-inc/packetfence/issues/6822)) * Add text warning on unreg date when past date is used ([#6871](https://github.com/inverse-inc/packetfence/issues/6871)) * Add an option to sync a single ConfigStore storage in the bin/cluster/sync tool ([#6904](https://github.com/inverse-inc/packetfence/issues/6904)) * Updated PayPal integration documentation * Match expected administration rules for web admin and sponsor login ([#3631](https://github.com/inverse-inc/packetfence/issues/3631)) ### Bug Fixes * Reply to Windows devices configured through Intune even if they requested a non-existing URL ([#6687](https://github.com/inverse-inc/packetfence/issues/6687)) * Add RADIUS audit log entry in correct tenant when switches are defined by MAC address ([#6540](https://github.com/inverse-inc/packetfence/issues/6540)) * Fixed issue with edition of PKI template ([#6713](https://github.com/inverse-inc/packetfence/issues/6713)) * Fixed issue on PKI template save ([#6749](https://github.com/inverse-inc/packetfence/issues/6749)) * Fixed issue on PKI templates can be modified by a SCEP request ([#6751](https://github.com/inverse-inc/packetfence/issues/6751)) * Fixed issue with PKI From value when sending certificate by email ([#6370](https://github.com/inverse-inc/packetfence/issues/6370)) * Fixed documentation for Huawei (PR [#6692](https://github.com/inverse-inc/packetfence/issues/6692)) * Fixed issue when pulling the wrong certificate only based on the cn ([#5861](https://github.com/inverse-inc/packetfence/issues/5861)) * Fixed regression in the Unifi module for 
deauthentication of webauth clients when the APs are defined using an IP or CIDR in the configuration ([#6686](https://github.com/inverse-inc/packetfence/issues/6686)) * Fixed revoke certificate on unregistration ([#6826](https://github.com/inverse-inc/packetfence/issues/6826)) * Send certificates by email using alerting settings ([#5917](https://github.com/inverse-inc/packetfence/issues/5917)) * Validate email format on TLS Enrollment form * Fixed issue where portal could apply actions from different auth rules ([#6896](https://github.com/inverse-inc/packetfence/issues/6896)) * Handle DBI library ping call dying in pfconfig MySQL backend ([#6895](https://github.com/inverse-inc/packetfence/issues/6895)) 2022-02-23T20:04:35+00:00 PacketFence v12.0.0 PacketFence v12.0.0 2022-09-14T17:16:34+00:00 ![v12](https://www.packetfence.org/campaigns/img/v12/pf.png) The Inverse team is pleased to announce the immediate availability of PacketFence v12 - a major release bringing tons of improvements! ## Containerization Almost all PacketFence services have been containerized for the v12 release. This foundation work allows PacketFence to be deployed in a Kubernetes cluster environment. ## Visualization PacketFence v12 provides many new visualization options for assets, threats and network communication flows. Perform asset and inventory management by either Fingerbank top-level category or a custom search with any node, ipv4 or ipv6 criteria. Summarize and review all security events and remediate individual events from a single dashboard. Summarize the network communication for any/all devices in a single graph and filter by Fingerbank top-level category, internal or external hosts, protocol and port. ## Geo-distributed Database PacketFence v12 now integrates ProxySQL - allowing us to R/W split database operations to improve handling with geo-distributed MySQL8 databases. 
This release aims to support deployments where 50-60 ms latency is observed and much higher latencies will be supported in upcoming releases. ## Cluster Services Manage PacketFence services for all cluster members from a single host while maintaining the cluster's quorum. Protected services needed by the UI in order to function can now be restarted from the UI without having to worry about network disconnects. Improved visibility of service status of all cluster members. ## PKI PacketFence v12 now supports CSR signing from PacketFence PKI, CA re-sign, per-profile CN certificates with the Subject, Audit Logs, and several template and date format improvements. ## ... and more! PacketFence v12 provides additional important improvements such as Meraki RBAC support, Sophos VPN integration, CSR signing from the PacketFence PKI and much more. --- Here's the complete list of changes included in this release: ### New Features * New assets, communications and threats visualizations * Containerization of most PacketFence services * New pfconnector service to connect remote locations to a central or cloud PacketFence server * Support for role-based enforcement on Meraki wired devices ([#7000](https://github.com/inverse-inc/packetfence/issues/7000)) * Support to split database read and writes to different MySQL servers ([#7055](https://github.com/inverse-inc/packetfence/issues/7055)) * Support for distributed database reads in cluster using ProxySQL * Initial Linode IaaS and PacketFence Connector documentation ([#7152](https://github.com/inverse-inc/packetfence/issues/7152)) ### Enhancements * Unified service store module allowing control of both local and cluster members services * Sign a CSR from the PacketFence PKI * Added ability to use the MariaDB database or Redis to store the api-frontend tokens * Adjust logs for containerized and non-containerized services ([#7043](https://github.com/inverse-inc/packetfence/issues/7043)) * Allow to enable/disable processing bandwidth 
accounting ([#6934](https://github.com/inverse-inc/packetfence/issues/6934)) * Sophos VPN support * Automatically display mandatory fields in email/sponsor activation emails ([#7069](https://github.com/inverse-inc/packetfence/issues/7069)) * Detect CLI access from Dell N1500 switches ([#7070](https://github.com/inverse-inc/packetfence/issues/7070)) * Deprecate /api/v1/config/fixpermissions and /api/v1/config/checkup * Update monit email ([#7012](https://github.com/inverse-inc/packetfence/issues/7012)) * Monit sender address configurable from the admin GUI * Full UTF-8 support in the PacketFence database * Added MySQL compatibility * Added CSV import to switch groups * Simplify cluster upgrades ([#7180](https://github.com/inverse-inc/packetfence/issues/7180)) ### Bug Fixes * Only provide the unregdate action if access_duration is not defined for the local source ([#6925](https://github.com/inverse-inc/packetfence/issues/6925)) * Clone switch template with correct ID ([#6941](https://github.com/inverse-inc/packetfence/issues/6941)) * Add time to the available template switch variables ([#6952](https://github.com/inverse-inc/packetfence/issues/6952)) * Only trigger the node discover security event in the context of RADIUS and pfdhcplistener ([#4987](https://github.com/inverse-inc/packetfence/issues/4987)) * Use TLS 1.2 to communicate with Intune servers ([#7021](https://github.com/inverse-inc/packetfence/issues/7021)) * Align Apache timeout with captive_portal.request_timeout ([#7037](https://github.com/inverse-inc/packetfence/issues/7037)) * Return VIP in DHCP requests if `dns_on_vip_only` is enabled ([#7035](https://github.com/inverse-inc/packetfence/issues/7035)) * Replace LF by CRLF at end of emails sent by PacketFence (SMS email has "Bare Line Feed Characters" Status code: 550 5.6.11 [#5380](https://github.com/inverse-inc/packetfence/issues/5380)) * The User-Name value in an EAP-TTLS PAP reply will always be the identity of the inner-tunnel 
([#7017](https://github.com/inverse-inc/packetfence/issues/7017)) * Multi-line entries in "Role by access list" are returned as a string ([#6791](https://github.com/inverse-inc/packetfence/issues/6791)) * Respect the time of the expiration date of the password ([#7003](https://github.com/inverse-inc/packetfence/issues/7003)) * Monitoring scripting key is not installed correctly when performing an ISO installation ([#6965](https://github.com/inverse-inc/packetfence/issues/6965)) * Set the database location to the system Local timezone (golang) * Add missing translations to the captive portal * Fix Trapeze Deauth issue * Fix the wrong encoding of special char in the REST call to PacketFence (use base64) 2022-09-14T17:16:34+00:00 PacketFence v12.1.0 PacketFence v12.1.0 2022-11-22T15:16:58+00:00 The Inverse team is pleased to announce the immediate availability of PacketFence 12.1 - a major release bringing tons of improvements! ## Single-Sign-On for the admin interface The PacketFence admin interface now has support for Single-Sign-On (SSO) using SAML, OAuth2 as well as supporting MFA using TOTP and Akamai MFA. ## Fingerbank in the PacketFence Connector The PacketFence Connector now supports running the Fingerbank Collector to perform device profiling using all the traffic a PacketFence connector sees. ## Unbound dynamic PSK support for OpenWiFi The OpenWiFi integration now supports dynamic unbound PSK which allows individual users to authenticate against PacketFence with their personal WPA2 key. 
--- Here's the complete list of changes included in this release: ### New Features * Added unbound dynamic PSK support to the OpenWiFi module * Added Single-Sign-On capability for the admin interface login (SAML/OAuth/MFA/etc) * Improved PacketFence forwarder integration to mirror DNS packets from a Windows DNS server * Support for the Fingerbank Collector on the PacketFence Connector ### Enhancements * More flexibility in the definition of the RADIUS servers in an Eduroam source * Allow to import only DB or configuration during import * Debian package for PacketFence Connector * Removed the savedsearch table. * Removed jQuery dependency in captive portal. * Present the dynamic PSK on the status page when appropriate * Manage pfconfig.conf through upgrade scripts instead of packaging * Improve WebAuth support on Extreme controllers * Allow users to upload files from the admin instead of uploading them manually via SCP/SSH * Added new RADIUS attribute VPN detection for FortiGate * Fixed valid_mac, which identified some IP addresses as MAC addresses * Support for hardware tokens like YubiKey for Akamai MFA * Added SMS/phone call as default method in configuration ### Bug Fixes * Fixed issue with pfconnector where it would reuse a dynamic reverse that isn't active anymore (Pfconnector server active dyn reverse cache checks can fail #7218) * Fixed RADIUS deauth through pfconnector-remote in a cluster where it was logging as failed although it succeeded * When a rule match is 'any' and has no conditions the rule is always successful (#3768) * Fix issue with database upgrade (#7283) * Fix issue Sponsor registration: notes field can't be used on captive portal #6385 * Better error handling when performing a deauth on the previous switch. 
(captive portal redirect page return Caught exception in captiveportal::Controller::Root->dynamic_application "Can't use string ("0") as a HASH ref while "strict refs" in use at /usr/local/pf/lib/pf/enforcement.pm line 206 #6985) * Fixes possible Clickjacking for netdata reverse proxy (#7338) * Don't resync config files unnecessarily during restarts (Cluster resync on restart - pf12.1 #7360) 2022-11-22T15:16:58+00:00 PacketFence v12.2.0 PacketFence v12.2.0 2023-03-09T15:22:44+00:00 The Inverse team is pleased to announce the immediate availability of PacketFence 12.2 - a minor release bringing interesting improvements! ## ContentKeeper firewall SSO support We are excited to announce that PacketFence is able to send SSO requests to ContentKeeper and update it in order to apply policies to end devices for internet access. ## Added support for Unifi OS controllers (#7368) We are also proud to announce that PacketFence now supports Unifi OS controllers by adjusting the port and adding a prefix path. ## Added support for downloadable ACLs on Cisco and Dell switches PacketFence is now able to send Downloadable ACLs to Cisco and Dell switches. When the ACLs exceed the size of the RADIUS reply, PacketFence can trigger the downloadable ACLs and send a chunk of ACLs through multiple access-challenges. 
--- Here's the complete list of changes included in this release: ### New Features * Content Keeper firewall SSO support * Added support for Unifi OS controllers (#7368) * Added support for downloadable ACLs on Cisco and Dell switches ### Enhancements * Allow ProxySQL to be configured to connect to a single external database * Allow image files to be uploaded in a connection profile * Added System Service and systemd buttons in Admin UI * Online/offline doesn't rely on recording the bandwidth accounting data anymore * Pending security events added to network threats visualization * Allow to expose the fingerbank_info variable to all HTML portal templates (#7460) * VLAN filters actions can now be done synchronously (#7351) * Support for wired connections on Ruckus SmartZone * Improve support of WebAuth on Aruba AP (#7470) * Allow configurability of using the connector during firewall SSO * New API call /api/v1/config/role/{role_id}/bulk_reevaluate_access * Add warnings/errors when updating ACLs for roles and switches * Azure SAML integration documentation * Change log levels of Perl services using environment variable (#7487) * Containerization of the `pfacct` service * Add not_before to PKI certificates (#7454) * Support for out ACLs if the switch supports it (#7560) * Improvements and support for dACL in supported material (#7561) ### Bug Fixes * Force the destination IP for UDP packets going through the pfconnector (#7323) * Clear the active dynamic reverses that exist when a pfconnector reconnects * OpenID Authentication Source -Duplicated Username (#7399) * Unable to upgrade to Debian 11.6 with PF 11.X and 12.X (#7438) * Trust server certificates when provisioning Apple devices for EAP-TLS (#7428) * Use WPA2 in place of WPA when provisioning Apple devices (#7428) * Creating/modifying/deleting a syslog forwarder should prompt to restart rsyslog in the admin (#6532) * Fixed UTF-8 encoding in email body (#7422) * Escape quotes in LDAP passwords (AD source: too complex 
passwords prevent RADIUS to start #3976) * Use the proper file extensions when uploading SAML config files. (ZEN 12.1 - XML File Renamed on upload. #7439) * Return immediately after an async job is complete (Rework pfqueue results polling #7175) * Fixed issue with Aruba DACL, only the first ACL was shown in the port * ZEN 12.1 installations will generate a new RADIUS key after a reboot (#7568) * Disable DNS lookup in sudo to prevent API timeouts and interfaces not detected (#7403) * RADIUS source+pfconnector is not working in admin context (#7550) 2023-03-09T15:22:44+00:00 PacketFence v13.0.0 PacketFence v13.0.0 2023-08-09T13:52:02+00:00 ![v13](https://www.packetfence.org/campaigns/img/v13/pf.png) The Inverse team is pleased to announce the immediate availability of PacketFence v13.0 - a major release with new features, enhancements and bug fixes. This release is considered ready for production use and upgrading from previous versions is strongly advised. ## ACL pre-creation support for wired and WiFi equipment PacketFence is now able to pre-create ACLs on switches/WiFi controllers for multiple vendors. This allows PacketFence to support in/out ACLs for greater segmentation capabilities. ## Redis-based queueing to improve geo-distributed deployments PacketFence v13 received many optimizations to reduce database writes. Moreover, some write operations are now queued in Redis - which increases throughput and the required latency for geo-distributed deployments. ## End-to-end testing framework to UI for CI/CD pipelines PacketFence now integrates a complete end-to-end testing framework which allows the creation of automated UI tests for our CI/CD pipelines. This is a great addition to Venom-based tests - allowing greater test coverage and improved quality/stability. 
## LDAP explorer allows LDAP search (#7634 and #7683, @VakarisZ) --- Here's the complete list of changes included in this release: ### New Features * ACL pre-creation support for wired and WiFi equipment * Redis-based queueing to improve geo-distributed deployments * End-to-end testing framework to UI for CI/CD pipelines (#7350) * LDAP explorer allows LDAP search (#7634 and #7683, @VakarisZ) ### Enhancements * Refactored all Cisco modules to now use OS versions instead of model names * Be informed (through security event) when a device pops up into a VLAN or a subnet that shouldn’t be there (#7529) * Upgraded coredns libraries (#7197) * Added Palo Alto switch module to manage web admin login using RADIUS (#7643) * Removed WMI (#7649) * Allow to call a custom script from pfupdate to handle VIP in cloud environments (#7654) * Removed IBM provisioner (#7686) * Removed ServiceNow provisioner (#7699) * Removed Symantec Provisioner (#7700) * Removed OPSWAT Provisioner (#7716) * Removed httpd.proxy service (#7668) * Removed unused service httpd.collector (#7667) * Removed Traffic Shaping (#7666) * Optimized pfdhcp (#7710) * ISO installer supports UEFI booting (#7724) * Updated to go 1.20.5 (#7636) * Documentation to manage HTTP and RADIUS certificates * Updated OpenAPI Specification to version 3 and improved coverage to all endpoints, including meta OPTIONS and distinct collection sub-types ### Bug Fixes * Removed the use of pthread_atfork (#7538) * Don't delete a node from pfdhcp if it is disabled on node deregister (#7525) * Accurately display the number of registered nodes per role and the overall total of registered nodes (#7471) * Moved FreeRADIUS refresh to pfqueue (#7620) 2023-08-09T13:52:02+00:00