PacketFence v5.4.0
cgx
released this
01 Oct 20:20
·
32587 commits
to devel
since this release
New Features
- PacketFence now supports SCEP integration with Microsoft's Network Enrollment Device Service during the device on-boarding process when using EAP-TLS
- Improved integration with social media networks (email address lookups from Github and Facebook sources, kickbox.io support, etc.)
- External HTTP authentication sources support which allows an HTTP-based external API to act as an authentication source to PacketFence
- Introduced a 'packetfence_local' PKI provider to allow the use of locally generated TLS certificates to be used in a PKI provider / provisionner flow
- New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed
- Added the ability to define custom LDAP attributes in the configuration
- Add the ability to create "administrative" or "authentication" purposes rules in authentication sources
- Added support for Cisco SG300 switches
Enhancements
- RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam
- HAProxy TLS configuration has been restricted to modern ciphers
- Improved error message in the profile management page
- Allow precise error messages from the authentication source when providing invalid credentials on the captive portal
- Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X
- Added Kickbox.io authentication source which can allow a new Null type source with email validation
- Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed
- httpd.portal now serves static content directly (without going through Catalyst engine)
- Introduction of a new configuration parameter (captive_portal.wispr_redirection) to allow enabling/disabling captive-portal WISPr redirection capabilities
- File transfers through the webservices are now atomic to prevent corruption
- New web API call to release all violations for a device
- Added better error message propagation during a cluster synchronization
- Added additional in-process caching for pfconfig proxied configuration
- The server hostname is now displayed in the admin info box
- Added a warning in the configurator when the user is configuring multiple interfaces in the same network
- Added synchronization of the Fingerbank data in an active/active cluster
- Client IP and MAC address are now available though direct variables in the captive portal templates
- The IPlog can now be updated through RADIUS accounting
- Devices in the registration VLAN may now be allowed to reach an Active Directory Server
- Added an option to centralize deauthentication on the management node of an active/active cluster
- Added the option to use only the management node as the DNS server in active/active clustering
- Improved Ruckus ZoneDirector documentation regarding external captive portal
- pfconfig daemon can now listen on an alternative unix socket
- Improved handling of updating the /etc/sudoers file in packaging
- Improved roles handling on AeroHive devices
Bug Fixes
- Fix case where status page links would be pointing to the wrong protocol (HTTP vs HTTPS)
- set_unreg_date and set_access_duration actions now have the same priority when matching rule and actions (#816)
- Fixes the database query hanging in the captive portal
- The person attributes lookup will now be made on the stripped username if needed (#888)
- Active/active load balancing will now be dispatched based on the Calling-Station-Id attribute.
- Fix unaccessible portal preview when no internal network is defined (#790)
- Fixed a case where the wrong portal profile can be instantiated on the first connection
- Improved error message in the profile management page (#858)
- Do not use the PacketFence multi-domain FreeRADIUS module unless there are domains configured in PacketFence (#868)
- We now handle gracefully switches sending double Calling-Station-Id attributes (#864)
- Prevent OMAPI from being configured on the DHCP server without a key (#851)
- Switched to the memcached binary protocol to avoid memcached injection exploit
- Fixed ipset error if the device switches from one inline network to another
- Fixed wrong configuration parameters for redirect url (now a per-profile parameter)
- Fix bug with validation of mandatory fields causing exceptions in signup
- Made DHCP point DNS only on cluster IP if passthroughs are enabled in active/active clusters (#820)
- Defined the maximum message size that SNMP get can return (fixes VOIP LLDP/CDP detection on switch stacks #738)