PacketFence v5.4.0

@cgx cgx released this 01 Oct 20:20
· 32587 commits to devel since this release

New Features

  • PacketFence now supports SCEP integration with Microsoft's Network Enrollment Device Service during the device on-boarding process when using EAP-TLS
  • Improved integration with social media networks (email address lookups from GitHub and Facebook sources, kickbox.io support, etc.)
  • Support for external HTTP authentication sources, which allows an HTTP-based external API to act as an authentication source to PacketFence
  • Introduced a 'packetfence_local' PKI provider to allow locally generated TLS certificates to be used in a PKI provider / provisioner flow
  • New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed
  • Added the ability to define custom LDAP attributes in the configuration
  • Added the ability to create rules for "administrative" or "authentication" purposes in authentication sources
  • Added support for Cisco SG300 switches

Enhancements

  • RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam
  • HAProxy TLS configuration has been restricted to modern ciphers
  • Improved error message in the profile management page
  • Allow precise error messages from the authentication source when providing invalid credentials on the captive portal
  • Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X
  • Added Kickbox.io authentication source which can allow a new Null type source with email validation
  • Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed
  • httpd.portal now serves static content directly (without going through Catalyst engine)
  • Introduction of a new configuration parameter (captive_portal.wispr_redirection) to allow enabling/disabling captive-portal WISPr redirection capabilities
  • File transfers through the webservices are now atomic to prevent corruption
  • New web API call to release all violations for a device
  • Added better error message propagation during a cluster synchronization
  • Added additional in-process caching for pfconfig proxied configuration
  • The server hostname is now displayed in the admin info box
  • Added a warning in the configurator when the user is configuring multiple interfaces in the same network
  • Added synchronization of the Fingerbank data in an active/active cluster
  • Client IP and MAC address are now available through direct variables in the captive portal templates
  • The IPlog can now be updated through RADIUS accounting
  • Devices in the registration VLAN may now be allowed to reach an Active Directory Server
  • Added an option to centralize deauthentication on the management node of an active/active cluster
  • Added the option to use only the management node as the DNS server in active/active clustering
  • Improved Ruckus ZoneDirector documentation regarding external captive portal
  • pfconfig daemon can now listen on an alternative unix socket
  • Improved handling of updating the /etc/sudoers file in packaging
  • Improved roles handling on AeroHive devices

Bug Fixes

  • Fix case where status page links would be pointing to the wrong protocol (HTTP vs HTTPS)
  • set_unreg_date and set_access_duration actions now have the same priority when matching rule and actions (#816)
  • Fixed the database query hanging in the captive portal
  • The person attributes lookup will now be made on the stripped username if needed (#888)
  • Active/active load balancing will now be dispatched based on the Calling-Station-Id attribute
  • Fix inaccessible portal preview when no internal network is defined (#790)
  • Fixed a case where the wrong portal profile can be instantiated on the first connection
  • Improved error message in the profile management page (#858)
  • Do not use the PacketFence multi-domain FreeRADIUS module unless there are domains configured in PacketFence (#868)
  • Switches sending double Calling-Station-Id attributes are now handled gracefully (#864)
  • Prevent OMAPI from being configured on the DHCP server without a key (#851)
  • Switched to the memcached binary protocol to avoid a memcached injection exploit
  • Fixed ipset error if the device switches from one inline network to another
  • Fixed wrong configuration parameters for redirect url (now a per-profile parameter)
  • Fix bug with validation of mandatory fields causing exceptions in signup
  • Made DHCP point DNS only on cluster IP if passthroughs are enabled in active/active clusters (#820)
  • Defined the maximum message size that SNMP get can return (fixes VOIP LLDP/CDP detection on switch stacks #738)