v8.3.0

New Features

• Added support for Juniper EX2300 (JUNOS 18.2) switches
• Clickatell authentication source support
• Added a random algorithm for VLAN pooling
• Added the ability to reserve IP addresses in pfdhcp
• Added a way to trigger a violation when device profiling detects a change in the device class
• New SSL Inspection portal module
• RADIUS proxy integration from web admin interface
• RADIUS filtering support for pre_proxy/post_proxy/preacct/accounting/authorize phases
• Updated the Windows provisioning agent to the new Golang based version

Enhancements

• Redis now only listens on localhost (#3729)
• Deprecate usage of roaring bitmap for the DHCP IP pool (#3779)
• Email and SponsorEmail sources can have banned and allowed email domains (#3807)
• Improved startup time of pfdhcp
• Removed OPSWAT Metadefender Cloud support
• Chose password hashing algorithm when creating a local user from a source
• Define the length of the password to generate when creating a local user from a source
• New "dummy" source just to compute the rules

Bug Fixes

• Logs permissions and configuration for Debian (#3780)
• Fixed missing cache directory for NTLM auth cache (#3788)
• Fixed working directory of NTLM auth cache sync script (#3777)
• Handled multiple LDAP hosts properly in NTLM auth cache (#3776)
• Issue with the DHCP server that gives sometimes a duplicate IP address
• Adjusted CentOS and RHEL dependencies
• Fixed MAC filtered lookups that were cached in pfdns (#3785)
• Fixed the OpenVAS integration to work with OpenVAS Manager 7.0 (OpenVAS 9)
• Fixed encoding of files created in the administration interface (force them to UTF-8)

v8.2.1

Enhancements

• Allow for SMS PIN codes to be reused (#3436)

Bug Fixes

• Adjusted ports for Active Directory passthroughs (#3769)
• Improved performance of nodes tab in the admin interface (#3721)
• Fixed Google Project Fi missing from the official schema
• Various fixes for broken NTLM cache job
• Fixed issues with realms after a restart of pfconfig (#3797)
• Fixed issue with pfdhcp leaking file descriptors
• Fixed issue with captive portal requesting an artifact from the SAML server
• Fixed duplicate IP addresses given by pfdhcp
• Added new expected parameter for the redirect URL when performing web-auth with a Cisco WLC
• Fixed SEPM provisioner token refresh

v8.2.0

New Features

• Added support for clusters with servers located in multiple layer 3 networks (PR #3656)
• Permit incoming Eduroam TLRS RADIUS requests (PR #3399)
• pfconfig is tenant aware (PR #3385)
• Realm are tenant scoped (PR #3385)
• Added Mojo web authentication support (PR #3604)
• New authentication source Password of the Day (PR #3285)
• Added SMTP test function in Alerting (PR #3642)
• Juniper SRX Firewall SSO module (PR #2842)

Enhancements

• Now support CoA on Meraki switches
• jsonrpc requests send the current tenant_id (#3271)
• Take the tenant id in consideration in the queue (#3269)
• Performed various improvements to the maintenance script (PR #3445)
• Increased maximum node bandwidth balance from 4 GB to 18.4467441 XB (exabytes) (#3477) (PR #3493)
• Improve connection profile's advanced filter
• Use MySQL as backend for pfdhcp options (deprecates etcd) (PR #3484)
• Reorder iptables rules (PR #3463)
• Better error handling for pfdetect.conf (PR #3607)
• HAProxy stats files are now located in var/run/ with explicit filenames (PR #3645)
• pfdns now uses the PacketFence standard Golang logging library (PR #3638)
• Added VOIP and Downloadable ACLs support to Aruba 5400 switch module (PR #3372)
• Switch filters can now be used to override the switch module that is instantiated during a RADIUS connection (PR #3583)
• WIRED_MAC_AUTH and Ethernet-NoEAP merged (#3069) (PR #3261)

Bug Fixes

• Backslash in usernames in Reports section is shown as "=5C" (#3508) (PR #3510)
• Multiple bug fixes to the pfdhcp service (PR #3571)
• Domain join log entries contain clear-text credentials (#3448)
• Fixed false positive dhcp rogue detection (PR #3514)
• Sponsor Email subject and body are i18n in the same language (#3670)
• pfstats hammers pfdhcp and the API frontend with requests (#3634)
• Can't download SAML metadata in the admin (#3720)

v8.1.0

New Features

• Added support for dynamic PSK (Cisco IPSK) for the Cisco WLC and hostapd (PR #3244)
• Added Ubiquiti Unifi web authentication and 802.1X support
• Added support for Cambium AP module for 802.1X, MAC and web authentication (PR #3282)
• Change root portal module on failure/success
• Save already entered field on the portal (chain auth)
• Custom message for SMS registration
• Expire SMS pin code
• Define the length of the pin code
• Enable or disable sponsor authentication when he validates access (PR #2995)

Enhancements

• Allow connection profiles to be enabled/disabled (PR #3175)
• Add new portal module action that wraps the default actions a module would normally execute (fixes #3231)
• Improved startup time of PacketFence (PR #3213)
• Fix local/reject realm for eduroam in standalone configuration (PR #3264)
• Allow subsecond timeouts for LDAP connections
• Allow randomization of the search order for a list of LDAP servers
• IP exclusion is now possible in the DHCP server
• Allow max node per role when doing autoregistration
• Moved unregister on accounting stop parameter on the connection profile
• VLAN filters can be set to ${node_info.category} and it will return the current category of the device
• The database load-balancer now listens on the cluster management IP address
• Allow to update switches while importing them via CSV

Bug Fixes

• Netdata never ending restarts after a reboot (#3287)
• Systemd PID file causes issues when there is a stale PID file (#3291)
• Fixes when a LDAP authentication source contains multiple IP addresses (#3234)
• Added missing DHCP Statistics for routed networks on the dashboard (#3128)

v8.0.1

Enhancements

• Update the computername (hostname) of a node using the Fingerbank Collector data
• Detect uplinks based on CDP flag instead of a string
• Put etcd in its own directory

Bug Fixes

• Fixed issue with device profiling not being performed when an endpoint connects for the first time
• Fixed missing timeout when performing RADIUS SSO (FortiGate, CheckPoint, WatchGuard)
• Fixed issue with API frontend when initially configuring the webservices username and password
• packetfence-haproxy-portal and packetfence-tc systemd service in a wrong target
• Custom routing with inline enforcement fails silently (#3215)
• Nessus 6 scanner
• haproxy-db only listens on IPv6 interface (Debian) (#3208)
• Fixed packetfence-local-auth
• Fixed DNS passthrough for normal domains (was considered as a wildcard)
• Winbind fails to start because of a permission issues on /var/run/samba/winbindd in the chroots
• Update from 7.4 to 8.0 audit log file not there (#3216)
• Fixed unreg on RADIUS accounting stop (#3220)
• Allow nodes without roles to be modified when restricting allowed role (#3217)
• Fixed speed issues with node search in the admin
• Fixed missing timeout for RADIUS sources tests in pfstats

v8.0.0

New Features

• Replaced the ISC DHCP server with a new Golang-based DHCP server (PR #2911)
• Now supporting inline enforcement in active/active clusters (PR #2911)
• Replaced pfdns with a new Golang-based DNS server (PR #2911)
• Allow an inline network to be split by the roles in PacketFence allowing to put specific devices in a distinct broadcast network (PR #2911)
• DNS routing (PR #2911)
• Dashboard metrics are now based on Netdata (PR #2935)
• Traffic shaping support for inline enforcement (PR #2803)
• Added a configuration parameter to allow to unregister a device on an accounting stop (PR #2685)
• Added CLI support on Aruba 5400 switches (PR #2965)
• Username stripping (removing the realm) is now configurable via the realms instead of the sources
• PacketFence integration with JAMF API for Apple computers and mobile devices management (PR #2797)
• Added an HTTP JSON API

Enhancements

• Distribute pfdhcplistener tasks among cluster members (PR #2887) (#2858)
• Removed pfsetvlan
• Now allowing to use the RADIUS accounting cache when in cluster mode

Bug Fixes

• Guest Portal validate_phone_number check not work (#2783)
• A management user can override an account that was not created by him (#2883)

v7.4.0

New Features

• New database access layer (DAL) for upcoming multi-tenancy support
• New portal module to permanently set roles (PR #2490)
• Added portal module for selecting a role for the device being registered on the portal (PR #2471)
• Added support for Allied Telesis GS950 switches (PR #1866)
• Added ability to update the firewall SSO on RADIUS accounting packets (PR #2662)
• Added a way to define a VLAN by role as a VLAN pool using a VLAN range (PR #2675)

Enhancements

• Added cloning capability in connection profiles (PR #2814) (#2809)
• Read and write timeouts for LDAP connections can now be set (#2613) (PR #2614)
• Keepalived can be configured to detect its peers via unicast instead of multicast (PR #2794)
• Suggest violation identifier when adding a new violation (#2804) (PR #2807)
• Create a priority queue
• Move ReAssignVlan and desAssociate API calls to the priority queue
• Added connection profile SSID filter suggestions based on all the previous SSIDs that have been seen in the locationlog (#2758) (PR #2771)
• Added a description to the switches in the nodes side navigation (#2791) (PR #2795)
• Improved configuration of the captive portal timer bar (via the captive_portal section of pf.conf) (#383) (PR #2762)
• (AD Powershell scripts) Enforce use of TLS in the powershell scripts which is required with the last versions of PacketFence (PR #2788)
• (AD Powershell scripts) Cycle through all the possible Active Directory usernames formats in PacketFence (PR #2788)
• Removed old authentication code sources (#2610)
• Added rule description in listing (#2619)
• Improved documentation (PR #2774) (#2773)
• Set a timeout for database queries for the admin to avoid long running queries slowing the system (#2630) (PR #2659)
• Documentation improvement about MySQL advanced parameters (#266)
• Enhanced localization support in violation module (PR #2759)
• Improved the haproxy HTTP process monitoring
• Improved cluster maintenance script to perform necessary system changes to have the node in maintenance

Bug Fixes

• Moved add and delete buttons to the left to avoid the being cutoff (#2678)
• Fixed "Admin: Multiple 'Device Type' options in Nodes tab" (#2789) (PR #2793)
• Configurator: when using a different database name, the fingerbank.conf MySQL section is not updated (#2665) (PR #2787)
• rlm_perl modules are now using syslog instead writing directly to the file (PR #2609)
• Prevent a valid PID from being overwritten at the end of the portal registration if the new PID is default (#2825)
• Auth log is not set to completed after email registration (#2648) (PR #2649)
• Fixed redirects when previewing profiles that use OAuth source (#2882) (PR #2908)

v7.3.0

New Features

• Added a RADIUS only mode to PacketFence.
• Add a cluster wide view of pfqueue statistics (#2195) (PR #2573)
• Added the possibility of importing switches from a CSV file. (PR #2480)

Enhancements

• The GUI will now display the VLAN in the locationlog view
• The timezone is now a selectable item to prevent invalid input
• Updated ACE text editor to version 1.2.8
• Search forms for nodes and users can now be reset (PR #2555)
• Configuration files can now be saved in readonly mode except violation, switches, role (#2464) (PR #2566)
• Extended descriptions are now supported in the custom reports
• Mail can now be sent using SSL and StartTLS (PR #2446)
• Self signed certificate errors for nessus 6 can now be ignored (PR #2568)
• Violations can now be triggered by nessus 6 scanner (PR #2568)
• The device registration page now supports connection profiles like any other portal
• The username sent in firewall SSO now supports a configurable format (PR #2499)
• PacketFence will now monitor TLS certificates expiration and alert if they are expired (PR #2444)
• LDAP source caching is now caching the rule match rather that the whole source match (PR #2560)
• The admin GUI startup time has been decreased (#2545)
• New and improved documentation for Debian clustering
• Show DHCP Option82 data in the node view (#2396)
• Custom reports columns representing a node or a user can now be configured to be clickable for details on the object in question (#PR 2508)
• New Fortigate 50E 802.1x support
• The computer authentication username can now be normalized when using EAP-TLS (PR #2414)
• Added a task count jitter to reduce the chance that pfqueue workers exit at the same time
• Experimental support for Content Security Policy (CSP) has been added, but is disabled by default (PR #2336)
• A violation can now redirect to a URL specified in a template (PR #2400)

Bug Fixes

• The syslog parser has moved from Compliance to Integration in the GUI (#2467)
• pfsso now logs in packetfence.log (#2553) (PR #2557)
• httpd.dispatcher now logs in httpd.dispatcher.log (PR #2557)
• Fixed incorrect inline sub type detection
• Fixed ipset update with the incorrect ip address
• Fixed missing confirm prompt when restarting all services via the admin interface (#2365) (PR #2571)
• Fixed violation definition sync when removing a violation from the config
• Fixed incorrect Connection-Type when using EAP-TTLS (#2582)
• Fixed VOIP logic to reduce the chance of duplicate locationlog entries (#2527)
• Fixed SNMP connection issues on Extricom controllers
• Fixes segfaults when logging in the multithread environments (#2603)
• reuseDot1x: Changed the way authentication sources are matched with realms regarding a security concern(#2536)
• Trust the wsrep_ready flag of MariaDB Galera cluster for read only detection as putting the DB in read-only can result in occasional de-synchronization between members. (#2593) (PR #2594)
• Run the configreload as the pf user when done through pfcmd (PR #2510)
• Run the 6.0+ upgrade scripts as the pf user to prevent permissions issues after running them (PR #2509)
• Fixed incorrect NULL realm use when authenticating to the admin GUI (#2529)
• Enforced use of the system time instead of browser time when using preset time values (#2559)
• Logging into the status page when reuse dot1x is enabled is no longer broken (#2542) (PR #2598)

v7.2.0

New Features

• Added support for authenticating users through OpenID Connect (PR #2394)
• Added passthroughs for devices in violation state (isolation network) (PR #2328)
• Added ability to report a device lost or stolen in self-service portal (PR #2337)
• Added ability to change a local account password in self-service portal (PR #2337)
• Improved overall user experience of self-service portal (PR #2337)

Enhancements

• Use the attributes returned by a radius use source as attributes to compute the rules (PR #2369)
• Most services now support systemd sd_notify notifications.
• The GUI will now only display readonly actions in readonly mode (PR #2384)
• Journald total file size is now capped at 1Gb (PR #2389)
• The GUI will now allow sources to be cloned (PR #2395)
• The GUI now visually splits Administration and Authentication rules when viewing sources (PR #2395)
• The GUI now has the ability to run "fixpermissions" from the web admin GUI (PR #2398)
• haproxy captive portal rate-limiting is now configurable (PR #2422)
• winbindd will now use the regular samba mechanisms to locate and select DCs (PR #2410)
• New pfcmd command pfcmd pfqueue clear_expired_counters to clear the expired task counters (PR #2433)
• Allow to disable the captive portal haproxy abuse access lists (#2418)

Bug Fixes

• Added a cleanup of the number in the SMS source (#1966)
• TLS certificates and keys will no longer be overwritten (#2366)
• Limit the amount of tasks a worker processes to avoid memory from growing
• Fixed a case where the REJECT role isn’t honored in inline and some web-auth (#2383)
• Sponsor authentication CC address is now BCC to help preserve privacy (#2267)
• Use plain HTTP for network access detection page (#2393)
• Fixed an issue where DHCP broadcast were treated more than once in clustered mode (PR #2413) (#2408)
• Fixed incorrect user login remaining count display (#2450)
• Fixed a case where pfqueue counters show a count of 0 although queue is full (#2420)
• node_discovered is no longer triggered when node hasn’t been created in DB (#2436)
• Detect date was not being populated when nodes were discovered via radius (#2424)
• Fixed leftover httpd processes when restarting (#2439)
• Mariadb binary logs files are now properly rotated (#2440)
• Fixed scss settings and colors being wiped on each upgrade (#2317)

v7.1.0

New Features

• Added support for web authentication (external captive-portal) on Ubiquiti Unifi Controller
• New Firewall/SSO (JSON-RPC) for communicating with custom firewalls (PR #2320)
• VoIP detection: LLDP lookup enhancement (#2227) (PR #2316)

Enhancements

• Add a button to access status from device registration and the other way around(PR #2259)
• Added the ability to specify multiple DNS server(s) for domain join configuration (PR #2223)
• Allow to force a predefined sponsor during sponsor authentication (PR #2150)
• Updated pfdns default filters (PR #2165)
• Added brands icons to authentication source (i.e Twitter, PayPal etc ..) in the administration interface (PR #2287)
• Allow pfqueue workers to perform work across multiple queues (PR #2260)
• Added a way to set time and bandwidth balance in action rule (requires accounting to work) (PR #1936)
• Don’t display the mobileprovider field when doing SMS authentication with only one carrier enabled (PR #2322)
• Added new reports in the administration interface (PR #2313)
• Apache based services now support systemd sd_notify (PR #2351)

Bug Fixes

• Dashboard metrics are now fetched over https (#2272)
• Renamed Ubiquity to Ubiquiti (PR #2293)
• Set up variable GOPATH correctly while setting up developer environment for go (PR #2319)
• Fix too large scoping of authentication sources (#2338)
• Prevent usage of a Null source in the device registration page (#1784)
• Fixes duplicate nodes displaying when there are multiple locationlog entries (#1848)
• Fixed an issue with the Instagram OAuth2 source, where the scope has been modified on the API
• Fixed and issue where the logging configuration was ignored for httpd.aaaa and httpd.webservices (#2350)