PacketFence v5.4 released

October 1, 2015

The Inverse team is pleased to announce the immediate availability of PacketFence 5.4.0. This is a major release with new features, enhancements and important bug fixes. This release is considered ready for production use and upgrading from previous versions is strongly advised.

Here are the changes in v5.4.0:

• PacketFence now supports SCEP integration with Microsoft’s Network Device Enrollment Service during the device on-boarding process when using EAP-TLS
• Improved integration with social media networks (email address lookups from Github and Facebook sources, kickbox.io support, etc.)
• External HTTP authentication sources support which allows an HTTP-based external API to act as an authentication source to PacketFence
• Introduced a ‘packetfence_local’ PKI provider to allow the use of locally generated TLS certificates to be used in a PKI provider / provisionner flow
• New filtering engine for the portal profiles allowing complex rules to determine which portal will be displayed
• Added the ability to define custom LDAP attributes in the configuration
• Add the ability to create "administrative" or "authentication" purposes rules in authentication sources
• Added support for Cisco SG300 switches

• RADIUS Diffie-Hellman key size has been increased to 2048 bits to prevent attacks such as Logjam
• HAProxy TLS configuration has been restricted to modern ciphers
• Improved error message in the profile management page
• Allow precise error messages from the authentication source when providing invalid credentials on the captive portal
• Aruba WiFi controllers now support wired RADIUS MAC authentication and 802.1X
• Added Kickbox.io authentication source which can allow a new Null type source with email validation
• Now redirecting to HTTP for devices that do not support self-signed certificates on the captive portal if needed
• httpd.portal now serves static content directly (without going through Catalyst engine)
• Introduction of a new configuration parameter (captive_portal.wispr_redirection) to allow enabling/disabling captive-portal WISPr redirection capabilities
• File transfers through the webservices are now atomic to prevent corruption
• New web API call to release all violations for a device
• Added better error message propagation during a cluster synchronization
• Added additional in-process caching for pfconfig proxied configuration
• The server hostname is now displayed in the admin info box
• Added a warning in the configurator when the user is configuring multiple interfaces in the same network
• Added synchronization of the Fingerbank data in an active/active cluster
• Client IP and MAC address are now available though direct variables in the captive portal templates
• The IPlog can now be updated through RADIUS accounting
• Devices in the registration VLAN may now be allowed to reach an Active Directory Server
• Added an option to centralize deauthentication on the management node of an active/active cluster
• Added the option to use only the management node as the DNS server in active/active clustering
• Improved Ruckus ZoneDirector documentation regarding external captive portal
• pfconfig daemon can now listen on an alternative unix socket
• Improved handling of updating the /etc/sudoers file in packaging
• Improved roles handling on AeroHive devices

• Fix case where status page links would be pointing to the wrong protocol (HTTP vs HTTPS)
• set_unreg_date and set_access_duration actions now have the same priority when matching rule and actions (#816)
• Fixes the database query hanging in the captive portal
• The person attributes lookup will now be made on the stripped username if needed (#888)
• Active/active load balancing will now be dispatched based on the Calling-Station-Id attribute.
• Fix unaccessible portal preview when no internal network is defined (#790)
• Fixed a case where the wrong portal profile can be instantiated on the first connection
• Improved error message in the profile management page (#858)
• Do not use the PacketFence multi-domain FreeRADIUS module unless there are domains configured in PacketFence (#868)
• We now handle gracefully switches sending double Calling-Station-Id attributes (#864)
• Prevent OMAPI from being configured on the DHCP server without a key (#851)
• Switched to the memcached binary protocol to avoid memcached injection exploit
• Fixed ipset error if the device switches from one inline network to another
• Fixed wrong configuration parameters for redirect url (now a per-profile parameter)
• Fix bug with validation of mandatory fields causing exceptions in signup
• Made DHCP point DNS only on cluster IP if passthroughs are enabled in active/active clusters (#820)
• Defined the maximum message size that SNMP get can return (fixes VOIP LLDP/CDP detection on switch stacks #738)

See the complete list of changes and the UPGRADE.asciidoc file for notes about upgrading.