PacketFence v12 released

September 14, 2022

The Inverse team is pleased to announce the immediate availability of PacketFence v12 - a major release bringing tons of improvements!

Containerization

Almost all PacketFence services have been containerized for the v12 release. This foundation work allows PacketFence to be deployed in a Kubernetes cluster environment.

Visualization

PacketFence v12 provides many new visualizations options for assets, threats and network communication flows. Perform asset and inventory management by either Fingerbank top-level category or a custom search with any node, ipv4 or ipv6 criteria. Summarize and review all security events and remediate individual events from a single dashboard. Summarize the network communication for any/all devices in a single graph and filter by Fingerbank top-level category, internal or external hosts, protocol and port.

Geo-distributed Database

PacketFence v12 now integrates ProxySQL - allowing us to R/W split database operations to improve handling with geo-distributed MySQL8 databases. This release aims to support deployments where 50-60 ms latency is observed and much higher latencies will be supported in upcoming releases.

Cluster Services

Manage PacketFence services for all cluster members from a single host while maintaining the cluster’s quorum. Protected services needed by the UI in order to function can now be restarted from the UI without having to worry about network disconnects. Improved visibility of service status of all cluster members.

PKI

PacketFence v12 now supports CSR signing from PacketFence PKI, CA re-sign, per-profile CN certificates with the Subject, Audit Logs, and several template and date format improvements.

… and more!

PacketFence v12 provides additional important improvements such as Meraki RBAC support, Sophos VPN integration, CSR signing from the PacketFence PKI and much more.

Here’s the complete list of changes included in this release:

New Features

• New assets, communications and threats visualizations
• Containerization of most PacketFence services
• New pfconnector service to connect remote locations to a central or cloud PacketFence server
• Support for role-based enforcement on Meraki wired devices (#7000)
• Support to split database read and writes to different MySQL servers (#7055)
• Support for distributed database reads in cluster using ProxySQL
• Initial Linode IaaS and PacketFence Connector documentation (#7152)

Enhancements

• Unified service store module allowing control of both local and cluster members services
• Sign a CSR from the PacketFence PKI
• Added ability to use the MariaDB database or Redis to store the api-frontend tokens
• Adjust logs for containerized and non-containerized services (#7043)
• Allow to enabled/disable processing bandwidth accounting (#6934)
• Sophos VPN support
• Automatically display mandatory fields in email/sponsor activation emails (#7069)
• Detect CLI access from Dell N1500 switches (#7070)
• Deprecate /api/v1/config/fixpermissions and /api/v1/config/checkup
• Update monit email (#7012)
• Monit sender address configurable from the admin GUI
• Full UTF-8 support in the PacketFence database
• Added MySQL compatibility
• Added CSV import to switch groups
• Simplify cluster upgrades (#7180)

Bug Fixes

• Only provide the unregdate action if access_duration is not defined for the local source (#6925)
• Clone switch template with correct ID (#6941)
• Add time to the available template switch variables (#6952)
• Only trigger the node discover security event in the context of RADIUS and pfdhcplistener (#4987)
• Use TLS 1.2 to communicate with Intune servers (#7021)
• Align Apache timeout with captive_portal.request_timeout (#7037)
• Return VIP in DHCP requests if dns_on_vip_only is enabled (#7035)
• Replace LF by CRLF at end of emails sent by PacketFence (SMS email has “Bare Line Feed Characters” Status code: 550 5.6.11 #5380)
• The User-Name value in an EAP-TTLS PAP reply will always be the identity of the inner-tunnel (#7017)
• Multi-line entries in “Role by access list” are returned as a string (#6791)
• Respect the time of the expiration date of the password (#7003)
• Monitoring scripting key is not installed correctly when performing an ISO installation (#6965)
• Set the database location to the system Local timezone (golang)
• Add missing translations to the captival portal
• Fix Trapeze Deauth issue
• Fix the wrong encoding of special char in the REST call to PacketFence (use base64)

See the complete list of changes and the upgrade guide file for notes about upgrading.

This release is considered ready for production use and upgrading from previous versions is strongly advised.