v7.0.2

Maintenance release for 7.0 branch

Bug Fixes

• Fixed issue with ip4log cleanup job when rotation was enabled (#2358 and #2359)
• Adjusted default ip4log retention to match what was in PacketFence version 7 and below
• Make REJECT role have precedence over bypass role and VLAN
• Make VLAN filters have precedence over bypass role and VLAN
• Fix useless sessions being created in web-auth in the dispatcher (#2352)
• Load liblasso during runtime in order to prevent a segfault of Apache on Debian 8.8 (#2342)
• Fix syntax error in the guest_sponsor_preregistration email template
• Fix previewing email templates in the admin

v7.0.1

Maintenance release for 7.0 branch

Bug Fixes

• Fixed incorrect locationlog entry when performing RADIUS CoA (#2222)
• Twilio: "To" phone number is being stripped of any "+" sign (#2296)
• Fixed radiusd load-balancer failing to start in cluster with eduroam (#2303)
• Fix authentication sources ordering issue for portal modules when using the administration interface (#2323)
• Fix innobackup tmp directory when used with Galera cluster
• Fix width of auth sources conditions fields (#2312)
• Fixed admin login when only allowed to see auditing section
• Fixed locationlog entries for VOIP devices when no voice VLAN is defined (#2314)
• Fixed authentication sources cache in connection profile (#2309)
• Fixed loose matching of host in haproxy dispatcher (#2299)
• Fixed lost MySQL handle errors in pfconfig
• Handle sources activation host in haproxy dispatcher (#2266)
• Fixed incorrect handling of unregistration year
• Fixed incorrect LDAP error when user not found
• Fixed file cloning in connection profile
• Fixed display of roles in admin GUI
• Fixed unregistration date handling when it is over 2038 (#2269)
• Fixed logging errors for undefined values
• Fixed queues blocking when forking
• Fixed pagination in GUI node search
• Fixed OS type display in status page
• Fixed URL for connection profile preview

v7.0.0

New Features

• Added provisioning support for SentinelOne (PR#1294)
• Added MariaDB Galera cluster support (PR#2002/PR#2023/PR#2039/PR#2040/PR#2041/PR#2043/PR#2044/PR#2070/PR#2076/PR#2079/PR#2080/PR#2082/PR#2090)
• All services are now handled by systemd (PR#2010)
• IPv6 network stack in PacketFence (PR#2024)
• New Golang-based HTTP dispatcher (#1301/PR#2029/PR#2067)
• New Golang-based pfsso service to handle the firewall SSO requests (#1144/PR#2037/PR#2062)
• Revamped the Web administration interface (PR#2108)

Enhancements

• SNMP traps are now handled in pfqueue (PR#1656)
• Added the ability to grant CLI write access for Extreme Networks switches (PR#1699)
• Added a distributed cache for the accounting information to safely disable the SQL accounting records in active/active clusters (PR#1715)
• Reduced the number of ipset calls when adding ports for Active Directory (PR#1886)
• pfmon tasks have their own configuration file (PR#1918)
• new command "pfcmd pfmon" - for running pfmon tasks via pfcmd (PR#1918)
• CentOS repositories (packetfence and packetfence-devel) packages are now signed (PR#1946)
• Added way to unregister devices that were inactive for a certain amount of time (maintenance.node_unreg_window) (PR#1948)
• Added a new last_seen column to nodes table to track their last activity (Authentication, HTTP portal, DHCP) (PR#1948)
• Delete nodes based on the new last_seen column instead of looking at the last DHCP packet (PR#1948)
• iplog: Floored lease time for "tolerance" (#1965/PR#1968)
• Can now restart the switchport where a node is connected from the administration interface (PR#2006)
• Added interface description to location entries (PR#2007)
• New pffilter filtering engine (PR#2032)
• Ability to manage multiple "active" endpoints behind a single switchport (PR#2034)
• pfdhcplistner now runs as a master-worker style service (PR#2036)
• Added a winbindd wrapper for the PacketFence managed winbindd processes (#2065/PR#2038/PR#2069)
• Added a caddy middleware for rate limiting the concurrent connections (PR#2055)
• Updated the Ruckus SmartZone module to use the most recent webauth technique available (PR#2059/PR#2088)
• Added vsys support for PaloAlto firewall SSO modules (PR#2061)
• Portal Profile has been renamed to Connection Profile (PR#2066)
• Moved common flows / process of DHCP processors in base class (PR#2086)
• Removed PacketFence-Authorization-Status attribute from the RADIUS replies to prevent RADIUS replies from being discarded due to an unknown attribute (#2085/PR#2087)
• Added option to fetch users one by one in the NTLM cache instead of all together (PR#2093)
• New parallel testing infrastructure (PR#2094)
• Roles are now stored in a configuration file for easier backup and management (PR#2097)
• Tightened up HAproxy's SSL termination security (#893/#410/#411/#412)
• Tightened up Apache's encryption security by requiring TLS v1.2 support only and restricted cipher suites (#893/#410/#411/#412)
• Clickjacking attack prevention enforcement for recent browsers (PR#2111)
• Cross-site scripting (XSS) filtering is now requested from your browser (PR#2114)
• Dell N2000 series support (#675/PR#2115)
• All logging is now done through syslog (PR#2124)
• IP forwarding is now activated by default per PacketFence package installation (#2145/PR#2146/PR#2148/PR#2149)
• Added more fine grain stats for the captive portal (#1962/PR#2173)
• Many documentation improvements (PR#2136/PR#2214)

Bug Fixes

• Fixed addition of an UDP SRV record port as a TCP port (PR#1886)
• Restored pf::api compatibility to Sourcefire module (#2048/PR#2019)
• Avoid opening a double entry with wrong accounting values (PR#2113)
• Added the ability to "format" the CN when using PKI (#2116/PR#2119)
• pfdhcplistener doesn't work on a monitor interface (#1377)
• pfqueue stats: Outstanding Task Counters isn't accurate (#1726)
• pfdhcplistener: Segfaulting when keepalived transitions quickly from backup/master/backup (#1737)
• pfdhcplistener takes a minute to die (#1791)
• captive-portal: i18n labels for dynamic fields (#1911)

v6.5.1

Maintenance release for 6.5 branch

Bug Fixes

• Fix incorrect node cleanup job handling.
• Fix multiple firewall SSO not working when cached updates were enabled.
• Removed usage of pf_memoize which could create a race condition when adding a node.
• Fix incorrect locationlog informations because of a null role.
• Fixed syntax error in generated Suricata rules
• Fixed the Portal preview through the admin
• Fixed issue extracting the SSID from the switch HP::Controller_MSM710

v6.5.0

New Features

• Twilio support as authentication source (PR#1951)
• New Redis driven cache for NTLM (Active Directory) 802.1X authentications (PR#1885)
• New Firewall SSO for WatchGuard (PR#1851)
• Syslog based SSO support for Palo Alto firewalls (PR#1859)
• Ubiquiti EdgeSwitch support (PR#1816)
• New syslog receiver to update the iplog from Infoblox and ISC DHCP syslog lines (PR#1868)
• Can now specify specific ports for passthroughs (#1078/PR#1926)

Enhancements

• Added a RADIUS filter scope for VoIP devices (PR#1807)
• Ability to customize the OU in which the machine account will be created (#1927)
• Added new routes service to manage static routes (PR#1891)
• Added an authentication source that prompts for the password of a predefined user (PR#1810)
• Added Aruba webauth documentation (PR#1949)
• Eduroam authentication sources can now match rule (PR#1940)
• Maintenance patching can now use git in order to ignore files that shouldn't be patched via the maintenance script (#807/PR#1931)
• Can now print multiple guest passes per page without the AUP in the administration interface (#1409/PR#1930)
• Allow to whitelist unregistered devices from violations (#1278/PR#1929)
• Changed password.valid_from default value to "0000-00-00 00:00:00" so its value is valid across the whole application (#1920/PR#1922)
• Added Percona xtrabackup restore procedure documentation (#1646/PR#1919)
• Added a way to track if files backups and database backup succeeded (PR#1904)
• pfmon will not register and start a process for disabled task (PR#1899)
• Added a way to define two different ports for disconnect and CoA (PR#1894)
• Configurator database step now takes care of 'mysql_secure_installation' (PR#1878)
• Improved clustering guide for MariaDB and systemd (PR#1875)
• Added a portal module action to skip other actions (PR#1869)
• Reduced p0f CPU usage (PR#1867)
• Updated collectd in order to have new graphs (PR#1863)
• Do not "match" a rule if "requested" action if not configured in it (#1858/PR#1861)
• Improved monit checks accuracy (PR#1849)
• Rate limited the DHCP listener processes to prevent specific devices from performing a denial of service on the DHCP listening processes (#1722/PR#1845)
• Improved performance of radacct database table cleanup (PR#1839)
• Email templates can now be specified on a per-portal basis (#1322/PR#1823)
• Added CLI login support for HP Procurve switches (#1710)
• Added support for Ruckus SmartZone using web auth enforcement
• Revamped default colours of the captive portal to a more neutral/grayish theme

Bug Fixes

• Fixed iplog rotation retention configuration not always using the right param (#1896)
• Reworked and "simplified" the logic of filtering authentication source for a realm (PR#1943)
• Ability to customize the OU in which the machine account will be created (#1927/PR#1928)
• Now limiting dates to 2038-01-18 in admin interface (#1126/PR#1923)
• Remove unused configfile database table (PR#1902)
• Enable haproxy on portal interface (PR#1893)
• Prevent logging failure from making a process die (#1734/PR#1862)
• pfmon should run on every server in active-active (#1852/PR#1853)
• Removed the use of pf::cache::cached (#695/PR#1820)
• Removed error when we receive a RADIUS request to test the RADIUS status (PR#1803)
• Refactored pf::node::node_register to add return code and status code/message (#1797/PR#1798)
• Removed unused traplog database table (#367/PR#1785)
• RADIUS disconnect doesn't work on the Ruckus switch module (#1971/PR#1988)

PacketFence v6.4.0

New Features

• Added Mojo Networks WiFi equipment support (PR #1765)
• Made Web admin reports more interactive (PR #1731)
• Added new Eduroam authentication source type (PR #1642)
• Allow to create different portal templates based on the browser locale (PR #1638)

Enhancements

• Improved IP log performance (PR #1832 / PR #1828 / PR #1790)
• Added fault tolerance on RADIUS monitoring scripts (PR #1831)
• Improved the database and maintenance backup script (PR #1830)
• Added password caching support for Novell eDirectory (PR #1829)
• Improved caching of LDAP person data (PR #1826)
• Improved clustering documentation (PR #1825)
• Added RADIUS command line interface support on port 1812 (PR #1817)
• Removed useless htaccess file search for each HTTP request (PR #1806)
• Turned off HTTP KeepAlive to avoid connections holding onto Apache processes (PR #1801)
• Added Cisco MSE documentation (PR #1799)
• Ability to query 'iplog_archive' table for detailed IP/MAC history (PR #1793)
• Now also display the status for sub services from the Web interface (#1040 /PR #1792)
• Requests made with username 'dummy' will not be recorded in the RADIUS audit log anymore (PR #1789)
• More lightweight p0f processing (PR #1788)
• Remove useless logging in pfdns.log (PR #1782)
• Added an activation timeout on sponsor source (PR #1777)
• Improved captive portal logging (PR #1769)
• Allow the OAuth landing page template to be customizable (PR #1767)
• Use RESTful call for RADIUS accounting instead of Perl (#1760)
• Optimized getting node information from the database (PR #1753)
• New action generateconfig for pfcmd service command (PR #1744)
• Added memory limitation for httpd.portal processes (PR #1738)
• Added predefined search in RADUIS audit log and DHCP Option 82 log (PR #1716)
• Improved display of fingerprinting informations in the nodes search (PR #1709)
• Allow captiveportal::Form::Authentication to be customize (PR #1666)
• Default config overlay for switches.conf, profiles.conf, pfqueue.conf and violations.conf (PR #1647)
• Optimized queries for finding open violations (PR #1718)

Bug Fixes

• Fixed floating devices in active/active clusters (PR #1800)
• Fixed and improved syntax of pfcmd ipmachistory (#1794)
• Fixed wrong bandwidth calculation on RADIUS accounting (#1733)
• Fixed empty Calling-Station-Id in RADIUS accounting (PR #1756)
• Make sure connection caches are cleared after forking (#1748 / #1749 / PR #1751)
• Added a workaround for DHCP clients that do not respect short lease times (#1673)
• Added namespace parameter in WMI rule (PR #1633)
• Fixed non-working switch ranges with external portal (#1574 / PR #1613)
• Joining a domain will sometimes return a 500 even though it succeeded (#1821/#1818)
• Cisco WLC ignores our CoA requests but accepts our Disconnect Requests (#1819)
• pfdetect: pipe is closing when no content (#1814)
• Condition is a Phone in RADIUS audit log is not working properly (#1813)
• Condition AutoRegistration in RADIUS audit log is not working properly (#1812)
• Configurator: Status on the services doesn't work (#1811)
• Invalid SQL for iplog_cleanup_sql (#1802)
• Added request cache support (#1775)
• Added stack trace logging (#1774)
• Removed redundant SQL indexes (#1773)
• Removed unused code in pf::locationlog (#1772)
• Fixed missing fields in RADIUS audit log (#1395)
• Fixed RADIUS audit log hours selection (#1364)

PacketFence v6.3.0

New Features

• Added EAP-FAST support
• MySQL is now supported as the Fingerbank database backend
• Integration with Cisco MSE adds maps, location based portals and notifications
• Added the ability to locate a device based on DHCP Option 82
• Added support for Meraki wired switches
• New SQL reporting allows creation of personalized reports

Enhancements

• Added support for Brocade CLI RADIUS authentication
• Added support for OpenWrt Chaos Calmer 15.05 with hostapd
• Added configuration conflict handling for active/active clusters
• Fingerbank configuration is now cached
• Removed the pf/var directory from the backups to make them smaller
• Fingerbank is now configurable from the initial PacketFence configurator
• Added support for Xirrus switches CLI RADIUS authentication
• Pinterest and Instagram are now supported as OAuth authentication sources
• Support for Suricata md5 extraction over SMTP protocol
• Added sample monit helper scripts under pf/addons
• Added support for custom AUP template per portal module
• Several improvements to Fingerbank to make it more user-friendly
• Added option to export nodes and users within the web administration interface
• Third parties can now extend what can be matched in profile filters
• PacketFence created interfaces will now be excluded from Red Hat's NetworkManager
• Added the ability to restrict the modification of node roles by a user

Bug Fixes

• Added timeout to captive portal to prevent long running requests ([#1570](https://github.com/inverse-inc/packetfen
  ce/issues/1570))
• Do not start pfqueue processes for pfdetect if it's not running ([#1593](https://github.com/inverse-inc/packetfenc
  e/issues/1593))

PacketFence v6.2.1

Enhancements

• Forbid trace mode in Apache default configuration
• Improved validation of portal modules configuration

Bug Fixes

• Fixed Debian 7 failing to start httpd.admin
• Fixed missing Metadefender configuration section
• Fixed missing parameter for fetchVlanForNode in pfsetvlan
• Fixed incorrect NAS-Port use for RADIUS CoA on Cisco WLCs
• Fix incorrect domain handling in Active/Active

PacketFence v6.2.0

Bug Fixes

• Added missing index to radacct table (fixes #1586)
• Fixed searching nodes for "all" devices (fixes #1584)
• Fixed invalid destination URL parsing
• Fixed handling of provisioner return code in violations
• Fixed binding of IP addresses in Active/Active mode
• Fixed cluster status page issues with pid files
• Fixed missing person lookup when using 802.1x autoregistration
• Fixed permission issue on logrotation
• Fixed invalid i18n of MAC address in node location view (fixes #1591)
• Fixed L2 cache write error of new switches namespaces

PacketFence v6.1.1

Bug Fixes

• Fixed missing schema version insert in database upgrade script
• Fixed too short CA cert validity in raddb/certs/passwords.mk