PacketFence v10.3 released
April 14, 2021

The Inverse team is pleased to announce the immediate availability of PacketFence v10.3 - a major release bringing tons of improvements! This release is considered ready for production use and upgrading from previous versions is strongly advised.

Roles Inheritance and Dynamic ACLs

PacketFence v10.3 features roles inheritance. This is particularly useful for dynamic ACLs that can be combined based on the user or device’s hierarchy - allowing greater micro-segmentation. This is one of the foundation elements for the upcoming v11 release.

GUI Performance

The administrative GUI of PacketFence has received massive improvements for the 10.3 release. Most components were rewritten to use Vue.js’ Composition API, making them more reusable and a lot more scalable. This results in tenfold performance improvements in the GUI for a greater user experience.

Automated Integration Tests

More automated tests were added in PacketFence v10.3 through Venom. More specifically, a WiFi test covering MAC authentication and WPA2 Enterprise EAP-PEAP as well as a test covering our PKI infrastructure were added. These extend the automated test coverage in PacketFence further to ensure greater quality and stability for each new release.

SCEP Support in PKI

Included in v11, PacketFence’s PKI now fully supports the Simple Certificate Enrollment Protocol (SCEP). This new feature greatly enhances interoperability with MDM and other security solutions handling certificate deployment on endpoints.

… and more!

PacketFence v10.3 now also supports Netflow/sFlow on the management interface. Stripe integration was upgraded to API v3, SecurityOnion integration was updated for v2.3, Aruba/HP web-based authentication on switches was added as well as Meraki DPSK support, MariaDB was upgraded to v10.2, and much more!


Here’s the complete list of changes included in this release:

New Features

  • Static routes management via admin GUI
  • Aruba CX support
  • Aruba 2930M Web Authentication and Dynamic ACL support (#6158)
  • Meraki DPSK support
  • Support for Ruckus SmartZone MAC authentication in non-proxy modes (#6201)
  • Bluesocket support (#5878)
  • Support for SCEP in pfpki (#6213)

Enhancements

  • Improved the failover mechanisms when an Active Directory or LDAP server is detected as dead
  • Expiration of the local accounts created on the portal can now be set on the source level
  • pfacct and radiusd-acct can now both be enabled together (radiusd-acct proxies to pfacct)
  • Added CoA support to Aerohive module
  • Added role based enforcement (Filter-Id) support to Extreme module
  • Use Called-Station-SSID attribute as the SSID when possible
  • Added CLI login support to Huawei switch template
  • Added detectionBypass in DNS resolver (#6028)
  • Improve support of Android Agent for EAP-TLS and EAP-PEAP
  • Improve CLI login support on HP and Aruba switches
  • Use the “Authorization” header when performing API calls to Github in the OAuth context
  • Replace xsltproc/fop by asciidoctor-pdf (#5968)
  • FortiGate Role Based Enforcement (#5645)
  • Add support for roles (RBAC) for Ruckus WLAN controllers (#2530)
  • Upgrade to Go version 1.15 (#6044)
  • Build ready-to-use Vagrant images for integration tests and send them to Vagrant cloud (#6099)
  • Documentation to configure Security Onion 2.3.10
  • Added integration tests for 802.1X wireless and wireless MAC authentication (#6114)
  • Restrict create, update, and delete operations to the default and global tenant users (#6075)
  • Remove pftest MySQL tuner (#6130)
  • Allow Netflow address to be configured (#6139)
  • Deprecated fencing whitelist
  • Description field for L2 and routed networks (#5829)
  • Updated Stripe integration to use Stripe Elements (API v3) (#6121)
  • Added Cisco WLC 9800 configuration documentation
  • Inheritance on parent role on Role and Web Auth
  • Enhance CLI login on SG300 switches
  • Enable/disable the natting traffic for inline networks
  • Remove unused table userlog (#6170)
  • Clarifications on Ruckus Role-by-Role capabilities (#6201)
  • DNS/IP attributes in pfpki certificates (#6213)
  • Additional template attributes in certificate profile (#6213)
  • Remove unused table inline_accounting (#6171)
  • Make pfdhcplistener tenant aware (#6204)
  • Upgrade to MariaDB 10.2.37 (#6149)

Bug Fixes

  • Switches defined by MAC address are not processed by pfacct in cluster mode (#5969)
  • Restart switchport return TRUE if MAC address is not found in locationlog for bouncePortCoA (#6013)
  • Switch template: CLI authorize attributes ignored (#6009)
  • ubiquiti_ap_mac_to_ip task doesn’t update expires_at column in chi_cache table (#6004)
  • A switch can’t override switch group values using default switch group values (#5998)
  • web admin: timer_expire and ocsp_timeout are not displayed correctly (#5961)
  • web admin: Realm can’t be selected as a filter on a connection profile (#5959)
  • API: remove a source doesn’t remove rules from authentication.conf (#5958)
  • web admin: high-availability setting is not displayed correctly when editing an interface (#5963)
  • SSIDs are not hidden by default when creating a provisioner (#5952)
  • with_aup is correctly displayed on GUI (#5954)
  • web admin: sender is wrong when you use Preview feature (#6023)
  • sponsor guest registration: unexpected strings in email subject (#3669)
  • Use the proper attribute name for Mikrotik in returnRadiusAccessAccept (#6051)
  • Audit log: profile has an empty value when doing Ethernet/Wireless-NoEAP (#5977)
  • pfacct stores 00:00:00:00:00:00 MAC in DB when Calling-Station-ID is XXXX-XXXX-XXXX (#6109)
  • Update the location log when the Called-Station-Id changes (#6045)
  • Only enable NetFlow in iptables if NetFlow is enabled (#6080)
  • Firewall SSO: take username from accounting data if available in place of database (#6148)

See the complete list of changes and the upgrade guide for notes about upgrading.
