                         PacketFence

http://www.packetfence.org/

Notes on upgrading from an older release
----------------------------------------

o Upgrading from a version prior to 2.2.0:

    - Database schema update
    Related to the easier User-Agent violation system, some tables were 
    dropped and others added. You need to update your schema with:
    mysql -u root -p pf -v < db/upgrade-2.0.0-2.2.0.sql

    - Configuration files location changed from conf/templates/ to conf/
    Please make sure that you move your configuration files appropriately.

    - SSL configuration changes
    SSL Certificate statements are now stored in conf/ssl-certificates.conf.
    Make sure that you configure this file with your certificates correctly.
    This file will not be modified by our package. One less thing to worry 
    about on ugprades.

    - logrotate script installed by default
    Be careful if you done yours by hand. It might conflict with your script.

    - New Captive Portal Network Access Detection technique
    The previous approach to redirect users to the Internet when access was
    enabled never reliably worked so we are introducing a new javascript-based
    technique to do so. This approach involves a couple of clever tricks and 
    some browser-specific adjustments. Please review the differences between 
    your current html/user/content/templates/release.html file and the new 
    html/user/content/templates/release.html.rpmnew file. Also the behavior is
    adjusted by pf.conf's redirtimer, redirecturl and always_use_redirecturl 
    parameters under [trapping] and network_detection_ip under [captive_portal].
    More about this feature can be found in the Administration guide.

    - Apache's automatic performance settings adjustments
    Apache's configuration is now adjusted based on total system memory to
    prevent swapping scenarios with PacketFence. We feel the dynamic 
    configuration should do a good job but feel free to maintain your Apache 
    configuration by hand if you know better.

    - packetfence-freeradius2
    A new package that configures FreeRADIUS is available now. If you upgrade
    DO NOT install it unless you really know what you are doing.

    - clean-up in conf/violations.conf
    We added better examples and reduced the length of some violation names to
    improve user experience especially in the Web Admin. Update your 
    configuration if you want to benefit from those changes.

    - deprecated pf.conf parameters
    registration.queuesize was removed.

    - User-Agent violations rewrite
    If you are using USERAGENT::<id> triggers in your violation configuration,
    you need to updated them. We completely changed the back-end and the IDs
    are now all different. Check in the Web Admin under configuration -> 
    user-agent for the new IDs and the new possibilities.

    - Important problems found in the port-security for the 3Com Switch 4200G
    There is a bug in these switches that make the port-security support in 
    PacketFence flaky. If you use it you should upgrade to a MAC Auth / 802.1X
    configuration.

    - Status unknown of the port-security support for the 3Com SuperStack 4500
    We had problems with this code with the 4200G and since we don't have 
    access to a SS4500 we cannot guarantee that it works. Please get in touch
    with us if you have a SS4500 and can run some tests for us.

    - Behavior change regarding wired MAC-Authentication
    No matter what is connected on the port (ie: VoIP), when a client using 
    MAC-Authentication need to change VLAN, we shut / no shut the port. This
    might affect ongoing Voice over IP calls but is better than the previous 
    behavior were the node was simply left where it was. This is an interim 
    measure before we implement RADIUS Change of Authorzation support (CoA).

    - node lookup changed
    By default we do not update the node lookup module in order to allow local
    customization. However if you want to benefit from the improved node lookup
    script, make sure that you overwrite your existing lib/pf/lookup/node.pm 
    module with the new file (.rpmnew). Be aware that the output of `pfcmd 
    lookup node <mac>` changed so make sure you update your parsing scripts (if
    any). This also affects the Node lookup section of the Web Admin interface.

o Upgrading from a version prior to 2.1.0:

    - You MUST upgrade conf/templates/httpd.conf and 
    conf/templates/named_vlan.conf
    The location of the PID files changed. The templates must reflect this new
    location: var/run/ instead of var/
    Also in conf/templates/named_vlan.conf the configuration directory is 
    var/named instead of var/.
    See the .rpmnew files for the proper configuration.

    - Module versioning for pf::vlan::custom and pf::radius::custom
    We are now relying on module versioning to catch interface changes before
    they hurt the users. PacketFence will generate errors on startup if you 
    have not upgraded your modules' interface and version. The interfaces have
    not changed so all you need to do on upgrade is to add:
        our $VERSION = 1.00;
    to both lib/pf/radius/custom.pm and lib/vlan/custom.pm.

    - Default port bounce duration changed
    To support a variety of Linux desktop operating systems we needed to 
    increase the duration of our port bounce from 2 seconds to 5 seconds. On a
    very busy setup this could have consequences. Either increase the number of
    concurrent threads working (nbtraphandlerthreads under [vlan]) or restore
    the port bounce duration to 5 seconds (bounce_duration under [vlan]).

    - Several Nortel/Avaya module changes
    5520 renamed to 5500, 5520Stacked is no longer necessary, firmware 6.x 
    support for the 5500 series requires you to use module name BayStack5500_6x.
    Just make sure to review your conf/switches.conf so that the config refers
    to proper modules.

    - Removed conf/templates/*.pl captive portal extensions
    This mechanism was removed since the new pf::web::custom mechanism is
    cleaner and less error-prone. Make sure to migrate any custom code you have
    in release.pl, login.pl, enabler.pl, redirect.pl, scan-in-progress.pl, 
    error.pl, status.pl and register.pl to lib/pf/web/custom.pm.

    - pid files changed location
    Previously in var/ they are now in var/run/   

    - New configuration directory for generated configuration: var/conf/
    Changed the location of the generated configuration file from conf/
    to var/conf/.  This will mitigate the fact that people were trying to
    modify the generated files instead of the templates.

    - 'pending' node status now relies on javascript to detect network access
    The HTML meta refresh approach never reliably worked so there's a new 
    javascript technique. If you rely on node status 'pending' in your 
    workflow, please check pf.conf's new captive_portal.network_detection_ip 
    variable and re-test your portal to make sure it still works.

    - Output of node lookup changed (again!)
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

    - pf::SNMP (lib/pf/SNMP.pm) API level bump
    We changed the contract of setAdminStatus() so we bumped the version of 
    pf::SNMP to 2.00. If you use setAdminStatus() in custom code make sure you
    update your calls.

o Upgrading from a version prior to 2.0.1:

    - lib/pf/vlan.pm's fetchVlanForNode interface changed
    If you built a customized version of this method in lib/pf/vlan/custom.pm
    you will need to update it.

    - Meru Controller 3000 now named Meru Controller
    Since our code should work for all Meru Controllers, we renamed the module.
    Meru::MC3000 is now Meru::MC. If you upgrade make sure you update your 
    conf/switches.conf or Configuration -> Switches (in the web admin).

    - Output of node lookup changed
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

o Upgrading from a version prior to 2.0.0:

    - Database schema update
    Several new fields were added. You need to update your schema with:
    mysql -u root -p pf -v < db/upgrade-1.9.0-2.0.0.sql

    - FreeRADIUS module rewritten and renamed
    The FreeRADIUS has been completely re-written from the previous release 
    series. Now, except for the authentication against the PacketFence server
    all the control is centralized in the PacketFence configuration. No more 
    customization required in the FreeRADIUS module! We strongly recommend
    that you carefully migrate to this module and forget about the old one.
    We also changed the name from rlm_perl_packetfence.pl to packetfence.pm so
    update your FreeRADIUS configuration accordingly.

    - /cgi-bin/pdp.cgi moved
    Remote snort probes or other mechanisms relying on the presence of this 
    file should be updated to be /webapi instead. Upgrading each probe's
    packetfence-remote-snort-sensor will take care of this for remote snort 
    probes. All other custom means should be manually upgraded.

    - SOAP handler changed
    The URI of the SOAP handler changed from 
    http://www.packetfence.org/PFEvents to http://www.packetfence.org/PFAPI. To
    better reflect the fact that it is not just an event handling server. You 
    will need to upgrade your remote snort probes with the new PacketFence 
    remote snort sensor RPM or manually change the URI.

    - Output of node lookup changed
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

    - pfcmd_vlan output change
    Output of `pfcmd_vlan` changed dramatically. If you used scripts to 
    automate tasks with pfcmd_vlan and expected particular output, your scripts
    should be updated.

    - pfcmd input and output change
    If you used script to automate tasks relying on the `pfcmd` interface, you
    need to update them. Output of `pfcmd node`, `pfcmd locationhistorymac`, 
    `pfcmd locationhistoryswitch`, `pfcmd violation view all`, `pfcmd 
    switchconfig` and `pfcmd fingerprint view all` also changed.

    - DHCP and DNS server configuration changes
    With previous versions it was recommended to configure DHCP and DNS servers
    manually and instructions were provided to do so on the Administration 
    Guide. Starting with this version it is recommended to use the configuration
    templates and let PacketFence auto-configure the DHCP and DNS servers. 
    Migrating to this new approach is not mandatory but is recommended. To do so
    please follow the "DHCP and DNS Server Configuration (networks.conf)" 
    section of the Administration Guide.

    - lib/pf/vlan.pm interface changed
    If you built a customized version of vlan.pm in lib/pf/vlan/custom.pm be 
    aware that there were a lot of changes. We strongly recommend you rewrite 
    your custom.pm on top of these new changes instead keeping your old.

    - Captive Portal changes
    By default pf::web is no longer exporting it's subroutines. This means that
    all the captive portal scripts in cgi-bin/ will need to be updated to use 
    the full name pf::web::web_node_register() instead of web_node_register().
    If your cgi-bin files are the default ones you don't need to change
    anything. These breaking changes are introduced to allow pf::web::custom to
    redefine any subroutine in pf::web and will allow easier upgrade path for 
    users who need to customize the portal.

    - Violation priority enforcement
    Violation priorities are now properly enforced: 1 means highest priority
    and 10 means lowest priority. Even if documentation said so, before this 
    release, the code enforced it the other way around. This affects what 
    violation is shown on multiple violations (it will favor highest) and has
    most impact when Nessus scanning is used. Since this is a default behavior
    change, you should double check your config!

    - External remediation pages 
    Violations with fully qualified URLs are now handled with new code that 
    uses mod_proxy and mod_rewrite instead of mod_proxy_html. This was done
    because the current implementation is broken out of the box on a CentOS 
    system without manually compiling and installing the mod_proxy_html 
    package. If you used it then reverify all your remediation pages with
    fully qualified URLs as they might be broken now.

    - SMC TS8800M module changes
    A lot of changes were made to this SMC module such that problems occuring
    with the previous module should be resolved now. These fixes also required
    an updated firmware from SMC. Make sure your switch runs at opcode 2.4.5.13
    for the SMC TigerStack 8824M or 8848M to work properly with PacketFence.

    - loadMACintoDB.pl removed
    Dropping loadMACintoDB.pl. Replaced by node import feature see `pfcmd node 
    import` or Node -> Import in the Web Administration interface.

    - connect_and_read.pl and dhcp_dumper moved
    They are now located in addons/.
 
    - deprecated subs
    lib/pf/SNMP.pm's setIsolationVlan, setRegistrationVlan and setNormalVlan 
    are now deprecated and will be removed in the future. Use 
    setVlanByName($ifIndex, $switch_locker_ref, $vlanName) instead. For 
    example: setVlanByName($ifIndex, \%switch_locker, 'guestVlan'); 

o Upgrading from a version prior to 1.9.1:

    - Captive portal using mod_perl
    The captive portal's default mode of operation relies on mod_perl now. 
    The benefit is a tremendous performance gain. If you experience problems 
    with authentication after you upgraded make sure that the cgi file has the
    proper 'use lib' statements to load the authentication modules in conf/. 
    Default configurations should not have any issues.

    - Extreme switches new firmware requirement
    Due to a change in Extreme's code, linkup/linkdown mode now requires at 
    least firmware 12.2. A compatibility layer to support pre-12.2 could be 
    written. Contact us if you are interested.

    - Web Administration interface access control
    Administrators can now give different access levels to users. By default
    all users will be given the admin level rights unless you modify the 
    conf/admin.perm file. See the Administration Guide FAQ for details.

    - pfcmd output change
    pfcmd node edit <mac> ... will no longer output changes made to the node 
    entry. This behavior was due to a side effect rather than a feature and it
    caused some problems so we got rid of it. pf::node::node_modify is also 
    affected.

    - switches.conf: htaccessUser and htaccessPwd deprecated
    Web Services related parameters were added in switches.conf. Because of the
    duplicate functionality we are deprecating the htaccessUser and htaccessPwd
    parameters. Only the Intel Express 460 module is affected. The parameters
    will still work but if you are reading this you should migrate them to the 
    new wsUser, wsPwd and wsTransport parameters.

o Upgrading from a version prior to 1.9.0:

    - Passthrough
    Passthrough is now set to disabled by default. If you need it, make sure
    you re-enable it in your conf/pf.conf. As a reminder, passthrough is the
    mechanism used to allow users trapped in registration or isolation to reach
    certain external URLs or custom violation pages hosted externally. It is 
    not used in a default install.

    - Freeradius 2.x
    We now recommend using freeradius 2.x instead of 1.x for wireless, 802.1x
    or MAC authentication Bypass authentication mechanisms. Freeradius 1.x 
    still works but we are seeing more hang cases with AD 2008, Vista and Win 7.

    - Library update: steps required on manual upgrade
    PacketFence no longer relies on a specific version of the Parse-RecDescent
    library. If you upgraded manually, you should re-generate the precompiled
    grammar by running installer.pl. If you upgraded using the RPM package the
    grammar already comes precompiled.

    - Changes to some OS violations
    Some DHCP fingerprint have been re-labeled to avoid problems with VoIP 
    autodetection. OS::311 is now OS:1102 and OS::315 is now OS::1103. These
    devices (iPhone and HTC Android) are now categorized under Smartphone 
    instead of VoIP phones. Update your configuration accordingly.

    - pfdhcplistener logging in logs/packetfence.log
    We reduced the number of INFO messages that pfdhcplistener was producing
    because it was too verbose. Now only INFORM / OFFER / ACK messages are 
    logged and the fingerprint and node modification messages were 
    consolidated. If you are troubleshooting and need the other messages, make
    sure you increase log verbosity to DEBUG.

    - pfcmd output change
    pfcmd will print "Command not understood. (pfcmd grammar test failed at 
    line 200.)" to STDERR on unrecognized input before showing the usage 
    message. You might have to change your scripts to handle that.

    - Cisco Controller 4400 now named WLC_4400
    To be more consistent, we renamed Cisco::Controller_4400_4_2_130 to 
    Cisco::WLC_4400. If you upgrade make sure you update your conf/switches.conf
    or Configuration -> Switches (in web admin)

    - Output of node lookup changed
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your 
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

    - New run-time perl dependencies Try::Tiny and Readonly::XS (optional but
    will improve performance)

    - New parameter in conf/violations.conf: whitelisted_categories
    Node in a whitelisted category will not be isolated on a given violation.

    - Database change
    A new table and a few fields were added for the new node categorization 
    feature. To upgrade your schema, run:
    mysql -u root -p pf -v < db/upgrade-1.8.6-1.9.0.sql

    - pfsetvlan and conf/switches.conf validation
    If there is a problem in the conf/switches.conf file PacketFence will say 
    so at startup but will still try to run. Before this release, pfsetvlan 
    wouldn't start with a bad config file.

    - Foundry module change
    In order to support port-security some aspects of the Foundry module had
    to change. We are not 100% that the module will still work since we don't
    have the original switch on which linkUp/linkDown support was developped.
    If you experience a regression, please file an issue into our bugtracker.

    - lib/pf/vlan.pm interface changed
    If you built a customized version of vlan.pm in lib/pf/vlan/custom.pm be 
    aware that the parameters expected by vlan_determine_for_node() and 
    custom_getCorrectVlan() changed. Instead of the switch's IP, a switch 
    object (pf::SNMP) is expected. Also, the whole node_info is passed to 
    custom_getCorrectVlan() instead of scalars of node_info's content.

    - Backup script archives locationlog_history records older than a year
    Archives are an SQL dump of the records placed in /root/backup/ by default 
    and never deleted. It will run the first day of each month.

    - Backup script less aggressive about history
    We are now keeping 1 month of locationlog instead of 15 days with the 
    optional database backup script in addons/. Makes more sense for most users.

o Upgrading from a version prior to 1.8.7:

    - No action on wireless deauthentication traps
    PacketFence no longer close locationlog entries based on wireless 
    deauthencation traps. It was causing more problems than anything. See bug
    #880 for details: http://www.packetfence.org/mantis/view.php?id=880

    - Registration login no longer kept in browser session
    We fixed a bug that changes the behavior of the registration login. Before
    if you registered and deregistered while keeping your browser open, you
    would not be presented with the login page if you tried to register again. 
    You would have been automatically authenticated. This is no longer the case.
    You will need to re-authenticate now. You might have relied on that 
    behavior.

o Upgrading from a version prior to 1.8.6:

    - Table format changed
    Migrated tables `configfiles` and `traplog` from type MyISAM to InnoDB. You
    are not required to change the format but if you want, run (at night):  
    mysql> alter table configfile ENGINE = InnoDB;
    mysql> alter table traplog ENGINE = InnoDB;

    - Backup script less aggressive about history
    We are now keeping 15 days of locationlog instead of 2 with the optional 
    database backup script in addons/. Makes more sense for most users.

    - Database schema update
    A new table `locationlog_history` has been added to the database schema. It
    should be useful for people with big locationlog tables. Upgrading your 
    schema is not required but recommended. You can update your schema with:
    mysql -u root -p pf < db/upgrade-1.8.4-1.8.6.sql
    The script migrate-to-locationlog_history.sh in addons/ can help you 
    transition your old records to this new table.

    - Updated conf/ui.conf
    To fix a bug we had to change ui.conf. By default an rpm upgrade will 
    replace ui.conf and save a backup of the previous file to ui.conf.rpmsave.
    If you modified your ui.conf, do not forget to merge your old version with
    this new one.
    
    - New Snort default configuration
    Default configuration for snort changed. Old config can still be found at 
    conf/templates/snort.conf.pre_snort-2.8.

    - Output of pfcmd switchconfig changed
    The output of `pfcmd switchconfig get <ip|all>` changed. Make sure you 
    update your scripts that relies on that output (if any). This also affects 
    the Configuration->Switches section of the Web Admin interface.

    - Fixed an issue with CLI transport for switches/APs: for SSH make sure you
    have 'SSH' and not 'ssh'. Look into the 'Configuration->Switches' or edit
    /usr/local/pf/conf/switches.conf

    - 802.1x module expects 'guest' instead of 'visitor' in node.pid
    We changed the naming of the guest concept from visitor to guest. If you
    allow guests on your network, doublecheck your rlm_perl_packetfence.pl 
    module and align it on your naming (update all to guest or change back to 
    visitor).

o Upgrading from a version prior to 1.8.5:

    - 802.1X freeradius module updated 
    pfcmd_ap.pl's code has been integrated in rlm_perl_packetfence.pl. If you 
    need the performance benefit from this transition, you have two options:
      1) Replace completely your rlm_perl_packetfence.pl with the new one
      2) Migrate your pfcmd_ap.pl manually
         To do so, copy all of pfcmd_ap.pl's code into a sub in 
         rlm_perl_packetfence.pl. Change all the print calls into return calls.
         Remove all exit and make sure you free resources before returning.
    If you don't need the performance improvement, leave things as they are. 
    We will be deprecating the MySQL interface in favor of a better SOAP 
    interface soon.

    - whitelisting MAC addresses is now more consistent across violation types
    Certain types of violation triggers (OS, USERAGENT, VENDORMAC) were not
    honoring the whitelist parameter. The bug is fixed but you might have 
    relied on that behaviour.
    http://www.packetfence.org/mantis/view.php?id=801

    - logging priority now shown in log files
    To improve logging readability, we now include logging priority (ex: DEBUG,
    INFO, WARN, etc.). If you use scripts to parse PacketFence's logs you will
    need to update them.

    - Added new dependencies:
	- perl-LDAP (used to authenticate users trough LDAP during 
	  registration)
	- php-ldap (used to authenticate users connecting to the 
	  Web interface through LDAP)
	- perl-IPC-Cmd (used to generate static routes for registration and
	  isolation routed VLANs)
	- perl-SOAP-Lite (used when receiving alerts from Snort)

    - HUB violation removal
    HUB violations have been removed since they create a lot of false positives.
    http://www.packetfence.org/mantis/view.php?id=793

    - Dynamic uplink fixes
    In certain cases, PacketFence took action on switches where dynamic uplinks
    couldn't be found. The bug is fixed but you might have relied on that 
    behaviour.
    http://www.packetfence.org/mantis/view.php?id=795
    http://www.packetfence.org/mantis/view.php?id=809

    - Source of Correct/Normal VLAN changed
    Correct/Normal VLAN no longer comes from the database's node entry but from
    switches.conf. This is a modified behavior when returning the correct (aka 
    normal) VLAN (in custom_getCorrectVlan). This behavior is redefined by most
    users in lib/pf/vlan/custom.pm (or conf/pfsetvlan.pm in 1.7.x) so it should
    not have any impact for most of you. However, if you relied on the node 
    entry specifying which VLAN is the normal VLAN, this is no longer the case. 
    Now, the correct/normal VLAN is defined by the normalVlan variable in the 
    switch's entry or the default entry in switches.conf. This makes more sense
    for most new installs.


o Upgrading from a version prior to 1.8.4:

    There was no upgrade-specific documentation done prior to 1.8.5.

    - Database schema
    Always make sure that your database schema is up to date. See if upgrade 
    scripts are available in db/.

