PacketFence v10.2 released and Zero Trust Network Access
October 6, 2020

The Inverse team is pleased to announce the immediate availability of PacketFence v10.2 - a major release bringing tons of improvements! Moreover, the upcoming PacketFence v11 will feature full Zero Trust Network Access support - extending NAC concepts to remotely connected users with full micro-segmentation support. This release is considered ready for production use and upgrading from previous versions is strongly advised.

Improved Layer-3 Replication

Layer-3 replication over high-latency WAN connections has been dramatically improved in PacketFence v10.2 - by a factor of tenfold. This allows PacketFence to secure even larger widely distributed networks.

More Golang

Our endeavour in rewriting our services from Perl to Golang has reached another big milestone for PacketFence v10.2. One of PacketFence’s most crucial services, the maintenance and monitoring service, has been fully rewritten in Golang to increase performance and drastically reduce resource usage.

Automated Integration Tests

Our other big endeavour, achieving full integration test coverage, has reached another big milestone in PacketFence v10.2. The Configurator, the very first part of PacketFence exposed to new users, now has complete integration test coverage. This means that through Venom we can now fully test the Configurator, wired MAC authentication and 802.1X using EAP-PEAP, backup/restore and many more. Our WiFi, WMI and PKI/EAP-TLS tests will be completed for v11.

Upcoming v11 Release

PacketFence v11 will extend NAC concepts to remotely connected users with full micro-segmentation support. Using our new connectivity orchestrator, PacketFence will dynamically establish secured tunnels between endpoints - based on what they are allowed to do on the network. Traffic of remotely connected users will not go through PacketFence, but PacketFence will orchestrate the creation of a full mesh network between remote users, local or Cloud-based resources.

… and more!

PacketFence v10.2 now also supports EAP-TTLS for LDAP authentication sources, native Novell NetIQ eDirectory support, improved support for Extreme Networks switches running EXOS, improved multi-tenancy support, MAC address randomization support and many more admin interface improvements!


Here’s the complete list of changes included in this release:

New Features

  • EAP_TTLS PAP Support on a LDAP source
  • eDirectory source
  • Master/Slave radius proxy and degraded workflow
  • go based pfmon (#5613)
  • Integration tests: configurator scenario added (#5484)

Enhancements

  • Adjust the settings in the admin for the SAML and OAuth portal modules (#5479)
  • Select the role of the device when registering via the self-service portal.
  • Improved support for Extreme switches running EXOS
  • Added option to register device immediately after the sponsor activates the access during sponsor based registration (#5642)
  • Added support for EAP-PEAP MSCHAPv2 and EAP-TLS for CLI and VPN RADIUS authentication (#5784)
  • Template based bouncePort using CoA (#5735)
  • Set the default switch type to Packetfence::Standard (#5742)
  • Create a PacketFence::SNMP switch to force reevaluate access using SNMP (#5742)
  • Add support for CLI Access for Switch::Template (#5708)
  • Use Status Check in pfstats to test radius/eduroam sources
  • Switch templates can define how to map a NasPort to an IfIndex (#5779)
  • Syslog parsers are now tenant aware.
  • Add default MAC address randomization security event check
  • Allow to delete a node from web admin with a locationlog opened (#5492)
  • Allow roles to be deleted
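
The MAC address randomization check listed above is, in general, a test of the IEEE "locally administered" (U/L) bit in the first octet of the address: operating systems that randomize client MACs set that bit, while addresses burned in from a vendor OUI leave it clear. The following Go snippet is an added illustration of that heuristic written for this post; it is not PacketFence's own implementation, and the function names (`checkMAC`, `flagRandomized`) and the sample address list are assumptions constructed here. It also shows the two edge cases such a check has to handle: multicast/broadcast addresses (I/G bit set) are never endpoints and must not be flagged, and malformed input is reported rather than silently treated as a client.

```go
package main

import (
	"fmt"
	"net"
)

// Verdict is the outcome of the randomized-MAC check for one endpoint.
type Verdict struct {
	MAC                 string
	LocallyAdministered bool  // U/L bit set: candidate for the security event
	Multicast           bool  // I/G bit set: not a unicast endpoint, never flagged
	Err                 error // parse error, if any
}

// checkMAC applies the locally-administered heuristic (hypothetical helper,
// not PacketFence code): bit 1 of the first octet (0x02) is set on
// randomized or self-assigned addresses and clear on OUI-assigned ones.
// Bit 0 (0x01) marks multicast/broadcast, which is excluded because such an
// address can never belong to a client.
func checkMAC(mac string) Verdict {
	v := Verdict{MAC: mac}
	hw, err := net.ParseMAC(mac)
	if err != nil {
		v.Err = err
		return v
	}
	if len(hw) != 6 {
		v.Err = fmt.Errorf("%s: not an EUI-48 address", mac)
		return v
	}
	v.Multicast = hw[0]&0x01 != 0
	v.LocallyAdministered = !v.Multicast && hw[0]&0x02 != 0
	return v
}

// flagRandomized returns the normalized (lowercase, colon-separated)
// addresses that would trigger the security event, skipping multicast
// addresses and unparsable input.
func flagRandomized(macs []string) []string {
	var flagged []string
	for _, m := range macs {
		v := checkMAC(m)
		if v.Err == nil && v.LocallyAdministered {
			hw, _ := net.ParseMAC(m) // already known to parse
			flagged = append(flagged, hw.String())
		}
	}
	return flagged
}

func main() {
	// Constructed sample: one OUI-assigned address, two with the U/L bit
	// set (in different notations), the broadcast address and a bad entry.
	sample := []string{
		"00:11:22:33:44:55",
		"02:11:22:33:44:55",
		"DA-A1-19-00-00-01",
		"ff:ff:ff:ff:ff:ff",
		"not-a-mac",
	}
	for _, m := range flagRandomized(sample) {
		fmt.Println("randomized MAC candidate:", m)
	}
	for _, m := range sample {
		if v := checkMAC(m); v.Err != nil {
			fmt.Println("skipped:", v.Err)
		}
	}
}
```

The U/L bit is a heuristic, not proof: some virtualization platforms and manually configured interfaces also set it, which is why a NAC would treat a hit as a security event to review or to pair with a registration policy rather than as a hard block.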

Bug Fixes

  • Fixed CoA for Meraki web-authentication so that it doesn’t disconnect the user from the SSID
  • Honor the AUP setting of the SAML portal module (#5476)
  • Use the prebuilt freeradius perl dictionary.
  • Don’t override user defined values in the interface file for centos.
  • haproxy-db can cause pfcmd service restart to fail (#5745)
  • Pass in the mandatory fields to the email templates.
  • Dell N1500.pm: LLDP detection doesn’t work (#5758)
  • Ensure the gateway was only written once in /etc/sysconfig/network (#2845)
  • Remove the ip address of a server in the dhcp reply when the server has been disabled (#5677)
  • Allow setting multiple CA certificates.
  • Listen to all interfaces for radius accounting (#5821)
  • Searching by ‘Source Switch Identifier’ for a switch range doesn’t work (#5792)

See the complete list of changes and the UPGRADE.asciidoc file for notes about upgrading.