PacketFence v11.1 released

October 28, 2021

The Inverse team is pleased to announce the immediate availability of PacketFence v11.1 - a major release bringing many improvements!

Multi-Factor Authentication

PacketFence v11 now fully supports multi-factor authentication for its captive portal, CLI and VPN. Advanced integration with Akamai MFA is now included as well as generic support for any TOTP solutions.

Automation of Upgrades

Upgrading from v11 to v11.1 is fully automated for standalone installations. No more scripts to run nor database schema changes to apply - all is done for you, in a snap!

Unified Reports

PacketFence has unified the three reporting sections in to a single configuration and added bar-graphs, sankey-diagrams and scatter-charts in order to visualize different datasets or the same data in different dimensions. It includes a MySQL/MariaDB script mode that allows multi-statement SQL transactions, making it even easier to extend its reporting with custom configurations. Several new reports for accounting, authentication, nodes and roles are also now included.

Automated Integration Tests

More automated tests were added in PacketFence v11.1 through Venom. More specifically, an EAP-TLS test covering our PKI infrastructure was added together with a pfcron test covering all maintenance jobs PacketFence does. These extend the automated tests coverage in PacketFence further to ensure greater quality and stability for each new release and help us continue our effort to shorten the time between releases.

… and more!

PacketFence v11 provides additional important improvements such as MikroTik DHCP MAC authentication support, the automated generation of the supported equipment page for the PacketFence website, refactoring of authentication sources and much more.

Here’s the complete list of changes included in this release:

New Features

• Support for Akamai MFA in VPN/CLI RADIUS authentication and on the captive portal
• Support for TOTP MFA in VPN/CLI RADIUS authentication and on the captive portal
• Automation of upgrades for standalone installations (#6583)

Enhancements

• MikroTik DHCP MAC authentication support
• Allow to use the sAMAccountName from the searchattributes in MSCHAP machine authentication (#6586)
• Improve the Data Access Layer to work in MariaDB’s default sql_mode
• New command pfcmd mariadb [mariadb options]
• Deauth request can be made on the previous equipment the device was connected
• Allow the bulk import of config items to be async
• Remove unused/deprecated sources (AuthorizeNet, Instagram, Twitter, Pinterest, and Mirapay) (#6560)
• Automation of supported equipment page on PacketFence website (#6611)
• Use Venom 1.0.0 through Ansible to run integration tests (#6573)
• Import script will migrate the networks configuration if the new IP is in the same subnet (#6636)
• EAP-TLS integration tests using manual deployment and SCEP protocol (#6647)
• Added a monit check to ensure winbindd is still connected (11.1 - AD failover doesn’t work #6655)
• Improve ZEN builds (#6663)

Bug Fixes

• Match the realm more strictly when its not a regex in EAP-TTLS PAP
• Populate the LDAP config for enabled LDAP EAP-TTLS PAP realms
• Only call oauth2 in authorize for the realms that have an Azure AD EAP-TTLS PAP configuration
• Use source username in LDAP module for EAP-TTLS PAP instead of always using sAMAccoutName
• Support LDAP certificate client auth for LDAP EAP-TTLS PAP authentication
• Allow to use Google Workspace LDAP sources in EAP-TTLS PAP authentication
• Add script for removing WMI scan (#6569)
• Fix Let’s Encrypt renewal process restarting services even if they are disabled (#6606)
• Removes the deprecated NTLM background job fields and components (#6552)
• Ignore ‘Mark as sponsor’ administration rules when finding the access level of a VPN/CLI user (CLI authentication rules matching doesn’t filter on the rules action #6349)
• Reducing time balance only when registered

See the complete list of changes and the upgrade guide file for notes about upgrading.