Software update: PacketFence 2.0


A NAC (network access control) system can be used to secure a network environment. Based on pre-set policies, it automatically blocks network devices when an undesirable situation occurs: for example, unknown devices belonging to visitors, a worm that is trying to spread, or an authorized device that has been booted into a different operating system from a boot floppy or live CD. PacketFence is one such NAC system, with support for 802.1X and VLAN isolation, which allows a network device to be placed in the correct VLAN after analysis. For more information, please refer to this page. The developers have released version 2.0 with the following announcement:

PacketFence 2.0.0 released

The Inverse Team is pleased to announce the immediate availability of PacketFence 2.0.0. This is a major release bringing new features, new hardware support, performance enhancements, documentation update and many other changes.

New Hardware Support:

  • SMC TigerStack 6128 L2 support in Port Security (feature sponsored by Seattle Pacific University)
  • HP ProCurve MSM710 Mobility Controller
  • Meru Networks MC3000 Wireless Controller
  • Juniper EX Series in MAC RADIUS (Juniper’s MAC Authentication)

New Features:

  • Simplification of the Wireless, Wired 802.1X and Wired MAC Authentication configuration. Because of a new FreeRADIUS module and a Web Service interface, everything is now using standard PacketFence processes and configuration files.
  • VoIP devices authorization over RADIUS (#1008)
  • Proxy Interception. PacketFence can now operate in an environment where there is a client-side proxy configured. Check proxy bypass in addons/ for details. (#1035)
  • Pass-through support! You can now configure PacketFence to let your users reach specific websites even if they are in registration or isolation. (#772) (feature sponsored by Shippensburg University)
  • New pf::web::custom extension point to customize the captive portal’s code without the usual maintenance burden on upgrades (#1045)
  • Bulk importation of nodes through CLI or Admin Web interface
  • New parameter in switches.conf to ease FreeRADIUS integration
  • Optional automatic configuration of FreeRADIUS’ clients using switches.conf (see addons/freeradius-integration/README for details)
  • New ‘pending’ status for node. Allows for a wide range of captive portal workflows where an administrator approves network access (by email, SMS…)

Enhancements:

  • New information available in Node Lookup (Connection Type, SSID, 802.1X User-Name, …)
  • FreeRADIUS module improvements (#1034) and major revamping
  • Easier installation process using yum groupinstall (#1089)
  • Faster Web Services layer running under mod_perl
  • Refactoring of the pf::vlan method names for more meaningful ones
  • Removed unnecessary database connections and duplicated code
  • 802.1X improvements (#995, #1002)
  • General code base improvements, refactoring (#914, #977, #1001, #973)
  • Usability improvements (#1006, #820, #1075)
  • Migrated to the new Emerging Threats rules for snort and added rules for botnets, malware, shellcode, trojan and worm by default (#1102)
  • New DHCP fingerprints (HP ProCurve Wireless, Ricoh MFP, Cisco/Linksys, Netgear, D-Link, Trendnet, Belkin Home Wireless Routers, Sony Ericsson, Android, Aruba Access Point, Avaya IP Phone, Gentoo Linux and Fedora Linux 13)
  • pfcmd_vlan’s logging is now consistent with the rest of the system (#874)
  • configurator.pl now handles DNS and DHCP basic configuration (#1112)

Documentation:

  • Merged Installation and Administration guides into a more coherent document
  • New documentation about DHCP and DNS services. Now easier to manage! (#1113)
  • New documentation about running in a routed environment
  • Improved documentation about Snort, Oinkmaster, and log rotation in Admin Guide
  • Improved documentation on violations (external remediation pages and redirect_url) in the Administration Guide

Bug fixes:

  • Captive Portal remediation pages can be hosted externally again! (#1024)
  • Fixes to the SMC TigerStack 8824M and 8848M modules (see UPGRADE)
  • No error reporting when trying to change configuration files with bad rights (#1088)
  • Violation priorities are now enforced according to documentation (1 = highest)
  • Wrong URL in the provided oinkmaster.conf (#1101)
  • MAC addresses of format xxxx.xxxx.xxxx properly recognized in pf::util

…and more. See the ChangeLog file for the complete list of changes and the UPGRADE file for notes about upgrading. Both files are in the PacketFence distribution.

Version number: 2.0
Release status: Final
Operating systems: Linux
Website: Inverse
License type: GPL