Software update: PacketFence 4.3.0


A NAC system can be used to secure a network environment. It allows network devices to be blocked automatically, based on pre-set policies, when an undesirable situation occurs. Think of unknown devices belonging to visitors, a worm that is trying to spread, or an authorized device that has been booted into a different operating system from a boot floppy or live CD. PacketFence is such a NAC system, with support for 802.1X and VLAN isolation, which allows a network device to be placed in the correct VLAN after analysis. For more information, please refer to this page and to the 32nd issue of [In]Secure Magazine, which contains an article about this package. The developers have released version 4.3.0 with the following announcement:

PacketFence 4.3.0 released

The Inverse team is pleased to announce the immediate availability of PacketFence 4.3.0. This is a major release with new features, enhancements and important bug fixes. This release is considered ready for production use and upgrading from 4.2 is strongly advised.

Here are the changes in 4.3.0:

New Features

  • Added MAC authentication support for Edge-corE 4510
  • Added support for Ruckus External Captive Portal
  • Support for Huawei S2700, S3700, S5700, S6700, S7700, S9700 switches
  • Added support for LinkedIn and Windows Live as authentication sources
  • Support for 802.1X on Juniper EX2200 and EX4200 switches
  • Added support for the Netgear M series switches
  • Added support to define SNAT interface to use for passthrough
  • Added Nessus scan policy based on a DHCP fingerprint
  • Added support to unregister a node if the username is locked or deleted in Active Directory
  • Fortinet FortiGate and PaloAlto firewalls integration
  • New configuration parameters in switches.conf to use mapping by VLAN and/or mapping by role

Enhancements

  • When validating an email confirmation code, use the same portal profile initially used to register the device
  • Removed old iptables code (ipset is now always used for inline enforcement)
  • MariaDB support
  • Updated WebAPI method
  • Use Webservices parameters from PacketFence configuration
  • Use WebAPI notify from pfdhcplistener (faster)
  • Improved Apache SSL configuration forbids SSLv2 use and prioritizes better ciphers
  • Removed CGI-based captive portal files
  • For device registration use the source used to authenticate for calculating the role and unregdate (bugid:1805)
  • For device registration, we set the “NOTES” field of the node with the selected type of device (if defined)
  • On status page check the portal associated to the user and authenticate on the sources included in the portal profile
  • Merge pf::email_activation and pf::sms_activation to pf::activation
  • Removed unused table switchlocation
  • Deauthentication and firewall enforcement can now be done through the web API
  • Added support to configure high-availability from within the configurator/webadmin
  • Changed the way we’re handling DNS blackholing when unregistered in inline enforcement mode (using DNAT rather than REDIRECT)
  • Now handling rogue DHCP servers based both on the server IP and server MAC address

Bug Fixes

  • Fixed pfdetectd not starting because of stale pid file
  • Fixed SQL join with iplog in advanced search of nodes
  • Fixed unreg date calculation in Catalyst captive portal
  • Fixed allowed_device_types array in device registration page (bugid:1809)
  • Fixed VLAN format to comply with RFC 2868
  • Fixed possible double submission of the form on the billing page
  • Fixed db upgrade script to avoid duplicate changes to locationlog table

Version number: 4.3.0
Release status: Final
Operating systems: Linux
Website: PacketFence
Download: http://www.packetfence.org/download/releases.html
License type: GPL