Software update: PacketFence 5.5.0


A NAC system can be used to secure a network environment. Based on pre-set policies, it automatically blocks network devices when an undesirable situation occurs. Think of visitors' unknown network devices, a worm that is trying to spread, or an authorized device that has been booted into a different operating system from a boot floppy or live CD. PacketFence is such a NAC system, with support for 802.1X and VLAN isolation, which allows a network device to be placed in the correct VLAN after analysis. For more information, please refer to this page and to the 32nd [In]Secure Magazine, in which an article about this package can be found. The developers have released version 5.5.0 with the following changes:

New Features

  • New device detection through TCP fingerprinting
  • New DHCPv6 fingerprinting through Fingerbank
  • New RADIUS filter engine to return custom attributes based on rules
  • Security Onion integration
  • Paypal payment is now supported in the captive portal
  • Stripe payment and subscriptions are now supported in the captive portal

Enhancements

  • New pfqueue service based on Redis to manage asynchronous tasks
  • Memcached has been replaced by Redis for all caching
  • pfdetect can now be configured through the administration interface
  • Added ability to detect hostname changes using the information in the DHCP packets
  • Added the ability to create not equal conditions in LDAP sources
  • DoS mitigation on the captive portal through mod_evasive
  • Load balancing in an active/active process now uses a dedicated process
  • Authentication and accounting are now in two different RADIUS processes
  • Reworked violation triggers creation in the administration interface so it is more user friendly
  • Added the ability to create combined violation triggers, which allow a violation to be triggered based on multiple attributes of a node
  • Suricata alerts can now trigger a violation based on the alert category or description instead of only the alert ID
  • Added ability to email device owner as a violation action
  • The PacketFence syslog parser (pfdetect) has been reworked to allow multiple logs to be parsed concurrently
  • New ntlm_auth wrapper will log authentication latency to StatsD automatically
  • Handle Microsoft Windows based captive portal detection mechanisms
  • Manage pfdhcplistener status with keepalive and run pfdhcplistener on all cluster members
  • New portal profile filter (sub connection type)
  • Added switch IP and description in the available columns in the node list view
  • Use SNMP to determine the ifIndex based on the NAS-Port-Id
  • Improved metrics now track SQL queries, LDAP queries, and more granular metrics in RADIUS AAA
  • Added support for Nessus 6 scan engine
  • Added documentation for the Cisco IOS XE switches
  • Reworked existing billing providers to be PCI compliant
  • Billing providers are now part of the authentication sources
  • Billing tiers are now stored in the configuration instead of the source code files
  • Billing sources can now be used with other authentication sources on the same portal profile
  • DHCP packet processing is now fully done asynchronously to allow more PPS in the pfdhcplistener
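To make the policy-driven VLAN placement described above concrete, here is an added example that is not PacketFence code: a small, self-contained decision routine in the spirit of the combined violation triggers and the category/description-based Suricata triggers listed in this release. All node attributes, trigger definitions, VLAN names and the sample alerts are constructed for this example; PacketFence's own configuration keys and internal names are not used.

```python
"""Illustrative NAC placement logic (added example, not PacketFence code).

A node's facts are gathered from the same kinds of signals the release notes
mention (registration state, fingerprinted OS, DHCP hostname changes,
Suricata alerts). A combined trigger fires only when every one of its
conditions matches, and a Suricata trigger matches on category or on a
description substring rather than on an alert ID. The VLAN names and the
trigger keys below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed VLAN names; a real deployment maps these to VLAN IDs per switch.
VLAN_REGISTRATION = "registration"
VLAN_ISOLATION = "isolation"
VLAN_NORMAL = "normal"


@dataclass
class Node:
    mac: str
    registered: bool
    registered_os: Optional[str]          # OS recorded at registration time
    fingerprint_os: str                   # OS seen now (DHCP/TCP fingerprinting)
    hostname: str                         # hostname from the current DHCP packet
    previous_hostname: Optional[str] = None
    suricata_alerts: List[Dict[str, str]] = field(default_factory=list)


# Combined trigger: all conditions must hold (constructed definition).
COMBINED_TRIGGERS = [
    {
        "name": "known_host_rebooted_into_other_os",
        "conditions": {"registered": True, "os_mismatch": True,
                       "hostname_changed": True},
    },
]

# Suricata triggers keyed on category or description text (constructed).
SURICATA_TRIGGERS = [
    {"name": "trojan_activity", "category": "A Network Trojan was detected"},
    {"name": "scan_detected", "description_contains": "scan"},
]


def node_facts(node: Node) -> Dict[str, object]:
    """Derive the attribute set that combined triggers are evaluated against."""
    hostname_changed = (node.previous_hostname is not None
                        and node.previous_hostname != node.hostname)
    os_mismatch = (node.registered and node.registered_os is not None
                   and node.registered_os != node.fingerprint_os)
    return {"registered": node.registered,
            "os_mismatch": os_mismatch,
            "hostname_changed": hostname_changed}


def evaluate_violations(node: Node) -> List[str]:
    """Return the sorted, de-duplicated names of all triggers that fire."""
    facts = node_facts(node)
    fired = []
    for trig in COMBINED_TRIGGERS:
        if all(facts.get(k) == v for k, v in trig["conditions"].items()):
            fired.append(trig["name"])
    for alert in node.suricata_alerts:
        description = alert.get("description", "").lower()
        for trig in SURICATA_TRIGGERS:
            if "category" in trig and alert.get("category") == trig["category"]:
                fired.append(trig["name"])
            elif ("description_contains" in trig
                  and trig["description_contains"] in description):
                fired.append(trig["name"])
    return sorted(set(fired))


def assign_vlan(node: Node) -> Tuple[str, List[str]]:
    """Isolate on any violation, register unknown devices, otherwise admit."""
    violations = evaluate_violations(node)
    if violations:
        return VLAN_ISOLATION, violations
    if not node.registered:
        return VLAN_REGISTRATION, []
    return VLAN_NORMAL, []


if __name__ == "__main__":
    # Constructed sample nodes covering the scenarios in the introduction.
    samples = [
        Node("00:11:22:33:44:55", False, None, "Windows", "guest-laptop"),
        Node("00:11:22:33:44:66", True, "Windows", "Windows", "ws01", "ws01"),
        Node("00:11:22:33:44:77", True, "Windows", "Linux", "live-cd", "ws02"),
        Node("00:11:22:33:44:88", True, "Windows", "Windows", "ws03",
             suricata_alerts=[{"category": "Attempted Information Leak",
                               "description": "ET SCAN Nmap Scripting Engine"}]),
    ]
    for n in samples:
        print(n.mac, assign_vlan(n))
```

The isolation decision is taken before the registration check on purpose: a device that is both unregistered and generating alerts should land in the isolation VLAN, not in a registration VLAN where it could still reach the captive portal.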

Bug Fixes (bug IDs are denoted with #id)

  • Fixed log rotation issue with the carbon daemons
  • Fixed LLDP phone detection if only telephone capability is enabled (#964)
  • Fixed keepalive and iptables configuration for portal interfaces
  • Fixed improper httpd status code being set
  • Removed the node delete button
  • Fixed detection if the device asks for a portal per URI
  • Fixed 3Com switches ifIndex calculation in stack mode using SNMP
  • Not-found users will now be cached when using the caching in an LDAP source (#978)
  • Updating a node puts an invalid entry in the voip field

See the complete list of changes and the UPGRADE.asciidoc file for notes about upgrading.

Version number 5.5.0
Release status Final
Operating systems Linux
Website PacketFence
Download
License type GPL