Download PacketFence 12.1.0

A nac system can be used, among other things, to secure a network environment. This allows network devices to be automatically blocked if an undesirable situation occurs, based on preset policies. Consider unknown network devices of visitors, a worm trying to spread, or an authorized device that has been provided with a different operating system via a bootflop or live CD. PacketFence is such a nac system, with support for 802.1x, Fingerbank, vlan isolation and integrations with, for example, Snort or Nessus, which allow a network device to be placed in the correct VLAN after analysis. The developers have released version 12.1.0 and provided the following announcement.

Version 12.1.0

The Inverse team is pleased to announce the immediate availability of PacketFence 12.1 – a major release bringing tons of improvements!

Single-Sign-On for the admin interface
The PacketFence admin interface now has support for Single-Sign-On (SSO) using SAML, OAuth2 as well as supporting MFA using TOTP and Akamai MFA.

Fingerbank in the PacketFence Connector
The PacketFence Connector now supports running the Fingerbank Collector to perform device profiling using all the traffic a PacketFence connector sees.

Unbound dynamic PSK support for OpenWiFi
The OpenWiFi integration now supports dynamic unbound PSK which allows individual users to authenticate against PacketFence with their personal WPA2 key.

Here’s the complete list of changes included in this release:

New Features

• Added unbound dynamic PSK support to the OpenWiFi module
• Added Single-Sign-On capability for the admin interface login (SAML/OAuth/MFA/etc)
• Improved PacketFence forwarder integration to mirror DNS packets from a Windows DNS server
• Support for the Fingerbank Collector on the PacketFence Connector

Enhancements

• More flexibility in the definition of the RADIUS servers in an Eduroam source
• Allow to import only DB or configuration during import
• Debian package for PacketFence Connector
• Removed the savedsearch table.
• Removed jQuery dependency in captive portal.
• Present the dynamic PSK on the status page when appropriate
• Manage pfconfig.conf through upgrade scripts instead of packaging
• Improve WebAuth support on Extreme controllers
• Allow users to upload files from the admin instead of uploading them manually via SCP/SSH
• Added new radius attribute vpn detection for fortigate
• Fixed valid_mac that identify some ip address as mac
• Support for hardware token like yubikey for Akamai MFA
• Added sms/phone call as default method in configuration

Bug fixes

• Fixed issue with pfconnector where it would reuse a dynamic reverse that isn’t active anymore (Pfconnector server active dyn reverse cache checks can fail #7218)
• Fixed RADIUS deauth through pfconnector-remote in a cluster where it was logging as failed although it succeeded When a rule match is ‘any’ and has no conditions the rule is always successful (#3768)
• Fix issue with database upgrade (#7283)
• Fix issue Sponsor registration: notes field can’t be used on captive portal #6385
• Better error handling when performing a deauth on the previous switch. (captive portal redirect page return Caught exception in captiveportal::Controller::Root->dynamic_application “Can’t use string (“0”) as a HASH ref while “strict refs” in use at /usr/local/pf/lib /pf/enforcement.pm line 206 #6985)
• Fixes possible Clickjacking for netdata reverse proxy (#7338)
• Don’t resync config files unnecessarily during restarts (Cluster resync on restart – pf12.1 #7360)