A NAC system is one of the tools that can be used to secure a network environment. Based on predefined policies, it can automatically block network devices when an undesirable situation occurs. Examples include unknown network devices belonging to visitors, a worm trying to spread, or an authorized device that has been booted into a different operating system from a boot floppy or live CD. PacketFence is such a NAC system, with support for 802.1X, Fingerbank, VLAN isolation and integrations with, for example, Snort or Nessus, which allow a network device to be placed in the correct VLAN after analysis. The developers have released version 12.1.0 with the following announcement.

Version 12.1.0

The Inverse team is pleased to announce the immediate availability of PacketFence 12.1 – a major release bringing tons of improvements!

Single-Sign-On for the admin interface
The PacketFence admin interface now has support for Single-Sign-On (SSO) using SAML, OAuth2 as well as supporting MFA using TOTP and Akamai MFA.

Fingerbank in the PacketFence Connector
The PacketFence Connector now supports running the Fingerbank Collector to perform device profiling using all the traffic a PacketFence connector sees.

Unbound dynamic PSK support for OpenWiFi
The OpenWiFi integration now supports dynamic unbound PSK which allows individual users to authenticate against PacketFence with their personal WPA2 key.

Here’s the complete list of changes included in this release:

New Features

  • Added unbound dynamic PSK support to the OpenWiFi module
  • Added Single-Sign-On capability for the admin interface login (SAML/OAuth/MFA/etc)
  • Improved PacketFence forwarder integration to mirror DNS packets from a Windows DNS server
  • Support for the Fingerbank Collector on the PacketFence Connector


Enhancements

  • More flexibility in the definition of the RADIUS servers in an Eduroam source
  • Allow importing only the DB or the configuration during import
  • Debian package for PacketFence Connector
  • Removed the savedsearch table.
  • Removed jQuery dependency in captive portal.
  • Present the dynamic PSK on the status page when appropriate
  • Manage pfconfig.conf through upgrade scripts instead of packaging
  • Improve WebAuth support on Extreme controllers
  • Allow users to upload files from the admin instead of uploading them manually via SCP/SSH
  • Added new RADIUS attribute VPN detection for FortiGate
  • Fixed valid_mac that identified some IP addresses as MAC addresses
  • Support for hardware tokens like YubiKey for Akamai MFA
  • Added SMS/phone call as default method in configuration


Bug Fixes

  • Fixed issue with pfconnector where it would reuse a dynamic reverse that isn’t active anymore (Pfconnector server active dyn reverse cache checks can fail #7218)
  • Fixed RADIUS deauth through pfconnector-remote in a cluster where it was logging as failed although it succeeded
  • When a rule match is ‘any’ and has no conditions the rule is always successful (#3768)
  • Fix issue with database upgrade (#7283)
  • Fix issue Sponsor registration: notes field can’t be used on captive portal #6385
  • Better error handling when performing a deauth on the previous switch. (captive portal redirect page return Caught exception in captiveportal::Controller::Root->dynamic_application “Can’t use string (“0”) as a HASH ref while “strict refs” in use at /usr/local/pf/lib/pf/enforcement.pm line 206 #6985)
  • Fixes possible Clickjacking for netdata reverse proxy (#7338)
  • Don’t resync config files unnecessarily during restarts (Cluster resync on restart – pf12.1 #7360)