PacketFence 3.0 released!

The Inverse Team is pleased to announce the immediate availability of PacketFence 3.0. This is a major release bringing new hardware support, several shiny new features, enhancements, bug fixes and updated translations. This release is considered ready for production use.

=== What is PacketFence ? ===

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boosting an impressive feature set including:

* Registration and remediation through a captive portal
* Detection of abnormal network activities using Snort IDS
* Proactive vulnerability scans using Nessus
* Isolation of problematic devices
* 802.1X for wired and wireless networks
* Wireless integration for all provided features
* Supports complex and heterogeneous environments
* VoIP / IP Telephony support and more!

A set of screenshots is available from http://www.packetfence.org/tour/screenshots.html and a set of videos is available from http://www.packetfence.org/tour/videos.html

=== Important upgrade notice ===

* BACKUP YOUR /usr/local/pf/ BEFORE UPGRADING. Several paths have changed with this release and an RPM upgrade will REMOVE your templates and remediation pages. See UPGRADE for more information.
* Removed the central concept of mode (ARP, DHCP or VLAN). PacketFence can now operate in multiple modes simultaneously. This new concept is called enforcement and is specified per interface in pf.conf. This affects the default configuration for all installation. Reading the UPGRADE file is recommended.
* Removed support for Apache prior to version 2.2.0 (#828)
* Removed support for jpgraph 1.x, 2.x which bumps our dependency to PHP 5.1

=== Changes Since Previous Release ===

In a nutshell, we have a redesigned captive portal, complete guest management including self-registration of devices by email activation or SMS and pre-registered guest creation by administrators. Also added a new feature to allow PacketFence to secure network access on unmanageable (consumer) devices (so-called inline enforcement). Bandwidth tracking with RADIUS accounting, RedHat Enterprise Linux (RHEL) / CentOS 6 support and several usability improvements are in there as well. Finally we took the big three-point-ohh opportunity to fix several things that annoyed us but that were breaking changes.

Here are the gory details:

New Hardware Support
* Avaya/Nortel switches now support the floating network device feature
* Avaya Wireless Controller support
* Dlink DWL Access-Point support
* LG-Ericsson iPecs 4500 support for port-security and MAC Authentication/802.1X
* Netgear FGS Series support for port-security

New features
* Major update to the captive portal look and feel! More modern and professional. Cleaner XHTML/CSS makes customization a lot easier than before. Also, all user-visible URLs are now clean and short (no more cgi-bin/... clutter). (#980, #982, #1114)
* Flexible guest handling (covering temporary passwords, self-registration, pre-registration, extension API, etc.)
* Introduced in-line support: firewall based access control with captive portal. Use this complementary technique when you cannot use VLAN enforcement. (#1227)
* Ability to view log files from the Web Administration interface (#1080)
* PacketFence now takes care of the local firewall configuration on the server
* Captive portal authentication modules are versioned, validated on startup and have customizable names
* New default_auth parameter will be the default authentication module selected if you have multiple authentication back-end enabled in auth
* Simplification of the captive portal translation (#822, #1114)
* RADIUS Accounting for tracking node bandwidth usage
* RedHat Enterprise Linux 6 / CentOS 6 support (#1244)
* Snort 2.9.x support

Enhancements
* Captive portal usability improvements for both users and administrators
* pfcmd and web administration performance improvements by avoiding duplicate loading of some configuration files
* Configuration simplification (#1051, #1182)
* FreeRADIUS package now does the certificate boostrapping process (#1226)
* Named isolation and registration zones now automatically generated on startup based on networks.conf's DNS entry (#1105)
* Simplified Apache configuration
* Improved installer.pl and configurator.pl
* Included the jpgraph PHP library. Simplifies installation from source.
* More start-up validation in `pfcmd checkup` (#1031, #1191, #1252)
* Improved error-handling, reduced number of Perl warnings, added tests (#1266)
* Improved Filesystem Hierarchy Standard (FHS) compliance (#762)
* Improves PHP 5.3.x support, relates to distro portability too (#1211, #1244, #1251: Thanks to Philipp Snizek)
* Migrated bin/flip.pl into a bin/pfcmd_vlan subcommand
* Added ldap port option to Web Admin LDAP (AD) authentication
* New controllerIp network device parameter will make it simpler to support wireless hardware working in bridged mode
* New DHCP fingerprints for Mac OS X Lion, Fedora 14, Polycom, Aastra, LifeSize, Nortel, Polycom and Snom Conferencing and VoIP, Ubuntu 11.04, Belkin Wireless Router, HP ProCurve switches, Androids, Zebra, Kyocera, HP and Xerox printers, NEC Projectors, Polycom Video Conferencing and Paradox Card Access module
* Developer documentation to add Floating Network Devices support to switches
* Minor usability improvements

Bug fixes
* Fixed issues with several switches if node MAC address falls into an Hex to ASCII printable range (#1098)
* Renaming Nortel ERS modules (#1238)
* Fixed Avaya/Nortel switches problems on ERS2500 / ERS4500 (at least)
* Fixed OS violations regression introduced in 2.2.0
* Fixed nessus scans don't work with bin/pfcmd as a setuid/setgid (#1087)
* Fixed custom VLAN assignments relying on connection_type failing on "unknown" nodes (#1231)
* Fixed problematic default grace period for System scan violation
* Fixed configurator.pl does not show interfaces without IP address (#1221)
* Fixed issue to detect the shell prompt MeruOS 4.1 or greater (#1232)
* Fixed issues with wireless hardware not sending a NAS-Port parameter (#1229)
* Fixed Apache configuration problems on non RHEL / CentOS platforms
* Fixed other cases of warnings from our FreeRADIUS module
* jpgraph version bump to 3.0.7. Fixes RHEL 6 issues. (#1244)
* Fixed silent failure when deleting a person with associated nodes (#1265)
* Fixed encoding issues in the captive portal (#1115)
* Fixed redirect loop on the captive portal if VLAN reassignment failed (#1260)
* Fixes issues with accentuated characters and single quotes in some captive portal strings
* Fixed accidental stop/restart of services because administrative where done in GET instead of POST (#1119)
* Fixed help not visible in the Web Admin when using Internet Explorer (#1256)
* Fixed missing exportation icon in the Web Admin when using Internet Explorer (#1255)
* Cisco C3560 now heritates the Cisco C2960 code
* Fixed distro portability problems (#1185, #1187, #1248)
* Fixed snort pidpath (#1258)
* Additional fixes to nessus scans
* Interim fixes (#1239, #1240, #1263, #1268, #1269)
* Missing "named" in the pfcmd help

Translations
* Updated Spanish (es) translation (Thanks to Juan Camilo Valencia)

... and more. See the ChangeLog file for the complete list of changes and the UPGRADE file for notes about upgrading. Both files are in the PacketFence distribution.

=== Getting PacketFence ===

PacketFence is free software and is distributed under the GNU GPL. As such, you are free to download and try it by either getting the new release from:

http://www.packetfence.org/download/releases.html

or by getting the sources from the official monotone server using the instructions at http://www.packetfence.org/development/source_code_repository.html

Documentation about the installation and configuration of PacketFence is available from:

http://www.packetfence.org/documentation/

=== How Can I Help ? ===

PacketFence is a collaborative effort in order to create the best Free and Open Source NAC solution. There are multiple ways you can contribute to the project:

* Documentation reviews, enhancements and translations
* Feature requests or by sharing your ideas
* Participate in the discussion on mailing lists (http://www.packetfence.org/support/community.html)
* Patches for bugs or enhancements
* Provide new translations of remediation pages

=== Getting Support ===

For any questions, do not hesitate to contact us by writing to support@inverse.ca

You can also fill our online form (http://www.inverse.ca/about/contact.html) and a representative from Inverse will contact you.

Inverse offers professional services to organizations willing to secure their wired and wireless networks with the PacketFence solution.

We told you our next release was going to be big! Have fun with this one and let us know how it goes!

Posted by Olivier Bilodeau 2011-09-22