The Inverse team is pleased to announce the immediate availability of PacketFence 5.4.0. This is a major release with new features, enhancements and important bug fixes. This release is considered ready for production use and upgrading from previous versions is strongly advised.

     What is PacketFence ?

PacketFence is a fully supported, trusted, Free and Open Source Network Access Control (NAC) solution. Boasting an impressive feature set, PacketFence can be used to effectively secure small to very large heterogeneous networks.

Among the features provided by PacketFence, there are:

 * powerful BYOD (Bring Your Own Device) capabilities
 * state-of-the art devices fingerprinting with Fingerbank
 * multiple enforcement methods including Role-Based Access Control
   (RBAC) and hotspot-style
 * compliance checks for endpoints present on your network
 * integration with various vulnerability scanners, intrusion detection
   solutions, security agents and firewalls
 * bandwidth accounting for all devices

A complete overview of the solution is available from the official website:

     Changes Since Previous Release

*New Features*


   PacketFence now supports SCEP integration with Microsoft's Network
   Enrollment Device Service during the device on-boarding process when
   using EAP-TLS

 * Improved integration with social media networks (email address
   lookups from Github and Facebook sources, support, etc.)

   External HTTP authentication sources support which allows an
   HTTP-based external API to act as an authentication source to

 * Introduced a 'packetfence_local' PKI provider to allow the use of
   locally generated TLS certificates to be used in a PKI provider /
   provisionner flow
 * New filtering engine for the portal profiles allowing complex rules
   to determine which portal will be displayed
 * Added the ability to define custom LDAP attributes in the configuration
 * Add the ability to create "administrative" or "authentication"
   purposes rules in authentication sources
 * Added support for Cisco SG300 switches


 * RADIUS Diffie-Hellman key size has been increased to 2048 bits to
   prevent attacks such as Logjam
 * HAProxy TLS configuration has been restricted to modern ciphers
 * Improved error message in the profile management page
 * Allow precise error messages from the authentication source when
   providing invalid credentials on the captive portal

   Aruba WiFi controllers now support wired RADIUS MAC authentication
   and 802.1X

 * Added authentication source which can allow a new Null
   type source with email validation
 * Now redirecting to HTTP for devices that do not support self-signed
   certificates on the captive portal if needed
 * httpd.portal now serves static content directly (without going
   through Catalyst engine)
 * Introduction of a new configuration parameter
   (captive_portal.wispr_redirection) to allow enabling/disabling
   captive-portal WISPr redirection capabilities
 * File transfers through the webservices are now atomic to prevent
 * New web API call to release all violations for a device
 * Added better error message propagation during a cluster synchronization
 * Added additional in-process caching for pfconfig proxied configuration
 * The server hostname is now displayed in the admin info box
 * Added a warning in the configurator when the user is configuring
   multiple interfaces in the same network
 * Added synchronization of the Fingerbank data in an active/active cluster
 * Client IP and MAC address are now available though direct variables
   in the captive portal templates
 * The IPlog can now be updated through RADIUS accounting
 * Devices in the registration VLAN may now be allowed to reach an
   Active Directory Server
 * Added an option to centralize deauthentication on the management
   node of an active/active cluster
 * Added the option to use only the management node as the DNS server
   in active/active clustering

   Improved Ruckus ZoneDirector documentation regarding external
   captive portal

 * pfconfig daemon can now listen on an alternative unix socket
 * Improved handling of updating the /etc/sudoers file in packaging

   Improved roles handling on AeroHive devices

*Bug Fixes (bug Id is denoted with #id)*

 * Fix case where status page links would be pointing to the wrong
   protocol (HTTP vs HTTPS)
 * set_unreg_date and set_access_duration actions now have the same
   priority when matching rule and actions (#816)
 * Fixes the database query hanging in the captive portal
 * The person attributes lookup will now be made on the stripped
   username if needed (#888)
 * Active/active load balancing will now be dispatched based on the
   Calling-Station-Id attribute.
 * Fix unaccessible portal preview when no internal network is defined
 * Fixed a case where the wrong portal profile can be instantiated on
   the first connection
 * Improved error message in the profile management page (#858)

   Do not use the PacketFence multi-domain FreeRADIUS module unless
   there are domains configured in PacketFence (#868)

 * We now handle gracefully switches sending double Calling-Station-Id
   attributes (#864)
 * Prevent OMAPI from being configured on the DHCP server without a key
 * Switched to the memcached binary protocol to avoid memcached
   injection exploit
 * Fixed ipset error if the device switches from one inline network to
 * Fixed wrong configuration parameters for redirect url (now a
   per-profile parameter)
 * Fix bug with validation of mandatory fields causing exceptions in signup
 * Made DHCP point DNS only on cluster IP if passthroughs are enabled
   in active/active clusters (#820)
 * Defined the maximum message size that SNMP get can return (fixes
   VOIP LLDP/CDP detection on switch stacks #738)

See the complete change log.

See the UPGRADE file for notes about upgrading:

     Getting PacketFence

PacketFence is free software and is distributed under the GNU GPL. As such, you are free to download and try it by either getting the new release or by getting the sources:

Documentation about the installation and configuration of PacketFence is also available:

     How Can I Help ?

PacketFence is a collaborative effort in order to create the best Free and Open Source NAC solution. There are multiple ways you can contribute to the project:

 * Documentation reviews, enhancements and translations
 * Feature requests or by sharing your ideas

   Participate in the discussion on mailing lists

 * Patches for bugs or enhancements
 * Provide new translations of remediation pages

     Getting Support

For any questions, do not hesitate to contact us by writing <>

You can also fill our online form ( and a representative from Inverse will contact you.

Inverse offers professional services to organizations willing to secure their wired and wireless networks with the PacketFence solution.

Ludovic Marcotte  ::  +1.514.755.3630  ::
Inverse inc. :: Leaders behind SOGo ( and PacketFence 

PacketFence-devel mailing list

Reply via email to