PacketFence 2.0 released

From:  Olivier Bilodeau <obilodeau-AT-inverse.ca>
To:  lwn-AT-lwn.net
Subject:  PacketFence 2.0 released!
Date:  Wed, 15 Dec 2010 14:33:06 -0500
Message-ID:  <4D0917F2.7030208@inverse.ca>

The Inverse Team is pleased to announce the immediate availability of 
PacketFence 2.0. This is a major release bringing new features, new 
hardware support, performance enhancements, documentation update and 
other smaller changes. This release is considered ready for production use.

=== What is PacketFence ? ===

PacketFence is a fully supported, trusted, Free and Open Source network 
access control (NAC) system. Boasting an impressive feature set including:

  * Registration and remediation through a captive portal
  * Detection of abnormal network activities using Snort IDS
  * Proactive vulnerability scans using Nessus
  * Isolation of problematic devices
  * 802.1X for wired and wireless networks
  * Wireless integration for all provided features
  * Supports complex and heterogeneous environments
  * VoIP / IP Telephony support and more!

A set of screenshots is available from 
http://www.packetfence.org/tour/screenshots.html and a set of videos is 
available from http://www.packetfence.org/tour/videos.html

=== Changes Since Previous Release ===

New Hardware Support
  * SMC TigerStack 6128 L2 support in Port Security (feature sponsored 
by Seattle Pacific University)
  * HP ProCurve MSM710 Mobility Controller
  * Meru Networks MC3000 Wireless Controller
  * Juniper EX Series in MAC RADIUS (Juniper's MAC Authentication)

New Features
  * Simplification of the Wireless, Wired 802.1X and Wired MAC 
Authentication configuration. Because of a new FreeRADIUS module and a 
Web Service interface, everything is now using standard PacketFence 
processes and configuration files.
  * VoIP devices authorization over RADIUS (#1008)
  * Proxy interception. PacketFence can now operate in an environment 
where there is a client-side proxy configured. Check proxy-bypass in 
addons/ for details. (#1035)
  * Passthroughs support! You can now configure PacketFence to let your 
users reach specific websites even if they are in registration or 
isolation. (#772) (feature sponsored by Shippensburg University)
  * New pf::web::custom extension point to customize the captive 
portal's code without the usual maintenance burden on upgrades (#1045)
  * Bulk importation of nodes through CLI or Admin Web interface
  * New parameter in switches.conf to ease FreeRADIUS integration
  * Optional automatic configuration of FreeRADIUS' clients using 
switches.conf (see addons/freeradius-integration/README for details)
  * New 'pending' status for node. Allows for a wide range of captive 
portal workflows where an administrator approves network access (by 
email, SMS...)

Enhancements
  * New information available in Node Lookup (Connection Type, SSID, 
802.1X User-Name, ...)
  * FreeRADIUS module improvements (#1034) and major revamping
  * Easier installation process using yum groupinstall (#1089)
  * Faster Web Services layer running under mod_perl
  * Refactoring of the pf::vlan method names for more meaningful ones
  * Removed unnecessary database connections and duplicated code
  * 802.1X improvements (#995, #1002)
  * General code base improvements, refactoring (#914, #977, #1001, #973)
  * Usability improvements (#1006, #820, #1075)
  * Migrated to the new Emerging Threats rules for snort and added rules 
for botnets, malware, shellcode, trojan and worm by default (#1102)
  * New DHCP fingerprints (HP ProCurve Wireless, Ricoh MFP, 
Cisco/Linksys, Netgear, D-Link, Trendnet, Belkin Home Wireless Routers, 
Sony Ericsson, Android, Aruba Access Point, Avaya IP Phone, Gentoo Linux 
and Fedora Linux 13)
  * pfcmd_vlan's logging is now consistent with the rest of the system 
(#874)
  * configurator.pl now handles DNS and DHCP basic configuration (#1112)

Documentation
  * Merged Installation and Administration guides into a more coherent 
document
  * New documentation about DHCP and DNS services. Now easier to manage! 
(#1113)
  * New documentation about running in a routed environment
  * Improved documentation about Snort, Oinkmaster, and log rotation in 
Admin Guide
  * Improved documentation on violations (external remediation pages and 
redirect_url) in the Administration Guide

Bug fixes
  * Captive Portal remediation pages can be hosted externally again! (#1024)
  * Fixes to the SMC TigerStack 8824M and 8848M modules (see UPGRADE)
  * No error reporting when trying to change configuration files with 
bad rights (#1088)
  * Violation priorities are now enforced according to documentation (1 
= highest)
  * Wrong URL in the provided oinkmaster.conf (#1101)
  * MAC addresses of format xxxx.xxxx.xxxx properly recognized in pf::util

... and more. See the ChangeLog file for the complete list of changes 
and the UPGRADE file for notes about upgrading. Both files are in the 
PacketFence distribution.

=== Getting PacketFence ===

PacketFence is free software and is distributed under the GNU GPL. As 
such, you are free to download and try it by either getting the new 
release from:

http://prdownloads.sourceforge.net/packetfence/packetfenc...

or by getting the sources from the official monotone server using the 
instructions at 
http://www.packetfence.org/development/source_code_reposi...

Documentation about the installation and configuration of PacketFence is 
available from:

http://www.packetfence.org/documentation/documentation.html

=== How Can I Help ? ===

PacketFence is a collaborative effort in order to create the best Free 
and Open Source NAC solution. There are multiple ways you can contribute 
to the project:

  * Documentation reviews, enhancements and translations
  * Feature requests or by sharing your ideas
  * Participate in the discussion on mailing lists 
(http://www.packetfence.org/support/community.html)
  * Patches for bugs or enhancements
  * Provide new translations of remediation pages

=== Getting Support ===

For any questions, do not hesitate to contact us by writing to 
support@inverse.ca

You can also fill out our online form 
(http://www.inverse.ca/about/contact.html) and a representative from 
Inverse will contact you.

Inverse offers professional services to organizations willing to secure 
their wired and wireless networks with the PacketFence solution.

I hope you will enjoy this release as much as we enjoyed making it!

-- 
Olivier Bilodeau
obilodeau@inverse.ca  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Step 2: Disable SELinux?

Posted Dec 16, 2010 1:27 UTC (Thu) by signbit (subscriber, #71372)

From the install manual:

  • Step 1: turn on the firewall
  • Step 2: disable SELinux

The two "supported" distributions are RHEL and CentOS. I wonder why, if they are serious about security, they didn't at least distribute the SELinux policy that one can generate with audit2allow.

The web is becoming more and more complex and vulnerabilities are propping up left and right. I would like to see the security-oriented folks work more on getting a secure usable configuration working out of the box.

Step 2: Disable SELinux?

Posted Dec 19, 2010 18:54 UTC (Sun) by dougsk (guest, #25954)

SELinux, more difficult than 802.1x, eap-tls, radius, ldap, pam, and cisco IOS all in a single bound.
