1.5.11. Release 1.2.2-11

Release date: 16.03.2023

These are the development and documentation release notes for version 1.2.2-11.

Warning

Captive instances configuration properties have changed. “Captive node IP” and “Portal IP/Domain” properties need to be manually set.

Enter the IP address of the node where the portal is installed in the Captive node IP property. If the instance has Installed in Core set, the value is localhost. The IP address or domain of the portal must be entered in the Portal IP/Domain property. Both fields are now required.

Existing ON Captive instances that were already working must also be edited to set these two properties.

Warning

In the ON Captive SAML flow, the agent must be updated to the latest version. If the agent is not updated, the flow will not work properly.

1.5.11.1. Development

The new development changes in this release are the following:

1.5.11.1.1. ON Core

  • A new translation file for the OpenNAC Captive Portal has been added. The languages now available for the Captive Portal are the following:

    • Catalan

    • German

    • Spanish

    • Basque

    • French

    • Galician

    • Italian

  • CoA support for the Aruba 650 AP series has been added. Previously, Aruba 650 series APs did not support the CoA messages sent by any of the Brands/Models available in OpenNAC Enterprise. CoA messages with the following attributes are now compatible with the Aruba 650 APs:

    • NAS-IP-Address

    • Calling-Station-ID

  • Previously, the SAML connection timeout was not configurable. A new option in ON Agent > Agent Profiles, in the Taskbar configuration module, now configures this value. It is called Timeout to authenticate VPN using SAML (in minutes).

    This timeout is the maximum time allowed between the user clicking the Connect VPN button and the user clicking the .nac file downloaded in the browser. Once the timeout elapses (for example, after 2 minutes) without the .nac click action, the UI displays an error.

  • For large-scale ON Agent deployments, a flag for enabling or disabling the Terms & Conditions disclaimer has been added. The flag is called Display Terms & Conditions and it is located at ON Agent > Agent Configuration > Download & parse > Download & Install agent options.

  • The size of the rsyslog buffer has been increased from 64k to 128k to accommodate larger agent logs.

    The variable changed is $MaxMessageSize, located in the /etc/rsyslog.conf file.

  • The Dashboard management section was removed from the Dashboards tab.

  • In Dashboards > Dashboard list, the User device ID parameter has been added to allow querying by the opennac_id ELK field.

  • The following fields have been added to ON Agent > Agent Profiles to perform the proxy configuration for Windows clients:

    • Enable local proxy

    • Force local proxy

    • Proxy IP

    • Proxy port

    • URL exceptions

  • Improvements in Business profiles response time.

  • The OpenNAC Enterprise version has been removed from the administration portal login page.

  • If an IPMAC event is received but the VLAN associated with the event does not match the IP address range defined in the CMDB for that network, the event is now discarded. However, if a SWITCH DEFAULT VLAN is applied, the IPMAC event is still processed, since the VLAN actually used by the switch is unknown.

  • Some fingerprints may not be found in the local OpenNAC Enterprise database, so a device may not be profiled correctly. In that case the packet now carries the field os_name with the value unregistered, and the tag DFP_ORPHAN_XXXXXXXX is generated for that device.

  • Enable client discovery and Enable client discovery scope to unregistered networks are two new fields for configuring the userDeviceProfiling plugin. The tag UDC (User Device Client) is created with the type of server the device is connected to.

  • The SSL certificate information can now be obtained, and the common name (CN) of the subject and the organization (O) of the issuer are labelled with the following tags:

    • COI (CERTIFICATE ORGANIZATION ISSUER)

    • CNS (CERTIFICATE NAME SUBJECT)

  • The execution of the discover plugin will be forced when a device has the tag ONC_FORCE_DISCOVER_FULL, which is added by the tagsLogoutSync plugin if the device is logged out.

  • A new OSQuery query to retrieve ARP entries has been added.

  • Improvements in ansible playbooks found in /usr/share/opennac/utils/ansible.

  • Improvements in the Medigate plugin. Now, it has a new field in its configuration window called Medigate API URL that allows accessing Medigate data resources.
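
The rsyslog buffer change above is only effective if $MaxMessageSize is set high enough and, per rsyslog's documentation for the legacy directive, placed before any input module is loaded. The following check, written for these notes and not part of OpenNAC Enterprise, parses an rsyslog.conf and reports the configured size in bytes together with any input (im*) modules loaded before the directive. The two configuration excerpts are constructed samples, not the file shipped by the product.

```python
import re
from typing import Dict, List, Optional

# Constructed /etc/rsyslog.conf excerpt (hypothetical, not the file OpenNAC ships).
GOOD_CONF = """\
# global settings first
$MaxMessageSize 128k
$ModLoad imuxsock
$ModLoad imudp
$UDPServerRun 514
module(load="imtcp")
input(type="imtcp" port="514")
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
"""

# Constructed "before" state: still 64k, and set after input modules are loaded.
BAD_CONF = """\
$ModLoad imuxsock
$ModLoad imudp
$UDPServerRun 514
# too small for large agent logs, and too late in the file
$MaxMessageSize 64k
*.info   /var/log/messages
"""

_SIZE_RE = re.compile(r"^\s*\$MaxMessageSize\s+(\d+)\s*([kKmMgG]?)\s*$")
_LEGACY_MOD_RE = re.compile(r"^\s*\$ModLoad\s+(\S+)", re.IGNORECASE)
_RAINER_MOD_RE = re.compile(r'^\s*module\(\s*load\s*=\s*"([^"]+)"', re.IGNORECASE)
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

REQUIRED_BYTES = 128 * 1024  # the value introduced in 1.2.2-11


def parse_size(number: str, unit: str) -> int:
    """Convert an rsyslog size such as '128k' to bytes."""
    return int(number) * _UNITS[unit.lower()]


def check_max_message_size(conf_text: str) -> Dict[str, object]:
    """Find the first $MaxMessageSize directive and list input modules loaded before it."""
    size_bytes: Optional[int] = None
    size_line: Optional[int] = None
    inputs_before: List[str] = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments
        m = _SIZE_RE.match(line)
        if m and size_bytes is None:
            size_bytes, size_line = parse_size(m.group(1), m.group(2)), lineno
            continue
        if size_bytes is None:
            for rx in (_LEGACY_MOD_RE, _RAINER_MOD_RE):
                mm = rx.match(line)
                if mm and mm.group(1).lower().startswith("im"):  # im* are input modules
                    inputs_before.append(mm.group(1))
    return {
        "size_bytes": size_bytes,
        "line": size_line,
        "input_modules_before": inputs_before,
        "ok": size_bytes is not None and size_bytes >= REQUIRED_BYTES and not inputs_before,
    }


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, check_max_message_size(conf))
```

Run it against the real file with check_max_message_size(open("/etc/rsyslog.conf").read()); a non-empty input_modules_before list means the larger buffer is not applied to those inputs and agent log lines above the old limit are still truncated.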
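
The IPMAC/VLAN rule above, as an added illustration written for these notes (not code from OpenNAC Enterprise): an event is kept only when its IP address falls inside the CMDB range defined for the event's VLAN, unless the switch applied its SWITCH DEFAULT VLAN, in which case the VLAN is unknown and the event is processed anyway. The CMDB excerpt, the sample events and all helper names are constructed assumptions; how the product treats a VLAN that has no range in the CMDB is not stated on this page, and the example passes such events through as a labelled assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed CMDB excerpt (hypothetical): network name -> VLAN and IP range.
CMDB_NETWORKS: Dict[str, Dict[str, object]] = {
    "office":  {"vlan": 10, "cidr": "10.10.0.0/16"},
    "guest":   {"vlan": 20, "cidr": "192.168.50.0/24"},
    "servers": {"vlan": 30, "cidr": "10.30.0.0/24"},
}


@dataclass
class IpMacEvent:
    mac: str
    ip: str
    vlan: int
    default_vlan: bool = False  # True when the switch applied its SWITCH DEFAULT VLAN


def cmdb_range_for_vlan(vlan: int, networks=CMDB_NETWORKS) -> Optional[ipaddress.IPv4Network]:
    """Return the IP range the CMDB defines for this VLAN, or None if the VLAN is unknown."""
    for net in networks.values():
        if net["vlan"] == vlan:
            return ipaddress.ip_network(net["cidr"])
    return None


def should_process(event: IpMacEvent, networks=CMDB_NETWORKS) -> Tuple[bool, str]:
    """Discard IPMAC events whose IP is outside the CMDB range of their VLAN,
    except when the switch default VLAN was applied (real VLAN unknown)."""
    if event.default_vlan:
        return True, "SWITCH DEFAULT VLAN applied; VLAN unknown, event processed"
    cidr = cmdb_range_for_vlan(event.vlan, networks)
    if cidr is None:
        # Assumption: a VLAN with no range in the CMDB has nothing to validate against.
        return True, f"VLAN {event.vlan} has no IP range in CMDB; not validated"
    if ipaddress.ip_address(event.ip) in cidr:
        return True, f"{event.ip} is inside {cidr} for VLAN {event.vlan}"
    return False, f"{event.ip} is outside {cidr} defined for VLAN {event.vlan}; discarded"


def filter_events(events: List[IpMacEvent], networks=CMDB_NETWORKS) -> List[str]:
    """Return the MACs of the events that survive the VLAN/IP-range check."""
    return [e.mac for e in events if should_process(e, networks)[0]]


# Constructed sample events.
SAMPLE_EVENTS = [
    IpMacEvent("00:11:22:33:44:01", "10.10.4.20", 10),   # office IP on office VLAN: kept
    IpMacEvent("00:11:22:33:44:02", "10.10.4.21", 20),   # office IP seen on guest VLAN: discarded
    IpMacEvent("00:11:22:33:44:03", "172.16.9.9", 1, default_vlan=True),  # default VLAN: kept
    IpMacEvent("00:11:22:33:44:04", "10.30.0.5", 99),    # VLAN unknown to CMDB: kept (assumption)
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.mac, should_process(ev))
```

The second sample event is the case the rule exists for: an address from one network reported on a different VLAN, which is what a misconfigured trunk or a spoofed IP looks like from the switch's point of view, and which would otherwise be written into the device inventory as if it were legitimate.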

1.5.11.1.2. ON Analytics

  • The ALL_LOGS boolean variable has been added to /etc/default/opennac to control which Zeek (Bro) logs are kept, reducing Elasticsearch disk usage.

  • Improvements for the Analytics > Use Cases > Network Device Compliance dashboard.

  • Improvements for the Analytics > Use Cases > Guest/BYOD dashboard.

  • Improvements for the Analytics > Use Cases > Volumetry dashboard.

  • New Analytics > Use Cases > Third Party VPN dashboard, which uses a new index called third_party_vpn.

1.5.11.1.3. Captive Portal

  • The Default Captive Portal no longer allows downloading the Soluble Agent.

  • The waiting time (timeout) for a port toggle to be noticed by the Captive Portal has been adjusted. The timeout is now static.

1.5.11.1.4. ON Agent

  • When the ON Agent .nac file is downloaded, the browser executes it automatically and the file is then deleted to avoid multiple executions.

  • The OSQuery repository prompt is now skipped when OSQuery is added by the ON Agent Linux installer.

1.5.11.1.5. ON Sensor

  • Syslog logs detected by ON Sensor are no longer sent through Filebeat by default. This avoids growth of the Elasticsearch indices.

1.5.11.2. Documentation

The new documentation changes in this release are the following:

  • Increased Rsyslog buffer size.

  • View policy evaluation in Business Profiles.

  • List of necessary repositories for 1.2.2.

  • DHCP Helper Reader flow and AAA RADIUS concepts.

  • CoA, Location-based authorization and Host modes topics added to the UNAC introduction section.

  • Configure Zeek for multiple interfaces.

  • Import/Export dashboards.

  • NetConf troubleshooting.

  • Edit Elasticsearch mappings.

  • New Segmentation Use Case graphic.

  • List of Supported Operating Systems for the ON Agent.

  • ON Core and ON Analytics scripts documented.