1.5.12. Release 1.2.2-12
Release date: 18.09.2023
Welcome to the 1.2.2-12 OpenNAC Enterprise release. In this version, we have compiled several improvements and new functionalities to enhance your workflows and user experience.
Warning
In installations that are going to be upgraded to the 1.2.2-12 version with policies reliant on the EPT tag, it is crucial to run a script that checks the profile of user devices before updating.
The script file, checkProfiling.php, must be executed before proceeding with the upgrade.
For more information, see the Platform Administration > Scripts section.
Warning
To ensure the newly introduced healthchecks work correctly, re-copy the healthcheck.ini file that corresponds to the node type being used once the update process is finished.
If healthchecks have been customized, be sure to consider those customizations when reapplying the configuration. For more information about this configuration, refer to the healthcheck section.
The Collectd healthcheck has been enabled on all nodes. For more information, see the healthcheck list. New healthchecks for specific node types are described in the corresponding node sections of these release notes.
1.5.12.1. Development
1.5.12.1.1. ON Core
The devices with MAC 00:00:00:00:00:00 have been excluded from the Dashboard tab.
We have updated the security policies of the SSH service. As a result, connections through weak methods are no longer allowed. This update requires manual implementation during the update process. See the Troubleshooting Guide section for more information.
You can now set an expiration date for users’ passwords from the Configuration > Configuration vars section. This configured expiration date will then be displayed in ON CMDB > Security > Admin users. See the Configuration vars > Advance section and the ON CMDB > Security > Admin users section for more information.
Additionally, a new healthcheck has been implemented to monitor the expiration date of users’ passwords (ADM_USERS_PASSWD_EXPIRATION), ensuring their compliance with the set criteria. For more information, see the complete healthcheck list.
The SYSTEM_INFO healthcheck now saves the Core version and checks that all Workers have the same version. For more information, see the complete healthcheck list.
There is a new parameter in all synchronous plugins to define the execution order of the plugins. The default value for this parameter is 0, allowing you to assign appropriate values based on your needs. Also, a change in the plugin execution order now ensures that during a poleval execution, the plugins are executed in the following order:
Synchronous plugins (based on their Execute order attribute)
Synchronous plugins
Asynchronous plugins
For more information about synchronous plugins, see the Plugins section.
From this version onwards, when an asynchronous plugin is executed correctly, it will add a specific tag in the format of PLE<plugin_name>. Consult the tags table section for tagging examples.
After the execution of each sync plugin, the VLAN ID will be checked, and if the VLAN ID is set to “rejected,” the session status will be automatically updated accordingly. This ensures that the status change is enforced, addressing the previous limitation where plugins could only check the session status and not the VLAN ID. For more information, see the Plugins section.
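The following is an added illustrative model (not OpenNAC code) of the poleval behaviour described above: synchronous plugins run first, ordered by their Execute order attribute (default 0), then asynchronous plugins; after each synchronous plugin the VLAN ID is checked and a "rejected" VLAN updates the session status, and each asynchronous plugin that completes without error adds a PLE<plugin_name> tag. Plugin names, the Session fields and the tag spelling are assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Session:
    vlan: Optional[str] = None       # VLAN ID assigned during evaluation
    status: str = "pending"          # session status enforced from the VLAN
    tags: Set[str] = field(default_factory=set)


@dataclass
class Plugin:
    name: str
    synchronous: bool
    run: Callable[[Session], None]
    execute_order: int = 0           # default value 0, as in the release notes


def ordered_plugins(plugins: List[Plugin]) -> List[Plugin]:
    """Synchronous plugins sorted by execute_order (stable sort keeps the
    configured sequence for equal values), followed by asynchronous ones."""
    sync = sorted((p for p in plugins if p.synchronous), key=lambda p: p.execute_order)
    asyn = [p for p in plugins if not p.synchronous]
    return sync + asyn


def poleval(session: Session, plugins: List[Plugin]) -> List[str]:
    """Run the plugins in order and return the names that executed correctly."""
    executed = []
    for p in ordered_plugins(plugins):
        try:
            p.run(session)
        except Exception:
            continue                          # a failing plugin gets no PLE tag
        executed.append(p.name)
        if p.synchronous and session.vlan == "rejected":
            session.status = "rejected"       # status enforced from the VLAN ID
        elif not p.synchronous:
            session.tags.add(f"PLE{p.name}")  # tag format: PLE<plugin_name>
    return executed


def demo():
    # Constructed plugin set: "quarantine" sets the rejected VLAN; it is
    # synchronous with order 5, so it runs after the order-0 sync plugins.
    session = Session()
    plugins = [
        Plugin("quarantine", True, lambda s: setattr(s, "vlan", "rejected"), execute_order=5),
        Plugin("uds", True, lambda s: None),
        Plugin("discover", False, lambda s: None),
        Plugin("cmdb", True, lambda s: None),
    ]
    return poleval(session, plugins), session
```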
Starting with this release, when the components of OpenNAC are discovered and added to the CMDB, they will no longer be listed as “Generic”. Instead, OpenNAC will be included in the CMDB as a specific brand, and its components will be categorized as specific models. See the Network Devices section for more information.
We have implemented compatibility for CoA messages with the Alcatel 6560 switch series, which was previously not supported among the available Brands/Models in OpenNAC Enterprise. See the Network Devices Compatibility and Configuration section for more details about this homologation.
We have implemented compatibility for CoA messages and security profiles with the FortiSwitch 124F switch series, which was previously not supported among the available Brands/Models in OpenNAC Enterprise. See the Network Devices Compatibility and Configuration section for more details about this homologation.
We have added compatibility for CoA messages, NetBackup, NetConf, SNMP Traps, and dynamic security profile support to the Extreme X440G2 switch series. See the Network Devices Compatibility and Configuration section for more details.
In this new release, you will see that the Extreme Networks B5K125 switch is homologated to ensure its correct operation in the OpenNAC Enterprise solution. For more information about this homologation, see the Network Devices Compatibility and Configuration section.
This release also presents the compatibility for Toggle Port through CoA messages and backups through the NetBackup module on Aruba 2930F. For more information about this homologation, see the Network Devices Compatibility and Configuration section.
When creating User Data Sources (UDS), the default type has been updated to Active Directory (AD) instead of the LDAP type. This change aims to prevent reported issues where querying Active Directory groups would fail and not display groups, which occurred due to their default configuration as LDAP. See the User Data Sources section for more information.
We have added a new script that automatically updates the CRLs used by RADIUS certificate authentications. See the Development section for more information.
The discover plugin now includes a “specific port list” field that allows for faster scanning by specifying a predefined list of ports to be scanned. See the discover plugin section for detailed information about the plugin execution.
When a known DHCP fingerprint is processed, all the DFP tags in the tree are added to it. For example, in an HP printer fingerprint, the DFP_PRINTER and DFP_PRINTER_HP tags will be added.
When the scanned output matches a defined encoded information (Banners, HTTP parsing and SNMP OID), and the tag to be added has parents in the profile tree, it will also add the parent tags. For example, if an output text matches NETWORK_DEVICE_AP_CISCO, it will also add NETWORK_DEVICE_AP and NETWORK_DEVICE.
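As an added example (not OpenNAC's own code) of the parent-tag behaviour described in the two items above: a tag matched from a DHCP fingerprint or from scanner output is added together with every ancestor in the profile tree. The profile tree and the banner rules below are constructed sample data; OpenNAC keeps its own tree and encoded information.

```python
import re
from typing import Dict, List, Pattern, Set, Tuple

# Constructed sample profile tree: child tag -> parent tag.
PROFILE_TREE: Dict[str, str] = {
    "DFP_PRINTER_HP": "DFP_PRINTER",
    "NETWORK_DEVICE_AP_CISCO": "NETWORK_DEVICE_AP",
    "NETWORK_DEVICE_AP": "NETWORK_DEVICE",
}

# Constructed sample "encoded information": a pattern on scanner output -> tag.
BANNER_RULES: List[Tuple[Pattern, str]] = [
    (re.compile(r"Cisco IOS.*Access Point", re.I), "NETWORK_DEVICE_AP_CISCO"),
    (re.compile(r"HP (LaserJet|OfficeJet)", re.I), "DFP_PRINTER_HP"),
]


def with_ancestors(tag: str, tree: Dict[str, str]) -> Set[str]:
    """Return the tag plus all its parents, walking up the tree.
    A visited set guards against a malformed tree containing a cycle."""
    tags = {tag}
    seen = set()
    while tag in tree and tag not in seen:
        seen.add(tag)
        tag = tree[tag]
        tags.add(tag)
    return tags


def tags_for_output(output: str, rules=BANNER_RULES, tree=PROFILE_TREE) -> Set[str]:
    """Tags to add for a piece of scanner output (banner, HTTP body, SNMP
    value): every matching rule contributes its tag and the tag's ancestors."""
    result: Set[str] = set()
    for pattern, tag in rules:
        if pattern.search(output):
            result |= with_ancestors(tag, tree)
    return result
```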
This release also presents compatibility for the NetBackup and NetConf modules on Cisco SG350X.
By default, the number of connections is used first to sort the Business Profiles. However, in case of equal connections, the Member ID is used instead of the Name field, so it is more advisable to use the latter.
In this new release, we have added the following improvements to the ipdiscover plugin:
Use of the Generic Device class to support SNMP v3.
Use of NetDev IP Management, if it is defined.
The SNMP status check prior to the ARP query has been removed, since it could fail when ACLs restrict SNMP queries; the ARP query itself now determines whether the device is reachable, avoiding unnecessary queries.
If two NetDevs that are gateways of a network share the same management IP, only one of them is queried (through that management IP), since the same router may have several interfaces acting as gateways and it is not necessary to query each one.
Standardization of logs.
Error handling.
Configuration for SNMP v3 has been added.
New profiling rules have been added.
Now, when the DHCP fingerprint is modified and new types of DFP tags are generated, the old tags are deleted to reduce possible failures when calculating the profiling. See the User device profiling section for more information.
In this new release, the Update Installation Pending (UIP) tag is included in the security tag grouping.
We have implemented an automated script for rotating Radius radacct logs, specifically the ‘detail-%Y%m%d’ logs, to ensure log files remain manageable in size.
In this release, we have introduced a new parameter for the DHCP Helper Reader, allowing the configuration of a secondary Gearman server. This enhancement is particularly useful in situations where two independent deployments share data and rely on a single Sensor. Requests can be sent to both the primary and secondary servers simultaneously.
1.5.12.1.2. ON Agent
The Agent’s User Interface now presents new icons and images. See the Agent’s User Interface section for more details.
There is a new tab that allows users to configure ON Agent licenses for the soluble and installable versions of the Agent in multiple languages. For more details, see the Agent Configuration section.
Introducing a new agent payload rule: The HDT_MACRANDOM tag will now be created when the payload contains the RANDOM_MAC_SWITCH attribute. See the Agent payload section for more information about payloads.
Users can now connect to the VPN even if their license has expired. While they won’t be able to administer OpenNAC, it will not affect their VPN service. Users making VPN connections may be using the same IP.
We have implemented the multisessions functionality in OpenNAC and the CMIX node, allowing users to establish multiple sessions. With this update, session identification is now based on sessionId instead of username, which enables straightforward tracking and management of individual sessions. For detailed information about the Agent, see the Agent Doc in the Reference Guide section.
We have improved the authentication process to distinguish between UDS (User Data Sources) being down and incorrect username/password entries, providing more accurate feedback during authentication attempts.
You can now enable notification warnings for VPN disconnections and the interval between these notifications. See the Agent profiles section for more information about how to enable these notifications.
There is a new functionality that allows using Content Delivery Network (CDN) to download the soluble agent. The CDN infrastructure optimizes the download process for the soluble agent. See the Agent Configuration section for more details.
In this new version, we announce the availability of two OpenNAC Agent installers for MacOS: one for Macosx x64 architecture and another for Macosx arm64 architecture. See the ON Agent section for more information.
To facilitate deployments across multiple computers within an Active Directory domain, this new version provides a script to install the Agent using an Active Directory GPO in the ON Agent > Configuration section. Refer to Remote Deployment for Windows for more information.
Users can now download the Windows, Macosx, and Linux versions of the Soluble Agent from the web server. For more details, see the Agent configuration section.
We have reviewed the information sent in different Agent payloads, introducing new fields: System updates active, System updated, and System build number. Additionally, we have added three new sections called Pending System Updates, Tags, and Recover to the payloads. See the Agent payload section for more information.
In this version, the dynamic text fields of the Agent User Interface are also translated when the app language changes.
We have increased the timeout for the Agent download to 5 minutes. Also, now the user will receive a notification if this time is exceeded. See the Agent Configuration section for more information about Agent download and installation options.
The “uninstall Agent” payloads now are also sent to MacOS and Linux platforms.
As of this version, application updates have a limit of two max attempts for download and installation. If the update fails, the Agent Update failed field in the OPENNAC DATA payload section will show “true.”
Now, the user will be notified that an authentication is needed for the payload to be processed. You can enable this option in “Parser options” located at the Agent Configuration section.
From this version, you can obtain the consumption information of the service by consulting the OSQueries table.
We have introduced compatibility with MacOS processors M1 and M2 in this update.
In this release, we have implemented a new API call to retrieve the agent license based on the agent type and language: /opennac-agent/license?type=X&lang=X, where “Type” can be either “s” for soluble or “i” for installer, and “Lang” should be replaced with the desired language code.
We have enhanced the payload to report the server selected from the list of IPs and domains, as well as the URL used to send the payload. You can see it in the CHOSEN_SERVER field.
In this release, there is a new “AGENT_USER_AUTHENTICATED” property in the agent response. It indicates whether a user has been authenticated (true/false).
OSQuery has been updated to version 5.8.2.
This version includes improvements related to the VPN disconnection notifications.
We have added local proxy settings for MacOS and Linux, in addition to the existing support for Windows. For information on how to enable local proxy, see the Agent profiles section.
In cases with multiple configured servers, our latest update enhances the retry mechanism. If a connection error occurs with the currently used server during disconnection, the system will now attempt to reconnect with the other configured servers before returning an error.
We have improved User Interface messages and notifications. See the Agent Troubleshooting section for more information.
In this release, we have enhanced the uninstallation process on all operating systems. Agent logs, previously found in UI/Service directories, will now be relocated to the /tmp/ folder.
Now, the Agent also detects session locking and unlocking events in MacOS and Linux. See the Data sent to the OpenNAC server section for more information.
In this release, we’ve embedded the Linux WireGuard library directly into the Agent, enabling seamless WireGuard management without external commands.
A new tag named OSU_LAST_UPDATE_{DAYS} is created when the computer has not been updated for 15 or more days. This applies to both installable and soluble agents. See the Agent-Collected Data Tags section for tag examples.
1.5.12.1.3. ON Analytics
OpenNAC logrotate has been created to rotate the healthcheck logs.
A new dashboard for VLANs profiles has been added. For more information go to Profiles per VLAN dashboard.
1.5.12.1.4. ON Aggregator
OpenNAC logrotate has been created to rotate the healthcheck logs.
A new Discover functionality has been implemented for devices based on Sensor connections when there is access VLAN information captured. Refer to discover mac address in access VLANs.
1.5.12.1.5. ON Sensor
OpenNAC logrotate has been created to rotate the healthcheck logs.
1.5.12.1.6. Captive Portal
We have included a new healthcheck (CAPTIVE_PORTAL_THEMES) to check if captive portal themes of a Worker machine are synchronized with the ON Principal. There is also a script to synchronize Captive themes. The script copies all the captive portal theme files from the onprincipal to the onworker instances, ensuring that the themes are consistent between them.
/usr/share/opennac/api/scripts/synchronizeCaptiveThemes.sh
For more information about healthchecks, see the Platform Administration > Healthcheck section.
1.5.12.2. Documentation
All development changes and new features implemented are documented. Refer to the provided navigation links within the release notes to access more detailed information about each specific topic.
We greatly appreciate user feedback and ratings as they play a crucial role in delivering user-oriented content. Please, continue sharing your valuable insights to help us improve and meet your needs. You can do so by clicking on the smiley face you can see at the bottom of the documentation page and leaving a comment. Thank you for your contribution!