Note

New documentation has been launched for this release, with a new structure, a new theme, and all information up to date.

1.5.9. Release 1.2.2-9

Release date: 24.11.2022

Note

If there is an ON Analytics cluster, it is recommended to update the ON Analytics nodes one by one so that the cluster does not go down. Before upgrading the next node, it is important to check that the previously upgraded Elasticsearch node has been successfully added back to the cluster.

The new changes in this release are the following:

1.5.9.1. ON Core

  • Use of dynamic values in the custom parameters and the RADIUS parameters defined in the policies. For custom parameters and RADIUS parameters, we can add dynamic values in the form %VARIABLE%. The dynamic values that we can use are the following:

    • RULENUM

    • RULENAME

    • MAC

    • DATE

    • USERID

    • SWITCHIP

    • SWITCHPORT

    • SWITCHPORTID

    • IP

    • VSA

    • VLAN

  • The OpenNAC ID is now created from the assetid and not from the URI, as was done before. All user devices are registered, so they will all have an assetid.

  • New priority for the Called-Station-SSID parameter taken from the RADIUS parameters. The Called-Station-SSID field of the RADIUS parameters is parsed and saved with the following priority, since the value can arrive in different fields: Called-Station-SSID => Called-Station-ID => cisco-wlan-ssid.

  • New DHCP fingerprints. The following fingerprints have been added:

    • 1,121,33,3,6,12,15,26,28,42,51,54,58,59,119,157|LifeSize Video Conferencing

    • 1,28,2,3,15,6,12,119|RIM BlackBerry

    • 1,3,6,12,15,28,42,43,66,60,61|Alcatel OmniTouch

    • 66,67,160|MediaPack Analog gateway

    • 1,3,4,6,43|Moxa OS

    • 1,2,3,4,6,12,15,28,40,41,42,43,66,67,160,128,129,132,144,157,191|AudioCodes

    • 1,2,4,3,12,6,15,44,43,161,162,184,185,186,192,187,181,182,188,190,194,199,165,166,167,169,140,141,166,167|Wyse Technology Thin Client

    • 43|Dell DRAC

    • 1,28,2,3,15,6,119,12,44,47,26,121,42,252|Aruba WiFi Sensor

    • 1,3,6,12,15,17,28,42,43,56,60,61,66,67|VoIP Device

    • 1,2,3,4,6,12,15,28,40,41,42,43,66,67,160|AudioCodes

    • 1,121,3,6,15,108,114,119,252,95,44,46|Apple OS

  • Autoconnect functionality in ON Agent. In ON Agent -> Agent Profile -> Taskbar configuration there is an option to autoconnect the agent, with the following choices:

    • User defined

    • Automatic connection by default

    • No automatic connection by default

    • Force automatic connection

  • Aruba CX-6200 switch homologation: the Aruba CX-6200 switch has been approved with the following parameters:

    • General info

      • Brand: Aruba

      • Model: CX-6200 JL725A 6200F 24G CL4 4SFP+370W Swch

      • Current firmware used: ArubaOS-CX ML.10.10.1000

    • Dot1x Authentication

      • Supplicant Auth: OK

      • Supplicant User: OK

      • Supplicant Host: OK

      • Supplicant Cert: OK

      • MAB Auth: OK

    • Dot1x Authorization

      • Default VLAN: OK

      • Critical VLAN: OK

      • Reject VLAN: OK

      • Dynamic VLAN: OK

      • Voice VLAN: OK

      • ACLs:

        • Static: OK

        • Dynamic: OK

    • TogglePort

      • CoA:

        • MAB: OK

        • Dot1x: OK

      • SNMP: OK -> min version 10.10.100

    • SNMP Traps

      • MAC change: OK

    • NetConf & NetBackup

      • NetConf: OK

      • NetBackup: OK

  • Access point Aruba 505H homologation: the Aruba 505H AP has been approved with the following parameters:

    • General info

      • Brand: Aruba

      • Model: 505H

      • Current firmware used: 8.9.0.2

    • Dot1x Authentication

      • Supplicant Auth: OK

      • Supplicant User: OK

      • Supplicant Host: OK

      • Supplicant Cert: OK

      • MAC Auth: OK

      • MAB: KO

    • Dot1x Authorization

      • Default VLAN: OK

      • Critical VLAN: KO

      • Dynamic VLAN: OK

    • Captive Portal

      • Default VLAN: OK

      • Critical VLAN: KO

      • Dynamic VLAN: OK

    • TogglePort

      • CoA:

        • MAB: OK

        • Dot1x: OK

    • NetConf & NetBackup

      • NetConf: OK

      • NetBackup: OK

  • Switch Alcatel 6224 homologation: the switch Alcatel 6224 has been approved with the following parameters:

    • General info

      • Brand: Alcatel

      • Model: 6224

      • Current firmware used: 1.7.1.12

    • Dot1x Authentication

      • Supplicant Auth: OK

      • Supplicant User: OK

      • Supplicant Host: OK

      • Supplicant Cert: OK

      • MAB Auth: OK / KO

    • Dot1x Authorization

      • Default VLAN: OK / KO

      • Critical VLAN: OK / KO

      • Reject VLAN: OK / KO

      • Dynamic VLAN: OK / KO

      • Voice VLAN: OK / KO

      • ACLs:

        • Static: OK / KO

        • Dynamic: OK / KO

    • TogglePort

      • CoA:

        • MAB: OK / KO

        • Dot1x: OK / KO

      • SNMP: OK

    • SNMP Traps

      • MAC change: OK / KO

    • NetConf & NetBackup

      • NetConf: OK

      • NetBackup: OK

  • New PPX_ tag to display the levels of the EPT tag, for example:

    • EPT_DESKTOP_LINUX_UBUNTU:

      • PP1_DESKTOP

      • PP2_DESKTOP_LINUX

      • PP3_DESKTOP_LINUX_UBUNTU

  • ipdiscover plugin. New plugin that looks up the IP addresses of the MACs that have active status in openNAC and were learned from an SNMP trap.

  • medigate plugin. This plugin retrieves information from the Medigate platform to help us profile users’ devices by providing information about security, device operating system, VOS, etc. The MAC address is used to execute queries to the Medigate API and obtain information about the user’s device (if the device is already registered in the Medigate database and they have information about it).

  • Certain tags that appeared in the others section in business profiles have been classified:

    • UCA (User Device Category): Profile

    • USC (User Device Sub Category): Profile

    • UMA (User Device Manufacturer): Profile

    • UTA (User Device Type): Profile

    • UMO (User Device Model): Profile

    • UCL (User Device Class): Profile

    • VOS (Version Operating System): Profile

    • ROS (Root Operating System): Profile

    • DOS (Device Operating System): Profile

    • UPL (User Device Purdue Level): Network

    • DRG (Device Risk Grade): Governance

    • HDT (Hardware Device Type): Profile

    • UFC (User Device FDA Class): Profile

    • DMO (Device Mobility): Profile

  • New trending chart for php-fpm pools. New graphs of php-fpm in Trending -> OpenNAC:

    • PHP-FPM poleval processes

    • PHP-FPM www processes

  • New screenrc file as default screen template

    • A new base for screen configuration is defined, including visual enhancements and predefined commands to improve usability.
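
The SSID priority (Called-Station-SSID => Called-Station-ID => cisco-wlan-ssid) and the %VARIABLE% dynamic values described earlier in this section, as an added example in Python that is not OpenNAC code; the "MAC:SSID" form of Called-Station-ID and the sample context values are assumptions:

```python
import re

# SSID field priority from the release notes; keys are compared case-insensitively.
SSID_FIELDS = ("called-station-ssid", "called-station-id", "cisco-wlan-ssid")
# %VARIABLE% names that policies may use in custom and RADIUS parameters.
DYNAMIC_VARS = {"RULENUM", "RULENAME", "MAC", "DATE", "USERID", "SWITCHIP",
                "SWITCHPORT", "SWITCHPORTID", "IP", "VSA", "VLAN"}
TOKEN_RE = re.compile(r"%([A-Z]+)%")

def resolve_ssid(radius_attrs):
    """SSID by priority Called-Station-SSID => Called-Station-ID => cisco-wlan-ssid.
    Assumption (not on the page): a Called-Station-ID of the form 'MAC:SSID' carries
    the SSID after the first colon, as wireless NAS devices commonly send it."""
    attrs = {k.lower(): v for k, v in radius_attrs.items()}
    for field in SSID_FIELDS:
        value = attrs.get(field)
        if not value:
            continue
        if field == "called-station-id" and ":" in value:
            return value.split(":", 1)[1]
        return value
    return None

def expand_dynamic_values(template, context):
    """Replace %VARIABLE% tokens with values from the policy context. Unknown names
    or missing values are left untouched so a typo stays visible in the result."""
    def replace(match):
        name = match.group(1)
        if name in DYNAMIC_VARS and context.get(name) is not None:
            return str(context[name])
        return match.group(0)
    return TOKEN_RE.sub(replace, template)

# Constructed sample policy hit and RADIUS request attributes (not real data).
SAMPLE_CONTEXT = {"RULENUM": 7, "RULENAME": "Corp-Laptops", "MAC": "aa:bb:cc:dd:ee:ff",
                  "USERID": "jdoe", "SWITCHIP": "192.0.2.10", "SWITCHPORT": "Gi1/0/12",
                  "VLAN": 120, "DATE": "2022-11-24"}
SAMPLE_RADIUS = {"Called-Station-Id": "00-11-22-33-44-55:Corp-WiFi",
                 "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}

def render_custom_parameter():
    """A custom-parameter template expanded for the sample policy hit."""
    template = ("rule %RULENUM% (%RULENAME%) user=%USERID% mac=%MAC% "
                "vlan=%VLAN% ssid=" + (resolve_ssid(SAMPLE_RADIUS) or "none"))
    return expand_dynamic_values(template, SAMPLE_CONTEXT)
```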

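An added example (not OpenNAC code) of how a fingerprint table in the "options|device" format listed above can be applied: it parses the lines, extracts option 55 from the raw DHCP options area and looks it up by exact, order-sensitive match. The table is a subset copied from the list above, the packet bytes are constructed, and the exact-match rule is an assumption, since the page does not describe the comparison.

```python
# Fingerprint lines in the release-notes format 'option,option,...|Device name'
# (a subset copied from the list above; the table itself is constructed here).
FINGERPRINTS_RAW = """
1,28,2,3,15,6,12,119|RIM BlackBerry
66,67,160|MediaPack Analog gateway
1,3,4,6,43|Moxa OS
43|Dell DRAC
1,2,3,4,6,12,15,28,40,41,42,43,66,67,160|AudioCodes
1,121,3,6,15,108,114,119,252,95,44,46|Apple OS
"""

def parse_fingerprints(text):
    """Parse fingerprint lines into {option tuple: device name}; blanks are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        options, name = line.split("|", 1)
        table[tuple(int(o) for o in options.split(","))] = name.strip()
    return table

FINGERPRINT_TABLE = parse_fingerprints(FINGERPRINTS_RAW)

def option55_from_dhcp_options(options):
    """Walk the DHCP options area (bytes after the magic cookie) as code/length/value
    records and return the parameter request list (option 55), or None if absent."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:                  # end-of-options marker
            return None
        if code == 0:                    # pad byte carries no length
            i += 1
            continue
        if i + 1 >= len(options):        # truncated record: stop, never index past the end
            return None
        length = options[i + 1]
        if code == 55:
            return list(options[i + 2:i + 2 + length])
        i += 2 + length
    return None

def match_fingerprint(request_list, table=FINGERPRINT_TABLE):
    """Exact, order-sensitive lookup of the option 55 list (assumed matching rule).
    Returns the device name or None when nothing matches."""
    return table.get(tuple(request_list)) if request_list else None

def profile_dhcp_request(options):
    """Raw options bytes -> device name or None (constructed end-to-end helper)."""
    return match_fingerprint(option55_from_dhcp_options(options))
```
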
1.5.9.2. OTP

  • It is possible to send OTP QR by email to several users at the same time in Configuration -> OTP with the Send QR function.

  • Local OpenNAC users are allowed to authenticate by OTP.

1.5.9.3. Third Party VPN

  • An option to finish the profile-guest-users workflow without running the agent has been added. If the user device does not support downloading and running the agent, it is allowed to finish the workflow and the ONC_AGENT_UNAVAILABLE tag is added.

  • New tags are added in the profile-guest-users workflow. The CWT_PROFILE_GUEST_USERS (Captive Workflow Template) tag and the DOS (Device Operating System) tag are added to the devices that go through the workflow.

  • Warning that the agent filename must not be modified. In the captive workflow, it is warned that the user must not modify the name of the agent file once it is downloaded.

1.5.9.4. ON Analytics

  • Updated ELK (Elasticsearch, Logstash, and Kibana) from version 7.2.1 to version 7.17.6. This update addresses the Log4j vulnerability.

  • Improved RADIUS logs. The URL that arrives in the RADIUS logs in Kibana is now parsed in order to extract all the information contained in the poleval in question.

  • A field with the tag count has been created. All Kibana logs enriched with OpenNAC data contain a new variable that shows the total number of tags the device in question has. The variable is opennac_tags_on.length.

  • New dashboards have been added:

    • Third Party VPN

    • Volumetry

    • Profiling Metrics

    • Visibility mobile details

  • Improved geoip database. The geoip database has been improved to keep all public IPs updated with the corresponding locations.

1.5.9.5. ON Agent

  • New impersonate script to apply proxy settings. A script has been created that is executed every time we connect to or disconnect from the VPN through WireGuard. The script runs on network change, full scan, and user scan events. When we connect to WireGuard the proxy settings need to be applied; when we disconnect they need to be disabled.

  • New function that alerts the user to authenticate to process the payload. In ON Agent -> Agent Configuration -> Download & Parse, the “Only process trusted payloads” option has been added. It alerts the user that they have to authenticate for the payload to be processed.

  • EMMA’s new theme. In ON Agent -> Agent Configuration -> Download & Install agent options, a selector has been added in “UI theme” that allows changing the agent theme between OpenNAC and EMMA.

  • Autologin feature in WireGuard. In ON Agent -> Agent Profiles, the autoconnect option for the agent has been added. It offers four options:

    • To connect when the user requires it, with the option to select it from the agent.

    • Connect by default.

    • Don’t connect by default.

    • Force autoconnect.

  • New timeout for POST type payloads. In the case of a payload, the POST action timeout should be a maximum of 45 seconds. In all other cases a 5 second timeout is sufficient.

  • New USER_ACTIVE osquery for Linux and macOS. A new SQL entry called USER_ACTIVE has been added for macOS and Linux:
    USER_ACTIVE = SELECT DISTINCT user AS NAME FROM logged_in_users WHERE type = 'user' AND user != ''
  • Notice of misconfiguration of the file name in the soluble agent. The data is collected and transferred to the server regardless of whether the file name setting is correct or not. If the file name is incorrect and it will not be possible to send data, the user is notified before data collection so that they know in advance.

  • The VPN user has been hidden in the logs on a VPN connection/autoconnect. With the auto-connect feature it has also been hidden in Windows Credential Manager, where it was previously visible without requiring any special permissions (“$username [$configFile]” was displayed). The user can be stored in the password field, as macOS does, so the stored password becomes “$username [$configFile] $password” (with the username stored as “VpnCredentials”), which is also hidden in this case.

  • All translations for the 5 available languages have been added. The language displayed in the soluble agent is chosen automatically from the language configured in the user’s operating system. The languages are: English, Portuguese, French, Catalan and Spanish.

  • If a payload fails, it is retried after a random amount of time. A 5xx error means that the server is under heavy load, so openNAC returns this type of response and the agent handles it by waiting a random amount of time before sending the payload again.
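
The timeout rule for POST payloads and the random retry on 5xx responses described above, as an added example in Python that is not the ON Agent's code; the retry limit, the 30 second maximum delay and the transport stub are assumptions:

```python
import random
import time

POST_PAYLOAD_TIMEOUT = 45   # seconds: a payload sent by POST, from the release notes
DEFAULT_TIMEOUT = 5         # seconds: every other request

def timeout_for(method, is_payload):
    """Pick the request timeout: 45 s only for a payload sent by POST, else 5 s."""
    return POST_PAYLOAD_TIMEOUT if method == "POST" and is_payload else DEFAULT_TIMEOUT

def send_payload(transport, payload, max_attempts=5, max_delay=30.0,
                 sleep=time.sleep, rng=random.random):
    """Send `payload` via `transport(payload, timeout) -> HTTP status`.
    A 5xx means the server is under heavy load: wait a random delay in
    [0, max_delay) seconds and retry, up to max_attempts. Any other status is
    final. Returns (last status, attempts used). The limits are assumptions."""
    timeout = timeout_for("POST", True)
    status = None
    for attempt in range(1, max_attempts + 1):
        status = transport(payload, timeout)
        if not 500 <= status <= 599:
            return status, attempt
        if attempt < max_attempts:
            sleep(rng() * max_delay)   # random back-off spreads retries over time
    return status, max_attempts

def make_flaky_transport(failures):
    """Constructed test double: answers 503 `failures` times, then 200 OK."""
    calls = {"n": 0}
    def transport(payload, timeout):
        calls["n"] += 1
        return 503 if calls["n"] <= failures else 200
    return transport

if __name__ == "__main__":
    waits = []
    result = send_payload(make_flaky_transport(2), {"RANDOM_MAC_SWITCH": True},
                          sleep=waits.append, rng=lambda: 0.5)
    print(result, waits)
```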

  • New Wireguard management on Windows with integrated libraries:

    • tunnel.dll

    • wireguard.dll

  • The VPN interface disconnects when doing an agent update.

  • New RANDOM_MAC_SWITCH attribute in payloads. A new attribute in the agent payload indicates whether the random MACs feature is enabled. It appears under the name RANDOM_MAC_SWITCH in the JSON of the payload.