1.5.2. Release 1.2.3-1

Release date: 09.10.2023

Welcome to the 1.2.3 OpenNAC Enterprise release.

We are thrilled to announce the integration of the CMI console to the Web Administration Portal to enhance your software experience. With this integration, users can now find a new section called VPNGW in the main menu without having to navigate to a separate platform. This means you can now access and utilize the functionalities of different consoles from a single interface, simplifying your workflows and saving you time.

Our second important announcement is a completely new and improved Administration Portal design. For now, this new console only includes the VPN component for the 2SRA use case, but we will be introducing the remaining modules in future releases. That means you will still need the Default Portal to administrate other use cases at the moment.

In addition to this, we have compiled several improvements and new functionalities that you will see in the release notes.

1.5.2.1. Development Changes

Warning

When migrating from 1.2.2 to 1.2.3, delete VPN configuration files and all VPN plugin configurations.

The VPN config files cannot be managed from the portal in the 1.2.3 version.

Warning

PHP 8 has been enabled in version 1.2.3, check the migration process before proceeding with the update.

1.5.2.1.1. VPNGW

This topic presents all the new features related to VPNGW.

  • The VPNGW component offers the following levels of configuration and customization in the Default Administration Portal:

    • Manage VPNGW: The CMI is now integrated into the Administration Portal and lives in this section.

    • CMDB: From this section you can manage Objects, Radius authentications, Certificate authorities, and Server certificates.

    • FARM: From the Manage VPNGW section you can create farms. This section features the former CMIX configurations: Zones, Interfaces, Policies, Rules, Hosts, WireGuard, OpenVPN.

  • The NextGen Administration Portal features two views (operate and configure) where the same VPN configuration assets are reorganized in a different display.

See the Default portal > VPNGW or NextGen Portal > VPN sections for detailed information about the VPNGW component interface. You can also consult the VPNGW component section for information on its architecture and sizing.

  • Within this new version, we have enhanced the user experience by allowing users to establish multiple WireGuard sessions simultaneously across different devices using the same identity.

  • There is a new log called opennac-delay.log that records the time it takes to establish a new connection and to disconnect a VPN user using the WireGuard protocol. See the Logs description section for more details.

  • There is a new healthcheck for VPNGW. See the Healthcheck section for more information.

1.5.2.1.2. ON Core

This topic presents all the new features related to the ON Core.

  • The execution of playbooks for automated deployments has changed. See the Ansible deployment from empty Rocky Linux and the Ansible configuration from OpenNAC OVA sections for more information.

  • There is a new plugin that manages endpoint device tags once a logout event is produced. Normally, plugins cannot modify user device parameters once the device logs out; the tagsLogoutSync plugin exists precisely to manage tags after logout events. See the tagsLogoutSync section to learn more about the plugin.

  • There are new password compliance definitions for the Administration Portal:

    • It cannot be the user’s name.

    • It cannot be a car license plate.

    • None of the last 3 passwords used can be reused.

    The system will enforce a password change annually. For more information, read the Password Management section.

  • Now, every time you change configurations in the Business Profiles configuration and Dashboards configuration sections, it will force reloading only the main menu instead of the whole portal. See the Dashboards Configuration and Business Profiles Configuration sections for more information.

  • Quickly add users’ notes from the Administration Portal settings menu. You can see this new feature in the drop-down menu by clicking on the user icon. See the Administration Portal Overview for more information.

  • In this new version, if a sync plugin execution takes longer than 10 seconds, it will trigger a warning message. A policy evaluation can now trap possible errors and report them by showing a message in the poleval statusmessage.

  • You can now also visualize response data from ON NAC > Business profiles > Default view, by clicking on the View policy evaluation eye icon. See the Business profiles section for more information.

  • We have added new filters to the API.

  • Users can now call the agentpayload and agenttimeline endpoints, and access the API info, using their API key.

  • Now, two users from different MAC addresses can connect to the VPN, allowing VPN Multisessions to take place.

  • The CMDB > Network devices and User Devices sections feature a new icon for each tag group. By clicking on this toggle icon, the tag group will become a new field in the Network devices/User devices table. See Network Devices and User Devices for more information.

  • The CMDB > Network Devices and User Devices sections have merged the tags search bar with the filters search bar. Now, you can find the tags option inside the add filter drop-down menu. See Network Devices and User Devices for more information.

  • The CMDB export process has been improved. Now, in massive deployments with a large number of registered user devices, you can export the query XML and JSON files in less time. The algorithm now divides and exports tasks between several workers. Find more information about the export process in the CMDB Exports section.

  • We have installed the Rsync package for this version. This utility enables efficient data transfer and synchronization, since it minimizes the amount of data copied, moving only the parts of the files that have changed.

  • In this version, we have introduced an enhanced balancing key solution to improve request handling. Now, all the workers correctly attend to a similar number of requests.

  • In this release, we have improved security by encrypting API tokens in headers for enhanced protection.

1.5.2.1.3. Multiplatform Agent

This topic presents changes related to the Multiplatform Agent.

  • To enhance the authentication process, we have introduced new functionalities and improved the way payloads are stored:

    • Agent Payloads and logs are compressed before their storage in the database.

    • The API now retrieves the last authentication status on each Agent response.

    • The API now sends, saves, and displays the user ID of the person who authenticated the Agent.

  • We have improved the Network OSQuery to allow identifying the interface type on Windows platforms and random MAC addresses. You can see that in the Agent Payloads section when clicking on the “View payload” eye icon. There are two new columns in the Networks* information section called:

    • Interface type - It will return Physical, Virtual, or Unknown. On macOS and Linux platforms, it will return Unknown.

    • Random MAC - It will return TRUE or FALSE.

See the Agent payload section for more information.

  • The Agent payload now includes the Random MAC Switch attribute that will return TRUE or FALSE. You can see that in the Agent Payloads section when clicking on the “View payload” eye icon. There is a new field in the Hardware information section called Random MAC Switch. See the Agent payload section for more information.

  • Now you can manage custom OSQueries from the Administration Portal. The Agent Configuration section has a new tab called Multiplatform Agent OSQueries. This section guides you to select the data you want to obtain and also gives you the option to directly write the OSQuery to be executed. See the Multiplatform Agent OSQueries section for detailed information.

  • This release allows you to configure multiple Agent URLs and set one as the default for Agent download. See the Agent configuration section for more information.

  • The connection IP field of the Agent profile section is now preconfigured in the Agent configuration > Download & Install agent options section.

1.5.2.1.4. Analytics & Sensor

This topic presents changes related to the Analytics and Sensor components.

  • Introducing a significant update to the Analytics section, this release brings a Dashboards refactor. The dashboards have been restructured in an intuitive manner, organized by use cases for enhanced usability.

For a clear visual representation of the changes, we have prepared a table showcasing the former dashboard on the left and its corresponding new version on the right:

  Former Dashboard                          New Version

Discover
  Discover                                  Discover

Visibility
  Use Cases/Visibility & Discovery          Visibility Overview
  Use Cases/Visibility mobile detail        Mobile Visibility

UNAC
  Use Cases/Unac Dashboard                  UNAC Overview
  openNAC/Volumetry                         UNAC Detail
  openNAC/Radius                            Authentication metrics

Segmentation
  Use Cases/Segmentation Dashboard          Segmentation Overview
  openNAC/Radius                            Segmentation metrics

UDC
  Use Cases/Endpoint Compliance             UDC Overview
  NEW DASHBOARD                             UDC Metrics
  Agent details                             UDC Agent Metrics
  Use Cases/EPT changes                     EPT Changes

NDC
  Use Cases/Network Device Compliance       NDC Overview
  NEW DASHBOARD                             NDC Details
  NEW DASHBOARD                             NDC Metrics

2SRA
  Use Cases/VPN                             2SRA Overview
  Volumetry filtered by VPN                 2SRA Metrics
  Use Cases/VPNGW                           VPNGW
  Use Cases/Third Party VPN                 Third Party VPN

Guest/BYOD
  Use Cases/Guest/BYOD                      Guest/BYOD MNGT Overview
  Use Cases/Guest/BYOD                      Guest/BYOD MNGT Metrics

Log aggregation
  Network devices syslog                    Network devices syslog

  Custom Dashboard                          Custom Dashboard

  • We have updated our ELK software to version 8.9.0. The packages updated are: elasticsearch (8.9.0), elasticsearch-curator (8.0.8), logstash (8.9.0), kibana (8.9.0), filebeat (8.9.0), enhancedTable plugin (8.9.0).

  • Now, you will no longer see the Kibana headers in the Administration Portal. To customize dashboards, you can access the Kibana development environment, using the following path:

    https://<CORE_IP_OR_DOMAIN>/admin/rest/elasticsearch/app/home
    
  • We have added the vpngw index which contains VPN use case events. There is a new dashboard that displays an overview of these events. See the VPNGW dashboard section for more information.

  • In this release, we have introduced separate packages, opennac-analytics and opennac-aggregator, to improve role distinction.

  • We have enhanced the ON Sensor by incorporating a Zeek script that enables the decoding of HP ERM traffic on port 7932 UDP.

  • In this release, we have incorporated the latest versions of the Zeek (5.2.1) and PF_RING (8.4.0) packages.

  • Due to a vulnerability issue, we have upgraded the Ruby RPM to version 2.7. This package is utilized by Logstash.

1.5.2.1.5. Tags

This topic presents a list of changes related to Tags and their grouping system. For tags description and examples, see the Tags Table.

  • If there are more than 5 UTC (Unique Tag Change) tags, they will be grouped and displayed in the Business Profile Section as UTC_*. If you hover over UTC_*, you will be able to see the list of UTC tags.

  • The DSC (Device System Categorization) tag will be calculated in User Devices Tag Policies based on the DCL (Data Confidential Level), DIL (Data Integrity Level), DTL (Data Traceability Level), DAL (Data Authenticity Level), and DAG (Data Availability Grade) tags. The categorization reads as follows:

    • DSC_LOW is assigned if all the tags mentioned above are LOW.

    • DSC_MEDIUM is assigned if at least one of the tags is MEDIUM and none of them is HIGH.

    • DSC_HIGH is assigned if any of the tags is HIGH.

  • A new User Device group of tags called Governance Risk Compliance (GRC) now displays the following tags:

    • Data-related: DCL, DIL, DTL, DAL, DTC, DAD

    • Devices-related: DRG and DAG.

  • There is a new tag intended for VPN connections. Now, when connecting to the VPN using WireGuard, a tag will be added to the device:

    • Using 1FA > ONC_1FAAUTH

    • Using 2FA > ONC_2FAAUTH_OTP

  • There is a new tag intended for Agent reporting data called ARU (Agent Reporting URL).

  • The tag formerly known as MDN (Mobile Device Name) is now referred to as HAD (HTTP User Agent Device), so devices like Smart TVs can also get the correct tagging policy.

  • From this version, devices utilizing random MAC addresses across all of their interfaces will now be labeled with the tag HDT_MACRANDOM for improved identification.
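As an added example, not part of these release notes or of OpenNAC's own code, the following Python evaluates two of the User Device tag rules described above over a constructed device record: the DSC categorization derived from the DCL, DIL, DTL, DAL and DAG levels, and the HDT_MACRANDOM tag applied when every interface of a device uses a random MAC address. The tag names come from the notes; the record layout (a dict of tag name to level plus a list of interfaces), the decision to return no DSC tag when a level is missing, and the use of the locally-administered bit as a fallback to flag a random MAC are assumptions, since the notes only state that the Agent reports Random MAC as TRUE or FALSE.

```python
"""Added example (not OpenNAC code): evaluate the DSC and HDT_MACRANDOM
User Device tag rules from the 1.2.3 release notes over a constructed
device record. Tag names come from the notes; the record layout, the
treatment of missing levels and the random-MAC fallback are assumptions."""
from __future__ import annotations

# Level ordering used by the DSC rule: the worst level wins.
LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
DSC_INPUT_TAGS = ("DCL", "DIL", "DTL", "DAL", "DAG")


def dsc_tag(data_tags: dict[str, str]) -> str | None:
    """DSC_LOW if all five levels are LOW, DSC_HIGH if any is HIGH,
    DSC_MEDIUM otherwise (at least one MEDIUM, no HIGH).
    Returns None when a level is missing or not LOW/MEDIUM/HIGH, so an
    incomplete device is not silently categorized (assumed behaviour)."""
    ranks = []
    for name in DSC_INPUT_TAGS:
        level = data_tags.get(name, "").upper()
        if level not in LEVELS:
            return None
        ranks.append(LEVELS[level])
    worst = max(ranks)
    if worst == LEVELS["HIGH"]:
        return "DSC_HIGH"
    if worst == LEVELS["MEDIUM"]:
        return "DSC_MEDIUM"
    return "DSC_LOW"


def is_random_mac(mac: str) -> bool:
    """Fallback heuristic (assumption, not the Agent's documented method):
    a MAC whose locally-administered bit (bit 1 of the first octet) is set
    is treated as randomized, which is what OS-level MAC randomization
    produces. Accepts aa:bb:... or aa-bb-... notation."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def hdt_macrandom_tag(interfaces: list[dict]) -> str | None:
    """HDT_MACRANDOM only when every interface reports Random MAC = TRUE."""
    if not interfaces:
        return None
    return "HDT_MACRANDOM" if all(i["random_mac"] for i in interfaces) else None


def evaluate_device(device: dict) -> list[str]:
    """Collect the tags these two rules would add to one device record."""
    tags = []
    dsc = dsc_tag(device.get("data_tags", {}))
    if dsc:
        tags.append(dsc)
    macrandom = hdt_macrandom_tag(device.get("interfaces", []))
    if macrandom:
        tags.append(macrandom)
    return tags


def payload_to_device(payload: dict) -> dict:
    """Build a device record from a (constructed) Agent payload: the Agent
    reports a Random MAC flag per interface; when the flag is absent, fall
    back to the locally-administered-bit heuristic above."""
    interfaces = []
    for iface in payload["networks"]:
        flag = iface.get("random_mac")
        if flag is None:
            flag = is_random_mac(iface["mac"])
        interfaces.append({"name": iface["name"], "random_mac": flag})
    return {"data_tags": payload.get("data_tags", {}), "interfaces": interfaces}


# Constructed sample: a laptop with one randomized Wi-Fi MAC and one
# non-randomized Ethernet MAC, rated MEDIUM on data integrity.
SAMPLE_PAYLOAD = {
    "data_tags": {"DCL": "LOW", "DIL": "MEDIUM", "DTL": "LOW", "DAL": "LOW", "DAG": "LOW"},
    "networks": [
        {"name": "wlan0", "mac": "e6:12:34:56:78:9a"},
        {"name": "eth0", "mac": "a0:36:9f:00:00:01"},
    ],
}

if __name__ == "__main__":
    device = payload_to_device(SAMPLE_PAYLOAD)
    print(evaluate_device(device))  # ['DSC_MEDIUM']
```

The sample device gets DSC_MEDIUM (one MEDIUM level, no HIGH) but not HDT_MACRANDOM, because only one of its two interfaces uses a random MAC; a device whose every interface is randomized would receive HDT_MACRANDOM instead.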

1.5.2.2. Documentation Changes

  • The section previously known as Web Console Operation has been renamed to Administration Portal to align with the new portal implementation. The Administration Portal section was split into two sections to incorporate the new portal (NextGen) documentation: Default Portal and NextGen Portal.

  • The navigation of the 2SRA Use Case section has been redesigned to effectively meet the needs of the NextGen Portal. It was split into two sections to incorporate the new portal (NextGen) documentation: Default Portal and NextGen Portal. Also, as part of this update, a new section called End User Guide has been introduced, providing comprehensive information for end users on how to connect to the network.

  • The Agent Basic configuration section was split into two sections to incorporate the new Administration Portal (NextGen) documentation: Configuring and Installing the Agent in the NextGen Portal and Default Portal.

  • The Agent Update section was split into two sections to incorporate the new Administration Portal (NextGen) documentation: Updating the Agent in the NextGen Portal and Default Portal.

  • The new ON VPNGW Basic Configuration section was split into two sections to accommodate the new Administration Portal (NextGen) documentation: ON VPNGW Basic Configuration in the NextGen Portal and Default Portal.

  • Due to the CMI integration into the Administration Portal, the CMI-dedicated topics are no longer in the documentation. Instead, you can find a whole new section dedicated to the VPNGW module in the Administration Platform.

  • In response to the CMI integration, a new section called VPNGW was also incorporated into the Analytics Dashboards.

  • As part of the Analytics Dashboards refactor, we have made corresponding updates to the documentation. These changes can be found in both the NextGen Portal documentation and the Default Portal documentation.

  • We have introduced a new section titled Elevate in the documentation. This section is intended for users of Elevate, the centralized monitoring and management platform for OpenNAC instances.

  • We have introduced subtle changes to the Table of Contents to enhance navigation and create a more user-oriented structure in our documentation.

  • Graphic resources have been refreshed with a new design, ensuring a consistent and visually appealing experience.

We greatly appreciate user feedback and ratings as they play a crucial role in delivering user-oriented content. Please, continue sharing your valuable insights to help us improve and meet your needs. You can do so by clicking on the smiley face at the bottom of the documentation page and leaving your feedback. Thank you for your contribution!