1.5.3. Release 1.2.4-1

Release date: 18.03.2024

Welcome to the 1.2.4 OpenNAC Enterprise release.

In this release, our main focus has been on enhancing stability to ensure a seamless user experience. The Agent now boasts improved stabilization and diagnostics.

The standout feature of this release is the incorporation of the Linux Rocky 9 update.

Warning

The OpenNAC Enterprise 1.2.4 version requires the upgrade to Rocky Linux 9. Before migrating to version 1.2.4, run the Rocky Linux 9 update process.

Users can upgrade to version 1.2.4 from any 1.2.2 release series.

After completing the Rocky Linux upgrade, you can proceed to the update of your OpenNAC components.

Note

A hardening script has been developed to secure all the OpenNAC components. This script is applied during updates to version 1.2.4-1 or when deploying new 1.2.4-1 nodes.

Warning

It is necessary to replace the elasticsearch-curator action file (action.yaml) with the new one.

  • First save a backup: cp /etc/elastCurator/action.yaml /etc/elastCurator/action.yaml.bkcp.

  • Then replace the file: cp /usr/share/opennac/analytics/curator/action.yaml /etc/elastCurator/action.yaml.

  • Finally, edit the new action.yaml file and re-apply the values you had before, which are preserved in /etc/elastCurator/action.yaml.bkcp.
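The three steps above as one POSIX shell function (an added example, not part of the OpenNAC documentation). It defaults to the paths named in the warning, refuses to overwrite an existing backup so an operator's tuned values are never lost, and prints a diff so the values to carry over are visible; the arguments are an assumption added so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: replace the elasticsearch-curator action.yaml as described
# in the release note. Defaults are the paths from the note; arguments
# override them (assumption, so the function can run on a scratch copy).
#   $1  installed file to replace  (default /etc/elastCurator/action.yaml)
#   $2  new packaged file          (default /usr/share/opennac/analytics/curator/action.yaml)
#   $3  backup destination         (default "$1.bkcp")
# Return codes: 0 ok, 1 new file missing, 2 backup exists, 3/4 copy failed.
replace_curator_action() {
    current="${1:-/etc/elastCurator/action.yaml}"
    new="${2:-/usr/share/opennac/analytics/curator/action.yaml}"
    backup="${3:-$current.bkcp}"

    # Nothing to install if the packaged file is absent.
    if [ ! -f "$new" ]; then
        echo "new action.yaml not found: $new" >&2
        return 1
    fi
    # Never clobber an earlier backup: it may hold the only copy of the
    # operator's tuned retention values.
    if [ -e "$backup" ]; then
        echo "backup already exists, not overwriting: $backup" >&2
        return 2
    fi
    # Step 1: save a backup (only when a current file exists).
    if [ -f "$current" ]; then
        cp -p "$current" "$backup" || return 3
    fi
    # Step 2: replace the installed file with the packaged one.
    cp "$new" "$current" || return 4

    # Step 3 is manual: show what differs so the old values can be re-applied
    # in the new file.
    if [ -f "$backup" ] && command -v diff >/dev/null 2>&1; then
        echo "Lines differing between backup (<) and new file (>):"
        diff "$backup" "$current" || true
    fi
    return 0
}
```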

Warning

This version introduces a security enhancement for captive communications by implementing HTTP request redirecting to the HTTPS protocol. With this update, all requests sent to the Captive Portal will be automatically redirected to HTTPS.

1.5.3.1. OpenNAC improvements

This section describes all changes that affect the OpenNAC solution.

1.5.3.1.1. ON Core

These are the changes that affect the ON Core component in this release.

Functionalities

  • Added a Proxy configuration in the Configuration vars section to provide proxy settings to all plugins that use external communication: airwatch, airwatchSync, ciscoprime, ironchipSync, maas360, maas360Sync, medigate, mobileIron and mobileIronSync. See the Configuration vars > General section for more information.

  • New parameter called Deny VLAN in the airwatchSync plugin configuration that allows specifying a VLAN assignment for devices not registered in Airwatch. See the airwatchSync plugin section for more information.

  • There is a new parameter that defines the range of IPs that can trigger the execution of the FortiGateAccounting plugin. See the Configuration > Plugin section for more information.

  • This version features a new plugin called getADGroup. This plugin obtains the names of the Active Directory groups to which the device belongs and adds them under a defined tag prefix. See the Configuration > Plugins section for more information.

  • The Business Profiles view introduces improved visualization for the connection Certificate field.

  • In this release, we have removed the Tag Policies > ND Tag policies view from the Administration Portal.

  • There is a new tag format generated through Agent data collection for Windows. This tag provides specific details about the product enabled within the Internal Security Status (ISS) tags, such as ISS_AV_PRODUCT_XXX. See the Agent-Collected Data Tags section for more information.

  • Added support for SNMP login events on the Extreme Networks B5 switch. See the Wired supported devices section for more information.

  • Implemented a feature where OpenNAC utilizes the relay agent IP address as the gateway in DHCP-Helper-Reader events, restricted to starter events. This enhancement allows for the utilization of the relay agent IP address extracted from a DHCP request packet, enabling its use as the gateway in sessions where no previous gateway was present.

  • This release brings improvements for policy evaluation visualization. Now, the field Params processed is displayed collapsed by default, and the remaining fields Params received, Result and Evaluation can also be collapsed. In addition, the Params received field now includes the identification of the Source Module of the event. See the Business Profiles section for more information about this view.

  • This version adds the option to Collapse or Expand all Policies when creating or editing one. See the NAC > Policies section for more information.

  • The Policies view features a new button (Enable/Disable) in the main task bar for enabling and disabling multiple policies. Refer to the NAC > Policies section to visualize it.

  • The healthcheck that verifies the expiration dates of user passwords now only checks the Admin user password and was renamed from ADM_USERS_PASSWD_EXPIRATION to ADM_USER_PASSWD_EXPIRATION. See the Platform Administration > Healthcheck section for a complete list of services healthchecks.

  • In this version, when running the script updatedb, it will exclude non-existent directories from its operations.

  • Extended default timeout for non-connected users to over 120 seconds, for improved connection efficiency.

  • To enhance OpenNAC performance and prevent potential issues, a timeout feature has been implemented for NetBackup operations.

  • Upon joining Active Directory, our system now automatically handles the NTLM healthcheck using information from the UDS read-only user.

  • This version allows JSON format to be used to pack job data in queues, alongside the php serialization format currently in use.

  • In this release, we have implemented port redirection from 80 to 443 on VPNGW Firewall polevals.

  • This version introduces a validator feature for the VPNGW section to verify files before import, reducing the risk of human errors. Now you can validate zones, policies, rules, params, interfaces, and hosts files prior to execution.

  • We have improved the import process of VPNGW objects allowing them to have a minimum of 3 characters instead of 4 characters.

  • This release addresses the issue with MAC address handling in User Device imports. Now, the import process effectively manages incorrect MAC addresses, empty fields, and repeated MAC addresses.

  • Now, when configuring the Download & Install agent options, the “CDN URL” will remain available even if you disable the “Use CDN to download agent soluble” flag. This improvement will prevent you from having to reintroduce the URL every time you enable the flag. See the Agent configuration section for more information.

  • The section Agent Profiles > Network Renewal configuration now includes a new parameter called Maximum server status check time, which sets a duration in seconds for checking the server status. See the Agent Profiles section for more information.

  • This version prevents unauthorized downloads of the Agent from the Administration Portal IP. Operators can now disable a specific URL in the Administration Portal.

  • We have updated the SQLQuery parameter of Linux SOFTWARE OSQueries. It now retrieves only the packages that are marked as installed.

  • This version features syslog parsing for Switch Trunk Ports. To enable this functionality, set the SYSLOG_PARSE_SWITCH_TRUNK_PORT parameter to “true” in the /etc/default/opennac configuration file.

  • The ON Captive section features a new section called Captive Configuration. It consists of a flag to allow or disallow the Agent download from the Administration Portal IP. See the ON Captive section for more information.

  • We have removed the warning that notifies the user that the active modules do not match the installed license.

  • The filebeat has been updated to version 8.12.2, ensuring compatibility and enhancing performance for data collection and transmission within the system.

Bugs fixed

  • This release addresses and fixes bugs introduced by the PHP 8.1 upgrade.

  • Resolved an issue where the Frontend did not process characters correctly in the Regular Expression field when configuring NDC rules.

  • This release resolves an issue in NetBackup Scheduler Flags where an Application Error occurred when attempting to sort the table by [STATUS | STAGE] columns.

  • This version has enhanced the assignment of IPv4 Local Networks in the VPNGW WireGuard configuration allowing only valid entries in this field.

  • Resolved an issue with the output status message in Business Profiles > Policy evaluation > Params received, eliminating confusion. Previously, when not all data was autodiscovered by the plugin using tags, it incorrectly indicated “Plugin finished with errors”. The message has been refined to accurately reflect the scenario.

  • When configuring Captive Workflows, the email field in the Notifications tab now displays validation messages in the correct language as per the setting previously specified in the General options of this section.

  • Addressed a bug where MACDISCOVER events were erroneously discarded by OpenNAC due to incorrect handling, which resulted in misinterpreting the network definition status.

  • Resolved the issue in MikroTik 802.1X configurations, enabling the toggle port to use the username without the domain.

  • Resolved the issue of invalid Calling-Station-Id and NAS-Port values in MikroTik DHCP accounting, ensuring accurate and reliable reporting.

  • This version addresses the issue where the EPT view was not being removed when its related User Device Profiling was deleted.

  • When a tunneled GRE traffic (ERSPAN) was managed by the Sensor, the DHCP-Helper-Reader could not process the DHCP packets. This problem has been successfully addressed in this release.

  • This version addresses issues related to invalid responses when uploading Certificate Authority files in the VPNGW section.

  • In the NextGen Portal, attempting to visualize Unidentified User devices was returning an error message. This issue has now been resolved.

  • Fixed an issue in the User Device Profiling configuration where profiles were erroneously set to predefined.

  • This version resolves the issue where a VPN connection remained active in the Core, even though the disconnection was executed at the node. Also fixes the connection being logged as “toggle port” instead of indicating disconnected from Agent.

  • This release fixes a misleading error message in the Policy evaluation based on fortiGateAccounting plugin. It incorrectly displayed ‘Plugin finished with errors’ when not all data was auto-discovered using tags.

  • The DHCP-Helper-Reader can now process GRE or ERSPAN packets, by using a custom filter. See the ON Sensor advanced configuration topic for a custom filter example.

  • Resolved the issue related to errors encountered when loading certificate files in VPNGW views.

  • This release addresses the issues regarding OSQuery’s proper functionality on macOS systems.

  • The DHCP-Helper-Reader now functions properly even when Gearmand is unavailable, preventing excessive CPU consumption.

  • The NetBackup process now completes successfully and saves the configuration file of the NetDev on Alcatel 6260 switches.

  • Resolved an issue about the Network Devices CMDB Modified date display. It now displays the proper Modified date in the network device details.

  • Resolved an issue where nodes were not automatically set as active in the list of server IPs after being activated in VPNGW farms.

  • Users now receive a descriptive warning when attempting to authenticate against the Administration Portal and the Active Directory is unavailable.

  • This version addresses errors regarding DISK_VAR and DISK_VAR_LOG healthchecks when deploying OVAs.

  • The User Devices bulk edit feature works properly in the new release.

  • VPN logout events have been fixed so the logout is not processed when triggered by a different user.

  • The error notification displayed due to deleting a VPNGW policy has been fixed.

  • This version fixes the password being displayed as cleartext when logging in to the Administration Portal.

  • In this version, as the partitions have been modified, the DISK_VAR healthcheck is no longer performed in the following nodes: analytics, aggregator, analy+agg, sensor, and vpngw.

  • This version adds support for dynamic Security Profiles and TogglePort over SNMP to MikroTik switches.

  • Resolved session data reset in active sessions occurring after receiving an IpMac with complementary session data information.

  • Resolved CLI errors encountered during NDC test simulation.

  • We have addressed the issue regarding the NDC PDF Report. The file was being generated without a file extension and this issue is now resolved.

  • Fixed an issue where checkboxes remained checked after deletion or other modifications in all tables.

  • Resolved issue where captive themes were created with root ownership instead of Apache during synchronization with the synchronizeCaptiveThemes.sh script, enhancing the theme synchronization process.

  • Fixed an issue where selecting a VPNGW node in VPNGW Interfaces resulted in an application error, causing the user to be logged out.

  • This version resolves an issue that occurred in different sections of the Administration Portal, where the table failed to refresh after deleting multiple items.

1.5.3.1.2. ON Captive

These are the changes that affect the ON Captive component in this release.

Functionalities

  • We have disabled the BACKUP healthcheck for the ON Captive node by default as it has no database and it is not necessary to execute a backup.

  • The filebeat has been updated to version 8.12.2, ensuring compatibility and enhancing performance for data collection and transmission within the system.

1.5.3.1.3. ON Analytics

These are the changes that affect the ON Analytics component in this release.

Functionalities

  • The Mobile Visibility Dashboard was removed from this version and the Profiling Metrics dashboard now features new tables to provide information about profiling tags. See the Profiling metrics dashboard section for more information about the visualizations.

  • The UNAC use case now features a new Analytics visualization called Volumetry dashboard. See the Analytics > UNAC section for more information.

  • We have updated the ELK stack, including Elasticsearch, Kibana and Metricbeat, to version 8.12.2, introducing new features, improvements, and enhanced functionality to our system’s data processing and visualization capabilities.

  • We have updated Elasticsearch Curator to version 8.0.10 and EnhancedTable plugin to version 1.14.0, enhancing the management of Elasticsearch indices and improving analytics capabilities within our system.

Bugs fixed

  • This version has resolved an issue where Elasticsearch’s log rotation was not functioning properly.

  • This release introduces the necessary changes, enabling proper functionality for shortcut filters in Elasticsearch 8.9.

  • This version brings a new Analytics view called Stack monitoring that displays Analytics cluster metrics. See the Analytics > Stack monitoring section for a detailed description.

  • We have addressed an issue where elasticsearch-curator was not installed in the analytics environment, and added a package to the repository to facilitate installation in offline environments.

  • This version resolves a deprecated curl issue that was impacting Analytics cluster updates.

1.5.3.1.4. ON Aggregator

These are the changes that affect the ON Aggregator component in this release.

Functionalities

  • Implemented parsing of switch-trunk-port logs for Analytics. The SwitchTrunkPortStatus job now sends a log with output results, which are parsed and sent to Analytics.

  • This version implements a syslog parser to identify link up notifications related to trunk ports for initiating additional checks.

  • We have updated the ELK stack, including Logstash and Metricbeat, to version 8.12.2, introducing new features, improvements, and enhanced functionality to our system’s data processing and visualization capabilities.

Bugs fixed

  • Addressed an issue in the ON Aggregator where the policy evaluation was sending incorrect information.

1.5.3.1.5. ON Sensor

These are the changes that affect the ON Sensor component in this release.

Functionalities

  • The filebeat has been updated to version 8.12.2, ensuring compatibility and enhancing performance for data collection and transmission within the system.

Bugs fixed

  • Fixed the issue where the HP ERM script was added to the local.zeek file every time the ON Sensor was updated.

1.5.3.1.6. ON VPNGW

These are the changes that affect the ON VPNGW component in this release.

Functionalities

  • The filebeat has been updated to version 8.12.2, ensuring compatibility and enhancing performance for data collection and transmission within the system.

  • In this release, we have improved the VPNGW update process by implementing a procedure that ensures smoother updates.

Bugs fixed

  • This release fixes the issue where, during the update of the ON VPNGW node, the filebeat file was being removed.

  • Resolved issue where Redis was generating unwanted dump files in the update, migration, and deployment processes.

1.5.3.1.7. ON AGENT

These are the changes that affect the ON Agent component in this release.

Functionalities

  • We have updated the OSQuery version used in the Multiplatform Agent to the 5.11.0 version.

  • From this release onwards, when multiple servers are configured for the Agent, the UI will display server statuses using colors to indicate whether they are up (green) or down (red). See the Agent’s User Interface section for more information.

  • A new flag has been implemented in the OSQuery configuration, which, when enabled, allows for empty results. See the Agent configuration section for more information.

  • The IPTABLES entity is now properly displayed in the Payload section, facilitating analysis of network traffic filtering. See the Agent payload section for more information.

  • In this release, the IPTABLES OSQuery has been deprecated due to non-functionality; information retrieval has been transitioned to Agent commands, making Iptables query with OSQuery unnecessary.

  • New entity displayed in the Agent payload view for INSTALLED SYSTEM UPDATES. See the Agent payload section for more information.

  • The Multiplatform Agent OSQueries now introduces a new setting for Processes allowing you to Execute OSQuery during network scan. See the Agent configuration section for more information.

  • This version brings a firewall change event detection enhancement. Now, the system can detect firewall change events when an iptables command fails. In such instances, a payload containing the corresponding error message on the IPTABLES parameter is sent to the server.

  • The Use interactive OSQuery flag has been replaced with the Allow empty result flag in the Agent Configuration options. Enable this flag if the specified OSQuery may produce empty results; if it is disabled, an error message will be displayed inside the payload entity when it returns empty data. See the Multiplatform Agent OSQueries for more information.

  • This version enables remote script execution for the Agent on MacOS and Ubuntu in the Agent Queries.

  • The Agent Profile section now features a new selector called Log level that replaces the Debug mode flag in both Service and Taskbar configuration. See the Agent profile section to visualize this new parameter.

  • This version prevents the Agent update when the user is not active. The user is now also notified when the update has finished.

  • The Agent user interface now displays new WireGuard connection states: Authenticating and Connecting.

  • We have updated WireGuard sessions on Linux and macOS so that the session remains connected when locking a session but disconnects when closing it or switching to another user, making VPN management smoother.

  • In the event of an Agent upgrade, VPN disconnection will now be accompanied by an indication of the reason for the disconnect.

  • This version introduces a separation of dependency between the client connection timeout parameter and the IP renewal functionality. This modification allows for the IP renewal process to operate independently by introducing a new parameter.

  • Changes to the Agent 2FA connection: the 2FA section was removed from the VPN connection form, and the OTP input screen is displayed only when authentication requires it.

Bugs fixed

  • Fixed the issue in Download & Install agent options where the Agent server was not saved as default after the configuration was saved.

  • Resolved a bug where local DNS entries were not correctly added to WireGuard DNS on MacOS.

  • This version fixes the issue on System Updates payload type, where no information was being displayed.

  • Fixed an issue with the decoding of Agent soluble names, specifically addressing errors encountered when decoding soluble names with the CDN script.

  • Resolved the issue where the Proxy checker task was being created more than once, resulting in proxies not being deleted after a manual VPN disconnect.

  • Fixed a Windows platform bug that prevented the disabling of events due to user session changes.

  • Resolved the issue where scheduled payloads were erroneously reconfigured after the equipment had been suspended for some time.

  • Fixed an issue in the VPN Wireguard Agent on Linux where automatic route assignment was not functioning. It addresses the problem of manual route assignment for accessing hosts via VPN Wireguard.

  • Resolved the issue where uninstalling the Agent on Windows without access to the %localappdata%/Temp was not possible.

  • Fixed the issue where custom DNS settings were unexpectedly removed after connecting to the VPN.

  • Fixed the bug where Agent scripts were listed without any corresponding enabled processes to execute the script.

  • This version addresses Soluble Agent issues in Windows and Linux operating systems.

  • Resolved issue where auto connection to WireGuard VPN after computer suspension was unsuccessful due to the interface remaining up.

  • Fixed issue where a Linux Agent update failed because the logged-in session was not detected.

  • This release addresses an issue where incorrect DNS settings persisted in MacOS after running with the Agent, causing connectivity problems when switching networks.

  • Resolved discrepancy between data displayed in Agent logs and WireGuard, ensuring accurate transmission information.

  • This version applies a correction in the USER_ACTIVE OSQuery, fixing the multiple users being incorrectly reported as active.

  • Fixed issue where exception information in OSQuery was not sent to the server.

  • We have addressed the unnecessary launch of autoconnect from the service to the UI, ensuring it is only managed by the UI when necessary, such as in the case of SAML.

  • This version addresses the issue where authentication failed when the VPN autoconnect feature was enabled with saved credentials. Previously, disabling the autoconnect checkbox and then attempting to connect manually allowed authentication without requiring credentials.

  • From this version, after uninstalling the Agent, the autoconnection credentials are going to be cleared.

  • This version fixes the issue regarding multiple status requests occurring when connecting to the VPN.

  • This version improves the readability of logs by unifying lines, removing irrelevant information, and renaming functions for an enhanced comprehensibility.

  • We have addressed the issue with the Agent response URL upon update. The download request was being sent to the previous server after the Agent processed the response.

  • The issue where adding a new interface resulted in two NetworkChange payloads in Windows has been resolved. Now, only one payload containing the network change is sent as expected.

  • This release resolves an issue where OSQuery was found inactive in some Agent applications.

  • The issue where changes to the SESSION_EVENTS OSQuery in the Core were not applied in the Agent has been resolved. Now, the functionality works properly.

  • We have enhanced the timestamp format within the opennac-agent-analytics logs and included IP address values.

  • This release resolved an application error encountered while editing user device profiling child.

  • Resolved issue where duplicate Session Change payloads were generated upon logout in Ubuntu.

  • Fixed unexpected behavior encountered when installing after removing the older Agent version on Ubuntu 23.10.

  • Fixed issue with Lock/Unlock events not functioning on Ubuntu 20.04. Previously, no payload was sent and there were no corresponding event logs.

  • Resolved issue where the Agent UI limited the field by maximum length, preventing users from inputting two domains.

  • Fixed issue with incorrect VPN status displayed in the Agent UI.

  • Resolved Agent UI crash occurring when closing the UI after canceling Terms & Conditions.

  • Fixed issue where uninstalling software on the Linux platform did not generate payloads.

  • Resolved issue where Stop payloads were not functioning correctly on Ubuntu.

  • Fixed the issue that prevented the execution of the Soluble Agent on the Windows platform.

  • Resolved an issue where the time between VPN disconnection notifications did not change properly upon updating the value in the Administration Portal. With the fix, the updated value is immediately enforced upon refresh without waiting for the next notification.

  • Fixed KeyNotFoundException occurring in OsQueryEventManager. Previously, exceptions were thrown for events such as Network and Session Changes on Linux/MacOS platforms, as well as firewall events on Windows, where the expected event payload was not sent if initially configured as disabled and later enabled.

  • This version addresses an incorrect language display issue in the Soluble Agent Terms & Conditions window.

  • Resolved an issue related to slow performance when opening Agent UI windows.

  • Fixed an issue where the VPN network change was not reported in the payload of a logout event when disconnecting from the VPN.

1.5.3.2. Automated deployments

These are the Ansible changes that affect the deployment of the OpenNAC components in this release.

Functionalities

  • New in version 1.2.4, the Ansible playbooks are now stored in our public repository. Users can conveniently access a ZIP file containing the essential playbooks required for the OpenNAC automated deployment.

  • This version introduces Ansible playbooks for Captive configuration and VPNGW configuration in the repository.

  • The configuration of the Metricbeat has been included in the ansible configuration for Analytics, Aggregator, and Analy+Agg.

  • This version features a new ansible for the automatic configuration migration from CMIX to the VPNGW node. See the CMIX to VPNGW Migration section for more information.

  • The vpngw and captive collectd configuration in the Ansible playbooks has been corrected, and collectd installation has been standardized in the package building specs; the need for the network configuration is under review. LoadPlugin syslog has been removed, and types.conf and conntrack.conf are now copied to all collectd roles.

  • This version introduces a new ansible for bulk password management. Now, you can change all MySQL passwords along with the Portal and CollectD passwords by configuring their variables and executing a single command. See the Bulk Password management section for more information.

  • This version adds the collectd_password variable to the vars_general.yml file.

  • A new playbook has been created to change the passwords of some OpenNAC services (mysql, collectd, proxy shared_key, etc.).

Bugs fixed

  • From this release onwards, when the worker configuration role (worker_config) is executed, it will not remove the database.

  • This version fixes logrotate errors to ensure correct log file permissions, adjust program setup, and maintain system integrity.

  • The .ini files are now only copied during Ansible execution if they do not already exist, preventing the replacement of user configurations.

1.5.3.3. Documentation improvements

All the documentation changes are described in this section.

  • FAQ: In this release you will see there is a new section dedicated to Frequently Asked Questions, designed to address your most common doubts and provide helpful insights.

  • Glossary expansion: We are actively expanding the glossary to offer a more extensive and user-friendly reference for key terms.

  • Basic concepts expansion: just like with the glossary enhancement, we have expanded basic concepts in the documentation to ensure a solid understanding of foundational ideas.

  • License Error Troubleshooting: A new section guides users on manually configuring Core nodes to eliminate error messages in the Administration Portal. This is particularly useful for users without the VPNGW license.

  • Automated Deployments: We have restructured the entire Automated Deployments section to improve the deployment experience after exhaustive testing of the documentation’s usability. Detailed instructions for first-time deployments and new node deployments, either using OVA or from an Empty Rocky Linux, are now available.

    • We have temporarily removed the Allin1 server deployment from the documentation. We are actively working on providing support and will update users as soon as it becomes available again.

  • Satisfaction Survey: We greatly appreciate user feedback and ratings as they play a crucial role in delivering user-oriented content. Please, share your valuable insights to help us improve and meet your needs. You can locate the Feedback tab on the right side of the documentation page. Thank you for your contribution!