1.5.5. Release 1.2.4-3

Release date: 08.07.2024

Welcome to the 1.2.4-3 OpenNAC Enterprise release.

In this release, our main focus has been on enhancing stability to ensure a seamless user experience through minor bug fixing.

With this release, the OpenNAC Agent is updated to version 102.04.03006.

1.5.5.1. OpenNAC improvements

This section describes all changes that affect the OpenNAC solution.

1.5.5.1.1. General

Functionalities

  • This version introduces partition healthchecks to monitor disk usage across various OVA partitions, including /var/log, /var, and /tmp.

  • This version limits SSH authentications by adding a new rule to the hardening script. Refer to the OpenNAC Securization section for a complete list of the rules applied.
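The partition healthcheck introduced above is described only by name. The following is an added example, not OpenNAC's own healthcheck code, showing the shape such a check takes: it measures used space per mount point with `shutil.disk_usage` and maps the percentage to OK / WARNING / CRITICAL. The partition list, the thresholds and the status ranking are assumptions chosen for the illustration.

```python
"""Partition usage healthcheck (added example, not OpenNAC's healthcheck)."""
import shutil

# Assumed partition list, taken from the release note; thresholds are assumptions.
PARTITIONS = ["/var/log", "/var", "/tmp"]
WARN_PCT = 80.0
CRIT_PCT = 90.0

# Rank used to pick the worst status across partitions (assumed ordering).
_RANK = {"OK": 0, "UNKNOWN": 1, "WARNING": 2, "CRITICAL": 3}


def used_percent(total, used):
    """Used space as a percentage, rounded to one decimal; 0 for an empty total."""
    if total == 0:
        return 0.0
    return round(used * 100.0 / total, 1)


def classify(used_pct, warn=WARN_PCT, crit=CRIT_PCT):
    """Map a used percentage to a status string using the thresholds."""
    if used_pct >= crit:
        return "CRITICAL"
    if used_pct >= warn:
        return "WARNING"
    return "OK"


def check_partition(path):
    """Measure one path. A path that does not exist yields UNKNOWN rather than an exception.

    Note: if the path is not a separate partition, disk_usage reports the
    containing filesystem, so /var/log and /var may show identical numbers.
    """
    try:
        st = shutil.disk_usage(path)
    except (FileNotFoundError, PermissionError):
        return {"path": path, "status": "UNKNOWN", "used_pct": None}
    pct = used_percent(st.total, st.used)
    return {"path": path, "status": classify(pct), "used_pct": pct}


def overall_status(results):
    """Worst status among the per-partition results."""
    if not results:
        return "UNKNOWN"
    return max((r["status"] for r in results), key=lambda s: _RANK[s])


def run(paths=PARTITIONS):
    results = [check_partition(p) for p in paths]
    return overall_status(results), results


if __name__ == "__main__":
    status, details = run()
    for r in details:
        print("%-10s %-8s %s" % (r["path"], r["status"], r["used_pct"]))
    print("overall:", status)
```

The pure helpers (`used_percent`, `classify`, `overall_status`) carry the decision logic, so they can be unit-tested without touching real disks; only `check_partition` performs I/O.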

Bugs

  • Resolved an issue where iptables configurations failed to apply rules defined in /etc/sysconfig/iptables after updates or Ansible deployments.

  • All scripts executed in cron.d now display the full path, preventing security issues.

1.5.5.1.2. ON Core

These are the changes that affect the ON Core component in this release.

Functionalities

  • We have enhanced HTTPD session cookie security by enforcing the SameSite attribute on session cookies in Apache. With SameSite set to “Strict”, the risk of cross-site request forgery (CSRF) attacks is significantly reduced.

  • When registering devices in the ON CMDB, you can now insert Tags as a set separated by commas instead of entering several tags individually.

  • This version introduces a new script that regenerates the Business Profiles shown in the EPT view, ensuring up-to-date information about profiles associated with user devices by filling in any missing User Device Profilings. See the ON Core Scripts section for more information.

  • This version features Apache basic authentication for the Elastic development portal. See the Customized Dashboards for information on how to configure the admin password.

  • There are new performance graphs for the Redis service in the Trending view: Redis defragmentation running, Redis allocator fragmentation (Ratio), Redis allocator fragmentation (Bytes), and Redis used memory. See the Status > Trending section for more details.

  • This version introduces Default preconfigured Policies. OpenNAC Enterprise helps users get started by providing a section with basic out-of-the-box policies with intuitive descriptive names. See the ON NAC > Policies section for more information.

  • The UD Tag policies section features a whole new set of default Tag Policies. See the UD Tag Policies section for more information.

  • The CACHE healthcheck now also monitors the Redis memory usage. See the Healthcheck section for more information.

  • This version adds CoA TogglePort, NetBackup, NetConf, and SNMP Traps Support for Dell N1500 devices.

  • The Policy evaluation view features a new icon to expand and collapse Params received, Params processed, and Result information. See the Business Profiles section for more information.

  • The Policy configuration window features a new icon to expand and collapse preconditions and postconditions. See the Policies section for more information.

  • The Policy configuration Precondition:Users and Precondition:Session now feature tooltips to help users configure certificate params and session data expressions. Navigate to ON NAC > Policies to visualize the new feature.

  • Added LDAP (disabled) module to the Radius inner-tunnel site for easy activation in cases where MSCHAPv2 functionality is desired.

  • This version adds a new parameter for the synchronizeCaptiveThemes.sh script. You can now specify a system user with sudo privileges but without root access. Refer to the ON Core scripts section for more information.

  • This version features a new default role (userDeviceViewer) with the permissions to operate User Devices within the ON CMDB. Refer to the ON CMDB > Security > Roles section for more information.

  • The URL Proxy exceptions field of the Agent VPN configuration now features a validator to improve the usability of this configuration view. Navigate to the Agent Profiles section for more information.

  • We have added support for CoA toggle port requests on Cisco WLC.

  • In case of an error during form submission, the Administration Portal page will now automatically scroll up to display the error message.
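The SameSite enforcement listed in this section is something an administrator will want to verify after upgrading. The following is an added example, not OpenNAC code: it parses `Set-Cookie` header values as a client would receive them and reports any session cookie that lacks `SameSite=Strict`, `Secure` or `HttpOnly`. The header samples are constructed for illustration; the Apache directive mentioned in the comment is the usual mod_headers way to append the attribute and is given only as background, not as the product's configuration.

```python
"""Audit Set-Cookie headers for SameSite / Secure / HttpOnly (added example, not OpenNAC code).

Background (illustration only, not OpenNAC's configuration): with mod_headers,
an attribute can be appended to every cookie with something like
    Header always edit Set-Cookie ^(.*)$ "$1; SameSite=Strict"
The checker below verifies the outcome from the client side.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Attribute names are case-insensitive per RFC 6265, so they are normalised;
    flag attributes (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header, expected_samesite="Strict"):
    """Return a list of findings for one Set-Cookie header; empty means the cookie passes."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    samesite = attrs.get("samesite", "")
    if samesite.lower() != expected_samesite.lower():
        # An absent attribute is treated as Lax by Chromium-based browsers,
        # which still allows top-level cross-site GET navigations to carry it.
        findings.append("SameSite is %s, expected %s" % (samesite or "absent", expected_samesite))
    if "secure" not in attrs:
        findings.append("Secure flag missing")
    if "httponly" not in attrs:
        findings.append("HttpOnly flag missing")
    return findings


def audit_response_headers(set_cookie_headers, session_cookie_names=("PHPSESSID",)):
    """Audit only the cookies that carry a session; returns {cookie_name: findings}."""
    report = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in session_cookie_names:
            report[cookie["name"]] = audit_cookie(header)
    return report


# Constructed sample headers: one as a hardened server would send it, one not.
SAMPLE_BEFORE = ["PHPSESSID=abc123; Path=/; HttpOnly", "lang=en; Path=/"]
SAMPLE_AFTER = ["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict", "lang=en; Path=/"]

if __name__ == "__main__":
    print("before:", audit_response_headers(SAMPLE_BEFORE))
    print("after: ", audit_response_headers(SAMPLE_AFTER))
```

`audit_response_headers` deliberately ignores non-session cookies such as a language preference, since forcing `SameSite=Strict` on those is a usability decision rather than a CSRF mitigation.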

Bugs fixed

  • Fixed an issue with the Agent Payloads search box where it wouldn’t return any values when introducing the ‘_’ character.

  • This version addresses an issue with the Business Profiles > Locations view where it was not properly handling the filtering of a larger number of tags.

  • Fixed the BitLocker tag handling, where the tags were not deleted when a device was disconnected.

  • Resolved an issue where the DNN tag occasionally was not assigned to devices.

  • This release fixes an issue where the orphan fingerprint tag was not inserted when a fingerprint was not identified in the CSV. The tag is now inserted correctly.

  • We have addressed an issue where the configUpdates.sh script was not properly adding credentials to the repository.

  • This version replaces the source_module LOGIN_USER for WireGuard VPN authentications with the source_module opennacwg in the policy evaluation details.

  • The date and time formats of the wireguard.log were standardized in this version.

  • This version fixed a warning issue related to Proxy RADIUS Balancing based on request attributes (force_Balance_Realm_opennac).

  • This release addresses errors when loading some Dashboards.

  • We have fixed a checkbox alignment issue in the Administration Portal frontend.

  • Refreshing the WireGuard configuration would produce an error in Tunnel Settings. This issue was addressed.

  • We have fixed a character encoding corruption in the Captive Portal Request Access Email. The text strings now are displayed correctly.

  • Some exceptions were added to the evaluateISSProductNotInstalled, evaluateUpdateInstallationNotInstalled, and evaluateCaCertificatesNotInstalled methods that process Agent payloads. They are now skipped if there are no ISS_AV_PRODUCT_* and ISS_FW_PRODUCT_* tags in the payload.

  • Fixed an issue where Agent Payloads SERVICE and SECURITYCENTER were removing IAI_* tags from user devices. Tags are now retained as expected.

  • Resolved an issue where NTLM healthchecks were not functioning properly with passwords containing semicolons (;).

  • The Policy evaluation view now displays policy match in increasing order, resolving the previous reverse order issue.

  • Resolved a segmentation fault issue in FreeRADIUS triggered by 802.1x authentication using Georgian (UTF-8) usernames.

  • Implemented measures to prevent the disclosure of sensitive information in the /opennac-agent URL.

  • Resolved a bug where autogenerated local users were incorrectly using WLC User connection TTL instead of converting workflow TTL from minutes to seconds.

  • Fixed an issue where the ON Core node IP was not being properly displayed on the Administration Portal.

  • This version addresses an issue where the Collectd Redis latency Trending graph was displaying all values as 0.00.

  • Fixed an issue with Dashboard shortcuts links within the Business Profiles table.

  • Resolved a bug where the ON Core was providing an invalid response to legacy payloads. The response now aligns with the Multiplatform Agent.

  • Fixed an issue where only a single email from users connecting to the VPN using SAML was being saved. Now, all emails associated with the user are sent to the API within the sessionData property.

  • Fixed an issue where the Network Behaviour Dashboard used an empty “User ID” as a shortcut filter.

  • This version addresses an error (Invalid HTTP response) that occurred when executing the VPN SAML workflow.

  • Resolved an issue that resulted in the malfunctioning of the DBreplication healthcheck.

  • This version fixes an issue where the guest profiling workflow was incorrectly downloading a 32-bit version of the Soluble Agent, despite a flag indicating that it should use the CDN for downloading.

  • Fixed an error in the Operate mode of the NextGen Administration Portal that caused it to display blank content when the user had multiple tabs open.

  • The opennacansible8 repository is no longer displayed in the API vendor path, preventing security issues.

  • We have optimized Lua scripts to reduce Redis memory fragmentation.

  • Fixed an issue where IpMac events were discarded during roaming.

  • Fixed memory limit error caused by high payload retention in payload sending.

  • The log entry for CoA togglePort now correctly displays “NO-RESPONSE” instead of “response UNSUPPORTED” reflecting the accurate status of the operation.

  • Fixed a security issue where the sharedLogin private key had read permissions for all users.

  • Resolved an issue where licenses with interfaces lacking IP addresses would throw a warning and fail to function properly.

  • Fixed an issue where UTC (Unique Tag Change) tags were incorrectly updated when Agent payloads were processed, preventing them from expiring after their configured TTL time.

  • Resolved an error encountered during database reset (resetdb) due to a missing API key.

  • Resolved an issue where Aruba 2530 NetBackup failed due to the switch prompt.

  • Fixed an issue where the Auto Learn tags were not being added to devices discovered.

  • Resolved an error that occurred in some installations where the Business Profiles > Location view would not be displayed.

  • We have limited the number of analyzed payloads to fix a payload timeline memory error.

1.5.5.1.3. ON Analytics

These are the changes that affect the ON Analytics component in this release.

Functionalities

  • This version enhances the visualizations for UDC Dashboards. It now displays data that relies on the following compliance tags: EPC_SECURITY_CENTER_COMPLIANCE, EPC_SECURITY_COMPLIANCE, EPC_SOFTWARE_COMPLIANCE, EPC_UPDATE_COMPLIANCE. See the Analytics > UDC > UDC Overview section for more information.

  • This version enhances the UNAC Volumetry Dashboard by adding new time evolution dashboards. See the Analytics > UNAC > UNAC Volumetry section for more information.

  • This version adds new visualizations for the 2SRA Metrics and 2SRA Overview Dashboards.

  • This release features a new Visibility Dashboard that displays information about devices that have connected to the network and been profiled. See the Profiling Details section for more information.

  • This version adds the opennac_source_module to the Discover dashboard shortcut view.

Bugs fixed

  • Analytics and Sensor healthchecks were enabled in this version for new OVAs partitioning.

  • Fixed an error in the Connection Map of the Network Behaviour Dashboard.

1.5.5.1.4. ON Aggregator

These are the changes that affect the ON Aggregator component in this release.

Functionalities

  • There is a new field for each Network Device Location tag in the OpenNAC index: opennac_netdevlocation_floor, opennac_netdevlocation_building, opennac_netdevlocation_city, opennac_netdevlocation_country, and opennac_netdevlocation_miscellaneous. See the newly available fields by navigating to the Analytics > Discover section.

1.5.5.1.5. ON Agent

These are the changes that affect the ON Agent component in this release.

Functionalities

  • There is a new log for CDN script executions on Windows Operating systems. Refer to the Soluble Agent log paths section for its location.

  • The Agent notifications now display standardized titles, e.g.: OpenNAC Agent - Update, OpenNAC Agent - VPN (Autoconnect), and OpenNAC Agent - VPN (Lost connection).

  • From this version, the Agent will send Policy notifications in the following cases, as long as a new payload response has been received:

    • After every full payload

    • After every scan payload

    • After every manual payload

    • After a policy change

    • After the message content has been changed

Refer to the ON NAC > Policy section to learn how to configure a customized policy notification.

  • The Soluble Agent now displays an alert message when executed on a 32-bit machine: “Running the agent is not possible on 32-bit operating systems”.

Bugs fixed

  • This version fixes an issue where the DNS backup was created with incorrect values.

  • Fixed the issue where the Connect VPN with WireGuard button was not being displayed after installing the Agent in MacOS versions.

  • Addressed an issue where the VPN was not disconnecting when the Agent service was stopped on Windows operating systems.

  • This version fixes the issue where the Agent icon was not displayed properly and the WireGuard interface was not working on Linux Ubuntu 24.04 LTS.

  • The .nac file was not recognized on Ubuntu 24.04 LTS, with the OS detecting it as an OpenNAC File but not finding any associated application to open it. This issue has been resolved.

  • A Network Change Payload was being generated after every session logout. This issue was addressed.

  • We have fixed the bug where the Recover payload was not being sent.

1.5.5.2. Automated deployments

These are the Ansible changes that affect the deployment of the OpenNAC components in this release.

  • This version removed unnecessary services for the proxy role within the Ansible configuration, preventing security issues.

Bugs fixed

  • After an update or deployment, on occasion the iptables configuration wouldn’t apply the rules defined in /etc/sysconfig/iptables. The iptables rules are now correctly applied.

  • The OpenNAC OVAs now include the iptables-nft tool.

1.5.5.3. Documentation improvements

All the documentation changes are described in this section.

  • This release includes a new search engine powered by Google and the documentation access is no longer protected by credentials.

  • We have included URL Exceptions Syntax patterns to help users to specify URL exceptions when configuring Agent Profiles. Refer to the VPN configuration section of Agent Profiles for more information.

  • The Business Profiles section structure was rearranged for a better display of the operational capabilities of this view. Refer to the Business Profiles Introduction to navigate through its sections.

  • This documentation version features a new section that provides all the necessary information for Agent end users. Refer to the Agent End User Guide for more information.

  • All OpenNAC Enterprise updates were also updated on doc-opennac.

We greatly appreciate user feedback and ratings as they play a crucial role in delivering user-oriented content. Please, share your valuable insights to help us improve and meet your needs. You can locate the Feedback tab on the right side of the documentation page. Thank you for your contribution!