1.5.3. Release 1.2.5-1

Release date: 29.11.2024

Welcome to the 1.2.5 OpenNAC Enterprise release.

In this release, our focus has been on improving the user experience. The key highlights include:

Agent Lateral Visibility: The Lateral Visibility function is designed to enhance network visibility by scanning for and analyzing devices within the same network. Refer to the Agent documentation for detailed information.

New Key Risk Indicator (KRI) Section: The NextGen Portal introduces a dedicated KRI section to offer a detailed overview of critical risk indicators, specifically targeting network security and compliance. For more details, refer to the KRI section.

Manage farms: This release introduces a new API module for managing “Farms”. The NextGen Portal now features a view for monitoring the nodes of your OpenNAC environment. For more details, refer to the Configure > Farms section.

Enhanced Agent UI: The Agent UI now displays real-time VPN status and provides detailed error information, giving users greater control over their connections. It also introduces the Smart 2FA feature.

Ansible directory path: The path has changed from /usr/share/opennac/utils/ansible to /usr/share/opennac/ansible.

VPN Services: Starting with this version, the Agent no longer supports OpenVPN, and the VPNGW node no longer includes the following packages: openvpn-2.5.9-2.el9.x86_64 and openvpn-auth-ldap-2.0.4-7.el9.x86_64.

Warning

This release requires additional update steps to ensure compatibility. Refer to the 1.2.5 Update Steps section to perform the necessary actions for a smooth upgrade.

1.5.3.1. OpenNAC Improvements

This section describes all changes that affect the OpenNAC Enterprise solution.

1.5.3.1.1. General

These are the changes in this release that affect all components.

Functionalities

  • This version adds a common package that handles system hardening and repository management, applies OS hotfixes across all nodes, and includes updated collectd configurations with the redis.conf file.

  • Added the opennac.sh script to profile.d in package updates.

  • Updated ELK stack to the latest version (8.14.3).

Bugs fixed

  • Fixed the PHP header in the check_syslog.php script (Logcollector healthcheck) to resolve execution errors.

  • Fixed and updated the iptables configuration to prevent overwriting existing rules.

  • Resolved issue with Collectd Redis where script execution was terminated before data processing.

1.5.3.1.2. ON Core

These are the changes in this release that affect the ON Core component.

Functionalities

Note

This version disables the automatic Agent update when updating the ON Core. Administrators must manually re-enable the functionality to update Agents to the latest version following Core updates.

  • This release introduces the capability for integration with the OAuth 2.0 authorization framework. See the Integrations section for detailed information.

  • We have added NetBackup and NetConf support for the Zyxel XGS1930 switch. See the Network Compatibility section for a complete list of supported devices.

  • We have added NetBackup support for the PROCURVE 2626 - J4900B, PROCURVE 3400cl - J4905A, and PROCURVE 2810 - J9021A switches. Refer to the Network Compatibility section for a complete list of supported devices.

  • This version includes homologation for the Extreme Summit x435-8T-4S Switch.

  • This release enhances the Discover plugin by improving passive open port detection. When “Softlist IPs or Networks” is enabled in the Discover configuration, it now includes the Passive Open Ports (POP) tag from the User Device Profiling plugin. See the Discover plugin section for more information.

  • Updated the WireGuard > Manage users section with table modifications. The “Time to live” field has been renamed to “Valid connection up to,” now displaying the connection expiration time represented as a timestamp.

  • This version introduces Bash scripting for Linux/macOS, replacing cscript and cmd scripts. See the Running Scripts section for more information about these scripts.

  • Enabling the new Enable network behavior analysis flag in the userDeviceProfiling plugin assigns NBI tags to certain types of network behavior exhibited by devices. For example, a fully established Internet connection is tagged as NBI_ICD_FULL. See the Tags Table for more information.

  • The Administration Portal now includes a new tooltip for viewing tag details. This functionality is available in the following sections:

In these sections, you can right-click on any tag displayed in a connection to view its details. Additionally, you can generate a device tag report directly from this feature. For more information on how to generate a tag report, refer to the Business Profiles Overview section.

  • This version includes new tooltips for filter parameters in the following views:

  • This release sorted tags alphabetically across the following views: Business Profiles, User Devices, and Network Devices.

  • The ON CMDB > Networks section now supports the import of CSV files in addition to JSON and XML files. Refer to the Networks section for an example of the correct file format to ensure proper functionality.

  • This version brings a new functionality for configuring VPNGW Zones. Now, if you disable a zone, all its related objects and the related objects of its subzones will be disabled. Similarly, enabling a zone will also enable its associated objects and those of its subzones.

  • The SRV (SERVICES) tag was replaced with tags to differentiate between provided and consumed services: SBC (Service Being Consumed) and SBP (Service Being Provided). See the Tags table for examples.

  • From this version, the Healthcheck dropdown displays the component along with its IP address, facilitating the retrieval of information for SSH access when needed. See the Administration Platform Overview for more information.

  • The Status column of the Business Profiles table now displays shortcuts for different views: Discover dashboard, Network Behaviour dashboard, VPNGW dashboard, and Manage VPN users window. You will also see these shortcuts in the NextGen Portal. See more details in the Business Profiles section.

  • From this release, the https://<open_core_ip>/api-doc URL redirects you to the API documentation login page instead of the Administration Portal login page. See the OpenNAC API-Doc section for more information.

  • We have removed the Required patches view from the Agent configuration section.

  • The wireGuardSync plugin now allows for configuring email notifications to inform users about their VPN login status and includes a new property to enforce full tunneling by policy. For more details on configuring these features, refer to the wireGuardSync plugin section.

  • The wireGuardSync.php script now returns an error when there is no Switch IP configured and the WireGuardSync plugin is executed.

  • The Security > Admin users and Local users configurations now include a flag to “Request OTP to authenticate user”. Refer to the Security section to see the new flag.

  • There is a new flag that allows plugins to ignore general Proxy settings for the following plugins: airwatch, airwatchSync, ciscoprime, ironchipSync, maas360, maas360Sync, medigate, mobileIron, mobileIronSync, sendHttpRequest. See the corresponding plugin section for more information.

  • This version includes several improvements related to OTP (One-Time Password) configuration:

    • Centralized management of OTP configuration in one view within the Default Portal.

    • Enhanced email HTML template editor with a preview feature for improved visualization.

    • Improved OTP configuration enabling the creation of OTPs using the same user ID but distinct repositories.

    • During user authentication, the system now utilizes both the user ID and repository ID of the authenticated repository to verify OTPs.

    • New feature called OTP Policies. This view enables the creation of OTP policies that must be met to request OTPs upon user authentication.

    • New delta script that checks against the repositories and assigns User Data Sources (UDS) to OTP users that have no source assigned to them.

Note

Since the OTP section now segments users into Local, Admin and External, note that creating new OTP users relies on User Data Sources.

See the Default Portal Configuration > OTP section for more information, and refer to the OTP policies section to understand the new OTP policy evaluation process.

  • The Administration Portal settings now include a feature for configuring a default language preference that is independent of the browser language. See the Administration Portal overview for more information on how to configure this feature.

  • This version introduces the Captcha feature to protect the Administration Portal login. The Login page will require Captcha if you fail to introduce your credentials correctly. See the Administration Portal overview section for more information.

  • You can now save Custom filters for later use when searching for connections in the Locations view of the Business Profiles section. See the Business Profiles > Locations view for more information.

  • The CMDB import data process for User Devices and Network Devices has been enhanced and now offers two import options:

    • The regular process where imported objects update old objects

    • A new option where the import preserves existing values for empty elements in the new JSON.

  • The userDeviceProfiling plugin no longer features the “Enable client discovery scope to unregistered networks” option. This capability was removed from the frontend, as there is now new logic for identifying and tagging devices of unregistered networks.

  • The UDS view now allows viewing users’ details by expanding each identity’s information via the “View users” button. Refer to the ON CMDB > UDS section for more information.

  • The Administration Portal now enables customization for the “About” logo. Refer to the Administration Portal Theme Settings for more information.

  • The View Backups section features a new functionality that compares backups and displays an output with the original backup, the new one and the results of the comparison in a diff-like display. Refer to the ON NetBackup > View Backups for more information.

  • The NetConf and NetBackup schedulers now display the next three scheduled executions when creating a new scheduler. Refer to the NetConf Scheduler and NetBackup Scheduler sections for more information.

  • There is a new tag prefix for the Medigate plugin retrieved information (MED). Refer to the Tags table for more information.

  • This release introduces a new plugin for retrieving information from the Cynerio platform. The plugin execution generates the CYN tag. Refer to the Plugins section for more information.

  • In case of multiple NCS tags, they will now be displayed as grouped tags using the NCS_* format.

  • From this version, all policy evaluations will return sessionid data, which will also be included in the Agent payload response under the attribute name SESSIONID.

  • This release updates the URL for connecting to WireGuard with token authentication.

  • We have added new radius.conf variables to configure Server certificate Password and Server Certificate Filename. This enhancement eliminates the need to create separate files for these configuration parameters.

  • We have implemented a filter capability to the Security Profiles view. Refer to the ON CMDB > Security Profiles section for more information.

  • This release implemented pre-population of hardware UUID from systemd to an environment variable, enabling UUID extraction for license key determination without requiring root privileges.

  • This version includes the OPENNAC-WEAK-KEY.pmod policy module to enable authentication with smaller RSA keys. Refer to the Troubleshooting section for more information.

  • Implemented lazy loading for the Translate class to prevent multiple instance creation and improve performance.

  • Enhanced opennac-job.log to provide more detailed information on FortiGateAccounting, including missing tags and user group tags, to facilitate quicker error resolution.

  • This version certifies Network Device Compatibility for Dell EMC Networking N1548P & HPE 2530-24G.

  • Updated FortiOS Network Device Compliance Tests to align with the latest CCN configuration and improved outdated rules.

  • The Policy section now allows filtering by enabled or disabled policies. Refer to the ON NAC > Policies for more filtering options.

  • The Policy section now features a tooltip in the Precondition: Session providing an example of a session data expression. Refer to the Policies section for more information.

  • From this version, if users exceed the number of login attempts (5), they will have to wait 5 minutes to unblock their IP for a new attempt.

  • This version includes new CNN-CERT default templates for Network Device Compliance scheduling. Refer to the Configuration > Configuration vars section to see the list of default PDF report images.

  • Removed poleval with source_module = “LOGIN_USER” when authenticating users connecting to the VPN via WireGuard.

  • Added a new error message in the check_ntlm.php script to provide information about the UDS being checked during execution.

  • There is a new Healthcheck that monitors RADIUS memory consumption (RADIUS_MEMORY). Refer to the Healthcheck section for more information.

  • This version introduces a new Trending view that uses the collectd process plugin to add Processes graphs to trending charts. Refer to the Trending Processes section for more information.

  • There is a new field in the Configuration vars > Local users section that allows changing the subject on the Captive Portal access credentials e-mail. Refer to the Configuration vars section for more information.

  • This release features new variables to configure CRL certificate validation. Users can now configure the following parameters in the radius.conf file: check_crl (default: no) and allow_expired_crl (default: no).

  • We have updated the User Device auto learned information by adding the source_module details to the comment for this User Device. Refer to the ON CMDB > User Devices section for more information about the information displayed.

  • Decoupled the “TechFileAssistant”, “TagFamily”, “TagReport”, “CmdbExport”, “admonportal”, and “LocalUser” queue workers from the core API. Queries are now executed via the /rest endpoint.

  • Adapted tracer for OpenTelemetry compatibility; now supports the Zipkin collector and includes adjustments for proper operation with OpenTelemetry parameters.

  • Implemented relay Agent IP address as the gateway if none is provided (starter events only).

  • The NetDevice tests simulation now displays a list of Network Devices to be used on the simulation. Refer to the Network Device Compliance section for more information.

  • This release includes the useridraw parameter to the policy evaluation response.

  • This release introduces the necessary changes to mitigate the BlastRADIUS CVE vulnerability affecting FreeRADIUS. Refer to the Reference Guide section for details on the changes implemented and any additional actions administrators may need to take.

  • The new release updates the profiling dataset with new profiling rules, updates fingerprints, and refreshes active information, including banners, SNMP OIDs, and HTTP parsing.

  • This version eliminates the ON CMDB > Security > Guest users view from the Administration Portal.

  • The /usr/share/opennac/admonportal/admonportal/config.json file now features new variables with default values. Refer to the ON Core basic configuration section for more information.

  • There is a new tab in the File log viewer section for visualizing Healthcheck logs. The Administration Portal logs were removed from the view. Refer to the File Log viewer section for more information.

  • The monitor_client.sh script has been renamed to check_opennac.sh. Refer to the External Monitoring section for more information.

  • The ON NAC > Policies > Preconditions: Session configuration now features a WYSIWYG configuration field in addition to the RegEx field. You can see this enhancement within the ON NAC > Policies section.
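The two CMDB import options listed above (regular import where imported objects update old objects, and the new option that preserves existing values for empty elements in the new JSON) can be illustrated with a small merge routine. This is an added example, not OpenNAC code: the real import operates on CMDB objects, while here "existing" and "incoming" are plain dictionaries, the sample device records are constructed, and the definition of "empty" (None, empty string, empty list, empty dict) is an assumption about the behaviour the release notes describe.

```python
from copy import deepcopy

# Assumed definition of "empty" for the preserve option. 0 and False are
# deliberately NOT empty: a field set to 0 is a real value, not a missing one.
EMPTY = (None, "", [], {})


def is_empty(value):
    return value in EMPTY


def import_overwrite(existing, incoming):
    """Regular import: every field present in the new JSON replaces the stored
    value, even when the new value is empty."""
    merged = deepcopy(existing)
    merged.update(deepcopy(incoming))
    return merged


def import_preserve_empty(existing, incoming):
    """New option: fields that are empty in the new JSON keep the stored value.
    Nested dicts are merged recursively, so one empty sub-field does not wipe a
    whole section of the stored object."""
    merged = deepcopy(existing)
    for key, new_value in incoming.items():
        if is_empty(new_value):
            continue  # keep whatever the CMDB already holds (or nothing, if the key is new)
        if isinstance(new_value, dict) and isinstance(merged.get(key), dict):
            merged[key] = import_preserve_empty(merged[key], new_value)
        else:
            merged[key] = deepcopy(new_value)
    return merged


# Constructed sample: a stored User Device and a partially filled update export.
EXISTING_DEVICE = {
    "mac": "00:11:22:33:44:55",
    "comment": "printer, 3rd floor",
    "tags": ["PRINTER", "SNMP"],
    "properties": {"vendor": "Acme", "model": "X100", "location": "B3"},
}
INCOMING_DEVICE = {
    "mac": "00:11:22:33:44:55",
    "comment": "",
    "tags": [],
    "properties": {"vendor": "Acme", "model": "", "location": "B4"},
}

if __name__ == "__main__":
    # Regular import empties comment, tags and model; preserve keeps them and only moves location to B4.
    print(import_overwrite(EXISTING_DEVICE, INCOMING_DEVICE))
    print(import_preserve_empty(EXISTING_DEVICE, INCOMING_DEVICE))
```

The practical difference shows up with partial exports: a JSON produced by a tool that only knows the location field will silently blank out comments and tags under the regular import, while the preserve option keeps them.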

Bugs fixed

  • This release fixes the issue related to changing the Administration Portal password.

  • When filtering the Agent payloads view to visualize by Process type, it now features a list of valid options.

  • To avoid errors when executing the check_syslog.php script, in this version we have replaced the opennac.conf file with the opennac_common.conf file, which is generic for all the nodes, within /etc/rsyslog.d/.

  • Fixed a plugin execution issue reported as a “known issue” in the 1.2.4-2 release notes. Now, asynchronous plugins wait for synchronous plugins to finish execution before considering their results for evaluation. Since this solution affects the device’s auto-learn functionality, there will no longer be a policy reevaluation when devices that are not registered in the CMDB perform their first connection; they will be directly evaluated.

  • The opennac-agent-audit.log was displaying invalid characters. The log is now more concise and displays relevant, easy-to-access information.

  • Resolved an issue where newer dashboards were not created during updates by ensuring the menuAnalytics file is read correctly, bypassing the condition that prevented loading new dashboards.

  • This version adds processing for switchip and port parameters when IpMac data is received via queues, ensuring that extra parameters are now correctly handled.

  • Fixed an issue where DHCP-Helper-Reader failed to read from pcap files when running without debug mode and daemonizing.

  • Updated the ADM_USER_PASSWD_EXPIRATION healthcheck to verify password expiration for all users with the admin role, not just the default “admin” user.

  • Fixed the handling of the autherr parameter from Extreme WLCs.

  • This release addressed a bug where Mobileauth login was failing due to missing repoId.

  • Fixed an issue with “Manage Group Authorization” authentication via Active Directory, which was preventing access to the Administration portal.

  • Fixed the log format (dates and times) received in the wireguard.log file.

  • Addressed the issue where DDI_ tags (DEVICE DOMAIN INFO) reported by the Agent were not being assigned to devices.

  • When creating a new Business profile, if you do not pick a color, the Profile will be created with a random color instead of returning an error.

  • This version updates the plugin response “statusmsg” to “statusmodule”.

  • This release addresses the deprecation warnings that were being displayed in logs.

  • Fixed an issue where temporary interfaces (e.g., from Docker containers) in the license request data could cause validation errors. The license generation process now uses more stable parameters to avoid mismatches when interfaces change or disappear.

  • Fixed charset handling for userid and session data user-name to ensure they match the original input without alteration.

  • Fixed segmentation fault issues in RADIUS authentication related to Calling-Station-Id and UTF-8 usernames with excessive length.

  • CDN information in the “CDN URL” field no longer gets automatically deleted when “Use CDN to download agent” is disabled in the “Download & Install agent options” configuration.

  • Renamed IPMAC event to INFO to prevent error 400 caused by duplicate ARP data from multiple interfaces.

  • Replaced the Trigger Type value in Agent Payloads from a number to a text string.

  • Backup commands for Cisco/2950 switch class now execute correctly, ensuring accurate backup display.

  • Fixed DHCP-Helper-Reader crash caused by memory corruption during malloc().

  • During a DBwrite rollback, all tags related to userdev are now correctly cleaned.

  • Fixed an issue where a payload without NETWORKS section was triggering an error.

  • Addressed the issue where an Import remained “In progress” when importing an incorrect JSON.

  • Fixed the issue where executing a NetBackup job against an Aruba 2930F switch failed.

  • Null values for payloads were not being displayed in the Agent payloads view. They are now displayed with the “Unknown” value.

  • Fixed an issue that returned errors related to the removal of profiling rules in the User Device Profiling section.

  • This release addresses an issue that was preventing users from disabling Agent OSQueries.

  • We have fixed an application error when trying to delete connections in the Business Profiles > Default view.

  • Added support for toggling MAB CoA on MikroTik devices.

  • Removing a UDS now also correctly removes its related authorization groups.

  • The User Devices editing capability is now working properly.

  • Fixed the filter capability from the VPNGW > Farm > WireGuard users section.

  • Fixed issue where users were not removed from the dynamic zone when Redis was flushed.

  • Fixed MikroTik 802.1X certificate toggle to use username without domain.

  • This release addresses an issue where the EPT view was not being removed when its related UD profile was deleted.

  • Fixed the issue with filtering by tags in the Network Devices section.

  • The FORTIOS_INT_AP_DISCOVER_DISABLED rule appeared as editable within the NetDevice tests view. This issue was addressed, and the rule is no longer editable.

  • Fixed an application error when selecting a node in the VPNGW > Interfaces section.

  • The Authenticated User’s Data Source is now correctly saved in the session.

  • Fixed an issue where rebooting a VPNGW node resulted in non-functional vxlan-tap interface.

  • Fixed the endpoint connection issue with WireGuard, which previously returned an error for both local and external users.

  • This release addresses the issue of the CAPTIVE_PORTAL healthcheck error display.

  • Addressed an issue where some Agent Payloads were returning a JavaScript error.

  • The Import process now returns an error message indicating a field format error (if there is any) and terminates the current process.

  • Fixed an issue where users were asked to authenticate to access the Analytics section in the NextGen Portal. The authentication is only required for accessing the Elastic development portal.

  • Switching between different tabs is now working properly in the Captive Workflows configuration window.

  • Local users were receiving the Captive Portal access credentials email with empty data. This issue is now addressed.

  • Fixed an issue where changing from the Default Portal to the NextGen Portal did not retain the selected language.

  • The Simulate Network Devices tests button is now properly working.

  • Fixed a timeout error in the VPNGW > WireGuard users’ section.

  • Fixed an issue where licenses with interfaces lacking an IP address would throw a warning and fail to function.

  • Fixed an issue where the Async Plugin minion would crash when using the database.

  • Fixed an issue where filtering by nodes in the VPNGW > Farm > WireGuard > Manage Users section prevented searching by username.

  • The Network Device export button is now properly working.

  • The NetBackup “Export last backup” functionality is now properly working.

  • Fixed an issue in the Configuration vars section where PDF report images could not be saved and returned an error.

  • The Administration Portal image/icons rendering issue was addressed in this release.

  • The WireGuard service restart now works successfully.

  • Fixed an issue where generating a Tag report for a large number of user devices caused the report to enter an endless loop.

  • Fixed invalid Calling-Station-Id and NAS-Port values on MikroTik DHCP accounting.

  • Fixed an issue where the RADIUS server performed LDAP queries before applying suffix_opennac.

  • Resolved frontend compatibility issues following the PHP 8.1 upgrade.

  • Fixed an issue where users could not reattempt logging in to the Administration Portal after an initial failure due to an application error.

  • Fixed an issue where the page did not refresh automatically after deleting a VPN farm in the NextGen Portal.

  • Fixed an issue with the checkHostDomain plugin where it was not being executed upon the creation of a new OpenNAC ID if it had previously been run for the same MAC address.

  • Fixed an issue where the API was retrieving the first match of onanalytics instead of the correct onanalytics value as configured.

  • The event right-click function that enabled a drop-down menu in the ON NAC > Business Profiles view is now functioning properly.

  • Fixed an issue that displayed an error message after the deletion of User device profiling backups.

1.5.3.1.3. ON Captive

These are the changes in this release that affect the ON Captive component.

Functionalities

Warning

The Bootstrap library has been updated to version 5. As a result, several changes need to be made manually in all Custom Captive Themes for compatibility.

Replace your custom view values as specified in the table below.

  Former Value        New Value
  ------------------  ------------------------
  col-lg-5            col-xl-5
  col-md-6            col-lg-6
  col-sm-7            col-md-7
  col-xs-10           col-10
  panel               card
  panel-heading       card-header
  panel-body          card-body
  col-center-block    mx-auto
  col-lg-offset-2     offset-xl-2 *
  h5                  <div class="mt-2 mb-2">
  text-right          text-end
  text-left           text-start
  h4                  h5
  input-lg            form-control-lg
  data-dismiss        data-bs-dismiss

* It applies to all other offsets. Just like in the col, the change from ‘lg’ to ‘xl’ is intentional.
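The replacement table above has two traps when applied mechanically to a custom Captive theme view: "panel" is a prefix of "panel-heading", so naive string replacement corrupts it, and the two heading rows must be applied in the right order (h5 to div first, then h4 to h5), otherwise every former h4 ends up as a div. The following script is an added example, not OpenNAC code, that applies the table to a view while handling both issues; it also generalizes the offset footnote to every breakpoint using the same shift as the col rows (xs drops, sm becomes md, md becomes lg, lg becomes xl). The sample HTML fragment is constructed.

```python
import re

# One-to-one class replacements taken from the release-notes table.
CLASS_MAP = {
    "col-center-block": "mx-auto",
    "panel": "card",
    "panel-heading": "card-header",
    "panel-body": "card-body",
    "text-right": "text-end",
    "text-left": "text-start",
    "input-lg": "form-control-lg",
}

# Breakpoint shift shared by the col-* rows and, per the footnote, all offsets.
BREAKPOINT_SHIFT = {"xs": None, "sm": "md", "md": "lg", "lg": "xl"}

OFFSET_RE = re.compile(r"^col-(xs|sm|md|lg)-offset-(\d{1,2})$")
COL_RE = re.compile(r"^col-(xs|sm|md|lg)-(\d{1,2})$")
CLASS_ATTR_RE = re.compile(r'class="([^"]*)"')


def migrate_class_token(token):
    """Map one Bootstrap 3 class token to its Bootstrap 5 equivalent.
    Whole tokens are matched, so 'panel' never clobbers 'panel-heading'."""
    if token in CLASS_MAP:
        return CLASS_MAP[token]
    m = OFFSET_RE.match(token)
    if m:
        bp = BREAKPOINT_SHIFT[m.group(1)]
        return f"offset-{m.group(2)}" if bp is None else f"offset-{bp}-{m.group(2)}"
    m = COL_RE.match(token)
    if m:
        bp = BREAKPOINT_SHIFT[m.group(1)]
        return f"col-{m.group(2)}" if bp is None else f"col-{bp}-{m.group(2)}"
    return token  # unrelated classes (form-control, btn, ...) pass through unchanged


def _migrate_class_attr(match):
    tokens = match.group(1).split()
    return 'class="' + " ".join(migrate_class_token(t) for t in tokens) + '"'


def _h5_to_div(match):
    attrs = match.group(1)
    if 'class="' in attrs:  # merge into an existing class attribute rather than duplicating it
        return "<div" + attrs.replace('class="', 'class="mt-2 mb-2 ', 1) + ">"
    return '<div class="mt-2 mb-2"' + attrs + ">"


def migrate_view(html):
    """Apply every row of the table to one view. The heading rows are ordered:
    h5 becomes a div BEFORE h4 becomes h5."""
    out = CLASS_ATTR_RE.sub(_migrate_class_attr, html)
    out = re.sub(r"\bdata-dismiss\b", "data-bs-dismiss", out)
    out = re.sub(r"<h5\b([^>]*)>", _h5_to_div, out)
    out = re.sub(r"</h5\s*>", "</div>", out)
    out = re.sub(r"<h4\b([^>]*)>", r"<h5\1>", out)
    out = re.sub(r"</h4\s*>", "</h5>", out)
    return out


# Constructed Bootstrap 3 fragment in the style of a custom Captive login view.
SAMPLE_VIEW = """<div class="col-xs-10 col-sm-7 col-md-6 col-lg-5 col-lg-offset-2 col-center-block">
  <div class="panel">
    <div class="panel-heading text-left"><h4>Guest access</h4></div>
    <div class="panel-body text-right">
      <h5>Sign in</h5>
      <input class="form-control input-lg" type="text">
      <button data-dismiss="modal">Close</button>
    </div>
  </div>
</div>"""

if __name__ == "__main__":
    print(migrate_view(SAMPLE_VIEW))
```

Run it against each custom view file and diff the output before committing it to the theme; class names that are not in the table are left untouched, so anything the script changes is traceable to a table row.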

  • Captive workflows now offer the option to authenticate the user before displaying the Agent download page. You can configure this parameter in Agent Configuration > Download & Install agent options.

  • In this release, we have replaced the deprecated Custom properties field in the “Captive workflows > Form fields” section with additional parameters for ON Captive Validation. See the changes mentioned in the Captive workflows section.

  • This version improved the Captive themes configuration, by incorporating all necessary settings (general, CSS, header, footer, translations, e-mail templates, and images) to the same window. Additionally, the e-mail templates tab now provides a preview of the HTML code content for an enhanced user experience. See the Captive themes section for more information.

  • Before downloading the Soluble Agent, the Captive flow now verifies whether the user already has the Agent installed. If so, it triggers a profile evaluation to send a payload to OpenNAC; if not, it downloads the Soluble Agent. See the example of this flow in the Third-Party VPN section.

  • This release enhances the Captive Instances view by adding new sections to the Instance configuration: Workflows, VPN workflows, and Theme. Due to this change, the ON Captive > Captive Domains view has been eliminated. Refer to the ON Captive > Captive Instances section for more information.

  • The Captive configuration new section features a flag for allowing Agent download only for authenticated users. See the Captive configuration section for more information.

  • There is a new flag to enable the display of the Captive VPN workflows on the Captive main page.

  • This version improves the Captive workflows configuration by displaying only the parameters related to the workflow being created and implementing validation for the configuration fields.

  • Captive Workflows configuration now enables Extreme Networks within the WLC Configurations. Refer to the Guest Wifi Workflow for more Captive Workflow configuration options.

  • In this release, Captive themes e-mail templates and CSS are automatically updated in a multinode environment.

  • Implemented automatic updates for customized CSS, Header, and Footer in a multinode environment. The system now checks if the customized object matches the default one. If they match, the customized object is replaced automatically.

  • A custom Captive theme header must be updated if the default header is modified.

  • This version enhances the Captive Themes translations in a multi-node environment. The translations now are automatically updated.

  • We introduce a new Captive workflow to allow the Soluble Agent to be an intermediate between the Captive Portal and WireGuard.

  • The Captive e-mail validation requests section now displays a history of requests called “Archived validation requests” that can be stored for the time established within the Captive configuration. See the ON Captive section for more information.

  • The Captive Portal now consistently uses the CDN script to download the Agent, regardless of whether a CDN URL is defined.

  • The Captive for Guest users flow now runs a script to identify the OS and automatically select the correct Agent version (32-bit or 64-bit), as browser-based checks are no longer reliable.

Bugs fixed

  • We have cleaned up the deprecated Captive Portal PHP 8.2 warnings.

1.5.3.1.4. ON Analytics & ON Aggregator

These are the changes in this release that affect the ON Analytics and ON Aggregator components.

Functionalities

  • This release introduces a new range of dashboards associated with the KRI (Key Risk Indicator) section. The dashboards provide a comprehensive overview of critical risk indicators related to network security and compliance. Refer to the Network Insights section for more details.

  • The Configuration > Dashboards section now displays alerts whenever OpenNAC detects that changes are pending to be applied in any Analytics Dashboard. See the Dashboards section for more information.

  • This version suppresses the UDC Metrics Dashboard and updates the UDC Overview dashboards.

  • This release adds support for JA4 fingerprint in Logstash for enhanced SSH client identification.

Bugs fixed

  • Added a new field in Aggregator config to identify public destination IPs, with support for excluding specified internal public IP ranges.

1.5.3.1.5. ON Sensor

Functionalities

  • This release removed obsolete rsyslog entries from the Sensor file.

1.5.3.1.6. ON VPNGW

These are the changes in this release that affect the ON VPNGW component.

Functionalities

  • This version enhances the WireGuard node configuration to allow clients to choose how DNS servers are handled upon connection, by adding a new flag to the configuration options. See the VPNGW > FARM > WireGuard section for more information.

  • There is a new flag to Enable Dynamic Local Network. If the flag is enabled, VPN rules will be applied to route traffic. Refer to the VPNGW > FARM > WireGuard section for more information.

  • This version improves the import of VPNGW objects by changing the minimum length validation from 4 characters to 3 characters.

  • The VPNGW node no longer includes the following packages: openvpn-2.5.9-2.el9.x86_64 and openvpn-auth-ldap-2.0.4-7.el9.x86_64.

Bugs fixed

  • Added support for configuring multiple dynamic zones by including all IP pools in the wireguard_monitor_up.sh script to ensure that rules for traffic from different IP pools are properly created.

  • Introduced the endpoint_internal parameter in WireGuard connection parameters to address the issue where the Agent incorrectly indicated a disconnected status despite the interface being up.

1.5.3.1.7. ON Agent

These are the changes in this release that affect the ON Agent component.

Functionalities

  • New Agent version for Android operating systems. Refer to the Agent documentation for information about its capabilities.

Warning

The Android Agent is an Alpha version and is not stable. Use with caution as it may contain bugs or incomplete features until the final release.

  • This version of the Agent is compatible with MacOS Sequoia 15.

  • The Agent no longer supports the OpenVPN service.

  • Upgraded OSQuery to version 5.12.2 to enhance stability and performance.

  • This Agent release is supported on Ubuntu 24.04 LTS. Refer to the OpenNAC Agent section for a complete list of supported operating systems.

  • This release adds support and compatibility for Linux Mint 22. For a full list of supported operating systems, please refer to the Supported Operating Systems table.

  • New feature called Lateral visibility that consists of scanning not only the device but also the network to which the device belongs. You will find a flag to enable this feature in the Agent profiles section. Refer to the Agent documentation to learn more about this functionality.

  • This release introduces the Smart 2FA feature. Refer to the Multiplatform Agent section for detailed information about how the second authenticator factor works in the Agent application.

  • Integrated MacOS WireGuard directly into the OpenNAC Agent, eliminating the need for external dependencies and simplifying the setup and management of VPN connections.

  • In this release, the Agent profiles configuration features a new parameter that determines the maximum time (in seconds) the Agent UI waits for responses from the agent service. See the Agent profile section for more information.

  • Agent Profiles configuration modules can now be expanded and collapsed for better navigation and usability. Refer to the Agent Profiles section to visualize this change.

  • The Agent Profiles > Service configuration section now features a flag to enable the execution of the System Updates Script, which gathers information about pending and installed updates on Windows operating systems. See the Agent Profiles section for more information.

  • From this version, the Agent will only allow the HTTPS connection protocol. Therefore, the Agent Profiles configuration no longer displays the “connection protocol” field that allows choosing between HTTP and HTTPS.

  • The Taskbar configuration of the Agent Profiles section now features a new option that allows pausing the Agent from the user interface. Refer to the Agent Profiles section to see this new parameter.

  • Updated log levels to allow selection from different levels in the Agent Profiles section. Previously, many logs were set to debug or info; now each log is configured with the appropriate level.

  • The Agent Profiles VPN configuration now includes features to verify VPN connectivity, including setting the interval for WireGuard status checks and client-server handshakes, plus an option to enable ping tests for added verification. Refer to the Agent Profiles section for more information.

  • We have introduced a new feature in Agent Configuration. When creating Multiplatform agent rules, you can now clone an existing configuration to create a new one with similar settings.

  • The Agent payloads section called Script Execution Results, now displays the corresponding script as a new field.

  • This version introduces a new payload type for SCANNED_NETWORKS that includes the display of broadcast address, netmask, and IP address information, providing enhanced network details. See the Agent payloads section for more information.

  • We have added a new boolean parameter, SCRIPTS_MODIFICATIONS, to the JSON object OPENNAC. If this parameter is true, it will display a new icon (Script execution changes) in the column ‘Payload type’ of Agent payloads. See the Payload types table for a visual reference of the mentioned icon.

  • From this version onwards, you will see new icons in the Process type column of the Agent Payloads section: Script execution changes on a script modification event and Agent paused on a service pause. See the Agent Payloads section for more information.

  • There is a new OSQuery that identifies Active Admin Users and adds the ISS_ACTIVE_ADMIN_USER tag to the device. See the Agent payloads section for more information.

  • New filtering option for the Agent payloads and Agent payload timeline sections that allows filtering based on Hostname, MAC, IP, Agent version, OS, User, etc.

  • The Agent payload timeline section now displays new blocks for: Bluetooth, certificates, system updates, security center, USB device, active admin users, and Bitlocker payloads. Refer to the Agent payload timeline section for more information about this view.

  • We have added a new field to the Agent payloads OPENNAC section to display information about PowerShell execution: POWER_SHELL_DISABLED. The value returned will be true or false. See the Agent payloads section for more information.

  • The Agent payloads Data column now has an icon called Update results that displays a payload with the result of the Agent update (null, true, or false). See the Agent payloads section for more information.

  • Each payload query now displays a stamp for Query time, Memory consumption, and CPU Percentage. See the Agent Payloads section for more information.

  • The View server response feature of the Agent payloads section now displays new objects: Agent Query, Minimum version required, Agent OAuth2 WireGuard config, Agent VPN WireGuard Farm, and Agent OSQueries. See the Agent Payloads section for more information.

  • This version includes a new log file for the Soluble Agent CDN script execution. See the Soluble Agent section for more information.

  • Now the Agent payloads section features a new payload visualization for Agent Updates. This allows you to see the Agent update result payload separately.

  • The icons for “Agent service uninstalled” and “Agent service stopped” were moved from the “Data” column to the “Process type” column for a more intuitive visualization. See the Agent Payloads section for icon references.

  • The Agent features a new tag with DDI (Device Domain Info) prefix that displays Windows Domain information based on Agent payloads: Full, SessionChanges and Recover. See the Agent-Collected Data Tags section for examples.

  • The ACTIVE_ADMIN_USERS entity is now added to all payload types.

  • This version integrates OSQuery into the Multiplatform Agent, ensuring it is always up-to-date with the latest version. OSQuery is now integrated directly within the package for seamless functionality. See the OpenNAC Agent section for more information.

  • When configuring the Agent OSQueries, the “Processes that will execute the query” parameter now offers a new process that allows the Agent to execute the OSQuery during the network scan. See the Agent configuration section for more information.

  • We have updated the USER_ACTIVE OSQuery for Windows to enhance the displayed query result.

  • The IE_EXT OSQuery (Internet Explorer) was updated in this version.

  • The NETWORKS OSQuery was updated in this version on Linux and MacOS.

  • The Agent Configuration section features two new buttons for enabling and disabling default OSQueries. See the Agent Configuration > Agent OSQueries section for more information.

  • The Agent now can add the DDP (DEVICE DESTINATION PORT) and DOP (DEVICE OPEN PORT) tags from the EstablishedConnections and OpenPorts OSQueries responses. See the Agent-Collected Data Tags section for examples.

  • The Soluble Agent ID generation was redesigned to provide shorter identifiers and enhance operational efficiency.

  • This Agent version suppresses the Server protocol selector field from the “About” view. See the Agent’s User Interface section for more information.

  • The Agent UI, when connecting to the VPN, now displays the server you are trying to connect to. Refer to the Agent’s User Interface section for more information.

  • If there is a VPN connection error, the Agent’s UI will now display a message indicating the reason for the connection failure. Refer to the Agent’s Troubleshooting section for more information.

  • The Agent UI now displays dynamic VPN status during the connection process. If an error occurs, you can hover over the error message to expand the failure information and copy it to your clipboard for further analysis.

  • This version adds syntax validation when configuring Agent rules.

  • This release introduces a new payload called mobileFull.

  • We have updated the following OSQueries: BITLOCKER, HARDWARE, SECURITY_CENTER, and ARP. Refer to the Agent configuration section for a complete list of queries.

  • The Windows Agent is now updated to generate an MSI installer instead of an EXE.

  • Separated the installable and soluble Agents into distinct URI schemes: onnac: for the installable agent and onnacsoluble: for the soluble agent.

  • The filename for the Soluble agent download has been changed to include a hexadecimal value indicating whether WireGuard is enabled or disabled.

  • The soluble agent now retrieves a VPN token from the payload, which is used in the VPN SAML workflow to encrypt and decrypt the WireGuard configuration file.

  • This version ensures that remote lock events are logged by the Agent even if a ConsoleDisconnect event is received before the lock event.

  • The Agent now notifies the Core if the computer is not allowing PowerShell to run because it is disabled.

  • Implemented a check to verify if the MSI Windows installer is active before proceeding with an Agent update. If the installer is running, the update is deferred, and the user is notified that the update is delayed due to the system installer being in use.

  • Implemented a prompt for notification permissions upon launching the UI in MacOS to ensure that notifications are displayed, as they would otherwise be blocked if permissions are not granted after installation.

  • Enhanced user experience by displaying the OTP text box in plaintext instead of asterisks. It makes it easier for users to review and correct typos if the system rejects authentication.

  • This release added the capability to support one UI instance per user on macOS and Linux endpoints.

  • This version introduces new URI schemes for the profile-guest-users workflow.

  • The Agent UI now notifies users about policy changes. Refer to the ON NAC > Policies section to learn about the possible notification scenarios.

  • This release added WireGuard connection capacity to the Soluble Agent, expanding its VPN functionality. Refer to the Captive Workflows section to see the flag that enables this functionality: “Allow execution without installable Agent”.

  • Updated Soluble Fast CDN to support new filename parameters, ensuring compatibility across all platforms while correctly processing other parameters.

  • Updated the agent to send Bluetooth tags in the payload: BDA for available devices and BDC for connected devices.

  • The VPN window now closes immediately after the connection is established.

  • We have limited the Agent installer to supported operating systems only: prevent installation on versions prior to Windows 10; restrict installation to Ubuntu and Linux Mint distributions; and update support to macOS 12 or higher.

  • Updated the VPN flow for Windows and MacOS to download the Soluble Agent with the VPN flag set to 0 (disabled).

  • The Soluble Agent is now available for Windows 32-bit. Refer to the Agent configuration for a list of available versions for download.

  • This version includes a new option in the Agent profiles that allows pausing the Agent directly from the user interface. Refer to the Agent’s Taskbar Configuration section for more information.

  • The invalid Agent payloads are now stored in /usr/share/opennac/api/data/payloads-unprocessed/.

Bugs fixed

  • This version improved the Soluble Agent execution time when it queries the SystemUpdates information.

  • Fixed an issue where the Soluble Agent with CDN would fail on Windows OS.

  • Addressed unhandled VPN errors by handling error messages in the Agent and updating connection status in statususerdev to reflect rejected connections.

  • We have enhanced the information displayed within the Agent payloads: translations, duplicated info, CPU and memory info, and payload table filter. Refer to the Agent Payloads section for more information.

  • The browser extensions query (CHROME, FIREFOX, IE) now allows empty results.

  • Fixed an issue where payloads were not processed because the agent object was missing in queued events.

  • Ensured consistency by setting a single title for each type of notification, resolving discrepancies in notification titles.

  • Resolved an issue where an error 500 was returned on a failed VPN connection attempt (e.g., due to an invalid password). Now, a JSON response with an appropriate error message is returned.

  • This release removed duplicated parameters on HARDWARE and SECURITY_CENTER payload entities.

  • Fixed an issue that prevented the “Agent service is stopped” payload type from working properly.

  • DNS backups now are created with correct values, addressing the problem identified in a previous version.

  • We have cleared InteractiveOsQueryService logs and relocated Bluetooth logs to debug/trace.

  • The Agent UI’s “About” option now displays standardized text across all available languages.

  • This version addresses issues regarding the Agent uninstall process.

  • Addressed the Agent VPN connection issue after updating the application.

  • This version manages update issues caused by shutting down or restarting the computer.

  • Fixed an issue where the agent could not detect Bluetooth devices.

  • We have addressed the issue of double payloads being displayed during the same script execution.

  • Fixed the issue where connection to the server via proxy was not working.

  • Updated the Ubuntu uninstall process to send only the uninstall payload, matching other platforms.

  • Fixed an issue where VPN disconnection was not reported during the logout event.

  • Addressed the issue where “Agent service stop” payloads were not being sent on Windows OS.

  • Fixed an installation error detected on MacBook Air with Apple M1 running MacOS Sonoma 14.4.

  • Fixed an issue where the UI did not open after an update on Ubuntu 23.10.

  • Fixed an issue where uninstalling the Agent did not disconnect the VPN.

  • Resolved the issue where the uninstall payload was not being sent on MacOS and Linux.

  • Addressed the issue where the “Connect VPN with WireGuard” option did not appear in the taskbar menu.

  • Corrected the Agent icon display issue on Ubuntu 24.04.

  • Resolved the issue where a Network Change payload was generated after every session logout.

  • Fixed the issue where the VPN status remained as “Connecting” even after a successful connection.

  • Resolved the issue where the Agent UI mouseover dialog was displayed in the system language instead of the language configured in the appsettings file.

  • Fixed the issue where Interface descriptions were not retrieved on MacOS and Linux, which prevented the Agent timeline functionality from distinguishing between added interfaces.

  • Resolved the issue where the Installer failed with an error when attempting to install using the incorrect name.

  • Fixed an issue where a connection was established but an error message “Unable to connect VPN” was displayed.

  • Fixed the issue where the taskbar lost its styling after an update on Linux.

  • Resolved the exception occurring when launching the Soluble Agent with sudo.

  • Fixed the issue where a Session Changed payload with a logon event was sent after an update on Ubuntu and Linux Mint.

  • Resolved the issue where the Soluble Agent did not run on Linux Mint 22.

  • Fixed the issue where VPN auto-connection did not work when the interface was killed on MacOS and Linux platforms.

  • Resolved the issue where payloads were not sent from a proxy when using incorrect user credentials or password.

  • Fixed the issue where the “Agent service is stopped” payload was not sent.

  • Fixed the issue where lock and unlock events did not work on Ubuntu 20.04.

  • Fixed the issue where the Soluble Agent did not correctly set allowed IPs, causing issues when multiple IPs were configured.

  • Resolved the issue where the Soluble Agent did not receive parameters via URI scheme.

  • Fixed the issue where the UI displayed “unauthenticated” while the server indicated “authenticated” status.

  • Resolved an issue where an error message was displayed when attempting to enable or disable an Agent Profile using the Default flag.

  • Resolved a string encoding error in Agent Profiles view.

  • Fixed a Soluble Agent error while executing for the second time.

  • Fixed an issue where the VPN connection flow incorrectly used the URI scheme onnac: instead of onnacsoluble: when loading data after sending the payload.

1.5.3.2. Automated Deployments

These are the Ansible changes in this release that affect the deployment of all OpenNAC Enterprise components.

Functionalities

  • This release updated security communications between components.

  • Before Ansible execution, the system will now check credentials and verify access to the repository (for deployment and configuration) and the Administration Portal (for configuration only).

  • The elk_cluster_config and restart_core_services roles have been removed and integrated into specific configuration files.

  • Users can now download the Ansible playbooks for automated deployments directly from our public repository. This change makes distribution and storage easier, simplifying the Ansible deployment from Rocky Linux 8. See the Automated deployment section for more information.

  • The inventory sample file now manages servers’ hostnames with a new variable called hostname. Refer to the Inventory sample file to visualize this change.

  • This version introduces an Ansible playbook to address Database replication issues. See the Troubleshooting section for more information.

  • New section Automated Troubleshooting dedicated to automating infrastructure troubleshooting using Ansible. Also available in the platform administration section of the NextGen portal at Automated Troubleshooting.

Bugs fixed

  • Fixed an issue where the Analytics cluster configuration in Ansible was not importing index templates correctly.

  • Removed trending for hosts that no longer exist in the inventory. This update ensures old hostnames are removed if new nodes are added or hostnames change.

1.5.3.3. Documentation Changes

  • The documentation features expanded information about Agent updates detailing the conditions for the update to be triggered.

  • New section dedicated to the Lateral Visibility functionality.

  • New troubleshooting section intended for maximum login issues. Refer to the Troubleshooting Guide for more information.

  • There is a new troubleshooting section intended for VOIP phone issues. Refer to the Troubleshooting Guide for more information.

  • There is a new section dedicated to the OAuth 2.0 integration. This authorization framework enables third-party applications to access a user’s resources without exposing the user’s credentials. See the Integration > OAuth2.0 section for more information.

  • Use Case sections feature improvements by including more practical examples and relevant information for administering and operating the OpenNAC Enterprise modules.

We greatly appreciate user feedback and ratings as they play a crucial role in delivering user-oriented content. Please, continue sharing your valuable insights to help us improve and meet your needs. You can do so by clicking on the smiley face at the bottom of the documentation page and leaving your feedback. Thank you for your contribution!