1.5.5. Release 1.2.5-3
Release date: 15.04.2025
Welcome to the 1.2.5 OpenNAC Enterprise release.
In this release, our focus has been on enhancing functionality, improving user experience, and addressing bug fixes across all components.
1.5.5.1. OpenNAC Improvements
This section describes all changes that affect the OpenNAC Enterprise solution.
1.5.5.1.1. General
These are the changes in this release that affect all components.
Functionalities
Improve specs output, making the technical details our system produces clearer and more organized.
New healthcheck for Logstash and Filebeat: a new healthcheck mechanism automatically monitors the operational status of these components and ensures they are functioning correctly.
Ansible now automates the configuration of log retention policies and backup procedures, ensuring that system logs are stored for a defined period and that backups are created consistently.
We’re reducing the number of external repositories needed to deploy OpenNAC. Instead of requiring access to multiple sites, we’re consolidating dependencies through a dedicated proxy server with authentication. This streamlines the deployment process and centralizes resource access.
1.5.5.1.2. ON Core
These are the changes in this release that affect the ON Core component.
Functionalities
Replace all texts in the OpenNAC code and the portal administration from year 2024 to 2025.
Updated cookie handling for compatibility with the Captive Portal by modifying the SameSite attribute of cookies. Specifically, the PHPSESSID cookie is set to SameSite=Strict with the Secure attribute for enhanced session security. All other general cookies are configured with SameSite=Lax and the Secure attribute to improve compatibility with various browsers and Wireless LAN Controllers (WLCs) while maintaining a baseline level of security.
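As an added illustration (not OpenNAC code), the following Python models the cookie policy described above: PHPSESSID gets SameSite=Strict and Secure, every other cookie gets SameSite=Lax and Secure. It also includes a small audit helper for Set-Cookie header values and a model of when a browser attaches a cookie, which shows why Lax is the compatible choice for cookies that must survive a WLC redirect.

```python
from typing import Dict, List

SESSION_COOKIE = "PHPSESSID"  # cookie name given in the release note


def build_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header value following the described policy:
    PHPSESSID -> SameSite=Strict; everything else -> SameSite=Lax; all Secure."""
    samesite = "Strict" if name == SESSION_COOKIE else "Lax"
    return f"{name}={value}; Path={path}; Secure; SameSite={samesite}"


def audit_set_cookie(header: str) -> List[str]:
    """Return the policy violations found in one Set-Cookie header value.
    An empty list means the header is compliant."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    expected = "Strict" if name == SESSION_COOKIE else "Lax"
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    got = attrs.get("samesite")
    if got is None:
        findings.append(f"{name}: missing SameSite (browsers may default to Lax)")
    elif got.lower() != expected.lower():
        findings.append(f"{name}: SameSite={got}, expected {expected}")
    return findings


def cookie_sent(samesite: str, same_site_request: bool,
                top_level_navigation: bool, safe_method: bool) -> bool:
    """Model of when a browser attaches a cookie under the SameSite rules.
    A WLC redirecting a client to the portal is a cross-site top-level GET:
    a Lax cookie is sent on it, a Strict cookie is not."""
    mode = samesite.lower()
    if mode == "strict":
        return same_site_request
    if mode == "lax":
        return same_site_request or (top_level_navigation and safe_method)
    return True  # SameSite=None: always sent, must also carry Secure


if __name__ == "__main__":
    for hdr in (build_set_cookie("PHPSESSID", "abc"), "theme=dark; Path=/; Secure"):
        print(hdr, "->", audit_set_cookie(hdr) or "compliant")
```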
Analysis revealed that the ‘normal’ priority assigned to certain jobs could lead to unintended execution order. Consequently, their priorities have been adjusted to ensure correct process sequencing.
Local users: allow special characters “<” and “>” in password: Enables the use of < and > in local user passwords for increased password complexity.
Users are allowed to use special characters in their identification names in the webauth-guest-users workflow on the Captive Portal.
Update LaTeX templates and api-doc with new oesia icons.
Modified the OpenNAC agent’s user active osquery entity configuration to adjust the collection of user operating system and related system attributes.
The OpenNAC Agent now uses the Agent Reporting Tag (ART). This tag reports a unique ID the very first time the agent sends information. This ID helps us keep track of each specific agent, especially when many different users or groups (multi-tenant scenarios) are using the system.
Added an option to enable/disable the portal using the config.json file. By default the Next Gen portal is always enabled, but in some scenarios it is not needed.
Added a new healthcheck to verify that the KRI engine is running correctly; it is available on the principal and the workers.
Adapted the payload processing so that the information coming from the mobile payloads is parsed correctly.
Improved the performance for the search bar engine on the different sections.
Add log rotation for all MySQL related logs to prevent the /var/log directory from filling up.
When creating local users, allow the userID field to contain the ‘/’ character, so that host users can be defined, e.g. host/oncore.
Bugs fixed
Error in policy preconditions: translations were not working correctly; the internal variable referring to the field was displayed instead of its translation.
The Gather System Updates (Windows Only) variable is now enabled by default when creating a new agent profile. Also, the System Updates Check URL Timeout and System Updates Script Execution Timeout variables are hidden or displayed depending on whether the Gather System Updates (Windows Only) variable is enabled.
To avoid errors when evaluating policy fields, lowercase is no longer allowed in tag-related fields, as the poleval engine does not recognize lowercase tags.
The network device creation process has been corrected. Previously, while user events triggered the creation of network devices, the associated network tags were not being applied during the device creation phase. This has been resolved to ensure proper tagging of newly created network devices.
The cron task for removing old radacct entries was failing due to the absence of a required End-of-Line (EOL) character in the configuration.
In the business profile view, the tags did not appear in the “Switch location tags” field.
All the “opencloudfactory.com” emails have been replaced with cipherbit emails.
User names and user ID fields have been reviewed to check if special characters or spaces can be allowed.
Error when removing a ND from the Default view: if we checked the information of an event from the Default view and tried to remove it from the Default View window, an application error was shown.
When creating new networks, it was possible to define tags for the Network Device with special characters that affected the functionality.
Fixed a bug related to the php-fpm service that appeared when editing policies on the frontend.
AuthModel was using Redis parameters instead of those in application.ini, which could cause errors in some deployments.
CMDB Imports were not showing the imported object information in the Imported file column.
In the Default view section, the Network Device link should not be displayed if the object does not exist.
Added a warning message so if a section does not have any object, we cannot perform the export action.
Added a filter selector by “State” on the captive sponsor validations requests that are archived.
The onvpngw node can be defined in any position on /etc/hosts, until now we only detected it when it was at the beginning of the line, which could lead to errors if it was not defined correctly.
Refactor API PUT call so it does not need the ID inside the data payload, we only need it in the URL.
Fixed the location filter in ON CMDB - Network Devices and also in the default view section.
When importing objects, NotEmpty validations returned an error if the field did not exist; fixed to only show the error for mandatory fields.
Discarded IPMAC events in VISIBILITY connections when the IP does not match the range defined by the VLAN: when a VISIBILITY connection is established and a VLAN is defined (different from “switch default”), an IPMAC event whose IP does not match the ranges defined in CMDB Networks for the current VLAN was discarded. However, VISIBILITY events are not related to VLAN assignment, so this restriction should not apply.
KRI engine not working because of a missing EOL: we added the full execution path for the KRI script and disabled its execution by default.
Protect PDF template download so if the necessary fields are empty we do not download any invalid objects.
If the session data field exceeds the expected length, a POST query is used to send the data, as GET cannot process all the data in the field.
Sponsors could not validate the user after user e-mail confirmation, especially when the guest user confirms from the same device they used to sign up.
1.5.5.1.3. ON Captive
These are the changes in this release that affect the ON Captive component.
Bugs fixed
Fixed the owner for the captive-portal logrotate files so the logs rotate as expected.
1.5.5.1.4. ON Analytics
These are the changes in this release that affect the ON Analytics components.
Functionalities
Added a Kerberos connections dashboard to visualize authentication metrics, including connection counts, client/server distribution, and error analysis, to monitor secure network communication.
Added Trending dashboards to show temporal patterns of system events, segmented by nodes and source modules, to identify activity trends and potential anomalies.
Bugs fixed
Improved the convertFiles.sh script so the different actions in the script are performed in the correct order; also increased the total mapping fields to avoid errors when processing data.
1.5.5.1.5. ON Aggregator
These are the changes in this release that affect the ON Aggregator components.
Bugs fixed
Bug in the 999_output file: the variables were parametrized so the file uses the OPENNAC_ES_HOSTS variable instead of forcing the onanalytics host.
1.5.5.1.6. ON Agent
These are the changes in this release that affect the ON Agent components.
Functionalities
Improved the soluble agent download on the Windows platform by adding a check that the application is valid and can be executed (valid meaning an executable for the OS) and another one to verify that it has actually been executed.
1.5.5.2. Automated deployments
All the changes that affect automated deployments are described below.
1.5.5.2.1. ON Core
These are the Ansible changes in this release that affect the deployment of the ON Core component.
1.5.5.2.1.1. Bugs fixed
Some variables (msg_auth, lmt_proxy) were missing from the proxy configuration file, so the node deployment could not be performed correctly.