1.5.6. Release 1.2.5-4

Release date: 26.09.2025

Welcome to the 1.2.5 OpenNAC Enterprise release.

This release prioritizes stability for the agent and core components and introduces security enhancements to the core.

1.5.6.1. OpenNAC improvements

All the changes in this release that affect the OpenNAC Enterprise solution.

1.5.6.1.1. ON Core

These are the changes in this release that affect the ON Core component.

Functionalities

  • Improved error handling in the Cynerio plugin to ensure device attributes and risk indicators are applied reliably.

  • Added a workflow template for FortiAP external captive portals, simplifying integration and homologation with dynamic parameter support.

  • Added DOP_* and DDP_* tags to the list of tags that the API processes when it receives an agent payload.

  • Fixed the guest approval flow so sponsor emails are sent correctly and users can complete the process without errors.

  • Improved validation and controls for local administrator accounts to strengthen identification and authorization policies (password policy: it must also contain 3 of these 4 characteristics: 1 number, 1 capital letter, 1 lower case letter or 1 special character from [^$%*()}{@#~,.!|=_±<>]).

  • Corrected role-based permissions to match the intended model: operator can now edit/delete local users, while otpmanager and audit can no longer modify the inactivity timeout. This resolves the inconsistencies between design and behavior and ensures consistent, reliable administration.

  • Expanded audit logs to include logouts, credential changes, event results (OK/ERROR) and clearer action types for better traceability.

  • Fixed a privilege escalation path by tightening ACL checks in certain API endpoints as part of LINCE certification.

  • Closed local file inclusion weaknesses in file handling routines to comply with LINCE certification.

  • Resolved a cross‑site scripting issue in the administration portal’s configuration section to meet LINCE requirements.

  • Blocked a local file inclusion path via LaTeX templates to prevent unintended file access, for LINCE certification.

  • Resolved a cross‑site scripting issue in the ON CMDB section of the portal, aligning with LINCE certification.

  • Hardened the Content Security Policy by removing ‘unsafe-eval’ and adding form-action and frame-ancestors directives.

  • Fixed an error when cloning Security Profiles, allowing duplicated profiles to be saved correctly without requiring a vendor-specific placeholder.

  • Improved user experience in captive workflows by centering timeout error messages, ensuring clearer communication when a session cannot start.

  • Strengthened TLS configuration by enabling modern ciphers and removing obsolete ones to improve security compliance.

  • Added support for creating new captive workflows, including guest user profiles and email verification forms.

  • Guest and SAML workflows now check device status considering visibility connections to reflect real device context.

  • Successful captive authentications now present clear confirmations and consistent post‑login behavior.

  • Fixed captive portal errors when handling requests containing the ‘autherr=0’ parameter so sessions continue correctly.

  • Corrected the Network Behavior dashboard so filters using system identifiers return valid results.

  • Prevented creation of duplicate default servers in agent configuration via API, ensuring consistent settings.

  • Mitigated a code execution risk by validating and sanitizing inputs as part of the LINCE certification effort.

  • Removed obsolete elastiFlow configuration remnants to simplify and stabilize deployments.

  • Extended the whitelist to accept additional tags reported by Android payloads.

  • Updated Android agent download options to improve compatibility and streamline installation.

  • Fixed SQL injection vulnerabilities found during evaluation, ensuring safer database operations for LINCE certification.

  • Fixed a server-side check that discarded iOS payloads, ensuring mobile configuration profiles are handled correctly.

  • Corrected the Agent Profile REST API so PUT requests update profiles consistently without errors.

  • Fixed the display of Android payload header fields so multi‑value attributes are shown correctly in the portal.

  • Fixed a problem when deleting email templates so templates are removed reliably without errors.

  • Corrected agent profile renewal timing so network parameters are applied with the proper units.

  • Fixed the tags column rendering in NetBackup Scheduler targets so all values display correctly.

  • Fixed the search in CMDB Imports to prevent invalid response errors and allow proper querying.

  • Fixed a server-side issue that returned an HTML file instead of the APK so Android installers download correctly.

  • Fixed application errors when creating or updating profiles that include WireGuard options.

  • Fixed a loading issue in the ACL management section so roles and permissions can be edited reliably.

  • Restricted RADIUS to EAP‑TLS only, disabling weaker methods for stronger security.
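The local administrator password policy listed above ("3 of these 4 characteristics") as a small checker. This is an added example, not OpenNAC code; it assumes the square brackets and spaces in the note are delimiters rather than members of the special-character set, and it implements only the character-class rule, since any other requirement (such as a minimum length) is not stated here.

```python
import string

# Special characters exactly as listed in the release note; '[', ']' and the
# surrounding spaces are assumed to be delimiters, not part of the set.
SPECIAL_CHARS = "^$%*()}{@#~,.!|=_±<>"


def character_classes(password: str) -> dict:
    """Report which of the four policy character classes the password contains.

    string.digits is used instead of str.isdigit() so that only ASCII 0-9
    count as "1 number", matching the narrow reading of the policy.
    """
    return {
        "number": any(c in string.digits for c in password),
        "capital": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "special": any(c in SPECIAL_CHARS for c in password),
    }


def check_password(password: str) -> tuple[bool, list[str]]:
    """Apply the 3-of-4 rule; return (passes, names of the absent classes).

    At most one class may be missing for the password to pass.
    """
    classes = character_classes(password)
    missing = [name for name, present in classes.items() if not present]
    return len(missing) <= 1, missing


def unrecognised_chars(password: str) -> str:
    """Characters that belong to none of the four classes.

    Under the policy as written these (e.g. '&', '-', '?') count toward
    nothing, which explains why a password with them can still fail.
    """
    allowed = set(string.digits + string.ascii_letters + SPECIAL_CHARS)
    return "".join(sorted({c for c in password if c not in allowed}))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Passw0rd", "password", "pass_word", "ab±1", "Pass&word"):
        ok, missing = check_password(candidate)
        extra = unrecognised_chars(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'FAIL'} missing={missing} unrecognised={extra!r}")
```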

Bugs fixed

  • Corrected VLAN filtering so lists show valid options and results are consistent across views.

  • Policy preconditions now accept certificate values containing ‘/’, with proper escaping and validation.

  • Resolved an issue where captive portal updates were not synchronized across nodes, keeping clusters consistent.

  • When updating a network device via API, if the brand or model is missing it now defaults to “Generic”, preventing incomplete or blank inventory records and ensuring data consistency across the platform.

  • Corrected compliance checks for Dell N1500 switches so MAB configuration applied on interfaces is detected and reflected in Analytics reports, ensuring accurate visibility of device posture and rule enforcement.

  • Fixed validation for local user identifiers so they correctly accept alphanumeric values as well as “/” and “_”, eliminating false validation errors and allowing legitimate accounts to be managed without issues.

  • Clarified error handling when disabling a default OSquery: the system now generates a single, consistent message instead of showing both a warning and an error, avoiding confusion for administrators.

  • The ‘retry’ option in captive workflows now triggers a new email and shows in‑portal notifications instead of browser alerts.

  • ISS_FW and ISS_AV tags are now cleared when newer agent information indicates they no longer apply.

  • Improved the suggested fields UI so options appear consistently.

  • Fixed OTP sections to avoid spurious error and warning dialogs.

  • Improved handling of rejected authentications so the resulting VLAN shows ‘access denied’ correctly and policy evaluation is coherent. Previously, when an authentication was rejected, a policy evaluation was still performed and “NAC Status” displayed the policy matching the request even though the authentication was not valid; the red flag indicated the “REJECT” status, but a result VLAN was still reported although no access was granted. The fix returns VLAN 4095 (“access denied”) whenever a “REJECT” status is returned.

  • Default agent rules are now immutable via API. Previously they could be edited or deleted; server-side validation now blocks these operations to match the admin portal.

  • Hardened OSQuery API validation so invalid values are rejected on PUT requests.

  • Location tags must be unique; duplicates are now prevented at creation and update time.

  • Fixed a localization error in captive portal layout files that could trigger a fatal error.

  • Restored image preview functionality in the portal so assets display correctly.

  • Improved translation handling to prevent errors when an incorrect translation is applied from the frontend.

  • Fixed an issue where creating OSQuery configs returned a constant identifier; new items now return their correct IDs.

  • Aligned checkboxes in nested panels so controls are properly positioned.

  • Fixed input validation in agent OSQuery editing so saved changes are accepted correctly.

  • Resolved errors when creating captive themes so new themes can be added without interruptions.

  • Fixed column filters in the NetBackup log section so users can refine results as expected.

  • The default view now orders columns by ‘last access’ to highlight most recent activity.

  • Fixed the search filters for captive workflows and captive VPN workflows so results are accurate.

  • Ensured the default filter is applied in Business Profiles so views load with the expected criteria.

  • Restored the evaluation order control in Policies so reordering takes effect immediately.

  • Handled duplicate tag prefixes during network device import to prevent creation errors.

  • Fixed an issue where applying filters froze pagination in the next‑gen portal, restoring smooth navigation of agent payloads.

  • Fixed the code that allowed JavaScript injection in the configuration dashboards and captive themes areas.

  • Resolved an issue that prevented the download of agents from the captive portal and the agent configuration when no IP was set in the server list after a clean installation.

1.5.6.1.2. ON Agent

These are the changes in this release that affect the ON Agent component.

Functionalities

  • Updated the vendor logo in the terms & conditions window for a consistent brand experience.

  • Agent now executes certain PowerShell checks in memory, reducing temporary file usage and improving security.

Bugs fixed

  • Stabilized agent tests tied to network configuration to improve build reliability.

  • Fixed Mac soluble installer packaging so the .dmg is generated correctly and the app starts without read‑only errors.

  • Resolved timeouts in system updates and added progress feedback to improve user visibility.