For RedHat-based systems, run the following command:
yum update packetfence --enablerepo=packetfence
PacketFence should now be upgraded. However, there may be extra steps required depending on the version you are upgrading from. Please review the following notes about upgrading from an older release.
Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence X.Y.Z).
Upgrading a version of PacketFence older than 4.1 to v5 will be a complex undertaking. While it’s entirely possible if done meticulously, we suggest you start from scratch and move your customizations and nodes information over to your new installation.
Please note that the sections below are cumulative. That is to say, if you are upgrading from version 4.3 to version 5.0 you must apply in order all changes in between the two versions, including database schema changes.
As always, taking a complete backup of your current installation is strongly recommended. A backup should contain a copy of all PacketFence files as well as a copy of the database. You can take a backup of the pf directory with the following command:
tar -C /usr/local -czf /root/packetfence.tar.gz pf
A backup of the database can be taken using the procedure described in the next section.
You must manually enter the MySQL password of the pf user in the conf/pfconfig.conf file. The MySQL password is saved in the conf/pf.conf file under the [database] section. Copy the following from conf/pf.conf to conf/pfconfig.conf:
pass=$YOURPASSWORDHERE
The violation triggers have been reworked for the new Fingerbank integration.
We highly suggest you copy conf/violations.conf.example over conf/violations.conf and then reconfigure any violations you had before.
Also, make sure you adjust the following triggers to their new ID (Can be found under Configuration→Fingerbank):
-
USERAGENTbecomesuser_agent -
MACVENDORbecomesmac_vendor
The OS trigger has been deprecated over the new dhcp_fingerprint trigger.
You will need to adjust these triggers to the new ids as well as renaming them.
The iptables configuration file doesn’t use the generated rules %%input_mgmt_guest_rules%% anymore. Make sure you remove this line from conf/iptables.conf.
Also a lot of additions were made to the iptables configuration file. Make sure you add the new rules in conf/iptables.conf.example to your existing iptables file or execute the following command to replace the whole file.
cp /usr/local/pf/conf/iptables.conf.example /usr/local/pf/conf/iptables.conf
If you are using EAP MS-CHAP local authentication, meaning your 802.1x connections authenticate against your local database, you will need to make sure you deactivate password encryption in the database.
In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext
Before making any changes to your database, ensure that you have a backup. A complete database backup can be taken using this command:
mysqldump --opt -u root -p pf | gzip > /root/packetfence_db.sql.gz
If your database is more than a few hundred megabytes, you may also want to consider using a tool such as Percona XtraBackup which makes for much faster restores than mysqldump.
Multiple changes have been made to the database schema. You will need to update it accordingly. Since we will be dropping and recreating the iplog table it is essential that you have a backup if you need the data it contains.
Make sure you run the following to update your schema:
mysql -u root -p pf -v < db/upgrade-4.7.0-5.0.0.sql
Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.0.0).
The node table has a new column (machine_account).
Make sure you run the following to update your schema:
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.6.0-4.7.0.sql
Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 4.7.0).
The locationlog and locationlog_history table have 2 new columns stripped_user_name and realm. We added new INDEX on iplog, violation and locationlog tables.
Make sure you run the following to update your schema:
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.5.0-4.6.0.sql
Code to match violation template pages have been reworked. Make sure to lowercase FR to fr in french template files name.
Realm are now managed by Freeradius server so if your users authenticate with a username like username@acme.com then add the realm acme.com in the Radius Realms configuration menu and in your Active Directory source select Use stripped username.
The class table has a new column delay_by.
Make sure you run the following to update your schema:
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.4.0-4.5.0.sql
The person table has 2 new column to keep the portal and the source used to authenticate.
The tables email_activation and sms_activation have been merged in a table named activation. It has an additional column to keep the portal used to register.
Make sure you run the following to update your schema:
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.2.0-4.3.0.sql
The parameters VlanMap and RoleMap have been added in switches.conf; be sure to add them in the [default] switch section.
The OAuth passthroughs will not be activated unless trapping.passthrough in pf.conf is enabled. Make sure you enable it if you have OAuth authentication sources (Google, Facebook, Github, LinkedIn and Windows Live).
Once the configuration is completed, update the file /usr/local/pf/conf/currently-at to match the new release number.
The person table has many new columns that can be used for registration.
The node table has new columns to store the time and bandwidth balances of a node.
The node table has also a new column to keep the audit-session-id from the RADIUS request to use with the CoA.
Added a new column config_timestamp in radius_nas table.
The locationlog table has new columns to store the switch IP and MAC when using dynamic controllers.
New table for inline (layer 3) accounting.
New table for WRIX data.
Make sure you run the following to update your schema:
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.1.0-4.2.0.sql
The parameter guests_self_registration.mandatory_fields from pf.conf (or pf.conf.defaults) was moved to the
default portal profile in profiles.conf.
The parameters registration.gaming_devices_registration and registration.gaming_devices_registration_role are replaced
with registration.device_registration and registration.device_registration_role.
Adjust your configuration files accordingly.
The captive portal has been rewritten using the Catalyst MVC framework. Any customization to the previous CGI scripts will need to be ported to the new architecture.
Once the configuration completed, update the file /usr/local/pf/conf/currently-at to match the new release number.
The category column in the temporary_password should not be mandatory.
Also, the access_level of the temporary_password table is now a string instead of a bit string.
Make sure you run the following to update your schema:
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.0.0-4.1.0.sql
The parameters trapping.redirecturl and trapping.always_use_redirecturl from pf.conf (or pf.conf.defaults)
were moved to the default portal profile in profiles.conf.
The parameter registration.range has been deprecated. Make sure you remove it from your configuration file.
The action set_access_level of authentication sources in authentication.conf must now match one of the admin roles
defined in adminroles.conf. The previous level 4294967295 must be replaced by ALL and the level 0 by NONE.
Adjust your configuration files accordingly.
Once the configuration completed, update the file /usr/local/pf/conf/currently-at to match the new release number.
The method pf::authentication::authenticate now expects an array of pf::authentication::Source objects instead of an array of source IDs.
The methods getSourceByType, getInternalSources, and getExternalSources of the module pf::Portal::Profile now return pf::authentication::Source objects instead of source IDs.
This release adds a new dependency on the Perl module Apache::SSLLookup. Once installed, update the file /usr/local/pf/conf/currently-at to match the new release number.
The parameter guest_self_reg in the profiles.conf file is no longer necessary. The self-registration is now automatically enabled if at least one external authentication source is selected (Email, SMS, SponsorEmail, or Oauth2).
You need to downgrade the version of perl-Net-DNS and perl-Net-DNS-Nameserver to version 0.65-4 in order to fix the issue with pfdns crashing.
This release only fixes various bugs and doesn’t need the database schema to be modified. Simply update the file /usr/local/pf/conf/currently-at to match the new release number.
LDAP SSL and STARTTLS is now correctly implemented. Make sure the server you specify in authentication.conf supports the encryption type requested on the port configured. Failure to do so will break LDAP and Active Directory authentication.
This release only fixes various bugs and doesn’t need the database schema to be modified. Simply update the file /usr/local/pf/conf/currently-at to match the new release number.
Upgrading an old version of PacketFence to v4 will be quite an endeavor. While it’s entirely possible if done meticulously, we suggest you start from scratch and move your customizations and nodes information over to your new installation.
The temporary password table has been extended to include roles information. Moreover, an "admin" user is now automatically created. The default password is also "admin". Finally, a new table has been added for saved searches in the new Web administrative interface.
mysql -u root -p pf -v < /usr/local/pf/db/upgrade-3.6.1-4.0.0.sql
PacketFence v4 received a major overhaul, especially regarding the authentication
sources. Authentication modules found in conf/authentication/ are no longer
being used and have been replaced by the conf/authentication.conf file. While
this file can be hand-edited, you should create your authentication sources
and perform roles-mapping using the Configuation > Users > Sources page from
PacketFence’s Web administrative interface.
Also, in PacketFence v4, the VLANs can be assigned in conf/switches.conf by constructing
the parameter names from the VLAN names and the Vlan suffix. The VLAN names must match one
of the default names (registration, isolation, macDetection, inline, and voice) or one of the
defined roles. If you were using custom VLANs, you must create a new role per VLAN and assign
them accordingly.
Other key changes were done, such as:
-
moved remediation templates in
html/captive-portal/templates/violationsand converted them to Template Toolkit -
dropped guests_admin_registration.category
-
dropped guests_self_registration.access_duration
-
dropped guests_self_registration.category
-
dropped guests_self_registration.sponsor_authentication
-
dropped guests_self_registration.sponsors_only_from_localdomain
-
dropped ports.listeners
-
dropped registration.auth and registration.default_auth
-
dropped registration.maxnodes
-
dropped registration.expire_* and registration.skip_*
-
dropped trapping.blacklist
-
dropped support for resetVlanAllPort in
bin/pfcmd_vlan -
dropped
sbin/pfredirectbinary -
splitted the httpd services in three: httpd.admin, httpd.portal and httpd.webservices
-
domain-name is no longer required in each section of networks.conf
For all parameters related to authentication (categories, access duration, sponsor authentication, etc.),
you should now set proper actions in the conf/authentication.conf file.
Finally, the pf must be sudoer access to the /sbin/ip (and others) binary. As root, please do:
echo "pf ALL=NOPASSWD: /sbin/iptables, /usr/sbin/ipset, /sbin/ip, /sbin/vconfig, /sbin/route, /sbin/service, /usr/bin/tee, /usr/local/pf/sbin/pfdhcplistener, /bin/kill, /usr/sbin/dhcpd, /usr/sbin/radiusd" >> /etc/sudoers