PacketFence Upgrade Guide

There is a specific cluster upgrade that must be performed if the current version is prior to 10.3. Follow the steps described in MariaDB upgrade to 10.2.

If you reboot a standalone server or any server member in a cluster after services have been stopped, make sure you set the systemd target to multi-user.target before rebooting:

This will ensure services do not restart after a reboot.

After rebooting revert to the previous target:

Update PacketFence with yum:

PacketFence, Fingerbank and all their dependencies should now be upgraded. However, there may be extra steps required depending on the version you are upgrading from.

Update PacketFence with apt:

PacketFence relies heavily on Fingerbank, it is recommended to use the latest version:

PacketFence and Fingerbank are now upgraded. However, there may be additional steps that are required depending on the version being upgrading from.

Once packages are all upgraded, you should take care to review any changes to configuration files and merge them if required.

To find out which configuration files have changed run following command:

The list of files returned are the new versions shipped with PacketFence. Compare them with your installed versions and see if there are changes that should be merged into your existing configuration.

Then, once you are done make sure to delete these files so that there is no confusion the next time you upgrade PacketFence:

The headers for your specific kernel may not be published anymore in the CentOS repository. If that is the case, then perform the following prior to the upgrade:

In order to be able to work on the server, we first need to stop all the PacketFence application services on it, see Stop all PacketFence services section.

Now stop packetfence-mariadb:

Now proceed with the MariaDB upgrade

At this moment you have the newest version of MariaDB installed on your system. Ensure MariaDB is running:

You can check you are running MariaDB 10.2 version with following command:

Next step is to upgrade your databases:

After databases have been upgraded, you can disable default MariaDB service:

packetfence-mariadb service will be started later by upgrade of PacketFence package(s).

At this step you have now the MariaDB 10.2 database ready. You can now upgrade the PacketFence version by following instructions in Packages upgrades section.

In this procedure, the 3 nodes will be named A, B and C and they are in this order in cluster.conf. When we referenced their hostnames, we speak about hostnames in cluster.conf.

Follow instructions related to export process.

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 10.3 schema to 11.0.

To upgrade the database schema, run the following command:

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 11.0 schema to 11.1.

To upgrade the database schema, run the following command:

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 11.1 schema to 11.2.

To upgrade the database schema, run the following command:

The temporary password table has been extended to include roles information. Moreover, an "admin" user is now automatically created. The default password is also "admin". Finally, a new table has been added for saved searches in the new Web administrative interface.

PacketFence v4 received a major overhaul, especially regarding the authentication sources. Authentication modules found in conf/authentication/ are no longer being used and have been replaced by the conf/authentication.conf file. While this file can be hand-edited, you should create your authentication sources and perform roles-mapping using the Configuation > Users > Sources page from PacketFence’s Web administrative interface.

Also, in PacketFence v4, the VLANs can be assigned in conf/switches.conf by constructing the parameter names from the VLAN names and the Vlan suffix. The VLAN names must match one of the default names (registration, isolation, macDetection, inline, and voice) or one of the defined roles. If you were using custom VLANs, you must create a new role per VLAN and assign them accordingly.

Other key changes were done, such as:

For all parameters related to authentication (categories, access duration, sponsor authentication, etc.), you should now set proper actions in the conf/authentication.conf file.

Finally, the pf must be sudoer access to the /sbin/ip (and others) binary. As root, please do:

The method pf::authentication::authenticate now expects an array of pf::authentication::Source objects instead of an array of source IDs.

The methods getSourceByType, getInternalSources, and getExternalSources of the module pf::Portal::Profile now return pf::authentication::Source objects instead of source IDs.

The category column in the temporary_password should not be mandatory.

Also, the access_level of the temporary_password table is now a string instead of a bit string.

Make sure you run the following to update your schema:

The parameters trapping.redirecturl and trapping.always_use_redirecturl from pf.conf (or pf.conf.defaults) were moved to the default portal profile in profiles.conf.

The parameter registration.range has been deprecated. Make sure you remove it from your configuration file.

The action set_access_level of authentication sources in authentication.conf must now match one of the admin roles defined in adminroles.conf. The previous level 4294967295 must be replaced by ALL and the level 0 by NONE.

Adjust your configuration files accordingly.

Once the configuration completed, update the file /usr/local/pf/conf/currently-at to match the new release number.

The person table has many new columns that can be used for registration.

The node table has new columns to store the time and bandwidth balances of a node.

The node table has also a new column to keep the audit-session-id from the RADIUS request to use with the CoA.

Added a new column config_timestamp in radius_nas table.

The locationlog table has new columns to store the switch IP and MAC when using dynamic controllers.

New table for inline (layer 3) accounting.

New table for WRIX data.

Make sure you run the following to update your schema:

The parameter guests_self_registration.mandatory_fields from pf.conf (or pf.conf.defaults) was moved to the default portal profile in profiles.conf.

The parameters registration.gaming_devices_registration and registration.gaming_devices_registration_role are replaced with registration.device_registration and registration.device_registration_role.

Adjust your configuration files accordingly.

The captive portal has been rewritten using the Catalyst MVC framework. Any customization to the previous CGI scripts will need to be ported to the new architecture.

Once the configuration completed, update the file /usr/local/pf/conf/currently-at to match the new release number.

The person table has 2 new column to keep the portal and the source used to authenticate.

The tables email_activation and sms_activation have been merged in a table named activation. It has an additional column to keep the portal used to register.

Make sure you run the following to update your schema:

The parameters VlanMap and RoleMap have been added in switches.conf; be sure to add them in the [default] switch section.

The OAuth passthroughs will not be activated unless trapping.passthrough in pf.conf is enabled. Make sure you enable it if you have OAuth authentication sources (Google, Facebook, Github, LinkedIn and Windows Live).

Once the configuration is completed, update the file /usr/local/pf/conf/currently-at to match the new release number.

Introduced the 'iplog_history' table for easier cleanup of the existing 'iplog' table.

Make sure you run the following to update your schema:

The serialization of the objects in the cache changed, making all the previous cached objects invalid. With PacketFence completely stopped do :

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 4.4.0).

The class table has a new column delay_by.

Make sure you run the following to update your schema:

A new parameter 'delay_by' has been introduced in the violation configuration. Make sure to add the following to the 'defaults' section of 'conf/violations.conf' to avoid any problem.

delay_by=0s

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 4.5.0).

The locationlog and locationlog_history table have 2 new columns stripped_user_name and realm. We added new INDEX on iplog, violation and locationlog tables.

Make sure you run the following to update your schema:

Code to match violation template pages have been reworked. Make sure to lowercase FR to fr in french template files name.

Realm are now managed by Freeradius server so if your users authenticate with a username like username@acme.com then add the realm acme.com in the Radius Realms configuration menu and in your Active Directory source select 'Use stripped username'.

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 4.6.0).

The 'node' table has a new column (machine_account).

Make sure you run the following to update your schema:

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 4.7.0).

Before making any changes to your database, ensure that you have a backup. A complete database backup can be taken using this command:

If your database is more than a few hundred megabytes, you may also want to consider using a tool such as Percona XtraBackup which makes for much faster restores than mysqldump.

Multiple changes have been made to the database schema. You will need to update it accordingly. Since we will be dropping and recreating the 'iplog' table it is essential that you have a backup if you need the data it contains.

Make sure you run the following to update your schema:

You must manually enter the MySQL password of the pf user in the conf/pfconfig.conf file. The MySQL password is saved in the conf/pf.conf file under the [database] section. Copy the following from conf/pf.conf to conf/pfconfig.conf:

The violation triggers have been reworked for the new Fingerbank integration. We highly suggest you copy conf/violations.conf.example over conf/violations.conf and then reconfigure any violations you had before.

Also, make sure you adjust the following triggers to their new ID (Can be found under 'Configuration→Fingerbank'):

The OS trigger has been deprecated over the new dhcp_fingerprint trigger. You will need to adjust these triggers to the new ids as well as renaming them.

The iptables configuration file doesn’t use the generated rules '%%input_mgmt_guest_rules%%' anymore. Make sure you remove this line from conf/iptables.conf.

Also a lot of additions were made to the iptables configuration file. Make sure you add the new rules in conf/iptables.conf.example to your existing iptables file or execute the following command to replace the whole file.

If you are using EAP MS-CHAP local authentication, meaning your 802.1x connections authenticate against your local database, you will need to make sure you deactivate password encryption in the database. In the administration interface, go in 'Configuration → Advanced' and set 'Database passwords hashing method' to plaintext

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.0.0).

Multiple changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

These two services have been disabled by default. If you are using SNMP traps enforcement on your switches (like port-security), make sure you re-enable them in 'Configuration→Services'.

The Microsoft Active Directory domain join configuration is now part of PacketFence. A migration script has been made so you can migrate an existing domain join into this configuration. Note that this step is not mandatory, as the old join method is still supported. But if you do not perform this step, you will not see its configuration from the PacketFence web administrative interface.

Simply execute the following script and follow its instructions /usr/local/pf/addons/AD/migrate.pl

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.1.0).

Multiple changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

If you are using an Active/Active cluster, you will need to adjust the monitoring database host to point to your database as it is not forced anymore.

In conf/pf.conf :

If you are using email registration, web-auth enforcement (external captive-portal), device registration feature, or anything that would require to access the captive portal from outside the registration/isolation VLANs, you might want (actually, you need otherwise it will no longer works!) to add the 'portal' type to the existing 'management' interface.

In conf/pf.conf :

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.2.0).

Changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

A downgrade in a package version may cause an error when trying to upgrade.

If you receive this error:

Run the following commands:

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.3.0).

Changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

Authentication sources rules have been reworked in a way to differentiate an 'authentication' rule and an 'administration' rule. Codewise, that means that codeflow will look into specific types of rules depending of the use case.

Please take a minute or two to go through the existing rules for each of the authentication sources and make sure there is no 'administration' class actions into an 'authentication' class rule and vice versa, otherwise the "invalid" action will be ignored.

Authentication sources rules structure is as follow:

For example, if an existing rule is as follow:

That existing rule will default to the 'authentication' class if none is being set. If that’s the case, the first action "Set access level of Web admin" will then be ignored.

To replicate that existing rule with the new classes, you would have to create two separate rules, as follow:

Rule for 'administration' purposes

Rule for 'authentication' purposes

Configuration will be validated on every start / restart so that "bogus" authentication sources / rules can be identified.

The Facebook API now requires to specify the fields to be defined in the query. In all your facebook sources, change the parameter protected_resource_url to https://graph.facebook.com/me?fields=id,name,email,first_name,last_name

Change the parameter scope to user,user:email in all your Github sources as PacketFence is now fetching the email address of the user when registering with Github.

monitoring.statsd_host and monitoring.statsd_port have been removed from pf.conf. If you have specified a specific host or port, remove them from your configuration and change them in /usr/local/pf/lib/pf/StatsD.pm

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.4.0).

Changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

The VLAN filter has been reworked to use a more generalized syntax to allow more complex filters to be created.

This mean nested conditions no longer need to specify the attribute in the condition.

So the following attribute

Should be rewritten as

The older syntax is still supported but will be deprecated in a future release.

The operators match and match_not has changed their behavior. They will match (or not match) the exact string given in the condition. The following condition

Will match node_info.computername only if it contians '^Bob'. It will not match if node_info.computername start with 'Bob'

If you need to use a regex then use the regex/regex_not operator. So the following condition should be changed from

To the following

The following parameters have been removed from pf.conf. Make sure to remove them from your file if configured.

Violations have been reworked and configuration changes are necessary in order to maintain functionnality.

In violations.conf the following actions have been renamed, please update them accordingly.

The following action have been removed from the violations :

Also in violations.conf, the parameter whitelisted_categories has been renamed into whitelisted_roles

The parameter billing_engine of the Portal Profiles has been deprecated. Remove it from all your profiles configuration in /usr/local/pf/conf/profiles.conf.

The billing engine of PacketFence has been reworked completely.

It will require to reconfigure existing billing providers from scratch as there is no retro-compatibility with the previous configuration.

Please see the Administration Guide for details on how to configure the billing engine.

Mod_qos configuration has been moved from "services" to "captive_portal" section. Make sure to apply the appropriate changes if needed.

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.5.0).

Changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

The file lib/pf/vlan/custom.pm has now been renamed to lib/pf/role/custom.pm. Most of the customizations that used to be made in vlan/custom.pm can now be handled by configuring a vlan filter. You should take a good look at your existing vlan/custom.pm and consider porting the changes to conf/vlan_filters.conf.

The scopes for the VLAN filters have changed. The following have been renamed according to these rules:

NormalVlan → RegisteredRole RegistrationVlan → RegistrationRole ViolationVlan → ViolationRole InlineVlan → InlineRole

If you have defined any filters in /usr/local/pf/conf/vlan_filters.conf, make sure to rename all references to the left hand side with the new names on the right hand side.

The default type for the switches now needs to be set explicitly. Add the following line in the default section of /usr/local/pf/conf/switches.conf

type=Generic

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.6.0).

With the introduction of the ability to trigger a violation based on a MD5 hash detected by Suricata, a new trigger type has been introduced, requiring the modification of the actual 'suricata' trigger. Make sure to go through your violations configuration and change any 'suricata' trigger name for 'suricata_event'.

Changes have been made to the database schema. You will need to update it accordingly.

Make sure you run the following to update your schema:

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 5.7.0).

The new registration devices parking requires that you add the following violation in /usr/local/pf/conf/violations.conf

The chained source has been deprecated in favor of a fully customizable flow in the captive portal.

Make sure you delete the source BEFORE upgrading your installation.

Once you upgrade, configure a portal module for each of your sources and a chained one that contains both. Refer to the administration guide for a detailed example.

The parameter mandatory_fields of the Portal Profiles has been deprecated. Remove it from all the profiles in profiles.conf

To configure mandatatory fields in the portal, refer to the 'Portal Modules' section of the Administration guide

You need to add the root_module parameter to your default portal profile. In profiles.conf add root_module=default_policy to the default portal profile

All the OAuth2 sources you have configured (Facebook, Github, Google, LinkedIn ,Twitter, Windows Live) need to be adjusted as the redirect URL is now the same for all the types.

In the admin interface change Portal URL from https://YOUR_HOSTNAME/oauth2/SOURCE_TYPE to https://YOUR_HOSTNAME/oauth/callback (where SOURCE_TYPE would be the lower case name of the source type). Note that this parameter is named redirect_url in the configuration file.

Use the Cisco::Catalyst_2960 switch module instead of the Cisco::Catalyst_2960_http as switch type.

Use the Cisco::WLC switch module instead of the Cisco::WLC_http as switch type.

The portalURL configuration parameter is now configured per-role so make sure you have http://ip_portal/$session_id assigned to the registration role in the Role by Web Auth URL section of the switch configuration.

See the Network Device configuration guide for additional details.

Google Project Fi have been added as a supported carrier. Since an ID is hardcoded on creation of a new entry in the 'sms_carrier' database table, a manual intervention may be required in the case the database schema update fails.

'expire' and 'maintenance' section have been reworked and 'expire' section is no longer a thing. Make sure to adjust configuration parameter accordingly if needed;

The 'REJECT' role is now a default standard role. If you already have such role, make sure no conflict exists.

Also, add the following line to the default section of switches.conf :

REJECTVlan = -1

If you have a domain configured directly in PacketFence (in 'Configuration→Domains'), you need to re-generate the associated configuration files as changes have been made to the samba configuration.

Using the CLI /usr/local/pf/bin/pfcmd generatedomainconfig or in the admin interface in 'Configuration→Domains', click 'Refresh domain configuration'

PacketFence 6 relies on FreeRADIUS 3 rather that FreeRADIUS 2 as provided in PacketFence 5. The configuration files, directory layout and "unlang" directives have changed significantly. The packaging will automatically rename the existing raddb directory to raddb-pre6. All your existing configuration and certificates (if stored under raddb/certs) should be preserved but may need to be merged with the new raddb directory layout if you customized them.

The configuration files under conf/radiusd/.example have also changed. Make sure to compare them to your conf/radiusd/ files if you have any customizations, and merge any *.rpmnew files that may have been created by the packaging.

The default location for the FreeRADIUS server certificates has changed from conf/ssl/ to raddb/certs/. The configuration of the certificates location is in conf/radiusd/eap.conf. You may point it to any valid certificate and key by setting the value of certificate_file and private_key_file respectively. It is not recommended to use the same server certificate for the HTTP services and the RADIUS server as the requirements for each are different. Reusing the same certificate will work, but you would be well advised to consider separate certificates.

Finally, the database schema for the RADIUS accounting tables and stored procedures have changed. Make sure to apply the database changes as described in the following section.

Significant changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 5.7 schema to 6.0.

Since the schema of the radacct table has been reworked, the script will rename the existing table to radacct2 and insert it’s content into the new radacct table. If your existing radacct table is large (as is sometimes the case), the operation may take a long time and consume a significant amount of disk space. Make sure to have plenty of both before running the upgrade script.

You can estimate the size of the existing radacct table by running the following command:

You should have at least twice as much space as that table uses in the filesystem on which the MySQL data directory is mounted (usually /var/lib/mysql).

If you do not have enough space or time, you may consider truncating the radacct table (or simply deleting some of the rows) before running the upgrade script.

When ready, run the following to update your schema:

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 6.0.0).

You will also want to drop the radacct2 table from the database as it will no longer be needed.

The management IP(s) of PacketFence are now defined as switches with a forced RADIUS secret defined in /usr/local/pf/conf/local_secret. Make sure you reconfigure the secret in the file if necessary and that this file is synchronized on all your cluster members if that applies. Note that this doesn’t affect the RADIUS secret you have configured for wireless controllers and switches. It only affects RADIUS requests that originate from the management IP(s)

A change to the authorize URL of LinkedIn was made. Make sure to change the 'API Authorize Path' in all your LinkedIn source to /uas/oauth2/authorization.

The following file: /usr/local/pf/conf/radiusd/eap.conf was modified to use TemplateToolkit, you will need to replace it by /usr/local/pf/conf/radiusd/eap.conf.example, make sure to re-edit the new file and add your certificate if needed.

Rejoining the domains from PacketFence GUI is required.

Go under Configuration→RADIUS→Domains and click Rejoin for each domain configured.

The configuration of the Scan engines and the Provisioners has been reworked to use the Fingerbank device IDs in the OS matching. scan.conf and provisioning.conf need to be migrated to use the new values. A migration script should be run # /usr/local/pf/addons/upgrade/to-6.3-os-rewrite.pl to migrate the configuration. This will output the migrated configuration in /usr/local/pf/conf/provisioning.conf.new and /usr/local/pf/conf/scan.conf.new. First run the script and then validate that their content is fine. Once that is done, copy the files over the original ones using :

The Fingerbank database can now be hosted in the same MySQL database PacketFence uses.

In order to do so, you need to collect the database credentials from the PacketFence configuration:

Now, you need to create the database and assign the proper rights to the user by executing the following commands:

Replace myPassword by the password displayed (pass) when running the first command.

Next, head to 'Configuration→Fingerbank Settings' in the web administration interface and configure the following parameters:

After saving those new parameters, at the top of the same page, click 'Initialize MySQL database' to start the import process. Once that is completed, you will receive an e-mail to the one configured for alerting and PacketFence will start using the MySQL backend for the Fingerbank database.

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 6.3 schema to 6.4.

To upgrade the database schema, run the following command:

Rework of the external captive portal capabilities involves some significant changes in the switch modules configuration. Some switch modules have been moved to other ones and some others have been removed. Please adjust the configuration (type) accordingly within switches.conf.

To instruct a switch module to perform external captive portal enforcement, a new switch configuration parameter have been added. Make sure to adjust the following parameter to your needs in switches.conf

External captive portal URLs have also changed. Change them accordingly depending on the type of equipment you use:

Where portal_ip is the IP Address (or DNS name) of your captive portal as it was configured before

If you use WMI, you must modify conf/wmi.conf in order to make sure that a namespace parameter is defined for each rule. For example, you could have:

Upon PacketFence installation, a default cronjob will be in /etc/cron.d/. You should make sure you do not invoke the /usr/local/pf/addons/backup-and-maintenance.sh script from any other cronjob.

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 6.4.0).

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 6.4 schema to 6.5.

To upgrade the database schema, run the following command:

The method signature of pf::node::node_register has been modified. Make sure you adjust any custom code / external scripts to handle the new returned values.

You must rename "controllerPort" to "disconnectPort" in your switches.conf configuration file. You can automate this using:

Eduroam authentication source is now an "exclusive" authentication source rather than an "external" one. That being said, make sure to adjust portal profile accordingly (an "exclusive" authentication source can be the only one configured in a portal profile).

In order to be sure all your logging facilities use the new logging backend which ensures the processes will not die in case of a logging failure, you must execute the following command:

The email templates have been moved from /usr/local/pf/conf/emails/ to /usr/local/pf/html/captive-portal/templates/emails/ as they are now configurable by portal profile. Also you can configure the language in which PacketFence should send emails to the administrator in the Advanced section of the configuration.

Make sure you run the following command after upgrading:

When whitelisting roles in a violation, the registration role will now match unregistered devices where before it would never match. Make sure to go through violations that may include this role to make sure it is relevant.

The "configfile" and "traplog" database tables are now deprecated. If you wish to reclaim the disk space used by those two database tables, they should be manually removed.

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 6.5.0).

If you were using the default 'RoleMap = Y' in the conf/switches.conf it’s disabled by default now. You will need to put 'RoleMap = Y' under your switches or switch group configuration.

The requirement for MariaDB 10.1 means that a simple "apt upgrade" will not be enough. You will need to help apt through the upgrade by manually removing some packages and installing some others. The need to ensure you have backups cannot be overstated.

Make sure the apt database is up to date

Remove the MySQL 5.5 packages (do not purge them, as that would delete the database)

Install the newer Mariadb-10.1 packages

Finally, upgrade the rest of the packages

Note that "full-upgrade" may also affect other packages you might have installed on the system if you had other software than PacketFence on it.

Upgrading to PacketFence 7+ will install a more recent version of MariaDB than the one that is shipped with CentOS.

In order to upgrade the MariaDB metadata files and tables, first stop any started process.

Then start a mysqld_safe process manually (this will start a background process)

Then, execute the upgrade script and enter the root password when prompted

When done, kill the mysqld_safe process we started before the update, reattach to it and wait for it to exit

Note that it might take up to a few minutes for the process to exit depending on the size of your database.

Once done, restart the MariaDB service (managed by PacketFence)

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 6.5 schema to 7.0.

To upgrade the database schema, run the following command:

All PacketFence services are managed individually via systemd unit files instead of one unit file (packetfence.service). When you updated the PacketFence package, it already set the system target to packetfence.target.

If you are hosting the MySQL/MariaDB service on your PacketFence servers (it is by default), you should now manage the service via packetfence-mariadb.service instead of mariadb.service. The changes in the server startup will be done automatically by the packaging.

Given the portal profiles have now been renamed to connection profiles, you need to make sure any admin role that allowed portal profile Create/Read/Update/Delete operations is updated to be valid for connection profiles.

Multiple parameters inside pf.conf have been renamed for better clarity. Execute the following in order to migrate the parameters.

Maintenance related configuration for pfmon has been moved to a dedicated configuration file (/usr/local/pf/conf/pfmon.conf).

In order to migrate your settings from pf.conf to pfmon.conf, run the following script:

Minor changes were made to the DHCP filters configuration (/usr/local/pf/conf/dhcp_filters.conf).

First, the computer_name attribute was renamed to computername to be consistent with the rest of the application. Then, the DhcpFingerbank scope was changed to Fingerbank

In order to rename those in an automated way:

The source of truth for roles is now in a configuration file (/usr/local/pf/conf/roles.conf) instead of being in the database. In order to pull the existing roles from your database into the configuration file, execute the following command:

New parameters have been introduced in conf/pfdetect.conf. Run the following script to migrate your configuration.

If you are using the LinkedIn OAuth2 source, a change has been made on their API, thus you will need to do the following:

Since all logging now goes through rsyslog, if you had edited the logging configuration (e.g. to forward logs to a centralized syslog server) make sure that the new logging rules in /etc/rsyslog.d/packetfence.conf do not conflict with your changes.

Take a look at /usr/local/pf/conf/log.conf and /usr/local/pf/conf/log.conf.d/* for the detailed configuration of the PacketFence services.

Clear the redis queue to avoid old stale jobs from being processes.

Given that haproxy is now the termination point for the captive portal, any SSL configuration you have in /usr/local/pf/conf/httpd.conf.d/ssl-certificates.conf needs to be ported so that it works with haproxy.

Easiest solution is to bundle your server cert, your intermediates (if any) along with the key in the default file used by the PacketFence haproxy process (/usr/local/pf/conf/ssl/server.pem)

In order to do so:

A complete re-visit of the database clustering stack was done in version 7.0. If you run your PacketFence installation in a cluster, make sure you read the following section.

We highly suggest you migrate your existing clustered installation using Corosync/Pacemaker to the new cluster stack of PacketFence that uses MariaDB Galera cluster. The easiest way to perform this is to build new servers and port your configuration (by copying the configuration files) and your database (using mysqldump). There are ways to migrate the 2 existing nodes to a 3 nodes cluster but this is not covered in this guide.

No changes to your clustering stack is required when using an external database.

First, no changes are required to your database stack as MariaDB supports being deployed in Active/Passive.

You will need to adjust the Corosync/Pacemaker configuration to take in consideration the changes made to systemd for PacketFence services. Before 7.0, PacketFence used to be controlled via a single systemd unit file while now it uses a multiple services grouped in targets. In order to mimic the single service behavior that was in previous versions, a unit file is provided here: https://github.com/inverse-inc/packetfence/blob/devel/packetfence-active-passive.service. You should install this file in /etc/systemd/system/packetfence.service and make sure there are no other leftovers of packetfence.service unit files on your system.

Then, you must adjust the systemd default target so PacketFence doesn’t start on boot and note that this should be done on every future upgrade of your system.

You should then change your Corosync configuration for MariaDB and PacketFence to the following:

The PacketFence Active Directory Domains integration now supports multiple DNS servers to be specified to find a DC. For this reason the parameter dns_server has been renamed to dns_servers in domain.conf. In order to automatically rename the parameters, run the following command:

In order to use the Ubiquiti switch module that has been renamed, run the following command:

Due to a change in the API of Instagram please change the scope if you are using an Instagram OAuth2 source. Replace 'scope=email' by 'scope=basic' in conf/authentication.conf under the section '[Instagram Source]'.

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 7.0 schema to 7.1.

To upgrade the database schema, run the following command:

PacketFence is now able to instruct Samba to «pin» a DC for authentication or use all of them. You should instruct Samba to connect to all domain controllers by adding the following to each of your domains in domain.conf:

And then regenerate the domain configuration:

The CC address for sponsors is now BCC. In order to adjust the configuration, execute the following:

Any custom authentication sources forms and templates would need to be copied to the new location.

Templates /usr/local/pf/html/pfappserver/root/authentication/source/type/ → /usr/local/pf/html/pfappserver/root/config/source/type/

Forms /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Authentication/Source → /usr/local/pf/html/pfappserver/lib/pfappserver/Form/Config/Source

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 7.1 schema to 7.2.

To upgrade the database schema, run the following command:

You will need to remove anything related to [device_registration] in the conf/pf.conf file. Once done, you will need to reconfigure any device registration policy using the following instructions: https://packetfence.org/doc/PacketFence_Installation_Guide.html#_devices_registration

You have to run the following script to change the configuration:

There was, in some cases, an issue where the database cluster was put in a read-only mode which then prevent it to comes back gracefully.

A modification have been made to now use the wsrep_ready state of the DB as a read only indicator. Therefore, PacketFence will stop putting the DB in read only on quorum + primary loss of MariaDB and trust wsrep_ready instead

Ensure you merge changes in the galera section of conf/mariadb/mariadb.conf.tt.rpmnew into conf/mariadb/mariadb.conf.tt

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 7.3.0).

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 7.2 schema to 7.3.

To upgrade the database schema, run the following command:

If you use social login with LinkedIn OAuth2, you will need to adjust the list of domains that are passthroughs in the LinkedIn source.

For all your LinkedIn sources, change the domains to:

The redirection timer configuration (length of the timer bar at the end of the portal) has been moved from the fencing section to the captive_portal section. More precisely, it has moved from fencing.redirtimer to captive_portal.network_redirect_delay.

Changes have been made to the database schema. You will need to update it accordingly. An SQL upgrade script has been provided to upgrade the database from the 7.3 schema to 7.4.

To upgrade the database schema, run the following command:

Once completed, update the file /usr/local/pf/conf/currently-at to match the new release number (PacketFence 7.4.0).