                         PacketFence

http://www.packetfence.org/

Notes on upgrading from an older release
----------------------------------------

o Upgrading from a version prior to 3.0.0:

    - BACKUP YOUR /usr/local/pf/ BEFORE UPGRADING
    All files in html/user/ will be removed on upgrade (everything is now
    in html/captive-portal/ as you'll see below). This includes templates and 
    remediation pages.

    - Database schema update
    Added support for guest self-registration / management. Also added support
    for Radius accounting. New tables creation. You need to update your schema
    with:
    mysql -u root -p pf -v < db/upgrade-2.2.0-3.0.0.sql

    - pf/vlan/custom.pm and pf/vlan/radius.pm API changes
    Several variables were changed from bareword constants into Readonly 
    constants (to fix #1266). Some of you might need to adjust your 
    customizations to handle this change. Most of you won't need to. If you use
    any of these constants in your customizations:
    WIRELESS_802_1X, WIRELESS_MAC_AUTH, WIRED_802_1X, WIRED_MAC_AUTH, 
    WIRED_SNMP_TRAPS, WIRELESS, WIRED, EAP, UNKNOWN, INLINE, VOIP, NO_VOIP
    Then you need to add a $ symbol in front of the constant's name.
    All of you will need to bump the API level to '1.01' after your changes are
    made (if required) to stop PacketFence from complaining about correct API 
    level.

    - Upgrade helper scripts
    Very basic upgrade scripts for 3.0 were created in addons/upgrade/. See 
    their POD doc for usage information:
    perldoc addons/upgrade/to-3.0-networks.conf.pl 
    perldoc addons/upgrade/to-3.0-pf.conf.pl 
    perldoc addons/upgrade/to-3.0-violations.conf.pl

    - Firewall (iptables) now handled by PacketFence
    Make sure that the iptables generated will not conflict with the rules you
    need for your environment. You can customize the default firewall 
    configuration in conf/iptables.conf. Also make sure that the iptables 
    service is started by your distro by default otherwise you will have 
    unnecessary error messages on PacketFence's startup.

    - Several changes to Apache configuration
    We've externalized repetitive portions in conf/httpd.conf.d/. Make sure to
    re-integrate any customization you've made.

    - violations.conf disable parameter deprecated in favor of enabled
    disable=Y|N is no longer supported. Change with enabled=Y|N.
    A helper upgrade script is provided in addons/upgrade/. See:
    perldoc addons/upgrade/to-3.0-violations.conf.pl

    - 'guest' category required for guest access
    Newly added guest handling requires a 'guest' node category. Users upgrading
    need to create it manually. See Node > Categories under the Web Admin or 
    `pfcmd help nodecategory`.

    - New pf.conf configuration parameter: interface enforcement
    Under the [interface ...] statements a new configuration parameter has been
    added: enforcement. We got rid of the concept of 'modes' in PacketFence and
    enforcement replaces that concept. It is a per interface choice allowing 
    you to run PacketFence in both inline and out-of-band mode at the same 
    time. Users upgrading should probably set enforcement=vlan on all interface
    with type=internal. Run `bin/pfcmd checkup` to validate your configuration.

    - conf/named_vlan.conf moved to conf/named.conf
    People using packages should be automatically updated. Make sure to put
    back any local changes you have made to the file. Others will need to move
    the file. You can do so with:
    mv /usr/local/pf/conf/named_vlan.conf /usr/local/pf/conf/named.conf

    - conf/dhcpd_vlan.conf moved to conf/dhcpd.conf
    People using packages should be automatically updated. Make sure to put
    back any local changes you have made to the file. Others will need to move
    the file. You can do so with:
    mv /usr/local/pf/conf/dhcpd_vlan.conf /usr/local/pf/conf/dhcpd.conf

    - vlan.dhcpd, vlan.named and vlan.radiusd moved under [services]
    These variables are now located under [services] and they have a new 
    default value of enabled. Make sure to remove or migrate the old 
    configuration from your conf/pf.conf.

    - services.httpd, dhcpd, named, radiusd, snmptrapd and snort renamed
    They were all renamed to <name>_binary. Adapt your configuration if 
    required. Most users shouldn't have to.

    - general.caching disabled by default
    A historical and badly understood feature, general caching, has now been
    disabled by default. Previously it only had impacts if the mode was ARP but
    because of the modes removal it needed to be changed to disabled by default.
    Please report any regression introduced by this change.

    - pf.conf's scan.live_tids parameter removed
    This "feature" has been removed because it created more confusion than 
    usefulness. Now every scan trigger ids specified in violations.conf have
    full effect.

    - networks.conf's pf_gateway= renamed next_hop=
    Make sure to update your configuration otherwise you will get warnings on
    startup. At some point in the future pf_gateway will no longer be supported.

    - networks.conf's type change
    isolation and registration keywords are replaced by vlan-isolation and 
    vlan-registration in networks.conf's type parameter. This is done to allow
    the introduction of the inline keyword and avoid confusion between vlan and
    inline enforcement over a network. It's recommended that you update your
    configuration as the old names will be removed in the future. `pfcmd 
    checkup` will warn you about this.

    - pf.conf parameter name and category changes
    Here are the changes:
    - vlan.adjustswitchportvlanscript is now advanced.adjustswitchportvlanscript
    - vlan.adjustswitchportvlanreasons is now advanced.reevaluate_access_reasons
    - ports.redirect is now inline.ports_redirect
    You only need to take action if you are not using the default values.

    - pf.conf's interface type changes
    We added management keyword to replace the confusing managed keyword. Also
    dhcp-listener is accepted in addition to the previously used dhcplistener.
    Use of the managed keyword will issue warnings in `pfcmd checkup`.

    - Dropping support of interface authorizedips
    pf.conf's per interface authorizedips parameter no longer exists. We don't
    belive if was used at all. If you want to achieve the same functionality 
    just edit conf/iptables.conf and add your own rules to allow specific IPs
    in.

    - flip.pl is no more
    Its functionality has been merged into pfcmd_vlan under the -reevaluateVlan
    flag. If you replaced system's flip.pl with your own you would like to know
    that you will need to parse the -reevaluateVlan and -mac aa:bb:cc:dd:ee:ff
    properly.

    - Authentication modules interface change
    All authentication modules (conf/authentication/*) were migrated into
    objects. Please carefully merge any module you were using by comparing
    the .rpmnew version and your version. If you are unsure, replace your
    module with the .rpmnew one and re-apply configuration parameters 
    afterwards.

    - Intrusive changes to Captive Portal
    It is recommended that you redo your customization from scratch instead of 
    trying to adapt it.
    Among other things:
     - Changes to all templates, cgi-bin/ scripts and pf::web core code
     - All remediation URLs have changed from /content/index.php to 
       /content/remediation.php. Make sure to update your conf/violations.conf!
     - All URLs are now clean URLs translated by Apache's mod_rewrite config
     - Default workflow now brings you to the login page (no more registration
       click-through unless you adjust nbregpages in configuration)
     - Default logo changed to packetfence-cp.png (was packetfence.png)
     - Files organization was changed. Anything custom relying on specific paths
       should be updated.
       - html/user/ became html/captive-portal
       - cgi-bin/ -> html/captive-portal/
       - html/user/content/templates/ -> html/captive-portal/templates/
       - html/user/content/violations/ -> html/captive-portal/violations/
       - html/user/content/3rdparty/ -> html/captive-portal/content/

    - Email Activation URL change
    From /activate/<hash> to /activate/email/<hash>

    - Support for Apache prior to version 2.2.0 dropped
    Upgrade your Apache. We don't think it's used by anyone at this point. Let
    us know if you need it back.

    - register-$type.cgi no longer supported
    If you relied on it, we suggest that you migrate your custom code into 
    lib/pf/web/custom.pm or the captive-portal's CGIs.

    - jpgraph external library now included with distribution
    Due to the lack of jpgraph packages, we decided to inline the software 
    instead of building packages for it. This simplifies installation from 
    tarball.
    Jpgraph's installation used to be at 
    /usr/local/pf/html/admin/common/jpgraph/jpgraph-<version> but is now in 
    /usr/local/pf/lib/jpgraph. Users of our packaged versions won't notice the
    change and can safely get rid of the php-jpgraph-packetfence package.

    - jpgraph 1.x support deprecated
    We got rid of the 1.x jpgraph support. It was only required for 
    environments still on PHP4. We don't think it's used by anyone at this 
    point. Let us know if you need it back.

    - Nortal/Avaya ERS Switch module rename
    We changed the naming of some Nortel/Avaya switch modules:
     - Avaya::ERS5500 -> Avaya::ERS5000
     - Avaya::ERS5500_6x -> Avaya::ERS5000_6x
     - Nortel::ERS4500 -> Nortel::ERS4000
     - Nortel::ERS5500 -> Nortel::ERS5000
     - Nortel::ERS5500_6x -> Nortel::ERS5000_6x

    - RADIUS Accounting
    RADIUS is now using SQL to fetch the client configuration.  So, for
    every device that needs to do MAC Authentication (Wired/Wireless) or
    802.1X, you need to add the radiusSecret=YOUR_SECRET to the
    switches.conf entry for that device.  Change YOUR_SECRET with the 
    actual RADIUS secret.

o Upgrading from a version prior to 2.2.1:

    - Cisco port-security + Voice over IP support on 2960, 2970, 3550 and 4500
    Changes (regressions?) in the Cisco 2960 IOS behavior in 12.2(46)SE or 
    greater forced us to change our VoIP handling behavior. If you run such an 
    IOS and have nodes behind the data port of your VoIP you need to upgrade 
    your switch configuration:
    On every PacketFence port with VoIP add:
      switchport port-security maximum 1 vlan voice
      switchport port-security mac-address 0200.010x.xxxx vlan voice
    where xxxxx is the ifIndex of the port under modification. See Network 
    Device Guide for a reminder of port to ifIndex translation for the 2960.

    Above configuration should *not* be applied to IOS earlier than 12.2(46)SE
    otherwise VoIP and/or device authorization will malfunction.

    We think that the above mentionned changes should not be required on other
    models than the 2960. Let us know if you experience otherwise.

    - pf::vlan's $node_info changed
    If you are using custom VLAN assignment code be aware that the $node_info
    hashref is now populated by node_attributes() instead of node_view(). Most
    important fields should still be available in $node_info however if you 
    needed one that is no longer there feel free to call node_view() yourself.
    This was done to reduce the overall latency of RADIUS replies.

o Upgrading from a version prior to 2.2.0:

    - Database schema update
    Related to the easier User-Agent violation system, some tables were 
    dropped and others added. You need to update your schema with:
    mysql -u root -p pf -v < db/upgrade-2.0.0-2.2.0.sql

    - Configuration files location changed from conf/templates/ to conf/
    Please make sure that you move your configuration files appropriately.

    - SSL configuration changes
    SSL Certificate statements are now stored in conf/ssl-certificates.conf.
    Make sure that you configure this file with your certificates correctly.
    This file will not be modified by our package. One less thing to worry 
    about on ugprades.

    - logrotate script installed by default
    Be careful if you done yours by hand. It might conflict with your script.

    - New Captive Portal Network Access Detection technique
    The previous approach to redirect users to the Internet when access was
    enabled never reliably worked so we are introducing a new javascript-based
    technique to do so. This approach involves a couple of clever tricks and 
    some browser-specific adjustments. Please review the differences between 
    your current html/user/content/templates/release.html file and the new 
    html/user/content/templates/release.html.rpmnew file. Also the behavior is
    adjusted by pf.conf's redirtimer, redirecturl and always_use_redirecturl 
    parameters under [trapping] and network_detection_ip under [captive_portal].
    More about this feature can be found in the Administration guide.

    - Apache's automatic performance settings adjustments
    Apache's configuration is now adjusted based on total system memory to
    prevent swapping scenarios with PacketFence. We feel the dynamic 
    configuration should do a good job but feel free to maintain your Apache 
    configuration by hand if you know better.

    - packetfence-freeradius2
    A new package that configures FreeRADIUS is available now. If you upgrade
    DO NOT install it unless you really know what you are doing.

    - clean-up in conf/violations.conf
    We added better examples and reduced the length of some violation names to
    improve user experience especially in the Web Admin. Update your 
    configuration if you want to benefit from those changes.

    - deprecated pf.conf parameters
    registration.queuesize was removed.

    - User-Agent violations rewrite
    If you are using USERAGENT::<id> triggers in your violation configuration,
    you need to updated them. We completely changed the back-end and the IDs
    are now all different. Check in the Web Admin under configuration -> 
    user-agent for the new IDs and the new possibilities.

    - Important problems found in the port-security for the 3Com Switch 4200G
    There is a bug in these switches that make the port-security support in 
    PacketFence flaky. If you use it you should upgrade to a MAC Auth / 802.1X
    configuration.

    - Status unknown of the port-security support for the 3Com SuperStack 4500
    We had problems with this code with the 4200G and since we don't have 
    access to a SS4500 we cannot guarantee that it works. Please get in touch
    with us if you have a SS4500 and can run some tests for us.

    - Behavior change regarding wired MAC-Authentication
    No matter what is connected on the port (ie: VoIP), when a client using 
    MAC-Authentication need to change VLAN, we shut / no shut the port. This
    might affect ongoing Voice over IP calls but is better than the previous 
    behavior were the node was simply left where it was. This is an interim 
    measure before we implement RADIUS Change of Authorzation support (CoA).

    - node lookup changed
    By default we do not update the node lookup module in order to allow local
    customization. However if you want to benefit from the improved node lookup
    script, make sure that you overwrite your existing lib/pf/lookup/node.pm 
    module with the new file (.rpmnew). Be aware that the output of `pfcmd 
    lookup node <mac>` changed so make sure you update your parsing scripts (if
    any). This also affects the Node lookup section of the Web Admin interface.

o Upgrading from a version prior to 2.1.0:

    - You MUST upgrade conf/templates/httpd.conf and 
    conf/templates/named_vlan.conf
    The location of the PID files changed. The templates must reflect this new
    location: var/run/ instead of var/
    Also in conf/templates/named_vlan.conf the configuration directory is 
    var/named instead of var/.
    See the .rpmnew files for the proper configuration.

    - Module versioning for pf::vlan::custom and pf::radius::custom
    We are now relying on module versioning to catch interface changes before
    they hurt the users. PacketFence will generate errors on startup if you 
    have not upgraded your modules' interface and version. The interfaces have
    not changed so all you need to do on upgrade is to add:
        our $VERSION = 1.00;
    to both lib/pf/radius/custom.pm and lib/vlan/custom.pm.

    - Default port bounce duration changed
    To support a variety of Linux desktop operating systems we needed to 
    increase the duration of our port bounce from 2 seconds to 5 seconds. On a
    very busy setup this could have consequences. Either increase the number of
    concurrent threads working (nbtraphandlerthreads under [vlan]) or restore
    the port bounce duration to 5 seconds (bounce_duration under [vlan]).

    - Several Nortel/Avaya module changes
    5520 renamed to 5500, 5520Stacked is no longer necessary, firmware 6.x 
    support for the 5500 series requires you to use module name BayStack5500_6x.
    Just make sure to review your conf/switches.conf so that the config refers
    to proper modules.

    - Removed conf/templates/*.pl captive portal extensions
    This mechanism was removed since the new pf::web::custom mechanism is
    cleaner and less error-prone. Make sure to migrate any custom code you have
    in release.pl, login.pl, enabler.pl, redirect.pl, scan-in-progress.pl, 
    error.pl, status.pl and register.pl to lib/pf/web/custom.pm.

    - pid files changed location
    Previously in var/ they are now in var/run/   

    - New configuration directory for generated configuration: var/conf/
    Changed the location of the generated configuration file from conf/
    to var/conf/.  This will mitigate the fact that people were trying to
    modify the generated files instead of the templates.

    - 'pending' node status now relies on javascript to detect network access
    The HTML meta refresh approach never reliably worked so there's a new 
    javascript technique. If you rely on node status 'pending' in your 
    workflow, please check pf.conf's new captive_portal.network_detection_ip 
    variable and re-test your portal to make sure it still works.

    - Output of node lookup changed (again!)
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

    - pf::SNMP (lib/pf/SNMP.pm) API level bump
    We changed the contract of setAdminStatus() so we bumped the version of 
    pf::SNMP to 2.00. If you use setAdminStatus() in custom code make sure you
    update your calls.

o Upgrading from a version prior to 2.0.1:

    - lib/pf/vlan.pm's fetchVlanForNode interface changed
    If you built a customized version of this method in lib/pf/vlan/custom.pm
    you will need to update it.

    - Meru Controller 3000 now named Meru Controller
    Since our code should work for all Meru Controllers, we renamed the module.
    Meru::MC3000 is now Meru::MC. If you upgrade make sure you update your 
    conf/switches.conf or Configuration -> Switches (in the web admin).

    - Output of node lookup changed
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

o Upgrading from a version prior to 2.0.0:

    - Database schema update
    Several new fields were added. You need to update your schema with:
    mysql -u root -p pf -v < db/upgrade-1.9.0-2.0.0.sql

    - FreeRADIUS module rewritten and renamed
    The FreeRADIUS has been completely re-written from the previous release 
    series. Now, except for the authentication against the PacketFence server
    all the control is centralized in the PacketFence configuration. No more 
    customization required in the FreeRADIUS module! We strongly recommend
    that you carefully migrate to this module and forget about the old one.
    We also changed the name from rlm_perl_packetfence.pl to packetfence.pm so
    update your FreeRADIUS configuration accordingly.

    - /cgi-bin/pdp.cgi moved
    Remote snort probes or other mechanisms relying on the presence of this 
    file should be updated to be /webapi instead. Upgrading each probe's
    packetfence-remote-snort-sensor will take care of this for remote snort 
    probes. All other custom means should be manually upgraded.

    - SOAP handler changed
    The URI of the SOAP handler changed from 
    http://www.packetfence.org/PFEvents to http://www.packetfence.org/PFAPI. To
    better reflect the fact that it is not just an event handling server. You 
    will need to upgrade your remote snort probes with the new PacketFence 
    remote snort sensor RPM or manually change the URI.

    - Output of node lookup changed
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

    - pfcmd_vlan output change
    Output of `pfcmd_vlan` changed dramatically. If you used scripts to 
    automate tasks with pfcmd_vlan and expected particular output, your scripts
    should be updated.

    - pfcmd input and output change
    If you used script to automate tasks relying on the `pfcmd` interface, you
    need to update them. Output of `pfcmd node`, `pfcmd locationhistorymac`, 
    `pfcmd locationhistoryswitch`, `pfcmd violation view all`, `pfcmd 
    switchconfig` and `pfcmd fingerprint view all` also changed.

    - DHCP and DNS server configuration changes
    With previous versions it was recommended to configure DHCP and DNS servers
    manually and instructions were provided to do so on the Administration 
    Guide. Starting with this version it is recommended to use the configuration
    templates and let PacketFence auto-configure the DHCP and DNS servers. 
    Migrating to this new approach is not mandatory but is recommended. To do so
    please follow the "DHCP and DNS Server Configuration (networks.conf)" 
    section of the Administration Guide.

    - lib/pf/vlan.pm interface changed
    If you built a customized version of vlan.pm in lib/pf/vlan/custom.pm be 
    aware that there were a lot of changes. We strongly recommend you rewrite 
    your custom.pm on top of these new changes instead keeping your old.

    - Captive Portal changes
    By default pf::web is no longer exporting it's subroutines. This means that
    all the captive portal scripts in cgi-bin/ will need to be updated to use 
    the full name pf::web::web_node_register() instead of web_node_register().
    If your cgi-bin files are the default ones you don't need to change
    anything. These breaking changes are introduced to allow pf::web::custom to
    redefine any subroutine in pf::web and will allow easier upgrade path for 
    users who need to customize the portal.

    - Violation priority enforcement
    Violation priorities are now properly enforced: 1 means highest priority
    and 10 means lowest priority. Even if documentation said so, before this 
    release, the code enforced it the other way around. This affects what 
    violation is shown on multiple violations (it will favor highest) and has
    most impact when Nessus scanning is used. Since this is a default behavior
    change, you should double check your config!

    - External remediation pages 
    Violations with fully qualified URLs are now handled with new code that 
    uses mod_proxy and mod_rewrite instead of mod_proxy_html. This was done
    because the current implementation is broken out of the box on a CentOS 
    system without manually compiling and installing the mod_proxy_html 
    package. If you used it then reverify all your remediation pages with
    fully qualified URLs as they might be broken now.

    - SMC TS8800M module changes
    A lot of changes were made to this SMC module such that problems occuring
    with the previous module should be resolved now. These fixes also required
    an updated firmware from SMC. Make sure your switch runs at opcode 2.4.5.13
    for the SMC TigerStack 8824M or 8848M to work properly with PacketFence.

    - loadMACintoDB.pl removed
    Dropping loadMACintoDB.pl. Replaced by node import feature see `pfcmd node 
    import` or Node -> Import in the Web Administration interface.

    - connect_and_read.pl and dhcp_dumper moved
    They are now located in addons/.
 
    - deprecated subs
    lib/pf/SNMP.pm's setIsolationVlan, setRegistrationVlan and setNormalVlan 
    are now deprecated and will be removed in the future. Use 
    setVlanByName($ifIndex, $switch_locker_ref, $vlanName) instead. For 
    example: setVlanByName($ifIndex, \%switch_locker, 'guestVlan'); 

o Upgrading from a version prior to 1.9.1:

    - Captive portal using mod_perl
    The captive portal's default mode of operation relies on mod_perl now. 
    The benefit is a tremendous performance gain. If you experience problems 
    with authentication after you upgraded make sure that the cgi file has the
    proper 'use lib' statements to load the authentication modules in conf/. 
    Default configurations should not have any issues.

    - Extreme switches new firmware requirement
    Due to a change in Extreme's code, linkup/linkdown mode now requires at 
    least firmware 12.2. A compatibility layer to support pre-12.2 could be 
    written. Contact us if you are interested.

    - Web Administration interface access control
    Administrators can now give different access levels to users. By default
    all users will be given the admin level rights unless you modify the 
    conf/admin.perm file. See the Administration Guide FAQ for details.

    - pfcmd output change
    pfcmd node edit <mac> ... will no longer output changes made to the node 
    entry. This behavior was due to a side effect rather than a feature and it
    caused some problems so we got rid of it. pf::node::node_modify is also 
    affected.

    - switches.conf: htaccessUser and htaccessPwd deprecated
    Web Services related parameters were added in switches.conf. Because of the
    duplicate functionality we are deprecating the htaccessUser and htaccessPwd
    parameters. Only the Intel Express 460 module is affected. The parameters
    will still work but if you are reading this you should migrate them to the 
    new wsUser, wsPwd and wsTransport parameters.

o Upgrading from a version prior to 1.9.0:

    - Passthrough
    Passthrough is now set to disabled by default. If you need it, make sure
    you re-enable it in your conf/pf.conf. As a reminder, passthrough is the
    mechanism used to allow users trapped in registration or isolation to reach
    certain external URLs or custom violation pages hosted externally. It is 
    not used in a default install.

    - Freeradius 2.x
    We now recommend using freeradius 2.x instead of 1.x for wireless, 802.1x
    or MAC authentication Bypass authentication mechanisms. Freeradius 1.x 
    still works but we are seeing more hang cases with AD 2008, Vista and Win 7.

    - Library update: steps required on manual upgrade
    PacketFence no longer relies on a specific version of the Parse-RecDescent
    library. If you upgraded manually, you should re-generate the precompiled
    grammar by running installer.pl. If you upgraded using the RPM package the
    grammar already comes precompiled.

    - Changes to some OS violations
    Some DHCP fingerprint have been re-labeled to avoid problems with VoIP 
    autodetection. OS::311 is now OS:1102 and OS::315 is now OS::1103. These
    devices (iPhone and HTC Android) are now categorized under Smartphone 
    instead of VoIP phones. Update your configuration accordingly.

    - pfdhcplistener logging in logs/packetfence.log
    We reduced the number of INFO messages that pfdhcplistener was producing
    because it was too verbose. Now only INFORM / OFFER / ACK messages are 
    logged and the fingerprint and node modification messages were 
    consolidated. If you are troubleshooting and need the other messages, make
    sure you increase log verbosity to DEBUG.

    - pfcmd output change
    pfcmd will print "Command not understood. (pfcmd grammar test failed at 
    line 200.)" to STDERR on unrecognized input before showing the usage 
    message. You might have to change your scripts to handle that.

    - Cisco Controller 4400 now named WLC_4400
    To be more consistent, we renamed Cisco::Controller_4400_4_2_130 to 
    Cisco::WLC_4400. If you upgrade make sure you update your conf/switches.conf
    or Configuration -> Switches (in web admin)

    - Output of node lookup changed
    The output of `pfcmd lookup node <mac>` changed. Make sure you update your 
    parsing scripts (if any). This also affects the Node lookup section of the
    Web Admin interface.

    - New run-time perl dependencies Try::Tiny and Readonly::XS (optional but
    will improve performance)

    - New parameter in conf/violations.conf: whitelisted_categories
    Node in a whitelisted category will not be isolated on a given violation.

    - Database change
    A new table and a few fields were added for the new node categorization 
    feature. To upgrade your schema, run:
    mysql -u root -p pf -v < db/upgrade-1.8.6-1.9.0.sql

    - pfsetvlan and conf/switches.conf validation
    If there is a problem in the conf/switches.conf file PacketFence will say 
    so at startup but will still try to run. Before this release, pfsetvlan 
    wouldn't start with a bad config file.

    - Foundry module change
    In order to support port-security some aspects of the Foundry module had
    to change. We are not 100% that the module will still work since we don't
    have the original switch on which linkUp/linkDown support was developped.
    If you experience a regression, please file an issue into our bugtracker.

    - lib/pf/vlan.pm interface changed
    If you built a customized version of vlan.pm in lib/pf/vlan/custom.pm be 
    aware that the parameters expected by vlan_determine_for_node() and 
    custom_getCorrectVlan() changed. Instead of the switch's IP, a switch 
    object (pf::SNMP) is expected. Also, the whole node_info is passed to 
    custom_getCorrectVlan() instead of scalars of node_info's content.

    - Backup script archives locationlog_history records older than a year
    Archives are an SQL dump of the records placed in /root/backup/ by default 
    and never deleted. It will run the first day of each month.

    - Backup script less aggressive about history
    We are now keeping 1 month of locationlog instead of 15 days with the 
    optional database backup script in addons/. Makes more sense for most users.

o Upgrading from a version prior to 1.8.7:

    - No action on wireless deauthentication traps
    PacketFence no longer close locationlog entries based on wireless 
    deauthencation traps. It was causing more problems than anything. See bug
    #880 for details: http://www.packetfence.org/mantis/view.php?id=880

    - Registration login no longer kept in browser session
    We fixed a bug that changes the behavior of the registration login. Before
    if you registered and deregistered while keeping your browser open, you
    would not be presented with the login page if you tried to register again. 
    You would have been automatically authenticated. This is no longer the case.
    You will need to re-authenticate now. You might have relied on that 
    behavior.

o Upgrading from a version prior to 1.8.6:

    - Table format changed
    Migrated tables `configfiles` and `traplog` from type MyISAM to InnoDB. You
    are not required to change the format but if you want, run (at night):  
    mysql> alter table configfile ENGINE = InnoDB;
    mysql> alter table traplog ENGINE = InnoDB;

    - Backup script less aggressive about history
    We are now keeping 15 days of locationlog instead of 2 with the optional 
    database backup script in addons/. Makes more sense for most users.

    - Database schema update
    A new table `locationlog_history` has been added to the database schema. It
    should be useful for people with big locationlog tables. Upgrading your 
    schema is not required but recommended. You can update your schema with:
    mysql -u root -p pf < db/upgrade-1.8.4-1.8.6.sql
    The script migrate-to-locationlog_history.sh in addons/ can help you 
    transition your old records to this new table.

    - Updated conf/ui.conf
    To fix a bug we had to change ui.conf. By default an rpm upgrade will 
    replace ui.conf and save a backup of the previous file to ui.conf.rpmsave.
    If you modified your ui.conf, do not forget to merge your old version with
    this new one.
    
    - New Snort default configuration
    Default configuration for snort changed. Old config can still be found at 
    conf/templates/snort.conf.pre_snort-2.8.

    - Output of pfcmd switchconfig changed
    The output of `pfcmd switchconfig get <ip|all>` changed. Make sure you 
    update your scripts that relies on that output (if any). This also affects 
    the Configuration->Switches section of the Web Admin interface.

    - Fixed an issue with CLI transport for switches/APs: for SSH make sure you
    have 'SSH' and not 'ssh'. Look into the 'Configuration->Switches' or edit
    /usr/local/pf/conf/switches.conf

    - 802.1x module expects 'guest' instead of 'visitor' in node.pid
    We changed the naming of the guest concept from visitor to guest. If you
    allow guests on your network, doublecheck your rlm_perl_packetfence.pl 
    module and align it on your naming (update all to guest or change back to 
    visitor).

o Upgrading from a version prior to 1.8.5:

    - 802.1X freeradius module updated 
    pfcmd_ap.pl's code has been integrated in rlm_perl_packetfence.pl. If you 
    need the performance benefit from this transition, you have two options:
      1) Replace completely your rlm_perl_packetfence.pl with the new one
      2) Migrate your pfcmd_ap.pl manually
         To do so, copy all of pfcmd_ap.pl's code into a sub in 
         rlm_perl_packetfence.pl. Change all the print calls into return calls.
         Remove all exit and make sure you free resources before returning.
    If you don't need the performance improvement, leave things as they are. 
    We will be deprecating the MySQL interface in favor of a better SOAP 
    interface soon.

    - whitelisting MAC addresses is now more consistent across violation types
    Certain types of violation triggers (OS, USERAGENT, VENDORMAC) were not
    honoring the whitelist parameter. The bug is fixed but you might have 
    relied on that behaviour.
    http://www.packetfence.org/mantis/view.php?id=801

    - logging priority now shown in log files
    To improve logging readability, we now include logging priority (ex: DEBUG,
    INFO, WARN, etc.). If you use scripts to parse PacketFence's logs you will
    need to update them.

    - Added new dependencies:
	- perl-LDAP (used to authenticate users trough LDAP during 
	  registration)
	- php-ldap (used to authenticate users connecting to the 
	  Web interface through LDAP)
	- perl-IPC-Cmd (used to generate static routes for registration and
	  isolation routed VLANs)
	- perl-SOAP-Lite (used when receiving alerts from Snort)

    - HUB violation removal
    HUB violations have been removed since they create a lot of false positives.
    http://www.packetfence.org/mantis/view.php?id=793

    - Dynamic uplink fixes
    In certain cases, PacketFence took action on switches where dynamic uplinks
    couldn't be found. The bug is fixed but you might have relied on that 
    behaviour.
    http://www.packetfence.org/mantis/view.php?id=795
    http://www.packetfence.org/mantis/view.php?id=809

    - Source of Correct/Normal VLAN changed
    Correct/Normal VLAN no longer comes from the database's node entry but from
    switches.conf. This is a modified behavior when returning the correct (aka 
    normal) VLAN (in custom_getCorrectVlan). This behavior is redefined by most
    users in lib/pf/vlan/custom.pm (or conf/pfsetvlan.pm in 1.7.x) so it should
    not have any impact for most of you. However, if you relied on the node 
    entry specifying which VLAN is the normal VLAN, this is no longer the case. 
    Now, the correct/normal VLAN is defined by the normalVlan variable in the 
    switch's entry or the default entry in switches.conf. This makes more sense
    for most new installs.


o Upgrading from a version prior to 1.8.4:

    There was no upgrade-specific documentation done prior to 1.8.5.

    - Database schema
    Always make sure that your database schema is up to date. See if upgrade 
    scripts are available in db/.

