The FreeRADIUS Project
FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS refers to the RADIUS server.
FreeRADIUS is the most widely deployed RADIUS server in the world. It is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used in the academic community, including eduroam. The server is fast, feature-rich, modular, and scalable.
The server has reached a stable Version 2.2.0 (sig), with incremental improvements added in every release.
Recent News
2012.09.10 Version 2.2.0 (sig) has been released. The focus of this release is stability.
Feature improvements
- 100% configuration file compatible with 2.1.x. The only fix needed is to disallow "hashsize=0" for rlm_passwd
- Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware, Redback, and Mikrotik dictionaries
- Switch to using SHA1 for certificate digests instead of MD5. See raddb/certs/*.cnf
- Added copyright statements to the dictionaries, so that we know when people are using them.
- Better documentation for radrelay and detail file writer. See raddb/modules/radrelay and raddb/radrelay.conf
- Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
- Added -F to radwho
- Added query timeouts to MySQL driver. Patch from Brian De Wolf.
- Add /etc/default/freeradius to debian package. Patch from Matthew Newton
- Finalize DHCP and DHCP relay code. It should now work everywhere. See raddb/sites-available/dhcp, src_ipaddr and src_interface.
- DHCP capabilities are now compiled in by default. It runs as a DHCP server ONLY when manually enabled.
- Added one letter expansions: %G - request minute and %I request ID.
- Added script to convert ISC DHCP lease files to SQL pools. See scripts/isc2ippool.pl
- Added rlm_cache to cache arbitrary attributes.
- Added max_use to rlm_ldap to force connection to be re-established after a given number of queries.
- Added configtest option to Debian init scripts, and automatic config test on restart.
- Added cache config item to rlm_krb5. When set to "no" ticket caching is disabled which may increase performance.
Bug fixes
- Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12, and 802.1X should upgrade immediately.
- Fix typo in detail file writer, to skip writing if the packet was read from this detail file.
- Free cached replies when closing resumed SSL sessions.
- Fix a number of issues found by Coverity.
- Fix memory leak and race condition in the EAP-TLS session cache. Thanks to Phil Mayers for tracking down OpenSSL APIs.
- Restrict ATTRIBUTE names to character sets that make sense.
- Fix EAP-TLS session Id length so that OpenSSL doesn't get excited.
- Fix SQL IPPool logic for non-timer attributes. Closes bug #181
- Change some informational messages to DEBUG rather than error.
- Portability fixes for FreeBSD. Closes bug #177
- A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols nonsense.
- Safely handle extremely long lines in conf file variable expansion
- Fix for Debian bug #606450
- Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
- The passwd module no longer permits "hashsize = 0". Setting that is pointless for a host of reasons. It will also break the server.
- Fix proxied inner-tunnel packets sometimes having zero authentication vector. Found by Brian Julin.
- Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
- Fix minor build issue which would cause rlm_eap to be built twice.
- When using "status_check=request" for a home server, the username and password must be specified, or the server will not start.
- EAP-SIM now calculates keys from the SIM identity, not from the EAP-Identity. Changing the EAP type via NAK may result in identities changing. Bug reported by Microsoft EAP team.
- Use home server src_ipaddr when sending Status-Server packets
- Decrypt encrypted ERX attributes in CoA packets.
- Fix registration of internal xlat's so %{mschap:...} doesn't disappear after a HUP.
- Can now reference tagged attributes in expansions. e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
- Correct calculation of Message-Authenticator for CoA and Disconnect replies. Patch from Jouni Malinen
- Install rad_counter, for managing rlm_counter files.
- Add unique index constraint to all SQL flavours so that alternate queries work correctly.
- The TTLS diameter decoder is now more lenient. It ignores unknown attributes, instead of rejecting the TTLS session.
- Use "globfree" in detail file reader. Prevents very slow leak. Closes bug #207.
- Operator =~ shouldn't copy the attribute, like :=. It should instead behave more like ==.
- Build main Debian package without SQL dependencies
- Use max_queue_size in threading code
- Update permissions in raddb/sql/postgresql/admin.sql
- Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL wouldn't use methods it knew about.
- Add more sanity checks in dynamic_clients code so the server won't crash if it attempts to load a badly formatted client definition.
2012.04.19 OpenSSL vulnerability may affect FreeRADIUS.
We recommend all administrators using certificates with FreeRADIUS upgrade their OpenSSL to a secure version. For details, see the OpenSSL notification.
We emphasize that this is not a bug in FreeRADIUS. FreeRADIUS uses OpenSSL for many of its cryptographic operations, and as such, is at the mercy of any problems in OpenSSL.
2010.05.21 - A Development Roadmap is announced
As part of the continued growth of the server, we are actively looking for sponsors for new features. New projects include support for 3GPP2, Windows ports, etc.
2009.09.09 Version 1.1.8 (sig) has been released. The focus of this release is security.
Feature Improvements
- None
Bug Fixes
- Fix crash (memcpy with length -1) when invalid Tunnel-Password attributes are received.
2009.07.20 We have worked with MySQL to create two white papers on MySQL scalability and MySQL cluster. They are now available:
- Delivering Scalable & Highly Available AAA Services
This white paper discusses the concepts of current data storage solutions for Authentication, Authorization and Accounting (AAA) environments and their potential limitations as network use grows and services become more dynamic.
The paper then presents an alternative deployment scenario based on the FreeRADIUS Server and MySQL Cluster serving as the back-end AAA database, providing an infrastructure for high growth and availability, with low complexity. A sizing study and user case study are presented to demonstrate how the solution performs in real-world FreeRADIUS environments.
Read the whitepaper, posted here:
http://www.mysql.com/why-mysql/white-papers/mysql_wp_ha_auth_account.php
This Guide documents a best-practice approach to configuring and testing a FreeRADIUS server deployed with the MySQL Cluster database storage engine serving as the back-end data store for user and accounting data. Deployment topologies and configurations are presented, enabling users to quickly and simply replicate the solution in their own environment.
Read the guide, posted here:
http://www.mysql.com/why-mysql/white-papers/mysql_wp_deploying_FreeRADIUS.php
2008.03.05 FreeRADIUS Client Version 1.1.6 (sig) has been released. The focus of this release is stability.
- Added dead_time functionality / configuration.
- Merge in fixes and enhancements from 'radiusclient-ng'.
- Improved functionality for embedded operation. In use in FreeSWITCH and OpenSER projects.
- Wrap gethostby*() family of calls with threadsafe variants.
- Change UINT4 to uint32_t, int to size_t, etc.
- Fixed wrong usage of strncat function in several places.