Press Releases

30 December 2009 - Version 2.1.8 has been released.

The focus of this release is stability.

Feature improvements

  • Print more descriptive error message for too many EAP sessions.
  • This gives hints on what to do when "failed to store handler"
  • Commands received from radmin are now printed on stdout when in debugging mode.
  • Allow accounting packets to be written to a detail file, even if they were read from a different detail file.
  • Added OpenSSL license exception (src/LICENSE.openssl)

Bug fixes

  • DHCP sockets can now set the broadcast flag before binding to a socket. You need to set "broadcast = yes" in the DHCP listener.
  • Be more restrictive on string parsing in the config files
  • Fix password length in scripts/create-users.pl
  • Be more flexible about parsing the detail file. This allows it to read files where the attributes have been edited.
  • Ensure that requests read from the detail file are cleaned up (i.e. don't leak) if they are proxied without a response.
  • Write the PID file after opening sockets, not before (closes bug #29)
  • Proxying large numbers of packets no longer gives error "unable to open proxy socket".
  • Avoid mutex locks in libc after fork
  • Retry packet from detail file if there was no response.
  • Allow old-style dictionary formats, where the vendor name is the last field in an ATTRIBUTE definition.
  • Removed all recursive use of mutexes. Some systems just don't support this.
  • Allow !* to work as documented.
  • make templates work (see templates.conf)
  • Enabled "allow_core_dumps" to work again
  • Print better errors when reading invalid dictionaries
  • Sign client certificates with CA, rather than server certs.
  • Fix potential crash in rlm_passwd when file was closed
  • Fixed corner cases in conditional dynamic expansion.
  • Use InnoDB for MySQL IP Pools, to gain transactional support
  • Apply patch to libltdl for CVE-2009-3736.
  • Fixed a few issues found by LLVM's static checker
  • Keep track of "bad authenticators" for accounting packets
  • Keep track of "dropped packets" for auth/acct packets
  • Synced the "debian" directory with upstream
  • Made "unlang" use unsigned 32-bit integers, to match the dictionaries.

14 September 2009 - Version 2.1.7 has been released.

The focus of this release is stability.

Feature Improvements

  • Full support for CoA and Disconnect packets as per RFC 3576 and RFC 5176. Both receiving and proxying packets is supported.
  • Added "src_ipaddr" configuration to "home_server". See proxy.conf for details.
  • radsniff now accepts -I, to read from a filename instead of a device.
  • radsniff also prints matching requests and any responses to those requests when '-r' is used.
  • Added example of attr_filter for Access-Challenge packets
  • Added support for udpfromto in DHCP code
  • radmin can now selectively mark modules alive/dead. See "set module state".
  • Added customizable messages on login success/fail. See msg_goodpass && msg_badpass in log{} section of radiusd.conf
  • Document "chase_referrals" and "rebind" in raddb/modules/ldap
  • Preliminary implementation of DHCP relay.
  • Made thread pool section optional. If it doesn't exist, the server will run single-threaded.
  • Added sample radrelay.conf for people upgrading from 1.x
  • Made proxying more stable by failing over, rather than rejecting the first request. See "response_window" in proxy.conf
  • Allow home_server_pools to exist without realms.
  • Add dictionary.iea (closes bug #7)
  • Added support for RFC 5580
  • Added experimental sql_freetds module from Gabriel Blanchard.
  • Updated dictionary.foundry
  • Added sample configuration for MySQL cluster in raddb/sql/ndb. See the README file for explanations.
  • Unset the DF bit on outgoing packets, so that packets can be fragmented if necessary.

Bug Fixes

  • Fixed corner case where proxied packets could have extra character in User-Password attribute. Fix from Niko Tyni.
  • Extended size of "attribute" field in SQL to 64.
  • Fixes to ruby module to be more careful about when it builds.
  • Updated Perl module "configure" script to check for broken Perl installations.
  • Fix "status_check = none". It would still send packets in some cases.
  • Set recursive flag on the proxy mutex, which enables safer cleanup on some platforms.
  • Copy the EAP username verbatim, rather than escaping it.
  • Update handling so that robust-proxy-accounting works when all home servers are down for extended periods of time.
  • Look for DHCP option 53 anywhere in the packet, not just at the start.
  • Fix processing of proxy fail handler with virtual servers.
  • DHCP code now prints out correct src/dst IP addresses when sending packets.
  • Removed requirement for DHCP to have clients
  • Fixed handling of DHCP packets with message-type buried in the packet
  • Fixed corner case with negation in unlang.
  • Minor fixes to default MySQL & PostgreSQL schemas
  • Suppress MSCHAP complaints in debugging mode.
  • Fix SQL module for multiple instance, and possible crash on HUP
  • Fix permissions for radius.log for sites that change user/group, but which don't create the file before starting radiusd.
  • Fix double counting of packets when proxying
  • Make %l work
  • Fix pthread keys in rlm_perl
  • Log reasons for EAP failure (closes bug #8)
  • Load home servers and pools that aren't referenced from a realm.
  • Handle return codes from virtual attributes in "unlang" (e.g. LDAP-Group). This makes "!(expr)" work for them.
  • Enable VMPS to see contents of virtual server again
  • Fix WiMAX module to be consistent with examples. (closes bug #10)
  • Fixed crash with policies dependent on NAS-Port comparisons
  • Allowed vendor IDs to be be higher than 32767.
  • Fix crash on startup with certain regexes in "hints" file.
  • Fix crash in attr_filter module when packets don't exist
  • Allow detail file reader to be faster when "load_factor = 100"
  • Add work-around for build failures with errors related to lt__PROGRAM__LTX_preloaded_symbols.
  • Made ldap module "rebind" option aware of older, incompatible versions of OpenLDAP.
  • Check value of Fall-Through in attr_filter module.

09 September 2009 - Version 1.1.8 has been released.

The focus of this release is security.

Feature Improvements

  • None

Bug Fixes

  • Fix crash (memcpy with length -1) when invalid Tunnel-Password attributes are received.

20 July 2009 We have worked with MySQL to create two white papers on MySQL scalability and MySQL cluster. They are now available:
    Delivering Scalable & Highly Available AAA Services

    This white paper discusses the concepts of current data storage solutions for Authentication, Authorization and Accounting (AAA) environments and their potential limitations as network use grows and services become more dynamic.

    The paper then presents an alternative deployment scenario based on the FreeRADIUS Server and MySQL Cluster serving as the back-end AAA database, providing an infrastructure for high growth and availability, with low complexity. A sizing study and user case study are presented to demonstrate how the solution performs in real-world FreeRADIUS environments

    Read the whitepaper, posted here:
    http://www.mysql.com/why-mysql/white-papers/mysql_wp_ha_auth_account.php

    Deployment Guide: FreeRADIUS with the MySQL Cluster Database

    This Guide documents a best-practice approach to configuring and testing a FreeRADIUS server deployed with the MySQL Cluster database storage engine serving as the back-end data store for user and accounting data. Deployment topologies and configurations are presented, enabling users to quickly and simply replicate the solution in their own environment.

    Read the guide, posted here:
    http://www.mysql.com/why-mysql/white-papers/mysql_wp_deploying_FreeRADIUS.php

18 May 2009 - Version 2.1.6 has been released.

The focus of this release is stability.

Feature Improvements

  • radclient exits with 0 on successful (accept / ack), and 1 otherwise (no response / reject)
  • Added support for %{sql:UPDATE ..}, and insert/delete. Patch from Arran Cudbard-Bell
  • Added sample "do not respond" policy. See raddb/policy.conf and raddb/sites-available/do_not_respond
  • Cleanups to Suse spec file from Norbert Wegener
  • New VSAs for Juniper from Bjorn Mork
  • Include more RFC dictionaries in the default install
  • More documentation for the WiMAX module
  • Added "chase_referrals" and "rebind" configuration to rlm_ldap. This helps with Active Directory. See raddb/modules/ldap
  • Don't load pre/post-proxy if proxying is disabled.
  • Added %{md5:...}, which returns MD5 hash in hex.
  • Added configurable "retry_interval" and "poll_interval" for "detail" listeners.
  • Added "delete_mppe_keys" configuration option to rlm_wimax. Apparently some WiMAX clients misbehave when they see those keys.
  • Added experimental rlm_ruby from http://github.com/Antti/freeradius-server/tree/master
  • Add Tunnel attributes to ldap.attrmap
  • Enable virtual servers to be reloaded on HUP. For now, only the "authorize", "authenticate", etc. processing sections are reloaded. Clients and "listen" sections are NOT reloaded.
  • Updated "radwatch" script to be more robust. See scripts/radwatch
  • Added certificate compatibility notes in raddb/certs/README, for compatibility with different operating systems. (i.e. Windows)

Bug Fixes

  • Minor changes to allow building without VQP.
  • Minor fixes from John Center
  • Fixed raddebug example
  • Don't crash when deleting attributes via unlang
  • Be friendlier to very fast clients
  • Updated the "detail" listener so that it only polls once, and not many times in a row, leaking memory each time...
  • Update comparison for Packet-Src-IP-Address (etc.) so that the operators other than '==' work.
  • Did autoconf magic to work around weird libtool bug
  • Make rlm_perl keep tags for tagged attributes in more situations
  • Update UID checking for radmin
  • Added "include_length" field for TTLS. It's needed for RFC compliance, but not (apparently) for interoperability.

10 March 2009 - Version 2.1.4 has been released.

The focus of this release is stability.

Feature Improvements

  • Permit multiple "-e" in radmin.
  • Add support for originating CoA-Request and Disconnect-Request. See raddb/sites-available/originate-coa.
  • Added "lifetime" and "max_queries" to raddb/sql.conf. This helps address the problem of hung SQL sockets.
  • Allow packets to be injected via radmin. See "inject help" in radmin.
  • Answer VMPS reconfirmation request. Patch from Hermann Lauer.
  • Sample logrotate script in scripts/logrotate.freeradius
  • Add configurable poll interval for "detail" listeners
  • New "raddebug" command. This prints debugging information from a running server. See man raddebug.
  • Add "require_message_authenticator" configuration to home_server configuration. This makes the server add Message-Authenticator to all outgoing Access-Request packets.
  • Added smsotp module, as contributed by Siemens.
  • Enabled the administration socket in the default install. See raddb/sites-available/control-socket, and man radmin
  • Handle duplicate clients, such as with replicated or load-balanced SQL servers and "readclients = yes"

Bug Fixes

  • Clean up control sockets when they are closed, so that we don't leak memory.
  • Define SUN_LEN for systems that don't have it.
  • Correct some boundary conditions in the conditional checker ("if") in "unlang". Bug noted by Arran Cudbard-Bell.
  • Work around minor building issues in gmake. This should only have affected developers.
  • Change how we manage unprivileged user/group, so that we do not create control sockets owned by root.
  • Fixed more minor issues found by Coverity.
  • Allow raddb/certs/bootstrap to run when there is no "make" command installed.
  • In radiusd.conf, run_dir depends on the name of the program, and isn't hard-coded to "..../radiusd"
  • Check for EOF in more places in the "detail" file reader.
  • Added Freeswitch dictionary.
  • Chop ethernet frames in VMPS, rather than droppping packets.
  • Fix EAP-TLS bug. Patch from Arnaud Ebalard
  • Don't lose string for regex-compares in the "users" file.
  • Expose more functions in rlm_sql to rlm_sqlippool, which helps on systems where RTLD_GLOBAL is off.
  • Fix typos in MySQL schemas for ippools.
  • Remove macro that was causing build issues on some platforms.
  • Fixed issues with dead home servers. Bug noted by Chris Moules.
  • Fixed "access after free" with some dynamic clients.