Press Releases

11 December 2013 - Version 3.0.1 has been released.

The focus of this release is stability.

Feature improvements

  • Add "timeout" to exec, and "ntlm_auth_timeout" to mschap, so that runaway child processes are caught earlier.
  • Allow TLS clients to use "proto = tls", in which case TLS is required. The shared secret is then set to "radsec".
  • More documentation in the tls virtual server.
  • Add "date" module for date formatting. See raddb/mods-available/date.
  • Added unit test suite for internal server functionality
  • When loading "update" sections, check if the RHS is a literal value. If so, syntax check it immediately.
  • Update LDAP module documentation and functionality. The generic attribute can now update lists.
  • Updated dictionary.extreme.
  • Update sqlippool to do clears as a separate transaction, and at most once per second. This should help MySQL.
  • Respect control:Response-Packet-Type for all types of requests.
  • Add support for SSL encryption to the MySQL driver.
  • Allow arbitrary connection parameters to be used with the PostgreSQL driver.
  • Changes to the OpenLDAP schema to fully expose functionality of the new LDAP module.
  • Update debian packaging to include a freeradius-config package. This package may be provided as a site local package to avoid fighting with the preinstalled config files.

Bug Fixes

  • Use correct field for ARP setting in DHCP.
  • Fix crash on debug condition (#454).
  • Fix a number of minor issues caught by the clang analyzer.
  • Set WARNING messages to yellow instead of normal text.
  • Correct debug colorise logic. Patch from Phil Mayers.
  • Encode attributes of type "ethernet". No one uses them, but it makes sense.
  • Work around regex initialization issues.
  • Fix build when linking against OpenSSL.
  • Print IDs as positive numbers, which helps for large DHCP XIDs.
  • Fix issue with sql_ippool.
  • sqlcounter now uses 64-bit counters, to deal with 4G overflow.
  • Fix issues with DHCP subsystem.
  • Don't build / install disabled modules, or their config files.
  • Fix build for OSX Mavericks, which hid the header files in a magical place.
  • Fix LEAP buffer issue. You should still avoid LEAP.
  • Mark "unknown" WiMAX attributes as being WiMAX.
  • Fix typo in packet decoder for fragmented extended attrs
  • RPM spec fixes.
  • Fix rlm_perl build issues when not using threads.
  • Enable %{Response-Packet-Type} again.
  • Update configuration file parser to handle "bool" consistently.
  • Update declarations of global boolean variables to use "bool" consistently. This fixes an issue where some modules were instantiated in "config check" mode and did not work correctly.
  • Make more messages debug instead of info, to avoid polluting the logs with messages that can't be fixed.
  • Set operator in internal unlang code to suppress spurious warning messages.
  • Fix debian packaging.
  • Added "status" to Debian init script.
  • Fix "update outer.request" to update the outer request.
  • Don't print TLS debugging messages when not in debug mode.
  • Correctly manage counters for "limit" sections of TCP / TLS "listen" sockets.
  • Fix libldap debug output.
  • Fix rlm_ldap tls functionality.
  • Initialise OpenSSL globals early to avoid issues with the PostgreSQL library.
  • Fix typo in sqlcounter expansion code. Fixes #463
  • Overwrite previous instances of SQL-User-Name when adding it to the request.
  • Work around bugs in both MIT and heimdal versions of krb5_copy_context(), which caused segfaults in multithreaded mode.
  • Provide meaningful error messages if Heimdal krb5 is used.
  • Fix attribute suppression in rlm_detail.
  • Exit with error code if child fails to complete server initialisation after forking. This allows init scripts to correctly report whether the server started ok.

11 December 2013 - Version 2.2.3 has been released.

The focus of this release is stability.

Feature improvements

  • Added dictionary.efficientip, dictionary.alcatel-lucent-aaa
  • Allow zero length DN strings in rlm_ldap.
  • If Password-With-Header has no header, assume it is Cleartext-Password.

Bug Fixes

  • Make the server build when DHCP is enabled
  • Don't crash if there's no Post-Proxy-Type Reject.
  • Use correct fields for X509 attributes in certificates
  • Install threads.h making it possible to link against the installed headers again.
  • Initialize SSL once in "main", instead of rlm_eap_tls. Some client libraries may need SSL.

30 October 2013 - Version 2.2.2 has been released.

The focus of this release is stability.

Feature improvements

  • Add "timeout" to exec, and "ntlm_auth_timeout" to mschap, so that runaway child processes are caught earlier.
  • Print out thread number for "unresponsive child".

Bug Fixes

  • Fix erroneous fall-through in "case" statements
  • Fix priority handling in new module handling code
  • Fix threading issue with Perl. Closes #436
  • Fix EAP-TLS check_cert_issuer when X509v2 extensions existed. Patch from David Wood.
  • Fix pointer references in rlm_python.
  • Fix "unresponsive child" issue when proxying.
  • Set log output correctly when using -l. Fix ported from 3.0.0.
  • Buffer debug output when threaded, so that text from different threads isn't interspersed.
  • Fix SEGV in rlm_perl when using dynamic expansions.
  • Fix build for OSX Mavericks, which hid the header files in a magical place.
  • Port DHCP fixes from 3.0.

07 October 2013 - Version 3.0.0 has been released.

The focus of this release is new features.

Feature improvements

  • Documentation for upgrading from 2.x is in raddb/README.rst. Please follow it. It will make the upgrade easier.
  • Moved configuration entries in radiusd.conf to make more sense.
  • Added the "integer64" and "ipv4prefix" data types.
  • Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
  • Updated internal API to support new attributes and formats
  • Added code to send SNMP Traps. See raddb/trigger.conf.
  • Added preliminary support for Apple's Grand Central Dispatch
  • Added provisions for raddb/dictionary.local, for local changes. See raddb/dictionary for more details.
  • Added packet/s tracking. See max_pps in the "listen" section.
  • The %{} expansions and "unlang" conditions are now parsed at server start. Descriptive errors are produced for syntax and format errors.
  • Casting is now supported for "unlang" comparisons. See "man unlang" e.g. 127.0.0.1 == Framed-IP-Address.
  • Direct comparison of attribute references is now supported. e.g. &Foo == &Bar. This avoids stringification of the attributes.
  • Direct assignment of attributes is now supported. e.g. Foo := &Bar. It also works for "octets" data types.
  • Comparisons of IPv4 and IPv6 prefixes are now supported. The "<" operator means "within the prefix" for comparisons.
  • New sha1 xlat expansion (thanks to Alan Buxey)
  • Colourised log messages when logging to stdout. Look for yellow warnings and red errors. Doing this will save you a LOT of grief.
  • If the PCRE library is available, use it (instead of the POSIX functions) to process regular expressions (thanks to Phil Mayers).
  • -xv now displays all the features the server was built with, and the versions of the core libraries (libtalloc, libssl).

Module Changes

  • Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/, following the examples of other projects.
  • Additional files for each module are now in raddb/mods-config/. See raddb/mods-config/README.rst for documentation.
  • Moved "users" to raddb/mods-config/files/authorize
  • Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
  • Moved eap.conf to mods-available/eap
  • Moved sql.conf to mods-available/sql
  • Moved TLS configuration for EAP into a common subsection. See raddb/mods-available/eap, "tls-config" section.
  • Added support for MS-CHAP Change Password from Phil Mayers. See raddb/mods-available/mschap, "passchange" subsection.
  • Added EAP-PWD implementation from Dan Harkins
  • Added connection pools for modules. This unifies connection management which was previously different for different modules.
  • SQL now uses the connection pool. See mods-available/sql
  • SQL now supports arbitrary Acct-Status-Types. These changes are not compatible with 2.x.
  • SQL now has full support for SQLite. See raddb/sql/main/sqlite/
  • SQLite supports auto-creation of new databases on server startup for bootstrapping purposes.
  • LDAP now uses the connection pool. The LDAP module has been completely re-written for performance and simplicity.
  • LDAP now caches groups. This makes multiple group checks MUCH faster.
  • Removed all limitations on 253 octet attributes. RFC 6929 allows for attributes up to 4K in length.
  • New rlm_idn module providing an expansion for performing IDNA encoding of internationalized domain names. Thanks to 'skids'.
  • New rlm_yubikey module to validate yubikey OTP tokens. See raddb/modules/yubikey

Internal API Changes

  • All traces of the old build system have been removed. The new build system is faster and simpler.
  • clang is fully supported.
  • We now use "talloc" for memory management. A number of new features required this change. Thanks to the Samba people!
  • Many internal APIs have been updated to use talloc.
  • New API for iterating over VALUE_PAIRs. This is in preparation for attributes, in version 3.1.
  • No new code should directly modify any field of a VALUE_PAIR.
  • VALUE_PAIRs contain pointers to DICT_ATTR instead of containing attribute and vendor fields. This will allow nested attributes.
  • Some protocol specific code has been moved out into proto_* modules. More will come in subsequent versions. See proto_dhcp and proto_vmps.
  • Standardised internal logging macros. radlog() should not be used. See src/include/log.h
  • Use OpenSSL hashing functions when available.
  • The server now builds with no warnings on most platforms.
  • New RADIUS encoder/decoder, to support new formats.
  • Added RFC 6929 "extended attributes", via the new encoder/decoder.
  • Added full WiMAX support, via the new encoder/decoder. The old code could not handle some unusual corner cases.

Bug fixes

  • All known bug fixes from 2.2.x are included.
  • Removed "addport" functionality.
  • Removed many unused or duplicate modules. See raddb/README.rst.

17 September 2013 - Version 2.2.1 has been released.

The focus of this release is stability.

Feature improvements

  • Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru, telkom, trapeze, proxim, zeus, rfc6677, rfc6911, and rfc6930.
  • Added %{randstr:..} support. Creates random strings in a controllable format.
  • Added operator support to rlm_python
  • Added %{hex:...} for hex version of raw attribute data
  • Added %{sha1:...} for SHA1 hashing of data
  • Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr), and %{tobase64:...} for the printable string form (e.g. 1.2.3.4), and %{base64tohex:...} to convert a base64 string to a hex string.
  • rlm_expr is now responsible for registering many of the xlat expansions. This is cleaner than bundling them all in the server core. You should ensure 'expr' is listed in instantiate to ensure correct operation of xlat expansions.
  • Use correct terminology when printing errors regarding request/response/message authenticators.
  • Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
  • radsqlrelay does multiple INSERTs in one transaction. Patch from Uwe Meyer-Gruhl.
  • Run Post-Proxy-Type Reject {} if the upstream server rejected the request.
  • On startup, the server checks if it was linked with the correct OpenSSL libraries. If not, it errors out. This prevents later crashes in OpenSSL, due to library incompatibilities.
  • Added radmin command "hup main.log", to re-open the log files, without HUPing any other part of the server.
  • Added support for EAP-Key-Name. See raddb/sites-available/default, and look for comments mentioning EAP-Key-Name. MacSec now works.
  • Added support for hex numbers (0x...) to %{expr: ...}
  • Backported TLS client certificate validation from 3.0.0.
  • Run Post-Auth for EAP inner-tunnel methods.
  • Added more RFCs
  • Added "show config " to radmin. You can now examine any configuration item in a running server.
  • Added TLS-Client-Cert-X509v3-Extended-Key-Usage for TLS-based EAP methods. It is set automatically from the fields in the certificate.
  • Add CRLCP attribute in certificate creation script. Windows phones require it. Patch from Alan Buxey.

Bug fixes

  • Skip OCSP if there's no host / port / url, with soft_fail
  • Properly decode AT_IDENTITY in EAP-SIM. Patch from Iliya Peregoudov
  • Thread max_queue_size has better bounds checking.
  • Use correct variable for warning message if the user misconfigures the server.
  • radtest is more generous about parsing ppphint
  • radeapclient now accepts -4 and -6, just like radclient. Patch from John Dennis.
  • Ignore ".rpmnew" and a bunch of other files when loading config files from a directory.
  • Wait for child threads before exiting. This prevents errors on exit, but may increase exit time if databases are blocked! Patch from Iliya Peregoudov.
  • Wrap rbtree calls in mutexes in rlm_cache to prevent memory corruption. Patch from Phil Mayers.
  • Port fix for %{3GPP-*} expansion from master branch.
  • Fix sample certificate scripts when multiple client certs are made
  • Track return code priorities across if/else/elsif in unlang. Closes #107
  • In debug mode, print out DHCP options when sending a DHCP packet.
  • Fixes to the redis modules from Brian Candler
  • Print better debug message for LDAP "operations error"
  • Fix a number of minor issues as found by Coverity
  • Frees module config in order to prevent occasional crash on exit
  • Update DHCP debugging messages to make it clearer what's going on.
  • Print multiple DHCP options the correct number of times in debugging mode
  • On debug builds, don't dlclose() modules when '-m' is used. This allows valgrind to show module symbols.
  • Don't count Status-Server packets in Access-Request statistics
  • Minor cleanups to debug output
  • Be more careful handling module configurations to avoid crash on otherwise clean exit.
  • For raddebug, correctly set the group of the output file.
  • Renamed dhclient to dhcpclient. People who install it shouldn't have their systems broken.
  • For EAP-TLS methods, random_file is no longer required. OpenSSL already reads /dev/urandom.
  • Fix Suse and Redhat scripts. Patches from Fajar Nugraha.
  • Minor bug fix for base64 decoding.
  • Allow two consecutive WiMAX TLVs of the same number.
  • Remove requirement that User-Name has to match MS-CHAP-User-Name. I18n issues mean that the character sets could be different.
  • Don't use ephemeral thread states from PyGILState_Ensure(), use our own, generated one per thread and stored in TLS.
  • Port module processing fixes from v3. The code is simpler, and one or two esoteric bugs are now gone.
  • Update code handling max_requests_per_server. It should now work correctly.
  • Wrap ASCTIME_R for systems not supporting the standard API.