Press Releases

09 July 2015 - Version 2.2.8 has been released.

The focus of this release is stability.

Feature improvements

  • None.

Bug Fixes

  • Fixes for clients tied to virtual servers. If there is no "listen" section there, clients use the main "listen" section.
  • Remove compiler warnings
  • Print out correct filenames in debug mode
  • Allow post-auth section to return "reject". This turns the response into Access-Reject.
  • Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.

08 July 2015 - Version 3.0.9 has been released.

The focus of this release is stability.

Feature improvements

  • Make "pool" configurations more consistent, and update documentation for them.
  • Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
  • More VSAs for 3GPP2
  • Added examples of multi-value attributes to rlm_perl.
  • LDAP-Group and SQL-Group attributes are now dynamically allocated.
  • Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
  • Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
  • Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
  • Move to C99 initializers for modules.
  • Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
  • Added 'bootstrap' section to modules. Third-party modules will need to be updated.
  • When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
  • When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
  • Allow the server to originate CoA requests from the post-auth stage.
  • The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
  • Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
  • HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
  • Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
  • Increase default max_requests to 16384. Memory is cheap now.
  • Added "stats memory" commands to radmin. Debug build only.
  • Aptilo controller dictionary updates.
  • SQL modules now use Acct-Unique-Session-Id everywhere.
  • The redis modules are now stable.
  • The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
  • DHCP code is now in libfreeradius-dhcp.
  • More DHCP encoding / decoding unit tests.
  • rlm_replicate can now be listed in the "accounting" section.
  • Better sqlite debugging output.
  • Remove "required" option from many sql_ippool directives.
  • Set default CA "basic constraints" to "critical". Fixes #1073
  • Updates to help / man pages from Jorge Pereira.
  • Added more tests.

Bug Fixes

  • Be more careful about unused config item warnings when using -Xx.
  • Move more defines to be auto-generated.
  • Allow virtual servers in proxy fallback.
  • Allow %{module:} to work.
  • Don't crash in RadSec. Closes #980.
  • Return better errors when a unix group / user is not found.
  • Re-enable detail module "locking" parameter.
  • Don't crash when logging replies from Status-Server packets.
  • The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase
  • Don't require NT-Password for MS-CHAP password changes.
  • Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, though.
  • Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015
  • Fix dynamic clients read from SQL in non-debug mode
  • MS-CHAP now allows retries (i.e. password change) when passwords are expired.
  • Allow "user=radiusd" when the server is already user "radiusd"
  • suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
  • Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
  • Fix format.pl because Perl is now more picky.
  • Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
  • Fix corner case with cursor functions and removal.
  • OpenDirectory fixes and documentation.
  • Fix leaks in rlm_redis.
  • RFC 6929 "evs" attributes are now encoded / decoded properly.
  • Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
  • Printed attributes again use double quotes instead of single quotes.
  • Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
  • rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
  • Make "break" work in "foreach" loops
  • Allow dynamic expansions to work again in the "hints" file.
  • Correct minor typos in comments and examples from Alan Buxey.
  • Re-urlencode the path portion of ldapi:// URLs before passing it to ldap_initialize.

22 April 2015 - Version 3.0.8 has been released.

The focus of this release is stability.

Feature improvements

  • Allow syslog_severity to be set in rlm_linelog.
  • Allow defaults to be set for bulk clients in LDAP and couchbase.
  • Updates to dhcpclient. Patches from Nicolas C.
  • rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
  • Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random
  • Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
  • Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
  • Add support for server side sort controls when searching for user objects in rlm_ldap.
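The two TLS items above, "check_all_crl" (3.0.9 and 2.2.8) and "disable_tlsv1" (3.0.8), put together in an EAP-TLS configuration. This is an added illustration, not the shipped mods-available/eap file: check_all_crl and disable_tlsv1 are the items named in the release notes, check_crl and the remaining item names follow the stock 3.0 layout, and the certificate file names are assumed. In 2.2.8 the same items go in the "tls {}" section of eap.conf.

```unlang
# raddb/mods-available/eap (3.0.x layout); in 2.2.x the same items live in
# the tls {} section of eap.conf.  Added example, not the shipped file.
eap {
	default_eap_type = tls

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem   # assumed file names
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem

		# Before 3.0.9 / 2.2.8 only the client (leaf) certificate was
		# checked against a CRL: a revoked intermediate CA could still
		# sign client certificates the server accepted (CVE-2015-4680).
		check_crl = yes

		# Sets X509_V_FLAG_CRL_CHECK_ALL, so every CA in the chain is
		# checked.  OpenSSL then requires a CRL for every issuer in the
		# chain; if one is missing, all authentications fail with
		# "unable to get certificate CRL".
		check_all_crl = yes

		# CRLs are looked up by hashed name in ca_path.  Run "c_rehash"
		# on the directory after every CRL update and make the server
		# re-read it (a restart is the safe choice).
		ca_path = ${cadir}

		# Weak default, kept for compatibility: TLS 1.0 is still offered.
		#disable_tlsv1 = no
		# Hardened: refuse TLS 1.0.  Test first; supplicants that only
		# speak TLS 1.0 stop authenticating.
		disable_tlsv1 = yes
	}

	tls {
		tls = tls-common
	}
}
```

With check_all_crl enabled, publish a CRL for the root as well as for each intermediate, even if it is empty, or no client will authenticate.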

Bug Fixes

  • Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
  • Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
  • Fix ASSERT on truncated detail packets.
  • Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
  • Fix issue in "switch" when "correct_escapes = false". Fixes #911.
  • Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
  • Allow forward references in configuration items. Modules aren't always loaded in a sane order.
  • Fix more escaping issues. Closes #912.
  • Decode MAC addresses correctly for VMPS.
  • Fix memory leak with TLS connections.
  • Fix state machine threading issues for conflicting packets.
  • Fix copy_request_to_tunnel issues for tagged attributes.
  • Allow "ok" to over-ride "updated" inside of Auth-Type sections.
  • Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
  • Allow "netmask" to work again in client definitions.
  • Relax restrictions on SQL group queries.
  • Track outgoing proxy sockets and clean them up more aggressively.
  • Track proxy statistics, including CoA and Disconnect.
  • If radmin has a connection failure when running a command, it re-connects and runs the command again.
  • Mark home servers "unknown" less aggressively.
  • Fix potential SEGV in PostgreSQL driver on error.
  • Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
  • Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
  • Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
  • Fix invalid assert in state.c, that could cause abort in post-auth.
  • Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
  • RADIUS over TLS accounting uses the same port as authentication.
  • Regularized return codes from radmin commands.
  • Fix RHEL spec file so it works correctly for CentOS 7, which uses systemd and did not like the SystemV init script.
  • radwho and radlast now have a -D option to load dictionaries
  • DHCP packets are no longer checked for duplicates.
  • Don't crash in sql module group comparisons in corner case.
  • Calculate MPPE keys correctly when using TLS 1.2.
  • Fix load-balance sections. Closes #945
  • TLS certificates are available again in the post-auth section. They are not available for session resumption.
  • radclient encodes CHAP-Password properly when using -c. Closes #955.
  • Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
  • Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
  • Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
  • Fixes to PostgreSQL queries. Patches from Santiago Gimeno.

22 April 2015 - Version 2.2.7 has been released.

The focus of this release is stability.

Feature improvements

  • Allow "eap" to be listed in Post-Auth-Type Reject so that it sends EAP-Fail and Message-Authenticator.

Bug Fixes

  • Fix typo in code checking for blocked threads. Closes #880.
  • Added more $(EXEEXT) to module utilities so that it builds on Cygwin. Closes #875.
  • Note that we don't need to generate ephemeral RSA keys.
  • Port detail file fixes from v3.
  • Use correct destination port for replies to DHCP relay.
  • rlm_perl can store multiple tagged attributes of the same name.
  • Update EAP-TLS methods for TLSv1.2
  • Fix load-balance sections. Closes #945

19 February 2015 - Version 3.0.7 has been released.

The focus of this release is stability.

Feature improvements

  • Allow coa home_servers to be derived from client sections if a coa_server section is provided.
  • Automatically determine the correct port if no port is provided for a home server.
  • Allow foreach to operate over lists.
  • Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiusd -xv. %v is now deprecated.
  • Add support for PATCH method in rlm_rest.
  • Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
  • Add support for sub-second timeouts in rlm_rest.
  • Add support for connection timeouts in rlm_rest.
  • Add %{jsonquote:<str>} xlat to escape strings for insertion into json documents.
  • Add %{ldapquote:<str>} xlat to escape strings for insertion into ldap DNs.
  • Add %{explode:&ref <char>}, splits value of &ref on <char> and creates new &ref type attributes with the fragments.
  • Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
  • Add %{nexttime:[<int>]h|d|w|y} to calculate the number of seconds before the next <int> hour(s), day(s), week(s), or year(s).
  • Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
  • Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
  • For some SQL drivers (MySQL, sqlite) distinguish between constraints violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
  • Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
  • Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
  • Make dhcpclient work with raw sockets and various other improvements - Contributed by nchaigne
  • Add support for SSHA2 - Contributed by PDD.
  • Add perle dictionary - Contributed by Hachmer
  • Modernise init scripts for RHEL, SUSE and Debian.
  • radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
  • radmin now sends error messages from the server to stderr, instead of to stdout.
  • radmin now looks for sockets matching its UID and GID, rather than just always using the first one it finds.
  • radmin can now delete clients which are tied to a listener.
  • Moved RADIUS attribute definitions to src/include/rfc*.h
  • Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
  • In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
  • Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
  • Syntax errors in the "users" file now produce better error messages.

Bug Fixes

  • Fix issues parsing LDAP hostnames with non-standard ports.
  • Fix issues with realms containing regular expressions.
  • Allow unary negation before parentheses in rlm_expr.
  • Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
  • Be more careful to define Auth-Types before loading modules.
  • Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
  • When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
  • Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
  • Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
  • Emit warnings when ignoring user configured pool values.
  • Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
  • Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
  • Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
  • Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
  • Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
  • Set connection timeout correctly in rlm_sql_mysql.
  • Build with older versions of libcurl, and use CFLAGS from curl-config.
  • Honour Packet-Src-Port and Packet-Src-IP-Address in radclient.
  • Initialise ldapai_info_version field, so libldap will report its vendor and version.
  • Fix log rotation scripts by using the copyrotate option.
  • Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
  • Save Session-State after proxying.
  • Additional fixes for reading CoA/DM requests from detail files.
  • Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes.
  • Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.

17 December 2014 - Version 3.0.6 has been released.

The focus of this release is stability.

Feature improvements

  • radmin / raddebug conditional errors are printed to the output, instead of being discarded.
  • raddebug will exit if condition set with -c was invalid.
  • radmin auto-reconnects if the connection to the server has gone away.
  • rlm_cache now has submodule support. See raddb/mods-available/cache
  • New memcached driver for rlm_cache. See raddb/mods-available/cache
  • Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
  • Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
  • Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
  • When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
  • Support JIT compilation of compiled regular expressions when built with libpcre.
  • Support named capture groups with "%{regex:<name>}" when built with libpcre.
  • Increase regular expression capture groups from 8 to 32.
  • Emit error markers for badly formed regular expressions.
  • Allow 'm' flag to enable multiline mode in regular expressions.
  • Support limited implicit attribute conversion in update sections.
  • Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).

Bug Fixes

  • PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel.
  • "group" is allowed inside of "instantiate" sections.
  • update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly.
  • Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour.
  • Fix parsing of old regular expressions. Closes #842
  • Fix off by one error in ascend filters. Closes #843.
  • Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
  • Fix infinite loop on "Fall-Through = yes" when processing SQL groups.
  • Correct the check of SQL query return code.
  • Run "Post-Auth-Type Reject" if the request was rejected in post-auth
  • Write "Login OK" only if the post-auth section passed.
  • Create TLS-Cert-* certificates, even when EAP session caching is disabled.
  • Finalize the "correct_escapes" with many more tests.
  • Move to the new OpenLDAP libldap API, fixes more issues with binary values.
  • Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu.
  • Give parse errors on "%{...", without the closing brace.
  • Allow spaces in certificate passwords for build rules in raddb/certs/
  • Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
  • Fix various issues around masking IPv6 addresses.
  • Give descriptive error if unknown attributes are used in "update" sections.
  • Deal with cases where ldap_initialize isn't available gracefully, and use it exclusively when it's available.

21 November 2014 - Version 3.0.5 has been released.

The focus of this release is stability.

Feature improvements

  • Large update to Huawei dictionary.
  • Added dictionary.rfc7155
  • Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
  • All configuration items which are dynamically expanded are now parsed and validated when the server starts.
  • %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
  • The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
  • CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
  • Allow CoA and Disconnect packets to be read from the detail file.
  • Allow LDAP to specify arbitrary attributes for dynamic clients.
  • Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
  • rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
  • Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
  • Rename dictionary.redback to dictionary.ericsson.ab
  • Add --disable-openssl-version-check option to configure. So vendors can disable the check. Patch from Nikolai Kondrashov.
  • Do context-specific indenting in debug messages. This makes the debug output easier to read.
  • Make configuration a separate RPM, just like for Debian.
  • Better decoding of unknown VSAs
  • When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  • Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
  • Document retry_delay in connection pools.
  • Allow checksimul in rlm_couchbase.
  • Use kqueue on systems which support it. This allows for better scaling when using many sockets.

Bug Fixes

  • Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
  • Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
  • Allow null user object filter in rlm_ldap, it's valid to specify a complete object DN and use the base scope.
  • Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
  • Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
  • Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
  • Allow tabs after attribute names in the "users" file. Closes #796.
  • Free unknown DICT_ATTRs. Closes #795
  • Handle unknown attributes in the conditions and "update" sections. e.g. Attr-1.2.3.4 = foo.
  • Use correct array size for MS-CHAP new password.
  • In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
  • Don't call detach on parse error in rlm_perl. Closes #802.
  • Integer fixes for big-endian systems. Closes #803.
  • Don't optimize %{Packet-Src-IP-Address}. Closes #804.
  • dhcpclient loads dictionaries correctly. Closes #805.
  • Double quotes are no longer escaped in single-quoted strings. e.g. 'foo "hello" bar'.
  • Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
  • Typos and fixes from Nikolai Kondrashov.
  • Fixes to OpenSSL version checks, for cross-platform issues.
  • cppcheck fixes from Herwin Weststrate.
  • Fix build for OSX Yosemite
  • Merge DHCP sub-options. Closes #812.
  • Fix decoding of Starent attributes.
  • When a module asks for a connection, don't return idle connections.
  • LDAP connection timeouts will now retry, instead of failing.
  • Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  • Fix triggers for connection pools. Patches from Nikolai Kondrashov.
  • Fix SEGV when comparing non string type check items.
  • Build with newer versions of libmysqlclient.
  • Make the %{escape:} and %{unescape:} xlat functions UTF8 safe.
  • Don't escape UTF8 chars in SQL query strings.
  • Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
  • Fix use after free issue in unlang switch evaluation.
  • Respect operators in rlm_cache when merging into the current request.
  • Update Cache-Entry-Hits each time rlm_cache is called.
  • Produce WARN messages if SQL queries are empty strings.
  • Fix invalid assertion when proxying CoA requests.
  • Allow empty strings in "case" statements. Closes #836.
  • Normalize escaping for string expansions. i.e. don't do double escaping in rare situations.
  • Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
  • Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
  • Fix rlm_rest state handling. Closes #835.

18 November 2014 - Version 2.2.6 has been released.

The focus of this release is stability.

Feature improvements

  • When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.

Bug Fixes

  • Fix redundant-load-balance blocks to try other modules in the group if one fails.
  • Fix potential read into uninitialised memory in rlm_pap when normalising octet type attributes containing password hashes. This is very unlikely to happen in the wild.
  • Don't stop decoding DHCP options if we find a padding option.
  • Define sig_t on systems which don't have it. Closes #765
  • When clients are loaded from SQL, allow them to be tied to a virtual server.
  • Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  • Allow UTF-8 characters in SQL.
  • Back-port udpfromto fixes from v3

10 Sept 2014 - Version 3.0.4 has been released.

The focus of this release is stability.

Feature improvements

  • Home server "response_window" can now take fractions of a second. See proxy.conf.
  • radmin now supports "show module status", as the counterpart to "set module status"
  • Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
  • Add %{tag:} expansion to get the tag value of an attribute.
  • Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS <version> - <name>' in pg_stat_activity.
  • All config item fields are now type checked at compile time to prevent issues similar to #634 occurring again.
  • Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
  • "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  • The above applies to "listen", "home_server", and "client" sections.
  • "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  • Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  • Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
  • Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
  • rlm_cache now consumes its control attributes to make runtime configuration easier.
  • Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
  • Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
  • Add support for aliases in rlm_ldap.
  • Add support for connection pool sharing to all modules that use the connection pool (pool = <instance>).
  • "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  • Preliminary support for EAP channel bindings.
  • Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  • Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  • The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  • Allow comparison of integer attributes of different sizes, without requiring a cast.
  • rlm_sqlippool is now IPv6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  • The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
  • Allow bootstrap from multiple files in sqlite driver.

Bug Fixes

  • Make case-insensitive regular expressions work again, and add tests for them.
  • A few more talloc parenting issues
  • Fix delayed proxy reply handling. Closes #637
  • Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646
  • Don't double-quote strings in debugging messages
  • Fix foreach / break. Fixes #639
  • Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
  • Fix typo in mainconfig. Fixes #634
  • More rlm_perl fixes. Fixes #635
  • Free OpenSSL memory on clean exit.
  • Fix <attr>[0] !* ANY - Was removing all instances of <attr>
  • Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
  • Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may have resulted in a read of uninitialised memory.
  • Don't SEGV if all connections to a database server go away. Fixes #651.
  • Fix issue where <attr> -= <value> was not removing tagged instances of <attr> equal to <value> (only untagged).
  • Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
  • Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
  • Fix issue where specifying a dynamic client IP address using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
  • Don't print two "&" for messages about attribute or list references in debug output.
  • Fix urlquote and escape to encode Unicode characters correctly.
  • Fix redundant-load-balance blocks to try other modules in the group if one fails.
  • Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes, would be sometimes misnormalised as base64.
  • Don't stop processing DHCP options if we find a 0x00 padding option.
  • Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed.
  • Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
  • Fix issue in radsniff where, when writing to PCAP files with -R response filters, requests were still written to the PCAP for non-matching responses.
  • Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
  • Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
  • Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... }
  • Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
  • Fix a number of uses of the talloc parent/child reference.
  • Release connection used for reading bulk clients in rlm_ldap.
  • rlm_rest is now fail-safe if it's used without any configuration
  • Pull in build fixes for FreeBSD from ports.
  • Fix error in sqlite postauth query
  • Evaluate argument to "switch" statements once, instead of for each "case" statement.
  • Define sig_t on systems without it. Closes #765.
  • Fix boundary issue with rlm_rest. Closes #768
  • Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
  • Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
  • Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
  • Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
  • Check for -lpcre. The system might have pcre.h without -lpcre.
  • When proxying to a virtual server, use the proxy_reply instead of ignoring it.
  • Fixed typos in DHCP SQL IPPool.
  • Fix crash when passing multiple arguments to Perl xlat.

12 May 2014 - Version 3.0.3 has been released.

The focus of this release is stability.

Feature improvements

  • Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
  • rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS <-> LDAP mappings.
  • rlm_ldap now supports older style generic attributes.
  • Dynamic expansions (e.g. "%{expr:1 + 2}") are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  • Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  • Dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
  • Regular expressions are now parsed and cached when the server starts.
  • Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
  • rlm_rest is now available as a Debian package.
  • When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip
  • All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
  • Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
  • Added "config" section to Perl. See mods-available/perl
  • Added '%v' which expands to the server version - Patch from Alan Buxey.
  • More mismatched casts are caught in "if" conditions, and descriptive errors are printed.
  • Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
  • Removed radconf2xml and radmin "show client config" and "show home_server config".
  • Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
  • Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL.
  • Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
  • Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1
  • Allow tag and array references anywhere attributes are allowed in "unlang".
  • Many enhancements to radsniff, including output to collectd, IPv6 support and packet loss statistics.
  • Many dictionary updates (ZTE, Brocade, Motorola).
  • rlm_yubikey now automatically splits passwords from OTP strings.
  • The detail file reader is now threaded by default. This should improve performance reading the files.

Bug Fixes

  • Fix xlat expression %{attribute[n]} so that it actually returns the nth attribute instead of the first one.
  • Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored.
  • Check for more optional functions in json-c so we can build with libjson0, which is the name of the json-c package on Debian/Ubuntu.
  • Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
  • Fix handling of "%{reply:3GPP-*}".
  • Fix rlm_perl garbage attributes.
  • Fix oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
  • Truncate long format strings and error markers instead of omitting them.
  • Fix multiple attribute parsing in rlm_rest JSON.
  • Don't crash in rlm_rest if connect_uri is commented out in the configuration.
  • Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
  • Don't re-run "authorize" if a home server fails to respond.
  • Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets".
  • FreeBSD fixes for execinfo linking.
  • Make some of the module configurations more consistent.
  • Fix corner cases where STDOUT wouldn't be closed in daemon mode.
  • Re-enable "update coa" and originating CoA requests.
  • Prevent multiple threads writing to the sql query logs.
  • Fix zombie period calculation. Closes #579.
  • Properly parent VPs for talloc, when moving them in map2request.
  • Various fixes for talloc parent / child relationships
  • Allow rlm_counter to support VSAs.
  • Normalize return codes for many modules. "do nothing" is noop, not "ok".
  • Run Post-Proxy-Type Fail. Closes #576.
  • Fix DHCP destination port for replies to relays. Closes #591.
  • Do-Not-Respond policy works again. Closes #593.
  • Proxy-To-Virtual-Server works again. Closes #596.
  • Build fixes for ancient systems. Closes #607, #608, #609.
  • %{Module-Return-Code} works again. Closes #610.
  • Don't increment statistics for Status-Server responses. Closes #612.
  • A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
  • Fix multiple regular expression and glob memory leaks.
  • Don't allocate any memory in fr_fault() as it can cause malloc to deadlock.
  • Temporarily set dumpable flag before calling system in fr_fault() else the debugger may not be able to attach.
  • Set nonblock on all TCP client sockets.
  • Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
  • Fix crash on authentication failure with MIT kerberos.
  • Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
  • The connection pools no longer have one connection used twice in certain rare conditions.
  • Use self pipes for internal signals. The code was there, but was unused.
  • Don't crash if there are outstanding EAP sessions and we're told to exit gracefully.
  • Fix typo in dictionary.rfc4072

28 April 2014 - Version 2.2.5 has been released.

The focus of this release is stability.

Feature improvements

  • Update dictionary.terena and dictionary.zte.
  • Expose server version via %v. Patch from Alan Buxey.
  • Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
  • Catch underlying "heartbleed" problem, so that nothing bad happens with EAP even when using a vulnerable version of OpenSSL.

Bug Fixes

  • Minor changes to build on Sun.
  • Print non-ASCII characters as octal in linelog. Closes #578.
  • Fix zombie period calculation. Closes #579.

21 March 2014 - Version 3.0.2 has been released.

The focus of this release is stability.

Feature improvements

  • Secret keys and LDAP / SQL passwords are now printed as '<<< secret >>>' in debugging mode. Use -Xx to see the actual passwords.
  • Print out more information about passwords in -Xx, including hashes, comparisons, etc.
  • Allow cast (and implicit conversion) of integers to IPv4 addresses
  • More xlats allow attribute references. This means they can operate on binary data. e.g. expr, base64, md5, sha1.
  • Added more tests.
  • The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary.
  • A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf
  • Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
  • Add "%{sha256:}" and "%{sha512:}" xlat functions.
  • Cache CUI in EAP session resumption.
  • Templates can now have sub-sections, which will be included in the section referencing the template.
  • Update more dictionaries.
  • Added more instances of the "always" module, for all return codes.
  • Suppress broken NASes when proxying. Retransmits which occur more than once per second are rate-limited to once per second.
  • Allow '&' in more xlat expansions.
  • Update PostgreSQL schema and queries to record last updated time, and accounting interim.
  • Optimize more "if" conditions when the server loads. This will avoid work at run time. e.g. ("foo" == "bar") --> FALSE.
  • Allow removal of all attributes within a list with !* operator.
  • Allow list to list copies with request qualifiers (outer.).
  • Add support for ipv4 prefixes and ipv6 addresses and prefixes to %{integer:}.
  • Allow the radmin command "set module status <module> <code>", which can be used to forcibly enable/disable modules.
  • The pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header.
  • Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack.
  • Added example IP Pool for DHCP, using sqlite. From Matthew Newton. See raddb/mods-config/sql/ippool-dhcp/.

Bug Fixes

  • Fix SQL groups.
  • Fix operation of fr_strerror() with RE*() macros.
  • Don't assert if the connection we're trying to reconnect is not in_use.
  • Fix %{mschap:User-Name} xlat.
  • Allow comparisons of signed integers and of ethernet addresses.
  • Fix parsing of text-based ascend binary filters.
  • Fix a few minor Coverity and clang analyzer issues.
  • Log WARNING and ERROR prefixes only once, not twice.
  • Fix attribute truncation seen in Perl and other places.
  • Use correct port when DHCP relaying.
  • Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  • Don't abort() when freeing home servers on exit.
  • Fix edge case in pairmove() when some attributes could be overwritten.
  • Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
  • In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
  • Fix corner case with proxying, where home server goes down.
  • Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
  • Use /dev/urandom for raddb/certs/random, if it exists.
  • Issue WARNING that old-style clients should no longer be used.
  • Auto-set secret to "radsec" for tcp+tls home servers.
  • Fix double free in home_server_add when there is a parse error on startup.
  • rlm_unix checks if the dictionaries are broken, instead of crashing.
  • Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
  • Register sqlcounter attributes correctly, and fix other issues with it.
  • Treat 127.0.0.1/32 as being identical to 127.0.0.1.
  • Don't mangle error output of SQL drivers like PostgreSQL.
  • Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times.
  • Fix TLS session leak for incoming sockets.
  • Try harder to clean up memory on exit when using "-mM".
  • Fix memory leak when home server is down for RadSec connections.
  • Rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second.
  • When parsing ipv6 address prefixes, always mask off the host portion.
  • Fix rlm_counter so that it does not create two reply attributes.
  • Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output.
  • Initialize scope in IP address parsing.
  • Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter.
  • Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
  • Fix POST attribute parsing in rlm_rest.
  • Fix JSON attribute parsing in rlm_rest.
  • Don't append trailing & to POST options in rlm_rest (minor).
  • Process HTTP 100 Continue messages correctly in rlm_rest.
  • Fix generation of long > 512 byte POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest.
  • Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions.
  • Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing.
  • Correct calculation of Message-Authenticator for CoA packets. Closes #556.

19 March 2014 - Version 2.2.4 has been released.

The focus of this release is stability.

Feature improvements

  • A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error.
  • Allow the radmin command "set module status <module> <code>", which can be used to forcibly enable/disable modules.

Bug Fixes

  • If the server fails to bind() after fork(), that is now reported to the parent, which exits with an error.
  • Session / delay times in MySQL are unsigned int.
  • Use --tag=CC for libtool. Closes #497. Because libtool is too stupid to notice that compiling means compilation.
  • Fix bug when copying attributes for vendors > 32767
  • Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  • Don't fail config check if we're listening on an IP which is also a home server. Some deployments have valid reasons to loop packets back to another virtual server.
  • Use correct port when DHCP relaying.
  • Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.

Older Press Releases

2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005.