Softpedia >Windows >Internet >Servers >Other Servers >FreeRADIUS >  Changelog

FreeRADIUS Changelog

What's new in FreeRADIUS 3.2.3

May 26, 2023
  • The focus of this release is stability.

New in FreeRADIUS 3.2.2 (Feb 16, 2023)

  • The focus of this release is stability.

New in FreeRADIUS 3.2.1 (Oct 3, 2022)

  • The focus of this release is stability.

New in FreeRADIUS 3.2.0 (Sep 5, 2022)

  • Feature Improvements:
  • All features from 3.0.x are included in the 3.2.x releases. In addition:.
  • Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which day of the month the counter should be reset.
  • Partial backport of rlm_json from v4, providing the json_encode xlat See mods-available/json for documentation.
  • Support for haproxy "PROXY" protocol See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
  • Support for sending CoA-Request and Disconnect-Request packets in "reverse" down RadSec tunnels. Experimental for now, and undocumented.
  • It is now possible to run a virtual server when saving / loading TLS cache attributes. See sites-available/tls-cache for more information.
  • Removed the "cram" module. It was undocumented, and used old and insecure authentication methods.
  • Remove the "otp" module. The "otpd" program it needs is no longer available, and the module has not been usable since at least 2015.
  • All features from 3.0.x are included in the 3.2.x releases.
  • 3.2.0 requires OpenSSL 1.0.2 or greater.
  • Bug Fixes:
  • All bug fixes from 3.0.x are included in the 3.2.x releases.

New in FreeRADIUS 3.0.25 (Oct 7, 2021)

  • Feature Improvements:
  • Better debug output when proxying is disabled.
  • Updates to support PostgreSQL 14 (#4251).
  • Bug Fixes:
  • Add `correct_escapes` back into default configuration.
  • Fix undeclared variable with some compile options (#4246).
  • Quiet erroneous debug output.
  • Fix segfault when proxying to zombie home server.
  • Fix resolving values to enum strings in rlm_rest (#4167).
  • Fix printing raw values rather than enum strings in rlm_couchbase (#4167).

New in FreeRADIUS 3.0.23 (Jun 11, 2021)

  • The focus of this release is stability.

New in FreeRADIUS 3.0.19 (Apr 10, 2019)

  • Feature Improvements:
  • Update dictionary.cisco.
  • Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially Patch from Nathan Ward. Fixes #2540.
  • Re-added "show client config" command to radmin.
  • Cleaned up mods-available/sql example so that it is easier to understand.
  • Added pfSense dictionary. Closes #2581.
  • Update dictionary.h3c Closes #2592.
  • Update elasticsearch/logstash config for v6.7.0.
  • EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/.
  • Bug Fixes:
  • Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2.
  • Fix crash in sqlippool due to escaping changes Patch from Nathan Ward. Fixes #2532, #2533.
  • Fix systemd notify, watchdog and unit files Fixes #2541, #2499.
  • Fix erroneous length check in EAP-FAST.
  • Update documentation to remove old "ignore_null" configuration. Fixes #2578.
  • Fix default POD port. Should be 3799. Fixes #2591.
  • Correctly encode vendor-specific "encrypted" attributes Fixes #2600.

New in FreeRADIUS 3.0.18 (Feb 26, 2019)

  • The focus of this release is stability.

New in FreeRADIUS 4.0.x Development (Apr 18, 2018)

  • FEATURE IMPROVEMENTS:
  • For upgrade instructions, see raddb/README.rst.
  • "authorize", "authenticate", "preacct", etc are deprecated. We now use "recv Access-Request" See raddb/README.rst.
  • Dropped support for -i and -p flags in radiusd.
  • New "map" function in unlang. See "man unlang".
  • The "load-balance" and "redundant-load-balance" sections accept a key. See "man unlang".
  • The EAP module tracks certificates in a different attribute list. See the upgrade instructions.
  • The EAP module produces much better messages when using TLS.
  • The MySQL and Postgresql modules now call the database string escape functions, instead of using "safe_characters".
  • radmin / raddebug can now stream debug output directly to radmin, instead of using an intermediary file.
  • radsniff stats (-W) now operates on PCAP files too.
  • radsniff stats can be printed in CSV format.
  • radsniff processes .1Q tagged packets by default.
  • Improved internal state API, to simplify multiround authentication.
  • ipaddr = * 'just works' for most DHCP configurations.
  • Redis cluster support for all Redis modules.
  • TLV Attributes can now be nested to nearly any depth.
  • radsnmp client which can listen on Net-SNMP "pass persist" and translate that into queries to the server.
  • rlm_perl: radiusd::xlat to evaluate xlat string within perl script.
  • rlm_ldap supports maps, which can map the contents of multiple LDAP objects to RADIUS attributes.
  • Both the rlm_ldap map and xlat functions support server side sort control specifiers in their URLs.
  • rlm_eap supports RSA/ECC key agility.
  • BUG FIXES:
  • Attribute names in unlang MUST be prefixed with & This fixes a host of ambiguities when parsing.
  • Added unit tests for dictionary parsing and restrictions on which attributes can appear where.

New in FreeRADIUS 3.0.17 (Apr 18, 2018)

  • FEATURE IMPROVEMENTS:
  • Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
  • "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169.
  • Add Dockerfiles for a selection of common systems.
  • Increase number of permitted file descriptors, for systems with many home servers.
  • Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205.
  • Update main READMEs. Patches from Matthew Newton.
  • Added dictionary.mimosa.
  • BUG FIXES:
  • Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
  • Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168.
  • Fix RuntimeDirectory for RedHat, from Alan Buxey.
  • Relax checks in 'if' parser from Isaac Bourkis.
  • Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
  • Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich.
  • Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
  • Fix double free in rlm_sql. Fixes #2180.
  • rlm_detail now writes empty Access-Accept packets.
  • rlm_python can now create tagged attributes.
  • Don't crash on duplicate realm + authhost / accthost Bug found by Richard Palmer.
  • Allow partial certificate chain to trusted CA. Fixes #2162.
  • Treat SSL_read() returning zero as error. Fixes #2164.
  • detail writer now checks if the file was renamed or deleted.
  • Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
  • RedHat Systemd updates. Fixes #2184.
  • Use correct API for State variable in rlm_securid.
  • Remove broken radclient option "-i".
  • Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs.
  • Fix rlm_sql to expand the un-escaped string, not the raw string.
  • Link default and inner-tunnel only if they exist. Fixes #2206.
  • Don't use both IP_PKTINFO and IP_SENDSRCADDR.
  • Always install signal handler for SIGINT (needed by Docker).
  • Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked.
  • sqlippool now returns "fail" if it fails IP allocation.
  • Fix rlm_yubikey to look for correct attribute in replay attack check.

New in FreeRADIUS 3.0.16 (Jan 12, 2018)

  • The focus of this release is stability.

New in FreeRADIUS 3.0.15 (Oct 24, 2017)

  • FEATURE IMPROVEMENTS:
  • Provide HOSTNAME in default systemd files.
  • Incorporate RedHat specific files.
  • Update dictionary.starent, dictionary.ruckus.
  • Allow builds without TCP or DHCP.
  • BUG FIXES:
  • Fix multiple issues. See this web page for details: http://freeradius.org/security/fuzzer-2017.html.
  • Pass correct statement length into sqlite3_prepare[_v2].
  • Bind the lifetime of program name and python path to the module.
  • Check input / output length in make_secret() FR-GV-201.
  • Fix read overflow when decoding DHCP option 63 FR-GV-206.
  • Fix write overflow in data2vp_wimax() FR-GV-301.
  • Fix infinite loop and memory exhaustion with 'concat' attributes FR-GV-302.
  • Fix infinite read in dhcp_attr2vp() FR-GV-303.
  • Fix buffer over-read in fr_dhcp_decode_suboptions() FR-GV-304.
  • Decode 'signed' attributes correctly FR-GV-305.
  • use strncmp() instead of memcmp() for bounded data FR-AD-001.
  • Bind the lifetime of program name and python path to the module FR-AD-002.
  • Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003.
  • print messages when we see deprecated configuration items.
  • show reasons why we couldn't parse a certificate expiry time.
  • be more accepting about truncated ASN1 times.
  • Fix OpenSSL API issue which could leak small amounts of memory. Issue reported by Guido Vranken.
  • For Access-Reject, call rad_authlog() after running the post-auth section, just like for Access-Accept.
  • don't crash when reading corrupted data from session resumption cache. Fixes #1999.
  • Parse port in dhcpclient. Fixes #2000.
  • Don't leak memory for OpenSSL Patch from Guido Vranken.
  • Portability fixes taken from OpenBSD port collection.
  • run rad_authlog after post-auth for Access-Reject.
  • Don't process VMPS packets twice.
  • Fix attribute truncation in rlm_perl.
  • Fix bug when processing huntgroups.

New in FreeRADIUS 3.0.7 Feature Release (Mar 7, 2015)

  • Feature improvements:
  • Allow coa home_servers to be derived from client sections if a coa_server section is provided.
  • Automatically determine the correct port if no port is provided for a home server.
  • Allow foreach to operate over lists.
  • Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiud -xv. %v is now deprecated.
  • Add support for PATCH method in rlm_rest.
  • Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
  • Add support for sub-second timeouts in rlm_rest.
  • Add support for connection timeouts in rlm_rest.
  • Add %{jsonquote:} xlat to escape strings for insertion into json documents.
  • Add %{ldapquote:} xlat to escape strings for insertion into ldap DNs.
  • Add %{explode:&ref }, splits value of &ref on and creates new &ref type attributes with the fragments.
  • Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
  • Add %{nexttime:[]h|d|w|y} to calculate the number of seconds before the next hour(s), day(s), week(s), or year(s).
  • Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
  • Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
  • For some SQL drivers (MySQL, sqlite) distinguish between constraints violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
  • Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
  • Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
  • Make dhcpclient work with raw sockets and various other improvements - Contributed by nchaigne
  • Add support for SSHA2 - Contributed by PDD.
  • Add perle dictionary - Contributed by Hachmer
  • Modernise init scripts for RHEL, SUSE and Debian.
  • radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
  • radmin now sends error messages from the server to stderr, instead of to stdout.
  • radmin now looks for sockets matching it's UID and GID, rather than just always using the first one it finds.
  • radmin can how delete clients which are tied to a listener.
  • Moved RADIUS attribute definitions to src/include/rfc*.h
  • Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
  • In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
  • Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
  • Syntax errors in the "users" file now produce better error messages.
  • Bug Fixes:
  • Fix issues parsing LDAP hostnames with non-standard ports.
  • Fix issues with realms containing regular expressions.
  • Allow unary negation before parantheses in rlm_expr.
  • Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
  • Be more careful to define Auth-Types before loading modules.
  • Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
  • When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
  • Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
  • Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
  • Emit warnings when ignoring user configured pool values.
  • Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
  • Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
  • Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
  • Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
  • Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
  • Set connection timeout correctly in rlm_sql_mysql.
  • Build with older versions of libcurl, and use CFLAGS from curl-config.
  • Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
  • Initialise ldapai_info_version field, so libldap will report its vendor and version.
  • Fix log rotation scripts by using the copyrotate option.
  • Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
  • Save Session-State after proxying.
  • Additional fixes for reading CoA/DM requests from detail files.
  • Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes.
  • Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.

New in FreeRADIUS 3.0.6 Feature Release (Mar 7, 2015)

  • Feature improvements:
  • radmin / raddebug conditional errors are printed to the output, instead of being discarded.
  • raddebug will exit if condition set with -c was invalid.
  • radmin auto-reconnects if the connection to the server has gone away.
  • rlm_cache now has submodule support. See raddb/mods-available/cache
  • New memcached driver for rlm_cache. See raddb/mods-available/cache
  • Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
  • Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
  • Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
  • When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
  • Support JIT compilation of compiled regular expressions when built with libpcre.
  • Support named capture groups with "%{regex:}" when built with libpcre.
  • Increase regular expression capture groups from 8 to 32.
  • Emit error markers for badly formed regular expressions.
  • Allow 'm' flag to enable multiline mode in regular expressions.
  • Support limited implicit attribute conversion in update sections.
  • Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
  • Bug Fixes:
  • PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel.
  • "group" is allowed inside of "instantiate" sections.
  • update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly.
  • Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour.
  • Fix parsing of old regular expressions. Closes #842
  • Fix off by one error in ascend filters. Closes #843.
  • Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
  • Fix infinite loop on "Fall-Through = yes" when processing SQL groups.
  • Correct the check of SQL query return code.
  • Run "Post-Auth-Type Reject" if the request was rejected in post-auth
  • Write "Login OK" only if the post-auth section passed.
  • Create TLS-Cert-* certificates, even when EAP session caching is disabled.
  • Finalize the "correct_escapes" with many more tests.
  • Move to the new OpenLDAP libldap API, fixes more issues with binary values.
  • Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu.
  • Give parse errors on "%{...", without the closing brace.
  • Allow spaces in certificate passwords for build rules in raddb/certs//
  • Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
  • Fix various issues around masking IPv6 addresses.
  • Give descriptive error if unknown attributes are used in "update" sections.
  • Deal with cases where ldap_initialize isn't available gracefully, and use it exclusively when it's available.

New in FreeRADIUS 3.0.5 Feature Release (Mar 7, 2015)

  • Feature improvements:
  • Large update to Huawei dictionary.
  • Added dictionary.rfc7155
  • Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
  • All configuration items which are dynamically expanded are now parsed and validated when the server starts.
  • %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
  • The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
  • CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
  • Allow CoA and Disconnect packets to be read from the detail file.
  • Allow LDAP to specify arbitrary attributes for dynamic clients.
  • Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
  • rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
  • Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
  • Rename dictionary.redback to dictionary.ericsson.ab
  • Add --disable-openssl-version-check option to configure. So vendors can disable the check. Patch from Nikolai Kondrashov.
  • Do context-specific indenting in debug messages. This makes the debug output easier to read.
  • Make configuration a separate RPM, just like for Debian.
  • better decoding of unknown VSAs
  • When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  • Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
  • Document retry_delay in connection pools.
  • Allow checksimul in rlm_couchbase.
  • Use kqueue on systems which support it. This allows for better scaling when using many sockets.
  • Bug Fixes:
  • Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
  • Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
  • Allow null user object filter in rlm_ldap, it's valid to specify a complete object DN and use the base scope.
  • Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
  • Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
  • Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
  • Allow tabs after attribute names in the "users" file. Closes #796.
  • Free unknown DICT_ATTRs. Closes #795
  • Handle unknown attributes in the conditions and "update" sections. e.g. Attr-1.2.3.4 = foo.
  • Use correct array size for MS-CHAP new password.
  • In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
  • Don't call detach on parse error in rlm_perl. Closes #802.
  • Integer fixes for big-endian systems. Closes #803.
  • Don't optimize %{Packet-Src-IP-Address}. Closes #804.
  • dhcpclient loads dictionaries correclty. Closes #805.
  • double quotes are no longer escaped in single-quoted strings. e.g. 'foo "hello" bar'.
  • Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
  • Typos and fixes from Nikolai Kondrashov.
  • Fixes to OpenSSL version checks, for cross-platform issues.
  • cppcheck fixes from Herwin Weststrate.
  • Fix build for OSX Yosemite
  • Merge DHCP sub-options. Closes #812.
  • Fix decoding of Starent attributes.
  • When a module asks for a connection, don't return idle connections.
  • LDAP connection timeouts will now retry, instead of failing.
  • Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  • Fix triggers for connection pools. Patches from Nikolai Kondrashov.
  • Fix SEGV when comparing non string type check items.
  • Build with newer versions of libmysqlclient.
  • make the %{escape:} and %{unescape:} xlat functions UTF8 safe.
  • Don't escape UTF8 chars in SQL query strings.
  • Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
  • Fix use after free issue in unlang switch evaluation.
  • Respect operators in rlm_cache when merging into the current request.
  • Update Cache-Entry-Hits each time rlm_cache is called.
  • Produce WARN messages if SQL queries are empty strings.
  • Fix invalid assertion when proxying CoA requests.
  • Allow empty strings in "case" statements. Closes #836.
  • Normalize escaping for string expansions. i.e. don't do double escaping in rare situations.
  • Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
  • Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
  • Fix rlm_rest state handling. Closes #835.

New in FreeRADIUS 2.2.6 (Mar 7, 2015)

  • Feature improvements:
  • When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  • Bug Fixes:
  • Fix redundant-load-balance blocks to try other modules in the group if one fails.
  • Fix potential read into uninitialised memory in rlm_pap when normalising octet type attributes containing password hashes. This is very unlikely to happen in the wild.
  • Don't stop decoding DHCP options if we find a padding option.
  • Define sig_t on systems which don't have it. Closes #765
  • When clients are loaded from SQL, allow them to be tied to a virtual server.
  • Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  • Allow UTF-8 characters in SQL.
  • Back-port udpfromto fixes from v3

New in FreeRADIUS 3.0.4 Feature Release (Mar 7, 2015)

  • Feature improvements:
  • Home server "response_window" can now take fractions of a second. See proxy.conf.
  • radmin now supports "show module status", as the counterpart to "set module status"
  • Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
  • Add %{tag:} expansion to get the tag value of an attribute.
  • Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity.
  • All config item fields are now type checked at compile time to prevent issues similar to #634 occuring again.
  • Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
  • "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  • The above applies to "listen", "home_server", and "client" sections.
  • "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  • Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  • Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
  • Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
  • rlm_cache now consumes its control attributes to make runtime configuration easier.
  • Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
  • Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
  • Add support for aliases in rlm_ldap.
  • Add support for connection pool sharing to all modules that use the connection pool (pool = ).
  • "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  • Preliminary support for EAP channel bindings.
  • Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  • Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  • The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  • Allow comparison of integer attributes of different sizes, without requiring a cast.
  • rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  • The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
  • allow bootstrap from multiple files in sqlite driver.
  • Bug Fixes:
  • make case-insensitive regular expressions work again, and add tests for them.
  • A few more talloc parenting issues
  • Fix delayed proxy reply handling. Closes #637
  • Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646
  • Don't double-quote strings in debugging messages
  • Fix foreach / break. Fixes #639
  • Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
  • Fix typo in mainconfig. Fixes #634
  • More rlm_perl fixes. Fixes #635
  • Free OpenSSL memory on clean exit.
  • Fix [0] !* ANY - Was removing all instances of
  • Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
  • Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may of resulted in a read of uninitialised memory.
  • Don't SEGV if all connections to a database server go away. Fixes #651.
  • Fix issue where -= was not removing tagged instances of equal to (only untagged).
  • Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
  • Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
  • Fix issue where specifying a dynamic client IP addresss using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
  • Don't print two "&" for messages about attribute or list references in debug output.
  • Fix urlquote and escape to encode Unicode characters correctly.
  • Fix redundant-load-balance blocks to try other modules in the group if one fails.
  • Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes, would be sometimes misnormalised as base64.
  • Don't stop processing DHCP options if we find a 0x00 padding option.
  • Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed.
  • Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
  • Fix issue in radsniff where writing to PCAP files and using -R response filters, where the requests would still be written to the PCAP for non matching responses.
  • Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
  • Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
  • Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... }
  • Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
  • Fix a number of uses of the talloc parent/child reference.
  • Release connection used for reading bulk clients in rlm_ldap.
  • rlm_rest is now fail-safe if it's used without any configuration
  • Pull in build fixes for FreeBSD from ports.
  • Fix error in sqlite postauth query
  • Evaluate argument to "switch" statements once, instead of for each "case" statement.
  • Define sig_t on systems without it. Closes #765.
  • Fix boundary issue with rlm_rest. Closes #768
  • Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
  • Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
  • Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
  • Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
  • Check for -lpcre. The system might have pcre.h without -lpcre.
  • When proxying to a virtual server, use the proxy_reply instead of ignoring it.
  • Fixed typos in DHCP SQL IPPool.
  • Fix crash when passing multiple arguments to Perl xlat.

New in FreeRADIUS 3.0.3 Feature Release (Mar 7, 2015)

  • Feature improvements:
  • Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
  • rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS LDAP mappings.
  • rlm_ldap now supports older style generic attributes.
  • dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  • Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  • dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
  • regular expressions are now parsed and cached when the server starts.
  • Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
  • rlm_rest now available as a debian package.
  • When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip
  • All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
  • Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
  • Added "config" section to Perl. See mods-available/perl
  • Added '%v' which expands to the server version - Patch from Alan Buxey.
  • more mis-matched casts are caught in "if" conditions, and descriptive errors are printed.
  • Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
  • Removed radconf2xml and radmin "show client config" and "show home_server config".
  • Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
  • Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL.
  • Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
  • Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1
  • Allow tag and array references anywhere attributes are allowed in "unlang".
  • many enhancements to radsniff, including output to collectd, ipv6 support and packet loss statistics.
  • Many dictionary updates (ZTE, Brocade, Motorola).
  • rlm_yubikey now automatically splits passwords from OTP strings.
  • The detail file reader is now threaded by default. This should improve performance reading the files.
  • Bug Fixes:
  • Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one.
  • Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored.
  • Check for more optional functions in json-c so we can Build with libjson0, which is the name of the json-c package on debian/ubuntu.
  • Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
  • Fix handling of "%{reply:3GPP-*}"
  • Fix rlm_perl garbage attributes
  • Fix oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
  • Truncate long format strings and error markers instead of omitting them.
  • Fix multiple attribute parsing in rlm_rest JSON.
  • Don't crash in rlm_rest if connect_uri is commented out in the configuration.
  • Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
  • Don't re-run "authorize" if a home server fails to respond.
  • Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets"
  • FreeBSD fixes for execinfo linking.
  • Make some of the module configurations more consistent.
  • Fix corner cases where STDOUT wouldn't be closed in daemon mode.
  • Re-enable "update coa" and originating CoA requests.
  • Prevent multiple threads writing to the sql query logs.
  • Fix zombie period calculation. Closes #579
  • Properly parent VPs for talloc, when moving them in map2request.
  • Various fixes for talloc parent / child relationships
  • Allow rlm_counter to support VSAs.
  • Normalize return codes for many modules. "do nothing" is noop, not "ok".
  • Run Post-Proxy-Type Fail. Closes #576
  • Fix DHCP destination port for replies to relays. Closes #591
  • Do-Not-Respond policy works again Closes #593
  • Proxy-To-Virtual-Server works again. Closes #596
  • Build fixes for ancient systems. Closes #607, #608, #609.
  • %{Module-Return-Code} works again. Closes #610.
  • Don't increment statistics for Status-Server responses. Closes #612.
  • A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
  • Fix multiple regular expression and glob memory leaks.
  • Don't allocate any memory in fr_fault() as it can cause malloc to deadlock.
  • Temporarily set dumpable flag before calling system in fr_fault() else the debugger may not be able to attach.
  • Set nonblock on all TCP client sockets.
  • Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
  • Fix crash on authentication failure with MIT kerberos.
  • Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
  • The connection pools no longer have one connection used twice in certain rare conditions.
  • Use self pipes for internal signals. The code was there, but was unused.
  • Don't crash if there are outstanding EAP sessions and were told to exit gracefully.
  • Fix typo in dictionary.rfc4072

New in FreeRADIUS 2.2.5 (Mar 7, 2015)

  • Feature improvements:
  • Update dictionary.terena and dictionary.zte.
  • Expose server version via %v. Patch from Alan Buxey.
  • Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
  • Catch underlying "heartbleed" problem, so that nothing bad happens with EAP even when using a vulnerable version of OpenSSL.
  • Bug Fixes:
  • Minor changes to build on Sun.
  • Print non-ASCII characters as octal in linelog. Closes #578.
  • Fix zombie period calculation. Closes #579
  • improvements:
  • When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  • Bug Fixes:
  • Fix redundant-load-balance blocks to try other modules in the group if one fails.
  • Fix potential read into uninitialised memory in rlm_pap when normalising octet type attributes containing password hashes. This is very unlikely to happen in the wild.
  • Don't stop decoding DHCP options if we find a padding option.
  • Define sig_t on systems which don't have it. Closes #765
  • When clients are loaded from SQL, allow them to be tied to a virtual server.
  • Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  • Allow UTF-8 characters in SQL.
  • Back-port udpfromto fixes from v3