  Radius Bridge Changelog

File: Changelog_radiusd.txt
Size: 13 KBytes
MD5: 98E754F7EB5206BFE6A6A6240CAAE4E1

1.3.9-2
    - Fixed a crash occurring with more than 1024 simultaneous connections.
    - Fixed a memory leak with EAP-TLS for NAC access (Wifi/Ethernet).
    - Upgraded libopenotp to version 1.0.21 (stability).

1.3.9
    - Upgraded OpenSSL to version 1.1.1c (including security fixes).
    - Added SSL certificate auto-renewal (requires WebADM v1.7.3-1).
    
1.3.8
    - Upgraded FreeRadius to version 3.0.19.
    - Added support for WebADM 1.7.2 fast OCSP service for EAP-TLS.
    - Added support for OCSP logs in WebADM Web Services' SQL log.
    
1.3.7
    - Fixed a SOAP timeout issue in libopenotp.
    - Upgraded OpenSSL to version 1.0.2r (including security fixes).
    - Upgraded FreeRadius to version 3.0.18.
    - Radiusd 32 bit version is discontinued.
    
1.3.6
    - Added support for OTP retries over RADIUS (requires OpenOTP v1.4.1).
    - Upgraded OpenSSL to version 1.0.2p (including security fixes).
    - Upgraded libopenotp to version 1.0.19 (challenge timeout optimizations).
    - Added support for FIDO2 over RCDevs Vendor-Specific RADIUS attributes.
      > Setting 'u2f_support' is replaced by 'fido_support'.
    - Added support for EAP-TLS for WIFI access with WebADM user certificates.
      > You need to configure cert_support and ocsp_url in radiusd.conf for EAP-TLS.
      > If RadiusBridge refuses to start because it's missing the conf/ca.crt file,
        then copy the WebADM CA certificate from the Admin menu in conf/ca.crt.
 
1.3.5
    - Removed conf/dictionary and conf/radiusd.conf files.
      > The FreeRadius config is located in an .ini file under the lib/ directory.
      > conf/openotp.conf is renamed to conf/radiusd.conf for any future version.
      > The conf/ directory now only contains radiusd.conf and clients.conf.
      > You can adjust the listening interface/ports by creating conf/radiusd.env.
    - Upgraded FreeRadius to version 3.0.17.
    - nolock_usernames and similar settings now allow lists up to 256 usernames.
    
1.3.4
    - Better support for Wifi access points.
    - New setup wizard with server URL auto-configuration and SSL certificate signed
      by WebADM CA (Rsignd).
    - denied_usernames, nolock_usernames and cached_usernames support wildcard matching.
    - Upgraded OpenSSL to version 1.0.2o (including security fixes).
    - Upgraded OpenLDAP to version 2.4.46.
    - Fixed a memory leak in the libopenotp with SSL connections.
    
1.3.3
    - Upgraded Freeradius to version 3.0.16.
    - Added support for Microsoft NPS with Terminal service gateways.
    - Fixed error handling when OpenOTP reply data value-pairs cannot be parsed.
    
1.3.2
    - Added TCP listener for RADIUS auth requests.
    - Added support for Cisco ASA servers not supporting 30 seconds' timeouts.
    - Added support for local LDAP password checks (AD / LDAP).
      > This option is reserved for MSP partners (please contact RCDevs for details).
    - Added support for PaloAlto client source IP address.
    - Fixed config with source/context/client attributes in vendor-specific dictionaries.
    - Updated OpenSSL to version 1.0.2m.
    
1.3.1
    - Upgraded Freeradius to version 3.0.15 (including security fixes).
    - Fixed server not willing to start with server_url1 & server_url2 configured.
    - Upgraded OpenLDAP to version 2.4.45 and libopenotp to version 1.0.17.
    - Removed log "TLS section tls missing, trying to use legacy configuration".
    
1.3.0
    - Moved from Freeradius 2.x branch to Freeradius 3.x.
      > The previous radiusd.conf must be replaced by radiusd.conf.default.
    - Fixed EAP security issue CVE-2017-9148.
    - Updated OpenSSL to version 1.0.2l.

1.2.8-1
    - All xxx_attribute settings (e.g. client_attribute or source_attribute) support
      an optional list of values in the form "Attribute1,Attribute2,...".
    - When client_attribute is not set, the attributes NAS-Identifier, NAS-IP-Address
      and NAS-IPv6-Address are tried in order.
    - Removed the deprecated setting mode_attribute.
    
1.2.8
    - Added Radius Bridge backup and restore scripts in /opt/slapd/bin/.
      > The scripts can be used to migrate your Radius Bridge to a new server.
    - Added FreeRADIUS LDAP module to the modules directory (ie. rml_ldap).
    - Added the 'denied_usernames' configuration to the openotp.conf file to deny
      some user IDs without sending any OpenOTP request.
    - Added 'cached_usernames' for optimizing system user polling using LDAP-only.
      > Check openotp.conf.default for more information.
      > This option requires OpenOTP v1.3.3-1 or greater.
    - Upgraded libopenotp to version 1.0.15.
    - Upgraded OpenSSL to version 1.0.2k (security fixes).
    
1.2.7
    - Upgraded OpenSSL to version 1.0.2j and libopenotp to version 1.0.15.
    - Added support for OpenOTP protocol version checking.
    - Added U2F support over RADIUS with a RCDevs vendor-specific dictionary.
      > Check the dictionary in /opt/radius/lib/dictionaries/dictionary.rcdevs
   
1.2.6
    - Upgraded OpenSSL to version 1.0.2h and libopenotp to version 1.0.14-2.
    - The default SOAP timeout is 30 secs to accommodate the OpenOTP Simple-Push.
    - Added support for OpenOTP RADIUS Reply Web services.
    - Added support for OpenOTP v1.3 (older RB versions do not support OpenOTP v1.3).

1.2.5
    - The client ID attribute can be configured if NAS-Identifier cannot be used.
    - The source attribute defaults to 'Calling-Station-Id'. The value is ignored if
      it is not an IP address.
    - When configured, the context attribute is ignored if it contains an IP address.
    - With two servers it is now possible to configure server_url1 & server_url2.
    - Fixed thread crashes under very high server loads.
    - Fixed systemd startup script.

1.2.4
    - Removed the 'reply_is_vps' and 'reply_attribute' configurations.
      > Use OpenOTP v1.2.2-1 to return OpenOTP Reply Attributes as RADIUS value-pairs.
      > OpenOTP v1.2.2-1 includes a RADIUS attributes' editor in the user settings.
    - Setting 'reply_vps' is renamed 'reply_attributes'.
    - Upgraded OpenSSL to version 1.0.2f.

1.2.3
    - Fixed issues with long passwords (containing more than 64 characters).
    - Fixed a rare issue with libopenotp causing some requests to hang.
    - Upgraded OpenSSL to version 1.0.2e and FreeRADIUS to version 2.2.9.

1.2.2
    - When two OpenOTP servers are configured, the health of the servers is checked
      at regular intervals using TCP socket polling.
      > A new configuration (status_cache) is used to specify the polling interval.
    - Wifi access with OTP is now supported with EAP-GTC and EAP-TTLS/PAP.
      Warning: Challenged OTP is not supported with Wifi access protocols.
    - Added support for systemd startup with RedHat and CentOS 7.
    - Updated libopenotp to version 1.0.11 (timeout enhancements and bug fixes).
    
1.2.1
    - Added support for OpenOTP 1.2.1 with libopenotp 1.0.10.
    - Added support for EAP-GTC and EAP-TTLS for wifi access over RADIUS.
      > You need to re-run the bin/setup script and then replace conf/radiusd.conf
        with conf/radiusd.conf.default in order to enable EAP.
    - Upgraded to FreeRadius v2.2.7.
    - Added a temp directory for PID file and temporary data.
    - Added support for OpenOTP 1.2.1 contextual authentication mechanism.
      > Read the documentation for the setting "context_attribute" for more details.
    - PID file and temporary files are now stored in /opt/radiusd/temp/.
    - Fixed SOAP timeout not working with SSL server URLs.
    - Added support for '@' domain separator where the domain is on the right side.
      With any other separator character, the domain part is on the left side.
    - Listen on old RADIUS ports (auth 1645 and accounting 1646) for compatibility.
    
1.2.0
    - Added support for OpenOTP 1.2 with FIDO U2F.
      > FIDO is currently not supported for RADIUS.
    - Added OTP routing policy when multiple servers are configured in server_url.
      The allowed policies are 'ordered', 'balanced' and 'consistent'.
    - When multiple servers are configured, the challenge responses are sent to the
      server which was used in the access request by default.
    - The bin/radtest tool supports challenged login requests.
    - Updated OpenSSL library to 1.0.1k with vulnerability fixes CVE-2014-0160 and
      CVE-2014-0224.
    - Upgraded to FreeRadius v2.2.6.
    - Fixed filtered value pairs (fetched from OpenOTP Reply Data) not parsed.
    - Added support for Microsoft DirectAccess RADIUS Probe requests.
    - Fixed a crash in libopenotp when multiple server URLs are set.
    - Use NAS-IP-Address as Client ID when NAS-Identifier is not available.
    - Added support for fetching domain names from AD User Principal Names.

1.1.1
    - Fixed a parsing problem with OpenOTP reply-data and filtered value-pairs.
    - Fixed a bug in libopenotp causing a socket read loop under heavy load when
      WebADM server closes and restarts.
    - Upgraded to FreeRadius v2.2.3 and OpenSSL v1.0.1f.
    - Added a debugging start mode with 'bin/radiusd debug'.
    - Added a failure response delay when OpenOTP SOAP service does not respond to
      allow RADIUS failover at the client side. The delay can be configured with
      the no_response_delay setting in conf/openotp.conf and is disabled by default.
    - Concatenated password mode 3 now supports both LDAP only or OTP only login via
      OpenOTP SimpleLogin method when the separator character is not found.
    - Added a special concatenation mode for Yubikeys (username followed by OTP).
    - Setting mode_attribute supports string and integer dictionary attributes.
    - Setting source_attribute supports string and ipaddr dictionary attributes.
    
1.1.0
    - Added support for OpenOTP v1.1.0.
      This version does not work with OpenOTP v1.0.x.
    - Added password_mode 0 (default) which lets OpenOTP automatically handle the
      user passwords. This mode uses the new OpenOTP SimpleLogin API.

1.0.9
    - Added support for location-based policies in WebADM v1.2.3 & OpenOTP v1.0.17.
    - Added a 'source_attribute' setting allowing the RADIUS clients to provide
      the source IP address of the end user.
    - Added a 'mode_attribute' setting allowing the RADIUS clients to provide
      the password mode in a RADIUS attribute of the Access request.
    - Added RADIUS attribute encoding checks for username, password and state.
    - Added no_success_message and no_failure_message to disable reply messages
      in the success and failure responses with some broken RADIUS clients.
    - If not configured, domain separator is now disabled (no separator).
    - Upgraded to FreeRADIUS v2.2.0 and OpenSSL v1.0.1c.
    - Added RADIUS accounting support on port 1813.
      A new log file is created for accounting information (accounting.log).
      > Please replace your radiusd.conf file with the radiusd.conf.new file.
    - Added RADIUS server status support on port 18120.
    - Fixed client filter separator '.' not working with the filtered value_is_vps.
    - Removed user password traces from access log.
    
1.0.7
    - Fixed a bug with the domain_separator setting.
    - Fixed a bug with data_is_vps setting.
    - Added the possibility to get a list of RADIUS attributes and values
      in the OpenOTP Reply Data.
    - Added the possibility to set a list of static radius attributes to be
      sent back to the radius clients in the Access-Accept packets.
    - Fixed a bug with radius requests containing OpenOTP settings.
    - Added support for concatenated password with variable OTP length.
      You can now specify a password separator instead of a fixed OTP length.
    - Updated FreeRadius to version 2.1.10.

1.0.6
    - Added support for OpenOTP 1.0.11-1.
    - Fixed otp_length max limitation problem.
    - Added data_separator setting to allow returning multiple Reply Data.
    
1.0.5
    - Radius Bridge 1.0.5 is required for use with OpenOTP 1.0.9.
    - Uses libopenotp version 1.0.2.
    - Updated documentation files (INSTALL and README).
    - Updated default configurations.
    - Corrected radtest script.

1.0.4
    - Added soap_timeout setting.
    - Added data_attribute setting.
    - Added settings_attribute setting.
    - Added password mode 4 for concatenated passwords with OTP first.
    - Updated all libraries and components to the latest versions.
    
1.0.3
    - Updated rlm_openotp to version 1.0.3. New version has several bug fixes.

1.0.2
    - Added password_mode and otp_length settings, which allow sending only the OTP
      password or the LDAP+OTP passwords concatenated.
      See the updated radiusd.conf for details.

1.0.1
    - Fixed a bug when the RADIUS client sends a NAS-Identifier attribute.
    
1.0.0
    First official release.