  Radius Bridge Release Notes

File: Release_radiusd.txt
Size: 4 KBytes
MD5: F366D1F03272EC13206FE9B2B0131E13

**************
*** v1.3.6 ***
**************

RadiusBridge now supports EAP-TLS authentication for Enterprise Wifi.
With EAP-TLS the user authentication uses a certificate only (no password or OTP).
The user certificates are generated in WebADM or the self services.

WebADM includes an OCSP service which is used by RadiusBridge to check the
revocation status of a user certificate. It is important to note that a user
certificate is considered valid if it is not expired and is present on the LDAP
user object. The WebADM OCSP cache is refreshed every 6 hours, but you can force
an OCSP refresh by purging the license cache.

**************
*** v1.3.5 ***
**************

In this release, we simplified the structure of the configuration files in order
to make OpenOTP RADIUS Bridge even easier to configure. The 'radiusd.conf' config
file (the FreeRadius config file) is now hidden in an .ini file under the 'lib'
directory and should not need to be modified. The RADIUS 'dictionary' file has
also been removed from the 'conf' directory. The 'openotp.conf' file, which
contains OpenOTP related settings, has been renamed to 'radiusd.conf'. The 'conf'
directory now contains only the 'radiusd.conf' and 'clients.conf' files.

Note that the upgrader package will automatically make the required changes to
your configuration files.

**************
*** v1.3.0 ***
**************

In this version, we switched from Freeradius v2.2 to Freeradius v3.0. As a
consequence, the conf/radiusd.conf file must be replaced by the new default file
(conf/radiusd.conf.default). If you made customizations to the radiusd.conf file
then you will need to apply your customizations to the new file.

**************
*** v1.2.6 ***
**************

IMPORTANT: You need RCDevs RadiusBridge >= 1.2.6 with OpenOTP v1.3.x!
Older versions of RadiusBridge will not work correctly with OpenOTP v1.3.x!

**************
*** v1.2.1 ***
**************

*** Wifi Access with RADIUS and EAP-GTC ***

RadiusBridge now supports the EAP protocol family for Enterprise Wifi access.
Only the EAP-GTC is supported and can be transported over a TTLS RADIUS session.
You will need to re-run the bin/setup script and copy conf/radiusd.conf.default
to conf/radiusd.conf after the upgrade in order to enable EAP for RadiusBridge.

*** Contextual Authentication with Device IDs ***

RadiusBridge includes a new optional configuration 'context_attribute', used to
specify a RADIUS attribute containing the user MAC address. Not all VPNs
support passing the end-user MAC address to the RADIUS server. Only some Wifi
access points currently support this feature.

**************
*** v1.2.0 ***
**************

*** Client Policies with RADIUS Concentrators ***

RadiusBridge passes the NAS-IP-Address attribute value as OpenOTP Client ID when
no NAS-Identifier is provided. Also, when a RADIUS concentrator is used and the
RADIUS NAS does not provide the NAS-Identifier, the NAS IP address (and not the
concentrator IP address) is passed to OpenOTP as Client ID.

This new behavior is much more effective at applying client policies correctly
when a RADIUS concentrator is used. However, any existing setup of Radius Bridge
with a client policy matching the concentrator IP must be updated accordingly!

In WebADM, you can define aliases for your client policies. Defining a client
alias is useful with RADIUS clients (NAS) which do not support passing the Client
ID via the NAS-Identifier attribute (e.g. Cisco ASA). In this case, you need to
use the NAS IP address as Client name in order to define a Client Policy. With an
alias, you can define the Client with a name of your choice and set the NAS IP
Address as an alias.
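
The Client ID selection and alias matching described above, as an added Python
example (not RCDevs code) that audits a policy list before an upgrade. The policy
table, request dictionaries, addresses and exact-string matching are constructed
assumptions for illustration, not a WebADM or RadiusBridge format.

```python
# Added illustration. Policies and requests below are constructed sample data;
# exact string matching of names and aliases is an assumption.

def client_id(attrs):
    """Client ID per the v1.2.0 notes: NAS-Identifier if the NAS sent one,
    otherwise NAS-IP-Address (never the concentrator's own address)."""
    return attrs.get("NAS-Identifier") or attrs.get("NAS-IP-Address")

def match_policy(cid, policies):
    """Return the policy whose name or one of whose aliases equals the Client ID."""
    for name, aliases in policies.items():
        if cid == name or cid in aliases:
            return name
    return None

def audit(policies, requests, concentrators):
    """Return (policies still keyed on a concentrator IP,
    Client IDs seen in requests that match no policy)."""
    stale = sorted(
        name for name, aliases in policies.items()
        if ({name} | set(aliases)) & set(concentrators)
    )
    unmatched = []
    for req in requests:
        cid = client_id(req)
        if match_policy(cid, policies) is None:
            unmatched.append(cid)
    return stale, unmatched

# Constructed sample data (documentation address ranges).
CONCENTRATORS = {"192.0.2.10"}
POLICIES = {
    "VPN-Gateway": ["198.51.100.7"],  # named policy, NAS IP set as alias
    "192.0.2.10": [],                 # old policy keyed on the concentrator IP
}
REQUESTS = [
    {"NAS-Identifier": "VPN-Gateway", "NAS-IP-Address": "198.51.100.7"},
    {"NAS-IP-Address": "198.51.100.7"},   # NAS sends no NAS-Identifier
    {"NAS-IP-Address": "198.51.100.22"},  # NAS behind the concentrator, no policy
]

if __name__ == "__main__":
    stale, unmatched = audit(POLICIES, REQUESTS, CONCENTRATORS)
    print("policies keyed on a concentrator IP:", stale)
    print("Client IDs with no matching policy:", unmatched)
```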

*** Support for Active Directory User Principal Names ***

A setting to use Active Directory User Principal Names (UPNs) has been added. UPNs
are globally unique login names like email addresses (e.g. user@company.com). The UPN
contains the DNS domain as part of the user ID (after the '@' character).
With UPNs, OpenOTP will select the right WebADM Domain based on the UPN domain
information.

When UPN support is enabled, RB will pass the UPN domain suffix as the
domain name to OpenOTP. For example, if the UPN is user@company.com, then RB will
send user@company.com as username and company.com as domain to OpenOTP.

Note: In WebADM Domains, you can configure the UPN suffixes as Domain Aliases in
the WebADM Domain settings.