1.3.39 (September 3 2024)
- Upgraded FreeRadius to version 3.2.5 (including bug fixes).
- Fixed issues with Access-Challenge messages on some VPN servers.
1.3.38 (August 20 2024)
- Fixed issues with Access-Challenge messages on some VPN servers.
> FreeRADIUS now sends Message-Authenticator in all responses but
Access-Challenge with Message Authenticator present is broken with
some VPN server implementations. RadiusBridge will now add the
Message-Authenticator in the Access-Challenge response only if the
client itself provided a Message-Authenticator in the Access-Request.
- Removed a dependency on libxcrypt.
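
The Message-Authenticator rule described for 1.3.38, as an added example that is not RCDevs or FreeRADIUS code: a minimal Python sketch that builds an Access-Challenge and attaches Message-Authenticator (HMAC-MD5 over the packet, per RFC 3579) only when the Access-Request carried one. Assumptions: the function names, the shared secret and the sample attributes are constructed, and checking the request's own Message-Authenticator before answering is added here, not stated in the release note.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 18, 24
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20                  # code, id, length, 16-byte authenticator
MA_VALUE_OFFSET = HEADER_LEN + 2  # value offset when the attribute comes first


def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 bytes")
            return pos + 2
        pos += attr_len
    return None


def compute_ma(packet, ma_offset, secret, request_authenticator):
    """HMAC-MD5 with the Request Authenticator in the header and the
    Message-Authenticator value zeroed, keyed with the shared secret."""
    buf = bytearray(packet)
    buf[4:HEADER_LEN] = request_authenticator
    buf[ma_offset:ma_offset + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def build_request(identifier, secret, username, with_ma):
    """Constructed sample Access-Request, with or without Message-Authenticator."""
    authenticator = os.urandom(16)
    attrs = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) if with_ma else b""
    attrs += encode_attr(ATTR_USER_NAME, username)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(attrs)) + authenticator + attrs
    if with_ma:
        ma = compute_ma(packet, MA_VALUE_OFFSET, secret, authenticator)
        packet = packet[:MA_VALUE_OFFSET] + ma + packet[MA_VALUE_OFFSET + 16:]
    return packet


def build_challenge(request, secret, state, prompt):
    """Access-Challenge that mirrors the request's use of Message-Authenticator."""
    req_auth = request[4:HEADER_LEN]
    req_ma_offset = find_message_authenticator(request)
    if req_ma_offset is not None:
        expected = compute_ma(request, req_ma_offset, secret, req_auth)
        if not hmac.compare_digest(expected, request[req_ma_offset:req_ma_offset + 16]):
            raise ValueError("request Message-Authenticator mismatch")
    attrs = b""
    if req_ma_offset is not None:  # client sent one, so the reply carries one
        attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    attrs += encode_attr(ATTR_STATE, state) + encode_attr(ATTR_REPLY_MESSAGE, prompt)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, request[1], HEADER_LEN + len(attrs))
    packet = header + req_auth + attrs
    if req_ma_offset is not None:
        ma = compute_ma(packet, MA_VALUE_OFFSET, secret, req_auth)
        packet = packet[:MA_VALUE_OFFSET] + ma + packet[MA_VALUE_OFFSET + 16:]
    # Response Authenticator = MD5(code, id, length, RequestAuth, attributes, secret)
    response_auth = hashlib.md5(header + req_auth + packet[HEADER_LEN:] + secret).digest()
    return header + response_auth + packet[HEADER_LEN:]


def verify_response(response, request, secret):
    """Client-side check of Response Authenticator and, if present, Message-Authenticator."""
    req_auth = request[4:HEADER_LEN]
    expected_ra = hashlib.md5(response[:4] + req_auth + response[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected_ra, response[4:HEADER_LEN]):
        return False
    offset = find_message_authenticator(response)
    if offset is None:
        return True
    expected_ma = compute_ma(response, offset, secret, req_auth)
    return hmac.compare_digest(expected_ma, response[offset:offset + 16])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for with_ma in (True, False):
        req = build_request(1, secret, b"alice", with_ma)
        resp = build_challenge(req, secret, b"state-1", b"Enter OTP")
        print("request MA:", with_ma,
              "| challenge MA:", find_message_authenticator(resp) is not None,
              "| verifies:", verify_response(resp, req, secret))
```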
1.3.37 (July 18 2024)
- Removed the 'machine_cert' setting in 'radiusd.conf' (this is not
necessary anymore and handled automatically).
- EAP-TLS does not need the username or hostname to be set in the client
configuration anymore.
- The setting 'ocsp_url' is not supported anymore (replaced by PKILogin).
> OCSP is not necessary with openotpPKILogin, where revocation is checked
by OpenOTP itself.
> EAP-TLS with OCSP only (not using OpenOTP) is not supported anymore.
- Fixed source IP Address not obtained by default from Calling-Station-Id.
- Updated freeradius dictionary files.
1.3.36 (July 10 2024)
- Upgraded FreeRadius to version 3.2.5 (including security fixes).
1.3.35 (June 13 2024)
- Added support for MAC address audit and restrictions with RADIUS NAC.
- Added support for NAC with Ethernet devices.
- EAP-TLS (ie. cert_support in radiusd.conf) is now enabled by default.
- Upgraded embedded OpenSSL to version 3.2.2 (including security fixes).
- Updated libopenotp to version 1.0.30.
1.3.34 (June 9 2024)
- Added support for OpenOTP NAC auto-badging in OpenOTP v2.2.17.
- RADIUS Bridge now listens on both IPv4 and IPv6 by default.
1.3.33 (February 22 2024)
- Upgraded OpenSSL to version 3.2.1.
- Default SSL ciphersuite is now set to HIGH:MEDIUM.
- Added support for RADIUS over TCP with TLS over standard listen ports.
1.3.32 (November 1 2023)
- Upgraded OpenSSL to version 3.0.12 (long-term 3.x).
1.3.31 (June 2023)
- Added support for PKI login with machine certificates.
- Upgraded OpenSSL to version 1.1.1w (including bug fixes).
1.3.30 (July 3 2023)
- Fixed a startup error when ca_cert is set in the config file.
- Updated libopenotp to version 1.0.28.
- Added a 'renew' launcher command to renew the SSL certificate and trust
bundle and reload the daemon.
> The renewal can be scheduled via a cron command.
1.3.29 (June 5 2023)
- Upgraded FreeRadius to version 3.2.3 (including bug fixes).
- Upgraded OpenSSL to version 1.1.1u (including bug fixes).
- Fixed issues when deprecated ocsp_url is configured in radiusd.conf.
1.3.28 (April 22 2023)
- Upgraded FreeRadius to version 3.2.2 (including bug fixes).
- Upgraded OpenSSL to version 1.1.1t (including bug fixes).
- Added support for OpenOTP Cloud API keys.
- Added SELinux log context creation in the setup script.
1.3.27 (December 5 2022)
- Upgraded FreeRadius to version 3.2.1 (including bug fixes).
- Upgraded OpenSSL to version 1.1.1s (including bug fixes).
- Updated vendor dictionary database.
1.3.26 (May 10 2022)
- Upgraded FreeRadius to version 3.2.0 (including security fixes).
- Upgraded OpenSSL to version 1.1.1o (including security fixes).
1.3.25 (April 22 2022)
- Added support for EAP-TLS with UPNs (requires OpenOTP v2.1.1).
- Radiusd SSL certificate auto-renewal complies with WebADM v2.1.9.
1.3.24 (April 6 2022)
- Fixed EAP-TLS username not recognized with newer Windows versions.
- Upgraded embedded OpenSSL to version 1.1.1n (including bug fixes).
1.3.23 (January 24 2022)
- WebADM CA trust bundle is automatically trusted by Radiusd for EAP-TLS.
> The CA bundle is auto-updated in 'conf/trusted.crt' at startup.
> Requires WebADM v2.1.2.
- Upgraded embedded OpenSSL to version 1.1.1m (including bug fixes).
- Added 'auth_support' setting to allow disabling OpenOTP authentication and
work in EAP-TLS mode only (ie. PKI login).
1.3.22 (November 22 2021)
- EAP-TLS (certificate based login) now uses OpenOTP v2.0.3 PKILogin method
by default and not the usual OCSP login.
> Note: This update requires OpenOTP v2.0.3 for EAP-TLS PKI login to work!
> Simply comment 'ocsp_url' in 'conf/radiusd.conf' to use OpenOTP PKILogin.
> You can still revert to the previous behavior (ie. using OCSP service) by
enabling the 'ocsp_url' setting in 'conf/radiusd.conf'.
1.3.21 (November 8 2021)
- Upgraded FreeRadius to version 3.0.25 (stability fixes).
- Upgraded OpenSSL to version 1.1.1l (including security fixes).
- Upgraded OpenLDAP to version 2.6.0.
- Fixed stability issues with EAP-TLS (client certificates).
1.3.20 (September 17 2021)
- Fixed incorrect EAP max_sessions setting in lib/radiusd.ini.
- Added optional module rlm_ippool.so to the lib/modules folder.
- Now requires Linux with min glibc-2.17 and not glibc-2.12 anymore.
1.3.19 (August 25 2021)
- Upgraded OpenSSL to version 1.1.1l (including security fixes).
- Fixed crashes with talloc memory management when using EAP-TLS.
1.3.17 (July 5 2021)
- Multiple CA certificates can be concatenated in 'conf/ca.crt' for OCSP
client certificates' validation.
- When trusted certificates contain an OCSP endpoint URL, it is preferred
to the configured 'ocsp_url'.
> This allows using Windows machine certificates together with EAP-TLS.
- Fixed multiple EAP-TLS issues.
- Upgraded FreeRadius to version 3.0.23.
- Upgraded OpenSSL to version 1.1.1k (including security fixes).
- Upgraded OpenLDAP to version 2.5.5.
1.3.16 (March 18 2021)
- Fixed an unnecessary dependency on libpcre.
- Upgraded OpenSSL to version 1.1.1j (including security fixes).
- Upgraded OpenLDAP to version 2.4.57.
1.3.15
- Added support for EAP-PEAP-GTC (for NAC and 802.1x).
- Updated libopenotp to version 1.0.24.
1.3.14
- Added the 'cert_nopolicy' config to disable OpenOTP call with EAP-TLS.
This setting disables the enforcement of client policies in WebADM.
- Upgraded OpenSSL to version 1.1.1i (including security fixes).
- Upgraded OpenLDAP to version 2.4.56.
1.3.13
- Fixed client Id not defaulting to the NAS-IP-Address when NAS-Identifier
is not provided.
- Fixed a segfault with EAP-TLS and client certificate login.
- Upgraded OpenLDAP to version 2.4.50.
1.3.12
- Upgraded OpenLDAP to version 2.4.49.
- Added compatibility with RedHat 8 and CentOS 8.
- Added support for OpenOTP v1.5 and voice biometrics.
- Upgraded OpenSSL to version 1.1.1g (including security fixes).
- Upgraded FreeRadius to version 3.0.21.
1.3.11
- Added support for OpenOTP request with EAP-TLS (physical and Wifi NAC).
> RadiusBridge sends OpenOTP requests with client certificates generated
by WebADM in order to validate client policies and return reply attrs.
- Upgraded libopenotp to version 1.0.22 (stability).
1.3.10
- Fixed a crash occurring with more than 1024 simultaneous connections.
- Fixed a memory leak with EAP-TLS for NAC access (Wifi/Ethernet).
- Upgraded libopenotp to version 1.0.21 (stability).
- Upgraded OpenSSL to version 1.1.1d (including security fixes).
- Added a nodelay_usernames to prevent anti-bruteforce delay for load-tests.
- Added Docker start mode with '/opt/radiusd/bin/radiusd start docker'.
- Upgraded FreeRadius to version 3.0.19.
1.3.9
- Upgraded OpenSSL to version 1.1.1c (including security fixes).
- Added SSL certificate auto-renewal (requires WebADM v1.7.3-1).
1.3.8
- Upgraded FreeRadius to version 3.0.19.
- Added support for WebADM 1.7.2 fast OCSP service for EAP-TLS.
- Added support for OCSP logs in WebADM Web Services' SQL log.
1.3.7
- Fixed a SOAP timeout issue in libopenotp.
- Upgraded OpenSSL to version 1.0.2r (including security fixes).
- Upgraded FreeRadius to version 3.0.18.
- Radiusd 32 bit version is discontinued.
1.3.6
- Added support for OTP retries over RADIUS (requires OpenOTP v1.4.1).
- Upgraded OpenSSL to version 1.0.2p (including security fixes).
- Upgraded libopenotp to version 1.0.19 (challenge timeout optimizations).
- Added support for FIDO2 over RCDevs Vendor-Specific RADIUS attributes.
> Setting 'u2f_support' is replaced by 'fido_support'.
- Added support for EAP-TLS for WIFI access with WebADM user certificates.
> You need to configure cert_support and ocsp_url in radiusd.conf for EAP-TLS.
> If RadiusBridge refuses to start because it's missing the conf/ca.crt file,
then copy the WebADM CA certificate from the Admin menu in conf/ca.crt.
1.3.5
- Removed conf/dictionary and conf/radiusd.conf files.
> The FreeRadius config is located in an .ini file under the lib/ directory.
> conf/openotp.conf is renamed to conf/radiusd.conf for any future version.
> The conf/ directory now only contains radiusd.conf and clients.conf.
> You can adjust the listening interface/ports by creating conf/radiusd.env.
- Upgraded FreeRadius to version 3.0.17.
- nolock_usernames and similar settings now allow lists up to 256 usernames.
1.3.4
- Better support for Wifi access points.
- New setup wizard with server URL auto-configuration and SSL certificate signed
by WebADM CA (Rsignd).
- denied_usernames, nolock_usernames and cached_usernames support wildcard matching.
- Upgraded OpenSSL to version 1.0.2o (including security fixes).
- Upgraded OpenLDAP to version 2.4.46.
- Fixed a memory leak in the libopenotp with SSL connections.
1.3.3
- Upgraded Freeradius to version 3.0.16.
- Added support for Microsoft NPS with Terminal service gateways.
- Fixed error handling when OpenOTP reply data value-pairs cannot be parsed.
1.3.2
- Added TCP listener for RADIUS auth requests.
- Added support for Cisco ASA servers not supporting 30 seconds' timeouts.
- Added support for local LDAP password checks (AD / LDAP).
> This option is reversed for MSP partners (please contact RCDevs for details).
- Added support for PaloAlto client source IP address.
- Fixed config with source/context/client attributes in vendor-specific dictionaries.
- Updated OpenSSL to version 1.0.2m.
1.3.1
- Upgraded Freeradius to version 3.0.15 (including security fixes).
- Fixed server not willing to start with server_url1 & server_url2 configured.
- Upgraded OpenLDAP to version 2.4.45 and libopenotp to version 1.0.17.
- Removed log "TLS section tls missing, trying to use legacy configuration".
1.3.0
- Moved from Freeradius 2.x branch to Freeradius 3.x.
> The previous radiusd.conf must be replaced by radiusd.conf.default.
- Fixed EAP security issue CVE-2017-9148.
- Updated OpenSSL to version 1.0.2l.
1.2.8-1
- All xxx_attribute settings (e.g. client_attribute or source_attribute) support an
optional list of values in the form "Attribute1,Attribute2,...".
- When client_attribute is not set, the attributes NAS-Identifier, NAS-IP-Address
and NAS-IPv6-Address are tried in order.
- Removed the deprecated setting mode_attribute.
1.2.8
- Added Radius Bridge backup and restore scripts in /opt/slapd/bin/.
> The scripts can be used to migrate your Radius Bridge to a new server.
- Added FreeRADIUS LDAP module to the modules directory (i.e. rlm_ldap).
- Added the 'denied_usernames' configuration to the openotp.conf file to deny
some user IDs without sending any OpenOTP request.
- Added 'cached_usernames' for optimizing system user polling using LDAP-only.
> Check openotp.conf.default for more information.
> This option requires OpenOTP v1.3.3-1 or greater.
- Upgraded libopenotp to version 1.0.15.
- Upgraded OpenSSL to version 1.0.2k (security fixes).
1.2.7
- Upgraded OpenSSL to version 1.0.2j and libopenotp to version 1.0.15.
- Added support for OpenOTP protocol version checking.
- Added U2F support over RADIUS with a RCDevs vendor-specific dictionary.
> Check the dictionary in /opt/radius/lib/dictionaries/dictionary.rcdevs
1.2.6
- Upgraded OpenSSL to version 1.0.2h and libopenotp to version 1.0.14-2.
- The default SOAP timeout is 30 secs to accommodate OpenOTP Simple-Push.
- Added support for OpenOTP RADIUS Reply Web services.
- Added support for OpenOTP v1.3 (older RB versions do not support OpenOTP v1.3).
1.2.5
- The client ID attribute can be configured if NAS-Identifier cannot be used.
- The source attribute defaults to 'Calling-Station-Id'. The value is ignored if
it is not an IP address.
- When configured, the context attribute is ignored if it contains an IP address.
- With two servers it is now possible to configure server_url1 & server_url2.
- Fixed thread crashes under very high server loads.
- Fixed systemd startup script.
1.2.4
- Removed the 'reply_is_vps' and 'reply_attribute' configurations.
> Use OpenOTP v1.2.2-1 to return OpenOTP Reply Attributes as RADIUS value-pairs.
> OpenOTP v1.2.2-1 includes a RADIUS attributes' editor in the user settings.
- Setting 'reply_vps' is renamed 'reply_attributes'.
- Upgraded OpenSSL to version 1.0.2f.
1.2.3
- Fixed issues with long passwords (containing more than 64 characters).
- Fixed a rare issue with libopenotp causing some requests to hang.
- Upgraded OpenSSL to version 1.0.2e and FreeRADIUS to version 2.2.9.
1.2.2
- When two OpenOTP servers are configured, the health of the servers is checked
at regular intervals using TCP socket polling.
> A new configuration (status_cache) is used to specify the polling interval.
- Wifi access with OTP is now supported with EAP-GTC and EAP-TTLS/PAP.
Warning: Challenged OTP is not supported with Wifi access protocols.
- Added support for systemd startup with RedHat and CentOS 7.
- Updated libopenotp to version 1.0.11 (timeout enhancements and bug fixes).
1.2.1
- Added support for OpenOTP 1.2.1 with libopenotp 1.0.10.
- Added support for EAP-GTC and EAP-TTLS for wifi access over RADIUS.
> You need to re-run the bin/setup script and then to replace conf/radiusd.conf
with conf/radiusd.conf.default in order to enable EAP.
- Upgraded to FreeRadius v2.2.7.
- Added a temp directory for PID file and temporary data.
- Added support for OpenOTP 1.2.1 contextual authentication mechanism.
> Read the documentation for the setting "context_attribute" for more details.
- PID file and temporary files are now stored in /opt/radiusd/temp/.
- Fixed SOAP timeout not working with SSL server URLs.
- Added support for '@' domain separator where the domain is on the right side.
With any other separator character, the domain part is on the left side.
- Listen on old RADIUS ports (auth 1645 and accounting 1646) for compatibility.
1.2.0
- Added support for OpenOTP 1.2 with FIDO U2F.
> FIDO is currently not supported for RADIUS.
- Added OTP routing policy when multiple servers are configured in server_url.
The allowed policies are 'ordered', 'balanced' and 'consistent'.
- When multiple servers are configured, the challenge responses are sent to the
server which was used in the access request by default.
- The bin/radtest tool supports challenged login requests.
- Updated OpenSSL library to 1.0.1k with vulnerability fixes CVE-2014-0160 and
CVE-2014-0224.
- Upgraded to FreeRadius v2.2.6.
- Fixed filtered value pairs (fetched from OpenOTP Reply Data) not parsed.
- Added support for Microsoft DirectAccess RADIUS Probe requests.
- Fixed a crash in libopenotp when multiple server URLs are set.
- Use NAS-IP-Address as Client ID when NAS-Identifier is not available.
- Added support for fetching domain names from AD User Principal Names.
1.1.1
- Fixed a parsing problem with OpenOTP reply-data and filtered value-pairs.
- Fixed a bug in libopenotp causing a socket read loop under heavy load when
WebADM server closes and restarts.
- Upgraded to FreeRadius v2.2.3 and OpenSSL v1.0.1f.
- Added a debugging start mode with 'bin/radiusd debug'.
- Added a failure response delay when OpenOTP SOAP service does not respond to
allow RADIUS failover at the client side. The delay can be configured with
the no_response_delay setting in conf/openotp.conf and is disabled by default.
- Concatenated password mode 3 now supports both LDAP only or OTP only login via
OpenOTP SimpleLogin method when the separator character is not found.
- Added a special concatenation mode for Yubikeys (username followed by OTP).
- Setting mode_attribute supports string and integer dictionary attributes.
- Setting source_attribute supports string and ipaddr dictionary attributes.
1.1.0
- Added support for OpenOTP v1.1.0.
This version does not work with OpenOTP v1.0.x.
- Added password_mode 0 (default) which lets OpenOTP automatically handle the
user passwords. This mode uses the new OpenOTP SimpleLogin API.
1.0.9
- Added support for location-based policies in WebADM v1.2.3 & OpenOTP v1.0.17.
- Added a 'source_attribute' setting allowing the RADIUS clients to provide
the source IP address of the end user.
- Added a 'mode_attribute' setting allowing the RADIUS clients to provide
the password mode in a RADIUS attribute of the Access request.
- Added RADIUS attribute encoding checks for username, password and state.
- Added no_success_message and no_failure_message to disable reply messages
in the success and failure responses with some broken RADIUS clients.
- If not configured, domain separator is now disabled (no separator).
- Upgraded to FreeRADIUS v2.2.0 and OpenSSL v1.0.1c.
- Added RADIUS accounting support on port 1813.
A new log file is created for accounting information (accounting.log).
> Please replace your radiusd.conf file with the radiusd.conf.new file.
- Added RADIUS server status support on port 18120.
- Fixed client filter separator '.' not working with the filtered value_is_vps.
- Removed user password traces from access log.
1.0.7
- Fixed a bug with the domain_separator setting.
- Fixed a bug with data_is_vps setting.
- Added the possibility to get a list of RADIUS attributes and values
in the OpenOTP Reply Data.
- Added the possibility to set a list of static radius attributes to be
sent back to the radius clients in the Access-Accept packets.
- Fixed a bug with radius requests containing OpenOTP settings.
- Added support for concatenated password with variable OTP length.
You can now specify a password separator instead of a fixed OTP length.
- Updated FreeRadius to version 2.1.10.
1.0.6
- Added support for OpenOTP 1.0.11-1.
- Fixed otp_length max limitation problem.
- Added data_separator setting to allow returning multiple Reply Data.
1.0.5
- Radius Bridge 1.0.5 is required for use with OpenOTP 1.0.9.
- Uses libopenotp version 1.0.2.
- Updated documentation files (INSTALL and README).
- Updated default configurations.
- Corrected radtest script.
1.0.4
- Added soap_timeout setting.
- Added data_attribute setting.
- Added settings_attribute setting.
- Added password mode 4 for concatenated passwords with OTP first.
- Updated all libraries and components to the latest versions.
1.0.3
- Updated rlm_openotp to version 1.0.3. New version has several bug fixes.
1.0.2
- Added password_mode and otp_length settings allowing to send only OTP
password or LDAP+OTP passwords concatenated.
See the updated radiusd.conf for details.
1.0.1
- Fixed a bug when the RADIUS client sends a NAS-Identifier attribute.
1.0.0
First official release.
- Upgraded FreeRadius to version 3.2.5 (including bug fixes).
- Fixed issues with Access-Challenge messages on some VPN servers.
1.3.38 (August 20 2024)
- Fixed issues with Access-Challenge messages on some VPN servers.
> FreeRADIUS now sends Message-Authenticator in all responses but
Access-Challenge with Message Authenticator present is broken with
some VPN server implementations. RadiusBridge will now add the
Message-Authenticator in the Access-Challenge response only if the
client itself provided a Message-Authenticator in the Access-Request.
- Removed a denpendency with libxcrypt.
1.3.37 (July 18 2024)
- Removed the 'machine_cert' setting in 'radiusd.conf' (this is not
necessary anymore and handled automatically).
- EAP-TLS does not need the username or hostname to be set in the client
configuration anymore.
- The setting 'ocsp_url' is not supported anymore (replaced by PKILogin).
> OCSP is not necesary with openotpPKILogin where revocation is check
by OpenOTP itself.
> EAP-TLS with OCSP only (not using OpenOTP) is not supported anymore.
- Fixed source IP Address not obtained by default from Calling-Station-Id.
- Updated freeradius dictionary files.
1.3.36 (July 10 2024)
- Upgraded FreeRadius to version 3.2.5 (including security fixes).
1.3.35 (June 13 2024)
- Added support for MAC address audit and restrictions with RADIUS NAC.
- Added support for NAC with Ethernet devices.
- EAP-TLS (ie. cert_support in radiusd.conf) is now enabled by default.
- Upgraded embedded OpenSSL to version 3.2.2 (including security fixes).
- Updated libopenotp to version 1.0.30.
1.3.34 (June 9 2024)
- Added support for OpenOTP NAC auto-badging in OpenOTP v2.2.17.
- RADIUS Bridge now listens on both IPv4 and IPv6 by default.
1.3.33 (February 22 2024)
- Upgraded OpenSSL to version 3.2.1.
- Default SSL ciphersuite is now set to HIGH:MEDIUM.
- Added support for RADIUS over TCP with TLS over standard listen ports.
1.3.32 (November 1 2023)
- Upgraded OpenSSL to version 3.0.12 (long-term 3.x).
1.3.31 (June 2023)
- Added support for PKI login with machine certificates.
- Upgraded OpenSSL to version 1.1.1w (including bug fixes).
1.3.30 (July 3 2023)
- Fixed a startup error when ca_cert is set in the config file.
- Updated libopenotp to version 1.0.28.
- Added a 'renew' launcher command to renew the SSL certificate and trust
bundle and reload the daemon.
> The renewal can be scheduled via a cron command.
1.3.29 (June 5 2023)
- Upgraded FreeRadius to version 3.2.3 (including bug fixes).
- Upgraded OpenSSL to version 1.1.1u (including bug fixes).
- Fixed issues when deprecated ocsp_url is configured in radiusd.conf.
1.3.28 (April 22 2023)
- Upgraded FreeRadius to version 3.2.2 (including bug fixes).
- Upgraded OpenSSL to version 1.1.1t (including bug fixes).
- Added support OpenOTP Cloud API keys.
- Added SELinux log context creation in the setup script.
1.3.27 (December 5 2022)
- Upgraded FreeRadius to version 3.2.1 (including bug fixes).
- Upgraded OpenSSL to version 1.1.1s (including bug fixes).
- Updated vendor dictionary database.
1.3.26 (May 10 2022)
- Upgraded FreeRadius to version 3.2.0 (including security fixes).
- Upgraded OpenSSL to version 1.1.1o (including security fixes).
1.3.25 (April 22 2022)
- Added support for EAP-TLS with UPNs (requires OpenOTP v2.1.1).
- Radiusd SSL certificate auto-renewal complies with WebADM v2.1.9.
1.3.24 (April 6 2022)
- Fixed EAP-TLS username not recognized with newer Windows versions.
- Upgraded embedded OpenSSL to version 1.1.1n (including bug fixes).
1.3.23 (January 24 2022)
- WebADM CA trust bundle is automatically trusted by Radiusd for EAP-TLS.
> The CA bundle is auto-updated in 'conf/trusted.crt' at startup.
> Requires WebADM v2.1.2.
- Upgraded embedded OpenSSL to version 1.1.1m (including bug fixes).
- Added 'auth_support' setting to allow disabling OpenOTP authentication and
work in EAP-TLS mode only (ie. PKI login).
1.3.22 (November 22 2021)
- EAP-TLS (certificate based login) now uses OpenOTP v2.0.3 PKILogin method
by default and not the usual OCSP login.
> Note: This update requires OpenOTP v2.0.3 for EAL-TLS PKI login to work!
> Simply comment 'ocsp_url' in 'conf/radiusd.conf' to use OpenOTP PKILogin.
> You can still revert to the previous behavior (ie. using OCSP service) by
enabling the 'ocsp_url' setting in 'conf/radiusd.conf'.
1.3.21 (November 8 2021)
- Upgraded FreeRadius to version 3.0.25 (stability fixes).
- Upgraded OpenSSL to version 1.1.1l (including security fixes).
- Upgraded OpenLDAP to version 2.6.0.
- Fixed stability issues with EAP-TLS (client certificates).
1.3.20 (September 17 2021)
- Fixed incorrect EAP max_sessions setting in lib/radiusd.ini.
- Added module optional rlm_ippool.so to the lib/modules folder.
- Now requires Linux with min glibc-2.17 and not glibc-2.12 anymore.
1.3.19 (August 25 2021)
- Upgraded OpenSSL to version 1.1.1l (including security fixes).
- Fixed crashes with talloc memory management when using EAP-TLS.
1.3.17 (July 5 2021)
- Multiple CA certificates can be concatenated in 'conf/ca.crt' for OSCP
client certificates' validation.
- When trusted certificates contain an OCSP endpoint URL, it is preferred
to the configured 'ocsp_url'.
> This allows using Windows machine certificates together with EAP-TLS.
- Fixed multiple EAP-TLS issues.
- Upgraded FreeRadius to version 3.0.23.
- Upgraded OpenSSL to version 1.1.1k (including security fixes).
- Upgraded OpenLDAP to version 2.5.5.
1.3.16 (March 18 2021)
- Fixed a un-necessary dependency on libpcre.
- Upgraded OpenSSL to version 1.1.1j (including security fixes).
- Upgraded OpenLDAP to version 2.4.57.
1.3.15
- Added support for EAP-PEAP-GTC (for NAC and 802.1x).
- Updated libopenotp to version 1.0.24.
1.3.14
- Added the 'cert_nopolicy' config to disable OpenOTP call with EAP-TLS.
This setting disable the enforcement of client policies in WebADM.
- Upgraded OpenSSL to version 1.1.1i (including security fixes).
- Upgraded OpenLDAP to version 2.4.56.
1.3.13
- Fixed client Id not defaulting to the NAS-IP-Address when NAS-Identifier
is not provided.
- Fixed a segfault with EAP-TLS and client certificate login.
- Upgraded OpenLDAP to version 2.4.50.
1.3.12
- Upgraded OpenLDAP to version 2.4.49.
- Added compatibility with RedHat 8 and CentOS 8.
- Added support for OpenOTP v1.5 and voice biometrics.
- Upgraded OpenSSL to version 1.1.1g (including security fixes).
- Upgraded FreeRadius to version 3.0.21.
1.3.11
- Added support for OpenOTP request with EAP-TLS (physical and Wifi NAC).
> RadiusBridge sends OpenOTP requests with client certificates generated
by WebADM in order to validate client policies and return reply attrs.
- Upgraded libopenotp to version 1.0.22 (stability).
1.3.10
- Fixed a crash occurring with more than 1024 simultaneous connections.
- Fixed a memory leak with EAP-TLS for NAC access (Wifi/Ethernet).
- Upgraded libopenotp to version 1.0.21 (stability).
- Upgraded OpenSSL to version 1.1.1d (including security fixes).
- Added a nodelay_usernames to prevent anti-bruteforce delay for load-tests.
- Added Docker start mode with '/opt/radiusd/bin/radiusd start docker'.
- Upgraded FreeRadius to version 3.0.19.
1.3.9
- Upgraded OpenSSL to version 1.1.1c (including security fixes).
- Added SSL certificate auto-renewal (requires WebADM v1.7.3-1).
1.3.8
- Upgraded FreeRadius to version 3.0.19.
- Added support for WebADM 1.7.2 fast OCSP service for EAP-TLS.
- Added support for OCSP logs in WebADM Web Services' SQL log.
1.3.7
- Fixed a SOAP timeout issue in libopenotp.
- Upgraded OpenSSL to version 1.0.2r (including security fixes).
- Upgraded FreeRadius to version 3.0.18.
- Radiusd 32 bit version is discontinued.
1.3.6
- Added support for OTP retries over RADIUS (requires OpenOTP v1.4.1).
- Upgraded OpenSSL to version 1.0.2p (including security fixes).
- Upgraded libopenotp to version 1.0.19 (challenge timeout optimizations).
- Added support for FIDO2 over RCDevs Vendor-Specific RADIUS attributes.
> Setting 'u2f_support' is replaced by "fido_support'.
- Added support for EAP-TLS for WIFI access with WebADM user certificates.
> You need to configure cert_support and ocsp_url in radiusd.conf for AP-TLS.
> If RadiusBridge refuses to start because it's missing the conf/ca.crt file,
then copy the WebADM CA certificate from the Admin menu in conf/ca.crt.
1.3.5
- Removed conf/dictionary and conf/radiusd.conf files.
> The FreeRadius config is located in an .ini file under the lib/ directory.
> conf/openotp.conf is renamed to conf/radiusd.conf for any future version.
> The conf/ directory now only contains radiusd.conf and clients.conf.
> You can adjust the listening interface/ports by creating conf/radiusd.env.
- Upgraded FreeRadius to version 3.0.17.
- nolock_usernames and similar settings now allow lists up to 256 usernames.
1.3.4
- Better support for Wifi access points.
- New setup wizard with server URL auto-configuration and SSL certificate signed
by WebADM CA (Rsignd).
- denied_usernames, nolock_usernames and cached_usernames support wildcard matching.
- Upgraded OpenSSL to version 1.0.2o (including security fixes).
- Upgraded OpenLDAP to version 2.4.46.
- Fixed a memory leak in the libopenotp with SSL connections.
1.3.3
- Upgraded Freeradius to version 3.0.16.
- Added support for Microsoft NPS with Terminal service gateways.
- Fixed error handling when OpenOTP reply data value-pairs cannot be parsed.
1.3.2
- Added TCP listener for RADIUS auth requests.
- Added support for Cisco ASA servers not supporting 30 seconds' timeouts.
- Added support for local LDAP password checks (AD / LDAP).
> This option is reversed for MSP partners (please contact RCDevs for details).
- Added support for PaloAlto client source IP address.
- Fixed config with source/context/client attributes in vendor-specific dictionaries.
- Updated OpenSSL to version 1.0.2m.
1.3.1
- Upgraded Freeradius to version 3.0.15 (including security fixes).
- Fixed server not willing to start with server_url1 & server_url2 configured.
- Upgraded OpenLDAP to version 2.4.45 and libopenotp to version 1.0.17
- Removed log "TLS section tls missing, trying to use legacy configuration".
1.3.0
- Moved from Freeradius 2.x branch to Freeradius 3.x.
> The previous radiusd.conf must be replaced by radiusd.conf.default.
- Fixed EAP security issue CVE-2017-9148.
- Updated OpenSSL to version 1.0.2l.
1.2.8-1
- All with xxx_attribute (ex. client_attribute or source_attribute) support an
optional list of values in the form "Attribute1,Attibute2,...".
- When client_attribute is not set, the attributes NAS-IIdentifier NAS-IP-Address
and NAS-IPv6-Address are tried in order.
- Removed the deprecated setting mode_attribute.
1.2.8
- Added Radius Bridge backup and restore scripts in the /opt/slapd/bin/.
> The scripts can be used to migrate your Radius Bridge to a new server.
- Added FreeRADIUS LDAP module to the modules directory (ie. rml_ldap).
- Added the 'denied_usernames' configuration to the openotp.conf file to deny
some user IDs without sending any OpenOTP request.
- Added 'cached_usernames' for optimizing system user polling using LDAP-only.
> Check openotp.conf.default for more information.
> This option requires OpenOTP v1.3.3-1 or greater.
- Upgraded libopenotp to version 1.0.15.
- Upgraded OpenSSL to version 1.0.2k (security fixes).
1.2.7
- Upgraded OpenSSL to version 1.0.2j and libopenotp to version 1.0.15.
- Added support for OpenOTP protocol version checking.
- Added U2F support over RADIUS with a RCDevs vendor-specific dictionary.
> Check the dictionary in /opt/radius/lib/dictionaries/dictionary.rcdevs
1.2.6
- Upgraded OpenSSL to version 1.0.2h and libopenotp to version 1.0.14-2.
- The default SOAP timeout is 30 secs to accommodate with the OpenOTP Simple-Push.
- Added support for OpenOTP RADIUS Reply Web services.
- Added support for OpenOTP v1.3 (older RB versions do not support OpenOTP v1.3).
1.2.5
- The client ID attribute can be configured if NAS-Identifier cannot be used.
- The source attribute defaults to 'Calling-Station-Id'. The value is ignored if
it is not an IP address.
- When configured, the context attribute is ignored if it contains an IP address.
- With two servers it is now possible to configure server_url1 & server_url2.
- Fixed thread crashes under very high server loads.
- Fixed systemd startup script.
1.2.4
- Removed the 'reply_is_vps' and 'reply_attribute' configurations.
> Use OpenOTP v1.2.2-1 to return OpenOTP Reply Attributes as RADIUS value-pairs.
> OpenOTP v1.2.2-1 includes a RADIUS attributes' editor in the user settings.
- Setting 'reply_vps' is renamed 'reply_attributes'.
- Upgraded OpenSSL to version 1.0.2f.
1.2.3
- Fixed issues with long passwords (containing more than 64 characters).
- Fixed a rare issue with libopenotp causing some requests to hang.
- Upgraded OpenSSL to version 1.0.2e and FreeRADIUS to version 2.2.9.
1.2.2
- When two OpenOTP servers are configured, the health of the servers is checked
at regular interval using TCP socket polling.
> A new configuration (status_cache) is used to specify the polling interval.
- Wifi access with OTP is now supported with EAP-GTC and EAP-TTLS/PAP.
Warning: Challenged OTP is not supported with Wifi access protocols.
- Added support for systemd startup with RedHat and CentOS 7.
- Updated libopenotp to version 1.0.11 (timeout enhancements and bug fixes).
1.2.1
- Added support for OpenOTP 1.2.1 with libopenotp 1.0.10.
- Added support for EAP-GTC and EAP-TTLS for wifi access over RADIUS.
> You need to re-run the bin/setup script and then replace conf/radiusd.conf
with conf/radiusd.conf.default in order to enable EAP.
- Upgraded to FreeRadius v2.2.7.
- Added a temp directory for PID file and temporary data.
- Added support for OpenOTP 1.2.1 contextual authentication mechanism.
> Read the documentation for the setting "context_attribute" for more details.
- PID file and temporary files are now stored in /opt/radiusd/temp/.
- Fixed SOAP timeout not working with SSL server URLs.
- Added support for '@' domain separator where the domain is on the right side.
With any other separator character, the domain part is on the left side.
- Listen on old RADIUS ports (auth 1645 and accounting 1646) for compatibility.
1.2.0
- Added support for OpenOTP 1.2 with FIDO U2F.
> FIDO is currently not supported for RADIUS.
- Added OTP routing policy when multiple servers are configured in server_url.
The allowed policies are 'ordered', 'balanced' and 'consistent'.
- When multiple servers are configured, the challenge responses are sent to the
server which was used in the access request by default.
- The bin/radtest tool supports challenged login requests.
- Updated OpenSSL library to 1.0.1k with vulnerability fixes CVE-2014-0160 and
CVE-2014-0224.
- Upgraded to FreeRadius v2.2.6.
- Fixed filtered value pairs (fetched from OpenOTP Reply Data) not parsed.
- Added support for Microsoft DirectAccess RADIUS Probe requests.
- Fixed a crash in libopenotp when multiple server URLs are set.
- Use NAS-IP-Address as Client ID when NAS-Identifier is not available.
- Added support for fetching domain names from AD User Principal Names.
1.1.1
- Fixed a parsing problem with OpenOTP reply-data and filtered value-pairs.
- Fixed a bug in libopenotp causing a socket read loop under heavy load when
WebADM server closes and restarts.
- Upgraded to FreeRadius v2.2.3 and OpenSSL v1.0.1f.
- Added a debugging start mode with 'bin/radiusd debug'.
- Added a failure response delay when OpenOTP SOAP service does not respond to
allow RADIUS failover at the client side. The delay can be configured with
the no_response_delay setting in conf/openotp.conf and is disabled by default.
- Concatenated password mode 3 now supports either LDAP-only or OTP-only login via
OpenOTP SimpleLogin method when the separator character is not found.
- Added a special concatenation mode for Yubikeys (username followed by OTP).
- Setting mode_attribute supports string and integer dictionary attributes.
- Setting source_attribute supports string and ipaddr dictionary attributes.
1.1.0
- Added support for OpenOTP v1.1.0.
This version does not work with OpenOTP v1.0.x.
- Added password_mode 0 (default) which lets OpenOTP automatically handle the
user passwords. This mode uses the new OpenOTP SimpleLogin API.
1.0.9
- Added support for location-based policies in WebADM v1.2.3 & OpenOTP v1.0.17.
- Added a 'source_attribute' setting allowing the RADIUS clients to provide
the source IP address of the end user.
- Added a 'mode_attribute' setting allowing the RADIUS clients to provide
the password mode in a RADIUS attribute of the Access request.
- Added RADIUS attribute encoding checks for username, password and state.
- Added no_success_message and no_failure_message to disable reply messages
in the success and failure responses with some broken RADIUS clients.
- If not configured, domain separator is now disabled (no separator).
- Upgraded to FreeRADIUS v2.2.0 and OpenSSL v1.0.1c.
- Added RADIUS accounting support on port 1813.
A new log file is created for accounting information (accounting.log).
> Please replace your radiusd.conf file with the radiusd.conf.new file.
- Added RADIUS server status support on port 18120.
- Fixed client filter separator '.' not working with the filtered value_is_vps.
- Removed user password traces from access log.
1.0.7
- Fixed a bug with the domain_separator setting.
- Fixed a bug with data_is_vps setting.
- Added the possibility to get a list of RADIUS attributes and values
in the OpenOTP Reply Data.
- Added the possibility to set a list of static RADIUS attributes to be
sent back to the RADIUS clients in the Access-Accept packets.
- Fixed a bug with RADIUS requests containing OpenOTP settings.
- Added support for concatenated password with variable OTP length.
You can now specify a password separator instead of a fixed OTP length.
- Updated FreeRadius to version 2.1.10.
1.0.6
- Added support for OpenOTP 1.0.11-1.
- Fixed otp_length max limitation problem.
- Added data_separator setting to allow returning multiple Reply Data.
1.0.5
- Radius Bridge 1.0.5 is required for use with OpenOTP 1.0.9.
- Uses libopenotp version 1.0.2.
- Updated documentation files (INSTALL and README).
- Updated default configurations.
- Corrected radtest script.
1.0.4
- Added soap_timeout setting.
- Added data_attribute setting.
- Added settings_attribute setting.
- Added password mode 4 for concatenated passwords with OTP first.
- Updated all libraries and components to the latest versions.
1.0.3
- Updated rlm_openotp to version 1.0.3. New version has several bug fixes.
1.0.2
- Added password_mode and otp_length settings, which allow sending only the OTP
password or the LDAP+OTP passwords concatenated.
See the updated radiusd.conf for details.
1.0.1
- Fixed a bug when the RADIUS client sends a NAS-Identifier attribute.
1.0.0
First official release.