Freeradius server 3.2.3 released
The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4, and VMPS. It is available under the terms of the GNU GPLv2. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.
FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dial-up, PPPoE, VPN’s, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Apache Cassandra, Redis, OpenLDAP, and many more. It is used daily to authenticate Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users.
rlm_sqlmodules now have a
max_retriesconfiguration item in the pool section. This sets a limit on how many times an operation will be retried if it fails indicating a connection issue.
rlm_ldap. This only works with OpenSSL. Many Linux distributions use other TLS libraries, which won’t work.
- Note that
rlm_ldapdoes not support
-=operators. The documentation disagreed with the code, so we fixed the documentation.
checkradis called from SQL Simultaneous-Use checks it will now be passed
NAS-Port-Id(as stored in the database), rather than
max_retriesfor connection pools. Fixes #4908. Patch from Nick Porter.
- You can now list
pre-proxysection. If the packet contains a malformed EAP message, then the request will be rejected. The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios.
- Show warnings if libldap is not using OpenSSL.
- Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing
--with-radiusv11to the configure script. For now, this is for testing interoperability.
- Add extra sanity checks for malformed EAP attributes.
- More TLS debugging output
- Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with
rlm_files. Patch from Nick Porter.
rlm_cache_redisis now included in the
- Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was built depending on the system default which led to confusion. We now build both
freeradius-python3packages where possible.
- Don’t leak MD contexts with OpenSSL 3.0.
- Increase internal buffer size for TLS connections, which can help with high-load proxies.
Status-Serverchecks for TLS connections
- Give descriptive error if “update CoA” is used with “fake” packets, as it won’t work. i.e. inner-tunnel and virtual home servers.
- Many small ASAN / LSAN fixes from Jorge Pereira.
- Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection.
- Fix mutex locking issues on inbound RADIUS/TLS connections. This change avoids random issues with “bad record mac”.
- Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950
- Correctly report the LDAP group a user was found in. Fixes #3084. Patch from Nick Porter.
- Force correct packet type when running
Post-Auth-Type. Helps with #4980
- Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996
- Fix TCP socket statistics. Closes #4990
NAS-Portduring SQL simultaneous-use checks. Helps with #5010
git clone https://github.com/FreeRADIUS/freeradius-server.git
Configuring the server
- Start off with the default configuration files.
- Save a copy of the default configuration: It WORKS. Don’t change it!
- Verify that the server starts – in debugging mode (
- Send it test packets using “radclient”, or a NAS or AP.
- Verify that the server does what you expect
- If it does not work, change the configuration, and go to step (3)
- If you’re stuck, revert to using the “last working” configuration.
- If it works, proceed to step (6).
- Save a copy of the working configuration, along with a note of what you changed, and why.
- Make a SMALL change to the configuration.
- Repeat from step (3).
Copyright (C) 1999-2018 The FreeRADIUS Server Project