Freeradius server 3.26 released
The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4, and VMPS. It is available under the terms of the GNU GPLv2. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.
FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dial-up, PPPoE, VPN’s, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Apache Cassandra, Redis, OpenLDAP, and many more. It is used daily to authenticate Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users.
Changelog v3.26
Feature improvements
- Add support for OpenSSL3
- Add
dictionary.mellanox,dictionary.netelastic,dictionary.ciena,dictionary.nile - Update
dictionary.aruba,dictionary.roaringpenguin - Removed haproxy support. It’s new and experimental, and belongs in the v3.2 release, where it will be fully supported.
- Support PEAP and TTLS with TLS 1.3. This has been tested with wpa_supplicant and Windows 11.
- Add
%{concat:foo[*] ;}, which concatenates a set of attributes, separated by a character. - Added sample configuration for using Google LDAP. See sites-available/google-ldap-auth, and mods-available/google_ldap, and mods-available/cache_auth.
- Add Dockerfiles for Rocky8.
- Add
raduatscript to thefreeradius-utilspackage. - Add Debian
freeradius-freetdspackage. - Add client short name to “dropping packet” message,
- Update MS-SQL queries to avoid using column which was deleted years ago.
- Add configure-time FIPS workaround to use internal MD4/MD5 implementations when disabled in OpenSSL.
Bug fixes
- Ensure PBKDF2 always uses at least one iteration
- Actually use the certificate in “realm_dir” hinted at by SNI.
- Removed the use of “locate” during the “configure” phase. Fixes #4318
- Fix for showing incomplete home server list after deleting a home server via radmin.
- Call
closedir()when reading certificates from a directory. Found by Antonio Torres. Fixes #4378. - If we read more than 16K of data in RadSec, then read it all. Fixes #4388, patch from Aren Sandersen.
- Fix information leak in
compute_password_element()function of EAP-PWD. Found by Mohamed Sabt. - Fix crash in EAP-SIM when unknown attributes are sent.
- Update linelog, etc. to allow the use of
/dev/stdout - Fix crash in race condition when 500+ sockets are open.
- Remove sample “cache_eap” module. It does not work, and offers no benefit.
- Fix crash in RadSec with expired server certificate. #4447.
- PEAP now correctly runs Post-Auth-Type Accept.
- Build fixes for OS X
- Minor updates and fixes to CI, Dockerfiles and packaging.
Install
git clone https://github.com/FreeRADIUS/freeradius-server.git
./configure
make
make install
Configuring the server
- Start off with the default configuration files.
- Save a copy of the default configuration: It WORKS. Don’t change it!
- Verify that the server starts – in debugging mode (
radiusd -X). - Send it test packets using “radclient”, or a NAS or AP.
- Verify that the server does what you expect
- If it does not work, change the configuration, and go to step (3)
- If you’re stuck, revert to using the “last working” configuration.
- If it works, proceed to step (6).
- Save a copy of the working configuration, along with a note of what you changed, and why.
- Make a SMALL change to the configuration.
- Repeat from step (3).
Tutorial
Copyright (C) 1999-2018 The FreeRADIUS Server Project
Source: https://github.com/FreeRADIUS/
