Freeradius server 3.2.3 released
The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4, and VMPS. It is available under the terms of the GNU GPLv2. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.
FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dial-up, PPPoE, VPN’s, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Apache Cassandra, Redis, OpenLDAP, and many more. It is used daily to authenticate Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users.
Changelog v3.2.3
Configuration changes
- The
rlm_ldap
andrlm_sql
modules now have amax_retries
configuration item in the pool section. This sets a limit on how many times an operation will be retried if it fails indicating a connection issue. - Added
check_crl
configuration torlm_ldap
. This only works with OpenSSL. Many Linux distributions use other TLS libraries, which won’t work. - Note that
rlm_ldap
does not support-=
operators. The documentation disagreed with the code, so we fixed the documentation. - If
checkrad
is called from SQL Simultaneous-Use checks it will now be passedNAS-Port-Id
(as stored in the database), rather thanNAS-Port
.
Feature improvements
- Add
max_retries
for connection pools. Fixes #4908. Patch from Nick Porter. - Update
dictionary.ciena
,dictionary.huawei
,dictionary.wifialliance
anddictionary.wispr
; adddictionary.eleven
. - You can now list
eap
in thepre-proxy
section. If the packet contains a malformed EAP message, then the request will be rejected. The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios. - Show warnings if libldap is not using OpenSSL.
- Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing
--with-radiusv11
to the configure script. For now, this is for testing interoperability. - Add extra sanity checks for malformed EAP attributes.
- More TLS debugging output
- Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with
rlm_files
. Patch from Nick Porter. rlm_cache_redis
is now included in thefreeradius-redis
packages.- Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was built depending on the system default which led to confusion. We now build both
freeradius-python2
andfreeradius-python3
packages where possible.
Bug fixes
- Don’t leak MD contexts with OpenSSL 3.0.
- Increase internal buffer size for TLS connections, which can help with high-load proxies.
- Send
Status-Server
checks for TLS connections - Give descriptive error if “update CoA” is used with “fake” packets, as it won’t work. i.e. inner-tunnel and virtual home servers.
- Many small ASAN / LSAN fixes from Jorge Pereira.
- Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection.
- Fix mutex locking issues on inbound RADIUS/TLS connections. This change avoids random issues with “bad record mac”.
- Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950
- Correctly report the LDAP group a user was found in. Fixes #3084. Patch from Nick Porter.
- Force correct packet type when running
Post-Auth-Type
. Helps with #4980 - Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996
- Fix TCP socket statistics. Closes #4990
- Use
NAS-Port-Id
instead ofNAS-Port
during SQL simultaneous-use checks. Helps with #5010
Install
git clone https://github.com/FreeRADIUS/freeradius-server.git
./configure
make
make install
Configuring the server
- Start off with the default configuration files.
- Save a copy of the default configuration: It WORKS. Don’t change it!
- Verify that the server starts – in debugging mode (
radiusd -X
). - Send it test packets using “radclient”, or a NAS or AP.
- Verify that the server does what you expect
- If it does not work, change the configuration, and go to step (3)
- If you’re stuck, revert to using the “last working” configuration.
- If it works, proceed to step (6).
- Save a copy of the working configuration, along with a note of what you changed, and why.
- Make a SMALL change to the configuration.
- Repeat from step (3).
Tutorial
Copyright (C) 1999-2018 The FreeRADIUS Server Project
Source: https://github.com/FreeRADIUS/