Freeradius server 3.0.20 released
The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4, and VMPS. It is available under the terms of the GNU GPLv2. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.
FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dial-up, PPPoE, VPN’s, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Apache Cassandra, Redis, OpenLDAP, and many more. It is used daily to authenticate Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users.
Changelog v3.0.20
Feature improvements
- Add Jenkins continuous integration. Fixes #2620. Used to build http://packages.networkradius.com/
- Added Force10 dictionary.
- Update dictionary.hp with new attributes. #2690
- Update dictionary.aruba with new attributes. #2696
- Update logrotate settings to rotate as non-root user. #2666
- Fix side-channel leak in EAP-PWD. Patch from Mathy Vanhoef.
- Relax OpenSSL version checks, now that their API is both public, and stable.
- Note that tls_min_version/tls_max_version also support “1.3”. Since there is no standard yet for EAP with TLS 1.3, it will not work.
- Added tripplite dictionary from #2760.
- Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout.
- Added new LDAP option ‘allow_dangling_group_ref’.
- Updated documentation and functionality for EAP session caching. See “cache” section of mods-available/eap.
- Tighten systemd unit file security. Fixes #2637.
- Disable TLS 1.0 and TLS 1.1 support in the default configuration. We STRONGLY recommend doing this for all installations.
- Add expansions for outgoing Radsec connections. “%{proxy_listen:TLS-…}” for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839.
- Add %{listen:tls} which returns “yes” or “no” for TLS or non-TLS connections.
- Update dictionary.lancom with new attributes. #2847
- Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental.
- Added more documentation in sites-available/robust-proxy-accounting
- sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts. Patch from Terry Burton.
- Add support to radmin keep the history in ~/.radmin_history
- Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf.
- Update dictionary.aptilo. #3002
- Update dictionary.airespace. #3039
- Add sites-available/coa-relay, which makes CoA easier. Patch from Terry Burton. #3045.
- Add example stored procedure for IP Pools in MySQL. See mods-config/sql/ippool/mysql/procedure.sql Patch from Terry Burton. #3048.
- Update dictionary.dhcp dictionary with the recent hardware types.
- Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only.
- Add Dockerfiles for Debian10 and CentOS8.
- Add RPM spec file compatibility for RHEL/CentOS 8.
- Notes on iOS 13 certificate issues. See https://support.apple.com/en-us/HT210176.
- Notes on certificate constraints. See raddb/certs/server.cnf.
- Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
Bug fixes
- Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627.
- ERX-Acct-Request-Reason is “integer”. Closes #2635.
- Fix a slow memory leak in the file management code.
- Try to fix file permissions if they get modified while the server is running.
- Fix slow memory leak with clients.
- Fix request and connection timeouts in rlm_rest.
- Fix systemd issues. Patches from Daniele Rondina.
- Fixes from clang analyzer.
- Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn,audiocodes,avaya,bristol, columbia_university,freedhcp,garderos,infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
- Fix internal sanity check when running with “-Xx”
- Allow “inner-tunnel” virtual servers to work better with “accept” and “reject” policies.
- Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. Fixes #2803
- Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817.
- Fix rlm_cache to complain on unknown attributes in the “update” section of its configuration.
- Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828.
- Add support to Oracle 19 and 18. Via #2857
- Add support for decoding tags in rlm_rest. Fixes #2848.
- Use correct passwords when updating CRLs in raddb/certs/
- Properly separate “originate-coa” packets when accounting packets are read from the detail file reader.
- Use the correct virtual server for pre/post-proxy.
- radsqlrelay fixes backported from “master” branch. Patches from Terry Burton.
- Fix DoS issues due to multithreaded BN_CTX access. Patch from Mathy Vanhoef. CVE-2019-17185
Install
git clone https://github.com/FreeRADIUS/freeradius-server.git
./configure
make
make install
Configuring the server
- Start off with the default configuration files.
- Save a copy of the default configuration: It WORKS. Don’t change it!
- Verify that the server starts – in debugging mode (
radiusd -X). - Send it test packets using “radclient”, or a NAS or AP.
- Verify that the server does what you expect
- If it does not work, change the configuration, and go to step (3)
- If you’re stuck, revert to using the “last working” configuration.
- If it works, proceed to step (6).
- Save a copy of the working configuration, along with a note of what you changed, and why.
- Make a SMALL change to the configuration.
- Repeat from step (3).
Copyright (C) 1999-2018 The FreeRADIUS Server Project
Source: https://github.com/FreeRADIUS/
