Release Notes
=========================================================================
Interlink Networks Software Version 7.5.0 Release Notes
=========================================================================
[C] 2005-2011 Interlink Networks, LLC. All Rights Reserved.

Interlink Networks, LLC.
2531 Jackson Road Suite 306
Ann Arbor, MI 48103-3818
734-821-1200 (tel), 734-821-1235 (fax)
www.interlinknetworks.com
-------------------------------------

NEW FEATURES in 7.5.0:
----------------------
1. Added a configuration parameter to reduce the tunnel MTU to accommodate
   EAP TLS inside EAP PEAP [12325].

       security.paths {
           Tunneled-EAP-MTU Reduction 100
       }

   The value is the number of bytes by which to reduce the Framed-MTU AVP
   value inside the tunnel. The default value is 0, i.e. no reduction of
   the MTU. The value must be numeric, with 0 <= value <= 512. A reduced
   value is needed for EAP-PEAP/EAP-TLS to leave room for any reply
   attributes that need to be sent along with the tunneled-EAP
   conversation. A minimum value of about 100 appears to be required.

2. Added ECC (elliptic curve cryptography) cipher suites to the server.
   This adds the Microsoft CNG cipher suites [12327].

   Added an SSL debug level configuration parameter:

       security.paths {
           SSL-Debug-Level 2
       }

   The value is the minimum debug level at which SSL debug output is
   produced. A value of 0 disables SSL debug output.

3. Added an option to the clients file (no_append) that is useful when a
   remote server does not return all of the A-V pairs that it received in
   the order they were received. If it is not set, the server will append
   all the A-V pairs received from a remote server to the new A-V pairs
   sent in the response message.

4. Added an las.conf configuration option (Session-Collision-Checking)
   which, when set to No, allows you to disable the server's current
   collision checking behavior. This disables the check to see if a
   newly-received authentication request comes from the same NAS (as
   identified by the NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address
   attribute) and port (as identified by the NAS-Port attribute) as an
   existing active session.

CHANGES in 7.5.0:
-----------------
1. Upgraded to OpenSSL version 0.9.8l [12326].

2. Changes to dictionary [12315]:
   - Added ASCEND extensions to basic attributes (NOT vendor specific).
   - Added some more Ascend extensions to Framed-Protocol values.
   - Added some ASCEND extensions to Framed-Routing values.
   - Added some more Bay Networks vendor specific extensions.
   - Added some more APTIS vendor specific extensions.
   - Added a comment about the Aptis unique four-octet field attributes.
   - Added Packeteer vendor specific extensions.
   - Added WISPr - Wi-Fi Alliance vendor specific extensions.

3. Changes to vendors [12315]:
   - Changed the Airespace vendor ID from 6139 to 14179.
   - Defined vendor IDs for Packeteer and WISPr (Wi-Fi Alliance).

4. Added a logfile (N) message if a scoped aaa.config parameter or block
   is ignored. Previously the parameter or block would be silently
   ignored.

5. Changed the delimiter for scoped configuration blocks from [ ] to
   << >>.

FIXES in 7.5.0:
---------------
1. Fixed a number of issues in sesstab.
   a) The -a and -i selection switches did not work correctly.
   b) The reporting under -f (full report) was erroneous when displaying
      selected records (-i/-a/-p/-n).
   c) Switches are no longer allowed following the file name.
   d) Changed sesstab to exit with return code -1, rather than 1, when
      doing an error exit.
   e) Changed sesstab to not go into an infinite loop if a selection
      criterion parameter is repeated, e.g. "-p 2000 -p 2001".
   f) Changed sesstab to display, in the help, the correct default values
      for the "-d" and "-dd" parameters.
   g) In some cases, suppress the display of an IP address of 0.0.0.0.
   h) Exit gracefully when encountering an unsupported session.las format
      version.

2. Fixed Server Manager support for Java 6u12 and later by converting
   isValid() methods to isComplete() methods so that they are not invoked
   before everything is initialized [12333].

3. Fixed an issue with the policy cache handling [12334].

4. Fixed the FSMs to recognize expired password events [12335].

5. Changed to not log an LDAP Connect Result = 0 as an error.

6. A timeout is now logged in radius.debug but not in the logfile, and it
   does not count as a retry.

7. Fixed the TIMEOUT AATV to prevent a possible server abort when the
   pointer to the next event was not saved before the current event was
   handled.

8. No longer abort and dump core by default during A-V pair checking.

REMOVED FEATURES in 7.5.0
-------------------------

KNOWN ISSUES in 7.5.0:
----------------------
1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.

2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd
      will never connect to the master agent, even after the master agent
      is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent
      is stopped and restarted, the connection to radiusd is not reported
      as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently
      control the attempt to reconnect.

4. The User-Name AVP in an Accounting-On request is not required and has
   no particular meaning, since the Accounting-On applies to the entire
   NAS and not to a particular session or user. Currently the
   Accounting-On processing only clears sessions from the session table
   if the specified realm is configured in las.conf. The realm comes from
   the User-Name, or is the NULL realm if there is no User-Name AVP. It is
   possible that an administrator wants to do session tracking for some
   realms but not the NULL realm, which would prevent the Accounting-On
   from doing the session clears that are needed [12303].

=========================================================================
NEW FEATURES in 7.4.1:
----------------------

CHANGES in 7.4.1:
-----------------

FIXES in 7.4.1:
---------------
1. Fixed an issue with parsing CR/LF terminated lines in the FSM table
   [12311].

2. Fixed an issue where sending a radcheck retransmission from a client
   not in the clients file would crash the server [12314].

REMOVED FEATURES in 7.4.1
-------------------------

KNOWN ISSUES in 7.4.1:
----------------------
1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.

2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd
      will never connect to the master agent, even after the master agent
      is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent
      is stopped and restarted, the connection to radiusd is not reported
      as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently
      control the attempt to reconnect.

4. The User-Name AVP in an Accounting-On request is not required and has
   no particular meaning, since the Accounting-On applies to the entire
   NAS and not to a particular session or user. Currently the
   Accounting-On processing only clears sessions from the session table
   if the specified realm is configured in las.conf. The realm comes from
   the User-Name, or is the NULL realm if there is no User-Name AVP. It is
   possible that an administrator wants to do session tracking for some
   realms but not the NULL realm, which would prevent the Accounting-On
   from doing the session clears that are needed [12303].

=========================================================================
NEW FEATURES in 7.4.0:
----------------------
1. Support for the EAP-AKA protocol (RFC 4187) was added [12271].

2. The installation process now creates a startup script for radiusd. The
   script can be used when you do not wish to start the server from the
   Server Manager [10023].

3. There is a new configuration parameter, Request-Attribute-For-Search,
   for ProLDAP configurations. Support for this parameter has been added
   to the RADIUS server and Server Manager [12284].

4. Laurel Networks has been added to the vendors file and their defined
   RADIUS VSAs have been added to the dictionary. The Server Manager can
   be used to define Laurel Networks NASes [12286].

5. Significant performance improvements have been made in the area of
   retransmission detection and response. Also improved the handling of
   EAP continuation packets [12304,12305,12306].

CHANGES in 7.4.0:
-----------------
1. When the server parses the parameters in the aaa.config file, it now
   consistently applies the following rules [10637]:
   - check the value against the low and high limits correctly
   - report errors as alerts
   - log changes with old and new values
   - all log messages refer to the file and line number
   - if the parameter value is "" or '' then use the correct server
     default value

2. The default options in SDK compiles were different than in server
   compiles. The SDK now compiles customer plug-ins with '-g' so they
   will have symbols for core dump analysis. Added the default options
   '-Wall -Wstrict-prototypes' to enable all C/C++ compile warnings, as
   is done by the server compile. Added the default option '-O2' to set
   the same optimization level as the server compile [12274].

3. The RADIUS server has always performed various RFC conformance tests
   on received requests from clients configured with type=NAS and
   silently discarded the request if any errors were found.
   Access-Requests with no User-Name attribute were being discarded as
   specified in RFC 2138. RFC 2865 has relaxed the requirement to allow
   processing of an Access-Request with no User-Name attribute. This
   change has been made [12287].

4. The append attributes option on the Server Manager proxy configuration
   screen is no longer relevant as of version 7.2.0. The option has now
   been removed from the Server Manager screen. The proxy append flag in
   the clients file is ignored and the server always appends the
   attributes following the Proxy-State in the proxy response to the
   access response [12295].

5. Many of the server's AATVs return the AAA_EV_ERROR event knowing that
   the FSM does not handle this event, so it will output a "No next
   state..." message and drop the request. All of the server's AATVs now
   adequately log the error before returning AAA_EV_ERROR, and the
   built-in FSM handles the AAA_EV_ERROR event by simply going to the
   Hold state with no additional logging [12296].
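The parameter rules listed in item 1 above can be seen in action on the two 7.5.0 security.paths parameters. The Python below is an example written for these notes, not Interlink Networks code. The 0..512 range and default of 0 for the MTU reduction follow the 7.5.0 notes; the block syntax, the '#' comment character, the upper limit used for SSL-Debug-Level and the single-token spelling Tunneled-EAP-MTU-Reduction are assumptions made for the example.

```python
"""Parameter validation following the five rules in CHANGES in 7.4.0, item 1.

Example written for these release notes; not Interlink Networks code.
Assumed: block syntax as printed in the notes, '#' comments, the spelling
Tunneled-EAP-MTU-Reduction as one token, and the SSL-Debug-Level ceiling.
"""
import re
from dataclasses import dataclass, field

# Assumed parameter table: name -> (server default, low limit, high limit).
PARAMS = {
    "Tunneled-EAP-MTU-Reduction": (0, 0, 512),  # default 0, 0..512 per 7.5.0 notes
    "SSL-Debug-Level": (0, 0, 99),              # 0 disables; ceiling assumed
}

# A parameter line: a name, then one value which may be "" or '' quoted.
LINE_RE = re.compile(r"""^\s*([A-Za-z][\w-]*)\s+("[^"]*"|'[^']*'|\S+)\s*$""")


@dataclass
class ParseResult:
    values: dict = field(default_factory=dict)  # effective parameter values
    log: list = field(default_factory=list)     # messages, each with file:line


def parse_config(text: str, filename: str = "aaa.config") -> ParseResult:
    """Apply the 7.4.0 rules to every parameter line of `text`.

    Every message names the file and line; limit violations and bad values
    are ALERTs that leave the previous value in place; an empty value means
    the server default; accepted changes are logged with old and new values.
    """
    result = ParseResult(values={name: spec[0] for name, spec in PARAMS.items()})
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        # Skip blank lines and the block open/close lines.
        if not line or line == "}" or line.endswith("{"):
            continue
        m = LINE_RE.match(line)
        if not m:
            result.log.append(f"ALERT {filename}:{lineno}: cannot parse '{line}'")
            continue
        name, value = m.group(1), m.group(2)
        if name not in PARAMS:
            continue  # parameters not modelled here are passed over
        default, low, high = PARAMS[name]
        old = result.values[name]
        if value in ('""', "''"):
            new = default  # rule: "" or '' selects the server default
        else:
            try:
                new = int(value.strip("\"'"))
            except ValueError:
                result.log.append(
                    f"ALERT {filename}:{lineno}: {name} value {value} is not numeric; keeping {old}")
                continue
            if not low <= new <= high:  # rule: inclusive low/high limit check
                result.log.append(
                    f"ALERT {filename}:{lineno}: {name} value {new} outside {low}..{high}; keeping {old}")
                continue
        if new != old:  # rule: log changes with old and new values
            result.log.append(f"INFO {filename}:{lineno}: {name} changed from {old} to {new}")
            result.values[name] = new
    return result


# Constructed aaa.config fragment that exercises each rule once.
SAMPLE = """\
security.paths {
    SSL-Debug-Level 2
    Tunneled-EAP-MTU-Reduction 100
    Tunneled-EAP-MTU-Reduction 600   # above the 512 ceiling: rejected
    SSL-Debug-Level two              # not numeric: rejected
    SSL-Debug-Level ""               # empty: back to the server default
}
"""

if __name__ == "__main__":
    parsed = parse_config(SAMPLE)
    print("\n".join(parsed.log))
    print(parsed.values)
```

Running it on the constructed fragment leaves Tunneled-EAP-MTU-Reduction at 100 and SSL-Debug-Level back at 0, with two ALERT lines (the 600 and the non-numeric value) that name the file and line and state which value was kept.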
FIXES in 7.4.0:
---------------
1. Fixed an issue with RADIUS connections to LDAP over SSL on the same
   machine. This could cause the radiusd process to hang if the LDAP
   server does not respond beyond accepting the TCP connection [12256].

2. Updated the Java used by the Server Manager so the time reported will
   not be off by one hour for those timezones for which the start date
   for daylight savings time has changed [12282].

3. Fixed an issue with the tomcat configuration files by defining a
   missing security role. The missing security role caused a warning
   message in the localhost_log file [12290].

4. Fixed an issue in the Server Manager where it would accept wild carded
   proxy entries with a realm to forward or forwarding ports configured.
   The server can not proxy to a server defined as a wild card: it has no
   way to know which one of the wild carded IP addresses to send to. Since
   the server can not really proxy to the wild carded proxy entry, the
   realm and both ports should not have been allowed [12293].

5. Fixed an issue where, when deleting a local realm configured for local
   storage, the screen incorrectly allowed the filter-type, realm file and
   default users file buttons to function. The screen also incorrectly
   allowed the realm file name to be changed [12298].

6. The iaaaUsers AATV functionality was inadvertently changed in version
   7.3.0. It incorrectly changed the search string to all caps if there is
   a CIS auth entry associated with the authreq. The change in behavior is
   only encountered with a custom plug-in [12299].

7. Fixed an issue in the Server Manager where changing a realm from EAP
   authentication to Password authentication using the Server Manager
   leaves the -EAP flag set. The result is that the realm is not found
   for password authentication and authentication fails [12227,12302].

REMOVED FEATURES in 7.4.0
-------------------------
1. Support for the Cisco EAP-LEAP protocol has been removed [12301].

2. Support for the Cisco TACACS authentication protocol has been removed
   [12283].

KNOWN ISSUES in 7.4.0:
----------------------
1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.

2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd
      will never connect to the master agent, even after the master agent
      is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent
      is stopped and restarted, the connection to radiusd is not reported
      as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently
      control the attempt to reconnect.

4. The User-Name AVP in an Accounting-On request is not required and has
   no particular meaning, since the Accounting-On applies to the entire
   NAS and not to a particular session or user. Currently the
   Accounting-On processing only clears sessions from the session table
   if the specified realm is configured in las.conf. The realm comes from
   the User-Name, or is the NULL realm if there is no User-Name AVP. It is
   possible that an administrator wants to do session tracking for some
   realms but not the NULL realm, which would prevent the Accounting-On
   from doing the session clears that are needed [12303].
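The session-table behaviour in known issue 4 above, the Session-Collision-Checking option from the 7.5.0 notes, and the LAS session-management rules from CHANGES in 7.1.1 (Stop sessions ignored for collisions; Start only moves Init or No-Confirm to Authorized; Interim-Update only revives Suspended) all act on the same table, so one model covers them. The Python below is an example written for these notes, not Interlink Networks code. The state names follow the 7.1.1 notes; the field names, the derivation of the realm from the text after '@' in User-Name, and the empty-string value used for the NULL realm are assumptions made for the example.

```python
"""LAS session-table model: example written for these release notes, not
Interlink Networks code. State names follow CHANGES in 7.1.1; field names, the
realm derivation from User-Name and the NULL-realm value are assumptions."""
from dataclasses import dataclass
from typing import Optional

NAS_ID_ATTRS = ("NAS-Identifier", "NAS-IP-Address", "NAS-IPv6-Address")
NULL_REALM = ""  # assumed representation of the NULL realm


@dataclass
class Session:
    nas_id: str
    nas_port: int
    user_name: str
    state: str = "Init"  # Init, No-Confirm, Authorized, Suspended, Stop


def realm_of(user_name: Optional[str]) -> str:
    """Realm is the text after the last '@'; no User-Name means the NULL realm."""
    if user_name and "@" in user_name:
        return user_name.rsplit("@", 1)[1]
    return NULL_REALM


def nas_key(request: dict) -> Optional[str]:
    """NAS identity from the first identifying attribute present in the request."""
    for attr in NAS_ID_ATTRS:
        if attr in request:
            return str(request[attr])
    return None


class SessionTable:
    def __init__(self, tracked_realms, collision_checking: bool = True):
        self.sessions: list = []
        self.tracked_realms = set(tracked_realms)    # realms configured in las.conf
        self.collision_checking = collision_checking  # Session-Collision-Checking

    def find_collision(self, request: dict) -> Optional[Session]:
        """Active session on the same NAS and NAS-Port. Stop sessions are ignored
        (7.1.1); nothing is checked when Session-Collision-Checking is No."""
        if not self.collision_checking:
            return None
        key, port = nas_key(request), request.get("NAS-Port")
        if key is None or port is None:
            return None
        for s in self.sessions:
            if s.nas_id == key and s.nas_port == port and s.state != "Stop":
                return s
        return None

    def accounting_start(self, s: Session) -> None:
        if s.state in ("Init", "No-Confirm"):  # only these move to Authorized
            s.state = "Authorized"

    def interim_update(self, s: Session) -> None:
        if s.state == "Suspended":  # only a Suspended session is revived
            s.state = "Authorized"

    def accounting_stop(self, s: Session) -> None:
        s.state = "Stop"

    def accounting_on(self, request: dict) -> int:
        """Clear the NAS's sessions, but only when the realm taken from
        User-Name (NULL realm if absent) is tracked, as in issue [12303]."""
        if realm_of(request.get("User-Name")) not in self.tracked_realms:
            return 0
        key = nas_key(request)
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if s.nas_id != key]
        return before - len(self.sessions)


def demo() -> dict:
    """Constructed walk-through; returns the observations for checking."""
    table = SessionTable(tracked_realms={"example.edu"})  # NULL realm not tracked
    active = Session("nas1", 7, "alice@example.edu")
    table.sessions.append(active)
    table.accounting_start(active)  # Init -> Authorized
    req = {"NAS-Identifier": "nas1", "NAS-Port": 7, "User-Name": "bob@example.edu"}
    out = {"collides_while_active": table.find_collision(req) is active}
    table.accounting_stop(active)  # a stopped session no longer collides ...
    out["collides_after_stop"] = table.find_collision(req) is not None
    table.accounting_start(active)  # ... and a delayed Start does not revive it,
    out["state_after_late_start"] = active.state
    table.interim_update(active)  # nor does a delayed Interim-Update
    out["state_after_late_interim"] = active.state
    off = SessionTable(tracked_realms={"example.edu"}, collision_checking=False)
    off.sessions.append(Session("nas1", 7, "carol@example.edu", state="Authorized"))
    out["collides_with_checking_off"] = off.find_collision(req) is not None
    # Accounting-On without User-Name maps to the untracked NULL realm, so
    # nothing is cleared; with a tracked realm the whole NAS is cleared.
    table.sessions.append(Session("nas1", 9, "dave@example.edu", state="Authorized"))
    out["cleared_without_username"] = table.accounting_on({"NAS-Identifier": "nas1"})
    out["cleared_with_tracked_realm"] = table.accounting_on(
        {"NAS-Identifier": "nas1", "User-Name": "x@example.edu"})
    return out
```

demo() returns the observations as a dictionary; the two accounting_on results reproduce issue [12303] directly: with the NULL realm left out of las.conf, an Accounting-On that carries no User-Name clears nothing, while the same request with a tracked realm clears every session for that NAS.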
========================================================================= NEW FEATURES in 7.3.1: ---------------------- CHANGES in 7.3.1: ----------------- FIXES in 7.3.1: ----------------- 1. Fixed an issue with RADIUS connections to LDAP over SSL on the same machine. This could cause the radiusd process to hang if the LDAP server does not respond beyond accepting the TCP connection [12256]. 2. Fixed an issue with the LAS accounting code for states stop and suspend. They were checking for the duration of the longest session and using that as the time to hold a session in these states. This would cause the session table to grow bigger and bigger [12258]. 3. Fixed an issue with parsing the authfiles where an EAP entry, which does not have any brace block and is at the end of the file, will cause the server to core on startup [12259]. 4. Fixed an issue where the server manager status frame hangs without showing any status and any commands depending on the server status, such as stop and start, also hang. The server manager checks the server status by running /bin/ps -e and if the number of processes is large it will hang waiting for the ps process to complete [12260]. 5. Fixed an issue where the FSM state recorded in the Proxy-State was incorrect which could cause a failure to match proxy responses [12262]. 6. Fixed the distributed DNIS.fsm. The lines in state Start4b had an Xstring that are NOT needed/used by ProxySend AATV [12264]. 7. Fixed an issue when a proxy request could not be forwarded to the remote server due to some internal error like remote server not configured in clients file. This would have previously returned a NAK. This is incorrect behavior since it never forwarded the request and it is not known if the authentication would fail or not. It now logs the event and returns ERROR so that the request gets dropped without further processing [12265]. 8. 
Fixed an issue in PEAP and TTLS where the check to allow vendor specific attributes from the user's profile to be returned in the response was done incorrectly [12266]. 9. Fixed the procedure for determining which attributes held by the server for a request are from the original request. Under some circumstances this could cause incorrect reply attributes [12268]. 10. Fixed the propagation of reply attributes from one step of the EAP conversation to the next such that they are available to custom AATVs for any special processing they may want to do [12270]. 11. Fixed an issue where if you set LDAP-Version to 2 in aaa.config and connected to a LDAP server which rejects protocol version 2 connections by default, the AAA server log shows that the connection to the LDAP server has succeeded when it did not [12272]. 12. Fixed an issue with the interpretation of the Merit Proxy-Action AVP starting with version 7.2.0. The server will no longer send the Proxy-Action AVP when proxying a request. This can be changed back to be sent by adding the 'Proxy-Action-Send on' config item in aaa.config. This will prevent each step of the EAP conversation from running through the entire state machine. This caused inefficiencies and multiple lookups which can cause multiple reply items [12275]. 13. Fixed an issue which would cause looping in the state machine and ultimately dropping the request if you use the authfile to proxy an auth-only request. The AuthOnly1d state incorrectly called itself for an ACK [12276]. 14. Fixed an issue in the Server Manager where not all of the vendors defined in the standard vendors file are available in the Server Manager drop-down lists for clients and proxies [12277]. 15. Fixed an issue when you configured the server to do PEAP locally for an outer realm and configured it to proxy the inner realm that caused the authentication to fail. 
The home serve detects that the proxied inner realm request is an EAP-Message but with no Message-Authenticator [12278]. 16. Fixed an issue when "Send_proxy_action off" is configured in the aaa.config file, then when it proxies the inner MD5 of a TTLS/MD5 causes a core [12279]. 17. Fixed an issue when "Send_proxy_action off" is configured in the aaa.config file, then it incorrectly removed whatever attribute that happens to be the first attribute on the authreq when processing the proxy response [12280]. 18. Fixed an issue where the Tunnel-Password was not re-encrypted with the shared secret at each hop when proxying it [12281]. REMOVED FEATURES in 7.3.1 ------------------------- KNOWN ISSUES in 7.3.1: ---------------------- 1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default. 2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary. ========================================================================= NEW FEATURES in 7.3.0: ---------------------- 1. A new "Action" policy language has been implemented which can be used in place of the current "Group" policy [12233]. 2. Support for EAP-SIM protocol (RFC 4186) was added [12239]. CHANGES in 7.3.0: ----------------- FIXES in 7.3.0: ----------------- 1. The server no longer attempts to put "Config" attributes into a RADIUS packet. 
Several Merit VSAs are defined as "Config" attributes and have attribite codes that exceed the 0-255 range of RADIUS attributes so they would generate an error message if there is an attempt to put them into a RADIUS packet [12251]. 2. In EAP-TLS, when using authenticate-as-computer, the "host/" prefix no longer appears in accounting session logfile field for Authenticated-User-Name [12257]. 3. In EAP-PEAP, when using authenticate-as-computer, the "host/" prefix was stripped from the Inner-Identity attribute incorrectly. This caused excess junk at the end of the Inner-Identity and Authenticated-User-Name attributes in the accounting session logfile [12257]. REMOVED FEATURES in 7.3.0 ------------------------- KNOWN ISSUES in 7.3.0: ---------------------- 1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default. 2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary. ========================================================================= NEW FEATURES in 7.2.3: ---------------------- 1. The server now generates two new Interlink internal AVPs, EAP-MSK and EAP-EMSK, whenever the MPPE key attributes are generated for TLS, TTLS and PEAP. These attributes are available for plug-ins to use [12246]. CHANGES in 7.2.3: ----------------- 1. Support type "octets" the same way that type string is supported. This allows for attributes of type "octets" to be read from users files [12240]. FIXES in 7.2.3: ----------------- 1. 
Fixed the handling of reply items for EAP-MSCHAP, GTC, EAP-TLS, EAP-TTLS and EAP-PEAP so that they will be returned on the final Access-Accept [10353]. 2. Produce an ALERT message when truncating values of tag-int, short and octet type attributes to put into a RADIUS packet. If any non-zero bits are being discarded, an ALERT message is logged that indicates the actual value being sent and the original value being truncated [12241]. 3. When unpacking tagged string attributes from received packets the server now checks the size of the attribute before picking up the tag so that it does not access a byte that is not present. The server now allows zero string data characters in a tagged string from users files or in received packets as is done for string attributes [12243]. 4. Fixed EAP-TTLS tunnel AVP padding to correctly pad to a multiple of 4 bytes [12244]. 5. EAP-TTLS and EAP-PEAP inner authentications began to perform a database lookup for each step of the inner conversation as of version 7.2.0. This adds extraneous overhead to the authentication. The extra lookups have been eliminated [12245]. 6. Removed the additional debugging information, including passwords, being written to syslog even though debugging is not enabled. This will happen if the server is started with "-g syslog". The extra output is not logged when logging is sent to the local logfile instead of syslog. Also changed the debug output to not print the decrypted password from a EAP-TTLS tunnel [12247]. 7. Fixed the handling of empty ("") paths in the aatv.ProLDAP block of the aaa.config file. Now any of the four certificate related paths can be empty when not used. [12248]. 8. Fixed the issue associated with having a parameter name but no parameter value in a ProLDAP configuration block in the autfile or EAP.authfile which caused an infinite loop in the parser [12250]. 9. Fixed an issue when ProLDAP looks up a ProLDAP policy which does not exist. 
Depending on timing, it either drops the request or sends a reject. The server now alwasys drops the request since the policy is not available to make a correct accept or reject decision [12252]. 10. Fixed the pruning of Vendor Specific Attributes to not ignore the vendor code when limiting the number of occurrences to one instance. Only the last instance of all the VSAs that share a particular attribute code were actually sent before the fix. [12253]. 11. Fixed many memory leaks associated with configuration file handling. Also fixed a memory leak associated with EAP-TTLS and EAP-PEAP inner continuation processing if check or deny items are involved [12255]. 12. A change to the TLS-CACertFile parameter in the aatv.ProLDAP block of the aaa.config file now takes effect on a HUP (restart) [12216]. REMOVED FEATURES in 7.2.3 ------------------------- 1. The -t option has been disabled. This option would cause the server to exit if it was idle for the specified time if the server was started by inetd/xinetd. The server would sometimes exit even when not idle. The -t option is now accepted only for compatibility [12249]. KNOWN ISSUES in 7.2.3: ---------------------- 1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default. 2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary. ========================================================================= NEW FEATURES in 7.2.2: ---------------------- CHANGES in 7.2.2: ----------------- FIXES in 7.2.2: ----------------- 1. 
Fixed an issue with the sorting of multiple wild card realms to remove any order dependency in the authfiles [10973]. 2. Fixed an issue where multiple wild carded realm entries configured with the -DEFAULT or no protocol flag cause the server to select the least specific wild carded realm entry instead of the more specific wild carded realm entry [12215]. 3. Fixed a bug introduced in 7.2.0 that prevented the retransmission of the previous response when a duplicate request was received [12234]. 4. Fixed an issue that prevented wild carded realms from doing EAP PEAP and EAP TTLS [12236]. 5. Fixed an issue with EAP PEAP and EAP TTLS realms configured to use the same inner and outer realm name that caused the clients file specified prefix for the inner realm to be ignored [12238]. 6. Fixed an issue with EAP PEAP and EAP TTLS realms configured to use the same inner and outer realm name that can cause the data store for the outer realm to be used to retrieve the password if no inner realm data store is configured. This could occur if you are using 6.x configuration files that have not been correctly converted. Loading and saving the configurations with the Server Manager will correct the configuration files for you [12238]. 7. Fixed an issue with LDAP bind failures which can abort later LDAP directory search requests. This is only an issue if the finite state machine has been modified to do special LDAP lookups [12235]. 8. Fixed an issue with how the server handles simultaneous events [12235]. REMOVED FEATURES in 7.2.2 ------------------------- KNOWN ISSUES in 7.2.2: ---------------------- 1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default. 2. 
   When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

3. A change to the TLS-CACertFile parameter in the aatv.ProLDAP block of
   the aaa.config file does not take effect on a HUP (restart).

=========================================================================

NEW FEATURES in 7.2.1:
----------------------

CHANGES in 7.2.1:
-----------------

FIXES in 7.2.1:
-----------------

1. Fixed an issue which can cause problems on systems which have a
   maximum open file limit (ulimit -n) greater than 1024 [12225].

2. The default entry for the NULL realm has been corrected so it does
   not cause problems if it is modified using the Server Manager
   [12226].

3. The default value for Session-Clear-Time in the Server Manager has
   been updated to match the default value in the RADIUS server [12229].

4. Fixed an issue with reconnecting to an LDAP server after the LDAP
   server has closed the connection. This issue was introduced in the
   7.2.0 version [12230].

5. Limitations on the allowable characters in the Server Manager user
   name and password are now enforced during the initial installation
   [12228].

6. The Server Manager now correctly configures a realm for Unix password
   authentication [12231].

7. Fixed some of the links in the help pages.

REMOVED FEATURES in 7.2.1
-------------------------

KNOWN ISSUES in 7.2.1:
----------------------

1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.

2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

3. A change to the TLS-CACertFile parameter in the aatv.ProLDAP block of
   the aaa.config file does not take effect on a HUP (restart).

=========================================================================

NEW FEATURES in 7.2.0:
----------------------

1. The State Machine files and the Server have been updated to add four
   new places that policies can be executed without having to customize
   the FSMs. The four new places are for:
   - Pre-processing of incoming requests
   - Post-processing of outgoing replies
   - Post-processing of outgoing proxy requests
   - Pre-processing of incoming proxy replies

2. Two new functions have been added to the SDK for cleaning up
   asynchronous operations.

CHANGES in 7.2.0:
-----------------

FIXES in 7.2.0:
-----------------

REMOVED FEATURES in 7.2.0
-------------------------

KNOWN ISSUES in 7.2.0:
----------------------

1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.

2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

=========================================================================

NEW FEATURES in 7.1.1:
----------------------

1. Added support for Funk/Odyssey MSCHAPv2 client challenge hash
   mechanism.

2. Provide the ability to roll server activity logs and accounting
   streams on demand.
   1. Created the new utility, radsignal.
   2. Replace raddbginc utility and debug interface with a shell script
      that invokes the radsignal utility.
   3. Ensure that server activity logfile is rolled over on a timely
      basis, not just when the next log message is written.
   4. Support any number of parts for a log file (was limited to 64).

3. Added support for a new flag in the dictionary, INTERNAL. Changed the
   server to suppress INTERNAL attributes from RADIUS messages received
   and sent.

4. Added support for the same inner and outer realm for EAP TTLS with
   EAP inside.

5. Support for WPA2 has been added. Accommodate State AVP in an Identity
   Response message. A 'reauth' is treated just like a normal
   authentication request by the RAD server. The State from the Identity
   Response is ignored; a new State is assigned.

CHANGES in 7.1.1:
-----------------

1. Change the default value for Session-Clear-Time from 48 hours to
   30 min, 15 sec.

2. Changes to LAS session management to prevent session resurrection due
   to delayed packets.
   - Do not consider sessions in the Stop state when looking for
     collisions (or active sessions).
   - On Accounting-START, only change state from Init or No-Confirm to
     Authorized. On Interim-Update, only change state from Suspended to
     Authorized.

3. Changed the pruning rules to allow the UserName attribute to be
   returned in an ACK per RFC 2865.

4. The poll queue size is now indirectly configurable via the
   global_auth_q.limit. The size of the poll queue will be set to
   global_auth_q.limit * 2.

5. Upgraded to using OpenLDAP version 2.3.20 library.

6. Updated dictionary attributes for: Cisco, APTIS, Altiga, and Redback.
   Added vendors: 3GPP, Airespace, CBBSM, Colubris, CVPN5000, Extreme,
   Netscreen, and Juniper. Added attributes for: 3GPP, Airespace, CBBSM,
   Colubris, CVPN5000, Extreme, Netscreen, and Juniper.

7. The -proto flags (PW, CHAP, EAP, HASDOT, DEFAULT) were
   case-sensitive.
   The -proto flags are no longer case-sensitive in authfiles.

8. The server now reports when deprecated flags are used in the clients
   file.

9. The installation upgrade process no longer converts the authfiles and
   users files if the current radius.fsm can not be upgraded or is
   missing.

FIXES in 7.1.1:
-----------------

1. Fix some interoperability problems with clients that have a reconnect
   button which is used too quickly after an authentication.

2. Fix an issue with proxying requests where, under some rare
   circumstances, some attributes were not deleted as requested by the
   home server.

3. Fix an issue with config file parsing that required a line after the
   closing }.

4. Change the order that PEAP inner EAP methods are listed in the config
   files by the Server Manager so that ones that don't negotiate are at
   the end.

5. Change the Server Manager to handle multiple EAP-Types for PEAP/TTLS
   when the same inner/outer realm is configured.

6. Check that a finite state machine parameter-specified prefixed
   authfile is readable and has at least one entry in it. Accommodate a
   client-file-specified prefix in combination with a
   parameter-specified prefix. Allow the client-file-specified prefix to
   be optional.

7. Fixed an issue with maximum log file size configuration.

8. Changed to always strip User-Password and Chap-Password from NAK and
   challenges or any other response.

9. Fixed an OpenLDAP issue which causes LDAP/SSL connections to hang.
   The OpenLDAP client library blocked forever during SSL connection.
   The OpenLDAP client library was modified to perform a non-blocking
   SSL connection. The ProLDAP AATV was modified to accommodate the
   asynchronous connection model.

10. Fixed the ProLDAP AATV to not attempt to open connections until
    after the aatv.ProLDAP block has been read from the aaa.config file.

11. Fixed the search for realms in authfiles to use the best match
    (protocol or default) in all cases. The first match on name
    (regardless of protocol) was sometimes used before.

12. Fixed parsing of realm entries with {} blocks to apply the -proto
    flag as specified. This was not done for EAP, Oracle and ProLDAP
    realms before.

13. Fixed parsing of realm entries with {} blocks to apply aliases as
    specified. Aliases were ignored for EAP, Oracle and ProLDAP realms.

14. Fixed parsing of realm entries with {} blocks to apply the host
    parameter. The host (parameter) was ignored for EAP, Oracle and
    ProLDAP realms. This information is not used by any {} block items
    at this time but it may be useful to user written plug-ins.

15. Fixed the parsing code so that a syntax error in a {} block no
    longer causes subsequent confusion. The ProLDAP AATV now skips to
    the end of the {} block after a syntax error.

16. Fixed the issue that caused a ProLDAP bind in auto mode when a
    search is not possible. The ProLDAP AATV (in auto mode) would
    attempt a bind when no connections are available or the search
    failed. The ProLDAP AATV (in auto mode) now attempts a bind only
    when the search has been successful.

17. Fixed the distributed FSM files to handle EAP properly for the
    Auth-Only case.

18. Fixed how the server handles duplicate realm entries. Two realm
    entries with the same name and -proto flag were ignored. The server
    now rejects duplicate realm entries.

19. Fixed how the server handles duplicate realm aliases. Two realm
    entries with the same alias and -proto flag were ignored. The server
    now rejects duplicate realm aliases.

20. Fixed how the server handles multiple -BIN/CIS flags. A realm entry
    with more than one -BIN/CIS flag was ignored. The server now rejects
    a realm entry that has more than one -BIN/CIS flag.

21. Fixed how the server handles multiple -proto flags. A realm entry
    with more than one -proto flag was ignored. The server now rejects a
    realm entry that has more than one -proto flag.

22. Fixed an issue where, under some circumstances, the poll queue could
    be corrupted when removing an entry.

23. On some systems, the md5_calc function in the Server Manager was
    being resolved from some library other than libradlib. Now we use
    'MD5' from the SSL library instead of a local copy of md5_calc.

24. In the Server Manager we made the vendor names case insensitive in
    the access devices and proxies screens.

25. Clean up LDAP connections properly when they fail to open in a
    timely fashion, and other poll queue fixes to prevent a file handle
    leak.

26. Complain about, and reject, invalid wild-card patterns in client
    file entries. This prevents unpleasant behavior of the server on
    some platforms when the only entry in the clients file is bad.

27. In the Server Manager, corrected the "Timeout for TCP connect" for
    ProLDAP to be in tenths of seconds.

28. Print a warning message in the logfile when deprecated flags are
    used in the clients file.

REMOVED FEATURES in 7.1.1
-------------------------

1. The authfile realm entries had a 'Filter-ID' argument previously. It
   was ignored for EAP, ORACLE and ProLDAP realms. The Filter-ID
   capability has been removed and the argument is ignored.

KNOWN ISSUES in 7.1.1:
----------------------

1. If the LDAP server is located on the same server as radiusd, or the
   LDAP server is faster than the RAD-Series server, then the response
   to LDAP queries may come back to radiusd before it is ready to
   process it. The authentication request may not receive a response.

2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.

=========================================================================

NEW FEATURES in 7.1.0:
----------------------

1. It is now possible to enable the ldap.conf file and environment
   variables for configuring the OpenLDAP client library. The default is
   to not enable either of them.

2. Support for LDAP over SSL has been added. The default is to verify
   the LDAP server certificate.

3. Can now configure a Session Table size limit which can prevent the
   server from running out of memory due to too many session entries.

4. Configuration conversion tool runs at installation time. All
   configuration files except for modified state table files are
   converted.

5. Server Manager now displays Livingston accounting formatted logfiles.

6. MPPE and LEAP key attributes are now "magic". If they are present,
   they will be sent. You no longer need to configure Microsoft and
   Cisco as vendors for the access device.

7. The accounting record now shows the inner realm userid (Authenticated
   User Name) for tunneled authentication methods when Session Tracking
   is enabled for the realm.

8. It is now possible to configure PEAP to start version negotiation
   with version 0 to support clients that do not perform PEAP version
   negotiation properly.

9. Support for the RedHat Enterprise Linux platform has been added.

CHANGES in 7.1.0:
-----------------

1. Performance has been improved when a large Certificate Revocation
   List file is used.

2. The Server Manager no longer reads nor writes the files in the server
   certificate directory. This speeds up the load and save of
   configuration files.

3. New Server Properties group has been added for Security Certificate
   Path properties.

4. New Server Properties group has been added for ProLDAP properties.

5. Filesize Server Properties group has been removed; the Maximum Log
   File Size parameter is now in Miscellaneous Properties.

6. Required fields are now indicated on the Server Manager GUI by an
   asterisk, rather than a boldface label.

7. engine.config has been removed from the configuration.

8. sesstab has been removed from server programs.

9. Default size of the auth queue is changed from 1000 to 40000.

10. Default size of the acct queue is changed from 2000 to 40000.

11. The upgrade conversion will set the OpenLDAP protocol version to 3
    if it is not explicitly configured to be version 2. The Server
    Manager also assigns a default OpenLDAP version of 3 when it writes
    the aaa.config file.

12. The server has been modified to avoid multiple profile store
    searches when using tunneled-EAP (PEAP or TTLS) authentication.

13. The server has been modified to generate only one session for a
    tunneled-EAP (PEAP or TTLS) authentication.

14. The server now supports password encryption using the SSHA hashing
    algorithm.

15. The order of entries in an authfile no longer affects the matching
    of wildcard realms. The entries are internally sorted to use the
    longest (most-specific) match.

16. The ProLDAP module has been modified to request only certain
    attributes when searching for user profiles. This increases ProLDAP
    performance.

17. The server no longer returns User-Id, User-Realm and Inner-Identity
    attributes in any responses.

18. The server now handles TTLS/PAP and PEAP/GTC authentications
    properly when the user's password is more than 16 characters long.

19. The server now enforces a minimum value of 4096 for transmit and
    receive buffers.

20. The server detects string parameter values in the finite state
    machine which are more than 63 characters long. The server reports
    an error in the logfile, and exits. Previously, the portion beyond
    63 characters was silently truncated.

21. The authfile syntax for configuring tunneled-EAP inner
    authentication in the NULL realm has been changed to use NULL/PEAP,
    NULL/PEAPv0 and NULL/TTLS. The old form of /PEAP and /TTLS is still
    supported but support for it will be removed in the future.

22. Many hex dumps are now provided only with debug enabled. These hex
    dumps are written only to the debug file.

23. Simultaneous session control is now based on the inner identity for
    tunneled-EAP authentications.

24. The server now rejects invalid wildcard client entries.

25. DHCP can now be disabled while preserving the active configuration.

26. The upgrade conversion merges the contents of engine.config into the
    aaa.config file. The Server Manager no longer supports the
    engine.config file.

27. The keyword Access-Policy is now a reserved word in the authfile and
    EAP.authfile.

REMOVED FEATURES in 7.1.0:
--------------------------

1. Support for the EAP-SPEKE authentication method has been removed.

2. Support for advanced policies stored in ProLDAP has been removed from
   the distributed LDAP schema. If you are presently using advanced
   policies stored in ProLDAP, you may continue to do so. Support for
   retrieving advanced policies stored in ProLDAP may be removed in
   future versions.

FIXES in 7.1.0:
-----------------

1. Fixed a problem with a zero-length password for SecurID that could
   result in a server core.

2. Fixed a case-sensitivity issue for State and User-Id attribute names
   in the dictionary when using SecurID.

3. Use a larger buffer for the decrypted password for SecurID to avoid a
   potential server core when a long password was used.

4. Fixed a potential server core if more than 63 states were present in
   a finite state machine file.

5. Fixed a bug in the range check of the LDAP Retry-Wait parameter in
   the aatv.ProLDAP{...} configuration section of the aaa.config file.

6. Fixed a problem where the "Timeout" parameter of the aatv.ProLDAP{}
   section of aaa.config was ignored.

7. Fixed anomalous behavior which occurred when all LDAP servers are
   down and the RAD server receives authentication requests.

8. Fixed a ProLDAP problem where the logfile message was only displayed
   every other time, e.g. every 120 seconds even though the connection
   attempt happened every 60 seconds.

9. Tool-tips in the Server Manager GUI are now displayed correctly with
   the Mozilla browser.

10. An LDAP policy with a Reply-Item no longer results in two copies of
    the Reply-Item being returned in the response.

11. When realm "User Profile Storage" = "OS Security Database", the
    option of selecting password versus EAP authentication has been
    removed.

12. When realm "User Profile Storage" = "OS Security Database", the User
    Group field no longer appears under "User Storage Parameters".

13. When tracking sessions through the Server Manager, an option is
    offered to either Stop or OK. Selecting OK no longer returns an
    error that the previous page has expired.

14. Fixed a bug where the unsupported use of tagged attributes in a
    decisionfile condition block caused the server to core.

15. The Server Manager no longer deletes Class attributes from user
    profile entries.

16. The Server Manager has been enhanced to enforce restrictions on more
    input fields.

17. The lifetime of intermediate EAP requests is now reduced when a
    response is received from the client.

18. Wildcard client entries no longer cause a DNS update to occur every
    5 minutes.

KNOWN ISSUES in 7.1.0:
----------------------

1. If the LDAP server is located on the same server as radiusd, or the
   LDAP server is faster than the RAD-Series server, then the response
   to LDAP queries may come back to radiusd before it is ready to
   process it. The authentication request may not receive a response.
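The LAS session-management rules from CHANGES in 7.1.1 item 2 above (a Stop-state session is ignored by the collision check, Accounting-START promotes only Init or No-Confirm, Interim-Update promotes only Suspended), modelled in Python as an added example that is not the server's own code. Keying sessions on NAS identifier plus NAS-Port, the legacy flag that reproduces the earlier behaviour, the method names and the remaining transitions are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Session states named in the release notes.  Which message causes which
# transition, beyond the two 7.1.1 rules, is an assumption made here.
INIT, NO_CONFIRM, AUTHORIZED, SUSPENDED, STOP = (
    "Init", "No-Confirm", "Authorized", "Suspended", "Stop")


@dataclass
class SessionTable:
    # Keying sessions on (NAS identifier, NAS-Port) is an assumption, as is
    # the legacy flag, which reproduces the pre-7.1.1 behaviour.
    legacy: bool = False
    sessions: dict = field(default_factory=dict)

    def find_collision(self, nas, port):
        """Return the colliding session state for this NAS/port, or None."""
        state = self.sessions.get((nas, port))
        if state is None or (state == STOP and not self.legacy):
            return None          # 7.1.1: a stopped session never collides
        return state

    def on_access_request(self, nas, port):
        if self.find_collision(nas, port) is not None:
            return "collision"   # caller rejects the new authentication
        self.sessions[(nas, port)] = INIT
        return INIT

    def on_accounting_start(self, nas, port):
        """7.1.1: only Init or No-Confirm is promoted to Authorized."""
        state = self.sessions.get((nas, port))
        if self.legacy or state in (INIT, NO_CONFIRM):
            self.sessions[(nas, port)] = AUTHORIZED
        return self.sessions.get((nas, port))

    def on_interim_update(self, nas, port):
        """7.1.1: only Suspended is promoted back to Authorized."""
        state = self.sessions.get((nas, port))
        if self.legacy or state == SUSPENDED:
            self.sessions[(nas, port)] = AUTHORIZED
        return self.sessions.get((nas, port))

    def on_accounting_stop(self, nas, port):
        self.sessions[(nas, port)] = STOP
        return STOP


def delayed_start_scenario(legacy=False):
    """Auth, Start, Stop, then a delayed duplicate Start; return final state."""
    table = SessionTable(legacy=legacy)
    table.on_access_request("nas-1", 7)
    table.on_accounting_start("nas-1", 7)
    table.on_accounting_stop("nas-1", 7)
    table.on_accounting_start("nas-1", 7)   # late retransmit from the NAS
    return table.sessions[("nas-1", 7)]     # 'Stop' in 7.1.1, 'Authorized' before
```

delayed_start_scenario(True) shows the resurrection the change prevents: under the old rules the late Accounting-START reopens the stopped session, and the same NAS/port then counts as a collision for the next authentication.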