Release Notes
=========================================================================
Interlink Networks Services Software Version 8.1.0 Release Notes
=========================================================================
[C] 2005-2013 Interlink Networks Services, LLC. All Rights Reserved.

Interlink Networks Services, LLC.
2531 Jackson Road Suite 306
Ann Arbor, MI 48103-3818
734-821-1200 (tel), 734-821-1235 (fax)
www.interlinknetworks.com

-------------------------------------

NEW FEATURES in 8.1.0:
----------------------
1. Implemented the first phase of the next generation Session Manager
   including:
   a) Well defined session states, transitions, timeouts, and states
      applying to simultaneous session and licensing limits
   b) Greater configuration control for session management including
         "Session-Collision-Timeout"
         "Session-Dropped-Timeout"
         "Session-Finished-Timeout"
         "Session-MIA-Timeout"
         "Session-Pending-Timeout"
         "Session-Unconfirmed-Timeout"
         "Accounting-OnOff-Support"
         "Acct-Interim-Grace-Period"
         "Session-Table-Update-Interval"
         "Session-Table-Checkpoint-Interval"
         "Session-Checkpoint-File-Lifetime"
         "Minimum-Acct-Interim-Timeout"
         "Simultaneous-Use-States"
   c) Performance improvements
   d) Generic tokenpools
   e) Server-generated accounting records for the following cases, where
      no Acct-Stop message is received from the NAS:
      1) NAS sends an Accounting-On/Off
      2) A session expires while waiting for an Interim-Acct message in
         the MIA state
      3) A session expires in the COLLISION state
      4) A session expires in the UNCONFIRMED state
   f) Session-Id identification when there are multiple Class AVPs
   g) Quicker releasing of resources such as IP addresses, tokens, and
      session counts following failed authentications.
   h) Support for a new Interim-Accounting timeout algorithm, based upon
      measuring the intervals between Interim Accounting messages.
   i) Improved matching of Accounting-Requests to sessions through use of
      the internally generated Session-Id.
   j) Improved logging of error conditions such as the session table
      being full.
2. Added support for Chargeable-User-Identity. If the server receives a
   CUI AVP in the Access-Request, it will generate a CUI and return the
   CUI in the Access-Accept, save the value, and change the value
   approximately every week. If the server is doing session management,
   then the CUI will be added to the accounting record that the server
   logs. This is the mechanism (i.e. searching the accounting logs) by
   which the customer maps a CUI to the real user identity.
3. Added a logfile (I) message when a radcheck request is received. This
   marker message helps correlate the radcheck statistics with the
   logfile.
4. Added support for the RETRIEVE_DEFAULT event. A search of a users file
   returns a RETRIEVE_DEFAULT, rather than a RETRIEVE_ERROR, if the
   default user is retrieved.
5. Added support for Delegated-IPv6-Prefix, from RFC4818.
6. Added a new "-writesess" parameter to radcheck. If specified, radcheck
   will request the server to write out session.las when processing the
   radcheck request.
7. Expanded statistics reported by radcheck.
8. Added new aatv.Tunneling{} configuration parameters:
   a) Tagged-VSA-Hints Accept | Discard | Reject
   b) Tunnel-Password-Requires-Message-Authenticator YES | NO
   c) HINTS Accept | Discard

CHANGES in 8.1.0:
-----------------
1. Added NOLOG to these Interlink attributes, to suppress their
   appearance in accounting logfiles: Date-Time, Time-Of-Day,
   Day-Of-Week, Interlink-Packet-Code, Interlink-Proxy-Action. This more
   accurately reports what was actually received in the
   Accounting-Request. NOLOG can be removed from any of these attributes
   in the dictionary for customers wanting them logged.
2. Changed las.conf processing so that End-Realm is optional in realm
   configurations.
3. Expanded support for a User-Name or User-Id longer than 64 characters.
   Now up to 253 characters (the maximum length of a RADIUS string
   attribute) is supported.
   The server, session table, accounting, clients, sesstab, radrecord,
   and LDAP searches all support the longer userids.
4. The proxy server was changed to ignore NO_APPEND when handling an
   Acct-Response, and to retain the original acct authreq's AVP list, to
   which the proxy appends any new AVPs from the response following the
   proxy's Proxy-State AVP.
5. Improved parsing of the command-line -p/-q/-pp/-qq parameters to
   handle out of range values.
6. Changed sesstab to display both the outer and inner identities for
   tunneled sessions, e.g. PEAP/MSCHAP. Previously sesstab displayed only
   the inner identity.
7. The value of the Proxy-State AVP is changed to guarantee its
   uniqueness. The Proxy-State value is "--", where is a 32-bit counter
   which increments each time a Proxy-State AVP is generated. The is
   initialized to a 32-bit random number at startup. The is the address
   of the authreq. The component is never dereferenced.
8. Changed all aaa.config keywords to be consistently case insensitive.
9. The server no longer runs the Session-Timeout, which caused potential
   conflicts with the NAS, which has responsibility for Session-Timeout.
10. Improved range checking of las.conf configuration parameters.
    Extended log.config and las.conf parsing error handling.
11. Changed the server to reject an Access-Request for a realm which
    isn't being session-tracked when session-managed resources (tokens
    and/or IP addresses) are being requested.
12. Changed the tunneling support so that the aatv.Tunneling{} block is
    re-read upon a HUP signal. Previously the aatv.Tunneling{} block was
    only read at startup, and ignored thereafter.
13. The new session checkpoint interval takes effect immediately after
    the HUP, rather than waiting for one expiration.
14. The Server Manager was updated to configure parameters which
    previously could only be added by directly editing the configuration
    files.

FIXES in 8.1.0:
-----------------
1. The RADIUS server was fixed to fully support 32 bit values in the
   NAS-Port AVP. Formerly, this support was limited by special values
   internally indicating conditions such as the absence of the AVP.
2. Fixed the parsing of integer las.conf parameters to check for
   underflow and overflow conditions.
3. log.config parsing was fixed to correctly handle trailing spaces and
   parameters in quotes.
4. Fixed the handling of configured tagged AVPs, so that all configured
   tagged AVPs, not just a fixed set of RADIUS tagged AVPs, take part in
   the merging-of-tunneled-hints algorithm.
5. Fix for the cases during logfile rollover where some messages related
   to logfile compression were not being logged.
6. Changes were made to correct the output of misleading logfile messages
   which can appear when a response is received for which there is no
   matching proxied request. The server now logs "Received unexpected
   response whose id matches no pending request", and no longer says
   either "Received response ... with bad authenticator" or "Received
   response for completed request".
7. Fixed a bug which occurs when debug is on and a request is received
   with a zero-length password.

REMOVED FEATURES in 8.1.0
-------------------------
1. Removed support for the obsolete Modem-Start, Modem-Stop, and Cancel
   Acct-Status-Types.
2. Removed configuration of obsolete and unsupported LAS services.
3. Removed support for the ACCT_DUP event.

KNOWN ISSUES in 8.1.0:
----------------------
1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile.
   Re-adding the line after the installation/conversion will be
   necessary.
3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd
      will never connect to the master agent, even after the master agent
      is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent
      is stopped and restarted, the connection to radiusd is not reported
      as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently
      control the attempt to reconnect.
4. The 32 bit X window compatibility libraries must be present for the
   installer to run. On systems where they are missing, the installer
   gives a cryptic message about the JVM being missing. The real problem
   is that the OS is missing the X window compatibility libraries. On
   Linux OSs the libraries can be installed with the equivalent of
      # yum install libXp.i686
      # yum install libXt.i686
      # yum install libXtst.i686
5. The Server Manager may experience an out-of-memory exception if
   Maintenance->Statistics or Maintenance->Logfile has to parse a logfile
   with too many records in the given selection time span. The workaround
   is to select shorter time spans, say two 12-hour periods rather than
   one 24-hour period, to accumulate the desired information.

=========================================================================

NEW FEATURES in 8.0.2:
----------------------
1. Added support for generic salt encryption of attributes. This allows
   attributes to be identified as salt encrypted in the dictionary, to
   support salt encrypted vendor specific attributes.

CHANGES in 8.0.2:
-----------------
1. Changed server handling of an error condition: now the server, when
   asked to create a tagged-int attribute with tag > 31 or with the
   value > 24 bits, will discard the attribute.

FIXES in 8.0.2:
-----------------
1. Fixed a problem where a mis-configured abinary attribute value, with a
   keyword exceeding 80 characters, can overflow an internal buffer,
   possibly causing the server to core.
2. Fixed an issue where the server could hang waiting for input on one of
   its ports following a HUP.

REMOVED FEATURES in 8.0.2
-------------------------

KNOWN ISSUES in 8.0.2:
----------------------
1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.
3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd
      will never connect to the master agent, even after the master agent
      is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent
      is stopped and restarted, the connection to radiusd is not reported
      as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently
      control the attempt to reconnect.

=========================================================================

NEW FEATURES in 8.0.1:
----------------------
1. Added support for a new "compress-logfile on|off|yes|no" aaa.config
   parameter. Default = on = yes, the server's current behavior. If set
   to OFF, the server will not compress the logfile upon logfile
   rollover, leaving it as logfile.yyyymmdd rather than compressing it to
   logfile.yyyymmdd.gz.
2. Added support for authport=zero and acctport=zero in the
   radius_socket{} block.
   Prior to this update, the exact non-zero port needed to be explicitly
   configured. Now, if authport is configured as zero, the server will
   execute a hierarchy of steps to determine the authentication listen
   port:
      [Step1] If "-p authport" is configured, use that value, else
      [Step2] If the environment variable RAD_AUTH_PORT is defined, use
              that, else
      [Step3] If getservbyname() returns a port, use that, else
      [Step4] Use 1812, as the default defined by the RADIUS RFC 2865.
   Now, if acctport is configured as zero, the server will execute a
   hierarchy of steps to determine the accounting listen port:
      [Step1] If "-q acctport" is configured, use that value, else
      [Step2] If the environment variable RAD_ACCT_PORT is defined, use
              that, else
      [Step3] If getservbyname() returns a port, use that, else
      [Step4] Use 1813, as the default defined by the RADIUS RFC 2866.

CHANGES in 8.0.1:
-----------------
1. Implemented a fix so that an Accounting-On/Off message from a NAS
   will cause that NAS's sessions to be cleared. Previously the server
   received and ACKed an Accounting-On/Off message, but did not clear
   any sessions. The Acct-Session-Id AVP is now also allowed to be
   absent in an Accounting-On/Off. [12317]
2. Changed the processing of the clients file to allow and ignore
   comments (starting with '#') at the end of a line.
3. Added a '(N):' type logfile message when we disallow PEAP fast
   reconnect and force a new full authentication. Note: only the message
   is new.
4. A new logfile message now appears if there are no certificates
   configured in the aatv.ProLDAP{} block. It appears once each time the
   authfile is read and there is a ldaps:// URL. The message now reads:
      "(N): No certificates are configured in 'aatv.ProLDAP{}' for use
      by ldaps:// connections"
   Previously a '(E):' message occurred for each ldaps://... URL
   configured in the authfile.
5. Changed the ipv6check.sh script to handle a different DNS response for
   ns0.ietf.org. Also improved the checking of returned IPv6 addresses.
6. Changed the server so that, when it receives a response to a proxied
   request, it accepts rather than discards an empty (no AVPs)
   Accounting-Response even though it does not contain the RFC required
   Proxy-State attribute. Additional changes were made to correctly
   distinguish an empty response from a malformed response.
7. Changed the maximum number of states in the FSM from 256 to 1024.
   This change requires a new SDK to handle the larger number of states.
8. The server now logs "Received unexpected response whose id matches no
   pending request" instead of "Received response ... with bad
   authenticator" and "Received response for completed request".
9. Added protection for when radiusd acts as a proxy server and receives
   a response with an AVP that needs to be decrypted and re-encrypted and
   the AVP is corrupted. This is for these AVPs: MS-CHAP-MPPE-Keys,
   MS-MPPE-Recv-Key, MS-MPPE-Send-Key, Tunnel-Password and
   Cisco-Avpair("leap:session-key=xxx").
10. Changed the server acting as a proxy to ignore NO_APPEND when
    handling an Accounting-Response, and to retain the original acct
    authreq's AVP list, to which the proxy appends any new AVPs from the
    response following the proxy's Proxy-State. That is, the proxy server
    treats an Acct-Response as APPEND, whether the home server was
    configured as APPEND or NO_APPEND.
11. Added a new global variable, "int radiusd_pid", which holds the
    process-id of the radiusd main process. This is available to child
    processes which may want to check if their parent is still alive,
    i.e. the child process can periodically compare its current parent
    [as returned by getppid()] against radiusd's PID.
12. Changed the DNS update child process to check, after every DNS
    lookup, if its parent process is still alive. If not, the DNS update
    process terminates.
13. Improved logfile messages regarding the starting and ending of child
    processes:
    - When a DNS-Update or logfile-compression child is forked, a logfile
      message is generated, indicating that the child has been launched
      and indicating the child's process-id, e.g.:
         (I): Have forked DNS Update child process with pid(4589). [update_clients]
    - When the server receives a SIGCHLD signal for a child process, a
      logfile message indicating the PID of the terminating child is
      displayed, e.g.:
         (I): DNS update (pid:4589) finished. [child_end]
      or, if not a DNS update child:
         (I): Received SIGCHLD signal for child process (pid:4589). [child_end]
    - Changed the loglevel of the logfile message for a child process
      that terminated abnormally, from (I) to (A).

FIXES in 8.0.1:
-----------------
1. Fixed a bug in three dprintf() statements which can core on Solaris.
   This bug occurs only when debug is on and only when running with a
   non-default FSM where "%enable_ingress_egress_policy" is NOT set to
   "yes", and only when proxying requests.
2. Fixed a bug in a dprintf() statement which can core on Solaris. This
   bug occurs only when debug is on and a request is received with a
   zero-length password.
3. Fixed a bug in log_init() when processing log.config's "default-path"
   parameter and encountering an error, where the server can try to
   display a NULL string pointer.
4. Fixed the launching of a child process such as SecurID or Oracle, to
   close any inherited RADIUS listen or RADIUS proxy sockets. If the
   server was launched by (x)inetd, then this includes socket #0 opened
   by (x)inetd. Failure to close these sockets causes a problem when
   HUPing a server which has the SecurID sub-process running: the server
   is then not able to bind to its RADIUS listen ports.
5. Fixed a bug in the parsing of the "Session-Collision-Checking on/off"
   parameter value in las.conf.
6. Fixed a bug that can cause a core when running a very specific custom
   FSM. This bug allowed multiple entries in the proxied request index
   for the same authreq.
7. Corrected the display of a Tagged string attribute whose tag value
   is > 31.
8. Fixed a segmentation-fault core which occurs when the debug level
   is > 2 and when processing log.config and finding that the configured
   accounting log AATV doesn't exist.
9. Fixed the sesstab utility to correctly display a session in INIT
   state (value -2) rather than as a session in state 254 (unknown).
10. Fixed parsing of the "type=xxx" field of the clients file, so an
    invalid (i.e. unknown) flag, e.g. type=NAS+BLAH, is detected and
    logged.

REMOVED FEATURES in 8.0.1
-------------------------

KNOWN ISSUES in 8.0.1:
----------------------
1. When installing the server over previous installations, the java
   runtime files are not correctly updated. The workaround is to rename
   the java directory before starting the install process. The java
   directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have
   hand edited your old configurations for an authentication plug-in, it
   is possible that your plug-in line from the configuration may be lost
   during the conversion of the authfile. Re-adding the line after the
   installation/conversion will be necessary.
3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd
      will never connect to the master agent, even after the master agent
      is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent
      is stopped and restarted, the connection to radiusd is not reported
      as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently
      control the attempt to reconnect.

=========================================================================

NEW FEATURES in 8.0.0:
----------------------
1. Support for IPv6 addressing and communications has been added to the
   server. See the Admin Guide for more details.
   a) Support for the new IPv6 attribute types ipv6addr, ipv6prefix and
      interfaceid has been added [12318].
   b) Support for the IPv6 socket and IPv6 DNS lookups has been added
      [12319].
   c) Support for IPv6 connections in the utilities has been added
      [12319].
   d) IPv6 support for communications to an LDAP server has been added
      [12319].
   e) An IPv6 readiness tool has been added to the installation.
2. The SNMP RADIUS MIB support has been updated to the extended MIBs per
   RFCs 4668/4669/4770/4771, replacing support for the deprecated MIBs
   per RFCs 2619/2621. This includes new support for the RADIUS Client
   MIB [12319].
3. Significant performance improvements have been made in these areas:
   a) Duplicate request checking,
   b) Dictionary lookups of attributes and values,
   c) Lookup of users from the users file,
   d) Management of proxied requests,
   e) Management of the work queue,
   f) Lookup of a client by name or IP address from the clients file, and
   g) Management of the session table.
4. You can now configure how the date attributes in the accounting log
   files are displayed. In the log.config file, you can now define the
   strftime-format string used to display the dates. The implementation
   is fully backwards-compatible: if the new fields are not configured,
   then the server behaves as before. See the Administrator's Guide for
   details.
5. Added the ability to optionally configure HH:MM:SS when configuring
   check/deny/reply attributes and the ability to configure dates in
   either YYYY-MM-DD format or MMM-DD-YYYY format. Also added the ability
   to optionally configure the timezone of "UTC" to override the default
   of localtime for date check/deny/reply attribute values [12318]. See
   the Administrator's Guide for details.
6. Added support for the "/nn" wildcarded address format for both IPv4
   and IPv6 addresses in the clients file. The IPv4 '*' syntax, e.g.
   '192.168.*', continues to be supported. Added a check for duplicate
   wildcarded clients, e.g.
   192.168.* and 192.168.*.* and 192.168.0.0/16 are equivalent [12319].
7. Added support for the optional "srcip=" parameter in the clients file.
   It can also have an optional source port, "srcip=[ipaddr]:port". Note
   that the square brackets are mandatory if a port is entered [12319].
8. Added a global proxy_udp_recv_buffer_size parameter in aaa.config.
   Added auth_udp_recv_buffer_size and acct_udp_recv_buffer_size
   parameters that can be optionally configured within the new
   aaa.config radius_socket{} listen block.
   a) The range of valid values for the UDP recv buffer size parameters
      is 8192-to-8388608 (8KB-8MB). If the xxx_udp_recv_buffer_size is
      not configured, the socket is opened but is left at whatever buffer
      size the system uses by default.
   b) When a socket is opened: if there is a configured
      xxx_udp_recv_buffer_size and that buffer size does not match the
      actual buffer size assigned by the OS, then a logfile (N) message
      is generated.
9. Added support for two new global aaa.config parameters:
   "default_source_ipv4_address" and "default_source_ipv6_address"
   [12319].
   a) The default values, if not configured, are:
         default_source_ipv4_address 0.0.0.0
         default_source_ipv6_address ::
   b) These parameters specify the default source IP address to use when
      proxying a RADIUS request, if the client record did not specify a
      "srcip=" field.
   c) The default values indicate the ANY address, which lets the system
      pick the source IP address.
10. The server can now listen for requests on multiple authentication
    sockets and on multiple accounting sockets, and can proxy from
    multiple sockets. Each such socket is configured with an IP address
    (IPv4 or IPv6) and a port.

CHANGES in 8.0.0:
-----------------
1. Two new messages were added for an aaa.config {} block which is
   configured but not processed. During the initial server startup, the
   message is:
      (N): config_cleanup: Block 'xxx{}' was configured but not processed.
   Following a HUP, the message is:
      (N): config_cleanup: Block 'xxx{}' was configured but not reprocessed following the HUP.
2. Added support for optional [ ] around IPv4 addresses in the clients
   file.
3. Improved the error detection of clients file records.
4. Changes to the handling of the aatv.ProLDAP{} configuration:
   a) Continue processing the remainder of the config block upon
      encountering a bad parameter or bad value, rather than bailing out
      and ignoring the remainder of the block.
   b) Added a new logfile (N) message upon encountering a TLS-xxx
      parameter with an empty string, e.g. TLS-CertFile "".
   c) When processing the authfile for a PROLDAP auth type, generate a
      new logfile (E) message upon encountering a "URL ldaps:..." line
      and finding that there are no certificates configured in the
      aatv.ProLDAP{} block.
   d) Added a new (E) logfile message if an "Enable-Default-Conf"
      parameter follows a "TLS-xxx" parameter, as processing of the
      TLS-xxx parameter requires the Enable-Default-Conf value to be
      first.
5. Changed the time the server waits before removing a session in the
   LAS-Stop state from the session table, from Session-Clear-Time
   (default: 30.25 minutes) to Session-Hold-Time (default: 45 seconds).
6. Changed the minimum acceptable time between HUPs from 1 second to 2
   seconds. Now a new HUP which follows the end of the previous HUP by
   fewer than two seconds will be ignored, and a logfile message
   generated.
7. Changed the decision file processing so that, when displaying a date
   attribute value, it will always display the date and time.
8. Changed all printing of a date attribute, outside of accounting
   logging, to print the full-precision date and time.
9. Upgraded to Net-SNMP version 5.4.3.
10. Added the NAS-Restart enumerated value for the LAS-Code attribute to
    the dictionary.
11. When parsing configured check/deny/reply items and encountering an
    invalid attribute value, the handling of invalid configured
    attribute values has changed to:
    a) A logfile error message is generated as before, identifying the
       invalid attribute and value.
    b) A logfile error message "(E) : Parse error for user '' in file ''
       at line <#> (check/deny items)", or "...(reply items)", is
       generated.
    c) The user record is discarded. The authentication will fail.
    Note -- This also affects more than just configured check/deny/reply
    items. For example, the initial processing of radius.fsm processes
    the xvalue and xstring optionally appended to the end of a FSM
    entry. If there is an error in or , this error was previously
    ignored and the or were discarded. Now the server will report the
    error and fail to start due to a FSM syntax error.
12. Improved the logging of attribute validation failure messages. Every
    validation failure message is now a Warning-level (W) message;
    formerly most were Error-level (E). Every validation failure message
    now identifies the failed attribute by name, displays the value, and
    indicates that the server's action is to discard the offending
    attribute [12320,12323].
13. Changed the loglevel of some "xxx exceeds range" messages from
    loglevel (A) to loglevel (E).
14. Improved logging of bad configured attribute values, to identify the
    specific badly-configured attribute:
    a) You now get an (E) message if the attribute name is not in the
       dictionary.
    b) You now get an (E) message if the attribute value is incompletely
       specified, e.g. "NAS-IP-Address=" or just "NAS-IP-Address".
       Previously such an incomplete specification would just cause the
       check/deny/reply item to be silently discarded.
    c) You now get an (E) message if you specify "!=" for a Reply-Item.
    d) In all cases of a bad attribute, you should now see a two line
       pair of error messages. The first line of the pair identifies the
       bad attribute and the second line identifies the userid.
15. For received attributes of type tagged-integer, the server now
    checks that the tag is in the range 0-31. If not, a logfile message
    is generated and the attribute is discarded. The server also checks
    that the data length of a tagged-integer attribute is exactly 6. If
    not, a logfile message is generated and the received attribute is
    discarded.
16. Allow optional square brackets around any IPv4 addresses configured
    as proxy hosts in the authfile [12319].
17. Improved the logfile message which appears when the server receives
    an unexpected proxied response, i.e. the response is for an
    already-completed proxied request, or the response for a pending
    request has a bad authenticator, or the id of the response matches
    the id of no pending request.
18. Changed the log level of the "HUP signal received (HUP#)" logfile
    message from (I) to (N).
19. Changed the loglevel of the logfile message which is generated when
    a proxied request cannot be sent because the proxied host name is
    not yet DNS-resolved, from (E) to (N). Also reworded (clarified) the
    message, which now says:
       "(N): radius_send: Proxying to server '' failed, server name not
       yet resolved to an IP address."
    The server does not respond to the NAS; it awaits a later NAS
    retransmission, by which time the DNS resolution has likely been
    completed and the REDO action will cause the proxied request to be
    sent.
20. Changed the logfile message for a proxied request which cannot be
    sent when the proxied host (from the authfile) does not exist in the
    clients file. It now says:
       "(E): radius_send: Proxying to server '' failed, server not in
       'clients' configuration file."
21. Changed the logfile message which appears when a request is received
    from a NAS and is missing a required attribute, to additionally
    display the User-Name and NAS-Port.
22. When retransmitting a response, the server now logs an (N)-level
    message indicating that a response is being retransmitted. The log
    message identifies the message type and remote client.
23. Changes made to radpwtst are:
    a) Made "-x" behave the same as "-X" behaves.
    b) Added a new switch and value, -ipv6 on/off, to allow it to send
       IPv6.
    c) Added a new switch and value, -secret secret, to allow
       communication with a server which is not in the clients file.
    d) Changed radpwtst to display the list of sent and received
       attributes if debug is on ("-x" or "-X").
    e) Improved error messages about parameter problems.
    f) Removed the "Password=7" and "Status-Server=12" help text and
       replaced it with "n = Packet code n, 0 <= n <= 255" under the
       "-c ".
    g) Revised all of the help text, describing all the parameters.
24. De-supported the "-:" and "-P" command line parameters in radcheck.
    Added "-0" to the help text. Reformatted the help text.
25. Changed the configurable maximum size of Max. Authentication Requests
    (global_auth_q.limit) and Max. Accounting Requests
    (global_acct_q.limit) from 65535 to 100000.

FIXES in 8.0.0:
-----------------
1. Fixed an issue with printing the timezone of any "date" attribute on
   Solaris [12317].
2. Fixed an issue in the Merit style accounting logfile where any date
   attribute was incorrectly displayed as "yyyy-mm-dd/mm/yy", e.g.
   "2010-01-01/20/10" [12317].
3. Improved the error checking when processing configured "ipaddr" type
   attributes, such as configured check/deny/reply attributes, to make
   sure they are in standard dotted-quad format [12322].
4. Fixed radpwtst to handle the "-i " parameter correctly. Changed it to
   send either NAS-IP-Address or NAS-IPv6-Address in an authentication
   request, whichever is appropriate [12319].
5. Added a length check for received 32-bit attributes of type integer,
   date, and ipaddr [12320,12323].
6. Removed a misleading logfile message that occurred if the PROLDAP
   configuration has 'retrieve-only false' and the user password check
   fails. An extraneous Error-Level (E) message was written to the
   logfile [12317].
   An example message is:
      (E): Providing ERROR event to FSM: Authentication: 168/152 'fred@realm.com' from t25.abc.com port 2501
7. Fixed an issue where the year 2038 was treated as a valid year when
   converting a text date to an attribute.
8. Fixed an issue which allowed time values earlier than 1970 on some
   systems.
9. Fixed an issue where some configured local timezone Dec-31-1969
   date/times were treated as invalid even when these local timezone
   date/times translated to a UTC date/time which was on or after
   Jan-1-1970 00:00:00 UTC.
10. Fixed an issue where ".1.2.3" was treated as a name rather than as an
    invalid IPv4 address.
11. Fixed an issue where the final attribute of a received message was
    accepted if it "only" ran off the end of the packet by one or two
    bytes. Clarified the logfile error message when we run off the end
    of a received message.
12. Added a check for a received attribute value length of zero. The
    attribute is now discarded and a logfile (W) message is produced if
    the attribute is of type integer, ipaddr, date, octet, short,
    tag_str or tag_int. The attribute is accepted and a logfile (N)
    message is produced if the attribute is of type string, octets, or
    filter_binary.
13. Fixed a possible buffer overflow problem when displaying IP
    addresses.
14. Fixed an issue with replies sent by FREPLY AATVs being discarded by
    the server.
15. Fixed the case where a proxied request which could be sent returns a
    NAK and the ingress/egress policy is enabled; previously the server
    did not add an Interlink-Reply-Status attribute to the authreq, as
    required by the replyDispatch AATV.
16. Fixed radpwtst output when attempting to output a logfile error
    message.
17. Fixed an issue where the radiusAuthServTotalPacketsDropped counter
    is sometimes incorrectly incremented if the server is doing PEAP
    tunneled authentication.
18. Fixed an issue where the server still counts all the existing
    sessions even though las.conf is configured with
    Simultaneous-Use=-1.
This does no harm other than the wasted overhead of counting sessions.
19. Fixed the aaa.config parameter avpair_checking, which was ignored in some cases. This had some performance implications.
20. Fixed a bug which could crash the server when processing a Filter-Id attribute longer than 16 characters for a realm for which session tracking is done.

REMOVED FEATURES in 8.0.0
-------------------------
1. De-supported the configuration of the "ourhostname" parameter in the aaa.config file. Use the new aaa.config block radius_socket{} instead.
2. Removed support for paired / in the clients file.
3. Removed support for obsolete US Robotics extensions.
4. Removed support for the "Proxy Forwarding" message. Proxy-Forwarding uses RADIUS message code 216 and is Merit-specific, not a standard RADIUS message type.
5. The following switches, and all code conditionally compiled under these switches, have been removed: MERIT_HUNTGROUP, MERIT_HUNTGROUP_DAC, MERIT_HUNTGROUP_SHP, Y2K, MERIT_TIMELEFT, MERIT_NASMAN, MERIT_HGAS, MERIT_OAS, MERIT_ORGANIZATION
6. Removed support for the "year_2000 on/off" configuration parameter, which controlled whether the year was displayed as 4 digits or 2 digits. The rad_time() routine now always displays the year as 4 digits.
7. Removed -C (token caching) and -P (password changing) support.

KNOWN ISSUES in 8.0.0:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.
3.
There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd will never connect to the master agent, even after the master agent is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent is stopped and restarted, the connection to radiusd is not reported as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently control the attempt to reconnect.
4. The User-Name AVP in an Accounting-On request is not required and has no particular meaning, since the Accounting-On applies to the entire NAS and not to a particular session or user. Currently the Accounting-On processing only clears sessions from the session table if the specified realm is configured in las.conf. The realm comes from the User-Name, or is the NULL realm if there is no User-Name AVP. It is possible that an administrator wants to do session tracking for some realms but not the NULL realm, which would prevent the Accounting-On from doing the session clears that are needed [12303].

=========================================================================
NEW FEATURES in 7.5.0:
----------------------
1. Added a configuration parameter to reduce the tunnel MTU to accommodate EAP-TLS inside EAP-PEAP [12325]:
      security.paths {
         Tunneled-EAP-MTU Reduction 100
      }
   The value is the number of bytes by which to reduce the Framed-MTU AVP value inside the tunnel. The default value is 0, no reduction of the MTU. The value must be numeric, >= 0 and <= 512. A reduced value is needed for EAP-PEAP/EAP-TLS to leave room for any reply attributes that need to be sent along with the tunneled EAP conversation. A minimum value of about 100 appears to be required.
2. Added ECC (elliptic curve cryptography) cipher suites to the server. This adds the Microsoft CNG cipher suites [12327].
   Added an SSL debug level configuration parameter:
      security.paths {
         SSL-Debug-Level 2
      }
   The value indicates the minimum debug level for SSL debug output. A value of 0 disables SSL debug output.
3. Added an option to the clients file (no_append) that is useful when a remote server does not return all of the A-V pairs that it received in the order they were received. If it is not set, the server will append all the A-V pairs received from a remote server to the new A-V pairs sent in the response message.
4. Added an aaa.config configuration option (Session-Collision-Checking) which, when set to No, disables the server's collision checking. Collision checking tests whether a newly received authentication request comes from the same NAS (as identified by the NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address attribute) and port (as identified by the NAS-Port attribute) as an existing active session.

CHANGES in 7.5.0:
-----------------
1. Upgraded to OpenSSL version 0.9.8l [12326].
2. Changes to the dictionary [12315]:
   - Added ASCEND extensions to basic attributes (NOT vendor specific).
   - Added some more Ascend extensions to Framed-Protocol values.
   - Added some ASCEND extensions to Framed-Routing values.
   - Added some more Bay Networks vendor specific extensions.
   - Added some more APTIS vendor specific extensions.
   - Added a comment about Aptis unique four-octet field attributes.
   - Added Packeteer vendor specific extensions.
   - Added WISPr (Wi-Fi Alliance) vendor specific extensions.
3. Changes to vendors [12315]:
   - Changed the Airespace vendor ID from 6139 to 14179.
   - Defined vendor IDs for Packeteer and WISPr (Wi-Fi Alliance).
4. Added a logfile (N) message if a scoped aaa.config parameter or block is ignored. Previously the parameter or block would be silently ignored.
5. Changed the delimiter for scoped configuration blocks from [ ] to << >>.

FIXES in 7.5.0:
-----------------
1. Fixed a number of issues in sesstab.
   a) The -a and -i selection switches did not work correctly.
   b) The reporting under -f (full report) was erroneous when displaying selected records (-i/-a/-p/-n).
   c) Switches are no longer allowed following the file name.
   d) Changed sesstab to exit with return code -1, rather than 1, when doing an error exit.
   e) Changed sesstab to not go into an infinite loop if a selection criteria parameter is repeated, e.g. "-p 2000 -p 2001".
   f) Changed sesstab to display, in the help, the correct default values for the "-d" and "-dd" parameters.
   g) In some cases, suppress the display of an IP address of 0.0.0.0.
   h) Exit gracefully when encountering an unsupported session.las format version.
2. Fixed Server Manager support for Java 6u12 and later by converting isValid() methods to isComplete() methods so that they are not invoked before everything is initialized [12333].
3. Fixed an issue with the policy cache handling [12334].
4. Fixed the FSMs to recognize expired password events [12335].
5. Changed to not log an LDAP Connect Result = 0 as an error.
6. A timeout is now logged in radius.debug but not in the logfile, and it does not count as a retry.
7. Fixed the TIMEOUT AATV to prevent a possible server abort when the pointer to the next event was not saved before the current event was handled.
8. No longer abort and dump core by default during A-V pair checking.

REMOVED FEATURES in 7.5.0
-------------------------

KNOWN ISSUES in 7.5.0:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile.
Re-adding the line after the installation/conversion will be necessary.
3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd will never connect to the master agent, even after the master agent is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent is stopped and restarted, the connection to radiusd is not reported as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently control the attempt to reconnect.
4. The User-Name AVP in an Accounting-On request is not required and has no particular meaning, since the Accounting-On applies to the entire NAS and not to a particular session or user. Currently the Accounting-On processing only clears sessions from the session table if the specified realm is configured in las.conf. The realm comes from the User-Name, or is the NULL realm if there is no User-Name AVP. It is possible that an administrator wants to do session tracking for some realms but not the NULL realm, which would prevent the Accounting-On from doing the session clears that are needed [12303].

=========================================================================
NEW FEATURES in 7.4.1:
----------------------

CHANGES in 7.4.1:
-----------------

FIXES in 7.4.1:
-----------------
1. Fixed an issue with parsing CR/LF terminated lines in the FSM table [12311].
2. Fixed an issue where sending a radcheck retransmission from a client not in the clients file would crash the server [12314].

REMOVED FEATURES in 7.4.1
-------------------------

KNOWN ISSUES in 7.4.1:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2.
When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.
3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd will never connect to the master agent, even after the master agent is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent is stopped and restarted, the connection to radiusd is not reported as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently control the attempt to reconnect.
4. The User-Name AVP in an Accounting-On request is not required and has no particular meaning, since the Accounting-On applies to the entire NAS and not to a particular session or user. Currently the Accounting-On processing only clears sessions from the session table if the specified realm is configured in las.conf. The realm comes from the User-Name, or is the NULL realm if there is no User-Name AVP. It is possible that an administrator wants to do session tracking for some realms but not the NULL realm, which would prevent the Accounting-On from doing the session clears that are needed [12303].

=========================================================================
NEW FEATURES in 7.4.0:
----------------------
1. Support for the EAP-AKA protocol (RFC 4187) was added [12271].
2. The installation process now creates a startup script for radiusd. The script can be used when you do not wish to start the server from the Server Manager [10023].
3. There is a new configuration parameter, Request-Attribute-For-Search, for ProLDAP configurations.
Support for this parameter has been added to the RADIUS server and Server Manager [12284].
4. Laurel Networks has been added to the vendors file and their defined RADIUS VSAs have been added to the dictionary. The Server Manager can be used to define Laurel Networks NASes [12286].
5. Significant performance improvements have been made in the area of retransmission detection and response. Also improved the handling of EAP continuation packets [12304,12305,12306].

CHANGES in 7.4.0:
-----------------
1. When the server parses the parameters in the aaa.config file, it now consistently applies the following rules [10637]:
   - check the value against the low and high limits correctly
   - report errors as alerts
   - log changes with old and new values
   - all log messages refer to the file and line number
   - if the parameter value is "" or '' then use the correct server default value.
2. The default options in SDK compiles were different from those in server compiles. SDK compiles now build customer plug-ins with '-g' so they will have symbols for core dump analysis. Added the default options '-Wall -Wstrict-prototypes' to enable all C/C++ compile warnings, as is used by the server compile. Added the default option '-O2' to set the same optimization level as the server compile [12274].
3. The RADIUS server has always performed various RFC conformance tests on received requests from clients configured with type=NAS and silently discarded the request if any errors were found. Access-Requests with no User-Name attribute were being discarded as specified in RFC 2138. RFC 2865 has relaxed the requirement to allow processing of an Access-Request with no User-Name attribute. This change has been made [12287].
4. The append attributes option on the Server Manager proxy configuration screen is no longer relevant as of version 7.2.0. The option has now been removed from the Server Manager screen.
The proxy append flag in the clients file is ignored and the server always appends attributes following the proxy state, in the proxy response, to the access response [12295].
5. Many of the server's AATVs return the AAA_EV_ERROR event knowing that the FSM does not handle this event, so it will output a "No next state..." message and drop the request. All of the server's AATVs now adequately log the error before returning AAA_EV_ERROR, and the built-in FSM handles the AAA_EV_ERROR event by simply going to the Hold state with no additional logging [12296].

FIXES in 7.4.0:
-----------------
1. Fixed an issue with RADIUS connections to LDAP over SSL on the same machine. This could cause the radiusd process to hang if the LDAP server does not respond beyond accepting the TCP connection [12256].
2. Updated the JAVA used by the Server Manager so the time reported will not be off by one hour for those timezones for which the start date for daylight savings time has changed [12282].
3. Fixed an issue with the tomcat configuration files by defining a missing security role. The missing security role caused a warning message in the localhost_log file [12290].
4. Fixed an issue in the Server Manager where it would accept wild carded proxy entries with a realm to forward or forwarding ports configured. The server cannot proxy to a server defined as a wild card, because it has no way to know which one of the wild carded IP addresses to send to. Since the server cannot really proxy to the wild carded proxy entry, the realm and both ports should not have been allowed [12293].
5. Fixed an issue where, when deleting a local realm configured for local storage, the screen incorrectly allowed the filter-type, realm file and default users file buttons to function. The screen also incorrectly allowed the realm file name to be changed [12298].
6. The iaaaUsers AATV functionality was inadvertently changed in version 7.3.0.
It incorrectly changed the search string to all caps if there is a CIS auth entry associated with the authreq. A custom plug-in is required to encounter the change in behavior [12299].
7. Fixed an issue in the Server Manager where changing a realm from EAP authentication to Password authentication using the Server Manager leaves the -EAP flag set. The result is that the realm is not found for password authentication and authentication fails [12227,12302].

REMOVED FEATURES in 7.4.0
-------------------------
1. Support for the Cisco EAP-LEAP protocol has been removed [12301].
2. Support for the Cisco TACACS authentication protocol has been removed [12283].

KNOWN ISSUES in 7.4.0:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.
3. There are some issues interfacing to the SNMP master agent [12307]:
   a) If the master agent is not running when radiusd starts, radiusd will never connect to the master agent, even after the master agent is started (a HUP of radiusd does not help).
   b) If the connection to the master agent comes up but the master agent is stopped and restarted, the connection to radiusd is not reported as down and does not regain functionality (a HUP does not help).
   c) The iaaaAgent.conf file in the config directory does not currently control the attempt to reconnect.
4.
The User-Name AVP in an Accounting-On request is not required and has no particular meaning, since the Accounting-On applies to the entire NAS and not to a particular session or user. Currently the Accounting-On processing only clears sessions from the session table if the specified realm is configured in las.conf. The realm comes from the User-Name, or is the NULL realm if there is no User-Name AVP. It is possible that an administrator wants to do session tracking for some realms but not the NULL realm, which would prevent the Accounting-On from doing the session clears that are needed [12303].

=========================================================================
NEW FEATURES in 7.3.1:
----------------------

CHANGES in 7.3.1:
-----------------

FIXES in 7.3.1:
-----------------
1. Fixed an issue with RADIUS connections to LDAP over SSL on the same machine. This could cause the radiusd process to hang if the LDAP server does not respond beyond accepting the TCP connection [12256].
2. Fixed an issue with the LAS accounting code for the states stop and suspend. They were checking for the duration of the longest session and using that as the time to hold a session in these states. This would cause the session table to grow bigger and bigger [12258].
3. Fixed an issue with parsing the authfiles where an EAP entry which does not have any brace block and is at the end of the file would cause the server to core on startup [12259].
4. Fixed an issue where the Server Manager status frame hangs without showing any status, and any commands depending on the server status, such as stop and start, also hang. The Server Manager checks the server status by running /bin/ps -e, and if the number of processes is large it will hang waiting for the ps process to complete [12260].
5. Fixed an issue where the FSM state recorded in the Proxy-State was incorrect, which could cause a failure to match proxy responses [12262].
6. Fixed the distributed DNIS.fsm.
The lines in state Start4b had an Xstring that is NOT needed/used by the ProxySend AATV [12264].
7. Fixed an issue when a proxy request could not be forwarded to the remote server due to some internal error, such as the remote server not being configured in the clients file. This would previously have returned a NAK. This is incorrect behavior, since the request was never forwarded and it is not known whether the authentication would have failed. It now logs the event and returns ERROR so that the request gets dropped without further processing [12265].
8. Fixed an issue in PEAP and TTLS where the check to allow vendor specific attributes from the user's profile to be returned in the response was done incorrectly [12266].
9. Fixed the procedure for determining which of the attributes held by the server for a request are from the original request. Under some circumstances this could cause incorrect reply attributes [12268].
10. Fixed the propagation of reply attributes from one step of the EAP conversation to the next, so that they are available to custom AATVs for any special processing they may want to do [12270].
11. Fixed an issue where, if you set LDAP-Version to 2 in aaa.config and connected to an LDAP server which rejects protocol version 2 connections by default, the AAA server log showed that the connection to the LDAP server had succeeded when it had not [12272].
12. Fixed an issue with the interpretation of the Merit Proxy-Action AVP, starting with version 7.2.0. The server will no longer send the Proxy-Action AVP when proxying a request. This can be changed back by adding the 'Proxy-Action-Send on' config item in aaa.config. Not sending it prevents each step of the EAP conversation from running through the entire state machine, which caused inefficiencies and multiple lookups that could produce multiple reply items [12275].
13. Fixed an issue which would cause looping in the state machine and ultimately dropping the request if you use the authfile to proxy an auth-only request.
The AuthOnly1d state incorrectly called itself for an ACK [12276].
14. Fixed an issue in the Server Manager where not all of the vendors defined in the standard vendors file were available in the Server Manager drop-down lists for clients and proxies [12277].
15. Fixed an issue that caused authentication to fail when the server was configured to do PEAP locally for an outer realm and to proxy the inner realm. The home server detects that the proxied inner realm request is an EAP-Message but has no Message-Authenticator [12278].
16. Fixed an issue where, with "Send_proxy_action off" configured in the aaa.config file, proxying the inner MD5 of a TTLS/MD5 conversation caused a core [12279].
17. Fixed an issue where, with "Send_proxy_action off" configured in the aaa.config file, the server incorrectly removed whatever attribute happened to be the first attribute on the authreq when processing the proxy response [12280].
18. Fixed an issue where the Tunnel-Password was not re-encrypted with the shared secret at each hop when proxying it [12281].

REMOVED FEATURES in 7.3.1
-------------------------

KNOWN ISSUES in 7.3.1:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.

=========================================================================
NEW FEATURES in 7.3.0:
----------------------
1. A new "Action" policy language has been implemented which can be used in place of the current "Group" policy [12233].
2.
Support for the EAP-SIM protocol (RFC 4186) was added [12239].

CHANGES in 7.3.0:
-----------------

FIXES in 7.3.0:
-----------------
1. The server no longer attempts to put "Config" attributes into a RADIUS packet. Several Merit VSAs are defined as "Config" attributes and have attribute codes that exceed the 0-255 range of RADIUS attributes, so they would generate an error message if there was an attempt to put them into a RADIUS packet [12251].
2. In EAP-TLS, when using authenticate-as-computer, the "host/" prefix no longer appears in the accounting session logfile field for Authenticated-User-Name [12257].
3. In EAP-PEAP, when using authenticate-as-computer, the "host/" prefix was stripped from the Inner-Identity attribute incorrectly. This caused excess junk at the end of the Inner-Identity and Authenticated-User-Name attributes in the accounting session logfile [12257].

REMOVED FEATURES in 7.3.0
-------------------------

KNOWN ISSUES in 7.3.0:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.

=========================================================================
NEW FEATURES in 7.2.3:
----------------------
1. The server now generates two new Interlink internal AVPs, EAP-MSK and EAP-EMSK, whenever the MPPE key attributes are generated for TLS, TTLS and PEAP. These attributes are available for plug-ins to use [12246].

CHANGES in 7.2.3:
-----------------
1. Support type "octets" the same way that type string is supported.
This allows attributes of type "octets" to be read from users files [12240].

FIXES in 7.2.3:
-----------------
1. Fixed the handling of reply items for EAP-MSCHAP, GTC, EAP-TLS, EAP-TTLS and EAP-PEAP so that they are returned on the final Access-Accept [10353].
2. Produce an ALERT message when truncating values of tag-int, short and octet type attributes to put them into a RADIUS packet. If any non-zero bits are being discarded, an ALERT message is logged that indicates the actual value being sent and the original value being truncated [12241].
3. When unpacking tagged string attributes from received packets, the server now checks the size of the attribute before picking up the tag, so that it does not access a byte that is not present. The server now allows zero string data characters in a tagged string from users files or in received packets, as is done for string attributes [12243].
4. Fixed EAP-TTLS tunnel AVP padding to correctly pad to a multiple of 4 bytes [12244].
5. EAP-TTLS and EAP-PEAP inner authentications began to perform a database lookup for each step of the inner conversation as of version 7.2.0. This adds extraneous overhead to the authentication. The extra lookups have been eliminated [12245].
6. Removed the additional debugging information, including passwords, that was written to syslog even though debugging was not enabled. This happened if the server was started with "-g syslog". The extra output is not logged when logging is sent to the local logfile instead of syslog. Also changed the debug output to not print the decrypted password from an EAP-TTLS tunnel [12247].
7. Fixed the handling of empty ("") paths in the aatv.ProLDAP block of the aaa.config file. Now any of the four certificate related paths can be empty when not used [12248].
8. Fixed the issue associated with having a parameter name but no parameter value in a ProLDAP configuration block in the authfile or EAP.authfile, which caused an infinite loop in the parser [12250].
9.
Fixed an issue when ProLDAP looks up a ProLDAP policy which does not exist. Depending on timing, it either dropped the request or sent a reject. The server now always drops the request, since the policy is not available to make a correct accept or reject decision [12252].
10. Fixed the pruning of Vendor Specific Attributes to not ignore the vendor code when limiting the number of occurrences to one instance. Before the fix, only the last instance of all the VSAs that share a particular attribute code was actually sent [12253].
11. Fixed many memory leaks associated with configuration file handling. Also fixed a memory leak associated with EAP-TTLS and EAP-PEAP inner continuation processing if check or deny items are involved [12255].
12. A change to the TLS-CACertFile parameter in the aatv.ProLDAP block of the aaa.config file now takes effect on a HUP (restart) [12216].

REMOVED FEATURES in 7.2.3
-------------------------
1. The -t option has been disabled. This option would cause the server to exit if it was idle for the specified time when the server was started by inetd/xinetd. The server would sometimes exit even when not idle. The -t option is now accepted only for compatibility [12249].

KNOWN ISSUES in 7.2.3:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.
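The attribute-length fixes in 8.0.0 (FIXES items 5, 11 and 12) and the tagged-string size check in 7.2.3 (FIXES item 3) are all instances of one rule: validate the Length octet of every attribute against the remaining packet before touching the value. The parser below is an added example written for these notes, not Interlink code; its dictionary is a constructed subset and the type names are the ones the notes use. It returns the accepted attributes together with (E)/(W)/(N) log entries so the decisions are visible.

```python
"""Defensive parsing of the attribute section of a RADIUS packet.

Added example, not Interlink code. It implements the checks described in
the 8.0.0 fixes (items 5, 11 and 12) and the 7.2.3 fix (item 3): an
attribute may not run past the end of the packet, not even by one or two
bytes; integer/date/ipaddr values must be exactly 4 bytes; a zero-length
value is discarded for fixed-size types but tolerated for string-like
types; and a tagged string is size-checked before its tag byte is read.
The dictionary is a constructed subset using the notes' type names.
"""
import ipaddress
import struct

# Constructed mini-dictionary: attribute number -> (name, type).
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    11: ("Filter-Id", "string"),
    55: ("Event-Timestamp", "date"),
    64: ("Tunnel-Type", "tag_int"),
    66: ("Tunnel-Client-Endpoint", "tag_str"),
}
FIXED32 = {"integer", "date", "ipaddr"}
# Types for which an empty value is meaningless and is discarded with a (W).
NO_EMPTY = FIXED32 | {"short", "octet", "tag_str", "tag_int"}


def avp(code, value):
    """Encode one attribute (Type, Length, Value) for the constructed inputs."""
    return bytes([code, 2 + len(value)]) + value


def parse_attributes(data):
    """Return (attrs, log). attrs is a list of (name, value), or None when
    the packet is structurally invalid and must be dropped. log holds
    (level, message) pairs in the (E)/(W)/(N) style of the server logfile."""
    attrs, log = [], []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            log.append(("E", "attribute header truncated at offset %d" % pos))
            return None, log
        code, length = data[pos], data[pos + 1]
        if length < 2:
            log.append(("E", "attribute %d has illegal length %d" % (code, length)))
            return None, log
        overrun = pos + length - len(data)
        if overrun > 0:
            # 8.0.0 item 11: a final attribute that overruns by 1 or 2 bytes is
            # still an error; the message says how far it ran past the end.
            log.append(("E", "attribute %d runs %d byte(s) past end of packet"
                        % (code, overrun)))
            return None, log
        value = data[pos + 2:pos + length]
        pos += length
        name, atype = DICTIONARY.get(code, ("Attr-%d" % code, "octets"))

        if len(value) == 0:
            # 8.0.0 item 12: zero-length value.
            if atype in NO_EMPTY:
                log.append(("W", "%s: zero-length value discarded" % name))
                continue
            log.append(("N", "%s: zero-length value accepted" % name))
            attrs.append((name, b""))
            continue

        if atype in FIXED32:
            # 8.0.0 item 5: 32-bit types must carry exactly 4 bytes.
            if len(value) != 4:
                log.append(("W", "%s: expected 4-byte value, got %d; discarded"
                            % (name, len(value))))
                continue
            if atype == "ipaddr":
                attrs.append((name, str(ipaddress.IPv4Address(value))))
            else:
                attrs.append((name, struct.unpack("!I", value)[0]))
        elif atype == "tag_int":
            # RFC 2868 tagged integer: one tag byte and three value bytes.
            if len(value) != 4:
                log.append(("W", "%s: tagged integer needs 4 bytes; discarded" % name))
                continue
            attrs.append((name, (value[0], int.from_bytes(value[1:], "big"))))
        elif atype == "tag_str":
            # 7.2.3 item 3: len(value) >= 1 is guaranteed above, so the tag
            # byte exists; an empty string after the tag is allowed.
            attrs.append((name, (value[0], value[1:])))
        else:
            attrs.append((name, value))
    return attrs, log
```

A structural error returns None so the caller drops the whole packet, as the server does; a per-attribute problem only drops that attribute, which matches the (W)/(N) split in item 12.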
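The 7.3.1 fix for Tunnel-Password (FIXES item 18) is worth seeing in code, because the attribute is bound to a single hop: RFC 2868 encrypts it with the shared secret of the link and the Request Authenticator of the Access-Request being answered. A proxy that forwards the value unchanged hands the NAS ciphertext it cannot decrypt. The block below is an added example, not Interlink code; the secrets, authenticators and salts are constructed test values and the function names are this example's own.

```python
"""RFC 2868 Tunnel-Password handling across a proxy hop.

Added example, not Interlink code. A proxy has to decrypt the value it
receives from the home server (home-server secret, authenticator of the
request the proxy sent) and re-encrypt it for the NAS (NAS secret,
authenticator of the NAS's original request). All key material here is
constructed.
"""
import hashlib
import os


def _md5_chain(secret, authenticator, salt, blocks, decrypt):
    """RFC 2868 section 3.5 keystream: b1 = MD5(S+R+A), bi = MD5(S+c(i-1)),
    where c(i) is the i-th ciphertext block."""
    out = bytearray()
    prev = authenticator + salt
    for i in range(0, len(blocks), 16):
        block = blocks[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key))
        out += result
        # The chain continues from ciphertext: the input block when
        # decrypting, the output block when encrypting.
        prev = block if decrypt else result
    return bytes(out)


def tunnel_password_encrypt(password, secret, request_authenticator, tag=0, salt=None):
    """Return the Tunnel-Password attribute value: Tag | Salt(2) | String."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 239:  # 1 tag + 2 salt + 240 cipher bytes fits in 253
        raise ValueError("password too long for one attribute")
    if salt is None:
        rnd = os.urandom(2)
        salt = bytes([0x80 | rnd[0], rnd[1]])  # high bit of the salt must be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)  # zero-pad to a multiple of 16
    cipher = _md5_chain(secret, request_authenticator, salt, plain, False)
    return bytes([tag]) + salt + cipher


def tunnel_password_decrypt(value, secret, request_authenticator):
    """Return (tag, password). Raises ValueError on malformed input. A wrong
    secret or authenticator yields garbage that is usually, but not always,
    caught by the length-byte check: MD5 chaining provides no integrity."""
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("malformed Tunnel-Password")
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    plain = _md5_chain(secret, request_authenticator, salt, cipher, True)
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("length byte out of range: wrong secret or authenticator?")
    return tag, plain[1:1 + n]


def proxy_rewrite_tunnel_password(value, home_secret, proxy_req_auth,
                                  nas_secret, nas_req_auth, salt=None):
    """The per-hop step a proxy must perform on a Tunnel-Password it forwards
    in an Access-Accept. Forwarding `value` unchanged (the pre-7.3.1
    behaviour) leaves the NAS decrypting with the wrong key material."""
    tag, password = tunnel_password_decrypt(value, home_secret, proxy_req_auth)
    return tunnel_password_encrypt(password, nas_secret, nas_req_auth, tag, salt)
```

The same hop-by-hop rule applies to User-Password and the MS-MPPE key attributes: anything encrypted under the shared secret must be rewritten at every proxy, and a proxy that merely copies the attribute produces a failure that only shows up on the NAS.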
=========================================================================
NEW FEATURES in 7.2.2:
----------------------

CHANGES in 7.2.2:
-----------------

FIXES in 7.2.2:
-----------------
1. Fixed an issue with the sorting of multiple wild card realms to remove any order dependency in the authfiles [10973].
2. Fixed an issue where multiple wild carded realm entries configured with the -DEFAULT or no protocol flag caused the server to select the least specific wild carded realm entry instead of the more specific one [12215].
3. Fixed a bug introduced in 7.2.0 that prevented the retransmission of the previous response when a duplicate request was received [12234].
4. Fixed an issue that prevented wild carded realms from doing EAP-PEAP and EAP-TTLS [12236].
5. Fixed an issue with EAP-PEAP and EAP-TTLS realms configured to use the same inner and outer realm name that caused the prefix specified in the clients file for the inner realm to be ignored [12238].
6. Fixed an issue with EAP-PEAP and EAP-TTLS realms configured to use the same inner and outer realm name that could cause the data store for the outer realm to be used to retrieve the password if no inner realm data store is configured. This could occur if you are using 6.x configuration files that have not been correctly converted. Loading and saving the configurations with the Server Manager will correct the configuration files for you [12238].
7. Fixed an issue with LDAP bind failures which could abort later LDAP directory search requests. This is only an issue if the finite state machine has been modified to do special LDAP lookups [12235].
8. Fixed an issue with how the server handles simultaneous events [12235].

REMOVED FEATURES in 7.2.2
-------------------------

KNOWN ISSUES in 7.2.2:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process.
The java directory is in the binary directory, /opt/aaa by default.
2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary.
3. A change to the TLS-CACertFile parameter in the aatv.ProLDAP block of the aaa.config file does not take effect on a HUP (restart).

=========================================================================
NEW FEATURES in 7.2.1:
----------------------

CHANGES in 7.2.1:
-----------------

FIXES in 7.2.1:
-----------------
1. Fixed an issue which could cause problems on systems which have a maximum open file limit (ulimit -n) greater than 1024 [12225].
2. The default entry for the NULL realm has been corrected so it does not cause problems if it is modified using the Server Manager [12226].
3. The default value for Session-Clear-Time in the Server Manager has been updated to match the default value in the RADIUS server [12229].
4. Fixed an issue with reconnecting to an LDAP server after the LDAP server has closed the connection. This issue was introduced in the 7.2.0 version [12230].
5. Limitations on the allowable characters in the Server Manager user name and password are now enforced during the initial installation [12228].
6. The Server Manager now correctly configures a realm for Unix password authentication [12231].
7. Fixed some of the links in the help pages.

REMOVED FEATURES in 7.2.1
-------------------------

KNOWN ISSUES in 7.2.1:
----------------------
1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default.
2.
When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary. 3. A change to the TLS-CACertFile parameter in the aatv.ProLDAP block of the aaa.config file does not take effect on a HUP (restart). ========================================================================= NEW FEATURES in 7.2.0: ---------------------- 1. The State Machine files and the Server have been updated to add four new places that policies can be executed without having to customize the FSMs. The four new places are for: - Pre-processing of incoming requests - Post-processing of outgoing replies - Post-processing of outgoing proxy requests - Pre-processing of incoming proxy replies 2. Two new functions have been added to the SDK for cleaning up asynchronous operations. CHANGES in 7.2.0: ----------------- FIXES in 7.2.0: ----------------- REMOVED FEATURES in 7.2.0 ------------------------- KNOWN ISSUES in 7.2.0: ---------------------- 1. When installing the server over previous installations, the java runtime files are not correctly updated. The workaround is to rename the java directory before starting the install process. The java directory is in the binary directory, /opt/aaa by default. 2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary. ========================================================================= NEW FEATURES in 7.1.1: ---------------------- 1. Added support for Funk/Odyssey MSCHAPv2 client challenge hash mechanism. 2. 
Provide the ability to roll server activity logs and accounting streams on demand. 1. Created the new utility, radsignal. 2. Replace raddbginc utility and debug interface with a shell script that invokes the radsignal utility. 3. Ensure that server activity logfile is rolled over on a timely basis, not just when the next log message is written. 4. Support any number of parts for a log file (was limited to 64). 3. Added support for a new flag in the dictionary, INTERNAL. Changed the server to suppress INTERNAL attributes from RADIUS messages received and sent. 4. Added support for the same inner and outer realm for EAP TTLS with EAP inside. 5. Support for WPA2 has been added. Accommodate State AVP in an Identity Response message. A 'reauth' is treated just like a normal authentication request by the RAD server. The State from the Identity Response is ignored; a new State is assigned. CHANGES in 7.1.1: ----------------- 1. Change the default value for Session-Clear-Time from 48 hours to 30min, 15sec. 2. Changes to LAS session management to prevent session resurrection due to delayed packets. - Do not consider sessions in the Stop state when looking for collisions (or active sessions). - On Accounting-START, only change state from Init or No-Confirm to Authorized. On Interim-Update, only change state from Suspended to Authorized. 3. Changed the pruning rules to allow the UserName attribute to be returned in an ACK per RFC 2865. 4. The poll queue size is now indirectly configurable via the global_auth_q.limit. The size of the poll queue will be set to global_auth_q.limit * 2. 5. Upgraded to using OpenLDAP version 2.3.20 library. 6. Updated dictionary attributes for: Cisco, APTIS, Altiga, and Redback. Added vendors: 3GPP, Airespace, CBBSM, Colubris, CVPN5000, Extreme, Netscreen, and Juniper. Added attributes for: 3GPP, Airespace, CBBSM, Colubris, CVPN5000, Extreme, Netscreen, and Juniper. 7. The -proto flags (PW, CHAP, EAP, HASDOT, DEFAULT) were case-sensitive. 
The -proto flags are no longer case-sensitive in authfiles. 8. The server now reports when deprecated flags are used in the clients file. 9. The installation upgrade process no longer converts the authfiles and users files if the current radius.fsm can not be upgraded or is missing. FIXES in 7.1.1: ----------------- 1. Fix some interoperability problems with clients that have a reconnect button which is used too quickly after an authentication. 2. Fix an issue with proxying requests where, under some rare circumstances, some attributes were not deleted as requested by the home server. 3. Fix an issue with config file parsing that required a line after the closing }. 4. Change the order that PEAP inner EAP methods are listed in the config files by the Server Manager so that ones that don't negotiate are at the end. 5. Change the Server Manager to handle multiple EAP-Types for PEAP/TTLS when the same inner/outer realm is configured. 6. Check that a finite state machine parameter-specified prefixed authfile is readable and has at least one entry in it. Accommodate a client-file-specified prefix in combination with parameter-specified prefix. Allow client-file-specified prefix to be optional. 7. Fixed an issue with maximum log file size configuration. 8. Changed to always strip User-Password and Chap-Password from NAK and challenges or any other response. 9. Fixed a OpenLDAP issue which causes LDAP/SSL connections to hang. The OpenLDAP client library blocked forever during SSL connection. The OpenLDAP client library was modified to perform a non-blocking SSL connection. The ProLDAP AATV was modified to accommodate the asynchronous connection model. 10. Fixed the ProLDAP AATV to not attempt to open connections until after the aatv.ProLDAP block has been read from the aaa.config file. 11. Fixed the search for realms in authfiles to use the best match (protocol or default) in all cases. The first match on name (regardless of protocol) was sometimes used before. 12. 
Fixed parsing of realm entries with {} blocks to apply the -proto flag as specified. This was not done for EAP, Oracle and ProLDAP realms before. 13. Fixed parsing of realm entries with {} blocks to apply aliases as specified. Aliases were ignored for EAP, Oracle and ProLDAP realms. 14. Fixed parsing of realm entries with {} blocks to apply the host parameter. The host (parameter) was ignored for EAP, Oracle and ProLDAP realms. This information is not used by any {} block items at this time but this information may be useful to user written plug-ins. 15. Fixed the parsing code so that a syntax error in a {} block no longer causes subsequent confusion. The ProLDAP AATV now skips to the end of the {} block after a syntax error. 16. Fixed the issue that caused ProLDAP bind in auto mode when search is not possible. The ProLDAP AATV (in auto mode) would attempt a bind when no connections are available or the search failed. The ProLDAP AATV (in auto mode) now attempts a bind only when the search has been successful. 17. Fixed the distributed FSM files to handle EAP properly for the Auth-Only case. 18. Fixed how the server handles duplicate realm entries. Two realm entries with the same name and -proto flag were ignored. The server now rejects duplicate realm entries. 19. Fixed how the server handles duplicate realm aliases. Two realm entries with the same alias and -proto flag were ignored. The server now rejects duplicate realm aliases. 20. Fixed how the server handles multiple -BIN/CIS flags. A realm entry with more than one -BIN/CIS flag was ignored. The server now rejects a realm entry that has more than one -BIN/CIS flag. 21. Fixed how the server handles multiple -proto flags. A realm entry with more than one -proto flag was ignored. The server now rejects a realm entry that has more than one -proto flag. 22. Fixed an issue where, under some circumstances, the poll queue could be corrupted when removing an entry. 23. 
On some systems, the md5_calc function in the Server Manager was being resolved from some library other than libradlib. Now we use 'MD5' from the SSL library instead of a local copy of md5_calc. 24. In the Server Manager we made the vendor names case insensitive in access devices and proxies screens. 25. Clean up LDAP connections properly when they fail to open in timely fashion and other poll queue fixes to prevent a file handle leak. 26. Complain about, and reject, invalid wild-card patterns in client file entries. This prevents unpleasant behavior of the server on some platforms when the only entry in the clients file is bad. 27. In the Server Manager, corrected the "Timeout for TCP connect" for ProLDAP to be in tenths of seconds. 28. Print a warning message in the logfile when deprecated flags are used in the clients file. REMOVED FEATURES in 7.1.1 ------------------------- 1. The authfile realm entries had a 'Filter-ID' argument previously. It was ignored for EAP, ORACLE and ProLDAP realms. The Filter-ID capability has been removed and the argument is ignored. KNOWN ISSUES in 7.1.1: ---------------------- 1. If the LDAP server is located on the same server as radiusd or the LDAP server is faster than the RAD-Series server then the response to queries of LDAP may come back to radiusd before it is ready to process it. The authentication request may not receive a response. 2. When installing the server over previous configurations and you have hand edited your old configurations for an authentication plug-in, it is possible that your plug-in line from the configuration may be lost during the conversion of the authfile. Re-adding the line after the installation/conversion will be necessary. ========================================================================= NEW FEATURES in 7.1.0: ---------------------- 1. It is now possible to enable the ldap.conf file and environment variables for configuring the OpenLDAP client library. 
The default is to not enable either of them. 2. Support for LDAP over SSL has been added. The default is to verify the LDAP server certificate. 3. Can now configure a Session Table size limit which can prevent the server from running out of memory due to too many session entries. 4. Configuration conversion tool runs at installation time. All configuration files except for modified state table files are converted. 5. Server Manager now displays Livingston accounting formatted logfiles. 6. MPPE and LEAP key attributes are now "magic". If they are present, they will be sent. You no longer need to configure Microsoft and Cisco as vendors for the access device. 7. The accounting record now shows the inner realm userid (Authenticated User Name) for tunneled authentication methods when Session Tracking is enabled for the realm. 8. It is now possible to configure PEAP to start version negotiation with version 0 to support clients that do not perform PEAP version negotiation properly. 9. Support for the RedHat Enterprise Linux platform has been added. CHANGES in 7.1.0: ----------------- 1. Performance has been improved when a large Certificate Revocation List file is used. 2. The Server Manager no longer reads nor writes the files in the server certificate directory. This speeds up the load and save of configuration files. 3. New Server Properties group has been added for Security Certificate Path properties. 4. New Server Properties group has been added for ProLDAP properties. 5. Filesize Server Properties group has been removed; Maximum Log File Size parameter is now in Miscellaneous Properties. 6. Required fields are now indicated on the Server Manager GUI by an asterisk, rather than a boldface label. 7. engine.config has been removed from the configuration. 8. sesstab has been removed from server programs. 9. Default size of the auth queue is changed from 1000 to 40000. 10. Default size of the acct queue is changed from 2000 to 40000. 11. 
The upgrade conversion will set the OpenLDAP protocol version to 3 if it is not explicitly configured to be version 2. The Server Manager also assigns a default OpenLDAP version of 3 when it writes the aaa.config file. 12. The server has been modified to avoid multiple profile store searches when using tunneled-EAP (PEAP or TTLS) authentication. 13. The server has been modified to generate only one session for a tunneled-EAP (PEAP or TTLS) authentication. 14. The server now supports password encryption using the SSHA hashing algorithm. 15. The order of entries in an authfile no longer affects the matching of wildcard realms. The entries are internally sorted to use the longest (most-specific) match. 16. The ProLDAP module has been modified to request only certain attributes when searching for user profiles. This increases ProLDAP performance. 17. The server no longer returns User-Id, User-Realm and Inner-Identity attributes in any responses. 18. The server now handles TTLS/PAP and PEAP/GTC authentications properly when the user's password is more than 16 characters long. 19. The server now enforces a minimum value of 4096 for transmit and receive buffers. 20. The server detects string parameter values in the finite state machine which are more than 63 characters long. The server reports an error in the logfile, and exits. Previously, the portion beyond 63 characters was silently truncated. 21. The authfile syntax for configuring tunneled-EAP inner-authentication in the NULL realm has been changed to use NULL/PEAP, NULL/PEAPv0 and NULL/TTLS. The old form of /PEAP and /TTLS is still supported but support for it will be removed in the future. 22. Many hex dumps are now provided only with debug enabled. These hex dumps are written only to the debug file. 23. Simultaneous session control is now based on the inner identity for tunneled-EAP authentications. 24. The server now rejects invalid wildcard client entries. 25. 
DHCP can now be disabled while preserving the active configuration. 26. The upgrade conversion merges the contents of engine.config into the aaa.config file. The Server Manager no longer supports the engine.config file. 27. The keyword Access-Policy is now a reserved word in the authfile and EAP.authfile. REMOVED FEATURES in 7.1.0: -------------------------- 1. Support for the EAP-SPEKE authentication method has been removed. 2. Support for advanced policies stored in ProLDAP has been removed from the distributed LDAP schema. If you are presently using advanced policies stored in ProLDAP, you may continue to do so. Support for retrieving advanced policies stored in ProLDAP may be removed in future versions. FIXES in 7.1.0: ----------------- 1. Fixed a problem with zero-length password for SecurID that could result in a server core. 2. Fixed a case-sensitivity issue for State and User-Id attribute names in the dictionary when using SecurID. 3. Use a larger buffer for the decrypted password for SecurID to avoid a potential server core when a long password was used. 4. Fixed a potential server core if more than 63 states were present in a finite state machine file. 5. Fixed a bug in range check of the LDAP Retry-Wait parameter in the aatv.ProLDAP{...} configuration section of the aaa.config file. 6. Fixed a problem where the "Timeout" parameter of the aatv.ProLDAP{} section of aaa.config was ignored. 7. Fixed anomalous behavior which occurred when all LDAP servers are down and the RAD server receives authentication requests. 8. Fixed a ProLDAP problem where the logfile message was only displayed every other time, e.g. every 120 seconds even though the connection attempt happened every 60 seconds. 9. Tool-tips in the Server Manager GUI are now displayed correctly with the Mozilla browser. 10. An LDAP policy with a Reply-Item no longer results in two copies of the Reply-Item being returned in the response. 11. 
When realm "User Profile Storage" = "OS Security Database," the option of selecting password versus EAP authentication has been removed. 12. When realm "User Profile Storage" = "OS Security DataBase", the User Group field no longer appears under "User Storage Parameters." 13. When tracking sessions through the Server Manager, an option is offered to either Stop or OK. Selecting OK no longer returns an error that the previous page has expired. 14. Fixed a bug where the unsupported use of tagged attributes in a decisionfile condition block caused the server to core. 15. The Server Manager no longer deletes Class attributes from user profile entries. 16. The Server Manager has been enhanced to enforce restrictions on more input Fields. 17. The lifetime of intermediate EAP requests is now reduced when a response is received from the client. 18. Wildcard client entries no longer cause a DNS update to occur every 5 minutes. KNOWN ISSUES in 7.1.0: ---------------------- 1. If the LDAP server is located on the same server as radiusd or the LDAP server is faster than the RAD-Series server then the response to queries of LDAP may come back to radiusd before it is ready to process it. The authentication request may not receive a response.
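The session-resurrection guards listed under CHANGES in 7.1.1 (item 2), worked through as an added example; this is illustrative code, not RAD-Series server code. The state names are the ones the notes use; the Stop transition, the Simultaneous-Use check and the shape of the events are assumptions made for the illustration.

```python
# Added example (not RAD-Series code): a minimal session table that applies the
# two anti-resurrection guards from the 7.1.1 release notes. State names come
# from the notes; every other transition and the event shapes are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INIT, NO_CONFIRM, AUTHORIZED, SUSPENDED, STOP = (
    "Init", "No-Confirm", "Authorized", "Suspended", "Stop")


@dataclass
class Session:
    session_id: str
    user: str
    state: str = INIT


@dataclass
class SessionTable:
    simultaneous_use: int = 1          # assumed per-user limit
    sessions: Dict[str, Session] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def active_for(self, user: str) -> List[Session]:
        # Guard 1: sessions in Stop never count as active or colliding.
        return [s for s in self.sessions.values()
                if s.user == user and s.state != STOP]

    def authenticate(self, session_id: str, user: str) -> bool:
        """Access-Request: refuse when the user already has enough live sessions."""
        if len(self.active_for(user)) >= self.simultaneous_use:
            self.log.append(f"reject {user}: simultaneous-use limit")
            return False
        self.sessions[session_id] = Session(session_id, user)
        return True

    def accounting(self, session_id: str, status: str) -> Optional[str]:
        """Apply one Accounting-Request; returns the resulting state, or None."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if status == "Start":
            # Guard 2a: Start only promotes Init / No-Confirm, so a delayed
            # duplicate Start cannot revive a session that already stopped.
            if s.state in (INIT, NO_CONFIRM):
                s.state = AUTHORIZED
            else:
                self.log.append(f"ignore late Start for {session_id} in {s.state}")
        elif status == "Interim-Update":
            # Guard 2b: Interim-Update only revives a Suspended session.
            if s.state == SUSPENDED:
                s.state = AUTHORIZED
            else:
                self.log.append(f"ignore Interim-Update for {session_id} in {s.state}")
        elif status == "Stop":
            s.state = STOP  # assumption: Stop is terminal
        return s.state


def delayed_start_scenario() -> dict:
    """Constructed packet order: Start, Stop, then a delayed duplicate Start."""
    t = SessionTable(simultaneous_use=1)
    t.authenticate("S1", "alice")
    t.accounting("S1", "Start")
    t.accounting("S1", "Stop")
    after_late_start = t.accounting("S1", "Start")     # must remain Stop
    second_login_ok = t.authenticate("S2", "alice")   # S1 must not collide
    return {"s1": after_late_start, "second_login": second_login_ok, "log": t.log}
```

Without the guards, the delayed Start would flip S1 back to Authorized and the stopped session would block alice's next login under a Simultaneous-Use limit of 1.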