3.2.4
mcnewton
released this
29 May 18:48
·
34683 commits
to master
since this release
Configuration changes
- Better handle backslashes in strings in the configuration files. If the configuration items contain backslashes, then behavior may change. However, the previous behavior didn't work as expected, and therefore is not likely to be used.
reject_delay
no longer applies to proxied packets. All servers should now setreject_delay = 1
for security and scalability.%{randstr:...}
now returns the requested amount of data, instead of one too many bytes.
Feature improvements
- Preliminary support for TEAP.
- Update EAP module pre_proxy checks to make them less restrictive. This prevents the "middle box" effect from affecting future traffic.
- Many fixes and updates for Docker images
- Add dpsk module. See
mods-available/dpsk
- Print out what cause the TLS operations to be made, such as the EAP method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket.
- Add
auto_escape
to sample SQL module config - Add 'if not exists' to mysql create table queries. ref #5032 (#5137)
- Update dictionary.aruba; add dictionary.tplink, dictionary.alphion
- Allow for
encrypt=1
attributes to be longer than 128 characters. - Added
radsecret
program which generates strong secrets. See the top of theclients.conf
file for more information. - radclient now prints packets as hex when using -xxx.
- Added
-t timeout
to radsniff. It will stop processing packets after seconds. - Support
interface = ...
on OSX and other *BSD which have IP_BOUND_IF. - The detail module now has a
dates_as_integer
configuration item. See mods-available/detail for more information. - Add lookback/lookforward steps and more configuration to totp. See mods-available/totp.
- Add
time_since
xlat to calculate elapsed time in seconds, milliseconds and microseconds. - Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from Alexander Clouter. PR #5320.
- Add "proxy_dedup_window". See radiusd.conf.
- Document
KRB5_CLIENT_KTNAME
in the "env" section of radiusd.conf. - Add
dedup_key
for misbehaving supplicants. See mods-available/eap
Bug fixes
- Fix corner case with empty defaults in rlm_files. Fixes #5035
- When we have multiple attributes of the same name, always use the canonical attribute
- Make
FreeRADIUS-Server-EMA*
attributes work again for home server exponential moving average statistics. - Don't send the global server stats when asked for client stats. They use the same attributes, so the result is confusing.
- Fix multiple typos in MongoDB query.conf (#5130)
- Add define for illumos. Fixes #5135
- Add client configuration for TLS PSK.
- Permit originate CoA after proxying to an internal virtual server
- Use virtual server
default
when passed-i
and-p
on the command line. - Fix locking issues with rlm_python3.
- The detail file reader will catch bad times in the file, and will not update
Acct-Delay-Time
with extreme values. - Fix issue where
Message-Authenticator
was calculated incorrectly for CoA / Disconnect ACK and NAK packets. - Update Python thread and error handling. Fixes #5208.
- Fix handling of Session-State when proxying. Fixes #5288.
- Run relevant post-proxy Fail-* section on CoA / Disconnect timeout.
- Add
limit
section to AWS health check configurtion. Fixes 35300. - Use
MAX
in sqlite queries instead ofGREATEST
. - Fix typo in Mongo queries. Fixes #5301.
- Fix occasional crash with bad home servers. Fixes #5308.
- Minor bug fixes to the SQL freetds modules.
- Fix blocking issue with RADIUS/TLS connection checks.
- Fix run-time crash on configuration typos of
%{substr ...}
instead of%{substr:...}
Fixes #5321. - Fix crash with TLS Status-Server requests. Fixes #5326.