769470d6d4
Accepting request 1195073 from network
Ana Guerrero2024-08-22 16:13:13 +00:00
f91e3ccd6e
- update to 3.2.5 Feature Improvements * TOTP now supports TOTP-Time-Offset for tokens with times that are out of sync. See mods-available/totp. * radclient now supports forcing the Request Authenticator and ID for Access-Request packets. * Update dictionary.3gpp. * Update advice on shared secrets, including suggesting a secure method for generating useful secrets. Bug Fixes * Allow proxying by pool / home server name to work with auth+acct servers. * Fix OpenSSL API usage which sometimes caused crash in MS-CHAP Previously it would either always crash immediately, or never crash. * Fix packet statistics. Stop double counting some packets, and track packet statistics even if a socket is closed. * Reverted patch in TTLS which broke compatibility with some systems. * Don't crash in debug mode when multiple intermediate certs are used Patch from Alexander Chernikov.
Dirk Mueller2024-08-21 11:13:44 +00:00
17304d0b8d
Accepting request 1193650 from home:amanzini:branches:network
Dirk Mueller2024-08-21 11:13:44 +00:00
2ddd73e0da
Accepting request 1177967 from network
Ana Guerrero2024-05-31 20:18:26 +00:00
7ea104037f
Accepting request 1177967 from network
Ana Guerrero2024-05-31 20:18:26 +00:00
02f9ae48b0
- update to 3.2.4 Feature Improvements * Preliminary support for TEAP. * Update EAP module pre_proxy checks to make them less restrictive This prevents the "middle box" effect from affecting future traffic. * Many fixes and updates for Docker images. * Add dpsk module. See mods-available/dpsk. * Print out what cause the TLS operations to be made, such as the EAP method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket. * Add auto_escape to sample SQL module config. * Add 'if not exists' to mysql create table queries. * Update dictionary.aruba; add dictionary.tplink, dictionary.alphion. * Allow for 'encrypt=1' attributes to be longer than 128 characters. * Added "radsecret" program which generates strong secrets. See the top of the "clients.conf" file for more information. * radclient now prints packets as hex when using -xxx. * Added "-t timeout" to radsniff. It will stop processing packets after <timeout> seconds. * Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF. * The detail module now has a "dates_as_integer" configuration item See mods-available/detail for more information. * Add lookback/lookforward steps and more configuration to totp. See mods-available/totp. * Add "time_since" xlat to calculate elapsed time in seconds, milliseconds and microseconds. * Support "Post-Auth-Type Challenge" in the inner tunnel. * Add "proxy_dedup_window". See radiusd.conf. * Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf. * Add "dedup_key" for misbehaving supplicants. See mods-available/eap. Bug Fixes
Adam Majer2024-05-31 14:47:06 +00:00
bd2e8769f1
- update to 3.2.4 Feature Improvements * Preliminary support for TEAP. * Update EAP module pre_proxy checks to make them less restrictive This prevents the "middle box" effect from affecting future traffic. * Many fixes and updates for Docker images. * Add dpsk module. See mods-available/dpsk. * Print out what cause the TLS operations to be made, such as the EAP method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket. * Add auto_escape to sample SQL module config. * Add 'if not exists' to mysql create table queries. * Update dictionary.aruba; add dictionary.tplink, dictionary.alphion. * Allow for 'encrypt=1' attributes to be longer than 128 characters. * Added "radsecret" program which generates strong secrets. See the top of the "clients.conf" file for more information. * radclient now prints packets as hex when using -xxx. * Added "-t timeout" to radsniff. It will stop processing packets after <timeout> seconds. * Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF. * The detail module now has a "dates_as_integer" configuration item See mods-available/detail for more information. * Add lookback/lookforward steps and more configuration to totp. See mods-available/totp. * Add "time_since" xlat to calculate elapsed time in seconds, milliseconds and microseconds. * Support "Post-Auth-Type Challenge" in the inner tunnel. * Add "proxy_dedup_window". See radiusd.conf. * Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf. * Add "dedup_key" for misbehaving supplicants. See mods-available/eap. Bug Fixes
Adam Majer2024-05-31 14:47:06 +00:00
2bb7f5eecf
Accepting request 1148113 from network
Ana Guerrero2024-02-20 20:15:57 +00:00
eaa142a47d
Accepting request 1148113 from network
Ana Guerrero2024-02-20 20:15:57 +00:00
1b4e5f1e09
- update to version 3.2.3: Feature Improvements * Add "max_retries" for connection pools. Fixes#4908. * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and dictionary.wispr; add dictionary.eleven. * You can now list "eap" in the "pre-proxy" section. If the packet contains a malformed EAP message, then the request will be rejected The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios. * Show warnings if libldap is not using OpenSSL. * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing --with-radiusv11 to the configure script. For now, this is for testing interoperability. * Add extra sanity checks for malformed EAP attributes. * More TLS debugging output. * Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with rlm_files. * rlm_cache_redis is now included in the freeradius-redis packages. Bug Fixes * Don't leak MD contexts with OpenSSL 3.0. * Increase internal buffer size for TLS connections, which can help with high-load proxies. * Send Status-Server checks for TLS connections. * Give descriptive error if "update CoA" is used with "fake" packets, as it won't work. i.e. inner-tunnel and virtual home servers. * Many small ASAN / LSAN fixes from Jorge Pereira. * Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection.
Adam Majer2023-09-01 11:37:49 +00:00
8c244a1664
- update to version 3.2.3: Feature Improvements * Add "max_retries" for connection pools. Fixes#4908. * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and dictionary.wispr; add dictionary.eleven. * You can now list "eap" in the "pre-proxy" section. If the packet contains a malformed EAP message, then the request will be rejected The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios. * Show warnings if libldap is not using OpenSSL. * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing --with-radiusv11 to the configure script. For now, this is for testing interoperability. * Add extra sanity checks for malformed EAP attributes. * More TLS debugging output. * Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with rlm_files. * rlm_cache_redis is now included in the freeradius-redis packages. Bug Fixes * Don't leak MD contexts with OpenSSL 3.0. * Increase internal buffer size for TLS connections, which can help with high-load proxies. * Send Status-Server checks for TLS connections. * Give descriptive error if "update CoA" is used with "fake" packets, as it won't work. i.e. inner-tunnel and virtual home servers. * Many small ASAN / LSAN fixes from Jorge Pereira. * Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection.
Adam Majer2023-09-01 11:37:49 +00:00
6b34ba0ef7
- update to version 3.2.1: Feature Improvements * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries * Add simultaneous-use queries for MS SQL * Add radmin command for "stats pool <module-name>" which prints out statistics about the connection pools. * Client statistics now shows "conflicts", to count conflicting packets. * New optional "lightweight accounting-on/off" strategy. When refreshing queries.conf you should also add the new nasreload table and corresponding GRANTs to your DB schema. * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam. * Allow auth+acct for TCP sockets, too. * Add rlm_cache_redis. See raddb/mods-available/cache for details. * Allow radmin to look up home servers by name, too. * Ensure that dynamic clients don't create loops on duplicates * Removed rlm_sqlhpwippool. There was no documentation, no configuration, and the module was ~15 years old with no one using it. * Marked rlm_python3 as stable. * Add sigalgs_list. See raddb/mods-available/eap * For rlm_linelog, when opening files in /dev, look at "permissions" to see whether to open them r/w. * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md. * Allow setting of application_name for PostgreSQL. See mods-available/sql. Bug Fixes * Correct test for open sessions in radacct for MS SQL.
Adam Majer2023-02-06 18:23:52 +00:00
af6a62a896
- update to version 3.2.1: Feature Improvements * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries * Add simultaneous-use queries for MS SQL * Add radmin command for "stats pool <module-name>" which prints out statistics about the connection pools. * Client statistics now shows "conflicts", to count conflicting packets. * New optional "lightweight accounting-on/off" strategy. When refreshing queries.conf you should also add the new nasreload table and corresponding GRANTs to your DB schema. * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam. * Allow auth+acct for TCP sockets, too. * Add rlm_cache_redis. See raddb/mods-available/cache for details. * Allow radmin to look up home servers by name, too. * Ensure that dynamic clients don't create loops on duplicates * Removed rlm_sqlhpwippool. There was no documentation, no configuration, and the module was ~15 years old with no one using it. * Marked rlm_python3 as stable. * Add sigalgs_list. See raddb/mods-available/eap * For rlm_linelog, when opening files in /dev, look at "permissions" to see whether to open them r/w. * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md. * Allow setting of application_name for PostgreSQL. See mods-available/sql. Bug Fixes * Correct test for open sessions in radacct for MS SQL.
Adam Majer2023-02-06 18:23:52 +00:00
79ab8ece2d
- remove python2 build - drop references to SLE11
Adam Majer2021-10-07 16:11:57 +00:00
d2ac4cdbeb
- remove python2 build - drop references to SLE11
Adam Majer2021-10-07 16:11:57 +00:00
09dea27b0a
- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)
Adam Majer2021-10-07 15:45:35 +00:00
0af3e91be0
- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)
Adam Majer2021-10-07 15:45:35 +00:00
a3c6eee1bb
logrotate global section (bsc#1170505, bsc#1174905)
Adam Majer2020-08-26 11:42:57 +00:00
d7073d6ae9
logrotate global section (bsc#1170505, bsc#1174905)
Adam Majer2020-08-26 11:42:57 +00:00
3bd17f8ba3
- freeradius-server-radiusd-logrotate.patch: fix permissions in lograte global section (bsc#1170505, bsc#1174905)
Adam Majer2020-08-26 11:35:27 +00:00
140a41acbc
- freeradius-server-radiusd-logrotate.patch: fix permissions in lograte global section (bsc#1170505, bsc#1174905)
Adam Majer2020-08-26 11:35:27 +00:00
65823d05b2
- update to 3.0.21 Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes#3168. * Added Pica8 dictionary. Closes#3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes#3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions.
Adam Majer2020-03-24 15:45:52 +00:00
bfa1f1789e
- update to 3.0.21 Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes#3168. * Added Pica8 dictionary. Closes#3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes#3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions.
Adam Majer2020-03-24 15:45:52 +00:00
415f44c27c
Remove git files from installation
Adam Majer2020-03-24 14:47:55 +00:00
b514b0c8a0
Remove git files from installation
Adam Majer2020-03-24 14:47:55 +00:00
dc40c1af74
- update to 3.0.20 Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1166858, CVE-2019-20510) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes#2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes#2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history.
Adam Majer2020-03-24 14:20:37 +00:00
147d291ae5
- update to 3.0.20 Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1166858, CVE-2019-20510) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes#2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes#2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history.
Adam Majer2020-03-24 14:20:37 +00:00
Ana Guerrero
Adam Majer
Dirk Mueller
Dominique Leuenberger
Richard Brown
Michael Ströder
Tomáš Chvátal