FreeRADIUS Changelog

What's new in FreeRADIUS 3.0.20

Nov 14, 2019

The focus of this release is stability.

New in FreeRADIUS 3.0.19 (Apr 10, 2019)

New in FreeRADIUS 3.0.14 (May 31, 2017)

New in FreeRADIUS 3.0.12 (Nov 14, 2016)

Feature improvements:
Add support for =~ and !~ in update sections. See "man unlang"
Add dictionary.checkpoint.
Simultaneous-Use prints out more information.
Print WARNING in debug mode when packets may be truncated.
Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool.
Mark rlm_sql_freetds as stable.
Make rlm_perl less fragile. Patch from Herwin Weststrate.
Allow extended attributes to have "encrypt=2"
Update dictionary.aruba.
Add support for EAP-FAST. This is an isolated feature which does not affect anything else.
Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016.
EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled.
New dhcpclient and rlm_rad_counter man pages.
Minor abfab and moonshot additions.
Pass CFLAGS through from environment in RPM builds. Allows more custom builds.
Build with Heimdal in addtion to libkrb5.
Bug Fixes:
Use correct typedef for older versions of sqlite.
Update mssql schema to add priority
don't complain on /dev/urandom in ldap
fix == operator in update sections
Don't create DHCP strings with many trailing zeros. Patch from Nicolas C. Fixes #1526.
Allow MS-CHAP change passwords instead of complaining on large buffer.
Allow assignment or equality operator on SQL.
Update aclocal tests for FreeBSD 10. Patches from Mathieu Simon.
Remove occasional hang in rlm_linelog.
Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x.
do_not_respond again works in post-proxy
Allow realm "~^.*$" {} and User-Name with no realm.
Fix leak when creating unknown attributes
Fix Debian / logrotate.
Make OpenSSL error functions thread-safe.
Fix crash with rlm_sql and updating SQL-User-Name.
Debian build updates.
Allow regular expression comparisons in radclient fixes #1574.
Fix memory leak on unknown attributes in detail file reader.
Update example paths in "man" pages when installing them
Build fixes for rlm_mschap. Fixes #1489.
BSD build fixes. Patch from issue #1583.
Be more careful about /lib/ when building. Fixes #1585.
Correct ifdef placement error. Fixes #1572.
Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time.
Remove support for statically built EAP modules. Fixes #1591.
Many fixes to rlm_python from Guillaume Pannatier.
Use correct week adjustment in SQLcounter. Fixes #1608
Minor fixes to allow compilation without DHCP, VMPS, or TCP.
Fix checks for module / config file change on HUP.
Compile regex comparisons when sent via "debug condition". Fixes #1632.
Update filenames in documentation and examples. Patch from Alan Buxey, #1655.
Don't crash if SQL connection becomes unavailable. Fixes #1640.
Disallow originate_coa when proxy_requests = no Fixes #1684.
Free rad_perlconf_hv in correct perl context. Fixes #1675.
Multiple fixes for Debian builds. #1510, among others.
Set OpenSSL FIPS compatibility flag when necessary.
Pulled fixes for the build system over from other branches.
Fix OCSP for RADIUS over TLS.
Fix skip_if_ocsp_ok behavior.
Better fixes for systems without closefrom() but which have /proc. Fixes #1757.
Minor build fixes back-ported from v4.0.x.
build --whout-ascend-binary. Fixes #1761.
Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.

New in FreeRADIUS 3.0.9 (Aug 19, 2015)

Feature improvements:
Make "pool" configurations more consistent, and update documentation for them.
Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
More VSAs for 3GPP2
Added examples of multi-value attributes to rlm_perl.
LDAP-Group and SQL-Group attributes are now dynamically allocated.
Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
Move to C99 initializers for modules.
Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
Added 'bootstrap' section to modules. Third-party modules will need to be updated.
When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
Allow the server to originate CoA requests from the post-auth stage.
The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
Increase default max_requests to 16384. Memory is cheap now.
Added "stats memory" commands to radmin. Debug build only.
Aptilo controller dictionary updates.
SQL modules now use Acct-Unique-Session-Id everywhere.
The redis modules are now stable.
The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
DHCP code is now in libfreeradius-dhcp.
More DHCP encoding / decoding unit tests.
rlm_replicate can now be listed in the "accounting" section.
Better sqlite debugging output.
Remove "required" option from many sql_ippool directives.
Set default CA "basic constraints" to "critical". Fixes #1073
Updates to help / man pages from Jorge Pereira.
Added more tests.
Bug Fixes:
Be more careful about unused config item warnings when using -Xx.
Move more defines to be auto-generated.
Allow virtual servers in proxy fallback.
Allow %{module:} to work.
Don't crash in RadSec. Closes #980.
Return better errors when a unix group / user is not found.
Re-enable detail module "locking" parameter.
Don't crash when logging replies from Status-Server packets.
The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase
Don't require NT-Password for MS-CHAP password changes.
Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho.
Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015
Fix dynamic clients read from SQL in non-debug mode
MS-CHAP now allows retries (i.e. password change) when passwords are expired.
Allow "user=radiusd" when the server is already user "radiusd"
suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
Fix format.pl because Perl is now more picky.
Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
Fix corner case with cursor functions and removal.
OpenDirectory fixes and documentation.
Fix leaks in rlm_redis.
RFC 6929 "evs" attributes are now encoded / decoded properly.
Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
Printed attributes again use double quotes instead of single quotes.
Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
Make "break" work in "foreach" loops
Allow dynamic expansions to work again in the "hints" file.
Correct minor typos in comments and examples from Alan Buxy.
Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise.

New in FreeRADIUS 3.0.7 (Mar 12, 2015)

Feature improvements:
Allow coa home_servers to be derived from client sections if a coa_server section is provided.
Automatically determine the correct port if no port is provided for a home server.
Allow foreach to operate over lists.
Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiud -xv. %v is now deprecated.
Add support for PATCH method in rlm_rest.
Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
Add support for sub-second timeouts in rlm_rest.
Add support for connection timeouts in rlm_rest.
Add %{jsonquote:} xlat to escape strings for insertion into json documents.
Add %{ldapquote:} xlat to escape strings for insertion into ldap DNs.
Add %{explode:&ref }, splits value of &ref on and creates new &ref type attributes with the fragments.
Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
Add %{nexttime:[]h|d|w|y} to calculate the number of seconds before the next hour(s), day(s), week(s), or year(s).
Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
For some SQL drivers (MySQL, sqlite) distinguish between constraints violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
Make dhcpclient work with raw sockets and various other improvements - Contributed by nchaigne
Add support for SSHA2 - Contributed by PDD.
Add perle dictionary - Contributed by Hachmer
Modernise init scripts for RHEL, SUSE and Debian.
radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
radmin now sends error messages from the server to stderr, instead of to stdout.
radmin now looks for sockets matching it's UID and GID, rather than just always using the first one it finds.
radmin can how delete clients which are tied to a listener.
Moved RADIUS attribute definitions to src/include/rfc*.h
Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
Syntax errors in the "users" file now produce better error messages.
Bug Fixes:
Fix issues parsing LDAP hostnames with non-standard ports.
Fix issues with realms containing regular expressions.
Allow unary negation before parantheses in rlm_expr.
Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
Be more careful to define Auth-Types before loading modules.
Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
Emit warnings when ignoring user configured pool values.
Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
Set connection timeout correctly in rlm_sql_mysql.
Build with older versions of libcurl, and use CFLAGS from curl-config.
Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
Initialise ldapai_info_version field, so libldap will report its vendor and version.
Fix log rotation scripts by using the copyrotate option.
Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
Save Session-State after proxying.
Additional fixes for reading CoA/DM requests from detail files.
Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes.
Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.

New in FreeRADIUS 3.0.4 (Sep 11, 2014)

Feature improvements:
Home server "response_window" can now take fractions of a second. See proxy.conf.
radmin now supports "show module status", as the counterpart to "set module status"
Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
Add %{tag:} expansion to get the tag value of an attribute.
Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity.
All config item fields are now type checked at compile time to prevent issues similar to #634 occuring again.
Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
"ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
The above applies to "listen", "home_server", and "client" sections.
"client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
rlm_cache now consumes its control attributes to make runtime configuration easier.
Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
Add support for aliases in rlm_ldap.
Add support for connection pool sharing to all modules that use the connection pool (pool = ).
"tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
Preliminary support for EAP channel bindings.
Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
Allow comparison of integer attributes of different sizes, without requiring a cast.
rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
allow bootstrap from multiple files in sqlite driver.
Bug Fixes:
make case-insensitive regular expressions work again, and add tests for them.
A few more talloc parenting issues
Fix delayed proxy reply handling. Closes #637
Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646
Don't double-quote strings in debugging messages
Fix foreach / break. Fixes #639
Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
Fix typo in mainconfig. Fixes #634
More rlm_perl fixes. Fixes #635
Free OpenSSL memory on clean exit.
Fix [0] !* ANY - Was removing all instances of
Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may of resulted in a read of uninitialised memory.
Don't SEGV if all connections to a database server go away. Fixes #651.
Fix issue where -= was not removing tagged instances of equal to (only untagged).
Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
Fix issue where specifying a dynamic client IP addresss using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
Don't print two "&" for messages about attribute or list references in debug output.
Fix urlquote and escape to encode Unicode characters correctly.
Fix redundant-load-balance blocks to try other modules in the group if one fails.
Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes, would be sometimes misnormalised as base64.
Don't stop processing DHCP options if we find a 0x00 padding option.
Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed.
Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
Fix issue in radsniff where writing to PCAP files and using -R response filters, where the requests would still be written to the PCAP for non matching responses.
Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... }
Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
Fix a number of uses of the talloc parent/child reference.
Release connection used for reading bulk clients in rlm_ldap.
rlm_rest is now fail-safe if it's used without any configuration
Pull in build fixes for FreeBSD from ports.
Fix error in sqlite postauth query
Evaluate argument to "switch" statements once, instead of for each "case" statement.
Define sig_t on systems without it. Closes #765.
Fix boundary issue with rlm_rest. Closes #768
Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
Check for -lpcre. The system might have pcre.h without -lpcre.
When proxying to a virtual server, use the proxy_reply instead of ignoring it.
Fixed typos in DHCP SQL IPPool.
Fix crash when passing multiple arguments to Perl xlat.

New in FreeRADIUS 3.0.3 (Aug 26, 2014)

Feature improvements:
Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS LDAP mappings.
rlm_ldap now supports older style generic attributes.
dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
regular expressions are now parsed and cached when the server starts.
Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
rlm_rest now available as a debian package.
When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip
All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
Added "config" section to Perl. See mods-available/perl
Added '%v' which expands to the server version - Patch from Alan Buxey.
more mis-matched casts are caught in "if" conditions, and descriptive errors are printed.
Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
Removed radconf2xml and radmin "show client config" and "show home_server config".
Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL.
Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1
Allow tag and array references anywhere attributes are allowed in "unlang".
many enhancements to radsniff, including output to collectd, ipv6 support and packet loss statistics.
Many dictionary updates (ZTE, Brocade, Motorola).
rlm_yubikey now automatically splits passwords from OTP strings.
The detail file reader is now threaded by default. This should improve performance reading the files.
Bug Fixes:
Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one.
Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored.
Check for more optional functions in json-c so we can Build with libjson0, which is the name of the json-c package on debian/ubuntu.
Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
Fix handling of "%{reply:3GPP-*}"
Fix rlm_perl garbage attributes
Fix oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
Truncate long format strings and error markers instead of omitting them.
Fix multiple attribute parsing in rlm_rest JSON.
Don't crash in rlm_rest if connect_uri is commented out in the configuration.
Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
Don't re-run "authorize" if a home server fails to respond.
Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets"
FreeBSD fixes for execinfo linking.
Make some of the module configurations more consistent.
Fix corner cases where STDOUT wouldn't be closed in daemon mode.
Re-enable "update coa" and originating CoA requests.
Prevent multiple threads writing to the sql query logs.
Fix zombie period calculation. Closes #579
Properly parent VPs for talloc, when moving them in map2request.
Various fixes for talloc parent / child relationships
Allow rlm_counter to support VSAs.
Normalize return codes for many modules. "do nothing" is noop, not "ok".
Run Post-Proxy-Type Fail. Closes #576
Fix DHCP destination port for replies to relays. Closes #591
Do-Not-Respond policy works again Closes #593
Proxy-To-Virtual-Server works again. Closes #596
Build fixes for ancient systems. Closes #607, #608, #609.
%{Module-Return-Code} works again. Closes #610.
Don't increment statistics for Status-Server responses. Closes #612.
A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
Fix multiple regular expression and glob memory leaks.
Don't allocate any memory in fr_fault() as it can cause malloc to deadlock.
Temporarily set dumpable flag before calling system in fr_fault() else the debugger may not be able to attach.
Set nonblock on all TCP client sockets.
Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
Fix crash on authentication failure with MIT kerberos.
Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
The connection pools no longer have one connection used twice in certain rare conditions.
Use self pipes for internal signals. The code was there, but was unused.
Don't crash if there are outstanding EAP sessions and were told to exit gracefully.
Fix typo in dictionary.rfc4072

New in FreeRADIUS 3.0.2 (Mar 26, 2014)

Feature improvements:
secret keys and LDAP / SQL passwords are now printed as '>' in debugging mode. Use -Xx to see the actual passwords.
Print out more information about passwords in -Xx, including hashes, comparisons, etc.
Allow cast (and implicit conversion) of integers to IPv4 addresses
More xlats allow attribute references. This means they can operate on binary data. e.g. expr, base64, md5, sha1.
Added more tests.
The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary
A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf
Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
Add "%{sha256:}" and "%{sha512:}" xlat functions.
Cache CUI in EAP session resumption.
templates can now have sub-sections, which will be included in the section referencing the template.
Update more dictionaries.
Added more instances of the "always" module, for all return codes.
Suppress broken NASes when proxying. Retransmits which occur more than once per second are rate-limited to once per second.
Allow '&' in more xlat expansions.
Update PostgreSQL schema and queries to record last updated time, and accounting interim.
Optimize more "if" conditions when the server loads. This will avoid work at run time. e.g. ("foo" == "bar") --> FALSE.
Allow removal of all attributes within a list with !* operator.
Allow list to list copies with request qualifiers (outer.).
Add support for ipv4 prefixes and ipv6 addresses and prefixes to %{integer:}.
allow radmin command "set module status " which can be used to forcibly enable/disable modules.
pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header.
Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack
Added example IP Pool for DHCP, using sqlite. From Matthew Newton See raddb/mods-config/sql/ippool-dhcp/
Bug Fixes:
Fix SQL groups.
Fix operation of fr_strerror() with RE*() macros.
Don't assert if the connection we're trying to reconnect is not in_use.
Fix %{mschap:User-Name} xlat.
Allow comparisons of signed integers and of ethernet addresses.
Fix parsing of text-based ascend binary filters.
Fix a few minor Coverity and clang analyzer issues.
Log WARNING and ERROR prefixes only once, not twice.
Fix attribute truncation seen in Perl and other places.
Use correct port when DHCP relaying.
Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
Don't abort() when freeing home servers on exit.
Fix edge case in pairmove() when some attributes could be over- written.
Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
Fix corner case with proxying, where home server goes down.
Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
Use /dev/urandom for raddb/certs/random, if it exists.
Issue WARNING that old-style clients should no longer be used.
Auto-set secret to "radsec" for tcp+tls home servers.
Fix double free in home_server_add when there is a parse error on startup.
rlm_unix checks if the dictionaries are broken, instead of crashing
Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
Register sqlcounter attributes correctly, and other issues with it
treat 127.0.0.1/32 as being identical to 127.0.0.1
Don't mangle error output of SQL drivers like PostgreSQL
Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times.
Fix TLS session leak for incoming sockets.
Try harder to clean up memory on exit when using "-mM"
Fix memory leak when home server is down for RadSec connections
rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second.
When parsing ipv6 address prefixes, always mask off the host portion.
Fix rlm_counter so that it does not create two reply attributes.
Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output.
Initialize scope in IP address parsing
Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter.
Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
Fix POST attribute parsing in rlm_rest.
Fix JSON attribute parsing in rlm_rest.
Don't append trailing & to POST options in rlm_rest (minor).
Process HTTP 100 Continue messages correctly in rlm_rest
Fix generation of long > 512 byte POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest.
Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions.
Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing.
Correct calculation of Message-Authenticator for CoA packets. Closes #556

New in FreeRADIUS 3.0.1 (Feb 19, 2014)

Feature improvements
Add "timeout" to exec, and "ntlm_auth_timeout" to mschap. So that run-away child processes are caught earlier.
Allow TLS clients to use "proto = tls", in which case TLS is required. The shared secret is then set to "radsec".
More documentation in the tls virtual server.
Add "date" module for date formatting. See raddb/mods-available/date.
Added unit test suite for internal server functionality
When loading "update" sections, check if the RHS is a literal value. If so, syntax check it immediately.
Update LDAP module documentation and functionality. The generic attribute can now update lists.
Updated dictionary.extreme.
Update sqlippool to do clears as a separate transaction, and at most once per second. This should help MySQL.
Respect control:Response-Packet-Type for all types of requests.
Add support for SSL encryption to the MySQL driver.
Allow arbitrary connection parameters to be used with the PostgreSQL driver.
Changes to the OpenLDAP schema to fully expose functionality of the new LDAP module.
Update debian packaging to include a freeradius-config package. This package may be provided as a site local package to avoid fighting with the preinstalled config files.
Bug Fixes
Use correct field for ARP setting in DHCP.
Fix crash on debug condition (#454).
Fix a number of minor issues caught by the clang analyzer.
Set WARNING messages to yellow instead of normal text.
Correct debug colorise logic. Patch from Phil Mayers.
Encode attributes of type "ethernet". No one uses them, but it makes sense.
Work around regex initialization issues.
Fix build when linking against OpenSSL.
Print IDs as positive numbers, which helps for large DHCP XIDs.
Fix issue with sql_ippool.
sqlcounter now uses 64-bit counters, to deal with 4G overflow.
Fix issues with DHCP subsystem.
Don't build / install disabled modules, or their config files.
Fix build for OSX Mavericks, which hid the header files in a magical place.
Fix LEAP buffer issue. You should still avoid LEAP.
Mark "unknown" WiMAX attributes as being WiMAX.
Fix typo in packet decoder for fragmented extended attrs
RPM spec fixes.
Fix rlm_perl build issues when not using threads.
Enable %{Response-Packet-Type} again.
Update configuration file parser to handle "bool" consistently.
Update declarations of global boolean variables to use "bool" consistently. This fixes an issue where some modules were instantiated in "config check" mode and did not work correctly.
Make more messages debug instead of info, to avoid polluting the logs with messages that can't be fixed.
Set operator in internal unlang code to suppress spurious warning messages.
Fix debian packaging.
Added "status" to Debian init script.
Fix "update outer.request" to update the outer request.
Don't print TLS debugging messages when not in debug mode.
Correctly manage counters for "limit" sections of TCP / TLS "listen" sockets.
Fix libldap debug output.
Fix rlm_ldap tls functionality.
Initialise OpenSSL globals early to avoid issues with the PostgreSQL library.
Fix typo in sqlcounter expansion code. Fixes #463
Overwrite previous instances of SQL-User-Name when adding it to the request.
Work around bugs in both MIT and heimdal versions of krb5_copy_context(), which caused segfaults in multithreaded mode.
Provide meaningful error messages if Heimdal krb5 is used.
Fix attribute supression in rlm_detail.
Exit with error code if child fails to complete server initialisation after forking. This allows init scripts to correctly report whether the server started ok.

New in FreeRADIUS 2.2.3 (Dec 17, 2013)

New in FreeRADIUS 2.1.12 (Oct 2, 2011)

New in FreeRADIUS 2.1.11 (Jun 21, 2011)

Feature improvements:
Added doc/rfc/rfc6158.txt: RADIUS Design Guidelines. All vendors need to read it and follow its directions.
Microsoft SoH support for PEAP from Phil Mayers. See doc/SoH.txt
Certificate "bootstrap" script now checks for certificate expiry. See comments in raddb/eap.conf, and then "make_cert_command".
Support for dynamic expansion of EAP-GTC challenges. Patch from Alexander Clouter.
OCSP support from Alex Bergmann. See raddb/eap.conf, "ocsp" section.
Updated dictionary.huawei, dictionary.3gpp, dictionary.3gpp3.
Added dictionary.eltex, dictionary.motorola, and dictionary.ukerna.
Experimental redis support from Gabriel Blanchard. See raddb/modules/redis and raddb/modules/rediswho
Add "key" to rlm_fastusers. Closes bug #126.
Added scripts/radtee from original software at http://horde.net/~jwm/software/misc/comparison-tee
Updated radmin "man" page for new commands.
radsniff now prints the hex decoding of the packet (-x -x -x)
mschap module now reloads its configuration on HUP
Added experimental "replicate" module. See raddb/modules/replicate
Policy "foo" can now refer to module "foo". This lets you over-ride the behavior of a module.
Policy "foo.authorize" can now over-ride the behavior of module "foo", "authorize" method.
Produce errors in more situations when the configuration files have invalid syntax.
Bug fixes:
Ignore pre/post-proxy sections if proxying is disabled.
Add configure checks for pcap_fopen*.
Fix call to otp_write in rlm_otp
Fix issue with Access-Challenge checking from 2.1.10, when the debug flag was set after server startup. Closes #116 and #117.
Fix typo in zombie period start time.
Fix leak in src/main/valuepair.c. Patch from James Ballantine.
Allow radtest to use spaces in shared secret. Patch from Cedric Carree.
Remove extra calls to HMAC_CTX_init() in rlm_wimax, fixing leak. Patch from James Ballantine.
Remove MN-FA key generation. The NAS does this, not AAA. Patch from Ben Weichman.
Include dictionary.mikrotik by default. Closes bug #121.
Add group membership query to MS-SQL examples. Closes bug #120.
Don't cast NAS-Port to integer in Postgresql queries. Closes bug #112.
Fixes for libtool and autoconf from Sam Hartman.
radsniff should read the dictionaries in more situations.
Use fnmatch to check for detail file reader==writer. Closes bug #128.
Check for short writes (i.e. disk full) in rlm_detail. Closes bug #130. Patches and testing from John Morrissey.
Fix typo in src/lib/token.c. Closes bug #124
Allow workstation trust accounts to use MS-CHAP. Closes bug #123.
Assigning foo=`/bin/echo hello` now produces a syntax error if it is done outside of an "update" section.
Fix "too many open file descriptors" problem when using "verify client" in eap.conf.
Many fixes to dialup_admin for PHP5, by Stefan Winter.
Allow preprocess module to have "hints = " and "huntgroups =", which allows them to be empty or non-existent.
Renamed "php3" files to "php" in dialup_admin/
Produce error when sub-TLVs are used in a dictionary. They are supported only in the "master" branch, and not in 2.1.x.
Minor fix in dictionary.redback. Closes bug #138.
Fixed MySQL "NULL" issues in ippool.conf. Closes bug #129.
Fix to Access-Challenge warning from Ken-ichirou Matsuzawa. Closes bug #118.
DHCP fixes to send unicast packets in more situations.
Fix to udpfromto, to enable it to work on IPv6 networks.
Fixes to the Oracle accounting_onoff_query.
When using both IPv4 and IPv6 home servers, ensure that we use the correct local socket for proxying. Closes bug #143.
Suppress messages when thread pool is nearly full, all threads are busy, and we can't create new threads.
IPv6 is now enabled for udpfromto. Closes bug #141
Make sqlippool query buffer the same size as sql module. Closes bug #139.
Make Coa / Disconnect proxying work again.
Configure scripts for rlm_caching from Nathaniel McCallum
src/lib/dhcp.c and src/include/libradius.h are LGPL, not GPL.
Updated password routines to use time-insensitive comparisons. This prevents timing attacks (though none are known).
Allow sqlite module to do normal SELECT queries.
rlm_wimax now has a configure script
Moved Ascend, USR, and Motorola "illegal" dictionaries to separate files. See share/dictionary for explanations.
Check for duplicate module definitions in the modules{} section, and refuse to start if duplicates are found.
Check for duplicate virtual servers, and refuse to start if duplicates are found.
Don't use udpfromto if source is INADDR_ANY. Closes bug #148.
Check pre-conditions before running radmin "inject file".
Don't over-ride "no match" with "match" for regexes. Closes bug #152.
Make retry and error message configurable in mschap. See raddb/modules/mschap
Allow EAP-MSCHAPv2 to send error message to client. This change allows some clients to prompt the user for a new password. See raddb/eap.conf, mschapv2 section, "send_error".
Load the default virtual server before any others. This matches what users expect, and reduces confusion.
Fix configure checks for udpfromto. Fixes Debian bug #606866
Definitive fix for bug #35, where the server could crash under certain loads. Changes src/lib/packet.c to use RB trees.
Updated "configure" checks to allow IPv6 udpfromto on Linux.
SQL module now returns NOOP if the accounting start/interim/stop queries don't do anything.
Allow %{outer.control: ... } in string expansions
home_server coa config now matches raddb/proxy.conf
Never send a reply to a DHCP Release.

New in FreeRADIUS 2.1.9 (Jul 14, 2010)

New in FreeRADIUS 2.1.7 (Sep 18, 2009)

Feature Improvements:
Full support for CoA and Disconnect packets as per RFC 3576 and RFC 5176. Both receiving and proxying packets is supported.
Added "src_ipaddr" configuration to "home_server". See proxy.conf for details.
radsniff now accepts -I, to read from a filename instead of a device.
radsniff also prints matching requests and any responses to those requests when '-r' is used.
Added example of attr_filter for Access-Challenge packets
Added support for udpfromto in DHCP code
radmin can now selectively mark modules alive/dead. See "set module state".
Added customizable messages on login success/fail. See msg_goodpass && msg_badpass in log{} section of radiusd.conf
Document "chase_referrals" and "rebind" in raddb/modules/ldap
Preliminary implementation of DHCP relay.
Made thread pool section optional. If it doesn't exist, the server will run single-threaded.
Added sample radrelay.conf for people upgrading from 1.x
Made proxying more stable by failing over, rather than rejecting the first request. See "response_window" in proxy.conf
Allow home_server_pools to exist without realms.
Add dictionary.iea (closes bug #7)
Added support for RFC 5580
Added experimental sql_freetds module from Gabriel Blanchard.
Updated dictionary.foundry
Added sample configuration for MySQL cluster in raddb/sql/ndb. See the README file for explanations.
Bug Fixes:
Fixed corner case where proxied packets could have extra character in User-Password attribute. Fix from Niko Tyni.
Extended size of "attribute" field in SQL to 64.
Fixes to ruby module to be more careful about when it builds.
Updated Perl module "configure" script to check for broken Perl installations.
Fix "status_check = none". It would still send packets in some cases.
Set recursive flag on the proxy mutex, which enables safer cleanup on some platforms.
Copy the EAP username verbatim, rather than escaping it.
Update handling so that robust-proxy-accounting works when all home servers are down for extended periods of time.
Look for DHCP option 53 anywhere in the packet, not just at the start.
Fix processing of proxy fail handler with virtual servers.
DHCP code now prints out correct src/dst IP addresses when sending packets.
Removed requirement for DHCP to have clients
Fixed handling of DHCP packets with message-type buried in the packet
Fixed corner case with negation in unlang.
Minor fixes to default MySQL & PostgreSQL schemas
Suppress MSCHAP complaints in debugging mode.
Fix SQL module for multiple instance, and possible crash on HUP
Fix permissions for radius.log for sites that change user/group, but which don't create the file before starting radiusd.
Fix double counting of packets when proxying
Make %l work
Fix pthread keys in rlm_perl
Log reasons for EAP failure (closes bug #8)
Load home servers and pools that aren't referenced from a realm.
Handle return codes from virtual attributes in "unlang" (e.g. LDAP-Group). This makes "!(expr)" work for them.
Enable VMPS to see contents of virtual server again
Fix WiMAX module to be consistent with examples. (closes bug #10)
Fixed crash with policies dependent on NAS-Port comparisons
Allowed vendor IDs to be be higher than 32767.
Fix crash on startup with certain regexes in "hints" file.
Fix crash in attr_filter module when packets don't exist
Allow detail file reader to be faster when "load_factor = 100"
Add work-around for build failures with errors related to lt__PROGRAM__LTX_preloaded_symbols.
Made ldap module "rebind" option aware of older, incompatible versions of OpenLDAP.
Check value of Fall-Through in attr_filter module.

New in FreeRADIUS 2.1.6 (May 19, 2009)

Feature Improvements:
radclient exits with 0 on successful (accept / ack), and 1 otherwise (no response / reject)
Added support for %{sql:UPDATE ..}, and insert/delete. Patch from Arran Cudbard-Bell
Added sample "do not respond" policy. See raddb/policy.conf and raddb/sites-available/do_not_respond
Cleanups to Suse spec file from Norbert Wegener
New VSAs for Juniper from Bjorn Mork
Include more RFC dictionaries in the default install
More documentation for the WiMAX module
Added "chase_referrals" and "rebind" configuration to rlm_ldap. This helps with Active Directory. See raddb/modules/ldap
Don't load pre/post-proxy if proxying is disabled.
Added %{md5:...}, which returns MD5 hash in hex.
Added configurable "retry_interval" and "poll_interval" for "detail" listeners.
Added "delete_mppe_keys" configuration option to rlm_wimax. Apparently some WiMAX clients misbehave when they see those keys.
Added experimental rlm_ruby from http://github.com/Antti/freeradius-server/tree/master
Add Tunnel attributes to ldap.attrmap
Enable virtual servers to be reloaded on HUP. For now, only the "authorize", "authenticate", etc. processing sections are reloaded. Clients and "listen" sections are NOT reloaded.
Updated "radwatch" script to be more robust. See scripts/radwatch
Added certificate compatibility notes in raddb/certs/README, for compatibility with different operating systems. (i.e. Windows)
Bug Fixes:
Minor changes to allow building without VQP.
Minor fixes from John Center
Fixed raddebug example
Don't crash when deleting attributes via unlang
Be friendlier to very fast clients
Updated the "detail" listener so that it only polls once, and not many times in a row, leaking memory each time...
Update comparison for Packet-Src-IP-Address (etc.) so that the operators other than '==' work.
Did autoconf magic to work around weird libtool bug
Make rlm_perl keep tags for tagged attributes in more situations
Update UID checking for radmin
Added "include_length" field for TTLS. It's needed for RFC compliance, but not (apparently) for interoperability.