Skip to content

release_3_0_11
Compare
Choose a tag to compare
@alandekok alandekok released this 25 Jan 21:45
· 35173 commits to master since this release
release_3_0_11
d667a28

Feature improvements

  • "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
  • Allow shorthand form of ipv4prefix values e.g. 127/8.
  • Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong.
  • Added printing of coa and disconnect stats (radmin).
  • radclient defaults to expecting Access-Accept responses to Status-Server.
  • Updated dictionary.lancom, dictionary.starent.
  • Portability fixes for Solaris.
  • More errors from ntlm_auth gets passed to MS-CHAP.
  • Update abfab-tr-idp virtual server.
  • Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
  • The server now issues a WARNING message if duplicate configuration items are found.
  • TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
  • Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
  • Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
  • TTLS and PEAP now require "virtual_server" to be a real server.
  • Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
  • Various rlm_python fixes from Herwin Weststrate.
  • Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
  • elasticsearch updates from Matthew Newton

Bug fixes

  • Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
  • Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
  • Data type "ipv4prefix" is parsed correctly.
  • Use correct talloc context in rlm_exec. Fixes #1338.
  • Complain in unlang if "else" is used with no previous "if" or "elsif".
  • Send accounting status packets to the accounting port. Fixes #1364.
  • Print out CFLAGS when doing "radiusd -Xxv"
  • Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
  • Fixes for LEAP proxying. Don't use LEAP!
  • Fix issue with "directory already exists" seen when doing make install.
  • Fixed bug with radmin related to the option "stats detail "
  • Complain if the detail file reader does not have permission to read the detail.work file. Fixes #1398
  • Fixed SoH. Attributes were not being copied to the virtual server.
  • Used a wrong list to global statistics in "stats".
  • Create EAP-PWD identity correctly. Prevents segfaults.
  • Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
  • Fix includes in installed headers.
  • OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly.
    See raddb/mods-available/eap, "disable_tlsv1_2"
  • Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
  • Fix home server fail-over for home servers using TCP and/or RadSec.
  • Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape.
  • Use correct authentication vector when sending Access-Reject replies for RadSec.
  • Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
  • Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
  • Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
  • Automatically skip zero-length attributes when sending packets, instead of erroring out.
Assets 2
Loading