1 FreeRADIUS 0.9 ; Date: 2003/07/04 21:01:29, urgency=low
3 * Many, many, bug fixes and feature enhancements.
4 * radrelay now updates packet 'id' on retransmissions.
5 * More checks for thread-safe functions.
6 * Fix CHAP related buffer overflow (ouch!), thanks to Masao NISHIKU.
7 * Issue warnings if deprecated configuration files are used.
8 * rlm_passwd can now add items to the reply, request, or config items.
9 * The rlm_digest, rlm_exec, and rlm_ippool modules are now marked
10 as 'stable', and included in the default build.
11 * Removed 'raduse'. No one has used it for years.
12 * Massive fixes for Debian packaging.
13 * radclient can now send "disconnect" packets, to NASes which
14 support it. The server, however, CANNOT send disconnect packets.
15 * Made Auth-Type, Acct-Type, etc. names consistent across
16 dictionary files and radiusd.conf. The old (inconsistent) names
17 are still allowed for backwards compatibility.
18 * Cleaned up problems with the rlm_sql module.
19 * Updates to the rlm_ldap module.
20 * rlm_mschap no longer reads SMB password files. See rlm_passwd,
22 * Changed default entry in the 'users' file to 'Auth-Type = System',
23 to allow EAP and Digest authentication to work automagically.
24 * Support for Cisco LEAP.
25 * Added many new dictionaries (Extreme, Wispr, ERX, Netscreen...)
26 * Removed support for ATTRIB_NMC. It is now handled (better)
27 in a different manner.
28 * Dictionaries have been moved from /etc/raddb to /usr/share/freeradius
29 * Many documentation updates
30 * Ignore whitespace-only lines in the 'users' file.
31 * Patch to fix 'rlm_realm' from returning the DEFAULT entry when
32 we are looking for the NULL entry and it doesn't exist. Bug
33 noted by Nathan Miller.
34 * Disable child process spawning if we don't have threads.
35 The code doesn't work, so it's better to force the server
36 to run in single-process mode.
37 * New rlm_exec module, which allows a more generic way of
38 executing external programs.
39 * Preliminary large file support in 'configure' and in the server,
40 to support 2G+ detail files.
41 * Install documentation into /usr/local/share/doc/freeradius
42 * Dictionaries are now in /usr/local/share/freeradius
43 * New/updated dictionaries for RedCreek, Bintec, Alcatel,
44 ITK, Telebit, and Cabletron.
45 * Updates to allow building on MAC OSX.
46 * Add support for Acct-Type,Session-Type and PostAuth-Type
47 * Removed builddbm. It hasn't been used for ages.
48 * Added new post_proxy section, based on patch from Chris Brotsos.
49 * rlm_counter shouldn't reset the counters on instantiation,
50 if the reset is set to 'never'.
51 * Significant updates to the rlm_python and rlm_perl modules
52 * Fix the rlm_pap module to handle password lengths properly.
53 * Do SQL 'close' on bad sockets, to prevent descriptor leaks
54 * Case insensitivity option for rlm_radutmp
55 * New pseudo-round-robin load balancing for realms.
56 * Suppress empty SQL queries.
58 * Create 'snmp' configuration directive, so that we can disable
59 SNMP at run time, even if it's built into the server.
60 * Refresh realm as 'active' when we see a response from it,
61 Based on a patch by Angelos Karageorgiou.
62 * Don't core dump if Status-Server is received, but it's disabled.
63 * Support more variants of character fields in Oracle.
64 Patch from Stocker Gernot.
65 * Better parsing of dictionary files.
66 * Alteon web switch dictionary, from Thomas Linden
68 FreeRADIUS 0.8 ; Date: 2002/11/18 15:37:24, urgency=low
70 * Added Oracle-specific queries.
71 * Updated SQL queries to match schema.
72 * PostGreSQL reconnect patch.
73 * Added documentation on how to build on MAC OSX.
74 * Allowed SQL module to ignore unknown Acct-Status-Type values.
75 * Updated PostGreSQL queries and schema.
76 * Updated the log rotation configuration files.
77 * Colubris and updated Nomadix dictionaries, from Marko Myllynen.
78 * Normalized error messages from the SQL modules, so that they're
80 * Added Suse specific directory and configuration files, from
82 * SQL fail-over patch, so that the module returns FAIL if
83 the back-end database is down. Based on a patch from
85 * Cleaned up the internal handling of the configuration
86 information, in preparation for better handling SIGHUP.
87 * Updated rlm_krb5 configuration to better find it's libraries
89 * radclient now complains if it receives a reply from a machine
90 other than the one to which it sent the request.
91 * Updated Postgresql SQL queries to get the operator, too.
92 * Added Juniper dictionary.
93 * Added Cisco VPN3000, VPN5000, and BBSM dictionaries.
94 * New platform-neutral 'rc.radiusd'
95 * Configuration files with private information get chmod'd
96 0600 after installation.
97 * Preliminary support for clean shutdowns when a SIGTERM is
99 * SNMP timeouts for checkrad, so there will be fewer situations
100 where it hangs for 30 seconds...
101 * Added code to clean up modules and memory when asked to exit
103 * Removed all need for the old-style 'naslist' and 'client' files,
104 and noted that they are deprecated.
105 * Added support for Status-Server packets, stolen shamelessly
106 from Cistron RADIUSD. This is despite the RFC's saying such
108 * Bug fixes to rlm_dbm.
109 * Updates for checkrad, max40xx routine, from Aleksandr Kuzminsky.
110 * Disable caching of passwords for the Unix module. It was
111 causing too much confusion.
112 * Fix a memory leak when proxying Authentication-Request's
113 * Attributes which are not found in the dictionary are now of
114 type 'octets', instead of 'string'.
115 * Support for "round-robin" load balancing, when proxying requests
116 to multiple servers for one realm.
117 * Minor changes for better HPUX support.
118 * Updated the documentation and README's
119 * Made FreeTDS build ONLY after hand-editing, as the FreeTDS
120 libraries are in a state of flux, due to active development.
121 * Fixes to help build the server on MAC OSX
122 * Cisco VPN 3000 dictionary, as posted to the list by Chris Deramus.
123 * Fix EAP problems with retransmission, from Rainer Weikusat.
124 * Updates to the Oracle module, from Andrea Gabellini.
125 * In xlat, Unix timestamps are unsigned ints.
126 * Security fixes for the Kerberos Module.
127 * New 'post-auth' section, to do additional processing of
128 requests after they've been authenticated.
129 * doc/aaa.txt describes how the server works.
130 * More uniform encoding/decoding of passwords, so that they will
131 be seen as clear-text where possible.
132 * radwho and radzap now read 'radiusd.conf' to discover where the
133 radutmp files are located. Patch from Andrea Gabellini.
134 * Preliminary 'expression' module, to allow you to do cool things
135 like: Session-Timeout = `%{expr:3600 - %{sql:SELECT ...}}`
136 * Added ability to do xlat on check items, and reply items,
137 so that the value of the reply attributes can be dynamically
139 * Added MIBs, taken from the RFC's. This makes SNMP queries to
140 the server a little easier to set up.
141 * Don't SEGV when we receive a packet which is larger than the
142 size claimed in the RADIUS portion. Patch from Vaughn Skinner.
143 * SNMP patches from Harrie Hazewinkel.
144 * Added Altiga dictionary, from Calum <calum.aug02@umtstrial.co.uk>
145 * New Rewrite-Rule for rlm_attr_rewrite, to selectively choose
146 which rewrite rule is performed, and when.
147 * Minor bug fixes for radrelay.
148 * Bug fixes in SQL and sub-modules.
149 * Major updates to dialup_admin.
150 * Fixed handling of tagged string attributes, so that the server
151 doesn't go off into never-never land.
152 * Cleaned up experimental rlm_smb, so that it builds on more
154 * Don't over-write request->reply->vps with the Reply-Message,
155 when doing authentication rejects with Exec-Program-Wait.
156 * Added 'instantiate' section, so that modules like 'expr',
157 with only an 'xlat' function can be registered.
158 * Allow '{' and '}' in xlat'd strings.
159 * C++ compatibility patch from Andrey Kotrekhov, for libradius.
160 * Automatically decrypt/encrypt User-Password, so that debugging
161 mode will print out the text password, and not the random
162 garbage it previously showed.
163 * Cleaned up header files and function prototypes for the SQL
166 FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high
168 * Allow attributes of type 'date' to be sent in outgoing packets.
169 Bug found by Loh John Wu <ljwu@sandvine.com>
170 * Add 'Realm' attribute, even if it's a LOCAL realm.
171 Bug noted by Chris Brotsos.
172 * Added experimental SMB authentication module, which uses
173 PAP passwords to authenticate against an NT-Domain.
174 NT/LM-passwords are not currently supported.
175 * More documentation for rlm_passwd, rlm_mschap, and rlm_digest.
176 * 'configure' changes to better find sem_init and friends.
177 * Allow the use of previously installed libtool, and libltdl.
178 This appears to help a lot on FreeBSD.
179 * Fixes to work on non-threaded builds.
180 Patch from Rainer Weikusat.
181 * SQL now re-connects to the server, if the connection is lost.
182 Currently only MySQL is fixed, but other patches will follow.
183 Patch from Todd T. Fries.
184 * Added experimental use of dynamicly translated variables,
185 CallBack-Number = `%{request:Calling-Station-Id}`
186 sets the value of the CallBack-Number attribute to the value of
187 the Calling-Station-Id in the original request.
188 * Cute hack: Allow regex matching on IP addresses, by placing
189 the string representation of the IP address (1.2.3.4) into
190 the internal data structure. This allows things like
191 NAS-IP-Address =~ "^192\.168", which may be useful.
192 * Add documentation for experimental rlm_dbm module.
193 * Added experimental Perl module.
194 * Added the relevant IETF RFC's (standards documents) to 'doc/rfc',
195 along with some simple perl scripts to convert them to cross-
197 * Updated the experimental Python module.
198 * Added Cisco SSG VSA's
199 * When rejecting authentication due to external Exec-Program, do
200 NOT free the reply pairs, as the server core will take care of
201 doing that. Bug noted by Thomas Jalsovsky
202 * New experimental module: rlm_cram
203 Supports APOP, CRAM-MD5, CRAM-MD4, CRAM-SHA1 with it's own
204 VSA's. This module may be used for SMTP/POP3/IMAP4 server
206 * Make Exec-Program and Exec-Program-Wait work in debugging mode.
207 * Finalize the radrelay additions, based on Cistron RADIUS
208 Patches from Simon <lists@routemeister.net>
209 * Fix issues with linking, by making libradius shared.
210 * Fix issues with MD4, MD5, SHA1, and use of OpenSSL
211 * Update rlm_x99_token module to compile.
213 FreeRADIUS 0.6.0 ; Date: Date: 2002/07/03 14:16:33 , urgency=high
215 * Many bug fixes. For explicit details, see:
216 http://www.freeradius.org/cvs-log/
217 * Change to the user/group specified in the config file in all
218 modes ( debug and daemon ).
219 * SQL sockets are rotated so that all are used, to prevent the
220 SQL server timing out and closing unused sockets. Patch from
222 * Sybase driver from mattias@nogui.se.
223 * Modules are now versioned.
224 * Delete garbage Proxy-Reply attributes sent by the home server
225 before performing our own reply.
226 * Fix race conditions when duplicate packets resulted in a request
227 being processed by two threads, at the same time.
228 * Add '-d' command-line option to radwho
229 Bug noted by Matthew Schumacher
230 * Corrected issue that when a home server never replied to a
231 proxied request, the server may die.
232 * In SQL, look in radcheck, if not found there, try radgroupcheck.
233 Patch from Thomas Jalsovsky.
234 * Set sql user name for ALIVE accounting packets, too.
235 Patch from Simon <lists@routemeister.net>.
236 * Use port-specific checking for realms, now that we can proxy to
237 different auth/acct servers for the same realms.
238 Patch from Eddie Stassen.
239 * Minor updates to encrypted tunnel passwords.
240 * Default 'run_dir' is now /var/run/radiusd, not var/run.
241 /var/run is writeable only by root, and radiusd may be run suid.
242 * Modules are now versioned, so that upgrading the server
243 ensures that the new modules are installed.
244 * Fix sql code, so that magic SQL characters don't get the
246 * Remove references to "UNKNOWN-NAS" in log messages.
247 * Properly handle fork() and obtaining child processes exit
248 status when using threads. (pthread is broken w.r.t. signals)
249 * Correct code which would send erroneous reject, when the reject
250 was delayed, and a new request came in.
251 * Fix race condition where proxied requests would sometimes never
252 be re-sent. Bug noted by Eddie Stassen.
253 * Corrected LDAP3 schema
254 * Implemented Digest authentication, as per IETF document
255 draft-sterman-aaa-sip-00.txt, to perform authentication against
257 * If no password or group files have been specified in the config,
258 use the standard system calls to find them, rather than giving
259 up. Patch from Steve Langasek.
260 * Return Proxy-State attributes in a delated Access-Reject
261 * Corrected 'session zap' logic, when an old and unused session
262 is deleted from the databases. Accounting packets with garbage
263 Client-IP-Address attributes should no longer be a problem.
264 * Bug fixed in LDAP attribute map, for MS-CHAP related attributes.
265 * Fixes to the EAP module to work better with XP.
266 * Support for MS-SQL, using the FreeTDS library,
268 * New operators =* and !*. See 'man 5 users' for details.
269 * Added translation for %{config:section.subsection.item}, to
270 allow run-time translation of internal configuration parameters.
271 * New rlm_sqlcounter module, to keep counters based on SQL data.
272 * Fix rlm_realm, to allow seperate proxying of accounting and
273 authentication requests.
274 * Bug fixes in PostgreSQL back-end, from Andrew Kukhta.
275 * Increase internal buffers, to allow large SQL query strings.
276 * Added debug level 3 (-xxx), where debug messages have time stamps.
277 * Fix 'radwho' to use the correct radutmp file, as found by
278 'configure' (but radwho still doesn't read radiusd.conf)
279 * Fix bugs in tunnel (tagged attribute) code, which would prevent
280 tagged attributes from being generated correctly in a packet.
281 * Build only 'stable' modules by default. Experimental modules
282 require --with-experimental-modules to be passed to 'configure'
283 * New module rlm_ippool, to do server-side IP pooling.
284 * Fix rlm_eap module for portability, to work on non-x86 platforms.
285 * Re-connect to the LDAP server if the connection idles out
286 * Increased the visibility of the warning messages when doing
288 * Fixed EAP module to use 16-bit integers, so that it will
289 work on big-endian architectures.
291 FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium
293 * Many bug fixes. For explicit details, see:
294 http://www.freeradius.org/cvs-log/
295 * Added Foundry dictionary, from Thomas Keitel
296 * Fix a logic bug in the 'walk over request list' code, which
297 would sometimes result in a request being deleted while it
298 was still being processed. Found by Rainer Clasen
299 * New 'tuning' guide, for optimizing the server's speed.
300 * The default ports are now 1812/1813, which is the standard.
301 * Fix a bug which would hang the server when many SQL connections
302 were open. Found by Cvetan Ivanov <zezo@spnet.net>
303 * Updated MySQL schema, with sanity checks, based on a schema from
304 Thomas Huehn <huehn@eozaen.net>
305 * Added 'Aptis' (Nortel CVX) dictionary.
306 * Added Ipv6 attributes (as 'octets' type for now)
307 * 'xlat' capability for SQL, so other modules can do SQL queries.
308 * We don't need a shared secret for LOCAL realms.
309 * Added better description of internal variables.
310 * Configurable fail-over to DEFAULT realm. Sometimes we don't
311 want to use the DEFAULT realm, if all configured realms are
312 marked dead. From Rainer Clasen.
313 * new configuration items 'max_attributes' and 'reject_delay'
314 If the packet contains too many attributes, it can be rejected.
315 We can also delay sending an Access-Reject, which slows down
317 * Updates to redhat scripts and spec file, from Marko Myllynen.
318 * Python module (EXPERIMENTAL) from migs paraz <mparaz@yahoo.com>
319 * Add ability to find *best* match when comparing attributes.
320 If there is more than one attribute in a request and the first
321 one doesn't match, go check the second one, instead of failing.
322 * unixODBC support for SQL, from Dmitri Ageev <d_ageev@ortcc.ru>
323 * Use thread-safe versions of library calls. This work is still
325 * New rlm_passwd module, to allow general parsing of passwd-style
327 * Preliminary EAP-TLS support.
328 * Updated LDAPv3 schema
329 * Correct checks for Odbc, and fix bugs in the module.
330 Andreas Kainz <aka@maxxio.at>
331 * MAN page fixes and updates
332 * Added PHP web interface 'dialup_admin'
333 * Password = "UNIX" or "PAM" backwards compatibility removed.
334 * Use the operators in the SQL schema and queries, and bug
335 fixes in the SQL module.
336 Randy Moore <ramoore@axion-it.net>
337 * fgetpwent() compatibility, for systems without it,
338 from Daniel Carroll <freeradius@defiant.mesastate.edu>
339 * Added PAP authentication module, as a step to removing
340 most authentication handlers in other modules.
341 * Send a Access-Reject after max_request_time
342 * Multiple fixes in the LDAP module.
343 * Quintum dictionary by Jeremy McNamara <jj@indie.org>
344 * Preliminary EAP Module with MD5 support
345 Contributed by Raghu <raghud@hereuare.com>
346 * Better sanity checking for bad VSA's when receiving a packet
347 * new 'xlat register' so that attribute values may be pulled
348 out of configurable databases at run-time.
349 e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
350 * Minor fixes to debian package rules
351 * Attribute 'Password' deprecated in favor of 'User-Password'.
352 * MS-CHAP and MS-CHAPv2 MPPE support added.
353 Contributed by Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp>.
354 * X9.9 token enhancements (several).
356 -- Alan DeKok <aland@ox.org>
358 FreeRADIUS 0.4.0 ; urgency=low
360 * Allow the MS-CHAP module to work, and to read /etc/smbpass
361 3APA3A <3APA3A@SECURITY.NNOV.RU>
362 * Remove the server requirement that one of User-Password
363 or CHAP-Password exist when doing authentication. These
364 checks should be handled by the modules. This change
365 also prepares us for EAP.
366 Patch from Raghu <raghud@hereuare.com>
367 * Make NAS-Port-ID in radwho, raduse, etc. unsigned,
369 Patch from John Morrissey <jwm@horde.net>
370 * Allow \t and \n inside of configuration strings.
371 Frank Cusack <fcusack@fcusack.com>
372 * X9.9 Challenge-Response token card support.
373 For now, only CRYPTOCard tokens are supported.
374 Frank Cusack <fcusack@fcusack.com>
375 * Fix core dump on Solaris in radwho.c
376 Patch from Eddie Stassen <eddies@saix.net>
377 * Fix leak / core dump in Oracle module.
378 * Fix memory leak in rlm_counter
379 Kostas Kalevras <kkalev@noc.ntua.gr>
380 * "LOCAL" realms do not need to have an entry in the 'clients'
381 file. Philippe Levan <levan@epix.net>
383 -- Alan DeKok <aland@ox.org>
385 FreeRADIUS 0.3.0 ; urgency=low
387 * Added ability to send debug messages to the log file, when
388 running in daemon mode.
389 * Miscellaneous fixes to get Debian packaging working.
390 * When trapping a signal, don't SIGKILL children on a SIGTERM,
391 SIGTERM them, instead. This allows Exec-Program scripts to
392 catch the signal, and finish processing, instead of dying.
393 Bug noted by Michael Chernyakhovsky <magmike@mail.ru>
394 * Increased limit on length of user name read from /etc/passwd,
395 to match the maximum allowed by RADIUS.
396 Bug noted by "Gonzalez B., Fernando" <fgonzalez@manquehue.cl>
397 * Configurable fail-over when proxying packets. If the
398 home server doesn't respond to a repeated proxied request,
399 it's marked as 'dead', and the next one in the list is used.
400 Patch by Eddie Stassen <eddies@saix.net> and <spirn@21cn.com>
401 * Pass Access-Challenge attributes through the server, in
403 Raghu <raghud@hereuare.com>
404 * More fixes for RFC compliance on the Message-Authenticator
405 Raghu <raghud@hereuare.com>
406 * Merged OSFC2/OSFSIA authentication patches from Cistron.
407 (Bug # 104) The patches are not well tested, however.
408 * IBM DB2 UDB V7.1 SQL driver, contributed by
409 Joerg Wendland <wendland@scan-plus.de>
410 * Fix the IP + Port address assignment.
411 Bug found by "John Padula" <john_padula@aviancommunications.com>
412 * Patch to avoid smashing the contents of Ascend binary filters.
413 Michael Chernyakhovsky <magmike@mail.ru>
414 * Create and Validate Message-Authenticator attribute, in
416 * Initialize variables properly in rlm_attr_filter.
417 Patch from Andriy I Pilipenko <bamby@marka.net.ua>
418 * Renamed RedHat init script from 'radiusd.init' to 'radiusd'.
419 This allows it to work properly with the RedHat rc system.
420 Patch from Christian Vogel <chris@amor.iksys.de>
421 * Fix the configure script checks for PostgreSQL, so that
422 they use the 'test' command properly.
423 Bug found by Robert Haskins <rhaskins@ziplink.net>
424 * Change instances of 'assert' to 'rad_assert', so that it
425 can log the error to the standard radius log files.
426 Patch from Vesselin Atanasov <vesselin@bgnet.bg>
427 * Patch to prevent segv when freeing results, from
428 Tomas Heredia <tomas@intermediasp.com>
429 * Added support for Exec-Program to acct. Bug found by
431 * Corrected rlm_files so that raddb/acct_users works
432 * When doing synchronous proxying, update proxy next try
433 entries, so that the server doesn't eat CPU time.
434 Raghu <raghud@hereuare.com>
435 * Add primitive dictionary.nomadix <CBoyd@apogeetelecom.com>
436 * Log messages to console, if the logger hasn't been
437 initialized. <vesselin@bgnet.bg>
438 * Log invalid user for proxy rejects, too. <help@visp.net>
439 * Fixed Expiration attribute handling.
440 * Added code to handle Ascend-Send-Secret and Ascend-Receive-Secret
441 * Removed non thread-pool code. If we have threads, we now force
442 the use of thread pools.
443 * Update version number
444 * correct bug where proxied accounting packets would never have a
445 reply sent back to the NAS, or the reply would be sent twice.
447 -- Alan DeKok <aland@ox.org>
449 FreeRADIUS Alpha 0.2.0, July 30, 2001.
451 * call openlog() again when using PAM, to get the correct log
453 * Update child thread code, to minimize race conditions.
454 * Make thread pools the default. Using plain child threads is NOT
456 * Ignore SIGPIPE to get ride of crashes when using ldap.
457 * Update proxying code to work better.
458 * Platform independent pthread_cancel()ling
459 * Fix 'unresponsive child pid' erroneous warning messages.
460 * Many changes to get various SQL modules working.
461 Note that there may still be some issues with Oracle.
462 * Added configure options 'with-rlm-FOO-include/lib-dir', so that
463 lower-level rlm_FOO modules can be configured via the top-level
464 configuration file. This isn't completely done yet.
465 * Fix check for shared library using libtool info, instead of
466 assuming extension being ".so".
467 * Fixes for HPUX. We probably need more.
468 * Many additional bug fixes and changes.