***************************************************************** RadiusNT and RadiusX change history for versions 6.x, 5.x ***************************************************************** Modified: 5/10/2021 Copyright (c) 1999-2021 IEA Software, Inc. All rights reserved worldwide. This file contains important, late-breaking information about changes made within RadiusNT/X. We recommend that you read this file and keep a printed copy with your RadiusNT/X documentation. For updated CHANGES.TXT files and additional information about installing and running RadiusNT/X, please visit our Support Web site for updated documentation at http://www.iea-software.com/support. Tip: If necessary, choose Word Wrap from the Notepad Edit menu or Wrap To Window from the WordPad View/Options menu to wrap the text within the document window. Note: All changes starting with 'UNIX:' are specific to the RadiusX products and do not affect RadiusNT. Any change starting with a version number in brackets '[x.x]' applies only to that version of the product. ---------------------------------------------- CHANGES.TXT CONTENTS ---------------------------------------------- . KNOWN PROBLEMS . RELEASE CHANGES . 
TECHNICAL SUPPORT ---------------------------------------------- KNOWN PROBLEMS ---------------------------------------------- * None ---------------------------------------------- RELEASE CHANGES ---------------------------------------------- Radius 6.0.19, 5.1.108 - 5/10/2021 -- * Added log action being performed with database error messages * Added include text of failure reason in log entries when an error occurs sending UDP packets * Added removed invalid cursor class of failures from dbpool reconnect whitelist * Fixed packet replay retransmits stored response to wrong host Radius 6.0.18, 5.1.107 - 3/29/2021 -- * Added upgraded TLS support libraries * Added redundant datasource monitoring and connection status change announcements to dbpool replacing connection test via server maintenance thread * Added when in database mode delay server startup until one or more databases are available * Added improve reporting of socket binding related failure messages * Fixed rating step cost matching type does not work as expected failing to properly apply first and second colors to each interval of the range * Fixed Y2038 workarounds no longer needed and should be removed * Fixed connection status should not be checked by prior to executing database queries * Fixed exception free initialization should be used for encryption manager and all query instances * Fixed unsafe time functions should be replaced * Fixed tagged string attributes with type values above 31 should be treated as strings * Fixed database connection pool not properly sized when redundant datasources configured and pool allocation failures should be logged Radius 6.0.13, 5.1.104 - 8/20/2019 -- * [6.0] Added RadGetPoolConfigs v6 schema and detection of result sets supporting attribute merge operations * Added EAP-PEAP and EAP-TTLS support for TLS version 1.3 * Fixed encrypted passwords and secrets should always be trimmed prior to use Radius 6.0.12, 5.1.104 - 1/28/2019 -- * Fixed sequence server access 
checking before time/data left checking so that authentication failure resulting from no time/data allocation cannot be overridden by failure attributes when server access is denied * Fixed replace custom list and memory management for filtering and EAP registry * Fixed data rates conditioned on time sets should only increment historical time and data usage counters over subset of range currently costed * Fixed dynamic rating variables in data dimension for greater than less than rule comparisons without specifying data rate having rule set linked to time set have their values incorrectly multiplied by number of elements comprising the time set * Fixed failure to create one or more threads while initializing multi-threaded work scheduler should result in initialization failure Radius 6.0.11, 5.1.104 - 9/10/2018 -- * Added IPv4/IPv6 CIDR range source filter search type * Added improve type conversion associated with each filter search type * Added switch to pthreads for rw locking on Linux platform * Added service type DataLeftAuth flag to manage whether services with no data remaining should cause authentication failure * Added prevent hash table downscale for users, service types, server access and virtual class * Added support tagged attribute when writing to accounting output tables * Fixed regular expression source filter search type always matches on attributes of type string * Fixed merge operations should be respected when applying failure attributes on authentication failure Radius 6.0.10, 5.1.104 - 7/10/2018 -- * Added EAP-PEAP and EAP-TTLS support for TLS version 1.1 and 1.2 * Added L3 IPv4 address specific authentication similar to L2 MAC authentication feature * Fixed multi-threaded work scheduler leaks synchronization objects during controlled shutdown * Fixed improve reliability of dbpool, registry and keychain when insufficient resources exist to complete initialization Radius 6.0.9, 5.1.104 - 4/10/2018 -- * Added include error cause when reporting 
name resolution failures * Added bypass balance checking for rates where balance based session limiting is enabled and consumption unit of rate is data or time left * Added increase per-process open file limits on Linux platform to at least 4096 * fixed quantization error when rating data over fraction of total session duration with very short data range causes rate to be ignored due to lack of apparent change in data dimension * Fixed improve front end checking for attempts to authenticate with an empty NAI Radius 6.0.8, 5.1.104 - 12/10/2017 -- * Added rate limit accounting transaction start failure warnings * Added backoff delay between accounting transaction failures Radius 6.0.7, 5.1.104 - 11/15/2017 -- * Fixed address lookup failure retrieving server password for MAC authentication * Fixed query error when writing attribute values as integer fields to RadLogs table * Fixed when accounting requests from unauthorized systems are discarded the dropped counter rather than malformed request counter should be incremented Radius 6.0.6, 5.1.103 - 7/12/2017 -- * Fixed track last configuration refresh with SNMP stats * Fixed synchronize access to SNMP stats update * Fixed QKS variable parser is now inherently secure Radius 6.0.5, 5.1.103 - 6/1/2017 -- * Fixed rating history upload process does not completely compensate for upload failures leading to possibility of same usage being uploaded more than once * Fixed rating update fails when rating call records with session references Radius 6.0.4, 5.1.103 - 2/2/2017 -- * Added upgraded SSL support libraries * Fixed replaced accounting time functions Radius 6.0.3, 5.1.102 - 1/25/2017 -- * Added record warning to accounting log and failover to database when system clock used for accounting timestamp is suspected of being invalid Radius 6.0.3, 5.1.101 - 1/19/2017 -- * [6.0] Added GlobalServerPassword registry key to support MAC password authentication for unknown clients where GlobalSecret is used * Added reveal whether a 
value is set in configuration debug output for sensitive configuration data fields * Fixed EAP authentication fails with bad password on 64-bit version of RadiusX for Linux Radius 6.0.2, 5.1.101 - 9/16/2016 -- * Added display source port with packet id within requests debug output * [6.0] Added disable smart cache by default Radius 6.0.1, 5.1.101 - 7/20/2016 -- * Added switch all query related string processing to dbpool * Added move Message-Authenticator validation if present/required to occur prior to username and password related constraint checking * [6.0] Added remove command triggers and Desktalk related custom flags * [6.0] Added time range syntax validation improvements to better detect formatting mistakes and reduce ambiguity * [6.0] Fixed replaced rating interface RateBytesUp and RateBytesDown with RateDataLeft Radius 6.0.0, 5.1.101 - 4/26/2016 -- * Fixed desired socket type missing when performing name lookup while transmitting log messages to syslog server * Fixed primary key constraint failure should trigger batch failure within accounting spooler * Fixed reset nocount when using SQL Server database on accounting batch failure * Fixed update SQL server database driver on Linux platform to correct transaction management failures Radius 6.0.0, 5.1.100 - 4/10/2016 -- * [6.0] Added if username missing or empty, MAC authentication is enabled for NAS and Calling-Station-Id is MAC formatted treat Calling-Station-Id as username * Added improve and consolidate type marshalling for attribute filtering and custom query processing * Added when UDP send fails transmitting a RADIUS packet socket error information now included with logged failure message * Fixed enforced port access time limit restriction may be logged as port access denied * Fixed service type label must be trimmed while caching service attributes to prevent service types with leading or trailing spaces from failing to match applicable service type default * Fixed packet replay to an IPv6 interface 
fails * Fixed concurrent login enforcement using default profile during authentication fails on the Linux platform * Fixed AV user domain must never be stored in the global string cache Radius 6.0.0, 5.1.99 - 12/10/2015 -- * Added transmit matching services AccountID for authentication failure in RadLogs if column exists and a service match is possible * [6.0] Fixed improved server password and account password handling and missing failure messages * [6.0] Fixed remove database timestamp offset option for authentication and accounting * Fixed removed session id based NAS clearing hint and options Radius 6.0.0, 5.1.98 - 6/5/2015 -- * Added not-substring matching option to attribute filtering system * [6.0] Fixed server password was not decrypted before use * Fixed null data should be treated as empty string when matching values via attribute filtering system * Fixed failures should be atomic while adding keys when insufficient memory exists * Fixed check reference count while processing EAP state removal hints Radius 6.0.0, 5.1.97 - 2/16/2015 -- * Added provide session encryption keys when authenticating via EAP-MSCHAPv2 * Added improved formatting of Access-Challenge packet debug output * Fixed AV possible checking server access before configuration has been downloaded * Fixed AV when roam server result set does not provide required fields * Fixed reference count may not be reset while checking in EAP state * Fixed length may be reported incorrectly within error message presented when Digest-Entity-Body-Hash is not 32 bytes * Fixed memory leak possible if server access configuration is not successfully validated * Fixed stop processing accounting request earlier upon accounting authenticator failure * Fixed remove minimum hostname length requirement for syslog servers * Fixed allow case insensitive hostip attribute filter match * Fixed AV possible loading rejects with no data or value * Fixed unsafe function use in vendor token security libraries Radius 6.0.0, 
5.1.95 - 1/29/2015 -- * Added improved informational log messages when discarding authentication requests * Added check, reject and LDAP mapping attribute support for data types int64, octets and binary filters * Fixed memory leak clearing expired EAP state * Fixed removed interim accounting configuration and -h and -H CLI parameters * Fixed added lock for deferred replacement of user reply attributes * Fixed AV when authenticating with invalid signature and no username * Fixed unlocked data access while reporting reject attribute checking outcome * Fixed removed global string cache on user controlled realms * Fixed uninitialized memory access after authentication failure * Fixed double free possible when user has one or more check attributes and authentication fails after successfully verifying check attributes Radius 6.0.0, 5.1.94 - 1/22/2015 -- * Added queue NAS restart messages * [6.0] Added timestamp parameter for RadClearNAS to improve NAS restart indication * Fixed allow PEAP/TTLS certificates to load in absence of PEAPSSLCert setting * Fixed AV while adding stored procedures to accounting spooler Radius 6.0.0, 5.1.92 - 12/10/2014 -- * Added TLS certificate wizard to automate creation of private keys, CSRs and self-signed certificates for PEAP/TTLS authentication * Added allow configuration of separate files for PEAP/TTLS public and private keys * Added when multiple datasources are configured concurrently in RadiusNT/X Administrator stack rather than interleave pool access * Added when no bind addresses are configured IPv4 auto-configured interface addresses should be excluded from the listen interface list Radius 6.0.0, 5.1.91 - 10/29/2014 -- * [6.0] Added two person encryption key management * Added upgraded SSL support libraries * Fixed missing type conversions for IPv6 address and prefix when uploading accounting data Radius 6.0.0, 5.1.90 - 8/28/2014 -- * Fixed apply treat as local strip domain to inner identity * Fixed PEAP-MSCHAPv2 peer challenge 
fails when realm name is used * Fixed improved filter tag matching when tag information unavailable * Fixed allow authentication input filter to modify password from auth request * Fixed AV handling unknown attributes loading database users * Fixed attribute filter search type failures Radius 6.0.0, 5.1.89 - 7/23/2014 -- * [6.0] Added attribute filter regular expression search option * [6.0] Added per client group password for ID/MAC authorization * [6.0] Added allow authentication with no service type authorization attributes * [6.0] Added remove SNMP concurrency and configuration persistence without database access * [6.0] Added remove NAS clearing version discovery * [6.0] Added signal need for RadGetConfigs from RadGetUser * [6.0] Added rating engine session identifier level aggregation * [6.0] Added TimeRef column to Calls upload * Added class attribute timestamp based replay protection for archived or deleted call records * Added improved attribute type conversion from Data column during attribute download * Added Value column now optional during attribute download * Added removed option to allow accounting without authenticator validation * Added improved EAP-PEAP-MSCHAPv2 compatibility with android platform * Added reduced memory utilization of attribute data * Added attribute filter current time search source with time range matching * Added attribute filter not equal search option * Added attribute filtering improved data type conversion * Added decrypt User-Password prior to processing authentication input filter * Added duplicate filtering within accounting upload transactions * Added reduced memory utilization of accounting spooler * Added query batching for accounting spooler upload transactions * Added sub-millisecond reporting during accounting spooler high utilization logging * Fixed unable to authenticate using EAP-TTLS-PAP or EAP-TTLS-MSCHAPv1 * Fixed invalid length field in MSCHAPv2 response affecting EAP-PEAP-MSCHAPv2 and EAP-TTLS-MSCHAPv2 * 
Fixed outer User-Name not used properly while authenticating EAP-TTLS with missing inner User-Name attribute * Fixed memory leak possible handling deferred storage of externally mapped values * Fixed missing compensation for accounting upload transaction failure * Fixed RADIUS requests smaller than underlying UDP packet should not be assumed malformed * Fixed vulnerable password replace feature * Fixed invalid assertion loading service type attributes * Fixed check client concurrency enforcement setting by NAS-IP prior to requesting client address Radius 5.1.88 - 3/10/2014 -- * Added secure functions for ellipses processing on Windows * Added increase initial count of primary and backup database connections reserved * Added upgraded SSL support libraries * Fixed IPv6 attribute types not provided to rating engine while rating auth requests * Fixed invalid warning message logged while attempting to decrypt unencrypted fields smaller than 5 characters Radius 5.1.87 - 8/10/2013 -- * Added do not abort on failed interim leadership updates while downloading call records * Added access time format supports one month day - month day range and week of month expressed as first, second, third and fourth * Fixed assume CallIDs when rating usage are complete and non-sequential * Fixed any retryable failure within a RateGetCalls batch must fail the full batch Radius 5.1.86 - 6/10/2013 -- * Added accounting spooler high utilization, query and commit time logging * Added access time settings for server port access * Added use secure random source to obtain unique proxy id * Added removed ascend max time option * Added respond with Access-Reject to EAP TLS negotiation failure * Added ECDH EAP TLS ciphers * Added 30/1 and 60/1 rounding types to rating engine Radius 5.1.85 - 4/20/2013 -- * Added replace TLS session callbacks * Added LDAP bind and search debug messages display directory server response time in milliseconds * Added improve EAP failure messages * Added increase size of 
LDAP connection pool * Added log warning messages when LDAP authentication requests are delayed longer than 5 seconds on connection availability * Added rating engine time set support for last week of month * Fixed false session failure when processing EAP-PEAP and EAP-TTLS types Radius 5.1.84 - 2/14/2013 -- * Added upgraded TLS support libraries * Added removed LDAP status poller * Added replaced LDAP support libraries and configuration options * Added admin directory server connection check while saving configuration * Added support for starent VSA format Radius 5.1.83 - 10/29/2012 -- * Added increased information provided during syslog failure messages * Fixed invalid MPPE session encryption keys after MSCHAPv2 authentication Radius 5.1.82 - 5/24/2012 -- * Added 64-bit rating data interval * Added session counter variable while rating authentication requests * Added rating engine step cost match type * Fixed quoted column labels in accounting spooler * Fixed dictionary schema checking occurred on accounting rather than authentication datasource Radius 5.1.81 - 2/10/2012 -- * Added automatic local log file rotation using labels YYYY, YY, MM and DD * Added RGU/RGCU rating engine support for RateBytesDown, RateBytesUp and RateTimeLeft fields * Added attribute filter data left variables $dataleftlow and $datalefthigh to support 32-bit data consumption limit VSAs * Fixed PEAP/TTLS fragmentation error when certificate is larger than a RADIUS message * Fixed IP address prefix validation error * Fixed IPv6 address attributes within access accept messages are not transmitted * Fixed MySQL date formatting changed from YYMMDD to YY-MM-DD * Fixed dbpool mark connection suspect should begin transaction fail Radius 5.1.78 - 11/10/2011 -- * Added increased concurrency of server access and accounting table format processing * Added max service type label length for server access enforcement increased to 64 characters * Added rating engine enhancements configurable costing 
dimension, classifier data source attributes, session counting, datasource attributes may override matching dynamic aggregate attributes, custom historical update query * Fixed deadlock possible on windows platform while managing PEAP/TTLS fast session resume cache or while rating authentication and accounting requests * Fixed AV may be possible when processing DNIS server access and check attributes * Fixed column bind failure when loading accounting columns results in lock reference error Radius 5.1.76 - 7/10/2011 -- * Added automatically convert integer data types of VSAs having 8 byte payloads to 64-bit integer types * Added accept Emerald 6 license keys * Fixed AV while generating LAN Manager hash for MSCHAP password verification Radius 5.1.75 - 5/10/2011 -- * Added advanced menu option to assume local clock is always synchronized with RDBMS disabling database clock offsets Radius 5.1.74 - 3/10/2011 -- * Added advanced menu option requiring all access-request messages to include message authenticator (signature) attribute * Added upgraded SSL support libraries * Fixed AVP encode failure when multiple consecutive VSAs of vendor type zero (Colubris-AVPair) are sent * Fixed remove text users file maximum license limit of 100 entries when RadiusNT only license keys are used * Fixed plaintext password entry into text users file must override octets type input filter preventing weak passwords matching 0-9a-f with an even number of digits from being interpreted as hexadecimal input Radius 5.1.71 - 1/10/2011 -- * Added increased RDBMS accounting buffer to allow larger numbers of RADIUS attributes to be uploaded to accounting table * Added upgraded SSL support libraries * Fixed AVP encoded length may be incorrect when multiple consecutive VSAs of the same vendor type are sent * Fixed single byte overflow obtaining sqlstate parameter during query error Radius 5.1.69 - 10/26/2010 -- * Added transactional AVP encoder and decoder to support new data types and packet 
formats * Added data types - combo IPv4/IPv6 address, 16-bit integer, 8-bit integer and 32-bit signed integer * Added nested TLVs, attribute fragments and extension attributes * Added unknown attributes can now be forwarded and processed using the octets data type * Added removed allow malformed packet configuration options * Added bound outgoing messages to maximum RADIUS packet length * Fixed rating engine data rates in time rate context with multiple rates may ignore previous local authorization settings * Fixed rating engine should zero data dimension when rating in the time dimension and there is no time interval Radius 5.1.67 - 9/10/2010 -- * Fixed requests from unauthorized clients are logged with the dotted fields of the IPv4 address in reverse order * Fixed RADIUS authorization attributes uploaded from the rating system during authentication should be limited to only those attributes applicable at the instant of authentication rather than to subsequent rule matches throughout the costed dimension * Fixed session duration limits based on current balance from rating engine is not enforced when the InitialCost attribute is uploaded to specify the starting cost of the session * Fixed authentication reject for users associated with one or more rates having no default rules should only be enforced when there are one or more rate matches via rate class Radius 5.1.66 - 6/16/2010 -- * Fixed tag attributes are not processed properly when applied to VSAs * Added database users service type can be accessed from the variable $accounttype during filter processing * Added Cisco avpair attribute parsing combines portions of variables separated by ':' character Radius 5.1.65, 4.0.88 - 5/10/2010 -- * Added reply attribute management update * Added allow filters using the equal match type to work with string data types * Added changed PEAP v1 PRF magic to match PEAP v0 for Apple compatibility * Fixed thread safe SNMP query functions * Fixed disallow users file default users 
in database mode Radius 5.1.64, 4.0.88 - 3/5/2010 -- * Added IPv6 transport support for RADIUS messages, rating engine, syslog and RadiusNT/X administrator UI * Added increased maximum UDP listener sockets from 64 to 128 * Added improved attribute indexing system * Added syslog messages can be distributed to multiple syslog servers based on DNS configuration * Added DNS name lookup caching * UNIX: Added when no bind addresses are configured the server now binds separatly to each network interface * Added logging for all transport send operation failures Radius 5.1.63, 4.0.88 - 1/11/2010 -- * [5.1] Fixed single byte overrun when authenticating users with NT hash passwords * Fixed memory leak retrying authentication requests Radius 5.1.62, 4.0.88 - 11/5/2009 -- * [5.1] Added PAP and MSCHAP support for passwords stored in NT hash form * [5.1] Fixed RadiusX restarts on systems with Sparc processors when multi-threaded authentication has been enabled * [5.1] Fixed SHA1 dependent authentication algorithms fail on Solaris platform Radius 5.1.60, 4.0.88 - 9/10/2009 -- * [5.1] Added support for IPv6 prefix attribute types * Fixed IPv6 string representations trailing zeros not properly compressed * Fixed IPv6 encode failure of certain properly formatted IPv6 addresses Radius 5.1.59, 4.0.88 - 6/15/2009 -- * [5.1] Fixed query errors displayed in authentication log file when a new day starts and no authentication requests have been previously sent since server startup Radius 5.1.58, 4.0.88 - 5/1/2009 -- * [5.1] Added support for marshalling attributes of type octets to the calls table as hexidecimal values * [5.1] Added if MSCHAPv2 validation fails with user only portion of user@realm retry with user@realm * [5.1] Added support for authentication reject when auth rating is enabled, default cost is not configured and no rating rules match Radius 5.1.56, 4.0.88 - 2/21/2009 -- * [5.1] Added current data usage for reauthorized sessions count input and output octets instead of 
output only * [5.1] Added updated supporting encryption routines Radius 5.1.55, 4.0.88 - 12/31/2008 -- * [5.1] Fixed AV caused by EAP inner protocols providing username attributes that contain no value * [5.1] Added filter queries can now convert proxied access reject messages to access accept by returning a query with AttributeID and VendorID set to -1 * [5.1] Fixed rating engine memory leak when reconfiguring active rating rules and a custom classifier query has been associated with a rate Radius 5.1.53, 4.0.88 - 11/22/2008 -- * [5.1] Added support for WISPr-Session data left usage limit VSAs * [5.1] Added 64-bit signed integer data type * [5.1] Added tunnel password and tag tunnel password attribute type configuration * [5.1] Added octets binary data type with ability to enter values in hexadecimal format * [5.1] Fixed TTLS username is not used when identity hiding is enabled via User-Name attribute or EAP-Identity * [5.1] Fixed rating engine when rating requests containing usage for both time and data dimensions data only rates previously required a dummy zero cost time rate to prevent the data only rate from being ignored Radius 5.1.47, 4.0.88 - 8/14/2008 -- * Added workaround for MSSQL 2008 ODBC driver bug causing a numeric overflow error to be displayed when retrieving cached account information * [5.1] Fixed authentication may fail intermittently when large numbers of users are concurrently authenticated using PEAP or TTLS Radius 5.1.46, 4.0.88 - 7/22/2008 -- * [5.1] Added ignore Diameter encoded AVPs containing a zero length payload instead of failing the decode to improve TTLS client compatibility * [5.1] Added startup and shutdown section logging * [5.1] Added updated supporting encryption routines * [5.1] Added support for storage of Emerald database encryption secret key via operating systems secure key store * Fixed when realm service type replacement is enabled and challenge responses are proxied replaced attributes should apply only to the final 
access accept message * Fixed instances where logging messages were incorrectly classified * Fixed when synchronizing account changes via smart cache the per request authentication query timeout should not apply * Fixed AV may occur during the forced shutdown process which can occur when pending operations take too long to complete Radius 5.1.44, 4.0.87 - 4/25/2008 -- * Added support for excluding a service type from DNIS checking unless reverse DNIS checking is enabled by setting a NULL value for the DNISNumber column of SQLDNIS * Added Vista and Windows 2008 compatibility update to account for missing RRAS API calls in these versions of windows * [5.1] Added support for conversion of string port values to integers to maintain compatibility with older Calls table schemas having an integer NASPort column * Fixed malformed RadiusNT/X admin web server post request may cause AV of the admin configuration server Radius 5.1.42, 4.0.86 - 1/26/2008 -- * [5.1] Added reverse counting of SNMP concurrency violations by exception and substring matching of SNMP values to username * [5.1] Added rating engine support for additional rounding options Radius 5.1.41, 4.0.86 - 12/23/2007 -- * Fixed account expiration should be treated as the minimum of MBR and SA expiration when using an Emerald database * [5.1] Fixed incremental cache updates not being performed at configured interval on the Oracle platform using an Emerald 5 database * Fixed failure to preload server access configuration not logged as an error Radius 5.1.40, 4.0.85 - 12/06/2007 -- * [5.1] Fixed rating engine AV while rating accounting records * [5.1] Fixed possible AV while proxy accounting echo and accounting store and forward mode are both enabled * [5.1] Fixed compatibility problem with version 6.x RSA SecurID clients on the windows platform Radius 5.1.38, 4.0.85 - 9/23/2007 -- * [5.1] Added removed boingo VSA 32 from the tunnel password attribute list * [5.1] Fixed primary database connection pool too shallow to 
handle worse case query load * [5.1] Fixed possible AV during long term cache maintenance shortly after midnight * [5.1] Added support for EAP-TTLS PAP/CHAP/MSCHAPv1/MSCHAPv2 * [5.1] Added compatibility with Emerald v5 on the Oracle database platform * [5.1] Added option to customize reply attributes sent in response to an authentication failure * [5.1] Added RFC 4590 SIP/HTTP Digest authentication in addition to draft-sterman-aaa-sip-01 Radius 5.1.35, 4.0.85 - 6/27/2007 -- * [5.1] Fixed the attribute filtering system may not act on requests that determine an authentication response should be rejected or ignored * [5.1] Added rating engine updates supporting InitialCost and StaticCost attributes if avaliable in the rating request * [5.1] Added Req/Resp Code RadFilterTypeID (5) to attribute filtering system to match the RADIUS request or response packet code * [5.1] Fixed disable day + 1 for service expirations only when used with Emerald v5 as this is now controlled via Emerald * [5.1] Added improved zero value port filtering while the "Add virtual NAS-Port if missing" advanced option is enabled * Fixed SHA password hash formats are not properly recognized Radius 5.1.29, 4.0.84 - 4/4/2007 -- * [5.1] Fixed rating engine accounting rating decision was incorrectly controlled by the "Enforce cost-based session limits" advanced option instead of "Allow rating of accounting call records" * [5.1] Added support for Cisco encrypted AVPair attribute * [5.1] Fixed rating engine data only rate with session limit should reject authentication after credit limit has been exhausted * [5.1] Fixed rating engine AV when specific ordered combinations of duplicate attributes of different types are received * [5.1] Added filter out authorization attributes before passing request attributes to the rating engine when rating of authentication requests is enabled * [5.1] Added "data banking" feature to enforce data remaining restrictions similiar to "time banking" * [5.1] Fixed when 
uploading call records the Emerald5 Calls.CallID column must be excluded from column discovery to prevent attributes of the same name from setting a CallID value * [5.1] Added "amountleft" and "dataleft" variables for "auth out" and "auth req+resp" attribute filters * [5.1] Fixed rating engine AV while loading numeric rating rules having a "less than" match type Radius 5.1.25, 4.0.83 - 12/22/2006 -- * [5.1] Added optional "RadCheck" field to second attribute result set of RadGetUser * [5.1] Fixed rating engine requests with null or 0 default cost must still be rated * [5.1] Fixed rating engine zero cost rules were being ignored and assigned default cost * [5.1] Fixed rating engine ~3 sec shutdown delay caused by not waking queue manager * [5.1] Fixed rating engine assert when totals are required by max cost but not any applicable rating rules * [5.1] Fixed rating engine rates with data and time rating rules did not link data starting period costs for enforcement of max charge amount Radius 5.1.24, 4.0.83 - 11/22/2006 -- * [5.1] Added allow conversion of rating engine upload attributes to RADIUS reply attributes * [5.1] Fixed allow Emerald 5 RADIUS enterprise and professional license features * [5.1] Fixed rating engine time indexing error * [5.1] Fixed rating engine authentication failure condition and uploaded reply attributes were not enforced * [5.1] Added allow rating engine data dimension tracking for authentication reauthorization requests * Fixed escape accounting username and nasid * [5.1] Fixed rating engine time remaining calculations now influenced by data rates * [5.1] Fixed rating engine was recording only the first historical update when rating a request * [5.1] Fixed display of invalid AES decryption warnings * [5.1] Added Emerald decryption support for results of query based data filters * Added Boingo encrypted attribute support * [5.1] Added MS Vista PEAP bug workaround for vista client compatibility Radius 5.1.19, 4.0.82 - 9/18/2006 -- * Added 
support for 16-bit Alcatel VSAs
* Added when NAS-Port equals 0 and NAS-Port-ID or another port identifier is available use this instead of NAS-Port
* Added preference internal class attribute least when using attribute filter variables with multiple class attributes
* [5.1] Fixed rating engine update

Radius 5.1.17, 4.0.81 - 7/6/2006 --
* Fixed Password replace feature would incorrectly set password blank when password was ANY or WINNT/UNIX and CHAP authentication is used
* Added SecureRandom configuration option to allow disabling the use of operating system provided random numbers
* [5.1] Fixed incorrect secret when sending outgoing proxy requests using Emerald v5 password encryption with encrypted shared secrets
* [5.1] Added support for online port clear stored procedure RadClearNAS and database configuration option SQLClearNAS
* [5.1] Fixed authentication rating engine errors
* Added expiration dates now include time of day information
* [5.1] Added support for UNIX MD5 encrypted passwords

Radius 5.1.16, 4.0.80 - 3/9/2006 --
* [5.1] Added support for limiting total time a proxy accounting record can remain queued (QueueMaxTime)

Radius 5.1.15, 4.0.80 - 2/15/2006 --
* [5.1] Added support for a virtual NAS-Port if one is not provided by the RADIUS client
* Fixed AV caused by external authentication API attribute checking
* [5.1] Added accounting upload query timeout setting
* Fixed allow proxy of initial request when all roam servers in group are over max rate in store and forward mode
* Fixed load balanced retries may prevent proxy servers that are not responding from being quickly detected
* Fixed allow delayed response removal for authentication requests
* Fixed allow proxy authenticator history for authentication requests
* Fixed roam server reconfigure requests did not transfer current state for all members of a roam domain
* [5.1] Fixed substring attribute filter and proxy attribute match types are now case insensitive
* Fixed proxy retry rate for down proxy
servers was not restricted to the proxy check interval
* Fixed do not allow proxy request duplication when one or more servers are unavailable
* Fixed increase retry partitioning for store and forward proxy mode
* [5.1] Fixed rating engine classifier database errors were being reported as memory allocation errors
* Fixed entering 0 in auth or accounting port field of a roam server now causes authentication or accounting messages to be ignored
* Fixed remove delay between detection of a down accounting server in store and forward mode and resetting of the affected proxy records retry counters
* Fixed AV introduced in 5.1.6 while processing unrecoverable malformed packets
* Fixed allow processing of packets containing unknown attributes with unknown proprietary VSA formats

Radius 5.1.10, 4.0.79 - 1/31/2006 --
* [5.1] Fixed AV caused by use of auth req + resp attribute filter with a destination type of Reject containing destination data
* [5.1] Fixed when using an attribute filter of source type Auth Proxy Out and a destination type of Reject the destination data field is not passed in the reply-message attribute of the access-reject
* Fixed RADIUS messages with no attributes were ignored as invalid
* [5.1] Added custom logging auth out source type now has access to many local access reject messages
* [5.1] Added support for request nak conversion via sql query merge type when VID and AID are 0 Data becomes reply-message
* [5.1] Added include connection group name with accounting spooler related messages
* [5.1] Added proxy queue updates
* [5.1] Added default proxy rate limiting for store and forward accounting mode.
It is still recommended proxy forwarding rates be defined while using this mode
* [5.1] Added authenticator history to validate multiple responses to the same request
* [5.1] Added delay for proxy response removal to allow for secondary responses
* [5.1] Fixed add Acct-Delay-Time attribute with local delay if attribute is not included with accounting record
* [5.1] Fixed ADIF logging errors
* [5.1] Fixed authenticator validation error is incorrectly displayed when validating proxy accounting retry response where retry has changed since initial request
* [5.1] Fixed authentication input attribute filters with a merge type of filter replace may cause an AV
* [5.1] Fixed connection group specific accounting upload queues will eventually incorrectly switch to the default accounting datasource
* [5.1] Fixed allow attribute filter data fields to contain values exceeding the RADIUS per attribute size limit

Radius 5.1.6, 4.0.77 - 12/30/2005 --
* [5.1] Added 'distribution key' search type for attribute filtering and attribute proxy to allow attribute-based deterministic load balancing
* [5.1] Added separate accounting queues for each connection group
* [5.1] Added merge type of 'log query to accounting' which queues filter SQL queries into the accounting spooler
* [5.1] Fixed show contents of attribute filter queries while ODBC debugging is enabled
* [5.1] WIN32: Fixed background database test may not report the correct status information when more than one type of ODBC datasource is used
* [5.1] Added custom logging only attribute filter source types
* [5.1] Default Oracle procedure calls no longer use package syntax.
Existing Oracle installations still using the Radius package should choose the 'RadiusNT/X 5.0 compatibility for Oracle' profile from the custom settings menu within the RadiusNT/X administrator to maintain compatibility with existing stored procedures
* [5.1] Added ability to log unknown attributes via the attribute filtering system
* [5.1] Added rating engine updates to support rating outside of RateHistory
* [5.1] Fixed accounting query retries should not be attempted after an ODBC error with a state class of 37

Radius 5.1.5, 4.0.76 - 11/22/2005 --
* [5.1] Fixed sequence conflict when initially decrypting Emerald v5 AES encrypted shared secrets
* [5.1] Fixed while sending a proxied access-accept message with a configured proxy source port the configured port may be used as the source port instead of the original destination port of the associated request
* Fixed proxy responses with a matched proxy state having an invalid authenticator should not count as receiving a response to an outstanding request

Radius 5.1.4, 4.0.75 - 9/26/2005 --
* [5.1] Added support for Emerald v5 AES password encryption
* [5.1] Added global attribute filtering variable change option

Radius 5.1.3, 4.0.75 - 8/3/2005 --
* [5.1] Added real-time rating engine
* Fixed require exclusive rather than shared access to all authentication and accounting UDP listen ports
* Fixed time stamp of call records logged to a MySQL database are incorrectly formatted
* Fixed passively detecting when a proxy server has recovered from a failure may not occur in some cases
* Fixed allow per-user concurrency control logon limits to exceed 253 concurrent sessions
* Fixed when text and database mode is enabled logging accounting records to local files should be disabled
* Fixed command line option '-f' to test all database connections and exit was not displaying the database status
* Fixed removed unnecessary service type reloads while caching is disabled
* Fixed attempting to locate internal proxy state for
records without a proxy state attribute should only be done while the request does not contain a Proxy-State attribute with a local prefix
* Fixed proxy authenticator validation may fail intermittently while proxying accounting records
* Fixed while proxying requests under high load packets may occasionally be routed to the wrong destination
* Fixed removed possibility of responding with an authentication ack if the Session-Limit attribute is zero
* Fixed treat-as-local roam server setting was not enforced for requests routed using proxy-attributes
* Fixed using Tunnel-Password in a reply attribute can lead to a malformed response
* Fixed using tag attributes in proxied reply can lead to a malformed proxy response
* Fixed when proxying a response containing Tunnel-Password the attribute is decrypted incorrectly in some cases

Radius 5.0.58, 4.0.74 - 7/3/2005 --
* Fixed DNS should not be used to discover NAS-IP-Address when only NAS-Identifier is available for concurrency enforcement
* Added year 2038 workaround

Radius 5.0.57, 4.0.73 - 6/5/2005 --
* Fixed enabling logged accounting may decrease maximum accounting upload rate by ~60%
* Fixed logged accounting did not cover queue backlogs
* [5.0] Added user selectable source port for all outgoing proxy authentication and accounting requests
* [5.0] Added custom attribute filtering extensions

Radius 5.0.55, 4.0.72 - 5/2/2005 --
* Fixed sensitive data should not be reported to syslog servers
* [5.0] Added allow log file locations to change without requiring RadiusNT/X to be restarted
* Fixed cases of general messages being incorrectly routed to the authentication log file
* [5.0] Added support for multiple listen addresses and listen ports
* Added options to control interface from which to proxy authentication and accounting requests
* [5.0] Added server now listens on ports 1645 and 1646 for authentication and 1646 and 1813 for accounting by default
* Fixed when not specified default pathnames for authentication and
accounting logs are now assigned
* Fixed account expiration in some cases may occur several hours before or after midnight
* Added improved debug output for packet codes and packet source address
* Fixed possible conflicts with attributes of the same name and vendor while displaying RADIUS dictionary values
* Fixed EAP-MSCHAPv2 password retry failure on subsequent password retries after password is entered incorrectly on first attempt

Radius 5.0.54, 4.0.71 - 4/8/2005 --
* [5.0] Fixed when using a custom authentication query and the TimeLeft column is NULL limits must not be enforced rather than reflecting the account has no time remaining
* Fixed additional exemptions for constraint error filter for MSSQL and Sybase when recording accounting data
* [5.0] Added maximum store and forward accounting mode retention setting
* Fixed validate proxied response authenticator for authentication and accounting responses
* Fixed validate proxied message authenticator for authentication responses
* Fixed message signature validation fails when 'always use digital signatures' is disabled and EAP authentication is not used
* Fixed prevent sending multiple signature attributes when proxying EAP auth responses with 'always use digital signatures' enabled
* Added improved minimized memory usage behavior on low memory
* Added sequence numbering for proxy state attributes
* Added improved authenticator related error messages
* Fixed prevent accounting upload retry for non connection oriented classes of errors
* Fixed VSA sub-attributes containing one byte or less may incorrectly be marked as malformed
* Fixed when proxying auth requests containing the signature attribute the signature is incorrectly based on the client secret rather than the remote RADIUS server's secret
* [5.0] Fixed when rejecting an authentication request based on an authentication input filter the reject message contains an invalid response authenticator

Radius 5.0.50, 4.0.70 - 3/4/2005 --
* [5.0] Fixed removed
special check used to reject accounting records with a username of 'Reject'
* [5.0] Added when setting an accounting table such as the Calls table to 'none' logging is disabled for that table however the accounting request is still acknowledged
* [5.0] Added index and marshalling optimizations

Radius 5.0.49, 4.0.70 - 2/24/2005 --
* Added when recording accounting Call records ignore Acct-Delay-Time in CallDate calculation where Acct-Delay-Time is greater than a year
* [5.0] Fixed custom queries and attribute filter definitions containing variables may in rare cases become corrupt until their configuration is refreshed
* [5.0] Fixed Oracle default account lookup query error
* [5.0] Added 'Auth Proxy Resp' filter source option allowing authentication proxy responses to be matched and modified
* [5.0] Fixed second result set of a custom configured SQLRadGetUser query was ignored
* [5.0] Added 'Virtual class attribute' feature allowing RadiusNT to correlate accounting requests with authentication responses for clients not supporting the 'Class' attribute
* Fixed include a partition ID in IEA Class attribute to prevent proxied local attributes from being decoded by other organizations also using RadiusNT

Radius 5.0.45, 4.0.69 - 2/3/2005 --
* Fixed number of proxy retries for authentication and non-store-and-forward accounting proxy modes were sometimes more than the configured retry count
* Fixed request authenticator was resent on the first retried proxy authentication response instead of the new authenticator sent with the initial response
* [5.0] Added request replay now works for proxied requests improving performance over unreliable links
* [5.0] Added 'Ignore client retry policy' proxy option allowing RadiusNT to discard unnecessary retransmission attempts from the requesting client
* Fixed accounting records should not be acknowledged while column information for the accounting Calls table is unavailable
* [5.0] Fixed packet replay system did not work for
accounting records
* [5.0] Added improved packet replay checking and raised minimum possible replay history size
* [5.0] Fixed authentication responses may in a rare case be delayed by 15 seconds

Radius 5.0.43, 4.0.68 - 1/14/2005 --
* [5.0] While starting in database mode and no database server is available RadiusNT should refresh its configuration as soon as the database becomes available while persistent caching is enabled
* Added more descriptive error text for EAP-PEAP errors
* [5.0] Fixed RadGetUser parameter discovery is not retried on failure, default parameters were assumed should discovery fail during startup
* Fixed while restoring persistent cache in database mode the use of service type default attributes were always assumed ignoring any user specific attributes

Radius 5.0.42, 4.0.67 - 12/08/2004 --
* [5.0] Fixed while reconfiguring RadiusNT with SNMP polling enabled, realtime concurrency checking is not automatically disabled
* Fixed EAP-MSCHAPv2 authentication fails if authenticating clients provide a realm while domain trimming is disabled
* [5.0] Added support for including only dynamically added filter attributes to subsequently used attribute variables
* Fixed RADIUS authentication proxy may retry more than configured number if store and forward proxy mode is enabled
* Added EAP authentication requests may now be proxied
* Fixed while proxying a request containing a message signature the signature is now recalculated
* Fixed challenge responses could not be forwarded to remote proxies
* Fixed access challenge responses were not forwarding Proxy-State attributes from remote proxies
* Fixed EAP-GTC method will no longer send password field description unless challenged for improved compatibility with Cisco clients
* Fixed EAP-PEAP v1 version negotiation failure
* Fixed EAP inner authentication identity must be authoritative when available
* Fixed EAP now allows responses of type identity to authentication requests of other methods provided a
response is forthcoming
* UNIX: Fixed proxy retry timer may hang until next incoming request is received
* Fixed while proxying an authentication response containing tunnel encrypted attributes the attributes were not being correctly re-encrypted
* Added clearer error messages for external authentication and cases where multiple auth attempts are made
* Fixed possible AV while loading a specific service type's attribute list where no attributes are present for that service type

Radius 5.0.39, 4.0.63 - 10/11/2004 --
* Fixed while proxying a CHAP request containing CHAP-Challenge this attribute is sent twice during the authentication request to the remote server
* Fixed Rad Rejects may not match attributes having a string data type

Radius 5.0.38, 4.0.62 - 8/18/2004 --
* Fixed AV displaying attribute debug having timestamp data
* [5.0] Added support for HostIP attribute filter source type
* [5.0] Fixed AV when Active field is present using v5 RadGetUser result sets
* [5.0] Fixed packet replay does not work correctly when used with proxied responses

Radius 5.0.36, 4.0.60 - 6/20/2004 --
* [5.0] Added support for calculating session limit to reflect an account's expiration date
* Added support for 3GPP2 session encryption keys
* Win32: Fixed bind IP address listing in RadiusNT admin did not show multiple addresses per interface

Radius 5.0.35, 4.0.59 - 6/3/2004 --
* [5.0] Added support for SIP proxies (HTTP digest authentication)
* Added option to allow or deny concurrency enforcement on a per RADIUS client basis
* Changed some NASes behave incorrectly while reply-message is sent in access-accept, removed reply-message for this case
* [5.0] Added allow attribute filters of destination type auth/acct proxy out to modify the outgoing User-Name attribute
* [5.0] Added support for destip in the destination group of output attribute filters
* Added support for explicitly denying server port access

Radius 5.0.31, 4.0.57 - 4/12/2004 --
* Fixed proxy attribute matching problem
which could cause requests to be routed to the wrong roam server
* Added additional format checking to proxy store and forward ADIF logging
* Fixed possible AV when processing proxy out attribute filters with a destination type of merge replace
* Added informational debug for LDAP authentication
* Fixed LDAP authentication failure using internal comparison of password attributes

Radius 5.0.29, 4.0.56 - 2/16/2004 --
* [5.0] Fixed SQL query destination merge type should use SQL variable encoding rules
* Fixed increased VSA format error checking to prevent errors from leading to unnecessary attribute decoding problems
* Fixed problem finding port information for IP pooling and server port access
* Fixed LDAP authentication failure using bind to auth with the Netscape/Sun directory server
* Added preference for NAS-Port over NAS-Port-ID for accounting record port selections

Radius 5.0.27, 4.0.55 - 11/17/2003 --
* Fixed response string conversion errors while processing an external auth method's mapped attributes
* Fixed attribute mapping system incorrectly required at least one attribute value before it can initialize
* Added support for NAS-Port-ID as NASPort
* Fixed NASIdentifier and NASPort fields in Calls were not being restricted by size
* Fixed removed incorrect ignore for 22xxx class of errors from accounting spooler
* [5.0] Fixed incorrect AVP value matching in Proxy attribute and attribute filtering system
* [5.0] Added $serverip variable to destination data field of the attribute filtering system
* Fixed unmatched proxy domain causes an auth trim regardless of the global trim setting
* Fixed when loading RADIUS clients from a database and the IP Address field has trailing or leading spaces that client entry is ignored
* Added use hardware sources for random numbers when possible
* [5.0] Added attribute filter source to allow searching request attributes to conditionally modify response attributes
* UNIX: Fixed when using Sybase ASE accounting and
authentication performance is diminished after receiving a duplicate accounting request
* [5.0] Fixed error reading RadGetUser procedure parameters with Sybase ASE 11.9.2
* [5.0] Fixed Auth Proxy Req+Resp source type 'destination ip' and 'client ip' reversed
* Fixed when time banking is enabled and an account has no time limit smart caching should be allowed

Radius 5.0.22, 4.0.54 - 10/16/2003 --
* Fixed supporting crypto and database driver updates
* [5.0] Fixed RadGetUser Password parameter passed even when the parameter is not part of this stored procedure
* Fixed allow treat as local to completely override the global trim setting
* Fixed malformed response while sending tag integer attributes
* Fixed timestamp datatypes not being sent in auth response
* [5.0] Added $timetstamp filtering variable to report current time in RADIUS datetime format
* [5.0] Added destination merge type of SQL query to attribute filtering system
* [5.0] Fixed incorrectly restricting application of destination filters based on their filter type
* Fixed domain not stripped for auth when global trim is disabled and a proxy server with 'treat as local' enables strip domain
* Fixed disable accounting despooler in text-only mode
* Fixed ServerID/AccountID columns may appear multiple times in Calls update due to a NAS incorrectly sending duplicate Class attributes

Radius 5.0.17, 4.0.51 - 9/27/2003 --
* Fixed EAP-GTC does not work in conjunction with PEAP
* UNIX: Fixed AV while generating PEAP session encryption keys
* Added -X4 option to enable EAP packet level debug
* Added support for restricting PEAP version negotiation to v0 for improved client compatibility
* Fixed EAP authentication was incorrectly disabled in text only mode

----------------------------------------------
RELEASE NOTES
----------------------------------------------

----------------------------------------------
TECHNICAL SUPPORT
----------------------------------------------

Should you experience any trouble installing
or using RadiusNT/X, please consider the following technical support options:

Please read the readme.txt and changes.txt files that are included with your distribution archive. These files contain pertinent up-to-date information on the software noting any changes, feature enhancements or known problems.

The documentation manual has much of the information you need to solve problems. Please re-read the pertinent section to ensure that something wasn't overlooked.

Please check out our Web site at http://www.iea-software.com for announcements, troubleshooting tips, Frequently Asked Questions (FAQs) and more.

IEA Software hosts a mailing list for RadiusNT/X. This is a user-supported list and is a great resource for conversing with others who own the product. You can learn more about the mailing lists at http://www.iea-software.com/support/maillists/liststart. We host a searchable archive of the list on our Web site as well.

You can reach our Technical Support Team at (509) 444-BILL (2455) or support@iea-software.com.

If you still require assistance, we have a variety of support contract options available via our Web site at http://www.iea-software.com/support.

You can reach our Sales Team at (509) 444-2455 or sales@iea-software.com.

****************** End of CHANGES.TXT ******************