*****************************************************************
   Air Marshal change history for all versions (Linux Platform)
*****************************************************************

Modified: 1/05/2023

Copyright (c) 2002-2023 IEA Software, Inc.
All rights reserved worldwide.

This file contains important, late-breaking information about changes made within Air Marshal. We recommend that you read this file and keep a printed copy with your Emerald documentation.

Tip: If necessary, choose Word Wrap from the Notepad Edit menu or Wrap To Window from the WordPad View/Options menu to wrap the text within the document window.

----------------------------------------------
CHANGES.TXT CONTENTS
----------------------------------------------

. KNOWN PROBLEMS
. RELEASE CHANGES

----------------------------------------------
KNOWN PROBLEMS
----------------------------------------------

* None at this time

----------------------------------------------
RELEASE CHANGES
----------------------------------------------

2.0.64 - Jan 5 2023 --

  * Fixed web server workers fail to enter nonblocking operation on Linux platform

2.0.63 - Dec 4 2022 --

  * Fixed workaround unreliable condition signaling on Linux platform
  * Fixed TLS and network messages related to canceled web sessions should not be logged
  * Fixed self-signed certs created via TLS wizard should have matching SAN attribute

2.0.62 - Mar 10 2022 --

  * Added per session NAT port allocation setting to network options menu enabling unique per session source port ranges to be assigned for each concurrent session
  * Added default log folder should be applied when path omitted from log file pathname
  * Added web server workers switched to nonblocking operation improving response to management signals
  * Added web server should periodically enforce reasonable non backlog receive side limits
  * Added web server backlog mode improved to consider authentication status, data rate and increase signaling performance
  * Added web server should be the passive closer where possible and minimize middlebox allocated port exhaustion
  * Added http client should avoid including port number in host header when default ports are used to improve interoperability
  * Added simplify web server request scaling and enforce global concurrent buffer pool limits on medium sized or larger requests
  * Added include thread identifier in logged messages
  * Fixed web server GET requests containing message bodies may not be considered completed request

2.0.61 - Oct 20 2021 --

  * Fixed reauthorization via Termination-Action = RADIUS-Request should count Session-Timeout from start of session rather than start of reauthorization

2.0.60 - Mar 29 2021 --

  * Added upgraded TLS support libraries

2.0.59 - Nov 10 2020 --

  * Added session usage statistics for nftables
  * Added improve reliability when insufficient resources available

2.0.58 - Jul 29 2020 --

  * Added improve network related error messages logged by web server
  * Added http client improve failure responses, add session reset, stream TLS upgrade option, abstract transport interface and switch to common encoding library
  * Fixed web listener should transmit failure response for unknown request methods before closing connection and strict parsing of supported methods
  * Fixed remaining non-reentrant time formatting functions should be replaced
  * Fixed AV possible after increasing size of server request buffer

2.0.57 - Apr 22 2020 --

  * Added upgraded TLS support libraries
  * Added TLS version selection
  * Added disable environment and request variable downscale
  * Fixed synchronize socket access while clearing slow connections in backlog mode

2.0.56 - Apr 6 2020 --

  * Added modernize default example login interface
  * Added TLS v1.3 support for login and admin interfaces
  * Added loading svg files now supported from local html folder
  * Added improve performance of web server startup and shutdown when a large thread pool is configured
  * Fixed concurrent attempts to close the same session should be restricted

2.0.55 - Jan 2 2019 --

  * Added when starting new session with initial consumption data above threshold zero initial usage to account for possibility of session management failure
  * Added wait for xtable lock when supported by operating system
  * Added move backup session closure attempt from close to initial session start

2.0.54 - Dec 20 2018 --

  * Added allow global bandwidth allocation to exceed 4 gbit/s
  * Added increase NAS-Port pool from 50k to 100k
  * Added increase maximum concurrent bandwidth managed sessions from 10k to 65k
  * Added remove unused bandwidth pools hourly instead of when no bandwidth allocations remain
  * Fixed NAS-Port should not be transmitted when port pool is full

2.0.53 - Jul 10 2018 --

  * Fixed continue to send interim accounting updates even when no new usage data is recorded
  * Fixed increase maximum number of unique sessions assignable within same second from 2048 to 50000
  * Fixed escape username in online session list and reply message response on authentication failure
  * Fixed when session is already started subsequent (re)authentication attempts must not alter any session identifying attributes

2.0.52 - Jun 4 2018 --

  * Added increase per-process open file limits on Linux platform to at least 4096
  * Fixed fair queue fails to be assigned to 2 out of first 5000 concurrent sessions
  * Fixed when closing user session user bandwidth rules should be immediately removed to allow future removal of any unused bandwidth groups

2.0.51 - Mar 27 2018 --

  * Added upgraded SSL support libraries
  * Added improve RADIUS accounting backoff algorithm and apply custom policy for interim accounting
  * Added support high numbers of in-flight RADIUS accounting requests to reduce queue delay and increase throughput
  * Added include error cause when reporting name resolution failures
  * Added reload resolver configuration on name lookup failures on Linux platform limited to once per 10 minutes
  * Added increase aggressiveness of queue deflation during controlled shutdown
  * Added handle xtable locking failures
  * Added logging of problems occurring within shellkey to portal script log file
  * Added reduced session lock contention while processing RADIUS dynamic authorization requests
  * Added improve service compatibility with Debian based systems
  * Added continue to wait for valid responses until timeout period upon receipt of RADIUS responses with invalid authenticators and signatures
  * Fixed TLS session preparation should not be performed within web server primary async request handler

2.0.50 - Feb 10 2017 --

  * Added upgraded SSL support libraries
  * Fixed standard functions not thread safe on Linux platform

2.0.49 - Nov 17 2016 --

  * Fixed prevent restart within admin UI while gateway is not running
  * Fixed AV occurs after shutdown completes

2.0.48 - Oct 22 2016 --

  * Added scalable filtering
  * Added SNI support for html folder proxy client

2.0.47 - Aug 15 2015 --

  * Added unique session identifier formatting improvements
  * Added TLS 1.2 support for web authentication
  * Fixed start records with empty session identifier may be transmitted when reauthenticating active sessions
  * Fixed prevent virtual port assignments still in active use from being reassigned

2.0.46 - May 5 2015 --

  * Added SSL certificate wizard to automate creation of private keys, CSRs and self-signed certificates
  * Fixed authorization attributes for session data usage enforcement did not properly count gigawords when data limits exceed 4GB
  * Fixed SSLPublic and SSLPrivate settings not displayed with configuration debug output
  * Fixed SSL configuration ignored if SSLCert parameter was not configured
  * Fixed RADIUS client should calculate hashes in-place to reduce possibility for error
  * Fixed remove support for SSLv3

2.0.45 - Jul 18 2013 --

  * Added show TLS version negotiated in transport column of /status display
  * Added display failure reason in /status URL if any SSL certificates cannot be loaded
  * Added improve web server listener failure messages
  * Added separate fields for SSL public and private key files
  * Added support for message authenticator (signature) within RADIUS Disconnect and CoA messages
  * Fixed prevent theme from being selected for session upon authentication failure
  * Fixed retry failed iptables operations due to temporary resource unavailability

2.0.44 - Mar 4 2013 --

  * Added support for URLs containing IPv6 literals
  * Added RADIUS improve command code mismatch failure messages
  * Fixed assertion error generating remote server URLs configured from themes
  * Fixed correct error during startup with partial web server bind failure
  * Fixed previous ACL configuration may be reused if closed session is re-authenticated and no subsequent ACLs are provided
  * Fixed ACL clearing missing from failed session start compensation rollback

2.0.43 - Dec 7 2012 --

  * Added upgraded SSL support libraries
  * Fixed extension filtering using substring instead of right match
  * Fixed continue to track MAC address after session has entered closed state until close expiration
  * Fixed MAC address must not be cleared immediately after authentication
  * Fixed check for getnameinfo failure while obtaining numeric address of web client
  * Fixed query strings containing a key field without an equal sign and value are now treated the same as a key field with equal sign and no value
  * Fixed client IPv4 address appears invalid in systems using scope identifiers with IPv4 mapped IPv6 addresses

2.0.41 - Jun 10 2012 --

  * Fixed Acct-Session-ID attribute missing from RADIUS Accounting-On and Accounting-Off reboot messages
  * Fixed changed iptables parameter negation syntax from -parm ! to ! -parm due to incompatible change in later versions of iptables

2.0.40 - Jan 18 2012 --

  * Added variables $inused, $outused and $dataused added to status display reflecting current data usage within the user's active session
  * Added logfile rollover support for 'YYYY' four digit year substitution
  * Fixed web server /status display can cause AV when viewing transport statistics for active sessions

2.0.39 - Oct 23 2011 --

  * Added NAT optimized for tracking much larger quantities of network sessions
  * Added preauth http listener setting enabling preauth listener to trigger on incoming web requests without an authorization key
  * Added prevent forwarding local traffic within a managed subnet
  * Added increased default value for general settings option server threads to 50
  * Added ipass smart client interface html folder

2.0.38 - Oct 6 2011 --

  * Added RADIUS authentication setting to control User-Name attribute format sent during MAC pre-authentication

2.0.37 - Aug 18 2011 --

  * Added anonymous access options to configure minimum bandwidth rate guaranteed to each anonymous session
  * Added each user session under bandwidth limit now has an additional queue to minimize network latency as their data transfer rate approaches session bandwidth limit
  * Fixed minimum bandwidth rate automatically calculated for local account does not change the next time the user logs on until user session has been completely expired

2.0.36 - Jun 15 2011 --

  * Added host address in walled garden configuration now accepts addresses in CIDR form
  * Added form variable 'UserName' may now be used in place of 'Login' when processing authentication requests
  * Added $locationid and $locationname variables can be referenced by client interface based on configuration of global and theme specific WISPr Location ID and WISPr Location Name fields

2.0.35 - May 10 2011 --

  * Added enable TCP keepalives while retrieving themes content from external servers
  * Added improved active session tracking to exclude less reliable approaches when multiple overlapping methods are enabled

2.0.34 - Mar 3 2011 --

  * Added reduced initial startup time and virtual memory utilization
  * Added fair acceptance of non-blocking http and https connection requests
  * Added RADIUS accounting menu options controlling NAS-Port-Type and Calling-Station-ID attributes sent during Authentication and Accounting request
  * Added send message authenticator (signature) attribute with RADIUS access-request and validate signature in authentication response

2.0.31 - Jan 10 2011 --

  * Added AM-Disconnect-Access authorization attribute to control ability of a management station to issue Disconnect requests for the session
  * Added allow L3 preauthorization for local accounts
  * Fixed remote requests for content proxied from external servers via SSL to display customer portal interface may cause a memory leak

2.0.30 - Sep 27 2010 --

  * Added when VLANs are used for client interfaces enforce bandwidth on the physical interface rather than vlan level. VLAN interface label format must be ethx.y
  * Fixed global upload and download data rate setting was reversed
  * Added RADIUS AVP encoder and decoder update to support new data types and packet formats
  * Added support for WISPr-Bandwidth-Min-Up and WISPr-Bandwidth-Min-Down bandwidth prioritization attributes
  * Added global upload and download data rates may now be centrally configured from the network options setting
  * Added AM-Mirroring VSA to control client data mirroring without using filteravp
  * Added RADIUS named bandwidth pools to constrain all sessions having a common pool label to a shared bandwidth allocation

2.0.28 - Sep 1 2010 --

  * Added authorization parameters of active sessions can now be modified via RADIUS CoA signal (RFC3576)
  * Added indexed RADIUS attribute search

2.0.27 - Jul 10 2010 --

  * Added reduced maximum acceptable web server request size from 20MB to 32k
  * Added client data mirroring has changed from UDP broadcast to local storage of wireshark compatible capture files. Filter reply attribute to enable mirroring is mirror=local
  * Added MB data rates in online list and status popup now reported as 1000000 bytes for consistency with Emerald reporting of the same figures
  * Fixed missing configuration read lock when obtaining current local folder name managing themes

2.0.26 - Feb 27 2010 --

  * Added moved change password menu option to general settings menu
  * Added syslog logging supports IPv6 and multiple syslog hosts concurrently when provided DNS name resolves to multiple IP addresses
  * Added theme system for presentation of customized login portals based on client IP address, language and browser or device type
  * Added RADIUS preauth option to select pre-authorization using layer 2 MAC Address or layer 3 IP address
  * Added login portals may now be stored on remote web servers and presented as local content using request proxy
  * Added configuration server (/settings URL) now supports IPv6 for management
  * Added RADIUS VSAs AM-ACK-HTMLFile and AM-NAK-HTMLFile to enable customization of the page presented on login success or failure directly following user login
  * Added Connect-Info RADIUS attribute is now sent during RADIUS Access-Request and has been updated to provide theme name rather than interface labels when themes are used
  * Added RADIUS client support for IPv6
  * Added prevent duplicate content from being added to multi-value list boxes within the configuration server
  * Fixed debug text for accounting messages sent via RADIUS reported wrong unit for response time metrics
  * Fixed replymsg variable displayed in status popup may contain RADIUS client warnings such as receipt of unknown authorization attributes - this information should not be presented via replymsg

2.0.25 - Jan 27 2010 --

  * Added show RADIUS response times for outgoing authentication and accounting requests
  * Added increase maximum web request limit from 255 to 1024 concurrent connections
  * Fixed detailed debug logging options may cause AV

2.0.24 - Jan 7 2010 --

  * Added serialize bulk ARP data loading to improve concurrent session authentication performance
  * Added bind failure messages for web listener have been improved to be more specific
  * Added prevent closure of popup status windows during active sessions by default for 'tos' and 'default' interfaces
  * Fixed web server rx/tx operations must be aware of anti-dos async connection closures to prevent rare probability of interference with unrelated connections in event of rapid socket reuse
  * Fixed improved compatibility with RIM Blackberry devices using OS version 4.6 and earlier
  * Fixed orderly shutdown for restart or service stop request may lead to AV and trigger non-orderly restart if administrative UI is being accessed during restart
  * Fixed entries in walled garden, local account or accounts profile whose keys contain non-alphanumeric characters may not be able to be removed
  * Fixed updated wording of welcome message

2.0.23 - Nov 11 2009 --

  * Added increased default web server thread pool from 10 to 50 to support larger deployments without configuration change
  * Added css file extension support to allow custom interfaces to reference external css files located in the portal html folder

2.0.22 - Sep 10 2009 --

  * Added option for possibility of user initiated reauthorization to refresh any authorization parameters initially sent at start of session
  * Added Reply-Message RADIUS attribute as 'replymsg' variable can now be displayed on successful authentication if presented
  * Fixed make sure Acct-Terminate-Cause is not present during interim accounting updates
  * Fixed when idle timeout attribute is sent via Access-Accept status refresh and data usage increments should be the only session maintenance triggers

2.0.21 - Jul 10 2009 --

  * Added send RADIUS attribute Service-Type=Framed-User, NAS-Port-Type and NAS-Port in authentication request
  * Fixed RADIUS POD request validation of Framed-IP-Address attribute if present was incorrectly based on the Session IP even when a different Framed-IP-Address is specified in the Access-Accept

2.0.19 - Jun 14 2009 --

  * Added anonymous authentication options to control where and when during the preauth stage it would be allowed to authenticate a session
  * Added if preauth listeners have been enabled and preauth initialization fails try again periodically to initialize listeners

2.0.18 - Apr 2 2009 --

  * Fixed password configuration dialogue should only appear on key not found or empty key error classes
  * Fixed general menu config access IP settings applied to the entire interface rather than remain limited to the configuration server only
  * Added allow Air Marshal to startup without the configuration server if the configuration server should fail to initialize

2.0.17 - Feb 20 2009 --

  * Fixed when similar bandwidth limits are assigned to multiple users all users would share a common bandwidth pool rather than each having their own
  * Fixed input and output byte counts should always be from the perspective of the access server

2.0.15 - Dec 24 2008 --

  * Added allow subsequent SSL connections to choose different protocol versions and ciphers
  * Fixed interpret Session-Timeout with a value of 0 as no seconds remaining rather than no time limit

2.0.14 - Nov 9 2008 --

  * Added Pulse refresh advanced configuration option to better control usage status polling
  * Fixed average realtime throughput in whos online list is improperly labeled as bits per second where data shown is bytes per second

2.0.12 - Aug 29 2008 --

  * Added Framed-IP-Address RADIUS attribute option to enable association of an external IP with the user's internal IP in NAT routing mode
  * Added transparent http port local account and profile setting enabling transparent proxy server configuration for local accounts
  * Added options restricting configuration interface access to authorized addresses
  * Fixed when running in NAT routing mode established http connections may not be blocked right away when the session terminates
  * Fixed intermittent SSL message authentication check failures can occur with high numbers of concurrent SSL connections

2.0.9 - May 22 2008 --

  * Added 'support' debug flag to enable reliable logging of messages
  * Added YYMMDD filename tokens for splitting portal log files on a daily, monthly and yearly basis
  * Fixed AV possible when logging messages to the portal log file during periods of high message volume

2.0.8 - Apr 27 2008 --

  * Added mac variable for making client MAC address available to client web interface
  * Added allow MAC preauth listeners to immediately reauthenticate sessions closed with the termination reason of lost service
  * Fixed malformed web server post request may cause AV
  * Fixed open connections to http ports by non http clients may prevent a successful controlled restart

2.0.5 - Feb 15 2008 --

  * Added when the idle timeout attribute is used only the session status popup window is able to keep the user's session active in L2 and L3 session modes

2.0.4 - Dec 28 2007 --

  * Fixed upload bandwidth restrictions may not be enforced
  * Fixed POD disconnect listener may not listen for requests after clicking save changes to apply some configuration changes online

2.0.3 - Oct 17 2007 --

  * Fixed when saving active configuration changes the system no longer attempts to reconfigure preauth listener ports if the listeners have already started
  * Added enable automatic reboot should a hardware or driver related system error occur
  * Added connection track modules are now loaded only when the NAT routing mode is enabled
  * Added filter http connection reset errors
  * Fixed custom POD disconnect port setting was ignored with the default POD port of 3799 used unconditionally
  * Fixed assert error displayed when an accounting retry fails due to the selected UDP port not being available after a timeout of the first attempt

2.0.1 - Sep 14 2007 --

  * Added allow transparent http proxy port configuration from anonymous access menu

2.0.0 - Aug 5 2007 --

  * Fixed local session accounting log incorrectly records incoming and outgoing byte counts, term code and session state
  * Fixed debug value set from the command line (-debug) was ignored with the configured debug level used in its place
  * Fixed string AVPs decoded through the Tunnel-Password attribute may sometimes show incorrectly decoded values
  * Fixed javascript error occurs when clicking the end session button in the tos UI status display
  * Fixed increased default session linger period to better support authorization key
  * Fixed Ascend binary data filters were not being properly enforced
  * Fixed per session data usage counters are now able to aggregate byte and packet count usage across many filtering rules
  * Fixed when starting portald from the command line it may on occasion return without starting the server

2.0.0.b.7 (BETA 2) - Aug 2 2007 --

  * Added default interim accounting interval option to RADIUS Accounting menu
  * Fixed RADIUS POD support should be available even while RADIUS authentication is disabled
  * Fixed not all options requiring a restart were tagged with the '**' prefix
  * Fixed sessions authorized anonymously had no username. Anonymous sessions should have the username of the client MAC
  * Fixed local accounts with a set expiration date must limit their session-timeout so that the client can not maintain an active session after their expiration date has passed
  * Fixed CHAP authentication was not being performed when the CHAP authentication method was chosen
  * Fixed CHAP authentication was not supported for local accounts not authenticated via RADIUS
  * Added while RADIUS authentication is not enabled the use of CHAP for local account authentication is forced
  * Fixed when a commercial interrupt was not cleared before the client's session is closed the interrupted session's filtering rules remain in effect until Air Marshal is restarted
  * Fixed corrected missing authentication method requirement validation checks
  * Added General settings / server threads no longer considered an advanced option
  * Fixed a startup configuration error occurs while using the layer 2 bridge network routing mode
  * Fixed allow DHCP/DNS traffic while the bridge network routing mode is enabled
  * Added cause popup blocker warning on default html UI to provide the opportunity for the status popup window to be seen
  * Fixed server hangs when authenticating a local account which already has an established session
  * Added support for external custom signaling via the FILTERAVP:extcmd (Framed-Filter=extcmd=x) RADIUS reply attribute
  * Added support for directing HTTP traffic to transparent proxies running on the Air Marshal server via the RADIUS reply attribute AM-HTTP-Proxy-Port

2.0.0.b.1 (BETA 1) - July 26 2007 --

  * Added support for server initiated RADIUS disconnect messages (RFC3576)
  * Added preauthorization TCP/UDP listeners to authenticate non-interactive servers and clients such as Nintendo DS
  * Added RADIUS, local account and anonymous preauthorization based on the end user's L2 MAC address
  * Added multiple subnets and network interfaces can now be managed from a single Air Marshal installation
  * Added walled garden configuration interface
  * Added unmonitored Layer 3 IP exception listing
  * Added bandwidth management in bps for upload and download traffic via WISPr RADIUS VSAs, local and anonymous accounts
  * Added commercial interrupt timer allows commercial messages to be displayed in the browser and acknowledged at configurable intervals
  * Added WISPr VSA support (Location-Name, Location-ID, Redirect-URL, Bandwidth-Max-Up, Bandwidth-Max-Down, Session-I/O)
  * Added L2 bridging mode allowing Air Marshal to control network access without IP level configuration
  * Added aliasing improvements to enable configuration of DNS named shortcuts to access account status
  * Added anonymous access option with daily time and data usage limits. Feature can also be used to bypass RADIUS authentication in emergencies
  * Added informational messages can be passed to the Air Marshal local whos online listing by sending whomsg=mymessage in the RADIUS access accept
  * Added expanded online reconfiguration to allow configuration changes to most settings without having to restart
  * Added option to restart Air Marshal from the admin web interface
  * Added improved administrative UI with new layout, menu features and server status information
  * Added local account management allowing administrators the ability to quickly configure local accounts without RADIUS
  * Added support for the Acct-Interim-Interval RADIUS attribute to enable periodic interim accounting updates
  * Added limited Ascend data filters are now supported for RADIUS authenticated sessions allowing network access filtering on a per-user basis
  * Added client data mirroring enables all of a client's data traffic to be mirrored to a remote host for diagnostic or intercept for sessions authenticated via RADIUS (mirror=x.x.x.x:port)
  * Added support for the use of Tunnel-Password to send encrypted AVP commands to Air Marshal
  * Added optional client DNS server settings to further lock down DNS access to specific servers before authentication
  * Added ability to operate without a RADIUS server using anonymous access, local accounts and a local accounting log file
  * Added improved support for large numbers of concurrent clients
  * Added auth keys forcing clients to first view and accept TOS or advertising before they are able to login
  * Added allow up to five concurrent connections without a license key
  * Added alternate client login interfaces
  * Added client login interfaces now support an account status popup box with disconnect option
  * Added var1 and var2 variables for passing data between ptl files
  * Added changed no-cache to no-store to prevent stale data from being displayed in some browsers
  * Added option to disable enforcement of Ascend-Data-Filter VSAs for RADIUS authenticated sessions

1.0.22 - May 22 2006 --

  * Added send accounting interim update on successful re-authorization

1.0.21 - March 14 2006 --

  * Added session re-authorization via Termination-Action RADIUS attribute

1.0.20 - May 12 2005 --

  * Added licensing updates

1.0.19 - Mar 16 2005 --

  * Added additional attributes are now sent with RADIUS access requests (Acct-Session-ID, NAS-IP, NAS-ID, NAS-Port, Framed-Address)

1.0.18 - Nov 22 2004 --

  * Fixed RADIUS requests may sometimes wait indefinitely for a response
  * Fixed rare 'ses->state...' assert message if a user attempts to concurrently logon and logout
  * Fixed limit concurrent access to Linux session start and stop scripts as workaround to iptables 'resource temporarily unavailable' bug
  * Fixed intermittent RADIUS authentication and accounting request timeouts while using a setting of more than 30 'server threads'

1.0.16 - Oct 12 2004 --

  * Added routed mode session timeouts are now based upon amount of incoming data from clients
  * Added additional connection timeout checking for HTTP(S) requests
  * Fixed AV while processing accounting information
  * Added additional usage info debug messages while using IPTables

1.0.15 - Sep 30 2004 --

  * Added session variables are now accessible from '.ptl' files
  * Fixed cases where the wrong MAC address is displayed in RADIUS accounting and whos online listing
  * Added RADIUS accounting status information to debug messages
  * Fixed DOS handling for HTTP and HTTPS sessions

1.0.11 - Jan 28 2004 --

  * Added support for sending the client's MAC as Calling-Station-ID attribute in the RADIUS authentication request

1.0.10 - Nov 22 2003 --

  * Added support for Emerald license keys. An Emerald license enables a two session concurrent login limit

1.0.9 - Sep 18 2003 --

  * Fixed server won't start if it's not configured

1.0.8 - Sep 12 2003 --

  * Added support for RADIUS Accounting-On and Accounting-Off startup/shutdown messages
  * Added support for 'htmlack' filter attribute to specify an alternate html interface after authentication

1.0.7 - Aug 8 2003 --

  * Fixed configuring 'Server URL' should be required
  * Fixed a problem with stuck accounting records on some versions of Linux

1.0.6 - Jul 28 2003 --

  * Added support for IPTables. Use of IPChains or IPTables is auto-selected

1.0.5 - Jul 7 2003 --

  * Added updated default Linux session script to unload iptables and load the ipchains kernel modules to work around a known problem with some popular Linux distributions
  * Fixed a problem that may cause sessions to incorrectly terminate if a user views their account status while the admin interface is in active use

1.0.4 - Mar 24 2003 --

  * Fixed Win32 ARP timeouts would cause end of session with reason 'Port Preempted'

1.0.3 - Mar 7 2003 --

  * Added initial support for the Windows platform
  * Fixed admin images would not load if there is a configuration problem