Radius 1.3 released.

From: Sergey Poznyakoff
Subject: Radius 1.3 released.
Date: Sat, 20 Nov 2004 21:11:21 +0200


I am pleased to announce the release of GNU Radius 1.3.

GNU Radius is a set of tools for remote user authentication and accounting.
The package includes a server daemon, various client utilities, and a set of
administrator tools.

For more information on Radius, including links to file downloads,
please see the Radius web page:
and the Radius project page    

GNU Radius is available from and
the mirror sites worldwide (see
for the list of those).

The MD5 checksums of the files are:

8bf4ebdc94415d8a25949b12aa04a337  radius-1.3.tar.bz2
ab0223f6504355c4827a7c03cb4e21b0  radius-1.3.tar.gz

The list of user-visible changes follows:

* Important compatibility note.

Previous versions of GNU Radius were silently adding an NAS-IP-Address
attribute/value pair to any requests lacking it. Whereas such behavior
is sometimes useful, it is not always needed. Therefore, the new
version of GNU Radius does not automatically add this attribute.
Instead, a rewrite rule is provided for this purpose. The default
raddb/hints file is shipped with this rule enabled. If you are
upgrading from a previously installed version of GNU Radius, you might
wish to add the following rule to the very beginning of your

  DEFAULT Rewrite-Function = restore_nas_ip
          Fall-Through = Yes

If you chose to do so, add the following statement to the "rewrite"
section of 'raddb/config':
        load "";

* radiusd

** New constructs in dictionary file

*** BEGIN VENDOR blocks.

These simplify declaration of vendor-specific attributes. Instead of
explicitly specifying the vendor name for each VSA, you can enclose all
related declarations in a BEGIN VENDOR statement:


An alternative form BEGIN-VENDOR ... END-VENDOR is supported for
compatibility with FreeRadius.

*** Specifying - (dash) for non-VSA attributes that have syntax flags
specifications is no longer obligatory.

** Improved checking for multiple logins. Previous versions relied entirely
on the contents of /var/log/radutmp file. Starting at this version,
radiusd offers at least two methods of checking for multiple logins:
using the traditional radutmp file and using the SQL database. New
keywords have been added to the sqlserver file that declare the SQL
queries to be used when retrieving information about currently
active sessions.

More methods of checking will be added in future versions.

** New methods of querying the NASes about active user sessions: using
guile function and using an external program.

** When an unsupported authentication type is requested, radiusd first
checks if an extension Scheme module is provided that handles that
authentication type. If such module is found, it is invoked to handle
the authentication.

** System accounting can be turned off by specifying `system no;' in
`acct' section of raddb/config. 

** New configuration statement 'load-module' allows loading arbitrary
Scheme modules.

** The file names of detailed log files are configurable via `detail-file-name'
statements in `auth' and `acct' sections of raddb/config.

** Support for Guile versions prior to 1.6 has been withdrawn.

** Implemented support for locking user accounts based on the number
of authentication failures:

*** New attribute Auth-Failure-Trigger specifies an external program or
a Scheme expression to be run upon an authentication failure. It can
update failure counts that subsequently will be used by
Exec-Program-Wait or Scheme-Procedure.

*** New keywords auth_success_query and auth_failure_query set
SQL queries to be executed upon authentication success and failure,
respectively. These may maintain failure counts that can be
used by group_query to control the authentication.

** Rewrite-Function attributes are handled uniformly in hints and
huntgroups. First, the Rewrite-Function attributes from the RHS list
are processed, then the ones from the LHS list. Notice that, in
contrast with the previous versions, any number of Rewrite-Function
attributes is allowed in both lists.

* SQL support has been modified to use dynamic loading. This allows
for easy integration of third-party SQL drivers. All existing SQL
drivers are now built as loadable modules on systems that support
dynamic loading. You may still compile them statically by giving
--disable-shared option to configure.

* Rewrite language

** Added i18n support

** New built-in functions:

*** Functions to access internal fields of a RADIUS request.
*** Interfaces to the Radius NAS database (raddb/naslist).
*** Interfaces to DNS lookup functions.

* libgnuradius

This is a library of functions for creating, handling and sending
requests using the RADIUS protocol.

All programs have been rewritten to link with libgnuradius. On most
sites this will mean linking against a shared library, which will
reduce the size of the executables.

* gnuradius.scm

This is a guile module that allows the use of libgnuradius functions. It
supersedes the radscm program, which has been removed.

* Radtest

The utility is rewritten from scratch. Now it provides a simple yet
powerful scripting language useful for writing RADIUS client applications.

* New contributions added to contrib/ directory:

 php                A php module for interfacing with Radius
 passcvt            Converts system password database to Radius SQL
                    table on systems with shadow password file (e.g.
 passwd_to_db       Converts system password database to Radius SQL
                    table on Free-BSD        
 radsend            Simplified interface to radtest utility

See README files in corresponding directories. 

* Testsuite rewritten in autotest. This allows running it on almost
any platform.

* Bugfixes

** Allow omitting port numbers in `listen' statements (raddb/config), as
described in the documentation.

** Fixed several inconsistencies in parsing Ascend-Data-Filter and
Ascend-Call-Filter attributes.

** Fixed bugs in SNMP library (CAN-2004-0849)

** Do not use descriptors 0 and 1 for interprocess communications since
user-defined procedures and/or libraries may attempt to write to
stdout and thus interfere in the communication.

** Fixed 'forward' statement in `acct' block. It was incorrectly
enabling forwarding of authentication requests, instead of accounting


