Download OpenRADIUS


0.9.12c: openradius-0.9.12c.tar.gz changelog release notes
0.9.12b: openradius-0.9.12b.tar.gz changelog release notes
0.9.11a: openradius-0.9.11a.tar.gz changelog release notes
0.9.10: openradius-0.9.10.tar.gz changelog release notes
0.9.9: openradius-0.9.9.tar.gz changelog release notes
0.9.8: openradius-0.9.8.tar.gz changelog release notes
0.9.7: openradius-0.9.7.tar.gz changelog release notes
0.9.6: openradius-0.9.6.tar.gz changelog release notes
0.9.5: openradius-0.9.5.tar.gz changelog release notes
0.9.4: openradius-0.9.4.tar.gz changelog release notes
0.9.3: openradius-0.9.3.tar.gz changelog release notes
0.9.2: openradius-0.9.2.tar.gz changelog release notes
0.9.1: openradius-0.9.1.tar.gz changelog release notes
0.9: openradius-0.9.tar.gz changelog release notes
0.8: openradius-0.8.tar.gz changelog release notes

Patches, pre-releases, not-yet-merged contributions

See the download directory.


The kind folks at have put up a mirror in Australia. It contains the complete OpenRADIUS download directory. Thanks!

Release notes for OpenRADIUS v0.9.12c - 2007/03/24

This is the third maintenance release for 0.9.12. A security bug was fixed in the LDAP module.

Details: if the DN-as-pseudo-attribute feature was activated by adding 'dn' to your radldap.attrmap, long DN values could trigger a buffer overflow in the radldap submodule, possibly allowing arbitrary code originating from the database to be run as the user radldap runs as, which in default installations is the same user the main server runs as.

Workarounds: remove the 'dn' from radldap.attrmap if it's not needed by your behaviour file, consider your LDAP database trusted, or upgrade to 0.9.12c.
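
The bug class described in this release note, as an added illustration in C. This is not OpenRADIUS code: the buffer size, the function names and the sample DN are assumptions made for the example. The unsafe copy trusts the length of a DN returned by the directory; the bounded version rejects values that do not fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the buffer holding one mapped attribute value. */
#define VALUE_BUF_LEN 256

/* Unsafe pattern (hypothetical code): the DN is supplied by the directory,
 * so its length is chosen by whoever can write entries there. */
void map_dn_unsafe(char *value_buf, const char *dn)
{
    strcpy(value_buf, dn);      /* no bound: writes past the buffer */
}

/* Bounded version: returns the number of bytes stored, or -1 if the DN does
 * not fit. It rejects rather than truncates, because a truncated DN no
 * longer identifies the entry that was found. */
int map_dn_checked(char *value_buf, size_t buf_len, const char *dn)
{
    size_t n;

    if (value_buf == NULL || dn == NULL || buf_len == 0)
        return -1;
    n = strlen(dn);
    if (n >= buf_len) {         /* no room for the terminating NUL */
        value_buf[0] = '\0';
        return -1;
    }
    memcpy(value_buf, dn, n + 1);
    return (int)n;
}

/* Builds a constructed DN with `levels` "ou=dept," components in front of
 * "dc=example,dc=org" and maps it with the bounded function. */
int map_constructed_dn(int levels)
{
    char dn[4096] = "";
    char value[VALUE_BUF_LEN];
    int i;

    for (i = 0; i < levels && strlen(dn) + 32 < sizeof dn; i++)
        strcat(dn, "ou=dept,");
    strcat(dn, "dc=example,dc=org");
    return map_dn_checked(value, sizeof value, dn);
}

int main(void)
{
    printf("short DN: %d\n", map_constructed_dn(2));
    printf("long DN:  %d\n", map_constructed_dn(40));
    return 0;
}
```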

Release notes for OpenRADIUS v0.9.12b - 2006/03/24

This is the second maintenance release for 0.9.12, containing a number of fixes for LDAP backends. LDAP support had not been updated to reflect recent changes in the internal dictionary, causing it to fail completely.

Also, the LDAP module's error handling when dealing with server side disconnects has been improved, removing the need for setting the 'rebind-after-every-search' flag in many installations, thus improving performance.

For more information, please see the changelog.

Release notes for OpenRADIUS v0.9.12a - 2006/03/17

This is the first maintenance release for 0.9.12, fixing a problem in the installation script and removing unused EAP stub work, as that was unusable and is done completely differently in 0.9.13 anyway.

Because 0.9.13 will break compatibility so severely that no existing behaviour file will run unchanged, I will do bugfixes and maintenance on 0.9.12 and release them as letter-revisions. Consider 0.9.12 the "last stable release before the big behaviour language changes".

Release notes for OpenRADIUS v0.9.12 - 2005/12/08

This release mostly concerns new features for use with SQL backends. The example configuration and behaviour files for SQL are modernized to reflect recent improvements. You can now use SQL transactions without being limited to a single radsql subprocess, because of an elegant way to allow all subsequent calls to a module to be routed to the same subprocess, even if the module interface defines more than one. Also, radsql allows you to obtain the sequence number that was used as the primary key for newly inserted records, for databases that support it.

Some minor changes were made to the behaviour language as well. Please see the changelog for more details.

Release notes for OpenRADIUS v0.9.11a - 2005/11/10

In 0.9.11, I completely forgot to verify that the distributed configuration files were up to date with my development set. This caused a non-functioning default install. Sorry. For the remainder of the release notes and the changelog, please see below.

Release notes for OpenRADIUS v0.9.11 - 2005/11/09

A lot of time has passed, during which a lot of bugfixes and new features were done: new language operators; updated example behaviour files; a fix for a problem that prevented the server from working on AMD64 at all (and on other platforms with 'interesting' stdarg implementations); complete RFC2869 support, including Message-Authenticator and a framework for EAP support, including a subserver to decode EAP packets and execute EAP policies (that module is work in progress, don't rely on it yet); attribute splitting and joining; long password support; and many more good things. Please see the changelog.

One important thing to note: if you have written binary modules, you must update your check for the received magic value in the header, as the value has been changed. The change is necessary to prepare for modules that may send 'RADIUS' requests via the module interface to the main server as well as regular module responses. Please see the changelog for more details.

Release notes for OpenRADIUS v0.9.10 - 2005/02/20

A complete example configuration for keeping metered pre-paid accounts in MySQL has been added. The dictionary has been restructured to allow access to the whole packet. Together with the new 'pokeav' operator, this makes checking of packet signatures much cleaner and easier, preparing for Message-Authenticator support. A contributed improvement to radldap allows you to bind on an object that was returned by a prior search. Logging has been made friendlier. An operator was added to rewrite MAC addresses in a canonical format. Some minor bugfixes were made as well; for details, please see the changelog.

Release notes for OpenRADIUS v0.9.9 - 2004/08/11

This release adds an example schema and configuration/behaviour combo for PostgreSQL, and a feature to radsql to turn autocommit off for databases that support it. The new behaviour files demonstrate how you can use that to create multi-statement transactions.

Much more important is that complete proxying support is finally done!

This was achieved by extending the radius client to allow specification of target servers, ports and secrets in RADIUS attributes, and enhancing the module interface to allow modules to generate interleaved responses. This feature can be enabled on a per-interface basis in the configuration file, by increasing the default window size of 1 and specifying an attribute to hold job reference numbers. See the new configuration- and behaviour files for ASCII files and Postgres for details.

This work was sponsored by WinQ B.V., many thanks.

Note: this release contains a minor bug in the default example configuration. Please run 'touch /usr/local/etc/openradius/legacy/nases' if you see an instance of 'ascfile' restarting every second. There is also a recommended patch that fixes a compiler error and a border case when recovering from a crashing module.

Release notes for OpenRADIUS v0.9.8 - 2004/08/11

This release contains a number of enhancements to the behaviour language, most notably the accept, reject and acctresp versions of the halt operator, that set RAD-Code and filter inappropriate reply attributes for the response as defined in the dictionary.

It's been out for quite a while, but I hadn't announced it because I first wanted to move the mailing list to a new machine, in order to make it available 24/7 again. This project suffered a few delays, sadly, but it's finally done.

There's also a few bugs fixed, some enhancements to the example MySQL configuration, a tool for creating precompiled Ascend-Data-Filter attributes, some enhancements to radlogger, radldap and radclient, and a new module to authenticate users using SMB (Windows NT). Thanks, Brian BcGraw and Brian Candler, for your contributions!

Release notes for OpenRADIUS v0.9.7 - 2003/04/28

This release's focus is SQL support. OpenRADIUS now supports MySQL, Postgres, Oracle, Sybase, DB2, Informix, Interbase, and others, through Perl's stable and powerful DBD drivers. A few small improvements were made in other areas as well. See the changelog for more information.

Release notes for OpenRADIUS v0.9.6 - 2003/04/03

This is a minor release that contains some bugfixes and documentation for the new RADIUS client. For details, please see the changelog.

Release notes for OpenRADIUS v0.9.5 - 2003/02/25

A lot of improvements over 0.9.4. Highlights:

  • a completely new build system that handles transparent automatic dependency tracking and contains a lot of platform compatibility enhancements;
  • a full featured RADIUS client and debugging tool that handles multiple simultaneous queries, redundant target servers and PAP and CHAP password encoding.

Starting with this version, configuration files are installed in /usr/local/etc/openradius by default, as opposed to /usr/local/etc/raddb; this makes it more obvious that the configuration files are not compatible with Lucent-, Cistron- or FreeRADIUS.

Also, the installation procedure will not install any files in that directory if it already exists, but inform you that your old configuration will be used instead.

As always, please see the changelog for more information.

Release notes for OpenRADIUS v0.9.4 - 2002/06/25

This is a long overdue cleanup and bugfix release, that also includes some changes to the behaviour language.

These changes were indicated earlier, but sadly cause some incompatibilities that cannot be avoided if the current mess in the naming of the conversion operators is to be cleaned up. Instead of the 'as...' operators that sometimes indicated the source type and sometimes the destination type, a clearer scheme is implemented now that uses these unary postfix operators:

  • toint, toip, todate and tostr convert any type to the type indicated by the name. If both the source and the destination types are ordinal values, the conversion is just a typecast; otherwise the standard auto-conversion behaviour applies, using the selected destination type. (When converting strings to ints, the base is autodetected, so that a 0x-prefix indicates hexadecimal, a 0-prefix indicates octal, otherwise the number is decimal; and when converting strings to dates or vice versa, the format is yyyymmddHHMMSS.)
  • fromoct, fromdec, fromhex and fromraw convert strings in the indicated format to integer values. These can be used if the default auto-base detection is undesired, such as when you want to convert a zero-padded decimal string to its value (under the normal rules the number would be treated as an octal string because of its 0-prefix), and also to convert binary strings in network order to their integer values.
  • tooct, todec, tohex and toraw do the reverse and convert integer values to strings in the indicated format.

After version 1.0, no such changes will be done other than through phased deprecation.
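
The difference between autodetected and explicit bases in the conversion operators listed above, as an added C model that is not taken from OpenRADIUS. The C function names are hypothetical stand-ins for the operators, strtol is used as a substitute for the server's own parser, and the 4-byte limit in from_raw is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse all of s as an integer. base 0 means autodetect as in the notes above:
 * "0x" prefix = hexadecimal, "0" prefix = octal, otherwise decimal.
 * Returns 0 on success, -1 on empty input, trailing garbage or overflow. */
int parse_int(const char *s, int base, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, base);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    *out = v;
    return 0;
}

/* Stand-ins for the operators named above (hypothetical C names). */
int to_int(const char *s, long *out)   { return parse_int(s, 0, out); }
int from_oct(const char *s, long *out) { return parse_int(s, 8, out); }
int from_dec(const char *s, long *out) { return parse_int(s, 10, out); }
int from_hex(const char *s, long *out) { return parse_int(s, 16, out); }

/* fromraw: binary string in network (big-endian) order to its value.
 * Limited to 4 bytes here, an assumption matching 32-bit RADIUS integers. */
int from_raw(const unsigned char *p, size_t len, unsigned long *out)
{
    unsigned long v = 0;
    size_t i;

    if (len == 0 || len > 4)
        return -1;
    for (i = 0; i < len; i++)
        v = (v << 8) | p[i];
    *out = v;
    return 0;
}

int main(void)
{
    const unsigned char raw[] = { 0x00, 0x00, 0x07, 0x14 }; /* constructed */
    long a = 0, b = 0;
    unsigned long c = 0;

    to_int("0300", &a);     /* autodetect: leading 0 selects octal */
    from_dec("0300", &b);   /* explicit base: zero padding is ignored */
    from_raw(raw, sizeof raw, &c);
    printf("toint=%ld fromdec=%ld fromraw=%lu\n", a, b, c);
    return 0;
}
```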

As for the bugfixes, most notably the second vulnerability in CERT CA-2002-06 has now been addressed as well. The first hasn't been present since 0.9.3 - see also this message. As a nice side effect, it now gives much better diagnostic information about invalid packets.

For all other changes, please refer to the changelog. And as always, test before upgrading, and make a copy of your raddb directory before typing 'make install', as that installs the distributed example files, overwriting your current configuration.

Release notes for OpenRADIUS v0.9.3 - 2002/03/22

A couple of important bugs in last release's sample behaviour files were fixed; specifically one that caused CHAP to not work at all, and one in behaviour.sample-ldap-authbind that allowed all non-PAP users in, regardless of their password, if a user's LDAP object could be accessed using an anonymous bind.

Another bug was introduced in the last release by a last-minute change to the current directory setting for modules, which caused the ascfile module as used in some of the example behaviour files to look for its data in the wrong place. This has been fixed; modules now get the raddb directory used by the server as their cwd, and their configuration files will be stored under raddb/modules.

The last release wasn't a particularly successful one. This one should be better; see the changelog for more information.

Release notes for OpenRADIUS v0.9.2 - 2002/03/20

This release adds a lot of LDAP functionality: an example schema, a more complete LDAP-to-RADIUS mapping file, and working examples for the configuration- and behaviour files.

Other than that, this is most of all a bugfix release: some cleanups were done, some rare corner cases properly tested and fixed where necessary, and a few memory leaks were plugged. There should be none left.

Also, some portability enhancements have been made; the server now runs on GNU/Linux, NetBSD, BSDi, Solaris (only tested with gcc) and Compaq Tru64 Unix (built with Compaq's own compiler). Note that still only GNU make is supported, although NetBSD's appeared to work as well.

As always, make sure your raddb directory is backed up before doing 'make install' after compiling; there is no automated upgrade procedure.

Release notes for OpenRADIUS v0.9.1 - 2001/12/07

The most important thing in this release is the new LDAP module. It can be used to perform arbitrary directory searches from the behaviour file, and for doing authentication using LDAP bind operations. It supports persistent connections and a fully configurable LDAP to RADIUS attribute mapping.

The module was tested with OpenLDAP, but should also support the University of Michigan's implementation and others based on it.

As always, make sure your raddb directory is backed up before doing 'make install' after compiling; there is no automated upgrade procedure.

Contrary to the previous (0.9) release, this one has been actually tested again on the three platforms I currently have access to (GNU/Linux, BSDi and Solaris). It should work on many more, so please tell me about problems and successes, especially when building.

Some other minor bugfixes and feature additions were done as well; see the changelog for more details.

Release notes for OpenRADIUS v0.9 - 2001/11/22

This release adds a simple Unix password database module, an example behaviour file that makes use of that, a lot more documentation and a few less bugs. See the changelog for more details.

There is no automated upgrade procedure, so be sure to back up your raddb directory before doing 'make install'.

Sadly, some incompatible changes to the dictionary and behaviour file language were necessary. Review your current configuration-, behaviour- and/or legacy users files to check if you used any of the following attributes before copying any of them back over the newly installed files in raddb:

  • Auth-Type (now auth-type, lowercase. See the changelog for details);
  • Clear-Password (idem)
  • Md5-Hex-Password (idem)
  • Trusted-Proxy (idem)
  • Strip-Realm (idem)

You will have to convert these attribute names to lowercase in each of the files you intend to copy back from the previous release. If you used a Livingston-style users file, this will most likely have to be updated.

As part of the language cleanup, the precedence of the operators '.', 'md5' and 'hex' was changed, to group them more sensibly. Now, all unary operators have precedence above binary ones, and all ordinal operators have precedence over string handling ones. See the language documentation, paragraph 4.1 and below for more details.

In some very rare cases (eg. if you placed a term immediately after 'abort'), you may need to verify that the behaviour file is still accepted when the server is started. This is due to the change made to a few operators which now return an integer (context) instead of resetting the context, which caused terms to be re-allowed immediately after they are closed. The affected operators are:

  • halt
  • abort
  • del
  • delall
  • moveall

Lastly, the comma operator is not allowed anymore in context 'none', so expressions like 1,,2 or 1+(,3) are not valid anymore.

Release notes for OpenRADIUS v0.8 - 2001/11/05

This is the first public release. The server should definitely be stable, but hasn't been proven yet. Although great care went into error handling and memory leak prevention, I'm sure that bugs will still be present. So please, try it out, and report any problems you may find.

The server and modules distributed in this release were built and tested successfully on the following platforms:

  • Debian GNU/Linux 2.2 i386 / glibc 2.1.3 / gcc 2.95.2 / GNU make
  • Debian GNU/Linux 2.2 Alpha (64-bit) / glibc 2.1.3 / gcc 2.95.2 / GNU make
  • SunOS 5.7 sparcv9 (32-bit) / gcc 2.95.2 / GNU make
  • BSD/OS 4.0 i386 / gcc 2.95.2 / GNU make

I haven't tried any other compiler myself, but I've taken good care to avoid GCC extensions, and my aim is to support any halfway decent ANSI-C compiler. I'm interested to hear your reports on other platforms.

I also haven't been able to get the same makefiles to work on both GNU and BSD make - if anybody knows a portable way of doing makefile includes, please let me know.

This release includes the following:

  • Main server, with fully complete dictionary/VSA handling support, behaviour rule language and ASCII and binary module interfaces
  • ASCII file reader module
  • Accounting- and request logging module
  • Quick and dirty script to generate md5-hex passwords
  • A sample configuration and behaviour file that make it work quite similar to a Livingston-type server, supporting standard ASCII clients- and users files. Be sure to read the notes in the behaviour file and the ascfile module before using it as a drop-in replacement though.

NOT yet included are, in random order:

  • DNS resolver module
  • RADIUS client (proxying) module
  • Duplicate detection module
  • LDAP module
  • Sub-dictionaries defining VSAs for NAS vendors other than Cisco
  • Commandline client for testing
  • Portable script to generate md5-hex passwords

Generated on Sat Jul 2 01:18:04 2011 by /