The following is a list of new / changed functionality.

RadSec

RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP is also supported, but is recommended only for secure networks.

See sites-available/tls for complete details on using TLS. The server can both receive incoming TLS connections, and also originate outgoing TLS connections.

The TLS configuration is taken from the old EAP-TLS configuration. It is largely identical to the old EAP-TLS configuration, so it should be simple to use and configure. It re-uses much of the EAP-TLS code, so it is well-tested and reliable.

Once RadSec is enabled, normal debugging mode will not work. This is because the TLS code requires threading to work properly. Instead of doing:

$ radiusd -X

you will need to do:

$ radiusd -fxx -l stdout

That’s the price to pay for using RadSec. This limitation may be lifted in a future version of the server.

PAP and User-Password

From version 3.0 onwards the server no longer supports authenticating against a cleartext password in the User-Password attribute. Any occurrences of this (for instance, in the users file) should now be changed to Cleartext-Password instead.

e.g. change entries like this:

bob User-Password = "hello"

to ones like this:

bob Cleartext-Password := "hello"

If this is not done, authentication will likely fail. The server will also print a helpful message in debugging mode.

If it really is impossible to do this, the following unlang inserted above the call to the pap module may be used to copy User-Password to the correct attribute:

if (!control:Cleartext-Password && control:User-Password) {
    update control {
        Cleartext-Password := "%{control:User-Password}"
    }
}

However, this should only be seen as a temporary, not permanent, fix. It is better to fix your databases to use the correct configuration.
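For the users file, the permanent fix can be scripted. The following is an added example, not part of the FreeRADIUS distribution: it rewrites User-Password check items to Cleartext-Password := and reports which lines changed. The function name migrate_users_text and the sample entries other than bob are hypothetical, and it assumes check items sit on the unindented first line of each entry with reply items on indented lines.

```python
import re

# Constructed sample users file (not from the page, apart from the "bob" entry).
SAMPLE = '''# constructed sample
bob User-Password = "hello"
\tReply-Message = "User-Password = x"
alice Cleartext-Password := "User-Password == trap"
carol NAS-IP-Address == 192.0.2.1, User-Password == "s3cret"
'''

# Either a double-quoted string (returned unchanged) or a User-Password check
# item using =, == or :=. The lookbehind rejects longer names that merely end
# in "User-Password"; "=~" (regex match) is deliberately not rewritten.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'
    r'|(?<![\w-])User-Password[ \t]*(?::=|==|=(?!~))[ \t]*'
)


def _fix(match):
    text = match.group(0)
    return text if text.startswith('"') else 'Cleartext-Password := '


def migrate_users_text(text):
    """Return (new_text, changed_line_numbers) for users-file content.

    Assumption: check items sit on the first line of an entry, which starts
    in column one; reply items are on indented lines. Only check lines are
    rewritten, so comments, blank lines and reply items pass through as-is.
    """
    out, changed = [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if line[:1] not in ('', ' ', '\t', '#', '\n', '\r'):
            new_line = _TOKEN.sub(_fix, line)
            if new_line != line:
                changed.append(lineno)
                line = new_line
        out.append(line)
    return ''.join(out), changed


if __name__ == '__main__':
    new_text, changed = migrate_users_text(SAMPLE)
    print(new_text, end='')
    print('rewritten lines:', changed)
```

Review the reported lines before replacing the live file, and keep the original as a backup.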