Other Functionality

The following is a list of new / changed functionality.

RadSec

RadSec (or RADIUS over TLS) is now supported. RADIUS over bare TCP is also supported but is recommended only for secure networks.

See sites-available/tls for complete details on using TLS. The server can both receive incoming TLS connections and originate outgoing TLS connections.

The TLS configuration is taken from, and is largely identical to, the old EAP-TLS configuration, so it should be simple to use and to configure. It re-uses much of the EAP-TLS code, so it is well-tested and reliable.

Once RadSec is enabled, normal debugging mode will not work. This is because the TLS code requires threading to work properly. Instead of doing:

$ radiusd -X

do the following:

$ radiusd -fxx -l stdout

That’s the price to pay for using RadSec. This limitation may be lifted in a future version of the server.

PAP and User-Password

From version 3.0 onwards the server no longer supports authenticating against a cleartext password in the 'User-Password' attribute. Any occurrences (for instance, in the users file) should now be changed to 'Cleartext-Password' instead.

For example, change entries like this:

bob User-Password = "hello"

to ones like this:

bob Cleartext-Password := "hello"

If the above is not done, authentication will likely fail. The server will also print a helpful message in debugging mode.

If the above instructions really are impossible, the following unlang inserted above the call to the pap module may be used to copy User-Password to the correct attribute:

if (!control:Cleartext-Password && control:User-Password) {
    update control {
        Cleartext-Password := "%{control:User-Password}"
    }
}

However, the above should only be seen as a temporary, not a permanent, fix. It is better to fix all databases to use the correct configuration.
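For the users file, the rename described above can be scripted. The following is an added example, not part of the FreeRADIUS distribution: the function name migrate_users and the sample entries are constructed for illustration, and it assumes that legacy check items written with =, == or := should all become Cleartext-Password := as in the bob example.

```python
import re

# Constructed sample in users-file format (not taken from a real deployment).
SAMPLE_USERS = '''\
# legacy entries
bob     User-Password = "hello"
        Reply-Message = "Hello, bob"

alice   Cleartext-Password := "wonderland"

carol   NAS-IP-Address == 192.0.2.10, User-Password == "s3cret"
        Framed-IP-Address = 198.51.100.7

#dave   User-Password = "commented-out"
'''

# User-Password followed by =, == or := (assumed set of legacy operators).
# The lookbehind avoids matching inside a longer attribute name; the
# lookahead leaves operators such as =~ and =* untouched for manual review.
LEGACY = re.compile(r'(?<![\w-])User-Password\s*(?::=|==|=)(?![=~*])\s*')


def migrate_users(text):
    """Return (new_text, changed_line_numbers) for a users-file string."""
    out, changed = [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        # Check items live on the entry's first line, which starts in column 0.
        # Skip comments, blank lines and indented reply-item lines.
        is_check_line = line[:1] not in ('#', ' ', '\t', '\n', '\r')
        if is_check_line:
            new_line, n = LEGACY.subn('Cleartext-Password := ', line)
            if n:
                changed.append(lineno)
                line = new_line
        out.append(line)
    return ''.join(out), changed


if __name__ == '__main__':
    migrated, changed = migrate_users(SAMPLE_USERS)
    print(migrated, end='')
    print('rewritten lines:', changed)
```

Review the reported line numbers before replacing the live file; commented-out entries are deliberately left unchanged.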