Configuration changes
require_message_authenticator=auto
andlimit_proxy_state=auto
are not applied for wildcard clients. This likely will leave your network in an insecure state. Upgrade all clients!
Feature improvements
- Allow for "auth+acct" dynamic home servers.
- Allow for setting "Home-Server-Pool", etc. for proxying accounting packets, just like authentication packets.
- Fix spelling in starent
SN[1]-Subscriber-Acct-Mode
attribute value. Patch from John Thacker. - Update dictionary.iea. Patch from John Thacker.
- Add warning for secrets that are too short.
- More debugging for SSL ciphers. Patch from Nick Porter.
- Update 3GPP dictionary. Patch from Nick Porter.
- Fix ZTE dictionary.
- Make radsecret more portable and avoid extra dependencies.
- Add timestamp for Client-Lost so we don't think it's 1970. Patch from Alexander Clouter. #5353
Bug fixes
- Dynamic clients now inherit
require_message_authenticator
andlimit_proxy_state
from dynamic client {...} definition. - Fix radsecret build rules to better support parallel builds.
- Checkpoint systems should be reconfigured for the BlastRADIUS attack: https://support.checkpoint.com/results/sk/sk182516 The Checkpoint systems drop packets containing Message-Authenticator, which violates the RFCs and is completely ridiculous.
- Fix duplicate CoA packet issue. #5397
- Several fixes in the event code
- Don't leak memory in rlm_sql_sqlite. #5392
- Don't stop processing RadSec data too early.