[Help-gnu-radius] Radius 1.2 released.


From: Sergey Poznyakoff
Subject: [Help-gnu-radius] Radius 1.2 released.
Date: Mon, 08 Dec 2003 13:58:10 +0200

Hello,

I am pleased to announce the release of GNU Radius 1.2.

GNU Radius is available from ftp://ftp.gnu.org/gnu/radius and
the mirror sites worldwide (see http://www.gnu.org/order/ftp.html
for the list of those).

The MD5 checksums of the files are:

99b5e96118bc79178317eb72819d7027  radius-1.2.tar.bz2
41efba1332ff563e1f88f2aba04d9d24  radius-1.2.tar.gz

The list of user-visible changes is attached.

I would like to thank Maurice Makaay and Gerald Coon for
their patches, suggestions and kind help in running the
help-gnu-radius mailing list.

Thanks to all of you for your help.

Regards,
Sergey

Version 1.2: User-Visible Changes

* Important notes for upgrading from earlier versions of GNU Radius

** Upgrade your dictionaries.

This version performs very strict semantic checking of the dictionary
files. Old dictionaries may produce lots of warnings and
errors, therefore you are advised to upgrade them. To do so,
run `make update-dictionary'. It will update your main
(raddb/dictionary) and secondary dictionaries (raddb/dict/*),
preserving any changes you made to the former.

Notice that, starting from this version, the default main dictionary
file will not contain any attribute declarations; instead it will
merely include the necessary dictionaries. However, you may add your
declarations to it and modify it to your liking.

Any modifications to the dictionary files in raddb/dict are now
strongly discouraged, as these files will be updated by each new
release. Put your modifications in the main dictionary file only.
This file will remain unchanged during subsequent installs.

Two new statements are provided to help you customize your dictionary.
See section `** Dictionary' below.

** Update your raddb/config and raddb/rewrite

The rewrite procedures are no longer stored in a single file
`radiusd/rewrite'; instead they may occupy several source files.
The rewrite procedures shipped with this version of GNU Radius
are installed in ${prefix}/share/radius/1.2/rewrite. We strongly
advise you to add the following statement to your raddb/config:

rewrite {
        load "checknas.rw";
        load "log-hook.rw";
};

You may then remove the old raddb/rewrite file, *unless* you have
modified it.

If you have modified it, follow the procedure described below:

1. Load this file by adding the following statement to the above
`rewrite' block:

        load "rewrite";

2. Make sure to remove from this file or rename the following functions:
check_snmp_u, check_snmp_s, decimal, check_max_finger, check_unix.

** Tailor log file format.

The format of the log file is now fully customizable via special Rewrite
procedures called "hooks" (search for logging-hook in the text below
for the detailed description). To revert to the logfile format used in
versions 1.0-1.1, add the following two statements to your raddb/config,
right after the `logging {' line:

        prefix-hook "compat_log_prefix";
        suffix-hook "compat_log_suffix";

** Using Guile extensions

If you are using Guile extensions, notice that the default location
for Radius scheme modules is now ${prefix}/share/radius/1.2/scheme.
        
* New features:

** Support for Status-Server request.

** Support for Tunnel Protocol (RFC 2865)

** The main configuration file raddb/config allows several Rewrite
source files to be loaded instead of the single predefined
file raddb/rewrite.

** Arbitrary Rewrite expressions may be used in A/V pairs, for example:

DEFAULT      Auth-Type = SQL
             Framed-IP-Address =
                   "=10.10.10.1 + %[NAS-Port-Id]/16 + %[NAS-Port-Id]"

** Test shell mode considerably improved.

** The internal attributes do not appear in detailed logs. The
special flag 'l' has been added to the dictionary syntax to
turn this feature off. Thus, for example:

ATTRIBUTE Orig-User-Name  2101  string  - [L--R-R]l

will make Orig-User-Name attribute visible in detailed log files.

** Changes to Rewrite language

*** usual dotted-quad notation may be used to represent IP numbers.

*** a number of new built-in functions is added

*** #pragma regexp alters the type of regular expressions
used. The rest of the line following `#pragma regexp' must consist of
whitespace-separated regexp modifiers. Each regexp modifier is one
of the following keywords:

  extended      Use extended regular expressions
  icase         Ignore case
  newline       Match-any-character operators don't match a newline.

optionally preceded by plus, indicating enabling the feature, or
minus, indicating disabling it.

Default is `-extended -icase -newline'.

** Realms

*** New flags "auth" and "acct" select which type of requests is
to be proxied to the remote server. For example, the statement:

some.realm   remote.server.net    auth

will send only authentication requests to the server `remote.server.net'.

*** New boolean flag "ignorecase". When set, enables case-insensitive
comparison for realm names.

** New configuration file statements

*** radiusd-user <username>

Instructs radiusd to drop root privileges and to switch to the uid / gid
of the given user right after becoming a daemon.

*** forward ip[:port]...

This statement can be used in `auth' and `acct' blocks to request
forwarding of the requests to remote server or servers. It has the
same syntax as `listen' statement. Forwarding differs from proxying
in that the requests are sent to the remote server *and* processed
locally. The remote server is not expected to reply. This mode is
intended primarily for debugging purposes. It could also be useful in
some very complex configurations. See examples/config.status for
examples of the `forward' statements.

*** trace-rules {yes|no}

Enables tracing of configuration rules matched while processing
requests. The statement may be used in `auth' and `acct' blocks.
An example of the information appearing in trace mode:

Oct 31 11:37:17 [28322]: Auth.info: (Access-Request foo 170 bar):
rule trace: /etc/raddb/users:157,22,3; huntgroups:72; hints:34

This means that when processing an authentication request
from server `foo' for user `bar' with ID 170, the following rules
led to the decision on whether to accept or reject the request:

file hints      line 34
file huntgroups line 72 
file users      line 3
file users      line 22
file users      line 157

Notice that the rules are listed in reverse chronological order
(the last processed is listed first) and that the full pathname
appears only on the first file.
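
A parser for the trace line shown above, as an added example that is not
part of GNU Radius or of the original announcement. It expands the
compact list into processing order; the function names are hypothetical,
and resolving the later file names against the directory of the first
one is an assumption based on the note above.

```python
import posixpath
import re
from collections import Counter

# Constructed sample: the announcement's example joined onto one line
# (assumption: radiusd writes the trace as a single log line).
SAMPLE = ("Oct 31 11:37:17 [28322]: Auth.info: (Access-Request foo 170 bar): "
          "rule trace: /etc/raddb/users:157,22,3; huntgroups:72; hints:34")

TRACE_RE = re.compile(
    r"\((?P<type>\S+) (?P<nas>\S+) (?P<id>\d+) (?P<user>\S+)\):\s+"
    r"rule trace:\s*(?P<trace>.+)$")


def parse_rule_trace(line):
    """Return request fields plus matched rules in processing order, or None."""
    m = TRACE_RE.search(line.strip())
    if m is None:
        return None  # not a rule-trace line
    rules, base_dir = [], None
    for group in m.group("trace").split(";"):
        path, sep, numbers = group.strip().rpartition(":")
        if not sep or not path:
            raise ValueError("malformed trace group: %r" % group)
        if base_dir is None:
            base_dir = posixpath.dirname(path)  # only the first file is absolute
        elif not posixpath.isabs(path):
            path = posixpath.join(base_dir, path)
        rules.extend((path, int(n)) for n in numbers.split(","))
    rules.reverse()  # the log lists the last processed rule first
    return {"type": m.group("type"), "nas": m.group("nas"),
            "id": int(m.group("id")), "user": m.group("user"), "rules": rules}


def rule_hit_counts(lines):
    """Count how often each (file, line) rule appears across trace lines."""
    hits = Counter()
    for line in lines:
        parsed = parse_rule_trace(line)
        if parsed:
            hits.update(parsed["rules"])
    return hits


if __name__ == "__main__":
    for path, lineno in parse_rule_trace(SAMPLE)["rules"]:
        print("%s line %d" % (path, lineno))
```

Running rule_hit_counts over a day of trace output shows which lines of
raddb/users actually decide requests and which never fire.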

*** reject-malformed-names {yes|no}

Used in the `auth' block. Normally radiusd does not send an access-reject
message if the access-request contained an invalid user name. Setting
this option to `yes' alters this behavior.

*** listen no

This is a special form of `listen' statement that disables a
particular service. Placing

acct {
     listen no;
};

will effectively disable the accounting server.

** The amount of information output in logs is configurable via the
use of logging-hook rewrite functions. There are two kinds of such hooks:
prefix hooks, which generate text to be displayed before the diagnostic
message, and suffix hooks, which produce text to be displayed after it.
Hooks of either kind may be global, affecting any logging messages that
deal with incoming requests, or category-specific, affecting only
messages pertaining to the given category.

The logging-hook rewrite function should take three arguments and return
a string. See examples/config.syntax and raddb/log-hook.rw for an example.

** File raddb/rewrite is no longer installed. The Rewrite sources are
installed under $prefix/share/radius/1.2/rewrite. 

** Dictionary

Redefinition of an attribute produces a warning message. In future
releases it will be considered an error.

There are two new statements: ALIAS and PROPERTY. ALIAS statement
defines an alternative name for an attribute. PROPERTY redefines
the attribute properties.

Flag 'E' marks attributes encrypted as per RFC 2138. Currently
these are User-Password and CHAP-Password. 

Flag 'T' marks attributes encrypted as per RFC 2868.

** Both raddb/naslist and raddb/clients files allow hosts to be
specified using CIDR notation, for example:

10.10.0.0/24                    nas-1   as5600  community=public
10.10.10.1/255.255.255.224      nas-2   true

The DEFAULT keyword is also accepted in both files.
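
Which client addresses the two entries above cover, as an added example
that is not GNU Radius code. It assumes host bits in the address part
are masked off (standard CIDR handling) and that the first matching line
wins; the announcement does not describe radiusd's own lookup order, and
the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the two entries from the announcement plus a
# constructed DEFAULT line (its short name and type are made up).
SAMPLE = """\
10.10.0.0/24                    nas-1   as5600  community=public
10.10.10.1/255.255.255.224      nas-2   true
DEFAULT                         other   true
"""


def parse_naslist(text):
    """Parse naslist-style lines into dicts; 'net' is None for DEFAULT."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("expected at least host and name: %r" % raw)
        host = fields[0]
        # strict=False masks off host bits, so 10.10.10.1/255.255.255.224
        # becomes 10.10.10.0/27. Hostname entries are out of scope here and
        # raise ValueError.
        net = None if host == "DEFAULT" else ipaddress.ip_network(host, strict=False)
        entries.append({"net": net, "name": fields[1],
                        "type": fields[2] if len(fields) > 2 else None,
                        "args": fields[3:]})
    return entries


def lookup(entries, addr):
    """Return the first entry covering addr (assumed first-match order)."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if entry["net"] is None or ip in entry["net"]:
            return entry
    return None
```

The netmask form with a host address, 10.10.10.1/255.255.255.224,
admits every source from 10.10.10.0 through 10.10.10.31, so the shared
secret on that line applies to all 32 addresses, not to one host.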

* Emacs files: Improved radconf-mode.el

* Deprecated features:

** Explicit use of Add-Port-To-IP-Address is no longer allowed.

* Bugfixes
** Renamed LIST to RAD_LIST to eliminate possible name clashes with the
other libraries (namely, libmysqlclient)
** Choose the strictest timeout value between the one imposed by Login-Time
attribute and the one set using Session-Timeout attribute.
** Use sigaction for signal handling whenever it is available.
** Fixed coredumps after unsuccessful error recovery in raddb/users
file.
