Version 2.2.1 has been released.

Alan DeKok aland at
Tue Sep 17 23:23:04 CEST 2013

  After a long wait, we have released the 2.2.1 version of FreeRADIUS.
The focus of this release is stability.  Minor features may be added,
but the goal is to increase system stability at the cost of missing

  People interested in major new features should look at the v3 release
branch.  Our focus now is fixing the last few issues in v3, before
making a new release.

  Once v3 has been released, there will be no further new development on
Version 2.  Bug fixes and security issues will be addressed for three
(3) years after v3 has been released.

  The change log for v2.2.1 is as follows:

  Alan DeKok
  FreeRADIUS Project Leader


Feature improvements
* Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru,
  telkom, trapeze, proxim, zeus, rfc6677, 6911, and rfc6930.
* Added %{randstr:..} support. Creates random strings in a
  controllable format.
* Added operator support to rlm_python
* Added %{hex:...} for hex version of raw attribute data
* Added %{sha1:...} for SHA1 hashing of data
* Added %{base64:...} for raw attribute data (e.g. 32-bit IP addr),
  and %{tobase64:...} for the printable string form (e.g.,
  and %{base64tohex:...} to convert a base64 string to a hex string.
* rlm_expr is now responsible for registering many of the xlat
  expansions. This is cleaner than bundling them all in the server
  core. You should ensure 'expr' is listed in instantiate to ensure
  correct operation of xlat expansions.
* Use correct terminology when printing errors regarding request/
  response/message authenticators.
* Added keytab support to Heimdal Kerberos. Patch from Ryan Steinmetz.
* radsqlrelay does multiple INSERTs in one transaction.
  Patch from Uwe Meyer-Gruhl.
* Run Post-Proxy-Type Reject {} if the upstream server rejected the
* On startup, the server checks if it was linked with the correct
  OpenSSL libraries.  If not, it errors out.  This prevents later
  crashes in OpenSSL, due to library incompatibilities.
* Added radmin command "hup main.log", to re-open the log files,
  without HUPing any other part of the server.
* Added support for EAP-Key-Name.  See raddb/sites-available/default,
  and look for comments mentioning EAP-Key-Name.  MacSec now works.
* Added support for hex numbers (0x...) to %{expr: ...}
* Backported TLS client certificate validation from 3.0.0.
* Run Post-Auth for EAP inner-tunnel methods.
* Added more RFCs
* Added "show config <path>" to radmin.  You can now examine any
  configuration item in a running server.
* Added TLS-Client-Cert-X509v3-Extended-Key-Usage for TLS-based EAP
  methods.  It is set automatically from the fields in the certificate.
* Add CRLCP attribute in certificate creation script.  Windows phones
  require it.  Patch from Alan Buxey.

Bug fixes
* Skip OCSP if there's no host / port / url, with soft_fail
* Properly decode AT_IDENTITY in EAP-SIM.  Patch from Iliya Peregoudov
* Thread max_queue_size has better bounds checking.
* Use correct variable for warning message if the user misconfigures
  the server.
* radtest is more generous about parsing ppphint
* radeapclient now accepts -4 and -6, just like radclient.
  Patch from John Dennis.
* Ignore ".rpmnew" and a bunch of other files when loading config
  files from a directory.
* Wait for child threads before exiting.  This prevents errors on
  exit, but may increase exit time if databases are blocked!
  Patch from Iliya Peregoudov.
* Wrap rbtree calls in mutexes in rlm_cache to prevent memory
  corruption. Patch from Phil Mayers.
* Port fix for %{3GPP-*} expansion from master branch.
* Fix sample certificate scripts when multiple client certs are
* Track return code priorities across if/else/elsif in unlang.
  Closes #107
* In debug mode, print out DHCP options when sending a DHCP packet.
* Fixes to the redis modules from Brian Candler
* Print better debug message for LDAP "operations error"
* Fix a number of minor issues as found by Coverity
* Frees module config in order to prevent occasional crash on exit
* Update DHCP debugging messages to make it clearer what's
  going on.
* Print multiple DHCP options the correct number of times in
  debugging mode
* On debug builds, don't dlclose() modules when '-m' is used.
  This allows valgrind to show module symbols.
* Don't count Status-Server packets in Access-Request statistics
* Minor cleanups to debug output
* Be more careful handling module configurations to avoid crash
  on otherwise clean exit.
* For raddebug, correctly set the group of the output file.
* renamed dhclient to dhcpclient.  People who install it
  shouldn't have their systems broken.
* for EAP-TLS methods, random_file is no longer required.
  OpenSSL already reads /dev/urandom.
* Fix Suse and Redhat scripts.  Patches from Fajar Nugraha.
* Minor bug fix for base64 decoding.
* Allow two consecutive WiMAX TLVs of the same number.
* Remove requirement that User-Name has to match MS-CHAP-User-Name.
  I18n issues means that the character sets could be different.
* Don't use ephemeral thread states from PyGILState_Ensure(), use
  our own, generated one per thread and stored in TLS.
* Port module processing fixes from v3.  The code is simpler,
  and one or two esoteric bugs are now gone.
* update code handling max_requests_per_server.  It should now
  work correctly.
* wrap ASCTIME_R for systems not supporting the standard API.

More information about the Freeradius-Users mailing list