What is the current status and roadmap for FreeRadius?

Alan DeKok aland at deployingradius.com
Fri Mar 15 20:25:23 CET 2019

On Mar 15, 2019, at 2:47 PM, Joshua Marshall <j.marshall at arroyo.io> wrote:
> Thank you for the speedy reply.  We're implementing stuff with FreeRadius
> and are having to abuse it in a few unorthodox ways.  Config files with
> silent errors or misconfigurations, using what seems to be undocumentd
> interactions with LDAP to handle passwords securely -- challenges which
> feel like they're from a bygone era.

  I'm not sure what that means.  What are "config files with silent errors"?

  What do you mean by "undocumented interactions with LDAP to handle passwords securely"?

  The server reads user passwords from LDAP in any format needed  i.e. crypt, MD5 hash, etc.

  When you configure FreeRADIUS with an LDAP administration account, you have to put the admin password in cleartext in the configuration files.  That's how passwords work...

  If you don't want admin passwords in cleartext, use client certificates.  That's what client certificates are for.

> Looking at the roadmap, and you've probably had to answer these before, why
> not switch the codebase to C++ which has wrapped up much of the threading
> and modularization work already and has a number of good libraries to
> handle networking?

  Uh... really?

  Why not *you* contribute something, instead of asking that other people do *more work*, just to satisfy your desire for engineering purity?

  Are you aware of the cost of re-writing a large software project?  And are you aware that FreeRADIUS has maybe 3 contributors, none of whom work on it full time?

  If you don't like FreeRADIUS, contribute something to make it better.  Or, go write your own RADIUS server.

>  Why not use Antlr4 to run your grammars and make start
> and runtime problems more apparent as well as providing a more robust
> parsing method?

  Neither GCC nor CLANG use auto-generated parsers.  They both use hand-written recursive descent parsers.  Why not go ask them to "fix" their product to suit your desires?

> What we are really feeling over here is a lack of modern behavior and
> features.

  What the heck does that mean?  Perhaps you could discuss facts instead of feelings. 

  What is a "modern feature" in a RADIUS server?  C++?  How does C++ affect the RADIUS protocol?  (hint: it doesn't).

>  Which isn't just one thing, but an enormous amount of work and
> polish.  That isn't a thing we could ever just ask for and get -- it iosn't
> that easy and we know that.  But to know what is OK to ask and what might
> be possible requires context.

  OK, you're asking that *other* people do work to keep *you* happy.  That's not really a polite thing to do.

  Plus, you're not giving any concrete facts to support your argument.  And your comments about LDAP show you're not really clear on how it works today.

  We're willing to fix bugs and to answer questions.  But your comments are vague, confused, and unhelpful.  Please do better.

  Alan DeKok.

More information about the Freeradius-Users mailing list