Freeradius Upgrade from 3.0.1 to 3.2.2

Alan DeKok aland at deployingradius.com
Tue Feb 21 22:47:47 UTC 2023


On Feb 21, 2023, at 4:47 PM, Steven Walters <steven.walters1 at gmail.com> wrote:
> Below is debug from version 3.0.1

  To be honest... 3.0.1 is about ten years old.  We're not going to worry a lot about compatibility with every little piece of it.

  Plus, there have been many bug fixes since then, including security fixes.  If you don't like people attacking your RADIUS server, it should have been updated regularly.

> ...
> Below is debug from version 3.2.2
> ...
> (5)     [ldap-mobile] = updated
> (5)     if (!ok) {

  Change that to:

	if (!ok && !updated) {
		...

  and it will work.

> Any advice would be appreciated?

  Upgrade regularly.

  Plus, it helps to explain *why* you have this configuration.  You generally don't have to explicitly reject users who don't have passwords. The server will do this automatically.

  So you don't need a "if not found in LDAP, reject" configuration.  Just check LDAP.  If the user isn't found, they won't have a password read from LDAP.  And the server won't be able to authenticate them.

  Alan DeKok.


