project/Development Roadmap

The contents of this page is obsolete as of 2010. It is mostly from 2006-2007.

Version 2.0
TODO
See Also

Version 2.0

The 1.0.x and 1.1.x versions of the server have served us well for the past few years. However, it is more than time for a Version 2.0, which will be taken from the existing CVS head. The changes from 1.x are many, and are highlighted here.

Full IPv6 support

The server can listen on IPv6 sockets, and can proxy requests out IPv6 sockets to IPv6 servers. It also has full support for IPv6 attributes.

Better control flow in the module sections

Some limited "if", "else", and "elsif" is now allowed in the "authorize", etc. sections. This permits branching control flow, which was impossible before.

SQL IP Pool

Dynamic IP's can be allocated from SQL.

LDAP configuration is simpler

"auto_header" directive means that the server usually can figure out what to do with the userPassword entry from LDAP.

PAP module handles all User-Password authentication

It now does clear-text password, NT Hash, Crypt, MD5 hash, SMD5, SHA1, SSHA1, etc. automatically. One instance of the PAP module can handle any combination of the above passwords at run time.

The "files" module can do more

It can be used in most sections.

Configurable Logging

Each Auth step has its own configurable Logging string

More robust proxying

Separation of home servers from realms

Separation of home server pools from realms

Load balance to home servers based on NAS IP (allows load-balancing for EAP requests)

When a home server is marked "dead", requests being proxied to it get sent to the next home server in the home server pool

"Are you alive" requests get sent to dead home servers

When they respond, they are marked alive again

TODO

Rework the rlm_sql module

Fix initial connection failure bug: If an SQL server is not available during radiusd startup then it will not be available until FreeRADIUS is restarted. radiusd SHOULD try to reconnect on new requests in the same it does when there is an SQL backend failure during normal operation.

Run the auth*_reply queries in the post-auth section instead of authorize.

Auto-discover the accounting queries based on the Acct-Status-Type attribute.

Document the differences between 2.0 and 1.x

Configurations are mostly compatible, but to take full advantage of the new features, the configurations need to be re-done using the new features.

Upgrade libtool and libltdl

Version 1.1.3 uses 1.5.22 but CVS head still uses 1.5.10

Implement EAP module changes

May have to wait till after 2.0

Port dialupadmin patches

A number of minor fixes sent by dialupadmin users were included in versions 1.0.x and 1.1.y however the whole patcheset doesn't apply cleanly in CVS head.

URGENT

scan ALL modules, so that they use consistent names for structures and variables in their instantiation (rlm_foo_t *inst), and that they call rlm_foo_detach() if anything goes wrong, instead of just free()'ing 'inst'. The cf_parse_section().. code may have malloc'd memory, and that needs to be free'd, too.
Stop unloading modules on HUP so that we can have persistant handles/socketc/etc from module_init(). Alan D. and Alan C. had a good plan for when to load/reload modules on the list recently...I say run with that.
double-check Cistron 'compat' mode, so that all current users of Cistron can upgrade "out of the box" to FreeRADIUS

MEDIUM PRIORITY

go through all of the code and reformat it, for project standards

LOW PRIORITY

Write better documentation
Manual pages for the daemon, utilities and conffiles (some done)
Fix all FIXME's in the source.
better SNMP statistics support, for the auth/acct servers, and for each client.

WAIT UNTIL NEXT RELEASE

UPDATE accounting requests aren't handled as in 1.5.4.3 for wtmp Is this a problem ? Need to fix in rlm_unix.c
New module: rlm_fastradwtmp. with a radutmp-style active session database to guarantee wtmp records are always written in matching pairs. Because radlast is slow.
replace the module_t method table with a set of register_* functions (so different instances of the same module can offer different methods)
enable server to run with child processes (This is a little more difficult than the threading changes)
switch all timers from time() to gettimeofday() so processing is less bursty
SNMP support for querying users who are on-line.
New module: rlm_nsupdate (dyndns). Because dynamic addresses are cruel.

WILL NOT DO

module initialization AFTER forking, not before. (The modules should NOT be setting up any process-dependent information.)
there should be a way that radius itself could rotate the wtmp file properly. It should write "logout" records for all users, move the file to wtmp.0, and create a new wtmp file with "login" records for all currently online users. (This work is for an external process to do)

DONE

Replace the home-made strNcpy with strlcpy
Add IPv6 support for proxy sockets
Split home servers away from Realms
go through all of the code, removing unnecessary #include's, and generating a standard include file order which will work across all platforms. (see scripts/min-includes.pl)
rad_malloc() fixes: If malloc() fails, calls exit(). It's a catastrophic error.
IPv6 (not IPv6 home server & realms, Raghu has a patch)
proxy receive rbtree stuff
rlm_perl
"listen" directive
fix radwho to read modules{radutmp{filename = }}
Add 'initialize' list in modules, so explicitely give initialization order.
merge OSF/OSFIA patches from Cistron.
Fix DBM support:
- Put DBM into its own module
- Multiple defaults (done)
- Fallthrough (hard for not DEFAULT entries)
modular radutmp and radwtmp, as per Alan Curry's old patches.
Fix multiple/conflicting VALUE names as pointed out on the list. e.g. 'Rlogin' has different values when used with different ATTRIBUTEs,
go through *.c and *.h, adding comments at the top with a copyright, and a GPL license.
Integrated Alan Curry's module failover patch.
add more support for new configuration files
Fixed potentially long locks on radutmp file by radcheck thread This means unlocking the file, forking checkrad, and then locking the file again.
get rlm_unix to work with multiple instances
partial split of rlm_files into rlm_fastusers and rlm_detail
enable server to run in threaded mode
rlm_realm module for COMPLETE control of proxying on any attribute
re-transmits of proxied packets
operator support in pairmove.
stripping Prefix/Suffix in accounting
new configuration file /etc/raddb/radius.conf
Radius proxy support.
Max-Simultaneous-Use parameter to avoid double logins.
Specify a program to be run on succesful login
Prefix/Suffix support
Change radutmp format to v2 (see radutmp.h)
move radutmp to /var/log ?
Compatibility with radius-2.0
Support for pidfile
Configurable logging: both radutmp/radwtmp and details files
session_id is not numeric but an 8-byte (?) string !
Detect reboot packet sent by portmaster and clear radutmp / wtmp
Seperate /etc/raddb/clients into public and private file (secret == secret!) Add ts-type field to clients file for checklogin.pl Better: return clients to old form (no shortname) and add a new file, "nas" or so. Matching on this file is done based on Nas-Ip-Address instead of the IP address of the sender. Better if there's a proxy in between.
Allow spaces in usernames (using " or \ to escape)
Return Proxy-State A/V pairs, in the right order.
retransmits from the terminal server get proxied with a new ID and random_vector. We should check for this!
Limit logins based on time/date (for example, Login-Hour = 8-18, Login-Day = 0-5 for business hours)
take out host-order IP addresses
Support Connect-Rate
have a config file (or section in radiusd.conf) that tells rlm_sql what the names of the tables and columns are instead of hardcoding them
split rlm_files into rlm_users, rlm_fastusers (in-memory hash), rlm_detail, they all should share as much code as possible though, not be big cut-and-paste jobs
fix the request list walking code, to scan each element no more than once per second.