not logged in | [Login]

The contents of this page is obsolete as of 2010. It is mostly from 2006-2007.

Table of Contents

Version 2.0

The 1.0.x and 1.1.x versions of the server have served us well for the past few years. However, it is more than time for a Version 2.0, which will be taken from the existing CVS head. The changes from 1.x are many, and are highlighted here.

Full IPv6 support
The server can listen on IPv6 sockets, and can proxy requests out IPv6 sockets to IPv6 servers. It also has full support for IPv6 attributes.
Better control flow in the module sections
Some limited "if", "else", and "elsif" is now allowed in the "authorize", etc. sections. This permits branching control flow, which was impossible before.
Dynamic IP's can be allocated from SQL.
LDAP configuration is simpler
"auto_header" directive means that the server usually can figure out what to do with the userPassword entry from LDAP.
PAP module handles all User-Password authentication
It now does clear-text password, NT Hash, Crypt, MD5 hash, SMD5, SHA1, SSHA1, etc. automatically. One instance of the PAP module can handle any combination of the above passwords at run time.
The "files" module can do more
It can be used in most sections.
Configurable Logging
Each Auth step has its own configurable Logging string
More robust proxying
Separation of home servers from realms
Separation of home server pools from realms
Load balance to home servers based on NAS IP (allows load-balancing for EAP requests)
When a home server is marked "dead", requests being proxied to it get sent to the next home server in the home server pool
"Are you alive" requests get sent to dead home servers
When they respond, they are marked alive again


Rework the rlm_sql module
Fix initial connection failure bug: If an SQL server is not available during radiusd startup then it will not be available until FreeRADIUS is restarted. radiusd SHOULD try to reconnect on new requests in the same it does when there is an SQL backend failure during normal operation.
Run the auth*_reply queries in the post-auth section instead of authorize.
Auto-discover the accounting queries based on the Acct-Status-Type attribute.
Document the differences between 2.0 and 1.x
Configurations are mostly compatible, but to take full advantage of the new features, the configurations need to be re-done using the new features.
Upgrade libtool and libltdl
Version 1.1.3 uses 1.5.22 but CVS head still uses 1.5.10
Implement EAP module changes
May have to wait till after 2.0
Port dialupadmin patches
A number of minor fixes sent by dialupadmin users were included in versions 1.0.x and 1.1.y however the whole patcheset doesn't apply cleanly in CVS head.


  • scan ALL modules, so that they use consistent names for structures and variables in their instantiation (rlm_foo_t *inst), and that they call rlm_foo_detach() if anything goes wrong, instead of just free()'ing 'inst'. The cf_parse_section().. code may have malloc'd memory, and that needs to be free'd, too.
  • Stop unloading modules on HUP so that we can have persistant handles/socketc/etc from module_init(). Alan D. and Alan C. had a good plan for when to load/reload modules on the list recently...I say run with that.
  • double-check Cistron 'compat' mode, so that all current users of Cistron can upgrade "out of the box" to FreeRADIUS


  • go through all of the code and reformat it, for project standards


  • Write better documentation
  • Manual pages for the daemon, utilities and conffiles (some done)
  • Fix all FIXME's in the source.
  • better SNMP statistics support, for the auth/acct servers, and for each client.


  • UPDATE accounting requests aren't handled as in for wtmp Is this a problem ? Need to fix in rlm_unix.c
  • New module: rlm_fastradwtmp. with a radutmp-style active session database to guarantee wtmp records are always written in matching pairs. Because radlast is slow.
  • replace the module_t method table with a set of register_* functions (so different instances of the same module can offer different methods)
  • enable server to run with child processes (This is a little more difficult than the threading changes)
  • switch all timers from time() to gettimeofday() so processing is less bursty
  • SNMP support for querying users who are on-line.
  • New module: rlm_nsupdate (dyndns). Because dynamic addresses are cruel.


  • module initialization AFTER forking, not before. (The modules should NOT be setting up any process-dependent information.)
  • there should be a way that radius itself could rotate the wtmp file properly. It should write "logout" records for all users, move the file to wtmp.0, and create a new wtmp file with "login" records for all currently online users. (This work is for an external process to do)


  • Replace the home-made strNcpy with strlcpy
  • Add IPv6 support for proxy sockets
  • Split home servers away from Realms
  • go through all of the code, removing unnecessary #include's, and generating a standard include file order which will work across all platforms. (see scripts/
  • rad_malloc() fixes: If malloc() fails, calls exit(). It's a catastrophic error.
  • IPv6 (not IPv6 home server & realms, Raghu has a patch)
  • proxy receive rbtree stuff
  • rlm_perl
  • "listen" directive
  • fix radwho to read modules{radutmp{filename = }}
  • Add 'initialize' list in modules, so explicitely give initialization order.
  • merge OSF/OSFIA patches from Cistron.
  • Fix DBM support:
    • Put DBM into its own module
    • Multiple defaults (done)
    • Fallthrough (hard for not DEFAULT entries)
  • modular radutmp and radwtmp, as per Alan Curry's old patches.
  • Fix multiple/conflicting VALUE names as pointed out on the list. e.g. 'Rlogin' has different values when used with different ATTRIBUTEs,
  • go through *.c and *.h, adding comments at the top with a copyright, and a GPL license.
  • Integrated Alan Curry's module failover patch.
  • add more support for new configuration files
  • Fixed potentially long locks on radutmp file by radcheck thread This means unlocking the file, forking checkrad, and then locking the file again.
  • get rlm_unix to work with multiple instances
  • partial split of rlm_files into rlm_fastusers and rlm_detail
  • enable server to run in threaded mode
  • rlm_realm module for COMPLETE control of proxying on any attribute
  • re-transmits of proxied packets
  • operator support in pairmove.
  • stripping Prefix/Suffix in accounting
  • new configuration file /etc/raddb/radius.conf
  • Radius proxy support.
  • Max-Simultaneous-Use parameter to avoid double logins.
  • Specify a program to be run on succesful login
  • Prefix/Suffix support
  • Change radutmp format to v2 (see radutmp.h)
  • move radutmp to /var/log ?
  • Compatibility with radius-2.0
  • Support for pidfile
  • Configurable logging: both radutmp/radwtmp and details files
  • session_id is not numeric but an 8-byte (?) string !
  • Detect reboot packet sent by portmaster and clear radutmp / wtmp
  • Seperate /etc/raddb/clients into public and private file (secret == secret!) Add ts-type field to clients file for Better: return clients to old form (no shortname) and add a new file, "nas" or so. Matching on this file is done based on Nas-Ip-Address instead of the IP address of the sender. Better if there's a proxy in between.
  • Allow spaces in usernames (using " or \ to escape)
  • Return Proxy-State A/V pairs, in the right order.
  • retransmits from the terminal server get proxied with a new ID and random_vector. We should check for this!
  • Limit logins based on time/date (for example, Login-Hour = 8-18, Login-Day = 0-5 for business hours)
  • take out host-order IP addresses
  • Support Connect-Rate
  • have a config file (or section in radiusd.conf) that tells rlm_sql what the names of the tables and columns are instead of hardcoding them
  • split rlm_files into rlm_users, rlm_fastusers (in-memory hash), rlm_detail, they all should share as much code as possible though, not be big cut-and-paste jobs
  • fix the request list walking code, to scan each element no more than once per second.

See Also