
FreeRADIUS

vrelease_3_2_9 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 2d Network Security

✓ No known CVEs patched in this version

Topics

aaa arp authentication bfd c daemon
dhcp dot1x eap freeradius-server otp policy posix radius vmps

Affected surfaces

auth

Summary

AI summary

Configuration changes add Protocol-Error support, reconnect intervals, cipher suites, and default secret suppression; feature improvements include Protocol-Failure draft implementation, Error-Cause attributes, and various policy tweaks; numerous bug fixes address scalability, EAP issues, TLS handling, and socket edge cases.

Changes in this release

Feature Low

Add `protocol_error = yes` configuration to clients.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

radclient can suppress Message-Authenticator in Access-Request when the input packet contains `Message-Authenticator !* ANY`. Not for production use.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Set `suppress_secrets = true` by default in new installations.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Add `connect_fail_interval` to home_server configuration for retry delay.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Add `certificate_fail_interval` to home_server configuration for TLS cert validation failures.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Add `update` section to home_server configuration to customize Status-Server packets.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Add `cipher_suites` option to tls{} configuration for TLS‑PSK with TLS 1.3.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Initial implementation of Protocol‑Failure per IETF draft, disabled by default.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Always allow Protocol‑Error packet as valid response to any RADIUS packet.


Source: llm_adapter@2026-06-02

Confidence: high

Feature Low

Add Error-Cause attributes to CoA-NAK and Disconnect-NAK responses.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Feature Low

Added filter_username_nai policy for eduroam use cases.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Feature Low

Allow 389ds legacy PBKDF2_SHA256 to use arbitrary iteration count.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Feature Low

Amend insert_acct_class/acct_unique policy for environments with multiple Class attributes.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Feature Low

Tweak sqlippool log messages for clarity.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Feature Low

Log message when server receives correctly authenticated proxy response with unexpected code.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Medium

Fix rlm_cache_redis driver to reconnect on connection failure (Fixes #5651).


Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Low

Fix RadSec issues.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Address scalability‑related socket and event handling bugs.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Fix EAP-MSCHAPv2, EAP-PWD, and EAP-MD5 issues.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Fix run_dir handling (Fixes #5637) and MemoryLimit configuration (Fixes #5639).


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Disable PCRE JIT at runtime if executable memory allocation fails.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Set SELinux boolean to allow PCRE2 JIT usage.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Prevent systemd spam when clock is set far in future (Fixes #5642).


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Avoid loading OpenSSL legacy provider with --enable-fips-workaround (Fixes #5644).


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Address potential memory leaks when opening many RADIUS/TLS proxy sockets.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Encode multiple DHCP Option 82 as a single option instead of multiple options.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Fix rlm_dpsk support for dynamic filenames.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Prevent crashes in corner cases during Post-Proxy-Type Fail processing.


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Correct name offsets in rlm_proxy_rate_limit (Fixes #5675).


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Bugfix Low

Push fallback virtual server handling to child thread (Fixes #5679).


Source: granite4.1:30b@2026-06-02-audit

Confidence: low

Full changelog

Configuration changes

  • Add protocol_error = yes configuration to clients. If set, the server can return Protocol-Error responses to the client.
  • radclient can now suppress Message-Authenticator in Access-Request, when the input packet contains `Message-Authenticator !* ANY`. Don't use this in production!
  • Set suppress_secrets = true by default.
  • Add connect_fail_interval to home_server configuration. If a connection fails, the server will wait this time before trying to connect again.
  • Add certificate_fail_interval to home_server configuration. If a connection succeeds but the home_server certificate is invalid, the server will wait this time before trying to connect again.
  • Add update section to home_server configuration. Status-Server packets can therefore be customized.
  • Add cipher_suites to tls{} configuration. See raddb/sites-available/tls. This is mainly used to set the cipher suites for TLS-PSK with TLS 1.3.

Feature improvements

  • Initial implementation of Protocol-Failure as per IETF draft. The functionality is disabled by default, but can be enabled via new configuration flags.
  • Always allow Protocol-Error packet as valid response to any packet.
  • Add Error-Cause attributes to CoA-NAK and Disconnect-NAK.
  • Added filter_username_nai to policy.d/filter, mainly for use in eduroam.
  • Updates to VSCode default configuration.
  • Cleanups and add log messages for rlm_proxy_rate_limit.
  • Allow 389ds legacy PBKDF2_SHA256 to use arbitrary iteration count. (#5654)
  • Amend policy insert_acct_class/acct_unique to work in environments with multiple Class attributes (#5337)
  • Tweak sqlippool messages to make them clearer.
  • Print log message if the server receives a correct authenticated proxy response packet, but which has an unexpected code. e.g. received Access-Accept in response to an Accounting-Request.
  • New installations now set "suppress_secrets=true" by default. The server also prints messages in debug mode which explains why the secrets are being suppressed.
  • Allow parallel build for Debian. Fixes #5774.
  • Add RTBrick and other dictionaries.
  • Add documentation for ntlm_auth and spaces in passwords. Addresses #5654.

Bug fixes

  • Many minor bug fixes and cleanups.
  • Fixes to RadSec.
  • Many other fixes to socket and event handling, which enable increased scalability.
  • Fix issues found with EAP-MSCHAPv2, EAP-PWD, and EAP-MD5.
  • Fix run_dir (#5637) and MemoryLimit (#5639).
  • Disable the PCRE JIT at run time if it can't allocate executable memory.
  • Set SELinux boolean to allow PCRE2 JIT.
  • If you set the clock 25 years in the future, don't spam systemd. Fixes #5642.
  • Don't load the OpenSSL legacy provider when built with --enable-fips-workaround. Fixes #5644.
  • Address potential leaks when opening many RADIUS/TLS proxy sockets.
  • Encode multiple DHCP Option 82 as one option, instead of as multiple options.
  • Update the rlm_cache_redis driver to reconnect on connection failure. Fixes #5651.
  • Tweaks to the processing state machine to handle more corner cases / race conditions. Thanks to Paul Dekkers for testing.
  • Don't close the main listen socket for TCP. Fixes #5661.
  • Fix rlm_dpsk to properly support dynamic filenames.
  • Don't crash in corner cases when running Post-Proxy-Type Fail.
  • Use correct name offsets in proxy_rate_limit. Fixes #5675.
  • Push fallback virtual server to child thread. Fixes #5679.
  • Correct corner case in hash table. Fixes #5680.
  • Allow new proxy sockets after reaching "too many sockets", when we close an existing proxy connection. Fixes #5964.
  • Fix consistent load balancing. Fixes #5770.
  • Address pthread APIs. Fixes #5772.
  • Install headers needed to build modules. Fixes #5778.
  • Initialize scope in IPv6 address lookups. Fixes #5798.
  • Don't load legacy provider on --enable-fips-workaround. Fixes #5775.
  • Hoist mutex lock in TLS sockets. Fixes #5480.
  • Fix occasional EAP-PWD authentication failure.
  • Fix memcache storing of dates.
  • Add more debugging information for TEAP. TEAP has limited utility, due to the incompleteness of the spec, and the severe limitations of the Windows TEAP supplicant.
  • Return stats for "auth+acct" home servers. Fixes #5866.


About FreeRADIUS

FreeRADIUS - A multi-protocol policy server.
