Mideye Server Release Notes

4.7.2

Released 2018-11-19

Bugfix: Offline challenge (Mideye+) when phone not reachable, authentication type = 2, MSCHAPv2
In previous releases 4.6.X and 4.7.X, the manual offline challenge was not displayed for authentication type 2 (mobile) when MSCHAPv2 was used.
Bugfix: Framed IP Address not returned for all IP addresses
In previous releases 4.6.X and 4.7.X, the Framed IP Address (RADIUS attribute 8) was not returned for IP addresses that were represented by a positive integer in Active Directory.

4.7.1

Released 2018-09-28

Feature: Support for EAP-authentication
Mideye now forwards any incoming RADIUS packets that use EAP authentication to Microsoft NPS.
Bugfix: Proxy-State
Mideye is now handling Proxy-State (attribute 33) correctly according to RFC 2865.
Bugfix: User filtering for MS-CHAP-V2 and EAP
User-filtering for RADIUS-clients is now working for MS-CHAP-V2 and EAP. Before release 4.7.1, user-filtering only worked for PAP.
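The Proxy-State handling mentioned in the bugfix above is easy to get wrong, so here is an added illustration (not Mideye's own code) of what RFC 2865 requires of a RADIUS server reply: every Proxy-State (attribute 33) from the request is copied unmodified and in order into the reply, and the Response Authenticator covers it. The request, authenticator and shared secret are constructed samples.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, REPLY_MESSAGE, PROXY_STATE = 1, 18, 33


def encode_attributes(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs: type, length incl. header, value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def parse_attributes(data):
    """Parse TLVs in order; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes) of a RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], parse_attributes(pkt[20:length])


def build_request(ident, authenticator, attrs):
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_reply(request, code, reply_attrs, secret):
    """Build the server's reply to an Access-Request.

    Every Proxy-State (33) attribute of the request is appended to the reply,
    unmodified and in the original order (RFC 2865 section 5.33), and the
    Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    (RFC 2865 section 3), so a proxy can verify the reply before stripping its state.
    """
    _, ident, req_auth, req_attrs = parse_packet(request)
    proxy_states = [(t, v) for t, v in req_attrs if t == PROXY_STATE]
    body = encode_attributes(list(reply_attrs) + proxy_states)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def proxy_states_of(pkt):
    return [v for t, v in parse_packet(pkt)[3] if t == PROXY_STATE]


def response_authenticator_ok(reply, request_authenticator, secret):
    """The check a proxy or NAS performs before trusting a reply."""
    header, given, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(given, expected)


# Constructed sample: a NAS request relayed through two proxies, each of which
# added its own Proxy-State. The authenticator is fixed here; real clients use
# 16 random bytes per request.
REQUEST_AUTHENTICATOR = bytes(range(16))
SHARED_SECRET = b"constructed-secret"
SAMPLE_REQUEST = build_request(7, REQUEST_AUTHENTICATOR, [
    (USER_NAME, b"alice"),
    (PROXY_STATE, b"proxy-1:session-42"),
    (PROXY_STATE, b"proxy-2:req-9"),
])
```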

4.6.5.1

Released 2018-05-15

Bugfix: Enabling Event-viewer logging for Windows Server caused Mideye-Radius service to crash
When enabling Event-viewer logging and restarting the Mideye-services, Mideye-RADIUS did not start.

4.6.5

Released 2018-01-26

Feature: Token-coupled Mideye+
With this feature, an OTP from a token card (MiniToken or YubiKey) is required when activating the Mideye+ app. As an enhanced security setting, RADIUS clients can be configured to only accept login with token-coupled Mideye+ apps or token cards.
Feature: Bundled JRE
The Java Runtime Environment (JRE) is now bundled with the Mideye installation package and does not need to be installed separately.
Feature: Automatic read of Framed IP Address (RADIUS attribute 8) from Active Directory
As an option, Mideye reads the static IP Address (IP v4 only) assigned in Active Directory and returns it in the RADIUS Access Accept, attribute 8 (Framed IP Address).
Bugfix: Incorrect logging of failed OTP deliveries
When authentication type 6,7 or 8 (Touch) is selected, failed OTP deliveries for users without Mideye+ are now logged with the correct error message ('Phone not reachable').
Bugfix: Multiple groups when using regex
Mideye Config Tool -> LDAP Servers -> Groups. Multiple LDAP groups can be specified using Java regular expressions. (Previously, only a single group could be specified when regular expressions were used).
Bugfix: LDAP profile created with an invalid password
Mideye Config Tool -> LDAP Servers. Fix of a bug that caused unexpected behavior/error messages in case an LDAP profile was created with an invalid LDAP account password.
Bugfix: Hanging web admin when MySQL connection lost
Fix of problem with hanging web admin when MySQL database connection was lost.

4.5.2

Released 2017-06-15

Feature: Support for Touch login with Microsoft Remote Desktop Services
By using authentication type 6 (Touch) it is possible to log in with Microsoft Remote Desktop Services (MS RDS) without using challenge-response. This means two-factor authentication with mobile phones can be achieved with the built-in RADIUS support in MS RDS.
Feature: Support for simplified Mideye+ activation
A new way to activate Mideye+ is introduced. A user no longer needs to enter the mobile phone number manually in the app. The user can activate Mideye+ by entering a '+' sign after the OTP in the challenge dialogue.
Feature: Support for authentication with YubiKey tokens
YubiKey tokens compatible with Mideye can be ordered from Mideye support. It is possible to specify a YubiKey identifier in the format 'ubbc0[7 digits]' as a valid token number.
Bugfix: Root password to the administrative web interface is lost during an upgrade
In previous versions of the Mideye Server package for Windows, the root password to the administrative web interface was lost during upgrade.

4.4.4

Released 2017-03-01

Feature: LDAP-RADIUS translation with MS-CHAP
RADIUS attributes obtained from LDAP-RADIUS translation can now be returned in MS-CHAP Access Accept messages for authentication types PASSWORD (type 1) and TOUCH (types 6, 7 and 8). Previously, this was only possible with authentication types Mobile (type 2) and Token (type 3) when using MS-CHAP. (For PAP, attributes can be included for all authentication types).
Feature: Enhanced multiple-click suppression
The (optional) multiple-click suppression feature is enhanced to discard events where the user ignores or cancels OTP prompts.
Bugfix: Authentication Attempts logs
Two bugfixes relating to the Authentication Attempt logs in the administrative web interface.
  • RADIUS client ID is now included also in case of challenge-response timeout when using MS-CHAP (previously this information was missing).
  • Rejects due to OTP spam filter are now explained in the info column also when using MS-CHAP (previously this information was missing).
Bugfix: Upgrade scripts for Linux
Previously, the root user password for the administrative web interface was reset during the upgrade procedure. This is now fixed for Linux, but the problem remains in Windows (this will be addressed in the next release).

4.4.3

Released 2017-02-10

Bugfix: multiple-click suppression disabled
Multiple-click suppression is now disabled by default, since it is only applicable for certain RADIUS clients and caused some unexpected behavior.

4.4.2

Released 2016-12-13

Feature: Suppressing multiple-click logins
This feature suppresses multiple-click logins in RADIUS clients. It is enabled by default and can be configured via Mideye Configuration Tool, tab Radius Servers. Having this feature enabled prevents users from receiving numerous consecutive OTPs if they mistakenly keep pressing the login button in the client.
Feature: Improved overload handling
This feature improves overload handling by rejecting additional requests if the number of pending requests exceeds a threshold (the maximum number of pending requests), which can be configured via Mideye Configuration Tool, tab Radius Servers. This makes the Mideye Server more responsive in overload situations.
Feature: Preventing OTP spamming
This feature limits the number of OTP deliveries to a specific phone number within predefined time windows. The allowed number of OTP deliveries can be configured via Mideye Configuration Tool, tab Radius Servers.
Bugfix: MS-CHAPv2 reject
A previous bug in MS-CHAPv2 reject is fixed. The bug caused some RADIUS clients to send a duplicate request after the first request had been rejected.

4.4.1

Released 2016-11-02

Feature: Support for Mideye+ Touch Accept
Mideye+ Touch Accept enables Mideye+ users to accept or reject the login directly using the Mideye+ client (on iOS and Android), see Figure 2.1. It improves user experience by removing the need to manually enter the OTP. The following are the requirements for Touch Accept to work.
  • Mideye Server 4.4.x
  • Mideye+ client version 3.x.x
  • Mideye+ is enabled in the customer’s profile in Mideye central system
Feature: New authentication types
Three new authentication types are introduced. They differ in the fallback used if the initial Touch Accept attempt fails (e.g. if the user lacks Internet connectivity).
  • Authentication type 6 (Touch) - No fallback if Touch Accept fails.
  • Authentication type 7 (Touch-Plus) - If Touch Accept fails, the fallback is Mideye+ manual signature.
  • Authentication type 8 (Touch-Mobile) - If Touch Accept fails, Mideye attempts to reach the Mideye+ app via SMS. If this also fails, the fallback is Mideye+ manual signature.
Feature: Mideye+ Touch Accept on Android client
Mideye+ Touch Accept is now available on the Android client.
Feature: Enhanced authentication attempts log in Web Administration Interface
This feature enhances the authentication attempts log with information about failed authentications. The authentication attempts log now also contains phone/token number and authentication type as well as the reason for failure.

4.3.3

Released 2015-11-30

Bugfix: Mideye Server hanging problem while using Mideye Configuration Tool
This bug caused Mideye Server to hang when using Mideye Configuration Tool to modify a RADIUS Client.
Bugfix: Fixed the challenge message when the password is expired
This bug caused database users to receive the message 'Password needs to be reset' if an LDAP user had to change their password prior to login.

4.3.2

Released 2015-06-03

Bugfix: Security issue
  • Prevented exposure of the content of the WEB-INF folder.
  • Removed unused certificates to improve the security of the Mideye Server - Mideye Switch communication.
Bugfix: Log messages
  • Reduced the log level to warning when the Network Policy Server (NPS) is not configured.
  • Reduced the log level to debug when parsing an unknown Vendor Specific Attribute.

4.3.1

Released 2015-01-21

Feature: Password Change
Users in Active Directory can change their expired passwords during the logon process. This feature requires the use of the MS-CHAP v2 protocol and Network Policy Server (NPS).
Feature: MS-CHAP v2
Mideye Server supports the MS-CHAP v2 protocol. Mideye Server will automatically determine the authentication protocol used, PAP or MS-CHAP v2. To function properly, MS-CHAP v2 needs a configured NPS.
Feature: New Web Administration Interface

4.3.0

Released 2014-11-27

Feature: Mideye Server 4.3.0 includes a new Web Administration Interface.
The new Web Administration Interface is a web-based tool for managing the Mideye Server.
Feature: LDAP login to Web Administration Interface
The new Web Administration Interface allows login using an LDAP server.
Feature: Password Comparison Authentication
It is possible to use an alternative field for storing hashed passwords instead of the default Active Directory password field. See Appendix A: Password Comparison in the reference guide for more details.
Feature: Fortinet RADIUS attributes
Added Fortinet vendor specific attributes (Vendor ID: 12356) to the list of RADIUS attributes sent together with the final RADIUS Access Accept.
Feature: Automatic Retrieval of LDAP Base Distinguished Name
When adding a new LDAP server, Mideye Server retrieves the base Distinguished Name automatically.
Feature: Removal of Embedded Java Virtual Machine
Mideye Server 4.3.0 no longer includes a Java Virtual Machine (JVM); the JVM must be installed separately before the installation. This allows more frequent updates of the JVM independently of the Mideye Server.
Feature: Removal of Alarm Manager
Alarm Manager service, installed along with Mideye Server in previous versions, has been removed.
Feature: Removal of Radius Accounting
The RADIUS accounting server (used to run on port 1813) has been removed.

4.2.6

Released 2014-01-30

Bugfix: Windows services start-up
Fixed a bug causing the Mideye Windows services not to start automatically after Windows updates or a reboot of the server.

4.2.5

Released 2013-04-08

Feature: R4.2.4 feature support in Windows
All enhancements and bug corrections in 4.2.4 are included in 4.2.5 and made available for Windows.
Feature: Support for client certificate authentication for the administrative web interface
Client certificates can be generated from the default server certificate that is generated during server installation, and the administrative web interface can be configured to require a client certificate to grant access.
Bugfix: Increased maximum length of LDAP group names
In previous releases, the maximum length of LDAP group names was limited to 30 characters in order for the accounting to work properly. The limit has been increased to 200 characters.

4.2.4 (Linux only)

Released 2013-03-04

Feature: Support for secondary mobile number in LDAP
If no mobile number is found in the assigned (primary) mobile attribute, Mideye can be configured to continue the search in a secondary attribute (e.g. ‘otherMobile’).
Feature: Default support for SSL in the administrative web interface
The administrative interface is per default protected with SSL, and a self-signed certificate is generated during the installation.
Feature: Enhanced and modified presentation of logs via the administrative web interface
Several log files in the directories /opt/mideyeserver/log/ and /opt/tomcat/logs/ can be viewed via the administrative web interface. It is possible to add/exclude files, and also to add other folders. The logs are presented in a separate window and are not protected with the web interface login. It is recommended to restrict web interface access to specific IP addresses, thereby allowing/restricting log access to e.g. helpdesk personnel.
Feature: SNMP traps
Support for SNMP traps is introduced. The Mideye PEN is 40761.
Feature: Support for wild-card group check in Active Directory
AD group membership can be specified as a Java regular expression. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com’. This feature is only valid for Active Directory.
Feature: Java and Tomcat update
Java is updated to Java SE Runtime Environment (build 1.7.0_11-b21), and as web server TomEE 1.5.1 with Apache Tomcat Version 7.0.34 is used.
Bugfix: Handling hanging LDAPS connections
The LDAP connection timeout parameter is modified to include the LDAP connection pool avoiding the risk of overload in case of hanging LDAPS connections.
Bugfix: Authentication type CONCAT for database users
Authentication type CONCAT now works also for database users. (Bug introduced in 4.1).
Bugfix: Event Viewer disabled on Linux installations
It is no longer possible to enable the Event Viewer on Linux installations.
Bugfix: Special characters in RADIUS shared secret
Special characters (e.g. å, ä, ö) are now allowed in the RADIUS shared secret.
Bugfix: Help button active on Linux installations
The Help button in the Configuration Tool is now active also on Linux installations.
Bugfix: Automatic database upgrade on Linux
Database scripts are now executed automatically when doing upgrades on Linux systems.

4.2.3

Released 2012-07-24

Feature: Configuration Tool enhancements
Config Tool can now automatically identify and upgrade an existing Mideye database (from R3.0 and later). Config Tool automatically prompts for Admin rights when started.
Feature: RADIUS Server enhancements
Pre-configured Norwegian and Finnish RADIUS reply messages. RADIUS server names can be up to 200 characters long (previously limited to 20 characters).
Feature: RADIUS Client enhancements
RADIUS clients can be renamed. RADIUS client names can be up to 200 characters long (previously limited to 16 characters). The RADIUS shared secret must be specified (the field cannot be left empty).
Feature: LDAP Server enhancements
LDAP search base can contain ‘/’ signs. LDAP connection test does not return false positive if the password field is empty.
Feature: Number correction enhancements
Numbers containing only one parenthesis are auto-corrected if number correction is activated.
Feature: Accounting enhancements
Group names up to 200 characters supported (previously limited to 30 characters).
Feature: Number filtering in Mideye Server
Mobile numbers (and token serial numbers) that do not follow the required formats are blocked in the Mideye Server before an OTP delivery/verification request is forwarded to the Mideye Switch. For mobile numbers, this means that they must start with a '+' sign and contain 3 to 20 digits. Note that this means that mobile numbers in the formats 07xxxxx and 00xxxxxxx, which previously occasionally worked, are now blocked. Customers with these number formats are recommended to apply automatic number correction in the Mideye Server.
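The number filter above, together with the number correction options described elsewhere in these notes (removal of parentheses and of leading zeros after the default international prefix), as an added Python illustration that is not Mideye's own code. The notes name the correction options but not the exact algorithm, so the correction rules, the default prefix '+46' and the sample numbers are assumptions made for this example.

```python
import re

# The filter described in the notes: a '+' sign followed by 3 to 20 digits.
MOBILE_FORMAT = re.compile(r"\+\d{3,20}")


def is_valid_mobile(number):
    """Accept only numbers that pass the Mideye Server number filter."""
    return MOBILE_FORMAT.fullmatch(number) is not None


def correct_number(number, default_prefix="+46", strip_parentheses=True,
                   strip_leading_zeros=True):
    """Normalise a stored number before it reaches the filter.

    Assumed rules (the notes name the options, not the algorithm):
      1. remove anything within parentheses, or a single stray parenthesis;
      2. remove whitespace and hyphens;
      3. rewrite an international '00' prefix to '+' and a national leading '0'
         to the configured default international prefix;
      4. remove leading zeros that directly follow the default international prefix.
    """
    s = number.strip()
    if strip_parentheses:
        s = re.sub(r"\([^()]*\)", "", s)          # e.g. "(0)" in "+46 (0)70 ..."
        s = s.replace("(", "").replace(")", "")  # a single unmatched parenthesis
    s = re.sub(r"[\s-]", "", s)
    if s.startswith("00"):
        s = "+" + s[2:]
    elif s.startswith("0"):
        s = default_prefix + s[1:]
    if strip_leading_zeros and s.startswith(default_prefix):
        s = default_prefix + s[len(default_prefix):].lstrip("0")
    return s


def prepare_for_delivery(number, **options):
    """Return the corrected number if the filter accepts it, else None (blocked)."""
    corrected = correct_number(number, **options)
    return corrected if is_valid_mobile(corrected) else None
```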
Feature: LDAP-RADIUS translation enhancements
LDAP-RADIUS translation is no longer case-sensitive. LDAP-RADIUS wildcard translation is supported, whereby a translation rule can be specified as a Java regular expression (e.g. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com’).
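How the wildcard rule behaves when matched against full group DNs, for both the group check (4.2.4) and the translation rules above, as an added illustration that is not Mideye's own code. Python's re.fullmatch() is used because it has the same whole-string semantics as Java's String.matches(); the DNs are constructed samples, and several rules stand in for the multiple-group configuration of 4.6.5.

```python
import re

# Constructed sample: memberOf values an LDAP lookup might return for one user.
USER_GROUPS = [
    "CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com",
    "CN=Domain Users,CN=Users,DC=mideye,DC=com",
]


def literal_rule(dn):
    """Turn an exact group DN into a rule that matches only that DN
    (escapes regex metacharacters that may occur in DN components)."""
    return re.escape(dn)


def group_check(member_of, rules):
    """Return the first group DN that fully matches any configured rule, else None.

    The whole DN must match the expression: 'CN=mideyeusers' alone does not
    match a DN with OU/DC components, while 'CN=mideyeusers,.*' matches any DN
    that starts with that CN, whatever OU it sits in.
    """
    compiled = [re.compile(rule) for rule in rules]
    for dn in member_of:
        for rx in compiled:
            if rx.fullmatch(dn):
                return dn
    return None
```

Note that 'CN=mideyeusers,.*' also matches a group with the same CN in any other OU; use an exact (escaped) DN, or include the OU components in the rule, when the OU matters.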
Bugfix: LDAP-RADIUS translation
It is no longer needed to activate the ‘Read optional attribute flag’ in order to use LDAP-RADIUS translation (4.2.2 bug resolved in 4.2.3).
Bugfix: Authentication with suffixes fails when user search continues to next LDAP server
Authentication with user-name suffixes (e.g. @TOKEN, @MOBILE) now works also when the user search continues to the next LDAP server in the search base (4.2.2 bug resolved in 4.2.3).
Bugfix: Help buttons not active
Help buttons in the Configuration Tool are now active again (4.2.2 bug resolved in 4.2.3).
Bugfix: Auth Type = CONCAT gives an unhandled error when group check fails
Failed group check when using authentication type CONCAT is now properly handled. (4.2.2 bug resolved in 4.2.3).
Bugfix: Web Admin access from a remote computer
The Administrative Web Interface is automatically configured to allow access from a remote computer (4.2.2 bug resolved in 4.2.3).
Bugfix: Nested group selected without specified groups gives an error
‘Search nested groups’ can now be selected in Config Tool also when no group selection has been specified (4.2.2 bug resolved in 4.2.3).

4.2.2

Released 2011-02-21

Feature: Linux package enhancements
Native look-and-feel in Mideye Config Tool on Linux. Possibility to execute Mideye Config Tool from any directory. Simplified setup of X11 over SSH (making it possible to execute Mideye Config Tool from another workstation).
Bugfix: Not possible to delete a RADIUS client that has an LDAP server assigned
This bug is resolved.
Bugfix: List of pending authentications is cleared after OTP expiry
The internal Mideye Server list of pending authentications is cleared after OTP expiry, instead of every 5 minutes. This means RADIUS clients that fail to increment the RADIUS packet identifier will not cause user lockout longer than the OTP validity time (default 60 seconds). This resolves a usability issue with e.g. Citrix Access Gateway Standard Edition.
Bugfix: Config Tool enhancements
Config Tool no longer prompts to save unsaved changes when setting up a database for the first time. Miscellaneous enhancements concerning Return key, database name and LDAP Server test connection.

4.2.1

Released 2010-12-28

Bugfix: User search via config tool fails if Authentication Type = 1
4.2.0 bug resolved in 4.2.1.
Bugfix: Web Admin ROOT password cannot be changed when using two-way encryption
4.2.0 bug resolved in 4.2.1.
Bugfix: Limited length of user password
In previous releases, the static password maximum length was 48 characters for LDAP users and 16 characters for database users. Both these limitations have been removed.
Bugfix: Unlimited number of log lines presented via Web Interface
4.1.0 bug resolved in 4.2.1. The number of log lines presented via the Administrative Web Interface is now limited to the number specified in the filter settings.
Bugfix: New address field for database connection in Config Tool
In 4.2.1, the database connection address field in the Mideye Configuration Tool is modified. This resolves previous issues when specifying external databases.

4.2.0

Released 2010-12-09

Feature: LDAP over SSL
Support for SSL protection of connections to LDAP servers. This is implemented via an optional checkbox in the LDAP Server tab of Mideye Configuration Tool. LDAP server certificates can be automatically downloaded.
Feature: Continued LDAP search in case of group membership requirements not fulfilled
In case a user account is found in an LDAP repository but does not fulfill the specified group membership requirements, the user search continues to other repositories (if more repositories are defined). In previous releases, an access reject was immediately returned if group membership requirements were not fulfilled, which caused the user search to be discontinued.
Feature: Removal of user name suffixes and prefixes
As an option, suffixes and prefixes added to user names in the RADIUS access request can be removed before the user name is searched in the user repository. The removal (suffix or prefix, and separator) is specified on a per-RADIUS-client basis.
Feature: Accounting filtering based on LDAP repository and department
The accounting filtering is enhanced with the option to filter data based on which LDAP server and department the user belongs to. The optional Department attribute is specified in the Mideye Configuration tool. This attribute is read from the user repository and stored in the accounting database in Mideye. Mideye accounting granularity is thereby enhanced, facilitating distribution of Mideye costs based on which LDAP server and department the user belongs to.
Feature: Enhanced encryption of passwords in the internal database
An enhanced one-way hash is added as an option for passwords stored in the internal database. Passwords stored this way cannot be reversed.
Feature: Increased size of database fields
Database fields with variable input length, such as LDAP search bases and group names, have been increased to the maximum size allowed by the respective database (MS SQL and MySQL).

4.1.0

Released

Feature: Log enhancements
The Mideye Server logging functions are enhanced. With this release, the logging facility is implemented as a separate service that is configured via the Mideye Configuration Tool. Separate logs are written for the three main services Alarm Manager, RADIUS Server and Administrative Interface. For each log, the level of detail is specified (Error, Warning, Info, Debug, Trace). It is also possible to configure log messages to be forwarded to an external system according to the Syslog standard or to be written to the Windows Event Viewer. The Mideye Server can also be configured to generate emails for certain log events. This is specified directly in an XML file. A bug in previous releases when running on W2008, where the timestamps in the log file were specified with GMT instead of the local server time, is corrected.
Feature: LDAP enhancements
The LDAP search function is enhanced with two configurable timeout parameters to improve serial search capabilities in multiple LDAP directories in case one LDAP server is faulty. A bug correction ensures that LDAP directories are searched in the order specified in the Configuration Tool.
Feature: Automatic retries in case of failed service start-up
In case Mideye services fail to start properly, subsequent re-starts are attempted at 5-minute intervals during a period of one hour. This is to enable system recovery in case of start-up failure, e.g. after an automatic update of the server platform operating system.
Feature: Installation and compatibility issues
An automated upgrade package from Mideye Server releases 3.0.1 - 4.0.3 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade requires a re-start of Mideye services. If SSL protection is implemented for the administrative web interface, certificates and the Tomcat server.xml file should be saved before performing the upgrade. Upgrade from releases prior to Mideye Server 3.0 is not supported and requires a new server installation.

4.0.3

Released

Feature: Enhanced database pool handling
Automatic recovery of faulty database connection whereby the connection is closed and removed from the pool. Also, no lower limit is set to the time a database connection is kept in the pool. Previously, the minimum time was 5 minutes, regardless of which value was specified via the Configuration Tool.
Feature: Compatibility with SQL Server 2008
Enhancement in the installation package, enabling compatibility with SQL Server 2008.
Bugfix: Configurable switch connection timeout
A bug correction whereby the switch connection timeout specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 60 seconds, regardless of which value was specified in the Configuration Tool).
Bugfix: Installation and compatibility issues
An automated upgrade package from Mideye Server release 3.0 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade implies a re-start of Mideye services. Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

4.0.2

Released

Feature: Enhanced installation package
The new installation package is enhanced, e.g. it includes a notification that an SQL Server already exists on the server platform, if this is the case.
Feature: Accounting support for phone numbers longer than 12 characters
Previously, phone numbers longer than 12 characters (including the ‘+’-prefix) were not written to the server accounting tables. In 4.0.1, numbers up to 20 characters (including the ‘+’-prefix) are written to the accounting tables.
Feature: Password reset / expired information text included in Access Challenge
In case the static AD password has expired or needs to be reset, this information is presented to the end-user in the Reply-Message included in the RADIUS Access Challenge sent by the Mideye Server to the RADIUS client.
Bugfix: Configurable fallback retry parameter
A bug correction whereby the switch connection fallback retry specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 50, regardless of which value was specified in the Configuration Tool).

4.0.1

Released

Feature: New installation package
A new installation package, where the Mideye server is installed with an MSI file.

4.0.0

Released

Feature: Support for Mideye Plus authentication
Server release 4.0 supports Mideye Plus authentication. Mideye Plus enables login when the phone is outside of network coverage. For this to work, it is required that the user’s network operator has implemented support for Mideye Plus on the SIM card.
Feature: Selection of ISO/UTF encoding on a per-RADIUS-client basis
In R4, UTF-8 or ISO8859_1 encoding can be configured on a per-RADIUS-client basis. This enables handling of special characters (e.g. å, ä, ö, ¤, and €) in user names and passwords, which previously could cause problems because different RADIUS clients have implemented different character encoding schemes.
Feature: Server keep-alive messages
Server keep-alive messages are sent with 10-minute intervals to the Mideye Switch. The keep-alive messages contain information about Mideye server release, system status (RAM used/available), the status of LDAP connections and the number of database connections in use. The purpose of this feature is to enhance the centralised supervision of the authentication service. The keep-alive function is enabled/disabled via the Configuration Tool.
Feature: Blocking of LDAP accounts in the Mideye Server
For each LDAP server, a threshold can be defined in the Mideye Server. If, for a given user, the number of consecutive failed LDAP authentications exceeds this threshold, the user is locked in the Mideye Server. A time period can be specified, after which the user is automatically unlocked. It is also possible to unlock the user via the Mideye Administrative Web Interface. The purpose of this feature is to prevent denial-of-service (DoS) attacks aimed at locking LDAP accounts via the Internet.
Feature: Time-limited accounts for database users
An expiry date can be specified for user accounts in the internal database (database users). User accounts are automatically disabled when this date has been reached.
Feature: Automated token card re-synchronisation
If a token card is more than 10 consecutive OTPs out of sync with the central system, but inside a sequence window of 100, the user can automatically re-sync the token card by generating a new OTP and entering it for validation. If this second OTP is within a sequence window of 10 OTPs from the first OTP, the user is granted access and the token card is re-synchronised. The time window for performing the re-synchronisation is 5 minutes from the time when the first OTP was entered for validation. If the RADIUS client supports Mideye reply messages (attribute 18 in RADIUS Access Reject), the user is informed that the token card is out of sync and that a new OTP is required. Automated token card re-synchronisation has been centrally implemented in the Mideye Switch. This means that the feature is automatically implemented for all Mideye Servers, regardless of release. However, the reply message informing the user that the token is out of sync and that a new OTP is required, is only implemented in Server release 4.0.
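The re-synchronisation rules above, modelled server-side as an added Python illustration that is not Mideye's or the Mideye Switch's code. The notes do not describe the token's OTP algorithm, so an event-counter OTP (HOTP, RFC 4226) with the RFC's test key is assumed as a stand-in; the windows (10 ahead accepted, 100 for re-sync, second OTP within 10 of the first, 5 minutes) are the ones the notes state.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a token card: event-counter OTPs per RFC 4226.
SECRET = b"12345678901234567890"   # RFC 4226 test key, constructed sample


def hotp(secret, counter, digits=6):
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenVerifier:
    """Server-side counter tracking with the re-sync rules from the notes:
    up to 10 OTPs ahead are accepted directly; 11 to 100 ahead puts the token in
    a pending re-sync state; a second OTP within 10 of the first, entered within
    5 minutes, re-synchronises the token and grants access."""

    LOOKAHEAD = 10
    RESYNC_WINDOW = 100
    RESYNC_SECONDS = 5 * 60

    def __init__(self, secret, counter=0):
        self.secret = secret
        self.counter = counter   # next counter value the server expects
        self.pending = None      # (counter of the first out-of-sync OTP, time entered)

    def _find(self, otp, start, count):
        """Return the counter in [start, start + count) whose OTP equals otp, else None."""
        for c in range(start, start + count):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                return c
        return None

    def verify(self, otp, now):
        """Return 'accept', 'resync_required' or 'reject'. The counter never moves
        backwards, so an OTP that was already used is rejected as a replay."""
        if self.pending is not None:
            first, entered = self.pending
            self.pending = None
            if now - entered <= self.RESYNC_SECONDS:
                c = self._find(otp, first + 1, self.LOOKAHEAD)
                if c is not None:
                    self.counter = c + 1
                    return "accept"
            # window expired or OTP not within 10 of the first: treat as a fresh attempt
        c = self._find(otp, self.counter, self.RESYNC_WINDOW + 1)
        if c is None:
            return "reject"
        if c - self.counter <= self.LOOKAHEAD:
            self.counter = c + 1
            return "accept"
        self.pending = (c, now)
        return "resync_required"   # reply message: token out of sync, enter a new OTP
```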
Feature: Support for default RADIUS reply and error messages in different languages
Via the configuration tool, default RADIUS reply and error messages can be selected in English and Swedish.
Feature: Enhanced number correction
Number correction is enhanced. Via the Configuration Tool, it can be selected if numbers within parentheses should be removed and if leading zeros after the default international prefix should be removed.