Mideye Server Release Notes
5.6.8
Released 2022-08-30
Enhancement: RHEL 8 support
Include service start files for RHEL 8 installation.
5.6.7
Released 2022-06-21
Enhancement: Cached health checks
Health checks are cached to reduce the load on mideyeserver.
Enhancement: LDAPS certificate with alias
LDAPS certificate can be imported with an alias.
Bugfix: Fix certificate management UI
Fix certificate management UI and show proper error message when imported certificate is missing CN.
5.6.6
Released 2022-03-11
Bugfix: Fix file-permissions in deb package
Set up proper file-permissions in deb package.
5.6.5
Released 2022-03-10
Bugfix: LDAP migration bug
Fixed a bug that affected the possibility to migrate certain LDAP profiles from R4 to R5.
5.6.4
Released 2022-01-26
Bugfix: Password encryption bug
Fix of database user password encryption when upgrading from R4 to R5.
Security: Certificate validation
More stringent certificate validation in Mideye Server.
5.6.3
Released 2021-12-16
Enhancement: Removal of Log4j2 dependencies
All Log4j2 dependencies removed from classpaths. This blocks the possibility to manually modify the installation package and enable Log4j instead of the default R5 logging framework (Logback).
5.6.2
Released 2021-10-01
Security: TLS enhancement
TLS version 1.2 or higher enforced in the Mideye server.
5.6.1
Released 2021-06-04
Bugfix: Unresponsive user search
Fix of performance issue with username filtering in authentication and accounting logs in the web GUI.
5.6.0
Released 2021-03-31
Feature: Shared account authentication
New authentication type (Auth Type 10) whereby multiple mobile numbers and token card serial numbers can be registered for a user account. In the login dialog, the user indicates which phone/token to use.
Enhancement: Java update
The bundled JRE is updated to Java 8u282. Oracle JRE is replaced by AdoptOpenJDK JRE.
Enhancement: Database detailed logs
More efficient database architecture for the Detailed Authentication logs. Note that existing Detailed Authentication logs will be lost at upgrade (the default retention time is otherwise 30 days).
Bugfix: Fix of ‘Find User’ issue
Fix of issue whereby the ‘Find User’ button in the LDAP Profile menu of the Web GUI did not always return a correct result.
5.5.6
Released 2021-03-12
Bugfix: Database cleanup
Improved database cleanup. Previous implementation could cause database connection to lock during cleanup of logentries table.
Enhancement: Cluster leader setting
New setting in configuration file, whereby a Mideye server can be configured as cluster leader (default=true). If set to false, database cleanup is disabled. This is to avoid simultaneous operations for clustered servers configured to use a common database.
Enhancement: Database read/write
More efficient way to write and read authentication log details. This solves a potential database deadlock problem.
Enhancement: Assisted login for federated users
Empty federation attributes are not sent to the Mideye+ app. If the approver doesn’t open the app before user login, a proper reply message is returned to ADFS.
5.5.5
Released 2021-01-21
Bugfix: Memory leak
Fix of bug that caused memory leak if Hibernate cache was enabled.
Bugfix: Number correction
Fix of index-out-of-bound-error in phone number correction.
Enhancement: Improved loading of authentication logs
Performance optimization speeding up the loading of authentication logs in the web GUI.
5.5.4
Released 2020-12-21
Feature: Azure AD support
Mideye Server can connect to Azure AD with the Microsoft Graph API to search user accounts.
Feature: Assisted Login for federated users
Assisted Login protection can be applied to federated accounts logging in via ADFS. External users can log in with their home company accounts, but access is only granted if the login is accepted by an internal approver.
Enhancement: Custom LDAP attribute values to logs
In the LDAP profile configuration, additional LDAP attributes can be specified and the corresponding values written to log files at a specified log level. Optionally, the values can also be written to the detailed authentication logs in the database.
Enhancement: Ignore LDAPS certificate validation
As an option, an LDAP profile can be configured to ignore certificate validation. This facilitates automation of LDAP profile provisioning via the server REST API.
Enhancement: Additional Assisted Login info to logs
The detailed log information is extended to also include more information relating to Assisted Login, e.g. the identifier of the Assisted Login profile that is being used.
Bugfix: GUI user, role Operator
Fix of R5.4 bug whereby role Operator lacks access to the web GUI. Also a fix of a general R5 bug, whereby role Operator had write/delete access to some menus and APIs.
Bugfix: Detailed log items not shown in authentication logs
Fix of a bug in R5.4.4 whereby detailed log items, e.g. Assisted Login additional challenges and the corresponding responses, were not shown in the authentication logs.
Bugfix: Checkboxes not working at first attempt
In the web GUI assisted login configuration, approver tab, checkboxes were not working the first time they were selected.
Bugfix: Unexpected error in LDAP profile user search
Fix of bug resulting in an unexpected error when testing LDAP profile user search before the LDAP profile was configured.
Bugfix: Assisted login approver ID not honored
Fix of R5.3 bug. When the approver ID attribute in the Assisted Login configuration was specified, this was not honored.
Bugfix: User search with MSISDN not working
Fix of R5 bug. When testing user search via the LDAP profile configuration in the web GUI, MSISDN could not be used as user identity.
Bugfix: LDAP profile user search
Fix of R5 bug. When testing user search via the LDAP profile configuration in the web GUI, the search did not return any results.
5.4.4
Released 2020-10-15
Enhancement: RADIUS client overview list
In the RADIUS clients configurations menu, the start page is modified by replacing the assigned Accounting Server column with assigned LDAP Profiles.
Bugfix: Web GUI causing database overload
Fix of bug introduced in 5.3 whereby detailed authentication log queries from the Web GUI dashboard could cause overload in the database.
5.4.3
Released 2020-10-02
Bugfix: Shared Secret Editing
Fixed a bug that prevented the editing of Shared Secret 128 and above when the Mideye Server contained more than 127 Shared Secrets.
Change: CentOS 6 & 7 yum repository change
When using yum to install and update the Mideye Server 5.x in CentOS 6 and CentOS 7, the repository folder structure has changed. See the “Linux RPM installation guide” on how to update the “mideye.repo” file to mirror this.
5.4.2
Released 2020-09-29
Feature: Require Mideye+
RADIUS clients can be configured to require that the Mideye+ app is activated for mobile phone users.
Feature: Require local authentication on phone
RADIUS clients can be configured to require that Mideye+ users must authenticate locally on the phone (biometric or PIN) before being able to accept a login.
Enhancement: Configuration and management menus
- In the Vendor Specific Vendors configuration menu, vendors are listed in alphabetical order, and attributes are listed alphabetically in submenus for each vendor.
- In the RADIUS clients configurations menu, the start page is simplified by removing some columns. In the Test client sub pages, the placeholder text in the challenge prompt is modified.
- In the dashboard, certificate expiry is added as a separate information box. The Switch health check text is changed from ‘UP’ to ‘Connected’.
- In the Certificate Management menu, a more informative error message is presented when the certificate subject is empty.
For failed Assisted Login attempts, the error message now distinguishes between approver not found and approver not authorized.
Enhancement: Automatic database re-connect
If the database connection fails at server startup, the Mideye Server makes automatic retries for a specified time period until connection has succeeded.
Bugfix: RADIUS server concurrency issue
Fix of concurrency issue when RADIUS Server fails to re-start after configuration changes.
Bugfix: Accounting timestamps
Timestamps in accounting logs are now presented in local time with correct timezone indicator.
Bugfix: RADIUS client assignment for database users
Fix of bug affecting database users in MS-SQL. It is now possible to add RADIUS clients.
Bugfix: Vendor Specific Attributes
Data types are now shown correctly, and it is now possible to edit Vendor Specific Attributes.
Bugfix: SSL certificate management
If CN is missing in an LDAPS certificate, the hostname is now used as certificate alias.
- Bug in SSL certificate expiry monitoring is fixed.
- Fix of incorrect information message when Touch falls back to OTP due to data push delivery failure.
- Fix of misleading information message when Approver account has missing/invalid phone number.
Fix of Authentication logs search filter.
Bugfix: LDAP profile default values
Fix of incorrect default attribute names when LDAP server other than Active Directory is selected.
Security: Security
HTTP Trace and Track Methods are disabled in the administrative web interface, and X-Frame-Options response header is added.
5.3.5
Released 2020-09-14
Bugfix: Server GUI unexpected error
Fix of GUI unexpected error that occurred if dashboard health indicators were clicked while loading.
5.3.4
Released 2020-08-18
Bugfix: Windows installation package
- “;” (semicolon) no longer needs to be inserted manually when using database-instances.
- Old keystore is automatically removed when reinstalling the same version of the Mideye Server.
Bugfix: Null pointer exception
Radius requests with null value NAS-ID and NAS-IP attributes will not cause a null pointer exception.
5.3.3
Released 2020-07-14
Feature: RADIUS session management
RADIUS sessions (session start, update and stop) for RADIUS clients that support Accounting are presented as a separate menu in the server web GUI. For RADIUS clients that support Disconnect Message, sessions can be terminated from the GUI.
Enhancement: Assisted Login
Assisted Login is enhanced with the following features
Assisted login feature: Management of assisted login sessions from the Mideye+ app
Assisted login feature: Additional challenges
Assisted login feature: Multiple Assisted Login profiles per RADIUS client
Assisted login feature: Enhanced authorization logic
Assisted login feature: Session and idle timeout specified in Assisted Login profile
Assisted login feature: Size limitation of user id and group name fields removed
Assisted login feature: Test of Assisted Login profiles in RADIUS client
Enhancement: More detailed authentication logs
Entries in the authentication logs can be extended to view more detailed log information. Old log entries are automatically deleted after a specified retention period. The default retention period for basic authentication and session logs is 365 days. For detailed authentication information, the default retention period is 30 days.
Enhancement: Time-zone information in log files
Information about time zone is added to the time stamp in log files.
Bugfix: Default OTP Presentation type 1
Default OTP Presentation type 1 (inbox SMS) now works also when the checkbox ‘Read Optional Attributes’ is selected.
Bugfix: Either NAS IP or NAS ID must be specified
New check in the RADIUS client configuration in the web GUI that prevents NAS IP and NAS Identifier from being empty at the same time, which would cause RADIUS client identification to fail.
Bugfix: Faulty RADIUS attribute links in LDAP-RADIUS translation
Incorrect links associated to RADIUS attributes in LDAP-RADIUS translation are removed.
Bugfix: Not necessary to specify an LDAP profile
It is no longer required to specify an LDAP profile when editing a RADIUS client via the web GUI.
Bugfix: NPE when saving SSL certificate missing CN attribute
Fix of null-pointer exception when an LDAP SSL certificate missing a CN attribute is saved.
5.2.3
Released 2020-02-28
Bugfix: Debian package
Added files that were missing from the Debian package.
5.2.2
Released 2020-01-21
Bugfix: R4 Migration Wizard
To prevent memory overflow, the import of R4 login statistics and accounting data is limited to the last 100 000 rows from the last year.
5.2.1
Released 2020-01-14
Feature: Password change in PAP
Support for password change in PAP, using additional challenges to prompt for a new password. This means that password change is now supported for database users. For LDAP users, this means an NPS is no longer required for password change.
Enhancement: Disable Auth Type 1 (Password)
Authentication Type 1 (Password) can be disabled per RADIUS client.
Enhancement: Certificate validation and export
Certificate management via the Web GUI is enhanced to include certificate path validation and an export function.
Enhancement: Enable blocking of self-personalized Yubikeys
Self-personalized Yubikeys can be blocked per RADIUS client by only allowing Yubicloud OTPs with the prefix cc.
Enhancement: Spam filter reset
The number of users affected by a spam filter lockout is shown in the RADIUS Server configuration menu.
Enhancement: Database configuration
The database configuration is now validated in the Windows Installation package. Database passwords containing double-quote characters (“) are now supported, as well as database instances.
Enhancement: Touch failed user message
A new user message is added for the case when Touch login fails.
Enhancement: Assisted login LDAP search
The LDAP user and approver search is improved, avoiding duplicate search of the user. The approver search now continues to next LDAP repository if the authorization check fails.
Enhancement: Dashboard
The Database and Switch connection status information in the GUI dashboard is improved.
Bugfix: Reply message when phone not reachable
For Authentication Type 2 (Mobile), when the phone is not reachable and Mideye+ is not activated (SMS-OTP), the correct reply message is now returned.
Bugfix: Locked LDAP users
LDAP users are now locked for the specified time period. The extra minute added in previous releases is removed.
Bugfix: Assisted Login reject reply message
A reply message is added for the case when an Assisted Login is rejected because the Touch accept failed.
Bugfix: Spam filter
Logins rejected by the spam filter are now shown in the logs. The login failure message when a login is rejected by the spam filter is changed from ‘Invalid/user password’ to ‘Too many attempts, try again later’, with a reference on how to manually re-set the filter.
Bugfix: Assisted login approver group membership
The approver group membership can now be specified using Java Regular Expressions.
Bugfix: Default LDAP connect and read timeouts
The default LDAP connect timeout is changed to 2 seconds, and the read timeout is changed to 10 seconds.
Bugfix: Handling of invalid RADIUS requests
When invalid RADIUS requests are discarded, they are now removed from the pending authentications list, thereby preventing the pending request counter from hitting the overload limit.
Bugfix: Assisted login approver search
The search failed if the approver was not found in all LDAP profiles configured for the RADIUS client. This is now fixed, it is sufficient if the approver is found in one profile.
5.1.3
Released 2019-10-25
Bugfix: LDAP user locking release
Fix of bug ‘LDAP locking not released when using MS-CHAPv2’.
Bugfix: Access reject with MS-CHAPv2
Fix of incorrect response authenticator in MS-CHAPv2 Access reject messages. This bug caused multiple Touch prompts when access was rejected in the app.
5.1.2
Released 2019-10-18
Feature: Assisted login
A new authentication method, Assisted Login (Auth type 9), for LDAP accounts. Predefined users are authorized to approve access for external users to selected RADIUS clients. Access is approved in the Mideye+ app. This authentication method is intended for users that require temporary access to protected resources.
Feature: Certificate management via web GUI
Simplified administration of certificates for LDAPS and web GUI.
Feature: Managing RADIUS attributes via web GUI
New Vendor-specific Attributes (VSAs) can be added via the web GUI. Also, the default VSA list has been extended to include more vendors.
Feature: Spam filter reset
The OTP spam filter can be reset via the web GUI. This is to prevent users from being locked out if the Max Pending Requests queue is filled up, e.g. after a network incident.
Enhancement: RADIUS reply attributes displayed in test client
When using the test button for RADIUS clients in the web GUI, reply attributes are presented.
Enhancement: Server Accounting
Accounting filtering options are enhanced. It is also possible to export the result as a CSV-file from the web GUI.
Enhancement: Second challenge when token out of sync
If a token is out of sync, a second challenge is presented to the user requesting a new OTP to re-synchronize the token.
Enhancement: Search database users by token number
Database users can be searched using the token serial number.
Enhancement: Search base automatically created for LDAP profile
When creating an LDAP profile, the LDAP root search base is automatically populated when clicking the “Save” button.
Bugfix: Mobile number missing in logs when Touch cannot be used
If authentication type Touch fails, the user’s phone number is now included in the log entry.
Bugfix: Removed re-load redirect to web GUI dashboard
If reloading a page in the web GUI, the user now remains on the reloaded page.
Bugfix: root user default profile
The Web Admin RADIUS client is now assigned to the root user by default.
Bugfix: Redirect after root password change
Root user is now redirected to the web GUI dashboard when the password has been changed.
Bugfix: Reply Message in Web GUI
RADIUS reply messages are now displayed in the Web GUI login.
Bugfix: Timestamp in logs
Log timestamps are now shown in milliseconds instead of seconds.
Bugfix: Top 5 Failing Users case sensitive
The Top 5 Failing usernames presented in the web GUI dashboard are now case-insensitive.
Bugfix: MSISDN/token number validation in Mideye Server
Mobile number and token serial number formats are now verified in the Mideye Server before being forwarded to the Mideye Switch.
Bugfix: Web GUI login hanging after timeout
Page re-load no longer required to login again after session timeout.
5.0.0
Released 2019-04-06
Breaking change: Major release requires new server installation.
Mideye 5.0 requires a new server installation. A migration tool facilitates migration from releases 4.6.5 and later.
Feature: Server config via web admin
A new administrative web interface that also replaces the R3/R4 Configuration Tool. A new super administrator role is introduced, with the same rights as the root user.
Feature: Support for server config via REST API
As an alternative to server configuration via the administrative web interface, a REST API is provided for automated server configuration.
Feature: Configuration changes without restarts
Configuration changes no longer require service restarts to take effect.
Feature: RADIUS client identification based on NAS ID attribute
Improved selection of RADIUS clients based on RADIUS attribute 32 (NAS Identifier) which simplifies implementations with multi-login profiles originating from the same IP address.
Feature: Separate table for source IP – shared secret configuration
Specification of the shared secret is moved from RADIUS clients to a separate table, where source IPs and shared secrets are matched. A default shared secret can be specified that is matched to any IP that is not specified in the table.
Feature: NPS configuration separated from LDAP server configuration
Microsoft Network Policy Server (NPS) settings are moved from LDAP profile configuration to a separate NPS profile. This simplifies the re-use of the same NPS profile in multiple LDAP profiles.
Feature: Docker container support
Mideye server is now available as a Docker image as an alternative to Windows and Linux installation packages.
Feature: Debian support
Mideye server is now available as a Debian-based package in addition to the RPM-based package.
Feature: Enhanced server monitoring
Automatic health checks of Mideye Switch and database connections. Monitoring of LDAPS certificate expiry. Dashboard with login statistics and success rates.
Feature: Enhanced server accounting
Possible to select full calendar months in the web GUI for matching server accounting with monthly invoices.
Feature: Support for database login using NTLMv2