Mideye Server Release Notes

6.4.6

Released 2024-11-18

Security: Message-Authenticator for PAP
As a further enhancement following CVE-2024-3596 (BlastRADIUS), RADIUS clients can now be configured to include the Message-Authenticator (attribute 80) in all responses, as well as require a message authenticator to be present in all RADIUS access requests. This fix is required for interworking with some later releases of RADIUS clients, e.g. Fortigate 7.2.10.
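The mechanism behind this entry, as an added example that is not Mideye's code: a minimal Python implementation of the RADIUS Message-Authenticator (attribute 80, RFC 2869) as a server would require it on Access-Requests and add it to its responses, with a strict/lenient switch that shows the difference the new "require" setting makes. The shared secret, Request Authenticator and username are constructed sample values, and every function name here is this example's own.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def find_attribute(packet, attr_type):
    """Walk the attribute list; return (value, offset_of_value) of the first match or None.
    Raises ValueError on a malformed TLV so a truncated packet can never validate."""
    i, found = HEADER_LEN, None
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        length = packet[i + 1]
        if found is None and packet[i] == attr_type:
            found = (packet[i + 2:i + length], i + 2)
        i += length
    return found

def message_authenticator(secret, packet, request_authenticator):
    """HMAC-MD5(secret) over the packet with the header authenticator replaced by the
    Request Authenticator and the Message-Authenticator value zeroed (RFC 2869 s5.14)."""
    _, off = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    canon = packet[:4] + request_authenticator + packet[HEADER_LEN:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, canon, hashlib.md5).digest()

def build_access_request(secret, identifier, request_authenticator, attrs):
    """Client side: an Access-Request carrying a valid Message-Authenticator."""
    body = encode_attributes(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body)) + request_authenticator + body
    _, off = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:off] + message_authenticator(secret, packet, request_authenticator) + packet[off + 16:]

def build_response(secret, code, identifier, request_authenticator, attrs):
    """Server side: Accept/Reject/Challenge with Message-Authenticator, then the Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) from RFC 2865 s3."""
    body = encode_attributes(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    draft = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + request_authenticator + body
    _, off = find_attribute(draft, ATTR_MESSAGE_AUTHENTICATOR)
    draft = draft[:off] + message_authenticator(secret, draft, request_authenticator) + draft[off + 16:]
    response_authenticator = hashlib.md5(draft[:4] + request_authenticator + draft[HEADER_LEN:] + secret).digest()
    return draft[:4] + response_authenticator + draft[HEADER_LEN:]

def verify_message_authenticator(secret, packet, request_authenticator=None, require=True):
    """Validate attribute 80. For an Access-Request pass no request_authenticator (it is in the
    header); for a response pass the one from the matching request. With require=True a packet
    lacking the attribute is rejected, which is the hardened behaviour this release note adds."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        found = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    except ValueError:
        return False  # fail closed on a malformed attribute list
    if found is None:
        return not require
    value, _ = found
    if len(value) != 16:
        return False
    if request_authenticator is None:
        request_authenticator = packet[4:HEADER_LEN]
    return hmac.compare_digest(message_authenticator(secret, packet, request_authenticator), value)

def demo():
    """Constructed sample traffic: secret, authenticator and username are made-up values."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))  # a real client uses 16 random bytes per request
    req = build_access_request(secret, 7, req_auth, [(ATTR_USER_NAME, b"alice")])
    tampered_req = req[:HEADER_LEN + 2] + b"mallo" + req[HEADER_LEN + 7:]  # User-Name altered in transit
    legacy_req = (struct.pack("!BBH", ACCESS_REQUEST, 8, HEADER_LEN + 7) + req_auth
                  + encode_attributes([(ATTR_USER_NAME, b"alice")]))  # no attribute 80 at all
    resp = build_response(secret, ACCESS_ACCEPT, 7, req_auth, [])
    flipped_resp = bytes([ACCESS_REJECT]) + resp[1:]  # code changed after the server signed it
    return {
        "request_ok": verify_message_authenticator(secret, req),
        "tampered_request_rejected": not verify_message_authenticator(secret, tampered_req),
        "legacy_request_rejected_when_required": not verify_message_authenticator(secret, legacy_req),
        "legacy_request_accepted_when_optional": verify_message_authenticator(secret, legacy_req, require=False),
        "response_ok": verify_message_authenticator(secret, resp, request_authenticator=req_auth),
        "flipped_response_rejected": not verify_message_authenticator(secret, flipped_resp, request_authenticator=req_auth),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two details carry over to any real implementation: the comparison is constant-time (`hmac.compare_digest`), and a malformed attribute list fails closed instead of raising out of the packet handler. The `require=False` branch is the legacy behaviour that the new setting turns off; with it enabled, a request without attribute 80 is dropped before any directory lookup happens.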

6.4.5

Released 2024-10-01

Bugfix: MS-CHAPv2 challenge-response stops working after Microsoft patch KB5040437
Additional fix to handle the challenge-response dialog after the KB5040437 security upgrade is deployed in Microsoft NPS. Complements the fixes introduced in versions 6.4.3 and 6.4.4.

6.4.4

Released 2024-08-30

Bugfix: MS-CHAPv2 stops working after KB5040437
In this release, we have implemented a complete fix for the issue where MS-CHAPv2 stops working after the KB5040437 security upgrade is deployed in Microsoft NPS. This update corrects the initial fix introduced in version 6.4.3.

6.4.3

Released 2024-08-09

Bugfix: MS-CHAPv2 stops working after KB5040437
An initial fix for the MS-CHAPv2 issue related to the KB5040437 security upgrade in Microsoft NPS was introduced in this release. However, further refinement was needed to fully resolve the problem. Please refer to version 6.4.4 for the complete fix.

6.4.2

Released 2024-05-31

Enhancement: Support for IP subnets '#2270' '#2273'
RADIUS client and shared secret IP addresses can now be specified with IP subnet masks in CIDR format, e.g. 192.168.1.0/24.
Enhancement: Support TOTP in Auth Type 4 '#2270', '#2274'
Authentication type 4 (CONCAT) now also supports on-prem TOTP.
Bugfix: Web GUI '#2277'
Fixed an error in the web GUI when viewing the Authentication and Audit Logs.

6.3.2

Released 2024-03-22

Bugfix: Authentication types 2,3,4,9,10,11 missing in Accounting logs '#2269'
Authentication types 2,3,4,9,10,11 were missing in the Accounting logs. This issue has been resolved in this release.

6.3.1

Released 2024-03-08

Feature: RADIUS blocking filter '#2084'
To prevent spamming of server logs, and to counter server overload attacks, custom RADIUS filter rules can be configured in the Mideye server. The filter can block usernames and client IPs that do not meet specified criteria. Blocked requests are silently discarded, are not written to the authentication log table, and do not initiate searches in user repositories.
Enhancement: Separation of server web GUI and self-service portal login '#1259' '#2025' '#2230'
The self-service portal can now be published separately from the server web GUI, accessible on a dedicated port and configured as a separate RADIUS client.
Enhancement: TOTP soft token seeds in LDAP repository '#2200'
TOTP soft token seeds can be stored in an LDAP repository instead of the Mideye database. This reduces the need for database clustering.
Bugfix:
  • Persistent sort order when reloading page. The selected sort order in the web GUI now persists when the page is reloaded. '#1795'
  • Not possible to delete hybrid account if the corresponding LDAP account is not found '#2259'
  • Not possible to create hybrid accounts in Mideye for Azure AD accounts. '#2264'

6.2.10

Released 2024-02-20

Bugfix: Not possible to verify and change the RADIUS secret via the server web GUI. '#2252'

6.2.9

Released 2023-12-20

Bugfix: Truncated SMS text in Magic Link migration from release 6.1. '#2238'

6.2.8

Released 2023-10-30

Feature: Assisted Password Reset
The Mideye server provides a web portal for password reset, using the Assisted Login mechanism to give two independent factors of authentication. A user that needs to reset his/her static password contacts an authorized approver and initiates the password reset process with username and second-factor authentication (Mideye+ or SMS-OTP). The authorized approver is required to approve the reset in the Mideye+ app before the user is allowed to specify a new password. '#825'
Security:
  • Read access to application-prod.yml configuration file on Windows is now limited to server administrators. '#2013'
  • GUI Operators and Administrators could access password hashes via the server API. This is now blocked. '#2004'
  • Some server API endpoints were available to GUI Operators, although the corresponding views are blocked for Operators in the GUI. Authorization control of server API and web GUI is now aligned. '#1997'
  • Server info (release version, operating system and database) was available via server web GUI also to non-authenticated users. This is now blocked. '#1996'
Enhancement: Assisted Login
  • Improved logging for Assisted Login. In addition to more detailed Info-level logging of events, Assisted Login details are now also saved in separate Audit logs for longer retention to facilitate future security audits. '#1781'
  • The message title 'Assisted Login Request' is now configurable. This title in the Mideye+ app was previously hard-coded, and can now be modified in the RADIUS Server configuration menu. '#1868'
  • The lead text to the Assisted Login challenge message requesting Approver identity (previously hardcoded as 'Enter Approver ID') can now be configured in the 'User Messages' tab of the RADIUS Server configuration menu. '#1856'
  • User name presented to approver in app can be configured. Previously, the username entered by the user was presented. Now the AD Display Name is presented per default, but it can be modified in the Assisted Login configuration. '#1229'
  • A RADIUS client display name can now be configured. If configured, this display name is presented to the Assisted Login approver instead of the internal Mideye client name. '#931'
  • Support for RADIUS session termination cause. The termination cause is now presented in the RADIUS session logs, as well as in the session list in the app. '#1059'
  • The Assisted Login approver search now continues through the entire search base to find a member of the approver group, not only stopping at the first match. '#1238'
  • Assisted Login now works with user and approver accounts also in repositories other than Active Directory (e.g. OpenLDAP), as well as with accounts in the Mideye database. '#1152'
  • Assisted Login now also works for approvers that haven't activated Mideye+. Instead, they can approve the login with a Magic Link. '#1879'
  • Triggering of Assisted Login with AD groupname keywords. User and approver group membership is specified using wildcards, where the specified part indicates if it's a user or an approver. The remaining (wildcard) part must match between the user and approver. This enables separation of access to multiple systems, without having to specify a separate Assisted Login profile for each system. '#1748'
Enhancement: Magic Links
  • More flexible Magic Link configuration, including support for multiple endpoints. '#1923'
  • Assisted Login with Magic Link endpoints. Approvers are listed to the user in the Magic Link landing page. '#1762'
  • Magic Link added as an option when searching/filtering authentication logs based on Authentication Type. '#2029'
  • More detailed logging for Magic Link events in the authentication Logs. '#2022'
Enhancement: RADIUS
  • Comment field added to RADIUS shared secrets. Optionally, a comment can be added when creating/editing a shared secret, and this field is displayed when presenting the list of shared secrets. '#1780'
  • More informative log messages in case of RADIUS accounting requests being rejected. '#1971'
  • Modified LDAP-RADIUS translation configuration and logic. Now more than one LDAP attribute can be translated. '#1336'
  • Option to filter out ongoing sessions in the RADIUS sessions logs. '#1187'
Enhancement: Mideye GUI
  • Mideye user search based on phone and token number. Mobile phone number and token serial number are added as search parameters when searching for user accounts in the Mideye database. '#1822'
  • Mideye GUI. Clone objects. It is now possible to clone existing objects (LDAP profiles and RADIUS clients) to simplify creation of new objects. '#1779'
  • Mideye users table. A column is added with an icon indicating if an on-premise token (software or hardware) is assigned to the user. '#1887'
  • Root password reset. A new forms-based password utility avoids character encoding problems. '#1930'
  • For Windows installations, a link to the web GUI is added from the desktop and start menu. '#1874'
  • LDAP and Azure AD connection status indication. The status of connections to user repositories is indicated both in the Directory Settings menus and in the Health Checks menu of the dashboard. '#1770'
  • User search option now available in the LDAP profile configuration menu. '#1769'
Enhancement: Certificate Management
  • Enhanced presentation of certificates in the Certificate Management menu in the web GUI. '#1841'
  • Support for CSR generation with existing keys and import of new certificate signed by the CA. '#1225'
Enhancement: On-Prem Tokens
  • Support for on-prem HOTP tokens provided by default. '#1789'
  • Support for automatic re-synchronisation of OATH (HOTP and TOTP) tokens via RADIUS. '#1782'
Enhancement: Server Logs
  • Support for download of server log files via the web GUI. '#1785'
  • The host name is now included in the authentication log details. This facilitates troubleshooting when multiple Mideye servers share the same database. '#1442'
  • Possibility to filter away successful authentications for specified usernames from the authentication logs. This is to prevent certain accounts, e.g. keep-alive probes, from spamming the authentication logs. '#1335'
  • Stack traces removed from info-level logs in order to prevent log spamming. '#1838' '#2068'
  • Authentication results including username and phone number are included at Info-level in the log file. '#1837'
Enhancement: Service Monitoring
Every hour, the server sends a message to the Mideye Switch with information about server release version, platform version, service connectivity status and server time. '#2154'
Bugfix: Assisted Login

6.1.4

Released 2023-02-15*

Feature: Magic Link authentication
A new authentication mechanism whereby the user is authenticated with a magic link distributed via SMS. This enables SMS authentication also for RADIUS clients that lack support for challenge-response. The magic link authentication mechanism is applied for users with Authentication Type 6 (Touch) that haven't activated Mideye+.
Feature: Magic Link authentication API
As an alternative to RADIUS, the Mideye server provides a REST API that takes the user's phone number and some optional usability parameters as input.
Feature: Hybrid LDAP accounts
User accounts read from an external LDAP repository can be duplicated in the Mideye Server database. User parameters such as Authentication Type, mobile number, token number, etc., can be assigned to the account in the Mideye server instead of in the user repository, and will override the information read from the user repository.
Security: Fix of crypto bug in Java (CVE-2022-21449).
Enhancement: Username filtering
The configuration of RADIUS client username filtering is enhanced to allow the removal of blank spaces or any specified characters from usernames before the authentication request is processed.
Enhancement: Switch failover logic
Enhanced redundancy logic when the Mideye server fails over to a backup switch.
Enhancement: GUI menu rearrangement
Web GUI submenu 'Locked Users' moved from section 'Users and Tokens' to section 'Directory Settings'.

6.0.2

Released 2022-09-05*

Feature: TOTP tokens with on-premise seeds
Support for TOTP (OATH) software and hardware tokens where the token seeds are stored in the on-premise Mideye server database, making token validation independent of the central Mideye service. Users can activate a soft token via a self-service web portal, where they also can manage their own soft and hard tokens. Administrators can import hardware tokens via the GUI, and assign both soft and hard tokens to users. The authentication logic can be configured to either use the TOTP token as fallback to the default authentication type (typically Touch Accept), or as the primary authentication type (with no connection to the Mideye central service).
Feature: HOTP hardware tokens with on-premise seeds
Enhancement: New web GUI
A new web Graphical User Interface for the Mideye Server, with a more intuitive menu structure.
Enhancement: JRE 17
Upgrade of the bundled Java platform from Java 8 to Java 17. Spring Boot upgraded to 2.6.6.
Enhancement: Encryption of shared secrets
RADIUS shared secrets are encrypted in the Mideye server database.
Bugfix: Improved database error handling in Windows
In case of DB connection failure, the Mideye Server now fails within 1 minute and stops the service. Only concerns Windows platforms.
Bugfix: HTTP headers in server GUI
Security fix in the server web GUI. Content-Security-Policy HTTP security header is added.
Bugfix: PAP password change
Directory policies for the new password are now enforced.
Bugfix: HTTP proxy configuration
Incorrect status of the checkbox 'Use Proxy' in the proxy configuration via the web GUI is fixed. The connection to the MAS is now also affected if a proxy is configured.
Bugfix: Usernames not editable
It is no longer possible to edit usernames of accounts in the Mideye server database.
Bugfix: MS-CHAP for Assisted Login
Assisted Login now also works with MS-CHAPv2.
Bugfix: Possible to specify a certificate alias
When importing LDAPS certificates, it is now possible to specify a certificate alias.