Mideye Server 5.7.2
Available as a beta release.
New feature: TOTP tokens with on-premise seeds
Support for TOTP (OATH) software and hardware tokens where the token seeds are stored in the on-premise Mideye server database, making token validation independent of the central Mideye service. Users can activate a soft token via the server web GUI, where they also can manage their own soft and hard tokens. Administrators can import hardware tokens via the GUI, and assign both soft and hard tokens to users. The authentication logic can be configured to either use the TOTP token as fallback to the default authentication type (typically Touch Accept), or as the primary authentication type (with no connection to the Mideye central service).
Enhancement: Encryption of shared secrets
RADIUS shared secrets are encrypted in the Mideye server database.
Bugfix: HTTP headers in server GUI
Security fix in the server web GUI: Content-Security-Policy HTTP security header is added.
Bugfix: PAP password change
Directory policies for the new password are now enforced.
Bugfix: HTTP proxy configuration
Incorrect status of the checkbox ‘Use Proxy’ in the proxy configuration via the web GUI is fixed.
The bug also affected the connection to the MAS when a proxy was configured.
Bugfix: Usernames not editable
It is no longer possible to edit usernames of accounts in the Mideye server database.
Mideye Server 5.6.2
Security: TLS enhancement
TLS version 1.2 or higher enforced in the Mideye server.
Mideye Server 5.6.1
Bugfix: Unresponsive user search
Fix of performance issue with username filtering in authentication and accounting logs in the web GUI.
Mideye Server 5.6.0
New feature: Shared account authentication
New authentication type (Auth Type 10) whereby multiple mobile numbers and token card serial numbers can be registered for a user account. In the login dialog, the user indicates which phone/token to use.
Enhancement: Java update
The bundled JRE is updated to Java 8u282. Oracle JRE is replaced by AdoptOpenJDK JRE.
Enhancement: Database detailed logs
More efficient database architecture for the Detailed Authentication logs. Note that existing Detailed Authentication logs will be lost at upgrade (the default retention time is otherwise 30 days).
Bugfix: Fix of ‘Find User’ issue
Fix of issue whereby the ‘Find User’ button in the LDAP Profile menu of the Web GUI did not always return a correct result.
Mideye Server 5.5.6
Bugfix: Database cleanup
Improved database cleanup. Previous implementation could cause database connection to lock during cleanup of logentries table.
Enhancement: Cluster leader setting
New setting in configuration file, whereby a Mideye server can be configured as cluster leader (default: true). If set to false, database cleanup is disabled. This is to avoid simultaneous operations for clustered servers configured to use a common database.
Enhancement: Database read/write
More efficient way to write and read authentication log details. This solves a potential database deadlock problem.
Enhancements: Assisted login for federated users
Empty federation attributes are not sent to the Mideye+ app.
If the approver doesn’t open the app before user login, a proper reply message is returned to ADFS.
Mideye Server 5.5.5
Bugfix: Memory leak
Fix of bug that caused memory leak if Hibernate cache was enabled.
Bugfix: Number correction
Fix of index-out-of-bound-error in phone number correction.
Enhancement: Improved loading of authentication logs
Performance optimization speeding up the loading of authentication logs in the web GUI.
Mideye Server 5.5.4
New feature: Support for Azure AD
Mideye Server can connect to Azure AD with the Microsoft Graph API to search user accounts.
New feature: Assisted Login for federated users
Assisted Login protection can be applied to federated accounts logging in via ADFS. External users can log in with their home company accounts, but access is only granted if the login is accepted by an internal approver.
Enhancement: Custom LDAP attribute values to logs
In the LDAP profile configuration, additional LDAP attributes can be specified and the corresponding values written to log files at a specified log level. Optionally, the values can also be written to the detailed authentication logs in the database.
Enhancement: Ignore LDAPS certificate validation
As an option, an LDAP profile can be configured to ignore certificate validation. This facilitates automation of LDAP profile provisioning via the server REST API. Note that with validation disabled the LDAPS connection no longer verifies the identity of the directory server and is open to man-in-the-middle interception, so the option should only be used during provisioning and be switched back to a validated certificate afterwards.
Enhancement: Additional Assisted Login info to logs
The detailed log information is extended to also include more information relating to Assisted Login, e.g. the identifier of the Assisted Login profile that is being used.
Bugfix: GUI user, role Operator
Fix of R5.4 bug whereby role Operator lacks access to the web GUI. Also a fix of a general R5 bug, whereby role Operator had write/delete access to some menus and APIs.
Bugfix: Detailed log items not shown in authentication logs
Fix of R5.4.4 bug: Detailed log items, e.g. Assisted Login additional challenges and the corresponding responses, were not shown in the authentication logs.
Bugfix: Checkboxes not working at first attempt
In the web GUI assisted login configuration, approver tab, checkboxes were not working first time they were selected.
Bugfix: Unexpected error in LDAP profile user search
Fix of bug resulting in an unexpected error when testing LDAP profile user search before the LDAP profile was configured.
Bugfix: Assisted login approver ID not honored
Fix of R5.3 bug. When the approver ID attribute in the Assisted Login configuration was specified, this was not honored.
Bugfix: User search with MSISDN not working
Fix of R5 bug: When testing user search via the LDAP profile configuration in the web GUI, MSISDN could not be used as user identity.
Bugfix: Number of login attempts incorrectly labeled in detailed logs
In the detailed log information, the number of login attempts was incorrectly labeled as ‘Role’.
Mideye Server 5.4.4
Bugfix: Web GUI causing database overload
Fix of bug introduced in 5.3 whereby detailed authentication log queries from the Web GUI dashboard could cause overload in the database.
Enhancement: RADIUS client overview list
In the RADIUS clients configurations menu, the start page is modified by replacing the assigned Accounting Server column with assigned LDAP Profiles.
Mideye Server 5.4.3
Bugfix: Shared Secret Editing
Fixed a bug whereby, if the Mideye Server contained more than 127 Shared Secrets, Shared Secret 128 and above could not be edited.
CentOS 6 & 7 yum repository change
When using yum to install and update the Mideye Server 5.x in CentOS 6 and CentOS 7, the repository folder structure has changed. See the “Linux RPM installation guide” on how to update the “mideye.repo” file to mirror this.
Mideye Server 5.4.2
New feature: Require Mideye+
RADIUS clients can be configured to require that the Mideye+ app is activated for mobile phone users.
New feature: Require local authentication on phone
RADIUS clients can be configured to require that Mideye+ users must authenticate locally on the phone (biometric or PIN) before being able to accept a login.
Enhancements: Configuration and management menus
In the Vendor Specific Vendors configuration menu, vendors are listed in alphabetical order, and attributes are listed alphabetically in submenus for each vendor.
In the RADIUS clients configurations menu, the start page is simplified by removing some columns. In the Test client sub pages, the placeholder text in the challenge prompt is modified.
In the dashboard, certificate expiry is added as a separate information box. The Switch health check text is changed from ‘UP’ to ‘Connected’.
In the Certificate Management menu, a more informative error message is presented when the certificate subject is empty.
Enhancement: Authentication log
For failed Assisted Login attempts, the error message now distinguishes between approver not found and approver not authorized.
Enhancement: Automatic database re-connect
If the database connection fails at server startup, the Mideye Server makes automatic retries for a specified time period until connection has succeeded.
Bugfix: RADIUS server concurrency issue
Fix of a concurrency issue that caused the RADIUS server to fail to restart after configuration changes.
Bugfix: Accounting timestamps
Timestamps in accounting logs are now presented in local time with the correct timezone indicator.
Bugfix: Not possible to assign RADIUS client to database user
Fix of bug affecting database users in MS-SQL: it is now possible to add RADIUS clients.
Bugfix: Vendor Specific Attributes
Data types are now shown correctly, and it is now possible to edit Vendor Specific Attributes.
Bugfixes: SSL certificate management
If CN is missing in an LDAPS certificate, the hostname is now used as certificate alias.
Bug in SSL certificate expiry monitoring is fixed.
Bugfixes: Authentication log info message
Fix of incorrect information message when Touch falls back to OTP due to data push delivery failure.
Fix of misleading information message when Approver account has missing/invalid phone number.
Bugfix: Authentication logs
Fix of Authentication logs search filter.
Bugfix: LDAP profile default values
Fix of incorrect default attribute names when LDAP server other than Active Directory is selected.
Security: HTTP Trace and Track Methods and HTTP Header
HTTP Trace and Track Methods are disabled in the administrative web interface, and X-Frame-Options response header is added.
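The two web GUI hardening changes above (X-Frame-Options and disabled TRACE/TRACK methods here, and the Content-Security-Policy header added in 5.7.2) are the kind of thing to verify after an upgrade rather than take on trust. The following is an added example, not code from Mideye or the product: it parses a raw HTTP response head and flags a missing or permissive CSP, a missing or weak X-Frame-Options header (accepting a CSP frame-ancestors directive as an equivalent), and TRACE/TRACK advertised in the Allow header. The two sample responses are constructed for the example and are not captures from a Mideye server.

```python
# Constructed sample responses (not captured from a real Mideye installation): one as a
# hardened server should answer, one with the weaknesses the audit is meant to catch.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "\r\n"
)


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response head into (status line, {lower-case name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def csp_directives(values):
    """Flatten one or more CSP header values into {directive: [sources]}."""
    out = {}
    for value in values:
        for directive in value.split(";"):
            parts = directive.split()
            if parts:
                out.setdefault(parts[0].lower(), []).extend(parts[1:])
    return out


def audit_security_headers(raw):
    """Return a list of findings for the response; an empty list means all checks pass."""
    _, h = parse_response_headers(raw)
    findings = []

    csp = csp_directives(h.get("content-security-policy", []))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        for directive, sources in csp.items():
            if "*" in sources or "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
                findings.append(f"permissive CSP {directive}: {' '.join(sources)}")

    xfo = h.get("x-frame-options")
    if xfo:
        if xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"weak X-Frame-Options value: {xfo[0]}")
    elif "frame-ancestors" not in csp:
        findings.append("missing X-Frame-Options and no CSP frame-ancestors")

    allowed = {m.strip().upper() for v in h.get("allow", []) for m in v.split(",")}
    for method in ("TRACE", "TRACK"):
        if method in allowed:
            findings.append(f"{method} advertised in Allow header")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_security_headers(HARDENED_RESPONSE) or "no findings")
    print("weak:", audit_security_headers(WEAK_RESPONSE))
```

Against a live server, feed the head of an HTTPS response to the same function and, separately, send an explicit TRACE request: with the method disabled the server must not echo the request back in its response body.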
Mideye Server 5.3.5
Bugfix: Server GUI unexpected error
Fix of GUI unexpected error that occurred if dashboard health indicators were clicked while loading.
Mideye Server 5.3.4
Bugfixes: Windows installation package
“;” (semicolon) no longer needs to be inserted manually when using database-instances
Old keystore is automatically removed when reinstalling the same version of the Mideye Server
Bugfix: Null pointer exception
Radius requests with null value NAS-ID and NAS-IP attributes will not cause a null pointer exception.
Mideye Server 5.3.3
New Feature: RADIUS session management
RADIUS sessions (session start, update and stop) for RADIUS clients that support Accounting are presented as a separate menu in the server web GUI. For RADIUS clients that support Disconnect Message, sessions can be terminated from the GUI.
Enhancements: Assisted Login
Assisted Login is enhanced with the following features:
Management of assisted login sessions from the Mideye+ app
The Approver can see and disconnect approved sessions from the Mideye+ app.
The User can be prompted to enter more information via additional challenges in the login dialog. This information is presented to the Approver in the Mideye+ app, and is logged for audit purposes.
Multiple Assisted Login profiles per RADIUS client
Multiple Assisted Login profiles can be assigned to a RADIUS client.
Enhanced authorization logic
The authorization logic for Assisted Login is enhanced both for Users and Approvers. Approvers can be selected based on a None/Any/All combination of assigned manager, group membership and specified users. The possibility for Approvers to approve sessions for themselves can be enabled/disabled in a separate checkbox. Users can be selected based on a None/Any/All combination of assigned authentication type, group membership and specified users.
Session and idle timeout specified in Assisted Login profile
The RADIUS session timeout and idle timeout can be specified in the Assisted Login profile, and are returned as attributes in the Access Accept.
Size limitation of user id and group name fields removed
The previous size limitation of user id and group name fields in Assisted Login configuration is removed.
Test of Assisted Login profiles in RADIUS client
When Assisted Login profiles have been added to a RADIUS client, the logic (match between Approver and User) can be verified in a test menu accessible from the Assisted Login tab in the RADIUS client configuration.
Enhancement: More detailed authentication logs
Entries in the authentication logs can be extended to view more detailed log information. Old log entries are automatically deleted after a specified retention period. The default retention period for basic authentication and session logs is 365 days. For detailed authentication information, the default retention period is 30 days.
Enhancement: Time-zone information in log files
Information about time zone is added to the time stamp in log files.
Bugfix: Default OTP Presentation type 1
Default OTP Presentation type 1 (inbox SMS) now works also when the checkbox ‘Read Optional Attributes’ is selected.
Bugfix: Either NAS IP or NAS ID must be specified
New check in the RADIUS client configuration in the web GUI that prevents NAS IP and NAS Identifier from both being empty, which would cause RADIUS client identification to fail.
Bugfix: Faulty RADIUS attribute links in LDAP-RADIUS translation
Incorrect links associated to RADIUS attributes in LDAP-RADIUS translation are removed.
Bugfix: Not necessary to specify an LDAP profile
It is no longer required to specify an LDAP profile when editing a RADIUS client via the web GUI.
Bugfix: NPE when saving SSL certificate missing CN attribute
Fix of null-pointer exception when an LDAP SSL certificate missing a CN attribute is saved.
Mideye Server 5.2.3
Bugfix: Debian package
Added missing files from debian package.
Mideye Server 5.2.2
Bugfix: R4 Migration Wizard
To prevent memory overflow, the import of R4 login statistics and accounting data is limited to the last 100 000 rows from the last year.
Mideye Server 5.2.1
New Feature: Password change in PAP
Support for password change in PAP, using additional challenges to prompt for a new password. This means that password change is now supported for database users. For LDAP users, this means an NPS is no longer required for password change.
Enhancement: Disable Auth Type 1 (Password)
Authentication Type 1 (Password) can be disabled per RADIUS client.
Enhancement: Certificate validation and export
Certificate management via the Web GUI is enhanced to include certificate path validation and an export function.
Enhancement: Enable blocking of self-personalized Yubikeys
Self-personalized Yubikeys can be blocked per RADIUS client by only allowing Yubicloud OTPs with the prefix cc.
Enhancement: Spam filter reset
The number of users affected by a spam filter lockout is shown in the RADIUS Server configuration menu.
Enhancement: Database configuration
The database configuration is now validated in the Windows Installation package. Database passwords containing double-quote characters (“) are now supported, as well as database instances.
Enhancement: Touch failed user message
A new user message is added for the case when Touch login fails.
Enhancement: Assisted login LDAP search
The LDAP user and approver search is improved, avoiding duplicate search of the user. The approver search now continues to next LDAP repository if the authorization check fails.
The Database and Switch connection status information in the GUI dashboard is improved.
Bug fix: Reply message when phone not reachable
For Authentication Type 2 (Mobile), when the phone is not reachable and Mideye+ is not activated (SMS-OTP), the correct reply message is now returned.
Bug fix: Locked LDAP users
LDAP users are now locked for the specified time period. The extra minute added in previous releases is removed.
Bug fix: Assisted Login reject reply message
A reply message is added for the case when an Assisted Login is rejected because the Touch accept failed.
Bug fix: Spam filter
Logins rejected by the spam filter are now shown in the logs. The login failure message when a login is rejected by the spam filter is changed from ‘Invalid user/password’ to ‘Too many attempts, try again later’, with a reference on how to manually reset the filter.
Bug fix: Assisted login approver group membership
The approver group membership can now be specified using Java Regular Expressions.
Bug fix: Default LDAP connect and read timeouts
The default LDAP connect timeout is changed to 2 seconds, and the read timeout is changed to 10 seconds.
Bug fix: Handling of invalid RADIUS requests
When invalid RADIUS requests are discarded, they are now removed from the pending authentications list, thereby preventing the pending request counter from hitting the overload limit.
Bug fix: Assisted login approver search
The search failed if the approver was not found in all LDAP profiles configured for the RADIUS client. This is now fixed, it is sufficient if the approver is found in one profile.
Mideye Server 5.1.3
Bug fix: LDAP user locking release
Fix of bug ‘LDAP locking not released when using MS-CHAPv2’.
Bug fix: Access reject with MS-CHAPv2
Fix of incorrect response authenticator in MS-CHAPv2 Access reject messages. This bug caused multiple Touch prompts when access rejected in the app.
Mideye Server 5.1.2
New Feature: Assisted login
A new authentication method, Assisted Login (Auth type 9), for LDAP accounts. Predefined users are authorized to approve access for external users to selected RADIUS clients. Access is approved in the Mideye+ app. This authentication method is intended for users that require temporary access to protected resources.
New Feature: Certificate management via web GUI
Simplified administration of certificates for LDAPS and web GUI.
New Feature: Managing RADIUS attributes via web GUI
New Vendor-specific Attributes (VSAs) can be added via the web GUI. Also, the default VSA list has been extended to include more vendors.
New Feature: Spam filter reset
The OTP spam filter can be reset via the web GUI. This is to prevent users from being locked out if the Max Pending Requests queue is filled up, e.g. after a network incident.
Enhancement: RADIUS reply attributes displayed in test client
When using the test button for RADIUS clients in the web GUI, reply attributes are presented.
Enhancement: Server Accounting
Accounting filtering options are enhanced. It is also possible to export the result as a CSV-file from the web GUI.
Enhancement: Second challenge when token out of sync
If a token is out of sync, a second challenge is presented to the user requesting a new OTP to re-synchronize the token.
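The two token mechanics described on this page, TOTP validation against seeds held in the on-premise database (5.7.2, independent of the central Mideye service) and the second challenge used to re-synchronize a token that has drifted (this release), come down to the same OATH arithmetic. The block below is an added example written for this page, not Mideye's code: it validates a 6-digit TOTP (RFC 6238, HMAC-SHA1, 30-second step) against a local seed with a ±1 step drift window and replay protection, and implements resync as a search for two consecutive OTPs that records the token's clock offset. The seed store layout, the serial `TOKEN-0001`, the window sizes and the stored `offset`/`last_step` fields are assumptions for the example; the seed is the RFC 4226/6238 reference seed so the codes can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1      # accept one step either side of the expected one
RESYNC_WINDOW = 20    # steps searched either side when the user supplies two consecutive OTPs


def new_seed_store():
    """Constructed on-premise seed store (assumed layout, not the product's schema):
    serial -> base32 seed, learned clock offset in steps, and the last step that produced
    a successful login (replay protection). The seed is the RFC 4226/6238 reference seed."""
    return {
        "TOKEN-0001": {
            "seed": base64.b32encode(b"12345678901234567890").decode("ascii"),
            "offset": 0,
            "last_step": -1,
        }
    }


def totp_at(seed_b32, step):
    """HOTP (RFC 4226) over the time-step counter: HMAC-SHA1 plus dynamic truncation."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def verify_totp(store, serial, otp, now):
    """Validate one OTP against the local seed: apply the token's stored offset, allow
    ±DRIFT_WINDOW steps, and never accept a step at or before the last successful one."""
    rec = store.get(serial)
    if rec is None or len(otp) != DIGITS or not otp.isdigit():
        return False
    expected = now // STEP_SECONDS + rec["offset"]
    for step in range(expected - DRIFT_WINDOW, expected + DRIFT_WINDOW + 1):
        if step <= rec["last_step"]:
            continue  # already used, or older than a used one: replay
        if hmac.compare_digest(totp_at(rec["seed"], step), otp):
            rec["last_step"] = step
            return True
    return False


def resync_totp(store, serial, otp1, otp2, now):
    """Second-challenge resync: search ±RESYNC_WINDOW for two consecutive steps that match
    the two OTPs, then record how far the token's clock is from the server's."""
    rec = store.get(serial)
    if rec is None:
        return False
    base = now // STEP_SECONDS
    for delta in range(-RESYNC_WINDOW, RESYNC_WINDOW + 1):
        step = base + delta
        if step <= rec["last_step"]:
            continue
        if hmac.compare_digest(totp_at(rec["seed"], step), otp1) and hmac.compare_digest(
            totp_at(rec["seed"], step + 1), otp2
        ):
            rec["offset"] = delta
            rec["last_step"] = step + 1
            return True
    return False


if __name__ == "__main__":
    store = new_seed_store()
    print("counter 1 ->", totp_at(store["TOKEN-0001"]["seed"], 1))  # 287082 per RFC 4226
    print("drift ok:", verify_totp(store, "TOKEN-0001", "359152", now=59))
    print("replay rejected:", verify_totp(store, "TOKEN-0001", "359152", now=59))
    print("resync:", resync_totp(store, "TOKEN-0001", "338314", "254676", now=59))
```

Two points the code makes that the release notes do not: the server never accepts a step at or before the last successful one, so an OTP observed over the shoulder cannot be replayed inside the drift window, and resync requires two consecutive codes precisely because a single 6-digit value matches somewhere in a ±20 step search with non-negligible probability.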
Enhancement: Search database users by token number
Database users can be searched using the token serial number.
Enhancement: Search base automatically created for LDAP profile
When creating an LDAP profile, the LDAP root search base is automatically populated when clicking the “Save” button.
Bug fix: Mobile number missing in logs when Touch cannot be used
If authentication type Touch fails, the user’s phone number is now included in the log entry.
Bug fix: Removed re-load redirect to web GUI dashboard
If reloading a page in the web GUI, the user now remains on the reloaded page.
Bug fix: root user default profile
The Web Admin RADIUS client is now assigned to the root user by default.
Bug fix: Redirect after root password change
Root user is now redirected to the web GUI dashboard when the password has been changed.
Bug fix: Reply Message in Web GUI
RADIUS reply messages are now displayed in the Web GUI login.
Bug fix: Log timestamps in milliseconds instead of seconds
Bug fix: Top 5 Failing Users case sensitive
The Top 5 Failing usernames presented in the web GUI dashboard are now case-insensitive.
Bug fix: MSISDN/token number validation in Mideye Server
Mobile number and token serial number formats are now verified in the Mideye Server before being forwarded to the Mideye Switch.
Bug fix: Web GUI login hanging after timeout
Page re-load no longer required to login again after session timeout.
Mideye Server 5.0
Mideye 5.0 requires a new server installation. A migration tool facilitates migration from releases 4.6.5 and later.
Server config via web admin
A new administrative web interface that also replaces the R3/R4 Configuration Tool. A new super administrator role is introduced, with the same rights as the root user.
Support for server config via REST API
As an alternative to server configuration via the administrative web interface, a REST API is provided for automated server configuration.
Configuration changes without restarts
Configuration changes no longer require service restarts to take effect.
Improved RADIUS client identification based on NAS ID attribute
Improved selection of RADIUS clients based on RADIUS attribute 32 (NAS Identifier) which simplifies implementations with multi-login profiles originating from the same IP address.
Separate table for source IP – shared secret configuration
Specification of the shared secret is moved from RADIUS clients to a separate table, where source IPs and shared secrets are matched. A default shared secret can be specified that is matched to any IP that is not specified in the table.
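Several items on this page touch the same small piece of RADIUS handling: client selection by NAS-Identifier (attribute 32) with NAS-IP-Address (attribute 4) as fallback (5.0, and the 5.3.3 check that both must not be empty), requests with null NAS attributes that used to cause a null-pointer exception (5.3.4), the shared-secret table keyed by source IP with a default entry (5.0), and the incorrect Response Authenticator in MS-CHAPv2 Access-Reject messages (5.1.3). The block below is an added example, not Mideye's implementation, that puts those pieces together: it parses an Access-Request defensively, identifies the client, picks the secret for the packet's source IP, and builds an Access-Reject whose Response Authenticator follows RFC 2865 section 3 (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the secret), together with the check a NAS performs on it. The client list, the secret table and the sample requests are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 4, 18, 32
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (RFC 2865 s.3)

# Constructed tables (assumed layout, not the product's own): shared secrets keyed by
# source IP with a default, and RADIUS clients keyed by NAS-Identifier or NAS-IP-Address.
SECRET_TABLE = {"10.0.0.5": b"vpn-secret", "10.0.0.6": b"wifi-secret"}
DEFAULT_SECRET = b"default-secret"
CLIENTS = [
    {"name": "vpn-corp", "nas_id": "vpn-gw-01", "nas_ip": None},
    {"name": "vpn-guest", "nas_id": "vpn-gw-02", "nas_ip": None},
    {"name": "wifi", "nas_id": None, "nas_ip": "10.0.0.6"},
]


def lookup_secret(src_ip):
    return SECRET_TABLE.get(src_ip, DEFAULT_SECRET)


def parse_packet(raw):
    """Return (code, identifier, authenticator, attrs, body); reject bad lengths up front
    rather than letting a malformed attribute blow up later."""
    if len(raw) < HEADER.size:
        raise ValueError("shorter than RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(raw)
    if length < HEADER.size or length > len(raw):
        raise ValueError("bad Length field")
    attrs, i = {}, HEADER.size
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        alen = raw[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs[raw[i]] = raw[i + 2:i + alen]
        i += alen
    return code, ident, authenticator, attrs, raw[HEADER.size:length]


def identify_client(attrs):
    """NAS-Identifier wins, NAS-IP-Address is the fallback; an absent or empty attribute
    yields None instead of an exception."""
    nas_id = attrs.get(ATTR_NAS_IDENTIFIER)
    nas_ip = attrs.get(ATTR_NAS_IP_ADDRESS)
    nas_id = nas_id.decode("utf-8", "replace") if nas_id else None
    nas_ip = str(IPv4Address(nas_ip)) if nas_ip and len(nas_ip) == 4 else None
    if nas_id is not None:
        for c in CLIENTS:
            if c["nas_id"] == nas_id:
                return c["name"]
    if nas_ip is not None:
        for c in CLIENTS:
            if c["nas_ip"] == nas_ip:
                return c["name"]
    return None


def encode_attrs(attrs):
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def verify_reply(reply, request_auth, secret):
    """What the NAS does with the reply: recompute the Response Authenticator."""
    code, ident, auth, _, body = parse_packet(reply)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, body, secret))


def handle_access_request(raw, src_ip):
    """Identify the client and answer with an Access-Reject authenticated with the secret
    that belongs to the packet's source IP (the default secret if the IP is not listed)."""
    code, ident, request_auth, attrs, _ = parse_packet(raw)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    client = identify_client(attrs)
    reject = build_reply(ACCESS_REJECT, ident, request_auth,
                         [(ATTR_REPLY_MESSAGE, b"Invalid user/password")], lookup_secret(src_ip))
    return client, reject


# Constructed sample requests (not captures): by NAS-Identifier, by NAS-IP-Address, and
# with neither attribute present.
REQ_AUTH = bytes(range(16))
SAMPLE_BY_NAS_ID = build_request(7, REQ_AUTH, [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"vpn-gw-02")])
SAMPLE_BY_NAS_IP = build_request(8, REQ_AUTH, [(ATTR_USER_NAME, b"bob"), (ATTR_NAS_IP_ADDRESS, IPv4Address("10.0.0.6").packed)])
SAMPLE_NO_NAS = build_request(9, REQ_AUTH, [(ATTR_USER_NAME, b"carol")])

if __name__ == "__main__":
    for pkt, ip in ((SAMPLE_BY_NAS_ID, "10.0.0.5"), (SAMPLE_BY_NAS_IP, "192.0.2.9"), (SAMPLE_NO_NAS, "10.0.0.5")):
        client, reject = handle_access_request(pkt, ip)
        print(f"{ip}: client={client} reject authenticator valid={verify_reply(reject, REQ_AUTH, lookup_secret(ip))}")
```

The NAS silently discards a reply whose Response Authenticator does not verify, which is why a wrong secret or a wrongly computed authenticator shows up as timeouts and repeated prompts on the client side rather than as an error on the server.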
NPS configuration separated from LDAP server configuration
Microsoft Network Policy Server (NPS) settings are moved from LDAP profile configuration to a separate NPS profile. This simplifies the re-use of the same NPS profile in multiple LDAP profiles.
Docker container support
Mideye server is now available as a Docker image as an alternative to Windows and Linux installation packages.
Mideye server is now available as a Debian-based package in addition to the RPM-based package.
Enhanced server monitoring
Automatic health checks of Mideye Switch and database connections. Monitoring of LDAPS certificate expiry. Dashboard with login statistics and success rates.
Enhanced server accounting
Possible to select full calendar months in the web GUI for matching server accounting with monthly invoices.
Support for database login using NTLMv2
Mideye Server 4.7.2
Bugfix: Offline challenge (Mideye+) when phone not reachable, authentication type = 2, MSCHAPv2
In previous releases 4.6.X and 4.7.X, the manual offline challenge was not displayed for authentication type 2 (mobile) when MSCHAPv2 was used.
Bugfix: Framed IP Address not returned for all IP addresses
In previous releases 4.6.X and 4.7.X, the Framed IP Address (RADIUS attribute 8) was not returned for IP addresses that were represented by a positive integer in Active Directory.
Mideye Server 4.7.1
New Feature: Support for EAP-authentication
Mideye now forwards any incoming RADIUS packets using EAP authentication to Microsoft NPS.
Mideye is now handling Proxy-State (attribute 33) correctly according to RFC 2865.
Bugfix: User filtering for MS-CHAP-V2 and EAP
User-filtering for RADIUS-clients is now working for MS-CHAP-V2 and EAP. Before release 4.7.1, user-filtering only worked for PAP.
Mideye Server 18.104.22.168
Bugfix: Enabling Event-viewer logging for Windows Server caused Mideye-Radius service to crash
When Event-viewer logging was enabled and the Mideye services were restarted, Mideye-RADIUS did not start.
Mideye Server 4.6.5
New Feature: Token-coupled Mideye+
With this feature, an OTP from a token card (MiniToken or YubiKey) is required when activating the Mideye+ app. As an enhanced security setting, RADIUS clients can be configured to only accept login with token-coupled Mideye+ apps or token cards.
New Feature: Bundled JRE
JRE bundled with the Mideye installation package. Java Runtime Environment is included in the installation package and does not need to be installed separately.
New Feature: Automatic read of Framed IP Address (RADIUS attribute 8) from Active Directory.
As an option, Mideye reads the static IP Address (IP v4 only) assigned in Active Directory and returns it in the RADIUS Access Accept, attribute 8 (Framed IP Address).
Bugfix: Incorrect logging of failed OTP deliveries
When authentication type 6,7 or 8 (Touch) is selected, failed OTP deliveries for users without Mideye+ are now logged with the correct error message (‘Phone not reachable’).
Bugfix: Multiple groups when using regex
Mideye Config Tool -> LDAP Servers -> Groups: Multiple LDAP groups can be specified using Java regular expressions. (Previously, only a single group could be specified when regular expressions were used).
Bugfix: LDAP profile created with an invalid password
Mideye Config Tool -> LDAP Servers. Fix of a bug that caused unexpected behavior/error messages in case an LDAP profile was created with an invalid LDAP account password.
Bugfix: Hanging web admin when MySQL connection lost
Fix of problem with hanging web admin when MySQL database connection was lost.
Mideye Server 4.5.2
New Feature: Support for Touch login with Microsoft Remote Desktop Services
By using authentication type 6 (Touch) it is possible to log in with Microsoft Remote Desktop Services (MS RDS) without using challenge-response. This means two-factor authentication with mobile phones can be achieved with the built-in RADIUS support in MS RDS.
New Feature: Support for simplified Mideye+ activation
A new way to activate Mideye+ is introduced. A user no longer needs to enter the mobile phone number manually in the app. The user can activate Mideye+ by entering a ‘+’ sign after the OTP in the challenge dialogue.
New Feature: Support for authentication with YubiKey tokens
YubiKey tokens compatible with Mideye can be ordered from Mideye support. It is possible to specify a Yubikey identifier in the format ‘ubbc0[7 digits]’ as a valid token number.
Bugfix: Root password to the administrative web interface is lost during an upgrade
In previous versions of the Mideye Server package for Windows, the root password to the administrative web interface was lost during upgrade.
Mideye Server 4.4.4
New Feature: LDAP-RADIUS translation with MS-CHAP
RADIUS attributes obtained from LDAP-RADIUS translation can now be returned in MS-CHAP Access Accept messages for authentication types PASSWORD (type 1) and TOUCH (types 6, 7 and 8). Previously, this was only possible with authentication types Mobile (type 2) and Token (type 3) when using MS-CHAP. (For PAP, attributes can be included for all authentication types).
New Feature: Enhanced multiple-click suppression
The (optional) multiple-click suppression feature is enhanced to discard events where the user ignores or cancels OTP prompts.
Bugfix: Authentication Attempts logs
Two bugfixes relating to the Authentication Attempt logs in the administrative web interface:
- RADIUS client ID is now included also in case of challenge-response timeout when using MS-CHAP (previously this information was missing).
- Rejects due to OTP spam filter are now explained in the info column also when using MS-CHAP (previously this information was missing).
Bugfix: Upgrade scripts for Linux
Previously, the root user password for the administrative web interface was reset during the upgrade procedure. This is now fixed for Linux, but the problem remains in Windows (this will be addressed in the next release).
Mideye Server 4.4.3
Bugfix: multiple-click suppression disabled
Multiple-click suppression is disabled by default, since it is only applicable for certain RADIUS clients and it caused some unexpected behavior.
Mideye Server 4.4.2
New Feature: Suppressing multiple-click logins
This feature suppresses multiple-click logins in RADIUS clients. It is enabled by default and can be configured via Mideye Configuration Tool, tab Radius Servers. Having this feature enabled prevents users from receiving numerous consecutive OTPs if they mistakenly keep pressing the login button in the client.
New Feature: Improved overload handling
This feature improves overload handling by rejecting additional requests if the number of pending requests exceeds a threshold. The maximum number of pending requests can be configured via Mideye Configuration Tool, tab Radius Servers. This makes the Mideye Server more responsive in overload situations.
New Feature: Preventing OTP spamming
This feature limits the number of OTP deliveries to a specific phone number within predefined time windows. The allowed number of OTP deliveries can be configured via Mideye Configuration Tool, tab Radius Servers.
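The three 4.4.2 features above, multiple-click suppression, the pending-request cap and the per-number OTP delivery limit, are each a few lines of state once separated out, and later notes on this page describe their failure modes: invalid requests that were never removed from the pending list drove the counter to the overload limit (5.2.1), and the spam filter needs a manual reset and a lockout count in the GUI (5.1.2, 5.2.1). The following is an added example, not Mideye's code, showing one way to implement all three as an in-memory gate in front of OTP delivery. Limits, window lengths, the return strings and the `LoginGate` name are assumptions for the example; the phone numbers in the usage are constructed.

```python
from collections import deque


class OtpSpamFilter:
    """Sliding-window limit on OTP deliveries per phone number: at most `limit`
    deliveries within any `window` seconds (assumed values)."""

    def __init__(self, limit=5, window=600):
        self.limit, self.window = limit, window
        self._sent = {}  # msisdn -> deque of delivery timestamps (seconds)

    def allow(self, msisdn, now):
        q = self._sent.setdefault(msisdn, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # deliveries that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def locked_out(self, now):
        """Numbers currently at the limit: the count an operator wants to see."""
        return sorted(n for n, q in self._sent.items()
                      if sum(1 for t in q if now - t < self.window) >= self.limit)

    def reset(self, msisdn=None):
        """Manual reset, for one number or for all of them."""
        if msisdn is None:
            self._sent.clear()
        else:
            self._sent.pop(msisdn, None)


class PendingRequests:
    """Overload guard: refuse new authentications once `max_pending` are in flight.
    Every request, including one discarded as invalid, must be finished, or the
    counter creeps up to the limit and locks everybody out."""

    def __init__(self, max_pending=100):
        self.max_pending = max_pending
        self._pending = set()

    def start(self, request_id):
        if len(self._pending) >= self.max_pending:
            return False
        self._pending.add(request_id)
        return True

    def finish(self, request_id):
        self._pending.discard(request_id)

    @property
    def count(self):
        return len(self._pending)


class LoginGate:
    """Combines the two guards with multiple-click suppression: a second login for a
    user whose first one is still pending gets no new OTP."""

    def __init__(self, spam_filter, pending, suppress_multiclick=True):
        self.spam, self.pending, self.suppress = spam_filter, pending, suppress_multiclick
        self._in_flight = {}  # user -> request_id of the pending login

    def begin(self, user, msisdn, request_id, now):
        if self.suppress and user in self._in_flight:
            return "suppressed"
        if not self.pending.start(request_id):
            return "overloaded"
        if not self.spam.allow(msisdn, now):
            self.pending.finish(request_id)  # rejected requests do not stay pending
            return "too many attempts, try again later"
        self._in_flight[user] = request_id
        return "otp sent"

    def end(self, user, request_id):
        """Call on accept, reject, timeout and discard alike."""
        self.pending.finish(request_id)
        if self._in_flight.get(user) == request_id:
            del self._in_flight[user]


if __name__ == "__main__":
    gate = LoginGate(OtpSpamFilter(limit=2, window=60), PendingRequests(max_pending=2))
    print(gate.begin("alice", "+46700000001", 1, now=0))   # otp sent
    print(gate.begin("alice", "+46700000001", 2, now=1))   # suppressed (still pending)
    gate.end("alice", 1)
    print(gate.begin("alice", "+46700000001", 3, now=2))   # otp sent
    gate.end("alice", 3)
    print(gate.begin("alice", "+46700000001", 4, now=3))   # too many attempts
    print(gate.spam.locked_out(now=3))
```

The order of the checks in `begin` matters: suppression runs before the pending counter so that a user hammering the login button never consumes pending slots, and a request refused by the spam filter is released from the counter immediately, which is exactly the bookkeeping the 5.2.1 fix restored for discarded invalid requests.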
Bugfix: MS-CHAPv2 reject
A previous bug in MS-CHAPv2 reject is fixed. The bug caused some RADIUS clients to send a duplicate request after the first request had been rejected.
Mideye Server 4.4.1
New Feature: Support for Mideye+ Touch Accept
Mideye+ Touch Accept enables Mideye+ users to accept or reject the login directly using the Mideye+ client (on iOS and Android), see Figure 2.1. It improves user experience by removing the need to manually enter the OTP. The following are the requirements for Touch Accept to work:
- Mideye Server 4.4.x
- Mideye+ client version 3.x.x
- Mideye+ is enabled in the customer’s profile in Mideye central system
Mideye Server 4.4.1 introduces three new authentication types, they differ in fallbacks in case the initial Touch Accept attempt fails (e.g. if the user lacks Internet connectivity).
- Authentication type 6 (Touch): No fallback if Touch Accept fails.
- Authentication type 7 (Touch-Plus): If Touch Accept fails, the fallback is Mideye+ manual signature.
- Authentication type 8 (Touch-Mobile): If Touch Accept fails, Mideye attempts to reach the Mideye+ app via SMS. If this also fails, the fallback is Mideye+ manual signature.
New Feature: Enhanced authentication attempts log in Web Administration Interface
This feature enhances the authentication attempts log with information about failed authentications. The authentication attempts log now also contains phone/token number and authentication type as well as the reason for failure.
Mideye Server 4.3.3
Bugfix: Mideye Server hanging problem while using Mideye Configuration Tool
This bug caused Mideye Server to hang when using Mideye Configuration Tool to modify a RADIUS Client.
Bugfix: Fixed the challenge message when the password is expired
This bug caused database users to receive the message ‘Password needs to be reset’ if an LDAP user had to change the password prior to their login.
Mideye Server 4.3.2
Bugfix: Security issue
Prevent the exposure of the content of WEB-INF folder.
Removed unused certificates to improve the security of Mideye Server – Mideye Switch communication.
Bugfix: Log messages
Reduce the log level to warning when the Network Policy Server (NPS) is not configured.
Reduce the log level to debug when parsing an unknown Vendor Specific Attribute.
Mideye Server 4.3.1
New Feature: Password Change
Users in Active Directory can change their expired passwords during the logon process. This feature requires the use of the MS-CHAP v2 protocol and Network Policy Server (NPS).
New Feature: MS-CHAP v2
Mideye Server supports the MS-CHAP v2 protocol. Mideye Server will automatically determine the authentication protocol used: PAP or MS-CHAP v2. To function properly, MS-CHAP v2 needs a configured NPS.
New Feature: New Web Administration Interface
Mideye Server 4.3.0 includes a new Web Administration Interface.
New Feature: LDAP login to Web Administration Interface
The new Web Administration Interface allows login using an LDAP server.
New Feature: Password Comparison Authentication
It is possible to use an alternative field for storing hashed passwords instead of the default Active Directory password field. See Appendix A: Password Comparison in the reference guide for more details.
New Feature: Fortinet RADIUS attributes
Added Fortinet vendor specific attributes (Vendor ID: 12356) to the list of RADIUS attributes sent together with the final RADIUS Access Accept.
New Feature: Automatic Retrieval of LDAP Base Distinguished Name
When adding a new LDAP server, Mideye Server retrieves the base Distinguished Name automatically.
New Feature: Removal of Embedded Java Virtual Machine
Mideye Server 4.3.0 no longer includes Java Virtual Machine (JVM) and it must be installed separately before the installation. This allows more frequent updates of JVM independently from the Mideye Server.
New Feature: Removal of Alarm Manager
Alarm Manager service, installed along with Mideye Server in previous versions, has been removed.
New Feature: Removal of Radius Accounting
The RADIUS accounting server (used to run on port 1813) has been removed.
Mideye server 4.2.6
Bugfix: Windows services start-up
Fixed a bug that prevented the Mideye Windows services from starting automatically after Windows updates or a reboot of the server.
Mideye server 4.2.5
New Feature: R4.2.4 feature support in Windows
All enhancements and bug corrections in 4.2.4 are included in 4.2.5 and made available for Windows.
New Feature: Support for client certificate authentication for the administrative web interface
Client certificates can be generated from the default server certificate that is generated during server installation, and the administrative web interface can be configured to require a client certificate to grant access.
Bugfix: Increased maximum length of LDAP group names
In previous releases, the maximum length of LDAP group names was limited to 30 characters in order for the accounting to work properly. The limit has been increased to 200 characters.
Mideye server 4.2.4 (Linux only)
New Feature: Support for secondary mobile number in LDAP
If no mobile number is found in the assigned (primary) mobile attribute, Mideye can be configured to continue the search in a secondary attribute (e.g. ‘otherMobile’).
New Feature: Default support for SSL in the administrative web interface
The administrative interface is per default protected with SSL, and a self-signed certificate is generated during the installation.
New Feature: Enhanced and modified presentation of logs via the administrative web interface
Several log files in the directories /opt/mideyeserver/log/ and /opt/tomcat/logs/ can be viewed via the administrative web interface. Files can be added or excluded, and other folders can be added. The logs are presented in a separate window that is not protected by the web interface login, so it is recommended to restrict web interface access to specific IP addresses, thereby limiting log access to e.g. helpdesk personnel.
New Feature: SNMP traps
Support for SNMP traps is introduced. The Mideye PEN is 40761.
New Feature: Support for wild-card group check in Active Directory
AD group membership can be specified as a Java regular expression (e.g. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com’). This feature is only valid for Active Directory.
New Feature: Java and Tomcat update
Java is updated to Java SE Runtime Environment (build 1.7.0_11-b21), and TomEE 1.5.1 with Apache Tomcat Version 7.0.34 is used as web server.
Bugfix: Handling hanging LDAPS connections
The LDAP connection timeout parameter now also applies to the LDAP connection pool, avoiding the risk of overload when LDAPS connections hang.
Bugfix: Authentication type CONCAT for database users
Authentication type CONCAT now works also for database users. (Bug introduced in 4.1).
Bugfix: Event Viewer disabled on Linux installations
It is no longer possible to enable the Event Viewer on Linux installations.
Bugfix: Special characters in RADIUS shared secret
Special characters (e.g. å, ä, ö) are now allowed in the RADIUS shared secret.
Bugfix: Help button active on Linux installations
The Help button in the Configuration Tool is now active also on Linux installations.
Bugfix: Automatic database upgrade on Linux
Database scripts are now executed automatically when doing upgrades on Linux systems.
Mideye server 4.2.3
New Feature: Configuration Tool enhancements
Config Tool can now automatically identify and upgrade an existing Mideye database (from R3.0 and later). Config Tool automatically prompts for Admin rights when started.
New Feature: RADIUS Server enhancements
Pre-configured Norwegian and Finnish RADIUS reply messages. RADIUS server names can be up to 200 characters long (previously limited to 20 characters).
New Feature: RADIUS Client enhancements
RADIUS clients can be renamed. RADIUS client names can be up to 200 characters long (previously limited to 16 characters). The RADIUS shared secret must be specified (the field cannot be left empty).
New Feature: LDAP Server enhancements
LDAP search base can contain ‘/’ signs. The LDAP connection test no longer returns a false positive when the password field is empty.
New Feature: Number correction enhancements
Numbers containing only one parenthesis are auto-corrected if number correction is
New Feature: Accounting enhancements
Group names up to 200 characters supported (previously limited to 30 characters).
New Feature: Number filtering in Mideye Server
Mobile numbers (and token serial numbers) that do not follow the required formats are blocked in the Mideye Server before an OTP delivery/verification request is forwarded to the Mideye Switch. Mobile numbers must start with a ‘+’ sign followed by 3 to 20 digits. Note that mobile numbers in the formats 07xxxxx and 00xxxxxxx, which previously occasionally worked, are therefore now blocked. Customers with these number formats are recommended to apply automatic number correction in the Mideye Server.
New Feature: LDAP-RADIUS translation enhancements
LDAP-RADIUS translation is no longer case-sensitive. LDAP-RADIUS wildcard translation is supported, whereby a translation rule can be specified as a Java regular expression (e.g. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups, DC=mideye,DC=com’).
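The wild-card group check (4.2.4) and the wild-card LDAP-RADIUS translation above both match group DNs against a regular expression. The following Python is an added illustration, not Mideye code: it assumes the expression must cover the whole DN (Python's fullmatch standing in for Java's String.matches) and that matching is case-insensitive, as stated for the translation. The memberOf values and the translation rules (RADIUS attribute Class with values vpn-users and vpn-admins) are constructed for the example. It also shows why the trailing comma in ‘CN=mideyeusers,.*’ matters: without it, sibling groups whose name merely starts with mideyeusers would pass the check.

```python
import re

# Constructed sample of one user's memberOf values (not taken from the page).
MEMBER_OF = [
    "CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com",
    "CN=mideyeusers,OU=Oslo,OU=Groups,DC=mideye,DC=com",
    "CN=mideyeusers-readonly,OU=Groups,DC=mideye,DC=com",
    "CN=admins,OU=Groups,DC=mideye,DC=com",
]

# Hypothetical LDAP-RADIUS translation rules: (DN pattern, RADIUS attribute, value).
RULES = [
    ("CN=mideyeusers,.*", "Class", "vpn-users"),
    ("cn=admins,ou=groups,dc=mideye,dc=com", "Class", "vpn-admins"),
]


def matching_groups(pattern: str, member_of: list[str]) -> list[str]:
    """Group DNs matched by the regular expression `pattern` as a whole.

    fullmatch() is used as the equivalent of Java's String.matches(): the
    expression has to cover the entire DN, so a trailing ".*" must be written
    out where further RDNs are to be accepted. Case is ignored, as the release
    notes state for LDAP-RADIUS translation (assumed here for the group check too).
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [dn for dn in member_of if rx.fullmatch(dn)]


def group_check(pattern: str, member_of: list[str]) -> bool:
    """True if the user belongs to at least one group matching `pattern`."""
    return bool(matching_groups(pattern, member_of))


def translate(rules, member_of: list[str]) -> list[tuple[str, str]]:
    """RADIUS attribute/value pairs for every rule whose pattern matches a group DN.

    A pair is emitted once even when several group DNs satisfy the same rule.
    """
    out: list[tuple[str, str]] = []
    for pattern, attr, value in rules:
        if group_check(pattern, member_of) and (attr, value) not in out:
            out.append((attr, value))
    return out


if __name__ == "__main__":
    print(matching_groups("CN=mideyeusers,.*", MEMBER_OF))
    # The comma is part of the check: without it "mideyeusers-readonly" matches as well.
    print(matching_groups("CN=mideyeusers.*", MEMBER_OF))
    print(translate(RULES, MEMBER_OF))
```

When writing rules, keep the RDN separator in the pattern and escape any regex metacharacters that occur in real group names, otherwise a pattern meant for one group silently admits its neighbours.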
Bugfix: LDAP-RADIUS translation
It is no longer needed to activate the ‘Read optional attribute flag’ in order to use LDAP-RADIUS translation (4.2.2 bug resolved in 4.2.3).
Bugfix: Authentication with suffixes fails when user search continues to next LDAP server
Authentication with user-name suffixes (e.g. @TOKEN, @MOBILE) now works also when the user search continues to the next LDAP server in the search base (4.2.2 bug resolved in 4.2.3).
Bugfix: Help buttons not active
Help buttons in the Configuration Tool are now active again (4.2.2 bug resolved in 4.2.3).
Bugfix: Auth Type = CONCAT gives an unhandled error when group check fails
Failed group check when using authentication type CONCAT is now properly handled (4.2.2 bug resolved in 4.2.3).
Bugfix: Web Admin access from a remote computer
The Administrative Web Interface is automatically configured to allow access from a remote computer (4.2.2 bug resolved in 4.2.3).
Bugfix: Nested group selected without specified groups gives an error
‘Search nested groups’ can now be selected in Config Tool also when no group selection has been specified (4.2.2 bug resolved in 4.2.3).
Mideye server 4.2.2
New Feature: Linux package enhancements
Native look-and-feel in Mideye Config Tool on Linux. Possibility to execute Mideye Config Tool from any directory. Simplified setup of X11 over SSH (making it possible to execute Mideye Config Tool from another workstation).
Bugfix: Not possible to delete a RADIUS client that has an LDAP server assigned
This bug is resolved.
Bugfix: List of pending authentications is cleared after OTP expiry
The internal Mideye Server list of pending authentications is cleared after OTP expiry, instead of every 5 minutes. This means RADIUS clients that fail to increment the RADIUS packet identifier will not cause user lockout longer than the OTP validity time (default 60 seconds). This resolves a usability issue with e.g. Citrix Access Gateway Standard Edition.
Bugfix: Config Tool enhancements
Config Tool no longer prompts to save unsaved changes when setting up a database for the first time. Miscellaneous enhancements concerning Return key, database name and LDAP Server test connection.
Mideye server 4.2.1
Bugfix: User search via config tool fails if Authentication Type = 1
4.2.0 bug resolved in 4.2.1.
Bugfix: Web Admin ROOT password cannot be changed when using two-way encryption
4.2.0 bug resolved in 4.2.1.
Bugfix: Limited length of user password
In previous releases, the static password maximum length was 48 characters for LDAP users and 16 characters for database users. Both these limitations have been removed.
Bugfix: Unlimited number of log lines presented via Web Interface
4.1.0 bug resolved in 4.2.1. The number of log lines presented via the Administrative Web Interface is now limited to the number specified in the filter settings.
Bugfix: New address field for database connection in Config Tool
In 4.2.1, the database connection address field in the Mideye Configuration Tool is modified. This resolves previous issues when specifying external databases.
Mideye server 4.2.0
New Feature: LDAP over SSL
Support for SSL protection of connections to LDAP servers. This is implemented via an optional checkbox in the LDAP Server tab of Mideye Configuration Tool. LDAP server certificates can be automatically downloaded. Note that an automatically downloaded certificate is only trusted on first use; verify its fingerprint against the directory server (or its issuing CA) out of band before relying on it.
New Feature: Continued LDAP search in case of group membership requirements not fulfilled
In case a user account is found in an LDAP repository but does not fulfill the specified group membership requirements, the user search continues to other repositories (if more repositories are defined). In previous releases, an access reject was immediately returned if group membership requirements were not fulfilled, which caused the user search to be discontinued.
New Feature: Removal of user name suffixes and prefixes
As an option, suffixes and prefixes added to user names in the RADIUS access request can be removed before the user name is searched in the user repository. The removal (suffix or prefix, and separator) is specified on a per-RADIUS-client basis.
New Feature: Accounting filtering based on LDAP repository and department
The accounting filtering is enhanced with the option to filter data based on which LDAP server and department the user belongs to. The optional Department attribute is specified in the Mideye Configuration tool. This attribute is read from the user repository and stored in the accounting database in Mideye. Mideye accounting granularity is thereby enhanced, facilitating distribution of Mideye costs based on which LDAP server and department the user belongs to.
New Feature: Enhanced encryption of passwords in the internal database
A stronger one-way hash is added as an option for passwords stored in the internal database. A hash, unlike encryption, cannot be reversed, so the stored value cannot be turned back into the password.
New Feature: Increased size of database fields
Database fields with variable input length, such as LDAP search bases and group names, have been increased to the maximum size allowed by the respective database (MS SQL and MySQL).
Mideye server 4.1.0
New Feature: Log enhancements
The Mideye Server logging functions are enhanced. With this release, the logging facility is implemented as a separate service that is configured via the Mideye Configuration Tool. Separate logs are written for the three main services Alarm Manager, RADIUS Server and Administrative Interface. For each log, the level of detail is specified (Error, Warning, Info, Debug, Trace). It is also possible to configure log messages to be forwarded to an external system according to the Syslog standard or to be written to the Windows Event Viewer. The Mideye Server can also be configured to generate emails for certain log events. This is specified directly in an XML file. A bug in previous releases when running on W2008, where the timestamps in the log file were specified with GMT instead of the local server time, is corrected.
New Feature: LDAP enhancements
The LDAP search function is enhanced with two configurable timeout parameters to improve serial search capabilities in multiple LDAP directories in case one LDAP server is faulty. A bug correction ensures that LDAP directories are searched in the order specified in the Configuration Tool.
New Feature: Automatic retries in case of failed service start-up
If Mideye services fail to start properly, restarts are attempted at 5-minute intervals for a period of one hour. This enables system recovery after a start-up failure, e.g. following an automatic update of the server platform operating system.
New Feature: Installation and compatibility issues
An automated upgrade package from Mideye Server releases 3.0.1 – 4.0.3 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade requires a re-start of Mideye services.
If SSL protection is implemented for the administrative web interface, certificates and the Tomcat server.xml file should be saved before performing the upgrade.
Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.
Mideye server 4.0.3
New Feature: Enhanced database pool handling
Automatic recovery of faulty database connection whereby the connection is closed and removed from the pool. Also, no lower limit is set to the time a database connection is kept in the pool. Previously, the minimum time was 5 minutes, regardless of which value was specified via the Configuration Tool.
New Feature: Compatibility with SQL Server 2008
Enhancement in the installation package, enabling compatibility with SQL Server 2008.
Bugfix: Configurable switch connection timeout
A bug correction whereby the switch connection timeout specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 60 seconds, regardless of which value was specified in the Configuration Tool).
Bugfix: Installation and compatibility issues
An automated upgrade package from Mideye Server release 3.0 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade implies a re-start of Mideye services. Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.
Mideye server 4.0.2
New Feature: Enhanced installation package
The new installation package is enhanced, e.g. it includes a notification that an SQL Server already exists on the server platform, if this is the case.
New Feature: Accounting support for phone numbers longer than 12 characters
Previously, phone numbers longer than 12 characters (including the ‘+’-prefix) were not written to the server accounting tables. In 4.0.1, numbers up to 20 characters (including the ‘+’-prefix) are written to the accounting tables.
New Feature: Password reset / expired information text included in Access Challenge
In case the static AD password has expired or needs to be reset, this information is presented to the end-user in the Reply-Message included in the RADIUS Access Challenge sent by the Mideye Server to the RADIUS client.
Bugfix: Configurable fallback retry parameter
A bug correction whereby the switch connection fallback retry specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 50, regardless of which value was specified in the Configuration Tool).
Mideye server 4.0.1
New Feature: New installation package
A new installation package, where the Mideye server is installed with an MSI file.
Mideye server 4.0.0
New Feature: Support for Mideye Plus authentication
Server release 4.0 supports Mideye Plus authentication. Mideye Plus enables login when the phone is outside of network coverage. For this to work, it is required that the user’s network operator has implemented support for Mideye Plus on the SIM card.
New Feature: Selection of ISO/UTF encoding on a per-RADIUS-client basis
In R4, UTF-8 or ISO8859_1 encoding can be configured on a per-RADIUS-client basis. This enables handling of special characters (e.g. å, ä, ö, ¤, and €) in user names and passwords, which previously could cause problems because different RADIUS clients have implemented different character encoding schemes.
New Feature: Server keep-alive messages
Server keep-alive messages are sent with 10-minute intervals to the Mideye Switch. The keep-alive messages contain information about Mideye server release, system status (RAM used/available), the status of LDAP connections and the number of database connections in use. The purpose of this feature is to enhance the centralised supervision of the authentication service. The keep-alive function is enabled/disabled via the Configuration Tool.
New Feature: Blocking of LDAP accounts in the Mideye Server
For each LDAP server, a threshold can be defined in the Mideye Server. If, for a given user, the number of consecutive failed LDAP authentications exceeds this threshold, the user is locked in the Mideye Server. A time period can be specified after which the user is automatically unlocked; the user can also be unlocked via the Mideye Administrative Web Interface. The purpose of this feature is to prevent denial-of-service (DoS) attacks from the Internet that aim at locking LDAP accounts by triggering the directory's own lockout policy.
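The point of blocking in the Mideye Server rather than relying on the directory is that a locked user is rejected before any LDAP bind is attempted, so the directory's failed-logon counter stops moving. The Python below is an added example of that ordering, not Mideye code; the class name, the `ldap_bind` callback and the threshold semantics (lock when the consecutive-failure count exceeds the threshold, 0 meaning manual unlock only) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class LockoutGuard:
    """Per-LDAP-server blocking of user accounts in front of the directory.

    threshold:    consecutive failed LDAP authentications tolerated; the user
                  is locked once the count exceeds it (assumed semantics).
    unlock_after: seconds until automatic unlock; 0 means unlock only via
                  unlock(), i.e. the administrative interface.
    """
    threshold: int
    unlock_after: float = 0.0
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_at: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        locked_at = self._locked_at.get(user)
        if locked_at is None:
            return False
        if self.unlock_after and now - locked_at >= self.unlock_after:
            self.unlock(user)          # automatic unlock after the configured period
            return False
        return True

    def unlock(self, user: str) -> None:
        """Administrative unlock, as offered by the web interface."""
        self._locked_at.pop(user, None)
        self._failures.pop(user, None)

    def authenticate(self, user: str, password: str,
                     ldap_bind: Callable[[str, str], bool], now: float) -> bool:
        """Bind to LDAP only while the user is not locked in Mideye.

        A locked user is rejected without contacting the directory, so an
        attacker hammering the RADIUS port cannot drive the account into the
        directory's own lockout.
        """
        if self.is_locked(user, now):
            return False
        if ldap_bind(user, password):
            self._failures.pop(user, None)     # success resets the counter
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count > self.threshold:
            self._locked_at[user] = now
        return False


if __name__ == "__main__":
    # Constructed stand-in for an LDAP bind: counts how often the directory is hit.
    bind_calls = []

    def fake_bind(user: str, password: str) -> bool:
        bind_calls.append(user)
        return password == "correct horse"

    guard = LockoutGuard(threshold=3, unlock_after=600)
    for _ in range(5):
        guard.authenticate("alice", "wrong", fake_bind, now=0.0)
    print("locked:", guard.is_locked("alice", 1.0), "directory binds:", len(bind_calls))
```

Set the Mideye threshold below the directory's own lockout threshold, otherwise the directory locks the account first and the guard never gets the chance to shield it. Blocking at this layer still lets an attacker deny the user Mideye logins for the unlock period, but the domain account stays usable everywhere else.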
New Feature: Time-limited accounts for database users
An expiry date can be specified for user accounts in the internal database (database users). User accounts are automatically disabled when this date has been reached.
New Feature: Automated token card re-synchronisation
If a token card is more than 10 consecutive OTPs out of sync with the central system, but inside a sequence window of 100, the user can automatically re-sync the token card by generating a new OTP and entering it for validation. If this second OTP is within a sequence window of 10 OTPs from the first OTP, the user is granted access and the token card is re-synchronised. The time window for performing the re-synchronisation is 5 minutes from the time when the first OTP was entered for validation. If the RADIUS client supports Mideye reply messages (attribute 18 in RADIUS Access Reject), the user is informed that the token card is out of sync and that a new OTP is required. Automated token card re-synchronisation has been centrally implemented in the Mideye Switch. This means that the feature is automatically implemented for all Mideye Servers, regardless of release. However, the reply message informing the user that the token is out of sync and that a new OTP is required, is only implemented in Server release 4.0.
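The windows described above (normal acceptance up to 10 OTPs ahead, a first out-of-sync OTP anywhere in the next 100, a second OTP within 10 of the first, and a 5-minute limit between the two) can be put together as a verifier. The Python below is an added example, not the Mideye Switch implementation: it assumes an event-based OTP of the HMAC-SHA1 counter type (RFC 4226 HOTP) purely as a stand-in for the token card's sequence, with a constructed seed, and it treats "more than 10 out of sync" as offset greater than 10. Counters below the next expected value are never searched, so a replayed OTP is rejected.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

DIGITS = 6
NORMAL_WINDOW = 10      # offsets 0..10 from the expected counter are accepted directly
RESYNC_WINDOW = 100     # a first out-of-sync OTP may be up to 100 counters ahead
RESYNC_STEP = 10        # the second OTP must be within 10 counters after the first
RESYNC_TIMEOUT = 300.0  # seconds allowed between the first and the second OTP


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class TokenState:
    secret: bytes
    counter: int = 0                        # next counter the server expects
    pending_counter: Optional[int] = None   # counter of a first out-of-sync OTP
    pending_since: float = 0.0


def _find(secret: bytes, otp: str, start: int, count: int) -> Optional[int]:
    """Counter in [start, start+count) whose OTP equals `otp`, or None."""
    for c in range(start, start + count):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c
    return None


def verify(state: TokenState, otp: str, now: float) -> Tuple[bool, str]:
    """Validate one OTP, carrying out the two-step re-synchronisation when needed."""
    # Second step: a first out-of-sync OTP was seen less than RESYNC_TIMEOUT ago.
    if state.pending_counter is not None and now - state.pending_since <= RESYNC_TIMEOUT:
        c = _find(state.secret, otp, state.pending_counter + 1, RESYNC_STEP)
        if c is not None:
            state.counter = c + 1
            state.pending_counter = None
            return True, "Access granted, token re-synchronised"
    state.pending_counter = None            # expired or not matched: evaluate afresh

    c = _find(state.secret, otp, state.counter, RESYNC_WINDOW)
    if c is None:
        return False, "Access rejected"     # outside the 100-OTP window or bad OTP
    if c - state.counter <= NORMAL_WINDOW:
        state.counter = c + 1
        return True, "Access granted"
    state.pending_counter = c               # 11..99 ahead: ask for one more OTP
    state.pending_since = now
    return False, "Token out of sync, enter a new OTP"


if __name__ == "__main__":
    seed = b"constructed-example-seed"      # constructed, not a real token seed
    st = TokenState(seed)
    print(verify(st, hotp(seed, 0), now=0.0))     # in sync
    print(verify(st, hotp(seed, 45), now=1.0))    # 44 ahead: resync requested
    print(verify(st, hotp(seed, 46), now=2.0))    # next OTP: granted, counter moved
```

The "Token out of sync" text is what a client that supports Reply-Message (RADIUS attribute 18) would show; a client that ignores it leaves the user guessing, which is why the reply message mattered enough to be listed as a 4.0 feature.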
New Feature: Support for default RADIUS reply and error messages in different languages
Via the configuration tool, default RADIUS reply and error messages can be selected in English and Swedish.
New Feature: Enhanced number correction
Number correction is enhanced. Via the Configuration Tool, it can be selected if numbers within parentheses should be removed and if leading zeros after the default international prefix should be removed.
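The number correction options above are what the 4.2.3 number filter relies on: correction runs first, and only a result of the form ‘+’ followed by 3 to 20 digits is forwarded to the Mideye Switch. The Python below is an added example carrying both steps through on constructed inputs; it is not Mideye code. The default international prefix +46, the removal of spaces and dashes, and the rewriting of a leading 00 to ‘+’ are assumptions made so that the 07xxx and 00xxx cases mentioned in the 4.2.3 notes can be shown end to end.

```python
import re
from typing import Tuple

# 4.2.3 filter: a '+' followed by 3 to 20 digits and nothing else.
VALID_MOBILE = re.compile(r"\+[0-9]{3,20}")


def is_acceptable(number: str) -> bool:
    """True if the number passes the Mideye Server filter and would be forwarded."""
    return VALID_MOBILE.fullmatch(number) is not None


def correct_number(raw: str, default_prefix: str = "+46",
                   drop_parentheses: bool = True, drop_leading_zeros: bool = True) -> str:
    """Number correction with the two configurable options from the release notes.

    default_prefix is the default international prefix (assumed +46 here).
    Removal of separators and the handling of a leading 0 / 00 are assumptions
    made for the example, not documented Mideye behaviour.
    """
    n = raw.strip()
    if drop_parentheses:
        n = re.sub(r"\([^()]*\)", "", n)       # e.g. "(0)" in "+46 (0) 70 ..."
    n = re.sub(r"[\s.\-]", "", n)              # assumed: spaces, dots, dashes are noise
    if n.startswith("00"):                     # assumed: 00 is the international prefix
        n = "+" + n[2:]
    elif n.startswith("0"):                    # assumed: national format -> default prefix
        n = default_prefix + n[1:]
    if drop_leading_zeros and n.startswith(default_prefix):
        n = default_prefix + n[len(default_prefix):].lstrip("0")
    return n


def prepare_for_switch(raw: str, default_prefix: str = "+46") -> Tuple[str, bool]:
    """Correct, then filter: only (number, True) results would reach the Mideye Switch."""
    corrected = correct_number(raw, default_prefix)
    return corrected, is_acceptable(corrected)


if __name__ == "__main__":
    for sample in ["+46 (0) 70-123 45 67", "070 123 45 67", "0046701234567", "+46070 1234567"]:
        print(repr(sample), "->", prepare_for_switch(sample))
```

Without correction the second and third inputs are blocked by the filter; with it all four normalise to the same number, which is the behaviour the 4.2.3 notes recommend for customers whose directories hold numbers in national format.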