Release notes

Table of Contents

Mideye Server 5.4.4

Released 2020-10-15

Bugfix: Web GUI causing database overload

Fix of bug introduced in 5.3 whereby detailed authentication log queries from the Web GUI dashboard could cause overload in the database.

Enhancement: RADIUS client overview list

In the RADIUS clients configurations menu, the start page is modified by replacing the assigned Accounting Server column with assigned LDAP Profiles.

Mideye Server 5.4.3

Released 2020-10-02

Bugfix: Shared Secret Editing

Fixed a bug where if the Mideye Server contained more than 127 Shared Secrets, prevented the editing of Shared Secret 128 and above.

CentOS 6 & 7 yum repository change

When using yum to install and update the Mideye Server 5.x in CentOS 6 and CentOS 7, the repository folder structure has changed. See the “Linux RPM installation guide” on how to update the “mideye.repo” file to mirror this.

Mideye Server 5.4.2

Released 2020-09-29

New feature: Require Mideye+

RADIUS clients can be configured to require that the Mideye+ app is activated for mobile phone users.

New feature: Require local authentication on phone

RADIUS clients can be configured to require that Mideye+ users must authenticate locally on the phone (biometric or PIN) before being able to accept a login.

Enhancements: Configuration and management menus

In the Vendor Specific Vendors configuration menu, vendors are listed in alphabetical order, and attributes are listed alphabetically in submenus for each vendor.

In the RADIUS clients configurations menu, the start page is simplified by removing some columns. In the Test client sub pages, the placeholder text in the challenge prompt is modified.

In the dashboard, certificate expiry is added as a separate information box. The Switch health check text is changed from ‘UP’ to ‘Connected’.

In the Certificate Managment menu, a more informative error message is presented when the certificate subject is empty.

Enhancement: Authentication log

For failed Assisted Login attempts, the error message now distinguishes between approver not found and approver not authorized.

Enhancement: Automatic database re-connect

If the database connection fails at server startup, the Mideye Server makes automatic retries for a specified time period until connection has succeeded.

Bugfix: RADIUS server concurrency issue

Fix of concurrency issue when RADIUS Server fails to re-start after configuration changes.

Bugfix: Accounting timestamps

Timstamps in accounting logs now presented in local time with correct timezone indicator.

Bugfix: Not possible to assign RADIUS client to database user

Fix of bug affecting database users in MS-SQL: it is now possible to add RADIUS clients.

Bugfix: Vendor Specific Attributes

Data types are now shown correctly, and and it is now possible to edit Vendor Specific Attributes.

Bugfixes: SSL certificate management

If CN is missing in an LDAPS certificate, the hostnamne is now used as certificate alias. 

Bug in SSL certificate expiry monitoring is fixed.

Bugfixes: Authentication log info message

Fix of incorrect information message when Touch falls back to OTP due to data push delivery failure.

Fix of misleading information message when Approver account has missing/invalid phone number.

Bugfix: Authentication logs

Fix of Authentication logs search filter.

Bugfix: LDAP profile default values

Fix of incorrect default attribute names when LDAP server other than Active Directory is selected.

Security: HTTP Trace and Track Methods and HTTP Header

HTTP Trace and Track Methods are disabled in the administrative web interface, and X-Frame-Options response header is added.

Mideye Server 5.3.5

Released 2020-09-14

Bugfix: Server GUI unexpected error

Fix of GUI unexpected error that occurred if dashboard health indicators were clicked while loading.

Mideye Server 5.3.4

Released 2020-08-18

Bugfixes: Windows installation package

“;” (semicolon) no longer needs to be inserted manually when using database-instances

Old  keystore is automatically removed when reinstalling the same version of the Mideye Server

Bugfix: Null pointer exception

Radius requests with null value NAS-ID and NAS-IP attributes will not cause a null pointer exception.

Mideye Server 5.3.3

Released 2020-07-14

New Feature: RADIUS session management

RADIUS sessions (session start, update and stop) for RADIUS clients that support Accounting are presented as a separate menu in the server web GUI. For RADIUS clients that support Disconnect Message, sessions can be terminated from the GUI.

Enhancements: Assisted Login

Assisted Login is enhanced with the following features:

Management of assisted login sessions from the Mideye+ app

The Approver can see and disconnect approved sessions from the Mideye+ app.

Additional challenges

The User can be prompted to enter more information via additional challenges in the login dialog. This information is presented to the Approver in the Mideye+ app, and is logged for audit purposes.

Multiple Assisted Login profiles per RADIUS client

Multiple Assisted Login profiles can be assigned to a RADIUS client.

Enhanced authorization logic

The authorization logic for Assisted Login is enhanced both for Users and Approvers.  Approvers can be selected based on a None/Any/All combination of assigned manager, group membership and specified users. The possibility for Approvers to approve sessions for themselves can be enabled/disabled in a separate checkbox. Users can be selected based on a None/Any/All combination of assigned authentication type, group membership and specified users.

Session and idle timeout specified in Assisted Login profile

The RADIUS session timeout and idle timeout can be specified in the Assisted Login profile, and are returned as attributes in the Access Accept.

Size limitation of user id and group name fields removed

The previous size limitation of user id and group name fields in Assisted Login configuration is removed.

Test of Assisted Login profiles in RADIUS client

When Assisted Login profiles have been added to a RADIUS client, the logic (match between Approver and User) can be verified in a test menu accessible from the Assisted Login tab in the RADIUS client configuration.

Enhancement: More detailed authentication logs

Entries in the authentication logs can be extended to view more detailed log information. Old log entries are automatically deleted after a specified retention period. The default retention period for basic authentication and session logs is 365 days. For detailed authentication information, the default retention period is 30 days.

Enhancement: Time-zone information in log files

Information about time zone is added to the time stamp in log files.

Bugfix: Default OTP Presentation type 1

Default OTP Presentation type 1 (inbox SMS) now works also when the checkbox ‘Read Optional Attributes’ is selected.

Bugfix: Either NAS IP or NAS ID must be specified

New check in the RADIUS client configuration in web GUI that prevents NAS IP and NAS Identifier to be empty at the same time, which would cause RADIUS client identification to fail.

Bugfix: Faulty RADIUS attribute links in LDAP-RADIUS translation

Incorrect links associated to RADIUS attributes in LDAP-RADIUS translation are removed.

Bugfix: Not necessary to specify an LDAP profile

It is no longer required to specify an LDAP profile when editing a RADIUS client via the web GUI.

Bugfix: NPE when saving SSL certificate missing CN attribute

Fix of null-pointer exception when an LDAP SSL certificate missing a CN attribute is saved.

Mideye Server 5.2.3

Released 2020-02-28

Bugfix: Debian package

Added missing files from debian package.

Mideye Server 5.2.2

Released 2020-01-21

Bugfix: R4 Migration Wizard

To prevent memory overflow, the import of R4 login statistics and accounting data is limited to the last 100 000 rows from the last year.

Mideye Server 5.2.1

Released 2020-01-14

New Feature: Password change in PAP

Support for password change in PAP, using additional challenges to prompt for a new password.  This means that password change is now supported for database users.  For LDAP users, this means an NPS is no longer required for password change.

Enhancement: Disable Auth Type 1 (Password)

Authentication Type 1 (Password) can be disabled per RADIUS client.

Enhancement: Certificate validation and export

Certificate management via the Web GUI is enhanced to include certificate path validation and an export function.

Enhancement: Enable blocking of self-personalized Yubikeys

Self-personalized Yubikeys can be blocked per RADIUS client by only allowing Yubicloud OTPs with the prefix cc.

Enhancement: Spam filter reset

The number of users affected by a spam filter lockout is shown in the RADIUS Server configuration menu.

Enhancement: Database configuration

The database configuration is now validated in the Windows Installation package. Database passwords containing double-quote characters (“) are now supported, as well as database instances.

Enhancement: Touch failed user message

A new  user messages added for the case when Touch login fails.

Enhancement: Assisted login LDAP search

The LDAP user and approver search is improved, avoiding duplicate search of the user. The approver search now continues to next LDAP repository if the authorization check fails.

Enhancement: Dashboard

The Database and Switch connection status information in the GUI dashboard is improved.

Bug fix: Reply message when phone not reachable

For Authentication Type 2 (Mobile), when the phone is not reachable and Mideye+ is not activated (SMS-OTP), the correct reply message is now returned.

Bug fix: Locked LDAP users

LDAP users are now locked the specified time period. The extra minute added in previous releases is removed.

Bug fix: Assisted Login reject reply message

A reply message is added for the case when an Assisted Login is rejected because the Touch accept failed.

Bug fix: Spam filter

Logins rejected by the spamfilter are now shown in the logs. The login failure message when a login is rejected by the spam filter is changed from ‘Invalid/user password’ to ‘Too many attempts, try again later’, with a reference how to manually re-set the filter.

Bug fix: Assisted login approver group membership

The approver group membership can now be specified using Java Regular Expressions.

Bug fix: Default LDAP connect and read timeouts

The default LDAP connect timeout is changed to 2 seconds, and the read timeout is changed to 10 seconds.

Bug fix: Handling of invalid RADIUS requests

When invalid RADIUS requests are discarded, they are now removed from the pending authentications list, thereby preventing the pending request counter from hitting the overload limit.

Bug fix: Assisted login approver search

The search failed if the approver was not found in all LDAP profiles configured for the RADIUS client.  This is now fixed, it is sufficient if the approver is found in one profile.

Mideye Server 5.1.3

Released 2019-10-25

Bug fix: LDAP user locking release

Fix of bug ‘LDAP locking not released when using MS-CHAPv2’.

Bug fix: Access reject with MS-CHAPv2

Fix of incorrect response authenticator in MS-CHAPv2 Access reject messages. This bug caused multiple Touch prompts when access rejected in the app.

Mideye Server 5.1.2

Released 2019-10-18

New Feature: Assisted login

A new authentication method, Assisted Login (Auth type 9), for LDAP accounts. Predefined users are authorized to approve access for external users to selected RADIUS clients. Access is approved in the Mideye+ app.This authentication method is intended for users that require temporary access to protected resources.

New Feature: Certificate management via web GUI

Simplified administration of certificates for LDAPS and web GUI.

New Feature: Managing RADIUS attributes via web GUI

New Vendor-specific Attributes (VSAs) can be added via the web GUI. Also, the default VSA list has been extended to include more vendors.

New Feature: Spam filter reset

The OTP spam filter can be reset via the web GUI.  This is to prevent users from being locked out if the Max Pending Requests queue is filled up, e.g. after a network incident.

Enhancement: RADIUS reply attributes displayed in test client

When using the test button for RADIUS clients in the web GUI, reply attributes are presented.

Enhancement: Server Accounting

Accounting filtering options are enhanced. It is also possible to export the result as a CSV-file from the web GUI.

Enhancement: Second challenge when token out of sync

If a token is out of sync, a second challenge is presented to the user requesting a new OTP to re-synchronize the token.

Enhancement: Search database users by token number

Database users can be searched using the token serial number.

Enhancement: Search base automatically created for LDAP profile

When creating an LDAP profile, the LDAP root search base is automatically populated when clicking the “Save” button.

Bug fix: Mobile number missing in logs when Touch cannot be used

If authentication type Touch fails, the user’s phone number is now included in the log entry.

Bug fix: Removed re-load redirect to web GUI dashboard

If reloading a page in the web GUI, the user now remains on the reloaded page.

Bug fix: root user default profile

The Web Admin RADIUS client is now assigned to the root user by default.

Bug fix: Redirect after root password change

Root user is now redirected to the web GUI dashboard when the password has been changed.

Bug fix: Reply Message in Web GUI

RADIUS reply messages are now displayed in the Web GUI login.

Bug fix: Log timestamps in milliseconds instead of seconds

Bug fix: Top 5 Failing Users case sensitive

The Top 5 Failing usernames presented in the web GUI dashboard are now case-insensitive.

Bug fix: MSISDN/token number validation in Mideye Server

Mobile number and token serial number formats are now verified in the Mideye Server before being forwarded to the Mideye Switch.

Bug fix: Web GUI login hanging after timeout

Page re-load no longer required to login again after session timeout.

Mideye Server 5.0

Mideye 5.0 requires a new server installation.  A migration tool facilitates migration from releases 4.6.5 and later.

Server config via web admin

A new administrative web interface that also replaces the R3/R4 Configuration Tool.  A new super administrator role is introduced, with the same rights as the root user.

Support for server config via REST API

As an alternative to server configuration via the administrative web interface, a REST API is provided for automated server configuration.

Configuration changes without restarts

Configuration changes no longer require service restarts to take effect.

Improved RADIUS client identification based on NAS ID attribute

Improved selection of RADIUS clients based on RADIUS attribute 32 (NAS Identifier) which simplifies implementations with multi-login profiles originating from the same IP address.

Separate table for source IP – shared secret configuration

Specification of the shared secret is moved from RADIUS clients to a separate table, where source IPs and shared secrets are matched. A default shared secret can be specified that is matched to any IP that is not specified in the table.

NPS configuration separated from LDAP server configuration

Microsoft Network Policy Server (NPS) settings are moved from LDAP profile configuration to a separate NPS profile.  This simplifies the re-use of the same NPS profile in multiple LDAP profiles.

Docker container support

Mideye server is now available as a Docker image as an alternative to Windows and Linux installation packages.

Debian support

Mideye server is now available as a Debian-based package in addition to the RPM-based package.

Enhanced server monitoring

Automatic health checks of Mideye Switch and database connections.  Monitoring of LDAPS certificate expiry. Dashboard with login statistics and success rates.

Enhanced server accounting

Possible to select full calendar months in the web GUI for matching server accounting with monthly invoices.

Support for database login using NTLMv2

Mideye Server 4.7.2

Bugfix: Offline challenge (Mideye+) when phone not reachable, authentication type = 2, MSCHAPv2

In previous releases 4.6.X and 4.7.X, the manual offline challenge was not displayed for authentication type 2 (mobile) when MSCHAPv2 was used.

Bugfix: Framed IP Address not returned for all IP addresses

In previous releases 4.6.X and 4.7.X, the Framed IP Address (RADIUS attribute 8) was not returned for IP addresses that were represented by a positive integer in Active Directory.

Mideye Server 4.7.1

New Feature: Support for EAP-authentication

Mideye will now forward any incoming RADIUS-packages using EAP-authentication to Microsoft NPS.

Bugfix: Proxy-State

Mideye is now handling Proxy-State (attribute 33) correctly according to RFC 2865.

Bugfix: User filtering for MS-CHAP-V2 and EAP

User-filtering for RADIUS-clients is now working for MS-CHAP-V2 and EAP. Before release 4.7.1, user-filtering only worked for PAP.

Mideye Server 4.6.5.1

Bugfix: Enabling Event-viewer logging for Windows Server caused Mideye-Radius service to crash

When enabling Event-viewer logging, and restarted the Mideye-services, Mideye-RADIUS did not start.

Mideye Server 4.6.5

New Feature: Token-coupled Mideye+

With this feature, an OTP from a token card (MiniToken or YubiKey) is required when activating the Mideye+ app.  As an enhanced security setting, RADIUS clients can be configured to only accept login with token-coupled Mideye+ apps or token cards.

New Feature: Bundled JRE

JRE bundled with the Mideye installation package. Java Runtime Environment is included in the installation package and does not need to be installed separately.

New Feature:  Automatic read of Framed IP Address (RADIUS attribute 8) from Active Directory.

As an option, Mideye reads the static IP Address (IP v4 only) assigned in Active Directory and returns it in the RADIUS Access Accept, attribute 8 (Framed IP Address).

Bugfix: Incorrect logging of failed OTP deliveries

When authentication type 6,7 or 8 (Touch) is selected, failed OTP deliveries for users without Mideye+ are now logged with the correct error message (‘Phone not reachable’).

Bugfix: Multiple groups when using regex

Mideye Config Tool -> LDAP Servers -> Groups:  Multiple LDAP groups can be specified using Java regular expressions.  (Previously, only a single group could be specified when regular expressions were used).

Bugfix: LDAP profile created with an invalid password

Mideye Config Tool -> LDAP Servers.  Fix of a bug that caused unexpected behavior/error messages in case an LDAP profile was created with an invalid LDAP account password.

Bugfix: Hanging web admin when MySQL connection lost

Fix of problem with hanging web admin when MySQL database connection was lost.

Mideye Server 4.5.2

New Feature: Support for Touch login with Microsoft Remote Desktop Services

By using authentication type 6 (Touch) it is possible to log in with Microsoft Remote Desktop Services (MS RDS) without using challenge-response. This means two-factor authentication with mobile phones can be achieved with the built-in RADIUS support in MS RDS.

New Feature: Support for simplified Mideye+ activation

A new way to activate Mideye+ is introduced. A user no longer needs to enter the mobile phone number manually in the app. The user can activate Mideye+ by entering a ‘+’ sign after the OTP in the challenge dialogue.

New Feature: Support for authentication with YubiKey tokens

YubiKey tokens compatible with Mideye can be ordered from Mideye support. It is possible to specify a Yubikey identifier in the format ‘ubbc0[7 digits]’ as a valid token number.

Bugfix: Root password to the administrative web interface is lost during an upgrade

In previous versions of the Mideye Server package for Windows, the root password to the administrative web interface was lost during upgrade.

Mideye Server 4.4.4

New Feature: LDAP-RADIUS translation with MS-CHAP

RADIUS attributes obtained from LDAP-RADIUS translation can now be returned in MS-CHAP Access Accept messages for authentication types PASSWORD (type 1) and TOUCH (types 6, 7 and 8). Previously, this was only possible with authentication types Mobile (type 2) and Token (type 3) when using MS-CHAP. (For PAP, attributes can be included for all authentication types).

New Feature: Enhanced multiple-click suppression

The (optional) multiple-click suppression feature is enhanced to discard events where the user ignores or cancels OTP prompts.

Bugfix: Authentication Attempts logs

Two bugfixes relating to the Authentication Attempt logs in the administrative web interface:

  • RADIUS client ID is now included also in case of challenge-response timeout when using MS-CHAP (previously this information was missing).
  • Rejects due to OTP spam filter are now explained in the info column also when using MS-CHAP (previously this information was missing).

Bugfix: Upgrade scripts for Linux

Previously, the root user password for the administrative web interface was reset during the upgrade procedure. This is now fixed for Linux, but the problem remains in Windows (this will be addressed in the next release).

Mideye Server 4.4.3

Bugfix: multiple-click suppression disabled

Multiple-click logins disabled per default, since it’s only applicable for certain RADIUS clients and it caused some unexpected behavior.

Mideye Server 4.4.2

New Feature: Suppressing multiple-click logins

This feature suppresses multiple-click logins in RADIUS clients. It is enabled by default and can be configured via Mideye Configuration Tool, tab Radius Servers. Having this feature enabled prevents users from receiving numerous consecutive OTPs if they mistakenly keep pressing the login button in the client.

New Feature: Improved overload handling

This feature improves overload handling by rejecting additional requests if the number of pending requests exceeds a threshold– maximum number of pending requests that can be configured via Mideye Configuration Tool, tab Radius Servers. This makes the Mideye Server more responsive in overload situations.

New Feature: Preventing OTP spamming

This feature limits the number of OTP deliveries to a specific phone number within predefined time windows. The allowed number of OTP deliveries can be configured via Mideye Configuration Tool, tab Radius Servers.

Bugfix: MS-CHAPv2 reject

A previous bug in MS-CHAPv2 reject is fixed. The bug caused some RADIUS clients to send a duplicate request after the first request had been rejected.

Mideye Server 4.4.1

New Feature: Support for Mideye+ Touch Accept

Mideye+ Touch Accept enables Mideye+ users to accept or reject the login directly using the Mideye+ client (on iOS and Android), see Figure 2.1. It improves user experience by removing the need to manually enter the OTP. The following are the requirements for Touch Accept to work:

  • Mideye Server 4.4.x
  • Mideye+ client version 3.x.x
  • Mideye+ is enabled in the customer’s profile in Mideye central system

Mideye Server 4.4.1 introduces three new authentication types, they differ in fallbacks in case the initial Touch Accept attempt fails (e.g. if the user lacks Internet connectivity).

  • Authentication type 6 (Touch): No fallback if Touch Accept fails.
  • Authentication type 7 (Touch-Plus): If Touch Accept fails, the fallback is Mideye+ manual signature.
  • Authentication type 8 (Touch-Mobile): If Touch Accept fails, Mideye attempts to reach the Mideye+ app via SMS. If this also fails, the fallback is Mideye+ manual signature.
Mideye+ Touch Accept on Android client

Mideye+ Touch Accept on Android client

New Feature: Enhanced authentication attempts log in Web Administration Interface

This feature enhances the authentication attempts log with information about failed authentications. The authentication attempts log now also contains phone/token number and authentication type as well as the reason for failure.

Mideye Server 4.3.3

Bugfix: Mideye Server hanging problem while using Mideye Configuration Tool

This bug caused Mideye Server to hang when using Mideye Configuration Tool to modify a RADIUS Client.

Bugfix: Fixed the challenge message when the password is expired

This bug caused database users to receive Password needs to be reset if an LDAP user had to change the password prior to their login.

Mideye Server 4.3.2

Bugfix: Security issue

Prevent the exposure of the content of WEB-INF folder.

Removed unused certificates to improve the security of Mideye Server – Mideye Switch communication.

Bugfix: Log messages

Reduce the log level to warning when the Network Policy Server (NPS) is not configured.
Reduce the log level to debug when parsing an unknown Vendor Specific Attribute.

Mideye Server 4.3.1

New Feature: Password Change

Users in Active Directory can change their expired passwords during the logon process. This feature requires the use of the MS-CHAP v2 protocol and Network Policy Server (NPS).

New Feature: MS-CHAP v2

Mideye Server supports the MS-CHAP v2 protocol. Mideye Server will automatically determine the authentication protocol used: PAP or MS-CHAP v2. To function properly, MS-CHAP v2 needs a configured NPS.

New Feature: New Web Administration Interface

Mideye Server 4.3.0 includes a new Web Administration Interface.

New Feature: LDAP login to Web Administration Interface

The new Web Administration Interface allows login using an LDAP server.

New Feature: Password Comparison Authentication

It is possible to use an alternative field for storing hashed passwords instead of the default Active Directory password field. See Appendix A: Password Comparison in the reference guide for more details.

New Feature: Fortinet RADIUS attributes

Added Fortinet vendor specific attributes (Vendor ID: 12356) to the list of RADIUS attributes sent together with the final RADIUS Access Accept.

New Feature: Automatic Retrieval of LDAP Base Distinguished Name

When adding a new LDAP server, Mideye Server retrieves the base Distinguished Name automatically.

New Feature: Removal of Embedded Java Virtual Machine

Mideye Server 4.3.0 no longer includes Java Virtual Machine (JVM) and it must be installed separately before the installation. This allows more frequent updates of JVM independently from the Mideye Server.

New Feature: Removal of Alarm Manager

Alarm Manager service, installed along with Mideye Server in previous versions, has been removed.

New Feature: Removal of Radius Accounting

The RADIUS accounting server (used to run on port 1813) has been removed.

Mideye server 4.2.6

Bugfix: Windows services start-up

Fixed a bug causing the Mideye windows services not to start automatically after executing windows updates or rebooting the server.

Mideye server 4.2.5

New Feature: R4.2.4 feature support in Windows

All enhancements and bug corrections in 4.2.4 are included in 4.2.5 and made available for Windows.

New Feature: Support for client certificate authentication for the administrative web interface

Client certificates can be generated from the default server certificate that is generated during server installation, and the administrative web interface can be configured to require a client certificate to grant access.

Bugfix: Increased maximum length of LDAP group names

In previous releases, the maximum length of LDAP group names was limited to 30
characters in order for the accounting to work properly. The limit has been increased to 200 characters.

Mideye server 4.2.4 (Linux only)

New Feature: Support for secondary mobile number in LDAP

If no mobile number is found in the assigned (primary) mobile attribute, Mideye can be configured to continue the search in a secondary attribute (e.g. ‘otherMobile’).

New Feature: Default support for SSL in the administrative web interface

The administrative interface is per default protected with SSL, and a self-signed certificate is generated during the installation.

New Feature: Enhanced and modified presentation of logs via the administrative web interface

Several log files in the directories /opt/mideyeserver/log/ and /opt/tomcat/logs/ can be
viewed via the administrative web interface. It is possible to add/exclude files, and also to add other folders. The logs are presented in a separate window and are not protected with the web interface login. It is recommended to restrict web interface access to specific IP addresses, thereby allowing/restricting log access to e.g. helpdesk personnel.

New Feature: SNMP traps

Support for SNMP traps is introduced. The Mideye PEN is 40761.

New Feature: Support for wild-card group check in Active Directory

AD group membership can be specified as a Java regular expression (e.g.
‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,
DC=mideye,DC=com’. This feature is only valid for Active Directory.

New Feature: Java and Tomcat update

Java is updated to Java SE Runtime Environment (build 1.7.0_11-b21), and as web
server TomEE 1.5.1 with Apache Tomcat Version 7.0.34 is used.

Bugfix: Handling hanging LDAPS connections

The LDAP connection timeout parameter is modified to include the LDAP connection pool avoiding the risk of overload in case of hanging LDAPS connections.

Bugfix: Authentication type CONCAT for database users

Authentication type CONCAT now works also for database users. (Bug introduced in 4.1).

Bugfix: Event Viewer disabled on Linux installations

It is no longer possible to enable the Event Viewer on Linux installations.

Bugfix: Special characters in RADIUS shared secret

Special characters (e.g. å, ä, ö) are now allowed in the RADIUS shared secret.

Bugfix: Help button active on Linux installations

The Help button in the Configuration Tool is now active also on Linux installations.

Bugfix: Automatic database upgrade on Linux

Database scripts are now executed automatically when doing upgrades on Linux systems.

Mideye server 4.2.3

New Feature: Configuration Tool enhancements

Config Tool can now automatically identify and upgrade an existing Mideye database (from R3.0 and later). Config Tool automatically prompts for Admin rights when started.

New Feature: RADIUS Server enhancements

Pre-configured Norwegian and Finnish RADIUS reply messages. RADIUS server names can be up to 200 characters long (previously limited to 20 characters).

New Feature: RADIUS Client enhancements

RADIUS clients can be renamed. RADIUS client names can be up to 200 characters long (previously limited to 16 characters). The RADIUS shared secret must be specified (the field cannot be left empty).

New Feature: LDAP Server enhancements

LDAP search base can contain ‘/’ signs. LDAP connection test does not return false
positive if the password field is empty.

New Feature: Number correction enhancements

Numbers containing only one parenthesis are auto-corrected if number correction is
activated.

New Feature: Accounting enhancements

Group names up to 200 characters supported (previously limited to 30 characters).

New Feature: Number filtering in Mideye Server

Mobile numbers (and token serial numbers) that do not follow the required formats are blocked in the Mideye Server before an OTP delivery/verification request is forwarded to the Mideye Switch. For mobile numbers, this means that they must start with a + – sign and contain 3 to 20 digits. Note that this means that mobile numbers in the format 07xxxxx and 00xxxxxxx that previously have occasionally been working are now blocked. Customers with these number formats are recommended to apply automatic number correction in the Mideye Server.

New Feature: LDAP-RADIUS translation enhancements

LDAP-RADIUS translation is no longer case-sensitive. LDAP-RADIUS wildcard translation is supported, whereby a translation rule can be specified as a Java regular expression (e.g. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups, DC=mideye,DC=com’).

Bugfix: LDAP-RADIUS translation

It is no longer needed to activate the ‘Read optional attribute flag’ in order to use LDAP-RADIUS translation (4.2.2 bug resolved in 4.2.3).

Bugfix: Authentication with suffixes fails when user search continues to next LDAP server

Authentication with user-name suffixes (e.g. @TOKEN, @MOBILE) now works also when the user search continues to the next LDAP server in the search base (4.2.2 bug resolved in 4.2.3).

Bugfix: Help buttons not active

Help buttons in the Configuration Tool are now active again (4.2.2 bug resolved in 4.2.3).

Bugfix: Auth Type = CONCAT gives an unhandled error when group check fails

Failed group check when using authentication type CONCAT is now properly handled.
(4.2.2 bug resolved in 4.2.3).

Bugfix: Web Admin access from a remote computer

The Administrative Web Interface is automatically configured to allow access from a
remote computer (4.2.2 bug resolved in 4.2.3).

Bugfix: Nested group selected without specified groups gives an error

‘Search nested groups’ can now be selected in Config Tool also when no group selection has been specified (4.2.2 bug resolved in 4.2.3).

Mideye server 4.2.2

New Feature: Linux package enhancements

Native look-and-feel in Mideye Config Tool on Linux. Possibility to execute Mideye Config Tool from any directory. Simplified setup of X11 over SSH (making it possible to execute Mideye Config Tool from another workstation).

Bugfix: Not possible to delete a RADIUS client that has an LDAP server assigned

This bug is resolved.

Bugfix: List of pending authentications is cleared after OTP expiry

The internal Mideye Server list of pending authentications is cleared after OTP expiry,
instead of every 5 minutes. This means RADIUS clients that fail to increment the RADIUS packet identifier will not cause user lockout longer than the OTP validity time (default 60 seconds). This resolves a usability issue with e.g. Citrix Access Gateway Standard Edition.

Bugfix: Config Tool enhancements

Config Tool no longer prompts to save unsaved changes when setting up a database for the first time. Miscellaneous enhancements concerning Return key, database name and LDAP Server test connection.

Mideye server 4.2.1

Bugfix: User search via config tool fails if Authentication Type = 1

4.2.0 bug resolved in 4.2.1.

Bugfix: Web Admin ROOT password cannot be changed when using two-way encryption

4.2.0 bug resolved in 4.2.1.

Bugfix: Limited length of user password

In previous releases, the static password maximum length was 48 characters for LDAP users and 16 characters for database users. Both these limitations have been removed.

Bugfix: Unlimited number of log lines presented via Web Interface

4.1.0 bug resolved in 4.2.1. The number of log lines presented via the Administrative Web Interface is now limited to the number specified in the filter settings.

Bugfix: New address field for database connection in Config Tool

In 4.2.1, the database connection address field in the Mideye Configuration Tool is
modified. This resolves previous issues when specifying external databases.

Mideye server 4.2.0

New Feature: LDAP over SSL

Support for SSL protection of connections to LDAP servers. This is implemented via an optional checkbox in the LDAP Server tab of Mideye Configuration Tool. LDAP server certificates can be automatically downloaded.

New Feature: Continued LDAP search in case of group membership requirements not fulfilled

In case a user account is found in an LDAP repository but does not fulfill the specified
group membership requirements, the user search continues to other repositories (if more repositories are defined). In previous releases, an access reject was immediately returned if group membership requirements were not fulfilled, which caused the user search to be discontinued.

New Feature: Removal of user name suffixes and prefixes

As an option, suffixes and prefixes added to user names in the RADIUS access request can be removed before the user name is searched in the user repository. The removal (suffix or prefix, and separator) is specified on a per-RADIUS-client basis.

New Feature: Accounting filtering based on LDAP repository and department

The accounting filtering is enhanced with the option to filter data based on which LDAP server and department the user belongs to. The optional Department attribute is specified in the Mideye Configuration tool. This attribute is read from the user repository and stored in the accounting database in Mideye. Mideye accounting granularity is thereby enhanced, facilitating distribution of Mideye costs based on which LDAP server and department the user belongs to.

New Feature: Enhanced encryption of passwords in the internal database

An enhanced one-way hash encryption is added as an option for passwords stored in the internal database. This encryption alternative cannot be reversed.

New Feature: Increased size of database fields

Database fields with variable input length, such as LDAP search bases and group names, have been increased to the maximum size allowed by the respective database (MS SQL and MySQL).

Mideye server 4.1.0

New Feature: Log enhancements

The Mideye Server logging functions are enhanced. With this release, the logging facility is implemented as a separate service that is configured via the Mideye Configuration Tool. Separate logs are written for the three main services Alarm Manager, RADIUS Server and Administrative Interface. For each log, the level of detail is specified (Error, Warning, Info, Debug, Trace). It is also possible to configure log messages to be forwarded to an external system according to the Syslog standard or to be written to the Windows Event Viewer. The Mideye Server can also be configured to generate emails for certain log events. This is specified directly in an XML file. A bug in previous releases when running on W2008, where the timestamps in the log file were specified with GMT instead of the local server time, is corrected.

New Feature: LDAP enhancements

The LDAP search function is enhanced with two configurable timeout parameters to
improve serial search capabilities in multiple LDAP directories in case one LDAP server is faulty. A bug correction ensures that LDAP directories are searched in the order specified in the Configuration Tool.

New Feature: Automatic retries in case of failed service start-up

In case of Mideye services fail to start properly, subsequent re-starts are attempted with 5-minute intervals during a time period of one hour. This is to enable system recovery in case of start-up failure, e.g. after an automatic update of the server platform operating system.

New Feature: Installation and compatibility issues

An automated upgrade package from Mideye Server releases 3.0.1 – 4.0.3 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade requires a re-start of Mideye services.
If SSL protection is implemented for the administrative web interface, certificates and the Tomcat server.xml file should be saved before performing the upgrade.
Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

Mideye server 4.0.3

New Feature: Enhanced database pool handling

Automatic recovery of faulty database connection whereby the connection is closed and removed from the pool. Also, no lower limit is set to the time a database connection is kept in the pool. Previously, the minimum time was 5 minutes, regardless of which value was specified via the Configuration Tool.

New Feature: Compatibility with SQL Server 2008

Enhancement in the installation package, enabling compatibility with SQL Server 2008.

Bugfix: Configurable switch connection timeout

A bug correction whereby the switch connection timeout specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 60 seconds, regardless of which value was specified in the Configuration Tool).

Bugfix: Installation and compatibility issues

An automated upgrade package from Mideye Server release 3.0 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade implies a re-start of Mideye services. Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

Mideye server 4.0.2

New Feature: Enhanced installation package

The new installation package is enhanced, e.g. it includes a notification that an SQL Server already exists on the server platform, if this is the case.

New Feature: Accounting support for phone numbers longer than 12 characters

Previously, phone numbers longer than 12 characters (including the ‘+’-prefix) were not written to the server accounting tables. In 4.0.1, numbers up to 20 characters (including the ‘+’-prefix) are written to the accounting tables.

New Feature: Password reset / expired information text included in Access Challenge

In case the static AD password has expired or needs to be reset, this information is
presented to the end-user in the Reply-Message included in the RADIUS Access Challenge sent by the Mideye Server to the RADIUS client.

Bugfix: Configurable fallback retry parameter

A bug correction whereby the switch connection fallback retry specified via the
Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 50, regardless of which value was specified in the Configuration Tool).

Mideye server 4.0.1

New Feature: New installation package

A new installation package, where the Mideye server is installed with an MSI file.

Mideye server 4.0.0

New Feature: Support for Mideye Plus authentication

Server release 4.0 supports Mideye Plus authentication. Mideye Plus enables login when the phone is outside of network coverage. For this to work, it is required that the user’s network operator has implemented support for Mideye Plus on the SIM card.

New Feature: Selection of ISO/UTF encoding on a per-RADIUS-client basis

In R4, UTF-8 or ISO8859_1 encoding can be configured on a per-RADIUS-client basis. This enables handling of special characters (e.g. å, ä, ö, ¤, and €) in user names and passwords, which previously could cause problems because different RADIUS clients have implemented different character encoding schemes.

New Feature: Server keep-alive messages

Server keep-alive messages are sent with 10-minute intervals to the Mideye Switch. The keep-alive messages contain information about Mideye server release, system status (RAM used/available), the status of LDAP connections and the number of database connections in use. The purpose of this feature is to enhance the centralised supervision of the authentication service. The keep-alive function is enabled/disabled via the Configuration Tool.

New Feature: Blocking of LDAP accounts in the Mideye Server

For each LDAP server, a threshold can be defined in the Mideye Server. If for a given
user, the number of consecutive failed LDAP authentications exceeds this threshold, the user is locked in the Mideye Server. A time period can be specified, after which the user is automatically unlocked. It is also possible to unlock the user via the Mideye Administrative Web Interface. The purpose of this feature is to prevent denial-of-service (DOS) attacks aimed at blocking LDAP accounts via Internet.

New Feature: Time-limited accounts for database users

An expiry date can be specified for user accounts in the internal database (database
users). User accounts are automatically disabled when this date has been reached.

New Feature: Automated token card re-synchronisation

If a token card is more than 10 consecutive OTPs out of sync with the central system, but inside a sequence window of 100, the user can automatically re-sync the token card by generating a new OTP and entering it for validation. If this second OTP is within a sequence window of 10 OTPs from the first OTP, the user is granted access and the token card is re-synchronised. The time window for performing the re-synchronisation is 5 minutes from the time when the first OTP was entered for validation. If the RADIUS client supports Mideye reply messages (attribute 18 in RADIUS Access Reject), the user is informed that the token card is out of sync and that a new OTP is required. Automated token card re-synchronisation has been centrally implemented in the Mideye Switch. This means that the feature is automatically implemented for all Mideye Servers, regardless of release. However, the reply message informing the user that the token is out of sync and that a new OTP is required, is only implemented in Server release 4.0.

New Feature: Support for default RADIUS reply and error messages in different languages

Via the configuration tool, default RADIUS reply and error messages can be selected in English and Swedish.

New Feature: Enhanced number correction

Number correction is enhanced. Via the Configuration Tool, it can be selected if numbers within parentheses should be removed and if leading zeros after the default international prefix should be removed.