• Group support across rosters
  • Active Directory groups and local groups can now be added to the Assisted Login Users roster — group members are resolved at logon time via LDAP, so there's no need to enumerate individuals when the population is already maintained in AD.
  • The Approvers tab gained a Group picker (Local or Domain) alongside the existing Users list. Add an AD group such as `LAB\approvers` and every current member is eligible to authorise an Assisted Login flow.
  • Group entries carry an explicit Local or Domain tag, so on hosts where a local and a domain group happen to share a name the configuration tool always targets the one the operator picked.
• Identifier form flexibility
  • User and group identifiers are accepted in all three Windows forms — `DOMAIN\name`, `name@domain.tld`, and `dns.tld\name` — and resolve to the same configured roster entry regardless of which form Windows passes at logon.

enhancement

• Configuration tool improvements
  • The configuration tool now reflows and adds a horizontal scrollbar on narrow consoles (1024×768 and smaller), so every control on every tab is reachable on the compact server displays typical of Hyper-V, iLO / iDRAC, and out-of-band management sessions.
  • The Approvers tab layout mirrors the MFA Override tab so adding individual users and adding group sources use the same controls in both places.

known issues

• Upgrade notes
  • Drop-in upgrade from any 0.6.x preview — no manual operator step required.
  • All configuration is preserved across the upgrade — Schedule cells, Break-Glass roster, Approvers, Policy keys, and credentials are kept as configured.

• Reliability improvements
  • Mideye+ push approval requests are sent within the push service's accepted timing range, so prompts reach the device consistently across all Touch-based flows.
  • Stored credentials survive VM cloning, sysprep, P2V migration, and domain re-join. Values migrate automatically on the first configuration apply after the underlying machine identity changes — no operator action required.
  • Approver-list integrity baselines refresh automatically when the operator applies a configuration change. A new `MideyeProviderConfig.exe --refresh-baselines` command is also available for manual rebuilds if the baseline ever needs to be reset out of band.
• Configuration tool improvements
  • Authentication timeouts (MFA, Assisted Login user, Assisted Login approver) are editable directly from the Login Schedule tab instead of requiring a registry change.
  • The Lockdown safety dialog has been reworked — the issue list reads as a list (not an editable text box), the dialog is resizable, and the OK / Cancel buttons stay visible even when the list is long.
  • The Security Policies tab shows a statistics table of how often each policy event has fired in the last 30 days, read from the Windows Application log.
  • External Approvers integrity-check failures emit an alert event instead of blocking logon. An informational event also fires once per startup when an operator runs with a non-AD approver source, so the deployment shape is visible in the Application log without extra tooling.
  • Tab layouts (Break Glass, Approvers, Lockdown, Assisted Login Users, MFA Override) share a consistent right-edge margin and reflow correctly when the configuration window is resized.

known issues

• Upgrade notes
  • Drop-in upgrade from 0.6.7 — no manual operator step required.
  • Existing credential values are preserved and migrated automatically on the first configuration apply after the upgrade.

• Preview release
  • Native Windows credential provider DLL that adds Mideye MFA to RDP and console logon.
  • Cloud mode (OAuth2 against the Mideye Authentication API) and on-prem mode (LAN-hosted Mideye Server, hardware-token OTP only).
  • Touch push (Mideye+ app), hardware-token OTP, OATH HOTP authenticator-app codes, and Assisted Login (4-eye approval).
  • 168-cell weekly Login Routing schedule with MFA / Assisted / Deny cells, per-user MFA-method overrides, and Deny-schedule override for on-call admins.
  • Break-Glass roster required before activation — refuses to enable while empty.
  • Internal AD-resolved approvers and External (registry-only) approver roster with HMAC-sealed integrity.
  • Signed MSI deployable interactively, silently (`msiexec /qn`), or via Group Policy.

known issues

• Preview limitations
  • Microsoft Intune deployment guide and Entra-only joined hosts not yet supported in this preview.
  • Customer-facing documentation is published for the index, quickstart, and architecture pages only; configure / operate / security / use sections remain drafts.

• System error in Mideye Shield (#2571) — Resolved a null-pointer exception that could occur when the AbuseInfo field was empty.
• Improved risk scoring for blocked login attempts (#2578) — Adjusted the score weight for login attempts blocked by static username filter rules to align with the score for “user not found” events. This improves scoring consistency and accuracy.
• Logging issue for blocked events (#2580) — Resolved an issue where the username was logged as NULL for events blocked by Mideye Shield static rules.

enhancement

• Authentication log filtering by client IP address (#2584) — Administrators can now filter authentication logs based on client IP address, improving troubleshooting and audit capabilities.

known issues

• Issues if using installation wizard during first time setup — During installation, only Active Directory repositories can currently be selected in the installation wizard and CIDR subnet notation is not supported for RADIUS Client IPs or Source IPs.

• RADIUS thread pool size (#2415) — Fix of bug introduced in release 6.5 where the maximum RADIUS thread pool size did not follow the maximum pending RADIUS requests setting, which could lead to overloading in some situations.

• Support for Palo Alto Client Source IP and Ivanti Tunnel Client Endpoint — As an alternative to Calling Station ID, Mideye Server can read the client IP address from the Palo Alto vendor-specific attribute 'Client Source IP' and the 'Tunnel Client Endpoint' attribute sent by Ivanti Connect Secure if present in the RADIUS Access Request.

• Memory and performance optimization — Increased JVM initial memory allocation from 512M to 1024M for improved performance.
• Database optimization
  • Added index on blocked attempts table for optimized queries.
  • Optimized query for cleaning up old blocked attempts.
• Configurable retention policies — Introduced configurable retention periods for blocked attempts and IP ingestion cleanup, allowing flexibility in specifying cleanup duration with enhanced logging.
• Platform upgrade — Updated OpenJDK to Eclipse Temurin OpenJDK 17.0.15 and migrated installer to 64-bit architecture.

• Mideye Auth API protocol — Fixed incorrect error message when user fails to respond to Touch Accept in the Mideye+ app.

• Mideye Auth API protocol — Mideye Auth API protocol extended to include the parameter ‘title-text’.
• Mideye Auth API protocol — Fixed bug where Mideye Auth API protocol parameter ‘authentication-text’ was not enforced for endpoints other than the default endpoint.

• Mideye Server GUI — Improved the loading time in Mideye Server GUI when updating the dashboard and Authentication Logs.

• Mideye Auth API protocol — The Mideye Auth API protocol has been extended to include all parameters that can be configured in the server GUI menu ‘Magic Link Endpoints’, submenu ‘User Messages for Touch Accept’.

bug fix

• Empty password field — An empty password field is now accepted when the RADIUS client has been configured to ignore the password.
• EAP challenge-response — Fix to handle an EAP challenge-response dialog between the RADIUS client and NPS.

• Mideye Shield — Mideye Shield is listed as a separate section in the server sidebar menu, with submenus for configuration, auto-blocked IPs and static filter rules. The shield service URL is changed to shield.mideye.com. Shield service connectivity health checks are only activated if the Mideye Shield service is enabled. Shield maximum load capacity is increased by immediately returning Access Rejects (instead of random delay), and by increasing the default Max Pending Requests parameter from 20 to 50 in the RADIUS Server configuration.

bug fix

• Shield classNotFound Exception — Resolved LDAPS connection failures (classNotFoundException) when using Mideye Shield.
• RADIUS translation to VSA:s when using MS-CHAPv2 — Fixed MSCHAPv2 LDAP-RADIUS translation to use configured RADIUS VSA attribute instead of the hardcoded CLASS attribute.

• IP Shielding — A new central service provides real-time fraud rating of IP addresses for clients requesting access to Mideye-protected login services. The server can be configured to reject requests originating from IP addresses with a fraud score above a chosen level. This enables early-stage detection and rejection of attacks such as DoS, brute force, password spray and MFA fatigue, as well as preventing the flooding of authentication logs.
• Automatic locking of inactive user accounts — An optional inactivity timeout for database accounts can be configured, after which accounts that haven’t made a successful login are locked. If enabled, this affects all database accounts except the root user.

enhancement

• Custom password policy for database users — The password policies for database accounts can be customized. Two policies are supported, one for passwords set by server administrators via the server gui and one for passwords set by users via the login dialog. For temporary passwords that are set by server administrators, an optional timeout can be configured, specifying a maximum validity time of the password.
• RADIUS filter can be configured to return Access Rejects — As an alternative to the silent discard of requests blocked by the RADIUS filter, a RADIUS Access Reject can be returned to the RADIUS client.
• Separate log for blocked attempts — A new log page in the web GUI, Blocked Attempts, displays attempts that have been blocked by the RADIUS Filter or IP Shielding. Log information (timestamp, username, IP address) is retained for 48 hours.

bug fix

• Switch failover logic — Modified switch failover logic to prevent the delay experienced by users logging in after the server has been idle for more than 10 minutes and fails to connect to the primary switch.
• Entra ID RADIUS translation — Fixed an issue preventing login to the server web GUI with Administrator / Operator Entra ID accounts due to failing RADIUS translation.
• Authentication Logs Filtering — Improved filtering of authentication logs by pausing the filtering action until the Apply button is pressed.

• Message-Authenticator for PAP — As a further enhancement following CVE-2024-3596 (BlastRADIUS), RADIUS clients can now be configured to include the Message-Authenticator (attribute 80) in all responses, as well as require a message authenticator to be present in all RADIUS access requests. This fix is required for interworking with some later releases of RADIUS clients, e.g. Fortigate 7.2.10.

• MS-CHAPv2 challenge-response stops working after Microsoft patch KB5040437 — Additional fix to handle the challenge-response dialog after the KB5040437 security upgrade is deployed in Microsoft NPS. Complements the fixes introduced in versions 6.4.3 and 6.4.4.

• MS-CHAPv2 stops working after KB5040437 — In this release, we have implemented a complete fix for the issue where MS-CHAPv2 stops working after the KB5040437 security upgrade is deployed in Microsoft NPS. This update corrects the initial fix introduced in version 6.4.3.

• MS-CHAPv2 stops working after KB5040437 — An initial fix for the MS-CHAPv2 issue related to the KB5040437 security upgrade in Microsoft NPS was introduced in this release. However, further refinement was needed to fully resolve the problem. Please refer to version 6.4.4 for the complete fix.

• Support for IP subnets — RADIUS client and shared secret IP addresses can now be specified with IP subnet masks in CIDR format, e.g. 192.168.1.0/24.
• Support TOTP in Auth Type 4 — Authentication type 4 (CONCAT) now also supports on-prem TOTP.

bugfix

• Web GUI — Web GUI encounters an error when viewing Authentication and Audit Logs.

• Authentication types 2,3,4,9,10,11 missing in Accounting logs — Authentication types 2,3,4,9,10,11 were missing in the Accounting logs. This issue has been resolved in this release.

• RADIUS blocking filter — To prevent spamming of server logs, and to counter server overload attacks, custom RADIUS filter rules can be configured in the Mideye server. The filter can block usernames and client IPs that do not meet specified criteria. Blocked requests are silently discarded, are not written to the authentication log table, and do not initiate searches in user repositories.

enhancement

• Separation of server web GUI and self-service portal login — The self-service portal can now be published spearately from the server web GUI, accessible on a dedicated port and configured as a separate RADIUS client.
• TOTP soft token seeds in LDAP repository — TOTP soft token seeds can be stored in an LDAP repository instead of the Mideye database. This reduces the need for database clustering.

bugfix

• • Persistant sort order when reloading page. The selected sort order in the web GUI now persists when the page is reloaded.
  • Not possible to delete hybrid account if the corresponding LDAP account is not found
  • Not possible to create hybrid accounts in Mideye for Azure AD accounts.

• Not possible to verify and change the RADIUS secret via the server web GUI.

• Truncated SMS text in Magic Link migration from release 6.1.

• Assisted Password Reset — The Mideye server provides a web portal for password reset, using the Assisted Login mechanism to give two indepentent factors of authentication. A user that needs to reset his/her static password contacts an authorized approver and initiates the password reset process with username and second-factor authentication (Mideye+ or SMS-OTP). The authorized approver is required to approve the reset in the Mideye+ app before the user is allowed to specify a new password.

security

• • Read access to application-prod.yml configuration file on Windows is now limited to server administrators.
  • GUI Operators and Administrators could access password hashes via the server API. This is now blocked.
  • Some server API endpoints were availble to GUI Operators, although the corresponding views are blocked for Operators in the GUI. Authorization control of server API and web GUI is now aligned.
  • Server info (release version, operating system and database) was available via server web GUI also to non-authenticated users. This is now blocked.

enhancement

• Assisted Login
  • Improved logging for Assisted Login. In addition to more detailed Info-level logging of events, Assisted Login details are now also saved in separate Audit logs for longer retention to facilitate future security audits.
  • The message title 'Assisted Login Request' is now configurable. This title in the Mideye+ app was previously hard-coded, and can now be modified in the RADIUS Server configuration menu.
  • The lead text to the Assisted Login challlenge message requesting Approver identity (previously hardcoded as 'Enter Approver ID') can now be configured in the 'User Messages' tab of the RADIUS Server configuration menu.
  • User name presented to approver in app can be configured. Previously, the username entered by the user was presented. Now the AD Display Name is presented per default, but it can be modified in the Assisted Login configuration.
  • A RADIUS client display name can now be configured. If configured, this display name is presented to the Assisted Login approver instead of the internal Mideye client name.
  • Support for RADIUS session termination cause. The termination cause is now presented in the RADIUS session logs, as well as in the session list in the app.
  • The Assisted Login approver search now continues through the entire search base to find a member of the approver group, not only stopping at the first match.
  • Assisted Login now works with user and approver accounts also in repositories other than Active Directory (e.g. OpenLDAP), as well as with accounts in the Mideye database.
  • Assisted Login now also works for approvers that haven't activated Mideye+. Instead, they can approve the login with a Magic Link.
  • Triggering of Assisted Login with AD groupname keywords. User and approver group membership is specified using wildcards, where the specified part indicates if it's a user or an approver. The remaining (wildcard) part must match between the user and approver. This enables separation of access to multiple systems, without having to specify a separate Assisted Login profile for each system.
• Magic Links
  • More flexible Magic Link configuration, including support for multiple endpoints.
  • Assisted Login with Magic Link endpoints. Approvers are listed to the user in the Magic Link landing page.
  • Magic Link added as an option when searching/filtering authentication logs based on Authentication Type.
  • More detailed logging for Magic Link events in the authentication Logs.
• RADIUS
  • Comment field added to RADIUS shared secrets. Optionally, a comment can be added when creating/editing a shared secret, and this field is displayed when presenting the list of shared secrets.
  • More informative log messages in case of RADIUS accounting requests being rejected.
  • Modified LDAP-RADIUS translation configuration and logic. Now more than one LDAP attribute can be translated.
  • Option to filter out ongoing sessions in the RADIUS sessions logs.
• Mideye GUI
  • Mideye user search based on phone and token number. Mobile phone and token serial number is added as search parameters when searching for user accounts in the Mideye database.
  • Mideye GUI. Clone objects. It is now possible to clone existing objects (LDAP profiles and RADIUS clients) to simplify creation of new objects.
  • Mideye users table. a column is added with an icon indicating if an on-premise token (software or hardware) is assigned to the user.
  • Root password reset. A new forms-based password utility avoids character encoding problems.
  • For Windows installations, a link to the web GUI is added from the desktop and start menu.
  • LDAP and Azure AD connection status indication. The status of connections to user repositories is indicated both in the Directory Settings menues and in the Health Checks menu of the dashboard.
  • User search option now available in the LDAP profile configuration menu.
• Certificate Management
  • Enhanced presentation of certificates in the Certificate Management menu in the web GUI.
  • Support for CSR generation with existing keys and import of new certificate signed by the CA.
• On-Prem Tokens
  • Support for on-prem HOTP tokens provided by default.
  • Support for automatic re-synchronisation of OATH (HOTP and TOTP) tokens via RADIUS.
• Server Logs
  • Support for download of server log files via the web GUI.
  • The host name is now included in the authentication log details. This facilitates troubleshooting when multiple Mideye servers share the same database.
  • Possibility to filter away successful authentications for specified usernames from the authentication logs. This is to prevent certain accounts, e.g keep-alive probes, from spamming the authentication logs.
  • Stack traces removed from info-level logs in order to prevent log spamming.
  • Authentication results including username and phone number are included at Info-level in the log file.
• Service Monitoring — Every hour, the server sends a message to the Mideye Switch with information about server release version, platform version, service connectivity status and server time.

bugfix

• Assisted Login
  • Password hashes removed when admins (Operator or higher) call /api/mideye-users to list users.
  • Limited length of LDAP group name. When specifying LDAP groups in the Web GUI (submenu LDAP Profiles), the group name length was limited to 255 characters.
  • Export of accounting data. In previous versions of R6, only the accounting data currently displayed on the screen was exported to a csv file. Now data from the entire selected period is exported.
  • Assisted Login approver search fails with Azure AD due to list users api only returns first 100 users.
  • Fix of bug where hanging MAS communication could block Assisted Login Touch Accepts.
  • Incorrect links to Mideye documentation in the bottom of the server GUI are now fixed.
  • Assisted Login auth type is not overwritten the Azure AD default auth type when the userPrincipalName is specified in the Assisted Login profile.
  • Assisted Login user search does not work with nested groups.
  • Not possible to set expiration date for Mideye database hybrid accounts.
  • Authentication type Shared account not working with mobile numbers in AD attribute otherMobile.

• Magic Link authentication — A new authentication mechanism whereby the user is authenticated with a magic link distributed via SMS. This enables SMS authentication also for RADIUS clients that lack support for challenge-response. The magic link authentication mechanism is applied for users with Authentication Type 6 (Touch) that haven't activated Mideye+.
• Magic Link authentication API — As alternative to RADIUS, the Mideye server provides a rest API with user's phone number and some optional usability parameters as input.
• Hybrid LDAP accounts — User accounts read from an external LDAP repository can be duplicated in the Mideye Server database. User parameters such as Authentication Type, mobile number, token number, etc., can be assigned to the account in the Mideye server instead of in the user repository, and will override the information read from the user repository.

security

• Fix of cryptobug in Java CVE-2022-21449.

enhancement

• Username filtering — The configuration of RADIUS client username filtering is enhanced to allow the removal of blank spaces or any specified characters from usernames before the authentication request is processed.
• Switch failover logic — Enhanced redundancy logic when the Mideye server fails over to a backup switch.
• GUI menu rearrangement — Web GUI submenu 'Locked Users' moved from section 'Users and Tokens' to section 'Directory Settings'.

• TOTP tokens with on-premise seeds — Support for TOTP (OATH) software and hardware tokens where the token seeds are stored in the on-premise Mideye server database, making token validation independent of the central Mideye service. Users can activate a soft token via a self-service web portal, where they also can manage their own soft and hard tokens. Administrators can import hardware tokens via the GUI, and assign both soft and hard tokens to users. The authentication logic can be configured to either use the TOTP token as fallback to the default authentication type (typically Touch Accept), or as the primary authentication type (with no connection to the Mideye central service).
• HOTP hardware tokens with on-premise seeds

enhancement

• New web GUI — A new web Graphical User Interface for the Mideye Server, with a more intuitive menu structure.
• JRE 17 — Upgrade of the bundled Java platform from Java 8 to Java 17. Spring Boot upgraded to 2.6.6.
• Encryption of shared secrets — RADIUS shared secrets are encrypted in the Mideye server database.

bugfix

• Improved database error handling in Windows — In case of DB connection failure, the Mideye Server now fails within 1 minute and stops the service. Only concerns Windows platforms.
• HTTP headers in server GUI — Security fix in the server web GUI. Content-Security-Policy HTTP security header is added.
• PAP password change — Directory policies for the new password are now enforced.
• HTTP proxy configuration — Incorrect status of the checkbox 'Use Proxy' in the proxy configuration via the web GUI is fixed. The connection to the MAS is now also affected if a proxy is configured.
• Usernames not editable — It is no longer possible to edit usernames of accounts in the Mideye server database.
• MS-CHAP for Assisted Login — Assisted Login now also works with MS-CHAPv2.
• Possible to specify a certificate alias — When importing LDAPS certificates, it is now possible to specify a certificate alias.

• RHEL 8 support — Include service start files for RHEL 8 installation.

• Cached health checks — Healthchecks are cached to reduce the load on mideyeserver.
• LDAPs Certitiface with alias — LDAPs Certitiface can be imported with an alias.

bugfix

• Fix certificate management UI — Fix certificate management UI and show proper error message when imported certificate is missing CN.

• Fix file-permissions in deb package — Set up propper file-permissions in deb package.

• LDAP migration bug — Fixed a bug that affected the possibility to migrate certain LDAP profiles from R4 to R5.

• Password encryption bug — Fix of database user password encryption when upgrading from R4 to R5.

security

• Certificate validation — More stringent certificate validation in Mideye Server.

• Removal of Log4j2 dependencies — All Log4j2 dependencies removed from classpaths. This blocks the possibility to manually modify the installation package and enable Log4j instead of the default R5 logging framework (Logback).

• TLS enhancement — TLS version 1.2 or higher enforced in the Mideye server.

• Unresponsive user search — Fix of performance issue with username filtering in authentication and accounting logs in the web GUI.

• Shared account authentication — New authentication type (Auth Type 10) whereby multiple mobile numbers and token card serial numbers can be registered for a user account. In the login dialog, the user indicates which phone/token to use.

enhancement

• Java update — The bundled JRE is updated to Java 8u282. Oracle JRE is replaced by AdoptOpenJDK JRE.
• Database detailed logs — More efficent database architecture for the Detailed Authentication logs. Note that existing Detailed Authentication logs will be lost at upgrade (the default retention time is otherwise 30 days).

bugfix

• Fix of ‘Find User’ issue — Fix of issue whereby the ‘Find User’ button in the LDAP Profile menu of the Web GUI did not always return a correct result.

• Database cleanup — Improved database cleanup. Previous implementation could cause database connection to lock during cleanup of logentries table.

enhancement

• Cluster leader setting — New setting in configuration file, whereby a Mideye server can be configured as cluster leader (default=true). If set to false, database cleanup is disabled. This is to avoid simultaneous operations for clustered servers configured to use a common database.
• Database read/write — More efficent way to write and read authentication log details. This solves a potential database deadlock problem.
• Assisted login for federated users — Empty federation attributes are not sent to the Mideye+ app. If the approver doesn’t open the app before user login, a proper reply message is returned to ADFS.

• Memory leak — Fix of bug that caused memory leak if Hibernate cache was enabled.
• Number correction — Fix of index-out-of-bound-error in phone number correction.

enhancement

• Improved loading of authentication logs — Performance optimization speeding up the loading of authentication logs in the web GUI.

• Azure AD support — Mideye Server can connect to Azure AD with the Microsoft Graph API to search user accounts.
• Assisted Login for federated users — Assisted Login protection can be applied to federated accounts logging in via ADFS. External users can log in with their home company accounts, but access is only granted if the login is accepted by an internal approver.

enhancement

• Custom LDAP attribute values to logs — In the LDAP profile configuration, additional LDAP attributes can be specified and the corresponding values written to log files at a specified log level. Optionally, the values can also be written to the detailed authentication logs in the database.
• Ignore LDAPS certificate validation — As an option, an LDAP profile can be configured to ignore certificate validation. This facilitates automation of LDAP profile provisioning via the server REST API.
• Additional Assisted Login info to logs — The detailed log information is extended to also include more information relating to Assisted Login, e.g. the identifier of the Assisted Login profile that is being used.

bugfix

• GUI user, role Operator — Fix of R5.4 bug whereby role Operator lacks access to the web GUI. Also a fix of a general R5 bug, whereby role Operator had write/delete access to some menus and APIs.
• Detailed log items not shown in authentication logs — Fix detailed log items bug in R5.4.4, e.g. Assisted Login additional challenges and the corresponding responses, were not shown in the authentication logs.
• Checkboxes not working at first attempt — In the web GUI assisted login configuration, approver tab, checkboxes were not working first time they were selected.
• Unexpected error in LDAP profile user search — Fix of bug resulting in an unexpected error when testing LDAP profile user search before the LDAP profile was configured.
• Assisted login approver ID not honored — Fix of R5.3 bug. When the approver ID attribute in the Assisted Login configuration was specified, this was not honored.
• User search with MSISDN not working — Fix of R5 bug. When testing user search via the LDAP profile configuration in the web GUI, MSISDN could not be used as user identity.
• LDAP profile user search — Fix of R5 bug. When testing user search via the LDAP profile configuration in the web GUI, the search did not return any results.

• RADIUS client overview list — In the RADIUS clients configurations menu, the start page is modified by replacing the assigned Accounting Server column with assigned LDAP Profiles.

bugfix

• Web GUI causing database overload — Fix of bug introduced in 5.3 whereby detailed authentication log queries from the Web GUI dashboard could cause overload in the database.

• Shared Secret Editing — Fixed a bug where if the Mideye Server contained more than 127 Shared Secrets, prevented the editing of Shared Secret 128 and above.

change

• CentOS 6 & 7 yum repository change — When using yum to install and update the Mideye Server 5.x in CentOS 6 and CentOS 7, the repository folder structure has changed. See the “Linux RPM installation guide” on how to update the “mideye.repo” file to mirror this.

• Require Mideye+ — RADIUS clients can be configured to require that the Mideye+ app is activated for mobile phone users.
• Require local authentication on phone — RADIUS clients can be configured to require that Mideye+ users must authenticate locally on the phone (biometric or PIN) before being able to accept a login.

enhancement

• Configuration and management menus
  • In the Vendor Specific Vendors configuration menu, vendors are listed in alphabetical order, and attributes are listed alphabetically in submenus for each vendor.
  • In the RADIUS clients configurations menu, the start page is simplified by removing some columns. In the Test client sub pages, the placeholder text in the challenge prompt is modified.
  • In the dashboard, certificate expiry is added as a separate information box. The Switch health check text is changed from ‘UP’ to ‘Connected’.
  • In the Certificate Managment menu, a more informative error message is presented when the certificate subject is empty.
• Authentication log — For failed Assisted Login attempts, the error message now distinguishes between approver not found and approver not authorized.
• Automatic database re-connect — If the database connection fails at server startup, the Mideye Server makes automatic retries for a specified time period until connection has succeeded.

bugfix

• RADIUS server concurrency issue — Fix of concurrency issue when RADIUS Server fails to re-start after configuration changes.
• Accounting timestamps — Timstamps in accounting logs now presented in local time with correct timezone indicator.
• RADIUS client assignment for database users. — Fix of bug affecting database users in MS-SQL. It is now possible to add RADIUS clients.
• Vendor Specific Attributes — Data types are now shown correctly, and and it is now possible to edit Vendor Specific Attributes.
• SSL certificate management — If CN is missing in an LDAPS certificate, the hostnamne is now used as certificate alias.
  • Bug in SSL certificate expiry monitoring is fixed.
• Authentication log info message
  • Fix of incorrect information message when Touch falls back to OTP due to data push delivery failure.
  • Fix of misleading information message when Approver account has missing/invalid phone number.
• Authentication logs — Fix of Authentication logs search filter.
• LDAP profile default values — Fix of incorrect default attribute names when LDAP server other than Active Directory is selected.

security

• Security — HTTP Trace and Track Methods are disabled in the administrative web interface, and X-Frame-Options response header is added.

• Server GUI unexpected error — Fix of GUI unexpected error that occurred if dashboard health indicators were clicked while loading.

• Windows installation package — “;” (semicolon) no longer needs to be inserted manually when using database-instances old keystore is automatically removed when reinstalling the same version of the Mideye Server
• Null pointer exception — Radius requests with null value NAS-ID and NAS-IP attributes will not cause a null pointer exception.

• RADIUS session management — RADIUS sessions (session start, update and stop) for RADIUS clients that support Accounting are presented as a separate menu in the server web GUI. For RADIUS clients that support Disconnect Message, sessions can be terminated from the GUI.

enhancement

• Assisted Login — Assisted Login is enhanced with the following features
• More detailed authentication logs — Entries in the authentication logs can be extended to view more detailed log information. Old log entries are automatically deleted after a specified retention period. The default retention period for basic authentication and session logs is 365 days. For detailed authentication information, the default retention period is 30 days.
• Time-zone information in log files — Information about time zone is added to the time stamp in log files.

Assisted Login feature

• Management of assisted login sessions from the Mideye+ app
  • The Approver can see and disconnect approved sessions from the Mideye+ app.
• Additional challenges
  • The User can be prompted to enter more information via additional challenges in the login dialog. This information is presented to the Approver in the Mideye+ app, and is logged for audit purposes.
• Enhanced authorization logic
  • The authorization logic for Assisted Login is enhanced both for Users and Approvers. Approvers can be selected based on a None/Any/All combination of assigned manager, group membership and specified users. The possibility for Approvers to approve sessions for themselves can be enabled/disabled in a separate checkbox. Users can be selected based on a None/Any/All combination of assigned authentication type, group membership and specified users.
• Session and idle timeout specified in Assisted Login profile
  • The RADIUS session timeout and idle timeout can be specified in the Assisted Login profile, and are returned as attributes in the Access Accept.
• Size limitation of user id and group name fields removed
  • The previous size limitation of user id and group name fields in Assisted Login configuration is removed.
• Test of Assisted Login profiles in RADIUS client
  • When Assisted Login profiles have been added to a RADIUS client, the logic (match between Approver and User) can be verified in a test menu accessible from the Assisted Login tab in the RADIUS client configuration.

featAssisted Login featureure

• Multiple Assisted Login profiles per RADIUS client
  • Multiple Assisted Login profiles can be assigned to a RADIUS client.

bugfix

• Default OTP Presentation type 1 — Default OTP Presentation type 1 (inbox SMS) now works also when the checkbox ‘Read Optional Attributes’ is selected.
• Either NAS IP or NAS ID must be specified — New check in the RADIUS client configuration in web GUI that prevents NAS IP and NAS Identifier to be empty at the same time, which would cause RADIUS client identification to fail.
• Faulty RADIUS attribute links in LDAP-RADIUS translation — Incorrect links associated to RADIUS attributes in LDAP-RADIUS translation are removed.
• Not necessary to specify an LDAP profile — It is no longer required to specify an LDAP profile when editing a RADIUS client via the web GUI.
• NPE when saving SSL certificate missing CN attribute — Fix of null-pointer exception when an LDAP SSL certificate missing a CN attribute is saved.

• Debian package — Added missing files from debian package.

• R4 Migration Wizard — To prevent memory overflow, the import of R4 login statistics and accounting data is limited to the last 100 000 rows from the last year.

• Password change in PAP — Support for password change in PAP, using additional challenges to prompt for a new password. This means that password change is now supported for database users. For LDAP users, this means an NPS is no longer required for password change.

enhancement

• Disable Auth Type 1 (Password) — Authentication Type 1 (Password) can be disabled per RADIUS client.
• Certificate validation and export — Certificate management via the Web GUI is enhanced to include certificate path validation and an export function.
• Enable blocking of self-personalized Yubikeys — Self-personalized Yubikeys can be blocked per RADIUS client by only allowing Yubicloud OTPs with the prefix cc.
• Spam filter reset — The number of users affected by a spam filter lockout is shown in the RADIUS Server configuration menu.
• Database configuration — The database configuration is now validated in the Windows Installation package. Database passwords containing double-quote characters (“) are now supported, as well as database instances.
• Touch failed user message — A new user messages added for the case when Touch login fails.
• Assisted login LDAP search — The LDAP user and approver search is improved, avoiding duplicate search of the user. The approver search now continues to next LDAP repository if the authorization check fails.
• Dashboard — The Database and Switch connection status information in the GUI dashboard is improved.

bugfix

• Reply message when phone not reachable — For Authentication Type 2 (Mobile), when the phone is not reachable and Mideye+ is not activated (SMS-OTP), the correct reply message is now returned.
• Locked LDAP users — LDAP users are now locked the specified time period. The extra minute added in previous releases is removed.
• Assisted Login reject reply message — A reply message is added for the case when an Assisted Login is rejected because the Touch accept failed.
• Spam filter — Logins rejected by the spamfilter are now shown in the logs. The login failure message when a login is rejected by the spam filter is changed from ‘Invalid/user password’ to ‘Too many attempts, try again later’, with a reference how to manually re-set the filter.
• Assisted login approver group membership — The approver group membership can now be specified using Java Regular Expressions.
• Default LDAP connect and read timeouts — The default LDAP connect timeout is changed to 2 seconds, and the read timeout is changed to 10 seconds.
• Handling of invalid RADIUS requests — When invalid RADIUS requests are discarded, they are now removed from the pending authentications list, thereby preventing the pending request counter from hitting the overload limit.
• Assisted login approver search — The search failed if the approver was not found in all LDAP profiles configured for the RADIUS client. This is now fixed, it is sufficient if the approver is found in one profile.

• LDAP user locking release — Fix of bug ‘LDAP locking not released when using MS-CHAPv2’.
• Access reject with MS-CHAPv2 — Fix of incorrect response authenticator in MS-CHAPv2 Access reject messages. This bug caused multiple Touch prompts when access rejected in the app.

• Assisted login — A new authentication method, Assisted Login (Auth type 9), for LDAP accounts. Predefined users are authorized to approve access for external users to selected RADIUS clients. Access is approved in the Mideye+ app.This authentication method is intended for users that require temporary access to protected resources.
• Certificate management via web GUI — Simplified administration of certificates for LDAPS and web GUI.
• Managing RADIUS attributes via web GUI — New Vendor-specific Attributes (VSAs) can be added via the web GUI. Also, the default VSA list has been extended to include more vendors.
• Spam filter reset — The OTP spam filter can be reset via the web GUI. This is to prevent users from being locked out if the Max Pending Requests queue is filled up, e.g. after a network incident.

enhancement

• RADIUS reply attributes displayed in test client — When using the test button for RADIUS clients in the web GUI, reply attributes are presented.
• Server Accounting — Accounting filtering options are enhanced. It is also possible to export the result as a CSV-file from the web GUI.
• Second challenge when token out of sync — If a token is out of sync, a second challenge is presented to the user requesting a new OTP to re-synchronize the token.
• Search database users by token number — Database users can be searched using the token serial number.
• Search base automatically created for LDAP profile — When creating an LDAP profile, the LDAP root search base is automatically populated when clicking the “Save” button.

bugfix

• Mobile number missing in logs when Touch cannot be used — If authentication type Touch fails, the user’s phone number is now included in the log entry.
• Removed re-load redirect to web GUI dashboard — If reloading a page in the web GUI, the user now remains on the reloaded page.
• root user default profile — The Web Admin RADIUS client is now assigned to the root user by default.
• Redirect after root password change — Root user is now redirected to the web GUI dashboard when the password has been changed.
• Reply Message in Web GUI — RADIUS reply messages are now displayed in the Web GUI login.
• Timestamp in logs — Log timestamps are now shown in milliseconds instead of seconds.
• Top 5 Failing Users case sensitive — The Top 5 Failing usernames presented in the web GUI dashboard are now case-insensitive.
• MSISDN/token number validation in Mideye Server — Mobile number and token serial number formats are now verified in the Mideye Server before being forwarded to the Mideye Switch.
• Web GUI login hanging after timeout — Page re-load no longer required to login again after session timeout.

• Major release requires new server installation. — Mideye 5.0 requires a new server installation. A migration tool facilitates migration from releases 4.6.5 and later.

feature

• Server config via web admin — A new administrative web interface that also replaces the R3/R4 Configuration Tool. A new super administrator role is introduced, with the same rights as the root user.
• Support for server config via REST API — As an alternative to server configuration via the administrative web interface, a REST API is provided for automated server configuration.
• Configuration changes without restarts — Configuration changes no longer require service restarts to take effect.
• RADIUS client identification based on NAS ID attribute — Improved selection of RADIUS clients based on RADIUS attribute 32 (NAS Identifier) which simplifies implementations with multi-login profiles originating from the same IP address.
• Separate table for source IP – shared secret configuration — Specification of the shared secret is moved from RADIUS clients to a separate table, where source IPs and shared secrets are matched. A default shared secret can be specified that is matched to any IP that is not specified in the table.
• NPS configuration separated from LDAP server configuration — Microsoft Network Policy Server (NPS) settings are moved from LDAP profile configuration to a separate NPS profile. This simplifies the re-use of the same NPS profile in multiple LDAP profiles.
• Docker container support — Mideye server is now available as a Docker image as an alternative to Windows and Linux installation packages.
• Debian support — Mideye server is now available as a Debian-based package in addition to the RPM-based package.
• Enhanced server monitoring — Automatic health checks of Mideye Switch and database connections. Monitoring of LDAPS certificate expiry. Dashboard with login statistics and success rates.
• Enhanced server accounting — Possible to select full calendar months in the web GUI for matching server accounting with monthly invoices.
• Support for database login using NTLMv2

• Offline challenge (Mideye+) when phone not reachable, authentication type = 2, MSCHAPv2 — In previous releases 4.6.X and 4.7.X, the manual offline challenge was not displayed for authentication type 2 (mobile) when MSCHAPv2 was used.
• Framed IP Address not returned for all IP addresses — In previous releases 4.6.X and 4.7.X, the Framed IP Address (RADIUS attribute 8) was not returned for IP addresses that were represented by a positive integer in Active Directory.

• Support for EAP-authentication — Mideye will now forward any incoming RADIUS-packages using EAP-authentication to Microsoft NPS.

bugfix

• Proxy-State — Mideye is now handling Proxy-State (attribute 33) correctly according to RFC 2865.
• User filtering for MS-CHAP-V2 and EAP — User-filtering for RADIUS-clients is now working for MS-CHAP-V2 and EAP. Before release 4.7.1, user-filtering only worked for PAP.

• Enabling Event-viewer logging for Windows Server caused Mideye-Radius service to crash — When enabling Event-viewer logging and restarting the Mideye-services, Mideye-RADIUS did not start.

• Token-coupled Mideye+ — With this feature, an OTP from a token card (MiniToken or YubiKey) is required when activating the Mideye+ app. As an enhanced security setting, RADIUS clients can be configured to only accept login with token-coupled Mideye+ apps or token cards.
• Bundled JRE — JRE bundled with the Mideye installation package. Java Runtime Environment is included in the installation package and does not need to be installed separately.
• Automatic read of Framed IP Address (RADIUS attribute 8) from Active Directory — As an option, Mideye reads the static IP Address (IP v4 only) assigned in Active Directory and returns it in the RADIUS Access Accept, attribute 8 (Framed IP Address).

bugfix

• Incorrect logging of failed OTP deliveries — When authentication type 6,7 or 8 (Touch) is selected, failed OTP deliveries for users without Mideye+ are now logged with the correct error message ('Phone not reachable').
• Multiple groups when using regex — Mideye Config Tool -> LDAP Servers -> Groups. Multiple LDAP groups can be specified using Java regular expressions. (Previously, only a single group could be specified when regular expressions were used).
• LDAP profile created with an invalid password — Mideye Config Tool -> LDAP Servers. Fix of a bug that caused unexpected behavior/error messages in case an LDAP profile was created with an invalid LDAP account password.
• Hanging web admin when MySQL connection lost — Fix of problem with hanging web admin when MySQL database connection was lost.

• Support for Touch login with Microsoft Remote Desktop Services — By using authentication type 6 (Touch) it is possible to log in with Microsoft Remote Desktop Services (MS RDS) without using challenge-response. This means two-factor authentication with mobile phones can be achieved with the built-in RADIUS support in MS RDS.
• Support for simplified Mideye+ activation — A new way to activate Mideye+ is introduced. A user no longer needs to enter the mobile phone number manually in the app. The user can activate Mideye+ by entering a '+' sign after the OTP in the challenge dialogue.
• Support for authentication with YubiKey tokens — YubiKey tokens compatible with Mideye can be ordered from Mideye support. It is possible to specify a Yubikey identifier in the format 'ubbc0\[7 digits\]' as a valid token number.

bugfix

• Root password to the administrative web interface is lost during an upgrade — In previous versions of the Mideye Server package for Windows, the root password to the administrative web interface was lost during upgrade.

• LDAP-RADIUS translation with MS-CHAP — RADIUS attributes obtained from LDAP-RADIUS translation can now be returned in MS-CHAP Access Accept messages for authentication types PASSWORD (type 1) and TOUCH (types 6, 7 and 8). Previously, this was only possible with authentication types Mobile (type 2) and Token (type 3) when using MS-CHAP. (For PAP, attributes can be included for all authentication types).
• Enhanced multiple-click suppression — The (optional) multiple-click suppression feature is enhanced to discard events where the user ignores or cancels OTP prompts.

bugfix

• Authentication Attempts logs — Two bugfixes relating to the Authentication Attempt logs in the administrative web interface.
  • RADIUS client ID is now included also in case of challenge-response timeout when using MS-CHAP (previously this information was missing).
  • Rejects due to OTP spam filter are now explained in the info column also when using MS-CHAP (previously this information was missing).
• Upgrade scripts for Linux — Previously, the root user password for the administrative web interface was reset during the upgrade procedure. This is now fixed for Linux, but the problem remains in Windows (this will be addressed in the next release).

• multiple-click suppression disabled — Multiple-click logins disabled per default, since it's only applicable for certain RADIUS clients and it caused some unexpected behavior.

• Suppressing multiple-click logins — This feature suppresses multiple-click logins in RADIUS clients. It is enabled by default and can be configured via Mideye Configuration Tool, tab Radius Servers. Having this feature enabled prevents users from receiving numerous consecutive OTPs if they mistakenly keep pressing the login button in the client.
• Improved overload handling — This feature improves overload handling by rejecting additional requests if the number of pending requests exceeds a threshold– maximum number of pending requests that can be configured via Mideye Configuration Tool, tab Radius Servers. This makes the Mideye Server more responsive in overload situations.
• Preventing OTP spamming — This feature limits the number of OTP deliveries to a specific phone number within predefined time windows. The allowed number of OTP deliveries can be configured via Mideye Configuration Tool, tab Radius Servers.

bugfix

• MS-CHAPv2 reject — A previous bug in MS-CHAPv2 reject is fixed. The bug caused some RADIUS clients to send a duplicate request after the first request had been rejected.'

• Support for Mideye+ Touch Accept — Mideye+ Touch Accept enables Mideye+ users to accept or reject the login directly using the Mideye+ client (on iOS and Android), see Figure 2.1. It improves user experience by removing the need to manually enter the OTP. The following are the requirements for Touch Accept to work.
  • Mideye Server 4.4.x
  • Mideye+ client version 3.x.x
  • Mideye+ is enabled in the customer’s profile in Mideye central system
• New authentication types. — Introduction of three new authentication types, they differ in fallbacks in case the initial Touch Accept attempt fails (e.g. if the user lacks Internet connectivity).
  • Authentication type 6 (Touch) - No fallback if Touch Accept fails.
  • Authentication type 7 (Touch-Plus) - If Touch Accept fails, the fallback is Mideye+ manual signature.
  • Authentication type 8 (Touch-Mobile) - If Touch Accept fails, Mideye attempts to reach the Mideye+ app via SMS. If this also fails, the fallback is Mideye+ manual signature.
• Mideye+ Touch Accept on Android client — Mideye+ Touch Accept is now available on the Android client.
• Enhanced authentication attempts log in Web Administration Interface — This feature enhances the authentication attempts log with information about failed authentications. The authentication attempts log now also contains phone/token number and authentication type as well as the reason for failure.

• Mideye Server hanging problem while using Mideye Configuration Tool — This bug caused Mideye Server to hang when using Mideye Configuration Tool to modify a RADIUS Client.
• Fixed the challenge message when the password is expired — This bug caused database users to receive Password needs to be reset if an LDAP user had to change the password prior to their login.

• Security issue — Prevent the exposure of the content of WEB-INF folder. - Removed unused certificates to improve the security of Mideye Server - Mideye Switch communication.
• Log messages — Reduce the log level to warning when the Network Policy Server (NPS) is not configured. - Reduce the log level to debug when parsing an unknown Vendor Specific Attribute.

• Password Change — Users in Active Directory can change their expired passwords during the logon process. This feature requires the use of the MS-CHAP v2 protocol and Network Policy Server (NPS).
• MS-CHAP v2 — Mideye Server supports the MS-CHAP v2 protocol. Mideye Server will automatically determine the authentication protocol used, PAP or MS-CHAP v2. To function properly, MS-CHAP v2 needs a configured NPS.
• New Web Administration Interface

• Mideye Server 4.3.0 includes a new Web Administration Interface. — The new Web Administration Interface is a web-based tool for managing the Mideye Server.
• LDAP login to Web Administration Interface — The new Web Administration Interface allows login using an LDAP server
• Password Comparison Authentication — It is possible to use an alternative field for storing hashed passwords instead of the default Active Directory password field. See Appendix A: Password Comparison in the reference guide for more details.
• Fortinet RADIUS attributes — Added Fortinet vendor specific attributes (Vendor ID: 12356) to the list of RADIUS attributes sent together with the final RADIUS Access Accept.
• Automatic Retrieval of LDAP Base Distinguished Name — When adding a new LDAP server, Mideye Server retrieves the base Distinguished Name automatically.
• Removal of Embedded Java Virtual Machine — Mideye Server 4.3.0 no longer includes Java Virtual Machine (JVM) and it must be installed separately before the installation. This allows more frequent updates of JVM independently from the Mideye Server.
• Removal of Alarm Manager — Alarm Manager service, installed along with Mideye Server in previous versions, has been removed.
• Removal of Radius Accounting — The RADIUS accounting server (used to run on port 1813) has been removed.

• Windows services start-up — Fixed a bug causing the Mideye windows services not to start automatically after executing windows updates or rebooting the server.

• R4.2.4 feature support in Windows — All enhancements and bug corrections in 4.2.4 are included in 4.2.5 and made available for Windows.
• Support for client certificate authentication for the administrative web interface — Client certificates can be generated from the default server certificate that is generated during server installation, and the administrative web interface can be configured to require a client certificate to grant access.

bugfix

• Increased maximum length of LDAP group names — In previous releases, the maximum length of LDAP group names was limited to 30 - characters in order for the accounting to work properly. The limit has been increased to 200 characters.

• Support for secondary mobile number in LDAP — If no mobile number is found in the assigned (primary) mobile attribute, Mideye can be configured to continue the search in a secondary attribute (e.g. ‘otherMobile’).
• Default support for SSL in the administrative web interface — The administrative interface is per default protected with SSL, and a self-signed certificate is generated during the installation.
• Enhanced and modified presentation of logs via the administrative web interface — Several log files in the directories /opt/mideyeserver/log/ and /opt/tomcat/logs/ can be viewed via the administrative web interface. It is possible to add/exclude files, and also to add other folders. The logs are presented in a separate window and are not protected with the web interface login. It is recommended to restrict web interface access to specific IP addresses, thereby allowing/restricting log access to e.g. helpdesk personnel.
• SNMP traps — Support for SNMP traps is introduced. The Mideye PEN is 40761.
• Support for wild-card group check in Active Directory — AD group membership can be specified as a Java regular expression. ‘CN=mideyeusers,.\*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com’. This feature is only valid for Active Directory.
• Java and Tomcat update — Java is updated to Java SE Runtime Environment (build 1.7.0\_11-b21), and as web server TomEE 1.5.1 with Apache Tomcat Version 7.0.34 is used.

bugfix

• Handling hanging LDAPS connections — The LDAP connection timeout parameter is modified to include the LDAP connection pool avoiding the risk of overload in case of hanging LDAPS connections.
• Authentication type CONCAT for database users — Authentication type CONCAT now works also for database users. (Bug introduced in 4.1).
• Event Viewer disabled on Linux installations — It is no longer possible to enable the Event Viewer on Linux installations.
• Special characters in RADIUS shared secret — Special characters (e.g. å, ä, ö) are now allowed in the RADIUS shared secret.
• Help button active on Linux installations — The Help button in the Configuration Tool is now active also on Linux installations.
• Automatic database upgrade on Linux — Database scripts are now executed automatically when doing upgrades on Linux systems.

• Configuration Tool enhancements — Config Tool can now automatically identify and upgrade an existing Mideye database (from R3.0 and later). Config Tool automatically prompts for Admin rights when started.
• RADIUS Server enhancements — Pre-configured Norwegian and Finnish RADIUS reply messages. RADIUS server names can be up to 200 characters long (previously limited to 20 characters).
• RADIUS Client enhancements — RADIUS clients can be renamed. RADIUS client names can be up to 200 characters long (previously limited to 16 characters). The RADIUS shared secret must be specified (the field cannot be left empty).
• LDAP Server enhancements — LDAP search base can contain ‘/’ signs. LDAP connection test does not return false positive if the password field is empty.
• Number correction enhancements — Numbers containing only one parenthesis are auto-corrected if number correction is activated.
• Accounting enhancements — Group names up to 200 characters supported (previously limited to 30 characters).
• Number filtering in Mideye Server — Mobile numbers (and token serial numbers) that do not follow the required formats are blocked in the Mideye Server before an OTP delivery/verification request is forwarded to the Mideye Switch. For mobile numbers, this means that they must start with a + – sign and contain 3 to 20 digits. Note that this means that mobile numbers in the format 07xxxxx and 00xxxxxxx that previously have occasionally been working are now blocked. Customers with these number formats are recommended to apply automatic number correction in the Mideye Server.
• LDAP-RADIUS translation enhancements — LDAP-RADIUS translation is no longer case-sensitive. LDAP-RADIUS wildcard translation is supported, whereby a translation rule can be specified as a Java regular expression (e.g. ‘CN=mideyeusers,.\*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups, DC=mideye,DC=com’).

bugfix

• LDAP-RADIUS translation — It is no longer needed to activate the ‘Read optional attribute flag’ in order to use LDAP-RADIUS translation (4.2.2 bug resolved in 4.2.3).
• Authentication with suffixes fails when user search continues to next LDAP server — Authentication with user-name suffixes (e.g. @TOKEN, @MOBILE) now works also when the user search continues to the next LDAP server in the search base (4.2.2 bug resolved in 4.2.3).
• Help buttons not active — Help buttons in the Configuration Tool are now active again (4.2.2 bug resolved in 4.2.3).
• Auth Type = CONCAT gives an unhandled error when group check fails — Failed group check when using authentication type CONCAT is now properly handled. (4.2.2 bug resolved in 4.2.3).
• Web Admin access from a remote computer — The Administrative Web Interface is automatically configured to allow access from a remote computer (4.2.2 bug resolved in 4.2.3).
• Nested group selected without specified groups gives an error — ‘Search nested groups’ can now be selected in Config Tool also when no group selection has been specified (4.2.2 bug resolved in 4.2.3).

• Linux package enhancements — Native look-and-feel in Mideye Config Tool on Linux. Possibility to execute Mideye Config Tool from any directory. Simplified setup of X11 over SSH (making it possible to execute Mideye Config Tool from another workstation).

bugfix

• Not possible to delete a RADIUS client that has an LDAP server assigned — This bug is resolved.
• List of pending authentications is cleared after OTP expiry — The internal Mideye Server list of pending authentications is cleared after OTP expiry, instead of every 5 minutes. This means RADIUS clients that fail to increment the RADIUS packet identifier will not cause user lockout longer than the OTP validity time (default 60 seconds). This resolves a usability issue with e.g. Citrix Access Gateway Standard Edition.
• Config Tool enhancements — Config Tool no longer prompts to save unsaved changes when setting up a database for the first time. Miscellaneous enhancements concerning Return key, database name and LDAP Server test connection.

• User search via config tool fails if Authentication Type = 1 — 4.2.0 bug resolved in 4.2.1.
• Web Admin ROOT password cannot be changed when using two-way encryption — 4.2.0 bug resolved in 4.2.1.
• Limited length of user password — In previous releases, the static password maximum length was 48 characters for LDAP users and 16 characters for database users. Both these limitations have been removed.
• Unlimited number of log lines presented via Web Interface — 4.1.0 bug resolved in 4.2.1. The number of log lines presented via the Administrative Web Interface is now limited to the number specified in the filter settings.
• New address field for database connection in Config Tool — In 4.2.1, the database connection address field in the Mideye Configuration Tool is modified. This resolves previous issues when specifying external databases.

• LDAP over SSL — Support for SSL protection of connections to LDAP servers. This is implemented via an optional checkbox in the LDAP Server tab of Mideye Configuration Tool. LDAP server certificates can be automatically downloaded.
• Continued LDAP search in case of group membership requirements not fulfilled — In case a user account is found in an LDAP repository but does not fulfill the specified group membership requirements, the user search continues to other repositories (if more repositories are defined). In previous releases, an access reject was immediately returned if group membership requirements were not fulfilled, which caused the user search to be discontinued.
• Removal of user name suffixes and prefixes — As an option, suffixes and prefixes added to user names in the RADIUS access request can be removed before the user name is searched in the user repository. The removal (suffix or prefix, and separator) is specified on a per-RADIUS-client basis.
• Accounting filtering based on LDAP repository and department — The accounting filtering is enhanced with the option to filter data based on which LDAP server and department the user belongs to. The optional Department attribute is specified in the Mideye Configuration tool. This attribute is read from the user repository and stored in the accounting database in Mideye. Mideye accounting granularity is thereby enhanced, facilitating distribution of Mideye costs based on which LDAP server and department the user belongs to.
• Enhanced encryption of passwords in the internal database — An enhanced one-way hash encryption is added as an option for passwords stored in the internal database. This encryption alternative cannot be reversed.
• Increased size of database fields — Database fields with variable input length, such as LDAP search bases and group names, have been increased to the maximum size allowed by the respective database (MS SQL and MySQL).

• Log enhancements — The Mideye Server logging functions are enhanced. With this release, the logging facility is implemented as a separate service that is configured via the Mideye Configuration Tool. Separate logs are written for the three main services Alarm Manager, RADIUS Server and Administrative Interface. For each log, the level of detail is specified (Error, Warning, Info, Debug, Trace). It is also possible to configure log messages to be forwarded to an external system according to the Syslog standard or to be written to the Windows Event Viewer. The Mideye Server can also be configured to generate emails for certain log events. This is specified directly in an XML file. A bug in previous releases when running on W2008, where the timestamps in the log file were specified with GMT instead of the local server time, is corrected.
• LDAP enhancements — The LDAP search function is enhanced with two configurable timeout parameters to improve serial search capabilities in multiple LDAP directories in case one LDAP server is faulty. A bug correction ensures that LDAP directories are searched in the order specified in the Configuration Tool.
• Automatic retries in case of failed service start-up — In case of Mideye services fail to start properly, subsequent re-starts are attempted with 5-minute intervals during a time period of one hour. This is to enable system recovery in case of start-up failure, e.g. after an automatic update of the server platform operating system.
• Installation and compatibility issues — An automated upgrade package from Mideye Server releases 3.0.1 - 4.0.3 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade requires a re-start of Mideye services. If SSL protection is implemented for the administrative web interface, certificates and the Tomcat server.xml file should be saved before performing the upgrade. - Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

• Enhanced database pool handling — Automatic recovery of faulty database connection whereby the connection is closed and removed from the pool. Also, no lower limit is set to the time a database connection is kept in the pool. Previously, the minimum time was 5 minutes, regardless of which value was specified via the Configuration Tool.
• Compatibility with SQL Server 2008 — Enhancement in the installation package, enabling compatibility with SQL Server 2008.

bugfix

• Configurable switch connection timeout — A bug correction whereby the switch connection timeout specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 60 seconds, regardless of which value was specified in the Configuration Tool).
• Installation and compatibility issues — An automated upgrade package from Mideye Server release 3.0 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade implies a re-start of Mideye services. Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

• Enhanced installation package — The new installation package is enhanced, e.g. it includes a notification that an SQL Server already exists on the server platform, if this is the case.
• Accounting support for phone numbers longer than 12 characters — Previously, phone numbers longer than 12 characters (including the ‘+’-prefix) were not written to the server accounting tables. In 4.0.1, numbers up to 20 characters (including the ‘+’-prefix) are written to the accounting tables.
• Password reset / expired information text included in Access Challenge — In case the static AD password has expired or needs to be reset, this information is presented to the end-user in the Reply-Message included in the RADIUS Access Challenge sent by the Mideye Server to the RADIUS client.

bugfix

• Configurable fallback retry parameter — A bug correction whereby the switch connection fallback retry specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 50, regardless of which value was specified in the Configuration Tool).

• New installation package — A new installation package, where the Mideye server is installed with an MSI file.

• Support for Mideye Plus authentication — Server release 4.0 supports Mideye Plus authentication. Mideye Plus enables login when the phone is outside of network coverage. For this to work, it is required that the user’s network operator has implemented support for Mideye Plus on the SIM card.
• Selection of ISO/UTF encoding on a per-RADIUS-client basis — In R4, UTF-8 or ISO8859\_1 encoding can be configured on a per-RADIUS-client basis. This enables handling of special characters (e.g. å, ä, ö, ¤, and €) in user names and passwords, which previously could cause problems because different RADIUS clients have implemented different character encoding schemes.
• Server keep-alive messages — Server keep-alive messages are sent with 10-minute intervals to the Mideye Switch. The keep-alive messages contain information about Mideye server release, system status (RAM used/available), the status of LDAP connections and the number of database connections in use. The purpose of this feature is to enhance the centralised supervision of the authentication service. The keep-alive function is enabled/disabled via the Configuration Tool.
• Blocking of LDAP accounts in the Mideye Server — For each LDAP server, a threshold can be defined in the Mideye Server. If for a given user, the number of consecutive failed LDAP authentications exceeds this threshold, the user is locked in the Mideye Server. A time period can be specified, after which the user is automatically unlocked. It is also possible to unlock the user via the Mideye Administrative Web Interface. The purpose of this feature is to prevent denial-of-service (DOS) attacks aimed at blocking LDAP accounts via Internet.
• Time-limited accounts for database users — An expiry date can be specified for user accounts in the internal database (database users). User accounts are automatically disabled when this date has been reached.
• Automated token card re-synchronisation — If a token card is more than 10 consecutive OTPs out of sync with the central system, but inside a sequence window of 100, the user can automatically re-sync the token card by generating a new OTP and entering it for validation. If this second OTP is within a sequence window of 10 OTPs from the first OTP, the user is granted access and the token card is re-synchronised. The time window for performing the re-synchronisation is 5 minutes from the time when the first OTP was entered for validation. If the RADIUS client supports Mideye reply messages (attribute 18 in RADIUS Access Reject), the user is informed that the token card is out of sync and that a new OTP is required. Automated token card re-synchronisation has been centrally implemented in the Mideye Switch. This means that the feature is automatically implemented for all Mideye Servers, regardless of release. However, the reply message informing the user that the token is out of sync and that a new OTP is required, is only implemented in Server release 4.0.
• Support for default RADIUS reply and error messages in different languages — Via the configuration tool, default RADIUS reply and error messages can be selected in English and Swedish.
• Enhanced number correction — Number correction is enhanced. Via the Configuration Tool, it can be selected if numbers within parentheses should be removed and if leading zeros after the default international prefix should be removed.

• ADFS Module improvements
  • Support for passwordless authentication with Mideye set as primary authentication provider.
  • Mideye AD FS module now comes with two adapters, allowing different configurations for each adapter.

enhancement

• ADFS Module enhancements
  • Support for update without previous uninstall.

bugfix

• ADFS Module bugfix
  • Possible to modify adapter friendly name without uninstall (only in single-node installations).

known issues

• Modifying adapter friendly name in ADFS farms still requires uninstall of secondary nodes.

• • Update requires a uninstall.
  • Uninstall of V3.0.0 is done with the install package.

• Added button to RADIUS configuration editor that sets correct permission for the ADFS-module.

• • Updated “Test Connection” tab GUI in ADFS Configuration Tool.
  • Updated language files.
  • Updated design of the login page.

bugfix

• Fixed a bug in ADFS Configuration Tool where changing language removed translations.

• Added functionality to show/hide OTP on login page.

bugfix

• Fixed a bug with supported OTP length.

• Added support for Yubikey.

• Added functionality in ADFS Configuration Tool for verifying Radius server connectivity.

enhancement

• Extended logging capabilities with ‘Off’ and ‘Warnings and Errors’ modes.

• Fixed a bug with users using the Android app.

• Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.

• Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.

enhancement

• Extended logging capabilities with ‘Info’ and ‘Debug’ modes.

bugfix

• Fixed a bug with user permissions.

• Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.

bugfix

• Fixed a bug with user permissions.