Release Notes

Stay up to date with the latest features, improvements and fixes for all Mideye products.

Mideye Server 6

Version 6.5.25

Bug Fix
System error in Mideye Shield (#2571)

Resolved a null-pointer exception that could occur when the AbuseInfo field was empty.

Bug Fix
Improved risk scoring for blocked login attempts (#2578)

Adjusted the score weight for login attempts blocked by static username filter rules to align with the score for “user not found” events. This improves scoring consistency and accuracy.

Bug Fix
Logging issue for blocked events (#2580)

Resolved an issue where the username was logged as NULL for events blocked by Mideye Shield static rules.

Enhancement
Authentication log filtering by client IP address (#2584)

Administrators can now filter authentication logs based on client IP address, improving troubleshooting and audit capabilities.

Known Issue
Issues if using installation wizard during first time setup

During installation, only Active Directory repositories can currently be selected in the installation wizard and CIDR subnet notation is not supported for RADIUS Client IPs or Source IPs.

Mideye Server 6

Version 6.5.23

Bug Fix
RADIUS thread pool size (#2415)

Fix of bug introduced in release 6.5 where the maximum RADIUS thread pool size did not follow the maximum pending RADIUS requests setting, which could lead to overloading in some situations.

Mideye Server 6

Version 6.5.22

Enhancement
Support for Palo Alto Client Source IP and Ivanti Tunnel Client Endpoint

As an alternative to Calling Station ID, Mideye Server can read the client IP address from the Palo Alto vendor-specific attribute 'Client Source IP' and the 'Tunnel Client Endpoint' attribute sent by Ivanti Connect Secure if present in the RADIUS Access Request.

Mideye Server 6

Version 6.5.20

Enhancement
Memory and performance optimization

Increased JVM initial memory allocation from 512M to 1024M for improved performance.

Enhancement
Database optimization
  • Added index on blocked attempts table for optimized queries.
  • Optimized query for cleaning up old blocked attempts.
Enhancement
Configurable retention policies

Introduced configurable retention periods for blocked attempts and IP ingestion cleanup, allowing flexibility in specifying cleanup duration with enhanced logging.

Enhancement
Platform upgrade

Updated OpenJDK to Eclipse Temurin OpenJDK 17.0.15 and migrated installer to 64-bit architecture.

Mideye Server 6

Version 6.5.17

Bug Fix
Magic Link API protocol

Fixed incorrect error message when user fails to respond to Touch Accept in the Mideye+ app.

Mideye Server 6

Version 6.5.16

Enhancement
Magic Link API protocol

Magic Link API protocol extended to include the parameter ‘title-text’.

Enhancement
Magic Link API protocol

Fixed bug where Magic Link API protocol parameter ‘authentication-text’ was not enforced for endpoints other than the default endpoint.

Mideye Server 6

Version 6.5.15

Enhancement
Mideye Server GUI

Improved the loading time in Mideye Server GUI when updating the dashboard and Authentication Logs.

Mideye Server 6

Version 6.5.14

Enhancement
Magic Link API protocol

The Magic Link API protocol has been extended to include all parameters that can be configured in the server GUI menu ‘Magic Link Endpoints’, submenu ‘User Messages for Touch Accept’.

Bug Fix
Empty password field

An empty password field is now accepted when the RADIUS client has been configured to ignore the password.

Bug Fix
EAP challenge-response

Fix to handle an EAP challenge-response dialog between the RADIUS client and NPS.

Mideye Server 6

Version 6.5.13

Enhancement
Mideye Shield

Mideye Shield is listed as a separate section in the server sidebar menu, with submenus for configuration, auto-blocked IPs and static filter rules. The shield service URL is changed to shield.mideye.com. Shield service connectivity health checks are only activated if the Mideye Shield service is enabled. Shield maximum load capacity is increased by immediately returning Access Rejects (instead of random delay), and by increasing the default Max Pending Requests parameter from 20 to 50 in the RADIUS Server configuration.

Bug Fix
Shield classNotFound Exception

Resolved LDAPS connection failures (classNotFoundException) when using Mideye Shield.

Bug Fix
RADIUS translation to VSAs when using MS-CHAPv2

Fixed MSCHAPv2 LDAP-RADIUS translation to use configured RADIUS VSA attribute instead of the hardcoded CLASS attribute.

Mideye Server 6

Version 6.5.12

Feature
IP Shielding

A new central service provides real-time fraud rating of IP addresses for clients requesting access to Mideye-protected login services. The server can be configured to reject requests originating from IP addresses with a fraud score above a chosen level. This enables early-stage detection and rejection of attacks such as DoS, brute force, password spray and MFA fatigue, as well as preventing the flooding of authentication logs.

Feature
Automatic locking of inactive user accounts

An optional inactivity timeout for database accounts can be configured, after which accounts that haven’t made a successful login are locked. If enabled, this affects all database accounts except the root user.

Enhancement
Custom password policy for database users

The password policies for database accounts can be customized. Two policies are supported, one for passwords set by server administrators via the server GUI and one for passwords set by users via the login dialog. For temporary passwords that are set by server administrators, an optional timeout can be configured, specifying a maximum validity time of the password.

Enhancement
RADIUS filter can be configured to return Access Rejects

As an alternative to the silent discard of requests blocked by the RADIUS filter, a RADIUS Access Reject can be returned to the RADIUS client.

Enhancement
Separate log for blocked attempts

A new log page in the web GUI, Blocked Attempts, displays attempts that have been blocked by the RADIUS Filter or IP Shielding. Log information (timestamp, username, IP address) is retained for 48 hours.

Bug Fix
Switch failover logic

Modified switch failover logic to prevent the delay experienced by users logging in after the server has been idle for more than 10 minutes and fails to connect to the primary switch.

Bug Fix
Entra ID RADIUS translation

Fixed an issue preventing login to the server web GUI with Administrator / Operator Entra ID accounts due to failing RADIUS translation.

Bug Fix
Authentication Logs Filtering

Improved filtering of authentication logs by pausing the filtering action until the Apply button is pressed.

Mideye Server 6

Version 6.4.6

Security
Message-Authenticator for PAP

As a further enhancement following CVE-2024-3596 (BlastRADIUS), RADIUS clients can now be configured to include the Message-Authenticator (attribute 80) in all responses, as well as require a message authenticator to be present in all RADIUS access requests. This fix is required for interworking with some later releases of RADIUS clients, e.g. Fortigate 7.2.10.
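The request-side check that "require a message authenticator" implies, as an added example (not Mideye's code): it recomputes the HMAC-MD5 over an Access-Request with the attribute 80 value zeroed and rejects packets where it is absent or wrong. The function names, shared secret and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute, 16-byte HMAC-MD5 value


def parse_attributes(packet):
    """Return (declared_length, [(type, value_offset, value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns packet")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return length, attrs


def check_access_request(packet, secret, require_message_authenticator=True):
    """Classify an Access-Request as 'accept', 'missing', 'invalid' or 'malformed'."""
    try:
        length, attrs = parse_attributes(packet)
    except ValueError:
        return "malformed"
    if packet[0] != ACCESS_REQUEST:
        return "malformed"
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        # Without the attribute nothing binds the attributes to the shared
        # secret, so a strict policy rejects the request here.
        return "missing" if require_message_authenticator else "accept"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "invalid"
    offset, received = found[0]
    # The HMAC covers the whole packet with the attribute value set to zero.
    zeroed = bytearray(packet[:length])
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "accept" if hmac.compare_digest(expected, received) else "invalid"


def build_access_request(identifier, request_authenticator, username, secret, sign=True):
    """Build a constructed sample Access-Request (User-Name only, for the demo)."""
    attrs = b""
    if sign:
        # Placed first in the attribute list, value zeroed until the HMAC is known.
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    attrs += bytes([USER_NAME, 2 + len(username)]) + username
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + request_authenticator + attrs)
    if sign:
        packet[22:38] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


if __name__ == "__main__":
    secret = b"constructed-secret"          # sample value, not a real secret
    authenticator = bytes(range(16))        # sample Request Authenticator
    signed = build_access_request(7, authenticator, b"alice", secret)
    unsigned = build_access_request(7, authenticator, b"alice", secret, sign=False)
    tampered = bytearray(signed)
    tampered[40] ^= 0x01                    # flip one bit in the User-Name value
    for name, pkt in (("signed", signed), ("unsigned", unsigned),
                      ("tampered", bytes(tampered))):
        print(name, check_access_request(pkt, secret))
```
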

Mideye Server 6

Version 6.4.5

Bug Fix
MS-CHAPv2 challenge-response stops working after Microsoft patch KB5040437

Additional fix to handle the challenge-response dialog after the KB5040437 security upgrade is deployed in Microsoft NPS. Complements the fixes introduced in versions 6.4.3 and 6.4.4.

Mideye Server 6

Version 6.4.4

Bug Fix
MS-CHAPv2 stops working after KB5040437

In this release, we have implemented a complete fix for the issue where MS-CHAPv2 stops working after the KB5040437 security upgrade is deployed in Microsoft NPS. This update corrects the initial fix introduced in version 6.4.3.

Mideye Server 6

Version 6.4.3

Bug Fix
MS-CHAPv2 stops working after KB5040437

An initial fix for the MS-CHAPv2 issue related to the KB5040437 security upgrade in Microsoft NPS was introduced in this release. However, further refinement was needed to fully resolve the problem. Please refer to version 6.4.4 for the complete fix.

Mideye Server 6

Version 6.4.2

Enhancement
Support for IP subnets

RADIUS client and shared secret IP addresses can now be specified with IP subnet masks in CIDR format, e.g. 192.168.1.0/24.

Enhancement
Support TOTP in Auth Type 4

Authentication type 4 (CONCAT) now also supports on-prem TOTP.

Bug Fix
Web GUI

Web GUI encounters an error when viewing Authentication and Audit Logs.

Mideye Server 6

Version 6.3.2

Bug Fix
Authentication types 2,3,4,9,10,11 missing in Accounting logs

Authentication types 2,3,4,9,10,11 were missing in the Accounting logs. This issue has been resolved in this release.

Mideye Server 6

Version 6.3.1

Feature
RADIUS blocking filter

To prevent spamming of server logs, and to counter server overload attacks, custom RADIUS filter rules can be configured in the Mideye server. The filter can block usernames and client IPs that do not meet specified criteria. Blocked requests are silently discarded, are not written to the authentication log table, and do not initiate searches in user repositories.

Enhancement
Separation of server web GUI and self-service portal login

The self-service portal can now be published separately from the server web GUI, accessible on a dedicated port and configured as a separate RADIUS client.

Enhancement
TOTP soft token seeds in LDAP repository

TOTP soft token seeds can be stored in an LDAP repository instead of the Mideye database. This reduces the need for database clustering.

Bug Fix
  • Persistent sort order when reloading page. The selected sort order in the web GUI now persists when the page is reloaded.
  • Not possible to delete hybrid account if the corresponding LDAP account is not found
  • Not possible to create hybrid accounts in Mideye for Azure AD accounts.
Mideye Server 6

Version 6.2.10

Bug Fix
Not possible to verify and change the RADIUS secret via the server web GUI.
Mideye Server 6

Version 6.2.9

Bug Fix
Truncated SMS text in Magic Link migration from release 6.1.
Mideye Server 6

Version 6.2.8

Feature
Assisted Password Reset

The Mideye server provides a web portal for password reset, using the Assisted Login mechanism to give two independent factors of authentication. A user that needs to reset his/her static password contacts an authorized approver and initiates the password reset process with username and second-factor authentication (Mideye+ or SMS-OTP). The authorized approver is required to approve the reset in the Mideye+ app before the user is allowed to specify a new password.

Security
  • Read access to application-prod.yml configuration file on Windows is now limited to server administrators.
  • GUI Operators and Administrators could access password hashes via the server API. This is now blocked.
  • Some server API endpoints were available to GUI Operators, although the corresponding views are blocked for Operators in the GUI. Authorization control of server API and web GUI is now aligned.
  • Server info (release version, operating system and database) was available via server web GUI also to non-authenticated users. This is now blocked.
Enhancement
Assisted Login
  • Improved logging for Assisted Login. In addition to more detailed Info-level logging of events, Assisted Login details are now also saved in separate Audit logs for longer retention to facilitate future security audits.
  • The message title 'Assisted Login Request' is now configurable. This title in the Mideye+ app was previously hard-coded, and can now be modified in the RADIUS Server configuration menu.
  • The lead text to the Assisted Login challenge message requesting Approver identity (previously hardcoded as 'Enter Approver ID') can now be configured in the 'User Messages' tab of the RADIUS Server configuration menu.
  • User name presented to approver in app can be configured. Previously, the username entered by the user was presented. Now the AD Display Name is presented per default, but it can be modified in the Assisted Login configuration.
  • A RADIUS client display name can now be configured. If configured, this display name is presented to the Assisted Login approver instead of the internal Mideye client name.
  • Support for RADIUS session termination cause. The termination cause is now presented in the RADIUS session logs, as well as in the session list in the app.
  • The Assisted Login approver search now continues through the entire search base to find a member of the approver group, not only stopping at the first match.
  • Assisted Login now works with user and approver accounts also in repositories other than Active Directory (e.g. OpenLDAP), as well as with accounts in the Mideye database.
  • Assisted Login now also works for approvers that haven't activated Mideye+. Instead, they can approve the login with a Magic Link.
  • Triggering of Assisted Login with AD groupname keywords. User and approver group membership is specified using wildcards, where the specified part indicates if it's a user or an approver. The remaining (wildcard) part must match between the user and approver. This enables separation of access to multiple systems, without having to specify a separate Assisted Login profile for each system.
Enhancement
Magic Links
  • More flexible Magic Link configuration, including support for multiple endpoints.
  • Assisted Login with Magic Link endpoints. Approvers are listed to the user in the Magic Link landing page.
  • Magic Link added as an option when searching/filtering authentication logs based on Authentication Type.
  • More detailed logging for Magic Link events in the authentication Logs.
Enhancement
RADIUS
  • Comment field added to RADIUS shared secrets. Optionally, a comment can be added when creating/editing a shared secret, and this field is displayed when presenting the list of shared secrets.
  • More informative log messages in case of RADIUS accounting requests being rejected.
  • Modified LDAP-RADIUS translation configuration and logic. Now more than one LDAP attribute can be translated.
  • Option to filter out ongoing sessions in the RADIUS sessions logs.
Enhancement
Mideye GUI
  • Mideye user search based on phone and token number. Mobile phone and token serial number are added as search parameters when searching for user accounts in the Mideye database.
  • Mideye GUI. Clone objects. It is now possible to clone existing objects (LDAP profiles and RADIUS clients) to simplify creation of new objects.
  • Mideye users table. A column is added with an icon indicating if an on-premise token (software or hardware) is assigned to the user.
  • Root password reset. A new forms-based password utility avoids character encoding problems.
  • For Windows installations, a link to the web GUI is added from the desktop and start menu.
  • LDAP and Azure AD connection status indication. The status of connections to user repositories is indicated both in the Directory Settings menus and in the Health Checks menu of the dashboard.
  • User search option now available in the LDAP profile configuration menu.
Enhancement
Certificate Management
  • Enhanced presentation of certificates in the Certificate Management menu in the web GUI.
  • Support for CSR generation with existing keys and import of new certificate signed by the CA.
Enhancement
On-Prem Tokens
  • Support for on-prem HOTP tokens provided by default.
  • Support for automatic re-synchronisation of OATH (HOTP and TOTP) tokens via RADIUS.
Enhancement
Server Logs
  • Support for download of server log files via the web GUI.
  • The host name is now included in the authentication log details. This facilitates troubleshooting when multiple Mideye servers share the same database.
  • Possibility to filter away successful authentications for specified usernames from the authentication logs. This is to prevent certain accounts, e.g. keep-alive probes, from spamming the authentication logs.
  • Stack traces removed from info-level logs in order to prevent log spamming.
  • Authentication results including username and phone number are included at Info-level in the log file.
Enhancement
Service Monitoring

Every hour, the server sends a message to the Mideye Switch with information about server release version, platform version, service connectivity status and server time.

Bug Fix
Assisted Login
  • Password hashes removed when admins (Operator or higher) call /api/mideye-users to list users.
  • Limited length of LDAP group name. When specifying LDAP groups in the Web GUI (submenu LDAP Profiles), the group name length was limited to 255 characters.
  • Export of accounting data. In previous versions of R6, only the accounting data currently displayed on the screen was exported to a csv file. Now data from the entire selected period is exported.
  • Assisted Login approver search fails with Azure AD because the list users API only returns the first 100 users.
  • Fix of bug where hanging MAS communication could block Assisted Login Touch Accepts.
  • Incorrect links to Mideye documentation in the bottom of the server GUI are now fixed.
  • Assisted Login auth type is not overwritten the Azure AD default auth type when the userPrincipalName is specified in the Assisted Login profile.
  • Assisted Login user search does not work with nested groups.
  • Not possible to set expiration date for Mideye database hybrid accounts.
  • Authentication type Shared account not working with mobile numbers in AD attribute otherMobile.
Mideye Server 6

Version 6.1.4

Feature
Magic Link authentication

A new authentication mechanism whereby the user is authenticated with a magic link distributed via SMS. This enables SMS authentication also for RADIUS clients that lack support for challenge-response. The magic link authentication mechanism is applied for users with Authentication Type 6 (Touch) that haven't activated Mideye+.

Feature
Magic Link authentication API

As an alternative to RADIUS, the Mideye server provides a REST API with the user's phone number and some optional usability parameters as input.

Feature
Hybrid LDAP accounts

User accounts read from an external LDAP repository can be duplicated in the Mideye Server database. User parameters such as Authentication Type, mobile number, token number, etc., can be assigned to the account in the Mideye server instead of in the user repository, and will override the information read from the user repository.

Security
Security
Fix of crypto bug in Java (CVE-2022-21449).
Enhancement
Username filtering

The configuration of RADIUS client username filtering is enhanced to allow the removal of blank spaces or any specified characters from usernames before the authentication request is processed.

Enhancement
Switch failover logic

Enhanced redundancy logic when the Mideye server fails over to a backup switch.

Enhancement
GUI menu rearrangement

Web GUI submenu 'Locked Users' moved from section 'Users and Tokens' to section 'Directory Settings'.

Mideye Server 6

Version 6.0.2

Feature
TOTP tokens with on-premise seeds

Support for TOTP (OATH) software and hardware tokens where the token seeds are stored in the on-premise Mideye server database, making token validation independent of the central Mideye service. Users can activate a soft token via a self-service web portal, where they also can manage their own soft and hard tokens. Administrators can import hardware tokens via the GUI, and assign both soft and hard tokens to users. The authentication logic can be configured to either use the TOTP token as fallback to the default authentication type (typically Touch Accept), or as the primary authentication type (with no connection to the Mideye central service).

Feature
HOTP hardware tokens with on-premise seeds
Enhancement
New web GUI

A new web Graphical User Interface for the Mideye Server, with a more intuitive menu structure.

Enhancement
JRE 17

Upgrade of the bundled Java platform from Java 8 to Java 17. Spring Boot upgraded to 2.6.6.

Enhancement
Encryption of shared secrets

RADIUS shared secrets are encrypted in the Mideye server database.

Bug Fix
Improved database error handling in Windows

In case of DB connection failure, the Mideye Server now fails within 1 minute and stops the service. Only concerns Windows platforms.

Bug Fix
HTTP headers in server GUI

Security fix in the server web GUI. Content-Security-Policy HTTP security header is added.

Bug Fix
PAP password change

Directory policies for the new password are now enforced.

Bug Fix
HTTP proxy configuration

Incorrect status of the checkbox 'Use Proxy' in the proxy configuration via the web GUI is fixed. The connection to the MAS is now also affected if a proxy is configured.

Bug Fix
Usernames not editable

It is no longer possible to edit usernames of accounts in the Mideye server database.

Bug Fix
MS-CHAP for Assisted Login

Assisted Login now also works with MS-CHAPv2.

Bug Fix
Possible to specify a certificate alias

When importing LDAPS certificates, it is now possible to specify a certificate alias.

Mideye Server 5

Version 5.6.8

Enhancement
RHEL 8 support

Include service start files for RHEL 8 installation.

Mideye Server 5

Version 5.6.7

Enhancement
Cached health checks

Health checks are cached to reduce the load on mideyeserver.

Enhancement
LDAPS certificate with alias

LDAPS certificates can be imported with an alias.

Bug Fix
Fix certificate management UI

Fix certificate management UI and show proper error message when imported certificate is missing CN.

Mideye Server 5

Version 5.6.6

Bug Fix
Fix file-permissions in deb package

Set up proper file permissions in deb package.

Mideye Server 5

Version 5.6.5

Bug Fix
LDAP migration bug

Fixed a bug that affected the possibility to migrate certain LDAP profiles from R4 to R5.

Mideye Server 5

Version 5.6.4

Bug Fix
Password encryption bug

Fix of database user password encryption when upgrading from R4 to R5.

Security
Certificate validation

More stringent certificate validation in Mideye Server.

Mideye Server 5

Version 5.6.3

Enhancement
Removal of Log4j2 dependencies

All Log4j2 dependencies removed from classpaths. This blocks the possibility to manually modify the installation package and enable Log4j instead of the default R5 logging framework (Logback).

Mideye Server 5

Version 5.6.2

Security
TLS enhancement

TLS version 1.2 or higher enforced in the Mideye server.

Mideye Server 5

Version 5.6.1

Bug Fix
Unresponsive user search

Fix of performance issue with username filtering in authentication and accounting logs in the web GUI.

Mideye Server 5

Version 5.6.0

Feature
Shared account authentication

New authentication type (Auth Type 10) whereby multiple mobile numbers and token card serial numbers can be registered for a user account. In the login dialog, the user indicates which phone/token to use.

Enhancement
Java update

The bundled JRE is updated to Java 8u282. Oracle JRE is replaced by AdoptOpenJDK JRE.

Enhancement
Database detailed logs

More efficient database architecture for the Detailed Authentication logs. Note that existing Detailed Authentication logs will be lost at upgrade (the default retention time is otherwise 30 days).

Bug Fix
Fix of ‘Find User’ issue

Fix of issue whereby the ‘Find User’ button in the LDAP Profile menu of the Web GUI did not always return a correct result.

Mideye Server 5

Version 5.5.6

Bug Fix
Database cleanup

Improved database cleanup. Previous implementation could cause database connection to lock during cleanup of logentries table.

Enhancement
Cluster leader setting

New setting in configuration file, whereby a Mideye server can be configured as cluster leader (default=true). If set to false, database cleanup is disabled. This is to avoid simultaneous operations for clustered servers configured to use a common database.

Enhancement
Database read/write

More efficient way to write and read authentication log details. This solves a potential database deadlock problem.

Enhancement
Assisted login for federated users

Empty federation attributes are not sent to the Mideye+ app. If the approver doesn’t open the app before user login, a proper reply message is returned to ADFS.

Mideye Server 5

Version 5.5.5

Bug Fix
Memory leak

Fix of bug that caused memory leak if Hibernate cache was enabled.

Bug Fix
Number correction

Fix of index-out-of-bound-error in phone number correction.

Enhancement
Improved loading of authentication logs

Performance optimization speeding up the loading of authentication logs in the web GUI.

Mideye Server 5

Version 5.5.4

Feature
Azure AD support

Mideye Server can connect to Azure AD with the Microsoft Graph API to search user accounts.

Feature
Assisted Login for federated users

Assisted Login protection can be applied to federated accounts logging in via ADFS. External users can log in with their home company accounts, but access is only granted if the login is accepted by an internal approver.

Enhancement
Custom LDAP attribute values to logs

In the LDAP profile configuration, additional LDAP attributes can be specified and the corresponding values written to log files at a specified log level. Optionally, the values can also be written to the detailed authentication logs in the database.

Enhancement
Ignore LDAPS certificate validation

As an option, an LDAP profile can be configured to ignore certificate validation. This facilitates automation of LDAP profile provisioning via the server REST API.

Enhancement
Additional Assisted Login info to logs

The detailed log information is extended to also include more information relating to Assisted Login, e.g. the identifier of the Assisted Login profile that is being used.

Bug Fix
GUI user, role Operator

Fix of R5.4 bug whereby role Operator lacks access to the web GUI. Also a fix of a general R5 bug, whereby role Operator had write/delete access to some menus and APIs.

Bug Fix
Detailed log items not shown in authentication logs

Fix of bug in R5.4.4 whereby detailed log items, e.g. Assisted Login additional challenges and the corresponding responses, were not shown in the authentication logs.

Bug Fix
Checkboxes not working at first attempt

In the web GUI Assisted Login configuration, approver tab, checkboxes were not working the first time they were selected.

Bug Fix
Unexpected error in LDAP profile user search

Fix of bug resulting in an unexpected error when testing LDAP profile user search before the LDAP profile was configured.

Bug Fix
Assisted login approver ID not honored

Fix of R5.3 bug. When the approver ID attribute in the Assisted Login configuration was specified, this was not honored.

Bug Fix
User search with MSISDN not working

Fix of R5 bug. When testing user search via the LDAP profile configuration in the web GUI, MSISDN could not be used as user identity.

Bug Fix
LDAP profile user search

Fix of R5 bug. When testing user search via the LDAP profile configuration in the web GUI, the search did not return any results.

Mideye Server 5

Version 5.4.4

Enhancement
RADIUS client overview list

In the RADIUS clients configurations menu, the start page is modified by replacing the assigned Accounting Server column with assigned LDAP Profiles.

Bug Fix
Web GUI causing database overload

Fix of bug introduced in 5.3 whereby detailed authentication log queries from the Web GUI dashboard could cause overload in the database.

Mideye Server 5

Version 5.4.3

Bug Fix
Shared Secret Editing

Fixed a bug that prevented the editing of Shared Secret 128 and above when the Mideye Server contained more than 127 Shared Secrets.

Change
CentOS 6 & 7 yum repository change

When using yum to install and update the Mideye Server 5.x in CentOS 6 and CentOS 7, the repository folder structure has changed. See the “Linux RPM installation guide” on how to update the “mideye.repo” file to mirror this.

Mideye Server 5

Version 5.4.2

Feature
Require Mideye+

RADIUS clients can be configured to require that the Mideye+ app is activated for mobile phone users.

Feature
Require local authentication on phone

RADIUS clients can be configured to require that Mideye+ users must authenticate locally on the phone (biometric or PIN) before being able to accept a login.

Enhancement
Configuration and management menus
  • In the Vendor Specific Vendors configuration menu, vendors are listed in alphabetical order, and attributes are listed alphabetically in submenus for each vendor.
  • In the RADIUS clients configurations menu, the start page is simplified by removing some columns. In the Test client sub pages, the placeholder text in the challenge prompt is modified.
  • In the dashboard, certificate expiry is added as a separate information box. The Switch health check text is changed from ‘UP’ to ‘Connected’.
  • In the Certificate Management menu, a more informative error message is presented when the certificate subject is empty.
Enhancement
Authentication log

For failed Assisted Login attempts, the error message now distinguishes between approver not found and approver not authorized.

Enhancement
Automatic database re-connect

If the database connection fails at server startup, the Mideye Server makes automatic retries for a specified time period until connection has succeeded.

Bug Fix
RADIUS server concurrency issue

Fix of concurrency issue when RADIUS Server fails to re-start after configuration changes.

Bug Fix
Accounting timestamps

Timestamps in accounting logs are now presented in local time with correct timezone indicator.

Bug Fix
RADIUS client assignment for database users.

Fix of bug affecting database users in MS-SQL. It is now possible to add RADIUS clients.

Bug Fix
Vendor Specific Attributes

Data types are now shown correctly, and it is now possible to edit Vendor Specific Attributes.

Bug Fix
SSL certificate management

If CN is missing in an LDAPS certificate, the hostname is now used as certificate alias.

  • Bug in SSL certificate expiry monitoring is fixed.
Bug Fix
Authentication log info message
  • Fix of incorrect information message when Touch falls back to OTP due to data push delivery failure.
  • Fix of misleading information message when Approver account has missing/invalid phone number.
Bug Fix
Authentication logs

Fix of Authentication logs search filter.

Bug Fix
LDAP profile default values

Fix of incorrect default attribute names when LDAP server other than Active Directory is selected.

Security
Security

HTTP Trace and Track Methods are disabled in the administrative web interface, and X-Frame-Options response header is added.

Mideye Server 5

Version 5.3.5

Bug Fix
Server GUI unexpected error

Fix of GUI unexpected error that occurred if dashboard health indicators were clicked while loading.

Mideye Server 5

Version 5.3.4

Bug Fix
Windows installation package

  • “;” (semicolon) no longer needs to be inserted manually when using database-instances.
  • The old keystore is automatically removed when reinstalling the same version of the Mideye Server.

Bug Fix
Null pointer exception

Radius requests with null value NAS-ID and NAS-IP attributes will not cause a null pointer exception.

Mideye Server 5

Version 5.3.3

Feature
RADIUS session management

RADIUS sessions (session start, update and stop) for RADIUS clients that support Accounting are presented as a separate menu in the server web GUI. For RADIUS clients that support Disconnect Message, sessions can be terminated from the GUI.

Enhancement
Assisted Login

Assisted Login is enhanced with the following features

Feature
Management of assisted login sessions from the Mideye+ app
  • The Approver can see and disconnect approved sessions from the Mideye+ app.
Feature
Additional challenges
  • The User can be prompted to enter more information via additional challenges in the login dialog. This information is presented to the Approver in the Mideye+ app, and is logged for audit purposes.
Feature
Multiple Assisted Login profiles per RADIUS client
  • Multiple Assisted Login profiles can be assigned to a RADIUS client.
Feature
Enhanced authorization logic
  • The authorization logic for Assisted Login is enhanced both for Users and Approvers. Approvers can be selected based on a None/Any/All combination of assigned manager, group membership and specified users. The possibility for Approvers to approve sessions for themselves can be enabled/disabled in a separate checkbox. Users can be selected based on a None/Any/All combination of assigned authentication type, group membership and specified users.
Feature
Session and idle timeout specified in Assisted Login profile
  • The RADIUS session timeout and idle timeout can be specified in the Assisted Login profile, and are returned as attributes in the Access Accept.
Feature
Size limitation of user id and group name fields removed
  • The previous size limitation of user id and group name fields in Assisted Login configuration is removed.
Feature
Test of Assisted Login profiles in RADIUS client
  • When Assisted Login profiles have been added to a RADIUS client, the logic (match between Approver and User) can be verified in a test menu accessible from the Assisted Login tab in the RADIUS client configuration.
Enhancement
More detailed authentication logs

Entries in the authentication logs can be extended to view more detailed log information. Old log entries are automatically deleted after a specified retention period. The default retention period for basic authentication and session logs is 365 days. For detailed authentication information, the default retention period is 30 days.

Enhancement
Time-zone information in log files

Information about time zone is added to the time stamp in log files.

Bug Fix
Default OTP Presentation type 1

Default OTP Presentation type 1 (inbox SMS) now works also when the checkbox ‘Read Optional Attributes’ is selected.

Bug Fix
Either NAS IP or NAS ID must be specified

New check in the RADIUS client configuration in the web GUI that prevents NAS IP and NAS Identifier from being empty at the same time, which would cause RADIUS client identification to fail.

Bug Fix
Faulty RADIUS attribute links in LDAP-RADIUS translation

Incorrect links associated with RADIUS attributes in LDAP-RADIUS translation are removed.

Bug Fix
Not necessary to specify an LDAP profile

It is no longer required to specify an LDAP profile when editing a RADIUS client via the web GUI.

Bug Fix
NPE when saving SSL certificate missing CN attribute

Fix of null-pointer exception when an LDAP SSL certificate missing a CN attribute is saved.

Mideye Server 5

Version 5.2.3

Bug Fix
Debian package

Added files that were missing from the Debian package.

Mideye Server 5

Version 5.2.2

Bug Fix
R4 Migration Wizard

To prevent memory overflow, the import of R4 login statistics and accounting data is limited to the last 100 000 rows from the last year.

Mideye Server 5

Version 5.2.1

Feature
Password change in PAP

Support for password change in PAP, using additional challenges to prompt for a new password. This means that password change is now supported for database users. For LDAP users, this means an NPS is no longer required for password change.

Enhancement
Disable Auth Type 1 (Password)

Authentication Type 1 (Password) can be disabled per RADIUS client.

Enhancement
Certificate validation and export

Certificate management via the Web GUI is enhanced to include certificate path validation and an export function.

Enhancement
Enable blocking of self-personalized Yubikeys

Self-personalized Yubikeys can be blocked per RADIUS client by only allowing Yubicloud OTPs with the prefix cc.

Enhancement
Spam filter reset

The number of users affected by a spam filter lockout is shown in the RADIUS Server configuration menu.

Enhancement
Database configuration

The database configuration is now validated in the Windows Installation package. Database passwords containing double-quote characters (“) are now supported, as well as database instances.

Enhancement
Touch failed user message

A new user message is added for the case when Touch login fails.

Enhancement
Assisted login LDAP search

The LDAP user and approver search is improved, avoiding a duplicate search for the user. The approver search now continues to the next LDAP repository if the authorization check fails.

Enhancement
Dashboard

The Database and Switch connection status information in the GUI dashboard is improved.

Bug Fix
Reply message when phone not reachable

For Authentication Type 2 (Mobile), when the phone is not reachable and Mideye+ is not activated (SMS-OTP), the correct reply message is now returned.

Bug Fix
Locked LDAP users

LDAP users are now locked for the specified time period. The extra minute added in previous releases is removed.

Bug Fix
Assisted Login reject reply message

A reply message is added for the case when an Assisted Login is rejected because the Touch accept failed.

Bug Fix
Spam filter

Logins rejected by the spam filter are now shown in the logs. The login failure message when a login is rejected by the spam filter is changed from ‘Invalid/user password’ to ‘Too many attempts, try again later’, with a reference to how to manually reset the filter.

Bug Fix
Assisted login approver group membership

The approver group membership can now be specified using Java Regular Expressions.

Bug Fix
Default LDAP connect and read timeouts

The default LDAP connect timeout is changed to 2 seconds, and the read timeout is changed to 10 seconds.

Bug Fix
Handling of invalid RADIUS requests

When invalid RADIUS requests are discarded, they are now removed from the pending authentications list, thereby preventing the pending request counter from hitting the overload limit.

Bug Fix
Assisted login approver search

The search failed if the approver was not found in all LDAP profiles configured for the RADIUS client. This is now fixed; it is sufficient if the approver is found in one profile.

Mideye Server 4

Version 4.1.0

Feature
Log enhancements

The Mideye Server logging functions are enhanced. With this release, the logging facility is implemented as a separate service that is configured via the Mideye Configuration Tool. Separate logs are written for the three main services Alarm Manager, RADIUS Server and Administrative Interface. For each log, the level of detail is specified (Error, Warning, Info, Debug, Trace). It is also possible to configure log messages to be forwarded to an external system according to the Syslog standard or to be written to the Windows Event Viewer. The Mideye Server can also be configured to generate emails for certain log events. This is specified directly in an XML file. A bug in previous releases when running on W2008, where the timestamps in the log file were specified with GMT instead of the local server time, is corrected.

Feature
LDAP enhancements

The LDAP search function is enhanced with two configurable timeout parameters to improve serial search capabilities in multiple LDAP directories in case one LDAP server is faulty. A bug correction ensures that LDAP directories are searched in the order specified in the Configuration Tool.

Feature
Automatic retries in case of failed service start-up

If Mideye services fail to start properly, subsequent restarts are attempted at 5-minute intervals during a period of one hour. This is to enable system recovery in case of start-up failure, e.g. after an automatic update of the server platform operating system.

Feature
Installation and compatibility issues

An automated upgrade package from Mideye Server releases 3.0.1 - 4.0.3 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade requires a re-start of Mideye services. If SSL protection is implemented for the administrative web interface, certificates and the Tomcat server.xml file should be saved before performing the upgrade. Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

Mideye Server 4

Version 4.0.3

Feature
Enhanced database pool handling

Automatic recovery of faulty database connection whereby the connection is closed and removed from the pool. Also, no lower limit is set to the time a database connection is kept in the pool. Previously, the minimum time was 5 minutes, regardless of which value was specified via the Configuration Tool.

Feature
Compatibility with SQL Server 2008

Enhancement in the installation package, enabling compatibility with SQL Server 2008.

Bug Fix
Configurable switch connection timeout

A bug correction whereby the switch connection timeout specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 60 seconds, regardless of which value was specified in the Configuration Tool).

Bug Fix
Installation and compatibility issues

An automated upgrade package from Mideye Server release 3.0 is available. The upgrade package includes the execution of database scripts and replacement of jar files. The upgrade implies a re-start of Mideye services. Upgrade from releases prior to Mideye Server 3.0 is not supported, and requires a new server installation.

Mideye Server 4

Version 4.0.2

Feature
Enhanced installation package

The new installation package is enhanced, e.g. it includes a notification that an SQL Server already exists on the server platform, if this is the case.

Feature
Accounting support for phone numbers longer than 12 characters

Previously, phone numbers longer than 12 characters (including the ‘+’-prefix) were not written to the server accounting tables. In 4.0.1, numbers up to 20 characters (including the ‘+’-prefix) are written to the accounting tables.

Feature
Password reset / expired information text included in Access Challenge

In case the static AD password has expired or needs to be reset, this information is presented to the end-user in the Reply-Message included in the RADIUS Access Challenge sent by the Mideye Server to the RADIUS client.

Bug Fix
Configurable fallback retry parameter

A bug correction whereby the switch connection fallback retry specified via the Configuration Tool is actually implemented. (In releases 3.0.0 – 4.0.1 it was always 50, regardless of which value was specified in the Configuration Tool).

Mideye Server 4

Version 4.0.1

Feature
New installation package

A new installation package, where the Mideye server is installed with an MSI file.

Mideye Server 4

Version 4.0.0

Feature
Support for Mideye Plus authentication

Server release 4.0 supports Mideye Plus authentication. Mideye Plus enables login when the phone is outside of network coverage. For this to work, it is required that the user’s network operator has implemented support for Mideye Plus on the SIM card.

Feature
Selection of ISO/UTF encoding on a per-RADIUS-client basis

In R4, UTF-8 or ISO8859_1 encoding can be configured on a per-RADIUS-client basis. This enables handling of special characters (e.g. å, ä, ö, ¤, and €) in user names and passwords, which previously could cause problems because different RADIUS clients have implemented different character encoding schemes.

Feature
Server keep-alive messages

Server keep-alive messages are sent at 10-minute intervals to the Mideye Switch. The keep-alive messages contain information about Mideye server release, system status (RAM used/available), the status of LDAP connections and the number of database connections in use. The purpose of this feature is to enhance the centralised supervision of the authentication service. The keep-alive function is enabled/disabled via the Configuration Tool.

Feature
Blocking of LDAP accounts in the Mideye Server

For each LDAP server, a threshold can be defined in the Mideye Server. If, for a given user, the number of consecutive failed LDAP authentications exceeds this threshold, the user is locked in the Mideye Server. A time period can be specified, after which the user is automatically unlocked. It is also possible to unlock the user via the Mideye Administrative Web Interface. The purpose of this feature is to prevent denial-of-service (DOS) attacks aimed at blocking LDAP accounts via the Internet.

Feature
Time-limited accounts for database users

An expiry date can be specified for user accounts in the internal database (database users). User accounts are automatically disabled when this date has been reached.

Feature
Automated token card re-synchronisation

If a token card is more than 10 consecutive OTPs out of sync with the central system, but inside a sequence window of 100, the user can automatically re-sync the token card by generating a new OTP and entering it for validation. If this second OTP is within a sequence window of 10 OTPs from the first OTP, the user is granted access and the token card is re-synchronised. The time window for performing the re-synchronisation is 5 minutes from the time when the first OTP was entered for validation. If the RADIUS client supports Mideye reply messages (attribute 18 in RADIUS Access Reject), the user is informed that the token card is out of sync and that a new OTP is required. Automated token card re-synchronisation has been centrally implemented in the Mideye Switch. This means that the feature is automatically implemented for all Mideye Servers, regardless of release. However, the reply message informing the user that the token is out of sync and that a new OTP is required, is only implemented in Server release 4.0.
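The re-synchronisation rule described above, as an added sketch that is not Mideye's code. The token is modelled as an RFC 4226 HOTP counter token, which is an assumption (the page does not say which OTP algorithm the token cards use), and the class name, key, return strings and exact window boundaries are hypothetical.

```python
import hashlib
import hmac
import struct

NORMAL_WINDOW = 10       # OTPs this close to the expected counter are accepted directly
RESYNC_WINDOW = 100      # OTPs further ahead, but inside this window, start a re-sync
SECOND_OTP_WINDOW = 10   # the second OTP must follow the first within this many steps
RESYNC_TIMEOUT_S = 300   # 5 minutes, counted from when the first OTP was entered


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP value (assumed stand-in for the token card's algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenValidator:
    """Hypothetical server-side state for one token card."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter   # next counter value the server expects
        self.pending = None      # (counter matched by first OTP, time it was entered)

    def _find(self, otp: str, start: int, span: int):
        """Return the first counter in [start, start + span) whose OTP matches."""
        for c in range(start, start + span):
            if hmac.compare_digest(hotp(self.key, c), otp):
                return c
        return None

    def validate(self, otp: str, now: float) -> str:
        # A re-sync is in progress: this OTP must come shortly after the first
        # one, both in sequence and in time. The pending state is single use.
        if self.pending is not None:
            first, entered_at = self.pending
            self.pending = None
            if now - entered_at <= RESYNC_TIMEOUT_S:
                c = self._find(otp, first + 1, SECOND_OTP_WINDOW)
                if c is not None:
                    self.counter = c + 1   # token and server agree again
                    return "accept-resynced"

        # Normal case: the token is at most a few presses ahead of the server.
        c = self._find(otp, self.counter, NORMAL_WINDOW)
        if c is not None:
            self.counter = c + 1
            return "accept"

        # Out of sync but inside the larger window: do not grant access and do
        # not move the counter; remember the match and ask for a new OTP.
        c = self._find(otp, self.counter + NORMAL_WINDOW,
                       RESYNC_WINDOW - NORMAL_WINDOW)
        if c is not None:
            self.pending = (c, now)
            return "resync-required"

        return "reject"
```

A single OTP from the larger window never grants access by itself, so widening the window for re-sync does not widen it for guessing; replayed OTPs fail because the counter only moves forward.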

Feature
Support for default RADIUS reply and error messages in different languages

Via the configuration tool, default RADIUS reply and error messages can be selected in English and Swedish.

Feature
Enhanced number correction

Number correction is enhanced. Via the Configuration Tool, it can be selected if numbers within parentheses should be removed and if leading zeros after the default international prefix should be removed.

ADFS Module

Version 3.1.0

Feature
ADFS Module improvements
  • Support for passwordless authentication with Mideye set as primary authentication provider.
  • Mideye AD FS module now comes with two adapters, allowing different configurations for each adapter.
Enhancement
ADFS Module enhancements
  • Support for update without previous uninstall.
Bug Fix
ADFS Module bugfix
  • Possible to modify adapter friendly name without uninstall (only in single-node installations).
Known Issue
Modifying adapter friendly name in ADFS farms still requires uninstall of secondary nodes.
ADFS Module

Version 3.0.0

Known Issue
  • Update requires an uninstall.
  • Uninstall of V3.0.0 is done with the install package.
ADFS Module

Version 2.3.4

Feature
Added button to RADIUS configuration editor that sets correct permission for the ADFS-module.
ADFS Module

Version 2.3.3

Feature
  • Updated “Test Connection” tab GUI in ADFS Configuration Tool.
  • Updated language files.
  • Updated design of the login page.
Bug Fix
Fixed a bug in ADFS Configuration Tool where changing language removed translations.
ADFS Module

Version 2.3.2

Feature
Added functionality to show/hide OTP on login page.
Bug Fix
Fixed a bug with supported OTP length.
ADFS Module

Version 2.3.1

Feature
Added support for Yubikey.
ADFS Module

Version 2.3.0

Feature
Added functionality in ADFS Configuration Tool for verifying Radius server connectivity.
Enhancement
Extended logging capabilities with ‘Off’ and ‘Warnings and Errors’ modes.
ADFS Module

Version 2.2.1

Bug Fix
Fixed a bug with users using the Android app.
ADFS Module

Version 2.2.0

Feature
Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.
ADFS Module

Version 2.1.0

Feature
Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.
Enhancement
Extended logging capabilities with ‘Info’ and ‘Debug’ modes.
Bug Fix
Fixed a bug with user permissions.
ADFS Module

Version 2.0.0

Feature
Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.
Bug Fix
Fixed a bug with user permissions.
Mideye Server 5

Version 5.1.3

Bug Fix
LDAP user locking release

Fix of bug ‘LDAP locking not released when using MS-CHAPv2’.

Bug Fix
Access reject with MS-CHAPv2

Fix of incorrect response authenticator in MS-CHAPv2 Access Reject messages. This bug caused multiple Touch prompts when access was rejected in the app.

Mideye Server 5

Version 5.1.2

Feature
Assisted login

A new authentication method, Assisted Login (Auth type 9), for LDAP accounts. Predefined users are authorized to approve access for external users to selected RADIUS clients. Access is approved in the Mideye+ app. This authentication method is intended for users that require temporary access to protected resources.

Feature
Certificate management via web GUI

Simplified administration of certificates for LDAPS and web GUI.

Feature
Managing RADIUS attributes via web GUI

New Vendor-specific Attributes (VSAs) can be added via the web GUI. Also, the default VSA list has been extended to include more vendors.

Feature
Spam filter reset

The OTP spam filter can be reset via the web GUI. This is to prevent users from being locked out if the Max Pending Requests queue is filled up, e.g. after a network incident.

Enhancement
RADIUS reply attributes displayed in test client

When using the test button for RADIUS clients in the web GUI, reply attributes are presented.

Enhancement
Server Accounting

Accounting filtering options are enhanced. It is also possible to export the result as a CSV-file from the web GUI.

Enhancement
Second challenge when token out of sync

If a token is out of sync, a second challenge is presented to the user requesting a new OTP to re-synchronize the token.

Enhancement
Search database users by token number

Database users can be searched using the token serial number.

Enhancement
Search base automatically created for LDAP profile

When creating an LDAP profile, the LDAP root search base is automatically populated when clicking the “Save” button.

Bug Fix
Mobile number missing in logs when Touch cannot be used

If authentication type Touch fails, the user’s phone number is now included in the log entry.

Bug Fix
Removed re-load redirect to web GUI dashboard

If reloading a page in the web GUI, the user now remains on the reloaded page.

Bug Fix
root user default profile

The Web Admin RADIUS client is now assigned to the root user by default.

Bug Fix
Redirect after root password change

Root user is now redirected to the web GUI dashboard when the password has been changed.

Bug Fix
Reply Message in Web GUI

RADIUS reply messages are now displayed in the Web GUI login.

Bug Fix
Timestamp in logs

Log timestamps are now shown in milliseconds instead of seconds.

Bug Fix
Top 5 Failing Users case sensitive

The Top 5 Failing usernames presented in the web GUI dashboard are now case-insensitive.

Bug Fix
MSISDN/token number validation in Mideye Server

Mobile number and token serial number formats are now verified in the Mideye Server before being forwarded to the Mideye Switch.

Bug Fix
Web GUI login hanging after timeout

Page re-load no longer required to login again after session timeout.

Mideye Server 5

Version 5.0.0

Breaking Change
Major release requires new server installation.

Mideye 5.0 requires a new server installation. A migration tool facilitates migration from releases 4.6.5 and later.

Feature
Server config via web admin

A new administrative web interface that also replaces the R3/R4 Configuration Tool. A new super administrator role is introduced, with the same rights as the root user.

Feature
Support for server config via REST API

As an alternative to server configuration via the administrative web interface, a REST API is provided for automated server configuration.

Feature
Configuration changes without restarts

Configuration changes no longer require service restarts to take effect.

Feature
RADIUS client identification based on NAS ID attribute

Improved selection of RADIUS clients based on RADIUS attribute 32 (NAS Identifier) which simplifies implementations with multi-login profiles originating from the same IP address.

Feature
Separate table for source IP – shared secret configuration

Specification of the shared secret is moved from RADIUS clients to a separate table, where source IPs and shared secrets are matched. A default shared secret can be specified that is matched to any IP that is not specified in the table.

Feature
NPS configuration separated from LDAP server configuration

Microsoft Network Policy Server (NPS) settings are moved from LDAP profile configuration to a separate NPS profile. This simplifies the re-use of the same NPS profile in multiple LDAP profiles.

Feature
Docker container support

Mideye server is now available as a Docker image as an alternative to Windows and Linux installation packages.

Feature
Debian support

Mideye server is now available as a Debian-based package in addition to the RPM-based package.

Feature
Enhanced server monitoring

Automatic health checks of Mideye Switch and database connections. Monitoring of LDAPS certificate expiry. Dashboard with login statistics and success rates.

Feature
Enhanced server accounting

Possible to select full calendar months in the web GUI for matching server accounting with monthly invoices.

Feature
Support for database login using NTLMv2
Mideye Server 4

Version 4.7.2

Bug Fix
Offline challenge (Mideye+) when phone not reachable, authentication type = 2, MSCHAPv2

In previous releases 4.6.X and 4.7.X, the manual offline challenge was not displayed for authentication type 2 (mobile) when MSCHAPv2 was used.

Bug Fix
Framed IP Address not returned for all IP addresses

In previous releases 4.6.X and 4.7.X, the Framed IP Address (RADIUS attribute 8) was not returned for IP addresses that were represented by a positive integer in Active Directory.

Mideye Server 4

Version 4.7.1

Feature
Support for EAP-authentication

Mideye now forwards any incoming RADIUS packets using EAP authentication to Microsoft NPS.

Bug Fix
Proxy-State

Mideye is now handling Proxy-State (attribute 33) correctly according to RFC 2865.

Bug Fix
User filtering for MS-CHAP-V2 and EAP

User-filtering for RADIUS-clients is now working for MS-CHAP-V2 and EAP. Before release 4.7.1, user-filtering only worked for PAP.

Mideye Server 4

Version 4.6.5.1

Bug Fix
Enabling Event-viewer logging for Windows Server caused Mideye-Radius service to crash

When enabling Event-viewer logging and restarting the Mideye-services, Mideye-RADIUS did not start.

Mideye Server 4

Version 4.6.5

Feature
Token-coupled Mideye+

With this feature, an OTP from a token card (MiniToken or YubiKey) is required when activating the Mideye+ app. As an enhanced security setting, RADIUS clients can be configured to only accept login with token-coupled Mideye+ apps or token cards.

Feature
Bundled JRE

The Java Runtime Environment (JRE) is bundled with the Mideye installation package and does not need to be installed separately.

Feature
Automatic read of Framed IP Address (RADIUS attribute 8) from Active Directory

As an option, Mideye reads the static IP Address (IP v4 only) assigned in Active Directory and returns it in the RADIUS Access Accept, attribute 8 (Framed IP Address).

Bug Fix
Incorrect logging of failed OTP deliveries

When authentication type 6, 7 or 8 (Touch) is selected, failed OTP deliveries for users without Mideye+ are now logged with the correct error message ('Phone not reachable').

Bug Fix
Multiple groups when using regex

Mideye Config Tool -> LDAP Servers -> Groups. Multiple LDAP groups can be specified using Java regular expressions. (Previously, only a single group could be specified when regular expressions were used).

Bug Fix
LDAP profile created with an invalid password

Mideye Config Tool -> LDAP Servers. Fix of a bug that caused unexpected behavior/error messages in case an LDAP profile was created with an invalid LDAP account password.

Bug Fix
Hanging web admin when MySQL connection lost

Fix of problem with hanging web admin when MySQL database connection was lost.

Mideye Server 4

Version 4.5.2

Feature
Support for Touch login with Microsoft Remote Desktop Services

By using authentication type 6 (Touch) it is possible to log in with Microsoft Remote Desktop Services (MS RDS) without using challenge-response. This means two-factor authentication with mobile phones can be achieved with the built-in RADIUS support in MS RDS.

Feature
Support for simplified Mideye+ activation

A new way to activate Mideye+ is introduced. A user no longer needs to enter the mobile phone number manually in the app. The user can activate Mideye+ by entering a '+' sign after the OTP in the challenge dialogue.

Feature
Support for authentication with YubiKey tokens

YubiKey tokens compatible with Mideye can be ordered from Mideye support. It is possible to specify a YubiKey identifier in the format 'ubbc0[7 digits]' as a valid token number.

Bug Fix
Root password to the administrative web interface is lost during an upgrade

In previous versions of the Mideye Server package for Windows, the root password to the administrative web interface was lost during upgrade.

Mideye Server 4

Version 4.4.4

Feature
LDAP-RADIUS translation with MS-CHAP

RADIUS attributes obtained from LDAP-RADIUS translation can now be returned in MS-CHAP Access Accept messages for authentication types PASSWORD (type 1) and TOUCH (types 6, 7 and 8). Previously, this was only possible with authentication types Mobile (type 2) and Token (type 3) when using MS-CHAP. (For PAP, attributes can be included for all authentication types).

Feature
Enhanced multiple-click suppression

The (optional) multiple-click suppression feature is enhanced to discard events where the user ignores or cancels OTP prompts.

Bug Fix
Authentication Attempts logs

Two bugfixes relating to the Authentication Attempt logs in the administrative web interface.

  • RADIUS client ID is now included also in case of challenge-response timeout when using MS-CHAP (previously this information was missing).
  • Rejects due to OTP spam filter are now explained in the info column also when using MS-CHAP (previously this information was missing).
Bug Fix
Upgrade scripts for Linux

Previously, the root user password for the administrative web interface was reset during the upgrade procedure. This is now fixed for Linux, but the problem remains in Windows (this will be addressed in the next release).

Mideye Server 4

Version 4.4.3

Bug Fix
Multiple-click suppression disabled

Multiple-click suppression is now disabled by default, since it is only applicable to certain RADIUS clients and caused some unexpected behavior.

Mideye Server 4

Version 4.4.2

Feature
Suppressing multiple-click logins

This feature suppresses multiple-click logins in RADIUS clients. It is enabled by default and can be configured via Mideye Configuration Tool, tab Radius Servers. Having this feature enabled prevents users from receiving numerous consecutive OTPs if they mistakenly keep pressing the login button in the client.

Feature
Improved overload handling

This feature improves overload handling by rejecting additional requests if the number of pending requests exceeds a threshold, the maximum number of pending requests, which can be configured via Mideye Configuration Tool, tab Radius Servers. This makes the Mideye Server more responsive in overload situations.

Feature
Preventing OTP spamming

This feature limits the number of OTP deliveries to a specific phone number within predefined time windows. The allowed number of OTP deliveries can be configured via Mideye Configuration Tool, tab Radius Servers.

Bug Fix
MS-CHAPv2 reject

A previous bug in MS-CHAPv2 reject is fixed. The bug caused some RADIUS clients to send a duplicate request after the first request had been rejected.

Mideye Server 4

Version 4.4.1

Feature
Support for Mideye+ Touch Accept

Mideye+ Touch Accept enables Mideye+ users to accept or reject the login directly using the Mideye+ client (on iOS and Android), see Figure 2.1. It improves user experience by removing the need to manually enter the OTP. The following are the requirements for Touch Accept to work.

  • Mideye Server 4.4.x
  • Mideye+ client version 3.x.x
  • Mideye+ is enabled in the customer’s profile in Mideye central system
Feature
New authentication types.

Introduction of three new authentication types, which differ in their fallback if the initial Touch Accept attempt fails (e.g. if the user lacks Internet connectivity).

  • Authentication type 6 (Touch) - No fallback if Touch Accept fails.
  • Authentication type 7 (Touch-Plus) - If Touch Accept fails, the fallback is Mideye+ manual signature.
  • Authentication type 8 (Touch-Mobile) - If Touch Accept fails, Mideye attempts to reach the Mideye+ app via SMS. If this also fails, the fallback is Mideye+ manual signature.
Feature
Mideye+ Touch Accept on Android client

Mideye+ Touch Accept is now available on the Android client.

Feature
Enhanced authentication attempts log in Web Administration Interface

This feature enhances the authentication attempts log with information about failed authentications. The authentication attempts log now also contains phone/token number and authentication type as well as the reason for failure.

Mideye Server 4

Version 4.3.3

Bug Fix
Mideye Server hanging problem while using Mideye Configuration Tool

This bug caused Mideye Server to hang when using Mideye Configuration Tool to modify a RADIUS Client.

Bug Fix
Fixed the challenge message when the password is expired

This bug caused database users to receive the message ‘Password needs to be reset’ if an LDAP user had to change the password prior to their login.

Mideye Server 4

Version 4.3.2

Bug Fix
Security issue

  • Prevent the exposure of the content of the WEB-INF folder.
  • Removed unused certificates to improve the security of Mideye Server - Mideye Switch communication.

Bug Fix
Log messages

  • Reduce the log level to warning when the Network Policy Server (NPS) is not configured.
  • Reduce the log level to debug when parsing an unknown Vendor Specific Attribute.

Mideye Server 4

Version 4.3.1

Feature
Password Change

Users in Active Directory can change their expired passwords during the logon process. This feature requires the use of the MS-CHAP v2 protocol and Network Policy Server (NPS).

Feature
MS-CHAP v2

Mideye Server supports the MS-CHAP v2 protocol. Mideye Server will automatically determine the authentication protocol used, PAP or MS-CHAP v2. To function properly, MS-CHAP v2 needs a configured NPS.

Feature
New Web Administration Interface
Mideye Server 4

Version 4.3.0

Feature
Mideye Server 4.3.0 includes a new Web Administration Interface.

The new Web Administration Interface is a web-based tool for managing the Mideye Server.

Feature
LDAP login to Web Administration Interface

The new Web Administration Interface allows login using an LDAP server.

Feature
Password Comparison Authentication

It is possible to use an alternative field for storing hashed passwords instead of the default Active Directory password field. See Appendix A: Password Comparison in the reference guide for more details.

Feature
Fortinet RADIUS attributes

Added Fortinet vendor specific attributes (Vendor ID: 12356) to the list of RADIUS attributes sent together with the final RADIUS Access Accept.

Feature
Automatic Retrieval of LDAP Base Distinguished Name

When adding a new LDAP server, Mideye Server retrieves the base Distinguished Name automatically.

Feature
Removal of Embedded Java Virtual Machine

Mideye Server 4.3.0 no longer includes Java Virtual Machine (JVM) and it must be installed separately before the installation. This allows more frequent updates of JVM independently from the Mideye Server.

Feature
Removal of Alarm Manager

The Alarm Manager service, installed along with Mideye Server in previous versions, has been removed.

Feature
Removal of RADIUS Accounting

The RADIUS accounting server (which used to run on port 1813) has been removed.

Mideye Server 4

Version 4.2.6

Bug Fix
Windows services start-up

Fixed a bug that prevented the Mideye Windows services from starting automatically after installing Windows updates or rebooting the server.

Mideye Server 4

Version 4.2.5

Feature
R4.2.4 feature support in Windows

All enhancements and bug corrections in 4.2.4 are included in 4.2.5 and made available for Windows.

Feature
Support for client certificate authentication for the administrative web interface

Client certificates can be generated from the default server certificate that is generated during server installation, and the administrative web interface can be configured to require a client certificate to grant access.

Bug Fix
Increased maximum length of LDAP group names

In previous releases, the maximum length of LDAP group names was limited to 30 characters in order for the accounting to work properly. The limit has been increased to 200 characters.

Mideye Server 4

Version 4.2.4 (Linux only)

Feature
Support for secondary mobile number in LDAP

If no mobile number is found in the assigned (primary) mobile attribute, Mideye can be configured to continue the search in a secondary attribute (e.g. ‘otherMobile’).

Feature
Default support for SSL in the administrative web interface

The administrative interface is protected with SSL by default, and a self-signed certificate is generated during the installation.

Feature
Enhanced and modified presentation of logs via the administrative web interface

Several log files in the directories /opt/mideyeserver/log/ and /opt/tomcat/logs/ can be viewed via the administrative web interface. It is possible to add/exclude files, and also to add other folders. The logs are presented in a separate window and are not protected with the web interface login. It is recommended to restrict web interface access to specific IP addresses, thereby allowing/restricting log access to e.g. helpdesk personnel.

Feature
SNMP traps

Support for SNMP traps is introduced. The Mideye PEN is 40761.

Feature
Support for wild-card group check in Active Directory

AD group membership can be specified as a Java regular expression. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com’. This feature is only valid for Active Directory.

Feature
Java and Tomcat update

Java is updated to Java SE Runtime Environment (build 1.7.0_11-b21), and TomEE 1.5.1 with Apache Tomcat version 7.0.34 is used as the web server.

Bug Fix
Handling hanging LDAPS connections

The LDAP connection timeout parameter has been modified to also cover the LDAP connection pool, avoiding the risk of overload in case of hanging LDAPS connections.

Bug Fix
Authentication type CONCAT for database users

Authentication type CONCAT now also works for database users (bug introduced in 4.1).

Bug Fix
Event Viewer disabled on Linux installations

It is no longer possible to enable the Event Viewer on Linux installations.

Bug Fix
Special characters in RADIUS shared secret

Special characters (e.g. å, ä, ö) are now allowed in the RADIUS shared secret.

Bug Fix
Help button active on Linux installations

The Help button in the Configuration Tool is now active also on Linux installations.

Bug Fix
Automatic database upgrade on Linux

Database scripts are now executed automatically when doing upgrades on Linux systems.

Mideye Server 4

Version 4.2.3

Feature
Configuration Tool enhancements

Config Tool can now automatically identify and upgrade an existing Mideye database (from R3.0 and later). Config Tool automatically prompts for Admin rights when started.

Feature
RADIUS Server enhancements

Pre-configured Norwegian and Finnish RADIUS reply messages. RADIUS server names can be up to 200 characters long (previously limited to 20 characters).

Feature
RADIUS Client enhancements

RADIUS clients can be renamed. RADIUS client names can be up to 200 characters long (previously limited to 16 characters). The RADIUS shared secret must be specified (the field cannot be left empty).

Feature
LDAP Server enhancements

The LDAP search base can contain ‘/’ signs. The LDAP connection test does not return a false positive if the password field is empty.

Feature
Number correction enhancements

Numbers containing only one parenthesis are auto-corrected if number correction is activated.

Feature
Accounting enhancements

Group names up to 200 characters supported (previously limited to 30 characters).

Feature
Number filtering in Mideye Server

Mobile numbers (and token serial numbers) that do not follow the required formats are blocked in the Mideye Server before an OTP delivery/verification request is forwarded to the Mideye Switch. For mobile numbers, this means that they must start with a ‘+’ sign and contain 3 to 20 digits. Note that mobile numbers in the formats 07xxxxx and 00xxxxxxx, which occasionally worked in previous releases, are now blocked. Customers with these number formats are recommended to apply automatic number correction in the Mideye Server.

Feature
LDAP-RADIUS translation enhancements

LDAP-RADIUS translation is no longer case-sensitive. LDAP-RADIUS wildcard translation is supported, whereby a translation rule can be specified as a Java regular expression (e.g. ‘CN=mideyeusers,.*’ will now match ‘CN=mideyeusers,OU=Stockholm,OU=Groups,DC=mideye,DC=com’).

Bug Fix
LDAP-RADIUS translation

It is no longer necessary to activate the ‘Read optional attribute flag’ in order to use LDAP-RADIUS translation (4.2.2 bug resolved in 4.2.3).

Bug Fix
Authentication with suffixes fails when user search continues to next LDAP server

Authentication with user-name suffixes (e.g. @TOKEN, @MOBILE) now also works when the user search continues to the next LDAP server in the search base (4.2.2 bug resolved in 4.2.3).

Bug Fix
Help buttons not active

Help buttons in the Configuration Tool are now active again (4.2.2 bug resolved in 4.2.3).

Bug Fix
Auth Type = CONCAT gives an unhandled error when group check fails

A failed group check when using authentication type CONCAT is now properly handled (4.2.2 bug resolved in 4.2.3).

Bug Fix
Web Admin access from a remote computer

The Administrative Web Interface is automatically configured to allow access from a remote computer (4.2.2 bug resolved in 4.2.3).

Bug Fix
Nested group selected without specified groups gives an error

‘Search nested groups’ can now be selected in Config Tool even when no group selection has been specified (4.2.2 bug resolved in 4.2.3).

Mideye Server 4

Version 4.2.2

Feature
Linux package enhancements

Native look-and-feel in Mideye Config Tool on Linux. Possibility to execute Mideye Config Tool from any directory. Simplified setup of X11 over SSH (making it possible to execute Mideye Config Tool from another workstation).

Bug Fix
Not possible to delete a RADIUS client that has an LDAP server assigned

This bug is resolved.

Bug Fix
List of pending authentications is cleared after OTP expiry

The internal Mideye Server list of pending authentications is cleared after OTP expiry, instead of every 5 minutes. This means RADIUS clients that fail to increment the RADIUS packet identifier will not cause user lockout longer than the OTP validity time (default 60 seconds). This resolves a usability issue with e.g. Citrix Access Gateway Standard Edition.

Bug Fix
Config Tool enhancements

Config Tool no longer prompts to save unsaved changes when setting up a database for the first time. Miscellaneous enhancements concerning Return key, database name and LDAP Server test connection.

Mideye Server 4

Version 4.2.1

Bug Fix
User search via config tool fails if Authentication Type = 1

4.2.0 bug resolved in 4.2.1.

Bug Fix
Web Admin ROOT password cannot be changed when using two-way encryption

4.2.0 bug resolved in 4.2.1.

Bug Fix
Limited length of user password

In previous releases, the static password maximum length was 48 characters for LDAP users and 16 characters for database users. Both these limitations have been removed.

Bug Fix
Unlimited number of log lines presented via Web Interface

4.1.0 bug resolved in 4.2.1. The number of log lines presented via the Administrative Web Interface is now limited to the number specified in the filter settings.

Bug Fix
New address field for database connection in Config Tool

In 4.2.1, the database connection address field in the Mideye Configuration Tool has been modified. This resolves previous issues when specifying external databases.

Mideye Server 4

Version 4.2.0

Feature
LDAP over SSL

Support for SSL protection of connections to LDAP servers. This is implemented via an optional checkbox in the LDAP Server tab of Mideye Configuration Tool. LDAP server certificates can be automatically downloaded.

Feature
Continued LDAP search in case of group membership requirements not fulfilled

In case a user account is found in an LDAP repository but does not fulfill the specified group membership requirements, the user search continues to other repositories (if more repositories are defined). In previous releases, an access reject was immediately returned if group membership requirements were not fulfilled, which caused the user search to be discontinued.

Feature
Removal of user name suffixes and prefixes

As an option, suffixes and prefixes added to user names in the RADIUS access request can be removed before the user name is searched in the user repository. The removal (suffix or prefix, and separator) is specified on a per-RADIUS-client basis.

Feature
Accounting filtering based on LDAP repository and department

The accounting filtering is enhanced with the option to filter data based on which LDAP server and department the user belongs to. The optional Department attribute is specified in the Mideye Configuration tool. This attribute is read from the user repository and stored in the accounting database in Mideye. Mideye accounting granularity is thereby enhanced, facilitating distribution of Mideye costs based on which LDAP server and department the user belongs to.

Feature
Enhanced encryption of passwords in the internal database

An enhanced one-way hash encryption is added as an option for passwords stored in the internal database. This encryption alternative cannot be reversed.

Feature
Increased size of database fields

Database fields with variable input length, such as LDAP search bases and group names, have been increased to the maximum size allowed by the respective database (MS SQL and MySQL).