Roadmap: Planned Functionality
Roadmap
These following features (in no particular order) are roadmapped for a future release:
-
hostable on-premise proxy - convert insecure RADIUS/{UDP,TCP} traffic to a secure RadSec transport suitable for use over the Internet
-
API with an OpenAPI definition
-
There is an API (the web UI uses it) though it currently is not stable nor documented
-
-
built-in (unique per deployment) private CA used for automatically maintaining RadSec and EAP-(T)TLS server certificates
-
Control of ciphers and TLS version for RadSec and EAP-(T)TLS
-
Including EAP-TTLS support for TLS 1.3
-
-
MAC Based Authentication (MAB) - supporting compliance without 802.1X
-
Dynamic Pre-Shared Key (DPSK) - per-device PSK for wireless
-
Live Metrics and Availability Monitoring
-
Microsoft Graph support for ‘Change notifications’ - supporting faster detection of updates made in Microsoft Entra ID
-
Support for updating the managed application, web UI and to some extent the VM service for existing deployments
-
This will reduce the number of times where it is necessary to migrate to a new deployment of RADNAC to benefit from updates
-
-
Support other MFA methods, not just push notifications, such as TOTP and number matching
-
Primarily this would be used for non-802.1X, such as WPA Enterprise, network access like VPN services
-
For 802.1X, only TOTP could be supported and require the end user to append the TOTP to their password and not use 'Remember password' on their device
-
If you think this list is missing an item or you want to register your interest in one of these, do please contact us.
Known Issues
Below is a list of known issues in RADNAC, these are considered bugs, whilst fixed and not yet released issues are listed under our ‘Upcoming Release’ sections of our changelog.
| Our internal bug tracking reference for each is listed of the form ‘GH#xyz’ and is useful to refer to if you wish to contact us about it. |
-
[GH#3]: TLS session resumption and password caches are not shared across VMs.
-
Fortunately this often not an issue as most vendor equipment poorly implements load-balancing and instead only implements failover sending all requests to the primary server until it determined it is unavailable and then start sending to the backup system instead.
-
May impact MFA users as TLS session resumption is used to deduplicate MFA requests.
-
-
[GH#117]: Backups include the password of local user accounts (not your Microsoft Entra ID accounts) in plaintext.
-
The administrator should be able to pick a password hashing algorithm (such as SSHA512 or PBKDF2)
-
-
[GH#302]: Enabling an MFA policy does not affect already connected devices using TLS resumption
-
Expectated behavior is the TLS resumption session would be invalidated leading to a full authentication that includes the MFA challenge.
-
-
[GH#307]: When creating a device, invalid or unfilled required fields from other tabs are not highlighted