Roadmap
Planned Functionality
Roadmap
These following features (in no particular order) are roadmapped for a future release:
hostable on-premise proxy - convert insecure RADIUS/{UDP,TCP} traffic to a secure RadSec transport suitable for use over the Internet
API with an OpenAPI definition
There is an API (the web UI uses it) though it currently is not stable nor documented
built-in (unique per deployment) private CA used for automatically maintaining RadSec and EAP-(T)TLS server certificates
Control of ciphers and TLS version for RadSec and EAP-(T)TLS
Including EAP-TTLS support for TLS 1.3
MAC Based Authentication (MAB) - supporting compliance without 802.1X
Dynamic Pre-Shared Key (DPSK) - per-device PSK for wireless
Live Metrics and Availability Monitoring
Microsoft Graph support for ‘Change notifications’ - supporting faster detection of updates made in Microsoft Entra ID
Support for updating the managed application, web UI and to some extent the VM service for existing deployments
This will reduce the number of times where it is necessary to migrate to a new deployment of RADNAC to benefit from updates
Support other MFA methods, not just push notifications, such as TOTP and number matching
Primarily this would be used for non-802.1X, such as WPA Enterprise, network access like VPN services
For 802.1X, only TOTP could be supported and require the end user to append the TOTP to their password and not use 'Remember password' on their device
If you think this list is missing an item or you want to register your interest in one of these, do please contact us.
Known Issues
Below is a list of known issues in RADNAC, these are considered bugs, whilst fixed and not yet released issues are listed under our ‘Upcoming Release’ sections of our changelog.
Note | Our internal bug tracking reference for each is listed of the form ‘GH#xyz’ and is useful to refer to if you wish to contact us about it. |
[GH#3]: TLS session resumption and password caches are not shared across VMs.
Fortunately this often not an issue as most vendor equipment poorly implements load-balancing and instead only implements failover sending all requests to the primary server until it determined it is unavailable and then start sending to the backup system instead.
May impact MFA users as TLS session resumption is used to deduplicate MFA requests.
[GH#117]: Backups include the password of local user accounts (not your Microsoft Entra ID accounts) in plaintext.
The administrator should be able to pick a password hashing algorithm (such as SSHA512 or PBKDF2)
[GH#302]: Enabling an MFA policy does not affect already connected devices using TLS resumption
Expectated behavior is the TLS resumption session would be invalidated leading to a full authentication that includes the MFA challenge.
[GH#307]: When creating a device, invalid or unfilled required fields from other tabs are not highlighted