
SurePassID RADIUS Server 2026.2 - Release Notes

Release Date: 06/01/2026
Release Type: Major Feature Release


What's New

Configuration Secret Encryption (DPAPI)

Sensitive configuration values (API passwords, shared secrets) are now automatically encrypted at rest using Windows DPAPI with LocalMachine scope. This protects credentials stored in config.xml without requiring any manual key management. See the "Configuration Secret Encryption" section below for full details, caveats, and portability options.

Custom RADIUS Attributes Support

The SurePassID RADIUS Server now supports configurable custom RADIUS attributes in Access-Accept responses. This powerful new feature enables administrators to:

    • Configure Standard RADIUS Attributes: Add any standard RADIUS attribute (types 1-255) to authentication responses
    • Configure Vendor-Specific Attributes (VSAs): Add vendor-specific attributes for Cisco, Microsoft, Juniper, and other network equipment
    • Multiple Data Types: Support for String, Integer, IPv4 address, and Octets (binary) data types
    • Configuration Manager UI: New graphical interface for managing custom attributes without manual XML editing

Key Capabilities:

    • Filter-Id Support: Assign users to VPN groups or apply network policies
    • Session Timeout: Configure maximum session durations per policy
    • Cisco AV-Pairs: Set privilege levels and access control lists for Cisco devices
    • Microsoft RADIUS Attributes: Support for MS-MPPE and other Microsoft-specific attributes
    • Extensible Design: Support for any RFC-compliant RADIUS attribute

Configuration Manager Enhancements:

    • New "Custom Attributes..." button on the RADIUS Settings tab
    • Intuitive dialog for viewing, adding, editing, and removing attributes
    • Dropdown list of known RADIUS attribute names with auto-detection of data types
    • Separate dialogs for standard and vendor-specific attributes
    • Validation to prevent configuration of internal-only attributes

Server Processing:

    • Custom attributes are automatically added to all Access-Accept responses
    • Service-Type override: Custom Service-Type values replace the default Administrative (6) value
    • Full tracing support for debugging attribute configuration and delivery

Improvements

Configuration System Enhancements

    • ConfigurationReader: New centralized configuration loading with support for custom attributes
    • ConfigurationWriter: New methods for persisting custom attribute configuration
    • RadiusConfiguration: Extended model to include custom attributes collection
    • Improved Tracing: Enhanced trace output for custom attribute operations

Code Quality

    • Refactored configuration reading/writing for better maintainability
    • Improved error handling and validation in attribute processing
    • Added comprehensive XML documentation comments

Documentation

    • New Custom Attributes User Guide (docs/CustomAttributes_UserGuide.md)
    • Updated implementation plan documentation
    • Added XML schema documentation for custom attributes

Technical Details

XML Configuration Format

Custom attributes are stored in the config.xml file:

<CustomAttributes>
  <Attribute type="11" value="VPN-Users" dataType="String" name="Filter-Id" />
  <Attribute type="27" value="3600" dataType="Integer" name="Session-Timeout" />
  <VendorAttribute vendorId="9" vendorType="1" value="shell:priv-lvl=15" 
                   dataType="String" name="Cisco-AV-Pair" />
</CustomAttributes>

Supported Data Types

| Type | Description | Example |
|---|---|---|
| String | ASCII text (default) | VPN-Users |
| Integer | 32-bit unsigned integer | 3600 |
| IPv4 | IPv4 address | 192.168.1.1 |
| Octets | Hex-encoded binary | 0A1B2C3D |

Common Vendor IDs

| ID | Vendor |
|---|---|
| 9 | Cisco |
| 311 | Microsoft |
| 2636 | Juniper |
| 25506 | HP/H3C |
| 14988 | MikroTik |

Migration Notes

    • Backward Compatibility: Existing configurations without <CustomAttributes> section continue to work without modification
    • Default Behavior: The server's default Service-Type=Administrative behavior is preserved unless overridden by custom attributes
    • Configuration Location: No changes to configuration file location or format for existing settings

Configuration Secret Encryption (DPAPI)

Starting with this release, sensitive configuration values are automatically encrypted at rest using Windows DPAPI (Data Protection API) with LocalMachine scope.

Encrypted Fields

The following fields in config.xml are encrypted on save:

    • LoginPW — the API key/password for the SurePassID MFA server
    • RadProxySecret — the shared secret for RADIUS proxy authentication
    • Client SS — each client's shared secret in the whitelist
    • Client LP — per-client login password (multi-tenant mode only)

How It Works

    • On Save: When the Configuration Manager saves settings, sensitive values are encrypted and stored with an enc: prefix followed by base64-encoded ciphertext.
    • On Read: When the service or Configuration Manager reads the config, values starting with enc: are decrypted automatically. Values without the prefix are treated as plaintext (backward compatible).

Identifying Encrypted Values

Encrypted values in config.xml look like this:

<LoginPW>enc:AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA...</LoginPW>

Plaintext values (legacy or portable mode) have no prefix:

<LoginPW>my-api-key-here</LoginPW>

Important: Machine-Local Encryption

DPAPI with LocalMachine scope means the encrypted values are tied to the specific Windows machine where they were encrypted. This has the following implications:

    • ✅ Any user/service account on the same machine can decrypt the values
    • ❌ Encrypted values cannot be decrypted on a different machine
    • ❌ Copying config.xml with encrypted values to another server will result in decryption failure (the raw enc:... value will be returned)

Disabling Encryption for Portable Configurations

If you need to copy config.xml between machines (e.g., for disaster recovery, cloning, or migration), set the EncryptConfigSecrets element to FALSE:

<radius>
  <EncryptConfigSecrets>FALSE</EncryptConfigSecrets>
  ...
</radius>

When EncryptConfigSecrets is FALSE:

    • Secrets are saved as plaintext (no enc: prefix)
    • The config file can be freely copied between machines
    • Note: This reduces security — the secrets are stored in cleartext on disk

When EncryptConfigSecrets is TRUE (the default):

    • Secrets are encrypted with DPAPI on save
    • The config file is protected at rest on the local machine

Migration Workflow (Moving Config Between Machines)

    • On the source machine, set <EncryptConfigSecrets>FALSE</EncryptConfigSecrets> and re-save via Configuration Manager
    • Copy config.xml to the target machine
    • On the target machine, remove the EncryptConfigSecrets element (or set it back to TRUE) and re-save via Configuration Manager — this will re-encrypt the secrets with the target machine's DPAPI keys
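
A check for the end of the migration workflow above, added here as an example and not part of the SurePassID product: it reports which secret fields in a config.xml still lack the enc: prefix and whether EncryptConfigSecrets is FALSE. The placement of SS and LP as an attribute or child element of a Client element is an assumption, and the sample document and its values are constructed.

```python
import xml.etree.ElementTree as ET

# LoginPW and RadProxySecret are elements, as shown in the release notes.
SECRET_ELEMENTS = ("LoginPW", "RadProxySecret")
# Assumption: SS / LP sit on a <Client> element as an attribute or a child.
CLIENT_FIELDS = ("SS", "LP")

# Constructed sample: a config copied mid-migration, secrets partly plaintext.
SAMPLE = """<radius>
  <EncryptConfigSecrets>FALSE</EncryptConfigSecrets>
  <LoginPW>enc:Q09OU1RSVUNURUQ=</LoginPW>
  <RadProxySecret>constructed-proxy-secret</RadProxySecret>
  <Clients>
    <Client SS="constructed-shared-secret" />
    <Client SS="enc:Q09OU1RSVUNURUQ=" LP="enc:Q09OU1RSVUNURUQ=" />
  </Clients>
</radius>"""

def classify(value):
    """Return 'empty', 'encrypted' or 'plaintext' for one stored value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    return "encrypted" if value.startswith("enc:") else "plaintext"

def audit_config(xml_text):
    """List secret fields by storage state and report the encryption flag."""
    root = ET.fromstring(xml_text)
    findings = [(n, classify(el.text)) for n in SECRET_ELEMENTS for el in root.iter(n)]
    for i, client in enumerate(root.iter("Client")):
        for field in CLIENT_FIELDS:
            value = client.get(field)
            if value is None:
                value = client.findtext(field)
            if value is not None:
                findings.append((f"Client[{i}].{field}", classify(value)))
    # A missing element means the default, TRUE.
    flag = (root.findtext(".//EncryptConfigSecrets") or "TRUE").strip().upper()
    return {"encryption_enabled": flag != "FALSE",
            "plaintext": [n for n, s in findings if s == "plaintext"],
            "encrypted": [n for n, s in findings if s == "encrypted"]}

def migration_complete(report):
    """True once encryption is back on and no secret is stored in cleartext."""
    return report["encryption_enabled"] and not report["plaintext"]

if __name__ == "__main__":
    print(audit_config(SAMPLE))
```

The prefix check cannot tell whether an enc: value was produced on the current machine, so a value copied from another server still passes it; the authentication test in the upgrade steps remains the way to confirm decryption works.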

Known Limitations

    • Maximum attribute value length: 253 bytes (per RFC 2865)
    • Internal attributes cannot be overridden: User-Name, User-Password, CHAP-Password, Reply-Message, State, Proxy-State, Message-Authenticator
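
How the XML format, data types and limits described in these notes map onto RFC 2865 wire encoding, as an added example that is not SurePassID's own code: it encodes each configured attribute as type, length, value, wraps vendor attributes in Vendor-Specific (type 26), and rejects internal-only types and over-long values. The function names are hypothetical, and the 247-byte limit for vendor data is derived from the RFC header sizes rather than stated on this page.

```python
import ipaddress
import struct
import xml.etree.ElementTree as ET

# RFC type numbers of the attributes the release notes list as internal-only.
INTERNAL = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
            18: "Reply-Message", 24: "State", 33: "Proxy-State",
            80: "Message-Authenticator"}
MAX_VALUE = 253        # 255-byte attribute minus the 2-byte type/length header
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
VSA_HEADER = 6         # Vendor-Id (4) + vendor type (1) + vendor length (1)

# The sample configuration from the "XML Configuration Format" section.
SAMPLE = """<CustomAttributes>
  <Attribute type="11" value="VPN-Users" dataType="String" name="Filter-Id" />
  <Attribute type="27" value="3600" dataType="Integer" name="Session-Timeout" />
  <VendorAttribute vendorId="9" vendorType="1" value="shell:priv-lvl=15"
                   dataType="String" name="Cisco-AV-Pair" />
</CustomAttributes>"""

def encode_value(value, data_type):
    """Convert a configured value to its on-the-wire bytes."""
    if data_type == "Integer":
        return struct.pack("!I", int(value))     # 32-bit unsigned, network order
    if data_type == "IPv4":
        return ipaddress.IPv4Address(value).packed
    if data_type == "Octets":
        return bytes.fromhex(value)
    return value.encode("ascii")                 # String is the default

def encode_attribute(el):
    """Encode one <Attribute> or <VendorAttribute> element as a RADIUS TLV."""
    data = encode_value(el.get("value", ""), el.get("dataType", "String"))
    vendor = el.tag == "VendorAttribute"
    rtype = VENDOR_SPECIFIC if vendor else int(el.get("type"))
    if rtype in INTERNAL:
        raise ValueError(f"{INTERNAL[rtype]} is internal-only")
    limit = MAX_VALUE - (VSA_HEADER if vendor else 0)
    if not 1 <= len(data) <= limit:
        raise ValueError(f"value must be 1..{limit} bytes, got {len(data)}")
    if vendor:
        data = struct.pack("!IBB", int(el.get("vendorId")),
                           int(el.get("vendorType")), len(data) + 2) + data
    return bytes([rtype, len(data) + 2]) + data

def encode_custom_attributes(xml_text):
    return [encode_attribute(el) for el in ET.fromstring(xml_text)]
```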

System Requirements

    • .NET Framework: 4.8
    • Operating System: Windows Server 2016, 2019, 2022, or Windows 10/11
    • SurePassID MFA Server: Compatible version with REST API support

Previous Versions

Version 2024.2

    • Maintenance release with bug fixes
    • Performance improvements for high-volume authentication scenarios
    • Updated security libraries

Version 2024.1

    • Added support for local policy enforcement
    • Improved Active Directory integration
    • Enhanced push authentication handling

Upgrade Instructions

    • Backup: Create a backup of your current config.xml file
    • Stop Service: Stop the SurePassID RADIUS Server service
    • Install: Run the updated installer
    • Verify Configuration: Open Configuration Manager and verify settings
    • Start Service: Start the SurePassID RADIUS Server service
    • Test: Verify authentication is working correctly

Post-Upgrade Configuration

To use the new Custom Attributes feature:

    • Open the SurePassID RADIUS Configuration Manager
    • Navigate to RADIUS Settings tab
    • Click Custom Attributes...
    • Add your desired attributes
    • Click OK and then Save
    • Restart the RADIUS service

Support

For support inquiries:


© 2011-2026 SurePassID Corp. All rights reserved.