2025-11-04

v10.31.0

Breaking Changes

Execution pipeline improvements - post-authentication now runs strictly after authentication (not after authorization). Added final-* pipeline variants. See Execution Pipelines
File path resolution now relative to config file location instead of working directory. Use <root> prefix for config root references or <cwd> for legacy behavior. See File path resolution changes section below.

Summary

Execution pipeline improvements with breaking changes to post-authentication timing and new final-* pipeline variants. See Execution Pipelines
File path resolution now relative to config file location instead of working directory (breaking change)
Improved signal handling - Shutdown attempted only once even if multiple signals are received, Handle SIGINT (Ctrl-C), Second SIGINT signal forces immediate exit
Timeout configuration values now support human-readable unit suffixes (s, m, h, etc.). See Duration Units
HTTP Management requests can now be authenticated with policies for flexible access control. See Management API Privileges
Documentation is now bundled with the Radiator Server UI
Add Instance and Cluster Identifiers support for HA and fleet operations naming. See High Availability Identifiers
Fix scroll behavior for long-content views in UI
Improve Counters page performance with 24-hour sparklines and automatic down-sampling
Format counter values with SI notation and time units for better readability
New aaa.errors context variable for capturing and logging pipeline errors during AAA processing
Add error sampling system to prevent log flooding with intelligent rate-limiting by error category
Allow using filters with any expressions. Ex. vars.username = user.username | uppercase;
Per-user Management UI settings stored as individual JSON files (<config_dir>/ui-settings/<sanitized-username>.json)
New json, jsonpath, regex, recover, join and type filters. See Filters
Add "else if" support to if conditionals. See if action
Add configuration zip import & export for backups and easy migration between instances
Add jsonfile backend
Dot (.) in regexes now matches newlines
Add env.* accessor for reading environment variables in expressions. See Execution Context
Allow referencing enviroment variables in config strings using the format string syntax. Ex. "%{ENV_VAR_NAME}". See Data Types
radiator-client can now send attributes using dictionaries with the new --attr flag. See radiator-client --help for details.
Rename template action and configuration block to invoke and pipeline respectively for clarity - template action is now a deprecated alias for invoke and template block is now a deprecated alias for pipeline block
Show operation progress in shutdown and restart buttons in UI
Remove target and id log fields from API as they are being deprecated
Setting export RADIATOR_LOG_LEVEL=trace will now log http request/responses details in http backend.
LDAP - Allow referencing the entry DN using entry::dn
JSON log file time stamps are now RFC3339. See Logging
Management UI sessions now automatically refresh every 5 minutes to prevent logout during active use
Counter values now use SI notation (K, M, G, T) for >= 1000 and time units (µs, ms, s, min) for TimeSpent counters
Add build metadata - build_kind, build_timestamp, cpu_target, git_branch, and git_commit (available in logs, API, Prometheus, and UI)
Add configuration file upload - Select and upload local files directly to Configuration page
Add configuration ZIP import/export for backups and migration between instances
Improve trace logging - detailed policy logging, handler matching logs, reduced dictionary noise
Service now closes connections immediately when configuration is broken (TCP closes after accept, UDP no response)

Execution pipeline improvements

🚨 BREAKING CHANGE

Fix the post-authentication execution position to run strictly after the authentication pipeline (not after authorization).

Add final-* pipeline variants (final-authorization, final-authentication, final-accounting) that always execute at the very end regardless of outcome.

See the Execution Pipelines article for complete details.

File path resolution changes

🚨 BREAKING CHANGE

All file and directory references are now relative to the config file location. They used to be relative to the current working directory.

For example, with this config file structure when the current working directory is /var/lib/radiator:

/var/lib/radiator/conf.d/certificates.conf
/var/lib/radiator/certs/server.pem

certificates.conf references the certificate file relative to its own location:

certificates {
    x509 "EAP_SERVER_CERT" {
        filename "../certs/server.pem";
    }
}

E.g., when migrating from the old version, you must change the path in the config file from certs/server.pem to ../certs/server.pem.

File relation helpers

It is now possible to reference files and config includes to the config root with the <root> prefix:

include "<root>/conf.d/certificates.conf";

certificates {
    x509 "EAP_SERVER_CERT" {
        filename "<root>/certs/server.pem";
    }
}

The root is defined as the directory passsed to -c. If it is a file the root is the file's parent directory.

If you really need the legacy behaviour, you can use the <cwd> prefix:

certificates {
    x509 "EAP_SERVER_CERT" {
        filename "<cwd>/certs/server.pem";
    }
}

AAA Error Context Variable

Add aaa.errors context variable to capture pipeline errors during AAA processing. Errors previously written to aaa.reason are now in aaa.errors to avoid exposing internal details to clients.

Recommended: Add aaa.errors logging to all log configurations.

Usage:

String format: %{aaa.errors} (semicolon-separated errors)
JSON format: aaa.errors (structured array)

Example log output:

{
    "errors": "main pipeline Authentication: Radius dictionary attribute 'erx-egress-policy-name' not found",
    "errors_json": [
        {
            "context": "main pipeline Authentication",
            "message": "Radius dictionary attribute 'erx-egress-policy-name' not found"
        }
    ]
}