From hvn at open.com.au Tue Dec 19 15:26:48 2023
From: hvn at open.com.au (Heikki Vatiainen)
Date: Tue, 19 Dec 2023 17:26:48 +0200
Subject: [RADIATOR-ANNOUNCE] Radiator Version 4.28 released - new features, enhancements and bug fixes
Message-ID:

We are pleased to announce the release of Radiator version 4.28. This version contains new features, enhancements and bug fixes. See below for the details.

As usual, the new version is available to current licensees and evaluators from:
https://radiatorsoftware.com/downloads/

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file https://radiatorsoftware.com/products/radiator/history/ is below:

-----------------------------

Revision 4.28 (2023-12-19) new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

VENDOR 14823 Aruba VSAs Aruba-PoE-Priority, Aruba-Port-Auth-Mode and Aruba-QoS-Trust-Mode now have symbolic names for their integer type values in the default Radius dictionary.

Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.

Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.

EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with OpenSSL 1.1.1 and later.

Detailed changes

Update the default Radius dictionary to include Juniper's PON related and other attributes: Vendor code 4874, VSAs 141 Downstream-Calculated-Qos-Rate, 142 Upstream-Calculated-Qos-Rate, 143 Jnpr-Max-Clients-Per-Interface, 164 Unisphere-IPv4-Release-Control, 173 Unisphere-Service-Activate-Type and 174 Unisphere-Client-Profile-Name.

Update systemd service unit files for Radiator to show how to capture stderr and stdout to files for easier debugging. Also update the reference manual. See Debug in AuthBy LDAP2 for an example.

Review and update Docker files. Update installed packages and add comments to cover some scenarios.

RADIUS and RadSec HashBalance proxy algorithm now logs more details about next hop failures.

Enhanced logging for PAP messages created from EAP-GTC.

When TLS connections need to send alerts, the alerts are now sent in more cases before closing RadSec and other TCP or SCTP connections.

Improve logging of Diameter and RadSec connections that have unacceptable header lengths.

When a RADIUS or Diameter dictionary entry contains unexpected characters, a warning is logged. Improve RADIUS and Diameter dictionary logging.

AuthBy REST no longer crashes when the server response is not a JSON object.

Diameter Hop-by-Hop and End-to-End identifiers now wrap correctly.

AttrVal::pclean function now returns an empty string when called with an undef value. This avoids later warnings where the processed value is logged.

The goodies configuration samples now include the evaluation license directly. Previously this information required manual entry.

CachePasswords can now use a configurable key with the new configuration parameter CachePasswordKey instead of always using the current username.

Add new dictionary file dictionary.huawei-airengine in goodies. Attributes in this file are supported by Huawei's AirEngine Access Points and Access Controllers. From this dictionary add attributes Huawei-Redirect-ACL, Huawei-IPv6-Redirect-ACL, Huawei-User-Extend-Info, Huawei-MUD-URL, Huawei-VIP-Level-ID, Huawei-EPIV-Info, Huawei-DPSK-Info, Huawei-TAG-Info, Huawei-Web-Authen-Info, Huawei-Ext-Specific and Huawei-Reachable-Detect to the default Radius dictionary.

EAP-TLS reject reason is now logged when the authentication fails but the client still unsuccessfully tries to restart the EAP-TLS handshake. Examples of possible failure reasons are unknown CAs and expired client certificates. Previously the original reject reason was not logged with restart failures.

AuthBy INTERNAL now supports StripFromRequest, AddToRequest and AddToRequestIfNotExist.

Update sample certificates to expire on Sep 13 12:31:29 2025 GMT.

Add file VERSION in the top level Radiator distribution directory. The file tells the Radiator version and patch level.

Fix two memory leaks seen with AuthBy REST. The leaks happened with Accounting-Request handling and when HTTP connections were unavailable.

Remove AuthRODOPI.pm because the Rodopi billing system is obsolete and no longer in use.

Remove old match_keyword function from Configurable.pm. Minor cleanups.

Add support for parameters VendorAuthApplicationIds and VendorAcctApplicationIds in ServerDIAMETER. These set values within Vendor-Specific-Application-Id Diameter AVPs.

Fix sending Acct-Application-Id AVPs when the AuthApplicationIds configuration parameter is defined but empty.

Add firewall manager profile files to goodies. The newly added files are for firewalld and ufw, typically used with Red Hat and Ubuntu and their derivatives. These profiles cover Radius UDP ports 1645, 1646, 1812 and 1813, RadSec TCP port 2083, DIAMETER TCP and SCTP port 3868 and TACACS+ TCP port 49.

AuthBy SIP2 now supports the new parameter Institution. This sets the value of the AO parameter, institution id, in SIP2 patron messages. When Institution is not defined in the Radiator configuration, Radiator continues to use the ACS Status response to learn the institution id.

The first SIP2 authentication could fail immediately after Radiator startup. This was caused by a missing institution id in the first patron request Radiator sends to the ACS. Radiator now sends an SC Status message after ACS login to immediately learn the institution id value and only then starts composing the patron request.

Update VENDOR 26928 Aerohive attributes in the default Radius dictionary. New attributes are Aerohive-Data-Usage-Limit, Aerohive-AVPair, Aerohive-Radius-Code, Aerohive-User-Language, Aerohive-Time-Zone-Offset, Aerohive-Daylight-Saving-Offset, Aerohive-Client-Monitor-Session, Aerohive-Client-Monitor-Problem, Aerohive-IDM-Redirect-URL, Aerohive-MGT-MAC-Address and Aerohive-Auth-Source. Note that Aerohive documentation lists all vendor 26928 attributes with the Extreme- prefix. Radiator continues to use the Aerohive- prefix for backwards compatibility.

Add VENDOR 14122 Wireless Broadband Alliance (WBA) attribute WBA-Custom-SLA to the Radius dictionary.

%{Client:name} format and Client-Identifier check item now use ServerTACACSPLUS values with those TACACS+ derived requests that do not match a specific Client clause.

Fix AuthBy FIDELIO and fideliosim.pl, which were broken by changes in Radiator 4.26.

Update VENDOR 10415 3GPP Radius attributes to include the latest Release 17 definitions: add new 3G/LTE internetworking attributes 3GPP-UE-Local-IP-Address and 3GPP-UE-Source-Port; add 5G internetworking attributes 3GPP-DNAI, 3GPP-RSN, 3GPP-Session-Pair-Id and 3GPP-Charging-Id-v2; add new 3GPP-RAT-Type values.

HTTPClient, used for example by AuthBy REST, now acts immediately on the HTTP Connection: close header. The connection is no longer used for sending and is closed directly instead of waiting for a peer initiated TCP shutdown.

Add VENDOR 40808 Wi-Fi Alliance (WFA) attributes WFA-HS20-Roaming-Consortium, WFA-HS20-Terms-And-Conditions-Filename, WFA-HS20-Terms-And-Conditions-Timestamp, WFA-HS20-Terms-And-Conditions-Filtering and WFA-HS20-Terms-And-Conditions-Server-URL. WFA-HS20-Roaming-Consortium was contributed by Stefan Paetow. The other attributes are based on values in wpa_supplicant. Add value Release-3 for attribute WFA-HS20-AP-Version. The newly added attributes should now provide support for Passpoint Release 3.

Add VENDOR 14122 Wireless Broadband Alliance (WBA) attributes WBA-Offered-Service, WBA-Financial-Clearing-Provider, WBA-Data-Clearing-Provider, WBA-Linear-Volume-Rate and WBA-Identity-Provider. Note that for historical reasons this vendor id is named WISPr, and the previously defined WISPr-prefixed attributes share the same vendor id with the newer WBA-prefixed attributes.

Add Protocol-Error Radius packet type from RFC 7930 to the known packet types.

Update vendor 14823 Aruba, 29671 Meraki and 25461 PaloAlto Radius dictionary entries. Add aliases Aruba-Port-Id and Aruba-Template-User for Aruba-Port-Identifier and Aruba-MMS-User-Template. Add new VSAs Aruba-Auth-SurvMethod, Aruba-AP-MAC-Address, Aruba-Device-MAC-Address and Aruba-PVLAN-Port-Type from Aruba AOS 10 and AOS-CX 10 documentation. Add values for existing VSAs Aruba-PoE-Priority, Aruba-Port-Auth-Mode and Aruba-QoS-Trust-Mode. Add Meraki VSAs 2, 3 and 4: Meraki-Network-Name, Meraki-Ap-Name and Meraki-Ap-Tags. Add PaloAlto VSAs 6 - 10: PaloAlto-Client-Source-IP, PaloAlto-Client-OS, PaloAlto-Client-Hostname and PaloAlto-GlobalProtect-Client-Version.

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software