(RADIATOR) Radiator Version 3.14 released

Mike McCauley mikem at open.com.au
Sun Jan 15 19:08:53 CST 2006


We are pleased to announce the release of Radiator version 3.14

This version contains some significant new features and a number of
fixes. Amongst the new features is DNSROAM, which provides RadSec and
RADIUS proxying to hosts discovered through DNS, giving secure,
reliable, scalable, low-maintenance RADIUS meshes and federations. It
uses technology similar to Diameter (RFC 3588) for host discovery, so
that target server details can be provided through DNS lookups, and
supports both RadSec and RADIUS proxying. Also new is the AuthBy NTLM
module, which allows Radiator running on a Linux or Unix system to
authenticate to a Windows domain controller.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.html

An extract from the history file
http://www.open.com.au/radiator/history.html is appended:

-----------------------------
Revision 3.14 (2006-01-16) Significant new features, including DNSROAM
and some fixes.

Added new module DNSROAM, which provides RadSec and RADIUS proxying to
hosts discovered through DNS. Provides secure, reliable, scalable, low
maintenance RADIUS meshes and federations. Uses similar technology to
Diameter (RFC 3588) for host discovery, which allows target server
details to be provided through DNS lookups. Supports RadSec and RADIUS
proxying. Includes new Resolver module for asynchronous DNS
lookups. Requires the Net::DNS Perl module (and the IO::Socket::INET6
module if you wish to consult a DNS server via IPv6).
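The RFC 3588 discovery walk that the entry above compares DNSROAM to is NAPTR for the realm, then SRV, then A/AAAA. The following is an added example of that walk written for this announcement; it is not Radiator's DNSROAM or Resolver code. The zone contents, the SRV owner names and the NAPTR service tags (the "AAA+D2T"/"AAA+D2S" tags are the ones RFC 3588 defines for Diameter; what DNSROAM actually looks for is an assumption here) are all constructed for the demonstration.

```python
"""RFC 3588 (Diameter) style peer discovery: NAPTR -> SRV -> A/AAAA.

Added example, not Radiator's DNSROAM code.  Zone data, service tags and
owner names below are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass
class Naptr:
    order: int
    preference: int
    flags: str         # "s": replacement is an SRV owner name, "a": a host name
    service: str
    replacement: str


@dataclass
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for real DNS answers.
ZONE = {
    ("example.org", "NAPTR"): [
        Naptr(100, 10, "s", "AAA+D2T", "_radsec._tcp.example.org"),
        Naptr(50, 10, "s", "AAA+D2S", "_radsec._sctp.example.org"),
    ],
    ("_radsec._tcp.example.org", "SRV"): [
        Srv(20, 0, 2083, "backup.example.org"),
        Srv(10, 40, 2083, "radsec2.example.org"),
        Srv(10, 60, 2083, "radsec1.example.org"),
    ],
    ("radsec1.example.org", "A"): ["192.0.2.10"],
    ("radsec2.example.org", "A"): ["192.0.2.11"],
    ("backup.example.org", "A"): ["198.51.100.5"],
    ("legacy.example", "A"): ["203.0.113.7"],
}


def lookup(name, rtype):
    return list(ZONE.get((name, rtype), []))


def srv_targets(name):
    """(host, port) list from an SRV RRset, lowest priority first, then
    highest weight first.  RFC 2782 selects weighted-randomly within a
    priority; a deterministic order is used here so results are stable."""
    recs = sorted(lookup(name, "SRV"), key=lambda s: (s.priority, -s.weight))
    return [(s.target, s.port) for s in recs]


def discover(realm, supported_services, srv_prefixes, default_port):
    """Return [(ip, port), ...] for `realm` in order of preference.

    1. NAPTR records for the realm, ordered by (order, preference) and
       filtered to services we speak; "s" flag -> follow the SRV name,
       "a" flag -> the replacement is a host name.
    2. No usable NAPTR: try the well-known SRV owner names directly.
    3. Still nothing: treat the realm itself as a host name on the default port.
    """
    naptrs = sorted(lookup(realm, "NAPTR"), key=lambda n: (n.order, n.preference))
    usable = [n for n in naptrs if n.service in supported_services]
    targets = []
    if usable:
        for n in usable:
            if n.flags == "s":
                targets += srv_targets(n.replacement)
            elif n.flags == "a":
                targets.append((n.replacement, default_port))
    else:
        for prefix in srv_prefixes:
            targets += srv_targets(f"{prefix}.{realm}")
        if not targets:
            targets.append((realm, default_port))
    # Resolve each host; a host with no address simply drops out of the list.
    result = []
    for host, port in targets:
        for ip in lookup(host, "A") + lookup(host, "AAAA"):
            result.append((ip, port))
    return result


if __name__ == "__main__":
    print(discover("example.org", {"AAA+D2T"}, ["_radsec._tcp"], 2083))
    print(discover("legacy.example", {"AAA+D2T"}, ["_radsec._tcp"], 2083))
```

Note that a NAPTR record whose replacement has no SRV or address records yields no candidates at all (the "AAA+D2S" branch in the constructed zone), which is the situation a deployment should alarm on rather than silently falling back to a hard-coded host.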

Added new module AuthBy NTLM that allows Radiator running on a Linux
or Unix system to authenticate to a Windows domain controller, with
the assistance of the ntlm_auth and winbindd utilities from the Samba
suite (www.samba.org). Sample Radiator and winbindd configurations are
included. Supports PAP, MSCHAP, MSCHAPV2 and EAP-MSCHAPV2, and works
with PEAP and TTLS.

EAP-TTLS-MSCHAPV2 did not correctly copy reply attributes from the
inner accept to the outer accept.

New example hook in goodies/hooks.txt to parse multiple
Digest-Attributes into individual attributes

Testing with Funk Odyssey 4.01 client, including EAP-SIM, EAP-GTC,
EAP-LEAP and TTLS-EAP-MSCHAPV2. OK.

Added cacti_data_query_snmp_get_radius_information.xml and
radius_server.xml to goodies. These are configuration files to enable
monitoring of Radiator by Cacti (http://www.cacti.net/), which is
similar to MRTG, except that it is web driven and based upon a
templating system. Contributed by Chris Hills.

Fixed a problem with radpwtst -gui where entering a new port number in
the gui had no effect. Reported by Chris Hills. Also fixed a problem
where that could produce an error message: Can't locate object method
"BINMODE" via package "Tk::Event::IO" on some platforms.

Fixed a problem in radpwtst -gui where a Class attribute received
from one user authentication would be incorrectly reused for
subsequent users.

Added new parameter for all AuthBys: EAP_LEAP_MSCHAP_Convert forces
all EAP-LEAP requests to be converted to conventional Radius MSCHAP
requests that are redispatched, perhaps to be proxied to another
non-LEAP capable Radius server or for local authentication. Example
config file goodies/eap_leap_proxy.cfg shows how to use it.

Fixed a problem that prevented CRL checking working with some versions
of Net_SSLeay. Requires Net_SSLeay version 1.25 from CPAN and this
patch. Reported by Ilana Kaplan.

Improved the error message printed when TLS certificate verification
fails to include a text string that describes the problem.

Testing with Sybase ASE 12.5, improvements to goodies/sybaseCreate.sql
to prevent warnings about NULL columns.

Added new parameter EAP_LEAP_MSCHAP_Convert that converts incoming
LEAP requests to conventional Radius-MSCHAP requests that can then be
handled locally or proxied to a remote Radius server that cannot
handle LEAP, but which can handle Radius-MSCHAP. Also added example
config file goodies/eap_leap_proxy.cfg. Requested by Michael Ting.

Improved configurability for 'make rpm' in Makefile.PL.

Added support for SASL authentication to LDAP servers. New parameter
UseSASL tells AuthBy LDAP2, AuthBy LDAPRADIUS and ClientListLDAP to
authenticate the connection to the LDAP server with SASL. See the
example config file goodies/ldap-sasl.cfg for details on how to
configure it.

Fixed a problem that prevented DefaultRealm working in Server
TACACSPLUS. Reported by Marc Blum.

Improvements to the sample linux-radiator.init and RPM Linux init
script so it takes notice of configurable variables in
/etc/sysconfig/radiator better. Suggested by Paul Dekkers.

Added new configuration method AuthBy SASLAUTHD, which authenticates
by connecting to a saslauthd server running on the same
host. saslauthd is a Unix authentication server program, part of the
Cyrus SASL suite. It can be configured to authenticate from a variety
of sources, including PAM, Kerberos, DCE, shadow password files, IMAP,
LDAP, SIA or a special SASL user password file. Example configuration
file is in goodies/saslauthd.cfg

Testing with Gentoo 2005.0. OK.

Fixed a problem where AuthBy PLSQL clause did not display its AuthBy
type in Radar. Reported by Jovan Sarai.

Fixed a problem with AuthACE.pm AuthDIGIPASS.pm AuthKRB5.pm AuthLSA.pm
AuthOPIE.pm AuthOTP.pm AuthRSAMOBILE.pm AuthSASLAUTHD.pm that could
prevent correct operation with TTLS-EAP-MSCHAPV2 and Odyssey client.

Testing on Linspire 5.0. OK. 

Testing on Ubuntu 5.04. OK.

Changes to the default behaviour of AuthLog SYSLOG and Log SYSLOG so
that the socket type is only set if LogSock is explicitly
defined. Fixes a problem with the socket type search path on Solaris
failing if syslogd does not open a unix domain socket.

Improvements to EAP-TLS authentication, so that a User-Name with a
domain prefix will match the certificate without a domain
name. Reported by "Dror Ben-Shlomo".

Fixed a problem where EAP-GTC would not work correctly with some
AuthBys that did direct password checking (such as AuthBy LDAP2 with
ServerChecksPassword enabled). Reported by Michal Marciniszyn.

Added a number of Airespace VSAs to dictionary, contributed by Steve
Caporossi.

Change-Filter-Request now includes a correct authenticator. Reported
by Ardolino Antonio.

PEAP outer handler did not set OriginalUserName for the inner packets.

Added sample hook to goodies/hooks.txt that shows how to discover the
socket that received a request on a multihomed host. Contributed by
Miko.

AuthBy DIGIPASS now supports PAP, CHAP, MSCHAPV2, EAP-MSCHAPV2,
EAP-OTP and EAP-GTC requests. Required some changes to the API for
check_mschapv2. Requires Authen-Digipass 1.5 or later (Linux and
Solaris packages included in this distribution. Windows PPM packages
available for download).

Fixed a problem where ForkClosesFDs would incorrectly close sockets
created by Monitor, Server TACACSPLUS or Server RADSEC if the server
forks or becomes a daemon.

In AuthLog SQL SuccessQuery and FailureQuery, new special character %4
is replaced by the SQL quoted original user name from the incoming
request (before any RewriteUsername rules were applied).

Added support for salt encryption of
Unisphere-Med-Dev-Handle. Required extensive refactoring of attribute
encryption and decryption. Attributes requiring encryption and
decryption with shared secrets are now handled by Radius::encode_attrs
and Radius::decode_attrs. Encoding is now done by Client or
ServerRADSEC just prior to replying. Function encode_tunnel_password
renamed to encode_salt.
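The salt encryption referred to above is the RFC 2868 section 3.5 scheme originally defined for Tunnel-Password (hence the old encode_tunnel_password name). What follows is an added example of that scheme, written for this announcement and not Radiator's encode_salt or decode code; the shared secret, Request-Authenticator and salt values used are constructed for the demonstration.

```python
"""RFC 2868 section 3.5 salt-encryption (the Tunnel-Password scheme).

Added example, not Radiator code.  Secret, authenticator and salt used in
the demo are constructed.
"""
import hashlib
import os


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def salt_encrypt(plaintext, secret, authenticator, salt=None):
    """Return salt || c1 || c2 ... for `plaintext`.

    P  = length octet + plaintext, zero-padded to a multiple of 16 octets
    b1 = MD5(S + R + A)      c1 = p1 XOR b1
    bi = MD5(S + c(i-1))     ci = pi XOR bi
    S = shared secret, R = Request-Authenticator, A = 2-octet salt whose
    first octet has the high bit set.
    """
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    if len(plaintext) > 255:
        raise ValueError("plaintext too long for a one-octet length field")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80, os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    p = bytes([len(plaintext)]) + plaintext
    p += b"\x00" * (-len(p) % 16)
    out = bytearray(salt)
    b = _md5(secret, authenticator, salt)
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], b)
        out += c
        b = _md5(secret, c)          # next keystream block chains on ciphertext
    return bytes(out)


def salt_decrypt(data, secret, authenticator):
    """Inverse of salt_encrypt; raises ValueError on malformed input.

    A wrong secret or authenticator decrypts to garbage; the length octet
    check catches many (not all) such cases, so callers should still treat
    the result as untrusted until it parses as the attribute they expect.
    """
    salt, body = data[:2], data[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not body or len(body) % 16:
        raise ValueError("malformed salt-encrypted attribute")
    p = bytearray()
    b = _md5(secret, authenticator, salt)
    for i in range(0, len(body), 16):
        c = body[i:i + 16]
        p += _xor(c, b)
        b = _md5(secret, c)
    n = p[0]
    if n > len(p) - 1:
        raise ValueError("length octet exceeds decrypted data (wrong secret?)")
    return bytes(p[1:1 + n])


def roundtrip_ok(plaintext, secret, authenticator):
    """True when encrypt then decrypt with a fresh random salt returns plaintext."""
    ct = salt_encrypt(plaintext, secret, authenticator)
    return salt_decrypt(ct, secret, authenticator) == plaintext


if __name__ == "__main__":
    ct = salt_encrypt(b"s3cret-handle", b"constructed-shared-secret", bytes(range(16)), b"\x8a\x3c")
    print(ct.hex())
```

The salt is what lets the same value appear in two replies without identical ciphertext, and the chaining on the previous ciphertext block is why a corrupted block only disturbs decryption from that block onwards. The scheme is keyed by the RADIUS shared secret and MD5, so its strength is no better than the secret's entropy; it hides the value from a passive observer but is not a modern AEAD.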

Performance and security improvements in Util::format_special

Fixed a problem that prevented one instance of Radiator acting as both
RADSEC server and client or as multiple RADSEC clients at the same
time. Requires patch for Net_SSLeay on Windows.

Fixed some compatibility problems between mkcertificate.sh and the
OpenSSL CA utilities in 0.9.7g and later.

New flag NullPasswordMatchesAny enables wildcard matching of NULL
password columns, i.e. a user whose password column is NULL is
accepted with any password. Defaults to enabled for AuthBy SQL and
disabled for AuthBy RADMIN, to be consistent with current default
behaviour; check that your AuthBy SQL user table does not rely on the
enabled default unintentionally.

EAP TLS now supports a new hook. EAPTLS_CertificateVerifyHook runs
after the request username or identity has been matched with the
certificate CN. It is passed the certificate, and various other
details, and returns a different user name which will be used to do
the user database lookup.

Testing with EMIC m/cluster, a MySQL clustering solution from
www.emicnetworks.com. M/cluster provides high availability,
scalability and manageability services for MySQL. OK.

Testing on Fedora Core 4.

Added a number of IPWireless attributes to dictionary. Contributed by
m.tavakolifard.

Testing on Debian 3.1r0a. OK.

Added support for LogMicroseconds to Monitor.

Added to goodies a new AuthBy RADIUSBYATTR that forwards to a RADIUS
server whose details (host, secret etc.) are specified in attributes
of the request. Useful for various specialised testing
scenarios. radiusbyattr.txt is a description of how to configure and
use it. Contributed by Miko.

SNMPAgent now supports special characters in BindAddress and Port
parameters. Contributed by José Borges Ferreira.

Added Daemon configuration file au.com.open.radiator.plist for OSX
10.4 (Tiger) to goodies. Contributed by Matt Richard.

EAP-TLS now matches certificate CNs even if they are in Unicode.

TTLS and PEAP now always dump the reply to the tunnelled request at
DEBUG level.

ServerChecksPassword now honours Timeout in AuthBy LDAP2. Patch
provided by Campbell Simpson.

In AddressAllocator DHCP, fixed a problem with the "secs" field in the
DHCP header when there are timeouts and retransmissions. Reported by
Ian Amess.

ClientListLDAP did not compile any PreHandlerHook entries from LDAP,
preventing the hook running. Reported by Peter Crystal.

Radpwtst did not use the -acct_port argument properly. Reported and
patched by Ruud Besseling.

Server TACACSPLUS can now use different per-Client Keys by looking for
a TACACSPLUSKey in a Client clause that matches the Tacacs client
address. If no matching Client with a TACACSPLUSKey is found, falls
back to the global Key defined in the Server TACACSPLUS
clause. Initial idea and patches contributed by James FitzGibbon.

Radpwtst with the -code flag sent to the -acct_port instead of the
-auth_port. Reported by Phillip Lou.

Added new special character %x, which is replaced by the EAP Identity
for PEAP and TTLS inner requests.

Fixed a problem with the SNMP MIB where some values were returned as
integer instead of counter32. Reported by Rani Assaf.

Permit plaintext passwords in the format '{clear}password', in order
to be compatible with some LDAP servers. Suggested by Andreas Meyer.

Testing with Novell NetWare 6.5 with eDirectory 8.7 and iManager
2.5. Improved Makefile.PL to implement the 'install' command under
NetWare (where perl Makefile.PL does not work). 'perl Makefile.PL
install' now installs all Radiator files, config files and startup
script on NetWare. Extended documentation about how to enable
Universal Passwords in eDirectory. Added chapter on NetWare
installation to the Reference Manual.

Testing with DBD::SQLite2. Added example table creation script
goodies/sqliteCreate.sql and added hints to documentation.

Added a number of new Redback VSAs to dictionary, contributed by
Toomas Karner.

Improvements so that ServerTACACSPLUS can now be configured for the
Username: and Password: prompts when authen-type of ASCII is
used. Added new flag -ascii to tacacsplustest to enable use of
authent-type ASCII instead of default PAP. Refactored some constants
and code from ServerTACACSPLUS to use equivalents in Tacacsplus.pm

Fixed some errors in definitions of Airespace-QoS-Level in
dictionary. Contributed by Theodore J. Knab.

Added goodies/radiator.sh, a Radiator startup script for FreeBSD and
rc-ng. Contributed by Paul Dekkers.

Improvements to AuthBy ROUNDROBIN. Now it attempts to deliver only a
limited amount of times. It will remember which server it tried to
send to at first and then on retry it will walk the whole RR list and
try each available server in a row. If it reaches the first server
again, it will abort the request. Patch provided by Rok Papez.
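The bounded walk described above (remember the first server tried, try each one in turn, abort when the walk reaches the first server again) is easy to get wrong in a way that loops forever or hammers a dead host. The following is an added example of that behaviour written for this announcement; it is not Radiator's AuthBy ROUNDROBIN code, and the host names are constructed.

```python
"""Bounded round-robin forwarding with a rotating start and a single
walk over the list.  Added example, not Radiator's AuthBy ROUNDROBIN
code; host names are constructed.
"""


class RoundRobin:
    def __init__(self, hosts):
        if not hosts:
            raise ValueError("need at least one host")
        self.hosts = list(hosts)
        self.next_start = 0          # rotates so successive requests spread load

    def forward(self, send, available=lambda host: True):
        """Try hosts starting at the rotating start index.

        send(host) returns True when a reply arrived, False on timeout.
        available(host) lets a caller skip hosts it already knows are down.
        Returns (host_that_replied_or_None, hosts_tried); the tried list
        never exceeds len(hosts), which is the point of the walk.
        """
        start = self.next_start
        self.next_start = (start + 1) % len(self.hosts)
        tried = []
        i = start
        while True:
            host = self.hosts[i]
            if available(host):
                tried.append(host)
                if send(host):
                    return host, tried
            i = (i + 1) % len(self.hosts)
            if i == start:          # back at the first server: abort the request
                return None, tried


if __name__ == "__main__":
    rr = RoundRobin(["radius1.example", "radius2.example", "radius3.example"])
    up = {"radius3.example"}
    print(rr.forward(lambda h: h in up))      # walks 1, 2, then succeeds on 3
    print(rr.forward(lambda h: False))        # starts at 2, walks 2, 3, 1, gives up
```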

Improvements to allow use of Client-Identifier check items to detect
whether a request was received by a Server RADSEC clause: the check
item matches against the Identifier of the Server RADSEC clause that
received the request. Server RADSEC TLS_ExpectedPeerName now defaults
to the DNS name of the RadSec client (if resolvable), else the client's
IP address. Fixed a problem where Server RADSEC did not check the
Radius authenticator on incoming requests. Suggestions by Paul Dekkers.

Fixed problems where multiple TLS RadSec clients were initialised
within the same server. Certificate passwords were incorrect and some
TLS sessions would not initialise properly. Better support for
different certificates in each TLS RadSec client. Reported by Paul
Dekkers.

Fixed some interactions between different uses of Net_SSLeay, where
the verify callback got clobbered by IO::Socket::SSL, which caused
crashes when LDAP+(SSL or TLS) was used with RadSec or
EAP-TLS. Reported by Jan Tomasek and Ross Wakelin.

The LDAP Deref parameter did not work as expected, since it was passed
to LDAP new rather than search. Reported by Matthew Lohier.

AuthBy GROUP now prints the Identifier in the 'Handling with ....'
DEBUG message. Requested by Jethro R Binks.

Improvements to peer certificate verification for RadSec
connections. Client side verifies the configured server Host name
against the server certificate CNs or subjectAltNames (DNS or IPADD
types). Server side verifies the client IP address against the client
certificate CNs or subjectAltNames (IPADD types only). Exact match and
wildcard matches are honoured. If those fail then TLS_ExpectedPeerName
pattern is matched against the entire Subject name. If all those fail,
the certificate is not verified and the RadSec connection will be
terminated. Updated RadSec example configuration files. This is all in
line with RFC 2595. Suggested by Jan Tomasek. Caution, use of
subjectAltNames requires patches for Net_SSLeay from this patch.
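The verification order described above (exact or single-label wildcard match of the configured name against the CNs and subjectAltNames, then the TLS_ExpectedPeerName pattern against the whole Subject, otherwise reject and drop the connection) is shown below as an added example written for this announcement. It is not Radiator's verification code; the certificate records are constructed dictionaries standing in for parsed X.509 data, and the field names in them are assumptions.

```python
"""RadSec peer identity verification order: CN/subjectAltName match,
then TLS_ExpectedPeerName pattern on the Subject, else reject.

Added example, not Radiator code.  Certificate records are constructed
dictionaries: {'subject': str, 'cn': [...], 'san_dns': [...], 'san_ip': [...]}.
"""
import ipaddress
import re


def name_matches(pattern, name):
    """Case-insensitive exact match, or a single left-most '*' label
    (RFC 2595 section 2.4: '*.example.org' matches 'a.example.org' but
    neither 'example.org' nor 'a.b.example.org')."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # ".example.org"
        head = name[:-len(suffix)] if name.endswith(suffix) else None
        return bool(head) and "." not in head
    return False


def ip_matches(candidate, addr):
    """Compare as addresses so '192.000.002.010' style spellings do not slip by."""
    try:
        return ipaddress.ip_address(candidate) == ipaddress.ip_address(addr)
    except ValueError:
        return False


def verify_peer(cert, role, host=None, peer_ip=None, expected_peer_name=None):
    """Return (accepted, reason).

    role 'client': we opened the connection; the configured server Host is
    checked against CNs and DNS/IP subjectAltNames.
    role 'server': the connecting client's IP is checked against CNs and
    IP subjectAltNames only.
    Either way, if that fails and TLS_ExpectedPeerName is configured, it is
    applied as a regular expression to the entire Subject.
    """
    cns = cert.get("cn", [])
    if role == "client":
        if any(name_matches(n, host) for n in cns + cert.get("san_dns", [])):
            return True, "host matched CN/subjectAltName"
        if any(ip_matches(a, host) for a in cert.get("san_ip", [])):
            return True, "host matched IP subjectAltName"
    elif role == "server":
        if any(ip_matches(a, peer_ip) for a in cns + cert.get("san_ip", [])):
            return True, "client IP matched CN/subjectAltName"
    else:
        raise ValueError("role must be 'client' or 'server'")
    if expected_peer_name and re.search(expected_peer_name, cert.get("subject", "")):
        return True, "TLS_ExpectedPeerName matched Subject"
    return False, "no match: terminate the RadSec connection"


if __name__ == "__main__":
    server_cert = {"subject": "/C=AU/O=Example Org/CN=*.example.org",
                   "cn": ["*.example.org"], "san_dns": [], "san_ip": []}
    print(verify_peer(server_cert, "client", host="radsec1.example.org"))
    print(verify_peer(server_cert, "client", host="a.b.example.org"))
```

An over-broad TLS_ExpectedPeerName (for example a bare `.`) turns the fallback into an accept-anything rule for every certificate the CA will sign, so keep the pattern anchored to a specific O= or CN= component.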

Testing on FreeBSD 6.0 RELEASE. OK.

Fixed problems with session database code crashing if there were no
Client clauses defined and Client.pm not loaded, as in purely RadSec
or TACACS+ servers. Reported by Sajeewa Warnakulasuriya.

Fixed a problem with Status-Server and SNMP statistics where proxied
requests were incorrectly counted in the dropped statistics
too. Reported by Miko.

Fixed a compatibility problem with AuthBy KRB5 and krb5-1.4.*, where
krb5_init_ets is not present and not required. Reported by Joon Yun.

Added APC-Service-Type and APC-Outlets to dictionary. Contributed by
"Cassidy B. Larson".

Added support for FailureBackoffTime, MaxFailedRequests and
MaxFailedGraceTime to the RadSec client, similar to AuthBy
RADIUS. This permits RADSEC host failure detection and also automatic
reforwarding to alternate RADSEC hosts by using NoReplyHook.

Server TACACSPLUS now prints the reply to its Radius request when at
trace level 4.

Added ability to match Client clauses based on client MAC
address. Requested by Steve Shippa.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

