[RADIATOR-ANNOUNCE] Radiator Version 4.4 released

Mike McCauley mikem at open.com.au
Tue Mar 10 18:33:29 CST 2009


We are pleased to announce the release of Radiator version 4.4

This version contains a number of bug fixes as well as
improvements to WiMAX and RSA Authentication Manager 7.1 support.


As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.html

An extract from the history file
http://www.open.com.au/radiator/history.html is below:

-----------------------------
Revision 4.4 (2009-03-11) Bug fixes and new features. 

Fixed a problem with AuthBy WIMAX which would fail when TTLS-MSCHAPV2 was
used. Improved goodies/wimaxtest to support -mschapv2 flag to cause
TTLS-MSCHAPV2 authentication. Reported by "Valentin Tumarkin".

Fixed a memory leak in ClientListSQL and ClientListLDAP where Client clauses
may not get reclaimed when the client list is refreshed. Reported by Aaron
Mar.

Fixed a problem with ServerHTTP where manual editing of a file larger than 16k
would cause error '413 Request Entity Too Large'. The limit has been increased
to 1MB. Reported by Tito Macapinlac.

Fixed a problem with AuthBy NTLM. UsernameMatchesWithoutRealm worked correctly
with MSCHAPV2, but not with PAP or MSCHAPV1. Reported by Sami Keski-Kasari.

Altered the behaviour of TLS_SubjectAltNameURI in all StreamTLS based
protocols (such as RadSec, DIAMETER etc.) at the suggestion of Stefan
Winter. Now TLS_SubjectAltNameURI imposes an additional mandatory constraint
on the peer certificate. If TLS_SubjectAltNameURI is defined it MUST match at
least one subjectAltName:URI in the peer certificate, in addition to any other
certificate verification requirements (such as DNS name, host name
etc). Requires Net-SSLeay 1.30 or later.
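The point of the change above is that the URI check is conjunctive: a peer
that passes the DNS/host name check but has no matching subjectAltName:URI is
still rejected. The following is an added example, not Radiator code, of that
logic over a certificate in the dict shape Python's ssl.getpeercert() returns.
The certificate values are constructed, and the example treats the configured
URI as an exact string, which is an assumption; Radiator's own matching rules
are not described here.

```python
"""Added example (not Radiator code): enforce a mandatory subjectAltName:URI
constraint on a peer certificate, in addition to the usual name check."""

# Constructed peer certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the names are made up for this example.
PEER_CERT = {
    "subject": ((("commonName", "radsec.example.org"),),),
    "subjectAltName": (
        ("DNS", "radsec.example.org"),
        ("URI", "radsec://radsec.example.org:2083"),
    ),
}


def san_values(cert, kind):
    """All subjectAltName entries of one kind ('DNS', 'URI', ...)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def hostname_matches(cert, hostname):
    """Basic RFC 6125-style check: a DNS SAN (wildcard allowed in the
    leftmost label only) or, absent any DNS SAN, the subject CN must equal
    the expected host."""
    names = san_values(cert, "DNS")
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # a wildcard covers exactly one label
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def verify_peer(cert, hostname, required_san_uri=None):
    """Accept only if the hostname check passes AND, when a URI constraint
    is configured, at least one subjectAltName:URI equals it. Either check
    failing is a hard reject."""
    if not hostname_matches(cert, hostname):
        return False
    if required_san_uri is not None:
        return required_san_uri in san_values(cert, "URI")
    return True
```

With no URI configured the host name check alone decides; once a URI is
configured, a certificate that only matches on DNS name is refused.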

Improvements to behaviour of passwords in the form {clear}password, so they
will work with CHAP, MSCHAP and MSCHAPV2. Reported by Liam Widdowson.
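CHAP and the MS-CHAP variants can only be verified when the server has the
user's password in recoverable form, which is why a stored value of the form
{clear}password matters here. The following is an added example, not Radiator
code, showing an RFC 1994 CHAP check against such a stored value; the stored
values and challenge are constructed for the example.

```python
"""Added example (not Radiator code): verifying a CHAP response requires the
stored password in clear, as with the {clear}password form."""
import hashlib
import hmac
import os


def chap_response(chap_id, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def stored_cleartext(stored):
    """Return the plaintext for a stored value of the form {clear}password,
    or the bare value when no {...} prefix is present. Return None for any
    other prefixed format (a hash), since it cannot yield the plaintext."""
    if stored.startswith("{clear}"):
        return stored[len("{clear}"):]
    if stored.startswith("{"):
        return None
    return stored


def check_chap(stored, chap_id, challenge, response):
    """True only if the stored password is usable for CHAP and the digest
    the client sent matches the one computed from it."""
    pw = stored_cleartext(stored)
    if pw is None:
        return False  # no plaintext, so no expected digest to compare with
    expected = chap_response(chap_id, pw.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange: the same response checked against a {clear}
    entry and against a hashed entry. Returns (accepted, accepted)."""
    challenge = os.urandom(16)
    resp = chap_response(7, b"s3cret", challenge)
    return (check_chap("{clear}s3cret", 7, challenge, resp),
            check_chap("{crypt}xyz", 7, challenge, resp))
```

The second result of demo() is always False: with only a one-way hash stored,
the server cannot recompute the client's digest, so CHAP-family methods must
be backed by clear or reversibly stored passwords.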

Fixed collisions between some VSAs in dictionary: renamed Cisco attributes
Account-Info, Service-Info, Command-Code, Control-Info to have 'Cisco-'
prefix. Renamed the Enterasys Command-Code to Enterasys-Command-Code.

AuthBy RSAAM now honours UsernameMatchesWithoutRealm and other username
transformation parameters. Reported by Sami Keski-Kasari.

Fixed a problem where EAP-MSCHAPV2 would incorrectly authenticate users when
misconfigured with AuthBy RSAAM. Reported by Sami Keski-Kasari.

EAP Generic Token Card now honours UsernameMatchesWithoutRealm. Reported by
Sami Keski-Kasari.

Tested TTLS-MSCHAPV2 with iPhone 2.0. OK.

Added instructions and Portfile for installing Radiator on MacOSX. Contributed
by Mark Duling. Deprecated INSTALL.MacOSX RadiatorMacOSX.tar.gz.

Added goodies/lancom-radsec.txt, instructions and hints for configuring a
Lancom L-54g wireless Access Point to authenticate using an external RadSec
server.

Tested against Lancom L-54g wireless Access Point configured for external
RadSec authentication for 802.1X. OK.

Improvements to AuthBy WIMAX, in order to support Alvarion WiMAX equipment and
various other operator requirements, requested by Manuel Kasper. Can now use
AuthSelect and AuthColumnDef to alter the SQL authentication query and add
reply attributes. You can customise other SQL queries using during WiMAX
processing with GetCachedKeyQuery, GetHotlineProfileQuery,
GetQosProfileQuery. Can now handle accounting using AcctSQLStatement the same
as AuthBy SQL.

Fixed a problem where use of Client CIDR addresses would not always result in
the correct Client being found. Reported by Fabio Prina.

In AuthBy LDAP_APS, PasswordServerAddress was working for PAP, but did not
work as expected for MSCHAP and Digest-MD5 authentication. Reported by Mark
Duling.

Added OSC-Version-Identifier to dictionary.

Fixed typos in dictionary. Cisco-Maximum-Time was Cisco-Maximun-Time and
Cisco-Maximum-Channels was Cisco-Maximun-Channels. Reported by Fabio Prina.

Server TACACSPLUS now sets OSC-Version-Identifier in the RADIUS requests from
the version number in the incoming Tacacs+ request. The Major and Minor
numbers are combined in a single integer as per the Tacacs+ specification
(i.e. version 0 is represented as 192 and version 1 is represented as 193).
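The 192/193 values above are the TACACS+ version octet taken as a whole: the
major version 0xC in the high nibble and the minor version in the low nibble.
The following is an added example, not Radiator code, that parses a TACACS+
header, exposes that combined version value, and de-obfuscates the body with
the shared key as RFC 8907 section 4.5 describes (the body is where the
plaintext password travels, so it is also the part to keep out of debug
logs). The packet and key are constructed for the example.

```python
"""Added example (not Radiator code): TACACS+ header parsing, version octet
handling (0xC0 = 192, 0xC1 = 193) and body de-obfuscation per RFC 8907."""
import hashlib
import struct

# version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def parse_header(data):
    """Split the 12-octet header; reject anything whose major nibble is not
    0xC. 'version' is the whole octet, i.e. 192 or 193 for minor 0 or 1."""
    version, typ, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ packet: major version %d" % (version >> 4))
    return {"version": version, "major": version >> 4, "minor": version & 0xF,
            "type": typ, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5: pad_1 = MD5(session_id||key||version||seq_no),
    pad_n = MD5(session_id||key||version||seq_no||pad_{n-1}); concatenate
    and truncate to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def unobfuscate(packet, key):
    """Return (header dict, cleartext body). A wrong key yields garbage, not
    an error: TACACS+ obfuscation carries no integrity check."""
    hdr = parse_header(packet)
    body = packet[HEADER.size:HEADER.size + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return hdr, bytes(a ^ b for a, b in zip(body, pad))


def build_packet(version, typ, seq_no, session_id, key, body):
    """Inverse of unobfuscate; used here only to construct a sample packet."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    obf = bytes(a ^ b for a, b in zip(body, pad))
    return HEADER.pack(version, typ, seq_no, 0, session_id, len(obf)) + obf


# Constructed sample: minor version 1 (octet 0xC1 = 193), type 1
# (authentication), seq_no 1, made-up session id, key and body.
SAMPLE_KEY = b"tacacskey"
SAMPLE_PACKET = build_packet(0xC1, 0x01, 1, 0x1234ABCD, SAMPLE_KEY, b"constructed body")
```

Because the pseudo-pad depends only on values in the clear header plus the
key, anyone holding the shared key can recover every body on the wire; the
obfuscation is confidentiality against passive observers without the key and
nothing more.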

Incoming requests processed by Server RADSEC were logged twice. Reported by
Paul Dekkers.

Can now properly send Starent VSAs. Receiving was already supported.

Fixed a problem that prevented reply attributes from a TTLS inner reply being
sent in the reply to a session resumption. Reported by David Spindler.

Fixed a problem where certain malformed RADIUS requests could cause a hard
loop.

Accounting requests that are REJECTED (due, say, to UsernameCharset) are now
logged at DEBUG level.

Added Trapeze Networks attributes to dictionary. Contributed by P Havekes.

AuthBy RADIUS would previously die if it was unable to bind to a socket (for
example if a non-existent BindAddress was used). Reported by Andrew D. Clark.

AuthBy WIMAX now supports ASCII encoding of WiMAX-Packet-Flow-Descriptor and
WiMAX-QoS-Descriptor. They are parsed and converted to the WiMAX required
binary format automatically.

Improvements to Solaris scripts and config file for use by the Solaris package

When LogMicroseconds is used, the microseconds are now left padded with zeroes
for easier reading.

Can now handle Change-Filter-Request requests in AuthINTERNAL and
others. Accept will result in a Change-Filter-Request-ACKed reply and a
reject will cause a Change-Filter-Request-NAKed.

Fixed a problem with AuthBy RADSEC caused by the recently added LocalAddress
support: If the Host address is an IPV6 address, an error with binding to
0.0.0.0:0 was reported. The default bind address is now determined by the
operating system, except when LocalAddress is specified. Can now specify
LocalAddress as an IPV6 address.

Error messages from Server TACACSPLUS now include the originating address and
port number. Requested by Andrew D. Clark.

Added various Nortel OME6500/OM5000 VSAs to dictionary.

Added new option -leap to radpwtst for testing EAP-LEAP.

Fixed a number of misspellings from 'redespatched' to 'redispatched'.

Fixed some incorrect behaviour of Resolver under perl5.8.8 on some platforms.

Improvements to AuthBy RSAAM so that chains of RSAAM authenticators with
different Policy settings will work correctly.

Added support for Alcatel/Lucent ESAM VSAs (vendor ID 637) which have
non-standard VSA format. Also added A-ESAM-* entries to
dictionary. Contributed by John Pendleton.

AuthBy LDAPDIGIPASS didn't close its connection if HoldServerConnection wasn't
set. Reported and patched by Kees Guequierre.

Added precompiled RPM for Authen-Digipass for perl 5.10
(Authen-Digipass-1.9-1.i686.rpm is for perl 5.8 only).

In AuthBy RSAAM, added translations for some further prompts,
POLICY_VIOLATION_* etc. Improved prompts during system-generated-PIN
mode. Improved support for AM server failover. AM Server failure now causes an
IGNORE, and AuthByPolicy ContinueWhileIgnore can be used to try multiple AM
servers in sequence until a successful connection is made. Changes to chaining
of RSAAM clauses mean that in order to try one RSAAM Policy, followed by
another you must use the AuthByPolicy ContinueUntilAcceptOrChallenge.

Added support for new AuthByPolicy settings of ContinueWhileChallenge and
ContinueUntilChallenge.

Added support for EAPTLS_RequireClientCert to TTLS and PEAP. Setting this
optional parameter now requires the client to present a valid client
certificate during the TLS handshake.

Improved documentation in AuthBy ACE examples. Improved misleading user
messages when AuthBy ACE is used with AM 7.1. Fixed problems with Authen-ACE4
when used with AM 7.1 and system-generated PINs, requires Authen-ACE4 1.3. New
Authen-ACE4 1.3 ppm packages for Windows, including support for Perl 5.10 on
Windows.

Added precompiled Authen-Digipass ppm package for perl 5.10 on Windows.

Improved session resumption in PEAP. Previously, resumed sessions triggered an
inner authentication. Now the inner authentication is reused too. Reported by
Tom Rixom.

Added new hook EAPTLS_CommonNameHook for EAP TLS support. Normally EAP-TLS
attempts to match a CN in the client certificate against either the User-Name
or EAP identity (either with or without domain names). This hook allows you to
extend this matching and match a certificate CN against some other user
attribute, such as the Calling-Station-Id as required by some WiMAX devices.

Added EAP TLS initialization to add the SHA256 digest, required for some WiMAX
devices and certificates. Requested by Jinsong Zhu. Requires Net-SSLeay 1.35
plus the latest SVN patches (or later) and OpenSSL 0.9.8i or later.

Fixed a problem with special character %J, which incorrectly had leading
spaces before the day number. Reported by
Jose Ferreira.

Added Citrix-CAG-Groups to dictionary.

Added beta version of a new AuthBy EAPBALANCE module. EAPBALANCE distributes
EAP conversations among multiple back ends and ensures that a given
conversation always goes to the same backend, even in the face of backend
failures. Suitable for use with FarmSize for high performance EAP-capable
systems on multi-core hosts.

Fixed some errors in the types of WiMAX attributes in
dictionary. WiMAX-HTTP-Redirection-Rule changed from binary to string. Added
WiMAX-Time-Of-Day-Time. Added NAS-Filter-Rule. Requested by Garima Mahadik.

Timestamp was incorrectly added twice if a request was redirected through
Handler, say by AuthHANDLER or similar.

Changes so that the plaintext password is not logged at debug level during
Tacacs authentication. Requested by Markus Moeller.

Fixed some problems with mixed placeholders causing crashes on Windows when
ODBC in use and when Quote: fails to match properly. Improved error reporting
in SqlDb when a prepare croaks. Improvements to nested special character
matching to exclude trivial matches caused by embedded curlies. Reported by
Edgard B. Haddad.

In AuthBy POP3, parameters Host, Port and LocalAddr did not have
packet-specific data available for special characters. Reported by Aaron
Holtz.

Fixed a problem with incorrect statistics for dropped requests when inner TTLS
and PEAP requests are proxied. Reported by Dan Cachola.

Improved handling of Security Questions prompts in AuthBy RSAAM.

Fixed AuthBy IMAP so it will work with Mail-IMAP versions later than 2.99,
using the new Mail::IMAP RawSocket call. Reported and patched by Wolfram
Grienert.

Fixed a problem with Server HTTP where a configuration that contained an
AuthLog clause would incorrectly be saved as an AuthBy clause. Reported by
Steven R Sterner.

AuthBy WIMAX incorrectly set Session-Timeout to the absolute epoch time,
rather than the relative KeyLifetime. Reported by Valentin Tumarkin.

Fixed a problem in AuthBy WIMAX with DHCP keys that could cause a crash. Also
fixed a problem with session resumption when Pseudo Ids are in
use. goodies/wimaxtest now supports session resumption with a [-reauth count]
command line argument.

Fixed a problem with reused session authentication in EAP-TTLS.

Added sample configuration files for Radiator, Cisco Nexus 7000 and sample
debug file, showing how to set up RBAC - Role-Based Access Control on the
Cisco Nexus 7000. Contributed by Matthew Nichols.

Fixed a problem when AuthBy RADIUS tries to forward to a non-existent DNS
name, a crash could occur. Reported by Patrick Renkens.

Ensure TLS does not resume sessions unless EAPTLS_SessionResumption is set.

Added support for new parameter in AuthBy WIMAX. MSKInMPPEKeys forces the MSK
to be encoded in MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as the usual
WiMAX-MSK reply attributes. This is required by some non-compliant clients,
such as some Alcatel-Lucent devices.
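Putting the MSK into MS-MPPE-Send-Key and MS-MPPE-Recv-Key means splitting
the 64-octet MSK and wrapping each half with the RFC 2548 section 2.4.2
salt-encryption under the RADIUS shared secret and Request Authenticator.
The following is an added example, not Radiator code, of that wrapping and
its inverse; the MSK, secret, authenticator and salts are constructed, and
the half-to-attribute assignment follows RFC 5247 section 3.1 (Recv-Key gets
the first 32 octets, Send-Key the second 32).

```python
"""Added example (not Radiator code): RFC 2548 MS-MPPE key wrapping of an
EAP MSK into MS-MPPE-Recv-Key / MS-MPPE-Send-Key, and the matching unwrap."""
import hashlib
import os


def new_salt():
    """2-octet salt with the most significant bit set, as RFC 2548 requires."""
    s = bytearray(os.urandom(2))
    s[0] |= 0x80
    return bytes(s)


def mppe_encrypt(key, secret, req_auth, salt):
    """RFC 2548 s2.4.2: P = len(key) || key || zero pad to 16n;
    b(1) = MD5(S||R||A), c(1) = p(1) xor b(1);
    b(i) = MD5(S||c(i-1)), c(i) = p(i) xor b(i). Output = salt || c(1..n)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the MSB set")
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c
    return salt + out


def mppe_decrypt(blob, secret, req_auth):
    """Inverse of mppe_encrypt. Note there is no integrity check: a wrong
    secret gives garbage or a length error, never a clean failure."""
    salt, data = blob[:2], blob[2:]
    if len(data) % 16 or len(data) == 0 or not salt[0] & 0x80:
        raise ValueError("malformed MPPE key attribute")
    p, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        prev = data[i:i + 16]
    n = p[0]
    if n > len(p) - 1:
        raise ValueError("bad key length octet")
    return p[1:1 + n]


def msk_to_mppe(msk, secret, req_auth, salt_recv, salt_send):
    """Split a 64-octet MSK per RFC 5247 s3.1 and wrap each half. Two
    different salts are used so the two ciphertexts differ even if the
    halves were equal."""
    if len(msk) != 64:
        raise ValueError("MSK must be 64 octets")
    return {
        "MS-MPPE-Recv-Key": mppe_encrypt(msk[:32], secret, req_auth, salt_recv),
        "MS-MPPE-Send-Key": mppe_encrypt(msk[32:], secret, req_auth, salt_send),
    }
```

For a 32-octet half the wrapped attribute is 50 octets (2 salt + 48: one
length octet plus 32 key octets padded to three 16-octet blocks). The wrap
depends on the Request Authenticator, so the attribute is bound to the
specific Access-Request it answers.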

Improved behaviour of AuthBy WIMAX when creating and setting
WiMAX-AAA-Session-ID to be compatible with more WiMAX
clients. WiMAX-AAA-Session-ID is now only allocated and returned in the
Access-Accept. Also made more SQL queries configurable. Reported by
Kasra Kangavari.

Changed primary key in device_session in sample wimax.sql to match earlier
changes to session saving based on session ID instead of NAI.
-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
