[RADIATOR-ANNOUNCE] Radiator Version 4.7 released

Mike McCauley mikem at open.com.au
Tue Aug 10 18:53:37 CDT 2010


We are pleased to announce the release of Radiator version 4.7

This version contains some new features and minor bug fixes.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php

An extract from the history file
http://www.open.com.au/radiator/history.html is below:

Revision 4.7 (2010-08-11) New features and some bug fixes. 

Added support for Django style passwords in the format:
sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78b
and
md5$a1976$e67d1ca20e9c28321b86e34076cc48ab
as specified by http://docs.djangoproject.com/en/dev/topics/auth/#passwords.
Contributed by Jerome Fleury.
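The legacy Django layout above is `algorithm$salt$hexdigest`, where the digest is the hash of the salt followed by the raw password. The following Python is an added example, not Radiator code or Jerome Fleury's contribution: it parses the stored string, recomputes the digest and compares it in constant time. The verification sample is built from a known secret because the password behind the page's own hash is not known; that hash is only used as a parsing sample.

```python
import hashlib
import hmac
import re

# Hash quoted from the release note, used here purely to exercise the parser.
PAGE_SAMPLE = "sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78b"

# Only the two algorithms the release note lists are accepted.
_DJANGO_RE = re.compile(r"^(sha1|md5)\$([^$]*)\$([0-9a-f]+)$")
_DIGEST_LEN = {"sha1": 40, "md5": 32}


def parse_django_password(stored):
    """Split 'algo$salt$hexdigest'; return (algo, salt, hexdigest) or None."""
    m = _DJANGO_RE.match(stored)
    if not m:
        return None
    algo, salt, digest = m.groups()
    if len(digest) != _DIGEST_LEN[algo]:
        return None
    return algo, salt, digest


def django_hexdigest(algo, salt, password):
    # Legacy Django scheme: hexdigest(salt + raw_password), one iteration.
    h = hashlib.new(algo)
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def make_django_password(algo, salt, password):
    """Build a stored value in the same layout (used to construct test data)."""
    return "%s$%s$%s" % (algo, salt, django_hexdigest(algo, salt, password))


def verify_django_password(stored, password):
    """True only if the stored value parses and the recomputed digest matches."""
    parsed = parse_django_password(stored)
    if parsed is None:
        return False
    algo, salt, digest = parsed
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(django_hexdigest(algo, salt, password), digest)
```

Note that this scheme is a single unsalted-iteration hash with a short salt; it is shown because it is what the release supports, and a password store that can be migrated should prefer an iterated construction such as PBKDF2, which later Django versions adopted.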

Fixed a bug in ServerTACACSPLUS to do with closing the authgroup
file. Reported by Wolfgang.Koenig.

Added sample configuration file for Radiator, showing how to
proxy requests to the WiKID (http://www.wikidsystems.com/) Strong
Authentication RADIUS Server.

Fixed a problem where AuthBy SQLRADIUS statistics were not kept
correctly up to date in the case of recovered servers. Reported by
Dan Cachola.

Factored out EAP-FAST PAC creation and retrieval from EAP_43 to
AuthGeneric. AuthBy SQL can now override these functions and use
SQL queries to save and retrieve PACs, or to retrieve
pre-provisioned PACs from the database. If AuthBy SQL does not
define CreateEAPFastPACQuery, then it falls back to the default
of saving PACs in Radiator memory.

Added sample configuration file and detailed installation
instructions for the Secure Metric (www.securemetric.com)
SecureOTP one-time-password system, including details on how to
proxy requests to the SecureOTP RADIUS Server.

Minor changes of some log messages from INFO to DEBUG level, to
reduce noise level. Additional information in some AuthBy RADIUS
and EAP messages to improve diagnostics in load balancing
systems. Requested by Myles Fenton.

Added support for the -retries flag to radpwtst.

Removed redundant noReplyFromProxy from goodies. The code is in
goodies/hooks.txt.

Previously, radpwtst would use the same random authenticator for
all requests. radpwtst now uses a different random authenticator
for each request, which can help with testing of duplicate
detection.

Added OSC-Device-Identifier, OSC-User-Identifier and
OSC-Group-Identifier to dictionary.

Added the Identifier to the "Handling request with Handler ...."
debug message.

Fixed an error in the calculation of responseTime statistics.

Improvements to detection and use of Time::HiRes. New function
Radius::Util::getTimeHires returns (seconds,
microseconds). Microseconds is 0 if Time::HiRes is not
available. responseTime is now measured with microsecond accuracy
if Time::HiRes is available, improving the accuracy of statistics
calculations.

Added a number of DeTeMobil Vendor-Specific Attributes to
dictionary. Contributed by Alexander Hartmaier.

Improvements to AuthBy LDAP2 performance: if ServerChecksPassword
is in use, and if the server rejects the password due to
LDAP_INVALID_CREDENTIALS or LDAP_INAPPROPRIATE_AUTH, do not
disconnect from the LDAP server. Previously, this would cause an
unnecessary disconnect.

Added symbolic vendor names for T-Mobile and TMO to dictionary.

Added function changePassword to AuthBy LDAP2 to support custom
code to change user passwords. Net::LDAP compatibility
improvements with use of Net::LDAP::Entry->get_value(..., asref
=> 1) instead of get(...).

Abstracted the generic Yubikey support code into
AuthYUBIKEYGENERIC.pm; AuthSQLYUBIKEY is now a subclass. This enables
the development of new subclasses for supporting Yubikey in other
types of database, such as LDAP.

Changes to the RPM build spec to accommodate RPM_BUILD_DIR to
circumvent rpm building problems on some platforms.

Added more 3GPP attributes to dictionary as per
http://www.3gpp2.org/Public_html/specs/X.S0011-005-E_v1.0_091116.pdf

Improved behaviour of AuthBy FIDELIO when LA messages are
received. Previously they would always cause a database
update. Now this only happens on the first LA. Fixed a bug in
fideliosim.pl. fideliosim.pl now sends LA requests every 10
seconds.

AuthBy FIDELIO now never uses a posting sequence number of 0000,
following advice from Michael Herzig. Starts at 0001 and wraps
from 9999 to 0001.

AuthBy FIDELIO now implements 2 new configuration parameters:
PostingExtraFields allows you to override or add extra data fields
to be sent in the Opera posting record. PostingRecordID allows you
to change the posting record ID from the default of 'PS' to, say,
'PR'. Examples are in the fidelio.cfg sample configuration file.

Fixed a potential memory leak with EAP-TLS. X509_free is used to
free the certificate. Reported by Robert Hwang.

Fixed an error with the formatting of dates in the DA field in
AuthBy FIDELIO: the month and day elements were
reversed. Reported by Michael Herzig.

Added new convenience function post() to AuthFIDELIO.pm for
posting accounting requests to Fidelio, and which can be used by
other hooks. Improved a number of separator formatting issues in
messages sent to Fidelio.

Added sample Radiator configuration, showing how to build a WiFi
hotspot with, for example MikroTik (www.mikrotik.com) hotspot and
captive portal, which authenticates against Micros-Fidelio Opera
hotel management system, and permits the user to purchase WiFi
internet access in blocks of 24 hours which are billed to the
user's room through Opera. Example works with MySQL as a session
database (schema included), but other databases can be supported.

Added new configuration parameter LogOpt to Log SYSLOG and
AuthLog SYSLOG clauses, allowing control over the syslog options
used. LogOpt is a comma separated list of words from the set
cons,ndelay,nofatal,nowait,perror,pid as described in the Perl
Sys::Syslog module. Defaults to pid. Contributed by Bjoern
A. Zeeb with some changes.

Added reload option to goodies/linux-radiator.init. Contributed
by David Worth.

Added new parameter CheckoutGraceTime to AuthBy FIDELIO. Permits
users to log in for this period of time after they have checked
out. Contributed by Manuel Kasper, with some minor changes.

Improvements to AuthBy LSA to permit machine authentication in
groups.

Added new parameter NAPTR-Pattern to Resolver. NAPTR-Pattern is an optional 
parameter that specifies a regexp that will be used to match the contents of 
NAPTR records during Resolver service discovery. If NAPTR-Pattern is defined 
and matches a NAPTR DNS record, it will be used to determine the protocol and 
transport to be used. The regex is expected to match 2 substrings. The first 
is the protocol and can be 'radsec' or 'radius'. The second is the transport 
to use, and can be 'tls', 'tcp' or 'udp'. This has been added to support 
proposed new NAPTR standards for Eduroam. Requested by Stefan Winter. 
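To make the NAPTR-Pattern contract concrete (a regexp with two capture groups, the first giving the protocol and the second the transport), here is an added Python example that is not Radiator's Resolver code. The NAPTR records and the `x-eduroam:` service tags are constructed for the example; the real service tags for a given federation come from its own NAPTR specification.

```python
import re

# Constructed NAPTR answer set for one realm: (order, preference, flags,
# service, regexp, replacement). Not real eduroam data.
NAPTR_RECORDS = [
    (60, 10, "s", "x-eduroam:radius.udp", "", "_radius._udp.example.com."),
    (50, 10, "s", "x-eduroam:radsec.tls", "", "_radsec._tcp.example.com."),
    (70, 10, "s", "x-eduroam:radius.tcp", "", "_radius._tcp.example.com."),
]

# Assumed NAPTR-Pattern value: two groups, protocol then transport.
NAPTR_PATTERN = r"^x-eduroam:(radsec|radius)\.(tls|tcp|udp)$"

VALID_PROTOCOLS = {"radsec", "radius"}
VALID_TRANSPORTS = {"tls", "tcp", "udp"}


def compile_naptr_pattern(pattern):
    """Reject a pattern that cannot yield the two substrings Resolver needs."""
    rx = re.compile(pattern)
    if rx.groups < 2:
        raise ValueError("NAPTR-Pattern must capture protocol and transport")
    return rx


def select_naptr(records, pattern):
    """Walk records in NAPTR order/preference; return the first usable target.

    Returns (protocol, transport, replacement) or None when nothing matches.
    A match whose captured values are outside the documented sets is skipped
    rather than trusted, since the regexp is config-supplied and may be loose.
    """
    rx = compile_naptr_pattern(pattern)
    for order, pref, flags, service, regexp, replacement in sorted(records):
        m = rx.search(service)
        if not m:
            continue
        protocol, transport = m.group(1).lower(), m.group(2).lower()
        if protocol not in VALID_PROTOCOLS or transport not in VALID_TRANSPORTS:
            continue
        return protocol, transport, replacement.rstrip(".")
    return None


if __name__ == "__main__":
    print(select_naptr(NAPTR_RECORDS, NAPTR_PATTERN))
```

Sorting by (order, preference) before matching is what makes the lowest-order record win even though the constructed list is not in order; a pattern that matches only the `radius.udp` tag would select that record instead, which is the operator's lever for preferring or excluding a transport.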

Win32-Lsa for Windows 64 bit ActivePerl 5.10 is now available
with:
        ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd

Improvements to the "No reply after ...." message in AuthBy
RADIUS to include the Identifier and the delay time. Requested by
Myles Fenton.

Minor improvements to AuthBy NTLM for testing.

StreamTLS classes, such as ServerRADSEC, ServerDIAMETER,
AuthByRADSEC etc. now support EAPTLS_CRLFile with operating
system wildcards. Similarly, TLS based classes such as TLS, TTLS,
PEAP etc now support TLS_CRLFile with operating system wildcards.

Added new parameter TLS_SRVName to StreamTLS classes. This is
intended for use by AuthBy RADSEC and AuthBy DNSROAM to specify a
DNS SRV Name that will be matched against possible
SubjectAltName:SRV extensions in the server certificate. If
TLS_SRVName is specified and the server certificate contains
SubjectAltName:SRV extensions, none of which match TLS_SRVName,
the certificate will not be accepted. Format is
_service._transport.name (this is the same format SRV names
appear in DNS records). For
example "_radsec._tcp.example.com". Only service and name are
matched. Requested by Stefan Winter for Eduroam support.

Resolver now saves the SRV Name of any SRV record that was
followed in order to get an address in the result set. AuthBy
DNSROAM now uses this to set the TLS_SRVName in a target AuthBy
RADSEC, which enables checking against any SubjectAltName:SRV
extensions in the server certificate. Requested by Stefan Winter
for Eduroam support.
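The two items above describe one check: Resolver records which SRV name it followed, AuthBy DNSROAM passes it to AuthBy RADSEC as TLS_SRVName, and the StreamTLS layer compares it against SubjectAltName:SRV entries in the server certificate, matching only service and name. The Python below is an added example, not Radiator's own implementation, written against the SAN SRVName form of RFC 4985 (`_Service.Name`, which carries no transport label and is why the transport from `_service._transport.name` is not compared). The certificate SAN lists are constructed inputs.

```python
def parse_srv_name(name):
    """'_service._transport.name' -> (service, transport, name), lowercased."""
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("TLS_SRVName must look like _service._transport.name: %r" % name)
    return labels[0][1:], labels[1][1:], ".".join(labels[2:])


def parse_cert_srv_name(san):
    """RFC 4985 SRVName from a certificate: '_Service.Name' -> (service, name)."""
    labels = san.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not labels[0].startswith("_"):
        raise ValueError("malformed SRVName in certificate: %r" % san)
    return labels[0][1:], ".".join(labels[1:])


def srv_name_from_followed_record(srv_owner):
    """What Resolver saves: the owner name of the SRV record it followed,
    normalised so DNSROAM can hand it to RADSEC as TLS_SRVName."""
    service, transport, name = parse_srv_name(srv_owner)
    return "_%s._%s.%s" % (service, transport, name)


def cert_accepts_srv_name(cert_srv_sans, tls_srv_name):
    """Apply the documented rule.

    * TLS_SRVName unset: the check does not apply.
    * Certificate has no SubjectAltName:SRV entries: the check does not apply.
    * Otherwise at least one entry must match on service and name.
    """
    if not tls_srv_name:
        return True
    if not cert_srv_sans:
        return True
    want_service, _transport, want_name = parse_srv_name(tls_srv_name)
    for san in cert_srv_sans:
        service, name = parse_cert_srv_name(san)
        if service == want_service and name == want_name:
            return True
    return False


if __name__ == "__main__":
    # Constructed: SRV record followed by Resolver, and a server cert's SRV SANs.
    name = srv_name_from_followed_record("_radsec._tcp.example.com.")
    print(name, cert_accepts_srv_name(["_radsec.example.com"], name))
```

The "no SRV entries means accept" branch matches the release text exactly, so this check adds assurance only for certificates that carry SRVName entries; the usual DNS name or CA checks still have to be in place alongside it.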

Improvements to AuthBy FIDELIO so that during an accounting
posting, the DD field (Dialed Digits), which is based on the
Called-Station-Id, contains only digits. Micros-Fidelio report
that contents other than digits can cause problems in Opera.

Added surfnet VSAs to dictionary. 

Improvements to AuthBy RSAAM for interoperation with AM 7.1
SP3. At AM7.1 SP3, the authentication realm requested by the AM
server SOAP interface was changed by RSA, causing earlier
versions of AuthBy RSAAM to fail to connect with a 401:
Unauthorized error. This change permits AuthBy RSAAM to work with
pre and post SP3 as well as improving performance. SessionRealm
parameter is now unused and obsolete. Reported by Rene Fleissner.

Improvements to the Linux Radiator startup script. Added traceup
and tracedown commands which signal Radiator to increase or
decrease its trace level. Handy for changing trace levels without
having to find the process ID first. Contributed by David Worth.

Added version of Authen-Digipass module for Active State perl 5.12. 

Fixed a problem in AuthBy OTP where a PasswordPattern of aaaaaaaa
generated OTPs with twice as many characters as specified, with
every odd character being an 'a'. Reported by Alexander Hartmaier.

Fixed default AuthGroupCheck AuthGroupReply GroupMembershipQuery
queries which incorrectly referred to the usergroup table
instead of the radusergroup table. Reported by Mike Wilson.

Changed the type of Framed-IPv6-Prefix in the dictionary from
string to ipv6prefix, allowing entry of IPv6 prefixes in a
sensible format.

Changed the type of NAS-IPv6-Address in the dictionary to
ipaddrv6 for correct encoding and decoding of IPv6 addresses.

When AuthBy HANDLER is used and RejectHasReason is specified, now
sets the actual rejection reason in the reply instead
of "redirected by AuthHANDLER".

AuthBy LSA now honours UsernameMatchesWithoutRealm.

Fixed a problem with quoting of parameters passed to the external
command by AuthBy EXTERNAL. Reported by KUCZYNSKI, CHRISTOPHE.

Updated Coova ChilliSpot VSAs in dictionary.

Fixed a problem where EAP type negotiation could remove the
EAP-TLS VERIFY_PEER requirement, causing EAP-TLS to sometimes
fail when other clients were trying to negotiate TTLS or
PEAP. Reported by Keith Ma.

Added option to get any configuration parameter from an SQL
database with a new form of parameter, ParameterName
sql:identifier:query, which will look for a previously defined
AuthBy SQL clause with an Identifier of 'identifier' and run the
SQL query given by 'query'. The first row in the result will be
used to set the parameter ParameterName. This lookup is only ever
done once at startup time.

Added new type of special character which will be replaced with a
value fetched from an SQL database. Special characters of the
form %{SQL:identifier:query} will look for a previously defined
AuthBy SQL clause with an Identifier of 'identifier' and run the
SQL query given by 'query'. The first row in the result will be
used as the value of the special character. This type of lookup
is done whenever the special character is evaluated.
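The two SQL lookups above differ only in when they run: the `sql:identifier:query` parameter form is resolved once at startup, while the `%{SQL:identifier:query}` special character is re-evaluated every time it is expanded. The following Python is an added example, not Radiator's configuration parser; it models an AuthBy SQL clause as a small object over an in-memory SQLite database (constructed here) and takes the first column of the first row as the value, which is an assumption about how "the first row" is used.

```python
import re
import sqlite3

# %{SQL:identifier:query}; identifier stops at the first ':' so the query may
# itself contain colons or quotes, but not a closing brace.
SPECIAL_RE = re.compile(r"%\{SQL:([^:}]+):([^}]+)\}")
PARAM_PREFIX = "sql:"


class AuthBySql:
    """Stand-in for an AuthBy SQL clause with an Identifier and a DB handle."""

    def __init__(self, identifier, conn):
        self.identifier = identifier
        self.conn = conn

    def first_value(self, query):
        row = self.conn.execute(query).fetchone()
        return None if row is None else str(row[0])


def lookup(clauses, identifier, query):
    clause = clauses.get(identifier)
    if clause is None:
        raise KeyError("no AuthBy SQL clause with Identifier %r" % identifier)
    value = clause.first_value(query)
    return "" if value is None else value


def resolve_parameter(raw, clauses):
    """Startup-time form: 'sql:identifier:query' -> value, anything else as-is."""
    if not raw.startswith(PARAM_PREFIX):
        return raw
    identifier, _, query = raw[len(PARAM_PREFIX):].partition(":")
    return lookup(clauses, identifier, query)


def expand_special(text, clauses):
    """Runtime form: replace every %{SQL:identifier:query} at evaluation time."""
    return SPECIAL_RE.sub(lambda m: lookup(clauses, m.group(1), m.group(2)), text)


def build_demo_clauses():
    # Constructed settings table; a real deployment points at its own database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO settings VALUES ('max_sessions', '3')")
    conn.commit()
    return {"Settings": AuthBySql("Settings", conn)}


def startup_vs_runtime():
    """Show the timing difference: returns (param, before_update, after_update)."""
    clauses = build_demo_clauses()
    query = "SELECT value FROM settings WHERE name='max_sessions'"
    param = resolve_parameter("sql:Settings:" + query, clauses)      # once
    before = expand_special("limit=%{SQL:Settings:" + query + "}", clauses)
    clauses["Settings"].conn.execute(
        "UPDATE settings SET value='5' WHERE name='max_sessions'")
    after = expand_special("limit=%{SQL:Settings:" + query + "}", clauses)
    return param, before, after


if __name__ == "__main__":
    print(startup_vs_runtime())
```

In both forms the query text is part of the configuration file rather than of any request, so the lookups are driven by the operator's own SQL; the point of the example is that a value read through the parameter form will not track later database changes, whereas the special character will.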

Fixed a problem with AuthBy FREERADIUS. The test for limit values
for Max-All-Session, Max-Daily-Session, Max-Hourly-Session and
Max-Monthly-Session was reversed, causing them to fail when they
should succeed and vice-versa. Reported by Stanley Thomas.

When radpwtst was used to send arbitrary packet types such as
CoA-Request, the reply was not decoded and therefore never packet
dumped. Reported by Vangelis Kyriakakis.

Improvements to the sample gigawords-hook.pl to use 64 bit
integers in order to be more resistant to overflows with large
traffic volumes.
-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
