[RADIATOR-ANNOUNCE] Radiator Version 4.8 released

Mike McCauley mikem at open.com.au
Wed Apr 27 17:45:41 CDT 2011

We are pleased to announce the release of Radiator version 4.8

This version contains some new features and minor bug fixes.

As usual, the new version is available to current licensees from:

and to current evaluators from:

Licensees with expired access contracts can renew at:

An extract from the history file
http://www.open.com.au/radiator/history.html is below:

Revision 4.8 (2011-04-28) New features and some bug fixes. 

Fixed a problem in AuthBy EAPBALANCE where no reply from a
proxied request from the middle of an EAP stream would result in
unlimited retransmissions of the request. Reported by Keith Ma.

Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ. 

Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson. 

RPM packages were built by default on OpenSuSE with LZMA
compression, which is not available for all platforms. This new
Radiator.spec disables LZMA and uses BZ2 instead. In future all
RPMS will be built with BZ2 comppression. New versions of
Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm
with BZ2 uploaded.

Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where
MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and
TimeStepOrigin parameters were not correctly read, resulting in
errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew

GetClientQuery was incorrectly using field 25 instead of 27 for
flags. Documentation for GetClientQuery incorrectly decribed
field 25 as being flags instead of ClientHook.

Added SQLRetries parameter to all SQL type clauses. When
executing a query, Radiator will try up to SQLRetries attempts to
execute the query, retrying if certain types of SQL error are
seen. Defaults to 2. Requested by Michael.

Fixed some problems with Radius paths in the RPM on some
platforms. Rebuilt and uploaded new RPMs.

Improved Client CIDR address searches so a more specific cidr
would have priority over a less specific cidr. Contributed by
Nicholas Waples.

Improved ClientListLDAP, added oscRadiusIdentifier &
oscRadiusDefaultRealm into the default list of
ClientAttrDef's. were the only attributes missing from
oscRadiusClient ldap schema provided (in goodies). Contributed by
Nicholas Waples.

In Server TACACSPLUS, the call AuthenticationStartHook now
includes the priv_lvl and service values from the TACACSPLUS
request passed as arguments to the hook.

In Server TACACSPLUS, during authetication, we now add
cisco-avpair attributes to the RADIUS request for action,
authen_type, priv-lvl and service from the incoming TACACSPLUS

Improvements to AuthBy URL. Improved HTTP and HTML standards
compliance by using the LWP::UserAgent methods post() and
get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication,
as well as the previously supported PAP. *CHAP challenges and
responses are encoded as HEX and sent as configurable web
parameters. Updated the sample config file goodies/url.cfg, and
improved documentation. Fixed inconsistant password in sample
test_url_md5.cgi. Cleaned up some of the code to be compliant
with in-house standards.

Added support for BindAddress in all Ldap derived clauses,
allowing you to specify a local address for the client side of
the LDAP connection with BindAddress, in the form
hostname[:port]. Defaults to Updated sample config
file. Suggested by Roel Hoek.

Updated AuthBy NTLM so that if an authentication fails, the
Warning log message records the user name along with the
Authentication-Error. Suggested by David Zych.

Further improvements to AuthBy URL. Now suports CopyReplyItem
parameter. If a successful HTTP reply contains a string like
'xxx=hexencodedvalue' the value will be copied to the RADIUS
reply as attribute yyy=value the value is expected to be HEX
encoded and will be HEX decoded before adding to the reply.

Fixed a problem where some SQL modules were not being correctly
initialised, which was revealed when the new SQLRetries was
added. Reported by Steffen Weinreich.

Further improvements to AuthBy URL. Now supports CopyRequestItem
parameter. Adds a tagged item to the HTTP request. Format is
CopyRequestItem xxx yyy. The text of yyy (which may be contain
special characters) will be added to the HTTP request with the
tag xxx. In the special case where yyy is not defined, the value
of attribute named xxx will be copied from the incoming RADIUS
request and added to the HTTP request as the tagged item yyy. All
values are HEX encoded before adding to the HTTP
request. Multiple CopyRequestItem parameters are permitted, one
per line.

Improvements to AuthBy SQLTOTP to implement replay
detection. This has required an additional column in the sample
SQL database schema, and changes to the default AuthSelect and
UpdateQuery parameters. Requested by Matthew Reeves-Hairs.

Testing with the Mera MVTS Pro Voip gateway. OK. Added
mera-mvts.txt. This document briefly outlines the requirements
for interfacing Radiator with Mera MVTS Pro VOIP gateways, along
with examples of the types of requests and replies Radiator can
be expected to handle when interfacing with MVTS Pro.

Added new command line argument -min_interval to restartWrapper,
which controls the minimum time interval between successive
restarts. Contributed by David Zych.

Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH
soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP),
and Google Authenticator (HOTP and TOTP). External testing with
Feitian C200 OTP Tokens and others. All OK.

Added a number of Juniper attributes to dictionary.

Monitor and Server HTTP now support AddToRequest to add
attributes to the internal RADIUS request they generate when
authenticating administrator logins to their respecetive
interfaces. They also dump these requests when Trace 4 is

Server TACACSPLUS now supports a new parameter
AuthorizeGroupAttr. If this parameter is specified, it specifies
the name of an attribute in Access-Accept that will contain
per-command authorization patterns for authorising TACACS+
commands. These are processed before any configured-in
AuthorizeGroup parameters. The command authorization patterns are
in the same format as supported by AuthorizeGroup. Added a new
VSA to dictionary OSC-Authorize-Group, which is intended to carry
per-user reply command authorization patterns.

Improvements to Radiator linux startup script so you can have
multiple scripts in /etc/init.d/ with different names, and which
lookup different parameters in /etc/sysconfig. For example, you
can install the script as /etc/init.d/radiator and
/etc/init.d/radiator-acct, and it will look up parameters in
/etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further
improvement is to always use -p RADIUS_PIDFILE to killproc the
process, rather than the process name.

Added Ascend-Session-Svr-Key an NS-Dummy-Attr-10 to dictionary.

Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary,
including OLT-TL1-* and added VALUE definitions for some other
A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. we have
adopted A-ESAM to be compatible with previously existing

Fixed a problem where EAP-MD5 authentications did not honour
UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".

Fixed a problem where EAP-MD5 authentication by AuthBy LSA
mysteriously failed. Refactoring of EAP_4 check_chap() to
AuthGeneric, and thence to AuthLSA Reported by "Sami

Fixed a problem which could cause crashes in
Socket6::inet_ntop. Reported by James Harton.

Testing on MacOS X 10.6.5. OK.

Added lookupauthgroup.pl Sample PostSearchHook for AuthBy LDAP2,
which finds user group(s) through an LDAP lookup, then finds
corresponding check and reply attributes in SQL, based on the
user group(s) for that user and the device groups of the
RADIUS/TACACS+ client. This allows you to have a add very fine
grained authentication/authorisation in an LDAP/SQL environment,
based on user and device group membership.

Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR,
to fix possible session shutdown problems with some TACACS+

Fixed incorrect sequence numbers in some TACACS+ packets sent by
goodies/tacasplustest and that affected interoperation with
tac_plus. Fixed issues with TACACS+ version numbers that affected
interoperation with tac_plus.

Added new parameter SingleSession to Server TACACSPLUS which can
be set to 0 to disable the default behaviour which tries to keep
the same TCP session for all requests. Setting SingleSession to 0
forces a TCP disconnect after every authentication, authorisation
and accounting session. Some TACACS+ clients need this in order
to operate correctly.

Improvements to AuthBy SQLTOTP so that tokens whose time drifts
into the future can be authenticated. Patch supplied by Steffen

Decoupled AuthGeneric userIsInGroup from getUserGroups so
subclasses can implement their own group finding.

Added new optional parameters GroupSearchFilter GroupBaseDN
GroupNameCN to specify an LDAP search which will be used to get
the names of groups this user is a member of. Used to check Group
check items. Updated sample lookupauthgroup.pl to use the new
group search function in AuthBy LDAP2

AuthBy LSA now honours UsernameMatchesWithoutRealm correectly for
users and groups. Reported by Reported by "Sami Keski-Kasari"
and "Johnson, Neil M".

In AuthBy SQL, the optional GroupMembershipQuery now has the
groupname available as the second bound variable.

Improvements to Server TACACSPLUS so that it honours the
TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a
single session will only be maintained if the Server TACACSPLUS
SingleSession parameter is set _and_ the client indicates a
willingness to support single sessions with the
TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled
regardless of client options by setting the SingleSession flag to
0 (defaults to 1)

Improvements to goodies/tacacsplustest now correctly sets the
TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command
line parameter is given. It now closes the connection at the end
of each session unless the -single flag is set and the server
indicates a willingness to support single connections with the

Fixed a problem where malformed WiMAX attributes could cause a
crash. Reported by Mark Sergeant.

Further fixes to Server TACACSPLUS: If SingleSession is set, some
Cisco TACACS+ clients will close an authentication session after
the first reply. This is a bug in the client. As a workaround,
ServerTACACSPLUS.pm now never sets the
TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki

Fixed a typo in linux-radiator.init that prevented traceup and
tracedown working properly on RHEL5.

Added LOG_WARNING log message if a Tacacs+ request is received by
Server TACACSPLUS for which no Client could be found.

Improvements to Server TACACSPLUS so expired authentication
result in ERROR instead of FAIL. Tacacs authorisations are now
bound to both the username and the peer address, so user can have
different authorisations on each device.

Added peer address to a number of warning and info messages
produced by Server TACACSPLUS for easier diagnosis.

Updated Monitor HELP command documentation to include

Fixed problems with linux-radiator.init traceup and tracedown on

Improvements to Server TACACSPLUS: Fixed a problem with the new
AuthorizeGroupAttr that cased authorisation patterns to not be
reset properly. Server TACACSPLUS now updates the global packet
counts for each Tacacs+ request received. Database failures that
IGNORE now cause a Tacacs *_STATUS_ERROR reply.

Added goodies/cisco-vpn.txt a short description on how to
configure Cisco VPN 3000 Concentrator VPN groups, and the
limitations thereof.

Fixed a case where Radiator would crash when certain local
devices tried to connect to a tacacs port.

Added example rule to goodies/tacacsplusserver.cfg showing how to
use uptional tacacs roles, including multiple optional roles.

Added new parameter UnbindAfterServerChecksPassword to AuthBy
LDAP2, which works around problems with some LDAP
servers. Normally, when ServerChecksPassword is set, after
Radiator checks a users password the LDAP connection is not
unbound. This can cause problems with some LDAP servers (notably
Oracle ID and Novell eDirectory), where they unexpectedly cause
the following LDAP query to fail with
LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after
each ServerChecksPassword bind.

Added support for new -I command line flag to radiusd, which adds
an include directory to the module search path. Patch by Heikki

In SqlDb::do(), Sql connections now detect PostgreSQL duplicate
key violations, which are now not a cause for disconnect. Added
similar tests to SqlDb::prepareAndExecute().

Sample RAdmin configuration file that shows how to record Tacacs+
commands to the Radmin RADCOMMANDAUDIT table for auditing, and
viewing (RAdmin 1.14 plus latest patches required)

The ServerRADIUS clause now supports AddToRequest, which makes it
easy to tag requests that arrive by RADIUS to distinguish them to
those arriving by TACACS+ or Diameter.

Server HTTP log messages are now escaped so that HTML characters
in the log do not cause display errors. Patch provided by Adam

Fixed a problem in Auth LDAP2 that could cause a crash if
ServerChecksPassword and UnbindAfterServerChecksPassword are
enabled, and certain LDAP errors occur during the
ServerChecksPassword bind.

Fixed spelling mistake in VENDORATTR Timetra-Home-Directory,
Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS
Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400
switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR
SAM-Security-Group-Name .

Improvements to IPV6 handling so the absence of Socket6 causes an
warning message instead of an exit.

Added a number of FreeSwitch accounting VSAs to dictionary. Added
a brief discussion paper about how to integrate FreeSwitch with
Radiator. FreeSWITCH is a powerful and versatile telephony
platform that can scale from a softphone to a PBX and even to a
carrier-class softswitch.

Log SYSLOG and AuthLog SYSLOG now support special characters in
LogIdent, LogOpt and LogHost.

TLS Streams, such as used with Radsec did not correctly verify
certificates for 'hostname' if the Host address was specified in
Radiator in the form ipv6:hostname. Reported by Patrick Renkens.

Fixed an issue where truncated EAP-Message requests would cause a
log message like "Could not load EAP module Radius::EAP_"
..... This is now logged as invalid EAP type in EAP request and
rejected. Reported by Daniel Rocha.

Server TACACSPLUS now honours reply attributes correctly for
ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.

Testing with XAMPP on
Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
is an excellent, easy to install bundle of useful tools such as
Apache, MySQL, Perl etc for Windows. It is a also good base for
installing Radiator on Windows, especially if you wish to use
Radiator with RAdmin or a MySQL database. Updated installation
documentation to include XAMPP on Windows.

Added support for Novell eDirectory NMAS (Novell Modular
Authentication System) to AuthBy LDAP2. NMAS allows Novell
eDirectory to support and authenticate passwords using the Vasco
Digipass NMAS method, and other third party token and non-token
systems. Vasco Response-Only (RO) tokens are only supported since
NMAS does not curently support challenge-response via
RADIUS. Sampple configuration file included.

Ldap classes now support the "ipv6:" prefix for Ldap server Host
names. If Host begins with "ipv6:" the subsequent host name(s)
will be interpreted as IPV6 addresses where possible, and
Net::LDAP will use INET6 to connect to the LDAP server.

In AddressAllocator SQL, the default AllocateQuery was changed to
check the STATE during the allocation to catch certain race

With all Ldap clauses, removed the default BindAddress of This was unnecessary and interferes in a non-obvious way
with attempts to use ipv6: in the Host. Reported by Dyonisius

Added attributes from RFC 5904 to dictionary. SNMP Agent now supports: 
      RFC4669 - RADIUS Authentication Server MIB for IPv6
      RFC4671 - RADIUS Accounting Server MIB for IPv6
 The RFC are included in distribution. 

Improvements to EAP handling to support multiple desired EAP
types in EAP NAK response, per RFC 3748.

Fixed incorrect error message that referred to
ServerHTTP. Repored by Karl Gaissmaier.

Added support for PacketTrace to Server TACACSPLUS, Server
DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.

Fixed a problem where attributes of type ipv6prefix (such as
Framed-IPv6-Prefix) would not be decoded correctly if they had
fewere than 16 octets. Reported by Lee, Larry KT.

Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even
if the Called-Station-Id has the SSID of the AP appended as
described in http://tools.ietf.org/html/rfc3580#section-3.20

Added example perl script rpt.pl which logs packets which match a
regexp. Contributed by Bart Dumon.

Fixed a problem when using AuthBy RADIUS with Synchronous and
Fork that if the secrets don't match (resulting in "Bad
authenticator received in reply to ID 1. Reply is ignored"), this
creates forked processes that never terminate and have to be
manually force-killed. Reported by David Zych.

Fixed a number of innocuous warnings when radiusd is run with
perl -w.

Added usage documentation for author_args in tacacsplustest.

In AuthSQL, GroupMembershipQuery is now not passed and bind
variables. If you wish to use bind variables with
GroupMembershipQuery, use the new GroupMembershipQueryParam.

Fixed a problem with Server HTTP where some versions of Firefox
would hang when trying to access localhost:9048. Also fixed som
innocuous warnings when run with the -w flag.

Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some
cases with some versions of Sys::Syslog, the loghost was not set
correctly. Reported by Klara Mall.

radiusd now unlinks PidFile during an orderly shutdown. Suggested
by Klara Mall to prevent startup scripts being confused by stale
PID files.

Improvements to AddressAllocator SQL: If CheckPoolQuery is set to
an empty string, no pool checking will be done at startup. If
AddAddressQuery is set to an empty string, addresses will not be
automatically added to the pool.

Testing against RadiusGINA, a Windows RADIUS login authenticator
from LSE http://lsexperts.de/. Works well, and easy to install.

Fixed a problem in TLS Stream based protocols (such as AuthBy
RADSEC AuthBy DNSROAM etc, where ConnectOnDemand would not work
correctly in the case where a TLS connection was being
established and failed. Reported by Stefan Winter.

Added goodies/radiusgina.txt, a Brief introduction to RadiusGINA,
a Windows RADIUS login authenticator from LSE http://lsexperts.de

Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

More information about the radiator-announce mailing list