[RADIATOR-ANNOUNCE] Radiator Version 4.10 released
Mike McCauley
mikem at open.com.au
Wed Jun 27 21:04:28 CDT 2012
We are pleased to announce the release of Radiator version 4.10
This version contains some new features and minor bug fixes. The prerequisites
now require Digest::SHA
As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/
and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads
Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php
An extract from the history file
http://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.10 (2012-06-28) Some significant new features. Bug fixes.
Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password
is never transmitted, even in encrypted form), and does not require PKI
certificates, and also requires only 3 authentication round-trips. So it is
considered efficient to roll out in eg Eduroam and other environments.
Requires that the Radiator user database has access to the correct plaintext
password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is
included.
Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
Added Tropos and Fortinet VSAs dictionary.
Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke
Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into
multiple attributes.
Removed use of 'use timelocal' from radiusd and radpwtst, code now uses
Time::Local instead.
Removed use of 'use newgotopt', all code now uses Getopt::Long instead.
Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter
specifies whether the password needs to be url-encoded or not. Options are
"Clear", "Encode". Contributed by Matthew Van Kuyk.
Added Nokia Siemens Networks (NSN) VSAs to dictionary.
Added support to radpwtst for new command line argument -alive to send
Accounting-Alive requests. Alive is not sent by default if accounting is
enabled.
Fixed an error in the RPM build control file Radiator.spec, which would cause
/usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple
differing module logging configurations do not confuse Sys::Syslog.
Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being
set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
Improvements to AuthBy WIMAX, which now uses latest WiMAX TLV attribute
definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX
now uses latet WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and
honours the -capability command line argument where you can specify an
alternate WiMAX-Capability.
Removed use of 'use newgotopt' from builddbm, buildsql, tacacsplustest,
diapwtst, restartwrappert. Code now uses Getopt::Long instead.
Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS
based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL
0.9.8m and later, this optional parameter enables legacy insecure
renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m
and later always attempts to use secure renegotiation as described in RFC5746.
This counters the prefix attack described in CVE-2009-3555 and elsewhere.
Updated ACME VSA's in dictionary to add many missing VSAs and to adopt
attribute naming consistent with other RADIUS servers.
Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
Added support for EAP expanded types per RFC 3748. EAPType parameter can now
be specified as a EAP type number, EAP extended vendornumber:typenumber or as
a traditional well-known EAP type name eg: EAPType TTLS, MSCHAP-V2,
16776957:4244372217 where 16776957 is the expanded vendor number and
4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9,
the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included
module and config to support testing against wpa_supplicant VENDOR-TEST
expanded type.
Fixed a possible problem in Stream connections where connection failures may
not be detected correctly.
Improvements to EAP-MSCHAPV2 handling in the case where the underlying
database has a database access problem, causing an IGNORE.
Testing with RSA Authentication Manager 7.1 SP4. No changes required.
Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2
Assertions for an (already autheticated) user from a Identity Provider (IdP)
and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is
beta code and not yet widely tested. Feedback requested. Currently only sends
ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing
of requests and Verifying of responses is not yet proven to work correctly.
EAP-MSCHAPV2 now honours AuthenticateAttribute.
New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32
and 64 bit.
Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if
Radiator gets an error or a timeout from a database connection it will try to
reconect to the database, starting with the first DBSource, and trying them
all in order until a successful reconnection. This flag forces the search to
start at the database following the current DBSource (if there is one). This
can help with some types of overloaded database that can be connected but then
timeout when a query is sent.
Context is stored in $p->{EAPContext} for all EAP requests.
Fixed a problem where HUPping an evaluation vesion would result in messages
like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED)
(LOCKED) (LOCKED)
Added support for new parameter RequireMessageAuthenticator in Client clauses.
Normally, Client clause checks the value of any Message-Authenticator
attribute (if present) in incoming requests (EAP or otherwise), and an
incorrect authenticator causes the request to be IGNOREd. The optional
RequireMessageAuthenticator flag causes this Client to require a (correct)
Message-Authenticator attribute to be present in all incoming requests.
ServerHTTP now registers itself with Configurable.
Additional information in error logs from various TLS operations. Patch from
"Bjoern A. Zeeb". Thanks Bjoern.
ClientList LDAP now supports file in PreHandlerHook and ClientHook.
Fixed a problem with SessionDatabsse SQL which could cause a crash if the
query contains %{Quote:...}. Patched by Eddie Stassen. Thanks.
Added VENDOR Ericsson 193 VSAs to dictionary.
Log FILE now supports %0 (priority) and %1 (og message) as special characters
in Filename parameter. AuthLog FILE now permits use of the '|' vertical bar
leading character in Filename to permit piping to an external program.
AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed
flag parameter. If this is set then Net::LDAP will try all addresses for a
multihomed LDAP host until one is successful. Default is true (set).
Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compativ=bility
with some Oracle clients in the group checks. Reported by Emanuel Freitas.
Added VENDOR Adva 2544 VSAs to dictionary.
Added VENDOR Siemens 4329 VSAs to dictionary.
Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the
standard Diameter dictionary
Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes
that are converted to Diameter Grouped attributes being parsed correctly.
For all TLS related operations, improved error logging if SSLeay::new fails.
Added StripFromReply and AllowInReply to the parameters permitted in AuthBy
DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary
Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh
Irvine.
Added new module AuthBy RATELIMIT which can be used to limit the maximum
number of request per second to be served. If more than this number of request
are received in any second, they will be IGNOREd.
Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by
Adam Thompson
Server TACACSPLUS now honours DefaultRealm from the Client clause that matches
the incoming request. If defined in the Client clause, it willl override any
DefaultClient defined in the Server TACACSPLUS clause.
Global SocketQueueLength was not honoured when creating RADIUS server ports.
Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6
and RHEL6)
All TLS context configuration parameters, such as EAPTLS_CertificateFile now
honour special characters (such as %K etc) from the EAP identity request.
AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0
(none) instead of 1 (session-based).
All EAP authentications now log at DEBUG level the elapsed time of the entire
conversation (since the EAP identity) in seconds (and microseconds if
Time::HiRes is available).
If a Client address cannot be resolved, the log message now includes the exact
address that was not able to be resolved.
Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version
1.11.
Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if
AuthBySelectParam was defined.
Removed incorrect -authen_args from help in tacacsplustest.
Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is
honoured even if the EAP-GTC client sends the 'RESPONSE=identity\0password'
for of EAP-GTC response.
Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
RFC 2621 was inadvertently omitted from the distribution.
Added support for new configuration parameter. PacketDumpOmitAttributes
specifies a comma separated list of RADIUS attribute names which will be
omitted from RADIUS packet dumps in logs.
ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP
clauses. Reported by Albesiano Alberto.
Improved parsing of hooks and display of hooks by ServerHTTP. Reported by
Albesiano Alberto.
AddToReply AddToReplyIfNotExist when used in Handlers and Clients, would
incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL
did not correctly honour AddToReply for Access-Accept and Access-Reject.
Reported by Albesiano Alberto.
RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the
distribution. In accordance with RFC 6614, the default shared secret for
RadSec has been changed to 'radsec', UseTLS is enabled by default, and
TLS_RequireClientCert is enabled in Server RADSEC by default.
Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
Added Alvarion-WiMAX-Classifier VSA to attribute definiitons for WiMAX-Packet-
Flow-Descriptor, per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0
v 0 81.doc'
Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-
Flow-Descriptor to support atttributes like: WiMAX-Packet-Flow-
Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN"
Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA tlvs to
dictionary, to support attributes like: Alvarion-DHCP-Option="Ref-R3-IF-
Name=interface1,DHCP-Option-Container=container1" Alvarion-R3-IF-
Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-
netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6 Per Alvarion's document 'RADIUS-WiMAX R3
Interop Spec_Rel 3 0 v 0 81.doc'.
Fix to Fidelio interface so that LA messages are not queued unless there is a
current connection.
Fixed a problem where the LDAP group search did not correctly specify the
attributes to fetch, and therefore _all_ attributes were fetched, affecting
performance. Reported by Ben Carbery.
Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If
CheckSecretId is set, then check that the secretId fetched from the database
matches the secretId encoded in the submitted Yubikey OTP. This increases the
security of the Yubikey OTP and is recommended best practice. Also improved
the documentation for for configuring yubikey.cfg and provided a better sample
database for use with yubikey.cfg
Fixed a problem with EAP-FAST that prevented anaonymous provisioning in some
circumstances where the client asks for several ciphersuites. Reported by
Sudhir.Harwalkar.
Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy
ACE whcih issue AccessChallenge to get additional data from the user. Radiator
was sending the challenge as GETPASS rather than GETDATA and wasn't getting
the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco
ASA 5510 firewall. Reported and patched by Richard Fairhall.
Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl
5.14 x86 and x64 packages. Also updated the prebuilt packages at
http://www.open.com.au/radiator/free-downlaods to include versions for Perl
5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-
Lsa.tar.gz
Fixed a problem where AuthBy LDAP2 would incorrectly log "DEBUG: No entries
for mikem found in LDAP database" if MaxRecords was set larger than the actual
number of LDAP records retreived.
Improvents to SQL logging shows the name of the database at DEBUG level when
connection attempts are made. Also prepareAndExecute and do functions log the
database name at DEBUG level. Requested by Philip Herbert.
Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
Added VSAs for Ruckus Wireless to dictionary.
AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem
that prevented the error being correctly printed if ntlm_auth if it crashed or
exited.
Removed use of Digest::SHA1, replaced with Digest::SHA,which is now included
with all perls. Digest::SHA is now an absolute prerequisite.
Added sample config platypus7.cfg for recent Platypus 7 database.
h EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2, EAP-FAST, inner packets are now
logged at DEBUG level _after_ the PreHandlerHook (ie any) is run, so that
attributes added by the hook will be visible.
Fixed a problem where Client DupInterval 0 sometimes did not act as expected,
causing a leak in EAP contexts.
Improved logging so that AuthBy ACE prompts are not broken up with newlines in
logs. Requested by Richard Fairhall.
Fixed a problem that preventeed TACACS+ which prevented AuthBy ACE new pin
mode and other challenges from working correctly. Patch provided by Richard
Fairhall.
Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the
maximum time in seconds that a RadSec connection can be idle before a Status-
Server request is sent to keep the TCP connection alive. This helps to keep
TCP connections open in the face of "smart" firewalls that might try to close
idle connections down. Defaults to 0 seconds, which means inactive.
Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the
old-fashioned way, with the CHAP Challenge in the authenticator, and not in a
separate CHAP-Challenge attribute.
Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box.
http://www.raspberrypi.org
Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP
codes to Google Authenticator. Converts hex codes to base 32.
Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to
AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is
enabled, use only Status-Server requests (if any) to determine that a target
server is failed when there is no reply. If not enabled (the default) use no-
reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests,
MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable
this, you should also ensure KeepaliveTimeout is set to a sensible interval to
balance between detecting failures early and loading the target server.
KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can
be idle before a Status-Server request is sent to keep the connection alive.
Defaults to 0 seconds.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator-announce
mailing list