[RADIATOR-ANNOUNCE] Radiator Version 4.13 released

[Heikki Vatiainen]

We are pleased to announce the release of Radiator version 4.13

This version contains one new module for authenticating against YubiKey
validation server and YubiHSM, some significant new features and bug fixes.

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads/

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.13 (2014-04-16) Radius proxying, IPv6, TACACS+, Diameter and
other enhancements. Bug fixes


    Selected compatibility notes and enhancements

Unknown attributes can now be proxied instead of being dropped

Diameter enhancements may require changes to custom Diameter modules

Major IPv6 enhancements include: Attributes with IPv6 values can now be
proxied without IPv6 support, Socket6 is no longer an absolute
prerequisite. 'ipv6:' prefix is now optional and not prepended in
attribute values

TACACS+ authentication and authorization can now be decoupled

Bind variables are now available for AuthLog SQL and Log SQL.

Status-Server requests without correct Message-Identifier are ignored.
Status-Server responses are now configurable.

LDAP attributes can now be fetched with base scope after subtree scoped
search. Useful for example, tokenGroups AD attributes which are not
otherwise available

Newly added check for CVE-2014-0160, the OpenSSL Heartbleed
vulnerability may log false positives

New AuthBy for authenticating against YubiKey validation server added

See Radiator SIM pack revision history for supported SIM pack versions



    Detailed changes

Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address,
DNS-Server-IPv6-Address, Route-IPv6-Information,
Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These
attributes override a number of attributes that were previously
commandeered by Ascend and Merit. The Ascend ones are still available in
ascend.dictionary. The Merit attributes were added under the existing
Merit VSA entry and the non-VSA Merit attributes were removed from the
main dictionary. The non-VSA Merit attributes will continue to be
available in a new file goodies/dictionary.merit

AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS,
MULTICAST and proxy algorithm AuthBys, now support special characters in
AuthPort and AcctPort. Suggested by David Zych.

Added in dictionary: Huawei-Loopback-Address, vendor 6139
(Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou
Research and Development Center) and vendor 27262 DANTE Ltd.

Unknown attributes can now be proxied when the new global configuration
flag ProxyUnknownAttributes is set to true. Unknown attributes are now
alwasy available with special names such as Unknown-9048-120, where 9048
is the vendor id and 120 is the vendor attribute number. Unknown
attributes are now logged with level WARNING instead of ERR. A warning
is logged for each attribute once per sender IP address. Attribute names
starting with Unknown are reserved in dictionary and ignored when the
dictionary is loaded.

Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and
RFC 6930.

Added support for dictionary type ipv4prefix required by RFC 6572. An
example of ipv4prefix format is '192.168.1.0/24'. Added attributes from
RFC 6572 in dictionary.

Change in 4.12 caused ServerDIAMETER to always create new peer instances
for new connections. This caused mainly WatchdogState DOWN log litter.

AuthBy DIAMETER and other DiameterClient derived classes, such as
Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support
new option SCTPPeer. This option allows defining multiple SCTP peers for
the initial SCTP association attempt.

Added vendor Arista in dictionary. Updated Netscreen values. Contributed
by Garry Shtern.

Fixed AuthBy NTLM so it will not leave zombie processes around during
reconfigure. Reported by Garry Shtern.

AuthBy RATELIMIT now supports optional parameter MaxRateResult, which
allows specifying the result when MaxRate is exceeded. MaxRateResult
defaults to IGNORE.

Significant IPv6 changes. Socket6.pm is no longer required if the core
Socket module provides the required IPv6 support. Attributes with IPv6
address or prefix type are now handled as binary if there is no Socket
or Socket6 for IPv6 support. This fixes the problem with proxying when
Socket6 was not installed. Prefix 'ipv6:' for IPv6 addresses is no
longer required but will be accepted. Decoded values for IPv6 address
type attributes will no longer have 'ipv6:' prefix. Startup log messages
now contain information about the IPv6 support.

Updated 3GPP (vendor 10415) attributes in dictionary.
3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier
were added. 3GPP-Charging-Gateway-Address,
3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address
are now the main attribute names while 3GPP-CG-Address,
3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases.
3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias.
Attribute types were corrected to use e.g., ipaddrv6, integer8 and
integer16 for correct encoding and decoding. Added values for enumerated
integer types.

Reverted the previous attribute canonical name changes for vendor 3GPP.
3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the
names Radiator will use for decoding the attributes. The new names will
be recognised as aliases. Also, 3GPP-PDP-Context name for value 0 is IP
and IPv4 can be used as an alias.

EAP_25.pm now makes inner identity available via outer context improving
logging options.

Updated Application IDs. Updated vendor 3GPP (10415) RADIUS compatible
attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type
values, fixed 3GPP-*-Address encoding to use OctetString instead of
Address type, 3GPP-RAT-Type and other 8 bit enumerated values are
encoded correctly. 3GPP attribute Location-Estimate type is now OctetString.

Improvements to the sample wimax.sql database schema to support long
capabilities values.

Added VENDOR Radware 89 and VSA Radware-Role to dictionary.

Logging level for rejected authenticaton attempts can now be configured
globally and for each Handler or Realm. The level is set with new
parameter LogRejectLevel. This optional parameter uses the same values
as Trace option, and can be set globally or per Handler or Realm.

Further logging enhancements. PacketTrace can now be configured to skip
selected Log clauses. New flag parameter IgnorePacketTrace can be set in
Log clauses which should not participate in PacketTrace logging. Thanks
to David Zych for ideas and assistance with the latest logging improvements.

Trailing NULs are now stripped from TACACS+ authorization arguments.
Reported by Tim Cheyne.

Fixed a bug in Diameter Address format encoding with IPv6 addresses.
DiaClient now correctly formats IPv6 address in Host-IP-Address for TCP
connections.

TacacsClient module now supports connecting to TACACS+ servers over
IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+
servers. Requires IO::Socket::INET6.

Account expiry dates starting with 'Mmm dd' for Expiration, ValidTo and
ValidFrom check items now correctly check for valid month names.
Reported by Kennyen Choo.

Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to dictionary.

Worked around the duplicate name for 3GPP Diameter Gx interface. Fixed
typos in Diameter application names.

ClientListSQL was calling parent's initialize twice. Clarified
AuthSQLHOTP and AuthSQLTOTP parent initialize calls.

Improvements to logging. Added support in Log.pm and LogGeneric.pm for
dynamically setting the Trace level. An example of using User-Name from
the current request is in goodies/hooks.txt.
Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm
handling. Worked around the duplicate name for 3GPP Diameter Rx interface.

When special %s is used, the microseconds are now left padded with
zeroes. Suggested by David Zych.

PEAP and EAP-TTLS now make maximum fragment size available for inner
authentication protocols. EAP-TLS was improved to use this information.
This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with
environments with variable Framed-MTU sizes.

When reading parameter settings from a file with file:"filename", any
trailing newlines are now removed from the end of file to make sure the
value is correctly parsed. Reported by David Zych.

Added goodies/address-allocator-sql.txt for further AddressAllocator SQL
examples. Initial examples include MySQL and PostgreSQL queries for
environments with multiple Radiator instances allocating from the same
database.

RDict.pm now supports new method vendorByNum which returns vendor data
from a given vendor number. Enhanced Starent VSA decoding to make sure
invalid lengths do not cause a crash. Added support and attributes for
Starent VSAs which use 1 byte for type and 1 byte for length. The
Starent VSAs in Radiator default dictionary use 2 bytes for type and
length. Loading goodies/dictionary.starent-vsa1 after the default
dictionary will cause Starent VSAs to use 1 byte type and length. The
Starent VSAs in the default dictionary will not work with
dictionary.starent-vsa1 and should not be used.

Significant changes in Diameter dictionary handling: The dictionaries
can now be separate modules and a specific dictionary is defined for the
application. Diameter Credit Control attributes were moved in module
DiaDict_4.pm while Diameter base, NASREQ, Mobile Ipv4, base accounting,
EAP, SIP and relay applications still use the default dictionary
DiaDict.pm. Any new dictionaries will be created as separate modules.
Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer,
ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil
and DiaDict_4.

Added support for salted and non-salted SHA-2 hashed passwords.
Supported formats are {SHA256} {SSHA256} {SHA384} {SSHA384} {SHA512} and
{SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2
hashing. Suggested by Alexander Hartmaier.

AddressAllocator DHCP can now use Class attribute for allocation state
when configured with UseClassForAllocationInfo. This enables allocation
and deallocation to work between server farm members. Configuration
notes in goodies/addressallocatordhcp.cfg. Clarified some of the
AddressAllocator DHCP options in addressallocatordhcp.cfg

Functions pack_sockaddr_pton and gethostbyname in Util.pm and
UtilSocket6.pm misinterpreted some hostnames as IPv6 addresses. Reported
by Emanuel José Freitas.

Updated Huawei VSAs in dictionary. Contributed by Alexander Hartmaier.

AddressAllocator identifier in AuthBy DYNADDRESS now supports special
formatting characters.

Change in DiaPeer watchdog to recover better from unresponsive but still
open TCP connections.

Diameter dictionaries now support attribute flags. Added add_attr_d,
get_attr_d and get_attrs_d in AttrList.pm for adding and accessing
Diameter attributes with their names. Any flags, such as M flag, are
automatically added based on dictionary. DiaAttrList and
RadiusDiameterGateway now correctly set dictionary when using
DiaAttrlist->new(). DiaDict is more verbose about possible problems with
parsing dictionary files.

Marked GroupCacheFile option in ServerTACACSPLUS as deprecated and
removed code related to it.

ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted
TACACS+ authentication and accounting requests in a more consistent
manner. Use of deprecated CommanAuth option gives a warning during
startup. Minor cleanups to remove warnings when -w is used. Fixed
mapping of missing GroupMemberAttribute value to 'DEFAULT' broken in the
previous patch. Updated tacacsplusserver.cfg in goodies.

ServerTACACSPLUS can now create a RADIUS Access-Request when TACACS+
authorization request is received but no authorization info is known for
the user. This can happen for example, when Radiator is restarted or the
TACACS+ client uses some other protocol for authentication. These RADIUS
Access-Requests carry Service-Type attribute with value Authorize-Only.
Authorization based requests are enabled with AllowAuthorizeOnly flag
which defaults to off. Updated tacacsplusserver.cfg and added
OSC-TACACS-Authen-Method in dictionary.

AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2
authentication attempts instead of letting password check fail each time.

Added support for PBKDF2 derived User-Password check items. Uses
HMAC-SHA1 as the Pseudo Random Function (PRF). Requires
Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be
used to create derived password in the form Radiator honours.

AuthLog SQL now supports SuccessQueryParam and FailureQueryParam
parameters, which allow SQL bind variables to be used.

AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate
verification. New parameter ChallengePrefix allows setting the common
prompt for PIN change and other challenge questions. Suggested by Garry
Shtern.

Log SQL now supports LogQueryParam parameters, which allow SQL bind
variables to be used.

Changes so that the plaintext password is not logged at debug level
during EAP-TTLS/PAP authentication.

Added support for SSLVerify, SSLCAPath, SSLVerifyCNName,
SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters
in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later or
otherwise they are ignored. SSL client certificate options are now set
using LWP if LWP version 6.0 or later is detected. These changes allow
RSA AM server HTTPS certificate verification without environment variables.

tacacsplustest in goodies now supports -bind_address command line
argument. TacacsClient module can now pass local address to the socket
constructor.

Added eduroam-Monitoring-Inflate VSA to dictionary.

Added StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.

Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet
dumps only when the log level is DEBUG or more verbose. IPv6 capability
is now logged on DEBUG level if IPv6 functionality is provided by the
Perl core or Socket6. INFO level message is logged only when there is no
full IPv6 functionality.

Added new module AuthBy YUBIKEYVALIDATIONSERVER with example
configuration yubikey-validationserver.cfg. Authenticates against
Yubikey Validation server. This allows using a YubiHSM Hardware Security
Module (HSM) by one or more Radiator servers at the same time. The
YubiHSM can be installed on the same server where Radiator runs on, or
on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move
common code to AuthYUBIKEYBASE.pm allowing AuthBy
YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey
specific support modules such as Auth::Yubikey_Decrypter.

Added in dictionary: Attributes from RFC 7055. These started as UKERNA,
vendor 25622, VSAs.

Removed unneeded code from EAP_25.pm and TLS.pm.

Added new global and Client specific configuration parameter
StatusServer. This parameter sets the Status-Server response verbosity.
The supported values are off, minimal and default. The global default
can be overridden by each Client clause. Status-Server requests without
correct Message-Authenticator attribute are now ignored.

Added new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can
now be configured to do a two step search to first locate the user's DN
and then follow with a second search where the search base set to the DN
and scope to 'base'. This is required for example, to get access to
Windows AD constructed attributes, such as tokenGroups, which are only
returned when the search scope is set to base. Updated ldap.cfg in goodies.

Removed old and unneeded FirstSendTime, LastSendTime and Attempts from
Radius.pm.

EAP-TTLS now correctly exports the inner identity with
$rp->{inner_identity} when the inner authentication is EAP.

Added OSC-SIM-* attributes for exporting SIM/USIM authentication
information. Added attributes for the upcoming RFC "RADIUS Attributes
for IEEE 802".

AuthBy SIP2 now honours Timeout option when connecting to SIP2 servers.
The timeout defaults to 3 seconds.

Added new parameter FailureBackoffTime to Resolver. If the lookup failed
to discover any results and there was a timeout while waiting for the
nameserver, this optional value specifies how long Radiator will wait
before another lookup is made. Previous behaviour was to try again after
NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old
behaviour reported by Paul Dekkers.

ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in
CER. This is required by the current Diameter base RFC 6733. Value 0 is
no longer announced with Acct-Application-Id in CER. Updated
diameter-server.cfg.

Added new global parameter KeepSocketsOnReload. Note: this is currently
considered experimental. This optional flag controls whether opened
RADIUS listen sockets should be left intact on a reload request. When
enabled, the changes in BindAddress, AuthPort and AcctPort are ignored
during reload. You may consider enabling this option when incoming
RADIUS requests should be buffered during the reload instead of ICMP
unreachable messages being sent back to the RADIUS clients. Contributed
by Garry Shtern.

Attributes added to the reply by EAP-FAST inner authentication will now
be copied to the outer Access-Accept too. This is similar to how PEAP
and EAP-TTLS already function. Suggested by Jakob Schlyter.

Added the first version of RuntimeChecks module with two checks. The
first uses Net::SSLeay to try to detect OpenSSL versions which may have
the Heartbleed (CVE-2014-0160) vulnerability. The second test checks for
the availability of Digest::MD4 which is often required because of
MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be
disabled with the new configuration parameter DisabledRuntimeChecks.
Future checks are added as needed. The module is also available for
Hooks to implement site local checks.

Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access
were incorrectly entered in the dictionary. Reported by Jason Griffith.

Ldap.pm could crash while logging with old Net::LDAP versions. Reported
by Mauricio Montoya Bustamante.


-
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.