[RADIATOR-ANNOUNCE] Radiator Version 4.16 released - security fixes, enhancements and new features

Heikki Vatiainen hvn at open.com.au
Tue Oct 27 04:56:41 CDT 2015


We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrading is 
recommended. Please review OSC security
advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.16 (2015-10-27)

   Selected bug fixes, compatibility notes, new features and enhancements

Compatibility update for EAP-based TLS methods for clients that support 
TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 
6 Marshmallow.

Two important security fixes. OSC recommends all users to review OSC 
security advisory OSC-SEC-2015-02
https://www.open.com.au/OSC-SEC-2015-02.html

TLS session resumption may not currently work with all Windows clients. 
A workaround is to configure the EAPTLS_SessionResumption parameter to 0 
or wait for the client to retry the authentication.

Radiator now supports the new module AddressAllocator DHCPv6 for IPv6 
address allocation and prefix delegation.



   Detailed changes


Created a separate directory for PPM files compiled for ActivePerl. Moved 
files from ppm to ppm/activeperl/ and updated the meta file contents.
Win32-Lsa is now compiled for the ActivePerl 5.18 and 5.20 flavours up 
to Perl 5.20: 64-bit, and 32-bit with 64-bit integers.
Created a separate directory for PPM files compiled for Strawberry Perl.
Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 
5.22: 64-bit, 32-bit with 32-bit integers and 32-bit with 64-bit integers.

Radiator now logs the Net::SSLeay and SSL/TLS library version during 
radiusd startup. TLS v1.2 is not used for TLS based EAP methods if it 
cannot be determined that the MPPE keys can be correctly calculated. 
These changes enhance compatibility with future Apple iOS, OS X and 
Android 6 Marshmallow releases. If not all TLS versions are available, 
the versions that can be used are logged. Net::SSLeay 1.53 or later and 
OpenSSL 1.0.1 or later are required to fully utilise all TLS versions for 
TLS based EAP methods. Thanks to radiator mailing list members for 
comments and suggestions.

AuthLog SYSLOG and Log SYSLOG clauses now support the LogPort configuration 
parameter. This parameter requires Sys::Syslog version 0.28 or later. 
Suggested by Michael and Kilian Krause.

LDAP modules now support BindFailedHook, which is called when an LDAP bind 
operation fails. The default is to log the failure. The bind password is 
no longer logged. To log the password, configure the hook to log it, or 
configure the LDAP clause with the Debug configuration parameter and see 
the console output. With the kind help of Scott Bertilson.

AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is 
enabled. Binary attribute values are now logged in text format similarly 
to RADIUS attributes. To debug the password, use the Debug configuration 
parameter and see the console output or configure PasswordLogFileName 
for the Handler.

The Resolver for AuthBy DNSROAM now uses eval to catch exceptions from 
Net::DNS. The Net::DNS API changed around version 0.72 to raise 
exceptions when errors occur. Uncaught exceptions could cause 
Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and 
Paul Dekkers.

Updated error levels for Resolver log messages. Most of the log messages 
now use WARNING instead of ERR. These messages are logged, for 
example, for DNS failures or badly formatted DNS domains.

ServerHTTP authentication now creates a request that can be correctly 
proxied to a remote server. Previously the proxied authentication would 
always fail.

AuthBy RADIUS and its derived modules still required the 'ipv6:' prefix for 
the LocalAddress parameter. Reported by Claudio Ramirez. The correct address 
is now logged if binding to LocalAddress fails.

Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, 
Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had 
incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.

SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with 
the Timeout configuration parameter value. This attribute is valid only 
for ODBC and is set only when Radiator runs on a Windows host. The 
default value for odbc_query_timeout is 0, which can cause very long 
timeouts for SQL queries on Windows.

While RADIUS dictionaries are loaded, attributes with unknown types are 
logged with trace level WARNING. The treatment of unknown types has not 
changed: the unknown types are treated as binary.

Incorrectly formatted textual IPv6 addresses in configuration files, or 
retrieved for example from an SQL backend, could cause address resolution loops.

Added support for additional IPv6 functions in Util.pm and 
UtilSocket6.pm for AddressAllocator DHCPv6 and other modules that 
require packing IPv6 socket structures with scope ID number and flow 
information.

AuthBy DYNADDRESS now supports multivalued allocation results. For 
example, multiple DNS server addresses from DHCPv6 based allocations. 
The multiple values are mapped to the configured RADIUS attribute, one 
value per one attribute instance.

AuthBy DYNADDRESS now supports MapResultHook. This hook allows modifying 
the allocation results after they have been received, and before 
Radiator has processed the MapAttribute definitions.

Added support for AddressAllocator DHCPv6. AddressAllocator DHCPv6 works 
in conjunction with AuthBy DYNADDRESS and a DHCPv6 server to dynamically 
allocate IPv6 addresses and prefixes, and to provide other configuration 
information. Both stateless and stateful DHCPv6 configuration are supported.

See the configuration sample files addressallocatordhcpv6.cfg and 
addressallocatordhcpv6-dhcpd.conf for Radiator and ISC DHCP server in 
goodies for more examples including use of Delegated-IPv6-Prefix and 
Framed-IPv6-Prefix for prefix delegation.

Added better logging for invalid EAPType names. Unknown types are logged 
during the configuration check. Clarified the error message if the 
default EAPType is unknown. Thanks to Patrick Honing for informing about 
the unclear log messages.

Failures with send() when sending RADIUS messages over UDP are now 
correctly logged.

TLS based EAP methods EAP-FAST, EAP-TLS, EAP-TTLS and PEAP now log the 
TLS version and cipher chosen for the EAP session. TLS values related to 
the EAP session are also available as special formatting variables. You 
can use, for example, %{EAPTLS:Protocol} and %{EAPTLS:Cipher} with 
AuthLog. Suggested by Alexander Hartmaier.

Updated the Stream base class to work correctly with non-blocking sockets on 
some Windows Perl distributions. Windows returns POSIX::EWOULDBLOCK 
(140) or WSAEWOULDBLOCK instead of EINPROGRESS. 140 was first seen with 
Strawberry Perl 5.20 and 5.22.

Diameter AttrList get_attrs_d now returns an empty list instead of a single 
entry with an undef value when the requested attribute was not present.

Changed the type of Cisco-VPN-WebVPN-HTML-Filter in dictionary.cisco-vpn 
from unsupported bitmap to integer. Reported by Alex Hartmaier.

diapwtst updates: added missing attributes and removed a couple of 
RADIUS related options.

Fixed a bug which could result in an infinite loop when formatting 
special variables and could be used to mount a denial-of-service attack 
crashing the radiusd process. Reported by Øyvind Aabling.

AuthBy RADIUS and AuthBy RADSEC now use a 32-bit ID space when 
UseExtendedIds is set. While the previous 16-bit ID space should be 
enough, the new value matches the value documented in the reference manual.

Unified Session ID based resumption handling for EAP-TLS, EAP-TTLS and PEAP.

radpwtst now supports subsecond resolution with the -time command line 
option when Time::HiRes Perl module is available. Time::HiRes is part of 
all recent Perl distributions.

Updated the recent formatting patch and enhanced its compatibility with 
older Perl versions.

Added support for tracing TLS handshake and session state for the TLS 
based EAP methods. Tracing can be enabled with one of: the new AuthBy level 
configuration flag parameter EAPTLS_TraceState, setting the Trace 
configuration parameter to 5 (EXTRA_DEBUG), or the PacketTrace 
configuration parameter.
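The items above on the new %{EAPTLS:Protocol} and %{EAPTLS:Cipher} formatting variables, EAPTLS_TraceState and the EAPTLS_SessionResumption workaround can be combined in one handler, as in the following added configuration example (not from this announcement or the Radiator distribution). The AuthBy FILE, certificate and AuthLog FILE parameters follow the pattern of Radiator's sample configurations and are assumptions here; only the three items named above come from the release notes.

```conf
# Added example: a PEAP handler that records the negotiated TLS protocol
# and cipher for every authentication, so clients still negotiating old
# TLS versions or weak ciphers are visible in the authentication log.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        # Certificate paths assumed from Radiator sample configurations.
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword CHANGE-ME-PLACEHOLDER
        # Documented 4.16 workaround: set to 0 if Windows clients fail
        # to resume TLS sessions; otherwise leave resumption enabled.
        EAPTLS_SessionResumption 1
        # Per-AuthBy TLS handshake and state tracing, new in 4.16, without
        # raising the global Trace level to 5 (EXTRA_DEBUG).
        EAPTLS_TraceState 1
    </AuthBy>

    # One line per authentication: time, user, calling station,
    # result, then the TLS protocol and cipher chosen for the EAP session.
    <AuthLog FILE>
        Filename %L/authlog
        LogSuccess 1
        LogFailure 1
        SuccessFormat %l:%U:%{Calling-Station-Id}:OK:%{EAPTLS:Protocol}:%{EAPTLS:Cipher}
        FailureFormat %l:%U:%{Calling-Station-Id}:FAIL:%{EAPTLS:Protocol}:%{EAPTLS:Cipher}
    </AuthLog>
</Handler>
```

Grepping the resulting authlog for entries whose protocol field is below TLSv1.2 gives a quick inventory of clients that still need attention after the compatibility changes in this release.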

Log FILE now checks for recursion, allowing runHook to call logging if 
needed. This avoids infinite recursion if LogFormatHook raises an 
exception. Added a JSON example in LogFormatHook for Log FILE in 
goodies/logformat.cfg and Radius/LogFormat.pm.

Added LogFormatHook for Log SYSLOG and AuthLog SYSLOG. Updated 
logformat.cfg with JSON format hook example. Suggested by Craig Simons.

Added example of EAPTLS_TraceState in goodies EAP-TLS, EAP-TTLS and PEAP 
sample files.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.