[RADIATOR-ANNOUNCE] Radiator Version 4.24 released - new features, enhancements and bug fixes

[Heikki Vatiainen]

We are pleased to announce the release of Radiator version 4.24

This version contains new features, enhancements and bug fixes. See 
below for the details.

As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.24 (2019-12-09) new features, enhancements and bug fixes


     Selected compatibility notes, enhancements and fixes

Added configuration parameters TLS_SecurityLevel and 
EAPTLS_SecurityLevel and calls to set accepted TLS version ranges. This 
allows for Radiator module level control of desired TLS settings without 
modifications of system defaults.

ClientListSQL configuration can now be simplified with ClientColumnDef 
parameters.

AuthBy SQLHOTP and SQLTOTP SQL query parameter support was added.

Dynamically updated Diameter RealmTable for request routing and 
forwarding is now available for advanced Diameter applications.

Added a new configuration flag parameter IgnoreIfMissing.

Added a new check item ExistsInRequest for matching requests by 
attribute presence. Useful for Handlers.

Added new AuthBy REST, which is built on a new class called HTTPClient.

Packages are now available for Red Hat Enterprise Linux 8 and CentOS 8 
and Debian 10 (Buster).

Added configuration guide and samples for SecureW2 integration.


       Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream 
based classes, such as RadSec.

EAP-FAST functionality is reported to vary between TLS versions, TLS 
library security level settings and client implementations.


       Detailed changes

AuthBy SIP2 sometimes parsed ACS server responses incorrectly causing 
incorrect authentication rejects.

Stream modules that use TLS, such as RadSec, now log the negotiated TLS 
version and cipher similar to what TLS based EAP methods already do. 
Short inner EAP messages received by EAP-TTLS and PEAP are now caught 
earlier instead of generic EAP module.

Added new configuration parameters TLS_SecurityLevel and 
EAPTLS_SecurityLevel to control TLS library's security level settings. 
See OpenSSL manual for SSL_CTX_set_security_level() for more about 
security levels. When TLS_Protocols or EAPTLS_Protocols is configured to 
set the desired TLS versions, TLS library's 
Net::SSLeay::CTX_set_min_proto_version and its 'max' counterpart are 
automatically called. The security level and TLS version settings may be 
needed on systems with strict defaults. For example, Debian 10 sets the 
default minimum TLS version to 1.2 and security level to 2. This may be 
too restrictive with older EAP clients or Diameter and RadSec peers. 
Support for min/max_proto functions was added in Net::SSLeay 1.83.

Updated Lancom and Aerohive attributes in the default dictionary. 
Aerohive products appear to use attribute 1 for different purposes. For 
this reason the newly added Aerohive-User-Vlan is an alias for the 
existing AH-HM-Admin-Group-Id. Both names are usable as reply attributes 
but incoming attributes are remain named as AH-HM-Admin-Group-Id. Thanks 
to Stefan Winter for the updated information.

Added two new modules that allow temporarily denying logins for users 
that were rejected because of repetitive bad passwords. These are intial 
versions AuthBy FAILUREPOLICY and AuthBy SQLFAILUREPOLICY with more 
enhancements done in subsequent Radiator releases. See failurepolicy.cfg 
in goodies for a sample configuration.

Added radiator-instances.service to goodies. This is a systemd unit 
configuration file for a virtual service for managing all Radiator 
instances. It works in conjunction with with radiator at .service unit file.

Added 25 VSAs in the default dictionary for VENDOR 12356 Fortinet.

Updated sample certificates to expire on November 10 2021.

ClientListSQL now supports new configuration parameter ClientColumnDef. 
This allows for more simple and flexible configuration. Updated 
ClientList modules based on perlcritic reports.

Updated AuthBy SQLHOTP and SQLTOTP to support SQL query parameters. 
Enhanced the configuration for the both to refuse token lengths shorter 
than 4 and clarified documentation of Require2Factor and SQL token 
active field. Other minor updates to SQL schema, sample configurations 
and code based on perlcritic.

ClientListSQL and ClientListLDAP can now fetch TACACSPLUSKey parameter. 
This allows Clients to have separate values for RADIUS shared secret and 
TACACS+ key.

Check items with regular expression values now use s modifier by 
default. This allows dot to also match newline.

An instance of RealmTable is now dynamically updated for Diameter 
peerings used by Radiator 3GPPP AAA Server and other advanced Diameter 
applications. This RealmTable is available for Diameter request routing 
and forwarding for those Diameter peers that are configured with 
DiaPeerDef clauses supported by Radiator Carrier Pack.

Added RealmTable.pm for genric support for realm routing tables. This 
can be used with Radius and Diameter to dynamically or statically build 
routing tables that support quick lookups from a large number of 
destinations. Aggregates and regexp based lookups are supported. See 
realmtable.pl in goodies for a sample application.

Minor fixes: enhance Radius::SCTP support detection and address messages 
triggered by recently enabled warnings pragma.

Radiator's Radius::UtilXS package now provides interface to DES 
functions in OpenSSL and LibreSSL. These alternative functions are 
automatically used with Radius::UtilXS is available. Radius::UtilXS 
package is available from Radiator downloads.

Digest::MD4 is no longer strictly required with MSCHAP related 
authentication methods. An alternative MD4 digest implementation is now 
provided by Radiator's Radius::UtilXS package. This package is available 
from Radiator downloads.

Added new configuration parameter LeavePassword. LeavePassword is 
similar to ConsumePassword but leaves beginning of password unchanged 
and extracts a portion of password from the end.

Added integration guide and configuration files for configuring Radiator 
Software's RADIUS Server for EAP-TLS using SecureW2 PKI.

Added Win32-Lsa module for 64bit Strawberry Perl 5.30.1. Updated 
Radiator MSI package to use Strawberry Perl 5.30.1.1.

Added new configuration flag parameter IgnoreIfMissing. This parameter 
is somewhat similar to the previously existing parameter 
AcceptIfMissing. If the user is not present in the user database, this 
parameter causes the enclosing AuthBy to return ignore instead of 
reject. When multiple AuthBys are configured, this allows lookups to 
continue until the user is found while accept or reject is returned 
immediately. Suggested by Christian Meutes and Alexander Hartmaier.

When PacketTrace is set for a proxied request, the corresponding reply 
from a proxy now inherits the trace setting and is logged with trace 
level 5. With RadSec, the proxied request is now also logged with trace 
level 5.

Updated vendor Ruckus attributes in dictionary. Contributed by Michael 
Newton.

Added new check item ExistsInRequest. This is mostly used in Handlers to 
help matching requests based on attribute presence irrespective of their 
content. For example, <Handler ExistsInRequest=EAP-Message> selects all 
EAP requests. Simple alternation is also supported: <Handler 
ExistsInRequest = OSC-Rate-Limit-Day|OSC-Rate-Limit-Night> matches 
requests that have one or both of the attributes.

RADIUS attribute names are now cheked for uncommon characters. 
Unexpected names are accepted and a warning is logged when dictionary is 
loaded.

Locked Radiator distribution now honours Windows Service Control Manager 
state changes when expiry date or other limits have been reached. 
Previously Locked Radiator service became unstoppable when limits were 
reached.

Added new class called HTTPClient which implements a flexible and 
asynchronous HTTP and HTTPS client. Added new HTTPClient based AuthBy 
REST for sending authentication and accounting request over a REST 
interface.

Added support for using different back ends for random generation. The 
currently preferred source is Net::SSLeay with the default being Perl 
core rand.

AuthDN in AuthBy LDAP2 now supports %0 special. This is replaced with DN 
escaped value of currently authenticated username. Added special 
formatters %{LDAPDN:...} and %{LDAPFilter:...} for escaping values with 
LDAP DN and filter rules. Fixed ServerChecksPassword error logging to be 
correct about failure reason when no result was received from server 
because of, for example, unexpected disconnection. Similar changes, and 
return value unification, was done to function checkPassword for custom 
code uses. Trailing NUL octets are no longer stripped from attributes 
received from LDAP. Addressed results reported by Perl::Critic.

Multiple LDAP enhancements were added. LDAP modules now support new 
configuration parameters SSLCAClientKeyPassword and 
SSLExpectedServerName. SSLCAClientKeyPassword sets the passphrase to 
decrypt client private key when mutual certificate based LDAP 
authentication is required. SSLExpectedServerName sets the name the 
server certificate must match during verification. Misconfigured values 
for SSLCAFile and other related files are now logged and handled and no 
longer cause Radiator to exit without logging. Unknown values for 
SSLVerify are now logged and map to the default value require.

SNMPAgent and Monitor with FarmSize configuration no longer require a 
FarmChildHook to re-open their listen sockets. Their listen sockets are 
now created after forking the instances. FarmChildHook sample in 
hooks.txt goodies file was updated to point to an example in 
farmchildhook.txt goodies file. Updated Ldap.pm and SNMPAgent to better 
log and refuse incorrect Port configuration values. Minor fix to 
SNMPAgent to also return SNMPv2-MIB system group values when queried 
with snmpwalk.

Too large port numbers in configuration file for TCP, UDP and SCTP are 
now more clearly logged and refused.

Fixed a memory leak caused by a StatsLog clause and ClientListSQL or 
ClientListLDAP being enabled in the same configuration. Leak affects 
Radiator versions 4.17 up to 4.23.

Minor updates to IP address packing and resolution functions in Util.pm. 
Similar updates to old Socket6 module based functions. This makes IPv6 
support with Socket6 more similar to what Perl core provides. Minor 
updates to BigInt functions and fixes to recent quota calculation 
related utility functions. Addressed a number of perlcritic reports.

Unified Radiator internal JSON support. Modules, hooks and other code 
should now use Radius::JSON which chooses a JSON backend during startup 
and provides an interface for querying JSON status. The JSON backend and 
its version, or lack of backend, is logged when Radiator starts. Updated 
AuthBy DUO to use Radius::JSON instead JSON.pm.

Messages logged to global LogFile and by LogFILE, LogSYSLOG and Monitor 
clauses now support adding farm instance to log messages. This is 
enabled by new LogFarmInstance configuration flag parameter. Addressed 
results reported by Perl::Critic.

Updated diapwtst and ServerDIAMETER to include Acct-Application-Id in 
Accounting-Request (ACR) and Accounting-Answer (ACA) commands. Changed 
diapwtst to use Diameter base accounting in Command Code header field.

AuthBy LSA now checks that Win32::NetAdmin is available when the 
configuration is loaded. This prevents radiusd from starting if the 
module is not installed. Previously the check happened when group 
membership check was first done causing radiusd to exit.

The local address of AuthBy LDAP2 and other LDAP client connections, 
configured with BindAddress parameter, now supports formatting 
characters. Improved logging of LocalAddress for Stream based classes 
when LocalAddress uses formatting characters.

Added VENDOR 14823 Aruba attributes Aruba-Captive-Portal-URL and 
Aruba-MPSK-Passphrase to dictionary.

When global DupCache parameter was set to a non-default value, only 
duplicates for replied messages were correctly detected. Fixed a related 
memory leak and addressed Perl::Critic reports.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.