[RADIATOR-ANNOUNCE] Radiator Version 4.22 released - major packaging update, new features, enhancements and bug fixes
hvn at open.com.au
Wed Jan 9 20:34:03 UTC 2019
We are pleased to announce the release of Radiator version 4.22
This version comes with additional Radiator package formats and contains
new features, enhancements and bug fixes.
Radiator is now packaged as RPM for Red Hat Enterprise Linux 7 and
CentOS 7, deb for Ubuntu 16.04 and 18.04, and MSI for Windows. These are
in addition to the previous package formats: generic RPM, zip and tgz.
Other software, such as Radiator SIM pack, will be packaged later.
More information about new packages will be posted separately.
As usual, the new version is available to current licensees
and evaluators from:
Licensees with expired access contracts can renew at:
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
Revision 4.22 (2019-01-09) major packaging update, new features,
enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
New Radiator packages: Red Hat Enterprise Linux 7 and Centos 7, Ubuntu
16.04 and 18.04, and Windows MSI
Major updates to Yubikey Validation server support
SCTP multihoming support for Diameter and other stream modules
Known caveats and other notes
TLSv1.3 is not enabled by default for TLS based EAP methods.
TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
Fixed a bug in radiusd where @main::reinitFns and @main::perchildinitFns
are initialised after radiusd has loaded modules which already altered
@main::reinitFns and/or @main::perchildinitFns. This bug was triggered
when radiusd was restarted with a SIGHUP.
Fixed a bug in ServerTACACSPLUS where Client clause parameters, such as
RewriteUsername, were ignored. This was broken in Radiator 4.21.
Corrected SQL syntax in hotp.cfg and totp.cfg goodies sample files.
Reported by Denis Pavani.
Fixed EAP-FAST to work with OpenSSL 1.1.0 with clients that do not have
a valid PAC and need to use unauthenticated provisioning. This requires
SSL_set_security_level support which is not available in Net::SSLeay
1.85 and before.
Monitor and ServerHTTP now honour UseTLS. TLS_Protocols is still the
preferred method to enable TLS.
EAPAnonymous %0 can now access inner EAP identity with EAP-FAST.
TLS based EAP methods do not enable TLSv1.3 by default. This can be
changed with EAPTLS_Protocols configuration parameter.
Significant updates to radiator.service and radiator at .service Systemd
unit files in goodies. Radiator modules are looked up from a new default
location /opt/radiator/radiator. Binding to TACACS+ and other privileged
ports is enabled with CAP_NET_BIND_SERVICE. Runtime directory is created
as /run/radiator/. Other updates for environment variables and startup
radpwtst was updated to use its invocation location and
/opt/radiator/radiator to search for its modules and dictionary. Modules
nor dictionary are no longer looked up from the current working directory.
radiusd was updated to use its invocation location to search for its
modules. Modules are no longer looked up from the current working directory.
An info level message is now logged when license related configuration
parameters are set with a fully licensed Radiator. This is a reminder
that these parameters are ignored and can be safely removed from the
configuration. New configuration parameter LicenseFile is now the
recommended method to include license configuration parameters.
Removed a number of obsolete files from goodies
ClientListLDAP now supports PostSearchHook.
Added AuthBy HOTSPOT for operating wired and wireless hotspots with
authentication and billing. Added support for handling service and
subscription databases with implementations in ServiceDatabase INTERNAL
and ServiceDatabase SQL. Added modules for handling services,
subscriptions and sessions that are manged by SessionDatabase and
ServiceDatabase modules. Enhanced SessionDatabase modules to support the
new functionality. See README.hotspot and hotspot.cfg in goodies for
more information and a configuration sample.
Added AuthBy HOTSPOTFIDELIO that extends AuthBy HOTSPOT with
Opera/Fidelio specific functionality. See README.hotspot-fidelio and
hotspot-fidelio.cfg in goodies for more information and a configuration
sample. This module also supersedes AuthBy FIDELIOHOTSPOT which will
continue to work but should not be used in new deployments.
Added indexing to fidelio-hotspot.sql.
AuthBy FIDELIO, AuthBy FIDELIOHOTSPOT and AuthBy HOTSPOTFIDELIO
UserPasswordHook is now passed $p as an additional argument.
HandlerFindHook is now available for fast Handler lookup. This is
advantageous for configurations, such as proxying based on realm, where
maximum packet throughput is required. Configuration sample is in
Added Base32 decoder to hextobase32.pl in goodies and updated it to
match API changes in recent MIME::Base32 modules.
AuthBy YUBIKEYVALIDATIONSERVER now supports Validation Protocol 2.0 and
1.0. Tested with YubiCloud and PyHSM hsm-val servers. Previously
supported PyHSM yhsm-val short format OTP protocol was updated to
include OATH-TOTP protocol. Updated configuration sample with new
parameters is in yubikey-validationserver.cfg goodies file.
Windows service enhancements: service parameters no longer include
command line options relevant only to installing Radiator as a service.
This simplifies parameters when installing service and running as
service. Service install and uninstall failures now log more details and
cause radiusd to exit with failure. Fixed whitespace quoting in service
Added Win32-Lsa module for 64bit Strawberry Perl 5.28.
Updated the framework for packing and unpacking complex RADIUS vendor
specific attributes (VSA framework) to pass current request to custom
pack functions. Request is now passed to both pack and unpack functions.
Corrected hooks.txt in goodies to use packed address with Client's
radiusd now accepts command line parameter -prepend_env that prepends
its value to an environment variable during radiusd start. The variable
is created if it does not exist.
Stream based modules, such as ServerDIAMETER, now use sctp_bindx() for
all BindAddress values and sctp_connectx() for SCTPPeer values. These
require Radiator Radius::SCTP bindings to make libsctp API available for
Fixed a crash triggered by logging of Handler values, such as
Identifier, before Handler was chosen.
AuthBy LSA can now rewrite the username that is passed to LSA. Example
use is Wi-Fi roaming where roaming username can not be directly used
with Windows authentication because of local naming conflicts with
roaming requirements. See LSARewriteHook in goodies/lsa.cfg and Radiator
reference manual. Updated other AuthBy LSA configuration samples.
Improvements to AuthBy SAFEWORD. New parameters SSLVersion and
SSLCipherList allow configuring SSL/TLS protocol versions and cipher
suites when communicating with the server.
Improvements to AcctLog and AuthLog clauses. New optional parameter
MaxMessageLength specifies a maximum message length (in characters) for
each message to be logged, If specified, each log message is truncated
to the specified number of characters prior to logging.
Improvements to AcctLog, AuthLog and Log clauses. When LogSock is set to
unix or stream or pipe, new optional parameter LogPath specifies the
syslog path. Defaults to _PATH_LOG macro (if your system defines it).
ServerTACACSPLUS authorisation context lookup enhancement: new optional
configuration parameter ContextId specifies how to derive a lookup key
for TACACS+ authentication context when authorising TACACS+ requests.
Stream and StreamServer certificate verification enhancements: new
optional parameter TLS_CertificateVerifyHook specifies a perl function
that will be called for a custom verification of the client certificate.
TLS_CertificateVerifyFailedHook is a new optional parameter that
specifies a perl function that will be called if verifying the client
certificate fails. These are similar to their EAPTLS counterparts and
their return values determine how certificate verification continues.
See radsec-server.cfg in goodies and Radiator reference manual for more
Added VENDOR Ciena 1271 VSAs to dictionary.
Added Juniper Junos OS TACACS+ configuration sample in
tacacsplusserver.cfg goodies file.
AuthBy RADSEC now reconnects more reliably to disconnected peers instead
of leaving peers to permanently failed state. This could happen when
ConnectOnDemand is set and when UseStatusServerForFailureDetect is set
with Radiator 4.20 and 4.21. Reported by Paul Dekkers.
AuthBy RADSEC now delays creating sockets when Farmsize is set and
ConnectOnDemand is not set. This avoids closing sockets after forking
farm members which caused confusing stream related peer disconnect log
messages. Reported by Paul Dekkers.
AuthBy DNSROAM could connect to the same destination twice. This was
fixed in Radiator 4.20 but not mentioned in changes.
A number of code clean up and maintenance changes were done based on
Perl::Critic and other tools.
DictionaryReloadInterval is a new optional parameter that sets an
interval in seconds for checking whether the files defined by
DictionaryFile have changed. If there are changes, all files are
reloaded. Not enabled by default and the files are only loaded during
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
More information about the radiator-announce