From: hvn at open.com.au (Heikki Vatiainen)
Date: Tue, 20 Oct 2020 18:43:47 +0300
Subject: [RADIATOR-ANNOUNCE] Radiator Version 4.25 released - Ansible automation, Dockerfiles, new features, enhancements and bug fixes

We are pleased to announce the release of Radiator version 4.25.

This version contains new features, enhancements and bug fixes. Notable new features relate to Ansible, Docker and extended RADIUS attribute formats. See below for the details.

As usual, the new version is available to current licensees and evaluators from:
https://radiatorsoftware.com/downloads/

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file https://www.open.com.au/radiator/history.html is below:

-----------------------------
Revision 4.25 (2020-10-20) new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

- Dockerfiles for running Radiator and Radius::UtilXS in CentOS 8, Ubuntu 20.04 or Windows Server Core 2019 were added in the goodies Docker directory.
- Ansible playbooks for installing, upgrading and managing Radiator with Ansible were added in the goodies Ansible directory.
- Added initial support for RFC 6929 and RFC 8044 formats and data types. If a vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 244.26 is received but is not present in the dictionary, it is now named Extended-Vendor-Specific-1 (or -2, -3 or -4). The value starts with the Vendor-Id octets. Naming may change in future Radiator releases.
- The hash balance proxy algorithm was significantly enhanced.
- Oracle Linux is tested to work with the el7 and el8 packages.
- New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu 20.04.
- The name Policy-Editor for VENDOR 3375 F5 attribute F5-LTM-User-Role value 800 is now an alias. The preferred name is Web-Application-Security-Administrator.
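The following is an added worked example, not Radiator code, of how a receiver can apply the naming rule above for RFC 6929 Extended-Type attributes: a known (Type, Extended-Type) or (Type, 26, Vendor-Id, Vendor-Type) tuple gets its dictionary name and decoded value, while an unknown one falls back to Extended-Type-N or Extended-Vendor-Specific-N carrying the raw octets, the latter beginning with the Vendor-Id. The dictionary entries, attribute names and the packet bytes are constructed for this example; only the wire layout (RFC 6929 sections 2.1 and 2.4) and the fallback naming from the release note are taken as given.

```python
"""Decode RFC 6929 Extended-Type attributes with dictionary lookup and the
Extended-Type-N / Extended-Vendor-Specific-N fallback names."""
import struct

# RFC 6929: Types 241-244 carry one Extended-Type octet; Extended-Type 26 inside
# them is Extended-Vendor-Specific (4-octet Vendor-Id, 1-octet Vendor-Type, value).
EXTENDED_TYPES = {241: 1, 242: 2, 243: 3, 244: 4}   # Type -> suffix in fallback name
EXT_VENDOR_SPECIFIC = 26

# Constructed sample dictionary for this example (hypothetical names, not Radiator's).
# Keys: (Type, Extended-Type) or (Type, 26, Vendor-Id, Vendor-Type); value: (name, RFC 8044 data type).
SAMPLE_DICT = {
    (241, 1): ("Example-Ext-Status", "integer"),
    (241, 26, 6527, 5): ("Example-Nokia-Ext-Text", "text"),
}

def decode_value(data_type, raw):
    """Decode value octets for the two RFC 8044 data types used in SAMPLE_DICT."""
    if data_type == "integer":
        if len(raw) != 4:
            raise ValueError("integer attribute must be 4 octets")
        return struct.unpack("!I", raw)[0]
    if data_type == "text":
        return raw.decode("utf-8")
    raise ValueError(f"unsupported data type {data_type}")

def decode_attr(buf, offset=0):
    """Decode one attribute at buf[offset]; return (name, value, next_offset)."""
    if len(buf) - offset < 2:
        raise ValueError("truncated attribute header")
    atype, alen = buf[offset], buf[offset + 1]
    if alen < 2 or offset + alen > len(buf):
        raise ValueError(f"bad attribute length {alen} for type {atype}")
    body, end = buf[offset + 2:offset + alen], offset + alen
    if atype not in EXTENDED_TYPES:
        return f"Attr-{atype}", body, end          # classic attribute, returned raw here
    if not body:
        raise ValueError(f"type {atype} attribute is missing its Extended-Type octet")
    ext_type, payload, suffix = body[0], body[1:], EXTENDED_TYPES[atype]
    if ext_type != EXT_VENDOR_SPECIFIC:
        entry = SAMPLE_DICT.get((atype, ext_type))
        if entry is None:
            # Unknown: keep everything after Type/Length untouched, Extended-Type octet included.
            return f"Extended-Type-{suffix}", body, end
        return entry[0], decode_value(entry[1], payload), end
    if len(payload) < 5:
        raise ValueError(f"type {atype}.26 attribute too short for Vendor-Id and Vendor-Type")
    vendor_id, vendor_type = struct.unpack("!IB", payload[:5])
    entry = SAMPLE_DICT.get((atype, EXT_VENDOR_SPECIFIC, vendor_id, vendor_type))
    if entry is None:
        # Unknown vendor attribute: the value starts with the Vendor-Id octets.
        return f"Extended-Vendor-Specific-{suffix}", payload, end
    return entry[0], decode_value(entry[1], payload[5:]), end

def decode_attrs(buf):
    """Decode a run of attributes into a list of (name, value)."""
    out, offset = [], 0
    while offset < len(buf):
        name, value, offset = decode_attr(buf, offset)
        out.append((name, value))
    return out

def encode_ext(atype, ext_type, value, vendor_id=None, vendor_type=None):
    """Build a Type 241-244 attribute; with vendor_id set, an Extended-Vendor-Specific one."""
    body = bytes([ext_type])
    if vendor_id is not None:
        body += struct.pack("!IB", vendor_id, vendor_type)
    body += value
    if 2 + len(body) > 255:
        raise ValueError("value does not fit a single Extended-Type attribute")
    return bytes([atype, 2 + len(body)]) + body

# Constructed sample input (not a captured packet): four attributes back to back.
SAMPLE = b"".join([
    encode_ext(241, 1, struct.pack("!I", 2)),                   # known 241.1 integer
    encode_ext(241, 26, b"ab", vendor_id=6527, vendor_type=5),  # known 241.26 vendor attribute
    encode_ext(242, 26, b"x", vendor_id=9, vendor_type=1),      # unknown 242.26 -> fallback name
    encode_ext(243, 7, b"\x01\x02"),                            # unknown 243.7 -> fallback name
])

if __name__ == "__main__":
    for name, value in decode_attrs(SAMPLE):
        print(name, value)
```

The length checks matter in practice: a malformed Extended-Type attribute with no Extended-Type octet, or a 241.26 payload shorter than five octets, is rejected with an error instead of being silently misparsed as a shorter attribute.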
- The BindV6Only update may in rare configurations change existing behaviour. If you have BindV6Only enabled, see the startup debug messages for affected listen sockets.

Known caveats and other notes

- TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
- EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.

Detailed changes

- Added Win32-Lsa module for 64bit Strawberry Perl 5.32.
- When a Status-Server request is received from a known client without a Message-Authenticator, Radiator now logs a warning for the request. Previously these requests were ignored without any logging. Noted by Michael Hulko.
- DiaClient no longer creates zero length Destination-Host and Destination-Realm AVPs when child classes leave their DestinationHost and DestinationRealm configuration parameters unset. This affects the DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy AKAWX, which now have better control over setting the values for the AVPs. This reverts the behaviour to how Radiator 4.16 and earlier worked.
- Removed DupInterval 0 from all goodies configuration samples. This is no longer needed even for testing because duplicate detection has for a long time used the methods recommended by RFC 5080.
- Updated AuthBy ACE configuration information.
- Dockerfiles for running Radiator and Radius::UtilXS in CentOS 8, Ubuntu 20.04 or Windows Server Core 2019 were added in the goodies Docker directory. Docker containers based on these files have Radiator and Radius::UtilXS installed, and a single Radiator instance running when the container is run. Multiple Radiator instances can be run by running multiple Docker containers.
- Added vendor specific attributes needed by Ruckus ICX devices. For VENDOR 1991 Foundry: Foundry-COA-Command-List and Foundry-Voice-Phone-Config; for VENDOR 25053 Ruckus: Ruckus-FlexAuth-AVP.
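An added example, not Radiator code, of the Status-Server check behind the warning above. RFC 5997 requires Message-Authenticator in Status-Server; RFC 3579 defines it as HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's own 16 value octets zeroed. The receiver below logs and drops a request that lacks the attribute instead of dropping it silently, and rejects one whose HMAC does not verify. The shared secret, the fixed Request Authenticator and the packets are constructed for the example; a real client sends 16 random authenticator octets.

```python
"""Build, sign and verify Status-Server requests with Message-Authenticator (RFC 3579 / RFC 5997)."""
import hashlib
import hmac
import logging
import struct

log = logging.getLogger("radius")

STATUS_SERVER = 12
NAS_IDENTIFIER = 32
MESSAGE_AUTHENTICATOR = 80

def build_packet(code, identifier, authenticator, attrs):
    """Assemble Code, Identifier, Length, Request Authenticator and TLV attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def find_message_authenticator(pkt):
    """Return the offset of the 16 Message-Authenticator value octets, or None."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    offset = 20
    while offset + 2 <= length:
        atype, alen = pkt[offset], pkt[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 16 octets")
            return offset + 2
        offset += alen
    return None

def compute_mac(pkt, value_offset, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    zeroed = pkt[:value_offset] + b"\x00" * 16 + pkt[value_offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign(pkt, secret):
    """Fill in the Message-Authenticator placeholder of an outgoing packet."""
    off = find_message_authenticator(pkt)
    if off is None:
        raise ValueError("packet has no Message-Authenticator placeholder")
    return pkt[:off] + compute_mac(pkt, off, secret) + pkt[off + 16:]

def check_status_server(pkt, secret, client="client"):
    """Return 'ok', 'missing' or 'bad'; only 'ok' requests should be answered."""
    if pkt[0] != STATUS_SERVER:
        raise ValueError("not a Status-Server request")
    off = find_message_authenticator(pkt)
    if off is None:
        log.warning("Status-Server from %s has no Message-Authenticator, ignoring", client)
        return "missing"
    if not hmac.compare_digest(pkt[off:off + 16], compute_mac(pkt, off, secret)):
        log.warning("Status-Server from %s has a bad Message-Authenticator, ignoring", client)
        return "bad"
    return "ok"

# Constructed sample: shared secret and a fixed Request Authenticator (real clients use 16 random octets).
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))

def sample_packets():
    """A correctly signed request, a copy modified after signing, and an unsigned one."""
    good = sign(build_packet(STATUS_SERVER, 7, REQ_AUTH,
                             [(NAS_IDENTIFIER, b"nas1"), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]),
                SECRET)
    tampered = good[:22] + b"nas2" + good[26:]   # NAS-Identifier value sits at offset 22
    unsigned = build_packet(STATUS_SERVER, 8, REQ_AUTH, [(NAS_IDENTIFIER, b"nas1")])
    return good, tampered, unsigned

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, pkt in zip(("good", "tampered", "unsigned"), sample_packets()):
        print(name, check_status_server(pkt, SECRET, client="10.0.0.5"))
```

The comparison uses hmac.compare_digest so that the verification time does not leak how many leading octets of a forged authenticator were correct.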
- Updated the Radiator MSI package to use Strawberry Perl 5.32.0.1 and Radius::UtilXS 2.3-1.
- Added initial support for RFC 6929 and RFC 8044 formats and data types. Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the default RADIUS dictionary. Added vendor specific attributes for VENDOR 6527 Nokia (formerly 'Alcatel-Lucent') that are encapsulated within IANA attribute 241 Extended-Type-1. Received extended attributes use dictionary names as usual. If a vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 244.26 is not present in the dictionary, it is now named Extended-Vendor-Specific-1 (or -2, -3 or -4) with a value that starts with the Vendor-Id octets. Attributes added with names such as Extended-Type-1 and Extended-Vendor-Specific-1 are packed without further processing of the value. This is similar to how packing was done previously.
- Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN and Juniper-CWA-Redirect-URL to the dictionary.
- Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the default RADIUS dictionary.
- Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to the dictionary.
- Added PT-RAD-Version and PT-UPP-Profile VSAs to the default dictionary for VENDOR 1556 Sonus Networks. This vendor code was previously assigned to Performance Technologies, Inc.
- Updated EAP-TLS NoCheckId documentation and configuration sample.
- Improved Ansible playbook output to show Radiator instance status clearly.
- AuthBy HASHBALANCE and the AuthBy RADSEC proxy algorithm HashBalance now distribute requests more equally among the remaining next hop hosts when a next hop host fails. Previously the requests destined to a failed host were proxied to only one of the remaining hosts.
- Added instructions on how to edit Radiator Software Ansible playbooks to support other Linux distributions like Oracle Linux.
- Radiator's Radius::UtilXS package now provides an interface to the AES functions required by SIM pack.
  This allows using OpenSSL or LibreSSL instead of Crypt::Rijndael.
- Updated configuration samples to work without changes when using RPM or deb packages. LogDir, DictionaryFile, certificate location and other settings now point to the locations the packages use and create.
- Added Ansible playbooks for deploying Radiator from RPM/deb packages and managing Radiator instances.
- DictionaryFile, the ClientListSQL flags column, and some other configuration parameters that use a comma to separate file names and other arguments now allow spaces around the comma.
- Enhanced the virtual systemd service (radiator-instances.service) to control multiple instances without a need to change the service file configuration. This change offers an enhanced feature but does not affect previous functionality.
- Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the default Radiator dictionary. Updated VENDOR 5 Acc attributes based on draft-ilgun-radius-accvsa-02. Added a new dictionary file dictionary.cambium-motorola-161 in goodies. This file includes Motorola-Canopy and Cambium-Canopy attributes contributed by Brandon Shiers. These attributes are in a separate file because the default dictionary already contains Motorola WiMAX attributes which use the same overlapping vendor number 161.
- Updated Radiator Radius and Diameter dictionaries with 3GPP 5G attributes from TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support. Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061 version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and 3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to the dictionary.
- DiameterDictionaryFile attributes are now added to all dictionaries in addition to the base dictionary. ServerDIAMETER now uses the Diameter dictionary of the Diameter request or answer when converting between Diameter and Radius.
  Previously the base dictionary was used for conversion.
- Enhanced debug log messages and simplified code related to loading and using dictionaries.
- Updated VENDOR Mikrotik 14988 attributes with the latest additions.
- Updated VENDOR Aruba 14823 attributes with the latest additions.
- Multiple dictionary updates: A new file dictionary.nokia-637 was added for vendor 637 Nokia (formerly 'Alcatel-Lucent') for those attributes that do not use the special 'format=2,1' that the vendor 637 attributes use in the default dictionary.
- Added attributes from multiple vendors to the default dictionary:
  - Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
  - Added VENDOR Cisco-VPN5000 255 for the Cisco VPN 5000 Concentrator with a number of CVPN5000 prefixed attributes.
  - Added VENDOR Adtran 664 with a number of Adtran prefixed attributes.
  - Added VENDOR Cisco-BSSM 5632 for the Cisco Building Broadband Service Manager attribute CBSSM-Bandwidth.
  - Added VENDOR Cisco-Aironet 5842 for the Aironet-Session-Timeout attribute.
  - Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
  - Added VENDOR Overture 7950 with the Overture-User-Access-Level attribute.
  - Added VENDOR Hatteras 8550 with the Hatteras-Auth-Level attribute.
  - Added VENDOR Ericsson-PCN 10923 for attributes registered for vendor Ericsson AB - Packet Core Networks. Added a number of attributes with the Ericsson-PCN prefix.
  - Added VENDOR Sandvine 11610 with the Sandvine-Group attribute.
  - Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
  - Added VENDOR Overture-4200-4300 16943 with the Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
  - Added VENDOR CyanInc 28533 with the CyanInc-User-Roles and CyanInc-Acct-Event-Text attributes.
  - Added to the default Radius dictionary a number of Extreme fabric attach VSAs that are defined as VENDOR 562 Nortel.
  - Added VSAs Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and Annex-Commands for Extreme and Avaya devices that are defined as VENDOR 1584 Bay-Networks. These all use names that do not follow the de-facto VSA naming.
- Fixed a harmless warning in radpwtst if a reject or interactive challenge did not contain a Reply-Message attribute.
- ClientListSQL now disconnects automatically from the DB during server startup when a server farm is configured with FarmSize. This avoids passing DB handle copies to farm workers, which could cause errors with subsequent DB access.
- Fixed a memory leak in ServerDIAMETER where a small amount of memory was leaked with every connection.
- Initial CER timeout logging now also honours the log level set with DisconnectTraceLevel.
- AuthBy REST and other modules based on HTTPClient now honour DisconnectTraceLevel to control how closed connections are logged. AuthBy REST now logs peer initiated disconnects at DEBUG level.
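An added illustration, not Radiator's own HashBalance implementation (the page does not describe its internals), of the failover behaviour in the HashBalance entry above. A naive "hash modulo host count, then step to the next live host" scheme sends every request that was destined to a failed host to the same single neighbour, which is the behaviour the entry says was replaced. Rendezvous (highest random weight) hashing, shown beside it, is one technique with the property the entry describes: keys of the failed host spread over all surviving hosts while keys of the other hosts stay where they were. Host names and the 2000 sample keys are constructed for the example.

```python
"""Naive modulo hashing versus rendezvous hashing for proxy next hop selection."""
import hashlib
from collections import Counter

def _h(*parts):
    """Stable 64-bit hash; Python's hash() is salted per process, so use SHA-256."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")

def naive_pick(key, hosts, alive):
    """Index by hash modulo host count; on failure walk to the next live host."""
    if not any(h in alive for h in hosts):
        raise RuntimeError("no live next hop hosts")
    idx = _h(key) % len(hosts)
    for step in range(len(hosts)):
        candidate = hosts[(idx + step) % len(hosts)]
        if candidate in alive:
            return candidate

def rendezvous_pick(key, hosts, alive):
    """Score every live host with hash(key, host) and take the highest score."""
    live = [h for h in hosts if h in alive]
    if not live:
        raise RuntimeError("no live next hop hosts")
    return max(live, key=lambda host: _h(key, host))

def distribution(pick, keys, hosts, alive):
    """Map each key to a host and count keys per host."""
    return Counter(pick(k, hosts, alive) for k in keys)

def moved_keys(pick, keys, hosts, alive_before, alive_after):
    """Keys whose host changes between the two live sets, counted by (from, to)."""
    moves = Counter()
    for k in keys:
        src, dst = pick(k, hosts, alive_before), pick(k, hosts, alive_after)
        if src != dst:
            moves[(src, dst)] += 1
    return moves

# Constructed sample: four next hops and 2000 keys (think User-Name values); host "b" fails.
HOSTS = ["a", "b", "c", "d"]
KEYS = [f"user{i}@example.org" for i in range(2000)]
ALL = set(HOSTS)
WITHOUT_B = ALL - {"b"}

if __name__ == "__main__":
    for name, pick in (("naive", naive_pick), ("rendezvous", rendezvous_pick)):
        print(name, "before:", dict(distribution(pick, KEYS, HOSTS, ALL)))
        print(name, "after b fails:", dict(distribution(pick, KEYS, HOSTS, WITHOUT_B)))
        print(name, "moves:", dict(moved_keys(pick, KEYS, HOSTS, ALL, WITHOUT_B)))
```

The key to hash on is a design choice: hashing on User-Name keeps all packets of one user's EAP conversation on the same next hop, which matters for multi-round authentications that carry state on the proxied server.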
- Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606 Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess (Ekinops OneAccess OneOS) to the RADIUS dictionary.
- Added and updated VSAs for VENDOR 7483 Tropic and VENDOR 30065 Arista.
- SQL clauses now support a separate timeout for connects and disconnects. Some databases may leak resources, such as file descriptors, when Radiator times out a connection before the DB driver does. With the new parameter ConnectTimeout, the SQL connection timeout can be different from Timeout, which is used for SQL queries.
- Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan, attributes in the dictionary. Values for Alcatel-Lucent-Access-Priv and the new attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4, Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.
- Added a script in goodies to create a CHAP challenge for direct Monitor port access.
- More logging updates for LDAP ServerChecksPassword failures. Improved AuthBy LDAP2 logging when ServerChecksPassword triggers an authentication failure because of a bad password.
- ServerTACACSPLUS now logs more details about connections that get closed immediately after being established.
- Minor updates to LSA and NTLM configuration samples.
- Added VENDOR Incognito 3606 VSAs to the dictionary.
- Updated VENDOR 3375 F5 VSAs in the Radiator default dictionary. Attribute F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. The name Policy-Editor for F5-LTM-User-Role value 800 is now an alias for the name Web-Application-Security-Administrator, which appears to have been used since BIG-IP 10.x, first released in 2009.
- SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and StatsType and OutputFormat in StatsLog clauses now support configuration time % formatting, typically used with %{GlobalVar:name}.
- Fixed deprecated syntax in goodies file AuthPLPSQL.pm.
- Fixed a warning triggered by LDAP modules during configuration loading when UseSSL was set and Port was configured with a % formatted value.
- Updated radiusd so that it tries to locate Radius::UtilXS similarly to how radpwtst already does. This helps manual configuration testing on systems that use packages.
- AuthBy NTLM can now rewrite the username that is passed to ntlm_auth. An example use is Wi-Fi roaming, where the roaming username cannot be used directly with Windows authentication because of local naming conflicts with roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and the Radiator reference manual. Updated other AuthBy NTLM configuration samples. This is similar to what was added to AuthBy LSA in release 4.22.
- StatsLog and ClientList periodic updates are now scheduled based on server start time to avoid slowly occurring time drift between the runs. With FarmSize configured, it is now possible to configure a spacing between worker runs to avoid synchronisation across all farm members. This is supported by StatsLog and ClientList clauses with the FarmWorkerSpacing configuration parameter.
- Updated test.pl to be more reliable in finding Radiator modules with CentOS 6 and other systems with Perl earlier than 5.16.
- When a Stream connection, such as RadSec or Diameter, is closed, the log message level can now be configured with the DisconnectTraceLevel parameter. This avoids unnecessarily high level log messages when frequently closed connections are normal.
- Fixed the configuration file include directive to work with directories that have whitespace characters, such as "Program Files". Enhanced include's error detection and logging in case of unreadable directories and other problems reading the files. A warning is now logged if a wildcard, such as include/*.cfg, does not expand to any files.
- Updated RADIUS attribute encoding and decoding to be more flexible with vendor specific formats.
  This allows, for example, overriding the VENDOR 637 Nokia VSA format to use a 1 octet long VSA type field instead of forcing the hardcoded 2 octets.
- The StreamTLS server now logs more information about failures, for example when the TLS version is not acceptable or when a client certificate was required but not received. Reported by Stefan Paetow.
- StatsLog clauses now support StatsExcludeObject and StatsInclude. These allow, for example, skipping statistics for all Clients while still supporting exceptions for certain clients. See the example in statslog.cfg in goodies.
- Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to the dictionary.
- Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.
- Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was introduced in release 4.22 and caused TLS, remote host IP and other settings to remain uninitialised. As a result, RadSec started by DNS roaming connected nowhere.
- The BindV6Only global configuration parameter now covers proxy listen sockets, Gossip UDP listen sockets and Stream server listen sockets, such as the RadSec server socket.
- The system error string corresponding to errno was logged by TLS modules for some errors when errno did not have a useful value. This resulted in misleading log messages.
- Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer required. HMAC calculation is done directly with Digest::SHA or Digest::MD5.
- Updated expiration timestamps in users. Expired timestamps caused test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded. test.pl now requires more modules to be present and tries to automatically run MSCHAP tests.
- Enhancements to AuthBy DUO Failmode. Failmode no longer applies to non-success API return codes that relate to problems with requests sent by Radiator. Improved Failmode related API reachability and error logging and handling.
- Log messages now use separate ip/hostname and port instead of the ip:port format, which is confusing with IPv6 addresses.
- Radiator now logs a warning if a RADIUS client is defined multiple times. This may happen, for example, when a client is defined in both the configuration file and ClientListSQL.
- An IPv6 address did not work as a LDAP Host parameter value because the LDAP port number was directly appended to Host parameter values during connect. Appending the port is allowed by the Net::LDAP API but was not done correctly with IPv6 LDAP server addresses. The port is no longer appended and is passed only as a separate parameter. LDAP log messages were enhanced.
- AuthBy FREERADIUS now handles the Cleartext-Password check item as a password check item when the new flag configuration parameter ConvertCleartextPassword is set. Updated configuration sample freeradius.sql in goodies to enable the newly added parameter by default. Other minor updates were made to the configuration and the AuthBy module.
- Fixed a memory leak in TLS based EAP methods and Stream classes, such as RadSec, where CRL file loading and re-loading did not free temporary resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan Tomasek.

-- 
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.