(RADIATOR) Version 3.2 released

Mike McCauley mikem at open.com.au
Mon Aug 19 20:42:05 CDT 2002


We are pleased to announce the release of Radiator version 3.2.
This version provides some significant new features and 
some bug fixes. 

Among the most important new features is the support for EAP-TTLS 802.1x 
wireless authentication.

Caution: users of MSCHAP authentication should note the need to install 
Digest::SHA1 prior to installing this new version for continued correct 
operation.

As usual, the new version is available free of charge to current 
licensees from 
http://www.open.com.au/radiator/downloads/Radiator-3.2.tgz
and
http://www.open.com.au/radiator/downloads/Radiator-3.2-1.noarch.rpm

and to current evaluators from 
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.2.tgz
and
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.2-1.noarch.rpm

An extract from the history file is attached

Revision 3.2 (20/8/02 New features and fixes) 

Caution: Updated AuthGeneric.pm and MSCHAP.pm to use more modern
Digest::SHA1 instead of SHA. If you are using SHA passwords or MSCHAP
authentication, you must install Digest::SHA1.

Added new AuthBy URL module, contributed by Mauro Crovato
(mauro at crovato.com.ar). This module authenticates by sending the
username and password (optionally encrypted) as tags to a URL by
HTTP. A CGI or ASP program at the URL authenticates the password.

Fixed some interoperability problems with EAP-TLS. Testing with
Aironet AP and Client cards with OpenSSL and Xsupplicant on Linux and
Windows XP.

Beta support for EAP-TTLS as used by Funk Odyssey clients. Supports
TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPV2 for both local and
proxy authentication. See example configuration files
goodies/eap_ttls.cfg and goodies/eap_ttls_proxy.cfg. TTLS is Tunnelled
TLS, as per draft-ietf-pppext-eap-ttls-01.txt. It is supported by
Funk Odyssey wireless clients through a variety of wireless access
points. It provides one-way TLS authentication (the client
authenticates the radius server), and authentication requests are
delivered securely to the radius server via the encrypted TLS
tunnel. Unlike TLS, TTLS does not _require_ a certificate on each
client.

Tested EAP MD5-Challenge with Aironet AP and Client cards and Windows
XP. Added example goodies/eap_md5.cfg config file.

Added more Spring Tide VSAs to the dictionary. Contributed by
atesillo at ctgred.net.co.

AuthBy SQL now runs AuthSQLStatement even if AuthSelect is empty. 

A debug print statement was accidentally left in AuthLog SQL. 

AuthBy SQL AcctColumnDef now cannot insert the same column multiple
times. If there are multiple AcctColumnDef definitions for the same
column name and with non-null values, the last one will be the one
inserted. This is most likely to improve the case where there are two
NASIdentifier definitions, and the NAS reports both NAS-IP-Address and
NAS-Identifier. A number of example config files were changed so that
NASIdentifier is preferred if present.

AuthBy SQL now supports HandleAcctStatusTypes parameter, which allows
you to specify a comma separated list of AcctStatusTypes that will be
processed. All other types will be acknowledged, but not inserted or
processed with AcctSQLStatement. This is a more general mechanism than
AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly,
and these parameters are now officially deprecated and will not be
supported in the future.

A typo in Radius.pm prevented Ascend-Xmit-Rate working
properly. Reported by "Romain Vergniol" (romain.vergniol at cegedim.fr).

In the event of no reply from any hosts, AuthBy SQLRADIUS now runs the
NoReplyHook before any FailurePolicy automatic reply. Previously it
was run after the automatic reply.

Added Roaring Penguin VSAs to dictionary. Contributed by "Scott
Helms". Thanks Scott.

Added to Monitor support for Clients parameter, a comma or space
separated list of IP addresses that Monitor will accept connections
from. Default is to accept from any address.

Added a number of new Altiga VSAs to dictionary, contributed by "neil
d. quiogue" (neil at quiogue.com).

Added /usr/local/etc/radiator to the dictionary search path for
radpwtst. Suggested by "Martin Edge" (medge at affinityinternet.com.au)

Added UseTLS parameter for forcing TLS encryption in AuthBy
LDAP2. Contributed by Carl Litt (carl at execulink.com). Thanks Carl.

Added new flags to AuthBy NT on Windows. IgnoreAccountExpiry causes
AuthBy NT to ignore the NT account expiry flag when users attempt to
log in. IgnorePasswordExpiry causes it to ignore the password expired
flag. IgnorePasswordChange causes it to ignore the password change
required flag.

radpwtst -gui was not correctly showing packet dumps in the 'Detailed'
trace level.

Fixed a problem where an incorrect data length in an incoming radius
packet could result in reports of a 'Malformed request
packet:'. Reported by "Thilo Wunderlich" (tw at 7eins.net).

New parameter AuthCheckDN in AuthLDAP2 allows you to specify an
alternative DN to use to check a user's password, instead of the one
returned by the search result. Patch supplied by Jeremy Hinton
(jgh at visi.net). Thanks Jeremy.

Fixed a problem where HUP or reinitialise with a broken SNMPAgent
clause could cause a crash.

Fixed goodies/hooks.txt. Example use of replyTo() fixed to be in line
with new API.

Improvements to AuthBy RADIUS (and by inheritance AuthBy SQLRADIUS) so
that Host addresses that aren't resolved are reported but don't crash
Radiator. Reported by "Sebastian Filzek" (sebastian at filzek.org).

Attempts to use Session-Timeout in the form nnnn would cause a
crash. Reported by "Radius Impsat" (radius at impsat.net.ec).

The MS-CHAP2-Success reply in response to an MSCHAP V2 authentication
was incorrectly formatted.

Crypt encoded password can now be flagged with {crypt}... or
{CRYPT}... It's now case insensitive. Similarly for {rcrypt}, {MD5} and
{SHA}. Suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de)
for compatibility with slappasswd. Thanks Karl.
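As an added illustration (not part of this announcement and not Radiator's own Perl code), here is how a password store can accept slappasswd-style `{SCHEME}` prefixes with the scheme tag matched case-insensitively, as the change above describes. It handles the `{SHA}` and `{MD5}` base64 digest forms; `{crypt}` and `{rcrypt}` need a crypt(3) binding and are deliberately left out, so an entry using them is rejected rather than misverified. The `{SHA}`/`{MD5}` sample values in the test are the standard slappasswd encodings of the word "secret"; the function and constant names are this example's own.

```python
"""Verify passwords stored with a slappasswd-style {SCHEME} prefix, matching
the scheme tag case-insensitively. Added example, not Radiator's code."""
import base64
import binascii
import hashlib
import hmac

# Digest schemes handled here. {crypt}/{rcrypt} would need crypt(3), so they
# are intentionally absent and fall through to a reject (fail closed).
_DIGESTS = {"SHA": hashlib.sha1, "MD5": hashlib.md5}


def split_scheme(stored: str):
    """Return (SCHEME, payload) for '{Scheme}payload', or (None, stored)
    when the entry carries no prefix. The scheme is upper-cased so that
    {sha}, {Sha} and {SHA} are all treated alike."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return None, stored


def check_password(stored: str, candidate: str) -> bool:
    """True only if candidate matches the stored entry under its scheme."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme is None:
        # Plaintext entry: constant-time comparison of the two strings.
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    digest = _DIGESTS.get(scheme)
    if digest is None:
        return False                      # unknown/unsupported scheme
    try:
        expected = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False                      # malformed stored hash
    return hmac.compare_digest(digest(cand).digest(), expected)


if __name__ == "__main__":
    # Constructed entries: slappasswd -h '{SHA}' -s secret and the MD5 form.
    for entry in ("{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",
                  "{md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",
                  "{crypt}xxPLACEHOLDERxx"):
        print(entry, check_password(entry, "secret"))
```

Unknown schemes and undecodable payloads return False rather than raising, so a stray entry in a users file cannot turn into an accept.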

The internal session database is now tolerant of Session-IDs with
embedded colons, as used by Nortel CVX 1800 etc.

Fixed a problem with AuthBy LDAP2 and UseTLS. Could crash after
multiple authentications. Reported by Karl Gaissmaier
(karl.gaissmaier at rz.uni-ulm.de).

AuthBy RADMIN did not correctly increment bad logins count if
encrypted passwords were in use. Reported by
glenn_pierce at EnterpriseServices.com.au. Thanks Glenn.

When used with MSCHAP V2, the AutoMPPEKeys flag in any AuthBy now
automatically generates MS-MPPE-Send-Key and MS-MPPE-Recv-Key as per
RFC 3079. When used with MSCHAP V1 it still sends
MS-CHAP-MPPE-Keys. Reported by Stephan Schönberger
(sschoenberger at monzoon.net). Fixes interoperability issues with some
PPPoE clients.
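As an added example (not from this announcement and not Radiator's Perl), the following Python shows what "generates MS-MPPE-Send-Key and MS-MPPE-Recv-Key as per RFC 3079" involves: the GetMasterKey and GetAsymmetricStartKey derivations from RFC 3079 section 3.4, followed by the RFC 2548 salt-encryption that wraps each key before it goes into the Access-Accept. The magic strings and pads are the RFC's; the function names and the sample inputs (a constructed hash-of-hash and NT-Response, a constructed shared secret and Request Authenticator) are this example's own and are not real MS-CHAPv2 traffic.

```python
"""RFC 3079 MPPE key derivation for MS-CHAPv2 and RFC 2548 MS-MPPE-*-Key
attribute encryption. Added illustration, not Radiator's code."""
import hashlib

# Constants from RFC 3079 section 3.4 (GetMasterKey / GetAsymmetricStartKey).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """MasterKey = first 16 bytes of SHA1(PasswordHashHash | NT-Response | Magic1)."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("need a 16-byte hash-of-hash and a 24-byte NT-Response")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, length: int,
                             is_send: bool, is_server: bool) -> bytes:
    """Directional session key; the magic string depends on which side we are
    (client/server) and on the direction (send/receive)."""
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    return hashlib.sha1(master_key + SHA_PAD1 + magic + SHA_PAD2).digest()[:length]


def server_mppe_keys(password_hash_hash: bytes, nt_response: bytes,
                     length: int = 16):
    """(MS-MPPE-Send-Key, MS-MPPE-Recv-Key) as the RADIUS server hands them to
    the NAS: Send/Recv are from the server (NAS) side of the PPP link."""
    mk = get_master_key(password_hash_hash, nt_response)
    return (get_asymmetric_start_key(mk, length, True, True),
            get_asymmetric_start_key(mk, length, False, True))


def mppe_encrypt_key(key: bytes, secret: bytes, request_authenticator: bytes,
                     salt: bytes) -> bytes:
    """RFC 2548 2.4.2/2.4.3 salt-encryption; returns salt || ciphertext,
    i.e. the value field of an MS-MPPE-*-Key attribute."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit of the first set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)            # pad to a multiple of 16
    out, prev = b"", request_authenticator + salt     # b1 = MD5(S | R | A)
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out += c
        prev = c                                      # b(i) = MD5(S | c(i-1))
    return salt + out


def mppe_decrypt_key(value: bytes, secret: bytes,
                     request_authenticator: bytes) -> bytes:
    """Inverse of mppe_encrypt_key, as a NAS performs it on receipt."""
    salt, data = value[:2], value[2:]
    plain, prev = b"", request_authenticator + salt
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(data[i:i + 16], block))
        prev = data[i:i + 16]
    return plain[1:1 + plain[0]]


if __name__ == "__main__":
    # Constructed sample inputs, not real MS-CHAPv2 material.
    send_key, recv_key = server_mppe_keys(bytes(range(16)), bytes(range(24)))
    wrapped = mppe_encrypt_key(send_key, b"sharedsecret", bytes(range(16, 32)),
                               b"\x80\x01")
    print(send_key.hex(), recv_key.hex(), wrapped.hex())
```

The asymmetry matters in practice: the server's send key must equal the client's receive key, which is why the two magic strings are swapped depending on the side, and why a server that derives both keys with the same `is_server` flag but opposite `is_send` values interoperates with a client doing the mirror image.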

Some tagged string attributes such as Tunnel-Client-Endpoint did not
get encoded correctly if no tag was explicitly specified. Reported
by Bob Shafer (bshafer at du.edu).

AuthBy SQLRADIUS did not correctly handle RewriteUsername in host
definitions. Reported by "James Wiegand" (jwiegand at fiberlink.com).

Added USR-Terminal-Type to dictionary. Required by Roaring
Penguin. Contributed by Andy Linton (asjl at lionra.net.nz).

AuthBy TACACSPLUS now supports an AuthType parameter, which allows you
to force the Tacacs+ protocol to use PAP or ASCII
authentication. Contributed by Jean-Claude Christophe
(jch at oleane.net). Thanks Jean-Claude.

AuthBy RADIUS incorrectly added AddToReply etc to all replies, not
just Access-Accept.

Fixed some problems with radacct.cgi reported by Andy Linton
(asjl at lionra.net.nz).

AcceptIfMissing did not append AddToReply parameters. Reported by Jeje 
(jeje at jeje.org). 

radacct.cgi, radconfig.cgi and radwho.cgi which were previously in the
top level of the distribution were moved to the goodies directory so
that they would be included in RPM distributions.

Fixed a problem in AuthGeneric where the combination of AcceptIfMissing
and Auth-Type=Reject behaved incorrectly. Reported by Jaafar Bin Sarim
(jrsm at staff.singnet.com.sg).

Added some Nomadix VSAs to dictionary. Contributed by Karl Gaissmaier
(karl.gaissmaier at rz.uni-ulm.de).

If radiusd was started through ssh it crashed with an error 'Bad arg
length for Socket::unpack_sockaddr_in'. Reported by Kenya Noshiro
(noshiro at net.sony.co.jp).

Achint Saxena (ASaxena at Walkerwireless.com) reported that Util.pm needs
Time::Local when running on Win32. Added.

EAP MD5-Challenge can now use Password as well as User-Password in
user databases.

Added special character %I that gives the nas identifier as an integer
instead of dotted decimal character string. Contributed by Jerome
Fleury (jeje at jeje.org). Thanks Jerome.

AuthBy PAM now honours Fork. Useful for PAM modules that leak
memory. Use with caution: performance impact.

Added new parameter AcctInsertQuery to AuthBy SQL, allowing the
accounting insert query to be customised.

Server now detaches from the controlling terminal in daemon
mode. Contributed by Jerome Fleury
(jerome.fleury at fr.tiscali.com). Thanks.

Improvement to example linux init file in
goodies/linux-radiator.init. Now prints an error message if the config
file is not found. Contributed by Marc Liyanage
(mliyanage at futurelab.ch). Thanks Marc.

All executable programs, including those in goodies, now use
/usr/bin/perl instead of /usr/local/bin/perl. Suggested by Marc
Liyanage (mliyanage at futurelab.ch).

Testing on SCO OpenServer 5.0.4. OK. Added hints to faq.html.

radiusd now ensures the path to PidFile exists, and creates it if
necessary.

Improvements to RPM for compatibility with Cobalt and
others. Suggested by Daniel Senie (dts at senie.com).

New special character %w is replaced by the user name part of the full
original user name (before any RewriteUsername rules were applied). %W
is replaced by the realm part of the full original user name (before any
RewriteUsername rules were applied).


-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
