We are pleased to announce the release of Radiator version 3.4
This version provides some significant new features, including support for
Microsoft PEAP as used on Windows XP,
many minor new features and some bug fixes.
As usual, the new version is available free of charge to current
licensees from
http://www.open.com.au/radiator/downloads/Radiator-3.4.tgz
and
http://www.open.com.au/radiator/downloads/Radiator-3.4-1.noarch.rpm
and to current evaluators from
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.4.tgz
and
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.4-1.noarch.rpm
An extract from the history file is attached
-------------------------
Revision 3.4 (2002-11-02 Significant new features and some fixes)
Added support for PEAP and EAP-MSCHAPV2 (as used in Windows XP SP1).
Significant enhancements to EAP support, including: TTLS session
resumption, improved performance, reduced duplicated code, correct use
of EAP identities during authentication, more config examples,
configurable User-Name during EAP decode-proxying etc.
Added support for AutoMPPEKeys for EAP-TLS. Tested with Windows XP
etc. Moved some common TLS and TTLS code to a new module
Radius/TLS.pm. Requires Digest-HMAC and Digest-SHA1 from CPAN. Now
full Dynamic WEP key protection is available for both TLS and TTLS in
Radiator.
Testing and some minor fixes for Meetinghoue Data Corp's Aegis
wireless client, including MD5, TLS, and TTLS (PAP, CHAP, MSCHAPV1 and
MSCHAV2)
EAPType can now be a comma separated list of permitted EAP types, with
the default (most preferred) named first.
Changes to EAP_21.pm for improved interoperation with Meetinghouse
Aegis TTLS clients.
Added support for Certificate Revocation List (CRL) checking to
EAP-TLS. Caution: requires Net_SSLeay-1.20 _plus_ patches, and also
openssl 0.9.8 or later.
Radiusd now support multiple authentication and accounting ports with
AuthPort port,port,port... and AcctPort port,port,port...
AuthBy FILE now supports quoted user names with embedded white space,
eg "fred bloggs"
AuthBy ADSI now supports SearchAttribute, permitting searches for
users as well as direct binding. Also added GroupRequired to make
group membership checking quicker and easier. Also improved
performance of CheckGroup, and obsoleted need for CheckGroupServer
(CheckGroup now checks the group list returned from the user
bind). Much of this code contributed by Mark Motley
(mark at motleynet.com). Thanks Mark.
SessionDatabase SQL now suports a new parameter ReplaceQuery. If it is
defined it will be used to add a new record to the session
database. If it is not defined then DeleteQuery/AddQuery will be used
as before. This can improve performance in SQL databases that support
the 'insert or replace' type of query, such as MySQL.
Special character %W (the realm of the original user name) was not
translated correctly.
The global Trace parameter did not appear in Radarparamtere
inspection. Now appears and can be modified from within Radar.
Fixed a problem with setting new effective group ID with Group. On
some platforms and with some configurations, it would incorrectly
report that setting the egid had failed when in fact it had not. Also
fixed a problem where setting the egid would fail on some platforms if
User was also used to set the euid.
Added dictionary.hiper, a dictionary for 3Com Hiper Access Router
Card, in MERIT RADIUS format. This ia added verbatim, and is not
compatible with Radiator format.
Added Lucent-Vendor-Specific VSA to dictionary
When an SNMP sim-use check is run, the community is now quoted with
double quotes, not single quotes. Single quotes dont work properly
with Windows shells.
radwho.pl moved to goodies and out of the standard executables.
Fixed a problem with AuthBy INTERNAL, where during Accounting
Processing, the AcctAlive and the AcctStop commands never run, while
the command AcctStart is executed with
Acct-Status-Type=Alive|Start. Reported and fixed by Giuseppe Denora
(g.denora at elitel.it). Thanks Giuseppe.
AuthBy RADMIN now uses the new ValidFrom and ValidTo check items
rather than checking them internally. This will permit
NoDefaultIfFound to work correctly with RADMIN. Reported by "Thomas
Hartley/NCO/CEtv" (thartley at austar.com.au).
Added RFCs 2869 and 2882 to the distribution.
Added to goodies/hooks.txt an example hook to add User-Name attributes
to accounting requests that may not contain them.
Tagged-string attributes were not unpacked correctly if there was no
tag present. Reported by Tony Landells (ahl at austclear.com.au).
DEFAULT users with a Suffix check item did not always work
correctly. Reported by Tony Landells (ahl at austclear.com.au).
Fixed a problem with FramedGroup with large port numbers, where the
third octet of the computed address could have silly values. Reported
by "Miro Majcen" (miro.majcen at smart-com.si).
Fixed a problem where a FramedGroupMaxPortsPerClassC of 0 could cause
a crash. Reported by "Miro Majcen" (miro.majcen at smart-com.si).
Added example configuration file for Telstra (Australia) Dial Connect
Virtual ISP.
Testing with Perl 5.8.0. OK.
AuthLogSQL always reconnected to the database even when there was
nothing to do. Reported by Dan Melomedman (dan at devonit.com).
AuthBy RADMIN did not correctly handle some integer valued check
items. Reported by "Houwer, B" (b.houwer at kpn.com).
Improvements to SessionDatabase SQL, so that the NAS ID, NAS port and
SQL quoted Acct-Session-Id are available in the AddQuery.
AuthBy POP3 now permits special characters in the Host field, so that
you can handle multiple domains automatically with 'Host pop3.%W'
Log SQL and Log EMERALD did not correctly recover from an SQL database
outage. No further logging would occur, even after the database came
back.
In Log SQL, the Table parameter now takes special characters.
AuthBy ADSI did not correctly handle some AuthAttrDef attributes. For
example if there was more than one otherHomePhone, an incorrect check
would be made. Reported by Billy Li (billyl at unitechnetworks.com). More
below about this.
Added an example xinetd configuration file for Linux and others to the
goodies.
Added example configuration file for Jet ISP billing in
goodies/jet.cfg. Jet is a user management and billing system,
specifically designed and created for ISPs. Written in python and
Zope, it is highly flexible, and has a modular construction allowing
for additional modules to support a customers specific needs. It comes
with full source code, and Obsidian's development team is available to
produce extensions as required.
Added StatisticsOnly flag to Monitor.
Added GroupRequired to AuthBy NT on Windows, which ensures the user is
a member of the named group. Contributed by "Motley, Mark"
(Mark_Motley at earthtech.com). Thanks Mark.
Most check items now permit alternation with multiple permitted values
separated by vertical bar ('|'). Also, in AuthBy ADSI, AuthBy LDAP*,
if an AuthAttrDef of type 'check' is multi-valued, it will be
automatically converted into alternates, so you can use multi-values
to do a one-of check item match
Added goodies/rcrypt, a simple command line utility to do Rcrypt
encryption and decryption of passwords.
Testing with Mandrake 9.0. No issues or changes required.
Added Session_Error_Code and Session_Error_Msg to dictionary.redback
Fixed a problem with AuthBy ACE that would cause it to hang if run in
the background.
Improvements to AuthBy SQL for formatted-date. If Date:Format is not
available, logs an error and ignores the column. Suggested by Martin
Edge (martinedge at kbs.net.au).
AuthBy EXTERNAL now REJECTS if the external program exits due to a
signal. Suggested by Inglesant Philip
(Philip.Inglesant at netscalibur.co.uk)
radwho.pl and radwho.cgi were opening /tmp/xxx instead of /dev/null as
workaround for freetds problems. Reported by "Utku Er"
(erutku at netone.net.tr).
Improved isonline checking for Cisco. Now handles ISDN ports (ie
larger than port 20000) with finger. Contributed by "Utku Er"
(erutku at netone.net.tr).
Can now specify multiple BindAddress addresses, comma
separated. Suggested by Jeremy Hinton (jgh at visi.net).
Added goodies/CiscoDialupIPPools.doc, a document describing how to do
basic ip address assignment for Cisco dialup using
radiator. Contributed by "Kent, Ashley" (akent at ue.com.au).
Testing EAP with Net::SSLeay 1.21. OK.
Fixed a problem with AuthBy POP3 where a failed POP3 connection could
cause a crash. Reported by "Johannes Demel"
(demel at zid.tuwien.ac.at). Also testing with POP3Client 2.12. OK.
Fixed a problem where HUP signal on FreeBSD could cause crashes with
"Could not bind authentication socket: Address already in use at
radiusd line ...". Reported by "Giuseppe Denora" (g.denora at elitel.it).
Testing with Apple AirPort base station. OK for MAC
authentication. 802.1x EAP authentication is not supported by
AirPort. Added entry to FAQ describing how to set up.
Handler now detects accounting Acct-Status-Type of Interim-Update in
the same way as type Alive, for compatibility with some non-standard
dictionaries.
Fixed a problem with AuthByPolicy ContinueWhileIgnore and
Auth-Type=Ignore not working as expected. Reported by Petr Zimak
(Petr.Zimak at unibas.ch).
Added new AuthBy IMAP module, to authenticate from an IMAP
server. Contributed by Petr Zimak (Petr.Zimak at unibas.ch). Also example
config file goodies/imap.cfg.
Added new module AuthBy HTGROUP and example goodies/htgroup.cfg, which
can be used to confirm group membership according to an Apache htgroup
file. Contributed by Rodger Allen (rodger at infrasecure.com).
Fixed a problem with unreliable packing of integer8 Radius attributes.
In AuthBy PLATYPUS, can now use BaseSelect parameter to alter the
basic user select clause. AuthSelect is still used to optionally
augment BaseSelect.
Added goodies/AlterNASPort.pl, an example hook to convert
Cisco-NAS-Port to NAS-port so you can use the standard session
database and NasType Cisco. Contributed by Paul Pilsbury .
In AuthBy INTERNAL, any error in compiling a hook will result in an
IGNORE if the hook is used. Previously, it would ACCEPT. Suggested by
"Giuseppe Denora" (g.denora at elitel.it).
Improvements to SNMP simultaneous use operations, so that if a NAS
fails to respond Radiator will not try to contact it again for
SnmpNASErrorTimeout seconds. Contributed by Greg B Zemskov
(tingor at kraft-s.ru).
AuthBy RADMIN now ignores bad logins if the bad logins column is set
to NULL, or if the MaxBadLogins paramter is set to 0.. Suggested by
Nicolai van der Smagt (nicolai.vandersmagt at BBNED.NL)
Fixed a problem where an SHA password would cause a crash unless
Digest::SHA1 is installed. Reported by Camilo Echeverry
(caecheverryj at telesat.com.co).
Testing with Windows 2000 802.1x hotfix. OK.
Improved workaround for UTF8 problems in perl 5.8. All sockets are now
binmode to raw mode, preventing wide character interpretations.
Performance improvements in Nas.pm for NAS-specific module loading.
AuthEMERALD.pm and AuthEMERALinD4.pm needed use Radius::Client to
prevent errors when using AuthBy EMERALD with any Client clauses in
the config file. Reported by Carlos Molina (cmolina at net-uno.net).
ReplyHook is now passed a ref to the Radius::Host structure for the
downstream radius server.
Added Netscreen vendor specific attributes to dictionary. Contributed
by david.loesche at yipes.com.
Radius::decode_password is now more generalised. It can decode any
argument, not just the password from the current packet.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.