(RADIATOR) Version 3.6 released

Mon Apr 14 06:56:21 CDT 2003

We are pleased to announce the release of Radiator version 3.6

This version contains some significant improvements to 802.1x EAP
wireless compatibility, as well as a number of other minor features
and bug fixes.

As usual, the new version is available free of charge to current 
licensees from 
http://www.open.com.au/radiator/downloads/Radiator-3.6.tgz
and
http://www.open.com.au/radiator/downloads/Radiator-3.6-1.noarch.rpm

and to current evaluators from 
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.6.tgz
and
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.6-1.noarch.rpm

An extract from the history file is attached

-----------------------------

Revision 3.6 (2003-04-14 Significant improvements to wireless support) 

Most AuthBy clauses, including AuthBy RADIUS now support the ability
to try a previously cached password before authenticating or
proxying. The new CachePasswords flags causes Radiator to cache the
password and reply for previously accepted authentication
requests. The cached password will be tried before subsequent
authentication attempts. Caution: works with PAP only. Includes
improvments to Proxy-State behaviour.

AuthBy RADIUS now supports CachePasswords either before or after
proxying. The new flag CacheOnNoReply controls whether the cache will
be checked before every request, or only after no reply is
recieved. It defaults to 1 (ie check the cache if no reply is
received) to be consistent with historical behaviour.

Significant improvements to Windows installation process.

Added DefaultLimit parameter, allowing you to control the maximum
number of DEFAULT users. Defaults to no limit.

Added support for password encryption type {digest-md5-hex} which can
be used with Digest and SIP (Session Initiation Protocol)
authentication.

Added support for SIP (Session Initiation Protocol) Telephony Digest
authentication, as per draft-sterman-aaa-sip-00.txt, using attributes
Digest-Response, Digest-Attributes as defined in the new
dictionary.sip.

radpwtst now takesd a -sip command line argument that forces it to do
SIP digest authentication. Requires the new dictionary.sip as well as
the old dictionary like this:
        radpwtst -dictionary dictionary,dictionary.sip -sip

Ivan Kohler updated the Freeside accounting insert hook, and the file
name was changed from freesideacct.pl to goodies/sqlradacct.pl to be
consistent with Ivan's naming convention. Also Ivan's Copyright notice
had been omitted. See goodies/freeside.cfg.

AddressAllocator SQL now supports SQL bind variables on databases that
provide them.

SimpleClient.pm now implements retries. Sample code in
goodies/simpleClient.pl

Previous changes to quote the community in snmp commands with double
quotes for correct operation on Windows somehow got lost. Reinstated.

In AuthBy LDAP, AuthBy LDAP2 and AuthBy LDAPSDK, AuthDN and
AuthPassword now permit special characters. Requested by Dan
Melomedman (dan%dan.dan at devonit.com)

Added AuthenticateAttribute parameter to most AuthBy clauses, allowing
you to authenticate an attribute other then User-Name.

Newly reorganised dictionary had incorrect types for vendor-specific
Ascend-Data-Filter and Ascend-Call-Filter. Changed to abinary.

Added goodies/sqlclienthook.pl, sample code showing a way to have a
ClientListSQL-like database of clients, but still use the
file:'filename' style of hooks. WrittXen by German Gatica. Thanks
German.

Improvements to goodies/radacct.cgi to make it tolerant of
Acct-Session-Ids that include spaces. Contributed by
petri.maenpaa at satakunnanpuhelin.fi.

Improved sorting of Time On field in radwho.cgi. Suggested by
petri.maenpaa at satakunnanpuhelin.fi.

PasswordLogFileName and WtmpFileName now ensure that the directory
exists before writing.

Could get multiple EAP-Message attributes when tunnelling EAP-MSCHAPV2
through TTLS.

In AuthBy SQL, if there are multiple AuthColumnDef reply definitions,
they will be added to the reply in the order of the SQL query column
number. Previously the order was not guaranteed.

Client and Handler clauses incorrectly did not allow you to specify
AllowInReply.

Added 3GPP and Quintum Vendor-Specific-Attributes to dictionary

Testing with Solaris 9. OK. We tested with the precompiled Solaris 8
Perl 5.8.0 binary from SunFreeware.

Fixed some compatibility problems for OpenSSL 0.9.7 in the example
goodies/mkcertificate.sh.

The test suite now tests with a user 'testuser' not 'mikem'.

Added detailed installation instructions for Mac OS X to
goodies/osx.txt

All EAP configuration parameters involving files now support special
characters.

Added sample EAP certificates to the distribution. None of these
certificates should be considered to be secure, and they should NOT be
used in a production environment, but only for testing and
proof-of-concept for your project. You should use a reputable
Certificate Authority package such as CAtool to generate your
production certificates. See certificates/README for details on how to
use them.

Updated example goodies/eap_* configuration files to use sample
certificates.

The default location of the configuration file for radiusd on Unix has
been changed from /usr/local/etc/radius.cfg to
/etc/radiator/radius.cfg. On Windows, it now defaults to C:\Program
Files\Radiator\radius.cfg.

Added goodies/opie.txt, detailed instructions for installing and
configuring OPIE on RedHat 7.3 for use with FW-1. Contributed by "Mark
Wellins" (markw at checkpoint.com)

Log SQL now has the SQL quoted User-Name available as %4.

The Microsoft XP SP1 PEAP client uses the wrong MPPE keying
material. The new version of EAP_25.pm detects the Microsoft client
and interoperates with it as well as with compliant clients. Reported
by "Tom Rixom" (tom.rixom at alfa-ariss.com).

Improved compatibility with PEAP compliant 802.1x clients, as well as
with the broken Microsoft version 0 PEAP client. Now works with
Meetinghouse Data's Aegis version 2 client with PEAP (and all other
Aegis client authentication types)

Added support for 'Session Resumption' for EAP-TTLS and 'Fast
Reconnect' for PEAP. Can be optionally disabled with the
EAPTLS_SessionResumption flag (defaults to enabled) The time limit for
session resumption can be specified with
EAPTLS_SessionResumptionLimit. Defaults to 43200 seconds (12 hours).

Added goodies/eap_anon_hook.pl, a hook which fixes the problem with
some implementations of TTLS, where the accounting requests have the
User-Name of anonymous, instead of the real users name. This hook
caches the real user name in an SQL table and then does a lookaside to
replace the User-Name in accounting requests. Example usage in
goodies/eap_ttls.cfg, Example table in goodies/mysqlCreate.sql.

Fixed a problem that would cause a crash if Handler User-Password=xxx
was used.

Performance improvements in AuthGeneric logging. safeLog no longer
needed.

Improvements to SessionDatabase SQL, contributed by Jeremy Hinton
(jgh at visi.net). If your CountQuery SQL statement is written to return
a fifth argument (the default is just four), the value of the fifth
argument is used in the querying of the NAS as the username to look
for.

The new BasicSelect parameter mechanism in AuthBy PLATYPUS was broken
in version 3.4

Minor error logging improvements in AuthBy UNIX.

When inner PEAP authentications were proxied, there was no
Message-Authenticator included, which could cause some remote radius
servers to not reply. Reported by Kawakubo, Ken (kkawakub at fhcrc.org).

Added VSAs for Juniper Networks to dictionary. Contributed by
eric at ypass.net.

New special character %E is replaced by total time (in seconds) since
the request was received.

Fixed a problem when %c or %C was used with tunnelled requests,
causing a crash.

Added support for new check items EAPType and EAPTypeName wich match
the EAP protocol number (4, 13, 26 etc) and EAP protocol name (MD5,
TLS, MSCHAP-V2 etc) that the authentication request was carried in.

Added a number of Unisphere, Ascend-Disconnect-Cause and
Acct-Terminate-Cause attributes to dictionary. Contributed by Rui Lapa
(rui.lapa at oni.pt)

Example simple users file goodies/linux-users moved to goodies/users

On Windows, 'perl Makefile.PL install' now installs sample config
file, sample users file and dictionary in 'c:\Program Files\Radiator'
(if they do not already exist there). The files goodies/linux-users
was moved to goodies/simple-users. New sample config file for Windows
in goodies/windows.cfg.

New module Radius/Win32Service.pm to manage automatic installation and
running of Radiator as a Windows service. Radiusd internals
reorganised to support this. Requires Win32::Daemon (install with ppm
install http://www.roth.net/perl/packages/win32-daemon.ppd).

The Server Started message now logs at NOTICE level for improved
monitoring. Suggested by Scott Worthington (scottw at bnsi.net).

Added VSA's for UTStarcom Issanni DSL router to
dictionary. Contributed by butch at infowest.com.

SNMP now recognises the 'Timeout' error message from some types of
SNMP client, especially net-snmp (v5.0.8) (or ucd-snmp v4.2.3) on
Windows.

Added support for MySQL hashed password, as produced by the MySQL
password() function, in the format User-Password =
"{mysql}0569ef75321b8fed".

Client duplicate detection now ignores the source port, due to some
clients (notably Cisco APs) using a different port for every request,
resulting in excessive memory usage.

Improved handling of Proxy-State. Proxy-State attributes are now never
proxied: they are always copied (once) by the proxy server. This
prevents multiple copies and facilitates other improvements such as
extended ids support. Further, Proxy-Sate is now expected to work
correctly with EAP requests, CachedPasswords etc.

Added support for UseExtendedIds in AuthBy RADIUS. This mechanism uses
a more robust type of Radius packet identifier that is more tolerant
of large bursts of packets and various other environmental
problems. This mechanism uses Proxy-State to carry a packet identifier
with a much larger range, compared with only 256 that the Radius
protocol specifies. This mechanism will replace the
ServerHasBrokenPortNumbers and ServerHasBrokenAddresses flags, which
are now deprecated. Based on code contributed by various staff at
KPN. Thank You!.

Added a number of attributes from
http://www.iana.org/assignments/radius-types to dictionary, including
some new Service-Type, Tunnel-Type, Acct-Terminate-Cause etc.

Added LogIdent paramterer to Log SYSLOG, allowing you to specify an
alternative ident for syslog. Defaults to the executable name as
before. Suggested by Stefan Moser (sm at open.ch).

AuthBy RADIUS now support ClearTextTunnelPassword flag which prevents
Tunnel-Password being decrypted and reencrypted during proxying to
support older NASs that do not support encrypted Tunnel-Passwords.

Fixed a problem with hanging on Oracle in disconnect with some types
of network failures. Contributed by Rodney Volz (rodney at LF.net).

Fixed a problem that would cause double logging to files of any
startup errors detected within ServerConfig.

The ability to match empty string check items was broken in 3.4.

radpwtst now has -eapmd5 flag for testing EAP-MD5 challenge. Test
suite now uses it.

Removed MacRadiusd.sit.hqx from distribution. It is no defunct and
caused problems during unpacking on MacOSX.

Fixed a problem with AuthBy RADMIN affecting vendor attributes that
have no integer definitions. Patch contributed by Stephan Schönberger
(sschoenberger at monzoon.net).

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.