(RADIATOR) Re: Version 3.6 released

Mike McCauley mikem at open.com.au
Mon Apr 14 18:08:48 CDT 2003


Hello all,

There was an error in the links we posted. The correct links are:

As usual, the new version is available free of charge to current 
licensees from 
http://www.open.com.au/radiator/downloads/

and to current evaluators from 
http://www.open.com.au/radiator/demo-downloads

Cheers.


On Mon, 14 Apr 2003 09:56 pm, Mike McCauley wrote:
> We are pleased to announce the release of Radiator version 3.6
>
> This version contains some significant improvements to 802.1x EAP
> wireless compatibility, as well as a number of other minor features
> and bug fixes.
>
> As usual, the new version is available free of charge to current
> licensees from
> http://www.open.com.au/radiator/downloads/Radiator-3.6.tgz
> and
> http://www.open.com.au/radiator/downloads/Radiator-3.6-1.noarch.rpm
>
> and to current evaluators from
> http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.6.tgz
> and
> http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.6-1.noarch.rpm
>
> An extract from the history file is attached
>
> -----------------------------
>
> Revision 3.6 (2003-04-14 Significant improvements to wireless support)
>
> Most AuthBy clauses, including AuthBy RADIUS now support the ability
> to try a previously cached password before authenticating or
> proxying. The new CachePasswords flag causes Radiator to cache the
> password and reply for previously accepted authentication
> requests. The cached password will be tried before subsequent
> authentication attempts. Caution: works with PAP only. Includes
> improvements to Proxy-State behaviour.
>
> AuthBy RADIUS now supports CachePasswords either before or after
> proxying. The new flag CacheOnNoReply controls whether the cache will
> be checked before every request, or only after no reply is
> received. It defaults to 1 (ie check the cache if no reply is
> received) to be consistent with historical behaviour.
>
> Significant improvements to Windows installation process.
>
> Added DefaultLimit parameter, allowing you to control the maximum
> number of DEFAULT users. Defaults to no limit.
>
> Added support for password encryption type {digest-md5-hex} which can
> be used with Digest and SIP (Session Initiation Protocol)
> authentication.
>
> Added support for SIP (Session Initiation Protocol) Telephony Digest
> authentication, as per draft-sterman-aaa-sip-00.txt, using attributes
> Digest-Response, Digest-Attributes as defined in the new
> dictionary.sip.
>
> radpwtst now takes a -sip command line argument that forces it to do
> SIP digest authentication. Requires the new dictionary.sip as well as
> the old dictionary like this:
>         radpwtst -dictionary dictionary,dictionary.sip -sip
>
>
> Ivan Kohler updated the Freeside accounting insert hook, and the file
> name was changed from freesideacct.pl to goodies/sqlradacct.pl to be
> consistent with Ivan's naming convention. Also Ivan's Copyright notice
> had been omitted. See goodies/freeside.cfg.
>
> AddressAllocator SQL now supports SQL bind variables on databases that
> provide them.
>
> SimpleClient.pm now implements retries. Sample code in
> goodies/simpleClient.pl
>
> Previous changes to quote the community in snmp commands with double
> quotes for correct operation on Windows somehow got lost. Reinstated.
>
> In AuthBy LDAP, AuthBy LDAP2 and AuthBy LDAPSDK, AuthDN and
> AuthPassword now permit special characters. Requested by Dan
> Melomedman (dan%dan.dan at devonit.com)
>
> Added AuthenticateAttribute parameter to most AuthBy clauses, allowing
> you to authenticate an attribute other than User-Name.
>
> Newly reorganised dictionary had incorrect types for vendor-specific
> Ascend-Data-Filter and Ascend-Call-Filter. Changed to abinary.
>
> Added goodies/sqlclienthook.pl, sample code showing a way to have a
> ClientListSQL-like database of clients, but still use the
> file:'filename' style of hooks. Written by German Gatica. Thanks
> German.
>
> Improvements to goodies/radacct.cgi to make it tolerant of
> Acct-Session-Ids that include spaces. Contributed by
> petri.maenpaa at satakunnanpuhelin.fi.
>
> Improved sorting of Time On field in radwho.cgi. Suggested by
> petri.maenpaa at satakunnanpuhelin.fi.
>
> PasswordLogFileName and WtmpFileName now ensure that the directory
> exists before writing.
>
> Could get multiple EAP-Message attributes when tunnelling EAP-MSCHAPV2
> through TTLS.
>
> In AuthBy SQL, if there are multiple AuthColumnDef reply definitions,
> they will be added to the reply in the order of the SQL query column
> number. Previously the order was not guaranteed.
>
> Client and Handler clauses incorrectly did not allow you to specify
> AllowInReply.
>
> Added 3GPP and Quintum Vendor-Specific-Attributes to dictionary
>
> Testing with Solaris 9. OK. We tested with the precompiled Solaris 8
> Perl 5.8.0 binary from SunFreeware.
>
> Fixed some compatibility problems for OpenSSL 0.9.7 in the example
> goodies/mkcertificate.sh.
>
> The test suite now tests with a user 'testuser' not 'mikem'.
>
> Added detailed installation instructions for Mac OS X to
> goodies/osx.txt
>
> All EAP configuration parameters involving files now support special
> characters.
>
> Added sample EAP certificates to the distribution. None of these
> certificates should be considered to be secure, and they should NOT be
> used in a production environment, but only for testing and
> proof-of-concept for your project. You should use a reputable
> Certificate Authority package such as CAtool to generate your
> production certificates. See certificates/README for details on how to
> use them.
>
> Updated example goodies/eap_* configuration files to use sample
> certificates.
>
> The default location of the configuration file for radiusd on Unix has
> been changed from /usr/local/etc/radius.cfg to
> /etc/radiator/radius.cfg. On Windows, it now defaults to C:\Program
> Files\Radiator\radius.cfg.
>
> Added goodies/opie.txt, detailed instructions for installing and
> configuring OPIE on RedHat 7.3 for use with FW-1. Contributed by "Mark
> Wellins" (markw at checkpoint.com)
>
> Log SQL now has the SQL quoted User-Name available as %4.
>
> The Microsoft XP SP1 PEAP client uses the wrong MPPE keying
> material. The new version of EAP_25.pm detects the Microsoft client
> and interoperates with it as well as with compliant clients. Reported
> by "Tom Rixom" (tom.rixom at alfa-ariss.com).
>
> Improved compatibility with PEAP compliant 802.1x clients, as well as
> with the broken Microsoft version 0 PEAP client. Now works with
> Meetinghouse Data's Aegis version 2 client with PEAP (and all other
> Aegis client authentication types)
>
> Added support for 'Session Resumption' for EAP-TTLS and 'Fast
> Reconnect' for PEAP. Can be optionally disabled with the
> EAPTLS_SessionResumption flag (defaults to enabled). The time limit for
> session resumption can be specified with
> EAPTLS_SessionResumptionLimit. Defaults to 43200 seconds (12 hours).
>
> Added goodies/eap_anon_hook.pl, a hook which fixes the problem with
> some implementations of TTLS, where the accounting requests have the
> User-Name of anonymous, instead of the real user's name. This hook
> caches the real user name in an SQL table and then does a lookaside to
> replace the User-Name in accounting requests. Example usage in
> goodies/eap_ttls.cfg, Example table in goodies/mysqlCreate.sql.
>
> Fixed a problem that would cause a crash if Handler User-Password=xxx
> was used.
>
> Performance improvements in AuthGeneric logging. safeLog no longer
> needed.
>
> Improvements to SessionDatabase SQL, contributed by Jeremy Hinton
> (jgh at visi.net). If your CountQuery SQL statement is written to return
> a fifth argument (the default is just four), the value of the fifth
> argument is used in the querying of the NAS as the username to look
> for.
>
> The new BasicSelect parameter mechanism in AuthBy PLATYPUS was broken
> in version 3.4
>
> Minor error logging improvements in AuthBy UNIX.
>
> When inner PEAP authentications were proxied, there was no
> Message-Authenticator included, which could cause some remote radius
> servers to not reply. Reported by Kawakubo, Ken (kkawakub at fhcrc.org).
>
> Added VSAs for Juniper Networks to dictionary. Contributed by
> eric at ypass.net.
>
> New special character %E is replaced by total time (in seconds) since
> the request was received.
>
> Fixed a problem when %c or %C was used with tunnelled requests,
> causing a crash.
>
> Added support for new check items EAPType and EAPTypeName which match
> the EAP protocol number (4, 13, 26 etc) and EAP protocol name (MD5,
> TLS, MSCHAP-V2 etc) that the authentication request was carried in.
>
> Added a number of Unisphere, Ascend-Disconnect-Cause and
> Acct-Terminate-Cause attributes to dictionary. Contributed by Rui Lapa
> (rui.lapa at oni.pt)
>
> Example simple users file goodies/linux-users moved to goodies/users
>
> On Windows, 'perl Makefile.PL install' now installs sample config
> file, sample users file and dictionary in 'c:\Program Files\Radiator'
> (if they do not already exist there). The file goodies/linux-users
> was moved to goodies/simple-users. New sample config file for Windows
> in goodies/windows.cfg.
>
> New module Radius/Win32Service.pm to manage automatic installation and
> running of Radiator as a Windows service. Radiusd internals
> reorganised to support this. Requires Win32::Daemon (install with ppm
> install http://www.roth.net/perl/packages/win32-daemon.ppd).
>
> The Server Started message now logs at NOTICE level for improved
> monitoring. Suggested by Scott Worthington (scottw at bnsi.net).
>
> Added VSA's for UTStarcom Issanni DSL router to
> dictionary. Contributed by butch at infowest.com.
>
> SNMP now recognises the 'Timeout' error message from some types of
> SNMP client, especially net-snmp (v5.0.8) (or ucd-snmp v4.2.3) on
> Windows.
>
> Added support for MySQL hashed password, as produced by the MySQL
> password() function, in the format User-Password =
> "{mysql}0569ef75321b8fed".
>
> Client duplicate detection now ignores the source port, due to some
> clients (notably Cisco APs) using a different port for every request,
> resulting in excessive memory usage.
>
> Improved handling of Proxy-State. Proxy-State attributes are now never
> proxied: they are always copied (once) by the proxy server. This
> prevents multiple copies and facilitates other improvements such as
> extended ids support. Further, Proxy-State is now expected to work
> correctly with EAP requests, CachedPasswords etc.
>
> Added support for UseExtendedIds in AuthBy RADIUS. This mechanism uses
> a more robust type of Radius packet identifier that is more tolerant
> of large bursts of packets and various other environmental
> problems. This mechanism uses Proxy-State to carry a packet identifier
> with a much larger range, compared with only 256 that the Radius
> protocol specifies. This mechanism will replace the
> ServerHasBrokenPortNumbers and ServerHasBrokenAddresses flags, which
> are now deprecated. Based on code contributed by various staff at
> KPN. Thank You!.
>
> Added a number of attributes from
> http://www.iana.org/assignments/radius-types to dictionary, including
> some new Service-Type, Tunnel-Type, Acct-Terminate-Cause etc.
>
> Added LogIdent parameter to Log SYSLOG, allowing you to specify an
> alternative ident for syslog. Defaults to the executable name as
> before. Suggested by Stefan Moser (sm at open.ch).
>
> AuthBy RADIUS now supports ClearTextTunnelPassword flag which prevents
> Tunnel-Password being decrypted and reencrypted during proxying to
> support older NASs that do not support encrypted Tunnel-Passwords.
>
> Fixed a problem with hanging on Oracle in disconnect with some types
> of network failures. Contributed by Rodney Volz (rodney at LF.net).
>
> Fixed a problem that would cause double logging to files of any
> startup errors detected within ServerConfig.
>
> The ability to match empty string check items was broken in 3.4.
>
> radpwtst now has -eapmd5 flag for testing EAP-MD5 challenge. Test
> suite now uses it.
>
> Removed MacRadiusd.sit.hqx from distribution. It is now defunct and
> caused problems during unpacking on MacOSX.
>
> Fixed a problem with AuthBy RADMIN affecting vendor attributes that
> have no integer definitions. Patch contributed by Stephan Schönberger
> (sschoenberger at monzoon.net).

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
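
Added example, not part of the original announcement and not Radiator's code: a Python sketch of the idea behind the UseExtendedIds item above, where a proxy carries a wide request identifier in Proxy-State (which the upstream server echoes back) instead of relying on the 8-bit RADIUS identifier. The `EXTID=` encoding, function names and the simulated upstream server are assumptions made for illustration.

```python
import struct

PROXY_STATE = 33                      # RFC 2865 attribute type
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def build_packet(code, ident, attrs):
    """Minimal RADIUS packet: code, 8-bit id, length, zeroed authenticator, TLVs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident & 0xFF, 20 + len(body)) + bytes(16) + body

def parse_packet(data):
    """Return (code, id, [(type, value)]) and reject malformed lengths."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, attrs

def upstream_reply(request):
    """Constructed upstream server: echoes Proxy-State unchanged in its reply."""
    _, ident, attrs = parse_packet(request)
    echoed = [(t, v) for t, v in attrs if t == PROXY_STATE]
    return build_packet(ACCESS_ACCEPT, ident, echoed)

def run_burst(n, extended):
    """Send n requests before any reply arrives; count replies matched to the right user."""
    pending, requests = {}, []
    for seq in range(n):
        user = f"user{seq}"
        if extended:
            key = seq                 # wide counter, carried in Proxy-State (assumed format)
            attrs = [(PROXY_STATE, b"EXTID=" + str(seq).encode())]
        else:
            key = seq & 0xFF          # only the 8-bit header identifier is available
            attrs = []
        pending[key] = user           # with 8-bit keys, a wrapped id overwrites the old entry
        requests.append((user, build_packet(ACCESS_REQUEST, seq, attrs)))
    correct = 0
    for user, req in requests:
        _, ident, attrs = parse_packet(upstream_reply(req))
        ext = [v for t, v in attrs if t == PROXY_STATE and v.startswith(b"EXTID=")]
        key = int(ext[0][6:]) if ext else ident
        correct += pending.get(key) == user
    return correct
```

With a burst of 1000 outstanding requests, `run_burst(1000, extended=False)` attributes only 256 replies to the correct user, while `run_burst(1000, extended=True)` matches all 1000.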
