(RADIATOR) Re: Radiator Version 3.8 released

Mike McCauley mikem at open.com.au
Wed Dec 24 00:36:01 CST 2003

On Wed, 24 Dec 2003 10:28 am, Mike McCauley wrote:

but forgot the history extract:

> We are pleased to announce the release of Radiator version 3.8
> This version contains some new features and bug fixes, including
> support for EAP-PEAP Generic Token Card, RSA Mobile,
> and AuthBy OTP customisable One-Time-Password system
> As usual, the new version is available free of charge to current
> licensees from
> http://www.open.com.au/radiator/downloads/
> and to current evaluators from
> http://www.open.com.au/radiator/demo-downloads
> An extract from the history file is attached

Revision 3.8 (2003-12-24 New features and bug fixes) 

Added beta support for EAP Generic Token Card EAP-PEAP Generic Token
Card and conventional Radius Access-Accept/Access-Challenge using
AuthBy RSAMOBILE and the RSA Mobile authentication system from RSA
Security (www.rsasecurity.com) RSA Mobile supports a number of
authentication methods, including - username and password - an access
code sent by SMS to your mobile phone - RSA SecureID Token Cards and
all of these can be configured with AuthBy RSAMOBILE

Fixed a problem with SIGHUP on FreeBSD with the Monitor clause, could
cause 'Could not bind Monitor socket: Address already in use'.

Fixed incorrect references in the documentation to

Changes to Server TACACSPLUS, because some TACACS+ client do not like
success packets containing a server message. No server message is ever
sent now.

Added Redback Acct-Reason VSA to dictionary. Contributed by Kurt

Further improvements to Server TACACSPLUS, contributed by Paul
Schultz, and confirmed operation with various Cisco and Juniper
clients. Added support for CommandAuth, a mechanism for permitting or
denying permission fo specific commands requested on the Tacacs

Added cisco-Policy-Up and cisco-Policy-Down VSAs to dictionary.

Added EAPTLS_PEAPVersion parameter to all AuthBy clauses, which allows
you to control whoch version of the draft PEAP specification to
honour. Defaults to 1. Set it to 0 for unusual clients, such as Funk
Odyssey Client 2.22 or later.

Fixed a problem with PEAP that could prevent the use of
Framed-IP-Address in user records, resulting in an error like:

 Mon Oct 20 15:57:25 2003: ERR: Could not handle an EAP request: Can't
call method "attrByNum" on an undefined value at Radius/Radius.pm line

Fixed problems with Server TACACSPLUS, where some cases of incorrect
message packaging were found and fixed by Paul Schultz. Also some
special characters like %w and %C did not work correctly with requests
originating from Server TACACSPLUS. Reported by Garry Thomas.

Added a number of Unisphere VSAs to dictionary. Contributed by Chris

Fixed a problem with AuthBy RADIUS in Synchronous mode, where if all
hosts failed to get a reply, Radiator would stop answering requests
until the FailureBackoffTime expired.

Fixed problem with incorrect replies to Tacacs accounting
requests. Reported by Garry Thomas.

Fix for broken Breezenet/Breezecom/Alvarion VSA's. These NASs send
Ethernet port data in VSAs (up to 11 per accounting request) but
unfortunately dont use the same attribute numbers each time. Instead,
the attribute number increments each time, then wraps at 256. Radiator
automatically maps the fist one in a packet to Breezecom-Attr1, the
second to Breezecom-Attr2 etc through to Breezecom-Attr11.

Added Packeteer-AVPair to dictionary.

$p->{EAPIdentity} is automatically set to the EAP identity (if known)
during EAP processing.

Added a number of Altiga attributes to dictionary. Contributed by

Added missing documentation for SnmpwalkProg to reference manual.

EAP LEAP now honours RewriteUsername to rewrite the LEAP identity
before authentication.

Added NasType CiscoSessionMIB, which uses the new sessionMIB available
in Cisco IOS 12.2.15T. See
for more details.

EAP TLS authentication did not take notice of the common name in the
certificate when checking the users file. Every users certificate
Common Name is now required to be in the users file.

Some types of errors in initialising the TLS library would only affect
the first EAP request. Subsequent ones could succeed where they should

Added Copper Mountain Networks Vendor Specific Attributes to

Fixed a problem where runt EAP-Message attributes could cause ERR
messages like "Could not load EAP module Radius::EAP_;"

New argument -rawfileseq added to radpwtst. Contributed by Martin

Added generic, configurable one-time-password module AuthBy OTP that
can be used with EAP-OTP, EAP-GTC and standard dialup. Hooks allow you
to generate random passwords and deliver them through a back channel
such as SMS by calling an external program.

Fixed a bug in AuthBy SQLRADIUS where falling back to the secondary
would not occur under some circumstances.

Added new parameter SQLRecoveryFile so that any SQL clause (such as
AuthBy SQL etc can log failed SQL do queries to a file for later
recovery. Performance improvements to AuthBy SQL accounting. Suggested
by Kenneth Cheung.

Fixed some problems with session resumption on Windows XP EAP-TLS and
openssl that could cause a crash.

Added support for RFC 3576 Error-Cause attribute to dictionary. Also
added all recognition for all Radius packet types per RFC 3576. Added
Acct-Tunnel-Packets-Lost per RFC 2867 to dictionary.

AuthLog is now passed the reason (if there is one) even with
accepts. Suggested by Robert Kiessling.

Improvements to PEAP, TTLS and TLS error handling. The SLL context is
now cleared on EAP failures.

Added goodies/multiprofile.txt, which contains a contribution from
Matthias Wamser, showing how to provide different sets of reply items
for different types of Dialup, DSL services etc.

Fixed to Server TACACSPLUS so that special characters that depend on
the OriginalUserName like %u will work.

Added Propel VSAs to dictionary, contributed by Craig Gittens.

In SessionDatabase SQL, username is now always quoted when it is
available as %0.

Added support for DEC VMS style hashed passwords, in the format
{dechpwd}algorithm|salt|hashedpassword eg:
{dechpwd}3|1234|85ad61e72a41dec4 Requires Authen-DecHpwd from CPAN.

Fixed one case of use of LOG_WARN instead of LOG_WARNING in Server
TACACSPLUS. Reported by Robert Kiessling.

Fixed problem where <Handler User-Password=xxx> would cause a crash.

Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list