(RADIATOR) Version 3.7 released

Mike McCauley mikem at open.com.au
Mon Sep 22 19:08:22 CDT 2003


Hello all,

We are pleased to announce the release of Radiator version 3.7

This version contains some significant new features, including
Cisco LEAP compatibility, Microsoft LSA authentication
and TACACS+ server operation.

As usual, the new version is available free of charge to current 
licensees from 
http://www.open.com.au/radiator/downloads/

and to current evaluators from 
http://www.open.com.au/radiator/demo-downloads

An extract from the history file is attached


Revision 3.7 (2003-09-23 Some significant new features and some minor bug 
fixes.) 

Added Cisco LEAP-compatible 802.1x wireless EAP support, and example
eap_leap.cfg.

Added new AuthBy LSA module which can authenticate PAP, CHAP, MSCHAP,
MSCHAPV2, PEAP, LEAP etc against Windows user passwords. Can be run on
Windows 2000, 2003 and XP (not Home edition). Requires the Win32-Lsa
perl module from Open System Consultants.

Added new clause <ServerTACACSPLUS> that acts as a Tacacs+ server and
converts Tacacs+ requests into Radius requests. Handles Tacacs+
authentication, authorization and accounting. Sample configuration
file in goodies/tacacsplusserver.cfg.

New {mysql} password format support did not work correctly on perl
5.005 and earlier, causing failures in the test suite at tests 2w, 2x,
2z, 3a, 3d, 3g, 3h, 4a, 5a, 5f, 6a, 6b, 6c, 6e, 6f, 6g, 6h, 7a, 7b,
7c, 8a, 8b.

Performance improvements in regular expression check item matching in
AuthGeneric.pm

Performance improvements in regular expression Realm selection.

Added VSAs for Alcatel BRAS DSL termination gear to dictionary

radpwtst now honours the -class flag for Access-Requests as well as
Accounting-Requests.

Fixed EAP-TTLS so that %u works for the inner authentication.

Fixed a problem with UseExtendedIds that could cause a crash with
"Can't locate object method "change_attr" via package
"Radius::AuthRADIUS"".

Testing on Symbol Mobility Server (www.symbol.com). This is a very
small ARM Linux server with BusyBox Linux not much bigger than your
hand. Takes a CF card as a plug-in file system, and runs Radiator
fine, including 802.1x TLS, TTLS and PEAP. Requires cross-compilation
of some Perl modules. We can provide instructions if required.

Removed logging of password at INFO level during bind in AuthBy
LDAP2. Suggested by "Steven P. Crain".

Changed the example EAPTLS_MaxFragmentSize in all EAP configuration
examples to 1000 to accommodate Enterasys RoamAbout V2 access points,
as suggested by Mark Haidl.

New -servicename argument to radiusd allows the name of the Windows
service to be specified for -installservice and -uninstallservice,
allowing multiple instances of Radiator to be run as Windows services
at the same time.

Fixed typos in isOnline support for Portmaster3, Portmaster4 and
Xyplex.

radpwtst now sets the authenticator in Disconnect-Request same as for
accounting. Some NASs (notably Cisco) require this.

Fixed a problem with radpwtst in -gui mode, where the toolbar expands
bigger than it should be. Patch contributed by Cameron Moore. Thanks
Cameron.

Added AllowInRequest parameter to AuthBy RADIUS, which restricts which
attributes can be proxied. Suggested by Toomas Kärner.

Unrecognised EAP types now result in a REJECT instead of IGNORE.

Improvements to PEAP for Cisco PEAP compatibility.

AuthBy INTERNAL now takes a RejectReason parameter. This string will
be used as the Reply-Message if the AuthBy INTERNAL rejects a request.

Improvements to logging messages and documentation for SessionDatabase
SQL, suggested by Claude Iyi Dogan.

Fixed some typos in the example goodies/url.cfg and
goodies/test_url_md5.cgi files.

AuthBy RADIUS could crash if BindAddress was set to multiple
comma-separated addresses. Reported by Anthony Stanton.

Added support for Session-Timeout="until ValidTo", which sets the
session timeout to be the amount of time left to the end of the
ValidTo check item account validity period.

In ClientListSQL, PreHandlerHook parameters for each client were not
properly compiled, and would not run. Fixed.

Added WISPr RADIUS attributes to dictionary, based on Wi-Fi Alliance -
Wireless ISP Roaming - Best Current Practices v1, Feb 2003, p 14
http://www.weca.net/OpenSection/downloads/WISPr_V1.0.pdf

Dictionary VALUEs that looked like integers would be misinterpreted,
especially Tunnel-Medium-Type=802

With PEAP-MSCHAP-V2, per-user reply items did not get sent back in the
final Access-Accept.

AuthBy SQLRADIUS now honours AddToReply and StripFromReply attributes
from the Host as well as the AuthBy SQLRADIUS.

Changes so that a proxied Access-Reject does not get multiple
Reply-Message. Patch by Toomas Kärner. Thanks Toomas.

Testing with Aegis MDC Linux 1.2.0beta client on RedHat 8. Tested all
EAP types, including certificate types with Radiator test
certificates. See the Radiator FAQ for further remarks. Added
certificates suitable for Linux clients (root.pen, cert-clt.pem) to
the distribution.

Added more KarlNet VSAs to dictionary, contributed by Clinton - Golden
IT.

SNMPAgent now correctly honours BindAddress when used with
SNMP_Session version 0.92 or later.

Added EAPTLSRewriteCertificateCommonName parameter for TLS, which
rewrites the Common Name from the certificate before using it to fetch
user details from the Radiator database. Suggested by Paul Dekkers.

When installing as a service on Windows, you can now specify extra
arguments to pass to perl on the command line when the service
starts. This is useful for specifying an alternative install directory
for the Radiator perl modules, eg: perl c:\Radiator\radiusd
-installservice -serviceperlargs -Ic:\Radiator

Minor changes to AuthBy OPIE, ACE and CRYPTOCARD to better support
tunnelled requests.

Added example configuration file showing how to authenticate from an
IC-ISP mySQL database. IC-ISP is a full source ISP billing package for
Unix. See www.ic-isp.com for details about IC-ISP. Accounting is not
supported. Works with IC-ISP 2.0.24 and later.

AuthBy SQLRADIUS now honours UseExtendedIds as a configurable per-host
parameter, and Auth RADIUS now makes each Host inherit its
UseExtendedIds from the Auth RADIUS clause.

Fixed a problem with AuthBy RADIUS where 2 Proxy-State =
OSC-Extended-Id could be added when multiple Hosts were involved.

Fixed a problem with PEAP MSCHAPV2: if a Domain was specified, the
authentication would fail.

Radius packets were incorrectly limited to 8192 bytes on
reception. Increased to 65535.

The Group parameter did not permit symbolic group names.

In SessionDatabase SQL, the session ID (%3) was not always quoted
correctly in DeleteQuery.

Improvements to storage of VALUE in dictionary allows decoding based
on the attribute name rather than the number, which allows correct
unpacking of attributes with synonyms, such as
Ascend-Disconnect-Cause. This involved changes to RDict::valNumToName.

Fixed a potential problem when unpacking non-conforming abinary
attributes.

Added goodies/logisense.txt, containing example configuration, SQL
tables and requirements for interoperation between Radiator and
ENGAGE*IP. Contributed by STOWE TELECOM, LLC.

Added Slipstream-Auth to dictionary.

Under certain circumstances on some platforms with AuthLog SYSLOG and
Log SYSLOG, syslog can die. Fixed.

Added StartHost parameter to AuthBy SQLRADIUS, contributed by
Alexander Mayrhofer.

Improvements to error handling in AuthBy LDAP2.

Testing on Windows Server 2003. No changes in code or documentation
required.

Testing on HP PA-RISC Linux (Debian). No changes in code or
documentation required.

Added -outport and -bind_address options to radpwtst.

Fixed a problem where AuthBy URL did not handle AuthUrl starting with
https://

Fixed a problem involving EAP, where multiple AuthBy clauses could
result in incorrect PEAP-MSCHAPV2 challenge message, or using the
wrong challenge during authentication.

AuthBy SQL now logs to AcctFailedLogFileName if AcctSQLStatement fails
as well as if the usual accounting insert fails.

AuthBy URL now supports AcctUrl, a URL that will be used for accounting
data.

Added AuthBy SOAP module for converting Radius requests to SOAP and
SOAPRequest.pm for converting SOAP requests back to Radius
requests. This SOAP interface is useful for tunnelling through
firewalls, improving the reliability of Radius by using TCP as the
transport, and for improving security by using HTTPS as the protocol.

Added VSAs for Quarry devices.

Fixed a problem with parsing of attr=val pairs on some platforms with some 
locales on perl 5.8.0, due to changes in perl regexp handling. 

Added new special characters. %A is replaced by the Timestamp in
standard SQL date time format eg: Sep 12, 2003 15:48. %B is replaced
by the current time in standard SQL date time format eg: Sep 12, 2003
15:48. %F is replaced by the Timestamp in extended SQL date time
format eg: Sep 12, 2003 15:48:59. %G is replaced by the current time
in extended SQL date time format eg: Sep 12, 2003 15:48:59.

In AuthBy SQL, columns inserted by AcctColumnDef are now inserted in
alphabetical order by column name. Patch provided by Robert
Blayzor. Thanks Robert.

On some platforms such as FreeBSD, a Monitor connection would not
disconnect properly after a QUIT command.

Added a number of new attributes to dictionary for CVX and
Valemount. Thanks to Craig Gittens and Greg Schiedler.

Dates for Expiration, ValidTo, ValidFrom etc can now have optional
hh:mm:ss time component. Also support dd.mm.yy(yy) (hh:mm:ss) format.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

