(RADIATOR) Radiator Version 3.10 released

Mike McCauley mikem at open.com.au
Mon Oct 11 02:19:57 CDT 2004


We are pleased to announce the release of Radiator version 3.10.

This version contains some significant new features such as Vasco
Digipass support, as well as a number of bug fixes.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at 
http://www.open.com.au/renewal.html

An extract from the history file is attached.

-----------------------------

Radiator is now 'Vasco Ready'. Added support for Vasco Digipass
authentication with new AuthBy DIGIPASS module. Example config file in
goodies/digipass.cfg. Sample Digipass token data tables added to
goodies/*.sql. Documentation on installing and configuring Digipass on
Solaris, Linux and Windows in goodies/digipass-install.txt. Prebuilt
binaries of required Authen-Digipass module for Solaris, Linux and
Windows.

New module AuthBy LDAPRADIUS proxies requests to a remote radius host
whose details are found in an LDAP database, looked up against the user's
Realm (or Calling-Station-ID etc). Similar in functionality to AuthBy
SQLRADIUS. Example LDAP schema, LDAP records and config file are
included.

Added new clause ClientListLDAP, which lets you define your Client
clauses from an LDAP query, similar to ClientListSQL. Also supports
RefreshPeriod, so the Client list can be refreshed
periodically. Example config files, LDAP data and schema included.

New module AuthBy KRB5 for authenticating against Kerberos 5. Works
with Radius PAP and EAP-TTLS-PAP. Substantially contributed by Steve
Harper with fixes by Jeff Wolfe. Tested against realms hosted by DCE
and MIT K5. Example config file in goodies/krb5.cfg.

Testing with pGina, a free Windows login program for Win2000 and XP
that uses Radius to authenticate Windows users
(http://pgina.xpasystems.com). Works fine with the example
goodies/simple.cfg.

Further improvements to handling of EAP Requests. Requests other than
Notifications are now IGNORED, except for LEAP.

Fixed a problem with dictionary that could occasionally cause MSCHAPV2
authentication to fail.

Added support for DefaultRealm in Server TACACSPLUS.

Added a number of Nomadix VSAs to dictionary. Contributed by
Ing. Rosario Pingaro.

Fixes to permit <Handler User-Password=xyz> to work with CHAP, MSCHAP
and MSCHAPV2, as well as PAP.

Added Ascend-Session-Svr-Key to dictionary.ascend. Contributed by
tcrholdings.

AuthRSAMOBILE.pm was accidentally left out of the 3.9 distribution.

Fixed a problem with CommandAuth in ServerTACACSPLUS. Patch
contributed by Nick Slager.

Added VSAs for Trapeze Networks to dictionary. Contributed by Matthew
Gast.

In dictionary, MS-MPPE-Encryption-Types of Encryption-40 and
Encryption-128 were reversed.

Disconnect-Request packets did not get a correct authenticator when
proxied.

Added support for AddToRequest in field 22, StripFromRequest in field
23 and AddToRequestIfNotExist in field 24 of the ClientListSQL
GetClientQuery.

Added some more Extreme VSAs to dictionary. Contributed by Carlo
Beronio of Extreme Networks.

Added new script goodies/mergedetails which will combine multiple
accounting details files into a single file in chronological order.

Added new goodies/vlanhooks.txt, with example hooks for handling
multiple downstream authenticators, and NASs with incompatible
interpretations of Tunnel-Private-Group attributes. Contributed by
Matthew Gast.

Added VSAs for Sonic Wall to dictionary, contributed by Joe Levy.

Testing on Lindows 4.5. OK.

Improvements to domain handling in AuthBy LSA. New parameter
DefaultDomain specifies the domain if the user does not specify a
domain in their username. PEAP now passes the entire DOMAIN\username
to the authenticating module. If you are using PEAP-MSCHAPV2 with
AuthBy FILE, users should not specify a domain when they log in
(unless you have DOMAIN\user in your users file). Also added new
parameters Group and DomainController to AuthBy LSA. The Group
parameter allows you to specify that each user must be a member of
at least one of the named Windows global groups. More than one
required group can be specified, one per Group line. Requires
Win32::NetAdmin (which is installed by default with ActivePerl). If no
Group parameters are specified, then Group checks will not be
performed. Only Global groups are supported. If Group is required and
DomainController is not specified, it will attempt to find the domain
controller based on the user's domain. Example usage in lsa.cfg.

Fixed a problem in goodies/radacctSorted.cgi that could cause a
'divide by zero' error when used with an SQL database.

Improvements to AuthLog SYSLOG and Log SYSLOG, so that multiple
instances of the logger with different Facility parameters will work
as expected. Contributed by Heikki Vatiainen.

Versions of Radiator that require a key for unrestricted operation now
identify themselves as 'LOCKED' rather than 'EVALUATION'.

Added new command line flag to radpwtst. The -eaphex flag allows you
to specify an EAP-Message in hex. Contributed by Martin Noha.

Added new ConnectionHook parameter to SqlDb.pm. This allows any Sql
object (like AuthBy SQL etc) to run database-specific code each time
Radiator (re)connects to the database. This is most useful for
executing func() to configure the database connection in customised
ways. Example hook in goodies/sql.cfg. Suggested by Oleg E. Shubarov.

Fixed a typo in ServerConfig.pm, that resulted in 'acccess requests'
in status reports.

ClearTextTunnelPassword parameter was moved from AuthBy RADIUS to
AuthGeneric, so that all AuthBy modules (not just RADIUS proxying) now
honour it. Suggested by Patrik Forsberg.

New version of Windows Authen-ACE4 PPM package, compiled for both
ActivePerl 5.6 and 5.8 with recent SDK for Server 2003 etc. Also PPM
summary files for use with PPM3.

EAP-MSCHAPV2 in an inner authenticator now honours AddToReply,
AddToReplyIfNotExist and DefaultReply.

Fixed an incorrect header length with EAP-PEAP version 1. Fixed a
problem with cached EAP-PEAP version numbers. Reported by Jouni
Malinen.

goodies/radwho.pl now lets you set the table name to use with the
-table argument.

Modules that use syslog now do openlog;syslog;closelog for each log
message so that if the syslog facility restarts, Radiator will
reconnect to the syslog facility.

ReplyHook can now set $op->{RadiusResult} to force a particular
response.

Fixed a problem with goodies/radwho.cgi where some browsers did not
work correctly with the 'delete session' link.

AuthBy RADIUS now determines a suitable local source socket address
from LocalAddress, based on whether the destination address is IPv4 or
IPv6. The first suitable address in the LocalAddress list will be used
as the source address. If LocalAddress does not specify a suitable
IPv4 or IPv6 address for the intended destination, the appropriate
'any address' will be used, which generally means the default source
address for that host.

AuthBy RODOPI now supports Rodopi 5.4 Cisco VOIP authentication and
billing. Requests that contain the 'cisco-h323-conf-id' attribute will
be handled with the VoipAuthSelect and VoipAcctSQLStatement
parameters.

Common authentication methods now accept all passwords if
NoCheckPassword is set.

radwho.cgi now sets the refresh time to 0 after terminating a user, so
the automatic browser refresh doesn't keep clobbering the user. Patch
submitted by Richard Vander Reyden.

EAP MD5-Challenge now rewrites the EAP identity using RewriteUsername.

Fixed a problem with EAP TTLS where the TLS client-hello would not be
honoured properly on some combinations of client and AP.

AddressAllocator SQL now does not run the AllocateQuery if it is an
empty string. Also, the expiry time is now calculated once for each
allocation, and passed to FindQuery as %2. Suggested by Andy M.

In dictionary, some 3GPP attributes were incorrectly called just GPP.

Added Giganews VSAs to dictionary. Contributed by Carl Litt.

Testing with jradius-client, a java Radius client from
sourceforge. OK.

Fixed a problem that prevented IPv6 DNS names being used. Reported by
Paul Dekkers.

Fixed problem with a number of authentication modules that could cause
a crash when doing logPassword when used to authenticate for Monitor
or Server TACACSPLUS requests. Reported by Carl Litt.

Improvements to handling of Windows NT Hashed
passwords. Encrypted-Password may now be either 32 bytes of hex
encoded NT hashed password, or 16 bytes of binary NT hashed password
or 13 bytes of Unix crypt password. User-Password now supports NT
Hashed passwords in the form User-Password =
{nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4. The NT Hashed passwords work
with PAP, and now with MSCHAP, MSCHAPV2, EAP-MSCHAPV2 and
EAP-LEAP. This provides compatibility with Samba SMB passwords (either
in a flat file or in LDAP).

In PEAP, AllowInReply could cause MPPE keys to be unexpectedly
stripped from the reply.

Fixed a potential issue in TTLS session resumption. Reported by Roy
Badami.

Added goodies/radlog.cgi, a CGI script to view the tail of a Radiator
log file. Can be helpful for helpdesk troubleshooting. Contributed by
Mohammad Junaid, Cyberia.

Fixed a problem that prevented ClientListSQL properly processing the
last column from the query, which can contain a comma separated list
of flag names.

Changed example LDAP config and sample user data to be compatible with
OpenLDAP 2.1. OpenLDAP now defaults to requiring protocol version 3.

AuthBy RADMIN can now handle Session-Timeout as a string, such as
'until Time'. Reported by Oliver Insanally.

Core LDAP functions moved from AuthLDAP2.pm to new module Ldap.pm to
allow reuse by other LDAP modules such as AuthLDAPRADIUS.pm and
ClientListLDAP.pm.

Name of the key-locked distribution file changed from Radiator-Demo to
Radiator-Locked.

AuthLog SYSLOG now supports the LogIdent parameter, similar to Log
SYSLOG.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

