(RADIATOR) Radiator Version 3.12 released

Mike McCauley mikem at open.com.au
Wed Mar 16 23:29:22 CST 2005


We are pleased to announce the release of Radiator version 3.12

This version contains some major new features such as:

RADSEC protocol support, which implements Radius transport and proxying over
a reliable TCP/IP or SCTP connection, with optional TLS encryption and
optional TLS mutual authentication by PKI certificate. Permits reliable
secure proxying to other Radiators.

Support for Novell eDirectory Universal Passwords, for use with PAP, CHAP,
MSCHAP, MSCHAPV2, TLS, TTLS-*, PEAP-* and LEAP.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.html

An extract from the history file is attached:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Added AuthBy RADSEC, which implements Radius transport over a reliable TCP/IP 
or SCTP connection, with optional TLS encryption and optional TLS mutual 
authentication by PKI certificate. The example config files implement a 
simple proxy from radsec-client.cfg to radsec-server.cfg on localhost.  

Added support for Novell eDirectory Universal Passwords. Added sample 
configuration files and install/configure/test instructions for eDirectory on 
Unix. This support allows Radiator to access each user's Universal Password 
for authenticating PAP, CHAP, MSCHAP, MSCHAPV2, EAP-TLS, EAP-TTLS-*, PEAP, 
EAP-MSCHAP, EAP-MD5, LEAP etc. 

There was a problem with the Solaris Authen-Digipass package included in 3.11 
that caused "ERROR: attempt to process datastream failed". New package 
included. 

A debugging print statement that had been inadvertently left in Log SQL was 
removed. 

Fixed a problem introduced in 3.10 that could cause a crash like 'Undefined 
subroutine ldap_error_name' in AuthBy LDAP2 after an LDAP error. 

Fixed a problem with radpwtst -gui, where changing the name of the destination 
server in the GUI would not actually change the destination. Reported by Ken 
Bell. 

radpwtst -gui incorrectly showed Alteon-Service-Type as well as Service-Type 
options in the Service-Type menu. 

Added new global parameter MaxChildren which limits the number of Fork 
children permitted at any one time. Contributed by Ivan Brawley. 

Added documentation on how to configure Apache 2 for Radius authentication 
with the mod_auth_radius module. Works with any Radiator authentication 
module including ACE and DIGIPASS. 

Added support for Challenge-Response (CR) tokens to AuthBy DIGIPASS. 

Added documentation on how to configure PAM and pam_radius for use with 
Radiator to provide Unix login authentication using SecurID, Digipass or any 
other Radiator supported method. 

Improved behaviour of RPM distributions, when doing rpm -F install over an old 
version. The symlink in /usr/lib/perl5/site_perl/Radius could end up 
incorrect. 

New version of AuthBy IMAP now supports SSL connections to IMAP server. 
Contributed by Karl Gaissmaier. Example configuration file imap.cfg extended 
to show how to configure SSL connections, and TTLS-PAP support too. 

Testing AuthBy ACE and Authen-ACE4 with ACE Server 5.2. OK. No changes 
required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and 
Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine. 

Testing AuthBy ACE and Authen-ACE4 with RSA Security Authentication Manager 
6.0 (formerly ACE/Server 6.0). OK. No changes required. Works with 
Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt 
Authen-ACE4 binaries from OSC also work fine. Tested standard, Pinpad and AES 
tokens. 

Improvements to the performance of changeUserName, suggested by Nennker, Axel. 

Added a number of IPWireless Vendor Specific Attributes to dictionary. 
Contributed by Mernoz Rostangi. 

Added new test client for TACACS+. See goodies/tacacsplustest -h for help. 

Server TACACSPLUS now allows you to set the group cache file name with the 
GroupCacheFile, which also permits special characters. Also ServerTACACSPLUS 
now uses the accounting type in incoming requests to set the Acct-Status-Type 
in Radius Accounting-Requests. Timestamp is now _not_ added to Radius 
requests, since the following Handler will always do it anyway. Added support 
for authentication using methods that can challenge, such as DIGIPASS, ACE, 
OPIE, OTP, INTERNAL etc. Default AuthorizationTimeout for Server TACACSPLUS 
changed to 600 seconds, to cater for authentication start/challenge/continue 
sequences that are subject to user input and could take a long time, and so 
that authorization replies will be available for longer sessions. Added 
-interactive flag to tacacsplustest to handle Tacacsplus authentications that 
might ask for additional data (such as when authenticating with DIGIPASS, 
ACE, OPIE, OTP, INTERNAL etc). The Tacacs group name now defaults to 
'DEFAULT' if GroupMemberAttr is not defined, or if the Access-Accept does not 
include that named attribute (ie if the Tacacs group name cannot be 
determined). 

Fixed a problem with AddToReplyIfNotExist in all AuthBys, where some special 
reply types such as Session-Timeout were not properly interpreted. Reported 
by "Brian Morris". 

Added simple Tacacsplus test client to goodies. All perl, does not require 
additional perl modules. 

Added new PostAuthSelectHook to AuthBy SQL, which allows a hook to adjust the 
results of the AuthSelect query before being used. Contributed by Karl 
Gaissmaier. 

Testing with ZyXEL ZyAIR B-3000 Wireless access point, using WPA, 802.1x and 
Radius authentication. OK. 

AuthLog SYSLOG did not recognise the LogSock parameter. 

Added -nas_identifier flag and default NAS-Identifier attribute to radpwtst. 
Contributed by Nennker, Axel. 

Added a script goodies/rotateacct.pl to rotate the ACCOUNTING table. 
Contributed by Ray Van Dolson. 

Added goodies/eap_acct_username.txt, a sample hook and script for 
de-anonymizing EAP-TTLS accounting requests, and which does not require an 
SQL database. Contributed by Rok Papez, with comments by Roy Badami. 

Added new parameter for EAP-TLS, EAPTLS_NoCheckId, which prevents the 
comparison of the username with the certificate common name. The certificate 
will be accepted based only on the validity dates and the verification chain 
to the root certificate. This allows Radiator to mimic the behaviour of some 
other Radius servers. Contributed by Martin Noha. 

Added various 3GPP attributes for vendor 10415, contributed by Andy M. 

Fixed a problem with AuthBy RSAMOBILE, where one incorrect tokencode could 
cause the user to exceed their maximum login attempts. Reported by Sylvain 
Maret. 

Added support for NoCheckPassword to AuthBy LDAP2, so that LDAP can be used to 
get check and reply items, but where the authentication is done by another 
module. 

Improvements to date parsing to make it more tolerant of non-standard case in 
month names when used in Expiration etc. 

Improvements to AuthBy LDAP2 so that when ServerChecksPassword is set, and the 
password check fails, it won't cause a subsequent attempt to do an NT hashed 
password check. 

All modules that can route requests back to the Handlers list now also support 
PreHandlerHook. Suggested by Roy Badami. 

Testing on NetBSD 2.0. OK. 

Fixed a problem with AuthBy PLATYPUS where some versions of perl could result 
in a trailing comma in the SQL for an accounting request. Reported by Jason D. 
Borders. 

Performance improvements in format_special. Added ability to extend 
format_special indefinitely without performance penalties. Added 2 new 
attribute formatting operators. %{IntegerVal:attribute} is replaced by the 
integer value of the named attribute from the current request. 
%{HexAddress:attribute} is replaced by the IPV4 address contained in the named 
attribute from the current request, formatted as a hex string. Suggested by 
Pavel A Crasotin. 

The timing of the writing of the PID to PidFile has been deferred until after 
the Radius ports are created, and the server is almost certain to start up. 
Suggested by Karl Gaissmaier. 

Added example RADAUTHLOG and RADLASTAUTH tables to example SQL scripts that 
did not have them (all except mysqlCreate.sql). 

Added new formatter for format_special that can access variables from the 
server configuration. For example, %{Server:Trace} is replaced by the global 
server Trace parameter. 
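The three new format_special operators described above (%{IntegerVal:...}, %{HexAddress:...} and %{Server:...}), as an added example in Python rather than Radiator's own Perl implementation. The request, the enumerated-value dictionary and the server configuration are constructed stand-ins, and expanding a missing or malformed attribute to an empty string is this example's assumption.

```python
import re
import socket

# Constructed stand-in for the Radius dictionary: name -> integer for enumerated attributes.
ENUM_VALUES = {"Service-Type": {"Login-User": 1, "Framed-User": 2}}

# Constructed sample request and server configuration used by the test below.
SAMPLE_REQUEST = {
    "User-Name": "alice",
    "Framed-IP-Address": "10.1.2.3",
    "Service-Type": "Framed-User",
    "Acct-Session-Time": "3600",
}
SAMPLE_SERVER = {"Trace": "4"}

_SPECIAL = re.compile(r"%\{(IntegerVal|HexAddress|Server):([^}]+)\}")


def integer_val(request, attr):
    """Integer value of the named attribute: enumerated names are resolved
    through the dictionary, anything else must parse as a decimal integer."""
    value = request.get(attr)
    if value is None:
        return ""
    value = ENUM_VALUES.get(attr, {}).get(value, value)
    try:
        return str(int(value))
    except ValueError:
        return ""


def hex_address(request, attr):
    """IPv4 address contained in the named attribute, as 8 upper-case hex digits."""
    value = request.get(attr)
    if value is None:
        return ""
    try:
        return socket.inet_aton(value).hex().upper()
    except OSError:          # not a dotted-quad address
        return ""


def format_special(template, request, server_config):
    """Expand every %{Op:Name} in the template; %{Server:Name} reads the global config."""
    def expand(m):
        op, name = m.group(1), m.group(2)
        if op == "IntegerVal":
            return integer_val(request, name)
        if op == "HexAddress":
            return hex_address(request, name)
        return str(server_config.get(name, ""))
    return _SPECIAL.sub(expand, template)
```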

Fixed a problem with AddressAllocator DHCP that could cause a socket error 
after a HUP on Unix. Reported by Andrew D. Clark. 

EAP TLS, TTLS and PEAP now take note of the Framed-MTU, if present, to limit 
the MaxFragmentSize. 

Added goodies/gigawords-hook.pl, a hook for calculating correct total octets 
from Gigawords. Contributed by Igor Briski, Iskon Internet d.d. 

Added goodies/lsa_eap_multi.cfg example config file showing how to 
authenticate Radius PAP, CHAP, MSCHAP and MSCHAPV2, and also handle the outer 
and inner requests for TTLS and PEAP. You can use it to authenticate almost 
anything against Microsoft Active Directory. 

In ServerTACACSPLUS, BindAddress now defaults to the global BindAddress, and 
you can now specify multiple comma separated addresses to listen on multiple 
interfaces. 

Added support for passwords encrypted with the Microsoft SQL pwdencrypt() 
function. The required format is like: {mssql}
01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA 
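A verifier for the {mssql} credential format, as an added example, not Radiator's code. It assumes the SQL Server 2000 pwdencrypt() layout: a 0x0100 version word, a 4-byte salt, SHA-1 of the UTF-16LE password plus salt, and SHA-1 of the upper-cased password plus salt (which is what makes the second hash case-insensitive, and why a server should only ever compare against the first one unless it deliberately wants case-insensitive logins).

```python
import hashlib
import hmac
import os

PREFIX = "{mssql}"

# Assumed layout of the hex part (SQL Server 2000 pwdencrypt()):
#   0x0100 | salt[4] | SHA1(utf16le(pw) + salt) | SHA1(utf16le(upper(pw)) + salt)


def mssql_encrypt(password, salt=None):
    """Produce a {mssql} credential in the layout above (used here to build test data)."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    cs = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    ci = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return PREFIX + (b"\x01\x00" + salt + cs + ci).hex().upper()


def mssql_check(password, stored, case_sensitive=True):
    """Verify a password against a {mssql} credential; malformed input never matches."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = bytes.fromhex(stored[len(PREFIX):])
    except ValueError:
        return False
    if len(raw) != 46 or raw[:2] != b"\x01\x00":
        return False
    salt, cs_hash, ci_hash = raw[2:6], raw[6:26], raw[26:46]
    candidate = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    if hmac.compare_digest(candidate, cs_hash):      # constant-time compare
        return True
    if case_sensitive:
        return False
    # Opt-in only: the second hash accepts any case variant of the password.
    upper = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(upper, ci_hash)
```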

AuthBy RADIUS now supports MaxFailedRequests parameter. A proxy host will not 
be marked as failed until at least MaxFailedRequests requests have not 
received a reply. This is useful for some buggy remote radius servers, that 
sometimes drop requests for particular users. Also some internal changes to 
the addHost() function. Suggested by Arnauld Michelizza. 
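A small model of the MaxFailedRequests behaviour described above, added here as an illustration and not taken from Radiator. It assumes the counter tracks consecutive unanswered requests and that any reply resets it; the default threshold of 1 is this model's choice.

```python
from dataclasses import dataclass


@dataclass
class ProxyHost:
    """Failure tracking for one proxied Radius host (hypothetical model)."""
    name: str
    max_failed_requests: int = 1   # MaxFailedRequests; 1 = a single lost request marks the host failed
    unanswered: int = 0            # consecutive requests that received no reply
    failed: bool = False

    def on_timeout(self):
        """A request to this host exhausted its retries with no reply."""
        self.unanswered += 1
        if self.unanswered >= self.max_failed_requests:
            self.failed = True
        return self.failed

    def on_reply(self):
        """Any reply shows the host is alive: clear the counter and the failed mark."""
        self.unanswered = 0
        self.failed = False


def simulate(host, events):
    """Replay a constructed event string ('T' = timeout, 'R' = reply) and return
    the host's failed state after each event."""
    states = []
    for ev in events:
        if ev == "T":
            host.on_timeout()
        elif ev == "R":
            host.on_reply()
        else:
            raise ValueError(f"unknown event {ev!r}")
        states.append(host.failed)
    return states
```

With a threshold of 3, a lossy server that drops one request for one user is no longer marked failed, while three consecutive losses still trigger failover.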

Added goodies/checkOnlineSql.pl, a script that checks that all the users in an 
SQL SessionDatabase are still online, and deletes the ones that aren't. Uses a 
client table to determine Nas type etc. 

The Authen-Digipass package for Solaris did not include libaal2sdk, resulting 
in an error when trying to run Digipass authentication. Reported by Roy 
Badami. 

New versions of AuthBy PLSQL and sample config file, which now supports INOUT 
parameters for Oracle stored procedures. Contributed by Pavel A Crasotin. 

Improvements and refactoring of IPV6 address code. ServerRADSEC, 
ServerTACACSPLUS and Monitor can now listen for connections on multiple IPV4 
and IPV6 BindAddress addresses. 

Fixed a problem with goodies/nntp-redirect.pl where it incorrectly looked for 
case-sensitive AUTHINFO. Reported and patched by Thorsten Huber. 

Added nntp-redirect.pl, a Radius-enabled Net News NNTP port authenticator and 
accountor. This program receives NNTP connection requests, authenticates each 
one with Radius, and then forwards the connection to the real NNTP server. It 
counts bytes in and out, and at the end of the NNTP session sends Radius 
accounting data counting the total news traffic in and out. This allows you 
to integrate NNTP authentication and accounting with the rest of your Radius 
services. Reply attributes in the Access-Accept can be used to configure the 
NNTP server and port to redirect to, allowing per-user NNTP configuration via 
Radius. 

Altered the SQL database connections to use PrintError 0, so that unnecessary 
error messages will not be printed to stderr. 

Testing on SuSE 9.2. OK. 

Added MaxRecords parameter to AuthBy LDAP2. It specifies the max number of 
matching LDAP records to use for check and reply items. Default is 1 to be 
backwards compatible. Only the first match (if any) is used for 
ServerChecksPassword. Suggested by Kenneth Cheung. 

Added a number of Mikrotik Vendor Specific Attributes to dictionary. 
Contributed by Adrian Tan. 

Added new NoEAP parameter to all AuthBys that will disable EAP authentication 
in that AuthBy. Useful for doing additional authentication besides EAP, such 
as MAC address etc. 

Added simple_main_loop to Select for simple clients etc. 

Fixed a problem with all LDAP modules where an LDAP connection problem could 
cause a Radiator crash. 

Fixed a problem with radpwtst where specifying IPV6 addresses for both -s and 
-bind_address could produce 'bind: Cannot assign requested address'. Reported 
by Paul Dekkers. 

Improved performance of AuthBy LDAP2, especially when used with 
ServerChecksPassword. Some servers would disconnect after an unbind. This fix 
prevents a disconnection after a ServerChecksPassword bind, reducing the 
overhead of reconnecting. Overhead for reconnecting with TLS enabled is high. 
Fixed ServerChecksPassword so it works in more cases, such as Novell 
eDirectory. Added goodies/edirectory.cfg showing best configuration to use 
with Novell eDirectory. 

Improvements to Linux startup script so it recognises Debian start-stop-daemon 
and uses that to stop and start the server. 

Testing with Debian and Ubuntu 4.10. OK, but minor changes required to RPM, 
Radiator.spec and linux-radiator.init. 

Improvements to EAP to prevent multiple MS-MPPE-Send-Key and MS-MPPE-Recv-Key 
attributes in reply. 

Fixed a problem that could cause an error in ServerTACACSPLUS 'Too many 
arguments for open' when running on perl 5.005. Reported and patched by Bill 
Ouchark. 

EAP-Token is now supported by all static password authentication methods, such 
as AuthBy FILE, SQL, LDAP etc. goodies/eap_multi.cfg updated to demonstrate 
this. 

EAP-TLS now supports client certificates with multiple CNs. At least one CN 
must match the User-Name or Identity (after 
EAPTLSRewriteCertificateCommonName rules are applied to each CN). 
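The certificate-name check described here, together with the EAPTLS_NoCheckId bypass from the earlier entry, as an added example (not Radiator's own EAP-TLS code). It assumes an OpenSSL-style subject string and models EAPTLSRewriteCertificateCommonName as an ordered list of (regex, replacement) substitutions; the hypothetical identity_matches() returns only the name decision, with validity-date and chain verification assumed to happen elsewhere.

```python
import re


def extract_cns(subject_dn):
    """Every CN value from a subject such as '/C=AU/O=Example/CN=alice/CN=alice@example.com'."""
    return [m.group(1) for m in re.finditer(r"/CN=([^/]+)", subject_dn)]


def apply_rewrites(cn, rules):
    """Apply (pattern, replacement) regex rewrites in order to one CN."""
    for pattern, repl in rules:
        cn = re.sub(pattern, repl, cn)
    return cn


def identity_matches(subject_dn, user_name, identity=None, rules=(), no_check_id=False):
    """True when the certificate's name may be accepted for this session.

    With no_check_id (EAPTLS_NoCheckId) the comparison is skipped entirely, so the
    certificate is accepted on dates and chain alone: any valid client certificate
    from the trusted CA then authenticates any User-Name, which is the trade-off
    that flag makes.  Otherwise at least one rewritten CN must equal the User-Name
    or the EAP Identity.
    """
    if no_check_id:
        return True
    wanted = {user_name} if identity is None else {user_name, identity}
    rules = list(rules)   # rules are re-used for each CN
    return any(apply_rewrites(cn, rules) in wanted for cn in extract_cns(subject_dn))
```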

Added new flag EAPTLS_PEAPBrokenV1Label to make PEAP Version 1 support 
compatible with nonstandard PEAP V1 clients that use the old broken TLS 
encryption labels that appear to be used frequently, due to Microsoft's use of 
the incorrect label in its V0 client. 

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.