(RADIATOR) Radiator Version 3.12 released
Mike McCauley
mikem at open.com.au
Wed Mar 16 23:29:22 CST 2005
We are pleased to announce the release of Radiator version 3.12
This version contains some major new features such as:
RADSEC protocol support, which implements Radius transport and proxying over
a reliable TCP/IP or SCTP connection, with optional TLS encryption and
optional TLS mutual authentication by PKI certificate. Permits reliable
secure proxying to other Radiators.
and support for Novell eDirectory Universal Passwords, for use with PAP, CHAP,
MSCHAP, MSCHAPV2, TLS, TTLS-*, PEAP-* and LEAP.
As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/
and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads
Licensees with expired access contracts can renew at :
http://www.open.com.au/renewal.html
An extract from the history file is attached:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Added AuthBy RADSEC, which implements Radius transport over a reliable TCP/IP
or SCTP connection, with optional TLS encryption and optional TLS mutual
authentication by PKI certificate. The example config files implement a
simple proxy from radsec-client.cfg to radsec-server.cfg on localhost.
Added support for Novell eDirectory Universal Passwords. Added sample
configuration files and install/configure/test instructions for eDirectory on
Unix. This support allows Radiator to access each user's Universal Password
for authenticating PAP, CHAP, MSCHAP, MSCHAPV2, EAP-TLS, EAP-TTLS-*, PEAP,
EAP-MSCHAP, EAP-MD5, LEAP etc.
There was a problem with the Solaris Authen-Digipass package included in 3.11
that caused "ERROR: attempt to process datastream failed". New package
included.
A debugging print statement that had been inadvertently left in Log SQL was
removed.
Fixed a problem introduced in 3.10 that could cause a crash like 'Undefined
subroutine ldap_error_name' in AuthBy LDAP2 after an LDAP error.
Fixed a problem with radpwtst -gui, where changing the name of the destination
server in the GUI would not actually change the destination. Reported by Ken
Bell.
radpwtst -gui incorrectly showed Alteon-Service-Type as well as Service-Type
options in the Service-Type menu.
Added new global parameter MaxChildren which limits the number of Fork
children permitted at any one time. Contributed by Ivan Brawley.
Added documentation on how to configure Apache 2 for Radius authentication
with the mod_auth_radius module. Works with any Radiator authentication
module including ACE and DIGIPASS.
Added support for Challenge-Response (CR) tokens to AuthBy DIGIPASS.
Added documentation on how to configure PAM and pam_radius for use with
Radiator to provide Unix login authentication using SecurID, Digipass or any
other Radiator supported method.
Improved behaviour of RPM distributions, when doing rpm -F install over an old
version. The symlink in /usr/lib/perl5/site_perl/Radius could end up
incorrect.
New version of AuthBy IMAP now supports SSL connections to IMAP server.
Contributed by Karl Gaissmaier. Example configuration file imap.cfg extended
to show how to configure SSL connections, and TTLS-PAP support too.
Testing AuthBy ACE and Authen-ACE4 with ACE Server 5.2. OK. No changes
required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and
Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine.
Testing AuthBy ACE and Authen-ACE4 with RSA Security Authentication Manager
6.0 (formerly ACE/Server 6.0). OK. No changes required. Works with
Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt
Authen-ACE4 binaries from OSC also work fine. Tested standard, Pinpad and AES
tokens.
Improvements to the performance of changeUserName, suggested by Nennker, Axel.
Added a number of IPWireless Vendor Specific Attributes to dictionary.
Contributed by Mernoz Rostangi.
Added new test client for TACACS+. See goodies/tacacsplustest -h for help.
Server TACACSPLUS now allows you to set the group cache file name with the
GroupCacheFile, which also permits special characters. Also ServerTACACSPLUS
now uses the accounting type in incoming requests to set the Acct-Status-Type
in Radius Accounting-Requests. Timestamp is now _not_ added to Radius
requests, since the following Handler will always do it anyway. Added support
for authentication using methods that can challenge, such as DIGIPASS, ACE,
OPIE, OTP, INTERNAL etc. Default AuthorizationTimeout for Server TACACSPLUS
changed to 600 seconds, to cater for authentication start/challenge/continue
sequences that are subject to user input and could take a long time, and so
that authorization replies will be available for longer sessions. Added
-interactive flag to tacacsplustest to handle Tacacsplus authentications that
might ask for additional data (such as when authenticating with DIGIPASS,
ACE, OPIE, OTP, INTERNAL etc). The Tacacs group name now defaults to
'DEFAULT' if GroupMemberAttr is not defined, or if the Access-Accept does not
include that named attribute (i.e. if the Tacacs group name cannot be
determined).
Fixed a problem with AddToReplyIfNotExist in all AuthBys, where some special
reply types such as Session-Timeout were not properly interpreted. Reported
by "Brian Morris".
Added simple Tacacsplus test client to goodies. All perl, does not require
additional perl modules.
Added new PostAuthSelectHook to AuthBy SQL, which allows a hook to adjust the
results of the AuthSelect query before being used. Contributed by Karl
Gaissmaier.
Testing with ZyXEL ZyAIR B-3000 Wireless access point, using WPA, 802.1x and
Radius authentication. OK.
AuthLog SYSLOG did not recognise the LogSock parameter.
Added -nas_identifier flag and default NAS-Identifier attribute to radpwtst.
Contributed by Nennker, Axel.
Added a script goodies/rotateacct.pl to rotate the ACCOUNTING table.
Contributed by Ray Van Dolson.
Added goodies/eap_acct_username.txt, a sample hook and script for
de-anonymizing EAP-TTLS accounting requests, and which does not require an
SQL database. Contributed by Rok Papez, with comments by Roy Badami.
Added new parameter for EAP-TLS, EAPTLS_NoCheckId, which prevents the
comparison of the username with the certificate common name. The certificate
will be accepted based only on the validity dates and the verification chain
to the root certificate. This allows Radiator to mimic the behaviour of some
other Radius servers. Contributed by Martin Noha.
Added various 3GPP attributes for vendor 10415, contributed by Andy M.
Fixed a problem with AuthBy RSAMOBILE, where one incorrect tokencode could
cause the user to exceed their maximum login attempts. Reported by Sylvain
Maret.
Added support for NoCheckPassword to AuthBy LDAP2, so that LDAP can be used to
get check and reply items, but where the authentication is done by another
module.
Improvements to date parsing to make it more tolerant of non-standard case in
month names when used in Expiration etc.
Improvements to AuthBy LDAP2 so that when ServerChecksPassword is set, and the
password check fails, it won't cause a subsequent attempt to do an NT hashed
password check.
All modules that can route requests back to the Handlers list now also support
PreHandlerHook. Suggested by Roy Badami.
Testing on NetBSD 2.0. OK.
Fixed a problem with AuthBy PLATYPUS where some versions of perl could result
in a trailing comma in the SQL for an accounting request. Reported by Jason D.
Borders.
Performance improvements in format_special. Added ability to extend
format_special indefinitely without performance penalties. Added 2 new
attribute formatting operators. %{IntegerVal:attribute} is replaced by the
integer value of the named attribute from the current request.
%{HexAddress:attribute} is replaced by the IPV4 address contained in the named
attribute from the current request, formatted as a hex string. Suggested by
Pavel A Crasotin.
The timing of the writing of the PID to PidFile has been deferred until after
the Radius ports are created, and the server is almost certain to start up.
Suggested by Karl Gaissmaier.
Added example RADAUTHLOG and RADLASTAUTH tables to example SQL scripts that
did not have them (all except mysqlCreate.sql).
Added new formatter for format_special that can access variable from the
server configuration. For example, %{Server:Trace} is replaced by the global
server Trace parameter.
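To make the two new attribute formatters and the %{Server:...} formatter concrete, here is a small stand-alone expander written for this note; it is not Radiator's format_special code, and the dictionary fragment, the sample request, the uppercase hex output of HexAddress and the "leave unknown operators untouched" behaviour are assumptions.

```python
import re
import ipaddress

# Constructed dictionary fragment (attribute -> {VALUE name: integer}),
# standing in for the Radius dictionary's VALUE entries.
DICT_VALUES = {
    "Service-Type": {"Login-User": 1, "Framed-User": 2},
    "Acct-Status-Type": {"Start": 1, "Stop": 2},
}
# Constructed sample request and server configuration for the demonstration.
SAMPLE_REQUEST = {
    "Service-Type": "Framed-User",
    "Framed-IP-Address": "192.168.1.10",
    "Acct-Session-Time": "42",
}
SAMPLE_SERVER = {"Trace": 4}
SPECIAL_RE = re.compile(r"%\{(\w+):([\w-]+)\}")


def integer_val(request, attr):
    """%{IntegerVal:attr}: named VALUEs are looked up in the dictionary,
    plain numeric strings are passed through; a missing attribute yields ''."""
    value = request.get(attr)
    if value is None:
        return ""
    names = DICT_VALUES.get(attr, {})
    return str(names[value]) if value in names else str(int(value))


def hex_address(request, attr):
    """%{HexAddress:attr}: IPv4 address as 8 hex digits, network byte order
    (assumed uppercase, e.g. 192.168.1.10 -> C0A8010A)."""
    value = request.get(attr)
    if value is None:
        return ""
    return int(ipaddress.IPv4Address(value)).to_bytes(4, "big").hex().upper()


def format_special(template, request, server_config):
    """Expand %{IntegerVal:attr}, %{HexAddress:attr} and %{Server:param}."""
    def expand(match):
        op, name = match.group(1), match.group(2)
        if op == "IntegerVal":
            return integer_val(request, name)
        if op == "HexAddress":
            return hex_address(request, name)
        if op == "Server":
            return str(server_config.get(name, ""))
        return match.group(0)  # unknown operator: left as written
    return SPECIAL_RE.sub(expand, template)
```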
Fixed a problem with AddressAllocator DHCP that could cause a socket error
after a HUP on Unix. Reported by Andrew D. Clark.
EAP TLS, TTLS and PEAP now take note of the Framed-MTU, if present, to limit
the MaxFragmentSize.
Added goodies/gigawords-hook.pl, a hook for calculating correct total octets
from Gigawords. Contributed by Igor Briski, Iskon Internet d.d.
Added goodies/lsa_eap_multi.cfg example config file showing how to authenticate
Radius PAP, CHAP, MSCHAP and MSCHAPV2, and also how to handle the outer and
inner requests for TTLS and PEAP. You can use it to authenticate almost
anything against Microsoft Active Directory.
In ServerTACACSPLUS, BindAddress now defaults to the global BindAddress, and
you can now specify multiple comma separated addresses to listen on multiple
interfaces.
Added support for passwords encrypted with the Microsoft SQL pwdencrypt()
function. The required format is like: {mssql}
01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA
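For reference, here is a stand-alone verifier for that {mssql} check-item format, written for this note and not taken from Radiator. It assumes the SQL Server 2000 pwdencrypt() layout (0x0100 header, 4-byte salt, SHA1 over the UTF-16LE password plus salt, then the same over the uppercased password) and ASCII passwords; the sample value is the one quoted above, used only to show parsing.

```python
import hashlib
import hmac

MSSQL_PREFIX = "{mssql}"
# The check item quoted in the release notes; its password is not known here.
SAMPLE_CHECK_ITEM = ("{mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313"
                     "DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA")


def mssql_pwdencrypt(password: str, salt: bytes) -> str:
    """Build a pwdencrypt()-style blob as uppercase hex (46 bytes):
    0x0100 | salt | SHA1(UTF-16LE(pw) + salt) | SHA1(UTF-16LE(upper(pw)) + salt).
    str.upper() is assumed to match SQL Server's uppercasing for ASCII only."""
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    cs = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    ci = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return (b"\x01\x00" + salt + cs + ci).hex().upper()


def parse_mssql(check_item: str):
    """Split '{mssql}<hex>' into (salt, case_sensitive_hash, uppercase_hash),
    rejecting anything that is not a well-formed 46-byte blob."""
    if not check_item.startswith(MSSQL_PREFIX):
        raise ValueError("not an {mssql} check item")
    raw = bytes.fromhex(check_item[len(MSSQL_PREFIX):].strip())
    if len(raw) != 46 or raw[:2] != b"\x01\x00":
        raise ValueError("malformed pwdencrypt blob")
    return raw[2:6], raw[6:26], raw[26:46]


def check_mssql_password(check_item: str, candidate: str) -> bool:
    """Verify a submitted plaintext (PAP) password against the stored blob.
    Only the case-sensitive hash is compared; the trailing uppercase hash
    exists for SQL Server's case-insensitive logins and is deliberately
    ignored, so verification stays case-sensitive."""
    salt, cs_hash, _ci_hash = parse_mssql(check_item)
    expected = hashlib.sha1(candidate.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(expected, cs_hash)
```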
AuthBy RADIUS now supports MaxFailedRequests parameter. A proxy host will not
be marked as failed until at least MaxFailedRequests requests have not
received a reply. This is useful for some buggy remote radius servers, that
sometimes drop requests for particular users. Also some internal changes to
the addHost() function. Suggested by Arnauld Michelizza.
Added goodies/checkOnlineSql.pl, a script that checks that all the users in an
SQL SessionDatabase are still online, and deletes the ones that aren't. Uses a
client table to determine Nas type etc.
The Authen-Digipass package for Solaris did not include libaal2sdk, resulting
in an error when trying to run Digipass authentication. Reported by Roy
Badami.
New versions of AuthBy PLSQL and sample config file, which now supports INOUT
parameters for Oracle stored procedures. Contributed by Pavel A Crasotin.
Improvements and refactoring of IPV6 address code. ServerRADSEC,
ServerTACACSPLUS and Monitor can now listen for connections on multiple IPV4
and IPV6 BindAddress addresses.
Fixed a problem with goodies/nntp-redirect.pl where it incorrectly looked for
case-sensitive AUTHINFO. Reported and patched by Thorsten Huber.
Added nntp-redirect.pl, a Radius-enabled Net News NNTP port authenticator and
accountor. This program receives NNTP connection requests, authenticates each
one with Radius, and then forwards the connection to the real NNTP server. It
counts bytes in and out, and at the end of the NNTP session sends Radius
accounting data counting the total news traffic in and out. This allows you
to integrate NNTP authentication and accounting with the rest of your Radius
services. Reply attributes in the Access-Accept can be used to configure the
NNTP server and port to redirect to, allowing per-user NNTP configuration via
Radius.
Altered the SQL database connections to use PrintError 0, so that unnecessary
error messages will not be printed to stderr.
Testing on SuSE 9.2. OK.
Added MaxRecords parameter to AuthBy LDAP2. It specifies the max number of
matching LDAP records to use for check and reply items. Default is 1 to be
backwards compatible. Only the first match (if any) is used for
ServerChecksPassword. Suggested by Kenneth Cheung.
Added a number of Mikrotik Vendor Specific Attributes to dictionary.
Contributed by Adrian Tan.
Added new NoEAP parameter to all AuthBys that will disable EAP authentication
in that AuthBy. Useful for doing additional authentication besides EAP, such
as MAC address etc.
Added simple_main_loop to Select for simple clients etc.
Fixed a problem with all LDAP modules where an LDAP connection problem could
cause a Radiator crash.
Fixed a problem with radpwtst where specifying IPV6 addresses for both -s and
-bind_address could produce 'bind: Cannot assign requested address'. Reported
by Paul Dekkers.
Improved performance of AuthBy LDAP2, especially when used with
ServerChecksPassword. Some servers would disconnect after an unbind. This fix
prevents a disconnection after a ServerChecksPassword bind, reducing the
overhead of reconnecting. Overhead for reconnecting with TLS enabled is high.
Fixed ServerChecksPassword so it works in more cases, such as Novell
eDirectory. Added goodies/edirectory.cfg showing best configuration to use
with Novell eDirectory.
Improvements to Linux startup script so it recognises Debian start-stop-daemon
and uses that to stop and start the server.
Testing with Debian and Ubuntu 4.10. OK, but minor changes required to RPM,
Radiator.spec and linux-radiator.init.
Improvements to EAP to prevent multiple MS-MPPE-Send-Key and MS-MPPE-Recv-Key
attributes in reply.
Fixed a problem that could cause an error in ServerTACACSPLUS 'Too many
arguments for open' when running on perl 5.005. Reported and patched by Bill
Ouchark.
EAP-Token is now supported by all static password authentication methods, such
as AuthBy FILE, SQL, LDAP etc. goodies/eap_multi.cfg updated to demonstrate
this.
EAP-TLS now supports client certificates with multiple CNs. At least one CN
must match the User-Name or Identity (after
EAPTLSRewriteCertificateCommonName rules are applied to each CN).
Added new flag EAPTLS_PEAPBrokenV1Label to make PEAP Version 1 support
compatible with nonstandard PEAP V1 clients that use the old broken TLS
encryption labels that appear to be used frequently, due to Microsoft's use of
the incorrect label in its V0 client.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au