(RADIATOR) Radiator Version 3.15 released

Mike McCauley mikem at open.com.au
Thu Jun 1 02:24:35 CDT 2006


We are pleased to announce the release of Radiator version 3.15.

This version contains some significant new features, and a number of
fixes. Amongst the new features: AuthBy RADSEC now supports multiple Hosts,
using the same Host clause syntax as AuthBy RADIUS. A new module, AuthBy
SAFEWORD, authenticates directly to a SafeWord Premier Access server. A
new module, AuthBy LDAPDIGIPASS, authenticates Vasco Digipass tokens from token
data in an LDAP database. There are also many other minor improvements and
bug fixes.


As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.html

An extract from the history file
http://www.open.com.au/radiator/history.html is appended:

-----------------------------
Revision 3.15 (2006-06-01) 

AuthBy RADSEC now supports multiple Hosts, using the same Host clause syntax
as AuthBy RADIUS. Hosts will be tried in the order given. FailureBackoffTime
can be used to mark unresponsive hosts dead for a period of time and skip
them. Example Host clause syntax is shown in goodies/radsec-client.cfg.

Example config file goodies/eap_leap_proxy.cfg was inadvertently left out of
the distribution.

Fixed a problem where the parent process could crash if AuthBy KRB5 was used
and the server run in the background. Reported by Carol Ward.

Added calling_station_hook_requests.pl, a sample PostAuthHook for PEAP
requests that:
1) Inserts the Calling-Station-ID into the inner request
2) Inserts the Called-Station-ID into the inner request
3) Inserts the "outer" EAP identity into the inner request as "Outer-EAP-Id"
Contributed by Terry Simons.

Testing on openSUSE 10. OK.

Fixed a bug in mergedetails that prevented it running under perl 5.005 and
earlier. Reported by Greg Schiedler.

Alternative version of RequestHook added to goodies/hooks.txt. The hook saves
the time of the last Access-Request for each user and conditionally returns an
Access-Accept if the time is less than a preset limit.

A typo prevented EAPTLS_CertificateVerifyHook parameter being
recognised. Reported by Rodrigo Seguel.

Improved logging of LDAP connected host details to include the actual hostname
and port after special character translations. Also Port now supports special
characters. Requested by Michael Hall.

Improved Authen-Digipass RPM to work with perl 5.8.7.

Refactored AuthDIGIPASS.pm to move common code to AuthDIGIPASSGeneric.pm. New
module AuthSQLDIGIPASS.pm replaces AuthDIGIPASS.pm and AuthBy DIGIPASS is now
deprecated in favour of AuthBy SQLDIGIPASS.

New version of Authen-Digipass module for Linux, Solaris and Windows where
digipass.pl now works with LDAP databases, plus some minor bug fixes.

New module AuthBy LDAPDIGIPASS authenticates Vasco Digipass tokens from token
data in an LDAP database. Example configuration file
goodies/digipass_ldap.cfg, and sample LDAP database schema and sample data in
goodies/radiator-ldap.*. Use the digipass.pl command line program (part of the
Authen-Digipass supplied with Radiator) to import, assign, inspect, reset
tokens in the LDAP database.

All calls to format_special in AuthBy IMAP now include the current packet so
that %R can be used in Host parameter etc. Requested by Petr Zimak.

AuthBy SQL did not honour AuthenticateAccounting.

Minor fixes, PostSearchHook missing from AuthLDAP2 config options. Reported by
Petr Zimak.

Added a number of Cisco VOIP VSAs to dictionary.

Added a number of VSAs and fixed some errors in dictionary.sip to be in line
with draft-schulzrinne-sipping-radius-accounting-00.txt

Radpwtst now permits octal escapes in the value in attr=value arguments.

Testing with SIP Proxy Router (SER) from www.iptel.org. Added example
configuration file to goodies/sip.cfg showing how to configure Radiator for
SIP authentication with SER, and with some helpful information and corrections
about configuring SER to work with RADIUS.

Zero-length string attributes are now never sent in Radius packets, but are
ignored, as per RFC 2138. Zero-length Reply-Message strings have been seen in
improperly written hooks. Suggested by Ulrich.

Sample startup scripts linux-radiator.init and solaris-radiator.init now force
-daemon to prevent running in the foreground when started by init script.

Fixed a problem in ClientListSQL and ClientListLDAP that could cause a crash
during an automatic update if there were no hardwired Client clauses. Reported
by Alexander List.

Log SYSLOG and AuthLog SYSLOG now support special characters in
LogIdent. Requested by Alexander List.

Fixed a case where Reply-Message could be incorrectly reset in CachedAttrs,
which prevented ServerTACACSPLUS from returning the Reply-Message during a
rejection.

Added new hooks AuthenticationStartHook and AuthenticationContinueHook to
Server TACACSPLUS which can be used for special processing of TACACS+
authentication requests.

Minor improvements to test suite. Now reports total error count and exits with
non-zero status if there are errors.

Renew test certificates. Previous certificates expired March 16 2006, which
would prevent TLS, TTLS, PEAP and RadSec tests working. Minor improvements to
mkcertificate to add /usr/share/ssl/misc to the path (for standard OpenSUSE).

Improvements to timeout handling for SQL and others for perl 5.8 and later,
requested by Gustavo Moreira.

Improvements to the way nested calls to format_special were
handled. Previously, the value for $cpacket could get clobbered by an error
log message during formatting of a special character. Reported by Robert
Fisher.

Added ChallengeMessage parameter to AuthBy DIGIPASS*, which allows the
Digipass challenge message to be customised or internationalised.

Fixed a problem with SessionDatabase SQL where a countQuery that returned a
username as the fifth field did not alter the user name as expected. Reported
by Vangelis Kyriakakis.

In ServerTACACSPLUS, added a workaround for a bug in some old Cisco routers
where a failed authentication would result in an unclosed TCP
session. Requested by Patrick, Robert.

Added a workaround for a bug in some EAP TTLS supplicants (notably PBG4 on
MAC OSX) that do not conform to the TTLS protocol specification, and do not
understand the ACK sent by the server at the end of TLS negotiation and
session resumption, resulting in session resumption not completing. The new
EAPTTLS_NoAckRequired flag enables a workaround for such supplicants. Many
other supplicants are happy with this too.

Fixed a problem with session keys when LEAP was used with
EAP_LEAP_MSCHAP_Convert. Reported by Michael Ting.

Added new AuthBy SAFEWORD, which authenticates directly to a SafeWord Premier
Access server. Includes a sample configuration file. Supports PAP, CHAP,
TTLS-PAP, EAP-OTP and EAP-GTC. Supports password changing. Supports fixed
(static) passwords and SafeWord Silver and Gold tokens.

Fixed a problem that could cause a crash if getpeername fails during a Tacacs
connection. Observed on some Solaris platforms. Reported by Ashton, James P.

Added new parameter UsernameMatchesWithoutRealm to AuthBy NTLM, contributed by
Robin Breathe.

Added support for HandleAcctStatusTypes to AuthBy DNSROAM, GROUP, MULTICAST
RADIUS, RADSEC and SQL. Contributed by "Nicholas A Waples".


-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
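
The zero-length attribute rule from the 3.15 history above, sketched as an added example (not part of the original announcement and not Radiator's own code). The function names and the sample reply list are constructed for illustration; attribute numbers 1 (User-Name) and 18 (Reply-Message) are from the standard RADIUS dictionary.

```python
import struct

# Standard RADIUS attribute numbers used by the constructed sample below.
USER_NAME = 1
REPLY_MESSAGE = 18


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs, dropping zero-length values.

    Returns (encoded_bytes, skipped_types).
    """
    out = bytearray()
    skipped = []
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode("utf-8")
        if len(value) == 0:
            # Would be a header-only attribute (Length == 2): omit it entirely.
            skipped.append(attr_type)
            continue
        if len(value) > 253:
            raise ValueError(f"attribute {attr_type}: value exceeds 253 octets")
        # Length counts the Type and Length octets as well as the value.
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out), skipped


def find_zero_length(encoded):
    """Walk an attribute block and return the types that carry no value."""
    empty = []
    pos = 0
    while pos < len(encoded):
        if pos + 2 > len(encoded):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", encoded, pos)
        if length < 2 or pos + length > len(encoded):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        if length == 2:
            empty.append(attr_type)
        pos += length
    return empty


# Constructed sample: a hook that set Reply-Message to an empty string.
SAMPLE_REPLY = [(REPLY_MESSAGE, ""), (USER_NAME, "alice"), (REPLY_MESSAGE, "Welcome")]

if __name__ == "__main__":
    wire, skipped = encode_attributes(SAMPLE_REPLY)
    print(wire.hex(), skipped)
    print(find_zero_length(b"\x12\x02" + wire))
```

find_zero_length can be pointed at the attribute block of a captured reply to spot a hook that is still emitting empty strings.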

