(RADIATOR) Radiator Version 3.17 released

Mike McCauley mikem at open.com.au
Sun Mar 25 19:21:24 CST 2007


We are pleased to announce the release of Radiator version 3.17.

This version contains some significant new features, and a number of
fixes. Amongst the new features are support for authenticating from Apple
Directory Server and Apple Password Server on Mac OSX Server, permitting
Radiator to authenticate wireless and 802.1X users against native OSX Server
user administration tools. Support for a number of new EAP protocols such as
EAP-PSK and EAP-PAX was added. A number of other minor features and bug fixes
were also added.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.html

An extract from the history file
http://www.open.com.au/radiator/history.html is below:

-----------------------------
Revision 3.17 (2007-03-26) Some major new features and bug fixes 

Added new module AuthBy LDAP_APS which finds user details in a Mac OS-X
Directory Server LDAP database, and then authenticates the user password
against a Mac OS-X Apple Password Server. Works on Mac OS-X 10.4 or
later. Sample configuration file in goodies/ldap-aps.cfg. Supports PAP,
MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.

Added support for EAP-PSK as per RFC 4764, an EAP method based on a per-user
Pre Shared Key, and which supports strong cryptography and dynamic WEP and WPA
keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file
included.

Added support for EAP-PAX as per draft-clancy-eap-pax-11, an EAP method based
on a per-user Authentication Key, and which supports strong cryptography and
dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample
configuration file

Added a new flag EnableFastPINChange to AuthBy ACE, allowing compatibility with
some NASs (notably Juniper) that have non-standard behaviour in New Pin Mode:
when the user is asked whether they want to set their PIN, the NAS
automatically gets the new PIN and returns it to the RADIUS server, which is
expected to use it to set the PIN immediately. This flag enables compatibility
with this behaviour if the user/device enters a PIN instead of 'y' or 'n'.

Fixed potential memory leak in PEAP and TTLS after handshake failure.

Improvements to parseDate so that invalid date formats would not cause a
crash.

Added support for new special character in the format %{OuterRequest:attrname}
which is replaced with the named attribute from the outer request of a
tunnelled request. Useful with PEAP and TTLS tunnelled requests.

Fixed a memory leak that mostly affected failed authentications in TTLS and
PEAP. Reported by David Spindler.

Added a number of new Mikrotik VSAs to dictionary.

Testing with Cisco Secure Services Client 4.0.5.4889 on XP. OK for TTLS-PAP,
TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5,
PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, GTC, TLS, EAP-MSCHAPV2, MD5

Added support for special characters in EAPTLS_PrivateKeyPassword and
TLS_PrivateKeyPassword. Requested by Redback.

Fixed a problem with interoperation between ServerDIAMETER and some Diameter
clients. Reported by Arthur Konovalov. Also fixed a typo in doc about how to
test ServerDIAMETER.

Fixed some minor interoperation issues to do with SIP authentication and RFC
4590.

Altered dictionary.sip to make it compliant with RFC 4590.

Fixed a problem with the Host-IP-Address in the CEA by Server
DIAMETER. Reported by Arthur Konovalov.

ServerDIAMETER now converts the contents of Grouped attributes from the
incoming Diameter request into the new Radius request.

Fixed a problem with the Mandatory flag in the Diameter Firmware-Revision
attribute. Removed restriction of only being able to handle NASREQ application
requests. Reported by Arthur Konovalov.

Fixed a problem with conversion of SessionId when using NasType of
CiscoSessionMIB. Reported by Joe (Mobile).

Fixed a problem with incorrect responses to Tacacs accounting
requests. Reported by Mohamed.Raddahi.

Fixed a problem where a check-item Auth-Type which points to an AuthBy RADIUS
inside a GROUP did not work as expected. Reported by Toomas Kärner.

Added support for Starent VSA's, which have a non-standard format. Patch
supplied by Frank Danielson.

Fixed some problems with memory leakage especially in PEAP after a successful
authentication. Reported by David Spindler.

In AuthBy RADIUS, the Host clause now supports per-host LocalAddress and
OutPort parameters. Patched by Bjoern A. Zeeb.

Added documentation and sample configuration file for ServerDIAMETER.

Removed references to obsolete handle_sigchld, which is not necessary any
more. Reported by Dan Cachola.

Added support for ConnectionAttemptFailedHook and NoConnectionsHook for custom
code to handle various types of SQL connection failure. Patched by Dan
Cachola.

Fixed a problem with conversion of negative integers by valNameToNum in Radius
dictionaries. Reported and patched by Arthur Konovalov.

Minor improvement to performance of Radius::Util::random_string.

Added more Huawei VSAs to dictionary. Contributed by José Borges Ferreira.

Improved handling of multiple reply items, possibly containing spaces, in
AuthorizeGroup. PasswordPrompt is now used everywhere to control password
prompts in ServerTACACSPLUS.

Added more WCG VSAs to dictionary.

Fixed a problem where proxied TTLS inner EAP-MSCHAPV2 replies were not
properly processed, resulting in no reply to the originator. Reported by Ian
Forster.

Fixed a problem where Util::inet_ntop could crash when used with RodopiAAA
and TTLS or PEAP.

Cleaned up some attributes in dictionary including Tunnel-Type etc.

Added support for Cisco cisco-li-configuration attribute, which can be used to
enable Lawful Intercepts for selected sessions. Added goodies/cisco_li.txt
explaining how to use it.

Added various Redback VSAs to dictionary to support Redback Lawful
Intercept. Also arranged to support the automatic salt encryption of
attributes that require it. Contributed by Jan De Backer.

Added some Telkom SA VSAs to dictionary.

AuthBy DIGIPASS now honours UsernameMatchesWithoutRealm. Requested by SCHELL
Jérôme.

Structural changes in AuthGeneric.pm and changes to the args passed to
AuthGeneric::check_mschapv2() in order to support Apple Password Server.

Added MS-RAS-Client-Name and MS-RAS-Client-Version to dictionary.

Fixed a problem with proxying of Radius requests received by Server DIAMETER,
where the authenticator was not correctly set. Reported by Blake Ulmer.

Fixed a problem where diapwtst did not correctly handle extra attributes like
'radpwtst Accounting-Session-Id=12345'. Reported by Blake Ulmer.

Testing on Ubuntu 6.10. OK.

Fixed a typo in ClientListLDAP that prevented StripFromRequest working
properly. Reported and patched by Raphaël Luta.


-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
