(RADIATOR) Radiator Version 4.0 released

Mike McCauley mikem at open.com.au
Mon Jan 14 01:47:27 CST 2008

We are pleased to announce the release of Radiator version 4.0

This version contains some new significant new features, such as a full web
based configuration and monitoring GUI, Alpha WiMAX support, improved 
duplicate detection and support for EAP-FAST.

As usual, the new version is available to current licensees from:

and to current evaluators from:

Licensees with expired access contracts can renew at:

An extract from the history file
http://www.open.com.au/radiator/history.html is below:

Revision 4.0 (2008-01-14) Significant new features and some bug fixes 

Added support for Radiator monitoring and configuration via a web browser,
using the new ServerHTTP module. Sample configuration file in
goodies/serverhttp.cfg shows how to enable support in any configuration file.

Added AuthBy WIMAX module to handle WiMAX authentication and key
generation. Uses an SQL database to hold subscription/authentcation
information and to cache keys and save accounting. Supports: Authentication of
users and devices from SQL database (most EAP types supported). Generation and
caching (in SQL) of MIP-RK, MIP-SPI and FA-RK for each device
session. Generation of mobility keys for both NAS and HA requests. Generation,
caching (in memory) and refreshing of HA-RK, HA-SPI for each HA. Generation,
caching (in memory) and supplying DHCP-RK and Key-Id for NAS and DHCP
requests. Hotlining profiles. This is an early release Alpha version of WiMAX
support which has not yet received extensive testing. Feedback and bug reports
are welcomed.

Improved performance and behaviour of RADIUS duplicate and retransmission
detection in line with RFC 5080. Duplicates and retransmissions within the
DupInterval timeout are now detected using the sender's source port in line
with RFC 2865. Detected retransmissions that have been replied to will have
their earlier reply retransmitted, preventing problems with decoding of
duplcicate TLS/TTLS/PEAP fragments. A retransmission that has not (yet) been
replied to will be dropped as before.

radpwtst now generates random Authenticators. 

Minimum supported version of Perl is now 5.6.0 

Sample certificates updated to expire Jan 13 03:42:47 2010 GMT

Added support for EAP-FAST. Requires patches for OpenSSL and Net-SSLeay, which
are included. Includes detailed instructions for patching OpenSSL and
Net-SSLeay and configuring for EAP-FAST.

Added support for standard WiMAX VSAs to dictionary, and support for WiMAX VSA
continuation flags in packing and unpacking, plus automatic salted encryption
and decryption of WiMAX attributes that require it (keys etc). As per

Added support for additional standard dictionary type integer64 required by
draft-ietf-radext-design-02.txt. Previous integer8 attributes in dictionary
changed to integer64. Integer8 now means one octet. INteger1 is still treated
as integer8 for backwards compatibility.

Added WiMAXTLV module for packing and unpacking WiMAX TLV sub-attributes,
including symbolic definitions of some WiMAX TLVs.

Added support for new dictionary attribute types integer8, integer16,
signed-integer and ipaddrv4v6, required by WiMAX.

Added WiMAX module for computing various WiMAX keys and other WiMAX routines.

All EAP types now export the MSK by setting {msk} in the appropriate reply
packet. They also optionally export the EMSK in {emsk} if ExportEMSK is set.

Added a number of 3GPP attributes to dictionary

When using LEAP with EAP_LEAP_MSCHAP_Convert, some clients would not complete
the handshake due to an Access-Accept being sent instead of Access-Challenge.

Improvements to AuthBy HASHBALANCE so that EAP sequences from any given user
will not be split between hosts during a failover.

Fixed a problem with undefined getEAPContext when used with some
configurations of AuthBy HASHBALANCE. Reported by Alison Lee.

Added a number of Motorola-WiMAX attributes to dictionary. Contributed by
Thomas Hartley.

Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests
and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure
history, backoff time etc are cached within Radiator memory, so that SQLRADIUS
can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.

Improvements to AuthBy GROUP so that it better handles chains of
authenticators with EAP type requests, such as LEAP, EAP-MSCHAPV2
etc. Reported by Jani Kariniemi.

Reinstated behaviour that was removed in Radiator version 3.15: empty
attributes, including empty strings are now permitted to be packed into Radius

Fixed problem with acknowledgements and Fidelio Opera interface when using
TCP. reported by Andrea Coppini.

Added new parameter AgentName to AuthBy SAFEWORD. This field is used when
authorizing a request to SafeWord, and allows us to do things like enforce
ACLs, Roles, which authenticator in the user record to use when they have
multiple, whether to send a MobilePass password, etc. It is very useful!
Contributed by David LePage.

Added 2 new attributes oscRadiusDefaultRealm and oscRadiusIdentifier to the
sample LDAP schema in radiator-ldap.schema. Contributed by Jérôme Schell.

Added new special character %X, which is replaced by the EAP identity, with
any trailing @realm stripped off. Patch provided by Heikki Vatiainen.

When radpwtst is used with -accton or -acctoff it now always an Accounting
Session ID. Suggested by Dan Cachola.

All modules now generate 32 octet MPPE keys for WPA compatibility. Reported by
Dominic J. Eidson.

RadSec and Diameter client and server modules now support
TLS_SubjectAltNameURI parameter for certificate
validation. TLS_SubjectAltNameURI is a regexp which can match against any
Subject Alt Name of type URI. If a match is found the certificate will
validate. Suggested by Stefan WINTER. Examples added to configs.

ServerRADSEC now honours Status-Server requests directly in the same way as
Client. Requested by Stefan WINTER.

Fixed a problem with resolving ipv6: names with DNS on RadSec and Diameter
connections. Reported by Patrick Renkens.

A debugging print statement was inadvertently left in AuthBy LDAPDIGIPASS.

Fixed a problem that prevented LocalAddress and OutPort being set for all
hosts in AuthBy SQLRADIUS. Reported by Yves Martel.

Prevent crashes after signal -HUP with multiple AuthBy KRB5. Reported by Barry

Improvements to sample goodies/radiator.sh startup script, allowing
/etc/rc.conf to control the radiator_config file. Provided by Erik Klavon.

Added sample hook eap_acct_username.pl, which copies the inner username to the
Access-Accept User-Name field so a NAS (Access Point) can provide accounting
information with correct (inner) User-Name. Contributed by Rok Papez.

Module and sample configuration file that allows RADIUS clients to get user
presence information from an SQL accounting database. Special Access-Request
formatted with Service-Type=Call-Check-User are replied with Access-Accept
containing OSC-User-Presence-Indicator, OSC-User-Presence-Location
OSC-User-Presence-Timestamp indicating whether and whered the user is last
logged in. Can be used by RADIUS enabled VOIP routing modules etc. Supports
mapping of NAS IDs into readable location names etc.

Fixed possible socket exhaustion in Server TACACSPLUS under certain unusual

New RPM packages of Authen-Digipass 1.9 module for both 32 and 64 bit Linux
platforms. The 32 bit package contains Vacman Controller 3.5 and the 64 bit
package contains Vacman Controller 3.7.

Updated Windows Authen-Digipass PPM packages to 1.9. Contains Vacman
Controller 3.5 libraries.

AuthBy SQL and AuthBy SQLRADIUS now support the AuthSelectParam parameter,
which allows SQL bind variables to be used. The first 32 SQL queries that use
AuthSelectParam are subject to SQL query caching, which can significantly
improve the performance of the SQL server. Patches by Dan Cachola.

Fixed a case where the server could crash after receiving malformed requests
such as those sent by nmap. Reported by Sven Henderson.

Added support for Expiration dates in format 'mmm dd yy(yy)', such as '24 Jul
2007', for compatibility with some SQL database date formats.

Added support for Expiration dates in format 'mmm dd yy(yy)', such as '24 Jul
2007', for compatibility with some SQL database date formats.

Added support for new special character %J which produces the request
timestamp in the format 'yyyy-mm-dd hh:mm:ss'

Added support for new check items Max-All-Session, Max-Daily-Session,
Max-Hourly-Session and Max-Monthly-Session, along with new AuthBy SQL
parameters AcctTotalQuery and AcctTotalSinceQuery. The combination provides a
way to check that users have not exceeded hourly, daily, weekly or total usage
requirements. These check items are compatible with FreeRadius check items of
the same name. They are also conpatible with the Session-timeout=until
ValidTo, which will compute a session timeout based on the most restrictive
Max-*-Session time left.

New AuthBy FREERADIUSSQL is compatible with standard FreeRadius SQL databases,
and can be used with the daloRADIUS user manager. Enables easy migration from
FreeRadius to Radiator, or allows Radiator to be used with a range of
FreeRadius user management packages. Includes sample configuration file.

Improved modularity of encryption functions. Fixed a problem with encryption
of Ascend-Send-Secret and Ascend-Receive-Secret, in the case where the secret
was more than 16 octets. Most encryption functions decomposed to decode_salted
and encode_salted.

Added support for encryption of Motorola-WiMAX-MIP-KEY attribute.

Testing with Strawberry Perl 5.8.8 alpha 2
http://win32.perl.org/wiki/index.php?title=Strawberry_Perl on Windows XP. OK
(Testing requires Win32::Process to be installed using cpan using 'force
install Win32::Process').

Altered the algorithm Server TACACSPLUS uses to find the encrpyion key for a
given Tacacsplus client. The order of preference is now: Per-Client
TACACSPLUSKey, ServerTACACSPLUS Key, Per-Client Secret. This means that you
can use ClientListSQL to provide per-client Tacacs+ keys. Updated
documentation to describe the Key search algorithm.

Added support for the FreeRadius style dictionary flags has_tag, encrypt=1,
encrypt=2 and encrypt=3. Requested by Dan Cachola.

Added support for a number of FreeRadius style dictionary keywords:
BEGIN-VENDOR, END-VENDOR, $INCLUDE, as well as Radiator style include
commands. Some improvements to dictionary parsing and error reporting.

Added new parameter SessionDatabaseUseRewrittenName to Handler and
Realm. Causes the rewritten username (instead of the original user name) to be
used for session database purposes.

Performance improvements and rationalisation in RADIUS packet assembly and

Testing with Perl CamelPack on Windows XP. OK.

Added Motorola Canopy attributes to dictionary.

Improved compatibility with some EAP-GTC clients that require CHALLENGE=
prompts, and deliver RESPONSE=a\0b responses.

Special characters now permit nested contructions of the form %{x:%{y:z}}

Added -options flag to radpwtst, which makes it read additional command line
flags and arguments from the named file.

In AuthBy RADIUS, the Host name can now contain nested special
characters. Patch provided by "Valentin Tumarkin".

Disable OpenSSL 0.9.9 SessionTicket support when negotiating RadSec TLS
connections, otherwise get TLS 'unexpected message' errors.

Added support for new dictionary type 'integer1' which translates integers
encoded as a single octet.

Added support for new dictionary type 'integer2' which translates integers
encoded as a 16 bit unsigned (2 octets).

Added a number of BATM, NS and Alcatel attributes to dictionary. Contributed
by Ernst Oudhof.

ServerTACACSPLUS now puts Acct-Session-Id in Radius packets derived from
accounting requests.

New TacacsClient module provides basic Tacacs+ client services.

goodies/tacacsplustest was rewritten in terms of the new TacacsClient module.

'make clean' now removes all files created by 'make test'.

EAP-TLS now hounours machine certificates, ie where the User-Name and/or
identity is in the form host/machinename, but the CN in the certificate has
just CN=machinename.

Radius port listeners refactored into new ServerRADIUS module.

Removed SSLeayTrace from all sample configs. Does nothing now.

Significant refactoring of code from ServerHTTP, ServerRADSEC, ServerDIAMETER
and Monitor to new module StreamServer.

ConfigKeywords can now include documentation for the benefit of ServerHTTP

Removed dead Synchronous code from AuthRADSEC. Suggested by Bjoern A. Zeeb.

AuthBy RADIUS and RADSEC now drop replies with bad signatures in line withg
documentation and RFCs. AuthBy RADIUS still allows this behaviour to be
overridden with the IgnoreReplySignature flag.

Added new dictionary type signed-integer, a 32 bit signed integer

Added support for new Cisco optional attributes in ServerTACACSPLUS,
contributed by Kristian Larsson, for example: AuthorizeGroup xr-friendly
permit service=shell cmd\* {task*#root-system,#cisco-support priv-lvl=15}

AuthBy DIGIPASS, when validating Challenge-Response (CR) tokens now caches the
last challenge internally instead of relying on the RADIUS client and the
State atribute. New configuration parameter ChallengeTimeout allows
configuration of the maximum time period the challenge is valid for.

EAP-TTLS incorrectly copied attributes from the inner ACCPET to the outer
ACCEPT change_attr, which prevented multiple instances of the same attribute
being copied.

In ClientListSQL, the PREHANDLERHOOK value returned by GetClientQuery can now
contain either the text of the hook, or a a hook filename in the form
`file:/path/to/hook'. Patch supplied by "Jose Borges Ferreira".

Minor changes to SIP authentication in line with forthcoming RFC 5090.

Reference manual is no longer shipped as HTML, only as PDF and PostScript.

Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list