[RADIATOR] Radiator Version 4.5 released

Mike McCauley mikem at open.com.au
Mon Oct 26 19:20:12 CDT 2009


We are pleased to announce the release of Radiator version 4.5

This version contains some significant new modules, such as support for
Yubikey tokens from Yubico (http://www.yubico.com), support for HOTP (RFC 4226)
one-time-passwords and a number of bug fixes.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php

An extract from the history file
http://www.open.com.au/radiator/history.html is below:



Revision 4.5 (2009-10-27) New features and bug fixes 

Fixed a bug that could cause a crash at startup if the listening
RADIUS port could not be opened due for example to an
unresolvable bind address. The error message was "Not a CODE
reference at Radius/ServerRADIUS.pm". Reported by Thomas
Schlottke.

Significant performance improvements in Select::add_timeout. It now
uses a binary search for the insertion point, rather than re-sorting
the whole list every time.

Added support for authenticating Yubikey tokens from
Yubico (http://www.yubico.com). Yubikeys are small, inexpensive
USB tokens for one-time-password authentication. Added sample
configuration file and descriptive test file. Supports one- and
two-factor authentication, replay detection etc.

Fixed a problem with AuthBy LDAPRADIUS which would cause a crash
during initialization.

Improvements to ServerTACACSPLUS so it can find an appropriate
Client clause even if the reverse DNS is screwy. Suggested by
Ranko Zivojnovic.

Fixed a problem with resolution of IPv6 addresses on some
platforms such as Solaris. Some debug messages were inadvertently
left in Util::gethostbyname for IPv6. Reported by Sami
Keski-Kasari.

Fixed a problem with heavily loaded server farms where a SIGHUP
of the process leader could cause inability to bind to the
listening ports after restart. Radiusd now waits for all farm
children to die before restarting. Reported by Dan Cachola.

Added support for HOTP (RFC 4226) one-time-passwords with AuthBy
SQLHOTP. HOTP one-time-passwords are authenticated based on a
secret key stored in an SQL database. Detects replay attacks and
brute-force attacks and supports counter resynchronisation. Can also
support static passwords for 2 factor authentication when the
user prefixes their static password before the HOTP
one-time-password. Supports authentication by RADIUS PAP, EAP-OTP
and EAP-GTC. Includes sample configuration file and sample
database schema with test users.
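The HOTP checks described above (replay detection, a brute-force lock-out, counter resynchronisation and a static-password prefix), as an added illustration that is not Radiator's AuthBy SQLHOTP code: the per-user dict, its key names, the look-ahead window and the lock-out threshold are assumptions standing in for the SQL row and configuration parameters.

```python
import hashlib
import hmac
import struct

DIGITS = 6
LOOKAHEAD = 10   # how far past the stored counter we search (counter resynchronisation window)
MAX_BAD = 5      # consecutive failures before the token locks (brute-force limit)

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(row, password):
    """Check one PAP password against a per-user row (a constructed dict standing in for the SQL
    row; keys secret, counter, bad_attempts, static are assumptions, not Radiator's schema).
    Returns 'accept', 'locked', 'bad_static' or 'reject' and updates the row like an SQL UPDATE.
    On the wire all three failures are the same Access-Reject; the reasons are for the log."""
    if row["bad_attempts"] >= MAX_BAD:
        return "locked"
    # A static password, if configured, is typed immediately before the one-time-password
    static, otp = password[:-DIGITS], password[-DIGITS:]
    if not hmac.compare_digest(static, row["static"] or ""):
        row["bad_attempts"] += 1
        return "bad_static"
    # Only counters beyond the last accepted one are tried, so a replayed OTP can never match
    for c in range(row["counter"], row["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(row["secret"], c), otp):
            row["counter"] = c + 1   # resynchronise: the skipped presses are consumed
            row["bad_attempts"] = 0
            return "accept"
    row["bad_attempts"] += 1
    return "reject"

def demo():
    """Constructed walk-through using the RFC 4226 test secret."""
    row = {"secret": b"12345678901234567890", "counter": 0, "bad_attempts": 0, "static": "pw"}
    return [verify(row, "pw755224"),   # counter 0: accept
            verify(row, "pw755224"),   # same OTP again: replay, reject
            verify(row, "pw969429"),   # counter 3: accept, counters 1 and 2 consumed
            verify(row, "xx338314")]   # wrong static password
```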

Added support for IdleTimeout to Server TACACSPLUS. If a client
stays connected for more than this number of seconds without
sending any requests it will be disconnected. Defaults to 180
seconds. Requested by Yevgeniy Averin.

Added new parameter UseContentsForDuplicateDetection to
Client. This must be used in a server farm environment. The back
end servers in a server farm will receive requests from a range
of source ports. Duplicates received by the front ends and
proxied to the back ends may appear to come from a range of
source ports and with a range of RADIUS identifiers. This flag
causes duplicate detection to be based on the contents of the
packet, and not on the 'envelope'. This permits duplicates to be
detected regardless of the path they take to get from the NAS
to the server. It must be set in the Client clauses of the back
end servers of a server farm architecture.
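The envelope-versus-contents distinction above, as an added illustration that is not Radiator's implementation: a minimal RADIUS packet parser, a key built from the envelope (source address, port, identifier, Request Authenticator) and a key built from the attributes alone. The set of attributes a proxy hop rewrites is an assumption, and the two proxied copies are constructed.

```python
import hashlib
import struct

# Attributes rewritten at every proxy hop (assumed set): Proxy-State, Message-Authenticator.
# User-Password (2) is also re-hidden under each hop's authenticator, so a content key must
# cover its decrypted value; this example keeps to CHAP, whose attributes pass through unchanged.
PROXY_REWRITTEN = {33, 80}

def parse_radius(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs

def build_radius(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + auth + body

def envelope_key(src_ip, src_port, pkt):
    """Default duplicate key: source address and port, identifier, Request Authenticator."""
    _, ident, auth, _ = parse_radius(pkt)
    return (src_ip, src_port, ident, auth)

def contents_key(pkt):
    """Content-based key: code plus every attribute a proxy hop leaves untouched."""
    code, _, _, attrs = parse_radius(pkt)
    h = hashlib.sha256(bytes([code]))
    for t, v in attrs:
        if t not in PROXY_REWRITTEN:
            h.update(bytes([t, len(v)]) + v)
    return h.hexdigest()

def demo():
    """Constructed: one NAS CHAP request reaching two back ends through two front ends."""
    chap = [(1, b"bob"), (3, b"\x01" + b"\x00" * 16), (60, b"\x55" * 16)]
    keys = []
    for ident, port in ((17, 40001), (205, 40002)):
        auth = hashlib.md5(bytes([ident])).digest()  # stand-in for the hop's fresh authenticator
        pkt = build_radius(1, ident, auth, chap + [(33, bytes([ident]))])
        keys.append((envelope_key("10.0.0.2", port, pkt), contents_key(pkt)))
    return keys[0][0] != keys[1][0], keys[0][1] == keys[1][1]
```

demo() returns (True, True): the envelope keys of the two copies differ while their content keys agree, which is the case the flag exists for.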

Fixed a problem with the MIB name in CiscoSessionMIB. Reported by
Tim Wolgemuth.

Added support for UseContentsForDuplicateDetection to ClientList
SQL. If the SQL query returns a row 26, it will be used as the
UseContentsForDuplicateDetection flag.

Fixed a problem where some types of authentication would
incorrectly succeed when NoEAP was in use. Reported by Heinrich
Mislik.

Added a new ReplyHook flag to AuthBy RADIUS so that hooks can
signal the fact that a request has been redirected, and not to
generate a reply from the AuthBy RADIUS. Sample configuration
file in goodies/rejectproxy.cfg

Fixed a problem with duplicate replies in test suite.

When Trace -1 is enabled, prints the PID in the "currently
handling" message. Suggested by Robert Patrick.

Added various Trapeze VSAs to dictionary, contributed by Andrew
Clark.

Type of WiMAX-IP-Redirection-Rule in dictionary changed to
string. Suggested by Garima Mahadik.

Fixed a problem reported with TLS where, under unusual
circumstances during a proxied TLS authentication,
Net::SSLeay::SESSION_get_master_key could crash due to the TLS
session being invalidated. Reported by Matti Saarinen.

Added a number of Infoblox VSAs to dictionary. Provided by Andrew
D. Clark.

Fixed a problem with AuthBy PAM on Solaris: if a request without
a username is received, it can cause PAM to go into an infinite
loop with messages like: "DEBUG: PAM is asking for 2: 'Please
enter user name'". Reported by Markus Moeller.

Added a number of Huawei VSAs to dictionary.

Reinstated changes to password decoding introduced in version 4
that meant that certain non-compliant password encryptions were
not decrypted properly. Reported by Roland Rosenfeld.

Fixed a problem in ClientList SQL and ClientListLDAP where if the
client creation phase fails, it could cause a subsequent crash
when findDuplicate() is called within Client.pm. Reported by
Shirley Wou.

Added placeholders for Symbol (388) VSAs to dictionary.

Packets created by EAP-TTLS for proxying now add
Message-Authenticator if there is an EAP-Message. This ensures
that if the packet is proxied to another RADIUS server, the lack
of Message-Authenticator won't prevent processing of the request.

Fixed a problem in the StreamTLS certificate verification where
it did the subjectAltName checks incorrectly if both URI and (IP
or DNS) were checked: it never checked the IP or DNS. Reported by
Heikki Vatiainen.

Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC
and AuthBy RADIUS too often. Reported by Heikki Vatiainen.

Fixed a problem where AuthBy DNSROAM did not correctly set
ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy
RADIUS. Reported by Heikki Vatiainen.

Added new attributes from RFC5607 to dictionary.

Added new attributes from RFC5580 to dictionary.

Fixed a problem that prevented replies to Disconnect-Request and
Change-Filter-Request from getting their Authenticator correctly
computed. Reported by Jack Ho.

For classes that use Stream connections (such as AuthBy RADIUS and
ApplePasswordServer), if ConnectOnDemand is set, then Stream
always blocks until the connect either succeeds or
fails. Requested by Sam Lin.

Stream classes now support special characters in Host,
HostAddress, ReconnectTimeout. Requested by Sam Lin.

Added example Radiator configuration file and hook, showing how
to support both RSA OnDemand and SecurID authentication for the
same users.

Added new parameter DisableMTUDiscovery to ServerRADIUS and
AuthBy RADIUS. Disables MTU discovery on platforms that support
that behaviour (currently Linux only). This can be used to
prevent discarding of certain large RADIUS packet fragments on
supporting operating systems.

Added support for FramedGroup, StripFromReply, AllowInReply,
AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested
by Paul Dekkers.

Monitor and SNMPAgent clauses now support the Identifier
parameter.

Fixed a problem that prevented Origin-Host being set correctly in
proxied requests. Reported and patched by Arthur Konovalov.

Added sample hook to hooks.txt which runs in each child and
closes the Monitor and SNMPAgent ports and re-opens them on a
different port number.

Added OSC-Session-Identifier to dictionary.

Added support for new special character Z which is replaced by
the RADIUS Identifier in the current packet (if any).

Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses
current_timestamp() instead of now() for better compatibility
with more SQL servers. Static password can now be separated from
the token string with a ':' to ensure they can be identified,
even with non-standard Yubikey token lengths. Suggestions by
Jérôme Fleury.

Minor change to log message when a requested EAP type is
rejected, so the name of the desired type is printed. Patch
supplied by Alexander Hartmaier.

AuthBy LDAP2 now supports multiple space separated Host names,
and Net::LDAP will choose the first available one. Patch supplied
by Raphael Luta.

Fixed a problem which could result in a blank user name in PEAP
or TTLS or other inner requests under some very unusual
circumstances. Improved EAP context finding algorithm so inner
and outer requests with the same User-Name would not collide.



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.