[RADIATOR] Radiator Version 4.5 released

Jérôme Fleury jeje at jeje.org
Fri Oct 30 05:38:36 CDT 2009


Hi.

Is it me, or is AuthSQLYUBIKEY.pm not included in the tarball?


On Tue, Oct 27, 2009 at 01:20, Mike McCauley <mikem at open.com.au> wrote:
> We are pleased to announce the release of Radiator version 4.5
>
> This version contains some significant new modules, such as support for
> Yubikey tokens from Yubico (http://www.yubico.com), support for HOTP (RFC 4226)
> one-time-passwords and a number of bug fixes.
>
> As usual, the new version is available to current licensees from:
> http://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> http://www.open.com.au/radiator/demo-downloads
>
> Licensees with expired access contracts can renew at:
> http://www.open.com.au/renewal.php
>
> An extract from the history file
> http://www.open.com.au/radiator/history.html is below:
>
>
>
> Revision 4.5 (2009-10-27) New features and bug fixes
>
> Fixed a bug that could cause a crash at startup if the listening
> RADIUS port could not be opened due for example to an
> unresolvable bind address. The error message was "Not a CODE
> reference at Radius/ServerRADIUS.pm". Reported by Thomas
> Schlottke.
>
> Significant performance improvements in Select::add_timeout. Now
> uses binary search for the insertion point, rather than re-sorting
> the whole list every time.
>
> Added support for authenticating Yubikey tokens from
> Yubico (http://www.yubico.com). Yubikeys are small, inexpensive
> USB tokens for one-time-password authentication. Added sample
> configuration file and descriptive test file. Supports one and 2
> factor authentication, replay detection etc.
>
> Fixed a problem with AuthBy LDAPRADIUS which would cause a crash
> during initialization.
>
> Improvements to ServerTACACSPLUS so it can find an appropriate
> Client clause even if the reverse DNS is screwy. Suggested by
> Ranko Zivojnovic.
>
> Fixed a problem with resolution of IPv6 addresses on some
> platforms such as Solaris. Some debug messages were inadvertently
> left in Util::gethostbyname for ipv6. Reported by Sami
> Keski-Kasari.
>
> Fixed a problem with heavily loaded server farms where a SIGHUP
> of the process leader could cause inability to bind to the
> listening ports after restart. Radiusd now waits for all farm
> children to die before restarting. Reported by Dan Cachola.
>
> Added support for HOTP (RFC 4226) one-time-passwords with AuthBy
> SQLHOTP. HOTP one-time-passwords are authenticated based on a
> secret key stored in an SQL database. Detects replay attacks and
> brute-force attacks and counter resynchronisation. Can also
> support static passwords for 2 factor authentication when the
> user prefixes their static password before the HOTP
> one-time-password. Supports authentication by RADIUS PAP, EAP-OTP
> and EAP-GTC. Includes sample configuration file and sample
> database schema with test users.
>
> Added support for IdleTimeout to Server TACACSPLUS. If a client
> stays connected for more than this number of seconds without
> sending any requests it will be disconnected. Defaults to 180
> seconds. Requested by Yevgeniy Averin.
>
> Added new parameter UseContentsForDuplicateDetection to
> Client. This must be used in a server farm environment. The back
> end servers in a server farm will receive requests from a range
> of source ports. Duplicates received by the front ends and
> proxied to the back ends may appear to come from a range of
> source ports and with a range of RADIUS identifiers. This flag
> causes duplicate detection to be based on the contents of the
> packet, and not on the 'envelope'. This permits duplicates to be
> detected regardless of the path they take to get from the NAS
> to the server. It must be set in the Client clauses of the back
> end servers of a server farm architecture.
>
> Fixed a problem with the MIB name in CiscoSessionMIB. Reported by
> Tim Wolgemuth.
>
> Added support for UseContentsForDuplicateDetection to ClientList
> SQL. If the SQL queries returns a row 26, it will be used as the
> UseContentsForDuplicateDetection flag.
>
> Fixed a problem where some type of authentication would
> incorrectly succeed when NoEAP was in use. Reported by Heinrich
> Mislik.
>
> Added a new ReplyHook flag to AuthBy RADIUS so that hooks can
> signal the fact that a request has been redirected, and not to
> generate a reply from the AuthBy RADIUS. Sample configuration
> file in goodies/rejectproxy.cfg
>
> Fixed a problem with duplicate replies in test suite.
>
> When Trace -1 is enabled, prints the PID in the "currently
> handling" message. Suggested by Robert Patrick.
>
> Added various Trapeze VSAs to dictionary, contributed by Andrew
> Clark.
>
> Type of WiMAX-IP-Redirection-Rule in dictionary changed to
> string. Suggested by Garima Mahadik.
>
> Fixed a problem reported with TLS where, under unusual
> circumstances during a proxied TLS authentication,
> Net::SSLeay::SESSION_get_master_key could crash due to the TLS
> session being invalidated. Reported by Matti Saarinen.
>
> Added a number of Infoblox VSAs to dictionary. Provided by Andrew
> D. Clark.
>
> Fixed a problem with AuthBy PAM on Solaris: if a request without
> a username is received, it can cause PAM to go into an infinite
> loop with messages like: "DEBUG: PAM is asking for 2: 'Please
> enter user name'". Reported by Markus Moeller.
>
> Added a number of Huawei VSAs to dictionary.
>
> Reinstated changes to password decoding introduced in version 4
> that meant that certain non-compliant password encryptions were
> not decrypted properly. Reported by Roland Rosenfeld.
>
> Fixed a problem in ClientList SQL and ClientListLDAP where if the
> client creation phase fails, it could cause a subsequent crash
> when findDuplicate() is called within Client.pm. Reported by
> Shirley Wou.
>
> Added placeholders for Symbol (388) VSAs to dictionary.
>
> Packets created by EAP-TTLS for proxying now add
> Message-Authenticator if there is an EAP-Message. This ensures
> that if the packet is proxied to another RADIUS server, the lack
> of EAP-Message won't prevent processing of the request.
>
> Fixed a problem in the StreamTLS certificate verification where
> it does the subjectAltName checks incorrectly if both URI and (IP
> or DNS) are checked. It never checks the IP or DNS. Reported by
> Heikki Vatiainen.
>
> Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC
> and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
>
> Fixed a problem where AuthBy DNSROAM did not correctly set
> ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy
> RADIUS. Reported by Heikki Vatiainen.
>
> Added new attributes from RFC5607 to dictionary.
>
> Added new attributes from RFC5580 to dictionary.
>
> Fixed a problem that prevented replies to Disconnect-Request and
> Change-Filter-Request from getting their Authenticator correctly
> computed. Reported by Jack Ho.
>
> For classes that use Stream connections (such as AuthBy RADIUS,
> ApplePasswordServer), if ConnectOnDemand is set, then, Stream
> always blocks until the connect either succeeds or
> fails. Requested by Sam Lin.
>
> Stream classes now support special characters in Host,
> HostAddress, ReconnectTimeout. Requested by Sam Lin.
>
> Added example Radiator configuration file and hook, showing how
> to support both RSA OnDemand and SecurID authentication for the
> same users.
>
> Added new parameter DisableMTUDiscovery to ServerRADIUS and
> AuthBy RADIUS. Disables MTU discovery on platforms that support
> that behaviour (currently Linux only). This can be used to
> prevent discarding of certain large RADIUS packet fragments on
> supporting operating systems.
>
> Added support for FramedGroup, StripFromReply, AllowInReply,
> AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested
> by Paul Dekkers.
>
> Monitor and SNMPAgent clauses now support the Identifier
> parameter.
>
> Fixed a problem that prevented Origin-Host being set correctly in
> proxied requests. Reported and patched by Arthur Konovalov.
>
> Added sample hook to hooks.txt which runs in each child and
> closes the Monitor and SNMPAgent ports and reopens them on a
> different port number.
>
> Added OSC-Session-Identifier to dictionary.
>
> Added support for new special character Z which is replaced by
> the RADIUS Identifier in the current packet (if any).
>
> Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses
> current_timestamp() instead of now() for better compatibility
> with more SQL servers. Static password can now be separated from
> the token string with a ':' to ensure they can be identified,
> even with non-standard Yubikey token lengths. Suggestions by
> Jérôme Fleury.
>
> Minor change to log message when a requested EAP type is
> rejected, so the name of the desired type is printed. Patch
> supplied by Alexander Hartmaier.
>
> AuthBy LDAP2 now supports multiple space separated Host names,
> and Net::LDAP will choose the first available one. Patch supplied
> by Raphael Luta.
>
> Fixed a problem which could result in a blank user name in PEAP
> or TTLS or other inner requests under some very unusual
> circumstances. Improved EAP context finding algorithm so inner
> and outer requests with the same User-Name would not collide.
>
>
>
> --
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
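
The HOTP entry in the quoted history mentions replay detection, brute-force detection and counter resynchronisation; the following is an added Python illustration of those three checks around an RFC 4226 verifier, not part of the original post and not Radiator's AuthBy SQLHOTP code. The `HotpAccount` class, the look-ahead window of 5, the lockout after 3 failures and the static password `s3cret` are assumptions made for the example.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpAccount:
    """Hypothetical per-user record; a server would keep this in its database."""

    def __init__(self, secret: bytes, static: str = "", window: int = 5,
                 max_failures: int = 3, digits: int = 6):
        self.secret, self.static, self.digits = secret, static, digits
        self.counter = 0                  # next counter value still acceptable
        self.window = window              # look-ahead for resynchronisation (assumed)
        self.max_failures = max_failures  # lockout threshold (assumed)
        self.failures = 0

    def verify(self, password: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"               # brute-force protection
        # Two-factor form: static password first, one-time-password last.
        static, otp = password[:-self.digits], password[-self.digits:]
        static_ok = hmac.compare_digest(static.encode(), self.static.encode())
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits).encode()
            if static_ok and hmac.compare_digest(expected, otp.encode()):
                self.counter = c + 1      # resync; values <= c can never replay
                self.failures = 0
                return "accept"
        self.failures += 1
        return "reject"

def demo() -> list:
    # Constructed input: the RFC 4226 Appendix D test secret and values.
    acct = HotpAccount(b"12345678901234567890", static="s3cret")
    tries = ["s3cret755224",   # counter 0
             "s3cret755224",   # same value again (replay)
             "s3cret969429",   # counter 3: token ran ahead of the server
             "s3cret287082",   # counter 1: now behind the server counter
             "338314"]         # counter 4 without the static password
    return [acct.verify(t) for t in tries]

if __name__ == "__main__":
    print(demo())
```

Because the stored counter only moves forward, an accepted value and every value before it are rejected afterwards, which is what makes a captured one-time-password useless.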
