[RADIATOR] Radiator Version 4.5 released
Mike McCauley
mikem at open.com.au
Fri Oct 30 17:51:20 CDT 2009
Hello Jérôme,
On Friday 30 October 2009 08:38:36 pm Jérôme Fleury wrote:
> Hi.
>
> Is it me or AuthSQLYUBIKEY.pm is not included in the tarball ??
It's not you: it was incorrectly omitted. It is now in the latest patch set.
Thanks for reporting it.
Cheers.
>
> On Tue, Oct 27, 2009 at 01:20, Mike McCauley <mikem at open.com.au> wrote:
> > We are pleased to announce the release of Radiator version 4.5
> >
> > This version contains some significant new modules, such as support for
> > Yubikey tokens from Yubico (http://www.yubico.com), support for HOTP (RFC
> > 4226) one-time-passwords and a number of bug fixes.
> >
> > As usual, the new version is available to current licensees from:
> > http://www.open.com.au/radiator/downloads/
> >
> > and to current evaluators from:
> > http://www.open.com.au/radiator/demo-downloads
> >
> > Licensees with expired access contracts can renew at:
> > http://www.open.com.au/renewal.php
> >
> > An extract from the history file
> > http://www.open.com.au/radiator/history.html is below:
> >
> >
> >
> > Revision 4.5 (2009-10-27) New features and bug fixes
> >
> > Fixed a bug that could cause a crash at startup if the listening
> > RADIUS port could not be opened due for example to an
> > unresolvable bind address. The error message was "Not a CODE
> > reference at Radius/ServerRADIUS.pm". Reported by Thomas
> > Schlottke.
> >
> > Significant performance improvements in Select::add_timeout. Now
> > uses binary search for the insertion point, rather than resorting
> > the whole list every time.
> >
> > Added support for authenticating Yubikey tokens from
> > Yubico (http://www.yubico.com). Yubikeys are small, inexpensive
> > USB tokens for one-time-password authentication. Added sample
> > configuration file and descriptive test file. Supports one and 2
> > factor authentication, replay detection etc.
> >
> > Fixed a problem with AuthBy LDAPRADIUS which would cause a crash
> > during initialization.
> >
> > Improvements to ServerTACACSPLUS so it can find an appropriate
> > Client clause even if the reverse DNS is screwy. Suggested by
> > Ranko Zivojnovic.
> >
> > Fixed a problem with resolution of IPv6 addresses on some
> > platforms such as Solaris. Some debug messages were inadvertently
> > left in Util::gethostbyname for ipv6. Reported by Sami
> > Keski-Kasari.
> >
> > Fixed a problem with heavily loaded server farms where a SIGHUP
> > of the process leader could cause inability to bind to the
> > listening ports after restart. Radiusd now waits for all farm
> > children to die before restarting. Reported by Dan Cachola.
> >
> > Added support for HOTP (RFC 4226) one-time-passwords with AuthBy
> > SQLHOTP. HOTP one-time-passwords are authenticated based on a
> > secret key stored in an SQL database. Detects replay attacks and
> > brute-force attacks and counter resynchronisation. Can also
> > support static passwords for 2 factor authentication when the
> > user prefixes their static password before the HOTP
> > one-time-password. Supports authentication by RADIUS PAP, EAP-OTP
> > and EAP-GTC. Includes sample configuration file and sample
> > database schema with test users.
> >
> > Added support for IdleTimeout to Server TACACSPLUS. If a client
> > stays connected for more than this number of seconds without
> > sending any requests it will be disconnected. Defaults to 180
> > seconds. Requested by Yevgeniy Averin.
> >
> > Added new parameter UseContentsForDuplicateDetection to
> > Client. This must be used in a server farm environment. The back
> > end servers in a server farm will receive requests from a range
> > of source ports. Duplicates received by the front ends and
> > proxied to the back ends may appear to come from a range of
> > source ports and with a range of RADIUS identifiers. This flag
> > causes duplicate detection to be based on the contents of the
> > packet, and not on the 'envelope'. This permits duplicates to be
> > detected regardless of the path they take to get from the NAS
> > to the server. It must be set in the Client clauses of the back
> > end servers of a server farm architecture.
> >
> > Fixed a problem with the MIB name in CiscoSessionMIB. Reported by
> > Tim Wolgemuth.
> >
> > Added support for UseContentsForDuplicateDetection to ClientList
> > SQL. If the SQL queries returns a row 26, it will be used as the
> > UseContentsForDuplicateDetection flag.
> >
> > Fixed a problem where some type of authentication would
> > incorrectly succeed when NoEAP was in use. Reported by Heinrich
> > Mislik.
> >
> > Added a new ReplyHook flag to AuthBy RADIUS so that hooks can
> > signal the fact that a request has been redirected, and not to
> > generate a reply from the AuthBy RADIUS. Sample configuration
> > file in goodies/rejectproxy.cfg
> >
> > Fixed a problem with duplicate replies in test suite.
> >
> > When Trace -1 is enabled, prints the PID in the "currently
> > handling" message. Suggested by Robert Patrick.
> >
> > Added various Trapeze VSAs to dictionary, contributed by Andrew
> > Clark.
> >
> > Type of WiMAX-IP-Redirection-Rule in dictionary changed to
> > string. Suggested by Garima Mahadik.
> >
> > Fixed a problem reported with TLS where, under unusual
> > circumstances during a proxied TLS authentication,
> > Net::SSLeay::SESSION_get_master_key could crash due to the TLS
> > session being invalidated. Reported by Matti Saarinen.
> >
> > Added a number of Infoblox VSAs to dictionary. Provided by Andrew
> > D. Clark.
> >
> > Fixed a problem with AuthBy PAM on Solaris: if a request without
> > a username is received, it can cause PAM to go into an infinite
> > loop with messages like: "DEBUG: PAM is asking for 2: 'Please
> > enter user name'". Reported by Markus Moeller.
> >
> > Added a number of Huawei VSAs to dictionary.
> >
> > Reinstated changes to password decoding introduced in version 4
> > that meant that certain non-compliant password encryptions were
> > not decrypted properly. Reported by Roland Rosenfeld.
> >
> > Fixed a problem in ClientList SQL and ClientListLDAP where if the
> > client creation phase fails, it could cause a subsequent crash
> > when findDuplicate() is called within Client.pm. Reported by
> > Shirley Wou.
> >
> > Added placeholders for Symbol (388) VSAs to dictionary.
> >
> > Packets created by EAP-TTLS for proxying now add
> > Message-Authenticator if there is an EAP-Message. This ensures
> > that if the packet is proxied to another RADIUS server, the lack
> > of EAP-Message won't prevent processing of the request.
> >
> > Fixed a problem in the StreamTLS certificate verification where
> > it does the subjectAltName checks incorrectly if both URI and (IP
> > or DNS) are checked. It never checks the IP or DNS. Reported by
> > Heikki Vatiainen.
> >
> > Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC
> > and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
> >
> > Fixed a problem where AuthBy DNSROAM did not correctly set
> > ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy
> > RADIUS. Reported by Heikki Vatiainen.
> >
> > Added new attributes from RFC5607 to dictionary.
> >
> > Added new attributes from RFC5580 to dictionary.
> >
> > Fixed a problem that prevented replies to Disconnect-Request and
> > Change-Filter-Request from getting their Authenticator correctly
> > computed. Reported by Jack Ho.
> >
> > For classes that use Stream connections (such as AuthBy RADIUS,
> > ApplePasswordServer), if ConnectOnDemand is set, then, Stream
> > always blocks until the connect either succeeds or
> > fails. Requested by Sam Lin.
> >
> > Stream classes now support special characters in Host,
> > HostAddress, ReconnectTimeout. Requested by Sam Lin.
> >
> > Added example Radiator configuration file and hook, showing how
> > to support both RSA OnDemand and SecurID authentication for the
> > same users.
> >
> > Added new parameter DisableMTUDiscovery to ServerRADIUS and
> > AuthBy RADIUS. Disables MTU discovery on platforms that support
> > that behaviour (currently Linux only). This can be used to
> > prevent discarding of certain large RADIUS packet fragments on
> > supporting operating systems.
> >
> > Added support for FramedGroup, StripFromReply, AllowInReply,
> > AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested
> > by Paul Dekkers.
> >
> > Monitor and SNMPAgent clauses now support the Identifier
> > parameter.
> >
> > Fixed a problem that prevented Origin-Host being set correctly in
> > proxied requests. Reported and patched by Arthur Konovalov.
> >
> > Added sample hook to hooks.txt which runs in each child and
> > closes the Monitor and SNMPAgent ports and reopens them on a
> > different port number.
> >
> > Added OSC-Session-Identifier to dictionary.
> >
> > Added support for new special character Z which is replaced by
> > the RADIUS Identifier in the current packet (if any).
> >
> > Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses
> > current_timestamp() instead of now() for better compatibility
> > with more SQL servers. Static password can now be separated from
> > the token string with a ':' to ensure they can be identified,
> > even with non-standard Yubikey token lengths. Suggestions by
> > Jérôme Fleury.
> >
> > Minor change to log message when a requested EAP type is
> > rejected, so the name of the desired type is printed. Patch
> > supplied by Alexander Hartmaier.
> >
> > AuthBy LDAP2 now supports multiple space separated Host names,
> > and Net::LDAP will choose the first available one. Patch supplied
> > by Raphael Luta.
> >
> > Fixed a problem which could result in a blank user name in PEAP
> > or TTLS or other inner requests under some very unusual
> > circumstances. Improved EAP context finding algorithm so inner
> > and outer requests with the same User-Name would not collide.
> >
> >
> >
> > --
> > Mike McCauley mikem at open.com.au
> > Open System Consultants Pty. Ltd
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > http://www.open.com.au Phone +61 7 5598-7474 Fax
> > +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
> > on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
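
The HOTP behaviour the release notes describe for AuthBy SQLHOTP (replay detection, brute-force detection, counter resynchronisation, static password prefixed to the one-time-password) can be sketched as follows. This is an added example, not Radiator's code and not part of the original messages: state is held in memory rather than SQL, and the class name, `lookahead` window and `max_failures` threshold are assumptions. The secret is the RFC 4226 Appendix D test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Per-user state; lookahead and max_failures are assumed policy values."""
    def __init__(self, secret, static_password="", lookahead=3, max_failures=5):
        self.secret, self.static_password = secret, static_password
        self.lookahead, self.max_failures = lookahead, max_failures
        self.counter = 0   # lowest counter value still acceptable
        self.failures = 0  # consecutive failed attempts

    def verify(self, submitted: str, digits: int = 6) -> str:
        if self.failures >= self.max_failures:
            return "locked"  # brute-force protection: stop evaluating guesses
        static, otp = submitted[:-digits], submitted[-digits:]
        static_ok = hmac.compare_digest(static.encode(), self.static_password.encode())
        match = None
        # Resynchronisation: accept a token that ran ahead by up to `lookahead`.
        for c in range(self.counter, self.counter + self.lookahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, digits).encode(), otp.encode()):
                match = c
        if static_ok and match is not None:
            self.counter = match + 1  # this value and all earlier ones are spent
            self.failures = 0
            return "accept"
        self.failures += 1
        return "reject"

def demo():
    v = HotpVerifier(b"12345678901234567890", static_password="pin1")  # RFC test key
    tries = ["pin1755224",  # counter 0
             "pin1755224",  # replay of counter 0
             "pin1969429",  # counter 3, token ran ahead of the server
             "pin1287082",  # counter 1, skipped and now spent
             "bad!338314"]  # correct OTP for counter 4, wrong static password
    return [v.verify(t) for t in tries]

if __name__ == "__main__":
    print(demo())
```

Replay rejection falls out of moving the stored counter past every accepted value, so the counter update has to be persisted atomically with the accept decision in any shared store.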