[RADIATOR] Radiator Version 4.5.1 released

Mike McCauley mikem at open.com.au
Thu Feb 4 22:31:42 CST 2010

We are pleased to announce the release of Radiator version 4.6

This version contains some new features and minor bug fixes.

As usual, the new version is available to current licensees from:

and to current evaluators from:

Licensees with expired access contracts can renew at:

An extract from the history file
http://www.open.com.au/radiator/history.html is below:


Revision 4.6 (2010-02-05) New features and some bug fixes.

Improved AuthLog SYSLOG to support multiple SYSLOG clauses with
different LogHost and LogSock options. No comnpatible with
multiple Log SYSLOG clauses. Reported by "Martin van der Walle".

Improvements to example init script for Linux in linux-radiator.init, to be 
compliant with LSB requirements in http://wiki.debian.org/LSBInitScripts 

AuthBy LDAP2 now detects LDAP_INVALID_DN_SYNTAX errors and
interprets them as a per-request error and not a connection
failure. When LDAP_INVALID_DN_SYNTAX error occurs, the LDAP
connection wil not be shut down. Requested by Dawn Lovell.

Fixed a problem in Server TACACSPLUS where an AuthorizeGroup of the form  
        AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet"}
 (ie with double quotes surrounding the predicate) would result
 in the autocmd being sent incorrectly with 2 equals signs.

AuthBy SQLYUBIKEY now supports static passwords in any format
supported by Radiator, including plaintext, {SHA}, {crypt},
{MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd},
{NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also
supported. Suggested by Jerome Fleury.

Minor updates to Yubikey documentation to reflect the fact that
AES keys must be programmed into each Yubikey before being
imported into the SQLYUBIKEY database. Changes to AuthBy
SQLYUBIKEY default SQL queries to work better with databases
where the tokenID and AES key are in Hex. Yubikey keys may now be
present in the database in either hex (no spaces) or base64
format. But the default queries assume the Token ID and AES
secret are in Hex, and that there is a one-to-one mapping between
users and Yubikeys. Other options are available with custom SQL

Fixed a problem in AuthBy SQLYUBIKEY where it would sometimes
incorrectly detect a replay attack in during multiple
authentication of the same Yubikey session. General improvements
to the AuthBy SQLYUBIKEY replay detection. Replay detection now
uses the session counter and the session_use counter. The
timestamp is not used. The database column that previously held
the timestamp_low is used for the session_use counter. The
database column that previously held the timestamp_high is not

Updated install.html installation instructions for Windows.

Improvements to AuthBy EAPBALANCE and AuthBy HASHBALANCE to work
better in multi-AP roaming TTLS/PEAP session resumption
environments. The default behaviour of AuthBy HASHBALANCE is to
compute the HASH based on the same attributes as the EAP
context. This prevents false detection of loss of continuity in
EAP streams. AuthBy EAPBALANCE now sets the State in all replies
in an EAP stream, not just the first, in order to work correctly
with some non-compliant APs. AuthBy HASHBALANCE is deprecated in
favour of AuthBy EAPBALANCE in any EAP-capable environment.

In Server DIAMETER, fixed a problem that prevented some RADIUS
reply attributes being correctly translated into Diameter reply

Added new module AuthBy SQLMOTP for MOTP authentication, a new
strong, two-factor authentication with mobile phones. See
http://motp.sourceforge.net for details. Sample configuration and
SQL schema supplied. Modifications to radpwtst to support new
-motp_secret flag, allowing it to be used to test AuthBy SQLMOTP
          radpwtst -noacct -motp_secret 7ac61d4736f51a2b -password 1234


The password argument is used as the MOTP PIN, and the
motp_secret is used as the MOTP secret key. AuthBy SQLMOTP
originally submitted by Jerome Fleury.

In diapwtst, fixed a problem that would result in an incorrect
status report: "Unexpected result code: DIAMETER_SUCCESS".

Improvements to the internal structure of ServerDIAMETER.pm,
making it easier to override handling of specific Diameter
request types.

Fixed a problem with AuthBy VOLUMEBALANCE, where if multiple
failed hosts are configured with FailureBackoffTime of 0, it was
possible for a request to be handed to each host in turn forever.

Added new sample configuration file goodies/crypto-mas.cfg,
showing how to proxy requests to the Cryptocard MAS (Managed
Authentication Service) CRYPTO-MAS. See

Added new parameter MaxTargetHosts to AuthBy
VOLUMEBALANCE. Limits the number of different hosts a request
will be proxied to in the case of no reply. Defaults to 0 which
mean no limit: if the load balancer does not receive a reply from
a host, it will keep trying until all hosts are exhausted.

Improvements tp RPM spec file to permit installation with Perls
that do not include /usr/lib/perl5/site_perl/, such as
SLES. Reported by Frank Messie.

Improvements to the rpm: make target so the RPM build correctly
uses the local perl version number for links in the Perl
lib. Contributed by Bjoern.

Updated expired test certificates.

Fixed a problem with incorrect type in replies to proxied
Change-Filter-Request. Reported by Belmont Cheung.

Added support for UpdateQuery in SessionDatabase SQL. Patch
supplied by Jose Borges Ferreira.

Added support for RFC 4818 compliant packing and unpacking of
Delegated-IPv6-Prefix. Added new dictionary type ipv6prefix.

The TacacsPlus group cache GroupCacheFile now uses the IP address
of the client as part of the key, so that in situations where the
group name depends on the client the correct group name wil be

Some Expiration check items in the sample users file had actually
expired, causing the test suite to incorrectly fail on tests 2l,
2m, 3g and 3h.

Fixed a problem that could cause incorrect authentication of HOTP
passwords with leading zeroes.

Added support for TOTP (Time-based one-time-passwords) as
specified in draft-mraihi-totp-timebased-04.txt. Sample
configuration and database schema included.

Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

More information about the radiator mailing list