[RADIATOR] Radiator Version 4.8 released

Michael ringo at vianet.ca
Thu Apr 28 16:16:24 CDT 2011


Can't seem to download the patches. After accepting the license agreement, it
just keeps returning to the license agreement.




On Thu, 28 Apr 2011, Mike McCauley wrote:

> We are pleased to announce the release of Radiator version 4.8
>
> This version contains some new features and minor bug fixes.
>
> As usual, the new version is available to current licensees from:
> http://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> http://www.open.com.au/radiator/demo-downloads
>
> Licensees with expired access contracts can renew at:
> http://www.open.com.au/renewal.php
>
> An extract from the history file
> http://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
> Revision 4.8 (2011-04-28) New features and some bug fixes.
>
> Fixed a problem in AuthBy EAPBALANCE where no reply from a
> proxied request from the middle of an EAP stream would result in
> unlimited retransmissions of the request. Reported by Keith Ma.
>
> Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
>
> Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
>
> RPM packages were built by default on OpenSuSE with LZMA
> compression, which is not available for all platforms. This new
> Radiator.spec disables LZMA and uses BZ2 instead. In future all
> RPMS will be built with BZ2 compression. New versions of
> Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm
> with BZ2 uploaded.
>
> Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where
> MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and
> TimeStepOrigin parameters were not correctly read, resulting in
> errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew
> Reeves-Hairs.
>
> GetClientQuery was incorrectly using field 25 instead of 27 for
> flags. Documentation for GetClientQuery incorrectly described
> field 25 as being flags instead of ClientHook.
>
> Added SQLRetries parameter to all SQL type clauses. When
> executing a query, Radiator will try up to SQLRetries attempts to
> execute the query, retrying if certain types of SQL error are
> seen. Defaults to 2. Requested by Michael.
>
> Fixed some problems with Radius paths in the RPM on some
> platforms. Rebuilt and uploaded new RPMs.
>
> Improved Client CIDR address searches so a more specific cidr
> would have priority over a less specific cidr. Contributed by
> Nicholas Waples.
>
> Improved ClientListLDAP, added oscRadiusIdentifier &
> oscRadiusDefaultRealm into the default list of
> ClientAttrDefs. These were the only attributes missing from the
> oscRadiusClient ldap schema provided (in goodies). Contributed by
> Nicholas Waples.
>
> In Server TACACSPLUS, the call AuthenticationStartHook now
> includes the priv_lvl and service values from the TACACSPLUS
> request passed as arguments to the hook.
>
> In Server TACACSPLUS, during authentication, we now add
> cisco-avpair attributes to the RADIUS request for action,
> authen_type, priv-lvl and service from the incoming TACACSPLUS
> request.
>
> Improvements to AuthBy URL. Improved HTTP and HTML standards
> compliance by using the LWP::UserAgent methods post() and
> get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication,
> as well as the previously supported PAP. *CHAP challenges and
> responses are encoded as HEX and sent as configurable web
> parameters. Updated the sample config file goodies/url.cfg, and
> improved documentation. Fixed inconsistent password in sample
> test_url_md5.cgi. Cleaned up some of the code to be compliant
> with in-house standards.
>
> Added support for BindAddress in all Ldap derived clauses,
> allowing you to specify a local address for the client side of
> the LDAP connection with BindAddress, in the form
> hostname[:port]. Defaults to 0.0.0.0. Updated sample config
> file. Suggested by Roel Hoek.
>
> Updated AuthBy NTLM so that if an authentication fails, the
> Warning log message records the user name along with the
> Authentication-Error. Suggested by David Zych.
>
> Further improvements to AuthBy URL. Now supports CopyReplyItem
> parameter. If a successful HTTP reply contains a string like
> 'xxx=hexencodedvalue' the value will be copied to the RADIUS
> reply as attribute yyy=value. The value is expected to be HEX
> encoded and will be HEX decoded before adding to the reply.
>
> Fixed a problem where some SQL modules were not being correctly
> initialised, which was revealed when the new SQLRetries was
> added. Reported by Steffen Weinreich.
>
> Further improvements to AuthBy URL. Now supports CopyRequestItem
> parameter. Adds a tagged item to the HTTP request. Format is
> CopyRequestItem xxx yyy. The text of yyy (which may contain
> special characters) will be added to the HTTP request with the
> tag xxx. In the special case where yyy is not defined, the value
> of attribute named xxx will be copied from the incoming RADIUS
> request and added to the HTTP request as the tagged item yyy. All
> values are HEX encoded before adding to the HTTP
> request. Multiple CopyRequestItem parameters are permitted, one
> per line.
>
> Improvements to AuthBy SQLTOTP to implement replay
> detection. This has required an additional column in the sample
> SQL database schema, and changes to the default AuthSelect and
> UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
>
> Testing with the Mera MVTS Pro Voip gateway. OK. Added
> mera-mvts.txt. This document briefly outlines the requirements
> for interfacing Radiator with Mera MVTS Pro VOIP gateways, along
> with examples of the types of requests and replies Radiator can
> be expected to handle when interfacing with MVTS Pro.
>
> Added new command line argument -min_interval to restartWrapper,
> which controls the minimum time interval between successive
> restarts. Contributed by David Zych.
>
> Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH
> soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP),
> and Google Authenticator (HOTP and TOTP). External testing with
> Feitian C200 OTP Tokens and others. All OK.
>
> Added a number of Juniper attributes to dictionary.
>
> Monitor and Server HTTP now support AddToRequest to add
> attributes to the internal RADIUS request they generate when
> authenticating administrator logins to their respective
> interfaces. They also dump these requests when Trace 4 is
> enabled.
>
> Server TACACSPLUS now supports a new parameter
> AuthorizeGroupAttr. If this parameter is specified, it specifies
> the name of an attribute in Access-Accept that will contain
> per-command authorization patterns for authorising TACACS+
> commands. These are processed before any configured-in
> AuthorizeGroup parameters. The command authorization patterns are
> in the same format as supported by AuthorizeGroup. Added a new
> VSA to dictionary OSC-Authorize-Group, which is intended to carry
> per-user reply command authorization patterns.
>
> Improvements to Radiator linux startup script so you can have
> multiple scripts in /etc/init.d/ with different names, and which
> lookup different parameters in /etc/sysconfig. For example, you
> can install the script as /etc/init.d/radiator and
> /etc/init.d/radiator-acct, and it will look up parameters in
> /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further
> improvement is to always use -p RADIUS_PIDFILE to killproc the
> process, rather than the process name.
>
> Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
>
> Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary,
> including OLT-TL1-* and added VALUE definitions for some other
> A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have
> adopted A-ESAM to be compatible with previously existing
> definitions.
>
> Fixed a problem where EAP-MD5 authentications did not honour
> UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".
>
> Fixed a problem where EAP-MD5 authentication by AuthBy LSA
> mysteriously failed. Refactoring of EAP_4 check_chap() to
> AuthGeneric, and thence to AuthLSA. Reported by "Sami
> Keski-Kasari".
>
> Fixed a problem which could cause crashes in
> Socket6::inet_ntop. Reported by James Harton.
>
> Testing on MacOS X 10.6.5. OK.
>
> Added lookupauthgroup.pl Sample PostSearchHook for AuthBy LDAP2,
> which finds user group(s) through an LDAP lookup, then finds
> corresponding check and reply attributes in SQL, based on the
> user group(s) for that user and the device groups of the
> RADIUS/TACACS+ client. This allows you to add very fine
> grained authentication/authorisation in an LDAP/SQL environment,
> based on user and device group membership.
>
> Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR,
> to fix possible session shutdown problems with some TACACS+
> clients.
>
> Fixed incorrect sequence numbers in some TACACS+ packets sent by
> goodies/tacacsplustest that affected interoperation with
> tac_plus. Fixed issues with TACACS+ version numbers that affected
> interoperation with tac_plus.
>
> Added new parameter SingleSession to Server TACACSPLUS which can
> be set to 0 to disable the default behaviour which tries to keep
> the same TCP session for all requests. Setting SingleSession to 0
> forces a TCP disconnect after every authentication, authorisation
> and accounting session. Some TACACS+ clients need this in order
> to operate correctly.
>
> Improvements to AuthBy SQLTOTP so that tokens whose time drifts
> into the future can be authenticated. Patch supplied by Steffen
> Weinreich.
>
> Decoupled AuthGeneric userIsInGroup from getUserGroups so
> subclasses can implement their own group finding.
>
> Added new optional parameters GroupSearchFilter, GroupBaseDN and
> GroupNameCN to specify an LDAP search which will be used to get
> the names of groups this user is a member of. Used to check Group
> check items. Updated sample lookupauthgroup.pl to use the new
> group search function in AuthBy LDAP2.
>
> AuthBy LSA now honours UsernameMatchesWithoutRealm correctly for
> users and groups. Reported by "Sami Keski-Kasari"
> and "Johnson, Neil M".
>
> In AuthBy SQL, the optional GroupMembershipQuery now has the
> groupname available as the second bound variable.
>
> Improvements to Server TACACSPLUS so that it honours the
> TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a
> single session will only be maintained if the Server TACACSPLUS
> SingleSession parameter is set _and_ the client indicates a
> willingness to support single sessions with the
> TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled
> regardless of client options by setting the SingleSession flag to
> 0 (defaults to 1).
>
> Improvements to goodies/tacacsplustest: it now correctly sets the
> TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command
> line parameter is given. It now closes the connection at the end
> of each session unless the -single flag is set and the server
> indicates a willingness to support single connections with the
> TAC_PLUS_SINGLE_CONNECT_FLAG.
>
> Fixed a problem where malformed WiMAX attributes could cause a
> crash. Reported by Mark Sergeant.
>
> Further fixes to Server TACACSPLUS: If SingleSession is set, some
> Cisco TACACS+ clients will close an authentication session after
> the first reply. This is a bug in the client. As a workaround,
> ServerTACACSPLUS.pm now never sets the
> TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki
> Tuomi.
>
> Fixed a typo in linux-radiator.init that prevented traceup and
> tracedown working properly on RHEL5.
>
> Added LOG_WARNING log message if a Tacacs+ request is received by
> Server TACACSPLUS for which no Client could be found.
>
> Improvements to Server TACACSPLUS so expired authentications
> result in ERROR instead of FAIL. Tacacs authorisations are now
> bound to both the username and the peer address, so a user can have
> different authorisations on each device.
>
> Added peer address to a number of warning and info messages
> produced by Server TACACSPLUS for easier diagnosis.
>
> Updated Monitor HELP command documentation to include
> TRACE_PREDICATE.
>
> Fixed problems with linux-radiator.init traceup and tracedown on
> RHEL5.
>
> Improvements to Server TACACSPLUS: Fixed a problem with the new
> AuthorizeGroupAttr that caused authorisation patterns to not be
> reset properly. Server TACACSPLUS now updates the global packet
> counts for each Tacacs+ request received. Database failures that
> IGNORE now cause a Tacacs *_STATUS_ERROR reply.
>
> Added goodies/cisco-vpn.txt a short description on how to
> configure Cisco VPN 3000 Concentrator VPN groups, and the
> limitations thereof.
>
> Fixed a case where Radiator would crash when certain local
> devices tried to connect to a tacacs port.
>
> Added example rule to goodies/tacacsplusserver.cfg showing how to
> use optional tacacs roles, including multiple optional roles.
>
> Added new parameter UnbindAfterServerChecksPassword to AuthBy
> LDAP2, which works around problems with some LDAP
> servers. Normally, when ServerChecksPassword is set, after
> Radiator checks a users password the LDAP connection is not
> unbound. This can cause problems with some LDAP servers (notably
> Oracle ID and Novell eDirectory), where they unexpectedly cause
> the following LDAP query to fail with
> LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after
> each ServerChecksPassword bind.
>
> Added support for new -I command line flag to radiusd, which adds
> an include directory to the module search path. Patch by Heikki
> Vatiainen.
>
> In SqlDb::do(), Sql connections now detect PostgreSQL duplicate
> key violations, which are now not a cause for disconnect. Added
> similar tests to SqlDb::prepareAndExecute().
>
> Added a sample RAdmin configuration file that shows how to record Tacacs+
> commands to the Radmin RADCOMMANDAUDIT table for auditing and
> viewing (RAdmin 1.14 plus latest patches required).
>
> The ServerRADIUS clause now supports AddToRequest, which makes it
> easy to tag requests that arrive by RADIUS to distinguish them from
> those arriving by TACACS+ or Diameter.
>
> Server HTTP log messages are now escaped so that HTML characters
> in the log do not cause display errors. Patch provided by Adam
> Bishop.
>
> Fixed a problem in Auth LDAP2 that could cause a crash if
> ServerChecksPassword and UnbindAfterServerChecksPassword are
> enabled, and certain LDAP errors occur during the
> ServerChecksPassword bind.
>
> Fixed spelling mistake in VENDORATTR Timetra-Home-Directory,
> Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS
> Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400
> switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR
> SAM-Security-Group-Name .
>
> Improvements to IPV6 handling so the absence of Socket6 causes a
> warning message instead of an exit.
>
> Added a number of FreeSwitch accounting VSAs to dictionary. Added
> a brief discussion paper about how to integrate FreeSwitch with
> Radiator. FreeSWITCH is a powerful and versatile telephony
> platform that can scale from a softphone to a PBX and even to a
> carrier-class softswitch.
>
> Log SYSLOG and AuthLog SYSLOG now support special characters in
> LogIdent, LogOpt and LogHost.
>
> TLS Streams, such as used with Radsec did not correctly verify
> certificates for 'hostname' if the Host address was specified in
> Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
>
> Fixed an issue where truncated EAP-Message requests would cause a
> log message like "Could not load EAP module Radius::EAP_"
> ..... This is now logged as invalid EAP type in EAP request and
> rejected. Reported by Daniel Rocha.
>
> Server TACACSPLUS now honours reply attributes correctly for
> ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
>
> Testing with XAMPP on
> Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
> is an excellent, easy to install bundle of useful tools such as
> Apache, MySQL, Perl etc for Windows. It is also a good base for
> installing Radiator on Windows, especially if you wish to use
> Radiator with RAdmin or a MySQL database. Updated installation
> documentation to include XAMPP on Windows.
>
> Added support for Novell eDirectory NMAS (Novell Modular
> Authentication System) to AuthBy LDAP2. NMAS allows Novell
> eDirectory to support and authenticate passwords using the Vasco
> Digipass NMAS method, and other third party token and non-token
> systems. Vasco Response-Only (RO) tokens are only supported since
> NMAS does not currently support challenge-response via
> RADIUS. Sample configuration file included.
>
> Ldap classes now support the "ipv6:" prefix for Ldap server Host
> names. If Host begins with "ipv6:" the subsequent host name(s)
> will be interpreted as IPV6 addresses where possible, and
> Net::LDAP will use INET6 to connect to the LDAP server.
>
> In AddressAllocator SQL, the default AllocateQuery was changed to
> check the STATE during the allocation to catch certain race
> conditions.
>
> With all Ldap clauses, removed the default BindAddress of
> 0.0.0.0. This was unnecessary and interferes in a non-obvious way
> with attempts to use ipv6: in the Host. Reported by Dyonisius
> Visser.
>
> Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
>      RFC4669 - RADIUS Authentication Server MIB for IPv6
>      RFC4671 - RADIUS Accounting Server MIB for IPv6
> The RFCs are included in the distribution.
>
> Improvements to EAP handling to support multiple desired EAP
> types in EAP NAK response, per RFC 3748.
>
> Fixed incorrect error message that referred to
> ServerHTTP. Reported by Karl Gaissmaier.
>
> Added support for PacketTrace to Server TACACSPLUS, Server
> DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
>
> Fixed a problem where attributes of type ipv6prefix (such as
> Framed-IPv6-Prefix) would not be decoded correctly if they had
> fewer than 16 octets. Reported by Lee, Larry KT.
>
> Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even
> if the Called-Station-Id has the SSID of the AP appended as
> described in http://tools.ietf.org/html/rfc3580#section-3.20
>
> Added example perl script rpt.pl which logs packets which match a
> regexp. Contributed by Bart Dumon.
>
> Fixed a problem when using AuthBy RADIUS with Synchronous and
> Fork that if the secrets don't match (resulting in "Bad
> authenticator received in reply to ID 1. Reply is ignored"), this
> creates forked processes that never terminate and have to be
> manually force-killed. Reported by David Zych.
>
> Fixed a number of innocuous warnings when radiusd is run with
> perl -w.
>
> Added usage documentation for author_args in tacacsplustest.
>
> In AuthSQL, GroupMembershipQuery is now not passed any bind
> variables. If you wish to use bind variables with
> GroupMembershipQuery, use the new GroupMembershipQueryParam.
>
> Fixed a problem with Server HTTP where some versions of Firefox
> would hang when trying to access localhost:9048. Also fixed some
> innocuous warnings when run with the -w flag.
>
> Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some
> cases with some versions of Sys::Syslog, the loghost was not set
> correctly. Reported by Klara Mall.
>
> radiusd now unlinks PidFile during an orderly shutdown. Suggested
> by Klara Mall to prevent startup scripts being confused by stale
> PID files.
>
> Improvements to AddressAllocator SQL: If CheckPoolQuery is set to
> an empty string, no pool checking will be done at startup. If
> AddAddressQuery is set to an empty string, addresses will not be
> automatically added to the pool.
>
> Testing against RadiusGINA, a Windows RADIUS login authenticator
> from LSE http://lsexperts.de/. Works well, and easy to install.
>
> Fixed a problem in TLS Stream based protocols (such as AuthBy
> RADSEC, AuthBy DNSROAM etc.), where ConnectOnDemand would not work
> correctly in the case where a TLS connection was being
> established and failed. Reported by Stefan Winter.
>
> Added goodies/radiusgina.txt, a brief introduction to RadiusGINA,
> a Windows RADIUS login authenticator from LSE http://lsexperts.de
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>

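Two of the Client-lookup changes in the quoted history (most-specific CIDR wins over a less specific one; MAC:nn-nn-nn-nn-nn-nn clients still match when the Called-Station-Id carries a ":SSID" suffix per RFC 3580 section 3.20) are easy to get wrong when reimplementing or auditing a NAS table. The following Python is an added example written for this page, not Radiator's own code: the client table, the MAC-before-CIDR ordering and the case folding of the MAC are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed client table (hypothetical; not a Radiator configuration).
# Keys are the identifiers a Client clause would carry: CIDR networks keyed
# on the NAS source address, and MAC:... entries keyed on Called-Station-Id.
CLIENTS = {
    "10.0.0.0/8": "corp-default",
    "10.20.0.0/16": "branch-20",
    "10.20.5.0/24": "branch-20-lab",
    "MAC:00-10-A4-23-19-C0": "ap-lobby",
}

# RFC 3580 s3.20 Called-Station-Id: "XX-XX-XX-XX-XX-XX" optionally followed by ":SSID".
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})(?::.*)?$")


def normalise_called_station_id(called_station_id):
    """Return the MAC part of a Called-Station-Id with any ':SSID' suffix
    removed and upper-cased (case folding is an assumption here), or None
    if the value is not in MAC form."""
    m = MAC_RE.match(called_station_id)
    if not m:
        return None
    return m.group(1).upper()


def find_client(src_ip, called_station_id=None):
    """Select the client entry for a request.

    1. A MAC:... entry matching the request's Called-Station-Id wins first
       (ordering assumed for this example).
    2. Otherwise the CIDR entry containing src_ip with the longest prefix
       wins, so 10.20.5.0/24 beats 10.20.0.0/16 beats 10.0.0.0/8.
    Returns (key, name) or None if nothing matches.
    """
    if called_station_id:
        mac = normalise_called_station_id(called_station_id)
        if mac:
            key = "MAC:" + mac
            if key in CLIENTS:
                return key, CLIENTS[key]

    addr = ipaddress.ip_address(src_ip)
    best = None  # (network, key, name) with the longest prefix seen so far
    for key, name in CLIENTS.items():
        if key.startswith("MAC:"):
            continue
        net = ipaddress.ip_network(key, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key, name)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    print(find_client("10.20.5.7"))
    print(find_client("192.168.1.1", "00-10-a4-23-19-c0:CorpWiFi"))
```

Because the CIDR search keeps the longest matching prefix rather than the first hit, the result does not depend on the order in which Client clauses were listed; a request from an unknown address with no MAC match falls through to None, which is where a server should log and drop rather than guess.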

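The quoted history describes three related changes to AuthBy SQLTOTP: replay detection backed by an extra column, acceptance of tokens whose clock has drifted into the future, and the MaxBadLogins / DelayWindow / TimeStep / TimeStepOrigin parameters. The following Python is an added example written for this page, not Radiator's code or schema; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and models the per-user state as a small object whose field names (last_step, bad_logins) are assumptions standing in for whatever columns a real schema would use.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{d}d}".format(code % (10 ** digits), d=digits)


def totp(secret, now, step=30, origin=0, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor((now - origin) / step).
    `step` and `origin` play the role of TimeStep and TimeStepOrigin."""
    return hotp(secret, (int(now) - origin) // step, digits)


class TotpRecord:
    """Per-user state as a database row would hold it (constructed for this
    example; field names are assumptions, not Radiator's sample schema)."""

    def __init__(self, secret):
        self.secret = secret
        self.last_step = -1   # highest time step already accepted: the replay guard
        self.bad_logins = 0   # consecutive failures, compared against MaxBadLogins


def verify_totp(rec, code, now, step=30, origin=0, delay_window=1, max_bad_logins=3):
    """Accept `code` if it matches some step within +/- delay_window of the
    server's current step (so a token running a little fast or slow still
    works), provided that step is newer than the last accepted one (so a
    captured code cannot be replayed) and the account is not locked out.
    Returns (ok, reason)."""
    if rec.bad_logins >= max_bad_logins:
        return False, "locked"
    current = (int(now) - origin) // step
    for candidate in range(current - delay_window, current + delay_window + 1):
        # Constant-time comparison so a wrong digit is not distinguishable by timing.
        if hmac.compare_digest(hotp(rec.secret, candidate), code):
            if candidate <= rec.last_step:
                rec.bad_logins += 1
                return False, "replay"
            rec.last_step = candidate
            rec.bad_logins = 0
            return True, "ok"
    rec.bad_logins += 1
    return False, "bad-code"


if __name__ == "__main__":
    # Demo with the RFC 4226 / RFC 6238 reference secret (constructed input).
    secret = b"12345678901234567890"
    rec = TotpRecord(secret)
    print(verify_totp(rec, totp(secret, time.time()), time.time()))
    print(verify_totp(rec, totp(secret, time.time()), time.time()))  # second use: replay
```

The replay guard is the reason the history notes an extra column: without a persisted "last accepted step" a code remains valid for the whole window, so anyone who shoulder-surfs or sniffs it has up to (2 * delay_window + 1) * step seconds to reuse it. Storing the step, not the code, also covers the future-drift case: once a code one step ahead is accepted, the current-step code that would otherwise still be valid is rejected as older.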