[RADIATOR] Radiator Version 4.8 released

Mike McCauley mikem at open.com.au
Thu Apr 28 16:22:28 CDT 2011


Hi Michael,

thanks for reporting this.
The patch set is now available, although there are currently no patches in it.

Cheers.

On Friday 29 April 2011 07:16:24 am Michael wrote:
> Can't seem to download the patches.  after accepting the license agreement,
> it just keeps returning to the license agreement.
>
> On Thu, 28 Apr 2011, Mike McCauley wrote:
> > We are pleased to announce the release of Radiator version 4.8
> >
> > This version contains some new features and minor bug fixes.
> >
> > As usual, the new version is available to current licensees from:
> > http://www.open.com.au/radiator/downloads/
> >
> > and to current evaluators from:
> > http://www.open.com.au/radiator/demo-downloads
> >
> > Licensees with expired access contracts can renew at:
> > http://www.open.com.au/renewal.php
> >
> > An extract from the history file
> > http://www.open.com.au/radiator/history.html is below:
> >
> > -----------------------------
> > Revision 4.8 (2011-04-28) New features and some bug fixes.
> >
> > Fixed a problem in AuthBy EAPBALANCE where no reply from a
> > proxied request from the middle of an EAP stream would result in
> > unlimited retransmissions of the request. Reported by Keith Ma.
> >
> > Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
> >
> > Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil
> > Johnson.
> >
> > RPM packages were built by default on OpenSuSE with LZMA
> > compression, which is not available for all platforms. This new
> > Radiator.spec disables LZMA and uses BZ2 instead. In future all
> > RPMS will be built with BZ2 compression. New versions of
> > Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm
> > with BZ2 uploaded.
> >
> > Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where
> > MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and
> > TimeStepOrigin parameters were not correctly read, resulting in
> > errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew
> > Reeves-Hairs.
> >
> > GetClientQuery was incorrectly using field 25 instead of 27 for
> > flags. Documentation for GetClientQuery incorrectly described
> > field 25 as being flags instead of ClientHook.
> >
> > Added SQLRetries parameter to all SQL type clauses. When
> > executing a query, Radiator will try up to SQLRetries attempts to
> > execute the query, retrying if certain types of SQL error are
> > seen. Defaults to 2. Requested by Michael.
> >
> > Fixed some problems with Radius paths in the RPM on some
> > platforms. Rebuilt and uploaded new RPMs.
> >
> > Improved Client CIDR address searches so a more specific cidr
> > would have priority over a less specific cidr. Contributed by
> > Nicholas Waples.
> >
> > Improved ClientListLDAP, added oscRadiusIdentifier &
> > oscRadiusDefaultRealm into the default list of
> > ClientAttrDef's. These were the only attributes missing from the
> > oscRadiusClient LDAP schema provided (in goodies). Contributed by
> > Nicholas Waples.
> >
> > In Server TACACSPLUS, the call AuthenticationStartHook now
> > includes the priv_lvl and service values from the TACACSPLUS
> > request passed as arguments to the hook.
> >
> > In Server TACACSPLUS, during authentication, we now add
> > cisco-avpair attributes to the RADIUS request for action,
> > authen_type, priv-lvl and service from the incoming TACACSPLUS
> > request.
> >
> > Improvements to AuthBy URL. Improved HTTP and HTML standards
> > compliance by using the LWP::UserAgent methods post() and
> > get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication,
> > as well as the previously supported PAP. *CHAP challenges and
> > responses are encoded as HEX and sent as configurable web
> > parameters. Updated the sample config file goodies/url.cfg, and
> > improved documentation. Fixed inconsistent password in sample
> > test_url_md5.cgi. Cleaned up some of the code to be compliant
> > with in-house standards.
> >
> > Added support for BindAddress in all Ldap derived clauses,
> > allowing you to specify a local address for the client side of
> > the LDAP connection with BindAddress, in the form
> > hostname[:port]. Defaults to 0.0.0.0. Updated sample config
> > file. Suggested by Roel Hoek.
> >
> > Updated AuthBy NTLM so that if an authentication fails, the
> > Warning log message records the user name along with the
> > Authentication-Error. Suggested by David Zych.
> >
> > Further improvements to AuthBy URL. Now supports the CopyReplyItem
> > parameter. If a successful HTTP reply contains a string like
> > 'xxx=hexencodedvalue', the value will be copied to the RADIUS
> > reply as attribute yyy=value. The value is expected to be HEX
> > encoded and will be HEX decoded before adding to the reply.
> >
> > Fixed a problem where some SQL modules were not being correctly
> > initialised, which was revealed when the new SQLRetries was
> > added. Reported by Steffen Weinreich.
> >
> > Further improvements to AuthBy URL. Now supports the CopyRequestItem
> > parameter. Adds a tagged item to the HTTP request. Format is
> > CopyRequestItem xxx yyy. The text of yyy (which may contain
> > special characters) will be added to the HTTP request with the
> > tag xxx. In the special case where yyy is not defined, the value
> > of the attribute named xxx will be copied from the incoming RADIUS
> > request and added to the HTTP request as the tagged item yyy. All
> > values are HEX encoded before adding to the HTTP
> > request. Multiple CopyRequestItem parameters are permitted, one
> > per line.
> >
> > Improvements to AuthBy SQLTOTP to implement replay
> > detection. This has required an additional column in the sample
> > SQL database schema, and changes to the default AuthSelect and
> > UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
> >
> > Testing with the Mera MVTS Pro Voip gateway. OK. Added
> > mera-mvts.txt. This document briefly outlines the requirements
> > for interfacing Radiator with Mera MVTS Pro VOIP gateways, along
> > with examples of the types of requests and replies Radiator can
> > be expected to handle when interfacing with MVTS Pro.
> >
> > Added new command line argument -min_interval to restartWrapper,
> > which controls the minimum time interval between successive
> > restarts. Contributed by David Zych.
> >
> > Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH
> > soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP),
> > and Google Authenticator (HOTP and TOTP). External testing with
> > Feitian C200 OTP Tokens and others. All OK.
> >
> > Added a number of Juniper attributes to dictionary.
> >
> > Monitor and Server HTTP now support AddToRequest to add
> > attributes to the internal RADIUS request they generate when
> > authenticating administrator logins to their respective
> > interfaces. They also dump these requests when Trace 4 is
> > enabled.
> >
> > Server TACACSPLUS now supports a new parameter
> > AuthorizeGroupAttr. If this parameter is specified, it specifies
> > the name of an attribute in Access-Accept that will contain
> > per-command authorization patterns for authorising TACACS+
> > commands. These are processed before any configured-in
> > AuthorizeGroup parameters. The command authorization patterns are
> > in the same format as supported by AuthorizeGroup. Added a new
> > VSA to dictionary OSC-Authorize-Group, which is intended to carry
> > per-user reply command authorization patterns.
> >
> > Improvements to Radiator linux startup script so you can have
> > multiple scripts in /etc/init.d/ with different names, and which
> > lookup different parameters in /etc/sysconfig. For example, you
> > can install the script as /etc/init.d/radiator and
> > /etc/init.d/radiator-acct, and it will look up parameters in
> > /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further
> > improvement is to always use -p RADIUS_PIDFILE to killproc the
> > process, rather than the process name.
> >
> > Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
> >
> > Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary,
> > including OLT-TL1-* and added VALUE definitions for some other
> > A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have
> > adopted A-ESAM to be compatible with previously existing
> > definitions.
> >
> > Fixed a problem where EAP-MD5 authentications did not honour
> > UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".
> >
> > Fixed a problem where EAP-MD5 authentication by AuthBy LSA
> > mysteriously failed. Refactoring of EAP_4 check_chap() to
> > AuthGeneric, and thence to AuthLSA. Reported by "Sami
> > Keski-Kasari".
> >
> > Fixed a problem which could cause crashes in
> > Socket6::inet_ntop. Reported by James Harton.
> >
> > Testing on MacOS X 10.6.5. OK.
> >
> > Added lookupauthgroup.pl, a sample PostSearchHook for AuthBy LDAP2,
> > which finds user group(s) through an LDAP lookup, then finds
> > corresponding check and reply attributes in SQL, based on the
> > user group(s) for that user and the device groups of the
> > RADIUS/TACACS+ client. This allows you to add very fine-grained
> > authentication/authorisation in an LDAP/SQL environment,
> > based on user and device group membership.
> >
> > Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR,
> > to fix possible session shutdown problems with some TACACS+
> > clients.
> >
> > Fixed incorrect sequence numbers in some TACACS+ packets sent by
> > goodies/tacacsplustest that affected interoperation with
> > tac_plus. Fixed issues with TACACS+ version numbers that affected
> > interoperation with tac_plus.
> >
> > Added new parameter SingleSession to Server TACACSPLUS which can
> > be set to 0 to disable the default behaviour which tries to keep
> > the same TCP session for all requests. Setting SingleSession to 0
> > forces a TCP disconnect after every authentication, authorisation
> > and accounting session. Some TACACS+ clients need this in order
> > to operate correctly.
> >
> > Improvements to AuthBy SQLTOTP so that tokens whose time drifts
> > into the future can be authenticated. Patch supplied by Steffen
> > Weinreich.
> >
> > Decoupled AuthGeneric userIsInGroup from getUserGroups so
> > subclasses can implement their own group finding.
> >
> > Added new optional parameters GroupSearchFilter, GroupBaseDN and
> > GroupNameCN to specify an LDAP search which will be used to get
> > the names of groups this user is a member of. Used to check Group
> > check items. Updated sample lookupauthgroup.pl to use the new
> > group search function in AuthBy LDAP2.
> >
> > AuthBy LSA now honours UsernameMatchesWithoutRealm correctly for
> > users and groups. Reported by "Sami Keski-Kasari"
> > and "Johnson, Neil M".
> >
> > In AuthBy SQL, the optional GroupMembershipQuery now has the
> > groupname available as the second bound variable.
> >
> > Improvements to Server TACACSPLUS so that it honours the
> > TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a
> > single session will only be maintained if the Server TACACSPLUS
> > SingleSession parameter is set _and_ the client indicates a
> > willingness to support single sessions with the
> > TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled
> > regardless of client options by setting the SingleSession flag to
> > 0 (defaults to 1).
> >
> > Improvements to goodies/tacacsplustest: it now correctly sets the
> > TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command
> > line parameter is given. It now closes the connection at the end
> > of each session unless the -single flag is set and the server
> > indicates a willingness to support single connections with the
> > TAC_PLUS_SINGLE_CONNECT_FLAG.
> >
> > Fixed a problem where malformed WiMAX attributes could cause a
> > crash. Reported by Mark Sergeant.
> >
> > Further fixes to Server TACACSPLUS: If SingleSession is set, some
> > Cisco TACACS+ clients will close an authentication session after
> > the first reply. This is a bug in the client. As a workaround,
> > ServerTACACSPLUS.pm now never sets the
> > TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki
> > Tuomi.
> >
> > Fixed a typo in linux-radiator.init that prevented traceup and
> > tracedown working properly on RHEL5.
> >
> > Added LOG_WARNING log message if a Tacacs+ request is received by
> > Server TACACSPLUS for which no Client could be found.
> >
> > Improvements to Server TACACSPLUS so expired authentications
> > result in ERROR instead of FAIL. Tacacs authorisations are now
> > bound to both the username and the peer address, so users can have
> > different authorisations on each device.
> >
> > Added peer address to a number of warning and info messages
> > produced by Server TACACSPLUS for easier diagnosis.
> >
> > Updated Monitor HELP command documentation to include
> > TRACE_PREDICATE.
> >
> > Fixed problems with linux-radiator.init traceup and tracedown on
> > RHEL5.
> >
> > Improvements to Server TACACSPLUS: Fixed a problem with the new
> > AuthorizeGroupAttr that caused authorisation patterns to not be
> > reset properly. Server TACACSPLUS now updates the global packet
> > counts for each Tacacs+ request received. Database failures that
> > IGNORE now cause a Tacacs *_STATUS_ERROR reply.
> >
> > Added goodies/cisco-vpn.txt a short description on how to
> > configure Cisco VPN 3000 Concentrator VPN groups, and the
> > limitations thereof.
> >
> > Fixed a case where Radiator would crash when certain local
> > devices tried to connect to a tacacs port.
> >
> > Added example rule to goodies/tacacsplusserver.cfg showing how to
> > use optional tacacs roles, including multiple optional roles.
> >
> > Added new parameter UnbindAfterServerChecksPassword to AuthBy
> > LDAP2, which works around problems with some LDAP
> > servers. Normally, when ServerChecksPassword is set, after
> > Radiator checks a user's password the LDAP connection is not
> > unbound. This can cause problems with some LDAP servers (notably
> > Oracle ID and Novell eDirectory), where they unexpectedly cause
> > the following LDAP query to fail with
> > LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after
> > each ServerChecksPassword bind.
> >
> > Added support for new -I command line flag to radiusd, which adds
> > an include directory to the module search path. Patch by Heikki
> > Vatiainen.
> >
> > In SqlDb::do(), Sql connections now detect PostgreSQL duplicate
> > key violations, which are now not a cause for disconnect. Added
> > similar tests to SqlDb::prepareAndExecute().
> >
> > Sample RAdmin configuration file that shows how to record Tacacs+
> > commands to the Radmin RADCOMMANDAUDIT table for auditing, and
> > viewing (RAdmin 1.14 plus latest patches required)
> >
> > The ServerRADIUS clause now supports AddToRequest, which makes it
> > easy to tag requests that arrive by RADIUS to distinguish them to
> > those arriving by TACACS+ or Diameter.
> >
> > Server HTTP log messages are now escaped so that HTML characters
> > in the log do not cause display errors. Patch provided by Adam
> > Bishop.
> >
> > Fixed a problem in Auth LDAP2 that could cause a crash if
> > ServerChecksPassword and UnbindAfterServerChecksPassword are
> > enabled, and certain LDAP errors occur during the
> > ServerChecksPassword bind.
> >
> > Fixed spelling mistake in VENDORATTR Timetra-Home-Directory,
> > Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS
> > Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400
> > switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR
> > SAM-Security-Group-Name .
> >
> > Improvements to IPV6 handling so the absence of Socket6 causes a
> > warning message instead of an exit.
> >
> > Added a number of FreeSwitch accounting VSAs to dictionary. Added
> > a brief discussion paper about how to integrate FreeSwitch with
> > Radiator. FreeSWITCH is a powerful and versatile telephony
> > platform that can scale from a softphone to a PBX and even to a
> > carrier-class softswitch.
> >
> > Log SYSLOG and AuthLog SYSLOG now support special characters in
> > LogIdent, LogOpt and LogHost.
> >
> > TLS Streams, such as used with Radsec did not correctly verify
> > certificates for 'hostname' if the Host address was specified in
> > Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
> >
> > Fixed an issue where truncated EAP-Message requests would cause a
> > log message like "Could not load EAP module Radius::EAP_"
> > ..... This is now logged as invalid EAP type in EAP request and
> > rejected. Reported by Daniel Rocha.
> >
> > Server TACACSPLUS now honours reply attributes correctly for
> > ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
> >
> > Testing with XAMPP on
> > Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
> > is an excellent, easy to install bundle of useful tools such as
> > Apache, MySQL, Perl etc for Windows. It is a also good base for
> > installing Radiator on Windows, especially if you wish to use
> > Radiator with RAdmin or a MySQL database. Updated installation
> > documentation to include XAMPP on Windows.
> >
> > Added support for Novell eDirectory NMAS (Novell Modular
> > Authentication System) to AuthBy LDAP2. NMAS allows Novell
> > eDirectory to support and authenticate passwords using the Vasco
> > Digipass NMAS method, and other third party token and non-token
> > systems. Vasco Response-Only (RO) tokens are only supported since
> > NMAS does not currently support challenge-response via
> > RADIUS. Sample configuration file included.
> >
> > Ldap classes now support the "ipv6:" prefix for Ldap server Host
> > names. If Host begins with "ipv6:" the subsequent host name(s)
> > will be interpreted as IPV6 addresses where possible, and
> > Net::LDAP will use INET6 to connect to the LDAP server.
> >
> > In AddressAllocator SQL, the default AllocateQuery was changed to
> > check the STATE during the allocation to catch certain race
> > conditions.
> >
> > With all Ldap clauses, removed the default BindAddress of
> > 0.0.0.0. This was unnecessary and interferes in a non-obvious way
> > with attempts to use ipv6: in the Host. Reported by Dyonisius
> > Visser.
> >
> > Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
> >      RFC4669 - RADIUS Authentication Server MIB for IPv6
> >      RFC4671 - RADIUS Accounting Server MIB for IPv6
> > The RFCs are included in the distribution.
> >
> > Improvements to EAP handling to support multiple desired EAP
> > types in EAP NAK response, per RFC 3748.
> >
> > Fixed incorrect error message that referred to
> > ServerHTTP. Reported by Karl Gaissmaier.
> >
> > Added support for PacketTrace to Server TACACSPLUS, Server
> > DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
> >
> > Fixed a problem where attributes of type ipv6prefix (such as
> > Framed-IPv6-Prefix) would not be decoded correctly if they had
> > fewer than 16 octets. Reported by Lee, Larry KT.
> >
> > Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even
> > if the Called-Station-Id has the SSID of the AP appended as
> > described in http://tools.ietf.org/html/rfc3580#section-3.20
> >
> > Added example perl script rpt.pl which logs packets which match a
> > regexp. Contributed by Bart Dumon.
> >
> > Fixed a problem when using AuthBy RADIUS with Synchronous and
> > Fork that if the secrets don't match (resulting in "Bad
> > authenticator received in reply to ID 1. Reply is ignored"), this
> > creates forked processes that never terminate and have to be
> > manually force-killed. Reported by David Zych.
> >
> > Fixed a number of innocuous warnings when radiusd is run with
> > perl -w.
> >
> > Added usage documentation for author_args in tacacsplustest.
> >
> > In AuthSQL, GroupMembershipQuery is now not passed any bind
> > variables. If you wish to use bind variables with
> > GroupMembershipQuery, use the new GroupMembershipQueryParam.
> >
> > Fixed a problem with Server HTTP where some versions of Firefox
> > would hang when trying to access localhost:9048. Also fixed some
> > innocuous warnings when run with the -w flag.
> >
> > Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some
> > cases with some versions of Sys::Syslog, the loghost was not set
> > correctly. Reported by Klara Mall.
> >
> > radiusd now unlinks PidFile during an orderly shutdown. Suggested
> > by Klara Mall to prevent startup scripts being confused by stale
> > PID files.
> >
> > Improvements to AddressAllocator SQL: If CheckPoolQuery is set to
> > an empty string, no pool checking will be done at startup. If
> > AddAddressQuery is set to an empty string, addresses will not be
> > automatically added to the pool.
> >
> > Testing against RadiusGINA, a Windows RADIUS login authenticator
> > from LSE http://lsexperts.de/. Works well, and easy to install.
> >
> > Fixed a problem in TLS Stream based protocols (such as AuthBy
> > RADSEC, AuthBy DNSROAM etc.) where ConnectOnDemand would not work
> > correctly in the case where a TLS connection was being
> > established and failed. Reported by Stefan Winter.
> >
> > Added goodies/radiusgina.txt, a brief introduction to RadiusGINA,
> > a Windows RADIUS login authenticator from LSE http://lsexperts.de
> >
> > --
> > Mike McCauley                               mikem at open.com.au
> > Open System Consultants Pty. Ltd
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia  
> > http://www.open.com.au Phone +61 7 5598-7474                       Fax  
> > +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare
> > etc.
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
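The announcement above mentions two AuthBy SQLTOTP changes: replay detection (a new column in the sample schema) and acceptance of tokens whose clock has drifted into the future. The following is an added example, written for this page and not code from Radiator or Open System Consultants, showing how those two properties fit together in a TOTP verifier. The parameter names time_step, time_step_origin and window, and the in-memory last_step field standing in for the SQL column, are assumptions for illustration; the secret used in the test is the RFC 6238 reference key.

```python
"""Added example (not Radiator's code): TOTP verification with a drift
window and replay detection, in the spirit of the AuthBy SQLTOTP changes.
Names time_step / time_step_origin / window / last_step are assumed."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Verification state for one token.  In a real deployment `last_step`
    is the per-user column that replay detection persists in SQL."""

    def __init__(self, secret: bytes, time_step: int = 30,
                 time_step_origin: int = 0, window: int = 1, digits: int = 6):
        self.secret = secret
        self.time_step = time_step                # seconds per step (assumed name)
        self.time_step_origin = time_step_origin  # epoch offset (assumed name)
        self.window = window                      # steps accepted either side of now
        self.digits = digits
        self.last_step = None                     # highest step already consumed

    def verify(self, code: str, now: int) -> str:
        """Return 'OK', 'REPLAY' or 'FAIL'.

        Every step in [current-window, current+window] is tried, including
        steps in the future, so a token whose clock runs slightly fast still
        authenticates.  A code for a step at or below the last accepted step
        is a replay even though it is still inside the window."""
        current = (int(now) - self.time_step_origin) // self.time_step
        for step in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, step, self.digits).encode()
            if hmac.compare_digest(expected, code.encode()):
                if self.last_step is not None and step <= self.last_step:
                    return "REPLAY"
                self.last_step = step
                return "OK"
        return "FAIL"


# RFC 6238 reference secret, used only to make the example reproducible.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC6238_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))  # OK REPLAY
```

The replay check compares time steps rather than code strings, so a code that is valid for two adjacent steps (because of the window) can still only be used once, and a code from an older step is refused after a newer one has been accepted.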

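Two further items in the list concern how an incoming request is matched to a Client clause: a more specific CIDR now has priority over a less specific one, and Client addresses of the form MAC:nn-nn-nn-nn-nn-nn now match even when the Called-Station-Id has the AP's SSID appended (RFC 3580 section 3.20). This added example, not Radiator's own code, shows longest-prefix selection and SSID-tolerant MAC matching on a constructed client list. The Client class, the rule that a matching MAC: client wins before address-based clients are considered, and the sample addresses are assumptions for this illustration.

```python
"""Added example (not Radiator's code): Client lookup with longest-prefix
CIDR priority and MAC:... matching that tolerates an ':SSID' suffix on
Called-Station-Id.  Client class and sample list are constructed here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Leading MAC in either dash or colon notation; anything after it (":SSID") is ignored.
MAC_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})")


@dataclass(frozen=True)
class Client:
    address: str   # "10.1.2.0/24", "2001:db8::/32", "10.1.2.3" or "MAC:00-10-A4-23-19-C0"
    secret: str


def normalise_mac(value: str) -> Optional[str]:
    """Extract the MAC from a Called-Station-Id or a MAC: client address and
    canonicalise it to upper-case, dash-separated form."""
    m = MAC_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).upper().replace(":", "-")


def match_client(clients: Iterable[Client], src_ip: str,
                 called_station_id: Optional[str] = None) -> Optional[Client]:
    """Pick the Client that serves a request from src_ip.

    Assumed ordering for this example: a MAC: client whose address equals the
    request's Called-Station-Id MAC wins outright; otherwise the address-based
    client with the longest matching prefix wins (10.1.2.0/24 beats 10.0.0.0/8,
    and a bare host address is a /32 or /128)."""
    src = ipaddress.ip_address(src_ip)
    req_mac = normalise_mac(called_station_id) if called_station_id else None
    best: Optional[Client] = None
    best_len = -1
    for client in clients:
        if client.address.upper().startswith("MAC:"):
            if req_mac is not None and normalise_mac(client.address[4:]) == req_mac:
                return client
            continue
        net = ipaddress.ip_network(client.address, strict=False)
        # `in` is False across address families, so v4 sources never match v6 clients.
        if src in net and net.prefixlen > best_len:
            best, best_len = client, net.prefixlen
    return best


# Constructed sample list; the least specific entry is deliberately first so
# that order in the list does not decide the match.
SAMPLE_CLIENTS = [
    Client("10.0.0.0/8", "site"),
    Client("10.1.2.0/24", "subnet"),
    Client("10.1.2.3", "host"),
    Client("2001:db8::/32", "v6site"),
    Client("MAC:00-10-A4-23-19-C0", "ap"),
]

if __name__ == "__main__":
    print(match_client(SAMPLE_CLIENTS, "10.1.2.9").secret)                               # subnet
    print(match_client(SAMPLE_CLIENTS, "192.0.2.1", "00-10-a4-23-19-c0:CorpWiFi").secret)  # ap
```

The security-relevant point is that the shared secret is chosen by the most specific entry, so a narrow Client clause for one NAS cannot be shadowed by a broad catch-all that happens to appear earlier in the configuration, and a MAC-keyed clause is still found when the AP appends its SSID.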