[RADIATOR] Radiator Version 4.9 released
Mike McCauley
mikem at open.com.au
Thu Sep 29 20:51:41 CDT 2011
We are pleased to announce the release of Radiator version 4.9
This version contains some new features and minor bug fixes.
As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/
and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads
Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php
An extract from the history file
http://www.open.com.au/radiator/history.html is below:
Fixed an issue with Resolver and AuthBy DNSROAM where the
combination Protocol=radius, Transport=tls was incorrectly
interprted as UDP RADIUS (for historical reasons). It is now
interpreted as TCP RADSEC. Reported by Stefan Winter.
Added commands to the sample startup script linux-radiator.init
that work for Debian. Submitted by "Michael".
Improvements to AuthBy FIDELIO: During a SIGHUP, AuthBy FIDELIO
now sends a LE and closes the TCP connection before reopenaing
the connection. This should result in better database reading
behaviour during SIGHUP. AuthBy FIDELIO now sends periodic LA
commands to the Fidelio to check the integrity of the
link. Suggestions by Ralf Ertzinger.
Fixed further issue with Resolver and AuthBy DNSROAM where the
combination Protocol=radius, Transport=tls was incorrectly
interpreted. Reported by Paul Dekkers
Improvements to AuthBy DNSROAM so that routes for different
realms that are discovered to be to the same proxy server will
reuse the existing server. Suggested by Stefan Winter.
goodies/fideliosim.pl now prints main details of PS posting
records it receives.
New module AuthBy FIDELIOHOTSPOT which provides hotel guest
authentication by Fidelio, and prepaid session times, billed to
the user's room by Fidelio. Supports various hotspots such as
Mikrotik and Open-Mesh etc. Replaces
goodies/fidelio-hotspot-hook.pl as the preferred method of
providing prepaid sessions billed to room by Fidelio.
Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is
called after a message from Fidelio has been unpacked into a hash
and before the record is passed to handle_message(). It can be
used to change or transform any fields in the record before it is
passsed to handle_message() and processed by AuthFIDELIO.
Improvements so that if the example Radiator init script for
linux is invoked as a symlink (eg
/etc/rc2.d/S90radiator->../init.d/radiator), it still deduces the
correct program name (radiator) and hence sources the correct
sysconfig file (/etc/sysconfig/radiator).
Fixed a problem where Realm clauses inside AuthBy DNSROAM did not
recognise the Secret parameter. Reported by Paul Dekkers.
Added negative caching to Resolver, with new parameter
NegativeCacheTtl.
Added new parameter RedespatchIfNoTarget to AuthBy DNSROAM. For a
given request, if Resolver does not find a target and there is no
explicit Route, and no DEFAULT Route and this flag is set, the
request will be redepatched to the Handler/Realm system for
handling. This allows for a flexible fallback in the case where
DNSROAM cannot find how to route a request. The redespatched
request will have the attribute OSC-Environment-Identifier set to
the AuthBy DNSROAM Identifier (or 'DNSROAM' Identifier is not
set)
Fixed problems with the Authen-Digipass PPM packages for Windows
missing important files.
Fixed an issue with AuthBy RADSEC, where failure to deliver a
message could cause continuous attempts to reconnect, even if
ConnectOnDemand is set.
Fixed an issue with Stream based connections, where
ConnectOnDemand and an unresponsive server could cause Radiator
to hang. Reported by Paul Dekkers.
Added workaround for a bug in some versions of perl 5.12.1 (such
in openSUSE 11.3) that caused incorrect packing of some RADIUS
requests.
Improvements to Server TACACSPLUS so that RADIUS STATE is saved
in in the connection rather than the context. Patch provided by
Nicholas Waples.
Reversed a previous change in 4.8 that Server TACACSPLUS expired
authentication result in FAIL instead of ERROR. The change in 4.8
was to result in ERROR, which causes some devices to then revert
to the local authorisations.
Added a number of attributes from RFC 5090 to dicitonary, which
override a number of attributes that were previously commandeered
by Ascend. The Ascend ones are still available in
ascend.dictionary.
Fixed a typo in dictionary: Ascend-Call-Attempt-Limit was
Agscend-Call-Attempt-Limit.
Fixed a problem in linux-radiator.init which prevented traceup
working on SuSE. Reported by Aeneas Jaißle.
Improvements to ClientListSQL to support DisconnectAfterQuery,
which will cause disconnection from the SQL database after each
query. This can be helpful in cases where firewalls etc close
connections that have been idle for a long time.
Added sha.pl, ssha.pl to goodies. Simple perl scripts to generate
SHA and SSHA hashes of the first command line argument. Useful
for generating SHA and SSHA hashed passwords in the form Radiator
honours.
Fixed a problem with the Radiator init script that prevented
reload, traceup and tracedown working with some versions of SuSE.
Added ipoque-class VSA for ipoque PRX Traffic Manager to
dictionary. With the assistance of A.Sharaz.
Improvements to the sample wimax.sql database schema to improve
interoperation with Alvarion.
All stream protocols that support TLS now support optional
TLS_CertificateFingerprint parameter. When a TLS peer presents a
certificate, this optional parameter specifies one or more
fingerprints, one of which must match the fingerprint of the peer
certificate. Format algorithm:fingerprint. Requires Net::SSLeay
1.37 or later.
Improvements to AuthBy EAPBALANCE to permit operation with target
RADIUS servers that rely on State, such as Windows IAS etc.
Added Freeswitch-Direction and Freeswitch-Other-Leg-Id to
dictionar.
Added Documentation and sample scripts for how to use Radiator
and the AuthBy FIDELIO module to handle authentication and
accounting for the Freeswitch VOIP
switch (http://www.freeswitch.org). It can be used authenticate
and to bill VOIP calls to a Micros-Fidelio Opera Hotel Property
Management System (http://www.micros.com).
Added Riverbed-Local-User VSA to dictionary.
Fixed a problem in AuthBy RADMIN where if the database connection
fails once, message logging through AuthRADMIN will stop
altogether, and along with that, the bad login counting. Reported
an patched by Manuel Kasper.
Added Aruba-MMS-User-Template to dictionary, fixed typo in
Aruba-Port-Identifier. Added AH-HM-Admin-Group-Id.
Added support for EAP AKA-PRIME. Required for version 1.32 or
Radius-EAP-SIM module.
Added new clause AuthBy SQLAUTHBY, which looks up how to
authenticate each user based on information in an SQL
database. The columns retrieved from SQL are used to create an
AuthBy clause that will actually handle the request. The
parameters used to configure the clause come from SQL. The clause
is reused for as long as the the target realm yields the same SQL
query results. The example works with the sample RADSQLAUTHBY
table in mysqlCreate.sql.
Added support for new parameter AuthChallengeKeyword to AuthBy
URL. This parameter permits URL results that trigger a CHALLENGE
reply for use with Challenge/Reponse systems. Contributed by
Matthew Van Kuyk.
Added new parameter DirectAddressLookup to Resolver. If
DirectAddressLookup is enabled, and if there are no NAPTR records
for the requestsed Realm, Resolver will attempt lookups of A and
AAAA records for _radsec._sctp.REALM, _radsec._tcp.REALM and
_radius._udp.REALM Enabled by default. Requested by Paul Dekkers.
Added sample hook pwaframedip.pl. This hook fixes a problem with
Enterasys switches where Framed-IP-Address is not included in
accounting packets, but the information is available via SNMP
when for Enterasys captive-portal (PWA)
authentication. Contributed by Ben Carbery.
In AuthBy RADMIN, it is now possible to disable
IncrementBadloginsQuery and ClearBadloginsQuery by setting the
query string to be empty.
Server farm children now always reseed the random number
generator so the children dont share the same seed.
Improvements to the RPM spec file so RPM installs with recent 64
bit perls will work.
Increased the default MaxBufferSize in streams to 10000000.
Added support for passwords encrypted with $2a$, $2x$ and $2y$
blowfish crypt and $5$ SHA-256 crypt (where supported by the
underlying crypt()). Improvements to support rounds= notation in
SHA-256, SHA512 crypt.
Ensure RecvTime is set in RADIUS requests derived from tunnelled
EAP types.
Changed the type of Framed-Interface-Id in dictionary to be
ifid. You can now specify Framed-Interface-Id as strings in the
format 'aaaa:bbbb:cccc:dddd', which is compatible with
FreeRadius.
Fixed an issue with TTLS and PEAP: When inner authentication is
proxied, e.g. EAP-MSCHAP-V2 to MS NPS, NPS sends back State. If
Radiator does not return State, proxying inner auth fails.
Added more Nomadix VSAs to dictionary, contributed by Mike
Newton.
AuthBy EAPBALANCE and AuthBy HASHBALANCE now REJECT if an EAP
stream has to be broken up, giving the client and immediate
chance to restart. Changed the default protocol version for PEAP
in EAPTLS_PEAPVersion from 1 to 0. This is in line with more
recent documentation from Microsoft (which contradicts
draft-josefsson-pppext-eap-tls-eap-0[35].txt), and it achieves
bettter interoperability with Macs.
Added more Aruba VSAs, contributed by Alan.
EAP-FAST support now follows the recommendations for A_ID: it is
now the 16 octet hash of the A_ID_INFO, which is set to the
Radiator hostname. Updated instructions for building OpenSSL and
Net::SSLeay for more recent versions of Net::SSLeay for use with
EAP-FAST.
Added sample script goodieshex2base32.pl /to help with entering
HOTP and TOTP codes to Google Authenticator. Converts hex codes
to base 32. Improvements to ClientList SQL to improve error
detection.
Improvements to random number seeding: seeding is now done by a
new function Radius::Util::seed_random. radiusd calls it at
startup and after forking farm children. It can be overridden if
necessary to provide local random number initialisation and
seeding.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator
mailing list