[RADIATOR] Radiator Version 4.10 released
Hugh Irvine
hugh at open.com.au
Thu Jun 28 00:15:27 CDT 2012
Hi Mikey -
Thanks!
Tested fine on Mac OS X 10.7.4.
I've also copied it up to the DEV box at NBNCo and it runs fine after installing Digest-SHA-5.71.
cheers
Hugh
On 28 Jun 2012, at 12:04, Mike McCauley wrote:
> We are pleased to announce the release of Radiator version 4.10
>
> This version contains some new features and minor bug fixes. The prerequisites
> now require Digest::SHA.
>
> As usual, the new version is available to current licensees from:
> http://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> http://www.open.com.au/radiator/demo-downloads
>
> Licensees with expired access contracts can renew at:
> http://www.open.com.au/renewal.php
>
> An extract from the history file
> http://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
>
> Revision 4.10 (2012-06-28) Some significant new features. Bug fixes.
>
> Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password
> is never transmitted, even in encrypted form), and does not require PKI
> certificates, and also requires only 3 authentication round-trips. So it is
> considered efficient to roll out in eg Eduroam and other environments.
> Requires that the Radiator user database has access to the correct plaintext
> password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 are
> included.
>
> Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
>
> Added Tropos and Fortinet VSAs to dictionary.
>
> Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke
> Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into
> multiple attributes.
>
> Removed use of 'use timelocal' from radiusd and radpwtst, code now uses
> Time::Local instead.
>
> Removed use of 'use newgotopt', all code now uses Getopt::Long instead.
>
> Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter
> specifies whether the password needs to be url-encoded or not. Options are
> "Clear", "Encode". Contributed by Matthew Van Kuyk.
>
> Added Nokia Siemens Networks (NSN) VSAs to dictionary.
>
> Added support to radpwtst for new command line argument -alive to send
> Accounting-Alive requests. Alive is not sent by default if accounting is
> enabled.
>
> Fixed an error in the RPM build control file Radiator.spec, which would cause
> /usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
>
> Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple
> differing module logging configurations do not confuse Sys::Syslog.
>
> Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being
> set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
>
> Improvements to AuthBy WIMAX, which now uses latest WiMAX TLV attribute
> definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX
> now uses latest WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and
> honours the -capability command line argument where you can specify an
> alternate WiMAX-Capability.
>
> Removed use of 'use newgotopt' from builddbm, buildsql, tacacsplustest,
> diapwtst, restartwrappert. Code now uses Getopt::Long instead.
>
> Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS
> based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL
> 0.9.8m and later, this optional parameter enables legacy insecure
> renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m
> and later always attempts to use secure renegotiation as described in RFC5746.
> This counters the prefix attack described in CVE-2009-3555 and elsewhere.
>
> Updated ACME VSAs in dictionary to add many missing VSAs and to adopt
> attribute naming consistent with other RADIUS servers.
>
> Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
>
> Added support for EAP expanded types per RFC 3748. EAPType parameter can now
> be specified as an EAP type number, EAP extended vendornumber:typenumber or as
> a traditional well-known EAP type name eg: EAPType TTLS, MSCHAP-V2,
> 16776957:4244372217 where 16776957 is the expanded vendor number and
> 4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9,
> the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included
> module and config to support testing against wpa_supplicant VENDOR-TEST
> expanded type.
>
> Fixed a possible problem in Stream connections where connection failures may
> not be detected correctly.
>
> Improvements to EAP-MSCHAPV2 handling in the case where the underlying
> database has a database access problem, causing an IGNORE.
>
> Testing with RSA Authentication Manager 7.1 SP4. No changes required.
>
> Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2
> Assertions for an (already authenticated) user from an Identity Provider (IdP)
> and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is
> beta code and not yet widely tested. Feedback requested. Currently only sends
> ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing
> of requests and Verifying of responses is not yet proven to work correctly.
>
> EAP-MSCHAPV2 now honours AuthenticateAttribute.
>
> New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32
> and 64 bit.
>
> Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if
> Radiator gets an error or a timeout from a database connection it will try to
> reconnect to the database, starting with the first DBSource, and trying them
> all in order until a successful reconnection. This flag forces the search to
> start at the database following the current DBSource (if there is one). This
> can help with some types of overloaded database that can be connected but then
> timeout when a query is sent.
>
> Context is stored in $p->{EAPContext} for all EAP requests.
>
> Fixed a problem where HUPping an evaluation version would result in messages
> like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED)
> (LOCKED) (LOCKED)
>
> Added support for new parameter RequireMessageAuthenticator in Client clauses.
> Normally, Client clause checks the value of any Message-Authenticator
> attribute (if present) in incoming requests (EAP or otherwise), and an
> incorrect authenticator causes the request to be IGNOREd. The optional
> RequireMessageAuthenticator flag causes this Client to require a (correct)
> Message-Authenticator attribute to be present in all incoming requests.
>
> ServerHTTP now registers itself with Configurable.
>
> Additional information in error logs from various TLS operations. Patch from
> "Bjoern A. Zeeb". Thanks Bjoern.
>
> ClientList LDAP now supports file in PreHandlerHook and ClientHook.
>
> Fixed a problem with SessionDatabase SQL which could cause a crash if the
> query contains %{Quote:...}. Patched by Eddie Stassen. Thanks.
>
> Added VENDOR Ericsson 193 VSAs to dictionary.
>
> Log FILE now supports %0 (priority) and %1 (log message) as special characters
> in Filename parameter. AuthLog FILE now permits use of the '|' vertical bar
> leading character in Filename to permit piping to an external program.
>
> AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed
> flag parameter. If this is set then Net::LDAP will try all addresses for a
> multihomed LDAP host until one is successful. Default is true (set).
>
> Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compatibility
> with some Oracle clients in the group checks. Reported by Emanuel Freitas.
>
> Added VENDOR Adva 2544 VSAs to dictionary.
>
> Added VENDOR Siemens 4329 VSAs to dictionary.
>
> Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the
> standard Diameter dictionary.
>
> Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes
> that are converted to Diameter Grouped attributes being parsed correctly.
>
> For all TLS related operations, improved error logging if SSLeay::new fails.
>
> Added StripFromReply and AllowInReply to the parameters permitted in AuthBy
> DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
>
> Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary.
>
> Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh
> Irvine.
>
> Added new module AuthBy RATELIMIT which can be used to limit the maximum
> number of requests per second to be served. If more than this number of requests
> are received in any second, they will be IGNOREd.
>
> Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by
> Adam Thompson.
>
> Server TACACSPLUS now honours DefaultRealm from the Client clause that matches
> the incoming request. If defined in the Client clause, it will override any
> DefaultClient defined in the Server TACACSPLUS clause.
>
> Global SocketQueueLength was not honoured when creating RADIUS server ports.
>
> Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
>
> Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6
> and RHEL6)
>
> All TLS context configuration parameters, such as EAPTLS_CertificateFile now
> honour special characters (such as %K etc) from the EAP identity request.
>
> AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0
> (none) instead of 1 (session-based).
>
> All EAP authentications now log at DEBUG level the elapsed time of the entire
> conversation (since the EAP identity) in seconds (and microseconds if
> Time::HiRes is available).
>
> If a Client address cannot be resolved, the log message now includes the exact
> address that was not able to be resolved.
>
> Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version
> 1.11.
>
> Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if
> AuthBySelectParam was defined.
>
> Removed incorrect -authen_args from help in tacacsplustest.
>
> Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is
> honoured even if the EAP-GTC client sends the 'RESPONSE=identity\0password'
> form of EAP-GTC response.
>
> Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
>
> RFC 2621 was inadvertently omitted from the distribution.
>
> Added support for new configuration parameter. PacketDumpOmitAttributes
> specifies a comma separated list of RADIUS attribute names which will be
> omitted from RADIUS packet dumps in logs.
>
> ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP
> clauses. Reported by Albesiano Alberto.
>
> Improved parsing of hooks and display of hooks by ServerHTTP. Reported by
> Albesiano Alberto.
>
> AddToReply AddToReplyIfNotExist when used in Handlers and Clients, would
> incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL
> did not correctly honour AddToReply for Access-Accept and Access-Reject.
> Reported by Albesiano Alberto.
>
> RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the
> distribution. In accordance with RFC 6614, the default shared secret for
> RadSec has been changed to 'radsec', UseTLS is enabled by default, and
> TLS_RequireClientCert is enabled in Server RADSEC by default.
>
> Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
>
> Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-
> Flow-Descriptor, per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0
> v 0 81.doc'
>
> Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-
> Flow-Descriptor to support attributes like: WiMAX-Packet-Flow-
> Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN"
> Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA tlvs to
> dictionary, to support attributes like: Alvarion-DHCP-Option="Ref-R3-IF-
> Name=interface1,DHCP-Option-Container=container1" Alvarion-R3-IF-
> Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-
> netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6 Per Alvarion's document 'RADIUS-WiMAX R3
> Interop Spec_Rel 3 0 v 0 81.doc'.
>
> Fix to Fidelio interface so that LA messages are not queued unless there is a
> current connection.
>
> Fixed a problem where the LDAP group search did not correctly specify the
> attributes to fetch, and therefore _all_ attributes were fetched, affecting
> performance. Reported by Ben Carbery.
>
> Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If
> CheckSecretId is set, then check that the secretId fetched from the database
> matches the secretId encoded in the submitted Yubikey OTP. This increases the
> security of the Yubikey OTP and is recommended best practice. Also improved
> the documentation for configuring yubikey.cfg and provided a better sample
> database for use with yubikey.cfg.
>
> Fixed a problem with EAP-FAST that prevented anonymous provisioning in some
> circumstances where the client asks for several ciphersuites. Reported by
> Sudhir.Harwalkar.
>
> Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy
> ACE which issue AccessChallenge to get additional data from the user. Radiator
> was sending the challenge as GETPASS rather than GETDATA and wasn't getting
> the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco
> ASA 5510 firewall. Reported and patched by Richard Fairhall.
>
> Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl
> 5.14 x86 and x64 packages. Also updated the prebuilt packages at
> http://www.open.com.au/radiator/free-downlaods to include versions for Perl
> 5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-
> Lsa.tar.gz
>
> Fixed a problem where AuthBy LDAP2 would incorrectly log "DEBUG: No entries
> for mikem found in LDAP database" if MaxRecords was set larger than the actual
> number of LDAP records retrieved.
>
> Improvements to SQL logging show the name of the database at DEBUG level when
> connection attempts are made. Also prepareAndExecute and do functions log the
> database name at DEBUG level. Requested by Philip Herbert.
>
> Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
>
> Added VSAs for Ruckus Wireless to dictionary.
>
> AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem
> that prevented the error being correctly printed if ntlm_auth crashed or
> exited.
>
> Removed use of Digest::SHA1, replaced with Digest::SHA, which is now included
> with all perls. Digest::SHA is now an absolute prerequisite.
>
> Added sample config platypus7.cfg for recent Platypus 7 database.
>
> With EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2, EAP-FAST, inner packets are now
> logged at DEBUG level _after_ the PreHandlerHook (if any) is run, so that
> attributes added by the hook will be visible.
>
> Fixed a problem where Client DupInterval 0 sometimes did not act as expected,
> causing a leak in EAP contexts.
>
> Improved logging so that AuthBy ACE prompts are not broken up with newlines in
> logs. Requested by Richard Fairhall.
>
> Fixed a problem in TACACS+ which prevented AuthBy ACE new pin
> mode and other challenges from working correctly. Patch provided by Richard
> Fairhall.
>
> Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the
> maximum time in seconds that a RadSec connection can be idle before a Status-
> Server request is sent to keep the TCP connection alive. This helps to keep
> TCP connections open in the face of "smart" firewalls that might try to close
> idle connections down. Defaults to 0 seconds, which means inactive.
>
> Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the
> old-fashioned way, with the CHAP Challenge in the authenticator, and not in a
> separate CHAP-Challenge attribute.
>
> Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box.
> http://www.raspberrypi.org
>
> Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP
> codes to Google Authenticator. Converts hex codes to base 32.
>
> Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
>
> Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to
> AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is
> enabled, use only Status-Server requests (if any) to determine that a target
> server is failed when there is no reply. If not enabled (the default) use no-
> reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests,
> MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable
> this, you should also ensure KeepaliveTimeout is set to a sensible interval to
> balance between detecting failures early and loading the target server.
> KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can
> be idle before a Status-Server request is sent to keep the connection alive.
> Defaults to 0 seconds.
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Hugh Irvine
hugh at open.com.au
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
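The Message-Authenticator check that the quoted RequireMessageAuthenticator item tightens is the RFC 2869 one: HMAC-MD5 keyed with the shared secret over the whole request, with the attribute's 16 value bytes treated as zeros. The following is an added Python model of that check (Radiator itself is Perl; this is not its code) run over a constructed Access-Request: the shared secret, Request Authenticator and attribute values are constructed sample data, and the accept/ignore outcomes follow the behaviour the announcement describes for a present-but-wrong versus an absent attribute.

```python
import hmac
import hashlib
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14
SECRET = b"constructed-shared-secret"  # constructed sample; not a real secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; real NASes send 16 random bytes

def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value) pairs in the RFC 2865 layout."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, t, packet[pos + 2:pos + length]
        pos += length

def sign(packet, secret):
    """NAS side: append Message-Authenticator = HMAC-MD5(secret, packet with its 16 value bytes zeroed)."""
    padded = packet + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    padded = padded[:2] + struct.pack("!H", len(padded)) + padded[4:]  # fix header length first
    return padded[:-16] + hmac.new(secret, padded, hashlib.md5).digest()

def check_message_authenticator(packet, secret, require=False):
    """Server side: return ("accept" | "ignore", reason) following the Client clause rules."""
    found = [(off, v) for off, t, v in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    if not found:  # absent: only RequireMessageAuthenticator turns this into an IGNORE
        return ("ignore", "Message-Authenticator required but absent") if require \
            else ("accept", "no Message-Authenticator to check")
    off, received = found[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 2 + len(received):]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, received):  # constant-time; also False on a length mismatch
        return "accept", "Message-Authenticator verified"
    return "ignore", "incorrect or malformed Message-Authenticator"

def demo():
    attrs = [(1, b"mikem"), (79, b"\x02\x00\x00\x0a\x01mikem")]  # User-Name, EAP-Message (Identity)
    plain = build_packet(1, 7, REQUEST_AUTHENTICATOR, attrs)  # code 1 = Access-Request
    signed = sign(plain, SECRET)
    tampered = signed[:22] + bytes([signed[22] ^ 0x01]) + signed[23:]  # flip one bit of User-Name
    return {
        "valid": check_message_authenticator(signed, SECRET),
        "tampered": check_message_authenticator(tampered, SECRET),
        "wrong_secret": check_message_authenticator(signed, b"some-other-secret"),
        "absent_default": check_message_authenticator(plain, SECRET),
        "absent_required": check_message_authenticator(plain, SECRET, require=True),
    }
```

The "tampered" and "wrong_secret" cases are the ones the default check already catches; "absent_required" is the extra case RequireMessageAuthenticator adds.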