[RADIATOR] Radiator Version 4.12 released

Heikki Vatiainen hvn at open.com.au
Fri Sep 6 15:56:34 CDT 2013


We are pleased to announce the release of Radiator version 4.12

This version contains two new modules, AuthBy DUO and AuthBy DIAMETER,
some significant new features and bug fixes.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/

and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php

An extract from the history file
http://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.12 (2013-09-06)

Improvements to EAP-MD5 handling: in the event of an authentication
failure, the reason messages are more descriptive of the reason why.

Updated MikroTik VSAs in dictionary.

Added a number of VSAs for Alcatel-ESAM to dictionary.

Fixed a potential crash if there were many unfinished EAP-GTC
authentication conversations through AuthBy ACE. Reported by Richard
Fairhall.

Added support for a number of new check items for AuthBy SQL:
Max-All-Session, Max-Hourly-Session, Max-Daily-Session,
Max-Monthly-Session, Max-All-Octets, Max-All-Gigawords,
Max-Hourly-Octets, Max-Hourly-Gigawords, Max-Daily-Octets,
Max-Daily-Gigawords, Max-Monthly-Octets, Max-Monthly-Gigawords. AuthBy
SQL supports the following corresponding configurable queries:
AcctTotalQuery, AcctTotalSinceQuery, AcctTotalSinceQuery,
AcctTotalSinceQuery, AcctTotalOctetsQuery, AcctTotalGigawordsQuery,
AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery,
AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery,
AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery. With the kind
assistance of Richard Fairhall.

Updated AuthLog SYSLOG so that it honours the same %0 and %1 in
SuccessFormat and FailureFormat as other loggers.

Changed all instances of the poorly defined 'octets' type attributes
in dictionary to 'binary'.

Added F5 BigIP VSAs to dictionary, per
http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html,
as sent by Alexander Hartmaier.

Added further Trapeze VSAs for MSS 8.0 and later to dictionary, as
sent by Vandenbroucke Luc.

Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that
failedRequests and start_failure_grace_time are updated even if there
is no $op->{rp}.

Performance improvements for TTLS and PEAP: when used with OpenSSL
1.0.1 and later, NetSSLeay 1.52+latest patches and later, the native
OpenSSL tls1_PRF function is used.

Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the
event of an Access-Reject from a proxied request, AuthLog* can log the
actual Reply-Message from the reply instead of 'Proxied'. Requested by
David Zych.

Improvements to AuthBy RADIUS and AuthBy RADSEC to detect obvious
routing loops and to ignore attempts to proxy a packet to the same
BindAddress/port a packet was received on.

Fixed a problem in SessionDatabase SQL that could cause a crash if
UpdateQuery is defined and an Accounting Alive packet was
received. Reported by Chris Millington.

Improvements to AuthBy SQL AuthColumnDef. Can now have a trailing ",
formatted" keyword in an AuthColumnDef. This will cause the value
retrieved from the database in that column to be subject to special
character processing before its value is used, and can therefore
contain %{something} forms which will be replaced at authentication
time. The general format is now:
  AuthColumnDef n, attributename, type[, formatted]

For example:
  AuthColumnDef 1, Filter-Id, reply, formatted

Improvements to AuthBy LDAP2 AuthAttrDef. Can now have a trailing ",
formatted" keyword in an AuthAttrDef. This will cause the value(s)
retrieved from LDAP to be subject to special character processing
before its value is used, and can therefore contain %{something} forms
which will be replaced at authentication time. The general format is
now:
  AuthAttrDef ldapattributename, radiusattributename, type[, formatted]

For example:
  AuthAttrDef filter, Filter-Id, reply, formatted

All configuration parameters of type 'flag' can now use special
characters. This is especially useful for controlling flags with
GlobalVars.

Added example hook to hooks.txt: showing a way to call PostAuthHook
with additional fixed arguments set at startup time.

Fixed some typos in DiaClient that incorrectly mentioned RadSec.

AuthBy RADIUS and AuthBy RADSEC now remove unnecessary Timestamp
attribute (meant for internal use only) from proxied requests.

Improvements to Handler: the reply packet is not set if there is
already one present. Useful when AuthBy HANDLER or a hook redespatches
a request to another Handler: reply items added by earlier Handlers
and AuthBys will not be lost.

Added Ericsson redback VSAs 207-213 to dictionary. Also added some
alternate values for RB-Framed-IPv6-Prefix, RB-Framed-IPv6-Route,
RB-Framed-IPv6-Pool, as used by SmartEdge.

Added A-10 Networks VSAs to dictionary.

Improvements to SYSLOG loggers to be more compatible with later
versions of Sys::Syslog.

Fixed a problem with using AuthBy Fidelio and Serial ports that caused
a failure to start Radiator. Also changed the default serial port flow
control for Fidelio modules to 'rts', since 'xoff' could cause lost
characters and bad checksums. Testing with USB-Serial port adapters.

Updated goodies/digipass-install.txt to include guidance about how to
order Digipass tokens, including the need to order the 'Digipass User
Data Subscription Fee' (DUD) option.

All tar files are now built with TAR_OPTIONS=--format=gnu to ensure
compatibility with other tars, notably the one on Solaris.

Testing on Solaris 11. OK with builtin perl 5.12.

Added Huawei-3Com (H3C) VSAs to dictionary.

Improvements to AuthBy KRB5 and Ldap.pm: Credential Cache now uses
memory cache instead of file. Added a new option KrbServerRealm to
allow server and user to exist in different realms. Hostname is now
used for service tickets instead of IP address. Reverse DNS lookup is
now done for the host before requesting a service ticket. Patches by
Garry Shtern.

Added new dictionary file for Cisco/Altiga attributes compiled by
Alexander Hartmaier.

Fixed a problem that prevented HostSelect from implementing host
counter if HostSelectParmam was defined.

Added support for SNMP V2c with new configuration parameter
SNMPVersion in SNMPAgent. Fixed a problem where some SNMP decode
errors were not correctly detected.

Configuration file check no longer activates clauses which could cause
spurious error messages. Requested by Garry Shtern.

Added Palo Alto Networks VSAs to dictionary. Contributed by Garry
Shtern.

More improvements to LDAP logging. The hostname and port are now
logged after a successful connection. This helps determining to which
host the connection was made when the Host parameter is configured
with multiple host names. Removed redundant GSSAPI related
code. Contributed by Garry Shtern.

Fixed a problem with EAP-TTLS where EAPAnonymous %0 did not fetch the
inner EAP identity. Reported by Neil M. Johnson.

Added a number of Aruba VSAs to dictionary with the kind assistance of
Michael Hulko.

Fixed UseStatusServerForFailureDetect in AuthRADIUS.pm to work
correctly when there are multiple Hosts configured. This also affects
AuthRADIUS subclasses and small changes were needed for
AuthLOADBALANCE, AuthMULTICAST, AuthROUNDROBIN and
AuthVOLUMEBALANCE. AuthHASHBALANCE and AuthEAPBALANCE required no
changes. When UseStatusServerForFailureDetect is enabled, all Host
objects do individual polling. Expiry of FailureBackoffTime will no
longer make the Host eligible for forwarding. Only a response to
Status-Server request will bring back a failed Host. Other changes
include: AuthRADIUS subclasses will now log an INFO level message when
the Host starts responding. BogoMips only affects AuthLOADBALANCE and
AuthVOLUMEBALANCE as documented. Setting BogoMips to 0 for a Host will
no longer disable it for the other subclasses. KeepaliveTimeout can be
specified for the AuthBy or individual Host in the AuthBy. The default
value for BogoMips in an AuthBy is now correctly passed to the Hosts
in the AuthBy. Thanks to Paul Dekkers for reporting the problem and
debugging help.

Reverted earlier Status-Server polling related change in AuthRADSEC.pm
that caused memory leak when requests were not replied to. Reported
and narrowed down by Paul Dekkers.

EAP-PWD now honours UsernameMatchesWithoutRealm. Also, if the user is
not found, the log message now has EAP-PWD instead of EAP MSCHAP-V2.

Fixed UseStatusServerForFailureDetect in AuthRADSEC.pm to work
correctly when there are multiple Hosts configured. When
UseStatusServerForFailureDetect is enabled, all Host objects do
individual polling. Expiry of FailureBackoffTime will no longer make
the Host eligible for forwarding. Only a response to Status-Server
request will bring back a failed Host. This change is similar to the
recent AuthRADIUS.pm change.

Added new option -message_authenticator to radpwtst for adding
correctly calculated Message-Authenticator in the outgoing
requests. Currently supported types are Access-Request, Status-Server,
Disconnect-Request and Change-Filter-Request aka COA-Request.
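Message-Authenticator (RFC 2869) is an HMAC-MD5 over the whole packet, computed with the shared secret while the attribute's own 16 value bytes are zero. The following is an added example, not radpwtst's or Radiator's code, showing both sides of that calculation in Python: building a request with a correctly filled attribute and, on the receiving side, verifying one (returning False when the attribute is missing, malformed, or computed with a different secret). The secret, identifier and User-Name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
STATUS_SERVER = 12
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 TLV)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_request(code, identifier, authenticator, attrs, secret):
    """Build a request packet carrying a correctly computed Message-Authenticator.

    'attrs' is a list of (type, value) pairs. The Message-Authenticator attribute
    is appended last, first as 16 zero bytes, then overwritten with
    HMAC-MD5(secret, packet) as RFC 2869 section 5.14 requires. 'authenticator'
    is the 16-byte Request Authenticator from the packet header.
    """
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zero placeholder is the last 16 bytes of the packet; replace it in place.
    return packet[:-16] + mac


def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value, or None if absent/malformed."""
    if len(packet) < HEADER_LEN:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return None
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            return pos + 2 if attr_len == 18 else None
        pos += attr_len
    return None


def verify_message_authenticator(packet, secret):
    """Check a received packet's Message-Authenticator; False if missing or wrong."""
    offset = find_message_authenticator(packet)
    if offset is None:
        return False
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    # Constant-time comparison so a verifier does not leak how many bytes matched.
    return hmac.compare_digest(expected, packet[offset:offset + 16])


if __name__ == "__main__":
    # Constructed sample: shared secret, random Request Authenticator, one User-Name.
    secret = b"mysecret"
    request_authenticator = os.urandom(16)
    pkt = build_request(ACCESS_REQUEST, 7, request_authenticator,
                        [(ATTR_USER_NAME, b"alice")], secret)
    print("verifies with correct secret:", verify_message_authenticator(pkt, secret))
    print("verifies with wrong secret:", verify_message_authenticator(pkt, b"other"))
```

The same routine applies to Status-Server, Disconnect-Request and CoA-Request packets, since each of them carries a random Request Authenticator in the header that the HMAC covers.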

PEAP EAP context is now cleared immediately when reading encrypted TLS
data fails.

AuthBy RADSEC did not correctly reinitialize when signalled with
SIGHUP leaking TCP connections, memory and TLS references. Fixed
similar memory leak in AuthBy RADIUS. TCP connection leak reported by
Karl Gaissmaier.

Logging enhancements: replies received by AuthBy RADIUS, AuthBy
RADSEC, Client, ServerRADSEC and SimpleClient.pm are now dumped using
the loggers configured for the respective clauses and
module. PacketTrace now affects the replies received by the
clauses. Function decode_attrs no longer dumps the received
request. Some messages are now logged by the clauses first instead of
just the main logger.

Added Blue Coat VSAs to dictionary. Contributed by Garry Shtern.

LDAP GSSAPI name resolution enhancements. Based on patch by Garry
Shtern.

Tested with RSA Authentication Manager 8.0. Updated OnDemand mode
prompt handling. No other changes required. Added new parameter
ChallengeHasPrompt to AuthBy RSAAM to enable sending RADIUS Prompt
attribute with Access-Challenge messages based on the RSA AM
responses.

Status-Server messages sent by AuthBy RADSEC and AuthBy RADIUS no
longer carry Proxy-State attribute. Improved logging in AuthBy RADSEC
when Proxy-State in reply is missing or mangled.

Added Lancom and CheckPoint GAiA VSAs and updated 3Com and H3C VSAs in
dictionary with the kind assistance of Philip Herbert.

Added new methods for inserting attributes in AttrList. Useful e.g.,
for Diameter AVP ordering. Added Origin-AAA-Protocol into DiaAttrList,
updated DiaDict to always use DiameterIdentity, DiameterURI,
IPFilterRule and QoSFilterRule as data type name instead of
short-forms. Fixed a number of spelling mistakes.

Added support for authentication with Duo Security
(https://www.duosecurity.com/). AuthBy DUO supports two-factor
authentication provided by the Duo Security Auth API. A sample
configuration file and a partial API simulator are included.

Registering an object by its Identifier in Configurable.pm is now done
just before object loading finishes, not during object
activation. This fixes the recently introduced problem where
configuration check gave incorrect results when Identifiers were used
for references. Reported by Karl Gaissmaier.

Added iPass VSAs to dictionary.

DiaPeer and DiaClient now support adding
Vendor-Specific-Application-Id attributes in Diameter CER message.

Configurable now calls check_config for each module just before it is
activated. Configuration checks done by modules within activate were
moved to check_config so that they will be run also when radiusd is
invoked with -c flag to check the config.

Updated sample certificates to expire Aug 14 11:37:20 2015
GMT. Updated goodies/mkcertificate.sh to check for CA.pl availability.

Added precompiled Authen-Digipass ppm package for Perl 5.16 on
Windows.

Added precompiled Authen-ACE4 ppm packages for Perl 5.16 on
Windows. Recompiled Authen-ACE4 ppm packages for Perl 5.14.

Added new global parameter BindV6Only. This optional parameter allows
turning on or off IPV6_V6ONLY socket option for IPv6 wildcard listen
sockets. Defaults to undefined and hence no setsockopt is done. See
RFC 3493 for more about IPV6_V6ONLY.

Client clauses now support CIDR notation for IPv6 clients. For
example: ipv6:2001:db8:1:2::/126 and ipv6:::ffff:192.168.1.0/120. It
is recommended, but not required, to install Math::BigInt::GMP or
Math::BigInt::Pari for faster matching. The default is to use slower
pure Perl implementation.
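To make the two notations above concrete, here is an added example in Python, not Radiator's own Client matching code, that parses "ipv6:" prefix specs like the ones quoted and decides which Client, if any, a peer address falls under. Two points it handles that the release note touches on: a peer seen in IPv4-mapped form (::ffff:a.b.c.d) on a dual-stack socket, and a mis-typed prefix whose host bits are not zero, which the example rejects at load time rather than silently widening. The sample Client list is constructed; accepting plain IPv4 specs and trying a mapped peer as IPv4 are this example's assumptions, not documented Radiator behaviour.

```python
import ipaddress


def parse_client_spec(spec):
    """Turn a Radiator-style Client name into an ip_network.

    'ipv6:<prefix>/<len>' is the notation described in the release notes; a bare
    IPv4 address or IPv4 CIDR is accepted too (assumption for this example).
    strict=True makes ipaddress raise ValueError when host bits are set, so a
    typo such as ipv6:2001:db8::1/64 fails at load time.
    """
    if spec.startswith("ipv6:"):
        return ipaddress.IPv6Network(spec[len("ipv6:"):], strict=True)
    return ipaddress.ip_network(spec, strict=True)


def load_clients(specs):
    """Parse all Client specs up front; a bad entry aborts the load, as a config check would."""
    return [(spec, parse_client_spec(spec)) for spec in specs]


def match_client(peer, clients):
    """Return the spec of the first Client whose prefix contains 'peer', else None.

    A peer reported as ::ffff:a.b.c.d matches an IPv6 Client directly and is
    also tried as the plain IPv4 address a.b.c.d so that an IPv4 Client still
    covers it (assumption: how Radiator itself treats mapped peers is not
    stated on the page). A plain IPv4 peer is never matched against an IPv6
    Client.
    """
    addr = ipaddress.ip_address(peer)
    candidates = [addr]
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    for spec, net in clients:
        for cand in candidates:
            if cand.version == net.version and cand in net:
                return spec
    return None


# Constructed sample Client list using the notations from the release notes.
CLIENT_SPECS = [
    "ipv6:2001:db8:1:2::/126",
    "ipv6:::ffff:192.168.1.0/120",
    "10.0.0.0/8",
]

if __name__ == "__main__":
    clients = load_clients(CLIENT_SPECS)
    for peer in ["2001:db8:1:2::3", "2001:db8:1:2::4",
                 "::ffff:192.168.1.77", "::ffff:10.1.2.3", "192.168.1.5"]:
        print(peer, "->", match_client(peer, clients))
```

A /126 covers only four addresses, so 2001:db8:1:2::4 correctly falls outside the first Client; the mapped 192.168.1.77 is accepted by the second, and a mapped 10.1.2.3 is accepted by the IPv4 Client through the fallback.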

Updates in many goodies example and other files.

Added preliminary support for AuthBy DIAMETER. AuthBy DIAMETER
converts RADIUS messages to Diameter messages and sends them to a
Diameter server. Currently targets RFCs 4005 and 6733.

AuthBy DUO did not indicate the request was handled asynchronously
causing problems with certain modules such as
ServerTACACSPLUS. Reported by David LaPorte.

Enhanced radpwtst help output and options file support. The file
format is now documented in the reference manual. The -time option now
works even when -notrace option is given.

Unnecessary DNS lookups were done when MAC: or CIDR Clients were
defined causing possible slowness during startup or ClientList
refresh.

Testing with Strawberry Perl on Windows. Updated installation
documentation and reference manual to include Strawberry Perl on
Windows.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

