[RADIATOR] Radiator Version 4.13 released

[Hartmaier Alexander]

Hi,
the following new feature seems to not work as I'd expect it:
PEAP and EAP-TTLS now make maximum fragment size available for inner
authentication protocols. EAP-TLS was improved to use this information.
This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with
environments with variable Framed-MTU sizes.

I've configured the outer PEAP Handler with EAPTLS_MaxFragmentSize 1350
and removed the value 1250 (1300 which we use for wired dot1x seems to
be too large) from the inner TLS handler which makes it fail the same
way as when configuring 1300.
Is the other value too large or how is the inner size calculated?

Thanks, Alex

On 2014-04-16 14:45, Heikki Vatiainen wrote:
> We are pleased to announce the release of Radiator version 4.13
>
> This version contains one new module for authenticating against YubiKey
> validation server and YubiHSM, some significant new features and bug fixes.
>
> As usual, the new version is available to current licensees from:
> https://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> https://www.open.com.au/radiator/demo-downloads/
>
> Licensees with expired access contracts can renew at:
> https://www.open.com.au/renewal.html
>
> An extract from the history file
> https://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
>
> Revision 4.13 (2014-04-16) Radius proxying, IPv6, TACACS+, Diameter and
> other enhancements. Bug fixes
>
>
>     Selected compatibility notes and enhancements
>
> Unknown attributes can now be proxied instead of being dropped
>
> Diameter enhancements may require changes to custom Diameter modules
>
> Major IPv6 enhancements include: Attributes with IPv6 values can now be
> proxied without IPv6 support, Socket6 is no longer an absolute
> prerequisite. 'ipv6:' prefix is now optional and not prepended in
> attribute values
>
> TACACS+ authentication and authorization can now be decoupled
>
> Bind variables are now available for AuthLog SQL and Log SQL.
>
> Status-Server requests without correct Message-Identifier are ignored.
> Status-Server responses are now configurable.
>
> LDAP attributes can now be fetched with base scope after subtree scoped
> search. Useful for example, tokenGroups AD attributes which are not
> otherwise available
>
> Newly added check for CVE-2014-0160, the OpenSSL Heartbleed
> vulnerability may log false positives
>
> New AuthBy for authenticating against YubiKey validation server added
>
> See Radiator SIM pack revision history for supported SIM pack versions
>
>
>
>     Detailed changes
>
> Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address,
> DNS-Server-IPv6-Address, Route-IPv6-Information,
> Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These
> attributes override a number of attributes that were previously
> commandeered by Ascend and Merit. The Ascend ones are still available in
> ascend.dictionary. The Merit attributes were added under the existing
> Merit VSA entry and the non-VSA Merit attributes were removed from the
> main dictionary. The non-VSA Merit attributes will continue to be
> available in a new file goodies/dictionary.merit
>
> AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS,
> MULTICAST and proxy algorithm AuthBys, now support special characters in
> AuthPort and AcctPort. Suggested by David Zych.
>
> Added in dictionary: Huawei-Loopback-Address, vendor 6139
> (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou
> Research and Development Center) and vendor 27262 DANTE Ltd.
>
> Unknown attributes can now be proxied when the new global configuration
> flag ProxyUnknownAttributes is set to true. Unknown attributes are now
> alwasy available with special names such as Unknown-9048-120, where 9048
> is the vendor id and 120 is the vendor attribute number. Unknown
> attributes are now logged with level WARNING instead of ERR. A warning
> is logged for each attribute once per sender IP address. Attribute names
> starting with Unknown are reserved in dictionary and ignored when the
> dictionary is loaded.
>
> Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and
> RFC 6930.
>
> Added support for dictionary type ipv4prefix required by RFC 6572. An
> example of ipv4prefix format is '192.168.1.0/24'. Added attributes from
> RFC 6572 in dictionary.
>
> Change in 4.12 caused ServerDIAMETER to always create new peer instances
> for new connections. This caused mainly WatchdogState DOWN log litter.
>
> AuthBy DIAMETER and other DiameterClient derived classes, such as
> Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support
> new option SCTPPeer. This option allows defining multiple SCTP peers for
> the initial SCTP association attempt.
>
> Added vendor Arista in dictionary. Updated Netscreen values. Contributed
> by Garry Shtern.
>
> Fixed AuthBy NTLM so it will not leave zombie processes around during
> reconfigure. Reported by Garry Shtern.
>
> AuthBy RATELIMIT now supports optional parameter MaxRateResult, which
> allows specifying the result when MaxRate is exceeded. MaxRateResult
> defaults to IGNORE.
>
> Significant IPv6 changes. Socket6.pm is no longer required if the core
> Socket module provides the required IPv6 support. Attributes with IPv6
> address or prefix type are now handled as binary if there is no Socket
> or Socket6 for IPv6 support. This fixes the problem with proxying when
> Socket6 was not installed. Prefix 'ipv6:' for IPv6 addresses is no
> longer required but will be accepted. Decoded values for IPv6 address
> type attributes will no longer have 'ipv6:' prefix. Startup log messages
> now contain information about the IPv6 support.
>
> Updated 3GPP (vendor 10415) attributes in dictionary.
> 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier
> were added. 3GPP-Charging-Gateway-Address,
> 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address
> are now the main attribute names while 3GPP-CG-Address,
> 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases.
> 3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias.
> Attribute types were corrected to use e.g., ipaddrv6, integer8 and
> integer16 for correct encoding and decoding. Added values for enumerated
> integer types.
>
> Reverted the previous attribute canonical name changes for vendor 3GPP.
> 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the
> names Radiator will use for decoding the attributes. The new names will
> be recognised as aliases. Also, 3GPP-PDP-Context name for value 0 is IP
> and IPv4 can be used as an alias.
>
> EAP_25.pm now makes inner identity available via outer context improving
> logging options.
>
> Updated Application IDs. Updated vendor 3GPP (10415) RADIUS compatible
> attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type
> values, fixed 3GPP-*-Address encoding to use OctetString instead of
> Address type, 3GPP-RAT-Type and other 8 bit enumerated values are
> encoded correctly. 3GPP attribute Location-Estimate type is now OctetString.
>
> Improvements to the sample wimax.sql database schema to support long
> capabilities values.
>
> Added VENDOR Radware 89 and VSA Radware-Role to dictionary.
>
> Logging level for rejected authenticaton attempts can now be configured
> globally and for each Handler or Realm. The level is set with new
> parameter LogRejectLevel. This optional parameter uses the same values
> as Trace option, and can be set globally or per Handler or Realm.
>
> Further logging enhancements. PacketTrace can now be configured to skip
> selected Log clauses. New flag parameter IgnorePacketTrace can be set in
> Log clauses which should not participate in PacketTrace logging. Thanks
> to David Zych for ideas and assistance with the latest logging improvements.
>
> Trailing NULs are now stripped from TACACS+ authorization arguments.
> Reported by Tim Cheyne.
>
> Fixed a bug in Diameter Address format encoding with IPv6 addresses.
> DiaClient now correctly formats IPv6 address in Host-IP-Address for TCP
> connections.
>
> TacacsClient module now supports connecting to TACACS+ servers over
> IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+
> servers. Requires IO::Socket::INET6.
>
> Account expiry dates starting with 'Mmm dd' for Expiration, ValidTo and
> ValidFrom check items now correctly check for valid month names.
> Reported by Kennyen Choo.
>
> Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to dictionary.
>
> Worked around the duplicate name for 3GPP Diameter Gx interface. Fixed
> typos in Diameter application names.
>
> ClientListSQL was calling parent's initialize twice. Clarified
> AuthSQLHOTP and AuthSQLTOTP parent initialize calls.
>
> Improvements to logging. Added support in Log.pm and LogGeneric.pm for
> dynamically setting the Trace level. An example of using User-Name from
> the current request is in goodies/hooks.txt.
> Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm
> handling. Worked around the duplicate name for 3GPP Diameter Rx interface.
>
> When special %s is used, the microseconds are now left padded with
> zeroes. Suggested by David Zych.
>
> PEAP and EAP-TTLS now make maximum fragment size available for inner
> authentication protocols. EAP-TLS was improved to use this information.
> This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with
> environments with variable Framed-MTU sizes.
>
> When reading parameter settings from a file with file:"filename", any
> trailing newlines are now removed from the end of file to make sure the
> value is correctly parsed. Reported by David Zych.
>
> Added goodies/address-allocator-sql.txt for further AddressAllocator SQL
> examples. Initial examples include MySQL and PostgreSQL queries for
> environments with multiple Radiator instances allocating from the same
> database.
>
> RDict.pm now supports new method vendorByNum which returns vendor data
> from a given vendor number. Enhanced Starent VSA decoding to make sure
> invalid lengths do not cause a crash. Added support and attributes for
> Starent VSAs which use 1 byte for type and 1 byte for length. The
> Starent VSAs in Radiator default dictionary use 2 bytes for type and
> length. Loading goodies/dictionary.starent-vsa1 after the default
> dictionary will cause Starent VSAs to use 1 byte type and length. The
> Starent VSAs in the default dictionary will not work with
> dictionary.starent-vsa1 and should not be used.
>
> Significant changes in Diameter dictionary handling: The dictionaries
> can now be separate modules and a specific dictionary is defined for the
> application. Diameter Credit Control attributes were moved in module
> DiaDict_4.pm while Diameter base, NASREQ, Mobile Ipv4, base accounting,
> EAP, SIP and relay applications still use the default dictionary
> DiaDict.pm. Any new dictionaries will be created as separate modules.
> Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer,
> ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil
> and DiaDict_4.
>
> Added support for salted and non-salted SHA-2 hashed passwords.
> Supported formats are {SHA256} {SSHA256} {SHA384} {SSHA384} {SHA512} and
> {SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2
> hashing. Suggested by Alexander Hartmaier.
>
> AddressAllocator DHCP can now use Class attribute for allocation state
> when configured with UseClassForAllocationInfo. This enables allocation
> and deallocation to work between server farm members. Configuration
> notes in goodies/addressallocatordhcp.cfg. Clarified some of the
> AddressAllocator DHCP options in addressallocatordhcp.cfg
>
> Functions pack_sockaddr_pton and gethostbyname in Util.pm and
> UtilSocket6.pm misinterpreted some hostnames as IPv6 addresses. Reported
> by Emanuel José Freitas.
>
> Updated Huawei VSAs in dictionary. Contributed by Alexander Hartmaier.
>
> AddressAllocator identifier in AuthBy DYNADDRESS now supports special
> formatting characters.
>
> Change in DiaPeer watchdog to recover better from unresponsive but still
> open TCP connections.
>
> Diameter dictionaries now support attribute flags. Added add_attr_d,
> get_attr_d and get_attrs_d in AttrList.pm for adding and accessing
> Diameter attributes with their names. Any flags, such as M flag, are
> automatically added based on dictionary. DiaAttrList and
> RadiusDiameterGateway now correctly set dictionary when using
> DiaAttrlist->new(). DiaDict is more verbose about possible problems with
> parsing dictionary files.
>
> Marked GroupCacheFile option in ServerTACACSPLUS as deprecated and
> removed code related to it.
>
> ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted
> TACACS+ authentication and accounting requests in a more consistent
> manner. Use of deprecated CommanAuth option gives a warning during
> startup. Minor cleanups to remove warnings when -w is used. Fixed
> mapping of missing GroupMemberAttribute value to 'DEFAULT' broken in the
> previous patch. Updated tacacsplusserver.cfg in goodies.
>
> ServerTACACSPLUS can now create a RADIUS Access-Request when TACACS+
> authorization request is received but no authorization info is known for
> the user. This can happen for example, when Radiator is restarted or the
> TACACS+ client uses some other protocol for authentication. These RADIUS
> Access-Requests carry Service-Type attribute with value Authorize-Only.
> Authorization based requests are enabled with AllowAuthorizeOnly flag
> which defaults to off. Updated tacacsplusserver.cfg and added
> OSC-TACACS-Authen-Method in dictionary.
>
> AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2
> authentication attempts instead of letting password check fail each time.
>
> Added support for PBKDF2 derived User-Password check items. Uses
> HMAC-SHA1 as the Pseudo Random Function (PRF). Requires
> Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be
> used to create derived password in the form Radiator honours.
>
> AuthLog SQL now supports SuccessQueryParam and FailureQueryParam
> parameters, which allow SQL bind variables to be used.
>
> AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate
> verification. New parameter ChallengePrefix allows setting the common
> prompt for PIN change and other challenge questions. Suggested by Garry
> Shtern.
>
> Log SQL now supports LogQueryParam parameters, which allow SQL bind
> variables to be used.
>
> Changes so that the plaintext password is not logged at debug level
> during EAP-TTLS/PAP authentication.
>
> Added support for SSLVerify, SSLCAPath, SSLVerifyCNName,
> SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters
> in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later or
> otherwise they are ignored. SSL client certificate options are now set
> using LWP if LWP version 6.0 or later is detected. These changes allow
> RSA AM server HTTPS certificate verification without environment variables.
>
> tacacsplustest in goodies now supports -bind_address command line
> argument. TacacsClient module can now pass local address to the socket
> constructor.
>
> Added eduroam-Monitoring-Inflate VSA to dictionary.
>
> Added StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.
>
> Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet
> dumps only when the log level is DEBUG or more verbose. IPv6 capability
> is now logged on DEBUG level if IPv6 functionality is provided by the
> Perl core or Socket6. INFO level message is logged only when there is no
> full IPv6 functionality.
>
> Added new module AuthBy YUBIKEYVALIDATIONSERVER with example
> configuration yubikey-validationserver.cfg. Authenticates against
> Yubikey Validation server. This allows using a YubiHSM Hardware Security
> Module (HSM) by one or more Radiator servers at the same time. The
> YubiHSM can be installed on the same server where Radiator runs on, or
> on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move
> common code to AuthYUBIKEYBASE.pm allowing AuthBy
> YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey
> specific support modules such as Auth::Yubikey_Decrypter.
>
> Added in dictionary: Attributes from RFC 7055. These started as UKERNA,
> vendor 25622, VSAs.
>
> Removed unneeded code from EAP_25.pm and TLS.pm.
>
> Added new global and Client specific configuration parameter
> StatusServer. This parameter sets the Status-Server response verbosity.
> The supported values are off, minimal and default. The global default
> can be overridden by each Client clause. Status-Server requests without
> correct Message-Authenticator attribute are now ignored.
>
> Added new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can
> now be configured to do a two step search to first locate the user's DN
> and then follow with a second search where the search base set to the DN
> and scope to 'base'. This is required for example, to get access to
> Windows AD constructed attributes, such as tokenGroups, which are only
> returned when the search scope is set to base. Updated ldap.cfg in goodies.
>
> Removed old and unneeded FirstSendTime, LastSendTime and Attempts from
> Radius.pm.
>
> EAP-TTLS now correctly exports the inner identity with
> $rp->{inner_identity} when the inner authentication is EAP.
>
> Added OSC-SIM-* attributes for exporting SIM/USIM authentication
> information. Added attributes for the upcoming RFC "RADIUS Attributes
> for IEEE 802".
>
> AuthBy SIP2 now honours Timeout option when connecting to SIP2 servers.
> The timeout defaults to 3 seconds.
>
> Added new parameter FailureBackoffTime to Resolver. If the lookup failed
> to discover any results and there was a timeout while waiting for the
> nameserver, this optional value specifies how long Radiator will wait
> before another lookup is made. Previous behaviour was to try again after
> NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old
> behaviour reported by Paul Dekkers.
>
> ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in
> CER. This is required by the current Diameter base RFC 6733. Value 0 is
> no longer announced with Acct-Application-Id in CER. Updated
> diameter-server.cfg.
>
> Added new global parameter KeepSocketsOnReload. Note: this is currently
> considered experimental. This optional flag controls whether opened
> RADIUS listen sockets should be left intact on a reload request. When
> enabled, the changes in BindAddress, AuthPort and AcctPort are ignored
> during reload. You may consider enabling this option when incoming
> RADIUS requests should be buffered during the reload instead of ICMP
> unreachable messages being sent back to the RADIUS clients. Contributed
> by Garry Shtern.
>
> Attributes added to the reply by EAP-FAST inner authentication will now
> be copied to the outer Access-Accept too. This is similar to how PEAP
> and EAP-TTLS already function. Suggested by Jakob Schlyter.
>
> Added the first version of RuntimeChecks module with two checks. The
> first uses Net::SSLeay to try to detect OpenSSL versions which may have
> the Heartbleed (CVE-2014-0160) vulnerability. The second test checks for
> the availability of Digest::MD4 which is often required because of
> MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be
> disabled with the new configuration parameter DisabledRuntimeChecks.
> Future checks are added as needed. The module is also available for
> Hooks to implement site local checks.
>
> Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access
> were incorrectly entered in the dictionary. Reported by Jason Griffith.
>
> Ldap.pm could crash while logging with old Net::LDAP versions. Reported
> by Mauricio Montoya Bustamante.
>
>
> -
> Heikki Vatiainen <hvn at open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*