[RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

Heikki Vatiainen hvn at open.com.au
Thu Jul 16 08:07:08 CDT 2015


On 16.7.2015 13.42, Hartmaier Alexander wrote:

> I couldn't find info about CEF and JSON logging in the reference manual,
> should be included at least as keywords with a pointer to the
> 'logformat.cfg' goodies file although I'd prefer having it in the main docs.

Good point. I'll see that CEF and JSON will be mentioned in ref.pdf.

The configuration sample file 'logformat.cfg' is mentioned where 
LogFormatHook for Log FILE and AuthLog FILE are described. It's also 
mentioned where AcctLogFileFormatHook for accounting messages is described.

The configuration sample shows how to use the new module 
Radius/LogFormat.pm. This module includes CEF and JSON authentication 
log formatting and JSON accounting log formatting.

There's also an example of how to use a custom module, possibly modified 
from Radius/LogFormat.pm, to change the formatting or add new formats.

> Is there a way to log the used TLS version and cipher to find out which
> ones are in use before restricting it with the new EAPTLS_Protocols and
> EAPTLS_Ciphers config options?

I think the ciphers are the ones that can be listed with 'openssl 
ciphers -v'; these depend on the SSL/TLS library. Older OpenSSL versions 
seem to have quite a different set of ciphers than the most recent 
LibreSSL, for example.

In other words, the ciphers could be listed by radiusd, but you can also 
see them from the command line. Also, a new DEBUG level log message was 
added to show which Net::SSLeay version and SSL/TLS library is used to 
make sure radiusd uses what you expect it to.

The protocols also depend on what's compiled in the SSL/TLS library. I 
think the recent LibreSSLs do not have SSLv3 support anymore. Are you 
thinking about printing the available SSL/TLS versions before 
restricting them? Note that for TLS based EAPs, TLSv1 is the minimum so 
SSLv3 is not possible which means what you can use is TLSv1 or better.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.

