[RADIATOR] New features and changes in the next Radiator release
Heikki Vatiainen
hvn at open.com.au
Thu Jun 18 03:29:00 CDT 2015
There are a number of new features and changes in the current Radiator
4.14 patches that we thought might be of interest to the list members.
Any comments and questions are welcome.
Windows Eventlog logging
++++++++++++++++++++++++
New modules AuthLog EVENTLOG and Log EVENTLOG are now included. See
goodies/eventlog.cfg for instructions and more information about DLLs
that are useful, but not required, to set up eventlog. There are both
sources and precompiled binaries for the DLLs in goodies.
Clustering control plane support with Gossip framework
++++++++++++++++++++++++++++++++++++++++++++++++++++++
A Gossip [1] framework with a Redis based implementation was recently added
to the patches. The purpose of the framework is to allow individual Radiator
instances to share information with each other.
For example, server farm members can use Gossip to relay next hop proxy
unreachability/reachability information to each other. This allows
faster recovery from failures and other events as opposed to each
instance doing detection and recovery individually.
The patches have an implementation for this. Radiator instances, not
restricted to just farm members, can share next hop proxy status
information based on Status-Server or lack of responses to normal
requests. In addition, a farm can be configured so that Status-Server is
run by only one member whose responsibility is to send reachability
updates to the other members via Gossip.
Future uses may include distributing TACACS+ authorisation
information, TLS session tickets, configuration updates or anything a
custom Radiator installation may require.
TLS updates
+++++++++++
TLS and SSL configuration options for TLS based EAP methods and TLS
enabled stream protocol modules, RadSec, Diameter, ServerHTTP, etc.,
have been updated.
New configuration parameters EAPTLS_Ciphers and TLS_Ciphers allow
defining the supported ciphersuites. The current default for both is
'DEFAULT:!EXPORT:!LOW'. This should provide the least amount of surprises
when upgrading.
New configuration parameters EAPTLS_TLS_Protocols and TLS_Protocols are
available for defining which TLS versions (or SSLv3) to support.
When TLS_Protocols is defined, it overrides UseTLS and UseSSL.
EAPTLS_Protocols is available for restricting supported TLS versions for
TLS based EAP methods. The default is to support all available TLS versions.
A useful resource for TLS configuration is, for example, the Mozilla TLS
server guide [2].
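As an added illustration that is not part of the original post or of Radiator's goodies, here is a RadSec listener and a PEAP AuthBy clause that use the new parameters to restrict protocol versions and ciphersuites, with the post's permissive defaults shown in comments for comparison. The clause names, certificate parameters and file paths, and the comma-free single-value form of TLS_Protocols are assumptions taken from common Radiator configurations; the cipher string uses standard OpenSSL aliases.

```apacheconf
# Added example: TLS hardening with the new Radiator parameters.
# Assumed: <ServerRADSEC> and <AuthBy FILE> clauses and the TLS_*/EAPTLS_*
# certificate parameters; paths are placeholders. Check your version's
# reference manual for the exact TLS_Protocols value syntax.

<ServerRADSEC>
    # IANA-assigned RadSec port
    Port 2083

    # Certificate material (placeholder paths)
    TLS_CAFile          %D/certificates/ca.pem
    TLS_CertificateFile %D/certificates/radsec-server.pem
    TLS_PrivateKeyFile  %D/certificates/radsec-server-key.pem
    # Mutual authentication: peers must present a certificate from our CA
    TLS_RequireClientCert

    # Permissive settings equivalent to the upgrade defaults described above:
    #   TLS_Ciphers   DEFAULT:!EXPORT:!LOW   (still admits RC4 and 3DES suites)
    #   TLS_Protocols (unset)                (UseTLS/UseSSL decide, SSLv3 possible)
    #
    # Hardened settings: TLS 1.2 only, forward-secret AEAD suites preferred,
    # anonymous, NULL, MD5, RC4 and 3DES suites explicitly excluded.
    TLS_Protocols TLSv1.2
    TLS_Ciphers   EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES
</ServerRADSEC>

# Same policy for the TLS tunnel of a TLS based EAP method (here PEAP).
<AuthBy FILE>
    Filename %D/users
    EAPType PEAP, MSCHAP-V2

    EAPTLS_CAFile          %D/certificates/ca.pem
    EAPTLS_CertificateFile %D/certificates/eap-server.pem
    EAPTLS_PrivateKeyFile  %D/certificates/eap-server-key.pem

    # Default would be all available TLS versions; keep old supplicants in
    # mind before narrowing, since they will fail to authenticate.
    EAPTLS_Protocols TLSv1.2
    EAPTLS_Ciphers   EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES
</AuthBy>
```

After a restart, `openssl s_client -connect <radsec-host>:2083 -tls1` should fail the handshake while `-tls1_2` succeeds, which confirms the listener no longer offers the older versions.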
Server farm
+++++++++++
Server farm users may be interested in the possibility of using shared
memory for the duplicate cache. With this parameter, the
UseContentsForDuplicateDetection parameter is no longer needed.
Structured logging
++++++++++++++++++
New module LogFormat.pm has examples of how to format Radiator log and
authentication log messages in JSON and CEF (ArcSight Common Event
Format) formats. Configuration sample goodies/logformat.cfg has more
information about how to create a custom module for your local logging
requirements.
[1] https://en.wikipedia.org/wiki/Gossip_protocol
[2] https://wiki.mozilla.org/Security/Server_Side_TLS
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.