[RADIATOR] Radiator Version 4.17 released - enhancements, new features, security and other fixes
Heikki Vatiainen
hvn at open.com.au
Wed Sep 21 06:27:41 CDT 2016
We are pleased to announce the release of Radiator version 4.17
This version contains enhancements, new features, security and other
fixes described below.
As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html
Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.17 (2016-09-21) enhancements, new features, security and
other fixes
Selected compatibility notes, enhancements and fixes
radiusd now exits during startup if it can not load the objects
required by the configuration file.
Hooks and custom code that call get_plaintext_password or
translate_password should be checked for compatibility
AuthBy RADSEC now supports Radiator's Gossip framework for
reachability information
Any hooks or custom code that needs to save data across resumed
EAP-TLS, EAP-TTLS or PEAP authentication sessions must now use
resume context. See EAP.pm for the details.
RADIUS dictionary name space was changed for IANA registered
attributes. Any hooks or custom code that accesses RADIUS
dictionary, or does RADIUS - Diameter conversion may need updates.
JSON time stamp formats were corrected and unified in LogFormat.pm
AuthBy DUO now does pre-authentication by default
AddressAllocator SQL now supports IPv6 prefix allocation
Session resumption for TLS based EAP methods was enhanced
Many new features and options for SessionDatabase modules
AuthBy RADIUS supports configuration parameter Asynchronous for
easier AuthByPolicy handling
New MessageLog clauses for logging RADIUS and other messages
StatsLog updates including cumulative and derivative statistics
HTTP digest authentication must now be enabled per AuthBy basis
Security fixes for AuthBy LDAP2 when used with EAP. OSC
recommends all AuthBy LDAP2 users to review OSC security
advisory OSC-SEC-2016-01
https://www.open.com.au/OSC-SEC-2016-01.html
Features not in this release yet, known caveats and other notes
OCSP support
Selection of proxy algorithms for AuthBy RADSEC
No testing with OpenSSL 1.1.0. Testing with OpenSSL 1.0.2h,
Net::SSLeay 1.78, iOS 10, Android 7 and Windows 10
PEAP session resumption sometimes fails on Windows. Further
investigation is ongoing
Major documentation update. Radiator reference manual is
available in HTML format again
Detailed changes
Updated debug log messages for Stream classes. The stream client
and server now log the destination name and its currently
resolved address more clearly in the debug log messages. This
affects log messages for RadSec, Diameter, ServerHTTP and other
Stream based modules.
AuthBy RADSEC now logs packet dumps for the Status-Server
replies it receives from the next hop proxy. The Port
configuration variable is now formatted when RadSec Host is
activated. This allows logging the actual port number instead of
the unformatted configuration value.
Added Gossip support for AuthBy RADSEC. The RadSec Hosts can now
distribute next hop proxy reachability information with Gossip.
The configured Host name, not the current IP address, is used as
the key when determining if the current report should be
processed. The behaviour is currently slightly different from
AuthBy RADIUS. Updated radsec-client.cfg in goodies. Suggested
by Jan Tomasek.
Updated AuthBy RADSEC log messages to be more clear about
destination name, IP address and port.
While loading dictionaries, Radiator now logs a warning when the
vendor has not been defined for a vendor specific attribute.
Correct configuration file names are now logged when there are
errors parsing the included configuration files during radiusd
startup. Previously the file name might have been the main
configuration file name. Reported by Kilian Krause.
Clause ends are now checked for matching starts while the
configuration file is read. Possible mismatches and incorrectly
ended clauses are logged with a warning, but no other action is
currently taken.
Gossip messages sent by one AuthBy RADIUS module will now be
accepted by all the other AuthBy RADIUS modules within the same
radiusd instance. Previously the messages were always ignored
when they originated from the same instance. This behaviour is
now similar to what AuthBy RADSEC does.
AuthRADIUS and AuthRADSEC now include the type of the failed
request in the Gossip messages. A module using
UseStatusServerForFailureDetect will now act only on failed
Status-Server requests. With report and help from Paul Dekkers.
AuthBy LDAP2 now logs the search filter with the query results.
Added VENDOR 3GPP 10415 VSA 3GPP-User-Location-Info-Time from
document TS 29.061 version 12.10.0 to dictionary.
AuthBy DYNADDRESS now uses MapAttribute yiaddr when processing
Accounting-Requests. Previously the address was always fetched
from Framed-IP-Address.
AddressAllocator SQL now supports IPv6 prefix allocation.
Updated addressallocator.cfg in goodies.
Fixed a problem in ServerTACACSPLUS where some requests sent by
a high volume client were discarded during read.
New example farmchildhook.txt in goodies shows how to use
FarmChildHook to rotate AuthPort, AcctPort and DBSource. Used in
FarmChildHook EAP environments with a backend radius behind
HASHBALANCE or similar. See the file for full details.
Contributed by Christian Kratzer, CK Software GmbH.
Added support for PoolGroup and Priority configuration
parameters for AddressAllocator SQL AddressPools. These
parameters set the values for specials %4 and %5 for
AddAddressQuery. A PoolGroup defines a name to group multiple
pools with different priorities set by Priority. Suggested by
Damjan Kukas.
Added new hook NoAddressHook for the SQL allocator. The hook is
called when there are no addresses left or the allocation fails
because of too many simultaneous tries. The hook is passed
references to $p, $rp, $result, $reason and the value of pool
hint. To change the type of reply, you should change $result
from $main::REJECT to the desired value.
Enhancements to SessionDatabase configuration within Handlers.
New Handler parameter SessionDatabaseOptions is available for:
turning off session delete to clean up possibly hung sessions
during authentication, enabling SessionDatabaseUseRewrittenName,
turning on adding sessions before authentication and turning on
adding sessions after successful authentication.
Gossip framework now supports forget() to remove a message
previously posted with note(). In the case of the Redis backend,
forget() maps to the Redis DEL command.
Updated GossipRedis default Timeout from 3 to 1 second. Timeout
is now also used for: sentinel connections, sentinel reads,
sentinel writes, server read and server write in addition to
server connections. Fixed some typos in Gossip sample file
farmsize.cfg.
NAS-IPv6-Address, if present, is now a possible value for NAS
identifier if there is no NAS-IP-Address. This allows, for
example, session database modules to use NAS-IPv6-Address if
present in the request. Removed unneeded code from various
modules since RecvFromAddress is always present in the current
request.
Radiator can now do delayed restart or termination. The action
is delayed until there are no more requests to serve from the
sockets. The delay is done in two phases. First, a configured
number of seconds is waited before the requested restart or
termination action is started. Second, the remaining requests
from the incoming sockets are served. This allows processing the
queued requests before continuing with the restart or termination.
The delay is enabled and controlled by a new global
configuration parameter DelayedShutdownTime. This defines the
length of the first phase in seconds. DelayedShutdownHook is
called immediately when the first phase starts. The hook can,
for example, signal upstream proxies about the impending shutdown.
Added support for OSC's new load balancer. The LB proxies
labeled requests to Radiator, which processes them as if they
were received directly from the NAS. The label support is
enabled with the new global configuration flag parameter
UseProxyLabel which defaults to off.
Internal enhancements for EAPAnonymous handling. Also,
$rp->{inner_username} now has the value of inner User-Name, if
any, for EAP-TTLS.
Added support for using State attribute for identifying ongoing
EAP conversations. New global configuration flag parameter
EAP_UseState, currently set to off by default, enables or
disables the use of State with EAP for the whole server.
AuthBy EAPBALANCE users should convert to, for example, AuthBy
HASHBALANCE to avoid adding a second State in the proxied requests.
Users of other load balancers may find State advantageous when
setting up LB rules. The value of State does not change during
the EAP message exchange.
Server Identifier, the global Identifier parameter, now supports
special formatting characters. The format is applied during the
server startup. A 32 hex character long hash is calculated from
the formatted Identifier for any possible later use.
Added new Gossip backend module GossipUDP. GossipUDP provides
support for direct UDP communication between Gossip peers.
Gossip message format was extended to support optional header
for TTL, payload encryption and other future uses.
Added peer join and unjoin messages in GossipUDP. These messages
allow the use of GossipREDIS, or some other Gossip backend, as a
discovery mechanism to set up direct GossipUDP peering.
Added new AuthBy GOSSIP module that supports authentication and
authorisation against Gossip backends such as GossipUDP and
GossipREDIS.
PBKDF module now supports HMAC-SHA-256 as the pseudorandom
function (PRF).
Added new module AES_GCM that supports the use of AES in
Galois/Counter Mode (GCM). AES_GCM requires Crypt::GCM.
Enhanced the Gossip framework to support message encryption.
Requires the Radiator AES_GCM module.
Sending of RFC 5176 Disconnect-Request and CoA-Request messages
was enhanced with two new modules and minor changes to Client.pm
and AuthRADIUS.pm. Client.pm has new configuration parameters
DynAuthSecret, DynAuthPort and UseMessageAuthenticator to define
the dynamic authorisation capabilities of the NAS. New module
AuthDYNAUTH.pm is available for building dynauth requests and
dispatching them to Handlers. The dispatched dynauth requests
can be matched with <Handler DynAuthRequest=1>. New module
AuthRADIUSBYATTR.pm is available for forwarding the newly built
dynauth request to the NAS based on the dynauth request
contents. AuthBy RADIUSBYATTR is a subclass of AuthBy RADIUS and
will automatically handle retransmissions. The dynauth responses
will be handled by AuthBy DYNAUTH. AuthBy DYNAUTH can optionally
register itself with Gossip to receive requests from, for
example, remote management to send dynauth messages pertaining
to the online users. Works with SessionDatabase REDIS to share
session information between Radiator instances and user management.
Added new StatsLog module StatsLog REDIS. StatsLog REDIS logs
statistics to Redis for management applications, log transport
agents, such as logstash Redis input plugin, or any later use.
The statistics are currently logged in JSON format. Added a
configuration sample in statslog.cfg in goodies.
Diameter OriginHost and OriginRealm configuration parameters now
support formatting characters.
Added VENDOR Meraki 29671 and VSA Meraki-Device-Name to dictionary.
New module AuthRADIATORLB.pm supports proxying requests to OSC's
new Radiator load balancer. This module can be used together
with AuthBy DYNAUTH and currently supports only RFC 5176 dynamic
authentication requests which need to originate from Radiator
and be sent by the LB towards the NAS. Gossip framework is
supported for learning the LB addresses and dynauth ports.
GossipUDP now logs a warning if the Gossip flag parameter or one or
more GossipUDPPeer clauses have not been configured. When this
happens GossipUDP has no way of knowing about its UDP peers.
Updated Diameter command code list. Command codes now use IANA
registered names. This changes Diameter DEBUG message dumps for
some command codes. For example, CER is now logged as
Capabilities-Exchange.
Added support for Diameter statistics log. The statistics are
collected for Diameter message counts, command codes and errors.
Stats are collected for peer, origin, port and application and
can be used for Diameter SNMP MIBs. New module DiaStatsLogREDIS
provides support for writing the statistics in Redis. Other log
modules will be added later.
Added an example in goodies/hooks.txt showing how to use AuthBy
RADIUS ReplyHook with two AuthBy RADIUS clauses together with two
Handlers and an AuthBy HANDLER clause.
EAP Identity and MSCHAPv2 name equality check is now case
insensitive. Reported by Serge Andrey and René Hennequin.
Log messages related to an authentication exchange and to its
subsequent accounting session can now be logged with a tracing
identifier. A new global and Log clause level configuration
parameter LogTraceId enables prepending the tracing id to
messages logged to stdout and with Log FILE when LogStdout is
enabled.
A new Handler level configuration parameter AutoClass adds a
specially formatted Class attribute in Access-Accept messages.
This allows carrying the tracing id to accounting logs and the
session database to access the tentative Class value during the
request handling.
New functions compose_state() and decompose_state() in Util.pm
will handle adding and extracting state information from State
and Class attributes.
The tracing id works in conjunction with the Radiator load
balancer allowing coordinated log message indexing and lookup
between front end load balancers and backend workers.
Updated AuthLog and Log modules to use the recently added
tracing id. The tracing id is now available as a parameter to
LogFormatHooks and SQL loggers. Updated LogFormat.pm JSON hooks
to log the tracing id. The global LogTraceId configuration
parameter now affects only logs sent to stdout and the default
log configured with LogFile.
Session database clauses now support SessionIdentifier
configuration parameter. This parameter defaults to
Acct-Session-Id and can be used to change the session
identification attribute used by the session database clause.
Useful, for example, when the authentication request contains
the future, possibly vendor specific, session identifier attribute.
The recently added AutoClass configuration parameter now
supports optional arguments for further Class attribute
formatting. The currently supported arguments are uuid and
formatted, which add a hex UUID value or a Radiator formatted
string, respectively. The default is not to add anything.
Configuration parser's clause start to clause end matching is
now case insensitive. Suggested by Alan Buxey.
Added two new formatting specifiers 'RequestVar' and 'ReplyVar'
which provide access to the request and reply objects. This is
similar to, for example, the existing 'Handler' formatting specifier.
Handler now supports returning to the AuthBy stack. This allows
AuthBy RADIUS and its subclasses to return to evaluating
AuthByPolicy when a reply is received from the remote proxy.
AuthBy RADIUS and its subclasses now support the new boolean
configuration parameter Asynchronous that enables this new
behaviour. AuthBy GOSSIP was changed to always use the new
ASYNC return code.
Added the recently introduced tracing id support in AuthBy GOSSIP
Enhanced Gossip encryption to support simple key rollover: the
key with second highest index is now used for encryption. This
allows gradually adding new keys and removing old keys to Gossip
enabled instances.
Added the recently introduced tracing id support for Radiator
Diameter logging.
Added support for time limited prepaid plans in AuthBy
FIDELIOHOTSPOT. The SQL queries are now fully configurable.
*Note:* support for time limited plans extends the SQL table named
service. To avoid compatibility problems with current
configurations, add an integer column called duration to the
service table with value 0. Alternatively, reconfigure the SQL
ServiceSelect to return 0 for duration. See the updated
fidelio-hotspot.cfg and fidelio-hotspot.sql configuration
examples in goodies.
New optional global configuration parameter
ResponseTimeThreshold tells Radiator to log a warning
when the processing time exceeds the configured millisecond
threshold. The warning contains the request's User-Name and info
about the Client, Handler and AuthBy which processed the request.
radiusd now clears its child array after fork to avoid
incorrectly calling waitpid for parent's children. Reported by
Alan Buxey.
Added a new utility script hexdump2wireshark.pl in goodies. This
script parses Radiator Trace 5 log and extracts packet hex dumps
from it. The hex dumps are written to a separate output file
which can be imported into Wireshark or converted into pcap file
with text2pcap.
Usage:
    perl goodies/hexdump2wireshark.pl < /var/log/radius/logfile > radius-logfile-hexdump.txt
The .txt file can then be imported into Wireshark or converted
into a pcap file with text2pcap:
    text2pcap -i 17 -u 1812,1812 radius-logfile-hexdump.txt radius-logfile-hexdump.pcap
The script also supports "#TEXT2PCAP" directives in the .txt
hexdump, but currently text2pcap does not have any directives
implemented.
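The hex dump layout text2pcap consumes is simple enough to produce directly from packet bytes, which is also a handy way to sanity check what the conversion above expects. The following is an added example, not the goodies/hexdump2wireshark.pl script: it encodes a constructed Access-Request (RFC 2865 header plus two attributes), checks that the RADIUS Length field matches the bytes captured so a truncated dump does not become a malformed frame, and renders the packets as offset-prefixed hex lines. The attribute values and the fixed authenticator are constructed for the example.

```python
"""Added example: emit RADIUS packets in the hex dump layout text2pcap reads.

text2pcap starts a new packet whenever it sees offset 000000, so several
packets can share one file. The packet bytes below are constructed for
the example; the RADIUS header layout follows RFC 2865 section 3.
"""
import os
import struct

ACCESS_REQUEST = 1
RADIUS_HEADER_LEN = 20


def build_access_request(identifier, attributes, authenticator=None):
    """Encode an Access-Request from (type, value) attribute pairs.

    A random 16-byte Request Authenticator is used unless one is supplied
    (the test passes a fixed value so the output is reproducible).
    """
    if authenticator is None:
        authenticator = os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(
        struct.pack("!BB", attr_type, len(value) + 2) + value
        for attr_type, value in attributes
    )
    length = RADIUS_HEADER_LEN + len(body)
    if length > 4096:
        raise ValueError("RADIUS packet exceeds 4096 bytes")
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body


def parse_radius_header(packet):
    """Return (code, identifier, length).

    Rejects dumps whose Length field disagrees with the number of bytes
    actually captured, e.g. a hex dump cut short in the log.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} but {len(packet)} bytes captured")
    return code, identifier, length


def to_text2pcap(packets, width=16):
    """Render packets as 'offset hexbytes' lines, `width` bytes per line,
    packets separated by a blank line. Convert the result with:
        text2pcap -i 17 -u 1812,1812 dump.txt dump.pcap
    (-i 17 adds a dummy IP header with protocol UDP, -u the UDP ports).
    """
    chunks = []
    for packet in packets:
        parse_radius_header(packet)  # refuse inconsistent packets early
        lines = []
        for offset in range(0, len(packet), width):
            hex_bytes = " ".join(f"{b:02x}" for b in packet[offset:offset + width])
            lines.append(f"{offset:06x} {hex_bytes}")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    # Constructed sample: User-Name (1) "mikem" and NAS-IP-Address (4) 192.0.2.1
    sample = build_access_request(1, [(1, b"mikem"), (4, bytes([192, 0, 2, 1]))])
    print(to_text2pcap([sample]), end="")
```

Because the Length check runs before rendering, a packet whose dump was cut short is reported with its line rather than silently producing a frame that Wireshark flags as malformed.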
Minor correction to the Diameter peer state machine: event
I-Rcv-DPA in Closing state was duplicated and the transition for
I-Rcv-DPA was missing. Removed extra newline from Diameter state
change logging.
The linux startup script linux-radiator.init now checks if the
PID file or system init utility functions indicate radiusd is
already running before starting a new instance.
Added support for /preauth endpoint in AuthBy DUO. This endpoint
determines if the user is authorised to log in and returns the
available authentication factors for the authorised user.
Simplified TLS based EAP methods to use TLS session id more
frequently with internal ids.
Added support for VSA translation. Attributes in incoming and
outgoing RADIUS messages can now be translated to and from
internal presentations. For example, different MAC address
formats can be normalised for logging and values for reply
attributes can now be set based on the Client or AuthBy RADIUS
vendor type.
Full example showing the new VsaTranslateIn, VsaTranslateOut and
the related new configuration parameters is in
goodies/vsa-translate.cfg.
Diameter BIR (Bootstrapping-Info) command was misspelled as
Boostrapping-Info.
AuthBy DUO SecretKey and IntegrationKey configuration parameters
now support formatting variables. The formatting is done once
during the module activation.
radpwtst -interactive option now queries the password. The
password query is done without local echo. With -interactive,
there is no need to specify the password on the command line
with the -password option anymore.
Perl Term::ReadKey is needed on Windows. Some unix based systems
are supported directly but Term::ReadKey is recommended for
cross platform support.
Removed unneeded line BEGIN-VENDOR Freeswitch from dictionary.
Reported by Eddie Stassen.
Improved debug logging in AuthBy DYNADDRESS and Diameter
watchdog state changes. Fixed misspelled LOG_ERROR and LOG_WARN
log levels which all mapped to LOG_ERR.
Added support for MessageLog to log sent and received RADIUS,
Diameter and TACACS+ messages. Initial support includes logging
RADIUS messages in text and text2pcap formats to a file.
Configuration sample is in goodies/logformat.cfg.
getTimeHires() in Util.pm now checks the calling context when
Time::HiRes is not installed and returns a list or scalar like
Time::HiRes does.
StatsLog modules now calculate packet rates for each StatsLog
module separately. This allows having multiple StatsLog clauses
in the configuration, all with their own Interval values. Packet
rates are now separate and do not affect other StatsLog clause
packet rates.
Updates to statistics logging. All StatsLog clauses now support
two new configuration parameters: StatsType and
RateCalculationInterval.
StatsType defines the stats output type. Possible values are:
cumulative, derivative, packet_rate and all. Cumulative counter
shows the number of processed packets. Derivative is the
difference (delta) between two counter values in time interval.
Packet_rate is the amount of packets transferred within time
interval (packets per second). Type all produces output from all
available statistic types (cumulative, derivative and
packet_rate). The default is cumulative.
Sometimes you may want to calculate packet rates that are
different from the value of Interval. RateCalculationInterval is
an optional parameter that defines the time interval (in
seconds) in which the packet rate is calculated. For example, if
Interval is set to 600 seconds and RateCalculationInterval is
set to 60, packet rate then shows the (average) amount of
packets in 60 second interval. RateCalculationInterval defaults
to value of Interval.
See statslog.cfg in goodies for detailed examples.
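To make the StatsType and RateCalculationInterval arithmetic concrete, here is an added example (not Radiator's StatsLog code). Each StatsTracker instance stands for one StatsLog clause and keeps its own previous counter sample, which is what lets two clauses with different Interval values report independent rates. The packet_rate reading used here, the counter delta scaled to one RateCalculationInterval window using the time actually elapsed between reports, is this example's interpretation of the text above; the 600/60 second figures are the ones from that text.

```python
"""Added example of the StatsType / RateCalculationInterval arithmetic.

Not Radiator's own code: a model of one StatsLog clause reporting on a
cumulative packet counter.
"""

STATS_TYPES = ("cumulative", "derivative", "packet_rate", "all")


class StatsTracker:
    def __init__(self, interval, rate_calculation_interval=None, start_time=0):
        """interval: seconds between reports (the clause's Interval).
        rate_calculation_interval: window for packet_rate; defaults to interval.
        Counters are 0 when the server starts at start_time."""
        if interval <= 0:
            raise ValueError("Interval must be positive")
        self.interval = interval
        self.rate_interval = rate_calculation_interval or interval
        if self.rate_interval <= 0:
            raise ValueError("RateCalculationInterval must be positive")
        self._prev_time = start_time
        self._prev_count = 0

    def report(self, now, counter, stats_type="cumulative"):
        """Return the values a report at time `now` contains for the given
        StatsType, then remember this sample for the next report."""
        if stats_type not in STATS_TYPES:
            raise ValueError(f"unknown StatsType {stats_type!r}")
        elapsed = now - self._prev_time
        if elapsed <= 0:
            raise ValueError("report time must advance")
        # A counter below the previous sample means radiusd restarted and
        # the counter began again at 0: everything seen since is new.
        delta = counter if counter < self._prev_count else counter - self._prev_count
        out = {}
        if stats_type in ("cumulative", "all"):
            out["cumulative"] = counter            # packets since startup
        if stats_type in ("derivative", "all"):
            out["derivative"] = delta              # packets since the last report
        if stats_type in ("packet_rate", "all"):
            # Average packets per RateCalculationInterval seconds. With the
            # default (RateCalculationInterval == Interval) and reports
            # arriving exactly every Interval seconds this equals delta.
            out["packets_per_second"] = delta / elapsed
            out["packet_rate"] = delta / elapsed * self.rate_interval
        self._prev_time, self._prev_count = now, counter
        return out


if __name__ == "__main__":
    # Interval 600 with RateCalculationInterval 60, as in the text above.
    ten_min = StatsTracker(600, 60)
    print(ten_min.report(600, 120000, "all"))   # packet_rate 12000.0 per 60 s
    # A second clause with Interval 60 keeps its own previous sample.
    one_min = StatsTracker(60)
    print(one_min.report(60, 6000, "packet_rate"))
```

The two trackers in the usage section read the same counter but never share state, so adding or removing a StatsLog clause changes nothing in the rates the others report.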
SqlDb.pm now logs clearly if connect to a SQL database fails
because of missing driver. For example, if DBSource is
configured with dbi:mysql:... but DBD::mysql is not present, a
verbose error is logged in addition to calling
ConnectAttemptFailedHook.
Added VENDOR AudioCodes 5003 and VSA AudioCodes-ACL-Auth-Level
to dictionary. Contributed by Peter Hendrikx.
Added support in MessageLog for Diameter logging. Updated RADIUS
MessageLog text format to include time stamps.
AddToReply and the related parameters were incorrectly adding to
Access-Reject messages too. These are now skipped for
Access-Reject replies.
Host's adjustReply() for AddToReply and related configuration
parameters was not called when a reply was received over RadSec.
AuthBy DYNAUTH now supports SessionCheckHook that will be called
after SessionChecks have been evaluated. It can be used to
implement custom or additional logic for session checking.
Setting the hook's $result parameter with ${$result} = 0; triggers
sending a DM/CoA.
Added initial support for encrypting and obfuscating secrets,
passwords and other sensitive values in configuration files.
Client and AuthBy DYNAUTH clauses now support
EncryptedDynAuthSecret and Client has support for EncryptedSecret.
LocalAddress and LocalPort are now common configurable
parameters for Stream modules. Updated AuthBy DIAMETER and
AuthRADSEC not to use separate definitions for these parameters.
The local address is now bound with SO_REUSEADDR socket option
when LocalAddress is defined for a stream client.
Simplified logformat.cfg: it's no longer required to use
StartupHook to load Radius::LogFormat. Radius::LogFormat is now
loaded by the logging modules directly.
In AuthBy DIAMETER, Origin-Host and Origin-Realm are now taken
from configuration parameters. All reverse lookups for deducing
Origin-* are now removed.
Destination-Realm is first taken from User-Name's realm part. If
there is no realm, then the DestinationRealm configuration
parameter is used. DestinationRealm now defaults to
'testdestinatonrealm' in DiaClient.pm.
DestinationRealm and DestinationHost parameters now support
formatting characters. The formatting is done when the AuthBy
DIAMETER, or any other clause derived from DiaClient.pm, is
activated.
AuthBy DIAMETER now supports new configuration parameter
EAP_ApplicationId. EAP_ApplicationId defaults to value
Diameter-EAP. EAP_ApplicationId defines the Diameter message's
Application-ID value and Auth-Application-Id AVP value for the
converted RADIUS EAP requests. The default converts RADIUS EAP
authentication to Diameter EAP application. The parameter
allows, for example, converting RADIUS EAP-AKA to Diameter 3GPP SWm.
Updated the configuration diameter-authby.cfg in goodies.
Simplified TLS session resumption for TLS based EAP protocols.
Sessions are only cached when EAPTLS_SessionResumption is
enabled for the AuthBy. EAPTLS_SessionResumption is now
completely separate from EAPContextTimeout: EAPContextTimeout no
longer limits the session resumption time.
*Note:* Any hooks or custom code that needs to save data across
resumed sessions must now use resume context. See EAP.pm for the
details.
EAPContextTimeout now defaults to 120 seconds. The previous
value was 1000 seconds.
Added new configuration parameter EAPTLS_SessionContextId. For
TLS based EAP types such as TLS, TTLS and PEAP, this optional
parameter allows you to set the context within which the TLS
session resumption is allowed. Defaults to Handler, which means
that TLS session resumption is allowed if the resumed and the
full authentication were processed by the same Handler.
Previously the context was set to an ephemeral value which often
forced full TLS handshakes instead of allowing session
resumption to happen.
Moved IANA registered attributes to 'IANA' namespace from vendor
0 namespace. Unknown IANA attributes are now named as
Unknown-IANA-191 where 191 is the attribute number. Unknown
vendor specific attributes continue to be named like
Unknown-9048-120 where 9048 is the vendor number and 120 is the
attribute number.
*Note:* any custom code that accesses RADIUS attribute
definitions in the RADIUS dictionary should now check if the
vendor is IANA, not 0, to differentiate between vendor
attributes and IANA registered attributes. This may also affect
custom code that does Diameter to RADIUS conversion.
This namespace change fixes the problem where VSAs with vendor
id 0 were proxied as non-VSAs when ProxyUnknownAttributes was
set. Reported by Alan Buxey.
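The namespace note and the vendor id 0 proxying fix above both come down to how attribute definitions are keyed. Here is an added example (not Radiator's dictionary or proxy code) that decodes the attribute section of a RADIUS packet into IANA and vendor namespaces, names unknown attributes the way described above, and re-encodes the list for forwarding. DICTIONARY is a constructed subset (vendor 9 is Cisco's real assignment); the packet bytes are constructed for the example. The `is_vsa` test is keyed on the IANA namespace rather than on `vendor != 0`, so a vendor id 0 VSA keeps its Vendor-Specific wrapper when re-encoded.

```python
"""Added example: RADIUS attribute decoding with IANA / vendor name spaces.

DICTIONARY is a constructed subset; the Unknown-IANA-<n> and
Unknown-<vendor>-<n> names follow the release note. Not Radiator code.
"""
import struct
from dataclasses import dataclass

IANA = "IANA"
VENDOR_SPECIFIC = 26

DICTIONARY = {
    (IANA, 1): "User-Name",
    (IANA, 4): "NAS-IP-Address",
    (9, 1): "Cisco-AVPair",   # vendor 9 = Cisco (real IANA enterprise number)
}

# Constructed sample body: User-Name, an unknown IANA attribute 191,
# a Cisco VSA and a VSA with vendor id 0 (sub-attribute 5).
SAMPLE = bytes.fromhex(
    "01076d696b656d"                       # User-Name "mikem"
    "bf04dead"                             # type 191, unknown to the dictionary
    "1a190000000901 13" + b"shell:priv-lvl=15".hex() +
    "1a09000000000503ff"                   # vendor 0, sub-attribute 5, value ff
)


@dataclass(frozen=True)
class Attr:
    vendor: object   # IANA for RFC attributes, integer vendor id for VSAs
    type: int
    value: bytes

    @property
    def is_vsa(self):
        # Keyed on the name space, not on `vendor != 0`, so a vendor id 0
        # VSA is still treated as a VSA when proxied.
        return self.vendor != IANA

    @property
    def name(self):
        return DICTIONARY.get((self.vendor, self.type),
                              f"Unknown-{self.vendor}-{self.type}")


def _tlvs(buf):
    """Yield (type, value) from 1-byte type / 1-byte length TLVs, with bounds checks."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad attribute length {length} for type {t}")
        yield t, buf[i + 2:i + length]
        i += length


def decode(body):
    """Decode the attribute section (bytes after the 20-byte RADIUS header)."""
    attrs = []
    for t, value in _tlvs(body):
        if t == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific too short for Vendor-Id plus a sub-attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            for vt, vvalue in _tlvs(value[4:]):
                attrs.append(Attr(vendor, vt, vvalue))
        else:
            attrs.append(Attr(IANA, t, value))
    return attrs


def encode(attrs):
    """Re-encode for forwarding; VSAs go back inside a Vendor-Specific wrapper."""
    out = bytearray()
    for a in attrs:
        if len(a.value) > 253 - (6 if a.is_vsa else 0):
            raise ValueError(f"{a.name} value too long for one attribute")
        inner = struct.pack("!BB", a.type, len(a.value) + 2) + a.value
        if a.is_vsa:
            payload = struct.pack("!I", a.vendor) + inner
            out += struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload
        else:
            out += inner
    return bytes(out)


def names(body):
    """Dictionary names for every attribute in `body`, unknown ones included."""
    return [a.name for a in decode(body)]


if __name__ == "__main__":
    for a in decode(SAMPLE):
        print(a.name, a.value)
    print(encode(decode(SAMPLE)) == SAMPLE)   # round trip keeps the VSA wrappers
```

Custom code that walks the dictionary can apply the same idea: compare the vendor against the IANA namespace marker, not against 0.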
Fixed and unified JSON formats in LogFormat.pm. Time contains
unix time. Timestamp contains a locale specific time presentation
based on the unix time. Timestamp includes microseconds if
LogMicroseconds is defined; the format is the same as in the
Radiator plaintext log. New attribute "datetime" is the
localtime for human readers' convenience. Previously the timestamp
format incorrectly claimed to use UTC time while it was in fact
local time.
Improved AddressAllocator DHCP logging and DHCP socket set up.
When LocalAddress was not configured and hostname did not
resolve to an IP address, radiusd died during the startup. Now
an error is logged and the DHCP socket will not be set up.
If DHCP set up fails for some other reason, the reason is now
clearly logged and the DHCP socket will not be set up.
When the DHCP socket is not set up, address allocation methods
return with REJECT and an error is logged. The problem with
unresolved hostname was reported by Edward Ocenar.
AuthBy DUO now supports optional parameter Failmode that
specifies whether to reject, accept or ignore authentication
when the Duo API is not available or a Duo API call times out.
Default is to ignore the authentication request. Duo API timeout
is now handled separately from the other Duo API call failures.
Address allocators now support Acct-Status-Type values
Accounting-On and Accounting-Off. The default is to accept the
Accounting-Request with no other action. The SQL allocator can
now be configured with DeallocateByNASQuery to, for example,
release all leases for the NAS. Updated the configuration
example addressallocator.cfg with sample DeallocateByNASQuery
and updated the SQL example files with a new column for NAS id.
Added optional conversion of Diameter
Session-Termination-Request (STR) to RADIUS Accounting-Request
with Acct-Status-Type set to Stop. This, and possible future
conversions, can be enabled with ConvertCommand configuration
parameter within ServerDIAMETER. More details are in
diameter-server.cfg in goodies. Requested by Jean-Marc MONTENOT.
Updated AddressAllocator SQL to support delayed pool activation.
When AddressAllocator SQL is configured with
DelayedPoolCheckTime, the pool creation, address checks and
initial reclamation are delayed to happen the configured number
of seconds after radiusd has started.
Added a new configuration parameter NasIdentifier for
AddressPool clauses. The configured value is made available for
AddAddressQuery.
Source IP address and source port for incoming TACACS+ and
StreamServer based connections, such as RadSec and Diameter, are
now immediately logged after they are accepted. This allows
logging even the very short lived connections from probes and
other sources. Reported by Alexander Hartmaier.
Added a new optional configuration parameter AllowInReject for
defining which attributes are allowed in Access-Reject. This can
be useful in Handlers with multiple AuthBys where the attributes
added before a rejecting AuthBy need to be stripped from the
resulting Access-Reject.
Added a new optional configuration parameter Encoding for
MessageLog FILE and its subclasses. This allows, for example,
encoding a binary or multiline log entry as a single hex encoded
line which might be useful with some log shipping tools and
agents. Currently supported encodings are none and hex. Updated
the configuration sample in logformat.cfg.
AttrList and its derived modules now support delete_attr_d()
method. This allows deleting attributes by name from DiaMsg and
other AttrList objects.
Fixed Client IgnoreAcctSignature flag to correctly work as a
flag. Previously a defined but false value, such as 0 was
interpreted as the flag being set. IgnoreAcctSignature is not
defined or set by default. Reported by Niels Monen.
Added initial support for encrypting and obfuscating TACACS+
keys in the configuration file. This is similar to the recently
added RADIUS client shared secret obfuscation. Client and
ServerTACACSPLUS now support EncryptedTACACSPLUSKey and
EncryptedKey, respectively. Examples are in the tacacsplusserver.cfg
sample configuration file.
Enhanced logging in ServerTACACSPLUS. Very short lived
connections are now logged with the peer IP address and port.
Some TACACS+ clients, network monitoring probes and other
software may close the newly opened TACACS+ connection
immediately without any TACACS+ request exchange. These
connections are now more clearly logged. Updated two other
infrequently used log messages to include the peer IP and port.
Suggested by Alexander Hartmaier.
USR1 and USR2 signals are now propagated to the server farm
workers by the farm parent. This allows changing the logging
trace value for the whole farm at once by sending the signal to
the farm parent. Suggested by Jose Borges Ferreira.
Added initial support in AuthBy GOSSIP for using backends such
as Redis for authentication, voucher lists and black lists.
Added new formatter %{TimestampVal:number} where number can be a
positive or negative integer, request attribute name or a
special. For example %{TimestampVal:3000},
%{TimestampVal:Session-Timeout} or
%{TimestampVal:%{Reply:Session-Timeout}}. The replaced value is
the current unix time stamp + the number. Useful for replacing
hooks with formatters when calculating time stamps.
AuthBy GOSSIP can now hint the desired authentication backend,
SQL, LDAP, etc., to the Gossip peer. The authentication backend
is configured with the optional configuration parameter
AuthenticationMethod.
AuthBy DYNADDRESS now supports optional configuration flag
parameter RunWhenMissing. When RunWhenMissing is set to off, the
confirm and deallocate operations of the configured address
allocator are not run if the Accounting-Request does not have
the IP address.
Accounting-Request messages from some types of RADIUS clients
may not contain the allocated IP address. This may happen
because the MapAttribute yiaddr is missing from the request, or when
IPv4 and IPv6 allocators are chained, the yiaddr is not set for
the allocator type. In this case you may want to set
RunWhenMissing to off. The default is to always run confirm and
deallocate.
Fixed misleading log message in AuthBy OTP where OTP verify
result was logged during failure. The result is only a boolean
value while the log message hinted there might be additional
information available. Reported by Alexander Hartmaier.
Updated log calls in multiple EAP methods to include the current
request.
Added initial support for logging tracing identifier in
ServerTACACSPLUS. Further changes are needed for additional
coverage.
The value intended for NAS_ID column is now configurable with
NasId parameter in AddressAllocator SQL. The default value is
%{NAS-Identifier}. Updated the configuration sample
addressallocator.cfg in goodies.
Overly long locally added attributes were incorrectly packed in
the outgoing RADIUS messages. Such messages are now logged at
ERR log level and no message is sent.
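The check behind that fix, as an added example in Python that is not Radiator's code: a RADIUS attribute carries a one-byte length covering type, length and value, so a value longer than 253 bytes cannot be packed correctly, and the safe response is to log and send nothing rather than emit a frame the receiver parses as something else. The attribute types and values are constructed.

```python
import struct

# RFC 2865: type(1) + length(1) + value, and length is a single octet (max 255).
RADIUS_ATTR_MAX_VALUE_LEN = 253


class AttributeTooLong(ValueError):
    """Raised instead of emitting a corrupt attribute."""


def pack_attribute(attr_type, value):
    """Pack one attribute, refusing values that do not fit the length octet.

    A naive packer computes len(value) + 2 and stuffs it into one byte; some
    pack routines wrap that silently modulo 256, so the receiver sees a
    wrong length and misparses every attribute that follows.
    """
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if len(value) > RADIUS_ATTR_MAX_VALUE_LEN:
        raise AttributeTooLong(
            f"attribute {attr_type}: {len(value)} byte value exceeds "
            f"{RADIUS_ATTR_MAX_VALUE_LEN}")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def pack_attributes(attrs, log=print):
    """Pack (type, value) pairs; on an overly long attribute log at ERR
    level and return None so the caller sends nothing (the behaviour the
    release note describes)."""
    out = bytearray()
    for attr_type, value in attrs:
        try:
            out += pack_attribute(attr_type, value)
        except AttributeTooLong as e:
            log(f"ERR: {e}; message not sent")
            return None
    return bytes(out)


def unpack_attributes(data):
    """Walk packed attributes back out, validating each length octet."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError(f"bad length {l} for attribute {t}")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs
```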
AuthBy RADIUS and its subclasses can now return with result
REJECT to trigger an Access-Reject when a proxied request times
out. This requires setting a new flag parameter called
NoReplyReject. NoReplyReject allows rejecting timed out requests
without hooks such as NoReplyHook. When returning a result, the
reason for the timed out requests is now set to "Upstream timeout".
Added PostSearchHook in AuthBy GOSSIP that is called by
AuthGOSSIP's findUser() after AuthAttrDef's have been evaluated
and possible reply attributes are in place.
ServerTACACSPLUS now evaluates global RewriteUsername before
dispatching a TACACS+ pseudo RADIUS request to a Handler.
Previously global RewriteUsername was not evaluated for TACACS+
requests. Suggested by Tim Cheyne.
Updated sample certificates to expire on Aug 10 2018.
Improved handling of plaintext passwords with prefix {clear}.
The plaintext value is now clearly separate from any hashed or
encrypted value. Custom modules using AuthGeneric methods
get_plaintext_password and translate_password should be checked
for compatibility. Reported by Vangelis Kyriakakis.
radiusd now exits during startup if it can not load the objects
required by the configuration file. For example, if an AuthBy or
a SessionDatabase fails to load, radiusd will log the failure
and exit immediately. Previous behaviour was to log the failure
and continue.
Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.24.
Added 32 and 64 bit Win32-Lsa ppms for ActivePerl 5.22.
Fixed a memory leak where duplicate cache entries were not freed
when radiusd was reloaded. Reported by Niels Monen.
HTTP Digest authentication must now be enabled with
configuration flag parameter HTTPDigestAuthentication. This flag
is not set by default.
Updated system.cfg in goodies. The old Shadow helper module is
not needed with the recent Perls for AuthBy SYSTEM.
EAP authentication using AuthBy LDAP2 worked incorrectly with
some atypical Radiator and LDAP configurations.
Improved EAP debug logging for better PacketTrace and trace id
support: EAP messages with bad length are now more clearly logged.
TLS compression is now disabled for all TLS based EAP methods
and all StreamTLS based modules, such as RadSec, Diameter and
ServerHTTP with SSL_OP_NO_COMPRESSION option. Current systems
should already disable TLS compression by default, so this
change makes sure compression is not inadvertently enabled, for
example, when system defaults are changed or Radiator runs on an
unpatched system. SSL_OP_NO_COMPRESSION is available with
OpenSSL 1.0.0 and later.
Updated the default HostSelect in AuthBy SQLRADIUS to use a quoted
realm. Updated the configuration sample sqlradius.cfg to use quotes.
ServerRADSEC now supports StatusServer parameter similar to
RADIUS Clients. Requested by Christian 'wiwi' Wittenhorst.
fideliosim.pl in goodies now binds to 127.0.0.1 by default but
has a command line switch to set the addresses to bind.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.