[RADIATOR] Radiator Version 4.19 released - new features and bug fixes

Heikki Vatiainen hvn at open.com.au
Thu Jun 29 19:20:20 UTC 2017


We are pleased to announce the release of Radiator version 4.19.

This version contains new features and bug fixes described below. The 
main enhancements are a fix for a memory leak and logging and debugging 
enhancements for unfinished EAP and other authentications.

As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.19 (2017-06-29) new features and bug fixes

       Selected compatibility notes, enhancements and fixes

Fixed a memory leak in TLS based EAP methods. This affected 
configurations that disable session resumption.

Unfinished EAP authentications are now logged

Ignored authentications are now available for AuthLog logging


       Known caveats and other notes

PEAP session resumption sometimes fails on Windows and reverts back to
full authentication. A fix is known and planned for future releases.

Initial testing with OpenSSL 1.1.0. EAP-FAST is not yet functional.


       Detailed changes

Enhanced log messages generated by TLS based EAP methods. More details 
are now logged and available with AuthLog reason information.

Added two new Context module functions: fetch returns an existing 
context and resets its timeout. If there's no existing context, returns 
nothing. timeout_callback sets a callback function for a context that is 
called when the context times out.

Enhanced EAP logging: EAP authentications that do not finish are now 
logged both to Radiator log and authentication log. Authentication log 
entries are logged as rejected authentications. Suggested by David Zych 
et al.

EAP contexts are now freed when the authentication finishes instead of 
always waiting for context timeout

TLS based EAP methods were leaking memory when EAPTLS_SessionResumption 
was disabled. This option is enabled by default.

Added VENDOR Airespace 14179 VSA Airespace-IPv6-ACL-Name to dictionary

Application was misspelled in 
DiaAttrList::REDIRECT_HOST_USAGE_REALM_AND_APPLICATION and Diameter 
application name 'SIP Application'

Fixed AuthBy SIP2 that rejected both valid and invalid authentication 
attempts with EAP-GTC. Enhanced SIP2 logging and updated AuthBy SIP2 to 
more reliably handle unsupported EAP methods.

An error message is now logged when quote method is called for a module 
that is not a SqlDb. Single quotes are now stripped from quoted value. 
Any custom modules that log this message need to be fixed to use a 
correct SqlDb derived module when calling quote.

Added support for polling a message queue in Gossip. Added a new 
configuration sample radius-dynauth.cfg in goodies that uses AuthBy 
DYNAUTH to send RADIUS dynamic authentication requests. Handler.pm now 
passes reference to result reason to replyFn it calls. Minor fixes to 
trace id passing and Gossip.

New check items RecvPort, RecvAddress and RecvName match requests based 
on the local port or address. For example, if Radiator listens on Radius 
ports 1645 and 1812, <Handler RecvPort=1645> selects only those requests 
that were received by port 1645.

Enhanced Monitor for integrating with other systems. Implemented the 
following Monitor commands:
ASCII: change both object and line separators to "\n"
DEFAULT: change both object and line separators back to their default 
values ASCII SOH and NUL, respectively
GET: Get a single attribute from an object
With the kind assistance of Kilian Krause

Fixed a crash in SessionDatabase REDIS simultaneous use check

Updated Gossip encryption documentation, logging, invalid key handling 
and changed key index 0 to reserved.

StatsLog proxiedNoReply counter is now incremented for Hosts within 
AuthBy RADIUS and RADSEC and their derived clauses. Previously the 
counter was incremented only for the AuthBy after all retries had been 
exhausted. Status-Server timeouts do not increment Host proxiedNoReply 
counter.

All AuthLog clauses now support LogIgnore flag parameter. This parameter 
defaults to not set and when set, allows logging ignored authentication 
attempts. An attempt is typically ignored when a user database fails or 
Radiator cannot return a definitive answer for some other reason. 
Proxied requests that return immediate ignore are not logged because a 
reply with final result is expected later.

Fixes to GossipUDP server farm and peer discovery messaging

When User or Group global parameter is set, both effective and real user 
or group id is set instead of just effective ids.

Fixed a problem where advanced debugging, for example with Monitor's 
trace predicates, could cause a crash.

DynAuthPort in Client now defaults to not set instead of 3799. This 
allows clauses such as AuthBy DYNAUTH to provide a per request value 
that is not overwritten by Client's DynAuthPort.

radiusd now supports multiple -I command line parameters.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.