[RADIATOR] Radiator Version 4.18 released - enhancements, new features, security and other fixes

Heikki Vatiainen hvn at open.com.au
Wed May 10 09:45:51 UTC 2017


We are pleased to announce the release of Radiator version 4.18

This version contains enhancements, new features, security and other
fixes described below.

As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.18 (2017-05-10) new features, security and bug fixes

       Selected compatibility notes, enhancements and fixes

Added AuthenProto parameter for setting the allowed authentication
protocols such as PAP, CHAP and SIP digest. See below for details
especially if you use SIP digest.

EAP-MSCHAP-V2 requires EAP_MSCHAPv2_UseMultipleAuthBys flag parameter
when there are multiple AuthBys in the same Handler.

Added AcctLog clauses for logging accounting messages.

Added support for proxy algorithms in AuthBy RADSEC.

A number of enhancements to logging, EAP and other protocol
handling. Custom EAP-TTLS implementations may need updates; see the
details below.

Empty passwords and usernames with NUL octets are now rejected by most
authentication methods when doing local user database lookups.

Dash '-' no longer works as Filename for StatsLog FILE and similar
parameters.

Security fixes for general authentication, SQL quoting, Digipass
authentication and AuthBy HEIMDALDIGEST. OSC recommends all users to
review OSC security advisory OSC-SEC-2017-01
https://www.open.com.au/OSC-SEC-2017-01.html


       Known caveats and other notes

PEAP session resumption sometimes fails on Windows and reverts back to
full authentication. A fix is known and planned for future releases.

Special % character formatting was updated. Correctly defined format
strings should require no changes.

No testing with OpenSSL 1.1.0 yet.

We have received reports about memory leaks. We are investigating this
and would appreciate any reports about unusual process growth.


       Detailed changes

Added support for a new type of clause, AcctLog xxxxx. An AcctLog clause
logs RADIUS accounting requests to a file, Windows Event Log, SQL or
syslog. An AcctLog is configured similarly to AuthLog: you configure one
or more AcctLog clauses for a Handler or Realm. Currently supported
AcctLog clauses are: AcctLog EVENTLOG, AcctLog FILE, AcctLog SQL and
AcctLog SYSLOG. See logformat.cfg and sql.cfg for configuration
samples.

Redis endpoint can now correctly be set to Sock. Previously the
endpoint was set to 127.0.0.1 even if a socket was desired. Reported by
Paul Dekkers.

Added support for DiaStatsLog FILE and DiaStatsLog SQL for Diameter
statistics logging. Enhanced Diameter statistics logging to suppress
logging for inactive peers and objects with unchanged counter
values. DiaStatsLog SQL requires Diameter application specific columns
in the statistics table. Added a configuration sample diastatslog.cfg
in goodies.

DiaStatsLog clauses can now remove inactive peer from Diameter
statistics logging. Peer removal is controlled by new configuration
parameters PeerAliveDetectionInterval and PeerRemovalThreshold.

Added a number of attributes in dictionary for vendor 6527
Alcatel-Lucent-Service-Router, enterprise number known as
Alcatel-Lucent (formerly 'Panthera Networks, Inc.').

Added various VENDOR 25053 Ruckus VSAs to dictionary. Ruckus VSA 126
name is now Ruckus-Accounting-Status. The previous name
Ruckus-Acct-Status is kept as a synonym. VSA 126 in the incoming
requests, if present, will be decoded as
Ruckus-Accounting-Status. Contributed by Christian 'wiwi' Wittenhorst.

radpwtst now supports new flag parameter -timestamps. Time stamps are
printed, for example, when announcing sent requests and received
replies. Time stamps are also automatically printed when multiple
iterations are enabled.

Updated radiusd Windows service installation to work with Windows
Server 2016. Problems with installservice option were reported by
Robert Fisher.

Added VENDOR 1966 Perle VSAs to dictionary.

Message-Authenticator attribute updates: Relaxed
RequireMessageAuthenticator to consider only those request types that
have RFC support for Message-Authenticator. Message-Authenticator is
now automatically added to the reply or the proxied request when the
request contained Message-Authenticator. This also affects
Status-Server responses. Message-Authenticator is now always required
when EAP-Message attribute is present in incoming messages.

Locked and evaluation versions of radiusd will now log expiry and
other licensing related information to log in addition to stdout.

Added VENDOR 2636 Juniper attributes Juniper-Junosspace-Profiles,
Juniper-Session-Port, Juniper-CTP-Group, Juniper-CTPView-APP-Group and
Juniper-CTPView-OS-Group to dictionary. Also added
Juniper-Authentication-Type as an alias for
Juniper-Junosspace-Profiles. With the kind assistance of Peter
Hendrikx.

Added sample configuration file eaptls_resume_post_auth_hook.pl in
goodies to show how to store and retrieve information that needs to be
kept over resumed TLS sessions. Useful for custom hooks used with
EAP-TLS, EAP-TTLS or PEAP. Updated EAP modules to support customised
access to stored resume information.

Unified logging and handling of EAP responses for which TLS is not
initialised. These are now logged as possible duplicate responses. TLS
connections are now cleared earlier and similarly for all TLS based
EAP methods.

Radiator's SQL module now supports asynchronous queries for
MySQL/MariaDB and PostgreSQL. Tested with DBD::mysql 4.035 against
10.1.13-MariaDB. Updated AddressAllocator SQL to use asynchronous
queries. Asynchronous queries are enabled with the new common SQL
configuration parameter AsynchronousSQL. Additional parameters
AsynchronousSQLConnections and RoundRobinQueries allow tuning how the
asynchronous queries are done. For synchronous and asynchronous
operation, ConnectSQLAtStartup is now available to connect to all
configured SQL databases when the module is loaded during Radiator
startup. See the configuration sample addressallocator.cfg in goodies
for asynchronous allocation.

AddressAllocator DHCP and DHCPv6 no longer increment dropped request
statistics while they return ignore and wait for the DHCP answers.

Fixed a bug in GossipRedis where a reconnect after Redis server
disconnect caused a crash. Also corrected extra newline in
statslog.cfg. Crash reported by Niels Monen.

ServerTACACSPLUS can now be configured to disconnect the client
without returning TACACS+ error status when an AuthBy returns IGNORE
because of authentication database failure. This may trigger the
client device to fall back to local authentication that it may not do
when Radiator replies with a TACACS+ error status. Note: the client
behaviour is implementation specific. This option is controlled by the
new configuration flag parameter DisconnectWhenIgnore.

Removed unused configuration parameter Table from AuthLog SQL.

Prepared PEAP for future implementation of missing features such as
cryptobinding, Statement of Health (SoH), capabilities negotiation and
starting full authentication from resumed TLS session. Updated PEAP
EAP TLV Extensions handling and logging.

radpwtst now warns if it can not fully handle IPv6 addresses, prefixes
and sockets.

Added a startup check for required Perl module Digest::SHA. Note that
depending on the configuration, Digest::SHA may be required very early
during the configuration which can be before the check has
run. Digest::SHA is part of core Perl but packaged separately on some
platforms, notably Red Hat and CentOS.

Fixed a warning log message in AuthBy RADSEC that was incorrectly
changed in Radiator 4.17.

radpwtst now supports two new command line arguments: '-print_stats'
shows statistics after radpwtst finishes. Useful, for example, when
running with -iterations for long period of time. '-onlyfailed' shows
only failed requests. This is particularly useful if running radpwtst
with either -iterations parameter or when running several radpwtsts in
parallel with, for example, GNU Parallel.

Added support for proxy algorithms in AuthBy RADSEC. The proxy
algorithms supported by RADIUS proxying, such as hash balance and
round robin can now be used when proxying to multiple AuthBy RADSEC
hosts. The algorithm is chosen with ProxyAlgorithm configuration
parameter. See radsec-client.cfg for examples. Special thanks to
Christian 'wiwi' Wittenhorst for his kind help and Jan Tomasek for
suggesting this feature.

Removed unnecessary code from RADIUS proxy algorithms, such as AuthBy
HASHBALANCE and AuthBy ROUNDROBIN. AuthBy EAPBALANCE now adds State to
Access-Request replies only.

Updated the remaining LDAP attribute fetching calls to use
get_value. Updated LDAP AuthBy clauses to use DN escaping for BaseDN
specials instead of using filter escaping which does not cover all DN
requirements. Updated digipass_ldap.cfg and ldapradius.cfg
configuration samples with the special formats.

Updates to AuthLog EVENTLOG: Use Radiator's logging functions instead
of printing to STDERR if there's a problem with Event Log. Fixed a
potential crash if Event Log can not be opened.

Added support for filtering TTLS tunnelled AVPs. Two new configuration
parameters are available for defining allowed attributes for custom
clients: EAP_TTLS_AllowInRequest and EAP_TTLS_AllowInReply. These are
not set by default and 'User-Name, User-Password, CHAP-Password,
CHAP-Challenge, EAP-Message, MS-CHAP-Response, MS-CHAP-Challenge,
MS-CHAP2-Response' are allowed in requests and 'EAP-Message,
MS-CHAP2-Success' are allowed in replies. These are the attributes
from TTLS RFC 5281 except of the password change related attributes
which are currently not allowed by default.

Destination-Realm was missing from Diameter Accounting-Request (ACR)
commands sent by diapwtst.

Implemented special formatting with recursive subpatterns introduced
in Perl 5.10. The old implementation is used with older Perls. This
simplifies the implementation and provides possibility for further
optimisation in later patches.

AuthFIDELIOHOTSPOT now tries to fetch the user's current/existing service
class when configured to use ServiceAttribute VSA but the Access-Request
does not contain one. If no existing service class is found from
either the request or from a database, the request is rejected as
before. This helps interoperability with MikroTik, which does
not resend some VSAs when doing automatic MAC cookie
authentication after reboots or other events.

Added peer IP:port information to TLS related error messages that are
logged by TLS stream based modules. Examples of these are AuthBy and
Server RADSEC and DIAMETER. Suggested by Paul Dekkers and Alan Buxey.

Added new optional configuration parameter EncryptedSecret for all
Gossip methods. EncryptedSecret has the same purpose as Secret but its
value is in encrypted format. If both Secret and EncryptedSecret are
configured, EncryptedSecret is used.

Multiple enhancements to radpwtst: new command line option
-log_microsends adds microsecond resolution to radpwtst log time
stamps. Existing command line option -noreply is now displayed with
usage and documented in reference manual. Identifiers that radpwtst
generates start now more randomly. This makes it easier to follow
radpwtst logs when multiple radpwtst instances are run in parallel.

Command line arguments to radpwtst now override arguments in the
radpwtst options file. Badly formatted attribute=value command line or
option file arguments are now logged by radpwtst. No messages are sent
if the options file or command line arguments are incorrect. Override
is only supported with Perl 5.10.0 and later.

Current request is now passed to all log messages in EAP FAST for
enhanced logging.

Enhanced EAP-TTLS inner attribute parsing and logging. Attribute
lengths are now compatible with RADIUS lengths and unworkable
attribute combinations are now rejected earlier. Trace 5 debug will
now show hex dumps for received and sent EAP-TTLS inner messages.

Added a new optional configuration parameter
EAP_Identity_MaxLength. This optional parameter is available for all
AuthBys and sets the maximum length an EAP identity can have. The
default is 253 octets. There is typically no need to change the
default.

Most EAP methods now require a non-empty EAP identity. This avoids
unnecessary user database lookups when there's no usable user
identity.

Fixed diapwtst to send its AA and Accounting requests with Proxiable
flag.

EAP GTC now supports optional configuration parameter
EAP_GTC_MaxLength for specifying the maximum length of EAP GTC token
accepted from the client. Defaults to 253 for RADIUS compatibility. If
the EAP GTC response uses the RFC 5421 EAP-FAST-GTC response format, the
identity in the response must be equal to the EAP identity. Updated the list
of attributes copied to the PAP request converted from an EAP GTC
request. Fixed radpwtst to use the correct response length with the -eapgtc
option. Added support in radpwtst for the RFC 5421 EAP-FAST-GTC response
format. When radpwtst is run with the -eapfastgtc command line option, the
response is formatted according to the RFC 5421 response format. Otherwise
-eapfastgtc works the same as -eapgtc.

The inner message created from PEAP version 0 tunnelled data now has
the correct EAP length field. The length field did not previously include
the EAP header Radiator adds to PEAPv0 tunnelled requests. This change
helps with interoperability with other servers when inner requests are
forwarded.

Password from Monitor's LOGIN command is now sanitised and logged as
**obscured**.

Updated generic CHAP, MSCHAP, MSCHAPv2 and SIP based authentication to
reject requests earlier and log the specific reason when attribute
lengths do not meet the expected values. Updated Digipass and Safeword
authentication similarly for CHAP protocols, and updated and fixed
related logging and error handling for Digipass. Updated AuthBy LSA to
always reject CHAP when challenge is not 16 octets that LSA
expects. This helps diagnosing login problems of CHAP clients that use
less common challenge lengths.

Added new optional configuration parameter AuthenProto for setting the
allowed authentication protocols for an AuthBy. Defaults to PAP, CHAP,
MSCHAP, MSCHAPv2, EAP, AuthorizeOnly. Other possible protocols are
SIPDigest and Unknown; Unknown matches all other requests.
AuthenProto can be configured for all AuthBys but currently does not
affect proxying or special AuthBys, such as AuthBy INTERNAL, which do
their own request handling.
Caution: The default covers the normal user authentication cases. You
may need to add Unknown to those AuthBys that handle special
authentication requests that have no User-Password and none of the
CHAP, MSCHAP(v2) or EAP-Message attributes.
Caution: If you have an AuthBy for SIP Digest authentication, you must
configure it with AuthenProto SIPDigest to allow SIP Digest
authentication.
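A configuration sketch of the AuthenProto rules above, added here as an illustration and not taken from the Radiator distribution or its goodies samples. The Handler check items, realm names and users files are constructed, and the comma-separated value syntax for a multi-protocol AuthenProto list is an assumption based on other Radiator list parameters:

```text
# Constructed example, not a Radiator goodies sample.
# Normal user authentication: the 4.18 AuthenProto default
# (PAP, CHAP, MSCHAP, MSCHAPv2, EAP, AuthorizeOnly) applies,
# so nothing needs to be set. A SIP digest request reaching
# this AuthBy is now refused instead of being looked up.
<Handler Realm=example.com>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>

# SIP digest must be enabled explicitly on the AuthBy that serves it;
# without this line the 4.18 default rejects SIP digest authentication.
<Handler Realm=sip.example.com>
    <AuthBy FILE>
        Filename %D/sip-users
        AuthenProto SIPDigest
    </AuthBy>
</Handler>

# An AuthBy that handles requests carrying none of User-Password,
# CHAP, MSCHAP(v2) or EAP-Message needs Unknown added. Because
# AuthenProto sets the whole allowed list, the defaults are repeated
# here before Unknown (comma separation is assumed).
<Handler Client-Identifier=special-nas>
    <AuthBy FILE>
        Filename %D/special-users
        AuthenProto PAP,CHAP,MSCHAP,MSCHAPv2,EAP,AuthorizeOnly,Unknown
    </AuthBy>
</Handler>
```

The point of keeping the default on the first Handler is that a request using an unexpected protocol is rejected before any user database lookup happens, which is the behaviour the security fixes in this release aim for. The SIP Handler lists only SIPDigest, so a PAP or CHAP request arriving for that realm is also rejected rather than checked against the SIP users file; widen the list only where one AuthBy genuinely serves several protocols.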

Updated EAP MSCHAP-V2 to use states from MS EAP-MSCHAP-V2 document in
preparation for password change support. Enhanced logging and log
messages content. Enhanced handling of MSCHAPv2 conversion where
replies that are not accepts or rejects are now logged with log level
warning. Previously all locally generated replies were processed.
Caution: If a Handler or AuthBy GROUP has multiple EAP-MSCHAP-V2
enabled AuthBys, all AuthBys must now specify a new flag configuration
parameter EAP_MSCHAPv2_UseMultipleAuthBys. This parameter is likely
not available when password change or other EAP-MSCHAP-V2
functionality is added. Do not use this flag with
EAP_PEAP_MSCHAP_Convert parameter.

Empty passwords from the user database now cause a reject. If a user
has a password check item, and the password retrieved from the user database
is empty or undefined, the authentication is rejected. The cause for an
empty password in this case is typically a configuration mistake or a
user database malfunction. The rejects are logged with level warning.

Fixes to GossipUDP peer discovery and peer reachability maintenance.

Enhanced User-Password and Encrypted-Password check
items. MS-CHAP-MPPE-Keys are now returned for MSCHAP only when a
cleartext password is available. Prefix {clear} now works the same for
both check items. If the password's encrypted format is incompatible
with an authentication protocol, a more informative message is
logged. Encrypted-Password check items with an unrecognised format are
now clearly logged with a warning. The format for {nthash} prefixed values
must now be exactly 32 hex characters or a warning is logged. Note:
EAP-MSCHAP-V2 and LEAP do not yet support getting the password or NT
hash from the user's Encrypted-Password check item.

EAP generic code now logs various error cases and unexpected and
broken EAP messages in more detail.

Internal updates to use more modern Perl features. Updated DES.pm to
work when strict and warnings are enabled. Updated MSCHAP to use
warnings and require similar to other modules.

Updated calls to open to use three parameters. Caution: Specifying a dash
'-' as the filename for StatsLogFILE, LogFILE, AcctLogFileName and other
similar parameters no longer enables logging to stdout. Using a dash
for a filename now causes a warning.

Updates to AuthBy HEIMDALDIGEST. If there are errors with
communicating with kdigest or values returned by it are found faulty,
more detailed messages are logged and authentication requests are
rejected earlier when possible. Communication with kdigest was
improved and is now similar to what AuthBy NTLM uses.

AuthGeneric md5_challenge and mschapv2_challenge now return status
value in case they are overridden by an authentication method,
currently only HEIMDALDIGEST, which may fail to generate a
challenge. Updated EAP-MD5 and EAP-MSCHAP-V2 to check the challenge
return value.

UsernameCharset configuration parameter now applies to EAP identities
too.

diapwtst now uses $HOME/.diapwtstrc and /etc/diapwtstrc as its
configuration file.

Rearranged the order of DefaultRealm processing and PreHandlerHook
call in Client.pm. DefaultRealm is now added before PreHandlerHook is
called which is the order that all other similar modules already
use. Suggested by Niels Monen.

Optimised special character formatting when the format string has only
single character formatters.

Password returned by GetNovellUP is now automatically prefixed with
{clear}. Updated eDirectory documentation and configuration samples in
goodies.

Changed the EAPTLS_SessionContextId default to include EAP type and
original username in addition to Handler. This improves TLS based EAP
authentication when Windows tries both computer and user
authentication with the same TLS session, and keeps different EAP types in
different contexts.

New global configuration parameters PBKDF2_MinRounds and
PBKDF2_MaxRounds now control the iteration rounds allowed for PBKDF2
transformed passwords.

Updated AuthBy SQLAUTHBY to use %0, the SQL quoted realm, in the default
AuthBySelect and set the default value of the Class parameter to
LDAP2. Special %1 is now the SQL quoted realm in AuthBy SQLRADIUS
HostSelect. When bind variables are used, these specials are the
unquoted realm values. Updated the configuration samples of both
AuthBys to use SQL bind variables.

EAP elapsed time is now logged in decimal format always. Negative
times are not logged which happened when EAP had not properly started
before failure. Improved logging of unexpected EAP NAKs and NAKed
methods.

Radius messages shorter than 20 or longer than 4096 octets are now
discarded earlier and with more informative log message showing source
IP address and port.

Updated ServerHTTP and Monitor to limit username and password to 253
octets for RADIUS compatibility.

Updated EAP-pwd: Turned off fragmentation support and enhanced
logging. Fixed a potential memory leak.

Access-Reject is now returned more often for failed EAP authentication
attempts instead of ignoring the request. This allows Radius clients
to know that the server is still responding to Radius requests. EAP
failure is also now returned more often with Access-Rejects for failed
EAP authentication attempts. Updated logging of failed EAP messages.

ServerDIAMETER and ServerRADSEC now correctly append DefaultRealm if
configured to do so.

test.pl can now produce Test Anything Protocol (TAP) compatible output
with -tap command line parameter.

Enhanced AuthBy RSAAM logging, removed old code and improved character
encoding to avoid broken query syntax.

Usernames with NUL octets now cause a reject by default with user
database lookups. AllowNULInUsername flag parameter can be set for an
AuthBy if NULs need to be allowed.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.

