[RADIATOR] Radiator Version 4.20 released - enhancements, new features, security and other fixes

Heikki Vatiainen hvn at open.com.au
Wed Feb 28 08:15:17 UTC 2018

We are pleased to announce the release of Radiator version 4.20

This version contains enhancements, new features, security and other
fixes described below.

As usual, the new version is available to current licensees
and evaluators from:

Licensees with expired access contracts can renew at:

An extract from the history file
https://www.open.com.au/radiator/history.html is below:


Revision 4.20 (2018-02-28) new features, security and bug fixes

       Selected compatibility notes, enhancements and fixes

Support for OCSP and OCSP stapling for EAP-TLS and RadSec and other
Stream based modules.

Improvements to Stream connection handling.

TACACS+ AuthorizeGroup matching was extended.

Check items now check all instances of the named attribute.

Updates to TLS based EAP method client certificate checks, including
partial chain support and default CA use.

Updates to AddressAllocator DHCP

Updated VENDOR 388 Symbol attribute names in the default dictionary.

Improved LDAP modules failure backoff and certificate verification.

Handler and AuthBy GROUP updates for better asynchronous and challenge

Airespace-QoS-Level dictionary definitions were updated. The updated
values are incompatible with the old values

PEAP supports inner authentication after session resumption. Value 2
for reused demonstrated in eaptls_resume_post_auth_hook.pl is now

Multiple updates to EAP, EAP-pwd and other EAP methods. See below for
more details.

Security fix for certificate validation for EAP-TLS and TLS-based
Stream modules such as RadSec. PEAP and EAP-TTLS with unusual
configurations are also affected. OSC recommends users to review OSC
security advisory OSC-SEC-2018-01

       Known caveats and other notes

Initial testing is done with OpenSSL 1.1.1 development versions. Not
recommended with Radiator yet.

       Detailed changes

Connection state is now correctly reset when streams are reconnected
after a disconnect. Affects Diameter, RadSec and other Stream.pm based
modules where incorrect connection state after reconnect caused lost
messages and eventual connection timeouts.

Connection buffers for pending incoming, outgoing and TLS data, and
possible TLS session are now cleared during reconnect. This affects
Diameter, RadSec and other Stream.pm based modules.

goodies/generate-totp.pl can now be used for generating TOTP tokens in
plain ASCII without generating QR code images.

ServerTACACSPLUS AuthorizeGroups can now include extra checks which
can be used to differentiate actions (permit/permitreplace/deny)
and/or reply attributes based on TACACS+ client's Client-Identifier,
address (peeraddr) or any Radius attribute from Access-Accept. Updated
configuration sample tacacsplusserver.cfg in goodies.

Added support to user and Handler check items for checking all
instances of the named attribute for a match. If an attribute is
present multiple times, all its instances are considered during
matching. For example, <Handler OSC-Group-Identifier=B,
OSC-Group-Identifier=A> matches when OSC-Group-Identifier is present
at least twice with the two values. With the kind help of Alexander

Added a new configuration parameter RejectReason to Handler and
AuthBy. RejectReason sets the default string to use as the
Reply-Message for Access-Reject when configured for a Handler. When
configured for an AuthBy, sets the reason for AuthLog logging and
Access-Reject Reply-Message if the enclosing Realm or Handler has
RejectHasReason enabled.

Improved AuthBy DUO's REST API failure handling.

EAP success is now correctly replaced with an EAP failure when a
request is first accepted by an EAP AuthBy but later rejected, for
example, by a hook or another AuthBy.

Introduced new special format variables: RequestAttrs,
OuterRequestAttrs and ReplyAttrs. These variables return a string
containing all instances of the named attribute separated by a comma.

Added a new configuration parameter AddExtraCheck to Handler and
AuthBy to make adding extra check items, such as Group check, easier.

AuthByPolicy now supports new value ContinueUntilRejectOrChallenge

EAP-TLS supports new hook EAPTLS_CertificateVerifyFailedHook which
runs when TLS library calls verify_callback with preverify_ok set to
false. The return value from the hook decides if certificate
verification should continue or not. WARNING: This hook should only be
used in special cases and can cause security issues. See the reference
manual for details.

Added VENDOR Wi-Fi Alliance 40808 VSAs to dictionary

Radiator now supports framework for packing and unpacking complex
RADIUS vendor specific attributes. For example, many 3GPP attributes
have encodings that can not be represented with the RADIUS attribute
types. The framework supports vendor specific modules with methods
that are called based on how the complex attributes are defined in
RADIUS dictionary.

Improvements to RADIUS and RadSec Status-Server polling: Only one
probe can be active at a time to make sure multiple probes are not
sent when there are connectivty or other problems. Polling is now
disabled for RadSec when transport connection is not up.

When there are multiple Hosts in AuthBy RADIUS, NoReplyReject takes
action after all hosts have been tried. Improved logging when proxied
requests time out.

Updated NoCheckPassword option to cover EAP-MD5 and more
authentication methods.

Fixes and enhancements to MessageLog FILE text2pcap format command
line hints: Ports and addresses are now in correct order and include
time format specifier. Log line time format is now
seconds.microseconds where microseconds are zero padded. Special
format %2 for Filename parameter is now correctly set to default value
of 'none' when Encoding configuration parameter is not set. Help and
suggestions for text2pcap changes by Karl Gaissmaier. Thanks Charly.

Internal changes to how information is stored in request and reply
objects. Changed ValidTo and other similar information to use this
storage. Special formatting variables ReplyVar and RequestVar now get
their named parameter values from this internal storage.

Special values 'until Expiration' and 'until ValidTo' for
Session-Timeout reply item now correctly work with EAP-MSCHAPV2.

Diameter peer connection initialisation sometimes opened a second
connection to a peer instead of using an existing connection.

Message-Authenticator fixes: AddToRequest and similar methods now
automatically set the attribute length and allow adding only one
instance. The attribute was added with incorrect length value but
correctly calculated content when it was present in proxied request
and had incorrect length. Received attribute length must now match
exactly. Previously the check was only done for the content.

Log SYSLOG now supports LogFormat configuration parameter similar to
Log FILE. Fixed a bug where tracing identifier was not available in
Log clauses that were configured inside other clauses.

AuthBy RADSEC and ServerRADSEC can now write outgoing messages to
MessageLog. Reported by Karl Gaissmaier.

Status-Server timeout value for AuthBy RADIUS and AuthBy RADSEC can
now be separately set with KeepaliveNoreplyTimeout configuration
parameter. Suggested by Karl Gaissmaier.

Improved logging when Stream modules experience connection errors.

MessageLog FILE could crash if Format configuration parameter was
unspecified. Diameter message logging did not log remote IP and port
correctly in some rare cases when the remote end closed connection and
the local process was, for example, stopped.

Added new SessionDatabaseOptions value NoDeleteOnSessionStop that
tells Radiator to do session database update operation instead of
delete. This allows keeping session information when accounting stop
is received.

Added wrap-text2pcap.pl to goodies for processing MessageLog FILE
text2pcap formatted files. Written by Karl Gaissmaier.

New module AuthBy RATELIMITSOURCE allows limiting the maximum number
of messages per time window for a source. Two policers with different
source selection, bucket number, rate and time window parameters allow
setting limits for single sources and aggregates. Sample configuration
in ratelimitsource.cfg is in goodies.

AuthBy LDAP2 UnbindAfterServerChecksPassword when used with
HoldServerConnection did LDAP unbind but did not clear binding state
correctly causing LDAP error on subsequent query.

Renamed AuthBy RADIATORLB to AuthBy RADIATORPROXY and added support
for statically configured Host and RadiatorProxy clauses. Added
optional configuration parameters for DynAuthPort and DynAuthSecret in
AuthBy RADIUS Host clauses for basis for RADIUS dynamic authentication

Improved debugging support in SNMPAgent. SNMP community string is now
logged as **obscured** unless Trace is set to 5. Added port
information and updated log message formatting. Added support for new
PacketTrace flag configuration parameter to log received and sent SNMP
messages in human-readable form. PacketTrace logs the community in
plain text.

LogSYSLOG now uses setlogsock() as much as possible instead of setting
log host directly. Improved detection of setlogsock() capabilities and
added error checking for setlogsock calls. Problems with syslog calls
are now printed to STDERR too.

Updated LogFormat.pm CEF and JSON accounting log formatters to work
correctly when called from AcctLog's LogFormatHook. Previously only
Handler's AcctLogFileFormatHook worked correctly. Updated CEF
accounting format to use 'Accounting received' as event name when
logging accounting before it's handled.

radpwtst now logs in more detail replies that have unexpected message
type and EAP message combination.

Updated GlobalMessageLog to support RadSec as a separate protocol from
RADIUS. MessageLog clauses now support LogSelectHook which allows
selecting which messages to log in case not all messages need to be
logged. Updated the configuration sample logformat.cfg in goodies.
Help and suggestions by Karl Gaissmaier.

TACACS+ is now supported by MessageLog clauses.

Added Radius::Nas::Generic class which implements two
translate/extract functions: one to unify MAC address formats and
extract possible SSID and the other one to extract realm from
different username formats. Updated vsa-translate.cfg in goodies.

AuthBy SIP2 now supports two new configuration options: Retries and
FailureBackoffTime. Timeout handling was also improved, but does not
work when Radiator is run on Windows.

TLS_Ciphers is now correctly initialized with a default value in

Enhanced client certificate verification options for TLS based EAP
methods with new configuration flag parameters: EAPTLS_CAPartialChain
enables X509_V_FLAG_PARTIAL_CHAIN support available since OpenSSL
1.0.2. EAPTLS_UseCADefaultLocations configuration flag parameter
specifies that the default locations from which CA certificates are
loaded should be used. This was always enabled for previous Radiator
versions but is now turned off by default. EAPTLS_NoClientCert
disables loading of any CA certificates for client certificate
verification. This allows simplyfying PEAP and EAP-TTLS configuration
when client certificates are not requested with
EAPTLS_RequireClientCert. When EAPTLS_NoClientCert is enabled,
EAPTLS_UseCADefaultLocations are not used and need not to be
configured. Partial chain suppport suggested by Philip Brusten.

Enhanced client certificate verification options for Stream TLS
classes, such as RadSec and Diameter, with new configuration flag
parameters: TLS_CAPartialChain, TLS_UseCADefaultLocations and
TLS_NoClientCert work similar and have similar defaults than their
recently added EAPTLS_ counterparts. TLS_NoClientCert will not be
supported by all StreamServer clauses. Initial support is added for
Monitor and ServerHTTP which use it for turning off all client
certicate checks.

Updated test.pl to complain first about missing mandatory modules.
Enhanced test output and added usage with MSCHAP testing hints.

ServerTACACSPLUS now supports Prompt reply attribute for turning off
noecho flag in TACACS+ authentication replies. This allows hinting the
TACACS+ client that it should echo user's response as it's entered.
Updated radpwtst, tacacsplustest and diapwtst to honour Prompt
attribute to turn on local echo for password challenges. The default
is to always turn off echo. Fixed incorrect EAP-GTC length calculation
in diapwtst responses. Updated tacacsplustest to display server's
message for interactive authentications.

Updates to RADIUS tagged string handling: attributes with dictionary
type tagged-string, for example Tunnel-Private-Group-ID, are now
decoded so that tag value 0 is ignored. When encoding, tag 0 is only
added when it is explicitly defined. Txag with value 0 is no longer
implicitly added. Tag values outside from 0 to 31 are now encoded as
the part of the value. For this reason Radiator no longer displays tag
0 or proxies by default tag 0 for tagged-string type attributes. Tag
values outside from 0 to 31 for Tunnel-Password and other attributes
with dictionary flag has_tag are encoded as part of actual value with
tag set to 0. Tag value 0 for Tunnel-Password is now ignored during
decode. New formatter %{UntaggedVal:attribute} returns the named
attribute from the current request without the possible tag.

Updates to AddressAllocator DHCP: Subnet Selection Option is no longer
required. If configuration has no SubnetSelectionOption set, no SSO is
required in DHCP request. Added support for configuration parameters
DHCPHostName and DHCPVendorClass for setting DHCP options 12 'Host
Name' and 60 'Class Identifier' aka Vendor Class identifier,
respectively. Updated addressallocatordhcp.cfg.

Refactored DHCP code shared by DHCP address allocator and server into
a common DHCP peer module. ServerDHCP is available in Radiator Carrier

DHCP User-Class option (77) is now correctly encoded. The encoding
used format from draft instead of RFC 3004.

Updated WiMAX attributes in the default dictionary with
WMF-T33-001-R022v04 definitions. WiMAX-IP-Technology is now an alias
for the current name WiMAX-Network-Technology. Fixed
WiMAX-Packet-Flow-Descriptor-V2 definition.
WiMAX-Home-Interface-Id-PMIP6 and WiMAX-Visited-Interface-Id-PMIP6 are
now formatted as interface ids.

Updated the default dictionary with the currently found definitions
for VENDOR Symbol 388. The old names are still available as aliases,
but attribute decoding is now done using the new names. The
documentation also uses prefix WING- instead of Symbol- as the vendor
prefix in the latest documentation. To use the new prefix, create a
custom dictionary as documented by Radiator reference manual.

Updated generic session database modules, SessionDatabase REDIS and
AuthBy DYNAUTH to support sending RFC 5176 dynauth requests to update
or disconnect all sessions a user may have. This allows, for example,
an external management entity to disconnect all sessions of a user
with just a username without knowing the number of sessions or their

Fixed a bug with uncommon configurations where Handler's last AuthBy
returning ASYNC prevented possible post authentication session
database update and other post auth actions from running.

Improved configuration parameter error detection and logging for TLS
based Stream classes and EAP methods. Errors with configuration file
parameters and CRL loading are now logged in more detail. Return
values for DH parameter, ECDH curve and Policy OID settings are now
correctly checked for errors.

Added ForwardHook to AuthBy RADIUS and AuthBy RADSEC and their derived
classes. ForwardHook receives the current request and the request to
be forwarded as its arguments. ForwardHook is called once for each
request before it is forwarded to any of the remote RADIUS or RadSec
servers. This hook allows you to modify the forwarded request without
changing the current request. Suggested by Jose Borges Ferreira.

Updated Stream TLS module to load passphrase protected
TLS_PrivateKeyFile with the updated API enabled in OpenSSL 1.1.0f.

Updated Radius request debug log dump so that it shows the the
recalculated Message-Authenticator value instead of received or all
zero value.

When sending dynauth requests to a Client, AuthBy DYNAUTH now uses the
Client's configuration to set dynauth secret and dynauth port, and
calls Client's VsaTranslateOut, VsaTranslateIn and VsaTranslationHook.

Updated EAP-FAST to work with OpenSSL 1.1.0 and later; and LibreSSL
with Net::SSLeay 1.75 and later.

Updated goodies/rcrypt usage and environent variable use

AuthBy RADIUS and AuthBy RADSEC now support KeepaliveRequestType and
AddToKeepaliveRequest to change probe type and contents from an empty
Status-Server to any other message type with optional attributes. This
allows sending, for example, Access-Request probes with User-Name and
User-Password attributes. Suggested by Paul Dekkers.

TLS_CRLCheckAll worked only when configured to a Host within AuthBy
RADSEC. It now works correctly as a default setting within AuthBy

ServerRADSEC now honours RewriteUsername and AddToRequestIfNotExist
configuration parameters. Global RewriteUsername is also honoured.
Based on suggestion by Nik Mitev.

diapwtst now supports tls_protocols, bind_address and outport command
line parameters. Fixed -timeout to work as expected.

Major update to test certificates: added wildcard, expired and revoked
end node certificates and three intermediate CAs. All four CAs sign
all five end node certificates. Revocation lists are signed by all
CAs. The lists include revoked end node certificate, and for root CA,
one intermediate CA. Certificate contents and extensions were updated.
The certificates now allow easier testing for revocations, including
intermediate CA revocations, partial chains, expirations, policies and
other conditions and configurations. Updated README files and included
configuration files and scripts for recreating all files with desired
algorithms and other settings.

Radiator's LDAP module Ldap.pm now tries connecting each configured
Host individually instead of passing all hosts directly to Net::LDAP.
Trying hosts one by one allows individual failure backoff time for
each host and working TLS certificate check based on host name.
to use failure backoff for LDAP failures.

Updated AuthBy GROUP to work with AuthBys that may return ASYNC. For
example, AuthBy RADIUS with Asynchronous flag parameter enabled now
works within an AuthBy GROUP. This update also contains initial work
in Handler towards supporting imporoved functionality for AuthBy
groups where an AuthBy returns CHALLENGE. In this case the next
request can be directly handled by the AuthBy that replied with

Monitor log messages now include tracing identifier when LogTraceId is
set globally or within a Monitor clause.

radiusd now supports -no_pid_file command line option. Updated
radiator.service systemd unit configuration file in goodies to use
this option and incorporated suggestions from Alexander Hartmaier and
Rauno Tuul into radiator.service. Added new Radiator and logrotate
configuration sample files linux-simple-config.cfg and
logrotate.radiator in goodies. These three files use matching paths
and other settings. linux-simple-config.cfg requires minimal, if any,
modifications to work on other UNIX or BSD systems too.

Airespace-QoS-Level dictionary definitions were updated to match the
current definitions used by Cisco WLC. The old values were correct for
ACS 4.1.x. The new values are used by ACS 5 and also described in WLC
configuration guides. The value names are mostly the same but the
actual numeric values are different. If you need the old values,
create a custom dictionary file and load it with DictionaryFile
configuration parameter.

radpwtst now supports -no_random command line option which makes
RADIUS authenticator and different CHAP methods to use fixed values.
This allows repeating tests with fixed values. radpwtst now logs a
detailed warning when incorrect MS-CHAP2-Success is received with
Access-Accept. Also fixed radpwtst and diapwtst option file whitespace

TLS_Protocols and EAPTLS_Protocols now recognise TLSv1.3. TLSv1.3 is
turned off by default for TLS based EAP methods and Stream based
protocols, such as RadSec and Diameter. TLSv1.3 is made available for
testing and future use and it is not supported yet. Net::SSLeay 1.83
or later is required when using Radiator with TLS 1.3 aware SSL/TLS
library. Internal changes to TLS code to use recently added constants
and functions in Net::SSLeay.

Radiator now sets X509_V_FLAG_TRUSTED_FIRST together with
TLS_CAPartialChain is set.

AuthBy NTLM now logs and rejects directly parameter lengths not
supported by ntlm_auth.

Tunneling EAP methods, EAP-FAST, EAP-TTLS and PEAP, now support
configuration parameter EAPTLS_CopyToInnerReques for copying
attributes from outer request to inner request. Previously this
required PreHandlerHook or similar method.

Updated Acct-Delay-Time handling in RADIUS accounting requests:
Radiator no longer adds a zero valued attribute when it's not present
in the request. Acct-Delay-Time is now accessed only when needed
making proxying slightly faster. Fixed missing delay adjustment for a
request when its retrasmit caused a failover to secondary host. Fixed
negative adjustment reported by Vangelis Kyriakakis.

radpwtst enhancements: -time option is now an alias for -print_stats.
-print_stats option now shows the average requests/second rate and
total time. Number of requests is now clearly separated from the
number of iterations because each iteration may consist of multiple
requests. New option -iteration_delay sets a delay between successive
iterations to help testing with different request rates.

OCSP peer certificate checking and OCSP stapling are now supported for
EAP-TLS and Stream based modules such as RadSec and Diameter.
Asynchronous OCSP check is supported for EAP-TLS. See sample
configuration files eap_tls.cfg, radsec-server.cfg and
radsec-client.cfg in goodies directory for configuration parameters,
including OCSP responder location, failure policy and response

Updated RADIUS and RadSec proxying MaxFailedRequest and
MaxFailedGraceTime to work better with low request rates.

Updated many EAP methods to include EAP-Failure in Access-Reject
messages where it was still missing. Changed some EAP failure cases to
trigger Access-Reject instead of ignoring the message. Added more
checks for inner EAP-TTLS requests.

Added support for ConsumePassword configuration parameter for AuthBys.
This parameter allows shortening and using parts of password by
multiple AuthBys when they process a request, for example, during two
factor authentication. Updated duo.cfg and digipassStatic.cfg in
goodies to use ConsumePassword.

Added support for Group-Authorization check item. This check item
defines the Identifier of an AuthBy to use for authorising users based
on their group membership. Added configuration parameters
GroupFilename to AuthBy FILE and GroupMembershipAttr to AuthBy LDAP2.
Added support for Windows AD tokenGroups in AuthBy LDAP2 for group
based authorisation. Added two new configuration samples in goodies:
authorize-group1.cfg shows how to do LSA authentication and direct
Wi-Fi users to VLANs based on their AD groups. File
authorize-group2.cfg shows how to authorise users with different
administrative roles based on what Client they log in from.

Updated Resolver clause to never use persistent TCP or UDP sockets.
This uses more sockets but is required because of lack of working
support for multiple outstanding queries. This allows Radiator to work
again with all Net::DNS versions. TCPPersistent and UDPPersistent
configuration parameters are now obsolete. Thanks to Fernando Reis for
reporting DNS roam problems.

Stream based TLS classes, such as RadSec, now support
TLS_SubjectAltNameDNS configuration parameter. This works similar to
existing TLS_SubjectAltNameURI parameter and is used when subject
alternative name type is DNS. Requested by Jan Tomasek.

Updated AddressAllocatorSQL to reject request instead of allowing it
to timeout when AsynchronousSQL is set and allocate, update or
deallocate fails. Methods confirm, deallocate and deallocate_by_nas
now return reject with reason if UpdateQuery, DeallocateQuery or
DeallocateByNASQuery fails instead of always returning accept.

AuthBy DNSROAM now passes to certificate verification the name that
was looked up during DNS discovery. The name is used similarly to
TLS_SubjectAltNameDNS allowing verification based on name insted of
just peer address. Enhanced TLS certificate verification logging for
Stream based modules including information about DNSROAM discovered
name and SRV records.

Fixed AuthBy DNSROAM to refresh route object when rediscovering it
with unchanged parameters. This fixes log messages like "AuthBy
DNSROAM rediscovered the same target for ..." appearing too often.

EAP modules configured with EAPType are now loaded during
configuration loading. This makes problems with module dependencies
visible immediately during the configuration.

PEAP now supports inner authentication after session resumption. This
fixes problems seen on Windows, for example, when changing between
WLANs. Reported by Jan Tomasek and others.

Disabled completely non-functional session resumption for TLS-based
Stream modules. Enabled no renegotiation flag for TLS-based EAP
methods and Stream modules.

radpwtst now adds Event-Timestamp to Accounting-Request messages.

EAP-pwd now supports RFC 2759 (NT hash) and SASLprep password
pre-processing methods. These are configurable with a new parameter
EAP_PWD_PrepMethod that supports values 'NtHash' and 'SASLPrep'. See
the reference manual for additional information about compatibility
and module requirements. This change also adds generic support for
adding additional prep methods.

Compiled Win32-Lsa for ActivePerl 5.24 and 5.26 and Strawberry Perl
5.26. 32-bit versions are no longer compiled by default. Contact us if
you still need them.

Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

More information about the radiator mailing list