[RADIATOR] Radiator Version 4.21 released - enhancements, bug fixes and some new features
hvn at open.com.au
Tue Jun 26 15:03:54 UTC 2018
We are pleased to announce the release of Radiator version 4.21
This version contains enhancements, bug fixes and some new features
described below. This is mostly a maintenance release.
As usual, the new version is available to current licensees
and evaluators from:
Licensees with expired access contracts can renew at:
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
Revision 4.21 (2018-06-26) bug fixes, enhancements and some new features
Selected compatibility notes, enhancements and fixes
Fixed nested and cascaded AuthBy GROUPs that stopped working in Radiator
Unified AuthBy HANDLER functionality and reverted some of its changes
done in Radiator 4.20.
JSON authentication and accounting log now formats time as numeric type
instead of string.
ServerTACACSPLUS connection handling had major updates.
Custom modules that use initialisation functions may need updates.
Known caveats and other notes
Initial testing is done with OpenSSL 1.1.1 development versions. Not
recommended with Radiator yet.
Updated simple_main_loop to use timeout and timeout handler. These are
useful for test and other client programs.
Attributes given on command line now override default and option switch
values in radpwtst.
Fixed a bug where nested and cascaded AuthBy GROUPs stopped working
because of changes in Radiator 4.20 asynchronous handling.
Unified AuthBy HANDLER functionality and reverted some changes done in
Radiator 4.20: AuthLog, AcctLog, PostProcessingHook, AddToReply and
similar reply updates are now done by the Handlers called by AuthBy HANDLER.
If these functionalities are needed when AuthBy RADIUS is used with
AuthBy HANDLER, the Asynchronous flag is required.
Fixed IgnoreReject in AuthBy RADIUS when NoReplyReject is enabled.
AuthBy RADSEC now supports Asynchronous and NoReplyReject.
Handler now supports the AccountingAccepted flag configuration parameter.
This forces the Handler to immediately log and unconditionally
acknowledge Accounting requests before passing them to AuthBys. Compared
to AccountingHandled, it does not wait for a reply from a proxy.
Response to a request of any type is now only sent once. This is for
special cases, for example, when an accounting request is proxied to
multiple servers or a hook or any special handling would cause multiple
replies back to the NAS.
EAP-TLS now also uses the subjectAltName email type when checking for a
match with the EAP identity or User-Name.
Updated the MaxFailedGraceTime algorithm in AuthBy RADIUS and RADSEC.
Fixed tunnelling EAP methods to work correctly when inner authentication
proxies with Asynchronous parameter enabled.
Updated demo certificates' subjectAltName for client and server
certificates. The client now has an email and the server a URI in addition
to the existing alternative names. Other non-CA certificates have both.
Enhanced StreamServer listen socket error logging and handling during
Updated multiple EAP methods to trigger Access-Reject with EAP-Failure
for some messages that were previously ignored.
Removed obsolete EAP type 38 EAP-TNC.
Updated EAP-PAX and EAP-PSK logging and error handling. EAP-PSK now
requires that EAP identity matches identity carried within EAP-PSK messages.
Improved Radiator init script goodies/linux-radiator.init and systemd
service unit file goodies/radiator.service. A systemd service unit file
goodies/radiator@.service which supports systemd service instances was
Updates to logging. Internal changes to enable more warnings and to how
Client maintains its client list for client lookups.
StatsLog FILE now supports OutputFormat configuration parameter. The
possible values are text and json. Default is text.
Message-Authenticator is no longer added to Status-Server Access-Accept
replies because some clients were not able to process it.
Enhancements to logging: Reason in AuthLog is now an empty string
instead of undefined value when no specific reason is available. This is
typical when result is accept for normal conditions. More results are
now available for certain conditions and special configurations such as
Fixed infinite loop when AuthBy RADIUS was configured with Asynchronous,
CachePasswords and CacheOnNoReply.
AcctSQLStatement and AuthSQLStatement now support %0 for the user name.
Added radminYubikey.cfg configuration sample in goodies. All RAdmin
configuration samples were updated and now come with Radiator.
Custom modules with need for main::reinitFns and addChildInitFn should
be updated to use new callback register methods in ServerConfig.
ServerConfig now supports methods for registering per-module callback
functions that are run for server start and restart, farm child fork,
reinit, delayed shutdown and shutdown.
Fixed a bug in GossipRedis Sentinel service name use which caused
Sentinel connection to fail. GossipRedis log now clearly shows if the
connection endpoint is Redis Sentinel or server.
Changed format_acct_log_json and format_authlog_json in LogFormat.pm to
add time as a numeric type, integer or float, instead of a string. The
type depends on LogMicroseconds.
Improved Gossip logging and handling of badly formatted messages.
Improved radpwtst's noauth, noacct and related flag handling.
ServerTACACSPLUS connection handling is now based on Stream modules
similar to RadSec, Diameter and others. This fixes a connection blocking
bug when run with FarmSize parameter and allows ServerTACACSPLUS to use
all features the Stream modules provide.
Internal changes to reinitialisation and farm child initialisation
functions that custom module writers may be interested in:
  - reinitialise functions are now run only when radiusd is
    reinitialised (i.e. on SIGHUP)
  - reinitialise is run before $main::config is destroyed, so
    registered reinitialisation functions can only read $main::config,
    if needed
  - if there is a need for functions to be called at startup, i.e.
    after $main::config has been read, one is encouraged to use
  - it is now possible to give arguments to reinitialise functions
  - pushing directly to @main::reinitFns will be obsoleted in the
    future, so the preferred way of registering them is via
Farm child initialisation
  - using main::addChildInitFn will be deprecated in the future.
    The preferred way to register farm child init functions is via
    $main::config->register_childinit_fn(\&coderef, @args). The function
    signature is not changed from main::addChildFn.
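As an added illustration of the new registration method (example code, not code from the Radiator distribution): a custom AuthBy module skeleton that registers its farm child init function via $main::config->register_childinit_fn instead of main::addChildInitFn. Assumed rather than stated on the page: the module name Radius::AuthMYCUSTOM, that it subclasses Radius::AuthGeneric and can call activate() and log() on it, and that a registered function receives the @args exactly as they were given.

```perl
# Added example, not part of Radiator: a hypothetical custom AuthBy module
# that registers a per-child init function through ServerConfig.
package Radius::AuthMYCUSTOM;   # assumption: hypothetical module name
use strict;
use warnings;
use Carp qw(croak);
use Radius::AuthGeneric;        # assumption: custom AuthBys subclass this
our @ISA = qw(Radius::AuthGeneric);

# Runs once in every forked farm child. Anything that must not be shared
# between the parent and its children (database handles, sockets, RNG
# state) is (re)created here rather than inherited across the fork.
sub child_init {
    my ($self, $label) = @_;    # assumption: @args arrive unchanged in @_
    $self->{child_pid} = $$;
    $self->log($main::LOG_INFO, "$label: initialising farm child $$");
    # Reseed so that children do not share the parent's random sequence.
    srand();
    # Discard any handle inherited from the parent; reconnect on first use.
    $self->{dbh} = undef;
}

sub activate {
    my ($self) = @_;
    $self->SUPER::activate();
    croak 'ServerConfig not available' unless $main::config;
    # Old way, to be deprecated:
    #   main::addChildInitFn(sub { $self->child_init('AuthBy MYCUSTOM') });
    # New way since Radiator 4.21, with arguments passed to the callback:
    $main::config->register_childinit_fn(\&child_init, $self, 'AuthBy MYCUSTOM');
}

1;
```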
Updates to goodies/*Create.sql files: changed ACCTTERMINATECAUSE to
string, updated column types to bigint and longer varchar where
applicable. Infrequently used tables and test data are now present only
in sql-extra-tables.sql and sql-test-data.sql, respectively. Added
oracleCreate.sql. PostgreSQL and SQLite now use the same file
postgres-sqliteCreate.sql. SQL Server and Sybase now use the same file
sqlserver-sybaseCreate.sql. Removed separate files for mSQL, Informix
and InterBase in favour of ansiCreate.sql. The files were tested with
Firebird 3.0.3, IBM DB2 Express-C 11.1, IBM Informix 12.10 Developer
Edition, InterBase 2017 Developer Edition, MariaDB, Microsoft SQL Server
Express 2014 and 2017, MySQL, Oracle Database 11g Express Edition,
PostgreSQL, SAP ASE (Sybase) Express Edition 16.0 and SQLite.
Fixed a bug in dictionary loading where hex VALUE lines were incorrectly
processed. Fixed incorrectly named values in dictionary.acc in goodies.
Minor code maintenance related updates to utility programs and modules.
Improved logging about attributes that are not in dictionary.
On Windows a message is now logged when the Radiator Windows service stops.
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.