[RADIATOR] Radiator Version 4.21 released - enhancements, bug fixes and some new features

[Heikki Vatiainen]

We are pleased to announce the release of Radiator version 4.21

This version contains enhancements, bug fixes and some new features 
described below. This is mostly a maintenance release.

As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.21 (2018-06-26) bug fixes, enhancements and some new features

     Selected compatibility notes, enhancements and fixes

Fixed nested and cascaded AuthBy GROUPs that stopped working in Radiator 
4.20.

Unified AuthBy HANDLER functionality and reverted some of its changes 
done in Radiator 4.20.

JSON authentication and accounting log now formats time as numeric type 
instead of string.

ServerTACACSPLUS connection handling had major updates.

Custom modules that use initialisation functions may need updates.


       Known caveats and other notes

Initial testing is done with OpenSSL 1.1.1 development versions. Not
recommended with Radiator yet.


       Detailed changes

Updated simple_main_loop to use timeout and timeout handler. These are 
useful for test and other client programs.

Attributes given on command line now override default and option switch 
values in radpwtst.

Fixed a bug where nested and cascaded AuthBy GROUPs stopped working 
because of changes in Radiator 4.20 asynchronous handling.

Unified AuthBy HANDLER functionality and reverted some changes done in 
Radiator 4.20: AuthLog, AcctLog, PostProcessingHook, AddToReply and 
similar reply updates are now done by Handlers called by AuthBy HANDLER. 
If these functionalities are needed when AuthBy RADIUS is used with 
AuthBy HANDLER, Asynchronous flag is required.

Fixed IgnoreReject in AuthBy RADIUS when NoReplyReject is enabled.

AuthBy RADSEC now supports Asynchronous and NoReplyReject.

Handler now supports AccountingAccepted flag configuration parameter for 
Handler. This forces Handler to immediately log and unconditionally 
acknowledge Accounting requests before passing them to AuthBys. Compared 
to AccountingHandled, this will not wait for a reply from a proxy.

Response to a request of any type is now only sent once. This is for 
special cases, for example, when an accounting request is proxied to 
multiple servers or a hook or any special handling would cause multiple 
replies back to the NAS.

EAP-TLS now uses subjectAltName email type too when checking match for 
EAP identity or User-Name.

Updated MaxFailedGraceTime algorithm in AuthBy RADIUS and RADSEC

Fixed tunnelling EAP methods to work correctly when inner authentication 
proxies with Asynchronous parameter enabled.

Updated demo certificates subjectAltName for client and server 
certificates. Client now has email and server has URI in addition to the 
existing alternative names. Other non-CA certifcates have both.

Enhanced StreamServer listen socket error logging and handling during 
configuration time.

Updated multiple EAP methods to trigger Access-Reject with EAP-Failure 
for some messages that were previously ignored.

Removed obsolete EAP type 38 EAP-TNC.

Updated EAP-PAX and EAP-PSK logging and error handling. EAP-PSK now 
requires that EAP identity matches identity carried within EAP-PSK messages.

Improved Radiator init script goodies/linux-radiator.init and systemd 
service unit file goodies/radiator.service. A systemd service unit file 
goodies/radiator at .service which supports systemd service instances was 
added.

Updates to logging. Internal changes to enable more warnings and how 
Client maintains its client list for client lookups.

StatsLog FILE now supports OutputFormat configuration parameter. The 
possible values are text and json. Default is text.

Message-Authenticator is no longer added to Status-Server Access-Accept 
replies because some clients were not able to process it.

Enhancements to logging: Reason in AuthLog is now an empty string 
instead of undefined value when no specific reason is available. This is 
typical when result is accept for normal conditions. More results are 
now available for certain conditions and special configurations such as 
NoForwardAuthentication.

Fixed infinite loop when AuthBy RADIUS was configured with Asynchronous, 
CachePasswords and CacheOnNoReply.

AcctSQLStatement and AuthSQLStatement now support %0 for user name 
replacement.

Added radminYubikey.cfg configuration sample in goodies. All RAdmin 
configuration samples were updated and now come with Radiator.

Custom modules with need for main::reinitFns and addChildInitFn should 
be updated to use new callback register methods in ServerConfig. 
ServerConfig now supports methods for registering per-module callback 
functions that are run for server start and restart, farm child fork, 
reinit, delayed shutdown and shutdown.

Fixed a bug in GossipRedis Sentinel service name use which caused 
Sentinel connection to fail. GossipRedis log now clearly shows if the 
connection endpoint is Redis Sentinel or server.

Changed format_acct_log_json and format_authlog_json in LogFormat.pm to 
add time as a numeric type, integer or float, instead of a string. The 
type depends on LogMicroseconds.

Improved Gossip logging and handling of badly formatted messages.

Improved radpwtst's noauth, noacct and related flag handling.

ServerTACACSPLUS connection handling is now based on Stream modules 
similar to RadSec, Diameter and others. This fixes a connection blocking 
bug when run with FarmSize parameter and allows ServerTACACSPLUS to use 
all features the Stream modules provide.

Internal changes to reinitialisation and farm child initialisation 
functions custom module writers may be interested in
     Reinitialisation
         reinitialise functions are now run only when radiusd is 
reinitialised (i.e. SIGHUP)
         reinitialise is run before $main::config is destroyed, so 
registered reinitialisation functions can only read $main::config, if needed
         if there is a need for functions to be called at startup, i.e. 
after $main::config has been read, one is encouraged to use 
$main::config->register_startup_fn(\&coderef, @args)
         it is now possible to give arguments to reinitialise functions
         pushing directly to @main::reinitFns will be obsoleted in the 
future, so preferred way of registering them is via 
$main::config->register_reinit_fn(\&coderef, @args)
     Farm child initialisation
         using main::addChildInitFn will be deprecated in the future. 
Preferred way to register farm child init functions is via 
$main::config->register_childinit_fn(\&coderef, @args). Function 
signature is not changed from main::addChildFn.

Updates to goodies/*Create.sql files: changed ACCTTERMINATECAUSE to 
string, updated column types to bigint and longer varchar where 
applicable. Infrequently used tables and test data are now present only 
in sql-extra-tables.sql and sql-test-data.sql, respectively. Added 
oracleCreate.sql. PostgreSQL and SQLite now use the same file 
postgres-sqliteCreate.sql. SQL Server and Sybase now use the same file 
sqlserver-sybaseCreate.sql. Removed separate files for mSQL, Informix 
and InterBase in favour of ansiCreate.sql. The files were tested with 
Firebird 3.0.3, IBM DB2 Express-C 11.1, IBM Informix 12.10 Developer 
Edition, InterBase 2017 Developer Edition, MariaDB, Microsoft SQL Server 
Express 2014 and 2017, MySQL, Oracle Database 11g Express Edition, 
PostgreSQL, SAP ASE (Sybase) Express Edition 16.0 and SQLite.

Fixed a bug in dictionary loading where hex VALUE lines were incorrectly 
processed. Fixed incorrectly names values is dictionary.acc in goodies.

Minor code maintenance related updates to utility programs and modules.

Improved logging about attributes that are not in dictionary.

On windows a message is now logged when Radiator Windows service stops.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.