[RADIATOR] Radiator Version 4.24 released - new features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Mon Dec 9 16:40:40 UTC 2019
We are pleased to announce the release of Radiator version 4.24.
This version contains new features, enhancements and bug fixes. See
below for the details.
As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html
Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.24 (2019-12-09) new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
Added configuration parameters TLS_SecurityLevel and
EAPTLS_SecurityLevel and calls to set accepted TLS version ranges. This
allows for Radiator module level control of desired TLS settings without
modifications of system defaults.
ClientListSQL configuration can now be simplified with ClientColumnDef
parameters.
AuthBy SQLHOTP and SQLTOTP SQL query parameter support was added.
Dynamically updated Diameter RealmTable for request routing and
forwarding is now available for advanced Diameter applications.
Added a new configuration flag parameter IgnoreIfMissing.
Added a new check item ExistsInRequest for matching requests by
attribute presence. Useful for Handlers.
Added new AuthBy REST, which is built on a new class called HTTPClient.
Packages are now available for Red Hat Enterprise Linux 8, CentOS 8
and Debian 10 (Buster).
Added configuration guide and samples for SecureW2 integration.
Known caveats and other notes
TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
based classes, such as RadSec.
EAP-FAST functionality is reported to vary between TLS versions, TLS
library security level settings and client implementations.
Detailed changes
AuthBy SIP2 sometimes parsed ACS server responses incorrectly, causing
incorrect authentication rejects.
Stream modules that use TLS, such as RadSec, now log the negotiated TLS
version and cipher similar to what TLS based EAP methods already do.
Short inner EAP messages received by EAP-TTLS and PEAP are now caught
earlier, instead of in the generic EAP module.
Added new configuration parameters TLS_SecurityLevel and
EAPTLS_SecurityLevel to control the TLS library's security level
settings. See the OpenSSL manual for SSL_CTX_set_security_level() for
more about security levels. When TLS_Protocols or EAPTLS_Protocols is
configured to set the desired TLS versions, the TLS library's
Net::SSLeay::CTX_set_min_proto_version and its 'max' counterpart are
now called automatically. The security level and TLS version settings
may be needed on systems with strict defaults. For example, Debian 10
sets the default minimum TLS version to 1.2 and the security level to
2, which may be too restrictive for older EAP clients or Diameter and
RadSec peers. Support for the min/max_proto functions was added in
Net::SSLeay 1.83.
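As an added illustration, not code from Radiator or from the Net::SSLeay distribution, the following Perl script applies a TLS version range and an OpenSSL security level to a Net::SSLeay context and reads the settings back. The comma-separated "TLSv1.2, TLSv1.3" list syntax it parses, the proto_range and configure_ctx helpers, and the CTX_get_* readback calls are this example's own assumptions; the calls named in the note above (CTX_set_min_proto_version, its max counterpart and CTX_set_security_level) are the ones Radiator's parameters map to.

```perl
#!/usr/bin/perl
# Added example, not Radiator code: drive a Net::SSLeay context with a
# TLS version range and an OpenSSL security level, then read them back.
use strict;
use warnings;
use Net::SSLeay;

# CTX_set_min/max_proto_version and the TLS1_*_VERSION constants appeared
# in Net::SSLeay 1.83; refuse to run on anything older.
die "Net::SSLeay 1.83 or newer required, have $Net::SSLeay::VERSION\n"
    if $Net::SSLeay::VERSION < 1.83;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Map version names to library constants. A constant is absent when the
# linked OpenSSL does not know that version (e.g. no TLS 1.3 support).
my %version_of;
for my $pair (['TLSv1',   'TLS1_VERSION'],   ['TLSv1.1', 'TLS1_1_VERSION'],
              ['TLSv1.2', 'TLS1_2_VERSION'], ['TLSv1.3', 'TLS1_3_VERSION']) {
    my ($name, $const) = @$pair;
    my $code = eval { no strict 'refs'; &{"Net::SSLeay::$const"}() };
    $version_of{$name} = $code if defined $code;
}

# Assumed value syntax: a comma-separated list such as "TLSv1.2, TLSv1.3";
# the lowest and highest listed versions become the min and max.
sub proto_range {
    my ($list) = @_;
    my @codes = map {
        $version_of{$_} // die "unknown or unsupported TLS version '$_'\n"
    } split /\s*,\s*/, $list;
    die "empty TLS version list\n" unless @codes;
    my ($min, $max) = (sort { $a <=> $b } @codes)[0, -1];
    return ($min, $max);
}

sub configure_ctx {
    my ($ctx, $protocols, $level) = @_;
    my ($min, $max) = proto_range($protocols);
    Net::SSLeay::CTX_set_min_proto_version($ctx, $min)
        or die 'CTX_set_min_proto_version: ' . Net::SSLeay::print_errs();
    Net::SSLeay::CTX_set_max_proto_version($ctx, $max)
        or die 'CTX_set_max_proto_version: ' . Net::SSLeay::print_errs();
    # The security level governs minimum key sizes, permitted ciphers and
    # signature algorithms; see SSL_CTX_set_security_level(3).
    Net::SSLeay::CTX_set_security_level($ctx, $level);
    return $ctx;
}

my $ctx = Net::SSLeay::CTX_new() or die 'CTX_new: ' . Net::SSLeay::print_errs();

# Mirrors a configuration in the spirit of "TLS_Protocols TLSv1.2, TLSv1.3"
# with "TLS_SecurityLevel 1" on a host whose system default is level 2.
configure_ctx($ctx, 'TLSv1.2, TLSv1.3', 1);

# Read back what the library will enforce (getter calls assumed present
# in the installed Net::SSLeay).
printf "min proto 0x%04x, max proto 0x%04x, security level %d\n",
    Net::SSLeay::CTX_get_min_proto_version($ctx),
    Net::SSLeay::CTX_get_max_proto_version($ctx),
    Net::SSLeay::CTX_get_security_level($ctx);

Net::SSLeay::CTX_free($ctx);
```

The proto-version and security-level functions only exist when Net::SSLeay is built against OpenSSL 1.1.0 or newer (or a LibreSSL with the same API); on older libraries the calls die as undefined, which is the same situation the "strict defaults" note describes from the other side. Lowering the security level does not widen the version range, and vice versa, so both settings are needed when an old peer fails on both counts.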
Updated Lancom and Aerohive attributes in the default dictionary.
Aerohive products appear to use attribute 1 for different purposes. For
this reason the newly added Aerohive-User-Vlan is an alias for the
existing AH-HM-Admin-Group-Id. Both names are usable as reply
attributes, but incoming attributes remain named AH-HM-Admin-Group-Id.
Thanks to Stefan Winter for the updated information.
Added two new modules that allow temporarily denying logins for users
that were rejected because of repeated bad passwords. These are initial
versions of AuthBy FAILUREPOLICY and AuthBy SQLFAILUREPOLICY; more
enhancements will follow in subsequent Radiator releases. See
failurepolicy.cfg in goodies for a sample configuration.
Added radiator-instances.service to goodies. This is a systemd unit
configuration file for a virtual service for managing all Radiator
instances. It works in conjunction with the radiator@.service unit file.
Added 25 VSAs in the default dictionary for VENDOR 12356 Fortinet.
Updated sample certificates to expire on November 10 2021.
ClientListSQL now supports the new configuration parameter
ClientColumnDef. This allows for simpler and more flexible
configuration. Updated ClientList modules based on perlcritic reports.
Updated AuthBy SQLHOTP and SQLTOTP to support SQL query parameters.
Enhanced the configuration for both to refuse token lengths shorter
than 4, and clarified the documentation of Require2Factor and the SQL
token active field. Other minor updates to the SQL schema, sample
configurations and code based on perlcritic.
ClientListSQL and ClientListLDAP can now fetch TACACSPLUSKey parameter.
This allows Clients to have separate values for RADIUS shared secret and
TACACS+ key.
Check items with regular expression values now use the s modifier by
default. This allows a dot to also match a newline.
An instance of RealmTable is now dynamically updated for Diameter
peerings used by Radiator 3GPP AAA Server and other advanced Diameter
applications. This RealmTable is available for Diameter request routing
and forwarding for those Diameter peers that are configured with
DiaPeerDef clauses supported by Radiator Carrier Pack.
Added RealmTable.pm for generic support for realm routing tables. This
can be used with Radius and Diameter to dynamically or statically build
routing tables that support quick lookups from a large number of
destinations. Aggregates and regexp based lookups are supported. See
realmtable.pl in goodies for a sample application.
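To show the kind of lookup structure the note above describes, here is an added Perl example that is not Radiator's RealmTable.pm (whose entry formats and API are not shown in this announcement). The RealmRouter class name, the "*.domain" aggregate syntax, the ordering of exact, aggregate and regexp matching, and the routing table contents are all this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example, not Radiator's RealmTable.pm: a realm routing table with
# exact, aggregate (wildcard suffix) and regexp entries, looked up in
# that order, so that exact and aggregate hits cost one hash lookup per
# label instead of a scan over every destination.
use strict;
use warnings;

package RealmRouter;   # hypothetical class name for this illustration

sub new { return bless { exact => {}, suffix => {}, regex => [] }, shift }

# Entry forms (assumed for this example):
#   'example.com'        exact realm
#   '*.example.com'      aggregate: example.com and any realm below it
#   qr/^site\d+\.corp$/  regexp, tried last and in insertion order
sub add {
    my ($self, $key, $dest) = @_;
    if (ref $key eq 'Regexp') {
        push @{ $self->{regex} }, [ $key, $dest ];
    } elsif ($key =~ /^\*\.(.+)$/) {
        $self->{suffix}{ lc $1 } = $dest;
    } else {
        $self->{exact}{ lc $key } = $dest;
    }
    return $self;
}

sub lookup {
    my ($self, $realm) = @_;
    $realm = lc $realm;
    return $self->{exact}{$realm} if exists $self->{exact}{$realm};

    # Aggregates: test the realm itself, then each parent from the most
    # specific outwards, so the longest matching aggregate wins.
    my @labels = split /\./, $realm;
    while (@labels) {
        my $candidate = join '.', @labels;
        return $self->{suffix}{$candidate} if exists $self->{suffix}{$candidate};
        shift @labels;
    }
    for my $entry (@{ $self->{regex} }) {
        return $entry->[1] if $realm =~ $entry->[0];
    }
    return;   # undef: no route; the caller decides whether to reject or default
}

package main;

# Constructed routing table and test realms.
my $table = RealmRouter->new
    ->add('example.com',       'proxy-a.example.net')
    ->add('*.example.com',     'proxy-b.example.net')
    ->add('*.partner.org',     'diameter-peer-1')
    ->add(qr/^site\d+\.corp$/, 'diameter-peer-2');

for my $realm (qw(example.com eduroam.example.com x.y.partner.org
                  site42.corp nowhere.test)) {
    my $dest = $table->lookup($realm);
    printf "%-22s -> %s\n", $realm, defined $dest ? $dest : '(no route)';
}
```

Keeping regexp entries last matters for both speed and predictability: every regexp is tried against every unmatched realm, and a loose pattern placed early would silently capture realms that exact or aggregate entries were meant to route. Returning undef rather than a default destination leaves the decision to reject or fall back with the caller.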
Minor fixes: enhance Radius::SCTP support detection and address messages
triggered by recently enabled warnings pragma.
Radiator's Radius::UtilXS package now provides an interface to the DES
functions in OpenSSL and LibreSSL. These alternative functions are used
automatically when Radius::UtilXS is available. The Radius::UtilXS
package is available from Radiator downloads.
Digest::MD4 is no longer strictly required with MSCHAP related
authentication methods. An alternative MD4 digest implementation is now
provided by Radiator's Radius::UtilXS package. This package is available
from Radiator downloads.
Added new configuration parameter LeavePassword. LeavePassword is
similar to ConsumePassword but leaves the beginning of the password
unchanged and extracts a portion of the password from the end.
Added integration guide and configuration files for configuring Radiator
Software's RADIUS Server for EAP-TLS using SecureW2 PKI.
Added Win32-Lsa module for 64bit Strawberry Perl 5.30.1. Updated
Radiator MSI package to use Strawberry Perl 5.30.1.1.
Added new configuration flag parameter IgnoreIfMissing. This parameter
is somewhat similar to the previously existing parameter
AcceptIfMissing. If the user is not present in the user database, this
parameter causes the enclosing AuthBy to return ignore instead of
reject. When multiple AuthBys are configured, this allows lookups to
continue until the user is found while accept or reject is returned
immediately. Suggested by Christian Meutes and Alexander Hartmaier.
When PacketTrace is set for a proxied request, the corresponding reply
from a proxy now inherits the trace setting and is logged with trace
level 5. With RadSec, the proxied request is now also logged with trace
level 5.
Updated vendor Ruckus attributes in dictionary. Contributed by Michael
Newton.
Added new check item ExistsInRequest. This is mostly used in Handlers to
help matching requests based on attribute presence irrespective of their
content. For example, <Handler ExistsInRequest=EAP-Message> selects all
EAP requests. Simple alternation is also supported: <Handler
ExistsInRequest = OSC-Rate-Limit-Day|OSC-Rate-Limit-Night> matches
requests that have one or both of the attributes.
RADIUS attribute names are now checked for uncommon characters.
Unexpected names are accepted and a warning is logged when the
dictionary is loaded.
Locked Radiator distribution now honours Windows Service Control Manager
state changes when expiry date or other limits have been reached.
Previously Locked Radiator service became unstoppable when limits were
reached.
Added new class called HTTPClient which implements a flexible and
asynchronous HTTP and HTTPS client. Added new HTTPClient based AuthBy
REST for sending authentication and accounting requests over a REST
interface.
Added support for using different back ends for random generation. The
currently preferred source is Net::SSLeay with the default being Perl
core rand.
AuthDN in AuthBy LDAP2 now supports the %0 special. This is replaced
with the DN-escaped value of the currently authenticated username. Added
special formatters %{LDAPDN:...} and %{LDAPFilter:...} for escaping
values with LDAP DN and filter rules. Fixed ServerChecksPassword error
logging to be correct about the failure reason when no result was
received from the server because of, for example, an unexpected
disconnection. Similar changes, and return value unification, were done
to the function checkPassword for custom code uses. Trailing NUL octets
are no longer stripped from attributes received from LDAP. Addressed
results reported by Perl::Critic.
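The reason a DN and a filter need different escaping, as an added Perl example that is not Radiator code: it uses the escape_dn_value and escape_filter_value helpers from Net::LDAP::Util, which implement the RFC 4514 DN and RFC 4515 filter rules the two new formatters are described as applying. The DN and filter templates, the helper names and the sample usernames are this example's own constructions.

```perl
#!/usr/bin/perl
# Added example, not Radiator code: the two escaping rules behind the
# %{LDAPDN:...} and %{LDAPFilter:...} specials, via Net::LDAP::Util.
# A username taken from a RADIUS request needs RFC 4514 escaping inside
# a DN and RFC 4515 escaping inside a search filter; applying the wrong
# rule, or none, lets the value alter the structure of the query.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

# Assumed templates, in the spirit of an AuthDN containing %0 and a
# search filter built from the user name.
my $dn_template     = 'uid=%s,ou=people,dc=example,dc=com';
my $filter_template = '(&(objectClass=person)(uid=%s))';

sub auth_dn       { return sprintf $dn_template,     escape_dn_value($_[0]) }
sub search_filter { return sprintf $filter_template, escape_filter_value($_[0]) }

# Constructed sample names: a plain one, one with DN-special characters
# (leading space, comma, plus) and one with filter-special characters
# (asterisk, parentheses).
my @users = ('alice', ' smith, john+x', 'bob*)(objectClass=*');

for my $u (@users) {
    printf "%-24s DN:     %s\n", "'$u'", auth_dn($u);
    printf "%-24s filter: %s\n", '',     search_filter($u);
}

# Unescaped, the third name would give the filter
#   (&(objectClass=person)(uid=bob*)(objectClass=*))
# which matches every person whose uid starts with "bob" rather than the
# literal name; escaped it is
#   (&(objectClass=person)(uid=bob\2a\29\28objectClass=\2a))
# and the DN form escapes the leading space, comma and plus instead:
#   uid=\ smith\, john\+x,ou=people,dc=example,dc=com
```

The point worth checking in a configuration is that each substitution uses the rule for the context it lands in: a DN-escaped value inside a filter still carries unescaped asterisks and parentheses, and a filter-escaped value inside a DN still carries unescaped commas, so the two formatters are not interchangeable.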
Multiple LDAP enhancements were added. LDAP modules now support new
configuration parameters SSLCAClientKeyPassword and
SSLExpectedServerName. SSLCAClientKeyPassword sets the passphrase to
decrypt the client private key when mutual certificate based LDAP
authentication is required. SSLExpectedServerName sets the name the
server certificate must match during verification. Misconfigured values
for SSLCAFile and other related files are now logged and handled and no
longer cause Radiator to exit without logging. Unknown values for
SSLVerify are now logged and map to the default value require.
SNMPAgent and Monitor with FarmSize configuration no longer require a
FarmChildHook to re-open their listen sockets. Their listen sockets are
now created after forking the instances. The FarmChildHook sample in
the hooks.txt goodies file was updated to point to an example in the
farmchildhook.txt goodies file. Updated Ldap.pm and SNMPAgent to better
log and refuse incorrect Port configuration values. Minor fix to
SNMPAgent to also return SNMPv2-MIB system group values when queried
with snmpwalk.
Too large port numbers in the configuration file for TCP, UDP and SCTP
are now more clearly logged and refused.
Fixed a memory leak caused by a StatsLog clause and ClientListSQL or
ClientListLDAP being enabled in the same configuration. The leak affects
Radiator versions 4.17 up to 4.23.
Minor updates to IP address packing and resolution functions in Util.pm.
Similar updates to old Socket6 module based functions. This makes IPv6
support with Socket6 more similar to what Perl core provides. Minor
updates to BigInt functions and fixes to recent quota calculation
related utility functions. Addressed a number of perlcritic reports.
Unified Radiator internal JSON support. Modules, hooks and other code
should now use Radius::JSON, which chooses a JSON backend during startup
and provides an interface for querying JSON status. The JSON backend and
its version, or the lack of a backend, is logged when Radiator starts.
Updated AuthBy DUO to use Radius::JSON instead of JSON.pm.
Messages logged to global LogFile and by LogFILE, LogSYSLOG and Monitor
clauses now support adding farm instance to log messages. This is
enabled by new LogFarmInstance configuration flag parameter. Addressed
results reported by Perl::Critic.
Updated diapwtst and ServerDIAMETER to include Acct-Application-Id in
Accounting-Request (ACR) and Accounting-Answer (ACA) commands. Changed
diapwtst to use Diameter base accounting in Command Code header field.
AuthBy LSA now checks that Win32::NetAdmin is available when the
configuration is loaded. This prevents radiusd from starting if the
module is not installed. Previously the check happened when the group
membership check was first done, causing radiusd to exit.
The local address of AuthBy LDAP2 and other LDAP client connections,
configured with BindAddress parameter, now supports formatting
characters. Improved logging of LocalAddress for Stream based classes
when LocalAddress uses formatting characters.
Added VENDOR 14823 Aruba attributes Aruba-Captive-Portal-URL and
Aruba-MPSK-Passphrase to dictionary.
When the global DupCache parameter was set to a non-default value, only
duplicates of replied messages were correctly detected. Fixed a related
memory leak and addressed Perl::Critic reports.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.