[RADIATOR] Radiator Version 4.22 released - major packaging update, new features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Wed Jan 9 20:34:45 UTC 2019
We are pleased to announce the release of Radiator version 4.22.
This version comes with additional Radiator package formats and contains
new features, enhancements and bug fixes.
Radiator is now packaged as RPM for Red Hat Enterprise Linux 7 and
CentOS 7, deb for Ubuntu 16.04 and 18.04, and MSI for Windows. These are
in addition to the previous package formats: generic RPM, zip and tgz.
Other software, such as Radiator SIM pack, will be packaged later.
More information about new packages will be posted separately.
As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html
Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.22 (2019-01-09) major packaging update, new features,
enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
New Radiator packages: Red Hat Enterprise Linux 7 and CentOS 7, Ubuntu
16.04 and 18.04, and Windows MSI
Major updates to Yubikey Validation server support
SCTP multihoming support for Diameter and other stream modules
Known caveats and other notes
TLSv1.3 is not enabled by default for TLS based EAP methods.
TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
Detailed changes
Fixed a bug in radiusd where @main::reinitFns and @main::perchildinitFns
are initialised after radiusd has loaded modules which already altered
@main::reinitFns and/or @main::perchildinitFns. This bug was triggered
when radiusd was restarted with a SIGHUP.
Fixed a bug in ServerTACACSPLUS where Client clause parameters, such as
RewriteUsername, were ignored. This was broken in Radiator 4.21.
Corrected SQL syntax in hotp.cfg and totp.cfg goodies sample files.
Reported by Denis Pavani.
Fixed EAP-FAST to work with OpenSSL 1.1.0 with clients that do not have
a valid PAC and need to use unauthenticated provisioning. This requires
SSL_set_security_level support which is not available in Net::SSLeay
1.85 and before.
Monitor and ServerHTTP now honour UseTLS. TLS_Protocols is still the
preferred method to enable TLS.
EAPAnonymous %0 can now access inner EAP identity with EAP-FAST.
TLS based EAP methods do not enable TLSv1.3 by default. This can be
changed with EAPTLS_Protocols configuration parameter.
Significant updates to radiator.service and radiator at .service Systemd
unit files in goodies. Radiator modules are looked up from a new default
location /opt/radiator/radiator. Binding to TACACS+ and other privileged
ports is enabled with CAP_NET_BIND_SERVICE. Runtime directory is created
as /run/radiator/. Other updates for environment variables and startup
control.
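The least-privilege pattern described above (unprivileged service account, CAP_NET_BIND_SERVICE for privileged ports, a managed /run/radiator/ runtime directory), as an added example unit that is not the goodies radiator.service file; the service account, config path and radiusd invocation are assumptions:

```ini
# Added example, not Radiator's shipped unit. Account name, config path
# and the radiusd command line below are assumptions for illustration.
[Unit]
Description=Radiator RADIUS server (example unit)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Run as an unprivileged account (assumed to exist) rather than root.
User=radiator
Group=radiator
# Module lookup location from the release notes; exact radiusd path
# and options are placeholders and may differ on your install.
Environment=PERL5LIB=/opt/radiator/radiator
ExecStart=/opt/radiator/radiator/radiusd -foreground -config_file /etc/radiator/radiator.cfg
# Bind TACACS+ (49/tcp) and other privileged ports without root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# systemd creates /run/radiator/ owned by User/Group at each start.
RuntimeDirectory=radiator
RuntimeDirectoryMode=0750
# Read-only view of the system; only the log directory is writable.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/log/radiator
Restart=on-failure

[Install]
WantedBy=multi-user.target
```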
radpwtst was updated to use its invocation location and
/opt/radiator/radiator to search for its modules and dictionary. Neither
modules nor the dictionary are looked up from the current working
directory any longer.
radiusd was updated to use its invocation location to search for its
modules. Modules are no longer looked up from the current working directory.
An info level message is now logged when license related configuration
parameters are set with a fully licensed Radiator. This is a reminder
that these parameters are ignored and can be safely removed from the
configuration. New configuration parameter LicenseFile is now the
recommended method to include license configuration parameters.
Removed a number of obsolete files from goodies.
ClientListLDAP now supports PostSearchHook.
Added AuthBy HOTSPOT for operating wired and wireless hotspots with
authentication and billing. Added support for handling service and
subscription databases with implementations in ServiceDatabase INTERNAL
and ServiceDatabase SQL. Added modules for handling services,
subscriptions and sessions that are managed by SessionDatabase and
ServiceDatabase modules. Enhanced SessionDatabase modules to support the
new functionality. See README.hotspot and hotspot.cfg in goodies for
more information and a configuration sample.
Added AuthBy HOTSPOTFIDELIO that extends AuthBy HOTSPOT with
Opera/Fidelio specific functionality. See README.hotspot-fidelio and
hotspot-fidelio.cfg in goodies for more information and a configuration
sample. This module also supersedes AuthBy FIDELIOHOTSPOT which will
continue to work but should not be used in new deployments.
Added indexing to fidelio-hotspot.sql.
AuthBy FIDELIO, AuthBy FIDELIOHOTSPOT and AuthBy HOTSPOTFIDELIO
UserPasswordHook is now passed $p as an additional argument.
HandlerFindHook is now available for fast Handler lookup. This is
advantageous for configurations, such as proxying based on realm, where
maximum packet throughput is required. A configuration sample is in
goodies/handler-find-hook.pl.
Added Base32 decoder to hextobase32.pl in goodies and updated it to
match API changes in recent MIME::Base32 modules.
AuthBy YUBIKEYVALIDATIONSERVER now supports Validation Protocol 2.0 and
1.0. Tested with YubiCloud and PyHSM hsm-val servers. Previously
supported PyHSM yhsm-val short format OTP protocol was updated to
include OATH-TOTP protocol. Updated configuration sample with new
parameters is in yubikey-validationserver.cfg goodies file.
Windows service enhancements: service parameters no longer include
command line options relevant only to installing Radiator as a service.
This simplifies parameters when installing service and running as
service. Service install and uninstall failures now log more details and
cause radiusd to exit with failure. Fixed whitespace quoting in service
parameters.
Added Win32-Lsa module for 64-bit Strawberry Perl 5.28.
Updated the framework for packing and unpacking complex RADIUS vendor
specific attributes (VSA framework) to pass current request to custom
pack functions. Request is now passed to both pack and unpack functions.
Corrected hooks.txt in goodies to use packed address with Client's
findAddress function.
radiusd now accepts command line parameter -prepend_env that prepends
its value to an environment variable during radiusd start. The variable
is created if it does not exist.
Stream based modules, such as ServerDIAMETER, now use sctp_bindx() for
all BindAddress values and sctp_connectx() for SCTPPeer values. These
require Radiator Radius::SCTP bindings to make libsctp API available for
Perl.
Fixed a crash triggered by logging of Handler values, such as
Identifier, before Handler was chosen.
AuthBy LSA can now rewrite the username that is passed to LSA. An example
use is Wi-Fi roaming, where the roaming username cannot be directly used
with Windows authentication because of local naming conflicts with
roaming requirements. See LSARewriteHook in goodies/lsa.cfg and the Radiator
reference manual. Updated other AuthBy LSA configuration samples.
Improvements to AuthBy SAFEWORD. New parameters SSLVersion and
SSLCipherList allow configuring SSL/TLS protocol versions and cipher
suites when communicating with the server.
Improvements to AcctLog and AuthLog clauses. New optional parameter
MaxMessageLength specifies a maximum message length (in characters) for
each message to be logged. If specified, each log message is truncated
to the specified number of characters prior to logging.
Improvements to AcctLog, AuthLog and Log clauses. When LogSock is set to
unix or stream or pipe, new optional parameter LogPath specifies the
syslog path. Defaults to _PATH_LOG macro (if your system defines it).
ServerTACACSPLUS authorisation context lookup enhancement: new optional
configuration parameter ContextId specifies how to derive a lookup key
for TACACS+ authentication context when authorising TACACS+ requests.
Stream and StreamServer certificate verification enhancements: new
optional parameter TLS_CertificateVerifyHook specifies a perl function
that will be called for a custom verification of the client certificate.
TLS_CertificateVerifyFailedHook is a new optional parameter that
specifies a perl function that will be called if verifying the client
certificate fails. These are similar to their EAPTLS counterparts and
their return values determine how certificate verification continues.
See radsec-server.cfg in goodies and Radiator reference manual for more
information.
Added VENDOR Ciena 1271 VSAs to dictionary.
Added Juniper Junos OS TACACS+ configuration sample in
tacacsplusserver.cfg goodies file.
AuthBy RADSEC now reconnects more reliably to disconnected peers instead
of leaving peers in a permanently failed state. This could happen when
ConnectOnDemand is set and when UseStatusServerForFailureDetect is set
with Radiator 4.20 and 4.21. Reported by Paul Dekkers.
AuthBy RADSEC now delays creating sockets when Farmsize is set and
ConnectOnDemand is not set. This avoids closing sockets after forking
farm members which caused confusing stream related peer disconnect log
messages. Reported by Paul Dekkers.
AuthBy DNSROAM could connect to the same destination twice. This was
fixed in Radiator 4.20 but not mentioned in changes.
A number of code clean-up and maintenance changes were made based on
Perl::Critic and other tools.
DictionaryReloadInterval is a new optional parameter that sets an
interval in seconds for checking whether the files defined by
DictionaryFile have changed. If there are changes, all files are
reloaded. Not enabled by default and the files are only loaded during
server initialisation.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.