[RADIATOR] Radiator Version 4.25 released - Ansible automation, Dockerfiles, new features, enhancements and bug fixes

Heikki Vatiainen hvn at open.com.au
Tue Oct 20 15:42:02 UTC 2020

We are pleased to announce the release of Radiator version 4.25

This version contains new features, enhancements and bug fixes.
Notable new features relate to Ansible, Docker and extended RADIUS 
attribute formats. See below for the details.

As usual, the new version is available to current licensees
and evaluators from:

Licensees with expired access contracts can renew at:

An extract from the history file
https://www.open.com.au/radiator/history.html is below:


Revision 4.25 (2020-10-20) new features, enhancements and bug fixes

     Selected compatibility notes, enhancements and fixes

Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, 
Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker 

Ansible playbooks for installing, upgrading and managing Radiator with 
Ansible were added in goodies Ansible directory.

Added initial support for RFC 6929 and 8044 formats and data types. If a 
vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 
244.26 is received but it is not present in the dictionary, it is now 
named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts 
with the Vendor-Id octets. Naming may change in the future Radiator 

Hash balance proxy algorithm was significantly enhanced.

Oracle Linux is tested to work with the el7 and el8 packages.

New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu 

Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now 
an alias. The preferred name is Web-Application-Security-Administrator.

BindV6Only update may in rare configurations change existing behaviour. 
If you have BindV6Only enabled, see startup debug messages for affected 
listen sockets.

       Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream 
based classes, such as RadSec.

EAP-FAST functionality is reported to vary between TLS versions, TLS 
library security level settings and client implementations.

       Detailed changes

Added Win32-Lsa module for 64bit Strawberry Perl 5.32.

When a Status-Server request is received from a known client without a 
Message-Authenticator, Radiator now logs a warning before the request. 
Previously these requests were ignored without any logging. Noted by 
Michael Hulko.
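The check behind that warning, as an added example that is not Radiator's code: a receiver classifies a Status-Server request (RFC 5997) by whether it carries a valid Message-Authenticator. The shared secret, the packets and the result strings are constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12          # RADIUS packet code (RFC 5997)
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869)

def build_status_server(secret, ident, signed=True):
    """Build a constructed Status-Server packet, optionally without the attribute."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if signed else b""
    packet = (struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attrs))
              + os.urandom(16) + attrs)
    if signed:
        # HMAC-MD5 over the whole packet with the attribute value zeroed.
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet

def check_status_server(secret, packet):
    """Classify a received Status-Server packet (result strings are this example's own)."""
    if len(packet) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != STATUS_SERVER or not 20 <= length <= len(packet):
        return "malformed"
    pos, mac_at = 20, None
    while pos < length:
        if pos + 2 > length:
            return "malformed"
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "malformed"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return "malformed"
            mac_at = pos + 2
        pos += alen
    if mac_at is None:
        return "missing-message-authenticator"   # the case that is now logged
    # Recompute with the 16 value octets zeroed, then compare in constant time.
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        return "ok"
    return "bad-message-authenticator"
```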

DiaClient no longer creates zero length Destination-Host and 
Destination-Realm AVPs when child classes leave their DestinationHost 
and DestinationRealm configuration parameters unset. This affects 
DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy 
AKAWX which now have better control over setting the values for the AVPs. 
This reverts the behaviour to how Radiator 4.16 and earlier worked.

Removed DupInterval 0 from all goodies configuration samples. This is no 
longer needed even with testing because duplicate detection has for a 
long time used methods recommended by RFC 5080. Updated AuthBy ACE 
configuration information.

Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, 
Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker 
directory. Docker containers based on these files have Radiator and 
Radius::UtilXS installed, and single Radiator instance running when 
container is run. Multiple Radiator instances can be run by running 
multiple Docker containers.

Added vendor specific attributes needed by Ruckus ICX devices. For 
VENDOR 1991 Foundry: Foundry-COA-Command-List, 
Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus: Ruckus-FlexAuth-AVP.

Updated Radiator MSI package to use Strawberry Perl and 
Radius::UtilXS 2.3-1.

Added initial support for RFC 6929 and 8044 formats and data types. 
Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the 
default RADIUS dictionary. Added vendor specific attributes for VENDOR 
6527 Nokia (formerly 'Alcatel-Lucent') that are encapsulated within IANA 
attribute 241 Extended-Type-1.
Received extended attributes use dictionary names as usual. If a 
vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 
244.26 is not present in dictionary, it is now named as 
Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts 
with the Vendor-Id octets.
Attributes added with names such as Extended-Type-1 and 
Extended-Vendor-Specific-1 are packed without further processing of the 
value. This is similar to how packing was done previously.
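The naming rule above, as an added example that is not Radiator's decoder: RFC 6929 extended attributes 241 to 244 are looked up in a dictionary, and an unknown vendor attribute under extended type 26 falls back to Extended-Vendor-Specific-N with a value that still begins with the Vendor-Id octets. The dictionary layout, vendor 99999, Example-Vendor-Attr, the dotted fallback name for unknown non-vendor types and the sample bytes are assumptions of the example.

```python
import struct

EXTENDED = {241: 1, 242: 2, 243: 3, 244: 4}  # RFC 6929 Extended-Type-1..4
EVS = 26                                      # Extended-Vendor-Specific

# Constructed dictionary; only Frag-Status (RFC 7499) is a registered name.
DICTIONARY = {
    (241, 1): "Frag-Status",
    (241, EVS, 99999, 7): "Example-Vendor-Attr",   # hypothetical vendor entry
}

def ext_attr(atype, ext, value):
    """Encode one extended attribute: Type, Length, Extended-Type, Value."""
    return bytes([atype, 3 + len(value), ext]) + value

def decode_extended(attrs):
    """Return (name, value) pairs for the extended attributes in an attribute list."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype not in EXTENDED:
            continue                      # traditional attribute, not shown here
        if len(body) < 2:
            raise ValueError("extended attribute without a value")
        ext, value = body[0], body[1:]
        if ext != EVS:
            out.append((DICTIONARY.get((atype, ext), f"{atype}.{ext}"), value))
            continue
        if len(value) < 6:                # Vendor-Id(4) + Vendor-Type(1) + data
            raise ValueError("Extended-Vendor-Specific too short")
        vendor, vtype = struct.unpack("!IB", value[:5])
        name = DICTIONARY.get((atype, EVS, vendor, vtype))
        if name:
            out.append((name, value[5:]))
        else:
            # Unknown vendor attribute: keep the value whole, Vendor-Id first.
            out.append((f"Extended-Vendor-Specific-{EXTENDED[atype]}", value))
    return out

# Constructed sample: User-Name, Frag-Status, a known and an unknown vendor attribute.
SAMPLE = (bytes([1, 5]) + b"bob"
          + ext_attr(241, 1, struct.pack("!I", 2))
          + ext_attr(241, EVS, struct.pack("!IB", 99999, 7) + b"abc")
          + ext_attr(243, EVS, struct.pack("!IB", 6527, 200) + b"\x01"))
```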

Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN 
and Juniper-CWA-Redirect-URL to dictionary.

Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the 
default RADIUS dictionary.

Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to 

Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary 
for VENDOR 1556 Sonus Networks. This vendor code was previously assigned 
to Performance Technologies, Inc.

Updated EAP-TLS NoCheckId documentation and configuration sample. 
Improved Ansible playbook output to show clearly Radiator instance status.

AuthByHASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now 
distribute requests more equally among remaining next hop hosts when a 
next hop host fails. Previously the requests destined to a failed host 
were proxied to only one of the remaining hosts.

Added instructions on how to edit Radiator Software Ansible playbooks to 
support other Linux distributions like Oracle Linux.

Radiator's Radius::UtilXS package now provides an interface to AES 
functions required by SIM pack. This allows using OpenSSL or LibreSSL 
instead of Crypt::Rijndael.

Updated configuration samples to work without changes when using RPM or 
deb packages. LogDir, DictionaryFile, certificate location and other 
settings now point to locations the packages use and create.

Ansible playbooks for deploying Radiator from RPM/deb packages and 
managing Radiator instances.

DictionaryFile, ClientListSQL flags column, and some other configuration 
parameters that use a comma to separate file names and other arguments, 
now allow spaces around the comma.

Enhanced virtual systemd service (radiator-instances.service) to control 
multiple instances without a need to change service file configuration. 
This change offers an enhanced feature but does not affect previous 

Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute 
Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name 
and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the 
default Radiator dictionary. Updated VENDOR 5 Acc attributes based on 

Added a new dictionary file dictionary.cambium-motorola-161 in goodies. 
This file includes Motorola-Canopy and Cambium-Canopy attributes 
contributed by Brandon Shiers. These attributes are in a separate file 
because the default dictionary already contains Motorola WiMAX 
attributes which use the same overlapping vendor number 161.

Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from 
TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support. 
Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061 
version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and 
3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.

DiameterDictionaryFile attributes are now added to all dictionaries in 
addition to base dictionary. ServerDIAMETER now uses Diameter dictionary 
of Diameter request or answer when converting to and from Diameter and 
Radius. Previously base dictionary was used for conversion. Enhanced 
debug log messages and simplified code related to loading and using 

Updated VENDOR Mikrotik 14988 attributes with the latest additions.

Updated VENDOR Aruba 14823 attributes with the latest additions.

Multiple dictionary updates: New file dictionary.nokia-637 was added for 
vendor 637 Nokia (formerly 'Alcatel-Lucent') for those attributes that 
do not use the special 'format=2,1' that vendor 637 attributes use in the 
default dictionary.

Added attributes from multiple vendors to the default dictionary:
     Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR 
and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
     Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with 
a number of CVPN5000 prefixed attributes.
     Added VENDOR Adtran 664 with a number of Adtran prefixed 
attributes.
     Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband 
Service Manager attribute CBSSM-Bandwidth.
     Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.
     Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
     Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.
     Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.
     Added VENDOR Ericsson-PCN 10923 for attributes registered for 
vendor Ericsson AB - Packet Core Networks. Added a number of attributes 
prefixed with Ericsson-PCN prefix.
     Added VENDOR Sandvine 11610 with Sandvine-Group attribute.
     Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
     Added VENDOR Overture-4200-4300 16943 with 
Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
     Added VENDOR CyanInc 28533 with CyanInc-User-Roles and 
CyanInc-Acct-Event-Text attributes.

Added to default Radius dictionary a number of Extreme fabric attach 
VSAs that are defined as VENDOR 562 Nortel. Added VSAs 
Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and 
Annex-Commands for Extreme and Avaya devices that are defined as VENDOR 
1584 Bay-Networks. These all use names that do not follow the de-facto 
VSA naming. Fixed a harmless warning in radpwtst if reject or 
interactive challenge did not contain a Reply-Message attribute.

ClientListSQL now disconnects automatically from DB during server 
startup when server farm is configured with FarmSize. This avoids 
passing DB handle copies to farm workers which could cause errors with 
subsequent DB access.

Fixed a memory leak in ServerDIAMETER where a small amount of memory was 
leaked with every connection. Initial CER timeout logging now also 
honours log level set with DisconnectTraceLevel.

AuthBy REST and other modules based on HTTPClient now honour 
DisconnectTraceLevel to control how closed connections are logged. 
AuthBy REST now logs peer initiated disconnects with DEBUG level.

Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606 
Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess 
(Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs 
for VENDOR 7483 Tropic and VENDOR 30065 Arista.

SQL clauses now support a separate timeout for connects and disconnects. 
Some databases may leak resources, such as file descriptors, when 
Radiator times out a connection before the DB driver does. With a new 
parameter ConnectTimeout, SQL connection timeout can be different from 
Timeout that is used for SQL queries.

Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan, 
attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new 
attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4, 
Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.

Added a script in goodies to create CHAP challenge for direct Monitor 
port access. More logging updates to LDAP ServerChecksPassword failures.

Improved AuthBy LDAP2 logging when ServerChecksPassword triggers 
authentication failure because of bad password.

ServerTACACSPLUS now logs more details about connections that get 
immediately closed after being established.

Minor updates to LSA and NTLM configuration samples.

Added VENDOR Incognito 3606 VSAs to dictionary.

Updated VENDOR 3375 F5 VSA's in Radiator default dictionary. Attribute 
F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name 
Policy-Editor for F5-LTM-value 800 is now an alias for name 
Web-Application-Security-Administrator, which appears to have been used 
since BIG-IP 10.x, first released in 2009.

SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in 
AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy 
YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and 
StatsType and OutputFormat in StatsLog clauses now support configuration 
time % formatting typically used with %{GlobalVar:name}.

Fixed deprecated syntax in goodies file AuthPLPSQL.pm.

Fixed a warning triggered by LDAP modules during configuration loading 
when UseSSL was set and Port was configured with a % formatted value.

Updated radiusd so that it tries to locate Radius::UtilXS similar to how 
radpwtst already does. This helps manual configuration testing on 
systems that use packages.

AuthBy NTLM can now rewrite the username that is passed to ntlm_auth. 
Example use is Wi-Fi roaming where roaming username can not be directly 
used with Windows authentication because of local naming conflicts with 
roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and 
Radiator reference manual. Updated other AuthBy NTLM configuration 
samples. This is similar to what was added to AuthBy LSA in release 4.22.

StatsLog and ClientList periodic updates are now scheduled based on 
server start time to avoid slowly occurring time drift between the runs. 
With FarmSize configuration, it's now possible to configure a spacing 
between worker runs to avoid synchronisation across all farm members. 
This is supported by StatsLog and ClientList clauses with 
FarmWorkerSpacing configuration parameter.

Updated test.pl to be more reliable in finding Radiator modules with 
CentOS 6 and other systems with Perl earlier than 5.16.

When a Stream connection, such as RadSec or Diameter, is closed, the log 
message level can now be configured with DisconnectTraceLevel parameter. 
This avoids unnecessary high level log messages when frequently closed 
connections are normal.

Fixed configuration file include directive to work with directories that 
have whitespace characters, such as "Program Files". Enhanced include's 
error detection and logging in case of unreadable directories and other 
problems reading the files. A warning is now logged if a wildcard, such 
as 'include/*.cfg', does not expand to any files.

Updated RADIUS attribute encoding and decoding to be more flexible with 
vendor specific formats. This allows, for example, overriding VENDOR 637 
Nokia VSA format to use 1 octet long VSA type field instead of forcing 
hardcoded 2 octets.

StreamTLS server now logs more information about failures, for example, 
when TLS version is not acceptable or when a client certificate was 
required but not received. Reported by Stefan Paetow.

StatsLog clauses now support StatsExcludeObject and StatsInclude. These 
allow, for example, skipping statistics for all Clients while still 
supporting exceptions for certain clients. See example in statslog.cfg 
in goodies.

Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to dictionary.

Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.

Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was 
introduced in release 4.22 and causes TLS, remote host IP and other 
settings to remain uninitialised. As a result RadSec started by DNS 
roaming connects nowhere.

BindV6Only global configuration parameter now covers proxy listen 
sockets, Gossip UDP listen sockets and Stream server listen sockets, 
such as RadSec server socket.

System error string corresponding to errno was logged by TLS modules for 
some errors when errno did not have a useful value. This resulted in 
misleading log messages.

Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer 
required. HMAC calculation is done directly with Digest::SHA or Digest::MD5.

Updated expiration timestamps in users. Expired timestamps caused 
test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.

test.pl now requires more modules to be present and tries to 
automatically run MSCHAP tests.

Enhancements to AuthBy DUO Failmode. Failmode no longer applies to 
non-success API return codes that relate to problems with requests sent 
by Radiator. Improved Failmode related API reachability and error 
logging and handling.

Log messages now use separate ip/hostname and port instead of ip:port 
format which is confusing with IPv6 addresses.

Radiator now logs a warning if a RADIUS client is defined multiple 
times. This may happen, for example, when a client is defined in both 
configuration file and ClientListSQL.

IPv6 address did not work as a LDAP Host parameter value because LDAP 
port number was directly appended to Host parameter values during 
connect. Appending port is allowed by Net::LDAP API but was not done 
correctly with IPv6 LDAP server addresses. Port is no longer appended 
and it's passed only as a separate parameter. LDAP log messages were 

AuthBy FREERADIUS now handles Cleartext-Password check item as a 
password check item when the new flag configuration parameter 
ConvertCleartextPassword is set. Updated configuration sample 
freeradius.sql in goodies to enable the newly added parameter by 
default. Did other minor updates in the configuration and AuthBy module.

Fixed a memory leak in TLS based EAP methods and Stream classes, such as 
RadSec, where CRL file loading and re-loading did not free temporary 
resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan 

Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
