[RADIATOR] Radiator Version 4.25 released - Ansible automation, Dockerfiles, new features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Tue Oct 20 15:42:02 UTC 2020
We are pleased to announce the release of Radiator version 4.25
This version contains new features, enhancements and bug fixes.
Notable new features relate to Ansible, Docker and extended RADIUS
attribute formats. See below for the details.
As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/
Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.25 (2020-10-20) new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8,
Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker
directory.
Ansible playbooks for installing, upgrading and managing Radiator with
Ansible were added in goodies Ansible directory.
Added initial support for RFC 6929 and 8044 formats and data types. If a
vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or
244.26 is received but it is not present in the dictionary, it is now
named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts
with the Vendor-Id octets. Naming may change in the future Radiator
releases.
Hash balance proxy algorithm was significantly enhanced.
Oracle Linux is tested to work with the el7 and el8 packages.
New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu
20.04.
Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now
an alias. The preferred name is Web-Application-Security-Administrator.
BindV6Only update may in rare configurations change existing behaviour.
If you have BindV6Only enabled, see startup debug messages for affected
listen sockets.
Known caveats and other notes
TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
based classes, such as RadSec.
EAP-FAST functionality is reported to vary between TLS versions, TLS
library security level settings and client implementations.
Detailed changes
Added Win32-Lsa module for 64bit Strawberry Perl 5.32.
When a Status-Server request is received from a known client without a
Message-Authenticator, Radiator now logs a warning before the request.
Previously these requests were ignored without any logging. Noted by
Michael Hulko.
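The check behind that warning, as an added Python example (not Radiator code): RFC 5997 requires every Status-Server request to carry a Message-Authenticator, an HMAC-MD5 over the whole packet keyed with the shared secret and computed with the attribute's own 16 octets zeroed. The shared secret, identifier and Request Authenticator below are constructed values.

```python
"""Build and check a RADIUS Status-Server request's Message-Authenticator
(RFC 5997 section 2, RFC 3579 section 3.2).

Added example, not Radiator code. Secret, identifier and authenticator
values used here are constructed.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def build_status_server(secret, identifier=None, authenticator=None):
    """Status-Server request with a correctly computed Message-Authenticator."""
    identifier = identifier if identifier is not None else os.urandom(1)[0]
    authenticator = authenticator or os.urandom(16)
    # The HMAC is taken over the complete packet with the 16-octet
    # Message-Authenticator value set to zero.
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    length = HEADER_LEN + len(attrs)
    packet = struct.pack("!BBH", STATUS_SERVER, identifier, length) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:HEADER_LEN + 2] + mac


def build_bare_status_server(identifier, authenticator):
    """Status-Server with no attributes at all: the case the release notes
    say Radiator now warns about instead of silently dropping."""
    return struct.pack("!BBH", STATUS_SERVER, identifier, HEADER_LEN) + authenticator


def check_message_authenticator(packet, secret):
    """Return 'ok', 'bad', 'missing' or 'malformed' for a received packet."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        return "malformed"
    packet = packet[:length]          # octets beyond Length are padding
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            return "malformed"
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "malformed"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return "malformed"
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            # Constant-time comparison avoids leaking how many octets matched.
            return "ok" if hmac.compare_digest(received, expected) else "bad"
        pos += alen
    return "missing"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    good = build_status_server(secret, identifier=7, authenticator=bytes(range(16)))
    bare = build_bare_status_server(7, bytes(range(16)))
    print("with Message-Authenticator:", check_message_authenticator(good, secret))
    print("without:", check_message_authenticator(bare, secret))
```

A server that answers Status-Server from a known client without verifying this attribute can be made to respond to spoofed probes, which is why the RFC makes it mandatory and why logging its absence is useful for spotting misconfigured clients.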
DiaClient no longer creates zero length Destination-Host and
Destination-Realm AVPs when child classes leave their DestinationHost
and DestinationRealm configuration parameters unset. This affects
DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy
AKAWX which now have better control setting the values for the AVPs.
This reverts the behaviour to how Radiator 4.16 and earlier worked.
Removed DupInterval 0 from all goodies configuration samples. This is no
longer needed, even for testing, because duplicate detection has for a
long time used the methods recommended by RFC 5080. Updated AuthBy ACE
configuration information.
Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8,
Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker
directory. Docker containers based on these files have Radiator and
Radius::UtilXS installed, and a single Radiator instance running when
the container is run. Multiple Radiator instances can be run by running
multiple Docker containers.
Added vendor specific attributes needed by Ruckus ICX devices. For
VENDOR 1991 Foundry: Foundry-COA-Command-List,
Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus: Ruckus-FlexAuth-AVP.
Updated Radiator MSI package to use Strawberry Perl 5.32.0.1 and
Radius::UtilXS 2.3-1.
Added initial support for RFC 6929 and 8044 formats and data types.
Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the
default RADIUS dictionary. Added vendor specific attributes for VENDOR
6527 Nokia (formerly 'Alcatel-Lucent') that are encapsulated within IANA
attribute 241 Extended-Type-1.
Received extended attributes use dictionary names as usual. If a
vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or
244.26 is not present in the dictionary, it is now named
Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts
with the Vendor-Id octets.
Attributes added with names such as Extended-Type-1 and
Extended-Vendor-Specific-1 are packed without further processing of the
value. This is similar to how packing was done previously.
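A decoder that behaves the way the two paragraphs above describe, as an added Python example (not Radiator code): known attributes get their dictionary name, a 241.26 to 244.26 vendor attribute missing from the dictionary becomes Extended-Vendor-Specific-N with the Vendor-Id octets left at the front of its value, and an unknown Extended-Type-N keeps its whole value unprocessed. The mini-dictionary, the "Example-Nokia-Attr" entry, vendor 42 and all sample values are constructed for the example; Frag-Status 241.1 is the RFC 7499 attribute. Long Extended Type (245, 246) is deliberately not decoded here and falls through as a raw attribute.

```python
"""Decode RADIUS attributes, including RFC 6929 Extended-Type and
Extended-Vendor-Specific formats, with dictionary fallback naming.

Added example, not Radiator code. The dictionary entries, vendor 42 and
the sample values are constructed; vendor 9 and 6527 are real IANA codes.
"""
import struct

VENDOR_SPECIFIC = 26
EXTENDED_TYPES = range(241, 245)   # Extended-Type-1..4, RFC 6929 section 2.1

# Constructed mini-dictionary keyed by (type, ext_type, vendor_id, vendor_type);
# None marks a field that does not apply to that attribute.
DICTIONARY = {
    (1, None, None, None): "User-Name",
    (26, None, 9, 1): "Cisco-AVPair",            # classic VSA under type 26
    (241, 1, None, None): "Frag-Status",         # RFC 7499 extended attribute 241.1
    (241, 26, 6527, 1): "Example-Nokia-Attr",    # hypothetical 241.26 VSA, vendor 6527
}


def encode_attr(attr_type, value):
    """Pack one Type/Length/Value attribute; the value is limited to 253 octets."""
    if len(value) > 253:
        raise ValueError("value too long for a single attribute")
    return bytes([attr_type, len(value) + 2]) + value


def encode_evs(container, vendor_id, vendor_type, data):
    """Pack Extended-Vendor-Specific (container.26):
    Type Length Extended-Type=26 Vendor-Id(4) Vendor-Type(1) Value."""
    if container not in EXTENDED_TYPES:
        raise ValueError("container must be 241..244")
    body = bytes([VENDOR_SPECIFIC]) + struct.pack("!I", vendor_id) + bytes([vendor_type]) + data
    return encode_attr(container, body)


def decode_attributes(data):
    """Return a list of (name, value) tuples for a packet's attribute area."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (attr_len, pos))
        out.append(_name(attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def _name(attr_type, value):
    if attr_type == VENDOR_SPECIFIC:
        # Classic VSA: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data
        if len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen >= 2 and vlen == len(value) - 4:
                name = DICTIONARY.get((26, None, vendor_id, vtype))
                if name:
                    return (name, value[6:])
        return ("Vendor-Specific", value)       # unknown or malformed: keep raw
    if attr_type in EXTENDED_TYPES and value:
        n, ext_type, payload = attr_type - 240, value[0], value[1:]
        if ext_type == VENDOR_SPECIFIC and len(payload) >= 5:
            vendor_id = struct.unpack("!I", payload[:4])[0]
            name = DICTIONARY.get((attr_type, 26, vendor_id, payload[4]))
            if name:
                return (name, payload[5:])
            # Not in dictionary: name by container, value keeps the Vendor-Id octets
            return ("Extended-Vendor-Specific-%d" % n, payload)
        name = DICTIONARY.get((attr_type, ext_type, None, None))
        if name:
            return (name, payload)
        # Unknown extended type: whole value kept, Extended-Type octet included
        return ("Extended-Type-%d" % n, value)
    name = DICTIONARY.get((attr_type, None, None, None))
    return (name or "Attr-%d" % attr_type, value)


# Constructed sample: five attributes as they would sit in a RADIUS packet body
SAMPLE_ATTRS = (
    encode_attr(1, b"bob")
    + encode_attr(26, struct.pack("!I", 9) + bytes([1, 5]) + b"x=1")
    + encode_attr(241, bytes([1]) + struct.pack("!I", 1))
    + encode_evs(241, 6527, 1, b"hi")
    + encode_evs(242, 42, 7, b"\x01")   # vendor 42 is not in the dictionary
)

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE_ATTRS):
        print("%-28s %s" % (name, value.hex()))
```

The length checks matter in practice: an attribute whose Length runs past the packet, or a classic VSA whose Vendor-Length disagrees with the outer Length, is kept as an opaque value rather than indexed blindly, which is the safe default for a server that has to stay up under malformed input.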
Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN
and Juniper-CWA-Redirect-URL to dictionary.
Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the
default RADIUS dictionary.
Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to
dictionary.
Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary
for VENDOR 1556 Sonus Networks. This vendor code was previously assigned
to Performance Technologies, Inc.
Updated EAP-TLS NoCheckId documentation and configuration sample.
Improved Ansible playbook output to show Radiator instance status clearly.
AuthByHASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now
distribute requests more equally among remaining next hop hosts when a
next hop host fails. Previously the requests destined to a failed host
were proxied to only one of the remaining hosts.
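One way to get the failover behaviour described above, as an added Python example that is not Radiator's own HashBalance implementation: rendezvous (highest-random-weight) hashing picks, for each request key, the live host with the highest hash weight. When a host fails, only the requests that hashed to it move, and they spread over all remaining hosts rather than landing on a single one. Host names and the User-Name keys are constructed.

```python
"""Rendezvous hashing as an illustration of hash-balanced proxying with
even redistribution after a next hop host fails.

Added example, not Radiator code. Host names and keys are constructed.
"""
import hashlib
from collections import Counter


def _weight(key, host):
    """Per (key, host) weight; SHA-256 keeps the choice stable across runs."""
    digest = hashlib.sha256(key.encode() + b"\x00" + host.encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_host(key, hosts):
    """Return the live host with the highest weight for this key."""
    if not hosts:
        raise ValueError("no next hop hosts available")
    return max(hosts, key=lambda h: _weight(key, h))


def distribution(keys, hosts):
    """How many keys each live host receives."""
    return Counter(pick_host(k, hosts) for k in keys)


def moved_keys(keys, hosts, failed):
    """Map of key -> new host for keys whose destination changes when
    `failed` goes down. With rendezvous hashing this is exactly the set of
    keys that used to be sent to `failed`; everything else stays put."""
    remaining = [h for h in hosts if h != failed]
    return {k: pick_host(k, remaining) for k in keys
            if pick_host(k, hosts) != pick_host(k, remaining)}


HOSTS = ["radius1.example.net", "radius2.example.net",
         "radius3.example.net", "radius4.example.net"]
KEYS = ["user%03d@example.net" % i for i in range(400)]   # e.g. User-Name as hash key

if __name__ == "__main__":
    print("all hosts up:   ", dict(distribution(KEYS, HOSTS)))
    moved = moved_keys(KEYS, HOSTS, HOSTS[0])
    print("%s down: %d keys moved, landing on %s"
          % (HOSTS[0], len(moved), dict(Counter(moved.values()))))
```

A plain modulo scheme (hash mod number-of-hosts) would instead reshuffle most keys when the host count changes, and a "next host in the list" failover sends every orphaned request to one neighbour, which is the behaviour the release note says was fixed.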
Added instructions on how to edit Radiator Software Ansible playbooks to
support other Linux distributions such as Oracle Linux.
Radiator's Radius::UtilXS package now provides an interface to AES
functions required by SIM pack. This allows using OpenSSL or LibreSSL
instead of Crypt::Rijndael.
Updated configuration samples to work without changes when using RPM or
deb packages. LogDir, DictionaryFile, certificate location and other
settings now point to locations the packages use and create.
Added Ansible playbooks for deploying Radiator from RPM/deb packages and
managing Radiator instances.
DictionaryFile, ClientListSQL flags column, and some other configuration
parameters that use a comma to separate file names and other arguments,
now allow spaces around the comma.
Enhanced virtual systemd service (radiator-instances.service) to control
multiple instances without a need to change service file configuration.
This change offers an enhanced feature but does not affect previous
functionality.
Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute
Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name
and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the
default Radiator dictionary. Updated VENDOR 5 Acc attributes based on
draft-ilgun-radius-accvsa-02.
Added a new dictionary file dictionary.cambium-motorola-161 in goodies.
This file includes Motorola-Canopy and Cambium-Canopy attributes
contributed by Brandon Shiers. These attributes are in a separate file
because the default dictionary already contains Motorola WiMAX
attributes which use the same overlapping vendor number 161.
Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from
TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support.
Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061
version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and
3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.
DiameterDictionaryFile attributes are now added to all dictionaries in
addition to base dictionary. ServerDIAMETER now uses Diameter dictionary
of Diameter request or answer when converting to and from Diameter and
Radius. Previously base dictionary was used for conversion. Enhanced
debug log messages and simplified code related to loading and using
dictionaries.
Updated VENDOR Mikrotik 14988 attributes with the latest additions.
Updated VENDOR Aruba 14823 attributes with the latest additions.
Multiple dictionary updates: New file dictionary.nokia-637 was added for
vendor 637 Nokia (formerly 'Alcatel-Lucent') for those attributes that
do not use the special 'format=2,1' that the vendor 637 attributes in the
default dictionary use.
Added attributes from multiple vendors to the default dictionary:
Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR
and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with
a number of CVPN5000 prefixed attributes.
Added VENDOR Adtran 664 with a number of Adtran prefixed attributes.
Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband Service
Manager attribute CBSSM-Bandwidth.
Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.
Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.
Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.
Added VENDOR Ericsson-PCN 10923 for attributes registered for
vendor Ericsson AB - Packet Core Networks. Added a number of attributes
prefixed with Ericsson-PCN prefix.
Added VENDOR Sandvine 11610 with Sandvine-Group attribute.
Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
Added VENDOR Overture-4200-4300 16943 with
Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
Added VENDOR CyanInc 28533 with CyanInc-User-Roles and
CyanInc-Acct-Event-Text attributes.
Added to default Radius dictionary a number of Extreme fabric attach
VSAs that are defined as VENDOR 562 Nortel. Added VSAs
Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and
Annex-Commands for Extreme and Avaya devices that are defined as VENDOR
1584 Bay-Networks. These all use names that do not follow the de-facto
VSA naming.
Fixed a harmless warning in radpwtst if a reject or interactive challenge
did not contain a Reply-Message attribute.
ClientListSQL now disconnects automatically from the DB during server
startup when a server farm is configured with FarmSize. This avoids
passing DB handle copies to farm workers, which could cause errors with
subsequent DB access.
Fixed a memory leak in ServerDIAMETER where a small amount of memory was
leaked with every connection. Initial CER timeout logging now also
honours log level set with DisconnectTraceLevel.
AuthBy REST and other modules based on HTTPClient now honour
DisconnectTraceLevel to control how closed connections are logged.
AuthBy REST now logs peer initiated disconnects with DEBUG level.
Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606
Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess
(Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs
for VENDOR 7483 Tropic and VENDOR 30065 Arista.
SQL clauses now support a separate timeout for connects and disconnects.
Some databases may leak resources, such as file descriptors, when
Radiator times out a connection before the DB driver does. With the new
parameter ConnectTimeout, the SQL connection timeout can be different
from the Timeout that is used for SQL queries.
Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan,
attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new
attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4,
Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.
Added a script in goodies to create CHAP challenge for direct Monitor
port access. More logging updates to LDAP ServerChecksPassword failures.
Improved AuthBy LDAP2 logging when ServerChecksPassword triggers
authentication failure because of bad password.
ServerTACACSPLUS now logs more details about connections that get
immediately closed after being established.
Minor updates to LSA and NTLM configuration samples.
Added VENDOR Incognito 3606 VSAs to dictionary.
Updated VENDOR 3375 F5 VSAs in Radiator default dictionary. Attribute
F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name
Policy-Editor for F5-LTM-value 800 is now an alias for name
Web-Application-Security-Administrator, which appears to have been used
since BIG-IP 10.x, first released in 2009.
SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in
AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy
YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and
StatsType and OutputFormat in StatsLog clauses now support configuration
time % formatting typically used with %{GlobalVar:name}.
Fixed deprecated syntax in goodies file AuthPLPSQL.pm.
Fixed a warning triggered by LDAP modules during configuration loading
when UseSSL was set and Port was configured with a % formatted value.
Updated radiusd so that it tries to locate Radius::UtilXS similar to how
radpwtst already does. This helps manual configuration testing on
systems that use packages.
AuthBy NTLM can now rewrite the username that is passed to ntlm_auth.
An example use is Wi-Fi roaming, where the roaming username cannot be
directly used with Windows authentication because of local naming
conflicts with roaming requirements. See NtlmRewriteHook in goodies file
ntlm.cfg and the Radiator reference manual. Updated other AuthBy NTLM
configuration samples. This is similar to what was added to AuthBy LSA
in release 4.22.
StatsLog and ClientList periodic updates are now scheduled based on
server start time to avoid slowly occurring time drift between the runs.
With FarmSize configuration, it's now possible to configure a spacing
between worker runs to avoid synchronisation across all farm members.
This is supported by StatsLog and ClientList clauses with
FarmWorkerSpacing configuration parameter.
Updated test.pl to be more reliable in finding Radiator modules with
CentOS 6 and other systems with Perl earlier than 5.16.
When a Stream connection, such as RadSec or Diameter, is closed, the log
message level can now be configured with the DisconnectTraceLevel
parameter. This avoids unnecessarily high-level log messages when
frequently closed connections are normal.
Fixed configuration file include directive to work with directories that
have whitespace characters, such as "Program Files". Enhanced include's
error detection and logging in case of unreadable directories and other
problems reading the files. A warning is now logged if a wildcard, such
as include/*.cfg, does not expand to any files.
Updated RADIUS attribute encoding and decoding to be more flexible with
vendor specific formats. This allows, for example, overriding VENDOR 637
Nokia VSA format to use 1 octet long VSA type field instead of forcing
hardcoded 2 octets.
StreamTLS server now logs more information about failures, for example,
when the TLS version is not acceptable or when a client certificate was
required but not received. Reported by Stefan Paetow.
StatsLog clauses now support StatsExcludeObject and StatsInclude. These
allow, for example, skipping statistics for all Clients while still
supporting exceptions for certain clients. See example in statslog.cfg
in goodies.
Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to dictionary.
Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.
Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was
introduced in release 4.22 and causes TLS, remote host IP and other
settings to remain uninitialised. As a result RadSec started by DNS
roaming connects nowhere.
BindV6Only global configuration parameter now covers proxy listen
sockets, Gossip UDP listen sockets and Stream server listen sockets,
such as RadSec server socket.
The system error string corresponding to errno was logged by TLS modules
for some errors even when errno did not have a useful value. This
resulted in misleading log messages.
Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer
required. HMAC calculation is done directly with Digest::SHA or Digest::MD5.
Updated expiration timestamps in users. Expired timestamps caused
test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.
test.pl now requires more modules to be present and tries to
automatically run MSCHAP tests.
Enhancements to AuthBy DUO Failmode. Failmode no longer applies to
non-success API return codes that relate to problems with requests sent
by Radiator. Improved Failmode related API reachability and error
logging and handling.
Log messages now use separate ip/hostname and port instead of ip:port
format which is confusing with IPv6 addresses.
Radiator now logs a warning if a RADIUS client is defined multiple
times. This may happen, for example, when a client is defined in both
configuration file and ClientListSQL.
An IPv6 address did not work as an LDAP Host parameter value because the
LDAP port number was directly appended to Host parameter values during
connect. Appending the port is allowed by the Net::LDAP API but was not
done correctly with IPv6 LDAP server addresses. The port is no longer
appended; it is passed only as a separate parameter. LDAP log messages
were enhanced.
AuthBy FREERADIUS now handles Cleartext-Password check item as a
password check item when the new flag configuration parameter
ConvertCleartextPassword is set. Updated configuration sample
freeradius.sql in goodies to enable the newly added parameter by
default. Did other minor updates in the configuration and AuthBy module.
Fixed a memory leak in TLS based EAP methods and Stream classes, such as
RadSec, where CRL file loading and re-loading did not free temporary
resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan
Tomasek.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.