[RADIATOR] Radiator Version 4.25 released - Ansible automation, Dockerfiles, new features, enhancements and bug fixes

Eddie Stassen estassen at gmail.com
Tue Oct 27 07:17:34 UTC 2020

Just noticed a typo in the main dictionary file, line 9820 (o/r switched):

VENDORATTR 14988 Mikortik-DHCP-Option-Param-STR2 25 string


On Tue, Oct 20, 2020 at 5:42 PM Heikki Vatiainen <hvn at open.com.au> wrote:

> We are pleased to announce the release of Radiator version 4.25
> This version contains new features, enhancements and bug fixes.
> Notable new features relate to Ansible, Docker and extended RADIUS
> attribute formats. See below for the details.
> As usual, the new version is available to current licensees
> and evaluators from:
> https://radiatorsoftware.com/downloads/
> Licensees with expired access contracts can renew at:
> https://radiatorsoftware.com/renewal-order/
> An extract from the history file
> https://www.open.com.au/radiator/history.html is below:
> -----------------------------
> Revision 4.25 (2020-10-20) new features, enhancements and bug fixes
>      Selected compatibility notes, enhancements and fixes
> Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8,
> Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker
> directory.
> Ansible playbooks for installing, upgrading and managing Radiator with
> Ansible were added in goodies Ansible directory.
> Added initial support for RFC 6929 and 8044 formats and data types. If a
> vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or
> 244.26 is received but it is not present in the dictionary, it is now
> named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts
> with the Vendor-Id octets. Naming may change in the future Radiator
> releases.
> Hash balance proxy algorithm was significantly enhanced.
> Oracle Linux is tested to work with the el7 and el8 packages.
> New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu
> 20.04.
> Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now
> an alias. The preferred name is Web-Application-Security-Administrator.
> BindV6Only update may in rare configurations change existing behaviour.
> If you have BindV6Only enabled, see startup debug messages for affected
> listen sockets.
>        Known caveats and other notes
> TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
> based classes, such as RadSec.
> EAP-FAST functionality is reported to vary between TLS versions, TLS
> library security level settings and client implementations.
>        Detailed changes
> Added Win32-Lsa module for 64bit Strawberry Perl 5.32.
> When a Status-Server request is received from a known client without a
> Message-Authenticator, Radiator now logs a warning before the request.
> Previously these requests were ignored without any logging. Noted by
> Michael Hulko.
> DiaClient no longer creates zero length Destination-Host and
> Destination-Realm AVPs when child classes leave their DestinationHost
> and DestinationRealm configuration parameters unset. This affects
> DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy
> AKAWX which now have better control setting the values for the AVPs.
> This reverts the behaviour to how Radiator 4.16 and earlier worked.
> Removed DupInterval 0 from all goodies configuration samples. This no
> longer needed even with testing because duplicate detection has for a
> long time used methods recommended by RFC 5080. Updated AuthBy ACE
> configuration information.
> Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8,
> Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker
> directory. Docker containers based on these files have Radiator and
> Radius::UtilXS installed, and single Radiator instance running when
> container is run. Multiple Radiator instances can be run by running
> multiple Docker containers.
> Added vendor specific attributes needed by Ruckus ICX devices. For
> VENDOR 1991 Foundry: Foundry-COA-Command-List,
> Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus:
> Ruckus-FlexAuth-AVP.
> Updated Radiator MSI package to use Strawberry Perl and
> Radius::UtilXS 2.3-1.
> Added initial support for RFC 6929 and 8044 formats and data types.
> Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the
> default RADIUS dictionary. Added vendor specific attributes for VENDOR
> 6527 Nokia (formerly 'Alcatel-Lucent') that are encapsulated within IANA
> attribute 241 Extended-Type-1.
> Received extended attributes use dictionary names as usually. If a
> vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or
> 244.26 is not present in dictionary, it is now named as
> Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts
> with the Vendor-Id octets.
> Attributes added with names such as Extended-Type-1 and
> Extended-Vendor-Specific-1 are packed without further processing of the
> value. This is similar to how packing was done previously.
> Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN
> and Juniper-CWA-Redirect-URL to dictionary.
> Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the
> default RADIUS dictionary.
> Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to
> dictionary.
> Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary
> for VENDOR 1556 Sonus Networks. This vendor code was previously assigned
> to Performance Technologies, Inc.
> Updated EAP-TLS NoCheckId documentation and configuration sample.
> Improved Ansible playbook output to show clearly Radiator instance status.
> AuthByHASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now
> distribute requests more equally among remaining next hop hosts when a
> next hop host fails. Previously the requests destined to a failed host
> were proxied to only one of the remaining hosts.
> Added instructions how to edit Radiator Software Ansible playbooks to
> support other Linux distributions like Oracle Linux.
> Radiator's Radius::UtilXS package now provides an interface to AES
> functions required by SIM pack. This allows using OpenSSL or LibreSSL
> instead of Crypt::Rijndael.
> Updated configuration samples to work without changes when using RPM or
> deb packages. LogDir, DictionaryFile, certificate location and other
> settings now point to locations the packages use and create.
> Ansible playbooks for deploying Radiator from RPM/deb packages and
> managing Radiator instances.
> DictionaryFile, ClientListSQL flags column, and some other configuration
> parameters that use a comma to separate file names and other arguments,
> now allow spaces around the comma.
> Enhanced virtual systemd service (radiator-instances.service) to control
> multiple instances without a need to change service file configuration.
> This change offers an enhanced feature but does not affect previous
> functionality.
> Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute
> Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name
> and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the
> default Radiator dictionary. Updated VENDOR 5 Acc attributes based on
> draft-ilgun-radius-accvsa-02.
> Added a new dictionary file dictionary.cambium-motorola-161 in goodies.
> This file includes Motorola-Canopy and Cambium-Canopy attributes
> contributed by Brandon Shiers. These attributes are in a separate file
> because the default dictionary already contains Motorola WiMAX
> attributes which use the same overlapping vendor number 161.
> Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from
> TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support.
> Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061
> version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and
> 3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.
> DiameterDictionaryFile attributes are now added to all dictionaries in
> addition to base dictionary. ServerDIAMETER now uses Diameter dictionary
> of Diameter request or answer when converting to and from Diameter and
> Radius. Previously base dictionary was used for conversion. Enhanced
> debug log messages and simplified code related to loading and using
> dictionaries.
> Updated VENDOR Mikrotik 14988 attributes with the latest additions.
> Updated VENDOR Aruba 14823 attributes with the latest additions.
> Multiple dictionary updates: New file dictionary.nokia-637 was added for
> vendor 637 Nokia (formerly 'Alcatel-Lucent') for those attributes that
> do not use the special 'format=2,1' vendor 637 attributes use in the
> default dictionary.
> Added attributes from multiple vendors to the default dictionary:
>      Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR
> and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
>      Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with
> a number of CVPN5000 prefixed attributes.
>      Added VENDOR Adtran 664 with a number of Adtran prefixed
> attributes.<br>Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband
> Service Manager attribute CBSSM-Bandwidth.
>      Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.
>      Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
>      Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.
>      Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.
>      Added VENDOR Ericsson-PCN 10923 for attributes registered for
> vendor Ericsson AB - Packet Core Networks. Added a number of attributes
> prefixed with Ericsson-PCN prefix.
>      Added VENDOR Sandvine 11610 with Sandvine-Group attribute.
>      Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
>      Added VENDOR Overture-4200-4300 16943 with
> Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
>      Added VENDOR CyanInc 28533 with CyanInc-User-Roles and
> CyanInc-Acct-Event-Text attributes.
> Added to default Radius dictionary a number of Extreme fabric attach
> VSAs that are defined as VENDOR 562 Nortel. Added VSAs
> Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and
> Annex-Commands for Extreme and Avaya devices that are defined as VENDOR
> 1584 Bay-Networks. These all use names that does not follow the de-facto
> VSA naming. Fixed a harmless warning in radpwtst if reject or
> interactive challenge did not contain a Reply-Message attribute.
> ClientListSQL now disconnects automatically from DB during server
> startup when server farm is configured with FarmSize. This avoids
> passing DB handle copies to farm workers which could cause errors with
> subsequent DB access.
> Fixed a memory leak in ServerDIAMETER where a small amount of memory was
> leaked with every connection. Initial CER timeout logging now also
> honours log level set with DisconnectTraceLevel.
> AuthBy REST and other modules based on HTTPClient now honour
> DisconnectTraceLevel to control how closed connections are logged.
> AuthBy REST now logs peer initiated disconnects with DEBUG level.
> Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606
> Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess
> (Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs
> for VENDOR 7483 Tropic and VENDOR 30065 Arista.
> SQL clauses now support a separate timeout for connects and disconnects.
> Some databases may leak resources, such as file descriptors, when
> Radiator times out a connection before the DB driver does. With a new
> parameter ConnectTimeout, SQL connection timeout can different than
> Timeout that is used for SQL queries.
> Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan,
> attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new
> attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4,
> Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.
> Added a script in goodies to create CHAP challenge for direct Monitor
> port access. More logging updates to LDAP ServerChecksPassword failures.
> Improved AuthBy LDAP2 logging when ServerChecksPassword triggers
> authentication failure because of bad password.
> ServerTACACSPLUS now logs more details about connections that get
> immediately closed after being established.
> Minor updates to LSA and NTLM configuration samples.
> Added VENDOR Incognito 3606 VSAs to dictionary.
> Updated VENDOR 3375 F5 VSA's in Radiator default dictionary. Attribute
> F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name
> Policy-Editor for F5-LTM-value 800 is now an alias for name
> Web-Application-Security-Administrator, which appears to have been used
> since BIG-IP 10.x, first released in 2009.
> SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in
> AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy
> YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and
> StatsType and OutputFormat in StatsLog clauses now support configuration
> time % formatting typically used with %{GlobalVar:name}.
> Fixed deprecated syntax in goodies file AuthPLPSQL.pm.
> Fixed a warning triggered by LDAP modules during configuration loading
> when UseSSL was set and Port was configured with a % formatted value.
> Updated radiusd so that it tries to locate Radius::UtilXS similar to how
> radpwtst already does. This helps manual configuration testing on
> systems that use packages.
> AuthBy NTLM can now rewrite the username that is passed to ntlm_auth.
> Example use is Wi-Fi roaming where roaming username can not be directly
> used with Windows authentication because of local naming conflicts with
> roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and
> Radiator reference manual. Updated other AuthBy NTLM configuration
> samples. This is similar to what was added to AuthBy LSA in release 4.22.
> StatsLog and ClientList periodic updates are now scheduled based on
> server start time to avoid slowly occurring time drift between the runs.
> With FarmSize configuration, it's now possible to configure a spacing
> between worker runs to avoid synchronisation across all farm members.
> This is supported by StatsLog and ClientList clauses with
> FarmWorkerSpacing configuration parameter.
> Updated test.pl to be more reliable in finding Radiator modules with
> CentOS 6 and other systems with Perl earlier than 5.16.
> When a Stream connection, such as RadSec or Diameter, is closed, the log
> message level can now be configured with DisconnectTraceLevel parameter.
> This avoids unnecessary high level log messages when frequently closed
> connections are normal.
> Fixed configuration file include directive to work with directories that
> have whitespace characters, such as "Program Files". Enhanced include's
> error detection and logging in case of unreadable directories and other
> problems reading the files. A warning is now logged if a wildcard, such
> as include/*.cfg', does not expand to any files.
> Updated RADIUS attribute encoding and decoding to be more flexible with
> vendor specific formats. This allows, for example, overriding VENDOR 637
> Nokia VSA format to use 1 octet long VSA type field instead of forcing
> hardcoded 2 octets.
> StreamTLS server now logs more information about failures, for example,
> when TLS version is not acceptable or when client certificates was
> required but not received. Reported by Stefan Paetow.
> StatsLog clauses now support StatsExcludeObject and StatsInclude. These
> allow, for example, skipping statistics for all Clients while still
> supporting exceptions for certain clients. See example in statslog.cfg
> in goodies.
> Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to
> dictionary.
> Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.
> Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was
> introduced in release 4.22 and causes TLS, remote host IP and other
> settings to remain unitialised. As a result RadSec started by DNS
> roaming connects nowhere.
> BindV6Only global configuration parameter now covers proxy listen
> sockets, Gossip UDP listen sockets and Stream server listen sockets,
> such as RadSec server socket.
> System error string corresponding to errno was logged by TLS modules for
> some errors when errno did not have a useful value. This resulted in
> misleading log messages.
> Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer
> required. HMAC calculation is done directly with Digest::SHA or
> Digest::MD5.
> Updated expiration timestamps in users. Expired timestamps caused
> test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.
> test.pl now requires more modules to be present and tries to
> automatically run MSCHAP tests.
> Enhancements to AuthBy DUO Failmode. Failmode no longer applies to
> non-success API return codes that relate to problems with requests sent
> by Radiator. Improved Failmode related API reachability and error
> logging and handling.
> Log messages now use separate ip/hostname and port instead of ip:port
> format which is confusing with IPv6 addresses.
> Radiator now logs a warning if a RADIUS client is defined multiple
> times. This may happen, for example, when a client is defined in both
> configuration file and ClientListSQL.
> IPv6 address did not work as a LDAP Host parameter value because LDAP
> port number was directly appended to Host parameter values during
> connect. Appending port is allowed by Net::LDAP API but was not done
> correctly with IPv6 LDAP server addresses. Port is no longer appended
> and it's passed only as a separate parameter. LDAP log messages were
> enhanced.
> AuthBy FREERADIUS now handles Cleartext-Password check item as a
> password check item when the new flag configuration parameter
> ConvertCleartextPassword is set. Updated configuration sample
> freeradius.sql in goodies to enable the newly added parameter by
> default. Did other minor updates in the configuration and AuthBy module.
> Fixed a memory leak in TLS based EAP methods and Stream classes, such as
> RadSec, where CRL file loading and re-loading did not free temporary
> resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan
> Tomasek.
> --
> Heikki Vatiainen <hvn at open.com.au>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20201027/7a397d16/attachment-0001.html>

More information about the radiator mailing list