[RADIATOR] Radiator Version 4.26 released - new features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Fri Oct 29 17:43:18 UTC 2021
We are pleased to announce the release of Radiator version 4.26.
This version contains new features, enhancements and bug fixes. See
below for the details.
As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/
Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/
An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:
-----------------------------
Revision 4.26 (2021-10-29) new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
TLSv1.3 is currently disabled for AuthBy DUO.
AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAPv2 is
supported with MSCHAPv2 conversion. Encrypted PIN is now supported for
PAP, EAP-OTP and EAP-GTC.
Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly
recommended.
Known caveats and other notes
TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
based classes, such as RadSec.
EAP-FAST functionality is reported to vary between TLS versions, TLS
library security level settings and client implementations.
Detailed changes
AuthBy LSA in Radiator 4.24 and 4.25 could crash when the Group parameter
was not directly configured and the LSA group membership check was called
from another module, such as AuthBy FILE. Reported by Viktu Pons i Colomer.
Radiator now actively closes a Diameter peering when a
Capabilities-Exchange-Answer (CEA) with an unsuccessful Result-Code or the
E flag set is received. Previously it was assumed that the peer closes the
connection. This keeps the non-working peering from being used for
sending requests.
Fixed a memory leak in the SNMP client. The problem is seen on systems that
use Perl 5.16, such as Red Hat Enterprise Linux 7 and CentOS 7. For
details, see Perl5 GitHub issue 12309, originally RT 114340.
Fix typos in proxy.cfg and package default config file in goodies. Add
missing DbDir and LogDir to addressallocator.cfg and n7k-radius.cfg
configuration samples.
AuthBy DUO with CheckTimerInterval set to zero no longer remains in a
failed state indefinitely. The new parameter FailureBackoffTime sets the
time the API is considered unavailable. Thanks to Alexander Hartmaier for
reporting the problem and suggesting a fix.
AuthBy REST now supports special format characters in the URL parameter.
Added VENDOR 4115 Arris with a number of Arris prefixed attributes to
the default RADIUS dictionary.
Updated sample certificates to expire on September 16 2023.
Updated RADIUS proxying configuration samples to include Asynchronous
parameter to make the AuthBys work similarly to other AuthBys. The
default behaviour is to return IGNORE after proxying which complicates
configurations with multiple grouped AuthBys.
PostProcessingHook, AddToReply and other related adjustments configured
for a Handler are now done before AuthLog is called. This makes changes
done by the Handler visible for logging. If a hook or some special
configuration triggers a direct reply, any attempts to send the same
reply again are no longer logged with AuthLog or AcctLog.
AuthBy DUO now disables TLSv1.3 to avoid a blocking problem described by
Alexander Hartmaier on the Radiator mailing list in June 2021. TLSv1.3 can
be re-enabled in a future Radiator version when a fix is available.
Minor enhancement and optimisation to AuthGeneric.pm AuthenProto
parameter use. Various logging and goodies updates and fixes to warnings
triggered by User-Name not being present in requests.
AuthBy SQLTOTP now supports a PIN, also called a static password, that is
stored in a format supported by the Encrypted-Password check item. This is
enabled with the EncryptedPIN configuration flag parameter. Supported with
PAP, EAP-OTP and EAP-GTC.
AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAP-V2 is
supported by conversion to MSCHAPv2.
HTTPClient now properly handles HTTP chunked encoding.
Fixed the diapwtst -dictionary command line parameter, which was broken in
release 4.25.
AuthBy DNSROAM used 'mysecret' as the default shared secret. It now uses
'radsec' as required by the RadSec RFC, RFC 6614. Updated the reference
manual and dnsroam.cfg and dnsroam.txt in goodies.
TLS_Ciphers and TLS_Protocols did not have any effect in AuthBy DNSROAM
configuration. Reported by Paul Dekkers.
Proxy algorithm LOADBALANCE no longer does infinite retries with certain
configurations. With the kind help of Frank Danielson.
Enhanced logging for all EAP methods and especially for TLS based EAP
methods. TLS handshake states and other related information is now
logged in text instead of numeric values. Clarified and unified log
messages related to TLS alerts and errors. Updated
eaptls_resume_post_auth_hook.pl in goodies.
Connections accepted by StreamServer can now have a maximum limit. This
also allows them to be distributed equally between worker processes when
ServerFarm is enabled. The limit is set with StreamMaxClients
configuration parameter that is available for all StreamServer derived
classes such as ServerDIAMETER.
radpwtst, tacacsplustest and other utilities that use the FindBin module to
find the Radiator installation location can now be used via symbolic links.
Suggested by Patrik Forsberg.
Fixed a possible crash if an actively used certificate file or its private
key is removed or the two no longer match each other. This can be caused
by a local change, such as an administrator moving files.
AuthBy DIAMETER and Carrier module DiaPeerDef no longer crash when OCSP
check is enabled.
StreamTLS OCSP defaults were not correctly applied for cache time, cache
size and other values. Minor updates to unify PEAP and EAP-FAST error
handling with other TLS based EAP methods. This is to allow unifying
logging for TLS based EAP methods.
Enhanced logging for Stream based modules for protocols such as RadSec,
Tacacsplus and Diameter. Log messages now have more consistent
information about the module, including its identifier. TLS handshake
states and other related information is now logged in text instead of
numeric values.
All LDAP clauses now support LDAP over TLS and StartTLS debugging. The
debug messages are written to STDERR and are not visible in Radiator's
log. See DebugTLS in the Radiator reference manual and the ldap.cfg file
in the goodies directory.
Unknown RADIUS request codes are now detected and ignored earlier by
radpwtst and radiusd.
Updated cisco-avpair VSA handling samples in the goodies directory. New
hook sample create-cisco-cmd.pl was created based on the old
createavpairs.pl. createavpairs.pl was re-created from a sample in
hooks.txt. Also updated radminTacacs.cfg to match the updated hooks.
Added VENDOR 674 Dell VSA Dell-Group-Name to the default RADIUS
dictionary. Used with Dell EMC devices.
The HTTPClient.pm RequestHeader parameter could not be configured, as
doing so caused an immediate crash. Added the HTTP_Version parameter,
which allows configuring HTTP/1.0 and HTTP/1.1.
Enhanced multiple goodies files to clarify comments, instructions, file
paths and command samples.
Log FILE and Log SYSLOG now skip logging when LogFormatHook returns
undef. This allows suppressing log messages with LogFormatHook.
Ansible playbooks for deploying and managing Radiator now import
Radiator Software product signing key.
Mikrotik attribute name Mikrotik-DHCP-Option-Param-STR2 was incorrectly
spelled as Mikortik-DHCP-Option-Param-STR2 in the default dictionary.
Reported by Eddie Stassen.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
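The Diameter change above (closing a peering when the CEA carries an unsuccessful Result-Code or the E flag) is worth seeing on the wire. The following is an added example written for this page, not Radiator's own code: it parses a Diameter message per the RFC 6733 header and AVP layout and decides whether a received CEA means the peering is unusable. The sample CEA messages are constructed in the block itself; treating a CEA with no Result-Code AVP at all as a failure is this example's own assumption, not something the release notes state.

```python
"""Added example (not Radiator code): decide whether a Diameter peering
should be torn down after a Capabilities-Exchange-Answer (CEA).

Wire format follows RFC 6733 sections 3 (header) and 4.1 (AVP header).
The sample messages built by sample_cea() are constructed for this example.
"""
import struct

CMD_CAPABILITIES_EXCHANGE = 257   # CER/CEA command code
AVP_ORIGIN_HOST = 264
AVP_RESULT_CODE = 268             # Unsigned32
AVP_ORIGIN_REALM = 296
DIAMETER_SUCCESS = 2001
FLAG_REQUEST = 0x80               # 'R' bit in command flags
FLAG_ERROR = 0x20                 # 'E' bit in command flags
AVP_FLAG_VENDOR = 0x80            # 'V' bit in AVP flags
AVP_FLAG_MANDATORY = 0x40         # 'M' bit in AVP flags


def parse_avps(data):
    """Return a list of (code, vendor_id, payload) for the AVPs in data."""
    avps, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", data, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr, vendor_id = 8, None
        if flags & AVP_FLAG_VENDOR:          # Vendor-Id follows the header
            vendor_id = struct.unpack_from("!I", data, off + 8)[0]
            hdr = 12
        if length < hdr or off + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((code, vendor_id, data[off + hdr:off + length]))
        off += (length + 3) & ~3             # AVPs are padded to 4 octets
    return avps


def parse_message(msg):
    """Return (flags, command_code, application_id, avps) of a Diameter message."""
    if len(msg) < 20:
        raise ValueError("truncated Diameter header")
    ver_len, flags_cmd, app_id, _hbh, _e2e = struct.unpack_from("!IIIII", msg, 0)
    if ver_len >> 24 != 1 or (ver_len & 0xFFFFFF) != len(msg):
        raise ValueError("bad Diameter version or length")
    return flags_cmd >> 24, flags_cmd & 0xFFFFFF, app_id, parse_avps(msg[20:])


def cea_peering_should_close(msg):
    """True when the CEA says the peering is unusable: E bit set, or
    Result-Code absent (assumption of this example) or != DIAMETER_SUCCESS."""
    flags, cmd, _app, avps = parse_message(msg)
    if cmd != CMD_CAPABILITIES_EXCHANGE or flags & FLAG_REQUEST:
        raise ValueError("not a Capabilities-Exchange-Answer")
    if flags & FLAG_ERROR:
        return True
    for code, vendor, payload in avps:
        if code == AVP_RESULT_CODE and vendor is None and len(payload) == 4:
            return struct.unpack("!I", payload)[0] != DIAMETER_SUCCESS
    return True


def build_avp(code, payload, flags=AVP_FLAG_MANDATORY):
    length = 8 + len(payload)
    return struct.pack("!II", code, (flags << 24) | length) + payload + b"\0" * ((-length) % 4)


def build_message(cmd, flags, avps, app_id=0, hbh=1, e2e=1):
    body = b"".join(avps)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)),
                       (flags << 24) | cmd, app_id, hbh, e2e) + body


def sample_cea(result_code, error_bit=False):
    """Constructed sample CEA from a peer, carrying the given Result-Code."""
    avps = [build_avp(AVP_ORIGIN_HOST, b"peer.example.com"),
            build_avp(AVP_ORIGIN_REALM, b"example.com"),
            build_avp(AVP_RESULT_CODE, struct.pack("!I", result_code))]
    return build_message(CMD_CAPABILITIES_EXCHANGE, FLAG_ERROR if error_bit else 0, avps)


if __name__ == "__main__":
    for rc, ebit in ((2001, False), (3010, False), (2001, True)):
        print(rc, ebit, "close" if cea_peering_should_close(sample_cea(rc, ebit)) else "keep")
```

Result-Code 3010 (DIAMETER_UNKNOWN_PEER) is the typical answer when the remote side does not recognise the Origin-Host; a client that waited for the peer to hang up after such an answer could keep routing requests into a peering that will never carry them, which is the behaviour the release note says Radiator no longer exhibits.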
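The HTTPClient change above (proper handling of HTTP chunked encoding) is a common source of bugs in hand-rolled HTTP clients, and a RADIUS server that talks to REST or DUO style APIs over HTTP is exactly such a client. The following added example, written for this page and not taken from Radiator's HTTPClient.pm, decodes a chunked HTTP/1.1 response body per RFC 7230 section 4.1, tolerating chunk extensions and trailers while rejecting malformed chunk sizes, truncated input and bodies over a size cap. The sample response is constructed in the block.

```python
"""Added example (not Radiator's HTTPClient.pm): decode an HTTP/1.1
chunked transfer-coded body (RFC 7230 section 4.1) from raw response bytes.

SAMPLE_RESPONSE is constructed for this example."""
import re

CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]+")   # int(x, 16) alone would accept "-5" or "0x5"


def split_response(raw):
    """Split raw response bytes into (header_lines, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response header")
    return head.split(b"\r\n"), body


def is_chunked(header_lines):
    """True if the final transfer-coding in Transfer-Encoding is 'chunked'."""
    for line in header_lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(b",") if c.strip()]
            return bool(codings) and codings[-1] == b"chunked"
    return False


def decode_chunked(body, max_size=1 << 20):
    """Return (payload, trailer_lines). Raise ValueError on malformed,
    truncated, or oversized input rather than returning a partial body."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if not CHUNK_SIZE_RE.fullmatch(size_field):
            raise ValueError("bad chunk size: %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                                # last-chunk
        if len(out) + size > max_size:
            raise ValueError("chunked body exceeds max_size")
        if len(body) - pos < size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += size + 2
    trailers = []
    while True:                                                  # trailer section
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line = body[pos:eol]
        pos = eol + 2
        if not line:
            return bytes(out), trailers
        trailers.append(line)


def read_body(raw, max_size=1 << 20):
    """Return the decoded body of a raw response, chunked or not."""
    headers, body = split_response(raw)
    if is_chunked(headers):
        return decode_chunked(body, max_size)[0]
    return body


# Constructed sample: two chunks (the first with a chunk extension) and a trailer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"7;ext=1\r\n"
    b'{"ok": \r\n'
    b"5\r\n"
    b"true}\r\n"
    b"0\r\n"
    b"X-Checksum: abc\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(read_body(SAMPLE_RESPONSE))
```

Two decisions matter for a client used in an authentication path: a chunk size is validated as plain hex before conversion, and a truncated body raises instead of returning whatever arrived, so a connection dropped mid-response cannot be mistaken for a short but complete API answer.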