[RADIATOR] Radiator Version 4.27 released - major TLSv1.3 features and updates, other enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Wed Dec 21 17:59:56 UTC 2022
We are pleased to announce the release of Radiator version 4.27
This version contains new features, enhancements and bug fixes. See
below for the details.
As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/
Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/
An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:
-----------------------------
Revision 4.27 (2022-12-21) major TLSv1.3 features and updates, other
enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
Significant LDAP updates to connection and TLS handling.
Red Hat Enterprise Linux 9 and its derivatives are now supported.
Ubuntu 22.04 is now supported.
Session resumption is enabled for EAP-TLS with TLSv1.3 but remains
disabled for the other TLS based EAP methods.
TLSv1.3 is supported by EAP-TLS, EAP-TTLS and PEAP but remains disabled
by default.
TLSv1.3 is tested with RadSec and other Stream modules but remains
disabled by default.
Radiator can log TLS key material to a file to allow fully decrypting
EAP and Stream SSL/TLS sessions.
TLS handshake and state trace logging is now enabled for EAP and Stream
modules, such as PEAP and RadSec, when Trace 4 (debugging) or
PacketTrace is configured.
Fix and enhance EAP-FAST. Requires Net::SSLeay 1.94 or later with
OpenSSL 1.1.1 and later.
Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly
recommended.
Known caveats and other notes
TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
based classes, such as RadSec. TLSv1.3 testing reports are welcome.
EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with
OpenSSL 1.1.1 and later.
Detailed changes
Add Windows Server and Microsoft SQL Server specific TOTP configuration
samples in goodies.
Update Docker files in goodies directory. Change Centos 8 to AlmaLinux
8, add Alma Linux 9, Ubuntu 22.04 and Windows Server Core 2022.
Fix EAP-FAST with TLSv1.1 and TLSv1.2. Requires Net::SSLeay 1.94 or
later when OpenSSL version is 1.1.1 or later. Allow server authenticated
EAP-FAST to work without PAC.
Enhance handling of LDAP server name resolution, TLS configuration,
failure backoff handling and logging. When using a DNS name to connect to
an LDAP server, the name can now be resolved before connecting with the new
flag parameter ResolveHost. When a name has multiple addresses, a
connection attempt is made to each address in turn until a working server
is found. Failure backoff is kept separately for each resolved address.
SSLExpectedServerName now supports multiple values that are used
together with Host entries.
Update generate-totp.pl to do URI escaping when creating QR codes.
Previously, QR code URI components were not escaped, causing problems when
the issuer and accountname contain special characters. Add support for
defining the QR code image file name.
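The escaping fix above, illustrated as an added example (this is not generate-totp.pl or any other Radiator code): it builds an otpauth:// Key URI with every user-supplied component percent-encoded, keeps the old unescaped form only for comparison, and parses both back to show how an "&" or "?" in the issuer or account name corrupts the secret parameter when left unescaped. The issuer, account and secret values are constructed sample data.

```python
from urllib.parse import quote, urlsplit, parse_qs, unquote


def build_totp_uri(issuer: str, account: str, secret: str, digits: int = 6, period: int = 30) -> str:
    """otpauth:// Key URI with the label and query components percent-encoded (safe='' also encodes '/')."""
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    query = (f"secret={quote(secret, safe='')}&issuer={quote(issuer, safe='')}"
             f"&digits={digits}&period={period}")
    return f"otpauth://totp/{label}?{query}"


def build_totp_uri_unescaped(issuer: str, account: str, secret: str) -> str:
    """The pre-fix behaviour: raw components pasted into the URI. Kept only to show the failure."""
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"


def parse_totp_uri(uri: str) -> dict:
    """Parse a Key URI the way an authenticator app would: label from the path, parameters from the query."""
    parts = urlsplit(uri)
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.partition(":")
    params = parse_qs(parts.query)
    return {
        "label_issuer": label_issuer,
        "account": account,
        "secret": params.get("secret", [None])[0],
        "issuer": params.get("issuer", [None])[0],
    }


if __name__ == "__main__":
    # Constructed inputs containing the characters that break an unescaped URI.
    issuer, account, secret = "R&D", "bob?x@example.com", "JBSWY3DPEHPK3PXP"
    print(parse_totp_uri(build_totp_uri(issuer, account, secret)))
    print(parse_totp_uri(build_totp_uri_unescaped(issuer, account, secret)))
```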
Updated deprecated MySQL GRANT syntax in goodies examples. Beginning
with MySQL 8.0, CREATE USER is needed before GRANT.
Fix parameter binding in the AuthPLSQL.pm goodies module, which broke when
the module was updated in Radiator 4.25 to work with Perl 5.22 and later.
Values were left unchanged between query executions.
Added VENDOR 42229 Coriant with a number of Coriant prefixed attributes
to the default RADIUS dictionary. These may also be under the name Infinera
in some sources. Infinera acquired Coriant in 2018.
Fix uninitialised log trace id triggered by log level changes with USR1
and USR2 signals. Make ServerTACACSPLUS log level for immediate
disconnects follow DisconnectTraceLevel parameter. Update builddbm to
work outside of Radiator installation directory similarly to radpwtst.
Report and contributions by Patrik Forsberg.
Update CEF logging in LogFormat.pm. CEF authentication and accounting
log messages now include the original username, if present. Any
non-printable octets in CEF log messages are now escaped similarly to
packet dumps, which satisfies the UTF-8 encoding requirement. Enhanced
escaping and whitespace handling.
Minor updates to tests to address SHA-1 deprecation in Red Hat
Enterprise Linux 9. Packages are now built for RHEL9 compatible systems.
Reject EAP-TLS authentication when post-handshake TLS data is received
in the final acknowledgement after a successful TLS handshake. No data
is needed in this case and its presence indicates message
corruption, a TLS alert or something else unexpected.
Session resumption is now supported with EAP-TLS when TLSv1.3 is
negotiated. Resumption is prepared for EAP-TTLS and PEAP and will be
enabled when more interoperability testing is done.
EAP-TLS now supports TLSv1.3 as described in RFC 9190. EAP-TTLS and PEAP
support TLSv1.3 based on draft-ietf-emu-tls-eap-types. Session
resumption remains disabled for all TLS-based EAP methods with TLSv1.3
and will be enabled separately.
TLS-based EAP methods now support the TLSv1.3 key exporter needed for the
MS-MPPE-Send-Key, MS-MPPE-Recv-Key and EAP-Key-Name attributes and other
uses.
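How the TLSv1.3 key exporter feeds those attributes, as an added example that is not Radiator code: it implements the RFC 8446 TLS-Exporter over HKDF, then derives Key_Material and Method-Id with the EAP-TLS labels from RFC 9190 (the same labels with the method's own Type-Code are used for EAP-TTLS, PEAP and EAP-FAST by draft-ietf-emu-tls-eap-types, now RFC 9427), and splits the result into MSK, EMSK, the two MS-MPPE keys and the Session-Id carried in EAP-Key-Name. It assumes a SHA-256 cipher suite and takes a constructed exporter_master_secret instead of one from a live handshake.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256  # assumption: a SHA-256 suite such as TLS_AES_128_GCM_SHA256 was negotiated
HASH_LEN = HASH().digest_size

# EAP method Type-Codes used as the exporter context (RFC 9190 for EAP-TLS, RFC 9427 for the rest)
TYPE_CODE = {"EAP-TLS": 0x0D, "EAP-TTLS": 0x15, "PEAP": 0x19, "EAP-FAST": 0x2B}


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.1: HkdfLabel = uint16 length || "tls13 " + label || context."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls13_exporter(exporter_master_secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 section 7.5 TLS-Exporter: Derive-Secret over an empty transcript, then "exporter"."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, "exporter", HASH(context).digest(), length)


def eap_tls13_keys(exporter_master_secret: bytes, method: str) -> dict:
    """Derive MSK, EMSK, the MS-MPPE keys and the EAP Session-Id for a TLSv1.3 EAP method."""
    type_code = bytes([TYPE_CODE[method]])
    key_material = tls13_exporter(exporter_master_secret, "EXPORTER_EAP_TLS_Key_Material", type_code, 128)
    method_id = tls13_exporter(exporter_master_secret, "EXPORTER_EAP_TLS_Method-Id", type_code, 64)
    msk, emsk = key_material[:64], key_material[64:]
    return {
        "MSK": msk,
        "EMSK": emsk,
        "MS-MPPE-Recv-Key": msk[:32],  # first half of the MSK (RFC 5216 section 2.3)
        "MS-MPPE-Send-Key": msk[32:],  # second half of the MSK
        "EAP-Key-Name": type_code + method_id,  # Session-Id = Type-Code || Method-Id
    }
```

Calling eap_tls13_keys(secret, "PEAP") with the same secret yields different keys, because the Type-Code is part of the exporter context.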
TLS state tracing for EAP and Stream modules is now enabled with
configuration parameters EAPTLS_TraceState and TLS_TraceState or when
TLS message logging is not available. TLS message logging requires
Net::SSLeay 1.92 or later.
StreamTLS based modules, such as RadSec, now log and respond better to
TLS alerts and handshake messages. TLS alerts are now sent in more cases
instead of directly closing the stream transport connection. Logging of
TLS events is enhanced and more testing is done with TLSv1.3.
TLS based Stream classes, such as RadSec, now support the TLS_Ciphersuites
configuration parameter that sets the allowed cipher suites for TLSv1.3.
This parameter is similar to TLS_Ciphers, which sets the allowed cipher
suites for TLSv1.2 and earlier versions.
ServerTACACSPLUS log level for client initiated connection terminations
is now DEBUG. It's normal for the client to close the TACACS+ connection.
This returns the logging level back to what was used with release 4.20
and earlier. Update NTLM and related Samba winbind configuration
instructions in goodies.
Add support for SSL_CTX_set_keylog_callback that enables Radiator to log
TLS key material. This allows fully decrypting EAP and Stream SSL/TLS
sessions, including those that have forward secrecy enabled. TLS keylog
should only be used for debugging to avoid security issues. See the
reference manual for the new parameters EAPTLS_KeylogFilename and
TLS_KeylogFilename. Requires Net::SSLeay 1.92 or later.
TLS handshake and state trace logging is now enabled for EAP and Stream
modules, such as PEAP and RadSec, when Trace 4 (debugging) or
PacketTrace is configured. Requires Net::SSLeay 1.92 or later.
Enhance Ansible playbooks to use operating system families. Instead of
listing, for example, all Red Hat Enterprise Linux variants, use the RedHat
family to cover them all.
radpwtst can now send empty EAP-GTC and EAP-OTP responses when needed.
Use TLS_Protocols parameter more consistently in goodies samples and
recommend it over UseTLS. Replace non-ASCII characters in goodies and
other text files with printable ASCII characters.
Update the default Radius dictionary with the following 5G attributes
from VENDOR 3GPP TS 29.561 v16.8.0: 3GPP-VLAN-Id, 3GPP-TNAP-Identifier,
3GPP-HFC-NodeId, 3GPP-GLI, 3GPP-Line-Type, 3GPP-NID and 3GPP-GCI.
Add VENDOR 2011 Huawei attributes Huawei-User-Group-Name,
Huawei-User-Service-Type and Huawei-Web-URL to the default Radius
dictionary. Add new dictionary file dictionary.huawei2 to goodies
directory. This file was received from the vendor and contains
attributes used by NetEngine 8000 series and possibly other devices.
GossipRedis can now send a Redis ECHO command to probe and keep a
connection active. Probing is disabled by default and is enabled with
ProbeTimeout GossipRedis configuration parameter.
Update Redis session database sample file in goodies.
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software