[RADIATOR] Radiator Version 4.28 released - new features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Tue Dec 19 15:28:37 UTC 2023
We are pleased to announce the release of Radiator version 4.28.

This version contains new features, enhancements and bug fixes. See
below for the details.

As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:
-----------------------------
Revision 4.28 (2023-12-19) new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

VENDOR 14823 Aruba VSAs Aruba-PoE-Priority, Aruba-Port-Auth-Mode and
Aruba-QoS-Trust-Mode now have symbolic names for their integer type
values in the default Radius dictionary.

Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly
recommended.

Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
based classes, such as RadSec. TLSv1.3 testing reports are welcome.

EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with
OpenSSL 1.1.1 and later.

Detailed changes

Update the default Radius dictionary to include Juniper's PON related
and other attributes: Vendor code 4874, VSAs 141
Downstream-Calculated-Qos-Rate and 142
Upstream-Calculated-Qos-Rate, 143 Jnpr-Max-Clients-Per-Interface, 164
Unisphere-IPv4-Release-Control, 173 Unisphere-Service-Activate-Type and
174 Unisphere-Client-Profile-Name.

Update systemd service unit files for Radiator to show how to capture
stderr and stdout to files for easier debugging. Also update the
reference manual. See Debug in AuthBy LDAP2 for an example.

Review and update Docker files. Update installed packages and add
comments to cover some scenarios.

RADIUS and RadSec HashBalance proxy algorithm now logs more details
about next hop failures.

Enhanced logging for PAP messages created from EAP-GTC.

When TLS connections need to send alerts, the alerts are now sent in
more cases before closing RadSec and other TCP or SCTP connections.

Improve logging of Diameter and RadSec connections that have
unacceptable header lengths.

When a RADIUS or Diameter dictionary entry contains unexpected
characters, a warning is logged. Improve RADIUS and Diameter dictionary
logging.

AuthBy REST no longer crashes when the server response is not a JSON object.

Diameter Hop-by-Hop and End-to-End identifiers now wrap correctly.

AttrVal::pclean function now returns an empty string when called with an
undef value. This avoids later warnings where the processed value is logged.

The goodies configuration samples now include the evaluation license
directly. Previously this information required manual entry.

CachePasswords can now use a configurable key with a new configuration
parameter CachePasswordKey instead of always using the current username.

Add new dictionary file dictionary.huawei-airengine in goodies.
Attributes in this file are supported by Huawei's AirEngine Access
Points and Access Controllers. From this dictionary add attributes
Huawei-Redirect-ACL, Huawei-IPv6-Redirect-ACL, Huawei-User-Extend-Info,
Huawei-MUD-URL, Huawei-VIP-Level-ID, Huawei-EPIV-Info, Huawei-DPSK-Info,
Huawei-TAG-Info, Huawei-Web-Authen-Info, Huawei-Ext-Specific and
Huawei-Reachable-Detect to the default Radius dictionary.

EAP-TLS reject reason is now logged when the authentication fails but
the client still unsuccessfully tries to restart the EAP-TLS handshake.
Examples of possible failure reasons are unknown CAs and expired client
certificates. Previously the original reject reason was not logged with
restart failures.

AuthBy INTERNAL now supports StripFromRequest, AddToRequest and
AddToRequestIfNotExist.

Update sample certificates to expire on Sep 13 12:31:29 2025 GMT. Add
file VERSION in the top level Radiator distribution directory. The file
tells the Radiator version and patch level.

Fix two memory leaks seen with AuthBy REST. Leaks happened with
Accounting-Request handling and when HTTP connections were unavailable.

Remove AuthRODOPI.pm because the Rodopi billing system is obsolete and no
longer in use.

Remove old match_keyword function from Configurable.pm. Minor cleanups.

Add support for parameters VendorAuthApplicationIds and
VendorAcctApplicationIds in ServerDIAMETER. These set values within
Vendor-Specific-Application-Id Diameter AVPs. Fix sending
Acct-Application-Id AVPs when no AuthApplicationIds configuration
parameter is defined but empty.

Add firewall manager profile files to goodies. Newly added files are for
firewalld and ufw typically used with Red Hat and Ubuntu and their
derivatives. These profiles cover Radius UDP ports 1645, 1646, 1812 and
1813, RadSec TCP port 2083, DIAMETER TCP and SCTP port 3868 and TACACS+
port TCP 49.

AuthBy SIP2 now supports new parameter Institution. This sets the value
of AO parameter, institution id, in SIP2 patron messages. When
Institution is not defined in the Radiator configuration, Radiator
continues to use the ACS Status response to learn the institution id.

The first SIP2 authentication could fail immediately after Radiator
startup. This is caused by a missing institution id in the first patron
request Radiator sends to the ACS. Radiator now sends SC status message
after ACS login to immediately learn the institution id value and only
then starts composing the patron request.

Update VENDOR 26928 Aerohive attributes in the default Radius
dictionary. New attributes are Aerohive-Data-Usage-Limit,
Aerohive-AVPair, Aerohive-Radius-Code, Aerohive-User-Language,
Aerohive-Time-Zone-Offset, Aerohive-Daylight-Saving-Offset,
Aerohive-Client-Monitor-Session, Aerohive-Client-Monitor-Problem,
Aerohive-IDM-Redirect-URL, Aerohive-MGT-MAC-Address and
Aerohive-Auth-Source. Note that Aerohive documentation lists all vendor
26928 attributes with Extreme- prefix. Radiator continues to use
Aerohive- prefix for backwards compatibility.

Add VENDOR 14122 Wireless Broadband Alliance (WBA) attribute
WBA-Custom-SLA to Radius dictionary.

%{Client:name} format and Client-Identifier check item now use
ServerTACACSPLUS values with those TACACS+ derived requests that do not
match a specific Client clause.

Fix AuthBy FIDELIO and fideliosim.pl which were broken by changes in
Radiator 4.26.

Update VENDOR 10415 3GPP Radius attributes to include the latest Release
17 definitions: Add new 3G/LTE internetworking attributes
3GPP-UE-Local-IP-Address and 3GPP-UE-Source-Port. Add 5G internetworking
attributes 3GPP-DNAI, 3GPP-RSN, 3GPP-Session-Pair-Id and
3GPP-Charging-Id-v2. Add new 3GPP-RAT-Type values.

HTTPClient, used for example by AuthBy REST, now immediately acts on
HTTP Connection: close header. The connection is avoided for sending and
directly closed instead of waiting for a peer initiated TCP shutdown.

Add VENDOR 40808 Wi-Fi Alliance (WFA) attributes
WFA-HS20-Roaming-Consortium, WFA-HS20-Terms-And-Conditions-Filename,
WFA-HS20-Terms-And-Conditions-Timestamp,
WFA-HS20-Terms-And-Conditions-Filtering,
WFA-HS20-Terms-And-Conditions-Server-URL. WFA-HS20-Roaming-Consortium is
contributed by Stefan Paetow. The other attributes are based on values
in wpa_supplicant. Add value Release-3 for attribute
WFA-HS20-AP-Version. The newly added attributes should now provide
support for Passpoint release 3.

Add VENDOR 14122 Wireless Broadband Association (WBA) attributes
WBA-Offered-Service, WBA-Financial-Clearing-Provider,
WBA-Data-Clearing-Provider, WBA-Linear-Volume-Rate and
WBA-Identity-Provider. Note that for historical reasons this vendor id
is named WISPr and the previously defined WISPr-prefixed attributes
share the same vendor id with the newer WBA-prefixed attributes.

Add Protocol-Error Radius packet type from RFC 7930 to known packet types.

Update vendor 14823 Aruba, 29671 Meraki and 25461 PaloAlto Radius
dictionary entries.

Add aliases Aruba-Port-Id and Aruba-Template-User for
Aruba-Port-Identifier and Aruba-MMS-User-Template. Add new VSAs
Aruba-Auth-SurvMethod, Aruba-AP-MAC-Address, Aruba-Device-MAC-Address
and Aruba-PVLAN-Port-Type from Aruba, AOS 10 and AOS-CX 10
documentation. Add values for existing VSAs Aruba-PoE-Priority,
Aruba-Port-Auth-Mode and Aruba-QoS-Trust-Mode.

Add Meraki VSAs 2, 3 and 4: Meraki-Network-Name, Meraki-Ap-Name and
Meraki-Ap-Tags.

Add PaloAlto VSAs 6 - 10: PaloAlto-Client-Source-IP, PaloAlto-Client-OS,
PaloAlto-Client-Hostname and PaloAlto-GlobalProtect-Client-Version.
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software