[RADIATOR] Radiator Version 4.29 released - major Radius protocol security fix, minor features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Tue Jul 9 14:57:06 UTC 2024
We are pleased to announce the release of Radiator version 4.29
This version contains a major Radius protocol security fix, some new
features, enhancements and bug fixes. See below for the details.
As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/
Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/
An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:
-----------------------------
Revision 4.29 (2024-07-09) major Radius protocol security fix, some new
features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
Updates to address CVE-2024-3596 BlastRADIUS vulnerability in the RADIUS
protocol. For the vulnerability details, see https://www.blastradius.fail
Support Ubuntu 24.04.
Known caveats and other notes
TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
based classes, such as RadSec. TLSv1.3 testing reports are welcome.
EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with
OpenSSL 1.1.1 and later.
Detailed changes
Add a new flag parameter LimitProxyState to Client clauses. This
parameter allows dropping those requests from non-proxy clients that
contain Proxy-State but do not contain Message-Authenticator. Ensure
that ServeRADSEC drops requests with bad Message-Authenticator instead
of just logging them. The upcoming Radius transport update by IETF's
radext working group will remove the redundant signatures but keep them
for the current transport profile. LimitProxyState addresses CVE-2024-3596.
Update RADIUS Message-Authenticator attribute handling.
Message-Authenticator is always added as the first attribute in Radius
messages. Message-Authenticator is now added automatically to replies to
Access-Request messages and to Access-Request messages when they are
proxied. New parameter RequireMessageAuthenticator is now available for
AuthBy RADIUS and its subclasses. It can be set for all hosts in an
AuthBy or on a host-by-host basis. This parameter requires a valid
Message-Authenticator in proxy replies. A new configuration flag
-no_message_authenticator is available in radpwtst to skip
Message-Authenticator in Access-Requests. Most of the updates are based
on the work currently done in the IETF's radext working group. Addresses
CVE-2024-3596.
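As an added illustration of the Message-Authenticator and LimitProxyState handling described in the two items above (example code written for this post, not Radiator's own Perl source), the following verifies the HMAC-MD5 Message-Authenticator of a received request, applies the drop rule for Proxy-State without Message-Authenticator, and builds a signed Access-Request with Message-Authenticator as the first attribute; the shared secret, Request Authenticator and attribute values are constructed for the example.

```python
import hashlib
import hmac

ACCESS_REQUEST = 1
PROXY_STATE = 33            # RADIUS attribute type codes
MESSAGE_AUTHENTICATOR = 80

def parse_attrs(packet):
    """Return [(type, value), ...] from the attribute area after the 20-byte header."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs

def message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869)."""
    buf = bytearray(packet)
    if request_authenticator is not None:    # replies are computed over the Request Authenticator
        buf[4:20] = request_authenticator
    i = 20
    while i < len(buf):                      # attribute lengths already validated by parse_attrs
        if buf[i] == MESSAGE_AUTHENTICATOR:
            buf[i + 2:i + buf[i + 1]] = b"\x00" * 16
            break
        i += buf[i + 1]
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def check_request(packet, secret, limit_proxy_state=True):
    """Return 'accept' or a 'drop: ...' reason; limit_proxy_state models Radiator's LimitProxyState."""
    attrs = parse_attrs(packet)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if macs:
        if len(macs[0]) != 16 or not hmac.compare_digest(macs[0], message_authenticator(packet, secret)):
            return "drop: bad Message-Authenticator"
        return "accept"
    if limit_proxy_state and any(t == PROXY_STATE for t, _ in attrs):
        return "drop: Proxy-State without Message-Authenticator"
    return "accept"

def build_access_request(secret, request_authenticator, attrs, ident=1):
    """Build an Access-Request with Message-Authenticator as the first attribute, then sign it."""
    body = bytearray([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    for t, v in attrs:
        body += bytes([t, len(v) + 2]) + v
    pkt = bytearray([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + request_authenticator + body
    pkt[22:38] = message_authenticator(bytes(pkt), secret)   # the value sits right after the header
    return bytes(pkt)
```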
Discard unknown Diameter answers earlier in DiaPeer.pm. Simplify request
sending in DiaPeer.pm.
Add new hooks in goodies: addresspool-statshook.pl for monitoring IP
address allocator pool utilisation, and client-nas-identifier.pl and
client-nas-identifier-2.pl to use together with a new configuration
sample file client-nas-identifier.cfg. This file shows how to define
Client clauses for clients behind NAT that are identified only by the
NAS-Identifier attribute.
Ansible playbooks in goodies updated to use FQCN. The minimum Ansible core
version for Ubuntu 24.04 usage is updated in the README.
Add support for configuring SIGTRAN statistics clauses. SIGTRAN is
supported by Radiator's SIM pack.
Test with Ubuntu 24.04. Add new VENDOR 6027 Force10 in the default
Radius dictionary with attribute Force10-avpair. Also add VENDOR 674
Dell (also known as DellEMC) with attribute Dell-AVpair.
Add VENDOR 12148 ELTEK attribute ELTEK-SP-UserID to the default RADIUS
dictionary. Add values for ELTEK-SP-AdminLevel. The other ELTEK
attributes were already present in the dictionary. Update VENDOR 30065
Arista and VENDOR 16901 Mojo, also Arista, attributes.
Fix CEF AuthLog and AcctLog header format broken in releases 4.27 and
4.28. Authentication log formatting in LogFormat.pm incorrectly logged
ignored requests as rejected requests with CEF and JSON formats.
Add VENDOR 2007 Teldat attribute Teldat-Access-Level to Radius dictionary.
AuthBy LDAP2 now properly closes the LDAP connection when a group search
experiences an LDAP error. This avoids errors in subsequent LDAP
queries. Add similar checks to LDAP NMAS functions.
--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software