<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello Heiki,<div class=""><br class=""></div><div class="">Some nice improvements and fixes. I’ve just installed this version on our test environment and i’m seeing some strange behaviour/errors on a configuration that runs fine with 4.22-2.</div><div class=""><br class=""></div><div class="">On performaning proxied mschapv2 authentication (with both TTLS and PEAP) radiator logs the following after receiving an ‘Access-Accept’ from the backend servers:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 09:56:37 2019 137963: ERR: Could not handle an EAP request: Can't locate object method "getOriginaluserNameString" via package "Radius::Radius" at </span><span style="font-variant-ligatures: no-common-ligatures; color: #82c12a" class="">/opt/radiator/radiator/Radius/Util.pm</span><span style="font-variant-ligatures: no-common-ligatures" class=""> line 88.</span></div><br class="">Similarly, TTLS-PAP authentication logs the following:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 916527: DEBUG: Handling with EAP: code 2, 8, 87, 21</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 916961: DEBUG: Response type 21</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 917282: INFO: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 917746: DEBUG: EAP Failure, elapsed time 0.000003</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 918140: DEBUG: EAP result: 1, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 918586: DEBUG: AuthBy FILE result: REJECT, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 919201: INFO: Access rejected for <a href="mailto:anonymous@utwente.nl" class="">anonymous@utwente.nl</a>: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Liberation Mono for Powerline"; color: rgb(255, 255, 255); background-color: rgb(29, 30, 26);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thu Apr 11 10:00:48 2019 920957: DEBUG: EAP Failure, elapsed time 0.000003</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Seing that the test environment is a single instance of radiator and the NAS is actually just a single FreeRADIUS eapol_test script the error seems unlikely.</div><div class=""><br class=""></div><div class="">Installation is based on the new radiator_4.23-1_all.deb package.</div><div class=""><br class=""></div><div class="">Kind regards,</div></div></div></div></div></div></div></div><div><br class=""></div><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="color: gray; font-size: 7pt; font-family: Verdana, sans-serif;">Leon Haverkotte</span><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif;"><font color="#999999" class=""> | </font></span></b><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="color: gray; font-size: 7pt; font-family: Verdana, sans-serif;">Network engineer</span><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif;"><font color="#999999" class=""> | </font></span></b><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="color: gray; font-size: 7pt; font-family: Verdana, sans-serif;">University of Twente</span><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif;"><font color="#999999" class=""> | </font></span></b><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif; color: gray;"><b class="" style="color: rgb(0, 0, 0); font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="color: gray; font-size: 7pt; font-family: Verdana, sans-serif;">Library, ICT Services & Archive (LISA) / ITO</span></b> | </span></b><span class="" style="color: gray; font-size: 7pt; font-family: Verdana, sans-serif;">Campus building Spiegel, room 226</span><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif;"><font color="#999999" class=""> | </font></span></b><span class="" style="color: gray; font-size: 7pt; font-family: Verdana, sans-serif;">T: +31 (0)53 - 489 3016</span><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif;"><font color="#999999" class=""> | </font></span></b><span style="color: rgb(128, 128, 128); font-family: Verdana, sans-serif; font-size: 9px;" class=""><a href="mailto:l.m.c.haverkotte@utwente.nl" class="">l.m.c.haverkotte@utwente.nl</a></span><b class="" style="font-family: "Times New Roman", serif; font-size: 12pt;"><span class="" style="font-size: 7pt; font-family: Verdana, sans-serif;"><font color="#999999" class=""> | </font></span></b><span style="color: rgb(128, 128, 128); font-family: Verdana, sans-serif; font-size: 9px;" class=""><a href="http://www.utwente.nl/lisa" class="">www.utwente.nl/lisa</a></span></div><div class=""><br class=""></div></div></div></div></div></div></div></div><div><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class="">On 10 Apr 2019, at 18:02, Heikki Vatiainen <<a href="mailto:hvn@open.com.au" class="">hvn@open.com.au</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">We are pleased to announce the release of Radiator version 4.23<br class=""><br class="">This version contains security fixes for EAP-pwd authentication and certain TLS configurations. Other changes include new features, enhancements and bug fixes. See below for the details.<br class=""><br class="">As usual, the new version is available to current licensees<br class="">and evaluators from:<br class=""><a href="https://www.open.com.au/radiator/downloads.html" class="">https://www.open.com.au/radiator/downloads.html</a><br class=""><br class="">Licensees with expired access contracts can renew at:<br class="">https://www.open.com.au/renewal.html<br class=""><br class="">An extract from the history file<br class="">https://www.open.com.au/radiator/history.html is below:<br class=""><br class="">-----------------------------<br class=""><br class="">Revision 4.23 (2019-04-10) security fixes, new features, enhancements and bug fixes<br class=""><br class=""><br class=""> Selected compatibility notes, enhancements and fixes<br class=""><br class="">Improved AcctLogFILE to support JSON.<br class=""><br class="">Security fixes for EAP-pwd authentication and certain TLS configurations. OSC recommends all users to<br class="">review OSC security advisory OSC-SEC-2019-01<br class="">https://www.open.com.au/OSC-SEC-2019-01.html<br class=""><br class=""><br class=""> Known caveats and other notes<br class=""><br class="">TLSv1.3 is not enabled by default for TLS based EAP methods.<br class=""><br class="">TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.<br class=""><br class=""><br class=""> Detailed changes<br class=""><br class="">Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.<br class=""><br class="">Added an example of using SupplementaryGroups option in systemd goodies files radiator.service and radiator@.service. This parameter is typically used with AuthBy NTLM to grant access to winbindd socket.<br class=""><br class="">Added support for experimental parameters EAPTLS_CRLCheckUseDeltas and TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation list support for TLS based EAP and Stream classes, such as EAP-TLS and RadSec. Added test CLRs to Radiator demo ceritificates. See Radiator reference manual for the details.<br class=""><br class="">Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec, when Radiator tried to log information about a certificate during specially configured verification. Certificate is not made available by TLS library in all verification failure cases. Reported by Stefan Winter.<br class=""><br class="">AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled when checking AuthenProto configuration parameter. Addressed a number of Perl::Critic reports.<br class=""><br class="">AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.<br class=""><br class="">Update test.pl to clean up temporary files after finishing.<br class=""><br class="">DiaClient inheritance was updated to allow better log message control. Updated diapwtst respectively. Addressed a number of DiaClient related Perl::Critic reports.<br class=""><br class="">Fixed some log messages that did not correctly interpolate variables. Addressed other minor results reported by Perl::Critic.<br class=""><br class="">Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.<br class=""><br class="">JSON::MaybeXS was mistakenly added as a JSON backend. However it is a wrapper for backends so it is now removed from the list of JSON backends.<br class=""><br class="">Peer certificate issuer, subject and serial number in decimal and hexdecimal format is now logged on debug level when Radiator verifies peer certificate during EAP-TLS authentication or TLS based stream connection. This information is logged during verify callback when the TLS/SSL library is doing certificate verification. Logging is now done during successful and failing verification. Previously only some certificate information was logged.<br class=""><br class="">Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR 4329 Siemens added Siemens-AP-Mac as a new VSAs and Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for Siemens-Ingress-RC and Siemens-Egress-RC.<br class=""><br class="">LogSYSLOG did not log Trace 5 level messages but printed out warnings about invalid level/facility to STDERR. Reported by Paul Dekkers.<br class=""><br class="">Requests without User-Name were triggering warnings that were enabled in Radiator 4.21. Reported cases now avoid warnings, and usernames that are empty instead of not defined are now more clearly logged. Similar work enabling more warnings continues and any reports are welcome. Cases now fixed were reported by Paul Dekkers and Roland Rosenfeld.<br class=""><br class="">When malformed attributes are received, sender IP address and port are now included in the message. Suggested by Paul Dekkers.<br class=""><br class="">Support configuration parameter AddToRequestIfNotExist added to AuthBy RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.<br class=""><br class="">Fixed make zipdist and other non-default targets from failing.<br class=""><br class="">Unit test name cleanup and better separation between tests.<br class=""><br class="">generate-totp.pl and nthash.pl goodies utilities no longer need Radiator modules. They now require Net::SSLeay and Digest::MD4, respectively.<br class=""><br class="">diapwtst now searches its parent directory for Radius-modules. This allows diapwtst to be called in similar fashion as radpwtst.<br class=""><br class="">Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. Old behaviour was causing zombie processes on some systems. Reported by Johan Wassberg.<br class=""><br class="">Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and change_attr now return 0, as documented, instead of nothing. This return value still evaluates to false but is now defined. Addressed results reported by Perl::Critic.<br class=""><br class="">Avoid unnecessary log messages and warnings by not probing SCTP API support on windows and completely avoiding harmless use of undefined variables in AuthGeneric.<br class=""><br class="">Added module Radius::JSON, which is a wrapper for various JSON backends. Module exports encode_json and decode_json from the JSON backend it finds. Last resort is JSON::PP, which should be included Perl versions from 5.14.0.<br class=""><br class="">Improved AcctLogFILE to support JSON. By default, in addition to trace_id, timestamp, source_host, and type (accounting), all attributes from Accounting-Request are logged. This behaviour can be modified with parameter AcctLogOutputDef.<br class=""><br class="">Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).<br class=""><br class="">Updates to support and other help texts.<br class=""><br class="">Add expected result feature for diapwtst. When expected result is set, diapwtst returns 0 (success) even if result was something else. In this way diapwtst can be more useful, for example to periodically test DIAMETER services.<br class=""><br class=""><br class="">-- <br class="">Heikki Vatiainen <hvn@open.com.au><br class=""><br class="">Radiator: the most portable, flexible and configurable RADIUS server<br class="">anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br class="">EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br class="">DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br class=""><br class="">_______________________________________________<br class="">radiator mailing list<br class="">radiator@lists.open.com.au<br class="">https://lists.open.com.au/mailman/listinfo/radiator<br class=""></div></div></blockquote></div><br class=""></div></body></html>