<div dir="ltr">Just noticed a typo in the main dictionary file, line 9820 (o/r switched):<div><br></div><div>VENDORATTR 14988 Mikortik-DHCP-Option-Param-STR2 25 string<br></div><div><br></div><div>Regards,</div><div>Eddie</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 20, 2020 at 5:42 PM Heikki Vatiainen <<a href="mailto:hvn@open.com.au">hvn@open.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">We are pleased to announce the release of Radiator version 4.25<br>
<br>
This version contains new features, enhancements and bug fixes.<br>
Notable new features relate to Ansible, Docker and extended RADIUS <br>
attribute formats. See below for the details.<br>
<br>
As usual, the new version is available to current licensees<br>
and evaluators from:<br>
<a href="https://radiatorsoftware.com/downloads/" rel="noreferrer" target="_blank">https://radiatorsoftware.com/downloads/</a><br>
<br>
Licensees with expired access contracts can renew at:<br>
<a href="https://radiatorsoftware.com/renewal-order/" rel="noreferrer" target="_blank">https://radiatorsoftware.com/renewal-order/</a><br>
<br>
An extract from the history file<br>
<a href="https://www.open.com.au/radiator/history.html" rel="noreferrer" target="_blank">https://www.open.com.au/radiator/history.html</a> is below:<br>
<br>
-----------------------------<br>
<br>
Revision 4.25 (2020-10-20) new features, enhancements and bug fixes<br>
<br>
<br>
Selected compatibility notes, enhancements and fixes<br>
<br>
Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, <br>
Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker <br>
directory.<br>
<br>
Ansible playbooks for installing, upgrading and managing Radiator with <br>
Ansible were added in goodies Ansible directory.<br>
<br>
Added initial support for RFC 6929 and 8044 formats and data types. If a <br>
vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or <br>
244.26 is received but it is not present in the dictionary, it is now <br>
named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts <br>
with the Vendor-Id octets. Naming may change in the future Radiator <br>
releases.<br>
<br>
Hash balance proxy algorithm was significantly enhanced.<br>
<br>
Oracle Linux is tested to work with the el7 and el8 packages.<br>
<br>
New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu <br>
20.04.<br>
<br>
Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now <br>
an alias. The preferred name is Web-Application-Security-Administrator.<br>
<br>
BindV6Only update may in rare configurations change existing behaviour. <br>
If you have BindV6Only enabled, see startup debug messages for affected <br>
listen sockets.<br>
<br>
<br>
Known caveats and other notes<br>
<br>
TLSv1.3 remains disabled by default for TLS based EAP methods and Stream <br>
based classes, such as RadSec.<br>
<br>
EAP-FAST functionality is reported to vary between TLS versions, TLS <br>
library security level settings and client implementations.<br>
<br>
<br>
Detailed changes<br>
<br>
Added Win32-Lsa module for 64bit Strawberry Perl 5.32.<br>
<br>
When a Status-Server request is received from a known client without a <br>
Message-Authenticator, Radiator now logs a warning before the request. <br>
Previously these requests were ignored without any logging. Noted by <br>
Michael Hulko.<br>
<br>
DiaClient no longer creates zero length Destination-Host and <br>
Destination-Realm AVPs when child classes leave their DestinationHost <br>
and DestinationRealm configuration parameters unset. This affects <br>
DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy <br>
AKAWX which now have better control setting the values for the AVPs. <br>
This reverts the behaviour to how Radiator 4.16 and earlier worked.<br>
<br>
Removed DupInterval 0 from all goodies configuration samples. This is no <br>
longer needed even with testing because duplicate detection has for a <br>
long time used methods recommended by RFC 5080. Updated AuthBy ACE <br>
configuration information.<br>
<br>
Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, <br>
Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker <br>
directory. Docker containers based on these files have Radiator and <br>
Radius::UtilXS installed, and a single Radiator instance running when the <br>
container is run. Multiple Radiator instances can be run by running <br>
multiple Docker containers.<br>
<br>
Added vendor specific attributes needed by Ruckus ICX devices. For <br>
VENDOR 1991 Foundry: Foundry-COA-Command-List, <br>
Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus: Ruckus-FlexAuth-AVP.<br>
<br>
Updated Radiator MSI package to use Strawberry Perl 5.32.0.1 and <br>
Radius::UtilXS 2.3-1.<br>
<br>
Added initial support for RFC 6929 and 8044 formats and data types. <br>
Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the <br>
default RADIUS dictionary. Added vendor specific attributes for VENDOR <br>
6527 Nokia (formerly 'Alcatel-Lucent') that are encapsulated within IANA <br>
attribute 241 Extended-Type-1.<br>
Received extended attributes use dictionary names as usual. If a <br>
vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or <br>
244.26 is not present in the dictionary, it is now named as <br>
Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts <br>
with the Vendor-Id octets.<br>
Attributes added with names such as Extended-Type-1 and <br>
Extended-Vendor-Specific-1 are packed without further processing of the <br>
value. This is similar to how packing was done previously.<br>
<br>
Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN <br>
and Juniper-CWA-Redirect-URL to dictionary.<br>
<br>
Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the <br>
default RADIUS dictionary.<br>
<br>
Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to <br>
dictionary.<br>
<br>
Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary <br>
for VENDOR 1556 Sonus Networks. This vendor code was previously assigned <br>
to Performance Technologies, Inc.<br>
<br>
Updated EAP-TLS NoCheckId documentation and configuration sample. <br>
Improved Ansible playbook output to clearly show the Radiator instance status.<br>
<br>
AuthByHASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now <br>
distribute requests more equally among remaining next hop hosts when a <br>
next hop host fails. Previously the requests destined to a failed host <br>
were proxied to only one of the remaining hosts.<br>
<br>
Added instructions how to edit Radiator Software Ansible playbooks to <br>
support other Linux distributions like Oracle Linux.<br>
<br>
Radiator's Radius::UtilXS package now provides an interface to AES <br>
functions required by SIM pack. This allows using OpenSSL or LibreSSL <br>
instead of Crypt::Rijndael.<br>
<br>
Updated configuration samples to work without changes when using RPM or <br>
deb packages. LogDir, DictionaryFile, certificate location and other <br>
settings now point to locations the packages use and create.<br>
<br>
Ansible playbooks for deploying Radiator from RPM/deb packages and <br>
managing Radiator instances.<br>
<br>
DictionaryFile, ClientListSQL flags column, and some other configuration <br>
parameters that use a comma to separate file names and other arguments, <br>
now allow spaces around the comma.<br>
<br>
Enhanced virtual systemd service (radiator-instances.service) to control <br>
multiple instances without a need to change service file configuration. <br>
This change offers an enhanced feature but does not affect previous <br>
functionality.<br>
<br>
Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute <br>
Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name <br>
and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the <br>
default Radiator dictionary. Updated VENDOR 5 Acc attributes based on <br>
draft-ilgun-radius-accvsa-02.<br>
<br>
Added a new dictionary file dictionary.cambium-motorola-161 in goodies. <br>
This file includes Motorola-Canopy and Cambium-Canopy attributes <br>
contributed by Brandon Shiers. These attributes are in a separate file <br>
because the default dictionary already contains Motorola WiMAX <br>
attributes which use the same overlapping vendor number 161.<br>
<br>
Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from <br>
TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support. <br>
Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061 <br>
version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and <br>
3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.<br>
<br>
DiameterDictionaryFile attributes are now added to all dictionaries in <br>
addition to base dictionary. ServerDIAMETER now uses Diameter dictionary <br>
of Diameter request or answer when converting to and from Diameter and <br>
Radius. Previously base dictionary was used for conversion. Enhanced <br>
debug log messages and simplified code related to loading and using <br>
dictionaries.<br>
<br>
Updated VENDOR Mikrotik 14988 attributes with the latest additions.<br>
<br>
Updated VENDOR Aruba 14823 attributes with the latest additions.<br>
<br>
Multiple dictionary updates: New file dictionary.nokia-637 was added for <br>
vendor 637 Nokia (formerly 'Alcatel-Lucent') for those attributes that <br>
do not use the special 'format=2,1' that vendor 637 attributes use in the <br>
default dictionary.<br>
<br>
Added attributes from multiple vendors to the default dictionary:<br>
Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR <br>
and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.<br>
Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with <br>
a number of CVPN5000 prefixed attributes.<br>
Added VENDOR Adtran 664 with a number of Adtran prefixed <br>
attributes.<br>
Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband <br>
Service Manager attribute CBSSM-Bandwidth.<br>
Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.<br>
Added VENDOR Calix 6321 with a number of Calix prefixed attributes.<br>
Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.<br>
Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.<br>
Added VENDOR Ericsson-PCN 10923 for attributes registered for <br>
vendor Ericsson AB - Packet Core Networks. Added a number of attributes <br>
prefixed with Ericsson-PCN prefix.<br>
Added VENDOR Sandvine 11610 with Sandvine-Group attribute.<br>
Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.<br>
Added VENDOR Overture-4200-4300 16943 with <br>
Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.<br>
Added VENDOR CyanInc 28533 with CyanInc-User-Roles and <br>
CyanInc-Acct-Event-Text attributes.<br>
<br>
Added to default Radius dictionary a number of Extreme fabric attach <br>
VSAs that are defined as VENDOR 562 Nortel. Added VSAs <br>
Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and <br>
Annex-Commands for Extreme and Avaya devices that are defined as VENDOR <br>
1584 Bay-Networks. These all use names that do not follow the de-facto <br>
VSA naming. Fixed a harmless warning in radpwtst if reject or <br>
interactive challenge did not contain a Reply-Message attribute.<br>
<br>
ClientListSQL now disconnects automatically from DB during server <br>
startup when server farm is configured with FarmSize. This avoids <br>
passing DB handle copies to farm workers which could cause errors with <br>
subsequent DB access.<br>
<br>
Fixed a memory leak in ServerDIAMETER where a small amount of memory was <br>
leaked with every connection. Initial CER timeout logging now also <br>
honours log level set with DisconnectTraceLevel.<br>
<br>
AuthBy REST and other modules based on HTTPClient now honour <br>
DisconnectTraceLevel to control how closed connections are logged. <br>
AuthBy REST now logs peer initiated disconnects with DEBUG level.<br>
<br>
Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606 <br>
Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess <br>
(Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs <br>
for VENDOR 7483 Tropic and VENDOR 30065 Arista.<br>
<br>
SQL clauses now support a separate timeout for connects and disconnects. <br>
Some databases may leak resources, such as file descriptors, when <br>
Radiator times out a connection before the DB driver does. With a new <br>
parameter ConnectTimeout, the SQL connection timeout can be different from <br>
the Timeout that is used for SQL queries.<br>
<br>
Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan, <br>
attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new <br>
attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4, <br>
Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.<br>
<br>
Added a script in goodies to create CHAP challenge for direct Monitor <br>
port access. More logging updates to LDAP ServerChecksPassword failures.<br>
<br>
Improved AuthBy LDAP2 logging when ServerChecksPassword triggers <br>
authentication failure because of bad password.<br>
<br>
ServerTACACSPLUS now logs more details about connections that get <br>
immediately closed after being established.<br>
<br>
Minor updates to LSA and NTLM configuration samples.<br>
<br>
Added VENDOR Incognito 3606 VSAs to dictionary.<br>
<br>
Updated VENDOR 3375 F5 VSAs in Radiator default dictionary. Attribute <br>
F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name <br>
Policy-Editor for F5-LTM-value 800 is now an alias for name <br>
Web-Application-Security-Administrator, which appears to have been used <br>
since BIG-IP 10.x, first released in 2009.<br>
<br>
SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in <br>
AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy <br>
YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and <br>
StatsType and OutputFormat in StatsLog clauses now support configuration <br>
time % formatting typically used with %{GlobalVar:name}.<br>
<br>
Fixed deprecated syntax in goodies file AuthPLPSQL.pm.<br>
<br>
Fixed a warning triggered by LDAP modules during configuration loading <br>
when UseSSL was set and Port was configured with a % formatted value.<br>
<br>
Updated radiusd so that it tries to locate Radius::UtilXS similar to how <br>
radpwtst already does. This helps manual configuration testing on <br>
systems that use packages.<br>
<br>
AuthBy NTLM can now rewrite the username that is passed to ntlm_auth. <br>
Example use is Wi-Fi roaming where roaming username cannot be directly <br>
used with Windows authentication because of local naming conflicts with <br>
roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and <br>
Radiator reference manual. Updated other AuthBy NTLM configuration <br>
samples. This is similar to what was added to AuthBy LSA in release 4.22.<br>
<br>
StatsLog and ClientList periodic updates are now scheduled based on <br>
server start time to avoid slowly occurring time drift between the runs. <br>
With FarmSize configuration, it's now possible to configure a spacing <br>
between worker runs to avoid synchronisation across all farm members. <br>
This is supported by StatsLog and ClientList clauses with <br>
FarmWorkerSpacing configuration parameter.<br>
<br>
Updated test.pl to be more reliable in finding Radiator modules with <br>
CentOS 6 and other systems with Perl earlier than 5.16.<br>
<br>
When a Stream connection, such as RadSec or Diameter, is closed, the log <br>
message level can now be configured with DisconnectTraceLevel parameter. <br>
This avoids unnecessary high level log messages when frequently closed <br>
connections are normal.<br>
<br>
Fixed configuration file include directive to work with directories that <br>
have whitespace characters, such as "Program Files". Enhanced include's <br>
error detection and logging in case of unreadable directories and other <br>
problems reading the files. A warning is now logged if a wildcard, such <br>
as 'include/*.cfg', does not expand to any files.<br>
<br>
Updated RADIUS attribute encoding and decoding to be more flexible with <br>
vendor specific formats. This allows, for example, overriding VENDOR 637 <br>
Nokia VSA format to use 1 octet long VSA type field instead of forcing <br>
hardcoded 2 octets.<br>
<br>
StreamTLS server now logs more information about failures, for example, <br>
when TLS version is not acceptable or when client certificates were <br>
required but not received. Reported by Stefan Paetow.<br>
<br>
StatsLog clauses now support StatsExcludeObject and StatsInclude. These <br>
allow, for example, skipping statistics for all Clients while still <br>
supporting exceptions for certain clients. See example in statslog.cfg <br>
in goodies.<br>
<br>
Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to dictionary.<br>
<br>
Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.<br>
<br>
Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was <br>
introduced in release 4.22 and causes TLS, remote host IP and other <br>
settings to remain uninitialised. As a result RadSec started by DNS <br>
roaming connects nowhere.<br>
<br>
BindV6Only global configuration parameter now covers proxy listen <br>
sockets, Gossip UDP listen sockets and Stream server listen sockets, <br>
such as RadSec server socket.<br>
<br>
System error string corresponding to errno was logged by TLS modules for <br>
some errors when errno did not have a useful value. This resulted in <br>
misleading log messages.<br>
<br>
Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer <br>
required. HMAC calculation is done directly with Digest::SHA or Digest::MD5.<br>
<br>
Updated expiration timestamps in users. Expired timestamps caused <br>
test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.<br>
<br>
test.pl now requires more modules to be present and tries to <br>
automatically run MSCHAP tests.<br>
<br>
Enhancements to AuthBy DUO Failmode. Failmode no longer applies to <br>
non-success API return codes that relate to problems with requests sent <br>
by Radiator. Improved Failmode related API reachability and error <br>
logging and handling.<br>
<br>
Log messages now use separate ip/hostname and port instead of ip:port <br>
format which is confusing with IPv6 addresses.<br>
<br>
Radiator now logs a warning if a RADIUS client is defined multiple <br>
times. This may happen, for example, when a client is defined in both <br>
configuration file and ClientListSQL.<br>
<br>
IPv6 address did not work as an LDAP Host parameter value because LDAP <br>
port number was directly appended to Host parameter values during <br>
connect. Appending port is allowed by Net::LDAP API but was not done <br>
correctly with IPv6 LDAP server addresses. Port is no longer appended <br>
and it's passed only as a separate parameter. LDAP log messages were <br>
enhanced.<br>
<br>
AuthBy FREERADIUS now handles Cleartext-Password check item as a <br>
password check item when the new flag configuration parameter <br>
ConvertCleartextPassword is set. Updated configuration sample <br>
freeradius.sql in goodies to enable the newly added parameter by <br>
default. Did other minor updates in the configuration and AuthBy module.<br>
<br>
Fixed a memory leak in TLS based EAP methods and Stream classes, such as <br>
RadSec, where CRL file loading and re-loading did not free temporary <br>
resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan <br>
Tomasek.<br>
<br>
<br>
-- <br>
Heikki Vatiainen <<a href="mailto:hvn@open.com.au" target="_blank">hvn@open.com.au</a>><br>
<br>
Radiator: the most portable, flexible and configurable RADIUS server<br>
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,<br>
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,<br>
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.<br>
<br>
_______________________________________________<br>
radiator mailing list<br>
<a href="mailto:radiator@lists.open.com.au" target="_blank">radiator@lists.open.com.au</a><br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator" rel="noreferrer" target="_blank">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
</blockquote></div>
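<p>The Extended-Vendor-Specific naming described in the quoted release notes (vendor attributes encapsulated by 241.26 through 244.26; unknown ones named Extended-Vendor-Specific-N with the Vendor-Id octets at the front of the value) as an added Python example that is not Radiator's code: a small RFC 6929 encoder and decoder driven by a constructed dictionary. The attribute names Example-Ext-VSA and Example-Ext-Type-1-Attr, the use of the documentation enterprise number 32473 (RFC 5612) and the sample attribute bytes are assumptions made for the example; the length checks are the part a server must get right before it trusts the Vendor-Id and Vendor-Type octets of a received attribute.</p>

```python
import struct

# RFC 6929 "Extended Type" attributes: Type octets 241-244 carry a one-octet
# Extended-Type field right after Length. Mapped to the suffix used in the
# generic names Extended-Type-N / Extended-Vendor-Specific-N. (245/246 are
# Long-Extended-Type with an extra flags octet and are out of scope here.)
EXTENDED_TYPES = {241: 1, 242: 2, 243: 3, 244: 4}
# Extended-Type value 26 marks an Extended-Vendor-Specific attribute whose
# value is Vendor-Id (4 octets), Vendor-Type (1 octet), Vendor-Value.
EXT_VENDOR_SPECIFIC = 26
# 2 (Type, Length) + 1 (Extended-Type) + 4 (Vendor-Id) + 1 (Vendor-Type) <= 255
MAX_EXT_VSA_VALUE = 255 - 8

# Constructed dictionary for this example (hypothetical names, not Radiator's
# dictionary). Vendor-Id 32473 is the enterprise number reserved for
# documentation by RFC 5612. Keys are (attr_type, ext_type) or
# (attr_type, EXT_VENDOR_SPECIFIC, vendor_id, vendor_type).
DICTIONARY = {
    (241, 3): "Example-Ext-Type-1-Attr",
    (241, EXT_VENDOR_SPECIFIC, 32473, 1): "Example-Ext-VSA",
}


def encode_ext_vsa(attr_type, vendor_id, vendor_type, vendor_value):
    """Pack one Extended-Vendor-Specific attribute (Type 241-244, Extended-Type 26)."""
    if attr_type not in EXTENDED_TYPES:
        raise ValueError(f"{attr_type} is not an Extended-Type attribute")
    if len(vendor_value) > MAX_EXT_VSA_VALUE:
        raise ValueError("vendor value too long for a single Extended-Type attribute")
    body = bytes([EXT_VENDOR_SPECIFIC]) + struct.pack("!IB", vendor_id, vendor_type) + vendor_value
    return bytes([attr_type, 2 + len(body)]) + body


def decode_attribute(buf):
    """Decode the first attribute in buf. Returns (name, value, remaining_bytes).

    Unknown extended attributes get the generic names and keep their raw
    octets so they can be re-packed unchanged.
    """
    if len(buf) < 2:
        raise ValueError("truncated attribute header")
    attr_type, length = buf[0], buf[1]
    if length < 2 or length > len(buf):
        raise ValueError(f"bad attribute length {length} for type {attr_type}")
    value, rest = buf[2:length], buf[length:]

    if attr_type not in EXTENDED_TYPES:
        # Classic RFC 2865 attribute; a real decoder would consult the dictionary here.
        return f"Attr-{attr_type}", value, rest

    n = EXTENDED_TYPES[attr_type]
    if not value:
        raise ValueError(f"attribute {attr_type} lacks its Extended-Type octet")
    ext_type, ext_value = value[0], value[1:]

    if ext_type != EXT_VENDOR_SPECIFIC:
        name = DICTIONARY.get((attr_type, ext_type))
        if name is None:
            # Unknown: keep the Extended-Type octet in the value (lossless re-packing).
            return f"Extended-Type-{n}", value, rest
        return name, ext_value, rest

    if len(ext_value) < 5:
        raise ValueError("Extended-Vendor-Specific shorter than Vendor-Id + Vendor-Type")
    vendor_id, vendor_type = struct.unpack("!IB", ext_value[:5])
    name = DICTIONARY.get((attr_type, EXT_VENDOR_SPECIFIC, vendor_id, vendor_type))
    if name is None:
        # Not in the dictionary: generic name, value starts with the Vendor-Id octets.
        return f"Extended-Vendor-Specific-{n}", ext_value, rest
    return name, ext_value[5:], rest


def decode_attributes(buf):
    """Decode a whole attribute list into [(name, value), ...]."""
    out = []
    while buf:
        name, value, buf = decode_attribute(buf)
        out.append((name, value))
    return out


# Constructed sample: a known extended VSA, an unknown one from the same vendor,
# and an unknown plain Extended-Type-2 attribute (type 242, ext-type 7).
SAMPLE_ATTRIBUTES = (
    encode_ext_vsa(241, 32473, 1, b"role=admin")
    + encode_ext_vsa(241, 32473, 99, b"\x01")
    + bytes([242, 5, 7, 0xAA, 0xBB])
)

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE_ATTRIBUTES):
        print(f"{name}: {value.hex()}")
```

<p>Running the block decodes the first sample attribute to Example-Ext-VSA, the second to Extended-Vendor-Specific-1 with 00007ed9 (Vendor-Id 32473) at the front of its value, and the third to Extended-Type-2. A truncated or over-long Length octet raises ValueError before any Vendor-Id is read, which is the behaviour to keep when wiring such a decoder into a server.</p>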
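<p>The Status-Server change in the quoted notes concerns requests from known clients that arrive without a Message-Authenticator. As an added Python example that is not Radiator's code, this builds a Status-Server packet the way RFC 5997 expects (Code 12, random Request Authenticator, Message-Authenticator attribute) and classifies an incoming packet as valid, invalid, missing or malformed using the RFC 2869 HMAC-MD5 construction. The shared secret, identifiers and the function names build_status_server and check_status_server are constructed for the example.</p>

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12           # RADIUS Code for Status-Server (RFC 5997)
MESSAGE_AUTHENTICATOR = 80   # Attribute type (RFC 2869 section 5.14)
HEADER_LEN = 20              # Code, Identifier, Length, Authenticator(16)
MA_ATTR_LEN = 18             # Type, Length, 16-octet HMAC-MD5


def build_status_server(identifier, secret, authenticator=None, with_mac=True):
    """Build a Status-Server packet; with_mac=False yields the bare form without the attribute."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    if not with_mac:
        return struct.pack("!BBH16s", STATUS_SERVER, identifier, HEADER_LEN, authenticator)
    length = HEADER_LEN + MA_ATTR_LEN
    header = struct.pack("!BBH16s", STATUS_SERVER, identifier, length, authenticator)
    # HMAC-MD5 is computed over the packet with the Message-Authenticator value zeroed.
    placeholder = bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN]) + bytes(16)
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + bytes([MESSAGE_AUTHENTICATOR, MA_ATTR_LEN]) + mac


def _find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator attribute, or None if absent."""
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("bad attribute length")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != MA_ATTR_LEN:
                raise ValueError("Message-Authenticator must be 18 octets")
            return offset
        offset += attr_len
    return None


def check_status_server(packet, secret):
    """Classify an incoming Status-Server: 'valid', 'invalid', 'missing' or 'malformed'."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    # RFC 2865: a datagram shorter than Length is discarded; octets beyond Length are padding.
    if code != STATUS_SERVER or length < HEADER_LEN or length > len(packet):
        return "malformed"
    packet = packet[:length]
    try:
        offset = _find_message_authenticator(packet)
    except ValueError:
        return "malformed"
    if offset is None:
        # The case the quoted notes say Radiator 4.25 now logs a warning for.
        return "missing"
    zeroed = packet[:offset + 2] + bytes(16) + packet[offset + MA_ATTR_LEN:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    received = packet[offset + 2:offset + MA_ATTR_LEN]
    # Constant-time comparison so a wrong secret cannot be probed byte by byte.
    return "valid" if hmac.compare_digest(expected, received) else "invalid"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed for the example
    print(check_status_server(build_status_server(7, secret), secret))
    print(check_status_server(build_status_server(8, secret, with_mac=False), secret))
```

<p>The same three outcomes map naturally onto log levels: a missing attribute is worth a warning per known client, a bad HMAC usually means a shared-secret mismatch or a modified packet, and malformed lengths are discarded before any cryptographic work is done.</p>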