Just noticed a typo in the main dictionary file, line 9820 (o/r switched):

VENDORATTR 14988 Mikortik-DHCP-Option-Param-STR2 25 string
Regards,
Eddie

On Tue, Oct 20, 2020 at 5:42 PM Heikki Vatiainen <h...@open.com.au> wrote:
> We are pleased to announce the release of Radiator version 4.25
>
> This version contains new features, enhancements and bug fixes.
> Notable new features relate to Ansible, Docker and extended RADIUS
> attribute formats. See below for the details.
>
> As usual, the new version is available to current licensees
> and evaluators from:
> https://radiatorsoftware.com/downloads/
>
> Licensees with expired access contracts can renew at:
> https://radiatorsoftware.com/renewal-order/
>
> An extract from the history file
> https://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
>
> Revision 4.25 (2020-10-20) new features, enhancements and bug fixes
>
>
> Selected compatibility notes, enhancements and fixes
>
> Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8,
> Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker
> directory.
>
> Ansible playbooks for installing, upgrading and managing Radiator with
> Ansible were added in goodies Ansible directory.
>
> Added initial support for RFC 6929 and 8044 formats and data types. If a
> vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or
> 244.26 is received but it is not present in the dictionary, it is now
> named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts
> with the Vendor-Id octets. Naming may change in the future Radiator
> releases.
>
> Hash balance proxy algorithm was significantly enhanced.
>
> Oracle Linux is tested to work with the el7 and el8 packages.
>
> New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu
> 20.04.
>
> Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now
> an alias. The preferred name is Web-Application-Security-Administrator.
>
> BindV6Only update may in rare configurations change existing behaviour.
> If you have BindV6Only enabled, see startup debug messages for affected
> listen sockets.
>
>
> Known caveats and other notes
>
> TLSv1.3 remains disabled by default for TLS based EAP methods and Stream
> based classes, such as RadSec.
>
> EAP-FAST functionality is reported to vary between TLS versions, TLS
> library security level settings and client implementations.
>
>
> Detailed changes
>
> Added Win32-Lsa module for 64bit Strawberry Perl 5.32.
>
> When a Status-Server request is received from a known client without a
> Message-Authenticator, Radiator now logs a warning before the request.
> Previously these requests were ignored without any logging. Noted by
> Michael Hulko.
>
> DiaClient no longer creates zero length Destination-Host and
> Destination-Realm AVPs when child classes leave their DestinationHost
> and DestinationRealm configuration parameters unset. This affects
> DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy
> AKAWX which now have better control setting the values for the AVPs.
> This reverts the behaviour to how Radiator 4.16 and earlier worked.
>
> Removed DupInterval 0 from all goodies configuration samples. This is no
> longer needed even with testing because duplicate detection has for a
> long time used methods recommended by RFC 5080. Updated AuthBy ACE
> configuration information.
>
> Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8,
> Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker
> directory. Docker containers based on these files have Radiator and
> Radius::UtilXS installed, and a single Radiator instance running when
> the container is run. Multiple Radiator instances can be run by running
> multiple Docker containers.
>
> Added vendor specific attributes needed by Ruckus ICX devices. For
> VENDOR 1991 Foundry: Foundry-COA-Command-List,
> Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus:
> Ruckus-FlexAuth-AVP.
>
> Updated Radiator MSI package to use Strawberry Perl 5.32.0.1 and
> Radius::UtilXS 2.3-1.
>
> Added initial support for RFC 6929 and 8044 formats and data types.
> Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the
> default RADIUS dictionary. Added vendor specific attributes for VENDOR
> 6527 Nokia (formerly 'Alcatel-Lucent') that are encapsulated within IANA
> attribute 241 Extended-Type-1.
> Received extended attributes use dictionary names as usual. If a
> vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or
> 244.26 is not present in dictionary, it is now named as
> Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts
> with the Vendor-Id octets.
> Attributes added with names such as Extended-Type-1 and
> Extended-Vendor-Specific-1 are packed without further processing of the
> value. This is similar to how packing was done previously.
>
> Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN
> and Juniper-CWA-Redirect-URL to dictionary.
>
> Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the
> default RADIUS dictionary.
>
> Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to
> dictionary.
>
> Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary
> for VENDOR 1556 Sonus Networks. This vendor code was previously assigned
> to Performance Technologies, Inc.
>
> Updated EAP-TLS NoCheckId documentation and configuration sample.
> Improved Ansible playbook output to show clearly Radiator instance status.
>
> AuthBy HASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now
> distribute requests more equally among remaining next hop hosts when a
> next hop host fails. Previously the requests destined to a failed host
> were proxied to only one of the remaining hosts.
>
> Added instructions how to edit Radiator Software Ansible playbooks to
> support other Linux distributions like Oracle Linux.
>
> Radiator's Radius::UtilXS package now provides an interface to AES
> functions required by SIM pack. This allows using OpenSSL or LibreSSL
> instead of Crypt::Rijndael.
>
> Updated configuration samples to work without changes when using RPM or
> deb packages. LogDir, DictionaryFile, certificate location and other
> settings now point to locations the packages use and create.
>
> Ansible playbooks for deploying Radiator from RPM/deb packages and
> managing Radiator instances.
>
> DictionaryFile, ClientListSQL flags column, and some other configuration
> parameters that use a comma to separate file names and other arguments,
> now allow spaces around the comma.
>
> Enhanced virtual systemd service (radiator-instances.service) to control
> multiple instances without a need to change service file configuration.
> This change offers an enhanced feature but does not affect previous
> functionality.
>
> Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute
> Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name
> and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the
> default Radiator dictionary. Updated VENDOR 5 Acc attributes based on
> draft-ilgun-radius-accvsa-02.
>
> Added a new dictionary file dictionary.cambium-motorola-161 in goodies.
> This file includes Motorola-Canopy and Cambium-Canopy attributes
> contributed by Brandon Shiers. These attributes are in a separate file
> because the default dictionary already contains Motorola WiMAX
> attributes which use the same overlapping vendor number 161.
>
> Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from
> TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support.
> Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061
> version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and
> 3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.
>
> DiameterDictionaryFile attributes are now added to all dictionaries in
> addition to base dictionary. ServerDIAMETER now uses Diameter dictionary
> of Diameter request or answer when converting to and from Diameter and
> Radius. Previously base dictionary was used for conversion. Enhanced
> debug log messages and simplified code related to loading and using
> dictionaries.
>
> Updated VENDOR Mikrotik 14988 attributes with the latest additions.
>
> Updated VENDOR Aruba 14823 attributes with the latest additions.
>
> Multiple dictionary updates: New file dictionary.nokia-637 was added for
> vendor 637 Nokia (formerly 'Alcatel-Lucent') for those attributes that
> do not use the special 'format=2,1' vendor 637 attributes use in the
> default dictionary.
>
> Added attributes from multiple vendors to the default dictionary:
> Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR
> and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
> Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with
> a number of CVPN5000 prefixed attributes.
> Added VENDOR Adtran 664 with a number of Adtran prefixed
> attributes.
> Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband
> Service Manager attribute CBSSM-Bandwidth.
> Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.
> Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
> Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.
> Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.
> Added VENDOR Ericsson-PCN 10923 for attributes registered for
> vendor Ericsson AB - Packet Core Networks. Added a number of attributes
> prefixed with Ericsson-PCN prefix.
> Added VENDOR Sandvine 11610 with Sandvine-Group attribute.
> Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
> Added VENDOR Overture-4200-4300 16943 with
> Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
> Added VENDOR CyanInc 28533 with CyanInc-User-Roles and
> CyanInc-Acct-Event-Text attributes.
>
> Added to default Radius dictionary a number of Extreme fabric attach
> VSAs that are defined as VENDOR 562 Nortel. Added VSAs
> Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and
> Annex-Commands for Extreme and Avaya devices that are defined as VENDOR
> 1584 Bay-Networks. These all use names that do not follow the de-facto
> VSA naming. Fixed a harmless warning in radpwtst if reject or
> interactive challenge did not contain a Reply-Message attribute.
>
> ClientListSQL now disconnects automatically from DB during server
> startup when server farm is configured with FarmSize. This avoids
> passing DB handle copies to farm workers which could cause errors with
> subsequent DB access.
>
> Fixed a memory leak in ServerDIAMETER where a small amount of memory was
> leaked with every connection. Initial CER timeout logging now also
> honours log level set with DisconnectTraceLevel.
>
> AuthBy REST and other modules based on HTTPClient now honour
> DisconnectTraceLevel to control how closed connections are logged.
> AuthBy REST now logs peer initiated disconnects with DEBUG level.
>
> Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606
> Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess
> (Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs
> for VENDOR 7483 Tropic and VENDOR 30065 Arista.
>
> SQL clauses now support a separate timeout for connects and disconnects.
> Some databases may leak resources, such as file descriptors, when
> Radiator times out a connection before the DB driver does. With a new
> parameter ConnectTimeout, SQL connection timeout can be different from
> Timeout that is used for SQL queries.
>
> Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan,
> attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new
> attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4,
> Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.
>
> Added a script in goodies to create CHAP challenge for direct Monitor
> port access. More logging updates to LDAP ServerChecksPassword failures.
>
> Improved AuthBy LDAP2 logging when ServerChecksPassword triggers
> authentication failure because of bad password.
>
> ServerTACACSPLUS now logs more details about connections that get
> immediately closed after being established.
>
> Minor updates to LSA and NTLM configuration samples.
>
> Added VENDOR Incognito 3606 VSAs to dictionary.
>
> Updated VENDOR 3375 F5 VSAs in Radiator default dictionary. Attribute
> F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name
> Policy-Editor for F5-LTM-value 800 is now an alias for name
> Web-Application-Security-Administrator, which appears to have been used
> since BIG-IP 10.x, first released in 2009.
>
> SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in
> AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy
> YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and
> StatsType and OutputFormat in StatsLog clauses now support configuration
> time % formatting typically used with %{GlobalVar:name}.
>
> Fixed deprecated syntax in goodies file AuthPLPSQL.pm.
>
> Fixed a warning triggered by LDAP modules during configuration loading
> when UseSSL was set and Port was configured with a % formatted value.
>
> Updated radiusd so that it tries to locate Radius::UtilXS similar to how
> radpwtst already does. This helps manual configuration testing on
> systems that use packages.
>
> AuthBy NTLM can now rewrite the username that is passed to ntlm_auth.
> Example use is Wi-Fi roaming where roaming username can not be directly
> used with Windows authentication because of local naming conflicts with
> roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and
> Radiator reference manual. Updated other AuthBy NTLM configuration
> samples. This is similar to what was added to AuthBy LSA in release 4.22.
>
> StatsLog and ClientList periodic updates are now scheduled based on
> server start time to avoid slowly occurring time drift between the runs.
> With FarmSize configuration, it's now possible to configure a spacing
> between worker runs to avoid synchronisation across all farm members.
> This is supported by StatsLog and ClientList clauses with
> FarmWorkerSpacing configuration parameter.
>
> Updated test.pl to be more reliable in finding Radiator modules with
> CentOS 6 and other systems with Perl earlier than 5.16.
>
> When a Stream connection, such as RadSec or Diameter, is closed, the log
> message level can now be configured with DisconnectTraceLevel parameter.
> This avoids unnecessary high level log messages when frequently closed
> connections are normal.
>
> Fixed configuration file include directive to work with directories that
> have whitespace characters, such as "Program Files". Enhanced include's
> error detection and logging in case of unreadable directories and other
> problems reading the files. A warning is now logged if a wildcard, such
> as 'include/*.cfg', does not expand to any files.
>
> Updated RADIUS attribute encoding and decoding to be more flexible with
> vendor specific formats. This allows, for example, overriding VENDOR 637
> Nokia VSA format to use 1 octet long VSA type field instead of forcing
> hardcoded 2 octets.
>
> StreamTLS server now logs more information about failures, for example,
> when TLS version is not acceptable or when a client certificate was
> required but not received. Reported by Stefan Paetow.
>
> StatsLog clauses now support StatsExcludeObject and StatsInclude. These
> allow, for example, skipping statistics for all Clients while still
> supporting exceptions for certain clients. See example in statslog.cfg
> in goodies.
>
> Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to
> dictionary.
>
> Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.
>
> Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was
> introduced in release 4.22 and causes TLS, remote host IP and other
> settings to remain uninitialised. As a result RadSec started by DNS
> roaming connects nowhere.
>
> BindV6Only global configuration parameter now covers proxy listen
> sockets, Gossip UDP listen sockets and Stream server listen sockets,
> such as RadSec server socket.
>
> System error string corresponding to errno was logged by TLS modules for
> some errors when errno did not have a useful value. This resulted in
> misleading log messages.
>
> Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer
> required. HMAC calculation is done directly with Digest::SHA or
> Digest::MD5.
>
> Updated expiration timestamps in users. Expired timestamps caused
> test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.
>
> test.pl now requires more modules to be present and tries to
> automatically run MSCHAP tests.
>
> Enhancements to AuthBy DUO Failmode. Failmode no longer applies to
> non-success API return codes that relate to problems with requests sent
> by Radiator. Improved Failmode related API reachability and error
> logging and handling.
>
> Log messages now use separate ip/hostname and port instead of ip:port
> format which is confusing with IPv6 addresses.
>
> Radiator now logs a warning if a RADIUS client is defined multiple
> times. This may happen, for example, when a client is defined in both
> configuration file and ClientListSQL.
>
> IPv6 address did not work as a LDAP Host parameter value because LDAP
> port number was directly appended to Host parameter values during
> connect. Appending port is allowed by Net::LDAP API but was not done
> correctly with IPv6 LDAP server addresses. Port is no longer appended
> and it's passed only as a separate parameter. LDAP log messages were
> enhanced.
>
> AuthBy FREERADIUS now handles Cleartext-Password check item as a
> password check item when the new flag configuration parameter
> ConvertCleartextPassword is set. Updated configuration sample
> freeradius.sql in goodies to enable the newly added parameter by
> default. Did other minor updates in the configuration and AuthBy module.
>
> Fixed a memory leak in TLS based EAP methods and Stream classes, such as
> RadSec, where CRL file loading and re-loading did not free temporary
> resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan
> Tomasek.
>
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
> EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
>
> _______________________________________________
> radiator mailing list
> radiator@lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
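The typo Eddie reports above (a transposed vendor prefix in a VENDORATTR line) is the kind of defect a consistency check over the dictionary file catches before it reaches a server. The following is an added example, not code from the Radiator project or from anyone in this thread. It assumes a simplified Radiator-style syntax (`VENDOR <name> <id>` and `VENDORATTR <id> <name> <number> <type>`; other keywords are skipped), the constructed excerpt embedded below, and a near-miss heuristic of its own: a prefix is only reported when it is within two edits of the vendor name, so legitimately different prefixes such as the Annex-* attributes under VENDOR 1584 Bay-Networks mentioned in the announcement are not flagged.

```python
"""Consistency checks for a Radiator-style RADIUS dictionary (added example).

Assumed line formats (a simplification of the Radiator dictionary syntax):
    VENDOR      <vendor-name> <vendor-id>
    VENDORATTR  <vendor-id> <attribute-name> <attribute-number> <type>
Text after '#' is a comment; any other keyword is ignored.
"""
from dataclasses import dataclass, field

# Type names accepted by this example (assumption; Radiator supports more).
KNOWN_TYPES = {"string", "integer", "ipaddr", "ipv6addr", "date", "binary", "octets"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters. 'Mikortik' vs 'Mikrotik' is one adjacent swap -> 1."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


@dataclass
class Report:
    vendors: dict = field(default_factory=dict)   # vendor-id -> vendor name
    problems: list = field(default_factory=list)  # (line number, message)


def check_dictionary(text: str) -> Report:
    """Parse the dictionary text and report structural problems."""
    report = Report()
    vendorattrs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR":
            if len(fields) < 3 or not fields[2].isdigit():
                report.problems.append((lineno, "malformed VENDOR line"))
                continue
            name, vid = fields[1], int(fields[2])
            if vid in report.vendors:
                report.problems.append((lineno, f"vendor id {vid} already defined as {report.vendors[vid]}"))
            report.vendors[vid] = name
        elif keyword == "VENDORATTR":
            if len(fields) < 5 or not (fields[1].isdigit() and fields[3].isdigit()):
                report.problems.append((lineno, "malformed VENDORATTR line"))
                continue
            vendorattrs.append((lineno, int(fields[1]), fields[2], int(fields[3]), fields[4]))

    # Second pass, so VENDORATTR lines may precede their VENDOR line in the file.
    seen_numbers = {}
    for lineno, vid, name, number, attr_type in vendorattrs:
        vendor = report.vendors.get(vid)
        if vendor is None:
            report.problems.append((lineno, f"{name}: vendor id {vid} has no VENDOR line"))
            continue
        if attr_type not in KNOWN_TYPES:
            report.problems.append((lineno, f"{name}: unknown type {attr_type!r}"))
        prefix = name.split("-", 1)[0]
        # Only a near miss of the vendor name is reported; unrelated prefixes are legitimate.
        if prefix.lower() != vendor.lower() and osa_distance(prefix, vendor) <= 2:
            report.problems.append((lineno, f"{name}: prefix {prefix!r} looks like a misspelling of vendor {vendor!r}"))
        key = (vid, number)
        if key in seen_numbers:
            report.problems.append((lineno, f"{name}: attribute number {number} already used by {seen_numbers[key]}"))
        else:
            seen_numbers[key] = name
    return report


# Constructed excerpt in Radiator dictionary style; only the Mikortik line is
# taken from the thread, the other attribute names and numbers are made up.
SAMPLE_DICTIONARY_TEXT = """\
# constructed sample, not the real Radiator dictionary
VENDOR      Mikrotik        14988
VENDOR      Bay-Networks    1584
VENDORATTR  14988   Mikrotik-Example-One                9   string
VENDORATTR  14988   Mikortik-DHCP-Option-Param-STR2     25  string
VENDORATTR  14988   Mikrotik-Example-Two                26  integer
VENDORATTR  14988   Mikrotik-Example-Duplicate          26  integer
VENDORATTR  1584    Annex-Cli-Commands                  3   string
VENDORATTR  99999   Unknown-Vendor-Attr                 1   string
"""

if __name__ == "__main__":
    for lineno, message in check_dictionary(SAMPLE_DICTIONARY_TEXT).problems:
        print(f"line {lineno}: {message}")
```

Run against the real dictionary file, the script reads it with `check_dictionary(open(path).read())`; the near-miss threshold of 2 is a tuning choice and short vendor names will produce more false positives than long ones.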
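The announcement describes how an extended vendor-specific attribute (RFC 6929 types 241 to 244 carrying Extended-Type 26) that is absent from the dictionary is named Extended-Vendor-Specific-1 to -4, with a value beginning with the Vendor-Id octets, and that such attributes are packed without further processing of the value. The decoder and encoder below are an added example that is not Radiator's own code; the dictionary key shape `(type, vendor_id, vendor_type)`, the attribute name `Nokia-Example-Attr` and the sample octets are assumptions constructed for the example, and the minimum length of 8 octets is this example's own check.

```python
"""Decode and encode RFC 6929 extended vendor-specific attributes (added example).

Wire layout of Extended-Vendor-Specific-N (N = 1..4 for Type 241..244):
    Type(1) Length(1) Extended-Type(1)=26 Vendor-Id(4) Vendor-Type(1) Value...
"""

EXTENDED_TYPES = {241: 1, 242: 2, 243: 3, 244: 4}   # IANA Type -> "-N" suffix
EXTENDED_VSA = 26                                    # Extended-Type for vendor-specific
HEADER_LEN = 8                                       # octets before the vendor value

# Constructed lookup: (Type, Vendor-Id, Vendor-Type) -> attribute name.
# Key shape and name are assumptions of this example, not Radiator's structure.
# Vendor 6527 is the Nokia vendor id the announcement mentions for Type 241.
EXTENDED_DICTIONARY = {
    (241, 6527, 1): "Nokia-Example-Attr",
}


def decode_extended_vsa(attr: bytes, dictionary: dict = EXTENDED_DICTIONARY) -> dict:
    """Return name, vendor id, vendor type and value of one 241.26-244.26 attribute.

    Unknown attributes get the generic Extended-Vendor-Specific-N name and a value
    that keeps the Vendor-Id octets in front, as the release notes describe."""
    if len(attr) < HEADER_LEN:
        raise ValueError("attribute too short for Vendor-Id and Vendor-Type")
    attr_type, length, ext_type = attr[0], attr[1], attr[2]
    if length != len(attr):
        raise ValueError(f"Length octet {length} does not match {len(attr)} octets received")
    if attr_type not in EXTENDED_TYPES:
        raise ValueError(f"type {attr_type} is not an Extended-Type attribute (241-244)")
    if ext_type != EXTENDED_VSA:
        raise ValueError(f"Extended-Type {ext_type} is not vendor-specific (26)")
    vendor_id = int.from_bytes(attr[3:7], "big")
    vendor_type = attr[7]
    name = dictionary.get((attr_type, vendor_id, vendor_type))
    if name is None:
        return {"name": f"Extended-Vendor-Specific-{EXTENDED_TYPES[attr_type]}",
                "vendor_id": vendor_id, "vendor_type": vendor_type, "value": attr[3:]}
    return {"name": name, "vendor_id": vendor_id, "vendor_type": vendor_type,
            "value": attr[HEADER_LEN:]}


def encode_extended_vsa(attr_type: int, vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Pack a vendor value; the value octets are copied as-is, without further processing."""
    if attr_type not in EXTENDED_TYPES:
        raise ValueError(f"type {attr_type} is not an Extended-Type attribute (241-244)")
    if not 0 <= vendor_id < 2 ** 32 or not 0 <= vendor_type < 256:
        raise ValueError("Vendor-Id must fit 4 octets and Vendor-Type 1 octet")
    body = bytes([EXTENDED_VSA]) + vendor_id.to_bytes(4, "big") + bytes([vendor_type]) + value
    length = 2 + len(body)
    if length > 255:
        raise ValueError("value too long for the one-octet Length field")
    return bytes([attr_type, length]) + body


if __name__ == "__main__":
    # Constructed attribute: Type 241, Vendor-Id 6527, Vendor-Type 1, value b"test".
    known = b"\xf1\x0c\x1a\x00\x00\x19\x7f\x01test"
    print(decode_extended_vsa(known))
    print(decode_extended_vsa(encode_extended_vsa(243, 6527, 2, b"x")))
```

The Length check rejects an attribute whose declared length disagrees with the octets actually present, which is the usual first line of defence in a RADIUS decoder before any field is read.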