We are pleased to announce the release of Radiator version 4.15. This version contains fixes for an EAP-MSCHAP-V2 and EAP-pwd vulnerability. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-01 for more information: https://www.open.com.au/OSC-SEC-2015-01.html
As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/
and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads
Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file https://www.open.com.au/radiator/history.html is below:

-----------------------------
Revision 4.15 (2015-07-15)

Selected fixes, compatibility notes and enhancements

- Fixes an EAP-MSCHAP-V2 and EAP-pwd vulnerability. OSC recommends all users to review OSC security advisory OSC-SEC-2015-01 to see if they are affected. https://www.open.com.au/OSC-SEC-2015-01.html
- perl-ldap-0.32 or better is required. Should be available in all current systems.
- EAP-pwd requires Crypt::OpenSSL::Bignum 0.06 or later from CPAN
- Configurable TLS version and ciphersuite selection for TLS based EAP and stream modules
- CRL checks for the entire certificate chain can now be enabled
- Included Gossip framework with Redis based implementation
- Support for Gossip when communicating next hop proxy failures between Radiator instances
- Shared duplicate cache for a simpler server farm configuration
- Windows Event log support
- Custom format support for logs, authentication logs and accounting logs. CEF and JSON included
- Support for IEEE 802.1AE, also known as MACsec
- All AuthBys now support PostAuthHooks
- Various binary modules are now available from OSC and were removed from the Radiator distribution

Detailed changes

- Added VENDOR STI (Server Technology Inc.) 1718 and multiple STI VSAs to dictionary. Contributed by Garry Shtern.
- Added VENDOR PacketDesign 8083 and VSAs PacketDesign-UserClass and PacketDesign-FTP to dictionary. Contributed by Garry Shtern.
- Added SN-Software-Version to dictionary. Reported by Bruno Tiago Rodrigues.
- Changed type of VENDORATTR 3076 Cisco-VPN-DHCP-Network-Scope in dictionary.cisco-vpn from text to ipaddr. Reported by Kilian Krause.
- Dictionary updates: Added H3C proprietary values H3C-SSH and H3C-Console for Login-Service. Changed Lancom LCS-Mac-Address type from string to hexadecimal. Added H3C-Priority. All reported by Philip Herbert.
- Zero length writes are now skipped in Stream.pm write_pending() used by RadSec, Diameter, SIGTRAN and other stream protocols. SCTP does not support 0 length syswrites on all platforms and may close the socket if a zero length write is done.
- Added VENDOR Airespace 14179 VSAs 7-11 and 13-16 to dictionary.
- AuthBy GROUP now updates the current AuthBy for %{AuthBy:parmname}. When AuthBy GROUP is used, this special formatting now gets the parameter value from the current AuthBy within the group instead of the AuthBy GROUP itself.
- Updated VENDOR 1991 Foundry VSAs in dictionary. foundry-privilege-level is now a synonym for brocade-privilege-level. Added a number of foundry VSAs.
- LDAP Version now defaults to 3 instead of 2. Updated a number of LDAP configuration example files in goodies to reflect this change.
- Ldap.pm now uses the LDAP object's disconnect method, instead of closing the socket directly.
- AuthBy LDAP2 and AuthBy LDAPDIGIPASS now use escape_filter_value provided by Net::LDAP::Util instead of escapeLdapLiteral in Ldap.pm. Ldap.pm escapeLdapLiteral is now deprecated and perl-ldap-0.32 or better is required.
- RefreshPeriod in ClientListSQL and ClientListLDAP now supports special % formatting. Suggested by Bengi Sağlam.
- Updated VENDOR 2011 Huawei VSAs in dictionary. Huawei-Input-Basic-Rate is now an alias for Huawei-Input-Peak-Rate. Huawei-Output-Basic-Rate was changed similarly. Some of the attribute numbers appear to have different names and types between different devices. Huawei-User-Type, Huawei-MIP-Agent-MN-Flag and Huawei-Requested-APN are now aliases but aliasing may be handled with separate dictionary files in the future. Huawei-HW-Portal-Mode was renamed to Huawei-Portal-Mode.
- WiMAX dictionary updates: changed WiMAX-Session-Termination-Capability type to integer and added one value: Dynamic-Authorization. Changed WiMAX-PPAQ TLV Quota-Identifier type to binary.
- WiMAX subattributes within a single Vendor-Specific attribute are now correctly decoded.
- Dictionary updates for Huawei: Reverted the recent aliasing changes. The conflicting attributes are now in a new Huawei specific dictionary file goodies/dictionary.huawei1. This new dictionary file contains attributes used by, for example, Huawei packet gateway / Wi-Fi controller. Since Huawei seems to use device specific dictionaries, additional dictionary files are added as needed.
- Added new AuthLog EVENTLOG and Log EVENTLOG modules for logging to Windows Event Log. Added eventlog.cfg in goodies for a configuration example and more information about how to set up registry and DLL Event Log helpers. Precompiled DLLs are available in goodies\windows-dll with source files and compilation examples.
- radiusd now handles SIGINT (typically from Ctrl-C) similarly to SIGTERM.
- Added support for shared and global DupCache. Radiator now supports 3 different options for the new DupCache configuration parameter: local (the default), shared (uses shared memory) and global (uses Radiator's Gossip framework). When DupCache is set to shared, DupCacheFile sets the location of the mmapped shared memory file. Shared DupCache is recommended when the FarmSize configuration parameter is set. With shared or global DupCache, the backend workers no longer need to have UseContentsForDuplicateDetection enabled. DupCache shared requires the Cache::FastMmap module. Sample configuration eapbalance.cfg in goodies was updated to demonstrate the new configuration parameters DupCache and DupCacheFile.
- Added a number of VENDOR 22610 A10-Networks VSAs in dictionary. Contributed by Scott Bertilson.
- Changed the types of WiMAX-PPAQ TLVs Volume-Quota, Volume-Threshold, Resource-Quota and Resource-Threshold to hexadecimal. This makes the 8 or 12 long values easier to handle in PPAQ applications.
- Updated shared and global DupCache debugging and initialisation. If the required Cache::FastMmap is not available when DupCache is set to 'shared', Radiator will log a message and refuse to start. The availability of Cache::FastMmap is checked during the configuration phase.
- Added support for a Gossip protocol framework and a Redis based Gossip implementation. Radiator's Gossip implementation allows Radiator instances to share information and event notifications. The instances may be part of a server farm, completely separate processes running on the same or different hosts, or any combination thereof. Redis based Gossip is configured with the GossipRedis clause. At first, Gossip support is provided for the RADIUS duplicate cache: when the global configuration parameter DupCache is set to 'global', GossipRedis will be used for the RADIUS duplicate cache. More Radiator modules will be added and upgraded to use the Gossip framework in the future. Requires Data::MessagePack and Redis Perl modules from CPAN.
- Updated AuthLog SQL examples in goodies to use SQL bind variables.
- Added Radiator Gossip framework support to AuthBy RADIUS. Multiple Radiator instances can now communicate next hop host unreachability and reachability information with Gossip messages. This allows, for example, just one member to run Status-Server queries when the FarmSize configuration parameter is enabled. Added new configuration parameter NoKeepaliveTimeoutForChildInstances to limit Status-Server probing to the first farm instance only. The new features are also available to AuthBy RADIUS sub-types, such as ROUNDROBIN and HASHBALANCE. See goodies/farmsize.cfg for a configuration example with shared duplicate cache and Gossip and Redis configuration.
- Updated EAP-pwd to use the unpatched version of Crypt::OpenSSL::Bignum. Radiator 4.14 and earlier required Crypt::OpenSSL::Bignum 0.04 + patches. These patches are no longer needed, and version 0.06 or later from CPAN is now required instead. Caution: Crypt::OpenSSL::Bignum 0.04 + patches in Radiator goodies no longer work with the current version of EAP_52.pm (EAP-pwd). You must update to Crypt::OpenSSL::Bignum 0.06 or later.
- Updated dictionary with new attributes for vendors 14823 Aruba, 25053 Ruckus and 25506 H3C.
- Fixed a problem that could cause a crash if AuthBy RADIUS was configured with the Synchronous parameter, FailureBackoffTime was set and the next hop proxy became unreachable. Reported by Diogo Gonçalves.
- EAP-pwd now correctly adds the user's and AuthBy's reply attributes in the Access-Accept.
- The first components in @INC, the Perl library search locations, are now checked for readability. Unreadable directories may cause hard to diagnose failures when Perl modules are loaded. This may happen, for example, when the radiusd process is started as a user with restricted privileges. Reported by Kilian Krause.
- Added support for AuthBy specific PostAuthHook configuration parameters. All AuthBys can now define a PostAuthHook that will be called when the AuthBy is done processing the request and has returned. The hook parameters are the same as for Handler's PostAuthHook. After the optional PostAuthHook has run, result, reason and Identifier from the AuthBy are saved in $p for subsequent AuthBys and other use. Updated duo.cfg in goodies to use PostAuthHook for password splitting.
- Added support for IEEE 802.1AE, also known as MACsec. Radiator will now return the EAP-Key-Name attribute if requested by the RADIUS client. EAP-Key-Name is supported for the following EAP methods: EAP-FAST, EAP-pwd, EAP-TLS, EAP-TTLS and PEAP.
- RADIUS attributes using the encrypt=2 flag or decode/encode_salted directly now have their initialisation vector set to all zeroes when there would otherwise be a circular dependency between the RADIUS fixed header Authenticator, the initialisation vector, and the encrypted attribute value. This allows, for example, proxying RFC 5176 dynamic authentication requests so that the encrypted values can be correctly recovered, provided that the target also uses a zero IV similarly. Known to work with vendor 6527.
- EAP-TLS now rejects possible EAP-TLS conversation restart attempts instead of replying, again, with an alert. Some EAP-TLS peers, such as Windows, may try to restart the EAP-TLS conversation after certain alerts such as 'Unknown CA'. Reported by Pieter Jan Van Meerbeeck.
- Updated a number of configuration samples in goodies: 'DupInterval 0' is usually not needed and can be harmful. The default value of 10 seconds is preferred and non-default values are only necessary in very unusual circumstances. Handler clauses are in most cases more flexible than Realm clauses. Other typo fixes and small corrections.
- EAP-FAST now checks Net::SSLeay::get_keyblock_size() calls for error return values. Also, Net::SSLeay 1.68 and earlier with OpenSSL 1.0.1 and later may return incorrect values, not errors, for get_keyblock_size(), which cause authentication to fail. The fix in Net::SSLeay 1.69 allows it to return correct values with recent OpenSSL versions, and any error return values are now correctly checked by EAP-FAST.
- Added new configuration parameter TLS_Protocols to set the supported SSL and TLS protocols for Stream based modules, such as Diameter and RadSec. New configurations should use TLS_Protocols instead of UseSSL or UseTLS. TLS_Protocols overrides UseSSL and UseTLS when defined. TLS_Protocols is not defined by default.
- Added new configuration parameter EAPTLS_Protocols to set the supported TLS protocols for TLS based EAP methods, such as EAP-TLS, EAP-TTLS and PEAP. EAPTLS_Protocols is not defined by default. Both TLS_Protocols and EAPTLS_Protocols accept a list of comma separated values. The supported values are: SSLv3, TLSv1, TLSv1.1 and TLSv1.2
- Added new configuration parameters TLS_Ciphers and EAPTLS_Ciphers to define the allowed cipher suites for Stream protocols and TLS based EAP methods. The parameter format is the OpenSSL cipher string format. Both parameters default to DEFAULT:!EXPORT:!LOW. TLS_Ciphers and EAPTLS_Ciphers can be defined separately from TLS_Protocols and EAPTLS_Protocols.
- Updated vendor ZTE 3902 VSAs in dictionary.
- Added support for TLS_Protocols and TLS_Ciphers parameters to Monitor and Server HTTP.
- TLS_Ciphers and EAPTLS_Ciphers now support formatting characters.
- Net::SSLeay and SSL library version, if available, are now logged after SSL library initialisation.
- Added goodies/logformat.cfg, showing how to use LogFormatHook for the authentication log and AcctLogFileFormatHook for accounting messages. Added LogFormat.pm with sample hooks for formatting accounting messages in JSON format and authentication log entries in JSON and CEF (ArcSight Common Event Format) formats.
- Removed non-functional support for the obsolete RSA ephemeral keying. See TLS_DHFile, EAPTLS_DHFile, TLS_ECDH_Curve and EAPTLS_ECDH_Curve for the currently supported forward secrecy methods.
- Updated Radiator's Gossip module Perl requirements based on suggestions by Alan Buxey.
- Testing with Net::SSLeay 1.69 and LibreSSL 2.2.0. OK.
- Added support for CRL checks for the entire certificate chain. New configuration parameters EAPTLS_CRLCheckAll for TLS based EAP methods and TLS_CRLCheckAll for stream based protocols, such as RadSec and Diameter, enable X509_V_FLAG_CRL_CHECK_ALL to turn on CRL checks for the entire certificate chain. Note: you need to also have EAPTLS_CRLCheck or TLS_CRLCheck enabled for any CRL checks to happen. If the CRL files for the intermediate CAs are not found, the certificate check fails with: 'SSL3_GET_CLIENT_CERTIFICATE:no certificate returned'.
- Updated configuration samples in goodies to include the recently added TLS and related parameters. Updated other goodies files with various other fixes.
- Documented SSLCiphers in the reference manual and updated the LDAP SSLCiphers default value from 'ALL' to 'DEFAULT:!EXPORT:!LOW'.
- Updated ldap.cfg to mention possible interoperability problems between HoldServerConnection and ServerChecksPassword when both are set. Suggested by Niels Monen. Documented SSLCiphers in ldap.cfg.
- Removed Authen::Digipass and Authen::ACE4 binary modules from the Radiator distribution. Direct contact with OSC is now preferred to find out how to compile these modules for your chosen OS, Perl version, Perl distribution and 32 or 64 bit platform.
- Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.22.
- DBM file handling is not working on Strawberry Perl 5.20 or 5.22. Disabled AuthBy DBMFILE checks in test.pl on Windows while this is investigated.
- Updates to EAP-MSCHAP-V2 and EAP-pwd identity handling. See OSC security advisory OSC-SEC-2015-01.

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
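Editor's added example, not part of the announcement above and not a file shipped by OSC: a radius.cfg fragment that puts the 4.15 items on TLS protocol and cipher selection, chain-wide CRL checking, the shared duplicate cache for a server farm, and the per-AuthBy PostAuthHook together in one place. It pins both the RadSec listener and EAP-TLS to TLSv1.2 only (SSLv3, TLSv1 and TLSv1.1 are accepted values for TLS_Protocols and EAPTLS_Protocols, but a practitioner would not enable them), tightens the DEFAULT:!EXPORT:!LOW cipher default a little further, and shows the CRLCheck / CRLCheckAll pairing the changelog warns about: CRLCheckAll alone checks nothing, and once it is on, a missing intermediate CA CRL fails every client certificate check. The certificate and CRL paths, the hook file, the farm size of 4 and the assumption that TLS_CRLFile and EAPTLS_CRLFile may be repeated once per issuing CA are mine; everything else is named in the changelog or in the Radiator reference manual.

```apacheconf
# Added example configuration fragment (not from the Radiator distribution).
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   3

# Server farm: FarmSize radiusd workers share the listening sockets.
# With DupCache shared, duplicate detection uses one mmapped file shared by
# all workers (Cache::FastMmap required; radiusd refuses to start without it),
# so the workers no longer need UseContentsForDuplicateDetection.
# DupCache global would use the Gossip framework and a GossipRedis clause
# instead; see goodies/farmsize.cfg for that variant.
FarmSize     4
DupCache     shared
DupCacheFile %D/dupcache.mmap
# DupInterval is deliberately left at its default of 10 seconds.

# RadSec listener. TLS_Protocols supersedes UseSSL / UseTLS; only TLS 1.2 is
# enabled here although SSLv3, TLSv1 and TLSv1.1 are also accepted values.
<ServerRADSEC>
    Port                 2083
    TLS_Protocols        TLSv1.2
    TLS_Ciphers          DEFAULT:!EXPORT:!LOW:!aNULL:!RC4
    TLS_CAFile           %D/certificates/ca-chain.pem
    TLS_CertificateType  PEM
    TLS_CertificateFile  %D/certificates/radsec-server.pem
    TLS_PrivateKeyFile   %D/certificates/radsec-server.key
    TLS_RequireClientCert
    # Revocation for the whole chain: TLS_CRLCheckAll has no effect unless
    # TLS_CRLCheck is also set, and then a CRL is needed for every CA in the
    # chain or the check fails with 'no certificate returned'.
    TLS_CRLCheck
    TLS_CRLCheckAll
    TLS_CRLFile          %D/certificates/root-ca.crl
    TLS_CRLFile          %D/certificates/intermediate-ca.crl
    # Forward secrecy (the removed RSA ephemeral keying is not an option).
    TLS_ECDH_Curve       prime256v1
</ServerRADSEC>

# EAP-TLS for 802.1X supplicants: the same knobs with the EAPTLS_ prefix.
<Handler>
    <AuthBy FILE>
        Filename               %D/users
        EAPType                TLS
        EAPTLS_Protocols       TLSv1.2
        EAPTLS_Ciphers         DEFAULT:!EXPORT:!LOW:!aNULL:!RC4
        EAPTLS_CAFile          %D/certificates/ca-chain.pem
        EAPTLS_CertificateType PEM
        EAPTLS_CertificateFile %D/certificates/eap-server.pem
        EAPTLS_PrivateKeyFile  %D/certificates/eap-server.key
        EAPTLS_CRLCheck
        EAPTLS_CRLCheckAll
        EAPTLS_CRLFile         %D/certificates/root-ca.crl
        EAPTLS_CRLFile         %D/certificates/intermediate-ca.crl
        EAPTLS_ECDH_Curve      prime256v1
        # New in 4.15: runs when this AuthBy has finished with the request.
        # Same arguments as the Handler PostAuthHook; hook file path is assumed.
        PostAuthHook file:"%D/eap-post-auth-hook.pl"
    </AuthBy>
</Handler>
```

When rolling this out, publish the intermediate CA's CRL before enabling the CRLCheckAll flags, and watch the Trace 3 log for the 'no certificate returned' failure the changelog describes; it is the symptom of a missing CRL, not of a bad client certificate. The same TLS_Protocols and TLS_Ciphers parameters also apply to the Monitor and Server HTTP clauses in 4.15, so they can be hardened with identical values.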