We are pleased to announce the release of Radiator version 4.17. This version contains enhancements, new features, security and other fixes described below.
As usual, the new version is available to current licensees and evaluators from: https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at: https://www.open.com.au/renewal.html

An extract from the history file https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.17 (2016-09-21) enhancements, new features, security and other fixes

Selected compatibility notes, enhancements and fixes

radiusd now exits during startup if it can not load the objects required by the configuration file.

Hooks and custom code that call get_plaintext_password or translate_password should be checked for compatibility.

AuthBy RADSEC now supports Radiator's Gossip framework for reachability information.

Any hooks or custom code that needs to save data across resumed EAP-TLS, EAP-TTLS or PEAP authentication sessions must now use resume context. See EAP.pm for the details.

RADIUS dictionary name space was changed for IANA registered attributes. Any hooks or custom code that accesses the RADIUS dictionary, or does RADIUS - Diameter conversion, may need updates.

JSON time stamp formats were corrected and unified in LogFormat.pm.

AuthBy DUO now does pre-authentication by default.

AddressAllocator SQL now supports IPv6 prefix allocation.

Session resumption for TLS based EAP methods was enhanced.

Many new features and options for SessionDatabase modules.

AuthBy RADIUS supports configuration parameter Asynchronous for easier AuthByPolicy handling.

New MessageLog clauses for logging RADIUS and other messages.

StatsLog updates including cumulative and derivative statistics.

HTTP digest authentication must now be enabled on a per AuthBy basis.

Security fixes for AuthBy LDAP2 when used with EAP.
OSC recommends all AuthBy LDAP2 users to review OSC security advisory OSC-SEC-2016-01 https://www.open.com.au/OSC-SEC-2016-01.html

Features not in this release yet, known caveats and other notes

OCSP support

Selection of proxy algorithms for AuthBy RADSEC

No testing with OpenSSL 1.1.0. Testing with OpenSSL 1.0.2h, Net::SSLeay 1.78, IOS 10, Android 7 and Windows 10

PEAP session resumption sometimes fails on Windows. Further investigation is ongoing

Major documentation update. Radiator reference manual is available in HTML format again

Detailed changes

Updated debug log messages for Stream classes. The stream client and server now log the destination name and its currently resolved address more clearly in the debug log messages. This affects log messages for RadSec, Diameter, ServerHTTP and other Stream based modules.

AuthBy RADSEC now logs packet dumps for the Status-Server replies it receives from the next hop proxy.

The Port configuration variable is now formatted when RadSec Host is activated. This allows logging the actual port number instead of the unformatted configuration value.

Added Gossip support for AuthBy RADSEC. The RadSec Hosts can now distribute next hop proxy reachability information with Gossip. The configured Host name, not the current IP address, is used as the key when determining if the current report should be processed. The behaviour is currently slightly different from AuthBy RADIUS. Updated radsec-client.cfg in goodies. Suggested by Jan Tomasek.

Updated AuthBy RADSEC log messages to be more clear about destination name, IP address and port.

While loading dictionaries, Radiator now logs a warning when the vendor has not been defined for a vendor specific attribute.

Correct configuration file names are now logged when there are errors parsing the included configuration files during radiusd startup. Previously the file name might have been the main configuration file name. Reported by Kilian Krause.
Clause ends are now checked for matching starts while the configuration file is read. Possible mismatches and incorrectly ended clauses are logged with a warning, but no other action is currently taken.

Gossip messages sent by one AuthBy RADIUS module will now be accepted by all the other AuthBy RADIUS modules within the same radiusd instance. Previously the messages were always ignored when they originated from the same instance. This behaviour is now similar to what AuthBy RADSEC does.

AuthRADIUS and AuthRADSEC now include the type of the failed request in the Gossip messages. A module using UseStatusServerForFailureDetect will now act only on failed Status-Server requests. With report and help from Paul Dekkers.

AuthBy LDAP2 now logs the search filter with the query results.

Added VENDOR 3GPP 10415 VSA 3GPP-User-Location-Info-Time from document TS 29.061 version 12.10.0 to dictionary.

AuthBy DYNADDRESS now uses MapAttribute yiaddr when processing Accounting-Requests. Previously the address was always fetched from Framed-IP-Address.

AddressAllocator SQL now supports IPv6 prefix allocation. Updated addressallocator.cfg in goodies.

Fixed a problem in ServerTACACSPLUS where some requests sent by a high volume client were discarded during read.

New example farmchildhook.txt in goodies shows how to use FarmChildHook to rotate AuthPort, AcctPort and DBSource. Used in FarmChildHook EAP environments with a backend radius behind HASHBALANCE or similar. See the file for full details. Contributed by Christian Kratzer, CK Software GmbH.

Added support for PoolGroup and Priority configuration parameters for AddressAllocator SQL AddressPools. These parameters set the values for specials %4 and %5 for AddAddressQuery. A PoolGroup defines a name to group multiple pools with different priorities set by Priority. Suggested by Damjan Kukas.

Added new hook NoAddressHook for the SQL allocator.
The hook is called when there are no addresses left or the allocation fails because of too many simultaneous tries. The hook is passed references to $p, $rp, $result, $reason and the value of pool hint. To change the type of reply, you should change $result from $main::REJECT to the desired value.

Enhancements to SessionDatabase configuration within Handlers. New Handler parameter SessionDatabaseOptions is available for: turning off session delete to clean up possibly hung sessions during authentication, enabling SessionDatabaseUseRewrittenName, turning on adding sessions before authentication and turning on adding sessions after successful authentication.

Gossip framework now supports forget() to remove a message previously posted with note(). In case of Redis backend, forget maps to Redis DEL command.

Updated GossipRedis default Timeout from 3 to 1 seconds. Timeout is now also used for: sentinel connections, sentinel reads, sentinel writes, server read and server write in addition to server connections.

Fixed some typos in Gossip sample file farmsize.cfg.

NAS-IPv6-Address, if present, is now a possible value for NAS identifier if there is no NAS-IP-Address. This allows, for example, session database modules to use NAS-IPv6-Address if present in the request.

Removed unneeded code from various modules since RecvFromAddress is always present in the current request.

Radiator can now do delayed restart or termination. The action is delayed until there are no more requests to serve from the sockets. The delay is done in two phases: First, a configured number of seconds is waited until the requested restart or termination action is started. Second is to serve the remaining requests from the incoming sockets. This allows processing the queued requests before continuing with the restart or termination. The delay is enabled and controlled by a new global configuration parameter DelayedShutdownTime. This defines the length of the first phase in seconds.
DelayedShutdownHook is called immediately when the first phase starts. The hook can, for example, signal upstream proxies about the impending shutdown.

Added support for OSC's new load balancer. The LB proxies labeled requests to Radiator, which will process them as if they were received directly from the NAS. The label support is enabled with the new global configuration flag parameter UseProxyLabel which defaults to off.

Internal enhancements for EAPAnonymous handling. Also, $rp->{inner_username} now has the value of inner User-Name, if any, for EAP-TTLS.

Added support for using State attribute for identifying ongoing EAP conversations. New global configuration flag parameter EAP_UseState, currently set to off by default, enables or disables the use of State with EAP for the whole server. AuthBy EAPBALANCE users should convert to, for example, AuthBy HASHBALANCE to avoid adding a second State in the proxied requests. Users of other load balancers may find State advantageous when setting up LB rules. The value of State does not change during the EAP message exchange.

Server Identifier, the global Identifier parameter, now supports special formatting characters. The format is applied during the server startup. A 32 hex character long hash is calculated from the formatted Identifier for any possible later use.

Added new Gossip backend module GossipUDP. GossipUDP provides support for direct UDP communication between Gossip peers. Gossip message format was extended to support optional header for TTL, payload encryption and other future uses.

Added peer join and unjoin messages in GossipUDP. These messages allow the use of GossipREDIS, or some other Gossip backend, as a discovery mechanism to set up direct GossipUDP peering.

Added new AuthBy GOSSIP module that supports authentication and authorisation against Gossip backends such as GossipUDP and GossipREDIS.

PBKDF module now supports HMAC-SHA-256 as the pseudorandom function (PRF).
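As an added illustration of PBKDF2 with HMAC-SHA-256 as the PRF (the function the PBKDF module note above refers to), here is a small password storage and verification routine in Python. It is example code, not Radiator's PBKDF module; the "{PBKDF2-SHA256}" record format, the function names and the iteration count are constructed for this example only, and the standard library hashlib.pbkdf2_hmac does the derivation.

```python
import base64
import hashlib
import hmac
import os

# Constructed storage format used only by this example (not a Radiator format):
#   {PBKDF2-SHA256}<iterations>$<base64 salt>$<base64 derived key>
PREFIX = "{PBKDF2-SHA256}"
KEY_LEN = 32  # 32-byte derived key, one HMAC-SHA-256 output block


def derive_key(password, salt, iterations, dklen=KEY_LEN):
    """PBKDF2 with HMAC-SHA-256 as the PRF, returned as a hex string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)
    return dk.hex()


def hash_password(password, iterations=100_000, salt=None):
    """Build a stored credential. A fresh random 16-byte salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    dk = bytes.fromhex(derive_key(password, salt, iterations))
    return "%s%d$%s$%s" % (
        PREFIX,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Check a candidate password against a stored credential.

    Malformed or truncated records return False instead of raising, and the
    derived key length is pinned so a shortened record cannot be accepted
    (PBKDF2 output for a shorter dklen is a prefix of the full key).
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        iterations, salt_b64, dk_b64 = stored[len(PREFIX):].split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if iterations < 1 or not salt or len(expected) != KEY_LEN:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong horse", record))
```

The derive_key helper is checked in the test against the widely published PBKDF2-HMAC-SHA256 vector for password "password", salt "salt", one iteration, 32-byte output.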
Added new module AES_GCM that supports the use of AES in Galois/Counter Mode (GCM). AES_GCM requires Crypt::GCM.

Enhanced the Gossip framework to support message encryption. Requires the Radiator AES_GCM module.

Sending of RFC 5176 Disconnect-Request and CoA-Request messages was enhanced with two new modules and minor changes to Client.pm and AuthRADIUS.pm. Client.pm has new configuration parameters DynAuthSecret, DynAuthPort and UseMessagAuthenticator to define the dynamic authorisation capabilities of the NAS. New module AuthDYNAUTH.pm is available for building dynauth requests and dispatching them to Handlers. The dispatched dynauth requests can be matched with <Handler DynAuthRequest=1>. New module AuthRADIUSBYATTR.pm is available for forwarding the newly built dynauth request to the NAS based on the dynauth request contents. AuthBy RADIUSBYATTR is a subclass of AuthBy RADIUS and will automatically handle retransmissions. The dynauth responses will be handled by AuthBy DYNAUTH.

AuthBy DYNAUTH can optionally register itself with Gossip to receive requests from, for example, remote management to send dynauth messages pertaining to the online users. Works with SessionDatabase REDIS to share session information between Radiator instances and user management.

Added new StatsLog module StatsLog REDIS. StatsLog REDIS logs statistics to Redis for management applications, log transport agents, such as logstash Redis input plugin, or any later use. The statistics are currently logged in JSON format. Added a configuration sample in statslog.cfg in goodies.

Diameter OriginHost and OriginRealm configuration parameters now support formatting characters.

Added VENDOR Meraki 29671 and VSA Meraki-Device-Name to dictionary.

New module AuthRADIATORLB.pm supports proxying requests to OSC's new Radiator load balancer.
This module can be used together with AuthBy DYNAUTH and currently supports only RFC 5176 dynamic authentication requests which need to originate from Radiator and be sent by the LB towards the NAS. Gossip framework is supported for learning the LB addresses and dynauth ports.

GossipUDP now logs a warning if Gossip flag parameter or one or more GossipUDPPeer clauses have not been configured. When this happens GossipUDP has no method of knowing about its UDP peers.

Updated Diameter command code list. Command codes now use IANA registered names. This changes Diameter DEBUG message dumps for some command codes. For example, CER is now logged as Capabilities-Exchange.

Added support for Diameter statistics log. The statistics are collected for Diameter message counts, command codes and errors. Stats are collected for peer, origin, port and application and can be used for Diameter SNMP MIBs. New module DiaStatsLogREDIS provides support for writing the statistics in Redis. Other log modules will be added later.

Added an example in goodies/hooks.txt showing how to use AuthBy RADIUS ReplyHook with two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.

EAP Identity and MSCHAPv2 name equality check is now case insensitive. Reported by Serge Andrey and René Hennequin.

Log messages related to an authentication exchange and to its subsequent accounting session can now be logged with a tracing identifier. A new global and Log clause level configuration parameter LogTraceId enables prepending the tracing id to messages logged to stdout and with Log FILE when LogStdout is enabled. A new Handler level configuration parameter AutoClass adds a specially formatted Class attribute in Access-Accept messages. This allows carrying the tracing id to accounting logs and the session database to access the tentative Class value during the request handling.
New functions compose_state() and decompose_state() in Util.pm will handle adding and extracting state information from State and Class attributes. The tracing id works in conjunction with the Radiator load balancer allowing coordinated log message indexing and lookup between front end load balancers and backend workers.

Updated AuthLog and Log modules to use the recently added tracing id. The tracing id is now available as a parameter to LogFormatHooks and SQL loggers. Updated LogFormat.pm JSON hooks to log the tracing id. The global LogTraceId configuration parameter now affects only logs sent to stdout and the default log configured with LogFile.

Session database clauses now support SessionIdentifier configuration parameter. This parameter defaults to Acct-Session-Id and can be used to change the session identification attribute used by the session database clause. Useful, for example, when the authentication request contains the future, possibly vendor specific, session identifier attribute.

The recently added AutoClass configuration parameter now supports optional arguments for further Class attribute formatting. The currently supported arguments are uuid and formatted, which add a hex value UUID or a Radiator formatted string. The default is not to add anything.

Configuration parser's clause start to clause end matching is now case insensitive. Suggested by Alan Buxey.

Added two new formatting specifiers 'RequestVar' and 'ReplyVar' which provide access to request and reply objects. This is similar to, for example, the existing 'Handler' formatting specifier.

Handler now supports returning to AuthBy stack. This allows AuthBy RADIUS and its subclasses to return to evaluating AuthByPolicy when a reply is received from the remote proxy. AuthBy RADIUS and its subclasses now support new boolean configuration parameter Asynchronous that enables this new behaviour. AuthBy GOSSIP was changed to always use the new ASYNC return code.
Added the recently introduced tracing id support in AuthBy GOSSIP.

Enhanced Gossip encryption to support simple key rollover: the key with second highest index is now used for encryption. This allows gradually adding new keys and removing old keys to Gossip enabled instances.

Added the recently introduced tracing id support for Radiator Diameter logging.

Added support for time limited prepaid plans in AuthBy FIDELIOHOTSPOT. The SQL queries are now fully configurable. *Note:* support for time limited plans extends SQL table named service. To avoid compatibility problems with current configurations, add an integer column called duration in the service table with value 0. Alternatively, reconfigure the SQL ServiceSelect to return 0 for duration. See the updated fidelio-hotspot.cfg and fidelio-hotspot.sql configuration examples in goodies.

New optional global configuration parameter ResponseTimeThreshold tells Radiator to log a warning when the processing time exceeds the configured millisecond threshold. The warning contains the request's User-Name and info about the Client, Handler and AuthBy which processed the request.

radiusd now clears its child array after fork to avoid incorrectly calling waitpid for parent's children. Reported by Alan Buxey.

Added a new utility script hexdump2wireshark.pl in goodies. This script parses Radiator Trace 5 log and extracts packet hex dumps from it. The hex dumps are written to a separate output file which can be imported into Wireshark or converted into pcap file with text2pcap. Usage:

  perl goodies/hexdump2wireshark.pl < /var/log/radius/logfile > radius-logfile-hexdump.txt

The .txt file can then be imported into Wireshark or converted into pcap file with text2pcap:

  text2pcap -i 17 -u 1812,1812 radius-logfile-hexdump.txt radius-logfile-hexdump.pcap

The script also supports "#TEXT2PCAP" directives in .txt hexdump, but currently text2pcap does not have any directives implemented.
Minor correction to Diameter peer state machine: event I-Rcv-DPA in Closing state was duplicated and transition for I-Rcv-DPA was missing. Removed extra newline from Diameter state change logging.

The linux startup script linux-radiator.init now checks if the PID file or system init utility functions indicate radiusd is already running before starting a new instance.

Added support for /preauth endpoint in AuthBy DUO. This endpoint determines if the user is authorised to log in and returns the available authentication factors for the authorised user.

Simplified TLS based EAP methods to use TLS session id more frequently with internal ids.

Added support for VSA translation. Attributes in incoming and outgoing RADIUS messages can now be translated to and from internal presentations. For example, different MAC address formats can be normalised for logging and values for reply attributes can now be set based on the Client or AuthBy RADIUS vendor type. Full example showing the new VsaTranslateIn, VsaTranslateOut and the related new configuration parameters is in goodies/vsa-translate.cfg

Diameter BIR (Bootstrapping-Info) command was misspelled as Boostrapping-Info.

AuthBy DUO SecretKey and IntegrationKey configuration parameters now support formatting variables. The formatting is done once during the module activation.

radpwtst -interactive option now queries the password. The password query is done without local echo. With -interactive, there is no need to specify the password on the command line with the -password option anymore. Perl Term::ReadKey is needed on Windows. Some unix based systems are supported directly but Term::ReadKey is recommended for cross platform support.

Removed unneeded line BEGIN-VENDOR Freeswitch from dictionary. Reported by Eddie Stassen.

Improved debug logging in AuthBy DYNADDRESS and Diameter watchdog state changes.

Fixed misspelled LOG_ERROR and LOG_WARN log levels which all mapped to LOG_ERR.
Added support for MessageLog to log sent and received RADIUS, Diameter and TACACS+ messages. Initial support includes logging RADIUS messages in text and text2pcap formats to a file. Configuration sample is in goodies/logformat.cfg

getTimeHires() in Util.pm now checks the calling context when Time::HiRes is not installed and returns a list or scalar like Time::HiRes does.

StatsLog modules now calculate packet rates for each StatsLog module separately. This allows having multiple StatsLog clauses in the configuration, all with their own Interval values. Packet rates are now separate and do not affect other StatsLog clause packet rates.

Updates to statistics logging. All StatsLog clauses now support two new configuration parameters: StatsType and RateCalculationInterval. StatsType defines the stats output type. Possible values are: cumulative, derivative, packet_rate and all. Cumulative counter shows the number of processed packets. Derivative is the difference (delta) between two counter values in time interval. Packet_rate is the amount of packets transferred within time interval (packets per second). Type all produces output from all available statistic types (cumulative, derivative and packet_rate). The default is cumulative. Sometimes you may want to calculate packet rates that are different from the value of Interval. RateCalculationInterval is an optional parameter that defines the time interval (in seconds) in which the packet rate is calculated. For example, if Interval is set to 600 seconds and RateCalculationInterval is set to 60, packet rate then shows the (average) amount of packets in 60 second interval. RateCalculationInterval defaults to the value of Interval. See statslog.cfg in goodies for detailed examples.

SqlDb.pm now logs clearly if connecting to a SQL database fails because of a missing driver. For example, if DBSource is configured with dbi:mysql:... but DBD::mysql is not present, a verbose error is logged in addition to calling ConnectAttemptFailedHook.

Added VENDOR AudioCodes 5003 and VSA AudioCodes-ACL-Auth-Level to dictionary. Contributed by Peter Hendrikx.

Added support in MessageLog for Diameter logging. Updated RADIUS MessageLog text format to include time stamps.

AddToReply and the related parameters were incorrectly adding to Access-Reject messages too. These are now skipped for Access-Reject replies.

Host's adjustReply() for AddToReply and related configuration parameters was not called when a reply was received over RadSec.

AuthBy DYNAUTH now supports SessionCheckHook that will be called after SessionChecks have been evaluated. It can be used to implement custom or additional logic for session checking. Setting hook parameter $result as ${$result} = 0; will trigger sending DM/CoA.

Added initial support for encrypting and obfuscating secrets, passwords and other sensitive values in configuration files. Client and AuthBy DYNAUTH clauses now support EncryptedDynAuthSecret and Client has support for EncryptedSecret.

LocalAddress and LocalPort are now common configurable parameters for Stream modules. Updated AuthBy DIAMETER and AuthRADSEC not to use separate definitions for these parameters. The local address is now bound with SO_REUSEADDR socket option when LocalAddress is defined for a stream client.

Simplified logformat.cfg: it's no longer required to use StartupHook to load Radius::LogFormat. Radius::LogFormat is now loaded by the logging modules directly.

In AuthBy DIAMETER, Origin-Host and Origin-Realm are now taken from configuration parameters. All reverse lookups for deducing Origin-* are now removed. Destination-Realm is first taken from User-Name's realm part. If there is no realm, then DestinationRealm configuration parameter is used. DestinationRealm now defaults to 'testdestinatonrealm' in DiaClient.pm. DestinationRealm and DestinationHost parameters now support formatting characters.
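To make the StatsType and RateCalculationInterval arithmetic described above concrete, here is an added Python model of the three statistics (cumulative, derivative, packet_rate) computed from a monotonically increasing packet counter. This is example code written for this page, not Radiator's StatsLog implementation; the StatsCalculator class, its method names and the constructed workload in simulate() are assumptions made for the illustration, and only the parameter semantics (Interval, RateCalculationInterval defaulting to Interval, StatsType values) follow the text.

```python
class StatsCalculator:
    """Model of the StatsType / RateCalculationInterval statistics (hypothetical API).

    cumulative  - the counter value itself (packets processed so far)
    derivative  - delta between the counter at this report and at the previous one
    packet_rate - average packets per second over the last rate_interval seconds
    """

    TYPES = ("cumulative", "derivative", "packet_rate", "all")

    def __init__(self, interval, rate_calculation_interval=None, stats_type="cumulative"):
        if stats_type not in self.TYPES:
            raise ValueError("unknown StatsType %r" % (stats_type,))
        self.interval = interval
        # RateCalculationInterval defaults to the value of Interval.
        self.rate_interval = rate_calculation_interval or interval
        self.stats_type = stats_type
        self.last_reported = 0   # counter value at the previous report
        self.history = []        # (time, counter) snapshots used for the rate window

    def record(self, now, counter):
        """Take a counter snapshot and keep only what covers the rate window."""
        self.history.append((now, counter))
        cutoff = now - self.rate_interval
        # Drop snapshots older than the window but keep the one sitting at its edge,
        # so the rate is measured over (at least) rate_interval seconds.
        while len(self.history) > 1 and self.history[1][0] <= cutoff:
            self.history.pop(0)

    def report(self, now, counter):
        """Produce the statistics for one Interval tick, filtered by StatsType."""
        self.record(now, counter)
        t0, c0 = self.history[0]
        elapsed = now - t0
        stats = {
            "cumulative": counter,
            "derivative": counter - self.last_reported,
            # With no earlier snapshot there is no window yet; report 0.0 rather than divide by zero.
            "packet_rate": (counter - c0) / elapsed if elapsed > 0 else 0.0,
        }
        self.last_reported = counter
        if self.stats_type == "all":
            return stats
        return {self.stats_type: stats[self.stats_type]}


def simulate():
    """Constructed workload: Interval 600, RateCalculationInterval 60, snapshots every 60 s.

    10 packets/s for nine minutes, then a burst of 20 packets/s in the last minute of
    the first Interval, then 10 packets/s again. The derivative covers the whole 600 s
    while packet_rate reflects only the last 60 s window.
    """
    calc = StatsCalculator(interval=600, rate_calculation_interval=60, stats_type="all")
    counter = 0
    reports = []
    for t in range(60, 1201, 60):
        pps = 20 if 540 < t <= 600 else 10   # rate during the minute ending at t
        counter += pps * 60
        if t % calc.interval == 0:
            reports.append((t, calc.report(t, counter)))
        else:
            calc.record(t, counter)
    return reports


if __name__ == "__main__":
    for when, stats in simulate():
        print(when, stats)
```

At the first report (t=600) the derivative is 6600 packets over the whole Interval, an average of 11 packets/s, but packet_rate is 20.0 because the 60 second rate window only sees the burst; at t=1200 both agree on a steady 10 packets/s.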
The formatting is done when the AuthBy DIAMETER, or any other clause derived from DiaClient.pm, is activated.

AuthBy DIAMETER now supports new configuration parameter EAP_ApplicationId. EAP_ApplicationId defaults to value Diameter-EAP. EAP_ApplicationId defines the Diameter message's Application-ID value and Auth-Application-Id AVP value for the converted RADIUS EAP requests. The default converts RADIUS EAP authentication to Diameter EAP application. The parameter allows, for example, converting RADIUS EAP-AKA to Diameter 3GPP SWm. Updated the configuration diameter-authby.cfg in goodies.

Simplified TLS session resumption for TLS based EAP protocols. Sessions are only cached when EAPTLS_SessionResumption is enabled for the AuthBy. EAPTLS_SessionResumption is now completely separate from EAPContextTimeout: EAPContextTimeout no longer limits the session resumption time. *Note:* Any hooks or custom code that needs to save data across resumed sessions must now use resume context. See EAP.pm for the details. EAPContextTimeout now defaults to 120 seconds. The previous value was 1000 seconds.

Added new configuration parameter EAPTLS_SessionContextId. For TLS based EAP types such as TLS, TTLS and PEAP, this optional parameter allows you to set the context within which the TLS session resumption is allowed. Defaults to Handler, which means that TLS session resumption is allowed if the resumed and the full authentication were processed by the same Handler. Previously the context was set to an ephemeral value which often forced full TLS handshakes instead of allowing session resumption to happen.

Moved IANA registered attributes to 'IANA' namespace from vendor 0 namespace. Unknown IANA attributes are now named as Unknown-IANA-191 where 191 is the attribute number. Unknown vendor specific attributes continue to be named like Unknown-9048-120 where 9048 is the vendor number and 120 is the attribute number.
*Note:* any custom code that accesses RADIUS attribute definitions in the RADIUS dictionary should now check if the vendor is IANA, not 0, to differentiate between vendor attributes and IANA registered attributes. This may also affect custom code that does Diameter to RADIUS conversion. This namespace change fixes the problem where VSAs with vendor id 0 were proxied as non-VSAs when ProxyUnknownAttributes was set. Reported by Alan Buxey.

Fixed and unified JSON formats in LogFormat.pm. Time contains unix time. Timestamp contains locale specific time presentation based on the unix time. Timestamp includes microseconds if LogMicroseconds is defined; the format is the same as in Radiator plaintext log. New attribute "datetime" is the localtime for human readers' convenience. Previously timestamp format incorrectly claimed to use UTC time while it was in fact local time.

Improved AddressAllocator DHCP logging and DHCP socket set up. When LocalAddress was not configured and hostname did not resolve to an IP address, radiusd died during the startup. Now an error is logged and the DHCP socket will not be set up. If DHCP set up fails for some other reason, the reason is now clearly logged and the DHCP socket will not be set up. When the DHCP socket is not set up, address allocation methods return with REJECT and an error is logged. The problem with unresolved hostname was reported by Edward Ocenar.

AuthBy DUO now supports optional parameter Failmode that specifies whether to reject, accept or ignore authentication when Duo API is not available or a Duo API call times out. Default is to ignore the authentication request. DUO API timeout is now handled separately from the other DUO API call failures.

Address allocators now support Acct-Status-Type values Accounting-On and Accounting-Off. The default is to accept the Accounting-Request with no other action. The SQL allocator can now be configured with DeallocateByNASQuery to, for example, release all leases for the NAS.
Updated the configuration example addressallocator.cfg with sample DeallocateByNASQuery and updated the SQL example files with a new column for NAS id.

Added optional conversion of Diameter Session-Termination-Request (STR) to RADIUS Accounting-Request with Acct-Status-Type set to Stop. This, and possible future conversions, can be enabled with ConvertCommand configuration parameter within ServerDIAMETER. More details are in diameter-server.cfg in goodies. Requested by Jean-Marc MONTENOT.

Updated AddressAllocator SQL to support delayed pool activation. When AddressAllocator SQL is configured with DelayedPoolCheckTime, the pool creation, address checks and initial reclamation are delayed to happen the configured amount of seconds after radiusd has started.

Added a new configuration parameter NasIdentifier for AddressPool clauses. The configured value is made available for AddAddressQuery.

Source IP address and source port for incoming TACACS+ and StreamServer based connections, such as RadSec and Diameter, are now immediately logged after they are accepted. This allows logging even the very short lived connections from probes and other sources. Reported by Alexander Hartmaier.

Added a new optional configuration parameter AllowInReject for defining which attributes are allowed in Access-Reject. This can be useful in Handlers with multiple AuthBys where the attributes added before a rejecting AuthBy need to be stripped from the resulting Access-Reject.

Added a new optional configuration parameter Encoding for MessageLog FILE and its subclasses. This allows, for example, encoding a binary or multiline log entry as a single hex encoded line which might be useful with some log shipping tools and agents. Currently supported encodings are none and hex. Updated the configuration sample in logformat.cfg.

AttrList and its derived modules now support delete_attr_d() method. This allows deleting attributes by name from DiaMsg and other AttrList objects.
Fixed Client IgnoreAcctSignature flag to correctly work as a flag. Previously a defined but false value, such as 0, was interpreted as the flag being set. IgnoreAcctSignature is not defined or set by default. Reported by Niels Monen.

Added initial support for encrypting and obfuscating TACACS+ keys in the configuration file. This is similar to the recently added RADIUS client shared secret obfuscation. Client and ServerTACACSPLUS now support EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples in the tacacsplusserver.cfg sample configuration file.

Enhanced logging in ServerTACACSPLUS. Very short lived connections are now logged with the peer IP address and port. Some TACACS+ clients, network monitoring probes and other software may close the newly opened TACACS+ connection immediately without any TACACS+ request exchange. These connections are now more clearly logged. Updated two other infrequently used log messages to include the peer IP and port. Suggested by Alexander Hartmaier.

USR1 and USR2 signals are now propagated to the server farm workers by the farm parent. This allows changing the logging trace value for the whole farm at once by sending the signal to the farm parent. Suggested by Jose Borges Ferreira.

Added initial support in AuthBy GOSSIP for using backends such as Redis for authentication, voucher lists and black lists.

Added new formatter %{TimestampVal:number} where number can be a positive or negative integer, request attribute name or a special. For example %{TimestampVal:3000}, %{TimestampVal:Session-Timeout} or %{TimestampVal:%{Reply:Session-Timeout}}. The replaced value is the current unix time stamp + the number. Useful for replacing hooks with formatters when calculating time stamps.

AuthBy GOSSIP can now hint the desired authentication backend, SQL, LDAP, etc., to the Gossip peer. The authentication backend is configured with optional configuration parameter AuthenticationMethod.
AuthBy DYNADDRESS now supports optional configuration flag parameter RunWhenMissing. When RunWhenMissing is set to off, the confirm and deallocate operations of the configured address allocator are not run if the Accounting-Request does not have the IP address. Accounting-Request messages from some types of RADIUS clients may not contain the allocated IP address. This may happen because the MapAttribute yiaddr is missing from the request, or when IPv4 and IPv6 allocators are chained, the yiaddr is not set for the allocator type. In this case you may want to set RunWhenMissing to off. The default is to always run confirm and deallocate.

Fixed misleading log message in AuthBy OTP where OTP verify result was logged during failure. The result is only a boolean value while the log message hinted there might be additional information available. Reported by Alexander Hartmaier.

Updated log calls in multiple EAP methods to include the current request.

Added initial support for logging tracing identifier in ServerTACACSPLUS. Further changes are needed for additional coverage.

The value intended for NAS_ID column is now configurable with NasId parameter in AddressAllocator SQL. The default value is %{NAS-Identifier}. Updated the configuration sample addressallocator.cfg in goodies.

Overly long locally added attributes were incorrectly packed in the outgoing RADIUS messages. These messages are now logged with ERR log level and no message is sent.

AuthBy RADIUS and its subclasses can now return with result REJECT to trigger an Access-Reject when a proxied request times out. This requires setting a new flag parameter called NoReplyReject. NoReplyReject allows rejecting timed out requests without hooks such as NoReplyHook. When returning a result, the reason for the timed out requests is now set to "Upstream timeout".

Added PostSearchHook in AuthBy GOSSIP that is called by AuthGOSSIP's findUser() after AuthAttrDefs have been evaluated and possible reply attributes are in place.
ServerTACACSPLUS now evaluates global RewriteUsername before dispatching a TACACS+ pseudo RADIUS request to a Handler. Previously global RewriteUsername was not evaluated for TACACS+ requests. Suggested by Tim Cheyne.

Updated sample certificates to expire on Aug 10 2018.

Improved handling of plaintext passwords with prefix {clear}. The plaintext value is now clearly separate from any hashed or encrypted value. Custom modules using AuthGeneric methods get_plaintext_password and translate_password should be checked for compatibility. Reported by Vangelis Kyriakakis.

radiusd now exits during startup if it can not load the objects required by the configuration file. For example, if an AuthBy or a SessionDatabase fails to load, radiusd will log the failure and exit immediately. Previous behaviour was to log the failure and continue.

Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.24.

Added 32 and 64 bit Win32-Lsa ppms for ActivePerl 5.22.

Fixed a memory leak where duplicate cache entries were not freed when radiusd was reloaded. Reported by Niels Monen.

HTTP Digest authentication must now be enabled with configuration flag parameter HTTPDigestAuthentication. This flag is not set by default. Updated system.cfg in goodies.

The old Shadow helper module is not needed with the recent Perls for AuthBy SYSTEM.

EAP authentication using AuthBy LDAP2 worked incorrectly with some atypical Radiator and LDAP configurations.

Improved EAP debug logging for better PacketTrace and trace id support: EAP messages with bad length are now more clearly logged.

TLS compression is now disabled for all TLS based EAP methods and all StreamTLS based modules, such as RadSec, Diameter and ServerHTTP, with SSL_OP_NO_COMPRESSION option. Current systems should already disable TLS compression by default, so this change makes sure compression is not inadvertently enabled, for example, when system defaults are changed or Radiator runs on an unpatched system.
SSL_OP_NO_COMPRESSION is available with OpenSSL 1.0.0 and later.

Updated the default HostSelect in AuthBy SQLRADIUS to use quoted realm. Updated the configuration sample sqlradius.cfg to use quotes.

ServerRADSEC now supports StatusServer parameter similar to RADIUS Clients. Requested by Christian 'wiwi' Wittenhorst.

fideliosim.pl in goodies now binds to 127.0.0.1 by default but has a command line switch to set the addresses to bind.

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator