[RADIATOR] Radiator Version 4.13 released
We are pleased to announce the release of Radiator version 4.13. This version contains one new module for authenticating against YubiKey validation server and YubiHSM, some significant new features and bug fixes.

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/
and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads/

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html
is below:

Revision 4.13 (2014-04-16) Radius proxying, IPv6, TACACS+, Diameter and other enhancements. Bug fixes

Selected compatibility notes and enhancements

- Unknown attributes can now be proxied instead of being dropped
- Diameter enhancements may require changes to custom Diameter modules
- Major IPv6 enhancements include:
  - Attributes with IPv6 values can now be proxied without IPv6 support, Socket6 is no longer an absolute prerequisite.
  - 'ipv6:' prefix is now optional and not prepended in attribute values
- TACACS+ authentication and authorization can now be decoupled
- Bind variables are now available for AuthLog SQL and Log SQL.
- Status-Server requests without correct Message-Identifier are ignored. Status-Server responses are now configurable.
- LDAP attributes can now be fetched with base scope after subtree scoped search. Useful for example, tokenGroups AD attributes which are not otherwise available
- Newly added check for CVE-2014-0160, the OpenSSL Heartbleed vulnerability may log false positives
- New AuthBy for authenticating against YubiKey validation server added
- See Radiator SIM pack revision history for supported SIM pack versions

Detailed changes

Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address, DNS-Server-IPv6-Address, Route-IPv6-Information, Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool).
These attributes override a number of attributes that were previously commandeered by Ascend and Merit. The Ascend ones are still available in ascend.dictionary. The Merit attributes were added under the existing Merit VSA entry and the non-VSA Merit attributes were removed from the main dictionary. The non-VSA Merit attributes will continue to be available in a new file goodies/dictionary.merit

AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS, MULTICAST and proxy algorithm AuthBys, now support special characters in AuthPort and AcctPort. Suggested by David Zych.

Added in dictionary: Huawei-Loopback-Address, vendor 6139 (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou Research and Development Center) and vendor 27262 DANTE Ltd.

Unknown attributes can now be proxied when the new global configuration flag ProxyUnknownAttributes is set to true. Unknown attributes are now always available with special names such as Unknown-9048-120, where 9048 is the vendor id and 120 is the vendor attribute number. Unknown attributes are now logged with level WARNING instead of ERR. A warning is logged for each attribute once per sender IP address. Attribute names starting with Unknown are reserved in dictionary and ignored when the dictionary is loaded.

Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and RFC 6930.

Added support for dictionary type ipv4prefix required by RFC 6572. An example of ipv4prefix format is '192.168.1.0/24'. Added attributes from RFC 6572 in dictionary.

Change in 4.12 caused ServerDIAMETER to always create new peer instances for new connections. This caused mainly WatchdogState DOWN log litter.

AuthBy DIAMETER and other DiameterClient derived classes, such as Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support new option SCTPPeer. This option allows defining multiple SCTP peers for the initial SCTP association attempt.

Added vendor Arista in dictionary. Updated Netscreen values.
Contributed by Garry Shtern.

Fixed AuthBy NTLM so it will not leave zombie processes around during reconfigure. Reported by Garry Shtern.

AuthBy RATELIMIT now supports optional parameter MaxRateResult, which allows specifying the result when MaxRate is exceeded. MaxRateResult defaults to IGNORE.

Significant IPv6 changes. Socket6.pm is no longer required if the core Socket module provides the required IPv6 support. Attributes with IPv6 address or prefix type are now handled as binary if there is no Socket or Socket6 for IPv6 support. This fixes the problem with proxying when Socket6 was not installed. Prefix 'ipv6:' for IPv6 addresses is no longer required but will be accepted. Decoded values for IPv6 address type attributes will no longer have 'ipv6:' prefix. Startup log messages now contain information about the IPv6 support.

Updated 3GPP (vendor 10415) attributes in dictionary. 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier were added. 3GPP-Charging-Gateway-Address,
Re: [RADIATOR] Chargeable-User-Identity
On 11 apr 2014, at 20:15, Heikki Vatiainen h...@open.com.au wrote:

> The functionality provided by the EAP_43.patch will be in the next patchset. It adds what EAP-TTLS and PEAP already have: reply attributes added by the inner authentication are copied to outer Access-Accept when the authentication finishes.

Most useful, thank you.

> Since the Hooks do not need patches to Radiator, those can be added/considered separately perhaps?

Yes, I'll take a look at 4.13 and provide more comments later.

jakob
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Radiator SIM support version 1.42 with SIM cards for EAP-SIM, EAP-AKA and EAP-AKA' released
Hello Everyone,

Radiator SIM support version 1.42 is now released. This version supports Radiator 4.13 and provides small updates to the recently released version 1.41.

We are also pleased to announce the availability of SIM cards for those who evaluate Radiator SIM support. We can provide mini, micro and nano sized SIM cards with the authentication information to help with EAP-SIM, EAP-AKA and EAP-AKA' evaluation. The SIM cards are provided free of charge.

This allows you to set up a test environment for different SIM based authentication methods, test with real equipment such as phones and tablets running Apple IOS, Android and Windows Phone.

The Radiator SIM support includes a simple Diameter Wx and SWx HSS which you can use while setting up your environment. When everything works as required, you can change Radiator to use a real HSS and switch to the operator provided SIM cards. All that is needed is a simple configuration change to direct Radiator to the different HSS.

With our SIM cards and HSS it is easy to set up SIM based authentication. There is no need for full access to operator HSS while the system is being set up, configured and tested.

We have tested the SIM cards with:

- EAP-AKA with Android 4.1 and 4.2, IOS 7.1, Nokia Symbian S60 v3.0 and v3.1.
- EAP-SIM with the above and Nokia Windows Phone 8, 8.1 developer preview and Nokia Symbian S80 v2.0.
- EAP-AKA', EAP-AKA and EAP-SIM with wpa_supplicant software which Android devices use

For more information about the Radiator SIM support, please see:
https://www.open.com.au/eap-sim/history.html

For the full revision history, please see:
https://www.open.com.au/eap-sim/history.html

Thanks,
Heikki

--
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.