Re: [RADIATOR] What is the "new Radiator load balancer"?
On 21.9.2016 17.37, Nadav Hod wrote:
> Looking over the Radiator 4.17 release notes, there is talk of a new
> loadbalancer. Any chance someone in the know can elaborate on this
> loadbalancer? :)

This is the component you can see here: https://www.open.com.au/nfv/

The first image shows traffic arriving via Radius and Diameter load balancers. This is not a generic load balancer but part of a distributed Radiator solution, be it NFV, or something that uses Radiator with a load balancer to fan out traffic to Radiator instances.

Radiator and its load balancer, which is not a Radiator instance but a specific software that does just load balancing, can communicate with each other and share information. This information is about worker instance health, automatic registration with scale in/out, hints about balancing, for example, to keep EAP streams together.

What's currently in Radiator is the first release of the Radiator part. The load balancer currently works with NFV only, but we will work on making it available as a non-NFV package too.

Thanks,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Radius and TACACS+ password obfuscation
Hi everyone,

I read this in the Radiator 4.17 release notes:

"Added initial support for encrypting and obfuscating TACACS+ keys in the configuration file. This is similar to the recently added RADIUS client shared secret obfuscation. Client and ServerTACACASPLUS now support EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples in the tacacsplusserver.cfg sample configuration file."

I haven't seen anything regarding radius shared secret obfuscation in the documentation. Can anyone give a short example of this?
[RADIATOR] What is the "new Radiator load balancer"?
Hi everyone,

Looking over the Radiator 4.17 release notes, there is talk of a new loadbalancer. Any chance someone in the know can elaborate on this loadbalancer? :)
[RADIATOR] Radiator Version 4.17 released - enhancements, new features, security and other fixes
We are pleased to announce the release of Radiator version 4.17.

This version contains enhancements, new features, security and other fixes described below.

As usual, the new version is available to current licensees and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file https://www.open.com.au/radiator/history.html is below:

Revision 4.17 (2016-09-21) enhancements, new features, security and other fixes

Selected compatibility notes, enhancements and fixes

- radiusd now exits during startup if it can not load the objects required by the configuration file.
- Hooks and custom code that calls get_plaintext_password or translate_password should be checked for compatibility
- AuthBy RADSEC now supports Radiator's Gossip framework for reachability information
- Any hooks or custom code that needs to save data across resumed EAP-TLS, EAP-TTLS or PEAP authentication sessions must now use resume context. See EAP.pm for the details.
- RADIUS dictionary name space was changed for IANA registered attributes. Any hooks or custom code that accesses RADIUS dictionary, or does RADIUS - Diameter conversion may need updates.
- JSON time stamp formats were corrected and unified in LogFormat.pm
- AuthBy DUO now does pre-authentication by default
- AddressAllocator SQL now supports IPv6 prefix allocation
- Session resumption for TLS based EAP methods was enhanced
- Many new features and options for SessionDatabase modules
- AuthBy RADIUS supports configuration parameter Asynchronous for easier AuthByPolicy handling
- New MessageLog clauses for logging RADIUS and other messages
- StatsLog updates including cumulative and derivate statistics
- HTTP digest authentication must now be enabled per AuthBy basis
- Security fixes for AuthBy LDAP2 when used with EAP. OSC recommends all AuthBy LDAP2 users to review OSC security advisory OSC-SEC-2016-01 https://www.open.com.au/OSC-SEC-2016-01.html

Features not in this release yet, known caveats and other notes

- OCSP support
- Selection of proxy algorithms for AuthBy RADSEC
- No testing with OpenSSL 1.1.0. Testing with OpenSSL 1.0.2h, Net::SSLeay 1.78, IOS 10, Android 7 and Windows 10
- PEAP session resumption sometimes fails on Windows. Further investigation is ongoing
- Major documentation update. Radiator reference manual is available in HTML format again

Detailed changes

Updated debug log messages for Stream classes. The stream client and server now log the destination name and its currently resolved address more clearly in the debug log messages. This affects log messages for RadSec, Diameter, ServerHTTP and other Stream based modules.

AuthBy RADSEC now logs packet dumps for the Status-Server replies it receives from the next hop proxy.

The Port configuration variable is now formatted when RadSec Host is activated. This allows logging the actual port number instead of the unformatted configuration value.

Added Gossip support for AuthBy RADSEC. The RadSec Hosts can now distribute next hop proxy reachability information with Gossip. The configured Host name, not the current IP address, is used as the key when determining if the current report should be processed. The behaviour is currently slightly different from AuthBy RADIUS.

Updated radsec-client.cfg in goodies. Suggested by Jan Tomasek.

Updated AuthBy RADSEC log messages to be more clear about destination name, IP address and port.

While loading dictionaries, Radiator now logs a warning when the vendor has not been defined for a vendor specific attribute.

Correct configuration file names are now logged when there are errors parsing the included configuration files during radiusd startup. Previously the file name might have been the main configuration file name. Reported by Kilian Krause.

Clause ends are now checked for matching starts while the configuration file is read. Possible mismatches and incorrectly ended clauses are logged with a warning, but no other action is currently taken.

Gossip messages sent by one AuthBy RADIUS module will now be accepted by all the other AuthBy RADIUS modules within the same radiusd instance. Previously the messages were always ignored when they originated from the same instance. This behaviour is now similar to what AuthBy RADSEC does.

AuthRADIUS and AuthRADSEC now include the type of the failed request in the Gossip messages. A module using UseStatusServerForFailureDetect will now act only on failed Status-Server requests. With report and help from Paul Dekkers.

AuthBy LDAP2 now logs the search filter with the query results

Added VENDOR 3GPP 10415 VSA 3GPP-User-Location-Info-Time from document TS 29.061 version 12.10.0 to dictionary.

AuthBy DYNADDRESS now uses MapAttribute yiaddr when processing Accounting-Requests. Previously the address was always fetched from Framed-IP-Address.

AddressAllocato