[RADIATOR] Radius and TACACS+ password obfuscation

2016-09-21 Thread Nadav Hod
Hi everyone,

I read this in the Radiator 4.17 release notes:

"Added initial support for encrypting and obfuscating TACACS+ keys in the 
configuration file. This is similar to the recently added RADIUS client shared 
secret obfuscation. Client and ServerTACACSPLUS now support
EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples in the 
tacacsplusserver.cfg sample configuration file."

I haven't seen anything regarding radius shared secret obfuscation in the 
documentation. Can anyone give a short example of this?

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

[RADIATOR] What is the "new Radiator load balancer"?

2016-09-21 Thread Nadav Hod
Hi everyone,

Looking over the Radiator 4.17 release notes, there is talk of a new 
loadbalancer. Any chance someone in the know can elaborate on this 
loadbalancer?  :)

[RADIATOR] Radiator Version 4.17 released - enhancements, new features, security and other fixes

2016-09-21 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.17

This version contains enhancements, new features, security and other 
fixes described below.

As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-

Revision 4.17 (2016-09-21) enhancements, new features, security and 
other fixes

  Selected compatibility notes, enhancements and fixes

radiusd now exits during startup if it cannot load the objects
required by the configuration file.

Hooks and custom code that calls get_plaintext_password or
translate_password should be checked for compatibility

AuthBy RADSEC now supports Radiator's Gossip framework for
reachability information

Any hooks or custom code that needs to save data across resumed
EAP-TLS, EAP-TTLS or PEAP authentication sessions must now use
resume context. See EAP.pm for the details.

RADIUS dictionary name space was changed for IANA registered
attributes. Any hooks or custom code that accesses RADIUS
dictionary, or does RADIUS - Diameter conversion may need updates.

JSON time stamp formats were corrected and unified in LogFormat.pm

AuthBy DUO now does pre-authentication by default

AddressAllocator SQL now supports IPv6 prefix allocation

Session resumption for TLS based EAP methods was enhanced

Many new features and options for SessionDatabase modules

AuthBy RADIUS supports configuration parameter Asynchronous for
easier AuthByPolicy handling

New MessageLog clauses for logging RADIUS and other messages

StatsLog updates including cumulative and derivate statistics

HTTP digest authentication must now be enabled per AuthBy basis

Security fixes for AuthBy LDAP2 when used with EAP. OSC
recommends all AuthBy LDAP2 users to review OSC security
advisory OSC-SEC-2016-01
https://www.open.com.au/OSC-SEC-2016-01.html


  Features not in this release yet, known caveats and other notes

OCSP support

Selection of proxy algorithms for AuthBy RADSEC

No testing with OpenSSL 1.1.0. Testing with OpenSSL 1.0.2h,
Net::SSLeay 1.78, IOS 10, Android 7 and Windows 10

PEAP session resumption sometimes fails on Windows. Further
investigation is ongoing

Major documentation update. Radiator reference manual is
available in HTML format again


  Detailed changes

Updated debug log messages for Stream classes. The stream client
and server now log the destination name and its currently
resolved address more clearly in the debug log messages. This
affects log messages for RadSec, Diameter, ServerHTTP and other
Stream based modules.

AuthBy RADSEC now logs packet dumps for the Status-Server
replies it receives from the next hop proxy. The Port
configuration variable is now formatted when RadSec Host is
activated. This allows logging the actual port number instead of
the unformatted configuration value.

Added Gossip support for AuthBy RADSEC. The RadSec Hosts can now
distribute next hop proxy reachability information with Gossip.
The configured Host name, not the current IP address, is used as
the key when determining if the current report should be
processed. The behaviour is currently slightly different from
AuthBy RADIUS. Updated radsec-client.cfg in goodies. Suggested
by Jan Tomasek.

Updated AuthBy RADSEC log messages to be more clear about
destination name, IP address and port.

While loading dictionaries, Radiator now logs a warning when the
vendor has not been defined for a vendor specific attribute.

Correct configuration file names are now logged when there are
errors parsing the included configuration files during radiusd
startup. Previously the file name might have been the main
configuration file name. Reported by Kilian Krause.

Clause ends are now checked for matching starts while the
configuration file is read. Possible mismatches and incorrectly
ended clauses are logged with a warning, but no other action is
currently taken.

Gossip messages sent by one AuthBy RADIUS module will now be
accepted by all the other AuthBy RADIUS modules within the same
radiusd instance. Previously the messages were always ignored
when they originated from the same instance. This behaviour is
now similar to what AuthBy RADSEC does.

AuthRADIUS and AuthRADSEC now include the type of the failed
request in the Gossip messages. A module using
UseStatusServerForFailureDetect will now act only on failed
Status-Server requests. With report and help from Paul Dekkers.

AuthBy LDAP2 now logs the search filter with the query results

Added VENDOR 3GPP 10415 VSA 3GPP-User-Location-Info-Time from
document TS 29.061 version 12.10.0 to dictionary.

AuthBy DYNADDRESS now uses MapAttribute yiaddr when processing
Accounting-Requests. Previously the address was always fetched
from Framed-IP-Address.