We are pleased to announce the release of Radiator version 4.12. This version contains two new modules, AuthBy DUO and AuthBy DIAMETER, some significant new features and bug fixes.
As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/
and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads
Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php

An extract from the history file http://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.12 (2013-09-06)

Improvements to EAP-MD5 handling: in the event of an authentication failure, the reason messages are more descriptive of why the authentication failed.
Updated Mikrotik VSAs in dictionary.
Added a number of VSAs for Alcatel-ESAM to dictionary.
Fixed a potential crash if there were many unfinished EAP-GTC authentication conversations through AuthBy ACE. Reported by Richard Fairhall.
Added support for a number of new check items for AuthBy SQL: Max-All-Session, Max-Hourly-Session, Max-Daily-Session, Max-Monthly-Session, Max-All-Octets, Max-All-Gigawords, Max-Hourly-Octets, Max-Hourly-Gigawords, Max-Daily-Octets, Max-Daily-Gigawords, Max-Monthly-Octets, Max-Monthly-Gigawords. AuthBy SQL supports the following corresponding configurable queries: AcctTotalQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalOctetsQuery, AcctTotalGigawordsQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery. With the kind assistance of Richard Fairhall.
Updated AuthLog SYSLOG so that it honours the same %0 and %1 in SuccessFormat and FailureFormat as other loggers.
Changed all instances of the poorly defined 'octets' type attributes in dictionary to 'binary'.
Added F5 BigIP VSAs to dictionary, per http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html, as sent by Alexander Hartmaier.
Added further Trapeze VSAs for MSS 8.0 and later to dictionary, as sent by Vandenbroucke Luc.
Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that failedRequests and start_failure_grace_time are updated even if there is no $op->{rp}.
Performance improvements for TTLS and PEAP: when used with OpenSSL 1.0.1 and later and Net::SSLeay 1.52 (with the latest patches) and later, the native OpenSSL tls1_PRF function is used.
Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the event of an Access-Reject from a proxied request, AuthLog* can log the actual Reply-Message from the reply instead of 'Proxied'. Requested by David Zych.
Improvements to AuthBy RADIUS and AuthBy RADSEC to detect obvious routing loops and to ignore attempts to proxy a packet to the same BindAddress/port the packet was received on.
Fixed a problem in SessionDatabase SQL that could cause a crash if UpdateQuery is defined and an Accounting Alive packet was received. Reported by Chris Millington.
Improvements to AuthBy SQL AuthColumnDef. An AuthColumnDef can now have a trailing ", formatted" keyword. This causes the value retrieved from the database in that column to be subject to special character processing before it is used, so it can contain %{something} forms which are replaced at authentication time. The general format is now:
    AuthColumnDef n, attributename, type[, formatted]
For example:
    AuthColumnDef 1, Filter-Id, reply, formatted
Improvements to AuthBy LDAP2 AuthAttrDef. An AuthAttrDef can now have a trailing ", formatted" keyword. This causes the value(s) retrieved from LDAP to be subject to special character processing before they are used, so they can contain %{something} forms which are replaced at authentication time. The general format is now:
    AuthAttrDef ldapattributename, radiusattributename, type[, formatted]
For example:
    AuthAttrDef filter, Filter-Id, reply, formatted
All configuration parameters of type 'flag' can now use special characters. This is especially useful for controlling flags with GlobalVars.
Added example hook to hooks.txt showing a way to call PostAuthHook with additional fixed arguments set at startup time.
Fixed some typos in DiaClient that incorrectly mentioned RadSec.
AuthBy RADIUS and AuthBy RADSEC now remove the unnecessary Timestamp attribute (meant for internal use only) from proxied requests.
Improvements to Handler: the reply packet is not set if there is already one present. Useful when AuthBy HANDLER or a hook redespatches a request to another Handler: reply items added by earlier Handlers and AuthBys will not be lost.
Added Ericsson Redback VSAs 207-213 to dictionary. Also added some alternate values for RB-Framed-IPv6-Prefix, RB-Framed-IPv6-Route and RB-Framed-IPv6-Pool, as used by SmartEdge.
Added A10 Networks VSAs to dictionary.
Improvements to SYSLOG loggers to be more compatible with later versions of Sys::Syslog.
Fixed a problem with using AuthBy Fidelio and serial ports that caused a failure to start Radiator. Also changed the default serial port flow control for Fidelio modules to 'rts', since 'xoff' could cause lost characters and bad checksums. Testing with USB-Serial port adapters.
Updated goodies/digipass-install.txt to include guidance about how to order Digipass tokens, including the need to order the 'Digipass User Data Subscription Fee' (DUD) option.
All tar files are now built with TAR_OPTIONS=--format=gnu to ensure compatibility with other tars, notably the one on Solaris.
Testing on Solaris 11. OK with builtin perl 5.12.
Added Huawei-3Com (H3C) VSAs to dictionary.
Improvements to AuthBy KRB5 and Ldap.pm: the credential cache now uses a memory cache instead of a file. Added a new option KrbServerRealm to allow server and user to exist in different realms. The hostname is now used for service tickets instead of the IP address. A reverse DNS lookup is now done for the host before requesting a service ticket. Patches by Garry Shtern.
Added new dictionary file for Cisco/Altiga attributes compiled by Alexander Hartmaier.
Fixed a problem that prevented HostSelect from implementing the host counter if HostSelectParam was defined.
Added support for SNMP v2c with new configuration parameter SNMPVersion in SNMPAgent.
Fixed a problem where some SNMP decode errors were not correctly detected.
Configuration file check no longer activates clauses, which could cause spurious error messages. Requested by Garry Shtern.
Added Palo Alto Networks VSAs to dictionary. Contributed by Garry Shtern.
More improvements to LDAP logging. The hostname and port are now logged after a successful connection. This helps determine which host the connection was made to when the Host parameter is configured with multiple host names.
Removed redundant GSSAPI related code. Contributed by Garry Shtern.
Fixed a problem with EAP-TTLS where EAPAnonymous %0 did not fetch the inner EAP identity. Reported by Neil M. Johnson.
Added a number of Aruba VSAs to dictionary with the kind assistance of Michael Hulko.
Fixed UseStatusServerForFailureDetect in AuthRADIUS.pm to work correctly when there are multiple Hosts configured. This also affects AuthRADIUS subclasses, and small changes were needed for AuthLOADBALANCE, AuthMULTICAST, AuthROUNDROBIN and AuthVOLUMEBALANCE. AuthHASHBALANCE and AuthEAPBALANCE required no changes. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to a Status-Server request will bring back a failed Host. Other changes include: AuthRADIUS subclasses will now log an INFO level message when the Host starts responding. BogoMips only affects AuthLOADBALANCE and AuthVOLUMEBALANCE, as documented. Setting BogoMips to 0 for a Host will no longer disable it for the other subclasses. KeepaliveTimeout can be specified for the AuthBy or for an individual Host in the AuthBy. The default value for BogoMips in an AuthBy is now correctly passed to the Hosts in the AuthBy.
Thanks to Paul Dekkers for reporting the problem and for debugging help.
Reverted an earlier Status-Server polling related change in AuthRADSEC.pm that caused a memory leak when requests were not replied to. Reported and narrowed down by Paul Dekkers.
EAP-PWD now honours UsernameMatchesWithoutRealm. Also, if the user is not found, the log message now says EAP-PWD instead of EAP MSCHAP-V2.
Fixed UseStatusServerForFailureDetect in AuthRADSEC.pm to work correctly when there are multiple Hosts configured. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to a Status-Server request will bring back a failed Host. This change is similar to the recent AuthRADIUS.pm change.
Added new option -message_authenticator to radpwtst for adding a correctly calculated Message-Authenticator to the outgoing requests. Currently supported types are Access-Request, Status-Server, Disconnect-Request and Change-Filter-Request, aka CoA-Request.
PEAP EAP context is now cleared immediately when reading encrypted TLS data fails.
AuthBy RADSEC did not correctly reinitialize when signalled with SIGHUP, leaking TCP connections, memory and TLS references. Fixed a similar memory leak in AuthBy RADIUS. TCP connection leak reported by Karl Gaissmaier.
Logging enhancements: replies received by AuthBy RADIUS, AuthBy RADSEC, Client, ServerRADSEC and SimpleClient.pm are now dumped using the loggers configured for the respective clauses and module. PacketTrace now affects the replies received by the clauses. Function decode_attrs no longer dumps the received request. Some messages are now logged by the clauses first instead of just the main logger.
Added Blue Coat VSAs to dictionary. Contributed by Garry Shtern.
LDAP GSSAPI name resolution enhancements. Based on a patch by Garry Shtern.
Tested with RSA Authentication Manager 8.0. Updated OnDemand mode prompt handling. No other changes required.
Added new parameter ChallengeHasPrompt to AuthBy RSAAM to enable sending the RADIUS Prompt attribute with Access-Challenge messages based on the RSA AM responses.
Status-Server messages sent by AuthBy RADSEC and AuthBy RADIUS no longer carry the Proxy-State attribute.
Improved logging in AuthBy RADSEC when Proxy-State in the reply is missing or mangled.
Added Lancom and Check Point GAiA VSAs and updated 3Com and H3C VSAs in dictionary with the kind assistance of Philip Herbert.
Added new methods for inserting attributes in AttrList. Useful e.g. for Diameter AVP ordering.
Added Origin-AAA-Protocol to DiaAttrList. Updated DiaDict to always use DiameterIdentity, DiameterURI, IPFilterRule and QoSFilterRule as data type names instead of short forms.
Fixed a number of spelling mistakes.
Added support for authentication with Duo Security (https://www.duosecurity.com/). AuthBy DUO supports two-factor authentication provided by the Duo Security Auth API. A sample configuration file and a partial API simulator are included.
Registering an object by its Identifier in Configurable.pm is now done just before object loading finishes, not during object activation. This fixes the recently introduced problem where the configuration check gave incorrect results when Identifiers were used for references. Reported by Karl Gaissmaier.
Added iPass VSAs to dictionary.
DiaPeer and DiaClient now support adding Vendor-Specific-Application-Id attributes to the Diameter CER message.
Configurable now calls check_config for each module just before it is activated. Configuration checks done by modules within activate were moved to check_config so that they are also run when radiusd is invoked with the -c flag to check the configuration.
Updated sample certificates to expire Aug 14 11:37:20 2015 GMT.
Updated goodies/mkcertificate.sh to check for CA.pl availability.
Added precompiled Authen-Digipass ppm package for Perl 5.16 on Windows.
Added precompiled Authen-ACE4 ppm packages for Perl 5.16 on Windows.
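The Message-Authenticator that the new radpwtst -message_authenticator option adds is the RFC 2869 HMAC-MD5 of the whole packet, keyed with the shared secret, with the attribute's own 16 octets zeroed; a server that checks it can reject requests that were forged or altered by anyone without the secret. The following is an added example and not code from Radiator or radpwtst: it builds a constructed Access-Request (the secret, identifier and User-Name are made-up values), fills in the Message-Authenticator, and verifies it the way a receiver would, covering the tampered and missing-attribute cases.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
STATUS_SERVER = 12
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

def attr(atype, value):
    # One RADIUS attribute: Type, Length (covers the 2-octet header), Value.
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_packet(code, ident, authenticator, attrs, secret):
    """Append a Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed with the
    shared secret over the whole packet with the 16 MAC octets set to zero."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # replace the zeroed placeholder at the end

def find_message_authenticator(packet):
    """Return the offset of the Message-Authenticator value, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return None  # malformed attribute: stop instead of looping forever
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None

def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches the secret."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed demo value
    pkt = build_packet(ACCESS_REQUEST, 7, os.urandom(16),
                       [attr(ATTR_USER_NAME, b"alice")], secret)
    print(pkt.hex(), verify_message_authenticator(pkt, secret))
```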
Recompiled Authen-ACE4 ppm packages for Perl 5.14.
Added new global parameter BindV6Only. This optional parameter allows turning the IPV6_V6ONLY socket option on or off for IPv6 wildcard listen sockets. Defaults to undefined, in which case no setsockopt is done. See RFC 3493 for more about IPV6_V6ONLY.
Client clauses now support CIDR notation for IPv6 clients. For example: ipv6:2001:db8:1:2::/126 and ipv6:::ffff:192.168.1.0/120. It is recommended, but not required, to install Math::BigInt::GMP or Math::BigInt::Pari for faster matching. The default is to use the slower pure Perl implementation.
Updates in many goodies example and other files.
Added preliminary support for AuthBy DIAMETER. AuthBy DIAMETER converts RADIUS messages to Diameter messages and sends them to a Diameter server. Currently targets RFCs 4005 and 6733.
AuthBy DUO did not indicate that the request was handled asynchronously, causing problems with certain modules such as ServerTACACSPLUS. Reported by David LaPorte.
Enhanced radpwtst help output and options file support. The file format is now documented in the reference manual. The -time option now works even when the -notrace option is given.
Unnecessary DNS lookups were done when MAC: or CIDR Clients were defined, causing possible slowness during startup or ClientList refresh.
Testing with Strawberry Perl on Windows. Updated installation documentation and reference manual to include Strawberry Perl on Windows.

--
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.