Radiator revision history 4.0 ->

Revision 4.28 (2023-12-19) enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • VENDOR 14823 Aruba VSAs Aruba-PoE-Priority, Aruba-Port-Auth-Mode and Aruba-QoS-Trust-Mode now have symbolic names for their integer type values in the default Radius dictionary.
  • Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.
  • EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with OpenSSL 1.1.1 and later.

Detailed changes

  • Update the default Radius dictionary to include Juniper’s PON related and other attributes: Vendor code 4874, VSAs 141 Downstream-Calculated-Qos-Rate and 142 Upstream-Calculated-Qos-Rate, 143 Jnpr-Max-Clients-Per-Interface, 164 Unisphere-IPv4-Release-Control, 173 Unisphere-Service-Activate-Type and 174 Unisphere-Client-Profile-Name.
  • Update systemd service unit files for Radiator to show how to capture stderr and stdout to files for easier debugging. Also update the reference manual. See Debug in AuthBy LDAP2 for an example.
  • Review and update Docker files. Update installed packages and add comments to cover some scenarios.
  • RADIUS and RadSec HashBalance proxy algorithm now logs more details about next hop failures.
  • Enhanced logging for PAP messages created from EAP-GTC.
  • When TLS connections need to send alerts, the alerts are now sent in more cases before closing RadSec and other TCP or SCTP connections. Improve logging of Diameter and RadSec connections that have unacceptable header lengths.
  • When a RADIUS or Diameter dictionary entry contains unexpected characters, a warning is logged. Improve RADIUS and Diameter dictionary logging.
  • AuthBy REST no longer crashes when the server response is not a JSON object.
  • Diameter Hop-by-Hop and End-to-End identifiers now wrap correctly.
  • AttrVal::pclean function now returns an empty string when called with an undef value. This avoids later warnings where the processed value is logged.
  • The goodies configuration samples now include evaluation license directly. Previously this information required manual entry.
  • CachePasswords can now use a configurable key with a new configuration parameter CachePasswordKey instead of always using the current username.
  • Add new dictionary file dictionary.huawei-airengine in goodies. Attributes in this file are supported by Huawei’s AirEngine Access Points and Access Controllers. From this dictionary add attributes Huawei-Redirect-ACL, Huawei-IPv6-Redirect-ACL, Huawei-User-Extend-Info, Huawei-MUD-URL, Huawei-VIP-Level-ID, Huawei-EPIV-Info, Huawei-DPSK-Info, Huawei-TAG-Info, Huawei-Web-Authen-Info, Huawei-Ext-Specific and Huawei-Reachable-Detect to the default Radius dictionary.
  • EAP-TLS reject reason is now logged when the authentication fails but client still unsuccessfully tries to restart EAP-TLS handshake. Examples of possible failure reasons are unknown CAs and expired client certificates. Previously the original reject reason was not logged with restart failures.
  • AuthBy INTERNAL now supports StripFromRequest, AddToRequest and AddToRequestIfNotExist.
  • Update sample certificates to expire on Sep 13 12:31:29 2025 GMT. Add file VERSION in the top level Radiator distribution directory. The file tells Radiator version and patch level.
  • Fix two memory leaks seen with AuthBy REST. Leaks happened with Accounting-Request handling and when HTTP connections were unavailable.
  • Remove AuthRODOPI.pm because Rodopi billing system is obsolete and no longer in use.
  • Remove old match_keyword function from Configurable.pm. Minor cleanups.
  • Add support for parameters VendorAuthApplicationIds and VendorAcctApplicationIds in ServerDIAMETER. These set values within Vendor-Specific-Application-Id Diameter AVPs. Fix sending Acct-Application-Id AVPs when the AuthApplicationIds configuration parameter is defined but empty.
  • Add firewall manager profile files to goodies. Newly added files are for firewalld and ufw typically used with Red Hat and Ubuntu and their derivatives. These profiles cover Radius UDP ports 1645, 1646, 1812 and 1813, RadSec TCP port 2083, DIAMETER TCP and SCTP port 3868 and TACACS+ port TCP 49.
  • AuthBy SIP2 now supports new parameter Institution. This sets the value of AO parameter, institution id, in SIP2 patron messages. When Institution is not defined in the Radiator configuration, Radiator continues to use the ACS Status response to learn the institution id.
  • The first SIP2 authentication could fail immediately after Radiator startup. This is caused by a missing institution id in the first patron request Radiator sends to the ACS. Radiator now sends SC status message after ACS login to immediately learn the institution id value and only then starts composing the patron request.
  • Update VENDOR 26928 Aerohive attributes in the default Radius dictionary. New attributes are Aerohive-Data-Usage-Limit, Aerohive-AVPair, Aerohive-Radius-Code, Aerohive-User-Language, Aerohive-Time-Zone-Offset, Aerohive-Daylight-Saving-Offset, Aerohive-Client-Monitor-Session, Aerohive-Client-Monitor-Problem, Aerohive-IDM-Redirect-URL, Aerohive-MGT-MAC-Address and Aerohive-Auth-Source. Note that Aerohive documentation lists all vendor 26928 attributes with Extreme- prefix. Radiator continues to use Aerohive- prefix for backwards compatibility.
  • Add VENDOR 14122 Wireless Broadband Alliance (WBA) attribute WBA-Custom-SLA to Radius dictionary.
  • %{Client:name} format and Client-Identifier check item now use ServerTACACSPLUS values with those TACACS+ derived requests that do not match a specific Client clause.
  • Fix AuthBy FIDELIO and fideliosim.pl which were broken by changes in Radiator 4.26.
  • Update VENDOR 10415 3GPP Radius attributes to include the latest Release 17 definitions: Add new 3G/LTE internetworking attributes 3GPP-UE-Local-IP-Address and 3GPP-UE-Source-Port. Add 5G internetworking attributes 3GPP-DNAI, 3GPP-RSN, 3GPP-Session-Pair-Id and 3GPP-Charging-Id-v2. Add new 3GPP-RAT-Type values.
  • HTTPClient, used for example by AuthBy REST, now immediately acts on HTTP Connection: close header. The connection is avoided for sending and directly closed instead of waiting for a peer initiated TCP shutdown.
  • Add VENDOR 40808 Wi-Fi Alliance (WFA) attributes WFA-HS20-Roaming-Consortium, WFA-HS20-Terms-And-Conditions-Filename, WFA-HS20-Terms-And-Conditions-Timestamp, WFA-HS20-Terms-And-Conditions-Filtering, WFA-HS20-Terms-And-Conditions-Server-URL. WFA-HS20-Roaming-Consortium is contributed by Stefan Paetow. The other attributes are based on values in wpa_supplicant. Add value Release-3 for attribute WFA-HS20-AP-Version. The newly added attributes should now provide support for Passpoint release 3.
  • Add VENDOR 14122 Wireless Broadband Association (WBA) attributes WBA-Offered-Service, WBA-Financial-Clearing-Provider, WBA-Data-Clearing-Provider, WBA-Linear-Volume-Rate and WBA-Identity-Provider. Note that for historical reasons this vendor id is named as WISPr and the previously defined WISPr-prefixed attributes share the same vendor id with the newer WBA-prefixed attributes.
  • Add Protocol-Error Radius packet type from RFC 7930 to known packet types.
  • Update vendor 14823 Aruba, 29671 Meraki and 25461 PaloAlto Radius dictionary entries.
  • Add aliases Aruba-Port-Id and Aruba-Template-User for Aruba-Port-Identifier and Aruba-MMS-User-Template. Add new VSAs Aruba-Auth-SurvMethod, Aruba-AP-MAC-Address, Aruba-Device-MAC-Address and Aruba-PVLAN-Port-Type from Aruba, AOS 10 and AOS-CX 10 documentation. Add values for existing VSAs Aruba-PoE-Priority, Aruba-Port-Auth-Mode and Aruba-QoS-Trust-Mode.
  • Add Meraki VSAs 2, 3 and 4: Meraki-Network-Name, Meraki-Ap-Name and Meraki-Ap-Tags.
  • Add PaloAlto VSAs 6 – 10: PaloAlto-Client-Source-IP, PaloAlto-Client-OS, PaloAlto-Client-Hostname and PaloAlto-GlobalProtect-Client-Version.


Revision 4.27 (2022-12-21) major TLSv1.3 features and updates, other enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • Significant LDAP updates to connection and TLS handling.
  • Red Hat Enterprise Linux 9 and its derivatives are now supported.
  • Ubuntu 22.04 is now supported.
  • Session resumption is enabled for EAP-TLS with TLSv1.3 but remains disabled for the other TLS based EAP methods.
  • TLSv1.3 is supported by EAP-TLS, EAP-TTLS and PEAP but remains disabled by default.
  • TLSv1.3 is tested with RadSec and other Stream modules but remains disabled by default.
  • Radiator can log TLS key material to a file to allow fully decrypting EAP and Stream SSL/TLS sessions.
  • TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured.
  • Fix and enhance EAP-FAST. Requires Net::SSLeay 1.94 or later with OpenSSL 1.1.1 and later.
  • Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.
  • EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with OpenSSL 1.1.1 and later.

Detailed changes

  • Add Windows Server and Microsoft SQL Server specific TOTP configuration samples in goodies.
  • Update Docker files in goodies directory. Change Centos 8 to AlmaLinux 8, add Alma Linux 9, Ubuntu 22.04 and Windows Server Core 2022.
  • Fix EAP-FAST with TLSv1.1 and TLSv1.2. Requires Net::SSLeay 1.94 or later when OpenSSL version is 1.1.1 or later. Allow server authenticated EAP-FAST to work without PAC.
  • Enhance handling of LDAP server name resolution, TLS configuration, failure backoff handling and logging. When using a DNS name to connect to the LDAP server, the name can now be resolved before connecting with the new flag parameter ResolveHost. When a name has multiple addresses, a connection attempt is made to each address until a working server is found. Failure backoff is kept separately for each resolved address. SSLExpectedServerName now supports multiple values that are used together with Host entries.
  • Update generate-totp.pl to do URI escaping when creating QR codes. Previously QR code URI components were not escaped causing problems when issuer and accountname contain special characters. Add support for defining QR code image file name.
  • Updated deprecated MySQL GRANT syntax in goodies examples. Beginning with MySQL 8.0, CREATE USER is needed before GRANT.
  • AuthPLSQL.pm goodies module parameter binding broke when the module was updated in Radiator 4.25 to work with Perl 5.22 and later. Values were left unchanged between query executions.
  • Added VENDOR 42229 Coriant with a number of Coriant prefixed attributes to the default RADIUS dictionary. These may also be under name Infinera in some sources. Infinera acquired Coriant in 2018.
  • Fix uninitialised log trace id triggered by log level changes with USR1 and USR2 signals. Make ServerTACACSPLUS log level for immediate disconnects follow DisconnectTraceLevel parameter. Update builddbm to work outside of Radiator installation directory similarly to radpwtst. Report and contributions by Patrik Forsberg.
  • Update CEF logging in LogFormat.pm. CEF authentication and accounting log messages now add original username, if present, in log messages. Any non-printable octets in CEF log messages are now escaped similarly to packet dumps. This satisfies UTF-8 encoding requirement. Enhanced escaping and whitespace handling.
  • Minor updates to tests to address SHA-1 deprecation in Red Hat Enterprise Linux 9. Packages are now built for RHEL9 compatible systems.
  • Reject EAP-TLS authentication when post handshake TLS data is received in the final acknowledgement after a successful TLS handshake. No data is needed in this case and its presence is an indication of message corruption, TLS alert or something else unexpected.
  • Session resumption is now supported with EAP-TLS when TLSv1.3 is negotiated. Resumption is prepared for EAP-TTLS and PEAP and will be enabled when more interoperability testing is done.
  • EAP-TLS now supports TLSv1.3 as described in RFC 9190. EAP-TTLS and PEAP support TLSv1.3 based on draft-ietf-emu-tls-eap-types. Session resumption remains disabled for all TLS-based EAP methods with TLSv1.3 and will be enabled separately.
  • TLS-based EAP methods now support TLSv1.3 key exporter needed for MS-MPPE-Send-Key, MS-MPPE-Recv-Key and EAP-Key-Name attributes and other uses.
  • TLS state tracing for EAP and Stream modules is now enabled with configuration parameters EAPTLS_TraceState and TLS_TraceState or when TLS message logging is not available. TLS message logging requires Net::SSLeay 1.92 or later.
  • StreamTLS based modules, such as RadSec, now log and respond better to TLS alerts and handshake messages. TLS alerts are now sent in more cases instead of directly closing the stream transport connection. Logging of TLS events is enhanced and more testing is done with TLSv1.3.
  • TLS based Stream classes, such as RadSec, now support TLS_Ciphersuites configuration parameter that sets allowed cipher suites for TLSv1.3. This parameter is similar to TLS_Ciphers which sets the allowed cipher suites for TLSv1.2 and earlier versions.
  • ServerTACACSPLUS log level for client initiated connection terminations is now DEBUG. It’s normal for the client to close TACACS+ connection. This returns the logging level back to what was used with release 4.20 and earlier. Update NTLM and related Samba winbind configuration instructions in goodies.
  • Add support for SSL_CTX_set_keylog_callback that enables Radiator to log TLS key material. This allows fully decrypting EAP and Stream SSL/TLS sessions, including those that use forward secrecy. TLS keylog should only be used for debugging to avoid security issues. See the reference manual for new parameters EAPTLS_KeylogFilename and TLS_KeylogFilename. Requires Net::SSLeay 1.92 or later.
  • TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured. Requires Net::SSLeay 1.92 or later.
  • Enhance Ansible playbooks to use operating system families. Instead of listing, for example all Red Hat Enterprise Linux variants, use RedHat family to cover them all.
  • radpwtst can now send empty EAP-GTC and EAP-OTP responses when needed. Use TLS_Protocols parameter more consistently in goodies samples and recommend it over UseTLS. Replace non-ASCII characters in goodies and other text files with printable ASCII characters.
  • Update the default Radius dictionary with the following 5G attributes from VENDOR 3GPP TS 29.561 v16.8.0: 3GPP-VLAN-Id, 3GPP-TNAP-Identifier, 3GPP-HFC-NodeId, 3GPP-GLI, 3GPP-Line-Type, 3GPP-NID and 3GPP-GCI.
  • Add VENDOR 2011 Huawei attributes Huawei-User-Group-Name, Huawei-User-Service-Type and Huawei-Web-URL to the default Radius dictionary. Add new dictionary file dictionary.huawei2 to goodies directory. This file was received from the vendor and contains attributes used by NetEngine 8000 series and possibly other devices.
  • GossipRedis can now send a Redis ECHO command to probe and keep a connection active. Probing is disabled by default and is enabled with ProbeTimeout GossipRedis configuration parameter.
  • Update Redis session database sample file in goodies.


Revision 4.26 (2021-10-29) new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • TLSv1.3 is currently disabled for AuthBy DUO.
  • AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAPv2 is supported with MSCHAPv2 conversion. Encrypted PIN is now supported for PAP, EAP-OTP and EAP-GTC.
  • Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
  • EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.

Detailed changes

  • AuthBy LSA in Radiator 4.24 and 4.25 could crash when Group parameter was not directly configured and LSA group membership check was called from another module, such as AuthBy FILE. Reported by Viktu Pons i Colomer.
  • Radiator now actively closes Diameter peering when Capabilities-Exchange-Answer (CEA) with unsuccessful Result-Code or E flag is received. Previously it was assumed that peer closes the connection. This keeps the non-working peering from being used for sending requests.
  • Fixed a memory leak in SNMP client. The problem is seen on systems that use Perl 5.16, such as Red Hat Enterprise Linux 7 and CentOS 7. For details, see Perl5 Github issue 12309, originally RT 114340.
  • Fix typos in proxy.cfg and package default config file in goodies. Add missing DbDir and LogDir to addressallocator.cfg and n7k-radius.cfg configuration samples.
  • AuthBy DUO with CheckTimerInterval set to zero no longer remains in failed state infinitely. New parameter FailureBackoffTime sets the time the API is considered unavailable. Thanks to Alexander Hartmaier for reporting the problem and suggestion for a fix.
  • AuthBy REST now supports special format characters in URL parameter.
  • Added VENDOR 4115 Arris with a number of Arris prefixed attributes to the default RADIUS dictionary.
  • Updated sample certificates to expire on September 16 2023.
  • Updated RADIUS proxying configuration samples to include Asynchronous parameter to make the AuthBys work similarly to other AuthBys. The default behaviour is to return IGNORE after proxying which complicates configurations with multiple grouped AuthBys.
  • PostProcessingHook, AddToReply and other related adjustments configured for a Handler are now done before AuthLog is called. This makes changes done by Handler visible for logging. If a hook or some special configuration triggers a direct reply, any attempts to send again the same reply are no longer logged with AuthLog or AcctLog.
  • AuthBy DUO now disables TLSv1.3 to avoid the blocking problem described by Alexander Hartmaier on the Radiator mailing list in June 2021. TLSv1.3 can be re-enabled in a future Radiator version when a fix is available.
  • Minor enhancement and optimisation to AuthGeneric.pm AuthenProto parameter use. Various logging and goodies updates and fixes to warnings triggered by User-Name not being present in requests.
  • AuthBy SQLTOTP now supports PIN, also called static password, that is stored in a format supported by Encrypted-Password check item. Enabled with EncryptedPIN configuration flag parameter. Supported with PAP, EAP-OTP and EAP-GTC.
  • AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAP-V2 is supported by conversion to MSCHAPv2.
  • HTTPClient now properly handles HTTP chunked encoding.
  • Fix diapwtst -dictionary command line parameter that was broken in release 4.25.
  • AuthBy DNSROAM used ‘mysecret’ as the default shared secret. It now uses ‘radsec’ as required by the RadSec RFC 6614. Updated the reference manual and dnsroam.cfg and dnsroam.txt in goodies.
  • TLS_Ciphers and TLS_Protocols did not have any effect in AuthBy DNSROAM configuration. Reported by Paul Dekkers.
  • Proxy algorithm LOADBALANCE no longer does infinite retries with certain configurations. With the kind help of Frank Danielson.
  • Enhanced logging for all EAP methods and especially for TLS based EAP methods. TLS handshake states and other related information is now logged in text instead of numeric values. Clarified and unified log messages related to TLS alerts and errors. Updated eaptls_resume_post_auth_hook.pl in goodies.
  • Connections accepted by StreamServer can now have a maximum limit. This also allows them to be distributed equally between worker processes when ServerFarm is enabled. The limit is set with StreamMaxClients configuration parameter that is available for all StreamServer derived classes such as ServerDIAMETER.
  • radpwtst, tacacsplustest and other utilities, that use FindBin module to find Radiator installation location, can now be used via symbolic links. Suggested by Patrik Forsberg.
  • Fixed a possible crash if an actively used certificate file or its private key is removed or they no longer match each other. This can be caused by a local change, such as an administrator moving files.
  • AuthBy DIAMETER and Carrier module DiaPeerDef no longer crash when OCSP check is enabled.
  • StreamTLS OCSP defaults were not correctly applied for cache time, cache size and other values. Minor updates to unify PEAP and EAP-FAST error handling with other TLS based EAP methods. This is to allow unifying logging for TLS based EAP methods.
  • Enhanced logging for Stream based modules for protocols such as RadSec, Tacacsplus and Diameter. Log messages now have more consistent information about the module, including its identifier. TLS handshake states and other related information is now logged in text instead of numeric values.
  • All LDAP clauses now support LDAP over TLS and Start TLS debugging. The debug messages are written to STDERR and are not visible in Radiator’s log. See DebugTLS in Radiator reference manual and ldap.cfg file in the goodies directory.
  • Unknown RADIUS request codes are now detected and ignored earlier by radpwtst and radiusd.
  • Updated cisco-avpair VSA handling samples in the goodies directory. New hook sample create-cisco-cmd.pl was created based on the old createavpairs.pl. createavpairs.pl was re-created from a sample in hooks.txt. Also updated radminTacacs.cfg to match the updated hooks.
  • Added VENDOR 674 Dell VSA Dell-Group-Name to the default RADIUS dictionary. Used with Dell EMC devices.
  • Configuring the HTTPClient.pm RequestHeader parameter caused an immediate crash. Added HTTP_Version parameter, which allows configuring HTTP/1.0 and HTTP/1.1.
  • Enhanced multiple goodies files to clarify comments, instructions, file paths and command samples.
  • Log FILE and Log SYSLOG now skip logging when LogFormatHook returns undef. This allows suppressing log messages with LogFormatHook.
  • Ansible playbooks for deploying and managing Radiator now import Radiator Software product signing key.
  • Mikrotik attribute name Mikrotik-DHCP-Option-Param-STR2 was incorrectly spelled as Mikortik-DHCP-Option-Param-STR2 in the default dictionary. Reported by Eddie Stassen.

Revision 4.25 (2020-10-20) new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker directory.
  • Ansible playbooks for installing, upgrading and managing Radiator with Ansible were added in goodies Ansible directory.
  • Added initial support for RFC 6929 and 8044 formats and data types. If a vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 244.26 is received but it is not present in the dictionary, it is now named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts with the Vendor-Id octets. Naming may change in the future Radiator releases.
  • Hash balance proxy algorithm was significantly enhanced.
  • Oracle Linux is tested to work with the el7 and el8 packages.
  • New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu 20.04.
  • Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now an alias. The preferred name is Web-Application-Security-Administrator.
  • BindV6Only update may in rare configurations change existing behaviour. If you have BindV6Only enabled, see startup debug messages for affected listen sockets.

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
  • EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.

Detailed changes

  • Added Win32-Lsa module for 64bit Strawberry Perl 5.32.
  • When a Status-Server request is received from a known client without a Message-Authenticator, Radiator now logs a warning before the request. Previously these requests were ignored without any logging. Noted by Michael Hulko.
  • DiaClient no longer creates zero length Destination-Host and Destination-Realm AVPs when child classes leave their DestinationHost and DestinationRealm configuration parameters unset. This affects DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy AKAWX which now have better control setting the values for the AVPs. This reverts the behaviour to how Radiator 4.16 and earlier worked.
  • Removed DupInterval 0 from all goodies configuration samples. This is no longer needed even for testing because duplicate detection has for a long time used methods recommended by RFC 5080. Updated AuthBy ACE configuration information.
  • Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker directory. Docker containers based on these files have Radiator and Radius::UtilXS installed, and single Radiator instance running when container is run. Multiple Radiator instances can be run by running multiple Docker containers.
  • Added vendor specific attributes needed by Ruckus ICX devices. For VENDOR 1991 Foundry: Foundry-COA-Command-List, Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus: Ruckus-FlexAuth-AVP.
  • Updated Radiator MSI package to use Strawberry Perl 5.32.0.1 and Radius::UtilXS 2.3-1.
  • Added initial support for RFC 6929 and 8044 formats and data types. Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the default RADIUS dictionary. Added vendor specific attributes for VENDOR 6527 Nokia (formerly ‘Alcatel-Lucent’) that are encapsulated within IANA attribute 241 Extended-Type-1.
  • Received extended attributes use dictionary names as usual. If a vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 244.26 is not present in the dictionary, it is now named as Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts with the Vendor-Id octets.
  • Attributes added with names such as Extended-Type-1 and Extended-Vendor-Specific-1 are packed without further processing of the value. This is similar to how packing was done previously.
  • Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN and Juniper-CWA-Redirect-URL to dictionary.
  • Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the default RADIUS dictionary.
  • Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to dictionary.
  • Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary for VENDOR 1556 Sonus Networks. This vendor code was previously assigned to Performance Technologies, Inc.
  • Updated EAP-TLS NoCheckId documentation and configuration sample.
  • AuthByHASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now distribute requests more equally among remaining next hop hosts when a next hop host fails. Previously the requests destined to a failed host were proxied to only one of the remaining hosts.
  • Added instructions how to edit Radiator Software Ansible playbooks to support other Linux distributions like Oracle Linux.
  • Radiator’s Radius::UtilXS package now provides an interface to AES functions required by SIM pack. This allows using OpenSSL or LibreSSL instead of Crypt::Rijndael.
  • Updated configuration samples to work without changes when using RPM or deb packages. LogDir, DictionaryFile, certificate location and other settings now point to locations the packages use and create.
  • Ansible playbooks for deploying Radiator from RPM/deb packages and managing Radiator instances.
  • DictionaryFile, ClientListSQL flags column, and some other configuration parameters that use a comma to separate file names and other arguments, now allow spaces around the comma.
  • Enhanced virtual systemd service (radiator-instances.service) to control multiple instances without a need to change service file configuration. This change offers an enhanced feature but does not affect previous functionality.
  • Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the default Radiator dictionary. Updated VENDOR 5 Acc attributes based on draft-ilgun-radius-accvsa-02.
  • Added a new dictionary file dictionary.cambium-motorola-161 in goodies. This file includes Motorola-Canopy and Cambium-Canopy attributes contributed by Brandon Shiers. These attributes are in a separate file because the default dictionary already contains Motorola WiMAX attributes which use the same overlapping vendor number 161.
  • Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support. Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061 version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and 3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.
  • DiameterDictionaryFile attributes are now added to all dictionaries in addition to base dictionary. ServerDIAMETER now uses Diameter dictionary of Diameter request or answer when converting to and from Diameter and Radius. Previously base dictionary was used for conversion. Enhanced debug log messages and simplified code related to loading and using dictionaries.
  • Updated VENDOR Mikrotik 14988 attributes with the latest additions.
  • Updated VENDOR Aruba 14823 attributes with the latest additions.
  • Multiple dictionary updates: New file dictionary.nokia-637 was added for vendor 637 Nokia (formerly ‘Alcatel-Lucent’) for those attributes that do not use the special ‘format=2,1’ vendor 637 attributes use in the default dictionary.

Added attributes from multiple vendors to the default dictionary:
Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with a number of CVPN5000 prefixed attributes.
Added VENDOR Adtran 664 with a number of Adtran prefixed attributes.
Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband Service Manager attribute CBSSM-Bandwidth.
Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.
Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.
Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.
Added VENDOR Ericsson-PCN 10923 for attributes registered for vendor Ericsson AB – Packet Core Networks. Added a number of attributes prefixed with Ericsson-PCN prefix.
Added VENDOR Sandvine 11610 with Sandvine-Group attribute.
Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
Added VENDOR Overture-4200-4300 16943 with Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
Added VENDOR CyanInc 28533 with CyanInc-User-Roles and CyanInc-Acct-Event-Text attributes.

  • Added to default Radius dictionary a number of Extreme fabric attach VSAs that are defined as VENDOR 562 Nortel. Added VSAs Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and Annex-Commands for Extreme and Avaya devices that are defined as VENDOR 1584 Bay-Networks. These all use names that do not follow the de-facto VSA naming. Fixed a harmless warning in radpwtst if a reject or interactive challenge did not contain a Reply-Message attribute.
  • ClientListSQL now disconnects automatically from DB during server startup when server farm is configured with FarmSize. This avoids passing DB handle copies to farm workers which could cause errors with subsequent DB access.
  • Fixed a memory leak in ServerDIAMETER where a small amount of memory was leaked with every connection. Initial CER timeout logging now also honours log level set with DisconnectTraceLevel.
  • AuthBy REST and other modules based on HTTPClient now honour DisconnectTraceLevel to control how closed connections are logged. AuthBy REST now logs peer initiated disconnects with DEBUG level.
  • Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606 Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess (Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs for VENDOR 7483 Tropic and VENDOR 30065 Arista.
  • SQL clauses now support a separate timeout for connects and disconnects. Some databases may leak resources, such as file descriptors, when Radiator times out a connection before the DB driver does. With the new parameter ConnectTimeout, the SQL connection timeout can differ from Timeout, which is used for SQL queries.
  • Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan, attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4, Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.
  • Added a script in goodies to create CHAP challenge for direct Monitor port access. More logging updates to LDAP ServerChecksPassword failures.
  • Improved AuthBy LDAP2 logging when ServerChecksPassword triggers authentication failure because of bad password.
  • ServerTACACSPLUS now logs more details about connections that get immediately closed after being established.
  • Minor updates to LSA and NTLM configuration samples.
  • Added VENDOR Incognito 3606 VSAs to dictionary.
  • Updated VENDOR 3375 F5 VSAs in Radiator default dictionary. Attribute F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name Policy-Editor for F5-LTM-User-Role value 800 is now an alias for name Web-Application-Security-Administrator, which appears to have been used since BIG-IP 10.x, first released in 2009.
  • SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and StatsType and OutputFormat in StatsLog clauses now support configuration time % formatting typically used with %{GlobalVar:name}.
  • Fixed deprecated syntax in goodies file AuthPLPSQL.pm.
  • Fixed a warning triggered by LDAP modules during configuration loading when UseSSL was set and Port was configured with a % formatted value.
  • Updated radiusd so that it tries to locate Radius::UtilXS similar to how radpwtst already does. This helps manual configuration testing on systems that use packages.
  • AuthBy NTLM can now rewrite the username that is passed to ntlm_auth. Example use is Wi-Fi roaming where roaming username can not be directly used with Windows authentication because of local naming conflicts with roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and Radiator reference manual. Updated other AuthBy NTLM configuration samples. This is similar to what was added to AuthBy LSA in release 4.22.
  • StatsLog and ClientList periodic updates are now scheduled based on server start time to avoid slowly occurring time drift between the runs. With FarmSize configuration, it’s now possible to configure a spacing between worker runs to avoid synchronisation across all farm members. This is supported by StatsLog and ClientList clauses with FarmWorkerSpacing configuration parameter.
  • Updated test.pl to be more reliable in finding Radiator modules with CentOS 6 and other systems with Perl earlier than 5.16.
  • When a Stream connection, such as RadSec or Diameter, is closed, the log message level can now be configured with DisconnectTraceLevel parameter. This avoids unnecessary high level log messages when frequently closed connections are normal.
  • Fixed configuration file include directive to work with directories that have whitespace characters, such as “Program Files”. Enhanced include’s error detection and logging in case of unreadable directories and other problems reading the files. A warning is now logged if a wildcard, such as ‘include/*.cfg’, does not expand to any files.
  • Updated RADIUS attribute encoding and decoding to be more flexible with vendor specific formats. This allows, for example, overriding VENDOR 637 Nokia VSA format to use 1 octet long VSA type field instead of forcing hardcoded 2 octets.
  • StreamTLS server now logs more information about failures, for example, when the TLS version is not acceptable or when a client certificate was required but not received. Reported by Stefan Paetow.
  • StatsLog clauses now support StatsExcludeObject and StatsInclude. These allow, for example, skipping statistics for all Clients while still supporting exceptions for certain clients. See example in statslog.cfg in goodies.
  • Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to dictionary.
  • Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.
  • Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was introduced in release 4.22 and causes TLS, remote host IP and other settings to remain uninitialised. As a result RadSec started by DNS roaming connects nowhere.
  • BindV6Only global configuration parameter now covers proxy listen sockets, Gossip UDP listen sockets and Stream server listen sockets, such as RadSec server socket.
  • TLS modules logged the system error string corresponding to errno for some errors even when errno did not hold a useful value. This resulted in misleading log messages.
  • Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer required. HMAC calculation is done directly with Digest::SHA or Digest::MD5.
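The change above replaces the Digest::HMAC wrapper with HMAC computed straight from the hash primitive. The following is an added example, not Radiator code, showing that construction (RFC 2104) in Python on top of hashlib, cross-checked against Python's own hmac module; the RFC 2202 test vectors used in the main block are the only inputs, and the Message-Authenticator mention is the RADIUS use of HMAC-MD5, not a description of Radiator internals.

```python
# Added example (not Radiator code): HMAC built from a bare hash function,
# the RFC 2104 construction that Digest::HMAC wrapped and that the server now
# performs directly on top of Digest::SHA / Digest::MD5.
import hashlib
import hmac as stdlib_hmac


def hmac_from_digest(key: bytes, message: bytes, hash_name: str) -> bytes:
    """Compute HMAC(key, message) using only the named hash primitive.

    hash_name is any hashlib name ('md5', 'sha1', 'sha256', ...).
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5, SHA-1, SHA-256
    # Keys longer than one block are first hashed down to the digest length.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # The key is then zero-padded to exactly one block.
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def hmac_md5_hex(key: bytes, message: bytes) -> str:
    """HMAC-MD5, the primitive behind the RADIUS Message-Authenticator attribute (RFC 2869)."""
    return hmac_from_digest(key, message, "md5").hex()


def hmac_sha1_hex(key: bytes, message: bytes) -> str:
    return hmac_from_digest(key, message, "sha1").hex()


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check against Python's own HMAC, compared in constant time."""
    ours = hmac_from_digest(key, message, hash_name)
    reference = stdlib_hmac.new(key, message, hash_name).digest()
    return stdlib_hmac.compare_digest(ours, reference)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-MD5 and HMAC-SHA-1 (inputs taken from that RFC).
    print(hmac_md5_hex(b"\x0b" * 16, b"Hi There"))   # 9294727a3638bb1c13f48ef8158bfc9d
    print(hmac_sha1_hex(b"\x0b" * 20, b"Hi There"))  # b617318655057264e28bc0b6fb378c8ef146be00
    print(matches_stdlib(b"k" * 200, b"long key case", "sha256"))  # True
```

The long-key branch matters in practice: a shared secret longer than the hash block size must be hashed first, or the two sides compute different MACs. Comparing MACs with a constant-time function, as `matches_stdlib` does, is the habit to keep when verifying received Message-Authenticator values.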
  • Updated expiration timestamps in users. Expired timestamps caused test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.
  • test.pl now requires more modules to be present and tries to automatically run MSCHAP tests.
  • Enhancements to AuthBy DUO Failmode. Failmode no longer applies to non-success API return codes that relate to problems with requests sent by Radiator. Improved Failmode related API reachability and error logging and handling.
  • Log messages now use separate ip/hostname and port instead of ip:port format which is confusing with IPv6 addresses.
  • Radiator now logs a warning if a RADIUS client is defined multiple times. This may happen, for example, when a client is defined in both configuration file and ClientListSQL.
  • IPv6 address did not work as a LDAP Host parameter value because LDAP port number was directly appended to Host parameter values during connect. Appending port is allowed by Net::LDAP API but was not done correctly with IPv6 LDAP server addresses. Port is no longer appended and it’s passed only as a separate parameter. LDAP log messages were enhanced.
  • AuthBy FREERADIUS now handles Cleartext-Password check item as a password check item when the new flag configuration parameter ConvertCleartextPassword is set. Updated configuration sample freeradius.sql in goodies to enable the newly added parameter by default. Did other minor updates in the configuration and AuthBy module.
  • Fixed a memory leak in TLS based EAP methods and Stream classes, such as RadSec, where CRL file loading and re-loading did not free temporary resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan Tomasek.

Revision 4.24 (2019-12-09) new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • Added configuration parameters TLS_SecurityLevel and EAPTLS_SecurityLevel and calls to set accepted TLS version ranges. This allows for Radiator module level control of desired TLS settings without modifications of system defaults.
  • ClientListSQL configuration can now be simplified with ClientColumnDef parameters.
  • AuthBy SQLHOTP and SQLTOTP SQL query parameter support was added.
  • Dynamically updated Diameter RealmTable for request routing and forwarding is now available for advanced Diameter applications.
  • Added a new configuration flag parameter IgnoreIfMissing.
  • Added a new check item ExistsInRequest for matching requests by attribute presence. Useful for Handlers.
  • Added new AuthBy REST, which is built on a new class called HTTPClient.
  • Packages are now available for Red Hat Enterprise Linux 8 and CentOS 8 and Debian 10 (Buster).
  • Added configuration guide and samples for SecureW2 integration.

Known caveats and other notes

  • TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
  • EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.

Detailed changes

  • AuthBy SIP2 sometimes parsed ACS server responses incorrectly causing incorrect authentication rejects.
  • Stream modules that use TLS, such as RadSec, now log the negotiated TLS version and cipher, similar to what TLS based EAP methods already do. Short inner EAP messages received by EAP-TTLS and PEAP are now caught earlier, instead of in the generic EAP module.
  • Added new configuration parameters TLS_SecurityLevel and EAPTLS_SecurityLevel to control TLS library’s security level settings. See OpenSSL manual for SSL_CTX_set_security_level() for more about security levels. When TLS_Protocols or EAPTLS_Protocols is configured to set the desired TLS versions, TLS library’s Net::SSLeay::CTX_set_min_proto_version and its ‘max’ counterpart are automatically called. The security level and TLS version settings may be needed on systems with strict defaults. For example, Debian 10 sets the default minimum TLS version to 1.2 and security level to 2. This may be too restrictive with older EAP clients or Diameter and RadSec peers. Support for min/max_proto functions was added in Net::SSLeay 1.83.
  • Updated Lancom and Aerohive attributes in the default dictionary. Aerohive products appear to use attribute 1 for different purposes. For this reason the newly added Aerohive-User-Vlan is an alias for the existing AH-HM-Admin-Group-Id. Both names are usable as reply attributes, but incoming attributes remain named AH-HM-Admin-Group-Id. Thanks to Stefan Winter for the updated information.
  • Added two new modules that allow temporarily denying logins for users that were rejected because of repetitive bad passwords. These are initial versions of AuthBy FAILUREPOLICY and AuthBy SQLFAILUREPOLICY, with more enhancements done in subsequent Radiator releases. See failurepolicy.cfg in goodies for a sample configuration.
  • Added radiator-instances.service to goodies. This is a systemd unit configuration file for a virtual service for managing all Radiator instances. It works in conjunction with the radiator@.service unit file.
  • Added 25 VSAs in the default dictionary for VENDOR 12356 Fortinet.
  • Updated sample certificates to expire on November 10 2021.
  • ClientListSQL now supports new configuration parameter ClientColumnDef. This allows for more simple and flexible configuration. Updated ClientList modules based on perlcritic reports.
  • Updated AuthBy SQLHOTP and SQLTOTP to support SQL query parameters. Enhanced the configuration for both to refuse token lengths shorter than 4 and clarified documentation of Require2Factor and the SQL token active field. Other minor updates to SQL schema, sample configurations and code based on perlcritic.
  • ClientListSQL and ClientListLDAP can now fetch TACACSPLUSKey parameter. This allows Clients to have separate values for RADIUS shared secret and TACACS+ key.
  • Check items with regular expression values now use s modifier by default. This allows dot to also match newline.
  • An instance of RealmTable is now dynamically updated for Diameter peerings used by Radiator 3GPP AAA Server and other advanced Diameter applications. This RealmTable is available for Diameter request routing and forwarding for those Diameter peers that are configured with DiaPeerDef clauses supported by Radiator Carrier Pack.
  • Added RealmTable.pm for generic support for realm routing tables. This can be used with Radius and Diameter to dynamically or statically build routing tables that support quick lookups from a large number of destinations. Aggregates and regexp based lookups are supported. See realmtable.pl in goodies for a sample application.
  • Minor fixes: enhance Radius::SCTP support detection and address messages triggered by recently enabled warnings pragma.
  • Radiator’s Radius::UtilXS package now provides an interface to DES functions in OpenSSL and LibreSSL. These alternative functions are automatically used when Radius::UtilXS is available. Radius::UtilXS package is available from Radiator downloads.
  • Digest::MD4 is no longer strictly required with MSCHAP related authentication methods. An alternative MD4 digest implementation is now provided by Radiator’s Radius::UtilXS package. This package is available from Radiator downloads.
  • Added new configuration parameter LeavePassword. LeavePassword is similar to ConsumePassword but leaves beginning of password unchanged and extracts a portion of password from the end.
  • Added integration guide and configuration files for configuring Radiator Software’s RADIUS Server for EAP-TLS using SecureW2 PKI.
  • Added Win32-Lsa module for 64bit Strawberry Perl 5.30. Updated Radiator MSI package to use Strawberry Perl 5.30.0.1.
  • Added new configuration flag parameter IgnoreIfMissing. This parameter is somewhat similar to the previously existing parameter AcceptIfMissing. If the user is not present in the user database, this parameter causes the enclosing AuthBy to return ignore instead of reject. When multiple AuthBys are configured, this allows lookups to continue until the user is found while accept or reject is returned immediately. Suggested by Christian Meutes and Alexander Hartmaier.
  • When PacketTrace is set for a proxied request, the corresponding reply from a proxy now inherits the trace setting and is logged with trace level 5. With RadSec, the proxied request is now also logged with trace level 5.
  • Updated vendor Ruckus attributes in dictionary. Contributed by Michael Newton.
  • Added new check item ExistsInRequest. This is mostly used in Handlers to help matching requests based on attribute presence irrespective of their content. For example, <Handler ExistsInRequest=EAP-Message> selects all EAP requests. Simple alternation is also supported: <Handler ExistsInRequest = OSC-Rate-Limit-Day|OSC-Rate-Limit-Night> matches requests that have one or both of the attributes.
  • RADIUS attribute names are now checked for uncommon characters. Unexpected names are accepted and a warning is logged when the dictionary is loaded.
  • Locked Radiator distribution now honours Windows Service Control Manager state changes when expiry date or other limits have been reached. Previously Locked Radiator service became unstoppable when limits were reached.
  • Added new class called HTTPClient which implements a flexible and asynchronous HTTP and HTTPS client. Added new HTTPClient based AuthBy REST for sending authentication and accounting requests over a REST interface.
  • Added support for using different back ends for random generation. The currently preferred source is Net::SSLeay with the default being Perl core rand.
  • AuthDN in AuthBy LDAP2 now supports %0 special. This is replaced with DN escaped value of currently authenticated username. Added special formatters %{LDAPDN:…} and %{LDAPFilter:…} for escaping values with LDAP DN and filter rules. Fixed ServerChecksPassword error logging to be correct about failure reason when no result was received from server because of, for example, unexpected disconnection. Similar changes, and return value unification, were done to function checkPassword for custom code uses. Trailing NUL octets are no longer stripped from attributes received from LDAP. Addressed results reported by Perl::Critic.
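The DN and filter escaping that the %{LDAPDN:…} and %{LDAPFilter:…} formatters and the DN-escaped %0 provide is the difference between a username being a value and being LDAP syntax. Below is an added example, not Radiator code, that writes the two escaping rules out in Python: filter values per RFC 4515, DN values per RFC 4514. The base DN, the filter shape and the sample usernames are constructed; the names `build_auth_dn` and `build_user_filter` are this example's own.

```python
# Added example (not Radiator code): the escaping that %{LDAPFilter:...} and
# %{LDAPDN:...} exist to provide. Filter escaping follows RFC 4515, DN escaping
# RFC 4514. The base DN and the filter shape below are constructed for the example.
BASE_DN = "ou=people,dc=example,dc=com"  # constructed, not from any real directory


def escape_filter_value(value: str) -> str:
    """RFC 4515: metacharacters inside an assertion value become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """RFC 4514: backslash-escape the characters that are special in a DN value.

    A leading space or '#' and a trailing space are also escaped, since the DN
    parser would otherwise strip or misread them.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_auth_dn(username: str) -> str:
    """What an AuthDN of the form uid=%0,<base> yields once %0 is DN-escaped (example helper)."""
    return "uid=%s,%s" % (escape_dn_value(username), BASE_DN)


def build_user_filter(username: str) -> str:
    """A search filter with the username escaped for filter syntax (example helper)."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


if __name__ == "__main__":
    print(build_user_filter("alice"))        # (&(objectClass=person)(uid=alice))
    print(build_user_filter("*)(uid=*"))     # (&(objectClass=person)(uid=\2a\29\28uid=\2a))
    print(build_auth_dn("admin,ou=staff"))  # uid=admin\,ou=staff,ou=people,dc=example,dc=com
```

The second print shows why the filter rule is the one to apply to anything that lands inside a filter: without escaping, the parentheses and asterisks in the supplied name would be parsed as filter structure rather than as a literal uid value. The two rules are not interchangeable; a value escaped for a DN is not safe in a filter and vice versa, which is why Radiator exposes them as separate formatters.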
  • Multiple LDAP enhancements were added. LDAP modules now support new configuration parameters SSLCAClientKeyPassword and SSLExpectedServerName. SSLCAClientKeyPassword sets the passphrase to decrypt client private key when mutual certificate based LDAP authentication is required. SSLExpectedServerName sets the name the server certificate must match during verification. Misconfigured values for SSLCAFile and other related files are now logged and handled and no longer cause Radiator to exit without logging. Unknown values for SSLVerify are now logged and map to the default value require.
  • SNMPAgent and Monitor with FarmSize configuration no longer require a FarmChildHook to re-open their listen sockets. Their listen sockets are now created after forking the instances. FarmChildHook sample in hooks.txt goodies file was updated to point to an example in farmchildhook.txt goodies file. Updated Ldap.pm and SNMPAgent to better log and refuse incorrect Port configuration values. Minor fix to SNMPAgent to also return SNMPv2-MIB system group values when queried with snmpwalk.
  • Too large port numbers in configuration file for TCP, UDP and SCTP are now more clearly logged and refused.
  • Fixed a memory leak caused by a StatsLog clause and ClientListSQL or ClientListLDAP being enabled in the same configuration. Leak affects Radiator versions 4.17 up to 4.23.
  • Minor updates to IP address packing and resolution functions in Util.pm. Similar updates to old Socket6 module based functions. This makes IPv6 support with Socket6 more similar to what Perl core provides. Minor updates to BigInt functions and fixes to recent quota calculation related utility functions. Addressed a number of perlcritic reports.
  • Unified Radiator internal JSON support. Modules, hooks and other code should now use Radius::JSON which chooses a JSON backend during startup and provides an interface for querying JSON status. The JSON backend and its version, or lack of backend, is logged when Radiator starts. Updated AuthBy DUO to use Radius::JSON instead of JSON.pm.
  • Messages logged to global LogFile and by LogFILE, LogSYSLOG and Monitor clauses now support adding farm instance to log messages. This is enabled by new LogFarmInstance configuration flag parameter. Addressed results reported by Perl::Critic.
  • Updated diapwtst and ServerDIAMETER to include Acct-Application-Id in Accounting-Request (ACR) and Accounting-Answer (ACA) commands. Changed diapwtst to use Diameter base accounting in Command Code header field.
  • AuthBy LSA now checks that Win32::NetAdmin is available when the configuration is loaded. This prevents radiusd from starting if the module is not installed. Previously the check happened when group membership check was first done causing radiusd to exit.
  • Upgraded MSI packaging to use Strawberry Perl 5.28.2.1.
  • The local address of AuthBy LDAP2 and other LDAP client connections, configured with BindAddress parameter, now supports formatting characters. Improved logging of LocalAddress for Stream based classes when LocalAddress uses formatting characters.
  • Added VENDOR 14823 Aruba attributes Aruba-Captive-Portal-URL and Aruba-MPSK-Passphrase to dictionary.
  • When global DupCache parameter was set to a non-default value, only duplicates for replied messages were correctly detected. Fixed a related memory leak and addressed Perl::Critic reports.

Revision 4.23 (2019-04-17, initial release 2019-04-10) security fixes, new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • Improved AcctLogFILE to support JSON.
  • Security fixes for EAP-pwd authentication and certain TLS configurations. Radiator team recommends all users to review Radiator Security Notice SEC-2019-01.

Known caveats and other notes

  • TLSv1.3 is not enabled by default for TLS based EAP methods.
  • TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.

Detailed changes

  • A number of configuration parameters were incorrectly removed from AuthBy DNSROAM during 4.23 development. This affects 4.23-1 and 4.23-2 releases. Fixed in 4.23-3. Reported by Paul Dekkers.
  • Formatter %W was calling a non-existent function and caused a crash. This affects the initial 4.23 release only. Fixed in 4.23-2. Reported by Leon Haverkotte.
  • Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.
  • Added an example of using SupplementaryGroups option in systemd goodies files radiator.service and radiator@.service. This parameter is typically used with AuthBy NTLM to grant access to winbindd socket.
  • Added support for experimental parameters EAPTLS_CRLCheckUseDeltas and TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation List support for TLS based EAP and Stream classes, such as EAP-TLS and RadSec. Added test CRLs to Radiator demo certificates. See Radiator reference manual for the details.
  • Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec, when Radiator tried to log information about a certificate during specially configured verification. Certificate is not made available by TLS library in all verification failure cases. Reported by Stefan Winter.
  • AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled when checking AuthenProto configuration parameter. Addressed a number of Perl::Critic reports.
  • AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.
  • Update test.pl to clean up temporary files after finishing.
  • DiaClient inheritance was updated to allow better log message control. Updated diapwtst respectively. Addressed a number of DiaClient related Perl::Critic reports.
  • Fixed some log messages that did not correctly interpolate variables. Addressed other minor results reported by Perl::Critic.
  • Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.
  • JSON::MaybeXS was mistakenly added as a JSON backend. However it is a wrapper for backends so it is now removed from the list of JSON backends.
  • Peer certificate issuer, subject and serial number in decimal and hexadecimal format are now logged at debug level when Radiator verifies a peer certificate during EAP-TLS authentication or TLS based stream connection. This information is logged during the verify callback while the TLS/SSL library is doing certificate verification. Logging is now done during successful and failing verification. Previously only some certificate information was logged.
  • Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR 4329 Siemens added Siemens-AP-Mac as a new VSA and Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for Siemens-Ingress-RC and Siemens-Egress-RC.
  • LogSYSLOG did not log Trace 5 level messages but printed out warnings about invalid level/facility to STDERR. Reported by Paul Dekkers.
  • Requests without User-Name were triggering warnings that were enabled in Radiator 4.21. Reported cases now avoid warnings, and usernames that are empty instead of not defined are now more clearly logged. Similar work enabling more warnings continues and any reports are welcome. Cases now fixed were reported by Paul Dekkers and Roland Rosenfeld.
  • When malformed attributes are received, sender IP address and port are now included in the message. Suggested by Paul Dekkers.
  • Support for configuration parameter AddToRequestIfNotExist was added to AuthBy RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.
  • Fixed make zipdist and other non-default targets from failing.
  • Unit test name cleanup and better separation between tests.
  • generate-totp.pl and nthash.pl goodies utilities no longer need Radiator modules. They now require Net::SSLeay and Digest::MD4, respectively.
  • diapwtst now searches its parent directory for Radius-modules. This allows diapwtst to be called in similar fashion as radpwtst.
  • Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. Old behaviour was causing zombie processes on some systems. Reported by Johan Wassberg.
  • Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and change_attr now return 0, as documented, instead of nothing. This return value still evaluates to false but is now defined. Addressed results reported by Perl::Critic.
  • Avoid unnecessary log messages and warnings by not probing SCTP API support on Windows and completely avoiding harmless use of undefined variables in AuthGeneric.
  • Added module Radius::JSON, which is a wrapper for various JSON backends. Module exports encode_json and decode_json from the JSON backend it finds. Last resort is JSON::PP, which should be included with Perl versions from 5.14.0.
  • Improved AcctLogFILE to support JSON. By default, in addition to trace_id, timestamp, source_host, and type (accounting), all attributes from Accounting-Request are logged. This behaviour can be modified with parameter AcctLogOutputDef.
  • Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).
  • Updates to support and other help texts.
  • Add expected result feature for diapwtst. When expected result is set, diapwtst returns 0 (success) even if result was something else. In this way diapwtst can be more useful, for example to periodically test DIAMETER services.
  • A warning log message about a missing Proxy-State attribute was added to AuthRADIUS::get_psid() in 4.22 to match a warning in AuthRADSEC, but in AuthRADIUS get_psid() is also called when UseExtendedIds is not used, which caused Radiator to incorrectly log warnings about missing attributes. This behaviour has been fixed.

Revision 4.22 (2019-01-09) major packaging update, new features, enhancements and bug fixes

Selected compatibility notes, enhancements and fixes

  • New Radiator packages: Red Hat Enterprise Linux 7 and CentOS 7, Ubuntu 16.04 and 18.04, and Windows MSI
  • Major updates to Yubikey Validation server support
  • SCTP multihoming support for Diameter and other stream modules

Known caveats and other notes

  • TLSv1.3 is not enabled by default for TLS based EAP methods.
  • TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.

Detailed changes

  • Fixed a bug in radiusd where @main::reinitFns and @main::perchildinitFns are initialised after radiusd has loaded modules which already altered @main::reinitFns and/or @main::perchildinitFns. This bug was triggered when radiusd was restarted with a SIGHUP.
  • Fixed a bug in ServerTACACSPLUS where Client clause parameters, such as RewriteUsername, were ignored. This was broken in Radiator 4.21.
  • Corrected SQL syntax in hotp.cfg and totp.cfg goodies sample files. Reported by Denis Pavani.
  • Fixed EAP-FAST to work with OpenSSL 1.1.0 with clients that do not have a valid PAC and need to use unauthenticated provisioning. This requires SSL_set_security_level support which is not available in Net::SSLeay 1.85 and before.
  • Monitor and ServerHTTP now honour UseTLS. TLS_Protocols is still the preferred method to enable TLS.
  • EAPAnonymous %0 can now access inner EAP identity with EAP-FAST.
  • TLS based EAP methods do not enable TLSv1.3 by default. This can be changed with EAPTLS_Protocols configuration parameter.
  • Significant updates to radiator.service and radiator@.service Systemd unit files in goodies. Radiator modules are looked up from a new default location /opt/radiator/radiator. Binding to TACACS+ and other privileged ports is enabled with CAP_NET_BIND_SERVICE. Runtime directory is created as /run/radiator/. Other updates for environment variables and startup control.
  • radpwtst was updated to use its invocation location and /opt/radiator/radiator to search for its modules and dictionary. Neither modules nor the dictionary are looked up from the current working directory any longer.
  • radiusd was updated to use its invocation location to search for its modules. Modules are no longer looked up from the current working directory.
  • An info level message is now logged when license related configuration parameters are set with a fully licensed Radiator. This is a reminder that these parameters are ignored and can be safely removed from the configuration. New configuration parameter LicenseFile is now the recommended method to include license configuration parameters.
  • Removed a number of obsolete files from goodies
  • ClientListLDAP now supports PostSearchHook.
  • Added AuthBy HOTSPOT for operating wired and wireless hotspots with authentication and billing. Added support for handling service and subscription databases with implementations in ServiceDatabase INTERNAL and ServiceDatabase SQL. Added modules for handling services, subscriptions and sessions that are managed by SessionDatabase and ServiceDatabase modules. Enhanced SessionDatabase modules to support the new functionality. See README.hotspot and hotspot.cfg in goodies for more information and a configuration sample.
  • Added AuthBy HOTSPOTFIDELIO that extends AuthBy HOTSPOT with Opera/Fidelio specific functionality. See README.hotspot-fidelio and hotspot-fidelio.cfg in goodies for more information and a configuration sample. This module also supersedes AuthBy FIDELIOHOTSPOT which will continue to work but should not be used in new deployments.
  • Added indexing to fidelio-hotspot.sql.
  • AuthBy FIDELIO, AuthBy FIDELIOHOTSPOT and AuthBy HOTSPOTFIDELIO UserPasswordHook is now passed $p as an additional argument.
  • HandlerFindHook is now available for fast Handler lookup. This is advantageous for configurations, such as proxying based on realm, where maximum packet throughput is required. Configuration sample is in goodies/handler-find-hook.pl.
  • Added Base32 decoder to hextobase32.pl in goodies and updated it to match API changes in recent MIME::Base32 modules.
  • AuthBy YUBIKEYVALIDATIONSERVER now supports Validation Protocol 2.0 and 1.0. Tested with YubiCloud and PyHSM hsm-val servers. Previously supported PyHSM yhsm-val short format OTP protocol was updated to include OATH-TOTP protocol. Updated configuration sample with new parameters is in yubikey-validationserver.cfg goodies file.
  • Windows service enhancements: service parameters no longer include command line options relevant only to installing Radiator as a service. This simplifies parameters when installing service and running as service. Service install and uninstall failures now log more details and cause radiusd to exit with failure. Fixed whitespace quoting in service parameters.
  • Added Win32-Lsa module for 64bit Strawberry Perl 5.28.
  • Updated the framework for packing and unpacking complex RADIUS vendor specific attributes (VSA framework) to pass current request to custom pack functions. Request is now passed to both pack and unpack functions.
  • Corrected hooks.txt in goodies to use packed address with Client’s findAddress function.
  • radiusd now accepts command line parameter -prepend_env that prepends its value to an environment variable during radiusd start. The variable is created if it does not exist.
  • Stream based modules, such as ServerDIAMETER, now use sctp_bindx() for all BindAddress values and sctp_connectx() for SCTPPeer values. These require Radiator Radius::SCTP bindings to make libsctp API available for Perl.
  • Fixed a crash triggered by logging of Handler values, such as Identifier, before Handler was chosen.
  • AuthBy LSA can now rewrite the username that is passed to LSA. Example use is Wi-Fi roaming where roaming username can not be directly used with Windows authentication because of local naming conflicts with roaming requirements. See LSARewriteHook in goodies/lsa.cfg and Radiator reference manual. Updated other AuthBy LSA configuration samples.
  • Improvements to AuthBy SAFEWORD. New parameters SSLVersion and SSLCipherList allow configuring SSL/TLS protocol versions and cipher suites when communicating with the server.
  • Improvements to AcctLog and AuthLog clauses. New optional parameter MaxMessageLength specifies a maximum message length (in characters) for each message to be logged. If specified, each log message is truncated to the specified number of characters prior to logging.
  • Improvements to AcctLog, AuthLog and Log clauses. When LogSock is set to unix or stream or pipe, new optional parameter LogPath specifies the syslog path. Defaults to _PATH_LOG macro (if your system defines it).
  • ServerTACACSPLUS authorisation context lookup enhancement: new optional configuration parameter ContextId specifies how to derive a lookup key for TACACS+ authentication context when authorising TACACS+ requests.
  • Stream and StreamServer certificate verification enhancements: new optional parameter TLS_CertificateVerifyHook specifies a perl function that will be called for a custom verification of the client certificate. TLS_CertificateVerifyFailedHook is a new optional parameter that specifies a perl function that will be called if verifying the client certificate fails. These are similar to their EAPTLS counterparts and their return values determine how certificate verification continues. See radsec-server.cfg in goodies and Radiator reference manual for more information.
  • Added VENDOR Ciena 1271 VSAs to dictionary.
  • Added Juniper Junos OS TACACS+ configuration sample in tacacsplusserver.cfg goodies file.
  • AuthBy RADSEC now reconnects more reliably to disconnected peers instead of leaving peers in a permanently failed state. This could happen when ConnectOnDemand is set and when UseStatusServerForFailureDetect is set with Radiator 4.20 and 4.21. Reported by Paul Dekkers.
  • AuthBy RADSEC now delays creating sockets when Farmsize is set and ConnectOnDemand is not set. This avoids closing sockets after forking farm members which caused confusing stream related peer disconnect log messages. Reported by Paul Dekkers.
  • AuthBy DNSROAM could connect to the same destination twice. This was fixed in Radiator 4.20 but not mentioned in changes.
  • A number of code clean up and maintenance changes were done based on Perl::Critic and other tools.
  • DictionaryReloadInterval is a new optional parameter that sets an interval in seconds for checking whether the files defined by DictionaryFile have changed. If there are changes, all files are reloaded. Not enabled by default and the files are only loaded during server initialisation.
  • Enhanced AuthBy RADIUS and AuthBy RADSEC logging to include remote address and port when bad authenticator or Proxy-State attribute is received. Requested by Paul Dekkers. Updated Gossip log levels.

Revision 4.21 (2018-06-26) bug fixes, enhancements and some new features

Selected compatibility notes, enhancements and fixes

  • Fixed nested and cascaded AuthBy GROUPs that stopped working in Radiator 4.20.
  • Unified AuthBy HANDLER functionality and reverted some of its changes done in Radiator 4.20.
  • JSON authentication and accounting log now formats time as numeric type instead of string.
  • ServerTACACSPLUS connection handling had major updates.
  • Custom modules that use initialisation functions may need updates.

Known caveats and other notes

  • Initial testing is done with OpenSSL 1.1.1 development versions. Not recommended with Radiator yet.

Detailed changes

  • Updated simple_main_loop to use timeout and timeout handler. These are useful for test and other client programs.
  • Attributes given on command line now override default and option switch values in radpwtst.
  • Fixed a bug where nested and cascaded AuthBy GROUPs stopped working because of changes in Radiator 4.20 asynchronous handling.
  • Unified AuthBy HANDLER functionality and reverted some changes done in Radiator 4.20: AuthLog, AcctLog, PostProcessingHook, AddToReply and similar reply updates are now done by Handlers called by AuthBy HANDLER. If these functionalities are needed when AuthBy RADIUS is used with AuthBy HANDLER, Asynchronous flag is required.
  • Fixed IgnoreReject in AuthBy RADIUS when NoReplyReject is enabled.
  • AuthBy RADSEC now supports Asynchronous and NoReplyReject.
  • Handler now supports the AccountingAccepted flag configuration parameter. This forces Handler to immediately log and unconditionally acknowledge Accounting requests before passing them to AuthBys. Compared to AccountingHandled, this will not wait for a reply from a proxy.
  • Response to a request of any type is now only sent once. This is for special cases, for example, when an accounting request is proxied to multiple servers or a hook or any special handling would cause multiple replies back to the NAS.
  • EAP-TLS now uses subjectAltName email type too when checking match for EAP identity or User-Name.
  • Updated MaxFailedGraceTime algorithm in AuthBy RADIUS and RADSEC.
  • Fixed tunnelling EAP methods to work correctly when inner authentication proxies with Asynchronous parameter enabled.
  • Updated demo certificates subjectAltName for client and server certificates. Client now has email and server has URI in addition to the existing alternative names. Other non-CA certificates have both.
  • Enhanced StreamServer listen socket error logging and handling during configuration time.
  • Updated multiple EAP methods to trigger Access-Reject with EAP-Failure for some messages that were previously ignored.
  • Removed obsolete EAP type 38 EAP-TNC.
  • Updated EAP-PAX and EAP-PSK logging and error handling. EAP-PSK now requires that EAP identity matches identity carried within EAP-PSK messages.
  • Improved Radiator init script goodies/linux-radiator.init and systemd service unit file goodies/radiator.service. A systemd service unit file goodies/radiator@.service which supports systemd service instances was added.
  • Updates to logging. Internal changes to enable more warnings and how Client maintains its client list for client lookups.
  • StatsLog FILE now supports OutputFormat configuration parameter. The possible values are text and json. Default is text.
  • Message-Authenticator is no longer added to Status-Server Access-Accept replies because some clients were not able to process it.
  • Enhancements to logging: Reason in AuthLog is now an empty string instead of undefined value when no specific reason is available. This is typical when result is accept for normal conditions. More results are now available for certain conditions and special configurations such as NoForwardAuthentication.
  • Fixed infinite loop when AuthBy RADIUS was configured with Asynchronous, CachePasswords and CacheOnNoReply.
  • AcctSQLStatement and AuthSQLStatement now support %0 for user name replacement.
  • Added radminYubikey.cfg configuration sample in goodies. All RAdmin configuration samples were updated and now come with Radiator.
  • Custom modules with need for main::reinitFns and addChildInitFn should be updated to use new callback register methods in ServerConfig. ServerConfig now supports methods for registering per-module callback functions that are run for server start and restart, farm child fork, reinit, delayed shutdown and shutdown.
  • Fixed a bug in GossipRedis Sentinel service name use which caused Sentinel connection to fail. GossipRedis log now clearly shows if the connection endpoint is Redis Sentinel or server.
  • Changed format_acct_log_json and format_authlog_json in LogFormat.pm to add time as a numeric type, integer or float, instead of a string. The type depends on LogMicroseconds.
  • Improved Gossip logging and handling of badly formatted messages.
  • Improved radpwtst’s noauth, noacct and related flag handling.
  • ServerTACACSPLUS connection handling is now based on Stream modules similar to RadSec, Diameter and others. This fixes a connection blocking bug when run with FarmSize parameter and allows ServerTACACSPLUS to use all features the Stream modules provide.
  • Internal changes to reinitialisation and farm child initialisation functions that custom module writers may be interested in:
    Reinitialisation
    • reinitialise functions are now run only when radiusd is reinitialised (i.e. on SIGHUP)
    • reinitialise is run before $main::config is destroyed, so registered reinitialisation functions can only read $main::config, if needed
    • if there is a need for functions to be called at startup, i.e. after $main::config has been read, one is encouraged to use $main::config->register_startup_fn(\&coderef, @args)
    • it is now possible to give arguments to reinitialise functions
    • pushing directly to @main::reinitFns will be obsoleted in the future, so the preferred way of registering them is via $main::config->register_reinit_fn(\&coderef, @args)
    Farm child initialisation
    • using main::addChildInitFn will be deprecated in the future. The preferred way to register farm child init functions is via $main::config->register_childinit_fn(\&coderef, @args). The function signature is not changed from main::addChildFn.
  • Updates to goodies/*Create.sql files: changed ACCTTERMINATECAUSE to string, updated column types to bigint and longer varchar where applicable. Infrequently used tables and test data are now present only in sql-extra-tables.sql and sql-test-data.sql, respectively. Added oracleCreate.sql. PostgreSQL and SQLite now use the same file postgres-sqliteCreate.sql. SQL Server and Sybase now use the same file sqlserver-sybaseCreate.sql. Removed separate files for mSQL, Informix and InterBase in favour of ansiCreate.sql. The files were tested with Firebird 3.0.3, IBM DB2 Express-C 11.1, IBM Informix 12.10 Developer Edition, InterBase 2017 Developer Edition, MariaDB, Microsoft SQL Server Express 2014 and 2017, MySQL, Oracle Database 11g Express Edition, PostgreSQL, SAP ASE (Sybase) Express Edition 16.0 and SQLite.
  • Fixed a bug in dictionary loading where hex VALUE lines were incorrectly processed. Fixed incorrectly named values in dictionary.acc in goodies.
  • Minor code maintenance related updates to utility programs and modules.
  • Improved logging about attributes that are not in dictionary.
  • On Windows a message is now logged when the Radiator Windows service stops.

Revision 4.20 (2018-02-28) new features, security and bug fixes

Selected compatibility notes, enhancements and fixes

  • Support for OCSP and OCSP stapling for EAP-TLS and RadSec and other Stream based modules.
  • Improvements to Stream connection handling.
  • TACACS+ AuthorizeGroup matching was extended.
  • Check items now check all instances of the named attribute.
  • Updates to TLS based EAP method client certificate checks, including partial chain support and default CA use.
  • Updates to AddressAllocator DHCP.
  • Updated VENDOR 388 Symbol attribute names in the default dictionary.
  • Improved LDAP modules failure backoff and certificate verification.
  • Handler and AuthBy GROUP updates for better asynchronous and challenge handling.
  • Airespace-QoS-Level dictionary definitions were updated. The updated values are incompatible with the old values.
  • PEAP supports inner authentication after session resumption. Value 2 for reused, demonstrated in eaptls_resume_post_auth_hook.pl, is now possible.
  • Multiple updates to EAP, EAP-pwd and other EAP methods. See below for more details.
  • Security fix for certificate validation for EAP-TLS and TLS-based Stream modules such as RadSec. PEAP and EAP-TTLS with unusual configurations are also affected. The Radiator team recommends that all users review Radiator Security Notice SEC-2018-01.

Known caveats and other notes

  • Initial testing is done with OpenSSL 1.1.1 development versions. Not recommended with Radiator yet.

Detailed changes

  • Connection state is now correctly reset when streams are reconnected after a disconnect. Affects Diameter, RadSec and other Stream.pm based modules where incorrect connection state after reconnect caused lost messages and eventual connection timeouts.
  • Connection buffers for pending incoming, outgoing and TLS data, and possible TLS session are now cleared during reconnect. This affects Diameter, RadSec and other Stream.pm based modules.
  • goodies/generate-totp.pl can now be used for generating TOTP tokens in plain ASCII without generating QR code images.
  • ServerTACACSPLUS AuthorizeGroups can now include extra checks which can be used to differentiate actions (permit/permitreplace/deny) and/or reply attributes based on TACACS+ client’s Client-Identifier, address (peeraddr) or any Radius attribute from Access-Accept. Updated configuration sample tacacsplusserver.cfg in goodies.
  • Added support to user and Handler check items for checking all instances of the named attribute for a match. If an attribute is present multiple times, all its instances are considered during matching. For example, <Handler OSC-Group-Identifier=B, OSC-Group-Identifier=A> matches when OSC-Group-Identifier is present at least twice with the two values. With the kind help of Alexander Hartmaier.
  • Added a new configuration parameter RejectReason to Handler and AuthBy. RejectReason sets the default string to use as the Reply-Message for Access-Reject when configured for a Handler. When configured for an AuthBy, sets the reason for AuthLog logging and Access-Reject Reply-Message if the enclosing Realm or Handler has RejectHasReason enabled.
  • Improved AuthBy DUO’s REST API failure handling.
  • EAP success is now correctly replaced with an EAP failure when a request is first accepted by an EAP AuthBy but later rejected, for example, by a hook or another AuthBy.
  • Introduced new special format variables: RequestAttrs, OuterRequestAttrs and ReplyAttrs. These variables return a string containing all instances of the named attribute separated by a comma.
  • Added a new configuration parameter AddExtraCheck to Handler and AuthBy to make adding extra check items, such as Group check, easier.
  • AuthByPolicy now supports the new value ContinueUntilRejectOrChallenge.
  • EAP-TLS supports new hook EAPTLS_CertificateVerifyFailedHook which runs when TLS library calls verify_callback with preverify_ok set to false. The return value from the hook decides if certificate verification should continue or not. WARNING: This hook should only be used in special cases and can cause security issues. See the reference manual for details.
  • Added VENDOR Wi-Fi Alliance 40808 VSAs to dictionary.
  • Radiator now supports framework for packing and unpacking complex RADIUS vendor specific attributes. For example, many 3GPP attributes have encodings that can not be represented with the RADIUS attribute types. The framework supports vendor specific modules with methods that are called based on how the complex attributes are defined in RADIUS dictionary.
  • Improvements to RADIUS and RadSec Status-Server polling: Only one probe can be active at a time to make sure multiple probes are not sent when there are connectivity or other problems. Polling is now disabled for RadSec when the transport connection is not up.
  • When there are multiple Hosts in AuthBy RADIUS, NoReplyReject takes action after all hosts have been tried. Improved logging when proxied requests time out.
  • Updated NoCheckPassword option to cover EAP-MD5 and more authentication methods.
  • Fixes and enhancements to MessageLog FILE text2pcap format command line hints: Ports and addresses are now in correct order and include time format specifier. Log line time format is now seconds.microseconds where microseconds are zero padded. Special format %2 for Filename parameter is now correctly set to default value of ‘none’ when Encoding configuration parameter is not set. Help and suggestions for text2pcap changes by Karl Gaissmaier. Thanks Charly.
  • Internal changes to how information is stored in request and reply objects. Changed ValidTo and other similar information to use this storage. Special formatting variables ReplyVar and RequestVar now get their named parameter values from this internal storage.
  • Special values ‘until Expiration’ and ‘until ValidTo’ for Session-Timeout reply item now correctly work with EAP-MSCHAPV2.
  • Diameter peer connection initialisation sometimes opened a second connection to a peer instead of using an existing connection.
  • Message-Authenticator fixes: AddToRequest and similar methods now automatically set the attribute length and allow adding only one instance. Previously, when a proxied request contained the attribute with an incorrect length, it was forwarded with that incorrect length value although the content was correctly calculated. The length of a received attribute must now match exactly; previously only the content was checked.
  • Log SYSLOG now supports LogFormat configuration parameter similar to Log FILE. Fixed a bug where tracing identifier was not available in Log clauses that were configured inside other clauses.
  • AuthBy RADSEC and ServerRADSEC can now write outgoing messages to MessageLog. Reported by Karl Gaissmaier.
  • Status-Server timeout value for AuthBy RADIUS and AuthBy RADSEC can now be separately set with KeepaliveNoreplyTimeout configuration parameter. Suggested by Karl Gaissmaier.
  • Improved logging when Stream modules experience connection errors.
  • MessageLog FILE could crash if Format configuration parameter was unspecified. Diameter message logging did not log remote IP and port correctly in some rare cases when the remote end closed connection and the local process was, for example, stopped.
  • Added new SessionDatabaseOptions value NoDeleteOnSessionStop that tells Radiator to do session database update operation instead of delete. This allows keeping session information when accounting stop is received.
  • Added wrap-text2pcap.pl to goodies for processing MessageLog FILE text2pcap formatted files. Written by Karl Gaissmaier.
  • New module AuthBy RATELIMITSOURCE allows limiting the maximum number of messages per time window for a source. Two policers with different source selection, bucket number, rate and time window parameters allow setting limits for single sources and aggregates. Sample configuration in ratelimitsource.cfg is in goodies.
  • AuthBy LDAP2 UnbindAfterServerChecksPassword when used with HoldServerConnection did LDAP unbind but did not clear binding state correctly causing LDAP error on subsequent query.
  • Renamed AuthBy RADIATORLB to AuthBy RADIATORPROXY and added support for statically configured Host and RadiatorProxy clauses. Added optional configuration parameters for DynAuthPort and DynAuthSecret in AuthBy RADIUS Host clauses for basis for RADIUS dynamic authentication support.
  • Improved debugging support in SNMPAgent. SNMP community string is now logged as **obscured** unless Trace is set to 5. Added port information and updated log message formatting. Added support for new PacketTrace flag configuration parameter to log received and sent SNMP messages in human-readable form. PacketTrace logs the community in plain text.
  • LogSYSLOG now uses setlogsock() as much as possible instead of setting log host directly. Improved detection of setlogsock() capabilities and added error checking for setlogsock calls. Problems with syslog calls are now printed to STDERR too.
  • Updated LogFormat.pm CEF and JSON accounting log formatters to work correctly when called from AcctLog’s LogFormatHook. Previously only Handler’s AcctLogFileFormatHook worked correctly. Updated CEF accounting format to use ‘Accounting received’ as event name when logging accounting before it’s handled.
  • radpwtst now logs in more detail replies that have unexpected message type and EAP message combination.
  • Updated GlobalMessageLog to support RadSec as a separate protocol from RADIUS. MessageLog clauses now support LogSelectHook which allows selecting which messages to log in case not all messages need to be logged. Updated the configuration sample logformat.cfg in goodies. Help and suggestions by Karl Gaissmaier.
  • TACACS+ is now supported by MessageLog clauses.
  • Added Radius::Nas::Generic class which implements two translate/extract functions: one to unify MAC address formats and extract possible SSID and the other one to extract realm from different username formats. Updated vsa-translate.cfg in goodies.
  • AuthBy SIP2 now supports two new configuration options: Retries and FailureBackoffTime. Timeout handling was also improved, but does not work when Radiator is run on Windows.
  • TLS_Ciphers is now correctly initialized with a default value in DiaClient.
  • Enhanced client certificate verification options for TLS based EAP methods with new configuration flag parameters: EAPTLS_CAPartialChain enables X509_V_FLAG_PARTIAL_CHAIN support available since OpenSSL 1.0.2. EAPTLS_UseCADefaultLocations specifies that the default locations from which CA certificates are loaded should be used. This was always enabled in previous Radiator versions but is now turned off by default. EAPTLS_NoClientCert disables loading of any CA certificates for client certificate verification. This allows simplifying PEAP and EAP-TTLS configuration when client certificates are not requested with EAPTLS_RequireClientCert. When EAPTLS_NoClientCert is enabled, EAPTLS_CAFile, EAPTLS_CAPath, EAPTLS_CAPartialChain and EAPTLS_UseCADefaultLocations are not used and need not be configured. Partial chain support suggested by Philip Brusten.
  • Enhanced client certificate verification options for Stream TLS classes, such as RadSec and Diameter, with new configuration flag parameters: TLS_CAPartialChain, TLS_UseCADefaultLocations and TLS_NoClientCert work similarly to, and have the same defaults as, their recently added EAPTLS_ counterparts. TLS_NoClientCert will not be supported by all StreamServer clauses. Initial support is added for Monitor and ServerHTTP, which use it for turning off all client certificate checks.
  • Updated test.pl to complain first about missing mandatory modules. Enhanced test output and added usage with MSCHAP testing hints.
  • ServerTACACSPLUS now supports Prompt reply attribute for turning off noecho flag in TACACS+ authentication replies. This allows hinting the TACACS+ client that it should echo user’s response as it’s entered. Updated radpwtst, tacacsplustest and diapwtst to honour Prompt attribute to turn on local echo for password challenges. The default is to always turn off echo. Fixed incorrect EAP-GTC length calculation in diapwtst responses. Updated tacacsplustest to display server’s message for interactive authentications.
  • Updates to RADIUS tagged string handling: attributes with dictionary type tagged-string, for example Tunnel-Private-Group-ID, are now decoded so that tag value 0 is ignored. When encoding, tag 0 is only added when it is explicitly defined. A tag with value 0 is no longer implicitly added. Tag values outside the range 0 to 31 are now encoded as part of the value. For this reason Radiator no longer displays tag 0 or, by default, proxies tag 0 for tagged-string type attributes. Tag values outside the range 0 to 31 for Tunnel-Password and other attributes with dictionary flag has_tag are encoded as part of the actual value with the tag set to 0. Tag value 0 for Tunnel-Password is now ignored during decode. New formatter %{UntaggedVal:attribute} returns the named attribute from the current request without the possible tag.
  • Updates to AddressAllocator DHCP: Subnet Selection Option is no longer required. If configuration has no SubnetSelectionOption set, no SSO is required in DHCP request. Added support for configuration parameters DHCPHostName and DHCPVendorClass for setting DHCP options 12 ‘Host Name’ and 60 ‘Class Identifier’ aka Vendor Class identifier, respectively. Updated addressallocatordhcp.cfg.
    Refactored DHCP code shared by DHCP address allocator and server into a common DHCP peer module. ServerDHCP is available in Radiator Carrier pack.
  • DHCP User-Class option (77) is now correctly encoded. The encoding previously followed the draft format instead of RFC 3004.
  • Updated WiMAX attributes in the default dictionary with WMF-T33-001-R022v04 definitions. WiMAX-IP-Technology is now an alias for the current name WiMAX-Network-Technology. Fixed WiMAX-Packet-Flow-Descriptor-V2 definition. WiMAX-Home-Interface-Id-PMIP6 and WiMAX-Visited-Interface-Id-PMIP6 are now formatted as interface ids.
  • Updated the default dictionary with the currently found definitions for VENDOR Symbol 388. The old names are still available as aliases, but attribute decoding is now done using the new names. The latest vendor documentation also uses the prefix WING- instead of Symbol- as the vendor prefix. To use the new prefix, create a custom dictionary as documented in the Radiator reference manual.
  • Updated generic session database modules, SessionDatabase REDIS and AuthBy DYNAUTH to support sending RFC 5176 dynauth requests to update or disconnect all sessions a user may have. This allows, for example, an external management entity to disconnect all sessions of a user with just a username without knowing the number of sessions or their details.
  • Fixed a bug with uncommon configurations where Handler’s last AuthBy returning ASYNC prevented possible post authentication session database update and other post auth actions from running.
  • Improved configuration parameter error detection and logging for TLS based Stream classes and EAP methods. Errors with configuration file parameters and CRL loading are now logged in more detail. Return values for DH parameter, ECDH curve and Policy OID settings are now correctly checked for errors.
  • Added ForwardHook to AuthBy RADIUS and AuthBy RADSEC and their derived classes. ForwardHook receives the current request and the request to be forwarded as its arguments. ForwardHook is called once for each request before it is forwarded to any of the remote RADIUS or RadSec servers. This hook allows you to modify the forwarded request without changing the current request. Suggested by Jose Borges Ferreira.
  • Updated Stream TLS module to load passphrase protected TLS_PrivateKeyFile with the updated API enabled in OpenSSL 1.1.0f.
  • Updated Radius request debug log dump so that it shows the recalculated Message-Authenticator value instead of the received or all zero value.
  • When sending dynauth requests to a Client, AuthBy DYNAUTH now uses the Client’s configuration to set dynauth secret and dynauth port, and calls Client’s VsaTranslateOut, VsaTranslateIn and VsaTranslationHook.
  • Updated EAP-FAST to work with OpenSSL 1.1.0 and later; and LibreSSL with Net::SSLeay 1.75 and later.
  • Updated goodies/rcrypt usage and environment variable use.
  • AuthBy RADIUS and AuthBy RADSEC now support KeepaliveRequestType and AddToKeepaliveRequest to change probe type and contents from an empty Status-Server to any other message type with optional attributes. This allows sending, for example, Access-Request probes with User-Name and User-Password attributes. Suggested by Paul Dekkers.
  • TLS_CRLCheckAll worked only when configured for a Host within AuthBy RADSEC. It now works correctly as a default setting within AuthBy RADSEC and AuthBy DNSROAM.
  • ServerRADSEC now honours RewriteUsername and AddToRequestIfNotExist configuration parameters. Global RewriteUsername is also honoured. Based on suggestion by Nik Mitev.
  • diapwtst now supports tls_protocols, bind_address and outport command line parameters. Fixed -timeout to work as expected.
  • Major update to test certificates: added wildcard, expired and revoked end node certificates and three intermediate CAs. All four CAs sign all five end node certificates. Revocation lists are signed by all CAs. The lists include revoked end node certificate, and for root CA, one intermediate CA. Certificate contents and extensions were updated. The certificates now allow easier testing for revocations, including intermediate CA revocations, partial chains, expirations, policies and other conditions and configurations. Updated README files and included configuration files and scripts for recreating all files with desired algorithms and other settings.
  • Radiator’s LDAP module Ldap.pm now tries connecting each configured Host individually instead of passing all hosts directly to Net::LDAP. Trying hosts one by one allows individual failure backoff time for each host and working TLS certificate check based on host name. Updated ClientListLDAP and AuthBy LDAP2, LDAPDIGIPASS and LDAPRADIUS to use failure backoff for LDAP failures.
  • Updated AuthBy GROUP to work with AuthBys that may return ASYNC. For example, AuthBy RADIUS with the Asynchronous flag parameter enabled now works within an AuthBy GROUP. This update also contains initial work in Handler towards supporting improved functionality for AuthBy groups where an AuthBy returns CHALLENGE. In this case the next request can be directly handled by the AuthBy that replied with the challenge.
  • Monitor log messages now include tracing identifier when LogTraceId is set globally or within a Monitor clause.
  • radiusd now supports -no_pid_file command line option. Updated radiator.service systemd unit configuration file in goodies to use this option and incorporated suggestions from Alexander Hartmaier and Rauno Tuul into radiator.service. Added new Radiator and logrotate configuration sample files linux-simple-config.cfg and logrotate.radiator in goodies. These three files use matching paths and other settings. linux-simple-config.cfg requires minimal, if any, modifications to work on other UNIX or BSD systems too.
  • Airespace-QoS-Level dictionary definitions were updated to match the current definitions used by Cisco WLC. The old values were correct for ACS 4.1.x. The new values are used by ACS 5 and also described in WLC configuration guides. The value names are mostly the same but the actual numeric values are different. If you need the old values, create a custom dictionary file and load it with DictionaryFile configuration parameter.
  • radpwtst now supports -no_random command line option which makes RADIUS authenticator and different CHAP methods to use fixed values. This allows repeating tests with fixed values. radpwtst now logs a detailed warning when incorrect MS-CHAP2-Success is received with Access-Accept. Also fixed radpwtst and diapwtst option file whitespace handling.
  • TLS_Protocols and EAPTLS_Protocols now recognise TLSv1.3. TLSv1.3 is turned off by default for TLS based EAP methods and Stream based protocols, such as RadSec and Diameter. TLSv1.3 is made available for testing and future use and it is not supported yet. Net::SSLeay 1.83 or later is required when using Radiator with TLS 1.3 aware SSL/TLS library. Internal changes to TLS code to use recently added constants and functions in Net::SSLeay.
  • Radiator now sets X509_V_FLAG_TRUSTED_FIRST together with X509_V_FLAG_PARTIAL_CHAIN when EAPTLS_CAPartialChain or TLS_CAPartialChain is set.
  • AuthBy NTLM now directly logs and rejects parameter lengths not supported by ntlm_auth.
  • Tunnelling EAP methods, EAP-FAST, EAP-TTLS and PEAP, now support configuration parameter EAPTLS_CopyToInnerRequest for copying attributes from the outer request to the inner request. Previously this required PreHandlerHook or a similar method.
  • Updated Acct-Delay-Time handling in RADIUS accounting requests: Radiator no longer adds a zero valued attribute when it is not present in the request. Acct-Delay-Time is now accessed only when needed, making proxying slightly faster. Fixed missing delay adjustment for a request when its retransmit caused a failover to the secondary host. Fixed negative adjustment reported by Vangelis Kyriakakis.
  • radpwtst enhancements: -time option is now an alias for -print_stats. -print_stats option now shows the average requests/second rate and total time. Number of requests is now clearly separated from the number of iterations because each iteration may consist of multiple requests. New option -iteration_delay sets a delay between successive iterations to help testing with different request rates.
  • OCSP peer certificate checking and OCSP stapling are now supported for EAP-TLS and Stream based modules such as RadSec and Diameter. Asynchronous OCSP check is supported for EAP-TLS. See sample configuration files eap_tls.cfg, radsec-server.cfg and radsec-client.cfg in goodies directory for configuration parameters, including OCSP responder location, failure policy and response caching.
  • Updated RADIUS and RadSec proxying MaxFailedRequest and MaxFailedGraceTime to work better with low request rates.
  • Updated many EAP methods to include EAP-Failure in Access-Reject messages where it was still missing. Changed some EAP failure cases to trigger Access-Reject instead of ignoring the message. Added more checks for inner EAP-TTLS requests.
  • Added support for the ConsumePassword configuration parameter for AuthBys. With it, each AuthBy that handles a request can use and then strip its own part of the submitted password, so that one string can carry several credentials, for example the static password and the one-time token used in two factor authentication. Updated duo.cfg and digipassStatic.cfg in goodies to use ConsumePassword.
  • Added support for Group-Authorization check item. This check item defines the Identifier of an AuthBy to use for authorising users based on their group membership. Added configuration parameters GroupFilename to AuthBy FILE and GroupMembershipAttr to AuthBy LDAP2. Added support for Windows AD tokenGroups in AuthBy LDAP2 for group based authorisation. Added two new configuration samples in goodies: authorize-group1.cfg shows how to do LSA authentication and direct Wi-Fi users to VLANs based on their AD groups. File authorize-group2.cfg shows how to authorise users with different administrative roles based on what Client they log in from.
  • Updated the Resolver clause to never use persistent TCP or UDP sockets. This uses more sockets but is required because persistent sockets lack working support for multiple outstanding queries. This allows Radiator to work again with all Net::DNS versions. The TCPPersistent and UDPPersistent configuration parameters are now obsolete. Thanks to Fernando Reis for reporting DNS roam problems.
  • Stream based TLS classes, such as RadSec, now support the TLS_SubjectAltNameDNS configuration parameter. This works similarly to the existing TLS_SubjectAltNameURI parameter and is used when the subject alternative name type is DNS. Requested by Jan Tomasek.
  • Updated AddressAllocatorSQL to reject the request instead of letting it time out when AsynchronousSQL is set and allocate, update or deallocate fails. The confirm, deallocate and deallocate_by_nas methods now return a reject with a reason if UpdateQuery, DeallocateQuery or DeallocateByNASQuery fails, instead of always returning accept.
  • AuthBy DNSROAM now passes the name that was looked up during DNS discovery to certificate verification. The name is used similarly to TLS_SubjectAltNameDNS, allowing verification based on the name instead of just the peer address. Enhanced TLS certificate verification logging for Stream based modules, including information about the DNSROAM discovered name and SRV records.
  • Fixed AuthBy DNSROAM to refresh route object when rediscovering it with unchanged parameters. This fixes log messages like “AuthBy DNSROAM rediscovered the same target for …” appearing too often.
  • EAP modules configured with EAPType are now loaded during configuration loading. This makes problems with module dependencies visible immediately during the configuration.
  • PEAP now supports inner authentication after session resumption. This fixes problems seen on Windows, for example, when changing between WLANs. Reported by Jan Tomasek and others.
  • Disabled session resumption for TLS-based Stream modules, where it was completely non-functional. Enabled the no-renegotiation flag for TLS-based EAP methods and Stream modules.
  • radpwtst now adds Event-Timestamp to Accounting-Request messages.
  • EAP-pwd now supports RFC 2759 (NT hash) and SASLprep password pre-processing methods. These are configurable with a new parameter EAP_PWD_PrepMethod that supports values ‘NtHash’ and ‘SASLPrep’. See the reference manual for additional information about compatibility and module requirements. This change also adds generic support for adding additional prep methods.
  • Compiled Win32-Lsa for ActivePerl 5.24 and 5.26 and Strawberry Perl 5.26. 32-bit versions are no longer compiled by default. Contact us if you still need them.
Revision 4.19 (2017-06-29) new features and bug fixes

Selected compatibility notes, enhancements and fixes

  • Fixed a memory leak in TLS based EAP methods. This affected configurations that disable session resumption.
  • Unfinished EAP authentications are now logged
  • Ignored authentications are now available for AuthLog logging

Known caveats and other notes

  • PEAP session resumption sometimes fails on Windows and reverts back to full authentication. A fix is known and planned for future releases.
  • Initial testing with OpenSSL 1.1.0. EAP-FAST is not yet functional.

Detailed changes

  • Enhanced log messages generated by TLS based EAP methods. More details are now logged and available with AuthLog reason information.
  • Added two new Context module functions: fetch returns an existing context and resets its timeout. If there’s no existing context, returns nothing. timeout_callback sets a callback function for a context that is called when the context times out.
  • Enhanced EAP logging: EAP authentications that do not finish are now logged both to Radiator log and authentication log. Authentication log entries are logged as rejected authentications. Suggested by David Zych et al.
  • EAP contexts are now freed when the authentication finishes instead of always waiting for context timeout
  • TLS based EAP methods were leaking memory when EAPTLS_SessionResumption was disabled. This option is enabled by default.
  • Added VENDOR Airespace 14179 VSA Airespace-IPv6-ACL-Name to dictionary
  • Fixed the misspelling of ‘Application’ in DiaAttrList::REDIRECT_HOST_USAGE_REALM_AND_APPLICATION and in the Diameter application name ‘SIP Application’.
  • Fixed AuthBy SIP2 that rejected both valid and invalid authentication attempts with EAP-GTC. Enhanced SIP2 logging and updated AuthBy SIP2 to more reliably handle unsupported EAP methods.
  • An error message is now logged when quote method is called for a module that is not a SqlDb. Single quotes are now stripped from quoted value. Any custom modules that log this message need to be fixed to use a correct SqlDb derived module when calling quote.
  • Added support for polling a message queue in Gossip. Added a new configuration sample radius-dynauth.cfg in goodies that uses AuthBy DYNAUTH to send RADIUS dynamic authentication requests. Handler.pm now passes a reference to the result reason to the replyFn it calls. Minor fixes to trace id passing and Gossip.
  • New check items RecvPort, RecvAddress and RecvName match requests based on the local port or address. For example, if Radiator listens on Radius ports 1645 and 1812, <Handler RecvPort=1645> selects only those requests that were received on port 1645.
  • Enhanced Monitor for integrating with other systems. Implemented the following Monitor commands:
    ASCII: change both object and line separators to “\n”
    DEFAULT: change both object and line separators back to their default values ASCII SOH and NUL, respectively
    GET: Get a single attribute from an object
    With the kind assistance of Kilian Krause
  • Fixed a crash in SessionDatabase REDIS simultaneous use check
  • Updated Gossip encryption documentation, logging, invalid key handling and changed key index 0 to reserved.
  • StatsLog proxiedNoReply counter is now incremented for Hosts within AuthBy RADIUS and RADSEC and their derived clauses. Previously the counter was incremented only for the AuthBy after all retries had been exhausted. Status-Server timeouts do not increment Host proxiedNoReply counter.
  • All AuthLog clauses now support the LogIgnore flag parameter. This parameter defaults to not set and, when set, allows logging ignored authentication attempts. An attempt is typically ignored when a user database fails or Radiator can not return a definitive answer for some other reason. Proxied requests that return an immediate ignore are not logged because a reply with the final result is expected later.
  • Fixes to GossipUDP server farm and peer discovery messaging
  • When the User or Group global parameter is set, both the effective and the real user or group id are now set, instead of just the effective ids.
  • Fixed a problem where advanced debugging, for example with Monitor’s trace predicates, could cause a crash.
  • DynAuthPort in Client now defaults to not set instead of 3799. This allows clauses such as AuthBy DYNAUTH to provide a per request value that is not overwritten by Client’s DynAuthPort.
  • radiusd now supports multiple -I command line parameters.
Revision 4.18 (2017-05-10) new features, security and bug fixes

Selected compatibility notes, enhancements and fixes

  • Added AuthenProto parameter for setting the allowed authentication protocols such as PAP, CHAP and SIP digest. See below for details especially if you use SIP digest.
  • EAP-MSCHAP-V2 requires EAP_MSCHAPv2_UseMultipleAuthBys flag parameter when there are multiple AuthBys in the same Handler.
  • Added AcctLog clauses for logging accounting messages.
  • Added support for proxy algorithms in AuthBy RADSEC.
  • A number of enhancements to logging, EAP and other protocol handling. Custom EAP-TTLS implementations may need updates, see the details below.
  • Empty passwords and usernames with NUL octets are now rejected by most authentication methods when doing local user database lookups.
  • Dash ‘-‘ no longer works as Filename for StatsLog FILE and similar parameters.
  • Security fixes for general authentication, SQL quoting, Digipass authentication and AuthBy HEIMDALDIGEST. The Radiator team recommends that all users review Radiator Security Notice SEC-2017-01.

Known caveats and other notes

  • PEAP session resumption sometimes fails on Windows and reverts back to full authentication. A fix is known and planned for future releases.
  • Special % character formatting was updated. Correctly defined format strings should require no changes.
  • No testing with OpenSSL 1.1.0 yet.
  • We have received reports about memory leaks. We are investigating this and would appreciate any reports about unusual process growth.

Detailed changes

  • Added support for a new type of clause, AcctLog xxxxx. An AcctLog clause logs RADIUS accounting requests to a file, Windows Event Log, SQL or syslog. An AcctLog is configured similarly to AuthLog: you configure one or more AcctLog clauses for a Handler or Realm. Currently supported AcctLog clauses are: AcctLog EVENTLOG, AcctLog FILE, AcctLog SQL and AcctLog SYSLOG. See logformat.cfg and sql.cfg for configuration samples.
  • Redis endpoint can now correctly be set to Sock. Previously the endpoint was set to 127.0.0.1 even if a socket was desired. Reported by Paul Dekkers.
  • Added support for DiaStatsLog FILE and DiaStatsLog SQL for Diameter statistics logging. Enhanced Diameter statistics logging to suppress logging for inactive peers and objects with unchanged counter values. DiaStatsLog SQL requires Diameter application specific columns in the statistics table. Added a configuration sample diastatslog.cfg in goodies.
  • DiaStatsLog clauses can now remove inactive peer from Diameter statistics logging. Peer removal is controlled by new configuration parameters PeerAliveDetectionInterval and PeerRemovalThreshold.
  • Added a number of attributes in dictionary for vendor 6527 Alcatel-Lucent-Service-Router, enterprise number known as Alcatel-Lucent (formerly ‘Panthera Networks, Inc.’).
  • Added various VENDOR 25053 Ruckus VSAs to dictionary. Ruckus VSA 126 name is now Ruckus-Accounting-Status. The previous name Ruckus-Acct-Status is kept as a synonym. VSA 126 in the incoming requests, if present, will be decoded as Ruckus-Accounting-Status. Contributed by Christian ‘wiwi’ Wittenhorst.
  • radpwtst now supports new flag parameter -timestamps. Time stamps are printed, for example, when announcing sent requests and received replies. Time stamps are also automatically printed when multiple iterations are enabled.
  • Updated radiusd Windows service installation to work with Windows Server 2016. Problems with installservice option were reported by Robert Fisher.
  • Added VENDOR 1966 Perle VSAs to dictionary.
  • Message-Authenticator attribute updates: RequireMessageAuthenticator is now relaxed to consider only those request types for which the RFCs define Message-Authenticator. Message-Authenticator is now automatically added to the reply, or to the proxied request, when the request contained Message-Authenticator. This also affects Status-Server responses. Message-Authenticator is now always required when the EAP-Message attribute is present in incoming messages, as RFC 3579 requires.
  • Locked and evaluation versions of radiusd will now log expiry and other licensing related information to log in addition to stdout.
  • Added VENDOR 2636 Juniper attributes Juniper-Junosspace-Profiles, Juniper-Session-Port, Juniper-CTP-Group, Juniper-CTPView-APP-Group and Juniper-CTPView-OS-Group to dictionary. Also added Juniper-Authentication-Type as an alias for Juniper-Junosspace-Profiles. With the kind assistance of Peter Hendrikx.
  • Added sample configuration file eaptls_resume_post_auth_hook.pl in goodies to show how to store and retrieve information that needs to be kept over resumed TLS sessions. Useful for custom hooks used with EAP-TLS, EAP-TTLS or PEAP. Updated EAP modules to support customised access to stored resume information.
  • Unified logging and handling of EAP responses for which TLS is not initialised. These are now logged as possible duplicate responses. TLS connections are now cleared earlier, and in the same way, for all TLS based EAP methods.
  • Radiator’s SQL module now supports asynchronous queries for MySQL/MariaDB and PostgreSQL. Tested with DBD::mysql 4.035 against 10.1.13-MariaDB. Updated AddressAllocator SQL to use asynchronous queries. Asynchronous queries are enabled with the new common SQL configuration parameter AsynchronousSQL. Additional parameters AsynchronousSQLConnections and RoundRobinQueries allow tuning how the asynchronous queries are done. For both synchronous and asynchronous operation, ConnectSQLAtStartup is now available to connect to all configured SQL databases when the module is loaded during Radiator startup.
    Configuration sample addressallocator.cfg in goodies shows asynchronous allocation.
    AddressAllocator DHCP and DHCPv6 no longer increment dropped request statistics while they return ignore and wait for the DHCP answers.
  • Fixed a bug in GossipRedis where a reconnect after Redis server disconnect caused a crash. Also corrected extra newline in statslog.cfg. Crash reported by Niels Monen.
  • ServerTACACSPLUS can now be configured to disconnect the client without returning TACACS+ error status when an AuthBy returns IGNORE because of authentication database failure. This may trigger the client device to fall back to local authentication that it may not do when Radiator replies with a TACACS+ error status. Note: the client behaviour is implementation specific. This option is controlled by the new configuration flag parameter DisconnectWhenIgnore.
  • Removed unused configuration parameter Table from AuthLog SQL.
  • Prepared PEAP for future implementation of missing features such as cryptobinding, Statement of Health (SoH), capabilities negotiation and starting full authentication from resumed TLS session. Updated PEAP EAP TLV Extensions handling and logging.
  • radpwtst now warns if it can not fully handle IPv6 addresses, prefixes and sockets.
  • Added a startup check for required Perl module Digest::SHA. Note that depending on the configuration, Digest::SHA may be required very early during the configuration which can be before the check has run. Digest::SHA is part of core Perl but packaged separately on some platforms, notably Red Hat and CentOS.
  • Fixed a warning log message in AuthBy RADSEC that was incorrectly changed in Radiator 4.17.
  • radpwtst now supports two new command line arguments: ‘-print_stats’ shows statistics after radpwtst finishes. Useful, for example, when running with -iterations for long period of time. ‘-onlyfailed’ shows only failed requests. This is particularly useful if running radpwtst with either -iterations parameter or when running several radpwtsts in parallel with, for example, GNU Parallel.
  • Added support for proxy algorithms in AuthBy RADSEC. The proxy algorithms supported by RADIUS proxying, such as hash balance and round robin can now be used when proxying to multiple AuthBy RADSEC hosts. The algorithm is chosen with ProxyAlgorithm configuration parameter. See radsec-client.cfg for examples. Special thanks to Christian ‘wiwi’ Wittenhorst for his kind help and Jan Tomasek for suggesting this feature.
  • Removed unnecessary code from RADIUS proxy algorithms, such as AuthBy HASHBALANCE and AuthBy ROUNDROBIN. AuthBy EAPBALANCE now adds State to Access-Request replies only.
  • Updated the remaining LDAP attribute fetching calls to use get_value. Updated LDAP AuthBy clauses to use DN escaping for BaseDN specials instead of using filter escaping which does not cover all DN requirements. Updated digipass_ldap.cfg and ldapradius.cfg configuration samples with the special formats.
  • Updates to AuthLog EVENTLOG: Use Radiator’s logging functions instead of printing to STDERR if there’s a problem with Event Log. Fixed a potential crash if Event Log can not be opened.
  • Added support for filtering TTLS tunnelled AVPs. Two new configuration parameters are available for defining the allowed attributes for custom clients: EAP_TTLS_AllowInRequest and EAP_TTLS_AllowInReply. These are not set by default; ‘User-Name, User-Password, CHAP-Password, CHAP-Challenge, EAP-Message, MS-CHAP-Response, MS-CHAP-Challenge, MS-CHAP2-Response’ are allowed in requests and ‘EAP-Message, MS-CHAP2-Success’ are allowed in replies. These are the attributes from TTLS RFC 5281, except for the password change related attributes, which are currently not allowed by default.
  • Destination-Realm was missing from Diameter Accounting-Request (ACR) commands sent by diapwtst.
  • Implemented special formatting with recursive subpatterns introduced in Perl 5.10. The old implementation is used with older Perls. This simplifies the implementation and provides possibility for further optimisation in later patches.
  • AuthFIDELIOHOTSPOT now tries to fetch the user’s current/existing service class when configured to use a ServiceAttribute VSA but the Access-Request does not contain one. If no existing service class is found in either the request or a database, the request is rejected as before. This helps interoperability with MikroTik, which does not resend some VSAs when doing automatic MAC cookie authentication after reboots or other events.
  • Added peer IP:port information to TLS related error messages that are logged by TLS stream based modules. Examples of these are AuthBy and Server RADSEC and DIAMETER. Suggested by Paul Dekkers and Alan Buxey.
  • Added new optional configuration parameter EncryptedSecret for all Gossip methods. EncryptedSecret has the same purpose as Secret but its value is in encrypted format. If both Secret and EncryptedSecret are configured, EncryptedSecret is used.
  • Multiple enhancements to radpwtst: the new command line option -log_microseconds adds microsecond resolution to radpwtst log time stamps. The existing command line option -noreply is now displayed with usage and documented in the reference manual. Identifiers that radpwtst generates now start more randomly. This makes it easier to follow radpwtst logs when multiple radpwtst instances are run in parallel.
  • Command line arguments to radpwtst now override arguments in the radpwtst options file. Badly formatted attribute=value command line or option file arguments are now logged by radpwtst. No messages are sent if the options file or command line arguments are incorrect. Override is only supported with Perl 5.10.0 and later.
  • Current request is now passed to all log messages in EAP FAST for enhanced logging.
  • Enhanced EAP-TTLS inner attribute parsing and logging. Attribute lengths are now compatible with RADIUS lengths and unworkable attribute combinations are now rejected earlier. Trace 5 debug will now show hex dumps for received and sent EAP-TTLS inner messages.
  • Added a new optional configuration parameter EAP_Identity_MaxLength. This optional parameter is available for all AuthBys and sets the maximum length an EAP identity can have. The default is 253 octets. There is typically no need to change the default.
  • Most EAP methods now require a non-empty EAP identity. This avoids unnecessary user database lookups when there’s no usable user identity.
  • Fixed diapwtst to send its AA and Accounting requests with Proxiable flag.
  • EAP GTC now supports the optional configuration parameter EAP_GTC_MaxLength for specifying the maximum length of the EAP GTC token accepted from the client. Defaults to 253 for RADIUS compatibility. If the EAP GTC response uses the RFC 5421 EAP-FAST-GTC response format, the identity in the response must be equal to the EAP identity. Updated the list of attributes copied to the PAP request converted from an EAP GTC request. Fixed radpwtst to use the correct response length with the -eapgtc option. Added support in radpwtst for the RFC 5421 EAP-FAST-GTC response format. When radpwtst is run with the -eapfastgtc command line option, the response is formatted according to the RFC 5421 response format. Otherwise -eapfastgtc works the same as -eapgtc.
  • The inner message created from PEAP version 0 tunnelled data now has a correct EAP length field. The length field did not previously include the EAP header Radiator adds to PEAPv0 tunnelled requests. This change helps interoperability with other servers when inner requests are forwarded.
  • Password from Monitor’s LOGIN command is now sanitised and logged as **obscured**.
  • Updated generic CHAP, MSCHAP, MSCHAPv2 and SIP based authentication to reject requests earlier and log the specific reason when attribute lengths do not meet the expected values. Updated Digipass and Safeword authentication similarly for CHAP protocols, and updated and fixed related logging and error handling for Digipass. Updated AuthBy LSA to always reject CHAP when challenge is not 16 octets that LSA expects. This helps diagnosing login problems of CHAP clients that use less common challenge lengths.
  • Added new optional configuration parameter AuthenProto for setting the allowed authentication protocols for an AuthBy. Defaults to PAP, CHAP, MSCHAP, MSCHAPv2, EAP, AuthorizeOnly. Other possible protocols are SIPDigest and Unknown that matches all other requests.
    AuthenProto can be configured for all AuthBys but currently does not affect proxying or special AuthBys, such as AuthBy INTERNAL which do their own request handling.
    Caution: The default covers the normal user authentication cases. You may need to add Unknown to those AuthBys that handle special authentication requests that carry neither User-Password, any of the CHAP or MSCHAP(v2) attributes, nor EAP-Message.
    Caution: If you have an AuthBy for SIP Digest authentication, you must configure it with AuthenProto SIPDigest to allow SIP Digest authentication.
  • Updated EAP MSCHAP-V2 to use states from MS EAP-MSCHAP-V2 document in preparation for password change support. Enhanced logging and log messages content. Enhanced handling of MSCHAPv2 conversion where replies that are not accepts or rejects are now logged with log level warning. Previously all locally generated replies were processed.
    Caution: If a Handler or AuthBy GROUP has multiple EAP-MSCHAP-V2 enabled AuthBys, all AuthBys must now specify the new flag configuration parameter EAP_MSCHAPv2_UseMultipleAuthBys. This parameter is likely not available when password change or other EAP-MSCHAP-V2 functionality is added. Do not use this flag with the EAP_PEAP_MSCHAP_Convert parameter.
  • Empty passwords from the user database now cause a reject. If a user has a password check item, and the password retrieved from the user database is empty or undefined, the authentication is rejected. The cause of an empty password in this case is typically a configuration mistake or a user database malfunction. The rejects are logged with level warning.
  • Fixes to GossipUDP peer discovery and peer reachability maintenance.
  • Enhanced User-Password and Encrypted-Password check items. MS-CHAP-MPPE-Keys are now returned for MSCHAP only when a cleartext password is available. The prefix {clear} now works the same for both check items. If a password’s encrypted format is incompatible with an authentication protocol, a more informative message is logged. Encrypted-Password check items with an unrecognised format are now clearly logged with a warning. The format for {nthash} prefixed values must now be exactly 32 hex characters or a warning is logged. Note: EAP-MSCHAP-V2 and LEAP do not yet support getting the password or NT hash from the user’s Encrypted-Password check item.
  • EAP generic code now logs various error cases and unexpected and broken EAP messages in more detail.
  • Internal updates to use more modern Perl features. Updated DES.pm to work when strict and warnings are enabled. Updated MSCHAP to use warnings and require similarly to other modules.
    Updated calls to open to use the three-argument form. Caution: Specifying a dash ‘-‘ as the filename for StatsLog FILE, Log FILE, AcctLogFileName and other similar parameters no longer enables logging to stdout. Using a dash for a filename now causes a warning.
  • Updates to AuthBy HEIMDALDIGEST. If there are errors communicating with kdigest, or the values it returns are found to be faulty, more detailed messages are logged and authentication requests are rejected earlier when possible. Communication with kdigest was improved and is now similar to what AuthBy NTLM uses.
  • AuthGeneric md5_challenge and mschapv2_challenge now return status value in case they are overridden by an authentication method, currently only HEIMDALDIGEST, which may fail to generate a challenge. Updated EAP-MD5 and EAP-MSCHAP-V2 to check the challenge return value.
  • UsernameCharset configuration parameter now applies to EAP identities too.
  • diapwtst now uses $HOME/.diapwtstrc and /etc/diapwtstrc as its configuration file.
  • Rearranged the order of DefaultRealm processing and PreHandlerHook call in Client.pm. DefaultRealm is now added before PreHandlerHook is called which is the order that all other similar modules already use. Suggested by Niels Monen.
  • Optimised special character formatting when the format string has only single character formatters.
  • Password returned by GetNovellUP is now automatically prefixed with {clear}. Updated eDirectory documentation and configuration samples in goodies.
  • Changed the EAPTLS_SessionContextId default to include the EAP type and original username in addition to the Handler. This improves TLS based EAP authentication when Windows tries both computer and user authentication with the same TLS session, and keeps different EAP types in different contexts.
  • New global configuration parameters PBKDF2_MinRounds and PBKDF2_MaxRounds now control the iteration rounds allowed for PBKDF2 transformed passwords.
  • Updated AuthBy SQLAUTHBY to use %0, the SQL quoted realm, in the default AuthBySelect and set the default value of the Class parameter to LDAP2. Special %1 is now the SQL quoted realm in AuthBy SQLRADIUS HostSelect. When bind variables are used, these specials are the unquoted realm values. Updated the configuration samples of both AuthBys to use SQL bind variables.
  • EAP elapsed time is now logged in decimal format always. Negative times are not logged which happened when EAP had not properly started before failure. Improved logging of unexpected EAP NAKs and NAKed methods.
  • Radius messages shorter than 20 or longer than 4096 octets are now discarded earlier and with more informative log message showing source IP address and port.
  • Updated ServerHTTP and Monitor to limit usernames and passwords to 253 octets for RADIUS compatibility.
  • Updated EAP-pwd: Turned off fragmentation support and enhanced logging. Fixed a potential memory leak.
  • Access-Reject is now returned more often for failed EAP authentication attempts instead of ignoring the request. This allows Radius clients to know that the server is still responding to Radius requests. EAP failure is also now returned more often with Access-Rejects for failed EAP authentication attempts. Updated logging of failed EAP messages.
  • ServerDIAMETER and ServerRADSEC now correctly append DefaultRealm if configured to do so.
  • test.pl can now produce Test Anything Protocol (TAP) compatible output with -tap command line parameter.
  • Enhanced AuthBy RSAAM logging, removed old code and improved character encoding to avoid broken query syntax.
  • Usernames with NUL octets now cause a reject by default with user database lookups. AllowNULInUsername flag parameter can be set for an AuthBy if NULs need to be allowed.
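The Message-Authenticator rules described for this release, as an added worked example in Python that is not Radiator code: it builds an Access-Request carrying EAP-Message, computes the HMAC-MD5 Message-Authenticator (RFC 2869), rejects EAP requests that lack it, verifies it on receipt, adds one to the reply when the request carried one, and then computes the Response Authenticator over the finished reply. The shared secret, the fixed Request Authenticator and the sample packets are constructed for the example.

```python
# RADIUS Message-Authenticator (RFC 2869 s5.14, RFC 3579 s3.2). Added example, not Radiator code.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE, STATUS_SERVER = 1, 2, 3, 11, 12
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
MA_CODES = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE, STATUS_SERVER}  # RFC 3579, RFC 5997

def build_packet(code, ident, authenticator, attrs):
    """Serialise code, identifier, authenticator and (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def iter_attrs(pkt):
    """Yield (type, value_offset, value); raise ValueError on lengths that do not fit."""
    end = struct.unpack("!H", pkt[2:4])[0]
    if end < 20 or end > len(pkt):
        raise ValueError("bad packet length")
    pos = 20
    while pos < end:
        if end - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > end:
            raise ValueError("bad attribute length")
        yield pkt[pos], pos + 2, pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]

def message_authenticator(pkt, secret, request_authenticator=None):
    """HMAC-MD5 over pkt with the Message-Authenticator zeroed; replies use the request's authenticator."""
    offs = [o for t, o, v in iter_attrs(pkt) if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    if len(offs) != 1:
        raise ValueError("expected exactly one 16-octet Message-Authenticator")
    buf = bytearray(pkt)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    buf[offs[0]:offs[0] + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def add_message_authenticator(pkt, secret, request_authenticator=None):
    """Append a Message-Authenticator attribute to pkt and fill in its value."""
    buf = bytearray(pkt) + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    struct.pack_into("!H", buf, 2, len(buf))
    buf[-16:] = message_authenticator(bytes(buf), secret, request_authenticator)
    return bytes(buf)

def check_request(pkt, secret, require_ma=False):
    """Mandatory with EAP-Message, required for RFC-supported codes if require_ma, verified if present."""
    try:
        attrs = list(iter_attrs(pkt))
        types = [t for t, _, _ in attrs]
        if EAP_MESSAGE in types and MESSAGE_AUTHENTICATOR not in types:
            return False, "EAP-Message without Message-Authenticator"
        if require_ma and pkt[0] in MA_CODES and MESSAGE_AUTHENTICATOR not in types:
            return False, "Message-Authenticator required but missing"
        if MESSAGE_AUTHENTICATOR in types:
            got = next(v for t, _, v in attrs if t == MESSAGE_AUTHENTICATOR)
            if not hmac.compare_digest(message_authenticator(pkt, secret), got):
                return False, "bad Message-Authenticator"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"

def build_reply(request, code, attrs, secret):
    """Add Message-Authenticator if the request had one, then the RFC 2865 Response Authenticator."""
    req_auth = request[4:20]
    pkt = build_packet(code, request[1], req_auth, attrs)
    if any(t == MESSAGE_AUTHENTICATOR for t, _, _ in iter_attrs(request)):
        pkt = add_message_authenticator(pkt, secret, req_auth)
    return pkt[:4] + hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() + pkt[20:]

def verify_reply(reply, request, secret):
    """Check the Response Authenticator and, when present, the Message-Authenticator."""
    req_auth = request[4:20]
    try:
        ma = next((v for t, _, v in iter_attrs(reply) if t == MESSAGE_AUTHENTICATOR), None)
        if ma is not None and not hmac.compare_digest(message_authenticator(reply, secret, req_auth), ma):
            return False
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest(), reply[4:20])

def demo(secret=b"example-shared-secret"):  # secret and packets are constructed for this example
    req_auth = bytes(range(16))  # fixed for reproducibility; a real client uses os.urandom(16)
    identity = bytes([2, 1, 0, 10, 1]) + b"alice"  # EAP Response/Identity "alice"
    unsigned = build_packet(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"alice"), (EAP_MESSAGE, identity)])
    signed = add_message_authenticator(unsigned, secret)
    tampered = signed[:22] + bytes([signed[22] ^ 1]) + signed[23:]  # flip one bit inside User-Name
    challenge = bytes([1, 2, 0, 22, 4, 16]) + bytes(16)  # EAP Request/MD5-Challenge
    reply = build_reply(signed, ACCESS_CHALLENGE, [(EAP_MESSAGE, challenge)], secret)
    bad_reply = reply[:-1] + bytes([reply[-1] ^ 1])
    return {
        "signed_ok": check_request(signed, secret, require_ma=True)[0],
        "eap_without_ma": check_request(unsigned, secret)[0],
        "tampered": check_request(tampered, secret)[0],
        "wrong_secret": check_request(signed, b"other-secret")[0],
        "reply_ok": verify_reply(reply, signed, secret),
        "reply_has_ma": any(t == MESSAGE_AUTHENTICATOR for t, _, _ in iter_attrs(reply)),
        "reply_tampered": verify_reply(bad_reply, signed, secret),
    }
```

demo() returns the outcome of each check. The order matters on the reply side: the Message-Authenticator is computed with the Request Authenticator in the header, and the Response Authenticator is computed last, over the packet that already contains it; a receiver that verifies only the Response Authenticator still gains the HMAC protection the notes describe, since a changed Message-Authenticator also invalidates it.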
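The EAP-TTLS inner attribute filtering described above, as an added example in Python that is not Radiator code: it parses the RFC 5281 AVP encoding that EAP-TTLS uses inside the tunnel, enforces RADIUS-compatible value lengths, and keeps only the attributes in an allow-list equivalent to the EAP_TTLS_AllowInRequest default quoted above. Attribute numbers are the standard RADIUS ones and the Microsoft VSAs from RFC 2548; the tunnelled message, with two injected authorisation attributes, is constructed here.

```python
# EAP-TTLS inner AVP parsing and allow-list filtering (RFC 5281 section 10.1).
# Added example, not Radiator code. Attribute numbers are the standard RADIUS ones
# and the Microsoft VSAs from RFC 2548; the tunnelled message is constructed in demo().
import struct

MICROSOFT = 311
# (vendor, code) -> name; vendor 0 is a standard RADIUS attribute. Mirrors the
# EAP_TTLS_AllowInRequest / EAP_TTLS_AllowInReply defaults quoted in the notes.
DEFAULT_ALLOW_IN_REQUEST = {
    (0, 1): "User-Name", (0, 2): "User-Password", (0, 3): "CHAP-Password",
    (0, 60): "CHAP-Challenge", (0, 79): "EAP-Message",
    (MICROSOFT, 1): "MS-CHAP-Response", (MICROSOFT, 11): "MS-CHAP-Challenge",
    (MICROSOFT, 25): "MS-CHAP2-Response",
}
DEFAULT_ALLOW_IN_REPLY = {(0, 79): "EAP-Message", (MICROSOFT, 26): "MS-CHAP2-Success"}
MAX_RADIUS_VALUE = 253  # a RADIUS attribute value cannot be longer than this


def encode_avp(code, value, vendor=0, mandatory=True):
    """Code(4) flags(1) length(3) [vendor(4)] data, padded to a 4-octet boundary."""
    flags = (0x80 if vendor else 0) | (0x40 if mandatory else 0)
    header_len = 12 if vendor else 8
    avp = struct.pack("!IB", code, flags) + (header_len + len(value)).to_bytes(3, "big")
    if vendor:
        avp += struct.pack("!I", vendor)
    avp += value
    return avp + bytes(-len(avp) % 4)


def parse_avps(buf):
    """Return [(vendor, code, mandatory, value)]; raise ValueError on damaged input."""
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header_len = 12 if flags & 0x80 else 8
        if length < header_len or pos + length > len(buf):
            raise ValueError("AVP length does not fit the message")
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if flags & 0x80 else 0
        value = buf[pos + header_len:pos + length]
        if len(value) > MAX_RADIUS_VALUE:
            raise ValueError("AVP value longer than a RADIUS attribute allows")
        avps.append((vendor, code, bool(flags & 0x40), value))
        pos += (length + 3) & ~3  # skip the padding
    return avps


def filter_avps(avps, allowed):
    """Keep only allow-listed AVPs; report the rest so the caller can log them.
    Dropping, rather than forwarding, is what stops a client from smuggling
    authorisation attributes such as a VLAN assignment through the tunnel."""
    kept, dropped = [], []
    for vendor, code, mandatory, value in avps:
        name = allowed.get((vendor, code))
        if name is None:
            dropped.append((vendor, code, mandatory))
        else:
            kept.append((name, value))
    return kept, dropped


def is_well_formed(buf):
    try:
        parse_avps(buf)
        return True
    except ValueError:
        return False


def demo():
    """A tunnelled MSCHAPv2 request with two injected attributes (constructed)."""
    inner = (encode_avp(1, b"alice")
             + encode_avp(11, bytes(16), vendor=MICROSOFT)   # MS-CHAP-Challenge
             + encode_avp(25, bytes(50), vendor=MICROSOFT)   # MS-CHAP2-Response
             + encode_avp(81, b"1")                          # Tunnel-Private-Group-ID, injected
             + encode_avp(8, bytes([10, 0, 0, 1]), mandatory=False))  # Framed-IP-Address, injected
    kept, dropped = filter_avps(parse_avps(inner), DEFAULT_ALLOW_IN_REQUEST)
    return [name for name, _ in kept], dropped
```

The dropped list carries the M (mandatory) bit so that a stricter deployment can choose to reject the whole inner request when a client marks a disallowed AVP as mandatory, instead of silently stripping it; either way, nothing outside the allow-list reaches the inner Handler.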
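The AuthenProto cautions above, as an added example in Python that is not Radiator code: a pre-lookup admission check that classifies a request by the credential attributes it carries, refuses protocols outside the configured set, and also applies the other pre-lookup rules from this release (NUL octets in User-Name, an empty EAP identity, EAP_Identity_MaxLength). Requests are modelled as dictionaries constructed here; the use of a Digest-Response attribute as the marker for SIP digest requests is an assumption.

```python
# AuthenProto-style admission check before any user database lookup.
# Added example, not Radiator code. Requests are dicts of attribute name -> value,
# constructed below; "Digest-Response" as the marker for SIP digest requests is an assumption.
DEFAULT_AUTHENPROTO = {"PAP", "CHAP", "MSCHAP", "MSCHAPv2", "EAP", "AuthorizeOnly"}
EAP_IDENTITY_MAX_LENGTH = 253  # the EAP_Identity_MaxLength default


def classify(request):
    """Name the authentication protocol a request carries, in AuthenProto terms."""
    if "EAP-Message" in request:
        return "EAP"
    if "User-Password" in request:
        return "PAP"
    if "CHAP-Password" in request:
        return "CHAP"
    if "MS-CHAP2-Response" in request:
        return "MSCHAPv2"
    if "MS-CHAP-Response" in request:
        return "MSCHAP"
    if "Digest-Response" in request:  # assumed attribute name for SIP digest
        return "SIPDigest"
    if request.get("Service-Type") == "Authorize-Only":
        return "AuthorizeOnly"
    return "Unknown"  # nothing recognisable: only admitted if AuthenProto lists Unknown


def eap_identity(eap):
    """Identity from an EAP Response/Identity (code 2, type 1); None for other EAP messages."""
    if len(eap) >= 5 and eap[0] == 2 and eap[4] == 1:
        return eap[5:int.from_bytes(eap[2:4], "big")]
    return None


def admit(request, authen_proto=DEFAULT_AUTHENPROTO, allow_nul_in_username=False):
    """Return (admitted, reason). Rejections here cost no user database round trip."""
    proto = classify(request)
    if proto not in authen_proto:
        return False, f"{proto} not allowed by AuthenProto"
    if "\x00" in request.get("User-Name", "") and not allow_nul_in_username:
        return False, "NUL octet in User-Name (AllowNULInUsername not set)"
    if proto == "EAP":
        identity = eap_identity(request["EAP-Message"])
        if identity is not None and not identity:
            return False, "empty EAP identity"
        if identity is not None and len(identity) > EAP_IDENTITY_MAX_LENGTH:
            return False, "EAP identity longer than EAP_Identity_MaxLength"
    return True, proto


def demo():
    """Constructed requests; returns the admission outcome keyed by case."""
    eap_alice = bytes([2, 1, 0, 10, 1]) + b"alice"  # EAP Response/Identity "alice"
    eap_empty = bytes([2, 1, 0, 5, 1])               # EAP Response/Identity with no identity
    cases = {
        "pap": {"User-Name": "alice", "User-Password": "s3cret"},
        "mschapv2": {"User-Name": "bob", "MS-CHAP-Challenge": bytes(16), "MS-CHAP2-Response": bytes(50)},
        "eap": {"User-Name": "alice", "EAP-Message": eap_alice},
        "eap_empty_identity": {"User-Name": "alice", "EAP-Message": eap_empty},
        "sip_digest": {"User-Name": "carol", "Digest-Response": "..."},
        "unknown": {"User-Name": "dave", "Calling-Station-Id": "00-11-22-33-44-55"},
        "nul_username": {"User-Name": "eve\x00admin", "User-Password": "x"},
    }
    out = {name: admit(req)[0] for name, req in cases.items()}
    out["sip_digest_enabled"] = admit(cases["sip_digest"], {"SIPDigest"})[0]
    out["unknown_enabled"] = admit(cases["unknown"], DEFAULT_AUTHENPROTO | {"Unknown"})[0]
    out["nul_allowed"] = admit(cases["nul_username"], allow_nul_in_username=True)[0]
    return out
```

With the default set, the SIP digest request and the request carrying no credential attribute at all are refused, which is exactly the situation the two cautions describe: such AuthBys need AuthenProto SIPDigest, or Unknown added to their AuthenProto, to admit those requests.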
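The Encrypted-Password format checks and the PBKDF2 round limits described above, as an added example in Python that is not Radiator code: it validates the {clear} and {nthash} formats as the notes describe, rejects an empty password from the user database, and for PBKDF2 refuses to run the key derivation when the stored round count falls outside the configured bounds, so that an absurd value in the user database cannot turn each login attempt into a CPU sink. The {PBKDF2} value layout (digest:rounds:salt_hex:hash_hex), the bounds and the sample values are assumptions constructed for the example, not Radiator’s own format or defaults.

```python
# Encrypted-Password check item validation with PBKDF2 round limits.
# Added example, not Radiator code. The {PBKDF2} layout digest:rounds:salt_hex:hash_hex
# and the bounds below are assumptions for the example, not Radiator's format or defaults.
import hashlib
import hmac
import re

PBKDF2_MIN_ROUNDS = 1000     # stands in for PBKDF2_MinRounds (assumed value)
PBKDF2_MAX_ROUNDS = 200_000  # stands in for PBKDF2_MaxRounds (assumed value)
KNOWN_SCHEMES = {"clear", "nthash", "pbkdf2"}


def make_pbkdf2(password, salt, rounds, digest="sha256"):
    """Produce a {PBKDF2} check item in the assumed layout."""
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds)
    return f"{{PBKDF2}}{digest}:{rounds}:{salt.hex()}:{dk.hex()}"


def parse_check_item(stored):
    """Split '{scheme}payload' into (scheme, payload, error). Unprefixed values are cleartext."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.*)", stored, re.S)
    if not m:
        return "clear", stored, None
    scheme, payload = m.group(1).lower(), m.group(2)
    if scheme not in KNOWN_SCHEMES:
        return scheme, payload, f"unrecognised Encrypted-Password format {{{scheme}}}"
    if scheme == "nthash" and not re.fullmatch(r"[0-9a-fA-F]{32}", payload):
        return scheme, payload, "{nthash} value must be exactly 32 hex characters"
    return scheme, payload, None


def verify_pap(stored, password, min_rounds=PBKDF2_MIN_ROUNDS, max_rounds=PBKDF2_MAX_ROUNDS):
    """Check a PAP password against the stored check item; returns (ok, reason)."""
    if not stored:
        return False, "empty or undefined password from user database"
    scheme, payload, err = parse_check_item(stored)
    if err:
        return False, err
    if scheme == "clear":
        return hmac.compare_digest(payload.encode(), password.encode()), "cleartext compare"
    if scheme == "nthash":
        try:  # MD4 over UTF-16LE; OpenSSL builds without the legacy provider have no MD4
            calc = hashlib.new("md4", password.encode("utf-16-le")).hexdigest()
        except ValueError:
            return False, "MD4 not available in this OpenSSL build"
        return hmac.compare_digest(calc.lower(), payload.lower()), "nthash compare"
    try:
        digest, rounds_s, salt_hex, hash_hex = payload.split(":")
        rounds, salt, expected = int(rounds_s), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False, "malformed {PBKDF2} value"
    # Refuse before doing any work: the round count comes from the user database,
    # and an absurd value would pin a CPU for every login attempt against that user.
    if not min_rounds <= rounds <= max_rounds:
        return False, f"PBKDF2 rounds {rounds} outside {min_rounds}-{max_rounds}"
    if digest not in hashlib.algorithms_available:
        return False, f"unsupported PBKDF2 digest {digest}"
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt, rounds, len(expected))
    return hmac.compare_digest(dk, expected), "pbkdf2 compare"


def demo():
    """Constructed check items; returns the outcomes keyed by case."""
    salt = bytes.fromhex("0123456789abcdef")  # fixed here; use os.urandom(16) when storing passwords
    good = make_pbkdf2("correct horse", salt, 5000)
    huge = good.replace(":5000:", ":1000000000:")  # tampered round count: would run for a very long time
    return {
        "pbkdf2_ok": verify_pap(good, "correct horse")[0],
        "pbkdf2_wrong": verify_pap(good, "wrong horse")[0],
        "pbkdf2_huge_rounds": verify_pap(huge, "correct horse"),
        "pbkdf2_tiny_rounds": verify_pap(make_pbkdf2("pw", salt, 10), "pw")[0],
        "clear_ok": verify_pap("{clear}hunter2", "hunter2")[0],
        "unprefixed_ok": verify_pap("hunter2", "hunter2")[0],
        "bad_nthash": verify_pap("{nthash}abc", "x")[1],
        "unknown_scheme": verify_pap("{foo}abc", "x")[1],
        "empty": verify_pap("", "x")[0],
    }
```

The round-count check runs before any hashing, which is the point of having both a minimum (too few rounds makes the stored hash weak) and a maximum (too many lets a poisoned user record stall the server); the reasons returned are what a practitioner would want to see in the warning logged for an unrecognised or malformed check item.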
Revision 4.17 (2016-09-21) enhancements, new features, security and other fixes

Selected compatibility notes, enhancements and fixes

  • radiusd now exits during startup if it can not load the objects required by the configuration file.
  • Hooks and custom code that calls get_plaintext_password or translate_password should be checked for compatibility
  • AuthBy RADSEC now supports Radiator’s Gossip framework for reachability information
  • Any hooks or custom code that needs to save data across resumed EAP-TLS, EAP-TTLS or PEAP authentication sessions must now use resume context. See EAP.pm for the details.
  • RADIUS dictionary name space was changed for IANA registered attributes. Any hooks or custom code that accesses RADIUS dictionary, or does RADIUS – Diameter conversion may need updates.
  • JSON time stamp formats were corrected and unified in LogFormat.pm
  • AuthBy DUO now does pre-authentication by default
  • AddressAllocator SQL now supports IPv6 prefix allocation
  • Session resumption for TLS based EAP methods was enhanced
  • Many new features and options for SessionDatabase modules
  • AuthBy RADIUS supports configuration parameter Asynchronous for easier AuthByPolicy handling
  • New MessageLog clauses for logging RADIUS and other messages
  • StatsLog updates including cumulative and derivate statistics
  • HTTP digest authentication must now be enabled per AuthBy basis
  • Security fixes for AuthBy LDAP2 when used with EAP. OSC recommends that all AuthBy LDAP2 users review OSC security advisory OSC-SEC-2016-01

Features not in this release yet, known caveats and other notes

  • OCSP support
  • Proxy algorithm selection for AuthBy RADSEC
  • No testing with OpenSSL 1.1.0. Testing with OpenSSL 1.0.2h, Net::SSLeay 1.78, iOS 10, Android 7 and Windows 10
  • PEAP session resumption sometimes fails on Windows. Further investigation is ongoing
  • Major documentation update. Radiator reference manual is available in HTML format again

Detailed changes

  • Updated debug log messages for Stream classes. The stream client and server now log the destination name and its currently resolved address more clearly in the debug log messages. This affects log messages for RadSec, Diameter, ServerHTTP and other Stream based modules.
  • AuthBy RADSEC now logs packet dumps for the Status-Server replies it receives from the next hop proxy. The Port configuration variable is now formatted when RadSec Host is activated. This allows logging the actual port number instead of the unformatted configuration value.
  • Added Gossip support for AuthBy RADSEC. The RadSec Hosts can now distribute next hop proxy reachability information with Gossip. The configured Host name, not the current IP address, is used as the key when determining if the current report should be processed. The behaviour is currently slightly different from AuthBy RADIUS. Updated radsec-client.cfg in goodies. Suggested by Jan Tomasek.
  • Updated AuthBy RADSEC log messages to be more clear about destination name, IP address and port.
  • While loading dictionaries, Radiator now logs a warning when the vendor has not been defined for a vendor specific attribute.
  • Correct configuration file names are now logged when there are errors parsing the included configuration files during radiusd startup. Previously the file name might have been the main configuration file name. Reported by Kilian Krause.
  • Clause ends are now checked for matching starts while the configuration file is read. Possible mismatches and incorrectly ended clauses are logged with a warning, but no other action is currently taken.
  • Gossip messages sent by one AuthBy RADIUS module will now be accepted by all the other AuthBy RADIUS modules within the same radiusd instance. Previously the messages were always ignored when they originated from the same instance. This behaviour is now similar to what AuthBy RADSEC does.
    AuthRADIUS and AuthRADSEC now include the type of the failed request in the Gossip messages. A module using UseStatusServerForFailureDetect will now act only on failed Status-Server requests. With report and help from Paul Dekkers.
  • AuthBy LDAP2 now logs the search filter with the query results
  • Added VENDOR 3GPP 10415 VSA 3GPP-User-Location-Info-Time from document TS 29.061 version 12.10.0 to dictionary.
  • AuthBy DYNADDRESS now uses MapAttribute yiaddr when processing Accounting-Requests. Previously the address was always fetched from Framed-IP-Address.
  • AddressAllocator SQL now supports IPv6 prefix allocation. Updated addressallocator.cfg in goodies.
  • Fixed a problem in ServerTACACSPLUS where some requests sent by a high volume client were discarded during read.
  • New example farmchildhook.txt in goodies shows how to use FarmChildHook to rotate AuthPort, AcctPort and DBSource. Used in EAP environments with a backend RADIUS server behind HASHBALANCE or similar. See the file for full details. Contributed by Christian Kratzer, CK Software GmbH.
  • Added support for PoolGroup and Priority configuration parameters for AddressAllocator SQL AddressPools. These parameters set the values for specials %4 and %5 for AddAddressQuery. A PoolGroup defines a name to group multiple pools with different priorities set by Priority. Suggested by Damjan Kukas.
    Added new hook NoAddressHook for the SQL allocator. The hook is called when there are no addresses left or the allocation fails because of too many simultaneous tries. The hook is passed references to $p, $rp, $result, $reason and the value of pool hint. To change the type of reply, you should change $result from $main::REJECT to the desired value.
  • Enhancements to SessionDatabase configuration within Handlers. New Handler parameter SessionDatabaseOptions is available for: turning off session delete to clean up possibly hung sessions during authentication, enabling SessionDatabaseUseRewrittenName, turning on adding sessions before authentication and turning on adding sessions after successful authentication.
  • Gossip framework now supports forget() to remove a message previously posted with note(). In case of Redis backend, forget maps to Redis DEL command.
  • Updated GossipRedis default Timeout from 3 to 1 seconds. Timeout is now also used for: sentinel connections, sentinel reads, sentinel writes, server read and server write in addition to server connections. Fixed some typos in Gossip sample file farmsize.cfg.
  • NAS-IPv6-Address, if present, is now a possible value for NAS identifier if there is no NAS-IP-Address. This allows, for example, session database modules to use NAS-IPv6-Address if present in the request. Removed unneeded code from various modules since RecvFromAddress is always present in the current request.
  • Radiator can now do delayed restart or termination. The action is delayed until there are no more requests to serve from the sockets. The delay is done in two phases: First, a configured number of seconds is waited until the requested restart or termination action is started. Second is to serve the remaining requests from the incoming sockets. This allows processing the queued requests before continuing with the restart or termination.
    The delay is enabled and controlled by a new global configuration parameter DelayedShutdownTime. This defines the length of the first phase in seconds. DelayedShutdownHook is called immediately when the first phase starts. The hook can, for example, signal upstream proxies about the impending shutdown.
  • Added support for OSC’s new load balancer. The LB proxies labeled requests to Radiator, which processes them as if they were received directly from the NAS. The label support is enabled with the new global configuration flag parameter UseProxyLabel which defaults to off.
  • Internal enhancements for EAPAnonymous handling. Also, $rp->{inner_username} now has the value of inner User-Name, if any, for EAP-TTLS.
  • Added support for using State attribute for identifying ongoing EAP conversations. New global configuration flag parameter EAP_UseState, currently set to off by default, enables or disables the use of State with EAP for the whole server.
    AuthBy EAPBALANCE users should convert to, for example, AuthBy HASHBALANCE to avoid adding a second State in the proxied requests. Users of other load balancers may find State advantageous when setting up LB rules. The value of State does not change during the EAP message exchange.
  • Server Identifier, the global Identifier parameter, now supports special formatting characters. The format is applied during the server startup. A 32 hex character long hash is calculated from the formatted Identifier for any possible later use.
  • Added new Gossip backend module GossipUDP. GossipUDP provides support for direct UDP communication between Gossip peers. Gossip message format was extended to support optional header for TTL, payload encryption and other future uses.
  • Added peer join and unjoin messages in GossipUDP. These messages allow the use of GossipREDIS, or some other Gossip backend, as a discovery mechanism to set up direct GossipUDP peering.
  • Added new AuthBy GOSSIP module that supports authentication and authorisation against Gossip backends such as GossipUDP and GossipREDIS.
  • PBKDF module now supports HMAC-SHA-256 as the pseudorandom function (PRF).
    Added new module AES_GCM that supports the use of AES in Galois/Counter Mode (GCM). AES_GCM requires Crypt::GCM.
    Enhanced the Gossip framework to support message encryption. Requires the Radiator AES_GCM module.
  • Sending of RFC 5176 Disconnect-Request and CoA-Request messages was enhanced with two new modules and minor changes to Client.pm and AuthRADIUS.pm. Client.pm has new configuration parameters DynAuthSecret, DynAuthPort and UseMessageAuthenticator to define the dynamic authorisation capabilities of the NAS. New module AuthDYNAUTH.pm is available for building dynauth requests and dispatching them to Handlers. The dispatched dynauth requests can be matched with <Handler DynAuthRequest=1>. New module AuthRADIUSBYATTR.pm is available for forwarding the newly built dynauth request to the NAS based on the dynauth request contents. AuthBy RADIUSBYATTR is a subclass of AuthBy RADIUS and will automatically handle retransmissions. The dynauth responses will be handled by AuthBy DYNAUTH. AuthBy DYNAUTH can optionally register itself with Gossip to receive requests from, for example, remote management to send dynauth messages pertaining to the online users. Works with SessionDatabase REDIS to share session information between Radiator instances and user management.
  • Added new StatsLog module StatsLog REDIS. StatsLog REDIS logs statistics to Redis for management applications, log transport agents, such as logstash Redis input plugin, or any later use. The statistics are currently logged in JSON format. Added a configuration sample in statslog.cfg in goodies.
  • Diameter OriginHost and OriginRealm configuration parameters now support formatting characters.
  • Added VENDOR Meraki 29671 and VSA Meraki-Device-Name to dictionary.
  • New module AuthRADIATORLB.pm supports proxying requests to OSC’s new Radiator load balancer. This module can be used together with AuthBy DYNAUTH and currently supports only RFC 5176 dynamic authentication requests which need to originate from Radiator and be sent by the LB towards the NAS. Gossip framework is supported for learning the LB addresses and dynauth ports.
  • GossipUDP now logs a warning if the Gossip flag parameter or one or more GossipUDPPeer clauses have not been configured. When this happens GossipUDP has no method of knowing about its UDP peers.
  • Updated Diameter command code list. Command codes now use IANA registered names. This changes Diameter DEBUG message dumps for some command codes. For example, CER is now logged as Capabilities-Exchange.
    Added support for Diameter statistics log. The statistics are collected for Diameter message counts, command codes and errors. Stats are collected for peer, origin, port and application and can be used for Diameter SNMP MIBs. New module DiaStatsLogREDIS provides support for writing the statistics in Redis. Other log modules will be added later.
  • Added an example in goodies/hooks.txt showing how to use AuthBy RADIUS ReplyHook with two AuthBy RADIUS clauses together with two Handlers and an AuthBy HANDLER clause.
  • EAP Identity and MSCHAPv2 name equality check is now case insensitive. Reported by Serge Andrey and René Hennequin.
  • Log messages related to an authentication exchange and to its subsequent accounting session can now be logged with a tracing identifier. A new global and Log clause level configuration parameter LogTraceId enables prepending the tracing id to messages logged to stdout and with Log FILE when LogStdout is enabled.
    A new Handler level configuration parameter AutoClass adds a specially formatted Class attribute in Access-Accept messages. This allows carrying the tracing id to accounting logs and the session database to access the tentative Class value during the request handling.
    New functions compose_state() and decompose_state() in Util.pm will handle adding and extracting state information from State and Class attributes.
    The tracing id works in conjunction with the Radiator load balancer allowing coordinated log message indexing and lookup between front end load balancers and backend workers.
  • Updated AuthLog and Log modules to use the recently added tracing id. The tracing id is now available as a parameter to LogFormatHooks and SQL loggers. Updated LogFormat.pm JSON hooks to log the tracing id. The global LogTraceId configuration parameter now affects only logs sent to stdout and the default log configured with LogFile.
  • Session database clauses now support SessionIdentifier configuration parameter. This parameter defaults to Acct-Session-Id and can be used to change the session identification attribute used by the session database clause. Useful, for example, when the authentication request contains the future, possibly vendor specific, session identifier attribute.
  • The recently added AutoClass configuration parameter now supports optional arguments for further Class attribute formatting. The currently supported arguments are uuid and formatted, which add a hex UUID value or a Radiator formatted string. The default is not to add anything.
  • Configuration parser’s clause start to clause end matching is now case insensitive. Suggested by Alan Buxey.
  • Added two new formatting specifiers ‘RequestVar’ and ‘ReplyVar’ which provide access to the request and reply objects. This is similar to, for example, the existing ‘Handler’ formatting specifier.
  • Handler now supports returning to the AuthBy stack. This allows AuthBy RADIUS and its subclasses to return to evaluating AuthByPolicy when a reply is received from the remote proxy. AuthBy RADIUS and its subclasses now support the new boolean configuration parameter Asynchronous that enables this new behaviour. AuthBy GOSSIP was changed to always use the new ASYNC return code.
  • Added the recently introduced tracing id support in AuthBy GOSSIP
  • Enhanced Gossip encryption to support simple key rollover: the key with second highest index is now used for encryption. This allows gradually adding new keys and removing old keys to Gossip enabled instances.
  • Added the recently introduced tracing id support for Radiator Diameter logging.
  • Added support for time limited prepaid plans in AuthBy FIDELIOHOTSPOT. The SQL queries are now fully configurable. Note: support for time limited plans extends the SQL table named service. To avoid compatibility problems with current configurations, add an integer column called duration in the service table with value 0. Alternatively, reconfigure the SQL ServiceSelect to return 0 for duration. See the updated fidelio-hotspot.cfg and fidelio-hotspot.sql configuration examples in goodies.
  • New optional global configuration parameter ResponseTimeThreshold tells Radiator to log a warning when the processing time exceeds the configured millisecond threshold. The warning contains the request’s User-Name and info about the Client, Handler and AuthBy which processed the request.
  • radiusd now clears its child array after fork to avoid incorrectly calling waitpid for parent’s children. Reported by Alan Buxey.
  • Added a new utility script hexdump2wireshark.pl in goodies. This script parses Radiator Trace 5 log and extracts packet hex dumps from it. The hex dumps are written to a separate output file which can be imported into Wireshark or converted into pcap file with text2pcap.
    Usage:
    perl goodies/hexdump2wireshark.pl < /var/log/radius/logfile > radius-logfile-hexdump.txt
    The .txt file can then be imported into Wireshark or converted into pcap file with text2pcap:
    text2pcap -i 17 -u 1812,1812 radius-logfile-hexdump.txt radius-logfile-hexdump.pcap
    The script also supports “#TEXT2PCAP” directives in .txt hexdump, but currently text2pcap does not have any directives implemented.
  • Minor correction to Diameter peer state machine: Event I-Rcv-DPA in Closing state was duplicated and the transition for I-Rcv-DPA was missing. Removed extra newline from Diameter state change logging.
  • The linux startup script linux-radiator.init now checks if the PID file or system init utility functions indicate radiusd is already running before starting a new instance.
  • Added support for /preauth endpoint in AuthBy DUO. This endpoint determines if the user is authorised to log in and returns the available authentication factors for the authorised user.
  • Simplified TLS based EAP methods to use TLS session id more frequently with internal ids.
  • Added support for VSA translation. Attributes in incoming and outgoing RADIUS messages can now be translated to and from internal presentations. For example, different MAC address formats can be normalised for logging and values for reply attributes can now be set based on the Client or AuthBy RADIUS vendor type.
    Full example showing the new VsaTranslateIn, VsaTranslateOut and the related new configuration parameters is in goodies/vsa-translate.cfg
  • Diameter BIR (Bootstrapping-Info) command was misspelled as Boostrapping-Info.
  • AuthBy DUO SecretKey and IntegrationKey configuration parameters now support formatting variables. The formatting is done once during the module activation.
  • radpwtst -interactive option now queries the password. The password query is done without local echo. With -interactive, there is no need to specify the password on the command line with the -password option anymore.
    Perl Term::ReadKey is needed on Windows. Some unix based systems are supported directly but Term::ReadKey is recommended for cross platform support.
  • Removed unneeded line BEGIN-VENDOR Freeswitch from dictionary. Reported by Eddie Stassen.
  • Improved debug logging in AuthBy DYNADDRESS and Diameter watchdog state changes. Fixed misspelled LOG_ERROR and LOG_WARN log levels which all mapped to LOG_ERR.
  • Added support for MessageLog to log sent and received RADIUS, Diameter and TACACS+ messages. Initial support includes logging RADIUS messages in text and text2pcap formats to a file. Configuration sample is in goodies/logformat.cfg
  • getTimeHires() in Util.pm now checks the calling context when Time::HiRes is not installed and returns a list or scalar like Time::HiRes does.
  • StatsLog modules now calculate packet rates for each StatsLog module separately. This allows having multiple StatsLog clauses in the configuration, all with their own Interval values. Packet rates are now separate and do not affect other StatsLog clause packet rates.
  • Updates to statistics logging. All StatsLog clauses now support two new configuration parameters: StatsType and RateCalculationInterval.
    StatsType defines the stats output type. Possible values are: cumulative, derivative, packet_rate and all. Cumulative counter shows the number of processed packets. Derivative is the difference (delta) between two counter values in time interval. Packet_rate is the amount of packets transferred within time interval (packets per second). Type all produces output from all available statistic types (cumulative, derivative and packet_rate). The default is cumulative.
    Sometimes you may want to calculate packet rates over a window that differs from the value of Interval. RateCalculationInterval is an optional parameter that defines the time interval (in seconds) over which the packet rate is calculated. For example, if Interval is set to 600 seconds and RateCalculationInterval is set to 60, the packet rate then shows the average number of packets per second over the last 60 second interval. RateCalculationInterval defaults to the value of Interval.
    See statslog.cfg in goodies for detailed examples.
  • SqlDb.pm now logs clearly if connect to a SQL database fails because of missing driver. For example, if DBSource is configured with dbi:mysql:… but DBD::mysql is not present, a verbose error is logged in addition to calling ConnectAttemptFailedHook.
  • Added VENDOR AudioCodes 5003 and VSA AudioCodes-ACL-Auth-Level to dictionary. Contributed by Peter Hendrikx.
  • Added support in MessageLog for Diameter logging. Updated RADIUS MessageLog text format to include time stamps.
  • AddToReply and the related parameters were incorrectly adding to Access-Reject messages too. These are now skipped for Access-Reject replies
  • Host’s adjustReply() for AddToReply and related configuration parameters was not called when a reply was received over RadSec.
  • AuthBy DYNAUTH now supports SessionCheckHook that will be called after SessionChecks have been evaluated. It can be used to implement custom or additional logic for session checking. Setting hook parameter $result as ${$result} = 0; will trigger sending DM/CoA.
  • Added initial support for encrypting and obfuscating secrets, passwords and other sensitive values in configuration files. Client and AuthBy DYNAUTH clauses now support EncryptedDynAuthSecret and Client has support for EncryptedSecret
  • LocalAddress and LocalPort are now common configurable parameters for Stream modules. Updated AuthBy DIAMETER and AuthRADSEC not to use separate definitions for these parameters. The local address is now bound with SO_REUSEADDR socket option when LocalAddress is defined for a stream client.
  • Simplified logformat.cfg: it’s no longer required to use StartupHook to load Radius::LogFormat. Radius::LogFormat is now loaded by the logging modules directly.
  • In AuthBy DIAMETER, Origin-Host and Origin-Realm are now taken from configuration parameters. All reverse lookups for deducing Origin-* are now removed.
    Destination-Realm is first taken from User-Name’s realm part. If there is no realm, then the DestinationRealm configuration parameter is used. DestinationRealm now defaults to ‘testdestinatonrealm’ in DiaClient.pm.
    DestinationRealm and DestinationHost parameters now support formatting characters. The formatting is done when the AuthBy DIAMETER, or any other clause derived from DiaClient.pm, is activated.
    AuthBy DIAMETER now supports new configuration parameter EAP_ApplicationId. EAP_ApplicationId defaults to value Diameter-EAP. EAP_ApplicationId defines the Diameter message’s Application-ID value and Auth-Application-Id AVP value for the converted RADIUS EAP requests. The default converts RADIUS EAP authentication to Diameter EAP application. The parameter allows, for example, converting RADIUS EAP-AKA to Diameter 3GPP SWm.
    Updated the configuration diameter-authby.cfg in goodies.
  • Simplified TLS session resumption for TLS based EAP protocols. Sessions are only cached when EAPTLS_SessionResumption is enabled for the AuthBy. EAPTLS_SessionResumption is now completely separate from EAPContextTimeout: EAPContextTimeout no longer limits the session resumption time.
    Note: Any hooks or custom code that needs to save data across resumed sessions must now use resume context. See EAP.pm for the details.
  • EAPContextTimeout now defaults to 120 seconds. The previous value was 1000 seconds.
  • Added new configuration parameter EAPTLS_SessionContextId. For TLS based EAP types such as TLS, TTLS and PEAP, this optional parameter allows you to set the context within which the TLS session resumption is allowed. Defaults to Handler, which means that TLS session resumption is allowed if the resumed and the full authentication were processed by the same Handler. Previously the context was set to an ephemeral value which often forced full TLS handshakes instead of allowing session resumption to happen.
  • Moved IANA registered attributes to ‘IANA’ namespace from vendor 0 namespace. Unknown IANA attributes are now named as Unknown-IANA-191 where 191 is the attribute number. Unknown vendor specific attributes continue to be named like Unknown-9048-120 where 9048 is the vendor number and 120 is the attribute number.
    Note: any custom code that accesses RADIUS attribute definitions in the RADIUS dictionary should now check if the vendor is IANA, not 0, to differentiate between vendor attributes and IANA registered attributes. This may also affect custom code that does Diameter to RADIUS conversion.
    This namespace change fixes the problem where VSAs with vendor id 0 were proxied as non-VSAs when ProxyUnknownAttributes was set. Reported by Alan Buxey.
  • Fixed and unified JSON formats in LogFormat.pm. Time contains unix time. Timestamp contains a locale specific time presentation based on the unix time. Timestamp includes microseconds if LogMicroseconds is defined; the format is the same as in the Radiator plaintext log. New attribute “datetime” is the localtime for human readers’ convenience. Previously the timestamp format incorrectly claimed to use UTC time while it was in fact local time.
  • Improved AddressAllocator DHCP logging and DHCP socket set up. When LocalAddress was not configured and hostname did not resolve to an IP address, radiusd died during the startup. Now an error is logged and the DHCP socket will not be set up.
    If DHCP set up fails for some other reason, the reason is now clearly logged and the DHCP socket will not be set up.
    When the DHCP socket is not set up, address allocation methods return with REJECT and an error is logged. The problem with unresolved hostname was reported by Edward Ocenar.
  • AuthBy DUO now supports optional parameter Failmode that specifies whether to reject, accept or ignore authentication when the Duo API is not available or a Duo API call times out. Default is to ignore the authentication request. DUO API timeout is now handled separately from the other DUO API call failures.
  • Address allocators now support Acct-Status-Type values Accounting-On and Accounting-Off. The default is to accept the Accounting-Request with no other action. The SQL allocator can now be configured with DeallocateByNASQuery to, for example, release all leases for the NAS. Updated the configuration example addressallocator.cfg with sample DeallocateByNASQuery and updated the SQL example files with a new column for NAS id.
  • Added optional conversion of Diameter Session-Termination-Request (STR) to RADIUS Accounting-Request with Acct-Status-Type set to Stop. This, and possible future conversions, can be enabled with ConvertCommand configuration parameter within ServerDIAMETER. More details are in diameter-server.cfg in goodies. Requested by Jean-Marc MONTENOT.
  • Updated AddressAllocator SQL to support delayed pool activation. When AddressAllocator SQL is configured with DelayedPoolCheckTime, the pool creation, address checks and initial reclamation are delayed by the configured number of seconds after radiusd has started.
    Added a new configuration parameter NasIdentifier for AddressPool clauses. The configured value is made available for AddAddressQuery.
  • Source IP address and source port for incoming TACACS+ and StreamServer based connections, such as RadSec and Diameter, are now immediately logged after they are accepted. This allows logging even the very short lived connections from probes and other sources. Reported by Alexander Hartmaier.
  • Added a new optional configuration parameter AllowInReject for defining which attributes are allowed in Access-Reject. This can be useful in Handlers with multiple AuthBys where the attributes added before a rejecting AuthBy need to be stripped from the resulting Access-Reject.
  • Added a new optional configuration parameter Encoding for MessageLog FILE and its subclasses. This allows, for example, encoding a binary or multiline log entry as a single hex encoded line which might be useful with some log shipping tools and agents. Currently supported encodings are none and hex. Updated the configuration sample in logformat.cfg
  • AttrList and its derived modules now support delete_attr_d() method. This allows deleting attributes by name from DiaMsg and other AttrList objects.
  • Fixed Client IgnoreAcctSignature flag to correctly work as a flag. Previously a defined but false value, such as 0, was interpreted as the flag being set. IgnoreAcctSignature is not defined or set by default. Reported by Niels Monen.
  • Added initial support for encrypting and obfuscating TACACS+ keys in the configuration file. This is similar to the recently added RADIUS client shared secret obfuscation. Client and ServerTACACSPLUS now support EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples in the tacacsplusserver.cfg sample configuration file.
  • Enhanced logging in ServerTACACSPLUS. Very short lived connections are now logged with the peer IP address and port. Some TACACS+ clients, network monitoring probes and other software may close the newly opened TACACS+ connection immediately without any TACACS+ request exchange. These connections are now more clearly logged. Updated two other infrequently used log messages to include the peer IP and port. Suggested by Alexander Hartmaier.
  • USR1 and USR2 signals are now propagated to the server farm workers by the farm parent. This allows changing the logging trace value for the whole farm at once by sending the signal to the farm parent. Suggested by Jose Borges Ferreira.
  • Added initial support in AuthBy GOSSIP for using backends such as Redis for authentication, voucher lists and black lists.
  • Added new formatter %{TimestampVal:number} where number can be a positive or negative integer, request attribute name or a special. For example %{TimestampVal:3000}, %{TimestampVal:Session-Timeout} or %{TimestampVal:%{Reply:Session-Timeout}}. The replaced value is the current unix time stamp + the number. Useful for replacing hooks with formatters when calculating time stamps.
  • AuthBy GOSSIP can now hint the desired authentication backend, SQL, LDAP, etc., to the Gossip peer. The authentication backend is configured with the optional configuration parameter AuthenticationMethod.
  • AuthBy DYNADDRESS now supports optional configuration flag parameter RunWhenMissing. When RunWhenMissing is set to off, the confirm and deallocate operations of the configured address allocator are not run if the Accounting-Request does not have the IP address.
    Accounting-Request messages from some types of RADIUS clients may not contain the allocated IP address. This may happen because the MapAttribute yiaddr is missing from the request, or, when IPv4 and IPv6 allocators are chained, the yiaddr is not set for the allocator type. In this case you may want to set RunWhenMissing to off. The default is to always run confirm and deallocate.
  • Fixed misleading log message in AuthBy OTP where OTP verify result was logged during failure. The result is only a boolean value while the log message hinted there might be additional information available. Reported by Alexander Hartmaier.
  • Updated log calls in multiple EAP methods to include the current request.
  • Added initial support for logging tracing identifier in ServerTACACSPLUS. Further changes are needed for additional coverage.
  • The value intended for NAS_ID column is now configurable with NasId parameter in AddressAllocator SQL. The default value is %{NAS-Identifier}. Updated the configuration sample addressallocator.cfg in goodies.
  • Overly long locally added attributes were incorrectly packed in the outgoing RADIUS messages. These messages are now logged with ERR log level and no message is sent.
  • AuthBy RADIUS and its subclasses can now return with result REJECT to trigger an Access-Reject when a proxied request times out. This requires setting a new flag parameter called NoReplyReject. NoReplyReject allows rejecting timed out requests without hooks such as NoReplyHook. When returning a result, the reason for the timed out requests is now set to “Upstream timeout”.
  • Added PostSearchHook in AuthBy GOSSIP that is called by AuthGOSSIP’s findUser() after AuthAttrDef’s have been evaluated and possible reply attributes are in place.
  • ServerTACACSPLUS now evaluates global RewriteUsername before dispatching a TACACS+ pseudo RADIUS request to a Handler. Previously global RewriteUsername was not evaluated for TACACS+ requests. Suggested by Tim Cheyne.
  • Updated sample certificates to expire on Aug 10 2018
  • Improved handling of plaintext passwords with prefix {clear}. The plaintext value is now clearly separate from any hashed or encrypted value. Custom modules using AuthGeneric methods get_plaintext_password and translate_password should be checked for compatibility. Reported by Vangelis Kyriakakis.
  • radiusd now exits during startup if it can not load the objects required by the configuration file. For example, if an AuthBy or a SessionDatabase fails to load, radiusd will log the failure and exit immediately. Previous behaviour was to log the failure and continue.
  • Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.24. Added 32 and 64 bit Win32-Lsa ppms for ActivePerl 5.22.
  • Fixed a memory leak where duplicate cache entries were not freed when radiusd was reloaded. Reported by Niels Monen.
  • HTTP Digest authentication must now be enabled with configuration flag parameter HTTPDigestAuthentication. This flag is not set by default.
  • Updated system.cfg in goodies. The old Shadow helper module is not needed with the recent Perls for AuthBy SYSTEM.
  • EAP authentication using AuthBy LDAP2 worked incorrectly with some atypical Radiator and LDAP configurations.
  • Improved EAP debug logging for better PacketTrace and trace id support: EAP messages with bad length are now more clearly logged.
  • TLS compression is now disabled for all TLS based EAP methods and all StreamTLS based modules, such as RadSec, Diameter and ServerHTTP with SSL_OP_NO_COMPRESSION option. Current systems should already disable TLS compression by default, so this change makes sure compression is not inadvertently enabled, for example, when system defaults are changed or Radiator runs on an unpatched system. SSL_OP_NO_COMPRESSION is available with OpenSSL 1.0.0 and later.
  • Updated the default HostSelect in AuthBy SQLRADIUS to use quoted realm. Updated the configuration sample sqlradius.cfg to use quotes.
  • ServerRADSEC now supports StatusServer parameter similar to RADIUS Clients. Requested by Christian ‘wiwi’ Wittenhorst.
  • fideliosim.pl in goodies now binds to 127.0.0.1 by default but has command line switch to set the addresses to bind.
Revision 4.16 (2015-10-27) EAP compatibility enhancements, security fixes, new features

Selected bug fixes, compatibility notes and enhancements

  • Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.
  • Two important security fixes. OSC recommends all users to review OSC security advisory OSC-SEC-2015-02.
  • TLS session resumption may not currently work with all Windows clients. A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or wait for the client to retry the authentication.
  • Radiator now supports the new module AddressAllocator DHCPv6 for IPv6 address allocation and prefix delegation.

Detailed changes

  • Created separate directory for PPM files compiled for ActivePerl. Moved files from ppm to ppm/activeperl/ and updated the meta file contents.
    Win32-Lsa is now compiled for both ActivePerl 5.18 and 5.20 flavours up to Perl 5.20: 64bit and 32bit with 64bit integer.
    Created separate directory for PPM files compiled for Strawberry Perl.
    Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers.
  • Radiator now logs the Net::SSLeay and SSL/TLS library version during the radiusd startup. TLS v1.2 for TLS based EAP methods is not used if it can not be determined that the MPPE keys can be correctly calculated. These changes enhance compatibility with future Apple iOS, OS X and Android 6 Marshmallow. If not all TLS versions are available, details of what can be used are logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 or later are required to fully utilise all TLS versions for TLS based EAP methods. Thanks to radiator mailing list members for comments and suggestions.
  • AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration parameter. This parameter requires Sys::Syslog version 0.28 or later. Suggested by Michael and Kilian Krause.
  • LDAP modules now support BindFailedHook which is called when LDAP bind operation fails. The default is to log the failure. Bind password is no longer logged. To log the password, configure the hook to log it or configure the LDAP clause with the Debug configuration parameter and see the console output. With the kind help of Scott Bertilson.
  • AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is enabled. Binary attribute values are now logged in text format similarly to RADIUS attributes. To debug the password, use the Debug configuration parameter and see the console output or configure PasswordLogFileName for the Handler.
  • Resolver for AuthBy DNSROAM now uses eval to catch exceptions from Net::DNS. The Net::DNS API had been changed around version 0.72 to raise exceptions when errors occurred. Uncaught exceptions could cause Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and Paul Dekkers.
    Updated error levels for Resolver log messages. Most of the log messages are now using WARNING instead of ERR. These messages are logged for example for DNS failures or badly formatted DNS domains.
  • ServerHTTP authentication now creates a request that can be correctly proxied to a remote server. Previously the proxied authentication would always fail.
  • AuthBy RADIUS and its derived modules still required ‘ipv6:’ prefix for LocalAddress parameter. Reported by Claudio Ramirez. Correct address is now logged if binding to LocalAddress fails.
  • Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.
  • SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with the Timeout configuration parameter value. This attribute is valid only for ODBC and is set only when Radiator runs on a Windows host. The default value for odbc_query_timeout is 0 which can cause very long timeouts on Windows with SQL queries.
  • While RADIUS dictionaries are loaded, attributes with unknown types are logged with trace level WARNING. The treatment of unknown types has not changed: the unknown types are treated as binary.
  • Incorrectly formatted textual IPv6 addresses in configuration files or retrieved for example from SQL backend could cause address resolution loops.
  • Added support for additional IPv6 functions in Util.pm and UtilSocket6.pm for AddressAllocator DHCPv6 and other modules that require packing IPv6 socket structures with scope ID number and flow information.
  • AuthBy DYNADDRESS now supports multivalued allocation results. For example, multiple DNS server addresses from DHCPv6 based allocations. The multiple values are mapped to the configured RADIUS attribute, one value per one attribute instance.
    AuthBy DYNADDRESS now supports MapResultHook. This hook allows modifying the allocation results after they have been received, and before Radiator has processed the MapAttribute definitions.
  • Added support for AddressAllocator DHCPv6. AddressAllocator DHCPv6 works in conjunction with AuthBy DYNADDRESS and a DHCPv6 server to dynamically allocate IPv6 addresses and prefixes, and provide other configuration information. Both stateless and stateful DHCPv6 configuration is supported.
    See the configuration sample files addressallocatordhcpv6.cfg and addressallocatordhcpv6-dhcpd.conf for Radiator and ISC DHCP server in goodies for more examples including use of Delegated-IPv6-Prefix and Framed-IPv6-Prefix for prefix delegation.
  • Added better logging for invalid EAPType names. Unknown types are logged during the configuration check. Clarified the error message if the default EAPType is unknown. Thanks to Patrick Honing for informing about the unclear log messages.
  • Failures with send() when sending RADIUS messages over UDP are now correctly logged.
  • TLS based EAP methods EAP-FAST, EAP-TLS, EAP-TTLS and PEAP now log the TLS version and cipher chosen for the EAP session. TLS values related to the EAP session are also available as special formatting variables. You can use, for example, %{EAPTLS:Protocol} and %{EAPTLS:Cipher} with AuthLog. Suggested by Alexander Hartmaier.
  • Updated Stream base class to work correctly with non-blocking sockets on some Windows Perl distributions. Windows returns POSIX::EWOULDBLOCK (140) or WSAEWOULDBLOCK instead of EINPROGRESS. 140 was first seen with Strawberry Perl 5.20 and 5.22.
  • Diameter AttrList get_attrs_d now returns empty list instead of single entry with undef value when the requested attribute was not present.
  • Changed the type of Cisco-VPN-WebVPN-HTML-Filter in dictionary.cisco-vpn from unsupported bitmap to integer. Reported by Alex Hartmaier.
  • diapwtst updates: added missing attributes and removed a couple of RADIUS related options.
  • Fixed a bug which could result in an infinite loop when formatting special variables and could be used to create a DoS attack crashing the radiusd process. Reported by Øyvind Aabling.
  • AuthBy RADIUS and AuthBy RADSEC now use 32 bit id space when UseExtendedIds is set. While the previous 16 bit id space should be enough, the new value matches the value documented in the reference manual.
  • Unified Session ID based resumption handling for EAP-TLS, EAP-TTLS and PEAP.
  • radpwtst now supports subsecond resolution with the -time command line option when Time::HiRes Perl module is available. Time::HiRes is part of all recent Perl distributions.
  • Updated the recent formatting patch and enhanced its compatibility with older Perl versions.
  • Added support for tracing TLS handshake and session state for the TLS based EAP methods. Tracing can be enabled with one of: new AuthBy level configuration flag parameter EAPTLS_TraceState, setting the Trace configuration parameter to 5 (EXTRA_DEBUG) or with the PacketTrace configuration parameter.
  • LogFILE now checks for recursion allowing runHook to call logging if needed. This avoids infinite recursion if LogFormatHook raises an exception. Added a JSON example in LogFormatHook for Log FILE in goodies/logformat.cfg and Radius/LogFormat.pm.
  • Added LogFormatHook for Log SYSLOG and AuthLog SYSLOG. Updated logformat.cfg with JSON format hook example. Suggested by Craig Simons.
  • Added example of EAPTLS_TraceState in goodies EAP-TLS, EAP-TTLS and PEAP sample files.
Revision 4.15 (2015-07-15) Bug fixes, features and enhancements

Selected bug fixes, compatibility notes, new features and enhancements

  • Fixes an EAP-MSCHAP-V2 and EAP-pwd vulnerability. OSC recommends all users to review OSC security advisory OSC-SEC-2015-01 to see if they are affected.
  • perl-ldap-0.32 or better is required. Should be available in all current systems.
  • EAP-pwd requires Crypt::OpenSSL::Bignum 0.06 or later from CPAN
  • Configurable TLS version and ciphersuite selection for TLS based EAP and stream modules
  • CRL checks for the entire certificate chain can now be enabled
  • Included Gossip framework with Redis based implementation
  • Support for Gossip when communicating next hop proxy failures between Radiator instances
  • Shared duplicate cache for a more simple server farm configuration
  • Windows Event log support
  • Custom format support for logs, authentication logs and accounting logs. CEF and JSON included
  • Support for IEEE 802.1AE, also known as MACsec
  • All AuthBys now support PostAuthHooks
  • Various binary modules are now available from OSC and were removed from the Radiator distribution

Detailed changes

  • Added VENDOR STI (Server Technology Inc.) 1718 and multiple STI VSAs to dictionary. Contributed by Garry Shtern.
  • Added VENDOR PacketDesign 8083 and VSAs PacketDesign-UserClass and PacketDesign-FTP to dictionary. Contributed by Garry Shtern.
  • Added SN-Software-Version to dictionary. Reported by Bruno Tiago Rodrigues.
  • Changed type of VENDORATTR 3076 Cisco-VPN-DHCP-Network-Scope in dictionary.cisco-vpn from text to ipaddr. Reported by Kilian Krause.
  • Dictionary updates: Added H3C proprietary values H3C-SSH and H3C-Console for Login-Service. Changed Lancom LCS-Mac-Address type from string to hexadecimal. Added H3C-Priority. All reported by Philip Herbert.
  • Zero length writes are now skipped in Stream.pm write_pending() used by RadSec, Diameter, SIGTRAN and other stream protocols. SCTP does not support 0 length syswrites on all platforms and may close the socket if zero length write is done.
  • Added VENDOR Airespace 14179 VSAs 7-11 and 13-16 to dictionary.
  • AuthBy GROUP now updates current AuthBy for %{AuthBy:parmname}. When AuthBy GROUP is used, this special formatting now gets the parameter value from the current AuthBy within the group instead of the AuthBy GROUP itself.
  • Updated VENDOR 1991 Foundry VSAs in dictionary. foundry-privilege-level is now a synonym for brocade-privilege-level. Added a number of foundry VSAs.
  • LDAP Version now defaults to 3 instead of 2. Updated a number of LDAP configuration example files in goodies to reflect this change.
  • Ldap.pm now uses the LDAP object’s disconnect method, instead of closing the socket directly.
  • AuthBy LDAP2 and AuthBy LDAPDIGIPASS now use escape_filter_value provided by Net::LDAP::Util instead of escapeLdapLiteral in Ldap.pm. Ldap.pm escapeLdapLiteral is now deprecated and perl-ldap-0.32 or better is required.
  • RefreshPeriod in ClientListSQL and ClientListLDAP now support special % formatting. Suggested by Bengi Sağlam.
  • Updated VENDOR 2011 Huawei VSAs in dictionary. Huawei-Input-Basic-Rate is now an alias for Huawei-Input-Peak-Rate. Huawei-Output-Basic-Rate was changed similarly. Some of the attribute numbers appear to have different names and types between different devices. Huawei-User-Type, Huawei-MIP-Agent-MN-Flag and Huawei-Requested-APN are now aliases but aliasing may be handled with separate dictionary files in the future. Huawei-HW-Portal-Mode was renamed to Huawei-Portal-Mode.
  • WiMAX dictionary updates: changed WiMAX-Session-Termination-Capability type to integer and added one value: Dynamic-Authorization. Changed WiMAX-PPAQ TLV Quota-Identifier type to binary. WiMAX subattributes within single Vendor-Specific attribute are now correctly decoded.
  • Dictionary updates for Huawei: Reverted the recent aliasing changes. The conflicting attributes are now in a new Huawei specific dictionary file goodies/dictionary.huawei1. This new dictionary file contains attributes used by, for example, Huawei packet gateway / Wi-Fi controller. Since Huawei seems to use device specific dictionaries, additional dictionary files are added as needed.
  • Added new AuthLog EVENTLOG and Log EVENTLOG modules for logging to Windows Event Log. Added eventlog.cfg in goodies for configuration example and more information about how to set up registry and DLL Event Log helpers. Precompiled DLLs are available in goodies\windows-dll with source files and compilation examples.
  • radiusd now handles SIGINT (typically from Ctrl-C) similar to SIGTERM.
  • Added support for shared and global DupCache. Radiator now supports 3 different options for the new DupCache configuration parameter: local (the default), shared (uses shared memory) and global (uses Radiator’s Gossip framework). When DupCache is set to shared, DupCacheFile sets the location of the mmapped shared memory file. Shared DupCache is recommended when the FarmSize configuration parameter is set. With shared or global DupCache, the backend workers do not need to have UseContentsForDuplicateDetection enabled anymore. DupCache shared requires the Cache::FastMmap module. Sample configuration eapbalance.cfg in goodies was updated to demonstrate the new configuration parameters DupCache and DupCacheFile.
  • Added a number of VENDOR 22610 A10-Networks VSAs in dictionary. Contributed by Scott Bertilson.
  • Changed the types of WiMAX-PPAQ TLVs Volume-Quota, Volume-Threshold, Resource-Quota and Resource-Threshold to hexadecimal. This makes the 8 or 12 long values easier to handle in PPAQ applications.
  • Updated shared and global DupCache debugging and initialisation. If the required Cache::FastMmap is not available when DupCache is set to ‘shared’, Radiator will log a message and refuses to start. The availability of Cache::FastMmap is checked during the configuration phase.
  • Added support for Gossip protocol framework and Redis based Gossip implementation. Radiator’s Gossip implementation allows Radiator instances to share information and event notifications. The instances may be part of a server farm, completely separate processes running on the same or different hosts, or any combination thereof. Redis based Gossip is configured with the GossipRedis clause. At first, Gossip support is provided for RADIUS duplicate cache: when the global configuration parameter DupCache is set to ‘global’, GossipRedis will be used for RADIUS duplicate cache. More Radiator modules will be added and upgraded to use the Gossip framework in the future. Requires Data::MessagePack and Redis Perl modules from CPAN.
  • Updated AuthLog SQL examples in goodies to use SQL bind variables.
  • Added Radiator Gossip framework support to AuthBy RADIUS. Multiple Radiator instances can now communicate next hop host unreachability and reachability information with Gossip messages. This allows, for example, just one member to run Status-Server queries when FarmSize configuration parameter is enabled. Added new configuration parameter NoKeepaliveTimeoutForChildInstances to limit Status-Server probing to the first farm instance only. The new features are also available to AuthBy RADIUS sub-types, such as, ROUNDROBIN and HASHBALANCE. See goodies/farmsize.cfg for a configuration example with shared duplicate cache and Gossip and Redis configuration.
  • Updated EAP-pwd to use unpatched version of Crypt::OpenSSL::Bignum. Radiator 4.14 and earlier required Crypt::OpenSSL::Bignum 0.04 + patches. These patches are no longer needed, and version 0.06 or later from CPAN is now required instead. Caution: Crypt::OpenSSL::Bignum 0.04 + patches in Radiator goodies no longer work with the current version of EAP_52.pm (EAP-pwd). You must update to Crypt::OpenSSL::Bignum 0.06 or later.
  • Updated dictionary with new attributes for vendors 14823 Aruba, 25053 Ruckus and 25506 H3C.
  • Fixed a problem that could cause a crash if AuthBy RADIUS was configured with the Synchronous parameter, FailureBackoffTime was set and the next hop proxy became unreachable. Reported by Diogo Gonçalves.
  • EAP-pwd now correctly adds the user’s and AuthBy’s reply attributes in the Access-Accept.
  • The first components in @INC, the Perl library search locations, are now checked for readability. Unreadable directories may cause hard to diagnose failures when Perl modules are loaded. This may happen, for example, when radiusd process is started as a user with restricted privileges. Reported by Kilian Krause.
  • Added support for AuthBy specific PostAuthHook configuration parameters. All AuthBys can now define a PostAuthHook that will be called when the AuthBy is done processing the request and has returned. The hook parameters are the same as for Handler’s PostAuthHook. After the optional PostAuthHook has run, result, reason and Identifier from the AuthBy are saved in $p for subsequent AuthBys and other use. Updated duo.cfg in goodies to use PostAuthHook for password splitting.
  • Added support for IEEE 802.1AE, also known as MACsec. Radiator will now return EAP-Key-Name attribute if requested by the RADIUS client. EAP-Key-Name is supported for the following EAP methods: EAP-FAST, EAP-pwd, EAP-TLS, EAP-TTLS and PEAP.
  • RADIUS attributes using encrypt=2 flag or decode/encode_salted directly now have their initialisation vector set to all zeroes when there would otherwise be a circular dependency between the RADIUS fixed header Authenticator, the initialisation vector, and the encrypted attribute value. This allows, for example, proxying RFC 5176 dynamic authentication requests so that the encrypted values can be correctly recovered, provided that the target also uses a zero IV similarly. Known to work with vendor 6527.
  • EAP-TLS now rejects possible EAP-TLS conversation restart attempts instead of replying, again, with an alert. Some EAP-TLS peers, such as Windows, may try to restart the EAP-TLS conversation after certain alerts such as ‘Unknown CA’. Reported by Pieter Jan Van Meerbeeck.
  • Updated a number of configuration samples in goodies: ‘DupInterval 0’ is usually not needed and can be harmful. The default value of 10 seconds is preferred and non-default values are only necessary in very unusual circumstances. Handler clauses are in most cases more flexible than Realm clauses. Other typo fixes and small corrections.
  • EAP-FAST now checks Net::SSLeay::get_keyblock_size() calls for error return values. Also, Net::SSLeay 1.68 and earlier with OpenSSL 1.0.1 and later may return incorrect values, not errors, for get_keyblock_size() which cause authentication to fail. Fix in Net::SSLeay 1.69 allows it to return correct values with recent OpenSSL versions, and any error return values are now correctly checked by EAP-FAST.
  • Added new configuration parameter TLS_Protocols to set the supported SSL and TLS protocols for Stream based modules, such as Diameter and RadSec. New configurations should use TLS_Protocols instead of UseSSL or UseTLS. TLS_Protocols overrides UseSSL and UseTLS when defined. TLS_Protocols is not defined by default. Added new configuration parameter EAPTLS_Protocols to set the supported TLS protocols for TLS based EAP methods, such as EAP-TLS, EAP-TTLS and PEAP. EAPTLS_Protocols is not defined by default. Both TLS_Protocols and EAPTLS_Protocols accept a list of comma separated values. The supported values are: SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Added new configuration parameters TLS_Ciphers and EAPTLS_Ciphers to define the allowed cipher suites for Stream protocols and TLS based EAP methods. The parameter format is OpenSSL cipher string format. Both parameters default to DEFAULT:!EXPORT:!LOW. TLS_Ciphers and EAPTLS_Ciphers can be defined separately from TLS_Protocols and EAPTLS_Protocols.
  • Updated vendor ZTE 3902 VSAs in dictionary.
  • Added support for TLS_Protocols and TLS_Ciphers parameters to Monitor and Server HTTP.
  • TLS_Ciphers and EAPTLS_Ciphers now support formatting characters. Net::SSLeay and SSL library version, if available, are now logged after SSL library initialisation.
  • Added goodies/logformat.cfg, showing how to use LogFormatHook for authentication log and AcctLogFileFormatHook for accounting messages. Added LogFormat.pm with sample hooks for formatting accounting messages in JSON format and authentication log entries in JSON and CEF (ArcSight Common Event Format) formats.
  • Removed non-functional support for the obsolete RSA ephemeral keying. See TLS_DHFile, EAPTLS_DHFile, TLS_ECDH_Curve and EAPTLS_ECDH_Curve for the currently supported forward secrecy methods.
  • Updated Radiator’s Gossip module Perl requirements based on suggestions by Alan Buxey. Tested with Net::SSLeay 1.69 and LibreSSL 2.2.0: OK.
  • Added support for CRL checks for the entire certificate chain. New configuration parameters EAPTLS_CRLCheckAll for TLS based EAP methods and TLS_CRLCheckAll for stream based protocols, such as RadSec and Diameter, enable X509_V_FLAG_CRL_CHECK_ALL to turn on CRL checks for the entire certificate chain. Note: you need to also have EAPTLS_CRLCheck or TLS_CRLCheck enabled for any CRL checks to happen. If the CRL files for the intermediate CAs are not found, certificate check fails with: ‘SSL3_GET_CLIENT_CERTIFICATE:no certificate returned’.
  • Updated configuration samples in goodies to include the recently added TLS and related parameters. Updated other goodies files with various other fixes.
  • Documented SSLCiphers in the reference manual and updated LDAP SSLCiphers default value from ‘ALL’ to ‘DEFAULT:!EXPORT:!LOW’.
  • Updated ldap.cfg to mention possible interoperability problems between HoldServerConnection and ServerChecksPassword when both are set. Suggested by Niels Monen. Documented SSLCiphers in ldap.cfg.
  • Removed Authen::Digipass and Authen::ACE4 binary modules from the Radiator distribution. Direct contact with OSC is now preferred to find out how to compile these modules for your chosen OS, Perl version, Perl distribution and 32 or 64 bit platform. Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.22.
  • DBM file handling is not working on Strawberry Perl 5.20 or 5.22. Disabled AuthBy DBMFILE checks from test.pl on Windows meanwhile this is investigated.
  • Updates to EAP-MSCHAP-V2 and EAP-pwd identity handling. See OSC security advisory OSC-SEC-2015-01.
Revision 4.14 (2014-12-03) One very important vulnerability and bug fix. Other features and enhancements

Selected bug fixes, compatibility notes and enhancements

  • Fixes a vulnerability and very significant bug in EAP authentication. OSC recommends all users to review OSC security advisory OSC-SEC-2014-01 to see if they are affected.
  • Client findAddress() was changed to lookup CIDR clients before DEFAULT client. Affects ServerTACACSPLUS and in some cases SessionDatabase modules.
  • Added support for non-blocking sockets on Windows
  • SessionDatabase SQL queries now support bind variables

Detailed changes

  • Added VENDOR Allot 2603 and VSA Allot-User-Role to dictionary.
  • Added Diameter AVP flag hints in the Diameter Credit-Control Application dictionary.
  • Prevented crash during startup when configured to support a Diameter application for which no dictionary module was present. Reported by Arthur. Improved logging of loading of Diameter application dictionary modules.
  • Improvements to AuthBy SIP2 to add support for SIP2Hook. SIP2Hook can be used for patron authorisation and/or authentication. Added an example hook goodies/sip2hook.pl. Added a new optional parameter UsePatronInformationRequest for configurations in which Patron Status Request is not sufficient.
  • Fixed a problem with SNMPAgent which could cause a crash if the configuration had no Clients.
  • Stream and StreamServer sockets are now set to nonblocking mode on Windows too. This allows for example, RadSec to use nonblocking sockets on Windows.
  • radpwtst now honours -message_authenticator option for all request types specified with the -code parameter.
  • Client.pm findAddress() was changed to look up CIDR clients before DEFAULT client. This is the same order Client lookup for incoming RADIUS requests uses. This affects mostly ServerTACACSPLUS. SessionDatabase DBM, INTERNAL and SQL also use findAddress() and are affected when Clients have NasType configured for Simultaneous-Use online checking. Client lookup was simplified in ServerTACACSPLUS.
  • Added VENDOR Cambium 17713 and four Cambium-Canopy VSAs to dictionary. “RADIUS Attributes for IEEE 802 Networks” is now RFC 7268. Updated some of its attribute types.
  • AuthBy MULTICAST now checks first, not after, if the next hop host is working before creating the request to forward. This will save cycles when the next hop is not working.
  • Added VENDOR Apcon 10830 and VSA Apcon-User-Level to dictionary. Contributed by Jason Griffith.
  • Added support for custom password hashes and other user defined password check methods. When the new configuration parameter CheckPasswordHook is defined for an AuthBy and the password retrieved from the user database starts with leading ‘{OSC-pw-hook}’, the request, the submitted password and the retrieved password are passed to the CheckPasswordHook. The hook must return true if the submitted password is deemed correct. TranslatePasswordHook runs before CheckPasswordHook and can be used to add ‘{OSC-pw-hook}’ to the retrieved passwords.
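As an added illustration of the CheckPasswordHook contract described above (not Radiator’s own code), here is a hook that verifies a constructed salted SHA-256 storage format, tagged ‘{OSC-pw-hook}ssha256$<hex salt>$<hex digest>’. It assumes the hook receives the request, the submitted password and the retrieved password in that order, that the retrieved value may still carry the ‘{OSC-pw-hook}’ prefix (so the prefix is stripped if present), and that the file is loaded into the AuthBy clause with the file: hook syntax; the storage format and the file name are assumptions, not anything Radiator defines.

```perl
# Added example hook, not part of Radiator. Load with (assumed usage):
#   CheckPasswordHook file:"%D/checkpw-ssha256.pl"
# Stored password format (constructed for this example):
#   {OSC-pw-hook}ssha256$<hex salt>$<hex sha256(salt . password)>
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Compare two hex digests without short-circuiting on the first mismatch,
# so the time taken does not reveal how much of the digest matched.
sub _digests_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Radiator hook: must return true only when the submitted password matches.
# Assumed argument order: ($p, $submitted, $retrieved), as the page states.
sub {
    my ($p, $submitted, $retrieved) = @_;
    return 0 unless defined $submitted && defined $retrieved;

    # The prefix is what routed us here; tolerate it still being present.
    $retrieved =~ s/^\{OSC-pw-hook\}//;

    my ($scheme, $salt_hex, $digest_hex) = split /\$/, $retrieved, 3;
    # Reject anything that is not exactly our format: unknown scheme,
    # non-hex salt, or a digest that is not 32 bytes of SHA-256.
    return 0 unless defined $digest_hex
        && $scheme eq 'ssha256'
        && $salt_hex  =~ /^[0-9a-f]+$/
        && $digest_hex =~ /^[0-9a-f]{64}$/;

    my $salt = pack('H*', $salt_hex);
    return _digests_equal(sha256_hex($salt . $submitted), $digest_hex) ? 1 : 0;
};
```

Values without the ‘{OSC-pw-hook}’ prefix never reach this hook, so existing hashed or plaintext entries keep using Radiator’s built-in checks; a TranslatePasswordHook can add the prefix for entries stored in this format.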
  • AuthLog SYSLOG and Log SYSLOG now check LogOpt during the configuration check phase. Any problems are now logged with the logger’s Identifier.
  • The defaults for SessionDatabase SQL AddQuery and CountQuery now use %0 where username is needed. Updated the documentation to clarify the value of %0 for AddQuery, CountQuery, ReplaceQuery, UpdateQuery and DeleteQuery: %0 is the quoted original username. However, if SessionDatabaseUseRewrittenName is set for the Handler and the check is done by Handler (MaxSessions) or AuthBy (DefaultSimultaneousUse), then %0 is the rewritten username. For per-user session database queries %0 is always the original username. Updated the documentation for CountQuery to include %0 and %1. For CountQuery %1 is the value of the simultaneous use limit.
  • Enhanced resolution of vendor names to Vendor-Id values for SupportedVendorIds, VendorAuthApplicationIds and VendorAcctApplicationIds. Keyword DictVendors for SupportedVendorIds now includes vendors from all dictionaries that are loaded. Vendor name in Vendor*ApplicationIds can be in any of the loaded dictionaries in addition to being listed in the DiaMsg module.
  • Added VENDOR InMon 4300 and VSA InMon-Access-Level to dictionary. Contributed by Garry Shtern.
  • Added ReplyTimeoutHook to AuthBy RADIUS, called if no reply is heard from the currently tried remote server. The hook is called if no reply is heard for a specific request after the Retries retransmissions and the request is deemed to have failed for that Host. Suggested by David Zych.
  • The default ConnectionAttemptFailedHook no longer logs the real DBAuth value but ‘**obscured**’ instead.
  • Name clash with SqlDb disconnect method caused unnecessary Fidelio interface disconnects and reconnects in AuthBy FIDELIOHOTSPOT after SQL errors. AuthBy FIDELIOHOTSPOT now inherits directly from SqlDb.
  • Added VENDOR 4ipnet 31932 and 14 4ipnet VSAs to dictionary. These VSAs are also used by devices from 4ipnet partners, such as LevelOne. Contributed by Itzik Ben Itzhak.
  • MaxTargetHosts now applies to AuthBy RADIUS and its sub-types AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE, HASHBALANCE and EAPBALANCE. MaxTargetHosts was previously implemented only for AuthBy VOLUMEBALANCE. Suggested by David Zych.
  • Added VENDOR ZTE 3902 and multiple VSAs to dictionary with the kind assistance of Nguyen Song Huy. Updated Cisco VSAs in dictionary.
  • Added radiator.service, a sample systemd startup file for Linux.
  • AuthBy FIDELIO and its sub-types now log a warning if the server sends no records during the database resync. This usually indicates a configuration problem on the Fidelio server side, unless there really are no checked in guests. Added a note about this in fidelio.txt in goodies.
  • Added Diameter Base Protocol AVP flag rules in DiaDict. Radiator no longer sends CEA with Firmware-Revision AVP that has M flag set.
  • BogoMips again defaults correctly to 1 when BogoMips is not configured in a Host clause in AuthBy LOADBALANCE or VOLUMEBALANCE. Reported by Serge ANDREY. The default was broken in release 4.12. Updated LOADBALANCE example in proxyalgorithm.cfg in goodies.
  • Ensured that Hosts with BogoMips set to 0 in AuthBy VOLUMEBALANCE will not be candidates for proxying.
  • Added Diameter AVP flag rules in DiaDict for the following Diameter applications: RFC 4005 and 7155 NASREQ, RFC 4004 Mobile IPv4 Application, RFC 4740 SIP Application and RFC 4072 EAP Application.
  • Added the attributes from RFC 6929 to dictionary. The attributes will now be proxied by default but no specific handling is done for them yet.
  • Added VENDOR Covaro Networks 18022 and multiple Covaro VSAs to dictionary. These VSAs are used by products from ADVA Optical Networking.
  • Significant performance enhancements in ServerDIAMETER and Diameter request processing. Diameter requests are now formatted for debugging only when the Trace level is set to debug or higher.
  • AuthLog FILE and Log FILE now support LogFormatHook to customise the log message. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing. Suggestion and help by Alexander Hartmaier.
  • Updated the values for Acct-Terminate-Cause, NAS-Port-Type and Error-Cause in dictionary to match the latest IANA assignments.
  • Updated sample certificates from SHA-1 and RSA 1024 to SHA-256 and RSA 2048 algorithms. Added new directories certificates/sha1-rsa1024 and certificates/sha256-secp256r1 with certificates using the previous and ECC (Elliptic curve cryptography) algorithms. All sample certificates use the same subject and issuer information and extensions. This allows testing the different signature and public key algorithms with minimal configuration changes. Updated mkcertificate.sh in goodies to create certificates with SHA-256 and RSA 2048 algorithms.
  • Added new configuration parameters EAPTLS_ECDH_Curve for TLS based EAP methods and TLS_ECDH_Curve for Stream clients and servers such as RadSec and Diameter. This parameter allows Elliptic Curve ephemeral keying negotiation and its value is the EC ‘short name’ as returned by openssl ecparam -list_curves command. The new parameters require Net-SSLeay 1.56 or later and matching OpenSSL.
  • Tested Radiator with RSA2048/SHA256 and ECDSA(curve secp256r1)/SHA256 certificates on different platforms and with different clients. EAP client support was widely available on both mobile operating systems, such as Android, iOS and WP8, and other operating systems. Updated multiple EAP, RadSec, Diameter and other configuration files in goodies to include examples of the new EAPTLS_ECDH_Curve and TLS_ECDH_Curve configuration parameters.
  • Handler and AuthBy SQL, RADIUS, RADSEC and FREERADIUSSQL now support AcctLogFileFormatHook. This hook is available to customise the Accounting-Request messages logged by AcctLogFileName or AcctFailedLogFileName. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing.
  • The Group configuration parameter now supports setting the supplementary group ids in addition to the effective group id. Group can now be specified as comma separated list of groups where the first group is the desired effective group id. If there are names that can not be resolved, groups are not set. The supplementary groups may help with, for example, AuthBy NTLM accessing the winbindd socket.
  • Added multiple Alcatel, vendor 6527, VSAs to dictionary.
  • Name resolution for Radius Clients and IdenticalClients is now tested during configuration check phase. Suggested by Garry Shtern. Incorrectly specified IPv4 and IPv6 CIDR blocks are now clearly logged. The checks also cover clients loaded by ClientListLDAP and ClientListSQL.
  • Special formatting now supports %{AuthBy:parmname} which is replaced by the parmname parameter from the AuthBy clause that is handling the current packet. Suggested by Alexander Hartmaier.
  • Added VENDOR Tropic Networks 7483, now Alcatel-Lucent, and two Tropic VSAs to dictionary. These VSAs are used by some Alcatel-Lucent products, such as the 1830 Photonic Service Switch. Fixed a typo in RB-IPv6-Option attribute.
  • TLS 1.1 and TLS 1.2 are now allowed for EAP methods when supported by OpenSSL and EAP supplicants. Thanks to Nick Lowe of Lugatech.
  • AuthBy FIDELIOHOTSPOT now supports prepaid services, such as plans with different bandwidth. The purchases are posted to Opera with billing records. Configuration files fidelio-hotspot.cfg and fidelio-hotspot.sql in goodies were updated with an example of Mikrotik captive portal integration.
  • AuthBy RADIUS and AuthBy RADSEC now use less-than and equal when comparing time stamps using MaxFailedGraceTime. Previously strict less-than was used causing an off by one second error when marking next hop Hosts down. Debugged and reported by David Zych.
  • AuthBy SQLTOTP was updated to support HMAC-SHA-256 and HMAC-SHA-512 functions. The HMAC hash algorithm can now be parametrised for each token as well as time step and Unix time origin. An empty password will now launch Access-Challenge to prompt for the OTP. SQL and configuration examples were updated. A new utility generate-totp.pl in goodies/ can be used to create shared secrets. The secrets are created in hex and RFC 4648 Base32 text formats and as QR code images which can be imported by authenticators such as Google Authenticator and FreeOTP Authenticator.
  • Reformatted root.pem, cert-clt.pem and cert-srv.pem in the certificates/ directory. The encrypted private keys in these files are now formatted in the traditional SSLeay format instead of PKCS#8 format. Some older systems, such as RHEL 5 and CentOS 5, do not understand the PKCS#8 format and fail with an error message like ‘TLS could not use_PrivateKey_file ./certificates/cert-srv.pem, 1: 27197: 1 – error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm’ when trying to load the keys. The encrypted private keys in sha1-rsa1024 and sha256-secp256r1 directories remain in the PKCS#8 format. A note about the private key format was added in certificates/README.
  • Added new parameter for all AuthBys: EAP_GTC_PAP_Convert forces all EAP-GTC requests to be converted to conventional Radius PAP requests that are redespatched, perhaps to be proxied to another non-EAP-GTC capable Radius server or for local authentication. The converted requests can be detected and handled with Handler ConvertedFromGTC=1.
  • SessionDatabase SQL queries now support bind variables. The query parameters follow the usual naming convention where, for example, AddQueryParam is used for AddQuery bind variables. The updated queries are: AddQuery, DeleteQuery, ReplaceQuery, UpdateQuery, ClearNasQuery, ClearNasSessionQuery, CountQuery and CountNasSessionsQuery.
  • AddressAllocator SQL now supports a new optional parameter UpdateQuery which will run an SQL statement for each accounting message with Acct-Status-Type of Start or Alive. This query can be used to update the expiry time stamp allowing shorter LeaseReclaimInterval. Added an example of UpdateQuery in addressallocator.cfg in goodies.
  • Fixed badly formatted log message in AuthBy RADIUS. Reported by Patrik Forsberg. Fixed log messages in EAP-PAX and EAP-PSK and updated a number of configuration examples in goodies.
  • Compiled Win32-Lsa Windows PPM packages for Perl 5.18 and 5.20 for both x64 and x86 with 32bit integers. The PPMs were compiled with Strawberry Perl 5.18.4.1 and 5.20.1.1. Included these and the previously compiled Win32-Lsa PPMs in the Radiator distribution.
  • Compiled Authen-Digipass Windows PPM packages with Strawberry Perl 5.18.4.1 and 5.20.1.1 for Perl 5.18 and 5.20 for x86 with 32bit integers. Updated digipass.pl to use Getopt::Long instead of deprecated newgetopt.pl. Repacked Authen-Digipass PPM for Perl 5.16 to include the updated digipass.pl.
  • Diameter Address type attributes with IPv6 values are now decoded to human readable IPv6 address text representation. Previously, decode returned the raw attribute value. Reported by Arthur Konovalov.
  • Improved Diameter EAP handling for both AuthBy DIAMETER and ServerDIAMETER. Both modules now advertise the Diameter-EAP application by default during the initial capabilities exchange. AuthBy DIAMETER now supports the AuthApplicationIds, AcctApplicationIds and SupportedVendorIds configuration parameters.
  • Changed the type of Chargeable-User-Identity in dictionary to binary to make sure any trailing NUL characters are not stripped.
  • More updates to example configuration files. Removed ‘DupInterval 0’ and use Handlers instead of Realms.
  • Fixed an EAP bug which could allow bypassing EAP method restrictions. Copied the EAP expanded type test module to goodies and changed the test module to always respond with access reject.
  • Added backport notes and backports for older Radiator versions to address the EAP bug in OSC security advisory OSC-SEC-2014-01.
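The SQLTOTP change above makes the HMAC hash, time step and Unix time origin per-token parameters and has generate-totp.pl emit secrets as hex and RFC 4648 Base32 plus a QR code. The following is an added example, not Radiator's AuthBy SQLTOTP or goodies/generate-totp.pl code: a self-contained RFC 6238 TOTP implementation with those same knobs, a drift window, secret generation in both text forms and the otpauth: URI that a QR code for Google Authenticator or FreeOTP would carry. The parameter names (algorithm, step, t0, window) are this example's own.

```python
"""RFC 6238 TOTP with a configurable HMAC hash (SHA1/SHA256/SHA512), time step and
Unix time origin, plus Base32 secret handling and the otpauth: URI that authenticator
apps import from a QR code.  Added example, not Radiator's AuthBy SQLTOTP or
goodies/generate-totp.pl; parameter names (algorithm, step, t0, window) are its own."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, algorithm: str = "SHA1", step: int = 30,
         t0: int = 0, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of whole time steps elapsed since the origin t0.
    Server and token must agree on algorithm, step and t0 or the codes never match."""
    return hotp(secret, (now - t0) // step, algorithm, digits)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1, **params) -> bool:
    """Accept the current step and up to `window` steps either side to absorb clock drift.
    The comparison is constant-time and never short-circuits on the first match."""
    if not candidate.isascii():
        return False
    step = params.get("step", 30)
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(secret, now + drift * step, **params), candidate)
    return ok


def new_secret(nbytes: int = 20) -> tuple[str, str]:
    """Fresh random shared secret as hex (for the database) and unpadded RFC 4648 Base32
    (for the user's authenticator).  20 bytes is the RFC 4226 minimum for SHA1; use 32 or
    64 bytes for SHA256 or SHA512 tokens."""
    raw = secrets.token_bytes(nbytes)
    return raw.hex(), base64.b32encode(raw).decode().rstrip("=")


def secret_from_base32(text: str) -> bytes:
    """Decode a user-typed Base32 secret: ignore spaces and case, restore padding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def otpauth_uri(issuer: str, account: str, b32secret: str, algorithm: str = "SHA1",
                step: int = 30, digits: int = 6) -> str:
    """otpauth://totp URI to encode as a QR code.  A non-default algorithm or period must be
    carried here, otherwise the app silently assumes SHA1/30 s and every code fails."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32secret, "issuer": issuer,
                                    "algorithm": algorithm, "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    hex_secret, b32_secret = new_secret(32)
    print(otpauth_uri("Radiator", "alice@example.com", b32_secret, algorithm="SHA256"))
    print("current code:", totp(bytes.fromhex(hex_secret), int(time.time()), algorithm="SHA256"))
```

The RFC 6238 Appendix B vectors (seed "12345678901234567890" for SHA1, the 32- and 64-byte extensions for SHA256 and SHA512, 8 digits) are a convenient check that a token's algorithm and step parameters have been stored correctly: a code computed with the wrong hash is not "slightly off", it is unrelated.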
Revision 4.13 (2014-04-16) Radius proxying, IPv6, TACACS+, Diameter and other enhancements. Bug fixes

Selected compatibility notes and enhancements

  • Unknown attributes can now be proxied instead of being dropped
  • Diameter enhancements may require changes to custom Diameter modules
  • Major IPv6 enhancements include: Attributes with IPv6 values can now be proxied without IPv6 support, Socket6 is no longer an absolute prerequisite. ‘ipv6:’ prefix is now optional and not prepended in attribute values
  • TACACS+ authentication and authorization can now be decoupled
  • Bind variables are now available for AuthLog SQL and Log SQL.
  • Status-Server requests without a correct Message-Authenticator are ignored. Status-Server responses are now configurable.
  • LDAP attributes can now be fetched with base scope after subtree scoped search. Useful for example, tokenGroups AD attributes which are not otherwise available
  • Newly added check for CVE-2014-0160, the OpenSSL Heartbleed vulnerability may log false positives
  • New AuthBy for authenticating against YubiKey validation server added
  • See Radiator SIM pack revision history for supported SIM pack versions

Detailed changes

  • Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address, DNS-Server-IPv6-Address, Route-IPv6-Information, Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These attributes override a number of attributes that were previously commandeered by Ascend and Merit. The Ascend ones are still available in ascend.dictionary. The Merit attributes were added under the existing Merit VSA entry and the non-VSA Merit attributes were removed from the main dictionary. The non-VSA Merit attributes will continue to be available in a new file goodies/dictionary.merit
  • AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS, MULTICAST and proxy algorithm AuthBys, now support special characters in AuthPort and AcctPort. Suggested by David Zych.
  • Added in dictionary: Huawei-Loopback-Address, vendor 6139 (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou Research and Development Center) and vendor 27262 DANTE Ltd.
  • Unknown attributes can now be proxied when the new global configuration flag ProxyUnknownAttributes is set to true. Unknown attributes are now always available with special names such as Unknown-9048-120, where 9048 is the vendor id and 120 is the vendor attribute number. Unknown attributes are now logged with level WARNING instead of ERR. A warning is logged for each attribute once per sender IP address. Attribute names starting with Unknown are reserved in dictionary and ignored when the dictionary is loaded.
  • Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and RFC 6930.
  • Added support for dictionary type ipv4prefix required by RFC 6572. An example of ipv4prefix format is ‘192.168.1.0/24’. Added attributes from RFC 6572 in dictionary.
  • Fixed a regression from 4.12 that caused ServerDIAMETER to always create new peer instances for new connections. Its main visible effect was WatchdogState DOWN log litter.
  • AuthBy DIAMETER and other DiameterClient derived classes, such as Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support new option SCTPPeer. This option allows defining multiple SCTP peers for the initial SCTP association attempt.
  • Added vendor Arista in dictionary. Updated Netscreen values. Contributed by Garry Shtern.
  • Fixed AuthBy NTLM so it will not leave zombie processes around during reconfigure. Reported by Garry Shtern.
  • AuthBy RATELIMIT now supports optional parameter MaxRateResult, which allows specifying the result when MaxRate is exceeded. MaxRateResult defaults to IGNORE.
  • Significant IPv6 changes. Socket6.pm is no longer required if the core Socket module provides the required IPv6 support. Attributes with IPv6 address or prefix type are now handled as binary if there is no Socket or Socket6 for IPv6 support. This fixes the problem with proxying when Socket6 was not installed. Prefix ‘ipv6:’ for IPv6 addresses is no longer required but will be accepted. Decoded values for IPv6 address type attributes will no longer have ‘ipv6:’ prefix. Startup log messages now contain information about the IPv6 support.
  • Updated 3GPP (vendor 10415) attributes in dictionary. 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier were added. 3GPP-Charging-Gateway-Address, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address are now the main attribute names while 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases. 3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias. Attribute types were corrected to use e.g., ipaddrv6, integer8 and integer16 for correct encoding and decoding. Added values for enumerated integer types.
  • Reverted the previous attribute canonical name changes for vendor 3GPP. 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the names Radiator will use for decoding the attributes. The new names will be recognised as aliases. Also, 3GPP-PDP-Context name for value 0 is IP and IPv4 can be used as an alias.
  • EAP_25.pm now makes inner identity available via outer context improving logging options.
  • Updated Application IDs. Updated vendor 3GPP (10415) RADIUS compatible attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type values, fixed 3GPP-*-Address encoding to use OctetString instead of Address type, 3GPP-RAT-Type and other 8 bit enumerated values are encoded correctly. 3GPP attribute Location-Estimate type is now OctetString.
  • Improvements to the sample wimax.sql database schema to support long capabilities values.
  • Added VENDOR Radware 89 and VSA Radware-Role to dictionary.
  • Logging level for rejected authentication attempts can now be configured globally and for each Handler or Realm. The level is set with the new parameter LogRejectLevel. This optional parameter uses the same values as the Trace option, and can be set globally or per Handler or Realm.
  • Further logging enhancements. PacketTrace can now be configured to skip selected Log clauses. New flag parameter IgnorePacketTrace can be set in Log clauses which should not participate in PacketTrace logging. Thanks to David Zych for ideas and assistance with the latest logging improvements.
  • Trailing NULs are now stripped from TACACS+ authorization arguments. Reported by Tim Cheyne.
  • Fixed a bug in Diameter Address format encoding with IPv6 addresses. DiaClient now correctly formats IPv6 address in Host-IP-Address for TCP connections.
  • TacacsClient module now supports connecting to TACACS+ servers over IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+ servers. Requires IO::Socket::INET6.
  • Account expiry dates starting with ‘Mmm dd’ for Expiration, ValidTo and ValidFrom check items now correctly check for valid month names. Reported by Kennyen Choo.
  • Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to dictionary.
  • Worked around the duplicate name for 3GPP Diameter Gx interface. Fixed typos in Diameter application names.
  • ClientListSQL was calling parent’s initialize twice. Clarified AuthSQLHOTP and AuthSQLTOTP parent initialize calls.
  • Improvements to logging. Added support in Log.pm and LogGeneric.pm for dynamically setting the Trace level. An example of using User-Name from the current request is in goodies/hooks.txt.
  • Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm handling. Worked around the duplicate name for 3GPP Diameter Rx interface.
  • When special %s is used, the microseconds are now left padded with zeroes. Suggested by David Zych.
  • PEAP and EAP-TTLS now make maximum fragment size available for inner authentication protocols. EAP-TLS was improved to use this information. This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with environments with variable Framed-MTU sizes.
  • When reading parameter settings from a file with file:”filename”, any trailing newlines are now removed from the end of file to make sure the value is correctly parsed. Reported by David Zych.
  • Added goodies/address-allocator-sql.txt for further AddressAllocator SQL examples. Initial examples include MySQL and PostgreSQL queries for environments with multiple Radiator instances allocating from the same database.
  • RDict.pm now supports new method vendorByNum which returns vendor data from a given vendor number. Enhanced Starent VSA decoding to make sure invalid lengths do not cause a crash. Added support and attributes for Starent VSAs which use 1 byte for type and 1 byte for length. The Starent VSAs in Radiator default dictionary use 2 bytes for type and length. Loading goodies/dictionary.starent-vsa1 after the default dictionary will cause Starent VSAs to use 1 byte type and length. The Starent VSAs in the default dictionary will not work with dictionary.starent-vsa1 and should not be used.
  • Significant changes in Diameter dictionary handling: The dictionaries can now be separate modules and a specific dictionary is defined for the application. Diameter Credit Control attributes were moved to module DiaDict_4.pm while Diameter base, NASREQ, Mobile IPv4, base accounting, EAP, SIP and relay applications still use the default dictionary DiaDict.pm. Any new dictionaries will be created as separate modules. Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer, ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil and DiaDict_4.
  • Added support for salted and non-salted SHA-2 hashed passwords. Supported formats are {SHA256} {SSHA256} {SHA384} {SSHA384} {SHA512} and {SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2 hashing. Suggested by Alexander Hartmaier.
  • AddressAllocator DHCP can now use Class attribute for allocation state when configured with UseClassForAllocationInfo. This enables allocation and deallocation to work between server farm members. Configuration notes in goodies/addressallocatordhcp.cfg. Clarified some of the AddressAllocator DHCP options in addressallocatordhcp.cfg
  • Functions pack_sockaddr_pton and gethostbyname in Util.pm and UtilSocket6.pm misinterpreted some hostnames as IPv6 addresses. Reported by Emanuel José Freitas.
  • Updated Huawei VSAs in dictionary. Contributed by Alexander Hartmaier.
  • AddressAllocator identifier in AuthBy DYNADDRESS now supports special formatting characters.
  • Change in DiaPeer watchdog to recover better from unresponsive but still open TCP connections.
  • Diameter dictionaries now support attribute flags. Added add_attr_d, get_attr_d and get_attrs_d in AttrList.pm for adding and accessing Diameter attributes with their names. Any flags, such as M flag, are automatically added based on dictionary. DiaAttrList and RadiusDiameterGateway now correctly set dictionary when using DiaAttrlist->new(). DiaDict is more verbose about possible problems with parsing dictionary files.
  • Marked GroupCacheFile option in ServerTACACSPLUS as deprecated and removed code related to it.
  • ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted TACACS+ authentication and accounting requests in a more consistent manner. Use of deprecated CommanAuth option gives a warning during startup. Minor cleanups to remove warnings when -w is used. Fixed mapping of missing GroupMemberAttribute value to ‘DEFAULT’ broken in the previous patch. Updated tacacsplusserver.cfg in goodies.
  • ServerTACACSPLUS can now create a RADIUS Access-Request when TACACS+ authorization request is received but no authorization info is known for the user. This can happen for example, when Radiator is restarted or the TACACS+ client uses some other protocol for authentication. These RADIUS Access-Requests carry Service-Type attribute with value Authorize-Only. Authorization based requests are enabled with AllowAuthorizeOnly flag which defaults to off. Updated tacacsplusserver.cfg and added OSC-TACACS-Authen-Method in dictionary.
  • AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2 authentication attempts instead of letting password check fail each time.
  • Added support for PBKDF2 derived User-Password check items. Uses HMAC-SHA1 as the Pseudo Random Function (PRF). Requires Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be used to create derived password in the form Radiator honours.
  • AuthLog SQL now supports SuccessQueryParam and FailureQueryParam parameters, which allow SQL bind variables to be used.
  • AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate verification. New parameter ChallengePrefix allows setting the common prompt for PIN change and other challenge questions. Suggested by Garry Shtern.
  • Log SQL now supports LogQueryParam parameters, which allow SQL bind variables to be used.
  • Changes so that the plaintext password is not logged at debug level during EAP-TTLS/PAP authentication.
  • Added support for SSLVerify, SSLCAPath, SSLVerifyCNName, SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later or otherwise they are ignored. SSL client certificate options are now set using LWP if LWP version 6.0 or later is detected. These changes allow RSA AM server HTTPS certificate verification without environment variables.
  • tacacsplustest in goodies now supports -bind_address command line argument. TacacsClient module can now pass local address to the socket constructor.
  • Added eduroam-Monitoring-Inflate VSA to dictionary.
  • Added StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.
  • Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet dumps only when the log level is DEBUG or more verbose. IPv6 capability is now logged on DEBUG level if IPv6 functionality is provided by the Perl core or Socket6. INFO level message is logged only when there is no full IPv6 functionality.
  • Added new module AuthBy YUBIKEYVALIDATIONSERVER with example configuration yubikey-validationserver.cfg. Authenticates against a Yubikey Validation server. This allows a YubiHSM Hardware Security Module (HSM) to be used by one or more Radiator servers at the same time. The YubiHSM can be installed on the same server where Radiator runs, or on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move common code to AuthYUBIKEYBASE.pm, allowing AuthBy YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey specific support modules such as Auth::Yubikey_Decrypter.
  • Added in dictionary: Attributes from RFC 7055. These started as UKERNA, vendor 25622, VSAs.
  • Removed unneeded code from EAP_25.pm and TLS.pm.
  • Added new global and Client specific configuration parameter StatusServer. This parameter sets the Status-Server response verbosity. The supported values are off, minimal and default. The global default can be overridden by each Client clause. Status-Server requests without correct Message-Authenticator attribute are now ignored.
  • Added new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can now be configured to do a two step search to first locate the user’s DN and then follow with a second search where the search base set to the DN and scope to ‘base’. This is required for example, to get access to Windows AD constructed attributes, such as tokenGroups, which are only returned when the search scope is set to base. Updated ldap.cfg in goodies.
  • Removed old and unneeded FirstSendTime, LastSendTime and Attempts from Radius.pm.
  • EAP-TTLS now correctly exports the inner identity with $rp->{inner_identity} when the inner authentication is EAP.
  • Added OSC-SIM-* attributes for exporting SIM/USIM authentication information. Added attributes for the upcoming RFC “RADIUS Attributes for IEEE 802”.
  • AuthBy SIP2 now honours Timeout option when connecting to SIP2 servers. The timeout defaults to 3 seconds.
  • Added new parameter FailureBackoffTime to Resolver. If the lookup failed to discover any results and there was a timeout while waiting for the nameserver, this optional value specifies how long Radiator will wait before another lookup is made. Previous behaviour was to try again after NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old behaviour reported by Paul Dekkers.
  • ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in CER. This is required by the current Diameter base RFC 6733. Value 0 is no longer announced with Acct-Application-Id in CER. Updated diameter-server.cfg.
  • Added new global parameter KeepSocketsOnReload. Note: this is currently considered experimental. This optional flag controls whether opened RADIUS listen sockets should be left intact on a reload request. When enabled, the changes in BindAddress, AuthPort and AcctPort are ignored during reload. You may consider enabling this option when incoming RADIUS requests should be buffered during the reload instead of ICMP unreachable messages being sent back to the RADIUS clients. Contributed by Garry Shtern.
  • Attributes added to the reply by EAP-FAST inner authentication will now be copied to the outer Access-Accept too. This is similar to how PEAP and EAP-TTLS already function. Suggested by Jakob Schlyter.
  • Added the first version of RuntimeChecks module with two checks. The first uses Net::SSLeay to try to detect OpenSSL versions which may have the Heartbleed (CVE-2014-0160) vulnerability. The second test checks for the availability of Digest::MD4 which is often required because of MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be disabled with the new configuration parameter DisabledRuntimeChecks. Future checks are added as needed. The module is also available for Hooks to implement site local checks.
  • Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access were incorrectly entered in the dictionary. Reported by Jason Griffith.
  • Ldap.pm could crash while logging with old Net::LDAP versions. Reported by Mauricio Montoya Bustamante.
Revision 4.12.1 (2013-09-17) One bug fix. One enhancement.
  • Fixed a bug that prevented AuthBy SQL from loading when it was defined outside of Realm or Handler.
  • Unknown Diameter attribute types are now logged with a warning when Diameter dictionaries are loaded. Diameter encoder and decoder now use Integer32 and Integer64 for signed 32 bit and 64 bit types instead of Signed32 and Signed64.
Revision 4.12 (2013-09-06) New modules, some significant new features. Bug fixes.
  • Improvements to EAP-MD5 handling: in the event of an authentication failure, the reason messages are more descriptive of the reason why.
  • Updated Mikrotik VSAs in dictionary.
  • Added a number of VSAs for Alcatel-ESAM to dictionary.
  • Fixed a potential crash if there were many unfinished EAP-GTC authentication conversations through AuthBy ACE. Reported by Richard Fairhall.
  • Added support for a number of new check items for AuthBy SQL: Max-All-Session, Max-Hourly-Session, Max-Daily-Session, Max-Monthly-Session, Max-All-Octets, Max-All-Gigawords, Max-Hourly-Octets, Max-Hourly-Gigawords, Max-Daily-Octets, Max-Daily-Gigawords, Max-Monthly-Octets, Max-Monthly-Gigawords. AuthBy SQL supports the following corresponding configurable queries: AcctTotalQuery, AcctTotalSinceQuery, AcctTotalOctetsQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsQuery and AcctTotalGigawordsSinceQuery. With the kind assistance of Richard Fairhall.
  • Updated AuthLog SYSLOG so that it honours the same %0 and %1 in SuccessFormat and FailureFormat as other loggers.
  • Changed all instances of the poorly defined ‘octets’ type attributes in dictionary to ‘binary’.
  • Added F5 BigIP VSAs to dictionary, per http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html, as sent by Alexander Hartmaier.
  • Added further Trapeze VSAs for MSS 8.0 and later to dictionary, as sent by Vandenbroucke Luc.
  • Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that failedRequests and start_failure_grace_time are updated even if there is no $op->{rp}.
  • Performance improvements for TTLS and PEAP: when used with OpenSSL 1.0.1 or later and Net::SSLeay 1.52 with the latest patches, or later, the native OpenSSL tls1_PRF function is used.
  • Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the event of an Access-Reject from a proxied request, AuthLog* can log the actual Reply-Message from the reply instead of ‘Proxied’. Requested by David Zych.
  • Improvements to AuthBy RADIUS and AuthBy RADSEC to detect obvious routing loops and to ignore attempts to proxy a packet to the same BindAddress/port a packet was received on.
  • Fixed a problem in SessionDatabase SQL that could cause a crash if UpdateQuery is defined and an Accounting Alive packet was received. Reported by Chris Millington.
  • Improvements to AuthBy SQL AuthColumnDef. Can now have a trailing “, formatted” keyword in an AuthColumnDef. This will cause the value retrieved from the database in that column to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now:
      AuthColumnDef n, attributename, type[, formatted]

    For example:

      AuthColumnDef 1, Filter-Id, reply, formatted
  • Improvements to AuthBy LDAP2 AuthAttrDef. Can now have a trailing “, formatted” keyword in an AuthAttrDef. This will cause the value(s) retrieved from LDAP to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now:
      AuthAttrDef ldapattributename, radiusattributename, type[, formatted]

    For example:

      AuthAttrDef filter, Filter-Id, reply, formatted
  • All configuration parameters of type ‘flag’ can now use special characters. This is especially useful to be able to control flags with GlobalVar’s.
  • Added example hook to hooks.txt: showing a way to call PostAuthHook with additional fixed arguments set at startup time.
  • Fixed some typos in DiaClient that incorrectly mentioned RadSec.
  • AuthBy RADIUS and AuthBy RADSEC now remove the unnecessary Timestamp attribute (meant for internal use only) from proxied requests.
  • Improvements to Handler: the reply packet is not set if there is already one present. Useful when AuthBy HANDLER or a hook redespatches a request to another Handler: reply items added by earlier Handlers and AuthBys will not be lost.
  • Added Ericsson redback VSAs 207-213 to dictionary. Also added some alternate values for RB-Framed-IPv6-Prefix, RB-Framed-IPv6-Route, RB-Framed-IPv6-Pool, as used by SmartEdge.
  • Added A-10 Networks VSAs to dictionary.
  • Improvements to SYSLOG loggers to be more compatible with later versions of Sys::Syslog.
  • Fixed a problem with using AuthBy Fidelio and Serial ports that caused a failure to start Radiator. Also changed the default serial port flow control for Fidelio modules to ‘rts’, since ‘xoff’ could cause lost characters and bad checksums. Testing with USB-Serial port adapters.
  • Updated goodies/digipass-install.txt to include guidance about how to order Digipass tokens, including the need to order the ‘Digipass User Data Subscription Fee’ (DUD) option.
  • All tar files are now built with TAR_OPTIONS=--format=gnu to ensure compatibility with other tars, notably the one on Solaris.
  • Testing on Solaris 11. OK with builtin perl 5.12.
  • Added Huawei-3Com (H3C) VSAs to dictionary.
  • Improvements to AuthBy KRB5 and Ldap.pm: Credential Cache now uses memory cache instead of file. Added a new option KrbServerRealm to allow server and user to exist in different realms. Hostname is now used for service tickets instead of IP address. Reverse DNS lookup is now done for the host before requesting a service ticket. Patches by Garry Shtern.
  • Added new dictionary file for Cisco/Altiga attributes compiled by Alexander Hartmaier.
  • Fixed a problem that prevented HostSelect from implementing host counter if HostSelectParmam was defined.
  • Added support for SNMP V2c with new configuration parameter SNMPVersion in SNMPAgent. Fixed a problem where some SNMP decode errors were not correctly detected.
  • Configuration file check no longer activates clauses which could cause spurious error messages. Requested by Garry Shtern.
  • Added Palo Alto Networks VSAs to dictionary. Contributed by Garry Shtern.
  • More improvements to LDAP logging. The hostname and port are now logged after a successful connection. This helps determining to which host the connection was made when the Host parameter is configured with multiple host names. Removed redundant GSSAPI related code. Contributed by Garry Shtern.
  • Fixed a problem with EAP-TTLS where EAPAnonymous %0 did not fetch the inner EAP identity. Reported by Neil M. Johnson.
  • Added a number of Aruba VSAs to dictionary with the kind assistance of Michael Hulko.
  • Fixed UseStatusServerForFailureDetect in AuthRADIUS.pm to work correctly when there are multiple Hosts configured. This also affects AuthRADIUS subclasses and small changes were needed for AuthLOADBALANCE, AuthMULTICAST, AuthROUNDROBIN and AuthVOLUMEBALANCE. AuthHASHBALANCE and AuthEAPBALANCE required no changes. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to Status-Server request will bring back a failed Host. Other changes include: AuthRADIUS subclasses will now log an INFO level message when the Host starts responding. BogoMips only affects AuthLOADBALANCE and AuthVOLUMEBALANCE as documented. Setting BogoMips to 0 for a Host will no longer disable it for the other subclasses. KeepaliveTimeout can be specified for the AuthBy or individual Host in the AuthBy. The default value for BogoMips in an AuthBy is now correctly passed to the Hosts in the AuthBy. Thanks to Paul Dekkers for reporting the problem and debugging help.
  • Reverted earlier Status-Server polling related change in AuthRADSEC.pm that caused memory leak when requests were not replied to. Reported and narrowed down by Paul Dekkers.
  • EAP-PWD now honours UsernameMatchesWithoutRealm. Also, if the user is not found, the log message now has EAP-PWD instead of EAP MSCHAP-V2.
  • Fixed UseStatusServerForFailureDetect in AuthRADSEC.pm to work correctly when there are multiple Hosts configured. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to a Status-Server request will bring back a failed Host. This change is similar to the recent AuthRADIUS.pm change.
  • Added new option -message_authenticator to radpwtst for adding correctly calculated Message-Authenticator in the outgoing requests. Currently supported types are Access-Request, Status-Server, Disconnect-Request and Change-Filter-Request aka COA-Request.
  • PEAP EAP context is now cleared immediately when reading encrypted TLS data fails.
  • AuthBy RADSEC did not correctly reinitialize when signalled with SIGHUP, leaking TCP connections, memory and TLS references. Fixed a similar memory leak in AuthBy RADIUS. TCP connection leak reported by Karl Gaissmaier.
  • Logging enhancements: replies received by AuthBy RADIUS, AuthBy RADSEC, Client, ServerRADSEC and SimpleClient.pm are now dumped using the loggers configured for the respective clauses and module. PacketTrace now affects the replies received by the clauses. Function decode_attrs no longer dumps the received request. Some messages are now logged by the clauses first instead of just the main logger.
  • Added Blue Coat VSAs to dictionary. Contributed by Garry Shtern.
  • LDAP GSSAPI name resolution enhancements. Based on patch by Garry Shtern.
  • Tested with RSA Authentication Manager 8.0. Updated OnDemand mode prompt handling. No other changes required. Added new parameter ChallengeHasPrompt to AuthBy RSAAM to enable sending RADIUS Prompt attribute with Access-Challenge messages based on the RSA AM responses.
  • Status-Server messages sent by AuthBy RADSEC and AuthBy RADIUS no longer carry Proxy-State attribute. Improved logging in AuthBy RADSEC when Proxy-State in reply is missing or mangled.
  • Added Lancom and CheckPoint GAiA VSAs and updated 3Com and H3C VSAs in dictionary with the kind assistance of Philip Herbert.
  • Added new methods for inserting attributes in AttrList. Useful e.g., for Diameter AVP ordering. Added Origin-AAA-Protocol into DiaAttrList, updated DiaDict to always use DiameterIdentity, DiameterURI, IPFilterRule and QoSFilterRule as data type name instead of short-forms. Fixed a number of spelling mistakes.
  • Added support for authentication with Duo Security (https://www.duosecurity.com/). AuthBy DUO supports two-factor authentication provided by the Duo Security auth API. A sample configuration file and a partial API simulator are included.
  • Registering an object by its Identifier in Configurable.pm is now done just before object loading finishes, not during object activation. This fixes the recently introduced problem where configuration check gave incorrect results when Identifiers were used for references. Reported by Karl Gaissmaier.
  • Added iPass VSAs to dictionary.
  • DiaPeer and DiaClient now support adding Vendor-Specific-Application-Id attributes in Diameter CER message.
  • Configurable now calls check_config for each module just before it is activated. Configuration checks done by modules within activate were moved to check_config so that they will be run also when radiusd is invoked with -c flag to check the config.
  • Updated sample certificates to expire Aug 14 11:37:20 2015 GMT. Updated goodies/mkcertificate.sh to check for CA.pl availability.
  • Added precompiled Authen-Digipass ppm package for Perl 5.16 on Windows.
  • Added precompiled Authen-ACE4 ppm packages for Perl 5.16 on Windows. Recompiled Authen-ACE4 ppm packages for Perl 5.14.
  • Added new global parameter BindV6Only. This optional parameter allows turning on or off IPV6_V6ONLY socket option for IPv6 wildcard listen sockets. Defaults to undefined and hence no setsockopt is done. See RFC 3493 for more about IPV6_V6ONLY.
  • Client clauses now support CIDR notation for IPv6 clients. For example: ipv6:2001:db8:1:2::/126 and ipv6:::ffff:192.168.1.0/120. It is recommended, but not required, to install Math::BigInt::GMP or Math::BigInt::Pari for faster matching. The default is to use the slower pure Perl implementation.
  • Updates in many goodies example and other files.
  • Added preliminary support for AuthBy DIAMETER. AuthBy DIAMETER converts RADIUS messages to Diameter messages and sends them to a Diameter server. Currently targets RFCs 4005 and 6733.
  • AuthBy DUO did not indicate that the request was handled asynchronously, causing problems with certain modules such as ServerTACACSPLUS. Reported by David LaPorte.
  • Enhanced radpwtst help output and options file support. The file format is now documented in the reference manual. The -time option now works even when -notrace option is given.
  • Unnecessary DNS lookups were done when MAC: or CIDR Clients were defined, causing possible slowness during startup or ClientList refresh.
  • Testing with Strawberry Perl on Windows. Updated installation documentation and reference manual to include Strawberry Perl on Windows.
Revision 4.11 (2012-12-14) Some significant new features. Bug fixes.
  • A typo prevented MS-CHAP-Challenge being correctly added when EAP_LEAP_MSCHAP_Convert is enabled.
  • Changes to continued line parsing in 4.10 broke the ability to spread the first line of a clause over multiple lines with the backslash line continuation operator. Fixed.
  • AuthBy ACE now supports EnableFastPINChange with EAP-GTC, contributed by Richard Fairhall.
  • Fixed a problem that prevented correct operation of ServerDIAMETER listening when FarmSize was in use: some children could block waiting for an accept. Listen socket is now non-blocking. Reported by Rani Assaf.
  • Fixed a problem that prevented AuthBy RADSEC correctly detecting downstream server failure under some circumstances with UseStatusServerForFailureDetect. Reported by Paul Dekkers.
  • Added support for authentication via 3M Standard Interchange Protocol 2 as used in 3M's Automated Circulation Systems (ACS) for book libraries. AuthBy SIP2 supports TCP-IP connection to 3M ACS systems, and authenticates against library patron name and password.
  • SNMPAgent now supports some more items from MIB2: sysDescr (which returns the Radiator name and version) and sysObjectID (which returns the Radiator OID 1.3.6.1.4.1.9048.1.1). Also added sample goodies/snmp.cfg with some documentation about how to configure and test SNMPAgent.
  • radiusd has a new function main::addChildInitFn() which can be used by modules to register a function that is to be called in each child after it is forked by FarmSize. This can be used by module authors to defer or redo some initialisation in the child.
  • Improvements to error detection in Stream handle_socket_read to detect the possibility of EWOULDBLOCK/EAGAIN, reported by Rani Assaf.
  • Added HP-VC-Groups to dictionary.
  • Further improvements to multiline config file parsing, suggested by Michael.
  • Updated comments in HOTP and TOTP examples to clarify the contents of the ‘secret’ field. Also fixed a problem in AuthBy SQLTOTP, which could cause an SQL error if the first ever log-in attempt involves typing an incorrect PIN. Reported by Roy Badami.
  • Improvements to PEAP support for Windows failing to work when PEAP fast reconnect was enabled. EAP Extension TLV/Success is now exchanged over TLS tunnel between the server and client before sending final Access-Accept.
  • Added more Unisphere and Juniper VSAs based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
  • Fixed a typo in dictionary for WiMAX-QoS-Descriptor value Transmission-Policy.
  • Fixed a problem that could prevent the correct OutPort being used as the source port for AuthBy RADIUS forwarding.
  • Nas finger now uses the standard perl Net::Finger module instead of the internal Finger client in Radius::Finger. The internal Finger client Radius::Finger is now not shipped with Radiator. If you wish to use finger to check online users, you must install the Perl Net::Finger module.
  • Added OSC VSA for pseudo-attribute PoolHint to dictionary.
  • Updated all Nas/*.pm modules to use numeric OIDs instead of symbolic ones, since some recent versions of snmp tools install without MIBs.
  • Added DEBUG logging of DHCP replies received by AddressAllocator DHCP.
  • Fixed a problem that could cause a crash if AuthBy EAPBALANCE was used with the KeepaliveTimeout option.
  • Fixed a problem that caused UseStatusServerForFailureDetect to not work correctly when defined at the AuthBy RADIUS level instead of the Host level.
  • Added new parameter ClientHardwareAddress to AddressAllocator DHCP. ClientHardwareAddress is the name of an attribute in the incoming request which contains the hex encoded MAC address of the client. If present, it will be used as CHADDR in the DHCP request. If not present, a fake CHADDR based on the request XID will be used. The DHCP server may use this when allocating an address for the client. The MAC address can contain extraneous characters such as . or : as long as it contains the 12 hex characters (case insensitive) of the MAC address. Special characters are supported.
  • Added NetworkPhysics-Attribute to dictionary with the kind assistance of “Caporossi, Steve G.”
  • Added Procera-Local-User-Name to dictionary with the kind assistance of Lucas Hazel.
  • Improvements to consistency of proxiedRequests and proxiedNoReply statistics counters when the request is proxied by multiple AuthBy RADIUS or AuthBy RADSEC clauses.
  • AuthBy RADMIN now supports PostAuthSelectHook.
  • Enhancements to support Diameter client and server required for new Diameter Wx support in Radius-EAP-SIM.
  • Fixed a problem that caused incorrect RecvTime in tunnelled PEAP requests.
  • Implemented checkproc for SuSE in linux-radiator.init. Contributed by “Aeneas Jaißle (sewikom GmbH)”
  • Added support for PostDiaToRadiusConversionHook and PostRadiusToDiaConversionHook to Server DIAMETER.
  • Refactoring of md5 and mschapv2 challenge code prior to integrating Heimdal digest support.
  • Added new module AuthBy HEIMDALDIGEST with example configuration and test setup instructions. Authenticates from Heimdal Kerberos (http://www.h5l.org/). Supports RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2). With the kind assistance of Fredrik Pettai. Originally written by Klas Lindfors. Contributed by Stefan Wold of Stockholm University.
  • Fixed a problem where file:”filename” syntax in configuration file could cause strange error messages in hooks if the filename was not found.
  • Fixed a problem where PidFile could be incorrectly deleted if any child was killed in a farm. Now it is only deleted if the farm parent is shut down.
  • Fixed a problem in server farms where if a child process was STOPped or hung, the graceful shutdown process could also hang, resulting in possible failure to restart all children correctly.
  • Improvement to Linux startup script to better handle the case where Radiator fails to exit cleanly after stop command.
  • Improvements to SNMP.pm snmpget, so that failures due to Unknown Object Identifier are detected. Suggested by Michael.
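As an added illustration (not Radiator's own code) of the ClientHardwareAddress handling described in the 4.11 AddressAllocator DHCP entry above, the following Python normalises the attribute value into a 6-byte CHADDR, tolerating . : - separators, and places it in an RFC 2131 DHCPDISCOVER; the fallback CHADDR derived from the XID is an assumption of this example, since the page does not describe how Radiator derives it.

```python
import re
import struct

# RFC 2131 fixed-header constants used below.
BOOTREQUEST = 1
HTYPE_ETHERNET = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1


def mac_to_chaddr(value):
    """Normalise a MAC address string into 6 bytes, or return None.

    Separators such as ':', '-' or '.' (0011.2233.4455 style) are ignored;
    the string must carry exactly 12 hex digits, in either case.
    """
    if value is None:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        return None
    return bytes.fromhex(digits)


def fake_chaddr(xid):
    """Placeholder hardware address derived from the transaction id.

    Assumption for this example only: the 4-byte XID padded with two zero
    bytes. Radiator's own derivation is not described on the page.
    """
    return struct.pack("!I", xid & 0xFFFFFFFF) + b"\x00\x00"


def build_dhcpdiscover(xid, mac_attr=None):
    """Build a minimal DHCPDISCOVER whose CHADDR comes from mac_attr when
    that is a usable MAC address, and from the XID otherwise."""
    chaddr = mac_to_chaddr(mac_attr) or fake_chaddr(xid)
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, HTYPE_ETHERNET, 6, 0,        # op, htype, hlen, hops
        xid, 0, 0x8000,                          # xid, secs, flags (broadcast)
        bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\x00"),               # chaddr is a 16-octet field
        bytes(64), bytes(128),                   # sname, file
    )
    options = bytes([53, 1, DHCPDISCOVER, 255])  # DHCP message type, End
    return header + MAGIC_COOKIE + options


def chaddr_of(packet):
    """Return the hlen-byte client hardware address from a DHCP packet."""
    hlen = packet[2]
    return packet[28:28 + hlen]
```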
Revision 4.10 (2012-06-28) Some significant new features. Bug fixes.
  • Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in eg Eduroam and other environments. Requires that the Radiator user database has access to the correct plaintext password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is included.
  • Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
  • Added Tropos and Fortinet VSAs to dictionary.
  • Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into multiple attributes.
  • Removed use of ‘use timelocal’ from radiusd and radpwtst, code now uses Time::Local instead.
  • Removed use of ‘use newgotopt’, all code now uses Getopt::Long instead.
  • Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter specifies whether the password needs to be url-encoded or not. Options are “Clear”, “Encode”. Contributed by Matthew Van Kuyk.
  • Added Nokia Siemens Networks (NSN) VSAs to dictionary.
  • Added support to radpwtst for new command line argument -alive to send Accounting-Alive requests. Alive is not sent by default if accounting is enabled.
  • Fixed an error in the RPM build control file Radiator.spec, which would cause /usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
  • Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple differing module logging configurations do not confuse Sys::Syslog.
  • Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
  • Improvements to AuthBy WIMAX, which now uses the latest WiMAX TLV attribute definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX now uses the latest WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and honours the -capability command line argument where you can specify an alternate WiMAX-Capability.
  • Removed use of ‘use newgotopt’ from builddbm, buildsql, tacacsplustest, diapwtst, restartwrappert. Code now uses Getopt::Long instead.
  • Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL 0.9.8m and later, this optional parameter enables legacy insecure renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.
  • Updated ACME VSA’s in dictionary to add many missing VSAs and to adopt attribute naming consistent with other RADIUS servers.
  • Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
  • Added support for EAP expanded types per RFC 3748. EAPType parameter can now be specified as a EAP type number, EAP extended vendornumber:typenumber or as a traditional well-known EAP type name eg: EAPType TTLS, MSCHAP-V2, 16776957:4244372217 where 16776957 is the expanded vendor number and 4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9, the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included module and config to support testing against wpa_supplicant VENDOR-TEST expanded type.
  • Fixed a possible problem in Stream connections where connection failures may not be detected correctly.
  • Improvements to EAP-MSCHAPV2 handling in the case where the underlying database has a database access problem, causing an IGNORE.
  • Testing with RSA Authentication Manager 7.1 SP4. No changes required.
  • Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2 Assertions for an (already authenticated) user from an Identity Provider (IdP) and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is beta code and not yet widely tested. Feedback requested. Currently only sends ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing of requests and verifying of responses is not yet proven to work correctly.
  • EAP-MSCHAPV2 now honours AuthenticateAttribute.
  • New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32 and 64 bit.
  • Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if Radiator gets an error or a timeout from a database connection it will try to reconnect to the database, starting with the first DBSource, and trying them all in order until a successful reconnection. This flag forces the search to start at the database following the current DBSource (if there is one). This can help with some types of overloaded database that can be connected to but then time out when a query is sent.
  • Context is stored in $p->{EAPContext} for all EAP requests.
  • Fixed a problem where HUPping an evaluation version would result in messages like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
  • Added support for new parameter RequireMessageAuthenticator in Client clauses. Normally, Client clause checks the value of any Message-Authenticator attribute (if present) in incoming requests (EAP or otherwise), and an incorrect authenticator causes the request to be IGNOREd. The optional RequireMessageAuthenticator flag causes this Client to require a (correct) Message-Authenticator attribute to be present in all incoming requests.
  • ServerHTTP now registers itself with Configurable.
  • Additional information in error logs from various TLS operations. Patch from “Bjoern A. Zeeb”. Thanks Bjoern.
  • ClientList LDAP now supports file in PreHandlerHook and ClientHook.
  • Fixed a problem with SessionDatabase SQL which could cause a crash if the query contains %{Quote:…}. Patched by Eddie Stassen. Thanks.
  • Added VENDOR Ericsson 193 VSAs to dictionary.
  • Log FILE now supports %0 (priority) and %1 (log message) as special characters in Filename parameter. AuthLog FILE now permits use of the ‘|’ vertical bar leading character in Filename to permit piping to an external program.
  • AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed flag parameter. If this is set then Net::LDAP will try all addresses for a multihomed LDAP host until one is successful. Default is true (set).
  • Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compatibility with some Oracle clients in the group checks. Reported by Emanuel Freitas.
  • Added VENDOR Adva 2544 VSAs to dictionary.
  • Added VENDOR Siemens 4329 VSAs to dictionary.
  • Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the standard Diameter dictionary.
  • Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes that are converted to Diameter Grouped attributes being parsed correctly.
  • For all TLS related operations, improved error logging if SSLeay::new fails.
  • Added StripFromReply and AllowInReply to the parameters permitted in AuthBy DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
  • Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary
  • Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh Irvine.
  • Added new module AuthBy RATELIMIT which can be used to limit the maximum number of requests per second to be served. If more than this number of requests are received in any second, they will be IGNOREd.
  • Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by Adam Thompson.
  • Server TACACSPLUS now honours DefaultRealm from the Client clause that matches the incoming request. If defined in the Client clause, it will override any DefaultClient defined in the Server TACACSPLUS clause.
  • Global SocketQueueLength was not honoured when creating RADIUS server ports.
  • Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
  • Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6 and RHEL6).
  • All TLS context configuration parameters, such as EAPTLS_CertificateFile now honour special characters (such as %K etc) from the EAP identity request.
  • AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0 (none) instead of 1 (session-based).
  • All EAP authentications now log at DEBUG level the elapsed time of the entire conversation (since the EAP identity) in seconds (and microseconds if Time::HiRes is available).
  • If a Client address cannot be resolved, the log message now includes the exact address that was not able to be resolved.
  • Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version 1.11.
  • Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if AuthBySelectParam was defined.
  • Removed incorrect -authen_args from help in tacacsplustest.
  • Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is honoured even if the EAP-GTC client sends the ‘RESPONSE=identity\0password’ form of EAP-GTC response.
  • Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
  • RFC 2621 was inadvertently omitted from the distribution.
  • Added support for new configuration parameter PacketDumpOmitAttributes, which specifies a comma separated list of RADIUS attribute names to be omitted from RADIUS packet dumps in logs.
  • ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP clauses. Reported by Albesiano Alberto.
  • Improved parsing of hooks and display of hooks by ServerHTTP. Reported by Albesiano Alberto.
  • AddToReply AddToReplyIfNotExist when used in Handlers and Clients, would incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL did not correctly honour AddToReply for Access-Accept and Access-Reject. Reported by Albesiano Alberto.
  • RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the distribution. In accordance with RFC 6614, the default shared secret for RadSec has been changed to ‘radsec’, UseTLS is enabled by default, and TLS_RequireClientCert is enabled in Server RADSEC by default.
  • Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
  • Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor, per Alvarion’s document ‘RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc’
  • Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor to support attributes like: WiMAX-Packet-Flow-Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN". Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA TLVs to dictionary, to support attributes like: Alvarion-DHCP-Option="Ref-R3-IF-Name=interface1,DHCP-Option-Container=container1" and Alvarion-R3-IF-Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6. Per Alvarion’s document ‘RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc’.
  • Fix to Fidelio interface so that LA messages are not queued unless there is a current connection.
  • Fixed a problem where the LDAP group search did not correctly specify the attributes to fetch, and therefore _all_ attributes were fetched, affecting performance. Reported by Ben Carbery.
  • Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If CheckSecretId is set, then check that the secretId fetched from the database matches the secretId encoded in the submitted Yubikey OTP. This increases the security of the Yubikey OTP and is recommended best practice. Also improved the documentation for configuring yubikey.cfg and provided a better sample database for use with yubikey.cfg.
  • Fixed a problem with EAP-FAST that prevented anonymous provisioning in some circumstances where the client asks for several ciphersuites. Reported by Sudhir.Harwalkar.
  • Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy ACE which issue AccessChallenge to get additional data from the user. Radiator was sending the challenge as GETPASS rather than GETDATA and wasn’t getting the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco ASA 5510 firewall. Reported and patched by Richard Fairhall.
  • Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl 5.14 x86 and x64 packages. Also updated the prebuilt packages at http://www.open.com.au/radiator/free-downlaods to include versions for Perl 5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-Lsa.tar.gz
  • Fixed a problem where AuthBy LDAP2 would incorrectly log “DEBUG: No entries for mikem found in LDAP database” if MaxRecords was set larger than the actual number of LDAP records retrieved.
  • Improvements to SQL logging: the name of the database is now shown at DEBUG level when connection attempts are made. Also the prepareAndExecute and do functions log the database name at DEBUG level. Requested by Philip Herbert.
  • Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
  • Added VSAs for Ruckus Wireless to dictionary.
  • AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem that prevented the error being correctly printed if ntlm_auth crashed or exited.
  • Removed use of Digest::SHA1, replaced with Digest::SHA, which is now included with all perls. Digest::SHA is now an absolute prerequisite.
  • Added sample config platypus7.cfg for recent Platypus 7 database.
  • For EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2 and EAP-FAST, inner packets are now logged at DEBUG level _after_ the PreHandlerHook (if any) is run, so that attributes added by the hook will be visible.
  • Fixed a problem where Client DupInterval 0 sometimes did not act as expected, causing a leak in EAP contexts.
  • Improved logging so that AuthBy ACE prompts are not broken up with newlines in logs. Requested by Richard Fairhall.
  • Fixed a problem in TACACS+ that prevented AuthBy ACE new PIN mode and other challenges from working correctly. Patch provided by Richard Fairhall.
  • Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the maximum time in seconds that a RadSec connection can be idle before a Status-Server request is sent to keep the TCP connection alive. This helps to keep TCP connections open in the face of “smart” firewalls that might try to close idle connections down. Defaults to 0 seconds, which means inactive.
  • Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the old-fashioned way, with the CHAP Challenge in the authenticator, and not in a separate CHAP-Challenge attribute.
  • Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org
  • Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
  • Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
  • Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is enabled, use only Status-Server requests (if any) to determine that a target server has failed when there is no reply. If not enabled (the default), use no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, MaxFailedGraceTime and FailureBackoffTime during failure detection. If you enable this, you should also ensure KeepaliveTimeout is set to a sensible interval to balance between detecting failures early and loading the target server. KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can be idle before a Status-Server request is sent to keep the connection alive. Defaults to 0 seconds.
  • Added more Unisphere and Juniper VSAs to dictionary based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
  • Fixed a problem that could cause a server crash if Framed-IPv6-Prefix was received but Socket6 is not installed.
  • Fixed typos in the names of Management-Transport-Protection and Management-Privilege-Level in dictionary. Reported by Ingvar Berg.
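As an added example (not Radiator code) of the EAPType parsing and RFC 3748 expanded-type encoding described in the 4.10 entry above, the following Python parses an EAPType value into (vendor, type) pairs, builds legacy and expanded EAP packets, and recovers the method from a packet so it can be checked against the configured list; the well-known name table and the function names are this example's own.

```python
import struct

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_EXPANDED = 254

# Well-known IETF EAP method types (IANA registry); vendor 0 means IETF.
WELL_KNOWN = {
    "MD5": 4, "GTC": 6, "TLS": 13, "LEAP": 17, "SIM": 18, "TTLS": 21,
    "AKA": 23, "PEAP": 25, "MSCHAP-V2": 26, "FAST": 43, "PWD": 52,
}


def parse_eap_types(value):
    """Parse an EAPType value such as "TTLS, MSCHAP-V2, 16776957:4244372217"
    into a list of (vendor, type) pairs.

    Each comma-separated item is a well-known name (case-insensitive), a
    plain EAP type number, or an expanded vendornumber:typenumber.
    """
    result = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if ":" in token:
            vendor_s, type_s = token.split(":", 1)
            vendor, vtype = int(vendor_s), int(type_s)
        elif token.isdigit():
            vendor, vtype = 0, int(token)
        else:
            try:
                vendor, vtype = 0, WELL_KNOWN[token.upper()]
            except KeyError:
                raise ValueError("unknown EAP type %r" % token) from None
        # Vendor-Id is 3 octets and Vendor-Type 4 octets on the wire.
        if not 0 <= vendor < (1 << 24) or not 0 <= vtype < (1 << 32):
            raise ValueError("EAP type out of range: %r" % token)
        result.append((vendor, vtype))
    return result


def build_eap_packet(code, identifier, vendor, vtype, data=b""):
    """Build an EAP Request/Response carrying method (vendor, vtype).

    RFC 3748 s5.7: an expanded type is Type 254 followed by a 3-octet
    Vendor-Id and a 4-octet Vendor-Type; IETF types below 254 use the
    one-octet legacy Type field.
    """
    if vendor == 0 and vtype < EAP_EXPANDED:
        type_field = struct.pack("!B", vtype)
    else:
        type_field = (struct.pack("!B", EAP_EXPANDED)
                      + vendor.to_bytes(3, "big") + struct.pack("!I", vtype))
    length = 4 + len(type_field) + len(data)
    return struct.pack("!BBH", code, identifier, length) + type_field + data


def eap_type_key(packet):
    """Return the (vendor, type) of an EAP Request/Response.

    An expanded type with Vendor-Id 0 is the same method as the legacy
    one-octet type, so both forms yield the same key.
    """
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError("not a well-formed EAP Request/Response")
    typ = packet[4]
    if typ != EAP_EXPANDED:
        return (0, typ)
    if len(packet) < 12:
        raise ValueError("truncated expanded EAP type")
    vendor = int.from_bytes(packet[5:8], "big")
    vtype = struct.unpack("!I", packet[8:12])[0]
    return (vendor, vtype)


def is_type_allowed(packet, eap_type_config):
    """True if the packet's method is one the EAPType parameter permits."""
    return eap_type_key(packet) in parse_eap_types(eap_type_config)
```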
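As an added example (not Radiator's or radpwtst's code) of the Message-Authenticator handling behind the radpwtst -message_authenticator option and the Client clause RequireMessageAuthenticator flag described above, the following Python appends a correctly calculated Message-Authenticator to an Access-Request or Status-Server per RFC 2869/3579 and verifies it the way a Client clause decides to accept or IGNORE; the shared secret, identifier and attributes are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
STATUS_SERVER = 12
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80


def pack_attrs(attrs):
    """Pack (type, value) pairs as RFC 2865 Type-Length-Value attributes."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def build_request(code, identifier, request_authenticator, attrs):
    """Code, Identifier, Length, Request Authenticator, then attributes."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + request_authenticator + body


def sign_request(code, identifier, request_authenticator, attrs, secret):
    """Return the request with a correct Message-Authenticator appended.

    RFC 2869 s5.14 / RFC 3579 s3.2: HMAC-MD5 keyed with the shared secret
    over the whole packet, with the Message-Authenticator value taken as
    16 zero octets. For Access-Request and Status-Server the Request
    Authenticator is the random one already in the packet.
    """
    packet = build_request(code, identifier, request_authenticator,
                           attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac       # the zeroed value is the last 16 octets


def iter_attrs(attr_bytes):
    """Yield (type, value_offset, value); reject malformed lengths."""
    pos = 0
    while pos < len(attr_bytes):
        if pos + 2 > len(attr_bytes):
            raise ValueError("truncated attribute header")
        typ, ln = attr_bytes[pos], attr_bytes[pos + 1]
        if ln < 2 or pos + ln > len(attr_bytes):
            raise ValueError("malformed attribute length")
        yield typ, pos + 2, attr_bytes[pos + 2:pos + ln]
        pos += ln


def check_message_authenticator(packet, secret):
    """Return "ok", "bad" or "missing" for the Message-Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    header, attr_bytes = packet[:20], packet[20:]
    found = [(off, val) for typ, off, val in iter_attrs(attr_bytes)
             if typ == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "bad"
    off, presented = found[0]
    zeroed = attr_bytes[:off] + bytes(16) + attr_bytes[off + 16:]
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, presented) else "bad"


def client_decision(packet, secret, require_message_authenticator=False):
    """Mirror the Client clause: IGNORE on an incorrect authenticator, and
    also on a missing one when RequireMessageAuthenticator is set."""
    result = check_message_authenticator(packet, secret)
    if result == "bad":
        return "ignore"
    if result == "missing" and require_message_authenticator:
        return "ignore"
    return "accept"
```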
Revision 4.9 (2011-09-30) New features and some bug fixes.
  • Fixed an issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted as UDP RADIUS (for historical reasons). It is now interpreted as TCP RADSEC. Reported by Stefan Winter.
  • Added commands to the sample startup script linux-radiator.init that work for Debian. Submitted by “Michael”.
  • Improvements to AuthBy FIDELIO: During a SIGHUP, AuthBy FIDELIO now sends a LE and closes the TCP connection before reopening the connection. This should result in better database reading behaviour during SIGHUP. AuthBy FIDELIO now sends periodic LA commands to the Fidelio to check the integrity of the link. Suggestions by Ralf Ertzinger.
  • Fixed further issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted. Reported by Paul Dekkers.
  • Improvements to AuthBy DNSROAM so that routes for different realms that are discovered to be to the same proxy server will reuse the existing server. Suggested by Stefan Winter.
  • goodies/fideliosim.pl now prints main details of PS posting records it receives.
  • New module AuthBy FIDELIOHOTSPOT which provides hotel guest authentication by Fidelio, and prepaid session times, billed to the user’s room by Fidelio. Supports various hotspots such as Mikrotik and Open-Mesh etc. Replaces goodies/fidelio-hotspot-hook.pl as the preferred method of providing prepaid sessions billed to room by Fidelio.
  • Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after a message from Fidelio has been unpacked into a hash and before the record is passed to handle_message(). It can be used to change or transform any fields in the record before it is passed to handle_message() and processed by AuthFIDELIO.
  • Improvements so that if the example Radiator init script for linux is invoked as a symlink (eg /etc/rc2.d/S90radiator->../init.d/radiator), it still deduces the correct program name (radiator) and hence sources the correct sysconfig file (/etc/sysconfig/radiator).
  • Fixed a problem where Realm clauses inside AuthBy DNSROAM did not recognise the Secret parameter. Reported by Paul Dekkers.
  • Added negative caching to Resolver, with new parameter NegativeCacheTtl.
  • Added new parameter RedespatchIfNoTarget to AuthBy DNSROAM. For a given request, if Resolver does not find a target and there is no explicit Route, and no DEFAULT Route, and this flag is set, the request will be redespatched to the Handler/Realm system for handling. This allows for a flexible fallback in the case where DNSROAM cannot find how to route a request. The redespatched request will have the attribute OSC-Environment-Identifier set to the AuthBy DNSROAM Identifier (or ‘DNSROAM’ if Identifier is not set).
  • Fixed problems with the Authen-Digipass PPM packages for Windows missing important files.
  • Fixed an issue with AuthBy RADSEC, where failure to deliver a message could cause continuous attempts to reconnect, even if ConnectOnDemand is set.
  • Fixed an issue with Stream based connections, where ConnectOnDemand and an unresponsive server could cause Radiator to hang. Reported by Paul Dekkers.
  • Added workaround for a bug in some versions of perl 5.12.1 (such as in openSUSE 11.3) that caused incorrect packing of some RADIUS requests.
  • Improvements to Server TACACSPLUS so that RADIUS STATE is saved in the connection rather than the context. Patch provided by Nicholas Waples.
  • Reversed a change made in 4.8 to how Server TACACSPLUS reports an expired authentication: the result is now FAIL again instead of ERROR. The 4.8 change made it result in ERROR, which causes some devices to then revert to the local authorisations.
  • Added a number of attributes from RFC 5090 to dictionary, which override a number of attributes that were previously commandeered by Ascend. The Ascend ones are still available in ascend.dictionary.
  • Fixed a typo in dictionary: Ascend-Call-Attempt-Limit was Agscend-Call-Attempt-Limit.
  • Fixed a problem in linux-radiator.init which prevented traceup working on SuSE. Reported by Aeneas Jaißle.
  • Improvements to ClientListSQL to support DisconnectAfterQuery, which will cause disconnection from the SQL database after each query. This can be helpful in cases where firewalls etc close connections that have been idle for a long time.
  • Added sha.pl, ssha.pl to goodies. Simple perl scripts to generate SHA and SSHA hashes of the first command line argument. Useful for generating SHA and SSHA hashed passwords in the form Radiator honours.
  • Fixed a problem with the Radiator init script that prevented reload, traceup and tracedown working with some versions of SuSE.
  • Added ipoque-class VSA for ipoque PRX Traffic Manager to dictionary. With the assistance of A.Sharaz.
  • Improvements to the sample wimax.sql database schema to improve interoperation with Alvarion.
  • All stream protocols that support TLS now support optional TLS_CertificateFingerprint parameter. When a TLS peer presents a certificate, this optional parameter specifies one or more fingerprints, one of which must match the fingerprint of the peer certificate. Format algorithm:fingerprint. Requires Net::SSLeay 1.37 or later.
  • Improvements to AuthBy EAPBALANCE to permit operation with target RADIUS servers that rely on State, such as Windows IAS etc.
  • Added Freeswitch-Direction and Freeswitch-Other-Leg-Id to dictionary.
  • Added documentation and sample scripts for how to use Radiator and the AuthBy FIDELIO module to handle authentication and accounting for the Freeswitch VOIP switch (http://www.freeswitch.org). It can be used to authenticate and bill VOIP calls to a Micros-Fidelio Opera Hotel Property Management System (http://www.micros.com).
  • Added Riverbed-Local-User VSA to dictionary.
  • Fixed a problem in AuthBy RADMIN where, if the database connection fails once, message logging through AuthRADMIN would stop altogether, and along with it the bad login counting. Reported and patched by Manuel Kasper.
  • Added Aruba-MMS-User-Template to dictionary, fixed typo in Aruba-Port-Identifier. Added AH-HM-Admin-Group-Id.
  • Added support for EAP AKA-PRIME. Requires version 1.32 or later of the Radius-EAP-SIM module.
  • Added new clause AuthBy SQLAUTHBY, which looks up how to authenticate each user based on information in an SQL database. The columns retrieved from SQL are used to create an AuthBy clause that will actually handle the request. The parameters used to configure the clause come from SQL. The clause is reused for as long as the target realm yields the same SQL query results. The example works with the sample RADSQLAUTHBY table in mysqlCreate.sql.
  • Added support for new parameter AuthChallengeKeyword to AuthBy URL. This parameter permits URL results that trigger a CHALLENGE reply for use with Challenge/Response systems. Contributed by Matthew Van Kuyk.
  • Added new parameter DirectAddressLookup to Resolver. If DirectAddressLookup is enabled, and if there are no NAPTR records for the requested Realm, Resolver will attempt lookups of A and AAAA records for _radsec._sctp.REALM, _radsec._tcp.REALM and _radius._udp.REALM. Enabled by default. Requested by Paul Dekkers.
  • Added sample hook pwaframedip.pl. This hook fixes a problem with Enterasys switches where Framed-IP-Address is not included in accounting packets, but the information is available via SNMP for Enterasys captive-portal (PWA) authentication. Contributed by Ben Carbery.
  • In AuthBy RADMIN, it is now possible to disable IncrementBadloginsQuery and ClearBadloginsQuery by setting the query string to be empty.
  • Server farm children now always reseed the random number generator so the children don't share the same seed.
  • Improvements to the RPM spec file so RPM installs with recent 64 bit perls will work.
  • Increased the default MaxBufferSize in streams to 10000000.
  • Added support for passwords encrypted with $2a$, $2x$ and $2y$ blowfish crypt and $5$ SHA-256 crypt (where supported by the underlying crypt()). Improvements to support rounds= notation in SHA-256, SHA512 crypt.
  • Ensure RecvTime is set in RADIUS requests derived from tunnelled EAP types.
  • Changed the type of Framed-Interface-Id in dictionary to be ifid. You can now specify Framed-Interface-Id as strings in the format ‘aaaa:bbbb:cccc:dddd’, which is compatible with FreeRadius.
  • Fixed an issue with TTLS and PEAP: When inner authentication is proxied, e.g. EAP-MSCHAP-V2 to MS NPS, NPS sends back State. If Radiator does not return State, proxying inner auth fails.
  • Added more Nomadix VSAs to dictionary, contributed by Mike Newton.
  • AuthBy EAPBALANCE and AuthBy HASHBALANCE now REJECT if an EAP stream has to be broken up, giving the client an immediate chance to restart. Changed the default protocol version for PEAP in EAPTLS_PEAPVersion from 1 to 0. This is in line with more recent documentation from Microsoft (which contradicts draft-josefsson-pppext-eap-tls-eap-0[35].txt), and it achieves better interoperability with Macs.
  • Added more Aruba VSAs, contributed by Alan.
  • EAP-FAST support now follows the recommendations for A_ID: it is now the 16 octet hash of the A_ID_INFO, which is set to the Radiator hostname. Updated instructions for building OpenSSL and Net::SSLeay for more recent versions of Net::SSLeay for use with EAP-FAST.
  • Added sample script goodies/hex2base32.pl to help with entering HOTP and TOTP codes into Google Authenticator. Converts hex codes to base 32.
  • Improvements to ClientList SQL to improve error detection.
  • Improvements to random number seeding: seeding is now done by a new function Radius::Util::seed_random. radiusd calls it at startup and after forking farm children. It can be overridden if necessary to provide local random number initialisation and seeding.
Revision 4.8 (2011-04-28) New features and some bug fixes.
  • Fixed a problem in AuthBy EAPBALANCE where no reply from a proxied request from the middle of an EAP stream would result in unlimited retransmissions of the request. Reported by Keith Ma.
  • Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
  • Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
  • RPM packages were built by default on OpenSuSE with LZMA compression, which is not available for all platforms. This new Radiator.spec disables LZMA and uses BZ2 instead. In future all RPMs will be built with BZ2 compression. New versions of Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm with BZ2 uploaded.
  • Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and TimeStepOrigin parameters were not correctly read, resulting in errors like “Unknown keyword ‘MaxBadLogins'”. Reported by Matthew Reeves-Hairs.
  • GetClientQuery was incorrectly using field 25 instead of 27 for flags. Documentation for GetClientQuery incorrectly described field 25 as being flags instead of ClientHook.
  • Added SQLRetries parameter to all SQL type clauses. When executing a query, Radiator will try up to SQLRetries attempts to execute the query, retrying if certain types of SQL error are seen. Defaults to 2. Requested by Michael.
  • Fixed some problems with Radius paths in the RPM on some platforms. Rebuilt and uploaded new RPMs.
  • Improved Client CIDR address searches so a more specific cidr would have priority over a less specific cidr. Contributed by Nicholas Waples.
  • Improved ClientListLDAP: added oscRadiusIdentifier and oscRadiusDefaultRealm to the default list of ClientAttrDefs. They were the only attributes missing from the oscRadiusClient LDAP schema provided (in goodies). Contributed by Nicholas Waples.
  • In Server TACACSPLUS, the call AuthenticationStartHook now includes the priv_lvl and service values from the TACACSPLUS request passed as arguments to the hook.
  • In Server TACACSPLUS, during authentication, we now add cisco-avpair attributes to the RADIUS request for action, authen_type, priv-lvl and service from the incoming TACACSPLUS request.
  • Improvements to AuthBy URL. Improved HTTP and HTML standards compliance by using the LWP::UserAgent methods post() and get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication, as well as the previously supported PAP. *CHAP challenges and responses are encoded as HEX and sent as configurable web parameters. Updated the sample config file goodies/url.cfg, and improved documentation. Fixed inconsistent password in sample test_url_md5.cgi. Cleaned up some of the code to be compliant with in-house standards.
  • Added support for BindAddress in all Ldap derived clauses, allowing you to specify a local address for the client side of the LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 0.0.0.0. Updated sample config file. Suggested by Roel Hoek.
  • Updated AuthBy NTLM so that if an authentication fails, the Warning log message records the user name along with the Authentication-Error. Suggested by David Zych.
  • Further improvements to AuthBy URL. Now supports the CopyReplyItem xxx yyy parameter: if a successful HTTP reply contains a string like ‘xxx=hexencodedvalue’, the value will be copied to the RADIUS reply as attribute yyy=value. The value is expected to be HEX encoded and will be HEX decoded before being added to the reply.
  • Fixed a problem where some SQL modules were not being correctly initialised, which was revealed when the new SQLRetries was added. Reported by Steffen Weinreich.
  • Further improvements to AuthBy URL. Now supports CopyRequestItem parameter. Adds a tagged item to the HTTP request. Format is CopyRequestItem xxx yyy. The text of yyy (which may contain special characters) will be added to the HTTP request with the tag xxx. In the special case where yyy is not defined, the value of the attribute named xxx will be copied from the incoming RADIUS request and added to the HTTP request as the tagged item yyy. All values are HEX encoded before being added to the HTTP request. Multiple CopyRequestItem parameters are permitted, one per line.
  • Improvements to AuthBy SQLTOTP to implement replay detection. This has required an additional column in the sample SQL database schema, and changes to the default AuthSelect and UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
  • Testing with the Mera MVTS Pro Voip gateway. OK. Added mera-mvts.txt. This document briefly outlines the requirements for interfacing Radiator with Mera MVTS Pro VOIP gateways, along with examples of the types of requests and replies Radiator can be expected to handle when interfacing with MVTS Pro.
  • Added new command line argument -min_interval to restartWrapper, which controls the minimum time interval between successive restarts. Contributed by David Zych.
  • Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP), and Google Authenticator (HOTP and TOTP). External testing with Feitian C200 OTP Tokens and others. All OK.
  • Added a number of Juniper attributes to dictionary.
  • Monitor and Server HTTP now support AddToRequest to add attributes to the internal RADIUS request they generate when authenticating administrator logins to their respective interfaces. They also dump these requests when Trace 4 is enabled.
  • Server TACACSPLUS now supports a new parameter AuthorizeGroupAttr. If this parameter is specified, it specifies the name of an attribute in Access-Accept that will contain per-command authorization patterns for authorising TACACS+ commands. These are processed before any configured-in AuthorizeGroup parameters. The command authorization patterns are in the same format as supported by AuthorizeGroup. Added a new VSA to dictionary OSC-Authorize-Group, which is intended to carry per-user reply command authorization patterns.
  • Improvements to Radiator linux startup script so you can have multiple scripts in /etc/init.d/ with different names, and which lookup different parameters in /etc/sysconfig. For example, you can install the script as /etc/init.d/radiator and /etc/init.d/radiator-acct, and it will look up parameters in /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further improvement is to always use -p RADIUS_PIDFILE to killproc the process, rather than the process name.
  • Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
  • Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary, including OLT-TL1-*, and added VALUE definitions for some other A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have adopted A-ESAM to be compatible with previously existing definitions.
  • Fixed a problem where EAP-MD5 authentications did not honour UsernameMatchesWithoutRealm. Reported by “Sami Keski-Kasari”.
  • Fixed a problem where EAP-MD5 authentication by AuthBy LSA mysteriously failed. Refactored EAP_4 check_chap() into AuthGeneric, and thence into AuthLSA. Reported by “Sami Keski-Kasari”.
  • Fixed a problem which could cause crashes in Socket6::inet_ntop. Reported by James Harton.
  • Testing on MacOS X 10.6.5. OK.
  • Added lookupauthgroup.pl, a sample PostSearchHook for AuthBy LDAP2, which finds user group(s) through an LDAP lookup, then finds corresponding check and reply attributes in SQL, based on the user group(s) for that user and the device groups of the RADIUS/TACACS+ client. This allows you to add very fine-grained authentication/authorisation in an LDAP/SQL environment, based on user and device group membership.
  • Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR, to fix possible session shutdown problems with some TACACS+ clients.
  • Fixed incorrect sequence numbers in some TACACS+ packets sent by goodies/tacacsplustest that affected interoperation with tac_plus. Fixed issues with TACACS+ version numbers that affected interoperation with tac_plus.
  • Added new parameter SingleSession to Server TACACSPLUS which can be set to 0 to disable the default behaviour which tries to keep the same TCP session for all requests. Setting SingleSession to 0 forces a TCP disconnect after every authentication, authorisation and accounting session. Some TACACS+ clients need this in order to operate correctly.
  • Improvements to AuthBy SQLTOTP so that tokens whose time drifts into the future can be authenticated. Patch supplied by Steffen Weinreich.
  • Decoupled AuthGeneric userIsInGroup from getUserGroups so subclasses can implement their own group finding.
  • Added new optional parameters GroupSearchFilter, GroupBaseDN and GroupNameCN to AuthBy LDAP2 to specify an LDAP search which will be used to get the names of groups this user is a member of. Used to check Group check items. Updated sample lookupauthgroup.pl to use the new group search function in AuthBy LDAP2.
  • AuthBy LSA now honours UsernameMatchesWithoutRealm correctly for users and groups. Reported by “Sami Keski-Kasari” and “Johnson, Neil M”.
  • In AuthBy SQL, the optional GroupMembershipQuery now has the groupname available as the second bound variable.
  • Improvements to Server TACACSPLUS so that it honours the TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a single session will only be maintained if the Server TACACSPLUS SingleSession parameter is set _and_ the client indicates a willingness to support single sessions with the TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled regardless of client options by setting the SingleSession flag to 0 (defaults to 1).
  • Improvements to goodies/tacacsplustest: it now correctly sets the TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command line parameter is given. It now closes the connection at the end of each session unless the -single flag is set and the server indicates a willingness to support single connections with the TAC_PLUS_SINGLE_CONNECT_FLAG.
  • Fixed a problem where malformed WiMAX attributes could cause a crash. Reported by Mark Sergeant.
  • Further fixes to Server TACACSPLUS: If SingleSession is set, some Cisco TACACS+ clients will close an authentication session after the first reply. This is a bug in the client. As a workaround, ServerTACACSPLUS.pm now never sets the TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki Tuomi.
  • Fixed a typo in linux-radiator.init that prevented traceup and tracedown working properly on RHEL5.
  • Added LOG_WARNING log message if a Tacacs+ request is received by Server TACACSPLUS for which no Client could be found.
  • Improvements to Server TACACSPLUS so that expired authentications result in ERROR instead of FAIL. Tacacs authorisations are now bound to both the username and the peer address, so a user can have different authorisations on each device.
  • Added peer address to a number of warning and info messages produced by Server TACACSPLUS for easier diagnosis.
  • Updated Monitor HELP command documentation to include TRACE_PREDICATE.
  • Fixed problems with linux-radiator.init traceup and tracedown on RHEL5.
  • Improvements to Server TACACSPLUS: Fixed a problem with the new AuthorizeGroupAttr that caused authorisation patterns to not be reset properly. Server TACACSPLUS now updates the global packet counts for each Tacacs+ request received. Database failures that IGNORE now cause a Tacacs *_STATUS_ERROR reply.
  • Added goodies/cisco-vpn.txt a short description on how to configure Cisco VPN 3000 Concentrator VPN groups, and the limitations thereof.
  • Fixed a case where Radiator would crash when certain local devices tried to connect to a tacacs port.
  • Added example rule to goodies/tacacsplusserver.cfg showing how to use optional tacacs roles, including multiple optional roles.
  • Added new parameter UnbindAfterServerChecksPassword to AuthBy LDAP2, which works around problems with some LDAP servers. Normally, when ServerChecksPassword is set, after Radiator checks a user's password the LDAP connection is not unbound. This can cause problems with some LDAP servers (notably Oracle ID and Novell eDirectory), where they unexpectedly cause the following LDAP query to fail with LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after each ServerChecksPassword bind.
  • Added support for new -I command line flag to radiusd, which adds an include directory to the module search path. Patch by Heikki Vatiainen.
  • In SqlDb::do(), Sql connections now detect PostgreSQL duplicate key violations, which are now not a cause for disconnect. Added similar tests to SqlDb::prepareAndExecute().
  • Added a sample RAdmin configuration file that shows how to record Tacacs+ commands to the RAdmin RADCOMMANDAUDIT table for auditing and viewing (RAdmin 1.14 plus latest patches required).
  • The ServerRADIUS clause now supports AddToRequest, which makes it easy to tag requests that arrive by RADIUS to distinguish them from those arriving by TACACS+ or Diameter.
  • Server HTTP log messages are now escaped so that HTML characters in the log do not cause display errors. Patch provided by Adam Bishop.
  • Fixed a problem in Auth LDAP2 that could cause a crash if ServerChecksPassword and UnbindAfterServerChecksPassword are enabled, and certain LDAP errors occur during the ServerChecksPassword bind.
  • Fixed spelling mistake in VENDORATTR Timetra-Home-Directory, Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400 switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR SAM-Security-Group-Name .
  • Improvements to IPV6 handling so the absence of Socket6 causes a warning message instead of an exit.
  • Added a number of FreeSwitch accounting VSAs to dictionary. Added a brief discussion paper about how to integrate FreeSwitch with Radiator. FreeSWITCH is a powerful and versatile telephony platform that can scale from a softphone to a PBX and even to a carrier-class softswitch.
  • Log SYSLOG and AuthLog SYSLOG now support special characters in LogIdent, LogOpt and LogHost.
  • TLS Streams, such as used with Radsec did not correctly verify certificates for ‘hostname’ if the Host address was specified in Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
  • Fixed an issue where truncated EAP-Message requests would cause a log message like “Could not load EAP module Radius::EAP_” ….. This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha.
  • Server TACACSPLUS now honours reply attributes correctly for ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
  • Testing with XAMPP on Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html) is an excellent, easy to install bundle of useful tools such as Apache, MySQL, Perl etc for Windows. It is also a good base for installing Radiator on Windows, especially if you wish to use Radiator with RAdmin or a MySQL database. Updated installation documentation to include XAMPP on Windows.
  • Added support for Novell eDirectory NMAS (Novell Modular Authentication System) to AuthBy LDAP2. NMAS allows Novell eDirectory to support and authenticate passwords using the Vasco Digipass NMAS method, and other third party token and non-token systems. Only Vasco Response-Only (RO) tokens are supported, since NMAS does not currently support challenge-response via RADIUS. Sample configuration file included.
  • Ldap classes now support the “ipv6:” prefix for Ldap server Host names. If Host begins with “ipv6:” the subsequent host name(s) will be interpreted as IPV6 addresses where possible, and Net::LDAP will use INET6 to connect to the LDAP server.
  • In AddressAllocator SQL, the default AllocateQuery was changed to check the STATE during the allocation to catch certain race conditions.
  • With all Ldap clauses, removed the default BindAddress of 0.0.0.0. This was unnecessary and interferes in a non-obvious way with attempts to use ipv6: in the Host. Reported by Dyonisius Visser.
  • Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
    RFC4669 - RADIUS Authentication Server MIB for IPv6
    RFC4671 - RADIUS Accounting Server MIB for IPv6

    The RFCs are included in the distribution.

  • Improvements to EAP handling to support multiple desired EAP types in EAP NAK response, per RFC 3748.
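The Nak handling above can be illustrated with a small parser. This is an added example, not Radiator code: it decodes an EAP Legacy Nak (RFC 3748 section 5.3.1) carrying several desired types and selects the first one the server also offers; its length checks are also the kind that turn a truncated EAP-Message into a clean rejection rather than an attempt to load a non-existent EAP module, as described in the fix further down this list. The packet builder exists only to construct test input.

```python
"""Added example (not Radiator code): EAP Legacy Nak parsing per RFC 3748."""
import struct
from typing import List, Optional, Tuple

EAP_RESPONSE = 2
EAP_TYPE_NAK = 3
EAP_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (Length covers the header)
MIN_EAP_LEN = EAP_HEADER.size + 1   # header plus the Type octet


def parse_eap(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (code, identifier, type, type_data); raise ValueError if malformed."""
    if len(pkt) < MIN_EAP_LEN:
        raise ValueError("EAP packet shorter than header plus Type")
    code, ident, length = EAP_HEADER.unpack_from(pkt)
    # Length may be less than the octets received (trailing padding is ignored)
    # but never more, and it must cover the Type octet.
    if length < MIN_EAP_LEN or length > len(pkt):
        raise ValueError("EAP Length field does not match the data received")
    return code, ident, pkt[4], pkt[5:length]


def is_well_formed(pkt: bytes) -> bool:
    """True if the packet passes the header and length checks."""
    try:
        parse_eap(pkt)
        return True
    except ValueError:
        return False


def nak_desired_types(pkt: bytes) -> List[int]:
    """Desired types from a Legacy Nak, in the peer's preference order.

    RFC 3748: a single type octet of zero means the peer has no acceptable
    alternative, so zeros are never returned as candidates.
    """
    code, _ident, etype, data = parse_eap(pkt)
    if code != EAP_RESPONSE or etype != EAP_TYPE_NAK:
        raise ValueError("not an EAP Response/Nak")
    return [t for t in data if t != 0]


def choose_next_type(pkt: bytes, offered: List[int]) -> Optional[int]:
    """First desired type that the server also offers, or None (then reject)."""
    for t in nak_desired_types(pkt):
        if t in offered:
            return t
    return None


def build_nak(ident: int, desired: List[int]) -> bytes:
    """Build a peer's Legacy Nak; used here only to construct sample input."""
    data = bytes(desired) if desired else b"\x00"
    length = MIN_EAP_LEN + len(data)
    return EAP_HEADER.pack(EAP_RESPONSE, ident, length) + bytes([EAP_TYPE_NAK]) + data
```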
  • Fixed incorrect error message that referred to ServerHTTP. Reported by Karl Gaissmaier.
  • Added support for PacketTrace to Server TACACSPLUS, Server DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
  • Fixed a problem where attributes of type ipv6prefix (such as Framed-IPv6-Prefix) would not be decoded correctly if they had fewer than 16 octets. Reported by Lee, Larry KT.
  • Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even if the Called-Station-Id has the SSID of the AP appended as described in http://tools.ietf.org/html/rfc3580#section-3.20.
  • Added example perl script rpt.pl which logs packets which match a regexp. Contributed by Bart Dumon.
  • Fixed a problem when using AuthBy RADIUS with Synchronous and Fork that if the secrets don’t match (resulting in “Bad authenticator received in reply to ID 1. Reply is ignored”), this creates forked processes that never terminate and have to be manually force-killed. Reported by David Zych.
  • Fixed a number of innocuous warnings when radiusd is run with perl -w.
  • Added usage documentation for author_args in tacacsplustest.
  • In AuthSQL, GroupMembershipQuery is now not passed any bind variables. If you wish to use bind variables with GroupMembershipQuery, use the new GroupMembershipQueryParam.
  • Fixed a problem with Server HTTP where some versions of Firefox would hang when trying to access localhost:9048. Also fixed some innocuous warnings when run with the -w flag.
  • Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some cases with some versions of Sys::Syslog, the loghost was not set correctly. Reported by Klara Mall.
  • radiusd now unlinks PidFile during an orderly shutdown. Suggested by Klara Mall to prevent startup scripts being confused by stale PID files.
  • Improvements to AddressAllocator SQL: If CheckPoolQuery is set to an empty string, no pool checking will be done at startup. If AddAddressQuery is set to an empty string, addresses will not be automatically added to the pool.
  • Testing against RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de/. Works well, and easy to install.
  • Fixed a problem in TLS Stream based protocols (such as AuthBy RADSEC, AuthBy DNSROAM etc), where ConnectOnDemand would not work correctly in the case where a TLS connection was being established and failed. Reported by Stefan Winter.
  • Added goodies/radiusgina.txt, a brief introduction to RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de.
Revision 4.7 (2010-08-11) New features and some bug fixes.
  • Added support for Django style passwords in the format:
    sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78b
    and
    md5$a1976$e67d1ca20e9c28321b86e34076cc48ab

    as specified by http://docs.djangoproject.com/en/dev/topics/auth/#passwords. Contributed by Jerome Fleury.
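The Django format above and the {SHA}/{SSHA} forms produced by the sha.pl and ssha.pl goodies mentioned in the 4.9 list share one verification pattern. The following is an added example, not Radiator's or Django's own code: it generates and checks hashes in those formats, assuming the legacy Django rule that the digest is algo(salt + password) in hex, and the usual LDAP rule that {SSHA} is base64 of sha1(password + salt) followed by the salt. The salt lengths chosen for generation are constructed for the example.

```python
"""Added example (not Radiator code): Django legacy and {SHA}/{SSHA} password hashes.

These are fast, unsalted or lightly salted digests. They are shown because
Radiator accepts stored passwords in these forms, not as a recommendation.
"""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

SHA1_LEN = 20  # octets in a SHA-1 digest; in {SSHA} the salt follows the digest


def django_hash(password: str, algo: str = "sha1", salt: Optional[str] = None) -> str:
    """Return algo$salt$hexdigest, hexdigest = algo(salt + password)."""
    if algo not in ("sha1", "md5"):
        raise ValueError("only sha1 and md5 are used by the Django legacy format")
    if salt is None:
        salt = secrets.token_hex(3)  # constructed salt length for this example
    digest = hashlib.new(algo, (salt + password).encode()).hexdigest()
    return f"{algo}${salt}${digest}"


def sha_hash(password: str) -> str:
    """Return the {SHA} form: base64 of the raw SHA-1 digest (no salt)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return the {SSHA} form: base64 of sha1(password + salt) followed by the salt."""
    if salt is None:
        salt = os.urandom(8)  # constructed salt length for this example
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(password: str, stored: str) -> bool:
    """Verify password against any of the three formats; anything else fails closed."""
    pw = password.encode()
    try:
        if stored.startswith("{SSHA}"):
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
            digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
            return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
        if stored.startswith("{SHA}"):
            raw = base64.b64decode(stored[len("{SHA}"):], validate=True)
            return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
        parts = stored.split("$")
        if len(parts) == 3 and parts[0] in ("sha1", "md5"):
            algo, salt, digest = parts
            calc = hashlib.new(algo, salt.encode() + pw).hexdigest()
            # constant-time compare; hex digests are ASCII so str compare is valid
            return hmac.compare_digest(calc, digest.lower())
    except (ValueError, TypeError):
        # bad base64, odd characters or wrong types: treat as a mismatch
        return False
    return False
```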

  • Fixed a bug in ServerTACACSPLUS to do with closing the authgroup file. Reported by Wolfgang Koenig.
  • Added sample configuration file for Radiator, showing how to proxy requests to the WiKID (http://www.wikidsystems.com/) Strong Authentication RADIUS Server.
  • Fixed a problem where AuthBy SQLRADIUS statistics were not kept correctly up to date in the case of recovered servers. Reported by Dan Cachola.
  • Factored out EAP-FAST PAC creation and retrieving from EAP_43 to AuthGeneric. AuthBy SQL can now override these functions and use SQL queries to save and retrieve PACS, or to retrieve pre-provisioned PACS from the database. If AuthBy SQL does not define CreateEAPFastPACQuery, then it falls back to the default of saving PACS in Radiator memory.
  • Added sample configuration file and detailed installation instructions for the Secure Metric (www.securemetric.com) SecureOTP one-time-password system, including details on how to proxy requests to the SecureOTP RADIUS Server.
  • Minor changes of some log messages from INFO to DEBUG level, to reduce noise level. Additional information in some AuthBy RADIUS and EAP messages to improve diagnostics in load balancing systems. Requested by Myles Fenton.
  • Added support for -retries flag to radpwtst.
  • Removed redundant noReplyFromProxy from goodies. The code is in goodies/hooks.txt.
  • Previously, radpwtst would use the same random authenticator for all requests. Now radpwtst uses a different random authenticator for each request, which can help with testing of duplicate detection.
  • Added OSC-Device-Identifier, OSC-User-Identifier and OSC-Group-Identifier to dictionary.
  • Added Identifier to the “Handling request with Handler …” debug message.
  • Fixed an error in the calculation of responseTime statistics.
  • Improvements to detection and use of Time::HiRes. New function Radius::Util::getTimeHires returns (seconds, microseconds). Microseconds is 0 if Time::HiRes is not available. responseTime is now measured with microsecond accuracy if Time::HiRes is available, improving the accuracy of statistics calculations.
  • Added a number of DeTeMobil Vendor-Specific Attributes to dictionary. Contributed by Alexander Hartmaier.
  • Improvements to AuthBy LDAP2 performance: if ServerChecksPassword is in use, and if the server rejects the password due to LDAP_INVALID_CREDENTIALS or LDAP_INAPPROPRIATE_AUTH, do not disconnect from the LDAP server. Previously, this would cause an unnecessary disconnect.
  • Added symbolic vendor names for T-Mobile and TMO to dictionary.
  • Added function changePassword to AuthBy LDAP2 to support custom code to change user passwords. Net::LDAP compatibility improvements with use of Net::LDAP::Entry->get_value(…, asref => 1) instead of get(…).
  • Abstracted the generic Yubikey support code into AuthYUBIKEYGENERIC.pm; AuthSQLYUBIKEY is now a subclass. Enables the development of new subclasses for supporting Yubikey in other types of database, such as LDAP.
  • Changes to the RPM build spec to accommodate RPM_BUILD_DIR, to circumvent rpm building problems on some platforms.
  • Added more 3GPP attributes to dictionary as per http://www.3gpp2.org/Public_html/specs/X.S0011-005-E_v1.0_091116.pdf
  • Improved behaviour of AuthBy FIDELIO when LA messages are received. Previously they would always cause a database update. Now this only happens on the first LA. Fixed a bug in fideliosim.pl. fideliosim.pl now implements LA requests every 10 seconds.
  • AuthBy FIDELIO now never uses a posting sequence number of 0000, following advice from Michael Herzig. Starts at 0001 and wraps from 9999 to 0001.
  • AuthBy FIDELIO now implements 2 new configuration parameters: PostingExtraFields allows you to override or add extra data fields to be sent in the Opera posting record. PostingRecordID allows you to change the posting record ID from the default of ‘PS’ to, say, ‘PR’. Examples in the fidelio.cfg sample configuration file.
  • Fixed a potential memory leak with EAP-TLS. X509_free is used to free the certificate. Reported by Robert Hwang.
  • Fixed an error with the formatting of dates in the DA field in AuthBy FIDELIO: the month and day elements were reversed. Reported by Michael Herzig.
  • Added new convenience function post() to AuthFIDELIO.pm for posting accounting requests to Fidelio, and which can be used by other hooks. Improved a number of separator formatting issues in messages sent to Fidelio.
  • Added sample Radiator configuration, showing how to build a WiFi hotspot with, for example MikroTik (www.mikrotik.com) hotspot and captive portal, which authenticates against Micros-Fidelio Opera hotel management system, and permits the user to purchase WiFi internet access in blocks of 24 hours which are billed to the user’s room through Opera. Example works with MySQL as a session database (schema included), but other databases can be supported.
  • Added new configuration parameter LogOpt to Log SYSLOG and AuthLog SYSLOG clauses, allowing control over the syslog options used. LogOpt is a comma separated list of words from the set cons,ndelay,nofatal,nowait,perror,pid as described in the Perl Sys::Syslog module. Defaults to pid. Contributed by Bjoern A. Zeeb with some changes.
  • Added reload option to goodies/linux-radiator.init. Contributed by David Worth.
  • Added new parameter CheckoutGraceTime to AuthBy FIDELIO. Permits users to log in for this period of time after they have checked out. Contributed by Manuel Kasper, with some minor changes.
  • Improvements to AuthBy LSA to permit machine authentication in groups.
  • Added new parameter NAPTR-Pattern to Resolver. NAPTR-Pattern is an optional parameter that specifies a regexp that will be used to match the contents of NAPTR records during Resolver service discovery. If NAPTR-Pattern is defined and matches a NAPTR DNS record, it will be used to determine the protocol and transport to be used. The regex is expected to match 2 substrings. The first is the protocol and can be ‘radsec’ or ‘radius’. The second is the transport to use, and can be ‘tls’, ‘tcp’ or ‘udp’. This has been added to support proposed new NAPTR standards for Eduroam. Requested by Stefan Winter.
  • Win32-Lsa for Windows 64 bit ActivePerl 5.10 is now available with
    ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
  • Improvements to the “No reply after ….” message in AuthBy RADIUS to include the Identifier and the delay time. Requested by Myles Fenton.
  • Minor improvements to AuthBy NTLM for testing.
  • StreamTLS classes, such as ServerRADSEC, ServerDIAMETER, AuthByRADSEC etc. now support EAPTLS_CRLFile with operating system wildcards. Similarly, TLS based classes such as TLS, TTLS, PEAP etc now support TLS_CRLFile with operating system wildcards.
  • Added new parameter TLS_SRVName to StreamTLS classes. This is intended for use by AuthBy RADSEC and AuthBy DNSROAM to specify a DNS SRV Name that will be matched against possible SubjectAltName:SRV extensions in the server certificate. If TLS_SRVName is specified and the server certificate contains SubjectAltName:SRV extensions, none of which match TLS_SRVName, the certificate will not be accepted. Format is _service._transport.name (this is the same format SRV names appear in DNS records). For example “_radsec._tcp.example.com”. Only service and name are matched. Requested by Stefan Winter for Eduroam support.
  • Resolver now saves the SRV Name of any SRV record that was followed in order to get an address in the result set. AuthBy DNSROAM now uses this to set the TLS_SRVName in a target AuthBy RADSEC, which enables checking against any SubjectAltName:SRV extensions in the server certificate. Requested by Stefan Winter for Eduroam support.
  • Improvements to AuthBy FIDELIO so that during an accounting posting, the DD field (Dialed Digits), which is based on the Called-Station-Id, contains only digits. Micros-Fidelio report that contents other than digits can cause problems in Opera.
  • Added surfnet VSAs to dictionary.
  • Improvements to AuthBy RSAAM for interoperation with AM 7.1 SP3. At AM7.1 SP3, the authentication realm requested by the AM server SOAP interface was changed by RSA, causing earlier versions of AuthBy RSAAM to fail to connect with a 401: Unauthorized error. This change permits AuthBy RSAAM to work with pre and post SP3 as well as improving performance. SessionRealm parameter is now unused and obsolete. Reported by Rene Fleissner.
  • Improvements to the Linux Radiator startup script. Added traceup and tracedown commands which signal Radiator to increase or decrease its trace level. Handy for changing trace levels without having to find the process ID first. Contributed by David Worth.
  • Added version of Authen-Digipass module for Active State perl 5.12.
  • Fixed a problem in AuthBy OTP where a PasswordPattern of aaaaaaaa generates OTPs which are twice as many characters as specified and every odd is an ‘a’. Reported by Alexander Hartmaier.
  • Fixed default AuthGroupCheck AuthGroupReply GroupMembershipQuery queries which incorrectly referred to the usergroup table instead of the radusergroup table. Reported by Mike Wilson.
  • Changed the type of Framed-IPv6-Prefix in the dictionary from string to ipv6prefix, allowing entry of IPv6 prefixes in a sensible format.
  • Changed the type of NAS-IPv6-Address in the dictionary to ipaddrv6 for correct encoding and decoding of IPv6 addresses.
  • When AuthBy HANDLER is used and RejectHasReason is specified, now sets the actual rejection reason in the reply instead of “redirected by AuthHANDLER”.
  • AuthBy LSA now honours UsernameMatchesWithoutRealm.
  • Fixed a problem with quoting of parameters passed to the external command by AuthBy EXTERNAL. Reported by KUCZYNSKI, CHRISTOPHE.
  • Updated Coova ChilliSpot VSAs in dictionary.
  • Fixed a problem where EAP type negotiation could remove the EAP-TLS VERIFY_PEER requirement, causing EAP-TLS to sometimes fail when other clients were trying to negotiate TTLS or PEAP. Reported by Keith Ma.
  • Added option to get any configuration parameter from an SQL database with a new form of parameter ParameterName sql:identifier:query which will look for a previously defined AuthBy SQL clause with an Identifier of ‘identifier’ and run the SQL query given by ‘query’. The first row in the result will be used to set the parameter ParameterName. This lookup is only ever done once at startup time.
  • Added new type of special character which will be replaced with a value fetched from an SQL database. Special characters of the form %{SQL:identifier:query} will look for a previously defined AuthBy SQL clause with an Identifier of ‘identifier’ and run the SQL query given by ‘query’. The first row in the result will be used as the value of the special character. This type of lookup is done whenever the special character is evaluated.
  • Fixed a problem with AuthBy FREERADIUS. The test for limit values for Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session was reversed, causing them to fail when they should succeed and vice-versa. Reported by Stanley Thomas.
  • When radpwtst was used to send arbitrary packet types such as CoA-Request, the reply was not decoded and therefore never packet dumped. Reported by Vangelis Kyriakakis.
  • Improvements to the sample gigawords-hook.pl to use 64 bit integers in order to be more robust against overflows with large traffic volumes.
Revision 4.6 (2010-02-05) New features and some bug fixes.
  • Improved AuthLog SYSLOG to support multiple SYSLOG clauses with different LogHost and LogSock options. Now compatible with multiple Log SYSLOG clauses. Reported by “Martin van der Walle”.
  • Improvements to example init script for Linux in linux-radiator.init, to be compliant with LSB requirements in http://wiki.debian.org/LSBInitScripts
  • AuthBy LDAP2 now detects LDAP_INVALID_DN_SYNTAX errors and interprets them as a per-request error and not a connection failure. When an LDAP_INVALID_DN_SYNTAX error occurs, the LDAP connection will not be shut down. Requested by Dawn Lovell.
  • Fixed a problem in Server TACACSPLUS where an AuthorizeGroup of the form AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"} (i.e. with double quotes surrounding the predicate) would result in the autocmd being sent incorrectly with 2 equals signs.
  • AuthBy SQLYUBIKEY now supports static passwords in any format supported by Radiator, including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also supported. Suggested by Jerome Fleury.
  • Minor updates to Yubikey documentation to reflect the fact that AES keys must be programmed into each Yubikey before being imported into the SQLYUBIKEY database. Changes to AuthBy SQLYUBIKEY default SQL queries to work better with databases where the tokenID and AES key are in Hex. Yubikey keys may now be present in the database in either hex (no spaces) or base64 format. But the default queries assume the Token ID and AES secret are in Hex, and that there is a one-to-one mapping between users and Yubikeys. Other options are available with custom SQL queries.
  • Fixed a problem in AuthBy SQLYUBIKEY where it would sometimes incorrectly detect a replay attack during multiple authentications within the same Yubikey session. General improvements to the AuthBy SQLYUBIKEY replay detection. Replay detection now uses the session counter and the session_use counter. The timestamp is not used. The database column that previously held the timestamp_low is used for the session_use counter. The database column that previously held the timestamp_high is not used.
  • Updated install.html installation instructions for Windows.
  • Improvements to AuthBy EAPBALANCE and AuthBy HASHBALANCE to work better in multi-AP roaming TTLS/PEAP session resumption environments. The default behaviour of AuthBy HASHBALANCE is to compute the HASH based on the same attributes as the EAP context. This prevents false detection of loss of continuity in EAP streams. AuthBy EAPBALANCE now sets the State in all replies in an EAP stream, not just the first, in order to work correctly with some non-compliant APs. AuthBy HASHBALANCE is deprecated in favour of AuthBy EAPBALANCE in any EAP-capable environment.
  • In Server DIAMETER, fixed a problem that prevented some RADIUS reply attributes being correctly translated into Diameter reply attributes.
  • Added new module AuthBy SQLMOTP for MOTP authentication, a new strong, two-factor authentication with mobile phones. See http://motp.sourceforge.net for details. Sample configuration and SQL schema supplied. Modifications to radpwtst to support new -motp_secret flag, allowing it to be used to test AuthBy SQLMOTP like: radpwtst -noacct -motp_secret 7ac61d4736f51a2b -password 1234 (the password argument is used as the MOTP PIN, and the motp_secret is used as the MOTP secret key). AuthBy SQLMOTP originally submitted by Jerome Fleury.
  • In diapwtst, fixed a problem that would result in an incorrect status report: “Unexpected result code: DIAMETER_SUCCESS”.
  • Improvements to the internal structure of ServerDIAMETER.pm, making it easier to override handling of specific Diameter request types.
  • Fixed a problem with AuthBy VOLUMEBALANCE, where if multiple failed hosts are configured with FailureBackoffTime of 0, it was possible for a request to be handed to each host in turn forever.
  • Added new sample configuration file goodies/crypto-mas.cfg, showing how to proxy requests to the Cryptocard MAS (Managed Authentication Service) CRYPTO-MAS. See http://www.cryptocard.com/
  • Added new parameter MaxTargetHosts to AuthBy VOLUMEBALANCE. Limits the number of different hosts a request will be proxied to in the case of no reply. Defaults to 0 which means no limit: if the load balancer does not receive a reply from a host, it will keep trying until all hosts are exhausted.
  • Improvements to RPM spec file to permit installation with Perls that do not include /usr/lib/perl5/site_perl/, such as SLES. Reported by Frank Messie.
  • Improvements to the rpm: make target so the RPM build correctly uses the local perl version number for links in the Perl lib. Contributed by Bjoern.
  • Updated expired test certificates.
  • Fixed a problem with incorrect type in replies to proxied Change-Filter-Request. Reported by Belmont Cheung.
  • Added support for UpdateQuery in SessionDatabase SQL. Patch supplied by Jose Borges Ferreira.
  • Added support for RFC 4818 compliant packing and unpacking of Delegated-IPv6-Prefix. Added new dictionary type ipv6prefix.
  • The TacacsPlus group cache GroupCacheFile now uses the IP address of the client as part of the key, so that in situations where the group name depends on the client the correct group name will be retrieved.
  • Some Expiration check items in the sample users file had actually expired, causing the test suite to incorrectly fail on tests 2l, 2m, 3g and 3h.
  • Fixed a problem that could cause incorrect authentication of HOTP passwords with leading zeroes.
  • Added support for TOTP (Time-based one-time-passwords) as specified in draft-mraihi-totp-timebased-04.txt. Sample configuration and database schema included.
Revision 4.5.1 (2009-11-17) Minor bug fixes
  • Fixed a problem introduced in version 4.5 where AddressAllocatorSQL could cause errors like: “called with 4 bind variables when 3 are needed” with ReclaimQueryBindVar on certain SQL servers. Reported by Stefan Feurle.
  • AuthSQLYUBIKEY.pm was omitted from the 4.5 distribution.
  • Further changes to obscure plaintext passwords in DEBUG messages. Patched by Markus Moeller.
  • Improvements to support multiple Log SYSLOG clauses with different LogHost and LogSock options. Reported by Arjan Broos.
  • Fixed an error in the example AuthSelect in yubikey.cfg. Changed the default for AuthSelect in AuthBy SQLYUBIKEY to always check the userId too. Suggested by Jerome Fleury.
  • Fixed a problem where calling SNMPAgent->activate multiple times on the agent could cause errors with resolving Manager addresses.
  • Added Brocade VSAs to dictionary. Contributed by Alexander Hartmaier.
  • Added support for -raw and -rawfile options to tacacsplustest.
  • Fixed a problem in the unsupported AuthBy PLSQL in goodies that prevented it working correctly with the Server HTTP browser. Reported by Mike Redan.
  • Fixed a problem with the display of splitstringhash parameters in the Server HTTP browser.
  • Fixed a problem with saving of configurations that include a splitstringhash. Reported and patched by Mike Redan.
Revision 4.5 (2009-10-27) New features and bug fixes
  • Fixed a bug that could cause a crash at startup if the listening RADIUS port could not be opened due for example to an unresolvable bind address. The error message was “Not a CODE reference at Radius/ServerRADIUS.pm”. Reported by Thomas Schlottke.
  • Significant performance improvements in Select::add_timeout. Now uses a binary search for the insertion point, rather than re-sorting the whole list every time.
  • Added support for authenticating Yubikey tokens from Yubico (http://www.yubico.com). Yubikeys are small, inexpensive USB tokens for one-time-password authentication. Added sample configuration file and descriptive test file. Supports one- and two-factor authentication, replay detection etc.
  • Fixed a problem with AuthBy LDAPRADIUS which would cause a crash during initialization.
  • Improvements to ServerTACACSPLUS so it can find an appropriate Client clause even if the reverse DNS is screwy. Suggested by Ranko Zivojnovic.
  • Fixed a problem with resolution of IPv6 addresses on some platforms such as Solaris. Some debug messages were inadvertently left in Util::gethostbyname for IPv6. Reported by Sami Keski-Kasari.
  • Fixed a problem with heavily loaded server farms where a SIGHUP of the process leader could cause inability to bind to the listening ports after restart. Radiusd now waits for all farm children to die before restarting. Reported by Dan Cachola.
  • Added support for HOTP (RFC 4226) one-time-passwords with AuthBy SQLHOTP. HOTP one-time-passwords are authenticated based on a secret key stored in an SQL database. Detects replay attacks and brute-force attacks and supports counter resynchronisation. Can also support static passwords for 2 factor authentication when the user prefixes their static password before the HOTP one-time-password. Supports authentication by RADIUS PAP, EAP-OTP and EAP-GTC. Includes sample configuration file and sample database schema with test users.
  • Added support for IdleTimeout to Server TACACSPLUS. If a client stays connected for more than this number of seconds without sending any requests it will be disconnected. Defaults to 180 seconds. Requested by Yevgeniy Averin.
  • Added new parameter UseContentsForDuplicateDetection to Client. This must be used in a server farm environment. The back end servers in a server farm will receive requests from a range of source ports. Duplicates received by the front ends and proxied to the back ends may appear to come from a range of source ports and with a range of RADIUS identifiers. This flag causes duplicate detection to be based on the contents of the packet, and not on the ‘envelope’. This permits duplicates to be detected regardless of the path they take to get from the NAS to the server. It must be set in the Client clauses of the back end servers of a server farm architecture.
  • Fixed a problem with the MIB name in CiscoSessionMIB. Reported by Tim Wolgemuth.
  • Added support for UseContentsForDuplicateDetection to ClientList SQL. If the SQL query returns a row 26, it will be used as the UseContentsForDuplicateDetection flag.
  • Fixed a problem where some types of authentication would incorrectly succeed when NoEAP was in use. Reported by Heinrich Mislik.
  • Added a new ReplyHook flag to AuthBy RADIUS so that hooks can signal the fact that a request has been redirected, and not to generate a reply from the AuthBy RADIUS. Sample configuration file in goodies/rejectproxy.cfg
  • Fixed a problem with duplicate replies in test suite.
  • When Trace -1 is enabled, prints the PID in the “currently handling” message. Suggested by Robert Patrick.
  • Added various Trapeze VSAs to dictionary, contributed by Andrew Clark.
  • Type of WiMAX-IP-Redirection-Rule in dictionary changed to string. Suggested by Garima Mahadik.
  • Fixed a problem reported with TLS where, under unusual circumstances during a proxied TLS authentication, Net::SSLeay::SESSION_get_master_key could crash due to the TLS session being invalidated. Reported by Matti Saarinen.
  • Added a number of Infoblox VSAs to dictionary. Provided by Andrew D. Clark.
  • Fixed a problem with AuthBy PAM on Solaris: if a request without a username is received, it can cause PAM to go into an infinite loop with messages like: “DEBUG: PAM is asking for 2: ‘Please enter user name'”. Reported by Markus Moeller.
  • Added a number of Huawei VSAs to dictionary.
  • Reinstated changes to password decoding introduced in version 4 that meant that certain non-compliant password encryptions were not decrypted properly. Reported by Roland Rosenfeld.
  • Fixed a problem in ClientList SQL and ClientListLDAP where if the client creation phase fails, it could cause a subsequent crash when findDuplicate() is called within Client.pm. Reported by Shirley Wou.
  • Added placeholders for Symbol (388) VSAs to dictionary.
  • Packets created by EAP-TTLS for proxying now add Message-Authenticator if there is an EAP-Message. This ensures that if the packet is proxied to another RADIUS server, the lack of Message-Authenticator won't prevent processing of the request.
  • Fixed a problem in the StreamTLS certificate verification where it did the subjectAltName checks incorrectly if both URI and (IP or DNS) are checked: it never checked the IP or DNS. Reported by Heikki Vatiainen.
  • Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
  • Fixed a problem where AuthBy DNSROAM did not correctly set ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy RADIUS. Reported by Heikki Vatiainen.
  • Added new attributes from RFC5607 to dictionary.
  • Added new attributes from RFC5580 to dictionary.
  • Fixed a problem that prevented replies to Disconnect-Request and Change-Filter-Request from getting their Authenticator correctly computed. Reported by Jack Ho.
  • For classes that use Stream connections (such as AuthBy RADIUS, ApplePasswordServer), if ConnectOnDemand is set, then Stream always blocks until the connect either succeeds or fails. Requested by Sam Lin.
  • Stream classes now support special characters in Host, HostAddress, ReconnectTimeout. Requested by Sam Lin.
  • Added example Radiator configuration file and hook, showing how to support both RSA OnDemand and SecurID authentication for the same users.
  • Added new parameter DisableMTUDiscovery to ServerRADIUS and AuthBy RADIUS. Disables MTU discovery on platforms that support that behaviour (currently Linux only). This can be used to prevent discarding of certain large RADIUS packet fragments on supporting operating systems.
  • Added support for FramedGroup, StripFromReply, AllowInReply, AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested by Paul Dekkers.
  • Monitor and SNMPAgent clauses now support the Identifier parameter.
  • Fixed a problem that prevented Origin-Host being set correctly in proxied requests. Reported and patched by Arthur Konovalov.
  • Added sample hook to hooks.txt which runs in each child and closes the Monitor and SNMPAgent ports and reopens them on a different port number.
  • Added OSC-Session-Identifier to dictionary.
  • Added support for new special character Z which is replaced by the RADIUS Identifier in the current packet (if any).
  • Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses current_timestamp() instead of now() for better compatibility with more SQL servers. Static password can now be separated from the token string with a ‘:’ to ensure they can be identified, even with non-standard Yubikey token lengths. Suggestions by Jerome Fleury.
  • Minor change to log message when a requested EAP type is rejected, so the name of the desired type is printed. Patch supplied by Alexander Hartmaier.
  • AuthBy LDAP2 now supports multiple space separated Host names, and Net::LDAP will choose the first available one. Patch supplied by Raphael Luta.
  • Fixed a problem which could result in a blank user name in PEAP or TTLS or other inner requests under some very unusual circumstances. Improved EAP context finding algorithm so inner and outer requests with the same User-Name would not collide.
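The HOTP and TOTP entries in 4.5 and 4.6 above (AuthBy SQLHOTP with replay and brute-force detection, counter resynchronisation and a static-password prefix; TOTP per draft-mraihi-totp-timebased; the leading-zero HOTP fix) describe one verification procedure. The following is an added illustration in Python, not Radiator's code: HotpVerifier, its window and failure limits are assumptions standing in for the SQL user record, and SECRET is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 Appendix D test secret ("12345678901234567890"), used only so the
# results below can be checked against the published test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits.  The result is a
    zero-padded string: a code such as "082162583" keeps its leading zero,
    which an integer comparison would silently drop (the leading-zero defect
    fixed in 4.6)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP as in draft-mraihi-totp-timebased: HOTP with the counter set to the
    number of `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Per-user HOTP state, a constructed stand-in for the row an
    AuthBy SQLHOTP-style backend keeps in its database (assumed layout).

    counter          next counter value the server expects
    window           look-ahead size used for counter resynchronisation
    max_failures     consecutive failures before the token is locked
    static_password  optional second factor typed immediately before the OTP
    """

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 6,
                 window: int = 5, max_failures: int = 5,
                 static_password: Optional[str] = None):
        self.secret = secret
        self.counter = counter
        self.digits = digits
        self.window = window
        self.max_failures = max_failures
        self.static_password = static_password
        self.failures = 0
        self.locked = False

    def _fail(self) -> bool:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True          # brute-force protection
        return False

    def verify(self, submitted: str) -> bool:
        if self.locked:
            return False
        # Two-factor form: static password immediately followed by the OTP.
        if self.static_password is not None:
            if not submitted.startswith(self.static_password):
                return self._fail()
            otp = submitted[len(self.static_password):]
        else:
            otp = submitted
        if len(otp) != self.digits or not otp.isdigit():
            return self._fail()
        # Replay detection: counters below self.counter are never accepted.
        # Resynchronisation: accept any counter in [counter, counter + window)
        # and move the stored counter past it so the same code cannot reuse it.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                self.counter = c + 1
                self.failures = 0
                return True
        return self._fail()


if __name__ == "__main__":
    v = HotpVerifier(SECRET)
    print(hotp(SECRET, 0), v.verify("755224"), v.verify("755224"), v.counter)
```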
Revision 4.4 (2009-03-11) Bug fixes and new features.
  • Fixed a problem with AuthBy WIMAX which would fail when TTLS-MSCHAPV2 was used. Improved goodies/wimaxtest to support -mschapv2 flag to cause TTLS-MSCHAPV2 authentication. Reported by “Valentin Tumarkin”.
  • Fixed a memory leak in ClientListSQL and ClientListLDAP where Client clauses may not get reclaimed when the client list is refreshed. Reported by Aaron Mar.
  • Fixed a problem with ServerHTTP where manual editing of a file larger than 16k would cause error ‘413 Request Entity Too Large’. Limit increased to 1MB. Reported by Tito Macapinlac.
  • Fixed a problem with AuthBy NTLM. UsernameMatchesWithoutRealm worked correctly with MSCHAPV2, but not with PAP or MSCHAPV1. Reported by Sami Keski-Kasari.
  • Altered the behaviour of TLS_SubjectAltNameURI in all StreamTLS based protocols (such as RadSec, DIAMETER etc.) at the suggestion of Stefan Winter. Now TLS_SubjectAltNameURI imposes an additional mandatory constraint on the peer certificate. If TLS_SubjectAltNameURI is defined it MUST match at least one subjectAltName:URI in the peer certificate, in addition to any other certificate verification requirements (such as DNS name, host name etc). Requires Net::SSLeay 1.30 or later.
  • Improvements to behaviour of passwords in the form {clear}password, so they will work with CHAP, MSCHAP and MSCHAPV2. Reported by Liam Widdowson.
  • Fixed collisions between some VSAs in dictionary: renamed Cisco attributes Account-Info, Service-Info, Command-Code, Control-Info to have ‘Cisco-‘ prefix. Renamed Command-Code to Enterasys-Command-Code.
  • AuthBy RSAAM now honours UsernameMatchesWithoutRealm and other username transformation parameters. Reported by Sami Keski-Kasari.
  • Fixed a problem where EAP-MSCHAPV2 would incorrectly authenticate users when misconfigured with AuthBy RSAAM. Reported by Sami Keski-Kasari.
  • EAP Generic Token Card now honours UsernameMatchesWithoutRealm. Reported by Sami Keski-Kasari.
  • Tested TTLS-MSCHAPV2 with iPhone 2.0. OK.
  • Added instructions and Portfile for installing Radiator on MacOSX. Contributed by Mark Duling. Deprecated INSTALL.MacOSX and RadiatorMacOSX.tar.gz.
  • Added goodies/lancom-radsec.txt, instructions and hints for configuring a Lancom L-54g wireless Access Point to authenticate using an external RadSec server.
  • Tested against Lancom L-54g wireless Access Point configured for external RadSec authentication for 802.1X. OK.
  • Improvements to AuthBy WIMAX, in order to support Alvarion WiMAX equipment and various other operator requirements, requested by Manuel Kasper. Can now use AuthSelect and AuthColumnDef to alter the SQL authentication query and add reply attributes. You can customise other SQL queries used during WiMAX processing with GetCachedKeyQuery, GetHotlineProfileQuery, GetQosProfileQuery. Can now handle accounting using AcctSQLStatement the same as AuthBy SQL.
  • Fixed a problem where use of Client CIDR addresses would not always result in the correct Client being found. Reported by Fabio Prina.
  • In AuthBy LDAP_APS, PasswordServerAddress was working for PAP, but did not work as expected for MSCHAP and Digest-MD5 authentication. Reported by Mark Duling.
  • Added OSC-Version-Identifier to dictionary.
  • Fixed typos in dictionary. Cisco-Maximum-Time was Cisco-Maximun-Time and Cisco-Maximum-Channels was Cisco-Maximun-Channels. Reported by Fabio Prina.
  • Server TACACSPLUS now sets OSC-Version-Identifier in the RADIUS requests from the version number in the incoming Tacacs+ request. The Major and Minor numbers are combined in a single integer as per the Tacacs+ specification (i.e. version 0 is represented as 192 and version 1 is represented as 193).
  • Incoming requests processed by Server RADSEC were logged twice. Reported by Paul Dekkers.
  • Can now properly send Starent VSAs. Receiving was already supported.
  • Fixed a problem that prevented reply attributes from a TTLS inner reply being sent in the reply to a session resumption. Reported by David Spindler.
  • Fixed a problem where certain malformed RADIUS requests could cause a hard loop.
  • Accounting request that are REJECTED (due, say, to UsernameCharset) are now logged at DEBUG level.
  • Added Trapeze Networks attributes to dictionary. Contributed by P Havekes.
  • AuthBy RADIUS would previously die if it was unable to bind to a socket (for example if a non-existent BindAddress was used). Reported by Andrew D. Clark.
  • AuthBy WIMAX now supports ASCII encoding of WiMAX-Packet-Flow-Descriptor and WiMAX-QoS-Descriptor. They are parsed and converted to the WiMAX required binary format automatically.
  • Improvements to Solaris scripts and config file for use by the Solaris package
  • When LogMicroseconds is used, the microseconds are now left padded with zeroes for easier reading.
  • Can now handle Change-Filter-Request requests in AuthINTERNAL and others. Accept will result in a Change-Filter-Request-ACKed reply and a reject will cause a Change-Filter-Request-NAKed.
  • Fixed a problem with AuthBy RADSEC caused by the recently added LocalAddress support: If the Host address is an IPV6 address, an error with binding to 0.0.0.0:0 was reported. The default bind address is now determined by the operating system, except when LocalAddress is specified. Can now specify LocalAddress as an IPV6 address.
  • Error messages from Server TACACSPLUS now include the originating address and port number. Requested by Andrew D. Clark.
  • Added various Nortel OME6500/OM5000 VSAs to dictionary.
  • Added new option -leap to radpwtst for testing EAP-LEAP.
  • Fixed a number of misspellings from ‘redespatched’ to ‘redispatched’.
  • Fixed some incorrect behaviour of Resolver under perl5.8.8 on some platforms.
  • Improvements to AuthBy RSAAM so that chains of RSAAM authenticators with different Policy settings will work correctly.
  • Added support for Alcatel/Lucent ESAM VSAs (vendor ID 637) which have non-standard VSA format. Also added A-ESAM-* entries to dictionary. Contributed by John Pendleton.
  • AuthBy LDAPDIGIPASS didn’t close its connection if HoldServerConnection wasn’t set. Reported and patched by Kees Guequierre.
  • Added precompiled RPM for Authen-Digipass for perl 5.10 (Authen-Digipass-1.9-1.i686.rpm is for perl 5.8 only).
  • In AuthBy RSAAM, added translations for some further prompts, POLICY_VIOLATION_* etc. Improved prompts during system-generated-PIN mode. Improved support for AM server failover. AM Server failure now causes an IGNORE, and AuthByPolicy ContinueWhileIgnore can be used to try multiple AM servers in sequence until a successful connection is made. Changes to chaining of RSAAM clauses mean that in order to try one RSAAM Policy, followed by another you must use the AuthByPolicy ContinueUntilAcceptOrChallenge.
  • Added support for new AuthByPolicy settings of ContinueWhileChallenge and ContinueUntilChallenge.
  • Added support for EAPTLS_RequireClientCert to TTLS and PEAP. Setting this optional parameter now requires the client to present a valid client certificate during the TLS handshake.
  • Improved documentation in AuthBy ACE examples. Improved misleading user messages when AuthBy ACE is used with AM 7.1. Fixed problems with Authen-ACE4 when used with AM 7.1 and system-generated PINs, requires Authen-ACE4 1.3. New Authen-ACE4 1.3 ppm packages for Windows, including support for Perl 5.10 on Windows.
  • Added precompiled Authen-Digipass ppm package for perl 5.10 on Windows.
  • Improved session resumption in PEAP. Previously, resumed sessions triggered an inner authentication. Now the inner authentication is reused too. Reported by Tom Rixom.
  • Added new hook EAPTLS_CommonNameHook for EAP TLS support. Normally EAP-TLS attempts to match a CN in the client certificate against either the User-Name or EAP identity (either with or without domain names). This hook allows you to extend this matching and match a certificate CN against some other user attribute, such as the Calling-Station-Id as required by some WiMAX devices.
  • Added EAP TLS initialization to add the SHA256 digest, required for some WiMAX devices and certificates. Requested by Jinsong Zhu. Requires Net-SSLeay 1.35 plus latest SVN patches or later and OpenSSL 0.9.8i or later.
  • Fixed a problem with special character %J, which incorrectly had leading spaces before the day number. Reported by Jose Borges Ferreira.
  • Added Citrix-CAG-Groups to dictionary.
  • Added beta version of a new AuthBy EAPBALANCE module. EAPBALANCE distributes EAP conversations among multiple back ends and ensures that a given conversation always goes to the same backend, even in the face of backend failures. Suitable for use with FarmSize for high performance EAP-capable systems on multi-core hosts.
  • Fixed some errors in the types of WiMAX attributes in dictionary. WiMAX-HTTP-Redirection-Rule changed from binary to string. Added WiMAX-Time-Of-Day-Time. Added NAS-Filter-Rule. Requested by Garima Mahadik.
  • Timestamp was incorrectly added twice if a request was redirected through Handler, say by AuthHANDLER or similar.
  • Changes so that the plaintext password is not logged at debug level during Tacacs authentication. Requested by Markus Moeller.
  • Fixed some problems with mixed placeholders causing crashes on Windows when ODBC is in use and when Quote: fails to match properly. Improved error reporting in SqlDb when a prepare croaks. Improvements to nested special character matching to exclude trivial matches caused by embedded curlies. Reported by Edgard B. Haddad.
  • In AuthBy POP3, parameters Host, Port and LocalAddr did not have packet-specific data available for special characters. Reported by Aaron Holtz.
  • Fixed a problem with incorrect statistics for dropped requests when inner TTLS and PEAP requests are proxied. Reported by Dan Cachola.
  • Improved handling of Security Questions prompts in AuthBy RSAAM.
  • Fixed AuthBy IMAP so it will work with Mail-IMAP versions later than 2.99, using the new Mail::IMAP RawSocket call. Reported and patched by Wolfram Grienert.
  • Fixed a problem with Server HTTP where a configuration that contained an AuthLog clause would incorrectly be saved as an AuthBy clause. Reported by Steven R Sterner.
  • AuthBy WIMAX incorrectly set Session-Timeout to the absolute epoch time, rather than the relative KeyLifetime. Reported by Valentin Tumarkin.
  • Fixed a problem in AuthBy WIMAX with DHCP keys that could cause a crash. Also fixed a problem with session resumption when Pseudo Ids are in use. goodies/wimaxtest now supports session resumption with a [-reauth count] command line argument.
  • Fixed a problem with reused session authentication in EAP-TTLS.
  • Added sample configuration files for Radiator, Cisco Nexus 7000 and sample debug file, showing how to set up RBAC – Role-Based Access Control on the Cisco Nexus 7000. Contributed by Matthew Nichols.
  • Fixed a problem when AuthBy RADIUS tries to forward to a non-existent DNS name, a crash could occur. Reported by Patrick Renkens.
  • Ensure TLS does not resume sessions unless EAPTLS_SessionResumption is set.
  • Added support for new parameter in AuthBy WIMAX. MSKInMPPEKeys forces the MSK to be encoded in MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as the usual WiMAX-MSK reply attributes. This is required by some non-compliant clients, such as some Alcatel-Lucent devices.
  • Improved behaviour of AuthBy WIMAX when creating and setting WiMAX-AAA-Session-ID to be compatible with more WiMAX clients. WiMAX-AAA-Session-ID is now only allocated and returned in the Access-Accept. Also made more SQL queries configurable. Reported by Kasra Kangavari.
  • Changed primary key in device_session in sample wimax.sql to match earlier changes to session saving based on session ID instead of NAI.
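The StreamTLS peer-certificate constraints described in these notes (TLS_SRVName in 4.7, which matches only the service and name parts of an SRV name; the 4.5 fix so that a DNS/IP check is still performed when a URI is also checked; and the 4.4 change making TLS_SubjectAltNameURI a mandatory additional constraint) combine as below. This is an added Python illustration, not Radiator's verification code: PeerCert is a constructed stand-in for a parsed certificate's subjectAltName entries, and certificate SRVName entries are assumed to use the RFC 4985 `_Service.Name` form.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Constructed stand-in for the subjectAltName entries of a parsed X.509
    peer certificate (no real certificate parsing is done here)."""
    dns_names: List[str] = field(default_factory=list)
    ip_addresses: List[str] = field(default_factory=list)
    uris: List[str] = field(default_factory=list)
    srv_names: List[str] = field(default_factory=list)  # otherName SRVName, RFC 4985


def srv_parts(name: str) -> Tuple[str, str]:
    """Reduce an SRV name to (service, name), dropping the transport label.
    Accepts the TLS_SRVName form "_service._transport.name" and the RFC 4985
    certificate form "_service.name"; only service and name are compared."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not labels[0].startswith("_"):
        raise ValueError(f"not an SRV name: {name!r}")
    service, rest = labels[0][1:], labels[1:]
    if rest[0].startswith("_"):            # optional _transport label
        rest = rest[1:]
    if not rest:
        raise ValueError(f"SRV name has no host part: {name!r}")
    return service.casefold(), ".".join(rest).casefold()


def srv_name_matches(expected: str, cert: PeerCert) -> bool:
    """TLS_SRVName rule: a certificate without SRVName entries is not
    constrained; one that has them must carry at least one matching entry."""
    if not cert.srv_names:
        return True
    want = srv_parts(expected)
    return any(srv_parts(s) == want for s in cert.srv_names)


def host_matches(target_host: str, cert: PeerCert) -> bool:
    """Match the configured Host against DNS entries (case-insensitively, as
    DNS names are not case sensitive) or, for a literal address, against IP
    entries (normalised, so 2001:DB8::1 equals 2001:db8::1)."""
    try:
        ip = ipaddress.ip_address(target_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    want = target_host.casefold().rstrip(".")
    return any(d.casefold().rstrip(".") == want for d in cert.dns_names)


def verify_peer(cert: PeerCert, target_host: str,
                srv_name: Optional[str] = None,
                required_uri: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Apply every configured constraint independently and report all
    failures.  The DNS/IP check always runs, even when a URI constraint was
    also configured and satisfied, which is the case the 4.5 fix addressed."""
    reasons: List[str] = []
    if required_uri is not None and required_uri not in cert.uris:
        reasons.append("no subjectAltName URI matches TLS_SubjectAltNameURI")
    if not host_matches(target_host, cert):
        reasons.append(f"no subjectAltName DNS/IP entry matches {target_host}")
    if srv_name is not None and not srv_name_matches(srv_name, cert):
        reasons.append(f"subjectAltName SRV entries do not match {srv_name}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample certificate; the URI is a placeholder, not a real one.
    cert = PeerCert(dns_names=["RADSEC.Example.COM"],
                    uris=["https://example.com/radsec"],
                    srv_names=["_radsec.example.com"])
    print(verify_peer(cert, "radsec.example.com",
                      srv_name="_radsec._tcp.example.com",
                      required_uri="https://example.com/radsec"))
    print(verify_peer(cert, "other.example.com",
                      required_uri="https://example.com/radsec"))
```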
Revision 4.3.1 (2008-07-29) Bug fixes
  • Added new parameter PasswordServerAddress to AuthBy LDAP_APS, which forces Radiator to use the specified address as the address of the Apple Password server, instead of deducing it from the user’s password details. Addresses may be one of the forms: 203.63.154.59, dns/yoke.open.com.au, ipv4/203.63.154.59 or ipv6/2001:720:1500:1::a100. This can be useful with replicated password servers. Suggested by Matt Richard.
  • Reverted changes to PreClientHook introduced in 4.3. PreClientHook is now called before despatch to any Client clause. It will always be called even if there is no matching Client, but the attributes will not have been decrypted (as decrypting is done in the context of a particular Client). The new parameter ClientHook has been added to the Client clause, and is called immediately after the attributes have been decrypted by the Client. Requested by Heikki Vatiainen.
  • Fixed problems with trailing NULs not being stripped from User-Name. Reported by Dawn Lovell.
  • Fixed a problem with double logging of reply packets from AuthBy RADSEC. Reported by Paul Dekkers.
Revision 4.3 (2008-07-17) New modules and bug fixes
  • Added new AuthBy RSAAM module that supports RSA Authentication Manager 7.1 and later. Supports PAP, GTC, OTP, PEAP-GTC, TTLS-PAP etc. Supports all AM authentication methods, including traditional SecurID tokens, static passwords, OnDemand passwords delivered by SMS or email, security questions etc. Runs on all platforms supported by Radiator. Requires SOAP::Lite and prerequisites for SSL, including Crypt::SSLeay or IO::Socket::SSL+Net::SSLeay. Sample configuration files included.
  • Added support for LocalAddress and LocalPort to AuthBy RADSEC. Suggested by Jan Tomasek.
  • AuthBy RADSEC now does case-insensitive matches between the RadSec server certificate DNS name and the target server Host name. Previously, matches were case-sensitive. Suggested by Jan Tomasek.
  • Fixed a number of problems with handling the integer64 type, especially when salt encoded.
  • Added support for Quote format to format_special, allowing SQL database specific quoting to be used in any configurable parameter in any SQL based module. The new format %{Quote:somestring} will be replaced by the string quoted in the correct format for the SQL database in use. For example when used with a mysql database, %{Quote:somestring} would be replaced by ‘somestring’.
  • Added new AuthBy HANDLER module. This clause allows requests to be redirected to a Handler based on the Handler’s Identifier. Sample configuration file authhandler.cfg included.
  • Fixed a problem where Radiator would crash if PidFile specified a non-existent directory.
  • Added a number of HP VSAs to the dictionary. Also BATM-privilege-group Guests was incorrectly given as 5 instead of 15. Adjusted types of WiMAX-Hotline-Indicator and WiMAX-Hotline-Profile-ID to string as per NWG docs.
  • Fixed a problem with Monitor and ServerDIAMETER clauses which could cause a crash if the Clients parameter is specified and a request is received from an address not named in that Clients parameter.
  • Added new Configurable function format_ctime that returns the local time formatted to include microseconds if the object or ServerConfig has LogMicroseconds set. Used by Log FILE, Monitor, ServerConfig, ServerHTTP.
  • Added and corrected a number of Redback VSAs from data provided by Redback.
  • Fixed problems with dictionary tag-based encrypting of named integer attributes such as RB-LI-Action and others. Required some restructuring of unpackRadiusAttrs/decode_attrs and removal of encode_attrs. Reported by Ian Forster.
  • Fixed a problem with encrypting long strings: the resulting encryption was wrapped with added newlines. Reported by Dan Cachola.
  • Fixed a problem where DefineGlobalVar and DefineFormattedGlobalVar configuration parameters were not saved correctly by the Server HTTP web console.
  • Improvements to ability of Ldap connections with HoldServerConnection to detect disconnection by the server or a firewall. Patch contributed by Bjoern A. Zeeb.
  • Added new parameter PageNotFoundHook to Server HTTP. If a page is requested but not found in the set of built-in pages PageNotFoundHook is called to try to handle the request. PageNotFoundHook is passed the requested URI and a reference to the ServerHTTP connection. If it can handle the request, it returns an array of ($httpcode, $content, @headers). Requested by Marijke Vandecappelle.
  • Moved the location of PreClientHook call to the very beginning of the Client handle_request, so that decoded and decrypted attributes are available to PreClientHooks. Now, PreClientHook will _not_ be called if there is no matching Client clause. Also, within PreClientHook, the $->{Client} member will now be set to the Client clause handling the request, which may be helpful in some PreClientHooks.
  • Improved compatibility with some EAP-TTLS clients that previously would have required EAPTTLS_NoAckRequired. Reported by Ian Forster.
  • TLS/TTLS/PEAP/RadSec and other SSL users will now use any built-in OpenSSL crypto engines provided the installed Net::SSLeay supports ENGINE_load_builtin_engines and Net::SSLeay::ENGINE_register_all_complete (i.e. 1.33_01 and later). ‘pkcs11’ will be set as the default engine provided it exists.
  • Compatibility with the new OSC-IMC TNC collector in the latest version of libtnc. The format of the OS_DETAIL message and others changed.
  • Improved behaviour of TTLS in the unlikely case that openssl resumes the wrong session. Suggested by Belmont Cheung.
  • Improvements to AuthBy SAFEWORD. The new parameter GroupReply maps SafeWord ActionData group names into sets of reply items. Added examples to sample config file. Suggested by Johan Frid.
  • Fixed a problem where a Monitor port that was not correctly closed would not destroy the Monitor, permitting messages to continue to be buffered and causing memory exhaustion. Reported by Thomas Schlottke.
  • Backed out changes to RADIUS socket opening introduced in 4.2: RADIUS socket was opened with SO_REUSEADDR, to prevent socket reopening issues on FreeBSD, but this results in always being able to bind to an existing socket on some platforms. Reported by Steve Rogers.
  • Added support for Client CIDR address specifications. Can now have <Client 203.63.154.0/24>. Also permits CIDR specifications and MAC: addresses in the IdenticalClients parameter.
  • Added a number of Nortel and Juniper VSAs to dictionary. Contributed by Ronald van der Pol.
  • Fixed a problem where runt EAP-Messages could cause a confusing but useless Access-Accept. Reported by Tom Rixom.
  • Added OSC-Provider-Identifier and OSC-Environment-Identifier to dictionary.
  • AuthBy RADMIN now supports AuthSelectParam for improved performance and also supports bind variables for UserAttrQuery and ServiceAttrQuery. Altered sample config to show how to use it.
  • Changed the name of Expiration attribute (21) to Ascend-PW-Expiration to prevent collisions with the Expiration check item. Also changed the type to string to be compatible with other RADIUS servers.
  • Fixed a problem with incorrect results for %u and %w and %W if a global RewriteUsername was used.
Revision 4.2 (2008-03-10) Minor bug fixes
  • Added support to EAP-TLS for examining the SubjectAltNames in the client certificate and matching against Windows UPN, which is a GEN_OTHERNAME. Suggested by Markus Moeller.
  • Fixed a dictionary syntax error with a Huawei attribute and replaced it with the correct Huawei-Qos-Profile-Name. Reported by Andreas Schwarz.
  • Fixed a problem where HUP on FreeBSD would not result in the RADIUS ports being closed properly, resulting in ‘Could not bind authentication socket: Address already in use’. Reported by Paul Dekkers.
  • Fixed a problem in Monitor, where a quit command would cause a crash. Also improved handling of too many bad authentications. Reported by Ernst Oudhof.
  • Fixed a problem where Server DIAMETER could refuse a reconnection from a previously connected peer. Reported and patched by Jose Borges Ferreira. Thanks Jose.
  • Fixed a problem where Server HTTP could crash during authentication with some configurations.
Revision 4.1 (2008-02-22) Bug fixes
  • Fixed a problem where anonymous logins to ServerHTTP would not get a Privilege Level. Reported by Dominic J. Eidson.
  • Fixed a significant memory leak that affected certain installations with multiple clients.
  • Fixed a problem where the Configuration Edit link was not displayed on the ServerHTTP GUI in the Locked version.
  • Improved configuration file saving for the case where AuthBy objects are referred to by Identifier. Reported by Dominic J. Eidson.
  • OSC now provides precompiled Net::SSLeay+OpenSSL+EAP-FAST-patches bundles for Linux and Windows. Updated documentation in goodies/eap_fast.txt describing how to install these precompiled bundles.
  • Added new function Radius::AuthWIMAX::get_cached_keys to fetch $sessionid, $mip_rk, $mip_spi, $fa_rk from the database given the outer nai. Requested by Ian Forster.
  • SimpleClient now correctly generates a random authenticator instead of a fixed one.
  • Reinstated support for EAPErrorReject which was accidentally lost from some modules.
  • Fixed a problem where EAPTLS_CAPath would not be set correctly if EAPTLS_CAFile was not defined. Reported by Jan Tomasek.
  • Fixed documentation of EAPTLS_CertificateVerifyHook. The list of arguments passed was incorrect, and out by an index of one. Reported by Jan Tomasek.
  • Added new special character %K, which is replaced with the realm name after the last @ in the user name. Requested by Michael Kwan.
  • Added to dictionary 2 new values for Error-Cause defined in RFC 5176.
  • Fixed a problem with fideliosim.pl not working correctly with serial ports.
  • AuthBy PAM now supports AuthenticateAttribute. Contributed by Markus Moeller.
  • A number of improvements to Diameter support, contributed by Jose Borges Ferreira: In Handler clauses you can catch Diameter attributes: <Handler DiaRequest:Auth-Application-Id=NASREQ> or <Handler DiaRequest:Disconnect-Cause=CREDIT_CONTROL>. Added extra methods vendorByName (returns vendor data for a given vendor name) and grouped_attr (allows easy manipulation of grouped attributes). Added avp type vendor, which is an Unsigned32 variant (like enumerated) that tries to translate vendor name to vendor number and vice versa. Grouped attributes within grouped attributes are logged with alignment. New attribute SupportedVendorIds for Server DIAMETER. This optional parameter allows you to define the Supported Vendor Ids announced in CER. Defaults to BASE(0). Thanks Jose Borges Ferreira.
  • EAP-FAST was not correctly REJECTING with an EAP failure after a RESULT FAILURE message was received from the client, causing retransmissions of the original RESULT FAILURE message. Reported by Jim Veneskey.
  • Added support for AuthLog in Server HTTP. Suggested by Markus Moeller.
  • AuthBy TEST did not correctly support the Identifier parameter. Reported by Ian Forster.
  • Changes to Server HTTP so that manually edited configuration files are saved with the correct line endings appropriate for the local machine. Reported by Jin Tao.
  • When running as a service under Windows, did not correctly restart when a ‘restart server’ command was given by either Monitor or ServerHTTP. Reported by Jin Tao.
  • Improvements to ServerHTTP, adding some attributes to the Radius packet used to authenticate Server HTTP access, including NAS-IP-Address and Calling-Station-Id. Contributed by Markus Moeller.
  • Added support for EAPTLS_CertificateChainFile wherever EAPTLS_CertificateFile is supported, and added support for TLS_CertificateChainFile wherever TLS_CertificateFile is supported. The ChainFile parameter specifies the name of a file containing a certificate chain for the Radius server certificate. Suggested by Jan Tomasek.
  • Added more detail to WARNING log when AuthBy HASHBALANCE declines to break up an EAP stream.
  • AuthBy RADSEC would not always reply with the correct type of packet. Reported by Paul Dekkers.
  • Fixed problems when Server RADSEC or Server DIAMETER were in use and a SIGHUP was received. Reported by Paul Dekkers.
Revision 4.0 (2008-01-14) Significant new features and some bug fixes
  • Added support for Radiator monitoring and configuration via a web browser, using the new ServerHTTP module. Sample configuration file in goodies/serverhttp.cfg shows how to enable support in any configuration file.
  • Added AuthBy WIMAX module to handle WiMAX authentication and key generation. Uses an SQL database to hold subscription/authentication information and to cache keys and save accounting. Supports: Authentication of users and devices from SQL database (most EAP types supported). Generation and caching (in SQL) of MIP-RK, MIP-SPI and FA-RK for each device session. Generation of mobility keys for both NAS and HA requests. Generation, caching (in memory) and refreshing of HA-RK, HA-SPI for each HA. Generation, caching (in memory) and supplying DHCP-RK and Key-Id for NAS and DHCP requests. Hotlining profiles. This is an early release Alpha version of WiMAX support which has not yet received extensive testing. Feedback and bug reports are welcomed.
  • Improved performance and behaviour of RADIUS duplicate and retransmission detection in line with RFC 5080. Duplicates and retransmissions within the DupInterval timeout are now detected using the sender’s source port in line with RFC 2865. Detected retransmissions that have already been replied to will have their earlier reply retransmitted, preventing problems with decoding of duplicate TLS/TTLS/PEAP fragments. A retransmission that has not (yet) been replied to will be dropped as before.
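The three outcomes described in this entry (new request, retransmission answered from cache, duplicate dropped while still in progress) as an added illustration in Python; this is not Radiator code, and the class name, DupInterval value, addresses and packet bytes are constructed assumptions.

```python
"""Duplicate / retransmission detection for RADIUS requests, modelled on the
behaviour this changelog entry describes (RFC 5080 section 2.2.2, with the
RFC 2865 rule that the sender's source port is part of the request identity).
Added illustration, not Radiator code; names and values are assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (source IP, source port, Identifier, Request Authenticator)
DupKey = Tuple[str, int, int, bytes]


@dataclass
class _Entry:
    first_seen: float
    reply: Optional[bytes] = None  # set once the request has been answered


class DuplicateCache:
    """Tracks recently seen requests for DupInterval seconds."""

    def __init__(self, dup_interval: float, clock: Callable[[], float] = time.monotonic):
        self.dup_interval = dup_interval
        self.clock = clock
        self._entries: Dict[DupKey, _Entry] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, e in self._entries.items() if now - e.first_seen > self.dup_interval]
        for k in stale:
            del self._entries[k]

    def receive(self, src_ip: str, src_port: int, ident: int, authenticator: bytes):
        """Classify an incoming request.

        ("new", None)          -> process it normally
        ("retransmit", reply)  -> resend the cached reply, do not reprocess
        ("drop", None)         -> duplicate of a request still in progress
        """
        now = self.clock()
        self._expire(now)
        key = (src_ip, src_port, ident, authenticator)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = _Entry(first_seen=now)
            return ("new", None)
        if entry.reply is not None:
            return ("retransmit", entry.reply)
        return ("drop", None)

    def record_reply(self, src_ip: str, src_port: int, ident: int,
                     authenticator: bytes, reply: bytes) -> None:
        """Remember the reply so a later retransmission gets the same answer."""
        entry = self._entries.get((src_ip, src_port, ident, authenticator))
        if entry is not None:
            entry.reply = reply


def run_scenario():
    """Constructed traffic: one NAS retransmitting the same Access-Request."""
    clock = [0.0]
    cache = DuplicateCache(dup_interval=10.0, clock=lambda: clock[0])
    nas, port, ident = "192.0.2.10", 45000, 7      # constructed values
    auth = bytes(range(16))                         # constructed Request Authenticator
    reply = b"\x02\x07\x00\x14" + bytes(16)         # constructed Access-Accept header
    decisions = []
    decisions.append(cache.receive(nas, port, ident, auth)[0])      # first copy
    decisions.append(cache.receive(nas, port, ident, auth)[0])      # retry before we answered
    cache.record_reply(nas, port, ident, auth, reply)
    decisions.append(cache.receive(nas, port, ident, auth)[0])      # retry after answering
    decisions.append(cache.receive(nas, port + 1, ident, auth)[0])  # other source port: distinct
    clock[0] += 11.0                                                # past DupInterval
    decisions.append(cache.receive(nas, port, ident, auth)[0])      # entry expired
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```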
  • radpwtst now generates random Authenticators.
  • Minimum supported version of Perl is now 5.6.0.
  • Sample certificates updated to expire Jan 13 03:42:47 2010 GMT.
  • Added support for EAP-FAST. Requires patches for OpenSSL and Net-SSLeay, which are included. Includes detailed instructions for patching OpenSSL and Net-SSLeay and configuring for EAP-FAST.
  • Added support for standard WiMAX VSAs to dictionary, and support for WiMAX VSA continuation flags in packing and unpacking, plus automatic salted encryption and decryption of WiMAX attributes that require it (keys etc). As per WiMAX_End-to-End_Network_Systems_Architecture_Stage_2-3_Release_1.1.0, NWG_R1.1.0-Stage-3.pdf.
  • Added support for additional standard dictionary type integer64 required by draft-ietf-radext-design-02.txt. Previous integer8 attributes in dictionary changed to integer64. Integer8 now means one octet. Integer1 is still treated as integer8 for backwards compatibility.
  • Added WiMAXTLV module for packing and unpacking WiMAX TLV sub-attributes, including symbolic definitions of some WiMAX TLVs.
  • Added support for new dictionary attribute types integer8, integer16, signed-integer and ipaddrv4v6, required by WiMAX.
  • Added WiMAX module for computing various WiMAX keys and other WiMAX routines.
  • All EAP types now export the MSK by setting {msk} in the appropriate reply packet. They also optionally export the EMSK in {emsk} if ExportEMSK is set.
  • Added a number of 3GPP attributes to dictionary.
  • When using LEAP with EAP_LEAP_MSCHAP_Convert, some clients would not complete the handshake due to an Access-Accept being sent instead of Access-Challenge.
  • Improvements to AuthBy HASHBALANCE so that EAP sequences from any given user will not be split between hosts during a failover.
  • Fixed a problem with undefined getEAPContext when used with some configurations of AuthBy HASHBALANCE. Reported by Alison Lee.
  • Added a number of Motorola-WiMAX attributes to dictionary. Contributed by Thomas Hartley.
  • Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure history, backoff time etc are cached within Radiator memory, so that SQLRADIUS can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
  • Improvements to AuthBy GROUP so that it better handles chains of authenticators with EAP type requests, such as LEAP, EAP-MSCHAPV2 etc. Reported by Jani Kariniemi.
  • Reinstated behaviour that was removed in Radiator version 3.15: empty attributes, including empty strings are now permitted to be packed into Radius packets.
  • Fixed a problem with acknowledgements and the Fidelio Opera interface when using TCP. Reported by Andrea Coppini.
  • Added new parameter AgentName to AuthBy SAFEWORD. This field is used when authorizing a request to SafeWord, and allows us to do things like enforce ACLs, Roles, which authenticator in the user record to use when they have multiple, whether to send a MobilePass password, etc. It is very useful! Contributed by David LePage.
  • Added 2 new attributes oscRadiusDefaultRealm and oscRadiusIdentifier to the sample LDAP schema in radiator-ldap.schema. Contributed by Jame Schell.
  • Added new special character %X, which is replaced by the EAP identity, with any trailing @realm stripped off. Patch provided by Heikki Vatiainen.
  • When radpwtst is used with -accton or -acctoff it now always includes an Accounting Session ID. Suggested by Dan Cachola.
  • All modules now generate 32 octet MPPE keys for WPA compatibility. Reported by Dominic J. Eidson.
  • RadSec and Diameter client and server modules now support TLS_SubjectAltNameURI parameter for certificate validation. TLS_SubjectAltNameURI is a regexp which can match against any Subject Alt Name of type URI. If a match is found the certificate will validate. Suggested by Stefan WINTER. Examples added to configs.
  • ServerRADSEC now honours Status-Server requests directly in the same way as Client. Requested by Stefan WINTER.
  • Fixed a problem with resolving ipv6: names with DNS on RadSec and Diameter connections. Reported by Patrick Renkens.
  • A debugging print statement was inadvertently left in AuthBy LDAPDIGIPASS.
  • Fixed a problem that prevented LocalAddress and OutPort being set for all hosts in AuthBy SQLRADIUS. Reported by Yves Martel.
  • Prevent crashes after signal -HUP with multiple AuthBy KRB5. Reported by Barry Ard.
  • Improvements to sample goodies/radiator.sh startup script, allowing /etc/rc.conf to control the radiator_config file. Provided by Erik Klavon.
  • Added sample hook eap_acct_username.pl, which copies the inner username to the Access-Accept User-Name field so a NAS (Access Point) can provide accounting information with correct (inner) User-Name. Contributed by Rok Papez.
  • Module and sample configuration file that allows RADIUS clients to get user presence information from an SQL accounting database. Special Access-Requests with Service-Type=Call-Check-User are answered with an Access-Accept containing OSC-User-Presence-Indicator, OSC-User-Presence-Location and OSC-User-Presence-Timestamp, indicating whether and where the user last logged in. Can be used by RADIUS enabled VOIP routing modules etc. Supports mapping of NAS IDs into readable location names etc.
  • Fixed possible socket exhaustion in Server TACACSPLUS under certain unusual circumstances.
  • New RPM packages of Authen-Digipass 1.9 module for both 32 and 64 bit Linux platforms. The 32 bit package contains Vacman Controller 3.5 and the 64 bit package contains Vacman Controller 3.7.
  • Updated Windows Authen-Digipass PPM packages to 1.9. Contains Vacman Controller 3.5 libraries.
  • AuthBy SQL and AuthBy SQLRADIUS now support the AuthSelectParam parameter, which allows SQL bind variables to be used. The first 32 SQL queries that use AuthSelectParam are subject to SQL query caching, which can significantly improve the performance of the SQL server. Patches by Dan Cachola.
  • Fixed a case where the server could crash after receiving malformed requests such as those sent by nmap. Reported by Sven Henderson.
  • Added support for Expiration dates in format ‘mmm dd yy(yy)’, such as ’24 Jul 2007′, for compatibility with some SQL database date formats.
  • Added support for new special character %J which produces the request timestamp in the format ‘yyyy-mm-dd hh:mm:ss’.
  • Added support for new check items Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session, along with new AuthBy SQL parameters AcctTotalQuery and AcctTotalSinceQuery. The combination provides a way to check that users have not exceeded hourly, daily, weekly or total usage requirements. These check items are compatible with FreeRadius check items of the same name. They are also compatible with Session-timeout=until ValidTo, which will compute a session timeout based on the most restrictive Max-*-Session time left.
  • New AuthBy FREERADIUSSQL is compatible with standard FreeRadius SQL databases, and can be used with the daloRADIUS user manager. Enables easy migration from FreeRadius to Radiator, or allows Radiator to be used with a range of FreeRadius user management packages. Includes sample configuration file.
  • Improved modularity of encryption functions. Fixed a problem with encryption of Ascend-Send-Secret and Ascend-Receive-Secret, in the case where the secret was more than 16 octets. Most encryption functions decomposed to decode_salted and encode_salted.
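Salted attribute encryption of the kind referred to above for WiMAX key attributes and for the decode_salted/encode_salted split, as an added example in Python. This implements the RFC 2868 section 3.5 Tunnel-Password salting scheme, the standard salted method; whether Radiator's helpers match it exactly is not stated on this page, so treat that as an assumption. Function names, the test secret, salt and key values are constructed, and the code is not Radiator's.

```python
"""RFC 2868-style salted encryption: Salt(2) || c(1) || c(2) ...
b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i)
where S = shared secret, R = Request Authenticator, A = 2-octet salt.
Added example, not Radiator code; helper names are assumptions."""
import hashlib
import os
from typing import Optional


def encode_salted(plaintext: bytes, secret: bytes, request_auth: bytes,
                  salt: Optional[bytes] = None) -> bytes:
    """Return Salt || ciphertext. The salt's high bit must be set (RFC 2868)."""
    if len(plaintext) > 255:
        raise ValueError("plaintext too long for the one-octet length field")
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    # P = Length || plaintext, NUL-padded to a multiple of 16 octets
    p = bytes([len(plaintext)]) + plaintext
    p += b"\x00" * (-len(p) % 16)
    out = bytearray()
    prev = request_auth + salt                      # b(1) = MD5(S + R + A)
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c                                    # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def decode_salted(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_salted; rejects malformed lengths and bad salts."""
    if len(encoded) < 18 or (len(encoded) - 2) % 16:
        raise ValueError("encoded value must be a salt plus whole 16-octet blocks")
    salt, cipher = encoded[:2], encoded[2:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    out = bytearray()
    prev = request_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    n = out[0]
    if n > len(out) - 1:
        raise ValueError("length octet larger than decrypted data")
    return bytes(out[1:1 + n])


def roundtrip(value: bytes, secret: bytes, request_auth: bytes,
              salt: Optional[bytes] = None) -> bool:
    """True if value survives encode followed by decode."""
    return decode_salted(encode_salted(value, secret, request_auth, salt),
                         secret, request_auth) == value


if __name__ == "__main__":
    ra = bytes(range(16))                 # constructed Request Authenticator
    key = bytes(range(0x10, 0x24))        # constructed 20-octet key: spans two blocks
    print(roundtrip(key, b"secret", ra))  # keys longer than 16 octets need the chained blocks
```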
  • Added support for encryption of Motorola-WiMAX-MIP-KEY attribute.
  • Testing with Strawberry Perl 5.8.8 alpha 2 http://win32.perl.org/wiki/index.php?title=Strawberry_Perl on Windows XP. OK (Testing requires Win32::Process to be installed using cpan using ‘force install Win32::Process’).
  • Altered the algorithm Server TACACSPLUS uses to find the encryption key for a given Tacacsplus client. The order of preference is now: Per-Client TACACSPLUSKey, ServerTACACSPLUS Key, Per-Client Secret. This means that you can use ClientListSQL to provide per-client Tacacs+ keys. Updated documentation to describe the Key search algorithm.
  • Added support for the FreeRadius style dictionary flags has_tag, encrypt=1, encrypt=2 and encrypt=3. Requested by Dan Cachola.
  • Added support for a number of FreeRadius style dictionary keywords: BEGIN-VENDOR, END-VENDOR, $INCLUDE, as well as Radiator style include commands. Some improvements to dictionary parsing and error reporting.
  • Added new parameter SessionDatabaseUseRewrittenName to Handler and Realm. Causes the rewritten username (instead of the original user name) to be used for session database purposes.
  • Performance improvements and rationalisation in RADIUS packet assembly and disassembly.
  • Testing with Perl CamelPack on Windows XP. OK.
  • Added Motorola Canopy attributes to dictionary.
  • Improved compatibility with some EAP-GTC clients that require CHALLENGE= prompts, and deliver RESPONSE=a\0b responses.
  • Special characters now permit nested constructions of the form %{x:%{y:z}}.
  • Added -options flag to radpwtst, which makes it read additional command line flags and arguments from the named file.
  • In AuthBy RADIUS, the Host name can now contain nested special characters. Patch provided by “Valentin Tumarkin”.
  • Disable OpenSSL 0.9.9 SessionTicket support when negotiating RadSec TLS connections, otherwise get TLS ‘unexpected message’ errors.
  • Added support for new dictionary type ‘integer1’ which translates integers encoded as a single octet.
  • Added support for new dictionary type ‘integer2’ which translates integers encoded as a 16 bit unsigned (2 octets).
  • Added a number of BATM, NS and Alcatel attributes to dictionary. Contributed by Ernst Oudhof.
  • ServerTACACSPLUS now puts Acct-Session-Id in Radius packets derived from accounting requests.
  • New TacacsClient module provides basic Tacacs+ client services.
  • goodies/tacacsplustest was rewritten in terms of the new TacacsClient module.
  • ‘make clean’ now removes all files created by ‘make test’.
  • EAP-TLS now honours machine certificates, i.e. where the User-Name and/or identity is in the form host/machinename, but the CN in the certificate has just CN=machinename.
  • Radius port listeners refactored into new ServerRADIUS module.
  • Removed SSLeayTrace from all sample configs. Does nothing now.
  • Significant refactoring of code from ServerHTTP, ServerRADSEC, ServerDIAMETER and Monitor to new module StreamServer.
  • ConfigKeywords can now include documentation for the benefit of ServerHTTP.
  • Removed dead Synchronous code from AuthRADSEC. Suggested by Bjoern A. Zeeb.
  • AuthBy RADIUS and RADSEC now drop replies with bad signatures in line with documentation and RFCs. AuthBy RADIUS still allows this behaviour to be overridden with the IgnoreReplySignature flag.
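The reply signature check this entry refers to is the RFC 2865 Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The following is an added Python example, not Radiator code: it builds a request with a random authenticator, a genuine reply, a reply made with the wrong secret and a tampered reply, and shows which ones a proxy should accept; the function names, the override flag modelled on IgnoreReplySignature and all secrets and attribute values are constructed assumptions.

```python
"""Verifying the Response Authenticator on a RADIUS reply (RFC 2865 section 3).
Added example, not Radiator code; names, secrets and values are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(ident: int, attrs: bytes) -> Tuple[bytes, bytes]:
    """Client side: a fresh random Request Authenticator for every request."""
    request_auth = os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_signature_valid(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator and compare it in constant time."""
    if len(reply) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def accept_reply(reply: bytes, request_auth: bytes, secret: bytes,
                 ignore_reply_signature: bool = False) -> bool:
    """Drop replies with a bad signature unless the override flag is set."""
    return reply_signature_valid(reply, request_auth, secret) or ignore_reply_signature


def demo() -> dict:
    """Constructed exchange: genuine reply, reply under the wrong secret, tampered reply."""
    secret = b"constructed-shared-secret"
    _request, request_auth = build_request(42, attribute(ATTR_USER_NAME, b"alice"))
    reply_attrs = attribute(ATTR_REPLY_MESSAGE, b"Welcome")
    good = build_reply(ACCESS_ACCEPT, 42, reply_attrs, request_auth, secret)
    forged = build_reply(ACCESS_ACCEPT, 42, reply_attrs, request_auth, b"wrong-secret")
    tampered = bytearray(good)
    tampered[-1] ^= 0x01  # flip one bit inside Reply-Message after signing
    return {
        "good": accept_reply(good, request_auth, secret),
        "forged": accept_reply(forged, request_auth, secret),
        "tampered": accept_reply(bytes(tampered), request_auth, secret),
        "forged_but_ignored": accept_reply(forged, request_auth, secret, ignore_reply_signature=True),
    }


if __name__ == "__main__":
    print(demo())
```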
  • Added new dictionary type signed-integer, a 32 bit signed integer.
  • Added support for new Cisco optional attributes in ServerTACACSPLUS, contributed by Kristian Larsson, for example: AuthorizeGroup xr-friendly permit service=shell cmd\* {task*#root-system,#cisco-support priv-lvl=15}
  • AuthBy DIGIPASS, when validating Challenge-Response (CR) tokens, now caches the last challenge internally instead of relying on the RADIUS client and the State attribute. New configuration parameter ChallengeTimeout allows configuration of the maximum time period the challenge is valid for.
  • EAP-TTLS incorrectly copied attributes from the inner ACCEPT to the outer ACCEPT using change_attr, which prevented multiple instances of the same attribute being copied.
  • In ClientListSQL, the PREHANDLERHOOK value returned by GetClientQuery can now contain either the text of the hook, or a hook filename in the form ‘file:/path/to/hook’. Patch supplied by “Jose Borges Ferreira”.
  • Minor changes to SIP authentication in line with forthcoming RFC 5090.
  • Reference manual is no longer shipped as HTML, only as PDF and PostScript.