Radiator revision history
Revision 4.27 (2022-12-21) major TLSv1.3 features and updates, other enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
- Significant LDAP updates to connection and TLS handling.
- Red Hat Enterprise Linux 9 and its derivatives are now supported.
- Ubuntu 22.04 is now supported.
- Session resumption is enabled for EAP-TLS with TLSv1.3 but remains disabled for the other TLS based EAP methods.
- TLSv1.3 is supported by EAP-TLS, EAP-TTLS and PEAP but remains disabled by default.
- TLSv1.3 is tested with RadSec and other Stream modules but remains disabled by default.
- Radiator can log TLS key material to a file to allow fully decrypting EAP and Stream SSL/TLS sessions.
- TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured.
- Fix and enhance EAP-FAST. Requires Net::SSLeay 1.94 or later with OpenSSL 1.1.1 and later.
- Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.
Known caveats and other notes
- TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.
- EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with OpenSSL 1.1.1 and later.
Detailed changes
- Add Windows Server and Microsoft SQL Server specific TOTP configuration samples in goodies.
- Update Docker files in goodies directory. Change Centos 8 to AlmaLinux 8, add Alma Linux 9, Ubuntu 22.04 and Windows Server Core 2022.
- Fix EAP-FAST with TLSv1.1 and TLSv1.2. Requires Net::SSLeay 1.94 or later when OpenSSL version is 1.1.1 or later. Allow server authenticated
- EAP-FAST to work without PAC.
- Enhance handling of LDAP server name resolution, TLS configuration, failure backoff handling and logging. When using DNS name to connect to LDAP server, the name can now be resolved before connecting with new flag parameter ResolveHost. When a name has multiple addresses, a connection attempt is made to address until a working server is found. Failure backoff is kept separately for each resolved address. SSLExpectedServerName now supports multiple values that are used together with Host entries.
- Update generate-totp.pl to do URI escaping when creating QR codes. Previously QR code URI components were not escaped causing problems when issuer and accountname contain special characters. Add support for defining QR code image file name.
- Updated deprecated MySQL GRANT syntax in goodies examples. Beginning with MySQL 8.0, CREATE USER is needed before GRANT.
- AuthPLSQL.pm goodies module parameter binding broke when the module was updated in Radiator 4.25 to work with Perl 5.22 and later. Values were left unchanged between query executions.
- Added VENDOR 42229 Coriant with a number of Coriant prefixed attributes to the default RADIUS dictionary. These may also be under name Infinera in some sources. Infinera aquired Coriant in 2018.
- Fix uninitialised log trace id triggered by log level changes with USR1 and USR2 signals. Make ServerTACACSPLUS log level for immediate disconnects follow DisconnectTraceLevel parameter. Update builddbm to work outside of Radiator installation directory similarly to radpwtst. Report and contributions by Patrik Forsberg.
- Update CEF logging in LogFormat.pm. CEF authentication and accounting log messages now add original username, if present, in log messages. Any non-printable octets in CEF log messages are now escaped similarly to packet dumps. This satisfies UTF-8 encoding requirement. Enhanced escaping and whitespace handling.
- Minor updates to tests to to address SHA-1 deprecation in Red Hat Enterprise Linux 9. Packages are now built for RHEL9 compatible systems.
- Reject EAP-TLS authentication when post handshake TLS data is received in the final acknowledgement after a successful TLS handshake. No data is needed in this case and its presence is an indication of message corruption, TLS alert or something else unexpected.
- Session resumption is now supported with EAP-TLS when TLSv1.3 is negotiated. Resumption is prepared for EAP-TTLS and PEAP and will be enabled when more interoperability testing is done.
- EAP-TLS now supports TLSv1.3 as described in RFC 9190. EAP-TTLS and PEAP support TLSv1.3 based on draft-ietf-emu-tls-eap-types. Session resumption remains disabled for all TLS-based EAP methods with TLSv1.3 and will be enabled separately.
- TLS-based EAP methods now support TLSv1.3 key exporter needed for MS-MPPE-Send-Key, MS-MPPE-Recv-Key and EAP-Key-Name attributes and other uses.
- TLS state tracing for EAP and Stream modules is now enabled with configuration parameters EAPTLS_TraceState and TLS_TraceState or when TLS message logging is not available. TLS message logging requires Net::SSLeay 1.92 or later.
- StreamTLS based modules, such as RadSec, now log and respond better to TLS alerts and handshake messages. TLS alerts are now sent in more cases instead of directly closing the stream transport connection. Logging of TLS events is enhanced and more testing is done with TLSv1.3.
- TLS based Stream classes, such as RadSec, now support TLS_Ciphersuites configuration parameter that sets allowed cipher suites for TLSv1.3. This parameter is similar to TLS_Ciphers which sets the allowed cipher suites for TLSv1.2 and earlier versions.
- ServerTACACSPLUS log level for client initiated connection terminations is now DEBUG. It’s normal for the client to close TACACS+ connection. This returns the logging level back to what was used with release 4.20 and earlier. Update NTLM and related Samba winbind configuration instructions in goodies.
- Add support for SSL_CTX_set_keylog_callback that enables Radiator to log TLS key material. This allows fully decrypting EAP and Stream SSL/TLS sessions, including those that have forward security enabled. TLS keylog should only be used for debugging to avoid security issues. See the reference manual for new parameters EAPTLS_KeylogFilename and TLS_KeylogFilename. Requires Net::SSLeay 1.92 or later.
- TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured. Requires Net::SSLeay 1.92 or later.
- Enhance Ansible playbooks to use operating system families. Instead of listing, for example all Red Hat Enterprise Linux variants, use RedHat family to cover them all.
- radpwtst can now send empty EAP-GTC and EAP-OTP responses when needed. Use TLS_Protocols parameter more consistently in goodies samples and recommend it over UseTLS. Replace non-ASCII characters in goodies and other text files with printable ASCII characters.
- Update the default Radius dictionary with the following 5G attributes from VENDOR 3GPP TS 29.561 v16.8.0: 3GPP-VLAN-Id, 3GPP-TNAP-Identifier, 3GPP-HFC-NodeId, 3GPP-GLI, 3GPP-Line-Type, 3GPP-NID and 3GPP-GCI.
- Add VENDOR 2011 Huawei attributes Huawei-User-Group-Name, Huawei-User-Service-Type and Huawei-Web-URL to the default Radius dictionary. Add new dictionary file dictionary.huawei2 to goodies directory. This file was received from the vendor and contains attributes used by NetEngine 8000 series and possibly other devices.
- GossipRedis can now send a Redis ECHO command to probe and keep a connection active. Probing is disabled by default and is enabled with ProbeTimeout GossipRedis configuration parameter.
- Update Redis session database sample file in goodies.
Revision 4.26 (2021-10-29) new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
- TLSv1.3 is currently disabled for AuthBy DUO.
- AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAPv2 is supported with MSCHAPv2 conversion. Encrypted PIN is now supported for PAP, EAP-OTP and EAP-GTC.
- Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.
Known caveats and other notes
- TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
- EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.
Detailed changes
- AuthBy LSA in Radiator 4.24 and 4.25 could crash when Group parameter was not directly configured and LSA group membership check was called from another module, such as AuthBy FILE. Reported by Viktu Pons i Colomer.
- Radiator now actively closes Diameter peering when Capabilities-Exchange-Answer (CEA) with unsuccessful Result-Code or E flag is received. Previously it was assumed that peer closes the connection. This keeps the non-working peering from being used for sending requests.
- Fixed a memory leak in SNMP client. The problem is seen on systems that use Perl 5.16, such as Red Hat Enterprise Linux 7 and CentOS 7. For details, see Perl5 Github issue 12309, originally RT 114340.
- Fix typos in proxy.cfg and package default config file in goodies. Add missing DbDir and LogDir to addressallocator.cfg and n7k-radius.cfg configuration samples.
- AuthBy DUO with CheckTimerInterval set to zero no longer remains in failed state infinitely. New parameter FailureBackoffTime sets the time the API is considered unavailable. Thanks to Alexander Hartmaier for reporting the problem and suggestion for a fix.
- AuthBy REST now supports special format characters in URL parameter.
- Added VENDOR 4115 Arris with a number of Arris prefixed attributes to the default RADIUS dictionary.
- Updated sample certificates to expire on September 16 2023.
- Updated RADIUS proxying configuration samples to include Asynchronous parameter to make the AuthBys work similarly to other AuthBys. The default behaviour is to return IGNORE after proxying which complicates configurations with multiple grouped AuthBys.
- PostProcessingHook, AddToReply and other related adjustments configured for a Handler are now done before AuthLog is called. This makes changes done by Handler visible for logging. If a hook or some special configuration triggers a direct reply, any attempts to send again the same reply are no longer logged with AuthLog or AcctLog.
- AuthBy DUO now disables TLSv1.3 to avoid blocking problem described by Alexander Hartmaier on Radiator mailing list in June 2021. TLSv1.3 can be re-enabled in a future Radiator versions when a fix is available.
- Minor enhancement and optimisation to AuthGeneric.pm AuthenProto parameter use. Various logging and goodies updates and fixes to warnings triggered by User-Name not being present in requests.
- AuthBy SQLTOTP now supports PIN, also called static password, that is stored in a format supported by Encrypted-Password check item. Enabled with EncryptedPIN configuration flag parameter. Supported with PAP, EAP-OTP and EAP-GTC.
- AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAP-V2 is supported by conversion to MSCHAPv2.
- HTTPClient now properly handles HTTP chunked encoding.
- Fix diapwtst -dictionary command line parameter that was broken in release 4.25.
- AuthBy DNSROAM used ‘mysecret’ as the default shared secret. It now uses ‘radsec’ as required by the RadSec RFC 6614. Updated the reference manual and dnsroam.cfg and dnsroam.txt in goodies.
- TLS_Ciphers and TLS_Protocols did not have any effect in AuthBy DNSROAM configuration. Reported by Paul Dekkers.
- Proxy algorithm LOADBALANCE no longer does infinite retries with certain configurations. With the kind help of Frank Danielson.
- Enhanced logging for all EAP methods and especially for TLS based EAP methods. TLS handshake states and other related information is now logged in text instead of numeric values. Clarified and unified log messages related to TLS alerts and errors. Updated eaptls_resume_post_auth_hook.pl in goodies.
- Connections accepted by StreamServer can now have a maximum limit. This also allows them to be distributed equally between worker processes when ServerFarm is enabled. The limit is set with StreamMaxClients configuration parameter that is available for all StreamServer derived classes such as ServerDIAMETER.
- radpwtst, tacacsplustest and other utilities, that use FindBin module to find Radiator installation location, can now be used via symbolic links. Suggested by Patrik Forsberg.
- Fixed a possible crash if actively used certificate file or its private key is removed or no longer match each other. This can be caused by a local change, such as administrator moving files.
- AuthBy DIAMETER and Carrier module DiaPeerDef no longer crash when OCSP check is enabled.
- StreamTLS OCSP defaults were not correctly applied for cache time, cache size and other values. Minor updates to unify PEAP and EAP-FAST error handling with other TLS based EAP methods. This is to allow unifying logging for TLS based EAP methods.
- Enhanced logging for Stream based modules for protocols such as RadSec, Tacacsplus and Diameter. Log messages now have more consistent information about the module, including its identifier. TLS handshake states and other related information is now logged in text instead of numeric values.
- All LDAP clauses now support LDAP over TLS and Start TLS debugging. The debug messages are written to STDERR and are not visible in Radiator’s log. See DebugTLS in Radiator reference manual and ldap.cfg file in the goodies directory.
- Unknown RADIUS request codes are now detected and ignored earlier by radpwtst and radiusd.
- Updated cisco-avpair VSA handling samples in the goodies directory. New hook sample create-cisco-cmd.pl was created based on the old createavpairs.pl. createavpairs.pl was re-created from a sample in hooks.txt. Also updated radminTacacs.cfg to match the updated hooks.
- Added VENDOR 674 Dell VSA Dell-Group-Name to the default RADIUS dictionary. Used with Dell EMC devices.
- HTTPClient.pm RequestHeader parameter could not be configured causing an immediate crash. Added HTTP_Version parameter. This parameter now allows configuring HTTP/1.0 and HTTP/1.1.
- Enhanced multiple goodies files to clarify comments, instructions, file paths and command samples.
- Log FILE and Log SYSLOG now skip logging when LogFormatHook returns undef. This allows suppressing log messages with LogFormatHook.
- Ansible playbooks for deploying and managing Radiator now import Radiator Software product signing key.
- Mikrotik attribute name Mikrotik-DHCP-Option-Param-STR2 was incorrectly spelled as Mikortik-DHCP-Option-Param-STR2 in the default dictionary. Reported by Eddie Stassen.
Revision 4.25 (2020-10-20) new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
- Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker directory.
- Ansible playbooks for installing, upgrading and managing Radiator with Ansible were added in goodies Ansible directory.
- Added initial support for RFC 6929 and 8044 formats and data types. If a vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 244.26 is received but it is not present in the dictionary, it is now named as Extended-Vendor-Specific-1 (or -2, -3, or -4). The value starts with the Vendor-Id octets. Naming may change in the future Radiator releases.
- Hash balance proxy algorithm was significantly enhanced.
- Oracle Linux is tested to work with the el7 and el8 packages.
- New Radiator packages: Red Hat Enterprise Linux 8, CentOS 8 and Ubuntu 20.04.
- Name Policy-Editor for vendor 3375 F5 attribute F5-LTM-value 800 is now an alias. The preferred name is Web-Application-Security-Administrator.
- BindV6Only update may in rare configurations change existing behaviour. If you have BindV6Only enabled, see startup debug messages for affected listen sockets.
Known caveats and other notes
- TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
- EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.
Detailed changes
- Added Win32-Lsa module for 64bit Strawberry Perl 5.32.
- When a Status-Server request is received from a known client without a Message-Authenticator, Radiator now logs a warning before the request. Previously these requests were ignored without any logging. Noted by Michael Hulko.
- DiaClient no longer creates zero length Destination-Host and Destination-Realm AVPs when child classes leave their DestinationHost and DestinationRealm configuration parameters unset. This affects DiaClient based SIM pack authentication modules AuthBy SIMWX and AuthBy AKAWX which now have better control setting the values for the AVPs. This reverts the behaviour to how Radiator 4.16 and earlier worked.
- Removed DupInterval 0 from all goodies configuration samples. This no longer needed even with testing because duplicate detection has for a long time used methods recommended by RFC 5080. Updated AuthBy ACE configuration information.
- Dockerfiles for running Radiator and Radius::UtilXS in a CentOS 8, Ubuntu 20.04 or Windows Server Core 2019 were added in goodies Docker directory. Docker containers based on these files have Radiator and Radius::UtilXS installed, and single Radiator instance running when container is run. Multiple Radiator instances can be run by running multiple Docker containers.
- Added vendor specific attributes needed by Ruckus ICX devices. For VENDOR 1991 Foundry: Foundry-COA-Command-List, Foundry-Voice-Phone-Config and for VENDOR 25053 Ruckus: Ruckus-FlexAuth-AVP.
- Updated Radiator MSI package to use Strawberry Perl 5.32.0.1 and Radius::UtilXS 2.3-1.
- Added initial support for RFC 6929 and 8044 formats and data types. Added IANA registered attributes from RFCs 7499, 7930 and 8559 to the default RADIUS dictionary. Added vendor specific attributes for VENDOR 6527 Nokia (formerly ‘Alcatel-Lucent’) that are encapsulated within IANA attribute 241 Extended-Type-1.
- Received extended attributes use dictionary names as usually. If a vendor specific attribute encapsulated by 241.26, 242.26, 243.26 or 244.26 is not present in dictionary, it is now named as Extended-Vendor-Specific-1 (or -2, -3, or -4) with a value that starts with the Vendor-Id octets.
- Attributes added with names such as Extended-Type-1 and Extended-Vendor-Specific-1 are packed without further processing of the value. This is similar to how packing was done previously.
- Added VENDOR 2636 Juniper attributes Juniper-AV-Pair, Juniper-VoIP-VLAN and Juniper-CWA-Redirect-URL to dictionary.
- Added VENDOR 16901 Mojo with a number of Mojo prefixed attributes to the default RADIUS dictionary.
- Added VENDOR 12356 Fortinet attribute Fortinet-Host-Port-AVPair to dictionary.
- Added PT-RAD-Version and PT-UPP-Profile VSAs in the default dictionary for VENDOR 1556 Sonus Networks. This vendor code was previously assigned to Performance Technologies, Inc.
- Updated EAP-TLS NoCheckId documentation and configuration sample.
- AuthByHASHBALANCE and AuthBy RADSEC proxy algorithm HashBalance now distribute requests more equally among remaining next hop hosts when a next hop host fails. Previously the requests destined to a failed host were proxied to only one of the remaining hosts.
- Added instructions how to edit Radiator Software Ansible playbooks to support other Linux distributions like Oracle Linux.
- Radiator’s Radius::UtilXS package now provides an interface to AES functions required by SIM pack. This allows using OpenSSL or LibreSSL instead of Crypt::Rijndael.
- Updated configuration samples to work without changes when using RPM or deb packages. LogDir, DictionaryFile, certificate location and other settings now point to locations the packages use and create.
- Ansible playbooks for deploying Radiator from RPM/deb packages and managing Radiator instances.
- DictionaryFile, ClientListSQL flags column, and some other configuration parameters that use a comma to separate file names and other arguments, now allow spaces around the comma.
- Enhanced virtual systemd service (radiator-instances.service) to control multiple instances without a need to change service file configuration. This change offers an enhanced feature but does not affect previous functionality.
- Multiple updates to Radius dictionaries: Added VENDOR 9 Cisco attribute Cisco-Ascend-AV-pairs, VENDOR 3076 Altiga attribute Altiga-Group-Name and VENDOR 17713 Cambium attribute Cambium-Networks-Auth-Role to the default Radiator dictionary. Updated VENDOR 5 Acc attributes based on draft-ilgun-radius-accvsa-02.
- Added a new dictionary file dictionary.cambium-motorola-161 in goodies. This file includes Motorola-Canopy and Cambium-Canopy attributes contributed by Brandon Shiers. These attributes are in a separate file because the default dictionary already contains Motorola WiMAX attributes which use the same overlapping vendor number 161.
- Updated Radiator and Diameter dictionaries with 3GPP 5G attributes from TS 29.561 version 16.4.0 for Radius and Diameter N6 and DN-AAA support. Added VENDOR 3GPP 10415 VSA 3GPP-Secondary-RAT-Usage from TS 29.061 version 16.0.0 and 3GPP-WLAN-APN-Id, 3GPP-WLAN-QoS-Filter-Rule and 3GPP-WLAN-QoS-Filter-Support from TS 29.234 V11.2.0 to dictionary.
- DiameterDictionaryFile attributes are now added to all dictionaries in addition to base dictionary. ServerDIAMETER now uses Diameter dictionary of Diameter request or answer when converting to and from Diameter and Radius. Previously base dictionary was used for conversion. Enhanced debug log messages and simplified code related to loading and using dictionaries.
- Updated VENDOR Mikrotik 14988 attributes with the latest additions.
- Updated VENDOR Aruba 14823 attributes with the latest additions.
- Multiple dictionary updates: New file dictionary.nokia-637 was added for vendor 637 Nokia (formerly ‘Alcatel-Lucent’) for those attributes that do not use the special ‘format=2,1’ vendor 637 attributes use in the default dictionary.
Added attributes from multiple vendors to the default dictionary:
Added VENDOR Unix 4 with a number of attributes for Digi IX14, LR and WR routers. Some vendor 4 VSAs are also used by ProFTPD software.
Added VENDOR Cisco-VPN5000 255 for Cisco VPN 5000 Concentrator with a number of CVPN5000 prefixed attributes.
Added VENDOR Adtran 664 with a number of Adtran prefixed attributes.<br>Added VENDOR Cisco-BSSM 5632 for Cisco Building Broadband Service Manager attribute CBSSM-Bandwidth.
Added VENDOR Cisco-Aironet 5842 for Aironet-Session-Timeout attribute.
Added VENDOR Calix 6321 with a number of Calix prefixed attributes.
Added VENDOR Overture 7950 with Overture-User-Access-Level attribute.
Added VENDOR Hatteras 8550 with Hatteras-Auth-Level attribute.
Added VENDOR Ericsson-PCN 10923 for attributes registered for vendor Ericsson AB – Packet Core Networks. Added a number of attributes prefixed with Ericsson-PCN prefix.
Added VENDOR Sandvine 11610 with Sandvine-Group attribute.
Added VENDOR ELTEK 12148 with a number of ELTEK prefixed attributes.
Added VENDOR Overture-4200-4300 16943 with Overture-4200-4300-Access_Level attribute for Overture 4200/4300 devices.
Added VENDOR CyanInc 28533 with CyanInc-User-Roles and CyanInc-Acct-Event-Text attributes.
- Added to default Radius dictionary a number of Extreme fabric attach VSAs that are defined as VENDOR 562 Nortel. Added VSAs Annex-EAP-Port-Priority, Annex-Cli-Commands, Annex-Command-Access and Annex-Commands for Extreme and Avaya devices that are defined as VENDOR 1584 Bay-Networks. These all use names that does not follow the de-facto VSA naming. Fixed a harmless warning in radpwtst if reject or interactive challenge did not contain a Reply-Message attribute.
- ClientListSQL now disconnects automatically from DB during server startup when server farm is configured with FarmSize. This avoids passing DB handle copies to farm workers which could cause errors with subsequent DB access.
- Fixed a memory leak in ServerDIAMETER where a small amount of memory was leaked with every connection. Initial CER timeout logging now also honours log level set with DisconnectTraceLevel.
- AuthBy REST and other modules based on HTTPClient now honour DisconnectTraceLevel to control how closed connections are logged. AuthBy REST now logs peer initiated disconnects with DEBUG level.
- Added definitions and VSAs for VENDOR 534 Eaton Corporation, VENDOR 2606 Rittal (Rittal-Werk Rudolf Loh GmbH & Co.KG) and VENDOR 13191 OneAccess (Ekinops OneAccess OneOS) to RADIUS dictionary. Added and updated VSAs for VENDOR 7483 Tropic and VENDOR 30065 Arista.
- SQL clauses now support a separate timeout for connects and disconnects. Some databases may leak resources, such as file descriptors, when Radiator times out a connection before the DB driver does. With a new parameter ConnectTimeout, SQL connection timeout can different than Timeout that is used for SQL queries.
- Updated VENDOR 800 Alcatel-Lucent-OS6400, also known as Xylan, attributes in dictionary. Values for Alcatel-Lucent-Access-Priv and new attributes Alcatel-Lucent-Acce-Priv-F-R3, Alcatel-Lucent-Acce-Priv-F-R4, Alcatel-Lucent-Acce-Priv-F-W3 and Alcatel-Lucent-Acce-Priv-F-W4 were added.
- Added a script in goodies to create CHAP challenge for direct Monitor port access. More logging updates to LDAP ServerChecksPassword failures.
- Improved AuthBy LDAP2 logging when ServerChecksPassword triggers authentication failure because of bad password.
- ServerTACACSPLUS now logs more details about connections that get immediately closed after being established.
- Minor updates to LSA and NTLM configuration samples.
- Added VENDOR Incognito 3606 VSAs to dictionary.
- Updated VENDOR 3375 F5 VSA’s in Radiator default dictionary. Attribute F5-LTM-Audit-Msg and seven values for F5-LTM-User-Role were added. Name Policy-Editor for F5-LTM-value 800 is now an alias for name Web-Application-Security-Administrator, which appears to have been used since BIG-IP 10.x, first released in 2009.
- SSLVerify in LDAP clauses, OutputFormat in AcctLog FILE, Failmode in AuthBy DUO, ProxyAlgorithm in AuthBy RADSEC, APIVersion in AuthBy YUBIKEYVALIDATIONSERVER, Format and Encoding in MessageLog FILE, and StatsType and OutputFormat in StatsLog clauses now support configuration time % formatting typically used with %{GlobalVar:name}.
- Fixed deprecated syntax in goodies file AuthPLPSQL.pm.
- Fixed a warning triggered by LDAP modules during configuration loading when UseSSL was set and Port was configured with a % formatted value.
- Updated radiusd so that it tries to locate Radius::UtilXS similar to how radpwtst already does. This helps manual configuration testing on systems that use packages.
- AuthBy NTLM can now rewrite the username that is passed to ntlm_auth. Example use is Wi-Fi roaming where roaming username can not be directly used with Windows authentication because of local naming conflicts with roaming requirements. See NtlmRewriteHook in goodies file ntlm.cfg and Radiator reference manual. Updated other AuthBy NTLM configuration samples. This is similar to what was added to AuthBy LSA in release 4.22.
- StatsLog and ClientList periodic updates are now scheduled based on server start time to avoid slowly occurring time drift between the runs. With FarmSize configuration, it’s now possible to configure a spacing between worker runs to avoid synchronisation across all farm members. This is supported by StatsLog and ClientList clauses with FarmWorkerSpacing configuration parameter.
- Updated test.pl to be more reliable in finding Radiator modules with CentOS 6 and other systems with Perl earlier than 5.16.
- When a Stream connection, such as RadSec or Diameter, is closed, the log message level can now be configured with DisconnectTraceLevel parameter. This avoids unnecessary high level log messages when frequently closed connections are normal.
- Fixed configuration file include directive to work with directories that have whitespace characters, such as “Program Files”. Enhanced include’s error detection and logging in case of unreadable directories and other problems reading the files. A warning is now logged if a wildcard, such as include/*.cfg’, does not expand to any files.
- Updated RADIUS attribute encoding and decoding to be more flexible with vendor specific formats. This allows, for example, overriding VENDOR 637 Nokia VSA format to use 1 octet long VSA type field instead of forcing hardcoded 2 octets.
- StreamTLS server now logs more information about failures, for example, when TLS version is not acceptable or when client certificates was required but not received. Reported by Stefan Paetow.
- StatsLog clauses now support StatsExcludeObject and StatsInclude. These allow, for example, skipping statistics for all Clients while still supporting exceptions for certain clients. See example in statslog.cfg in goodies.
- Added VENDOR 22420 Accedian attribute Accedian-Skylight-Roles to dictionary.
- Fixed a crash in ServerTACACSPLUS triggered by an unexpected request type.
- Fixed a bug in AuthBy DNSROAM when FarmSize is enabled. The bug was introduced in release 4.22 and causes TLS, remote host IP and other settings to remain unitialised. As a result RadSec started by DNS roaming connects nowhere.
- BindV6Only global configuration parameter now covers proxy listen sockets, Gossip UDP listen sockets and Stream server listen sockets, such as RadSec server socket.
- System error string corresponding to errno was logged by TLS modules for some errors when errno did not have a useful value. This resulted in misleading log messages.
- Digest::HMAC for Digest::HMAC_SHA1 or Digest::HMAC_MD5 is no longer required. HMAC calculation is done directly with Digest::SHA or Digest::MD5.
- Updated expiration timestamps in users. Expired timestamps caused test.pl tests 2l, 2m, 3g and 3h to fail when they should have succeeded.
- test.pl now requires more modules to be present and tries to automatically run MSCHAP tests.
- Enhancements to AuthBy DUO Failmode. Failmode no longer applies to non-success API return codes that relate to problems with requests sent by Radiator. Improved Failmode related API reachability and error logging and handling.
- Log messages now use separate ip/hostname and port instead of ip:port format which is confusing with IPv6 addresses.
- Radiator now logs a warning if a RADIUS client is defined multiple times. This may happen, for example, when a client is defined in both configuration file and ClientListSQL.
- IPv6 address did not work as a LDAP Host parameter value because LDAP port number was directly appended to Host parameter values during connect. Appending port is allowed by Net::LDAP API but was not done correctly with IPv6 LDAP server addresses. Port is no longer appended and it’s passed only as a separate parameter. LDAP log messages were enhanced.
- AuthBy FREERADIUS now handles Cleartext-Password check item as a password check item when the new flag configuration parameter ConvertCleartextPassword is set. Updated configuration sample freeradius.sql in goodies to enable the newly added parameter by default. Did other minor updates in the configuration and AuthBy module.
- Fixed a memory leak in TLS based EAP methods and Stream classes, such as RadSec, where CRL file loading and re-loading did not free temporary resources. The fix requires Net::SSLeay 1.46 or later. Reported by Jan Tomasek.
Revision 4.24 (2019-12-09) new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
- Added configuration parameters TLS_SecurityLevel and EAPTLS_SecurityLevel and calls to set accepted TLS version ranges. This allows for Radiator module level control of desired TLS settings without modifications of system defaults.
- ClientListSQL configuration can now be simplified with ClientColumnDef parameters.
- AuthBy SQLHOTP and SQLTOTP SQL query parameter support was added.
- Dynamically updated Diameter RealmTable for request routing and forwarding is now available for advanced Diameter applications.
- Added a new configuration flag parameter IgnoreIfMissing.
- Added a new check item ExistsInRequest for matching requests by attribute presence. Useful for Handlers.
- Added new AuthBy REST, which is built on a new class called HTTPClient.
- Packages are now available for Red Hat Enterprise Linux 8 and CentOS 8 and Debian 10 (Buster).
- Added configuration guide and samples for SecureW2 integration.
Known caveats and other notes
- TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.
- EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.
Detailed changes
- AuthBy SIP2 sometimes parsed ACS server responses incorrectly causing incorrect authentication rejects.
- Stream modules that use TLS, such as RadSec, now log the negotiated TLS version and cipher similar to what TLS based EAP methods already do. Short inner EAP messages received by EAP-TTLS and PEAP are now caught earlier instead of generic EAP module.
- Added new configuration parameters TLS_SecurityLevel and EAPTLS_SecurityLevel to control TLS library’s security level settings. See OpenSSL manual for SSL_CTX_set_security_level() for more about security levels. When TLS_Protocols or EAPTLS_Protocols is configured to set the desired TLS versions, TLS library’s Net::SSLeay::CTX_set_min_proto_version and its ‘max’ counterpart are automatically called. The security level and TLS version settings may be needed on systems with strict defaults. For example, Debian 10 sets the default minimum TLS version to 1.2 and security level to 2. This may be too restrictive with older EAP clients or Diameter and RadSec peers. Support for min/max_proto functions was added in Net::SSLeay 1.83.
- Updated Lancom and Aerohive attributes in the default dictionary. Aerohive products appear to use attribute 1 for different purposes. For this reason the newly added Aerohive-User-Vlan is an alias for the existing AH-HM-Admin-Group-Id. Both names are usable as reply attributes but incoming attributes are remain named as AH-HM-Admin-Group-Id. Thanks to Stefan Winter for the updated information.
- Added two new modules that allow temporarily denying logins for users that were rejected because of repetitive bad passwords. These are intial versions AuthBy FAILUREPOLICY and AuthBy SQLFAILUREPOLICY with more enhancements done in subsequent Radiator releases. See failurepolicy.cfg in goodies for a sample configuration.
- Added radiator-instances.service to goodies. This is a systemd unit configuration file for a virtual service for managing all Radiator instances. It works in conjunction with with radiator@.service unit file.
- Added 25 VSAs in the default dictionary for VENDOR 12356 Fortinet.
- Updated sample certificates to expire on November 10 2021.
- ClientListSQL now supports new configuration parameter ClientColumnDef. This allows for more simple and flexible configuration. Updated ClientList modules based on perlcritic reports.
- Updated AuthBy SQLHOTP and SQLTOTP to support SQL query parameters. Enhanced the configuration for the both to refuse token lengths shorter than 4 and clarified documentation of Require2Factor and SQL token active field. Other minor updates to SQL schema, sample configurations and code based on perlcritic.
- ClientListSQL and ClientListLDAP can now fetch TACACSPLUSKey parameter. This allows Clients to have separate values for RADIUS shared secret and TACACS+ key.
- Check items with regular expression values now use s modifier by default. This allows dot to also match newline.
- An instance of RealmTable is now dynamically updated for Diameter peerings used by Radiator 3GPPP AAA Server and other advanced Diameter applications. This RealmTable is available for Diameter request routing and forwarding for those Diameter peers that are configured with DiaPeerDef clauses supported by Radiator Carrier Pack.
- Added RealmTable.pm for genric support for realm routing tables. This can be used with Radius and Diameter to dynamically or statically build routing tables that support quick lookups from a large number of destinations. Aggregates and regexp based lookups are supported. See realmtable.pl in goodies for a sample application.
- Minor fixes: enhance Radius::SCTP support detection and address messages triggered by recently enabled warnings pragma.
- Radiator’s Radius::UtilXS package now provides interface to DES functions in OpenSSL and LibreSSL. These alternative functions are automatically used with Radius::UtilXS is available. Radius::UtilXS package is available from Radiator downloads.
- Digest::MD4 is no longer strictly required with MSCHAP related authentication methods. An alternative MD4 digest implementation is now provided by Radiator’s Radius::UtilXS package. This package is available from Radiator downloads.
- Added new configuration parameter LeavePassword. LeavePassword is similar to ConsumePassword but leaves beginning of password unchanged and extracts a portion of password from the end.
- Added integration guide and configuration files for configuring Radiator Software’s RADIUS Server for EAP-TLS using SecureW2 PKI.
- Added Win32-Lsa module for 64bit Strawberry Perl 5.30. Updated Radiator MSI package to use Strawberry Perl 5.30.0.1.
- Added new configuration flag parameter IgnoreIfMissing. This parameter is somewhat similar to the previously existing parameter AcceptIfMissing. If the user is not present in the user database, this parameter causes the enclosing AuthBy to return ignore instead of reject. When multiple AuthBys are configured, this allows lookups to continue until the user is found while accept or reject is returned immediately. Suggested by Christian Meutes and Alexander Hartmaier.
- When PacketTrace is set for a proxied request, the corresponding reply from a proxy now inherits the trace setting and is logged with trace level 5. With RadSec, the proxied request is now also logged with trace level 5.
- Updated vendor Ruckus attributes in dictionary. Contributed by Michael Newton.
- Added new check item ExistsInRequest. This is mostly used in Handlers to help matching requests based on attribute presence irrespective of their content. For example, <Handler ExistsInRequest=EAP-Message> selects all EAP requests. Simple alternation is also supported: <Handler ExistsInRequest = OSC-Rate-Limit-Day|OSC-Rate-Limit-Night> matches requests that have one or both of the attributes.
- RADIUS attribute names are now cheked for uncommon characters. Unexpected names are accepted and a warning is logged when dictionary is loaded.
- Locked Radiator distribution now honours Windows Service Control Manager state changes when expiry date or other limits have been reached. Previously Locked Radiator service became unstoppable when limits were reached.
- Added new class called HTTPClient which implements a flexible and asynchronous HTTP and HTTPS client. Added new HTTPClient based AuthBy REST for sending authentication and accounting request over a REST interface.
- Added support for using different back ends for random generation. The currently preferred source is Net::SSLeay with the default being Perl core rand.
- AuthDN in AuthBy LDAP2 now supports %0 special. This is replaced with DN escaped value of currently authenticated username. Added special formatters %{LDAPDN:…} and %{LDAPFilter:…} for escaping values with LDAP DN and filter rules. Fixed ServerChecksPassword error logging to be correct about failure reason when no result was received from server because of, for example, unexpected disconnection. Similar changes, and return value unification, was done to function checkPassword for custom code uses. Trailing NUL octets are no longer stripped from attributes received from LDAP. Addressed results reported by Perl::Critic.
- Multiple LDAP enhancements were added. LDAP modules now support new configuration parameters SSLCAClientKeyPassword and SSLExpectedServerName. SSLCAClientKeyPassword sets the passphrase to decrypt client private key when mutual certificate based LDAP authentication is required. SSLExpectedServerName sets the name the server certificate must match during verification. Misconfigured values for SSLCAFile and other related files are now logged and handled and no longer cause Radiator to exit without logging. Unknown values for SSLVerify are now logged and map to the default value require.
- SNMPAgent and Monitor with FarmSize configuration no longer require a FarmChildHook to re-open their listen sockets. Their listen sockets are now created after forking the instances. FarmChildHook sample in hooks.txt goodies file was updated to point to an example in farmchildhook.txt goodies file. Updated Ldap.pm and SNMPAgent to better log and refuse incorrect Port configuration values. Minor fix to SNMPAgent to also return SNMPv2-MIB system group values when queried with snmpwalk.
- Too large port numbers in configuration file for TCP, UDP and SCTP are now more clearly logged and refused.
- Fixed a memory leak caused by a StatsLog clause and ClientListSQL or ClientListLDAP being enabled in the same configuration. Leak affects Radiator versions 4.17 up to 4.23.
- Minor updates to IP address packing and resolution functions in Util.pm. Similar updates to old Socket6 module based functions. This makes IPv6 support with Socket6 more similar to what Perl core provides. Minor updates to BigInt functions and fixes to recent quota calculation related utility functions. Addressed a number of perlcritic reports.
- Unified Radiator internal JSON support. Modules, hooks and other code should now use Radius::JSON which chooses a JSON backend during startup and provides an interface for querying JSON status. The JSON backend and its version, or lack of backend, is logged when Radiator starts. Updated AuthBy DUO to use Radius::JSON instead JSON.pm.
- Messages logged to global LogFile and by LogFILE, LogSYSLOG and Monitor clauses now support adding farm instance to log messages. This is enabled by new LogFarmInstance configuration flag parameter. Addressed results reported by Perl::Critic.
- Updated diapwtst and ServerDIAMETER to include Acct-Application-Id in Accounting-Request (ACR) and Accounting-Answer (ACA) commands. Changed diapwtst to use Diameter base accounting in Command Code header field.
- AuthBy LSA now checks that Win32::NetAdmin is available when the configuration is loaded. This prevents radiusd from starting if the module is not installed. Previously the check happened when group membership check was first done causing radiusd to exit.
- Upgraded MSI packaging to use Strawberry Perl 5.28.2.1.
- The local address of AuthBy LDAP2 and other LDAP client connections, configured with BindAddress parameter, now supports formatting characters. Improved logging of LocalAddress for Stream based classes when LocalAddress uses formatting characters.
- Added VENDOR 14823 Aruba attributes Aruba-Captive-Portal-URL and Aruba-MPSK-Passphrase to dictionary.
- When global DupCache parameter was set to a non-default value, only duplicates for replied messages were correctly detected. Fixed a related memory leak and addressed Perl::Critic reports.
Revision 4.23 (2019-04-17, initial release 2019-04-10) security fixes, new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
- Improved AcctLogFILE to support JSON.
- Security fixes for EAP-pwd authentication and certain TLS configurations. OSC recommends all users to review OSC security advisory OSC-SEC-2019-01.
Known caveats and other notes
- TLSv1.3 is not enabled by default for TLS based EAP methods.
- TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
Detailed changes
- A number of configuration parameters were incorrectly removed from AuthBy DNSROAM during 4.23 development. This affects 4.23-1 and 4.23-2 releases. Fixed in 4.23-3. Reported by Paul Dekkers.
- Formatter %W was calling a non-existent function and caused a crash. This affects the initial 4.23 release only. Fixed in 4.23-2. Reported by Leon Haverkotte.
- Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.
- Added an example of using SupplementaryGroups option in systemd goodies files radiator.service and radiator@.service. This parameter is typically used with AuthBy NTLM to grant access to winbindd socket.
- Added support for experimental parameters EAPTLS_CRLCheckUseDeltas and TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation list support for TLS based EAP and Stream classes, such as EAP-TLS and RadSec. Added test CLRs to Radiator demo ceritificates. See Radiator reference manual for the details.
- Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec, when Radiator tried to log information about a certificate during specially configured verification. Certificate is not made available by TLS library in all verification failure cases. Reported by Stefan Winter.
- AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled when checking AuthenProto configuration parameter. Addressed a number of Perl::Critic reports.
- AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.
- Update test.pl to clean up temporary files after finishing.
- DiaClient inheritance was updated to allow better log message control. Updated diapwtst respectively. Addressed a number of DiaClient related Perl::Critic reports.
- Fixed some log messages that did not correctly interpolate variables. Addressed other minor results reported by Perl::Critic.
- Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.
- JSON::MaybeXS was mistakenly added as a JSON backend. However it is a wrapper for backends so it is now removed from the list of JSON backends.
- Peer certificate issuer, subject and serial number in decimal and hexdecimal format is now logged on debug level when Radiator verifies peer certificate during EAP-TLS authentication or TLS based stream connection. This information is logged during verify callback when the TLS/SSL library is doing certificate verification. Logging is now done during successful and failing verification. Previously only some certificate information was logged.
- Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR 4329 Siemens added Siemens-AP-Mac as a new VSAs and Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for Siemens-Ingress-RC and Siemens-Egress-RC.
- LogSYSLOG did not log Trace 5 level messages but printed out warnings about invalid level/facility to STDERR. Reported by Paul Dekkers.
- Requests without User-Name were triggering warnings that were enabled in Radiator 4.21. Reported cases now avoid warnings, and usernames that are empty instead of not defined are now more clearly logged. Similar work enabling more warnings continues and any reports are welcome. Cases now fixed were reported by Paul Dekkers and Roland Rosenfeld.
- When malformed attributes are received, sender IP address and port are now included in the message. Suggested by Paul Dekkers.
- Support configuration parameter AddToRequestIfNotExist added to AuthBy RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.
- Fixed make zipdist and other non-default targets from failing.
- Unit test name cleanup and better separation between tests.
- generate-totp.pl and nthash.pl goodies utilities no longer need Radiator modules. They now require Net::SSLeay and Digest::MD4, respectively.
- diapwtst now searches its parent directory for Radius-modules. This allows diapwtst to be called in similar fashion as radpwtst.
- Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. Old behaviour was causing zombie processes on some systems. Reported by Johan Wassberg.
- Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and change_attr now return 0, as documented, instead of nothing. This return value still evaluates to false but is now defined. Addressed results reported by Perl::Critic.
- Avoid unnecessary log messages and warnings by not probing SCTP API support on windows and completely avoiding harmless use of undefined variables in AuthGeneric.
- Added module Radius::JSON, which is a wrapper for various JSON backends. Module exports encode_json and decode_json from the JSON backend it finds. Last resort is JSON::PP, which should be included Perl versions from 5.14.0.
- Improved AcctLogFILE to support JSON. By default, in addition to trace_id, timestamp, source_host, and type (accounting), all attributes from Accounting-Request are logged. This behaviour can be modified with parameter AcctLogOutputDef.
- Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).
- Updates to support and other help texts.
- Add expected result feature for diapwtst. When expected result is set, diapwtst returns 0 (success) even if result was something else. In this way diapwtst can be more useful, for example to periodically test DIAMETER services.
- A warning log message about missing Proxy-State attribute was added AuthRADIUS::get_psid() in 4.22 to match a warning in AuthRADSEC, but in AuthRADIUS get_psid() is also called when UseExtendedIds is not used which causes Radiator to incorrectly log warnings about missing attributes. This behaviour has been fixed.
Revision 4.22 (2019-01-09) major packaging update, new features, enhancements and bug fixes
Selected compatibility notes, enhancements and fixes
- New Radiator packages: Red Hat Enterprise Linux 7 and Centos 7, Ubuntu 16.04 and 18.04, and Windows MSI
- Major updates to Yubikey Validation server support
- SCTP multihoming support for Diameter and other stream modules
Known caveats and other notes
- TLSv1.3 is not enabled by default for TLS based EAP methods.
- TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
Detailed changes
- Fixed a bug in radiusd where @main::reinitFns and @main::perchildinitFns are initialised after radiusd has loaded modules which already altered @main::reinitFns and/or @main::perchildinitFns. This bug was triggered when radiusd was restarted with a SIGHUP.
- Fixed a bug in ServerTACACSPLUS where Client clause parameters, such as RewriteUsername, were ignored. This was broken in Radiator 4.21.
- Corrected SQL syntax in hotp.cfg and totp.cfg goodies sample files. Reported by Denis Pavani.
- Fixed EAP-FAST to work with OpenSSL 1.1.0 with clients that do not have a valid PAC and need to use unauthenticated provisioning. This requires SSL_set_security_level support which is not available in Net::SSLeay 1.85 and before.
- Monitor and ServerHTTP now honour UseTLS. TLS_Protocols is still the preferred method to enable TLS.
- EAPAnonymous %0 can now access inner EAP identity with EAP-FAST.
- TLS based EAP methods do not enable TLSv1.3 by default. This can be changed with EAPTLS_Protocols configuration parameter.
- Significant updates to radiator.service and radiator@.service Systemd unit files in goodies. Radiator modules are looked up from a new default location /opt/radiator/radiator. Binding to TACACS+ and other privileged ports is enabled with CAP_NET_BIND_SERVICE. Runtime directory is created as /run/radiator/. Other updates for environment variables and startup control.
- radpwtst was updated to use its invocation location and /opt/radiator/radiator to search for its modules and dictionary. Modules nor dictionary are no longer looked up from the current working directory.
- radiusd was updated to use its invocation location to search for its modules. Modules are no longer looked up from the current working directory.
- An info level message is now logged when license related configuration parameters are set with a fully licensed Radiator. This is a reminder that these parameters are ignored and can be safely removed from the configuration. New configuration parameter LicenseFile is now the recommended method to include license configuration parameters.
- Removed a number of obsolete files from goodies
- ClientListLDAP now supports PostSearchHook.
- Added AuthBy HOTSPOT for operating wired and wireless hotspots with authentication and billing. Added support for handling service and subscription databases with implementations in ServiceDatabase INTERNAL and ServiceDatabase SQL. Added modules for handling services, subscriptions and sessions that are manged by SessionDatabase and ServiceDatabase modules. Enhanced SessionDatabase modules to support the new functionality. See README.hotspot and hotspot.cfg in goodies for more information and a configuration sample.
- Added AuthBy HOTSPOTFIDELIO that extends AuthBy HOTSPOT with Opera/Fidelio specific functionality. See README.hotspot-fidelio and hotspot-fidelio.cfg in goodies for more information and a configuration sample. This module also supersedes AuthBy FIDELIOHOTSPOT which will continue to work but should not be used in new deployments.
- Added indexing to fidelio-hotspot.sql.
- AuthBy FIDELIO, AuthBy FIDELIOHOTSPOT and AuthBy HOTSPOTFIDELIO UserPasswordHook is now passed $p as an additional argument.
- HandlerFindHook is now available for fast Handler lookup. This is advantageous for configurations, such as proxying based on realm, where maximum packet throughput is required. Configuration sample is in goodies/handler-find-hook.pl
- Added Base32 decoder to hextobase32.pl in goodies and updated it to match API changes in recent MIME::Base32 modules.
- AuthBy YUBIKEYVALIDATIONSERVER now supports Validation Protocol 2.0 and 1.0. Tested with YubiCloud and PyHSM hsm-val servers. Previously supported PyHSM yhsm-val short format OTP protocol was updated to include OATH-TOTP protocol. Updated configuration sample with new parameters is in yubikey-validationserver.cfg goodies file.
- Windows service enhancements: service parameters no longer include command line options relevant only to installing Radiator as a service. This simplifies parameters when installing service and running as service. Service install and uninstall failures now log more details and cause radiusd to exit with failure. Fixed whitespace quoting in service parameters.
- Added Win32-Lsa module for 64bit Strawberry Perl 5.28.
- Updated the framework for packing and unpacking complex RADIUS vendor specific attributes (VSA framework) to pass current request to custom pack functions. Request is now passed to both pack and unpack functions.
- Corrected hooks.txt in goodies to use packed address with Client’s findAddress function.
- radiusd now accepts command line parameter -prepend_env that prepends its value to an environment variable during radiusd start. The variable is created if it does not exist.
- Stream based modules, such as ServerDIAMETER, now use sctp_bindx() for all BindAddress values and sctp_connectx() for SCTPPeer values. These require Radiator Radius::SCTP bindings to make libsctp API available for Perl.
- Fixed a crash triggered by logging of Handler values, such as Identifier, before Handler was chosen.
- AuthBy LSA can now rewrite the username that is passed to LSA. Example use is Wi-Fi roaming where roaming username can not be directly used with Windows authentication because of local naming conflicts with roaming requirements. See LSARewriteHook in goodies/lsa.cfg and Radiator reference manual. Updated other AuthBy LSA configuration samples.
- Improvements to AuthBy SAFEWORD. New parameters SSLVersion and SSLCipherList allow configuring SSL/TLS protocol versions and cipher suites when communicating with the server.
- Improvements to AcctLog and AuthLog clauses. New optional parameter MaxMessageLength specifies a maximum message length (in characters) for each message to be logged, If specified, each log message is truncated to the specified number of characters prior to logging.
- Improvements to AcctLog, AuthLog and Log clauses. When LogSock is set to unix or stream or pipe, new optional parameter LogPath specifies the syslog path. Defaults to _PATH_LOG macro (if your system defines it).
- ServerTACACSPLUS authorisation context lookup enhancement: new optional configuration parameter ContextId specifies how to derive a lookup key for TACACS+ authentication context when authorising TACACS+ requests.
- Stream and StreamServer certificate verification enhancements: new optional parameter TLS_CertificateVerifyHook specifies a perl function that will be called for a custom verification of the client certificate. TLS_CertificateVerifyFailedHook is a new optional parameter that specifies a perl function that will be called if verifying the client certificate fails. These are similar to their EAPTLS counterparts and their return values determine how certificate verification continues. See radsec-server.cfg in goodies and Radiator reference manual for more information.
- Added VENDOR Ciena 1271 VSAs to dictionary.
- Added Juniper Junos OS TACACS+ configuration sample in tacacsplusserver.cfg goodies file.
- AuthBy RADSEC now reconnects more reliably to disconnected peers instead of leaving peers to permanently failed state. This could happen when ConnectOnDemand is set and when UseStatusServerForFailureDetect is set with Radiator 4.20 and 4.21. Reported by Paul Dekkers.
- AuthBy RADSEC now delays creating sockets when Farmsize is set and ConnectOnDemand is not set. This avoids closing sockets after forking farm members which caused confusing stream related peer disconnect log messages. Reported by Paul Dekkers.
- AuthBy DNSROAM could connect to the same destination twice. This was fixed in Radiator 4.20 but not mentioned in changes.
- A number of code clean up and maintenance changes were done based on Perl::Critic and other tools.
- DictionaryReloadInterval is a new optional parameter that sets an interval in seconds for checking whether the files defined by DictionaryFile have changed. If there are changes, all files are reloaded. Not enabled by default and the files are only loaded during server initialisation.
- Enhanced AuthBy RADIUS and AuthBy RADSEC logging to include remote address and port when bad authenticator or Proxy-State attribute is received. Requested by Paul Dekkers. Updated Gossip log levels.
Revision 4.21 (2018-06-26) bug fixes, enhancements and some new features
Selected compatibility notes, enhancements and fixes
- Fixed nested and cascaded AuthBy GROUPs that stopped working in Radiator 4.20.
- Unified AuthBy HANDLER functionality and reverted some of its changes done in Radiator 4.20.
- JSON authentication and accounting log now formats time as numeric type instead of string.
- ServerTACACSPLUS connection handling had major updates.
- Custom modules that use initialisation functions may need updates.
Known caveats and other notes
- Initial testing is done with OpenSSL 1.1.1 development versions. Not recommended with Radiator yet.
Detailed changes
- Updated simple_main_loop to use timeout and timeout handler. These are useful for test and other client programs.
- Attributes given on command line now override default and option switch values in radpwtst.
- Fixed a bug where nested and cascaded AuthBy GROUPs stopped working because of changes in Radiator 4.20 asynchronous handling.
- Unified AuthBy HANDLER functionality and reverted some changes done in Radiator 4.20: AuthLog, AcctLog, PostProcessingHook, AddToReply and similar reply updates are now done by Handlers called by AuthBy HANDLER. If these functionalities are needed when AuthBy RADIUS is used with AuthBy HANDLER, Asynchronous flag is required.
- Fixed IgnoreReject in AuthBy RADIUS when NoReplyReject is enabled.
- AuthBy RADSEC now supports Asynchronous and NoReplyReject.
- Handler now supports AccountingAccepted flag configuration parameter for Handler. This forces Handler to immediately log and unconditionally acknowledge Accounting requests before passing them to AuthBys. Compared to AccountingHandled, this will not wait for a reply from a proxy.
- Response to a request of any type is now only sent once. This is for special cases, for example, when an accounting request is proxied to multiple servers or a hook or any special handling would cause multiple replies back to the NAS.
- EAP-TLS now uses subjectAltName email type too when checking match for EAP identity or User-Name.
- Updated MaxFailedGraceTime algorithm in AuthBy RADIUS and RADSEC
- Fixed tunnelling EAP methods to work correctly when inner authentication proxies with Asynchronous parameter enabled.
- Updated demo certificates subjectAltName for client and server certificates. Client now has email and server has URI in addition to the existing alternative names. Other non-CA certifcates have both.
- Enhanced StreamServer listen socket error logging and handling during configuration time.
- Updated multiple EAP methods to trigger Access-Reject with EAP-Failure for some messages that were previously ignored.
- Removed obsolete EAP type 38 EAP-TNC.
- Updated EAP-PAX and EAP-PSK logging and error handling. EAP-PSK now requires that EAP identity matches identity carried within EAP-PSK messages.
- Improved Radiator init script goodies/linux-radiator.init and systemd service unit file goodies/radiator.service. A systemd service unit file goodies/radiator@.service which supports systemd service instances was added.
- Updates to logging. Internal changes to enable more warnings and how Client maintains its client list for client lookups.
- StatsLog FILE now supports OutputFormat configuration parameter. The possible values are text and json. Default is text.
- Message-Authenticator is no longer added to Status-Server Access-Accept replies because some clients were not able to process it.
- Enhancements to logging: Reason in AuthLog is now an empty string instead of undefined value when no specific reason is available. This is typical when result is accept for normal conditions. More results are now available for certain conditions and special configurations such as NoForwardAuthentication.
- Fixed infinite loop when AuthBy RADIUS was configured with Asynchronous, CachePasswords and CacheOnNoReply.
- AcctSQLStatement and AuthSQLStatement now support %0 for user name replacement.
- Added radminYubikey.cfg configuration sample in goodies. All RAdmin configuration samples were updated and now come with Radiator.
- Custom modules with need for main::reinitFns and addChildInitFn should be updated to use new callback register methods in ServerConfig. ServerConfig now supports methods for registering per-module callback functions that are run for server start and restart, farm child fork, reinit, delayed shutdown and shutdown.
- Fixed a bug in GossipRedis Sentinel service name use which caused Sentinel connection to fail. GossipRedis log now clearly shows if the connection endpoint is Redis Sentinel or server.
- Changed format_acct_log_json and format_authlog_json in LogFormat.pm to add time as a numeric type, integer or float, instead of a string. The type depends on LogMicroseconds.
- Improved Gossip logging and handling of badly formatted messages.
- Improved radpwtst’s noauth, noacct and related flag handling.
- ServerTACACSPLUS connection handling is now based on Stream modules similar to RadSec, Diameter and others. This fixes a connection blocking bug when run with FarmSize parameter and allows ServerTACACSPLUS to use all features the Stream modules provide.
- Internal changes to reinitialisation and farm child initialisation functions custom module writers may be interested in
Reinitialisation- reinitialise functions are now run only when radiusd is reinitialised (i.e. SIGHUP)
- reinitialise is run before $main::config is destroyed, so registered reinitialisation functions can only read $main::config, if needed
- if there is a need for functions to be called at startup, i.e. after $main::config has been read, one is encouraged to use $main::config->register_startup_fn(\&coderef, @args)
- it is now possible to give arguments to reinitialise functions
- pushing directly to @main::reinitFns will be obsoleted in the future, so preferred way of registering them is via $main::config->register_reinit_fn(\&coderef, @args)
Farm child initialisation
- using main::addChildInitFn will be deprecated in the future. Preferred way to register farm child init functions is via $main::config->register_childinit_fn(\&coderef, @args). Function signature is not changed from main::addChildFn.
- Updates to goodies/*Create.sql files: changed ACCTTERMINATECAUSE to string, updated column types to bigint and longer varchar where applicable. Infrequently used tables and test data are now present only in sql-extra-tables.sql and sql-test-data.sql, respectively. Added oracleCreate.sql. PostgreSQL and SQLite now use the same file postgres-sqliteCreate.sql. SQL Server and Sybase now use the same file sqlserver-sybaseCreate.sql. Removed separate files for mSQL, Informix and InterBase in favour of ansiCreate.sql. The files were tested with Firebird 3.0.3, IBM DB2 Express-C 11.1, IBM Informix 12.10 Developer Edition, InterBase 2017 Developer Edition, MariaDB, Microsoft SQL Server Express 2014 and 2017, MySQL, Oracle Database 11g Express Edition, PostgreSQL, SAP ASE (Sybase) Express Edition 16.0 and SQLite.
- Fixed a bug in dictionary loading where hex VALUE lines were incorrectly processed. Fixed incorrectly names values is dictionary.acc in goodies.
- Minor code maintenance related updates to utility programs and modules.
- Improved logging about attributes that are not in dictionary.
- On windows a message is now logged when Radiator Windows service stops.
- Revision 4.20 (2018-02-28) new features, security and bug fixes
-
Selected compatibility notes, enhancements and fixes
- Support for OCSP and OCSP stapling for EAP-TLS and RadSec and other Stream based modules.
- Improvements to Stream connection handling.
- TACACS+ AuthorizeGroup matching was extended.
- Check items now check all instances of the named attribute.
- Updates to TLS based EAP method client certificate checks, including partial chain support and default CA use.
- Updates to AddressAllocator DHCP
- Updated VENDOR 388 Symbol attribute names in the default dictionary.
- Improved LDAP modules failure backoff and certificate verification.
- Handler and AuthBy GROUP updates for better asynchronous and challenge handling
- Airespace-QoS-Level dictionary definitions were updated. The updated values are incompatible with the old values
- PEAP supports inner authentication after session resumption. Value 2 for reused demonstrated in eaptls_resume_post_auth_hook.pl is now possible
- Multiple updates to EAP, EAP-pwd and other EAP methods. See below for more details.
- Security fix for certificate validation for EAP-TLS and TLS-based Stream modules such as RadSec. PEAP and EAP-TTLS with unusual configurations are also affected. OSC recommends users to review OSC security advisory OSC-SEC-2018-01
Known caveats and other notes
- Initial testing is done with OpenSSL 1.1.1 development versions. Not recommended with Radiator yet.
Detailed changes
- Connection state is now correctly reset when streams are reconnected after a disconnect. Affects Diameter, RadSec and other Stream.pm based modules where incorrect connection state after reconnect caused lost messages and eventual connection timeouts.
- Connection buffers for pending incoming, outgoing and TLS data, and possible TLS session are now cleared during reconnect. This affects Diameter, RadSec and other Stream.pm based modules.
- goodies/generate-totp.pl can now be used for generating TOTP tokens in plain ASCII without generating QR code images.
- ServerTACACSPLUS AuthorizeGroups can now include extra checks which can be used to differentiate actions (permit/permitreplace/deny) and/or reply attributes based on TACACS+ client’s Client-Identifier, address (peeraddr) or any Radius attribute from Access-Accept. Updated configuration sample tacacsplusserver.cfg in goodies.
- Added support to user and Handler check items for checking all instances of the named attribute for a match. If an attribute is present multiple times, all its instances are considered during matching. For example, <Handler OSC-Group-Identifier=B, OSC-Group-Identifier=A> matches when OSC-Group-Identifier is present at least twice with the two values. With the kind help of Alexander Hartmaier
- Added a new configuration parameter RejectReason to Handler and AuthBy. RejectReason sets the default string to use as the Reply-Message for Access-Reject when configured for a Handler. When configured for an AuthBy, sets the reason for AuthLog logging and Access-Reject Reply-Message if the enclosing Realm or Handler has RejectHasReason enabled.
- Improved AuthBy DUO’s REST API failure handling.
- EAP success is now correctly replaced with an EAP failure when a request is first accepted by an EAP AuthBy but later rejected, for example, by a hook or another AuthBy.
- Introduced new special format variables: RequestAttrs, OuterRequestAttrs and ReplyAttrs. These variables return a string containing all instances of the named attribute separated by a comma.
- Added a new configuration parameter AddExtraCheck to Handler and AuthBy to make adding extra check items, such as Group check, easier.
- AuthByPolicy now supports new value ContinueUntilRejectOrChallenge
- EAP-TLS supports new hook EAPTLS_CertificateVerifyFailedHook which runs when TLS library calls verify_callback with preverify_ok set to false. The return value from the hook decides if certificate verification should continue or not. WARNING: This hook should only be used in special cases and can cause security issues. See the reference manual for details.
- Added VENDOR Wi-Fi Alliance 40808 VSAs to dictionary
- Radiator now supports framework for packing and unpacking complex RADIUS vendor specific attributes. For example, many 3GPP attributes have encodings that can not be represented with the RADIUS attribute types. The framework supports vendor specific modules with methods that are called based on how the complex attributes are defined in RADIUS dictionary.
- Improvements to RADIUS and RadSec Status-Server polling: Only one probe can be active at a time to make sure multiple probes are not sent when there are connectivty or other problems. Polling is now disabled for RadSec when transport connection is not up.
- When there are multiple Hosts in AuthBy RADIUS, NoReplyReject takes action after all hosts have been tried. Improved logging when proxied requests time out.
- Updated NoCheckPassword option to cover EAP-MD5 and more authentication methods.
- Fixes and enhancements to MessageLog FILE text2pcap format command line hints: Ports and addresses are now in correct order and include time format specifier. Log line time format is now seconds.microseconds where microseconds are zero padded. Special format %2 for Filename parameter is now correctly set to default value of ‘none’ when Encoding configuration parameter is not set. Help and suggestions for text2pcap changes by Karl Gaissmaier. Thanks Charly.
- Internal changes to how information is stored in request and reply objects. Changed ValidTo and other similar information to use this storage. Special formatting variables ReplyVar and RequestVar now get their named parameter values from this internal storage.
- Special values ‘until Expiration’ and ‘until ValidTo’ for Session-Timeout reply item now correctly work with EAP-MSCHAPV2.
- Diameter peer connection initialisation sometimes opened a second connection to a peer instead of using an existing connection.
- Message-Authenticator fixes: AddToRequest and similar methods now automatically set the attribute length and allow adding only one instance. The attribute was added with incorrect length value but correctly calculated content when it was present in proxied request and had incorrect length. Received attribute length must now match exactly. Previously the check was only done for the content.
- Log SYSLOG now supports LogFormat configuration parameter similar to Log FILE. Fixed a bug where tracing identifier was not available in Log clauses that were configured inside other clauses.
- AuthBy RADSEC and ServerRADSEC can now write outgoing messages to MessageLog. Reported by Karl Gaissmaier.
- Status-Server timeout value for AuthBy RADIUS and AuthBy RADSEC can now be separately set with KeepaliveNoreplyTimeout configuration parameter. Suggested by Karl Gaissmaier.
- Improved logging when Stream modules experience connection errors.
- MessageLog FILE could crash if Format configuration parameter was unspecified. Diameter message logging did not log remote IP and port correctly in some rare cases when the remote end closed connection and the local process was, for example, stopped.
- Added new SessionDatabaseOptions value NoDeleteOnSessionStop that tells Radiator to do session database update operation instead of delete. This allows keeping session information when accounting stop is received.
- Added wrap-text2pcap.pl to goodies for processing MessageLog FILE text2pcap formatted files. Written by Karl Gaissmaier.
- New module AuthBy RATELIMITSOURCE allows limiting the maximum number of messages per time window for a source. Two policers with different source selection, bucket number, rate and time window parameters allow setting limits for single sources and aggregates. Sample configuration in ratelimitsource.cfg is in goodies.
- AuthBy LDAP2 UnbindAfterServerChecksPassword when used with HoldServerConnection did LDAP unbind but did not clear binding state correctly causing LDAP error on subsequent query.
- Renamed AuthBy RADIATORLB to AuthBy RADIATORPROXY and added support for statically configured Host and RadiatorProxy clauses. Added optional configuration parameters for DynAuthPort and DynAuthSecret in AuthBy RADIUS Host clauses for basis for RADIUS dynamic authentication support.
- Improved debugging support in SNMPAgent. SNMP community string is now logged as **obscured** unless Trace is set to 5. Added port information and updated log message formatting. Added support for new PacketTrace flag configuration parameter to log received and sent SNMP messages in human-readable form. PacketTrace logs the community in plain text.
- LogSYSLOG now uses setlogsock() as much as possible instead of setting log host directly. Improved detection of setlogsock() capabilities and added error checking for setlogsock calls. Problems with syslog calls are now printed to STDERR too.
- Updated LogFormat.pm CEF and JSON accounting log formatters to work correctly when called from AcctLog’s LogFormatHook. Previously only Handler’s AcctLogFileFormatHook worked correctly. Updated CEF accounting format to use ‘Accounting received’ as event name when logging accounting before it’s handled.
- radpwtst now logs in more detail replies that have unexpected message type and EAP message combination.
- Updated GlobalMessageLog to support RadSec as a separate protocol from RADIUS. MessageLog clauses now support LogSelectHook which allows selecting which messages to log in case not all messages need to be logged. Updated the configuration sample logformat.cfg in goodies. Help and suggestions by Karl Gaissmaier.
- TACACS+ is now supported by MessageLog clauses.
- Added Radius::Nas::Generic class which implements two translate/extract functions: one to unify MAC address formats and extract possible SSID and the other one to extract realm from different username formats. Updated vsa-translate.cfg in goodies.
- AuthBy SIP2 now supports two new configuration options: Retries and FailureBackoffTime. Timeout handling was also improved, but does not work when Radiator is run on Windows.
- TLS_Ciphers is now correctly initialized with a default value in DiaClient.
- Enhanced client certificate verification options for TLS based EAP methods with new configuration flag parameters: EAPTLS_CAPartialChain enables X509_V_FLAG_PARTIAL_CHAIN support available since OpenSSL 1.0.2. EAPTLS_UseCADefaultLocations configuration flag parameter specifies that the default locations from which CA certificates are loaded should be used. This was always enabled for previous Radiator versions but is now turned off by default. EAPTLS_NoClientCert disables loading of any CA certificates for client certificate verification. This allows simplyfying PEAP and EAP-TTLS configuration when client certificates are not requested with EAPTLS_RequireClientCert. When EAPTLS_NoClientCert is enabled, EAPTLS_CAFile, EAPTLS_CAPath, EAPTLS_CAPartialChain and EAPTLS_UseCADefaultLocations are not used and need not to be configured. Partial chain suppport suggested by Philip Brusten.
- Enhanced client certificate verification options for Stream TLS classes, such as RadSec and Diameter, with new configuration flag parameters: TLS_CAPartialChain, TLS_UseCADefaultLocations and TLS_NoClientCert work similar and have similar defaults than their recently added EAPTLS_ counterparts. TLS_NoClientCert will not be supported by all StreamServer clauses. Initial support is added for Monitor and ServerHTTP which use it for turning off all client certicate checks.
- Updated test.pl to complain first about missing mandatory modules. Enhanced test output and added usage with MSCHAP testing hints.
- ServerTACACSPLUS now supports Prompt reply attribute for turning off noecho flag in TACACS+ authentication replies. This allows hinting the TACACS+ client that it should echo user’s response as it’s entered. Updated radpwtst, tacacsplustest and diapwtst to honour Prompt attribute to turn on local echo for password challenges. The default is to always turn off echo. Fixed incorrect EAP-GTC length calculation in diapwtst responses. Updated tacacsplustest to display server’s message for interactive authentications.
- Updates to RADIUS tagged string handling: attributes with dictionary type tagged-string, for example Tunnel-Private-Group-ID, are now decoded so that tag value 0 is ignored. When encoding, tag 0 is only added when it is explicitly defined. Txag with value 0 is no longer implicitly added. Tag values outside from 0 to 31 are now encoded as the part of the value. For this reason Radiator no longer displays tag 0 or proxies by default tag 0 for tagged-string type attributes. Tag values outside from 0 to 31 for Tunnel-Password and other attributes with dictionary flag has_tag are encoded as part of actual value with tag set to 0. Tag value 0 for Tunnel-Password is now ignored during decode. New formatter %{UntaggedVal:attribute} returns the named attribute from the current request without the possible tag.
- Updates to AddressAllocator DHCP: Subnet Selection Option is no longer required. If configuration has no SubnetSelectionOption set, no SSO is required in DHCP request. Added support for configuration parameters DHCPHostName and DHCPVendorClass for setting DHCP options 12 ‘Host Name’ and 60 ‘Class Identifier’ aka Vendor Class identifier, respectively. Updated addressallocatordhcp.cfg.
Refactored DHCP code shared by DHCP address allocator and server into a common DHCP peer module. ServerDHCP is available in Radiator Carrier pack. - DHCP User-Class option (77) is now correctly encoded. The encoding used format from draft instead of RFC 3004.
- Updated WiMAX attributes in the default dictionary with WMF-T33-001-R022v04 definitions. WiMAX-IP-Technology is now an alias for the current name WiMAX-Network-Technology. Fixed WiMAX-Packet-Flow-Descriptor-V2 definition. WiMAX-Home-Interface-Id-PMIP6 and WiMAX-Visited-Interface-Id-PMIP6 are now formatted as interface ids.
- Updated the default dictionary with the currently found definitions for VENDOR Symbol 388. The old names are still available as aliases, but attribute decoding is now done using the new names. The documentation also uses prefix WING- instead of Symbol- as the vendor prefix in the latest documentation. To use the new prefix, create a custom dictionary as documented by Radiator reference manual.
- Updated generic session database modules, SessionDatabase REDIS and AuthBy DYNAUTH to support sending RFC 5176 dynauth requests to update or disconnect all sessions a user may have. This allows, for example, an external management entity to disconnect all sessions of a user with just a username without knowing the number of sessions or their details.
- Fixed a bug with uncommon configurations where Handler’s last AuthBy returning ASYNC prevented possible post authentication session database update and other post auth actions from running.
- Improved configuration parameter error detection and logging for TLS based Stream classes and EAP methods. Errors with configuration file parameters and CRL loading are now logged in more detail. Return values for DH parameter, ECDH curve and Policy OID settings are now correctly checked for errors.
- Added ForwardHook to AuthBy RADIUS and AuthBy RADSEC and their derived classes. ForwardHook receives the current request and the request to be forwarded as its arguments. ForwardHook is called once for each request before it is forwarded to any of the remote RADIUS or RadSec servers. This hook allows you to modify the forwarded request without changing the current request. Suggested by Jose Borges Ferreira.
- Updated Stream TLS module to load passphrase protected TLS_PrivateKeyFile with the updated API enabled in OpenSSL 1.1.0f.
- Updated Radius request debug log dump so that it shows the the recalculated Message-Authenticator value instead of received or all zero value.
- When sending dynauth requests to a Client, AuthBy DYNAUTH now uses the Client’s configuration to set dynauth secret and dynauth port, and calls Client’s VsaTranslateOut, VsaTranslateIn and VsaTranslationHook.
- Updated EAP-FAST to work with OpenSSL 1.1.0 and later; and LibreSSL with Net::SSLeay 1.75 and later.
- Updated goodies/rcrypt usage and environent variable use
- AuthBy RADIUS and AuthBy RADSEC now support KeepaliveRequestType and AddToKeepaliveRequest to change probe type and contents from an empty Status-Server to any other message type with optional attributes. This allows sending, for example, Access-Request probes with User-Name and User-Password attributes. Suggested by Paul Dekkers.
- TLS_CRLCheckAll worked only when configured to a Host within AuthBy RADSEC. It now works correctly as a default setting within AuthBy RADSEC and AuthBY DNSROAM.
- ServerRADSEC now honours RewriteUsername and AddToRequestIfNotExist configuration parameters. Global RewriteUsername is also honoured. Based on suggestion by Nik Mitev.
- diapwtst now supports tls_protocols, bind_address and outport command line parameters. Fixed -timeout to work as expected.
- Major update to test certificates: added wildcard, expired and revoked end node certificates and three intermediate CAs. All four CAs sign all five end node certificates. Revocation lists are signed by all CAs. The lists include revoked end node certificate, and for root CA, one intermediate CA. Certificate contents and extensions were updated. The certificates now allow easier testing for revocations, including intermediate CA revocations, partial chains, expirations, policies and other conditions and configurations. Updated README files and included configuration files and scripts for recreating all files with desired algorithms and other settings.
- Radiator’s LDAP module Ldap.pm now tries connecting each configured Host individually instead of passing all hosts directly to Net::LDAP. Trying hosts one by one allows individual failure backoff time for each host and working TLS certificate check based on host name. Updated ClientListLDAP and AuthBy LDAP2, LDAPDIGIPASS and LDAPRADIUS to use failure backoff for LDAP failures.
- Updated AuthBy GROUP to work with AuthBys that may return ASYNC. For example, AuthBy RADIUS with Asynchronous flag parameter enabled now works within an AuthBy GROUP. This update also contains initial work in Handler towards supporting imporoved functionality for AuthBy groups where an AuthBy returns CHALLENGE. In this case the next request can be directly handled by the AuthBy that replied with challenge.
- Monitor log messages now include tracing identifier when LogTraceId is set globally or within a Monitor clause.
- radiusd now supports -no_pid_file command line option. Updated radiator.service systemd unit configuration file in goodies to use this option and incorporated suggestions from Alexander Hartmaier and Rauno Tuul into radiator.service. Added new Radiator and logrotate configuration sample files linux-simple-config.cfg and logrotate.radiator in goodies. These three files use matching paths and other settings. linux-simple-config.cfg requires minimal, if any, modifications to work on other UNIX or BSD systems too.
- Airespace-QoS-Level dictionary definitions were updated to match the current definitions used by Cisco WLC. The old values were correct for ACS 4.1.x. The new values are used by ACS 5 and also described in WLC configuration guides. The value names are mostly the same but the actual numeric values are different. If you need the old values, create a custom dictionary file and load it with DictionaryFile configuration parameter.
- radpwtst now supports -no_random command line option which makes RADIUS authenticator and different CHAP methods to use fixed values. This allows repeating tests with fixed values. radpwtst now logs a detailed warning when incorrect MS-CHAP2-Success is received with Access-Accept. Also fixed radpwtst and diapwtst option file whitespace handling.
- TLS_Protocols and EAPTLS_Protocols now recognise TLSv1.3. TLSv1.3 is turned off by default for TLS based EAP methods and Stream based protocols, such as RadSec and Diameter. TLSv1.3 is made available for testing and future use and it is not supported yet. Net::SSLeay 1.83 or later is required when using Radiator with TLS 1.3 aware SSL/TLS library. Internal changes to TLS code to use recently added constants and functions in Net::SSLeay.
- Radiator now sets X509_V_FLAG_TRUSTED_FIRST together with X509_V_FLAG_PARTIAL_CHAIN when EAPTLS_CAPartialChain or TLS_CAPartialChain is set.
- AuthBy NTLM now logs and rejects directly parameter lengths not supported by ntlm_auth.
- Tunneling EAP methods, EAP-FAST, EAP-TTLS and PEAP, now support configuration parameter EAPTLS_CopyToInnerReques for copying attributes from outer request to inner request. Previously this required PreHandlerHook or similar method.
- Updated Acct-Delay-Time handling in RADIUS accounting requests: Radiator no longer adds a zero valued attribute when it’s not present in the request. Acct-Delay-Time is now accessed only when needed making proxying slightly faster. Fixed missing delay adjustment for a request when its retrasmit caused a failover to secondary host. Fixed negative adjustment reported by Vangelis Kyriakakis.
- radpwtst enhancements: -time option is now an alias for -print_stats. -print_stats option now shows the average requests/second rate and total time. Number of requests is now clearly separated from the number of iterations because each iteration may consist of multiple requests. New option -iteration_delay sets a delay between successive iterations to help testing with different request rates.
- OCSP peer certificate checking and OCSP stapling are now supported for EAP-TLS and Stream based modules such as RadSec and Diameter. Asynchronous OCSP check is supported for EAP-TLS. See sample configuration files eap_tls.cfg, radsec-server.cfg and radsec-client.cfg in goodies directory for configuration parameters, including OCSP responder location, failure policy and response caching.
- Updated RADIUS and RadSec proxying MaxFailedRequest and MaxFailedGraceTime to work better with low request rates.
- Updated many EAP methods to include EAP-Failure in Access-Reject messages where it was still missing. Changed some EAP failure cases to trigger Access-Reject instead of ignoring the message. Added more checks for inner EAP-TTLS requests.
- Added support for ConsumePassword configuration parameter for AuthBys. This parameter allows shortening and using parts of password by multiple AuthBys when they process a request, for example, during two factor authentication. Updated duo.cfg and digipassStatic.cfg in goodies to use ConsumePassword.
- Added support for Group-Authorization check item. This check item defines the Identifier of an AuthBy to use for authorising users based on their group membership. Added configuration parameters GroupFilename to AuthBy FILE and GroupMembershipAttr to AuthBy LDAP2. Added support for Windows AD tokenGroups in AuthBy LDAP2 for group based authorisation. Added two new configuration samples in goodies: authorize-group1.cfg shows how to do LSA authentication and direct Wi-Fi users to VLANs based on their AD groups. File authorize-group2.cfg shows how to authorise users with different administrative roles based on what Client they log in from.
- Updated Resolver clause to never use persistent TCP or UDP sockets. This uses more sockets but is required because of lack of working support for multiple outstanding queries. This allows Radiator to work again with all Net::DNS versions. TCPPersistent and UDPPersistent configuration parameters are now obsolete. Thanks to Fernando Reis for reporting DNS roam problems.
- Stream based TLS classes, such as RadSec, now support TLS_SubjectAltNameDNS configuration parameter. This works similar to existing TLS_SubjectAltNameURI parameter and is used when subject alternative name type is DNS. Requested by Jan Tomasek.
- Updated AddressAllocatorSQL to reject request instead of allowing it to timeout when AsynchronousSQL is set and allocate, update or deallocate fails. Methods confirm, deallocate and deallocate_by_nas now return reject with reason if UpdateQuery, DeallocateQuery or DeallocateByNASQuery fails instead of always returning accept.
- AuthBy DNSROAM now passes to certificate verification the name that was looked up during DNS discovery. The name is used similarly to TLS_SubjectAltNameDNS allowing verification based on name insted of just peer address. Enhanced TLS certificate verification logging for Stream based modules including information about DNSROAM discovered name and SRV records.
- Fixed AuthBy DNSROAM to refresh route object when rediscovering it with unchanged parameters. This fixes log messages like “AuthBy DNSROAM rediscovered the same target for …” appearing too often.
- EAP modules configured with EAPType are now loaded during configuration loading. This makes problems with module dependencies visible immediately during the configuration.
- PEAP now supports inner authentication after session resumption. This fixes problems seen on Windows, for example, when changing between WLANs. Reported by Jan Tomasek and others.
- Disabled completely non-functional session resumption for TLS-based Stream modules. Enabled no renegotiation flag for TLS-based EAP methods and Stream modules.
- radpwtst now adds Event-Timestamp to Accounting-Request messages.
- EAP-pwd now supports RFC 2759 (NT hash) and SASLprep password pre-processing methods. These are configurable with a new parameter EAP_PWD_PrepMethod that supports values ‘NtHash’ and ‘SASLPrep’. See the reference manual for additional information about compatibility and module requirements. This change also adds generic support for adding additional prep methods.
- Compiled Win32-Lsa for ActivePerl 5.24 and 5.26 and Strawberry Perl 5.26. 32-bit versions are no longer compiled by default. Contact us if you still need them.
- Revision 4.19 (2017-06-29) new features and bug fixes
-
Selected compatibility notes, enhancements and fixes
- Fixed a memory leak in TLS based EAP methods. This affected configurations that disable session resumption.
- Unfinished EAP authentications are now logged
- Ignored authentications are now available for AuthLog logging
Known caveats and other notes
- PEAP session resumption sometimes fails on Windows and reverts back to full authentication. A fix is known and planned for future releases.
- Initial testing with OpenSSL 1.1.0. EAP-FAST is not yet functional.
Detailed changes
- Enhanced log messages generated by TLS based EAP methods. More details are now logged and available with AuthLog reason information.
- Added two new Context module functions: fetch returns an existing context and resets its timeout. If there’s no existing context, returns nothing. timeout_callback sets a callback function for a context that is called when the context times out.
- Enhanced EAP logging: EAP authentications that do not finish are now logged both to Radiator log and authentication log. Authentication log entries are logged as rejected authentications. Suggested by David Zych et al.
- EAP contexts are now freed when the authentication finishes instead of always waiting for context timeout
- TLS based EAP methods were leaking memory when EAPTLS_SessionResumption was disabled. This option is enabled by default.
- Added VENDOR Airespace 14179 VSA Airespace-IPv6-ACL-Name to dictionary
- Application was misspelled in DiaAttrList::REDIRECT_HOST_USAGE_REALM_AND_APPLICATION and Diameter application name ‘SIP Application’
- Fixed AuthBy SIP2 that rejected both valid and invalid authentication attempts with EAP-GTC. Enhanced SIP2 logging and updated AuthBy SIP2 to more reliably handle unsupported EAP methods.
- An error message is now logged when quote method is called for a module that is not a SqlDb. Single quotes are now stripped from quoted value. Any custom modules that log this message need to be fixed to use a correct SqlDb derived module when calling quote.
- Added support for polling a message queue in Gossip. Added a new configuration sample radius-dynauth.cfg in goodies that uses AuthBy DYNAUTH to send RADIUS dynamic authentiation requests. Handler.pm now passes reference to result reason to replyFn it calls. Minor fixes to trace id passing and Gossip.
- New check items RecvPort, RecvAddress and RecvName match requests based on the local port or address. For example, if Radiator listens on Radius port 1645 and 1812 <Handler RecvPort=1645> selects only those requests that were received by port 1645.
- Enhanced Monitor for integrating with other systems. Implemented the following Monitor commands:
ASCII: change both object and line separators to “\n”
DEFAULT: change both object and line separators back to their default values ASCII SOH and NUL, respectively
GET: Get a single attribute from an object
With the kind assistance of Kilian Krause - Fixed a crash in SessionDatabase REDIS simultaneous use check
- Updated Gossip encryption documentation, logging, invalid key handling and changed key index 0 to reserved.
- StatsLog proxiedNoReply counter is now incremented for Hosts within AuthBy RADIUS and RADSEC and their derived clauses. Previously the counter was incremented only for the AuthBy after all retries had been exhausted. Status-Server timeouts do not increment Host proxiedNoReply counter.
- All AuthLog clauses now support LogIgnore flag parameter. This parameter defaults to not set and when set, allows logging ignored autentication attempts. An attempt is typically ignored when a user database fails or Radiator can not return a definitive answer for some other reason. Proxied requests that return immediate ignore are not logged because a reply with final result is expected later.
- Fixes to GossipUDP server farm and peer discovery messaging
- When User or Group global parameter is set, both effective and real user or group id is set instead of just effective ids.
- Fixed a problem where advanced debugging, for example with Monitor’s trace predicates, could cause a crash.
- DynAuthPort in Client now defaults to not set instead of 3799. This allows clauses such as AuthBy DYNAUTH to provide a per request value that is not overwritten by Client’s DynAuthPort.
- radiusd now supports multiple -I command line parameters.
- Revision 4.18 (2017-05-10) new features, security and bug fixes
-
Selected compatibility notes, enhancements and fixes
- Added AuthenProto parameter for setting the allowed authentication protocols such as PAP, CHAP and SIP digest. See below for details especially if you use SIP digest.
- EAP-MSCHAP-V2 requires EAP_MSCHAPv2_UseMultipleAuthBys flag parameter when there are multiple AuthBys in the same Handler.
- Added AcctLog clauses for logging accounting messages.
- Added support for proxy algorithms in AuthBy RADSEC.
- Number of enhancements to logging, EAP and other protocol handling. Custom EAP-TTLS implementations may need updates, see the details below.
- Empty passwords and usernames with NUL octets are now rejected by most authentication methods when doing local user database lookups.
- Dash ‘-‘ no longer works as Filename for StatsLog FILE and similar parameters.
- Security fixes for general authentication, SQL quoting, Digipass authentication and AuthBy HEIMDALDIGEST. OSC recommends all users to review OSC security advisory OSC-SEC-2017-01
Known caveats and other notes
- PEAP session resumption sometimes fails on Windows and reverts back to full authentication. A fix is known and planned for future releases.
- Special % character formatting was updated. Correctly defined format strings should require no changes.
- No testing with OpenSSL 1.1.0 yet.
- We have received reports about memory leaks. We are investigating this and would appreciate any reports about unusual process growth.
Detailed changes
- Added support for new type of clause AcctLog xxxxx. An AcctLog clause logs RADIUS accounting requests to a file, Windows Event Log, SQL or syslog. An AcctLog is configured similar to AuthLog: you configure one more AcctLog clauses for a Handler or Realm. Currently supported AcctLog clauses are: AcctLog EVENTLOG, AcctLog FILE, AcctLog SQL and AcctLogSYSLOG. See logformat.cfg and sql.cfg for configuration samples.
- Redis endpoint can now corretly be set to Sock. Previously the endpoint was set to 127.0.0.1 even if socket was desired. Reported by Paul Dekkers.
- Added support for DiaStatsLog FILE and DiaStatsLog SQL for Diameter statistics logging. Enhanced Diameter statistics logging to suppress logging for inactive peers and objects with unchanged counter values. DiaStatsLog SQL requires Diameter application specific columns in the statistics table. Added a configuration sample diastatslog.cfg in goodies.
- DiaStatsLog clauses can now remove inactive peer from Diameter statistics logging. Peer removal is controlled by new configuration parameters PeerAliveDetectionInterval and PeerRemovalThreshold.
- Added a number of attributes in dictionary for vendor 6527 Alcatel-Lucent-Service-Router, enterprise number known as Alcatel-Lucent (formerly ‘Panthera Networks, Inc.’).
- Added various VENDOR 25053 Ruckus VSAs to dictionary. Ruckus VSA 126 name is now Ruckus-Accounting-Status. The previous name Ruckus-Acct-Status is kept as a synonym. VSA 126 in the incoming requests, if present, will be decoded as Ruckus-Accounting-Status. Contributed by Christian ‘wiwi’ Wittenhorst.
- radpwtst now supports new flag parameter -timestamps. Time stamps are printed, for example, when announcing sent requests and received replies. Time stamps are also automatically printed when multiple iterations are enabled.
- Updated radiusd Windows service installation to work with Windows Server 2016. Problems with installservice option were reported by Robert Fisher.
- Added VENDOR 1966 Perle VSAs to dictionary.
- Message-Authenticator attribute updates: Relaxed RequireMessageAuthenticator to consider only those request types that have RFC support for Message-Authenticator. Message-Authenticator is now automatically added to the reply or the proxied request when the request contained Message-Authenticator. This also affects Status-Server responses. Message-Authenticator is now always required when EAP-Message attribute is present in incoming messages.
- Locked and evaluation versions of radiusd will now log expiry and other licensing related information to log in addition to stdout.
- Added VENDOR 2636 Juniper attributes Juniper-Junosspace-Profiles, Juniper-Session-Port, Juniper-CTP-Group, Juniper-CTPView-APP-Group and Juniper-CTPView-OS-Group to dictionary. Also added Juniper-Authentication-Type as an alias for Juniper-Junosspace-Profiles. With the kind assistance of Peter Hendrikx.
- Added sample configuration file eaptls_resume_post_auth_hook.pl in goodies to show how to store and retrieve information that needs to be kept over resumed TLS sessions. Useful for custom hooks used with EAP-TLS, EAP-TTLS or PEAP. Updated EAP modules to support customised access to stored resume information.
- Unified logging and handling of EAP responses for which TLS is not intialised. These are now logged as possible duplicate responses. TLS connections are now cleared earlier and similarly for all TLS based EAP methods.
- Radiator’s SQL module now supports asynchronous queries for MySQL/MariaDB and PostgreSQL. Tested with DBD::mysql 4.035 against 10.1.13-MariaDB. Updated AddressAllocator SQL to use asynchronous queries. Asynchronous queries are enabled with new common SQL configuration parameter AsynchronousSQL. Additional parameters AsynchronousSQLConnections and RoundRobinQueries allow tuning how the asyncronous queries are done. For synchronous and asynchronous operation, ConnectSQLAtStartup is now available to connect to all configured SQL databases when the module is loaded during Radiator startup.
Configuration sample addressallocator.cfg in goodies for asyncronous allocation.
AddressAllocator DHCP and DHCPv6 no longer increment dropped request statistics while they return ignore and wait for the DHCP answers. - Fixed a bug in GossipRedis where a reconnect after Redis server disconnect caused a crash. Also corrected extra newline in statslog.cfg. Crash reported by Niels Monen.
- ServerTACACSPLUS can now be configured to disconnect the client without returning TACACS+ error status when an AuthBy returns IGNORE because of authentication database failure. This may trigger the client device to fall back to local authentication that it may not do when Radiator replies with a TACACS+ error status. Note: the client behaviour is implementation specific. This option is controlled by the new configuration flag parameter DisconnectWhenIgnore.
- Removed unused configuration parameter Table from AuthLog SQL.
- Prepared PEAP for future implementation of missing features such as cryptobinding, Statement of Health (SoH), capabilities negotiation and starting full authentication from resumed TLS session. Updated PEAP EAP TLV Extensions handling and logging.
- radpwtst now warns if it can not fully handle IPv6 addresses, prefixes and sockets.
- Added a startup check for required Perl module Digest::SHA. Note that depending on the configuration, Digest::SHA may be required very early during the configuration which can be before the check has run. Digest::SHA is part of core Perl but packaged separately on some platforms, notably Red Hat and CentOS.
- Fixed a warning log message in AuthBy RADSEC that was incorrectly changed in Radiator 4.17.
- radpwtst now supports two new command line arguments: ‘-print_stats’ shows statistics after radpwtst finishes. Useful, for example, when running with -iterations for long period of time. ‘-onlyfailed’ shows only failed requests. This is particularly useful if running radpwtst with either -iterations parameter or when running several radpwtsts in parallel with, for example, GNU Parallel.
- Added support for proxy algorithms in AuthBy RADSEC. The proxy algorithms supported by RADIUS proxying, such as hash balance and round robin can now be used when proxying to multiple AuthBy RADSEC hosts. The algorithm is chosen with ProxyAlgorithm configuration parameter. See radsec-client.cfg for examples. Special thanks to Christian ‘wiwi’ Wittenhorst for his kind help and Jan Tomasek for suggesting this feature.
- Removed unnecessary code from RADIUS proxy algorithms, such as AuthBy HASHBALANCE and AuthBy ROUNDROBIN. AuthBy EAPBALANCE now adds State to Access-Request replies only.
- Updated the remaining LDAP attribute fetching calls to use get_value. Updated LDAP AuthBy clauses to use DN escaping for BaseDN specials instead of using filter escaping which does not cover all DN requirements. Updated digipass_ldap.cfg and ldapradius.cfg configuration samples with the special formats.
- Updates to AuthLog EVENTLOG: Use Radiator’s logging functions instead of printing to STDERR if there’s a problem with Event Log. Fixed a potential crash if Event Log can not be opened.
- Added support for filtering TTLS tunnelled AVPs. Two new configuration parameters are available for defining allowed attributes for custom clients: EAP_TTLS_AllowInRequest and EAP_TTLS_AllowInReply. These are not set by default and ‘User-Name, User-Password, CHAP-Password, CHAP-Challenge, EAP-Message, MS-CHAP-Response, MS-CHAP-Challenge, MS-CHAP2-Response’ are allowed in requests and ‘EAP-Message, MS-CHAP2-Success’ are allowed in replies. These are the attributes from TTLS RFC 5281 except of the password change related attributes which are currently not allowed by default.
- Destination-Realm was missing from Diameter Accounting-Request (ACR) commands sent by diapwtst.
- Implemented special formatting with recursive subpatterns introduced in Perl 5.10. The old implementation is used with older Perls. This simplifies the implementation and provides possibility for further optimisation in later patches.
- AuthFIDELIOHOTSPOT now tries to fetch user’s current/existing service class when configured to use ServiceAttribute VSA but Access-Request does not contain one. If no existing service class is found from either request or from a database, then reject the request as before. This helps interoperability with MikroTik where MikroTik does not resend the some VSAs when doing automatic MAC cookie authentication after reboots or other events.
- Added peer IP:port information to TLS related error messages that are logged by TLS stream based modules. Examples of these are AuthBy and Server RADSEC and DIAMETER. Suggested by Paul Dekkers and Alan Buxey.
- Added new optional configuration parameter EncryptedSecret for all Gossip methods. EncryptedSecret has the same purpose as Secret but its value is in encrypted format. If both Secret and EncryptedSecret are configured, EncryptedSecret is used.
- Multiple enhancements to radpwtst: new command line option -log_microsends adds microsecond resolution to radpwtst log time stamps. Existing command line option -noreply is now displayed with usage and documented in reference manual. Identifiers that radpwtst generates start now more randomly. This makes it easier to follow radpwtst logs when multiple radpwtst instances are run in parallel.
- Command line arguments to radpwtst no override arguments in the radpwtst options file. Badly formatted attribute=value command line or option file arguments are now logged by radpwtst. No messages are sent if the options file or command line arguments are incorrect. Override is only supported with Perl 5.10.0 and later.
- Current request is now passed to all log messages in EAP FAST for enhanced logging.
- Enhanced EAP-TTLS inner attribute parsing and logging. Attribute lengths are now compatible with RADIUS lengths and unworkable attribute combinations are now rejected earlier. Trace 5 debug will now show hex dumps for received and sent EAP-TTLS inner messages.
- Added a new optional configuration parameter EAP_Identity_MaxLength. This optional parameter is available for all AuthBys and sets the maximum length an EAP identity can have. The default is 253 octets. There is typically no need to change the default.
- Most EAP methods now require a non-empty EAP identity. This avoids unnecessary user database lookups when there’s no usable user identity.
- Fixed diapwtst to send its AA and Accounting requests with Proxiable flag.
- EAP GTC now supports optional configuration parameter EAP_GTC_MaxLength for specifying the maximum length of EAP GTC token accepted from the client. Defaults to 253 for RADIUS compatibility. If EAP GTC response uses RFC 5421 EAP-FAST-GTC response format, the identity in response must be equal to EAP identity. Updated the list of attributes copied to PAP request converted from EAP GTC request. Fixed radpwtst to use correct reponse length with -eapgtc option. Added support in radpwtst for RFC 5421 EAP-FAST-GTC response format. When radpwtst is run with -eapfastgtc command line option, the response is formatted according to RFC 5421 response format. Otherwise -eapfastgtc works the same as -eapgtc.
- The inner message created from PEAP version 0 tunnelled data now has correct EAP length field. The length field did not previously include the EAP header Radiator adds to PEAv0 tunnelled requests. This change helps with interoperability with other servers when inner requests are forwarded.
- Password from Monitor’s LOGIN command is now sanitised and logged as **obscured**.
- Updated generic CHAP, MSCHAP, MSCHAPv2 and SIP based authentication to reject requests earlier and log the specific reason when attribute lengths do not meet the expected values. Updated Digipass and Safeword authentication similarly for CHAP protocols, and updated and fixed related logging and error handling for Digipass. Updated AuthBy LSA to always reject CHAP when challenge is not 16 octets that LSA expects. This helps diagnosing login problems of CHAP clients that use less common challenge lengths.
- Added new optional configuration parameter AuthenProto for setting the allowed authentication protocols for an AuthBy. Defaults to PAP, CHAP, MSCHAP, MSCHAPv2, EAP, AuthorizeOnly. Other possible protocols are SIPDigest and Unknown that matches all other requests.
AuthenProto can be configured for all AuthBys but currently does not affect proxying or special AuthBys, such as AuthBy INTERNAL which do their own request handling.
Caution: The default covers the normal user authentication cases. You may need to add Unknown to those AuthBys that handle special authentication requests that do not have User-Passwords, any of the CHAP or MSCHAP(v2) or EAP-Message attributes.
Caution: If you have an AuthBY for SIP Digest authentication, you must configure it with AuthenProto SIPDigest to allow SIP Digest authentication. - Updated EAP MSCHAP-V2 to use states from MS EAP-MSCHAP-V2 document in preparation for password change support. Enhanced logging and log messages content. Enhanced handling of MSCHAPv2 conversion where replies that are not accepts or rejects are now logged with log level warning. Previously all locally generated replies were processed.
Caution: If a Handler or AuthBy GROUP has multiple EAP-MSCHAP-V2 enabled AuthBys, all AuthBys must now specify a new flag configuration parameterEAP_MSCHAPv2_UseMultipleAuthBys. This parameter is likely not available when password change or other EAP-MSCHAP-V2 functionality is added. Do not use this flag with EAP_PEAP_MSCHAP_Convert parameter. - Empty passwords from user userdatabase now cause a reject. If a user has password check item, and the password retrieved from user database is empty or undefined, the authentication is rejected. The cause for empty password in this case is typically a configuration mistake or user database malfunction. The rejects are logged with level warning.
- Fixes to GossipUDP peer discovery and peer reachability maintenance.
- Enhanced User-Password and Encrypted-Password check items. MS-CHAP-MPPE-Keys are now returned for MSCHAP only when cleartext password is available. Prefix {clear} now works the same for the both check items. If password’s encrypted format is incompatible with an authentication protocol, more informative message is logged. Encrypted-Password check items with unrecognised format are now clearly logged with a warning. Format for {nthash} prefixed values must now be exactly 32 hex characters or a warning is logged. Note: EAP-MSCHAP-V2 and LEAP do not yet support getting the password or NT hash from user’s Encrypted-Password check item.
- EAP generic code now logs various error cases and unexpected and broken EAP messages in more detail.
- Internal updates to use more modern Perl features. Updated DES.pm to work when strict and warnings are enabled. Updated MSCHAP to use warnings and require similar to other modules.
Updated calls to open use three parameters. Caution: Specifying a dash ‘-‘ for filename to StatsLogFILE, LogFILE, AcctLogFileName and other similar parameters no longer enables logging to stdout. Using a dash for a filename now causes a warning. - Updates to AuthBy HEIMDALDIGEST. If there are errors with communicating with kdigest or values returned by it are found faulty, more detailed messages are logged and authentication requests are rejected earlier when possible. Communication with kdigest was improved and is now similar to what AuthBy NTLM uses.
- AuthGeneric md5_challenge and mschapv2_challenge now return status value in case they are overridden by an authentication method, currently only HEIMDALDIGEST, which may fail to generate a challenge. Updated EAP-MD5 and EAP-MSCHAP-V2 to check the challenge return value.
- UsernameCharset configuration parameter now applies to EAP identities too.
- diapwtst now uses $HOME/.diapwtstrc and /etc/diapwtstrc as its configuration file.
- Rearranged the order of DefaultRealm processing and PreHandlerHook call in Client.pm. DefaultRealm is now added before PreHandlerHook is called which is the order that all other similar modules already use. Suggested by Niels Monen.
- Optimised special character formatting when the format string has only single character formatters.
- Password returned by GetNovellUP is now automatically prefixed with {clear}. Updated eDirectory documentation and configuration samples in goodies.
- Changed EAPTLS_SessionContextId default to include EAP type and original username in addition to Handler. This improves TLS based EAP authentication when Windows tries both computer and user authentication with same TLS session, and keeps different EAP types in different contexts
- New global configuration parameters PBKDF2_MinRounds and PBKDF2_MaxRounds now control the iteration rounds allowed for PBKDF2 transformed passwords.
- Updated AuthBy SQLAUTHBY to use %0, SQL quoted realm, in the default AuthBySelect and set the default value of Class parameter to LDAP2. Special %1 is now the SQL quoted realm in AuthBy SQLRADIUS HostSelect. When bind variables are used, these specials are the unquoted realm values. Updated the configuration samples of the both AuthBys to use SQL bind variables.
- EAP elapsed time is now logged in decimal format always. Negative times are not logged which happened when EAP had not properly started before failure. Improved logging of unexpected EAP NAKs and NAKed methods.
- Radius messages shorter than 20 or longer than 4096 octets are now discarded earlier and with more informative log message showing source IP address and port.
- Updated ServerHTTP and Monitor to limit username and password for 253 for RADIUS compatibility.
- Updated EAP-pwd: Turned off fragmentation support and enhanced logging. Fixed a potential memory leak.
- Access-Reject is now returned more often for failed EAP authentication attempts instead of ignoring the request. This allows Radius clients to know that the server is still responding to Radius requests. EAP failure is also now returned more often with Access-Rejects for failed EAP authentication attempts. Updated logging of failed EAP messages.
- ServerDIAMETER and ServerRADSEC now correctly append DefaultRealm if configured to do so.
- test.pl can now produce Test Anything Protocol (TAP) compatible output with -tap command line parameter.
- Enhanced AuthBy RSAAM logging, removed old code and improved character encoding to avoid broken query syntax.
- Usernames with NUL octets now cause a reject by default with user database lookups. AllowNULInUsername flag parameter can be set for an AuthBy if NULs need to be allowed.
- Revision 4.17 (2016-09-21) enhancements, new features, security and other fixes
-
Selected compatibility notes, enhancements and fixes
- radiusd now exits during startup if it can not load the objects required by the configuration file.
- Hooks and custom code that calls get_plaintext_password or translate_password should be checked for compatibility
- AuthBy RADSEC now supports Radiator’s Gossip framework for reachability information
- Any hooks or custom code that needs to save data across resumed EAP-TLS, EAP-TTLS or PEAP authentication sessions must now use resume context. See EAP.pm for the details.
- RADIUS dictionary name space was changed for IANA registered attributes. Any hooks or custom code that accesses RADIUS dictionary, or does RADIUS – Diameter conversion may need updates.
- JSON time stamp formats were corrected and unified in LogFormat.pm
- AuthBy DUO now does pre-authentication by default
- AddressAllocator SQL now supports IPv6 prefix allocation
- Session resumption for TLS based EAP methods was enhanced
- Many new features and options for SessionDatabase modules
- AuthBy RADIUS supports configuration parameter Asynchronous for easier AuthByPolicy handling
- New MessageLog clauses for logging RADIUS and other messages
- StatsLog updates including cumulative and derivate statistics
- HTTP digest authentication must now be enabled per AuthBy basis
- Security fixes for AuthBy LDAP2 when used with EAP. OSC recommends all AuthBy LDAP2 users to review OSC security advisory OSC-SEC-2016-01
Features not in this release yet, known caveats and other notes
- OCSP support
- Proxy algorithm selection for AuthBy RADSEC
- No testing with OpenSSL 1.1.0. Testing with OpenSSL 1.0.2h, Net::SSLeay 1.78, IOS 10, Android 7 and Windows 10
- PEAP session resumption sometimes fails on Windows. Further investigation is ongoing
- Major documentation update. Radiator reference manual is available in HTML format again
Detailed changes
- Updated debug log messages for Stream classes. The stream client and server now log the destination name and its currently resolved address more clearly in the debug log messages. This affects log messages for RadSec, Diameter, ServerHTTP and other Stream based modules.
- AuthBy RADSEC now logs packet dumps for the Status-Server replies it receives from the next hop proxy. The Port configuration variable is now formatted when RadSec Host is activated. This allows logging the actual port number instead of the unformatted configuration value.
- Added Gossip support for AuthBy RADSEC. The RadSec Hosts can now distribute next hop proxy reachability information with Gossip. The configured Host name, not the current IP address, is used as the key when determining if the current report should be processed. The behaviour is currently slightly different from AuthBy RADIUS. Updated radsec-client.cfg in goodies. Suggested by Jan Tomasek.
- Updated AuthBy RADSEC log messages to be more clear about destination name, IP address and port.
- While loading dictionaries, Radiator now logs a warning when the vendor has not been defined for a vendor specific attribute.
- Correct configuration file names are now logged when there are errors parsing the included configuration files during radiusd startup. Previously the file name might have been the main configuration file name. Reported by Kilian Krause.
- Clause ends are now checked for matching starts while the configuration file is read. Possible mismatches and incorrectly ended clauses are logged with a warning, but no other action is currently taken.
- Gossip messages sent by one AuthBy RADIUS module will now be accepted by all the other AuthBy RADIUS modules within the same radiusd instance. Previously the messages were always ignored when they originated from the same instance. This behaviour is now similar to what AuthBy RADSEC does.
AuthRADIUS and AuthRADSEC now include the type of the failed request in the Gossip messages. A module using UseStatusServerForFailureDetect will now act only on failed Status-Server requests. With report and help from Paul Dekkers. - AuthBy LDAP2 now logs the search filter with the query results
- Added VENDOR 3GPP 10415 VSA 3GPP-User-Location-Info-Time from document TS 29.061 version 12.10.0 to dictionary.
- AuthBy DYNADDRESS now uses MapAttribute yiaddr when processing Accounting-Requests. Previously the address was always fetched from Framed-IP-Address.
- AddressAllocator SQL now supports IPv6 prefix allocation. Updated addressallocator.cfg in goodies.
- Fixed a problem in ServerTACACSPLUS where some requests sent by a high volume client were discarded during read.
- New example farmchildhook.txt in goodies shows how to use FarmChildHook to rotate AuthPort, AcctPort and DBSource. Used in FarmChildHook EAP environments with a backend radius behind HASHBALANCE or similar. See the file for full details. Contributed by Christian Kratzer, CK Software GmbH
- Added support for PoolGroup and Priority configuration parameters for AddressAllocator SQL AddressPools. These parameters set the values for specials %4 and %5 for AddAddressQuery. A PoolGroup defines a name to group multiple pools with different priorities set by Priority. Suggested by Damjan Kukas.
Added new hook NoAddressHook for the SQL allocator. The hook is called when there are no addresses left or the allocation fails because of too many simultaneous tries. The hook is passed references to $p, $rp, $result, $reason and the value of pool hint. To change the type of reply, you should change $result from $main::REJECT to the desired value. - Enhancements to SessionDatabase configuration within Handlers. New Handler parameter SessionDatabaseOptions is available for: turning off session delete to clean up possibly hung sessions during authentication, enabling SessionDatabaseUseRewrittenName, turning on adding sessions before authentication and turning on adding sessions after successful authentication.
- Gossip framework now supports forget() to remove a message previously posted with note(). In case of Redis backend, forget maps to Redis DEL command.
- Updated GossipRedis default Timeout from 3 to 1 seconds. Timeout is now also used for: sentinel connections, sentinel reads, sentinel writes, server read and server write in addition to server connections. Fixed some typos in Gossip sample file farmsize.cfg.
- NAS-IPv6-Address, if present, is now a possible value for NAS identifier if there is no NAS-IP-Address. This allows, for example, session database modules to use NAS-IPv6-Address if present in the request. Removed unneeded code from various modules since RecvFromAddress is always present in the current request.
- Radiator can now do delayed restart or termination. The action is delayed until there are no more requests to serve from the sockets. The delay is done in two phases: First, a configured number of seconds is waited until the requested restart or termination action is started. Second is to serve the remaining requests from the incoming sockets. This allows processing the queued requests before continuing with the restart or termination.
The delay is enabled and controlled by a new global configuration parameter DelayedShutdownTime. This defines the length of the first phase in seconds. DelayedShutdownHook is called immediately when the first phase starts. The hook can, for example, signal upstream proxies about the impending shutdown. - Added support for OSC’s new load balancer. The LB proxies labeled requests to Radiator which will process them as they were received directly from the NAS. The label support is enabled with the new global configuration flag parameter UseProxyLabel which defaults to off.
- Internal enhancements for EAPAnonymous handling. Also, $rp->{inner_username} now has the value of inner User-Name, if any, for EAP-TTLS.
- Added support for using State attribute for identifying ongoing EAP conversations. New global configuration flag parameter EAP_UseState, currently set to off by default, enables or disables the use of State with EAP for the whole server.
AuthBy EAPBALANCE users should convert to, for example, AuthBy HASHALANCE to avoid adding second State in the proxied requests. Users of other load balancers may find State advantageous when setting up LB rules. The value of State does not change during the EAP message exchange. - Server Identifier, the global Identifier parameter, now supports special formatting characters. The format is applied during the server startup. A 32 hex character long hash is calculated from the formatted Identifier for any possible later use.
- Added new Gossip backend module GossipUDP. GossipUDP provides support for direct UDP communication between Gossip peers. Gossip message format was extended to support optional header for TTL, payload encryption and other future uses.
- Added peer join and unjoin messages in GossipUDP. These messages allow the use of GossipREDIS, or some other Gossip backend, as a discovery mechanism to set up direct GossipUDP peering.
- Added new AuthBy GOSSIP module that supports authentication and authorisation against Gossip backends such as GossipUDP and GossipREDIS.
- PBKDF module now supports HMAC-SHA-256 as the pseudorandom function (PRF).
Added new module AES_GCM that supports the use of AES in Galois/Counter Mode (GCM). AES_GCM requires Crypt::GCM.
Enhanced the Gossip framework to support message encryption. Requires the Radiator AES_GCM module. - Sending of RFC 5176 Disconnect-Request and CoA-Request messages was enhanced with two new modules and minor changes to Client.pm auth AuthRADIUS.pm. Client.pm has new configuration parameters DynaAuthSecret, DynAuthPort and UseMessagAuthenticator to define the dynamic authorisation capabilities of the NAS. New module AuthDYNAUTH.pm is available for building dynauth requests and dispatching them to Handlers. The dispatched dynauth requests can be matched with <Handler DynAuthRequest=1>. New module AuthRADIUSBYATTR.pm is available for forwarding the newly built dynauth request to the NAS based on the dynauth request contents. AuthBy RADIUSBYATTR is a subclass of AuthBy RADIUS and will automatically handle retransmissions. The dynauth responses will be handled by AuthBy DYNAUTH. AuthBy DYNAUTH can optionally register itself with Gossip to receive requests from, for example, remote management to send dynauth messages pertaining to the online users. Works with SessionDatabase REDIS to share session information between Radiator instances and user management.
- Added new StatsLog module StatsLog REDIS. StatsLog REDIS logs statistics to Redis for management applications, log transport agents, such as logstash Redis input plugin, or any later use. The statistics are currently logged in JSON format. Added a configuration sample in statslog.cfg in goodies.
- Diameter OriginHost and OriginRealm configuration parameters now support formatting characters.
- Added VENDOR Meraki 29671 and VSA Meraki-Device-Name to dictionary.
- New module AuthRADIATORLB.pm supports proxying requests to OSC’s new Radiator load balancer. This module can be used together with AuthBy DYNAUTH and currently supports only RFC 5176 dynamic authentication requests which need to originate from Radiator and be sent by the LB towards the NAS. Gossip framework is supported for learning the LB addresses and dynauth ports.
- GossipUDP now logs a warning if Gossip flag parameter or one or more GossipUDPPeer clauses have not been configured. When this happens GossipUDP has no method of knowing about its UDP peeers.
- Updated Diameter command code list. Command codes now use IANA registered names. This changes Diameter DEBUG message dumps for some command codes. For example, CER is now logged as Capabilities-Exchange.
Added support for Diameter statistics log. The statistics are collected for Diameter message counts, command codes and errors. Stats are collected for peer, origin, port and application and can be used for Diameter SNMP MIBs. New module DiaStatsLogREDIS provides support for writing the statistics in Redis. Other log modules will be added later. - Added an example in goodies/hooks.txt showing how to use AuthBy RADIUS ReplyHook with two AuthBy RADIUS clauses together with 2 Handler’s and an AuthBy HANDLER clause.
- EAP Identity and MSCHAPv2 name equality check is now case insensitive. Reported by Serge Andrey and René Hennequin.
- Log messages related to an authentication exchange and to its subsequent accounting session can now be logged with a tracing identifier. A new global and Log clause level configuration parameter LogTraceId enables prepending the tracing id to messages logged to stdout and with Log FILE when LogStdout is enabled.
A new Handler level configuration parameter AutoClass adds a specially formatted Class attribute in Access-Accept messages. This allows carrying the tracing id to accounting logs and the session database to access the tentative Class value during the request handling.
New functions compose_state() and decompose_state() in Util.pm will handle adding and extracting state information from State and Class attributes.
The tracing id works in conjunction with the Radiator load balancer allowing coordinated log message indexing and lookup between front end load balancers and backend workers. - Updated AuthLog and Log modules to use the recently added tracing id. The tracing id is now available as a parameter to LogFormatHooks and SQL loggers. Updated LogFormat.pm JSON hooks to log the tracing id. The global LogTraceId configuration parameter now affects only logs sent to stdout and the default log configured with LogFile.
- Session database clauses now support SessionIdentifier configuration parameter. This parameter defaults to Acct-Session-Id and can be used to change the session identification attribute used by the session database clause. Useful, for example, when the authentication request contains the future, possibly vendor specific, session identifier attribute.
- The recently added AutoClass configuration parameter now supports optional arguments for further Class attribute formatting. The currently support arguments are uuid and formatted which add a hex value UUID or Radiator formatted string. The default is not to add anything.
- Configuration parser’s clause start to clause end matching is now case insensitive. Suggested by Alan Buxey.
- Added two new formatting specifiers ‘RequestVar’ and ‘ReplyVar’ which provide access to request and reply objects. This similar to, for example, the existing ‘Handler’ formatting specifier.
- Handler now supports returning to AuthBy stack. This allows AuthBy RADIUS and its subclasses to return evaluating AuthByPolicy when a reply is received from the remote proxy. AuthBy RADIUS and its subclasses now support new boolean configuration parameter Asynchronous that enables this new behaviour. AuthBy GOSSIP was changed to always to use the new ASYNC return code.
- Added the recently introduced tracing id support in AuthBy GOSSIP
- Enhanced Gossip encryption to support simple key rollover: the key with second highest index is now used for encryption. This allows gradually adding new keys and removing old keys to Gossip enabled instances.
- Added the recently introduced tracing id support for Radiator Diameter logging.
- Added support for time limited prepaid plans in AuthBy FIDELIOHOTSPOT. The SQL queries are now fully configurable. Note: support for time limited plans extends SQL table named service. To avoid compatibility problems with current configurations, add a integer column called duration in the service table with value 0. Alternatively, reconfigure the SQL ServiceSelect to return 0 for duration. See the updated fidelio-hotspot.cfg and fidelio-hotspot.sql configuration examples in goodies.
- New optional global configuration parameter ResponseTimeThreshold parameter tells Radiator to log a warning when the processing time exceeds configured millisecond threshold. The warning contains request’s User-Name and info about the Client, Handler and AuthBy which processed the request.
- radiusd now clears its child array after fork to avoid incorrectly calling waitpid for parent’s children. Reported by Alan Buxey.
- Added a new utility script hexdump2wireshark.pl in goodies. This script parses Radiator Trace 5 log and extracts packet hex dumps from it. The hex dumps are written to a separate output file which can be imported into Wireshark or converted into pcap file with text2pcap.
Usage:perl goodies/hexdump2wireshark.pl < /var/log/radius/logfile > radius-logfile-hexdump.txt
The .txt file can then be imported into Wireshark or converted into pcap file with text2pcap:text2pcap -i 17 -u 1812,1812 radius-logfile-hexdump.txt radius-logfile-hexdump.pcap
The script also supports “#TEXT2PCAP” directives in .txt hexdump, but currently text2pcap does not have any directives implemented. - Minor correction to Diameter peer state machine: Event I-Rcv-DPA event in Closing state was duplicated and transition for I-Rcv-DPA was missing. Removed extra newline from Diameter state change logging.
- The linux startup script linux-radiator.init now checks if the PID file or system init utility functions indicate radiusd is already running before starting a new instance.
- Added support for /preauth endpoint in AuthBy DUO. This endpoint determines if the user is authorised to log in and returns the available authentication factors for the authorised user.
- Simplified TLS based EAP methods to use TLS session id more frequently with internal ids.
- Added support for VSA translation. Attributes in incoming and outgoing RADIUS messages can now be translated to and from internal presentations. For example, different MAC address formats can be normalised for logging and values for reply attributes can now be set based on the Client or AuthBy RADIUS vendor type.
Full example showing the new VsaTranslateIn, VsaTranslateOut and the related new configuration parameters is in goodies/vsa-translate.cfg - Diameter BIR (Bootstrapping-Info) command was misspelled as Boostrapping-Info.
- AuthBy DUO SecretKey and IntegrationKey configuration parameters now support formatting variables. The formatting is done once during the module activation.
- radpwtst -interactive option now queries the password. The password query is done without local echo. With -interactive, there is no need to specify the password on the command line with the -password option anymore.
Perl Term::ReadKey is needed on Windows. Some unix based systems are supported directly but Term::ReadKey is recommended for cross platform support. - Removed unneeded line BEGIN-VENDOR Freeswitch from dictionary. Reported by Eddie Stassen.
- Improved debug logging in AuthBy DYNADRRESS and Diameter watchdog state changes. Fixed misspelled LOG_ERROR and LOG_WARN log levels which all mapped to LOG_ERR.
- Added support for MessageLog to log sent and received RADIUS, Diameter and TACACS+ messages. Initial support includes logging RADIUS messages in text and text2pcap formats to a file. Configuration sample is in goodies/logformat.cfg
- getTimeHires() in Util.pm now checks the calling context when Time::HiRes is not installed and returns a list or scalar like Time::HiRes does.
- StatsLog modules now calculate packet rates for each StatsLog module separately. This allows having multiple StatsLog clauses in the configuration, all with their own Interval values. Packet rates are now separate and do not affect other StatsLog clause packet rates.
- Updates to statistics logging. All StatsLog clauses now support two new configuration parameters: StatsType and RateCalculationInterval.
StatsType defines the stats output type. Possible values are: cumulative, derivative, packet_rate and all. Cumulative counter shows the number of processed packets. Derivative is the difference (delta) between two counter values in time interval. Packet_rate is the amount of packets transferred within time interval (packets per second). Type all produces output from all available statistic types (cumulative, derivative and packet_rate). The default is cumulative.
Sometimes you may want to calculate packet rates that are different from the value of Interval. RateCalculationInterval is an optional parameter that defines the time interval (in seconds) in which the packet rate is calculated. For example, if Interval is set to 600 seconds and RateCalculationInterval is set to 60, packet rate then shows the (average) amount of packets in 60 second interval. RateCalculationInterval defaults to value of Interval.
See statslog.cfg in goodies for detailed examples. - SqlDb.pm now logs clearly if connect to a SQL database fails because of missing driver. For example, if DBSource is configured with dbi:mysql:… but DBD::mysql is not present, a verbose error is logged in addition to calling ConnectAttemptFailedHook.
- Added VENDOR AudioCodes 5003 and VSA AudioCodes-ACL-Auth-Level to dictionary. Contributed by Peter Hendrikx.
- Added support in MessagLog for Diameter logging. Updated RADIUS MessageLog text format to include time stamps.
- AddToReply and the related parameters were incorrectly adding to Access-Reject messages too. These are now skipped for Access-Reject replies
- Host’s adjustReply() for AddToReply and related configuration parameters was not called when a reply was received over RadSec.
- AuthBy DYNAUTH now supports SessionCheckHook that will be called after SessionChecks have been evaluated. It can be used to implement custom or additional logic for session checking. Setting hook parameter $result as ${$result} = 0; will trigger sending DM/CoA.
- Added initial support for encrypting and obfuscating secrets, passwords and other sensitive values in configuration files. Client and AuthBy DYNAUTH clauses now support EncryptedDynAuthSecret and Client has support for EncryptedSecret
- LocalAddress and LocalPort are now common configurable parameters for Stream modules. Updated AuthBy DIAMETER and AuthRADSEC not to use separate definitions for these parameters. The local address is now bound with SO_REUSEADDR socket option when LocalAddress is defined for a stream client.
- Simplified logformat.cfg: it’s no longer required to use StartupHook to load Radius::LogFormat. Radius::LogFormat is now loaded by the logging modules directly.
- In AuthBy DIAMETER, Origin-Host and Origin-Realm are now taken from configuration parameters. All reverse lookups for deducing Origin-* are now removed.
Destination-Realm is first taken from User-Name’s realm part. If there is now realm, then DestinationRealm configuration parameter is used. DestinationRealm now defaults to ‘testdestinatonrealm’ in DiaClient.pm.
DestinationRealm and DestinationHost parameters now support formatting characters. The formatting is done when the AuthBy DIAMETER, or any other clause derived from DiaClient.pm, is activated.
AuthBy DIAMETER now supports new configuration parameter EAP_ApplicationId. EAP_ApplicationId defaults to value Diameter-EAP. EAP_ApplicationId defines the Diameter message’s Application-ID value and Auth-Application-Id AVP value for the converted RADIUS EAP requests. The default converts RADIUS EAP authentication to Diameter EAP application. The parameter allows, for example, converting RADIUS EAP-AKA to Diameter 3GPP SWm.
Updated the configuration diameter-authby.cfg in goodies. - Simplified TLS session resumption for TLS based EAP protocols. Sessions are only cached when EAPTLS_SessionResumption is enabled for the AuthBy. EAPTLS_SessionResumption is now completely separate from EAPContextTimeout: EAPContextTimeout no longer limits the session resumption time.
Note: Any hooks or custom code that needs to save data across resumed sessions must now use resume context. See EAP.pm for the details. - EAPContextTimeout now defaults to 120 seconds. The previous value was 1000 seconds.
- Added new configuration parameter EAPTLS_SessionContextId. For TLS based EAP types such as TLS, TTLS and PEAP, this optional parameter allows you to set the context within which the TLS session resumption is allowed. Defaults to Handler, which means that TLS session resumption is allowed if the resumed and the full authentication were processed by the same Handler. Previously the context was set to an ephemeral value which often forced full TLS handshakes instead of allowing session resumption to happen.
- Moved IANA registered attributes to ‘IANA’ namespace from vendor 0 namespace. Unknown IANA attributes are now named as Unknown-IANA-191 where 191 is the attribute number. Unknown vendor specific attributes continue to be named like Unknown-9048-120 where 9048 is the vendor number and 120 is the attribute number.
Note: any custom code that accesses RADIUS attribute definitions in the RADIUS dictionary should now check if the vendor is IANA, not 0, to differentiate between vendor attributes and IANA registered attributes. This may also affect custom code that does Diameter to RADIUS conversion.
This namespace change fixes the problem where VSAs with vendor id 0 were proxied as non-VSAs when ProxyUnknownAttributes was set. Reported by Alan Buxey. - Fixed and unified JSON formats in LogFormat.pm. Time contains unix time. Timestamp contains locale specific time presentation based of the unix time. Timestamp includes microseconds if LogMicroseconds is defined, the format is the same as in Radiator plaintext log. New attribute “datetime” is the localtime for human readers’ convenience. Previously timestamp format incorrectly claimed to use UTC time while it was in fact local time.
- Improved AddressAllocator DHCP logging and DHCP socket set up. When LocalAddress was not configured and hostname did not resolve to an IP address, radiusd died during the startup. Now an error is logged and the DHCP socket will not be set up.
If DHCP set up fails for some other reason, the reason is now clearly logged and the DHCP socket will not be set up.
When the DHCP socket is not set up, address allocation methods return with REJECT and an error is logged. The problem with unresolved hostname was reported by Edward Ocenar. - AuthBy DUO now supports optional parameter Failmode that specifies whether to reject, accept or ignore authentication when Duo API is not available or a Duo API call timeouts. Default is to ignore the authentication request. DUO API timeout is now handled separately from the other DUO API call failures.
- Address allocators now support Acct-Status-Type values Accounting-On and Accounting-Off. The default is to accept the Accounting-Request with no other action. The SQL allocator can now be configured with DeallocateByNASQuery to, for example, release all leases for the NAS. Updated the configuration example addressallocator.cfg with sample DeallocateByNASQuery and updated the SQL example files with a new column for NAS id.
- Added optional conversion of Diameter Session-Termination-Request (STR) to RADIUS Accounting-Request with Acct-Status-Type set to Stop. This, and possible future conversions, can be enabled with ConvertCommand configuration parameter within ServerDIAMETER. More details are in diameter-server.cfg in goodies. Requested by Jean-Marc MONTENOT.
- Updated AddressAllocator SQL to support delayed pool activation. When AddressAllocator SQL is configured with DelayedPoolCheckTime, the pool creation, address checks and initial reclamation are delayed to happen the configured amount of seconds after radiusd as started.
Added a new configuration parameter NasIdentifier for AddressPool clauses. The configured value is made available for AddAddressQuery. - Source IP address and source port for incoming TACACS+ and StreamServer based connections, such as RadSec and Diameter, are now immediately logged after they are accepted. This allows logging even the very short lived connections from probes and other sources. Reported by Alexander Hartmaier.
- Added a new optional configuration parameter AllowInReject for defining which attributes are allowed in Access-Reject. This can be useful in Handlers with multiple AuthBys where the attributes added before a rejecting AuthBy need to be stripped from the resulting Access-Reject.
- Added a new optional configuration parameter Encoding for MessageLog FILE and its subclasses. This allows, for example, encoding a binary or multiline log entry as a single hex encoded line which might be useful with some log shipping tools and agents. Currently supported encodings are none and hex. Updated the configuration sample in logformat.cfg
- AttrList and its derived modules now support delete_attr_d() method. This allows deleting attributes by name from DiaMsg and other AttrList objects.
- Fixed Client IgnoreAcctSignature flag to correctly work as a flag. Previously a defined but false value, such as 0 was interpreted as the flag being set. IgnoreAcctSignature is not defined or set by default. Reported by Niels Monen.
- Added initial support for encrypting and obfuscating TACACS+ keys in the configuration file. This is similar to the recently added RADIUS client shared secret obfuscation. Client and ServerTACACASPLUS now support EncryptedTACACSPLUSKey and EncryptedKey, respectively. Examples in the tacacsplusserver.cfg sample configuration file.
- Enhanced logging in ServerTACACSPLUS. Very short lived connections are now logged with the peer IP address and port. Some TACACS+ clients, network monitoring probes and other software may close the newly opened TACACS+ connection immediately without any TACACS+ request exchange. These connections are now more clearly logged. Updated two other infrequently used log messages to include the peer IP and port. Suggested by Alexander Hartmaier.
- USR1 and USR2 signals are now propagated to the server farm workers by the farm parent. This allows changing the logging trace value for the whole farm at once by sending the signal to the farm parent. Suggested by Jose Borges Ferreira.
- Added initial support in AuthBy GOSSIP for using backends such as Redis for authentication, voucher lists and black lists.
- Added new formatter %{TimestampVal:number} where number can be a postive or negative integer, request attribute name or a special. For example %{TimestampVal:3000}, %{TimestampVal:Session-Timeout} or %{TimestampVal:%{Reply:Session-Timeout}}. The replaced value is the current unix time stamp + the number. Useful for replacing hooks with formatters when calculating time stamps.
- AuthBy GOSSIP can now hint the desired authentication backend, SQL LDAP, etc., to the Gossip peer. The authentication backend is configured with optional configuration parameter AuthenticationMethod.
- AuthBy DYNADDRESS now supports optional configuration flag parameter RunWhenMissing. When RunWhenMissing is set to off, the confirm and deallocate operations of the configured address allocator are not run if the Accounting-Request does not have the IP address.
Accounting-Request messages from some types of RADIUS clients may not have contain the allocated IP address. This may happen because the MapAddr yiaddr is missing from the request, or when IPv4 and IPv6 allocators are chained, the yiaddr is not set for the allocator type. In this case you may want to set RunWhenMissing to off. The default is to always run confirm and deallocate. - Fixed misleading log message in AuthBy OTP where OTP verify result was logged during failure. The result is only a boolean value while the log message hinted there might be additional information available. Reported by Alexander Hartmaier.
- Updated log calls in multiple EAP methods to include the current request.
- Added initial support for logging tracing identifier in ServerTACACSPLUS. Further changes are needed for additional coverage.
- The value intended for NAS_ID column is now configurable with NasId parameter in AddressAllocator SQL. The default value is %{NAS-Identifier}. Updated the configuration sample addressallocator.cfg in goodies.
- Overly long locally added attributes were incorrectly packed in the outgoing RADIUS messages. These messages are now logged with ERR log level and no message is sent.
- AuthBy RADIUS and its subclasses can now return with result REJECT to trigger an Access-Reject when a proxied request times out. This requires setting a new flag parameter called NoReplyReject. NoReplyReject allows rejecting timed out requests without hooks such as NoReplyHook. When returning a result, the reason for the timed out requests is now set to “Upstream timeout”.
- Added PostSearchHook in AuthBy GOSSIP that is called by AuthGOSSIP’s findUser() after AuthAttrDef’s have been evaluated and possible reply attributes are in place.
- ServerTACACSPLUS now evaluates global RewriteUsername before dispatching a TACACS+ pseudo RADIUS request to a Handler. Previously global RewriteUsername was not evaluated for TACACS+ requests. Suggested by Tim Cheyne.
- Updated sample certificates to expire on Aug 10 2018
- Improved handling of plaintext passwords with prefix {clear}. The plaintext value is now clearly separate from any hashed or encrypted value. Custom modules using AuthGeneric methods get_plaintext_password and translate_password should be checked for compatibility. Reported by Vangelis Kyriakakis.
- radiusd now exits during startup if it can not load the objects required by the configuration file. For example, if an AuthBy or a SessionDatabase fails to load, radiusd will log the failure and exit immediately. Previous beahaviour was to log the failure and continue.
- Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.24. Added 32 and 64 bit Win32-Lsa ppms for ActivePerl 5.22.
- Fixed a memory leak where duplicate cache entries were not freed when radiusd was reloaded. Reported by Niels Monen.
- HTTP Digest authentication must now be enabled with configuration flag parameter HTTPDigestAuthentication. This flag is not set by default.
- Updated system.cfg in goodies. The old Shadow helper module is not needed with the recent Perls for AuthBy SYSTEM.
- EAP authentication using AuthBy LDAP2 worked incorrectly with some atypical Radiator and LDAP configurations.
- Improved EAP debug logging for better PacketTrace and trace id support: EAP messages with bad length are now more clearly logged.
- TLS compression is now disabled for all TLS based EAP methods and all StreamTLS based modules, such as RadSec, Diameter and ServerHTTP with SSL_OP_NO_COMPRESSION option. Current systems should already disable TLS compression by default, so this change makes sure compression is not inadvertently enabled, for example, when system defaults are changed or Radiator runs on an unpatched system. SSL_OP_NO_COMPRESSION is available with OpenSSL 1.0.0 and later.
- Updated the default HostSelect in AuthBy SQLRADIUS to use quoted realm. Updated the configuration sample sqlradius.cfg to use quotes
- ServerRADSEC now supports StatusServer parameter similar to RADIUS Clients. Requested by Christian ‘wiwi’ Wittenhorst.
- fideliosim.pl in goodies now binds to 127.0.0.1 by default but has command line switch to set the addresses to bind.
- Revision 4.16 (2015-10-27) EAP compatibility enhancements, security fixes, new features
-
Selected bug fixes, compatibility notes and enhancements
- Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.
- Two important security fixes. OSC recommends all users to review OSC security advisory OSC-SEC-2015-02
- TLS session resumption may not currently work with all Windows clients. A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or wait for the client to retry the authentication.
- Radiator now supports new module AddressAllocator DHCPv6 for IPv6 address allocation and prefix delegation
Detailed changes
- Created separate directory for PPM files compiled for ActivePerl. Moved files from ppm to ppm/activeperl/ and updated the meta file contents.
Win32-Lsa is now compiled for both ActivePerl 5.18 and 5.20 flavours up to Perl 5.20: 64bit and 32bit with 64bit integer.
Created separate directory for PPM files compiled for Strawberry Perl.
Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers. - Radiator now logs the Net::SSLeay and SSL/TLS library version during the radiusd startup. TLS v1.2 for TLS based EAP methods is not used if it can not be determined that the MPPE keys can be correctly calculated. These changes enhance compatibility with future Apple iOS, OS X and Android 6 Marshmallow. If all TLS versions are not available, details of what can be used is logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 or later is required to fully utilise all TLS versions for TLS based EAP methods. Thanks to radiator mailing list members for comments and suggestions.
- AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration parameter. This parameter requires Sys::Syslog version 0.28 or later. Suggested by Michael and Kilian Krause.
- LDAP modules now support BindFailedHook which is called when LDAP bind operation fails. The default is to log the failure. Bind password is no longer logged. To log the password, configure the hook to log it or configure the LDAP clause with the Debug configuration parameter and see the console output. With the kind help of Scott Bertilson.
- AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is enabled. Binary attribute values are now logged in text format similarly to RADIUS attributes. To debug the password, use the Debug configuration parameter and see the console output or configure PasswordLogFileName for the Handler.
- Resolver for AuthBy DNSROAM now uses eval to catch exceptions from Net::DNS. The Net:DNS API had been changed around version 0.72 to raise exceptions when errors occurred. Uncaught exceptions could cause Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and Paul Dekkers.
Updated error levels for Resolver log messages. Most of the log messages are now using WARNING instead of ERR. These messages are logged for example for DNS failures or badly formatted DNS domains. - ServerHTTP authentication now creates a request that can be correctly proxied to a remote server. Previously the proxied authentication would always fail.
- AuthBy RADIUS and its derived modules still required ‘ipv6:’ prefix for LocalAddress parameter. Reported by Claudio Ramirez. Correct address is now logged if binding to LocalAddress fails.
- Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.
- SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with the Timeout configuration parameter value. This attribute is valid only for ODBC and is set only when Radiator runs on a Windows host. The default value for odbc_query_timeout is 0 which can cause very long timeouts on Windows with SQL queries.
- While RADIUS dictionaries are loaded, attributes with unknown types are logged with trace level WARNING. The treatment of unknown types has not changed: the unknown types are treated as binary.
- Incorrectly formatted textual IPv6 addresses in configuration files or retrieved for example from SQL backend could cause address resolution loops.
- Added support for additional IPv6 functions in Util.pm and UtilSocket6.pm for AddressAllocator DHCPv6 and other modules that require packing IPv6 socket structures with scope ID number and flow information.
- AuthBy DYNADDRESS now supports multivalued allocation results. For example, multiple DNS server addresses from DHCPv6 based allocations. The multiple values are mapped to the configured RADIUS attribute, one value per one attribute instance.
AuthBy DYNADDRESS now supports MapResultHook. This hook allows modifying the allocation results after they have been received, and before Radiator has processed the MapAttribute definitions. - Added support for AddressAllocator DHCPv6. AddressAllocator DHCPv6 works in conjunction with AuthBy DYNADDRESS and a DHCPv6 server to dynamically allocate IPv6 addresses and prefixes, and provide other configuration information. Both stateless and stateful DHCPv6 configuration is supported.
See the configuration sample files addressallocatordhcpv6.cfg and addressallocatordhcpv6-dhcpd.conf for Radiator and ISC DHCP server in goodies for more examples including use of Delegated-IPv6-Prefix and Framed-IPv6-Prefix for prefix delegation. - Added better logging for invalid EAPType names. Unknown types are logged during the configuration check. Clarified the error message if the default EAPType is unknown. Thanks to Patrick Honing for informing about the unclear log messages.
- Failures with send() when sending RADIUS messages over UDP are now correctly logged.
- TLS based EAP methods EAP-FAST, EAP-TLS, EAP-TTLS and PEAP now log the TLS version and cipher chosen for the EAP session. TLS values related to the EAP session are also available as special formatting variables. You can use, for example, %{EAPTLS:Protocol} and %{EAPTLS:Cipher} with AuthLog. Suggested by Alexander Hartmaier.
- Updated Stream base class to work correctly with non-blocking sockets on some Windows Perl distributions. Windows returns POSIX::EWOULDBLOCK (140) or WSAEWOULDBLOCK instead of EINPROGRESS. 140 was first seen with Strawberry Perl 5.20 and 5.22
- Diameter AttrList get_attrs_d now returns empty list instead of single entry with undef value when the requested attribute was not present.
- Changed the type of Cisco-VPN-WebVPN-HTML-Filter in dictionary.cisco-vpn from unsupported bitmap to integer. Reported by Alex Hartmaier.
- diapwtst updates: added missing attributes and removed a couple of RADIUS related options
- Fixed a bug which could result in an infinite loop when formatting special variables and could be used to create a DOS attack crashing the radiusd process. Reported by Øyvind Aabling.
- AuthBy RADIUS and AuthBy RADSEC now use 32 bit id space when UseExtendedIds is set. While the previous 16 bit id space should be enough, the new value matches the value documented in the reference manual.
- Unified Session ID based resumption handling for EAP-TLS, EAP-TTLS and PEAP.
- radpwtst now supports subsecond resolution with the -time command line option when Time::HiRes Perl module is available. Time::HiRes is part of all recent Perl distributions.
- Updated the recent formatting patch and enhanced its compatibility with older Perl versions.
- Added support for tracing TLS handshake and session state for the TLS based EAP methods. Tracing can be enabled with one of: new AuthBy level configuration flag parameter EAPTLS_TraceState, setting the Trace configuration parameter to 5 (EXTRA_DEBUG) or with the PacketTrace configuration parameter.
- LogFILE now checks for recursion allowing runHook to call logging if needed. This avoids infinite recursion if LogFormatHook raises an exception. Added a JSON example in LogFormatHook for Log FILE in goodies/logformat.cfg and Radius/LogFormat.pm.
- Added LogFormatHook for Log SYSLOG and AuthLog SYSLOG. Updated logformat.cfg with JSON format hook example. Suggested by Craig Simons.
- Added example of EAPTLS_TraceState in goodies EAP-TLS, EAP-TTLS and PEAP sample files.
- Revision 4.15 (2015-07-15) Bug fixes, features and enhancements
-
Selected bug fixes, compatibility notes, new features and enhancements
- Fixes an EAP-MSCHAP-V2 and EAP-pwd vulnerability. OSC recommends all users to review OSC security advisory OSC-SEC-2015-01 to see if they are affected.
- perl-ldap-0.32 or better is required. Should be available in all current systems.
- EAP-pwd requires Crypt::OpenSSL::Bignum 0.06 or later from CPAN
- Configurable TLS version and ciphersuite selection for TLS based EAP and stream modules
- CRL checks for the entire certificate chain can now be enabled
- Included Gossip framework with Redis based implementation
- Support for Gossip when communicating next hop proxy failures between Radiator instances
- Shared duplicate cache for a more simple server farm configuration
- Windows Event log support
- Custom format support for logs, authentication logs and accounting logs. CEF and JSON included
- Support for IEEE 802.1AE, also known as MACsec
- All AuthBys now support PostAuthHooks
- Various binary modules are now available from OSC and were removed from the Radiator distribution
Detailed changes
- Added VENDOR STI (Server Technology Inc.) 1718 and multiple STI VSAs to dictionary. Contributed by Garry Shtern.
- Added VENDOR PacketDesign 8083 and VSAs PacketDesign-UserClass and PacketDesign-FTP to dictionary. Contributed by Garry Shtern.
- Added SN-Software-Version to dictionary. Reported by Bruno Tiago Rodrigues.
- Changed type of VENDORATTR 3076 Cisco-VPN-DHCP-Network-Scope in dictionary.cisco-vpn from text to ipaddr. Reported by Kilian Krause.
- Dictionary updates: Added H3C proprietary values H3C-SSH and H3C-Console for Login-Service. Changed Lancom LCS-Mac-Address type from string to hexadecimal. Added H3C-Priority. All reported by Philip Herbert.
- Zero length writes are now skipped in Stream.pm write_pending() used by RadSec, Diameter, SIGTRAN and other stream protocols. SCTP does not support 0 length syswrites on all platforms and may close the socket if zero length write is done.
- Added VENDOR Airespace 14179 VSAs 7-11 and 13-16 to dictionary.
- AuthBy GROUP now updates current AuthBy for %{AuthBy:parmname}. When AuthBy GROUP is used, this special formatting now gets the parameter value from the current AuthBy within the group instead of the AuthBy GROUP itself.
- Updated VENDOR 1991 Foundry VSAs in dictionary. foundry-privilege-level is now a synonym for brocade-privilege-level. Added a number of foundry VSAs.
- LDAP Version now defaults to 3 instead of 2. Updated a number of LDAP configuration example files in goodies to reflect this change.
- Ldap.pm now uses the LDAP object’s disconnect method, instead of closing the socket directly.
- AuthBy LDAP2 and AuthBy LDAPDIGIPASS now use escape_filter_value provided by Net::LDAP::Util instead of escapeLdapLiteral in Ldap.pm Ldap.pm escapeLdapLiteral is now deprecacted and perl-ldap-0.32 or better is required.
- RefreshPeriod in ClientListSQL and ClientListLDAP now support special % formatting. Suggested by Bengi Sağlam.
- Updated VENDOR 2011 Huawei VSAs in dictionary. Huawei-Input-Basic-Rate is now an alias for Huawei-Input-Peak-Rate. Huawei-Output-Basic-Rate was changed similarly. Some of the attribute numbers appear to have different names and types between different devices. Huawei-User-Type, Huawei-MIP-Agent-MN-Flag and Huawei-Requested-APN are now aliases but aliasing may be handled with separate dictionary files in the future. Huawei-HW-Portal-Mode was renamed to Huawei-Portal-Mode.
- WiMAX dictionary updates: changed WiMAX-Session-Termination-Capability type to integer and added one value: Dynamic-Authorization. Changed WiMAX-PPAQ TLV Quota-Identifier type to binary. WiMAX subattributes within single Vendor-Specific attribute are now correctly decoded.
- Dictionary updates for Huawei: Reverted the recent aliasing changes. The conflicting attributes are now in a new Huawei specific dictionary file goodies/dictionary.huawei1. This new dictionary file contains attributes used by, for example, Huawei packet gateway / Wi-Fi controller. Since Huawei seems to use device specific dictionaries, additional dictionary files are added as needed.
- Added new AuthLog EVENTLOG and Log EVENTLOG modules for logging to Windows Event Log. Added eventlog.cfg in goodies for configuration example and more information about how to set up registry and DLL Event Log helpers. Precompiled DLLs are available in goodies\windows-dll with source files and compilation examples.
- radiusd now handles SIGINT (typically from Ctrl-C) similar to SIGTERM.
- Added support for shared and global DupCache. Radiator now supports 3 different options for the new DupCache configuration parameter: local (the default), shared (uses shared memory) and global (uses Radiator’s Gossip framework). When DupCache is set to shared, DupCacheFile sets the location of the mmapped shared memory file. Shared DupCache is recommend when FarmSize configuration parameter is set. With shared or global DupCache, the backend workers do not need to have UseContentsForDuplicateDetection enabled anymore. DupCache shared requries Cache::FastMmap module. Sample configuration eapbalance.cfg in goodies was updated to demonstrate the new configuration parameters DupCache and DupCacheFile.
- Added a number of VENDOR 22610 A10-Networks VSAs in dictionary. Contributed by Scott Bertilson.
- Changed the types of WiMAX-PPAQ TLVs Volume-Quota, Volume-Threshold, Resource-Quota and Resource-Threshold to hexadecimal. This makes the 8 or 12 long values easier to handle in PPAQ applications.
- Updated shared and global DupCache debugging and initialisation. If the required Cache::FastMmap is not available when DupCache is set to ‘shared’, Radiator will log a message and refuses to start. The availability of Cache::FastMmap is checked during the configuration phase.
- Added support for Gossip protocol framework and Redis based Gossip implementation. Radiator’s Gossip implementation allows Radiator instances to share information and event notifications. The instances may be part of server farm, completely separate processes running on the same or different hosts or any combination of thereof. Redis based Gossip is configured with GossipRedis clause. At first, Gossip support is provided for RADIUS duplicate cache: When the global configuration parameter DupCache is set to ‘global’, GossipRedis will be used for RADIUS duplicate cache. More Radiator modules will be added and upgraded to use the Gossip framework in the future. Requires Data::MessagePack and Redis Perl modules from CPAN.
- Updated AuthLog SQL examples in goodies to use SQL bind variables.
- Added Radiator Gossip framework support to AuthBy RADIUS. Multiple Radiator instances can now communicate next hop host unreachability and reachability information with Gossip messages. This allows, for example, just one member to run Status-Server queries when FarmSize configuration parameter is enabled. Added new configuration parameter NoKeepaliveTimeoutForChildInstances to limit Status-Server probing to the first farm instance only. The new features are also available to AuthBy RADIUS sub-types, such as, ROUNDROBIN and HASHBALANCE. See goodies/farmsize.cfg for a configuration example with shared duplicate cache and Gossip and Redis configuration.
- Updated EAP-pwd to use unpatched version of Crypt::OpenSSL::Bignum. Radiator 4.14 and earlier required Crypt::OpenSSL::Bignum 0.04 + patches. These patches are no longer needed, and version 0.06 or later from CPAN is now required instead. Caution: Crypt::OpenSSL::Bignum 0.04 + patches in Radiator goodies no longer work with the current version of EAP_52.pm (EAP-pwd). You must update to Crypt::OpenSSL::Bignum 0.06 or later.
- Updated dictionary with new attributes for vendors 14823 Aruba, 25053 Ruckus and 25506 H3C.
- Fixed a problem that could cause a crash if AuthBy RADIUS was configured with the Synchronous parameter, FailureBackoffTime was set and the next hop proxy becomes unreachable. Reported by Diogo Gonçalves
- EAP-pwd now correctly adds the user’s and AuthBy’s reply attributes in the Access-Accept.
- The first components in @INC, the Perl library search locations, are now checked for readability. Unreadable directories may cause hard to diagnose failures when Perl modules are loaded. This may happen, for example, when radiusd process is started as a user with restricted privileges. Reported by Kilian Krause.
- Added support for AuthBy specific PostAuthHook configuration parameters. All AuthBys can now define a PostAuthHook that will be called when the AuthBy is done processing the request and has returned. The hook parameters are the same as for Handler’s PostAuthHook. After the optional PostAuthHook has run, result, reason and Identifier from the AuthBy are saved in $p for subsequent AuthBys and other use. Updated duo.cfg in goodies to use PostAuthHook for password splitting.
- Added support for IEEE 802.1AE, also known as MACsec. Radiator will now return EAP-Key-Name attribute if requested by the RADIUS client. EAP-Key-Name is supported for the following EAP methods: EAP-FAST, EAP-pwd, EAP-TLS, EAP-TTLS and PEAP.
- RADIUS attributes using encrypt=2 flag or decode/encode_salted directly, now have their initialisation vector set to all zeroes when there would otherwise be a circular dependeny between the RADIUS fixed header Authenticator, the initialisation vector, and the encrypted attribute value. This allows, for example, proxying RFC 5176 dynamic authentication request so that the encrypted values can be correctly recovered, provided that target also uses zero IV similarly. Known to work with vendor 6527.
- EAP-TLS now rejects possible EAP-TLS conversation restart attempts instead of replying, again, with an alert. Some EAP-TLS peers, such as Windows, may try to restart the EAP-TLS conversation after certain alerts such as ‘Unknown CA’. Reported by Pieter Jan Van Meerbeeck.
- Updated a number of configuration samples in goodies: ‘DupInterval 0’ is usually not needed and can be harmful. The default value of 10 seconds is preferred and non-default values are only necessary in very unusual circumstances. Handler clauses are in most cases more flexible than Realm clauses. Other typo fixes and small corrections.
- EAP-FAST now checks Net::SSLeay::get_keyblock_size() calls for error return values. Also, Net::SSLeay 1.68 and earlier with OpenSSL 1.0.1 and later may return incorrect values, not errors, for get_keyblock_size() which cause authentication to fail. Fix in Net::SSLeay 1.69 allows it to return correct values with recent OpenSSL versions, and any error return values are now correctly checked by EAP-FAST.
- Added new configuration parameter TLS_Protocols to set the supported SSL and TLS protocols for Stream based modules, such as Diameter and RadSec. New configurations should use TLS_Protocols instead of UseSSL or UseTLS. TLS_Protocols overrides UseSSL and UseTLS when defined. TLS_Protocols is not defined by default. Added new configuration parameter EAPTLS_Protocols to set the supported TLS protocols for TLS based EAP methods, such as EAP-TLS, EAP-TTLS and PEAP. EAPTLS_Protocols is not defined by default. Both TLS_Protocols and EAPTLS_Protocols accept a list of comma separated values. The supported values are: SSLv3, TLSv1, TLSv1.1 and TLSv1.2 Added new configuration parameters TLS_Ciphers and EAPTLS_Ciphers to define the allowed cipher suites for Stream protocols and TLS based EAP methods. The parameter format is OpenSSL cipher string format. Both parameters default to DEFAULT:!EXPORT:!LOW TLS_Ciphers and EAPTLS_Ciphers can be defined separately from TLS_Protocols and EAPTLS_Protocols.
- Updated vendor ZTE 3902 VSAs in dictionary.
- Added support for TLS_Protocols and TLS_Ciphers parameters to Monitor and Server HTTP
- TLS_Ciphers and EAPTLS_Ciphers now support formatting characters. Net::SSLeay and SSL library version, if available, are now logged after SSL library initialisation.
- Added goodies/logformat.cfg, showing how to use LogFormatHook for authentication log and AcctLogFileFormatHook for accounting messages. Added LogFormat.pm with sample hooks for formatting accounting messages in JSON format and authentication log entries in JSON and CEF (ArcSight Common Event Format) formats.
- Removed non-functional support for the obsolete RSA ephemeral keying. See TLS_DHFile, EAPTLS_DHFile, TLS_ECDH_Curve and EAPTLS_ECDH_Curve for the currently supported forward secrecy methods.
- Updated Radiator’s Gossip module Perl requirements based on suggestions by Alan Buxey. Testing with Net::SSLeay 1.69 and LibreSSL 2.2.0. OK.
- Added support for CRL checks for the entire certificate chain. New configuration parameters EAPTLS_CRLCheckAll for TLS based EAP methods and TLS_CRLCheckAll for stream based protocols, such as RadSec and Diameter, enable X509_V_FLAG_CRL_CHECK_ALL to turn on CRL checks for the entire certificate chain. Note: you need to also have EAPTLS_CRLCheck or TLS_CRLCheck enabled for any CRL checks to happen. If the CRL files for the intermediate CAs are not found, certificate check fails with: ‘SSL3_GET_CLIENT_CERTIFICATE:no certificate returned’.
- Updated configuration samples in goodies to include the recently added TLS and related parameters. Updated other goodies files with various other fixes.
- Documented SSLCiphers in the reference manual and updated LDAP SSLCiphers default value from ‘ALL’ to ‘DEFAULT:!EXPORT:!LOW’.
- Updated ldap.cfg to mention possible interoperability problems between HoldServerConnection and ServerChecksPassword when the both are set. Suggested by Niels Monen. Documented SSLCiphers in ldap.cfg
- Removed Authen::Digipass and Authen::ACE4 binary modules from the Radiator distribution. Direct contact with OSC is now preferred to find out how to compile these modules for your chosen OS, Perl version, Perl distribution and 32 or 64 bit platform. Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.22.
- DBM file handling is not working on Strawberry Perl 5.20 or 5.22. Disabled AuthBy DBMFILE checks from test.pl on Windows meanwhile this is investigated.
- Updates to EAP-MSCHAP-V2 and EAP-pwd identity handling. See OSC security advisory OSC-SEC-2015-01.
- Revision 4.14 (2014-12-03) One very important vulnerability and bug fix. Other features and enhancements
-
Selected bug fixes, compatibility notes and enhancements
- Fixes a vulnerability and very significant bug in EAP authentication. OSC recommends all users to review OSC security advisory OSC-SEC-2014-01 to see if they are affected.
- Client findAddress() was changed to lookup CIDR clients before DEFAULT client. Affects ServerTACACSPLUS and in some cases SessionDatabase modules.
- Added support for non-blocking sockets on Windows
- SessionDatabase SQL queries now support bind variables
Detailed changes
- Added VENDOR Allot 2603 and VSA Allot-User-Role to dictionary.
- Added Diameter AVP flag hints in the Diameter Credit-Control Application dictionary.
- Prevented crash during startup when configured to support a Diameter application for which no dictionary module was not present. Reported by Arthur. Improved logging of loading of Diameter application dictionary modules.
- Improvements to AuthBy SIP2 to add support for SIP2Hook. SIP2Hook can be used for patron authorisation and/or authentication. Added an example hook goodies/sip2hook.pl. Added a new optional parameter UsePatronInformationRequest for configurations in which Patron Status Request is not sufficient.
- Fixed a problem with SNMPAgent which could cause a crash if the configuration had no Clients.
- Stream and StreamServer sockets are now set to nonblocking mode on Windows too. This allows for example, RadSec to use nonblocking sockets on Windows.
- radpwtst now honours -message_authenticator option for all request types specified with the -code parameter.
- Client.pm findAddress() was changed to look up CIDR clients before DEFAULT client. This is the same order Client lookup for incoming RADIUS requests uses. This affects mostly ServerTACACSPLUS. SessionDatabase DBM, INTERNAL and SQL also use findAddress() and are affected when Clients have NasType configured for Simultaneous-Use online checking. Client lookup was simplified in ServerTACACSPLUS.
- Added VENDOR Cambium 17713 and four Cambium-Canopy VSAs to dictionary. “RADIUS Attributes for IEEE 802 Networks” is now RFC 7268. Updated some of its attribute types.
- AuthBy MULTICAST now checks first, not after, if the next hop host is working before creating the request to forward. This will save cycles when the next hop is not working.
- Added VENDOR Apcon 10830 and VSA Apcon-User-Level to dictionary. Contributed by Jason Griffith.
- Added support for custom password hashes and other user defined password check methods. When the new configuration parameter CheckPasswordHook is defined for an AuthBy and the password retrieved from the user database starts with leading ‘{OSC-pw-hook}’, the request, the submitted password and the retrieved password are passed to the CheckPasswordHook. The hook must return true if the submitted password is deemed correct. TranslatePasswordHook runs before CheckPasswordHook and can be used to add ‘{OSC-pw-hook}’ to the retrieved passwords.
- AuthLog SYSLOG and Log SYSLOG now check LogOpt during the configuration check phase. Any problems are now logged with the loggers Identifier.
- The defaults for SessionDatabase SQL AddQuery and CountQuery now use %0 where username is needed. Updated the documentation to clarify the value of %0 for AddQuery, CountQuery, ReplaceQuery, UpdateQuery and DeleteQuery: %0 is the quoted original username. However, if SessionDatabaseUseRewrittenName is set for the Handler and the check is done by Handler (MaxSessions) or AuthBy (DefaultSimultaneousUse), then %0 is the rewritten username. For per-user session database queries %0 is always the original username. Updated the documentation for CountQuery to include %0 and %1. For CountQuery %1 is the value of the simultaneous use limit.
- Enhanced resolution of vendor names to Vendor-Id values for SupportedVendorIds, VendorAuthApplicationIds and VendorAcctApplicationIds. Keyword DictVendors for SupportedVendorIds now includes vendors from all dictionaries that are loaded. Vendor name in Vendor*ApplicationIds can be in any of the loaded dictionaries in addition of being listed in DiaMsg module.
- Added VENDOR InMon 4300 and VSA InMon-Access-Level to dictionary. Contributed by Garry Shtern.
- Added ReplyTimeoutHook to AuthBy RADIUS, called if no reply is heard from the currently tried remote server. The hook is called if no reply is heard for a specific request after the Retries retransmissions and the request is deemed to have failed for that Host. Suggested by David Zych.
- The default ConnectionAttemptFailedHook no longer logs the real DBAuth value but ‘**obscured**’ instead.
- Name clash with SqlDb disconnect method caused unnecessary Fidelio interface disconnects and reconnects in AuthBy FIDELIOHOTSPOT after SQL errors. AuthBy FIDELIOHOTSPOT now inherits directly from SqlDb.
- Added VENDOR 4ipnet 31932 and and 14 4ipnet VSAs to dictionary. These VSA are also used by devices from 4ipnet partners, such as LevelOne. Contributed by Itzik Ben Itzhak.
- MaxTargetHosts now applies to AuthBy RADIUS and its sub-types AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE, HASHBALANCE and EAPBALANCE. MaxTargetHosts was previously implemented only for AuthBy VOLUMEBALANCE. Suggested by David Zych.
- Added VENDOR ZTE 3902 and multiple VSAs to dictionary with the kind assistance of Nguyen Song Huy. Updated Cisco VSAs in dictionary.
- Added radiator.service, a sample systemd startup file for Linux.
- AuthBy FIDELIO and its sub-types now log a warning if the server sends no records during the database resync. This usually indicates a configuration problem on the Fidelio server side, unless there really are no checked in guests. Added a note about this in fidelio.txt in goodies.
- Added Diameter Base Protocol AVP flag rules in DiaDict. Radiator no longer sends CEA with Firmware-Revision AVP that has M flag set.
- BogoMips again defaults correctly to 1 when BogoMips is not configured in a Host clause in AuthBy LOADBALANCE or VOLUMEBALANCE. Reported by Serge ANDREY. The default was broken in release 4.12. Updated LOADBALANCE example in proxyalgorithm.cfg in goodies.
- Ensured that Hosts with BogoMips set to 0 in AuthBy VOLUMEBALANCE will not be a candidates for proxying.
- Added Diameter AVP flag rules in DiaDict for the following Diameter applications: RFC 4005 and 7155 NASREQ, RFC 4004 Mobile IPv4 Application, RFC 4740 SIP Application and RFC 4072 EAP Application.
- Added the attributes from RFC 6929 to dictionary. The attributes will now be proxied by default but no specific handling is done for them yet.
- Added VENDOR Covaro Networks 18022 and multiple Covaro VSAs to dictionary. These VSAs are used by products from ADVA Optical Networking.
- Significant performance enhancements in ServerDIAMETER and Diameter request processing. Diameter requests are now formatted for debugging only when the Trace level is set to debug or higher.
- AuthLog FILE and Log FILE now support LogFormatHook to customise the log message. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing. Suggestion and help by Alexander Hartmaier.
- Updated the values for Acct-Terminate-Cause, NAS-Port-Type and Error-Cause in dictionary to match the latest IANA assignments.
- Updated sample certificates from SHA-1 and RSA 1024 to SHA-256 and RSA 2048 algorithms. Added new directories certificates/sha1-rsa1024 and certificates/sha256-secp256r1 with certificates using the previous and ECC (Elliptic curve cryptography) algorithms. All sample certificates use the same subject and issuer information and extensions. This allows testing the different signature and public key algorithms with minimal configuration changes. Updated mkcertificate.sh in goodies to create certificates with SHA-256 and RSA 2048 algorithms.
- Added new configuration parameters EAPTLS_ECDH_Curve for TLS based EAP methods and TLS_ECDH_Curve for Stream clients and servers such as RadSec and Diameter. This parameter allows Elliptic Curve ephemeral keying negotiation and its value is the EC ‘short name’ as returned by openssl ecparam -list_curves command. The new parameters require Net-SSLeay 1.56 or later and matching OpenSSL.
- Tested Radiator with RSA2048/SHA256 and ECDSA(curve secp256r1)/SHA256 certificates on different platforms and with different clients. EAP client support was widely available on both mobile, such as, Android, IOS and WP8, and other operating systems. Updated multiple EAP, RadSec, Diameter and other configuration files in goodies to include examples of the new EAPTLS_ECDH_Curve and TLS_ECDH_Curve configuration parameters.
- Handler and AuthBy SQL, RADIUS, RADSEC and FREERADIUSSQL now support AcctLogFileFormatHook. This hook is available to customise the Accounting-Request messages logged by AcctLogFileName or AcctFailedLogFileName. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing.
- The Group configuration parameter now supports setting the supplementary group ids in addition to the effective group id. Group can now be specified as comma separated list of groups where the first group is the desired effective group id. If there are names that can not be resolved, groups are not set. The supplementary groups may help with, for example, AuthBy NTLM accessing the winbindd socket.
- Added multiple Alcatel, vendor 6527, VSAs to dictionary.
- Name resolution for Radius Clients and IdenticalClients is now tested during configuration check phase. Suggested by Garry Shtern. Incorrectly specified IPv4 and IPv6 CIDR blocks are now clearly logged. The checks also cover clients loaded by ClientListLDAP and ClientListSQL.
- Special formatting now supports %{AuthBy:parmname} which is replaced by the parmname parameter from the AuthBy clause that is handling the current packet. Suggested by Alexander Hartmaier.
- Added VENDOR Tropic Networks 7483, now Alcatel-Lucent, and two Tropic VSAs to dictionary. These VSAs are used by some Alcatel-Lucent products, such as the 1830 Photonic Service Switch. Fixed a typo in RB-IPv6-Option attribute.
- TLS 1.1 and TLS 1.2 are now allowed for EAP methods when supported by OpenSSL and EAP supplicants. Thanks to Nick Lowe of Lugatech.
- AuthBy FIDELIOHOTSPOT now supports prepaid services, such as plans with different bandwidth. The purchases are posted to Opera with billing records. Configuration files fidelio-hotspot.cfg and fidelio-hotspot.sql in goodies were updated with an example of Mikrotik captive portal integration.
- AuthBy RADIUS and AuthBy RADSEC now use less-than and equal when comparing time stamps using MaxFailedGraceTime. Previously strict less-than was used causing an off by one second error when marking next hop Hosts down. Debugged and reported by David Zych.
- AuthBy SQLTOTP was updated to support HMAC-SHA-256 and HMAC-SHA-512 functions. The HMAC hash algorithm can now be parametrised for each token as well as time step and Unix time origin. An empty password will now launch Access-Challenge to prompt for the OTP. SQL and configuration examples were updated. A new utility generate-totp.pl in goodies/ can be used to create shared secrets. The secrets are created in hex and RFC 4648 Base32 text formats and as QR code images which can be imported by authenticators such as Google Authenticator and FreeOTP Authenticator.
- Reformatted root.pem, cert-clt.pem and cert-srv.pem in the certificates/ directory. The encrypted private keys in these files are now formatted in the traditional SSLeay format instead of PKCS#8 format. Some older systems, such as RHEL 5 and CentOS 5, do not understand the PKCS#8 format and fail with an error message like ‘TLS could not use_PrivateKey_file ./certificates/cert-srv.pem, 1: 27197: 1 – error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm’ when trying to load the keys. The encrypted private keys in sha1-rsa1024 and sha256-secp256r1 directories remain in the PKCS#8 format. A note about the private key format was added in certificates/README.
- Added new parameter for all AuthBys: EAP_GTC_PAP_Convert forces all EAP-GTC requests to be converted to conventional Radius PAP requests that are redespatched, perhaps to be proxied to another non-EAP-GTC capable Radius server or for local authentication. The converted requests can be detected and handled with
Handler ConvertedFromGTC=1
. - SessionDatabase SQL queries now support bind variables. The query parameters follow the usual naming convention where, for example, AddQueryParam is used for AddQuery bind variables. The updated queries are: AddQuery, DeleteQuery, ReplaceQuery, UpdateQuery, ClearNasQuery, ClearNasSessionQuery, CountQuery and CountNasSessionsQuery.
- AddressAllocator SQL now supports a new optional parameter UpdateQuery which will run an SQL statement for each accounting message with Acct-Status-Type of Start or Alive. This query can be used to update the expiry time stamp allowing shorter LeaseReclaimInterval. Added an example of UpdateQuery in addressallocator.cfg in goodies.
- Fixed badly formatted log message in AuthBy RADIUS. Reported by Patrik Forsberg. Fixed log messages in EAP-PAX and EAP-PSK and updated a number of configuration examples in goodies.
- Compiled Win32-Lsa Windows PPM packages for Perl 5.18 and 5.20 for both x64 and x86 with 32bit integers. The PPMs were compiled with Strawberry Perl 5.18.4.1 and 5.20.1.1. Included these and the previously compiled Win32-Lsa PPMs in the Radiator distribution.
- Compiled Authen-Digipass Windows PPM packages with Strawberry Perl 5.18.4.1 and 5.20.1.1 for Perl 5.18 and 5.20 for x86 with 32bit integers. Updated digipass.pl to use Getopt::Long instead of deprecated newgetopt.pl. Repacked Authen-Digipass PPM for Perl 5.16 to include the updated digipass.pl.
- Diameter Address type attributes with IPv6 values are now decoded to human readable IPv6 address text representation. Previously, decode returned the raw attribute value. Reported by Arthur Konovalov.
- Improved Diameter EAP handling for both AuthBy DIAMETER and ServerDIAMETER. Both modules now advertise Diameter-EAP application by default during the initial capabilities exchange. AuthBy DIAMETER now supports AuthApplicationIds, AcctApplicationIds and SupportedVendorIds configuration parameters
- Changed the type of Chargeable-User-Identity in dictionary to binary to make sure any trailing NUL characters are not stripped.
- More updates to example configuration files. Remove ‘DupInterval 0’ and use Handlers instead of Realms
- Fixed an EAP bug which could allow bypassing EAP method restrictions. Copied the EAP expanded type test module to goodies and changed the test module to always respond with access reject.
- Added backport notes and backports for older Radiator versions to address the EAP bug in OSC security advisory OSC-SEC-2014-01.
- Revision 4.13 (2014-04-16) Radius proxying, IPv6, TACACS+, Diameter and other enhancements. Bug fixes
-
Selected compatibility notes and enhancements
- Unknown attributes can now be proxied instead of being dropped
- Diameter enhancements may require changes to custom Diameter modules
- Major IPv6 enhancements include: Attributes with IPv6 values can now be proxied without IPv6 support, Socket6 is no longer an absolute prerequisite. ‘ipv6:’ prefix is now optional and not prepended in attribute values
- TACACS+ authentication and authorization can now be decoupled
- Bind variables are now available for AuthLog SQL and Log SQL.
- Status-Server requests without correct Message-Identifier are ignored. Status-Server responses are now configurable.
- LDAP attributes can now be fetched with base scope after subtree scoped search. Useful for example, tokenGroups AD attributes which are not otherwise available
- Newly added check for CVE-2014-0160, the OpenSSL Heartbleed vulnerability may log false positives
- New AuthBy for authenticating against YubiKey validation server added
- See Radiator SIM pack revision history for supported SIM pack versions
Detailed changes
- Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address, DNS-Server-IPv6-Address, Route-IPv6-Information, Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These attributes override a number of attributes that were previously commandeered by Ascend and Merit. The Ascend ones are still available in ascend.dictionary. The Merit attributes were added under the existing Merit VSA entry and the non-VSA Merit attributes were removed from the main dictionary. The non-VSA Merit attributes will continue to be available in a new file goodies/dictionary.merit
- AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS, MULTICAST and proxy algorithm AuthBys, now support special characters in AuthPort and AcctPort. Suggested by David Zych.
- Added in dictionary: Huawei-Loopback-Address, vendor 6139 (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou Research and Development Center) and vendor 27262 DANTE Ltd.
- Unknown attributes can now be proxied when the new global configuration flag ProxyUnknownAttributes is set to true. Unknown attributes are now alwasy available with special names such as Unknown-9048-120, where 9048 is the vendor id and 120 is the vendor attribute number. Unknown attributes are now logged with level WARNING instead of ERR. A warning is logged for each attribute once per sender IP address. Attribute names starting with Unknown are reserved in dictionary and ignored when the dictionary is loaded.
- Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and RFC 6930.
- Added support for dictionary type ipv4prefix required by RFC 6572. An example of ipv4prefix format is ‘192.168.1.0/24’. Added attributes from RFC 6572 in dictionary.
- Change in 4.12 caused ServerDIAMETER to always create new peer instances for new connections. This caused mainly WatchdogState DOWN log litter.
- AuthBy DIAMETER and other DiameterClient derived classes, such as Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support new option SCTPPeer. This option allows defining multiple SCTP peers for the initial SCTP association attempt.
- Added vendor Arista in dictionary. Updated Netscreen values. Contributed by Garry Shtern.
- Fixed AuthBy NTLM so it will not leave zombie processes around during reconfigure. Reported by Garry Shtern.
- AuthBy RATELIMIT now supports optional parameter MaxRateResult, which allows specifying the result when MaxRate is exceeded. MaxRateResult defaults to IGNORE.
- Significant IPv6 changes. Socket6.pm is no longer required if the core Socket module provides the required IPv6 support. Attributes with IPv6 address or prefix type are now handled as binary if there is no Socket or Socket6 for IPv6 support. This fixes the problem with proxying when Socket6 was not installed. Prefix ‘ipv6:’ for IPv6 addresses is no longer required but will be accepted. Decoded values for IPv6 address type attributes will no longer have ‘ipv6:’ prefix. Startup log messages now contain information about the IPv6 support.
- Updated 3GPP (vendor 10415) attributes in dictionary. 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier were added. 3GPP-Charging-Gateway-Address, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address are now the main attribute names while 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases. 3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias. Attribute types were corrected to use e.g., ipaddrv6, integer8 and integer16 for correct encoding and decoding. Added values for enumerated integer types.
- Reverted the previous attribute canonical name changes for vendor 3GPP. 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the names Radiator will use for decoding the attributes. The new names will be recognised as aliases. Also, 3GPP-PDP-Context name for value 0 is IP and IPv4 can be used as an alias.
- EAP_25.pm now makes inner identity available via outer context improving logging options.
- Updated Application IDs. Updated vendor 3GPP (10415) RADIUS compatible attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type values, fixed 3GPP-*-Address encoding to use OctetString instead of Address type, 3GPP-RAT-Type and other 8 bit enumerated values are encoded correctly. 3GPP attribute Location-Estimate type is now OctetString.
- Improvements to the sample wimax.sql database schema to support long capabilities values.
- Added VENDOR Radware 89 and VSA Radware-Role to dictionary.
- Logging level for rejected authenticaton attempts can now be configured globally and for each Handler or Realm. The level is set with new parameter LogRejectLevel. This optional parameter uses the same values as Trace option, and can be set globally or per Handler or Realm.
- Further logging enhancements. PacketTrace can now be configured to skip selected Log clauses. New flag parameter IgnorePacketTrace can be set in Log clauses which should not participate in PacketTrace logging. Thanks to David Zych for ideas and assistance with the latest logging improvements.
- Trailing NULs are now stripped from TACACS+ authorization arguments. Reported by Tim Cheyne.
- Fixed a bug in Diameter Address format encoding with IPv6 addresses. DiaClient now correctly formats IPv6 address in Host-IP-Address for TCP connections.
- TacacsClient module now supports connecting to TACACS+ servers over IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+ servers. Requires IO::Socket::INET6.
- Account expiry dates starting with ‘Mmm dd’ for Expiration, ValidTo and ValidFrom check items now correctly check for valid month names. Reported by Kennyen Choo.
- Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to dictionary.
- Worked around the duplicate name for 3GPP Diameter Gx interface. Fixed typos in Diameter application names.
- ClientListSQL was calling parent’s initialize twice. Clarified AuthSQLHOTP and AuthSQLTOTP parent initialize calls.
- Improvements to logging. Added support in Log.pm and LogGeneric.pm for dynamically setting the Trace level. An example of using User-Name from the current request is in goodies/hooks.txt.
- Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm handling. Worked around the duplicate name for 3GPP Diameter Rx interface.
- When special %s is used, the microseconds are now left padded with zeroes. Suggested by David Zych.
- PEAP and EAP-TTLS now make maximum fragment size available for inner authentication protocols. EAP-TLS was improved to use this information. This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with environments with variable Framed-MTU sizes.
- When reading parameter settings from a file with file:”filename”, any trailing newlines are now removed from the end of file to make sure the value is correctly parsed. Reported by David Zych.
- Added goodies/address-allocator-sql.txt for further AddressAllocator SQL examples. Initial examples include MySQL and PostgreSQL queries for environments with multiple Radiator instances allocating from the same database.
- RDict.pm now supports new method vendorByNum which returns vendor data from a given vendor number. Enhanced Starent VSA decoding to make sure invalid lengths do not cause a crash. Added support and attributes for Starent VSAs which use 1 byte for type and 1 byte for length. The Starent VSAs in Radiator default dictionary use 2 bytes for type and length. Loading goodies/dictionary.starent-vsa1 after the default dictionary will cause Starent VSAs to use 1 byte type and length. The Starent VSAs in the default dictionary will not work with dictionary.starent-vsa1 and should not be used.
- Significant changes in Diameter dictionary handling: The dictionaries can now be separate modules and a specific dictionary is defined for the application. Diameter Credit Control attributes were moved in module DiaDict_4.pm while Diameter base, NASREQ, Mobile Ipv4, base accounting, EAP, SIP and relay applications still use the default dictionary DiaDict.pm. Any new dictionaries will be created as separate modules. Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer, ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil and DiaDict_4.
- Added support for salted and non-salted SHA-2 hashed passwords. Supported formats are {SHA256} {SSHA256} {SHA384} {SSHA384} {SHA512} and {SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2 hashing. Suggested by Alexander Hartmaier.
- AddressAllocator DHCP can now use Class attribute for allocation state when configured with UseClassForAllocationInfo. This enables allocation and deallocation to work between server farm members. Configuration notes in goodies/addressallocatordhcp.cfg. Clarified some of the AddressAllocator DHCP options in addressallocatordhcp.cfg
- Functions pack_sockaddr_pton and gethostbyname in Util.pm and UtilSocket6.pm misinterpreted some hostnames as IPv6 addresses. Reported by Emanuel José Freitas.
- Updated Huawei VSAs in dictionary. Contributed by Alexander Hartmaier.
- AddressAllocator identifier in AuthBy DYNADDRESS now supports special formatting characters.
- Change in DiaPeer watchdog to recover better from unresponsive but still open TCP connections.
- Diameter dictionaries now support attribute flags. Added add_attr_d, get_attr_d and get_attrs_d in AttrList.pm for adding and accessing Diameter attributes with their names. Any flags, such as M flag, are automatically added based on dictionary. DiaAttrList and RadiusDiameterGateway now correctly set dictionary when using DiaAttrlist->new(). DiaDict is more verbose about possible problems with parsing dictionary files.
- Marked GroupCacheFile option in ServerTACACSPLUS as deprecated and removed code related to it.
- ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted TACACS+ authentication and accounting requests in a more consistent manner. Use of deprecated CommanAuth option gives a warning during startup. Minor cleanups to remove warnings when -w is used. Fixed mapping of missing GroupMemberAttribute value to ‘DEFAULT’ broken in the previous patch. Updated tacacsplusserver.cfg in goodies.
- ServerTACACSPLUS can now create a RADIUS Access-Request when TACACS+ authorization request is received but no authorization info is known for the user. This can happen for example, when Radiator is restarted or the TACACS+ client uses some other protocol for authentication. These RADIUS Access-Requests carry Service-Type attribute with value Authorize-Only. Authorization based requests are enabled with AllowAuthorizeOnly flag which defaults to off. Updated tacacsplusserver.cfg and added OSC-TACACS-Authen-Method in dictionary.
- AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2 authentication attempts instead of letting password check fail each time.
- Added support for PBKDF2 derived User-Password check items. Uses HMAC-SHA1 as the Pseudo Random Function (PRF). Requires Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be used to create derived password in the form Radiator honours.
- AuthLog SQL now supports SuccessQueryParam and FailureQueryParam parameters, which allow SQL bind variables to be used.
- AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate verification. New parameter ChallengePrefix allows setting the common prompt for PIN change and other challenge questions. Suggested by Garry Shtern.
- Log SQL now supports LogQueryParam parameters, which allow SQL bind variables to be used.
- Changes so that the plaintext password is not logged at debug level during EAP-TTLS/PAP authentication.
- Added support for SSLVerify, SSLCAPath, SSLVerifyCNName, SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later or otherwise they are ignored. SSL client certificate options are now set using LWP if LWP version 6.0 or later is detected. These changes allow RSA AM server HTTPS certificate verification without environment variables.
- tacacsplustest in goodies now supports -bind_address command line argument. TacacsClient module can now pass local address to the socket constructor.
- Added eduroam-Monitoring-Inflate VSA to dictionary.
- Added StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.
- Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet dumps only when the log level is DEBUG or more verbose. IPv6 capability is now logged on DEBUG level if IPv6 functionality is provided by the Perl core or Socket6. INFO level message is logged only when there is no full IPv6 functionality.
- Added new module AuthBy YUBIKEYVALIDATIONSERVER with example configuration yubikey-validationserver.cfg. Authenticates against Yubikey Validation server. This allows using a YubiHSM Hardware Security Module (HSM) by one or more Radiator servers at the same time. The YubiHSM can be installed on the same server where Radiator runs on, or on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move common code to AuthYUBIKEYBASE.pm allowing AuthBy YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey specific support modules such as Auth::Yubikey_Decrypter.
- Added in dictionary: Attributes from RFC 7055. These started as UKERNA, vendor 25622, VSAs.
- Removed unneeded code from EAP_25.pm and TLS.pm.
- Added new global and Client specific configuration parameter StatusServer. This parameter sets the Status-Server response verbosity. The supported values are off, minimal and default. The global default can be overridden by each Client clause. Status-Server requests without correct Message-Authenticator attribute are now ignored.
- Added new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can now be configured to do a two step search to first locate the user’s DN and then follow with a second search where the search base set to the DN and scope to ‘base’. This is required for example, to get access to Windows AD constructed attributes, such as tokenGroups, which are only returned when the search scope is set to base. Updated ldap.cfg in goodies.
- Removed old and unneeded FirstSendTime, LastSendTime and Attempts from Radius.pm.
- EAP-TTLS now correctly exports the inner identity with $rp->{inner_identity} when the inner authentication is EAP.
- Added OSC-SIM-* attributes for exporting SIM/USIM authentication information. Added attributes for the upcoming RFC “RADIUS Attributes for IEEE 802”.
- AuthBy SIP2 now honours Timeout option when connecting to SIP2 servers. The timeout defaults to 3 seconds.
- Added new parameter FailureBackoffTime to Resolver. If the lookup failed to discover any results and there was a timeout while waiting for the nameserver, this optional value specifies how long Radiator will wait before another lookup is made. Previous behaviour was to try again after NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old behaviour reported by Paul Dekkers.
- ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in CER. This is required by the current Diameter base RFC 6733. Value 0 is no longer announced with Acct-Application-Id in CER. Updated diameter-server.cfg.
- Added new global parameter KeepSocketsOnReload. Note: this is currently considered experimental. This optional flag controls whether opened RADIUS listen sockets should be left intact on a reload request. When enabled, the changes in BindAddress, AuthPort and AcctPort are ignored during reload. You may consider enabling this option when incoming RADIUS requests should be buffered during the reload instead of ICMP unreachable messages being sent back to the RADIUS clients. Contributed by Garry Shtern.
- Attributes added to the reply by EAP-FAST inner authentication will now be copied to the outer Access-Accept too. This is similar to how PEAP and EAP-TTLS already function. Suggested by Jakob Schlyter.
- Added the first version of RuntimeChecks module with two checks. The first uses Net::SSLeay to try to detect OpenSSL versions which may have the Heartbleed (CVE-2014-0160) vulnerability. The second test checks for the availability of Digest::MD4 which is often required because of MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be disabled with the new configuration parameter DisabledRuntimeChecks. Future checks are added as needed. The module is also available for Hooks to implement site local checks.
- Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access were incorrectly entered in the dictionary. Reported by Jason Griffith.
- Ldap.pm could crash while logging with old Net::LDAP versions. Reported by Mauricio Montoya Bustamante.
- Revision 4.12.1 (2013-09-17) One bug fix. One enhancement.
-
- Fixed a bug that prevented AuthBy SQL from loading when it was defined outside of Realm or Handler.
- Unknown Diameter attribute types are now logged with a warning when Diameter dictionaries are loaded. Diameter encoder and decoder now use Integer32 and Integer64 for signed 32 bit and 64 bit types instead of Signed32 and Signed64.
- Revision 4.12 (2013-09-06) New modules, some significant new features. Bug fixes.
-
- Improvements to EAP-MD5 handling: in the event of an authentication failure, the reason messages are more descriptive of the reason why.
- Updated Mikrotic VSAs in dictionary.
- Added a number of VSAs for Alcatel-ESAM to dictionary.
- Fixed a potential crash if there were many unfinished EAP-GTC authentication conversiations through AuthBy ACE. Reported by Richard Fairhall.
- Added support for a number of new check items for AuthBy SQL: Max-All-Session, Max-Hourly-Session, Max-Daily-Session, Max-Monthly-Session, Max-All-Octets, Max-All-Gigawords, Max-Hourly-Octets, Max-Hourly-Gigawords, Max-Daily-Octets, Max-Daily-Gigawords, Max-Monthly-Octets, Max-Monthly-Gigawords. AuthBy SQL supports the foillowing corrsponding configurable queries: AcctTotalQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalOctetsQuery, AcctTotalGigawordsQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery. With the kind assistance of Richard Fairhall.
- Updated AuthLog SYSLOG so that it honours the same %0 and %1 in SuccessFormat and FailureFormat as other loggers.
- Changed all instances of the poorly defined ‘octets’ type attributes in dictionary to ‘binary’.
- Added F5 BigIP VSAs to dictionary, per http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html, as sent by Alexander Hartmaier.
- Added further Trapeze VSAs for MSS 8.0 and later to dictionary, as sent by Vandenbroucke Luc.
- Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that failedRequests and start_failure_grace_time are updated even if there is no $op->{rp}.
- Performance improvements for TTLS and PEAP: when used with OpenSSL 1.0.1 and later, NetSSLeay 1.52+latest patches and later, the native OpenSSL tls1_PRF function is used.
- Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the event of an Access-Reject from a proxied request, AuthLog* can log the actual Reply-Message from the reply instead of ‘Proxied’. Requested by David Zych.
- Improvements to AuthBy RADIUS and AuthBy RADSEC to detect obvious routing loops and to ignore attempts to proxy a packet to the same BindAddress/port a packet was received on.
- Fixed a problem in SessionDatabase SQL that could cause a crash if UpdateQuery is defined and an Accounting Alive packet was received. Reported by Chris Millington.
- Improvements to AuthBy SQL AuthColumnDef. Can now have a trailing “, formatted” keyword in an AuthColumnDef. This will cause the value retrieved from the database in that column to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now:
AuthColumnDef n, attributename, type[, formatted]
For example:
AuthColumnDef 1, Filter-Id, reply, formatted
- Improvements to AuthBy LDAP2 AuthAttrDef. Can now have a trailing “, formatted” keyword in an AuthAttrDef. This will cause the value(s) retrieved from LDAP to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now:
AuthAttrDef ldapattributename, radiusattributename, type[, formatted]
For example:
AuthAttrDef filter, Filter-Id, reply, formatted
- All configuration parameters of type ‘flag’ can now use special characters. This is especially useful to be able to control flags with GlobalVar’s.
- Added example hook to hooks.txt: showing a way to call PostAuthHook with additional fixed arguments set at startup time.
- Fixed some typos in DiaClient that incorrectly mentioned RadSec.
- uthBy RADIUS and AuthBy RADSEC now remove unnecessary Timestamp attribute (meant for internal use only) from proxied requests.
- Improvements to Handler: the reply packet is not set if there is already one present. Useful when AuthBy HANDLER or a hook redespatches a request to another Handler: reply items added by earlier Handlers and AuthBys will not be lost.
- Added Ericsson redback VSAs 207-213 to dictionary. Also added some alternate values for RB-Framed-IPv6-Prefix, RB-Framed-IPv6-Route, RB-Framed-IPv6-Pool, as used by SmartEdge.
- Added A-10 Networks VSAs to dictionary.
- Improvements to SYSLOG loggers to be more compatible with later versions of Sys::Syslog.
- Fixed a problem with using AuthBy Fidelio and Serial ports that caused a failure to start Radiator. Also changed the default serial port flow control for Fidelio modules to ‘rts’, since ‘xoff’ could cause lost characters and bad checksums. Testing with USB-Serial port adapters.
- Updated goodies/digipass-install.txt to include guidance about how to order Digipass tokens, including the need to order the ‘Digipass User Data Subscription Fee’ (DUD) option.
- All tar files are now built with TAR_OPTIONS=–format=gnu to ensure compatibility with other tars, notably the one on Solaris.
- Testing on Solaris 11. OK with builtin perl 5.12.
- Added Huawei-3Com (H3C) VSAs to dictionary.
- Improvements to AuthBy KRB5 and Ldap.pm: Credential Cache now uses memory cache instead of file. Added a new option KrbServerRealm to allow server and user to exist in different realms. Hostname is now used for service tickets instead of IP address. Reverse DNS lookup is now done for the host before requesting a service ticket. Patches by Garry Shtern.
- Added new dictionary file for Cisco/Altiga attributes compiled by Alexander Hartmaier.
- Fixed a problem that prevented HostSelect from implementing host counter if HostSelectParmam was defined.
- Added support for SNMP V2c with new configuration parameter SNMPVersion in SNMPAgent. Fixed a problem where some SNMP decode errors were not correctly detected.
- Configuration file check no longer activates clauses which could cause spurious error messages. Requested by Garry Shtern.
- Added Palo Alto Networks VSAs to dictionary. Contributed by Garry Shtern.
- More improvements to LDAP logging. The hostname and port are now logged after a successful connection. This helps determining to which host the connection was made when the Host parameter is configured with multiple host names. Removed redundant GSSAPI related code. Contributed by Garry Shtern.
- Fixed a problem with EAP-TTLS where EAPAnonymous %0 did not fetch the inner EAP identity. Reported by Neil M. Johnson.
- Added a number of Aruba VSAs to dictionary with the kind assistance of Michael Hulko.
- Fixed UseStatusServerForFailureDetect in AuthRADIUS.pm to work correctly when there are multiple Hosts configured. This also affects AuthRADIUS subclasses and small changes were needed for AuthLOADBALANCE, AuthMULTICAST, AuthROUNDROBIN and AuthVOLUMEBALANCE. AuthHASHBALANCE and AuthEAPBALANCE required no changes. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to Status-Server request will bring back a failed Host. Other changes include: AuthRADIUS subclasses will now log an INFO level message when the Host starts responding. BogoMips only affects AuthLOADBALANCE and AuthVOLUMEBALANCE as documented. Setting BogoMips to 0 for a Host will no longer disable it for the other subclasses. KeepaliveTimeout can be specified for the AuthBy or individual Host in the AuthBy. The default value for BogoMips in an AuthBy is now correctly passed to the Hosts in the AuthBy. Thanks to Paul Dekkers for reporting the problem and debugging help.
- Reverted earlier Status-Server polling related change in AuthRADSEC.pm that caused memory leak when requests were not replied to. Reported and narrowed down by Paul Dekkers.
- EAP-PWD now honours UsernameMatchesWithoutRealm. Also, if the user is not found, the log message now has EAP-PWD instead of EAP MSCHAP-V2.
- Fixed UseStatusServerForFailureDetect in AuthRADSEC.pm to work correctly when there are multiple Hosts configured. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to Status-Server request will bring back a failed Host. This change is similar to the recent AuthRADIUS.pm change.
- Added new option -message_authenticator to radpwtst for adding correctly calculated Message-Authenticator in the outgoing requests. Currently supported types are Access-Request, Status-Server, Disconnect-Request and Change-Filter-Request aka COA-Request.
- PEAP EAP context is now cleared immediately when reading encrypted TLS data fails.
- AuthBy RADSEC did not correctly reinitialize when signalled with SIGHUP leaking TCP connections, memory and TLS references. Fixed similar memory leak in AuthBy RADIUS. TCP connection leak reported by Karl Gaissmaier.
- Logging enhancements: replies received by AuthBy RADIUS, AuthBy RADSEC, Client, ServerRADSEC and SimpleClient.pm are now dumped using the loggers configured for the respective clauses and module. PacketTrace now affects the replies received by the clauses. Function decode_attrs no longer dumps the received request. Some messages are now logged by the clauses first instead of just the main logger.
- Added Blue Coat VSAs to dictionary. Contributed by Garry Shtern.
- LDAP GSSAPI name resolution enhancements. Based on patch by Garry Shtern.
- Tested with RSA Authentication Manager 8.0. Updated OnDemand mode prompt handling. No other changes required. Added new parameter ChallengeHasPrompt to AuthBy RSAAM to enable sending RADIUS Prompt attribute with Access-Challenge messages based on the RSA AM responses.
- Status-Server messages sent by AuthBy RADSEC and AuthBy RADIUS no longer carry Proxy-State attribute. Improved logging in AuthBy RADSEC when Proxy-State in reply is missing or mangled.
- Added Lancom and CheckPoint GAiA VSAs and updated 3Com and H3C VSAs in dictionary with the kind assistance of Philip Herbert.
- Added new methods for inserting attributes in AttrList. Useful e.g., for Diameter AVP ordering. Added Origin-AAA-Protocol into DiaAttrList, updated DiaDict to always use DiameterIdentity, DiameterURI, IPFilterRule and QoSFilterRule as data type name instead of short-forms. Fixed a number of spelling mistakes.
- Added support for authentication with Duo Security https://www.duosecurity.com/ . AuthBy DUO supports two-factor authentication provided by Duo Security auth API. Sample configuration file and partial API simulator is included.
- Registering an object by its Identifier in Configurable.pm is now done just before object loading finishes, not during object activation. This fixes the recently introduced problem where configuration check gave incorrect results when Identifiers were used for references. Reported by Karl Gaissmaier.
- Added iPass VSAs to dictionary.
- DiaPeer and DiaClient now support adding Vendor-Specific-Application-Id attributes in Diameter CER message.
- Configurable now calls check_config for each module just before it is activated. Configuration checks done by modules within activate were moved to check_config so that they will be run also when radiusd is invoked with -c flag to check the config.
- Updated sample certificates to expire Aug 14 11:37:20 2015 GMT. Updated goodies/mkcertificate.sh to check for CA.pl availability.
- Added precompiled Authen-Digipass ppm package for Perl 5.16 on Windows.
- Added precompiled Authen-ACE4 ppm packages for Perl 5.16 on Windows. Recompiled Authen-ACE4 ppm packages for Perl 5.14.
- Added new global parameter BindV6Only. This optional parameter allows turning on or off IPV6_V6ONLY socket option for IPv6 wildcard listen sockets. Defaults to undefined and hence no setsockopt is done. See RFC 3493 for more about IPV6_V6ONLY.
- Client clauses now support CIDR notation for IPv6 clients. For example: ipv6:2001:db8:1:2::/126 and ipv6:::ffff:192.168.1.0/120. It is recommended, but not required, to install Math::BigInt::GMP or Math::BigInt::Pari for faster matching. The default is to use slower pure Perl implementation.
- Updates in many goodies example and other files.
- Added preliminary support for AuthBy DIAMETER. AuthBy DIAMETER converts RADIUS messages to Diameter messages and sends them to a Diameter server. Currently targets RFCs 4005 and 6733.
- AuthBy DUO did not indicate the request was handled asynchronously causing problems with certain modules such as ServerTACACSPLUS. Reported by David LaPorte.
- Enhanced radpwtst help output and options file support. The file format is now documented in the reference manual. The -time option now works even when -notrace option is given.
- Unnecessary DNS lookups were done when MAC: or CIDR Clients were defined causing possible slowness during startup or ClientList refresh.
- Testing with Strawberry Perl on Windows. Updated installation documentation and reference manual to include Strawberry Perl on Windows.
- Revision 4.11 (2012-12-14) Some significant new features. Bug fixes.
-
- Typo prevented MS-CHAP-Challenge being correctly added to when EAP_LEAP_MSCHAP_Convert is enabled.
- Changes to continued line parsing in 4.10 broke the ability to spread a the first line of a clause over multiple lines with the backslash line continuation operator. Fixed.
- AuthBy ACE now supports EnableFastPINChange with EAP-GTC, contributed by Richard Fairhall.
- Fixed a problem that prevented correct operation of ServerDIAMETER listening when FarmSize was in use: some children could block waiting for an accept. Listen socket is now non-blocking. Reported by Rani Assaf.
- Fixed a problem that prevented AuthBy RADSEC correctly detection downstream server failure under some circumstances with UseStatusServerForFailureDetect. Reported by Paul Dekkers.
- Added support for authentication via 3M Standard Interchange Protocol 2 as used in 3Ms Automated Circulation Systems (ACS) for book libraries. AuthBy SIP2 supports TCP-IP connection to 3M ACS systems, and authenticates against library patron name and password.
- SNMPAgent now supports some more items from MIB2: sysDescr (which returns the Radiator name and version) and sysObjectID (which returns the Radiator OID 1.3.6.1.4.1.9048.1.1). Also added sample goodies/snmp.cfg with some documentation about how to configure and test SNMPAgent.
- radiusd has a new function main::addChildInitFn() which can be used by modules to register a function that is to be called in each child after it is forked by FarmSize. This can be used by module authors to defer or redo some intialisation in the child.
- Improvements to error detection in Stream handle_socket_read to detect the possibility of EWOULDBLOCK/EAGAIN, reported by Rani Assaf.
- Added HP-VC-Groups to dictionary.
- Further improvements to multiline config file parsing, suggested by Michael.
- Updated comments in HOTP and TOTP examples to clarify the contents of the ‘secret’ field. Also fixed a problem in AuthBy SQLTOTP, which could cause an SQL error if the first ever log-in attempt involves typing an incorrect PIN. Reported by Roy Badami.
- Improvements to PEAP support for Windows failing to work when PEAP fast reconnect was enabled. EAP Extension TLV/Success is now exchanged over TLS tunnel between the server and client before sending final Access-Accept.
- Added more Unisphere and Juniper VSAs based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
- Fixed a typo in dictionary for WiMAX-QoS-Descriptor value Transmission-Policy.
- Fixed a problem that could prevent the correct OutPort being used as the source port for AuthBy RADIUS forwarding.
- Nas finger now uses the standard perl Net::Finger module intead of the internal Finger client in Radius::Finger. The internal Finger client Radius::Finger is now not shipped with Radiator. If you wish to use finger to check online users, you must install the Perl Net::Finger module.
- Added OSC VSA for pseudo-attribute PoolHint to dictionary.
- Updated all Nas/*.pm modules to use numeric OIDs instead of sysmbolic, since some recent versions of snmp tools install without MIBs.
- Added DEBUG logging of DHCP replies reeceived by AddressAllocator DHCP.
- Fixed a problem that could cause a crash if AuthBy EAPBALANCE was used with the KeepaliveTimeout option.
- Fixed a problem that caused UseStatusServerForFailureDetect to not work correctly when defined at the AuthBy RADIUS level instead of the Host level.
- Added new parameter ClientHardwareAddress to AddressAllocator DHCP. ClientHardwareAddress is the name of an attribute in the incoming address which contains the hex encoded MAC address of the client. If present, it will be used as CHADDR in the DHCP request. If not present, and fake CHADDR based on the request XID will be used. The DHCP server may use this when allocating an address for the client. The MAC address can contain extraneous characters such as . or : as long as it contains the 12 hex characters (case insensitive) of the MAC address. Special characters are supported.
- Added NetworkPhysics-Attribute to dictionary with the kind assistance of “Caporossi, Steve G.”
- Added Procera-Local-User-Name to dictionary with the kind assistance of Lucas Hazel.
- Improvements to consistency of proxiedRequests and proxiedNoReply statistics counters when the request is proxied by multiple AuthBy RADIUS or AuthBy RADSEC clauses.
- AuthBy RADMIN now supports PostAuthSelectHook.
- Enhancements to support Diameter client and server required for new Diameter Wx support in Radius-EAP-SIM.
- Fixed a problem that caused incorrect RecvTime in tunnelled PEAP requests.
- Implemented checkproc for SuSE in linux-radiator.init. Contributed by “Aeneas Jaißle (sewikom GmbH)”
- Added support for PostDiaToRadiusConversionHook and PostRadiusToDiaConversionHook to Server DIAMETER.
- Refactoring of md5 and mschapv2 challenge code prior to integrating Heimdal digest support.
- Added new module AuthBy HEIMDALDIGEST with example configuration and test setup instructions. Authenticates from Heimdal Kerberos (http://www.h5l.org/). Supports RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2). With the kind assistance of Fredrik Pettai. Originally written by Klas Lindfors. Contributed by Stefan Wold of Stockholm University.
- Fixed a problem where file:”filename” syntax in configuration file could cause strange error messages in hooks if the filename was not found.
- Fixed a problem where PidFile could be incorrectly deleted if any child was killed in a farm. Now it is only deleted if the farm parent is shut down.
- Fixed a problem in server farms where if a child process was STOPped or hung, the graceful shutdown process could also hang, resulting in possible failure to restart all children correctly.
- Improvement to Linux startup script to better handle the case where Radiator fails to exit cleanly after stop command.
- Improvements to SNMP.pm snmpget, so that failures due to Unknown Object Identifier are detected. Suggested by Michael.
- Revision 4.10 (2012-06-28) Some significant new features. Bug fixes.
-
- Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in eg Eduroam and other environments. Requires that the Radiator user database has access to the correct plaintext password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is included.
- Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
- Added Tropos and Fortinet VSAs dictionary.
- Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into multiple attributes.
- Removed use of ‘use timelocal’ from radiusd and radpwtst, code now uses Time::Local instead.
- Removed use of ‘use newgotopt’, all code now uses Getopt::Long instead.
- Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter specifies whether the password needs to be url-encoded or not. Options are “Clear”, “Encode”. Contributed by Matthew Van Kuyk.
- Added Nokia Siemens Networks (NSN) VSAs to dictionary.
- Added support to radpwtst for new command line argument -alive to send Accounting-Alive requests. Alive is not sent by default if accounting is enabled.
- Fixed an error in the RPM build control file Radiator.spec, which would cause /usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
- Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple differing module logging configurations do not confuse Sys::Syslog.
- Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
- Improvements to AuthBy WIMAX, which now uses latest WiMAX TLV attribute definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX now uses latet WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and honours the -capability command line argument where you can specify an alternate WiMAX-Capability.
- Removed use of ‘use newgotopt’ from builddbm, buildsql, tacacsplustest, diapwtst, restartwrappert. Code now uses Getopt::Long instead.
- Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL 0.9.8m and later, this optional parameter enables legacy insecure renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.
- Updated ACME VSA’s in dictionary to add many missing VSAs and to adopt attribute naming consistent with other RADIUS servers.
- Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
- Added support for EAP expanded types per RFC 3748. EAPType parameter can now be specified as a EAP type number, EAP extended vendornumber:typenumber or as a traditional well-known EAP type name eg:
EAPType TTLS, MSCHAP-V2, 16776957:4244372217
where 16776957 is the expanded vendor number and 4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9, the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included module and config to support testing against wpa_supplicant VENDOR-TEST expanded type. - Fixed a possible problem in Stream connections where connection failures may not be detected correctly.
- Improvements to EAP-MSCHAPV2 handling in the case where the underlying database has a database access problem, causing an IGNORE.
- Testing with RSA Authentication Manager 7.1 SP4. No changes required.
- Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2 Assertions for an (already autheticated) user from a Identity Provider (IdP) and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is beta code and not yet widely tested. Feedback requested. Currently only sends ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing of requests and Verifying of responses is not yet proven to work correctly.
- EAP-MSCHAPV2 now honours AuthenticateAttribute.
- New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32 and 64 bit.
- Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if Radiator gets an error or a timeout from a database connection it will try to reconect to the database, starting with the first DBSource, and trying them all in order until a successful reconnection. This flag forces the search to start at the database following the current DBSource (if there is one). This can help with some types of overloaded database that can be connected but then timeout when a query is sent.
- Context is stored in $p->{EAPContext} for all EAP requests.
- Fixed a problem where HUPping an evaluation vesion would result in messages like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
- Added support for new parameter RequireMessageAuthenticator in Client clauses. Normally, Client clause checks the value of any Message-Authenticator attribute (if present) in incoming requests (EAP or otherwise), and an incorrect authenticator causes the request to be IGNOREd. The optional RequireMessageAuthenticator flag causes this Client to require a (correct) Message-Authenticator attribute to be present in all incoming requests.
- ServerHTTP now registers itself with Configurable.
- Additional information in error logs from various TLS operations. Patch from “Bjoern A. Zeeb”. Thanks Bjoern.
- ClientList LDAP now supports file in PreHandlerHook and ClientHook.
- Fixed a problem with SessionDatabsse SQL which could cause a crash if the query contains %{Quote:…}. Patched by Eddie Stassen. Thanks.
- Added VENDOR Ericsson 193 VSAs to dictionary.
- Log FILE now supports %0 (priority) and %1 (og message) as special characters in Filename parameter. AuthLog FILE now permits use of the ‘|’ vertical bar leading character in Filename to permit piping to an external program.
- AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed flag parameter. If this is set then Net::LDAP will try all addresses for a multihomed LDAP host until one is successful. Default is true (set).
- Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compativ=bility with some Oracle clients in the group checks. Reported by Emanuel Freitas.
- Added VENDOR Adva 2544 VSAs to dictionary.
- Added VENDOR Siemens 4329 VSAs to dictionary.
- Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the standard Diameter dictionary
- Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes that are converted to Diameter Grouped attributes being parsed correctly.
- For all TLS related operations, improved error logging if SSLeay::new fails.
- Added StripFromReply and AllowInReply to the parameters permitted in AuthBy DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
- Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary
- Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh Irvine.
- Added new module AuthBy RATELIMIT which can be used to limit the maximum number of request per second to be served. If more than this number of request are received in any second, they will be IGNOREd.
- Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by Adam Thompson
- Server TACACSPLUS now honours DefaultRealm from the Client clause that matches the incoming request. If defined in the Client clause, it willl override any DefaultClient defined in the Server TACACSPLUS clause.
- Global SocketQueueLength was not honoured when creating RADIUS server ports.
- Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
- Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6 and RHEL6)
- All TLS context configuration parameters, such as EAPTLS_CertificateFile now honour special characters (such as %K etc) from the EAP identity request.
- AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0 (none) instead of 1 (session-based).
- All EAP authentications now log at DEBUG level the elapsed time of the entire conversation (since the EAP identity) in seconds (and microseconds if Time::HiRes is available).
- If a Client address cannot be resolved, the log message now includes the exact address that was not able to be resolved.
- Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version 1.11.
- Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if AuthBySelectParam was defined.
- Removed incorrect -authen_args from help in tacacsplustest.
- Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is honoured even if the EAP-GTC client sends the ‘RESPONSE=identity\0password’ for of EAP-GTC response.
- Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
- RFC 2621 was inadvertently omitted from the distribution.
- Added support for new configuration parameter. PacketDumpOmitAttributes specifies a comma separated list of RADIUS attribute names which will be omitted from RADIUS packet dumps in logs.
- ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP clauses. Reported by Albesiano Alberto.
- Improved parsing of hooks and display of hooks by ServerHTTP. Reported by Albesiano Alberto.
- AddToReply AddToReplyIfNotExist when used in Handlers and Clients, would incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL did not correctly honour AddToReply for Access-Accept and Access-Reject. Reported by Albesiano Alberto.
- RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the distribution. In accordance with RFC 6614, the default shared secret for RadSec has been changed to ‘radsec’, UseTLS is enabled by default, and TLS_RequireClientCert is enabled in Server RADSEC by default.
- Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
- Added Alvarion-WiMAX-Classifier VSA to attribute definiitons for WiMAX-Packet-Flow-Descriptor, per Alvarion’s document ‘RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc’
- Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor to support atttributes like:
WiMAX-Packet-Flow-Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN"
Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA tlvs to dictionary, to support attributes like:Alvarion-DHCP-Option="Ref-R3-IF-Name=interface1,DHCP-Option-Container=container1" Alvarion-R3-IF-Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6
Per Alvarion’s document ‘RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc’. - Fix to Fidelio interface so that LA messages are not queued unless there is a current connection.
- Fixed a problem where the LDAP group search did not correctly specify the attributes to fetch, and therefore _all_ attributes were fetched, affecting performance. Reported by Ben Carbery.
- Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If CheckSecretId is set, then check that the secretId fetched from the database matches the secretId encoded in the submitted Yubikey OTP. This increases the security of the Yubikey OTP and is recommended best practice. Also improved the documentation for for configuring yubikey.cfg and provided a better sample database for use with yubikey.cfg
- Fixed a problem with EAP-FAST that prevented anaonymous provisioning in some circumstances where the client asks for several ciphersuites. Reported by Sudhir.Harwalkar.
- Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy ACE whcih issue AccessChallenge to get additional data from the user. Radiator was sending the challenge as GETPASS rather than GETDATA and wasn’t getting the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco ASA 5510 firewall. Reported and patched by Richard Fairhall.
- Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl 5.14 x86 and x64 packages. Also updated the prebuilt packages at http://www.open.com.au/radiator/free-downlaods to include versions for Perl 5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-Lsa.tar.gz
- Fixed a problem where AuthBy LDAP2 would incorrectly log “DEBUG: No entries for mikem found in LDAP database” if MaxRecords was set larger than the actual number of LDAP records retreived.
- Improvents to SQL logging shows the name of the database at DEBUG level when connection attempts are made. Also prepareAndExecute and do functions log the database name at DEBUG level. Requested by Philip Herbert.
- Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
- Added VSAs for Ruckus Wireless to dictionary.
- AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem that prevented the error being correctly printed if ntlm_auth if it crashed or exited.
- Removed use of Digest::SHA1, replaced with Digest::SHA,which is now included with all perls. Digest::SHA is now an absolute prerequisite.
- Added sample config platypus7.cfg for recent Platypus 7 database.
- h EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2, EAP-FAST, inner packets are now logged at DEBUG level _after_ the PreHandlerHook (ie any) is run, so that attributes added by the hook will be visible.
- Fixed a problem where Client DupInterval 0 sometimes did not act as expected, causing a leak in EAP contexts.
- Improved logging so that AuthBy ACE prompts are not broken up with newlines in logs. Requested by Richard Fairhall.
- Fixed a problem that preventeed TACACS+ which prevented AuthBy ACE new pin mode and other challenges from working correctly. Patch provided by Richard Fairhall.
- Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the maximum time in seconds that a RadSec connection can be idle before a Status-Server request is sent to keep the TCP connection alive. This helps to keep TCP connections open in the face of “smart” firewalls that might try to close idle connections down. Defaults to 0 seconds, which means inactive.
- Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the old-fashioned way, with the CHAP Challenge in the authenticator, and not in a separate CHAP-Challenge attribute.
- Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org
- dded hextobase32.pl to goodies. Script to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
- Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
- Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is enabled, use only Status-Server requests (if any) to determine that a target server is failed when there is no reply. If not enabled (the default) use no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable this, you should also ensure KeepaliveTimeout is set to a sensible interval to balance between detecting failures early and loading the target server. KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can be idle before a Status-Server request is sent to keep the connection alive. Defaults to 0 seconds.
- Added more Unisphere and Juniper VSAs to dictionary based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
- Fixed a problem that could cause a server crash if Framed-IPv6-Prefix was received but Socket6 is not installed.
- Fixed typos in the names of Management-Transport-Protection and Management-Privilege-Level in dicoitnary. Reported by Ingvar Berg.
- Revision 4.9 (2011-09-30) New features and some bug fixes.
-
- Fixed an issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interprted as UDP RADIUS (for historical reasons). It is now interpreted as TCP RADSEC. Reported by Stefan Winter.
- Added commands to the sample startup script linux-radiator.init that work for Debian. Submitted by “Michael”.
- Improvements to AuthBy FIDELIO: During a SIGHUP, AuthBy FIDELIO now sends a LE and closes the TCP connection before reopenaing the connection. This should result in better database reading behaviour during SIGHUP. AuthBy FIDELIO now sends periodic LA commands to the Fidelio to check the integrity of the link. Suggestions by Ralf Ertzinger.
- Fixed further issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted. Reported by Paul Dekkers
- Improvements to AuthBy DNSROAM so that routes for different realms that are discovered to be to the same proxy server will reuse the existing server. Suggested by Stefan Winter.
- goodies/fideliosim.pl now prints main details of PS posting records it receives.
- New module AuthBy FIDELIOHOTSPOT which provides hotel guest authentication by Fidelio, and prepaid session times, billed to the user’s room by Fidelio. Supports various hotspots such as Mikrotik and Open-Mesh etc. Replaces goodies/fidelio-hotspot-hook.pl as the preferred method of providing prepaid sessions billed to room by Fidelio.
- Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after a message from Fidelio has been unpacked into a hash and before the record is passed to handle_message(). It can be used to change or transform any fields in the record before it is passsed to handle_message() and processed by AuthFIDELIO.
- Improvements so that if the example Radiator init script for linux is invoked as a symlink (eg /etc/rc2.d/S90radiator->../init.d/radiator), it still deduces the correct program name (radiator) and hence sources the correct sysconfig file (/etc/sysconfig/radiator).
- Fixed a problem where Realm clauses inside AuthBy DNSROAM did not recognise the Secret parameter. Reported by Paul Dekkers.
- Added negative caching to Resolver, with new parameter NegativeCacheTtl.
- Added new parameter RedespatchIfNoTarget to AuthBy DNSROAM. For a given request, if Resolver does not find a target and there is no explicit Route, and no DEFAULT Route and this flag is set, the request will be redepatched to the Handler/Realm system for handling. This allows for a flexible fallback in the case where DNSROAM cannot find how to route a request. The redespatched request will have the attribute OSC-Environment-Identifier set to the AuthBy DNSROAM Identifier (or ‘DNSROAM’ Identifier is not set)
- Fixed problems with the Authen-Digipass PPM packages for Windows missing important files.
- Fixed an issue with AuthBy RADSEC, where failure to deliver a message could cause continuous attempts to reconnect, even if ConnectOnDemand is set.
- Fixed an issue with Stream based connections, where ConnectOnDemand and an unresponsive server could cause Radiator to hang. Reported by Paul Dekkers.
- Added workaround for a bug in some versions of perl 5.12.1 (such in openSUSE 11.3) that caused incorrect packing of some RADIUS requests.
- Improvements to Server TACACSPLUS so that RADIUS STATE is saved in in the connection rather than the context. Patch provided by Nicholas Waples.
- Reversed a previous change in 4.8 that Server TACACSPLUS expired authentication result in FAIL instead of ERROR. The change in 4.8 was to result in ERROR, which causes some devices to then revert to the local authorisations.
- Added a number of attributes from RFC 5090 to dictionary, which override a number of attributes that were previously commandeered by Ascend. The Ascend ones are still available in ascend.dictionary.
- Fixed a typo in dictionary: Ascend-Call-Attempt-Limit was Agscend-Call-Attempt-Limit.
- Fixed a problem in linux-radiator.init which prevented traceup working on SuSE. Reported by Aeneas Jaißle.
- Improvements to ClientListSQL to support DisconnectAfterQuery, which will cause disconnection from the SQL database after each query. This can be helpful in cases where firewalls etc close connections that have been idle for a long time.
- Added sha.pl, ssha.pl to goodies. Simple perl scripts to generate SHA and SSHA hashes of the first command line argument. Useful for generating SHA and SSHA hashed passwords in the form Radiator honours.
- Fixed a problem with the Radiator init script that prevented reload, traceup and tracedown working with some versions of SuSE.
- Added ipoque-class VSA for ipoque PRX Traffic Manager to dictionary. With the assistance of A.Sharaz.
- Improvements to the sample wimax.sql database schema to improve interoperation with Alvarion.
- All stream protocols that support TLS now support optional TLS_CertificateFingerprint parameter. When a TLS peer presents a certificate, this optional parameter specifies one or more fingerprints, one of which must match the fingerprint of the peer certificate. Format algorithm:fingerprint. Requires Net::SSLeay 1.37 or later.
- Improvements to AuthBy EAPBALANCE to permit operation with target RADIUS servers that rely on State, such as Windows IAS etc.
- Added Freeswitch-Direction and Freeswitch-Other-Leg-Id to dictionar.
- Added Documentation and sample scripts for how to use Radiator and the AuthBy FIDELIO module to handle authentication and accounting for the Freeswitch VOIP switch (http://www.freeswitch.org). It can be used authenticate and to bill VOIP calls to a Micros-Fidelio Opera Hotel Property Management System (http://www.micros.com).
- Added Riverbed-Local-User VSA to dictionary.
- Fixed a problem in AuthBy RADMIN where if the database connection fails once, message logging through AuthRADMIN will stop altogether, and along with that, the bad login counting. Reported an patched by Manuel Kasper.
- Added Aruba-MMS-User-Template to dictionary, fixed typo in Aruba-Port-Identifier. Added AH-HM-Admin-Group-Id.
- Added support for EAP AKA-PRIME. Required for version 1.32 or Radius-EAP-SIM module.
- Added new clause AuthBy SQLAUTHBY, which looks up how to authenticate each user based on information in an SQL database. The columns retrieved from SQL are used to create an AuthBy clause that will actually handle the request. The parameters used to configure the clause come from SQL. The clause is reused for as long as the the target realm yields the same SQL query results. The example works with the sample RADSQLAUTHBY table in mysqlCreate.sql.
- Added support for new parameter AuthChallengeKeyword to AuthBy URL. This parameter permits URL results that trigger a CHALLENGE reply for use with Challenge/Reponse systems. Contributed by Matthew Van Kuyk.
- Added new parameter DirectAddressLookup to Resolver. If DirectAddressLookup is enabled, and if there are no NAPTR records for the requestsed Realm, Resolver will attempt lookups of A and AAAA records for _radsec._sctp.REALM, _radsec._tcp.REALM and _radius._udp.REALM Enabled by default. Requested by Paul Dekkers.
- Added sample hook pwaframedip.pl. This hook fixes a problem with Enterasys switches where Framed-IP-Address is not included in accounting packets, but the information is available via SNMP when for Enterasys captive-portal (PWA) authentication. Contributed by Ben Carbery.
- In AuthBy RADMIN, it is now possible to disable IncrementBadloginsQuery and ClearBadloginsQuery by setting the query string to be empty.
- Server farm children now always reseed the random number generator so the children dont share the same seed.
- Improvements to the RPM spec file so RPM installs with recent 64 bit perls will work.
- Increased the default MaxBufferSize in streams to 10000000.
- Added support for passwords encrypted with $2a$, $2x$ and $2y$ blowfish crypt and $5$ SHA-256 crypt (where supported by the underlying crypt()). Improvements to support rounds= notation in SHA-256, SHA512 crypt.
- Ensure RecvTime is set in RADIUS requests derived from tunnelled EAP types.
- Changed the type of Framed-Interface-Id in dictionary to be ifid. You can now specify Framed-Interface-Id as strings in the format ‘aaaa:bbbb:cccc:dddd’, which is compatible with FreeRadius.
- Fixed an issue with TTLS and PEAP: When inner authentication is proxied, e.g. EAP-MSCHAP-V2 to MS NPS, NPS sends back State. If Radiator does not return State, proxying inner auth fails.
- Added more Nomadix VSAs to dictionary, contributed by Mike Newton.
- AuthBy EAPBALANCE and AuthBy HASHBALANCE now REJECT if an EAP stream has to be broken up, giving the client and immediate chance to restart. Changed the default protocol version for PEAP in EAPTLS_PEAPVersion from 1 to 0. This is in line with more recent documentation from Microsoft (which contradicts draft-josefsson-pppext-eap-tls-eap-0[35].txt), and it achieves bettter interoperability with Macs.
- Added more Aruba VSAs, contributed by Alan.
- EAP-FAST support now follows the recommendations for A_ID: it is now the 16 octet hash of the A_ID_INFO, which is set to the Radiator hostname. Updated instructions for building OpenSSL and Net::SSLeay for more recent versions of Net::SSLeay for use with EAP-FAST.
- Added sample script goodieshex2base32.pl /to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
- Improvements to ClientList SQL to improve error detection.
- Improvements to random number seeding: seeding is now done by a new function Radius::Util::seed_random. radiusd calls it at startup and after forking farm children. It can be overridden if necessary to provide local random number initialisation and seeding.
- Revision 4.8 (2011-04-28) New features and some bug fixes.
-
- Fixed a problem in AuthBy EAPBALANCE where no reply from a proxied request from the middle of an EAP stream would result in unlimited retransmissions of the request. Reported by Keith Ma.
- Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
- Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
- RPM packages were built by default on OpenSuSE with LZMA compression, which is not available for all platforms. This new Radiator.spec disables LZMA and uses BZ2 instead. In future all RPMS will be built with BZ2 comppression. New versions of Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm with BZ2 uploaded.
- Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and TimeStepOrigin parameters were not correctly read, resulting in errors like “Unknown keyword ‘MaxBadLogins'”. Reported by Matthew Reeves-Hairs.
- GetClientQuery was incorrectly using field 25 instead of 27 for flags. Documentation for GetClientQuery incorrectly decribed field 25 as being flags instead of ClientHook.
- Added SQLRetries parameter to all SQL type clauses. When executing a query, Radiator will try up to SQLRetries attempts to execute the query, retrying if certain types of SQL error are seen. Defaults to 2. Requested by Michael.
- Fixed some problems with Radius paths in the RPM on some platforms. Rebuilt and uploaded new RPMs.
- Improved Client CIDR address searches so a more specific cidr would have priority over a less specific cidr. Contributed by Nicholas Waples.
- Improved ClientListLDAP, added oscRadiusIdentifier & oscRadiusDefaultRealm into the default list of ClientAttrDef’s. were the only attributes missing from oscRadiusClient ldap schema provided (in goodies). Contributed by Nicholas Waples.
- In Server TACACSPLUS, the call AuthenticationStartHook now includes the priv_lvl and service values from the TACACSPLUS request passed as arguments to the hook.
- In Server TACACSPLUS, during authetication, we now add cisco-avpair attributes to the RADIUS request for action, authen_type, priv-lvl and service from the incoming TACACSPLUS request.
- Improvements to AuthBy URL. Improved HTTP and HTML standards compliance by using the LWP::UserAgent methods post() and get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication, as well as the previously supported PAP. *CHAP challenges and responses are encoded as HEX and sent as configurable web parameters. Updated the sample config file goodies/url.cfg, and improved documentation. Fixed inconsistant password in sample test_url_md5.cgi. Cleaned up some of the code to be compliant with in-house standards.
- Added support for BindAddress in all Ldap derived clauses, allowing you to specify a local address for the client side of the LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 0.0.0.0. Updated sample config file. Suggested by Roel Hoek.
- Updated AuthBy NTLM so that if an authentication fails, the Warning log message records the user name along with the Authentication-Error. Suggested by David Zych.
- Further improvements to AuthBy URL. Now suports CopyReplyItem parameter. If a successful HTTP reply contains a string like ‘xxx=hexencodedvalue’ the value will be copied to the RADIUS reply as attribute yyy=value the value is expected to be HEX encoded and will be HEX decoded before adding to the reply.
- Fixed a problem where some SQL modules were not being correctly initialised, which was revealed when the new SQLRetries was added. Reported by Steffen Weinreich.
- Further improvements to AuthBy URL. Now supports CopyRequestItem parameter. Adds a tagged item to the HTTP request. Format is CopyRequestItem xxx yyy. The text of yyy (which may be contain special characters) will be added to the HTTP request with the tag xxx. In the special case where yyy is not defined, the value of attribute named xxx will be copied from the incoming RADIUS request and added to the HTTP request as the tagged item yyy. All values are HEX encoded before adding to the HTTP request. Multiple CopyRequestItem parameters are permitted, one per line.
- Improvements to AuthBy SQLTOTP to implement replay detection. This has required an additional column in the sample SQL database schema, and changes to the default AuthSelect and UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
- Testing with the Mera MVTS Pro Voip gateway. OK. Added mera-mvts.txt. This document briefly outlines the requirements for interfacing Radiator with Mera MVTS Pro VOIP gateways, along with examples of the types of requests and replies Radiator can be expected to handle when interfacing with MVTS Pro.
- Added new command line argument -min_interval to restartWrapper, which controls the minimum time interval between successive restarts. Contributed by David Zych.
- Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP), and Google Authenticator (HOTP and TOTP). External testing with Feitian C200 OTP Tokens and others. All OK.
- Added a number of Juniper attributes to dictionary.
- Monitor and Server HTTP now support AddToRequest to add attributes to the internal RADIUS request they generate when authenticating administrator logins to their respecetive interfaces. They also dump these requests when Trace 4 is enabled.
- Server TACACSPLUS now supports a new parameter AuthorizeGroupAttr. If this parameter is specified, it specifies the name of an attribute in Access-Accept that will contain per-command authorization patterns for authorising TACACS+ commands. These are processed before any configured-in AuthorizeGroup parameters. The command authorization patterns are in the same format as supported by AuthorizeGroup. Added a new VSA to dictionary OSC-Authorize-Group, which is intended to carry per-user reply command authorization patterns.
- Improvements to Radiator linux startup script so you can have multiple scripts in /etc/init.d/ with different names, and which lookup different parameters in /etc/sysconfig. For example, you can install the script as /etc/init.d/radiator and /etc/init.d/radiator-acct, and it will look up parameters in /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further improvement is to always use -p RADIUS_PIDFILE to killproc the process, rather than the process name.
- Added Ascend-Session-Svr-Key an NS-Dummy-Attr-10 to dictionary.
- Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary, including OLT-TL1-* and added VALUE definitions for some other A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. we have adopted A-ESAM to be compatible with previously existing definitions.
- Fixed a problem where EAP-MD5 authentications did not honour UsernameMatchesWithoutRealm. Reported by “Sami Keski-Kasari”.
- Fixed a problem where EAP-MD5 authentication by AuthBy LSA mysteriously failed. Refactoring of EAP_4 check_chap() to AuthGeneric, and thence to AuthLSA Reported by “Sami Keski-Kasari”.
- Fixed a problem which could cause crashes in Socket6::inet_ntop. Reported by James Harton.
- Testing on MacOS X 10.6.5. OK.
- Added lookupauthgroup.pl Sample PostSearchHook for AuthBy LDAP2, which finds user group(s) through an LDAP lookup, then finds corresponding check and reply attributes in SQL, based on the user group(s) for that user and the device groups of the RADIUS/TACACS+ client. This allows you to have a add very fine grained authentication/authorisation in an LDAP/SQL environment, based on user and device group membership.
- Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR, to fix possible session shutdown problems with some TACACS+ clients.
- Fixed incorrect sequence numbers in some TACACS+ packets sent by goodies/tacasplustest and that affected interoperation with tac_plus. Fixed issues with TACACS+ version numbers that affected interoperation with tac_plus.
- Added new parameter SingleSession to Server TACACSPLUS which can be set to 0 to disable the default behaviour which tries to keep the same TCP session for all requests. Setting SingleSession to 0 forces a TCP disconnect after every authentication, authorisation and accounting session. Some TACACS+ clients need this in order to operate correctly.
- Improvements to AuthBy SQLTOTP so that tokens whose time drifts into the future can be authenticated. Patch supplied by Steffen Weinreich.
- Decoupled AuthGeneric userIsInGroup from getUserGroups so subclasses can implement their own group finding.
- Added new optional parameters GroupSearchFilter GroupBaseDN GroupNameCN to specify an LDAP search which will be used to get the names of groups this user is a member of. Used to check Group check items. Updated sample lookupauthgroup.pl to use the new group search function in AuthBy LDAP2
- AuthBy LSA now honours UsernameMatchesWithoutRealm correectly for users and groups. Reported by Reported by “Sami Keski-Kasari” and “Johnson, Neil M”.
- In AuthBy SQL, the optional GroupMembershipQuery now has the groupname available as the second bound variable.
- Improvements to Server TACACSPLUS so that it honours the TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a single session will only be maintained if the Server TACACSPLUS SingleSession parameter is set _and_ the client indicates a willingness to support single sessions with the TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled regardless of client options by setting the SingleSession flag to 0 (defaults to 1)
- Improvements to goodies/tacacsplustest now correctly sets the TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command line parameter is given. It now closes the connection at the end of each session unless the -single flag is set and the server indicates a willingness to support single connections with the TAC_PLUS_SINGLE_CONNECT_FLAG.
- Fixed a problem where malformed WiMAX attributes could cause a crash. Reported by Mark Sergeant.
- Further fixes to Server TACACSPLUS: If SingleSession is set, some Cisco TACACS+ clients will close an authentication session after the first reply. This is a bug in the client. As a workaround, ServerTACACSPLUS.pm now never sets the TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki Tuomi.
- Fixed a typo in linux-radiator.init that prevented traceup and tracedown working properly on RHEL5.
- Added LOG_WARNING log message if a Tacacs+ request is received by Server TACACSPLUS for which no Client could be found.
- Improvements to Server TACACSPLUS so expired authentication result in ERROR instead of FAIL. Tacacs authorisations are now bound to both the username and the peer address, so user can have different authorisations on each device.
- Added peer address to a number of warning and info messages produced by Server TACACSPLUS for easier diagnosis.
- Updated Monitor HELP command documentation to include TRACE_PREDICATE.
- Fixed problems with linux-radiator.init traceup and tracedown on RHEL5.
- Improvements to Server TACACSPLUS: Fixed a problem with the new AuthorizeGroupAttr that cased authorisation patterns to not be reset properly. Server TACACSPLUS now updates the global packet counts for each Tacacs+ request received. Database failures that IGNORE now cause a Tacacs *_STATUS_ERROR reply.
- Added goodies/cisco-vpn.txt a short description on how to configure Cisco VPN 3000 Concentrator VPN groups, and the limitations thereof.
- Fixed a case where Radiator would crash when certain local devices tried to connect to a tacacs port.
- Added example rule to goodies/tacacsplusserver.cfg showing how to use uptional tacacs roles, including multiple optional roles.
- Added new parameter UnbindAfterServerChecksPassword to AuthBy LDAP2, which works around problems with some LDAP servers. Normally, when ServerChecksPassword is set, after Radiator checks a users password the LDAP connection is not unbound. This can cause problems with some LDAP servers (notably Oracle ID and Novell eDirectory), where they unexpectedly cause the following LDAP query to fail with LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after each ServerChecksPassword bind.
- Added support for new -I command line flag to radiusd, which adds an include directory to the module search path. Patch by Heikki Vatiainen.
- In SqlDb::do(), Sql connections now detect PostgreSQL duplicate key violations, which are now not a cause for disconnect. Added similar tests to SqlDb::prepareAndExecute().
- Sample RAdmin configuration file that shows how to record Tacacs+ commands to the Radmin RADCOMMANDAUDIT table for auditing, and viewing (RAdmin 1.14 plus latest patches required)
- The ServerRADIUS clause now supports AddToRequest, which makes it easy to tag requests that arrive by RADIUS to distinguish them to those arriving by TACACS+ or Diameter.
- Server HTTP log messages are now escaped so that HTML characters in the log do not cause display errors. Patch provided by Adam Bishop.
- Fixed a problem in Auth LDAP2 that could cause a crash if ServerChecksPassword and UnbindAfterServerChecksPassword are enabled, and certain LDAP errors occur during the ServerChecksPassword bind.
- Fixed spelling mistake in VENDORATTR Timetra-Home-Directory, Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400 switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR SAM-Security-Group-Name .
- Improvements to IPV6 handling so the absence of Socket6 causes an warning message instead of an exit.
- Added a number of FreeSwitch accounting VSAs to dictionary. Added a brief discussion paper about how to integrate FreeSwitch with Radiator. FreeSWITCH is a powerful and versatile telephony platform that can scale from a softphone to a PBX and even to a carrier-class softswitch.
- Log SYSLOG and AuthLog SYSLOG now support special characters in LogIdent, LogOpt and LogHost.
- TLS Streams, such as used with Radsec did not correctly verify certificates for ‘hostname’ if the Host address was specified in Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
- Fixed an issue where truncated EAP-Message requests would cause a log message like “Could not load EAP module Radius::EAP_” ….. This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha.
- Server TACACSPLUS now honours reply attributes correctly for ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
- Testing with XAMPP on Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html) is an excellent, easy to install bundle of useful tools such as Apache, MySQL, Perl etc for Windows. It is a also good base for installing Radiator on Windows, especially if you wish to use Radiator with RAdmin or a MySQL database. Updated installation documentation to include XAMPP on Windows.
- Added support for Novell eDirectory NMAS (Novell Modular Authentication System) to AuthBy LDAP2. NMAS allows Novell eDirectory to support and authenticate passwords using the Vasco Digipass NMAS method, and other third party token and non-token systems. Vasco Response-Only (RO) tokens are only supported since NMAS does not curently support challenge-response via RADIUS. Sampple configuration file included.
- Ldap classes now support the “ipv6:” prefix for Ldap server Host names. If Host begins with “ipv6:” the subsequent host name(s) will be interpreted as IPV6 addresses where possible, and Net::LDAP will use INET6 to connect to the LDAP server.
- In AddressAllocator SQL, the default AllocateQuery was changed to check the STATE during the allocation to catch certain race conditions.
- With all Ldap clauses, removed the default BindAddress of 0.0.0.0. This was unnecessary and interferes in a non-obvious way with attempts to use ipv6: in the Host. Reported by Dyonisius Visser.
- Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
RFC4669 - RADIUS Authentication Server MIB for IPv6 RFC4671 - RADIUS Accounting Server MIB for IPv6
The RFC are included in distribution.
- Improvements to EAP handling to support multiple desired EAP types in EAP NAK response, per RFC 3748.
- Fixed incorrect error message that referred to ServerHTTP. Repored by Karl Gaissmaier.
- Added support for PacketTrace to Server TACACSPLUS, Server DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
- Fixed a problem where attributes of type ipv6prefix (such as Framed-IPv6-Prefix) would not be decoded correctly if they had fewere than 16 octets. Reported by Lee, Larry KT.
- Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even if the Called-Station-Id has the SSID of the AP appended as described in http://tools.ietf.org/html/rfc3580#section-3.20
- Added example perl script rpt.pl which logs packets which match a regexp. Contributed by Bart Dumon.
- Fixed a problem when using AuthBy RADIUS with Synchronous and Fork that if the secrets don’t match (resulting in “Bad authenticator received in reply to ID 1. Reply is ignored”), this creates forked processes that never terminate and have to be manually force-killed. Reported by David Zych.
- Fixed a number of innocuous warnings when radiusd is run with perl -w.
- Added usage documentation for author_args in tacacsplustest.
- In AuthSQL, GroupMembershipQuery is now not passed and bind variables. If you wish to use bind variables with GroupMembershipQuery, use the new GroupMembershipQueryParam.
- Fixed a problem with Server HTTP where some versions of Firefox would hang when trying to access localhost:9048. Also fixed som innocuous warnings when run with the -w flag.
- Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some cases with some versions of Sys::Syslog, the loghost was not set correctly. Reported by Klara Mall.
- radiusd now unlinks PidFile during an orderly shutdown. Suggested by Klara Mall to prevent startup scripts being confused by stale PID files.
- Improvements to AddressAllocator SQL: If CheckPoolQuery is set to an empty string, no pool checking will be done at startup. If AddAddressQuery is set to an empty string, addresses will not be automatically added to the pool.
- Testing against RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de/. Works well, and easy to install.
- Fixed a problem in TLS Stream based protocols (such as AuthBy RADSEC AuthBy DNSROAM etc, where ConnectOnDemand would not work correctly in the case where a TLS connection was being established and failed. Reported by Stefan Winter.
- Added goodies/radiusgina.txt, a Brief introduction to RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de
- Revision 4.7 (2010-08-11) New features and some bug fixes.
-
- Added support for Django style passwords in the format:
sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78bandmd5$a1976$e67d1ca20e9c28321b86e34076cc48ab
as specified by http://docs.djangoproject.com/en/dev/topics/auth/#passwords. Contributed by Jerome Fleury.
- Fixed a bug in ServerTACACSPLUS to do with closing the authgroup file. Reported by Wolfgang.Koenig.
- Added sample configuration file for Radiator, showing how to proxy requests to the WiKID (http://www.wikidsystems.com/) Strong Authentication RADIUS Server.
- Fixed a problem where AuthBy SQLRADIUS statistics were not kept correctly up to date in the case of recoverd servers. Reported by Dan Cachola.
- Factored out EAP-FAST PAC creation and retrieving from EAP_43 to AuthGeneric. AuthBy SQL can now override these functions and use SQL queries to save and retrieve PACS, or to retrieve pre-provisioned PACS from the database. If AuthBy SQL does not define CreateEAPFastPACQuery, then it falls back to the default of saving PACS in Radiator memory.
- Added sample configuration file and detailed installation instructions for the Secure Metric (www.securemetric.com) SecureOTP one-time-password system, including details on how to proxy requests to the SecureOTP RADIUS Server.
- Minor changes of some log messages from INFO to DEBUG level, to reduce noise level. Additional information in some AuthBy RADIUS and EAP messages to improve diagnostics in load balancing systems. Requested by Myles Fenton.
- Added support for -retries flag to radpwtst
- Removed redundant noReplyFromProxy from goodies. The code is in goodies/hooks.txt.
- Previously, radpwtst would use the same random authenticator for all requests. Now radpwtst now uses a different random authenticator for all requests, which can help with testing of duplicate detection.
- Added OSC-Device-Identifier, OSC-User-Identifier and OSC-Group-Identifier to dictionary.
- Added Identifier to logging in Handling request with Handler …. debug message.
- Fixed an error in the calculation of responseTime statistics.
- Improvements to detection and use of Time::HiRes. New function Radius::Util::getTimeHires returns (seconds, microseconds). Microseconds is 0 if Time::Hires is not available. responseTime is now measured with microsecond accuracy if Time::HiRes is available, improving the accuracy of statistics calculations.
- Added a number of DeTeMobil Vendor-Specific Attributes to dictionary. Contributed by Alexander Hartmaier.
- Improvements to AuthBy LDAP2 performance: if ServerChecksPassword is in use, and if the server rejects the password due to LDAP_INVALID_CREDENTIALS or LDAP_INAPPROPRIATE_AUTH, do not disconnect from the LDAP server. Previously, this would cause an unnecessary disconnect.
- Added symbolic vendor names for T-Mobile and TMO to dictionary.
- Added function changePassword to AuthBy LDAP2 to support custom code to change user passwords. Net::LDAP compatibility improvements with use of Net::LDAP::Entry->get_value(…, asref => 1) instead of get(…).
- Abstracted the generic Yubikey support code into AuthYUBIKEYGENERIC.pm AuthSQLYUBIKEY is now a subclass. Enables the development of new subclasses for supporting Yubikey in other types of database, such as LDAP.
- Changes to the RPM build spec to accommodate RPM_BUILD_DIR tro circumvent rpm building problems on some platforms.
- Added more 3GPP attributes to dictionary as per http://www.3gpp2.org/Public_html/specs/X.S0011-005-E_v1.0_091116.pdf
- Improved behaviour of AuthBy FIDELIO when LA messages are received. Previously they would always cause a database update. NBow this only happens on the first LA. Fixed a bug in fideliosim.pl. fideliosim.pl now implements LA requests every 10 seconds.
- AuthBy FIDELIO now never uses a posting sequence number of 0000, following advice from Michael Herzig. Starts at 0001 and wraps from 9999 to 0001.
- AuthBy FIDELIO now implements 2 new configuration parameters: PostingExtraFields allows you to override or extra data fields to be sent in the Opera posting record. PostingRecordID allows you to change the posting record ID from the default of ‘PS’ to, say ‘PR’. Examples in the fidelio.cfg sample configuration file.
- Fixed a potential memory leak with EAP-TLS. X509_free is used to free the certificate. Reported by Robert Hwang.
- Fixed an error with the formatting of dates in the DA field in AuthBy FIDELIO: the month and day elements were reversed. Reported by Michael Herzig.
- Added new convenience function post() to AuthFIDELIO.pm for posting accounting requests to Fidelio, and which can be used by other hooks. Improved a number of separator formatting issues in messages sent to Fidelio.
- Added sample Radiator configuration, showing how to build a WiFi hotspot with, for example MikroTik (www.mikrotik.com) hotspot and captive portal, which authenticates against Micros-Fidelio Opera hotel management system, and permits the user to purchase WiFi internet access in blocks of 24 hours which are billed to the user’s room through Opera. Example works with MySQL as a session database (schema included), but other databases can be supported.
- Added new configuration parameter LogOpt to Log SYSLOG and AuthLog SYSLOG clauses, allowing control over the syslog options used. LogOpt is a comma separated list of words from the set cons,ndelay,nofatal,nowait,perror,pid as described in the Perl Sys::Syslog module. Defaults to pid. Contributed by Bjoern A. Zeeb with some changes.
- Added reload option to goodies/linux-radiator.init. Contributed by David Worth.
- Added new parameter CheckoutGraceTime to AuthBy FIDELIO. Permits users to log in for this period of time after they have checked out. Contributed by Manuel Kasper, with some minor changes.
- Improvements to AuthBy LSA to permit machine authentication in groups.
- Added new parameter NAPTR-Pattern to Resolver. NAPTR-Pattern is an optional parameter that specifies a regexp that will be used to match the contents of NAPTR records during Resolver service discovery. If NAPTR-Pattern is defined and matches a NAPTR DNS record, it will be used to determine the protocol and transport to be used. The regex is expected to match 2 substrings. The first is the protocol and can be ‘radsec’ or ‘radius’. The second is the transport to use, and can be ‘tls’, ‘tcp’ or ‘udp’. This has been added to support proposed new NAPTR standards for Eduroam. Requested by Stefan Winter.
- Win32-Lsa for Windows 64 bit ActivePerl 5.10 is now available with
ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
- Improvements to the “No reply after ….” message in AuthBy RADIUS to include the Identifier and the delay time. Requested by Myles Fenton.
- Minor improvements to AuthBy NTML for testing.
- StreamTLS classes, such as ServerRADSEC, ServerDIAMETER, AuthByRADSEC etc. now support EAPTLS_CRLFile with operating system wildcards. Similarly, TLS based classes such as TLS, TTLS, PEAP etc now support TLS_CRLFile with operating system wildcards.
- Added new parameter TLS_SRVName to StreamTLS classes. This is intended for use by AuthBy RADSEC and AuthBy DNSROAM to specify a DNS SRV Name that will be matched against possible SubjectAltName:SRV extensions in the server certificate. If TLS_SRVName is specified and the server certificate contains SubjectAltName:SRV extensions, none of which match TLS_SRVName, the certificate will not be accepted. Format is _service._transport.name (this is the same format SRV names appear in DNS records). For example “_radsec._tcp.example.com”. Only service and name are matched. Requested by Stefan Winter for Eduroam support.
- Resolver now saves the SRV Name of any SRV record that was followed in order to get an address in the result set. AuthBy DNSROAM now uses this to set the TLS_SRVName in a target AuthBy RADSEC, which enables checking against any SubjectAltName:SRV extensions in the server certificate. Requested by Stefan Winter for Eduroam support.
- Improvements to AuthBy FIDELIO so that during an accounting posting, the DD field (Dialed Digits) which is based on the Called-Station-Id contaoins only digits. Micros-Fidelio report that contents other than digits can cause problems in Opera.
- Added surfnet VSAs to dictionary.
- Improvements to AuthBy RSAAM for interoperation with AM 7.1 SP3. At AM7.1 SP3, the authentication realm requested by the AM server SOAP interface was changed by RSA, causing earlier versions of AuthBy RSAAM to fail to connect with a 401: Unauthorized error. This change permits AuthBy RSAAM to work with pre and post SP3 as well as improving performance. SessionRealm parameter is now unused and obsolete. Reported by Rene Fleissner.
- Improvements to the Linux Radiator startup script. Added traceup and tracedown commands which signal Radiator to increase or decrease its trace level. Handy for changing trace levels without having to find the process ID first. Contributed by David Worth.
- Added version of Authen-Digipass module for Active State perl 5.12.
- Fixed a problem in AuthBy OTP where a PasswordPattern of aaaaaaaa generates OTPs which are twice as many characters as specified and every odd is an ‘a’. Reported by Alexander Hartmaier.
- Fixed default AuthGroupCheck AuthGroupReply GroupMembershipQuery queries which incorrectly referred to the usergroup table instead of the radusergroup table. Reported by Mike Wilson.
- Changed the type of Framed-IPv6-Prefix in the dicitonary from string to ipv6prefix, allowing entry of IPV6 prefixes in a sensible format.
- Changed the type of NAS-IPv6-Address in the dictionary to ipaddrv6 for correct iencoding and decoding of IPV6 addresses.
- When AuthBy HANDLER is used and RejectHasReason is specified, now sets the actual rejection reason in the reply instead of “redirected by AuthHANDLER”.
- AuthBy LSA now honours UsernameMatchesWithoutRealm.
- Fixed a problem with quoting of parameters passed to the external command by AuthBy EXTERNAL. Reported by KUCZYNSKI, CHRISTOPHE.
- Updated Coova ChilliSpot VSAs in dictionary.
- Fixed a problem where EAP type negotiation could remove the EAP-TLS VERIFY_PEER requirement, causing EAP-TLS to sometimes fail when other clients were trying to negotiate TTLS or PEAP. Reported by Keith Ma.
- Added option to get any configuration parameter from an SQL database with a new form of parameter
ParameterName sql:identifer:query
which will look for a previously defined AuthBy SQL clause with an Identifier of ‘identifier’ and run the SQL query given by ‘query’. The first row in the result will be used to set the parameter ParameterName. This lookup is only ever done once at startup time. - Added new type of special character which will be replaced with a value fetched from an SQL database. Special characters of the form
%{SQL:identifier:query}
will look for a previously defined AuthBy SQL clause with an Identifier of ‘identifier’ and run the SQL query given by ‘query’. The first row in the result will be used as the value of the special character. This type of lookup is done whenever the special character is evaluated. - Fixed a problem with AuthBy FREERADIUS. The test for limit values for Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session was reversed, causing them to fail when they should succeed and vice-versa. Reported by Stanley Thomas.
- When radpwtst was used to send arbitrary packet types such as CoA-Request, the reply was not decoded and therefore never packet dumped. Reported by Vangelis Kyriakakis.
- Improvements to the sample gigawords-hook.pl to use 64 bit integers in order to be more proof against overflows with large traffic.
- Added support for Django style passwords in the format:
- Revision 4.6 (2010-02-05) New features and some bug fixes.
-
- Improved AuthLog SYSLOG to support multiple SYSLOG clauses with different LogHost and LogSock options. No comnpatible with multiple Log SYSLOG clauses. Reported by “Martin van der Walle”.
- Improvements to example init script for Linux in linux-radiator.init, to be compliant with LSB requirements in http://wiki.debian.org/LSBInitScripts
- AuthBy LDAP2 now detects LDAP_INVALID_DN_SYNTAX errors and interprets them as a per-request error and not a connection failure. When LDAP_INVALID_DN_SYNTAX error occurs, the LDAP connection wil not be shut down. Requested by Dawn Lovell.
- Fixed a problem in Server TACACSPLUS where an AuthorizeGroup of the form
AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}
(ie with double quotes surrounding the predicate) would result in the autocmd being sent incorrectly with 2 equals signs. - AuthBy SQLYUBIKEY now supports static passwords in any format supported by Radiator, including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also supported. Suggested by Jerome Fleury.
- Minor updates to Yubikey documentation to reflect the fact that AES keys must be programmed into each Yubikey before being imported into the SQLYUBIKEY database. Changes to AuthBy SQLYUBIKEY default SQL queries to work better with databases where the tokenID and AES key are in Hex. Yubikey keys may now be present in the database in either hex (no spaces) or base64 format. But the default queries assume the Token ID and AES secret are in Hex, and that there is a one-to-one mapping between users and Yubikeys. Other options are available with custom SQL queries.
- Fixed a problem in AuthBy SQLYUBIKEY where it would sometimes incorrectly detect a replay attack in during multiple authentication of the same Yubikey session. General improvements to the AuthBy SQLYUBIKEY replay detection. Replay detection now uses the session counter and the session_use counter. The timestamp is not used. The database column that previously held the timestamp_low is used for the session_use counter. The database column that previously held the timestamp_high is not used.
- Updated install.html installation instructions for Windows.
- Improvements to AuthBy EAPBALANCE and AuthBy HASHBALANCE to work better in multi-AP roaming TTLS/PEAP session resumption environments. The default behaviour of AuthBy HASHBALANCE is to compute the HASH based on the same attributes as the EAP context. This prevents false detection of loss of continuity in EAP streams. AuthBy EAPBALANCE now sets the State in all replies in an EAP stream, not just the first, in order to work correctly with some non-compliant APs. AuthBy HASHBALANCE is deprecated in favour of AuthBy EAPBALANCE in any EAP-capable environment.
- In Server DIAMETER, fixed a problem that prevented some RADIUS reply attributes being correctly translated into Diameter reply attributes.
- Added new module AuthBy SQLMOTP for MOTP authentication, a new strong, two-factor authentication with mobile phones. See http://motp.sourceforge.net for details. Sample configuration and SQL schema supplied. Modifications to radpwtst to support new -motp_secret flag, allowing it to be used to test AuthBy SQLMOTP like:
radpwtst -noacct -motp_secret 7ac61d4736f51a2b -password 1234
The password argument is used as the MOTP PIN, and the motp_secret is used as the MOTP secret key. AuthBy SQLMOTP originally submitted by Jerome Fleury. - In diapwtst, fixed a problem that would result in an incorrect status report: “Unexpected result code: DIAMETER_SUCCESS”.
- Improvements to the internal structure of ServerDIAMETER.pm, making it easier to override handling of specific Diameter request types.
- Fixed a problem with AuthBy VOLUMEBALANCE, where if multiple failed hosts are configured with FailureBackoffTime of 0, it was possible for a request to be handed to each host in turn forever.
- Added new sample configuration file goodies/crypto-mas.cfg, showing how to proxy requests to the Cryptocard MAS (Managed Authentication Service) CRYPTO-MAS. See http://www.cryptocard.com/
- Added new parameter MaxTargetHosts to AuthBy VOLUMEBALANCE. Limits the number of different hosts a request will be proxied to in the case of no reply. Defaults to 0 which mean no limit: if the load balancer does not receive a reply from a host, it will keep trying until all hosts are exhausted.
- Improvements tp RPM spec file to permit installation with Perls that do not include /usr/lib/perl5/site_perl/, such as SLES. Reported by Frank Messie.
- Improvements to the rpm: make target so the RPM build correctly uses the local perl version number for links in the Perl lib. Contributed by Bjoern.
- Updated expired test certificates.
- Fixed a problem with incorrect type in replies to proxied Change-Filter-Request. Reported by Belmont Cheung.
- Added support for UpdateQuery in SessionDatabase SQL. Patch supplied by Jose Borges Ferreira.
- Added support for RFC 4818 compliant packing and unpacking of Delegated-IPv6-Prefix. Added new dictionary type ipv6prefix.
- The TacacsPlus group cache GroupCacheFile now uses the IP address of the client as part of the key, so that in situations where the group name depends on the client the correct group name wil be retrieved.
- Some Expiration check items in the sample users file had actually expired, causing the test suite to incorrectly fail on tests 2l, 2m, 3g and 3h.
- Fixed a problem that could cause incorrect authentication of HOTP passwords with leading zeroes.
- Added support for TOTP (Time-based one-time-passwords) as specified in draft-mraihi-totp-timebased-04.txt. Sample configuration and database schema included.
- Revision 4.5.1 (2009-11-17) Minor bug fixes
-
- Fixed a problem introduced in version 4.5 where AddressAllocatorSQL could cause errors like: “called with 4 bind variables when 3 are needed” with ReclaimQueryBindVar on certain SQL servers. Reported by Stefan Feurle.
- AuthSQLYUBIKEY.pm was omitted from the 4.5 distribution.
- Further changes to oscure plaintext passwords in DEBUG messages. Patched by Markus Moeller.
- Improvements to support multiple Log SYSLOG clauses with different LogHost and LogSock options. Reported by Arjan Broos.
- Fixed an error in the example AuthSelect in yubikey.cfg. Changed the default for AuthSelect in AuthBy SQLYUBIKEY to always check the userId too. Suggested by Jerome Fleury.
- Fixed a problem where calling SNMPAgent->activate multiple times on the agent could cause errors with resolving Manager addresses.
- Added Brocade VSAs to dictionary. Contributed by Alexander Hartmaier.
- Added support for -raw and -rawfile options to tacacsplustest.
- Fixed a problem in the unsupported AuthBy PLSQL in goodies that prevented it working correctly with the Server HTTP browser. Reported by Mike Redan.
- Fixed a problem with the display of splitstringhash parameters in the Server HTTP browser.
- Fixed a problem with saving of configurations that include a splitstringhash. Reported and patched by Mike Redan.
- Revision 4.5 (2009-10-27) New features and bug fixes
-
- Fixed a bug that could cause a crash at startup if the listening RADIUS port could not be opened due for example to an unresolvable bind address. The error message was “Not a CODE reference at Radius/ServerRADIUS.pm”. Reported by Thomas Schlottke.
- Significant performance improvements in Select::add_timeout. Now used binary search for the insertion point, rather than resorting he whole list every time.
- Added support for authenticating Yubikey tokens from Yubico (http://www.yubico.com). Yubikeys are small, inexpensive USB tokens for one-time-password authentication. Added sample configuration file and descriptive test file. Suports one and 2 factor authentication, replay detection etc.
- Fixed a problem with AuthBy LDAPRADIUS which would cause a crash during initialization.
- Improvements to ServerTACACSPLUS so it can find an appropriate Client clause even if the reverse DNS is screwy. Suggested by Ranko Zivojnovic.
- Fixed a problem with resolution of IPv6 addresses on some plaforms such as Solaris. Some debug messages were inadvertently left in Util::gethostbyname for ipv6. reported by Sami Keski-Kasari.
- Fixed a problem with heavily loaded server farms where a SIGHUP of the process leader could cause inability to bind to the listening ports after restart. Radiusd now waits for all farm children to die begfore restarting. Reported by Dan Cachola.
- Added support for HOTP (RFC 4226) one-time-passwords with AuthBy SQLHOTP HOTP one-time-passwords are authenticated based on a secret key stored in an SQL database. Detects replay attacks and brute-force attacks and counter resynchronisation. Can also support static passwords for 2 factor authentication when the user prefixes their static password before the HOTP one-time-password. Supports authentication by RADIUS PAP, EAP-OTP and EAP-GTC. Includes sample configuration file and sample database schema with test users.
- Added support for IdleTimeout to Server TACACSPLUS. If a client stays connected for more than this number of seconds without sending any requests it will be disconnected. Defaults to 180 seconds. Requested by Yevgeniy Averin.
- Added new parameter UseContentsForDuplicateDetection to Client. This must be used in a server farm environment. The back end servers in a server farm will receive requests from a range of source ports. Dupliacates received by the front ends and proxied to the back ends may appear to come from a range of source ports and with a range of RADIUS identifiers. This flag causes duplicate detection to be based on the contents of the packet, and not on the ‘envelope’. This permits duplicates to be detected regardless of the path they take to to get from the NAS to the server. It must be set in the Client clauses of the back end servers of a server farm architecture.
- Fixed a problem with the MIB name in CiscoSessionMIB. Reported by Tim Wolgemuth.
- Added support for UseContentsForDuplicateDetection to ClientList SQL. If the SQL queries returns a row 26, it will be used as the UseContentsForDuplicateDetection flag.
- Fixed a problem where some type of authentication would incorrectly succeed when NoEAP was in use. Reported by Heinrich Mislik.
- Added a new ReplyHook flag to AuthBy RADIUS so that hooks can signal the fact that a request has been redirected, and not to generate a reply from the AuthBy RADIUS. Sample configuration file in goodies/rejectproxy.cfg
- Fixed a problem with duplicate replies in test suite.
- When Trace -1 is enabled, prints the PID in the “currently handling” message. Suggested by Robert Patrick.
- Added various Trapeze VSAs to dictionary, contributed by Andrew Clark.
- Type of WiMAX-IP-Redirection-Rule in dictionary changed to string. Suggested by Garima Mahadik.
- Fixed a problem reported with TLS where, under unsual circumstances during a proxied TLS authentication, Net::SSLeay::SESSION_get_master_key could crash due to the TLS session being invalidated. Reported by Matti Saarinen.
- Added a number of Infoblox VSAs to dictionary. Provided by Andrew D. Clark.
- Fixed a problem with AuthBy PAM on Solaris: if a request without a username is received, it can case PAM to go into an infinite loop with messages like: “DEBUG: PAM is asking for 2: ‘Please enter user name'”. reported by Markus Moeller.
- Added a number of Huawei VSAs to dictionary.
- Reinstated changes to password decoding introduced in version 4 that meant that certain non-compliant password encryptions were not decrypted properly. Reported by Roland Rosenfeld.
- Fixed a problem in ClientList SQL and ClientListLDAP where if the client creation phase fails, it could cause a subsequent crash when findDuplicate() is called within Client.pm. Reported by Shirley Wou.
- Added placeholders for Symbol (388) VSAs to dictionary.
- Packets created by EAP-TTLS for proxying now add Message-Authenticator if there is an EAP-Message. This ensures that if the packet is proxied to another RADIUS server, the lack of EAP-Message wont prevent processing of the request.
- Fixed a problem in the StreamTLS certificate verificaiton where it does the subjectAltName checks incorrectly if both URI and (IP or DNS) are checked. It never checks the IP or DNS. Reported by Heikki Vatiainen.
- Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
- Fixed a problem where AuthBy DNSROAM did not correctly set ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy RADIUS. Reported by Heikki Vatiainen.
- Added new attributes from RFC5607 to dictionary.
- Added new attributes from RFC5580 to dictionary.
- Fixed a problem that prevented replies to Disconnect-Request and Change-Filter-Request from getting their Authenticator correctly computed. Reported by Jack Ho.
- For classes that use Stream connections (such as AuthBy RADIUS, ApplePasswordServer, if ConnectOnDemand is set, then, Stream always blocks until the connect either succeeds or fails. Requested by Sam Lin.
- Stream classes now support special characters in Host, HostAddress, ReconnectTimeout. Requested by Sam Lin.
- Added example Radiator configuration file and hook, showing how to support both RSA OnDemand and SecurID authentication for the same users.
- Added new parameter DisableMTUDiscovery to ServerRADIUS and AuthBy RADIUS. Disables MTU discovery on platforms that support that behaviour (currently Linux only). This can be used to prevent discarding of certain large RADIUS packet fragments on supporting operating systems.
- Added support for FramedGroup, StripFromReply, AllowInReply, AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested by Paul Dekkers.
- Monitor and SNMPAgent clauses now support the Identifier parameter.
- Fixed a problem that prevented Origin-Host being set correctly in proxied requests. Reported and patched by Arthur Konovalov.
- Added sample hook to hooks.txt which runs in each child and closes the Monitor and SNMPAgent ports and re opens them on a different port number.
- Added OSC-Session-Identifier to dictionary.
- Added support for new special character Z which is replaced by the RADIUS Identifier in the current packet (if any).
- Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses current_timestamp() instead of now() for better compatibility with more SQL servers. Static password can now be separated from the token string with a ‘:’ to ensure they can be identified, even with non-standard Yubikey token lengths. Suggestions by Jerome Fleury.
- Minor change to log message when a requested EAP type is rejected, so the name of the desired type is printed. Patch supplied by Alexander Hartmaier.
- AuthBy LDAP2 now supports multiple space separated Host names, and Net::LDAP will choose the first available one. Patch supplied by Raphael Luta.
- Fixed a problem which could result in a blank user name in PEAP or TTLS or other inner requests under some very unusual circumstances. Improved EAP context finding algorithm so inner and outer requests with the same User-Name would not collide.
- Revision 4.4 (2009-03-11) Bug fixes and new features.
-
- Fixed a problem with AuthBy WIMAX which would fail when TTLS-MSCHAPV2 was used. Improved goodies/wimaxtest to support -mschapv2 flag to cause TTLS-MSCHAPV2 authentication. Reported by “Valentin Tumarkin”.
- Fixed a memory leak in ClientListSQL and ClientListLDAP where Client clauses may not get reclaimed when the client list is refreshed. Reported by Aaron Mar.
- Fixed a probem with ServerHTTP where manual editing of a file larger than 16k would cause error ‘413 Request Entity Too Large’. Limit increase to 1Mb. Reported by Tito Macapinlac.
- Fixed a probem with AuthBy NTLM. UsernameMatchesWithoutRealm worked correctly with MSCHAPV2, but not with PAP or MSCHAPV1. Reported by Sami Keski-Kasari.
- Altered the behaviour of TLS_SubjectAltNameURI in all StreamTLS based protocols (such as RadSec, DIAMETER etc.) at the suggestion of Stefan Winter. Now TLS_SubjectAltNameURI imposes an additional mandatory constraint on the peer certificate. If TLS_SubjectAltNameURI is defined it MUST match at least one subjectAltNAme:URI in the peer certificate, in addition to any other certificate verfication requirements (such as DNS name, host name etc). Requires NetSSLeay 1.30 or later.
- Improvements to behaviour of passwords in the form {clear}password, so they will work with CHAP, MSCHAP and MSCHAPV2. Reported by Liam Widdowson.
- Fixed collisions between some VSAs in dicitonary: renamed Cisco attributes Account-Info, Service-Info, Command-Code, Control-Info to have ‘Cisco-‘ prefix. Renamed Command-Code to Enterasys-Command-Code.
- AuthBy RSAAM now honours UsernameMatchesWithoutRealm and other username transformation parameters. Reported by Sami Keski-Kasari.
- Fixed a problem where EAP-MSCHAPV2 would incorrectly authenticate users when misconfigured with AuthBy RSAAM. Reported by Sami Keski-Kasari.
- EAP Generic Token Card now honours UsernameMatchesWithoutRealm. Reported by Reported by Sami Keski-Kasari.
- Tested TTLS-MSCHAPV2 with iPhone 2.0. OK.
- Added instructions and Portfile for installing Radiator on MacOSX. Contributed by Mark Duling. Deprecated INSTALL.MacOSX RadiatorMacOSX.tar.gz.
- Added goodies/lancom-radsec.txt, instructions and hints for configuring a Lancom L-54g wireless Access Point to authenticate using an external RadSec server.
- Tested against Lancom L-54g wireless Access Point configured for external RadSec authentication for 802.1X. OK.
- Improvements to AuthBy WIMAX, in order to support Alvarion WiMAX equipment and various other operator requirements, requested by Manuel Kasper. Can now use AuthSelect and AuthColumnDef to alter the SQL authentication query and add reply attributes. You can customise other SQL queries using during WiMAX processing with GetCachedKeyQuery, GetHotlineProfileQuery, GetQosProfileQuery. Can now handle accounting using AcctSQLStatement the same as AuthBy SQL.
- Fixed a problem where use of Client CIDR addresses would not alway result in the correct Client being found. Reported by Fabio Prina.
- In AutbBy LDAP_APS, PasswordServerAddress was working for PAP, but did not work as expected for MSCHAP and Digest-MD5 authentication. Reported by Mark Duling.
- Added OSC-Version-Identifier to dictionary.
- Fixed typos in dictionary. Cisco-Maximum-Time was Cisco-Maximun-Time and Cisco-Maximum-Channels was Cisco-Maximun-Channels. Reported by Fabio Prina.
- Server TACACSPLUS now sets OSC-Version-Identifier in the RADIUS requests from the version number in the incoming Tacacs+ request. The Major and Minor numbers are combined in a single integer as per the Tacacs+ specification (i.e. version 0 is represented as 192 and version 1 is represented as 193).
- Incoming requests processed by Server RADSEC were logged twice. Reported by Paul Dekkers.
- Can now properly send Starent VSAs. Receiving was already supported.
- Fixed a problem that prevented reply attributes from a TTLS inner reply being sent in the reply to a session resumption. Reported by David Spindler.
- Fixed a problem where certain malformed RADIUS requests could cause a hard loop.
- Accounting request that are REJECTED (due, say, to UsernameCharset) are now logged at DEBUG level.
- Added Trapeze Networks attributes to dictionary. Contributed by P Havekes.
- AuthBy RADIUS would previously die if it was unable to bind to a socket (for example if a non-existent BindAddress was used). Reported by Andrew D. Clark.
- AuthBy WIMAX now supports ASCII encoding of WiMAX-Packet-Flow-Descriptor and WiMAX-QoS-Descriptor. They are parsed and converted to the WiMAX required binary format automatically.
- Improvements to Solaris scripts and config file for use by the Solaris package
- When LogMicroseconds is used, the microseconds are now left padded with zeroes for easier reading.
- Can now handle Change-Filter-Request requests in AuthINTERNAL and others. Accept will result in a Change-Filter-Request-ACKed replay and a reject will cause a Change-Filter-Request-NAKed.
- Fixed a problem with AuthBy RADSEC caused by the recently added LocalAddress support: If the Host address is an IPV6 address, an error with binding to 0.0.0.0:0 was reported. The default bind address is now determined by the operating system, except when LocalAddress is specified. Can now specify LocalAddress as an IPV6 address.
- Error messages from Server TACACSPLUS now include the originating address and port number. Requested by Andrew D. Clark.
- Added various Nortel OME6500/OM5000 VSAs to dictionary.
- Added new option -leap to radpwtst for testing EAP-LEAP.
- Fixed a number of mispellings from ‘redespatched’ to ‘redispatched’
- Fixed some incorrect behaviour of Resolver under perl5.8.8 on some platforms.
- Improvements to AuthBy RSAAM so that chains of RSAAM authenticators with different Policy settings will work correctly.
- Added support for Alcatel/Lucent ESAM VSAs (vendor ID 637) which have non-standard VSA format. Also added A-ESAM-* entries to dictionary. Contributed by John Pendleton.
- AuthBy LDAPDIGIPASS didn’t close its connection if HoldServerConnection wasn’t set. Reported and patched by Kees Guequierre.
- Added precompiled RPM for Authen-Digipass for perl 5.10 (Authen-Digipass-1.9-1.i686.rpm is for perl 5.8 only).
- In AuthBy RSAAM, added translations for some further prompts, POLICY_VIOLATION_* etc. Improved prompts during system-generated-PIN mode. Improved support for AM server failover. AM Server failure now causes an IGNORE, and AuthByPolicy ContinueWhileIgnore can be used to try multiple AM servers in sequence until a successful connection is made. Changes to chaining of RSAAM clauses mean that in order to try one RSAAM Policy, followed by another you must use the AuthByPolicy ContinueUntilAcceptOrChallenge.
- Added support for new AuthByPolicy settings of ContinueWhileChallenge and ContinueUntilChallenge.
- Added support for EAPTLS_RequireClientCert to TTLS and PEAP. Setting this optional parameter now requires the clinet to present a valid client certificate during the TLS handshake.
- Improved documentation in AuthBy ACE examples. Improved misleading user messages when AuthBy ACE is used with AM 7.1. Fixed problems with Authen-ACE4 when used with AM 7.1 and system-generated PINs, requires Authen-ACE4 1.3. New Authen-ACE4 1.3 ppm packages for Windows, including support for Perl 5.10 on Windows.
- Added precompiled Authen-Digipass ppm package for perl 5.10 on Windows.
- Improved session resumption in PEAP. Previously, resumed sessions triggered an inner authentication. Now the inner authentication is reused too. Reported by Tom Rixom.
- Added new hook EAPTLS_CommonNameHook for EAP TLS support. Normally EAP-TLS attempts to match a CN in the client certificate against either the User-Name or EAP identity (either with or without domain names). This hook allows you to extend this matching and match a certificate CN against some other user attribute, such as the Calling-Station-Id as required by some WiMAX devices.
- Added EAP TLS initialization to add the SHA256 digest, required for some WiMAX devices and certificates. Requested by Jinsong Zhu. Requires Net-SSLeay 1.35 plus latest SVN patches or later and OpenSSL 0.9.8i or later.
- Fixed a problem with special character %J, which incorrectly had leading spaces before the day number. Reported by Jose Borges Ferreira.
- Added Citrix-CAG-Groups to dictionary.
- Added beta version of a new AuthBy EAPBALANCE module. EAPBALANCE distributes EAP conversations among multiple back ends and ensures that a given conversation always goes to the same backend, even in the face of backend failures. Suitable for use with FarmSize for high performance EAP-capable systems on multi-core hosts.
- Fixed some errors in the types of WiMAX attributes in dictionary. WiMAX-HTTP-Redirection-Rule changed from binary to string. Added WiMAX-Time-Of-Day-Time. Added NAS-Filter-Rule. Requested by Garima Mahadik.
- Timestamp was incorrectly added twice if a request was redirected through Handler, say by AuthHANDLER or similar.
- Changes so that the plaintext password is not logged at debug level during Tacacs authentication. Requested by Markus Moeller.
- Fixed some problems with mixed placeholders causing crashes on Windows when ODBC in use and when Quote: fails to match properly. Improved error reporting in SqlDb when a prepare croaks. Improvements to nested special character matching to exclude trival matched caused by embedded curlies. Reported by Edgard B. Haddad.
- In AuthBy POP3, paramters Host, Port and LocalAddr did not have packet-specific data available for special characters. Reported by Aaron Holtz.
- Fixed a problem with incorrect statistics for dropped requests when inner TTLS and PEAP requests are proxied. Reported by Dan Cachola.
- Improved handling of Security Questions prompts in AuthBy RSAAM.
- Fixed AuthBy IMAP so it will work with Mail-IMAP versions later than 2.99, using the new Mail::IMAP RawSocket call. Reported and patched by Wolfram Grienert.
- Fixed a problem with Server HTTP where a configuration that contained an AuthLog clause would incorrectly be saved as an AuthBy clause. Reported by Steven R Sterner.
- AuthBy WIMAX incorrectly set Session-Timeout to the absolute epoch time, rather than the relative KeyLifetime. Reported by Valentin Tumarkin.
- Fixed a problem in AuthBy WIMAX with DHCP keys that could cause a crash. Also fixed a problem with session resumption when Pseudo Ids are in use. goodies/wimaxtest now suports session resumption with a [-reauth count] command line argument.
- Fixed a problem with reused session authentication in EAP-TTLS.
- Added sample configuration files for Radiator, Cisco Nexus 7000 and sample debug file, showing how to set up RBAC – Role-Based Access Control on the Cisco Nexus 7000. Contributed by Matthew Nichols.
- Fixed a problem when AuthBy RADIUS tries to forward to a non-existent DNS name, a crash could occur. Reported by Patrick Renkens.
- Ensure TLS does not resume sessions unless EAPTLS_SessionResumption is set.
- Added support for new parameter in AuthBy WIMAX. MSKInMPPEKeys forces the MSK to be encoded in MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as the usual WiMAX-MSK reply attributes. This is required by some non-compliant clients, such as some Alcatel-Lucent devices.
- Improved behaviour of AuthBy WIMAX when creating and setting WiMAX-AAA-Session-ID to be compatible with more WiMAX clients. WiMAX-AAA-Session-ID is now only allocated and returned in the Access-Accept. Also made more SQL queries configurable. Parameter Reported by Kasra Kangavari.
- Changed primary key in device_session in sample wimax.sql to match earlier changes to session saving based on session ID instead of NAI.
- Revision 4.3.1 (2008-07-29) Bug fixes
-
- Added new parameter PasswordServerAddress to AuthBy LDAP_APS, which forces Radiator to use the specified address as the address of the Apple Password server, instead of deducing it from the user’s password details. Addresses may be one of the forms: 203.63.154.59, dns/yoke.open.com.au, ipv4/203.63.154.59 or ipv6/2001:720:1500:1::a100. This can be useful with replicated password servers. Suggested by Matt Richard.
- Reverted changes to PreClientHook introduced in 4.3. PreClientHook is now called before despatch to any Client clause. It will always be called even if there is no matching Client, but the attributes will not have been decrypted (as decrypting is done in the context of a particular Client). The new parameter ClientHook has been added to the Client clause, and is called immediately after the attributes have been decrypted by the Client. Requested by Heikki Vatiainen.
- Fixed problems with trailing NULs not being stripped from User-Name. Reported by Dawn Lovell.
- Fixed a problem with double logging of reply packeets from AuthBy RADSEC. Reported by Paul Dekkers.
- Revision 4.3 (2008-07-17) New modules and bug fixes
-
- Added new AuthBy RSAAM module that supports RSA Authentication Manager 7.1 and later. Supports PAP, GTC, OTP, PEAP-GTC, TTLS-PAP etc. Supports all AM authentication methods, including traditional SecurID tokens, static passwords, OnDemand passwords delivered by SMS or email, security questions etc. Runs on all platforms supported by Radiator. Requires SOAP::Lite and prerequisites for SSL, including Crypt::SSLeay or IO::Socket::SSL+Net::SSLeay. Sample configuration files included.
- Added support for LocalAddress and LocalPort to AuthBy RADSEC. Suggested by Jan Tomasek.
- AuthBy RADSEC now does case-insensitive matches between the RadSec server certificate DNS name and the target server Host name. Previously, matches were case-sensitive. Suggested by Jan Tomasek.
- Fixed a number of problems with handling integer64 type, especially when salt encoded
- Added support for Quote format to format_special, allowing SQL database specific quoting to be used in any configurable parameter in any SQL based module. The new format %{Quote:somestring} will be replaced by the string quoted in the correct format for the SQL database in use. For example when used with a mysql database, %{Quote:somestring} would be replaced by ‘somestring’.
- Added new AuthBy HANDLER module. This clause allows requests to be redirected to a Handler based on the Handler’s Identifier. Sample configuration file authhandler.cfg included.
- Fixed a problem where Radiator would crash if PidFile specified a non-existant directory.
- Added a number of HP VSAs to the dictionary. Also BATM-privilege-group Guests was incorrectly given as 5 instead of 15. Adjusted typed of WiMAX-Hotline-Indicator and WiMAX-Hotline-Profile-ID to string a per NWG docs.
- Fixed a problem with Monitor and ServerDIAMETER clauses which could cause a crash if the Clients parameter is specified and a request is received from an address not named in that Clients parameter.
- Added new Configurable function format_ctime that returns the local time formatted to include microseconds if the object or SererConfig has LogMicroseconds set. Used by Log FILE, Monitor, ServerConfig, ServerHTTP.
- Added and corrected a number of Redback VSAs from data provided by Redback.
- Fixed problems with dictionary tag-based encrypting of named integer attributes such as RB-LI-Action and others. Required some restructuring of unpackRadiusAttrs/decode_attrs and removal of encode_attrs. Reported by Ian Forster.
- Fixed a problem with encrypting long strings: the resulting encryption was wrapped with added newlines. Reported by Dan Cachola.
- Fixed a problem where DefineGlobalVar and DefineFormattedGlobalVar configuration parameters were not saved correctly by the Server HTTP web console.
- Improvements to ability of Ldap connections with HoldServerConnection to detect disconnection by the server or a firewall. Patch contributed by Bjoern A. Zeeb.
- Added new parameter PageNotFoundHook to Server HTTP. If a page is requested but not found in the set of built-in pages PageNotFoundHook is called to try to handle the request. PageNotFoundHook is passed the requested URI and a reference to the ServerHTTP connection. If it can handle the request, it returns an array of ($httpcode, $content, @headers). Requested by Marijke Vandecappelle.
- Moved the location of PreClientHook call to the very beginning of the Client handle_request, so that decoded and decrypted attributes are available to PreClientHooks. Now, PreClientHook will _not_ be called if there is no matching Client clause. Also, within PreClientHook, the $->{Client} member will now be set to the Client clause handling the request, which may be helpful in some PreClientHooks.
- Improved compatibility with some EAP-TTLS clients that previously would have required EAPTTLS_NoAckRequired. Reported by Ian Forster.
- TLS/TTLS/PEAP/RadSec and other SSL users will now use any built-in OpenSSL crypto engines provided the installed Net::SSLeay supports ENGINE_load_builtin_engines and Net::SSLeay::ENGINE_register_all_complete (ie 1.33_01 and later). ‘pkcs11’ will be set as the default engine provided it exists.
- Compatibility with new OSC-IMC TNC collector in latest version of libtnc. Format of OS_DETAIL message and other changed.
- Improved behaviour of TTLS in the unlikely case that openssl resumes the wrong session. Suggested by Belmont Cheung.
- Improvements to AuthBy SAFEWORD. The new parameter GroupReply maps SafeWord ActionData group names into sets of reply items. Added examples to sample config file. Suggested by Johan Frid.
- Fixed a problem where a Monitor port that was not correctly closed would not destroy the Monitor, permitting messages to continue to be buffered and causing memory exhaustion. Reported by Thomas Schlottke.
- Backed out changes to RADIUS socket opening introduced in 4.2: RADIUS socket was opened with SO_REUSEADDR, to prevent socket reopening issues on FreeBSD, but this results in always being able to bind to an existing socket on some platforms. Reported by Steve Rogers.
- Added support for Client CIDR address specifications. Can now have <Client 203.63.154.0/24>. Also mermits CIDR specifications and MAC: addresses in the IdenticalClients parameter.
- Added a number of Nortel and Juniper VSAs to dictionary. Contributed by Ronald van der Pol.
- Fixed a problem where runt EAP-Messages could cause a confusing but useless Access-Accept. Reported by Tom Rixom.
- Added OSC-Provider-Identifier and OSC-Environment-Identifier to dictionary.
- AuthBy RADMIN now supports AuthSelectParam for improved performance and alsop supports bind variables for UserAttrQuery and ServiceAttrQuery. Altered sample config to show how to use it.
- Changed the name of Expiration attribute (21) to Ascend-PW-Expiration to prevent collisions with the Expiration check item. Also changed the type to string to be compatible with other RADIUS servers.
- Fixed a problem with incorrect results for %u and %w and %W if a global RewriteUsername was used.
- Revision 4.2 (2008-03-10) Minor bug fixes
-
- Added support to EAP-TLS for examining the SubjectAltNames in the client certificate and matching against Windows UPN, which is a GEN_OTHERNAME. Suggested by Markus Moeller.
- Fixed a dictionary syntax error with a Huawei attribute and replaced it with the correct Huawei-Qos-Profile-Name. Reported by Andreas Schwarz.
- Fixed a problem where HUP on FreeBSD would not result in the RADIUS ports being closed properly, resulting in ‘Could not bind authentication socket: Address already in use’. Reported by Paul Dekkers.
- Fixed a problem in Monitor, where a quit command would cause a crash. Also improved handling of too many bad authentications. Reported by Ernst Oudhof.
- Fixed a problem where Server DIAMETER could refuse a reconnection from a previously connected peer. Reported and patched by Jose Borges Ferreira. Thanks Jose.
- Fixed a problem where Server HTTP could crash during authentication with some configurations.
- Revision 4.1 (2008-02-22) Bug fixes
-
- Fixed a problem where anonymous logins to ServerHTTP would not get a Privilege Level. Reported by Dominic J. Eidson.
- Fixed a significant memory leak that affected certain installations with multiple clients.
- Fixed a problem where the Configuration Edit link was not displayed on the ServerHTTP GUI in the Locked version.
- Improved configuration file saving for the case where AuthBy objects are referred to by Identifier. Reported by Dominic J. Eidson.
- OSC now provides precompiled Net::SSLeay+OpenSSL+EAP-FAST-patches bundles for Linux and Windows. Updated documentation in goodies/eap_fast.txt describing how to install these precompiled bundles.
- Added new function Radius::AuthWIMAX::get_cached_keys to fetch $sessionid, $mip_rk, $mip_spi, $fa_rk from the database given the outer nai. Requested by Ian Forster.
- SimpleClient now correctly generates a random authenticator instead of a fixed one.
- Reinstated support for EAPErrorReject which was accidentally lost from some modules.
- Fixed a problem where EAPTLS_CAPath would not be set correctly if EAPTLS_CAFile was not defined. Reported by Jan Tomasek.
- Fixed documentation of EAPTLS_CertificateVerifyHook. The list of arguments passed was incorrect, and out by an index of one. Reported by Jan Tomasek.
- Added new special character %K, which is replaced with the realm name after the last @ in the user name. Requested by Michael Kwan.
- Added to dictionary 2 new values for Error-Cause defined in RFC 5176.
- Fixed a problem with fideliosim.pl not working correctly with serial ports.
- AuthBy PAM now supports AuthenticateAttribute. Contributed by Markus Moeller.
- A number of improvements to Diameter support, contributed by Jose Borges Ferreira: In Handler clauses you can catch Diameter attributes: <Handler DiaRequest:Auth-Application-Id=NASREQ> or <Handler DiaRequest:Disconnect-Cause=CREDIT_CONTROL>. Added extra methods to allow vendorByName (returns vendor data from a given vendor name) grouped_attr (allows easy manipulations of grouped attributes). Added avp type vendor, witch is a Unsigned32 variant (like enumerated) that tries to translate vendorname to vendornum and vice-versa. Grouped attributes within grouped attributes are logged with alignments. New attribute SupportedVendorIds for Server DIAMETER. This optional parameter allows you to define the Supported Vendor Ids announced in CER. Defaults to BASE(0). Thanks Jose Borges Ferreira.
- EAP-FAST was not correctly REJECTING with an EAP failure after a RESULT FAILURE message was received from the clinet, causing retransmissions of the original RESULT FAILURE message. Reported by Jim Veneskey.
- Added support for AuthLog in Server HTTP. Suggested by Markus Moeller.
- AuthBy TEST did not correctly support the Identifier parameter. Reported by Ian Forster.
- Changes to Server HTTP so that manually edited configuration files are saved with the correct line endings appropriate for the local machine. Reported by Jin Tao.
- When running as a service under Windows, did not correctly restart when a ‘restart server’ command was given by either Monitor or ServerHTTP. Reported by Jin Tao.
- Improvements to ServerHTTP, adding some attributes to the Radius packet used to authenticate Server HTTP access, including NAS-IP-Address and Calling-Station-Id. Contributed by Markus Moeller.
- Added support for EAPTLS_CertificateChainFile wherever EAPTLS_CertificateFile is supported, and added support for TLS_CertificateChainFile wherever TLS_CertificateFile is supported. The ChainFile parameter specifies the name of a file containing a certificate chain for the Radius server certificate. Suggested by Jan Tomasek.
- Added more detail to WARNING log when AuthBy HASHBALANCE declines to break up an EAP stream.
- AuthBy RADSEC would not always reply with the correct type of packet. Reported by Paul Dekkers.
- Fixed problems when Server RADSEC or Server DIAMETER were in use and a SIGHUP was received. Reported by Paul Dekkers.
- Revision 4.0 (2008-01-14) Significant new features and some bug fixes
-
- Added support for Radiator monitoring and configuration via a web browser, using the new ServerHTTP module. Sample configuration file in goodies/serverhttp.cfg shows how to enable support in any configuration file.
- Added AuthBy WIMAX module to handle WiMAX authentication and key generation. Uses an SQL database to hold subscription/authentcation information and to cache keys and save accounting. Supports: Authentication of users and devices from SQL database (most EAP types supported). Generation and caching (in SQL) of MIP-RK, MIP-SPI and FA-RK for each device session. Generation of mobility keys for both NAS and HA requests. Generation, caching (in memory) and refreshing of HA-RK, HA-SPI for each HA. Generation, caching (in memory) and supplying DHCP-RK and Key-Id for NAS and DHCP requests. Hotlining profiles. This is an early release Alpha version of WiMAX support which has not yet received extensive testing. Feedback and bug reports are welcomed.
- Improved performance and behaviour of RADIUS duplicate and retransmission detection in line with RFC 5080. Duplicates and retransmissions within the DupInterval timeout are now detected using the sender’s source port in line with RFC 2865. Detected retransmissions that have been replied to will have their earlier reply retransmitted, preventing problems with decoding of duplcicate TLS/TTLS/PEAP fragments. A retransmission that has not (yet) been replied to will be dropped as before.
- radpwtst now generates random Authenticators.
- Minimum supported version of Perl is now 5.6.0
- Sample certificates updated to expire Jan 13 03:42:47 2010 GMT
- Added support for EAP-FAST. Requires patches for OpenSSL and Net-SSLeay, which are included. Includes detailed instructions for patching OpenSSL and Net-SSLeay and configuring for EAP-FAST.
- Added support for standard WiMAX VSAs to dictionary, and support for WiMAX VSA continuation flags in packing and unpacking, plus automatic salted encryption and decryption of WiMAX attributes that require it (keys etc). As per WiMAX_End-to-End_Network_Systems_Architecture_Stage_2-3_Release_1.1.0, NWG_R1.1.0-Stage-3.pdf.
- Added support for additional standard dictionary type integer64 required by draft-ietf-radext-design-02.txt. Previous integer8 attributes in dictionary changed to integer64. Integer8 now means one octet. INteger1 is still treated as integer8 for backwards compatibility.
- Added WiMAXTLV module for packing and unpacking WiMAX TLV sub-attributes, including symbolic definitions of some WiMAX TLVs.
- Added support for new dictionary attribute types integer8, integer16, signed-integer and ipaddrv4v6, required by WiMAX.
- Added WiMAX module for computing various WiMAX keys and other WiMAX routines.
- All EAP types now export the MSK by setting {msk} in the appropriate reply packet. They also optionally export the EMSK in {emsk} if ExportEMSK is set.
- Added a number of 3GPP attributes to dictionary
- When using LEAP with EAP_LEAP_MSCHAP_Convert, some clients would not complete the handshake due to an Access-Accept being sent instead of Access-Challenge.
- Improvements to AuthBy HASHBALANCE so that EAP sequences from any given user will not be split between hosts during a failover.
- Fixed a problem with undefined getEAPContext when used with some configurations of AuthBy HASHBALANCE. Reported by Alison Lee.
- Added a number of Motorola-WiMAX attributes to dictionary. Contributed by Thomas Hartley.
- Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure history, backoff time etc are cached within Radiator memory, so that SQLRADIUS can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
- Improvements to AuthBy GROUP so that it better handles chains of authenticators with EAP type requests, such as LEAP, EAP-MSCHAPV2 etc. Reported by Jani Kariniemi.
- Reinstated behaviour that was removed in Radiator version 3.15: empty attributes, including empty strings are now permitted to be packed into Radius packets.
- Fixed problem with acknowledgements and Fidelio Opera interface when using TCP. reported by Andrea Coppini.
- Added new parameter AgentName to AuthBy SAFEWORD. This field is used when authorizing a request to SafeWord, and allows us to do things like enforce ACLs, Roles, which authenticator in the user record to use when they have multiple, whether to send a MobilePass password, etc. It is very useful! Contributed by David LePage.
- Added 2 new attributes oscRadiusDefaultRealm and oscRadiusIdentifier to the sample LDAP schema in radiator-ldap.schema. Contributed by Jame Schell.
- Added new special character %X, which is replaced by the EAP identity, with any trailing @realm stripped off. Patch provided by Heikki Vatiainen.
- When radpwtst is used with -accton or -acctoff it now always an Accounting Session ID. Suggested by Dan Cachola.
- All modules now generate 32 octet MPPE keys for WPA compatibility. Reported by Dominic J. Eidson.
- RadSec and Diameter client and server modules now support TLS_SubjectAltNameURI parameter for certificate validation. TLS_SubjectAltNameURI is a regexp which can match against any Subject Alt Name of type URI. If a match is found the certificate will validate. Suggested by Stefan WINTER. Examples added to configs.
- ServerRADSEC now honours Status-Server requests directly in the same way as Client. Requested by Stefan WINTER.
- Fixed a problem with resolving ipv6: names with DNS on RadSec and Diameter connections. Reported by Patrick Renkens.
- A debugging print statement was inadvertently left in AuthBy LDAPDIGIPASS.
- Fixed a problem that prevented LocalAddress and OutPort being set for all hosts in AuthBy SQLRADIUS. Reported by Yves Martel.
- Prevent crashes after signal -HUP with multiple AuthBy KRB5. Reported by Barry Ard.
- Improvements to sample goodies/radiator.sh startup script, allowing /etc/rc.conf to control the radiator_config file. Provided by Erik Klavon.
- Added sample hook eap_acct_username.pl, which copies the inner username to the Access-Accept User-Name field so a NAS (Access Point) can provide accounting information with correct (inner) User-Name. Contributed by Rok Papez.
- Module and sample configuration file that allows RADIUS clients to get user presence information from an SQL accounting database. Special Access-Request formatted with Service-Type=Call-Check-User are replied with Access-Accept containing OSC-User-Presence-Indicator, OSC-User-Presence-Location OSC-User-Presence-Timestamp indicating whether and whered the user is last logged in. Can be used by RADIUS enabled VOIP routing modules etc. Supports mapping of NAS IDs into readable location names etc.
- Fixed possible socket exhaustion in Server TACACSPLUS under certain unusual circumstances.
- New RPM packages of Authen-Digipass 1.9 module for both 32 and 64 bit Linux platforms. The 32 bit package contains Vacman Controller 3.5 and the 64 bit package contains Vacman Controller 3.7.
- Updated Windows Authen-Digipass PPM packages to 1.9. Contains Vacman Controller 3.5 libraries.
- AuthBy SQL and AuthBy SQLRADIUS now support the AuthSelectParam parameter, which allows SQL bind variables to be used. The first 32 SQL queries that use AuthSelectParam are subject to SQL query caching, which can significantly improve the performance of the SQL server. Patches by Dan Cachola.
- Fixed a case where the server could crash after receiving malformed requests such as those sent by nmap. Reported by Sven Henderson.
- Added support for Expiration dates in format ‘mmm dd yy(yy)’, such as ’24 Jul 2007′, for compatibility with some SQL database date formats.
- Added support for Expiration dates in format ‘mmm dd yy(yy)’, such as ’24 Jul 2007′, for compatibility with some SQL database date formats.
- Added support for new special character %J which produces the request timestamp in the format ‘yyyy-mm-dd hh:mm:ss’
- Added support for new check items Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session, along with new AuthBy SQL parameters AcctTotalQuery and AcctTotalSinceQuery. The combination provides a way to check that users have not exceeded hourly, daily, weekly or total usage requirements. These check items are compatible with FreeRadius check items of the same name. They are also conpatible with the Session-timeout=until ValidTo, which will compute a session timeout based on the most restrictive Max-*-Session time left.
- New AuthBy FREERADIUSSQL is compatible with standard FreeRadius SQL databases, and can be used with the daloRADIUS user manager. Enables easy migration from FreeRadius to Radiator, or allows Radiator to be used with a range of FreeRadius user management packages. Includes sample configuration file.
- Improved modularity of encryption functions. Fixed a problem with encryption of Ascend-Send-Secret and Ascend-Receive-Secret, in the case where the secret was more than 16 octets. Most encryption functions decomposed to decode_salted and encode_salted.
- Added support for encryption of Motorola-WiMAX-MIP-KEY attribute.
- Testing with Strawberry Perl 5.8.8 alpha 2 http://win32.perl.org/wiki/index.php?title=Strawberry_Perl on Windows XP. OK (Testing requires Win32::Process to be installed using cpan using ‘force install Win32::Process’).
- Altered the algorithm Server TACACSPLUS uses to find the encrpyion key for a given Tacacsplus client. The order of preference is now: Per-Client TACACSPLUSKey, ServerTACACSPLUS Key, Per-Client Secret. This means that you can use ClientListSQL to provide per-client Tacacs+ keys. Updated documentation to describe the Key search algorithm.
- Added support for the FreeRadius style dictionary flags has_tag, encrypt=1, encrypt=2 and encrypt=3. Requested by Dan Cachola.
- Added support for a number of FreeRadius style dictionary keywords: BEGIN-VENDOR, END-VENDOR, $INCLUDE, as well as Radiator style include commands. Some improvements to dictionary parsing and error reporting.
- Added new parameter SessionDatabaseUseRewrittenName to Handler and Realm. Causes the rewritten username (instead of the original user name) to be used for session database purposes.
- Performance improvements and rationalisation in RADIUS packet assembly and disassembly.
- Testing with Perl CamelPack on Windows XP. OK.
- Added Motorola Canopy attributes to dictionary.
- Improved compatibility with some EAP-GTC clients that require CHALLENGE= prompts, and deliver RESPONSE=a\0b responses.
- Special characters now permit nested contructions of the form %{x:%{y:z}}
- Added -options flag to radpwtst, which makes it read additional command line flags and arguments from the named file.
- In AuthBy RADIUS, the Host name can now contain nested special characters. Patch provided by “Valentin Tumarkin”.
- Disable OpenSSL 0.9.9 SessionTicket support when negotiating RadSec TLS connections, otherwise get TLS ‘unexpected message’ errors.
- Added support for new dictionary type ‘integer1’ which translates integers encoded as a single octet.
- Added support for new dictionary type ‘integer2’ which translates integers encoded as a 16 bit unsigned (2 octets).
- Added a number of BATM, NS and Alcatel attributes to dictionary. Contributed by Ernst Oudhof.
- ServerTACACSPLUS now puts Acct-Session-Id in Radius packets derived from accounting requests.
- New TacacsClient module provides basic Tacacs+ client services.
- goodies/tacacsplustest was rewritten in terms of the new TacacsClient module.
- ‘make clean’ now removes all files created by ‘make test’.
- EAP-TLS now hounours machine certificates, ie where the User-Name and/or identity is in the form host/machinename, but the CN in the certificate has just CN=machinename.
- Radius port listeners refactored into new ServerRADIUS module.
- Removed SSLeayTrace from all sample configs. Does nothing now.
- Significant refactoring of code from ServerHTTP, ServerRADSEC, ServerDIAMETER and Monitor to new module StreamServer.
- ConfigKeywords can now include documentation for the benefit of ServerHTTP
- Removed dead Synchronous code from AuthRADSEC. Suggested by Bjoern A. Zeeb.
- AuthBy RADIUS and RADSEC now drop replies with bad signatures in line with documentation and RFCs. AuthBy RADIUS still allows this behaviour to be overridden with the IgnoreReplySignature flag.
- Added new dictionary type signed-integer, a 32 bit signed integer
- Added support for new Cisco optional attributes in ServerTACACSPLUS, contributed by Kristian Larsson, for example: AuthorizeGroup xr-friendly permit service=shell cmd\* {task*#root-system,#cisco-support priv-lvl=15}
- AuthBy DIGIPASS, when validating Challenge-Response (CR) tokens now caches the last challenge internally instead of relying on the RADIUS client and the State atribute. New configuration parameter ChallengeTimeout allows configuration of the maximum time period the challenge is valid for.
- EAP-TTLS incorrectly copied attributes from the inner ACCPET to the outer ACCEPT change_attr, which prevented multiple instances of the same attribute being copied.
- In ClientListSQL, the PREHANDLERHOOK value returned by GetClientQuery can now contain either the text of the hook, or a a hook filename in the form `file:/path/to/hook’. Patch supplied by “Jose Borges Ferreira”.
- Minor changes to SIP authentication in line with forthcoming RFC 5090.
- Reference manual is no longer shipped as HTML, only as PDF and PostScript.
- Revision 3.17.1 (2007-04-12) Some new features and bug fixes
-
- Added new load balancing module AuthBy HASHBALANCE, which will use information in the incoming request to choose the preferred host, with the intention that all requests in a single EAP conversation will all go to the same target server, enabling EAP and other stateful RADIUS transactions to be loadbalanced without interfering with streams of related requests. If the preferred host is not available try the following ones until all are exhausted. Sample configuration file in goodies/hashbalance.cfg.
- ldap-aps.cfg was left out of the 3.17 distribution. Reported by Ken Kawakubo. Other Apple Password Server modules were also omitted.
- Added EAP_38.pm for TNC support to the distribution.
- Added RB-DHCP-Vendor-Class-Id to dictionary.
- Fixed a bug in TLS support when used with TTLS-PAP-EAP-TNC. Reported by Chris Hessing.
- TranslatePasswordHook now works for EAP-MSCHAPV2, EAP-PAX, EAP-PSK, LEAP and MD5-Challenge. Reported by Rogier Krieger.
- Added a number of new Redback and DSLForum VSAs to dictionary.
- Improvements to AuthBy KRB5 to allow it to acquire credentials for a service principal. Includes 3 new configuration parameters: KrbKeyTab, KrbService, KrbServer. Patch contributed by Erik Klavon.
- Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure history, backoff time etc are cached within Radiator memory, so that SQLRADIUS can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
- Revision 3.17 (2007-03-26) Some major new features and bug fixes
-
- Added new module AuthBy LDAP_APS which finds user details in a Mac OS-X Directory Server LDAP database, and then authenticates the user password against a Mac OS-X Apple Password Server. Works on Mac OS-X 10.4 or later. Sample configuration file in goodies/ldap-aps.cfg. Supports PAP, MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.
- Added support for EAP-PSK as per RFC 4764, an EAP method based on a per-user Pre Shared Key, and which supports strong cryptography and dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file included.
- Added support for EAP-PAX as per draft-clancy-eap-pax-11, an EAP method based on a per-user Authentication Key, and which supports strong cryptography and dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file
- Added a new flag EnableFastPINChange to AuthBy ACE, allowing compatibilty with some NASs (notably Juniper) that have non-standard behaviour in New Pin Mode: when the user is asked whether they want to set their PIN, the NAS automatically gets the new PIN and returns it to the RADIUS server, which is expected to use it to set the PIN immediately. This flag enables compatibility with this behaviour if the user/device enters a PIN instead of ‘y’ or ‘n
- Fixed potential memory leak in PEAP and TTLS after handshake failure.
- Improvements to parseDate so that invalid date formats would not cause a crash.
- Added support for new special character in the format %{OuterRequest:attrname} which is replaced with the named attribute from the outer request of a tunnelled request. Useful with PEAP and TTLS tunnelled requests.
- Fixed a memory leak that mostly affected failed authentications in TTLS and PEAP. Reported by David Spindler.
- Added a number of new Mikrotik VSAs to dictionary.
- Testing with Cisco Secure Services Client 4.0.5.4889 on XP. OK for TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5, PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, GTC, TLS, EAP-MSCHAPV2, MD5
- Added support for special characters in EAPTLS_PrivateKeyPassword and TLS_PrivateKeyPassword. Requested by Redback.
- Fixed a problem with interoperation between ServerDIAMETER and some Diameter clients. Reported by Arthur Konovalov. Also fixed a typo in doc about how to test ServerDIAMETER.
- Fixed some minor interoperation issues to do with SIP authentication and RFC 4590.
- Altered dictionary.sip to make it compliant with RFC 4590.
- Fixed a problem with the Host-IP-Address in the the CEA by Server DIAMETER. Reported by Arthur Konovalov.
- ServerDIAMETER now converts the contents of Grouped attributes from the incoming Diameter request into the new Radius request.
- Fixed a problem with the Mandatory flag in the Diameter Firmware-Revision attribute. Removed restriction of only being able to handle NASREQ application requests. Reported by Arthur Konovalov.
- Fixed a problem with conversion of SessionId when using NasType of CiscoSessionMIB. Reported by Joe (Mobile).
- Fixed a problem with incorrect responses to Tacacs accounting requests. Reported by Mohamed.Raddahi.
- Fixed a problem where a check-item Auth-Type which points to a AuthBy RADIUS inside a GROUP did not work as expected. Reported by Toomas Karner.
- Added support for Starent VSA’s, which have a non-standard format. Patch supplied by Frank Danielson.
- Fixed some problems with memory leakage especially in PEAP after a successful authentication. Reported by Reported by David Spindler.
- In AuthBY RADIUS, the Host clause now supports per-host LocalAddress and OutPort parameters. Patched by Bjoern A. Zeeb.
- Added documentation and sample configuration file for ServerDIAMETER.
- Removed references to obsolete handle_sigchld, which is not necessary any more. Reported by Dan Cachola.
- Added support for ConnectionAttemptFailedHook and NoConnectionsHook for custom code to handle various types of SQL connection failure. Patched by Dan Cachola.
- Fixed a problem with conversion of negative integers by valNameToNum in Radius dictionaries. Reported and patched by Arthur Konovalov.
- Minor improvement to performance of Radius::Util::random_string.
- Added more Huawei VSAs to dictionary. Contributed by Jose Borges Ferreira.
- Improved handling of multiple reply items, possibly containing spaces in AuthorizeGroup, PasswordPrompt is now used everywhere to control password prompts in ServerTACACSPLUS.
- Added more WCG VSAs to dictionary.
- Fixed a problem where proxied TTLS inner EAP-MSCHAPV2 replies were not properly processed, resulting in no reply to the originator. Reported by Ian Forster.
- Fixed a problem where Until::inet_ntop could crash when used with RodopiAAA and TTLS or PEAP.
- Cleaned up some attributes in dictionary including Tunnel-Type etc.
- Added support for Cisco cisco-li-configuration attribute, which can be used to enable Lawful Intercepts for selected sessions. Added goodies/cisco_li.txt explaining how to use it.
- Added various Redback VSAs to dictionary to support Radback Lawful Intercept. Also arranged to support the automatic salt encryption of attributes that require it. Contributed by Jan De Backer.
- Added some Telkom SA VSAs to dictionary.
- AuthBy DIGIPASS now honours UsernameMatchesWithoutRealm. Requested by SCHELL .
- Structural changes in AuthGeneric.pm and changes to the args passed to AuthGeneric::check_mschapv2() in order to support Apple Password Server.
- Added MS-RAS-Client-Name and MS-RAS-Client-Version to dictionary.
- Fixed a problem with proxying of Radius requests received by Server DIAMETER, where the authenticator was not correctly set. Reported by Blake Ulmer.
- Fixed a problem where diapwtst did not correctly handle extra attributes like ‘radpwtst Accounting-Session-Id=12345’. Reported by Blake Ulmer.
- Testing on Ubuntu 6.10. OK.
- Fixed a typo in CLientListLDAP that prevented StripFromRequest working properly. Reported and patched by Luta.
- Revision 3.16 (2006-11-09) Some major new features and a few bug fixes.
-
- Added early release of Diameter support. ServerDIAMETER implements a stateless Diameter to Radius translation agent. Incoming Diameter requests are converted to Radius requests which can be served internally by Radiator or proxied to another Radius server. Includes simple Diameter client for testing (diapwtst) and sample configuration file. Supports RFCs 3588, 4005, 4072. Supports TLS encryption, TCP or SCTP transport. Interoperates with OpenDiameter.
- AuthBy DIGIPASS now supports Vasco Virtual Digipass. This allows Vasco token support even of the user does not have a physical token (or has lost it). AuthBy DIGIPASS generates the correct tokencode and passes it to a hook, where it can be delivered to the user by SMS etc. Example config file digipass.cfg shows how to enable it. New versions of Authen-Digipass that support AAL2GenPassword for Virtual Digipass support.
- Added new module for sending SMS messages using the Internode NodeText Gateway, a commercial SMS gateway available from Internode in Australia. Also added fully working example configuration file showing how to do One-Time-Passwords delivered by SMS. The NodeText Gateway is a high reliability, high performance SMS Gateway for Australian SMS numbers. Works with GSM, CDMA. Works with Telstra, Optus and Vodafone networks. Billing of SMS delivery charges can be to the sender, or the receiver. The Internode NodeText Gateway can also apply a range of special features, such as name to SMS number translation etc. Multiple recipients, message splitting etc are supported. They also offer an email-to-SMS gateway. This fully working example allows your users to be administered with Radmin, using One-Time-Passwords delivered to the user by SMS. Internode SMS gateway access for Australian SMS numbers is available from http://www.internode.on.net and http://www.internode.on.net/products/sms.htm
- Added tutorial and config files for installing ChilliSpot, Radiator and RAdmin to provide a complete, locally administered captive portal wireless hotspot solution, including prepaid time for users, user statistics, monitoring etc. See http://www.chillispot.org
- Ensured SNMP and Status-Server statistics are correctly updated by requests received via RADSEC and TACACSPLUS.
- Testing on Syllable 0.6. OK, except Any_DBM tie is not implemented on Syllable so that AuthBy DBFILE does not work, resulting in failed tests 1a, 3a, 3d, 3g, 3h.
- Minor cleanups to remove various warnings when -w is used
- Special character %z was using a deprecated MD5 hashing routine. Now uses Digest::MD5::md5_hex.
- Fixed a problem that prevented reply attributes from EAP_PEAP_MSCHAP_Convert converted requests being replied to the client. Reported by Alex Sharaz.
- Fixed a problem in ClientListLDAP where attributes that expect a stringarray (such as IdenticalClients, FramedGroupBaseAddress, RewriteUsername, DynamicReply) could cause a crash if there were multiple values for that attribute in the LDAP database. Reported by Lohier, Matthew.
- Fixed a problem withe AcctLogFileName where a file name with a leading ‘|’ for a pipe would incorrectly cause bogus directories to be created. Reported by Anne Bennett.
- Fixed a problem with AuthBy DIGIPASS clauses that are not contained within a Realm or Handler causing a crash. Reported by Paul Dekkers.
- Added a number of Unisphere VSAs to dictionary. Contributed by Gareth Coco.
- Testing on Windows Vista Beta build 5384. OK, using ActiveState ActivePerl 5.8.8.
- Fixed an error in the definitions of 3GPP2-IP-Technology in dictionary. Reported by Frank Danielson.
- AuthBy LSA and AuthBy NT on Windows now suport Local as well as Global groups when using the Group parameter.
- Fixed a problem with anonymous bind not working correctly, resulting in LDAP_INAPPROPRIATE_AUTH. Reported by R.H.Hoek.
- Fixed a problem with TTLS and PEAP where a proxied reply to the inner request of a session that has been lost or closed would cause a crash. Reported by Shahid Khan.
- Fixed a problem with goodies/CalledStationId.pm that would cause ERR: Bad attribute=value pair.
- Improvements to goodies/CalledStationId.pm to support regexps in stations.
- Added a number of Aruba VSAs to dictionary. Contributed by steven.quek.
- In AuthBy RADMIN, changed the default MaxMEsageLength to 200 to comply with the standard Radmin database size.
- Fixed a problem with client certificate verification in EAP TLS that could cause an error ‘EAP TLS No peer certificate’.
- Fixed a problem with EAP-TLS authentication when EAPTLS_NoCheckId was set. reported by Dawn Lovell.
- Added various VSA to support ChilliSpot, an open source captive portal for wireless with Radius support. http://www.chillispot.org/
- Testing with ChilliSpot http://www.chillispot.org/ OK. ChilliSpot is a wireless hotspot portal that authenticates users before letting them get access to the internet. ChilliSpot can work with both UAM (where the ChilliSpot hotspotlogin.cgi script solicits a passwords and ChilliSpot sends Radius/CHAP to Radiator), and with EAP (where ChilliSpot forwards Radius/EAP requests to Radiator). Tested with UAM, EAP, TTLS, PEAP. Caution: ChilliSpot 1.1.0 has a bug where Radius replies that contain a Service-Type reply attribute will cause the chilli process to crash. A patch has been submitted to chillispot.
- Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work around a problem with Vista Beta 2 clients, where the extra empty fragment (sent as a security measure by OpenSSL) confuses the Vista PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for reasons behind the empty fragments. Reported by David Spindler.
- Improvements to EAP LEAP handling to be compatible with some types of LEAP-ignorant APs. Reported by Russ Jones.
- Revision 3.15 (2006-06-01)
-
- AuthBy RADSEC now supports multiple Hosts, using the same Host clause syntax as AuthBy RADIUS. Hosts will be tried in the order given. FailureBackoffTime can be used to mark unresponsive hosts dead for a period of time and skip them. Example Host clause syntax is shown in goodies/radsec-client.cfg.
- Example config file goodies/eap_leap_proxy.cfg was inadvertently left out of the distribution.
- Fixed a problem where the parent process could crash if AuthBy KRB5 was used and the server run in the background. Reported by Carol Ward.
- Added calling_station_hook_requests.pl, a sample PostAuthHook for PEAP requests that: 1) Insert the Calling-Station-ID into the inner request 2) Insert the Called-Station-ID into the inner request 3) Insert the “outer” EAP identity into the inner request as “Outer-EAP-Id” Contributed by Terry Simons.
- Testing on openSUSE 10. OK.
- Fixed a bug in mergedetails that prevented it running under perl 5.005 and earlier. Reported by Greg Schiedler.
- Alternative version of RequestHoook added to goodies/hooks.txt. The hook saves the time of the last Access-Request for each user and conditionally returns an Access-Accept if the time is less than a preset limit.
- A typo prevented EAPTLS_CertificateVerifyHook parameter being recognised. Reported by Rodrigo Seguel.
- Improved logging of LDAP connected host details to include the actual hostname and port after special character translations. Also Port now supports special characters. Requested by Michael Hall.
- Improved Authen-Digipass RPM to work with perl 5.8.7.
- Refactored AuthDIGIPASS.pm to move common code to AuthDIGIPASSGeneric.pm. New module AuthSQLDIGIPASS.pm replaces AuthDIGIPASS.pm and AuthBy DIGIPASS is now depreccated in favour of AuthBy SQLDIGIPASS.
- New version of Authen-Digipass module for Linux, Solaris and Windows where digipass.pl now works with LDAP databases, plus some minor bug fixes.
- New module AuthBy LDAPDIGIPASS authenticates Vasco Digipass tokens from token data in an LDAP database. Example configuration file goodies/digipass_ldap.cfg, and sample LDAP dataabse schema and sample data in goodies/radiator-ldap.*. Use digipass.pl command line program (part of the Authen-Digipass supplied with Radiator) to import, assign, inspect, reset tokens in the LDAP database).
- All calls to format_special in AuthBy IMAP now include the current packet so that %R can be used in Host parameter etc. Requested by Petr Zimak.
- AuthBy SQL did not honour AuthenticateAccounting.
- Minor fixes, PostSearchHook missing from AuthLDAP2 config options. Reported by Petr Zimak.
- Added a number of Cisco VOIP VSAs to dictionary.
- Added a number of VSAs and fixed some errors in dictionary.sip to be in line with draft-schulzrinne-sipping-radius-accounting-00.txt
- Radpwtst now permits octal escapes in the value in attr=value arguments.
- Testing with SIP PRoxy Router (SER) from www.iptel.org. Added example configuration file to goodies/sip.cfg showing how to configure Radiator for SIP authentication with SER, and with some helpful information and corrections about configuring SER to work with RADIUS.
- Zero-length string attributes are now never sent in Radius packets, but are ignored, as per RFC 2138. Zero-length Reply-Message strings have been seen in improperly written hooks. Suggested by Ulrich.
- Sample startup scripts linux-radiator.init and solaris-radiator.init now force -daemon to prevent running in the foreground when started by init script.
- Fixed a problem in ClientListSQL and ClientListLDAP that could cause a crash during an automatic update if there were no hardwired Clinet clauses. Reported by Alexander List.
- Log SYSLOG and AuthLog SYSLOG now support special characters in LogIdent. Requested by Alexander List.
- Fixed a case where Reply-Message could be incorrectly reset in CachedAttrs, which prevented ServerTACACSPLUS from returning the Reply-Message during a rejection.
- Added new hooks AuthenticationStartHook and AuthenticationContinueHook to Server TACACSPLUS which can be used for special processing of TACACS+ authentication requests.
- Minor improvements to test suite. Now reports total erro count and exits with non-zero status if there are errors.
- Renew test certificates. Previous certificates expired March 16 2006, which would prevent TLS, TTLS, PEAP and RadSec tests working. Minor improvements to mkcertificate to add /usr/share/ssl/misc to the path (for standard OpenSUSE).
- Improvements to timeout handling for SQL and others for perl 5.8 and later, requested by Gustavo Moreira.
- Improvements to the way nested calls to format_special were handled. Previously, the value for $cpacket could get clobbered by an error log message during formatting of a special character. Reported by Robert Fisher.
- Added ChallengeMessage parameter to AuthBy DIGIPASS*, which allows the Digipass challenge message to be customised or internationalised.
- Fixed a problem with SessionDatabase SQL where a countQuery that returned a username as the fifth field did not alter the user name as expected. Reported by Vangelis Kyriakakis.
- In ServerTACACSPLUS, added a workaround for a bug in some old Cisco routers where a failed authentication would result in a an unclosed TCP session. Requested by Patrick, Robert.
- Added a workaround for a bug in some EAP TTLS supplicants, (notably PBG4 on MAC OSX) do not conform to the TTLS protocol specification, and do not understand the ACK sent by the server at the end of TLS negotiation and session resumption, resulting in session resumption not completing. The new EAPTTLS_NoAckRequired flag enables a workaround for such supplicants. Many other supplicants are happy with this too.
- Fixed a problem with session keys when LEAP was used with EAP_LEAP_MSCHAP_Convert. Reported by Michael Ting.
- Added new AuthBy SAFEWORD, which authenticates directly to a SafeWord Premier Access server. Includes a sample configuration file. Supports PAP, CHAP, TTLS-PAP, EAP-OTP and EAP-GTC. Supports password changing. Supports fixed (static) passwords and SafeWord Silver and Gold tokens.
- Fixed a problem that could cause a crash if getpeername fails during a Tacacs connection. Observed on some Solaris platforms. Reported by Ashton, James P.
- Added new parameter UsernameMatchesWithoutRealm to AuthBy NTLM, contributed by Robin Breathe.
- Added support for HandleAcctStatusTypes to AuthBy DNSROAM, GROUP, MULTICAST RADIUS, RADSEC and SQL. Contributed by “Nicholas A Waples”.
- Revision 3.14 (2006-01-16) Significant new features, including DNSROAM and some fixes.
-
- Added new module DNSROAM, that provides RadSec and RADIUS proxying to hosts discovered through DNS. Provides secure, reliable, scalable, low maintenace RADIUS meshes and federations. Uses similar technology to Diameter (RFC 3588) for host discovery, which allows target server details to be provided through DNS lookups. Supports RadSec and RADIUS proxying. Includes new Resolver module for asynchronous DNS lookups. Requires Net::DNS Perl module (and the IO::Socket::INET6 module if you wish to consult a DNS server via IPV6)
- Added new module AuthBy NTLM that allows Radiator running on a Linux or Unix system to authenticate to a Windows domain controller, with the assistance of ntlm_auth and winbindd utilities from the Samba suite (www.samba.org). Sample Radiator and winbindd configurations are included. Supports PAP, MSCHAP, MSCHAPV2, EAP-MSCHAPV2, and works with PEAP, and TTLS.
- EAP-TTLS-MSCHAPV2 did not correctly copy reply attributes from the inner accept to the outer accept.
- New example hook in goodies/hooks.txt to parse multiple Digest-Attributes into individual attributes
- Testing with Funk Odyssey 4.01 client, including EAP-SIM, EAP-GTC, EAP-LEAP and TTLS-EAP-MSCHAPV2. OK.
- Added cacti_data_query_snmp_get_radius_information.xml radius_server.xml to goodies. These are configuration files to enable monitoring of Radiator by Cacti (http://www.cacti.net/), which is similar to MRTG, except it is web driven and based upon a templating system. Contributed by Chris Hills.
- Fixed a problem with radpwtst -gui where entering a new port number in the gui had no effect. Reported by Chris Hills. Also fixed a problem where that could produce an error message: Can’t locate object method “BINMODE” via package “Tk::Event::IO” on some platforms.
- Fixed a problem with radpwtst -gui where entering a new port number in the gui had no effect. Reported by Chris Hills. Also fixed a problem where that could produce an error message: Can’t locate object method “BINMODE” via package “Tk::Event::IO” on some platforms.
- Fixed a problem in radpwtst -gui where a Class attribute received ffrom one user authentication would be incorrectly reused for subsequent users.
- Added new parameter for all AuthBys: EAP_LEAP_MSCHAP_Convert forces all EAP-LEAP requests to be converted to conventional Radius MSCHAP requests that are redespatched, perhaps to be proxied to another non-LEAP capable Radius server or for local authentication. Example config file goodies/eap_leap_proxy.cfg show how to use it.
- Fixed a problem that prevented CRL checking working with some versions of Net_SSLeay. Requires Net_SSLeay version 1.25 from CPAN and this patch. Reported by Ilana Kaplan.
- Improved the error message printed when TLS certificate verification fails to include a text string that describes the problem.
- Testing with Sybase ASE 12.5, improvements to goodies/sybaseCreate.sql to prevent warnings about NULL columns.
- Added new parameter EAP_LEAP_MSCHAP_Convert that converts incoming LEAP requests to conventional Radius-MSCHAP requests that can then be handled locally or proxied to a remote Radius server that cannot handle LEAP, but which can handle Radius-MSCHAP. Also added example config file goodies/eap_leap_proxy.cfg. Requested by Michael Ting.
- Improved configurability for ‘make rpm’ in Makefile.PL.
- Added support for SASL authentication to LDAP servers. New parameter UseSASL tells AuthBy LDAP2, AuthBy LDAPRADIUS and ClientListLDAP to authenticate the connection to the LDAP server with SASL. See the example config file goodies/ldap-sasl.cfg for details on how to configure it.
- Fixed a problem that prevented DefaultRealm working in Server TACACSPLUS. Reported by Marc Blum.
- Improvements to the sample linux-radiator.init and RPM Linux init script so it takes notice of configurable variables in /etc/sysconfig/radiator better. Suggested by Paul Dekkers.
- Added new configuration method AuthBy SASLAUTHD, which authenticates by connecting to a saslauthd server running on the same host. saslauthd is a Unix authentication server program, part of the Cyrus SASL suite. It can be configured to authenticate from a variety of sources, including PAM, Kerberos, DCE, shadow password files, IMAP, LDAP, SIA or a special SASL user password file. Example configuration file is in goodies/saslauthd.cfg
- Testing with Gentoo 2005.0. OK.
- Fixed a problem where AuthBy PLSQL clause did not display its AuthBy type in Radar. Reported by Jovan Sarai.
- Fixed a problem with AuthACE.pm AuthDIGIPASS.pm AuthKRB5.pm AuthLSA.pm AuthOPIE.pm AuthOTP.pm AuthRSAMOBILE.pm AuthSASLAUTHD.pm that could prevent correct operation with TTLS-EAP-MSCHAPV2 and Odyssey client.
- Testing on Linspire 5.0. OK.
- Testing on Ubuntu 5.04. OK.
- Changes to the default behaviour of AuthLog SYSLOG and Log SYSLOG so that the socket type is only set if LogSock is explicitly defined. Fixes a problem with the socket type search path on Solaris failing if syslogd does not open a unix domain socket.
- Improvements to EAP-TLS authentication, so that a User-Name with a domain prefix will match the certificate without a domain name. Reported by “Dror Ben-Shlomo”.
- Fixed a problem where EAP-GTC would not work correctly with some AuthBys that did direct password checking (such as AuthBy LDAP2 with ServerChecksPassword enabled). Reported by Michal Marciniszyn.
- Added a number of Airespace VSAs to dictionary, contributed by Steve Caporossi.
- Change-Filter-Request now includes a correct authenticator. Reported by Ardolino Antonio.
- PEAP outer handler did not set OriginalUserName for the inner packets.
- Added sample hook to goodies/hooks.txt that shows how to discover the socket that received a request on a multihomed host. Contributed by Miko.
- AuthBy DIGIPASS now supports PAP, CHAP, MSCHAPV2, EAP-MSCHAPV2, EAP-OTP and EAP-GTC requests. Required some changes to the API for check_mschapv2. Requires Authen-Digipass 1.5 or later (Linux and Solaris packages included in this distribution. Windows PPM packages availble for download)
- Fixed a problem where ForkClosesFDs would incorrectly close sockets created by Monitor, Server TACACSPLUS or Server RADSEC if the server forks or becomes a daemon.
- In AuthLog SQL SuccessQuery and FailureQuery, new special character %4 is replaced by the SQL quoted original user name from the incoming request (before any RewriteUsername rules were applied).
- Added support for SALT encryption of Unisphere-Med-Dev-Handle. Required extensive refactoring of attribute encryption and decryption. Attributes requiring encryption and decryption with shared secrets are now done by Radius::encode_attrs and Radius::decode_attrs. Encoding is now done by Client or ServerRADSEC just prior to replying. Function encode_tunnel_password renamed to encode_salt.
- Performance and security improvements in Util::format_special
- Fixed a problem that prevented one instance of Radiator acting as both RADSEC server and client or as multiple RADSEC clients at the same time. Requires patch for Net_SSLeay on Windows.
- Fixed some compatibility problems between mkcertificate.sh and the OpenSSL CA utilites in 0.9.7g and later.
- New flag NullPasswordMatchesAny enables wildcard mathcing of NULL password columns. Defaults to enabled for AuthBy SQL and disabled for AuthBy RADMIN, to be consistent with current default behaviour.
- EAP TLS now supports a new hook. EAPTLS_CertificateVerifyHook runs after the request username or identity has been matched with the certificate CN. It is passed the certificate, and various other details, and returns a different user name which will be used to do the user database lookup.
- Testing with EMIC m/cluster, a MySQL clustering solution from www.emicnetworks.com. M/cluster provides high availability, scalability and manageability services for MySQL. OK.
- Testing on Fedora Core 4.
- Added a number of IPWireless attributes to dictionary. Contributed by m.tavakolifard.
- Testing on Debian 3.1r0a. OK.
- Added support for LogMicroseconds to Monitor.
- Added to goodies a new AuthBy RADIUSBYATTR that forwards to a RADIUS server based whose attributes (host, secret etc) are specified in the request. Useful for various specialised testing scenarios. radiusbyattr.txt is a description of how to configure and use it. Contributed by Miko.
- SNMPAgent now suports special characters in BindAddress and Port parameters. Contributed by Jose Borges Ferreira.
- Added Daemon configuration file au.com.open.radiator.plist for OSX 10.4 (Tiger) to goodies. Contributed by Matt Richard.
- EAP-TLS now matches certificate CNs even if they are in Unicode.
- TTLS and PEAP now always dump the reply to the tunnelled request at DEBUG level.
- ServerChecksPassword now honours Timeout in AuthBy LDAP2. Patch provided by Campbell Simpson.
- In AddressAllocator DHCP, fixed a problem with the “secs” field in the DHCP header when there are timeouts and retransmissions. Reported by Ian Amess.
- ClientListLDAP did not compile any PreHandlerHook entries from LDAP, preventing the hook running. Reported by Peter Crystal.
- Radpwtst did not use the -acct_port argument properly. Reported and patched by Ruud Besseling.
- Server TACACSPLUS can now use different per-Client Keys by looking for a TACACSPLUSKey in a Client clause that matches the Tacacs client address. If no matching Client with a TACACSPLUSKey is found, falls back to the global Key defined in the Server TACASCSPLUS clause. Initial idea and patches contributed by James FitzGibbon.
- Radpwtst with the -code flag sent to the -acct_port instead of the -auth_port. Reported by Phillip Lou.
- Added new special character %x, which is replaced by the EAP Identity for PEAP and TTLS inner requests.
- Fixed a problem with the SNMP MIB where some values were returned as integer instead of counter32. Reported by Rani Assaf.
- Permit plaintext passwords in the format ‘{clear}password’, in order to be compatible with some LDAP servers. Suggested by Andreas Meyer.
- Testing with Novell NetWare 6.5 with eDirectory 8.7 and iManager 2.5. Improved Makefile.PL to implement the ‘install’ command under NetWare (where perl Makefile.PL does not work). ‘perl Makefile.PL install’ now installs all Radiator files, config files and startup script on NetWare. Extended documentation about how to enable Universal Passwords in eDirectory. Added chapter on NetWare installation to the Reference Manual.
- Testing with DBD::SQLite2. Added example table creation script goodies/sqliteCreate.sql and added hints to documentation.
- Added a number of new Redback VSAs to dictionary, contributed by Toomas Karner.
- Improvements so that ServerTACACSPLUS can now be configured for the Username: and Password: prompts when authen-type of ASCII is used. Added new flag -ascii to tacacsplustest to enable use of authent-type ASCII instead of default PAP. Refactored some constants and code from ServerTACACSPLUS to use equivalents in Tacacsplus.pm
- Fixed some errors in definitions of Airespace-QoS-Level in dictionary. Contributed by Theodore J. Knab.
- Added goodies/radiator.sh, a Radiator startup script for FreeBSD and rc-ng. Contributed by Paul Dekkers.
- Improvements to AuthBy ROUNDROBIN. Now it attempts to deliver only a limited amount of times. It will remember which server it tried to send to at first and then on retry it will walk the whole RR list and try each available server in a row. If it reaches the first server again, it will abort the request. Patch provided by Rok Papez.
- Improvements to allow use of Client-Identifer check items to detect if a request was received by a Server RADSEC clause. Matches against the Identifer of the Server RADSEC clause that received the request. Change to Server RADSEC TLS_ExpectedPeerName now defaults to the DNS name of the RADSEC client (if resolvable) else the client’s IP address. Server RADSEC did not check the Radius authenticator on incoming requests. Suggestions by Paul Dekkers.
- Fixed problems where multiple TLS RadSec clients were initialised within the same server. Certificate passwords were incorrect and some TLS sessions would not initialise properly. Better support for different certificates in each TLS RadSec client. Reported by Paul Dekkers.
- Fixed some interactions between different uses of Net_SSLeay, where the verify callback got clobbered by IO::Socket::SSL, which caused crashes when LDAP+(SSL or TLS) was used with RadSec or EAP-TLS. Reported by Jan Tomasek and Ross Wakelin.
- The LDAP Deref parameter did not work as expected, since it was passed to LDAP new rather than search. Reported by Matthew Lohier.
- AuthBy GROUP now prints the Identifier in the ‘Handling with ….’ DEBUG message. Requested by Jethro R Binks.
- Improvements to peer certificate verification for RadSec connections. Client side verifies the configured server Host name against the server certificate CNs or subjectAltNames (DNS or IPADD types). Server side verifies the client IP address against the client certificate CNs or subjectAltNames (IPADD types only). Exact match and wildcard matches are honoured. If those fail then TLS_ExpectedPeerName pattern is matched against the entire Subject name. If all those fail, the certificate is not verified and the RadSec connection will be terminated. Updated RadSec example configuration files. This is all in line with RFC 2595. Suggested by Jan Tomasek. Caution, use of subjectAltNames requires patches for Net_SSLeay from this patch.
- Testing on FreeBSD 6.0 RELEASE. OK.
- Fixed problems with session database code crashing if there were no Client clauses defined and Client.pm not loaded, as in purely RadSec or TACACS+ servers. Reported by Sajeewa Warnakulasuriya.
- Fixed a problem with Status-Server and SNMP statistics where proxied requests were incorrectly counted in the dropped statistics too. Reported by Miko.
- Fixed a compatibility problem with AuthBy KRB5 and krb5-1.4.*, where krb5_init_ets is not present and not required. Reported by Joon Yun.
- Added APC-Service-Type and APC-Outlets to dictionary. Contributed by “Cassidy B. Larson”.
- Added support for FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime similar to AuthBy RADIUS. This permits RADSEC host failure detection and also automatic reforwarding to alternate RADSEC hosts by using NoReplyHook.
- Server TACACSPLUS now prints the reply to its Radius request when at trace level 4.
- Added ability to match Client clauses based on client MAC address. Requested by Steve Shippa.
- Revision 3.13 (2005-06-02) New features and bug fixes
-
- Added several more USR-Bogus-* entries for unknown USR attributes. Suggested by Robert Blayzor.
- Fixed a problem with startup file on Suse, causing error message
Starting Radiator: /usr/bin/radiusd/sbin/start-stop-daemon: (null): Bad address.
Reported by Frank Messie. - Testing on various Debian distros, aGNUla/DeMuDi. OK.
- Testing on Xandros 2.0. OK.
- Testing on Xandros 3.0.1. OK.
- Testing on Fedora Core 3. OK.
- Fixed a problem with format_special that prevented %nn numeric replacements working correctly for %10, %11 etc. This affected AuthBy RODOPI accounting, causing multiple identical date fields to be included in SQL queries.
- Testing on Solaris 10. OK.
- Testing on Sun Java Desktop Release 2. OK.
- Testing on Knoppix 3.7. OK.
- Testing on Flash Linux 0.3.1. OK.
- Testing on SuSE 9.2. OK.
- Testing on FreeSBIE 1.1. OK.
- Testing on MEPIS 3.3. OK.
- Testing on CentOS 3.4. OK.
- Monitor now supports more advanced methods for filtering packets to be printed by TRACE. New command TRACE_PREDICATE takes a comma separated list of name op value tests. Operators ==, !=, <, <=, >, >= and =~ (regexp) are supported, eg: TRACE_PREDICATE User-Name =~ “mi”,NAS-Port == 1234 Also TRACE_NOPACKET causes messages without an associated packet (ie general server level mesages) to be traced (defaults to 1).
- Fixed a typo in Giganews-gbpm definition that could cause a crash: Can’t use string (“”) as a subroutine ref while “strict refs” in use at Radius/Radius.pm line 630.
- Performance improvements and refactoring in RDict.pm
- Added support for online checking of Colubris Wi-fi NASes. Tested with Colubris CN3200. Contributed by Vangelis Kyriakakis.
- Fixed a problem that could cause an error opening the DHCP socket after a restart on some platforms. Reported by Bill Ouchark and Andrew D. Clark.
- When doing a RefreshPeriod, ClientListSQL and ClientListLDAP now only replaces Clients that were previously loaded by that clause. Clients defined in the configuration file will not be clobbered.
- New class Predicate to support new command TRACE_PREDICATE in Monitor. TRACE_PREDICATE allows Monitor to select log messages based on multiple attributes in incoming requests, such as:
TRACE_PREDICATE User-Name=~"^mik",NAS-Port="1234"
Support tests include ==, !=, <, <=, >, >= and =~ (regexp). Also added support for new command TRACE_NOPACKET, which can be used to disable tracing of log messages that are not relevant to a particular incoming request.TRACE_NOPACKET 0
- The recent change to the type of User-Password in dictionary, combined with broken behaviour of Xsupplicant 1.0 when passwords are 8 chars long resulted in failed authentications with TTLS-PAP. TTLS inner User-Password is now NUL stripped.
- You can now ‘include’ multiple files from the configuration file by using file csh style wildcards, and filename expansions such as *, ?, […], {….}, ~, etc. Files whose first character is a ‘.’ are ignored unless explicitly matched.
- In Log SYSLOG and AuthLog SYSLOG, a new parameter LogHost allows you to specify the host name of the syslog host when using LogSock of ‘tcp’ or ‘udp’. Defaults to the local host.
- On BSD/OS encrypted passwords with length 20 are also considered to be crypt(3) encrypted, using DES extended format. Patch provided by Baron Fujimoto.
- Added sample LDAP schema and example data file for use with OPenLDAP and AuthBy LDAPRADIUS to goodies/radiator-ldap.ldif and goodies/radiator-ldap.schema
- Fixed a problem with Linux startup file ‘/etc/init.d/radiator status’ hanging with an infinite loop.
- Added new argument for the current request to pass to TranslatePasswordHook. Requested by Pavel A Crasotin.
- Added goodies/solaris-radiator.init, a startup script for Solaris 8, 9 and 10. Install as /etc/init.d/radiator and check the other instructions at the top of the file.
- Added ‘make rpm’ target to the Makefile to make it easy to build Linux RPMs.
- Fixed a problem with the type of the State attribute which prevented interoperation with Windows Server 2003 with SP1. Reported by Yoann Foucher and Denis Pavani.
- Added new parameters MaxFailedRequests and MaxFailedGraceTime, allowing configuration on how AuthBy RADIUS will determine proxy host failure. Requested by Arjan Waardenburg. Briefly: For any remote Host to which a request is sent, if no reply is heard for a specific request after the Retries retransmissions, that request is deemed to have failed for that Host. AuthBy RADIUS keeps track of how many requests failed for each host since the last time a reply was heard from that Host. If more than MaxFailedRequests are deemed to have failed within MaxFailedGraceTime seconds of the last reply heard from that Host, the Host is deemed to have failed until a further FailureBackoffTime seconds have elapsed.
- Following assignment of an official IANA port number for RadSec protocol, the default port number for RadSec has been changed to 2083.
- Testing with Linksys wrt54g wireless router with WPA/Radius. OK. The wrt54g does not send accounting requests.
- Revision 3.12 (2005-03-17) Major new features. Some bug fixes.
-
- Added AuthBy RADSEC, which implements Radius transport over a reliable TCP/IP or SCTP connection, with optional TLS encryption and optional TLS mutual authentication by PKI certificate. The example config files implement a simple proxy from radsec-client.cfg to radsec-server.cfg on localhost.
- Added support for Novell eDirectory Universal Passwords. Added sample configuration files and install/configure/test instructions for eDirectory on Unix. This support allows Radiator to access each user’s Universal Password for authenticating PAP, CHAP, MSCHAP, MSCHAPV2, EAP-TLS, EAP_TTLS-*, PEAP, EAP_MSCHAP, EAP-MD5, LEAP etc.
- There was a problem with the Solaris Authen-Digipass package included in 3.11 that caused “ERROR: attempt to process datastream failed”. New package included.
- A debugging print statement that had been inadvertently left in Log SQL was removed.
- Fixed a problem introduced in 3.10 that could cause a crash like ‘Undefined subroutine ldap_error_name’ in AuthBy LDAP2 after an LDAP error.
- Fixed a problem with radpwtst -gui, where changing the name of the destination server in the GUI would not actually change the destination. Reported by Ken Bell.
- radpwtst -gui incorrectly showed Alteon-Service-Type as well as Service-Type options in the Service-Type menu.
- Added new global parameter MaxChildren which limits the number of Fork children permitted at any one time. Contributed by Ivan Brawley.
- Added documentation on how to configure Apache 2 for Radius authentication with the mod_auth_radius module. Works with any Radiator authentication module including ACE and DIGIPASS.
- Added support for Challenge-Response (CR) tokens to AuthBy DIGIPASS.
- Added documentation on how to configure PAM and pam_radius for use with Radiator to provide Unix login authentication using SecurID, Digipass or any other Radiator supported method.
- Improved behaviour of RPM distributions, when doing rpm -F install over an old version. The symlink in /usr/lib/perl5/site_perl/Radius could end up incorrect.
- New version of AuthBy IMAP now supports SSL connections to IMAP server. Contributed by Karl Gaissmaier. Example configuration file imap.cfg extended to show how to configure SSL connections, and TTLS-PAP support too.
- Testing AuthBy ACE and Authen-ACE4 with ACE Server 5.2. OK. No changes required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine.
- Testing AuthBy ACE and Authen-ACE4 with RSA Security Authentication Manager 6.0 (formerly ACE/Server 6.0). OK. No changes required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine. Tested standard, Pinpad and AES tokens.
- Improvements to the performance of changeUserName, suggested by Nennker, Axel.
- Added a number of IPWireless Vendor Specific Attributes to dictionary. Contributed by Mernoz Rostangi.
- Added new test client for TACACS+. See goodies/tacacsplustest -h for help.
- Server TACACSPLUS now allows you to set the group cache file name with the GroupCacheFile, which also permits special characters. Also ServerTACSCPLUS now uses the accounting type in incoming requests to set the Acct-Status-Type in Radius Acounting-Requests. Timestamp is now _not_ added to Radius requests, since the following Handler will always do it anyway. Added support for authentication using methods that can challenge, such as DIGIPASS, ACE, OPIE, OTP, INTERNAL etc. Default AuthorizationTimeout for Server TACACSPLUS changed to 600 seconds, to cater for authentication start/challenge/continue sequence that are subject to user input and could take a long time, and so that authorization replies will be available for longer sessions. Added -interactive flag to tacacsplustest to handle Tacacsplus authentications that might ask for additional data (such as when authenticating with DIGIPASS, ACE, OPIE, OTP, INTERNAL etc). The Tacacs group name now defaults to ‘DEFAULT’ if GroupMemberAttr is not defined, or if the Access-Accept does not include that named attribute (ie if the Tacacs group name cannot be determined).
- Fixed a problem with AddToReplyIfNotExist in all AuthBys, where some special reply types such as Session-Timeout were not properly interpreted. Reported by “Brian Morris”.
- Added simple Tacacsplus test client to goodies. All perl, does not require additional perl modules.
- Added new PostAuthSelectHook to AuthBy SQL, which allows a hook to adjust the results of the AuthSelect query before being used. Contributed by Karl Gaissmaier.
- Testing with ZyXEL ZyAIR B-3000 Wireless access point, using WPA, 802.1x and Radius authentication. OK.
- AuthLog SYSLOG did not recognise the LogSock parameter.
- Added -nas_identifier flag and default NAS-Identifier attribute to radpwtst. Contributed by Nennker, Axel.
- Added a script goodies/rotateacct.pl to rotate the ACCOUNTING table. Contributed by Ray Van Dolson
- Added goodies/eap_acct_username.txt, A sample hook and script for de-anonymizing EAP-TTLS accounting requests, and which does not require an SQL database. Contributed by Rok Papez, with comments by Roy Badami.
- Added new parameter for EAP-TLS, EAPTLS_NoCheckId, which prevents the comparison of the username with the certificate common name. The certificate will be acccepted based only on the validity dates and the verification chain to the root certificate. This allows Radiator to mimic the behaviour of some other Radius servers. Contributed by Martin Noha.
- Added various 3GPP attributes for vendor 10415, contributed by Andy M.
- Fixed a problem with AuthBy RSAMOBILE, where one incorrect tokencode could cause the user to exceed their maximum login attempts. Reported by Sylvain Maret.
- Added support for NoCheckPassword to AuthBy LDAP2, so that LDAP can be used to get check and reply items, but where the authenticaiton is done by another module.
- Improvements to date parsing to make it more tolerant of non-standard case in month names when useed in Expiration etc.
- Improvements to AuthBy LDAP2 so that when ServerChecksPassword is set, and the password check fails, it wont cause a subsequent attempt to do an NT hashed password check.
- All modules that can route requests back to the Handlers list now also support PreHandlerHook. Suggested by Roy Badami.
- Testing on NetBSD 2.0. OK.
- Fixed a problem with AuthBy PLATYPUS where some versions of perl could result in a trailing comma in the SQL for an accouting request. Reported by Jason D. Borders.
- Performance improvements in format_special. Added ability to extend format_special indefinitely without performance penalties. Added 2 new attribute formatting operators. %{IntegerVal:attribute} is replaced by the integer value of the named attribute from the current request. %{HexAddress:attribute} is replaced by the IPV4 address catinaed in the named attribute from the current request, formatted as a hex string. Suggested by Pavel A Crasotin.
- The timing of the writing of the PID to PidFile has been deferred until after the Radius ports are created, and the server is almost certain to start up. Suggested by Karl Gaissmaier.
- Added example RADAUTHLOG and RADLASTAUTH tables to example SQL scripts that did not have them (all except mysqlCreate.sql).
- Added new formatter for format_special that can access variable from the server configuration. For example, %{Server:Trace} is replaced by the global server Trace parameter.
- Fixed a problem with AddressAllocator DHCP that could cause a socket error after a HUP on UNix. Reported by Andrew D. Clark
- EAP TLS, TTLS and PEAP now take note of the Framed-MTU, if present, to limit the MaxFragmentSize.
- Added goodies/gigawords-hook.pl, a hook for calculating correct total octets from Gigawords. Contributed by Igor Briski, Iskon Internet d.d.
- Added goodies/lsa_eap_multi.cfg example config file showing how Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also handles the outer and inner requests for TTSL and PEAP. You can use it to authenticate almost anything against Microsoft Active Directory.
- In ServerTACACSPLUS, BindAddress now defaults to the global BindAddress, and you can now specify multiple comma separated addresses to listen on multiple interfaces.
- Added support for passwords encrypted with the Microsoft SQL pwdencrypt() function. The required format is like: {mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA79 59C1A798ECD34514694A13D29ED57BE9CBE5DA
- AuthBy RADIUS now supports MaxFailedRequests parameter. A proxy host will not be marked as failed until at least MaxFailedRequests requests have not received a reply. This is useful for some buggy remote radius servers, that sometime drop requests for particular users. Also some internal changes to the addHost() function. Suggested by Arnauld Michelizza.
- Added goodies/checkOnlineSql.pl, a script that checks that all the users in an SQL SessionDatabase are still online, and delete the ones that arent. Uses a client table to determine Nas type etc.
- The Authen-Digipass package for Solaris did not include libaal2sdk, resulting in an error when tryingg to run Digipass authentication. Reported by Roy Badami.
- New versions of AuthBy PLSQL and sample config file, which now supports INOUT parameters for Oracle stored procedures. Contributed by Pavel A Crasotin.
- Improvements and refactoring of IPV6 address code. ServerRADSEC, ServerTACACSPLUS and Monitor can now listen for connections on multiple IPV4 and IPV6 BindAddress addresses.
- Fixed a problem with goodies/nntp-redirect.pl where it incorrectly looked for case-sensittive AUTHINFO. Reported and patched by Thorsten Huber.
- Added nntp-redirect.pl, A Radius-enabled Net News NNTP port authenticator and accountor. This program received NNTP connection requests, authenticates each one with Radius, and then forwards the connection to the real NNTP serer. It counts bytes in and out, and at the end of the NNTP session sends Radius accounting data counting the total news traffic in and out. This allows you to integrate NNTP authentication and accounting with the rest of your Radius services. Reply attributes in the Access-Accept can be used to configure the NNTP server and port to redirect to, allowing per-user NNTP configuration via Radius.
- Altered the SQL database connections to use PrintError 0, so that unneccesary error messages will not be printed to stderr.
- Testing on SuSE 9.2. OK.
- Added MaxRecords parameter to AuthBy LDAP2. It specifies the max number of matching LDAP records to use for check and reply items. Default is 1 to be backwards compatible. Only the first match (if any) is used for ServerChecksPassword. Suggested by Kenneth Cheung.
- Added a number of Mikrotik Vendor Specific Attributes to dictionary. NoContributed by Adrian Tan.
- Added new NoEAP parameter to all AuthBys that will disable EAP authentication in that AuthBy. Useful for doing additional authentication besides EAP, such as MAC address etc.
- Added simple_main_loop to Select for simple clients etc.
- Fixed a problem with all LDAP modules where an LDAP connection problem could cause a Radiator crash.
- Fixed a problem with radpwtst where specifying IPV6 addresses for both -s and -bind_address could produce ‘bind: Cannot assign requested address’. Reported by Paul Dekkers.
- Improved performance of AuthBy LDAP2, especially when used with ServerChecksPassword. Some servers would disconnect after an unbind. This fix prevents a disconnection after a ServerChecksConection bind, reducing the overhead of reconnecting. Overhead for reconencting with TLS enabled is high. Fixed ServerChecksPassword so it works in more cases, such as Novell eDirectory. Added goodies/edirectory.cfg showing best configuration to use with Novell eDirectory.
- Improvements to Linux startup script so it recognises Debian start-stop-daemon and uses that to stop and start the server.
- Testing with Debian and Ubuntu 4.10. OK, but minor changes required to RPM, Radiator.spec and linux-radiator.init
- Improvements to EAP to prevent multiple MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in reply.
- Fixed a problem that could cause an error in ServerTACACSPLUS ‘Too many arguments for open’ when runnning on perl 5.005. Reported and patched by Bill Ouchark.
- EAP-Token is now supported by all static password authentication methods, such as AuthBy FILE, SQL, LDAP etc. goodies/eap_multi.cfg updated to demonstrate this.
- EAP-TLS now supports client certificates with multiple CNs. At least one CN must match the USer-Name or Identity (after EAPTLSRewriteCertificateCommonName rules are applied to each CN).
- Added new flag EAPTLS_PEAPBrokenV1Label to make PEAP Version 1 support compatible with nonstandard PEAP V1 clients that use the old broken TLS encryption labels that appear to be used frequently, due to Microsofts use of the incorrect label in its V0 client.
- Revision 3.11 (2004-10-25) Some new fxeatures and an important bug fix.
-
- New module AuthBy MULTICAST proxies some or all requests to _all_ Hosts in a list. Contributed by Andrew Ivins and Swiftel.
- New example code in goodies/hooks.txt for processing multiple cisco-avpair attributes. Contributed by Chris.Patterson.
- Improvements to Monitor.pm so that stringarray and splitstringarray types can be displayed in Radar.
- Improvements to AuthBy FILE so that a Filename of the form %D/users.%R (where the file to be loked at depends on the users Realm) will work correctly with caching turned on. Contributed by Ivan Brawley.
- Improvements to ClientListSQL, so that SQL failures during reloading of the client list will result in the old list being continued to be used. Contributed by Ivan Brawley. Similar changes to ClientListLDAP.
- Testing on Fedora Core 2. OK.
- Testing on SuSE 9.1. OK, but fixes required for /etc/init.d/radiator in RPM.
- Testing on Slackware 10.0. OK, but fixes required for RPM installs. Slackware requires rpm –nodeps to install the RPM
- Fixed a problem that prevented logging of some incoming packets through Monitor. Reported and patched by Ivan Brawley.
- Fixed a problem introduced in 3.10 with reassociating after poor coverage. Reported by Roy Badami.
- Fixed a problem with AcceptIfMissing which did not work correctly if the user did not exist in the database.
- Fixed a problem where logging at trace level 4 to an SQL database could cause problems with quoting on Informix due to a newline in the log message.
- We now ensure the openssl session resumption time limit is set in accordance with EAPTLS_SessionResumptionLimit. Reported and patched by Roy Badami.
- Improvements to restartWrapper so it can log to syslog through /usr/bin/logger. Contributed by Nennker, Axel.
- Log SQL and Log SYSLOG loggers now support MaxMessageLength parameter which trucates the log message (prior to any quoting in the case of SQL). Useful for some types of SQL server that complain if given a string longer than the column its going in to.
- Revision 3.10 (2004-10-11) Significant new features. Bug fixes.
-
- Radiator is now ‘Vasco Ready’. Added support for Vasco Digipass authentication with new AuthBy DIGIPASS module. Example config file in goodies/digipass.cfg. Sample Digipass token data tables added to goodies/*.sql. Documentation on installing and configuring Digipass on Solaris, Linux and Windows in goodies/digipass-install.txt. Prebuilt binaries of required Authen-Digipass module for Solaris, Linux and Windows.
- New module AuthBy LDAPRADIUS proxies requests to a remote radius host whose details are found in an LDAP database, looked up against users Realm (or Calling-Station-ID etc). Similar in functionality to AuthBy SQLRADIUS. Example LDAP schema, LDAP records and config file are included.
- Added new clause ClientListLDAP, which lets you define your Client clauses from an LDAP query, similar to ClientListSQL. Also supports RefreshPeriod, so the Client list can be refreshed periodically. Example config files, LDAP data and schema included.
- New module AuthBy KRB5 for authenticating against Kerberos 5. Works with Radius PAP and EAP-TTLS-PAP. Substantially contributed by Steve Harper with fixes by Jeff Wolfe. Tested against realms hosted by DCE and MIT K5. Example config file in goodies/krb5.cfg
- Testing with pGina, a free Windows login program for Win2000 and XP that uses Radius to authenticate Windows users (http://sourceforge.net/projects/pgina). Works fine with the example goodies/simple.cfg.
- Further improvements to handling of EAP Requests. Requests other than Notifications are now IGNORED, except for LEAP.
- Fixed a problem with dictionary that could occasionally cause MSCHAPV2 authentication to fail.
- Added support for DefaultRealm in Server TACACSPLUS.
- Added a number of Nomadix VSAs to dictionary. Contributed by Ing. Rosario Pingaro.
- Fixes to permit <Handler User-Password=xyz> to work with CHAP, MSCHAP and MSCHAPV2, as well as PAP.
- Added Ascend-Session-Svr-Key to dictionary.ascend. Contributed by tcrholdings.
- AuthRSAMOBILE.pm was accidentally left out of the 3.9 distribution.
- Fixed a problem with CommandAuth in ServerTACACSPLUS. Patch contributed by Nick Slager.
- Added VSAs for Trapeze Networks to dictionary. Contributed by Matthew Gast.
- In dictionary, MS-MPPE-Encryption-Types of Encryption-40 and Encryption-128 were reversed.
- Disconnect-Request packets did not get a correct authenticator when proxied.
- Added support for AddToRequest in field 22, StripFromRequest in field 23 and AddToRequestIfNotExist in field 24 of ClientListSQL of GetClientQuery.
- Added some more Extreme VSAs to dictionary. Contributed by Carlo Beronio of Extreme Networks.
- Added new script goodies/mergedetails which will combine multiple accounting details files into a single file in chronological order.
- Added new goodies/vlanhooks.txt, with example hooks for handling multiple downstream authenticators, and NASs with incompatible interpretations of Tunnel-Private-Group attributes. Contributed by Matthew Gast.
- Added VSAs for Sonic Wall to dictionary, contributed by Joe Levy.
- Testing on Lindows 4.5. OK.
- Improvements to domain handling in AuthBy LSA. New paramter DefaultDomain specifies the domain if the user does not specifiy a domain in their username. PEAP now passes the entire DOMAIN\username to the authenticating module. If you are using PEAP-MSCHAPV2 with AuthBy FILE, users should not specify a domain when they log in (unless you have DOMAIN\user in your users file). Also added new parameters Group and DomainController to AuthBy LSA. The Group parameter allows you to specify that each user must be the member of at least one of the named Windows global groups. More than one required group can be specified, one per Group line. Requires Win32::NetAdmin (which is installed by default with ActivePerl). If no Group parameters are specified, then Group checks will not be performed. Only Global groups are supported. If Group is required and DomainController is not specified, it will attempt to find the domain controller based on the users domain. Example usage in lsa.cfg.
- Fixed a problem in goodies/radacctSorted.cgi that could cause a ‘divide by zero’ error when used with an SQL database.
- Improvements to AuthLog SYSLOG and Log SYSLOG, so that multiple instances of the logger with different Facility parameters will work as expected. Contributed by Heikki Vatiainen.
- Versions of Radiator that require a key for unrestricted operation now identify themselves as ‘LOCKED’ rather than ‘EVALUATION’.
- Added new command line flag to radpwtst. The -eaphex flag allows you to specify an EAP-Message in hex. Contributed by Martin Noha.
- Added new ConnectionHook parameter to SqlDb.pm. This allows any Sql object (like AuthBy SQL etc) to run database-specific code each time Radiator (re)connects to the database. This is most useful for executing func() to configure the database connection in customised ways. Example hook in goodies/sql.cfg. Suggested by Oleg E. Shubarov.
- Fixed a typo in ServerConfig.pm, that resulted in ‘acccess requests’ in status reports.
- ClearTextTunnelPassword parameter was moved from AuthBy RADIUS to AuthGeneric, so that all AuthBy modules (not just RADIUS proxying) now honour it. Suggested by Patrik Forsberg.
- New version of Windows Authen-ACE4 PPM package, compiled for both ActivePerl 5.6 and 5.8 with recent SDK for Server 2003 etc. Also PPM summary files for use with PPM3.
- EAP-MSCHAPV2 in an inner authenticator now honours AddToReply AddToReplyIfNotExist and DefaultReply.
- Fixed an incorrect header length with EAP-PEAP version 1. Fixed a problem with cached EAP-PEAP version numbers. Reported by Jouni Malinen.
- goodies/radwho.pl now lets you set the table name to use with -table argument
- Modules that use syslog now do openlog;syslog;closelog for each log message so that is the syslog facility restarts, Radiator will reconnect to the syslog facility.
- ReplyHook can now set $op->{RadiusResult} to force particular response.
- Fixed a problem with goodies/radwho.cgi where some browsers did not work correctly wuth the ‘delete session’ link.
- AuthBy RADIUS now determines a suitable local source socket address from LocalAddress, based on whether the destination address is IPV4 or IPv6. The first suitable address in the LocalAddress list will be used as the source address. If LocalAddress does not specify a suitable IPV4 or IPV6 address for the intended destination, the appropriate ‘any address’ will be used, which generally means the default source address for that host.
- AuthBy RODOPI now supports Rodopi 5.4 Cisco VOIP authentication and billing. Requests that contain the ‘cisco-h323-conf-id’ attribute will be handled with the VoipAuthSelect and VoipAcctSQLStatement parameters.
- Common authentication methods now accept all passwords if NoCheckPassword is set.
- radwho.cgi now sets the refresh time to 0 after terminating a user, so the automatic browser refresh doesnt keep clobbering the user. Patch submitted by Richard Vander Reyden.
- EAP MD5-Challenge now rewrites the EAP identity using RewriteUsername.
- Fixed a problem with EAP TTLS where the TLS client-hello would not be honoured properly on some coombinations of clinet and AP.
- AddressAllocator SQL now does not run the AllocateQuery if it is an empty string. Also, the expiry time is now calculated once for each allocation, and passed to FindQuery as %2. Suggested by Andy M.
- In dictionary, some 3GPP attributes were incorrectly called just GPP.
- Added Giganews VSAs to dictionary. Contributed by Carl Litt.
- Testing with jradius-client, a java Radius client from sourceforge. OK.
- Fixed a problem that prevented IPV6 DNS names being used. Reported by Paul Dekkers.
- Fixed problem with a number of authentication modules that could cause a crash when doing logPassword when used to authenticate for Monitor or Server TACACSPLUS requests. Reported by Carl Litt.
- Improvements to handling of Windows NT Hashed passwords. Encrypted-Password may now be either 32 bytes of hex encoded NT hashed password, or 16 bytes of binary NT hashed password or 13 bytes of Unix crypt password. User-Password now supports NT Hashed passwords in the form User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4. The NT Hashed passwords work with PAP, and now with MSCHAP, MSCHAPV2, EAP-MSCHAPV2 and EAP-LEAP. This provides compatibility with Samba SMB passwords (either in a flat file or in LDAP).
- In PEAP, AllowInReply could cause MPPE keys to be unexpectedly stripped from the reply.
- Fixed a potential issue in TTLS session resumption. Reported by Roy Badami.
- Added goodies/radlog.cgi, a CGI script to view the tail of a Radiator log file. Can be helful for helpdesk troubleshooting. Contributed by Mohammad Junaid, Cyberia.
- Fixed a problem that prevented ClientListSQL properly processing the last column from the query, which can contain a comma separated list of flag names.
- Changed example LDAP config and sample user data to be compatible with OpenLDAP 2.1. OpenLDAP now defaults to requiring protocol version 3.
- AuthBy RADMIN can now handle Session-Timeout as a string, such as ‘until Time’. Reported by Oliver Insanally.
- Core LDAP functions moved from AuthLDAP2.pm to new module Ldap.pm to allow reuse by other LDAP modules such as AuthLDAPRADIUS.pm and ClientListLDAP.pm
- Name of the key-locked distribution file changed from Radiator-Demo to Radiator-Locked.
- AuthLog SYSLOG now supports the LogIdent parameter, similar to Log SYSLOG.
- Revision 3.9 (2004-03-17 New features)
-
- Added support for Radius over IPV6. Radiator can new receive Radius requests over IPV6, and proxy to remote servers over IPV6. radpwtst can now send requests over IPV6. See goodies/ipv6.cfg for examples. Requires the Socket6 module from CPAN.
- radwho.cgi now honours the correct sort order after deleting. Contributed by Cameron Moore.
- Added support for NAS-Type of NomadixSNMP, contributed by Toomas Karner.
- Fixed a problem that could affect EAP TTLS where the inner requests was proxied to another Radius server. Could result in no reply sent back to the AP. Reported by Roy Arends.
- Added support for NasType of Redback by SNMP. Contributed by Toomas Karner.
- AddressAllocator SQL now does not run the DeallocateQuery or ReclaimQuery if they are empty strings. Suggested by Kwang Moon.
- Added more USR VSAs to dictionary, contributed by Joseph Eapen.
- Improvement to AuthBy RSAMOBILE, so the Tokencode prompt includes the expected SMS message ID if possible.
- Added support for encrypted passwords in ancient Netscape Mail server format: {NS-MTA-MD5}b6b49e37d494a09bfde663033274bc83cd1bf318fa32c5866166a7edcb1e1c87
- New hook TranslatePasswordHook for all AuthBy clauses. This hook can be used to apply site-specific transaltions to passwords, such as forcing lowercase, decrypting or otherwise transforming passwords retrieved from the user database, prior to checking. Works with plaintext, CHAP, MSCHAP etc.
- Added support for non-standard VSA format for Ascend/Lucent TAOS code 4846. Also added Ascend-MOH-Timeout to dictionary, which will be decoded according to this non-standard format. Requested by Jeroen.
- Renamed Redback VSA Acct-Reason to RB-Acct-Reason for consistency with all others Redback attributes.
- Server TACACSPLUS will now print a hex dump of the raw incoming TACACS request if Trace is set to 5.
- New certificates for testing TLS/TTLS/PEAP. Previous certificates expired in Feb 2004. These new ones expire in March 2006.
- Added a number of new attributes to the standard dicitonary, such as VSAs for Juniper ERX, RB-Client-MAC
- Revision 3.8 (2003-12-24 New features and bug fixes)
-
- Added beta support for EAP Generic Token Card EAP-PEAP Generic Token Card and conventional Radius Access-Accept/Access-Challenge using AuthBy RSAMOBILE and the RSA Mobile authentication system from RSA Security (www.rsasecurity.com) RSA Mobile supports a number of authentication methods, including – username and password – an access code sent by SMS to your mobile phone – RSA SecureID Token Cards and all of these can be configured with AuthBy RSAMOBILE
- Fixed a problem with SIGHUP on FreeBSD with the Monitor clause, could cause ‘Could not bind Monitor socket: Address already in use’.
- Fixed incorrect references in the documentation to /usr/local/etc/radius.cfg.
- Changes to Server TACACSPLUS, because some TACACS+ client do not like success packets containing a server message. No server message is ever sent now.
- Added Redback Acct-Reason VSA to dictionary. Contributed by Kurt Jaeger.
- Further improvements to Server TACACSPLUS, contributed by Paul Schultz, and confirmed operation with various Cisco and Juniper clients. Added support for CommandAuth, a mechanism for permitting or denying permission fo specific commands requested on the Tacacs client.
- Added cisco-Policy-Up and cisco-Policy-Down VSAs to dictionary.
- Added EAPTLS_PEAPVersion parameter to all AuthBy clauses, which allows you to control whoch version of the draft PEAP specification to honour. Defaults to 1. Set it to 0 for unusual clients, such as Funk Odyssey Client 2.22 or later.
- Fixed a problem with PEAP that could prevent the use of Framed-IP-Address in user records, resulting in an error like:
Mon Oct 20 15:57:25 2003: ERR: Could not handle an EAP request: Can’t call method “attrByNum” on an undefined value at Radius/Radius.pm line 1440. - Fixed problems with Server TACACSPLUS, where some cases of incorrect message packaging were found and fixed by Paul Schultz. Also some special characters like %w and %C did not work correctly with requests originating from Server TACACSPLUS. Reported by Garry Thomas.
- Added a number of Unisphere VSAs to dictionary. Contributed by Chris Patterson.
- Fixed a problem with AuthBy RADIUS in Synchronous mode, where if all hosts failed to get a reply, Radiator would stop answering requests until the FailureBackoffTime expired.
- Fixed problem with incorrect replies to Tacacs accounting requests. Reported by Garry Thomas.
- Fix for broken Breezenet/Breezecom/Alvarion VSA’s. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately dont use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the fist one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc through to Breezecom-Attr11.
- Added Packeteer-AVPair to dictionary.
- $p->{EAPIdentity} is automatically set to the EAP identity (if known) during EAP processing.
- Added a number of Altiga attributes to dictionary. Contributed by Karl.Gaissmaier.
- Added missing documentation for SnmpwalkProg to reference manual.
- EAP LEAP now honours RewriteUsername to rewrite the LEAP identity before authentication.
- Added NasType CiscoSessionMIB, which uses the new sessionMIB available in Cisco IOS 12.2.15T. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dt_asmib.htm for more details.
- EAP TLS authentication did not take notice of the common name in the certificate when checking the users file. Every users certificate Common Name is now required to be in the users file.
- Some types of errors in initialising the TLS library would only affect the first EAP request. Subsequent ones could succeed where they should not.
- Added Copper Mountain Networks Vendor Specific Attributes to dictionary
- Fixed a problem where runt EAP-Message attributes could cause ERR messages like “Could not load EAP module Radius::EAP_;”
- New argument -rawfileseq added to radpwtst. Contributed by Martin Noha.
- Added generic, configurable one-time-password module AuthBy OTP that can be used with EAP-OTP, EAP-GTC and standard dialup. Hooks allow you to generate random passwords and deliver them through a back channel such as SMS by calling an external program.
- Fixed a bug in AuthBy SQLRADIUS where falling back to the secondary would not occur under some circumstances.
- Added new parameter SQLRecoveryFile so that any SQL clause (such as AuthBy SQL etc can log failed SQL do queries to a file for later recovery. Performance improvements to AuthBy SQL accounting. Suggested by Kenneth Cheung.
- Fixed some problems with session resumption on Windows XP EAP-TLS and openssl that could cause a crash.
- Added support for RFC 3576 Error-Cause attribute to dictionary. Also added all recognition for all Radius packet types per RFC 3576. Added Acct-Tunnel-Packets-Lost per RFC 2867 to dictionary.
- AuthLog is now passed the reason (if there is one) even with accepts. Suggested by Robert Kiessling.
- Improvements to PEAP, TTLS and TLS error handling. The SLL context is now cleared on EAP failures.
- Added goodies/multiprofile.txt, which contains a contribution from Matthias Wamser, showing how to provide different sets of reply items for different types of Dialup, DSL services etc.
- Fixed to Server TACACSPLUS so that special characters that depend on the OriginalUserName like %u will work.
- Added Propel VSAs to dictionary, contributed by Craig Gittens.
- In SessionDatabase SQL, username is now always quoted when it is available as %0.
- Added support for DEC VMS style hashed passwords, in the format
{dechpwd}algorithm|salt|hashedpassword
eg: {dechpwd}3|1234|85ad61e72a41dec4
Requires Authen-DecHpwd from CPAN. - Fixed one case of use of LOG_WARN instead of LOG_WARNING in Server TACACSPLUS. Reported by Robert Kiessling.
- Fixed problem where <Handler User-Password=xxx> would cause a crash.
- Revision 3.7.1 (2003-09-26 Important bug fix, support for EAP Generic Token Card)
-
- AuthBy RADIUS now correctly handles replies of type Disconnect-Request-ACKed. Contributed by Robert Thomson.
- Added support for EAP Generic Token Card (EAP type 6). Modifications so that AuthBy OPIE can be used to authenticate EAP-One-Time-Password, EAP-Token Card and EAP-PEAP Token Card from the OPIE one-time-password system. Tested with Funk Odyssey client. Improvments to radpwtst, added the -eapotp and -eapgtc arguemnts to support testing of EAP One-Time-Password and EAP Generic Token Card.
- Added support for EAP Generic Token Card and EAP-PEAP Token Card with AuthBy ACE and the SecurID ACE server token code system. Sample config file in goodies/eap_gtc_ace.cfg. AuthBy ACE will also work with EAP PEAP Generic Token Card similar to eap_peap_gtc_opie.cfg.
- Fixed a typo in attribute parsing that could cause an error like
ERR: Bad attribute=value pair:
. This typo was introduced in version 3.7. - In dictionary, Unisphere-Service-Bundle was incorrectly set as an integer instead of a string. Reported by Jan Munkhammar.
- Improvements to Server TACACSPLUS by Robert Kiessling: Translate TACACS+ attributes for NAS-Port-Id and Calling-Station-Id for Accounting requests too, not only for Authentication and Authorization requests as before.
- Typo in dictionary: alreadyDisconneted should have been alreadyDisconnected.
- Improvements to Server TACACSPLUS suggested by Robert Kiessling: can now use Client-Identifier as a check item to identify requests originated by ServerTACACSPLUS.
- Revision 3.7 (2003-09-23 Some significant new features and some minor bug fixes.)
-
- Added Cisco LEAP-compatible 802.1x wireless EAP support, and example eap_leap.cfg.
- Added new AuthBy LSA module which can authenticate PAP, CHAP, MSCHAP, MSCHAPV2, PEAP, LEAP etc against Windows user passwords. Can be run on Windows 2000, 2003 and XP (not Home edition). Requires the Win32-Lsa perl module from Open System Consultants.
- Added new clause <ServerTACACSPLUS> that acts as a Tacacs+ server and converts Tacacs+ requests into Radius requests. Handles Tacacs+ authentication, authorization and accounting. Sample configuration file in goodies/tacacsplusserver.cfg.
- New {mysql} password format support did not work correctly on perl 5.005 and earlier, causing failures in the test suite at tests 2w, 2x, 2z, 3a, 3d, 3g, 3h, 4a, 5a, 5f, 6a, 6b, 6c, 6e, 6f, 6g, 6h, 7a, 7b, 7c, 8a, 8b.
- Performance improvements in regular expression check item matching in AuthGeneric.pm
- Performance improvements in regular expression Realm selection.
- Added VSAs for Alcatel BRAS DSL termination gear to dictionary
- radpwtst now honours the -class flag for Access-Requests as well as Accounting-Requests.
- Fixed EAP-TTLS so that %u works for the inner authentication.
- Fixed a problem with UseExtendedIds that could cause a crash with “Can’t locate object method “change_attr” via package “Radius::AuthRADIUS””.
- Testing on Symbol Mobility Server (www.symbol.com). This is a very small ARM Linux server with BusyBox Linux not much bigger than you hand. Takes a CF card as a plug-in file system, and runs Radiator fine, including 802.1x TLS, TTLS and PEAP. Requires cross-compilation of some Perl modules. We can provide instructions if required.
- Removed logging of password at INFO level during bind in AuthBy LDAP2. Suggested by “Steven P. Crain”.
- Changed the example EAPTLS_MaxFragmentSize in all EAP configuration examples to 1000 to accomodate Enterasys RoamAbout V2 access points, as suggested by Mark Haidl.
- New -servicename argument to radiusd allows the name of the Windows service to be specified for -installservice and -uninstallservice, allowing multiple instances of Radiator to be run as Windows services at the same time.
- Fixed typos in isOnline support for Portmaster3, Portmaster4 and Xyplex.
- radpwtst now sets the authenticator in Disconnect-Request same as for accounting. Some NASs (notably Cisco) require this.
- Fixed a problem with radpwtst in -gui mode, where the toolbar expands bigger than it should be. Patch contributed by Cameron Moore. Thanks Cameron.
- Added AllowInRequest parameter to AuthBy RADIUS, which restricts which attributes can be proxied. Suggested by Toomas Karner.
- Unrecognised EAP types now result in a REJECT insrtead of IGNORE.
- Improvements to PEAP for Cisco PEAP compatibility.
- AuthBy INTERNAL now takes a RejectReason parameter. This string will be used as the Reply-Message if the AuthBy INTERNAL rejects a request.
- Improvements to logging messages and documentation for SessionDatabase SQL, suggested by Claude Iyi Dogan.
- Fixed some typos in the example goodies/url.cfg and goodies/test_url_md5.cgi files.
- AuthBy RADIUS could crash if BindAddress was set to multiple comma-separated addresses. Reported by Anthony Stanton.
- Added support for Session-Timeout=”until ValidTo”, which sets the session timeout to be the amount of time left to the end of the ValidTo check item account validity period.
- In ClientListSQL, PreHandlerHook parameters for each client were not properly compiled, and would not run. Fixed.
- Added WISPr RADIUS attributes to dictionary, based on Wi-Fi Alliance – Wireless ISP Roaming – Best Current Practices v1, Feb 2003, p 14 http://www.weca.net/OpenSection/downloads/WISPr_V1.0.pdf
- Dictionary VALUEs that looked like integers would be misinterpreted, especially Tunnel-Medium-Type=802
- With PEAP-MSCHAP-V2, per-user reply items did not get sent back in the final Access-Accept.
- AuthBy SQLRADIUS now honours AddToreply and StripFromReply attrtibutes from the Host as well as the AuthBy SQLRADIUS.
- Changes so that a proxied Access-Reject does not get multiple Reply-Message. Patch by Toomas Karner. Thanks Toomas.
- Testing with Aegis MDC Linux 1.2.0beta client on RedHat 8. Tested all EAP types, including certificate types with Radiator test certificates. See the Radiator FAQ for further remarks. Added certificates suitable for Linux clients (root.pen, cert-clt.pem) to the distribution.
- Added more KarlNet VSAs to dictionary, contributed by Clinton – Golden IT.
- SNMPAgent now correctly honours BindAddress when used with SNMP_Session version 0.92 or later.
- Added EAPTLSRewriteCertificateCommonName parameter for TLS, which rewrites the Common Name from the certificate before using it to fetch user details from the Radiator database. Suggested by Paul Dekkers.
- When installing as a service on Windows, you can now specify extra arguments to pass to perl on the command line when the service starts. This is useful for specifying an alternative install directory for the Radiator perl modules, eg: perl c:\Radiator\radiusd -installservice -serviceperlargs -Ic:\Radiator
- Minor changes to AuthBy OPIE, ACE and CRYPTOCARD to better support tunnelled requests.
- Added example configuration file showing how to authenticate from an IC-ISP mySQL database. IC-ISP is a full source ISP billing package for Unix. See www.ic-isp.com for details about IC-ISP. Accounting is not supported. Works with IC-ISP 2.0.24 and later.
- AuthBy SQLRADIUS now honours UseExtendedIds as a configuble per-host parameter, and Auth RADIUS now make easch Host inherit its UseExtendedIds from the Auth RADIUS clause.
- Fixed a problem with AuthBy RADIUS where 2 Proxy-State = OSC-Extended-Id could be added when multiple Hosts were involved.
- Fixed a problem with PEAP MSCHAPV2: if a Domain was specified, the authentication would fail.
- Radius packets were incorrectly limited to 8192 bytes on reception. Increased to 65535.
- The Group parameter did not permit symbolic group names.
- In SessionDatabase SQL, the session ID (%3) was not always quoted correctly in DeleteQuery.
- Improvements to storage of VALUE in dictionary allows decoding based on the attribute name rather than the number, which allows correct unpacking of attributes with synonyms, such as Ascend-Disconnect-Cause. This involved changes to RDict::valNumToName.
- Fixed a potential problem when unpacking non-conforming abinary attributes.
- Added goodies/logisense.txt, containing example configuration, SQL tables and requirements for interoperation between Radiator and ENGAGE*IP. Contributed by STOWE TELECOM, LLC.
- Added Slipstream-Auth to dictionary.
- Under certain circumstances on some platforms with AuthLog SYSLOG and Log SYSLOG, syslog can die. Fixed.
- Added StartHost parameter to AuthBy SQLRADIUS, contributed by Alexander Mayrhofer.
- Improvements to error handling in AuthBy LDAP2.
- Testing on Windows Server 2003. No changes in code or documentation required.
- Testing on HP PA-RISC Linux (Debian). No changes in code or documentation required.
- Added -outport and -bind_address options to radpwtst.
- Fixed a problem where AuthBy URL did not handle AuthUrl starting with https://
- Fixed a problem involving EAP, where multiple AuthBy clauses could result in incorrect PEAP-MSCHAPV2 challenge message, or using the wrong challenge during authentication.
- AuthBy SQL now logs to AcctFailedLogFileName if AcctSQLStatement fails as well as if the usual accounting insert fails.
- AuthBy URL now supports AcctUrl, a URL that will be used for accouting data
- Added AuthBy SOAP module for converting Radius requests to SOAP and SOAPRequest.pm for converting SOAP requests back to Radius requests. This SOAP interface is useful for tunnelling through firewalls, improving the reliability of Radius by using TCP as the transport, and for improving security by using HTTPS as the protocol.
- Added VSAs for Quarry devices.
- Fixed a problem with parsing of attr=val pairs on some platforms with some locales on perl 5.8.0, due to changes in perl regexp handling.
- Added new special characters. %A is replaced by the Timestamp in standard SQL date time format eg: Sep 12, 2003 15:48. %B is replaced by the current time in standard SQL date time format eg: Sep 12, 2003 15:48. %F is replaced by the Timestamp in extended SQL date time format eg: Sep 12, 2003 15:48:59. %G is replaced by the current time in extended SQL date time format eg: Sep 12, 2003 15:48:59.
- In AuthBy SQL, columns inserted by ACctColumnDef are now inserted in alphabetical order by column name. Patch provided by Robert Blayzor. Thanks Robert.
- On some platforms such as FreeBSD, a Monitor connection would not disconnect properly after a QUIT command.
- Added a number of new attributes to dictionary for CVX and Valemount. Thanks to Craig Gittens and Greg Schiedler.
- Dates for Expiration, ValidTo, ValidFrom etc can now have optional hh:mm:ss time component. Also support dd.mm.yy(yy) (hh:mm:ss) format.
- Revision 3.6 (2003-04-14 Significant improvements to wireless support)
-
- Most AuthBy clauses, including AuthBy RADIUS now support the ability to try a previously cached password before authenticating or proxying. The new CachePasswords flags causes Radiator to cache the password and reply for previously accepted authentication requests. The cached password will be tried before subsequent authentication attempts. Caution: works with PAP only. Includes improvments to Proxy-State behaviour.
- AuthBy RADIUS now supports CachePasswords either before or after proxying. The new flag CacheOnNoReply controls whether the cache will be checked before every request, or only after no reply is recieved. It defaults to 1 (ie check the cache if no reply is received) to be consistent with historical behaviour.
- Significant improvements to Windows installation process.
- Added DefaultLimit parameter, allowing you to control the maximum number of DEFAULT users. Defaults to no limit.
- Added support for password encryption type {digest-md5-hex} which can be used with Digest and SIP (Session Initiation Protocol) authentication.
- Added support for SIP (Session Initiation Protocol) Telephony Digest authentication, as per draft-sterman-aaa-sip-00.txt, using attributes Digest-Response, Digest-Attributes as defined in the new dictionary.sip.
- radpwtst now takesd a -sip command line argument that forces it to do SIP digest authentication. Requires the new dictionary.sip as well as the old dictionary like this:
radpwtst -dictionary dictionary,dictionary.sip -sip
- Ivan Kohler updated the Freeside accounting insert hook, and the file name was changed from freesideacct.pl to goodies/sqlradacct.pl to be consistent with Ivan’s naming convention. Also Ivan’s Copyright notice had been omitted. See goodies/freeside.cfg.
- AddressAllocator SQL now supports SQL bind variables on databases that provide them.
- SimpleClient.pm now implements retries. Sample code in goodies/simpleClient.pl
- Previous changes to quote the community in snmp commands with double quotes for correct operation on Windows somehow got lost. Reinstated.
- In AuthBy LDAP, AuthBy LDAP2 and AuthBy LDAPSDK, AuthDN and AuthPassword now permit special characters. Requested by Dan Melomedman (dan%dan.dan at devonit.com)
- Added AuthenticateAttribute parameter to most AuthBy clauses, allowing you to authenticate an attribute other then User-Name.
- Newly reorganised dictionary had incorrect types for vendor-specific Ascend-Data-Filter and Ascend-Call-Filter. Changed to abinary.
- Added goodies/sqlclienthook.pl, sample code showing a way to have a ClientListSQL-like database of clients, but still use the file:’filename’ style of hooks. WrittXen by German Gatica. Thanks German.
- Improvements to goodies/radacct.cgi to make it tolerant of Acct-Session-Ids that include spaces. Contributed by petri.maenpaa at satakunnanpuhelin.fi.
- Improved sorting of Time On field in radwho.cgi. Suggested by petri.maenpaa at satakunnanpuhelin.fi.
- PasswordLogFileName and WtmpFileName now ensure that the directory exists before writing.
- Could get multiple EAP-Message attributes when tunnelling EAP-MSCHAPV2 through TTLS.
- In AuthBy SQL, if there are multiple AuthColumnDef reply definitions, they will be added to the reply in the order of the SQL query column number. Previously the order was not guaranteed.
- Client and Handler clauses incorrectly did not allow you to specify AllowInReply.
- Added 3GPP and Quintum Vendor-Specific-Attributes to dictionary
- Testing with Solaris 9. OK. We tested with the precompiled Solaris 8 Perl 5.8.0 binary from SunFreeware.
- Fixed some compatibility problems for OpenSSL 0.9.7 in the example goodies/mkcertificate.sh.
- The test suite now tests with a user ‘testuser’ not ‘mikem’.
- Added detailed installation instructions for Mac OS X to goodies/osx.txt
- All EAP configuration parameters involving files now support special characters.
- Added sample EAP certificates to the distribution. None of these certificates should be considered to be secure, and they should NOT be used in a production environment, but only for testing and proof-of-concept for your project. You should use a reputable Certificate Authority package such as CAtool to generate your production certificates. See certificates/README for details on how to use them.
- Updated example goodies/eap_* configuration files to use sample certificates.
- The default location of the configuration file for radiusd on Unix has been changed from /usr/local/etc/radius.cfg to /etc/radiator/radius.cfg. On Windows, it now defaults to C:\Program Files\Radiator\radius.cfg.
- Added goodies/opie.txt, detailed instructions for installing and configuring OPIE on RedHat 7.3 for use with FW-1. Contributed by “Mark Wellins” (markw at checkpoint.com)
- Log SQL now has the SQL quoted User-Name available as %4.
- The Microsoft XP SP1 PEAP client uses the wrong MPPE keying material. The new version of EAP_25.pm detects the Microsoft client and interoperates with it as well as with compliant clients. Reported by “Tom Rixom” (tom.rixom at alfa-ariss.com).
- Improved compatibility with PEAP compliant 802.1x clients, as well as with the broken Microsoft version 0 PEAP client. Now works with Meetinghouse Data’s Aegis version 2 client with PEAP (and all other Aegis client authentication types)
- Added support for ‘Session Resumption’ for EAP-TTLS and ‘Fast Reconnect’ for PEAP. Can be optionally disabled with the EAPTLS_SessionResumption flag (defaults to enabled) The time limit for session resumption can be specified with EAPTLS_SessionResumptionLimit. Defaults to 43200 seconds (12 hours).
- Added goodies/eap_anon_hook.pl, a hook which fixes the problem with some implementations of TTLS, where the accounting requests have the User-Name of anonymous, instead of the real users name. This hook caches the real user name in an SQL table and then does a lookaside to replace the User-Name in accounting requests. Example usage in goodies/eap_ttls.cfg, Example table in goodies/mysqlCreate.sql.
- Fixed a problem that would cause a crash if Handler User-Password=xxx was used.
- Performance improvements in AuthGeneric logging. safeLog no longer needed.
- Improvements to SessionDatabase SQL, contributed by Jeremy Hinton (jgh at visi.net). If your CountQuery SQL statement is written to return a fifth argument (the default is just four), the value of the fifth argument is used in the querying of the NAS as the username to look for.
- The new BasicSelect parameter mechanism in AuthBy PLATYPUS was broken in version 3.4
- Minor error logging improvements in AuthBy UNIX.
- When inner PEAP authentications were proxied, there was no Message-Authenticator included, which could cause some remote radius servers to not reply. Reported by Kawakubo, Ken (kkawakub at fhcrc.org).
- Added VSAs for Juniper Networks to dictionary. Contributed by eric at ypass.net.
- New special character %E is replaced by total time (in seconds) since the request was received.
- Fixed a problem when %c or %C was used with tunnelled requests, causing a crash.
- Added support for new check items EAPType and EAPTypeName wich match the EAP protocol number (4, 13, 26 etc) and EAP protocol name (MD5, TLS, MSCHAP-V2 etc) that the authentication request was carried in.
- Added a number of Unisphere, Ascend-Disconnect-Cause and Acct-Terminate-Cause attributes to dictionary. Contributed by Rui Lapa (rui.lapa at oni.pt)
- Example simple users file goodies/linux-users moved to goodies/users
- On Windows, ‘perl Makefile.PL install’ now installs sample config file, sample users file and dictionary in ‘c:\Program Files\Radiator’ (if they do not already exist there). The files goodies/linux-users was moved to goodies/simple-users. New sample config file for Windows in goodies/windows.cfg.
- New module Radius/Win32Service.pm to manage automatic installation and running of Radiator as a Windows service. Radiusd internals reorganised to support this. Requires Win32::Daemon (install with
ppm install http://www.roth.net/perl/packages/win32-daemon.ppd
). - The Server Started message now logs at NOTICE level for improved monitoring. Suggested by Scott Worthington (scottw at bnsi.net).
- Added VSA’s for UTStarcom Issanni DSL router to dictionary. Contributed by butch at infowest.com.
- SNMP now recognises the ‘Timeout’ error message from some types of SNMP client, especially net-snmp (v5.0.8) (or ucd-snmp v4.2.3) on Windows.
- Added support for MySQL hashed password, as produced by the MySQL password() function, in the format User-Password = “{mysql}0569ef75321b8fed”.
- Client duplicate detection now ignores the source port, due to some clients (notably Cisco APs) using a different port for every request, resulting in excessive memory usage.
- Improved handling of Proxy-State. Proxy-State attributes are now never proxied: they are always copied (once) by the proxy server. This prevents multiple copies and facilitates other improvements such as extended ids support. Further, Proxy-Sate is now expected to work correctly with EAP requests, CachedPasswords etc.
- Added support for UseExtendedIds in AuthBy RADIUS. This mechanism uses a more robust type of Radius packet identifier that is more tolerant of large bursts of packets and various other environmental problems. This mechanism uses Proxy-State to carry a packet identifier with a much larger range, compared with only 256 that the Radius protocol specifies. This mechanism will replace the ServerHasBrokenPortNumbers and ServerHasBrokenAddresses flags, which are now deprecated. Based on code contributed by various staff at KPN. Thank You!.
- Added a number of attributes from http://www.iana.org/assignments/radius-types to dictionary, including some new Service-Type, Tunnel-Type, Acct-Terminate-Cause etc.
- Added LogIdent paramterer to Log SYSLOG, allowing you to specify an alternative ident for syslog. Defaults to the executable name as before. Suggested by Stefan Moser (sm at open.ch).
- AuthBy RADIUS now support ClearTextTunnelPassword flag which prevents Tunnel-Password being decrypted and reencrypted during proxying to support older NASs that do not support encrypted Tunnel-Passwords.
- Fixed a problem with hanging on Oracle in disconnect with some types of network failures. Contributed by Rodney Volz (rodney at LF.net).
- Fixed a problem that would cause double logging to files of any startup errors detected within ServerConfig.
- The ability to match empty string check items was broken in 3.4.
- radpwtst now has -eapmd5 flag for testing EAP-MD5 challenge. Test suite now uses it.
- Removed MacRadiusd.sit.hqx from distribution. It is no defunct and caused problems during unpacking on MacOSX.
- Fixed a problem with AuthBy RADMIN affecting vendor attributes that have no integer definitions. Patch contributed by Stephan (sschoenberger at monzoon.net).
- Revision 3.5 (2002-12-17 Minor fixes)
-
- Added files EAP_24.pm and EAP_26.pm which were omitted from the previous release. They are required for PEAP and EAP-MSCHAP-V2.
- Attributes from all dictionaries have been reorganised and amalgamated into a single dictionary file called ‘dictionary’ in the main distribution directory. There is still a dictionary.ascend that contains the oldfashioned non-vendor-specific Ascend attributes that may be required by some installations. All the dictionaries that were previously shipped in the main distribution are now redundant and have been moved to the goodies directory for reference only.
- Fixed typo in SessSQL.pm.
- Pavel A Crasotin (pavel at ctk.ru) provided a new version of his goodies/AuthPLSQL.pm patched to support ‘request’ type.
- Fixed a problem in example goodies/kerberos.txt caused by change in args to decode_password in version 3.4. Reported by Chris Myers (c.myers at its.uq.edu.au)
- RPM adjusted so shutdown scripts are not present for run levels 3, 4, 5, 6. Suggested by Gustav Foseid (gustavf-radiator at initio.no). Thanks Gustav.
- goodies/radimportacct now exits with non-zero status if any inserts failed. Suggested by “Eli Tovbeyn” (eli at xpert.com).
- Example goodies/jet.cfg updated to use the new external progrem recommended by Obsidian.
- Now log DEBUG message at startup when dictionary file(s) and configuration files are read, showing the name of the files.
- Added SimpleClient.pm, a module that makes writing a simple Radius client simple.
- Revision 3.4 (2002-11-29 Significant new features and some fixes)
-
- Added support for PEAP and EAP-MSCHAPV2 (as used in Windows XP SP1).
- Significant enhancements to EAP support, including: TTLS session resumption, improved performance, reduced duplicated code, correct use of EAP identities during authentication, more config examples, configurable User-Name during EAP decode-proxying etc.
- Added support for AutoMPPEKeys for EAP-TLS. Tested with Windows XP etc. Moved some common TLS and TTLS code to a new module Radius/TLS.pm. Requires Digest-HMAC and Digest-SHA1 from CPAN. Now full Dynamic WEP key protection is available for both TLS and TTLS in Radiator.
- Testing and some minor fixes for Meetinghoue Data Corp’s Aegis wireless client, including MD5, TLS, and TTLS (PAP, CHAP, MSCHAPV1 and MSCHAV2)
- EAPType can now be a comma separated list of permitted EAP types, with the default (most preferred) named first.
- Changes to EAP_21.pm for improved interoperation with Meetinghouse Aegis TTLS clients.
- Added support for Certificate Revocation List (CRL) checking to EAP-TLS. Caution: requires Net_SSLeay-1.20 _plus_ patches, and also openssl 0.9.8 or later.
- Radiusd now support multiple authentication and accounting ports with AuthPort port,port,port… and AcctPort port,port,port…
- AuthBy FILE now supports quoted user names with embedded white space, eg “fred bloggs”
- AuthBy ADSI now supports SearchAttribute, permitting searches for users as well as direct binding. Also added GroupRequired to make group membership checking quicker and easier. Also improved performance of CheckGroup, and obsoleted need for CheckGroupServer (CheckGroup now checks the group list returned from the user bind). Much of this code contributed by Mark Motley (mark at motleynet.com). Thanks Mark.
- SessionDatabase SQL now suports a new parameter ReplaceQuery. If it is defined it will be used to add a new record to the session database. If it is not defined then DeleteQuery/AddQuery will be used as before. This can improve performance in SQL databases that support the ‘insert or replace’ type of query, such as MySQL.
- Special character %W (the realm of the original user name) was not translated correctly.
- The global Trace parameter did not appear in Radarparamtere inspection. Now appears and can be modified from within Radar.
- Fixed a problem with setting new effective group ID with Group. On some platforms and with some configurations, it would incorrectly report that setting the egid had failed when in fact it had not. Also fixed a problem where setting the egid would fail on some platforms if User was also used to set the euid.
- Added dictionary.hiper, a dictionary for 3Com Hiper Access Router Card, in MERIT RADIUS format. This ia added verbatim, and is not compatible with Radiator format.
- Added Lucent-Vendor-Specific VSA to dictionary
- When an SNMP sim-use check is run, the community is now quoted with double quotes, not single quotes. Single quotes dont work properly with Windows shells.
- radwho.pl moved to goodies and out of the standard executables.
- Fixed a problem with AuthBy INTERNAL, where during Accounting Processing, the AcctAlive and the AcctStop commands never run, while the command AcctStart is executed with Acct-Status-Type=Alive|Start. Reported and fixed by Giuseppe Denora (g.denora at elitel.it). Thanks Giuseppe.
- AuthBy RADMIN now uses the new ValidFrom and ValidTo check items rather than checking them internally. This will permit NoDefaultIfFound to work correctly with RADMIN. Reported by “Thomas Hartley/NCO/CEtv” (thartley at austar.com.au).
- Added RFCs 2869 and 2882 to the distribution.
- Added to goodies/hooks.txt an example hook to add User-Name attributes to accounting requests that may not contain them.
- Tagged-string attributes were not unpacked correctly if there was no tag present. Reported by Tony Landells (ahl at austclear.com.au).
- DEFAULT users with a Suffix check item did not always work correctly. Reported by Tony Landells (ahl at austclear.com.au).
- Fixed a problem with FramedGroup with large port numbers, where the third octet of the computed address could have silly values. Reported by “Miro Majcen” (miro.majcen at smart-com.si).
- Fixed a problem where a FramedGroupMaxPortsPerClassC of 0 could cause a crash. Reported by “Miro Majcen” (miro.majcen at smart-com.si).
- Added example configuration file for Telstra (Australia) Dial Connect Virtual ISP.
- Testing with Perl 5.8.0. OK.
- AuthLogSQL always reconnected to the database even when there was nothing to do. Reported by Dan Melomedman (dan at devonit.com).
- AuthBy RADMIN did not correctly handle some integer valued check items.
- Improvements to SessionDatabase SQL, so that the NAS ID, NAS port and SQL quoted Acct-Session-Id are available in the AddQuery.
- AuthBy POP3 now permits special characters in the Host field, so that you can handle multiple domains automatically with ‘Host pop3.%W’
- Log SQL and Log EMERALD did not correctly recover from an SQL database outage. No further logging would occur, even after the database came back.
- In Log SQL, the Table parameter now takes special characters.
- AuthBy ADSI did not correctly handle some AuthAttrDef attributes. For example if there was more than one otherHomePhone, an incorrect check would be made. Reported by Billy Li (billyl at unitechnetworks.com). More below about this.
- Added an example xinetd configuration file for Linux and others to the goodies.
- Added example configuration file for Jet ISP billing in goodies/jet.cfg. Jet is a user management and billing system, specifically designed and created for ISPs. Written in python and Zope, it is highly flexible, and has a modular construction allowing for additional modules to support a customers specific needs. It comes with full source code, and Obsidian’s development team is available to produce extensions as required.
- Added StatisticsOnly flag to Monitor.
- Added GroupRequired to AuthBy NT on Windows, which ensures the user is a member of the named group. Contributed by “Motley, Mark” (Mark_Motley at earthtech.com). Thanks Mark.
- Most check items now permit alternation with multiple permitted values separated by vertical bar (‘|’). Also, in AuthBy ADSI, AuthBy LDAP*, if an AuthAttrDef of type ‘check’ is multi-valued, it will be automatically converted into alternates, so you can use multi-values to do a one-of check item match
- Added goodies/rcrypt, a simple command line utility to do Rcrypt encryption and decryption of passwords.
- Testing with Mandrake 9.0. No issues or changes required.
- Added Session_Error_Code and Session_Error_Msg to dictionary.redback
- Fixed a problem with AuthBy ACE that would cause it to hang if run in the background.
- Improvements to AuthBy SQL for formatted-date. If Date:Format is not available, logs an error and ignores the column. Suggested by Martin Edge (martinedge at kbs.net.au).
- AuthBy EXTERNAL now REJECTS if the external program exits due to a signal. Suggested by Inglesant Philip (Philip.Inglesant at netscalibur.co.uk)
- radwho.pl and radwho.cgi were opening /tmp/xxx instead of /dev/null as workaround for freetds problems. Reported by “Utku Er” (erutku at netone.net.tr).
- Improved isonline checking for Cisco. Now handles ISDN ports (ie larger than port 20000) with finger. Contributed by “Utku Er” (erutku at netone.net.tr).
- Can now specify multiple BindAddress addresses, comma separated. Suggested by Jeremy Hinton (jgh at visi.net).
- Added goodies/CiscoDialupIPPools.doc, a document describing how to do basic ip address assignment for Cisco dialup using radiator. Contributed by “Kent, Ashley” (akent at ue.com.au).
- Testing EAP with Net::SSLeay 1.21. OK.
- Fixed a problem with AuthBy POP3 where a failed POP3 connection could cause a crash. Reported by “Johannes Demel” (demel at zid.tuwien.ac.at). Also testing with POP3Client 2.12. OK.
- Fixed a problem where HUP signal on FreeBSD could cause crashes with “Could not bind authentication socket: Address already in use at radiusd line …”. Reported by “Giuseppe Denora” (g.denora at elitel.it).
- Testing with Apple AirPort base station. OK for MAC authentication. 802.1x EAP authentication is not supported by AirPort. Added entry to FAQ describing how to set up.
- Handler now detects accounting Acct-Status-Type of Interim-Update in the same way as type Alive, for compatibility with some non-standard dictionaries.
- Fixed a problem with AuthByPolicy ContinueWhileIgnore and Auth-Type=Ignore not working as expected. Reported by Petr Zimak (Petr.Zimak at unibas.ch).
- Added new AuthBy IMAP module, to authenticate from an IMAP server. Contributed by Petr Zimak (Petr.Zimak at unibas.ch). Also example config file goodies/imap.cfg.
- Added new module AuthBy HTGROUP and example goodies/htgroup.cfg, which can be used to confirm group membership according to an Apache htgroup file. Contributed by Rodger Allen (rodger at infrasecure.com).
- Fixed a problem with unreliable packing of integer8 Radius attributes.
- In AuthBy PLATYPUS, can now use BasicSelect parameter to alter the basic user select clause. AuthSelect is still used to optionally augment BaseSelect.
- Added goodies/AlterNASPort.pl, an example hook to convert Cisco-NAS-Port to NAS-port so you can use the standard session database and NasType Cisco. Contributed by Paul Pilsbury (ppilsbur at connect.com.au).
- In AuthBy INTERNAL, any error in compiling a hook will result in an IGNORE if the hook is used. Previously, it would ACCEPT. Suggested by “Giuseppe Denora” (g.denora at elitel.it).
- Improvements to SNMP simultaneous use operations, so that if a NAS fails to respond Radiator will not try to contact it again for SnmpNASErrorTimeout seconds. Contributed by Greg B Zemskov (tingor at kraft-s.ru).
- AuthBy RADMIN now ignores bad logins if the bad logins column is set to NULL, or if the MaxBadLogins paramter is set to 0.. Suggested by Nicolai van der Smagt (nicolai.vandersmagt at BBNED.NL)
- Fixed a problem where an SHA password would cause a crash unless Digest::SHA1 is installed. Reported by Camilo Echeverry (caecheverryj at telesat.com.co).
- Testing with Windows 2000 802.1x hotfix. OK.
- Improved workaround for UTF8 problems in perl 5.8. All sockets are now binmode to raw mode, preventing wide character interpretations.
- Performance improvements in Nas.pm for NAS-specific module loading.
- AuthEMERALD.pm and AuthEMERALinD4.pm needed use Radius::Client to prevent errors when using AuthBy EMERALD with any Client clauses in the config file. Reported by Carlos Molina (cmolina at net-uno.net).
- ReplyHook is now passed a ref to the Radius::Host structure for the downstream radius server.
- Added Netscreen vendor specific attributes to dictionary. Contributed by david.loesche at yipes.com.
- Radius::decode_password is now more generalised. It can decode any argument, not just the password from the current packet.
- Revision 3.3.1 (30/8/02 Minor release to fix install problems)
-
- Makefile.PL used SITEPREFIX to determine where to install library files, but this is not available on all platforms. removed
- Added Unisphere-Pppoe-Description to dictionary. Contributed by “Brian Morris” (brian at netspeed.com.au) and Chris Patterson at TransACT.
- Fixed a typo in EAP_13.pm which meant that sometime EAP-TLS would fail if multiple simultaneous authentications were in progress.
- SessionDatabase SQL did not allow you to configure ClearNasSessionQuery. Reported by Frederic Olivie (alf at club-internet.fr)
- AcceptIfMissing did not operate correctly if the user existed by a check item was incorrect. Reported by “Simon Dixon” (sdixon at highway1.com.au).
- Added new DisconnectAfterQuery to SQlDb.pm that causes all SQL modules to disconnect after a do or a getOneRow. Can be useful for some broken SQL servers that try to disconnect idle SQL connections, but then hang when trying to reconnect.
- Revision 3.3 (27/8/02 Important Security Update and some minor new features)
-
- Important Security Update: Removed support for the %Eval special character syntax due to security issues that can effect AuthBy SQL and AuthBy LDAP*. We recommend that all operators of Radiator 3.0, 3.1 and 3.2 upgrade to this version immediately.
- Testing EAP TTLS with Net_SSLeay-1.20. OK. No patches to Net_SSLeay are required now.
- Added handling for StripFromRequest, AddToRequest and AddToRequestIfNotExist to Client and AuthBy GROUP.
- Default install directory for Radius/*.pm library files changed to be independent of perl version and for improved RPM installation.
- Improved handling of failure to open dictionary. Patched by Frederic Olivie (alf at club-internet.fr). Thanks Frederic.
- Fixed a typo on AuthBy PLATYPUS that can cause an error like: (Missing operator before EQ?). Reported by Justin White-Lowther (jw351898 at oak.cats.ohiou.edu).
- Added goodies/rcradiator, a Linux LSB comliant startup script, contributed by Carlos Perasso (carlosrp at idea.com.py). Thanks Carlos.
- AuthBy GROUP was incorrectly checking DefaultSimultaneousUse for accounting as well as Access-Request packets. Reported by “James M. Luedke” (james at enabledsites.com).
- Revision 3.2 (20/8/02 New features and fixes)
-
- Caution: Updated AuthGeneric.pm and MSCHAP.pm to use more modern Digest::SHA1 instead of SHA. if you are using SHA passwords or MSCHAP authentication, you must install Digest::SHA1.
- Added new AuthBy URL module, contributed by Mauro Crovato (mauro at crovato.com.ar). This module authenticates by sending the username and password (optionally encrypted) as tags to a URL by HTTP. A CGI or ASP program at the URL authenticates the password.
- Fixed some interoperability problems with EAP-TLS. Testing with Aironet AP and Client cards with OpenSSL and Xsupplicant on Linux and Windows XP.
- Beta support for EAP-TTLS as used by Funk Odyssey clients. Supports TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPV2 for both local and proxy authentication. See example configuration files goodies/eap_ttls.cfg and goodies/eap_ttls_proxy.cfg. TTLS is Tunnelled TLS, as per draft-ietf-pppext-eap-ttls-01.txt., It is supported by Funk Odyssey wireless clients through a variety of wireless access points. It provides one-way TLS authentication (the client authenticates the radius server), and authentication requests are delivered securely to the radius server via the encrypted TLS tunnel. Unlike TLS, TTLS does not _require_ a certificate on each client.
- Tested EAP MD5-Challenge with Aironet AP and Client cards and Windows XP. Added example goodies/eap_md5.cfg config file.
- Added more Spring Tide VSAs to the dictionary.Contributed by atesillo at ctgred.net.co.
- AuthBy SQL now runs AuthSQLStatement even if AuthSelect is empty.
- A debug print statement was accidentally left in AuthLog SQL
- AuthBy SQL AcctColumnDef now cannot insert the same column multiple times. If there are multiple AcctColumnDef definitions for the same column name and with non-null values, the last one will be the one inserted. This is most likely to improve the case where there are two NASIdentifier definitions, and the NAS reports both NAS-IP-Address and NAS-Identifier. A number of example config files were changed so that NASIdentifier is preferred if present.
- AuthBy SQL now supports HandleAcctStatusTypes parameter, which allows you to specify a comma separated list of AcctStatusTypes that will be processed. All other types will by acknowledged, but not inserted or processed with AcctSQLStatement. This is a more general mechanism than AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly, and these parameters are now officially deprecated and will not be supported in the future.
- An typo in Radius.pm prevented Ascend-Xmit-Rate working properly. Reported by “Romain Vergniol” (romain.vergniol at cegedim.fr).
- In the event of no reply from any hosts, AuthBy SQLRADIUS now runs the NoReplyHook before any FailurePolicy automatic reply. Previously it was run after the automatic reply.
- Added Roaring Penguin VSA’s to dictionary. Contributed by “Scott Helms” (khelms at zcorum.com). Thanks Scott.
- Added to Monitor support for Clients parameter, a comma or space separated list of IP addresses that Monitor will accept connections from. Default is to accept from any address.
- Added a number of new Altiga VSAs to dictionary, contributed by “neil d. quiogue” (neil at quiogue.com)
- Added /usr/local/etc/radiator to the dictionary search path for radpwtst. Suggested by “Martin Edge” (medge at affinityinternet.com.au)
- Added UseTLS parameter for forcing TLS encryption in AuthBy LDAP2. Contributed by Carl Litt (carl at execulink.com). Thanks Carl.
- Added a new flags to AuthBy NT on Windows. IgnoreAccountExpiry causes AuthBy NT to ignore the NT account expiry flag when users attempt to log in. IgnorePasswordExpiry causes it to ignore the password expired flag. IgnorePasswordChange causes it to ignore the password change required flag.
- radpwtst -gui was not correctly showing packet dumps in the ‘Detailed’ trace level.
- Fixed a problem where an incorrect data length in an incoming radius packet could result in reports of a ‘Malformed request packet:’. Reported by “Thilo Wunderlich” (tw at 7eins.net)
- New parameter AuthCheckDN in AuthLDAP2 alows you to specify an alternative DN to use to check a user’s password, instead of the one returned by the search result. Patch supplied by Jeremy Hinton (jgh at visi.net). Thanks Jeremy.
- Fixed a problem where HUP or reinitialise with a broken SNMPAgent clause could cause a crash.
- Fixed goodies/hooks.txt. Example use of replyTo() fixed to be in line with new API.
- Improvements to AuthBy RADIUS (and by inheritance AuthBy SQLRADIUS so that Host addresses that arent resolved are reported but dont crash Radiator. Reported by “Sebastian Filzek” (sebastian at filzek.org).
- Attempts to use Session-Timeout in the form nnnn would cause a crash. Reported by “Radius Impsat” (radius at impsat.net.ec).
- The MS-CHAP2-Success reply in response to an MSCHAP V2 authentication was incorrectly formatted.
- Crypt encoded password can now be flagged with {crypt}… or {CRYPT}… Its now case insensitive. Similarly for {rcrypt}, {MD5} and {SHA}. Suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de) for compatibility with slappasswd. Thanks Karl.
- The internal session database is now tolerant of Session-IDs with embedded colons, as used by Nortel CVX 1800 etc.
- Fixed a problem with AuthBy LDAP2 and UseTLS. Could crash after multiple authentications. Reported by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de).
- AuthBy RADMIN did not correctly increment bad logins count if encrypted passwords were in use. Reported by glenn_pierce at EnterpriseServices.com.au. Thanks Glenn.
- When used with MSCHAP V2, the AutoMPPEKeys flag in any AuthBy now automatically generates MS-MPPE-Send-Key and MS-MPPE-Recv-Key as per RFC 3079. When used with MSCHAP V1 it still sends MS-CHAP-MPPE-Keys. Reported by Stephan (sschoenberger at monzoon.net). Fixes interoperability issues with some PPoE clients.
- Some tagged string attribtues such as Tunnel-Client-Endpoint did not get encoded correctly if no tag was not explicitly specified. Reported by Bob Shafer (bshafer at du.edu).
- AuthBy SQLRADIUS did not correctly handle RewriteUsername in host definitions. Reported by “James Wiegand” (jwiegand at fiberlink.com).
- Added USR-Terminal-Type to dictionary. Required by Roaring Penguin. Contributed by Andy Linton (asjl at lionra.net.nz).
- AuthBy TACACSPLUS now supports an AuthType parameter, which allows you to force the Tacacs+ protocol to use PAP or ASCII authentication. Contributed by Jean-Claude Christophe (jch at oleane.net). Thanks Jean-Claude.
- AuthBy RADIUS incorrectly added AddToReply etc to all replies, not just Access-Accept.
- Fixed some problems with radacct.cgi reported by Andy Linton (asjl at lionra.net.nz)
- AcceptIfMissing did not append AddToReply parameters. Reported by Jeje (jeje at jeje.org).
- radacct.cgi, radconfig.cgi and radwho.cgi which were previously in the top level of the distribution were moved to the goodies directory so that they would be included in RPM distributions.
- Fixed a problem in AuthGeneric where conbination of AcceptIfMissing and Auth-Type=Reject behaved incorrectly. Reported by Jaafar Bin Sarim (jrsm at staff.singnet.com.sg).
- Added some Nomadix VSAs to dictionary. Contributed by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de).
- If radiusd was started through ssh it crashed with an error ‘Bad arg length for Socket::unpack_sockaddr_in’. Reported by Kenya Noshiro (noshiro at net.sony.co.jp).
- Achint Saxena (ASaxena at Walkerwireless.com) reported that Util.pm needs Time::Local when running on Win32. Added.
- EAP MD5-Challenge can now use Password as well as User-Password in user databases.
- Added special character %I that gives the nas identifier as an integer instead of dotted decimal character string. Contributed by Jerome Fleury (jeje at jeje.org). Thanks Jerome.
- AuthBy PAM now honours Fork. Useful for PAM modules that leak memory. Use with caution: performance impact.
- Added new parameter AcctInsertQuery to AuthBy SQL, allowing the accounting insert query to be customised.
- Server now detaches from the controlling terminal in daemon mode. Contributed by Jerome Fleury (jerome.fleury at fr.tiscali.com). Thanks.
- Improvment to example linux init file in goodies/linux-radiator.init. Now prints an error message if the config file is not found. Contributed by Marc Liyanage (mliyanage at futurelab.ch). Thanks Marc
- All executable progrmas, including those in goodies now use /usr/bin/perl instead of /usr/local/bin/perl. Suggested by Marc Liyanage (mliyanage at futurelab.ch).
- Testing on SCO OpenServer 5.0.4. OK. Added hints to faq.html.
- radiusd now ensures the path to PidFile exists, and creates it if necessary.
- Improvements to RPM for compatibility with Cobalt and others. Suggested by Daniel Senie (dts at senie.com).
- New special characters %w replaced by the user name part of the full original user name (before any RewriteUsername rules were applied). %W replaced by the realm part of the full original user name (before any RewriteUsername rules were applied).
- Fixed a problem in AuthBy LDAP2 that could cause a crash with the message: Can’t use an undefined value as a symbol reference at /usr/lib/perl5/site_perl/5.8.0/Radius/AuthLDAP2.pm line 232, <DATA> line 450.. Reported by Paul Swainbank.
- Added documentation for AuthBy RSAMOBILE to the reference manual.
- Added documentation for common EAP and EAP-TLS configuraiton parameters to the refereence manual.
- Revision 3.1 (23/5/02 New features and fixes)
-
- Added and documented UseSSL for AuthBy LDAP2.
- Monitor clause did not permit multiple instances on different Ports.
- Fixed a problem with DefaultSimultaneousUse that did not correctly detect users affected by RewriteUsername. Reported by “Scott Rothgaber” (scott at easley.net). Thanks Scott.
- Added all Radiator pseudo-attributes to the dictionary for reference, and also to facilitate use by packages like RAdmin.
- Changes to AddressAllocatorDHCP.pm and DHCP.pm to support the User Class Option (option 77) in the ISC DHCP server (www.isc.org). Additional changes to comply with RFC3011 (Subnet Selection Option) and to simplify and streamline the code.
- radwho.pl did not separate lines with a newline when showing SQL. Reported by “Stephen Malenshek” (stephen at valuelinx.net).
- In Nas/AscendSNMP.pm, there is alternative code for MAX6000 (TAOS 8.0.1+), suggested by Pavel A Crasotin (pavel at ctk.ru)
- Added support for HTTP Digest Authentication per RFC2617. QOP’s of auth and unspecified are supported. Algorithm of MD5 and unspecified are supported. QOP of auth-int and algorithm of md5-sess are not supported. Also provided patch file goodies/Apache-AuthenRadius-0.3-digest.patch which adds Digest authentication to Apache-AuthenRadius, plus goodies/RadiusPerl-0.05-0.06.patch for RadiusPerl-0.05 to fix long password problems.
- New flag for buildsql, -f Force DB update for non defined fields. Contributed by Jorge Morgado (jorge.morgado at kpnqwest.com). Thanks Jorge.
- ClientListSQL now lists its clients in the ServerConfig Client list, so they can be seen by Radar. Reported by “Romain Vergniol” (romain.vergniol at cegedim.fr).
- ClientListSQL now permits a trailing column that contains a list of comma separated flag parameter names. Contributed by “Tony B” (tonyb at go-concepts.com). Thanks Tony.
- At 3.0 ClientListSQL (correctly) complains if there is no password for a Client. The error message now says which Client has the problem.
- AuthGeneric now emits an error If MD4 is not present but is required for an MSCHAP request. Suggested by niceman at att.net.
- RewriteFunction was broken, resulting in messages like:
ERR: Error in RewriteFunction(mikem): Can't use string ("sub {print "hello world\n"}") as a subroutine ref while "strict refs" in use at (eval 23) line 1
Reported by “Andy De Petter” (adepette at krameria.net). Thanks Andy.
- AuthBy NT and AuthBy TEST had typos that prevented keywords being recognised.
- Fixed further problems with special character handling. Could get incorrect behaviour if the resulting transformation resulted in %0, %1 etc. Now single char and positional args are all converted in one operation. Reported by “Tristan Woerth” (tristan.woerth at securalis.com). Thanks Tristan.
- Fixed problems with sending SNMP requests for NasType iff the community contained whitespace or shell special characters. Reported by “Rolando Riley” (rriley at ayayai.com). Thanks Rolando.
- LogFile, AcctLogFileName and PasswordLogFileName now support pipes. If the first character if the filename is |, then the output is sent to the pipe, else it is appended to the named file. Suggested by “Sergey Y. Afonin” (asy at kraft-s.ru). Thanks Sergey.
- Fixed an infinite recursion problem with Trace 4 in Log SQL and Log EMERALD.
- Fixed a problem with log dates in Log EMERALD.
- Log EMERALD now has configurable LogQuery, defaults to: insert into RadLogs (RadLogMsgID, LogDate, Username, Data) values (%4, \’%5\’, %6, %2)
- Added example config file for working with Advanced ISP Billing.
- Added AuthBy EMERALD4 to work with IEA Emerald 4 or later. Also an example config file in goodies/emerald4.cfg.
- Exec-Program now logs the command and the result at DEBUG level. Suggested by “Dave Kitabjian” (dave at netcarrier.com).
- AuthBy NT now does not crash if attempting to do group checking on Unix. Found and patched by “neil d. quiogue” (quioguen at cpcnet-hk.com). Thanks Neil.
- Testing with Vasco VACMAN Radius middleware software. Vacman is a very interesting and easy way to add token-based authentication to an existing Radius infrastructure.
- The value for integer Radius attributes can now be specified as hex, with a leading 0x.
- handlerFork and safeFork now take an optional subroutine ref that will be called when the child is reaped. The PID of the reaped child will be passed to the function. This is only of interest to code customisers.
- SqlDb::quote now automatically reconnects to the database if necessary.
- AddressAlocatorSQL default AllocateQuery was changes, since %2 (the username) is now automatically quoted. This fixes a problem with SQL syntax errors in the event of a disconnect/reconnect. Reported by Eric Lackey (eric at isdn.net). Thanks Eric.
- Fixed a problem with AuthLogSQL, where SQL errors could cause recursive calls to the log function. This involved changing the name of the log function in all the AuthLog modules from ‘log’ to ‘authlog’. Reported by “Dan Melomedman” (dmelomed at devonitnet.com). Thanks Dan.
- Added TRACE_USERNAME command to Monitor clause to support user-specific tracing in Radar.
- Added TraceOnly flag to Monitor clause. If you set TraceOnly, connections through this Monitor are prevented from getting statistics, ort getting or setting configuration data, or restarting the server.
- AddressAllocatorDHCP incorrectly always defaulted SubnetSelectionOption to SUBNET_SELECTION. This should only happen if SubnetSelectionOption is specified as an empty string.
- Added IgnoreAccountDisable and IgnoreAccountLockout flags to AuthBy NT. On Windows, these parameters stop AuthBy NT from taking notice of the NT account flags.
- Added NAS-Port-Type xDSL to dictionary. Provided by Thomas.Krumm at tesion.de. Thanks Thomas.
- Added CVX-Terminate-Cause, CVX-Reject-Reason and Level 3 VSAs to the dictionary. Contributed by briand at Level3.net. Thanks Brian.
- Added beta support for EAP TLS. Requires Net::SSLeay 1.15 plus patches or later. Requires openssl 0.9.8 or later. See example in goodies/eap_tls.cfg. Tested with xsupplicant and Aironet wireless card on Linux.
- Added sample utility for importing accounting data from a detail file into and SQL database. See goodies/radimportacct
- Added sample command line utility for adding users to an SQL database. See goodies/raduseradd
- Revision 3.0 (25/3/02) Significant architectural changes, new features, Radar 1.0 compatibility
-
- Significant architectural changes to support remote monitoring, introspection, remote debugging, remote tracing, local and remote stats gathering, improve performance, simplify some code, remove duplicated code etc.
- Any clause mxgay now have any number of private <Log xxx> clauses, which will be used to log errors and messages originating from within that clause before being logged by any global loggers. Can also use ‘Log identifier’ to refer to an already existing <Log xxxx> clause from within any other clause.
- Improved and expanded statistics gathering mechanisms. Many more statistics are collected, including average response time for the server as a whole and for each Client, Realm, Handler, AuthBy and Host.
- Added new statistics logging clauses that will log various server and ‘per-clause’ statistics with StatsLog FILE and StatsLog SQL. Example configuration in goodies/statslog.cfg. Example tables for StatsLog SQL in goodies/*.sql.
- New Monitor class permits an (authenticated) TCP connection to the server allowing telnet and specialised clients to inspect, alter, and collect statistics and tracing etc.
- Improved support for tagged tunnel attributes. Can now have things like: Tunnel-Type=1:L2F and Tunnel-Password=2:1234. Tagged attribues that dont use the n:value syntax default to a tag of 0.
- New module AuthBy POP3 allows authentication from a POP3 server, includes APOP support. PAP only.
- On Unix, you can now control the effective user ID and group ID that the server runs as with the new User and Group parameters.
- New type of special formatting character %{Eval:expression} is replaced by the value of the perl expression.
- Merges latest Livingston attributes into dictionary, and converted latest Ascend dictionary to dictionary.ascend2
- New type for AcctColumnDef in AuthBy SQL. inet_aton formats a dotted quad IP address as an unsigned 32 bit integer. Contributed by Benoit Grange (b.grange at libertysurf.fr) and Jerome Fleury (jerome.fleury at freesbee.net). Thanks.
- Client, Realm, Handler, and AuthBy clauses now all support a PacketTrace parameter that can turn up the trace level for packets passing ‘through’ that clause.
- Added discussion of how to use “daemontools” (http://cr.yp.to/daemontools.html) with Radiator to goodies/highavail.txt. Contributed by “Mariano Absatz” (radiator at lists.com.ar).
- Additional features in AuthSQLRADUS.pm, permits customisation of the columns returned from HostSelect, including per-host RewriteUsername. Contributed by Steve Roderick (steve at uspops.com). Thanks Steve.
- In AuthLog SQL SuccessQuery and FailureQuery did not quote the reason string. %1 is now quoted and escaped. Caution: Existing users of AuthLogSQL will need to remove any quotes from around %1.
- Added KarlNet VSA’a to dictionary.
- Parameter values in configuration file now permit escaped octal characters.
- Testing with DBD::CSV. OK with octal character patch described above. Added goodies/dbd-csv.txt discussion of how to configure Radiator to use a DBD::CSV database.
- Added documentation for Handler HandleAscendAccessEventRequest.
- Fixed a problem with handlerResult not handling HandleAscendAccessEventRequest correctly.
- Select::remove_file now takes extra args to indicate whether its read, write or exception callbacks to remove.
- Performance improvements in Select::select.
- Sample profiling code in ddprof.pm, contributed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir. In SessSQL sub delete, $session_id and $framed_ip_address were not passed to format_special. Found and fixed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
- radiusd in daemon mode now no longer attempts to detach from the controlling terminal: not portably supported on most platforms.
- New global parameter ForkClosesFDs makes radiusd close file descriptors 3 to 20 inclusive in the child after a Fork. This fixes a problem with some versions of Oracle where the connection to the database would be lost after a Fork with the message ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute).
- Error message for ‘Unknown keyword ….’ was incorrect. Found and fixed by Stephen Frede (Stephen.Frede at optus.com.au). Thanks Stephen.
- Fixed CPU hog problem when proxying with AuthBy RADIUS, with Synchronous and there was a network error. Found and fixed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
- In AddressAllocator SQL, a new Step parameter for AddressPool allows the step size between consecutive addresses to be controlled, permitting the allocation of subnets as well as host addresses. Suggested by (jesus.diaz at ono-sp.com).
- Added long discussion about how Cisco VOIP and accounting works with examples, contributed by Simon Hackett (simon at internode.com.au) to goodies/voip.txt
- Calling convention for the constructor for a number of classes changed to come into line with all other constructors. Affects Log::addModule, ClientListSQL, Client, Handler, LogGeneric, Realm etc. AuthBy* is unaffected.
- Removed many redundant ‘new’ constructors.
- Rationalised many ‘sub object’ config handlers. Uniform argument standards, streamlined code etc.
- Simplified and streamlined package initialisation in all packages for load-time performance improvement.
- All loggers can now receive logs of packet dumps, independent of the the global logging level.
- As previously indicated, UseHint as an alias for UseAddressHint and Dynamic as an alias for DynamicReply in AuthGeneric are now now longer supported.
- Most classes now have all their configurable keywords defined in a ConfigKeywords hash. You can stil override sub keyword if you need specialised keyword handling. Simplifies and speeds up object initialisation. Legacy classes that still use the sub keyword interface are unaffected.
- Fixed a problem with the NoBindBeforeOp parameter. Test was round the wrong way. Found by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- In AuthBy ADSI, GroupBindString and GroupUserBindString did not have access to special characters from the current packet.
- AcceptIfMissing is now a generic AuthBy parameter, available in most AuthBy clauses.
- Added documentation for IgnoreErrors in AuthBy PORTLIMITCHECK.
- In AuthBy DYNADDRESS, the parameter Allocator has been renamed AddressAllocator for consistency. Allocator is still supported, but support will be removed in the future.
- When searching for a Handler to use, Realms are not now re-considered. Realms are only considered one. Previously they were re-considered when the Handlers were considered. This meakes it easier and faster to mix Realms and Handlers. No changes should be required to configuration files.
- Rationalised away many sub object and sub keyword functions, removing much duplicated and similar code.
- Configurable now automatically tries to load an object for any subclause found in a clause: you can now invent and create your own clause types and packages without changing a single line of standard code.
- The current reply packet is now always available as $p->{rp}.
- All internal APIs changed so that $rp is not passed as an argument. External APIs such as handle_request are unchanged.
- format_special now does not need $rp passed to it: its deduced from $p->{rp}.
- Significant performance improvements in format_special for special character formatting.
- CAUTION: APIs for Handler::handlerResult and Client::replyTo changed.
- DefineGlobalVar and DefineFormattedGlobalVar can now have embedded spaces. Contributed by r.c.w.besseling at kpn.com. Thanks Ruud.
- Fixed a problem when proxying requests that already contain an Acct-Delay-Time: the delay time in the proxied request now takes into account the delay time in the originally received request. Found and fixed by Nuno Nunes (nfn at isp.novis.pt). Thanks Nuno.
- Fixed a problem with 0 source mask and dest mask in Ascend binary filters. Found and fixed by Inglesant Philip (Philip.Inglesant at netscalibur.co.uk). Thanks Philip.
- Workaround for broken Breezecom VSA’s, where the VSA length is incorrectly set by Breezecom to 2, irrespective of the actual length. Also added some generic names for Breezecom VSAs to dictionary.
- AuthBy RADMIN now has configurable queries IncrementBadloginsQuery and ClearBadloginsQuery.
- Fixed some problems with secure mode in radacct.cgi, reported by various people.
- If SocketQueueLength was set, the socket length was set for both auth and accounting sockets, even if only one was created. Reported by hill at world.evansville.net. Thanks Jamie.
- Added Colubris-AVPAIR VSA to dictionary. Sent by “Tito Macapinlac” (titom at aebc.com). Thanks Tito.
- radpwtst now takes an optional trace level to the -trace flag. If you just use -trace, you get effectively trace level 4. -trace 5 gets hex packet dumps of incoming and outgoing packets.
- Can now have DefaultReply, FramedGroup, StripFromReply, AllowInReply, AddToReply, AddToReplyIfNotExist and DynamicReply parameters for Client, Realm and Handler, as well as AuthBy. Also optionally supported by ClientListSQL.
- AuthLog FILE now creates the path to the log file if necessary.
- RPM package now includes all dictionaries in the doc area.
- Improved error reporting in SNMP module.
- NAS support has been separated out into a module per NAS-type, in Radius/Nas/*.pm. This makes it easier to add suport for new NAS types and to submit new NAS type modules for distribution.
- get_port moved from Radius to Util for consistency.
- AuthBy GROUP now honours DefaultSimultaneousUse.
- AuthBy LDAP2 now supports Version and Deref parameters. Suggested by Eli Tovbeyn (eli at xpert.com). Thanks Eli.
- Changes to Radiator.spec so that RPM files will be compatible with SuSE Linux and similar. Suggested by Alfredo Sola (alfredo at intelideas.com) Thanks Alfredo.
- Changed the order of replacement of special characters in format_special. Previously, %0, %1 etc were replaced first, but this would cause problems of any of the replaced values had % special chars in them. %0, %1 etc are now done after the spoecial chars, but before GlobalVar etc. Reported by David Miller (dmiller at newportnet.com). Thanks David.
- Fixed a bug in AuthBy RODOPI that prevented AcctSQLStatement being changed.
- AuthBy RADMIN now permits a validfrom time of 0 to mean the beginning of time, and a validto time of 0 to mean the end of time.
- In AuthBy DYNADDRESS, if the PoolHint resolves to an empty string, no address will be allocated. This way you can let the NAS allocate addresses for some users.
- AuthBy RODOPI now quotes usernames, protecting it from problems where a username is the same as an SQL keyword. Reported by “Hector Lopez” (hlopez at caribe.net)
- In AuthBy NISPLUS, the Query now has the username being authenticated available as %0. %n will be phased out in a future revision.
- Revision 2.19 (27/10/01) RSA SecurID certification, SQL->Radius proxying
-
- Received RSA SecurID Certification, based on 2.19alpha.
- New AuthBy SQLRADIUS provides proxying based on an SQL table. Looks up the target radius server from an SQL table that can depend on Realm, Called-Station-Id etc. Complictated indirect target mapping is also suported. Useful for managing large number of remotes servers, such as in a wholesale ISP. Example tables in goodies/*.sql, plus example config file in goodies/sqlradius.cfg. Obsoletes goodies/AuthSQLRadius.pm.
- New AuthBy INTERNAL allows you to handle different types of requests in fixed, parameterised ways.
- Ships with a beta version of command line utility radwho.pl
- New version of PPM package for Authen-ACE4 works on NT and Win 2000 with AceAgent 4.4.
- Detailed install and test instructions for AuthBy ACE in goodies/ace.txt
- Added MainLoopHook which is called once per second during the main dispatch loop.
- New NASType of Portmaster3 uses SNMP. Contributed by “Griff Hamlin, III” (griff3 at quik.com). Thanks Griff.
- Fixed a problem with timers persisting through a HUP or reset. Identified by “Mariano Absatz” (radiator at lists.com.ar).
- Improvements to Linux startup script so it can be used with chkconfig on RH7.1. Contributed by Levent Sarikaya (levents at de.colt.net).
- Added -interactive flag to radpwtst, allowing easy testing with authentication methods like AuthBy ACE that use multiple Access-Challenge and State attribtues to manage an authentication conversation.
- Test Oracle radius authentication: Oracle 8 can authenticate Oracle users through Radius. Note: Oracle always upper-cases user names. See the Radiator FAQ for more details.
- goodies/sybaseCreate.sql did not drop RADLOG.
- In SessionDatabase SQL, empty DeleteQuery is now handled properly.
- Fixed a problem with AuthBy EMERALD, where user and service radius attributes were not properly extracted from the database.
- Fixed a problem with EAP that prevented correct operation with Windows XP. Found and fixed by Travis Hume (travis.hume at tenzing.com). Thanks Travis.
- Added ShutdownHook which is run just before exiting after a SIGTERM. Suggested by Robert Thomson (sirrmt at dingoblue.net.au).
- Testing with BillMax 1.5.4 on RedHat 7.1. Added example goodies/billmax.cfg and goodies/billmax.txt.
- Fixed problems with EAP code that caused requests with Message-Signature and no EAP-Message to not be handled properly.
- In Handler.pm, removed an unnecessary call to time, use $p->{RecvTime} instead.
- In AuthBy EMERALD, all SQL queries are now configurable.
- Reply item MS-CHAP-MPPE-Keys previously was assumed to contain an encoded and encypted session key. Now, if the legth is not exactly 24 octets, Radiator will generate, encode and encrypt 2 session keys based on the given value. Tested with the patient assistance of “Andre D. Henry” (andre at go-net.com). Requires Digest::MD4.
- Added AutoMPPEKeys parameter to AuthBy, so that if you are doing MS-CHAP authentication with plaintext passwords, and your NAS requires MS-CHAP-MPPE-Keys in the reply, then setting this parameter will force Radiator to automatically reply with MS-CHAP-MPPE-Keys set from the plaintext password.
- AuthBy RADMIN now understands and honours EncryptedPassword parameter, so it can be used with Radmin Unix encryption.
- Added StripFromRequest and AddToRequest parameters to Handler and Realm.
- Added new SQL AcctColumnDef type ‘literal’ that lets you build columns literally. No quotes are applied.
- AuthBy NT now hounrs the Fork paramter, which can be useful on Windows, where checking bad passwords is deliberately slowed down by Microsoft. Contributed by Robert Thomson (sirrmt at dingoblue.net.au). Thanks Robert.
- AuthRADIUS.pm now has virtual function noreply() that is called if there is no reply from any target hosts. Default behaviour is to call the NoReplyHook if there is one.
- Added new global parameter DefineFormattedGlobalVar like DefineGlobalVar but which honours special formatting characters. DefineGlobalVar is now deprecated, and will be removed one day.
- In AuthBy SYSTEM, numeric Group check items are now permitted as well symbolic group names.
- AuthBy LDAPSDK, LDAP and LDAP2, in PostSearchHook the reply packet is now passed as $_[5].
- Added VALUE definitions for MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types values to dictionary.
- In AuthBy SQL, improved recovery after a failed AcctSQLStatement.
- Added Tunnel-Client-Auth-ID and Tunnel-Server-Auth-ID and IETF-Token-Immediate to dictionary.
- Added AddToRequestIfNotExist parameter to Handlers and Realms
- AuthBy RADIUS now also honours AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly.
- Added new pseudo reply item Exec-Program which runs an external program only if the user successfully authenticates. Similar to Exec-Program in Cistron. Suggested by “Klaas Koopman” (klaas at isd-holland.nl).
- Improved text of error message for unknown standard attributes.
- Improved duplicate detection in the case (such as Lucent TNT) where the Nas-IP-Address is not necessarily constant. Patch contributed by b.grange at libertysurf.fr.
- hostname.pl utility renamed to radhostname.pl, due to naming conflict with standard hostname.pl library file detected during make install.
- dictionary.redback had DOS CRLF characters in it. Removed.
- Improved detection of NAS reboots, and correctly add the session even if it is session ID 00000000.
- Improvements to test.pl allow selection of individual test sets with the -tests flag.
- More liberal prerequisite for Digest::MD5. Version 2.02 tested OK.
- Revision 2.18.4 (9/9/01) Fix one significant problem, new features.
-
- Fixed yet another problem with SessSQL DeleteQuery, caused username to be used instead of NAS id. This significant problem has prompted an earlier release than usual.
- All code now uses Digest::MD5 instead of MD5, and works with all versions of Digest-MD5. Caution: old installations may require Digest::MD5 to be installed.
- Added goodies/pam-kerberos.cfg showing how to auth from Kerberos via PAM on Unix.
- New Context class provides temp keyed storage with automatic timer based destruction. Useful for holding context between related requests that are not guaranteed to arrive.
- Added new ppm directory to distribution containing pre-built Windows PPM packages for hard-to-build perl modules, such as Authen-ACE4 (required by AuthBy ACE).
- Added cisco-VPNPassword and cisco-VPNGroupInfo to dictionary.
- Fixed a problem with RDict::attrByNum return a ref instead of an array if the attribtues is undefined.
- Fixed a problem in Mib.pm that casued some SNMP clients to think they got no reply from an SNMP set operation. Reported by “Mariano Absatz” (radiator at lists.com.ar).
- Added -c argument to radiusd, exits after reading and parsing the config file. Suggested by “Todd Dokey” (tdokey at inreach.com). Thanks Todd.
- Added documentation to goodies/ace.cfg about how to install Authen-ACE4 binary PPM package for Windows.
- Added Alteon VSA’s to dictionary, contributed by Colin D. Easton.
- Revision 2.18.3 (30/8/01) Significant new features, some bug fixes
-
- Added EAP support for OTP and MD5-Challenge, works with AuthBy OPIE and any authentication database with plaintext passwords (eg AuthBy FILE, AuthBy SQL, etc). Extensible mechanism in EAP.pm permits new EAP protocols to be added.
- Added support for improvements in RAdmin 1.5, including Service Profiles and arbitrary per-user and per-service RADIUS check and reply items. Caution: the default AuthSelect has changed.
- Added beta version of AuthBy ACE, permitting authentication direct to a SecureID ACE server, instead of proxying. Certification by RSA is still pending. Example goodies/ace.cfg is included. Requires Authen-ACE4 perl module from Open System Consultants.
- Default behaviour of Log SYSLOG and AuthLog SYSLOG changed to log via unix sockets by default. This works correctly with more syslog daemons. New parameter LogSock permits this to be changed.
- Added new comand line argument -rawfile to radpwtst.
- SessionDatabase SQL DeleteQuery now has the column values of the record to delete passed as %0 to %4.
- Improvements to RPM packaging suggested by Gustav Foseid (gustavf at initio.no)
- Added AuthSQLStatement, similar to AcctSQLStatement: any number of SQL statements that will run before authentication. Patch provided by (talist at vif.com). Thanks!
- Performance improvements in tunnel password and mppe key encryption and decryption.
- All port parameters (eg AuthPort, AcctPort, Port, OutPort etc) may contain special formatting characters. A typical use of special formatting characters is with GlobalVar and command line arguments.
- Fixes to AuthBy EMERALD so that if HonourDNISGroups is defined but there is no DNIS in the request, or if HonourServerPortAccess is defined, but there is no Nas-Port in the request, the constraints are not applied.
- Improvement to AuthBy LDAP2 so that illegal charcaters in a user name wont cause disconnection from the LDAP server. Identified and patched by Carlos Canau (canau at keka.KPNQwest.pt)
- Added support for group check items to AuthBy PAM, for PAM modules that support the notion of a group (such as pam_teleid).
- Loading database export files now works independently of the export file was generated on Unix or Windows.
- Logging of ‘Handling with $type’ now includes the Identifier of the AuthBy moodule.
- Added example code to goodies/asplog.txt: How to display Radiator SQL accounting logs with an ASP/VB script. Contributed by “Michael Audet” (audet at vectorcore.com) Thanks Michael!
- Fixed problem with AuthBy RODOPI that was broken by 2.18.1.
- Added support for Rcrypt reversibly encrypted passwords. Now your user database can contain passwords that are reversibly encrypted with a secret key. Radius::Rcrypt module provides encrypt and decrypt routines that can be used by any other code. Forthcoming version of RAdmin will also support Rcrypt encryption.
- Structural improvements to AuthGeneric, which allows some modules that previously implemented their own handle_request to piggy-back off AuthGeneric, saving lots of replicated code
- Added CheckGroupServer and CheckGroup to AuthBy ADSI and AuthBy NT, so that you can set a Class in the reply that depends on which NT group the user is in.
- Primary key violation in MySQL and unique constraint violation in Oracle now does not cause disconnection.
- Added example configuration file prepaid.cfg showing how to implement a simple prepaid card system with an SQL database.
- AuthLDAP* now handles multiple LDAP attributes for check, reply and request AuthAttrDef. Multiple LDAP attribtues will be added as multiple instances of the same Radius attribute. Contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net) Thanks Robert.
- In AuthBy LDAP, HoldServerConnection worked in reverse to the correct behaviour.
- Added Global and per-Handler UsernameCharset allowing you to easily specify what characters are permitted in a user name.
- In AuthBy RADIUS, Host names for remote servers can now contain special formatting characaters.
- Added Acct-Input-Gigawords and Acct-Output-Gigawords to dictionary. Reported by Bruno Tiago Rodrigues (bofh at netc.pt).
- Improvements to sample Linux startup script. Now sources /etc/sysconfig/radiator if present, so you can put config file name and arguments there for preference. Suggested by Ted kandell (tedk at encotone.com). Thanks Ted.
- Added AuthLog SYSLOG, contributed by Carlos Canau (Carlos.Canau at KPNQwest.pt). Thanks Carlos!
- Added example hook to goodies/hooks.txt to extract special Cisco format NAS-Port information.
- Added Vendor-specific attribute Command-Code for Enterasys, contributed by “Separovic, Jason” (jseparov at uecomm.com.au). Thanks Jason.
- Fixed a problem whre AuthBy UNIX or AuthBy FILE could fail to refresh a file if it could temporarily be stat’d but not read.
- Fixed a problem with Ascend binary filter attributes and UUnet: UUnet would only let 24 byte filters through, and not the newer format 26 bytes (and larger) filters.
- All file appends are now done by Util::append, which will facilitate threading or piping of logging in the future.
- Fixed a problem in ExcludeRegexFromPasswordLog
- Fixed Radius::unpack so that Vendor Specific Attributes that contain multiple sub-attributes are unpacked correctly. Patch supplied by Roland Rosenfeld (rrosenfeld at netcologne.de). Thanks Roland!
- In radpwtst, Called-Station-Id and Calling-Station-Id are not sent if -called_station_id or -calling_station_id are set to empty strings.
- Fixed cosmetics in AddressAllocatorSQL ReclaimQuery, making ‘state’ uppercase. Suggested by Carlos Canau (canau at keka.KPNQwest.pt).
- Date formats recognised by Expiration and ValidFrom now include simple integer Unix epoch dates. Documented all the valid date formats.
- Added new pseudo check item ValidFrom that can specify the start of a valid time range.
- AddressAllocatorSQL FindQuery now supports special formatting characters including those from the current packet.
- RPM files are no ‘noarch’ instead of i386.
- Improvements to AuthBy LDAP2, contributed by Valentin Tumarkin (tv at xpert.com). NoBindBeforeOp prevents binding before every search operation. Added timeout on ‘LDAP BIND’ operation in ‘sub bind’. Fixes to properly close open LDAP connections after timeouts. Slightly more verbose error messages. Works with perl-ldap-0.24. Thanks Valentin!
- Timeouts have been generalised and moved to Util::exec_timeout. LDAP, SQL and Finger now use it.
- Revision 2.18.2 (10/6/01) Minor fixes, EAP proxy support
-
- Added support for proxying of EAP packets. Requests containing EAP-Message and Message-Authenticator are correctly handled and Message-Authenticator is correctly recomputed with the Radius secret for the next hop.
- More testing with Freeside 1.3.0. OK.
- In AuthBy RADMIN, LogQuery now will not be run if it defined to the empty string. The old string interpolation has been removed, so perl variables will not now be interpolated into LogQuery.
- Fixed a problem with DHCP address allocation where multiple DNS server addresses would cause a crash.
- Configuration file flags now recognise ‘0’ and ‘no’ to turn flags off. Anything else (including empty string) turns a flag on.
- Changes to default logger configuration so that LogFile and Trace in the configuration file have immediate effect on the logger.
- Added Extreme VSA’s to dictionary.
- BaseDN in LDAP2 can now have special characters, which can be used to improve performance of LDAP searches (see the reference manual for more information about how). Contributed by Neale Banks (neale at lowendale.com.au).
- goodies/ad-ldap.cfg was accidentally left out of the distribution. Added.
- radpwtst now supports hex escapes etc in attr-value arguments, eg: radpwtst -noacct “EAP-Message=\x11\x12\x13\x14”
- Added -raw flag to radpwtst to allow the raw packet data to be passed as space separated hex: ./radpwtst -noacct -noauth -raw “01 02 03 04 05 06”
- radpwtst now searches for a dictionary, starting with ./dictionary and /usr/local/etc/raddb/dictionary
- Added rpm build spec in Radiator.spec.
- AuthBy SYSTEM with UseGetspnamf had problems with expiry dates of -1 on some systems.
- Provide RPM packages
- Fix a problem with identifiers in AuthBy RADIUS where 2 AuthBy RADIUS proxying to the same host/port could get occasional identifier collisions.
- Removed interpolation of Perl variables in SearchFilter in AuthBy LDAP*, as promised previously.
- Added support for MS CHAP V2, and the MS-CHAP2-Success reply attribute as per draft-ietf-pppext-mschap-v2-00.txt and RFC 2548.
- In AddressAllocatorSQL, can now specify address ranges in CIDR form, eg 192.1.1.0/24
- Fixed a problem with AddressAllocatorSQL where recovery of a failed SQL database could cause SQL syntax errors.
- Improvements to AuthBy PAM to allow service-specific error messages to be logged, and different password prompts to be recognised.
- Testing with Encotone TeleID and AuthBy PAM. This is a very interesting Token based authentication system. Works fine. See sample teleid.cfg and PAM service definition file in goodies.
- Added GroupList check item, which succeeds if the user is in any of the list of space separated group names.
- Added OSC attributes to dictionary for Uid, Gid etc, also added UsePamEnv to AuthBy PAM. Now you can turn PAM env variables into Radius reply attributes and therefore do remote PAM login authentication via Radius.
- Disabled perl variable interpolation in AuthLogSQL
- Revision 2.18.1 (26/4/01) Bug fixes, some new features
-
- In AuthBy PORTLIMITCHECK, the type of the SessionLimit parameter was incorrectly set to integer instead of string, preventing special formatting characters being used. Reported by Valentin Tumarkin (tv at xpert.com).
- Added AcctFailedLogFileName and AcctLogFileFormat parameters to AuthBy RADIUS and subclasses, which work in the same way as for AuthBy SQL.
- Testing with Hawk-i ISP Billing and customer management system. Required slight changes to AuthSQL.pm, because MS-SQL and ODBC can return strings of NULs for nullable nvarchar columns. Empty strings and all-NULL strings are now ignored by AuthColumnDef. Sample config file in hawki.cfg.
- Fixed typos in ServerConfig .pm and Nas.pm that broke Livingston SNMP sim-use checking.
- Added IgnoreAccountingResponse and OutPort parameters to AuthBy RADIUS. Contributed by “Arjan Waardenburg” (arjanw at gv-nmc.unisource.nl). Thanks Arjan. OutPort allows you to control the origin port number for forwarding packets, which can be helpful for implementing strict firewall rules.
- Fixed a problem with Handlers where a MaxSessions denial would still permit AuthBys to run and perhaps 2 replies to be returned. Reported by Frederic Gargula (frederic.gargula at easynet.fr).
- Added PostSearchHook to AuthBy LDAP, LDAP2 and LDAPSDK, which allows you to do things with the LDAP search results after the AuthBy has finished with them.
- Fixed a problem with logging that would cause the default file logger to stop working after a SIGHUP.
- Fixed a problem where a Synchronous AuthBy RADIUS that was chained after another AuthBy RADIUS would not actually wait for the reply.
- Added CacheReplyHook which runs when a cached reply is about to be sent back to the NAS. Useful for removing previously allocated IP addresses from the cached reply.
- Fixed a problem with Session-Timeout ‘until Time’ where you could get a negative Session-Timeout in the one minute following the end of a permitted time interval.
- Fixed some problems that prevented Log SYSLOG actually doing any logging.
- Altered AuthBy NT so that on windows it checks passwords without changing them. It now uses Win32::AuthenticateUser and also has much better performance. Built and tested with the kind assistance of Kent, Ashley (akent at ue.com.au). Thanks Ash.
- Added support for Redback 64 bit integers with new dictionary data type of integer8. Used for RB-Acct-Input-Octets-64, RB-Acct-Output-Octets-64, RB-Acct-Input-Packets-64 and RB-Acct-Output-Packets-64 in dictionary.redback. Such values are decoded in hex format only, with a leading 0x. Values can be encoded as hex (with leading 0x) or decimal.
- Added support for new AuthBy parameter AllowInReply, which lists the attributes that are permitted in the reply. Useful for applying strict limits to attributes in replies from proxy servers.
- Finished code and documentation for NasType of Hiper for Hiper Arcs, using algorithms contributed by jesus.diaz at telia-iberia.com.
- Fixed a typo in goodies/emerald.cfg
- Added new parameters to AuthBy EMERALD to optionally enable Emerald Servers, Server Port Access, DNIS Groups Roam Servers and Roam Domains. Works with Emerald 2.5 and RadiusNT 2.5 and 3. New version of goodies/emerald.cfg shows how to use them.
- All findUser functions now get the reply packet passed which means that you can use the %{Reply:xxx} macros in more places than before.
- Extensive patches to SNMPAgent contributed by Charly Gaissmaier add ROCommunity, RWCommunity and Managers parameters for more selective access control. Thanks Charly!
- Testing SNMP Agent with SNMP_Session-0.83. OK. Functions receive_request and decode_request that have been subsumed into SNMP_Session have now been removed which means SNMP Agent now requires at least SNMP_Session-0.68.
- Added AuthBy OPIE for one-time password authentication via OPIE (one time passwords in everything) from Craig Metz, www.inner.net/opie
- Fixed a problem in AuthBy ADSI where new AD users with a default logon times setup would not be able to login and get the message Outside allowed login hours.
- Removed a forgotten print statement from AddressAllocator SQL that would cause a message like “deallocate 203.10.203.193” for each deallocation.
- Fixed a typo in Log SQL that caused an SQL syntax error.
- Added the reason string as the fourth argument to PostAuthHook. Contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
- Added PostProcessingHook to Handler, contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
- Added a number of experimental attributes from RFC 2869 to dictionary.
- Implemented timeout around the search in AuthBy LDAP2 to work around broken LDAP servers that just hang in the search.
- More testing with Active Directory. Updates to AuthBy ADSI so it will work under a wider variety of conditions, allowing distinct control over how to authenticate and where to get account details from, also added more docs and examples on using with Windows 2000 AD server. Also new example goodies/ad-ldap.cfg shows how to access AD via LDAP from Unix or Windows.
- Fixed a problem where AccountingHandled had no effect if the result was a REJECT.
- Found a problem with SNMPAgent where a BindAddress had no effect. There is a bug in SNMP_Session 0.83 that prevents the fix being deployed.
- Added new check item MS-Login-Hours, which is exactly compatible with the LoginHours user attribute in Microsoft Active Directory, and can therefore be used when accessing Active Directory via LDAP.
- New special character %r for literal newlines.
- Fixed a problem with RejectEmptyPassword where a CHAP login could incorrectly trigger rejection. Reported by “Andy De Petter” (adepette at krameria.net).
- Reinstated NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS, as the old behaviour was not exactly equivalent to IgnoreAuthentication and IgnoreAccounting.
- Minor improvements to error reporting in AuthBy NT.
- Revision 2.18 (9/3/01)
-
- Added a full suite of Radius load balancing modules that allow you to distribute your Radius load over multiple servers. Round Robin, Volume balancing and Load balancing are supported, along with variable backoffs when remote servers fail to answer.
- Added DHCP address allocation via new module AddressAllocatorDHCP.pm.
- Added support for Nortel/Aptis CVX 4-byte attributes (the ones between 0x84000000 and 0x85ffffff. These are non-standard undocumented VSAs of a special format only used by Nortel. Also added new dictionary data type ‘boolean’ as some CVX attributes require only single byte values. Thanks to assistance of Lisa Goulet (Lisa.Goulet at versatel.nl) Dave Salaman (dsalaman at salaman.org) and others.
- Added LogFormat to Log FILE, allowing customised log file format. Suggested by Paul Oshea (paulo at uma.genie.syncordia.net).
- Added LogMicroseconds to Log FILE, which makes it log microseconds (requires the Perl Time::Hires module from CPAN or ActiveState).
- Fixed a problem with Time check item spanning midnight when used with Session-Timeout=”until Time”. Reported by Deepak Shrestha (deepak at mos.com.np).
- Added called and calling station IDs to radpwtst (and the GUI). Contributed by Bruno Tiago Rodrigues (RODRIGUEBT at telecel.pt). Thanks Bruno.
- Added attributes for Unisphere and Nortel (Aptis) CVX VSA to dictionary. Contributed by Ralf Weber (rw at de.colt.net).
- Added support for NasType of Cyclades. Contributed by Dave Close (dclose at quik.com). Thanks Dave.
- Modifications to AddressAllocatorSQL so that address allocation is more robust when multiple servers allocate from the same table.
- Fixes to AuthBy RADIUS so it uses the new AuthLog features to log details of proxied requests. Identified by Carlos Canau (canau at ionia at EUnet.org) and Dave Lloyd (david at freemm.org). Thanks.
- Added a number of new Livingston attributes to dictionary. Contributed by Keith Olmstead (kolmstea at centurytel.net). Thanks Keith.
- Added ServerHasBrokenAddresses parameter to AuthBy RADIUS.
- Added Nortel CVX 1800 VSAs to dictionary.
- Added the retransmission address to the “No reply after…” message in AuthBy RADIUS. Contributed by Kaj J. Niemi (kajtzu at kpnqwest.fi). Thanks Kaj.
- Fixed a typo in AuthBy LDAPSDK that caused a crash. Reported by “Russell Wilton” (wilton at uleth.ca). Thanks Russell.
- Fixed a problem with initialisation that caused -db_dir command line argument (and others) to be handled inconsistently.
- Acct-Link-Count changed from string to integer in some dictionaries to be consistent with others and the correct value. Reported by Steinar Haug, Nethelp consulting (sthaug at nethelp.no). Thanks Stienar
- Added attributes for Altiga to dictionary
- Added IgnoreReplySignature parameter to AuthBy RADIUS to permit operation with remote servers that implement incorrect signature algorithms.
- Fixed some problems with the standard internal session database that could cause incorrect simultaneous use limits when there are lost stop records. Found and fixed with the welcome assistance of Dave Close (dclose at quik.com)
- Added Ravlin RedCreek VSA attributes to dictionary.
- Added IgnoreErrors parameter to AuthBy PORTLIMITCHECK at the suggestion of Steve Roderick (steve at uspops.com).
- In SessionDatabase SQL, can now set AddQuery, DeleteQuery ClearNasQuery, CountQuery to be empty strings to prevent the query being executed. Implemented with the assistance of Paul Oshea (paulo at uma.genie.syncordia.net).
- Added FindQuery, AllocateQuery, CheckPoolQuery, AddAddressQuery, DeallocateQuery, ReclaimQuery to AddressAllocator SQL to permit customisation of the SQL queries that module uses.
- Added new special character %s, replaced by microseconds in the current second (requires the Perl Time::Hires module from CPAN or ActiveState).
- Changed AuthSelect in SQL so that %0 is now replaced by the quoted escaped user name. Some time in the future, the special handling that makes %n temporarily quoted and escaped will be removed. We recommend converting any custom AuthSelect you may have, and replacing ‘%n’ (including the quotes) with %0 (no quotes).
- Added platradacct.cgi to goodies, a version of radacct.cgi that works with Platypus Calls table. Contributed by “Leigh Spiegel” (leigh at winshop.com.au). Thanks Leigh.
- Added VSAs for Foundry and Unisphere to dictionary.
- If RejectHasReason is set, only one Reply-Message is set in the reply. Previously, 2 would be set. Suggested by Pavel A Crasotin (pavel at ctk.ru).
- Added index on POOL to all RADPOOL creation scripts in goodies to improve address allocate performance.
- Made AuthSelect and AcctSQLStatement configurable for AuthBy RODOPI.
- Permitted bind variables to be passed to SQL prepareAndExecute and do functions. This might be useful for custom SQL code that requires high performance.
- Rationalised sub keyword in all modules, so that permitted keywords are looked up in a table. Saves lots of if/else code and will permit stronger type checking in future.
- Fixed a problem with AuthBy RADIUS that prevented retransmission when ServerHasBrokenPortNumbers is set.
- Added IgnoreAuthentication and IgnoreAccounting to all AuthBy clauses. In the case of AuthBy RADIUS, they are now equivalent to the older (and deprecated) NoForwardAuthentication and NoForwardAccounting.
- Removed snmp_port from command line arguments in radiusd, because it breaks encapsulation.
- Improved ServerConfig intialisation and removed lots of excessive code.
- Moved reply caching from AuthBy RADIUS to AuthGeneric for future use with other authenticators.
- Rationalised AuthRADIUS.pm to allow definition of Host objects and easier subclassing.
- Added lots more Nortel CVX VSAs
- Added special case for SQL Timeout of 0 so it will never issue alarms at all. This is mostly a workaround for Sybase ODBC libraries that muck around with SIGALRM.
- Added Cisco VENDORATTR Control-Info to dictionary, contributed by Gareth Coco (gcoco at aapt.com.au).
- Added Timeout and FailureBackoffTime parameters to AuthBy LDAP and LDAP2 so that failed LDAP servers timeout quickly. Timeout defaults to 10 seconds, instead of the standard 120 seconds coded into perl_ldap.
- Improved docs to make clear that SHA passwords also require Mime::Base64
- Improved evaluation version so the reason for a radiusd die will be obvious.
- builddbm now detects attributes not connected to a user. Reported by Jamie Orzechowski (mhz at ripnet.com).
- Performance improvements to the main loop and packet packing and unpacking.
- Added UseGetspnamf option to AuthBy SYSTEM, which will honour the password expiration date, if there is one. UseGetspnam is now deprecated.
- Added synonyms for a number of attributes to the dictionary for the convenience of users with old standard users files, such as is generated by Optigold by default.
- Testing with Optigold ISP 2.6.7. OK. Added details to FAQ about interfacing, also created sample goodies/optigold.cfg.
- Fixed AuthBy RADIUS Synchronous so it will work on Windows in the event of a Timeout.
- AuthBy PAM now honours password and account expiration, and verifies access hour restrictions. Suggestion and code contributed by Richard Lennerts (richard at staff.vianet.net.au).
- Testing with Digest-MD4 from ActiveState for Windows ActivePerl build 623. OK: MSCHAP passwords work fine.
- Trace level 5 now does a byte dump of outgoing as well as incoming packets.
- Removed instructions to install MD5 for ActiveState: its installed automatically on all recent 6xx releases. Also altered Unix installation instructions to use Digest-MD5 instead.
- Fixed a typo with LAS-Code attributes in dictionary.cisco
- At the suggestion and with the assistance of Michael Audet (audet at vectorcore.com), AuthBy ADSI now does a direct authentication of the user. Administrators username and passwrod are no longer required, performance is improved, and there is no need to to disable password checking in AD. Also added support for Group membership checking.
- AuthBy PORTLIMITCHECK now permits special formatting characters in the SessionLimit parameter. Contributed by Valentin Tumarkin (tv at xpert.com). Thanks Valentin!
- In AuthBy LDAP*, and AuthBy SQL, added support for AuthAttrDef/AuthColumnDef type of ‘request’ which adds the attribute to the current request from where it can be accessed in later checks with %{attributename}. Contributed by Valentin Tumarkin (tv at xpert.com). Thanks Valentin! Valentin says “Very usefull for chaining LDAPSDK lookups (first lookup user, push group attribute into the request, then lookup the group. Works wonders when combined with ‘Auth-Type’).”
- Added special character %z which is replaced with the User-Name in the current packet, hashed with MD5. Contributed by Nick Donaldson (psyclops at psyclops.com). Thanks Nick.
- Revision 2.17.1 (22/11/00)
-
- Fixed a serious problem with a missing update function that could cause crashes with Alive packets.
- AuthBy LDAPSDK alo needed protection against attribtues with trailing NULs from Microsoft LDAP.
- Migrate SQL fixes into goodies/AuthPLSQL.pm. Contributed by Pavel A Crasotin (pavel at ctk.ru). Thanks Pavel.
- Revision 2.17 (21/11/00) Some significant new features
-
- Added new parameters to AuthBy SQL, to permit logging accounting records to a file if the SQL insert fails. See AcctFailedLogFileName and AcctLogFileFormat.
- Added MS-CHAP support as per rfc2548. Like ordinary CHAP, it works with plaintext, not encrypted passwords in the user database. Requires Digest-MD4-1.0 or better from CPAN. Also added support for MS-MPPE-Send-Key and MS-MPPE-Recv-Key reply items as tunnel passwords.
- Fix a problem that prevented AuthBy RADIUS receiving replies after a HUP. Reported by Wim.Biemolt at surfnet.nl. Also fixed some similar issues in AuthFILE and others.
- AuthBy LDAP2 is now compatible with perl-ldap versions before and after 0.20 (changes to the perl-ldap API made this necessary). With patches from Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added Nas support for Patton RAS.
- Fixed a problem with decode_tunnel_password that could cause a crash with various out-of-spec tunnel passwords. Reported and patched by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Fixed a problem with Realms and Handlers that prevented old Realms and Handlers being discarded during a SIGHUP.
- Fixed minor error in dictionary: VENDORATTR 307 type 2 was incorrectly called ‘Livingston’. Changed to ‘LE-Terminate-Detail’. Fix identified by Blaz Zupan (blaz at amis.net).
- Added dictionary.redback for Redback NASs
- Added sample NoReplyHook to goodies by knind permission of John Kemp (kemp at network-services.uoregon.edu)
- Separated out a utility function for doing all the magic for replying to a request.
- Testing on HP-UX 10.20. No changes required.
- Improved memory cleanup code in AuthRADIUS.pm to slightly reduce memory requirements. Found by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Improved SQL timeout handling, The need for this was revealed by recent versions of Oracle 8 using local transport. Reported by Chris Keladis (Chris.Keladis at cmc.cwo.net.au). Thanks Chris. A similar fix was contributed by David Lloyd (david at freemm.org). Thanks David.
- Fixed a problem that caused excessive memory usage in Client.pm. Found and fixed by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Removed incorrect reinitialisation code from AuthFILE, which would cause a crash on SIGHUP.
- Fixed some problems with SIGHUP handling and SNMP Agent, which prevented the Agent receiving requests after a HUP with SNMP_Session-0.77. Fix now works with all versions of SNMP_Session. Reported by Anton Sparrius (asparrius at vivanet.com.au)
- Mods to a number of classes that inherit from SqlDb.pm, to hide use of the dbh handle, in order to support sharing of SQL connections.
- Added CachePasswords to AuthBy RADIUS. It implements a password cache. It allows proxying to be more robust when the remote server is not available. It can be very useful if the remote server is unreliable, or at the end of a saturated or unreliable link.
- Some users have reported that Microsoft LDAP leaves NULs at the end of returned attributes. Added code to AuthLDAP2.pm to strip any trailing NUL.
- Added NoCheckPassword to AuthBy NT, useful in conjunction with other authentication methods that actually check the password
- AuthBy RADIUS now honours the global SocketQueueLength parameter, if it is set. Reported by David Lloyd (david at freemm.org). Thanks David.
- Fixed a problem with AuthLDAP2 that prevented it working with CHAP unless RejectEmptyPassword was cleared. The test is now implemneted witg LDAPRejectEmptyPassword, which defaults to 1 and is only referred to if ServerChecksPassword is set. Reported by Nacho Paredes (iparedes at eurocomercial.es). Thanks Nacho.
- Improved detection of running under inetd so running under cron wint be mistaken for inetd.
- Added Alcatel DANA vendor specific attribute to standard dictionary.
- Added -code flag to radpwtst, allowing it to send any type of request code, eg: radpwtst -noacct -noauth -code Disconnect-Request
- Changes to Client.pm, Radius.pm to permit proxying of any type of code, eg Disconnect-Request
- Added hydrarad to goodies. Hydrarad is an agent for the HydraWeb load distributor (www.hydraweb.com). It probes server performance and produces a Usability figure from 0 to 100.
- In dictionary, the types of CHAP-Password and CHAP-Challenge changed to ‘binary’ to prevent trailing NULs being stripped.
- AddToReply and DefaultReply were not honouring special formatting characters.
- Minor performance improvements in RDict.pm.
- Permit special characters (eg %{GlobalVar:databasename} in DBSource, DBUsername and DBAuth in any SQL connection.
- Added new generic authentication logging support contributed by Dave Lloyd (david at freemm.org). Thanks heaps Dave! Also example config file using <AuthLog FILE> in goodies/authlog.cfg and documentation.
- Added support for USR1Hook, USR2Hook and WINCHHook. Contributed by Dave Lloyd (david at freemm.org). Thanks Dave!
- Fixed Handler.pm so handlerResult is called when MaxSessions is exceeded. Suggested by Dave Lloyd (david at freemm.org). Thanks Dave!
- Added Shasta attributes to dictionary. Contributed by “Mariano Absatz” (lradius at pert.com.ar). Thanks Mariano.
- Improved portability of module importing. Now uses eval(“require RADIUS::classname”) which will work portably on all platforms, including MAC.
- Added goodies/blocktime.txt, a discussion about how to implement prepaid time.
- Hugh added some more examples to goodies/hooks.txt.
- Prevented warnings ‘No CHAP-Password or User-Password in request’ when User-Password is empty. reported by Cortney Thompson (Cortney at wyoming.com). Thanks Cortney.
- Added SNMP MIB 2 variables sysUpTime and sysName. Suggested by Mariano Absatz (lradius at pert.com.ar), since MRTG likes to get them.
- Fixes to AuthBy EMERALD to be compatible with RadiusNT version 3 (suitable for Platypus version 3 with RadiusNT compatibility too). Also now correctly handles per-user and per-service vendor-specific check and reply items.
- Revision 2.16.3 (25/8/00) Fix a serious LDAP problem
-
- Fixed a typo in all AuthBy LDAP which causes an error like: “Not a SCALAR reference at Radius/AuthLDAP.pm line 297.”
- AcctColumnDef now supports the type ‘formatted’ which allows you to use any of the special formatting characters instead of just a Radius attribute name.
- in AuthBy SQL, AcctColumnDef type ‘integer-date’ now allows you to specify your own date formatting string to be used instead of the default DateFormat for that SQL.
- Stop SQL from disconnect/reconnecting if a primary key constraint is violated. Can result in a significant performance impact in some environments.
- Revision 2.16.2 (21/8/00) Minor fixes
-
- Added support for encryption type MD5, which is MD5 and Mime, eg:
Password = {MD5}qP0OV/oViFka8YbFMWEWeg==
Contributed by Robin Gruyters (robin at wish.net). Thanks Robin. - radconfig.cgi incorrectly only allowed one Accounting log file name entry in a handler.
- Testing with MacPerl on PPC iBook with MacOS 9. The default config file under MacPerl is now ‘Macintosh HD:Applications:Radiator:etc:radius.cfg’.
- Fixed minor problems with date parsing on MacPerl. On Mac, times are based on 1904, not 1970.
- Created a clickable MacPerl droplet for radiusd containing command line arguments: MacRadiusd. You can edit this with MacPerl and set up your own command line args. Useful for running with a config file in a non-standard place. As delivered, it uses the radius.cfg in the current folder.
- Changes to configuration file processing in 2.16.1 meant that values for SnmpgetProg, FingerProg and some similar parameters were being overridden.
- Added new check item Client-Identifier that matches the Identifier parameter in the Client clause that received the request.
- Fixed an error in the documentation concerning the use of GENERIC in LDAP AuthAttrDef parameters.
- Added support for new SNMP Radius Authentication and Accounting server MIBs as specified by RFC 2619 and RFC 2621. The old draft MIB is still supported.
- Fixed a problem with AuthAttrDef not working properly in AuthBy LDAP and LDAP2.
- Fixed a problem with AuthBy TEST that prevented it from honouring the Identifier parameter. Reported by Matt Nichols (matt at hunterlink.net.au). Thanks Matt.
- Added new parameter CaseInsensitivePasswords to all AuthBy clauses that support plaintext password checking. This involved some rationalisation of the password checking code in Radius.pm too, with resulting performance improvements.
- Dictionary now permits data type of ‘text’ in line with RFC 2865, and is treated the same as ‘string’.
- Duplicate checking now takes the client port into account, as required by RFC 2865.
- Tested the config file “include” directive with external scripts, at the suggestion of Simon Hackett (simon at internode.com.au). For example:
include %D/myScript.pl|
this allows you to generate some or all of your Radiator configuration programatically. - Added SearchFilter to AuthBy LDAP*, allowing you to fully control the search filter used to find users. This will allow you to select or reject users based on arbitrarily complicated LDAP search filters.
- Added RejectEmptyPassword to AuthBy to handle some broken remote Radius servers that foolishly always accept logins with empty passwords (eg VMS)! Suggested by Simon Hackett (simon at internode.com.au)
- Added UsernameMatchesWithoutRealm to AuthBy to permit matching on the bare user name without rewriting the username and therefore affecting accounting too. Suggested by Simon Hackett (simon at internode.com.au)
- Added missing -h flag to radpwtst
- Improved handling of MD5 passwords so that it supports both hex digests and base64 encodes. This also makes it compatible with Infranet billing passwords. Contributed by Johnathan Ingram (jingram at intekom.com). Thanks Johnathan.
- Added some fixes to AuthLDAP.pm to prevent Radiator running out of file handles in some circumstances.
- Rationalised check_plaintext_password and check_encrypted_password into a single function check_password in AuthGeneric to save lots of duplicate code.
- Modifications to AuthBy RADIUS so that it will create a separate socket for each distinct LocalAddress. This will make sure the right LocalAddress is used for each proxied request, even if there are multiple LocalAddresses in use. From a report by Ivan Brawley (brawley at internode.com.au). Thanks Ivan.
- Fixed a problem with timeouts in Select.pm. The timeout list was not always sorted properly, which would sometimes cause timeouts to go off too late. This was especially significant if very long timeouts were used (as in AddressAllocatorSQL and others).
- Added special characters %q, %Q, %v, %V for days of weeks and months of the year.
- Added new strftime compatible date formatter
- Added DateFormat attribute to all SQL derived objects to control how to format dates for insertion. Can use any of of the special characters supported by strftime
- Added new Description parameter to all objects, mainly for use by radconfig.cgi. Suggested by Matt Nichols (matt at hunterlink.net.au). Thanks Matt.
- Fixed a problem with Proxy-State. Only the first one would be included in the reply. Now all are included, and kept in the same order as in the incoming request. Reported by Thorsten Wystrychowski. Thanks Thorsten.
- Improved error reporting when an SQL connection fails.
- Testing with Informix. Created goodies/informixCreate.sql and added documentation.
- ClientListSQL now permits the FramedGroupBaseAddress column to contain multiple comma-separated addresses.
- Incorporated a patch to goodies/hooks.txt to allow getProfiles to have profiles that span multiple lines. Contributes by Christian Hammers (ch at westend.com). Thanks Christian.
- Added LimitQuery to AuthBy PORTLIMITCHECK, so that the session limit can also be got from the database, instead of being fixed. This allows you to easily get port limits from, say, a customers table in your SQL database.
- Special formatting now supports %{Client:parmname} which is replaced by the parmname parameter from the Client clause that accepted the current packet.
- Special formatting now supports %{Handler:parmname} which is replaced by the parmname parameter from the Handler clause that is handling the current packet.
- Fixed a problem with AuthBy RADIUS that resulted in a Tunnel-Password received from the remote radius or added with AddToReply would not be be encrypted properly. Found and fixed by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Fixed a problem with ClientListSQL, where an empty string in the NoIgnoreDuplicates column would cause a crash.
- AuthBy RADIUS now permits multiple comma host names in the Host parameter.
- Fixed some typos in the RADPOOL table creation in some goodies/*.sql scripts. The unique index creation was wrong.
- Altered evaluation expiry mechanism.
- radpwtst now takes notice of the Class in any access replies, and uses it in subsequent accounting requests.
- Added support for encryption type MD5, which is MD5 and Mime, eg:
- Revision 2.16.1 (13/6/00) Major new feature, and a number of bug fixes, one serious.
-
- Added support for Windows ActiveDirectory authentication with AuthBy ADSI, see the example config file in goodies/adsi.cfg. Stop Press: also added AuthAttrDef to AuthBy ADSI, so you can get additional attribtues from ADSI.
- Fixed problem with all SessionDatabases, where attempts to deduce the NAS IP address dusring simultaneous-use double checking would fail with this error message:
Could not find a Client for NAS to double-check Simultaneous-Use. Perhaps you do not have a reverse DNS for that NAS?. - Fixed a problem in radacct.cgi where attributes that contained an = character were not displayed properly when showing a detail file. Reported by Matthew Nichols (matt-home at hunterlink.net.au). Thanks Matt.
- Fixed a problem with SNMPAgent where it would report “Undefined subroutine &Radius::Radius::get_port” with some unusual configuration files.
- Fixed a typo in AuthPORTLIMITCHECK.pm where getOneRow was not defined. Reported by Anton Sparrius (anton at vivanet.com.au). Thanks Anton.
- Added support for NasType PortslaveMoxa, for Linux running Portslave and a Moxa multiport. Contributed by “Le Anh Tuan” (latuan at netnam.vn). Thanks!
- Fixed some problems with drilling down and volume summaries in radacct.cgi when using SQL. Reported by John Breeden (rad at ns1.phx2.com)
- SessionDatabase NULL was ignoring all of its configuration, and you could therefore not reference it by Identifier. Reported by Aaron Holtz (aholtz at bright.net). Thanks Aaron.
- Fix to %a special character was not working properly.
- Check items could mistake an exact match for a regular expression if it had multiple embedded slashes. Now the first slash must be at the beginning of the regexp.
- Added workaround for hanging connections when using DBD-Sybase nad MS-SQL.
- Revision 2.16 (19/5/00)
-
- Added totals of sessions, time, octets and packets to the user page in radacct.cgi.
- Session-Timeout as a reply item can now takes a value “until Time” which calculates the session timeout until the end the permitted time period defined by a Time check item.
- Added Auth-Type=Accept, code contributed by David Daney (daney at ibw.com.ni). Thanks David.
- Added PreProcessingHook to Handlers, which fires before accounting log files etc are written. Code contributed by David Daney (daney at ibw.com.ni). Thanks David.
- AddToReplyIfNotExist parameter with multiple attr=val, and with white space before the attribute namew would not be parsed properly, resulting in a “Bad attribute=value pair:” error message.
- Simultaneous-Use would sometimes check the wrong user name for excess sessions when RewriteUsername or Prefix or Suffix was involved.
- Fixes so that multiple DEFAULT users with Prefixes and/or Suffixes wont strip the the user name for the following DEFAULT. Contributed by David Daney (daney at ibw.com.ni)
- Added new <Log EMERALD> module that does logging to a Platypus and RadiusNT compatible message log table.
- Testing with Windows 2000.
- Fixed radpwtst -gui to work with Tk800.018 and better.
- Fixed a bug in AuthLDAPSDK.pm, that produces the following error: Global symbol ” at vals” requires explicit package name at Radius/AuthLDAPSDK.pm line 256, <FILE> chunk 39. Reported by Bradley Clayton (bac at agad.purdue.edu)
- Workaround in AuthRADKEY.pm for problems with password lengths on some MAXen.
- Reinstated the changes that make %a get the Framed-IP-Address from the reply packet instead of the request, and to take ma.overdue into account in in AuthBy EMERALD. These changes were inadvertently lost from the 2.15 distribution.
- Changes to all SQL based modules to fix an infrequent problem with Sybase on some platforms, and in some environments. Some versions would sometimes hang during the SQL finish operation, which was not protected by timeout.
- DefaultRealm now only adds the realm if there actually was a User-Name present in the request. Requests without a User-Name will not now have a fake User-Name added.
- Added cisco-h323* entries to the standard dictionary for Cisco VOIP.
- The password log for CHAP logins now shows “UNKNOWN-CHAP”, instead of “UNKNOWN”, to help distinguish form the case where there is no password in the request.
- Added SessNULL.pm to the distribution, contributed by Daniel Senie (dts at senie.com). Thanks Daniel. SessNULL.pm provides a session database that does not store any session details and always permits multiple logins. Useful for very large user populations where ther is no multiple-login prevention required: this will require much less memory than SessINTERNAL.
- Added support for HoldServerConnection, plus disconnection after each request to AuthBy LDAPSDK, at the request of Thomas Braber (thomas.den.braber at capgemini.nl).
- Special formatting can now refer to any attribute in the current reply with %{Reply:attributename}
- Check items can now refer to attributes in the currently constructed reply. This can be useful for adding more reply items, depending on the reply items that are already there. For example, you might set a Profile psuedo attribute in an AuthBy and in a following AuthBy, add some real reply attributes that depend on the value of the Profile you added before
- Added support for IP address allocation, and a specific SQL implementation. See goodies/addressallocator.cfg for examples on how to use. STOP PRESS: minor changes in database schema since the 2.16 alpha release. Alpha testers will have to recreate their RADPOOL table.
- Fixed algorithm for computing port index for Total Control SNMP access checking. Contributed by Aaron Nabil (nabil at spiritone.com). Thanks Aaron.
- Fixed a problem with AuthAttrDef in AuthBy LDAP and LDAP2.
- Added the -p switch to builddbm to print out a flat file equivalent. Contributed by Joost Stegeman (joosts at kpn.net). Thanks Joost.
- ipaddr type attributes can now be specified as a 4 byte string, as well as dotted-quad notation. Useful for putting IP addresses and netmasks in databases as binary instead of strings. Suggested by Mike Nerone (mnerone at idworld.net).
- Updated GRIC Roaming attributes in various dictionaries.
- Log SQL and AuthBy RADMIN now permit LogQuery parameters configure the query used to insert into the log table database.
- AuthBy DBFILE and SessionDatabase DBM now support a DBType parameter, allowing you to specify the type of DBM database to use.
- AuthBy RADMIN was incorrectly logging all level log messages. Now it honours the global Trace level.
- Fixed a problem with MD5 password encryption when encrypted passwords had a zero length salt.
- Fixed a bug in Client.pm that prevented the client list used by SNMP and StatusServer being cleared during a HUP.
- Added new Bay Annex attributes to dictionary
- Pushed the permitted perl revision level back to 5.003
- Testing on Cobalt CacheQube. OK.
- Fixed a bug in the radwho.cgi and radacct.cgi sort routines that affected user name sorting with mixed alpha and numeric names. Reported by Larry Vaden. Thanks Larry.
- Fixed a problem with apparent floating point attibutes in AuthBy EMERALD.
- Fixed some problems in getProfiles example hook in goodies/hooks.txt. Contributed by Christian Hammers (ch at westend.com). Thanks Christian.
- Added NoReplyHook to AuthBy RADIUS, called if no reply is heard from any remote servers. Useful for storing accounting to an SQL database for later delivery or retransmission (see goodies/reliableaccounting.cfg for example)
- Testing with InterBase 6.0 and DBD-Interbase-0.021. OK. Note that Interbase 6.0 requires /etc/hosts.equiv to contain the name of each client host, so you may need to add ‘localhost’ to /etc/hosts.equiv to enable you to start the Interbase server and access it. Also note that InterBase requires a custom AuthSelect since it does not permit columns named PASSWORD. interbaseCreate.sql creates it as PASS_WORD.
- Due to changes in policy by iPASS, the preferred method of interoperating with iPASS outbound is now to proxy to the iPASS radius server. Altered documentation to suit.
- Added some improvements to extensibility and customisability: The reinitialize and find functions for Client, Handler, Realm et al are now registered at startup. This allows you to add new subclasses of Client and Handler with new ways of finding the right Client or Handler to use. You can also register your own reinitialise function with main. Added examples csid.cfg and CalledStationId.pm to goodies to demonstrate use of all these features, using the example of fast, exact matching on Called-Station-Id.
- radpwtst now takes notice of the Framed-IP-Address in the reply and uses it in subsequent accounting starts and stops, unless -framed_ip_address has been used to force a particular address.
- Added initial version of new radconfig.cgi, a CGI script that will manage a Radiator configuration file.
- Added new Nas Type of Ping, which will attempt to check simultaneous use by pinging the dialup users Framed-IP-Address. This is not foolproof as the Framed-IP-Address may have been reallocated, but its better than nothing, which is what you may have without finger or snmp access to the NAS.
- Added missing documentation for SessionDatabase parameter for Realm and Handler, which allows you to control which Session Database a Realm or Handler will use.
- Fixed a spurious WARNING message if AuthPort or AcctPort was defined as empty (ie no socket to be set up). Reported by Antonio Coloma.
- Added new Scope parameter that allows you to control the LDAP search scope in LDAP2 and LDAPSDK. Suggested by c.w.vandervelden at kpn.com.
- Revision 2.15 (15/2/00) Many new features and some fixes.
-
- Added new check item Request-Type. This is mostly useful in Handlers, to allow you to trigger on different types of requests.
- Fixed a problem with handling escaped octal characters in attribute strings. Contributed by Mike Biesele (wmb at aros.net). Thanks Mike.
- DynamicCheck and DynamicReply were always doing special character replacements of in all check and reply items, instead of just the ones named.
- DynamicReply was incorrectly doing special character replacements from the reply packet instead of the incoming packet.
- The special character %a has been modifed to be replaced with Framed-IP-Address from the reply packet instead of the incoming packet.
- AuthBy clauses did not honour the “include” keyword.
- Added some more USR attributes to dictionary.usr
- Fixed a problem with Tunnel-Password on Intel where it would sometimes produce a non-compliant encrypted password.
- SQL timeouts while doing a select or an insert did not trigger the backoff period.
- Added Synchronous flag to AuthBy RADIUS, which will cause the AuthBy RADIUS to block until a reply is received from the remote radius server (or it times out).
- Rolled the AddToReplyIfNotExist.patch into the base code. This code was contributed by Vincent Gillet (vgi at oleane.net), and implements the AddToReplyIfNotExist parameter, which will append an attribute to a reply if and only if it the attribute is not already present.
- The include keyword for including other files inline is now case insensitive.
- Radius standards rfc2138.txt and rfc2139.txt are now included in the doc directory.
- Added some additional username info to some WARNING and INFO level messages, as suggested by Wim Biemolt (Wim.Biemolt at sec.nl).
- Incorporated significant performance improvements to AuthBy UNIX, contributed by Jamie Hill (hill at networkWCS.com). Thanks Jamie!
- If you explicitly undefine AuthPort or AcctPort, Radiator will not bind a socket. Same effect if you specify -auth_port “” or -acct_port “” on the command line.
- Fixed a problem with compatibility with proxying to Merit server with passwords of exactly 16 octets. Merit incorrectly assumes that passwords are always NUL terminated.
- Fixed typos with MSN style RewriteUsername regexps, that incorrectly assumed the seprator was a forward slash (/) not a backslash (\). Affected documentation and example radius.cfg
- Added new parameter HoldServerConnection to AuthBy LDAP, so LDAP servers that support it can be used to do as many authentications as possible from the same LDAP connection.
- Added details about how to use Radiator with AFS Kerberos to goodies directory. Contributed by Roland Hofmann (hofmann at uni-hohenheim.de). Thanks Roland.
- Fixed a problem with radacct.cgi where an Acct-Session-Id that contained a dot character was not recognised
- Added to the goodies an alternative version of radacct.cgi that supports some sorting of users by time, logins, total octets in or out. Contributed by Andrew Aken. Thanks Andrew.
- AuthBy RADIUS now returns IGNORE if a request is not forwarded due to NoForwardAuthentication or NoForwardAccounting. This is thought to be more correct, but existoing users of multiple AuthBy RADIUS with NoForward* may need to use AuthByPolicy ContinueWhileIgnore.
- AuthBy LDAP, LDAP2 and LDAPSDK now supports AuthAttrDef, which allows you to easily define check and reply items in your LDAP database, similar to the way its done with SQL. Based on code contributed by Steven E Ames. Thanks Steven.
- AuthBy RADIUS now passes some additional arguments to ReplyHook:
${$_[0]} The reply received from the remote server
${$_[1]} The reply packet to be sent back to the original requester
${$_[2]} The original request
${$_[3]} The request sent to the remote server - Added support for old style Ascend password encryption algorithms, new parameter UseOldAscendPasswords for both Client and AuthBy RADIUS. Also added -useoldascendpasswords flag to radpwtst.
- Added Microsoft vendor-sepcific attributes to dictionary. Contributed by sadkins at voyager2.cns.ohiou.edu (Scott Adkins). Thanks Scott.
- Suffix and Prefix incorrectly took notice of regexp special characters (such as +, ., * etc) in them. Changed so that Prefix and Suffix only ever do exact literal matches.
- AuthBy NT did not hounour AddToReply or DefaultReply on Unix.
- Testing with Apache and Apache::AuthenRadius. Item added to the FAQ.
- Workaround for a bug with FreeTDS where a datetime set like ’12-31-1999 12:01:01.000′ comes back as ‘2000-01-00 12:01:01’.
- Added radiatorctl sinmple Radiator management script to goodies. Contributed by Ragnar Kurm (ragnar at uninet.ee). Implements start, stop restart, reload, inc, dec operations. Thanks Ragnar.
- SessDBM has mode sensible mode for new files. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- DefaultRealm processing was moved to after PreHandlerHook to allow easier manipulation of user names.Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added GRIC roaming attributes, including Timestamp to a number of dictionaries that did not have them.
- AuthBy EMERALD was not taking into account the masteraccounts.overdue column. Reported by Ray Carpenter (ray at systec.com). Thanks Ray.
- Session-Timeout reply attribute now supports a new syntax. If you have for example:
Session-Timeout=”until 1800″
Then the Session-Timeout in the reply will be calculated as the number of seconds up until the time of day specified - AddToReply and DefaultReply did not honour special processing for Session-Timeout=”until 1234″, Tunnel-Password, Ascend-Send-Secret or Framed-Group.
- Encrypted-Password can now be in a variety of encrypted password formats: SHA, MD5 and standard Unix crypt. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added ExcludeRegexFromPasswordLog to Handlers. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- NasType TigrisOld has new improved performance code contributed by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added ServerHasBrokenPortNumbers parameter to handle broken 3rd party radius servers that reply from a different port number than the one the request was sent to. Required for proxying to GRIC on NT.
- Added -v flag to radiusd to print version number. Also version is printed on startup INFO line.
- Improvements to restartWrapper to show more information about why the child died.
- Fixed a problem with AuthBy LDAP2, where recent versions of Net::LDAP do not support ldap_error_message.
- Added StartupHook which is called during startup and restarts
- Fixed a problem with broken VSAs which casued an entire packet to be ignored. Reported by Steve Suehring (suehring at coredcs.com).
- %M, %H, %S macros always produce 2 digits. Reqested by Daniel Senie (dts at senie.com)
- Fixed a problem with %y and %e that produced only one digit in 2000. Reported by Thomas Voss (tvoss at netcologne.de). Thanks Robert.
- AuthBy NT now optionally honours the User Manager Dialin Permission flag. Only available on NT, and requires Win32-RasADmin package to be installed.
- Fixed a problem with some check attributes. When used to check attributesin a <Handler ….> clause, could get a crash with a message like:
Can't call method "log" on unblessed reference at Radius/AuthGeneric.pm line 644.
- Added support to Auth By NT for Lockout and Account Expiry flags (supported when Radiator tuns on NT). Contributed by talist at vif.com. Thank you!
- Fixed a problem with FramedGroupBaseAddress and RewriteUserName not being properly assigned by ClientList SQL. Fix contributed by jay.pike at voyager.net.
- Improved documentation about hooks and when they are called. Suggested by Richi Plana (richip at mozcom.com)
- Added dictionary.usr.merit to the distribution. This is a copy of http://totalservice.usr.com/ISP/rad/dictnary.dat, and can be used as a source for missing VSA’s or it can be used directly as the Radiator dictionary.
- Further fixes to zombie child reaping, so that we should not miss zombies, even if there is a sigchld collision
- Added StatusServerShowClientDetails to Client to optionally enable full Cleint statistics in the Status-Server reply. This changes the default behaviour, which used to be to always send the statistics for all Clients. The default is now to not send details for any Clients.
- Added new Nas-Type Portmaster4 which is suitable for use by Portmaster 4’s running ComOS 4.1 or later. Uses pmwho.
- Fixed a problem with using AcctColumnDef with AuthBy PLATYPUS that would cause an SQL syntax error. Reported by Simon Woodward (simon at 1earth.net). Thanks Simon.
- Workarounds added to radwho.cgi and radacct.cgi. When used with FreeTDS, messages that FreeTDS prints to stderr would confuse Apache and other web servers. Sterr is redirected to /dev/null on unix during database setup when its FreeTDS.
- Connect-Rate now supports attributes called USR-Connect-Speed if there is no Connect-Info in the incoming packet.
- Fixed a typo with incorrect definition of Connect-Info attribute in Radius.pm
- Added globalvarname=value command line arguments and DefineGlobalVar to the config file. Can now use special formatting like: %{GlobalVar:globalvarname}. Suggested by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Added “Time On” column to radwho.cgi, with formatted time interval since they logged in.
- Added Debug parameter to AuthBy LDAP2, to assist debugging the Net::LDAP module.
- The global BindAddress and AuthBy RADIUS BindAddress parameters now permit special formatting macros.
- All the AuthBy LDAP modules now support special formatting characters in the Host parameter.
- All classes now have an optional Identifier parameter
- All classes now honour the “include” keyword.
- Added NoDefault parameter to AuthBy. When set, it stop Radiator from ever looking for a DEFAULT user entry.
- Radiator failed to complain if an integer reply item specified a value name that was not in the dictionary.
- Historical my_crypt was removed from radiusd. It was required for compatibility with the Gursamy Sarathy port of perl on Win 95.
- New module Util.pm added for general purpose utility routines. main::format_special and a number of other functions were moved there.
- Added ServerChecksPassword to AuthBy LDAP2, so that servers that implement proprietary encryption algorithms in their passwords (notably Open Directory from Platinum) can be used. Testing with Open Directory. Added opendirectory.cfg to goodies.
- Added new special character %P that is replaced with the decrypted User-Password from the current request. Code contributed by talist at vif.com. Thanks.
- Revision 2.14.1 (29/7/99) Mostly new features
-
- Added new <ClientListSQL> clause that allows you to have your Client details in an SQL database, rather than in your config file.
- Added example Microsoft Access database to goodies. Works with the example sql.cfg, and also includes some sample queries and charts.
- The fix to default /32 in Ascend filters in 2.14 did not work properly in all circumstances. Found by Ricardo Kustner. Thanks Ricardo.
- Rolled in additional dictionary entries from ACC into the standard dictionary. Added the ACC dictionary to the distribution.
- Added support for NasType and Client-Id check items
- Fixed problems that pevented AuthBy NT working with the latest version of Authen-Smb (Authen-Smb-0.91) on Unix. They changed their naming standards for NTV_NO_ERROR.
- Revision 2.14 (14/7/99)
-
- Added new AuthBy PAM, which can authenticate through any method supported by PAM on your host.
- Added support for RAdmin, the new web-based user administration package from Open System Consultants. Supports, sim-use, static IP address, bad login limits, preallocated time, error logging etc etc etc.
- New authentication module PORTLIMITCHECK, which can check enforce simultaneous-use limits for arbitrary groups of users. This can allow you to sell bundles of ports on a global or per-POP basis, or DNIS etc. It can also set up Class attributes that depend on how many users are currently logged in in that group, so you can have different charging bands for normal and overflow usage etc. Requires a that a <SessionDatabase SQL> be present in your Radiator config.
- Changes to session databases so that when a NAS is checked for a simultaneous use, the original username (prior to any RewriteUsername) will be used.
- Log.pm was ignoring LogFile global parameter and always using %D/logfile.
- Added new parameter DefaultSimultaneousUse to AuthBy. DefaultSimultaneousUse specifies a sim-use limit that will apply if there is no user-specific Simultaneous-Use check item.
- Added new dictionary.ascend2 for Ascends that use Vendor-Specific attributes with vendor 529.
- Added Nas-Type of TotalControlSNMP, which uses SNMP to check a Total Control NAS. Contributed by Stephen Roderick (steve at proaxis.com). Thanks Stephen.
- If you had both DefaultReply and AddToReply, then DefaultReply would have no effect. Fixed.
- In AuthBy SQL, you can now have multiple definition of the same column name in AcctColumnDef. This allows you to save different attributes from different types of NAS into the same column in a mixed NAS environment.
- Fixed a problem in radpwtst that could cause a premature exit if there were problems in receiving a reply.
- Checks for Realm in a Handler clause can now be regexps
- Added a number of Bay VSA’a to standard dictionary. Thanks to Stuart Henderson (stuart at eclipse.net.uk).
- Added new NasType of “ignore” that does not contact the NAS, and always assumes there are no multiple logins. Suggested by Stephen Roderick (root at proaxis.com)
- Some performance improvements in Nas.pm
- Added new Client parameter NoIgnoreDuplicates. You can use this to fine-tune which types of duplicate requests you will handle (regardless of the setting of DupInterval) The value is a space separated list of request types, such as “Access-Request Accounting-Request” etc. Case sensitive. This can sometimes help if you are losing packets. Suggested by Tim Minchin (tom at interact.net.au).
- radpwtst can now take any number of additional attribute=value arguments, so you can add any attributes that are in the dictionary to each request.
- Fixed problem with becoming a daemon on AIX (which doesn’t support setsid()).
- Fixed a problem in the internal SessionDatabase, where it would ask all the NAS ports for all users to double check apparent logins.
- With SNMP, if you use SNMP_Session-0.70.tar.gz instead of SNMP_Session-0.62.tar.gz, snmpget reported “Unrecognizable or unauthentic packet received”. Fixed.
- Testing with perl 5.00401, no changes required.
- Testing with AIX, with the assistance of Dave Close (dclose at quik.com). Some fixes required. Thanks Dave.
- Testing on FreeBSD 2.2.5, no changes required.
- Added NasType support for Tigris (both old and new MIBS), Bay 4000, and Bay by finger, contributed by Rob Thomas (rob at rpi.net.au). Thanks Rob.
- Testing on SCO Open Server 5.0.4, no changes required.
- Added new special character %u, which is replaced by the original full User-Name as it was received and before any RewriteUsernames were applied.
- Added new special charcter %l, which is replaced by the current local time expressed as a string, eg ‘Thu Apr 22 15:39:03 1999’.
- Added ACC vendor-specific attributes to the standard dicitonary
- In AuthBy EXTERNAL, the external program can now return any attribute=value pairs on each line on stdout, not just Reply-Message. Contributed by Richi Plana (richip at mozcom.com). Thanks Richi.
- AuthBy NT was not logging passwords to PasswordLogFileName.
- ON SIGHUP, old realms were not being removed from the old configuration.
- Upgraded AuthTACACSPLUS so it can do PAP and CHAP when you have a recent (0.16 or better) version of the TacacsPlus perl library.
- Now parses Merit style dictionaries, including VENDOR_CODE.
- radacct.cgi now shows summaries by IP address, suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de) which he says is useful for tracking down attacks.
- radacct.cgi will automatically decrypt on the fly files with a .gz extension, also suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de). Thanks Karl.
- radwho.cgi will now automatically refresh every 30 seconds, and also shows the date of the refresh in the title.
- DefaultRealm was not being honoured by Handlers, only Realms. Reported by Richard Lennerts (richard at vianet.net.au). Thanks Richard.
- Fixed a race condition in EXTERNAL that could prevent it replying under some conditions. Also fixed other problems that prevented it getting the return code from the externl program on NT. Still not working properly on Win98.
- Added a new parameter ResultInOutput to AuthBy EXTERNAL so you can use a string in the first line of the output of the external command to signal the type of reply, instead of using the exit status. This is good if you are using Win98 where the exit status is not reliable.
- Using special characters like %a, %c, %C, %n, %N, %R, %T, %U, %u in a context where there is no associated packet would cause a crash. Now they are just replaced by an empty string.
- Handlers did not recognise embedded include directives.
- Changed child reaping to remove the possibility of unreaped child processes if 2 sigchld signals colide.
- Significant changes in AuthBy FILE to greatly reduce the amount of memory required with large user files to about one tenth of previous requirements.
- Fixed a problem with LogSQL where strings with quotes in them caused an SQL error.
- Included in goodies detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul at dove.mtx.net.au). Thanks Paul.
- Can now use case insensitivity in regexp Realms like this:
<Realm /realm.com/i>
In fact, you can use either the i or x modifiers - Added -snmp_port argument to radiusd to override whats in the config file.
- Improved the behaviour of changeAttrByNum so it correctly updates the cached value too. This is only interesting for authors of hooks.
- Added code to complain if Client or IdenticalClient names could not be resolved.
- Added ExcludeFromPasswordLog to Handler, to prevent certain user names being logged to the PasswordLogFileName. Its a good idea to list your sysadmins etc.
- Added wtmp support for FreeBSD, contributed by Jason (godsey at fidalgo.net). Thanks Jason.
- AuthBy SYSTEM now checks the primary group as well as the secondary groups. It used only to do the secondaries.
- Fixed a problem with AuthBy PLATYPUS where the select statement was constructed incorrectly.
- Fixed a problem with Prefix and Suffix check items that prevented rejection of there was no match.
- Added new parameter UseGetspnam to AuthBy SYSTEM so it can be used with some systems (notably Solaris) using getspnam
- Added Timeout parameter to all the SQL based clauses, so that you can get predictable timeout from failed SQL operations due to lost connectivity with the SQL server. Defaults to 60 secs.
- Fixed a problem in test.pl that prevent reporting of some errors in the test suite. Fixed some other inaccuracies in the test suite.
- Added new special character %S, which translates to the current second.
- Added ReplyHook to AuthBy RADIUS, which runs after the reply is received from the remote radius server (as opposed to PostAuthHook, which runs after the request was forwarded, but before the reply is received).
- Modifed Nas.pm so that if finger detects a problem or a timeout when using finger to verify simultaneous connections, it assumes that the user is still online (i.e. it assumes that the SessionDatabase is correct).
- Fixed a problem with “include” directives in the configuration file: Recursive includes did not work properly.
- Can now specify LivingstonOffs and LivingstonHole on a per-Client basis.
- Fixed a problem with command line arguments in radiusd. -log_file_name was ignored.
- Changes to Handler.pm and SessINTERNAL.pm to improve behaviour in the face of lost Stops.
- Mods to AuthLDAP2 so it conforms more closely to the expectations of some LDAP servers. In particular, it now maintains the TCP connection to the server, but binds and unbinds for each search.
- Fixed a problem in AuthBy EXTERNAL on some OS, where a sigchld handler could prevent getting the returns status of the external process. The result would be no reply top the request.
- Improved the sort ordering of IP addresses in radacct.cgi.
- Rationalised some code in Nas.pm to make it smaller and easier to maintain, and to facilitate future internal SNMP client. also added some snmpwalk support, and activeSessions support.
- Added 20 second timout to internal finger client
- Added handling of Ascend-Access-Event-Request, which can be used to verify that an SQL SessionDatabase in in sync with reality.
- Deleting a user from a DBM file with builddbm -d username left an empty user entry, rather than deleting it.
- Added new special characters %b %o %e %f %g %i %j %k %p for time components from the Timestamp of the current packet.
- Changed default DupINterval to 2 seconds. This will still detect dups created by duplicate network paths, but now a lost Access-Accpt wont trigger many duplicate requests.
- Ascend-Data-Filter addresses now default to /32 if the mask length is not specified, eg “ip in drop dstip 1.2.3.4” is equivalent to “ip in drop dstip 1.2.3.4/32”.
- Improved error recovery during log file parsing so that unknown object wont silently cause the rest of the file to be ignored
- Binary distribution file changed to .tgz extension to prevent problems unpacking on PCs.
- Improvements to getNasId so it will get an address even if NAS-IP-Address is absent and NAS-Identifier does not include an IP address. Some NAS’s do not conform to the Radius spec and this helps with those NASs.
- Added support for NasType of NortelCVX1800. Contributed by James H. Thompson (jht at lj.net). Thanks James.
- AuthBy RADIUS will now do round-robin proxying for host names with multiple IP addresses. DNS names for proxy Radius hosts are resolved at startup time.
- Changes to API standard for findUser in authentication modules allow you to detect database failure, as opposed to “no such user”, useful for LDAP and similar to fall back to other LDAP databases.
- Revision 2.13.1 (18/3/99) Consolidation of some minor bug fixes
-
- MaxSessions exceeded message now includes user name.
- Fixed a problem with PreAuthHook and PostAuthHook that prevented them being called.
- Added new %U formatting character that gives the user name with the realm stripped off. Contributed by Stephen Roderick (steve at proaxis.com). Thanks Stephen.
- Added parameter values in the form file:”filename” which will load the value from an external file. Probably most useful for putting long code fragments for the hooks in an external file:
PreAuthHook file:”hook.pl”
From a suggestion and code fragment from Lars (lmb at teuto.net). Thanks Lars. - Added auto indexing to the FAQ.
- AuthBy PLATYPUS and AuthBy EMERALD now honour AuthColumnDef and AuthSelect to handle _extra_ columns returned from the standard select statement.
- Added support for Xyplex sim-use checking with finger, with assistance of Nikos Aslanakis (aslan at spark.net.gr). Thanks Nikos.
- Fixed some typos in emerald.cfg that broke Acct-Terminate-Cause.
- Handler.pm was choosing the wrong handler.
- Added AddATDefaults parameter to Auth EMERALD. Contributed by Andrew Ruthven. Only adds the contents of RadATConfigs if AddATDefaults is defined in the configuration file. Thanks Andrew.~
- Added NoDefaultIfFound to AuthGeneric.pm, which stops Radiator looking for any DEFAULT users if an entry for the user was found but their check items failed.
- Fixed a problem that prevented PreClientHook being called.
- Added new AuthBy CDB contributed by Pedro Melo. CDB is a fast, reliable, lightweight package for creating and reading constant databases. More details about CDB at ftp://koobera.math.uic.edu/www/cdb.html Thanks Pedro!
- Fixed some problems where the current trace level was misreported when the trace level was changed with SIGUSR1 and SIGUSR2.
- SNMP was reporting UpTime as an integer instead of timeticks.
- Revision 2.13 (17/2/99) Lots of new features, some bug fixes.
-
- Added SNMP Agent. Now supports SNMP V1 requests as per draft-ietf-radius-servmib-04.txt. That means that you can get various types of server statistics, and even reset the server using SNMP. You might want to use MRTG or similar for monitoring your server.
- Added AuthBy RODOPI and example rodopi.cfg. Rodopi is quite a mature NT/MS-SQL based billing system with a Java/web GUI.
- Added new configurable and subclassable logging modules: Log FILE, Log SYSLOG and Log SQL. You can now log to any and all places at the same time, plus easily add your own logging modules.
- Simultaneous use check with finger for Portslave, Ascend, Shiva or Computone now defaults to using an internal perl finger client. You can still force it to use an external finger program by specifying FingerProg in the config file. The internal client improves portability to NT, and will improve performance, since it avoids the cost of starting an external program.
- Rationalised reporting and logging of rejections: Auth*::handle_request now also returns a reason message, which can optionally be replied to the user with the new Handler keyword RejectHasReason.
- All AuthBy modules now do their logging through a virtual log() function in AuthGeneric, which allows you to override with your own AuthBy specific error logging function. Suggested by Andrea Campi (andrea at planet.it). Thanks Andrea.
- Added AuthTACACSPLUS to authenticate from Tacacs Plus server. requires Authen::TacacsPlus module from CPAN. We used the version in TacacsPlus-0.15.tar.gz. If its not on CPAN, its available from the author here.
- Status-Server message now returns all server and per-client statistics.
- AuthBy NT can now authenticate from an NT domain controller, even when Radiator is running on Unix. Requires the Authen::Smb package from CPAN.
- Testing with Security Dynamics ACE/Server Radius (also known as SecurID). Their radius server is very limited, but Radiator can proxy to it fine, and handles the Access-Challenges that are used to set and change PINs etc.
- Testing with Freeside, a free Unix based ISP billing package. Example freeside.cfg created.
- Forgot to mention previously the addition of several hooks that allow you to get control with your own perl code during authentication: PreClientHook, PreHandlerHook and PreAuthHook, PostAuthHook.
- Changed the default Framed-IP-Address in radpwtst.
- Fixed problem with cached attributes that meant that when a username was rewritten, it was not actually changed in the packet, which made the detail file log incorrectly.
- Added “delete session” link to radwho.cgi so that bogus sessions can be manually deleted.
- Added AuthBy GROUP, which allows authentication clauses to be bundled and grouped to any depth. Its intended for experimenters and early adopters. It only understands AuthByPolicy, StripFromReply, AddToReply, DefaultReply so far. Feedback is solicited.
- Fixed some bugs in radpwtst -gui mode that caused locked windows, false timeouts etc. Now works with Perl 5.005 and Tk800.011 on Unix. Still doesnt work on Win95 (looks like Tk file handlers are still not right on Win95).
- Fixed problems with wtmp format on Linux that prevented who and last from working.
- Created mysqlCreate.sql which correctly builds indexes for mysql.
- Added indexes to all SQL scripts in goodies
- Can now define AuthBy clauses at the top level, and refer to them and reuse them with the AuthBy parameter. Good for reusing complicated SQL database definitions (and reducing the number of SQL licenses required. From a suggeestion by Stephen Roderick (steve at proaxis.com). Thanks Steve.
- Added support for binary data type in dictionaries. Especially for use in Proxy-State which can otherwise get trailing NULs stripped off.
- radwho.cgi now shows the total number of users online, and optionally presents a hotlink to force a user off a NAS, by calling an external progam you specify (not supplied).
- Added NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS. From patches supplied by Vincent Gillet (vgi at oleane.net). Thanks Vincent.
- Makefile.PL can now do installation on Win95 hosts. No need to use make any more on Win95 (many people don’t have it).
- Added LocalAddress to AuthRADIUS, which forces the proxy forwarding port to bind to a particular address. Defaults to the same as BindAddress. Useful for multi-homed hosts. Patch supplied by Lars (lmb at pointer.teuto.de). Thanks Lars.
- Improved performance of all Hooks by precompiling the code. From a suggestion by Lars (lmb at pointer.teuto.de). Thanks Lars.
- Improved robstness of the session databases in the face of lost stop packets. Now a stop packet will always remove any previous session that we thought was on that NAS/Port combination. This will make the session database “self-healing”. Your existing DBM session database will have to be deleted: the database format for DBM is changed. The table format for the SQL session database is the same, but the indexes have changed: you should probably recreate them if you are using SQL. Also changed radwho.cgi to be compatible with new DBM database format.
- Expiration now understands dates of the form dd/mm/yy(yy), since some SQL databases produce dates in that form.
- Improved robustness of SQL connections, and reconnection during database outages. Prevent crashes when MS-SQL disconnects.
- SQL does not use ping anymore, and will therefore work with DBD-ODBC 0.20 and MS-SQL. Its also faster.
- Included Vincent Gillet’s AddToReplyIfNotExist.patch to the goodies directory. This patch adds attributes to a reply _only_ if they dont already exist. Thanks Vincent.
- Testing on Red Hat 5.2. No changes required.
- Testing with Interbiller 98, a resonable, inexpensive ISP billing package. goodies/interbiller.cfg created.
- Added FramedGroup for all AuthBy clauses, similar in behaviour to Framed-Group, but applying to all requests accepted by an AuthBy clause. Contributed by Garry Shtern (shterng at akula.com). Thanks Garry.
- Testing on Rhapsody. OK, but building MD5 is non-standard. See the FAQ for details.
- Fixed problem where accounting info would be stored twice if the Handler forked (such as AuthBy IPASS)
- Fixed typo in AuthBy IPASS that prevented Acct-Session-Time being properly sent to IPASS.
- Fixed a problem in SessSQL.pm, where if a session proved to be bogus, SessSQL tried to delete a different session. Reported by Andrea Campi (andrea at planet.it). Thanks Andrea.
- Added contribution from Todd A. Green (tagreen at ixl.com): a new sorter in radwho.cgi that will sort by IP addresses and mixed Alpha-numeric NAS-Ports (eg for USR/3COM ). Thanks Todd.
- AuthBy UNIX now correctly uses the password file and group file when checking for primary group membership, instead of using getpwnam etc.
- AuthBy PLATYPUS now honours AcctColumnDef. It allows you to log extra columns from Accounting Stops in the same was as AuthBy SQL. Suggested by Ricardo Freire (ricardo at allways.com.br). Thanks Ricardo.
- Testing with DBI Proxy from Unix to NT. OK.
- Added AccpetIfMissing paramter to AuthBy FILE and AuthBy DBFILE. it will automatically accept a user if they are not in the users file. If they are in the users file, it will accpet them if and only if their check items pass in the ususal way. Useful for applying additional checks on a subset of your user population.
- Added FramedGroupMaxPortsPerClassC to Client, so you can compute Framed-IP-Address on a NAS with more than 255 ports.
- Example config to work with Freeside, a free ISP billing package for Unix. See goodies/freeside.cfg
- AuthBy SQL and PLATYPUS now use the DBI quote function to correctly handle quotes embedded in string data that is inserted with an AcctColumnDef.
- Support Shiva LanRover sim-use detection using finger. Also added detection of config errors for all uses of finger, and runtime errors with snmpget.
- Fixed a problem with Ascend binary filters: if the ‘drop’ keyword was used, it would build an invalid filter.
- AcctColumnDef will not insert attributes that are not present in the request. Previously, it would insert NULL, which upset peoples ability to define column defaults, and to build indexes.
- Added VSAs for ACC to dictionary. Courtesy Ingvar Berg (ERA) (Ingvar.Berg at era.ericsson.se). Thanks Ingvar.
- Added NasType AscendSNMP that will check Ascend with SNMP instead of finger.
- Added nasclear.cgi to goodies directory. Its a CGI script that shows all the unique NASs in your SQL Session Database, and allows you to clear all sessions for a NAS. Contributed by Aaron Holtz (aholtz at bright.net). Thanks Aaron.
- Default behaviour when no handler is found changed from IGNORE to REJECT.
- Auth-Type=Reject now correctly propagates properly back through chains of authenticators. Previously if the chain was more than 1 deep, an immediate reject would be turned back to an ordinary rejection. Thanks to Aaron Holtz for reporting this one.
- Fixed a problem with AuthEXTERNAL that prevented it working properly on NT. Also made example config file and example external program for EXTERNAL in goodies, demonstrating the protocol for passing and receiving attributes.
- Added optional format argument to AcctColumnDef, so you can set up SQL-specific conversions etc.
- PostAuthHook is now given a third arg saying what the result of the authentication is.
- Completed support for SHA encrypted password. Contributed by Justin Daminato (jd at ozemail.camtech.net.au)
- Quoted Check and reply items can now have escaped octals in them like
Tunnel-Server-Endpoint = “\000191.165.126.240 fr:20”
(thats a NULL as the first octet in the string) Which is useful for adding tags to the front of Tunnel attributes like the above. - Added AuthBy LDAP2, which uses Net::LDAP from perl-ldap-0.09 or better. The previous version AuthBy LDAP is now deprecated (since the Net::LDAPapi it uses is now deprected).
- Added DecryptPassword parameter to AuthBy EXTERNAL, which makes it decrypt User-Password before passing it to the external program.
- Testing with Bay Annex Server and tunelling, with the help of Stephen Ollis. Thanks Stephen.
- Now handle Prefix and Suffix check items.
- Added now AcctColumnDef type “formatted-date” that uses Date::Format to build arbitrary date formats. Especially useful for Oracle’s odd date behaviour:
AcctColumnDef TIME_STAMP,Timestamp,formatted-date,to_date\ ('%e %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')
- AcctColumnDef type integer-date now formats dates in the format ‘Sep 3, 1995 13:37’, ie the full year including the century is now included. Previously it would do ‘Sep 3, 99 13:37’ and was not Y2K compliant. If this breaks your accounting table, consifer using the new formatted-date type described above.
- Revision 2.12.1 (21/10/98) Minor release for some desperately required features.
-
- Added support for Ascend’s Tunnel-Password according to http://ftp.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-06.txt
- AuthBy RADIUS now supports multiple Hosts. It will try to forward to the each host in the list until it gets a reply from one, or until the list is exhausted.
- Fixed a bug that causes a crash when Handlers are tested.
- radpwtst now generates its default identifier from the current time, which causes less confusion if you dont have DupInterval set to 0.
- New version of IpassPerl that checks the ipass libraries are installed before the Makefile is built.
- Added -t dbmtype flags to builddbm and buildsql to force them to use a certain DB file format, instead of to accept the “best” one that AnyDBM_File would choose. Can also configure radwho.cgi SessDBM.pm and AuthDBFILE.pm to easily specify the type.
- Fixed problems with MS-SQL 7 and AuthBy EMERALD, where integers such as account_id and attribute numbers are read as floating point.
- Fixed a Y2K compliance issue in formatSQLDate.
- Revision 2.12 (17/10/98) Major new features and some bug fixes
-
- Added <SessionDatabase SQL>, so the external session database can be in SQL. This might be useful to coordinate multiple servers for Simultaneous-Use limits via SQL, or perhaps just to keep a “who is online” database handy. Also added radwho.cgi so you can see the current contents of a DBM or SQL Session Database.
- Added new <Handler> class that allows you to choose how requests will be handled depending on any attribute of the packet, not just the realm. You can still use Realm; its backwards compatible. Realm is now a superclass of Handler, and Handler understands all the same parameters as Realm.
- New AuthBy parameter DynamicCheck allows you to do % substitutions on check items prior to authentication. Now recognise DynamicReply as a synonym for Dynamic. Suggested by Tim Young (Tim_Young at compuware.com).
- Removed hard-coded Radius attribute names from the code.
- Performance improvements in attribute fetching.
- Testing with OpenLinkODBC/iODBC for connectivity between Unix and MS-SQL without using Sybase client libs. Documentation in faq.html.
- Default location for pid file changed from /tmp/radiusd.pid to %L/radiusd.pid as a security measure. Suggested by Andres Kroonmaa.
- SQL AccountingTable can now contain special formatting characters table names based on the current year and month might be very useful. Suggested by Nicholas Barrington (nbarrington at smart.net.au).
- Fixed a problem that would prevent proxy working after a HUP.
- Fixed 2 bugs identified by Andres Kroonmaa (andre at ml.ee) in AuthBy SYSTEM and AuthGeneric that prevented Group membership check items working in SYSTEM, and sometimes with DEFAULTs. Thanks Andres.
- Fixed problem with signals on Win95 that prevents radiusd surviving as an NT service.
- Fixed some typos in AuthPLATYPUS that caused crashes to do with formatSQLDate.
- Fixed some problems with protocol and service specifications in Ascend Binary filters. Reported and diagnosed by Peter Chow. Thanks Peter.
- Dont die if the log file fills up.
- New parameter DomainController in AuthBy NT allows you to force it to use a particular Domain Controller, instead of asking on the network.
- AuthIPASS, AuthEXTERNAL, AuthTEST and AuthNT did not honour StripFromReply, AddToReply or DefaultReply.
- Added code contributed Nicholas Barrington (nbarrington at smart.net.au) to AuthSQL. Implements AccountingStartsOnly, and AcctSQLStatement, which allows you to execute arbitrary SQL statements for each accounting reqest.
- Auth-Type=Reject now does an immediate reject: it will not fall through to any following DEFAULTs.
- Added AcctLogFileFormat, so you can control the format of the accounting log file.
- Fixed AuthGeneric so it wont leave zombie processes around. This mostly occurred with AuthBy IPASS.
- Fixed a bug that prevented Total Control online checking from working properly.
- Added SocketQueueLength parameter, so you can adjust the radius socket queue lengths.
- Removed all uses of non-blocking IO, since too many operating systems dont support it properly.
- Cleaned up test.pl. Regression tests now run on Win95 and NT. Adjust documentation to suit.
- Changes so AuthNT will work with ActiveState perl.
- Added support for Bay to Nas.pm. Can now use Simultaneous-Use with Bay NASs.
- DefaultReply was not getting % variable interpolation.
- Cloned AuthBy LDAP into AuthBy LDAPSDK, which works with Netscape’s new PerLDAP module and the latest LDAP SDK. PerLDAP is readily available as a downloadable module for ActiveState perl on NT. This is the easiest way to get LDAP working on NT without compiling your own modules.
- PasswordLogFile now includes the current date and time in easy-to-read format, as well as in Unix seconds.
- Documentation for RewriteFunction.
- Fixed memory leak in AuthRADIUS that affected packets that are proxied and then exceed their retransmit count.
- The log file directory will now be created if it does not exsit. This makes it easy to have log files rotated into different directories.
- Fixed problem where Simultaneous-Use would not work properly if you had Clients defined by DNS name instead of IP address.
- Tested Platypus in RadiusNT compatibility mode against AuthBy EMERALD. Works fine.
- AuthUNIX did not removed cached passwords if the user was removed from the password file.
- Fixed a leak that affected some integer attributes during proxying on Perl 5.004.
- Revision 2.11 (16/8/98) Major new features and some bug fixes
-
- Applied some patches from Aaron Nabil that should have made it into 2.10: correction to users file with correct hiperarc filter syntax
fix for hiperarc not sending nas_id
patch to ignore false dupe hiperarc sends on restart
fix to separate identifiers for different ports - Implement Auth-Type = Reject and Auth-Type = Ignore check items.
- Patch from Shawn Instenes (*shawni at teleport.com) to log more details of requests with bad authenticators.
- Latest version of USR dictionary in dictionary.usr.
- Standardised spelling of Van-Jacobson in all dictionaries.
- Added patch from Aaron Nabil (nabil at spiritone.com) for hex dump of packets at trace level 5.
- Fixed bug with %C on some platforms that did nothing.
- Be tolerant of trailing white space in check and reply items
- Added -v flag to buildsql to print out all SQL statements issued.
- AuthBy SQL now ACCEPTS Accounting requests if no accounting table or columns is defined. It used to IGNORE, which was not very helpful.
- test.pl now runs the test server on ports 9721 and 9722 so you can test on a live box. Thanks to a suggestion from Andres Kroonmaa (andre at ml.ee)
- AddToReply and StripFromReply have been moved from RADIUS to Generic, so any AuthBy can use them now.
- Check and reply items now silently ignore empty attr-val pairs
- SQL database access has been abstracted out to a separate inheritable module SqlDb.pm, which has the database connect/reconnect and execute code in it. This will allow it to be reused to support SQL session database, client lists etc one day.
- Rolled in AuthColumnDef mods contributed by Lars (lmb at teuto.net) in AuthSqlEXT.pm (which is therfore now obsolete). You can now have arbitrary check and reply items in multiple columns in your user database. For backwards compatibility, if no AuthColumnDef is defined, it will assume Password, Check Items, Reply items, backwards compatible with previous versions.
- Fixes to AuthNT.pm so that it will correctly authenticate in the face of apparent errors that really mean that password policies are in force.
- Added DefaultReply for all AuthBy, which specifies attributes to be returned only if they have none of their own. Contributed by Phil Freed (pfreed at cyberTours.com). Thanks Phil.
- Added NIS+ authentication with AuthNISPLUS.pm
- Following requests from Stephan Forseilles (sf at skynet.be) and others, added include file processing to config files. Thanks for the suggestion.
- Altered Radius.pm, so it would not die due to badly mangled VSAs sent by 3COM Netserver cards at startup. Thanks to Aaron Nabil for helping to identify this one.
- Mods to all executables so they will get the modules in the current directory in preference to any installed ones.
- Some changes to radacct.cgi so it will work with SQL too. Not easily configurable, and not documented yet, but it works. Improvements are scheduled for later.
- Fixed a bug with %{Attribute-Name} macros that could cause a crash.
- Packet dumps at trace level 4 and 5 are now logged to the log file instead of only being printed to stdout.
- AuthBy LDAP now produces more debuggin and error messages. Its now robust in the face of the LDAP server stopping.
- Support optional encrypted passwords in databases where a plaintext password is normally expected. Supported formats are now like
- unix crypt “{crypt}1xMKc0GIVUNbE”
- Netscape SHA encryption “{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=”
- Linux MD5 password encryption “$1$cTpht$Obu9PLSMst1TDou.mN5bk0”
- Plaintext
- Added SSL support for LDAP. This is not supported on the Umich LDAP, as SSL is not supported there. You will need the Netscape SDK if you want SSL support.
- SIGUSR1 increases trace level and SIGUSR2 decreases it for radiusd (suggested by Andrea Campi).
- New AuthBy SYSTEM that authenticates with getpwnam and getgrnam from whatever your systems underlying username database is. This allows you to hide the authentication system whether its password files, NIS+, PAM or whatever else might be installed on your system. Not supported on Win95 or NT, or on systems with shadow password files.
- Timestamp was being adjusted in the wrong direction by Acct-Delay-Time.
- A few lingering “warn”s were changed to LOG_ERR.
- Permit line continuations within a configuration file with \. After a suggestion by Richard Lennerts.
- Can now do RewriteUsername on a global or per-Client basis as well as per-Realm.
- New check item NAS-Address-Port-List specifies a file that contains a list of permitted NAS/Port combinations for the user.
- Can now use the new Client parameter IdenticalClients to congure a large number of identical client configurations
- Applied some patches from Aaron Nabil that should have made it into 2.10: correction to users file with correct hiperarc filter syntax
- Revision 2.10 (13/7/98) Major new features.
-
- Now works with Emerald (http://www.emerald.iea.com), both authentication and accounting. Includes a new EMERALD AuthBy module and example config file in goodies/emerald.cfg
- Now works with Platypus (http://www.boardtown.com), both authentication and accounting. Includes a new PLATYPUS AuthBy module and example config file in goodies/platypus.cfg
- Generalised the Session Database for Simultaneous-Use limits. There is now a SessGeneric.pm abtsract class and SessINTERNAL and SessDBM implementations. This means you can now enforce Simultaneous-Use limits across multiple instances of Radiator. The code structure is similar to the Auth… modules, and adding new database formats is fairly simple. The default is INTERNAL as before.
- Added support for Connect-Rate check item, that specifies a max Connect-Info speed permitted for the user.
- Added automatic IP Address allocation with new FramedGroupBaseAddress parameter in Client, and new Framed-Group pseudo-reply item.
- Accounting packets now always get a Timestamp added to them when received. (Suggestion of Guilherme Maranhao (guiga at rio.com.br))
- Some minor changes to Realm.pm to make it a bit more economical of memory.
- Added patch from Aaron Nabil (nabil at spiritone.com) which provides new -bind_address argument to radiusd and BindAddress parameter that allows radiusd to only bind to a single address for multi-homed hosts. Thanks Aaron.
- Added patch from Aaron Nabil (nabil at spiritone.com) which provides SIGTERM handling to shut down cleanly. Thanks Aaron.
- Changed a number of ‘die’s into ‘warn’. We now try very hard never to stop unless its completely impossible to go on.
- Added PasswordLogFileName to Realm. If defined, every login attempt will be logged to the file. Useful for your help desk to diagnose user login problems. Based on a request from Stephan Forseilles (sf at skynet.be).
- Fixed a bug in Radius::unpack. Malformed radius packets could cause an infinite loop that would exhaust all memory.
- Redid performance tests in a more realistic environment, resulting in significant improved throughput figures.
- Added detection of Livingston reboot messages (a Start with Acct-Session-Id = ‘00000000’)
- Added realtime online user detection for Ascend (with finger), Computone (with finger) and Cisco (with snmp)
- Added general attribute replacements, so that for example %{Framed-IP-Address} is the same as %a. Contributed by Lars (lmb at pointer.teuto.de). Thanks.
- AuthRADIUS now logs IP addresses instead of binary. Contributed by Kurt Jaeger (pi at complx.LF.net)
- SQL Accounting can now convert Timestamp values into SQL dates.
- Upgraded dictionary.ascend to be in line with latest from Ascend.
- Tested LDAP on NT with the NETSCAPE DIRECTORY SDK 1.0 and the Net::LDAPapi Windows NT Binaries v1.40 from http://www.wwa.com/~donley/netldap.html
- AuthBy FILE and AuthBy DBFILE can now use per-request replacements like %n in their Filename. Thanks to Paul Rhodes (paul at atlas.net.uk).
- Implement Ascend-Send-Secret reply item. Thanks to Paul Rhodes (paul at atlas.net.uk) for this contribution.
- Changed default DupInterval to 60 secs.
- Altered all DBM accesses to use AnyDBM_File, which will choose the ‘best’ format DBM file availble on the host machine.
- New AuthSQL parameter AccountingStopsOnly, which make SQL only log Accounting Stop requests: all other accounting requests are accepted but not logged.
- Testing with postgreSQL, documentation.
- radacct.cgi now uses CGI.pm, instead of cgi-lib.pl, for better portability.
- Revision 2.9.1 (23/6/98) Minor bugfix release
-
- Fixed bug that altered username in the request when cascading from AuthBy SQL to any other AuthBy method. This only affected cascaded authentications where SQL was not the last method.
- Altered dictionary.ascend so that Password appears as User-Password, which fixes authentication problems with that dictionary.
- Applied patch from Aaron Nabil (nabil at spiritone.com) to issue warnings when dictionary integer artributes are missing.
- Removed some perl5.004 features that inadvertently prevented radiusd running on 5.003.
- Fixed a memory leak in RDict.pm
- Revision 2.9 (14/6/98) Mostly new features:
-
- Added restartWrapper to goodies. Can be used to automatically restart radiusd (or any other program) if it stops unexpectedly and optionally email someone.
- radiusd can now be started automatically by (x)inetd: if stdin is a socket, it assumes it is running under inetd and uses stdin as the authentication port socket.
- Fixed test.pl so radiusd will not incorrectly load previously installed library modules.
- In AuthSQL, If the password (or encrypted password) column for a user is NULL in the database, then any password will be accepted for that user.
- AuthNT now honours the NT account disabled flag. If you check the “Account Disabled” checkbox in the NT User Manager, they wont be able to authenticate. Also AuthNT correctly queries the right Domain Controller, and Group membership is checked against the Global Group (not the Local Group).
- Some NASs append a NUL to string attributes, contrary to the spec. We now always strip trailing NULs from incoming string attributes.
- Can now have any number of RewriteUsername lines in a Realm. The rewrites are applied in the order they appear in the config file.
- radacct.cgi now has a secure option that allows your customers to see only their own usage details on a web page
- Added RewriteFunction to Realm to define a function that will rewrite user names. If defined, its used in preference to RewriteUsername.
- AuthBy UNIX was incorrectly reading the password file twice at startup. Thanks to tom at interact.net.au for reporting this.
- Now can have any number of AcctLogFileName in each Realm, which allows you to have muktiple log files for each realm. Thanks to shawni at teleport.com for this patch.
- AuthBy FILE and AuthBy UNIX now reread and cache their files if their modification time changes while the server is running. AuthBy UNIX now honours Nocache too.
- Now handles Accounting On and Off messages. Accounting On clears all the sessions from that NAS. Radpwtst is also able to send Accounting On and Accounting Off now. Contributed by nabil at spiritone.com. Thanks Aaron.
- Added SNMPCommunity to Client. Thanks to Andrea Campi (andrea at webcom.it) for the suggestion.
- Added AccountingHandled from shawni at teleport.com. This forces Radiator to reply to Accounting request even if they would have been ignored. Useful for ignoring Accounting requests while keeping the NAS happy. Thanks Shawn.
- Now works with clients that dont provide RFC 2138 compliant passwords (some clients, notably some versions of radcheck, dont pad passwords to 16 bytes like they should)
- Added %a to special formatting characters for the Framed-IP-Address of the current request (if any) (Contributed by nabil at spiritone.com)
- Added new attributes to AuthBy. UseAddressHint forces Radiator to honour a Framed-IP-Address in the request unless it is overridden by a Framed-IP-Address in the reply items. Dynamic specifies reply attributes that will get run-time variable substitution. Both of these contributed by nabil at spiritone.com, and can be used together with the new %a to build anti-spoofing filters.
- New AuthBy modules contributed by nabil at spiritone.com are included in the goodies directory for exact Livingston user file compatibility (AuthCOMPAT.pm) and for Digital Unix NDBM passwd files (AuthDBUNIX.pm). Thanks a heap Aaron!
- Added new Realm attribute: AuthByPolicy allows you to control the behaviour of cascaded authentication modules.
- buildsql now can build an SQL database out of flat files and DBM files, as well as Unix password files.
- Revision 2.8 (7/5/98)
-
- Added IPASS authentication. Supports both outbound and inbound authentication and accounting with iPASS
- Added Simultaneous-Use check item for users, which can be either an integer or a filename that contains an integer.
- Added real interrogation of NASs for Simultaneous-Use verification, similar to Cistron. New Client config parameter NasType added. New global config parameters SnmpgetProg, FingerProg PmwhoProg, LivingstonMIB, LivingstonOffs and LivingstonHole added.
- Revamped the SQL accounting table specification to be more regular and scalable. Now specify one or more AcctColumnDef lines to specify the attributes to be stored, the column names to store them in and optionally a data type. Thanks to Phil Freed for the original idea and code.
- Most check items can now be perl regular expressions too.
- Attribute-value parser is smarter: can now have embedded commas and escaped qouble quotes inside check and reply items
- Added Time check item to support multiple time bands on different days like: Time = “MoTuWe0800-1530,Wk2200-0400”
- Added more debugging info
- Added new Fork parameter which forces authentication modules to fork before handling the request. Use with care.
- Added -timeout argument to radpwtst
- Tested ODBC with Oracle and Sybase on Solaris with Intersolve DataDirect ODBC manager and Microsoft SQL 6.5 on NT.
- Testing with the latest version of DBD for mSQL and mysql from Msql-Mysql-modules-1.1828. Older versions named like DBD-mSQL-0.65 did not work properly when getting the names of fields from a select which would break the new accounting table behaviour in AuthSQL.pm
- Added Client DefaultRealm for handling realmless request on the basis of which NAS they arrived on. Thanks to Phil Freed for the code.
- Added Table of Contents in reference manual.
- Revision 2.7 (18/4/98)
-
- Added AuthBy EXTERNAL, which allows requests to be handled by an external program whose command line you can specify.
- Added chaining of AuthBy modules: You can now specify more than one AuthBy clause for a Realm, and it will try each one in turn until one succeeds (ie returns other than IGNORE). This is especially good for recording proxied accounting requests to SQL.
- AuthBy handlers can now return CHALLENGE for an Access-Request, which will cause an Access-Challenge to be replied.
- Testing with Sybase, created a sybaseCreate.sql. Documentation for Sybase.
- Applied patches from Steve Davies to fix interop problem with Merit 3.5.6. Thanks Steve.
- Latest version of USR dictionary.
- Handling of Group check items now conforms to Lucent and Cistron behaviour: for cascaded UNIX modules the /etc/group file is checked. The old behaviour that checked for the Group in the reply items is not supported now. Added new GroupFilename to UNIX module.
- Added Group handling to NT module: it uses LocalGroupIsMember to determine whether the user is in a Group if a Group check item is specified. Documentation and faq entry.
- Added buildsql utility, which can create and update an SQL database from a UNIX password file (DBM file or flat files coming soon).
- Revision 2.6 (5/4/98)
-
- Added Windows NT authentication.
- Added support for Ascend abinary type attributes, as used in Ascend-Data-Filter and Ascend-Call-Filter, both in and out. Includes the new IPX filter support.
- Added support for USR/3COM vendor-specific attributes
- Updates to some dictionaries
- The value for VENDORATTR in dictionaries can now be hex or decimal.
- Radius.pm now uses main::log consistently
- Fixed memory leak in Select that affected timeouts.
- Revision 2.5 (28/3/98)
-
- Added CGI script for usage summaries of accounting logs, including drill-down to per-user and per-session details. Useful for billing summaries, or for investigating service problems.
- Removed code from builddbm that made it grow in size according to how many users in the database. It now stays the same size, regardless of how many users.
- FAQ was missing from distribution
- radpwtst now increments session_id after each Accounting Stop
- Minor changes to dictionary for ascend compatibility
- Added support for multiple databases and fallback to SQL
- Fixed bug that prevented StripFromReply working properly
- Fix interoperation problem with Merit: if reply with Proxy-State but not Proxy-Action, Merit might crash. Now we reply with Proxy-Action if it is present in the request.
- Revision 2.4 Production Release (14/3/98)
-
- Added StripFromRequest, AddToRequest, StripFromReply, AddToReply to AuthBy RADIUS.
- Radpwtst: fixed bug on Linux which prevented waiting for replies if an ICMP bad port message arrives.
- Added %t for current time in special formatting characters
- Ensured detail file output is Radius compliant by quoting strings.
- Improved and enlarged documentation.
- Revision 2.3 (6/3/98)
-
- Fixed bug that made users fall throught to DEFAULT if they existed but authentication failed, even if Fall-Through not set.
- Add time-of-day blocking with Block-Logon-Until and Block-Logon-From check items.
- Added PDF documentation.
- Improved level of DEBUG detail produced when authentication fails. Makes debugging authentication much easier.
- Added Graphical User Interface option to radpwtst. Test your server configuration with the click of a button on Unix. (not quite working on PC yet).
- Revision 2.2 (1/3/98)
-
- Fixed bug in LDAP that causes it to always authenticate if the case of the password attribute is not correct.
- Improved error reporting in radpwtst if no dictionary found.
- Major rationalisation of Auth* hierarchy. There is now a common superclass AuthGeneric that all Auth modules should inherit from.
- Added DEFAULT user handling with Fall-Through. Multiple DEFAULT entries are handled. DEFAULT entries are processed in order until one is found that matches and does not have Fall-Through set to yes. Works for FILE, DBFILE, LDAP, SQL.
- Added handling of Auth-Type check items, which passes authentication to another AuthBy module named with an Identifier parameter. You can therfore cascade from FILE to UNIX to be compatible with other servers or from say FILE to RADIUS to ensure some reply items always go to the NAS irrespective of a downstream servers setup. This is a very deep and verastile feature.
- Revision 2.1 Beta (7/2/98)
-
- Beta revision for external testing
- Revision 1.9 (20/1/98)
-
- Internal alpha testing