Radiator revision history for release 2
Revision 2.19 (27/10/01) RSA SecurID certification, SQL->Radius proxying
- Received RSA SecurID Certification, based on 2.19alpha.
- New AuthBy SQLRADIUS provides proxying based on an SQL table. Looks up the target RADIUS server from an SQL table that can depend on Realm, Called-Station-Id etc. Complicated indirect target mapping is also supported. Useful for managing large numbers of remote servers, such as in a wholesale ISP. Example tables in goodies/*.sql, plus example config file in goodies/sqlradius.cfg. Obsoletes goodies/AuthSQLRadius.pm.
- New AuthBy INTERNAL allows you to handle different types of requests in fixed, parameterised ways.
- Ships with a beta version of the command line utility radwho.pl.
- New version of PPM package for Authen-ACE4 works on NT and Win 2000 with AceAgent 4.4.
- Detailed install and test instructions for AuthBy ACE in goodies/ace.txt.
- Added MainLoopHook which is called once per second during the main dispatch loop.
- New NASType of Portmaster3 uses SNMP. Contributed by “Griff Hamlin, III” (griff3 at quik.com). Thanks Griff.
- Fixed a problem with timers persisting through a HUP or reset. Identified by “Mariano Absatz” (radiator at lists.com.ar).
- Improvements to Linux startup script so it can be used with chkconfig on RH7.1. Contributed by Levent Sarikaya (levents at de.colt.net).
- Added -interactive flag to radpwtst, allowing easy testing with authentication methods like AuthBy ACE that use multiple Access-Challenge and State attributes to manage an authentication conversation.
- Tested Oracle RADIUS authentication: Oracle 8 can authenticate Oracle users through RADIUS. Note: Oracle always upper-cases user names. See the Radiator FAQ for more details.
- goodies/sybaseCreate.sql did not drop RADLOG.
- In SessionDatabase SQL, empty DeleteQuery is now handled properly.
- Fixed a problem with AuthBy EMERALD, where user and service radius attributes were not properly extracted from the database.
- Fixed a problem with EAP that prevented correct operation with Windows XP. Found and fixed by Travis Hume (travis.hume at tenzing.com). Thanks Travis.
- Added ShutdownHook which is run just before exiting after a SIGTERM. Suggested by Robert Thomson (sirrmt at dingoblue.net.au).
- Testing with BillMax 1.5.4 on RedHat 7.1. Added example goodies/billmax.cfg and goodies/billmax.txt.
- Fixed problems with EAP code that caused requests with Message-Signature and no EAP-Message to not be handled properly.
- In Handler.pm, removed an unnecessary call to time(); $p->{RecvTime} is used instead.
- In AuthBy EMERALD, all SQL queries are now configurable.
- Reply item MS-CHAP-MPPE-Keys was previously assumed to contain an encoded and encrypted session key. Now, if the length is not exactly 24 octets, Radiator will generate, encode and encrypt 2 session keys based on the given value. Tested with the patient assistance of “Andre D. Henry” (andre at go-net.com). Requires Digest::MD4.
- Added AutoMPPEKeys parameter to AuthBy, so that if you are doing MS-CHAP authentication with plaintext passwords, and your NAS requires MS-CHAP-MPPE-Keys in the reply, then setting this parameter will force Radiator to automatically reply with MS-CHAP-MPPE-Keys set from the plaintext password.
- AuthBy RADMIN now understands and honours EncryptedPassword parameter, so it can be used with Radmin Unix encryption.
- Added StripFromRequest and AddToRequest parameters to Handler and Realm.
- Added new SQL AcctColumnDef type ‘literal’ that lets you build columns literally. No quotes are applied.
- AuthBy NT now honours the Fork parameter, which can be useful on Windows, where checking bad passwords is deliberately slowed down by Microsoft. Contributed by Robert Thomson (sirrmt at dingoblue.net.au). Thanks Robert.
- AuthRADIUS.pm now has virtual function noreply() that is called if there is no reply from any target hosts. Default behaviour is to call the NoReplyHook if there is one.
- Added new global parameter DefineFormattedGlobalVar like DefineGlobalVar but which honours special formatting characters. DefineGlobalVar is now deprecated, and will be removed one day.
- In AuthBy SYSTEM, numeric Group check items are now permitted as well as symbolic group names.
- In AuthBy LDAPSDK, LDAP and LDAP2, the reply packet is now passed to PostSearchHook as $_[5].
- Added VALUE definitions for MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types values to dictionary.
- In AuthBy SQL, improved recovery after a failed AcctSQLStatement.
- Added Tunnel-Client-Auth-ID and Tunnel-Server-Auth-ID and IETF-Token-Immediate to dictionary.
- Added AddToRequestIfNotExist parameter to Handlers and Realms.
- AuthBy RADIUS now also honours AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly.
- Added new pseudo reply item Exec-Program which runs an external program only if the user successfully authenticates. Similar to Exec-Program in Cistron. Suggested by “Klaas Koopman” (klaas at isd-holland.nl).
- Improved text of error message for unknown standard attributes.
- Improved duplicate detection in the case (such as Lucent TNT) where the Nas-IP-Address is not necessarily constant. Patch contributed by b.grange at libertysurf.fr.
- hostname.pl utility renamed to radhostname.pl, due to naming conflict with standard hostname.pl library file detected during make install.
- dictionary.redback had DOS CRLF characters in it. Removed.
- Improved detection of NAS reboots; the session is now correctly added even if it is session ID 00000000.
- Improvements to test.pl allow selection of individual test sets with the -tests flag.
- More liberal prerequisite for Digest::MD5. Version 2.02 tested OK.
Revision 2.18.4 (9/9/01) Fix one significant problem, new features.
- Fixed yet another problem with SessSQL DeleteQuery, which caused the username to be used instead of the NAS id. This significant problem has prompted an earlier release than usual.
- All code now uses Digest::MD5 instead of MD5, and works with all versions of Digest-MD5. Caution: old installations may require Digest::MD5 to be installed.
- Added goodies/pam-kerberos.cfg showing how to auth from Kerberos via PAM on Unix.
- New Context class provides temp keyed storage with automatic timer based destruction. Useful for holding context between related requests that are not guaranteed to arrive.
- Added new ppm directory to distribution containing pre-built Windows PPM packages for hard-to-build perl modules, such as Authen-ACE4 (required by AuthBy ACE).
- Added cisco-VPNPassword and cisco-VPNGroupInfo to dictionary.
- Fixed a problem with RDict::attrByNum returning a ref instead of an array if the attribute is undefined.
- Fixed a problem in Mib.pm that caused some SNMP clients to think they got no reply from an SNMP set operation. Reported by “Mariano Absatz” (radiator at lists.com.ar).
- Added -c argument to radiusd, exits after reading and parsing the config file. Suggested by “Todd Dokey” (tdokey at inreach.com). Thanks Todd.
- Added documentation to goodies/ace.cfg about how to install Authen-ACE4 binary PPM package for Windows.
- Added Alteon VSA’s to dictionary, contributed by Colin D. Easton.
Revision 2.18.3 (30/8/01) Significant new features, some bug fixes
- Added EAP support for OTP and MD5-Challenge, works with AuthBy OPIE and any authentication database with plaintext passwords (eg AuthBy FILE, AuthBy SQL, etc). Extensible mechanism in EAP.pm permits new EAP protocols to be added.
- Added support for improvements in RAdmin 1.5, including Service Profiles and arbitrary per-user and per-service RADIUS check and reply items. Caution: the default AuthSelect has changed.
- Added beta version of AuthBy ACE, permitting authentication direct to a SecurID ACE server, instead of proxying. Certification by RSA is still pending. Example goodies/ace.cfg is included. Requires Authen-ACE4 perl module from Open System Consultants.
- Default behaviour of Log SYSLOG and AuthLog SYSLOG changed to log via Unix sockets. This works correctly with more syslog daemons. New parameter LogSock permits this to be changed.
- Added new command line argument -rawfile to radpwtst.
- SessionDatabase SQL DeleteQuery now has the column values of the record to delete passed as %0 to %4.
- Improvements to RPM packaging suggested by Gustav Foseid (gustavf at initio.no).
- Added AuthSQLStatement, similar to AcctSQLStatement: any number of SQL statements that will run before authentication. Patch provided by (talist at vif.com). Thanks!
- Performance improvements in tunnel password and mppe key encryption and decryption.
- All port parameters (eg AuthPort, AcctPort, Port, OutPort etc) may contain special formatting characters. A typical use of special formatting characters is with GlobalVar and command line arguments.
- Fixes to AuthBy EMERALD so that if HonourDNISGroups is defined but there is no DNIS in the request, or if HonourServerPortAccess is defined, but there is no Nas-Port in the request, the constraints are not applied.
- Improvement to AuthBy LDAP2 so that illegal characters in a user name won't cause disconnection from the LDAP server. Identified and patched by Carlos Canau (canau at keka.KPNQwest.pt).
- Added support for group check items to AuthBy PAM, for PAM modules that support the notion of a group (such as pam_teleid).
- Loading database export files now works regardless of whether the export file was generated on Unix or Windows.
- Logging of ‘Handling with $type’ now includes the Identifier of the AuthBy module.
- Added example code to goodies/asplog.txt: How to display Radiator SQL accounting logs with an ASP/VB script. Contributed by “Michael Audet” (audet at vectorcore.com). Thanks Michael!
- Fixed problem with AuthBy RODOPI that was broken by 2.18.1.
- Added support for Rcrypt reversibly encrypted passwords. Now your user database can contain passwords that are reversibly encrypted with a secret key. Radius::Rcrypt module provides encrypt and decrypt routines that can be used by any other code. Forthcoming version of RAdmin will also support Rcrypt encryption.
- Structural improvements to AuthGeneric, which allow some modules that previously implemented their own handle_request to piggy-back off AuthGeneric, saving lots of replicated code.
- Added CheckGroupServer and CheckGroup to AuthBy ADSI and AuthBy NT, so that you can set a Class in the reply that depends on which NT group the user is in.
- Primary key violation in MySQL and unique constraint violation in Oracle now does not cause disconnection.
- Added example configuration file prepaid.cfg showing how to implement a simple prepaid card system with an SQL database.
- AuthLDAP* now handles multiple LDAP attributes for check, reply and request AuthAttrDef. Multiple LDAP attributes will be added as multiple instances of the same RADIUS attribute. Contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
- In AuthBy LDAP, HoldServerConnection worked in reverse to the correct behaviour.
- Added Global and per-Handler UsernameCharset allowing you to easily specify what characters are permitted in a user name.
- In AuthBy RADIUS, Host names for remote servers can now contain special formatting characters.
- Added Acct-Input-Gigawords and Acct-Output-Gigawords to dictionary. Reported by Bruno Tiago Rodrigues (bofh at netc.pt).
- Improvements to sample Linux startup script. Now sources /etc/sysconfig/radiator if present, so you can put config file name and arguments there for preference. Suggested by Ted kandell (tedk at encotone.com). Thanks Ted.
- Added AuthLog SYSLOG, contributed by Carlos Canau (Carlos.Canau at KPNQwest.pt). Thanks Carlos!
- Added example hook to goodies/hooks.txt to extract special Cisco format NAS-Port information.
- Added Vendor-specific attribute Command-Code for Enterasys, contributed by “Separovic, Jason” (jseparov at uecomm.com.au). Thanks Jason.
- Fixed a problem where AuthBy UNIX or AuthBy FILE could fail to refresh a file if it could temporarily be stat’d but not read.
- Fixed a problem with Ascend binary filter attributes and UUnet: UUnet would only let 24 byte filters through, and not the newer format 26 bytes (and larger) filters.
- All file appends are now done by Util::append, which will facilitate threading or piping of logging in the future.
- Fixed a problem in ExcludeRegexFromPasswordLog.
- Fixed Radius::unpack so that Vendor Specific Attributes that contain multiple sub-attributes are unpacked correctly. Patch supplied by Roland Rosenfeld (rrosenfeld at netcologne.de). Thanks Roland!
- In radpwtst, Called-Station-Id and Calling-Station-Id are not sent if -called_station_id or -calling_station_id are set to empty strings.
- Fixed cosmetics in AddressAllocatorSQL ReclaimQuery, making ‘state’ uppercase. Suggested by Carlos Canau (canau at keka.KPNQwest.pt).
- Date formats recognised by Expiration and ValidFrom now include simple integer Unix epoch dates. Documented all the valid date formats.
- Added new pseudo check item ValidFrom that can specify the start of a valid time range.
- AddressAllocatorSQL FindQuery now supports special formatting characters including those from the current packet.
- RPM files are now ‘noarch’ instead of i386.
- Improvements to AuthBy LDAP2, contributed by Valentin Tumarkin (tv at xpert.com). NoBindBeforeOp prevents binding before every search operation. Added timeout on ‘LDAP BIND’ operation in ‘sub bind’. Fixes to properly close open LDAP connections after timeouts. Slightly more verbose error messages. Works with perl-ldap-0.24. Thanks Valentin!
- Timeouts have been generalised and moved to Util::exec_timeout. LDAP, SQL and Finger now use it.
Revision 2.18.2 (10/6/01) Minor fixes, EAP proxy support
- Added support for proxying of EAP packets. Requests containing EAP-Message and Message-Authenticator are correctly handled and Message-Authenticator is correctly recomputed with the Radius secret for the next hop.
- More testing with Freeside 1.3.0. OK.
- In AuthBy RADMIN, LogQuery will now not be run if it is defined as the empty string. The old string interpolation has been removed, so perl variables will no longer be interpolated into LogQuery.
- Fixed a problem with DHCP address allocation where multiple DNS server addresses would cause a crash.
- Configuration file flags now recognise ‘0’ and ‘no’ to turn flags off. Anything else (including empty string) turns a flag on.
- Changes to default logger configuration so that LogFile and Trace in the configuration file have immediate effect on the logger.
- Added Extreme VSA’s to dictionary.
- BaseDN in LDAP2 can now have special characters, which can be used to improve performance of LDAP searches (see the reference manual for more information about how). Contributed by Neale Banks (neale at lowendale.com.au).
- goodies/ad-ldap.cfg was accidentally left out of the distribution. Added.
- radpwtst now supports hex escapes etc in attr-value arguments, eg: radpwtst -noacct “EAP-Message=\x11\x12\x13\x14”
- Added -raw flag to radpwtst to allow the raw packet data to be passed as space separated hex: ./radpwtst -noacct -noauth -raw “01 02 03 04 05 06”
- radpwtst now searches for a dictionary, starting with ./dictionary and /usr/local/etc/raddb/dictionary
- Added rpm build spec in Radiator.spec.
- AuthBy SYSTEM with UseGetspnamf had problems with expiry dates of -1 on some systems.
- Provided RPM packages.
- Fixed a problem with identifiers in AuthBy RADIUS where 2 AuthBy RADIUS clauses proxying to the same host/port could get occasional identifier collisions.
- Removed interpolation of Perl variables in SearchFilter in AuthBy LDAP*, as promised previously.
- Added support for MS CHAP V2, and the MS-CHAP2-Success reply attribute as per draft-ietf-pppext-mschap-v2-00.txt and RFC 2548.
- In AddressAllocatorSQL, address ranges can now be specified in CIDR form, eg 192.1.1.0/24.
- Fixed a problem with AddressAllocatorSQL where recovery of a failed SQL database could cause SQL syntax errors.
- Improvements to AuthBy PAM to allow service-specific error messages to be logged, and different password prompts to be recognised.
- Testing with Encotone TeleID and AuthBy PAM. This is a very interesting Token based authentication system. Works fine. See sample teleid.cfg and PAM service definition file in goodies.
- Added GroupList check item, which succeeds if the user is in any of the list of space separated group names.
- Added OSC attributes to dictionary for Uid, Gid etc, also added UsePamEnv to AuthBy PAM. Now you can turn PAM env variables into Radius reply attributes and therefore do remote PAM login authentication via Radius.
- Disabled perl variable interpolation in AuthLog SQL.
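The EAP proxying change above depends on one detail worth seeing in full: Message-Authenticator (RFC 2869) is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, so a proxy must verify it under the secret it shares with the NAS and then recompute it under the secret it shares with the next hop. The following is an added example written for this changelog, not Radiator's own code (Radiator is Perl; Python is used here so the example can be run anywhere). The attribute numbers and the HMAC construction are from RFC 2865/2869; the secrets, the Request Authenticator and the EAP payload are constructed sample values, and a Request Authenticator reuse across hops is assumed for simplicity.

```python
import hashlib
import hmac
import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 2869).
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
ACCESS_REQUEST = 1
MAC_LEN = 16  # Message-Authenticator value is always 16 octets


def build_packet(code, identifier, request_authenticator, attributes):
    """Serialise a RADIUS packet: 20-octet header followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + request_authenticator + body


def find_message_authenticator(packet):
    """Offset of the 16-octet Message-Authenticator value, or None if absent or malformed.
    An out-of-spec attribute length stops the walk instead of reading past the buffer."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return None
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == MAC_LEN + 2:
            return offset + 2
        offset += attr_len
    return None


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 over the entire packet with the Message-Authenticator value zeroed (RFC 2869 5.14)."""
    pos = find_message_authenticator(packet)
    if pos is None:
        raise ValueError("packet carries no Message-Authenticator")
    zeroed = packet[:pos] + b"\x00" * MAC_LEN + packet[pos + MAC_LEN:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    pos = find_message_authenticator(packet)
    if pos is None:
        return False
    return hmac.compare_digest(compute_message_authenticator(packet, secret), packet[pos:pos + MAC_LEN])


def sign_message_authenticator(packet, secret):
    """Copy of the packet with Message-Authenticator recomputed under `secret`."""
    pos = find_message_authenticator(packet)
    if pos is None:
        raise ValueError("packet carries no Message-Authenticator")
    return packet[:pos] + compute_message_authenticator(packet, secret) + packet[pos + MAC_LEN:]


def proxy_resign(packet, incoming_secret, next_hop_secret):
    """The proxy step: check the NAS's signature, then re-sign for the next hop.
    Returns None when the incoming signature fails, so a tampered request is never forwarded."""
    if not verify_message_authenticator(packet, incoming_secret):
        return None
    return sign_message_authenticator(packet, next_hop_secret)


def demo():
    nas_secret = b"nas-secret-constructed"          # constructed sample value
    proxy_secret = b"nexthop-secret-constructed"    # constructed sample value
    req_auth = bytes(range(16))                     # constructed stand-in for a random Request Authenticator
    attrs = [
        (ATTR_USER_NAME, b"alice@example.org"),
        (ATTR_EAP_MESSAGE, bytes.fromhex("02010009016d796964")),  # EAP Response/Identity "myid" (constructed)
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * MAC_LEN),
    ]
    from_nas = sign_message_authenticator(build_packet(ACCESS_REQUEST, 7, req_auth, attrs), nas_secret)
    return from_nas, proxy_resign(from_nas, nas_secret, proxy_secret)


if __name__ == "__main__":
    original, forwarded = demo()
    print("from NAS :", original.hex())
    print("forwarded:", forwarded.hex())
```

Only the 16 MAC octets differ between the two packets; everything the NAS sent, including the EAP-Message, is forwarded byte-for-byte. A proxy that skipped the verify step would launder a forged request into a validly signed one for the next hop, which is why `proxy_resign` refuses to sign anything it cannot verify.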
Revision 2.18.1 (26/4/01) Bug fixes, some new features
- In AuthBy PORTLIMITCHECK, the type of the SessionLimit parameter was incorrectly set to integer instead of string, preventing special formatting characters being used. Reported by Valentin Tumarkin (tv at xpert.com).
- Added AcctFailedLogFileName and AcctLogFileFormat parameters to AuthBy RADIUS and subclasses, which work in the same way as for AuthBy SQL.
- Testing with Hawk-i ISP Billing and customer management system. Required slight changes to AuthSQL.pm, because MS-SQL and ODBC can return strings of NULs for nullable nvarchar columns. Empty strings and all-NULL strings are now ignored by AuthColumnDef. Sample config file in hawki.cfg.
- Fixed typos in ServerConfig.pm and Nas.pm that broke Livingston SNMP sim-use checking.
- Added IgnoreAccountingResponse and OutPort parameters to AuthBy RADIUS. Contributed by “Arjan Waardenburg” (arjanw at gv-nmc.unisource.nl). Thanks Arjan. OutPort allows you to control the origin port number for forwarding packets, which can be helpful for implementing strict firewall rules.
- Fixed a problem with Handlers where a MaxSessions denial would still permit AuthBys to run and perhaps 2 replies to be returned. Reported by Frederic Gargula (frederic.gargula at easynet.fr).
- Added PostSearchHook to AuthBy LDAP, LDAP2 and LDAPSDK, which allows you to do things with the LDAP search results after the AuthBy has finished with them.
- Fixed a problem with logging that would cause the default file logger to stop working after a SIGHUP.
- Fixed a problem where a Synchronous AuthBy RADIUS that was chained after another AuthBy RADIUS would not actually wait for the reply.
- Added CacheReplyHook which runs when a cached reply is about to be sent back to the NAS. Useful for removing previously allocated IP addresses from the cached reply.
- Fixed a problem with Session-Timeout ‘until Time’ where you could get a negative Session-Timeout in the one minute following the end of a permitted time interval.
- Fixed some problems that prevented Log SYSLOG actually doing any logging.
- Altered AuthBy NT so that on Windows it checks passwords without changing them. It now uses Win32::AuthenticateUser and also has much better performance. Built and tested with the kind assistance of Kent, Ashley (akent at ue.com.au). Thanks Ash.
- Added support for Redback 64 bit integers with new dictionary data type of integer8. Used for RB-Acct-Input-Octets-64, RB-Acct-Output-Octets-64, RB-Acct-Input-Packets-64 and RB-Acct-Output-Packets-64 in dictionary.redback. Such values are decoded in hex format only, with a leading 0x. Values can be encoded as hex (with leading 0x) or decimal.
- Added support for new AuthBy parameter AllowInReply, which lists the attributes that are permitted in the reply. Useful for applying strict limits to attributes in replies from proxy servers.
- Finished code and documentation for NasType of Hiper for Hiper Arcs, using algorithms contributed by jesus.diaz at telia-iberia.com.
- Fixed a typo in goodies/emerald.cfg
- Added new parameters to AuthBy EMERALD to optionally enable Emerald Servers, Server Port Access, DNIS Groups Roam Servers and Roam Domains. Works with Emerald 2.5 and RadiusNT 2.5 and 3. New version of goodies/emerald.cfg shows how to use them.
- All findUser functions now get the reply packet passed which means that you can use the %{Reply:xxx} macros in more places than before.
- Extensive patches to SNMPAgent contributed by Charly Gaissmaier add ROCommunity, RWCommunity and Managers parameters for more selective access control. Thanks Charly!
- Testing SNMP Agent with SNMP_Session-0.83. OK. Functions receive_request and decode_request that have been subsumed into SNMP_Session have now been removed which means SNMP Agent now requires at least SNMP_Session-0.68.
- Added AuthBy OPIE for one-time password authentication via OPIE (one time passwords in everything) from Craig Metz, www.inner.net/opie
- Fixed a problem in AuthBy ADSI where new AD users with a default logon times setup would not be able to login and get the message Outside allowed login hours.
- Removed a forgotten print statement from AddressAllocator SQL that would cause a message like “deallocate 203.10.203.193” for each deallocation.
- Fixed a typo in Log SQL that caused an SQL syntax error.
- Added the reason string as the fourth argument to PostAuthHook. Contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
- Added PostProcessingHook to Handler, contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
- Added a number of experimental attributes from RFC 2869 to dictionary.
- Implemented timeout around the search in AuthBy LDAP2 to work around broken LDAP servers that just hang in the search.
- More testing with Active Directory. Updates to AuthBy ADSI so it will work under a wider variety of conditions, allowing distinct control over how to authenticate and where to get account details from, also added more docs and examples on using with Windows 2000 AD server. Also new example goodies/ad-ldap.cfg shows how to access AD via LDAP from Unix or Windows.
- Fixed a problem where AccountingHandled had no effect if the result was a REJECT.
- Found a problem with SNMPAgent where a BindAddress had no effect. There is a bug in SNMP_Session 0.83 that prevents the fix being deployed.
- Added new check item MS-Login-Hours, which is exactly compatible with the LoginHours user attribute in Microsoft Active Directory, and can therefore be used when accessing Active Directory via LDAP.
- New special character %r for literal newlines.
- Fixed a problem with RejectEmptyPassword where a CHAP login could incorrectly trigger rejection. Reported by “Andy De Petter” (adepette at krameria.net).
- Reinstated NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS, as the old behaviour was not exactly equivalent to IgnoreAuthentication and IgnoreAccounting.
- Minor improvements to error reporting in AuthBy NT.
Revision 2.18 (9/3/01)
- Added a full suite of Radius load balancing modules that allow you to distribute your Radius load over multiple servers. Round Robin, Volume balancing and Load balancing are supported, along with variable backoffs when remote servers fail to answer.
- Added DHCP address allocation via new module AddressAllocatorDHCP.pm.
- Added support for Nortel/Aptis CVX 4-byte attributes (the ones between 0x84000000 and 0x85ffffff). These are non-standard undocumented VSAs of a special format only used by Nortel. Also added new dictionary data type ‘boolean’ as some CVX attributes require only single byte values. Thanks to the assistance of Lisa Goulet (Lisa.Goulet at versatel.nl), Dave Salaman (dsalaman at salaman.org) and others.
- Added LogFormat to Log FILE, allowing customised log file format. Suggested by Paul Oshea (paulo at uma.genie.syncordia.net).
- Added LogMicroseconds to Log FILE, which makes it log microseconds (requires the Perl Time::HiRes module from CPAN or ActiveState).
- Fixed a problem with Time check item spanning midnight when used with Session-Timeout=“until Time”. Reported by Deepak Shrestha (deepak at mos.com.np).
- Added called and calling station IDs to radpwtst (and the GUI). Contributed by Bruno Tiago Rodrigues (RODRIGUEBT at telecel.pt). Thanks Bruno.
- Added attributes for Unisphere and Nortel (Aptis) CVX VSA to dictionary. Contributed by Ralf Weber (rw at de.colt.net).
- Added support for NasType of Cyclades. Contributed by Dave Close (dclose at quik.com). Thanks Dave.
- Modifications to AddressAllocatorSQL so that address allocation is more robust when multiple servers allocate from the same table.
- Fixes to AuthBy RADIUS so it uses the new AuthLog features to log details of proxied requests. Identified by Carlos Canau (canau at ionia at EUnet.org) and Dave Lloyd (david at freemm.org). Thanks.
- Added a number of new Livingston attributes to dictionary. Contributed by Keith Olmstead (kolmstea at centurytel.net). Thanks Keith.
- Added ServerHasBrokenAddresses parameter to AuthBy RADIUS.
- Added Nortel CVX 1800 VSAs to dictionary.
- Added the retransmission address to the “No reply after…” message in AuthBy RADIUS. Contributed by Kaj J. Niemi (kajtzu at kpnqwest.fi). Thanks Kaj.
- Fixed a typo in AuthBy LDAPSDK that caused a crash. Reported by “Russell Wilton” (wilton at uleth.ca). Thanks Russell.
- Fixed a problem with initialisation that caused -db_dir command line argument (and others) to be handled inconsistently.
- Acct-Link-Count changed from string to integer in some dictionaries to be consistent with others and the correct value. Reported by Steinar Haug, Nethelp consulting (sthaug at nethelp.no). Thanks Steinar.
- Added attributes for Altiga to dictionary.
- Added IgnoreReplySignature parameter to AuthBy RADIUS to permit operation with remote servers that implement incorrect signature algorithms.
- Fixed some problems with the standard internal session database that could cause incorrect simultaneous use limits when there are lost stop records. Found and fixed with the welcome assistance of Dave Close (dclose at quik.com).
- Added Ravlin RedCreek VSA attributes to dictionary.
- Added IgnoreErrors parameter to AuthBy PORTLIMITCHECK at the suggestion of Steve Roderick (steve at uspops.com).
- In SessionDatabase SQL, AddQuery, DeleteQuery, ClearNasQuery and CountQuery can now be set to empty strings to prevent the query being executed. Implemented with the assistance of Paul Oshea (paulo at uma.genie.syncordia.net).
- Added FindQuery, AllocateQuery, CheckPoolQuery, AddAddressQuery, DeallocateQuery and ReclaimQuery to AddressAllocator SQL to permit customisation of the SQL queries that module uses.
- Added new special character %s, replaced by microseconds in the current second (requires the Perl Time::HiRes module from CPAN or ActiveState).
- Changed AuthSelect in SQL so that %0 is now replaced by the quoted escaped user name. Some time in the future, the special handling that makes %n temporarily quoted and escaped will be removed. We recommend converting any custom AuthSelect you may have, and replacing ‘%n’ (including the quotes) with %0 (no quotes).
- Added platradacct.cgi to goodies, a version of radacct.cgi that works with Platypus Calls table. Contributed by “Leigh Spiegel” (leigh at winshop.com.au). Thanks Leigh.
- Added VSAs for Foundry and Unisphere to dictionary.
- If RejectHasReason is set, only one Reply-Message is set in the reply. Previously, 2 would be set. Suggested by Pavel A Crasotin (pavel at ctk.ru).
- Added index on POOL to all RADPOOL creation scripts in goodies to improve address allocation performance.
- Made AuthSelect and AcctSQLStatement configurable for AuthBy RODOPI.
- Permitted bind variables to be passed to SQL prepareAndExecute and do functions. This might be useful for custom SQL code that requires high performance.
- Rationalised sub keyword in all modules, so that permitted keywords are looked up in a table. Saves lots of if/else code and will permit stronger type checking in future.
- Fixed a problem with AuthBy RADIUS that prevented retransmission when ServerHasBrokenPortNumbers is set.
- Added IgnoreAuthentication and IgnoreAccounting to all AuthBy clauses. In the case of AuthBy RADIUS, they are now equivalent to the older (and deprecated) NoForwardAuthentication and NoForwardAccounting.
- Removed snmp_port from command line arguments in radiusd, because it breaks encapsulation.
- Improved ServerConfig initialisation and removed lots of excessive code.
- Moved reply caching from AuthBy RADIUS to AuthGeneric for future use with other authenticators.
- Rationalised AuthRADIUS.pm to allow definition of Host objects and easier subclassing.
- Added lots more Nortel CVX VSAs.
- Added special case for SQL Timeout of 0 so it will never issue alarms at all. This is mostly a workaround for Sybase ODBC libraries that muck around with SIGALRM.
- Added Cisco VENDORATTR Control-Info to dictionary, contributed by Gareth Coco (gcoco at aapt.com.au).
- Added Timeout and FailureBackoffTime parameters to AuthBy LDAP and LDAP2 so that failed LDAP servers time out quickly. Timeout defaults to 10 seconds, instead of the standard 120 seconds coded into perl-ldap.
- Improved docs to make clear that SHA passwords also require MIME::Base64.
- Improved evaluation version so the reason for a radiusd die will be obvious.
- builddbm now detects attributes not connected to a user. Reported by Jamie Orzechowski (mhz at ripnet.com).
- Performance improvements to the main loop and packet packing and unpacking.
- Added UseGetspnamf option to AuthBy SYSTEM, which will honour the password expiration date, if there is one. UseGetspnam is now deprecated.
- Added synonyms for a number of attributes to the dictionary for the convenience of users with old standard users files, such as is generated by Optigold by default.
- Testing with Optigold ISP 2.6.7. OK. Added details to FAQ about interfacing, also created sample goodies/optigold.cfg.
- Fixed AuthBy RADIUS Synchronous so it will work on Windows in the event of a Timeout.
- AuthBy PAM now honours password and account expiration, and verifies access hour restrictions. Suggestion and code contributed by Richard Lennerts (richard at staff.vianet.net.au).
- Testing with Digest-MD4 from ActiveState for Windows ActivePerl build 623. OK: MSCHAP passwords work fine.
- Trace level 5 now does a byte dump of outgoing as well as incoming packets.
- Removed instructions to install MD5 for ActiveState: it is installed automatically on all recent 6xx releases. Also altered Unix installation instructions to use Digest-MD5 instead.
- Fixed a typo with LAS-Code attributes in dictionary.cisco.
- At the suggestion and with the assistance of Michael Audet (audet at vectorcore.com), AuthBy ADSI now does a direct authentication of the user. Administrator username and password are no longer required, performance is improved, and there is no need to disable password checking in AD. Also added support for Group membership checking.
- AuthBy PORTLIMITCHECK now permits special formatting characters in the SessionLimit parameter. Contributed by Valentin Tumarkin (tv at xpert.com). Thanks Valentin!
- In AuthBy LDAP* and AuthBy SQL, added support for AuthAttrDef/AuthColumnDef type of ‘request’ which adds the attribute to the current request, from where it can be accessed in later checks with %{attributename}. Contributed by Valentin Tumarkin (tv at xpert.com). Thanks Valentin! Valentin says “Very useful for chaining LDAPSDK lookups (first lookup user, push group attribute into the request, then lookup the group). Works wonders when combined with ‘Auth-Type’.”
- Added special character %z which is replaced with the User-Name in the current packet, hashed with MD5. Contributed by Nick Donaldson (psyclops at psyclops.com). Thanks Nick.
Revision 2.17.1 (22/11/00)
- Fixed a serious problem with a missing update function that could cause crashes with Alive packets.
- AuthBy LDAPSDK also needed protection against attributes with trailing NULs from Microsoft LDAP.
- Migrate SQL fixes into goodies/AuthPLSQL.pm. Contributed by Pavel A Crasotin (pavel at ctk.ru). Thanks Pavel.
Revision 2.17 (21/11/00) Some significant new features
- Added new parameters to AuthBy SQL, to permit logging accounting records to a file if the SQL insert fails. See AcctFailedLogFileName and AcctLogFileFormat.
- Added MS-CHAP support as per RFC 2548. Like ordinary CHAP, it works with plaintext, not encrypted passwords in the user database. Requires Digest-MD4-1.0 or better from CPAN. Also added support for MS-MPPE-Send-Key and MS-MPPE-Recv-Key reply items as tunnel passwords.
- Fix a problem that prevented AuthBy RADIUS receiving replies after a HUP. Reported by Wim.Biemolt at surfnet.nl. Also fixed some similar issues in AuthFILE and others.
- AuthBy LDAP2 is now compatible with perl-ldap versions before and after 0.20 (changes to the perl-ldap API made this necessary). With patches from Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added Nas support for Patton RAS.
- Fixed a problem with decode_tunnel_password that could cause a crash with various out-of-spec tunnel passwords. Reported and patched by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Fixed a problem with Realms and Handlers that prevented old Realms and Handlers being discarded during a SIGHUP.
- Fixed minor error in dictionary: VENDORATTR 307 type 2 was incorrectly called 'Livingston'. Changed to 'LE-Terminate-Detail'. Fix identified by Blaz Zupan (blaz at amis.net).
- Added dictionary.redback for Redback NASs
- Added sample NoReplyHook to goodies by kind permission of John Kemp (kemp at network-services.uoregon.edu)
- Separated out a utility function for doing all the magic for replying to a request.
- Testing on HP-UX 10.20. No changes required.
- Improved memory cleanup code in AuthRADIUS.pm to slightly reduce memory requirements. Found by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Improved SQL timeout handling. The need for this was revealed by recent versions of Oracle 8 using local transport. Reported by Chris Keladis (Chris.Keladis at cmc.cwo.net.au). Thanks Chris. A similar fix was contributed by David Lloyd (david at freemm.org). Thanks David.
- Fixed a problem that caused excessive memory usage in Client.pm. Found and fixed by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Removed incorrect reinitialisation code from AuthFILE, which would cause a crash on SIGHUP.
- Fixed some problems with SIGHUP handling and SNMP Agent, which prevented the Agent receiving requests after a HUP with SNMP_Session-0.77. Fix now works with all versions of SNMP_Session. Reported by Anton Sparrius (asparrius at vivanet.com.au)
- Mods to a number of classes that inherit from SqlDb.pm, to hide use of the dbh handle, in order to support sharing of SQL connections.
- Added CachePasswords to AuthBy RADIUS. It implements a password cache. It allows proxying to be more robust when the remote server is not available. It can be very useful if the remote server is unreliable, or at the end of a saturated or unreliable link.
- Some users have reported that Microsoft LDAP leaves NULs at the end of returned attributes. Added code to AuthLDAP2.pm to strip any trailing NUL.
- Added NoCheckPassword to AuthBy NT, useful in conjunction with other authentication methods that actually check the password
- AuthBy RADIUS now honours the global SocketQueueLength parameter, if it is set. Reported by David Lloyd (david at freemm.org). Thanks David.
- Fixed a problem with AuthLDAP2 that prevented it working with CHAP unless RejectEmptyPassword was cleared. The test is now implemented with LDAPRejectEmptyPassword, which defaults to 1 and is only referred to if ServerChecksPassword is set. Reported by Nacho Paredes (iparedes at eurocomercial.es). Thanks Nacho.
- Improved detection of running under inetd, so running under cron won't be mistaken for inetd.
- Added Alcatel DANA vendor specific attribute to standard dictionary.
- Added -code flag to radpwtst, allowing it to send any type of request code, eg: radpwtst -noacct -noauth -code Disconnect-Request
- Changes to Client.pm, Radius.pm to permit proxying of any type of code, eg Disconnect-Request
- Added hydrarad to goodies. Hydrarad is an agent for the HydraWeb load distributor (www.hydraweb.com). It probes server performance and produces a Usability figure from 0 to 100.
- In dictionary, the types of CHAP-Password and CHAP-Challenge changed to 'binary' to prevent trailing NULs being stripped.
- AddToReply and DefaultReply were not honouring special formatting characters.
- Minor performance improvements in RDict.pm.
- Permit special characters (eg %{GlobalVar:databasename}) in DBSource, DBUsername and DBAuth in any SQL connection.
- Added new generic authentication logging support contributed by Dave Lloyd (david at freemm.org). Thanks heaps Dave! Also example config file using <AuthLog FILE> in goodies/authlog.cfg and documentation.
- Added support for USR1Hook, USR2Hook and WINCHHook. Contributed by Dave Lloyd (david at freemm.org). Thanks Dave!
- Fixed Handler.pm so handlerResult is called when MaxSessions is exceeded. Suggested by Dave Lloyd (david at freemm.org). Thanks Dave!
- Added Shasta attributes to dictionary. Contributed by "Mariano Absatz" (lradius at pert.com.ar). Thanks Mariano.
- Improved portability of module importing. Now uses eval("require RADIUS::classname") which will work portably on all platforms, including MAC.
- Added goodies/blocktime.txt, a discussion about how to implement prepaid time.
- Hugh added some more examples to goodies/hooks.txt.
- Prevented warnings 'No CHAP-Password or User-Password in request' when User-Password is empty. Reported by Cortney Thompson (Cortney at wyoming.com). Thanks Cortney.
- Added SNMP MIB 2 variables sysUpTime and sysName. Suggested by Mariano Absatz (lradius at pert.com.ar), since MRTG likes to get them.
- Fixes to AuthBy EMERALD to be compatible with RadiusNT version 3 (suitable for Platypus version 3 with RadiusNT compatibility too). Also now correctly handles per-user and per-service vendor-specific check and reply items.
Revision 2.16.3 (25/8/00) Fix a serious LDAP problem
- Fixed a typo in all AuthBy LDAP which causes an error like: "Not a SCALAR reference at Radius/AuthLDAP.pm line 297."
- AcctColumnDef now supports the type 'formatted' which allows you to use any of the special formatting characters instead of just a Radius attribute name.
- In AuthBy SQL, AcctColumnDef type 'integer-date' now allows you to specify your own date formatting string to be used instead of the default DateFormat for that SQL.
- Stop SQL from disconnect/reconnecting if a primary key constraint is violated. Can result in a significant performance impact in some environments.
Revision 2.16.2 (21/8/00) Minor fixes
- Added support for encryption type MD5, which is an MD5 digest, MIME base64 encoded, eg:
Password = {MD5}qP0OV/oViFka8YbFMWEWeg==
Contributed by Robin Gruyters (robin at wish.net). Thanks Robin.
- radconfig.cgi incorrectly only allowed one Accounting log file name entry in a handler.
- Testing with MacPerl on PPC iBook with MacOS 9. The default config file under MacPerl is now 'Macintosh HD:Applications:Radiator:etc:radius.cfg'.
- Fixed minor problems with date parsing on MacPerl. On Mac, times are based on 1904, not 1970.
- Created a clickable MacPerl droplet for radiusd containing command line arguments: MacRadiusd. You can edit this with MacPerl and set up your own command line args. Useful for running with a config file in a non-standard place. As delivered, it uses the radius.cfg in the current folder.
- Changes to configuration file processing in 2.16.1 meant that values for SnmpgetProg, FingerProg and some similar parameters were being overridden.
- Added new check item Client-Identifier that matches the Identifier parameter in the Client clause that received the request.
- Fixed an error in the documentation concerning the use of GENERIC in LDAP AuthAttrDef parameters.
- Added support for new SNMP Radius Authentication and Accounting server MIBs as specified by RFC 2619 and RFC 2621. The old draft MIB is still supported.
- Fixed a problem with AuthAttrDef not working properly in AuthBy LDAP and LDAP2.
- Fixed a problem with AuthBy TEST that prevented it from honouring the Identifier parameter. Reported by Matt Nichols (matt at hunterlink.net.au). Thanks Matt.
- Added new parameter CaseInsensitivePasswords to all AuthBy clauses that support plaintext password checking. This involved some rationalisation of the password checking code in Radius.pm too, with resulting performance improvements.
- Dictionary now permits data type of 'text' in line with RFC 2865, and it is treated the same as 'string'.
- Duplicate checking now takes the client port into account, as required by RFC 2865.
- Tested the config file "include" directive with external scripts, at the suggestion of Simon Hackett (simon at internode.com.au). For example:
include %D/myScript.pl|
This allows you to generate some or all of your Radiator configuration programmatically.
- Added SearchFilter to AuthBy LDAP*, allowing you to fully control the search filter used to find users. This will allow you to select or reject users based on arbitrarily complicated LDAP search filters.
- Added RejectEmptyPassword to AuthBy to handle some broken remote Radius servers that foolishly always accept logins with empty passwords (eg VMS)! Suggested by Simon Hackett (simon at internode.com.au)
- Added UsernameMatchesWithoutRealm to AuthBy to permit matching on the bare user name without rewriting the username and therefore affecting accounting too. Suggested by Simon Hackett (simon at internode.com.au)
- Added missing -h flag to radpwtst
- Improved handling of MD5 passwords so that it supports both hex digests and base64 encodings. This also makes it compatible with Infranet billing passwords. Contributed by Johnathan Ingram (jingram at intekom.com). Thanks Johnathan.
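The two {MD5} forms described in the 2.16.2 entries above (the base64 "Mime" encoding with the Password = {MD5}... example, and the hex digest form added here) are easy to confuse because both are the same 16-byte digest. The following is an added Python illustration, not Radiator's own Perl code: it accepts a stored value in either encoding, rejects anything that is not a well-formed MD5 digest, and compares in constant time. The plaintext "password" and its digests are constructed test values; the function names are mine.

```python
"""Check a plaintext password against a stored {MD5} value in either the
hex-digest or the base64 (MIME) encoding. Added example, not Radiator code."""
import base64
import binascii
import hashlib
import hmac
import re
from typing import Optional

# 32 hex characters, or 22 base64 characters plus "==" padding: both are 16 bytes
HEX_DIGEST_RE = re.compile(r"^[0-9a-fA-F]{32}$")
B64_DIGEST_RE = re.compile(r"^[A-Za-z0-9+/]{22}==$")
PREFIX = "{MD5}"


def md5_hex(plaintext: str) -> str:
    """Hex form of the digest, as stored by systems that use hex encoding."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def md5_base64(plaintext: str) -> str:
    """Base64 (MIME) form of the digest, as in Password = {MD5}..."""
    return base64.b64encode(hashlib.md5(plaintext.encode("utf-8")).digest()).decode("ascii")


def decode_md5_digest(encoded: str) -> Optional[bytes]:
    """Return the 16 raw digest bytes for either encoding, or None if it is neither."""
    if HEX_DIGEST_RE.match(encoded):
        return bytes.fromhex(encoded)
    if B64_DIGEST_RE.match(encoded):
        try:
            raw = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            return None
        return raw if len(raw) == 16 else None
    return None


def check_md5_password(plaintext: str, stored: str) -> bool:
    """True only if stored is {MD5} followed by a valid digest of plaintext.
    The format carries no salt, so the digest is computed over the bare password."""
    if not stored.startswith(PREFIX):
        return False
    expected = decode_md5_digest(stored[len(PREFIX):])
    if expected is None:
        return False
    actual = hashlib.md5(plaintext.encode("utf-8")).digest()
    # Constant-time comparison so a mismatch position is not observable via timing
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: both encodings of the same constructed password
    for stored in (PREFIX + md5_base64("password"), PREFIX + md5_hex("password")):
        print(stored, check_md5_password("password", stored))
```

Either encoding is accepted, so a user database migrated from a hex-based system and one populated with base64 values can be checked by the same routine.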
- Added some fixes to AuthLDAP.pm to prevent Radiator running out of file handles in some circumstances.
- Rationalised check_plaintext_password and check_encrypted_password into a single function check_password in AuthGeneric to save lots of duplicate code.
- Modifications to AuthBy RADIUS so that it will create a separate socket for each distinct LocalAddress. This will make sure the right LocalAddress is used for each proxied request, even if there are multiple LocalAddresses in use. From a report by Ivan Brawley (brawley at internode.com.au). Thanks Ivan.
- Fixed a problem with timeouts in Select.pm. The timeout list was not always sorted properly, which would sometimes cause timeouts to go off too late. This was especially significant if very long timeouts were used (as in AddressAllocatorSQL and others).
- Added special characters %q, %Q, %v, %V for days of weeks and months of the year.
- Added new strftime compatible date formatter
- Added DateFormat attribute to all SQL derived objects to control how to format dates for insertion. Can use any of the special characters supported by strftime.
- Added new Description parameter to all objects, mainly for use by radconfig.cgi. Suggested by Matt Nichols (matt at hunterlink.net.au). Thanks Matt.
- Fixed a problem with Proxy-State. Only the first one would be included in the reply. Now all are included, and kept in the same order as in the incoming request. Reported by Thorsten Wystrychowski. Thanks Thorsten.
- Improved error reporting when an SQL connection fails.
- Testing with Informix. Created goodies/informixCreate.sql and added documentation.
- ClientListSQL now permits the FramedGroupBaseAddress column to contain multiple comma-separated addresses.
- Incorporated a patch to goodies/hooks.txt to allow getProfiles to have profiles that span multiple lines. Contributed by Christian Hammers (ch at westend.com). Thanks Christian.
- Added LimitQuery to AuthBy PORTLIMITCHECK, so that the session limit can also be got from the database, instead of being fixed. This allows you to easily get port limits from, say, a customers table in your SQL database.
- Special formatting now supports %{Client:parmname} which is replaced by the parmname parameter from the Client clause that accepted the current packet.
- Special formatting now supports %{Handler:parmname} which is replaced by the parmname parameter from the Handler clause that is handling the current packet.
- Fixed a problem with AuthBy RADIUS where a Tunnel-Password received from the remote radius, or added with AddToReply, would not be encrypted properly. Found and fixed by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Fixed a problem with ClientListSQL, where an empty string in the NoIgnoreDuplicates column would cause a crash.
- AuthBy RADIUS now permits multiple comma-separated host names in the Host parameter.
- Fixed some typos in the RADPOOL table creation in some goodies/*.sql scripts. The unique index creation was wrong.
- Altered evaluation expiry mechanism.
- radpwtst now takes notice of the Class in any access replies, and uses it in subsequent accounting requests.
Revision 2.16.1 (13/6/00) Major new feature, and a number of bug fixes, one serious.
- Added support for Windows ActiveDirectory authentication with AuthBy ADSI, see the example config file in goodies/adsi.cfg. Stop Press: also added AuthAttrDef to AuthBy ADSI, so you can get additional attributes from ADSI.
- Fixed problem with all SessionDatabases, where attempts to deduce the NAS IP address during simultaneous-use double checking would fail with this error message:
Could not find a Client for NAS to double-check Simultaneous-Use. Perhaps you do not have a reverse DNS for that NAS?
- Fixed a problem in radacct.cgi where attributes that contained an = character were not displayed properly when showing a detail file. Reported by Matthew Nichols (matt-home at hunterlink.net.au). Thanks Matt.
- Fixed a problem with SNMPAgent where it would report "Undefined subroutine &Radius::Radius::get_port" with some unusual configuration files.
- Fixed a typo in AuthPORTLIMITCHECK.pm where getOneRow was not defined. Reported by Anton Sparrius (anton at vivanet.com.au). Thanks Anton.
- Added support for NasType PortslaveMoxa, for Linux running Portslave and a Moxa multiport. Contributed by "Le Anh Tuan" (latuan at netnam.vn). Thanks!
- Fixed some problems with drilling down and volume summaries in radacct.cgi when using SQL. Reported by John Breeden (rad at ns1.phx2.com)
- SessionDatabase NULL was ignoring all of its configuration, and you could therefore not reference it by Identifier. Reported by Aaron Holtz (aholtz at bright.net). Thanks Aaron.
- Fixed the %a special character, which was not working properly.
- Check items could mistake an exact match for a regular expression if it had multiple embedded slashes. Now the first slash must be at the beginning of the regexp.
- Added workaround for hanging connections when using DBD-Sybase and MS-SQL.
Revision 2.16 (19/5/00)
- Added totals of sessions, time, octets and packets to the user page in radacct.cgi.
- Session-Timeout as a reply item can now take a value "until Time" which calculates the session timeout until the end of the permitted time period defined by a Time check item.
- Added Auth-Type=Accept, code contributed by David Daney (daney at ibw.com.ni). Thanks David.
- Added PreProcessingHook to Handlers, which fires before accounting log files etc are written. Code contributed by David Daney (daney at ibw.com.ni). Thanks David.
- AddToReplyIfNotExist parameter with multiple attr=val, and with white space before the attribute name, would not be parsed properly, resulting in a "Bad attribute=value pair:" error message.
- Simultaneous-Use would sometimes check the wrong user name for excess sessions when RewriteUsername or Prefix or Suffix was involved.
- Fixes so that multiple DEFAULT users with Prefixes and/or Suffixes won't strip the user name for the following DEFAULT. Contributed by David Daney (daney at ibw.com.ni)
- Added new <Log EMERALD> module that does logging to a Platypus and RadiusNT compatible message log table.
- Testing with Windows 2000.
- Fixed radpwtst -gui to work with Tk800.018 and better.
- Fixed a bug in AuthLDAPSDK.pm, that produces the following error: Global symbol "@vals" requires explicit package name at Radius/AuthLDAPSDK.pm line 256, <FILE> chunk 39. Reported by Bradley Clayton (bac at agad.purdue.edu)
- Workaround in AuthRADKEY.pm for problems with password lengths on some MAXen.
- Reinstated the changes that make %a get the Framed-IP-Address from the reply packet instead of the request, and to take ma.overdue into account in in AuthBy EMERALD. These changes were inadvertently lost from the 2.15 distribution.
- Changes to all SQL based modules to fix an infrequent problem with Sybase on some platforms, and in some environments. Some versions would sometimes hang during the SQL finish operation, which was not protected by timeout.
- DefaultRealm now only adds the realm if there actually was a User-Name present in the request. Requests without a User-Name will not now have a fake User-Name added.
- Added cisco-h323* entries to the standard dictionary for Cisco VOIP.
- The password log for CHAP logins now shows "UNKNOWN-CHAP", instead of "UNKNOWN", to help distinguish from the case where there is no password in the request.
- Added SessNULL.pm to the distribution, contributed by Daniel Senie (dts at senie.com). Thanks Daniel. SessNULL.pm provides a session database that does not store any session details and always permits multiple logins. Useful for very large user populations where there is no multiple-login prevention required: this will require much less memory than SessINTERNAL.
- Added support for HoldServerConnection, plus disconnection after each request to AuthBy LDAPSDK, at the request of Thomas Braber (thomas.den.braber at capgemini.nl).
- Special formatting can now refer to any attribute in the current reply with %{Reply:attributename}
- Check items can now refer to attributes in the currently constructed reply. This can be useful for adding more reply items, depending on the reply items that are already there. For example, you might set a Profile pseudo attribute in an AuthBy and, in a following AuthBy, add some real reply attributes that depend on the value of the Profile you added before.
- Added support for IP address allocation, and a specific SQL implementation. See goodies/addressallocator.cfg for examples on how to use. STOP PRESS: minor changes in database schema since the 2.16 alpha release. Alpha testers will have to recreate their RADPOOL table.
- Fixed algorithm for computing port index for Total Control SNMP access checking. Contributed by Aaron Nabil (nabil at spiritone.com). Thanks Aaron.
- Fixed a problem with AuthAttrDef in AuthBy LDAP and LDAP2.
- Added the -p switch to builddbm to print out a flat file equivalent. Contributed by Joost Stegeman (joosts at kpn.net). Thanks Joost.
- ipaddr type attributes can now be specified as a 4 byte string, as well as dotted-quad notation. Useful for putting IP addresses and netmasks in databases as binary instead of strings. Suggested by Mike Nerone (mnerone at idworld.net).
- Updated GRIC Roaming attributes in various dictionaries.
- Log SQL and AuthBy RADMIN now permit a LogQuery parameter to configure the query used to insert into the log table database.
- AuthBy DBFILE and SessionDatabase DBM now support a DBType parameter, allowing you to specify the type of DBM database to use.
- AuthBy RADMIN was incorrectly logging all level log messages. Now it honours the global Trace level.
- Fixed a problem with MD5 password encryption when encrypted passwords had a zero length salt.
- Fixed a bug in Client.pm that prevented the client list used by SNMP and StatusServer being cleared during a HUP.
- Added new Bay Annex attributes to dictionary
- Pushed the permitted perl revision level back to 5.003
- Testing on Cobalt CacheQube. OK.
- Fixed a bug in the radwho.cgi and radacct.cgi sort routines that affected user name sorting with mixed alpha and numeric names. Reported by Larry Vaden. Thanks Larry.
- Fixed a problem with apparent floating point attributes in AuthBy EMERALD.
- Fixed some problems in getProfiles example hook in goodies/hooks.txt. Contributed by Christian Hammers (ch at westend.com). Thanks Christian.
- Added NoReplyHook to AuthBy RADIUS, called if no reply is heard from any remote servers. Useful for storing accounting to an SQL database for later delivery or retransmission (see goodies/reliableaccounting.cfg for example)
- Testing with InterBase 6.0 and DBD-Interbase-0.021. OK. Note that Interbase 6.0 requires /etc/hosts.equiv to contain the name of each client host, so you may need to add 'localhost' to /etc/hosts.equiv to enable you to start the Interbase server and access it. Also note that InterBase requires a custom AuthSelect since it does not permit columns named PASSWORD. interbaseCreate.sql creates it as PASS_WORD.
- Due to changes in policy by iPASS, the preferred method of interoperating with iPASS outbound is now to proxy to the iPASS radius server. Altered documentation to suit.
- Added some improvements to extensibility and customisability: The reinitialize and find functions for Client, Handler, Realm et al are now registered at startup. This allows you to add new subclasses of Client and Handler with new ways of finding the right Client or Handler to use. You can also register your own reinitialise function with main. Added examples csid.cfg and CalledStationId.pm to goodies to demonstrate use of all these features, using the example of fast, exact matching on Called-Station-Id.
- radpwtst now takes notice of the Framed-IP-Address in the reply and uses it in subsequent accounting starts and stops, unless -framed_ip_address has been used to force a particular address.
- Added initial version of new radconfig.cgi, a CGI script that will manage a Radiator configuration file.
- Added new Nas Type of Ping, which will attempt to check simultaneous use by pinging the dialup user's Framed-IP-Address. This is not foolproof as the Framed-IP-Address may have been reallocated, but it's better than nothing, which is what you may have without finger or snmp access to the NAS.
- Added missing documentation for SessionDatabase parameter for Realm and Handler, which allows you to control which Session Database a Realm or Handler will use.
- Fixed a spurious WARNING message if AuthPort or AcctPort was defined as empty (ie no socket to be set up). Reported by Antonio Coloma.
- Added new Scope parameter that allows you to control the LDAP search scope in LDAP2 and LDAPSDK. Suggested by c.w.vandervelden at kpn.com.
Revision 2.15 (15/2/00) Many new features and some fixes.
- Added new check item Request-Type. This is mostly useful in Handlers, to allow you to trigger on different types of requests.
- Fixed a problem with handling escaped octal characters in attribute strings. Contributed by Mike Biesele (wmb at aros.net). Thanks Mike.
- DynamicCheck and DynamicReply were always doing special character replacements in all check and reply items, instead of just the ones named.
- DynamicReply was incorrectly doing special character replacements from the reply packet instead of the incoming packet.
- The special character %a has been modified to be replaced with Framed-IP-Address from the reply packet instead of the incoming packet.
- AuthBy clauses did not honour the "include" keyword.
- Added some more USR attributes to dictionary.usr
- Fixed a problem with Tunnel-Password on Intel where it would sometimes produce a non-compliant encrypted password.
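Several entries in this history touch the same piece of RADIUS crypto: MS-MPPE-Send-Key/Recv-Key handled "as tunnel passwords" (2.17), decode_tunnel_password crashing on out-of-spec input (2.17), Tunnel-Password added by AddToReply not being encrypted properly (2.16.2), and the non-compliant encryption fixed just above. The following is an added Python illustration of the RFC 2868 section 3.5 algorithm, written for this page rather than taken from Radiator's Perl: the encryptor produces compliant Salt + ciphertext, and the decryptor returns None for malformed input (short data, salt without its high bit, ciphertext not a multiple of 16, or a Data-Length that exceeds the payload) instead of raising. The Tunnel-Password Tag octet is left to the caller so the same routine serves the MS-MPPE keys, which have no Tag; the shared secret, Request Authenticator and salt used below are constructed sample values and the function names are mine.

```python
"""RFC 2868 s3.5 Tunnel-Password encryption, also used by the RFC 2548
MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes. Added example, not Radiator code."""
import hashlib
import os
from typing import Optional

BLOCK = 16  # MD5 digest length; plaintext is processed in 16-octet chunks


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    # b(1) = MD5(S + R + A) for the first chunk, b(i) = MD5(S + c(i-1)) afterwards
    return hashlib.md5(secret + prev).digest()


def encrypt_tunnel_password(password: bytes, secret: bytes,
                            request_authenticator: bytes,
                            salt: Optional[bytes] = None) -> bytes:
    """Return Salt (2 octets) + ciphertext. The Tag octet of Tunnel-Password,
    if any, is prepended by the caller."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 255:
        raise ValueError("Data-Length is a single octet; password too long")
    if salt is None:
        # The high bit of the first salt octet must be set per the RFC
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the high bit of the first set")
    # Plaintext P = one-octet Data-Length + password, null-padded to a multiple of 16
    plaintext = bytes([len(password)]) + password
    plaintext += b"\x00" * (-len(plaintext) % BLOCK)
    ciphertext = bytearray()
    prev = request_authenticator + salt          # feeds MD5(S + R + A)
    for i in range(0, len(plaintext), BLOCK):
        block = _keystream_block(secret, prev)
        c = bytes(p ^ b for p, b in zip(plaintext[i:i + BLOCK], block))
        ciphertext += c
        prev = c                                 # next block keyed on this ciphertext
    return salt + bytes(ciphertext)


def decrypt_tunnel_password(data: bytes, secret: bytes,
                            request_authenticator: bytes) -> Optional[bytes]:
    """Inverse of encrypt_tunnel_password. Out-of-spec input yields None."""
    if len(request_authenticator) != 16 or len(data) < 2 + BLOCK:
        return None
    salt, ciphertext = data[:2], data[2:]
    if not salt[0] & 0x80 or len(ciphertext) % BLOCK:
        return None
    plaintext = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        block = _keystream_block(secret, prev)
        plaintext += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    length = plaintext[0]
    if length > len(plaintext) - 1:              # Data-Length claims more than was sent
        return None
    return bytes(plaintext[1:1 + length])


if __name__ == "__main__":
    # Constructed sample values, not from any real exchange
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    blob = encrypt_tunnel_password(b"hello world", secret, authenticator, b"\x81\x23")
    print(blob.hex(), decrypt_tunnel_password(blob, secret, authenticator))
```

The Data-Length check is the one that matters for robustness: a proxy that trusts that octet and slices past the end of the decrypted buffer is exactly the kind of failure the decode_tunnel_password fix addressed, and a remote server with a different shared secret produces a random Data-Length, so the check is exercised in normal operation, not only by malformed packets.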
- SQL timeouts while doing a select or an insert did not trigger the backoff period.
- Added Synchronous flag to AuthBy RADIUS, which will cause the AuthBy RADIUS to block until a reply is received from the remote radius server (or it times out).
- Rolled the AddToReplyIfNotExist.patch into the base code. This code was contributed by Vincent Gillet (vgi at oleane.net), and implements the AddToReplyIfNotExist parameter, which will append an attribute to a reply if and only if the attribute is not already present.
- The include keyword for including other files inline is now case insensitive.
- Radius standards rfc2138.txt and rfc2139.txt are now included in the doc directory.
- Added some additional username info to some WARNING and INFO level messages, as suggested by Wim Biemolt (Wim.Biemolt at sec.nl).
- Incorporated significant performance improvements to AuthBy UNIX, contributed by Jamie Hill (hill at networkWCS.com). Thanks Jamie!
- If you explicitly undefine AuthPort or AcctPort, Radiator will not bind a socket. Same effect if you specify -auth_port "" or -acct_port "" on the command line.
- Fixed a problem with compatibility with proxying to Merit server with passwords of exactly 16 octets. Merit incorrectly assumes that passwords are always NUL terminated.
- Fixed typos with MSN style RewriteUsername regexps, that incorrectly assumed the separator was a forward slash (/) not a backslash (\). Affected documentation and example radius.cfg
- Added new parameter HoldServerConnection to AuthBy LDAP, so LDAP servers that support it can be used to do as many authentications as possible from the same LDAP connection.
- Added details about how to use Radiator with AFS Kerberos to goodies directory. Contributed by Roland Hofmann (hofmann at uni-hohenheim.de). Thanks Roland.
- Fixed a problem with radacct.cgi where an Acct-Session-Id that contained a dot character was not recognised
- Added to the goodies an alternative version of radacct.cgi that supports some sorting of users by time, logins, total octets in or out. Contributed by Andrew Aken. Thanks Andrew.
- AuthBy RADIUS now returns IGNORE if a request is not forwarded due to NoForwardAuthentication or NoForwardAccounting. This is thought to be more correct, but existing users of multiple AuthBy RADIUS with NoForward* may need to use AuthByPolicy ContinueWhileIgnore.
- AuthBy LDAP, LDAP2 and LDAPSDK now support AuthAttrDef, which allows you to easily define check and reply items in your LDAP database, similar to the way it's done with SQL. Based on code contributed by Steven E Ames. Thanks Steven.
- AuthBy RADIUS now passes some additional arguments to ReplyHook:
${$_[0]} The reply received from the remote server
${$_[1]} The reply packet to be sent back to the original requester
${$_[2]} The original request
${$_[3]} The request sent to the remote server
- Added support for old style Ascend password encryption algorithms, new parameter UseOldAscendPasswords for both Client and AuthBy RADIUS. Also added -useoldascendpasswords flag to radpwtst.
- Added Microsoft vendor-specific attributes to dictionary. Contributed by sadkins at voyager2.cns.ohiou.edu (Scott Adkins). Thanks Scott.
- Suffix and Prefix incorrectly took notice of regexp special characters (such as +, ., * etc) in them. Changed so that Prefix and Suffix only ever do exact literal matches.
- AuthBy NT did not honour AddToReply or DefaultReply on Unix.
- Testing with Apache and Apache::AuthenRadius. Item added to the FAQ.
- Workaround for a bug with FreeTDS where a datetime set like '12-31-1999 12:01:01.000' comes back as '2000-01-00 12:01:01'.
- Added radiatorctl, a simple Radiator management script, to goodies. Contributed by Ragnar Kurm (ragnar at uninet.ee). Implements start, stop, restart, reload, inc, dec operations. Thanks Ragnar.
- SessDBM now uses a more sensible file mode for new files. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- DefaultRealm processing was moved to after PreHandlerHook to allow easier manipulation of user names. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added GRIC roaming attributes, including Timestamp to a number of dictionaries that did not have them.
- AuthBy EMERALD was not taking into account the masteraccounts.overdue column. Reported by Ray Carpenter (ray at systec.com). Thanks Ray.
- Session-Timeout reply attribute now supports a new syntax. If you have for example:
Session-Timeout="until 1800"
Then the Session-Timeout in the reply will be calculated as the number of seconds up until the time of day specified.
- AddToReply and DefaultReply did not honour special processing for Session-Timeout="until 1234", Tunnel-Password, Ascend-Send-Secret or Framed-Group.
- Encrypted-Password can now be in a variety of encrypted password formats: SHA, MD5 and standard Unix crypt. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added ExcludeRegexFromPasswordLog to Handlers. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- NasType TigrisOld has new improved performance code contributed by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
- Added ServerHasBrokenPortNumbers parameter to handle broken 3rd party radius servers that reply from a different port number than the one the request was sent to. Required for proxying to GRIC on NT.
- Added -v flag to radiusd to print version number. Also version is printed on startup INFO line.
- Improvements to restartWrapper to show more information about why the child died.
- Fixed a problem with AuthBy LDAP2, where recent versions of Net::LDAP do not support ldap_error_message.
- Added StartupHook which is called during startup and restarts
- Fixed a problem with broken VSAs which caused an entire packet to be ignored. Reported by Steve Suehring (suehring at coredcs.com).
- %M, %H, %S macros always produce 2 digits. Requested by Daniel Senie (dts at senie.com)
- Fixed a problem with %y and %e that produced only one digit in 2000. Reported by Thomas Voss (tvoss at netcologne.de). Thanks Robert.
- AuthBy NT now optionally honours the User Manager Dialin Permission flag. Only available on NT, and requires Win32-RasADmin package to be installed.
- Fixed a problem with some check attributes. When used to check attributes in a <Handler ...> clause, could get a crash with a message like:
Can't call method "log" on unblessed reference at Radius/AuthGeneric.pm line 644.
- Added support to AuthBy NT for Lockout and Account Expiry flags (supported when Radiator runs on NT). Contributed by talist at vif.com. Thank you!
- Fixed a problem with FramedGroupBaseAddress and RewriteUserName not being properly assigned by ClientList SQL. Fix contributed by jay.pike at voyager.net.
- Improved documentation about hooks and when they are called. Suggested by Richi Plana (richip at mozcom.com)
- Added dictionary.usr.merit to the distribution. This is a copy of http://totalservice.usr.com/ISP/rad/dictnary.dat, and can be used as a source for missing VSAs, or it can be used directly as the Radiator dictionary.
- Further fixes to zombie child reaping, so that we should not miss zombies, even if there is a SIGCHLD collision.
- Added StatusServerShowClientDetails to Client to optionally enable full Client statistics in the Status-Server reply. This changes the default behaviour, which used to be to always send the statistics for all Clients. The default is now to not send details for any Clients.
- Added new Nas-Type Portmaster4 which is suitable for use by Portmaster 4s running ComOS 4.1 or later. Uses pmwho.
- Fixed a problem with using AcctColumnDef with AuthBy PLATYPUS that would cause an SQL syntax error. Reported by Simon Woodward (simon at 1earth.net). Thanks Simon.
- Workarounds added to radwho.cgi and radacct.cgi. When used with FreeTDS, messages that FreeTDS prints to stderr would confuse Apache and other web servers. Stderr is redirected to /dev/null on Unix during database setup when the driver is FreeTDS.
- Connect-Rate now supports attributes called USR-Connect-Speed if there is no Connect-Info in the incoming packet.
- Fixed a typo with incorrect definition of Connect-Info attribute in Radius.pm
- Added globalvarname=value command line arguments and DefineGlobalVar to the config file. Can now use special formatting like: %{GlobalVar:globalvarname}. Suggested by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
- Added “Time On” column to radwho.cgi, with formatted time interval since they logged in.
- Added Debug parameter to AuthBy LDAP2, to assist debugging the Net::LDAP module.
- The global BindAddress and AuthBy RADIUS BindAddress parameters now permit special formatting macros.
- All the AuthBy LDAP modules now support special formatting characters in the Host parameter.
- All classes now have an optional Identifier parameter.
- All classes now honour the “include” keyword.
- Added NoDefault parameter to AuthBy. When set, it stops Radiator from ever looking for a DEFAULT user entry.
- Radiator failed to complain if an integer reply item specified a value name that was not in the dictionary.
- Historical my_crypt was removed from radiusd. It was required for compatibility with the Gurusamy Sarathy port of perl on Win 95.
- New module Util.pm added for general purpose utility routines. main::format_special and a number of other functions were moved there.
- Added ServerChecksPassword to AuthBy LDAP2, so that servers that implement proprietary encryption algorithms in their passwords (notably Open Directory from Platinum) can be used. Testing with Open Directory. Added opendirectory.cfg to goodies.
- Added new special character %P that is replaced with the decrypted User-Password from the current request. Code contributed by talist at vif.com. Thanks.
Revision 2.14.1 (29/7/99) Mostly new features
- Added new <ClientListSQL> clause that allows you to have your Client details in an SQL database, rather than in your config file.
- Added example Microsoft Access database to goodies. Works with the example sql.cfg, and also includes some sample queries and charts.
- The fix to default /32 in Ascend filters in 2.14 did not work properly in all circumstances. Found by Ricardo Kustner. Thanks Ricardo.
- Rolled in additional dictionary entries from ACC into the standard dictionary. Added the ACC dictionary to the distribution.
- Added support for NasType and Client-Id check items.
- Fixed problems that prevented AuthBy NT working with the latest version of Authen-Smb (Authen-Smb-0.91) on Unix. They changed their naming standards for NTV_NO_ERROR.
Revision 2.14 (14/7/99)
- Added new AuthBy PAM, which can authenticate through any method supported by PAM on your host.
- Added support for RAdmin, the new web-based user administration package from Open System Consultants. Supports sim-use, static IP address, bad login limits, preallocated time, error logging etc etc etc.
- New authentication module PORTLIMITCHECK, which can enforce simultaneous-use limits for arbitrary groups of users. This can allow you to sell bundles of ports on a global or per-POP basis, or DNIS etc. It can also set up Class attributes that depend on how many users are currently logged in in that group, so you can have different charging bands for normal and overflow usage etc. Requires that a <SessionDatabase SQL> be present in your Radiator config.
- Changes to session databases so that when a NAS is checked for a simultaneous use, the original username (prior to any RewriteUsername) will be used.
- Log.pm was ignoring LogFile global parameter and always using %D/logfile.
- Added new parameter DefaultSimultaneousUse to AuthBy. DefaultSimultaneousUse specifies a sim-use limit that will apply if there is no user-specific Simultaneous-Use check item.
- Added new dictionary.ascend2 for Ascends that use Vendor-Specific attributes with vendor 529.
- Added Nas-Type of TotalControlSNMP, which uses SNMP to check a Total Control NAS. Contributed by Stephen Roderick (steve at proaxis.com). Thanks Stephen.
- If you had both DefaultReply and AddToReply, then DefaultReply would have no effect. Fixed.
- In AuthBy SQL, you can now have multiple definition of the same column name in AcctColumnDef. This allows you to save different attributes from different types of NAS into the same column in a mixed NAS environment.
- Fixed a problem in radpwtst that could cause a premature exit if there were problems in receiving a reply.
- Checks for Realm in a Handler clause can now be regexps.
- Added a number of Bay VSAs to standard dictionary. Thanks to Stuart Henderson (stuart at eclipse.net.uk).
- Added new NasType of “ignore” that does not contact the NAS, and always assumes there are no multiple logins. Suggested by Stephen Roderick (root at proaxis.com).
- Some performance improvements in Nas.pm.
- Added new Client parameter NoIgnoreDuplicates. You can use this to fine-tune which types of duplicate requests you will handle (regardless of the setting of DupInterval). The value is a space separated list of request types, such as “Access-Request Accounting-Request” etc. Case sensitive. This can sometimes help if you are losing packets. Suggested by Tim Minchin (tom at interact.net.au).
- radpwtst can now take any number of additional attribute=value arguments, so you can add any attributes that are in the dictionary to each request.
- Fixed problem with becoming a daemon on AIX (which doesn’t support setsid()).
- Fixed a problem in the internal SessionDatabase, where it would ask all the NAS ports for all users to double check apparent logins.
- With SNMP, if you use SNMP_Session-0.70.tar.gz instead of SNMP_Session-0.62.tar.gz, snmpget reported “Unrecognizable or unauthentic packet received”. Fixed.
- Testing with perl 5.00401, no changes required.
- Testing with AIX, with the assistance of Dave Close (dclose at quik.com). Some fixes required. Thanks Dave.
- Testing on FreeBSD 2.2.5, no changes required.
- Added NasType support for Tigris (both old and new MIBS), Bay 4000, and Bay by finger, contributed by Rob Thomas (rob at rpi.net.au). Thanks Rob.
- Testing on SCO Open Server 5.0.4, no changes required.
- Added new special character %u, which is replaced by the original full User-Name as it was received and before any RewriteUsernames were applied.
- Added new special character %l, which is replaced by the current local time expressed as a string, eg ‘Thu Apr 22 15:39:03 1999’.
- Added ACC vendor-specific attributes to the standard dictionary.
- In AuthBy EXTERNAL, the external program can now return any attribute=value pairs on each line on stdout, not just Reply-Message. Contributed by Richi Plana (richip at mozcom.com). Thanks Richi.
- AuthBy NT was not logging passwords to PasswordLogFileName.
- On SIGHUP, old realms were not being removed from the old configuration.
- Upgraded AuthTACACSPLUS so it can do PAP and CHAP when you have a recent (0.16 or better) version of the TacacsPlus perl library.
- Now parses Merit style dictionaries, including VENDOR_CODE.
- radacct.cgi now shows summaries by IP address, suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de) which he says is useful for tracking down attacks.
- radacct.cgi will automatically decrypt on the fly files with a .gz extension, also suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de). Thanks Karl.
- radwho.cgi will now automatically refresh every 30 seconds, and also shows the date of the refresh in the title.
- DefaultRealm was not being honoured by Handlers, only Realms. Reported by Richard Lennerts (richard at vianet.net.au). Thanks Richard.
- Fixed a race condition in EXTERNAL that could prevent it replying under some conditions. Also fixed other problems that prevented it getting the return code from the external program on NT. Still not working properly on Win98.
- Added a new parameter ResultInOutput to AuthBy EXTERNAL so you can use a string in the first line of the output of the external command to signal the type of reply, instead of using the exit status. This is good if you are using Win98 where the exit status is not reliable.
- Using special characters like %a, %c, %C, %n, %N, %R, %T, %U, %u in a context where there is no associated packet would cause a crash. Now they are just replaced by an empty string.
- Handlers did not recognise embedded include directives.
- Changed child reaping to remove the possibility of unreaped child processes if 2 sigchld signals collide.
- Significant changes in AuthBy FILE to greatly reduce the amount of memory required with large user files to about one tenth of previous requirements.
- Fixed a problem with LogSQL where strings with quotes in them caused an SQL error.
- Included in goodies detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul at dove.mtx.net.au). Thanks Paul.
- Can now use case insensitivity in regexp Realms like this:
<Realm /realm.com/i>
In fact, you can use either the i or x modifiers.
- Added -snmp_port argument to radiusd to override what is in the config file.
- Improved the behaviour of changeAttrByNum so it correctly updates the cached value too. This is only interesting for authors of hooks.
- Added code to complain if Client or IdenticalClient names could not be resolved.
- Added ExcludeFromPasswordLog to Handler, to prevent certain user names being logged to the PasswordLogFileName. It's a good idea to list your sysadmins etc.
- Added wtmp support for FreeBSD, contributed by Jason (godsey at fidalgo.net). Thanks Jason.
- AuthBy SYSTEM now checks the primary group as well as the secondary groups. It used only to do the secondaries.
- Fixed a problem with AuthBy PLATYPUS where the select statement was constructed incorrectly.
- Fixed a problem with Prefix and Suffix check items that prevented rejection if there was no match.
- Added new parameter UseGetspnam to AuthBy SYSTEM so it can be used with some systems (notably Solaris) using getspnam.
- Added Timeout parameter to all the SQL based clauses, so that you can get predictable timeout from failed SQL operations due to lost connectivity with the SQL server. Defaults to 60 secs.
- Fixed a problem in test.pl that prevented reporting of some errors in the test suite. Fixed some other inaccuracies in the test suite.
- Added new special character %S, which translates to the current second.
- Added ReplyHook to AuthBy RADIUS, which runs after the reply is received from the remote radius server (as opposed to PostAuthHook, which runs after the request was forwarded, but before the reply is received).
- Modified Nas.pm so that if finger detects a problem or a timeout when using finger to verify simultaneous connections, it assumes that the user is still online (i.e. it assumes that the SessionDatabase is correct).
- Fixed a problem with “include” directives in the configuration file: Recursive includes did not work properly.
- Can now specify LivingstonOffs and LivingstonHole on a per-Client basis.
- Fixed a problem with command line arguments in radiusd. -log_file_name was ignored.
- Changes to Handler.pm and SessINTERNAL.pm to improve behaviour in the face of lost Stops.
- Mods to AuthLDAP2 so it conforms more closely to the expectations of some LDAP servers. In particular, it now maintains the TCP connection to the server, but binds and unbinds for each search.
- Fixed a problem in AuthBy EXTERNAL on some OS, where a sigchld handler could prevent getting the returns status of the external process. The result would be no reply top the request.
- Improved the sort ordering of IP addresses in radacct.cgi.
- Rationalised some code in Nas.pm to make it smaller and easier to maintain, and to facilitate a future internal SNMP client. Also added some snmpwalk support, and activeSessions support.
- Added 20 second timeout to internal finger client.
- Added handling of Ascend-Access-Event-Request, which can be used to verify that an SQL SessionDatabase is in sync with reality.
- Deleting a user from a DBM file with builddbm -d username left an empty user entry, rather than deleting it.
- Added new special characters %b %o %e %f %g %i %j %k %p for time components from the Timestamp of the current packet.
- Changed default DupInterval to 2 seconds. This will still detect dups created by duplicate network paths, but now a lost Access-Accept won't trigger many duplicate requests.
- Ascend-Data-Filter addresses now default to /32 if the mask length is not specified, eg “ip in drop dstip 1.2.3.4” is equivalent to “ip in drop dstip 1.2.3.4/32”.
- Improved error recovery during log file parsing so that unknown objects won't silently cause the rest of the file to be ignored.
- Binary distribution file changed to .tgz extension to prevent problems unpacking on PCs.
- Improvements to getNasId so it will get an address even if NAS-IP-Address is absent and NAS-Identifier does not include an IP address. Some NASs do not conform to the Radius spec and this helps with those NASs.
- Added support for NasType of NortelCVX1800. Contributed by James H. Thompson (jht at lj.net). Thanks James.
- AuthBy RADIUS will now do round-robin proxying for host names with multiple IP addresses. DNS names for proxy Radius hosts are resolved at startup time.
- Changes to API standard for findUser in authentication modules allow you to detect database failure, as opposed to “no such user”, useful for LDAP and similar to fall back to other LDAP databases.
Revision 2.13.1 (18/3/99) Consolidation of some minor bug fixes
- MaxSessions exceeded message now includes user name.
- Fixed a problem with PreAuthHook and PostAuthHook that prevented them being called.
- Added new %U formatting character that gives the user name with the realm stripped off. Contributed by Stephen Roderick (steve at proaxis.com). Thanks Stephen.
- Added parameter values in the form file:"filename" which will load the value from an external file. Probably most useful for putting long code fragments for the hooks in an external file:
PreAuthHook file:"hook.pl"
From a suggestion and code fragment from Lars (lmb at teuto.net). Thanks Lars.
- Added auto indexing to the FAQ.
- AuthBy PLATYPUS and AuthBy EMERALD now honour AuthColumnDef and AuthSelect to handle _extra_ columns returned from the standard select statement.
- Added support for Xyplex sim-use checking with finger, with assistance of Nikos Aslanakis (aslan at spark.net.gr). Thanks Nikos.
- Fixed some typos in emerald.cfg that broke Acct-Terminate-Cause.
- Handler.pm was choosing the wrong handler.
- Added AddATDefaults parameter to Auth EMERALD. Contributed by Andrew Ruthven. Only adds the contents of RadATConfigs if AddATDefaults is defined in the configuration file. Thanks Andrew.
- Added NoDefaultIfFound to AuthGeneric.pm, which stops Radiator looking for any DEFAULT users if an entry for the user was found but their check items failed.
- Fixed a problem that prevented PreClientHook being called.
- Added new AuthBy CDB contributed by Pedro Melo. CDB is a fast, reliable, lightweight package for creating and reading constant databases. More details about CDB at ftp://koobera.math.uic.edu/www/cdb.html Thanks Pedro!
- Fixed some problems where the current trace level was misreported when the trace level was changed with SIGUSR1 and SIGUSR2.
- SNMP was reporting UpTime as an integer instead of timeticks.
Revision 2.13 (17/2/99) Lots of new features, some bug fixes.
- Added SNMP Agent. Now supports SNMP V1 requests as per draft-ietf-radius-servmib-04.txt. That means that you can get various types of server statistics, and even reset the server using SNMP. You might want to use MRTG or similar for monitoring your server.
- Added AuthBy RODOPI and example rodopi.cfg. Rodopi is quite a mature NT/MS-SQL based billing system with a Java/web GUI.
- Added new configurable and subclassable logging modules: Log FILE, Log SYSLOG and Log SQL. You can now log to any and all places at the same time, plus easily add your own logging modules.
- Simultaneous use check with finger for Portslave, Ascend, Shiva or Computone now defaults to using an internal perl finger client. You can still force it to use an external finger program by specifying FingerProg in the config file. The internal client improves portability to NT, and will improve performance, since it avoids the cost of starting an external program.
- Rationalised reporting and logging of rejections: Auth*::handle_request now also returns a reason message, which can optionally be replied to the user with the new Handler keyword RejectHasReason.
- All AuthBy modules now do their logging through a virtual log() function in AuthGeneric, which allows you to override with your own AuthBy specific error logging function. Suggested by Andrea Campi (andrea at planet.it). Thanks Andrea.
- Added AuthTACACSPLUS to authenticate from a Tacacs Plus server. Requires the Authen::TacacsPlus module from CPAN. We used the version in TacacsPlus-0.15.tar.gz. If it's not on CPAN, it's available from the author here.
- Status-Server message now returns all server and per-client statistics.
- AuthBy NT can now authenticate from an NT domain controller, even when Radiator is running on Unix. Requires the Authen::Smb package from CPAN.
- Testing with Security Dynamics ACE/Server Radius (also known as SecurID). Their radius server is very limited, but Radiator can proxy to it fine, and handles the Access-Challenges that are used to set and change PINs etc.
- Testing with Freeside, a free Unix based ISP billing package. Example freeside.cfg created.
- Forgot to mention previously the addition of several hooks that allow you to get control with your own perl code during authentication: PreClientHook, PreHandlerHook and PreAuthHook, PostAuthHook.
- Changed the default Framed-IP-Address in radpwtst.
- Fixed problem with cached attributes that meant that when a username was rewritten, it was not actually changed in the packet, which made the detail file log incorrectly.
- Added “delete session” link to radwho.cgi so that bogus sessions can be manually deleted.
- Added AuthBy GROUP, which allows authentication clauses to be bundled and grouped to any depth. It's intended for experimenters and early adopters. It only understands AuthByPolicy, StripFromReply, AddToReply, DefaultReply so far. Feedback is solicited.
- Fixed some bugs in radpwtst -gui mode that caused locked windows, false timeouts etc. Now works with Perl 5.005 and Tk800.011 on Unix. Still doesn't work on Win95 (looks like Tk file handlers are still not right on Win95).
- Fixed problems with wtmp format on Linux that prevented who and last from working.
- Created mysqlCreate.sql which correctly builds indexes for mysql.
- Added indexes to all SQL scripts in goodies
- Can now define AuthBy clauses at the top level, and refer to them and reuse them with the AuthBy parameter. Good for reusing complicated SQL database definitions (and reducing the number of SQL licenses required). From a suggestion by Stephen Roderick (steve at proaxis.com). Thanks Steve.
- Added support for binary data type in dictionaries. Especially for use in Proxy-State which can otherwise get trailing NULs stripped off.
- radwho.cgi now shows the total number of users online, and optionally presents a hotlink to force a user off a NAS, by calling an external program you specify (not supplied).
- Added NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS. From patches supplied by Vincent Gillet (vgi at oleane.net). Thanks Vincent.
- Makefile.PL can now do installation on Win95 hosts. No need to use make any more on Win95 (many people don’t have it).
- Added LocalAddress to AuthRADIUS, which forces the proxy forwarding port to bind to a particular address. Defaults to the same as BindAddress. Useful for multi-homed hosts. Patch supplied by Lars (lmb at pointer.teuto.de). Thanks Lars.
- Improved performance of all Hooks by precompiling the code. From a suggestion by Lars (lmb at pointer.teuto.de). Thanks Lars.
- Improved robustness of the session databases in the face of lost stop packets. Now a stop packet will always remove any previous session that we thought was on that NAS/Port combination. This will make the session database “self-healing”. Your existing DBM session database will have to be deleted: the database format for DBM is changed. The table format for the SQL session database is the same, but the indexes have changed: you should probably recreate them if you are using SQL. Also changed radwho.cgi to be compatible with the new DBM database format.
- Expiration now understands dates of the form dd/mm/yy(yy), since some SQL databases produce dates in that form.
- Improved robustness of SQL connections, and reconnection during database outages. Prevent crashes when MS-SQL disconnects.
- SQL does not use ping anymore, and will therefore work with DBD-ODBC 0.20 and MS-SQL. Its also faster.
- Included Vincent Gillet’s AddToReplyIfNotExist.patch in the goodies directory. This patch adds attributes to a reply _only_ if they don't already exist. Thanks Vincent.
- Testing on Red Hat 5.2. No changes required.
- Testing with Interbiller 98, a reasonable, inexpensive ISP billing package. goodies/interbiller.cfg created.
- Added FramedGroup for all AuthBy clauses, similar in behaviour to Framed-Group, but applying to all requests accepted by an AuthBy clause. Contributed by Garry Shtern (shterng at akula.com). Thanks Garry.
- Testing on Rhapsody. OK, but building MD5 is non-standard. See the FAQ for details.
- Fixed problem where accounting info would be stored twice if the Handler forked (such as AuthBy IPASS).
- Fixed typo in AuthBy IPASS that prevented Acct-Session-Time being properly sent to IPASS.
- Fixed a problem in SessSQL.pm, where if a session proved to be bogus, SessSQL tried to delete a different session. Reported by Andrea Campi (andrea at planet.it). Thanks Andrea.
- Added contribution from Todd A. Green (tagreen at ixl.com): a new sorter in radwho.cgi that will sort by IP addresses and mixed Alpha-numeric NAS-Ports (eg for USR/3COM ). Thanks Todd.
- AuthBy UNIX now correctly uses the password file and group file when checking for primary group membership, instead of using getpwnam etc.
- AuthBy PLATYPUS now honours AcctColumnDef. It allows you to log extra columns from Accounting Stops in the same way as AuthBy SQL. Suggested by Ricardo Freire (ricardo at allways.com.br). Thanks Ricardo.
- Testing with DBI Proxy from Unix to NT. OK.
- Added AcceptIfMissing parameter to AuthBy FILE and AuthBy DBFILE. It will automatically accept a user if they are not in the users file. If they are in the users file, it will accept them if and only if their check items pass in the usual way. Useful for applying additional checks on a subset of your user population.
- Added FramedGroupMaxPortsPerClassC to Client, so you can compute Framed-IP-Address on a NAS with more than 255 ports.
- Example config to work with Freeside, a free ISP billing package for Unix. See goodies/freeside.cfg
- AuthBy SQL and PLATYPUS now use the DBI quote function to correctly handle quotes embedded in string data that is inserted with an AcctColumnDef.
- Support Shiva LanRover sim-use detection using finger. Also added detection of config errors for all uses of finger, and runtime errors with snmpget.
- Fixed a problem with Ascend binary filters: if the ‘drop’ keyword was used, it would build an invalid filter.
- AcctColumnDef will not insert attributes that are not present in the request. Previously, it would insert NULL, which upset peoples ability to define column defaults, and to build indexes.
- Added VSAs for ACC to dictionary. Courtesy Ingvar Berg (ERA) (Ingvar.Berg at era.ericsson.se). Thanks Ingvar.
- Added NasType AscendSNMP that will check Ascend with SNMP instead of finger.
- Added nasclear.cgi to goodies directory. Its a CGI script that shows all the unique NASs in your SQL Session Database, and allows you to clear all sessions for a NAS. Contributed by Aaron Holtz (aholtz at bright.net). Thanks Aaron.
- Default behaviour when no handler is found changed from IGNORE to REJECT.
- Auth-Type=Reject now propagates correctly back through chains of authenticators. Previously if the chain was more than 1 deep, an immediate reject would be turned back into an ordinary rejection. Thanks to Aaron Holtz for reporting this one.
- Fixed a problem with AuthEXTERNAL that prevented it working properly on NT. Also made example config file and example external program for EXTERNAL in goodies, demonstrating the protocol for passing and receiving attributes.
- Added optional format argument to AcctColumnDef, so you can set up SQL-specific conversions etc.
- PostAuthHook is now given a third arg saying what the result of the authentication is.
- Completed support for SHA encrypted password. Contributed by Justin Daminato (jd at ozemail.camtech.net.au)
- Quoted check and reply items can now have escaped octals in them like
Tunnel-Server-Endpoint = "\000191.165.126.240 fr:20"
(that is a NULL as the first octet in the string), which is useful for adding tags to the front of Tunnel attributes like the above.
- Added AuthBy LDAP2, which uses Net::LDAP from perl-ldap-0.09 or better. The previous version AuthBy LDAP is now deprecated (since the Net::LDAPapi it uses is now deprecated).
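An added illustration (not Radiator's code) of what the escaped-octal reply item above produces on the wire: the backslash-octal escapes are turned into raw bytes, and the leading octet is then interpreted as the RFC 2868 tunnel-attribute tag. The Tunnel-Server-Endpoint value is the one quoted above; the function names are my own.

```python
"""Added example: decode a Radiator-style quoted reply item containing
C-style octal escapes, then split off the RFC 2868 tunnel tag octet.
This is illustrative code, not part of Radiator."""
import re

# One backslash followed by one to three octal digits, e.g. \000 or \7
_OCTAL_ESCAPE = re.compile(r'\\([0-7]{1,3})')


def unescape_octal(value: str) -> bytes:
    """Convert backslash-octal escapes in a quoted item value into raw bytes.

    Ordinary characters are copied through as ASCII. An escape that does
    not fit in a single octet (e.g. \\400) is rejected rather than silently
    truncated, so a mis-typed config value cannot produce a surprising tag.
    """
    out = bytearray()
    pos = 0
    for m in _OCTAL_ESCAPE.finditer(value):
        out += value[pos:m.start()].encode('ascii')
        code = int(m.group(1), 8)
        if code > 0xFF:
            raise ValueError(f'octal escape \\{m.group(1)} does not fit in one octet')
        out.append(code)
        pos = m.end()
    out += value[pos:].encode('ascii')
    return bytes(out)


def split_tunnel_tag(raw: bytes):
    """Interpret the first octet of a tunnel attribute value per RFC 2868.

    Values 0x01..0x1F are a tag grouping attributes of the same tunnel;
    0x00 means the tag field is unused. Anything greater than 0x1F is not
    a tag and belongs to the string itself. Returns (tag, data) where tag
    is None when there is no tag octet at all.
    """
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return None, raw


# Constructed input: the reply item quoted in the release note above.
ITEM_VALUE = r'\000191.165.126.240 fr:20'

if __name__ == '__main__':
    raw = unescape_octal(ITEM_VALUE)
    tag, endpoint = split_tunnel_tag(raw)
    print(f'tag={tag} endpoint={endpoint!r}')
```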
- Added DecryptPassword parameter to AuthBy EXTERNAL, which makes it decrypt User-Password before passing it to the external program.
- Testing with Bay Annex Server and tunelling, with the help of Stephen Ollis. Thanks Stephen.
- Now handle Prefix and Suffix check items.
- Added new AcctColumnDef type “formatted-date” that uses Date::Format to build arbitrary date formats. Especially useful for Oracle’s odd date behaviour:
AcctColumnDef TIME_STAMP,Timestamp,formatted-date,to_date\ ('%e %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')
- AcctColumnDef type integer-date now formats dates in the format ‘Sep 3, 1995 13:37’, ie the full year including the century is now included. Previously it would do ‘Sep 3, 99 13:37’ and was not Y2K compliant. If this breaks your accounting table, consider using the new formatted-date type described above.
Revision 2.12.1 (21/10/98) Minor release for some desperately required features.
- Added support for Ascend’s Tunnel-Password according to http://ftp.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-06.txt
- AuthBy RADIUS now supports multiple Hosts. It will try to forward to the each host in the list until it gets a reply from one, or until the list is exhausted.
- Fixed a bug that causes a crash when Handlers are tested.
- radpwtst now generates its default identifier from the current time, which causes less confusion if you don't have DupInterval set to 0.
- New version of IpassPerl that checks the ipass libraries are installed before the Makefile is built.
- Added -t dbmtype flags to builddbm and buildsql to force them to use a certain DB file format, instead of to accept the “best” one that AnyDBM_File would choose. Can also configure radwho.cgi SessDBM.pm and AuthDBFILE.pm to easily specify the type.
- Fixed problems with MS-SQL 7 and AuthBy EMERALD, where integers such as account_id and attribute numbers are read as floating point.
- Fixed a Y2K compliance issue in formatSQLDate.
Revision 2.12 (17/10/98) Major new features and some bug fixes
- Added <SessionDatabase SQL>, so the external session database can be in SQL. This might be useful to coordinate multiple servers for Simultaneous-Use limits via SQL, or perhaps just to keep a “who is online” database handy. Also added radwho.cgi so you can see the current contents of a DBM or SQL Session Database.
- Added new <Handler> class that allows you to choose how requests will be handled depending on any attribute of the packet, not just the realm. You can still use Realm; its backwards compatible. Realm is now a superclass of Handler, and Handler understands all the same parameters as Realm.
- New AuthBy parameter DynamicCheck allows you to do % substitutions on check items prior to authentication. Now recognise DynamicReply as a synonym for Dynamic. Suggested by Tim Young (Tim_Young at compuware.com).
- Removed hard-coded Radius attribute names from the code.
- Performance improvements in attribute fetching.
- Testing with OpenLinkODBC/iODBC for connectivity between Unix and MS-SQL without using Sybase client libs. Documentation in faq.html.
- Default location for pid file changed from /tmp/radiusd.pid to %L/radiusd.pid as a security measure. Suggested by Andres Kroonmaa.
- SQL AccountingTable can now contain special formatting characters; table names based on the current year and month might be very useful. Suggested by Nicholas Barrington (nbarrington at smart.net.au).
- Fixed a problem that would prevent proxy working after a HUP.
- Fixed 2 bugs identified by Andres Kroonmaa (andre at ml.ee) in AuthBy SYSTEM and AuthGeneric that prevented Group membership check items working in SYSTEM, and sometimes with DEFAULTs. Thanks Andres.
- Fixed problem with signals on Win95 that prevents radiusd surviving as an NT service.
- Fixed some typos in AuthPLATYPUS that caused crashes to do with formatSQLDate.
- Fixed some problems with protocol and service specifications in Ascend Binary filters. Reported and diagnosed by Peter Chow. Thanks Peter.
- Don't die if the log file fills up.
- New parameter DomainController in AuthBy NT allows you to force it to use a particular Domain Controller, instead of asking on the network.
- AuthIPASS, AuthEXTERNAL, AuthTEST and AuthNT did not honour StripFromReply, AddToReply or DefaultReply.
- Added code contributed by Nicholas Barrington (nbarrington at smart.net.au) to AuthSQL. Implements AccountingStartsOnly, and AcctSQLStatement, which allows you to execute arbitrary SQL statements for each accounting request.
- Auth-Type=Reject now does an immediate reject: it will not fall through to any following DEFAULTs.
- Added AcctLogFileFormat, so you can control the format of the accounting log file.
- Fixed AuthGeneric so it wont leave zombie processes around. This mostly occurred with AuthBy IPASS.
- Fixed a bug that prevented Total Control online checking from working properly.
- Added SocketQueueLength parameter, so you can adjust the radius socket queue lengths.
- Removed all uses of non-blocking IO, since too many operating systems don't support it properly.
- Cleaned up test.pl. Regression tests now run on Win95 and NT. Adjust documentation to suit.
- Changes so AuthNT will work with ActiveState perl.
- Added support for Bay to Nas.pm. Can now use Simultaneous-Use with Bay NASs.
- DefaultReply was not getting % variable interpolation.
- Cloned AuthBy LDAP into AuthBy LDAPSDK, which works with Netscape’s new PerLDAP module and the latest LDAP SDK. PerLDAP is readily available as a downloadable module for ActiveState perl on NT. This is the easiest way to get LDAP working on NT without compiling your own modules.
- PasswordLogFile now includes the current date and time in easy-to-read format, as well as in Unix seconds.
- Documentation for RewriteFunction.
- Fixed memory leak in AuthRADIUS that affected packets that are proxied and then exceed their retransmit count.
- The log file directory will now be created if it does not exist. This makes it easy to have log files rotated into different directories.
- Fixed problem where Simultaneous-Use would not work properly if you had Clients defined by DNS name instead of IP address.
- Tested Platypus in RadiusNT compatibility mode against AuthBy EMERALD. Works fine.
- AuthUNIX did not remove cached passwords if the user was removed from the password file.
- Fixed a leak that affected some integer attributes during proxying on Perl 5.004.
Revision 2.11 (16/8/98) Major new features and some bug fixes
- Applied some patches from Aaron Nabil that should have made it into 2.10: correction to users file with correct hiperarc filter syntax; fix for hiperarc not sending nas_id; patch to ignore false dupe hiperarc sends on restart; fix to separate identifiers for different ports.
- Implement Auth-Type = Reject and Auth-Type = Ignore check items.
- Patch from Shawn Instenes (shawni at teleport.com) to log more details of requests with bad authenticators.
- Latest version of USR dictionary in dictionary.usr.
- Standardised spelling of Van-Jacobson in all dictionaries.
- Added patch from Aaron Nabil (nabil at spiritone.com) for hex dump of packets at trace level 5.
- Fixed bug with %C on some platforms that did nothing.
- Be tolerant of trailing white space in check and reply items.
- Added -v flag to buildsql to print out all SQL statements issued.
- AuthBy SQL now ACCEPTS Accounting requests if no accounting table or columns is defined. It used to IGNORE, which was not very helpful.
- test.pl now runs the test server on ports 9721 and 9722 so you can test on a live box. Thanks to a suggestion from Andres Kroonmaa (andre at ml.ee)
- AddToReply and StripFromReply have been moved from RADIUS to Generic, so any AuthBy can use them now.
- Check and reply items now silently ignore empty attr-val pairs
- SQL database access has been abstracted out to a separate inheritable module SqlDb.pm, which has the database connect/reconnect and execute code in it. This will allow it to be reused to support SQL session database, client lists etc one day.
- Rolled in AuthColumnDef mods contributed by Lars (lmb at teuto.net) in AuthSqlEXT.pm (which is therefore now obsolete). You can now have arbitrary check and reply items in multiple columns in your user database. For backwards compatibility, if no AuthColumnDef is defined, it will assume Password, Check Items, Reply items, backwards compatible with previous versions.
- Fixes to AuthNT.pm so that it will correctly authenticate in the face of apparent errors that really mean that password policies are in force.
- Added DefaultReply for all AuthBy, which specifies attributes to be returned only if they have none of their own. Contributed by Phil Freed (pfreed at cyberTours.com). Thanks Phil.
- Added NIS+ authentication with AuthNISPLUS.pm
- Following requests from Stephan Forseilles (sf at skynet.be) and others, added include file processing to config files. Thanks for the suggestion.
- Altered Radius.pm, so it would not die due to badly mangled VSAs sent by 3COM Netserver cards at startup. Thanks to Aaron Nabil for helping to identify this one.
- Mods to all executables so they will get the modules in the current directory in preference to any installed ones.
- Some changes to radacct.cgi so it will work with SQL too. Not easily configurable, and not documented yet, but it works. Improvements are scheduled for later.
- Fixed a bug with %{Attribute-Name} macros that could cause a crash.
- Packet dumps at trace level 4 and 5 are now logged to the log file instead of only being printed to stdout.
- AuthBy LDAP now produces more debugging and error messages. It is now robust in the face of the LDAP server stopping.
- Support optional encrypted passwords in databases where a plaintext password is normally expected. Supported formats are now:
- unix crypt “{crypt}1xMKc0GIVUNbE”
- Netscape SHA encryption “{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc=”
- Linux MD5 password encryption “$1$cTpht$Obu9PLSMst1TDou.mN5bk0”
- Plaintext
- Added SSL support for LDAP. This is not supported on the Umich LDAP, as SSL is not supported there. You will need the Netscape SDK if you want SSL support.
- SIGUSR1 increases trace level and SIGUSR2 decreases it for radiusd (suggested by Andrea Campi).
- New AuthBy SYSTEM that authenticates with getpwnam and getgrnam from whatever your system's underlying username database is. This allows you to hide the authentication system, whether it is password files, NIS+, PAM or whatever else might be installed on your system. Not supported on Win95 or NT, or on systems with shadow password files.
- Timestamp was being adjusted in the wrong direction by Acct-Delay-Time.
- A few lingering “warn”s were changed to LOG_ERR.
- Permit line continuations within a configuration file with \. After a suggestion by Richard Lennerts.
- Can now do RewriteUsername on a global or per-Client basis as well as per-Realm.
- New check item NAS-Address-Port-List specifies a file that contains a list of permitted NAS/Port combinations for the user.
- Can now use the new Client parameter IdenticalClients to configure a large number of identical client configurations
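An added example, not Radiator's code, showing how a verifier handles the stored-password formats listed for this release ({crypt}, {SHA}, $1$ MD5-crypt and plaintext). Python's hashlib covers the {SHA} form (base64 of the raw SHA-1 digest) and plaintext; the two crypt(3) forms are delegated to Python's crypt module, which is deprecated since 3.11 and absent from 3.13, so where it is missing those entries are rejected rather than accepted. The page's own {SHA} value decodes to the SHA-1 of "admin", which the usage line relies on; all other inputs below are constructed.

```python
"""Check a submitted password against a stored entry in one of the formats
a Radiator user database may hold (added example, not Radiator code)."""
import base64
import hashlib
import hmac

try:
    import crypt  # deprecated in Python 3.11, removed in 3.13
except ImportError:  # pragma: no cover
    crypt = None


def make_sha_entry(password: str) -> str:
    """Netscape-style entry: '{SHA}' + base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(submitted: str, stored) -> bool:
    """Return True only when `submitted` matches `stored`.

    Anything this host cannot verify yields False: a verifier must fail
    closed rather than fall through to accepting the password.
    """
    if stored is None:
        # Opposite of the 2.9 AuthSQL behaviour (NULL accepts anything);
        # here a missing password means nobody can log in.
        return False

    if stored.startswith("{SHA}"):
        expected = stored[len("{SHA}"):]
        actual = make_sha_entry(submitted)[len("{SHA}"):]
        return hmac.compare_digest(expected, actual)

    if stored.startswith("{crypt}") or stored.startswith("$1$"):
        if crypt is None:
            return False  # cannot verify on this host: reject
        hashed = stored[len("{crypt}"):] if stored.startswith("{crypt}") else stored
        try:
            # crypt(3) reads the salt (and, for $1$, the algorithm) from the hash
            result = crypt.crypt(submitted, hashed)
        except (OSError, ValueError):
            return False
        return result is not None and hmac.compare_digest(result, hashed)

    # Plaintext: still compare in constant time.
    return hmac.compare_digest(submitted.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    print(check_password("admin", "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="))  # True
```

The dispatch is on the stored value's prefix, so a plaintext column that happens to begin with "{SHA}" or "$1$" will be treated as a hash; if your database mixes formats, either prefix plaintext explicitly in your own scheme or keep the format in a separate column. Every comparison uses hmac.compare_digest so that the verifier's timing does not leak how many leading characters matched.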
Revision 2.10 (13/7/98) Major new features.
- Now works with Emerald (http://www.emerald.iea.com), both authentication and accounting. Includes a new EMERALD AuthBy module and example config file in goodies/emerald.cfg
- Now works with Platypus (http://www.boardtown.com), both authentication and accounting. Includes a new PLATYPUS AuthBy module and example config file in goodies/platypus.cfg
- Generalised the Session Database for Simultaneous-Use limits. There is now a SessGeneric.pm abstract class and SessINTERNAL and SessDBM implementations. This means you can now enforce Simultaneous-Use limits across multiple instances of Radiator. The code structure is similar to the Auth… modules, and adding new database formats is fairly simple. The default is INTERNAL as before.
- Added support for Connect-Rate check item, that specifies a max Connect-Info speed permitted for the user.
- Added automatic IP Address allocation with new FramedGroupBaseAddress parameter in Client, and new Framed-Group pseudo-reply item.
- Accounting packets now always get a Timestamp added to them when received. (Suggestion of Guilherme Maranhao (guiga at rio.com.br))
- Some minor changes to Realm.pm to make it a bit more economical of memory.
- Added patch from Aaron Nabil (nabil at spiritone.com) which provides new -bind_address argument to radiusd and BindAddress parameter that allows radiusd to only bind to a single address for multi-homed hosts. Thanks Aaron.
- Added patch from Aaron Nabil (nabil at spiritone.com) which provides SIGTERM handling to shut down cleanly. Thanks Aaron.
- Changed a number of ‘die’s into ‘warn’. We now try very hard never to stop unless it is completely impossible to go on.
- Added PasswordLogFileName to Realm. If defined, every login attempt will be logged to the file. Useful for your help desk to diagnose user login problems. Based on a request from Stephan Forseilles (sf at skynet.be).
- Fixed a bug in Radius::unpack. Malformed radius packets could cause an infinite loop that would exhaust all memory.
- Redid performance tests in a more realistic environment, resulting in significant improved throughput figures.
- Added detection of Livingston reboot messages (a Start with Acct-Session-Id = ‘00000000’)
- Added realtime online user detection for Ascend (with finger), Computone (with finger) and Cisco (with snmp)
- Added general attribute replacements, so that for example %{Framed-IP-Address} is the same as %a. Contributed by Lars (lmb at pointer.teuto.de). Thanks.
- AuthRADIUS now logs IP addresses instead of binary. Contributed by Kurt Jaeger (pi at complx.LF.net)
- SQL Accounting can now convert Timestamp values into SQL dates.
- Upgraded dictionary.ascend to be in line with latest from Ascend.
- Tested LDAP on NT with the NETSCAPE DIRECTORY SDK 1.0 and the Net::LDAPapi Windows NT Binaries v1.40 from http://www.wwa.com/~donley/netldap.html
- AuthBy FILE and AuthBy DBFILE can now use per-request replacements like %n in their Filename. Thanks to Paul Rhodes (paul at atlas.net.uk).
- Implement Ascend-Send-Secret reply item. Thanks to Paul Rhodes (paul at atlas.net.uk) for this contribution.
- Changed default DupInterval to 60 secs.
- Altered all DBM accesses to use AnyDBM_File, which will choose the ‘best’ format DBM file available on the host machine.
- New AuthSQL parameter AccountingStopsOnly, which makes SQL only log Accounting Stop requests: all other accounting requests are accepted but not logged.
- Testing with postgreSQL, documentation.
- radacct.cgi now uses CGI.pm, instead of cgi-lib.pl, for better portability.
Revision 2.9.1 (23/6/98) Minor bugfix release
- Fixed bug that altered username in the request when cascading from AuthBy SQL to any other AuthBy method. This only affected cascaded authentications where SQL was not the last method.
- Altered dictionary.ascend so that Password appears as User-Password, which fixes authentication problems with that dictionary.
- Applied patch from Aaron Nabil (nabil at spiritone.com) to issue warnings when dictionary integer attributes are missing.
- Removed some perl5.004 features that inadvertently prevented radiusd running on 5.003.
- Fixed a memory leak in RDict.pm
Revision 2.9 (14/6/98) Mostly new features:
- Added restartWrapper to goodies. Can be used to automatically restart radiusd (or any other program) if it stops unexpectedly and optionally email someone.
- radiusd can now be started automatically by (x)inetd: if stdin is a socket, it assumes it is running under inetd and uses stdin as the authentication port socket.
- Fixed test.pl so radiusd will not incorrectly load previously installed library modules.
- In AuthSQL, if the password (or encrypted password) column for a user is NULL in the database, then any password will be accepted for that user. This is a deliberate fail-open for that row: a NULL must only ever mean "no password required", never "password not yet set", so lock such rows some other way (for example a check item) if the account is not meant to be open.
- AuthNT now honours the NT account disabled flag. If you check the “Account Disabled” checkbox in the NT User Manager, they won't be able to authenticate. Also AuthNT correctly queries the right Domain Controller, and Group membership is checked against the Global Group (not the Local Group).
- Some NASs append a NUL to string attributes, contrary to the spec. We now always strip trailing NULs from incoming string attributes.
- Can now have any number of RewriteUsername lines in a Realm. The rewrites are applied in the order they appear in the config file.
- radacct.cgi now has a secure option that allows your customers to see only their own usage details on a web page
- Added RewriteFunction to Realm to define a function that will rewrite user names. If defined, its used in preference to RewriteUsername.
- AuthBy UNIX was incorrectly reading the password file twice at startup. Thanks to tom at interact.net.au for reporting this.
- Now can have any number of AcctLogFileName in each Realm, which allows you to have multiple log files for each realm. Thanks to shawni at teleport.com for this patch.
- AuthBy FILE and AuthBy UNIX now reread and cache their files if their modification time changes while the server is running. AuthBy UNIX now honours Nocache too.
- Now handles Accounting On and Off messages. Accounting On clears all the sessions from that NAS. Radpwtst is also able to send Accounting On and Accounting Off now. Contributed by nabil at spiritone.com. Thanks Aaron.
- Added SNMPCommunity to Client. Thanks to Andrea Campi (andrea at webcom.it) for the suggestion.
- Added AccountingHandled from shawni at teleport.com. This forces Radiator to reply to Accounting request even if they would have been ignored. Useful for ignoring Accounting requests while keeping the NAS happy. Thanks Shawn.
- Now works with clients that don't provide RFC 2138 compliant passwords (some clients, notably some versions of radcheck, don't pad passwords to 16 bytes like they should)
- Added %a to special formatting characters for the Framed-IP-Address of the current request (if any) (Contributed by nabil at spiritone.com)
- Added new attributes to AuthBy. UseAddressHint forces Radiator to honour a Framed-IP-Address in the request unless it is overridden by a Framed-IP-Address in the reply items. Dynamic specifies reply attributes that will get run-time variable substitution. Both of these contributed by nabil at spiritone.com, and can be used together with the new %a to build anti-spoofing filters.
- New AuthBy modules contributed by nabil at spiritone.com are included in the goodies directory for exact Livingston user file compatibility (AuthCOMPAT.pm) and for Digital Unix NDBM passwd files (AuthDBUNIX.pm). Thanks a heap Aaron!
- Added new Realm attribute: AuthByPolicy allows you to control the behaviour of cascaded authentication modules.
- buildsql now can build an SQL database out of flat files and DBM files, as well as Unix password files.
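An added example, not Radiator's code, for three of the changes above: walking a packet's attribute list without looping forever on a malformed Length (the 2.10 fix to Radius::unpack), stripping the trailing NUL that some NASs append to string attributes (2.9), and decoding a User-Password from a client that did not pad to 16 bytes (2.9). The shared secret, authenticator and packet bytes are constructed for the example; attribute numbers 1 (User-Name) and 2 (User-Password) are the standard ones.

```python
"""Tolerant RADIUS attribute parsing and RFC 2138 User-Password handling
(added example, not Radiator code)."""
import hashlib

USER_NAME = 1
USER_PASSWORD = 2
STRING_ATTRS = {USER_NAME}            # attributes carrying text values


class MalformedPacket(ValueError):
    """Raised instead of looping or reading past the end of the buffer."""


def build_attribute(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(payload):
    """Return [(type, value), ...] from the attribute region of a packet.

    A Length of 0 or 1 would never advance the cursor (the infinite-loop
    case fixed in 2.10) and a Length past the end would read garbage;
    both are rejected outright.
    """
    attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise MalformedPacket("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:
            raise MalformedPacket(f"attribute {atype} has length {alen}")
        if pos + alen > len(payload):
            raise MalformedPacket(f"attribute {atype} overruns the packet")
        value = payload[pos + 2:pos + alen]
        if atype in STRING_ATTRS:
            value = value.rstrip(b"\x00")   # some NASs NUL-terminate strings
        attrs.append((atype, value))
        pos += alen
    return attrs


def _xor_stream(secret, authenticator, data, encoding):
    """RFC 2138 keystream: b1 = MD5(S + RA), bn = MD5(S + c(n-1)).

    Runs block by block over whatever length it is given, so a final
    block shorter than 16 bytes (an unpadded client) decodes the same way.
    """
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(block, key))
        out += chunk
        prev = chunk if encoding else block   # always chain on the ciphertext
    return bytes(out)


def encode_user_password(password, secret, authenticator, pad=True):
    """Encode as a compliant client does (pad=True) or a sloppy one (pad=False)."""
    if pad:
        target = max(16, ((len(password) + 15) // 16) * 16)
        password = password.ljust(target, b"\x00")
    return _xor_stream(secret, authenticator, password, encoding=True)


def decode_user_password(encoded, secret, authenticator):
    """Recover the cleartext; trailing NUL padding is removed."""
    if len(encoded) > 128:
        raise MalformedPacket("User-Password longer than 128 octets")
    return _xor_stream(secret, authenticator, encoded, encoding=False).rstrip(b"\x00")


def extract_credentials(payload, secret, authenticator):
    """Pull (User-Name, decoded User-Password) out of an Access-Request body."""
    attrs = dict(parse_attributes(payload))
    if USER_PASSWORD not in attrs:
        raise MalformedPacket("no User-Password attribute")
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    return user, decode_user_password(attrs[USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    # Constructed sample: the secret and authenticator are arbitrary.
    secret, authenticator = b"testing123", bytes(range(16))
    unpadded = encode_user_password(b"hunter2", secret, authenticator, pad=False)
    body = build_attribute(USER_NAME, b"fred\x00") + build_attribute(USER_PASSWORD, unpadded)
    print(extract_credentials(body, secret, authenticator))  # ('fred', b'hunter2')
```

The tolerance is deliberately one-sided: the server decodes whatever the client sent, but still caps User-Password at the 128 octets the RFC allows and refuses attributes whose Length cannot be honoured, so a malformed packet costs one exception rather than unbounded memory.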
Revision 2.8 (7/5/98)
- Added IPASS authentication. Supports both outbound and inbound authentication and accounting with iPASS
- Added Simultaneous-Use check item for users, which can be either an integer or a filename that contains an integer.
- Added real interrogation of NASs for Simultaneous-Use verification, similar to Cistron. New Client config parameter NasType added. New global config parameters SnmpgetProg, FingerProg PmwhoProg, LivingstonMIB, LivingstonOffs and LivingstonHole added.
- Revamped the SQL accounting table specification to be more regular and scalable. Now specify one or more AcctColumnDef lines to specify the attributes to be stored, the column names to store them in and optionally a data type. Thanks to Phil Freed for the original idea and code.
- Most check items can now be perl regular expressions too.
- Attribute-value parser is smarter: can now have embedded commas and escaped double quotes inside check and reply items
- Added Time check item to support multiple time bands on different days like: Time = “MoTuWe0800-1530,Wk2200-0400”
- Added more debugging info
- Added new Fork parameter which forces authentication modules to fork before handling the request. Use with care.
- Added -timeout argument to radpwtst
- Tested ODBC with Oracle and Sybase on Solaris with Intersolve DataDirect ODBC manager and Microsoft SQL 6.5 on NT.
- Testing with the latest version of DBD for mSQL and mysql from Msql-Mysql-modules-1.1828. Older versions named like DBD-mSQL-0.65 did not work properly when getting the names of fields from a select which would break the new accounting table behaviour in AuthSQL.pm
- Added Client DefaultRealm for handling realmless requests on the basis of which NAS they arrived on. Thanks to Phil Freed for the code.
- Added Table of Contents in reference manual.
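An added example, not Radiator's code, of parsing and evaluating the Time check item syntax shown above ("MoTuWe0800-1530,Wk2200-0400"). The page only shows the Mo, Tu, We and Wk day tokens; the full token set used here (Th, Fr, Sa, Su, plus Al for every day), the half-open interval (start inclusive, end exclusive) and the rule that a band whose end is earlier than its start runs past midnight into the following day are this example's assumptions.

```python
"""Parse a Time check item and test a datetime against it
(added example, not Radiator code)."""
import re
from datetime import datetime

# Assumed token set: only Mo, Tu, We and Wk appear on the page.
DAY_TOKENS = {
    "Mo": (0,), "Tu": (1,), "We": (2,), "Th": (3,), "Fr": (4,), "Sa": (5,), "Su": (6,),
    "Wk": (0, 1, 2, 3, 4),          # weekdays
    "Al": (0, 1, 2, 3, 4, 5, 6),    # every day
}
_TOKEN = re.compile(r"Mo|Tu|We|Th|Fr|Sa|Su|Wk|Al")
_BAND = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Al)+)(\d{4})-(\d{4})$")


def _to_minutes(hhmm):
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    if minute > 59 or hour > 24 or (hour == 24 and minute != 0):
        raise ValueError(f"bad time of day {hhmm!r}")
    return hour * 60 + minute


def parse_time_item(spec):
    """Turn 'MoTuWe0800-1530,Wk2200-0400' into [(days, start, end), ...],
    days as a frozenset of datetime.weekday() values, times in minutes."""
    bands = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        match = _BAND.match(raw)
        if not match:
            raise ValueError(f"bad Time band {raw!r}")
        days = frozenset(d for tok in _TOKEN.findall(match.group(1))
                         for d in DAY_TOKENS[tok])
        bands.append((days, _to_minutes(match.group(2)), _to_minutes(match.group(3))))
    return bands


def time_allowed(spec, when):
    """True if `when` (a datetime) falls inside any band of `spec`."""
    minute = when.hour * 60 + when.minute
    today = when.weekday()
    yesterday = (today - 1) % 7
    for days, start, end in parse_time_item(spec):
        if start < end:
            if today in days and start <= minute < end:
                return True
        else:
            # Band wraps past midnight: the late part belongs to the listed
            # day, the early part to the morning after it.
            if today in days and minute >= start:
                return True
            if yesterday in days and minute < end:
                return True
    return False


def allowed_at(spec, iso_timestamp):
    """Convenience wrapper: allowed_at("Wk2200-0400", "2024-01-06T02:00")."""
    return time_allowed(spec, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    spec = "MoTuWe0800-1530,Wk2200-0400"
    print(allowed_at(spec, "2024-01-06T02:00"))  # True: Friday's band spills into Saturday
```

Note that the evaluation is done in the server's local clock, not the NAS's; if your NASs sit in another time zone, convert the request time before calling time_allowed, otherwise the 22:00-04:00 band will be applied at the wrong hours.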
Revision 2.7 (18/4/98)
- Added AuthBy EXTERNAL, which allows requests to be handled by an external program whose command line you can specify.
- Added chaining of AuthBy modules: You can now specify more than one AuthBy clause for a Realm, and it will try each one in turn until one succeeds (ie returns other than IGNORE). This is especially good for recording proxied accounting requests to SQL.
- AuthBy handlers can now return CHALLENGE for an Access-Request, which will cause an Access-Challenge to be replied.
- Testing with Sybase, created a sybaseCreate.sql. Documentation for Sybase.
- Applied patches from Steve Davies to fix interop problem with Merit 3.5.6. Thanks Steve.
- Latest version of USR dictionary.
- Handling of Group check items now conforms to Lucent and Cistron behaviour: for cascaded UNIX modules the /etc/group file is checked. The old behaviour that checked for the Group in the reply items is not supported now. Added new GroupFilename to UNIX module.
- Added Group handling to NT module: it uses LocalGroupIsMember to determine whether the user is in a Group if a Group check item is specified. Documentation and faq entry.
- Added buildsql utility, which can create and update an SQL database from a UNIX password file (DBM file or flat files coming soon).
Revision 2.6 (5/4/98)
- Added Windows NT authentication.
- Added support for Ascend abinary type attributes, as used in Ascend-Data-Filter and Ascend-Call-Filter, both in and out. Includes the new IPX filter support.
- Added support for USR/3COM vendor-specific attributes
- Updates to some dictionaries
- The value for VENDORATTR in dictionaries can now be hex or decimal.
- Radius.pm now uses main::log consistently
- Fixed memory leak in Select that affected timeouts.
Revision 2.5 (28/3/98)
- Added CGI script for usage summaries of accounting logs, including drill-down to per-user and per-session details. Useful for billing summaries, or for investigating service problems.
- Removed code from builddbm that made it grow in size according to how many users in the database. It now stays the same size, regardless of how many users.
- FAQ was missing from distribution
- radpwtst now increments session_id after each Accounting Stop
- Minor changes to dictionary for ascend compatibility
- Added support for multiple databases and fallback to SQL
- Fixed bug that prevented StripFromReply working properly
- Fix interoperation problem with Merit: if we reply with Proxy-State but not Proxy-Action, Merit might crash. Now we reply with Proxy-Action if it is present in the request.
Revision 2.4 Production Release (14/3/98)
- Added StripFromRequest, AddToRequest, StripFromReply, AddToReply to AuthBy RADIUS.
- Radpwtst: fixed bug on Linux which prevented waiting for replies if an ICMP bad port message arrives.
- Added %t for current time in special formatting characters
- Ensured detail file output is Radius compliant by quoting strings.
- Improved and enlarged documentation.
Revision 2.3 (6/3/98)
- Fixed bug that made users fall through to DEFAULT if they existed but authentication failed, even if Fall-Through not set.
- Add time-of-day blocking with Block-Logon-Until and Block-Logon-From check items.
- Added PDF documentation.
- Improved level of DEBUG detail produced when authentication fails. Makes debugging authentication much easier.
- Added Graphical User Interface option to radpwtst. Test your server configuration with the click of a button on Unix. (not quite working on PC yet).
Revision 2.2 (1/3/98)
- Fixed bug in LDAP that causes it to always authenticate if the case of the password attribute is not correct.
- Improved error reporting in radpwtst if no dictionary found.
- Major rationalisation of Auth* hierarchy. There is now a common superclass AuthGeneric that all Auth modules should inherit from.
- Added DEFAULT user handling with Fall-Through. Multiple DEFAULT entries are handled. DEFAULT entries are processed in order until one is found that matches and does not have Fall-Through set to yes. Works for FILE, DBFILE, LDAP, SQL.
- Added handling of Auth-Type check items, which passes authentication to another AuthBy module named with an Identifier parameter. You can therefore cascade from FILE to UNIX to be compatible with other servers or from say FILE to RADIUS to ensure some reply items always go to the NAS irrespective of a downstream server's setup. This is a very deep and versatile feature.
Revision 2.1 Beta (7/2/98)
- Beta revision for external testing
Revision 1.9 (20/1/98)
- Internal alpha testing