We are pleased to announce the release of Radiator version 4.19

This version contains new features and bug fixes described below. The main enhancements are a fix for a memory leak and logging and debugging enhancements for unfinished EAP and other authentications.

As usual, the new version is available to current licensees
and evaluators from:

Licensees with expired access contracts can renew at:

An extract from the history file
https://www.open.com.au/radiator/history.html is below:


Revision 4.19 (2017-06-29) new features and bug fixes

      Selected compatibility notes, enhancements and fixes

Fixed a memory leak in TLS based EAP methods. This affected configurations that disable session resumption.

Unfinished EAP authentications are now logged

Ignored authentications are now available for AuthLog logging

      Known caveats and other notes

PEAP session resumption sometimes fails on Windows and reverts back to
full authentication. A fix is known and planned for future releases.

Initial testing with OpenSSL 1.1.0. EAP-FAST is not yet functional.

      Detailed changes

Enhanced log messages generated by TLS based EAP methods. More details are now logged and available with AuthLog reason information.

Added two new Context module functions. fetch returns an existing context and resets its timeout; if there is no existing context, it returns nothing. timeout_callback sets a callback function for a context that is called when the context times out.

Enhanced EAP logging: EAP authentications that do not finish are now logged both to Radiator log and authentication log. Authentication log entries are logged as rejected authentications. Suggested by David Zych et al.

EAP contexts are now freed when the authentication finishes instead of always waiting for context timeout

TLS based EAP methods were leaking memory when EAPTLS_SessionResumption was disabled. This option is enabled by default.

Added VENDOR Airespace 14179 VSA Airespace-IPv6-ACL-Name to dictionary

Application was misspelled in DiaAttrList::REDIRECT_HOST_USAGE_REALM_AND_APPLICATION and Diameter application name 'SIP Application'

Fixed AuthBy SIP2 that rejected both valid and invalid authentication attempts with EAP-GTC. Enhanced SIP2 logging and updated AuthBy SIP2 to more reliably handle unsupported EAP methods.

An error message is now logged when quote method is called for a module that is not a SqlDb. Single quotes are now stripped from quoted value. Any custom modules that log this message need to be fixed to use a correct SqlDb derived module when calling quote.

Added support for polling a message queue in Gossip. Added a new configuration sample radius-dynauth.cfg in goodies that uses AuthBy DYNAUTH to send RADIUS dynamic authentication requests. Handler.pm now passes reference to result reason to replyFn it calls. Minor fixes to trace id passing and Gossip.

New check items RecvPort, RecvAddress and RecvName match requests based on the local port or address. For example, if Radiator listens on Radius port 1645 and 1812, <Handler RecvPort=1645> selects only those requests that were received by port 1645.

Enhanced Monitor for integrating with other systems. Implemented the following Monitor commands:
ASCII: change both object and line separators to "\n"
DEFAULT: change both object and line separators back to their default values ASCII SOH and NUL, respectively
GET: Get a single attribute from an object
With the kind assistance of Kilian Krause

Fixed a crash in SessionDatabase REDIS simultaneous use check

Updated Gossip encryption documentation, logging, invalid key handling and changed key index 0 to reserved.

StatsLog proxiedNoReply counter is now incremented for Hosts within AuthBy RADIUS and RADSEC and their derived clauses. Previously the counter was incremented only for the AuthBy after all retries had been exhausted. Status-Server timeouts do not increment Host proxiedNoReply counter.

All AuthLog clauses now support LogIgnore flag parameter. This parameter defaults to not set and when set, allows logging ignored authentication attempts. An attempt is typically ignored when a user database fails or Radiator cannot return a definitive answer for some other reason. Proxied requests that return immediate ignore are not logged because a reply with final result is expected later.

Fixes to GossipUDP server farm and peer discovery messaging

When User or Group global parameter is set, both effective and real user or group id is set instead of just effective ids.

Fixed a problem where advanced debugging, for example with Monitor's trace predicates, could cause a crash.

DynAuthPort in Client now defaults to not set instead of 3799. This allows clauses such as AuthBy DYNAUTH to provide a per request value that is not overwritten by Client's DynAuthPort.

radiusd now supports multiple -I command line parameters.

Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
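
A check for the User/Group change listed in the detailed changes, as an added example (not Radiator code and not part of the original announcement): it reads the real and effective ids of a process from Linux /proc/<pid>/status text and reports any that do not match the intended service account. The function names, the sample status text and the id 998 are constructed for illustration.

```python
import re

def parse_ids(status_text):
    """Return {'Uid': (real, effective, saved, fs), 'Gid': (...)} parsed
    from the text of a Linux /proc/<pid>/status file."""
    ids = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            ids[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4, 5))
    missing = {"Uid", "Gid"} - ids.keys()
    if missing:
        raise ValueError("status text lacks: " + ", ".join(sorted(missing)))
    return ids

def audit_drop(status_text, expected_uid, expected_gid):
    """Return a list of findings; an empty list means the real and
    effective user and group ids all equal the expected account."""
    findings = []
    ids = parse_ids(status_text)
    for kind, expected in (("Uid", expected_uid), ("Gid", expected_gid)):
        real, effective = ids[kind][0], ids[kind][1]
        if effective != expected:
            findings.append(f"{kind}: effective id {effective}, expected {expected}")
        if real != expected:
            findings.append(f"{kind}: real id {real}, expected {expected}")
    return findings

# Constructed samples, not captured from a real server. 998 is a made-up
# service account id. The first shows only the effective ids changed,
# the second shows both real and effective ids changed.
ONLY_EFFECTIVE = "Name:\tradiusd\nUid:\t0\t998\t0\t998\nGid:\t0\t998\t0\t998\n"
REAL_AND_EFFECTIVE = (
    "Name:\tradiusd\nUid:\t998\t998\t998\t998\nGid:\t998\t998\t998\t998\n"
)

if __name__ == "__main__":
    for label, text in (("only effective", ONLY_EFFECTIVE),
                        ("real and effective", REAL_AND_EFFECTIVE)):
        print(label, "->", audit_drop(text, 998, 998) or "ok")
```

A process that keeps root as its real id can switch its effective id back to root, so a real-id finding means the privilege drop is reversible. On a live host, pass in the contents of /proc/<pid>/status for the radiusd process.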