We are pleased to announce the release of Radiator version 4.20
This version contains enhancements, new features, security and other fixes described below.

As usual, the new version is available to current licensees and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.20 (2018-02-28) new features, security and bug fixes

Selected compatibility notes, enhancements and fixes

- Support for OCSP and OCSP stapling for EAP-TLS, RadSec and other Stream based modules.
- Improvements to Stream connection handling.
- TACACS+ AuthorizeGroup matching was extended.
- Check items now check all instances of the named attribute.
- Updates to TLS based EAP method client certificate checks, including partial chain support and default CA use.
- Updates to AddressAllocator DHCP.
- Updated VENDOR 388 Symbol attribute names in the default dictionary.
- Improved LDAP module failure backoff and certificate verification.
- Handler and AuthBy GROUP updates for better asynchronous and challenge handling.
- Airespace-QoS-Level dictionary definitions were updated. The updated values are incompatible with the old values.
- PEAP supports inner authentication after session resumption. Value 2 for reused, as demonstrated in eaptls_resume_post_auth_hook.pl, is now possible.
- Multiple updates to EAP, EAP-pwd and other EAP methods. See below for more details.
- Security fix for certificate validation for EAP-TLS and TLS-based Stream modules such as RadSec. PEAP and EAP-TTLS with unusual configurations are also affected. OSC recommends that users review OSC security advisory OSC-SEC-2018-01: https://www.open.com.au/OSC-SEC-2018-01.html

Known caveats and other notes

- Initial testing is done with OpenSSL 1.1.1 development versions. OpenSSL 1.1.1 is not recommended with Radiator yet.

Detailed changes

Connection state is now correctly reset when streams are reconnected after a disconnect. Affects Diameter, RadSec and other Stream.pm based modules where incorrect connection state after reconnect caused lost messages and eventual connection timeouts.

Connection buffers for pending incoming, outgoing and TLS data, and any TLS session, are now cleared during reconnect. This affects Diameter, RadSec and other Stream.pm based modules.

goodies/generate-totp.pl can now be used for generating TOTP tokens in plain ASCII without generating QR code images.

ServerTACACSPLUS AuthorizeGroups can now include extra checks which can be used to differentiate actions (permit/permitreplace/deny) and/or reply attributes based on the TACACS+ client's Client-Identifier, address (peeraddr) or any RADIUS attribute from the Access-Accept. Updated configuration sample tacacsplusserver.cfg in goodies.

Added support to user and Handler check items for checking all instances of the named attribute for a match. If an attribute is present multiple times, all its instances are considered during matching. For example, <Handler OSC-Group-Identifier=B, OSC-Group-Identifier=A> matches when OSC-Group-Identifier is present at least twice with the two values. With the kind help of Alexander Hartmaier.

Added a new configuration parameter RejectReason to Handler and AuthBy. When configured for a Handler, RejectReason sets the default string to use as the Reply-Message for Access-Reject. When configured for an AuthBy, it sets the reason for AuthLog logging and the Access-Reject Reply-Message if the enclosing Realm or Handler has RejectHasReason enabled.

Improved AuthBy DUO's REST API failure handling.

EAP success is now correctly replaced with an EAP failure when a request is first accepted by an EAP AuthBy but later rejected, for example, by a hook or another AuthBy.

Introduced new special format variables: RequestAttrs, OuterRequestAttrs and ReplyAttrs.
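The generate-totp.pl item above concerns producing the plain ASCII one-time token. As an added example written for this page (not the goodies script and not Radiator code), here is the RFC 4226 HOTP / RFC 6238 TOTP computation such a generator performs, together with the server-side check that accepts one step of clock skew. The demo secret is the RFC test key, constructed here for illustration; the base32 form is what a QR code would carry.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero pad to a fixed width."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, digits: int = 6, step: int = 30,
         t0: int = 0, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor((time - T0) / step)."""
    return hotp(secret, (for_time - t0) // step, digits, digestmod)


def totp_from_base32(secret_b32: str, for_time: int, **kw) -> str:
    """Secrets are usually shared as base32 (the same form encoded into QR codes);
    tolerate missing padding and spaces as provisioning tools often emit them."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp(base64.b32decode(cleaned), for_time, **kw)


def verify_totp(secret: bytes, token: str, for_time: int, skew_steps: int = 1, **kw) -> bool:
    """Accept the token for the current step and +/- skew_steps neighbours, using a
    constant-time comparison. A real server must additionally remember the last
    accepted step per user and refuse it again, otherwise a captured token can be
    replayed for the rest of the window."""
    step = kw.get("step", 30)
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, for_time + delta * step, **kw)
        if hmac.compare_digest(candidate, token):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); never reuse test secrets in production.
    demo_b32 = base64.b32encode(b"12345678901234567890").decode()
    print(totp_from_base32(demo_b32, int(time.time())))
```

The expected values for the RFC test key are the published RFC 4226 and RFC 6238 vectors, so the functions can be checked against them before trusting the output against a production token.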
These variables return a string containing all instances of the named attribute separated by a comma.

Added a new configuration parameter AddExtraCheck to Handler and AuthBy to make adding extra check items, such as Group check, easier.

AuthByPolicy now supports the new value ContinueUntilRejectOrChallenge.

EAP-TLS supports a new hook EAPTLS_CertificateVerifyFailedHook which runs when the TLS library calls verify_callback with preverify_ok set to false. The return value from the hook decides whether certificate verification should continue or not. WARNING: This hook should only be used in special cases and can cause security issues: a hook that returns true accepts a verification step the TLS library has already rejected. See the reference manual for details.

Added VENDOR Wi-Fi Alliance 40808 VSAs to the dictionary.

Radiator now supports a framework for packing and unpacking complex RADIUS vendor specific attributes. For example, many 3GPP attributes have encodings that can not be represented with the RADIUS attribute types. The framework supports vendor specific modules with methods that are called based on how the complex attributes are defined in the RADIUS dictionary.

Improvements to RADIUS and RadSec Status-Server polling: Only one probe can be active at a time to make sure multiple probes are not sent when there are connectivity or other problems. Polling is now disabled for RadSec when the transport connection is not up.

When there are multiple Hosts in AuthBy RADIUS, NoReplyReject takes action after all hosts have been tried. Improved logging when proxied requests time out.

Updated the NoCheckPassword option to cover EAP-MD5 and more authentication methods.

Fixes and enhancements to MessageLog FILE text2pcap format command line hints: Ports and addresses are now in the correct order and include a time format specifier. Log line time format is now seconds.microseconds where microseconds are zero padded. Special format %2 for the Filename parameter is now correctly set to the default value of 'none' when the Encoding configuration parameter is not set.
Help and suggestions for text2pcap changes by Karl Gaissmaier. Thanks Charly.

Internal changes to how information is stored in request and reply objects. Changed ValidTo and other similar information to use this storage. Special formatting variables ReplyVar and RequestVar now get their named parameter values from this internal storage.

Special values 'until Expiration' and 'until ValidTo' for the Session-Timeout reply item now work correctly with EAP-MSCHAPV2.

Diameter peer connection initialisation sometimes opened a second connection to a peer instead of using an existing connection.

Message-Authenticator fixes: AddToRequest and similar methods now automatically set the attribute length and allow adding only one instance. When a proxied request already contained a Message-Authenticator with an incorrect length, the attribute was re-added with correctly calculated content but with the incorrect length value. The length of a received Message-Authenticator must now match exactly; previously only the content was checked.

Log SYSLOG now supports the LogFormat configuration parameter, similar to Log FILE.

Fixed a bug where the tracing identifier was not available in Log clauses that were configured inside other clauses.

AuthBy RADSEC and ServerRADSEC can now write outgoing messages to MessageLog. Reported by Karl Gaissmaier.

The Status-Server timeout value for AuthBy RADIUS and AuthBy RADSEC can now be set separately with the KeepaliveNoreplyTimeout configuration parameter. Suggested by Karl Gaissmaier.

Improved logging when Stream modules experience connection errors.

MessageLog FILE could crash if the Format configuration parameter was unspecified.

Diameter message logging did not log the remote IP and port correctly in some rare cases when the remote end closed the connection and the local process was, for example, stopped.

Added new SessionDatabaseOptions value NoDeleteOnSessionStop that tells Radiator to do a session database update operation instead of a delete. This allows keeping session information when an accounting stop is received.
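The Message-Authenticator item above says the received attribute length must now match exactly, not just the HMAC content. As an added example (written for this page, not Radiator's own Perl code), here is an RFC 2869 Message-Authenticator signer and a strict verifier for an Access-Request: exactly one instance, a length field of exactly 18, and an HMAC-MD5 over the packet with the 16 value bytes zeroed. The shared secret, request authenticator and attributes are constructed sample data, not captured traffic.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MA_ATTR_LENGTH = 18          # 2-byte type/length header + 16-byte HMAC-MD5


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a RADIUS packet; attrs is a list of (type, value) pairs."""
    assert len(authenticator) == 16
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def iter_attributes(packet: bytes):
    """Yield (offset, type, length, value); raise ValueError on any framing problem."""
    if len(packet) < 20:
        raise ValueError("packet shorter than header")
    total = struct.unpack("!H", packet[2:4])[0]
    if total != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < total:
        if total - pos < 2:
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("bad attribute length")
        yield pos, t, length, packet[pos + 2:pos + length]
        pos += length


def sign_request(code, identifier, authenticator, attrs, secret: bytes) -> bytes:
    """Append Message-Authenticator as the last attribute: HMAC-MD5(secret, packet)
    computed with the 16 value bytes zeroed, then patched in (RFC 2869 section 5.14)."""
    placeholder = (MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = build_packet(code, identifier, authenticator, attrs + [placeholder])
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if exactly one Message-Authenticator is present, its length field is
    exactly 18 and the HMAC matches. Framing errors are a failure, not an exception."""
    try:
        found = [(pos, length, value) for pos, t, length, value in iter_attributes(packet)
                 if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1:
        return False
    pos, length, value = found[0]
    if length != MA_ATTR_LENGTH:      # the strict check: 17 or 19 is rejected regardless of content
        return False
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + MA_ATTR_LENGTH:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


# Constructed sample data for the example; a real client uses 16 random authenticator bytes.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
IDENTITY = b"alice@example.com"
ATTRS = [(USER_NAME, IDENTITY),
         # EAP Response/Identity: code 2, id 1, length 5 + len(identity), type 1
         (EAP_MESSAGE, bytes([2, 1, 0, 5 + len(IDENTITY), 1]) + IDENTITY)]


def example_request() -> bytes:
    return sign_request(ACCESS_REQUEST, 7, AUTHENTICATOR, ATTRS, SECRET)


def example_request_bad_length() -> bytes:
    """Same HMAC prefix, but the attribute is declared with length 17 (15 value bytes)."""
    mac15 = example_request()[-16:-1]
    return build_packet(ACCESS_REQUEST, 7, AUTHENTICATOR, ATTRS + [(MESSAGE_AUTHENTICATOR, mac15)])


if __name__ == "__main__":
    print("valid:", verify_message_authenticator(example_request(), SECRET))
    print("bad length:", verify_message_authenticator(example_request_bad_length(), SECRET))
```

Rejecting on the length field before looking at the content keeps the parser from ever reading a 16-byte MAC out of a shorter or longer attribute, which is the class of inconsistency the release note describes.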
Added wrap-text2pcap.pl to goodies for processing MessageLog FILE text2pcap formatted files. Written by Karl Gaissmaier.

New module AuthBy RATELIMITSOURCE allows limiting the maximum number of messages per time window for a source. Two policers with different source selection, bucket number, rate and time window parameters allow setting limits for single sources and aggregates. Sample configuration in ratelimitsource.cfg is in goodies.

AuthBy LDAP2 UnbindAfterServerChecksPassword, when used with HoldServerConnection, did an LDAP unbind but did not clear the binding state correctly, causing an LDAP error on the subsequent query.

Renamed AuthBy RADIATORLB to AuthBy RADIATORPROXY and added support for statically configured Host and RadiatorProxy clauses.

Added optional configuration parameters DynAuthPort and DynAuthSecret to AuthBy RADIUS Host clauses as a basis for RADIUS dynamic authorization (dynauth) support.

Improved debugging support in SNMPAgent. The SNMP community string is now logged as **obscured** unless Trace is set to 5. Added port information and updated log message formatting. Added support for the new PacketTrace flag configuration parameter to log received and sent SNMP messages in human-readable form. Note that PacketTrace logs the community in plain text.

Log SYSLOG now uses setlogsock() as much as possible instead of setting the log host directly. Improved detection of setlogsock() capabilities and added error checking for setlogsock calls. Problems with syslog calls are now printed to STDERR too.

Updated LogFormat.pm CEF and JSON accounting log formatters to work correctly when called from AcctLog's LogFormatHook. Previously only Handler's AcctLogFileFormatHook worked correctly. Updated the CEF accounting format to use 'Accounting received' as the event name when logging accounting before it's handled.

radpwtst now logs in more detail replies that have an unexpected message type and EAP message combination.

Updated GlobalMessageLog to support RadSec as a separate protocol from RADIUS.
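The AuthBy RATELIMITSOURCE item above describes two policers, each with its own source selection, bucket number, rate and time window. As an added example (written for this page, not the Radiator module, whose parameter names and internals are not shown here), this is one way to build that: a per-source policer whose sources are hashed into a fixed number of buckets, an aggregate policer with a single bucket, and a combined decision that only consumes budget when every policer accepts. The rates, windows and the request stream are hypothetical values constructed for the demonstration; time is passed in explicitly so the result is deterministic.

```python
import zlib


class Policer:
    """Fixed-window counter per bucket. Sources are hashed into `buckets` slots, so
    with fewer buckets than sources some sources share a limit: the bucket number
    trades bounded memory against per-source precision."""

    def __init__(self, name, key_func, buckets, rate, window):
        self.name = name
        self.key_func = key_func      # request -> source key (str)
        self.buckets = buckets
        self.rate = rate              # max messages per window per bucket
        self.window = window          # seconds
        self.state = {}               # bucket -> (window_start, count)

    def _bucket(self, request):
        # crc32 rather than hash(): Python's str hash is randomised per process
        return zlib.crc32(self.key_func(request).encode()) % self.buckets

    def _current(self, bucket, now):
        start, count = self.state.get(bucket, (now, 0))
        if now - start >= self.window:
            return now, 0             # window expired: fresh counter
        return start, count

    def would_exceed(self, request, now):
        _, count = self._current(self._bucket(request), now)
        return count + 1 > self.rate

    def record(self, request, now):
        bucket = self._bucket(request)
        start, count = self._current(bucket, now)
        self.state[bucket] = (start, count + 1)


class RateLimitSource:
    def __init__(self, policers):
        self.policers = policers

    def allow(self, request, now):
        """Return (accepted, name of the rejecting policer or None). Counters are only
        incremented when all policers accept, so a message dropped by the per-source
        policer does not also burn aggregate budget."""
        for p in self.policers:
            if p.would_exceed(request, now):
                return False, p.name
        for p in self.policers:
            p.record(request, now)
        return True, None


def build_limiter():
    # Hypothetical limits: 3 messages / 10 s per NAS address, 5 messages / 10 s overall.
    per_source = Policer("per-nas", lambda r: r["client_ip"], buckets=1 << 20, rate=3, window=10)
    aggregate = Policer("aggregate", lambda r: "all", buckets=1, rate=5, window=10)
    return RateLimitSource([per_source, aggregate])


def run_scenario():
    """Constructed request stream of (time, client_ip); returns the decision per message."""
    stream = [(0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.1"), (3, "10.0.0.1"),
              (4, "10.0.0.2"), (5, "10.0.0.2"), (6, "10.0.0.3"), (11, "10.0.0.1")]
    limiter = build_limiter()
    return [limiter.allow({"client_ip": ip}, t) for t, ip in stream]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

In the scenario the fourth message from 10.0.0.1 is dropped by the per-source policer, the message from 10.0.0.3 is dropped by the aggregate policer although that source itself is under its limit, and 10.0.0.1 is accepted again once its window has expired. A fixed window allows up to twice the rate across a window boundary; a sliding window or token bucket tightens that at the cost of more state per bucket.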
MessageLog clauses now support LogSelectHook which allows selecting which messages to log in case not all messages need to be logged. Updated the configuration sample logformat.cfg in goodies. Help and suggestions by Karl Gaissmaier.

TACACS+ is now supported by MessageLog clauses.

Added Radius::Nas::Generic class which implements two translate/extract functions: one to unify MAC address formats and extract a possible SSID, and the other to extract the realm from different username formats. Updated vsa-translate.cfg in goodies.

AuthBy SIP2 now supports two new configuration options: Retries and FailureBackoffTime. Timeout handling was also improved, but does not work when Radiator is run on Windows.

TLS_Ciphers is now correctly initialized with a default value in DiaClient.

Enhanced client certificate verification options for TLS based EAP methods with new configuration flag parameters:

EAPTLS_CAPartialChain enables X509_V_FLAG_PARTIAL_CHAIN support, available since OpenSSL 1.0.2. With this flag a chain that ends at a configured intermediate CA is accepted without the root CA being present in the trust store.

EAPTLS_UseCADefaultLocations specifies that the default locations from which CA certificates are loaded should be used. This was always enabled in previous Radiator versions but is now turned off by default, so only the CAs explicitly configured with EAPTLS_CAFile or EAPTLS_CAPath are trusted for client certificates unless this flag is set.

EAPTLS_NoClientCert disables loading of any CA certificates for client certificate verification. This allows simplifying PEAP and EAP-TTLS configuration when client certificates are not requested with EAPTLS_RequireClientCert. When EAPTLS_NoClientCert is enabled, EAPTLS_CAFile, EAPTLS_CAPath, EAPTLS_CAPartialChain and EAPTLS_UseCADefaultLocations are not used and need not be configured.

Partial chain support suggested by Philip Brusten.

Enhanced client certificate verification options for Stream TLS classes, such as RadSec and Diameter, with new configuration flag parameters: TLS_CAPartialChain, TLS_UseCADefaultLocations and TLS_NoClientCert work similarly to, and have the same defaults as, their recently added EAPTLS_ counterparts.
TLS_NoClientCert will not be supported by all StreamServer clauses. Initial support is added for Monitor and ServerHTTP, which use it for turning off all client certificate checks.

Updated test.pl to complain first about missing mandatory modules. Enhanced test output and added usage with MSCHAP testing hints.

ServerTACACSPLUS now supports the Prompt reply attribute for turning off the noecho flag in TACACS+ authentication replies. This allows hinting to the TACACS+ client that it should echo the user's response as it's entered. Updated radpwtst, tacacsplustest and diapwtst to honour the Prompt attribute to turn on local echo for password challenges. The default is to always turn off echo.

Fixed incorrect EAP-GTC length calculation in diapwtst responses.

Updated tacacsplustest to display the server's message for interactive authentications.

Updates to RADIUS tagged string handling: attributes with dictionary type tagged-string, for example Tunnel-Private-Group-ID, are now decoded so that tag value 0 is ignored. When encoding, tag 0 is only added when it is explicitly defined; a tag with value 0 is no longer implicitly added. Tag values outside the range 0 to 31 are now encoded as part of the value. For this reason Radiator no longer displays tag 0, or proxies tag 0 by default, for tagged-string type attributes. Tag values outside the range 0 to 31 for Tunnel-Password and other attributes with dictionary flag has_tag are encoded as part of the actual value with the tag set to 0. Tag value 0 for Tunnel-Password is now ignored during decode. New formatter %{UntaggedVal:attribute} returns the named attribute from the current request without the possible tag.

Updates to AddressAllocator DHCP: The Subnet Selection Option is no longer required. If the configuration has no SubnetSelectionOption set, no SSO is required in the DHCP request. Added support for configuration parameters DHCPHostName and DHCPVendorClass for setting DHCP options 12 'Host Name' and 60 'Class Identifier', aka Vendor Class Identifier, respectively.
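The tagged string item above applies the RFC 2868 rules: a leading byte of 1 to 31 is a tag, 0 is an explicit "no tag" byte, and anything above 0x1F is the first byte of the value. As an added example (written for this page, not Radiator's dictionary or attribute code), here is an encoder and decoder for tagged-string attributes such as Tunnel-Private-Group-ID with exactly that behaviour, an equivalent of the %{UntaggedVal:attribute} formatter, and a helper that groups several tagged instances by tag so the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID that belong to one tunnel can be matched up. Tunnel-Password is not covered: it is salt-encrypted and needs the shared secret and request authenticator on top of the tag handling shown here. All sample values are constructed.

```python
TAG_MAX = 0x1F   # RFC 2868 section 3.6: a first byte above 0x1F is data, not a tag


def decode_tagged_string(raw: bytes):
    """Return (tag, value). tag is None when the attribute is untagged.
    A leading 0x00 is an explicit 'no tag' byte and is dropped (the decode rule
    described in the release note); a leading byte above 0x1F belongs to the value."""
    if not raw:
        return None, b""
    first = raw[0]
    if first == 0:
        return None, raw[1:]
    if first <= TAG_MAX:
        return first, raw[1:]
    return None, raw


def encode_tagged_string(value: bytes, tag=None) -> bytes:
    """tag None: no tag byte at all (the new default). tag 0: an explicit untagged
    byte, only emitted when asked for. A value whose first byte is <= 0x1F cannot be
    sent untagged unambiguously, so it must be sent with tag=0."""
    if tag is None:
        if value and value[0] <= TAG_MAX:
            raise ValueError("value starts with a byte <= 0x1F; send it with tag=0")
        return value
    if not 0 <= tag <= TAG_MAX:
        raise ValueError("tag must be in the range 0..31")
    return bytes([tag]) + value


def untagged_value(raw: bytes) -> str:
    """Equivalent of the %{UntaggedVal:attribute} formatter: the value without any tag."""
    return decode_tagged_string(raw)[1].decode("utf-8", "replace")


def display(raw: bytes) -> str:
    """tag:value for tagged instances, bare value otherwise (tag 0 is never shown)."""
    tag, value = decode_tagged_string(raw)
    text = value.decode("utf-8", "replace")
    return f"{tag}:{text}" if tag is not None else text


def group_by_tag(raw_values):
    """Group several instances of tagged attributes by tag. Untagged and explicitly
    tag-0 instances end up together under None."""
    groups = {}
    for raw in raw_values:
        tag, value = decode_tagged_string(raw)
        groups.setdefault(tag, []).append(value)
    return groups


if __name__ == "__main__":
    # Constructed Tunnel-Private-Group-ID values as they would arrive on the wire.
    for raw in (b"\x01vlan10", b"\x00vlan10", b"vlan10", b"10"):
        print(repr(raw), "->", display(raw))
```

The last sample, b"10", shows why tags above 0x1F must be treated as data: the VLAN ID "10" starts with 0x31, and a decoder that blindly split off the first byte would report tag 49 and value "0".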
Updated addressallocatordhcp.cfg. Refactored DHCP code shared by the DHCP address allocator and server into a common DHCP peer module. ServerDHCP is available in the Radiator Carrier pack.

DHCP User-Class option (77) is now correctly encoded. The encoding used the format from the draft instead of RFC 3004.

Updated WiMAX attributes in the default dictionary with WMF-T33-001-R022v04 definitions. WiMAX-IP-Technology is now an alias for the current name WiMAX-Network-Technology. Fixed the WiMAX-Packet-Flow-Descriptor-V2 definition. WiMAX-Home-Interface-Id-PMIP6 and WiMAX-Visited-Interface-Id-PMIP6 are now formatted as interface ids.

Updated the default dictionary with the currently found definitions for VENDOR Symbol 388. The old names are still available as aliases, but attribute decoding is now done using the new names. The latest documentation also uses the prefix WING- instead of Symbol- as the vendor prefix. To use the new prefix, create a custom dictionary as documented in the Radiator reference manual.

Updated generic session database modules, SessionDatabase REDIS and AuthBy DYNAUTH to support sending RFC 5176 dynauth requests to update or disconnect all sessions a user may have. This allows, for example, an external management entity to disconnect all sessions of a user with just a username, without knowing the number of sessions or their details.

Fixed a bug with uncommon configurations where a Handler's last AuthBy returning ASYNC prevented a possible post authentication session database update and other post auth actions from running.

Improved configuration parameter error detection and logging for TLS based Stream classes and EAP methods. Errors with configuration file parameters and CRL loading are now logged in more detail. Return values for DH parameter, ECDH curve and Policy OID settings are now correctly checked for errors.

Added ForwardHook to AuthBy RADIUS and AuthBy RADSEC and their derived classes.
ForwardHook receives the current request and the request to be forwarded as its arguments. ForwardHook is called once for each request before it is forwarded to any of the remote RADIUS or RadSec servers. This hook allows you to modify the forwarded request without changing the current request. Suggested by Jose Borges Ferreira.

Updated the Stream TLS module to load a passphrase protected TLS_PrivateKeyFile with the updated API enabled in OpenSSL 1.1.0f.

Updated the RADIUS request debug log dump so that it shows the recalculated Message-Authenticator value instead of the received or all zero value.

When sending dynauth requests to a Client, AuthBy DYNAUTH now uses the Client's configuration to set the dynauth secret and dynauth port, and calls the Client's VsaTranslateOut, VsaTranslateIn and VsaTranslationHook.

Updated EAP-FAST to work with OpenSSL 1.1.0 and later, and with LibreSSL when using Net::SSLeay 1.75 and later.

Updated goodies/rcrypt usage and environment variable use.

AuthBy RADIUS and AuthBy RADSEC now support KeepaliveRequestType and AddToKeepaliveRequest to change the probe type and contents from an empty Status-Server to any other message type with optional attributes. This allows sending, for example, Access-Request probes with User-Name and User-Password attributes. Suggested by Paul Dekkers.

TLS_CRLCheckAll worked only when configured for a Host within AuthBy RADSEC. It now works correctly as a default setting within AuthBy RADSEC and AuthBy DNSROAM.

ServerRADSEC now honours the RewriteUsername and AddToRequestIfNotExist configuration parameters. Global RewriteUsername is also honoured. Based on a suggestion by Nik Mitev.

diapwtst now supports tls_protocols, bind_address and outport command line parameters. Fixed -timeout to work as expected.

Major update to test certificates: added wildcard, expired and revoked end node certificates and three intermediate CAs. All four CAs sign all five end node certificates. Revocation lists are signed by all CAs.
The lists include a revoked end node certificate and, for the root CA, one revoked intermediate CA. Certificate contents and extensions were updated. The certificates now allow easier testing for revocations, including intermediate CA revocations, partial chains, expirations, policies and other conditions and configurations. Updated README files and included configuration files and scripts for recreating all files with desired algorithms and other settings.

Radiator's LDAP module Ldap.pm now tries connecting to each configured Host individually instead of passing all hosts directly to Net::LDAP. Trying hosts one by one allows an individual failure backoff time for each host and a working TLS certificate check based on host name. Updated ClientListLDAP and AuthBy LDAP2, LDAPDIGIPASS and LDAPRADIUS to use failure backoff for LDAP failures.

Updated AuthBy GROUP to work with AuthBys that may return ASYNC. For example, AuthBy RADIUS with the Asynchronous flag parameter enabled now works within an AuthBy GROUP. This update also contains initial work in Handler towards supporting improved functionality for AuthBy groups where an AuthBy returns CHALLENGE. In this case the next request can be directly handled by the AuthBy that replied with the challenge.

Monitor log messages now include the tracing identifier when LogTraceId is set globally or within a Monitor clause.

radiusd now supports the -no_pid_file command line option. Updated the radiator.service systemd unit configuration file in goodies to use this option and incorporated suggestions from Alexander Hartmaier and Rauno Tuul into radiator.service. Added new Radiator and logrotate configuration sample files linux-simple-config.cfg and logrotate.radiator in goodies. These three files use matching paths and other settings. linux-simple-config.cfg requires minimal, if any, modifications to work on other UNIX or BSD systems too.

Airespace-QoS-Level dictionary definitions were updated to match the current definitions used by Cisco WLC.
The old values were correct for ACS 4.1.x. The new values are used by ACS 5 and are also described in WLC configuration guides. The value names are mostly the same but the actual numeric values are different. If you need the old values, create a custom dictionary file and load it with the DictionaryFile configuration parameter.

radpwtst now supports the -no_random command line option which makes the RADIUS authenticator and the different CHAP methods use fixed values. This allows repeating tests with fixed values.

radpwtst now logs a detailed warning when an incorrect MS-CHAP2-Success is received with Access-Accept. Also fixed radpwtst and diapwtst option file whitespace handling.

TLS_Protocols and EAPTLS_Protocols now recognise TLSv1.3. TLSv1.3 is turned off by default for TLS based EAP methods and Stream based protocols, such as RadSec and Diameter. TLSv1.3 is made available for testing and future use and is not supported yet. Net::SSLeay 1.83 or later is required when using Radiator with a TLS 1.3 aware SSL/TLS library. Internal changes to the TLS code to use recently added constants and functions in Net::SSLeay.

Radiator now sets X509_V_FLAG_TRUSTED_FIRST together with X509_V_FLAG_PARTIAL_CHAIN when EAPTLS_CAPartialChain or TLS_CAPartialChain is set.

AuthBy NTLM now directly logs and rejects parameter lengths not supported by ntlm_auth.

Tunneling EAP methods, EAP-FAST, EAP-TTLS and PEAP, now support the configuration parameter EAPTLS_CopyToInnerRequest for copying attributes from the outer request to the inner request. Previously this required PreHandlerHook or a similar method.

Updated Acct-Delay-Time handling in RADIUS accounting requests: Radiator no longer adds a zero valued attribute when it's not present in the request. Acct-Delay-Time is now accessed only when needed, making proxying slightly faster. Fixed missing delay adjustment for a request when its retransmit caused a failover to the secondary host. Fixed negative adjustment reported by Vangelis Kyriakakis.
radpwtst enhancements: the -time option is now an alias for -print_stats. The -print_stats option now shows the average requests/second rate and total time. The number of requests is now clearly separated from the number of iterations because each iteration may consist of multiple requests. New option -iteration_delay sets a delay between successive iterations to help testing with different request rates.

OCSP peer certificate checking and OCSP stapling are now supported for EAP-TLS and Stream based modules such as RadSec and Diameter. Asynchronous OCSP check is supported for EAP-TLS. See sample configuration files eap_tls.cfg, radsec-server.cfg and radsec-client.cfg in the goodies directory for configuration parameters, including OCSP responder location, failure policy and response caching.

Updated RADIUS and RadSec proxying MaxFailedRequest and MaxFailedGraceTime to work better with low request rates.

Updated many EAP methods to include EAP-Failure in Access-Reject messages where it was still missing. Changed some EAP failure cases to trigger Access-Reject instead of ignoring the message. Added more checks for inner EAP-TTLS requests.

Added support for the ConsumePassword configuration parameter for AuthBys. This parameter allows shortening the password and using parts of it in multiple AuthBys as they process a request, for example, during two factor authentication. Updated duo.cfg and digipassStatic.cfg in goodies to use ConsumePassword.

Added support for the Group-Authorization check item. This check item defines the Identifier of an AuthBy to use for authorising users based on their group membership. Added configuration parameters GroupFilename to AuthBy FILE and GroupMembershipAttr to AuthBy LDAP2. Added support for Windows AD tokenGroups in AuthBy LDAP2 for group based authorisation. Added two new configuration samples in goodies: authorize-group1.cfg shows how to do LSA authentication and direct Wi-Fi users to VLANs based on their AD groups.
File authorize-group2.cfg shows how to authorise users with different administrative roles based on which Client they log in from.

Updated the Resolver clause to never use persistent TCP or UDP sockets. This uses more sockets but is required because of the lack of working support for multiple outstanding queries. This allows Radiator to work again with all Net::DNS versions. The TCPPersistent and UDPPersistent configuration parameters are now obsolete. Thanks to Fernando Reis for reporting DNS roam problems.

Stream based TLS classes, such as RadSec, now support the TLS_SubjectAltNameDNS configuration parameter. This works similarly to the existing TLS_SubjectAltNameURI parameter and is used when the subject alternative name type is DNS. Requested by Jan Tomasek.

Updated AddressAllocatorSQL to reject the request instead of allowing it to time out when AsynchronousSQL is set and allocate, update or deallocate fails. Methods confirm, deallocate and deallocate_by_nas now return reject with a reason if UpdateQuery, DeallocateQuery or DeallocateByNASQuery fails, instead of always returning accept.

AuthBy DNSROAM now passes to certificate verification the name that was looked up during DNS discovery. The name is used similarly to TLS_SubjectAltNameDNS, allowing verification based on the name instead of just the peer address. Enhanced TLS certificate verification logging for Stream based modules, including information about the DNSROAM discovered name and SRV records.

Fixed AuthBy DNSROAM to refresh the route object when rediscovering it with unchanged parameters. This fixes log messages like "AuthBy DNSROAM rediscovered the same target for ..." appearing too often.

EAP modules configured with EAPType are now loaded during configuration loading. This makes problems with module dependencies visible immediately during configuration.

PEAP now supports inner authentication after session resumption. This fixes problems seen on Windows, for example, when changing between WLANs. Reported by Jan Tomasek and others.
Disabled session resumption for TLS-based Stream modules, where it was completely non-functional.

Enabled the no renegotiation flag for TLS-based EAP methods and Stream modules.

radpwtst now adds Event-Timestamp to Accounting-Request messages.

EAP-pwd now supports RFC 2759 (NT hash) and SASLprep password pre-processing methods. These are configurable with a new parameter EAP_PWD_PrepMethod that supports the values 'NtHash' and 'SASLPrep'. See the reference manual for additional information about compatibility and module requirements. This change also adds generic support for adding additional prep methods.

Compiled Win32-Lsa for ActivePerl 5.24 and 5.26 and Strawberry Perl 5.26. 32-bit versions are no longer compiled by default. Contact us if you still need them.

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator