Hello Heikki,

Some nice improvements and fixes. I've just installed this version on our test environment and I'm seeing some strange behaviour/errors on a configuration that runs fine with 4.22-2.
On performing proxied MSCHAPv2 authentication (with both TTLS and PEAP), Radiator logs the following after receiving an 'Access-Accept' from the backend servers:

Thu Apr 11 09:56:37 2019 137963: ERR: Could not handle an EAP request: Can't locate object method "getOriginaluserNameString" via package "Radius::Radius" at /opt/radiator/radiator/Radius/Util.pm line 88.

Similarly, TTLS-PAP authentication logs the following:

Thu Apr 11 10:00:48 2019 916527: DEBUG: Handling with EAP: code 2, 8, 87, 21
Thu Apr 11 10:00:48 2019 916961: DEBUG: Response type 21
Thu Apr 11 10:00:48 2019 917282: INFO: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 917746: DEBUG: EAP Failure, elapsed time 0.000003
Thu Apr 11 10:00:48 2019 918140: DEBUG: EAP result: 1, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 918586: DEBUG: AuthBy FILE result: REJECT, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 919201: INFO: Access rejected for [email protected]: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 920957: DEBUG: EAP Failure, elapsed time 0.000003

Seeing that the test environment is a single instance of Radiator and the NAS is actually just a single FreeRADIUS eapol_test script, the error seems unlikely. Installation is based on the new radiator_4.23-1_all.deb package.
Kind regards,

Leon Haverkotte | Network engineer | University of Twente | Library, ICT Services & Archive (LISA) / ITO | Campus building Spiegel, room 226 | T: +31 (0)53 - 489 3016 | [email protected] | www.utwente.nl/lisa

> On 10 Apr 2019, at 18:02, Heikki Vatiainen <[email protected]> wrote:
>
> We are pleased to announce the release of Radiator version 4.23
>
> This version contains security fixes for EAP-pwd authentication and certain TLS configurations. Other changes include new features, enhancements and bug fixes. See below for the details.
>
> As usual, the new version is available to current licensees and evaluators from:
> https://www.open.com.au/radiator/downloads.html
>
> Licensees with expired access contracts can renew at:
> https://www.open.com.au/renewal.html
>
> An extract from the history file https://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
>
> Revision 4.23 (2019-04-10) security fixes, new features, enhancements and bug fixes
>
>
> Selected compatibility notes, enhancements and fixes
>
> Improved AcctLogFILE to support JSON.
>
> Security fixes for EAP-pwd authentication and certain TLS configurations. OSC recommends all users to review OSC security advisory OSC-SEC-2019-01 https://www.open.com.au/OSC-SEC-2019-01.html
>
>
> Known caveats and other notes
>
> TLSv1.3 is not enabled by default for TLS based EAP methods.
>
> TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
>
>
> Detailed changes
>
> Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.
>
> Added an example of using SupplementaryGroups option in systemd goodies files radiator.service and [email protected]. This parameter is typically used with AuthBy NTLM to grant access to winbindd socket.
>
> Added support for experimental parameters EAPTLS_CRLCheckUseDeltas and TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation list support for TLS based EAP and Stream classes, such as EAP-TLS and RadSec. Added test CRLs to Radiator demo certificates. See Radiator reference manual for the details.
>
> Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec, when Radiator tried to log information about a certificate during specially configured verification. Certificate is not made available by TLS library in all verification failure cases. Reported by Stefan Winter.
>
> AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled when checking AuthenProto configuration parameter. Addressed a number of Perl::Critic reports.
>
> AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.
>
> Update test.pl to clean up temporary files after finishing.
>
> DiaClient inheritance was updated to allow better log message control. Updated diapwtst respectively. Addressed a number of DiaClient related Perl::Critic reports.
>
> Fixed some log messages that did not correctly interpolate variables. Addressed other minor results reported by Perl::Critic.
>
> Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.
>
> JSON::MaybeXS was mistakenly added as a JSON backend. However it is a wrapper for backends so it is now removed from the list of JSON backends.
>
> Peer certificate issuer, subject and serial number in decimal and hexadecimal format is now logged on debug level when Radiator verifies peer certificate during EAP-TLS authentication or TLS based stream connection. This information is logged during verify callback when the TLS/SSL library is doing certificate verification. Logging is now done during successful and failing verification. Previously only some certificate information was logged.
>
> Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR 4329 Siemens added Siemens-AP-Mac as a new VSA and Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for Siemens-Ingress-RC and Siemens-Egress-RC.
>
> LogSYSLOG did not log Trace 5 level messages but printed out warnings about invalid level/facility to STDERR. Reported by Paul Dekkers.
>
> Requests without User-Name were triggering warnings that were enabled in Radiator 4.21. Reported cases now avoid warnings, and usernames that are empty instead of not defined are now more clearly logged. Similar work enabling more warnings continues and any reports are welcome. Cases now fixed were reported by Paul Dekkers and Roland Rosenfeld.
>
> When malformed attributes are received, sender IP address and port are now included in the message. Suggested by Paul Dekkers.
>
> Support configuration parameter AddToRequestIfNotExist added to AuthBy RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.
>
> Fixed make zipdist and other non-default targets from failing.
>
> Unit test name cleanup and better separation between tests.
>
> generate-totp.pl and nthash.pl goodies utilities no longer need Radiator modules. They now require Net::SSLeay and Digest::MD4, respectively.
>
> diapwtst now searches its parent directory for Radius-modules. This allows diapwtst to be called in similar fashion as radpwtst.
>
> Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. Old behaviour was causing zombie processes on some systems. Reported by Johan Wassberg.
>
> Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and change_attr now return 0, as documented, instead of nothing. This return value still evaluates to false but is now defined. Addressed results reported by Perl::Critic.
>
> Avoid unnecessary log messages and warnings by not probing SCTP API support on windows and completely avoiding harmless use of undefined variables in AuthGeneric.
>
> Added module Radius::JSON, which is a wrapper for various JSON backends. Module exports encode_json and decode_json from the JSON backend it finds. Last resort is JSON::PP, which should be included in Perl versions from 5.14.0.
>
> Improved AcctLogFILE to support JSON. By default, in addition to trace_id, timestamp, source_host, and type (accounting), all attributes from Accounting-Request are logged. This behaviour can be modified with parameter AcctLogOutputDef.
>
> Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).
>
> Updates to support and other help texts.
>
> Add expected result feature for diapwtst. When expected result is set, diapwtst returns 0 (success) even if result was something else. In this way diapwtst can be more useful, for example to periodically test DIAMETER services.
>
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
>
> _______________________________________________
> radiator mailing list
> [email protected]
> https://lists.open.com.au/mailman/listinfo/radiator
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
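As an added example (not Radiator's code and not from anyone in this thread), the following Python checker parses Radiator log lines and flags the two signatures Leon quotes: the Perl "Can't locate object method ... via package ..." error and the "EAP Response type N in unexpected state" rejection. It is the kind of scan you would run over the full log of a 4.22-2 versus 4.23 test run to see whether every TTLS attempt fails the same way. Assumptions: the line layout regex and the level names (ERR, WARNING, INFO, DEBUG, EXTRA_DEBUG) are inferred from the lines in the report; the sample log is constructed from those lines with the user name replaced by a placeholder.

```python
"""Scan a Radiator log for the two failure signatures quoted in the report above.

Added example; this is not Radiator code. It assumes Radiator's default
log line layout as seen in the report: "<ctime> <microseconds>: <LEVEL>: <message>".
"""
import re
from collections import Counter

# Default Radiator log line layout (assumption, matched against the lines in the report).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<usec>\d{1,6}): (?P<level>ERR|WARNING|INFO|DEBUG|EXTRA_DEBUG): (?P<msg>.*)$"
)

# IANA EAP method type numbers for the methods named in the thread.
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 52: "EAP-pwd"}

# The two signatures, taken from the lines quoted in the report.
SIGNATURES = {
    # Perl runtime error: a method call on a package that does not define it.
    "perl_missing_method": re.compile(
        r"Can't locate object method \"(?P<method>\w+)\" via package \"(?P<package>[\w:]+)\""
        r"(?: at (?P<file>\S+) line (?P<line>\d+))?"
    ),
    # Radiator rejecting an inner EAP response it cannot tie to an ongoing conversation.
    "eap_unexpected_state": re.compile(r"EAP Response type (?P<type>\d+) in unexpected state"),
}


def parse_line(line):
    """Split one Radiator log line into its fields; None if it is not in the default layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["usec"] = int(rec["usec"])
    return rec


def scan(text):
    """Parse a whole log; return level counts and every signature hit with its extracted detail."""
    result = {"parsed": 0, "unparsed": 0, "by_level": Counter(), "findings": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            result["unparsed"] += 1
            continue
        result["parsed"] += 1
        result["by_level"][rec["level"]] += 1
        for name, sig in SIGNATURES.items():
            m = sig.search(rec["msg"])
            if not m:
                continue
            detail = {k: v for k, v in m.groupdict().items() if v is not None}
            if name == "eap_unexpected_state":
                eap_type = int(detail["type"])
                detail["type"] = eap_type
                detail["method"] = EAP_TYPES.get(eap_type, f"EAP type {eap_type}")
            result["findings"].append(
                {"signature": name, "ts": rec["ts"], "usec": rec["usec"], "level": rec["level"], **detail}
            )
    return result


def summarize(result):
    """One line per signature: how many log lines matched and what the first hit said."""
    lines = []
    for name in SIGNATURES:
        hits = [f for f in result["findings"] if f["signature"] == name]
        if not hits:
            lines.append(f"{name}: not seen")
        elif name == "perl_missing_method":
            first = hits[0]
            where = f"{first.get('file', '?')} line {first.get('line', '?')}"
            lines.append(f"{name}: {len(hits)} line(s); {first['package']}->{first['method']} undefined at {where}")
        else:
            first = hits[0]
            lines.append(f"{name}: {len(hits)} line(s); first hit {first['method']} at {first['ts']} ({first['level']})")
    return lines


# Constructed sample: the lines quoted in the report, with the user name replaced by a placeholder.
SAMPLE_LOG = """\
Thu Apr 11 09:56:37 2019 137963: ERR: Could not handle an EAP request: Can't locate object method "getOriginaluserNameString" via package "Radius::Radius" at /opt/radiator/radiator/Radius/Util.pm line 88.
Thu Apr 11 10:00:48 2019 916527: DEBUG: Handling with EAP: code 2, 8, 87, 21
Thu Apr 11 10:00:48 2019 916961: DEBUG: Response type 21
Thu Apr 11 10:00:48 2019 917282: INFO: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 917746: DEBUG: EAP Failure, elapsed time 0.000003
Thu Apr 11 10:00:48 2019 918140: DEBUG: EAP result: 1, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 918586: DEBUG: AuthBy FILE result: REJECT, EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 919201: INFO: Access rejected for user@example.org: EAP Response type 21 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Thu Apr 11 10:00:48 2019 920957: DEBUG: EAP Failure, elapsed time 0.000003
"""

if __name__ == "__main__":
    for line in summarize(scan(SAMPLE_LOG)):
        print(line)
```

Run it against a real trace with `summarize(scan(open("/var/log/radiator/logfile").read()))`. The counts are what matter: a single "unexpected state" hit can genuinely be a NAS failing over to another server mid-conversation, which is what the message suggests, but every TTLS attempt hitting it on a one-server test bed with eapol_test is a regression. The ERR finding gives the missing method, the package it was called on and the file and line of the caller, which is exactly what to quote when reporting it upstream.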
