We are pleased to announce the release of Radiator version 4.26

This version contains new features, enhancements and bug fixes. See below for the details.

As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:

-----------------------------

Revision 4.26 (2021-10-29) new features, enhancements and bug fixes


    Selected compatibility notes, enhancements and fixes

TLSv1.3 is currently disabled for AuthBy DUO.

AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAPv2 is supported with MSCHAPv2 conversion. Encrypted PIN is now supported for PAP, EAP-OTP and EAP-GTC.

Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.


    Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec.

EAP-FAST functionality is reported to vary between TLS versions, TLS library security level settings and client implementations.


    Detailed changes

AuthBy LSA in Radiator 4.24 and 4.25 could crash when the Group parameter was not directly configured and the LSA group membership check was called from another module, such as AuthBy FILE. Reported by Viktu Pons i Colomer.

Radiator now actively closes Diameter peering when a Capabilities-Exchange-Answer (CEA) with an unsuccessful Result-Code or the E flag is received. Previously it was assumed that the peer closes the connection. This keeps the non-working peering from being used for sending requests.

Fixed a memory leak in SNMP client. The problem is seen on systems that use Perl 5.16, such as Red Hat Enterprise Linux 7 and CentOS 7. For details, see Perl5 Github issue 12309, originally RT 114340.

Fix typos in proxy.cfg and package default config file in goodies. Add missing DbDir and LogDir to addressallocator.cfg and n7k-radius.cfg configuration samples.

AuthBy DUO with CheckTimerInterval set to zero no longer remains in the failed state indefinitely. The new parameter FailureBackoffTime sets the time the API is considered unavailable. Thanks to Alexander Hartmaier for reporting the problem and suggesting a fix.

AuthBy REST now supports special format characters in the URL parameter.

Added VENDOR 4115 Arris with a number of Arris prefixed attributes to the default RADIUS dictionary.

Updated sample certificates to expire on September 16 2023.

Updated RADIUS proxying configuration samples to include the Asynchronous parameter so that the proxying AuthBys work similarly to other AuthBys. The default behaviour is to return IGNORE after proxying, which complicates configurations with multiple grouped AuthBys.

PostProcessingHook, AddToReply and other related adjustments configured for a Handler are now done before AuthLog is called. This makes changes done by the Handler visible for logging. If a hook or some special configuration triggers a direct reply, any attempts to send the same reply again are no longer logged with AuthLog or AcctLog.

AuthBy DUO now disables TLSv1.3 to avoid the blocking problem described by Alexander Hartmaier on the Radiator mailing list in June 2021. TLSv1.3 can be re-enabled in a future Radiator version when a fix is available.

Minor enhancement and optimisation to the use of the AuthenProto parameter in AuthGeneric.pm. Various logging and goodies updates, and fixes to warnings triggered by User-Name not being present in requests.

AuthBy SQLTOTP now supports a PIN, also called a static password, that is stored in a format supported by the Encrypted-Password check item. This is enabled with the EncryptedPIN configuration flag parameter. Supported with PAP, EAP-OTP and EAP-GTC.

AuthBy SQLTOTP now supports CHAP, MSCHAP and MSCHAPv2. EAP-MSCHAP-V2 is supported by conversion to MSCHAPv2.

HTTPClient now properly handles HTTP chunked encoding.

Fix the diapwtst -dictionary command line parameter that was broken in release 4.25.

AuthBy DNSROAM used 'mysecret' as the default shared secret. It now uses 'radsec' as required by the RadSec RFC 6614. Updated the reference manual and dnsroam.cfg and dnsroam.txt in goodies.

TLS_Ciphers and TLS_Protocols did not have any effect in the AuthBy DNSROAM configuration. Reported by Paul Dekkers.

Proxy algorithm LOADBALANCE no longer does infinite retries with certain configurations. With the kind help of Frank Danielson.

Enhanced logging for all EAP methods and especially for TLS based EAP methods. TLS handshake states and other related information is now logged in text instead of numeric values. Clarified and unified log messages related to TLS alerts and errors. Updated eaptls_resume_post_auth_hook.pl in goodies.

Connections accepted by StreamServer can now have a maximum limit. This also allows them to be distributed equally between worker processes when ServerFarm is enabled. The limit is set with the StreamMaxClients configuration parameter, which is available for all StreamServer derived classes such as ServerDIAMETER.

radpwtst, tacacsplustest and other utilities that use the FindBin module to find the Radiator installation location can now be used via symbolic links. Suggested by Patrik Forsberg.

Fixed a possible crash if an actively used certificate file or its private key is removed, or if the two no longer match each other. This can be caused by a local change, such as an administrator moving files.

AuthBy DIAMETER and Carrier module DiaPeerDef no longer crash when OCSP check is enabled.

StreamTLS OCSP defaults were not correctly applied for cache time, cache size and other values. Minor updates to unify PEAP and EAP-FAST error handling with other TLS based EAP methods, so that logging can be unified across TLS based EAP methods.

Enhanced logging for Stream based modules for protocols such as RadSec, Tacacsplus and Diameter. Log messages now have more consistent information about the module, including its identifier. TLS handshake states and other related information is now logged in text instead of numeric values.

All LDAP clauses now support LDAP over TLS and Start TLS debugging. The debug messages are written to STDERR and are not visible in Radiator's log. See DebugTLS in Radiator reference manual and ldap.cfg file in the goodies directory.

Unknown RADIUS request codes are now detected and ignored earlier by radpwtst and radiusd.

Updated cisco-avpair VSA handling samples in the goodies directory. New hook sample create-cisco-cmd.pl was created based on the old createavpairs.pl. createavpairs.pl was re-created from a sample in hooks.txt. Also updated radminTacacs.cfg to match the updated hooks.

Added VENDOR 674 Dell VSA Dell-Group-Name to the default RADIUS dictionary. Used with Dell EMC devices.

The HTTPClient.pm RequestHeader parameter could not be configured; configuring it caused an immediate crash. Added the HTTP_Version parameter, which allows configuring HTTP/1.0 or HTTP/1.1.

Enhanced multiple goodies files to clarify comments, instructions, file paths and command samples.

Log FILE and Log SYSLOG now skip logging when LogFormatHook returns undef. This allows suppressing log messages with LogFormatHook.
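As an added illustration of this change (example code written for this note, not a hook shipped in the Radiator goodies), the following LogFormatHook drops selected DEBUG-level lines by returning undef and returns every other message formatted with a timestamp. It would be referenced from a Log FILE clause as `LogFormatHook file:"%D/logformat_suppress.pl"`. The argument order ($self, $priority, $message, $packet), the priority numbering (0 ERR up to 4 DEBUG and 5 EXTRA_DEBUG) and the NAS name in the pattern are assumptions made for this example; confirm the hook calling convention against the Log FILE section of the reference manual for your Radiator version.

```perl
# logformat_suppress.pl: added example of a Radiator LogFormatHook.
# Radiator 4.26 and later skip writing the message entirely when this
# hook returns undef; any other return value is written as the log line.
#
# Assumed argument order: ($self, $priority, $message, $packet).
# Assumed priorities:    0 ERR, 1 WARNING, 2 NOTICE, 3 INFO, 4 DEBUG, 5 EXTRA_DEBUG.
sub {
    my ($self, $priority, $s, $p) = @_;

    # Constructed noise filter: hide DEBUG and EXTRA_DEBUG chatter caused by
    # a monitoring probe (hypothetical NAS name), but never drop anything at
    # NOTICE level or above, so errors and warnings always reach the file.
    return undef
        if $priority >= 4 && $s =~ /from\s+probe-nas\.example\.net\b/;

    # Everything else is written with a timestamp and a readable level name.
    my @names = qw(ERR WARNING NOTICE INFO DEBUG EXTRA_DEBUG);
    my $level = $names[$priority] // "LEVEL$priority";
    my $stamp = scalar localtime;
    return "$stamp: $level: $s";
}
```

Suppressing only at DEBUG level and above keeps the filter from hiding authentication failures or TLS errors, which is the usual trade-off when trimming log volume from a known-noisy client.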

Ansible playbooks for deploying and managing Radiator now import Radiator Software product signing key.

Mikrotik attribute name Mikrotik-DHCP-Option-Param-STR2 was incorrectly spelled as Mikortik-DHCP-Option-Param-STR2 in the default dictionary. Reported by Eddie Stassen.


--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
