We are pleased to announce the release of Radiator version 4.27.
This version contains new features, enhancements and bug fixes. See below for the details.

As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:

-----------------------------

Revision 4.27 (2022-12-21) major TLSv1.3 features and updates, other enhancements and bug fixes


    Selected compatibility notes, enhancements and fixes

Significant LDAP updates to connection and TLS handling.

Red Hat Enterprise Linux 9 and its derivatives are now supported.

Ubuntu 22.04 is now supported.

Session resumption is enabled for EAP-TLS with TLSv1.3 but remains disabled for the other TLS based EAP methods.

TLSv1.3 is supported by EAP-TLS, EAP-TTLS and PEAP but remains disabled by default.

TLSv1.3 is tested with RadSec and other Stream modules but remains disabled by default.

Radiator can log TLS key material to a file to allow fully decrypting EAP and Stream SSL/TLS sessions.

TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured.

Fix and enhance EAP-FAST. Requires Net::SSLeay 1.94 or later with OpenSSL 1.1.1 and later.

Radiator SIM Pack 2.7 and Carrier Pack 1.7, or later, are strongly recommended.


      Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.

EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with OpenSSL 1.1.1 and later.


      Detailed changes

Add Windows Server and Microsoft SQL Server specific TOTP configuration samples in goodies.

Update Docker files in goodies directory. Change CentOS 8 to AlmaLinux 8, add AlmaLinux 9, Ubuntu 22.04 and Windows Server Core 2022.

Fix EAP-FAST with TLSv1.1 and TLSv1.2. Requires Net::SSLeay 1.94 or later when OpenSSL version is 1.1.1 or later. Allow server authenticated EAP-FAST to work without PAC.

Enhance handling of LDAP server name resolution, TLS configuration, failure backoff handling and logging. When using a DNS name to connect to an LDAP server, the name can now be resolved before connecting with the new flag parameter ResolveHost. When a name has multiple addresses, a connection attempt is made to each address in turn until a working server is found. Failure backoff is kept separately for each resolved address. SSLExpectedServerName now supports multiple values that are used together with the Host entries.
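The resolve-then-try-each behaviour described above, as an added example that is not Radiator's LDAP code: a name is expanded to all of its addresses, each address is tried in turn, and failure backoff is tracked per address rather than per name, so one dead address never blocks the others. The resolver, connector and clock are injected so the sample runs offline on constructed data (the host name ldap.example.test and the addresses are invented); in real use they would be socket.getaddrinfo, socket.create_connection and time.monotonic.

```python
"""Added example (not Radiator code): per-address failure backoff for a multi-address LDAP host."""
import socket
import time


def resolve_addresses(name, port, resolver=socket.getaddrinfo):
    """Return unique (ip, port) pairs for name, in resolver order, IPv4 and IPv6 alike."""
    seen, addrs = set(), []
    for _family, _type, _proto, _canon, sockaddr in resolver(name, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            addrs.append((ip, port))
    return addrs


class BackoffConnector:
    def __init__(self, backoff_seconds, connect, clock=time.monotonic):
        self.backoff_seconds = backoff_seconds
        self.connect = connect        # connect(ip, port) -> connection; raises OSError on failure
        self.clock = clock
        self.failed_until = {}        # (ip, port) -> time before which that address is not retried
        self.attempts = []            # every real connect attempt, kept so the behaviour can be checked

    def connect_any(self, addrs):
        """Try each address that is not in backoff; return ((ip, port), conn) or (None, None)."""
        now = self.clock()
        for addr in addrs:
            if self.failed_until.get(addr, 0.0) > now:
                continue              # still in backoff: skipped without a connect attempt
            self.attempts.append(addr)
            try:
                conn = self.connect(*addr)
            except OSError:
                self.failed_until[addr] = now + self.backoff_seconds
                continue
            self.failed_until.pop(addr, None)   # a success clears this address's backoff
            return addr, conn
        return None, None


# Constructed data: one hypothetical name with three addresses, the first of which is down.
def fake_resolver(name, port, **_kwargs):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port)),   # duplicate answer
            (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", port, 0, 0)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.11", port))]


DOWN = {"192.0.2.10"}


def fake_connect(ip, port):
    if ip in DOWN:
        raise ConnectionRefusedError(f"{ip}:{port} refused")
    return f"connection to {ip}:{port}"


class FakeClock:
    def __init__(self):
        self.t = 1000.0

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    addrs = resolve_addresses("ldap.example.test", 636, resolver=fake_resolver)
    c = BackoffConnector(backoff_seconds=60, connect=fake_connect, clock=clock)
    first = c.connect_any(addrs)     # .10 fails and enters backoff, ::10 answers
    clock.t += 10
    second = c.connect_any(addrs)    # .10 skipped without an attempt, ::10 used directly
    clock.t += 60
    third = c.connect_any(addrs)     # backoff expired: .10 is tried again, then ::10
    return addrs, first, second, third, list(c.attempts)


if __name__ == "__main__":
    addrs, first, second, third, attempts = demo()
    print("resolved:", addrs)
    print("chosen:", first[0], second[0], third[0])
    print("attempts:", attempts)
```

The attempts list is what distinguishes per-address from per-name backoff: the second round never touches 192.0.2.10 at all, yet the name as a whole stays usable.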

Update generate-totp.pl to do URI escaping when creating QR codes. Previously QR code URI components were not escaped causing problems when issuer and accountname contain special characters. Add support for defining QR code image file name.
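The escaping problem described above, as an added example that is not the generate-totp.pl code: build a Key Uri Format otpauth://totp/ URI with every component percent-encoded and parse it back, so an issuer or account name containing spaces, ':' or '&' survives the QR code. The issuer, account and secret values are constructed; NAIVE_URI shows what an unescaped build produces.

```python
"""Added example (not Radiator code): escaped otpauth:// URIs for TOTP QR codes."""
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def otpauth_uri(issuer, account, secret_b32, digits=6, period=30, algorithm="SHA1"):
    """otpauth://totp/ISSUER:ACCOUNT?secret=...&issuer=ISSUER with each part percent-encoded.
    quote(..., safe="") also encodes ':' and '@', so the only literal ':' is the label separator."""
    if issuer:
        label = quote(issuer, safe="") + ":" + quote(account, safe="")
    else:
        label = quote(account, safe="")
    params = {"secret": secret_b32, "algorithm": algorithm, "digits": digits, "period": period}
    if issuer:
        params["issuer"] = issuer
    # quote_via=quote encodes spaces as %20 rather than '+', which authenticator apps expect.
    return "otpauth://totp/" + label + "?" + urlencode(params, quote_via=quote)


def parse_otpauth(uri):
    """Inverse of otpauth_uri; raises ValueError on anything that is not a TOTP otpauth URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    raw_label = parts.path.lstrip("/")
    # Split on the literal ':' only; an escaped colon inside issuer or account is still %3A here.
    if ":" in raw_label:
        raw_issuer, raw_account = raw_label.split(":", 1)
    else:
        raw_issuer, raw_account = "", raw_label
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "issuer": query.get("issuer", unquote(raw_issuer)),
        "account": unquote(raw_account),
        "secret": query.get("secret", ""),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1"),
    }


# Constructed: the same values concatenated without escaping. parse_qs splits the query on
# the '&' inside the issuer, so the issuer comes back truncated to "ACME ".
NAIVE_URI = "otpauth://totp/ACME & Co:alice?secret=JBSWY3DPEHPK3PXP&issuer=ACME & Co"


if __name__ == "__main__":
    good = otpauth_uri("ACME & Co", "alice:ops", "JBSWY3DPEHPK3PXP")
    print(good)
    print(parse_otpauth(good))
    print("naive issuer:", repr(parse_otpauth(NAIVE_URI)["issuer"]))
```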

Update deprecated MySQL GRANT syntax in goodies examples. Beginning with MySQL 8.0, CREATE USER is needed before GRANT.

Fix parameter binding in the AuthPLSQL.pm goodies module, which broke when the module was updated in Radiator 4.25 to work with Perl 5.22 and later: bound values were left unchanged between query executions.

Add VENDOR 42229 Coriant with a number of Coriant prefixed attributes to the default RADIUS dictionary. These may also be found under the name Infinera in some sources; Infinera acquired Coriant in 2018.

Fix uninitialised log trace id triggered by log level changes with USR1 and USR2 signals. Make ServerTACACSPLUS log level for immediate disconnects follow DisconnectTraceLevel parameter. Update builddbm to work outside of Radiator installation directory similarly to radpwtst. Report and contributions by Patrik Forsberg.

Update CEF logging in LogFormat.pm. CEF authentication and accounting log messages now include the original username, if present. Any non-printable octets in CEF log messages are now escaped similarly to packet dumps, which satisfies the CEF UTF-8 encoding requirement. Enhanced escaping and whitespace handling.

Minor updates to tests to address SHA-1 deprecation in Red Hat Enterprise Linux 9. Packages are now built for RHEL9 compatible systems.

Reject EAP-TLS authentication when post handshake TLS data is received in the final acknowledgement after a successful TLS handshake. No data is needed in this case and its presence is an indication of message corruption, TLS alert or something else unexpected.

Session resumption is now supported with EAP-TLS when TLSv1.3 is negotiated. Resumption is prepared for EAP-TTLS and PEAP and will be enabled when more interoperability testing is done.

EAP-TLS now supports TLSv1.3 as described in RFC 9190. EAP-TTLS and PEAP support TLSv1.3 based on draft-ietf-emu-tls-eap-types. Session resumption with TLSv1.3 was initially disabled for all TLS-based EAP methods; it is enabled for EAP-TLS in this release (see above) and remains disabled for EAP-TTLS and PEAP until they are enabled separately.

TLS-based EAP methods now support TLSv1.3 key exporter needed for MS-MPPE-Send-Key, MS-MPPE-Recv-Key and EAP-Key-Name attributes and other uses.

TLS state tracing for EAP and Stream modules is now enabled with configuration parameters EAPTLS_TraceState and TLS_TraceState or when TLS message logging is not available. TLS message logging requires Net::SSLeay 1.92 or later.

StreamTLS based modules, such as RadSec, now log and respond better to TLS alerts and handshake messages. TLS alerts are now sent in more cases instead of directly closing the stream transport connection. Logging of TLS events is enhanced and more testing is done with TLSv1.3.

TLS based Stream classes, such as RadSec, now support TLS_Ciphersuites configuration parameter that sets allowed cipher suites for TLSv1.3. This parameter is similar to TLS_Ciphers which sets the allowed cipher suites for TLSv1.2 and earlier versions.
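Why a separate TLS_Ciphersuites parameter is needed, shown as an added example rather than Radiator code: Python's ssl module wraps the same OpenSSL context calls that Net::SSLeay does, and SSL_CTX_set_cipher_list (what a TLS_Ciphers value ends up in) only governs TLSv1.2 and earlier. Restricting it leaves every TLSv1.3 suite enabled, which is the case the new parameter covers. The cipher list string is an assumption chosen for the demonstration; Python exposes no SSL_CTX_set_ciphersuites, so the TLSv1.3 side is only observed here, not changed.

```python
"""Added example (not Radiator code): a TLS 1.2 cipher list does not touch TLS 1.3 suites."""
import ssl


def cipher_names_by_version(ctx):
    """Split the context's enabled ciphers into TLS 1.3 suites and pre-1.3 ciphers."""
    ciphers = ctx.get_ciphers()
    tls13 = [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"]
    older = [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"]
    return tls13, older


def apply_cipher_list(cipher_list="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"):
    """Apply a restrictive pre-1.3 list (the SSL_CTX_set_cipher_list path, i.e. TLS_Ciphers)
    to a fresh server context and report what changed on each side of the 1.3 boundary."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    tls13_before, older_before = cipher_names_by_version(ctx)
    ctx.set_ciphers(cipher_list)       # SSL_CTX_set_cipher_list: affects TLS 1.2 and earlier only
    tls13_after, older_after = cipher_names_by_version(ctx)
    return {
        "tls13_before": tls13_before,
        "tls13_after": tls13_after,    # identical: TLS 1.3 suites need SSL_CTX_set_ciphersuites
        "older_before": older_before,
        "older_after": older_after,    # only the two requested ciphers remain
    }


if __name__ == "__main__":
    result = apply_cipher_list()
    print("TLS 1.3 suites before:", result["tls13_before"])
    print("TLS 1.3 suites after: ", result["tls13_after"])
    print("pre-1.3 ciphers before:", len(result["older_before"]), "after:", result["older_after"])
```

The same split applies to the EAP side: a TLS_Ciphers or EAPTLS_Ciphers style list is not a TLSv1.3 control, so an operator who wants, for example, only AES-256 suites once TLSv1.3 is enabled has to set the TLSv1.3 list explicitly.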

ServerTACACSPLUS log level for client initiated connection terminations is now DEBUG. It's normal for the client to close TACACS+ connection. This returns the logging level back to what was used with release 4.20 and earlier.

Update NTLM and related Samba winbind configuration instructions in goodies.

Add support for SSL_CTX_set_keylog_callback that enables Radiator to log TLS key material. This allows fully decrypting EAP and Stream SSL/TLS sessions, including those that use forward secrecy. The key log file contains the session secrets, so it should only be used for debugging and the file should be protected and removed afterwards. See the reference manual for new parameters EAPTLS_KeylogFilename and TLS_KeylogFilename. Requires Net::SSLeay 1.92 or later.
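What the key log exposes, and how the TLSv1.3 key exporter of the earlier entry is used, as one added example that is not Radiator code: the SSL_CTX_set_keylog_callback format is the NSS key log format (one line per secret, LABEL, client random, secret in hex). For a TLSv1.3 session the EXPORTER_SECRET line is the exporter master secret, and from it alone the RFC 9190 exporter yields the MSK, EMSK and Method-Id, and with them the MS-MPPE-Recv-Key, MS-MPPE-Send-Key and EAP-Key-Name values that the RADIUS server hands to the NAS. The HKDF and exporter code below follows RFC 5869 and RFC 8446 with only hashlib and hmac; the key log lines are constructed, not captured, and the hash is chosen from the secret length (32 bytes for the SHA-256 suites, 48 for SHA-384).

```python
"""Added example (not Radiator code): EAP-TLS key material from a TLS 1.3 key log EXPORTER_SECRET."""
import hashlib
import hmac

EAP_TLS_TYPE_CODE = b"\x0d"  # EAP method type 13, the exporter context for EAP-TLS (RFC 9190 2.3)


def _hash_for(secret: bytes):
    # A TLS 1.3 secret is Hash.length bytes: 32 for the SHA-256 suites, 48 for SHA-384.
    return hashlib.sha256 if len(secret) == 32 else hashlib.sha384


def hkdf_extract(salt: bytes, ikm: bytes, hashfn=hashlib.sha256) -> bytes:
    return hmac.new(salt, ikm, hashfn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hashfn=hashlib.sha256) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashfn).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length, hashfn):
    # HkdfLabel from RFC 8446 7.1: uint16 length, "tls13 " + label, context.
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hashfn)


def tls13_exporter(exporter_master_secret, label, context, length):
    # RFC 8446 7.5: Derive-Secret(secret, label, "") then expand "exporter" with Hash(context).
    hashfn = _hash_for(exporter_master_secret)
    derived = hkdf_expand_label(exporter_master_secret, label, hashfn(b"").digest(),
                                hashfn().digest_size, hashfn)
    return hkdf_expand_label(derived, b"exporter", hashfn(context).digest(), length, hashfn)


def eap_tls_keys(exporter_master_secret):
    # RFC 9190 2.3: Key_Material and Method-Id; the MS-MPPE split follows RFC 5216 2.3.
    km = tls13_exporter(exporter_master_secret, b"EXPORTER_EAP_TLS_Key_Material", EAP_TLS_TYPE_CODE, 128)
    method_id = tls13_exporter(exporter_master_secret, b"EXPORTER_EAP_TLS_Method-Id", EAP_TLS_TYPE_CODE, 64)
    msk, emsk = km[:64], km[64:]
    return {
        "MSK": msk,
        "EMSK": emsk,
        "MS-MPPE-Recv-Key": msk[:32],
        "MS-MPPE-Send-Key": msk[32:],
        "EAP-Key-Name": EAP_TLS_TYPE_CODE + method_id,   # the EAP Session-Id
    }


def parse_keylog(text):
    """Group key log lines as {client_random_hex: {LABEL: secret_bytes}}; comments and malformed lines are skipped."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.lstrip().startswith("#"):
            continue
        label, client_random, secret_hex = parts
        sessions.setdefault(client_random, {})[label] = bytes.fromhex(secret_hex)
    return sessions


def eap_keys_from_keylog(text):
    """Derive EAP-TLS keys for every TLS 1.3 session (EXPORTER_SECRET present). A TLS 1.2 session
    logs only CLIENT_RANDOM; its RFC 5705 exporter also needs the server random from a capture."""
    return {cr: (eap_tls_keys(s["EXPORTER_SECRET"]) if "EXPORTER_SECRET" in s else None)
            for cr, s in parse_keylog(text).items()}


# Constructed sample key log, not real traffic: one TLS 1.2 session and one TLS 1.3 session.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "23" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "24" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "25" * 32,
    "EXPORTER_SECRET " + "11" * 32 + " " + "33" * 32,
])

if __name__ == "__main__":
    for cr, keys in eap_keys_from_keylog(SAMPLE_KEYLOG).items():
        if keys is None:
            print(cr[:8], "TLS <= 1.2 session: no exporter secret in the key log")
        else:
            print(cr[:8], "MS-MPPE-Recv-Key", keys["MS-MPPE-Recv-Key"].hex())
            print(cr[:8], "EAP-Key-Name    ", keys["EAP-Key-Name"].hex())
```

The point for operations: a key log is not only a decryption aid for Wireshark. Anyone who reads it can reproduce the per-session keys the NAS receives in the Access-Accept, so treat the file with the same care as the server private key while it exists.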

TLS handshake and state trace logging is now enabled for EAP and Stream modules, such as PEAP and RadSec, when Trace 4 (debugging) or PacketTrace is configured. Requires Net::SSLeay 1.92 or later.

Enhance Ansible playbooks to use operating system families. Instead of listing, for example all Red Hat Enterprise Linux variants, use RedHat family to cover them all.

radpwtst can now send empty EAP-GTC and EAP-OTP responses when needed. Use TLS_Protocols parameter more consistently in goodies samples and recommend it over UseTLS. Replace non-ASCII characters in goodies and other text files with printable ASCII characters.

Update the default Radius dictionary with the following 5G attributes from VENDOR 3GPP TS 29.561 v16.8.0: 3GPP-VLAN-Id, 3GPP-TNAP-Identifier, 3GPP-HFC-NodeId, 3GPP-GLI, 3GPP-Line-Type, 3GPP-NID and 3GPP-GCI.

Add VENDOR 2011 Huawei attributes Huawei-User-Group-Name, Huawei-User-Service-Type and Huawei-Web-URL to the default Radius dictionary. Add new dictionary file dictionary.huawei2 to goodies directory. This file was received from the vendor and contains attributes used by NetEngine 8000 series and possibly other devices.

GossipRedis can now send a Redis ECHO command to probe and keep a connection active. Probing is disabled by default and is enabled with ProbeTimeout GossipRedis configuration parameter.

Update Redis session database sample file in goodies.


--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
