We are pleased to announce the release of Radiator version 4.29.
This version contains a major RADIUS protocol security fix, some new features, enhancements and bug fixes. See below for the details.

As usual, the new version is available to current licensees
and evaluators from:
https://radiatorsoftware.com/downloads/

Licensees with expired access contracts can renew at:
https://radiatorsoftware.com/renewal-order/

An extract from the history file
https://radiatorsoftware.com/products/radiator/history/ is below:

-----------------------------

Revision 4.29 (2024-07-09) major Radius protocol security fix, some new features, enhancements and bug fixes


      Selected compatibility notes, enhancements and fixes

Updates to address CVE-2024-3596 BlastRADIUS vulnerability in the RADIUS protocol. For the vulnerability details, see https://www.blastradius.fail

Support Ubuntu 24.04.


      Known caveats and other notes

TLSv1.3 remains disabled by default for TLS based EAP methods and Stream based classes, such as RadSec. TLSv1.3 testing reports are welcome.

EAP-FAST needs Net::SSLeay 1.94 or later to function correctly with OpenSSL 1.1.1 and later.


      Detailed changes

Add a new flag parameter LimitProxyState to Client clauses. When set, requests from non-proxy clients that contain Proxy-State but do not contain Message-Authenticator are dropped. Ensure that ServeRADSEC drops requests with a bad Message-Authenticator instead of only logging them. The upcoming RADIUS transport update by the IETF radext working group will remove these signatures, which are redundant over RadSec, but keeps them for the current transport profile. LimitProxyState addresses CVE-2024-3596.

Update RADIUS Message-Authenticator attribute handling. Message-Authenticator is always added as the first attribute in RADIUS messages. Message-Authenticator is now added automatically to replies to Access-Request messages and to Access-Request messages when they are proxied. New parameter RequireMessageAuthenticator is now available for AuthBy RADIUS and its subclasses. It can be set for all hosts in an AuthBy or on a host-by-host basis. This parameter requires a valid Message-Authenticator in proxy replies. A new command-line flag -no_message_authenticator is available in radpwtst to omit Message-Authenticator from Access-Requests. Most of the updates are based on the work currently done in the IETF's radext working group. Addresses CVE-2024-3596.
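The two items above describe what a server must compute and check for CVE-2024-3596. The following is an added example, written in Python for this page and not Radiator code (Radiator itself is Perl), that builds and verifies the Message-Authenticator and Response Authenticator per RFC 2865/2869 and models the LimitProxyState and RequireMessageAuthenticator policies as plain functions. The function names, the shared secret and the packets are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER_LEN = 20


def encode_attrs(attrs):
    """Serialise [(type, value), ...] into RADIUS attribute bytes (TLV, length includes header)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(payload):
    """Parse attribute bytes, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse(packet):
    """Split a packet into (code, identifier, authenticator, attrs); validates the length field."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def _hmac_over(code, ident, authenticator, attrs, secret):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value set to 16 zero bytes
    (RFC 2869 section 5.14). For replies, 'authenticator' is the Request Authenticator."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator
    return hmac.new(secret, header + body, hashlib.md5).digest()


def build_access_request(ident, request_auth, attrs, secret):
    """Access-Request with Message-Authenticator placed as the first attribute."""
    attrs = [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)] + list(attrs)
    attrs[0] = (MESSAGE_AUTHENTICATOR, _hmac_over(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Reply to an Access-Request: Message-Authenticator keyed on the Request Authenticator, then
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)] + list(attrs)
    attrs[0] = (MESSAGE_AUTHENTICATOR, _hmac_over(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_message_authenticator(packet, secret, request_auth=None):
    """True iff exactly one Message-Authenticator is present and it verifies.
    Pass the matching Request Authenticator when checking a reply."""
    code, ident, authenticator, attrs = parse(packet)
    present = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(present) != 1 or len(present[0]) != 16:
        return False
    key_auth = authenticator if request_auth is None else request_auth
    return hmac.compare_digest(_hmac_over(code, ident, key_auth, attrs, secret), present[0])


def accept_request(packet, secret, client_is_proxy, limit_proxy_state=True):
    """Server-side policy modelled on the LimitProxyState Client flag (hypothetical helper):
    drop Access-Requests from non-proxy clients carrying Proxy-State but no Message-Authenticator;
    whenever a Message-Authenticator is present it must verify."""
    code, _, _, attrs = parse(packet)
    types = {t for t, _ in attrs}
    if code == ACCESS_REQUEST and limit_proxy_state and not client_is_proxy:
        if PROXY_STATE in types and MESSAGE_AUTHENTICATOR not in types:
            return False
    if MESSAGE_AUTHENTICATOR in types:
        return verify_message_authenticator(packet, secret)
    return True


def verify_response(packet, request_auth, secret):
    """Proxy-side check modelled on RequireMessageAuthenticator (hypothetical helper): the
    Response Authenticator must match and a valid Message-Authenticator must be present."""
    _, _, response_auth, _ = parse(packet)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    return verify_message_authenticator(packet, secret, request_auth)
```

The interesting case for the CVE is a reply that carries only a Response Authenticator: it passes the MD5 check but verify_response still rejects it because no Message-Authenticator is present, which is exactly what RequireMessageAuthenticator demands of upstream servers. Note that a Request Authenticator must be unpredictable in real use; the fixed one in the test is for reproducibility only.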

Discard unknown Diameter answers earlier in DiaPeer.pm. Simplify request sending in DiaPeer.pm.

Add new hooks in goodies: addresspool-statshook.pl for monitoring IP address allocator pool utilisation, and client-nas-identifier.pl and client-nas-identifier-2.pl to use together with a new configuration sample file client-nas-identifier.cfg. This file shows how to define Client clauses for clients behind NAT that are identified only by NAS-Identifier attribute.

Ansible playbooks in goodies updated to use FQCN. The minimum Ansible core version required for Ubuntu 24.04 is now documented in the README.

Add support for configuring SIGTRAN statistics clauses. SIGTRAN is supported by Radiator's SIM pack.

Test with Ubuntu 24.04. Add new VENDOR 6027 Force10 in the default RADIUS dictionary with attribute Force10-avpair. Also add VENDOR 674 Dell (also known as DellEMC) attribute Dell-AVpair.

Add VENDOR 12148 ELTEK attribute ELTEK-SP-UserID to the default RADIUS dictionary. Add values for ELTEK-SP-AdminLevel. The other ELTEK attributes were already present in the dictionary. Update the attributes of VENDOR 30065 Arista and VENDOR 16901 Mojo (also Arista).

Fix the CEF AuthLog and AcctLog header format, broken in releases 4.27 and 4.28. Authentication log formatting in LogFormat.pm incorrectly logged ignored requests as rejected requests with the CEF and JSON formats.

Add VENDOR 2007 Teldat attribute Teldat-Access-Level to Radius dictionary.

AuthBy LDAP2 now properly closes the LDAP connection when a group search experiences an LDAP error. This avoids errors in subsequent LDAP queries. Add similar checks to the LDAP NMAS functions.


--
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator