We are pleased to announce the release of Radiator version 2.14.
2.14 includes a few significant new features and a number of minor new features
and fixes. Existing customers and current testers are entitled to download the
new version from http://www.open.com.au/radiator/downloads/Radiator-2.14.tgz
Extract from the history file follows:
Revision 2.14 (14/7/99)
Added new AuthBy PAM, which can authenticate
through any method supported by PAM on your
Added support for RAdmin, the new web-based user administration
package from Open System Consultants. Supports sim-use, static
IP address, bad login limits, preallocated time, error logging etc etc
New authentication module PORTLIMITCHECK, which can check and
enforce simultaneous-use limits for arbitrary groups of users. This
can allow you to sell bundles of ports on a global or per-POP basis,
or DNIS etc. It can also set up Class attributes that depend on how
many users are currently logged in in that group, so you can have
different charging bands for normal and overflow usage etc. Requires
a that a be present in your Radiator config.
Changes to session databases so that when a NAS is checked for a
simultaneous use, the original username (prior to any
RewriteUsername) will be used.
Log.pm was ignoring LogFile global parameter and always using
Added new parameter DefaultSimultaneousUse to AuthBy.
DefaultSimultaneousUse specifies a sim-use limit that will apply if
there is no user-specific Simultaneous-Use check item.
Added new dictionary.ascend2 for Ascends that use Vendor-Specific
attributes with vendor 529.
Added Nas-Type of TotalControlSNMP, which uses SNMP to check
a Total Control NAS. Contributed by Stephen Roderick
([EMAIL PROTECTED]). Thanks Stephen.
If you had both DefaultReply and AddToReply, then DefaultReply
would have no effect. Fixed.
In AuthBy SQL, you can now have multiple definitions of the same
column name in AcctColumnDef. This allows you to save different
attributes from different types of NAS into the same column in a
mixed NAS environment.
Fixed a problem in radpwtst that could cause a premature exit if there
were problems in receiving a reply.
Checks for Realm in a Handler clause can now be regexps
Added a number of Bay VSAs to standard dictionary. Thanks to
Stuart Henderson ([EMAIL PROTECTED]).
Added new NasType of "ignore" that does not contact the NAS, and
always assumes there are no multiple logins. Suggested by Stephen
Roderick ([EMAIL PROTECTED])
Some performance improvements in Nas.pm
Added new Client parameter NoIgnoreDuplicates. You can use this
to fine-tune which types of duplicate requests you will handle
(regardless of the setting of DupInterval) The value is a space
separated list of request types, such as "Access-Request
Accounting-Request" etc. Case sensitive. This can sometimes help
if you are losing packets. Suggested by Tim Minchin
radpwtst can now take any number of additional attribute=value
arguments, so you can add any attributes that are in the dictionary to
Fixed problem with becoming a daemon on AIX (which doesn't
Fixed a problem in the internal SessionDatabase, where it would ask
all the NAS ports for all users to double check apparent logins.
With SNMP, if you use SNMP_Session-0.70.tar.gz instead of
SNMP_Session-0.62.tar.gz, snmpget reported "Unrecognizable or
unauthentic packet received". Fixed.
Testing with perl 5.00401, no changes required.
Testing with AIX, with the assistance of Dave Close
([EMAIL PROTECTED]). Some fixes required. Thanks Dave.
Testing on FreeBSD 2.2.5, no changes required.
Added NasType support for Tigris (both old and new MIBS), Bay
4000, and Bay by finger, contributed by Rob Thomas
([EMAIL PROTECTED]). Thanks Rob.
Testing on SCO Open Server 5.0.4, no changes required.
Added new special character %u, which is replaced by the original full
User-Name as it was received and before any RewriteUsernames
Added new special character %l, which is replaced by the current local
time expressed as a string, eg 'Thu Apr 22 15:39:03 1999'.
Added ACC vendor-specific attributes to the standard dictionary
In AuthBy EXTERNAL, the external program can now return any
attribute=value pairs on each line on stdout, not just
Reply-Message. Contributed by Richi Plana ([EMAIL PROTECTED]).
AuthBy NT was not logging passwords to PasswordLogFileName.
On SIGHUP, old realms were not being removed from the old
Upgraded AuthTACACSPLUS so it can do PAP and CHAP when you
have a recent (0.16 or better) version of the TacacsPlus perl library.
Now parses Merit style dictionaries, including VENDOR_CODE.
radacct.cgi now shows summaries by IP address, suggested by Karl
Gaissmaier ([EMAIL PROTECTED]) which he says is useful
for tracking down attacks.
radacct.cgi will automatically decrypt on the fly files with a .gz
extension, also suggested by Karl Gaissmaier
([EMAIL PROTECTED]). Thanks Karl.
radwho.cgi will now automatically refresh every 30 seconds, and also
shows the date of the refresh in the title.
DefaultRealm was not being honoured by Handlers, only Realms.
Reported by Richard Lennerts ([EMAIL PROTECTED]). Thanks
Fixed a race condition in EXTERNAL that could prevent it replying
under some conditions. Also fixed other problems that prevented it
getting the return code from the external program on NT. Still not
working properly on Win98.
Added a new parameter ResultInOutput to AuthBy EXTERNAL so
you can use a string in the first line of the output of the external
command to signal the type of reply, instead of using the exit status.
This is good if you are using Win98 where the exit status is not
Using special characters like %a, %c, %C, %n, %N, %R, %T, %U, %u
in a context where there is no associated packet would cause a crash.
Now they are just replaced by an empty string.
Handlers did not recognise embedded include directives.
Changed child reaping to remove the possibility of unreaped child
processes if 2 sigchld signals collide.
Significant changes in AuthBy FILE to greatly reduce the amount of
memory required with large user files to about one tenth of previous
Fixed a problem with LogSQL where strings with quotes in them
caused an SQL error.
Included in goodies detailed instructions on how to increase the
default data size on BSDI, contributed by Paul Thornton
([EMAIL PROTECTED]). Thanks Paul.
Can now use case insensitivity in regexp Realms like this:
In fact, you can use either the i or x modifiers
Added -snmp_port argument to radiusd to override what's in the
Improved the behaviour of changeAttrByNum so it correctly updates
the cached value too. This is only interesting for authors of hooks.
Added code to complain if Client or IdenticalClient names could not
Added ExcludeFromPasswordLog to Handler, to prevent certain user
names being logged to the PasswordLogFileName. It's a good idea to
list your sysadmins etc.
Added wtmp support for FreeBSD, contributed by Jason
([EMAIL PROTECTED]). Thanks Jason.
AuthBy SYSTEM now checks the primary group as well as the
secondary groups. It used only to do the secondaries.
Fixed a problem with AuthBy PLATYPUS where the select
statement was constructed incorrectly.
Fixed a problem with Prefix and Suffix check items that prevented
rejection if there was no match.
Added new parameter UseGetspnam to AuthBy SYSTEM so it can
be used with some systems (notably Solaris) using getspnam
Added Timeout parameter to all the SQL based clauses, so that you
can get predictable timeout from failed SQL operations due to lost
connectivity with the SQL server. Defaults to 60 secs.
Fixed a problem in test.pl that prevented reporting of some errors in the
test suite. Fixed some other inaccuracies in the test suite.
Added new special character %S, which translates to the current
Added ReplyHook to AuthBy RADIUS, which runs after the reply is
received from the remote radius server (as opposed to
PostAuthHook, which runs after the request was forwarded, but
before the reply is received).
Modified Nas.pm so that if finger detects a problem or a timeout when
using finger to verify simultaneous connections, it assumes that the
user is still online (i.e. it assumes that the SessionDatabase is
Fixed a problem with "include" directives in the configuration file:
Recursive includes did not work properly.
Can now specify LivingstonOffs and LivingstonHole on a per-Client
Fixed a problem with command line arguments in radiusd.
-log_file_name was ignored.
Changes to Handler.pm and SessINTERNAL.pm to improve
behaviour in the face of lost Stops.
Mods to AuthLDAP2 so it conforms more closely to the expectations
of some LDAP servers. In particular, it now maintains the TCP
connection to the server, but binds and unbinds for each search.
Fixed a problem in AuthBy EXTERNAL on some OS, where a
sigchld handler could prevent getting the return status of the
external process. The result would be no reply to the request.
Improved the sort ordering of IP addresses in radacct.cgi.
Rationalised some code in Nas.pm to make it smaller and easier to
maintain, and to facilitate future internal SNMP client. Also added
some snmpwalk support, and activeSessions support.
Added 20 second timeout to internal finger client
Added handling of Ascend-Access-Event-Request, which can be
used to verify that an SQL SessionDatabase is in sync with reality.
Deleting a user from a DBM file with builddbm -d username left an
empty user entry, rather than deleting it.
Added new special characters %b %o %e %f %g %i %j %k %p for time
components from the Timestamp of the current packet.
Changed default DupInterval to 2 seconds. This will still detect dups
created by duplicate network paths, but now a lost Access-Accept
won't trigger many duplicate requests.
Ascend-Data-Filter addresses now default to /32 if the mask length
is not specified, eg "ip in drop dstip 22.214.171.124" is equivalent to "ip in
drop dstip 126.96.36.199/32".
Improved error recovery during log file parsing so that unknown
objects won't silently cause the rest of the file to be ignored.
Binary distribution file changed to .tgz extension to prevent problems
unpacking on PCs.
Improvements to getNasId so it will get an address even if
NAS-IP-Address is absent and NAS-Identifier does not include an
IP address. Some NAS's do not conform to the Radius spec and this
helps with those NASs.
Added support for NasType of NortelCVX1800. Contributed by
James H. Thompson ([EMAIL PROTECTED]). Thanks James.
AuthBy RADIUS will now do round-robin proxying for host names
with multiple IP addresses. DNS names for proxy Radius hosts are
resolved at startup time.
Changes to API standard for findUser in authentication modules
allow you to detect database failure, as opposed to "no such user",
useful for LDAP and similar to fall back to other LDAP databases.
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
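
The DupInterval and NoIgnoreDuplicates entries in the history extract above interact, and a small model makes the effect visible. This is an added illustration, not Radiator code: the class and function names are hypothetical, the traffic is constructed, and the duplicate key (client address, source port, RADIUS identifier) is an assumption taken from the usual RFC 2865 guidance rather than from Radiator's source.

```python
# Added illustration, not Radiator source. Assumed: duplicates are keyed on
# (client address, source port, RADIUS identifier), as RFC 2865 suggests.
from dataclasses import dataclass, field


@dataclass
class DuplicateFilter:
    dup_interval: float = 2.0                      # 2.14 default per the entry above
    no_ignore_duplicates: frozenset = frozenset()  # case-sensitive type names
    _seen: dict = field(default_factory=dict)      # key -> time last accepted

    def should_process(self, now, client, src_port, identifier, req_type):
        """Return True if the request should be handled, False if dropped."""
        key = (client, src_port, identifier)
        last = self._seen.get(key)
        is_dup = last is not None and (now - last) <= self.dup_interval
        if is_dup and req_type not in self.no_ignore_duplicates:
            return False          # retransmission inside the window: ignore
        self._seen[key] = now
        return True

    def expire(self, now):
        """Drop entries older than the window so the cache stays bounded."""
        stale = [k for k, t in self._seen.items() if now - t > self.dup_interval]
        for k in stale:
            del self._seen[k]
        return len(stale)


def replay(filter_, packets):
    """Run constructed (time, client, port, id, type) tuples through the filter."""
    return [filter_.should_process(*p) for p in packets]


# Constructed sample traffic: (seconds, client, source port, identifier, type)
SAMPLE = [
    (0.0, "192.0.2.10", 1645, 17, "Access-Request"),      # first copy
    (1.0, "192.0.2.10", 1645, 17, "Access-Request"),      # retransmit, in window
    (3.5, "192.0.2.10", 1645, 17, "Access-Request"),      # identifier reused later
    (4.0, "192.0.2.10", 1646, 9, "Accounting-Request"),   # first copy
    (4.5, "192.0.2.10", 1646, 9, "Accounting-Request"),   # retransmit, in window
    (4.6, "192.0.2.10", 1646, 9, "accounting-request"),   # wrong case: no match
]
```

In this model, listing Accounting-Request in the exemption set means the retransmitted copy is handled a second time, so whatever consumes the accounting records has to tolerate repeats.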