Hi Michael, thanks for reporting this. The patch set is now available, although there are currently no patches in it.
Cheers.

On Friday 29 April 2011 07:16:24 am Michael wrote:
> Can't seem to download the patches. After accepting the license agreement,
> it just keeps returning to the license agreement.
>
> On Thu, 28 Apr 2011, Mike McCauley wrote:
> > We are pleased to announce the release of Radiator version 4.8
> >
> > This version contains some new features and minor bug fixes.
> >
> > As usual, the new version is available to current licensees from:
> > http://www.open.com.au/radiator/downloads/
> >
> > and to current evaluators from:
> > http://www.open.com.au/radiator/demo-downloads
> >
> > Licensees with expired access contracts can renew at:
> > http://www.open.com.au/renewal.php
> >
> > An extract from the history file
> > http://www.open.com.au/radiator/history.html is below:
> >
> > -----------------------------
> > Revision 4.8 (2011-04-28) New features and some bug fixes.
> >
> > Fixed a problem in AuthBy EAPBALANCE where no reply from a
> > proxied request from the middle of an EAP stream would result in
> > unlimited retransmissions of the request. Reported by Keith Ma.
> >
> > Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
> >
> > Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil
> > Johnson.
> >
> > RPM packages were built by default on OpenSuSE with LZMA
> > compression, which is not available for all platforms. This new
> > Radiator.spec disables LZMA and uses BZ2 instead. In future all
> > RPMS will be built with BZ2 compression. New versions of
> > Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm
> > with BZ2 uploaded.
> >
> > Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where
> > MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and
> > TimeStepOrigin parameters were not correctly read, resulting in
> > errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew
> > Reeves-Hairs.
> >
> > GetClientQuery was incorrectly using field 25 instead of 27 for
> > flags. Documentation for GetClientQuery incorrectly described
> > field 25 as being flags instead of ClientHook.
> >
> > Added SQLRetries parameter to all SQL type clauses. When
> > executing a query, Radiator will try up to SQLRetries attempts to
> > execute the query, retrying if certain types of SQL error are
> > seen. Defaults to 2. Requested by Michael.
> >
> > Fixed some problems with Radius paths in the RPM on some
> > platforms. Rebuilt and uploaded new RPMs.
> >
> > Improved Client CIDR address searches so a more specific cidr
> > would have priority over a less specific cidr. Contributed by
> > Nicholas Waples.
> >
> > Improved ClientListLDAP, added oscRadiusIdentifier &
> > oscRadiusDefaultRealm into the default list of
> > ClientAttrDef's. were the only attributes missing from
> > oscRadiusClient ldap schema provided (in goodies). Contributed by
> > Nicholas Waples.
> >
> > In Server TACACSPLUS, the call AuthenticationStartHook now
> > includes the priv_lvl and service values from the TACACSPLUS
> > request passed as arguments to the hook.
> >
> > In Server TACACSPLUS, during authentication, we now add
> > cisco-avpair attributes to the RADIUS request for action,
> > authen_type, priv-lvl and service from the incoming TACACSPLUS
> > request.
> >
> > Improvements to AuthBy URL. Improved HTTP and HTML standards
> > compliance by using the LWP::UserAgent methods post() and
> > get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication,
> > as well as the previously supported PAP. *CHAP challenges and
> > responses are encoded as HEX and sent as configurable web
> > parameters. Updated the sample config file goodies/url.cfg, and
> > improved documentation. Fixed inconsistent password in sample
> > test_url_md5.cgi. Cleaned up some of the code to be compliant
> > with in-house standards.
> >
> > Added support for BindAddress in all Ldap derived clauses,
> > allowing you to specify a local address for the client side of
> > the LDAP connection with BindAddress, in the form
> > hostname[:port]. Defaults to 0.0.0.0. Updated sample config
> > file. Suggested by Roel Hoek.
> >
> > Updated AuthBy NTLM so that if an authentication fails, the
> > Warning log message records the user name along with the
> > Authentication-Error. Suggested by David Zych.
> >
> > Further improvements to AuthBy URL. Now supports CopyReplyItem
> > parameter. If a successful HTTP reply contains a string like
> > 'xxx=hexencodedvalue' the value will be copied to the RADIUS
> > reply as attribute yyy=value. The value is expected to be HEX
> > encoded and will be HEX decoded before adding to the reply.
> >
> > Fixed a problem where some SQL modules were not being correctly
> > initialised, which was revealed when the new SQLRetries was
> > added. Reported by Steffen Weinreich.
> >
> > Further improvements to AuthBy URL. Now supports CopyRequestItem
> > parameter. Adds a tagged item to the HTTP request. Format is
> > CopyRequestItem xxx yyy. The text of yyy (which may contain
> > special characters) will be added to the HTTP request with the
> > tag xxx. In the special case where yyy is not defined, the value
> > of attribute named xxx will be copied from the incoming RADIUS
> > request and added to the HTTP request as the tagged item yyy. All
> > values are HEX encoded before adding to the HTTP
> > request. Multiple CopyRequestItem parameters are permitted, one
> > per line.
> >
> > Improvements to AuthBy SQLTOTP to implement replay
> > detection. This has required an additional column in the sample
> > SQL database schema, and changes to the default AuthSelect and
> > UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
> >
> > Testing with the Mera MVTS Pro Voip gateway. OK. Added
> > mera-mvts.txt. This document briefly outlines the requirements
> > for interfacing Radiator with Mera MVTS Pro VOIP gateways, along
> > with examples of the types of requests and replies Radiator can
> > be expected to handle when interfacing with MVTS Pro.
> >
> > Added new command line argument -min_interval to restartWrapper,
> > which controls the minimum time interval between successive
> > restarts. Contributed by David Zych.
> >
> > Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH
> > soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP),
> > and Google Authenticator (HOTP and TOTP). External testing with
> > Feitian C200 OTP Tokens and others. All OK.
> >
> > Added a number of Juniper attributes to dictionary.
> >
> > Monitor and Server HTTP now support AddToRequest to add
> > attributes to the internal RADIUS request they generate when
> > authenticating administrator logins to their respective
> > interfaces. They also dump these requests when Trace 4 is
> > enabled.
> >
> > Server TACACSPLUS now supports a new parameter
> > AuthorizeGroupAttr. If this parameter is specified, it specifies
> > the name of an attribute in Access-Accept that will contain
> > per-command authorization patterns for authorising TACACS+
> > commands. These are processed before any configured-in
> > AuthorizeGroup parameters. The command authorization patterns are
> > in the same format as supported by AuthorizeGroup. Added a new
> > VSA to dictionary OSC-Authorize-Group, which is intended to carry
> > per-user reply command authorization patterns.
> >
> > Improvements to Radiator linux startup script so you can have
> > multiple scripts in /etc/init.d/ with different names, and which
> > lookup different parameters in /etc/sysconfig. For example, you
> > can install the script as /etc/init.d/radiator and
> > /etc/init.d/radiator-acct, and it will look up parameters in
> > /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further
> > improvement is to always use -p RADIUS_PIDFILE to killproc the
> > process, rather than the process name.
> >
> > Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
> >
> > Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary,
> > including OLT-TL1-* and added VALUE definitions for some other
> > A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have
> > adopted A-ESAM to be compatible with previously existing
> > definitions.
> >
> > Fixed a problem where EAP-MD5 authentications did not honour
> > UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".
> >
> > Fixed a problem where EAP-MD5 authentication by AuthBy LSA
> > mysteriously failed. Refactoring of EAP_4 check_chap() to
> > AuthGeneric, and thence to AuthLSA. Reported by "Sami
> > Keski-Kasari".
> >
> > Fixed a problem which could cause crashes in
> > Socket6::inet_ntop. Reported by James Harton.
> >
> > Testing on MacOS X 10.6.5. OK.
> >
> > Added lookupauthgroup.pl Sample PostSearchHook for AuthBy LDAP2,
> > which finds user group(s) through an LDAP lookup, then finds
> > corresponding check and reply attributes in SQL, based on the
> > user group(s) for that user and the device groups of the
> > RADIUS/TACACS+ client. This allows you to add very fine
> > grained authentication/authorisation in an LDAP/SQL environment,
> > based on user and device group membership.
> >
> > Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR,
> > to fix possible session shutdown problems with some TACACS+
> > clients.
> >
> > Fixed incorrect sequence numbers in some TACACS+ packets sent by
> > goodies/tacasplustest and that affected interoperation with
> > tac_plus. Fixed issues with TACACS+ version numbers that affected
> > interoperation with tac_plus.
> >
> > Added new parameter SingleSession to Server TACACSPLUS which can
> > be set to 0 to disable the default behaviour which tries to keep
> > the same TCP session for all requests. Setting SingleSession to 0
> > forces a TCP disconnect after every authentication, authorisation
> > and accounting session. Some TACACS+ clients need this in order
> > to operate correctly.
> >
> > Improvements to AuthBy SQLTOTP so that tokens whose time drifts
> > into the future can be authenticated. Patch supplied by Steffen
> > Weinreich.
> >
> > Decoupled AuthGeneric userIsInGroup from getUserGroups so
> > subclasses can implement their own group finding.
> >
> > Added new optional parameters GroupSearchFilter GroupBaseDN
> > GroupNameCN to specify an LDAP search which will be used to get
> > the names of groups this user is a member of. Used to check Group
> > check items. Updated sample lookupauthgroup.pl to use the new
> > group search function in AuthBy LDAP2
> >
> > AuthBy LSA now honours UsernameMatchesWithoutRealm correctly for
> > users and groups. Reported by "Sami Keski-Kasari"
> > and "Johnson, Neil M".
> >
> > In AuthBy SQL, the optional GroupMembershipQuery now has the
> > groupname available as the second bound variable.
> >
> > Improvements to Server TACACSPLUS so that it honours the
> > TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a
> > single session will only be maintained if the Server TACACSPLUS
> > SingleSession parameter is set _and_ the client indicates a
> > willingness to support single sessions with the
> > TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled
> > regardless of client options by setting the SingleSession flag to
> > 0 (defaults to 1)
> >
> > Improvements to goodies/tacacsplustest now correctly sets the
> > TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command
> > line parameter is given. It now closes the connection at the end
> > of each session unless the -single flag is set and the server
> > indicates a willingness to support single connections with the
> > TAC_PLUS_SINGLE_CONNECT_FLAG.
> >
> > Fixed a problem where malformed WiMAX attributes could cause a
> > crash. Reported by Mark Sergeant.
> >
> > Further fixes to Server TACACSPLUS: If SingleSession is set, some
> > Cisco TACACS+ clients will close an authentication session after
> > the first reply. This is a bug in the client. As a workaround,
> > ServerTACACSPLUS.pm now never sets the
> > TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki
> > Tuomi.
> >
> > Fixed a typo in linux-radiator.init that prevented traceup and
> > tracedown working properly on RHEL5.
> >
> > Added LOG_WARNING log message if a Tacacs+ request is received by
> > Server TACACSPLUS for which no Client could be found.
> >
> > Improvements to Server TACACSPLUS so expired authentications
> > result in ERROR instead of FAIL. Tacacs authorisations are now
> > bound to both the username and the peer address, so user can have
> > different authorisations on each device.
> >
> > Added peer address to a number of warning and info messages
> > produced by Server TACACSPLUS for easier diagnosis.
> >
> > Updated Monitor HELP command documentation to include
> > TRACE_PREDICATE.
> >
> > Fixed problems with linux-radiator.init traceup and tracedown on
> > RHEL5.
> >
> > Improvements to Server TACACSPLUS: Fixed a problem with the new
> > AuthorizeGroupAttr that caused authorisation patterns to not be
> > reset properly. Server TACACSPLUS now updates the global packet
> > counts for each Tacacs+ request received. Database failures that
> > IGNORE now cause a Tacacs *_STATUS_ERROR reply.
> >
> > Added goodies/cisco-vpn.txt a short description on how to
> > configure Cisco VPN 3000 Concentrator VPN groups, and the
> > limitations thereof.
> >
> > Fixed a case where Radiator would crash when certain local
> > devices tried to connect to a tacacs port.
> >
> > Added example rule to goodies/tacacsplusserver.cfg showing how to
> > use optional tacacs roles, including multiple optional roles.
> >
> > Added new parameter UnbindAfterServerChecksPassword to AuthBy
> > LDAP2, which works around problems with some LDAP
> > servers. Normally, when ServerChecksPassword is set, after
> > Radiator checks a users password the LDAP connection is not
> > unbound. This can cause problems with some LDAP servers (notably
> > Oracle ID and Novell eDirectory), where they unexpectedly cause
> > the following LDAP query to fail with
> > LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after
> > each ServerChecksPassword bind.
> >
> > Added support for new -I command line flag to radiusd, which adds
> > an include directory to the module search path. Patch by Heikki
> > Vatiainen.
> >
> > In SqlDb::do(), Sql connections now detect PostgreSQL duplicate
> > key violations, which are now not a cause for disconnect. Added
> > similar tests to SqlDb::prepareAndExecute().
> >
> > Sample RAdmin configuration file that shows how to record Tacacs+
> > commands to the Radmin RADCOMMANDAUDIT table for auditing, and
> > viewing (RAdmin 1.14 plus latest patches required)
> >
> > The ServerRADIUS clause now supports AddToRequest, which makes it
> > easy to tag requests that arrive by RADIUS to distinguish them from
> > those arriving by TACACS+ or Diameter.
> >
> > Server HTTP log messages are now escaped so that HTML characters
> > in the log do not cause display errors. Patch provided by Adam
> > Bishop.
> >
> > Fixed a problem in Auth LDAP2 that could cause a crash if
> > ServerChecksPassword and UnbindAfterServerChecksPassword are
> > enabled, and certain LDAP errors occur during the
> > ServerChecksPassword bind.
> >
> > Fixed spelling mistake in VENDORATTR Timetra-Home-Directory,
> > Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS
> > Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400
> > switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR
> > SAM-Security-Group-Name .
> >
> > Improvements to IPV6 handling so the absence of Socket6 causes a
> > warning message instead of an exit.
> >
> > Added a number of FreeSwitch accounting VSAs to dictionary. Added
> > a brief discussion paper about how to integrate FreeSwitch with
> > Radiator. FreeSWITCH is a powerful and versatile telephony
> > platform that can scale from a softphone to a PBX and even to a
> > carrier-class softswitch.
> >
> > Log SYSLOG and AuthLog SYSLOG now support special characters in
> > LogIdent, LogOpt and LogHost.
> >
> > TLS Streams, such as used with Radsec did not correctly verify
> > certificates for 'hostname' if the Host address was specified in
> > Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
> >
> > Fixed an issue where truncated EAP-Message requests would cause a
> > log message like "Could not load EAP module Radius::EAP_"
> > ..... This is now logged as invalid EAP type in EAP request and
> > rejected. Reported by Daniel Rocha.
> >
> > Server TACACSPLUS now honours reply attributes correctly for
> > ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
> >
> > Testing with XAMPP on
> > Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
> > is an excellent, easy to install bundle of useful tools such as
> > Apache, MySQL, Perl etc for Windows. It is also a good base for
> > installing Radiator on Windows, especially if you wish to use
> > Radiator with RAdmin or a MySQL database. Updated installation
> > documentation to include XAMPP on Windows.
> >
> > Added support for Novell eDirectory NMAS (Novell Modular
> > Authentication System) to AuthBy LDAP2. NMAS allows Novell
> > eDirectory to support and authenticate passwords using the Vasco
> > Digipass NMAS method, and other third party token and non-token
> > systems. Vasco Response-Only (RO) tokens are only supported since
> > NMAS does not currently support challenge-response via
> > RADIUS. Sample configuration file included.
> >
> > Ldap classes now support the "ipv6:" prefix for Ldap server Host
> > names. If Host begins with "ipv6:" the subsequent host name(s)
> > will be interpreted as IPV6 addresses where possible, and
> > Net::LDAP will use INET6 to connect to the LDAP server.
> >
> > In AddressAllocator SQL, the default AllocateQuery was changed to
> > check the STATE during the allocation to catch certain race
> > conditions.
> >
> > With all Ldap clauses, removed the default BindAddress of
> > 0.0.0.0. This was unnecessary and interferes in a non-obvious way
> > with attempts to use ipv6: in the Host. Reported by Dyonisius
> > Visser.
> >
> > Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
> > RFC4669 - RADIUS Authentication Server MIB for IPv6
> > RFC4671 - RADIUS Accounting Server MIB for IPv6
> > The RFC are included in distribution.
> >
> > Improvements to EAP handling to support multiple desired EAP
> > types in EAP NAK response, per RFC 3748.
> >
> > Fixed incorrect error message that referred to
> > ServerHTTP. Reported by Karl Gaissmaier.
> >
> > Added support for PacketTrace to Server TACACSPLUS, Server
> > DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
> >
> > Fixed a problem where attributes of type ipv6prefix (such as
> > Framed-IPv6-Prefix) would not be decoded correctly if they had
> > fewer than 16 octets. Reported by Lee, Larry KT.
> >
> > Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even
> > if the Called-Station-Id has the SSID of the AP appended as
> > described in http://tools.ietf.org/html/rfc3580#section-3.20
> >
> > Added example perl script rpt.pl which logs packets which match a
> > regexp. Contributed by Bart Dumon.
> >
> > Fixed a problem when using AuthBy RADIUS with Synchronous and
> > Fork that if the secrets don't match (resulting in "Bad
> > authenticator received in reply to ID 1. Reply is ignored"), this
> > creates forked processes that never terminate and have to be
> > manually force-killed. Reported by David Zych.
> >
> > Fixed a number of innocuous warnings when radiusd is run with
> > perl -w.
> >
> > Added usage documentation for author_args in tacacsplustest.
> >
> > In AuthSQL, GroupMembershipQuery is now not passed any bind
> > variables. If you wish to use bind variables with
> > GroupMembershipQuery, use the new GroupMembershipQueryParam.
> >
> > Fixed a problem with Server HTTP where some versions of Firefox
> > would hang when trying to access localhost:9048. Also fixed some
> > innocuous warnings when run with the -w flag.
> >
> > Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some
> > cases with some versions of Sys::Syslog, the loghost was not set
> > correctly. Reported by Klara Mall.
> >
> > radiusd now unlinks PidFile during an orderly shutdown. Suggested
> > by Klara Mall to prevent startup scripts being confused by stale
> > PID files.
> >
> > Improvements to AddressAllocator SQL: If CheckPoolQuery is set to
> > an empty string, no pool checking will be done at startup. If
> > AddAddressQuery is set to an empty string, addresses will not be
> > automatically added to the pool.
> >
> > Testing against RadiusGINA, a Windows RADIUS login authenticator
> > from LSE http://lsexperts.de/. Works well, and easy to install.
> >
> > Fixed a problem in TLS Stream based protocols (such as AuthBy
> > RADSEC, AuthBy DNSROAM etc), where ConnectOnDemand would not work
> > correctly in the case where a TLS connection was being
> > established and failed. Reported by Stefan Winter.
> >
> > Added goodies/radiusgina.txt, a Brief introduction to RadiusGINA,
> > a Windows RADIUS login authenticator from LSE http://lsexperts.de
> >
> > --
> > Mike McCauley [email protected]
> > Open System Consultants Pty. Ltd
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > http://www.open.com.au Phone +61 7 5598-7474 Fax
> > +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare
> > etc.
> > _______________________________________________
> > radiator mailing list
> > [email protected]
> > http://www.open.com.au/mailman/listinfo/radiator

--
Mike McCauley [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070
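
The two AuthBy SQLTOTP entries in the quoted release notes (replay detection that needs an extra stored column, and accepting tokens whose clock has drifted into the future) can be illustrated with a small RFC 6238 verifier. This is an added example, not Radiator's code and not part of the original message; the names TotpVerifier, drift_steps and last_step are this example's own, and last_step stands in for the extra per-user database column.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_step(now: float, step: int = 30, origin: int = 0) -> int:
    """RFC 6238 time counter: whole steps elapsed since the origin."""
    return int((now - origin) // step)


class TotpVerifier:
    """Checks TOTP codes with a drift window and replay detection.

    last_step is the highest time step already accepted for this user.
    In a SQL-backed deployment it would be read from and written back
    to a per-user column (assumption of this example).
    """

    def __init__(self, secret: bytes, step: int = 30, origin: int = 0,
                 drift_steps: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.origin = origin
        self.drift_steps = drift_steps
        self.digits = digits
        self.last_step = None

    def verify(self, code: str, now: float) -> bool:
        # Reject anything that is not an ASCII digit string of the right size.
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = time_step(now, self.step, self.origin)
        # Look both behind (slow token) and ahead (token clock in the future).
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = current + delta
            # Replay detection: a step at or before the last accepted one
            # is never valid again, even if the code matches.
            if self.last_step is not None and candidate <= self.last_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


# Constructed sample input: the shared secret from the RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"
```

Once a code from a future step has been accepted, codes from earlier steps inside the window are refused, which is why the last accepted step has to be persisted per user.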
