We are pleased to announce the release of Radiator version 4.9. This version contains some new features and minor bug fixes.
As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/
and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads
Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php

An extract from the history file http://www.open.com.au/radiator/history.html is below:

- Fixed an issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted as UDP RADIUS (for historical reasons). It is now interpreted as TCP RADSEC. Reported by Stefan Winter.
- Added commands to the sample startup script linux-radiator.init that work for Debian. Submitted by "Michael".
- Improvements to AuthBy FIDELIO: During a SIGHUP, AuthBy FIDELIO now sends a LE and closes the TCP connection before reopening the connection. This should result in better database reading behaviour during SIGHUP. AuthBy FIDELIO now sends periodic LA commands to the Fidelio to check the integrity of the link. Suggestions by Ralf Ertzinger.
- Fixed a further issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted. Reported by Paul Dekkers.
- Improvements to AuthBy DNSROAM so that routes for different realms that are discovered to be to the same proxy server will reuse the existing server. Suggested by Stefan Winter.
- goodies/fideliosim.pl now prints the main details of PS posting records it receives.
- New module AuthBy FIDELIOHOTSPOT, which provides hotel guest authentication by Fidelio, and prepaid session times billed to the user's room by Fidelio. Supports various hotspots such as Mikrotik and Open-Mesh etc. Replaces goodies/fidelio-hotspot-hook.pl as the preferred method of providing prepaid sessions billed to room by Fidelio.
- Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after a message from Fidelio has been unpacked into a hash and before the record is passed to handle_message(). It can be used to change or transform any fields in the record before it is passed to handle_message() and processed by AuthFIDELIO.
- Improvements so that if the example Radiator init script for Linux is invoked as a symlink (eg /etc/rc2.d/S90radiator -> ../init.d/radiator), it still deduces the correct program name (radiator) and hence sources the correct sysconfig file (/etc/sysconfig/radiator).
- Fixed a problem where Realm clauses inside AuthBy DNSROAM did not recognise the Secret parameter. Reported by Paul Dekkers.
- Added negative caching to Resolver, with new parameter NegativeCacheTtl.
- Added new parameter RedespatchIfNoTarget to AuthBy DNSROAM. For a given request, if Resolver does not find a target, there is no explicit Route and no DEFAULT Route, and this flag is set, the request will be redespatched to the Handler/Realm system for handling. This allows for a flexible fallback in the case where DNSROAM cannot find how to route a request. The redespatched request will have the attribute OSC-Environment-Identifier set to the AuthBy DNSROAM Identifier (or 'DNSROAM' if Identifier is not set).
- Fixed problems with the Authen-Digipass PPM packages for Windows missing important files.
- Fixed an issue with AuthBy RADSEC, where failure to deliver a message could cause continuous attempts to reconnect, even if ConnectOnDemand is set.
- Fixed an issue with Stream based connections, where ConnectOnDemand and an unresponsive server could cause Radiator to hang. Reported by Paul Dekkers.
- Added a workaround for a bug in some versions of perl 5.12.1 (such as in openSUSE 11.3) that caused incorrect packing of some RADIUS requests.
- Improvements to Server TACACSPLUS so that RADIUS STATE is saved in the connection rather than the context. Patch provided by Nicholas Waples.
- Reversed a previous change in 4.8: Server TACACSPLUS expired authentication now results in FAIL instead of ERROR. The change in 4.8 was to result in ERROR, which causes some devices to then revert to the local authorisations.
- Added a number of attributes from RFC 5090 to dictionary, which override a number of attributes that were previously commandeered by Ascend. The Ascend ones are still available in ascend.dictionary.
- Fixed a typo in dictionary: Ascend-Call-Attempt-Limit was Agscend-Call-Attempt-Limit.
- Fixed a problem in linux-radiator.init which prevented traceup working on SuSE. Reported by Aeneas Jaißle.
- Improvements to ClientListSQL to support DisconnectAfterQuery, which will cause disconnection from the SQL database after each query. This can be helpful in cases where firewalls etc close connections that have been idle for a long time.
- Added sha.pl and ssha.pl to goodies. Simple perl scripts to generate SHA and SSHA hashes of the first command line argument. Useful for generating SHA and SSHA hashed passwords in the form Radiator honours.
- Fixed a problem with the Radiator init script that prevented reload, traceup and tracedown working with some versions of SuSE.
- Added ipoque-class VSA for ipoque PRX Traffic Manager to dictionary. With the assistance of A.Sharaz.
- Improvements to the sample wimax.sql database schema to improve interoperation with Alvarion.
- All stream protocols that support TLS now support the optional TLS_CertificateFingerprint parameter. When a TLS peer presents a certificate, this optional parameter specifies one or more fingerprints, one of which must match the fingerprint of the peer certificate. Format: algorithm:fingerprint. Requires Net::SSLeay 1.37 or later.
- Improvements to AuthBy EAPBALANCE to permit operation with target RADIUS servers that rely on State, such as Windows IAS etc.
- Added Freeswitch-Direction and Freeswitch-Other-Leg-Id to dictionary.
- Added documentation and sample scripts for how to use Radiator and the AuthBy FIDELIO module to handle authentication and accounting for the Freeswitch VOIP switch (http://www.freeswitch.org). It can be used to authenticate and to bill VOIP calls to a Micros-Fidelio Opera Hotel Property Management System (http://www.micros.com).
- Added Riverbed-Local-User VSA to dictionary.
- Fixed a problem in AuthBy RADMIN where if the database connection fails once, message logging through AuthRADMIN will stop altogether, and along with that, the bad login counting. Reported and patched by Manuel Kasper.
- Added Aruba-MMS-User-Template to dictionary, fixed typo in Aruba-Port-Identifier.
- Added AH-HM-Admin-Group-Id.
- Added support for EAP AKA-PRIME. Requires version 1.32 of the Radius-EAP-SIM module.
- Added new clause AuthBy SQLAUTHBY, which looks up how to authenticate each user based on information in an SQL database. The columns retrieved from SQL are used to create an AuthBy clause that will actually handle the request. The parameters used to configure the clause come from SQL. The clause is reused for as long as the target realm yields the same SQL query results. The example works with the sample RADSQLAUTHBY table in mysqlCreate.sql.
- Added support for new parameter AuthChallengeKeyword to AuthBy URL. This parameter permits URL results that trigger a CHALLENGE reply for use with Challenge/Response systems. Contributed by Matthew Van Kuyk.
- Added new parameter DirectAddressLookup to Resolver. If DirectAddressLookup is enabled, and if there are no NAPTR records for the requested Realm, Resolver will attempt lookups of A and AAAA records for _radsec._sctp.REALM, _radsec._tcp.REALM and _radius._udp.REALM. Enabled by default. Requested by Paul Dekkers.
- Added sample hook pwaframedip.pl. This hook fixes a problem with Enterasys switches where Framed-IP-Address is not included in accounting packets, but the information is available via SNMP for Enterasys captive-portal (PWA) authentication. Contributed by Ben Carbery.
- In AuthBy RADMIN, it is now possible to disable IncrementBadloginsQuery and ClearBadloginsQuery by setting the query string to be empty.
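For the sha.pl and ssha.pl item above, here is an added example of the same idea in Python. It is not the goodies scripts themselves and not Radiator code; it assumes the LDAP-style encoding Radiator accepts for these hashes ({SHA} is base64 of the SHA-1 digest, {SSHA} is base64 of the digest followed by the salt) and also shows the matching verifier, which is the part worth getting right: the salt is recovered from the stored value, the comparison is constant-time, and an unrecognised scheme is rejected rather than compared as plaintext.

```python
"""Generate and verify {SHA} / {SSHA} password hashes.

Added example, not the goodies/sha.pl or goodies/ssha.pl scripts shipped
with Radiator.  Assumes the LDAP-style encoding Radiator honours:
  {SHA}  base64(sha1(password))
  {SSHA} base64(sha1(password + salt) + salt)
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def sha_hash(password: str) -> str:
    """Return an unsalted {SHA} hash of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted {SSHA} hash.  The salt is appended to the digest so a
    verifier can recover it; a random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(8)  # 8 random bytes per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a {SHA} or {SSHA} string.

    Unknown schemes are rejected rather than compared as plaintext, and the
    digest comparison is constant-time."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(expected, digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(expected, digest)
    return False


if __name__ == "__main__":
    import sys
    # Mirrors the goodies scripts: hash the first command line argument.
    pw = sys.argv[1] if len(sys.argv) > 1 else "example-password"  # constructed default
    print(sha_hash(pw))
    print(ssha_hash(pw))
```

Prefer the salted form for anything stored in a users file or SQL table: two users with the same password then get different {SSHA} strings, and a leaked table cannot be attacked with one precomputed SHA-1 lookup for all rows.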
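The TLS_CertificateFingerprint item above describes certificate pinning for RadSec and the other TLS streams. As an added illustration of what such a check has to do, not Radiator's own implementation, the Python below takes the page's algorithm:fingerprint format, assumes the fingerprint is written in hex (colon separators optional) and is computed over the DER-encoded certificate as OpenSSL's -fingerprint option does, and accepts the peer when any one of the configured pins matches. The certificate bytes are a constructed stand-in.

```python
"""Pin a TLS peer certificate to a list of fingerprints.

Added example, not Radiator's TLS_CertificateFingerprint code.  Assumes
pins of the form "algorithm:hex", e.g. "sha256:<64 hex characters>", with
the digest taken over the DER-encoded certificate.
"""
import hashlib
import hmac
from typing import Iterable, Tuple


def parse_pin(pin: str) -> Tuple[str, str]:
    """Split "algorithm:hex" into (algorithm, lowercase hex without colons)."""
    algorithm, _, digest = pin.partition(":")
    algorithm = algorithm.strip().lower()
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported fingerprint algorithm: %r" % algorithm)
    return algorithm, digest.replace(":", "").strip().lower()


def certificate_fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Hex digest of the DER certificate with the named hash algorithm."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def fingerprint_matches(cert_der: bytes, pins: Iterable[str]) -> bool:
    """Return True if any configured pin matches the presented certificate.

    Each pin is checked with its own algorithm, so a list mixing sha1 and
    sha256 pins works.  Comparison is constant-time, and an empty pin list
    matches nothing, so a misconfigured peer fails closed."""
    for pin in pins:
        algorithm, expected = parse_pin(pin)
        actual = certificate_fingerprint(cert_der, algorithm)
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real check would use the
    # bytes presented in the TLS handshake.
    cert = b"constructed-not-a-real-certificate"
    good = "sha256:" + certificate_fingerprint(cert, "sha256")
    stale = "sha1:" + "00" * 20  # a pin for some other certificate
    print(fingerprint_matches(cert, [stale, good]))  # True
```

Pinning complements rather than replaces chain validation: the fingerprint check should run after the normal certificate verification, and when a peer's certificate is renewed the new fingerprint has to be added to the list before the old certificate expires, or the stream stops connecting.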
- Server farm children now always reseed the random number generator so the children don't share the same seed.
- Improvements to the RPM spec file so RPM installs with recent 64 bit perls will work.
- Increased the default MaxBufferSize in streams to 10000000.
- Added support for passwords encrypted with $2a$, $2x$ and $2y$ blowfish crypt and $5$ SHA-256 crypt (where supported by the underlying crypt()). Improvements to support rounds= notation in SHA-256 and SHA-512 crypt.
- Ensure RecvTime is set in RADIUS requests derived from tunnelled EAP types.
- Changed the type of Framed-Interface-Id in dictionary to be ifid. You can now specify Framed-Interface-Id as strings in the format 'aaaa:bbbb:cccc:dddd', which is compatible with FreeRadius.
- Fixed an issue with TTLS and PEAP: when inner authentication is proxied, e.g. EAP-MSCHAP-V2 to MS NPS, NPS sends back State. If Radiator does not return State, proxying inner auth fails.
- Added more Nomadix VSAs to dictionary, contributed by Mike Newton.
- AuthBy EAPBALANCE and AuthBy HASHBALANCE now REJECT if an EAP stream has to be broken up, giving the client an immediate chance to restart.
- Changed the default protocol version for PEAP in EAPTLS_PEAPVersion from 1 to 0. This is in line with more recent documentation from Microsoft (which contradicts draft-josefsson-pppext-eap-tls-eap-0[35].txt), and it achieves better interoperability with Macs.
- Added more Aruba VSAs, contributed by Alan.
- EAP-FAST support now follows the recommendations for A_ID: it is now the 16 octet hash of the A_ID_INFO, which is set to the Radiator hostname.
- Updated instructions for building OpenSSL and Net::SSLeay for more recent versions of Net::SSLeay for use with EAP-FAST.
- Added sample script goodies/hex2base32.pl to help with entering HOTP and TOTP codes into Google Authenticator. Converts hex codes to base 32.
- Improvements to ClientList SQL to improve error detection.
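The server farm reseeding fix above is worth seeing rather than taking on trust, because nothing looks wrong in a single process. The added Python below (not Radiator code, and not Radius::Util::seed_random) forks a few children from a parent holding a seeded generator and collects the first value each child draws: without reseeding every child returns the same number, which for a RADIUS server would mean identical Request Authenticators, EAP challenges and session identifiers across the farm; with a reseed from os.urandom() after the fork they differ. It deliberately uses a private random.Random instance, since CPython's module-level generator has reseeded itself in the child after os.fork() since 3.7, which would hide the problem. It requires a Unix-like system with fork.

```python
"""Show why forked server-farm children must reseed their RNG.

Added example, not Radiator's Radius::Util::seed_random.  A private
random.Random instance is used because CPython's module-level generator
reseeds itself in the child after os.fork() (3.7+), which would hide the
shared-seed problem this demonstrates.
"""
import os
import random


def _read_all(fd: int) -> bytes:
    """Read from a pipe until the writing end is closed."""
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def child_draws(n_children: int, reseed: bool) -> list:
    """Fork n_children workers from a parent holding a seeded generator and
    return the first random value each child produces.

    With reseed=False every child inherits an identical copy of the
    parent's generator state, so they all draw the same "random" number.
    With reseed=True each child reseeds from os.urandom() first (what a
    seed_random call after forking achieves) and the draws differ."""
    parent_rng = random.Random(12345)  # constructed fixed seed in the parent
    draws = []
    for _ in range(n_children):
        rfd, wfd = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: draw one value, report it, exit
            os.close(rfd)
            if reseed:
                parent_rng.seed(os.urandom(16))
            value = parent_rng.getrandbits(64)
            os.write(wfd, str(value).encode("ascii"))
            os.close(wfd)
            os._exit(0)
        os.close(wfd)  # parent: collect the child's value
        draws.append(int(_read_all(rfd).decode("ascii")))
        os.close(rfd)
        os.waitpid(pid, 0)
    return draws


def seeds_are_shared(n_children: int = 3) -> bool:
    """True when un-reseeded children all produced the same value."""
    return len(set(child_draws(n_children, reseed=False))) == 1


def seeds_are_distinct(n_children: int = 3) -> bool:
    """True when reseeded children produced pairwise different values."""
    draws = child_draws(n_children, reseed=True)
    return len(set(draws)) == len(draws)


if __name__ == "__main__":
    print("without reseed, children share a seed:", seeds_are_shared())
    print("with reseed, children differ:", seeds_are_distinct())
```

The same applies to any library that keeps its own generator state in process memory, which is why a hook that overrides the seeding function should reseed every generator the server uses, not just Perl's rand().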
- Improvements to random number seeding: seeding is now done by a new function Radius::Util::seed_random. radiusd calls it at startup and after forking farm children. It can be overridden if necessary to provide local random number initialisation and seeding.

-- 
Mike McCauley [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
