Hi Mikey - Thanks!
Tested fine on Mac OS X 10.7.4. I've also copied it up to the DEV box at NBNCo and it runs fine after installing Digest-SHA-5.71.

cheers

Hugh

On 28 Jun 2012, at 12:04, Mike McCauley wrote:

> We are pleased to announce the release of Radiator version 4.10
>
> This version contains some new features and minor bug fixes. The prerequisites now require Digest::SHA
>
> As usual, the new version is available to current licensees from:
> http://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> http://www.open.com.au/radiator/demo-downloads
>
> Licensees with expired access contracts can renew at:
> http://www.open.com.au/renewal.php
>
> An extract from the history file http://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
>
> Revision 4.10 (2012-06-28) Some significant new features. Bug fixes.
>
> Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in eg Eduroam and other environments. Requires that the Radiator user database has access to the correct plaintext password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is included.
>
> Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
>
> Added Tropos and Fortinet VSAs to dictionary.
>
> Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into multiple attributes.
>
> Removed use of 'use timelocal' from radiusd and radpwtst, code now uses Time::Local instead.
>
> Removed use of 'use newgotopt', all code now uses Getopt::Long instead.
>
> Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter specifies whether the password needs to be url-encoded or not. Options are "Clear", "Encode". Contributed by Matthew Van Kuyk.
>
> Added Nokia Siemens Networks (NSN) VSAs to dictionary.
>
> Added support to radpwtst for new command line argument -alive to send Accounting-Alive requests. Alive is not sent by default if accounting is enabled.
>
> Fixed an error in the RPM build control file Radiator.spec, which would cause /usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
>
> Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple differing module logging configurations do not confuse Sys::Syslog.
>
> Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
>
> Improvements to AuthBy WIMAX, which now uses latest WiMAX TLV attribute definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX now uses latest WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and honours the -capability command line argument where you can specify an alternate WiMAX-Capability.
>
> Removed use of 'use newgotopt' from builddbm, buildsql, tacacsplustest, diapwtst, restartwrappert. Code now uses Getopt::Long instead.
>
> Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL 0.9.8m and later, this optional parameter enables legacy insecure renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.
>
> Updated ACME VSAs in dictionary to add many missing VSAs and to adopt attribute naming consistent with other RADIUS servers.
>
> Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
>
> Added support for EAP expanded types per RFC 3748. EAPType parameter can now be specified as an EAP type number, EAP extended vendornumber:typenumber or as a traditional well-known EAP type name eg: EAPType TTLS, MSCHAP-V2, 16776957:4244372217 where 16776957 is the expanded vendor number and 4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9, the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included module and config to support testing against wpa_supplicant VENDOR-TEST expanded type.
>
> Fixed a possible problem in Stream connections where connection failures may not be detected correctly.
>
> Improvements to EAP-MSCHAPV2 handling in the case where the underlying database has a database access problem, causing an IGNORE.
>
> Testing with RSA Authentication Manager 7.1 SP4. No changes required.
>
> Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2 Assertions for an (already authenticated) user from an Identity Provider (IdP) and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is beta code and not yet widely tested. Feedback requested. Currently only sends ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing of requests and Verifying of responses is not yet proven to work correctly.
>
> EAP-MSCHAPV2 now honours AuthenticateAttribute.
>
> New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32 and 64 bit.
>
> Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if Radiator gets an error or a timeout from a database connection it will try to reconnect to the database, starting with the first DBSource, and trying them all in order until a successful reconnection. This flag forces the search to start at the database following the current DBSource (if there is one). This can help with some types of overloaded database that can be connected but then timeout when a query is sent.
>
> Context is stored in $p->{EAPContext} for all EAP requests.
>
> Fixed a problem where HUPping an evaluation version would result in messages like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
>
> Added support for new parameter RequireMessageAuthenticator in Client clauses. Normally, Client clause checks the value of any Message-Authenticator attribute (if present) in incoming requests (EAP or otherwise), and an incorrect authenticator causes the request to be IGNOREd. The optional RequireMessageAuthenticator flag causes this Client to require a (correct) Message-Authenticator attribute to be present in all incoming requests.
>
> ServerHTTP now registers itself with Configurable.
>
> Additional information in error logs from various TLS operations. Patch from "Bjoern A. Zeeb". Thanks Bjoern.
>
> ClientList LDAP now supports file in PreHandlerHook and ClientHook.
>
> Fixed a problem with SessionDatabase SQL which could cause a crash if the query contains %{Quote:...}. Patched by Eddie Stassen. Thanks.
>
> Added VENDOR Ericsson 193 VSAs to dictionary.
>
> Log FILE now supports %0 (priority) and %1 (log message) as special characters in Filename parameter. AuthLog FILE now permits use of the '|' vertical bar leading character in Filename to permit piping to an external program.
>
> AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed flag parameter. If this is set then Net::LDAP will try all addresses for a multihomed LDAP host until one is successful. Default is true (set).
>
> Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compatibility with some Oracle clients in the group checks. Reported by Emanuel Freitas.
>
> Added VENDOR Adva 2544 VSAs to dictionary.
>
> Added VENDOR Siemens 4329 VSAs to dictionary.
>
> Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the standard Diameter dictionary
>
> Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes that are converted to Diameter Grouped attributes being parsed correctly.
>
> For all TLS related operations, improved error logging if SSLeay::new fails.
>
> Added StripFromReply and AllowInReply to the parameters permitted in AuthBy DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
>
> Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary
>
> Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh Irvine.
>
> Added new module AuthBy RATELIMIT which can be used to limit the maximum number of requests per second to be served. If more than this number of requests are received in any second, they will be IGNOREd.
>
> Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by Adam Thompson
>
> Server TACACSPLUS now honours DefaultRealm from the Client clause that matches the incoming request. If defined in the Client clause, it will override any DefaultClient defined in the Server TACACSPLUS clause.
>
> Global SocketQueueLength was not honoured when creating RADIUS server ports.
>
> Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
>
> Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6 and RHEL6)
>
> All TLS context configuration parameters, such as EAPTLS_CertificateFile now honour special characters (such as %K etc) from the EAP identity request.
>
> AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0 (none) instead of 1 (session-based).
>
> All EAP authentications now log at DEBUG level the elapsed time of the entire conversation (since the EAP identity) in seconds (and microseconds if Time::HiRes is available).
>
> If a Client address cannot be resolved, the log message now includes the exact address that was not able to be resolved.
>
> Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version 1.11.
>
> Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if AuthBySelectParam was defined.
>
> Removed incorrect -authen_args from help in tacacsplustest.
>
> Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is honoured even if the EAP-GTC client sends the 'RESPONSE=identity\0password' form of EAP-GTC response.
>
> Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
>
> RFC 2621 was inadvertently omitted from the distribution.
>
> Added support for new configuration parameter. PacketDumpOmitAttributes specifies a comma separated list of RADIUS attribute names which will be omitted from RADIUS packet dumps in logs.
>
> ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP clauses. Reported by Albesiano Alberto.
>
> Improved parsing of hooks and display of hooks by ServerHTTP. Reported by Albesiano Alberto.
>
> AddToReply and AddToReplyIfNotExist, when used in Handlers and Clients, would incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL did not correctly honour AddToReply for Access-Accept and Access-Reject. Reported by Albesiano Alberto.
>
> RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the distribution. In accordance with RFC 6614, the default shared secret for RadSec has been changed to 'radsec', UseTLS is enabled by default, and TLS_RequireClientCert is enabled in Server RADSEC by default.
>
> Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
>
> Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor, per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc'
>
> Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor to support attributes like: WiMAX-Packet-Flow-Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN" Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA tlvs to dictionary, to support attributes like: Alvarion-DHCP-Option="Ref-R3-IF-Name=interface1,DHCP-Option-Container=container1" Alvarion-R3-IF-Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6 Per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc'.
>
> Fix to Fidelio interface so that LA messages are not queued unless there is a current connection.
>
> Fixed a problem where the LDAP group search did not correctly specify the attributes to fetch, and therefore _all_ attributes were fetched, affecting performance. Reported by Ben Carbery.
>
> Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If CheckSecretId is set, then check that the secretId fetched from the database matches the secretId encoded in the submitted Yubikey OTP. This increases the security of the Yubikey OTP and is recommended best practice. Also improved the documentation for configuring yubikey.cfg and provided a better sample database for use with yubikey.cfg
>
> Fixed a problem with EAP-FAST that prevented anonymous provisioning in some circumstances where the client asks for several ciphersuites. Reported by Sudhir.Harwalkar.
>
> Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy ACE which issue AccessChallenge to get additional data from the user. Radiator was sending the challenge as GETPASS rather than GETDATA and wasn't getting the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco ASA 5510 firewall. Reported and patched by Richard Fairhall.
>
> Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl 5.14 x86 and x64 packages. Also updated the prebuilt packages at http://www.open.com.au/radiator/free-downlaods to include versions for Perl 5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-Lsa.tar.gz
>
> Fixed a problem where AuthBy LDAP2 would incorrectly log "DEBUG: No entries for mikem found in LDAP database" if MaxRecords was set larger than the actual number of LDAP records retrieved.
>
> Improvements to SQL logging show the name of the database at DEBUG level when connection attempts are made. Also prepareAndExecute and do functions log the database name at DEBUG level. Requested by Philip Herbert.
>
> Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
>
> Added VSAs for Ruckus Wireless to dictionary.
>
> AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem that prevented the error being correctly printed if ntlm_auth crashed or exited.
>
> Removed use of Digest::SHA1, replaced with Digest::SHA, which is now included with all perls. Digest::SHA is now an absolute prerequisite.
>
> Added sample config platypus7.cfg for recent Platypus 7 database.
>
> For EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2, EAP-FAST, inner packets are now logged at DEBUG level _after_ the PreHandlerHook (if any) is run, so that attributes added by the hook will be visible.
>
> Fixed a problem where Client DupInterval 0 sometimes did not act as expected, causing a leak in EAP contexts.
>
> Improved logging so that AuthBy ACE prompts are not broken up with newlines in logs. Requested by Richard Fairhall.
>
> Fixed a problem in TACACS+ which prevented AuthBy ACE new pin mode and other challenges from working correctly. Patch provided by Richard Fairhall.
>
> Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the maximum time in seconds that a RadSec connection can be idle before a Status-Server request is sent to keep the TCP connection alive. This helps to keep TCP connections open in the face of "smart" firewalls that might try to close idle connections down. Defaults to 0 seconds, which means inactive.
>
> Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the old-fashioned way, with the CHAP Challenge in the authenticator, and not in a separate CHAP-Challenge attribute.
>
> Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org
>
> Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
>
> Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
>
> Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is enabled, use only Status-Server requests (if any) to determine that a target server is failed when there is no reply. If not enabled (the default) use no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable this, you should also ensure KeepaliveTimeout is set to a sensible interval to balance between detecting failures early and loading the target server. KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can be idle before a Status-Server request is sent to keep the connection alive. Defaults to 0 seconds.
>
> --
> Mike McCauley [email protected]
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

--
Hugh Irvine [email protected]
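The RequireMessageAuthenticator item in the quoted 4.10 history describes a Client-clause policy with two parts: verify any Message-Authenticator that is present and IGNORE the request if it is wrong, and, with the flag set, IGNORE requests that carry none at all. The Python below is an added illustration of that policy, not code from Radiator or from either poster. It builds a minimal Access-Request, signs it the way RFC 2869 section 5.14 specifies (HMAC-MD5 keyed with the shared secret over the whole packet with the Message-Authenticator value zeroed), and then applies the check in both modes. The shared secret, Request Authenticator and attribute values are constructed sample data; attribute type 80 for Message-Authenticator is the standard assignment.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type
CODE_ACCESS_REQUEST = 1
HEADER_LEN = 20             # code(1) id(1) length(2) authenticator(16)

# Constructed sample values (not real credentials); a real Request
# Authenticator is 16 random bytes per RFC 2865.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
SAMPLE_ATTRS = [(1, b"alice"), (4, bytes([192, 0, 2, 10]))]  # User-Name, NAS-IP-Address


def build_packet(code, identifier, authenticator, attrs):
    """Serialize a RADIUS packet: 20-byte header followed by type/length/value attributes."""
    body = b"".join(struct.pack("!BB", atype, len(value) + 2) + value for atype, value in attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return (offset, type, value) for every attribute, rejecting malformed lengths."""
    attrs = []
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def compute_message_authenticator(packet, secret, offset):
    """HMAC-MD5 over the packet with the 16-byte MA value at `offset` zeroed (RFC 2869 s5.14)."""
    zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def add_message_authenticator(code, identifier, authenticator, attrs, secret):
    """Append a Message-Authenticator attribute and fill in its correct value."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    packet = build_packet(code, identifier, authenticator, attrs)
    offset = [o for o, t, _ in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR][-1]
    mac = compute_message_authenticator(packet, secret, offset)
    return packet[:offset + 2] + mac + packet[offset + 18:]


def check_client(packet, secret, require=False):
    """Apply the Client-clause policy: 'PROCEED' or 'IGNORE'.

    A present-but-wrong Message-Authenticator is always IGNOREd; an absent one is
    IGNOREd only when `require` (RequireMessageAuthenticator) is set.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "IGNORE"
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return "IGNORE"
    found = [(o, v) for o, t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "IGNORE" if require else "PROCEED"
    offset, value = found[0]
    if len(value) != 16:
        return "IGNORE"
    expected = compute_message_authenticator(packet, secret, offset)
    # Constant-time comparison so verification timing does not leak the HMAC.
    return "PROCEED" if hmac.compare_digest(expected, value) else "IGNORE"


def demo():
    """Run the check over a signed, a tampered and an unsigned sample request."""
    signed = add_message_authenticator(CODE_ACCESS_REQUEST, 7, REQUEST_AUTHENTICATOR, SAMPLE_ATTRS, SECRET)
    unsigned = build_packet(CODE_ACCESS_REQUEST, 7, REQUEST_AUTHENTICATOR, SAMPLE_ATTRS)
    tampered = bytearray(signed)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one byte inside User-Name after signing
    return {
        "signed": check_client(signed, SECRET),
        "tampered": check_client(bytes(tampered), SECRET),
        "wrong_secret": check_client(signed, b"some-other-secret"),
        "absent_optional": check_client(unsigned, SECRET),
        "absent_required": check_client(unsigned, SECRET, require=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

The two failure modes the history entry distinguishes show up as separate cases: a forged or modified packet fails the HMAC comparison regardless of the flag, while a packet that simply omits the attribute passes the default check and is only IGNOREd once the require flag is on.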
