We are pleased to announce that Radiator 2.13 is now available. 2.13 includes lots of new features and some bug fixes. Below is an extract from the history file. (If you think you have seen this before, look again, because there have been some additions since 2.13beta.)

Existing customers and current testers can download the new version from http://www.open.com.au/radiator/downloads/Radiator-2.13.tar.gz

From the history file:

Revision 2.13 (17/2/99) Lots of new features, some bug fixes.

Added SNMP Agent. Now supports SNMP V1 requests as per draft-ietf-radius-servmib-04.txt. That means that you can get various types of server statistics, and even reset the server using SNMP. You might want to use MRTG or similar for monitoring your server.

Added AuthBy RODOPI and example rodopi.cfg. Rodopi is quite a mature NT/MS-SQL based billing system with a Java/web GUI.

Added new configurable and subclassable logging modules: Log FILE, Log SYSLOG and Log SQL. You can now log to any and all places at the same time, plus easily add your own logging modules.

Simultaneous use check with finger for Portslave, Ascend, Shiva or Computone now defaults to using an internal perl finger client. You can still force it to use an external finger program by specifying FingerProg in the config file. The internal client improves portability to NT, and will improve performance, since it avoids the cost of starting an external program.

Rationalised reporting and logging of rejections: Auth*::handle_request now also returns a reason message, which can optionally be replied to the user with the new Handler keyword RejectHasReason. All AuthBy modules now do their logging through a virtual log() function in AuthGeneric, which allows you to override with your own AuthBy specific error logging function. Suggested by Andrea Campi ([EMAIL PROTECTED]). Thanks Andrea.

Added AuthTACACSPLUS to authenticate from Tacacs Plus server. Requires Authen::TacacsPlus module from CPAN.
We used the version in TacacsPlus-0.15.tar.gz. If it's not on CPAN, it's available from the author here.

Status-Server message now returns all server and per-client statistics.

AuthBy NT can now authenticate from an NT domain controller, even when Radiator is running on Unix. Requires the Authen::Smb package from CPAN.

Testing with Security Dynamics ACE/Server Radius (also known as SecurID). Their radius server is very limited, but Radiator can proxy to it fine, and handles the Access-Challenges that are used to set and change PINs etc.

Testing with Freeside, a free Unix based ISP billing package. Example freeside.cfg created.

Forgot to mention previously the addition of several hooks that allow you to get control with your own perl code during authentication: PreClientHook, PreHandlerHook and PreAuthHook, PostAuthHook.

Changed the default Framed-IP-Address in radpwtst.

Fixed problem with cached attributes that meant that when a username was rewritten, it was not actually changed in the packet, which made the detail file log incorrectly.

Added "delete session" link to radwho.cgi so that bogus sessions can be manually deleted.

Added AuthBy GROUP, which allows authentication clauses to be bundled and grouped to any depth. It's intended for experimenters and early adopters. It only understands AuthByPolicy, StripFromReply, AddToReply, DefaultReply so far. Feedback is solicited.

Fixed some bugs in radpwtst -gui mode that caused locked windows, false timeouts etc. Now works with Perl 5.005 and Tk800.011 on Unix. Still doesn't work on Win95 (looks like Tk file handlers are still not right on Win95).

Fixed problems with wtmp format on Linux that prevented who and last from working.

Created mysqlCreate.sql which correctly builds indexes for mysql. Added indexes to all SQL scripts in goodies.

Can now define AuthBy clauses at the top level, and refer to them and reuse them with the AuthBy parameter.
Good for reusing complicated SQL database definitions (and reducing the number of SQL licenses required). From a suggestion by Stephen Roderick ([EMAIL PROTECTED]). Thanks Steve.

Added support for binary data type in dictionaries. Especially for use in Proxy-State which can otherwise get trailing NULs stripped off.

radwho.cgi now shows the total number of users online, and optionally presents a hotlink to force a user off a NAS, by calling an external program you specify (not supplied).

Added NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS. From patches supplied by Vincent Gillet ([EMAIL PROTECTED]). Thanks Vincent.

Makefile.PL can now do installation on Win95 hosts. No need to use make any more on Win95 (many people don't have it).

Added LocalAddress to AuthRADIUS, which forces the proxy forwarding port to bind to a particular address. Defaults to the same as BindAddress. Useful for multi-homed hosts. Patch supplied by Lars Marowsky-Brée ([EMAIL PROTECTED]). Thanks Lars.

Improved performance of all Hooks by precompiling the code. From a suggestion by Lars Marowsky-Brée ([EMAIL PROTECTED]). Thanks Lars.

Improved robustness of the session databases in the face of lost stop packets. Now a stop packet will always remove any previous session that we thought was on that NAS/Port combination. This will make the session database "self-healing". Your existing DBM session database will have to be deleted: the database format for DBM is changed. The table format for the SQL session database is the same, but the indexes have changed: you should probably recreate them if you are using SQL. Also changed radwho.cgi to be compatible with new DBM database format.

Expiration now understands dates of the form dd/mm/yy(yy), since some SQL databases produce dates in that form.

Improved robustness of SQL connections, and reconnection during database outages. Prevent crashes when MS-SQL disconnects.
SQL does not use ping anymore, and will therefore work with DBD-ODBC 0.20 and MS-SQL. It's also faster.

Included Vincent Gillet's AddToReplyIfNotExist.patch to the goodies directory. This patch adds attributes to a reply _only_ if they don't already exist. Thanks Vincent.

Testing on Red Hat 5.2. No changes required.

Testing with Interbiller 98, a reasonable, inexpensive ISP billing package. goodies/interbiller.cfg created.

Added FramedGroup for all AuthBy clauses, similar in behaviour to Framed-Group, but applying to all requests accepted by an AuthBy clause. Contributed by Garry Shtern ([EMAIL PROTECTED]). Thanks Garry.

Testing on Rhapsody. OK, but building MD5 is non-standard. See the FAQ for details.

Fixed problem where accounting info would be stored twice if the Handler forked (such as AuthBy IPASS).

Fixed typo in AuthBy IPASS that prevented Acct-Session-Time being properly sent to IPASS.

Fixed a problem in SessSQL.pm, where if a session proved to be bogus, SessSQL tried to delete a different session. Reported by Andrea Campi ([EMAIL PROTECTED]). Thanks Andrea.

Added contribution from Todd A. Green ([EMAIL PROTECTED]): a new sorter in radwho.cgi that will sort by IP addresses and mixed Alpha-numeric NAS-Ports (eg for USR/3COM). Thanks Todd.

AuthBy UNIX now correctly uses the password file and group file when checking for primary group membership, instead of using getpwnam etc.

AuthBy PLATYPUS now honours AcctColumnDef. It allows you to log extra columns from Accounting Stops in the same way as AuthBy SQL. Suggested by Ricardo Freire ([EMAIL PROTECTED]). Thanks Ricardo.

Testing with DBI Proxy from Unix to NT. OK.

Added AcceptIfMissing parameter to AuthBy FILE and AuthBy DBFILE. It will automatically accept a user if they are not in the users file. If they are in the users file, it will accept them if and only if their check items pass in the usual way. Useful for applying additional checks on a subset of your user population.

Added FramedGroupMaxPortsPerClassC to Client, so you can compute Framed-IP-Address on a NAS with more than 255 ports.

AuthBy SQL and PLATYPUS now use the DBI quote function to correctly handle quotes embedded in string data that is inserted with an AcctColumnDef.

Support Shiva LanRover sim-use detection using finger. Also added detection of config errors for all uses of finger, and runtime errors with snmpget.

Fixed a problem with Ascend binary filters: if the 'drop' keyword was used, it would build an invalid filter.

AcctColumnDef will not insert attributes that are not present in the request. Previously, it would insert NULL, which upset people's ability to define column defaults, and to build indexes.

Added VSAs for ACC to dictionary. Courtesy Ingvar Berg (ERA) ([EMAIL PROTECTED]). Thanks Ingvar.

Added NasType AscendSNMP that will check Ascend with SNMP instead of finger.

Added nasclear.cgi to goodies directory. It's a CGI script that shows all the unique NASs in your SQL Session Database, and allows you to clear all sessions for a NAS. Contributed by Aaron Holtz ([EMAIL PROTECTED]). Thanks Aaron.

Default behaviour when no handler is found changed from IGNORE to REJECT.

Auth-Type=Reject now correctly propagates back through chains of authenticators. Previously if the chain was more than 1 deep, an immediate reject would be turned back to an ordinary rejection. Thanks to Aaron Holtz for reporting this one.

Fixed a problem with AuthEXTERNAL that prevented it working properly on NT. Also made example config file and example external program for EXTERNAL in goodies, demonstrating the protocol for passing and receiving attributes.

Added optional format argument to AcctColumnDef, so you can set up SQL-specific conversions etc.

PostAuthHook is now given a third arg saying what the result of the authentication is.

Completed support for SHA encrypted password.
Contributed by Justin Daminato ([EMAIL PROTECTED])

Quoted Check and reply items can now have escaped octals in them like
    Tunnel-Server-Endpoint = "\000191.165.126.240 fr:20"
(that's a NULL as the first octet in the string), which is useful for adding tags to the front of Tunnel attributes like the above.

Added AuthBy LDAP2, which uses Net::LDAP from perl-ldap-0.09 or better. The previous version AuthBy LDAP is now deprecated (since the Net::LDAPapi it uses is now deprecated).

Added DecryptPassword parameter to AuthBy EXTERNAL, which makes it decrypt User-Password before passing it to the external program.

Testing with Bay Annex Server and tunnelling, with the help of Stephen Ollis. Thanks Stephen.

Now handle Prefix and Suffix check items.

Added new AcctColumnDef type "formatted-date" that uses Date::Format to build arbitrary date formats. Especially useful for Oracle's odd date behaviour:
    AcctColumnDef TIME_STAMP,Timestamp,formatted-date,to_date('%e %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')

AcctColumnDef type integer-date now formats dates in the format 'Sep 3, 1995 13:37', ie the full year including the century is now included. Previously it would do 'Sep 3, 99 13:37' and was not Y2K compliant. If this breaks your accounting table, consider using the new formatted-date type described above.

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   Consulting and development
Phone, Fax: +61 3 9598-0985                 http://www.open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, external, etc etc etc on Unix, Win95, NT, Rhapsody
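The two AcctColumnDef changes in the history above (string values passed through a quote function, and absent attributes left out of the INSERT) can be seen together in this added example. It is a Python model written for this page, not Radiator's Perl code; the table, column map, sample request and the quote() helper (which models DBI's default quoting) are assumptions.

```python
import sqlite3

# Constructed column map in the spirit of AcctColumnDef: (column, attribute, type).
# Table, column and attribute choices are assumptions for this sketch.
COLUMN_DEFS = [
    ("USERNAME", "User-Name", "string"),
    ("SESSIONTIME", "Acct-Session-Time", "integer"),
    ("CALLEDID", "Called-Station-Id", "string"),
]

def quote(value):
    """Model of default DBI quoting: wrap in single quotes, double embedded ones."""
    return "'" + str(value).replace("'", "''") + "'"

def build_insert(table, column_defs, request):
    """Build an INSERT naming only the attributes present in the request."""
    cols, vals = [], []
    for column, attribute, kind in column_defs:
        if attribute not in request:
            continue  # absent attribute: leave the column to its DEFAULT
        raw = request[attribute]
        # Integers are validated with int(); strings always go through quote()
        vals.append(str(int(raw)) if kind == "integer" else quote(raw))
        cols.append(column)
    if not cols:
        return None
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, ", ".join(cols), ", ".join(vals))

def store_and_read_back(request):
    """Run the statement against an in-memory table and return what was stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ACCOUNTING (USERNAME TEXT, SESSIONTIME INTEGER, "
               "CALLEDID TEXT DEFAULT 'unknown')")
    stmt = build_insert("ACCOUNTING", COLUMN_DEFS, request)
    db.execute(stmt)
    row = db.execute("SELECT USERNAME, SESSIONTIME, CALLEDID FROM ACCOUNTING").fetchone()
    count = db.execute("SELECT COUNT(*) FROM ACCOUNTING").fetchone()[0]
    return stmt, row, count

# Constructed Accounting-Stop: the user name carries an embedded quote and
# Called-Station-Id is missing from the request.
SAMPLE_STOP = {"User-Name": "o'brien", "Acct-Session-Time": "3600"}

if __name__ == "__main__":
    print(store_and_read_back(SAMPLE_STOP))
```

DBI drivers can override quote for their database's escaping rules; the hand-written quote() here only models the default behaviour.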
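How the escaped-octal form of the Tunnel-Server-Endpoint item above turns into a tag octet plus payload on the wire, as an added Python example (not Radiator's own parser). It assumes an escape is a backslash followed by exactly three octal digits with a value that fits in one octet; attribute number 67 is Tunnel-Server-Endpoint in RFC 2868.

```python
import re

# Assumption for this sketch: an escape is a backslash plus exactly three octal
# digits (value <= 0o377); anything else is left as literal text.
_ESCAPE = re.compile(rb"\\([0-3][0-7]{2})")

TUNNEL_SERVER_ENDPOINT = 67  # attribute number from RFC 2868

def decode_item(text):
    """Turn \\ooo escapes in a quoted check/reply value into raw octets."""
    raw = text.encode("latin-1")
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)

def split_tag(value):
    """Return (tag, payload) for a tagged tunnel attribute value."""
    if not value:
        raise ValueError("empty value has no tag octet")
    return value[0], value[1:]

def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value

# The value quoted in the release note, as it would appear in a config file.
SAMPLE = r"\000191.165.126.240 fr:20"

def sample_wire_form():
    """Decode the sample and return (tag, payload, encoded attribute)."""
    value = decode_item(SAMPLE)
    tag, payload = split_tag(value)
    return tag, payload, encode_attribute(TUNNEL_SERVER_ENDPOINT, value)

if __name__ == "__main__":
    tag, payload, wire = sample_wire_form()
    print(tag, payload, wire.hex())
```

Only the first three digits after the backslash belong to the escape, so the `191` that follows `\000` stays part of the address.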