We are pleased to announce the release of Radiator version 3.4. This version provides some significant new features, including support for Microsoft PEAP as used on Windows XP, many minor new features and some bug fixes.

As usual, the new version is available free of charge to current licensees from
http://www.open.com.au/radiator/downloads/Radiator-3.4.tgz and
http://www.open.com.au/radiator/downloads/Radiator-3.4-1.noarch.rpm
and to current evaluators from
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.4.tgz and
http://www.open.com.au/radiator/demo-downloads/Radiator-Demo-3.4-1.noarch.rpm

An extract from the history file is attached.

-------------------------

Revision 3.4 (2002-11-02 Significant new features and some fixes)

Added support for PEAP and EAP-MSCHAPV2 (as used in Windows XP SP1).

Significant enhancements to EAP support, including: TTLS session resumption, improved performance, reduced duplicated code, correct use of EAP identities during authentication, more config examples, configurable User-Name during EAP decode-proxying etc.

Added support for AutoMPPEKeys for EAP-TLS. Tested with Windows XP etc. Moved some common TLS and TTLS code to a new module Radius/TLS.pm. Requires Digest-HMAC and Digest-SHA1 from CPAN. Now full Dynamic WEP key protection is available for both TLS and TTLS in Radiator.

Testing and some minor fixes for Meetinghouse Data Corp's Aegis wireless client, including MD5, TLS, and TTLS (PAP, CHAP, MSCHAPV1 and MSCHAPV2).

EAPType can now be a comma separated list of permitted EAP types, with the default (most preferred) named first.

Changes to EAP_21.pm for improved interoperation with Meetinghouse Aegis TTLS clients.

Added support for Certificate Revocation List (CRL) checking to EAP-TLS. Caution: requires Net_SSLeay-1.20 _plus_ patches, and also openssl 0.9.8 or later.

Radiusd now supports multiple authentication and accounting ports with AuthPort port,port,port... and AcctPort port,port,port...

AuthBy FILE now supports quoted user names with embedded white space, eg "fred bloggs".

AuthBy ADSI now supports SearchAttribute, permitting searches for users as well as direct binding.
Also added GroupRequired to make group membership checking quicker and easier. Also improved performance of CheckGroup, and obsoleted need for CheckGroupServer (CheckGroup now checks the group list returned from the user bind). Much of this code contributed by Mark Motley ([EMAIL PROTECTED]). Thanks Mark.

SessionDatabase SQL now supports a new parameter ReplaceQuery. If it is defined it will be used to add a new record to the session database. If it is not defined then DeleteQuery/AddQuery will be used as before. This can improve performance in SQL databases that support the 'insert or replace' type of query, such as MySQL.

Special character %W (the realm of the original user name) was not translated correctly.

The global Trace parameter did not appear in Radar parameter inspection. Now appears and can be modified from within Radar.

Fixed a problem with setting new effective group ID with Group. On some platforms and with some configurations, it would incorrectly report that setting the egid had failed when in fact it had not. Also fixed a problem where setting the egid would fail on some platforms if User was also used to set the euid.

Added dictionary.hiper, a dictionary for 3Com Hiper Access Router Card, in MERIT RADIUS format. This is added verbatim, and is not compatible with Radiator format.

Added Lucent-Vendor-Specific VSA to dictionary.

When an SNMP sim-use check is run, the community is now quoted with double quotes, not single quotes. Single quotes don't work properly with Windows shells.

radwho.pl moved to goodies and out of the standard executables.

Fixed a problem with AuthBy INTERNAL, where during Accounting Processing, the AcctAlive and the AcctStop commands never run, while the command AcctStart is executed with Acct-Status-Type=Alive|Start. Reported and fixed by Giuseppe Denora ([EMAIL PROTECTED]). Thanks Giuseppe.

AuthBy RADMIN now uses the new ValidFrom and ValidTo check items rather than checking them internally.
This will permit NoDefaultIfFound to work correctly with RADMIN. Reported by "Thomas Hartley/NCO/CEtv" ([EMAIL PROTECTED]).

Added RFCs 2869 and 2882 to the distribution.

Added to goodies/hooks.txt an example hook to add User-Name attributes to accounting requests that may not contain them.

Tagged-string attributes were not unpacked correctly if there was no tag present. Reported by Tony Landells ([EMAIL PROTECTED]).

DEFAULT users with a Suffix check item did not always work correctly. Reported by Tony Landells ([EMAIL PROTECTED]).

Fixed a problem with FramedGroup with large port numbers, where the third octet of the computed address could have silly values. Reported by "Miro Majcen" ([EMAIL PROTECTED]).

Fixed a problem where a FramedGroupMaxPortsPerClassC of 0 could cause a crash. Reported by "Miro Majcen" ([EMAIL PROTECTED]).

Added example configuration file for Telstra (Australia) Dial Connect Virtual ISP.

Testing with Perl 5.8.0. OK.

AuthLogSQL always reconnected to the database even when there was nothing to do. Reported by Dan Melomedman ([EMAIL PROTECTED]).

AuthBy RADMIN did not correctly handle some integer valued check items. Reported by "Houwer, B" ([EMAIL PROTECTED]).

Improvements to SessionDatabase SQL, so that the NAS ID, NAS port and SQL quoted Acct-Session-Id are available in the AddQuery.

AuthBy POP3 now permits special characters in the Host field, so that you can handle multiple domains automatically with 'Host pop3.%W'.

Log SQL and Log EMERALD did not correctly recover from an SQL database outage. No further logging would occur, even after the database came back.

In Log SQL, the Table parameter now takes special characters.

AuthBy ADSI did not correctly handle some AuthAttrDef attributes. For example if there was more than one otherHomePhone, an incorrect check would be made. Reported by Billy Li ([EMAIL PROTECTED]). More below about this.

Added an example xinetd configuration file for Linux and others to the goodies.

Added example configuration file for Jet ISP billing in goodies/jet.cfg. Jet is a user management and billing system, specifically designed and created for ISPs. Written in Python and Zope, it is highly flexible, and has a modular construction allowing for additional modules to support a customer's specific needs. It comes with full source code, and Obsidian's development team is available to produce extensions as required.

Added StatisticsOnly flag to Monitor.

Added GroupRequired to AuthBy NT on Windows, which ensures the user is a member of the named group. Contributed by "Motley, Mark" ([EMAIL PROTECTED]). Thanks Mark.

Most check items now permit alternation with multiple permitted values separated by vertical bar ('|'). Also, in AuthBy ADSI, AuthBy LDAP*, if an AuthAttrDef of type 'check' is multi-valued, it will be automatically converted into alternates, so you can use multi-values to do a one-of check item match.

Added goodies/rcrypt, a simple command line utility to do Rcrypt encryption and decryption of passwords.

Testing with Mandrake 9.0. No issues or changes required.

Added Session_Error_Code and Session_Error_Msg to dictionary.redback.

Fixed a problem with AuthBy ACE that would cause it to hang if run in the background.

Improvements to AuthBy SQL for formatted-date. If Date::Format is not available, logs an error and ignores the column. Suggested by Martin Edge ([EMAIL PROTECTED]).

AuthBy EXTERNAL now REJECTS if the external program exits due to a signal. Suggested by Inglesant Philip ([EMAIL PROTECTED]).

radwho.pl and radwho.cgi were opening /tmp/xxx instead of /dev/null as workaround for freetds problems. Reported by "Utku Er" ([EMAIL PROTECTED]).

Improved isonline checking for Cisco. Now handles ISDN ports (ie larger than port 20000) with finger. Contributed by "Utku Er" ([EMAIL PROTECTED]).

Can now specify multiple BindAddress addresses, comma separated. Suggested by Jeremy Hinton ([EMAIL PROTECTED]).

Added goodies/CiscoDialupIPPools.doc, a document describing how to do basic IP address assignment for Cisco dialup using Radiator. Contributed by "Kent, Ashley" ([EMAIL PROTECTED]).

Testing EAP with Net::SSLeay 1.21. OK.

Fixed a problem with AuthBy POP3 where a failed POP3 connection could cause a crash. Reported by "Johannes Demel" ([EMAIL PROTECTED]). Also testing with POP3Client 2.12. OK.

Fixed a problem where HUP signal on FreeBSD could cause crashes with "Could not bind authentication socket: Address already in use at radiusd line ...". Reported by "Giuseppe Denora" ([EMAIL PROTECTED]).

Testing with Apple AirPort base station. OK for MAC authentication. 802.1x EAP authentication is not supported by AirPort. Added entry to FAQ describing how to set up.

Handler now detects accounting Acct-Status-Type of Interim-Update in the same way as type Alive, for compatibility with some non-standard dictionaries.

Fixed a problem with AuthByPolicy ContinueWhileIgnore and Auth-Type=Ignore not working as expected. Reported by Petr Zimak ([EMAIL PROTECTED]).

Added new AuthBy IMAP module, to authenticate from an IMAP server. Contributed by Petr Zimak ([EMAIL PROTECTED]). Also example config file goodies/imap.cfg.

Added new module AuthBy HTGROUP and example goodies/htgroup.cfg, which can be used to confirm group membership according to an Apache htgroup file. Contributed by Rodger Allen ([EMAIL PROTECTED]).

Fixed a problem with unreliable packing of integer8 Radius attributes.

In AuthBy PLATYPUS, can now use BaseSelect parameter to alter the basic user select clause. AuthSelect is still used to optionally augment BaseSelect.

Added goodies/AlterNASPort.pl, an example hook to convert Cisco-NAS-Port to NAS-port so you can use the standard session database and NasType Cisco. Contributed by Paul Pilsbury.

In AuthBy INTERNAL, any error in compiling a hook will result in an IGNORE if the hook is used. Previously, it would ACCEPT. Suggested by "Giuseppe Denora" ([EMAIL PROTECTED]).

Improvements to SNMP simultaneous use operations, so that if a NAS fails to respond Radiator will not try to contact it again for SnmpNASErrorTimeout seconds. Contributed by Greg B Zemskov ([EMAIL PROTECTED]).

AuthBy RADMIN now ignores bad logins if the bad logins column is set to NULL, or if the MaxBadLogins parameter is set to 0. Suggested by Nicolai van der Smagt ([EMAIL PROTECTED]).

Fixed a problem where an SHA password would cause a crash unless Digest::SHA1 is installed. Reported by Camilo Echeverry ([EMAIL PROTECTED]).

Testing with Windows 2000 802.1x hotfix. OK.

Improved workaround for UTF8 problems in perl 5.8. All sockets are now binmode to raw mode, preventing wide character interpretations.

Performance improvements in Nas.pm for NAS-specific module loading.

AuthEMERALD.pm and AuthEMERALD4.pm needed use Radius::Client to prevent errors when using AuthBy EMERALD with any Client clauses in the config file. Reported by Carlos Molina ([EMAIL PROTECTED]).

ReplyHook is now passed a ref to the Radius::Host structure for the downstream radius server.

Added Netscreen vendor specific attributes to dictionary. Contributed by [EMAIL PROTECTED].

Radius::decode_password is now more generalised. It can decode any argument, not just the password from the current packet.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
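
The history entry above about tagged-string attributes being unpacked incorrectly when no tag is present concerns the optional tag octet of RFC 2868. The following is an added example, not Radiator code and not part of the original announcement, showing one way to unpack such attributes. The function names and the sample bytes are constructed for illustration, and treating a leading 0x00 as an unused tag octet is an assumption of this sketch.

```python
# Attribute numbers from RFC 2868.
TUNNEL_TYPE = 64              # tagged integer: 1 tag octet + 3 value octets
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string: the tag octet is optional

TAGGED_INT = {TUNNEL_TYPE}
TAGGED_STR = {TUNNEL_PRIVATE_GROUP_ID}


def unpack_tagged(attr_type, value):
    """Return (tag, decoded value); tag is None when no tag octet was sent."""
    if attr_type in TAGGED_INT:
        # Integer form always carries the tag octet, so the size is fixed.
        if len(value) != 4 or value[0] > 0x1F:
            raise ValueError("malformed tagged integer")
        return value[0], int.from_bytes(value[1:], "big")
    if attr_type in TAGGED_STR:
        if not value:
            raise ValueError("empty attribute value")
        # RFC 2868: 0x01..0x1F is a tag. Anything above 0x1F is the first
        # byte of the string itself, so nothing may be stripped.
        # Assumption of this sketch: 0x00 is consumed as an unused tag.
        if value[0] <= 0x1F:
            return value[0], value[1:].decode("utf-8", "replace")
        return None, value.decode("utf-8", "replace")
    raise ValueError("not a tagged attribute")


def parse_attributes(buf):
    """Walk type/length/value triples, rejecting inconsistent lengths."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = buf[i], buf[i + 1]
        if a_len < 2 or i + a_len > len(buf):
            raise ValueError("bad attribute length")
        out.append((a_type,) + unpack_tagged(a_type, buf[i + 2:i + a_len]))
        i += a_len
    return out


# Constructed sample: Tunnel-Type with tag 1 and value 13 (VLAN), then
# Tunnel-Private-Group-ID "42" with tag 1, then "2001" with no tag octet.
SAMPLE = (bytes([64, 6, 0x01, 0, 0, 13])
          + bytes([81, 5, 0x01]) + b"42"
          + bytes([81, 6]) + b"2001")

if __name__ == "__main__":
    for row in parse_attributes(SAMPLE):
        print(row)
```

A decoder that always strips the first octet of a tagged string would return "001" for the last attribute in the sample.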
