Hello all,

We are pleased to announce the release of Radiator version 3.7.

This version contains some significant new features, including Cisco LEAP compatibility, Microsoft LSA authentication and TACACS+ server operation.

As usual, the new version is available free of charge to current licensees from http://www.open.com.au/radiator/downloads/ and to current evaluators from http://www.open.com.au/radiator/demo-downloads

An extract from the history file is attached.

Revision 3.7 (2003-09-23 Some significant new features and some minor bug fixes.)

Added Cisco LEAP-compatible 802.1x wireless EAP support, and example eap_leap.cfg.

Added new AuthBy LSA module which can authenticate PAP, CHAP, MSCHAP, MSCHAPV2, PEAP, LEAP etc against Windows user passwords. Can be run on Windows 2000, 2003 and XP (not Home edition). Requires the Win32-Lsa perl module from Open System Consultants.

Added new clause <ServerTACACSPLUS> that acts as a Tacacs+ server and converts Tacacs+ requests into Radius requests. Handles Tacacs+ authentication, authorization and accounting. Sample configuration file in goodies/tacacsplusserver.cfg.

New {mysql} password format support did not work correctly on perl 5.005 and earlier, causing failures in the test suite at tests 2w, 2x, 2z, 3a, 3d, 3g, 3h, 4a, 5a, 5f, 6a, 6b, 6c, 6e, 6f, 6g, 6h, 7a, 7b, 7c, 8a, 8b.

Performance improvements in regular expression check item matching in AuthGeneric.pm.

Performance improvements in regular expression Realm selection.

Added VSAs for Alcatel BRAS DSL termination gear to dictionary.

radpwtst now honours the -class flag for Access-Requests as well as Accounting-Requests.

Fixed EAP-TTLS so that %u works for the inner authentication.

Fixed a problem with UseExtendedIds that could cause a crash with "Can't locate object method "change_attr" via package "Radius::AuthRADIUS"".

Testing on Symbol Mobility Server (www.symbol.com). This is a very small ARM Linux server with BusyBox Linux not much bigger than your hand. Takes a CF card as a plug-in file system, and runs Radiator fine, including 802.1x TLS, TTLS and PEAP. Requires cross-compilation of some Perl modules. We can provide instructions if required.

Removed logging of password at INFO level during bind in AuthBy LDAP2. Suggested by "Steven P. Crain".

Changed the example EAPTLS_MaxFragmentSize in all EAP configuration examples to 1000 to accommodate Enterasys RoamAbout V2 access points, as suggested by Mark Haidl.

New -servicename argument to radiusd allows the name of the Windows service to be specified for -installservice and -uninstallservice, allowing multiple instances of Radiator to be run as Windows services at the same time.

Fixed typos in isOnline support for Portmaster3, Portmaster4 and Xyplex.

radpwtst now sets the authenticator in Disconnect-Request same as for accounting. Some NASs (notably Cisco) require this.

Fixed a problem with radpwtst in -gui mode, where the toolbar expands bigger than it should be. Patch contributed by Cameron Moore. Thanks Cameron.

Added AllowInRequest parameter to AuthBy RADIUS, which restricts which attributes can be proxied. Suggested by Toomas Kärner.

Unrecognised EAP types now result in a REJECT instead of IGNORE.

Improvements to PEAP for Cisco PEAP compatibility.

AuthBy INTERNAL now takes a RejectReason parameter. This string will be used as the Reply-Message if the AuthBy INTERNAL rejects a request.

Improvements to logging messages and documentation for SessionDatabase SQL, suggested by Claude Iyi Dogan.

Fixed some typos in the example goodies/url.cfg and goodies/test_url_md5.cgi files.

AuthBy RADIUS could crash if BindAddress was set to multiple comma-separated addresses. Reported by Anthony Stanton.

Added support for Session-Timeout="until ValidTo", which sets the session timeout to be the amount of time left to the end of the ValidTo check item account validity period.

In ClientListSQL, PreHandlerHook parameters for each client were not properly compiled, and would not run. Fixed.

Added WISPr RADIUS attributes to dictionary, based on Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1, Feb 2003, p 14 http://www.weca.net/OpenSection/downloads/WISPr_V1.0.pdf

Dictionary VALUEs that looked like integers would be misinterpreted, especially Tunnel-Medium-Type=802.

With PEAP-MSCHAP-V2, per-user reply items did not get sent back in the final Access-Accept.

AuthBy SQLRADIUS now honours AddToReply and StripFromReply attributes from the Host as well as the AuthBy SQLRADIUS.

Changes so that a proxied Access-Reject does not get multiple Reply-Message. Patch by Toomas Kärner. Thanks Toomas.

Testing with Aegis MDC Linux 1.2.0beta client on RedHat 8. Tested all EAP types, including certificate types with Radiator test certificates. See the Radiator FAQ for further remarks. Added certificates suitable for Linux clients (root.pen, cert-clt.pem) to the distribution.

Added more KarlNet VSAs to dictionary, contributed by Clinton - Golden IT.

SNMPAgent now correctly honours BindAddress when used with SNMP_Session version 0.92 or later.

Added EAPTLSRewriteCertificateCommonName parameter for TLS, which rewrites the Common Name from the certificate before using it to fetch user details from the Radiator database. Suggested by Paul Dekkers.

When installing as a service on Windows, you can now specify extra arguments to pass to perl on the command line when the service starts. This is useful for specifying an alternative install directory for the Radiator perl modules, eg:

    perl c:\Radiator\radiusd -installservice -serviceperlargs -Ic:\Radiator

Minor changes to AuthBy OPIE, ACE and CRYPTOCARD to better support tunnelled requests.

Added example configuration file showing how to authenticate from an IC-ISP mySQL database. IC-ISP is a full source ISP billing package for Unix. See www.ic-isp.com for details about IC-ISP. Accounting is not supported. Works with IC-ISP 2.0.24 and later.

AuthBy SQLRADIUS now honours UseExtendedIds as a configurable per-host parameter, and Auth RADIUS now makes each Host inherit its UseExtendedIds from the Auth RADIUS clause.

Fixed a problem with AuthBy RADIUS where 2 Proxy-State = OSC-Extended-Id could be added when multiple Hosts were involved.

Fixed a problem with PEAP MSCHAPV2: if a Domain was specified, the authentication would fail.

Radius packets were incorrectly limited to 8192 bytes on reception. Increased to 65535.

The Group parameter did not permit symbolic group names.

In SessionDatabase SQL, the session ID (%3) was not always quoted correctly in DeleteQuery.

Improvements to storage of VALUE in dictionary allows decoding based on the attribute name rather than the number, which allows correct unpacking of attributes with synonyms, such as Ascend-Disconnect-Cause. This involved changes to RDict::valNumToName.

Fixed a potential problem when unpacking non-conforming abinary attributes.

Added goodies/logisense.txt, containing example configuration, SQL tables and requirements for interoperation between Radiator and ENGAGE*IP. Contributed by STOWE TELECOM, LLC.

Added Slipstream-Auth to dictionary.

Under certain circumstances on some platforms with AuthLog SYSLOG and Log SYSLOG, syslog can die. Fixed.

Added StartHost parameter to AuthBy SQLRADIUS, contributed by Alexander Mayrhofer.

Improvements to error handling in AuthBy LDAP2.

Testing on Windows Server 2003. No changes in code or documentation required.

Testing on HP PA-RISC Linux (Debian). No changes in code or documentation required.

Added -outport and -bind_address options to radpwtst.

Fixed a problem where AuthBy URL did not handle AuthUrl starting with https://

Fixed a problem involving EAP, where multiple AuthBy clauses could result in incorrect PEAP-MSCHAPV2 challenge message, or using the wrong challenge during authentication.

AuthBy SQL now logs to AcctFailedLogFileName if AcctSQLStatement fails as well as if the usual accounting insert fails.

AuthBy URL now supports AcctUrl, a URL that will be used for accounting data.

Added AuthBy SOAP module for converting Radius requests to SOAP and SOAPRequest.pm for converting SOAP requests back to Radius requests. This SOAP interface is useful for tunnelling through firewalls, improving the reliability of Radius by using TCP as the transport, and for improving security by using HTTPS as the protocol.

Added VSAs for Quarry devices.

Fixed a problem with parsing of attr=val pairs on some platforms with some locales on perl 5.8.0, due to changes in perl regexp handling.

Added new special characters.
    %A is replaced by the Timestamp in standard SQL date time format eg: Sep 12, 2003 15:48.
    %B is replaced by the current time in standard SQL date time format eg: Sep 12, 2003 15:48.
    %F is replaced by the Timestamp in extended SQL date time format eg: Sep 12, 2003 15:48:59.
    %G is replaced by the current time in extended SQL date time format eg: Sep 12, 2003 15:48:59.

In AuthBy SQL, columns inserted by AcctColumnDef are now inserted in alphabetical order by column name. Patch provided by Robert Blayzor. Thanks Robert.

On some platforms such as FreeBSD, a Monitor connection would not disconnect properly after a QUIT command.

Added a number of new attributes to dictionary for CVX and Valemount. Thanks to Craig Gittens and Greg Schiedler.

Dates for Expiration, ValidTo, ValidFrom etc can now have optional hh:mm:ss time component. Also support dd.mm.yy(yy) (hh:mm:ss) format.

-- 
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
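Added example, not part of the announcement and not Radiator or radpwtst code: the history entry about radpwtst setting the Disconnect-Request authenticator "same as for accounting" refers to the RFC 2866 request authenticator, which RFC 5176 also specifies for Disconnect-Request. This Python sketch computes it and runs the receiver-side check; the shared secret, identifier and attribute values are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4    # RFC 2866
DISCONNECT_REQUEST = 40   # RFC 5176

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret, authenticator=None):
    """Build a packet; by default the authenticator is computed as for accounting."""
    if authenticator is None:
        authenticator = request_authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator and compare."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values, not taken from the announcement.
SECRET = b"example-shared-secret"
ATTRS = attr(1, b"mikem") + attr(44, b"00001234")   # User-Name, Acct-Session-Id

signed = build_request(DISCONNECT_REQUEST, 7, ATTRS, SECRET)
# An Access-Request style authenticator (arbitrary 16 octets) fails the check.
unsigned = build_request(DISCONNECT_REQUEST, 7, ATTRS, SECRET, authenticator=b"\x11" * 16)

if __name__ == "__main__":
    print("computed authenticator accepted:", verify_request(signed, SECRET))
    print("arbitrary authenticator accepted:", verify_request(unsigned, SECRET))
```

A receiver that performs this check drops a Disconnect-Request whose authenticator was not computed this way, since it cannot tell it apart from a packet sent without knowledge of the shared secret.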
