We are pleased to announce the release of Radiator version 4.7. This version contains some new features and minor bug fixes.

As usual, the new version is available to current licensees from:
http://www.open.com.au/radiator/downloads/
and to current evaluators from:
http://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
http://www.open.com.au/renewal.php

An extract from the history file http://www.open.com.au/radiator/history.html is below:

Revision 4.7 (2010-08-11)
New features and some bug fixes.

- Added support for Django style passwords in the format sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78b and md5$a1976$e67d1ca20e9c28321b86e34076cc48ab, as specified by http://docs.djangoproject.com/en/dev/topics/auth/#passwords. Contributed by Jerome Fleury.
- Fixed a bug in ServerTACACSPLUS to do with closing the authgroup file. Reported by Wolfgang.Koenig.
- Added sample configuration file for Radiator, showing how to proxy requests to the WiKID (http://www.wikidsystems.com/) Strong Authentication RADIUS Server.
- Fixed a problem where AuthBy SQLRADIUS statistics were not kept correctly up to date in the case of recovered servers. Reported by Dan Cachola.
- Factored out EAP-FAST PAC creation and retrieval from EAP_43 to AuthGeneric. AuthBy SQL can now override these functions and use SQL queries to save and retrieve PACs, or to retrieve pre-provisioned PACs from the database. If AuthBy SQL does not define CreateEAPFastPACQuery, then it falls back to the default of saving PACs in Radiator memory.
- Added sample configuration file and detailed installation instructions for the Secure Metric (www.securemetric.com) SecureOTP one-time-password system, including details on how to proxy requests to the SecureOTP RADIUS Server.
- Minor changes of some log messages from INFO to DEBUG level, to reduce noise level.
- Additional information in some AuthBy RADIUS and EAP messages to improve diagnostics in load balancing systems. Requested by Myles Fenton.
- Added support for the -retries flag to radpwtst.
- Removed redundant noReplyFromProxy from goodies. The code is in goodies/hooks.txt.
- Previously, radpwtst would use the same random authenticator for all requests. radpwtst now uses a different random authenticator for each request, which can help with testing of duplicate detection.
- Added OSC-Device-Identifier, OSC-User-Identifier and OSC-Group-Identifier to dictionary.
- Added Identifier to logging in the "Handling request with Handler ...." debug message.
- Fixed an error in the calculation of responseTime statistics.
- Improvements to detection and use of Time::HiRes. New function Radius::Util::getTimeHires returns (seconds, microseconds). Microseconds is 0 if Time::HiRes is not available. responseTime is now measured with microsecond accuracy if Time::HiRes is available, improving the accuracy of statistics calculations.
- Added a number of DeTeMobil Vendor-Specific Attributes to dictionary. Contributed by Alexander Hartmaier.
- Improvements to AuthBy LDAP2 performance: if ServerChecksPassword is in use, and the server rejects the password due to LDAP_INVALID_CREDENTIALS or LDAP_INAPPROPRIATE_AUTH, do not disconnect from the LDAP server. Previously, this would cause an unnecessary disconnect.
- Added symbolic vendor names for T-Mobile and TMO to dictionary.
- Added function changePassword to AuthBy LDAP2 to support custom code to change user passwords.
- Net::LDAP compatibility improvements with use of Net::LDAP::Entry->get_value(..., asref => 1) instead of get(...).
- Abstracted the generic Yubikey support code into AuthYUBIKEYGENERIC.pm; AuthSQLYUBIKEY is now a subclass. Enables the development of new subclasses for supporting Yubikey in other types of database, such as LDAP.
- Changes to the RPM build spec to accommodate RPM_BUILD_DIR to circumvent rpm building problems on some platforms.
- Added more 3GPP attributes to dictionary as per http://www.3gpp2.org/Public_html/specs/X.S0011-005-E_v1.0_091116.pdf
- Improved behaviour of AuthBy FIDELIO when LA messages are received. Previously they would always cause a database update.
  Now this only happens on the first LA.
- Fixed a bug in fideliosim.pl. fideliosim.pl now implements LA requests every 10 seconds.
- AuthBy FIDELIO now never uses a posting sequence number of 0000, following advice from Michael Herzig. Starts at 0001 and wraps from 9999 to 0001.
- AuthBy FIDELIO now implements 2 new configuration parameters: PostingExtraFields allows you to override or add extra data fields to be sent in the Opera posting record. PostingRecordID allows you to change the posting record ID from the default of 'PS' to, say, 'PR'. Examples in the fidelio.cfg sample configuration file.
- Fixed a potential memory leak with EAP-TLS. X509_free is now used to free the certificate. Reported by Robert Hwang.
- Fixed an error with the formatting of dates in the DA field in AuthBy FIDELIO: the month and day elements were reversed. Reported by Michael Herzig.
- Added new convenience function post() to AuthFIDELIO.pm for posting accounting requests to Fidelio, which can be used by other hooks.
- Improved a number of separator formatting issues in messages sent to Fidelio.
- Added sample Radiator configuration showing how to build a WiFi hotspot with, for example, a MikroTik (www.mikrotik.com) hotspot and captive portal, which authenticates against the Micros-Fidelio Opera hotel management system and permits the user to purchase WiFi internet access in blocks of 24 hours which are billed to the user's room through Opera. The example works with MySQL as a session database (schema included), but other databases can be supported.
- Added new configuration parameter LogOpt to Log SYSLOG and AuthLog SYSLOG clauses, allowing control over the syslog options used. LogOpt is a comma separated list of words from the set cons,ndelay,nofatal,nowait,perror,pid as described in the Perl Sys::Syslog module. Defaults to pid. Contributed by Bjoern A. Zeeb with some changes.
- Added reload option to goodies/linux-radiator.init. Contributed by David Worth.
- Added new parameter CheckoutGraceTime to AuthBy FIDELIO. Permits users to log in for this period of time after they have checked out. Contributed by Manuel Kasper, with some minor changes.
- Improvements to AuthBy LSA to permit machine authentication in groups.
- Added new parameter NAPTR-Pattern to Resolver. NAPTR-Pattern is an optional parameter that specifies a regexp that will be used to match the contents of NAPTR records during Resolver service discovery. If NAPTR-Pattern is defined and matches a NAPTR DNS record, it will be used to determine the protocol and transport to be used. The regex is expected to match 2 substrings. The first is the protocol and can be 'radsec' or 'radius'. The second is the transport to use, and can be 'tls', 'tcp' or 'udp'. This has been added to support proposed new NAPTR standards for Eduroam. Requested by Stefan Winter.
- Win32-Lsa for Windows 64 bit ActivePerl 5.10 is now available with ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
- Improvements to the "No reply after ...." message in AuthBy RADIUS to include the Identifier and the delay time. Requested by Myles Fenton.
- Minor improvements to AuthBy NTLM for testing.
- StreamTLS classes, such as ServerRADSEC, ServerDIAMETER, AuthBy RADSEC etc., now support EAPTLS_CRLFile with operating system wildcards. Similarly, TLS based classes such as TLS, TTLS, PEAP etc. now support TLS_CRLFile with operating system wildcards.
- Added new parameter TLS_SRVName to StreamTLS classes. This is intended for use by AuthBy RADSEC and AuthBy DNSROAM to specify a DNS SRV Name that will be matched against possible SubjectAltName:SRV extensions in the server certificate. If TLS_SRVName is specified and the server certificate contains SubjectAltName:SRV extensions, none of which match TLS_SRVName, the certificate will not be accepted. Format is _service._transport.name (this is the same format SRV names appear in DNS records). For example "_radsec._tcp.example.com". Only service and name are matched. Requested by Stefan Winter for Eduroam support.
- Resolver now saves the SRV Name of any SRV record that was followed in order to get an address in the result set. AuthBy DNSROAM now uses this to set the TLS_SRVName in a target AuthBy RADSEC, which enables checking against any SubjectAltName:SRV extensions in the server certificate. Requested by Stefan Winter for Eduroam support.
- Improvements to AuthBy FIDELIO so that during an accounting posting, the DD field (Dialed Digits), which is based on the Called-Station-Id, contains only digits. Micros-Fidelio report that contents other than digits can cause problems in Opera.
- Added surfnet VSAs to dictionary.
- Improvements to AuthBy RSAAM for interoperation with AM 7.1 SP3. At AM 7.1 SP3, the authentication realm requested by the AM server SOAP interface was changed by RSA, causing earlier versions of AuthBy RSAAM to fail to connect with a 401: Unauthorized error. This change permits AuthBy RSAAM to work with pre and post SP3 as well as improving performance. The SessionRealm parameter is now unused and obsolete. Reported by Rene Fleissner.
- Improvements to the Linux Radiator startup script. Added traceup and tracedown commands which signal Radiator to increase or decrease its trace level. Handy for changing trace levels without having to find the process ID first. Contributed by David Worth.
- Added version of Authen-Digipass module for ActiveState Perl 5.12.
- Fixed a problem in AuthBy OTP where a PasswordPattern of aaaaaaaa generated OTPs with twice as many characters as specified, with every odd character an 'a'. Reported by Alexander Hartmaier.
- Fixed default AuthGroupCheck, AuthGroupReply and GroupMembershipQuery queries, which incorrectly referred to the usergroup table instead of the radusergroup table. Reported by Mike Wilson.
- Changed the type of Framed-IPv6-Prefix in the dictionary from string to ipv6prefix, allowing entry of IPv6 prefixes in a sensible format.
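The NAPTR-Pattern and TLS_SRVName items above describe one chain: the Resolver matches NAPTR records to pick a protocol and transport, follows the SRV record named in the replacement field, remembers that SRV name, and AuthBy DNSROAM hands it to AuthBy RADSEC so the server certificate's SubjectAltName:SRV entries can be checked on service and name only. The following Python is an added illustration of that chain, not Radiator's own (Perl) code. The NAPTR and SRV records are constructed for a fictional realm, the "x-eduroam:" style service tags and the assumption that the pattern is applied to the NAPTR service field are mine, and the SRV SAN values are constructed strings rather than parsed X.509 extensions.

```python
import re

# Allowed capture-group values, as the NAPTR-Pattern description lists them:
# group 1 is the protocol, group 2 the transport.
PROTOCOLS = {"radsec", "radius"}
TRANSPORTS = {"tls", "tcp", "udp"}

# Constructed NAPTR records for a fictional realm: (order, preference, service,
# replacement). The service tags are assumptions modelled on the eduroam style.
NAPTR_RECORDS = [
    (200, 10, "x-eduroam:radius.udp", "_radius._udp.example.com"),
    (100, 10, "x-eduroam:radsec.tls", "_radsec._tcp.example.com"),
]

# Assumed NAPTR-Pattern with the two required capture groups (protocol, transport).
NAPTR_PATTERN = r"x-eduroam:(radsec|radius)\.(tls|tcp|udp)"

# Constructed SRV answers: name -> [(priority, weight, port, target), ...].
SRV_TABLE = {
    "_radsec._tcp.example.com": [(20, 0, 2083, "idp2.example.com"),
                                 (10, 0, 2083, "idp1.example.com")],
    "_radius._udp.example.com": [(10, 0, 1812, "idp1.example.com")],
}


def select_naptr(records, pattern):
    """Pick the lowest (order, preference) record whose service field matches
    the pattern with two valid groups; returns (protocol, transport, srv_name)."""
    regex = re.compile(pattern)
    for _order, _pref, service, replacement in sorted(records):
        match = regex.search(service)
        if match is None or len(match.groups()) < 2:
            continue
        protocol, transport = match.group(1), match.group(2)
        if protocol not in PROTOCOLS or transport not in TRANSPORTS:
            continue
        return protocol, transport, replacement
    return None


def resolve(records, pattern, srv_table):
    """NAPTR -> SRV -> (target, port) list, keeping the SRV name that was
    followed so it can later be handed to the TLS_SRVName check."""
    chosen = select_naptr(records, pattern)
    if chosen is None:
        return None
    protocol, transport, srv_name = chosen
    answers = sorted(srv_table.get(srv_name, []))   # priority first, then weight
    return {
        "protocol": protocol,
        "transport": transport,
        "srv_name": srv_name,
        "targets": [(target, port) for _prio, _weight, port, target in answers],
    }


def split_srv_name(name):
    """Reduce '_service._transport.name' (or RFC 4985 style '_service.name') to
    (service, name), lowercased and without a trailing dot. The transport label
    is dropped because only service and name take part in the comparison."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or not labels[0].startswith("_"):
        return None
    service, rest = labels[0][1:], labels[1:]
    if rest[0].startswith("_"):
        rest = rest[1:]
    if not service or not rest:
        return None
    return service, ".".join(rest)


def srv_name_accepts_cert(tls_srv_name, san_srv_names):
    """TLS_SRVName rule: reject only when the certificate carries SRV SANs and
    none of them matches on service and name."""
    if not san_srv_names:
        return True     # no SRV SANs present: this check does not apply
    wanted = split_srv_name(tls_srv_name)
    if wanted is None:
        return False
    return any(split_srv_name(san) == wanted for san in san_srv_names)


if __name__ == "__main__":
    result = resolve(NAPTR_RECORDS, NAPTR_PATTERN, SRV_TABLE)
    print(result)
    print(srv_name_accepts_cert(result["srv_name"], ["_radsec.example.com"]))
```

Note the asymmetry in the last check: a certificate with no SRV SANs passes this particular rule (the ordinary hostname and chain checks still apply), while a certificate whose SRV SANs all name a different service or realm is refused even though the transport label is ignored.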
- Changed the type of NAS-IPv6-Address in the dictionary to ipaddrv6 for correct encoding and decoding of IPv6 addresses.
- When AuthBy HANDLER is used and RejectHasReason is specified, the actual rejection reason is now set in the reply instead of "redirected by AuthHANDLER".
- AuthBy LSA now honours UsernameMatchesWithoutRealm.
- Fixed a problem with quoting of parameters passed to the external command by AuthBy EXTERNAL. Reported by KUCZYNSKI, CHRISTOPHE.
- Updated Coova ChilliSpot VSAs in dictionary.
- Fixed a problem where EAP type negotiation could remove the EAP-TLS VERIFY_PEER requirement, causing EAP-TLS to sometimes fail when other clients were trying to negotiate TTLS or PEAP. Reported by Keith Ma.
- Added option to get any configuration parameter from an SQL database with a new form of parameter, ParameterName sql:identifier:query, which will look for a previously defined AuthBy SQL clause with an Identifier of 'identifier' and run the SQL query given by 'query'. The first row in the result will be used to set the parameter ParameterName. This lookup is only ever done once, at startup time.
- Added new type of special character which will be replaced with a value fetched from an SQL database. Special characters of the form %{SQL:identifier:query} will look for a previously defined AuthBy SQL clause with an Identifier of 'identifier' and run the SQL query given by 'query'. The first row in the result will be used as the value of the special character. This type of lookup is done whenever the special character is evaluated.
- Fixed a problem with AuthBy FREERADIUS. The test for limit values for Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session was reversed, causing them to fail when they should succeed and vice versa. Reported by Stanley Thomas.
- When radpwtst was used to send arbitrary packet types such as CoA-Request, the reply was not decoded and therefore never packet dumped. Reported by Vangelis Kyriakakis.
- Improvements to the sample gigawords-hook.pl to use 64 bit integers in order to be more robust against overflows with large traffic.

-- 
Mike McCauley mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator