Can't seem to download the patches. After accepting the license agreement, it just keeps returning to the license agreement.

On Thu, 28 Apr 2011, Mike McCauley wrote:
> We are pleased to announce the release of Radiator version 4.8
>
> This version contains some new features and minor bug fixes.
>
> As usual, the new version is available to current licensees from:
> http://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> http://www.open.com.au/radiator/demo-downloads
>
> Licensees with expired access contracts can renew at:
> http://www.open.com.au/renewal.php
>
> An extract from the history file
> http://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
> Revision 4.8 (2011-04-28) New features and some bug fixes.
>
> Fixed a problem in AuthBy EAPBALANCE where no reply from a
> proxied request from the middle of an EAP stream would result in
> unlimited retransmissions of the request. Reported by Keith Ma.
>
> Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
>
> Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
>
> RPM packages were built by default on OpenSuSE with LZMA
> compression, which is not available for all platforms. This new
> Radiator.spec disables LZMA and uses BZ2 instead. In future all
> RPMS will be built with BZ2 compression. New versions of
> Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm
> with BZ2 uploaded.
>
> Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where
> MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and
> TimeStepOrigin parameters were not correctly read, resulting in
> errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew
> Reeves-Hairs.
>
> GetClientQuery was incorrectly using field 25 instead of 27 for
> flags. Documentation for GetClientQuery incorrectly described
> field 25 as being flags instead of ClientHook.
>
> Added SQLRetries parameter to all SQL type clauses. When
> executing a query, Radiator will try up to SQLRetries attempts to
> execute the query, retrying if certain types of SQL error are
> seen.
> Defaults to 2. Requested by Michael.
>
> Fixed some problems with Radius paths in the RPM on some
> platforms. Rebuilt and uploaded new RPMs.
>
> Improved Client CIDR address searches so a more specific cidr
> would have priority over a less specific cidr. Contributed by
> Nicholas Waples.
>
> Improved ClientListLDAP, added oscRadiusIdentifier &
> oscRadiusDefaultRealm into the default list of
> ClientAttrDef's. were the only attributes missing from
> oscRadiusClient ldap schema provided (in goodies). Contributed by
> Nicholas Waples.
>
> In Server TACACSPLUS, the call AuthenticationStartHook now
> includes the priv_lvl and service values from the TACACSPLUS
> request passed as arguments to the hook.
>
> In Server TACACSPLUS, during authentication, we now add
> cisco-avpair attributes to the RADIUS request for action,
> authen_type, priv-lvl and service from the incoming TACACSPLUS
> request.
>
> Improvements to AuthBy URL. Improved HTTP and HTML standards
> compliance by using the LWP::UserAgent methods post() and
> get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication,
> as well as the previously supported PAP. *CHAP challenges and
> responses are encoded as HEX and sent as configurable web
> parameters. Updated the sample config file goodies/url.cfg, and
> improved documentation. Fixed inconsistent password in sample
> test_url_md5.cgi. Cleaned up some of the code to be compliant
> with in-house standards.
>
> Added support for BindAddress in all Ldap derived clauses,
> allowing you to specify a local address for the client side of
> the LDAP connection with BindAddress, in the form
> hostname[:port]. Defaults to 0.0.0.0. Updated sample config
> file. Suggested by Roel Hoek.
>
> Updated AuthBy NTLM so that if an authentication fails, the
> Warning log message records the user name along with the
> Authentication-Error. Suggested by David Zych.
>
> Further improvements to AuthBy URL. Now supports CopyReplyItem
> parameter.
> If a successful HTTP reply contains a string like
> 'xxx=hexencodedvalue' the value will be copied to the RADIUS
> reply as attribute yyy=value the value is expected to be HEX
> encoded and will be HEX decoded before adding to the reply.
>
> Fixed a problem where some SQL modules were not being correctly
> initialised, which was revealed when the new SQLRetries was
> added. Reported by Steffen Weinreich.
>
> Further improvements to AuthBy URL. Now supports CopyRequestItem
> parameter. Adds a tagged item to the HTTP request. Format is
> CopyRequestItem xxx yyy. The text of yyy (which may contain
> special characters) will be added to the HTTP request with the
> tag xxx. In the special case where yyy is not defined, the value
> of attribute named xxx will be copied from the incoming RADIUS
> request and added to the HTTP request as the tagged item yyy. All
> values are HEX encoded before adding to the HTTP
> request. Multiple CopyRequestItem parameters are permitted, one
> per line.
>
> Improvements to AuthBy SQLTOTP to implement replay
> detection. This has required an additional column in the sample
> SQL database schema, and changes to the default AuthSelect and
> UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
>
> Testing with the Mera MVTS Pro Voip gateway. OK. Added
> mera-mvts.txt. This document briefly outlines the requirements
> for interfacing Radiator with Mera MVTS Pro VOIP gateways, along
> with examples of the types of requests and replies Radiator can
> be expected to handle when interfacing with MVTS Pro.
>
> Added new command line argument -min_interval to restartWrapper,
> which controls the minimum time interval between successive
> restarts. Contributed by David Zych.
>
> Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH
> soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP),
> and Google Authenticator (HOTP and TOTP). External testing with
> Feitian C200 OTP Tokens and others. All OK.
>
> Added a number of Juniper attributes to dictionary.
>
> Monitor and Server HTTP now support AddToRequest to add
> attributes to the internal RADIUS request they generate when
> authenticating administrator logins to their respective
> interfaces. They also dump these requests when Trace 4 is
> enabled.
>
> Server TACACSPLUS now supports a new parameter
> AuthorizeGroupAttr. If this parameter is specified, it specifies
> the name of an attribute in Access-Accept that will contain
> per-command authorization patterns for authorising TACACS+
> commands. These are processed before any configured-in
> AuthorizeGroup parameters. The command authorization patterns are
> in the same format as supported by AuthorizeGroup. Added a new
> VSA to dictionary OSC-Authorize-Group, which is intended to carry
> per-user reply command authorization patterns.
>
> Improvements to Radiator linux startup script so you can have
> multiple scripts in /etc/init.d/ with different names, and which
> lookup different parameters in /etc/sysconfig. For example, you
> can install the script as /etc/init.d/radiator and
> /etc/init.d/radiator-acct, and it will look up parameters in
> /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further
> improvement is to always use -p RADIUS_PIDFILE to killproc the
> process, rather than the process name.
>
> Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
>
> Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary,
> including OLT-TL1-* and added VALUE definitions for some other
> A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have
> adopted A-ESAM to be compatible with previously existing
> definitions.
>
> Fixed a problem where EAP-MD5 authentications did not honour
> UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".
>
> Fixed a problem where EAP-MD5 authentication by AuthBy LSA
> mysteriously failed.
> Refactoring of EAP_4 check_chap() to
> AuthGeneric, and thence to AuthLSA. Reported by "Sami
> Keski-Kasari".
>
> Fixed a problem which could cause crashes in
> Socket6::inet_ntop. Reported by James Harton.
>
> Testing on MacOS X 10.6.5. OK.
>
> Added lookupauthgroup.pl Sample PostSearchHook for AuthBy LDAP2,
> which finds user group(s) through an LDAP lookup, then finds
> corresponding check and reply attributes in SQL, based on the
> user group(s) for that user and the device groups of the
> RADIUS/TACACS+ client. This allows you to have very fine
> grained authentication/authorisation in an LDAP/SQL environment,
> based on user and device group membership.
>
> Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR,
> to fix possible session shutdown problems with some TACACS+
> clients.
>
> Fixed incorrect sequence numbers in some TACACS+ packets sent by
> goodies/tacasplustest and that affected interoperation with
> tac_plus. Fixed issues with TACACS+ version numbers that affected
> interoperation with tac_plus.
>
> Added new parameter SingleSession to Server TACACSPLUS which can
> be set to 0 to disable the default behaviour which tries to keep
> the same TCP session for all requests. Setting SingleSession to 0
> forces a TCP disconnect after every authentication, authorisation
> and accounting session. Some TACACS+ clients need this in order
> to operate correctly.
>
> Improvements to AuthBy SQLTOTP so that tokens whose time drifts
> into the future can be authenticated. Patch supplied by Steffen
> Weinreich.
>
> Decoupled AuthGeneric userIsInGroup from getUserGroups so
> subclasses can implement their own group finding.
>
> Added new optional parameters GroupSearchFilter GroupBaseDN
> GroupNameCN to specify an LDAP search which will be used to get
> the names of groups this user is a member of. Used to check Group
> check items.
> Updated sample lookupauthgroup.pl to use the new
> group search function in AuthBy LDAP2
>
> AuthBy LSA now honours UsernameMatchesWithoutRealm correctly for
> users and groups. Reported by "Sami Keski-Kasari"
> and "Johnson, Neil M".
>
> In AuthBy SQL, the optional GroupMembershipQuery now has the
> groupname available as the second bound variable.
>
> Improvements to Server TACACSPLUS so that it honours the
> TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a
> single session will only be maintained if the Server TACACSPLUS
> SingleSession parameter is set _and_ the client indicates a
> willingness to support single sessions with the
> TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled
> regardless of client options by setting the SingleSession flag to
> 0 (defaults to 1)
>
> Improvements to goodies/tacacsplustest now correctly sets the
> TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command
> line parameter is given. It now closes the connection at the end
> of each session unless the -single flag is set and the server
> indicates a willingness to support single connections with the
> TAC_PLUS_SINGLE_CONNECT_FLAG.
>
> Fixed a problem where malformed WiMAX attributes could cause a
> crash. Reported by Mark Sergeant.
>
> Further fixes to Server TACACSPLUS: If SingleSession is set, some
> Cisco TACACS+ clients will close an authentication session after
> the first reply. This is a bug in the client. As a workaround,
> ServerTACACSPLUS.pm now never sets the
> TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki
> Tuomi.
>
> Fixed a typo in linux-radiator.init that prevented traceup and
> tracedown working properly on RHEL5.
>
> Added LOG_WARNING log message if a Tacacs+ request is received by
> Server TACACSPLUS for which no Client could be found.
>
> Improvements to Server TACACSPLUS so expired authentication
> result in ERROR instead of FAIL.
> Tacacs authorisations are now
> bound to both the username and the peer address, so user can have
> different authorisations on each device.
>
> Added peer address to a number of warning and info messages
> produced by Server TACACSPLUS for easier diagnosis.
>
> Updated Monitor HELP command documentation to include
> TRACE_PREDICATE.
>
> Fixed problems with linux-radiator.init traceup and tracedown on
> RHEL5.
>
> Improvements to Server TACACSPLUS: Fixed a problem with the new
> AuthorizeGroupAttr that caused authorisation patterns to not be
> reset properly. Server TACACSPLUS now updates the global packet
> counts for each Tacacs+ request received. Database failures that
> IGNORE now cause a Tacacs *_STATUS_ERROR reply.
>
> Added goodies/cisco-vpn.txt a short description on how to
> configure Cisco VPN 3000 Concentrator VPN groups, and the
> limitations thereof.
>
> Fixed a case where Radiator would crash when certain local
> devices tried to connect to a tacacs port.
>
> Added example rule to goodies/tacacsplusserver.cfg showing how to
> use optional tacacs roles, including multiple optional roles.
>
> Added new parameter UnbindAfterServerChecksPassword to AuthBy
> LDAP2, which works around problems with some LDAP
> servers. Normally, when ServerChecksPassword is set, after
> Radiator checks a user's password the LDAP connection is not
> unbound. This can cause problems with some LDAP servers (notably
> Oracle ID and Novell eDirectory), where they unexpectedly cause
> the following LDAP query to fail with
> LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after
> each ServerChecksPassword bind.
>
> Added support for new -I command line flag to radiusd, which adds
> an include directory to the module search path. Patch by Heikki
> Vatiainen.
>
> In SqlDb::do(), Sql connections now detect PostgreSQL duplicate
> key violations, which are now not a cause for disconnect. Added
> similar tests to SqlDb::prepareAndExecute().
>
> Sample RAdmin configuration file that shows how to record Tacacs+
> commands to the Radmin RADCOMMANDAUDIT table for auditing, and
> viewing (RAdmin 1.14 plus latest patches required)
>
> The ServerRADIUS clause now supports AddToRequest, which makes it
> easy to tag requests that arrive by RADIUS to distinguish them from
> those arriving by TACACS+ or Diameter.
>
> Server HTTP log messages are now escaped so that HTML characters
> in the log do not cause display errors. Patch provided by Adam
> Bishop.
>
> Fixed a problem in Auth LDAP2 that could cause a crash if
> ServerChecksPassword and UnbindAfterServerChecksPassword are
> enabled, and certain LDAP errors occur during the
> ServerChecksPassword bind.
>
> Fixed spelling mistake in VENDORATTR Timetra-Home-Directory,
> Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS
> Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400
> switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR
> SAM-Security-Group-Name .
>
> Improvements to IPV6 handling so the absence of Socket6 causes a
> warning message instead of an exit.
>
> Added a number of FreeSwitch accounting VSAs to dictionary. Added
> a brief discussion paper about how to integrate FreeSwitch with
> Radiator. FreeSWITCH is a powerful and versatile telephony
> platform that can scale from a softphone to a PBX and even to a
> carrier-class softswitch.
>
> Log SYSLOG and AuthLog SYSLOG now support special characters in
> LogIdent, LogOpt and LogHost.
>
> TLS Streams, such as used with Radsec did not correctly verify
> certificates for 'hostname' if the Host address was specified in
> Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
>
> Fixed an issue where truncated EAP-Message requests would cause a
> log message like "Could not load EAP module Radius::EAP_"
> ..... This is now logged as invalid EAP type in EAP request and
> rejected. Reported by Daniel Rocha.
>
> Server TACACSPLUS now honours reply attributes correctly for
> ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
>
> Testing with XAMPP on
> Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
> is an excellent, easy to install bundle of useful tools such as
> Apache, MySQL, Perl etc for Windows. It is also a good base for
> installing Radiator on Windows, especially if you wish to use
> Radiator with RAdmin or a MySQL database. Updated installation
> documentation to include XAMPP on Windows.
>
> Added support for Novell eDirectory NMAS (Novell Modular
> Authentication System) to AuthBy LDAP2. NMAS allows Novell
> eDirectory to support and authenticate passwords using the Vasco
> Digipass NMAS method, and other third party token and non-token
> systems. Vasco Response-Only (RO) tokens are only supported since
> NMAS does not currently support challenge-response via
> RADIUS. Sample configuration file included.
>
> Ldap classes now support the "ipv6:" prefix for Ldap server Host
> names. If Host begins with "ipv6:" the subsequent host name(s)
> will be interpreted as IPV6 addresses where possible, and
> Net::LDAP will use INET6 to connect to the LDAP server.
>
> In AddressAllocator SQL, the default AllocateQuery was changed to
> check the STATE during the allocation to catch certain race
> conditions.
>
> With all Ldap clauses, removed the default BindAddress of
> 0.0.0.0. This was unnecessary and interferes in a non-obvious way
> with attempts to use ipv6: in the Host. Reported by Dyonisius
> Visser.
>
> Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
> RFC4669 - RADIUS Authentication Server MIB for IPv6
> RFC4671 - RADIUS Accounting Server MIB for IPv6
> The RFCs are included in distribution.
>
> Improvements to EAP handling to support multiple desired EAP
> types in EAP NAK response, per RFC 3748.
>
> Fixed incorrect error message that referred to
> ServerHTTP. Reported by Karl Gaissmaier.
>
> Added support for PacketTrace to Server TACACSPLUS, Server
> DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
>
> Fixed a problem where attributes of type ipv6prefix (such as
> Framed-IPv6-Prefix) would not be decoded correctly if they had
> fewer than 16 octets. Reported by Lee, Larry KT.
>
> Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even
> if the Called-Station-Id has the SSID of the AP appended as
> described in http://tools.ietf.org/html/rfc3580#section-3.20
>
> Added example perl script rpt.pl which logs packets which match a
> regexp. Contributed by Bart Dumon.
>
> Fixed a problem when using AuthBy RADIUS with Synchronous and
> Fork that if the secrets don't match (resulting in "Bad
> authenticator received in reply to ID 1. Reply is ignored"), this
> creates forked processes that never terminate and have to be
> manually force-killed. Reported by David Zych.
>
> Fixed a number of innocuous warnings when radiusd is run with
> perl -w.
>
> Added usage documentation for author_args in tacacsplustest.
>
> In AuthSQL, GroupMembershipQuery is now not passed any bind
> variables. If you wish to use bind variables with
> GroupMembershipQuery, use the new GroupMembershipQueryParam.
>
> Fixed a problem with Server HTTP where some versions of Firefox
> would hang when trying to access localhost:9048. Also fixed some
> innocuous warnings when run with the -w flag.
>
> Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some
> cases with some versions of Sys::Syslog, the loghost was not set
> correctly. Reported by Klara Mall.
>
> radiusd now unlinks PidFile during an orderly shutdown. Suggested
> by Klara Mall to prevent startup scripts being confused by stale
> PID files.
>
> Improvements to AddressAllocator SQL: If CheckPoolQuery is set to
> an empty string, no pool checking will be done at startup. If
> AddAddressQuery is set to an empty string, addresses will not be
> automatically added to the pool.
>
> Testing against RadiusGINA, a Windows RADIUS login authenticator
> from LSE http://lsexperts.de/. Works well, and easy to install.
>
> Fixed a problem in TLS Stream based protocols (such as AuthBy
> RADSEC, AuthBy DNSROAM etc), where ConnectOnDemand would not work
> correctly in the case where a TLS connection was being
> established and failed. Reported by Stefan Winter.
>
> Added goodies/radiusgina.txt, a brief introduction to RadiusGINA,
> a Windows RADIUS login authenticator from LSE http://lsexperts.de
>
> --
> Mike McCauley mi...@open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
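
The quoted release notes mention two AuthBy SQLTOTP changes: replay detection backed by an extra database column, and accepting tokens whose time drifts into the future. The Python sketch below is an added example and not Radiator code: it shows an RFC 6238 check with both properties, where `last_step` stands in for the stored per-token value, `window` and the function names are assumptions, and `time_step` / `time_step_origin` mirror the TimeStep and TimeStepOrigin parameters named in the notes.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the shared key used by the RFC 4226/6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, now, last_step,
                time_step=30, time_step_origin=0, window=1, digits=6):
    """Check a TOTP code and return (accepted, new_last_step).

    last_step is the highest time step already accepted for this token
    (assumed to be what the extra schema column stores; -1 if never used).
    window is how many steps of drift are tolerated, into the past and
    into the future.
    """
    current = (int(now) - time_step_origin) // time_step
    for step in range(current - window, current + window + 1):
        if step < 0:
            continue
        if step <= last_step:
            # Replay detection: this step, or a later one, was already
            # consumed, so a captured code cannot be presented again.
            continue
        expected = hotp(secret, step, digits)
        if hmac.compare_digest(expected.encode(), str(submitted).encode()):
            # The caller must persist the returned step atomically with
            # the accept decision, otherwise two racing logins both pass.
            return True, step
    return False, last_step


if __name__ == "__main__":
    state = -1
    # Constructed sequence: fresh code, same code replayed, then a code
    # from a token whose clock runs one step ahead of the server.
    for code in ("94287082", "94287082", "37359152"):
        ok, state = verify_totp(SECRET, code, now=59, last_step=state, digits=8)
        print(code, "accepted" if ok else "rejected", "last_step =", state)
```

Accepting a code from a future step moves `last_step` forward, so every code for an earlier step is rejected afterwards; that is the cost of tolerating forward drift with a single stored value.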