We are pleased to announce the release of Radiator version 4.13. This version contains one new module for authenticating against a YubiKey validation server and YubiHSM, some significant new features and bug fixes.
As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads/

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file https://www.open.com.au/radiator/history.html is below:

-----------------------------
Revision 4.13 (2014-04-16)
Radius proxying, IPv6, TACACS+, Diameter and other enhancements. Bug fixes.

Selected compatibility notes and enhancements

- Unknown attributes can now be proxied instead of being dropped.
- Diameter enhancements may require changes to custom Diameter modules.
- Major IPv6 enhancements include: attributes with IPv6 values can now be proxied without IPv6 support, and Socket6 is no longer an absolute prerequisite. The 'ipv6:' prefix is now optional and is not prepended in attribute values.
- TACACS+ authentication and authorization can now be decoupled.
- Bind variables are now available for AuthLog SQL and Log SQL.
- Status-Server requests without a correct Message-Authenticator are ignored. Status-Server responses are now configurable.
- LDAP attributes can now be fetched with base scope after a subtree scoped search. Useful, for example, for the tokenGroups AD attribute, which is not otherwise available.
- Newly added check for CVE-2014-0160, the OpenSSL Heartbleed vulnerability, may log false positives.
- New AuthBy for authenticating against a YubiKey validation server added.
- See the Radiator SIM pack revision history for supported SIM pack versions.

Detailed changes

- Added the attributes from RFC 6911 to the dictionary (Framed-IPv6-Address, DNS-Server-IPv6-Address, Route-IPv6-Information, Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These attributes override a number of attributes that were previously commandeered by Ascend and Merit. The Ascend ones are still available in ascend.dictionary.
  The Merit attributes were added under the existing Merit VSA entry and the non-VSA Merit attributes were removed from the main dictionary. The non-VSA Merit attributes will continue to be available in a new file goodies/dictionary.merit.
- AuthBy RADIUS and all its subclasses, e.g., AuthBy SQLRADIUS, LDAPRADIUS, MULTICAST and the proxy algorithm AuthBys, now support special characters in AuthPort and AcctPort. Suggested by David Zych.
- Added in dictionary: Huawei-Loopback-Address, vendor 6139 (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou Research and Development Center) and vendor 27262 (DANTE Ltd).
- Unknown attributes can now be proxied when the new global configuration flag ProxyUnknownAttributes is set to true. Unknown attributes are now always available with special names such as Unknown-9048-120, where 9048 is the vendor id and 120 is the vendor attribute number. Unknown attributes are now logged with level WARNING instead of ERR. A warning is logged for each attribute once per sender IP address. Attribute names starting with Unknown are reserved in the dictionary and are ignored when the dictionary is loaded.
- Added in dictionary: attributes from RFC 5447, RFC 6519, RFC 6677 and RFC 6930.
- Added support for dictionary type ipv4prefix required by RFC 6572. An example of the ipv4prefix format is '192.168.1.0/24'. Added attributes from RFC 6572 to the dictionary.
- A change in 4.12 caused ServerDIAMETER to always create new peer instances for new connections. This caused mainly WatchdogState DOWN log litter.
- AuthBy DIAMETER and other DiameterClient derived classes, such as the Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support the new option SCTPPeer. This option allows defining multiple SCTP peers for the initial SCTP association attempt.
- Added vendor Arista to the dictionary. Updated Netscreen values. Contributed by Garry Shtern.
- Fixed AuthBy NTLM so it will not leave zombie processes around during reconfigure. Reported by Garry Shtern.
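The unknown-attribute handling described in the ProxyUnknownAttributes item above, as an added Python example (not Radiator's Perl code): a minimal RFC 2865 attribute walker that opens up Vendor-Specific attributes, names anything missing from the dictionary Unknown-<vendor>-<number>, logs one WARNING per attribute and sender IP address, and either drops or forwards the unknowns depending on the flag. The toy dictionary, the sample request body and the `Unknown-<number>` name used for a non-vendor attribute are constructions of this example; the release notes only show the vendor form.

```python
import struct

VENDOR_SPECIFIC = 26

# Constructed toy dictionary: (vendor_id, attribute_number) -> name.
# vendor_id 0 stands for a standard, non-vendor attribute.
DICTIONARY = {
    (0, 1): "User-Name",
    (0, 4): "NAS-IP-Address",
    (9, 1): "cisco-avpair",
}


def load_dictionary_entry(dictionary, name, vendor_id, number):
    """Add one ATTRIBUTE line. Names starting with 'Unknown' are reserved for
    undecodable attributes and are ignored, as the 4.13 dictionary loader does."""
    if name.startswith("Unknown"):
        return False
    dictionary[(vendor_id, number)] = name
    return True


def parse_attributes(payload):
    """Walk the RFC 2865 attribute area and return (vendor_id, number, value)
    triples. Vendor-Specific (26) is opened so each vendor sub-attribute comes
    back on its own with its vendor id; malformed lengths raise ValueError."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = payload[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            out.append((0, atype, value))
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub, spos = value[4:], 0
        while spos < len(sub):          # one VSA may carry several sub-attributes
            if spos + 2 > len(sub):
                raise ValueError("truncated VSA sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad VSA length %d" % vlen)
            out.append((vendor_id, vtype, sub[spos + 2:spos + vlen]))
            spos += vlen
    return out


def attribute_name(vendor_id, number, dictionary=DICTIONARY):
    """Dictionary name, or the reserved Unknown-<vendor>-<number> form from the
    release notes. Unknown-<number> for a non-vendor attribute is an assumption
    of this example."""
    name = dictionary.get((vendor_id, number))
    if name is not None:
        return name
    return "Unknown-%d-%d" % (vendor_id, number) if vendor_id else "Unknown-%d" % number


class ProxyFilter:
    """Decides which attributes of a request are forwarded, logging a WARNING
    for each unknown attribute once per sender IP address."""

    def __init__(self, proxy_unknown_attributes=False):
        self.proxy_unknown_attributes = proxy_unknown_attributes
        self.warned = set()     # (sender_ip, name) pairs already reported
        self.log = []           # constructed stand-in for the Radiator log

    def forward(self, sender_ip, payload):
        kept = []
        for vendor_id, number, value in parse_attributes(payload):
            name = attribute_name(vendor_id, number)
            if name.startswith("Unknown-"):
                if (sender_ip, name) not in self.warned:
                    self.warned.add((sender_ip, name))
                    self.log.append("WARNING: unknown attribute %s from %s" % (name, sender_ip))
                if not self.proxy_unknown_attributes:
                    continue        # dropped: the pre-4.13 behaviour
            kept.append((name, value))
        return kept


# Constructed sample request body: User-Name "bob", a VSA from vendor 9048 with
# sub-attribute 120, and an undefined standard attribute 200.
SAMPLE_PAYLOAD = (
    bytes([1, 5]) + b"bob"
    + bytes([VENDOR_SPECIFIC, 10]) + struct.pack("!I", 9048) + bytes([120, 4]) + b"xy"
    + bytes([200, 3]) + b"\x01"
)

if __name__ == "__main__":
    f = ProxyFilter(proxy_unknown_attributes=True)
    for name, value in f.forward("192.0.2.10", SAMPLE_PAYLOAD):
        print(name, value)
    print("\n".join(f.log))
```

With the flag off the filter forwards only User-Name and logs two warnings; a second request from the same sender adds no log lines, while a different sender IP does.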
- AuthBy RATELIMIT now supports the optional parameter MaxRateResult, which allows specifying the result when MaxRate is exceeded. MaxRateResult defaults to IGNORE.
- Significant IPv6 changes. Socket6.pm is no longer required if the core Socket module provides the required IPv6 support. Attributes with IPv6 address or prefix type are now handled as binary if there is no Socket or Socket6 for IPv6 support. This fixes the problem with proxying when Socket6 was not installed. The prefix 'ipv6:' for IPv6 addresses is no longer required but will be accepted. Decoded values for IPv6 address type attributes will no longer have the 'ipv6:' prefix. Startup log messages now contain information about the IPv6 support.
- Updated 3GPP (vendor 10415) attributes in the dictionary. 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier were added. 3GPP-Charging-Gateway-Address, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address are now the main attribute names while 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases. The 3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias. Attribute types were corrected to use e.g., ipaddrv6, integer8 and integer16 for correct encoding and decoding. Added values for enumerated integer types.
- Reverted the previous attribute canonical name changes for vendor 3GPP. 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the names Radiator will use for decoding the attributes. The new names will be recognised as aliases. Also, the 3GPP-PDP-Context name for value 0 is IP and IPv4 can be used as an alias.
- EAP_25.pm now makes the inner identity available via the outer context, improving logging options.
- Updated Application IDs.
- Updated the vendor 3GPP (10415) RADIUS compatible attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type values, fixed 3GPP-*-Address encoding to use OctetString instead of Address type; 3GPP-RAT-Type and other 8 bit enumerated values are now encoded correctly.
  The 3GPP attribute Location-Estimate type is now OctetString.
- Improvements to the sample wimax.sql database schema to support long capabilities values.
- Added VENDOR Radware 89 and VSA Radware-Role to the dictionary.
- The logging level for rejected authentication attempts can now be configured globally and for each Handler or Realm. The level is set with the new parameter LogRejectLevel. This optional parameter uses the same values as the Trace option, and can be set globally or per Handler or Realm.
- Further logging enhancements. PacketTrace can now be configured to skip selected Log clauses. The new flag parameter IgnorePacketTrace can be set in Log clauses which should not participate in PacketTrace logging. Thanks to David Zych for ideas and assistance with the latest logging improvements.
- Trailing NULs are now stripped from TACACS+ authorization arguments. Reported by Tim Cheyne.
- Fixed a bug in Diameter Address format encoding with IPv6 addresses. DiaClient now correctly formats the IPv6 address in Host-IP-Address for TCP connections.
- The TacacsClient module now supports connecting to TACACS+ servers over IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+ servers. Requires IO::Socket::INET6.
- Account expiry dates starting with 'Mmm dd' for the Expiration, ValidTo and ValidFrom check items now correctly check for valid month names. Reported by Kennyen Choo.
- Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to the dictionary.
- Worked around the duplicate name for the 3GPP Diameter Gx interface.
- Fixed typos in Diameter application names.
- ClientListSQL was calling the parent's initialize twice. Clarified the AuthSQLHOTP and AuthSQLTOTP parent initialize calls.
- Improvements to logging. Added support in Log.pm and LogGeneric.pm for dynamically setting the Trace level. An example of using User-Name from the current request is in goodies/hooks.txt.
- Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm handling.
- Worked around the duplicate name for the 3GPP Diameter Rx interface.
- When the special %s is used, the microseconds are now left padded with zeroes. Suggested by David Zych.
- PEAP and EAP-TTLS now make the maximum fragment size available to inner authentication protocols. EAP-TLS was improved to use this information. This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better in environments with variable Framed-MTU sizes.
- When reading parameter settings from a file with file:"filename", any trailing newlines are now removed from the end of the file to make sure the value is correctly parsed. Reported by David Zych.
- Added goodies/address-allocator-sql.txt for further AddressAllocator SQL examples. Initial examples include MySQL and PostgreSQL queries for environments with multiple Radiator instances allocating from the same database.
- RDict.pm now supports the new method vendorByNum, which returns vendor data for a given vendor number.
- Enhanced Starent VSA decoding to make sure invalid lengths do not cause a crash. Added support and attributes for Starent VSAs which use 1 byte for type and 1 byte for length. The Starent VSAs in the Radiator default dictionary use 2 bytes for type and length. Loading goodies/dictionary.starent-vsa1 after the default dictionary will cause Starent VSAs to use 1 byte type and length. The Starent VSAs in the default dictionary will not work with dictionary.starent-vsa1 and should not be used.
- Significant changes in Diameter dictionary handling: the dictionaries can now be separate modules and a specific dictionary is defined for each application. Diameter Credit Control attributes were moved into module DiaDict_4.pm while the Diameter base, NASREQ, Mobile IPv4, base accounting, EAP, SIP and relay applications still use the default dictionary DiaDict.pm. Any new dictionaries will be created as separate modules. Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer, ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil and DiaDict_4.
- Added support for salted and non-salted SHA-2 hashed passwords.
  Supported formats are {SHA256}, {SSHA256}, {SHA384}, {SSHA384}, {SHA512} and {SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2 hashing. Suggested by Alexander Hartmaier.
- AddressAllocator DHCP can now use the Class attribute for allocation state when configured with UseClassForAllocationInfo. This enables allocation and deallocation to work between server farm members. Configuration notes are in goodies/addressallocatordhcp.cfg.
- Clarified some of the AddressAllocator DHCP options in addressallocatordhcp.cfg.
- The functions pack_sockaddr_pton and gethostbyname in Util.pm and UtilSocket6.pm misinterpreted some hostnames as IPv6 addresses. Reported by Emanuel José Freitas.
- Updated Huawei VSAs in the dictionary. Contributed by Alexander Hartmaier.
- The AddressAllocator identifier in AuthBy DYNADDRESS now supports special formatting characters.
- Change in the DiaPeer watchdog to recover better from unresponsive but still open TCP connections.
- Diameter dictionaries now support attribute flags. Added add_attr_d, get_attr_d and get_attrs_d in AttrList.pm for adding and accessing Diameter attributes by their names. Any flags, such as the M flag, are automatically added based on the dictionary.
- DiaAttrList and RadiusDiameterGateway now correctly set the dictionary when using DiaAttrlist->new().
- DiaDict is more verbose about possible problems with parsing dictionary files.
- Marked the GroupCacheFile option in ServerTACACSPLUS as deprecated and removed the code related to it. ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted TACACS+ authentication and accounting requests in a more consistent manner. Use of the deprecated CommandAuth option gives a warning during startup. Minor cleanups to remove warnings when -w is used. Fixed the mapping of a missing GroupMemberAttribute value to 'DEFAULT', broken in the previous patch. Updated tacacsplusserver.cfg in goodies.
- ServerTACACSPLUS can now create a RADIUS Access-Request when a TACACS+ authorization request is received but no authorization info is known for the user. This can happen, for example, when Radiator is restarted or the TACACS+ client uses some other protocol for authentication. These RADIUS Access-Requests carry the Service-Type attribute with value Authorize-Only. Authorization based requests are enabled with the AllowAuthorizeOnly flag, which defaults to off. Updated tacacsplusserver.cfg and added OSC-TACACS-Authen-Method to the dictionary.
- AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2 authentication attempts instead of letting the password check fail each time.
- Added support for PBKDF2 derived User-Password check items. Uses HMAC-SHA1 as the Pseudo Random Function (PRF). Requires Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be used to create a derived password in the form Radiator honours.
- AuthLog SQL now supports the SuccessQueryParam and FailureQueryParam parameters, which allow SQL bind variables to be used.
- AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate verification. The new parameter ChallengePrefix allows setting the common prompt for PIN change and other challenge questions. Suggested by Garry Shtern.
- Log SQL now supports LogQueryParam parameters, which allow SQL bind variables to be used.
- Changes so that the plaintext password is not logged at debug level during EAP-TTLS/PAP authentication.
- Added support for the SSLVerify, SSLCAPath, SSLVerifyCNName, SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later, otherwise they are ignored. SSL client certificate options are now set using LWP if LWP version 6.0 or later is detected. These changes allow RSA AM server HTTPS certificate verification without environment variables.
- tacacsplustest in goodies now supports the -bind_address command line argument.
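The two password check item additions above, the {SHA256}/{SSHA256}/... family and the PBKDF2-with-HMAC-SHA1 form, as one added Python example (not Radiator's sha.pl, ssha.pl or pbkdf2.pl): builders that produce a stored check item and verifiers that compare a candidate password against it in constant time. Two layouts are assumptions of this example: the SHA-2 items use the LDAP convention base64(digest(password || salt) || salt), and the {PBKDF2} record `HMACSHA1:<iterations>:<base64 salt>:<base64 key>` is constructed here, not the form goodies/pbkdf2.pl emits. The PBKDF2 derivation itself is checked against the RFC 6070 test vectors in the test.

```python
import base64
import hashlib
import hmac
import os

# {SHAnnn} / {SSHAnnn} schemes named in the release notes, mapped to hashlib.
SHA2 = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def make_sha2_item(password, scheme, salt=None):
    """Build a {SHA256}/{SSHA256}/... check item. Layout assumed here (LDAP
    convention): base64(digest(password || salt) || salt); unsalted schemes
    carry no salt. The release notes do not state the exact layout."""
    salted = scheme not in SHA2
    if salted and not (scheme.startswith("S") and scheme[1:] in SHA2):
        raise ValueError("unsupported scheme " + scheme)
    algo = SHA2[scheme[1:] if salted else scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_sha2_item(item, candidate):
    """Verify a candidate password against a {SHAnnn}/{SSHAnnn} check item."""
    if not item.startswith("{") or "}" not in item:
        return False
    scheme, encoded = item[1:].split("}", 1)
    salted = scheme.startswith("SSHA")
    algo = SHA2.get(scheme[1:] if salted else scheme)
    if algo is None:
        return False
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    size = algo().digest_size
    if len(blob) < size or (not salted and len(blob) != size):
        return False
    digest, salt = blob[:size], blob[size:]
    expected = algo(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)   # constant-time compare


def pbkdf2_derive(password, salt, iterations, dklen=20):
    """PBKDF2 with HMAC-SHA1 as the PRF, the combination the 4.13 check item uses."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)


def make_pbkdf2_item(password, iterations=10000, salt=None):
    """Store the derived key. Record layout constructed for this example:
    {PBKDF2}HMACSHA1:<iterations>:<b64 salt>:<b64 key>."""
    salt = os.urandom(16) if salt is None else salt
    key = pbkdf2_derive(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "{PBKDF2}HMACSHA1:%d:%s:%s" % (iterations, b64(salt), b64(key))


def check_pbkdf2_item(item, candidate):
    """Re-derive with the stored salt and iteration count and compare."""
    if not item.startswith("{PBKDF2}"):
        return False
    try:
        prf, iterations, salt, key = item[len("{PBKDF2}"):].split(":")
        iterations = int(iterations)
        salt = base64.b64decode(salt, validate=True)
        key = base64.b64decode(key, validate=True)
    except ValueError:              # wrong field count, bad int or bad base64
        return False
    if prf != "HMACSHA1" or iterations < 1 or not key:
        return False
    return hmac.compare_digest(pbkdf2_derive(candidate, salt, iterations, len(key)), key)


def check_password(item, candidate):
    """Dispatch on the check item prefix, as a User-Password check would."""
    if item.startswith("{PBKDF2}"):
        return check_pbkdf2_item(item, candidate)
    return check_sha2_item(item, candidate)


if __name__ == "__main__":
    print(make_sha2_item("secret", "SSHA256"))
    print(make_pbkdf2_item("secret"))
```

Any malformed item (unknown scheme, invalid base64, wrong field count) verifies as False rather than raising, so a corrupt database row becomes a rejected authentication rather than a crashed worker.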
- The TacacsClient module can now pass a local address to the socket constructor.
- Added the eduroam-Monitoring-Inflate VSA to the dictionary.
- Added the StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.
- Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet dumps only when the log level is DEBUG or more verbose. IPv6 capability is now logged at DEBUG level if IPv6 functionality is provided by the Perl core or Socket6. An INFO level message is logged only when there is no full IPv6 functionality.
- Added the new module AuthBy YUBIKEYVALIDATIONSERVER with example configuration yubikey-validationserver.cfg. Authenticates against a Yubikey Validation server. This allows a YubiHSM Hardware Security Module (HSM) to be used by one or more Radiator servers at the same time. The YubiHSM can be installed on the same server that Radiator runs on, or on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move common code to AuthYUBIKEYBASE.pm, allowing AuthBy YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey specific support modules such as Auth::Yubikey_Decrypter.
- Added in dictionary: attributes from RFC 7055. These started as UKERNA, vendor 25622, VSAs.
- Removed unneeded code from EAP_25.pm and TLS.pm.
- Added the new global and Client specific configuration parameter StatusServer. This parameter sets the Status-Server response verbosity. The supported values are off, minimal and default. The global default can be overridden by each Client clause. Status-Server requests without a correct Message-Authenticator attribute are now ignored.
- Added the new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can now be configured to do a two step search: first locate the user's DN, then follow with a second search where the search base is set to that DN and the scope to 'base'. This is required, for example, to get access to Windows AD constructed attributes, such as tokenGroups, which are only returned when the search scope is set to base.
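The Status-Server rule above ("requests without a correct Message-Authenticator attribute are now ignored"), as an added Python example that is not Radiator code: a client-side builder for a Status-Server request (code 12) carrying Message-Authenticator (attribute 80, HMAC-MD5 over the packet with the attribute value zeroed, per RFC 2869/RFC 5997) and the server-side check that silently ignores a request whose Message-Authenticator is missing, malformed or wrong. The shared secret and Request Authenticator in the test are constructed; the reply builder only shows an empty Access-Accept with a correct Response Authenticator and does not model what the StatusServer verbosity values add.

```python
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


def find_message_authenticator(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent
    or if the attribute area is malformed."""
    pos = HEADER.size
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None


def compute_message_authenticator(packet, secret, value_offset):
    """HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Message-Authenticator value itself replaced by 16 zero bytes."""
    zeroed = packet[:value_offset] + b"\x00" * 16 + packet[value_offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_status_server(identifier, secret, request_authenticator=None, sign=True):
    """Client side. sign=False produces the pre-4.13-tolerated unsigned form,
    used here only to show that the server now ignores it."""
    ra = os.urandom(16) if request_authenticator is None else request_authenticator
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16 if sign else b""
    packet = HEADER.pack(STATUS_SERVER, identifier, HEADER.size + len(attrs), ra) + attrs
    if sign:
        off = find_message_authenticator(packet)
        mac = compute_message_authenticator(packet, secret, off)
        packet = packet[:off] + mac + packet[off + 16:]
    return packet


def accept_status_server(packet, secret):
    """Server side: True only for a well-formed Status-Server whose
    Message-Authenticator verifies; everything else is ignored (no reply)."""
    if len(packet) < HEADER.size:
        return False
    code, _ident, length, _ra = HEADER.unpack_from(packet)
    if code != STATUS_SERVER or length != len(packet):
        return False
    off = find_message_authenticator(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, off)
    return hmac.compare_digest(expected, packet[off:off + 16])


def response_authenticator(reply_prefix, request_authenticator, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    reply_prefix is the 4-byte header plus any attributes."""
    return hashlib.md5(reply_prefix[:4] + request_authenticator + reply_prefix[4:] + secret).digest()


def status_server_reply(packet, secret):
    """Empty Access-Accept for an accepted Status-Server, None when ignored."""
    if not accept_status_server(packet, secret):
        return None
    _code, ident, _len, ra = HEADER.unpack_from(packet)
    prefix = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER.size)
    return prefix + response_authenticator(prefix, ra, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_status_server(1, secret)
    print("accepted:", accept_status_server(req, secret))
    print("unsigned accepted:", accept_status_server(build_status_server(2, secret, sign=False), secret))
```

Note the check is keyed by the client's shared secret, so a probe from a host that knows no valid secret produces no reply at all, which is the point of ignoring rather than rejecting such requests.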
- Updated ldap.cfg in goodies.
- Removed the old and unneeded FirstSendTime, LastSendTime and Attempts from Radius.pm.
- EAP-TTLS now correctly exports the inner identity with $rp->{inner_identity} when the inner authentication is EAP.
- Added OSC-SIM-* attributes for exporting SIM/USIM authentication information.
- Added attributes for the upcoming RFC "RADIUS Attributes for IEEE 802".
- AuthBy SIP2 now honours the Timeout option when connecting to SIP2 servers. The timeout defaults to 3 seconds.
- Added the new parameter FailureBackoffTime to Resolver. If the lookup failed to discover any results and there was a timeout while waiting for the nameserver, this optional value specifies how long Radiator will wait before another lookup is made. The previous behaviour was to try again after NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old behaviour reported by Paul Dekkers.
- ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in CER. This is required by the current Diameter base RFC 6733. Value 0 is no longer announced with Acct-Application-Id in CER. Updated diameter-server.cfg.
- Added the new global parameter KeepSocketsOnReload. Note: this is currently considered experimental. This optional flag controls whether opened RADIUS listen sockets should be left intact on a reload request. When enabled, changes to BindAddress, AuthPort and AcctPort are ignored during reload. You may consider enabling this option when incoming RADIUS requests should be buffered during the reload instead of ICMP unreachable messages being sent back to the RADIUS clients. Contributed by Garry Shtern.
- Attributes added to the reply by EAP-FAST inner authentication will now be copied to the outer Access-Accept too. This is similar to how PEAP and EAP-TTLS already function. Suggested by Jakob Schlyter.
- Added the first version of the RuntimeChecks module with two checks. The first uses Net::SSLeay to try to detect OpenSSL versions which may have the Heartbleed (CVE-2014-0160) vulnerability.
  The second test checks for the availability of Digest::MD4, which is often required because of MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be disabled with the new configuration parameter DisabledRuntimeChecks. Future checks are added as needed. The module is also available for Hooks to implement site local checks.
- The Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access were incorrectly entered in the dictionary. Reported by Jason Griffith.
- Ldap.pm could crash while logging with old Net::LDAP versions. Reported by Mauricio Montoya Bustamante.

- Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
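The RuntimeChecks item in the history extract above (a Heartbleed version check that may log false positives, an MD4 availability check, and a DisabledRuntimeChecks knob), as an added Python example that is not Radiator's RuntimeChecks module: it parses an OpenSSL version string of the kind Net::SSLeay or Python's `ssl.OPENSSL_VERSION` reports, flags the range the OpenSSL advisory for CVE-2014-0160 lists as affected (1.0.1 through 1.0.1f, and 1.0.2-beta1), and shows why the result is only a hint: a distribution build that backported the fix keeps the old version string and is reported as suspect anyway. The MD4 check uses `hashlib` as a stand-in for Digest::MD4, and the check registry and `environment` dict are constructions of this example.

```python
import hashlib
import re
import ssl

# Version grammar: 1.0.1e, 1.0.1e-fips, 1.0.2-beta1, 1.1.1k ...
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(version_string):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1, 'e', None);
    'OpenSSL 1.0.2-beta1' -> (1, 0, 2, '', 1); None if nothing parses."""
    m = VERSION_RE.search(version_string)
    if not m:
        return None
    major, minor, fix, letters, beta = m.groups()
    return (int(major), int(minor), int(fix), letters, int(beta) if beta else None)


def heartbleed_suspect(version_string):
    """True when the version falls in the affected range: 1.0.1 up to and
    including 1.0.1f, plus 1.0.2-beta1. Fixed releases are 1.0.1g and
    1.0.2-beta2. Version-string only, so backported fixes look suspect too."""
    parsed = parse_openssl_version(version_string)
    if parsed is None:
        return False
    major, minor, fix, letters, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        return len(letters) <= 1 and letters <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def md4_available():
    """Stand-in for the Digest::MD4 check: MSCHAP/MSCHAP-V2 need MD4, which
    hashlib only offers when the linked OpenSSL still provides it."""
    try:
        hashlib.new("md4")
        return True
    except ValueError:
        return False


def check_heartbleed(env):
    version = env["openssl_version"]
    if heartbleed_suspect(version):
        return "%s may be vulnerable to CVE-2014-0160; confirm the build has no backported fix before acting" % version
    return None


def check_md4(env):
    if not env["md4_available"]:
        return "MD4 digest unavailable; MSCHAP and MSCHAP-V2 will fail"
    return None


# Check registry; the names are what DisabledRuntimeChecks would refer to here.
CHECKS = {"heartbleed": check_heartbleed, "md4": check_md4}


def run_runtime_checks(disabled=(), environment=None):
    """Run every check not listed in `disabled`; returns {name: warning or None}."""
    env = environment or {"openssl_version": ssl.OPENSSL_VERSION, "md4_available": md4_available()}
    return {name: check(env) for name, check in CHECKS.items() if name not in disabled}


if __name__ == "__main__":
    for name, warning in run_runtime_checks().items():
        print("%-10s %s" % (name, warning or "ok"))
```

Calling `run_runtime_checks()` without arguments inspects the interpreter's own OpenSSL; passing an `environment` dict lets the same logic be exercised against recorded version strings, which is how the test below pins the affected and fixed boundaries.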