Hi Heikki, that's a great release! I couldn't find info about CEF and JSON logging in the reference manual, should be included at least as keywords with a pointer to the 'logformat.cfg' goodies file although I'd prefer having it in the main docs.
Is there a way to log the used TLS version and cipher to find out which ones are in use before restricting it with the new EAPTLS_Protocols and EAPTLS_Ciphers config options?

Best regards,
Alex

On 2015-07-15 14:40, Heikki Vatiainen wrote:
> We are pleased to announce the release of Radiator version 4.15
>
> This version contains fixes for an EAP-MSCHAP-V2 and EAP-pwd
> vulnerability. Upgrade is recommended. Please review OSC security
> advisory OSC-SEC-2015-01 for more information:
> https://www.open.com.au/OSC-SEC-2015-01.html
>
> As usual, the new version is available to current licensees from:
> https://www.open.com.au/radiator/downloads/
>
> and to current evaluators from:
> https://www.open.com.au/radiator/demo-downloads
>
> Licensees with expired access contracts can renew at:
> https://www.open.com.au/renewal.html
>
> An extract from the history file
> https://www.open.com.au/radiator/history.html is below:
>
> -----------------------------
>
> Revision 4.15 (2015-07-15)
>
> Selected fixes, compatibility notes and enhancements
>
> Fixes an EAP-MSCHAP-V2 and EAP-pwd vulnerability.
> OSC recommends all users to review OSC security advisory
> OSC-SEC-2015-01 to see if they are affected.
> https://www.open.com.au/OSC-SEC-2015-01.html
>
> perl-ldap-0.32 or better is required. Should be available in all current
> systems.
>
> EAP-pwd requires Crypt::OpenSSL::Bignum 0.06 or later from CPAN
>
> Configurable TLS version and ciphersuite selection for TLS based EAP and
> stream modules
>
> CRL checks for the entire certificate chain can now be enabled
>
> Included Gossip framework with Redis based implementation
>
> Support for Gossip when communicating next hop proxy failures between
> Radiator instances
>
> Shared duplicate cache for a simpler server farm configuration
>
> Windows Event Log support
>
> Custom format support for logs, authentication logs and accounting logs.
> CEF and JSON included
>
> Support for IEEE 802.1AE, also known as MACsec
>
> All AuthBys now support PostAuthHooks
>
> Various binary modules are now available from OSC and were removed from
> the Radiator distribution
>
>
> Detailed changes
>
> Added VENDOR STI (Server Technology Inc.) 1718 and multiple STI VSAs to
> dictionary. Contributed by Garry Shtern.
>
> Added VENDOR PacketDesign 8083 and VSAs PacketDesign-UserClass and
> PacketDesign-FTP to dictionary. Contributed by Garry Shtern.
>
> Added SN-Software-Version to dictionary. Reported by Bruno Tiago Rodrigues.
>
> Changed type of VENDORATTR 3076 Cisco-VPN-DHCP-Network-Scope in
> dictionary.cisco-vpn from text to ipaddr. Reported by Kilian Krause.
>
> Dictionary updates: Added H3C proprietary values H3C-SSH and H3C-Console
> for Login-Service. Changed Lancom LCS-Mac-Address type from string to
> hexadecimal. Added H3C-Priority. All reported by Philip Herbert.
>
> Zero length writes are now skipped in Stream.pm write_pending() used by
> RadSec, Diameter, SIGTRAN and other stream protocols. SCTP does not
> support 0 length syswrites on all platforms and may close the socket if
> a zero length write is done.
>
> Added VENDOR Airespace 14179 VSAs 7-11 and 13-16 to dictionary.
>
> AuthBy GROUP now updates current AuthBy for %{AuthBy:parmname}. When
> AuthBy GROUP is used, this special formatting now gets the parameter
> value from the current AuthBy within the group instead of the AuthBy
> GROUP itself.
>
> Updated VENDOR 1991 Foundry VSAs in dictionary. foundry-privilege-level
> is now a synonym for brocade-privilege-level. Added a number of foundry
> VSAs.
>
> LDAP Version now defaults to 3 instead of 2. Updated a number of LDAP
> configuration example files in goodies to reflect this change.
>
> Ldap.pm now uses the LDAP object's disconnect method, instead of closing
> the socket directly.
>
> AuthBy LDAP2 and AuthBy LDAPDIGIPASS now use escape_filter_value
> provided by Net::LDAP::Util instead of escapeLdapLiteral in Ldap.pm.
> Ldap.pm escapeLdapLiteral is now deprecated and perl-ldap-0.32 or
> better is required.
>
> RefreshPeriod in ClientListSQL and ClientListLDAP now supports special %
> formatting. Suggested by Bengi Sağlam.
>
> Updated VENDOR 2011 Huawei VSAs in dictionary. Huawei-Input-Basic-Rate
> is now an alias for Huawei-Input-Peak-Rate. Huawei-Output-Basic-Rate was
> changed similarly. Some of the attribute numbers appear to have
> different names and types between different devices. Huawei-User-Type,
> Huawei-MIP-Agent-MN-Flag and Huawei-Requested-APN are now aliases but
> aliasing may be handled with separate dictionary files in the future.
> Huawei-HW-Portal-Mode was renamed to Huawei-Portal-Mode.
>
> WiMAX dictionary updates: changed WiMAX-Session-Termination-Capability
> type to integer and added one value: Dynamic-Authorization. Changed
> WiMAX-PPAQ TLV Quota-Identifier type to binary. WiMAX subattributes
> within a single Vendor-Specific attribute are now correctly decoded.
>
> Dictionary updates for Huawei: Reverted the recent aliasing changes. The
> conflicting attributes are now in a new Huawei specific dictionary file
> goodies/dictionary.huawei1. This new dictionary file contains attributes
> used by, for example, Huawei packet gateway / Wi-Fi controller. Since
> Huawei seems to use device specific dictionaries, additional dictionary
> files are added as needed.
>
> Added new AuthLog EVENTLOG and Log EVENTLOG modules for logging to
> Windows Event Log. Added eventlog.cfg in goodies for a configuration
> example and more information about how to set up registry and DLL Event
> Log helpers. Precompiled DLLs are available in goodies\windows-dll with
> source files and compilation examples.
>
> radiusd now handles SIGINT (typically from Ctrl-C) similar to SIGTERM.
>
> Added support for shared and global DupCache. Radiator now supports 3
> different options for the new DupCache configuration parameter: local
> (the default), shared (uses shared memory) and global (uses Radiator's
> Gossip framework). When DupCache is set to shared, DupCacheFile sets the
> location of the mmapped shared memory file. Shared DupCache is recommended
> when the FarmSize configuration parameter is set. With shared or global
> DupCache, the backend workers do not need to have
> UseContentsForDuplicateDetection enabled anymore. DupCache shared
> requires the Cache::FastMmap module. Sample configuration eapbalance.cfg in
> goodies was updated to demonstrate the new configuration parameters
> DupCache and DupCacheFile.
>
> Added a number of VENDOR 22610 A10-Networks VSAs in dictionary.
> Contributed by Scott Bertilson.
>
> Changed the types of WiMAX-PPAQ TLVs Volume-Quota, Volume-Threshold,
> Resource-Quota and Resource-Threshold to hexadecimal. This makes the 8
> or 12 byte long values easier to handle in PPAQ applications.
>
> Updated shared and global DupCache debugging and initialisation. If the
> required Cache::FastMmap is not available when DupCache is set to
> 'shared', Radiator will log a message and refuse to start. The
> availability of Cache::FastMmap is checked during the configuration phase.
>
> Added support for Gossip protocol framework and Redis based Gossip
> implementation. Radiator's Gossip implementation allows Radiator
> instances to share information and event notifications. The instances
> may be part of a server farm, completely separate processes running on the
> same or different hosts or any combination thereof. Redis based
> Gossip is configured with the GossipRedis clause. At first, Gossip support
> is provided for RADIUS duplicate cache: When the global configuration
> parameter DupCache is set to 'global', GossipRedis will be used for
> RADIUS duplicate cache. More Radiator modules will be added and upgraded
> to use the Gossip framework in the future. Requires Data::MessagePack
> and Redis Perl modules from CPAN.
>
> Updated AuthLog SQL examples in goodies to use SQL bind variables.
>
> Added Radiator Gossip framework support to AuthBy RADIUS. Multiple
> Radiator instances can now communicate next hop host unreachability and
> reachability information with Gossip messages. This allows, for example,
> just one member to run Status-Server queries when the FarmSize configuration
> parameter is enabled. Added new configuration parameter
> NoKeepaliveTimeoutForChildInstances to limit Status-Server probing to
> the first farm instance only. The new features are also available to
> AuthBy RADIUS sub-types, such as ROUNDROBIN and HASHBALANCE. See
> goodies/farmsize.cfg for a configuration example with shared duplicate
> cache and Gossip and Redis configuration.
>
> Updated EAP-pwd to use the unpatched version of Crypt::OpenSSL::Bignum.
> Radiator 4.14 and earlier required Crypt::OpenSSL::Bignum 0.04 +
> patches. These patches are no longer needed, and version 0.06 or later
> from CPAN is now required instead. Caution: Crypt::OpenSSL::Bignum 0.04
> + patches in Radiator goodies no longer work with the current version of
> EAP_52.pm (EAP-pwd). You must update to Crypt::OpenSSL::Bignum 0.06 or
> later.
>
> Updated dictionary with new attributes for vendors 14823 Aruba, 25053
> Ruckus and 25506 H3C.
>
> Fixed a problem that could cause a crash if AuthBy RADIUS was configured
> with the Synchronous parameter, FailureBackoffTime was set and the next
> hop proxy became unreachable. Reported by Diogo Gonçalves.
>
> EAP-pwd now correctly adds the user's and AuthBy's reply attributes in
> the Access-Accept.
>
> The first components in @INC, the Perl library search locations, are now
> checked for readability. Unreadable directories may cause hard to
> diagnose failures when Perl modules are loaded. This may happen, for
> example, when the radiusd process is started as a user with restricted
> privileges. Reported by Kilian Krause.
>
> Added support for AuthBy specific PostAuthHook configuration parameters.
> All AuthBys can now define a PostAuthHook that will be called when the
> AuthBy is done processing the request and has returned. The hook
> parameters are the same as for Handler's PostAuthHook. After the
> optional PostAuthHook has run, result, reason and Identifier from the
> AuthBy are saved in $p for subsequent AuthBys and other use. Updated
> duo.cfg in goodies to use PostAuthHook for password splitting.
>
> Added support for IEEE 802.1AE, also known as MACsec. Radiator will now
> return the EAP-Key-Name attribute if requested by the RADIUS client.
> EAP-Key-Name is supported for the following EAP methods: EAP-FAST,
> EAP-pwd, EAP-TLS, EAP-TTLS and PEAP.
>
> RADIUS attributes using the encrypt=2 flag or decode/encode_salted directly
> now have their initialisation vector set to all zeroes when there would
> otherwise be a circular dependency between the RADIUS fixed header
> Authenticator, the initialisation vector, and the encrypted attribute
> value. This allows, for example, proxying RFC 5176 dynamic
> authorization requests so that the encrypted values can be correctly
> recovered, provided that the target also uses a zero IV similarly. Known to
> work with vendor 6527.
>
> EAP-TLS now rejects possible EAP-TLS conversation restart attempts
> instead of replying, again, with an alert. Some EAP-TLS peers, such as
> Windows, may try to restart the EAP-TLS conversation after certain
> alerts such as 'Unknown CA'. Reported by Pieter Jan Van Meerbeeck.
>
> Updated a number of configuration samples in goodies: 'DupInterval 0' is
> usually not needed and can be harmful. The default value of 10 seconds
> is preferred and non-default values are only necessary in very unusual
> circumstances. Handler clauses are in most cases more flexible than
> Realm clauses. Other typo fixes and small corrections.
>
> EAP-FAST now checks Net::SSLeay::get_keyblock_size() calls for error
> return values. Also, Net::SSLeay 1.68 and earlier with OpenSSL 1.0.1 and
> later may return incorrect values, not errors, for get_keyblock_size()
> which cause authentication to fail. A fix in Net::SSLeay 1.69 allows it to
> return correct values with recent OpenSSL versions, and any error return
> values are now correctly checked by EAP-FAST.
>
> Added new configuration parameter TLS_Protocols to set the supported SSL
> and TLS protocols for Stream based modules, such as Diameter and RadSec.
> New configurations should use TLS_Protocols instead of UseSSL or UseTLS.
> TLS_Protocols overrides UseSSL and UseTLS when defined. TLS_Protocols is
> not defined by default. Added new configuration parameter
> EAPTLS_Protocols to set the supported TLS protocols for TLS based EAP
> methods, such as EAP-TLS, EAP-TTLS and PEAP. EAPTLS_Protocols is not
> defined by default. Both TLS_Protocols and EAPTLS_Protocols accept a
> list of comma separated values. The supported values are: SSLv3, TLSv1,
> TLSv1.1 and TLSv1.2. Added new configuration parameters TLS_Ciphers and
> EAPTLS_Ciphers to define the allowed cipher suites for Stream protocols
> and TLS based EAP methods. The parameter format is OpenSSL cipher string
> format. Both parameters default to DEFAULT:!EXPORT:!LOW. TLS_Ciphers and
> EAPTLS_Ciphers can be defined separately from TLS_Protocols and
> EAPTLS_Protocols.
>
> Updated vendor ZTE 3902 VSAs in dictionary.
>
> Added support for TLS_Protocols and TLS_Ciphers parameters to Monitor
> and Server HTTP.
>
> TLS_Ciphers and EAPTLS_Ciphers now support formatting characters.
> Net::SSLeay and SSL library version, if available, are now logged after
> SSL library initialisation.
>
> Added goodies/logformat.cfg, showing how to use LogFormatHook for
> authentication log and AcctLogFileFormatHook for accounting messages.
> Added LogFormat.pm with sample hooks for formatting accounting messages
> in JSON format and authentication log entries in JSON and CEF (ArcSight
> Common Event Format) formats.
>
> Removed non-functional support for the obsolete RSA ephemeral keying.
> See TLS_DHFile, EAPTLS_DHFile, TLS_ECDH_Curve and EAPTLS_ECDH_Curve for
> the currently supported forward secrecy methods.
>
> Updated Radiator's Gossip module Perl requirements based on suggestions
> by Alan Buxey. Testing with Net::SSLeay 1.69 and LibreSSL 2.2.0. OK.
>
> Added support for CRL checks for the entire certificate chain. New
> configuration parameters EAPTLS_CRLCheckAll for TLS based EAP methods
> and TLS_CRLCheckAll for stream based protocols, such as RadSec and
> Diameter, enable X509_V_FLAG_CRL_CHECK_ALL to turn on CRL checks for the
> entire certificate chain. Note: you need to also have EAPTLS_CRLCheck or
> TLS_CRLCheck enabled for any CRL checks to happen. If the CRL files for
> the intermediate CAs are not found, the certificate check fails with:
> 'SSL3_GET_CLIENT_CERTIFICATE:no certificate returned'.
>
> Updated configuration samples in goodies to include the recently added
> TLS and related parameters. Updated other goodies files with various
> other fixes.
>
> Documented SSLCiphers in the reference manual and updated the LDAP
> SSLCiphers default value from 'ALL' to 'DEFAULT:!EXPORT:!LOW'.
>
> Updated ldap.cfg to mention possible interoperability problems between
> HoldServerConnection and ServerChecksPassword when both are set.
> Suggested by Niels Monen. Documented SSLCiphers in ldap.cfg.
>
> Removed Authen::Digipass and Authen::ACE4 binary modules from the
> Radiator distribution. Direct contact with OSC is now preferred to find
> out how to compile these modules for your chosen OS, Perl version, Perl
> distribution and 32 or 64 bit platform. Added 32 and 64 bit Win32-Lsa
> ppms for Strawberry Perl 5.22.
>
> DBM file handling is not working on Strawberry Perl 5.20 or 5.22.
> Disabled AuthBy DBMFILE checks from test.pl on Windows while this is
> investigated.
>
> Updates to EAP-MSCHAP-V2 and EAP-pwd identity handling. See OSC security
> advisory OSC-SEC-2015-01.
T-Systems Austria GesmbH, Rennweg 97-99, 1030 Wien, Handelsgericht Wien, FN 79340b

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
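Alex asks which TLS versions and ciphers are in use before restricting them with EAPTLS_Protocols and EAPTLS_Ciphers. A check a practitioner can run before touching the config is to see what the 4.15 default cipher string, DEFAULT:!EXPORT:!LOW, actually expands to on the server's OpenSSL build, and which of those suites a stricter string would drop. The following is an added Python example written for this page; it is not Radiator code and not taken from the announcement. It uses Python's ssl binding to the host OpenSSL, which is not necessarily the library Net::SSLeay in Radiator links against, so run it on the RADIUS server itself. The strict candidate string and the criteria for "weak" (no forward secrecy, no AEAD, under 128 bits) are this example's own choices, not Radiator defaults.

```python
import ssl

# Radiator 4.15 default for TLS_Ciphers and EAPTLS_Ciphers, as stated in the announcement.
RADIATOR_DEFAULT_CIPHERS = "DEFAULT:!EXPORT:!LOW"

# A stricter candidate for EAPTLS_Ciphers: forward-secret AEAD suites only.
# This string is the example's own suggestion, not a Radiator default.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def expand_cipher_string(spec):
    """Return (name, protocol, strength_bits, aead) for every suite the host
    OpenSSL would enable for an OpenSSL-format cipher string.

    TLS 1.3 suites are configured separately by OpenSSL and are listed
    regardless of the string; Radiator 4.15 itself only knows SSLv3..TLSv1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"], c["strength_bits"], c["aead"])
            for c in ctx.get_ciphers()]


def forward_secret(name, protocol):
    """Ephemeral (EC)DH key exchange, or TLS 1.3 where it is mandatory."""
    return protocol == "TLSv1.3" or "ECDHE" in name or name.startswith("DHE-")


def weak_suites(spec, min_bits=128):
    """Suites a hardening pass would want to drop: no forward secrecy, no
    AEAD, or fewer than min_bits of key strength (criteria chosen here)."""
    return [name for name, proto, bits, aead in expand_cipher_string(spec)
            if not forward_secret(name, proto) or not aead or bits < min_bits]


def compare(current=RADIATOR_DEFAULT_CIPHERS, proposed=STRICT_CIPHERS):
    """Suite names offered under 'current' that 'proposed' would no longer offer."""
    before = {name for name, *_ in expand_cipher_string(current)}
    after = {name for name, *_ in expand_cipher_string(proposed)}
    return sorted(before - after)


if __name__ == "__main__":
    print(f"OpenSSL: {ssl.OPENSSL_VERSION}")
    flagged = set(weak_suites(RADIATOR_DEFAULT_CIPHERS))
    for name, proto, bits, aead in expand_cipher_string(RADIATOR_DEFAULT_CIPHERS):
        mark = "  <- consider dropping" if name in flagged else ""
        print(f"{name:40} {proto:8} {bits:4} {'AEAD' if aead else '    '}{mark}")
    print("\nRemoved by the strict string:", ", ".join(compare()))
```

This answers "what will the server offer", not "what do the clients negotiate"; the second question still needs per-session logging on the Radiator side, which is what Alex asks about. Roll the stricter string out by first testing the supplicant population against it, since older Windows supplicants doing PEAP may only support non-AEAD CBC suites.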
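Alex asks for the CEF and JSON log formats to be documented. The security-relevant requirement behind either format is that an authentication log carries attacker-controlled strings (User-Name, NAS-Identifier), so whatever builds the line must escape them so that one RADIUS request cannot forge a second log line or smuggle in an extra field for the SIEM to parse. The following is an added Python example written for this page; it is not Radiator's goodies/LogFormat.pm hook (which is Perl) and does not describe that hook's output. The vendor and product strings, the signature ID, the extension keys and the severity mapping are this example's own choices, and the sample event is constructed.

```python
import json
from datetime import datetime, timezone

# CEF header layout, fixed order:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Header fields escape '\' and '|'; extension values escape '\', '=', CR and LF.
# A '|' inside an extension value is legal and left alone.


def escape_cef_header(value):
    """Escape a CEF header field (backslash first, so later escapes are not doubled)."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_cef_extension(value):
    """Escape a CEF extension value: '\\', '=', CR and LF are the special characters."""
    return (str(value)
            .replace("\\", "\\\\")
            .replace("=", "\\=")
            .replace("\r", "\\r")
            .replace("\n", "\\n"))


def cef_line(vendor, product, version, signature_id, name, severity, extension):
    """Build one CEF line; empty extension values are omitted."""
    header = "|".join(escape_cef_header(v)
                      for v in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{key}={escape_cef_extension(val)}"
                   for key, val in extension.items() if val not in (None, ""))
    return f"CEF:0|{header}|{ext}"


def auth_event_to_cef(event):
    # Hypothetical mapping of an authentication-log event to CEF.
    # Vendor/product strings, signature ID and severities are this example's choices.
    severity = 3 if event["result"] == "ACCEPT" else 6
    extension = {
        "rt": int(event["timestamp"].timestamp() * 1000),  # epoch milliseconds
        "suser": event["username"],
        "src": event["nas_ip"],
        "shost": event.get("nas_id", ""),
        "outcome": event["result"],
        "reason": event.get("reason", ""),
    }
    return cef_line("OSC", "Radiator", "4.15", f"auth-{event['result'].lower()}",
                    "RADIUS authentication", severity, extension)


def auth_event_to_json(event):
    """One JSON object per line; ensure_ascii keeps control characters escaped."""
    record = dict(event)
    record["timestamp"] = event["timestamp"].isoformat()
    return json.dumps(record, sort_keys=True, ensure_ascii=True)


# Constructed sample event: the User-Name attempts log injection with a pipe,
# a newline and an '=' so that a naive formatter would emit a forged second
# line reading 'suser=admin'.
SAMPLE_EVENT = {
    "timestamp": datetime(2015, 7, 15, 12, 40, 0, tzinfo=timezone.utc),
    "username": "bob|x\nsuser=admin",
    "nas_ip": "192.0.2.10",
    "nas_id": "wlc-1",
    "result": "REJECT",
    "reason": "Bad Password",
}

if __name__ == "__main__":
    print(auth_event_to_cef(SAMPLE_EVENT))
    print(auth_event_to_json(SAMPLE_EVENT))
```

Whichever hook produces the line, the check worth keeping is the one in the sample: feed a User-Name containing a newline, a pipe and an equals sign through it and confirm the output is still exactly one line with one suser field.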