Radiator revision history

Revision 4.13 (2014-04-16) RADIUS proxying, IPv6, TACACS+, Diameter and other enhancements. Bug fixes.
Selected compatibility notes and enhancements
  • Unknown attributes can now be proxied instead of being dropped
  • Diameter enhancements may require changes to custom Diameter modules
  • Major IPv6 enhancements: attributes with IPv6 values can now be proxied even without IPv6 support, and Socket6 is no longer an absolute prerequisite. The 'ipv6:' prefix is now optional and is no longer prepended to decoded attribute values
  • TACACS+ authentication and authorization can now be decoupled
  • Bind variables are now available for AuthLog SQL and Log SQL.
  • Status-Server requests without a correct Message-Authenticator attribute are ignored. Status-Server responses are now configurable.
  • LDAP attributes can now be fetched with base scope after a subtree scoped search. This is useful, for example, for the tokenGroups AD attribute, which is not otherwise available
  • The newly added check for CVE-2014-0160 (the OpenSSL Heartbleed vulnerability) may log false positives
  • New AuthBy for authenticating against a YubiKey validation server
  • See Radiator SIM pack revision history for supported SIM pack versions
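As an added illustration of the unknown-attribute handling above (example code written for this page, not Radiator's own RDict.pm or dictionary code): a small Python decoder for the RADIUS attribute section that names undecodable vendor attributes Unknown-<vendor>-<type>, warns once per sender address, and rejects bad sub-attribute lengths instead of crashing. The dictionary contents, the OSC-Example-Attr name and the 2-byte type/length handling are assumptions of this example.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

# Tiny dictionary constructed for this example: (vendor, type) -> name.
# Vendor 0 stands for the standard attribute space; 9048 is the OSC vendor
# id quoted in the changelog, but OSC-Example-Attr is a made-up name.
DICTIONARY = {
    (0, 1): "User-Name",
    (0, 4): "NAS-IP-Address",
    (9048, 1): "OSC-Example-Attr",
}


def attr_name(vendor, typ):
    """Known attributes get their dictionary name; anything else gets the
    reserved Unknown-<vendor>-<type> form, e.g. Unknown-9048-120."""
    return DICTIONARY.get((vendor, typ), "Unknown-%d-%d" % (vendor, typ))


def parse_attributes(data):
    """Decode the attribute section of a RADIUS packet (everything after the
    20-byte header) into [(name, value_bytes), ...]. Every length field is
    checked before use, so a corrupt packet raises ValueError instead of
    indexing past the buffer."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value = data[pos + 2:pos + length]
        if typ == VENDOR_SPECIFIC:
            out.extend(parse_vsa(value))
        else:
            out.append((attr_name(0, typ), value))
        pos += length
    return out


def parse_vsa(value, type_len=1, len_len=1):
    """Decode the contents of a Vendor-Specific attribute: a 4-byte vendor id
    followed by vendor sub-attributes. Most vendors use a 1-byte type and a
    1-byte length (the default); passing 2, 2 handles the Starent-style
    2-byte fields mentioned in the changelog. The length is assumed to
    include the sub-attribute header in both layouts."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the vendor id")
    vendor = struct.unpack("!I", value[:4])[0]
    hdr = type_len + len_len
    out = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < hdr:
            raise ValueError("truncated vendor attribute header")
        vtype = int.from_bytes(value[pos:pos + type_len], "big")
        vlen = int.from_bytes(value[pos + type_len:pos + hdr], "big")
        if vlen < hdr or pos + vlen > len(value):
            raise ValueError("bad vendor attribute length %d for vendor %d" % (vlen, vendor))
        out.append((attr_name(vendor, vtype), value[pos + hdr:pos + vlen]))
        pos += vlen
    return out


class UnknownAttrWarner:
    """Emit one warning per (sender IP, unknown attribute name) rather than
    one per packet, mirroring the logging rule described above."""

    def __init__(self):
        self._seen = set()

    def should_warn(self, sender_ip, name):
        key = (sender_ip, name)
        if not name.startswith("Unknown-") or key in self._seen:
            return False
        self._seen.add(key)
        return True


def encode_vsa(vendor, subattrs):
    """Encode a 1-byte type / 1-byte length VSA; used to build sample input."""
    body = struct.pack("!I", vendor)
    for t, v in subattrs:
        body += bytes([t, len(v) + 2]) + v
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


# Constructed sample: User-Name "bob" plus one known and one unknown
# sub-attribute under vendor 9048.
SAMPLE = bytes([1, 5]) + b"bob" + encode_vsa(9048, [(1, b"ab"), (120, b"x")])

if __name__ == "__main__":
    warner = UnknownAttrWarner()
    for name, value in parse_attributes(SAMPLE):
        if warner.should_warn("192.0.2.10", name):
            print("WARNING: unknown attribute %s from 192.0.2.10" % name)
        print(name, value)
```

The point of the length checks is the one the Starent note makes: a proxy that trusts a vendor length byte will read past the buffer on a malformed VSA, whereas rejecting the packet keeps the server up and leaves a log line to investigate.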
Detailed changes
  • Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address, DNS-Server-IPv6-Address, Route-IPv6-Information, Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These attributes override a number of attributes that were previously commandeered by Ascend and Merit. The Ascend ones are still available in ascend.dictionary. The Merit attributes were added under the existing Merit VSA entry and the non-VSA Merit attributes were removed from the main dictionary. The non-VSA Merit attributes will continue to be available in a new file goodies/dictionary.merit
  • AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS, MULTICAST and proxy algorithm AuthBys, now support special characters in AuthPort and AcctPort. Suggested by David Zych.
  • Added in dictionary: Huawei-Loopback-Address, vendor 6139 (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou Research and Development Center) and vendor 27262 DANTE Ltd.
  • Unknown attributes can now be proxied when the new global configuration flag ProxyUnknownAttributes is set to true. Unknown attributes are now always available with special names such as Unknown-9048-120, where 9048 is the vendor id and 120 is the vendor attribute number. Unknown attributes are now logged with level WARNING instead of ERR. A warning is logged for each attribute once per sender IP address. Attribute names starting with Unknown are reserved in the dictionary and ignored when the dictionary is loaded.
  • Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and RFC 6930.
  • Added support for dictionary type ipv4prefix required by RFC 6572. An example of ipv4prefix format is '192.168.1.0/24'. Added attributes from RFC 6572 in dictionary.
  • Fixed a change in 4.12 that caused ServerDIAMETER to always create new peer instances for new connections, which mainly resulted in WatchdogState DOWN log litter.
  • AuthBy DIAMETER and other DiameterClient derived classes, such as Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support new option SCTPPeer. This option allows defining multiple SCTP peers for the initial SCTP association attempt.
  • Added vendor Arista in dictionary. Updated Netscreen values. Contributed by Garry Shtern.
  • Fixed AuthBy NTLM so it will not leave zombie processes around during reconfigure. Reported by Garry Shtern.
  • AuthBy RATELIMIT now supports optional parameter MaxRateResult, which allows specifying the result when MaxRate is exceeded. MaxRateResult defaults to IGNORE.
  • Significant IPv6 changes. Socket6.pm is no longer required if the core Socket module provides the required IPv6 support. Attributes with IPv6 address or prefix type are now handled as binary if there is no Socket or Socket6 for IPv6 support. This fixes the problem with proxying when Socket6 was not installed. Prefix 'ipv6:' for IPv6 addresses is no longer required but will be accepted. Decoded values for IPv6 address type attributes will no longer have 'ipv6:' prefix. Startup log messages now contain information about the IPv6 support.
  • Updated 3GPP (vendor 10415) attributes in dictionary. 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier were added. 3GPP-Charging-Gateway-Address, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address are now the main attribute names while 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases. 3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias. Attribute types were corrected to use e.g., ipaddrv6, integer8 and integer16 for correct encoding and decoding. Added values for enumerated integer types.
  • Reverted the previous attribute canonical name changes for vendor 3GPP. 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the names Radiator will use for decoding the attributes. The new names will be recognised as aliases. Also, 3GPP-PDP-Context name for value 0 is IP and IPv4 can be used as an alias.
  • EAP_25.pm now makes inner identity available via outer context improving logging options.
  • Updated Application IDs. Updated vendor 3GPP (10415) RADIUS compatible attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type values, fixed 3GPP-*-Address encoding to use OctetString instead of Address type, 3GPP-RAT-Type and other 8 bit enumerated values are encoded correctly. 3GPP attribute Location-Estimate type is now OctetString.
  • Improvements to the sample wimax.sql database schema to support long capabilities values.
  • Added VENDOR Radware 89 and VSA Radware-Role to dictionary.
  • Logging level for rejected authentication attempts can now be configured globally and for each Handler or Realm with the new optional parameter LogRejectLevel, which takes the same values as the Trace option.
  • Further logging enhancements. PacketTrace can now be configured to skip selected Log clauses. New flag parameter IgnorePacketTrace can be set in Log clauses which should not participate in PacketTrace logging. Thanks to David Zych for ideas and assistance with the latest logging improvements.
  • Trailing NULs are now stripped from TACACS+ authorization arguments. Reported by Tim Cheyne.
  • Fixed a bug in Diameter Address format encoding with IPv6 addresses. DiaClient now correctly formats IPv6 address in Host-IP-Address for TCP connections.
  • TacacsClient module now supports connecting to TACACS+ servers over IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+ servers. Requires IO::Socket::INET6.
  • Account expiry dates starting with 'Mmm dd' for Expiration, ValidTo and ValidFrom check items now correctly check for valid month names. Reported by Kennyen Choo.
  • Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to dictionary.
  • Worked around the duplicate name for 3GPP Diameter Gx interface. Fixed typos in Diameter application names.
  • ClientListSQL was calling parent's initialize twice. Clarified AuthSQLHOTP and AuthSQLTOTP parent initialize calls.
  • Improvements to logging. Added support in Log.pm and LogGeneric.pm for dynamically setting the Trace level. An example of using User-Name from the current request is in goodies/hooks.txt.
  • Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm handling. Worked around the duplicate name for 3GPP Diameter Rx interface.
  • When the special formatting character %s is used, the microseconds value is now left padded with zeroes. Suggested by David Zych.
  • PEAP and EAP-TTLS now make maximum fragment size available for inner authentication protocols. EAP-TLS was improved to use this information. This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with environments with variable Framed-MTU sizes.
  • When reading parameter settings from a file with file:"filename", any trailing newlines are now removed from the end of file to make sure the value is correctly parsed. Reported by David Zych.
  • Added goodies/address-allocator-sql.txt for further AddressAllocator SQL examples. Initial examples include MySQL and PostgreSQL queries for environments with multiple Radiator instances allocating from the same database.
  • RDict.pm now supports new method vendorByNum which returns vendor data from a given vendor number. Enhanced Starent VSA decoding to make sure invalid lengths do not cause a crash. Added support and attributes for Starent VSAs which use 1 byte for type and 1 byte for length. The Starent VSAs in Radiator default dictionary use 2 bytes for type and length. Loading goodies/dictionary.starent-vsa1 after the default dictionary will cause Starent VSAs to use 1 byte type and length. The Starent VSAs in the default dictionary will not work with dictionary.starent-vsa1 and should not be used.
  • Significant changes in Diameter dictionary handling: dictionaries can now be separate modules, and a specific dictionary is defined for each application. Diameter Credit Control attributes were moved to module DiaDict_4.pm, while the Diameter base, NASREQ, Mobile IPv4, base accounting, EAP, SIP and relay applications still use the default dictionary DiaDict.pm. Any new dictionaries will be created as separate modules. Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer, ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil and DiaDict_4.
  • Added support for salted and non-salted SHA-2 hashed passwords. Supported formats are {SHA256} {SSHA256} {SHA384} {SSHA384} {SHA512} and {SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2 hashing. Suggested by Alexander Hartmaier.
  • AddressAllocator DHCP can now use Class attribute for allocation state when configured with UseClassForAllocationInfo. This enables allocation and deallocation to work between server farm members. Configuration notes in goodies/addressallocatordhcp.cfg. Clarified some of the AddressAllocator DHCP options in addressallocatordhcp.cfg
  • Fixed functions pack_sockaddr_pton and gethostbyname in Util.pm and UtilSocket6.pm, which misinterpreted some hostnames as IPv6 addresses. Reported by Emanuel José Freitas.
  • Updated Huawei VSAs in dictionary. Contributed by Alexander Hartmaier.
  • AddressAllocator identifier in AuthBy DYNADDRESS now supports special formatting characters.
  • Change in DiaPeer watchdog to recover better from unresponsive but still open TCP connections.
  • Diameter dictionaries now support attribute flags. Added add_attr_d, get_attr_d and get_attrs_d in AttrList.pm for adding and accessing Diameter attributes with their names. Any flags, such as M flag, are automatically added based on dictionary. DiaAttrList and RadiusDiameterGateway now correctly set dictionary when using DiaAttrlist->new(). DiaDict is more verbose about possible problems with parsing dictionary files.
  • Marked GroupCacheFile option in ServerTACACSPLUS as deprecated and removed code related to it.
  • ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted TACACS+ authentication and accounting requests in a more consistent manner. Use of the deprecated CommandAuth option gives a warning during startup. Minor cleanups to remove warnings when -w is used. Fixed mapping of a missing GroupMemberAttribute value to 'DEFAULT', broken in the previous patch. Updated tacacsplusserver.cfg in goodies.
  • ServerTACACSPLUS can now create a RADIUS Access-Request when TACACS+ authorization request is received but no authorization info is known for the user. This can happen for example, when Radiator is restarted or the TACACS+ client uses some other protocol for authentication. These RADIUS Access-Requests carry Service-Type attribute with value Authorize-Only. Authorization based requests are enabled with AllowAuthorizeOnly flag which defaults to off. Updated tacacsplusserver.cfg and added OSC-TACACS-Authen-Method in dictionary.
  • AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2 authentication attempts instead of letting password check fail each time.
  • Added support for PBKDF2 derived User-Password check items. Uses HMAC-SHA1 as the Pseudo Random Function (PRF). Requires Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be used to create a derived password in the form Radiator honours.
  • AuthLog SQL now supports SuccessQueryParam and FailureQueryParam parameters, which allow SQL bind variables to be used.
  • AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate verification. New parameter ChallengePrefix allows setting the common prompt for PIN change and other challenge questions. Suggested by Garry Shtern.
  • Log SQL now supports LogQueryParam parameters, which allow SQL bind variables to be used.
  • Changes so that the plaintext password is not logged at debug level during EAP-TTLS/PAP authentication.
  • Added support for SSLVerify, SSLCAPath, SSLVerifyCNName, SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later or otherwise they are ignored. SSL client certificate options are now set using LWP if LWP version 6.0 or later is detected. These changes allow RSA AM server HTTPS certificate verification without environment variables.
  • tacacsplustest in goodies now supports -bind_address command line argument. TacacsClient module can now pass local address to the socket constructor.
  • Added eduroam-Monitoring-Inflate VSA to dictionary.
  • Added StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.
  • Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet dumps only when the log level is DEBUG or more verbose. IPv6 capability is now logged on DEBUG level if IPv6 functionality is provided by the Perl core or Socket6. INFO level message is logged only when there is no full IPv6 functionality.
  • Added new module AuthBy YUBIKEYVALIDATIONSERVER with example configuration yubikey-validationserver.cfg. It authenticates against a Yubikey Validation server, which lets one or more Radiator servers share a YubiHSM Hardware Security Module (HSM) at the same time; the YubiHSM can be installed on the server where Radiator runs or on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move common code to AuthYUBIKEYBASE.pm, allowing AuthBy YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey specific support modules such as Auth::Yubikey_Decrypter.
  • Added in dictionary: Attributes from RFC 7055. These started as UKERNA, vendor 25622, VSAs.
  • Removed unneeded code from EAP_25.pm and TLS.pm.
  • Added new global and Client specific configuration parameter StatusServer. This parameter sets the Status-Server response verbosity. The supported values are off, minimal and default. The global default can be overridden by each Client clause. Status-Server requests without correct Message-Authenticator attribute are now ignored.
  • Added new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can now do a two step search: first locate the user's DN, then run a second search with the search base set to that DN and the scope set to 'base'. This is required, for example, to get access to Windows AD constructed attributes such as tokenGroups, which are only returned when the search scope is base. Updated ldap.cfg in goodies.
  • Removed old and unneeded FirstSendTime, LastSendTime and Attempts from Radius.pm.
  • EAP-TTLS now correctly exports the inner identity with $rp->{inner_identity} when the inner authentication is EAP.
  • Added OSC-SIM-* attributes for exporting SIM/USIM authentication information. Added attributes for the upcoming RFC "RADIUS Attributes for IEEE 802".
  • AuthBy SIP2 now honours Timeout option when connecting to SIP2 servers. The timeout defaults to 3 seconds.
  • Added new parameter FailureBackoffTime to Resolver. If the lookup failed to discover any results and there was a timeout while waiting for the nameserver, this optional value specifies how long Radiator will wait before another lookup is made. Previous behaviour was to try again after NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old behaviour reported by Paul Dekkers.
  • ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in CER. This is required by the current Diameter base RFC 6733. Value 0 is no longer announced with Acct-Application-Id in CER. Updated diameter-server.cfg.
  • Added new global parameter KeepSocketsOnReload. Note: this is currently considered experimental. This optional flag controls whether opened RADIUS listen sockets should be left intact on a reload request. When enabled, the changes in BindAddress, AuthPort and AcctPort are ignored during reload. You may consider enabling this option when incoming RADIUS requests should be buffered during the reload instead of ICMP unreachable messages being sent back to the RADIUS clients. Contributed by Garry Shtern.
  • Attributes added to the reply by EAP-FAST inner authentication will now be copied to the outer Access-Accept too. This is similar to how PEAP and EAP-TTLS already function. Suggested by Jakob Schlyter.
  • Added the first version of RuntimeChecks module with two checks. The first uses Net::SSLeay to try to detect OpenSSL versions which may have the Heartbleed (CVE-2014-0160) vulnerability. The second test checks for the availability of Digest::MD4 which is often required because of MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be disabled with the new configuration parameter DisabledRuntimeChecks. Future checks are added as needed. The module is also available for Hooks to implement site local checks.
  • Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access were incorrectly entered in the dictionary. Reported by Jason Griffith.
  • Ldap.pm could crash while logging with old Net::LDAP versions. Reported by Mauricio Montoya Bustamante.
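An added example (not Radiator's sha.pl, ssha.pl or pbkdf2.pl) showing how the SHA-2 and PBKDF2 check items introduced in this revision can be generated and verified in Python. The exact on-disk layouts, base64(digest + salt) for the {SSHAnnn} forms and a '{PBKDF2}HMACSHA1:iterations:salt:key' string for PBKDF2, are assumptions of this example rather than Radiator's documented encodings; the RFC 6070 test vector checks the HMAC-SHA1 derivation itself.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# Digest functions behind the six SHA-2 check item labels.
SHA2 = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}
# Assumed label and field order for PBKDF2 items: iterations:salt:key.
PBKDF2_PREFIX = "{PBKDF2}HMACSHA1:"


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def sha2_check_item(password, scheme, salt=None):
    """Produce '{SHA256}...' or, with a salt, '{SSHA256}...' (likewise for
    384 and 512). Salted layout assumed: base64(digest(password + salt) + salt)."""
    digest = SHA2[scheme](password + (salt or b"")).digest()
    if salt is None:
        return "{%s}%s" % (scheme, b64(digest))
    return "{S%s}%s" % (scheme, b64(digest + salt))


def pbkdf2_derive(password, salt, iterations, dklen=20):
    """PBKDF2 with HMAC-SHA1 as the PRF, as the changelog specifies."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def pbkdf2_check_item(password, salt=None, iterations=10000):
    salt = salt if salt is not None else os.urandom(16)
    dk = pbkdf2_derive(password, salt, iterations)
    return "%s%d:%s:%s" % (PBKDF2_PREFIX, iterations, b64(salt), b64(dk))


def check_password(stored, candidate):
    """True when candidate (bytes) matches the stored check item. Malformed
    items yield False rather than an exception, and every comparison goes
    through hmac.compare_digest so timing does not leak the prefix match."""
    try:
        if stored.startswith(PBKDF2_PREFIX):
            iters, salt_b64, dk_b64 = stored[len(PBKDF2_PREFIX):].split(":")
            dk = base64.b64decode(dk_b64, validate=True)
            salt = base64.b64decode(salt_b64, validate=True)
            got = pbkdf2_derive(candidate, salt, int(iters), len(dk))
            return hmac.compare_digest(got, dk)
        m = re.match(r"\{(S?)(SHA(?:256|384|512))\}(.+)$", stored)
        if not m:
            return False
        salted, scheme, rest = m.group(1) == "S", m.group(2), m.group(3)
        raw = base64.b64decode(rest, validate=True)
        size = SHA2[scheme]().digest_size
        digest, salt = raw[:size], raw[size:]
        if len(digest) != size or (not salted and salt):
            return False
        got = SHA2[scheme](candidate + salt).digest()
        return hmac.compare_digest(got, digest)
    except (ValueError, binascii.Error):
        return False


if __name__ == "__main__":
    for item in (sha2_check_item(b"secret", "SHA256"),
                 sha2_check_item(b"secret", "SHA512", salt=os.urandom(8)),
                 pbkdf2_check_item(b"secret")):
        print(item, check_password(item, b"secret"), check_password(item, b"wrong"))
```

Plain {SHAnnn} items are unsalted and therefore rainbow-table friendly; prefer the salted {SSHAnnn} forms, or PBKDF2 with a high iteration count, for anything stored in SQL or LDAP.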
Revision 4.12.1 (2013-09-17) One bug fix. One enhancement.
  • Fixed a bug that prevented AuthBy SQL from loading when it was defined outside of Realm or Handler.
  • Unknown Diameter attribute types are now logged with a warning when Diameter dictionaries are loaded. Diameter encoder and decoder now use Integer32 and Integer64 for signed 32 bit and 64 bit types instead of Signed32 and Signed64.
Revision 4.12 (2013-09-06) New modules, some significant new features. Bug fixes.
  • Improvements to EAP-MD5 handling: in the event of an authentication failure, the log messages now describe the reason for the failure more precisely.
  • Updated MikroTik VSAs in dictionary.
  • Added a number of VSAs for Alcatel-ESAM to dictionary.
  • Fixed a potential crash if there were many unfinished EAP-GTC authentication conversations through AuthBy ACE. Reported by Richard Fairhall.
  • Added support for a number of new check items for AuthBy SQL: Max-All-Session, Max-Hourly-Session, Max-Daily-Session, Max-Monthly-Session, Max-All-Octets, Max-All-Gigawords, Max-Hourly-Octets, Max-Hourly-Gigawords, Max-Daily-Octets, Max-Daily-Gigawords, Max-Monthly-Octets, Max-Monthly-Gigawords. AuthBy SQL supports the following corresponding configurable queries: AcctTotalQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalOctetsQuery, AcctTotalGigawordsQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery. With the kind assistance of Richard Fairhall.
  • Updated AuthLog SYSLOG so that it honours the same %0 and %1 in SuccessFormat and FailureFormat as other loggers.
  • Changed all instances of the poorly defined 'octets' type attributes in dictionary to 'binary'.
  • Added F5 BigIP VSAs to dictionary, per http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html, as sent by Alexander Hartmaier.
  • Added further Trapeze VSAs for MSS 8.0 and later to dictionary, as sent by Vandenbroucke Luc.
  • Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that failedRequests and start_failure_grace_time are updated even if there is no $op->{rp}.
  • Performance improvements for TTLS and PEAP: when used with OpenSSL 1.0.1 or later and Net::SSLeay 1.52 with the latest patches or later, the native OpenSSL tls1_PRF function is used.
  • Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the event of an Access-Reject from a proxied request, AuthLog* can log the actual Reply-Message from the reply instead of 'Proxied'. Requested by David Zych.
  • Improvements to AuthBy RADIUS and AuthBy RADSEC to detect obvious routing loops and to ignore attempts to proxy a packet to the same BindAddress/port a packet was received on.
  • Fixed a problem in SessionDatabase SQL that could cause a crash if UpdateQuery is defined and an Accounting Alive packet was received. Reported by Chris Millington.
  • Improvements to AuthBy SQL AuthColumnDef. Can now have a trailing ", formatted" keyword in an AuthColumnDef. This will cause the value retrieved from the database in that column to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now:
    
      AuthColumnDef n, attributename, type[, formatted]
    
    
    For example:
    
      AuthColumnDef 1, Filter-Id, reply, formatted
    
    
  • Improvements to AuthBy LDAP2 AuthAttrDef. Can now have a trailing ", formatted" keyword in an AuthAttrDef. This will cause the value(s) retrieved from LDAP to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now:
    
      AuthAttrDef ldapattributename, radiusattributename, type[, formatted]
    
    
    For example:
    
      AuthAttrDef filter, Filter-Id, reply, formatted
    
    
  • All configuration parameters of type 'flag' can now use special characters. This is especially useful to be able to control flags with GlobalVar's.
  • Added example hook to hooks.txt: showing a way to call PostAuthHook with additional fixed arguments set at startup time.
  • Fixed some typos in DiaClient that incorrectly mentioned RadSec.
  • AuthBy RADIUS and AuthBy RADSEC now remove the unnecessary Timestamp attribute (meant for internal use only) from proxied requests.
  • Improvements to Handler: a new reply packet is not created if one is already present. Useful when AuthBy HANDLER or a hook redespatches a request to another Handler: reply items added by earlier Handlers and AuthBys will not be lost.
  • Added Ericsson redback VSAs 207-213 to dictionary. Also added some alternate values for RB-Framed-IPv6-Prefix, RB-Framed-IPv6-Route, RB-Framed-IPv6-Pool, as used by SmartEdge.
  • Added A-10 Networks VSAs to dictionary.
  • Improvements to SYSLOG loggers to be more compatible with later versions of Sys::Syslog.
  • Fixed a problem with using AuthBy Fidelio and Serial ports that caused a failure to start Radiator. Also changed the default serial port flow control for Fidelio modules to 'rts', since 'xoff' could cause lost characters and bad checksums. Testing with USB-Serial port adapters.
  • Updated goodies/digipass-install.txt to include guidance about how to order Digipass tokens, including the need to order the 'Digipass User Data Subscription Fee' (DUD) option.
  • All tar files are now built with TAR_OPTIONS=--format=gnu to ensure compatibility with other tars, notably the one on Solaris.
  • Testing on Solaris 11. OK with builtin perl 5.12.
  • Added Huawei-3Com (H3C) VSAs to dictionary.
  • Improvements to AuthBy KRB5 and Ldap.pm: Credential Cache now uses memory cache instead of file. Added a new option KrbServerRealm to allow server and user to exist in different realms. Hostname is now used for service tickets instead of IP address. Reverse DNS lookup is now done for the host before requesting a service ticket. Patches by Garry Shtern.
  • Added new dictionary file for Cisco/Altiga attributes compiled by Alexander Hartmaier.
  • Fixed a problem that prevented HostSelect from implementing host counter if HostSelectParmam was defined.
  • Added support for SNMP V2c with new configuration parameter SNMPVersion in SNMPAgent. Fixed a problem where some SNMP decode errors were not correctly detected.
  • Configuration file check no longer activates clauses which could cause spurious error messages. Requested by Garry Shtern.
  • Added Palo Alto Networks VSAs to dictionary. Contributed by Garry Shtern.
  • More improvements to LDAP logging. The hostname and port are now logged after a successful connection. This helps determining to which host the connection was made when the Host parameter is configured with multiple host names. Removed redundant GSSAPI related code. Contributed by Garry Shtern.
  • Fixed a problem with EAP-TTLS where EAPAnonymous %0 did not fetch the inner EAP identity. Reported by Neil M. Johnson.
  • Added a number of Aruba VSAs to dictionary with the kind assistance of Michael Hulko.
  • Fixed UseStatusServerForFailureDetect in AuthRADIUS.pm to work correctly when there are multiple Hosts configured. This also affects AuthRADIUS subclasses and small changes were needed for AuthLOADBALANCE, AuthMULTICAST, AuthROUNDROBIN and AuthVOLUMEBALANCE. AuthHASHBALANCE and AuthEAPBALANCE required no changes. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to Status-Server request will bring back a failed Host. Other changes include: AuthRADIUS subclasses will now log an INFO level message when the Host starts responding. BogoMips only affects AuthLOADBALANCE and AuthVOLUMEBALANCE as documented. Setting BogoMips to 0 for a Host will no longer disable it for the other subclasses. KeepaliveTimeout can be specified for the AuthBy or individual Host in the AuthBy. The default value for BogoMips in an AuthBy is now correctly passed to the Hosts in the AuthBy. Thanks to Paul Dekkers for reporting the problem and debugging help.
  • Reverted earlier Status-Server polling related change in AuthRADSEC.pm that caused memory leak when requests were not replied to. Reported and narrowed down by Paul Dekkers.
  • EAP-PWD now honours UsernameMatchesWithoutRealm. Also, if the user is not found, the log message now has EAP-PWD instead of EAP MSCHAP-V2.
  • Fixed UseStatusServerForFailureDetect in AuthRADSEC.pm to work correctly when there are multiple Hosts configured. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to Status-Server request will bring back a failed Host. This change is similar to the recent AuthRADIUS.pm change.
  • Added new option -message_authenticator to radpwtst for adding correctly calculated Message-Authenticator in the outgoing requests. Currently supported types are Access-Request, Status-Server, Disconnect-Request and Change-Filter-Request aka COA-Request.
  • PEAP EAP context is now cleared immediately when reading encrypted TLS data fails.
  • AuthBy RADSEC did not correctly reinitialize when signalled with SIGHUP leaking TCP connections, memory and TLS references. Fixed similar memory leak in AuthBy RADIUS. TCP connection leak reported by Karl Gaissmaier.
  • Logging enhancements: replies received by AuthBy RADIUS, AuthBy RADSEC, Client, ServerRADSEC and SimpleClient.pm are now dumped using the loggers configured for the respective clauses and module. PacketTrace now affects the replies received by the clauses. Function decode_attrs no longer dumps the received request. Some messages are now logged by the clauses first instead of just the main logger.
  • Added Blue Coat VSAs to dictionary. Contributed by Garry Shtern.
  • LDAP GSSAPI name resolution enhancements. Based on patch by Garry Shtern.
  • Tested with RSA Authentication Manager 8.0. Updated OnDemand mode prompt handling. No other changes required. Added new parameter ChallengeHasPrompt to AuthBy RSAAM to enable sending RADIUS Prompt attribute with Access-Challenge messages based on the RSA AM responses.
  • Status-Server messages sent by AuthBy RADSEC and AuthBy RADIUS no longer carry Proxy-State attribute. Improved logging in AuthBy RADSEC when Proxy-State in reply is missing or mangled.
  • Added Lancom and CheckPoint GAiA VSAs and updated 3Com and H3C VSAs in dictionary with the kind assistance of Philip Herbert.
  • Added new methods for inserting attributes in AttrList. Useful e.g., for Diameter AVP ordering. Added Origin-AAA-Protocol into DiaAttrList, updated DiaDict to always use DiameterIdentity, DiameterURI, IPFilterRule and QoSFilterRule as data type name instead of short-forms. Fixed a number of spelling mistakes.
  • Added support for authentication with Duo Security https://www.duosecurity.com/ . AuthBy DUO supports two-factor authentication provided by Duo Security auth API. Sample configuration file and partial API simulator is included.
  • Registering an object by its Identifier in Configurable.pm is now done just before object loading finishes, not during object activation. This fixes the recently introduced problem where configuration check gave incorrect results when Identifiers were used for references. Reported by Karl Gaissmaier.
  • Added iPass VSAs to dictionary.
  • DiaPeer and DiaClient now support adding Vendor-Specific-Application-Id attributes in Diameter CER message.
  • Configurable now calls check_config for each module just before it is activated. Configuration checks done by modules within activate were moved to check_config so that they will be run also when radiusd is invoked with -c flag to check the config.
  • Updated sample certificates to expire Aug 14 11:37:20 2015 GMT. Updated goodies/mkcertificate.sh to check for CA.pl availability.
  • Added precompiled Authen-Digipass ppm package for Perl 5.16 on Windows.
  • Added precompiled Authen-ACE4 ppm packages for Perl 5.16 on Windows. Recompiled Authen-ACE4 ppm packages for Perl 5.14.
  • Added new global parameter BindV6Only. This optional parameter allows turning on or off IPV6_V6ONLY socket option for IPv6 wildcard listen sockets. Defaults to undefined and hence no setsockopt is done. See RFC 3493 for more about IPV6_V6ONLY.
  • Client clauses now support CIDR notation for IPv6 clients. For example: ipv6:2001:db8:1:2::/126 and ipv6:::ffff:192.168.1.0/120. It is recommended, but not required, to install Math::BigInt::GMP or Math::BigInt::Pari for faster matching. The default is to use slower pure Perl implementation.
  • Updates in many goodies example and other files.
  • Added preliminary support for AuthBy DIAMETER. AuthBy DIAMETER converts RADIUS messages to Diameter messages and sends them to a Diameter server. Currently targets RFCs 4005 and 6733.
  • AuthBy DUO did not indicate the request was handled asynchronously causing problems with certain modules such as ServerTACACSPLUS. Reported by David LaPorte.
  • Enhanced radpwtst help output and options file support. The file format is now documented in the reference manual. The -time option now works even when -notrace option is given.
  • Unnecessary DNS lookups were done when MAC: or CIDR Clients were defined causing possible slowness during startup or ClientList refresh.
  • Testing with Strawberry Perl on Windows. Updated installation documentation and reference manual to include Strawberry Perl on Windows.
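An added example, written for this page rather than taken from Radiator or radpwtst, covering the Message-Authenticator handling behind the 4.13 Status-Server changes and the 4.12 radpwtst -message_authenticator option. It builds a Status-Server or Access-Request with a correctly calculated Message-Authenticator (HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's 16 value octets zeroed, per RFC 2869), verifies it on the receiving side, and drops Status-Server requests that lack a valid one, as the server now does. The reply contents chosen for the 'minimal' and 'default' StatusServer settings are assumptions; CoA and Disconnect requests, whose Request Authenticator is derived differently, are not covered.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
STATUS_SERVER = 12
REPLY_MESSAGE = 18
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 5.14; required in Status-Server by RFC 5997
HEADER_LEN = 20


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_request(code, identifier, attrs, secret, authenticator=None):
    """Access-Request or Status-Server with a valid Message-Authenticator.
    For these codes the Request Authenticator is 16 random octets. The HMAC
    is taken over the packet with the attribute value zeroed, then patched in
    (the attribute is appended last, so it occupies the final 16 octets)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = encode_attrs(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def find_attr(pkt, wanted):
    """(offset, value) of the first attribute of the wanted type, or None.
    Length fields are validated so a malformed packet cannot run off the end."""
    pos = HEADER_LEN
    while pos < len(pkt):
        if len(pkt) - pos < 2:
            raise ValueError("truncated attribute")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("bad attribute length")
        if t == wanted:
            return pos, pkt[pos + 2:pos + l]
        pos += l
    return None


def verify_message_authenticator(pkt, secret):
    """True only if the length field is sane and a 16-octet Message-Authenticator
    is present and matches; a missing attribute is a failure, not a pass."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        found = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    except ValueError:
        return False
    if found is None or len(found[1]) != 16:
        return False
    off, mac = found
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def build_response(code, identifier, request_authenticator, attrs, secret):
    """Response with Message-Authenticator (computed with the Request
    Authenticator in the header) followed by the RFC 2865 Response Authenticator."""
    body = encode_attrs(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    mac = hmac.new(secret, head + request_authenticator + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body


def handle_status_server(pkt, secret, status_server="default"):
    """Server-side decision modelled on the changelog: return None (drop) when
    the Message-Authenticator is missing or wrong, otherwise answer according
    to the StatusServer verbosity. 'off' sends nothing, 'minimal' a bare
    Access-Accept, 'default' adds a Reply-Message (the contents are assumed)."""
    if not pkt or pkt[0] != STATUS_SERVER:
        return None
    if not verify_message_authenticator(pkt, secret) or status_server == "off":
        return None
    reply_attrs = [] if status_server == "minimal" else [(REPLY_MESSAGE, b"Radiator is alive")]
    return build_response(ACCESS_ACCEPT, pkt[1], pkt[4:20], reply_attrs, secret)


if __name__ == "__main__":
    secret = b"mysecret"
    probe = build_request(STATUS_SERVER, 1, [], secret)
    print("valid probe answered:", handle_status_server(probe, secret) is not None)
    bare = struct.pack("!BBH", STATUS_SERVER, 2, HEADER_LEN) + os.urandom(16)
    print("probe without Message-Authenticator answered:", handle_status_server(bare, secret) is not None)
```

Dropping rather than rejecting an unauthenticated Status-Server probe matters because the shared secret is the only thing that proves the probe came from a configured client; answering it would let any host on the network enumerate live RADIUS servers.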
Revision 4.11 (2012-12-14) Some significant new features. Bug fixes.
  • Fixed a typo that prevented MS-CHAP-Challenge from being correctly added when EAP_LEAP_MSCHAP_Convert is enabled.
  • Changes to continued line parsing in 4.10 broke the ability to spread the first line of a clause over multiple lines with the backslash line continuation operator. Fixed.
  • AuthBy ACE now supports EnableFastPINChange with EAP-GTC, contributed by Richard Fairhall.
  • Fixed a problem that prevented correct operation of ServerDIAMETER listening when FarmSize was in use: some children could block waiting for an accept. Listen socket is now non-blocking. Reported by Rani Assaf.
  • Fixed a problem that prevented AuthBy RADSEC correctly detecting downstream server failure under some circumstances with UseStatusServerForFailureDetect. Reported by Paul Dekkers.
  • Added support for authentication via 3M Standard Interchange Protocol 2 as used in 3M's Automated Circulation Systems (ACS) for book libraries. AuthBy SIP2 supports TCP-IP connection to 3M ACS systems, and authenticates against library patron name and password.
  • SNMPAgent now supports some more items from MIB2: sysDescr (which returns the Radiator name and version) and sysObjectID (which returns the Radiator OID 1.3.6.1.4.1.9048.1.1). Also added sample goodies/snmp.cfg with some documentation about how to configure and test SNMPAgent.
  • radiusd has a new function main::addChildInitFn() which can be used by modules to register a function that is to be called in each child after it is forked by FarmSize. This can be used by module authors to defer or redo some initialisation in the child.
  • Improvements to error detection in Stream handle_socket_read to detect the possibility of EWOULDBLOCK/EAGAIN, reported by Rani Assaf.
  • Added HP-VC-Groups to dictionary.
  • Further improvements to multiline config file parsing, suggested by Michael.
  • Updated comments in HOTP and TOTP examples to clarify the contents of the 'secret' field. Also fixed a problem in AuthBy SQLTOTP, which could cause an SQL error if the first ever log-in attempt involves typing an incorrect PIN. Reported by Roy Badami.
  • Improvements to PEAP support for Windows failing to work when PEAP fast reconnect was enabled. EAP Extension TLV/Success is now exchanged over TLS tunnel between the server and client before sending final Access-Accept.
  • Added more Unisphere and Juniper VSAs based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
  • Fixed a typo in dictionary for WiMAX-QoS-Descriptor value Transmission-Policy.
  • Fixed a problem that could prevent the correct OutPort being used as the source port for AuthBy RADIUS forwarding.
  • Nas finger now uses the standard perl Net::Finger module instead of the internal Finger client in Radius::Finger. The internal Finger client Radius::Finger is now not shipped with Radiator. If you wish to use finger to check online users, you must install the Perl Net::Finger module.
  • Added OSC VSA for pseudo-attribute PoolHint to dictionary.
  • Updated all Nas/*.pm modules to use numeric OIDs instead of symbolic, since some recent versions of snmp tools install without MIBs.
  • Added DEBUG logging of DHCP replies received by AddressAllocator DHCP.
  • Fixed a problem that could cause a crash if AuthBy EAPBALANCE was used with the KeepaliveTimeout option.
  • Fixed a problem that caused UseStatusServerForFailureDetect to not work correctly when defined at the AuthBy RADIUS level instead of the Host level.
  • Added new parameter ClientHardwareAddress to AddressAllocator DHCP. ClientHardwareAddress is the name of an attribute in the incoming request which contains the hex encoded MAC address of the client. If present, it will be used as CHADDR in the DHCP request. If not present, a fake CHADDR based on the request XID will be used. The DHCP server may use this when allocating an address for the client. The MAC address can contain extraneous characters such as . or : as long as it contains the 12 hex characters (case insensitive) of the MAC address. Special characters are supported.
  • Added NetworkPhysics-Attribute to dictionary with the kind assistance of "Caporossi, Steve G."
  • Added Procera-Local-User-Name to dictionary with the kind assistance of Lucas Hazel.
  • Improvements to consistency of proxiedRequests and proxiedNoReply statistics counters when the request is proxied by multiple AuthBy RADIUS or AuthBy RADSEC clauses.
  • AuthBy RADMIN now supports PostAuthSelectHook.
  • Enhancements to support Diameter client and server required for new Diameter Wx support in Radius-EAP-SIM.
  • Fixed a problem that caused incorrect RecvTime in tunnelled PEAP requests.
  • Implemented checkproc for SuSE in linux-radiator.init. Contributed by "Aeneas Jaißle (sewikom GmbH)"
  • Added support for PostDiaToRadiusConversionHook and PostRadiusToDiaConversionHook to Server DIAMETER.
  • Refactoring of md5 and mschapv2 challenge code prior to integrating Heimdal digest support.
  • Added new module AuthBy HEIMDALDIGEST with example configuration and test setup instructions. Authenticates from Heimdal Kerberos (http://www.h5l.org/). Supports RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2). With the kind assistance of Fredrik Pettai. Originally written by Klas Lindfors. Contributed by Stefan Wold of Stockholm University.
  • Fixed a problem where file:"filename" syntax in configuration file could cause strange error messages in hooks if the filename was not found.
  • Fixed a problem where PidFile could be incorrectly deleted if any child was killed in a farm. Now it is only deleted if the farm parent is shut down.
  • Fixed a problem in server farms where if a child process was STOPped or hung, the graceful shutdown process could also hang, resulting in possible failure to restart all children correctly.
  • Improvement to Linux startup script to better handle the case where Radiator fails to exit cleanly after stop command.
  • Improvements to SNMP.pm snmpget, so that failures due to Unknown Object Identifier are detected. Suggested by Michael.
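An added example, not Radiator code, of the ClientHardwareAddress handling described in the 4.11 AddressAllocator DHCP entry above: the MAC is accepted in any separator style as long as 12 hex digits are present, and when the attribute is absent a fake CHADDR is derived from the request XID. The exact derivation of the fake address below is an assumption for the example (Radiator's own derivation is not described here), and the sample values are constructed.

```python
import re
import struct

HTYPE_ETHERNET = 1  # DHCP htype value for 10mb Ethernet (RFC 1700 ARP hardware type 1)
CHADDR_LEN = 16     # chaddr is always a 16-octet field in the DHCP header


def mac_from_attribute(value):
    """Pull the 12 hex digits of a MAC out of an attribute value that may use
    ':' '-' '.' or other separators, in either case. Anything that does not
    yield exactly 12 hex digits is rejected rather than guessed at."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits in MAC address %r" % (value,))
    return bytes.fromhex(digits)


def fake_mac_from_xid(xid):
    """Assumed fallback: a locally administered unicast first octet (0x02),
    the 32-bit XID, and one filler octet, giving a 6-octet address."""
    return b"\x02" + struct.pack("!I", xid & 0xFFFFFFFF) + b"\x00"


def dhcp_chaddr(xid, client_hardware_address=None):
    """Return (htype, hlen, chaddr) for the DHCP request header. An Ethernet
    MAC fills 6 of the 16 chaddr octets; the rest are zero padding."""
    if client_hardware_address:
        mac = mac_from_attribute(client_hardware_address)
    else:
        mac = fake_mac_from_xid(xid)
    return HTYPE_ETHERNET, len(mac), mac.ljust(CHADDR_LEN, b"\x00")


if __name__ == "__main__":
    # Constructed sample values: mixed separators and case, then no attribute.
    print(dhcp_chaddr(0x1234, "00-1A.2b:3C 4d5E"))
    print(dhcp_chaddr(0x1234))
```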
Revision 4.10 (2012-06-28) Some significant new features. Bug fixes.
  • Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in eg Eduroam and other environments. Requires that the Radiator user database has access to the correct plaintext password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is included.
  • Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
  • Added Tropos and Fortinet VSAs dictionary.
  • Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into multiple attributes.
  • Removed use of 'use timelocal' from radiusd and radpwtst, code now uses Time::Local instead.
  • Removed use of 'use newgotopt', all code now uses Getopt::Long instead.
  • Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter specifies whether the password needs to be url-encoded or not. Options are "Clear", "Encode". Contributed by Matthew Van Kuyk.
  • Added Nokia Siemens Networks (NSN) VSAs to dictionary.
  • Added support to radpwtst for new command line argument -alive to send Accounting-Alive requests. Alive is not sent by default if accounting is enabled.
  • Fixed an error in the RPM build control file Radiator.spec, which would cause /usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
  • Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple differing module logging configurations do not confuse Sys::Syslog.
  • Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
  • Improvements to AuthBy WIMAX, which now uses latest WiMAX TLV attribute definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX now uses latest WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and honours the -capability command line argument where you can specify an alternate WiMAX-Capability.
  • Removed use of 'use newgotopt' from builddbm, buildsql, tacacsplustest, diapwtst, restartwrappert. Code now uses Getopt::Long instead.
  • Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL 0.9.8m and later, this optional parameter enables legacy insecure renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.
  • Updated ACME VSA's in dictionary to add many missing VSAs and to adopt attribute naming consistent with other RADIUS servers.
  • Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
  • Added support for EAP expanded types per RFC 3748. EAPType parameter can now be specified as a EAP type number, EAP extended vendornumber:typenumber or as a traditional well-known EAP type name eg: EAPType TTLS, MSCHAP-V2, 16776957:4244372217 where 16776957 is the expanded vendor number and 4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9, the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included module and config to support testing against wpa_supplicant VENDOR-TEST expanded type.
  • Fixed a possible problem in Stream connections where connection failures may not be detected correctly.
  • Improvements to EAP-MSCHAPV2 handling in the case where the underlying database has a database access problem, causing an IGNORE.
  • Testing with RSA Authentication Manager 7.1 SP4. No changes required.
  • Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2 Assertions for an (already authenticated) user from an Identity Provider (IdP) and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is beta code and not yet widely tested. Feedback requested. Currently only sends ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing of requests and Verifying of responses is not yet proven to work correctly.
  • EAP-MSCHAPV2 now honours AuthenticateAttribute.
  • New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32 and 64 bit.
  • Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if Radiator gets an error or a timeout from a database connection it will try to reconnect to the database, starting with the first DBSource, and trying them all in order until a successful reconnection. This flag forces the search to start at the database following the current DBSource (if there is one). This can help with some types of overloaded database that can be connected but then timeout when a query is sent.
  • Context is stored in $p->{EAPContext} for all EAP requests.
  • Fixed a problem where HUPping an evaluation version would result in messages like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
  • Added support for new parameter RequireMessageAuthenticator in Client clauses. Normally, Client clause checks the value of any Message-Authenticator attribute (if present) in incoming requests (EAP or otherwise), and an incorrect authenticator causes the request to be IGNOREd. The optional RequireMessageAuthenticator flag causes this Client to require a (correct) Message-Authenticator attribute to be present in all incoming requests.
  • ServerHTTP now registers itself with Configurable.
  • Additional information in error logs from various TLS operations. Patch from "Bjoern A. Zeeb". Thanks Bjoern.
  • ClientList LDAP now supports file in PreHandlerHook and ClientHook.
  • Fixed a problem with SessionDatabase SQL which could cause a crash if the query contains %{Quote:...}. Patched by Eddie Stassen. Thanks.
  • Added VENDOR Ericsson 193 VSAs to dictionary.
  • Log FILE now supports %0 (priority) and %1 (log message) as special characters in Filename parameter. AuthLog FILE now permits use of the '|' vertical bar leading character in Filename to permit piping to an external program.
  • AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed flag parameter. If this is set then Net::LDAP will try all addresses for a multihomed LDAP host until one is successful. Default is true (set).
  • Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compatibility with some Oracle clients in the group checks. Reported by Emanuel Freitas.
  • Added VENDOR Adva 2544 VSAs to dictionary.
  • Added VENDOR Siemens 4329 VSAs to dictionary.
  • Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the standard Diameter dictionary
  • Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes that are converted to Diameter Grouped attributes being parsed correctly.
  • For all TLS related operations, improved error logging if SSLeay::new fails.
  • Added StripFromReply and AllowInReply to the parameters permitted in AuthBy DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
  • Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary
  • Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh Irvine.
  • Added new module AuthBy RATELIMIT which can be used to limit the maximum number of requests per second to be served. If more than this number of requests are received in any second, they will be IGNOREd.
  • Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by Adam Thompson
  • Server TACACSPLUS now honours DefaultRealm from the Client clause that matches the incoming request. If defined in the Client clause, it will override any DefaultClient defined in the Server TACACSPLUS clause.
  • Global SocketQueueLength was not honoured when creating RADIUS server ports.
  • Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
  • Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6 and RHEL6)
  • All TLS context configuration parameters, such as EAPTLS_CertificateFile now honour special characters (such as %K etc) from the EAP identity request.
  • AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0 (none) instead of 1 (session-based).
  • All EAP authentications now log at DEBUG level the elapsed time of the entire conversation (since the EAP identity) in seconds (and microseconds if Time::HiRes is available).
  • If a Client address cannot be resolved, the log message now includes the exact address that was not able to be resolved.
  • Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version 1.11.
  • Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if AuthBySelectParam was defined.
  • Removed incorrect -authen_args from help in tacacsplustest.
  • Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is honoured even if the EAP-GTC client sends the 'RESPONSE=identity\0password' form of EAP-GTC response.
  • Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
  • RFC 2621 was inadvertently omitted from the distribution.
  • Added support for new configuration parameter. PacketDumpOmitAttributes specifies a comma separated list of RADIUS attribute names which will be omitted from RADIUS packet dumps in logs.
  • ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP clauses. Reported by Albesiano Alberto.
  • Improved parsing of hooks and display of hooks by ServerHTTP. Reported by Albesiano Alberto.
  • AddToReply AddToReplyIfNotExist when used in Handlers and Clients, would incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL did not correctly honour AddToReply for Access-Accept and Access-Reject. Reported by Albesiano Alberto.
  • RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the distribution. In accordance with RFC 6614, the default shared secret for RadSec has been changed to 'radsec', UseTLS is enabled by default, and TLS_RequireClientCert is enabled in Server RADSEC by default.
  • Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
  • Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor, per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc'
  • Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor to support attributes like: WiMAX-Packet-Flow-Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN" Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA tlvs to dictionary, to support attributes like: Alvarion-DHCP-Option="Ref-R3-IF-Name=interface1,DHCP-Option-Container=container1" Alvarion-R3-IF-Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6 Per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc'.
  • Fix to Fidelio interface so that LA messages are not queued unless there is a current connection.
  • Fixed a problem where the LDAP group search did not correctly specify the attributes to fetch, and therefore _all_ attributes were fetched, affecting performance. Reported by Ben Carbery.
  • Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If CheckSecretId is set, then check that the secretId fetched from the database matches the secretId encoded in the submitted Yubikey OTP. This increases the security of the Yubikey OTP and is recommended best practice. Also improved the documentation for configuring yubikey.cfg and provided a better sample database for use with yubikey.cfg
  • Fixed a problem with EAP-FAST that prevented anonymous provisioning in some circumstances where the client asks for several ciphersuites. Reported by Sudhir.Harwalkar.
  • Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy ACE which issue AccessChallenge to get additional data from the user. Radiator was sending the challenge as GETPASS rather than GETDATA and wasn't getting the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco ASA 5510 firewall. Reported and patched by Richard Fairhall.
  • Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl 5.14 x86 and x64 packages. Also updated the prebuilt packages at http://www.open.com.au/radiator/free-downlaods to include versions for Perl 5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-Lsa.tar.gz
  • Fixed a problem where AuthBy LDAP2 would incorrectly log "DEBUG: No entries for mikem found in LDAP database" if MaxRecords was set larger than the actual number of LDAP records retrieved.
  • Improvements to SQL logging: the name of the database is now shown at DEBUG level when connection attempts are made. Also prepareAndExecute and do functions log the database name at DEBUG level. Requested by Philip Herbert.
  • Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
  • Added VSAs for Ruckus Wireless to dictionary.
  • AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem that prevented the error being correctly printed if ntlm_auth crashed or exited.
  • Removed use of Digest::SHA1, replaced with Digest::SHA,which is now included with all perls. Digest::SHA is now an absolute prerequisite.
  • Added sample config platypus7.cfg for recent Platypus 7 database.
  • In EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2, EAP-FAST, inner packets are now logged at DEBUG level _after_ the PreHandlerHook (if any) is run, so that attributes added by the hook will be visible.
  • Fixed a problem where Client DupInterval 0 sometimes did not act as expected, causing a leak in EAP contexts.
  • Improved logging so that AuthBy ACE prompts are not broken up with newlines in logs. Requested by Richard Fairhall.
  • Fixed a problem in TACACS+ which prevented AuthBy ACE new pin mode and other challenges from working correctly. Patch provided by Richard Fairhall.
  • Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the maximum time in seconds that a RadSec connection can be idle before a Status-Server request is sent to keep the TCP connection alive. This helps to keep TCP connections open in the face of "smart" firewalls that might try to close idle connections down. Defaults to 0 seconds, which means inactive.
  • Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the old-fashioned way, with the CHAP Challenge in the authenticator, and not in a separate CHAP-Challenge attribute.
  • Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org
  • Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
  • Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
  • Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is enabled, use only Status-Server requests (if any) to determine that a target server is failed when there is no reply. If not enabled (the default) use no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable this, you should also ensure KeepaliveTimeout is set to a sensible interval to balance between detecting failures early and loading the target server. KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can be idle before a Status-Server request is sent to keep the connection alive. Defaults to 0 seconds.
  • Added more Unisphere and Juniper VSAs to dictionary based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
  • Fixed a problem that could cause a server crash if Framed-IPv6-Prefix was received but Socket6 is not installed.
  • Fixed typos in the names of Management-Transport-Protection and Management-Privilege-Level in dictionary. Reported by Ingvar Berg.
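Two 4.10 entries above concern fields a RADIUS server must verify on an incoming Access-Request: RequireMessageAuthenticator (the Message-Authenticator attribute must be present and correct, an incorrect one is always IGNOREd) and the radpwtst -chap_nc option (the CHAP challenge carried in the Request Authenticator rather than in a separate CHAP-Challenge attribute). The following added example, written for this page and not taken from Radiator, builds a small Access-Request and checks both fields the way a Client clause and a CHAP authenticator would. The HMAC-MD5 and MD5 computations follow RFC 2869 section 5.14 and RFC 2865 section 5.3; the client_accepts policy function, the fixed authenticator and challenge values, and the user name and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("BB", attr_type, len(value) + 2) + bytes(value)


def parse_attrs(packet):
    """Return [(offset, type, value)] for the attributes of a RADIUS packet,
    bounded by the Length field in the header rather than the buffer size."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    out, i = [], 20
    while i + 2 <= length:
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((i, attr_type, packet[i + 2:i + attr_len]))
        i += attr_len
    return out


def build_access_request(ident, authenticator, attrs, secret=None):
    """Assemble an Access-Request. With a secret, a Message-Authenticator is
    appended as the last attribute: HMAC-MD5 keyed with the shared secret over
    the whole packet with the attribute's own 16 octets set to zero."""
    if secret is None:
        header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
        return header + authenticator + attrs
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def message_authenticator_state(packet, secret):
    """'ok', 'bad' or 'missing' for the packet's Message-Authenticator."""
    length = struct.unpack("!H", packet[2:4])[0]
    for offset, attr_type, value in parse_attrs(packet):
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return "bad"
        zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:length]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return "ok" if hmac.compare_digest(expected, value) else "bad"
    return "missing"


def client_accepts(packet, secret, require_message_authenticator=False):
    """Assumed model of the Client clause policy: a wrong authenticator is
    always rejected (IGNOREd); a missing one is rejected only when the
    RequireMessageAuthenticator flag is set."""
    state = message_authenticator_state(packet, secret)
    if state == "bad":
        return False
    if state == "missing":
        return not require_message_authenticator
    return True


def chap_password_is_valid(packet, plaintext_password):
    """CHAP-Password is CHAP ident || MD5(ident + password + challenge). The
    challenge is the CHAP-Challenge attribute when present, otherwise the
    Request Authenticator, which is the old-fashioned form -chap_nc sends."""
    attrs = {t: v for _, t, v in parse_attrs(packet)}
    chap = attrs.get(ATTR_CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        return False
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, packet[4:20])
    expected = hashlib.md5(chap[:1] + plaintext_password + challenge).digest()
    return hmac.compare_digest(expected, chap[1:])


def make_chap_request(ident, chap_ident, password, secret, separate_challenge):
    """Constructed client side with fixed authenticator and challenge so the
    example is reproducible; a real client uses fresh random values."""
    authenticator = bytes(range(16))
    challenge = bytes(range(16, 32)) if separate_challenge else authenticator
    chap = bytes([chap_ident]) + hashlib.md5(bytes([chap_ident]) + password + challenge).digest()
    attrs = attr(ATTR_USER_NAME, b"mikem") + attr(ATTR_CHAP_PASSWORD, chap)
    if separate_challenge:
        attrs += attr(ATTR_CHAP_CHALLENGE, challenge)
    return build_access_request(ident, authenticator, attrs, secret)


if __name__ == "__main__":
    secret = b"mysecret"
    pkt = make_chap_request(1, 7, b"fred", secret, separate_challenge=True)
    print("CHAP ok:", chap_password_is_valid(pkt, b"fred"))
    print("Message-Authenticator:", message_authenticator_state(pkt, secret))
```

The verifier re-derives the authenticator over the received bytes with the attribute zeroed and compares with a constant-time comparison, so a packet whose User-Name (or any other attribute) was altered in transit fails even though the attribute itself is intact.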
Revision 4.9 (2011-09-30) New features and some bug fixes.
  • Fixed an issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted as UDP RADIUS (for historical reasons). It is now interpreted as TCP RADSEC. Reported by Stefan Winter.
  • Added commands to the sample startup script linux-radiator.init that work for Debian. Submitted by "Michael".
  • Improvements to AuthBy FIDELIO: During a SIGHUP, AuthBy FIDELIO now sends a LE and closes the TCP connection before reopening the connection. This should result in better database reading behaviour during SIGHUP. AuthBy FIDELIO now sends periodic LA commands to the Fidelio to check the integrity of the link. Suggestions by Ralf Ertzinger.
  • Fixed further issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted. Reported by Paul Dekkers
  • Improvements to AuthBy DNSROAM so that routes for different realms that are discovered to be to the same proxy server will reuse the existing server. Suggested by Stefan Winter.
  • goodies/fideliosim.pl now prints main details of PS posting records it receives.
  • New module AuthBy FIDELIOHOTSPOT which provides hotel guest authentication by Fidelio, and prepaid session times, billed to the user's room by Fidelio. Supports various hotspots such as Mikrotik and Open-Mesh etc. Replaces goodies/fidelio-hotspot-hook.pl as the preferred method of providing prepaid sessions billed to room by Fidelio.
  • Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after a message from Fidelio has been unpacked into a hash and before the record is passed to handle_message(). It can be used to change or transform any fields in the record before it is passed to handle_message() and processed by AuthFIDELIO.
  • Improvements so that if the example Radiator init script for linux is invoked as a symlink (eg /etc/rc2.d/S90radiator->../init.d/radiator), it still deduces the correct program name (radiator) and hence sources the correct sysconfig file (/etc/sysconfig/radiator).
  • Fixed a problem where Realm clauses inside AuthBy DNSROAM did not recognise the Secret parameter. Reported by Paul Dekkers.
  • Added negative caching to Resolver, with new parameter NegativeCacheTtl.
  • Added new parameter RedespatchIfNoTarget to AuthBy DNSROAM. For a given request, if Resolver does not find a target and there is no explicit Route, and no DEFAULT Route and this flag is set, the request will be redespatched to the Handler/Realm system for handling. This allows for a flexible fallback in the case where DNSROAM cannot find how to route a request. The redespatched request will have the attribute OSC-Environment-Identifier set to the AuthBy DNSROAM Identifier (or 'DNSROAM' if Identifier is not set).
  • Fixed problems with the Authen-Digipass PPM packages for Windows missing important files.
  • Fixed an issue with AuthBy RADSEC, where failure to deliver a message could cause continuous attempts to reconnect, even if ConnectOnDemand is set.
  • Fixed an issue with Stream based connections, where ConnectOnDemand and an unresponsive server could cause Radiator to hang. Reported by Paul Dekkers.
  • Added workaround for a bug in some versions of perl 5.12.1 (such as in openSUSE 11.3) that caused incorrect packing of some RADIUS requests.
  • Improvements to Server TACACSPLUS so that RADIUS STATE is saved in the connection rather than the context. Patch provided by Nicholas Waples.
  • Reversed a previous change in 4.8, so that an expired authentication in Server TACACSPLUS now results in FAIL instead of ERROR. The change in 4.8 was to result in ERROR, which causes some devices to then revert to the local authorisations.
  • Added a number of attributes from RFC 5090 to dictionary, which override a number of attributes that were previously commandeered by Ascend. The Ascend ones are still available in ascend.dictionary.
  • Fixed a typo in dictionary: Ascend-Call-Attempt-Limit was Agscend-Call-Attempt-Limit.
  • Fixed a problem in linux-radiator.init which prevented traceup working on SuSE. Reported by Aeneas Jaißle.
  • Improvements to ClientListSQL to support DisconnectAfterQuery, which will cause disconnection from the SQL database after each query. This can be helpful in cases where firewalls etc close connections that have been idle for a long time.
  • Added sha.pl, ssha.pl to goodies. Simple perl scripts to generate SHA and SSHA hashes of the first command line argument. Useful for generating SHA and SSHA hashed passwords in the form Radiator honours.
  • Fixed a problem with the Radiator init script that prevented reload, traceup and tracedown working with some versions of SuSE.
  • Added ipoque-class VSA for ipoque PRX Traffic Manager to dictionary. With the assistance of A.Sharaz.
  • Improvements to the sample wimax.sql database schema to improve interoperation with Alvarion.
  • All stream protocols that support TLS now support optional TLS_CertificateFingerprint parameter. When a TLS peer presents a certificate, this optional parameter specifies one or more fingerprints, one of which must match the fingerprint of the peer certificate. Format algorithm:fingerprint. Requires Net::SSLeay 1.37 or later.
  • Improvements to AuthBy EAPBALANCE to permit operation with target RADIUS servers that rely on State, such as Windows IAS etc.
  • Added Freeswitch-Direction and Freeswitch-Other-Leg-Id to dictionary.
  • Added Documentation and sample scripts for how to use Radiator and the AuthBy FIDELIO module to handle authentication and accounting for the Freeswitch VOIP switch (http://www.freeswitch.org). It can be used to authenticate and to bill VOIP calls to a Micros-Fidelio Opera Hotel Property Management System (http://www.micros.com).
  • Added Riverbed-Local-User VSA to dictionary.
  • Fixed a problem in AuthBy RADMIN where if the database connection fails once, message logging through AuthRADMIN will stop altogether, and along with that, the bad login counting. Reported and patched by Manuel Kasper.
  • Added Aruba-MMS-User-Template to dictionary, fixed typo in Aruba-Port-Identifier. Added AH-HM-Admin-Group-Id.
  • Added support for EAP AKA-PRIME. Required for version 1.32 of Radius-EAP-SIM module.
  • Added new clause AuthBy SQLAUTHBY, which looks up how to authenticate each user based on information in an SQL database. The columns retrieved from SQL are used to create an AuthBy clause that will actually handle the request. The parameters used to configure the clause come from SQL. The clause is reused for as long as the target realm yields the same SQL query results. The example works with the sample RADSQLAUTHBY table in mysqlCreate.sql.
  • Added support for new parameter AuthChallengeKeyword to AuthBy URL. This parameter permits URL results that trigger a CHALLENGE reply for use with Challenge/Response systems. Contributed by Matthew Van Kuyk.
  • Added new parameter DirectAddressLookup to Resolver. If DirectAddressLookup is enabled, and if there are no NAPTR records for the requested Realm, Resolver will attempt lookups of A and AAAA records for _radsec._sctp.REALM, _radsec._tcp.REALM and _radius._udp.REALM. Enabled by default. Requested by Paul Dekkers.
  • Added sample hook pwaframedip.pl. This hook fixes a problem with Enterasys switches where Framed-IP-Address is not included in accounting packets, but the information is available via SNMP when for Enterasys captive-portal (PWA) authentication. Contributed by Ben Carbery.
  • In AuthBy RADMIN, it is now possible to disable IncrementBadloginsQuery and ClearBadloginsQuery by setting the query string to be empty.
  • Server farm children now always reseed the random number generator so the children don't share the same seed.
  • Improvements to the RPM spec file so RPM installs with recent 64 bit perls will work.
  • Increased the default MaxBufferSize in streams to 10000000.
  • Added support for passwords encrypted with $2a$, $2x$ and $2y$ blowfish crypt and $5$ SHA-256 crypt (where supported by the underlying crypt()). Improvements to support rounds= notation in SHA-256, SHA512 crypt.
  • Ensure RecvTime is set in RADIUS requests derived from tunnelled EAP types.
  • Changed the type of Framed-Interface-Id in dictionary to be ifid. You can now specify Framed-Interface-Id as strings in the format 'aaaa:bbbb:cccc:dddd', which is compatible with FreeRadius.
  • Fixed an issue with TTLS and PEAP: When inner authentication is proxied, e.g. EAP-MSCHAP-V2 to MS NPS, NPS sends back State. If Radiator does not return State, proxying inner auth fails.
  • Added more Nomadix VSAs to dictionary, contributed by Mike Newton.
  • AuthBy EAPBALANCE and AuthBy HASHBALANCE now REJECT if an EAP stream has to be broken up, giving the client an immediate chance to restart. Changed the default protocol version for PEAP in EAPTLS_PEAPVersion from 1 to 0. This is in line with more recent documentation from Microsoft (which contradicts draft-josefsson-pppext-eap-tls-eap-0[35].txt), and it achieves better interoperability with Macs.
  • Added more Aruba VSAs, contributed by Alan.
  • EAP-FAST support now follows the recommendations for A_ID: it is now the 16 octet hash of the A_ID_INFO, which is set to the Radiator hostname. Updated instructions for building OpenSSL and Net::SSLeay for more recent versions of Net::SSLeay for use with EAP-FAST.
  • Added sample script goodies/hex2base32.pl to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
  • Improvements to ClientList SQL to improve error detection.
  • Improvements to random number seeding: seeding is now done by a new function Radius::Util::seed_random. radiusd calls it at startup and after forking farm children. It can be overridden if necessary to provide local random number initialisation and seeding.
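The hex-to-base32 goodies script mentioned in the 4.10 and 4.9 entries above exists because Google Authenticator takes base32 seeds while HOTP and TOTP databases commonly store the seed in hex. The added example below (written for this page, not the goodies script) does the conversion both ways and then computes HOTP and TOTP from the same seed, so the conversion can be checked end to end against the RFC 4226 and RFC 6238 test vectors. The time_step and time_step_origin parameters are named after the TimeStep and TimeStepOrigin settings mentioned in the 4.8 entry for AuthBy SQLTOTP; the seed used is the RFC test seed, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed: the ASCII string "12345678901234567890" in hex.
RFC_SEED_HEX = "3132333435363738393031323334353637383930"


def hex_to_base32(hex_secret):
    """Convert a hex-encoded HOTP/TOTP seed into the base32 string that
    Google Authenticator expects (RFC 4648 alphabet, '=' padding dropped).
    Spaces and ':' separators in the hex are tolerated."""
    raw = bytes.fromhex(hex_secret.replace(" ", "").replace(":", ""))
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def base32_to_bytes(b32_secret):
    """Inverse of hex_to_base32: accept lower case, spaces and missing padding."""
    cleaned = b32_secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, time_step=30, time_step_origin=0, digits=6):
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the
    origin. Defaults match the 30-second step and Unix epoch origin that
    Google Authenticator uses."""
    if for_time is None:
        for_time = time.time()
    counter = int((for_time - time_step_origin) // time_step)
    return hotp(secret, counter, digits)


if __name__ == "__main__":
    seed = bytes.fromhex(RFC_SEED_HEX)
    print("base32 for the authenticator app:", hex_to_base32(RFC_SEED_HEX))
    print("HOTP counter 0:", hotp(seed, 0))
    print("TOTP now:", totp(seed))
```

Feed the base32 string into the authenticator app; the code it shows for the current 30-second step should equal totp(seed) computed from the hex seed stored on the server side, which confirms both the conversion and the server's clock and TimeStep settings.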
Revision 4.8 (2011-04-28) New features and some bug fixes.
  • Fixed a problem in AuthBy EAPBALANCE where no reply from a proxied request from the middle of an EAP stream would result in unlimited retransmissions of the request. Reported by Keith Ma.
  • Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
  • Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
  • RPM packages were built by default on OpenSuSE with LZMA compression, which is not available for all platforms. This new Radiator.spec disables LZMA and uses BZ2 instead. In future all RPMs will be built with BZ2 compression. New versions of Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm with BZ2 uploaded.
  • Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and TimeStepOrigin parameters were not correctly read, resulting in errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew Reeves-Hairs.
  • GetClientQuery was incorrectly using field 25 instead of 27 for flags. Documentation for GetClientQuery incorrectly described field 25 as being flags instead of ClientHook.
  • Added SQLRetries parameter to all SQL type clauses. When executing a query, Radiator will try up to SQLRetries attempts to execute the query, retrying if certain types of SQL error are seen. Defaults to 2. Requested by Michael.
  • Fixed some problems with Radius paths in the RPM on some platforms. Rebuilt and uploaded new RPMs.
  • Improved Client CIDR address searches so a more specific cidr would have priority over a less specific cidr. Contributed by Nicholas Waples.
  • Improved ClientListLDAP: added oscRadiusIdentifier and oscRadiusDefaultRealm to the default list of ClientAttrDef's. These were the only attributes missing from the oscRadiusClient LDAP schema provided in goodies. Contributed by Nicholas Waples.
  • In Server TACACSPLUS, the call AuthenticationStartHook now includes the priv_lvl and service values from the TACACSPLUS request passed as arguments to the hook.
  • In Server TACACSPLUS, during authentication, we now add cisco-avpair attributes to the RADIUS request for action, authen_type, priv-lvl and service from the incoming TACACSPLUS request.
  • Improvements to AuthBy URL. Improved HTTP and HTML standards compliance by using the LWP::UserAgent methods post() and get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication, as well as the previously supported PAP. *CHAP challenges and responses are encoded as HEX and sent as configurable web parameters. Updated the sample config file goodies/url.cfg, and improved documentation. Fixed inconsistent password in sample test_url_md5.cgi. Cleaned up some of the code to be compliant with in-house standards.
  • Added support for BindAddress in all Ldap derived clauses, allowing you to specify a local address for the client side of the LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 0.0.0.0. Updated sample config file. Suggested by Roel Hoek.
  • Updated AuthBy NTLM so that if an authentication fails, the Warning log message records the user name along with the Authentication-Error. Suggested by David Zych.
  • Further improvements to AuthBy URL. Now supports the CopyReplyItem parameter. If a successful HTTP reply contains a string like 'xxx=hexencodedvalue', the value will be copied to the RADIUS reply as attribute yyy=value. The value is expected to be HEX encoded and will be HEX decoded before being added to the reply.
  • Fixed a problem where some SQL modules were not being correctly initialised, which was revealed when the new SQLRetries was added. Reported by Steffen Weinreich.
  • Further improvements to AuthBy URL. Now supports the CopyRequestItem parameter, which adds a tagged item to the HTTP request. Format is CopyRequestItem xxx yyy. The text of yyy (which may contain special characters) will be added to the HTTP request with the tag xxx. In the special case where yyy is not defined, the value of the attribute named xxx will be copied from the incoming RADIUS request and added to the HTTP request as the tagged item yyy. All values are HEX encoded before being added to the HTTP request. Multiple CopyRequestItem parameters are permitted, one per line.
  • Improvements to AuthBy SQLTOTP to implement replay detection. This has required an additional column in the sample SQL database schema, and changes to the default AuthSelect and UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
  • Testing with the Mera MVTS Pro Voip gateway. OK. Added mera-mvts.txt. This document briefly outlines the requirements for interfacing Radiator with Mera MVTS Pro VOIP gateways, along with examples of the types of requests and replies Radiator can be expected to handle when interfacing with MVTS Pro.
  • Added new command line argument -min_interval to restartWrapper, which controls the minimum time interval between successive restarts. Contributed by David Zych.
  • Tested AuthBy HOTP and AuthBy TOTP with a range of iPhone OATH soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP), and Google Authenticator (HOTP and TOTP). External testing with Feitian C200 OTP Tokens and others. All OK.
  • Added a number of Juniper attributes to dictionary.
  • Monitor and Server HTTP now support AddToRequest to add attributes to the internal RADIUS request they generate when authenticating administrator logins to their respective interfaces. They also dump these requests when Trace 4 is enabled.
  • Server TACACSPLUS now supports a new parameter AuthorizeGroupAttr. If this parameter is specified, it specifies the name of an attribute in Access-Accept that will contain per-command authorization patterns for authorising TACACS+ commands. These are processed before any configured-in AuthorizeGroup parameters. The command authorization patterns are in the same format as supported by AuthorizeGroup. Added a new VSA to dictionary OSC-Authorize-Group, which is intended to carry per-user reply command authorization patterns.
  • Improvements to Radiator linux startup script so you can have multiple scripts in /etc/init.d/ with different names, and which lookup different parameters in /etc/sysconfig. For example, you can install the script as /etc/init.d/radiator and /etc/init.d/radiator-acct, and it will look up parameters in /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further improvement is to always use -p RADIUS_PIDFILE to killproc the process, rather than the process name.
  • Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
  • Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary, including OLT-TL1-*, and added VALUE definitions for some other A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have adopted A-ESAM to be compatible with previously existing definitions.
  • Fixed a problem where EAP-MD5 authentications did not honour UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".
  • Fixed a problem where EAP-MD5 authentication by AuthBy LSA mysteriously failed. Refactored check_chap() from EAP_4 to AuthGeneric, and thence to AuthLSA. Reported by "Sami Keski-Kasari".
  • Fixed a problem which could cause crashes in Socket6::inet_ntop. Reported by James Harton.
  • Testing on MacOS X 10.6.5. OK.
  • Added lookupauthgroup.pl, a sample PostSearchHook for AuthBy LDAP2, which finds user group(s) through an LDAP lookup, then finds corresponding check and reply attributes in SQL, based on the user group(s) for that user and the device groups of the RADIUS/TACACS+ client. This allows you to add very fine-grained authentication/authorisation in an LDAP/SQL environment, based on user and device group membership.
  • Alter the session shutdown in Server TACACSPLUS to be SHUT_RDWR, to fix possible session shutdown problems with some TACACS+ clients.
  • Fixed incorrect sequence numbers in some TACACS+ packets sent by goodies/tacacsplustest that affected interoperation with tac_plus. Fixed issues with TACACS+ version numbers that affected interoperation with tac_plus.
  • Added new parameter SingleSession to Server TACACSPLUS which can be set to 0 to disable the default behaviour which tries to keep the same TCP session for all requests. Setting SingleSession to 0 forces a TCP disconnect after every authentication, authorisation and accounting session. Some TACACS+ clients need this in order to operate correctly.
  • Improvements to AuthBy SQLTOTP so that tokens whose time drifts into the future can be authenticated. Patch supplied by Steffen Weinreich.
  • Decoupled AuthGeneric userIsInGroup from getUserGroups so subclasses can implement their own group finding.
  • Added new optional parameters GroupSearchFilter, GroupBaseDN and GroupNameCN to specify an LDAP search which will be used to get the names of groups this user is a member of. Used to check Group check items. Updated sample lookupauthgroup.pl to use the new group search function in AuthBy LDAP2.
  • AuthBy LSA now honours UsernameMatchesWithoutRealm correctly for users and groups. Reported by "Sami Keski-Kasari" and "Johnson, Neil M".
  • In AuthBy SQL, the optional GroupMembershipQuery now has the groupname available as the second bound variable.
  • Improvements to Server TACACSPLUS so that it honours the TAC_PLUS_SINGLE_CONNECT_FLAG flag in incoming requests. Now a single session will only be maintained if the Server TACACSPLUS SingleSession parameter is set _and_ the client indicates a willingness to support single sessions with the TAC_PLUS_SINGLE_CONNECT_FLAG. Single sessions can be disabled regardless of client options by setting the SingleSession flag to 0 (defaults to 1).
  • Improvements to goodies/tacacsplustest: it now correctly sets the TAC_PLUS_SINGLE_CONNECT_FLAG in requests if the -single command line parameter is given. It now closes the connection at the end of each session unless the -single flag is set and the server indicates a willingness to support single connections with the TAC_PLUS_SINGLE_CONNECT_FLAG.
  • Fixed a problem where malformed WiMAX attributes could cause a crash. Reported by Mark Sergeant.
  • Further fixes to Server TACACSPLUS: If SingleSession is set, some Cisco TACACS+ clients will close an authentication session after the first reply. This is a bug in the client. As a workaround, ServerTACACSPLUS.pm now never sets the TAC_PLUS_SINGLE_CONNECT_FLAG in its replies. Reported by Aki Tuomi.
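The single-connect handling described in the three TACACS+ items above (honouring the client's flag, the tacacsplustest behaviour, and never advertising the flag in replies) as an added Python example; this is not Radiator's code. The 12-byte header layout and the TAC_PLUS_SINGLE_CONNECT_FLAG value 0x04 are taken from the TACACS+ protocol draft; the sample packet bytes are constructed.

```python
import struct

# TACACS+ header flag bits (TACACS+ protocol draft).
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04

# 12-byte header: version, type, seq_no, flags, session_id, body length (network order).
_HEADER = struct.Struct("!BBBBII")


def parse_header(data: bytes) -> dict:
    """Decode a TACACS+ header; raise ValueError on a short buffer or unknown major version."""
    if len(data) < _HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = _HEADER.unpack_from(data)
    if version >> 4 != 0xC:
        raise ValueError(f"unsupported TACACS+ major version {version >> 4:#x}")
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def client_requests_single_connect(header: dict) -> bool:
    """True if the client set TAC_PLUS_SINGLE_CONNECT_FLAG, i.e. it can reuse the TCP connection."""
    return bool(header["flags"] & TAC_PLUS_SINGLE_CONNECT_FLAG)


def keep_connection_open(header: dict, single_session_enabled: bool) -> bool:
    """Server decision once a session completes: keep the TCP connection only when the
    SingleSession parameter is on *and* the client asked for single-connect mode."""
    return single_session_enabled and client_requests_single_connect(header)


def build_reply_header(request: dict, body_length: int) -> bytes:
    """Header for the reply to `request`: sequence number advances by one, version and
    session id are echoed, and TAC_PLUS_SINGLE_CONNECT_FLAG is never set in a reply
    (the workaround for clients that otherwise close the authentication session early)."""
    if request["seq_no"] % 2 == 0:
        raise ValueError("client packets carry odd sequence numbers")
    if request["seq_no"] == 255:
        raise ValueError("sequence number exhausted; session must be restarted")
    flags = request["flags"] & ~TAC_PLUS_SINGLE_CONNECT_FLAG & 0xFF
    return _HEADER.pack(request["version"], request["type"], request["seq_no"] + 1,
                        flags, request["session_id"], body_length)
```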
  • Fixed a typo in linux-radiator.init that prevented traceup and tracedown working properly on RHEL5.
  • Added LOG_WARNING log message if a Tacacs+ request is received by Server TACACSPLUS for which no Client could be found.
  • Improvements to Server TACACSPLUS so that expired authentications result in ERROR instead of FAIL. Tacacs authorisations are now bound to both the username and the peer address, so a user can have different authorisations on each device.
  • Added peer address to a number of warning and info messages produced by Server TACACSPLUS for easier diagnosis.
  • Updated Monitor HELP command documentation to include TRACE_PREDICATE.
  • Fixed problems with linux-radiator.init traceup and tracedown on RHEL5.
  • Improvements to Server TACACSPLUS: Fixed a problem with the new AuthorizeGroupAttr that caused authorisation patterns to not be reset properly. Server TACACSPLUS now updates the global packet counts for each Tacacs+ request received. Database failures that IGNORE now cause a Tacacs *_STATUS_ERROR reply.
  • Added goodies/cisco-vpn.txt a short description on how to configure Cisco VPN 3000 Concentrator VPN groups, and the limitations thereof.
  • Fixed a case where Radiator would crash when certain local devices tried to connect to a tacacs port.
  • Added example rule to goodies/tacacsplusserver.cfg showing how to use optional tacacs roles, including multiple optional roles.
  • Added new parameter UnbindAfterServerChecksPassword to AuthBy LDAP2, which works around problems with some LDAP servers. Normally, when ServerChecksPassword is set, the LDAP connection is not unbound after Radiator checks a user's password. This can cause problems with some LDAP servers (notably Oracle ID and Novell eDirectory), where they unexpectedly cause the following LDAP query to fail with LDAP_INAPPROPRIATE_AUTH. Setting this flag causes an unbind after each ServerChecksPassword bind.
  • Added support for new -I command line flag to radiusd, which adds an include directory to the module search path. Patch by Heikki Vatiainen.
  • In SqlDb::do(), Sql connections now detect PostgreSQL duplicate key violations, which are now not a cause for disconnect. Added similar tests to SqlDb::prepareAndExecute().
  • Sample RAdmin configuration file that shows how to record Tacacs+ commands to the RAdmin RADCOMMANDAUDIT table for auditing and viewing (RAdmin 1.14 plus latest patches required).
  • The ServerRADIUS clause now supports AddToRequest, which makes it easy to tag requests that arrive by RADIUS to distinguish them from those arriving by TACACS+ or Diameter.
  • Server HTTP log messages are now escaped so that HTML characters in the log do not cause display errors. Patch provided by Adam Bishop.
  • Fixed a problem in Auth LDAP2 that could cause a crash if ServerChecksPassword and UnbindAfterServerChecksPassword are enabled, and certain LDAP errors occur during the ServerChecksPassword bind.
  • Fixed spelling mistake in VENDORATTR Timetra-Home-Directory, Added further VSAs to VENDOR Panthera 6527 (Alcatel 7450 ESS Router). Added VENDOR Alcatel-Lucent 800 (Alcatel-Lucent OS6400 switches) VSAs. Added Alcatel-Lucent-SAM VENDORATTR SAM-Security-Group-Name .
  • Improvements to IPV6 handling so the absence of Socket6 causes a warning message instead of an exit.
  • Added a number of FreeSwitch accounting VSAs to dictionary. Added a brief discussion paper about how to integrate FreeSwitch with Radiator. FreeSWITCH is a powerful and versatile telephony platform that can scale from a softphone to a PBX and even to a carrier-class softswitch.
  • Log SYSLOG and AuthLog SYSLOG now support special characters in LogIdent, LogOpt and LogHost.
  • TLS Streams, such as those used with RadSec, did not correctly verify certificates for 'hostname' if the Host address was specified in Radiator in the form ipv6:hostname. Reported by Patrick Renkens.
  • Fixed an issue where truncated EAP-Message requests would cause a log message like "Could not load EAP module Radius::EAP_" ..... This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha.
  • Server TACACSPLUS now honours reply attributes correctly for ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.
  • Testing with XAMPP on Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html) is an excellent, easy to install bundle of useful tools such as Apache, MySQL, Perl etc for Windows. It is a also good base for installing Radiator on Windows, especially if you wish to use Radiator with RAdmin or a MySQL database. Updated installation documentation to include XAMPP on Windows.
  • Added support for Novell eDirectory NMAS (Novell Modular Authentication System) to AuthBy LDAP2. NMAS allows Novell eDirectory to support and authenticate passwords using the Vasco Digipass NMAS method, and other third party token and non-token systems. Only Vasco Response-Only (RO) tokens are supported, since NMAS does not currently support challenge-response via RADIUS. Sample configuration file included.
  • Ldap classes now support the "ipv6:" prefix for Ldap server Host names. If Host begins with "ipv6:" the subsequent host name(s) will be interpreted as IPV6 addresses where possible, and Net::LDAP will use INET6 to connect to the LDAP server.
  • In AddressAllocator SQL, the default AllocateQuery was changed to check the STATE during the allocation to catch certain race conditions.
  • With all Ldap clauses, removed the default BindAddress of 0.0.0.0. This was unnecessary and interferes in a non-obvious way with attempts to use ipv6: in the Host. Reported by Dyonisius Visser.
  • Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
        RFC4669 - RADIUS Authentication Server MIB for IPv6
        RFC4671 - RADIUS Accounting Server MIB for IPv6
    The RFCs are included in the distribution.
  • Improvements to EAP handling to support multiple desired EAP types in EAP NAK response, per RFC 3748.
  • Fixed incorrect error message that referred to ServerHTTP. Reported by Karl Gaissmaier.
  • Added support for PacketTrace to Server TACACSPLUS, Server DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.
  • Fixed a problem where attributes of type ipv6prefix (such as Framed-IPv6-Prefix) would not be decoded correctly if they had fewer than 16 octets. Reported by Lee, Larry KT.
  • Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even if the Called-Station-Id has the SSID of the AP appended as described in http://tools.ietf.org/html/rfc3580#section-3.20
  • Added example perl script rpt.pl which logs packets which match a regexp. Contributed by Bart Dumon.
  • Fixed a problem when using AuthBy RADIUS with Synchronous and Fork that if the secrets don't match (resulting in "Bad authenticator received in reply to ID 1. Reply is ignored"), this creates forked processes that never terminate and have to be manually force-killed. Reported by David Zych.
  • Fixed a number of innocuous warnings when radiusd is run with perl -w.
  • Added usage documentation for author_args in tacacsplustest.
  • In AuthSQL, GroupMembershipQuery is now not passed any bind variables. If you wish to use bind variables with GroupMembershipQuery, use the new GroupMembershipQueryParam.
  • Fixed a problem with Server HTTP where some versions of Firefox would hang when trying to access localhost:9048. Also fixed some innocuous warnings when run with the -w flag.
  • Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some cases with some versions of Sys::Syslog, the loghost was not set correctly. Reported by Klara Mall.
  • radiusd now unlinks PidFile during an orderly shutdown. Suggested by Klara Mall to prevent startup scripts being confused by stale PID files.
  • Improvements to AddressAllocator SQL: If CheckPoolQuery is set to an empty string, no pool checking will be done at startup. If AddAddressQuery is set to an empty string, addresses will not be automatically added to the pool.
  • Testing against RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de/. Works well, and easy to install.
  • Fixed a problem in TLS Stream based protocols (such as AuthBy RADSEC, AuthBy DNSROAM etc.) where ConnectOnDemand would not work correctly in the case where a TLS connection was being established and failed. Reported by Stefan Winter.
  • Added goodies/radiusgina.txt, a brief introduction to RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de
Revision 4.7 (2010-08-11) New features and some bug fixes.
  • Added support for Django style passwords in the format:
        sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78b
    and
        md5$a1976$e67d1ca20e9c28321b86e34076cc48ab
    as specified by http://docs.djangoproject.com/en/dev/topics/auth/#passwords. Contributed by Jerome Fleury.
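The verification rule behind that format, as an added Python example that is not Radiator's code: the Django scheme of that era stores algorithm$salt$hexdigest, where the digest is SHA-1 or MD5 over the salt concatenated with the password. The salt and password used in the block are constructed values.

```python
import hashlib
import hmac
import re

# Algorithm tags accepted in the Django-style "algorithm$salt$hexdigest" format.
_DIGESTS = {"sha1": hashlib.sha1, "md5": hashlib.md5}
_HEX = re.compile(r"[0-9a-fA-F]+")


def django_hash(algorithm: str, salt: str, password: str) -> str:
    """Build a Django-style password string: hexdigest(salt + password)."""
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = _DIGESTS[algorithm]((salt + password).encode("utf-8")).hexdigest()
    return f"{algorithm}${salt}${digest}"


def verify_django_password(password: str, stored: str) -> bool:
    """Return True only if `password` matches the Django-style `stored` string.

    Malformed rows (wrong field count, unknown algorithm, non-hex or wrong-length
    digest) are rejected rather than raising, so a bad database row is never a match.
    """
    parts = stored.split("$")
    if len(parts) != 3:
        return False
    algorithm, salt, expected = parts
    factory = _DIGESTS.get(algorithm)
    if factory is None or not _HEX.fullmatch(expected):
        return False
    actual = factory((salt + password).encode("utf-8")).hexdigest()
    if len(actual) != len(expected):
        return False
    # Constant-time comparison: do not leak how many leading hex digits matched.
    return hmac.compare_digest(actual, expected.lower())
```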
  • Fixed a bug in ServerTACACSPLUS to do with closing the authgroup file. Reported by Wolfgang Koenig.
  • Added sample configuration file for Radiator, showing how to proxy requests to the WiKID (http://www.wikidsystems.com/) Strong Authentication RADIUS Server.
  • Fixed a problem where AuthBy SQLRADIUS statistics were not kept correctly up to date in the case of recovered servers. Reported by Dan Cachola.
  • Factored out EAP-FAST PAC creation and retrieving from EAP_43 to AuthGeneric. AuthBy SQL can now override these functions and use SQL queries to save and retrieve PACS, or to retrieve pre-provisioned PACS from the database. If AuthBy SQL does not define CreateEAPFastPACQuery, then it falls back to the default of saving PACS in Radiator memory.
  • Added sample configuration file and detailed installation instructions for the Secure Metric (www.securemetric.com) SecureOTP one-time-password system, including details on how to proxy requests to the SecureOTP RADIUS Server.
  • Minor changes of some log messages from INFO to DEBUG level, to reduce noise level. Additional information in some AuthBy RADIUS and EAP messages to improve diagnostics in load balancing systems. Requested by Myles Fenton.
  • Added support for -retries flag to radpwtst
  • Removed redundant noReplyFromProxy from goodies. The code is in goodies/hooks.txt.
  • Previously, radpwtst would use the same random authenticator for all requests. radpwtst now uses a different random authenticator for each request, which can help with testing of duplicate detection.
  • Added OSC-Device-Identifier, OSC-User-Identifier and OSC-Group-Identifier to dictionary.
  • Added Identifier to logging in Handling request with Handler .... debug message.
  • Fixed an error in the calculation of responseTime statistics.
  • Improvements to detection and use of Time::HiRes. New function Radius::Util::getTimeHires returns (seconds, microseconds). Microseconds is 0 if Time::HiRes is not available. responseTime is now measured with microsecond accuracy if Time::HiRes is available, improving the accuracy of statistics calculations.
  • Added a number of DeTeMobil Vendor-Specific Attributes to dictionary. Contributed by Alexander Hartmaier.
  • Improvements to AuthBy LDAP2 performance: if ServerChecksPassword is in use, and if the server rejects the password due to LDAP_INVALID_CREDENTIALS or LDAP_INAPPROPRIATE_AUTH, do not disconnect from the LDAP server. Previously, this would cause an unnecessary disconnect.
  • Added symbolic vendor names for T-Mobile and TMO to dictionary.
  • Added function changePassword to AuthBy LDAP2 to support custom code to change user passwords. Net::LDAP compatibility improvements with use of Net::LDAP::Entry->get_value(..., asref => 1) instead of get(...).
  • Abstracted the generic Yubikey support code into AuthYUBIKEYGENERIC.pm AuthSQLYUBIKEY is now a subclass. Enables the development of new subclasses for supporting Yubikey in other types of database, such as LDAP.
  • Changes to the RPM build spec to accommodate RPM_BUILD_DIR to circumvent rpm building problems on some platforms.
  • Added more 3GPP attributes to dictionary as per http://www.3gpp2.org/Public_html/specs/X.S0011-005-E_v1.0_091116.pdf
  • Improved behaviour of AuthBy FIDELIO when LA messages are received. Previously they would always cause a database update. Now this only happens on the first LA. Fixed a bug in fideliosim.pl. fideliosim.pl now implements LA requests every 10 seconds.
  • AuthBy FIDELIO now never uses a posting sequence number of 0000, following advice from Michael Herzig. Starts at 0001 and wraps from 9999 to 0001.
  • AuthBy FIDELIO now implements 2 new configuration parameters: PostingExtraFields allows you to override or add extra data fields to be sent in the Opera posting record. PostingRecordID allows you to change the posting record ID from the default of 'PS' to, say, 'PR'. Examples in the fidelio.cfg sample configuration file.
  • Fixed a potential memory leak with EAP-TLS. X509_free is used to free the certificate. Reported by Robert Hwang.
  • Fixed an error with the formatting of dates in the DA field in AuthBy FIDELIO: the month and day elements were reversed. Reported by Michael Herzig.
  • Added new convenience function post() to AuthFIDELIO.pm for posting accounting requests to Fidelio, and which can be used by other hooks. Improved a number of separator formatting issues in messages sent to Fidelio.
  • Added sample Radiator configuration, showing how to build a WiFi hotspot with, for example MikroTik (www.mikrotik.com) hotspot and captive portal, which authenticates against Micros-Fidelio Opera hotel management system, and permits the user to purchase WiFi internet access in blocks of 24 hours which are billed to the user's room through Opera. Example works with MySQL as a session database (schema included), but other databases can be supported.
  • Added new configuration parameter LogOpt to Log SYSLOG and AuthLog SYSLOG clauses, allowing control over the syslog options used. LogOpt is a comma separated list of words from the set cons,ndelay,nofatal,nowait,perror,pid as described in the Perl Sys::Syslog module. Defaults to pid. Contributed by Bjoern A. Zeeb with some changes.
  • Added reload option to goodies/linux-radiator.init. Contributed by David Worth.
  • Added new parameter CheckoutGraceTime to AuthBy FIDELIO. Permits users to log in for this period of time after they have checked out. Contributed by Manuel Kasper, with some minor changes.
  • Improvements to AuthBy LSA to permit machine authentication in groups.
  • Added new parameter NAPTR-Pattern to Resolver. NAPTR-Pattern is an optional parameter that specifies a regexp that will be used to match the contents of NAPTR records during Resolver service discovery. If NAPTR-Pattern is defined and matches a NAPTR DNS record, it will be used to determine the protocol and transport to be used. The regex is expected to match 2 substrings. The first is the protocol and can be 'radsec' or 'radius'. The second is the transport to use, and can be 'tls', 'tcp' or 'udp'. This has been added to support proposed new NAPTR standards for Eduroam. Requested by Stefan Winter.
  • Win32-Lsa for Windows 64 bit ActivePerl 5.10 is now available with
        ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
  • Improvements to the "No reply after ...." message in AuthBy RADIUS to include the Identifier and the delay time. Requested by Myles Fenton.
  • Minor improvements to AuthBy NTLM for testing.
  • StreamTLS classes, such as ServerRADSEC, ServerDIAMETER, AuthByRADSEC etc. now support EAPTLS_CRLFile with operating system wildcards. Similarly, TLS based classes such as TLS, TTLS, PEAP etc now support TLS_CRLFile with operating system wildcards.
  • Added new parameter TLS_SRVName to StreamTLS classes. This is intended for use by AuthBy RADSEC and AuthBy DNSROAM to specify a DNS SRV Name that will be matched against possible SubjectAltName:SRV extensions in the server certificate. If TLS_SRVName is specified and the server certificate contains SubjectAltName:SRV extensions, none of which match TLS_SRVName, the certificate will not be accepted. Format is _service._transport.name (this is the same format SRV names appear in DNS records). For example "_radsec._tcp.example.com". Only service and name are matched. Requested by Stefan Winter for Eduroam support.
  • Resolver now saves the SRV Name of any SRV record that was followed in order to get an address in the result set. AuthBy DNSROAM now uses this to set the TLS_SRVName in a target AuthBy RADSEC, which enables checking against any SubjectAltName:SRV extensions in the server certificate. Requested by Stefan Winter for Eduroam support.
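The TLS_SRVName acceptance rule from the two items above, as an added Python example (not Radiator's or Net::SSLeay's code): a certificate with no SubjectAltName:SRV entries passes this check, otherwise at least one entry must match the configured _service._transport.name on service and name, with transport ignored. The certificate SRV names in the test are constructed; a real implementation would read them from the parsed certificate.

```python
def parse_srvname(srvname: str) -> tuple[str, str, str]:
    """Split "_service._transport.name" into (service, transport, name), lower-cased.

    Raises ValueError if the string is not in the SRV name form (both labels must
    start with an underscore and a non-empty name must follow).
    """
    service, sep1, rest = srvname.partition(".")
    transport, sep2, name = rest.partition(".")
    if not (sep1 and sep2 and name and service.startswith("_") and transport.startswith("_")):
        raise ValueError(f"not an SRV name: {srvname!r}")
    # DNS names are case-insensitive; a trailing dot is an absolute-name marker only.
    return service[1:].lower(), transport[1:].lower(), name.lower().rstrip(".")


def srvname_matches(configured: str, cert_srvnames: list[str]) -> bool:
    """Decide whether a server certificate passes the TLS_SRVName check.

    cert_srvnames are the SubjectAltName:SRV (otherName SRVName) values found in the
    certificate. An empty list means the check does not apply. Malformed entries in the
    certificate never count as a match; only service and name are compared.
    """
    if not cert_srvnames:
        return True
    want_service, _, want_name = parse_srvname(configured)
    for entry in cert_srvnames:
        try:
            service, _, name = parse_srvname(entry)
        except ValueError:
            continue
        if service == want_service and name == want_name:
            return True
    return False
```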
  • Improvements to AuthBy FIDELIO so that during an accounting posting, the DD field (Dialed Digits), which is based on the Called-Station-Id, contains only digits. Micros-Fidelio report that contents other than digits can cause problems in Opera.
  • Added surfnet VSAs to dictionary.
  • Improvements to AuthBy RSAAM for interoperation with AM 7.1 SP3. At AM7.1 SP3, the authentication realm requested by the AM server SOAP interface was changed by RSA, causing earlier versions of AuthBy RSAAM to fail to connect with a 401: Unauthorized error. This change permits AuthBy RSAAM to work with pre and post SP3 as well as improving performance. SessionRealm parameter is now unused and obsolete. Reported by Rene Fleissner.
  • Improvements to the Linux Radiator startup script. Added traceup and tracedown commands which signal Radiator to increase or decrease its trace level. Handy for changing trace levels without having to find the process ID first. Contributed by David Worth.
  • Added version of Authen-Digipass module for Active State perl 5.12.
  • Fixed a problem in AuthBy OTP where a PasswordPattern of aaaaaaaa generated OTPs with twice as many characters as specified, with every odd character an 'a'. Reported by Alexander Hartmaier.
  • Fixed default AuthGroupCheck AuthGroupReply GroupMembershipQuery queries which incorrectly referred to the usergroup table instead of the radusergroup table. Reported by Mike Wilson.
  • Changed the type of Framed-IPv6-Prefix in the dictionary from string to ipv6prefix, allowing entry of IPV6 prefixes in a sensible format.
  • Changed the type of NAS-IPv6-Address in the dictionary to ipaddrv6 for correct encoding and decoding of IPV6 addresses.
  • When AuthBy HANDLER is used and RejectHasReason is specified, now sets the actual rejection reason in the reply instead of "redirected by AuthHANDLER".
  • AuthBy LSA now honours UsernameMatchesWithoutRealm.
  • Fixed a problem with quoting of parameters passed to the external command by AuthBy EXTERNAL. Reported by KUCZYNSKI, CHRISTOPHE.
  • Updated Coova ChilliSpot VSAs in dictionary.
  • Fixed a problem where EAP type negotiation could remove the EAP-TLS VERIFY_PEER requirement, causing EAP-TLS to sometimes fail when other clients were trying to negotiate TTLS or PEAP. Reported by Keith Ma.
  • Added option to get any configuration parameter from an SQL database with a new form of parameter ParameterName sql:identifier:query which will look for a previously defined AuthBy SQL clause with an Identifier of 'identifier' and run the SQL query given by 'query'. The first row in the result will be used to set the parameter ParameterName. This lookup is only ever done once at startup time.
  • Added new type of special character which will be replaced with a value fetched from an SQL database. Special characters of the form %{SQL:identifier:query} will look for a previously defined AuthBy SQL clause with an Identifier of 'identifier' and run the SQL query given by 'query'. The first row in the result will be used as the value of the special character. This type of lookup is done whenever the special character is evaluated.
  • Fixed a problem with AuthBy FREERADIUS. The test for limit values for Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session was reversed, causing them to fail when they should succeed and vice-versa. Reported by Stanley Thomas.
  • When radpwtst was used to send arbitrary packet types such as CoA-Request, the reply was not decoded and therefore never packet dumped. Reported by Vangelis Kyriakakis.
  • Improvements to the sample gigawords-hook.pl to use 64 bit integers in order to be more proof against overflows with large traffic.
Revision 4.6 (2010-02-05) New features and some bug fixes.
  • Improved AuthLog SYSLOG to support multiple SYSLOG clauses with different LogHost and LogSock options. Now compatible with multiple Log SYSLOG clauses. Reported by "Martin van der Walle".
  • Improvements to example init script for Linux in linux-radiator.init, to be compliant with LSB requirements in http://wiki.debian.org/LSBInitScripts
  • AuthBy LDAP2 now detects LDAP_INVALID_DN_SYNTAX errors and interprets them as a per-request error and not a connection failure. When an LDAP_INVALID_DN_SYNTAX error occurs, the LDAP connection will not be shut down. Requested by Dawn Lovell.
  • Fixed a problem in Server TACACSPLUS where an AuthorizeGroup of the form AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"} (ie with double quotes surrounding the predicate) would result in the autocmd being sent incorrectly with 2 equals signs.
  • AuthBy SQLYUBIKEY now supports static passwords in any format supported by Radiator, including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also supported. Suggested by Jerome Fleury.
  • Minor updates to Yubikey documentation to reflect the fact that AES keys must be programmed into each Yubikey before being imported into the SQLYUBIKEY database. Changes to AuthBy SQLYUBIKEY default SQL queries to work better with databases where the tokenID and AES key are in Hex. Yubikey keys may now be present in the database in either hex (no spaces) or base64 format. But the default queries assume the Token ID and AES secret are in Hex, and that there is a one-to-one mapping between users and Yubikeys. Other options are available with custom SQL queries.
  • Fixed a problem in AuthBy SQLYUBIKEY where it would sometimes incorrectly detect a replay attack during multiple authentications of the same Yubikey session. General improvements to the AuthBy SQLYUBIKEY replay detection. Replay detection now uses the session counter and the session_use counter. The timestamp is not used. The database column that previously held the timestamp_low is used for the session_use counter. The database column that previously held the timestamp_high is not used.
  • Updated install.html installation instructions for Windows.
  • Improvements to AuthBy EAPBALANCE and AuthBy HASHBALANCE to work better in multi-AP roaming TTLS/PEAP session resumption environments. The default behaviour of AuthBy HASHBALANCE is to compute the HASH based on the same attributes as the EAP context. This prevents false detection of loss of continuity in EAP streams. AuthBy EAPBALANCE now sets the State in all replies in an EAP stream, not just the first, in order to work correctly with some non-compliant APs. AuthBy HASHBALANCE is deprecated in favour of AuthBy EAPBALANCE in any EAP-capable environment.
  • In Server DIAMETER, fixed a problem that prevented some RADIUS reply attributes being correctly translated into Diameter reply attributes.
  • Added new module AuthBy SQLMOTP for MOTP authentication, a new strong, two-factor authentication with mobile phones. See http://motp.sourceforge.net for details. Sample configuration and SQL schema supplied. Modifications to radpwtst to support the new -motp_secret flag, allowing it to be used to test AuthBy SQLMOTP, for example: radpwtst -noacct -motp_secret 7ac61d4736f51a2b -password 1234 (the password argument is used as the MOTP PIN, and motp_secret is used as the MOTP secret key). AuthBy SQLMOTP originally submitted by Jerome Fleury.
  • In diapwtst, fixed a problem that would result in an incorrect status report: "Unexpected result code: DIAMETER_SUCCESS".
  • Improvements to the internal structure of ServerDIAMETER.pm, making it easier to override handling of specific Diameter request types.
  • Fixed a problem with AuthBy VOLUMEBALANCE, where if multiple failed hosts are configured with FailureBackoffTime of 0, it was possible for a request to be handed to each host in turn forever.
  • Added new sample configuration file goodies/crypto-mas.cfg, showing how to proxy requests to the Cryptocard MAS (Managed Authentication Service) CRYPTO-MAS. See http://www.cryptocard.com/
  • Added new parameter MaxTargetHosts to AuthBy VOLUMEBALANCE. Limits the number of different hosts a request will be proxied to in the case of no reply. Defaults to 0, which means no limit: if the load balancer does not receive a reply from a host, it will keep trying until all hosts are exhausted.
  • Improvements to RPM spec file to permit installation with Perls that do not include /usr/lib/perl5/site_perl/, such as SLES. Reported by Frank Messie.
  • Improvements to the rpm: make target so the RPM build correctly uses the local perl version number for links in the Perl lib. Contributed by Bjoern.
  • Updated expired test certificates.
  • Fixed a problem with incorrect type in replies to proxied Change-Filter-Request. Reported by Belmont Cheung.
  • Added support for UpdateQuery in SessionDatabase SQL. Patch supplied by Jose Borges Ferreira.
  • Added support for RFC 4818 compliant packing and unpacking of Delegated-IPv6-Prefix. Added new dictionary type ipv6prefix.
  • The TacacsPlus group cache GroupCacheFile now uses the IP address of the client as part of the key, so that in situations where the group name depends on the client the correct group name will be retrieved.
  • Some Expiration check items in the sample users file had actually expired, causing the test suite to incorrectly fail on tests 2l, 2m, 3g and 3h.
  • Fixed a problem that could cause incorrect authentication of HOTP passwords with leading zeroes.
  • Added support for TOTP (Time-based one-time-passwords) as specified in draft-mraihi-totp-timebased-04.txt. Sample configuration and database schema included.
Revision 4.5.1 (2009-11-17) Minor bug fixes
  • Fixed a problem introduced in version 4.5 where AddressAllocatorSQL could cause errors like: "called with 4 bind variables when 3 are needed" with ReclaimQueryBindVar on certain SQL servers. Reported by Stefan Feurle.
  • AuthSQLYUBIKEY.pm was omitted from the 4.5 distribution.
  • Further changes to obscure plaintext passwords in DEBUG messages. Patched by Markus Moeller.
  • Improvements to support multiple Log SYSLOG clauses with different LogHost and LogSock options. Reported by Arjan Broos.
  • Fixed an error in the example AuthSelect in yubikey.cfg. Changed the default for AuthSelect in AuthBy SQLYUBIKEY to always check the userId too. Suggested by Jerome Fleury.
  • Fixed a problem where calling SNMPAgent->activate multiple times on the agent could cause errors with resolving Manager addresses.
  • Added Brocade VSAs to dictionary. Contributed by Alexander Hartmaier.
  • Added support for -raw and -rawfile options to tacacsplustest.
  • Fixed a problem in the unsupported AuthBy PLSQL in goodies that prevented it working correctly with the Server HTTP browser. Reported by Mike Redan.
  • Fixed a problem with the display of splitstringhash parameters in the Server HTTP browser.
  • Fixed a problem with saving of configurations that include a splitstringhash. Reported and patched by Mike Redan.
Revision 4.5 (2009-10-27) New features and bug fixes
  • Fixed a bug that could cause a crash at startup if the listening RADIUS port could not be opened due for example to an unresolvable bind address. The error message was "Not a CODE reference at Radius/ServerRADIUS.pm". Reported by Thomas Schlottke.
  • Significant performance improvements in Select::add_timeout. Now uses a binary search for the insertion point, rather than re-sorting the whole list every time.
  • Added support for authenticating Yubikey tokens from Yubico (http://www.yubico.com). Yubikeys are small, inexpensive USB tokens for one-time-password authentication. Added sample configuration file and descriptive test file. Supports one- and two-factor authentication, replay detection etc.
  • Fixed a problem with AuthBy LDAPRADIUS which would cause a crash during initialization.
  • Improvements to ServerTACACSPLUS so it can find an appropriate Client clause even if the reverse DNS is screwy. Suggested by Ranko Zivojnovic.
  • Fixed a problem with resolution of IPv6 addresses on some platforms such as Solaris. Some debug messages were inadvertently left in Util::gethostbyname for ipv6. Reported by Sami Keski-Kasari.
  • Fixed a problem with heavily loaded server farms where a SIGHUP of the process leader could cause inability to bind to the listening ports after restart. Radiusd now waits for all farm children to die before restarting. Reported by Dan Cachola.
  • Added support for HOTP (RFC 4226) one-time-passwords with AuthBy SQLHOTP. HOTP one-time-passwords are authenticated based on a secret key stored in an SQL database. Detects replay attacks and brute-force attacks, and supports counter resynchronisation. Can also support static passwords for 2 factor authentication when the user prefixes their static password before the HOTP one-time-password. Supports authentication by RADIUS PAP, EAP-OTP and EAP-GTC. Includes sample configuration file and sample database schema with test users.
  • Added support for IdleTimeout to Server TACACSPLUS. If a client stays connected for more than this number of seconds without sending any requests it will be disconnected. Defaults to 180 seconds. Requested by Yevgeniy Averin.
  • Added new parameter UseContentsForDuplicateDetection to Client. This must be used in a server farm environment. The back end servers in a server farm will receive requests from a range of source ports. Duplicates received by the front ends and proxied to the back ends may appear to come from a range of source ports and with a range of RADIUS identifiers. This flag causes duplicate detection to be based on the contents of the packet, and not on the 'envelope'. This permits duplicates to be detected regardless of the path they take to get from the NAS to the server. It must be set in the Client clauses of the back end servers of a server farm architecture.
  • Fixed a problem with the MIB name in CiscoSessionMIB. Reported by Tim Wolgemuth.
  • Added support for UseContentsForDuplicateDetection to ClientList SQL. If the SQL query returns a 26th field, it will be used as the UseContentsForDuplicateDetection flag.
  • Fixed a problem where some types of authentication would incorrectly succeed when NoEAP was in use. Reported by Heinrich Mislik.
  • Added a new ReplyHook flag to AuthBy RADIUS so that hooks can signal the fact that a request has been redirected, and not to generate a reply from the AuthBy RADIUS. Sample configuration file in goodies/rejectproxy.cfg
  • Fixed a problem with duplicate replies in test suite.
  • When Trace -1 is enabled, prints the PID in the "currently handling" message. Suggested by Robert Patrick.
  • Added various Trapeze VSAs to dictionary, contributed by Andrew Clark.
  • Type of WiMAX-IP-Redirection-Rule in dictionary changed to string. Suggested by Garima Mahadik.
  • Fixed a problem reported with TLS where, under unusual circumstances during a proxied TLS authentication, Net::SSLeay::SESSION_get_master_key could crash due to the TLS session being invalidated. Reported by Matti Saarinen.
  • Added a number of Infoblox VSAs to dictionary. Provided by Andrew D. Clark.
  • Fixed a problem with AuthBy PAM on Solaris: if a request without a username is received, it can cause PAM to go into an infinite loop with messages like: "DEBUG: PAM is asking for 2: 'Please enter user name'". Reported by Markus Moeller.
  • Added a number of Huawei VSAs to dictionary.
  • Reinstated changes to password decoding introduced in version 4 that meant that certain non-compliant password encryptions were not decrypted properly. Reported by Roland Rosenfeld.
  • Fixed a problem in ClientList SQL and ClientListLDAP where if the client creation phase fails, it could cause a subsequent crash when findDuplicate() is called within Client.pm. Reported by Shirley Wou.
  • Added placeholders for Symbol (388) VSAs to dictionary.
  • Packets created by EAP-TTLS for proxying now add Message-Authenticator if there is an EAP-Message. This ensures that if the packet is proxied to another RADIUS server, the lack of Message-Authenticator won't prevent processing of the request.
  • Fixed a problem in the StreamTLS certificate verification where it did the subjectAltName checks incorrectly if both URI and (IP or DNS) were checked. It never checked the IP or DNS. Reported by Heikki Vatiainen.
  • Fixed a problem where AuthBy DNSROAM would activate AuthBy RADSEC and AuthBy RADIUS too often. Reported by Heikki Vatiainen.
  • Fixed a problem where AuthBy DNSROAM did not correctly set ReplyHook or NoReplyHook in Routes or AuthBy RADSEC or AuthBy RADIUS. Reported by Heikki Vatiainen.
  • Added new attributes from RFC5607 to dictionary.
  • Added new attributes from RFC5580 to dictionary.
  • Fixed a problem that prevented replies to Disconnect-Request and Change-Filter-Request from getting their Authenticator correctly computed. Reported by Jack Ho.
  • For classes that use Stream connections (such as AuthBy RADIUS and ApplePasswordServer), if ConnectOnDemand is set, then Stream always blocks until the connect either succeeds or fails. Requested by Sam Lin.
  • Stream classes now support special characters in Host, HostAddress, ReconnectTimeout. Requested by Sam Lin.
  • Added example Radiator configuration file and hook, showing how to support both RSA OnDemand and SecurID authentication for the same users.
  • Added new parameter DisableMTUDiscovery to ServerRADIUS and AuthBy RADIUS. Disables MTU discovery on platforms that support that behaviour (currently Linux only). This can be used to prevent discarding of certain large RADIUS packet fragments on supporting operating systems.
  • Added support for FramedGroup, StripFromReply, AllowInReply, AddToReply and AddToReplyIfNotExist to Server RADSEC. Requested by Paul Dekkers.
  • Monitor and SNMPAgent clauses now support the Identifier parameter.
  • Fixed a problem that prevented Origin-Host being set correctly in proxied requests. Reported and patched by Arthur Konovalov.
  • Added sample hook to hooks.txt which runs in each child and closes the Monitor and SNMPAgent ports and reopens them on a different port number.
  • Added OSC-Session-Identifier to dictionary.
  • Added support for new special character Z which is replaced by the RADIUS Identifier in the current packet (if any).
  • Improvements to AuthBy SQLYUBIKEY: Default UpdateQuery now uses current_timestamp() instead of now() for better compatibility with more SQL servers. Static password can now be separated from the token string with a ':' to ensure they can be identified, even with non-standard Yubikey token lengths. Suggestions by Jerome Fleury.
  • Minor change to log message when a requested EAP type is rejected, so the name of the desired type is printed. Patch supplied by Alexander Hartmaier.
  • AuthBy LDAP2 now supports multiple space separated Host names, and Net::LDAP will choose the first available one. Patch supplied by Raphael Luta.
  • Fixed a problem which could result in a blank user name in PEAP or TTLS or other inner requests under some very unusual circumstances. Improved EAP context finding algorithm so inner and outer requests with the same User-Name would not collide.
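The HOTP and TOTP items above (AuthBy SQLHOTP in 4.5, TOTP and the leading-zero fix in 4.6) describe the server-side checks without showing them. The following is an added, self-contained example and is not Radiator's code; it implements RFC 4226 HOTP and RFC 6238 TOTP (the RFC that succeeded draft-mraihi-totp-timebased) and a small account class with the three protections the changelog names: replay rejection (the counter only ever moves forward), counter resynchronisation (a look-ahead window), a consecutive-failure lockout against brute force, and the static-password prefix for two-factor use. The secret is the published RFC test vector, and the class, window and lockout values are constructed for this example.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test secret (20 ASCII bytes); not a real credential.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits. Returned as a zero-padded string: comparing
    OTPs as integers silently drops leading zeroes (the kind of bug fixed in 4.6)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpAccount:
    """Server-side state for one user (constructed for this example): secret, next
    expected counter, a look-ahead window for resynchronisation, a consecutive-failure
    lockout, and an optional static password the user prefixes to the OTP."""

    def __init__(self, secret, counter=0, static_password=None, window=10, max_failures=5):
        self.secret = secret
        self.counter = counter            # lowest counter value still acceptable
        self.static_password = static_password
        self.window = window              # how far ahead of the server the token may drift
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def authenticate(self, password: str) -> str:
        if self.locked:
            return "REJECT: account locked after repeated failures"
        otp = password
        if self.static_password is not None:
            # Two-factor: <static password><OTP>; the OTP is whatever follows the prefix
            prefix = password[:len(self.static_password)]
            if not hmac.compare_digest(prefix.encode(), self.static_password.encode()):
                return self._fail("static password mismatch")
            otp = password[len(self.static_password):]
        # Resynchronisation: search forward from the expected counter only. Counters at
        # or below the last accepted one are never searched, so a reused OTP is a replay.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), otp.encode()):
                self.counter = c + 1
                self.failures = 0
                return "ACCEPT"
        return self._fail("OTP not found within look-ahead window (replay or drift)")

    def _fail(self, reason: str) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True            # brute-force guard
        return "REJECT: " + reason
```

With the RFC test secret, counter 0 yields 755224 and counter 1 yields 287082; because 59 // 30 == 1, totp(TEST_SECRET, 59) is also 287082, which is the simplest way to check that a TOTP implementation is really HOTP underneath. The 8-digit value at time 1111111109 is 07081804, a handy regression check for the leading-zero problem.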
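The UseContentsForDuplicateDetection item above explains why envelope-based duplicate detection breaks behind a proxy farm but does not show the two keying strategies side by side. This is an added example, not Radiator's implementation: a toy cache that keys either on the RFC 2865 envelope (source address, source port, Identifier) or on a hash of the packet contents, and a constructed scenario in which one NAS retransmission reaches the back end through two front-end sockets. The assumption, marked in the code, is that the front ends forward the Request Authenticator and attributes unchanged; which fields a real server folds into its content key is implementation-specific.

```python
import hashlib
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusRequest:
    """A received RADIUS request: the UDP envelope plus the packet body (toy model)."""
    src_addr: str
    src_port: int
    identifier: int        # RADIUS Identifier octet
    authenticator: bytes   # 16-byte Request Authenticator
    attributes: bytes      # attribute bytes as received


class DuplicateCache:
    """Remembers recently seen requests so a retransmission is not processed twice."""

    def __init__(self, use_contents_for_duplicate_detection: bool, ttl: float = 10.0):
        self.use_contents = use_contents_for_duplicate_detection
        self.ttl = ttl
        self._seen = {}  # key -> time first seen

    def _key(self, req: RadiusRequest):
        if self.use_contents:
            # Envelope-independent key. Assumption for this example: the front end
            # forwards the NAS's Request Authenticator and attributes unchanged, so
            # both proxied copies of one NAS retransmission hash identically.
            return hashlib.sha256(req.authenticator + req.attributes).hexdigest()
        # Classic RFC 2865 check: same client address, source port and Identifier.
        return (req.src_addr, req.src_port, req.identifier)

    def is_duplicate(self, req: RadiusRequest, now=None) -> bool:
        now = time.time() if now is None else now
        # Drop entries older than the TTL so the cache cannot grow without bound
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.ttl}
        key = self._key(req)
        if key in self._seen:
            return True
        self._seen[key] = now
        return False


# Constructed scenario: one NAS request, retransmitted once, proxied to the back end by
# two front-end sockets that use different source ports and freshly assigned Identifiers.
AUTH = bytes(range(16))            # constructed Request Authenticator
ATTRS = b"\x01\x05bob"             # User-Name = "bob" (type 1, length 5)
FROM_FRONTEND_A = RadiusRequest("10.0.0.1", 40001, 17, AUTH, ATTRS)
FROM_FRONTEND_B = RadiusRequest("10.0.0.1", 40002, 58, AUTH, ATTRS)


def demo(use_contents: bool) -> list:
    """Returns the duplicate verdict for each of the two proxied copies."""
    cache = DuplicateCache(use_contents)
    return [cache.is_duplicate(FROM_FRONTEND_A, now=100.0),
            cache.is_duplicate(FROM_FRONTEND_B, now=100.5)]
```

demo(False) reports neither copy as a duplicate, so the back end would process the request twice; demo(True) flags the second copy. The TTL matters as well: a cache without expiry is a memory-exhaustion risk on a busy server, and one with too short a TTL lets slow retransmissions through.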
Revision 4.4 (2009-03-11) Bug fixes and new features.
  • Fixed a problem with AuthBy WIMAX which would fail when TTLS-MSCHAPV2 was used. Improved goodies/wimaxtest to support -mschapv2 flag to cause TTLS-MSCHAPV2 authentication. Reported by "Valentin Tumarkin".
  • Fixed a memory leak in ClientListSQL and ClientListLDAP where Client clauses may not get reclaimed when the client list is refreshed. Reported by Aaron Mar.
  • Fixed a problem with ServerHTTP where manual editing of a file larger than 16k would cause error '413 Request Entity Too Large'. Limit increased to 1MB. Reported by Tito Macapinlac.
  • Fixed a problem with AuthBy NTLM. UsernameMatchesWithoutRealm worked correctly with MSCHAPV2, but not with PAP or MSCHAPV1. Reported by Sami Keski-Kasari.
  • Altered the behaviour of TLS_SubjectAltNameURI in all StreamTLS based protocols (such as RadSec, DIAMETER etc.) at the suggestion of Stefan Winter. Now TLS_SubjectAltNameURI imposes an additional mandatory constraint on the peer certificate. If TLS_SubjectAltNameURI is defined it MUST match at least one subjectAltName:URI in the peer certificate, in addition to any other certificate verification requirements (such as DNS name, host name etc). Requires Net::SSLeay 1.30 or later.
  • Improvements to behaviour of passwords in the form {clear}password, so they will work with CHAP, MSCHAP and MSCHAPV2. Reported by Liam Widdowson.
  • Fixed collisions between some VSAs in dictionary: renamed Cisco attributes Account-Info, Service-Info, Command-Code, Control-Info to have 'Cisco-' prefix. Renamed Command-Code to Enterasys-Command-Code.
  • AuthBy RSAAM now honours UsernameMatchesWithoutRealm and other username transformation parameters. Reported by Sami Keski-Kasari.
  • Fixed a problem where EAP-MSCHAPV2 would incorrectly authenticate users when misconfigured with AuthBy RSAAM. Reported by Sami Keski-Kasari.
  • EAP Generic Token Card now honours UsernameMatchesWithoutRealm. Reported by Sami Keski-Kasari.
  • Tested TTLS-MSCHAPV2 with iPhone 2.0. OK.
  • Added instructions and Portfile for installing Radiator on MacOSX. Contributed by Mark Duling. Deprecated INSTALL.MacOSX RadiatorMacOSX.tar.gz.
  • Added goodies/lancom-radsec.txt, instructions and hints for configuring a Lancom L-54g wireless Access Point to authenticate using an external RadSec server.
  • Tested against Lancom L-54g wireless Access Point configured for external RadSec authentication for 802.1X. OK.
  • Improvements to AuthBy WIMAX, in order to support Alvarion WiMAX equipment and various other operator requirements, requested by Manuel Kasper. Can now use AuthSelect and AuthColumnDef to alter the SQL authentication query and add reply attributes. You can customise other SQL queries used during WiMAX processing with GetCachedKeyQuery, GetHotlineProfileQuery, GetQosProfileQuery. Can now handle accounting using AcctSQLStatement the same as AuthBy SQL.
  • Fixed a problem where use of Client CIDR addresses would not always result in the correct Client being found. Reported by Fabio Prina.
  • In AuthBy LDAP_APS, PasswordServerAddress was working for PAP, but did not work as expected for MSCHAP and Digest-MD5 authentication. Reported by Mark Duling.
  • Added OSC-Version-Identifier to dictionary.
  • Fixed typos in dictionary. Cisco-Maximum-Time was Cisco-Maximun-Time and Cisco-Maximum-Channels was Cisco-Maximun-Channels. Reported by Fabio Prina.
  • Server TACACSPLUS now sets OSC-Version-Identifier in the RADIUS requests from the version number in the incoming Tacacs+ request. The Major and Minor numbers are combined in a single integer as per the Tacacs+ specification (i.e. version 0 is represented as 192 and version 1 is represented as 193).
  • Incoming requests processed by Server RADSEC were logged twice. Reported by Paul Dekkers.
  • Can now properly send Starent VSAs. Receiving was already supported.
  • Fixed a problem that prevented reply attributes from a TTLS inner reply being sent in the reply to a session resumption. Reported by David Spindler.
  • Fixed a problem where certain malformed RADIUS requests could cause a hard loop.
  • Accounting requests that are REJECTED (due, say, to UsernameCharset) are now logged at DEBUG level.
  • Added Trapeze Networks attributes to dictionary. Contributed by P Havekes.
  • AuthBy RADIUS would previously die if it was unable to bind to a socket (for example if a non-existent BindAddress was used). Reported by Andrew D. Clark.
  • AuthBy WIMAX now supports ASCII encoding of WiMAX-Packet-Flow-Descriptor and WiMAX-QoS-Descriptor. They are parsed and converted to the WiMAX required binary format automatically.
  • Improvements to Solaris scripts and config file for use by the Solaris package
  • When LogMicroseconds is used, the microseconds are now left padded with zeroes for easier reading.
  • Can now handle Change-Filter-Request requests in AuthINTERNAL and others. Accept will result in a Change-Filter-Request-ACKed reply and a reject will cause a Change-Filter-Request-NAKed.
  • Fixed a problem with AuthBy RADSEC caused by the recently added LocalAddress support: If the Host address is an IPV6 address, an error with binding to 0.0.0.0:0 was reported. The default bind address is now determined by the operating system, except when LocalAddress is specified. Can now specify LocalAddress as an IPV6 address.
  • Error messages from Server TACACSPLUS now include the originating address and port number. Requested by Andrew D. Clark.
  • Added various Nortel OME6500/OM5000 VSAs to dictionary.
  • Added new option -leap to radpwtst for testing EAP-LEAP.
  • Fixed a number of misspellings from 'redespatched' to 'redispatched'.
  • Fixed some incorrect behaviour of Resolver under perl5.8.8 on some platforms.
  • Improvements to AuthBy RSAAM so that chains of RSAAM authenticators with different Policy settings will work correctly.
  • Added support for Alcatel/Lucent ESAM VSAs (vendor ID 637) which have non-standard VSA format. Also added A-ESAM-* entries to dictionary. Contributed by John Pendleton.
  • AuthBy LDAPDIGIPASS didn't close its connection if HoldServerConnection wasn't set. Reported and patched by Kees Guequierre.
  • Added precompiled RPM for Authen-Digipass for perl 5.10 (Authen-Digipass-1.9-1.i686.rpm is for perl 5.8 only).
  • In AuthBy RSAAM, added translations for some further prompts, POLICY_VIOLATION_* etc. Improved prompts during system-generated-PIN mode. Improved support for AM server failover. AM Server failure now causes an IGNORE, and AuthByPolicy ContinueWhileIgnore can be used to try multiple AM servers in sequence until a successful connection is made. Changes to chaining of RSAAM clauses mean that in order to try one RSAAM Policy, followed by another you must use the AuthByPolicy ContinueUntilAcceptOrChallenge.
  • Added support for new AuthByPolicy settings of ContinueWhileChallenge and ContinueUntilChallenge.
  • Added support for EAPTLS_RequireClientCert to TTLS and PEAP. Setting this optional parameter now requires the client to present a valid client certificate during the TLS handshake.
  • Improved documentation in AuthBy ACE examples. Improved misleading user messages when AuthBy ACE is used with AM 7.1. Fixed problems with Authen-ACE4 when used with AM 7.1 and system-generated PINs, requires Authen-ACE4 1.3. New Authen-ACE4 1.3 ppm packages for Windows, including support for Perl 5.10 on Windows.
  • Added precompiled Authen-Digipass ppm package for perl 5.10 on Windows.
  • Improved session resumption in PEAP. Previously, resumed sessions triggered an inner authentication. Now the inner authentication is reused too. Reported by Tom Rixom.
  • Added new hook EAPTLS_CommonNameHook for EAP TLS support. Normally EAP-TLS attempts to match a CN in the client certificate against either the User-Name or EAP identity (either with or without domain names). This hook allows you to extend this matching and match a certificate CN against some other user attribute, such as the Calling-Station-Id as required by some WiMAX devices.
  • Added EAP TLS initialization to add the SHA256 digest, required for some WiMAX devices and certificates. Requested by Jinsong Zhu. Requires Net-SSLeay 1.35 plus latest SVN patches or later and OpenSSL 0.9.8i or later.
  • Fixed a problem with special character %J, which incorrectly had leading spaces before the day number. Reported by Jose Borges Ferreira.
  • Added Citrix-CAG-Groups to dictionary.
  • Added beta version of a new AuthBy EAPBALANCE module. EAPBALANCE distributes EAP conversations among multiple back ends and ensures that a given conversation always goes to the same backend, even in the face of backend failures. Suitable for use with FarmSize for high performance EAP-capable systems on multi-core hosts.
  • Fixed some errors in the types of WiMAX attributes in dictionary. WiMAX-HTTP-Redirection-Rule changed from binary to string. Added WiMAX-Time-Of-Day-Time. Added NAS-Filter-Rule. Requested by Garima Mahadik.
  • Timestamp was incorrectly added twice if a request was redirected through Handler, say by AuthHANDLER or similar.
  • Changes so that the plaintext password is not logged at debug level during Tacacs authentication. Requested by Markus Moeller.
  • Fixed some problems with mixed placeholders causing crashes on Windows when ODBC is in use and when Quote: fails to match properly. Improved error reporting in SqlDb when a prepare croaks. Improvements to nested special character matching to exclude trivial matches caused by embedded curlies. Reported by Edgard B. Haddad.
  • In AuthBy POP3, parameters Host, Port and LocalAddr did not have packet-specific data available for special characters. Reported by Aaron Holtz.
  • Fixed a problem with incorrect statistics for dropped requests when inner TTLS and PEAP requests are proxied. Reported by Dan Cachola.
  • Improved handling of Security Questions prompts in AuthBy RSAAM.
  • Fixed AuthBy IMAP so it will work with Mail-IMAP versions later than 2.99, using the new Mail::IMAP RawSocket call. Reported and patched by Wolfram Grienert.
  • Fixed a problem with Server HTTP where a configuration that contained an AuthLog clause would incorrectly be saved as an AuthBy clause. Reported by Steven R Sterner.
  • AuthBy WIMAX incorrectly set Session-Timeout to the absolute epoch time, rather than the relative KeyLifetime. Reported by Valentin Tumarkin.
  • Fixed a problem in AuthBy WIMAX with DHCP keys that could cause a crash. Also fixed a problem with session resumption when Pseudo Ids are in use. goodies/wimaxtest now supports session resumption with a [-reauth count] command line argument.
  • Fixed a problem with reused session authentication in EAP-TTLS.
  • Added sample configuration files for Radiator, Cisco Nexus 7000 and sample debug file, showing how to set up RBAC - Role-Based Access Control on the Cisco Nexus 7000. Contributed by Matthew Nichols.
  • Fixed a problem when AuthBy RADIUS tries to forward to a non-existent DNS name, a crash could occur. Reported by Patrick Renkens.
  • Ensure TLS does not resume sessions unless EAPTLS_SessionResumption is set.
  • Added support for new parameter in AuthBy WIMAX. MSKInMPPEKeys forces the MSK to be encoded in MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as the usual WiMAX-MSK reply attributes. This is required by some non-compliant clients, such as some Alcatel-Lucent devices.
  • Improved behaviour of AuthBy WIMAX when creating and setting WiMAX-AAA-Session-ID to be compatible with more WiMAX clients. WiMAX-AAA-Session-ID is now only allocated and returned in the Access-Accept. Also made more SQL queries configurable. Reported by Kasra Kangavari.
  • Changed primary key in device_session in sample wimax.sql to match earlier changes to session saving based on session ID instead of NAI.
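The EAPBALANCE items (the beta module above and the 4.6 note that AuthBy HASHBALANCE hashes the same attributes as the EAP context) state a requirement: every packet of one EAP conversation must reach the same back end, and a back-end failure must not scatter the conversations that were on the surviving hosts. The following is an added example of one way to meet that requirement, not Radiator's code or its algorithm: the conversation key is built from attributes that stay constant across the round trips of one EAP exchange (an assumed set, constructed for this example), and the back end is chosen by rendezvous hashing, which is what gives the stability under host loss.

```python
import hashlib

# Attributes assumed (for this example) to be constant for every round trip of one EAP
# conversation. State and the RADIUS Identifier change per round trip and are excluded.
CONTEXT_ATTRIBUTES = ("NAS-IP-Address", "NAS-Port", "Calling-Station-Id", "User-Name")


def conversation_key(request: dict) -> str:
    """Key identifying one EAP conversation; request is a simple attribute->value dict."""
    return "\x00".join(str(request.get(a, "")) for a in CONTEXT_ATTRIBUTES)


def choose_backend(key: str, live_hosts: list) -> str:
    """Rendezvous (highest-random-weight) hashing: score every (key, host) pair and pick
    the live host with the highest score. Removing a dead host only moves the
    conversations that were on it; all other conversations keep their back end,
    which plain `hash(key) % len(hosts)` does not guarantee."""
    if not live_hosts:
        raise ValueError("no live back ends")

    def score(host: str) -> bytes:
        return hashlib.sha256(f"{key}\x00{host}".encode()).digest()

    return max(live_hosts, key=score)


def remap_fraction(keys, hosts_before, hosts_after) -> float:
    """Share of conversations whose back end changes between two host lists."""
    moved = sum(1 for k in keys if choose_backend(k, hosts_before) != choose_backend(k, hosts_after))
    return moved / len(keys)
```

With three back ends and one failing, remap_fraction is about one third: exactly the conversations that were on the failed host move, and a conversation mid-handshake on a healthy host is never broken by someone else's outage. The same key function is what makes HASHBALANCE-style balancing and EAP context lookup agree, which is the point of the 4.6 change.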
Revision 4.3.1 (2008-07-29) Bug fixes
  • Added new parameter PasswordServerAddress to AuthBy LDAP_APS, which forces Radiator to use the specified address as the address of the Apple Password server, instead of deducing it from the user's password details. Addresses may be one of the forms: 203.63.154.59, dns/yoke.open.com.au, ipv4/203.63.154.59 or ipv6/2001:720:1500:1::a100. This can be useful with replicated password servers. Suggested by Matt Richard.
  • Reverted changes to PreClientHook introduced in 4.3. PreClientHook is now called before despatch to any Client clause. It will always be called even if there is no matching Client, but the attributes will not have been decrypted (as decrypting is done in the context of a particular Client). The new parameter ClientHook has been added to the Client clause, and is called immediately after the attributes have been decrypted by the Client. Requested by Heikki Vatiainen.
  • Fixed problems with trailing NULs not being stripped from User-Name. Reported by Dawn Lovell.
  • Fixed a problem with double logging of reply packets from AuthBy RADSEC. Reported by Paul Dekkers.
Revision 4.3 (2008-07-17) New modules and bug fixes
  • Added new AuthBy RSAAM module that supports RSA Authentication Manager 7.1 and later. Supports PAP, GTC, OTP, PEAP-GTC, TTLS-PAP etc. Supports all AM authentication methods, including traditional SecurID tokens, static passwords, OnDemand passwords delivered by SMS or email, security questions etc. Runs on all platforms supported by Radiator. Requires SOAP::Lite and prerequisites for SSL, including Crypt::SSLeay or IO::Socket::SSL+Net::SSLeay. Sample configuration files included.
  • Added support for LocalAddress and LocalPort to AuthBy RADSEC. Suggested by Jan Tomasek.
  • AuthBy RADSEC now does case-insensitive matches between the RadSec server certificate DNS name and the target server Host name. Previously, matches were case-sensitive. Suggested by Jan Tomasek.
  • Fixed a number of problems with handling integer64 type, especially when salt encoded
  • Added support for Quote format to format_special, allowing SQL database specific quoting to be used in any configurable parameter in any SQL based module. The new format %{Quote:somestring} will be replaced by the string quoted in the correct format for the SQL database in use. For example when used with a mysql database, %{Quote:somestring} would be replaced by 'somestring'.
  • Added new AuthBy HANDLER module. This clause allows requests to be redirected to a Handler based on the Handler's Identifier. Sample configuration file authhandler.cfg included.
  • Fixed a problem where Radiator would crash if PidFile specified a non-existent directory.
  • Added a number of HP VSAs to the dictionary. Also BATM-privilege-group Guests was incorrectly given as 5 instead of 15. Adjusted types of WiMAX-Hotline-Indicator and WiMAX-Hotline-Profile-ID to string as per NWG docs.
  • Fixed a problem with Monitor and ServerDIAMETER clauses which could cause a crash if the Clients parameter is specified and a request is received from an address not named in that Clients parameter.
  • Added new Configurable function format_ctime that returns the local time formatted to include microseconds if the object or ServerConfig has LogMicroseconds set. Used by Log FILE, Monitor, ServerConfig, ServerHTTP.
  • Added and corrected a number of Redback VSAs from data provided by Redback.
  • Fixed problems with dictionary tag-based encrypting of named integer attributes such as RB-LI-Action and others. Required some restructuring of unpackRadiusAttrs/decode_attrs and removal of encode_attrs. Reported by Ian Forster.
  • Fixed a problem with encrypting long strings: the resulting encryption was wrapped with added newlines. Reported by Dan Cachola.
  • Fixed a problem where DefineGlobalVar and DefineFormattedGlobalVar configuration parameters were not saved correctly by the Server HTTP web console.
  • Improvements to ability of Ldap connections with HoldServerConnection to detect disconnection by the server or a firewall. Patch contributed by Bjoern A. Zeeb.
  • Added new parameter PageNotFoundHook to Server HTTP. If a page is requested but not found in the set of built-in pages PageNotFoundHook is called to try to handle the request. PageNotFoundHook is passed the requested URI and a reference to the ServerHTTP connection. If it can handle the request, it returns an array of ($httpcode, $content, @headers). Requested by Marijke Vandecappelle.
  • Moved the location of PreClientHook call to the very beginning of the Client handle_request, so that decoded and decrypted attributes are available to PreClientHooks. Now, PreClientHook will _not_ be called if there is no matching Client clause. Also, within PreClientHook, the $->{Client} member will now be set to the Client clause handling the request, which may be helpful in some PreClientHooks.
  • Improved compatibility with some EAP-TTLS clients that previously would have required EAPTTLS_NoAckRequired. Reported by Ian Forster.
  • TLS/TTLS/PEAP/RadSec and other SSL users will now use any built-in OpenSSL crypto engines provided the installed Net::SSLeay supports ENGINE_load_builtin_engines and Net::SSLeay::ENGINE_register_all_complete (i.e. 1.33_01 and later). 'pkcs11' will be set as the default engine provided it exists.
  • Compatibility with new OSC-IMC TNC collector in latest version of libtnc. The format of the OS_DETAIL message and others changed.
  • Improved behaviour of TTLS in the unlikely case that openssl resumes the wrong session. Suggested by Belmont Cheung.
  • Improvements to AuthBy SAFEWORD. The new parameter GroupReply maps SafeWord ActionData group names into sets of reply items. Added examples to sample config file. Suggested by Johan Frid.
  • Fixed a problem where a Monitor port that was not correctly closed would not destroy the Monitor, permitting messages to continue to be buffered and causing memory exhaustion. Reported by Thomas Schlottke.
  • Backed out changes to RADIUS socket opening introduced in 4.2: RADIUS socket was opened with SO_REUSEADDR, to prevent socket reopening issues on FreeBSD, but this results in always being able to bind to an existing socket on some platforms. Reported by Steve Rogers.
  • Added support for Client CIDR address specifications. Can now have <Client 203.63.154.0/24>. Also permits CIDR specifications and MAC: addresses in the IdenticalClients parameter.
  • Added a number of Nortel and Juniper VSAs to dictionary. Contributed by Ronald van der Pol.
  • Fixed a problem where runt EAP-Messages could cause a confusing but useless Access-Accept. Reported by Tom Rixom.
  • Added OSC-Provider-Identifier and OSC-Environment-Identifier to dictionary.
  • AuthBy RADMIN now supports AuthSelectParam for improved performance and also supports bind variables for UserAttrQuery and ServiceAttrQuery. Altered sample config to show how to use it.
  • Changed the name of Expiration attribute (21) to Ascend-PW-Expiration to prevent collisions with the Expiration check item. Also changed the type to string to be compatible with other RADIUS servers.
  • Fixed a problem with incorrect results for %u and %w and %W if a global RewriteUsername was used.
Revision 4.2 (2008-03-10) Minor bug fixes
  • Added support to EAP-TLS for examining the SubjectAltNames in the client certificate and matching against Windows UPN, which is a GEN_OTHERNAME. Suggested by Markus Moeller.
  • Fixed a dictionary syntax error with a Huawei attribute and replaced it with the correct Huawei-Qos-Profile-Name. Reported by Andreas Schwarz.
  • Fixed a problem where HUP on FreeBSD would not result in the RADIUS ports being closed properly, resulting in 'Could not bind authentication socket: Address already in use'. Reported by Paul Dekkers.
  • Fixed a problem in Monitor, where a quit command would cause a crash. Also improved handling of too many bad authentications. Reported by Ernst Oudhof.
  • Fixed a problem where Server DIAMETER could refuse a reconnection from a previously connected peer. Reported and patched by Jose Borges Ferreira. Thanks Jose.
  • Fixed a problem where Server HTTP could crash during authentication with some configurations.
Revision 4.1 (2008-02-22) Bug fixes
  • Fixed a problem where anonymous logins to ServerHTTP would not get a Privilege Level. Reported by Dominic J. Eidson.
  • Fixed a significant memory leak that affected certain installations with multiple clients.
  • Fixed a problem where the Configuration Edit link was not displayed on the ServerHTTP GUI in the Locked version.
  • Improved configuration file saving for the case where AuthBy objects are referred to by Identifier. Reported by Dominic J. Eidson.
  • OSC now provides precompiled Net::SSLeay+OpenSSL+EAP-FAST-patches bundles for Linux and Windows. Updated documentation in goodies/eap_fast.txt describing how to install these precompiled bundles.
  • Added new function Radius::AuthWIMAX::get_cached_keys to fetch $sessionid, $mip_rk, $mip_spi, $fa_rk from the database given the outer nai. Requested by Ian Forster.
  • SimpleClient now correctly generates a random authenticator instead of a fixed one.
  • Reinstated support for EAPErrorReject which was accidentally lost from some modules.
  • Fixed a problem where EAPTLS_CAPath would not be set correctly if EAPTLS_CAFile was not defined. Reported by Jan Tomasek.
  • Fixed documentation of EAPTLS_CertificateVerifyHook. The list of arguments passed was incorrect, and out by an index of one. Reported by Jan Tomasek.
  • Added new special character %K, which is replaced with the realm name after the last @ in the user name. Requested by Michael Kwan.
  • Added to dictionary 2 new values for Error-Cause defined in RFC 5176.
  • Fixed a problem with fideliosim.pl not working correctly with serial ports.
  • AuthBy PAM now supports AuthenticateAttribute. Contributed by Markus Moeller.
  • A number of improvements to Diameter support, contributed by Jose Borges Ferreira: In Handler clauses you can catch Diameter attributes: <Handler DiaRequest:Auth-Application-Id=NASREQ> or <Handler DiaRequest:Disconnect-Cause=CREDIT_CONTROL>. Added extra methods: vendorByName (returns vendor data for a given vendor name) and grouped_attr (allows easy manipulation of grouped attributes). Added AVP type vendor, which is an Unsigned32 variant (like enumerated) that tries to translate vendor name to vendor number and vice versa. Grouped attributes within grouped attributes are logged with alignment. New attribute SupportedVendorIds for Server DIAMETER. This optional parameter allows you to define the Supported Vendor Ids announced in CER. Defaults to BASE(0). Thanks Jose Borges Ferreira.
  • EAP-FAST was not correctly REJECTING with an EAP failure after a RESULT FAILURE message was received from the client, causing retransmissions of the original RESULT FAILURE message. Reported by Jim Veneskey.
  • Added support for AuthLog in Server HTTP. Suggested by Markus Moeller.
  • AuthBy TEST did not correctly support the Identifier parameter. Reported by Ian Forster.
  • Changes to Server HTTP so that manually edited configuration files are saved with the correct line endings appropriate for the local machine. Reported by Jin Tao.
  • When running as a service under Windows, did not correctly restart when a 'restart server' command was given by either Monitor or ServerHTTP. Reported by Jin Tao.
  • Improvements to ServerHTTP, adding some attributes to the Radius packet used to authenticate Server HTTP access, including NAS-IP-Address and Calling-Station-Id. Contributed by Markus Moeller.
  • Added support for EAPTLS_CertificateChainFile wherever EAPTLS_CertificateFile is supported, and added support for TLS_CertificateChainFile wherever TLS_CertificateFile is supported. The ChainFile parameter specifies the name of a file containing a certificate chain for the Radius server certificate. Suggested by Jan Tomasek.
  • Added more detail to WARNING log when AuthBy HASHBALANCE declines to break up an EAP stream.
  • AuthBy RADSEC would not always reply with the correct type of packet. Reported by Paul Dekkers.
  • Fixed problems when Server RADSEC or Server DIAMETER were in use and a SIGHUP was received. Reported by Paul Dekkers.
Revision 4.0 (2008-01-14) Significant new features and some bug fixes
  • Added support for Radiator monitoring and configuration via a web browser, using the new ServerHTTP module. Sample configuration file in goodies/serverhttp.cfg shows how to enable support in any configuration file.
  • Added AuthBy WIMAX module to handle WiMAX authentication and key generation. Uses an SQL database to hold subscription/authentication information and to cache keys and save accounting. Supports: Authentication of users and devices from SQL database (most EAP types supported). Generation and caching (in SQL) of MIP-RK, MIP-SPI and FA-RK for each device session. Generation of mobility keys for both NAS and HA requests. Generation, caching (in memory) and refreshing of HA-RK, HA-SPI for each HA. Generation, caching (in memory) and supplying DHCP-RK and Key-Id for NAS and DHCP requests. Hotlining profiles. This is an early release Alpha version of WiMAX support which has not yet received extensive testing. Feedback and bug reports are welcomed.
  • Improved performance and behaviour of RADIUS duplicate and retransmission detection in line with RFC 5080. Duplicates and retransmissions within the DupInterval timeout are now detected using the sender's source port in line with RFC 2865. Detected retransmissions that have been replied to will have their earlier reply retransmitted, preventing problems with decoding of duplicate TLS/TTLS/PEAP fragments. A retransmission that has not (yet) been replied to will be dropped as before.
  • radpwtst now generates random Authenticators.
  • Minimum supported version of Perl is now 5.6.0
  • Sample certificates updated to expire Jan 13 03:42:47 2010 GMT
  • Added support for EAP-FAST. Requires patches for OpenSSL and Net-SSLeay, which are included. Includes detailed instructions for patching OpenSSL and Net-SSLeay and configuring for EAP-FAST.
  • Added support for standard WiMAX VSAs to dictionary, and support for WiMAX VSA continuation flags in packing and unpacking, plus automatic salted encryption and decryption of WiMAX attributes that require it (keys etc). As per WiMAX_End-to-End_Network_Systems_Architecture_Stage_2-3_Release_1.1.0, NWG_R1.1.0-Stage-3.pdf.
  • Added support for additional standard dictionary type integer64 required by draft-ietf-radext-design-02.txt. Previous integer8 attributes in dictionary changed to integer64. Integer8 now means one octet. Integer1 is still treated as integer8 for backwards compatibility.
  • Added WiMAXTLV module for packing and unpacking WiMAX TLV sub-attributes, including symbolic definitions of some WiMAX TLVs.
  • Added support for new dictionary attribute types integer8, integer16, signed-integer and ipaddrv4v6, required by WiMAX.
  • Added WiMAX module for computing various WiMAX keys and other WiMAX routines.
  • All EAP types now export the MSK by setting {msk} in the appropriate reply packet. They also optionally export the EMSK in {emsk} if ExportEMSK is set.
  • Added a number of 3GPP attributes to dictionary
  • When using LEAP with EAP_LEAP_MSCHAP_Convert, some clients would not complete the handshake due to an Access-Accept being sent instead of Access-Challenge.
  • Improvements to AuthBy HASHBALANCE so that EAP sequences from any given user will not be split between hosts during a failover.
  • Fixed a problem with undefined getEAPContext when used with some configurations of AuthBy HASHBALANCE. Reported by Alison Lee.
  • Added a number of Motorola-WiMAX attributes to dictionary. Contributed by Thomas Hartley.
  • Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure history, backoff time etc are cached within Radiator memory, so that SQLRADIUS can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
  • Improvements to AuthBy GROUP so that it better handles chains of authenticators with EAP type requests, such as LEAP, EAP-MSCHAPV2 etc. Reported by Jani Kariniemi.
  • Reinstated behaviour that was removed in Radiator version 3.15: empty attributes, including empty strings are now permitted to be packed into Radius packets.
  • Fixed problem with acknowledgements and Fidelio Opera interface when using TCP. Reported by Andrea Coppini.
  • Added new parameter AgentName to AuthBy SAFEWORD. This field is used when authorizing a request to SafeWord, and allows us to do things like enforce ACLs, Roles, which authenticator in the user record to use when they have multiple, whether to send a MobilePass password, etc. It is very useful! Contributed by David LePage.
  • Added 2 new attributes oscRadiusDefaultRealm and oscRadiusIdentifier to the sample LDAP schema in radiator-ldap.schema. Contributed by Jame Schell.
  • Added new special character %X, which is replaced by the EAP identity, with any trailing @realm stripped off. Patch provided by Heikki Vatiainen.
  • When radpwtst is used with -accton or -acctoff it now always includes an Accounting Session ID. Suggested by Dan Cachola.
  • All modules now generate 32 octet MPPE keys for WPA compatibility. Reported by Dominic J. Eidson.
  • RadSec and Diameter client and server modules now support TLS_SubjectAltNameURI parameter for certificate validation. TLS_SubjectAltNameURI is a regexp which can match against any Subject Alt Name of type URI. If a match is found the certificate will validate. Suggested by Stefan WINTER. Examples added to configs.
  • ServerRADSEC now honours Status-Server requests directly in the same way as Client. Requested by Stefan WINTER.
  • Fixed a problem with resolving ipv6: names with DNS on RadSec and Diameter connections. Reported by Patrick Renkens.
  • A debugging print statement was inadvertently left in AuthBy LDAPDIGIPASS.
  • Fixed a problem that prevented LocalAddress and OutPort being set for all hosts in AuthBy SQLRADIUS. Reported by Yves Martel.
  • Prevent crashes after signal -HUP with multiple AuthBy KRB5. Reported by Barry Ard.
  • Improvements to sample goodies/radiator.sh startup script, allowing /etc/rc.conf to control the radiator_config file. Provided by Erik Klavon.
  • Added sample hook eap_acct_username.pl, which copies the inner username to the Access-Accept User-Name field so a NAS (Access Point) can provide accounting information with correct (inner) User-Name. Contributed by Rok Papez.
  • Module and sample configuration file that allow RADIUS clients to get user presence information from an SQL accounting database. Special Access-Requests formatted with Service-Type=Call-Check-User are replied to with an Access-Accept containing OSC-User-Presence-Indicator, OSC-User-Presence-Location and OSC-User-Presence-Timestamp, indicating whether and where the user last logged in. Can be used by RADIUS enabled VOIP routing modules etc. Supports mapping of NAS IDs into readable location names etc.
  • Fixed possible socket exhaustion in Server TACACSPLUS under certain unusual circumstances.
  • New RPM packages of Authen-Digipass 1.9 module for both 32 and 64 bit Linux platforms. The 32 bit package contains Vacman Controller 3.5 and the 64 bit package contains Vacman Controller 3.7.
  • Updated Windows Authen-Digipass PPM packages to 1.9. Contains Vacman Controller 3.5 libraries.
  • AuthBy SQL and AuthBy SQLRADIUS now support the AuthSelectParam parameter, which allows SQL bind variables to be used. The first 32 SQL queries that use AuthSelectParam are subject to SQL query caching, which can significantly improve the performance of the SQL server. Patches by Dan Cachola.
  • Fixed a case where the server could crash after receiving malformed requests such as those sent by nmap. Reported by Sven Henderson.
  • Added support for Expiration dates in format 'mmm dd yy(yy)', such as '24 Jul 2007', for compatibility with some SQL database date formats.
  • Added support for new special character %J which produces the request timestamp in the format 'yyyy-mm-dd hh:mm:ss'
  • Added support for new check items Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session, along with new AuthBy SQL parameters AcctTotalQuery and AcctTotalSinceQuery. The combination provides a way to check that users have not exceeded hourly, daily, monthly or total usage limits. These check items are compatible with FreeRadius check items of the same name. They are also compatible with the Session-timeout=until ValidTo, which will compute a session timeout based on the most restrictive Max-*-Session time left.
  • New AuthBy FREERADIUSSQL is compatible with standard FreeRadius SQL databases, and can be used with the daloRADIUS user manager. Enables easy migration from FreeRadius to Radiator, or allows Radiator to be used with a range of FreeRadius user management packages. Includes sample configuration file.
  • Improved modularity of encryption functions. Fixed a problem with encryption of Ascend-Send-Secret and Ascend-Receive-Secret, in the case where the secret was more than 16 octets. Most encryption functions decomposed to decode_salted and encode_salted.
  • Added support for encryption of Motorola-WiMAX-MIP-KEY attribute.
  • Testing with Strawberry Perl 5.8.8 alpha 2 http://win32.perl.org/wiki/index.php?title=Strawberry_Perl on Windows XP. OK (Testing requires Win32::Process to be installed using cpan using 'force install Win32::Process').
  • Altered the algorithm Server TACACSPLUS uses to find the encryption key for a given Tacacsplus client. The order of preference is now: Per-Client TACACSPLUSKey, ServerTACACSPLUS Key, Per-Client Secret. This means that you can use ClientListSQL to provide per-client Tacacs+ keys. Updated documentation to describe the Key search algorithm.
  • Added support for the FreeRadius style dictionary flags has_tag, encrypt=1, encrypt=2 and encrypt=3. Requested by Dan Cachola.
  • Added support for a number of FreeRadius style dictionary keywords: BEGIN-VENDOR, END-VENDOR, $INCLUDE, as well as Radiator style include commands. Some improvements to dictionary parsing and error reporting.
  • Added new parameter SessionDatabaseUseRewrittenName to Handler and Realm. Causes the rewritten username (instead of the original user name) to be used for session database purposes.
  • Performance improvements and rationalisation in RADIUS packet assembly and disassembly.
  • Testing with Perl CamelPack on Windows XP. OK.
  • Added Motorola Canopy attributes to dictionary.
  • Improved compatibility with some EAP-GTC clients that require CHALLENGE= prompts, and deliver RESPONSE=a\0b responses.
  • Special characters now permit nested constructions of the form %{x:%{y:z}}
  • Added -options flag to radpwtst, which makes it read additional command line flags and arguments from the named file.
  • In AuthBy RADIUS, the Host name can now contain nested special characters. Patch provided by "Valentin Tumarkin".
  • Disable OpenSSL 0.9.9 SessionTicket support when negotiating RadSec TLS connections, otherwise get TLS 'unexpected message' errors.
  • Added support for new dictionary type 'integer1' which translates integers encoded as a single octet.
  • Added support for new dictionary type 'integer2' which translates integers encoded as a 16 bit unsigned (2 octets).
  • Added a number of BATM, NS and Alcatel attributes to dictionary. Contributed by Ernst Oudhof.
  • ServerTACACSPLUS now puts Acct-Session-Id in Radius packets derived from accounting requests.
  • New TacacsClient module provides basic Tacacs+ client services.
  • goodies/tacacsplustest was rewritten in terms of the new TacacsClient module.
  • 'make clean' now removes all files created by 'make test'.
  • EAP-TLS now honours machine certificates, ie where the User-Name and/or identity is in the form host/machinename, but the CN in the certificate has just CN=machinename.
  • Radius port listeners refactored into new ServerRADIUS module.
  • Removed SSLeayTrace from all sample configs. Does nothing now.
  • Significant refactoring of code from ServerHTTP, ServerRADSEC, ServerDIAMETER and Monitor to new module StreamServer.
  • ConfigKeywords can now include documentation for the benefit of ServerHTTP
  • Removed dead Synchronous code from AuthRADSEC. Suggested by Bjoern A. Zeeb.
  • AuthBy RADIUS and RADSEC now drop replies with bad signatures in line with documentation and RFCs. AuthBy RADIUS still allows this behaviour to be overridden with the IgnoreReplySignature flag.
  • Added new dictionary type signed-integer, a 32 bit signed integer
  • Added support for new Cisco optional attributes in ServerTACACSPLUS, contributed by Kristian Larsson, for example: AuthorizeGroup xr-friendly permit service=shell cmd\* {task*#root-system,#cisco-support priv-lvl=15}
  • AuthBy DIGIPASS, when validating Challenge-Response (CR) tokens, now caches the last challenge internally instead of relying on the RADIUS client and the State attribute. New configuration parameter ChallengeTimeout allows configuration of the maximum time period the challenge is valid for.
  • EAP-TTLS incorrectly copied attributes from the inner ACCEPT to the outer ACCEPT with change_attr, which prevented multiple instances of the same attribute being copied.
  • In ClientListSQL, the PREHANDLERHOOK value returned by GetClientQuery can now contain either the text of the hook, or a hook filename in the form `file:/path/to/hook'. Patch supplied by "Jose Borges Ferreira".
  • Minor changes to SIP authentication in line with forthcoming RFC 5090.
  • Reference manual is no longer shipped as HTML, only as PDF and PostScript.
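Three entries in the 4.0 list above hinge on the same MD5/shared-secret constructions: the WiMAX and Redback salted key attributes, the decode_salted/encode_salted refactoring and the FreeRadius encrypt=1/encrypt=2 flags, and the change to drop replies with bad signatures. The following is an added example, not Radiator code, that implements those constructions from the RFCs with the Python standard library: User-Password hiding (RFC 2865 section 5.2, encrypt=1), salted encryption (RFC 2868 section 3.5, encrypt=2) and Response Authenticator computation and verification (RFC 2865 section 3). The secret, Request Authenticator and passwords in the demo are constructed values.

```python
"""RADIUS shared-secret primitives behind the encrypt=1 / encrypt=2 dictionary
flags and the reply-signature check.

Added example, not Radiator code; standard library only. The secret,
authenticator and passwords used in the demo are constructed values.
"""
import hashlib
import hmac
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad16(data: bytes) -> bytes:
    """Null-pad to a multiple of 16 octets, at least one block (RFC 2865/2868)."""
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")


def _md5_chain(data: bytes, secret: bytes, seed: bytes, decrypt: bool) -> bytes:
    """Keystream shared by both schemes: b(1) = MD5(secret + seed), then
    b(i) = MD5(secret + c(i-1)). The chain runs on ciphertext blocks, which are
    the output when encrypting and the input when decrypting."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = _xor(block, hashlib.md5(secret + prev).digest())
        out += result
        prev = block if decrypt else result
    return out


def encrypt1_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding, RFC 2865 section 5.2 (FreeRadius flag encrypt=1)."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    return _md5_chain(_pad16(password), secret, request_auth, decrypt=False)


def encrypt1_unhide(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden User-Password must be 16..128 octets in 16-octet blocks")
    # Trailing NULs are padding, so a password ending in NUL is not representable.
    return _md5_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def salted_encode(plaintext: bytes, secret: bytes, request_auth: bytes, salt: bytes = b"") -> bytes:
    """Salted encryption, RFC 2868 section 3.5 (encrypt=2: Tunnel-Password and the
    WiMAX/Redback key attributes). Wire form: Salt(2) | c(1..n), where the clear
    block is Length(1) | data | padding and b(1) = MD5(secret + RA + salt)."""
    if not salt:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])  # high bit MUST be set
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    if len(plaintext) > 255:
        raise ValueError("plaintext must fit the one-octet Length field")
    body = _pad16(bytes([len(plaintext)]) + plaintext)
    return salt + _md5_chain(body, secret, request_auth + salt, decrypt=False)


def salted_decode(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    salt, body = encoded[:2], encoded[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not body or len(body) % 16:
        raise ValueError("malformed salted attribute")
    clear = _md5_chain(body, secret, request_auth + salt, decrypt=True)
    if clear[0] > len(clear) - 1:
        # A wrong secret or a tampered packet usually shows up as an impossible
        # Length octet; never slice the buffer on it without this check.
        raise ValueError("decoded length exceeds payload")
    return clear[1:1 + clear[0]]


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) | Length(1) | Value (max 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret),
    RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client/proxy side: recompute the Response Authenticator over the reply using
    the Request Authenticator we sent and compare in constant time. A reply that
    fails this check was not produced by a holder of the shared secret and must be
    dropped, whatever its Code says."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return False
    reply = reply[:length]  # octets beyond Length are padding and are ignored (RFC 2865)
    expected = build_reply(code, ident, reply[20:], request_auth, secret)[4:20]
    return hmac.compare_digest(expected, reply[4:20])
```

The design point worth noticing is that all three constructions key off the Request Authenticator, which is why the same release makes radpwtst and SimpleClient generate random Authenticators: a fixed one turns the MD5 keystream into a constant and makes every hidden password trivially recoverable from a capture.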
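The RFC 5080 duplicate-detection entry in the 4.0 list above describes three outcomes for an incoming request: new, retransmission of a request still in progress (drop), and retransmission of an answered request (resend the earlier reply). The following is an added example, not Radiator code, showing that logic keyed on source IP, source UDP port, Identifier and Request Authenticator; the cache API, state names and sample packets are constructed for the demo.

```python
"""Duplicate and retransmission detection for a RADIUS server, RFC 5080 style:
the same request is one that arrives from the same source IP and source UDP
port with the same Identifier and Request Authenticator.

Added example, not Radiator code. The cache API, the state names and the
sample packets are constructed for the demo.
"""
import time
from collections import OrderedDict


class DupCache:
    """Remembers recent requests for dup_interval seconds, plus the reply sent."""

    def __init__(self, dup_interval: float = 2.0, max_entries: int = 10000):
        self.dup_interval = dup_interval
        self.max_entries = max_entries
        self._entries = OrderedDict()  # key -> [first_seen, reply or None]

    @staticmethod
    def _key(src_ip, src_port, ident, authenticator):
        return (src_ip, src_port, ident, bytes(authenticator))

    def _expire(self, now: float) -> None:
        # Entries are inserted in time order, so expired ones sit at the front;
        # the size cap bounds memory if a client floods us with fresh requests.
        while self._entries:
            first_seen = next(iter(self._entries.values()))[0]
            if now - first_seen <= self.dup_interval and len(self._entries) <= self.max_entries:
                break
            self._entries.popitem(last=False)

    def check(self, src_ip, src_port, ident, authenticator, now=None):
        """Classify an incoming request:
        ('new', None)      never seen: process it, then record_reply()
        ('pending', None)  retransmission of a request still being processed: drop
        ('replay', reply)  retransmission of an answered request: resend reply as-is
        """
        now = time.time() if now is None else now
        self._expire(now)
        key = self._key(src_ip, src_port, ident, authenticator)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = [now, None]
            return "new", None
        if entry[1] is None:
            return "pending", None
        return "replay", entry[1]

    def record_reply(self, src_ip, src_port, ident, authenticator, reply: bytes, now=None):
        key = self._key(src_ip, src_port, ident, authenticator)
        if key in self._entries:
            self._entries[key][1] = reply


def dispatch(cache: DupCache, src_ip, src_port, packet: bytes, handler, now=None):
    """Server receive path: returns the bytes to send back, or None to stay silent.
    handler(packet) builds the reply and is called at most once per request, so a
    retransmitted EAP fragment is never fed into the TLS state machine twice."""
    if len(packet) < 20:
        return None  # runt packet: RFC 2865 says silently discard
    ident, authenticator = packet[1], packet[4:20]
    state, cached = cache.check(src_ip, src_port, ident, authenticator, now)
    if state == "pending":
        return None
    if state == "replay":
        return cached
    reply = handler(packet)
    if reply is not None:
        cache.record_reply(src_ip, src_port, ident, authenticator, reply, now)
    return reply
```

Keying on the source port as well as the address matters for proxies and load balancers that multiplex many NAS conversations through one address: two clients behind the same NAT can legitimately reuse an Identifier, and only the (port, Identifier, Authenticator) triple tells their requests apart.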
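The Max-*-Session entry in the 4.0 list above pairs check items with two SQL queries, one for all-time usage and one for usage since a point in time, and turns the most restrictive allowance left into a Session-Timeout. The following is an added example, not Radiator code, that runs that computation against an in-memory sqlite accounting table. The table layout, column names and the two query shapes standing in for AcctTotalQuery and AcctTotalSinceQuery are assumptions for the demo, and the accounting rows are constructed.

```python
"""Usage quotas (Max-Hourly/Daily/Monthly/All-Session) from an SQL accounting
table, with Session-Timeout set to the most restrictive time left.

Added example, not Radiator code. Table layout, column names and the query
shapes standing in for AcctTotalQuery / AcctTotalSinceQuery are assumptions;
the rows and SAMPLE_NOW are constructed. Timestamps use the 'yyyy-mm-dd
hh:mm:ss' form, so lexical comparison is chronological.
"""
import sqlite3
from datetime import datetime

# Constructed accounting rows: (USERNAME, AcctStartTime, AcctSessionTime seconds)
SAMPLE_ROWS = [
    ("bob", "2008-01-14 10:05:00", 600),
    ("bob", "2008-01-14 08:00:00", 1800),
    ("bob", "2008-01-10 12:00:00", 7200),
    ("bob", "2007-12-20 12:00:00", 36000),
    ("alice", "2008-01-14 10:10:00", 3000),  # another user, must not count for bob
]
SAMPLE_NOW = datetime(2008, 1, 14, 10, 30, 0)  # constructed "current time" for the demo


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNTING (USERNAME TEXT, AcctStartTime TEXT, AcctSessionTime INTEGER)")
    conn.executemany("INSERT INTO ACCOUNTING VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def window_start(now: datetime, period: str) -> datetime:
    """Start of the current hour, day or calendar month."""
    if period == "hourly":
        return now.replace(minute=0, second=0, microsecond=0)
    if period == "daily":
        return now.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "monthly":
        return now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(period)


def usage_total(conn, username: str) -> int:
    """Stand-in for AcctTotalQuery: all time ever used by the user. Bind variables,
    never string interpolation, so a crafted User-Name cannot inject SQL."""
    row = conn.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM ACCOUNTING WHERE USERNAME = ?",
        (username,)).fetchone()
    return int(row[0])


def usage_since(conn, username: str, since: datetime) -> int:
    """Stand-in for AcctTotalSinceQuery: time used by sessions started at or after
    'since'. A session that started before the window and ran into it is charged
    to the earlier window; splitting it properly needs stop times as well."""
    row = conn.execute(
        "SELECT COALESCE(SUM(AcctSessionTime), 0) FROM ACCOUNTING "
        "WHERE USERNAME = ? AND AcctStartTime >= ?",
        (username, since.strftime("%Y-%m-%d %H:%M:%S"))).fetchone()
    return int(row[0])


def quota_check(conn, username: str, limits: dict, now: datetime):
    """limits maps check items such as 'Max-Daily-Session' to seconds.
    Returns (accepted, session_timeout, exhausted_item). The timeout is the
    smallest remaining allowance across all items, so the NAS ends the session
    before any single quota is exceeded."""
    remaining = []
    for item, limit in limits.items():
        period = item.split("-")[1].lower()  # 'Max-Daily-Session' -> 'daily'
        if period == "all":
            used = usage_total(conn, username)
        else:
            used = usage_since(conn, username, window_start(now, period))
        left = limit - used
        if left <= 0:
            return False, None, item
        remaining.append(left)
    return True, (min(remaining) if remaining else None), None
```

Because the queries run once per Access-Request, the AcctStartTime and USERNAME columns need an index in a production table; without one, a user with a long accounting history turns every authentication into a table scan.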
Revision 3.17.1 (2007-04-12) Some new features and bug fixes
  • Added new load balancing module AuthBy HASHBALANCE, which will use information in the incoming request to choose the preferred host, with the intention that all requests in a single EAP conversation will all go to the same target server, enabling EAP and other stateful RADIUS transactions to be loadbalanced without interfering with streams of related requests. If the preferred host is not available try the following ones until all are exhausted. Sample configuration file in goodies/hashbalance.cfg.
  • ldap-aps.cfg was left out of the 3.17 distribution. Reported by Ken Kawakubo. Other Apple Password Server modules were also omitted.
  • Added EAP_38.pm for TNC support to the distribution.
  • Added RB-DHCP-Vendor-Class-Id to dictionary.
  • Fixed a bug in TLS support when used with TTLS-PAP-EAP-TNC. Reported by Chris Hessing.
  • TranslatePasswordHook now works for EAP-MSCHAPV2, EAP-PAX, EAP-PSK, LEAP and MD5-Challenge. Reported by Rogier Krieger.
  • Added a number of new Redback and DSLForum VSAs to dictionary.
  • Improvements to AuthBy KRB5 to allow it to acquire credentials for a service principal. Includes 3 new configuration parameters: KrbKeyTab, KrbService, KrbServer. Patch contributed by Erik Klavon.
  • Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure history, backoff time etc are cached within Radiator memory, so that SQLRADIUS can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
Revision 3.17 (2007-03-26) Some major new features and bug fixes
  • Added new module AuthBy LDAP_APS which finds user details in a Mac OS-X Directory Server LDAP database, and then authenticates the user password against a Mac OS-X Apple Password Server. Works on Mac OS-X 10.4 or later. Sample configuration file in goodies/ldap-aps.cfg. Supports PAP, MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.
  • Added support for EAP-PSK as per RFC 4764, an EAP method based on a per-user Pre Shared Key, and which supports strong cryptography and dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file included.
  • Added support for EAP-PAX as per draft-clancy-eap-pax-11, an EAP method based on a per-user Authentication Key, and which supports strong cryptography and dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file included.
  • Added a new flag EnableFastPINChange to AuthBy ACE, allowing compatibility with some NASs (notably Juniper) that have non-standard behaviour in New Pin Mode: when the user is asked whether they want to set their PIN, the NAS automatically gets the new PIN and returns it to the RADIUS server, which is expected to use it to set the PIN immediately. This flag enables compatibility with this behaviour if the user/device enters a PIN instead of 'y' or 'n'.
  • Fixed potential memory leak in PEAP and TTLS after handshake failure.
  • Improvements to parseDate so that invalid date formats would not cause a crash.
  • Added support for new special character in the format %{OuterRequest:attrname} which is replaced with the named attribute from the outer request of a tunnelled request. Useful with PEAP and TTLS tunnelled requests.
  • Fixed a memory leak that mostly affected failed authentications in TTLS and PEAP. Reported by David Spindler.
  • Added a number of new Mikrotik VSAs to dictionary.
  • Testing with Cisco Secure Services Client 4.0.5.4889 on XP. OK for TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5, PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, GTC, TLS, EAP-MSCHAPV2, MD5
  • Added support for special characters in EAPTLS_PrivateKeyPassword and TLS_PrivateKeyPassword. Requested by Redback.
  • Fixed a problem with interoperation between ServerDIAMETER and some Diameter clients. Reported by Arthur Konovalov. Also fixed a typo in doc about how to test ServerDIAMETER.
  • Fixed some minor interoperation issues to do with SIP authentication and RFC 4590.
  • Altered dictionary.sip to make it compliant with RFC 4590.
  • Fixed a problem with the Host-IP-Address in the the CEA by Server DIAMETER. Reported by Arthur Konovalov.
  • ServerDIAMETER now converts the contents of Grouped attributes from the incoming Diameter request into the new Radius request.
  • Fixed a problem with the Mandatory flag in the Diameter Firmware-Revision attribute. Removed restriction of only being able to handle NASREQ application requests. Reported by Arthur Konovalov.
  • Fixed a problem with conversion of SessionId when using NasType of CiscoSessionMIB. Reported by Joe (Mobile).
  • Fixed a problem with incorrect responses to Tacacs accounting requests. Reported by Mohamed.Raddahi.
  • Fixed a problem where a check-item Auth-Type which points to a AuthBy RADIUS inside a GROUP did not work as expected. Reported by Toomas Karner.
  • Added support for Starent VSA's, which have a non-standard format. Patch supplied by Frank Danielson.
  • Fixed some problems with memory leakage especially in PEAP after a successful authentication. Reported by David Spindler.
  • In AuthBy RADIUS, the Host clause now supports per-host LocalAddress and OutPort parameters. Patched by Bjoern A. Zeeb.
  • Added documentation and sample configuration file for ServerDIAMETER.
  • Removed references to obsolete handle_sigchld, which is not necessary any more. Reported by Dan Cachola.
  • Added support for ConnectionAttemptFailedHook and NoConnectionsHook for custom code to handle various types of SQL connection failure. Patched by Dan Cachola.
  • Fixed a problem with conversion of negative integers by valNameToNum in Radius dictionaries. Reported and patched by Arthur Konovalov.
  • Minor improvement to performance of Radius::Util::random_string.
  • Added more Huawei VSAs to dictionary. Contributed by Jose Borges Ferreira.
  • Improved handling of multiple reply items, possibly containing spaces, in AuthorizeGroup. PasswordPrompt is now used everywhere to control password prompts in ServerTACACSPLUS.
  • Added more WCG VSAs to dictionary.
  • Fixed a problem where proxied TTLS inner EAP-MSCHAPV2 replies were not properly processed, resulting in no reply to the originator. Reported by Ian Forster.
  • Fixed a problem where Util::inet_ntop could crash when used with RodopiAAA and TTLS or PEAP.
  • Cleaned up some attributes in dictionary including Tunnel-Type etc.
  • Added support for Cisco cisco-li-configuration attribute, which can be used to enable Lawful Intercepts for selected sessions. Added goodies/cisco_li.txt explaining how to use it.
  • Added various Redback VSAs to dictionary to support Redback Lawful Intercept. Also arranged to support the automatic salt encryption of attributes that require it. Contributed by Jan De Backer.
  • Added some Telkom SA VSAs to dictionary.
  • AuthBy DIGIPASS now honours UsernameMatchesWithoutRealm. Requested by SCHELL.
  • Structural changes in AuthGeneric.pm and changes to the args passed to AuthGeneric::check_mschapv2() in order to support Apple Password Server.
  • Added MS-RAS-Client-Name and MS-RAS-Client-Version to dictionary.
  • Fixed a problem with proxying of Radius requests received by Server DIAMETER, where the authenticator was not correctly set. Reported by Blake Ulmer.
  • Fixed a problem where diapwtst did not correctly handle extra attributes like 'radpwtst Accounting-Session-Id=12345'. Reported by Blake Ulmer.
  • Testing on Ubuntu 6.10. OK.
  • Fixed a typo in ClientListLDAP that prevented StripFromRequest working properly. Reported and patched by Luta.
Revision 3.16 (2006-11-09) Some major new features and a few bug fixes.
  • Added early release of Diameter support. ServerDIAMETER implements a stateless Diameter to Radius translation agent. Incoming Diameter requests are converted to Radius requests which can be served internally by Radiator or proxied to another Radius server. Includes simple Diameter client for testing (diapwtst) and sample configuration file. Supports RFCs 3588, 4005, 4072. Supports TLS encryption, TCP or SCTP transport. Interoperates with OpenDiameter.
  • AuthBy DIGIPASS now supports Vasco Virtual Digipass. This allows Vasco token support even if the user does not have a physical token (or has lost it). AuthBy DIGIPASS generates the correct tokencode and passes it to a hook, where it can be delivered to the user by SMS etc. Example config file digipass.cfg shows how to enable it. New versions of Authen-Digipass support AAL2GenPassword for Virtual Digipass support.
  • Added new module for sending SMS messages using the Internode NodeText Gateway, a commercial SMS gateway available from Internode in Australia. Also added fully working example configuration file showing how to do One-Time-Passwords delivered by SMS. The NodeText Gateway is a high reliability, high performance SMS Gateway for Australian SMS numbers. Works with GSM, CDMA. Works with Telstra, Optus and Vodafone networks. Billing of SMS delivery charges can be to the sender, or the receiver. The Internode NodeText Gateway can also apply a range of special features, such as name to SMS number translation etc. Multiple recipients, message splitting etc are supported. They also offer an email-to-SMS gateway. This fully working example allows your users to be administered with Radmin, using One-Time-Passwords delivered to the user by SMS. Internode SMS gateway access for Australian SMS numbers is available from http://www.internode.on.net and http://www.internode.on.net/products/sms.htm
  • Added tutorial and config files for installing ChilliSpot, Radiator and RAdmin to provide a complete, locally administered captive portal wireless hotspot solution, including prepaid time for users, user statistics, monitoring etc. See http://www.chillispot.org
  • Ensured SNMP and Status-Server statistics are correctly updated by requests received via RADSEC and TACACSPLUS.
  • Testing on Syllable 0.6. OK, except Any_DBM tie is not implemented on Syllable so that AuthBy DBFILE does not work, resulting in failed tests 1a, 3a, 3d, 3g, 3h.
  • Minor cleanups to remove various warnings when -w is used
  • Special character %z was using a deprecated MD5 hashing routine. Now uses Digest::MD5::md5_hex.
  • Fixed a problem that prevented reply attributes from EAP_PEAP_MSCHAP_Convert converted requests being replied to the client. Reported by Alex Sharaz.
  • Fixed a problem in ClientListLDAP where attributes that expect a stringarray (such as IdenticalClients, FramedGroupBaseAddress, RewriteUsername, DynamicReply) could cause a crash if there were multiple values for that attribute in the LDAP database. Reported by Lohier, Matthew.
  • Fixed a problem with AcctLogFileName where a file name with a leading '|' for a pipe would incorrectly cause bogus directories to be created. Reported by Anne Bennett.
  • Fixed a problem with AuthBy DIGIPASS clauses that are not contained within a Realm or Handler causing a crash. Reported by Paul Dekkers.
  • Added a number of Unisphere VSAs to dictionary. Contributed by Gareth Coco.
  • Testing on Windows Vista Beta build 5384. OK, using ActiveState ActivePerl 5.8.8.
  • Fixed an error in the definitions of 3GPP2-IP-Technology in dictionary. Reported by Frank Danielson.
  • AuthBy LSA and AuthBy NT on Windows now support Local as well as Global groups when using the Group parameter.
  • Fixed a problem with anonymous bind not working correctly, resulting in LDAP_INAPPROPRIATE_AUTH. Reported by R.H.Hoek.
  • Fixed a problem with TTLS and PEAP where a proxied reply to the inner request of a session that has been lost or closed would cause a crash. Reported by Shahid Khan.
  • Fixed a problem with goodies/CalledStationId.pm that would cause ERR: Bad attribute=value pair.
  • Improvements to goodies/CalledStationId.pm to support regexps in stations.
  • Added a number of Aruba VSAs to dictionary. Contributed by steven.quek.
  • In AuthBy RADMIN, changed the default MaxMessageLength to 200 to comply with the standard Radmin database size.
  • Fixed a problem with client certificate verification in EAP TLS that could cause an error 'EAP TLS No peer certificate'.
  • Fixed a problem with EAP-TLS authentication when EAPTLS_NoCheckId was set. Reported by Dawn Lovell.
  • Added various VSA to support ChilliSpot, an open source captive portal for wireless with Radius support. http://www.chillispot.org/
  • Testing with ChilliSpot http://www.chillispot.org/ OK. ChilliSpot is a wireless hotspot portal that authenticates users before letting them get access to the internet. ChilliSpot can work with both UAM (where the ChilliSpot hotspotlogin.cgi script solicits a passwords and ChilliSpot sends Radius/CHAP to Radiator), and with EAP (where ChilliSpot forwards Radius/EAP requests to Radiator). Tested with UAM, EAP, TTLS, PEAP. Caution: ChilliSpot 1.1.0 has a bug where Radius replies that contain a Service-Type reply attribute will cause the chilli process to crash. A patch has been submitted to chillispot.
  • Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work around a problem with Vista Beta 2 clients, where the extra empty fragment (sent as a security measure by OpenSSL) confuses the Vista PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for reasons behind the empty fragments. Reported by David Spindler.
  • Improvements to EAP LEAP handling to be compatible with some types of LEAP-ignorant APs. Reported by Russ Jones.
Revision 3.15 (2006-06-01)
  • AuthBy RADSEC now supports multiple Hosts, using the same Host clause syntax as AuthBy RADIUS. Hosts will be tried in the order given. FailureBackoffTime can be used to mark unresponsive hosts dead for a period of time and skip them. Example Host clause syntax is shown in goodies/radsec-client.cfg.
  • Example config file goodies/eap_leap_proxy.cfg was inadvertently left out of the distribution.
  • Fixed a problem where the parent process could crash if AuthBy KRB5 was used and the server run in the background. Reported by Carol Ward.
  • Added calling_station_hook_requests.pl, a sample PostAuthHook for PEAP requests that: 1) inserts the Calling-Station-ID into the inner request, 2) inserts the Called-Station-ID into the inner request, and 3) inserts the "outer" EAP identity into the inner request as "Outer-EAP-Id". Contributed by Terry Simons.
  • Testing on openSUSE 10. OK.
  • Fixed a bug in mergedetails that prevented it running under perl 5.005 and earlier. Reported by Greg Schiedler.
  • Alternative version of RequestHook added to goodies/hooks.txt. The hook saves the time of the last Access-Request for each user and conditionally returns an Access-Accept if the time is less than a preset limit.
  • A typo prevented EAPTLS_CertificateVerifyHook parameter being recognised. Reported by Rodrigo Seguel.
  • Improved logging of LDAP connected host details to include the actual hostname and port after special character translations. Also Port now supports special characters. Requested by Michael Hall.
  • Improved Authen-Digipass RPM to work with perl 5.8.7.
  • Refactored AuthDIGIPASS.pm to move common code to AuthDIGIPASSGeneric.pm. New module AuthSQLDIGIPASS.pm replaces AuthDIGIPASS.pm and AuthBy DIGIPASS is now deprecated in favour of AuthBy SQLDIGIPASS.
  • New version of Authen-Digipass module for Linux, Solaris and Windows where digipass.pl now works with LDAP databases, plus some minor bug fixes.
  • New module AuthBy LDAPDIGIPASS authenticates Vasco Digipass tokens from token data in an LDAP database. Example configuration file goodies/digipass_ldap.cfg, and sample LDAP database schema and sample data in goodies/radiator-ldap.*. Use the digipass.pl command line program (part of the Authen-Digipass supplied with Radiator) to import, assign, inspect and reset tokens in the LDAP database.
  • All calls to format_special in AuthBy IMAP now include the current packet so that %R can be used in Host parameter etc. Requested by Petr Zimak.
  • AuthBy SQL did not honour AuthenticateAccounting.
  • Minor fixes, PostSearchHook missing from AuthLDAP2 config options. Reported by Petr Zimak.
  • Added a number of Cisco VOIP VSAs to dictionary.
  • Added a number of VSAs and fixed some errors in dictionary.sip to be in line with draft-schulzrinne-sipping-radius-accounting-00.txt
  • Radpwtst now permits octal escapes in the value in attr=value arguments.
  • Testing with SIP Proxy Router (SER) from www.iptel.org. Added example configuration file to goodies/sip.cfg showing how to configure Radiator for SIP authentication with SER, and with some helpful information and corrections about configuring SER to work with RADIUS.
  • Zero-length string attributes are now never sent in Radius packets, but are ignored, as per RFC 2138. Zero-length Reply-Message strings have been seen in improperly written hooks. Suggested by Ulrich.
  • Sample startup scripts linux-radiator.init and solaris-radiator.init now force -daemon to prevent running in the foreground when started by init script.
  • Fixed a problem in ClientListSQL and ClientListLDAP that could cause a crash during an automatic update if there were no hardwired Client clauses. Reported by Alexander List.
  • Log SYSLOG and AuthLog SYSLOG now support special characters in LogIdent. Requested by Alexander List.
  • Fixed a case where Reply-Message could be incorrectly reset in CachedAttrs, which prevented ServerTACACSPLUS from returning the Reply-Message during a rejection.
  • Added new hooks AuthenticationStartHook and AuthenticationContinueHook to Server TACACSPLUS which can be used for special processing of TACACS+ authentication requests.
  • Minor improvements to test suite. Now reports total error count and exits with non-zero status if there are errors.
  • Renew test certificates. Previous certificates expired March 16 2006, which would prevent TLS, TTLS, PEAP and RadSec tests working. Minor improvements to mkcertificate to add /usr/share/ssl/misc to the path (for standard OpenSUSE).
  • Improvements to timeout handling for SQL and others for perl 5.8 and later, requested by Gustavo Moreira.
  • Improvements to the way nested calls to format_special were handled. Previously, the value for $cpacket could get clobbered by an error log message during formatting of a special character. Reported by Robert Fisher.
  • Added ChallengeMessage parameter to AuthBy DIGIPASS*, which allows the Digipass challenge message to be customised or internationalised.
  • Fixed a problem with SessionDatabase SQL where a countQuery that returned a username as the fifth field did not alter the user name as expected. Reported by Vangelis Kyriakakis.
  • In ServerTACACSPLUS, added a workaround for a bug in some old Cisco routers where a failed authentication would result in an unclosed TCP session. Requested by Patrick, Robert.
  • Added a workaround for a bug in some EAP TTLS supplicants (notably PBG4 on Mac OS X) that do not conform to the TTLS protocol specification and do not understand the ACK sent by the server at the end of TLS negotiation and session resumption, resulting in session resumption not completing. The new EAPTTLS_NoAckRequired flag enables a workaround for such supplicants. Many other supplicants are happy with this too.
  • Fixed a problem with session keys when LEAP was used with EAP_LEAP_MSCHAP_Convert. Reported by Michael Ting.
  • Added new AuthBy SAFEWORD, which authenticates directly to a SafeWord Premier Access server. Includes a sample configuration file. Supports PAP, CHAP, TTLS-PAP, EAP-OTP and EAP-GTC. Supports password changing. Supports fixed (static) passwords and SafeWord Silver and Gold tokens.
  • Fixed a problem that could cause a crash if getpeername fails during a Tacacs connection. Observed on some Solaris platforms. Reported by Ashton, James P.
  • Added new parameter UsernameMatchesWithoutRealm to AuthBy NTLM, contributed by Robin Breathe.
  • Added support for HandleAcctStatusTypes to AuthBy DNSROAM, GROUP, MULTICAST, RADIUS, RADSEC and SQL. Contributed by "Nicholas A Waples".
Revision 3.14 (2006-01-16) Significant new features, including DNSROAM and some fixes.
  • Added new module DNSROAM, that provides RadSec and RADIUS proxying to hosts discovered through DNS. Provides secure, reliable, scalable, low maintenance RADIUS meshes and federations. Uses similar technology to Diameter (RFC 3588) for host discovery, which allows target server details to be provided through DNS lookups. Supports RadSec and RADIUS proxying. Includes new Resolver module for asynchronous DNS lookups. Requires Net::DNS Perl module (and the IO::Socket::INET6 module if you wish to consult a DNS server via IPv6).
  • Added new module AuthBy NTLM that allows Radiator running on a Linux or Unix system to authenticate to a Windows domain controller, with the assistance of ntlm_auth and winbindd utilities from the Samba suite (www.samba.org). Sample Radiator and winbindd configurations are included. Supports PAP, MSCHAP, MSCHAPV2, EAP-MSCHAPV2, and works with PEAP, and TTLS.
  • EAP-TTLS-MSCHAPV2 did not correctly copy reply attributes from the inner accept to the outer accept.
  • New example hook in goodies/hooks.txt to parse multiple Digest-Attributes into individual attributes
  • Testing with Funk Odyssey 4.01 client, including EAP-SIM, EAP-GTC, EAP-LEAP and TTLS-EAP-MSCHAPV2. OK.
  • Added cacti_data_query_snmp_get_radius_information.xml radius_server.xml to goodies. These are configuration files to enable monitoring of Radiator by Cacti (http://www.cacti.net/), which is similar to MRTG, except it is web driven and based upon a templating system. Contributed by Chris Hills.
  • Fixed a problem with radpwtst -gui where entering a new port number in the gui had no effect. Reported by Chris Hills. Also fixed a problem where that could produce an error message: Can't locate object method "BINMODE" via package "Tk::Event::IO" on some platforms.
  • Fixed a problem in radpwtst -gui where a Class attribute received from one user authentication would be incorrectly reused for subsequent users.
  • Added new parameter for all AuthBys: EAP_LEAP_MSCHAP_Convert forces all EAP-LEAP requests to be converted to conventional Radius MSCHAP requests that are redespatched, perhaps to be proxied to another non-LEAP capable Radius server or for local authentication. Example config file goodies/eap_leap_proxy.cfg shows how to use it.
  • Fixed a problem that prevented CRL checking working with some versions of Net_SSLeay. Requires Net_SSLeay version 1.25 from CPAN and this patch. Reported by Ilana Kaplan.
  • Improved the error message printed when TLS certificate verification fails to include a text string that describes the problem.
  • Testing with Sybase ASE 12.5, improvements to goodies/sybaseCreate.sql to prevent warnings about NULL columns.
  • Added new parameter EAP_LEAP_MSCHAP_Convert that converts incoming LEAP requests to conventional Radius-MSCHAP requests that can then be handled locally or proxied to a remote Radius server that cannot handle LEAP, but which can handle Radius-MSCHAP. Also added example config file goodies/eap_leap_proxy.cfg. Requested by Michael Ting.
  • Improved configurability for 'make rpm' in Makefile.PL.
  • Added support for SASL authentication to LDAP servers. New parameter UseSASL tells AuthBy LDAP2, AuthBy LDAPRADIUS and ClientListLDAP to authenticate the connection to the LDAP server with SASL. See the example config file goodies/ldap-sasl.cfg for details on how to configure it.
  • Fixed a problem that prevented DefaultRealm working in Server TACACSPLUS. Reported by Marc Blum.
  • Improvements to the sample linux-radiator.init and RPM Linux init script so it takes notice of configurable variables in /etc/sysconfig/radiator better. Suggested by Paul Dekkers.
  • Added new configuration method AuthBy SASLAUTHD, which authenticates by connecting to a saslauthd server running on the same host. saslauthd is a Unix authentication server program, part of the Cyrus SASL suite. It can be configured to authenticate from a variety of sources, including PAM, Kerberos, DCE, shadow password files, IMAP, LDAP, SIA or a special SASL user password file. Example configuration file is in goodies/saslauthd.cfg
  • Testing with Gentoo 2005.0. OK.
  • Fixed a problem where AuthBy PLSQL clause did not display its AuthBy type in Radar. Reported by Jovan Sarai.
  • Fixed a problem with AuthACE.pm AuthDIGIPASS.pm AuthKRB5.pm AuthLSA.pm AuthOPIE.pm AuthOTP.pm AuthRSAMOBILE.pm AuthSASLAUTHD.pm that could prevent correct operation with TTLS-EAP-MSCHAPV2 and Odyssey client.
  • Testing on Linspire 5.0. OK.
  • Testing on Ubuntu 5.04. OK.
  • Changes to the default behaviour of AuthLog SYSLOG and Log SYSLOG so that the socket type is only set if LogSock is explicitly defined. Fixes a problem with the socket type search path on Solaris failing if syslogd does not open a unix domain socket.
  • Improvements to EAP-TLS authentication, so that a User-Name with a domain prefix will match the certificate without a domain name. Reported by "Dror Ben-Shlomo".
  • Fixed a problem where EAP-GTC would not work correctly with some AuthBys that did direct password checking (such as AuthBy LDAP2 with ServerChecksPassword enabled). Reported by Michal Marciniszyn.
  • Added a number of Airespace VSAs to dictionary, contributed by Steve Caporossi.
  • Change-Filter-Request now includes a correct authenticator. Reported by Ardolino Antonio.
  • PEAP outer handler did not set OriginalUserName for the inner packets.
  • Added sample hook to goodies/hooks.txt that shows how to discover the socket that received a request on a multihomed host. Contributed by Miko.
  • AuthBy DIGIPASS now supports PAP, CHAP, MSCHAPV2, EAP-MSCHAPV2, EAP-OTP and EAP-GTC requests. Required some changes to the API for check_mschapv2. Requires Authen-Digipass 1.5 or later (Linux and Solaris packages included in this distribution; Windows PPM packages available for download).
  • Fixed a problem where ForkClosesFDs would incorrectly close sockets created by Monitor, Server TACACSPLUS or Server RADSEC if the server forks or becomes a daemon.
  • In AuthLog SQL SuccessQuery and FailureQuery, new special character %4 is replaced by the SQL quoted original user name from the incoming request (before any RewriteUsername rules were applied).
  • Added support for SALT encryption of Unisphere-Med-Dev-Handle. Required extensive refactoring of attribute encryption and decryption. Attributes requiring encryption and decryption with shared secrets are now done by Radius::encode_attrs and Radius::decode_attrs. Encoding is now done by Client or ServerRADSEC just prior to replying. Function encode_tunnel_password renamed to encode_salt.
  • Performance and security improvements in Util::format_special
  • Fixed a problem that prevented one instance of Radiator acting as both RADSEC server and client or as multiple RADSEC clients at the same time. Requires patch for Net_SSLeay on Windows.
  • Fixed some compatibility problems between mkcertificate.sh and the OpenSSL CA utilities in 0.9.7g and later.
  • New flag NullPasswordMatchesAny enables wildcard matching of NULL password columns. Defaults to enabled for AuthBy SQL and disabled for AuthBy RADMIN, to be consistent with current default behaviour.
  • EAP TLS now supports a new hook. EAPTLS_CertificateVerifyHook runs after the request username or identity has been matched with the certificate CN. It is passed the certificate, and various other details, and returns a different user name which will be used to do the user database lookup.
  • Testing with EMIC m/cluster, a MySQL clustering solution from www.emicnetworks.com. M/cluster provides high availability, scalability and manageability services for MySQL. OK.
  • Testing on Fedora Core 4.
  • Added a number of IPWireless attributes to dictionary. Contributed by m.tavakolifard.
  • Testing on Debian 3.1r0a. OK.
  • Added support for LogMicroseconds to Monitor.
  • Added to goodies a new AuthBy RADIUSBYATTR that forwards to a RADIUS server whose attributes (host, secret etc) are specified in the request. Useful for various specialised testing scenarios. radiusbyattr.txt is a description of how to configure and use it. Contributed by Miko.
  • SNMPAgent now supports special characters in BindAddress and Port parameters. Contributed by Jose Borges Ferreira.
  • Added Daemon configuration file au.com.open.radiator.plist for OSX 10.4 (Tiger) to goodies. Contributed by Matt Richard.
  • EAP-TLS now matches certificate CNs even if they are in Unicode.
  • TTLS and PEAP now always dump the reply to the tunnelled request at DEBUG level.
  • ServerChecksPassword now honours Timeout in AuthBy LDAP2. Patch provided by Campbell Simpson.
  • In AddressAllocator DHCP, fixed a problem with the "secs" field in the DHCP header when there are timeouts and retransmissions. Reported by Ian Amess.
  • ClientListLDAP did not compile any PreHandlerHook entries from LDAP, preventing the hook running. Reported by Peter Crystal.
  • Radpwtst did not use the -acct_port argument properly. Reported and patched by Ruud Besseling.
  • Server TACACSPLUS can now use different per-Client Keys by looking for a TACACSPLUSKey in a Client clause that matches the Tacacs client address. If no matching Client with a TACACSPLUSKey is found, falls back to the global Key defined in the Server TACACSPLUS clause. Initial idea and patches contributed by James FitzGibbon.
  • Radpwtst with the -code flag sent to the -acct_port instead of the -auth_port. Reported by Phillip Lou.
  • Added new special character %x, which is replaced by the EAP Identity for PEAP and TTLS inner requests.
  • Fixed a problem with the SNMP MIB where some values were returned as integer instead of counter32. Reported by Rani Assaf.
  • Permit plaintext passwords in the format '{clear}password', in order to be compatible with some LDAP servers. Suggested by Andreas Meyer.
  • Testing with Novell NetWare 6.5 with eDirectory 8.7 and iManager 2.5. Improved Makefile.PL to implement the 'install' command under NetWare (where perl Makefile.PL does not work). 'perl Makefile.PL install' now installs all Radiator files, config files and startup script on NetWare. Extended documentation about how to enable Universal Passwords in eDirectory. Added chapter on NetWare installation to the Reference Manual.
  • Testing with DBD::SQLite2. Added example table creation script goodies/sqliteCreate.sql and added hints to documentation.
  • Added a number of new Redback VSAs to dictionary, contributed by Toomas Karner.
  • Improvements so that ServerTACACSPLUS can now be configured for the Username: and Password: prompts when authen-type of ASCII is used. Added new flag -ascii to tacacsplustest to enable use of authen-type ASCII instead of default PAP. Refactored some constants and code from ServerTACACSPLUS to use equivalents in Tacacsplus.pm.
  • Fixed some errors in definitions of Airespace-QoS-Level in dictionary. Contributed by Theodore J. Knab.
  • Added goodies/radiator.sh, a Radiator startup script for FreeBSD and rc-ng. Contributed by Paul Dekkers.
  • Improvements to AuthBy ROUNDROBIN. Now it attempts to deliver only a limited amount of times. It will remember which server it tried to send to at first and then on retry it will walk the whole RR list and try each available server in a row. If it reaches the first server again, it will abort the request. Patch provided by Rok Papez.
  • Improvements to allow use of Client-Identifier check items to detect if a request was received by a Server RADSEC clause. Matches against the Identifier of the Server RADSEC clause that received the request. Change to Server RADSEC: TLS_ExpectedPeerName now defaults to the DNS name of the RADSEC client (if resolvable), else the client's IP address. Server RADSEC did not check the Radius authenticator on incoming requests. Suggestions by Paul Dekkers.
  • Fixed problems where multiple TLS RadSec clients were initialised within the same server. Certificate passwords were incorrect and some TLS sessions would not initialise properly. Better support for different certificates in each TLS RadSec client. Reported by Paul Dekkers.
  • Fixed some interactions between different uses of Net_SSLeay, where the verify callback got clobbered by IO::Socket::SSL, which caused crashes when LDAP+(SSL or TLS) was used with RadSec or EAP-TLS. Reported by Jan Tomasek and Ross Wakelin.
  • The LDAP Deref parameter did not work as expected, since it was passed to LDAP new rather than search. Reported by Matthew Lohier.
  • AuthBy GROUP now prints the Identifier in the 'Handling with ....' DEBUG message. Requested by Jethro R Binks.
  • Improvements to peer certificate verification for RadSec connections. Client side verifies the configured server Host name against the server certificate CNs or subjectAltNames (DNS or IPADD types). Server side verifies the client IP address against the client certificate CNs or subjectAltNames (IPADD types only). Exact match and wildcard matches are honoured. If those fail then TLS_ExpectedPeerName pattern is matched against the entire Subject name. If all those fail, the certificate is not verified and the RadSec connection will be terminated. Updated RadSec example configuration files. This is all in line with RFC 2595. Suggested by Jan Tomasek. Caution, use of subjectAltNames requires patches for Net_SSLeay from this patch.
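The name-matching order described in the item above (CN or subjectAltName first, exact or wildcard, then the TLS_ExpectedPeerName pattern against the whole Subject), as an added Python illustration that is not Radiator's code. Certificates are plain dicts constructed inline instead of objects parsed with Net_SSLeay, and the wildcard rule assumed is the RFC 2595 one (a left-most '*' covers exactly one label).

```python
"""RadSec-style peer certificate name checks.  Added example, not Radiator
code; certificate fields are constructed dicts, not parsed X.509."""
import ipaddress
import re


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _name_matches(cert_name, peer_name):
    """Exact, case-insensitive match, or a wildcard in the left-most label
    covering exactly one label (assumed RFC 2595 rule): '*.example.com'
    matches 'radsec.example.com' but not 'a.b.example.com' or 'example.com'.
    IP addresses must match exactly; wildcards are never honoured for them."""
    cert_name, peer_name = cert_name.lower(), peer_name.lower()
    if _is_ip(cert_name) or _is_ip(peer_name):
        return (_is_ip(cert_name) and _is_ip(peer_name)
                and ipaddress.ip_address(cert_name) == ipaddress.ip_address(peer_name))
    if cert_name == peer_name:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".example.com"
        prefix = peer_name[:-len(suffix)] if peer_name.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return False


def _verify(cert, peer, candidates, expected_peer_name):
    if any(_name_matches(c, peer) for c in candidates):
        return True
    # Fallback: the TLS_ExpectedPeerName pattern against the entire Subject.
    if expected_peer_name and re.search(expected_peer_name, cert["subject"]):
        return True
    return False   # not verified: the RadSec connection must be terminated


def verify_server_cert(cert, configured_host, expected_peer_name=None):
    """Client side: the configured Host name is checked against the server
    certificate CNs and subjectAltNames of DNS or IP type."""
    candidates = cert.get("cn", []) + cert.get("san_dns", []) + cert.get("san_ip", [])
    return _verify(cert, configured_host, candidates, expected_peer_name)


def verify_client_cert(cert, client_ip, expected_peer_name=None):
    """Server side: the client's IP address is checked against the client
    certificate CNs and IP-type subjectAltNames only (DNS SANs not consulted)."""
    candidates = cert.get("cn", []) + cert.get("san_ip", [])
    return _verify(cert, client_ip, candidates, expected_peer_name)


# Constructed sample certificates; all values are made up for this example.
SERVER_CERT = {
    "subject": "/C=AU/O=Example/CN=radsec.example.com",
    "cn": ["radsec.example.com"],
    "san_dns": ["*.example.com"],
    "san_ip": ["192.0.2.10"],
}
CLIENT_CERT = {
    "subject": "/C=AU/O=Example/OU=RadSec clients/CN=nas-1",
    "cn": ["nas-1"],
    "san_dns": ["nas-1.example.com"],
    "san_ip": ["198.51.100.7"],
}

if __name__ == "__main__":
    print(verify_server_cert(SERVER_CERT, "proxy.example.com"))   # True (wildcard SAN)
    print(verify_client_cert(CLIENT_CERT, "198.51.100.8"))        # False
```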
  • Testing on FreeBSD 6.0 RELEASE. OK.
  • Fixed problems with session database code crashing if there were no Client clauses defined and Client.pm not loaded, as in purely RadSec or TACACS+ servers. Reported by Sajeewa Warnakulasuriya.
  • Fixed a problem with Status-Server and SNMP statistics where proxied requests were incorrectly counted in the dropped statistics too. Reported by Miko.
  • Fixed a compatibility problem with AuthBy KRB5 and krb5-1.4.*, where krb5_init_ets is not present and not required. Reported by Joon Yun.
  • Added APC-Service-Type and APC-Outlets to dictionary. Contributed by "Cassidy B. Larson".
  • Added support for FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime similar to AuthBy RADIUS. This permits RADSEC host failure detection and also automatic reforwarding to alternate RADSEC hosts by using NoReplyHook.
  • Server TACACSPLUS now prints the reply to its Radius request when at trace level 4.
  • Added ability to match Client clauses based on client MAC address. Requested by Steve Shippa.
Revision 3.13 (2005-06-02) New features and bug fixes
  • Added several more USR-Bogus-* entries for unknown USR attributes. Suggested by Robert Blayzor.
  • Fixed a problem with startup file on Suse, causing error message Starting Radiator: /usr/bin/radiusd/sbin/start-stop-daemon: (null): Bad address. Reported by Frank Messie.
  • Testing on various Debian distros, aGNUla/DeMuDi. OK.
  • Testing on Xandros 2.0. OK.
  • Testing on Xandros 3.0.1. OK.
  • Testing on Fedora Core 3. OK.
  • Fixed a problem with format_special that prevented %nn numeric replacements working correctly for %10, %11 etc. This affected AuthBy RODOPI accounting, causing multiple identical date fields to be included in SQL queries.
  • Testing on Solaris 10. OK.
  • Testing on Sun Java Desktop Release 2. OK.
  • Testing on Knoppix 3.7. OK.
  • Testing on Flash Linux 0.3.1. OK.
  • Testing on SuSE 9.2. OK.
  • Testing on FreeSBIE 1.1. OK.
  • Testing on MEPIS 3.3. OK.
  • Testing on CentOS 3.4. OK.
  • Monitor now supports more advanced methods for filtering packets to be printed by TRACE. New command TRACE_PREDICATE takes a comma separated list of name op value tests. Operators ==, !=, <, <=, >, >= and =~ (regexp) are supported, e.g.: TRACE_PREDICATE User-Name =~ "mi",NAS-Port == 1234. Also TRACE_NOPACKET causes messages without an associated packet (ie general server level messages) to be traced (defaults to 1).
  • Fixed a typo in Giganews-gbpm definition that could cause a crash: Can't use string ("") as a subroutine ref while "strict refs" in use at Radius/Radius.pm line 630.
  • Performance improvements and refactoring in RDict.pm
  • Added support for online checking of Colubris Wi-fi NASes. Tested with Colubris CN3200. Contributed by Vangelis Kyriakakis.
  • Fixed a problem that could cause an error opening the DHCP socket after a restart on some platforms. Reported by Bill Ouchark and Andrew D. Clark.
  • When doing a RefreshPeriod, ClientListSQL and ClientListLDAP now only replaces Clients that were previously loaded by that clause. Clients defined in the configuration file will not be clobbered.
  • New class Predicate to support new command TRACE_PREDICATE in Monitor. TRACE_PREDICATE allows Monitor to select log messages based on multiple attributes in incoming requests, such as: TRACE_PREDICATE User-Name=~"^mik",NAS-Port="1234". Supported tests include ==, !=, <, <=, >, >= and =~ (regexp). Also added support for new command TRACE_NOPACKET, which can be used to disable tracing of log messages that are not relevant to a particular incoming request, e.g.: TRACE_NOPACKET 0
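A small parser and evaluator for the TRACE_PREDICATE syntax described in the two items above, added here as an illustration in Python (Radiator's own Predicate class is Perl and is not reproduced). It assumes a bare '=' (as in NAS-Port="1234") is an alias for '==', compares numerically when both sides are numbers, and applies TRACE_NOPACKET to records that carry no packet.

```python
"""TRACE_PREDICATE parser and evaluator.  Added example, not Radiator's
Monitor or Predicate code.  Assumption: '=' is accepted as '=='."""
import re

# name, operator, then either a "quoted" value or a bare value up to the next comma
TEST_RE = re.compile(
    r'\s*([\w.-]+)\s*(=~|==|!=|<=|>=|<|>|=)\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|\Z)')


def parse_predicate(text):
    """'User-Name =~ "mi",NAS-Port == 1234' -> [(name, op, value), ...]"""
    text = text.strip()
    tests, pos = [], 0
    while pos < len(text):
        match = TEST_RE.match(text, pos)
        if not match:
            raise ValueError(f"bad TRACE_PREDICATE test near {text[pos:]!r}")
        name, op, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare.strip()
        tests.append((name, "==" if op == "=" else op, value))
        pos = match.end()
    return tests


def compare(actual, op, expected):
    """Apply one test; numeric comparison when both sides parse as numbers."""
    if op == "=~":
        return re.search(expected, str(actual)) is not None
    try:
        left, right = float(actual), float(expected)
    except (TypeError, ValueError):
        left, right = str(actual), str(expected)
    return {"==": left == right, "!=": left != right, "<": left < right,
            "<=": left <= right, ">": left > right, ">=": left >= right}[op]


def packet_matches(tests, packet, trace_nopacket=True):
    """packet: dict of attribute -> value, or None for a server-level message
    with no packet, which is traced according to TRACE_NOPACKET."""
    if packet is None:
        return trace_nopacket
    return all(name in packet and compare(packet[name], op, value)
               for name, op, value in tests)


def traced_messages(predicate, records, trace_nopacket=True):
    """Return the messages Monitor would print for the given predicate."""
    tests = parse_predicate(predicate)
    return [msg for msg, pkt in records
            if packet_matches(tests, pkt, trace_nopacket)]


# Constructed log records: (message, packet attributes or None).
SAMPLE_LOG = [
    ("Handling request for mikem", {"User-Name": "mikem", "NAS-Port": 1234}),
    ("Handling request for fred", {"User-Name": "fred", "NAS-Port": 1234}),
    ("Access-Accept for mikem on port 22", {"User-Name": "mikem", "NAS-Port": 22}),
    ("Server started", None),
]

if __name__ == "__main__":
    print(traced_messages('User-Name =~ "mi",NAS-Port == 1234', SAMPLE_LOG))
```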
  • The recent change to the type of User-Password in dictionary, combined with broken behaviour of Xsupplicant 1.0 when passwords are 8 chars long resulted in failed authentications with TTLS-PAP. TTLS inner User-Password is now NUL stripped.
  • You can now 'include' multiple files from the configuration file by using file csh style wildcards, and filename expansions such as *, ?, [...], {....}, ~, etc. Files whose first character is a '.' are ignored unless explicitly matched.
  • In Log SYSLOG and AuthLog SYSLOG, a new parameter LogHost allows you to specify the host name of the syslog host when using LogSock of 'tcp' or 'udp'. Defaults to the local host.
  • On BSD/OS encrypted passwords with length 20 are also considered to be crypt(3) encrypted, using DES extended format. Patch provided by Baron Fujimoto.
  • Added sample LDAP schema and example data file for use with OpenLDAP and AuthBy LDAPRADIUS to goodies/radiator-ldap.ldif and goodies/radiator-ldap.schema
  • Fixed a problem with Linux startup file '/etc/init.d/radiator status' hanging with an infinite loop.
  • Added new argument for the current request to pass to TranslatePasswordHook. Requested by Pavel A Crasotin.
  • Added goodies/solaris-radiator.init, a startup script for Solaris 8, 9 and 10. Install as /etc/init.d/radiator and check the other instructions at the top of the file.
  • Added 'make rpm' target to the Makefile to make it easy to build Linux RPMs.
  • Fixed a problem with the type of the State attribute which prevented interoperation with Windows Server 2003 with SP1. Reported by Yoann Foucher and Denis Pavani.
  • Added new parameters MaxFailedRequests and MaxFailedGraceTime, allowing configuration of how AuthBy RADIUS will determine proxy host failure. Requested by Arjan Waardenburg. Briefly: For any remote Host to which a request is sent, if no reply is heard for a specific request after the Retries retransmissions, that request is deemed to have failed for that Host. AuthBy RADIUS keeps track of how many requests failed for each host since the last time a reply was heard from that Host. If more than MaxFailedRequests are deemed to have failed within MaxFailedGraceTime seconds of the last reply heard from that Host, the Host is deemed to have failed until a further FailureBackoffTime seconds have elapsed.
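The failure-detection rule just described, combined with the AuthBy ROUNDROBIN walk from the 3.14 notes (remember the first host tried, walk the list skipping dead hosts, abort when the first host comes round again), as an added Python simulation that is not Radiator's code. Assumptions: a failure is counted once a request gets no reply after its Retries, and MaxFailedGraceTime is read as a window after the last reply during which failures do not yet mark the host dead.

```python
"""Proxy host failure detection (MaxFailedRequests, MaxFailedGraceTime,
FailureBackoffTime) plus a ROUNDROBIN walk.  Added illustration, not
Radiator's AuthBy RADIUS or ROUNDROBIN code."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    max_failed_requests: int = 1        # failures tolerated since the last reply
    max_failed_grace_time: float = 0.0  # seconds after the last reply in which failures are forgiven (assumed reading)
    failure_backoff_time: float = 60.0  # seconds a failed host is skipped
    failed_requests: int = 0            # failures since the last reply heard
    last_reply: float = float("-inf")   # time of the last reply (never, initially)
    dead_until: float = float("-inf")   # host is skipped while now < dead_until

    def is_dead(self, now):
        return now < self.dead_until

    def reply_heard(self, now):
        # Any reply resets the failure count for this host.
        self.failed_requests = 0
        self.last_reply = now

    def request_failed(self, now):
        """Record one request with no reply after Retries; return True if
        this pushes the host over the limit and marks it dead."""
        self.failed_requests += 1
        if (self.failed_requests > self.max_failed_requests
                and now - self.last_reply > self.max_failed_grace_time):
            self.dead_until = now + self.failure_backoff_time
            self.failed_requests = 0
            return True
        return False


class RoundRobinPool:
    """Remember the host tried first, walk the whole list skipping dead
    hosts, and abort once the first host comes round again."""

    def __init__(self, hosts):
        self.hosts = list(hosts)
        self._next = 0

    def forward(self, deliver, now):
        """deliver(host) -> True if a reply was heard within Retries.
        Returns the name of the host that answered, or None on abort."""
        count = len(self.hosts)
        first = self._next
        self._next = (first + 1) % count
        index = first
        while True:
            host = self.hosts[index]
            if not host.is_dead(now):
                if deliver(host):
                    host.reply_heard(now)
                    return host.name
                host.request_failed(now)
            index = (index + 1) % count
            if index == first:
                return None          # walked the whole list: abort the request


def demo():
    """Constructed scenario: a and c never answer, b answers until t=10."""
    a, b, c = (Host(n, max_failed_requests=1, failure_backoff_time=30.0) for n in "abc")
    pool = RoundRobinPool([a, b, c])
    answers = {"a": False, "b": True, "c": False}
    deliver = lambda host: answers[host.name]
    results = [pool.forward(deliver, t) for t in (0, 1, 2, 3)]
    answers["b"] = False
    results.append(pool.forward(deliver, 10))   # every host fails or is dead
    results.append(a.is_dead(10))               # a still inside its 30 s backoff
    results.append(a.is_dead(33))               # backoff has elapsed
    return results


def grace_demo():
    """A host that answered 5 s ago is inside a 60 s grace window, so two
    failures do not mark it dead; a failure after the window does."""
    host = Host("g", max_failed_requests=1, max_failed_grace_time=60.0)
    host.reply_heard(100)
    early = [host.request_failed(105), host.request_failed(106)]
    late = host.request_failed(170)
    return early, late


if __name__ == "__main__":
    print(demo())         # ['b', 'b', 'b', 'b', None, True, False]
    print(grace_demo())   # ([False, False], True)
```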
  • Following assignment of an official IANA port number for RadSec protocol, the default port number for RadSec has been changed to 2083.
  • Testing with Linksys wrt54g wireless router with WPA/Radius. OK. The wrt54g does not send accounting requests.
Revision 3.12 (2005-03-17) Major new features. Some bug fixes.
  • Added AuthBy RADSEC, which implements Radius transport over a reliable TCP/IP or SCTP connection, with optional TLS encryption and optional TLS mutual authentication by PKI certificate. The example config files implement a simple proxy from radsec-client.cfg to radsec-server.cfg on localhost.
  • Added support for Novell eDirectory Universal Passwords. Added sample configuration files and install/configure/test instructions for eDirectory on Unix. This support allows Radiator to access each user's Universal Password for authenticating PAP, CHAP, MSCHAP, MSCHAPV2, EAP-TLS, EAP_TTLS-*, PEAP, EAP_MSCHAP, EAP-MD5, LEAP etc.
  • There was a problem with the Solaris Authen-Digipass package included in 3.11 that caused "ERROR: attempt to process datastream failed". New package included.
  • A debugging print statement that had been inadvertently left in Log SQL was removed.
  • Fixed a problem introduced in 3.10 that could cause a crash like 'Undefined subroutine ldap_error_name' in AuthBy LDAP2 after an LDAP error.
  • Fixed a problem with radpwtst -gui, where changing the name of the destination server in the GUI would not actually change the destination. Reported by Ken Bell.
  • radpwtst -gui incorrectly showed Alteon-Service-Type as well as Service-Type options in the Service-Type menu.
  • Added new global parameter MaxChildren which limits the number of Fork children permitted at any one time. Contributed by Ivan Brawley.
  • Added documentation on how to configure Apache 2 for Radius authentication with the mod_auth_radius module. Works with any Radiator authentication module including ACE and DIGIPASS.
  • Added support for Challenge-Response (CR) tokens to AuthBy DIGIPASS.
  • Added documentation on how to configure PAM and pam_radius for use with Radiator to provide Unix login authentication using SecurID, Digipass or any other Radiator supported method.
  • Improved behaviour of RPM distributions, when doing rpm -F install over an old version. The symlink in /usr/lib/perl5/site_perl/Radius could end up incorrect.
  • New version of AuthBy IMAP now supports SSL connections to IMAP server. Contributed by Karl Gaissmaier. Example configuration file imap.cfg extended to show how to configure SSL connections, and TTLS-PAP support too.
  • Testing AuthBy ACE and Authen-ACE4 with ACE Server 5.2. OK. No changes required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine.
  • Testing AuthBy ACE and Authen-ACE4 with RSA Security Authentication Manager 6.0 (formerly ACE/Server 6.0). OK. No changes required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine. Tested standard, Pinpad and AES tokens.
  • Improvements to the performance of changeUserName, suggested by Nennker, Axel.
  • Added a number of IPWireless Vendor Specific Attributes to dictionary. Contributed by Mernoz Rostangi.
  • Added new test client for TACACS+. See goodies/tacacsplustest -h for help.
  • Server TACACSPLUS now allows you to set the group cache file name with the GroupCacheFile, which also permits special characters. Also ServerTACACSPLUS now uses the accounting type in incoming requests to set the Acct-Status-Type in Radius Accounting-Requests. Timestamp is now _not_ added to Radius requests, since the following Handler will always do it anyway. Added support for authentication using methods that can challenge, such as DIGIPASS, ACE, OPIE, OTP, INTERNAL etc. Default AuthorizationTimeout for Server TACACSPLUS changed to 600 seconds, to cater for authentication start/challenge/continue sequences that are subject to user input and could take a long time, and so that authorization replies will be available for longer sessions. Added -interactive flag to tacacsplustest to handle Tacacsplus authentications that might ask for additional data (such as when authenticating with DIGIPASS, ACE, OPIE, OTP, INTERNAL etc). The Tacacs group name now defaults to 'DEFAULT' if GroupMemberAttr is not defined, or if the Access-Accept does not include that named attribute (ie if the Tacacs group name cannot be determined).
  • Fixed a problem with AddToReplyIfNotExist in all AuthBys, where some special reply types such as Session-Timeout were not properly interpreted. Reported by "Brian Morris".
  • Added simple Tacacsplus test client to goodies. All perl, does not require additional perl modules.
  • Added new PostAuthSelectHook to AuthBy SQL, which allows a hook to adjust the results of the AuthSelect query before being used. Contributed by Karl Gaissmaier.
  • Testing with ZyXEL ZyAIR B-3000 Wireless access point, using WPA, 802.1x and Radius authentication. OK.
  • AuthLog SYSLOG did not recognise the LogSock parameter.
  • Added -nas_identifier flag and default NAS-Identifier attribute to radpwtst. Contributed by Nennker, Axel.
  • Added a script goodies/rotateacct.pl to rotate the ACCOUNTING table. Contributed by Ray Van Dolson
  • Added goodies/eap_acct_username.txt, A sample hook and script for de-anonymizing EAP-TTLS accounting requests, and which does not require an SQL database. Contributed by Rok Papez, with comments by Roy Badami.
  • Added new parameter for EAP-TLS, EAPTLS_NoCheckId, which prevents the comparison of the username with the certificate common name. The certificate will be accepted based only on the validity dates and the verification chain to the root certificate. This allows Radiator to mimic the behaviour of some other Radius servers. Contributed by Martin Noha.
  • Added various 3GPP attributes for vendor 10415, contributed by Andy M.
  • Fixed a problem with AuthBy RSAMOBILE, where one incorrect tokencode could cause the user to exceed their maximum login attempts. Reported by Sylvain Maret.
  • Added support for NoCheckPassword to AuthBy LDAP2, so that LDAP can be used to get check and reply items, but where the authentication is done by another module.
  • Improvements to date parsing to make it more tolerant of non-standard case in month names when used in Expiration etc.
  • Improvements to AuthBy LDAP2 so that when ServerChecksPassword is set and the password check fails, it won't cause a subsequent attempt to do an NT hashed password check.
  • All modules that can route requests back to the Handlers list now also support PreHandlerHook. Suggested by Roy Badami.
  • Testing on NetBSD 2.0. OK.
  • Fixed a problem with AuthBy PLATYPUS where some versions of perl could result in a trailing comma in the SQL for an accounting request. Reported by Jason D. Borders.
  • Performance improvements in format_special. Added ability to extend format_special indefinitely without performance penalties. Added two new attribute formatting operators. %{IntegerVal:attribute} is replaced by the integer value of the named attribute from the current request. %{HexAddress:attribute} is replaced by the IPv4 address contained in the named attribute from the current request, formatted as a hex string. Suggested by Pavel A Crasotin.
  • The timing of the writing of the PID to PidFile has been deferred until after the Radius ports are created, and the server is almost certain to start up. Suggested by Karl Gaissmaier.
  • Added example RADAUTHLOG and RADLASTAUTH tables to example SQL scripts that did not have them (all except mysqlCreate.sql).
  • Added new formatter for format_special that can access variable from the server configuration. For example, %{Server:Trace} is replaced by the global server Trace parameter.
  • Fixed a problem with AddressAllocator DHCP that could cause a socket error after a HUP on Unix. Reported by Andrew D. Clark
  • EAP TLS, TTLS and PEAP now take note of the Framed-MTU, if present, to limit the MaxFragmentSize.
  • Added goodies/gigawords-hook.pl, a hook for calculating correct total octets from Gigawords. Contributed by Igor Briski, Iskon Internet d.d.
  • Added goodies/lsa_eap_multi.cfg example config file showing how to authenticate Radius PAP, CHAP, MSCHAP and MSCHAPV2, and also how to handle the outer and inner requests for TTLS and PEAP. You can use it to authenticate almost anything against Microsoft Active Directory.
  • In ServerTACACSPLUS, BindAddress now defaults to the global BindAddress, and you can now specify multiple comma separated addresses to listen on multiple interfaces.
  • Added support for passwords encrypted with the Microsoft SQL pwdencrypt() function. The required format is: {mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA
  • AuthBy RADIUS now supports MaxFailedRequests parameter. A proxy host will not be marked as failed until at least MaxFailedRequests requests have not received a reply. This is useful for some buggy remote radius servers that sometimes drop requests for particular users. Also some internal changes to the addHost() function. Suggested by Arnauld Michelizza.
  • Added goodies/checkOnlineSql.pl, a script that checks that all the users in an SQL SessionDatabase are still online, and deletes the ones that aren't. Uses a client table to determine Nas type etc.
  • The Authen-Digipass package for Solaris did not include libaal2sdk, resulting in an error when trying to run Digipass authentication. Reported by Roy Badami.
  • New versions of AuthBy PLSQL and sample config file, which now supports INOUT parameters for Oracle stored procedures. Contributed by Pavel A Crasotin.
  • Improvements and refactoring of IPV6 address code. ServerRADSEC, ServerTACACSPLUS and Monitor can now listen for connections on multiple IPV4 and IPV6 BindAddress addresses.
  • Fixed a problem with goodies/nntp-redirect.pl where it incorrectly looked for case-sensitive AUTHINFO. Reported and patched by Thorsten Huber.
  • Added nntp-redirect.pl, a Radius-enabled Net News NNTP port authenticator and accounting agent. This program receives NNTP connection requests, authenticates each one with Radius, and then forwards the connection to the real NNTP server. It counts bytes in and out, and at the end of the NNTP session sends Radius accounting data counting the total news traffic in and out. This allows you to integrate NNTP authentication and accounting with the rest of your Radius services. Reply attributes in the Access-Accept can be used to configure the NNTP server and port to redirect to, allowing per-user NNTP configuration via Radius.
  • Altered the SQL database connections to use PrintError 0, so that unnecessary error messages will not be printed to stderr.
  • Testing on SuSE 9.2. OK.
  • Added MaxRecords parameter to AuthBy LDAP2. It specifies the max number of matching LDAP records to use for check and reply items. Default is 1 to be backwards compatible. Only the first match (if any) is used for ServerChecksPassword. Suggested by Kenneth Cheung.
  • Added a number of Mikrotik Vendor Specific Attributes to dictionary. Contributed by Adrian Tan.
  • Added new NoEAP parameter to all AuthBys that will disable EAP authentication in that AuthBy. Useful for doing additional authentication besides EAP, such as MAC address etc.
  • Added simple_main_loop to Select for simple clients etc.
  • Fixed a problem with all LDAP modules where an LDAP connection problem could cause a Radiator crash.
  • Fixed a problem with radpwtst where specifying IPV6 addresses for both -s and -bind_address could produce 'bind: Cannot assign requested address'. Reported by Paul Dekkers.
  • Improved performance of AuthBy LDAP2, especially when used with ServerChecksPassword. Some servers would disconnect after an unbind. This fix prevents a disconnection after a ServerChecksPassword bind, reducing the overhead of reconnecting. Overhead for reconnecting with TLS enabled is high. Fixed ServerChecksPassword so it works in more cases, such as Novell eDirectory. Added goodies/edirectory.cfg showing the best configuration to use with Novell eDirectory.
  • Improvements to Linux startup script so it recognises Debian start-stop-daemon and uses that to stop and start the server.
  • Testing with Debian and Ubuntu 4.10. OK, but minor changes required to RPM, Radiator.spec and linux-radiator.init
  • Improvements to EAP to prevent multiple MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in reply.
  • Fixed a problem that could cause an error in ServerTACACSPLUS 'Too many arguments for open' when running on perl 5.005. Reported and patched by Bill Ouchark.
  • EAP-Token is now supported by all static password authentication methods, such as AuthBy FILE, SQL, LDAP etc. goodies/eap_multi.cfg updated to demonstrate this.
  • EAP-TLS now supports client certificates with multiple CNs. At least one CN must match the User-Name or Identity (after EAPTLSRewriteCertificateCommonName rules are applied to each CN).
  • Added new flag EAPTLS_PEAPBrokenV1Label to make PEAP Version 1 support compatible with nonstandard PEAP V1 clients that use the old broken TLS encryption labels that appear to be used frequently, due to Microsoft's use of the incorrect label in its V0 client.
Revision 3.11 (2004-10-25) Some new features and an important bug fix.
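The {mssql} pwdencrypt() format listed above can be checked without SQL Server. The following is an added example, not Radiator's code: it assumes the publicly documented SQL Server 2000 pwdencrypt() layout (2-byte version 0x0100, 4-byte salt, then SHA-1 over the UTF-16LE password plus salt, then SHA-1 over the upper-cased password plus salt), which the changelog itself does not spell out. The sample string is the one quoted in the entry above; the "Secret" test value and its salt are constructed here.

```python
"""Check a candidate password against a {mssql} pwdencrypt() string.

Added example, not Radiator's code. Assumed layout (SQL Server 2000 pwdencrypt()):
  2 bytes  version, always 0x0100
  4 bytes  salt
 20 bytes  SHA-1(UTF-16LE(password) || salt)         case-sensitive hash
 20 bytes  SHA-1(UTF-16LE(UPPER(password)) || salt)  case-insensitive hash
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{mssql}"
# The sample value quoted in the changelog entry above.
SAMPLE = ("{mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA79"
          "59C1A798ECD34514694A13D29ED57BE9CBE5DA")


def _sha1_utf16le(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def parse_mssql(stored: str) -> Tuple[bytes, bytes, bytes]:
    """Split a {mssql} string into (salt, case_sensitive_hash, case_insensitive_hash)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {mssql} password")
    blob = bytes.fromhex(stored[len(PREFIX):])
    if len(blob) != 46 or blob[:2] != b"\x01\x00":
        raise ValueError("malformed pwdencrypt() blob")
    return blob[2:6], blob[6:26], blob[26:46]


def mssql_pwdencrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {mssql} string the way pwdencrypt() does; handy for building test data."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    blob = (b"\x01\x00" + salt
            + _sha1_utf16le(password, salt)
            + _sha1_utf16le(password.upper(), salt))
    return PREFIX + blob.hex().upper()


def check_mssql(stored: str, candidate: str) -> Optional[str]:
    """Return which half matched ('case-sensitive' or 'case-insensitive'), or None.

    The second hash only commits to the upper-cased password, so an attacker
    cracking it needs far fewer guesses; reporting the match kind lets the
    caller decide whether a case-insensitive match is acceptable."""
    salt, cs_hash, ci_hash = parse_mssql(stored)
    if hmac.compare_digest(_sha1_utf16le(candidate, salt), cs_hash):
        return "case-sensitive"
    if hmac.compare_digest(_sha1_utf16le(candidate.upper(), salt), ci_hash):
        return "case-insensitive"
    return None


if __name__ == "__main__":
    salt, _, _ = parse_mssql(SAMPLE)
    print("salt in the changelog sample:", salt.hex().upper())
    stored = mssql_pwdencrypt("Secret", salt=b"\x01\x02\x03\x04")   # constructed test value
    for guess in ("Secret", "SECRET", "secret", "nope"):
        print(guess, "->", check_mssql(stored, guess))
```

Whether Radiator itself consults the case-insensitive half is not stated in the entry above; if your deployment needs case-sensitive passwords, treat a 'case-insensitive' result as a reject.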
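The MaxFailedRequests entry above changes when a proxy target is declared dead. The following is an added model of that policy, not Radiator's own code: it assumes "requests have not received a reply" means consecutive unanswered requests, and that a failed host is retried after the FailureBackoffTime period mentioned in the 3.8 notes. Host names, the event list and the timings are constructed for the demonstration.

```python
"""Model of AuthBy RADIUS proxy failover with MaxFailedRequests.

Added example, not Radiator's code. Assumptions: the unanswered-request
counter is consecutive (a reply resets it) and a failed host is retried
once FailureBackoffTime seconds have elapsed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class ProxyHost:
    name: str
    max_failed_requests: int = 1        # historic behaviour: one dropped request marks the host failed
    failure_backoff_time: float = 60.0  # seconds before a failed host is tried again (assumed)
    unanswered: int = 0                 # consecutive requests with no reply (assumed semantics)
    failed_at: Optional[float] = None

    def available(self, now: float) -> bool:
        if self.failed_at is None:
            return True
        if now - self.failed_at >= self.failure_backoff_time:
            # Backoff has expired: give the host another chance with a clean counter.
            self.failed_at = None
            self.unanswered = 0
            return True
        return False

    def reply_received(self) -> None:
        self.unanswered = 0
        self.failed_at = None

    def request_timed_out(self, now: float) -> None:
        self.unanswered += 1
        if self.unanswered >= self.max_failed_requests:
            self.failed_at = now


def pick_host(hosts: Sequence[ProxyHost], now: float) -> Optional[ProxyHost]:
    """First host in configured order that is not sitting in backoff."""
    for host in hosts:
        if host.available(now):
            return host
    return None


def simulate(events: Sequence[Tuple[float, str]], hosts: Sequence[ProxyHost]) -> List[Optional[str]]:
    """Replay (time, 'reply'|'timeout') events and return which host each request went to."""
    chosen: List[Optional[str]] = []
    for now, outcome in events:
        host = pick_host(hosts, now)
        chosen.append(host.name if host else None)
        if host is None:
            continue                    # nobody to forward to: Radiator would have to drop or reject
        if outcome == "reply":
            host.reply_received()
        else:
            host.request_timed_out(now)
    return chosen


# Constructed scenario: primary tolerates three consecutive drops, secondary none.
SCENARIO = [(0, "timeout"), (1, "timeout"), (2, "reply"), (3, "timeout"),
            (4, "timeout"), (5, "timeout"), (6, "reply"), (70, "reply")]


def run_scenario() -> List[Optional[str]]:
    hosts = [ProxyHost("primary", max_failed_requests=3, failure_backoff_time=60.0),
             ProxyHost("secondary")]
    return simulate(SCENARIO, hosts)


if __name__ == "__main__":
    for (t, outcome), target in zip(SCENARIO, run_scenario()):
        print(f"t={t:>3} {outcome:<8} -> {target}")
```

With MaxFailedRequests 3, the isolated drops at t=0, 1 and 3 never take the primary out of service; only the third consecutive timeout at t=5 does, after which the secondary serves t=6 and the primary is retried at t=70, once the backoff has passed.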
  • New module AuthBy MULTICAST proxies some or all requests to _all_ Hosts in a list. Contributed by Andrew Ivins and Swiftel.
  • New example code in goodies/hooks.txt for processing multiple cisco-avpair attributes. Contributed by Chris.Patterson.
  • Improvements to Monitor.pm so that stringarray and splitstringarray types can be displayed in Radar.
  • Improvements to AuthBy FILE so that a Filename of the form %D/users.%R (where the file to be looked at depends on the user's Realm) will work correctly with caching turned on. Contributed by Ivan Brawley.
  • Improvements to ClientListSQL, so that SQL failures during reloading of the client list will result in the old list continuing to be used. Contributed by Ivan Brawley. Similar changes to ClientListLDAP.
  • Testing on Fedora Core 2. OK.
  • Testing on SuSE 9.1. OK, but fixes required for /etc/init.d/radiator in RPM.
  • Testing on Slackware 10.0. OK, but fixes required for RPM installs. Slackware requires rpm --nodeps to install the RPM
  • Fixed a problem that prevented logging of some incoming packets through Monitor. Reported and patched by Ivan Brawley.
  • Fixed a problem introduced in 3.10 with reassociating after poor coverage. Reported by Roy Badami.
  • Fixed a problem with AcceptIfMissing which did not work correctly if the user did not exist in the database.
  • Fixed a problem where logging at trace level 4 to an SQL database could cause problems with quoting on Informix due to a newline in the log message.
  • We now ensure the openssl session resumption time limit is set in accordance with EAPTLS_SessionResumptionLimit. Reported and patched by Roy Badami.
  • Improvements to restartWrapper so it can log to syslog through /usr/bin/logger. Contributed by Nennker, Axel.
  • Log SQL and Log SYSLOG loggers now support MaxMessageLength parameter which truncates the log message (prior to any quoting in the case of SQL). Useful for some types of SQL server that complain if given a string longer than the column it is going into.
Revision 3.10 (2004-10-11) Significant new features. Bug fixes.
  • Radiator is now 'Vasco Ready'. Added support for Vasco Digipass authentication with new AuthBy DIGIPASS module. Example config file in goodies/digipass.cfg. Sample Digipass token data tables added to goodies/*.sql. Documentation on installing and configuring Digipass on Solaris, Linux and Windows in goodies/digipass-install.txt. Prebuilt binaries of required Authen-Digipass module for Solaris, Linux and Windows.
  • New module AuthBy LDAPRADIUS proxies requests to a remote radius host whose details are found in an LDAP database, looked up against the user's Realm (or Calling-Station-ID etc). Similar in functionality to AuthBy SQLRADIUS. Example LDAP schema, LDAP records and config file are included.
  • Added new clause ClientListLDAP, which lets you define your Client clauses from an LDAP query, similar to ClientListSQL. Also supports RefreshPeriod, so the Client list can be refreshed periodically. Example config files, LDAP data and schema included.
  • New module AuthBy KRB5 for authenticating against Kerberos 5. Works with Radius PAP and EAP-TTLS-PAP. Substantially contributed by Steve Harper with fixes by Jeff Wolfe. Tested against realms hosted by DCE and MIT K5. Example config file in goodies/krb5.cfg
  • Testing with pGina, a free Windows login program for Win2000 and XP that uses Radius to authenticate Windows users (http://sourceforge.net/projects/pgina). Works fine with the example goodies/simple.cfg.
  • Further improvements to handling of EAP Requests. Requests other than Notifications are now IGNORED, except for LEAP.
  • Fixed a problem with dictionary that could occasionally cause MSCHAPV2 authentication to fail.
  • Added support for DefaultRealm in Server TACACSPLUS.
  • Added a number of Nomadix VSAs to dictionary. Contributed by Ing. Rosario Pingaro.
  • Fixes to permit <Handler User-Password=xyz> to work with CHAP, MSCHAP and MSCHAPV2, as well as PAP.
  • Added Ascend-Session-Svr-Key to dictionary.ascend. Contributed by tcrholdings.
  • AuthRSAMOBILE.pm was accidentally left out of the 3.9 distribution.
  • Fixed a problem with CommandAuth in ServerTACACSPLUS. Patch contributed by Nick Slager.
  • Added VSAs for Trapeze Networks to dictionary. Contributed by Matthew Gast.
  • In dictionary, MS-MPPE-Encryption-Types of Encryption-40 and Encryption-128 were reversed.
  • Disconnect-Request packets did not get a correct authenticator when proxied.
  • Added support for AddToRequest in field 22, StripFromRequest in field 23 and AddToRequestIfNotExist in field 24 of ClientListSQL of GetClientQuery.
  • Added some more Extreme VSAs to dictionary. Contributed by Carlo Beronio of Extreme Networks.
  • Added new script goodies/mergedetails which will combine multiple accounting details files into a single file in chronological order.
  • Added new goodies/vlanhooks.txt, with example hooks for handling multiple downstream authenticators, and NASs with incompatible interpretations of Tunnel-Private-Group attributes. Contributed by Matthew Gast.
  • Added VSAs for Sonic Wall to dictionary, contributed by Joe Levy.
  • Testing on Lindows 4.5. OK.
  • Improvements to domain handling in AuthBy LSA. New parameter DefaultDomain specifies the domain if the user does not specify a domain in their username. PEAP now passes the entire DOMAIN\username to the authenticating module. If you are using PEAP-MSCHAPV2 with AuthBy FILE, users should not specify a domain when they log in (unless you have DOMAIN\user in your users file). Also added new parameters Group and DomainController to AuthBy LSA. The Group parameter allows you to specify that each user must be the member of at least one of the named Windows global groups. More than one required group can be specified, one per Group line. Requires Win32::NetAdmin (which is installed by default with ActivePerl). If no Group parameters are specified, then Group checks will not be performed. Only Global groups are supported. If Group is required and DomainController is not specified, it will attempt to find the domain controller based on the user's domain. Example usage in lsa.cfg.
  • Fixed a problem in goodies/radacctSorted.cgi that could cause a 'divide by zero' error when used with an SQL database.
  • Improvements to AuthLog SYSLOG and Log SYSLOG, so that multiple instances of the logger with different Facility parameters will work as expected. Contributed by Heikki Vatiainen.
  • Versions of Radiator that require a key for unrestricted operation now identify themselves as 'LOCKED' rather than 'EVALUATION'.
  • Added new command line flag to radpwtst. The -eaphex flag allows you to specify an EAP-Message in hex. Contributed by Martin Noha.
  • Added new ConnectionHook parameter to SqlDb.pm. This allows any Sql object (like AuthBy SQL etc) to run database-specific code each time Radiator (re)connects to the database. This is most useful for executing func() to configure the database connection in customised ways. Example hook in goodies/sql.cfg. Suggested by Oleg E. Shubarov.
  • Fixed a typo in ServerConfig.pm, that resulted in 'acccess requests' in status reports.
  • ClearTextTunnelPassword parameter was moved from AuthBy RADIUS to AuthGeneric, so that all AuthBy modules (not just RADIUS proxying) now honour it. Suggested by Patrik Forsberg.
  • New version of Windows Authen-ACE4 PPM package, compiled for both ActivePerl 5.6 and 5.8 with recent SDK for Server 2003 etc. Also PPM summary files for use with PPM3.
  • EAP-MSCHAPV2 in an inner authenticator now honours AddToReply AddToReplyIfNotExist and DefaultReply.
  • Fixed an incorrect header length with EAP-PEAP version 1. Fixed a problem with cached EAP-PEAP version numbers. Reported by Jouni Malinen.
  • goodies/radwho.pl now lets you set the table name to use with -table argument
  • Modules that use syslog now do openlog;syslog;closelog for each log message so that if the syslog facility restarts, Radiator will reconnect to the syslog facility.
  • ReplyHook can now set $p->{RadiusResult} to force particular response.
  • Fixed a problem with goodies/radwho.cgi where some browsers did not work correctly with the 'delete session' link.
  • AuthBy RADIUS now determines a suitable local source socket address from LocalAddress, based on whether the destination address is IPV4 or IPv6. The first suitable address in the LocalAddress list will be used as the source address. If LocalAddress does not specify a suitable IPV4 or IPV6 address for the intended destination, the appropriate 'any address' will be used, which generally means the default source address for that host.
  • AuthBy RODOPI now supports Rodopi 5.4 Cisco VOIP authentication and billing. Requests that contain the 'cisco-h323-conf-id' attribute will be handled with the VoipAuthSelect and VoipAcctSQLStatement parameters.
  • Common authentication methods now accept all passwords if NoCheckPassword is set.
  • radwho.cgi now sets the refresh time to 0 after terminating a user, so the automatic browser refresh doesn't keep clobbering the user. Patch submitted by Richard Vander Reyden.
  • EAP MD5-Challenge now rewrites the EAP identity using RewriteUsername.
  • Fixed a problem with EAP TTLS where the TLS client-hello would not be honoured properly on some combinations of client and AP.
  • AddressAllocator SQL now does not run the AllocateQuery if it is an empty string. Also, the expiry time is now calculated once for each allocation, and passed to FindQuery as %2. Suggested by Andy M.
  • In dictionary, some 3GPP attributes were incorrectly called just GPP.
  • Added Giganews VSAs to dictionary. Contributed by Carl Litt.
  • Testing with jradius-client, a java Radius client from sourceforge. OK.
  • Fixed a problem that prevented IPV6 DNS names being used. Reported by Paul Dekkers.
  • Fixed problem with a number of authentication modules that could cause a crash when doing logPassword when used to authenticate for Monitor or Server TACACSPLUS requests. Reported by Carl Litt.
  • Improvements to handling of Windows NT Hashed passwords. Encrypted-Password may now be either 32 bytes of hex encoded NT hashed password, or 16 bytes of binary NT hashed password or 13 bytes of Unix crypt password. User-Password now supports NT Hashed passwords in the form User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4. The NT Hashed passwords work with PAP, and now with MSCHAP, MSCHAPV2, EAP-MSCHAPV2 and EAP-LEAP. This provides compatibility with Samba SMB passwords (either in a flat file or in LDAP).
  • In PEAP, AllowInReply could cause MPPE keys to be unexpectedly stripped from the reply.
  • Fixed a potential issue in TTLS session resumption. Reported by Roy Badami.
  • Added goodies/radlog.cgi, a CGI script to view the tail of a Radiator log file. Can be helpful for helpdesk troubleshooting. Contributed by Mohammad Junaid, Cyberia.
  • Fixed a problem that prevented ClientListSQL properly processing the last column from the query, which can contain a comma separated list of flag names.
  • Changed example LDAP config and sample user data to be compatible with OpenLDAP 2.1. OpenLDAP now defaults to requiring protocol version 3.
  • AuthBy RADMIN can now handle Session-Timeout as a string, such as 'until Time'. Reported by Oliver Insanally.
  • Core LDAP functions moved from AuthLDAP2.pm to new module Ldap.pm to allow reuse by other LDAP modules such as AuthLDAPRADIUS.pm and ClientListLDAP.pm
  • Name of the key-locked distribution file changed from Radiator-Demo to Radiator-Locked.
  • AuthLog SYSLOG now supports the LogIdent parameter, similar to Log SYSLOG.
Revision 3.9 (2004-03-17) New features
  • Added support for Radius over IPV6. Radiator can now receive Radius requests over IPV6, and proxy to remote servers over IPV6. radpwtst can now send requests over IPV6. See goodies/ipv6.cfg for examples. Requires the Socket6 module from CPAN.
  • radwho.cgi now honours the correct sort order after deleting. Contributed by Cameron Moore.
  • Added support for NAS-Type of NomadixSNMP, contributed by Toomas Karner.
  • Fixed a problem that could affect EAP TTLS where the inner requests was proxied to another Radius server. Could result in no reply sent back to the AP. Reported by Roy Arends.
  • Added support for NasType of Redback by SNMP. Contributed by Toomas Karner.
  • AddressAllocator SQL now does not run the DeallocateQuery or ReclaimQuery if they are empty strings. Suggested by Kwang Moon.
  • Added more USR VSAs to dictionary, contributed by Joseph Eapen.
  • Improvement to AuthBy RSAMOBILE, so the Tokencode prompt includes the expected SMS message ID if possible.
  • Added support for encrypted passwords in ancient Netscape Mail server format: {NS-MTA-MD5}b6b49e37d494a09bfde663033274bc83cd1bf318fa32c5866166a7edcb1e1c87
  • New hook TranslatePasswordHook for all AuthBy clauses. This hook can be used to apply site-specific translations to passwords, such as forcing lowercase, decrypting or otherwise transforming passwords retrieved from the user database, prior to checking. Works with plaintext, CHAP, MSCHAP etc.
  • Added support for non-standard VSA format for Ascend/Lucent TAOS code 4846. Also added Ascend-MOH-Timeout to dictionary, which will be decoded according to this non-standard format. Requested by Jeroen.
  • Renamed Redback VSA Acct-Reason to RB-Acct-Reason for consistency with all others Redback attributes.
  • Server TACACSPLUS will now print a hex dump of the raw incoming TACACS request if Trace is set to 5.
  • New certificates for testing TLS/TTLS/PEAP. Previous certificates expired in Feb 2004. These new ones expire in March 2006.
  • Added a number of new attributes to the standard dictionary, such as VSAs for Juniper ERX, RB-Client-MAC
Revision 3.8 (2003-12-24) New features and bug fixes
  • Added beta support for EAP Generic Token Card, EAP-PEAP Generic Token Card and conventional Radius Access-Accept/Access-Challenge using AuthBy RSAMOBILE and the RSA Mobile authentication system from RSA Security (www.rsasecurity.com). RSA Mobile supports a number of authentication methods, including username and password, an access code sent by SMS to your mobile phone, and RSA SecurID Token Cards; all of these can be configured with AuthBy RSAMOBILE.
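The Trace 5 hex dump of incoming TACACS+ requests mentioned above shows the packet as it arrives on the wire, which means the body is still obfuscated with the shared key. The following is an added example, not Radiator's code, of how to build, obfuscate and decode such a packet: the 12-byte header, the authentication START body and the chained-MD5 pseudo-pad follow the TACACS+ protocol specification (RFC 8907), while the user, port, address, key and session id are constructed for the demonstration.

```python
"""Encode and decode TACACS+ packets, including the MD5 body obfuscation.

Added example, not Radiator's code. Layouts follow RFC 8907; the sample
values below are constructed for the demonstration."""
import hashlib
import struct
from typing import Dict

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION_12_0 = 0xC0                 # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(sid|key|ver|seq); pad_n = MD5(sid|key|ver|seq|pad_n-1); concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                       action: int = 1, priv_lvl: int = 1, authen_type: int = 2,
                       service: int = 1) -> bytes:
    """Authentication START body. Defaults: LOGIN action, PAP (the password rides in data), LOGIN service."""
    return (struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes,
                 version: int = VERSION_12_0) -> bytes:
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(raw: bytes, key: bytes) -> Dict[str, object]:
    """Parse the header and recover the clear body (the shared key is needed unless the unencrypted flag is set)."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def parse_authen_start(body: bytes) -> Dict[str, object]:
    if len(body) < 8:
        raise ValueError("short START body")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack_from("!8B", body)
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("START length fields do not match body length")
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


if __name__ == "__main__":
    key = b"mykey"                                                    # constructed shared secret
    start = build_authen_start(b"mikem", b"tty0", b"10.0.0.5", b"fred")
    raw = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, start, key)
    print("on the wire (what a Trace 5 dump shows):", raw.hex())
    pkt = parse_packet(raw, key)
    print("decoded START:", parse_authen_start(pkt["body"]))
```

Two operational points follow from the code: the pad depends only on the session id, sequence number, version and the shared key, so anyone holding the key (or reading a log that contains it) can recover the PAP password from a Trace 5 dump; and a client that sets TAC_PLUS_UNENCRYPTED_FLAG sends that password in the clear, so reject such packets on any server that is not a test bench.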
  • Fixed a problem with SIGHUP on FreeBSD with the Monitor clause, could cause 'Could not bind Monitor socket: Address already in use'.
  • Fixed incorrect references in the documentation to /usr/local/etc/radius.cfg.
  • Changes to Server TACACSPLUS, because some TACACS+ clients do not like success packets containing a server message. No server message is ever sent now.
  • Added Redback Acct-Reason VSA to dictionary. Contributed by Kurt Jaeger.
  • Further improvements to Server TACACSPLUS, contributed by Paul Schultz, and confirmed operation with various Cisco and Juniper clients. Added support for CommandAuth, a mechanism for permitting or denying permission for specific commands requested on the Tacacs client.
  • Added cisco-Policy-Up and cisco-Policy-Down VSAs to dictionary.
  • Added EAPTLS_PEAPVersion parameter to all AuthBy clauses, which allows you to control which version of the draft PEAP specification to honour. Defaults to 1. Set it to 0 for unusual clients, such as Funk Odyssey Client 2.22 or later.
  • Fixed a problem with PEAP that could prevent the use of Framed-IP-Address in user records, resulting in an error like:
    Mon Oct 20 15:57:25 2003: ERR: Could not handle an EAP request: Can't call method "attrByNum" on an undefined value at Radius/Radius.pm line 1440.
  • Fixed problems with Server TACACSPLUS, where some cases of incorrect message packaging were found and fixed by Paul Schultz. Also some special characters like %w and %C did not work correctly with requests originating from Server TACACSPLUS. Reported by Garry Thomas.
  • Added a number of Unisphere VSAs to dictionary. Contributed by Chris Patterson.
  • Fixed a problem with AuthBy RADIUS in Synchronous mode, where if all hosts failed to get a reply, Radiator would stop answering requests until the FailureBackoffTime expired.
  • Fixed problem with incorrect replies to Tacacs accounting requests. Reported by Garry Thomas.
  • Fix for broken Breezenet/Breezecom/Alvarion VSAs. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc through to Breezecom-Attr11.
  • Added Packeteer-AVPair to dictionary.
  • $p->{EAPIdentity} is automatically set to the EAP identity (if known) during EAP processing.
  • Added a number of Altiga attributes to dictionary. Contributed by Karl.Gaissmaier.
  • Added missing documentation for SnmpwalkProg to reference manual.
  • EAP LEAP now honours RewriteUsername to rewrite the LEAP identity before authentication.
  • Added NasType CiscoSessionMIB, which uses the new sessionMIB available in Cisco IOS 12.2.15T. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dt_asmib.htm for more details.
  • EAP TLS authentication did not take notice of the common name in the certificate when checking the users file. Every users certificate Common Name is now required to be in the users file.
  • Some types of errors in initialising the TLS library would only affect the first EAP request. Subsequent ones could succeed where they should not.
  • Added Copper Mountain Networks Vendor Specific Attributes to dictionary
  • Fixed a problem where runt EAP-Message attributes could cause ERR messages like "Could not load EAP module Radius::EAP_;"
  • New argument -rawfileseq added to radpwtst. Contributed by Martin Noha.
  • Added generic, configurable one-time-password module AuthBy OTP that can be used with EAP-OTP, EAP-GTC and standard dialup. Hooks allow you to generate random passwords and deliver them through a back channel such as SMS by calling an external program.
  • Fixed a bug in AuthBy SQLRADIUS where falling back to the secondary would not occur under some circumstances.
  • Added new parameter SQLRecoveryFile so that any SQL clause (such as AuthBy SQL etc.) can log failed SQL do queries to a file for later recovery. Performance improvements to AuthBy SQL accounting. Suggested by Kenneth Cheung.
  • Fixed some problems with session resumption on Windows XP EAP-TLS and openssl that could cause a crash.
  • Added support for RFC 3576 Error-Cause attribute to dictionary. Also added recognition for all Radius packet types per RFC 3576. Added Acct-Tunnel-Packets-Lost per RFC 2867 to dictionary.
  • AuthLog is now passed the reason (if there is one) even with accepts. Suggested by Robert Kiessling.
  • Improvements to PEAP, TTLS and TLS error handling. The SSL context is now cleared on EAP failures.
  • Added goodies/multiprofile.txt, which contains a contribution from Matthias Wamser, showing how to provide different sets of reply items for different types of Dialup, DSL services etc.
  • Fixes to Server TACACSPLUS so that special characters that depend on the OriginalUserName like %u will work.
  • Added Propel VSAs to dictionary, contributed by Craig Gittens.
  • In SessionDatabase SQL, username is now always quoted when it is available as %0.
  • Added support for DEC VMS style hashed passwords, in the format
    {dechpwd}algorithm|salt|hashedpassword
    eg: {dechpwd}3|1234|85ad61e72a41dec4
    Requires Authen-DecHpwd from CPAN.
  • Fixed one case of use of LOG_WARN instead of LOG_WARNING in Server TACACSPLUS. Reported by Robert Kiessling.
  • Fixed problem where <Handler User-Password=xxx> would cause a crash.
Revision 3.7.1 (2003-09-26) Important bug fix, support for EAP Generic Token Card.
  • AuthBy RADIUS now correctly handles replies of type Disconnect-Request-ACKed. Contributed by Robert Thomson.
  • Added support for EAP Generic Token Card (EAP type 6). Modifications so that AuthBy OPIE can be used to authenticate EAP-One-Time-Password, EAP-Token Card and EAP-PEAP Token Card from the OPIE one-time-password system. Tested with Funk Odyssey client. Improvements to radpwtst, added the -eapotp and -eapgtc arguments to support testing of EAP One-Time-Password and EAP Generic Token Card.
  • Added support for EAP Generic Token Card and EAP-PEAP Token Card with AuthBy ACE and the SecurID ACE server token code system. Sample config file in goodies/eap_gtc_ace.cfg. AuthBy ACE will also work with EAP PEAP Generic Token Card similar to eap_peap_gtc_opie.cfg.
  • Fixed a typo in attribute parsing that could cause an error like ERR: Bad attribute=value pair:. This typo was introduced in version 3.7.
  • In dictionary, Unisphere-Service-Bundle was incorrectly set as an integer instead of a string. Reported by Jan Munkhammar.
  • Improvements to Server TACACSPLUS by Robert Kiessling: Translate TACACS+ attributes for NAS-Port-Id and Calling-Station-Id for Accounting requests too, not only for Authentication and Authorization requests as before.
  • Typo in dictionary: alreadyDisconneted should have been alreadyDisconnected.
  • Improvements to Server TACACSPLUS suggested by Robert Kiessling: can now use Client-Identifier as a check item to identify requests originated by ServerTACACSPLUS.
Revision 3.7 (2003-09-23) Some significant new features and some minor bug fixes.
  • Added Cisco LEAP-compatible 802.1x wireless EAP support, and example eap_leap.cfg.
  • Added new AuthBy LSA module which can authenticate PAP, CHAP, MSCHAP, MSCHAPV2, PEAP, LEAP etc against Windows user passwords. Can be run on Windows 2000, 2003 and XP (not Home edition). Requires the Win32-Lsa perl module from Open System Consultants.
  • Added new clause <ServerTACACSPLUS> that acts as a Tacacs+ server and converts Tacacs+ requests into Radius requests. Handles Tacacs+ authentication, authorization and accounting. Sample configuration file in goodies/tacacsplusserver.cfg.
  • New {mysql} password format support did not work correctly on perl 5.005 and earlier, causing failures in the test suite at tests 2w, 2x, 2z, 3a, 3d, 3g, 3h, 4a, 5a, 5f, 6a, 6b, 6c, 6e, 6f, 6g, 6h, 7a, 7b, 7c, 8a, 8b.
  • Performance improvements in regular expression check item matching in AuthGeneric.pm
  • Performance improvements in regular expression Realm selection.
  • Added VSAs for Alcatel BRAS DSL termination gear to dictionary
  • radpwtst now honours the -class flag for Access-Requests as well as Accounting-Requests.
  • Fixed EAP-TTLS so that %u works for the inner authentication.
  • Fixed a problem with UseExtendedIds that could cause a crash with "Can't locate object method "change_attr" via package "Radius::AuthRADIUS"".
  • Testing on Symbol Mobility Server (www.symbol.com). This is a very small ARM Linux server with BusyBox Linux not much bigger than you hand. Takes a CF card as a plug-in file system, and runs Radiator fine, including 802.1x TLS, TTLS and PEAP. Requires cross-compilation of some Perl modules. We can provide instructions if required.
  • Removed logging of password at INFO level during bind in AuthBy LDAP2. Suggested by "Steven P. Crain".
  • Changed the example EAPTLS_MaxFragmentSize in all EAP configuration examples to 1000 to accommodate Enterasys RoamAbout V2 access points, as suggested by Mark Haidl.
  • New -servicename argument to radiusd allows the name of the Windows service to be specified for -installservice and -uninstallservice, allowing multiple instances of Radiator to be run as Windows services at the same time.
  • Fixed typos in isOnline support for Portmaster3, Portmaster4 and Xyplex.
  • radpwtst now sets the authenticator in Disconnect-Request same as for accounting. Some NASs (notably Cisco) require this.
  • Fixed a problem with radpwtst in -gui mode, where the toolbar expands bigger than it should be. Patch contributed by Cameron Moore. Thanks Cameron.
  • Added AllowInRequest parameter to AuthBy RADIUS, which restricts which attributes can be proxied. Suggested by Toomas Karner.
  • Unrecognised EAP types now result in a REJECT instead of IGNORE.
  • Improvements to PEAP for Cisco PEAP compatibility.
  • AuthBy INTERNAL now takes a RejectReason parameter. This string will be used as the Reply-Message if the AuthBy INTERNAL rejects a request.
  • Improvements to logging messages and documentation for SessionDatabase SQL, suggested by Claude Iyi Dogan.
  • Fixed some typos in the example goodies/url.cfg and goodies/test_url_md5.cgi files.
  • AuthBy RADIUS could crash if BindAddress was set to multiple comma-separated addresses. Reported by Anthony Stanton.
  • Added support for Session-Timeout="until ValidTo", which sets the session timeout to be the amount of time left to the end of the ValidTo check item account validity period.
  • In ClientListSQL, PreHandlerHook parameters for each client were not properly compiled, and would not run. Fixed.
  • Added WISPr RADIUS attributes to dictionary, based on Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1, Feb 2003, p 14 http://www.weca.net/OpenSection/downloads/WISPr_V1.0.pdf
  • Dictionary VALUEs that looked like integers would be misinterpreted, especially Tunnel-Medium-Type=802
  • With PEAP-MSCHAP-V2, per-user reply items did not get sent back in the final Access-Accept.
  • AuthBy SQLRADIUS now honours AddToReply and StripFromReply attributes from the Host as well as the AuthBy SQLRADIUS.
  • Changes so that a proxied Access-Reject does not get multiple Reply-Message. Patch by Toomas Karner. Thanks Toomas.
  • Testing with Aegis MDC Linux 1.2.0beta client on RedHat 8. Tested all EAP types, including certificate types with Radiator test certificates. See the Radiator FAQ for further remarks. Added certificates suitable for Linux clients (root.pem, cert-clt.pem) to the distribution.
  • Added more KarlNet VSAs to dictionary, contributed by Clinton - Golden IT.
  • SNMPAgent now correctly honours BindAddress when used with SNMP_Session version 0.92 or later.
  • Added EAPTLSRewriteCertificateCommonName parameter for TLS, which rewrites the Common Name from the certificate before using it to fetch user details from the Radiator database. Suggested by Paul Dekkers.
  • When installing as a service on Windows, you can now specify extra arguments to pass to perl on the command line when the service starts. This is useful for specifying an alternative install directory for the Radiator perl modules, eg: perl c:\Radiator\radiusd -installservice -serviceperlargs -Ic:\Radiator
  • Minor changes to AuthBy OPIE, ACE and CRYPTOCARD to better support tunnelled requests.
  • Added example configuration file showing how to authenticate from an IC-ISP mySQL database. IC-ISP is a full source ISP billing package for Unix. See www.ic-isp.com for details about IC-ISP. Accounting is not supported. Works with IC-ISP 2.0.24 and later.
  • AuthBy SQLRADIUS now honours UseExtendedIds as a configurable per-host parameter, and AuthBy RADIUS now makes each Host inherit its UseExtendedIds from the AuthBy RADIUS clause.
  • Fixed a problem with AuthBy RADIUS where 2 Proxy-State = OSC-Extended-Id could be added when multiple Hosts were involved.
  • Fixed a problem with PEAP MSCHAPV2: if a Domain was specified, the authentication would fail.
  • Radius packets were incorrectly limited to 8192 bytes on reception. Increased to 65535.
  • The Group parameter did not permit symbolic group names.
  • In SessionDatabase SQL, the session ID (%3) was not always quoted correctly in DeleteQuery.
  • Improvements to storage of VALUE in dictionary allows decoding based on the attribute name rather than the number, which allows correct unpacking of attributes with synonyms, such as Ascend-Disconnect-Cause. This involved changes to RDict::valNumToName.
  • Fixed a potential problem when unpacking non-conforming abinary attributes.
  • Added goodies/logisense.txt, containing example configuration, SQL tables and requirements for interoperation between Radiator and ENGAGE*IP. Contributed by STOWE TELECOM, LLC.
  • Added Slipstream-Auth to dictionary.
  • Under certain circumstances on some platforms with AuthLog SYSLOG and Log SYSLOG, syslog can die. Fixed.
  • Added StartHost parameter to AuthBy SQLRADIUS, contributed by Alexander Mayrhofer.
  • Improvements to error handling in AuthBy LDAP2.
  • Testing on Windows Server 2003. No changes in code or documentation required.
  • Testing on HP PA-RISC Linux (Debian). No changes in code or documentation required.
  • Added -outport and -bind_address options to radpwtst.
  • Fixed a problem where AuthBy URL did not handle AuthUrl starting with https://
  • Fixed a problem involving EAP, where multiple AuthBy clauses could result in incorrect PEAP-MSCHAPV2 challenge message, or using the wrong challenge during authentication.
  • AuthBy SQL now logs to AcctFailedLogFileName if AcctSQLStatement fails as well as if the usual accounting insert fails.
  • AuthBy URL now supports AcctUrl, a URL that will be used for accounting data.
  • Added AuthBy SOAP module for converting Radius requests to SOAP and SOAPRequest.pm for converting SOAP requests back to Radius requests. This SOAP interface is useful for tunnelling through firewalls, improving the reliability of Radius by using TCP as the transport, and for improving security by using HTTPS as the protocol.
  • Added VSAs for Quarry devices.
  • Fixed a problem with parsing of attr=val pairs on some platforms with some locales on perl 5.8.0, due to changes in perl regexp handling.
  • Added new special characters. %A is replaced by the Timestamp in standard SQL date time format eg: Sep 12, 2003 15:48. %B is replaced by the current time in standard SQL date time format eg: Sep 12, 2003 15:48. %F is replaced by the Timestamp in extended SQL date time format eg: Sep 12, 2003 15:48:59. %G is replaced by the current time in extended SQL date time format eg: Sep 12, 2003 15:48:59.
  • In AuthBy SQL, columns inserted by AcctColumnDef are now inserted in alphabetical order by column name. Patch provided by Robert Blayzor. Thanks Robert.
  • On some platforms such as FreeBSD, a Monitor connection would not disconnect properly after a QUIT command.
  • Added a number of new attributes to dictionary for CVX and Valemount. Thanks to Craig Gittens and Greg Schiedler.
  • Dates for Expiration, ValidTo, ValidFrom etc can now have optional hh:mm:ss time component. Also support dd.mm.yy(yy) (hh:mm:ss) format.
Revision 3.6 (2003-04-14 Significant improvements to wireless support)
  • Most AuthBy clauses, including AuthBy RADIUS, now support the ability to try a previously cached password before authenticating or proxying. The new CachePasswords flag causes Radiator to cache the password and reply for previously accepted authentication requests. The cached password will be tried before subsequent authentication attempts. Caution: works with PAP only. Includes improvements to Proxy-State behaviour.
  • AuthBy RADIUS now supports CachePasswords either before or after proxying. The new flag CacheOnNoReply controls whether the cache will be checked before every request, or only after no reply is received. It defaults to 1 (ie check the cache if no reply is received) to be consistent with historical behaviour.
  • Significant improvements to Windows installation process.
  • Added DefaultLimit parameter, allowing you to control the maximum number of DEFAULT users. Defaults to no limit.
  • Added support for password encryption type {digest-md5-hex} which can be used with Digest and SIP (Session Initiation Protocol) authentication.
  • Added support for SIP (Session Initiation Protocol) Telephony Digest authentication, as per draft-sterman-aaa-sip-00.txt, using attributes Digest-Response, Digest-Attributes as defined in the new dictionary.sip.
  • radpwtst now takes a -sip command line argument that forces it to do SIP digest authentication. Requires the new dictionary.sip as well as the old dictionary like this:
             radpwtst -dictionary dictionary,dictionary.sip -sip
  • Ivan Kohler updated the Freeside accounting insert hook, and the file name was changed from freesideacct.pl to goodies/sqlradacct.pl to be consistent with Ivan's naming convention. Also Ivan's Copyright notice had been omitted. See goodies/freeside.cfg.
  • AddressAllocator SQL now supports SQL bind variables on databases that provide them.
  • SimpleClient.pm now implements retries. Sample code in goodies/simpleClient.pl
  • Previous changes to quote the community in snmp commands with double quotes for correct operation on Windows somehow got lost. Reinstated.
  • In AuthBy LDAP, AuthBy LDAP2 and AuthBy LDAPSDK, AuthDN and AuthPassword now permit special characters. Requested by Dan Melomedman (dan%dan.dan at devonit.com)
  • Added AuthenticateAttribute parameter to most AuthBy clauses, allowing you to authenticate an attribute other than User-Name.
  • Newly reorganised dictionary had incorrect types for vendor-specific Ascend-Data-Filter and Ascend-Call-Filter. Changed to abinary.
  • Added goodies/sqlclienthook.pl, sample code showing a way to have a ClientListSQL-like database of clients, but still use the file:'filename' style of hooks. Written by German Gatica. Thanks German.
  • Improvements to goodies/radacct.cgi to make it tolerant of Acct-Session-Ids that include spaces. Contributed by petri.maenpaa at satakunnanpuhelin.fi.
  • Improved sorting of Time On field in radwho.cgi. Suggested by petri.maenpaa at satakunnanpuhelin.fi.
  • PasswordLogFileName and WtmpFileName now ensure that the directory exists before writing.
  • Could get multiple EAP-Message attributes when tunnelling EAP-MSCHAPV2 through TTLS.
  • In AuthBy SQL, if there are multiple AuthColumnDef reply definitions, they will be added to the reply in the order of the SQL query column number. Previously the order was not guaranteed.
  • Client and Handler clauses incorrectly did not allow you to specify AllowInReply.
  • Added 3GPP and Quintum Vendor-Specific-Attributes to dictionary
  • Testing with Solaris 9. OK. We tested with the precompiled Solaris 8 Perl 5.8.0 binary from SunFreeware.
  • Fixed some compatibility problems for OpenSSL 0.9.7 in the example goodies/mkcertificate.sh.
  • The test suite now tests with a user 'testuser' not 'mikem'.
  • Added detailed installation instructions for Mac OS X to goodies/osx.txt
  • All EAP configuration parameters involving files now support special characters.
  • Added sample EAP certificates to the distribution. None of these certificates should be considered to be secure, and they should NOT be used in a production environment, but only for testing and proof-of-concept for your project. You should use a reputable Certificate Authority package such as CAtool to generate your production certificates. See certificates/README for details on how to use them.
  • Updated example goodies/eap_* configuration files to use sample certificates.
  • The default location of the configuration file for radiusd on Unix has been changed from /usr/local/etc/radius.cfg to /etc/radiator/radius.cfg. On Windows, it now defaults to C:\Program Files\Radiator\radius.cfg.
  • Added goodies/opie.txt, detailed instructions for installing and configuring OPIE on RedHat 7.3 for use with FW-1. Contributed by "Mark Wellins" (markw at checkpoint.com)
  • Log SQL now has the SQL quoted User-Name available as %4.
  • The Microsoft XP SP1 PEAP client uses the wrong MPPE keying material. The new version of EAP_25.pm detects the Microsoft client and interoperates with it as well as with compliant clients. Reported by "Tom Rixom" (tom.rixom at alfa-ariss.com).
  • Improved compatibility with PEAP compliant 802.1x clients, as well as with the broken Microsoft version 0 PEAP client. Now works with Meetinghouse Data's Aegis version 2 client with PEAP (and all other Aegis client authentication types)
  • Added support for 'Session Resumption' for EAP-TTLS and 'Fast Reconnect' for PEAP. Can be optionally disabled with the EAPTLS_SessionResumption flag (defaults to enabled). The time limit for session resumption can be specified with EAPTLS_SessionResumptionLimit. Defaults to 43200 seconds (12 hours).
  • Added goodies/eap_anon_hook.pl, a hook which fixes the problem with some implementations of TTLS, where the accounting requests have the User-Name of anonymous, instead of the real user's name. This hook caches the real user name in an SQL table and then does a lookaside to replace the User-Name in accounting requests. Example usage in goodies/eap_ttls.cfg, example table in goodies/mysqlCreate.sql.
  • Fixed a problem that would cause a crash if Handler User-Password=xxx was used.
  • Performance improvements in AuthGeneric logging. safeLog no longer needed.
  • Improvements to SessionDatabase SQL, contributed by Jeremy Hinton (jgh at visi.net). If your CountQuery SQL statement is written to return a fifth argument (the default is just four), the value of the fifth argument is used in the querying of the NAS as the username to look for.
  • The new BasicSelect parameter mechanism in AuthBy PLATYPUS was broken in version 3.4
  • Minor error logging improvements in AuthBy UNIX.
  • When inner PEAP authentications were proxied, there was no Message-Authenticator included, which could cause some remote radius servers to not reply. Reported by Kawakubo, Ken (kkawakub at fhcrc.org).
  • Added VSAs for Juniper Networks to dictionary. Contributed by eric at ypass.net.
  • New special character %E is replaced by total time (in seconds) since the request was received.
  • Fixed a problem when %c or %C was used with tunnelled requests, causing a crash.
  • Added support for new check items EAPType and EAPTypeName which match the EAP protocol number (4, 13, 26 etc) and EAP protocol name (MD5, TLS, MSCHAP-V2 etc) that the authentication request was carried in.
  • Added a number of Unisphere, Ascend-Disconnect-Cause and Acct-Terminate-Cause attributes to dictionary. Contributed by Rui Lapa (rui.lapa at oni.pt)
  • Example simple users file goodies/linux-users moved to goodies/users
  • On Windows, 'perl Makefile.PL install' now installs sample config file, sample users file and dictionary in 'c:\Program Files\Radiator' (if they do not already exist there). The files goodies/linux-users was moved to goodies/simple-users. New sample config file for Windows in goodies/windows.cfg.
  • New module Radius/Win32Service.pm to manage automatic installation and running of Radiator as a Windows service. Radiusd internals reorganised to support this. Requires Win32::Daemon (install with ppm install http://www.roth.net/perl/packages/win32-daemon.ppd).
  • The Server Started message now logs at NOTICE level for improved monitoring. Suggested by Scott Worthington (scottw at bnsi.net).
  • Added VSAs for UTStarcom Issanni DSL router to dictionary. Contributed by butch at infowest.com.
  • SNMP now recognises the 'Timeout' error message from some types of SNMP client, especially net-snmp (v5.0.8) (or ucd-snmp v4.2.3) on Windows.
  • Added support for MySQL hashed password, as produced by the MySQL password() function, in the format User-Password = "{mysql}0569ef75321b8fed".
  • Client duplicate detection now ignores the source port, due to some clients (notably Cisco APs) using a different port for every request, resulting in excessive memory usage.
  • Improved handling of Proxy-State. Proxy-State attributes are now never proxied: they are always copied (once) by the proxy server. This prevents multiple copies and facilitates other improvements such as extended ids support. Further, Proxy-State is now expected to work correctly with EAP requests, CachedPasswords etc.
  • Added support for UseExtendedIds in AuthBy RADIUS. This mechanism uses a more robust type of Radius packet identifier that is more tolerant of large bursts of packets and various other environmental problems. This mechanism uses Proxy-State to carry a packet identifier with a much larger range, compared with only 256 that the Radius protocol specifies. This mechanism will replace the ServerHasBrokenPortNumbers and ServerHasBrokenAddresses flags, which are now deprecated. Based on code contributed by various staff at KPN. Thank you!
  • Added a number of attributes from http://www.iana.org/assignments/radius-types to dictionary, including some new Service-Type, Tunnel-Type, Acct-Terminate-Cause etc.
  • Added LogIdent parameter to Log SYSLOG, allowing you to specify an alternative ident for syslog. Defaults to the executable name as before. Suggested by Stefan Moser (sm at open.ch).
  • AuthBy RADIUS now supports the ClearTextTunnelPassword flag, which prevents Tunnel-Password being decrypted and reencrypted during proxying, to support older NASs that do not support encrypted Tunnel-Passwords.
  • Fixed a problem with hanging on Oracle in disconnect with some types of network failures. Contributed by Rodney Volz (rodney at LF.net).
  • Fixed a problem that would cause double logging to files of any startup errors detected within ServerConfig.
  • The ability to match empty string check items was broken in 3.4.
  • radpwtst now has -eapmd5 flag for testing EAP-MD5 challenge. Test suite now uses it.
  • Removed MacRadiusd.sit.hqx from distribution. It is now defunct and caused problems during unpacking on MacOSX.
  • Fixed a problem with AuthBy RADMIN affecting vendor attributes that have no integer definitions. Patch contributed by Stephan (sschoenberger at monzoon.net).
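The SIP Digest check behind the {digest-md5-hex} password format and the draft-sterman-aaa-sip support above, as an added example that is not Radiator's code: the server needs only HA1 (which is exactly what {digest-md5-hex} stores) to verify a Digest-Response, so the cleartext password never has to be in the user database. Digest-Attributes is modelled as a plain dict of its sub-attribute names (realm, nonce, method, uri, qop, nc, cnonce); that representation, and the sample values, are assumptions, not the wire encoding.

```python
"""
Added example (not Radiator's code): verifying a SIP Digest Access-Request
on the RADIUS server side, with the user's check item stored either as
cleartext or as "{digest-md5-hex}<HA1>". Digest-Attributes is represented
as a dict of sub-attribute names; this is a simplification, not the
draft-sterman-aaa-sip wire format.
"""
import hashlib
import hmac

DIGEST_PREFIX = "{digest-md5-hex}"


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the value a
    {digest-md5-hex} User-Password check item holds."""
    return _md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, attrs: dict) -> str:
    """RFC 2617 response computed from HA1 and the Digest-Attributes
    sub-attributes, with or without qop."""
    ha2 = _md5hex(f"{attrs['method']}:{attrs['uri']}")
    if attrs.get("qop"):
        return _md5hex(f"{ha1}:{attrs['nonce']}:{attrs['nc']}:"
                       f"{attrs['cnonce']}:{attrs['qop']}:{ha2}")
    return _md5hex(f"{ha1}:{attrs['nonce']}:{ha2}")


def client_response(username: str, realm: str, password: str, attrs: dict) -> str:
    """What the SIP user agent computes; the SIP proxy forwards it to the
    RADIUS server as the Digest-Response attribute."""
    return digest_response(digest_ha1(username, realm, password), attrs)


def verify_digest_request(stored: str, username: str, attrs: dict, response: str) -> bool:
    """Server side. `stored` is the user's User-Password check item, either
    cleartext or "{digest-md5-hex}<HA1>". Returns True when Digest-Response
    matches. Nonce freshness and replay tracking are the caller's job;
    this function only checks the proof of password knowledge."""
    if stored.startswith(DIGEST_PREFIX):
        ha1 = stored[len(DIGEST_PREFIX):].lower()   # no cleartext needed
    else:
        ha1 = digest_ha1(username, attrs["realm"], stored)
    expected = digest_response(ha1, attrs)
    return hmac.compare_digest(expected, response.lower())


# Constructed sample exchange (not captured traffic).
SAMPLE_ATTRS = {
    "realm": "example.com", "method": "REGISTER", "uri": "sip:example.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
}
```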
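The Proxy-State handling and UseExtendedIds entries above describe why a one-byte RADIUS Identifier is a problem for a busy proxy and how Proxy-State can carry a larger id. This added example (not Radiator's code) shows the mechanism end to end: the proxy appends its own Proxy-State once, leaves any upstream Proxy-State untouched, and matches replies on the extended id rather than the wire Identifier alone. The "OSC-Extended-Id=" payload format and the 32-bit counter are constructed for illustration and are not Radiator's actual encoding.

```python
"""
Added example (not Radiator's code): a RADIUS Identifier is one byte, so a
proxy can have at most 256 requests outstanding to one upstream server
before ids collide. Carrying a larger id in a Proxy-State attribute, which
the upstream server must echo unchanged, keeps replies matchable past that.
The "OSC-Extended-Id=" payload and 32-bit counter are constructed here.
"""
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_PROXY_STATE = 1, 33
EXT_ID_PREFIX = b"OSC-Extended-Id="      # constructed marker, see docstring


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type(1) Length(1) Value; Length includes header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(payload: bytes):
    """Yield (type, value) pairs, refusing malformed lengths."""
    i = 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        yield t, payload[i + 2:i + length]
        i += length


def build_packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 header: Code(1) Identifier(1) Length(2) Authenticator(16)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], pkt[20:]


class ExtendedIdProxy:
    """Tracks outstanding proxied requests keyed by a 32-bit extended id."""

    def __init__(self):
        self._next_ext = 1
        self._outstanding = {}           # ext_id -> (wire ident, original)

    def proxy_request(self, original: bytes) -> bytes:
        """Re-emit a request upstream. Proxy-State attributes already present
        are left untouched; ours is appended once (upstream echoes them all)."""
        code, _ident, auth, attrs = parse_packet(original)
        ext_id = self._next_ext
        self._next_ext = (self._next_ext + 1) & 0xFFFFFFFF or 1
        wire_ident = ext_id & 0xFF       # the 8-bit id still goes on the wire
        self._outstanding[ext_id] = (wire_ident, original)
        ours = encode_attr(ATTR_PROXY_STATE, EXT_ID_PREFIX + str(ext_id).encode())
        return build_packet(code, wire_ident, auth, attrs + ours)

    def match_reply(self, reply: bytes):
        """Return (original request, reply attrs minus our Proxy-State), or
        None when the reply matches nothing outstanding."""
        _code, ident, _auth, attrs = parse_packet(reply)
        kept, ext_id = b"", None
        for t, v in decode_attrs(attrs):
            if t == ATTR_PROXY_STATE and v.startswith(EXT_ID_PREFIX) and ext_id is None:
                try:
                    ext_id = int(v[len(EXT_ID_PREFIX):])
                except ValueError:
                    return None
                continue                 # strip our own Proxy-State
            kept += encode_attr(t, v)
        if ext_id not in self._outstanding:
            return None
        wire_ident, original = self._outstanding[ext_id]
        if wire_ident != ident:          # both ids must agree or it is a stray
            return None
        del self._outstanding[ext_id]
        return original, kept


def simulate(n_requests: int) -> int:
    """Proxy n_requests requests, deliver the upstream replies in reverse
    order, and count matches. Past 256 the wire id alone is ambiguous."""
    proxy = ExtendedIdProxy()
    forwarded = [proxy.proxy_request(build_packet(
        ACCESS_REQUEST, i & 0xFF, os.urandom(16),
        encode_attr(ATTR_USER_NAME, b"user%d" % i))) for i in range(n_requests)]
    matched = 0
    for fwd in reversed(forwarded):
        _code, ident, auth, attrs = parse_packet(fwd)
        echoed = b"".join(encode_attr(t, v) for t, v in decode_attrs(attrs)
                          if t == ATTR_PROXY_STATE)   # upstream echoes Proxy-State
        if proxy.match_reply(build_packet(ACCESS_ACCEPT, ident, auth, echoed)) is not None:
            matched += 1
    return matched
```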
Revision 3.5 (2002-12-17 Minor fixes)
  • Added files EAP_24.pm and EAP_26.pm which were omitted from the previous release. They are required for PEAP and EAP-MSCHAP-V2.
  • Attributes from all dictionaries have been reorganised and amalgamated into a single dictionary file called 'dictionary' in the main distribution directory. There is still a dictionary.ascend that contains the oldfashioned non-vendor-specific Ascend attributes that may be required by some installations. All the dictionaries that were previously shipped in the main distribution are now redundant and have been moved to the goodies directory for reference only.
  • Fixed typo in SessSQL.pm.
  • Pavel A Crasotin (pavel at ctk.ru) provided a new version of his goodies/AuthPLSQL.pm patched to support 'request' type.
  • Fixed a problem in example goodies/kerberos.txt caused by change in args to decode_password in version 3.4. Reported by Chris Myers (c.myers at its.uq.edu.au)
  • RPM adjusted so shutdown scripts are not present for run levels 3, 4, 5, 6. Suggested by Gustav Foseid (gustavf-radiator at initio.no). Thanks Gustav.
  • goodies/radimportacct now exits with non-zero status if any inserts failed. Suggested by "Eli Tovbeyn" (eli at xpert.com).
  • Example goodies/jet.cfg updated to use the new external program recommended by Obsidian.
  • Now log DEBUG message at startup when dictionary file(s) and configuration files are read, showing the name of the files.
  • Added SimpleClient.pm, a module that makes writing a simple Radius client simple.
Revision 3.4 (2002-11-29 Significant new features and some fixes)
  • Added support for PEAP and EAP-MSCHAPV2 (as used in Windows XP SP1).
  • Significant enhancements to EAP support, including: TTLS session resumption, improved performance, reduced duplicated code, correct use of EAP identities during authentication, more config examples, configurable User-Name during EAP decode-proxying etc.
  • Added support for AutoMPPEKeys for EAP-TLS. Tested with Windows XP etc. Moved some common TLS and TTLS code to a new module Radius/TLS.pm. Requires Digest-HMAC and Digest-SHA1 from CPAN. Now full Dynamic WEP key protection is available for both TLS and TTLS in Radiator.
  • Testing and some minor fixes for Meetinghouse Data Corp's Aegis wireless client, including MD5, TLS, and TTLS (PAP, CHAP, MSCHAPV1 and MSCHAPV2).
  • EAPType can now be a comma separated list of permitted EAP types, with the default (most preferred) named first.
  • Changes to EAP_21.pm for improved interoperation with Meetinghouse Aegis TTLS clients.
  • Added support for Certificate Revocation List (CRL) checking to EAP-TLS. Caution: requires Net_SSLeay-1.20 _plus_ patches, and also openssl 0.9.8 or later.
  • Radiusd now supports multiple authentication and accounting ports with AuthPort port,port,port... and AcctPort port,port,port...
  • AuthBy FILE now supports quoted user names with embedded white space, eg "fred bloggs"
  • AuthBy ADSI now supports SearchAttribute, permitting searches for users as well as direct binding. Also added GroupRequired to make group membership checking quicker and easier. Also improved performance of CheckGroup, and obsoleted need for CheckGroupServer (CheckGroup now checks the group list returned from the user bind). Much of this code contributed by Mark Motley (mark at motleynet.com). Thanks Mark.
  • SessionDatabase SQL now supports a new parameter ReplaceQuery. If it is defined it will be used to add a new record to the session database. If it is not defined then DeleteQuery/AddQuery will be used as before. This can improve performance in SQL databases that support the 'insert or replace' type of query, such as MySQL.
  • Special character %W (the realm of the original user name) was not translated correctly.
  • The global Trace parameter did not appear in Radar parameter inspection. Now appears and can be modified from within Radar.
  • Fixed a problem with setting new effective group ID with Group. On some platforms and with some configurations, it would incorrectly report that setting the egid had failed when in fact it had not. Also fixed a problem where setting the egid would fail on some platforms if User was also used to set the euid.
  • Added dictionary.hiper, a dictionary for 3Com Hiper Access Router Card, in MERIT RADIUS format. This is added verbatim, and is not compatible with Radiator format.
  • Added Lucent-Vendor-Specific VSA to dictionary
  • When an SNMP sim-use check is run, the community is now quoted with double quotes, not single quotes. Single quotes don't work properly with Windows shells.
  • radwho.pl moved to goodies and out of the standard executables.
  • Fixed a problem with AuthBy INTERNAL, where during Accounting Processing, the AcctAlive and the AcctStop commands never run, while the command AcctStart is executed with Acct-Status-Type=Alive|Start. Reported and fixed by Giuseppe Denora (g.denora at elitel.it). Thanks Giuseppe.
  • AuthBy RADMIN now uses the new ValidFrom and ValidTo check items rather than checking them internally. This will permit NoDefaultIfFound to work correctly with RADMIN. Reported by "Thomas Hartley/NCO/CEtv" (thartley at austar.com.au).
  • Added RFCs 2869 and 2882 to the distribution.
  • Added to goodies/hooks.txt an example hook to add User-Name attributes to accounting requests that may not contain them.
  • Tagged-string attributes were not unpacked correctly if there was no tag present. Reported by Tony Landells (ahl at austclear.com.au).
  • DEFAULT users with a Suffix check item did not always work correctly. Reported by Tony Landells (ahl at austclear.com.au).
  • Fixed a problem with FramedGroup with large port numbers, where the third octet of the computed address could have silly values. Reported by "Miro Majcen" (miro.majcen at smart-com.si).
  • Fixed a problem where a FramedGroupMaxPortsPerClassC of 0 could cause a crash. Reported by "Miro Majcen" (miro.majcen at smart-com.si).
  • Added example configuration file for Telstra (Australia) Dial Connect Virtual ISP.
  • Testing with Perl 5.8.0. OK.
  • AuthLogSQL always reconnected to the database even when there was nothing to do. Reported by Dan Melomedman (dan at devonit.com).
  • AuthBy RADMIN did not correctly handle some integer valued check items.
  • Improvements to SessionDatabase SQL, so that the NAS ID, NAS port and SQL quoted Acct-Session-Id are available in the AddQuery.
  • AuthBy POP3 now permits special characters in the Host field, so that you can handle multiple domains automatically with 'Host pop3.%W'
  • Log SQL and Log EMERALD did not correctly recover from an SQL database outage. No further logging would occur, even after the database came back.
  • In Log SQL, the Table parameter now takes special characters.
  • AuthBy ADSI did not correctly handle some AuthAttrDef attributes. For example if there was more than one otherHomePhone, an incorrect check would be made. Reported by Billy Li (billyl at unitechnetworks.com). More below about this.
  • Added an example xinetd configuration file for Linux and others to the goodies.
  • Added example configuration file for Jet ISP billing in goodies/jet.cfg. Jet is a user management and billing system, specifically designed and created for ISPs. Written in python and Zope, it is highly flexible, and has a modular construction allowing for additional modules to support a customers specific needs. It comes with full source code, and Obsidian's development team is available to produce extensions as required.
  • Added StatisticsOnly flag to Monitor.
  • Added GroupRequired to AuthBy NT on Windows, which ensures the user is a member of the named group. Contributed by "Motley, Mark" (Mark_Motley at earthtech.com). Thanks Mark.
  • Most check items now permit alternation with multiple permitted values separated by vertical bar ('|'). Also, in AuthBy ADSI and AuthBy LDAP*, if an AuthAttrDef of type 'check' is multi-valued, it will be automatically converted into alternates, so you can use multi-values to do a one-of check item match.
  • Added goodies/rcrypt, a simple command line utility to do Rcrypt encryption and decryption of passwords.
  • Testing with Mandrake 9.0. No issues or changes required.
  • Added Session_Error_Code and Session_Error_Msg to dictionary.redback
  • Fixed a problem with AuthBy ACE that would cause it to hang if run in the background.
  • Improvements to AuthBy SQL for formatted-date. If Date:Format is not available, logs an error and ignores the column. Suggested by Martin Edge (martinedge at kbs.net.au).
  • AuthBy EXTERNAL now REJECTS if the external program exits due to a signal. Suggested by Inglesant Philip (Philip.Inglesant at netscalibur.co.uk)
  • radwho.pl and radwho.cgi were opening /tmp/xxx instead of /dev/null as workaround for freetds problems. Reported by "Utku Er" (erutku at netone.net.tr).
  • Improved isonline checking for Cisco. Now handles ISDN ports (ie larger than port 20000) with finger. Contributed by "Utku Er" (erutku at netone.net.tr).
  • Can now specify multiple BindAddress addresses, comma separated. Suggested by Jeremy Hinton (jgh at visi.net).
  • Added goodies/CiscoDialupIPPools.doc, a document describing how to do basic ip address assignment for Cisco dialup using radiator. Contributed by "Kent, Ashley" (akent at ue.com.au).
  • Testing EAP with Net::SSLeay 1.21. OK.
  • Fixed a problem with AuthBy POP3 where a failed POP3 connection could cause a crash. Reported by "Johannes Demel" (demel at zid.tuwien.ac.at). Also testing with POP3Client 2.12. OK.
  • Fixed a problem where HUP signal on FreeBSD could cause crashes with "Could not bind authentication socket: Address already in use at radiusd line ...". Reported by "Giuseppe Denora" (g.denora at elitel.it).
  • Testing with Apple AirPort base station. OK for MAC authentication. 802.1x EAP authentication is not supported by AirPort. Added entry to FAQ describing how to set up.
  • Handler now detects accounting Acct-Status-Type of Interim-Update in the same way as type Alive, for compatibility with some non-standard dictionaries.
  • Fixed a problem with AuthByPolicy ContinueWhileIgnore and Auth-Type=Ignore not working as expected. Reported by Petr Zimak (Petr.Zimak at unibas.ch).
  • Added new AuthBy IMAP module, to authenticate from an IMAP server. Contributed by Petr Zimak (Petr.Zimak at unibas.ch). Also example config file goodies/imap.cfg.
  • Added new module AuthBy HTGROUP and example goodies/htgroup.cfg, which can be used to confirm group membership according to an Apache htgroup file. Contributed by Rodger Allen (rodger at infrasecure.com).
  • Fixed a problem with unreliable packing of integer8 Radius attributes.
  • In AuthBy PLATYPUS, can now use BasicSelect parameter to alter the basic user select clause. AuthSelect is still used to optionally augment BaseSelect.
  • Added goodies/AlterNASPort.pl, an example hook to convert Cisco-NAS-Port to NAS-port so you can use the standard session database and NasType Cisco. Contributed by Paul Pilsbury (ppilsbur at connect.com.au).
  • In AuthBy INTERNAL, any error in compiling a hook will result in an IGNORE if the hook is used. Previously, it would ACCEPT. Suggested by "Giuseppe Denora" (g.denora at elitel.it).
  • Improvements to SNMP simultaneous use operations, so that if a NAS fails to respond Radiator will not try to contact it again for SnmpNASErrorTimeout seconds. Contributed by Greg B Zemskov (tingor at kraft-s.ru).
  • AuthBy RADMIN now ignores bad logins if the bad logins column is set to NULL, or if the MaxBadLogins parameter is set to 0. Suggested by Nicolai van der Smagt (nicolai.vandersmagt at BBNED.NL)
  • Fixed a problem where an SHA password would cause a crash unless Digest::SHA1 is installed. Reported by Camilo Echeverry (caecheverryj at telesat.com.co).
  • Testing with Windows 2000 802.1x hotfix. OK.
  • Improved workaround for UTF8 problems in perl 5.8. All sockets are now binmode to raw mode, preventing wide character interpretations.
  • Performance improvements in Nas.pm for NAS-specific module loading.
  • AuthEMERALD.pm and AuthEMERALD4.pm needed 'use Radius::Client' to prevent errors when using AuthBy EMERALD with any Client clauses in the config file. Reported by Carlos Molina (cmolina at net-uno.net).
  • ReplyHook is now passed a ref to the Radius::Host structure for the downstream radius server.
  • Added Netscreen vendor specific attributes to dictionary. Contributed by david.loesche at yipes.com.
  • Radius::decode_password is now more generalised. It can decode any argument, not just the password from the current packet.
Revision 3.3.1 (30/8/02 Minor release to fix install problems)
  • Makefile.PL used SITEPREFIX to determine where to install library files, but this is not available on all platforms. Removed.
  • Added Unisphere-Pppoe-Description to dictionary. Contributed by "Brian Morris" (brian at netspeed.com.au) and Chris Patterson at TransACT.
  • Fixed a typo in EAP_13.pm which meant that sometime EAP-TLS would fail if multiple simultaneous authentications were in progress.
  • SessionDatabase SQL did not allow you to configure ClearNasSessionQuery. Reported by Frederic Olivie (alf at club-internet.fr)
  • AcceptIfMissing did not operate correctly if the user existed but a check item was incorrect. Reported by "Simon Dixon" (sdixon at highway1.com.au).
  • Added new DisconnectAfterQuery to SqlDb.pm that causes all SQL modules to disconnect after a do or a getOneRow. Can be useful for some broken SQL servers that try to disconnect idle SQL connections, but then hang when trying to reconnect.
Revision 3.3 (27/8/02 Important Security Update and some minor new features)
  • Important Security Update: Removed support for the %Eval special character syntax due to security issues that can affect AuthBy SQL and AuthBy LDAP*. We recommend that all operators of Radiator 3.0, 3.1 and 3.2 upgrade to this version immediately.
  • Testing EAP TTLS with Net_SSLeay-1.20. OK. No patches to Net_SSLeay are required now.
  • Added handling for StripFromRequest, AddToRequest and AddToRequestIfNotExist to Client and AuthBy GROUP.
  • Default install directory for Radius/*.pm library files changed to be independent of perl version and for improved RPM installation.
  • Improved handling of failure to open dictionary. Patched by Frederic Olivie (alf at club-internet.fr). Thanks Frederic.
  • Fixed a typo in AuthBy PLATYPUS that can cause an error like: (Missing operator before EQ?). Reported by Justin White-Lowther (jw351898 at oak.cats.ohiou.edu).
  • Added goodies/rcradiator, a Linux LSB compliant startup script, contributed by Carlos Perasso (carlosrp at idea.com.py). Thanks Carlos.
  • AuthBy GROUP was incorrectly checking DefaultSimultaneousUse for accounting as well as Access-Request packets. Reported by "James M. Luedke" (james at enabledsites.com).
Revision 3.2 (20/8/02 New features and fixes)
  • Caution: Updated AuthGeneric.pm and MSCHAP.pm to use the more modern Digest::SHA1 instead of SHA. If you are using SHA passwords or MSCHAP authentication, you must install Digest::SHA1.
  • Added new AuthBy URL module, contributed by Mauro Crovato (mauro at crovato.com.ar). This module authenticates by sending the username and password (optionally encrypted) as tags to a URL by HTTP. A CGI or ASP program at the URL authenticates the password.
  • Fixed some interoperability problems with EAP-TLS. Testing with Aironet AP and Client cards with OpenSSL and Xsupplicant on Linux and Windows XP.
  • Beta support for EAP-TTLS as used by Funk Odyssey clients. Supports TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPV2 for both local and proxy authentication. See example configuration files goodies/eap_ttls.cfg and goodies/eap_ttls_proxy.cfg. TTLS is Tunnelled TLS, as per draft-ietf-pppext-eap-ttls-01.txt. It is supported by Funk Odyssey wireless clients through a variety of wireless access points. It provides one-way TLS authentication (the client authenticates the radius server), and the inner authentication requests are delivered to the radius server through the encrypted TLS tunnel. Unlike EAP-TLS, TTLS does not _require_ a certificate on each client.
  • Tested EAP MD5-Challenge with Aironet AP and Client cards and Windows XP. Added example goodies/eap_md5.cfg config file.
  • Added more Spring Tide VSAs to the dictionary. Contributed by atesillo at ctgred.net.co.
  • AuthBy SQL now runs AuthSQLStatement even if AuthSelect is empty.
  • A debug print statement accidentally left in AuthLog SQL has been removed.
  • AuthBy SQL AcctColumnDef now cannot insert the same column multiple times. If there are multiple AcctColumnDef definitions for the same column name and with non-null values, the last one will be the one inserted. This is most likely to improve the case where there are two NASIdentifier definitions, and the NAS reports both NAS-IP-Address and NAS-Identifier. A number of example config files were changed so that NASIdentifier is preferred if present.
  • AuthBy SQL now supports the HandleAcctStatusTypes parameter, which allows you to specify a comma separated list of Acct-Status-Types that will be processed. All other types will be acknowledged, but not inserted or processed with AcctSQLStatement. This is a more general mechanism than AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly, and these parameters are now officially deprecated and will not be supported in the future.
  • A typo in Radius.pm prevented Ascend-Xmit-Rate working properly. Reported by "Romain Vergniol" (romain.vergniol at cegedim.fr).
  • In the event of no reply from any hosts, AuthBy SQLRADIUS now runs the NoReplyHook before any FailurePolicy automatic reply. Previously it was run after the automatic reply.
  • Added Roaring Penguin VSAs to dictionary. Contributed by "Scott Helms" (khelms at zcorum.com). Thanks Scott.
  • Added to Monitor support for Clients parameter, a comma or space separated list of IP addresses that Monitor will accept connections from. Default is to accept from any address.
  • Added a number of new Altiga VSAs to dictionary, contributed by "neil d. quiogue" (neil at quiogue.com)
  • Added /usr/local/etc/radiator to the dictionary search path for radpwtst. Suggested by "Martin Edge" (medge at affinityinternet.com.au)
  • Added UseTLS parameter for forcing TLS encryption in AuthBy LDAP2. Contributed by Carl Litt (carl at execulink.com). Thanks Carl.
  • Added new flags to AuthBy NT on Windows. IgnoreAccountExpiry causes AuthBy NT to ignore the NT account expiry flag when users attempt to log in. IgnorePasswordExpiry causes it to ignore the password expired flag. IgnorePasswordChange causes it to ignore the password change required flag.
  • radpwtst -gui was not correctly showing packet dumps in the 'Detailed' trace level.
  • Fixed a problem where an incorrect data length in an incoming radius packet could result in reports of a 'Malformed request packet:'. Reported by "Thilo Wunderlich" (tw at 7eins.net)
  • New parameter AuthCheckDN in AuthBy LDAP2 allows you to specify an alternative DN to use to check a user's password, instead of the one returned by the search result. Patch supplied by Jeremy Hinton (jgh at visi.net). Thanks Jeremy.
  • Fixed a problem where HUP or reinitialise with a broken SNMPAgent clause could cause a crash.
  • Fixed goodies/hooks.txt. Example use of replyTo() fixed to be in line with new API.
  • Improvements to AuthBy RADIUS (and by inheritance AuthBy SQLRADIUS) so that Host addresses that aren't resolved are reported but don't crash Radiator. Reported by "Sebastian Filzek" (sebastian at filzek.org).
  • Attempts to use Session-Timeout in the form nnnn would cause a crash. Reported by "Radius Impsat" (radius at impsat.net.ec).
  • The MS-CHAP2-Success reply in response to an MSCHAP V2 authentication was incorrectly formatted.
  • Crypt-encoded passwords can now be flagged with {crypt}... or {CRYPT}...; the prefix is now case insensitive. Similarly for {rcrypt}, {MD5} and {SHA}. Suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de) for compatibility with slappasswd. Thanks Karl.
  • The internal session database is now tolerant of Session-IDs with embedded colons, as used by Nortel CVX 1800 etc.
  • Fixed a problem with AuthBy LDAP2 and UseTLS. Could crash after multiple authentications. Reported by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de).
  • AuthBy RADMIN did not correctly increment bad logins count if encrypted passwords were in use. Reported by glenn_pierce at EnterpriseServices.com.au. Thanks Glenn.
  • When used with MSCHAP V2, the AutoMPPEKeys flag in any AuthBy now automatically generates MS-MPPE-Send-Key and MS-MPPE-Recv-Key as per RFC 3079. When used with MSCHAP V1 it still sends MS-CHAP-MPPE-Keys. Reported by Stephan (sschoenberger at monzoon.net). Fixes interoperability issues with some PPPoE clients.
  • Some tagged string attributes such as Tunnel-Client-Endpoint did not get encoded correctly if no tag was explicitly specified. Reported by Bob Shafer (bshafer at du.edu).
  • AuthBy SQLRADIUS did not correctly handle RewriteUsername in host definitions. Reported by "James Wiegand" (jwiegand at fiberlink.com).
  • Added USR-Terminal-Type to dictionary. Required by Roaring Penguin. Contributed by Andy Linton (asjl at lionra.net.nz).
  • AuthBy TACACSPLUS now supports an AuthType parameter, which allows you to force the Tacacs+ protocol to use PAP or ASCII authentication. Contributed by Jean-Claude Christophe (jch at oleane.net). Thanks Jean-Claude.
  • AuthBy RADIUS incorrectly added AddToReply etc to all replies, not just Access-Accept.
  • Fixed some problems with radacct.cgi reported by Andy Linton (asjl at lionra.net.nz)
  • AcceptIfMissing did not append AddToReply parameters. Reported by Jeje (jeje at jeje.org).
  • radacct.cgi, radconfig.cgi and radwho.cgi which were previously in the top level of the distribution were moved to the goodies directory so that they would be included in RPM distributions.
  • Fixed a problem in AuthGeneric where the combination of AcceptIfMissing and Auth-Type=Reject behaved incorrectly. Reported by Jaafar Bin Sarim (jrsm at staff.singnet.com.sg).
  • Added some Nomadix VSAs to dictionary. Contributed by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de).
  • If radiusd was started through ssh it crashed with an error 'Bad arg length for Socket::unpack_sockaddr_in'. Reported by Kenya Noshiro (noshiro at net.sony.co.jp).
  • Achint Saxena (ASaxena at Walkerwireless.com) reported that Util.pm needs Time::Local when running on Win32. Added.
  • EAP MD5-Challenge can now use Password as well as User-Password in user databases.
  • Added special character %I that gives the nas identifier as an integer instead of dotted decimal character string. Contributed by Jerome Fleury (jeje at jeje.org). Thanks Jerome.
  • AuthBy PAM now honours Fork. Useful for PAM modules that leak memory. Use with caution: performance impact.
  • Added new parameter AcctInsertQuery to AuthBy SQL, allowing the accounting insert query to be customised.
  • Server now detaches from the controlling terminal in daemon mode. Contributed by Jerome Fleury (jerome.fleury at fr.tiscali.com). Thanks.
  • Improvement to example linux init file in goodies/linux-radiator.init. Now prints an error message if the config file is not found. Contributed by Marc Liyanage (mliyanage at futurelab.ch). Thanks Marc.
  • All executable programs, including those in goodies, now use /usr/bin/perl instead of /usr/local/bin/perl. Suggested by Marc Liyanage (mliyanage at futurelab.ch).
  • Testing on SCO OpenServer 5.0.4. OK. Added hints to faq.html.
  • radiusd now ensures the path to PidFile exists, and creates it if necessary.
  • Improvements to RPM for compatibility with Cobalt and others. Suggested by Daniel Senie (dts at senie.com).
  • New special characters %w replaced by the user name part of the full original user name (before any RewriteUsername rules were applied). %W replaced by the realm part of the full original user name (before any RewriteUsername rules were applied).
  • Fixed a problem in AuthBy LDAP2 that could cause a crash with the message: Can't use an undefined value as a symbol reference at /usr/lib/perl5/site_perl/5.8.0/Radius/AuthLDAP2.pm line 232, <DATA> line 450. Reported by Paul Swainbank.
  • Added documentation for AuthBy RSAMOBILE to the reference manual.
  • Added documentation for common EAP and EAP-TLS configuration parameters to the reference manual.
Revision 3.1 (23/5/02 New features and fixes)
  • Added and documented UseSSL for AuthBy LDAP2.
  • Monitor clause did not permit multiple instances on different Ports.
  • Fixed a problem with DefaultSimultaneousUse that did not correctly detect users affected by RewriteUsername. Reported by "Scott Rothgaber" (scott at easley.net). Thanks Scott.
  • Added all Radiator pseudo-attributes to the dictionary for reference, and also to facilitate use by packages like RAdmin.
  • Changes to AddressAllocatorDHCP.pm and DHCP.pm to support the User Class Option (option 77) in the ISC DHCP server (www.isc.org). Additional changes to comply with RFC3011 (Subnet Selection Option) and to simplify and streamline the code.
  • radwho.pl did not separate lines with a newline when showing SQL. Reported by "Stephen Malenshek" (stephen at valuelinx.net).
  • In Nas/AscendSNMP.pm, there is alternative code for MAX6000 (TAOS 8.0.1+), suggested by Pavel A Crasotin (pavel at ctk.ru)
  • Added support for HTTP Digest Authentication per RFC 2617. QOPs of auth and unspecified are supported. Algorithms of MD5 and unspecified are supported. QOP of auth-int and algorithm of MD5-sess are not supported. Also provided patch file goodies/Apache-AuthenRadius-0.3-digest.patch which adds Digest authentication to Apache-AuthenRadius, plus goodies/RadiusPerl-0.05-0.06.patch for RadiusPerl-0.05 to fix long password problems.
  • New flag for buildsql, -f Force DB update for non defined fields. Contributed by Jorge Morgado (jorge.morgado at kpnqwest.com). Thanks Jorge.
  • ClientListSQL now lists its clients in the ServerConfig Client list, so they can be seen by Radar. Reported by "Romain Vergniol" (romain.vergniol at cegedim.fr).
  • ClientListSQL now permits a trailing column that contains a list of comma separated flag parameter names. Contributed by "Tony B" (tonyb at go-concepts.com). Thanks Tony.
  • At 3.0 ClientListSQL (correctly) complains if there is no password for a Client. The error message now says which Client has the problem.
  • AuthGeneric now emits an error If MD4 is not present but is required for an MSCHAP request. Suggested by niceman at att.net.
  • RewriteFunction was broken, resulting in messages like:
    ERR: Error in RewriteFunction(mikem): Can't use string
     ("sub {print "hello world\n"}") as a subroutine ref while
     "strict refs" in use at (eval 23) line 1
        
    Reported by "Andy De Petter" (adepette at krameria.net). Thanks Andy.
  • AuthBy NT and AuthBy TEST had typos that prevented keywords being recognised.
  • Fixed further problems with special character handling. Could get incorrect behaviour if the resulting transformation resulted in %0, %1 etc. Now single char and positional args are all converted in one operation. Reported by "Tristan Woerth" (tristan.woerth at securalis.com). Thanks Tristan.
  • Fixed problems with sending SNMP requests for NasType if the community contained whitespace or shell special characters. Reported by "Rolando Riley" (rriley at ayayai.com). Thanks Rolando.
  • LogFile, AcctLogFileName and PasswordLogFileName now support pipes. If the first character of the filename is |, then the output is sent to the pipe, else it is appended to the named file. Suggested by "Sergey Y. Afonin" (asy at kraft-s.ru). Thanks Sergey.
  • Fixed an infinite recursion problem with Trace 4 in Log SQL and Log EMERALD.
  • Fixed a problem with log dates in Log EMERALD.
  • Log EMERALD now has configurable LogQuery, defaults to: insert into RadLogs (RadLogMsgID, LogDate, Username, Data) values (%4, \'%5\', %6, %2)
  • Added example config file for working with Advanced ISP Billing.
  • Added AuthBy EMERALD4 to work with IEA Emerald 4 or later. Also an example config file in goodies/emerald4.cfg.
  • Exec-Program now logs the command and the result at DEBUG level. Suggested by "Dave Kitabjian" (dave at netcarrier.com).
  • AuthBy NT now does not crash if attempting to do group checking on Unix. Found and patched by "neil d. quiogue" (quioguen at cpcnet-hk.com). Thanks Neil.
  • Testing with Vasco VACMAN Radius middleware software. Vacman is a very interesting and easy way to add token-based authentication to an existing Radius infrastructure.
  • The value for integer Radius attributes can now be specified as hex, with a leading 0x.
  • handlerFork and safeFork now take an optional subroutine ref that will be called when the child is reaped. The PID of the reaped child will be passed to the function. This is only of interest to code customisers.
  • SqlDb::quote now automatically reconnects to the database if necessary.
  • The AddressAllocator SQL default AllocateQuery was changed, since %2 (the username) is now automatically quoted. This fixes a problem with SQL syntax errors in the event of a disconnect/reconnect. Reported by Eric Lackey (eric at isdn.net). Thanks Eric.
  • Fixed a problem with AuthLogSQL, where SQL errors could cause recursive calls to the log function. This involved changing the name of the log function in all the AuthLog modules from 'log' to 'authlog'. Reported by "Dan Melomedman" (dmelomed at devonitnet.com). Thanks Dan.
  • Added TRACE_USERNAME command to Monitor clause to support user-specific tracing in Radar.
  • Added TraceOnly flag to Monitor clause. If you set TraceOnly, connections through this Monitor are prevented from getting statistics, or getting or setting configuration data, or restarting the server.
  • AddressAllocatorDHCP incorrectly always defaulted SubnetSelectionOption to SUBNET_SELECTION. This should only happen if SubnetSelectionOption is specified as an empty string.
  • Added IgnoreAccountDisable and IgnoreAccountLockout flags to AuthBy NT. On Windows, these parameters stop AuthBy NT from taking notice of the NT account flags.
  • Added NAS-Port-Type xDSL to dictionary. Provided by Thomas.Krumm at tesion.de. Thanks Thomas.
  • Added CVX-Terminate-Cause, CVX-Reject-Reason and Level 3 VSAs to the dictionary. Contributed by briand at Level3.net. Thanks Brian.
  • Added beta support for EAP TLS. Requires Net::SSLeay 1.15 plus patches or later. Requires openssl 0.9.8 or later. See example in goodies/eap_tls.cfg. Tested with xsupplicant and Aironet wireless card on Linux.
  • Added sample utility for importing accounting data from a detail file into an SQL database. See goodies/radimportacct
  • Added sample command line utility for adding users to an SQL database. See goodies/raduseradd
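The RFC 2617 support noted above for revision 3.1 (qop=auth or unspecified, algorithm MD5 or unspecified, no auth-int and no MD5-sess) amounts to one computation on the server side: recompute the request-digest from a stored H(A1) and the fields the client presented, and compare. The following is an added illustration of that check in Python, not Radiator's code and not the RADIUS Digest attribute encoding; the sample Authorization header is the worked example from RFC 2617 itself (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life", GET /dir/index.html), and the function names are assumed for the example:

```python
import hashlib
import hmac
import re

# Constructed sample input: the RFC 2617 worked example, as a client would
# send it back in an Authorization header.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^",\s]+))')


def parse_digest_header(header: str) -> dict:
    """Split a 'Digest k="v", k=v' header into a dict of its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(params)}


def _h(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5. A server may store this instead of the
    password, but it is still a password equivalent for this realm."""
    return _h(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest for algorithm=MD5 with qop=auth, or the
    qop-less RFC 2069 form. auth-int (needs the entity body) and MD5-sess
    are refused rather than silently miscomputed."""
    ha2 = _h(f"{method}:{uri}")
    if qop is None:
        return _h(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError(f"unsupported qop {qop!r}")
    if nc is None or cnonce is None:
        raise ValueError("qop=auth requires nc and cnonce")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, header: str) -> bool:
    """Server-side check: recompute from the stored H(A1) and the client's
    fields, compare in constant time. Nonce freshness and nc replay
    checks are deliberately left to the caller; they need server state."""
    f = parse_digest_header(header)
    try:
        expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                                   f.get("qop"), f.get("nc"), f.get("cnonce"))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, f.get("response", ""))


if __name__ == "__main__":
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("valid:", verify_digest(ha1, "GET", SAMPLE_HEADER))
    print("method swapped:", verify_digest(ha1, "POST", SAMPLE_HEADER))
```

Two things this check cannot do on its own are worth remembering when the digest arrives via RADIUS attributes rather than directly from the browser: the RADIUS server only sees the fields the web server relays, so it has to trust that server for the method and URI, and the nonce and nc values must be tracked somewhere or the exchange is replayable.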
Revision 3.0 (25/3/02) Significant architectural changes, new features, Radar 1.0 compatibility
  • Significant architectural changes to support remote monitoring, introspection, remote debugging, remote tracing, local and remote stats gathering, improve performance, simplify some code, remove duplicated code etc.
  • Any clause may now have any number of private <Log xxx> clauses, which will be used to log errors and messages originating from within that clause before being logged by any global loggers. Can also use 'Log identifier' to refer to an already existing <Log xxxx> clause from within any other clause.
  • Improved and expanded statistics gathering mechanisms. Many more statistics are collected, including average response time for the server as a whole and for each Client, Realm, Handler, AuthBy and Host.
  • Added new statistics logging clauses that will log various server and 'per-clause' statistics with StatsLog FILE and StatsLog SQL. Example configuration in goodies/statslog.cfg. Example tables for StatsLog SQL in goodies/*.sql.
  • New Monitor class permits an (authenticated) TCP connection to the server allowing telnet and specialised clients to inspect, alter, and collect statistics and tracing etc.
  • Improved support for tagged tunnel attributes. Can now have things like: Tunnel-Type=1:L2F and Tunnel-Password=2:1234. Tagged attributes that don't use the n:value syntax default to a tag of 0.
  • New module AuthBy POP3 allows authentication from a POP3 server, includes APOP support. PAP only.
  • On Unix, you can now control the effective user ID and group ID that the server runs as with the new User and Group parameters.
  • New type of special formatting character %{Eval:expression} is replaced by the value of the perl expression.
  • Merged latest Livingston attributes into dictionary, and converted latest Ascend dictionary to dictionary.ascend2
  • New type for AcctColumnDef in AuthBy SQL. inet_aton formats a dotted quad IP address as an unsigned 32 bit integer. Contributed by Benoit Grange (b.grange at libertysurf.fr) and Jerome Fleury (jerome.fleury at freesbee.net). Thanks.
  • Client, Realm, Handler, and AuthBy clauses now all support a PacketTrace parameter that can turn up the trace level for packets passing 'through' that clause.
  • Added discussion of how to use "daemontools" (http://cr.yp.to/daemontools.html) with Radiator to goodies/highavail.txt. Contributed by "Mariano Absatz" (radiator at lists.com.ar).
  • Additional features in AuthSQLRADIUS.pm permit customisation of the columns returned from HostSelect, including per-host RewriteUsername. Contributed by Steve Roderick (steve at uspops.com). Thanks Steve.
  • In AuthLog SQL SuccessQuery and FailureQuery did not quote the reason string. %1 is now quoted and escaped. Caution: Existing users of AuthLogSQL will need to remove any quotes from around %1.
  • Added KarlNet VSAs to dictionary.
  • Parameter values in configuration file now permit escaped octal characters.
  • Testing with DBD::CSV. OK with octal character patch described above. Added goodies/dbd-csv.txt discussion of how to configure Radiator to use a DBD::CSV database.
  • Added documentation for Handler HandleAscendAccessEventRequest.
  • Fixed a problem with handlerResult not handling HandleAscendAccessEventRequest correctly.
  • Select::remove_file now takes extra args to indicate whether its read, write or exception callbacks to remove.
  • Performance improvements in Select::select.
  • Sample profiling code in ddprof.pm, contributed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
  • In SessSQL sub delete, $session_id and $framed_ip_address were not passed to format_special. Found and fixed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
  • radiusd in daemon mode now no longer attempts to detach from the controlling terminal: not portably supported on most platforms.
  • New global parameter ForkClosesFDs makes radiusd close file descriptors 3 to 20 inclusive in the child after a Fork. This fixes a problem with some versions of Oracle where the connection to the database would be lost after a Fork with the message ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute).
  • Error message for 'Unknown keyword ....' was incorrect. Found and fixed by Stephen Frede (Stephen.Frede at optus.com.au). Thanks Stephen.
  • Fixed CPU hog problem when proxying with AuthBy RADIUS, with Synchronous and there was a network error. Found and fixed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
  • In AddressAllocator SQL, a new Step parameter for AddressPool allows the step size between consecutive addresses to be controlled, permitting the allocation of subnets as well as host addresses. Suggested by (jesus.diaz at ono-sp.com).
  • Added long discussion about how Cisco VOIP and accounting works with examples, contributed by Simon Hackett (simon at internode.com.au) to goodies/voip.txt
  • Calling convention for the constructor for a number of classes changed to come into line with all other constructors. Affects Log::addModule, ClientListSQL, Client, Handler, LogGeneric, Realm etc. AuthBy* is unaffected.
  • Removed many redundant 'new' constructors.
  • Rationalised many 'sub object' config handlers. Uniform argument standards, streamlined code etc.
  • Simplified and streamlined package initialisation in all packages for load-time performance improvement.
  • All loggers can now receive logs of packet dumps, independent of the the global logging level.
  • As previously indicated, UseHint as an alias for UseAddressHint and Dynamic as an alias for DynamicReply in AuthGeneric are no longer supported.
  • Most classes now have all their configurable keywords defined in a ConfigKeywords hash. You can still override sub keyword if you need specialised keyword handling. Simplifies and speeds up object initialisation. Legacy classes that still use the sub keyword interface are unaffected.
  • Fixed a problem with the NoBindBeforeOp parameter. Test was round the wrong way. Found by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • In AuthBy ADSI, GroupBindString and GroupUserBindString did not have access to special characters from the current packet.
  • AcceptIfMissing is now a generic AuthBy parameter, available in most AuthBy clauses.
  • Added documentation for IgnoreErrors in AuthBy PORTLIMITCHECK.
  • In AuthBy DYNADDRESS, the parameter Allocator has been renamed AddressAllocator for consistency. Allocator is still supported, but support will be removed in the future.
  • When searching for a Handler to use, Realms are now not re-considered. Realms are only considered once. Previously they were re-considered when the Handlers were considered. This makes it easier and faster to mix Realms and Handlers. No changes should be required to configuration files.
  • Rationalised away many sub object and sub keyword functions, removing much duplicated and similar code.
  • Configurable now automatically tries to load an object for any subclause found in a clause: you can now invent and create your own clause types and packages without changing a single line of standard code.
  • The current reply packet is now always available as $p->{rp}.
  • All internal APIs changed so that $rp is not passed as an argument. External APIs such as handle_request are unchanged.
  • format_special now does not need $rp passed to it: its deduced from $p->{rp}.
  • Significant performance improvements in format_special for special character formatting.
  • CAUTION: APIs for Handler::handlerResult and Client::replyTo changed.
  • DefineGlobalVar and DefineFormattedGlobalVar can now have embedded spaces. Contributed by r.c.w.besseling at kpn.com. Thanks Ruud.
  • Fixed a problem when proxying requests that already contain an Acct-Delay-Time: the delay time in the proxied request now takes into account the delay time in the originally received request. Found and fixed by Nuno Nunes (nfn at isp.novis.pt). Thanks Nuno.
  • Fixed a problem with 0 source mask and dest mask in Ascend binary filters. Found and fixed by Inglesant Philip (Philip.Inglesant at netscalibur.co.uk). Thanks Philip.
  • Workaround for broken Breezecom VSAs, where the VSA length is incorrectly set by Breezecom to 2, irrespective of the actual length. Also added some generic names for Breezecom VSAs to dictionary.
  • AuthBy RADMIN now has configurable queries IncrementBadloginsQuery and ClearBadloginsQuery.
  • Fixed some problems with secure mode in radacct.cgi, reported by various people.
  • If SocketQueueLength was set, the socket length was set for both auth and accounting sockets, even if only one was created. Reported by hill at world.evansville.net. Thanks Jamie.
  • Added Colubris-AVPAIR VSA to dictionary. Sent by "Tito Macapinlac" (titom at aebc.com). Thanks Tito.
  • radpwtst now takes an optional trace level to the -trace flag. If you just use -trace, you get effectively trace level 4. -trace 5 gets hex packet dumps of incoming and outgoing packets.
  • Can now have DefaultReply, FramedGroup, StripFromReply, AllowInReply, AddToReply, AddToReplyIfNotExist and DynamicReply parameters for Client, Realm and Handler, as well as AuthBy. Also optionally supported by ClientListSQL.
  • AuthLog FILE now creates the path to the log file if necessary.
  • RPM package now includes all dictionaries in the doc area.
  • Improved error reporting in SNMP module.
  • NAS support has been separated out into a module per NAS type, in Radius/Nas/*.pm. This makes it easier to add support for new NAS types and to submit new NAS type modules for distribution.
  • get_port moved from Radius to Util for consistency.
  • AuthBy GROUP now honours DefaultSimultaneousUse.
  • AuthBy LDAP2 now supports Version and Deref parameters. Suggested by Eli Tovbeyn (eli at xpert.com). Thanks Eli.
  • Changes to Radiator.spec so that RPM files will be compatible with SuSE Linux and similar. Suggested by Alfredo Sola (alfredo at intelideas.com) Thanks Alfredo.
  • Changed the order of replacement of special characters in format_special. Previously, %0, %1 etc were replaced first, but this would cause problems if any of the replaced values had % special chars in them. %0, %1 etc are now done after the special chars, but before GlobalVar etc. Reported by David Miller (dmiller at newportnet.com). Thanks David.
  • Fixed a bug in AuthBy RODOPI that prevented AcctSQLStatement being changed.
  • AuthBy RADMIN now permits a validfrom time of 0 to mean the beginning of time, and a validto time of 0 to mean the end of time.
  • In AuthBy DYNADDRESS, if the PoolHint resolves to an empty string, no address will be allocated. This way you can let the NAS allocate addresses for some users.
  • AuthBy RODOPI now quotes usernames, protecting it from problems where a username is the same as an SQL keyword. Reported by "Hector Lopez" (hlopez at caribe.net)
  • In AuthBy NISPLUS, the Query now has the username being authenticated available as %0. %n will be phased out in a future revision.
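The format_special ordering change above, the 3.1 note that single-character and positional arguments are now converted in one operation, and the 3.3 withdrawal of %Eval all touch the same hazard: a value substituted into a query template must not be re-scanned for the template's own escapes, or a client-supplied attribute such as User-Name becomes a directive, and an escape that evaluates expressions turns that into code execution. As an added illustration, not Radiator's format_special code, here is a multi-pass expander beside a single-pass one in Python; the template, the attribute names and the %n/%N mapping are assumed for the example:

```python
import re

# Which single-character specials map to which attribute; assumed for the
# example (the real table in a RADIUS server is much larger).
SPECIALS = {"n": "User-Name", "N": "NAS-IP-Address"}

# Constructed sample input: the username is chosen by the client and
# happens to contain one of the template's own escape sequences.
TEMPLATE = "select pass from subscribers where user='%0' and nas='%N'"
PACKET = {"User-Name": "%N", "NAS-IP-Address": "10.0.0.1"}


def expand_multipass(template, packet, positional):
    """One pass per kind of escape: %0, %1 ... first, then the single
    character specials, each over the already partially expanded string.
    Whatever a substituted value contains is seen by every later pass."""
    out = template
    for i, value in enumerate(positional):
        out = out.replace("%%%d" % i, value)
    for ch, attr in SPECIALS.items():
        out = out.replace("%" + ch, packet.get(attr, ""))
    return out


_TOKEN = re.compile(r"%(\d|[A-Za-z]|%)")


def expand_onepass(template, packet, positional):
    """A single scan of the original template. Each token is resolved once
    and its value is copied in verbatim, so nothing that came from a
    substitution is ever read again as an escape."""
    def resolve(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok.isdigit():
            i = int(tok)
            return positional[i] if i < len(positional) else ""
        return packet.get(SPECIALS.get(tok, ""), "")
    return _TOKEN.sub(resolve, template)


def demo():
    """Expand the constructed template both ways; %0 is the username."""
    args = [PACKET["User-Name"]]
    return (expand_multipass(TEMPLATE, PACKET, args),
            expand_onepass(TEMPLATE, PACKET, args))


if __name__ == "__main__":
    bad, good = demo()
    print("multi-pass:", bad)   # the username has become the NAS address
    print("one-pass:  ", good)  # the username stays the literal string %N
```

Single-pass expansion closes the re-interpretation hole only; the substituted username still has to be quoted or passed as a bind variable before the statement reaches the database, which is the separate problem the AddressAllocator SQL note about %2 being automatically quoted deals with.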
Revision 2.19 (27/10/01) RSA SecurID certification, SQL->Radius proxying
  • Received RSA SecurID Certification, based on 2.19alpha.
  • New AuthBy SQLRADIUS provides proxying based on an SQL table. Looks up the target radius server from an SQL table that can depend on Realm, Called-Station-Id etc. Complicated indirect target mapping is also supported. Useful for managing large numbers of remote servers, such as in a wholesale ISP. Example tables in goodies/*.sql, plus example config file in goodies/sqlradius.cfg. Obsoletes goodies/AuthSQLRadius.pm.
  • New AuthBy INTERNAL allows you to handle different types of requests in fixed, parameterised ways.
  • Ships with a beta version of command line utility radwho.pl
  • New version of PPM package for Authen-ACE4 works on NT and Win 2000 with AceAgent 4.4.
  • Detailed install and test instructions for AuthBy ACE in goodies/ace.txt
  • Added MainLoopHook which is called once per second during the main dispatch loop.
  • New NASType of Portmaster3 uses SNMP. Contributed by "Griff Hamlin, III" (griff3 at quik.com). Thanks Griff.
  • Fixed a problem with timers persisting through a HUP or reset. Identified by "Mariano Absatz" (radiator at lists.com.ar).
  • Improvements to Linux startup script so it can be used with chkconfig on RH7.1. Contributed by Levent Sarikaya (levents at de.colt.net).
  • Added -interactive flag to radpwtst, allowing easy testing with authentication methods like AuthBy ACE that use multiple Access-Challenge and State attributes to manage an authentication conversation.
  • Test Oracle radius authentication: Oracle 8 can authenticate Oracle users through Radius. Note: Oracle always upper-cases user names. See the Radiator FAQ for more details.
  • goodies/sybaseCreate.sql did not drop RADLOG.
  • In SessionDatabase SQL, empty DeleteQuery is now handled properly.
  • Fixed a problem with AuthBy EMERALD, where user and service radius attributes were not properly extracted from the database.
  • Fixed a problem with EAP that prevented correct operation with Windows XP. Found and fixed by Travis Hume (travis.hume at tenzing.com). Thanks Travis.
  • Added ShutdownHook which is run just before exiting after a SIGTERM. Suggested by Robert Thomson (sirrmt at dingoblue.net.au).
  • Testing with BillMax 1.5.4 on RedHat 7.1. Added example goodies/billmax.cfg and goodies/billmax.txt.
  • Fixed problems with EAP code that caused requests with Message-Signature and no EAP-Message to not be handled properly.
  • In Handler.pm, removed an unnecessary call to time, use $p->{RecvTime} instead.
  • In AuthBy EMERALD, all SQL queries are now configurable.
  • Reply item MS-CHAP-MPPE-Keys was previously assumed to contain an encoded and encrypted session key. Now, if the length is not exactly 24 octets, Radiator will generate, encode and encrypt 2 session keys based on the given value. Tested with the patient assistance of "Andre D. Henry" (andre at go-net.com). Requires Digest::MD4.
  • Added AutoMPPEKeys parameter to AuthBy, so that if you are doing MS-CHAP authentication with plaintext passwords, and your NAS requires MS-CHAP-MPPE-Keys in the reply, then setting this parameter will force Radiator to automatically reply with MS-CHAP-MPPE-Keys set from the plaintext password.
  • AuthBy RADMIN now understands and honours EncryptedPassword parameter, so it can be used with Radmin Unix encryption.
  • Added StripFromRequest and AddToRequest parameters to Handler and Realm.
  • Added new SQL AcctColumnDef type 'literal' that lets you build columns literally. No quotes are applied.
  • AuthBy NT now honours the Fork parameter, which can be useful on Windows, where checking bad passwords is deliberately slowed down by Microsoft. Contributed by Robert Thomson (sirrmt at dingoblue.net.au). Thanks Robert.
  • AuthRADIUS.pm now has virtual function noreply() that is called if there is no reply from any target hosts. Default behaviour is to call the NoReplyHook if there is one.
  • Added new global parameter DefineFormattedGlobalVar like DefineGlobalVar but which honours special formatting characters. DefineGlobalVar is now deprecated, and will be removed one day.
  • In AuthBy SYSTEM, numeric Group check items are now permitted as well as symbolic group names.
  • AuthBy LDAPSDK, LDAP and LDAP2, in PostSearchHook the reply packet is now passed as $_[5].
  • Added VALUE definitions for MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types values to dictionary.
  • In AuthBy SQL, improved recovery after a failed AcctSQLStatement.
  • Added Tunnel-Client-Auth-ID and Tunnel-Server-Auth-ID and IETF-Token-Immediate to dictionary.
  • Added AddToRequestIfNotExist parameter to Handlers and Realms.
  • AuthBy RADIUS now also honours AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly.
  • Added new pseudo reply item Exec-Program which runs an external program only if the user successfully authenticates. Similar to Exec-Program in Cistron. Suggested by "Klaas Koopman" (klaas at isd-holland.nl).
  • Improved text of error message for unknown standard attributes.
  • Improved duplicate detection in the case (such as Lucent TNT) where the Nas-IP-Address is not necessarily constant. Patch contributed by b.grange at libertysurf.fr.
  • hostname.pl utility renamed to radhostname.pl, due to naming conflict with standard hostname.pl library file detected during make install.
  • dictionary.redback had DOS CRLF characters in it. Removed.
  • Improved detection of NAS reboots, and correctly add the session even if it is session ID 00000000.
  • Improvements to test.pl allow selection of individual test sets with the -tests flag.
  • More liberal prerequisite for Digest::MD5. Version 2.02 tested OK.
Revision 2.18.4 (9/9/01) Fix one significant problem, new features.
  • Fixed yet another problem with SessSQL DeleteQuery, caused username to be used instead of NAS id. This significant problem has prompted an earlier release than usual.
  • All code now uses Digest::MD5 instead of MD5, and works with all versions of Digest-MD5. Caution: old installations may require Digest::MD5 to be installed.
  • Added goodies/pam-kerberos.cfg showing how to auth from Kerberos via PAM on Unix.
  • New Context class provides temp keyed storage with automatic timer based destruction. Useful for holding context between related requests that are not guaranteed to arrive.
  • Added new ppm directory to distribution containing pre-built Windows PPM packages for hard-to-build perl modules, such as Authen-ACE4 (required by AuthBy ACE).
  • Added cisco-VPNPassword and cisco-VPNGroupInfo to dictionary.
  • Fixed a problem with RDict::attrByNum returning a ref instead of an array if the attribute is undefined.
  • Fixed a problem in Mib.pm that caused some SNMP clients to think they got no reply from an SNMP set operation. Reported by "Mariano Absatz" (radiator at lists.com.ar).
  • Added -c argument to radiusd, exits after reading and parsing the config file. Suggested by "Todd Dokey" (tdokey at inreach.com). Thanks Todd.
  • Added documentation to goodies/ace.cfg about how to install Authen-ACE4 binary PPM package for Windows.
  • Added Alteon VSAs to dictionary, contributed by Colin D. Easton.
Revision 2.18.3 (30/8/01) Significant new features, some bug fixes
  • Added EAP support for OTP and MD5-Challenge, works with AuthBy OPIE and any authentication database with plaintext passwords (eg AuthBy FILE, AuthBy SQL, etc). Extensible mechanism in EAP.pm permits new EAP protocols to be added.
  • Added support for improvements in RAdmin 1.5, including Service Profiles and arbitrary per-user and per-service RADIUS check and reply items. Caution: the default AuthSelect has changed.
  • Added beta version of AuthBy ACE, permitting authentication direct to a SecureID ACE server, instead of proxying. Certification by RSA is still pending. Example goodies/ace.cfg is included. Requires Authen-ACE4 perl module from Open System Consultants.
  • Default behaviour of Log SYSLOG and AuthLog SYSLOG changed to log via unix sockets by default. This works correctly with more syslog daemons. New parameter LogSock permits this to be changed.
  • Added new command line argument -rawfile to radpwtst.
  • SessionDatabase SQL DeleteQuery now has the column values of the record to delete passed as %0 to %4.
  • Improvements to RPM packaging suggested by Gustav Foseid (gustavf at initio.no)
  • Added AuthSQLStatement, similar to AcctSQLStatement: any number of SQL statements that will run before authentication. Patch provided by (talist at vif.com). Thanks!
  • Performance improvements in tunnel password and mppe key encryption and decryption.
  • All port parameters (eg AuthPort, AcctPort, Port, OutPort etc) may contain special formatting characters. A typical use of special formatting characters is with GlobalVar and command line arguments.
  • Fixes to AuthBy EMERALD so that if HonourDNISGroups is defined but there is no DNIS in the request, or if HonourServerPortAccess is defined, but there is no Nas-Port in the request, the constraints are not applied.
  • Improvement to AuthBy LDAP2 so that illegal characters in a user name won't cause disconnection from the LDAP server. Identified and patched by Carlos Canau (canau at keka.KPNQwest.pt).
  • Added support for group check items to AuthBy PAM, for PAM modules that support the notion of a group (such as pam_teleid).
  • Loading database export files now works regardless of whether the export file was generated on Unix or Windows.
  • Logging of 'Handling with $type' now includes the Identifier of the AuthBy module.
  • Added example code to goodies/asplog.txt: How to display Radiator SQL accounting logs with an ASP/VB script. Contributed by "Michael Audet" (audet at vectorcore.com) Thanks Michael!
  • Fixed problem with AuthBy RODOPI that was broken by 2.18.1.
  • Added support for Rcrypt reversibly encrypted passwords. Now your user database can contain passwords that are reversibly encrypted with a secret key. Radius::Rcrypt module provides encrypt and decrypt routines that can be used by any other code. Forthcoming version of RAdmin will also support Rcrypt encryption.
  • Structural improvements to AuthGeneric, which allows some modules that previously implemented their own handle_request to piggy-back off AuthGeneric, saving lots of replicated code
  • Added CheckGroupServer and CheckGroup to AuthBy ADSI and AuthBy NT, so that you can set a Class in the reply that depends on which NT group the user is in.
  • Primary key violation in MySQL and unique constraint violation in Oracle now does not cause disconnection.
  • Added example configuration file prepaid.cfg showing how to implement a simple prepaid card system with an SQL database.
  • AuthLDAP* now handles multiple LDAP attributes for check, reply and request AuthAttrDef. Multiple LDAP attributes will be added as multiple instances of the same Radius attribute. Contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
  • In AuthBy LDAP, HoldServerConnection worked in reverse to the correct behaviour.
  • Added Global and per-Handler UsernameCharset allowing you to easily specify what characters are permitted in a user name.
  • In AuthBy RADIUS, Host names for remote servers can now contain special formatting characters.
  • Added Acct-Input-Gigawords and Acct-Output-Gigawords to dictionary. Reported by Bruno Tiago Rodrigues (bofh at netc.pt).
  • Improvements to sample Linux startup script. Now sources /etc/sysconfig/radiator if present, so you can put config file name and arguments there for preference. Suggested by Ted kandell (tedk at encotone.com). Thanks Ted.
  • Added AuthLog SYSLOG, contributed by Carlos Canau (Carlos.Canau at KPNQwest.pt). Thanks Carlos!
  • Added example hook to goodies/hooks.txt to extract special Cisco format NAS-Port information.
  • Added Vendor-specific attribute Command-Code for Enterasys, contributed by "Separovic, Jason" (jseparov at uecomm.com.au). Thanks Jason.
  • Fixed a problem where AuthBy UNIX or AuthBy FILE could fail to refresh a file if it could temporarily be stat'd but not read.
  • Fixed a problem with Ascend binary filter attributes and UUnet: UUnet would only let 24 byte filters through, and not the newer format 26 bytes (and larger) filters.
  • All file appends are now done by Util::append, which will facilitate threading or piping of logging in the future.
  • Fixed a problem in ExcludeRegexFromPasswordLog.
  • Fixed Radius::unpack so that Vendor Specific Attributes that contain multiple sub-attributes are unpacked correctly. Patch supplied by Roland Rosenfeld (rrosenfeld at netcologne.de). Thanks Roland!
  • In radpwtst, Called-Station-Id and Calling-Station-Id are not sent if -called_station_id or -calling_station_id are set to empty strings.
  • Fixed cosmetics in AddressAllocatorSQL ReclaimQuery, making 'state' uppercase. Suggested by Carlos Canau (canau at keka.KPNQwest.pt).
  • Date formats recognised by Expiration and ValidFrom now include simple integer Unix epoch dates. Documented all the valid date formats.
  • Added new pseudo check item ValidFrom that can specify the start of a valid time range.
  • AddressAllocatorSQL FindQuery now supports special formatting characters including those from the current packet.
  • RPM files are now 'noarch' instead of i386.
  • Improvements to AuthBy LDAP2, contributed by Valentin Tumarkin (tv at xpert.com). NoBindBeforeOp prevents binding before every search operation. Added timeout on 'LDAP BIND' operation in 'sub bind'. Fixes to properly close open LDAP connections after timeouts. Slightly more verbose error messages. Works with perl-ldap-0.24. Thanks Valentin!
  • Timeouts have been generalised and moved to Util::exec_timeout. LDAP, SQL and Finger now use it.
Revision 2.18.2 (10/6/01) Minor fixes, EAP proxy support
  • Added support for proxying of EAP packets. Requests containing EAP-Message and Message-Authenticator are correctly handled and Message-Authenticator is correctly recomputed with the Radius secret for the next hop.
  • More testing with Freeside 1.3.0. OK.
  • In AuthBy RADMIN, LogQuery now will not be run if it is defined as the empty string. The old string interpolation has been removed, so Perl variables will no longer be interpolated into LogQuery.
  • Fixed a problem with DHCP address allocation where multiple DNS server addresses would cause a crash.
  • Configuration file flags now recognise '0' and 'no' to turn flags off. Anything else (including empty string) turns a flag on.
  • Changes to default logger configuration so that LogFile and Trace in the configuration file have immediate effect on the logger.
  • Added Extreme VSAs to dictionary.
  • BaseDN in LDAP2 can now have special characters, which can be used to improve performance of LDAP searches (see the reference manual for more information about how). Contributed by Neale Banks (neale at lowendale.com.au).
  • goodies/ad-ldap.cfg was accidentally left out of the distribution. Added.
  • radpwtst now supports hex escapes etc in attr-value arguments, eg: radpwtst -noacct "EAP-Message=\x11\x12\x13\x14"
  • Added -raw flag to radpwtst to allow the raw packet data to be passed as space separated hex: ./radpwtst -noacct -noauth -raw "01 02 03 04 05 06"
  • radpwtst now searches for a dictionary, starting with ./dictionary and /usr/local/etc/raddb/dictionary
  • Added rpm build spec in Radiator.spec.
  • AuthBy SYSTEM with UseGetspnamf had problems with expiry dates of -1 on some systems.
  • Provide RPM packages.
  • Fix a problem with identifiers in AuthBy RADIUS where 2 AuthBy RADIUS proxying to the same host/port could get occasional identifier collisions.
  • Removed interpolation of Perl variables in SearchFilter in AuthBy LDAP*, as promised previously.
  • Added support for MS CHAP V2, and the MS-CHAP2-Success reply attribute as per draft-ietf-pppext-mschap-v2-00.txt and RFC 2548.
  • In AddressAllocatorSQL, can now specify address ranges in CIDR form, eg 192.1.1.0/24
  • Fixed a problem with AddressAllocatorSQL where recovery of a failed SQL database could cause SQL syntax errors.
  • Improvements to AuthBy PAM to allow service-specific error messages to be logged, and different password prompts to be recognised.
  • Testing with Encotone TeleID and AuthBy PAM. This is a very interesting Token based authentication system. Works fine. See sample teleid.cfg and PAM service definition file in goodies.
  • Added GroupList check item, which succeeds if the user is in any of the list of space separated group names.
  • Added OSC attributes to dictionary for Uid, Gid etc, also added UsePamEnv to AuthBy PAM. Now you can turn PAM env variables into Radius reply attributes and therefore do remote PAM login authentication via Radius.
  • Disabled Perl variable interpolation in AuthLog SQL.
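The EAP proxying change in Revision 2.18.2 above (verify the incoming Message-Authenticator, then recompute it with the next hop's shared secret) is shown here as an added example; it is not Radiator's own code. It assumes the RFC 3579 construction (HMAC-MD5 over the packet with the Message-Authenticator value zeroed) and constructs its own sample packet and secrets.

```python
"""Verify and recompute the RADIUS Message-Authenticator (attribute 80)
while proxying an EAP Access-Request. Constructed example, not Radiator code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def encode_attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return bytes((attr_type, len(value) + 2)) + value


def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet from a list of (type, value) tuples."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH16s", code, identifier,
                         HEADER_LEN + len(body), authenticator)
    return header + body


def parse_attrs(packet):
    """Return the attribute list, rejecting malformed lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def _ma_offset(packet):
    """Byte offset of the Message-Authenticator attribute, or ValueError."""
    pos = HEADER_LEN
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            return pos
        pos += 2 + len(value)
    raise ValueError("EAP request carries no Message-Authenticator")


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 keyed with the shared secret over the packet with the
    Message-Authenticator value replaced by 16 zero octets."""
    pos = _ma_offset(packet)
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """Constant-time comparison of the carried value with the expected one."""
    pos = _ma_offset(packet)
    expected = compute_message_authenticator(packet, secret)
    return hmac.compare_digest(packet[pos + 2:pos + 18], expected)


def sign_access_request(identifier, authenticator, attrs, secret):
    """Build an Access-Request and fill in a valid Message-Authenticator."""
    placeholder = (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = build_packet(ACCESS_REQUEST, identifier, authenticator,
                          attrs + [placeholder])
    pos = _ma_offset(packet)
    mac = compute_message_authenticator(packet, secret)
    return packet[:pos + 2] + mac + packet[pos + 18:]


def proxy_to_next_hop(packet, inbound_secret, outbound_secret,
                      new_identifier, new_authenticator=None):
    """Drop requests whose Message-Authenticator fails under the NAS secret;
    otherwise re-sign the same attributes with the next hop's secret."""
    if not verify_message_authenticator(packet, inbound_secret):
        raise ValueError("Message-Authenticator check failed; dropping request")
    if new_authenticator is None:
        new_authenticator = os.urandom(16)  # fresh Request Authenticator
    attrs = [(t, v) for t, v in parse_attrs(packet)
             if t != ATTR_MESSAGE_AUTHENTICATOR]
    return sign_access_request(new_identifier, new_authenticator,
                               attrs, outbound_secret)


if __name__ == "__main__":
    # Constructed sample: EAP Identity response for "alice" from the NAS.
    nas_secret, upstream_secret = b"nas-secret", b"upstream-secret"
    eap_identity = b"\x02\x01\x00\x0a\x01alice"  # EAP Response/Identity
    req = sign_access_request(7, os.urandom(16),
                              [(ATTR_USER_NAME, b"alice@example.com"),
                               (ATTR_EAP_MESSAGE, eap_identity)], nas_secret)
    fwd = proxy_to_next_hop(req, nas_secret, upstream_secret, 42)
    print("inbound ok:", verify_message_authenticator(req, nas_secret))
    print("forwarded ok:", verify_message_authenticator(fwd, upstream_secret))
```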
Revision 2.18.1 (26/4/01) Bug fixes, some new features
  • In AuthBy PORTLIMITCHECK, the type of the SessionLimit parameter was incorrectly set to integer instead of string, preventing special formatting characters being used. Reported by Valentin Tumarkin (tv at xpert.com).
  • Added AcctFailedLogFileName and AcctLogFileFormat parameters to AuthBy RADIUS and subclasses, which work in the same way as for AuthBy SQL.
  • Testing with Hawk-i ISP Billing and customer management system. Required slight changes to AuthSQL.pm, because MS-SQL and ODBC can return strings of NULs for nullable nvarchar columns. Empty strings and all-NULL strings are now ignored by AuthColumnDef. Sample config file in hawki.cfg.
  • Fixed typos in ServerConfig.pm and Nas.pm that broke Livingston SNMP sim-use checking.
  • Added IgnoreAccountingResponse and OutPort parameters to AuthBy RADIUS. Contributed by "Arjan Waardenburg" (arjanw at gv-nmc.unisource.nl). Thanks Arjan. OutPort allows you to control the origin port number for forwarding packets, which can be helpful for implementing strict firewall rules.
  • Fixed a problem with Handlers where a MaxSessions denial would still permit AuthBys to run and perhaps 2 replies to be returned. Reported by Frederic Gargula (frederic.gargula at easynet.fr).
  • Added PostSearchHook to AuthBy LDAP, LDAP2 and LDAPSDK, which allows you to do things with the LDAP search results after the AuthBy has finished with them.
  • Fixed a problem with logging that would cause the default file logger to stop working after a SIGHUP.
  • Fixed a problem where a Synchronous AuthBy RADIUS that was chained after another AuthBy RADIUS would not actually wait for the reply.
  • Added CacheReplyHook which runs when a cached reply is about to be sent back to the NAS. Useful for removing previously allocated IP addresses from the cached reply.
  • Fixed a problem with Session-Timeout 'until Time' where you could get a negative Session-Timeout in the one minute following the end of a permitted time interval.
  • Fixed some problems that prevented Log SYSLOG actually doing any logging.
  • Altered AuthBy NT so that on Windows it checks passwords without changing them. It now uses Win32::AuthenticateUser and also has much better performance. Built and tested with the kind assistance of Kent, Ashley (akent at ue.com.au). Thanks Ash.
  • Added support for Redback 64 bit integers with new dictionary data type of integer8. Used for RB-Acct-Input-Octets-64, RB-Acct-Output-Octets-64, RB-Acct-Input-Packets-64 and RB-Acct-Output-Packets-64 in dictionary.redback. Such values are decoded in hex format only, with a leading 0x. Values can be encoded as hex (with leading 0x) or decimal.
  • Added support for new AuthBy parameter AllowInReply, which lists the attributes that are permitted in the reply. Useful for applying strict limits to attributes in replies from proxy servers.
  • Finished code and documentation for NasType of Hiper for Hiper Arcs, using algorithms contributed by jesus.diaz at telia-iberia.com.
  • Fixed a typo in goodies/emerald.cfg.
  • Added new parameters to AuthBy EMERALD to optionally enable Emerald Servers, Server Port Access, DNIS Groups Roam Servers and Roam Domains. Works with Emerald 2.5 and RadiusNT 2.5 and 3. New version of goodies/emerald.cfg shows how to use them.
  • All findUser functions now get the reply packet passed which means that you can use the %{Reply:xxx} macros in more places than before.
  • Extensive patches to SNMPAgent contributed by Charly Gaissmaier add ROCommunity, RWCommunity and Managers parameters for more selective access control. Thanks Charly!
  • Testing SNMP Agent with SNMP_Session-0.83. OK. Functions receive_request and decode_request that have been subsumed into SNMP_Session have now been removed which means SNMP Agent now requires at least SNMP_Session-0.68.
  • Added AuthBy OPIE for one-time password authentication via OPIE (one time passwords in everything) from Craig Metz, www.inner.net/opie
  • Fixed a problem in AuthBy ADSI where new AD users with a default logon times setup would not be able to login and get the message Outside allowed login hours.
  • Removed a forgotten print statement from AddressAllocator SQL that would cause a message like "deallocate 203.10.203.193" for each deallocation.
  • Fixed a typo in Log SQL that caused an SQL syntax error.
  • Added the reason string as the fourth argument to PostAuthHook. Contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
  • Added PostProcessingHook to Handler, contributed by Robert Kiessling (Robert.Kiessling at de.easynet.net). Thanks Robert.
  • Added a number of experimental attributes from RFC 2869 to dictionary.
  • Implemented timeout around the search in AuthBy LDAP2 to work around broken LDAP servers that just hang in the search.
  • More testing with Active Directory. Updates to AuthBy ADSI so it will work under a wider variety of conditions, allowing distinct control over how to authenticate and where to get account details from, also added more docs and examples on using with Windows 2000 AD server. Also new example goodies/ad-ldap.cfg shows how to access AD via LDAP from Unix or Windows.
  • Fixed a problem where AccountingHandled had no effect if the result was a REJECT.
  • Found a problem with SNMPAgent where a BindAddress had no effect. There is a bug in SNMP_Session 0.83 that prevents the fix being deployed.
  • Added new check item MS-Login-Hours, which is exactly compatible with the LoginHours user attribute in Microsoft Active Directory, and can therefore be used when accessing Active Directory via LDAP.
  • New special character %r for literal newlines.
  • Fixed a problem with RejectEmptyPassword where a CHAP login could incorrectly trigger rejection. Reported by "Andy De Petter" (adepette at krameria.net).
  • Reinstated NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS, as the old behaviour was not exactly equivalent to IgnoreAuthentication and IgnoreAccounting.
  • Minor improvements to error reporting in AuthBy NT.
Revision 2.18 (9/3/01)
  • Added a full suite of Radius load balancing modules that allow you to distribute your Radius load over multiple servers. Round Robin, Volume balancing and Load balancing are supported, along with variable backoffs when remote servers fail to answer.
  • Added DHCP address allocation via new module AddressAllocatorDHCP.pm.
  • Added support for Nortel/Aptis CVX 4-byte attributes (the ones between 0x84000000 and 0x85ffffff). These are non-standard undocumented VSAs of a special format only used by Nortel. Also added new dictionary data type 'boolean' as some CVX attributes require only single byte values. Thanks to the assistance of Lisa Goulet (Lisa.Goulet at versatel.nl), Dave Salaman (dsalaman at salaman.org) and others.
  • Added LogFormat to Log FILE, allowing customised log file format. Suggested by Paul Oshea (paulo at uma.genie.syncordia.net).
  • Added LogMicroseconds to Log FILE, which makes it log microseconds (requires the Perl Time::Hires module from CPAN or ActiveState).
  • Fixed a problem with Time check item spanning midnight when used with Session-Timeout="until Time". Reported by Deepak Shrestha (deepak at mos.com.np).
  • Added called and calling station IDs to radpwtst (and the GUI). Contributed by Bruno Tiago Rodrigues (RODRIGUEBT at telecel.pt). Thanks Bruno.
  • Added attributes for Unisphere and Nortel (Aptis) CVX VSA to dictionary. Contributed by Ralf Weber (rw at de.colt.net).
  • Added support for NasType of Cyclades. Contributed by Dave Close (dclose at quik.com). Thanks Dave.
  • Modifications to AddressAllocatorSQL so that address allocation is more robust when multiple servers allocate from the same table.
  • Fixes to AuthBy RADIUS so it uses the new AuthLog features to log details of proxied requests. Identified by Carlos Canau (canau at ionia at EUnet.org) and Dave Lloyd (david at freemm.org). Thanks.
  • Added a number of new Livingston attributes to dictionary. Contributed by Keith Olmstead (kolmstea at centurytel.net). Thanks Keith.
  • Added ServerHasBrokenAddresses parameter to AuthBy RADIUS.
  • Added Nortel CVX 1800 VSAs to dictionary.
  • Added the retransmission address to the "No reply after..." message in AuthBy RADIUS. Contributed by Kaj J. Niemi (kajtzu at kpnqwest.fi). Thanks Kaj.
  • Fixed a typo in AuthBy LDAPSDK that caused a crash. Reported by "Russell Wilton" (wilton at uleth.ca). Thanks Russell.
  • Fixed a problem with initialisation that caused -db_dir command line argument (and others) to be handled inconsistently.
  • Acct-Link-Count changed from string to integer in some dictionaries to be consistent with others and the correct value. Reported by Steinar Haug, Nethelp consulting (sthaug at nethelp.no). Thanks Steinar.
  • Added attributes for Altiga to dictionary.
  • Added IgnoreReplySignature parameter to AuthBy RADIUS to permit operation with remote servers that implement incorrect signature algorithms.
  • Fixed some problems with the standard internal session database that could cause incorrect simultaneous use limits when there are lost stop records. Found and fixed with the welcome assistance of Dave Close (dclose at quik.com)
  • Added Ravlin RedCreek VSA attributes to dictionary.
  • Added IgnoreErrors parameter to AuthBy PORTLIMITCHECK at the suggestion of Steve Roderick (steve at uspops.com).
  • In SessionDatabase SQL, can now set AddQuery, DeleteQuery, ClearNasQuery and CountQuery to be empty strings to prevent the query being executed. Implemented with the assistance of Paul Oshea (paulo at uma.genie.syncordia.net).
  • Added FindQuery, AllocateQuery, CheckPoolQuery, AddAddressQuery, DeallocateQuery, ReclaimQuery to AddressAllocator SQL to permit customisation of the SQL queries that module uses.
  • Added new special character %s, replaced by microseconds in the current second (requires the Perl Time::Hires module from CPAN or ActiveState).
  • Changed AuthSelect in SQL so that %0 is now replaced by the quoted escaped user name. Some time in the future, the special handling that makes %n temporarily quoted and escaped will be removed. We recommend converting any custom AuthSelect you may have, and replacing '%n' (including the quotes) with %0 (no quotes).
  • Added platradacct.cgi to goodies, a version of radacct.cgi that works with Platypus Calls table. Contributed by "Leigh Spiegel" (leigh at winshop.com.au). Thanks Leigh.
  • Added VSAs for Foundry and Unisphere to dictionary.
  • If RejectHasReason is set, only one Reply-Message is set in the reply. Previously, 2 would be set. Suggested by Pavel A Crasotin (pavel at ctk.ru).
  • Added index on POOL to all RADPOOL creation scripts in goodies to improve address allocate performance.
  • Made AuthSelect and AcctSQLStatement configurable for AuthBy RODOPI.
  • Permitted bind variables to be passed to SQL prepareAndExecute and do functions. This might be useful for custom SQL code that requires high performance.
  • Rationalised sub keyword in all modules, so that permitted keywords are looked up in a table. Saves lots of if/else code and will permit stronger type checking in future.
  • Fixed a problem with AuthBy RADIUS that prevented retransmission when ServerHasBrokenPortNumbers is set.
  • Added IgnoreAuthentication and IgnoreAccounting to all AuthBy clauses. In the case of AuthBy RADIUS, they are now equivalent to the older (and deprecated) NoForwardAuthentication and NoForwardAccounting.
  • Removed snmp_port from command line arguments in radiusd, because it breaks encapsulation.
  • Improved ServerConfig initialisation and removed lots of excessive code.
  • Moved reply caching from AuthBy RADIUS to AuthGeneric for future use with other authenticators.
  • Rationalised AuthRADIUS.pm to allow definition of Host objects and easier subclassing.
  • Added lots more Nortel CVX VSAs.
  • Added special case for SQL Timeout of 0 so it will never issue alarms at all. This is mostly a workaround for Sybase ODBC libraries that muck around with SIGALRM.
  • Added Cisco VENDORATTR Control-Info to dictionary, contributed by Gareth Coco (gcoco at aapt.com.au).
  • Added Timeout and FailureBackoffTime parameters to AuthBy LDAP and LDAP2 so that failed LDAP servers timeout quickly. Timeout defaults to 10 seconds, instead of the standard 120 seconds coded into perl_ldap.
  • Improved docs to make clear that SHA passwords also require Mime::Base64.
  • Improved evaluation version so the reason for a radiusd die will be obvious.
  • builddbm now detects attributes not connected to a user. Reported by Jamie Orzechowski (mhz at ripnet.com).
  • Performance improvements to the main loop and packet packing and unpacking.
  • Added UseGetspnamf option to AuthBy SYSTEM, which will honour the password expiration date, if there is one. UseGetspnam is now deprecated.
  • Added synonyms for a number of attributes to the dictionary for the convenience of users with old standard users files, such as is generated by Optigold by default.
  • Testing with Optigold ISP 2.6.7. OK. Added details to FAQ about interfacing, also created sample goodies/optigold.cfg.
  • Fixed AuthBy RADIUS Synchronous so it will work on Windows in the event of a Timeout.
  • AuthBy PAM now honours password and account expiration, and verifies access hour restrictions. Suggestion and code contributed by Richard Lennerts (richard at staff.vianet.net.au).
  • Testing with Digest-MD4 from ActiveState for Windows ActivePerl build 623. OK: MSCHAP passwords work fine.
  • Trace level 5 now does a byte dump of outgoing as well as incoming packets.
  • Removed instructions to install MD5 for ActiveState: it's installed automatically on all recent 6xx releases. Also altered Unix installation instructions to use Digest-MD5 instead.
  • Fixed a typo with LAS-Code attributes in dictionary.cisco.
  • At the suggestion and with the assistance of Michael Audet (audet at vectorcore.com), AuthBy ADSI now does a direct authentication of the user. Administrator's username and password are no longer required, performance is improved, and there is no need to disable password checking in AD. Also added support for Group membership checking.
  • AuthBy PORTLIMITCHECK now permits special formatting characters in the SessionLimit parameter. Contributed by Valentin Tumarkin (tv at xpert.com). Thanks Valentin!
  • In AuthBy LDAP* and AuthBy SQL, added support for AuthAttrDef/AuthColumnDef type of 'request' which adds the attribute to the current request, from where it can be accessed in later checks with %{attributename}. Contributed by Valentin Tumarkin (tv at xpert.com). Thanks Valentin! Valentin says "Very useful for chaining LDAPSDK lookups (first lookup user, push group attribute into the request, then lookup the group. Works wonders when combined with 'Auth-Type')."
  • Added special character %z which is replaced with the User-Name in the current packet, hashed with MD5. Contributed by Nick Donaldson (psyclops at psyclops.com). Thanks Nick.
Revision 2.17.1 (22/11/00)
  • Fixed a serious problem with a missing update function that could cause crashes with Alive packets.
  • AuthBy LDAPSDK also needed protection against attributes with trailing NULs from Microsoft LDAP.
  • Migrate SQL fixes into goodies/AuthPLSQL.pm. Contributed by Pavel A Crasotin (pavel at ctk.ru). Thanks Pavel.
Revision 2.17 (21/11/00) Some significant new features
  • Added new parameters to AuthBy SQL, to permit logging accounting records to a file if the SQL insert fails. See AcctFailedLogFileName and AcctLogFileFormat.
  • Added MS-CHAP support as per rfc2548. Like ordinary CHAP, it works with plaintext, not encrypted passwords in the user database. Requires Digest-MD4-1.0 or better from CPAN. Also added support for MS-MPPE-Send-Key and MS-MPPE-Recv-Key reply items as tunnel passwords.
  • Fix a problem that prevented AuthBy RADIUS receiving replies after a HUP. Reported by Wim.Biemolt at surfnet.nl. Also fixed some similar issues in AuthFILE and others.
  • AuthBy LDAP2 is now compatible with perl-ldap versions before and after 0.20 (changes to the perl-ldap API made this necessary). With patches from Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
  • Added Nas support for Patton RAS.
  • Fixed a problem with decode_tunnel_password that could cause a crash with various out-of-spec tunnel passwords. Reported and patched by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • Fixed a problem with Realms and Handlers that prevented old Realms and Handlers being discarded during a SIGHUP.
  • Fixed minor error in dictionary: VENDORATTR 307 type 2 was incorrectly called 'Livingston'. Changed to 'LE-Terminate-Detail'. Fix identified by Blaz Zupan (blaz at amis.net).
  • Added dictionary.redback for Redback NASs.
  • Added sample NoReplyHook to goodies by kind permission of John Kemp (kemp at network-services.uoregon.edu).
  • Separated out a utility function for doing all the magic for replying to a request.
  • Testing on HP-UX 10.20. No changes required.
  • Improved memory cleanup code in AuthRADIUS.pm to slightly reduce memory requirements. Found by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • Improved SQL timeout handling. The need for this was revealed by recent versions of Oracle 8 using local transport. Reported by Chris Keladis (Chris.Keladis at cmc.cwo.net.au). Thanks Chris. A similar fix was contributed by David Lloyd (david at freemm.org). Thanks David.
  • Fixed a problem that caused excessive memory usage in Client.pm. Found and fixed by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • Removed incorrect reinitialisation code from AuthFILE, which would cause a crash on SIGHUP.
  • Fixed some problems with SIGHUP handling and SNMP Agent, which prevented the Agent receiving requests after a HUP with SNMP_Session-0.77. Fix now works with all versions of SNMP_Session. Reported by Anton Sparrius (asparrius at vivanet.com.au).
  • Mods to a number of classes that inherit from SqlDb.pm, to hide use of the dbh handle, in order to support sharing of SQL connections.
  • Added CachePasswords to AuthBy RADIUS. It implements a password cache. It allows proxying to be more robust when the remote server is not available. It can be very useful if the remote server is unreliable, or at the end of a saturated or unreliable link.
  • Some users have reported that Microsoft LDAP leaves NULs at the end of returned attributes. Added code to AuthLDAP2.pm to strip any trailing NUL.
  • Added NoCheckPassword to AuthBy NT, useful in conjunction with other authentication methods that actually check the password.
  • AuthBy RADIUS now honours the global SocketQueueLength parameter, if it is set. Reported by David Lloyd (david at freemm.org). Thanks David.
  • Fixed a problem with AuthLDAP2 that prevented it working with CHAP unless RejectEmptyPassword was cleared. The test is now implemented with LDAPRejectEmptyPassword, which defaults to 1 and is only referred to if ServerChecksPassword is set. Reported by Nacho Paredes (iparedes at eurocomercial.es). Thanks Nacho.
  • Improved detection of running under inetd so that running under cron won't be mistaken for inetd.
  • Added Alcatel DANA vendor specific attribute to standard dictionary.
  • Added -code flag to radpwtst, allowing it to send any type of request code, eg: radpwtst -noacct -noauth -code Disconnect-Request
  • Changes to Client.pm, Radius.pm to permit proxying of any type of code, eg Disconnect-Request
  • Added hydrarad to goodies. Hydrarad is an agent for the HydraWeb load distributor (www.hydraweb.com). It probes server performance and produces a Usability figure from 0 to 100.
  • In dictionary, the types of CHAP-Password and CHAP-Challenge changed to 'binary' to prevent trailing NULs being stripped.
  • AddToReply and DefaultReply were not honouring special formatting characters.
  • Minor performance improvements in RDict.pm.
  • Permit special characters (eg %{GlobalVar:databasename}) in DBSource, DBUsername and DBAuth in any SQL connection.
  • Added new generic authentication logging support contributed by Dave Lloyd (david at freemm.org). Thanks heaps Dave! Also example config file using <AuthLog FILE> in goodies/authlog.cfg and documentation.
  • Added support for USR1Hook, USR2Hook and WINCHHook. Contributed by Dave Lloyd (david at freemm.org). Thanks Dave!
  • Fixed Handler.pm so handlerResult is called when MaxSessions is exceeded. Suggested by Dave Lloyd (david at freemm.org). Thanks Dave!
  • Added Shasta attributes to dictionary. Contributed by "Mariano Absatz" (lradius at pert.com.ar). Thanks Mariano.
  • Improved portability of module importing. Now uses eval("require RADIUS::classname") which will work portably on all platforms, including MAC.
  • Added goodies/blocktime.txt, a discussion about how to implement prepaid time.
  • Hugh added some more examples to goodies/hooks.txt.
  • Prevented warnings 'No CHAP-Password or User-Password in request' when User-Password is empty. Reported by Cortney Thompson (Cortney at wyoming.com). Thanks Cortney.
  • Added SNMP MIB 2 variables sysUpTime and sysName. Suggested by Mariano Absatz (lradius at pert.com.ar), since MRTG likes to get them.
  • Fixes to AuthBy EMERALD to be compatible with RadiusNT version 3 (suitable for Platypus version 3 with RadiusNT compatibility too). Also now correctly handles per-user and per-service vendor-specific check and reply items.
Revision 2.16.3 (25/8/00) Fix a serious LDAP problem
  • Fixed a typo in all AuthBy LDAP which causes an error like: "Not a SCALAR reference at Radius/AuthLDAP.pm line 297."
  • AcctColumnDef now supports the type 'formatted' which allows you to use any of the special formatting characters instead of just a Radius attribute name.
  • in AuthBy SQL, AcctColumnDef type 'integer-date' now allows you to specify your own date formatting string to be used instead of the default DateFormat for that SQL.
  • Stop SQL from disconnecting/reconnecting if a primary key constraint is violated. Reconnecting could cause a significant performance impact in some environments.
Revision 2.16.2 (21/8/00) Minor fixes
  • Added support for encryption type MD5, which is an MD5 digest encoded in base64 (MIME), eg:
    Password = {MD5}qP0OV/oViFka8YbFMWEWeg==
    Contributed by Robin Gruyters (robin at wish.net). Thanks Robin.
  • radconfig.cgi incorrectly only allowed one Accounting log file name entry in a handler.
  • Testing with MacPerl on PPC iBook with MacOS 9. The default config file under MacPerl is now 'Macintosh HD:Applications:Radiator:etc:radius.cfg'.
  • Fixed minor problems with date parsing on MacPerl. On Mac, times are based on 1904, not 1970.
  • Created a clickable MacPerl droplet for radiusd containing command line arguments: MacRadiusd. You can edit this with MacPerl and set up your own command line args. Useful for running with a config file in a non-standard place. As delivered, it uses the radius.cfg in the current folder.
  • Changes to configuration file processing in 2.16.1 meant that values for SnmpgetProg, FingerProg and some similar parameters were being overridden.
  • Added new check item Client-Identifier that matches the Identifier parameter in the Client clause that received the request.
  • Fixed an error in the documentation concerning the use of GENERIC in LDAP AuthAttrDef parameters.
  • Added support for new SNMP Radius Authentication and Accounting server MIBs as specified by RFC 2619 and RFC 2621. The old draft MIB is still supported.
  • Fixed a problem with AuthAttrDef not working properly in AuthBy LDAP and LDAP2.
  • Fixed a problem with AuthBy TEST that prevented it from honouring the Identifier parameter. Reported by Matt Nichols (matt at hunterlink.net.au). Thanks Matt.
  • Added new parameter CaseInsensitivePasswords to all AuthBy clauses that support plaintext password checking. This involved some rationalisation of the password checking code in Radius.pm too, with resulting performance improvements.
  • Dictionary now permits data type of 'text' in line with RFC 2865, and is treated the same as 'string'.
  • Duplicate checking now takes the client port into account, as required by RFC 2865.
  • Tested the config file "include" directive with external scripts, at the suggestion of Simon Hackett (simon at internode.com.au). For example:
    include %D/myScript.pl|
    This allows you to generate some or all of your Radiator configuration programmatically.
  • Added SearchFilter to AuthBy LDAP*, allowing you to fully control the search filter used to find users. This will allow you to select or reject users based on arbitrarily complicated LDAP search filters.
  • Added RejectEmptyPassword to AuthBy to handle some broken remote Radius servers that foolishly always accept logins with empty passwords (eg VMS)! Suggested by Simon Hackett (simon at internode.com.au)
  • Added UsernameMatchesWithoutRealm to AuthBy to permit matching on the bare user name without rewriting the username and therefore affecting accounting too. Suggested by Simon Hackett (simon at internode.com.au)
  • Added missing -h flag to radpwtst
  • Improved handling of MD5 passwords so that it supports both hex digests and base64 encodes. This also makes it compatible with Infranet billing passwords. Contributed by Johnathan Ingram (jingram at intekom.com). Thanks Johnathan.
  • Added some fixes to AuthLDAP.pm to prevent Radiator running out of file handles in some circumstances.
  • Rationalised check_plaintext_password and check_encrypted_password into a single function check_password in AuthGeneric to save lots of duplicate code.
  • Modifications to AuthBy RADIUS so that it will create a separate socket for each distinct LocalAddress. This will make sure the right LocalAddress is used for each proxied request, even if there are multiple LocalAddresses in use. From a report by Ivan Brawley (brawley at internode.com.au). Thanks Ivan.
  • Fixed a problem with timeouts in Select.pm. The timeout list was not always sorted properly, which would sometimes cause timeouts to go off too late. This was especially significant if very long timeouts were used (as in AddressAllocatorSQL and others).
  • Added special characters %q, %Q, %v, %V for days of weeks and months of the year.
  • Added new strftime compatible date formatter
  • Added DateFormat attribute to all SQL derived objects to control how to format dates for insertion. Can use any of the special characters supported by strftime.
  • Added new Description parameter to all objects, mainly for use by radconfig.cgi. Suggested by Matt Nichols (matt at hunterlink.net.au). Thanks Matt.
  • Fixed a problem with Proxy-State. Only the first one would be included in the reply. Now all are included, and kept in the same order as in the incoming request. Reported by Thorsten Wystrychowski. Thanks Thorsten.
  • Improved error reporting when an SQL connection fails.
  • Testing with Informix. Created goodies/informixCreate.sql and added documentation.
  • ClientListSQL now permits the FramedGroupBaseAddress column to contain multiple comma-separated addresses.
  • Incorporated a patch to goodies/hooks.txt to allow getProfiles to have profiles that span multiple lines. Contributed by Christian Hammers (ch at westend.com). Thanks Christian.
  • Added LimitQuery to AuthBy PORTLIMITCHECK, so that the session limit can also be retrieved from the database instead of being fixed. This allows you to easily get port limits from, say, a customers table in your SQL database.
  • Special formatting now supports %{Client:parmname} which is replaced by the parmname parameter from the Client clause that accepted the current packet.
  • Special formatting now supports %{Handler:parmname} which is replaced by the parmname parameter from the Handler clause that is handling the current packet.
  • Fixed a problem with AuthBy RADIUS where a Tunnel-Password received from the remote radius or added with AddToReply was not encrypted properly. Found and fixed by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • Fixed a problem with ClientListSQL, where an empty string in the NoIgnoreDuplicates column would cause a crash.
  • AuthBy RADIUS now permits multiple comma-separated host names in the Host parameter.
  • Fixed some typos in the RADPOOL table creation in some goodies/*.sql scripts. The unique index creation was wrong.
  • Altered evaluation expiry mechanism.
  • radpwtst now takes notice of the Class in any access replies, and uses it in subsequent accounting requests.
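The {MD5} password form shown above (base64 of the raw digest) and the hex-digest form mentioned in the MD5 entry further down this list can be verified by one routine, as in this added example (Python, not Radiator's own Perl code); it also accepts a {SHA} prefix as the Encrypted-Password entry under 2.15 describes. The function names and the sample password are my own.

```python
import base64
import binascii
import hashlib
import hmac

# Digest algorithms keyed by the {TYPE} prefix that precedes the stored value.
DIGESTS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def decode_digest(encoded, digest_size):
    """Return the raw digest bytes from either base64 (MIME) or hex text.

    Returns None when the text is neither a valid base64 nor a valid hex
    encoding of a digest of the expected size. Base64 is tried first; a
    hex string of the right length decodes as base64 to the wrong size,
    so it falls through to the hex branch.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
        if len(raw) == digest_size:
            return raw
    except (binascii.Error, ValueError):
        pass
    try:
        raw = bytes.fromhex(encoded)
        if len(raw) == digest_size:
            return raw
    except ValueError:
        pass
    return None


def check_password(submitted, stored):
    """Compare a plaintext password from an Access-Request with a stored
    value of the form {MD5}<base64 or hex> or {SHA}<base64 or hex>.

    Unknown prefixes and malformed digests are rejected outright rather
    than falling back to a plaintext comparison.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    prefix, _, encoded = stored[1:].partition("}")
    digest_fn = DIGESTS.get(prefix.upper())
    if digest_fn is None:
        return False
    expected = digest_fn(submitted.encode("utf-8")).digest()
    actual = decode_digest(encoded.strip(), len(expected))
    if actual is None:
        return False
    # Constant-time comparison; an addition beyond what the changelog describes.
    return hmac.compare_digest(expected, actual)


def encode_password(plaintext, algorithm="MD5", hex_output=False):
    """Build a stored value in the same {TYPE}digest format, for user entries."""
    digest = DIGESTS[algorithm.upper()](plaintext.encode("utf-8")).digest()
    if hex_output:
        text = digest.hex()
    else:
        text = base64.b64encode(digest).decode("ascii")
    return "{%s}%s" % (algorithm.upper(), text)


if __name__ == "__main__":
    # Constructed sample: "secret" is not a password from the changelog.
    stored = encode_password("secret")
    print(stored, check_password("secret", stored))
```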
Revision 2.16.1 (13/6/00) Major new feature, and a number of bug fixes, one serious.
  • Added support for Windows ActiveDirectory authentication with AuthBy ADSI, see the example config file in goodies/adsi.cfg. Stop Press: also added AuthAttrDef to AuthBy ADSI, so you can get additional attributes from ADSI.
  • Fixed problem with all SessionDatabases, where attempts to deduce the NAS IP address during simultaneous-use double checking would fail with this error message:
    Could not find a Client for NAS to double-check Simultaneous-Use. Perhaps you do not have a reverse DNS for that NAS?.
  • Fixed a problem in radacct.cgi where attributes that contained an = character were not displayed properly when showing a detail file. Reported by Matthew Nichols (matt-home at hunterlink.net.au). Thanks Matt.
  • Fixed a problem with SNMPAgent where it would report "Undefined subroutine &Radius::Radius::get_port" with some unusual configuration files.
  • Fixed a typo in AuthPORTLIMITCHECK.pm where getOneRow was not defined. Reported by Anton Sparrius (anton at vivanet.com.au). Thanks Anton.
  • Added support for NasType PortslaveMoxa, for Linux running Portslave and a Moxa multiport. Contributed by "Le Anh Tuan" (latuan at netnam.vn). Thanks!
  • Fixed some problems with drilling down and volume summaries in radacct.cgi when using SQL. Reported by John Breeden (rad at ns1.phx2.com)
  • SessionDatabase NULL was ignoring all of its configuration, and you could therefore not reference it by Identifier. Reported by Aaron Holtz (aholtz at bright.net). Thanks Aaron.
  • Fixed the %a special character, which was not working properly.
  • Check items could mistake an exact match for a regular expression if it had multiple embedded slashes. Now the first slash must be at the beginning of the regexp.
  • Added workaround for hanging connections when using DBD-Sybase and MS-SQL.
Revision 2.16 (19/5/00)
  • Added totals of sessions, time, octets and packets to the user page in radacct.cgi.
  • Session-Timeout as a reply item can now take a value "until Time", which calculates the session timeout until the end of the permitted time period defined by a Time check item.
  • Added Auth-Type=Accept, code contributed by David Daney (daney at ibw.com.ni). Thanks David.
  • Added PreProcessingHook to Handlers, which fires before accounting log files etc are written. Code contributed by David Daney (daney at ibw.com.ni). Thanks David.
  • AddToReplyIfNotExist parameter with multiple attr=val, and with white space before the attribute name, would not be parsed properly, resulting in a "Bad attribute=value pair:" error message.
  • Simultaneous-Use would sometimes check the wrong user name for excess sessions when RewriteUsername or Prefix or Suffix was involved.
  • Fixes so that multiple DEFAULT users with Prefixes and/or Suffixes won't strip the user name for the following DEFAULT. Contributed by David Daney (daney at ibw.com.ni)
  • Added new <Log EMERALD> module that does logging to a Platypus and RadiusNT compatible message log table.
  • Testing with Windows 2000.
  • Fixed radpwtst -gui to work with Tk800.018 and better.
  • Fixed a bug in AuthLDAPSDK.pm, that produces the following error: Global symbol "@vals" requires explicit package name at Radius/AuthLDAPSDK.pm line 256, <FILE> chunk 39. Reported by Bradley Clayton (bac at agad.purdue.edu)
  • Workaround in AuthRADKEY.pm for problems with password lengths on some MAXen.
  • Reinstated the changes that make %a get the Framed-IP-Address from the reply packet instead of the request, and to take ma.overdue into account in AuthBy EMERALD. These changes were inadvertently lost from the 2.15 distribution.
  • Changes to all SQL based modules to fix an infrequent problem with Sybase on some platforms, and in some environments. Some versions would sometimes hang during the SQL finish operation, which was not protected by timeout.
  • DefaultRealm now only adds the realm if there actually was a User-Name present in the request. Requests without a User-Name will not now have a fake User-Name added.
  • Added cisco-h323* entries to the standard dictionary for Cisco VOIP.
  • The password log for CHAP logins now shows "UNKNOWN-CHAP", instead of "UNKNOWN", to help distinguish from the case where there is no password in the request.
  • Added SessNULL.pm to the distribution, contributed by Daniel Senie (dts at senie.com). Thanks Daniel. SessNULL.pm provides a session database that does not store any session details and always permits multiple logins. Useful for very large user populations where there is no multiple-login prevention required: this will require much less memory than SessINTERNAL.
  • Added support for HoldServerConnection, plus disconnection after each request to AuthBy LDAPSDK, at the request of Thomas Braber (thomas.den.braber at capgemini.nl).
  • Special formatting can now refer to any attribute in the current reply with %{Reply:attributename}
  • Check items can now refer to attributes in the currently constructed reply. This can be useful for adding more reply items, depending on the reply items that are already there. For example, you might set a Profile pseudo attribute in an AuthBy and, in a following AuthBy, add some real reply attributes that depend on the value of the Profile you added before.
  • Added support for IP address allocation, and a specific SQL implementation. See goodies/addressallocator.cfg for examples on how to use. STOP PRESS: minor changes in database schema since the 2.16 alpha release. Alpha testers will have to recreate their RADPOOL table.
  • Fixed algorithm for computing port index for Total Control SNMP access checking. Contributed by Aaron Nabil (nabil at spiritone.com). Thanks Aaron.
  • Fixed a problem with AuthAttrDef in AuthBy LDAP and LDAP2.
  • Added the -p switch to builddbm to print out a flat file equivalent. Contributed by Joost Stegeman (joosts at kpn.net). Thanks Joost.
  • ipaddr type attributes can now be specified as a 4 byte string, as well as dotted-quad notation. Useful for putting IP addresses and netmasks in databases as binary instead of strings. Suggested by Mike Nerone (mnerone at idworld.net).
  • Updated GRIC Roaming attributes in various dictionaries.
  • Log SQL and AuthBy RADMIN now permit a LogQuery parameter to configure the query used to insert into the log table database.
  • AuthBy DBFILE and SessionDatabase DBM now support a DBType parameter, allowing you to specify the type of DBM database to use.
  • AuthBy RADMIN was incorrectly logging all level log messages. Now it honours the global Trace level.
  • Fixed a problem with MD5 password encryption when encrypted passwords had a zero length salt.
  • Fixed a bug in Client.pm that prevented the client list used by SNMP and StatusServer being cleared during a HUP.
  • Added new Bay Annex attributes to dictionary
  • Pushed the permitted perl revision level back to 5.003
  • Testing on Cobalt CacheQube. OK.
  • Fixed a bug in the radwho.cgi and radacct.cgi sort routines that affected user name sorting with mixed alpha and numeric names. Reported by Larry Vaden. Thanks Larry.
  • Fixed a problem with apparent floating point attributes in AuthBy EMERALD.
  • Fixed some problems in getProfiles example hook in goodies/hooks.txt. Contributed by Christian Hammers (ch at westend.com). Thanks Christian.
  • Added NoReplyHook to AuthBy RADIUS, called if no reply is heard from any remote servers. Useful for storing accounting to an SQL database for later delivery or retransmission (see goodies/reliableaccounting.cfg for example)
  • Testing with InterBase 6.0 and DBD-Interbase-0.021. OK. Note that Interbase 6.0 requires /etc/hosts.equiv to contain the name of each client host, so you may need to add 'localhost' to /etc/hosts.equiv to enable you to start the Interbase server and access it. Also note that InterBase requires a custom AuthSelect since it does not permit columns named PASSWORD. interbaseCreate.sql creates it as PASS_WORD.
  • Due to changes in policy by iPASS, the preferred method of interoperating with iPASS outbound is now to proxy to the iPASS radius server. Altered documentation to suit.
  • Added some improvements to extensibility and customisability: The reinitialize and find functions for Client, Handler, Realm et al are now registered at startup. This allows you to add new subclasses of Client and Handler with new ways of finding the right Client or Handler to use. You can also register your own reinitialise function with main. Added examples csid.cfg and CalledStationId.pm to goodies to demonstrate use of all these features, using the example of fast, exact matching on Called-Station-Id.
  • radpwtst now takes notice of the Framed-IP-Address in the reply and uses it in subsequent accounting starts and stops, unless -framed_ip_address has been used to force a particular address.
  • Added initial version of new radconfig.cgi, a CGI script that will manage a Radiator configuration file.
  • Added new Nas Type of Ping, which will attempt to check simultaneous use by pinging the dialup user's Framed-IP-Address. This is not foolproof as the Framed-IP-Address may have been reallocated, but it's better than nothing, which is what you may have without finger or snmp access to the NAS.
  • Added missing documentation for SessionDatabase parameter for Realm and Handler, which allows you to control which Session Database a Realm or Handler will use.
  • Fixed a spurious WARNING message if AuthPort or AcctPort was defined as empty (ie no socket to be set up). Reported by Antonio Coloma.
  • Added new Scope parameter that allows you to control the LDAP search scope in LDAP2 and LDAPSDK. Suggested by c.w.vandervelden at kpn.com.
Revision 2.15 (15/2/00) Many new features and some fixes.
  • Added new check item Request-Type. This is mostly useful in Handlers, to allow you to trigger on different types of requests.
  • Fixed a problem with handling escaped octal characters in attribute strings. Contributed by Mike Biesele (wmb at aros.net). Thanks Mike.
  • DynamicCheck and DynamicReply were always doing special character replacements in all check and reply items, instead of just the ones named.
  • DynamicReply was incorrectly doing special character replacements from the reply packet instead of the incoming packet.
  • The special character %a has been modified to be replaced with Framed-IP-Address from the reply packet instead of the incoming packet.
  • AuthBy clauses did not honour the "include" keyword.
  • Added some more USR attributes to dictionary.usr
  • Fixed a problem with Tunnel-Password on Intel where it would sometimes produce a non-compliant encrypted password.
  • SQL timeouts while doing a select or an insert did not trigger the backoff period.
  • Added Synchronous flag to AuthBy RADIUS, which will cause the AuthBy RADIUS to block until a reply is received from the remote radius server (or it times out).
  • Rolled the AddToReplyIfNotExist.patch into the base code. This code was contributed by Vincent Gillet (vgi at oleane.net), and implements the AddToReplyIfNotExist parameter, which will append an attribute to a reply if and only if the attribute is not already present.
  • The include keyword for including other files inline is now case insensitive.
  • Radius standards rfc2138.txt and rfc2139.txt are now included in the doc directory.
  • Added some additional username info to some WARNING and INFO level messages, as suggested by Wim Biemolt (Wim.Biemolt at sec.nl).
  • Incorporated significant performance improvements to AuthBy UNIX, contributed by Jamie Hill (hill at networkWCS.com). Thanks Jamie!
  • If you explicitly undefine AuthPort or AcctPort, Radiator will not bind a socket. Same effect if you specify -auth_port "" or -acct_port "" on the command line.
  • Fixed a problem with compatibility with proxying to Merit server with passwords of exactly 16 octets. Merit incorrectly assumes that passwords are always NUL terminated.
  • Fixed typos with MSN style RewriteUsername regexps, that incorrectly assumed the separator was a forward slash (/) not a backslash (\). Affected documentation and example radius.cfg
  • Added new parameter HoldServerConnection to AuthBy LDAP, so LDAP servers that support it can be used to do as many authentications as possible from the same LDAP connection.
  • Added details about how to use Radiator with AFS Kerberos to goodies directory. Contributed by Roland Hofmann (hofmann at uni-hohenheim.de). Thanks Roland.
  • Fixed a problem with radacct.cgi where an Acct-Session-Id that contained a dot character was not recognised
  • Added to the goodies an alternative version of radacct.cgi that supports some sorting of users by time, logins, total octets in or out. Contributed by Andrew Aken. Thanks Andrew.
  • AuthBy RADIUS now returns IGNORE if a request is not forwarded due to NoForwardAuthentication or NoForwardAccounting. This is thought to be more correct, but existing users of multiple AuthBy RADIUS with NoForward* may need to use AuthByPolicy ContinueWhileIgnore.
  • AuthBy LDAP, LDAP2 and LDAPSDK now support AuthAttrDef, which allows you to easily define check and reply items in your LDAP database, similar to the way it's done with SQL. Based on code contributed by Steven E Ames. Thanks Steven.
  • AuthBy RADIUS now passes some additional arguments to ReplyHook:
    ${$_[0]} The reply received from the remote server
    ${$_[1]} The reply packet to be sent back to the original requester
    ${$_[2]} The original request
    ${$_[3]} The request sent to the remote server
  • Added support for old style Ascend password encryption algorithms, new parameter UseOldAscendPasswords for both Client and AuthBy RADIUS. Also added -useoldascendpasswords flag to radpwtst.
  • Added Microsoft vendor-specific attributes to dictionary. Contributed by sadkins at voyager2.cns.ohiou.edu (Scott Adkins). Thanks Scott.
  • Suffix and Prefix incorrectly took notice of regexp special characters (such as +, ., * etc) in them. Changed so that Prefix and Suffix only ever do exact literal matches.
  • AuthBy NT did not honour AddToReply or DefaultReply on Unix.
  • Testing with Apache and Apache::AuthenRadius. Item added to the FAQ.
  • Workaround for a bug with FreeTDS where a datetime set like '12-31-1999 12:01:01.000' comes back as '2000-01-00 12:01:01'.
  • Added radiatorctl simple Radiator management script to goodies. Contributed by Ragnar Kurm (ragnar at uninet.ee). Implements start, stop, restart, reload, inc, dec operations. Thanks Ragnar.
  • SessDBM now uses a more sensible mode for new files. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
  • DefaultRealm processing was moved to after PreHandlerHook to allow easier manipulation of user names. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
  • Added GRIC roaming attributes, including Timestamp to a number of dictionaries that did not have them.
  • AuthBy EMERALD was not taking into account the masteraccounts.overdue column. Reported by Ray Carpenter (ray at systec.com). Thanks Ray.
  • Session-Timeout reply attribute now supports a new syntax. If you have for example:
    Session-Timeout="until 1800"
    Then the Session-Timeout in the reply will be calculated as the number of seconds up until the time of day specified
  • AddToReply and DefaultReply did not honour special processing for Session-Timeout="until 1234", Tunnel-Password, Ascend-Send-Secret or Framed-Group.
  • Encrypted-Password can now be in a variety of encrypted password formats: SHA, MD5 and standard Unix crypt. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
  • Added ExcludeRegexFromPasswordLog to Handlers. Suggested by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
  • NasType TigrisOld has new improved performance code contributed by Ragnar Kurm (ragnar at uninet.ee). Thanks Ragnar.
  • Added ServerHasBrokenPortNumbers parameter to handle broken 3rd party radius servers that reply from a different port number than the one the request was sent to. Required for proxying to GRIC on NT.
  • Added -v flag to radiusd to print version number. Also version is printed on startup INFO line.
  • Improvements to restartWrapper to show more information about why the child died.
  • Fixed a problem with AuthBy LDAP2, where recent versions of Net::LDAP do not support ldap_error_message.
  • Added StartupHook which is called during startup and restarts
  • Fixed a problem with broken VSAs which caused an entire packet to be ignored. Reported by Steve Suehring (suehring at coredcs.com).
  • %M, %H, %S macros always produce 2 digits. Requested by Daniel Senie (dts at senie.com)
  • Fixed a problem with %y and %e that produced only one digit in 2000. Reported by Thomas Voss (tvoss at netcologne.de). Thanks Robert.
  • AuthBy NT now optionally honours the User Manager Dialin Permission flag. Only available on NT, and requires Win32-RasADmin package to be installed.
  • Fixed a problem with some check attributes. When used to check attributes in a <Handler ....> clause, could get a crash with a message like: Can't call method "log" on unblessed reference at Radius/AuthGeneric.pm line 644.
  • Added support to AuthBy NT for Lockout and Account Expiry flags (supported when Radiator runs on NT). Contributed by talist at vif.com. Thank you!
  • Fixed a problem with FramedGroupBaseAddress and RewriteUserName not being properly assigned by ClientList SQL. Fix contributed by jay.pike at voyager.net.
  • Improved documentation about hooks and when they are called. Suggested by Richi Plana (richip at mozcom.com)
  • Added dictionary.usr.merit to the distribution. This is a copy of http://totalservice.usr.com/ISP/rad/dictnary.dat, and can be used as a source for missing VSA's or it can be used directly as the Radiator dictionary.
  • Further fixes to zombie child reaping, so that we should not miss zombies, even if there is a sigchld collision
  • Added StatusServerShowClientDetails to Client to optionally enable full Client statistics in the Status-Server reply. This changes the default behaviour, which used to be to always send the statistics for all Clients. The default is now to not send details for any Clients.
  • Added new Nas-Type Portmaster4 which is suitable for use by Portmaster 4's running ComOS 4.1 or later. Uses pmwho.
  • Fixed a problem with using AcctColumnDef with AuthBy PLATYPUS that would cause an SQL syntax error. Reported by Simon Woodward (simon at 1earth.net). Thanks Simon.
  • Workarounds added to radwho.cgi and radacct.cgi. When used with FreeTDS, messages that FreeTDS prints to stderr would confuse Apache and other web servers. Stderr is now redirected to /dev/null on Unix during database setup when the driver is FreeTDS.
  • Connect-Rate now supports attributes called USR-Connect-Speed if there is no Connect-Info in the incoming packet.
  • Fixed a typo with incorrect definition of Connect-Info attribute in Radius.pm
  • Added globalvarname=value command line arguments and DefineGlobalVar to the config file. Can now use special formatting like: %{GlobalVar:globalvarname}. Suggested by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • Added "Time On" column to radwho.cgi, with formatted time interval since they logged in.
  • Added Debug parameter to AuthBy LDAP2, to assist debugging the Net::LDAP module.
  • The global BindAddress and AuthBy RADIUS BindAddress parameters now permit special formatting macros.
  • All the AuthBy LDAP modules now support special formatting characters in the Host parameter.
  • All classes now have an optional Identifier parameter
  • All classes now honour the "include" keyword.
  • Added NoDefault parameter to AuthBy. When set, it stops Radiator from ever looking for a DEFAULT user entry.
  • Radiator failed to complain if an integer reply item specified a value name that was not in the dictionary.
  • Historical my_crypt was removed from radiusd. It was required for compatibility with the Gurusamy Sarathy port of perl on Win 95.
  • New module Util.pm added for general purpose utility routines. main::format_special and a number of other functions were moved there.
  • Added ServerChecksPassword to AuthBy LDAP2, so that servers that implement proprietary encryption algorithms in their passwords (notably Open Directory from Platinum) can be used. Testing with Open Directory. Added opendirectory.cfg to goodies.
  • Added new special character %P that is replaced with the decrypted User-Password from the current request. Code contributed by talist at vif.com. Thanks.
Revision 2.14.1 (29/7/99) Mostly new features
  • Added new <ClientListSQL> clause that allows you to have your Client details in an SQL database, rather than in your config file.
  • Added example Microsoft Access database to goodies. Works with the example sql.cfg, and also includes some sample queries and charts.
  • The fix to default /32 in Ascend filters in 2.14 did not work properly in all circumstances. Found by Ricardo Kustner. Thanks Ricardo.
  • Rolled in additional dictionary entries from ACC into the standard dictionary. Added the ACC dictionary to the distribution.
  • Added support for NasType and Client-Id check items
  • Fixed problems that prevented AuthBy NT working with the latest version of Authen-Smb (Authen-Smb-0.91) on Unix. They changed their naming standards for NTV_NO_ERROR.
Revision 2.14 (14/7/99)
  • Added new AuthBy PAM, which can authenticate through any method supported by PAM on your host.
  • Added support for RAdmin, the new web-based user administration package from Open System Consultants. Supports sim-use, static IP address, bad login limits, preallocated time, error logging etc etc etc.
  • New authentication module PORTLIMITCHECK, which can enforce simultaneous-use limits for arbitrary groups of users. This can allow you to sell bundles of ports on a global or per-POP basis, or DNIS etc. It can also set up Class attributes that depend on how many users are currently logged in to that group, so you can have different charging bands for normal and overflow usage etc. Requires that a <SessionDatabase SQL> be present in your Radiator config.
  • Changes to session databases so that when a NAS is checked for a simultaneous use, the original username (prior to any RewriteUsername) will be used.
  • Log.pm was ignoring the LogFile global parameter and always using %D/logfile. Fixed.
  • Added new parameter DefaultSimultaneousUse to AuthBy. DefaultSimultaneousUse specifies a sim-use limit that will apply if there is no user-specific Simultaneous-Use check item.
  • Added new dictionary.ascend2 for Ascends that use Vendor-Specific attributes with vendor 529.
  • Added NasType TotalControlSNMP, which uses SNMP to check a Total Control NAS. Contributed by Stephen Roderick (steve at proaxis.com). Thanks Stephen.
  • If you had both DefaultReply and AddToReply, then DefaultReply would have no effect. Fixed.
  • In AuthBy SQL, you can now have multiple definitions of the same column name in AcctColumnDef. This allows you to save different attributes from different types of NAS into the same column in a mixed NAS environment.
  • Fixed a problem in radpwtst that could cause a premature exit if there were problems in receiving a reply.
  • Checks for Realm in a Handler clause can now be regexps
  • Added a number of Bay VSAs to the standard dictionary. Thanks to Stuart Henderson (stuart at eclipse.net.uk).
  • Added new NasType "ignore", which does not contact the NAS and always assumes there are no multiple logins. Suggested by Stephen Roderick (root at proaxis.com).
  • Some performance improvements in Nas.pm
  • Added new Client parameter NoIgnoreDuplicates. You can use this to fine-tune which types of duplicate requests you will handle, regardless of the setting of DupInterval. The value is a space-separated list of request types, such as "Access-Request Accounting-Request". Case sensitive. This can sometimes help if you are losing packets. Suggested by Tim Minchin (tom at interact.net.au).
  • radpwtst can now take any number of additional attribute=value arguments, so you can add any attributes that are in the dictionary to each request.
  • Fixed problem with becoming a daemon on AIX (which doesn't support setsid()).
  • Fixed a problem in the internal SessionDatabase, where it would ask all the NAS ports for all users to double check apparent logins.
  • With SNMP, if you use SNMP_Session-0.70.tar.gz instead of SNMP_Session-0.62.tar.gz, snmpget reported "Unrecognizable or unauthentic packet received". Fixed.
  • Testing with perl 5.00401, no changes required.
  • Testing with AIX, with the assistance of Dave Close (dclose at quik.com). Some fixes required. Thanks Dave.
  • Testing on FreeBSD 2.2.5, no changes required.
  • Added NasType support for Tigris (both old and new MIBS), Bay 4000, and Bay by finger, contributed by Rob Thomas (rob at rpi.net.au). Thanks Rob.
  • Testing on SCO Open Server 5.0.4, no changes required.
  • Added new special character %u, which is replaced by the original full User-Name as it was received and before any RewriteUsernames were applied.
  • Added new special character %l, which is replaced by the current local time expressed as a string, eg 'Thu Apr 22 15:39:03 1999'.
  • Added ACC vendor-specific attributes to the standard dictionary.
  • In AuthBy EXTERNAL, the external program can now return any attribute=value pairs on each line on stdout, not just Reply-Message. Contributed by Richi Plana (richip at mozcom.com). Thanks Richi.
  • AuthBy NT was not logging passwords to PasswordLogFileName.
  • On SIGHUP, old Realms were not being removed from the old configuration. Fixed.
  • Upgraded AuthTACACSPLUS so it can do PAP and CHAP when you have a recent (0.16 or better) version of the TacacsPlus perl library.
  • Now parses Merit style dictionaries, including VENDOR_CODE.
  • radacct.cgi now shows summaries by IP address, suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de) which he says is useful for tracking down attacks.
  • radacct.cgi will automatically decompress files with a .gz extension on the fly, also suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de). Thanks Karl.
  • radwho.cgi will now automatically refresh every 30 seconds, and also shows the date of the refresh in the title.
  • DefaultRealm was not being honoured by Handlers, only Realms. Reported by Richard Lennerts (richard at vianet.net.au). Thanks Richard.
  • Fixed a race condition in EXTERNAL that could prevent it replying under some conditions. Also fixed other problems that prevented it getting the return code from the external program on NT. Still not working properly on Win98.
  • Added a new parameter ResultInOutput to AuthBy EXTERNAL so you can use a string in the first line of the output of the external command to signal the type of reply, instead of using the exit status. This is good if you are using Win98 where the exit status is not reliable.
  • Using special characters like %a, %c, %C, %n, %N, %R, %T, %U, %u in a context where there is no associated packet would cause a crash. Now they are just replaced by an empty string.
  • Handlers did not recognise embedded include directives.
  • Changed child reaping to remove the possibility of unreaped child processes if two SIGCHLD signals collide.
  • Significant changes in AuthBy FILE to greatly reduce the amount of memory required with large user files to about one tenth of previous requirements.
  • Fixed a problem with LogSQL where strings with quotes in them caused an SQL error.
  • Included in goodies detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul at dove.mtx.net.au). Thanks Paul.
  • Can now use case insensitivity in regexp Realms like this: <Realm /realm.com/i> In fact, you can use either the i or x modifiers
  • Added -snmp_port argument to radiusd to override whats in the config file.
  • Improved the behaviour of changeAttrByNum so it correctly updates the cached value too. This is only interesting for authors of hooks.
  • Added code to complain if Client or IdenticalClient names could not be resolved.
  • Added ExcludeFromPasswordLog to Handler, to prevent certain user names being logged to the PasswordLogFileName. It's a good idea to list your sysadmins etc.
  • Added wtmp support for FreeBSD, contributed by Jason (godsey at fidalgo.net). Thanks Jason.
  • AuthBy SYSTEM now checks the primary group as well as the secondary groups. It used only to do the secondaries.
  • Fixed a problem with AuthBy PLATYPUS where the select statement was constructed incorrectly.
  • Fixed a problem with Prefix and Suffix check items that prevented rejection if there was no match.
  • Added new parameter UseGetspnam to AuthBy SYSTEM so it can be used with some systems (notably Solaris) using getspnam
  • Added Timeout parameter to all the SQL based clauses, so that you can get predictable timeout from failed SQL operations due to lost connectivity with the SQL server. Defaults to 60 secs.
  • Fixed a problem in test.pl that prevent reporting of some errors in the test suite. Fixed some other inaccuracies in the test suite.
  • Added new special character %S, which translates to the current second.
  • Added ReplyHook to AuthBy RADIUS, which runs after the reply is received from the remote radius server (as opposed to PostAuthHook, which runs after the request was forwarded, but before the reply is received).
  • Modified Nas.pm so that if finger detects a problem or times out while verifying simultaneous connections, it assumes that the user is still online (i.e. it assumes that the SessionDatabase is correct).
  • Fixed a problem with "include" directives in the configuration file: Recursive includes did not work properly.
  • Can now specify LivingstonOffs and LivingstonHole on a per-Client basis.
  • Fixed a problem with command line arguments in radiusd. -log_file_name was ignored.
  • Changes to Handler.pm and SessINTERNAL.pm to improve behaviour in the face of lost Stops.
  • Mods to AuthLDAP2 so it conforms more closely to the expectations of some LDAP servers. In particular, it now maintains the TCP connection to the server, but binds and unbinds for each search.
  • Fixed a problem in AuthBy EXTERNAL on some OSs, where a SIGCHLD handler could prevent getting the return status of the external process. The result would be no reply to the request.
  • Improved the sort ordering of IP addresses in radacct.cgi.
  • Rationalised some code in Nas.pm to make it smaller and easier to maintain, and to facilitate a future internal SNMP client. Also added some snmpwalk support and activeSessions support.
  • Added a 20 second timeout to the internal finger client.
  • Added handling of Ascend-Access-Event-Request, which can be used to verify that an SQL SessionDatabase is in sync with reality.
  • Deleting a user from a DBM file with builddbm -d username left an empty user entry, rather than deleting it.
  • Added new special characters %b %o %e %f %g %i %j %k %p for time components from the Timestamp of the current packet.
  • Changed default DupInterval to 2 seconds. This will still detect duplicates created by duplicate network paths, but a lost Access-Accept will no longer trigger many duplicate requests.
  • Ascend-Data-Filter addresses now default to /32 if the mask length is not specified, eg "ip in drop dstip 1.2.3.4" is equivalent to "ip in drop dstip 1.2.3.4/32".
  • Improved error recovery during log file parsing so that an unknown object won't silently cause the rest of the file to be ignored.
  • Binary distribution file changed to .tgz extension to prevent problems unpacking on PCs.
  • Improvements to getNasId so it will get an address even if NAS-IP-Address is absent and NAS-Identifier does not include an IP address. Some NASs do not conform to the Radius spec and this helps with those NASs.
  • Added support for NasType of NortelCVX1800. Contributed by James H. Thompson (jht at lj.net). Thanks James.
  • AuthBy RADIUS will now do round-robin proxying for host names with multiple IP addresses. DNS names for proxy Radius hosts are resolved at startup time.
  • Changes to API standard for findUser in authentication modules allow you to detect database failure, as opposed to "no such user", useful for LDAP and similar to fall back to other LDAP databases.
Revision 2.13.1 (18/3/99) Consolidation of some minor bug fixes
  • MaxSessions exceeded message now includes user name.
  • Fixed a problem with PreAuthHook and PostAuthHook that prevented them being called.
  • Added new %U formatting character that gives the user name with the realm stripped off. Contributed by Stephen Roderick (steve at proaxis.com). Thanks Stephen.
  • Added parameter values in the form file:"filename" which will load the value from an external file. Probably most useful for putting long code fragments for the hooks in an external file:
    PreAuthHook file:"hook.pl"
    From a suggestion and code fragment from Lars (lmb at teuto.net). Thanks Lars.
  • Added auto indexing to the FAQ.
  • AuthBy PLATYPUS and AuthBy EMERALD now honour AuthColumnDef and AuthSelect to handle _extra_ columns returned from the standard select statement.
  • Added support for Xyplex sim-use checking with finger, with assistance of Nikos Aslanakis (aslan at spark.net.gr). Thanks Nikos.
  • Fixed some typos in emerald.cfg that broke Acct-Terminate-Cause.
  • Handler.pm was choosing the wrong handler.
  • Added AddATDefaults parameter to AuthBy EMERALD. Contributed by Andrew Ruthven. The contents of RadATConfigs are only added if AddATDefaults is defined in the configuration file. Thanks Andrew.
  • Added NoDefaultIfFound to AuthGeneric.pm, which stops Radiator looking for any DEFAULT users if an entry for the user was found but their check items failed.
  • Fixed a problem that prevented PreClientHook being called.
  • Added new AuthBy CDB contributed by Pedro Melo. CDB is a fast, reliable, lightweight package for creating and reading constant databases. More details about CDB at ftp://koobera.math.uic.edu/www/cdb.html Thanks Pedro!
  • Fixed some problems where the current trace level was misreported when the trace level was changed with SIGUSR1 and SIGUSR2.
  • SNMP was reporting UpTime as an integer instead of timeticks.
Revision 2.13 (17/2/99) Lots of new features, some bug fixes.
  • Added SNMP Agent. Now supports SNMP V1 requests as per draft-ietf-radius-servmib-04.txt. That means that you can get various types of server statistics, and even reset the server using SNMP. You might want to use MRTG or similar for monitoring your server.
  • Added AuthBy RODOPI and example rodopi.cfg. Rodopi is quite a mature NT/MS-SQL based billing system with a Java/web GUI.
  • Added new configurable and subclassable logging modules: Log FILE, Log SYSLOG and Log SQL. You can now log to any and all places at the same time, plus easily add your own logging modules.
  • Simultaneous use check with finger for Portslave, Ascend, Shiva or Computone now defaults to using an internal perl finger client. You can still force it to use an external finger program by specifying FingerProg in the config file. The internal client improves portability to NT, and will improve performance, since it avoids the cost of starting an external program.
  • Rationalised reporting and logging of rejections: Auth*::handle_request now also returns a reason message, which can optionally be replied to the user with the new Handler keyword RejectHasReason.
  • All AuthBy modules now do their logging through a virtual log() function in AuthGeneric, which allows you to override with your own AuthBy specific error logging function. Suggested by Andrea Campi (andrea at planet.it). Thanks Andrea.
  • Added AuthTACACSPLUS to authenticate against a Tacacs Plus server. Requires the Authen::TacacsPlus module from CPAN. We used the version in TacacsPlus-0.15.tar.gz. If it is not on CPAN, it is available from the author.
  • Status-Server message now returns all server and per-client statistics.
  • AuthBy NT can now authenticate from an NT domain controller, even when Radiator is running on Unix. Requires the Authen::Smb package from CPAN.
  • Testing with Security Dynamics ACE/Server Radius (also known as SecurID). Their radius server is very limited, but Radiator can proxy to it fine, and handles the Access-Challenges that are used to set and change PINs etc.
  • Testing with Freeside, a free Unix based ISP billing package. Example freeside.cfg created.
  • Forgot to mention previously the addition of several hooks that allow you to get control with your own perl code during authentication: PreClientHook, PreHandlerHook and PreAuthHook, PostAuthHook.
  • Changed the default Framed-IP-Address in radpwtst.
  • Fixed problem with cached attributes that meant that when a username was rewritten, it was not actually changed in the packet, which made the detail file log incorrectly.
  • Added "delete session" link to radwho.cgi so that bogus sessions can be manually deleted.
  • Added AuthBy GROUP, which allows authentication clauses to be bundled and grouped to any depth. It's intended for experimenters and early adopters. It only understands AuthByPolicy, StripFromReply, AddToReply and DefaultReply so far. Feedback is solicited.
  • Fixed some bugs in radpwtst -gui mode that caused locked windows, false timeouts etc. Now works with Perl 5.005 and Tk800.011 on Unix. Still doesn't work on Win95 (looks like Tk file handlers are still not right on Win95).
  • Fixed problems with wtmp format on Linux that prevented who and last from working.
  • Created mysqlCreate.sql which correctly builds indexes for mysql.
  • Added indexes to all SQL scripts in goodies
  • Can now define AuthBy clauses at the top level, and refer to them and reuse them with the AuthBy parameter. Good for reusing complicated SQL database definitions (and reducing the number of SQL licenses required). From a suggestion by Stephen Roderick (steve at proaxis.com). Thanks Steve.
  • Added support for binary data type in dictionaries. Especially for use in Proxy-State which can otherwise get trailing NULs stripped off.
  • radwho.cgi now shows the total number of users online, and optionally presents a hotlink to force a user off a NAS, by calling an external program you specify (not supplied).
  • Added NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS. From patches supplied by Vincent Gillet (vgi at oleane.net). Thanks Vincent.
  • Makefile.PL can now do installation on Win95 hosts. No need to use make any more on Win95 (many people don't have it).
  • Added LocalAddress to AuthRADIUS, which forces the proxy forwarding port to bind to a particular address. Defaults to the same as BindAddress. Useful for multi-homed hosts. Patch supplied by Lars (lmb at pointer.teuto.de). Thanks Lars.
  • Improved performance of all Hooks by precompiling the code. From a suggestion by Lars (lmb at pointer.teuto.de). Thanks Lars.
  • Improved robustness of the session databases in the face of lost stop packets. Now a stop packet will always remove any previous session that we thought was on that NAS/Port combination. This will make the session database "self-healing". Your existing DBM session database will have to be deleted: the database format for DBM is changed. The table format for the SQL session database is the same, but the indexes have changed: you should probably recreate them if you are using SQL. Also changed radwho.cgi to be compatible with the new DBM database format.
  • Expiration now understands dates of the form dd/mm/yy(yy), since some SQL databases produce dates in that form.
  • Improved robustness of SQL connections, and reconnection during database outages. Prevent crashes when MS-SQL disconnects.
  • SQL does not use ping anymore, and will therefore work with DBD-ODBC 0.20 and MS-SQL. It's also faster.
  • Included Vincent Gillet's AddToReplyIfNotExist.patch to the goodies directory. This patch adds attributes to a reply _only_ if they dont already exist. Thanks Vincent.
  • Testing on Red Hat 5.2. No changes required.
  • Testing with Interbiller 98, a reasonable, inexpensive ISP billing package. goodies/interbiller.cfg created.
  • Added FramedGroup for all AuthBy clauses, similar in behaviour to Framed-Group, but applying to all requests accepted by an AuthBy clause. Contributed by Garry Shtern (shterng at akula.com). Thanks Garry.
  • Testing on Rhapsody. OK, but building MD5 is non-standard. See the FAQ for details.
  • Fixed problem where accounting info would be stored twice if the Handler forked (such as AuthBy IPASS)
  • Fixed typo in AuthBy IPASS that prevented Acct-Session-Time being properly sent to IPASS.
  • Fixed a problem in SessSQL.pm, where if a session proved to be bogus, SessSQL tried to delete a different session. Reported by Andrea Campi (andrea at planet.it). Thanks Andrea.
  • Added contribution from Todd A. Green (tagreen at ixl.com): a new sorter in radwho.cgi that will sort by IP addresses and mixed Alpha-numeric NAS-Ports (eg for USR/3COM ). Thanks Todd.
  • AuthBy UNIX now correctly uses the password file and group file when checking for primary group membership, instead of using getpwnam etc.
  • AuthBy PLATYPUS now honours AcctColumnDef. It allows you to log extra columns from Accounting Stops in the same way as AuthBy SQL. Suggested by Ricardo Freire (ricardo at allways.com.br). Thanks Ricardo.
  • Testing with DBI Proxy from Unix to NT. OK.
  • Added AcceptIfMissing parameter to AuthBy FILE and AuthBy DBFILE. It will automatically accept a user if they are not in the users file. If they are in the users file, it will accept them if and only if their check items pass in the usual way. Useful for applying additional checks on a subset of your user population. Note that on its own it accepts any user who is not listed, so it belongs after another AuthBy that has already authenticated everyone.
  • Added FramedGroupMaxPortsPerClassC to Client, so you can compute Framed-IP-Address on a NAS with more than 255 ports.
  • Example config to work with Freeside, a free ISP billing package for Unix. See goodies/freeside.cfg
  • AuthBy SQL and PLATYPUS now use the DBI quote function to correctly handle quotes embedded in string data that is inserted with an AcctColumnDef, so such data can no longer break the SQL statement or be interpreted as SQL.
  • Support Shiva LanRover sim-use detection using finger. Also added detection of config errors for all uses of finger, and runtime errors with snmpget.
  • Fixed a problem with Ascend binary filters: if the 'drop' keyword was used, it would build an invalid filter.
  • AcctColumnDef will not insert attributes that are not present in the request. Previously, it would insert NULL, which upset peoples ability to define column defaults, and to build indexes.
  • Added VSAs for ACC to dictionary. Courtesy Ingvar Berg (ERA) (Ingvar.Berg at era.ericsson.se). Thanks Ingvar.
  • Added NasType AscendSNMP that will check Ascend with SNMP instead of finger.
  • Added nasclear.cgi to goodies directory. It's a CGI script that shows all the unique NASs in your SQL Session Database, and allows you to clear all sessions for a NAS. Contributed by Aaron Holtz (aholtz at bright.net). Thanks Aaron.
  • Default behaviour when no handler is found changed from IGNORE to REJECT.
  • Auth-Type=Reject now propagates correctly back through chains of authenticators. Previously, if the chain was more than 1 deep, an immediate reject would be turned back into an ordinary rejection. Thanks to Aaron Holtz for reporting this one.
  • Fixed a problem with AuthEXTERNAL that prevented it working properly on NT. Also made example config file and example external program for EXTERNAL in goodies, demonstrating the protocol for passing and receiving attributes.
  • Added optional format argument to AcctColumnDef, so you can set up SQL-specific conversions etc.
  • PostAuthHook is now given a third arg saying what the result of the authentication is.
  • Completed support for SHA encrypted password. Contributed by Justin Daminato (jd at ozemail.camtech.net.au)
  • Quoted Check and reply items can now have escaped octals in them like
    Tunnel-Server-Endpoint = "\000191.165.126.240 fr:20"
    (thats a NULL as the first octet in the string) Which is useful for adding tags to the front of Tunnel attributes like the above.
  • Added AuthBy LDAP2, which uses Net::LDAP from perl-ldap-0.09 or better. The previous version AuthBy LDAP is now deprecated (since the Net::LDAPapi it uses is now deprecated).
  • Added DecryptPassword parameter to AuthBy EXTERNAL, which makes it decrypt User-Password before passing it to the external program.
  • Testing with Bay Annex Server and tunelling, with the help of Stephen Ollis. Thanks Stephen.
  • Now handle Prefix and Suffix check items.
  • Added new AcctColumnDef type "formatted-date" that uses Date::Format to build arbitrary date formats. Especially useful for Oracle's odd date behaviour:
    AcctColumnDef	TIME_STAMP,Timestamp,formatted-date,to_date\
     ('%e %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')
  • AcctColumnDef type integer-date now formats dates in the format 'Sep 3, 1995 13:37', i.e. the full year including the century is now included. Previously it would produce 'Sep 3, 99 13:37', which was not Y2K compliant. If this breaks your accounting table, consider using the new formatted-date type described above.
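The escaped-octal syntax for quoted check and reply items exists so that a tag octet can be placed in front of a tagged Tunnel attribute. The Python below is an added example, not Radiator code: it decodes the \ooo escapes in a quoted item value and packs the result as an RFC 2868 tagged string attribute, keeping the leading NUL (tag 0x00, meaning untagged) that a naive string would lose. The attribute number 67 for Tunnel-Server-Endpoint and the tag range 0x01-0x1F are from RFC 2868; the function names are this example's own.

```python
import re
import struct
from typing import Optional, Tuple

# Added example; not Radiator code. Only the \ooo octal escapes described in
# the notes are handled; any other backslash sequence is left untouched.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

TUNNEL_SERVER_ENDPOINT = 67  # attribute number from RFC 2868


def unescape_item_value(quoted: str) -> bytes:
    """Turn the text between the quotes of a check/reply item into raw octets."""
    def octet(m: "re.Match[str]") -> str:
        value = int(m.group(1), 8)
        if value > 0xFF:
            raise ValueError("octal escape above \\377: %s" % m.group(0))
        return chr(value)
    return OCTAL_ESCAPE.sub(octet, quoted).encode("latin-1")  # one octet per char


def encode_tagged_string(attr_type: int, value: bytes) -> bytes:
    """Pack an RFC 2868 tagged string attribute: Type, Length, Tag+String.

    The first octet of value is the tag: 0x00 means untagged, 0x01-0x1F
    selects a tunnel; anything above 0x1F is read as part of the string.
    """
    if not value:
        raise ValueError("empty attribute value")
    length = 2 + len(value)
    if length > 255:
        raise ValueError("attribute too long for the one-octet length field")
    return struct.pack("!BB", attr_type, length) + value


def decode_tagged_string(attr: bytes) -> Tuple[int, Optional[int], bytes]:
    """Inverse of encode_tagged_string: returns (type, tag or None, string)."""
    if len(attr) < 3 or attr[1] != len(attr):
        raise ValueError("malformed attribute")
    attr_type, payload = attr[0], attr[2:]
    if payload[0] <= 0x1F:
        return attr_type, payload[0], payload[1:]
    return attr_type, None, payload  # no tag present


def build_tunnel_server_endpoint(item_value: str) -> bytes:
    """Encode a quoted Tunnel-Server-Endpoint item value as wire bytes."""
    return encode_tagged_string(TUNNEL_SERVER_ENDPOINT, unescape_item_value(item_value))
```

The decoder shows the trap on the receiving side: because a first octet above 0x1F is part of the string, a value whose address happens to start with a byte of 0x1F or less needs an explicit tag to be parsed as intended.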
Revision 2.12.1 (21/10/98) Minor release for some desperately required features.
  • Added support for Ascend's Tunnel-Password according to http://ftp.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-06.txt
  • AuthBy RADIUS now supports multiple Hosts. It will try to forward to the each host in the list until it gets a reply from one, or until the list is exhausted.
  • Fixed a bug that causes a crash when Handlers are tested.
  • radpwtst now generates its default identifier from the current time, which causes less confusion if you dont have DupInterval set to 0.
  • New version of IpassPerl that checks the ipass libraries are installed before the Makefile is built.
  • Added -t dbmtype flag to builddbm and buildsql to force them to use a certain DB file format, instead of accepting the "best" one that AnyDBM_File would choose. radwho.cgi, SessDBM.pm and AuthDBFILE.pm can also be configured to easily specify the type.
  • Fixed problems with MS-SQL 7 and AuthBy EMERALD, where integers such as account_id and attribute numbers are read as floating point.
  • Fixed a Y2K compliance issue in formatSQLDate.
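Tunnel-Password is protected differently from User-Password: the keystream is seeded with a two-octet salt as well as the Request Authenticator, so the same password in different packets does not produce the same ciphertext. The Python below is an added example, not Radiator code, implementing the encryption and decryption from RFC 2868 section 3.5, the published form of the draft referenced above; it assumes the -06 draft's algorithm matches the RFC. The function names, and the shared secret and Request Authenticator used in the test, are this example's own constructions.

```python
import hashlib
import os
from typing import Optional, Tuple

# Added example; not Radiator code. Tunnel-Password per RFC 2868 section 3.5:
#   value = Tag(1) | Salt(2, high bit of first octet set) | c1..cn
#   b1 = MD5(secret + request_authenticator + salt)   c1 = p1 XOR b1
#   bi = MD5(secret + c(i-1))                         ci = pi XOR bi
# where p is a length octet followed by the password, zero-padded to 16 octets.


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_salt() -> bytes:
    """Random two-octet salt; the high bit of the first octet MUST be set."""
    first, second = os.urandom(2)
    return bytes([0x80 | first, second])


def tunnel_password_encrypt(secret: bytes, request_authenticator: bytes,
                            password: bytes, tag: int = 0,
                            salt: Optional[bytes] = None) -> bytes:
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (untagged) or 0x01-0x1F")
    if len(password) > 255:
        raise ValueError("password longer than the one-octet length field allows")
    salt = new_salt() if salt is None else salt
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two octets with the high bit set")
    plain = bytes([len(password)]) + password
    plain += b"\0" * (-len(plain) % 16)  # pad to a whole number of blocks
    out = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = _xor(plain[i:i + 16], block)
        out += cipher
        prev = cipher  # next block is chained on this ciphertext block
    return bytes([tag]) + salt + bytes(out)


def tunnel_password_decrypt(secret: bytes, request_authenticator: bytes,
                            value: bytes) -> Tuple[int, bytes]:
    if len(value) < 3 + 16 or (len(value) - 3) % 16:
        raise ValueError("ciphertext is not a whole number of 16-octet blocks")
    tag, salt, data = value[0], value[1:3], value[3:]
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += _xor(data[i:i + 16], block)
        prev = data[i:i + 16]
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet out of range: wrong secret or corrupt data")
    return tag, bytes(plain[1:1 + length])
```

The length-octet check is the only integrity signal this scheme offers, and it only catches a wrong secret some of the time; the real protection against tampering is the packet's Message-Authenticator or the Response Authenticator, not anything inside this attribute.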
Revision 2.12 (17/10/98) Major new features and some bug fixes
  • Added <SessionDatabase SQL>, so the external session database can be in SQL. This might be useful to coordinate multiple servers for Simultaneous-Use limits via SQL, or perhaps just to keep a "who is online" database handy. Also added radwho.cgi so you can see the current contents of a DBM or SQL Session Database.
  • Added new <Handler> class that allows you to choose how requests will be handled depending on any attribute of the packet, not just the realm. You can still use Realm; its backwards compatible. Realm is now a superclass of Handler, and Handler understands all the same parameters as Realm.
  • New AuthBy parameter DynamicCheck allows you to do % substitutions on check items prior to authentication. Now recognise DynamicReply as a synonym for Dynamic. Suggested by Tim Young (Tim_Young at compuware.com).
  • Removed hard-coded Radius attribute names from the code.
  • Performance improvements in attribute fetching.
  • Testing with OpenLinkODBC/iODBC for connectivity between Unix and MS-SQL without using Sybase client libs. Documentation in faq.html.
  • Default location for pid file changed from /tmp/radiusd.pid to %L/radiusd.pid as a security measure, since /tmp is world-writable and any local user could pre-create or replace the file there. Suggested by Andres Kroonmaa.
  • SQL AccountingTable can now contain special formatting characters, so table names based on the current year and month are possible, which might be very useful. Suggested by Nicholas Barrington (nbarrington at smart.net.au).
  • Fixed a problem that would prevent proxy working after a HUP.
  • Fixed 2 bugs identified by Andres Kroonmaa (andre at ml.ee) in AuthBy SYSTEM and AuthGeneric that prevented Group membership check items working in SYSTEM, and sometimes with DEFAULTs. Thanks Andres.
  • Fixed problem with signals on Win95 that prevents radiusd surviving as an NT service.
  • Fixed some typos in AuthPLATYPUS that caused crashes to do with formatSQLDate.
  • Fixed some problems with protocol and service specifications in Ascend Binary filters. Reported and diagnosed by Peter Chow. Thanks Peter.
  • Don't die if the log file fills up.
  • New parameter DomainController in AuthBy NT allows you to force it to use a particular Domain Controller, instead of asking on the network.
  • AuthIPASS, AuthEXTERNAL, AuthTEST and AuthNT did not honour StripFromReply, AddToReply or DefaultReply.
  • Added code contributed by Nicholas Barrington (nbarrington at smart.net.au) to AuthSQL. Implements AccountingStartsOnly and AcctSQLStatement, which allows you to execute arbitrary SQL statements for each accounting request.
  • Auth-Type=Reject now does an immediate reject: it will not fall through to any following DEFAULTs.
  • Added AcctLogFileFormat, so you can control the format of the accounting log file.
  • Fixed AuthGeneric so it wont leave zombie processes around. This mostly occurred with AuthBy IPASS.
  • Fixed a bug that prevented Total Control online checking from working properly.
  • Added SocketQueueLength parameter, so you can adjust the radius socket queue lengths.
  • Removed all uses of non-blocking IO, since too many operating systems don't support it properly.
  • Cleaned up test.pl. Regression tests now run on Win95 and NT. Adjusted documentation to suit.
  • Changes so AuthNT will work with ActiveState perl.
  • Added support for Bay to Nas.pm. Can now use Simultaneous-Use with Bay NASs.
  • DefaultReply was not getting % variable interpolation.
  • Cloned AuthBy LDAP into AuthBy LDAPSDK, which works with Netscape's new PerLDAP module and the latest LDAP SDK. PerLDAP is readily available as a downloadable module for ActiveState perl on NT. This is the easiest way to get LDAP working on NT without compiling your own modules.
  • PasswordLogFile now includes the current date and time in easy-to-read format, as well as in Unix seconds.
  • Documentation for RewriteFunction.
  • Fixed memory leak in AuthRADIUS that affected packets that are proxied and then exceed their retransmit count.
  • The log file directory will now be created if it does not exist. This makes it easy to have log files rotated into different directories.
  • Fixed problem where Simultaneous-Use would not work properly if you had Clients defined by DNS name instead of IP address.
  • Tested Platypus in RadiusNT compatibility mode against AuthBy EMERALD. Works fine.
  • AuthUNIX did not remove cached passwords if the user was removed from the password file.
  • Fixed a leak that affected some integer attributes during proxying on Perl 5.004.
Revision 2.11 (16/8/98) Major new features and some bug fixes
  • Applied some patches from Aaron Nabil that should have made it into 2.10:
    • correction to the users file with correct hiperarc filter syntax
    • fix for hiperarc not sending nas_id
    • patch to ignore false duplicate hiperarc sends on restart
    • fix to separate identifiers for different ports
  • Implement Auth-Type = Reject and Auth-Type = Ignore check items.
  • Patch from Shawn Instenes (shawni at teleport.com) to log more details of requests with bad authenticators.
  • Latest version of USR dictionary in dictionary.usr.
  • Standardised spelling of Van-Jacobson in all dictionaries.
  • Added patch from Aaron Nabil (nabil at spiritone.com) for hex dump of packets at trace level 5.
  • Fixed a bug where %C did nothing on some platforms.
  • Be tolerant of trailing white space in check and reply items
  • Added -v flag to buildsql to print out all SQL statements issued.
  • AuthBy SQL now ACCEPTS Accounting requests if no accounting table or columns are defined. It used to IGNORE, which was not very helpful.
  • test.pl now runs the test server on ports 9721 and 9722 so you can test on a live box. Thanks to a suggestion from Andres Kroonmaa (andre at ml.ee)
  • AddToReply and StripFromReply have been moved from RADIUS to Generic, so any AuthBy can use them now.
  • Check and reply items now silently ignore empty attr-val pairs
  • SQL database access has been abstracted out to a separate inheritable module SqlDb.pm, which has the database connect/reconnect and execute code in it. This will allow it to be reused to support SQL session database, client lists etc one day.
  • Rolled in AuthColumnDef mods contributed by Lars (lmb at teuto.net) in AuthSqlEXT.pm (which is therefore now obsolete). You can now have arbitrary check and reply items in multiple columns in your user database. For backwards compatibility, if no AuthColumnDef is defined, it will assume the columns are Password, Check Items, Reply Items, as in previous versions.
  • Fixes to AuthNT.pm so that it will correctly authenticate in the face of apparent errors that really mean that password policies are in force.
  • Added DefaultReply for all AuthBy, which specifies attributes to be returned only if they have none of their own. Contributed by Phil Freed (pfreed at cyberTours.com). Thanks Phil.
  • Added NIS+ authentication with AuthNISPLUS.pm
  • Following requests from Stephan Forseilles (sf at skynet.be) and others, added include file processing to config files. Thanks for the suggestion.
  • Altered Radius.pm, so it would not die due to badly mangled VSAs sent by 3COM Netserver cards at startup. Thanks to Aaron Nabil for helping to identify this one.
  • Mods to all executables so they will get the modules in the current directory in preference to any installed ones.
  • Some changes to radacct.cgi so it will work with SQL too. Not easily configurable, and not documented yet, but it works. Improvements are scheduled for later.
  • Fixed a bug with %{Attribute-Name} macros that could cause a crash.
  • Packet dumps at trace level 4 and 5 are now logged to the log file instead of only being printed to stdout.
  • AuthBy LDAP now produces more debuggin and error messages. Its now robust in the face of the LDAP server stopping.
  • Support optional encrypted passwords in databases where a plaintext password is normally expected. Supported formats are now:
    • unix crypt "{crypt}1xMKc0GIVUNbE"
    • Netscape SHA encryption "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
    • Linux MD5 password encryption "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
    • Plaintext
  • Added SSL support for LDAP. This is not supported on the Umich LDAP, as SSL is not supported there. You will need the Netscape SDK if you want SSL support.
  • SIGUSR1 increases trace level and SIGUSR2 decreases it for radiusd (suggested by Andrea Campi).
  • New AuthBy SYSTEM that authenticates with getpwnam and getgrnam from whatever your system's underlying username database is. This allows you to hide the authentication system, whether it's password files, NIS+, PAM or whatever else might be installed on your system. Not supported on Win95 or NT, or on systems with shadow password files.
  • Timestamp was being adjusted in the wrong direction by Acct-Delay-Time.
  • A few lingering "warn"s were changed to LOG_ERR.
  • Permit line continuations within a configuration file with \. After a suggestion by Richard Lennerts.
  • Can now do RewriteUsername on a global or per-Client basis as well as per-Realm.
  • New check item NAS-Address-Port-List specifies a file that contains a list of permitted NAS/Port combinations for the user.
  • Can now use the new Client parameter IdenticalClients to configure a large number of identical client configurations.
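The encrypted password formats listed under this revision are distinguished by their prefix ({crypt}, {SHA}, $1$ or none for plaintext). The following is an added example of a verifier that dispatches on that prefix; it is not Radiator's own code. It implements $1$ MD5-crypt inline so it runs offline, uses the optional `crypt` module for traditional {crypt} DES hashes (the module was removed in Python 3.13, so that branch may be unavailable), and the sample hashes it is tested with are constructed values, not real credentials. The salt in the page's "$1$cTpht$..." sample is used only to show salt extraction.

```python
"""Verify a candidate password against a prefix-tagged stored hash.

Added example, not Radiator's code. Schemes handled:
  {crypt}  traditional DES crypt (needs the optional 'crypt' module)
  {SHA}    Netscape-style unsalted base64(SHA-1)
  $1$      MD5-crypt (salted, 1000 rounds), implemented inline
  other    plaintext
"""
import base64
import hashlib
import hmac

try:                    # 'crypt' is deprecated in 3.11 and gone in 3.13
    import crypt
except ImportError:
    crypt = None

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3) base-64 variant: low 6 bits first, 'count' characters."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """$1$ MD5-crypt. 'salt' may be a bare salt or a full $1$salt$hash string."""
    pw = password.encode()
    magic = b"$1$"
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt_b = salt.split("$", 1)[0][:8].encode()   # at most 8 salt characters

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                          # len(pw) bytes of alt digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                      # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                         # stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + encoded


def make_sha_hash(password):
    """Netscape {SHA}: unsalted, unstretched SHA-1, so identical passwords collide."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def password_scheme(stored):
    """Name the scheme a stored value uses, judged by its prefix."""
    if stored.startswith("{crypt}"):
        return "crypt"
    if stored.startswith("{SHA}"):
        return "sha"
    if stored.startswith("$1$"):
        return "md5crypt"
    return "plaintext"


def verify_password(candidate, stored):
    """True if candidate matches stored; all comparisons are constant-time."""
    scheme = password_scheme(stored)
    if scheme == "crypt":
        if crypt is None:
            return False                          # DES crypt not available here
        reference = stored[len("{crypt}"):]
        return hmac.compare_digest(crypt.crypt(candidate, reference).encode(),
                                   reference.encode())
    if scheme == "sha":
        return hmac.compare_digest(make_sha_hash(candidate).encode(), stored.encode())
    if scheme == "md5crypt":
        return hmac.compare_digest(md5crypt(candidate, stored).encode(), stored.encode())
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    sample = md5crypt("correct horse", "cTpht")   # constructed sample
    print(sample, verify_password("correct horse", sample), verify_password("wrong", sample))
```

Of the four schemes, only $1$ carries a salt and an iteration count; {SHA} and plaintext give an attacker who obtains the database an immediate lookup, which is the reason to migrate stored values towards the salted form when the NAS and client mix permits it.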
Revision 2.10 (13/7/98) Major new features.
  • Now works with Emerald (http://www.emerald.iea.com), both authentication and accounting. Includes a new EMERALD AuthBy module and example config file in goodies/emerald.cfg
  • Now works with Platypus (http://www.boardtown.com), both authentication and accounting. Includes a new PLATYPUS AuthBy module and example config file in goodies/platypus.cfg
  • Generalised the Session Database for Simultaneous-Use limits. There is now a SessGeneric.pm abstract class and SessINTERNAL and SessDBM implementations. This means you can now enforce Simultaneous-Use limits across multiple instances of Radiator. The code structure is similar to the Auth... modules, and adding new database formats is fairly simple. The default is INTERNAL as before.
  • Added support for Connect-Rate check item, that specifies a max Connect-Info speed permitted for the user.
  • Added automatic IP Address allocation with new FramedGroupBaseAddress parameter in Client, and new Framed-Group pseudo-reply item.
  • Accounting packets now always get a Timestamp added to them when received. (Suggestion of Guilherme Maranhao (guiga at rio.com.br))
  • Some minor changes to Realm.pm to make it a bit more economical of memory.
  • Added patch from Aaron Nabil (nabil at spiritone.com) which provides new -bind_address argument to radiusd and BindAddress parameter that allows radiusd to only bind to a single address for multi-homed hosts. Thanks Aaron.
  • Added patch from Aaron Nabil (nabil at spiritone.com) which provides SIGTERM handling to shut down cleanly. Thanks Aaron.
  • Changed a number of 'die's into 'warn'. We now try very hard never to stop unless it's completely impossible to go on.
  • Added PasswordLogFileName to Realm. If defined, every login attempt will be logged to the file. Useful for your help desk to diagnose user login problems. Based on a request from Stephan Forseilles (sf at skynet.be).
  • Fixed a bug in Radius::unpack. Malformed radius packets could cause an infinite loop that would exhaust all memory.
  • Redid performance tests in a more realistic environment, resulting in significantly improved throughput figures.
  • Added detection of Livingston reboot messages (a Start with Acct-Session-Id = '00000000')
  • Added realtime online user detection for Ascend (with finger), Computone (with finger) and Cisco (with snmp)
  • Added general attribute replacements, so that for example %{Framed-IP-Address} is the same as %a. Contributed by Lars (lmb at pointer.teuto.de). Thanks.
  • AuthRADIUS now logs IP addresses instead of binary. Contributed by Kurt Jaeger (pi at complx.LF.net)
  • SQL Accounting can now convert Timestamp values into SQL dates.
  • Upgraded dictionary.ascend to be in line with latest from Ascend.
  • Tested LDAP on NT with the NETSCAPE DIRECTORY SDK 1.0 and the Net::LDAPapi Windows NT Binaries v1.40 from http://www.wwa.com/~donley/netldap.html
  • AuthBy FILE and AuthBy DBFILE can now use per-request replacements like %n in their Filename. Thanks to Paul Rhodes (paul at atlas.net.uk).
  • Implement Ascend-Send-Secret reply item. Thanks to Paul Rhodes (paul at atlas.net.uk) for this contribution.
  • Changed default DupInterval to 60 secs.
  • Altered all DBM accesses to use AnyDBM_File, which will choose the 'best' DBM file format available on the host machine.
  • New AuthSQL parameter AccountingStopsOnly, which makes AuthBy SQL log only Accounting Stop requests: all other accounting requests are accepted but not logged.
  • Testing with postgreSQL, documentation.
  • radacct.cgi now uses CGI.pm, instead of cgi-lib.pl, for better portability.
Revision 2.9.1 (23/6/98) Minor bugfix release
  • Fixed bug that altered username in the request when cascading from AuthBy SQL to any other AuthBy method. This only affected cascaded authentications where SQL was not the last method.
  • Altered dictionary.ascend so that Password appears as User-Password, which fixes authentication problems with that dictionary.
  • Applied patch from Aaron Nabil (nabil at spiritone.com) to issue warnings when dictionary integer attributes are missing.
  • Removed some perl5.004 features that inadvertently prevented radiusd running on 5.003.
  • Fixed a memory leak in RDict.pm
Revision 2.9 (14/6/98) Mostly new features:
  • Added restartWrapper to goodies. Can be used to automatically restart radiusd (or any other program) if it stops unexpectedly and optionally email someone.
  • radiusd can now be started automatically by (x)inetd: if stdin is a socket, it assumes it is running under inetd and uses stdin as the authentication port socket.
  • Fixed test.pl so radiusd will not incorrectly load previously installed library modules.
  • In AuthSQL, If the password (or encrypted password) column for a user is NULL in the database, then any password will be accepted for that user.
  • AuthNT now honours the NT account disabled flag. If you check the "Account Disabled" checkbox in the NT User Manager, they won't be able to authenticate. Also AuthNT correctly queries the right Domain Controller, and Group membership is checked against the Global Group (not the Local Group).
  • Some NASs append a NUL to string attributes, contrary to the spec. We now always strip trailing NULs from incoming string attributes.
  • Can now have any number of RewriteUsername lines in a Realm. The rewrites are applied in the order they appear in the config file.
  • radacct.cgi now has a secure option that allows your customers to see only their own usage details on a web page
  • Added RewriteFunction to Realm to define a function that will rewrite user names. If defined, it's used in preference to RewriteUsername.
  • AuthBy UNIX was incorrectly reading the password file twice at startup. Thanks to tom at interact.net.au for reporting this.
  • Now can have any number of AcctLogFileName in each Realm, which allows you to have multiple log files for each realm. Thanks to shawni at teleport.com for this patch.
  • AuthBy FILE and AuthBy UNIX now reread and cache their files if their modification time changes while the server is running. AuthBy UNIX now honours Nocache too.
  • Now handles Accounting On and Off messages. Accounting On clears all the sessions from that NAS. Radpwtst is also able to send Accounting On and Accounting Off now. Contributed by nabil at spiritone.com. Thanks Aaron.
  • Added SNMPCommunity to Client. Thanks to Andrea Campi (andrea at webcom.it) for the suggestion.
  • Added AccountingHandled from shawni at teleport.com. This forces Radiator to reply to Accounting request even if they would have been ignored. Useful for ignoring Accounting requests while keeping the NAS happy. Thanks Shawn.
  • Now works with clients that don't provide RFC 2138 compliant passwords (some clients, notably some versions of radcheck, don't pad passwords to 16 bytes as they should).
  • Added %a to special formatting characters for the Framed-IP-Address of the current request (if any) (Contributed by nabil at spiritone.com)
  • Added new attributes to AuthBy. UseAddressHint forces Radiator to honour a Framed-IP-Address in the request unless it is overridden by a Framed-IP-Address in the reply items. Dynamic specifies reply attributes that will get run-time variable substitution. Both of these contributed by nabil at spiritone.com, and can be used together with the new %a to build anti-spoofing filters.
  • New AuthBy modules contributed by nabil at spiritone.com are included in the goodies directory for exact Livingston user file compatibility (AuthCOMPAT.pm) and for Digital Unix NDBM passwd files (AuthDBUNIX.pm). Thanks a heap Aaron!
  • Added new Realm attribute: AuthByPolicy allows you to control the behaviour of cascaded authentication modules.
  • buildsql now can build an SQL database out of flat files and DBM files, as well as Unix password files.
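Two items under this revision concern the wire form of User-Password: RFC 2138 requires the password to be NUL-padded to a multiple of 16 octets before it is XORed with the MD5 keystream, yet some clients send only as many octets as the password has, and some NASs append a trailing NUL to string attributes. The following is an added example, not Radiator's code, of hiding and recovering User-Password in a way that accepts both the compliant and the short form and strips trailing NULs on the way out. The shared secret, Request Authenticator and passwords are constructed sample values.

```python
"""RFC 2138 section 5.2 User-Password hiding, tolerant of unpadded input.

Added example, not Radiator's code. Keystream blocks are chained on the
previous ciphertext block:  b1 = MD5(S + RA), b(i) = MD5(S + c(i-1)).
"""
import hashlib


def hide_password(password, secret, authenticator, pad=True):
    """Return the obfuscated User-Password octets.

    pad=True   RFC 2138 behaviour: NUL-pad to a multiple of 16 (at least 16).
    pad=False  reproduces the non-compliant clients mentioned above, which
               send exactly len(password) octets.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if pad:
        blocks = max(1, (len(password) + 15) // 16)
        password = password.ljust(blocks * 16, b"\0")
    out = b""
    prev = authenticator
    for i in range(0, len(password), 16):
        chunk = password[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(chunk, key))   # zip stops at len(chunk)
        out += cipher
        prev = cipher
    return out


def recover_password(hidden, secret, authenticator):
    """Invert hide_password. A short final block is XORed against the first
    len(block) keystream octets; trailing NULs (padding, or a NUL appended by
    a non-compliant NAS) are removed from the result."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\0")


if __name__ == "__main__":
    secret = b"constructed-secret"          # sample value
    authenticator = bytes(range(16))        # sample Request Authenticator
    compliant = hide_password(b"pw", secret, authenticator)
    short = hide_password(b"pw", secret, authenticator, pad=False)
    print(len(compliant), len(short),
          recover_password(compliant, secret, authenticator),
          recover_password(short, secret, authenticator))
```

A decoder that insists on whole 16-octet blocks would reject the short form outright; one that silently truncates would accept a wrong password length. Handling the partial block explicitly, as above, keeps the lenient behaviour the item describes without guessing at missing octets.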
Revision 2.8 (7/5/98)
  • Added IPASS authentication. Supports both outbound and inbound authentication and accounting with iPASS
  • Added Simultaneous-Use check item for users, which can be either an integer or a filename that contains an integer.
  • Added real interrogation of NASs for Simultaneous-Use verification, similar to Cistron. New Client config parameter NasType added. New global config parameters SnmpgetProg, FingerProg, PmwhoProg, LivingstonMIB, LivingstonOffs and LivingstonHole added.
  • Revamped the SQL accounting table specification to be more regular and scalable. Now specify one or more AcctColumnDef lines to specify the attributes to be stored, the column names to store them in and optionally a data type. Thanks to Phil Freed for the original idea and code.
  • Most check items can now be perl regular expressions too.
  • Attribute-value parser is smarter: can now have embedded commas and escaped double quotes inside check and reply items.
  • Added Time check item to support multiple time bands on different days like: Time = "MoTuWe0800-1530,Wk2200-0400"
  • Added more debugging info
  • Added new Fork parameter which forces authentication modules to fork before handling the request. Use with care.
  • Added -timeout argument to radpwtst
  • Tested ODBC with Oracle and Sybase on Solaris with Intersolve DataDirect ODBC manager and Microsoft SQL 6.5 on NT.
  • Testing with the latest version of DBD for mSQL and mysql from Msql-Mysql-modules-1.1828. Older versions named like DBD-mSQL-0.65 did not work properly when getting the names of fields from a select which would break the new accounting table behaviour in AuthSQL.pm
  • Added Client DefaultRealm for handling realmless request on the basis of which NAS they arrived on. Thanks to Phil Freed for the code.
  • Added Table of Contents in reference manual.
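The Time check item introduced in this revision, Time = "MoTuWe0800-1530,Wk2200-0400", packs day tokens and an HHMM range into each comma-separated band. The following is an added example of a parser and evaluator for that syntax; it is not Radiator's own implementation, and its semantics are assumptions: 'Wk' means Monday to Friday, the start minute is inclusive and the end minute exclusive, and a band whose end precedes its start (2200-0400) wraps past midnight, covering 22:00-24:00 and 00:00-04:00 on each listed day. Day tokens other than those in the page's example plus the remaining weekday abbreviations are not recognised.

```python
"""Parse and evaluate a Time check item such as "MoTuWe0800-1530,Wk2200-0400".

Added example, not Radiator's code. Assumed semantics are noted inline.
"""
import re
from datetime import datetime

DAYS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
DAY_TOKEN = r"Mo|Tu|We|Th|Fr|Sa|Su|Wk"
BAND_RE = re.compile(r"^((?:%s)+)(\d{4})-(\d{4})$" % DAY_TOKEN)


def _to_minutes(hhmm):
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or minutes > 59 or (hours == 24 and minutes != 0):
        raise ValueError("bad time of day: %s" % hhmm)
    return hours * 60 + minutes


def parse_time_item(spec):
    """Return a list of (weekdays, start_minute, end_minute) bands.

    weekdays uses datetime.weekday() numbering (Monday = 0).
    Assumption: 'Wk' expands to Monday..Friday.
    """
    bands = []
    for band in spec.split(","):
        m = BAND_RE.match(band.strip())
        if not m:
            raise ValueError("bad Time band: %r" % band)
        day_tokens, start, end = m.groups()
        days = set()
        for tok in re.findall(DAY_TOKEN, day_tokens):
            days.update(range(0, 5) if tok == "Wk" else [DAYS[tok]])
        bands.append((days, _to_minutes(start), _to_minutes(end)))
    return bands


def is_valid_time_item(spec):
    """True if the whole item parses; used to reject a malformed check item
    at configuration time rather than at the first login."""
    try:
        parse_time_item(spec)
        return True
    except ValueError:
        return False


def time_permits(spec, when):
    """True if datetime 'when' falls inside any band of the Time check item.

    Assumptions: start inclusive, end exclusive; a band with end < start
    wraps midnight and is evaluated as [start, 24:00) or [00:00, end) on
    each of its listed days.
    """
    minute = when.hour * 60 + when.minute
    weekday = when.weekday()
    for days, start, end in parse_time_item(spec):
        if weekday not in days:
            continue
        if start <= end:
            if start <= minute < end:
                return True
        elif minute >= start or minute < end:       # wraps past midnight
            return True
    return False


if __name__ == "__main__":
    item = "MoTuWe0800-1530,Wk2200-0400"
    for when in (datetime(2024, 1, 1, 9, 0), datetime(2024, 1, 5, 23, 0),
                 datetime(2024, 1, 6, 23, 0)):
        print(when.strftime("%a %H:%M"), time_permits(item, when))
```

Because the wrap-around rule is not spelled out by the item's syntax, a deployment should test an overnight band at both ends (just after the start and just before the end on the following calendar day) before relying on it for access control.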
Revision 2.7 (18/4/98)
  • Added AuthBy EXTERNAL, which allows requests to be handled by an external program whose command line you can specify.
  • Added chaining of AuthBy modules: You can now specify more than one AuthBy clause for a Realm, and it will try each one in turn until one succeeds (ie returns other than IGNORE). This is especially good for recording proxied accounting requests to SQL.
  • AuthBy handlers can now return CHALLENGE for an Access-Request, which will cause an Access-Challenge to be replied.
  • Testing with Sybase, created a sybaseCreate.sql. Documentation for Sybase.
  • Applied patches from Steve Davies to fix interop problem with Merit 3.5.6. Thanks Steve.
  • Latest version of USR dictionary.
  • Handling of Group check items now conforms to Lucent and Cistron behaviour: for cascaded UNIX modules the /etc/group file is checked. The old behaviour that checked for the Group in the reply items is not supported now. Added new GroupFilename to UNIX module.
  • Added Group handling to NT module: it uses LocalGroupIsMember to determine whether the user is in a Group if a Group check item is specified. Documentation and faq entry.
  • Added buildsql utility, which can create and update an SQL database from a UNIX password file (DBM file or flat files coming soon).
Revision 2.6 (5/4/98)
  • Added Windows NT authentication.
  • Added support for Ascend abinary type attributes, as used in Ascend-Data-Filter and Ascend-Call-Filter, both in and out. Includes the new IPX filter support.
  • Added support for USR/3COM vendor-specific attributes
  • Updates to some dictionaries
  • The value for VENDORATTR in dictionaries can now be hex or decimal.
  • Radius.pm now uses main::log consistently
  • Fixed memory leak in Select that affected timeouts.
Revision 2.5 (28/3/98)
  • Added CGI script for usage summaries of accounting logs, including drill-down to per-user and per-session details. Useful for billing summaries, or for investigating service problems.
  • Removed code from builddbm that made it grow in size according to how many users in the database. It now stays the same size, regardless of how many users.
  • FAQ was missing from distribution
  • radpwtst now increments session_id after each Accounting Stop
  • Minor changes to dictionary for ascend compatibility
  • Added support for multiple databases and fallback to SQL
  • Fixed bug that prevented StripFromReply working properly
  • Fixed an interoperation problem with Merit: if we replied with Proxy-State but not Proxy-Action, Merit might crash. Now we reply with Proxy-Action if it is present in the request.
Revision 2.4 Production Release (14/3/98)
  • Added StripFromRequest, AddToRequest, StripFromReply, AddToReply to AuthBy RADIUS.
  • Radpwtst: fixed bug on Linux which prevented waiting for replies if an ICMP bad port message arrives.
  • Added %t for current time in special formatting characters
  • Ensured detail file output is Radius compliant by quoting strings.
  • Improved and enlarged documentation.
Revision 2.3 (6/3/98)
  • Fixed bug that made users fall through to DEFAULT if they existed but authentication failed, even if Fall-Through was not set.
  • Add time-of-day blocking with Block-Logon-Until and Block-Logon-From check items.
  • Added PDF documentation.
  • Improved level of DEBUG detail produced when authentication fails. Makes debugging authentication much easier.
  • Added Graphical User Interface option to radpwtst. Test your server configuration with the click of a button on Unix. (not quite working on PC yet).
Revision 2.2 (1/3/98)
  • Fixed bug in LDAP that causes it to always authenticate if the case of the password attribute is not correct.
  • Improved error reporting in radpwtst if no dictionary found.
  • Major rationalisation of Auth* hierarchy. There is now a common superclass AuthGeneric that all Auth modules should inherit from.
  • Added DEFAULT user handling with Fall-Through. Multiple DEFAULT entries are handled. DEFAULT entries are processed in order until one is found that matches and does not have Fall-Through set to yes. Works for FILE, DBFILE, LDAP, SQL.
  • Added handling of Auth-Type check items, which passes authentication to another AuthBy module named with an Identifier parameter. You can therefore cascade from FILE to UNIX to be compatible with other servers, or from say FILE to RADIUS to ensure some reply items always go to the NAS irrespective of a downstream server's setup. This is a very deep and versatile feature.
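The DEFAULT and Fall-Through handling described in this revision, together with the 2.3 fix that stops a user who has their own entry from reaching DEFAULT when that entry fails, defines a lookup order that is easy to get subtly wrong. The following is an added example of that order, not Radiator's own code, run over a constructed users file. Assumptions beyond what the text states: entries are tried in file order, an entry matches when every check item equals the request's value, the reply items of matching entries accumulate while Fall-Through = Yes, and the DEFAULT entries here deliberately carry no password check so that the example stays about lookup order rather than credential checking.

```python
"""Users-file lookup with DEFAULT entries and Fall-Through.

Added example, not Radiator's code. Lookup order (assumed from the text):
  1. entries named for the user, in file order; a match accepts unless the
     entry sets Fall-Through = Yes, in which case processing continues;
  2. if a named entry exists and none matched, reject (do not reach DEFAULT);
  3. DEFAULT entries in file order, same Fall-Through rule.
"""
import hmac

# Constructed sample users file, already split into check and reply items.
USERS = [
    {"name": "alice", "check": {"User-Password": "alice-pw"},
     "reply": {"Framed-Protocol": "PPP"}},
    {"name": "bob", "check": {"User-Password": "bob-pw", "NAS-Identifier": "nas1"},
     "reply": {"Framed-Protocol": "PPP", "Fall-Through": "Yes"}},
    {"name": "DEFAULT", "check": {"NAS-Identifier": "nas1"},
     "reply": {"Service-Type": "Framed-User", "Fall-Through": "Yes"}},
    {"name": "DEFAULT", "check": {},
     "reply": {"Idle-Timeout": "600"}},
]


def _matches(check, request):
    """Every check item must be present in the request and equal its value."""
    for attr, want in check.items():
        got = request.get(attr)
        if got is None:
            return False
        if attr == "User-Password":
            if not hmac.compare_digest(want.encode(), got.encode()):
                return False
        elif got != want:
            return False
    return True


def _falls_through(entry):
    return entry["reply"].get("Fall-Through", "No").lower() == "yes"


def _reply_items(accumulated):
    """Fall-Through is a control item, not something to send to the NAS."""
    return {k: v for k, v in accumulated.items() if k != "Fall-Through"}


def lookup(users, request):
    """Return ("ACCEPT", reply_items) or ("REJECT", reason)."""
    name = request["User-Name"]
    named = [u for u in users if u["name"] == name]
    defaults = [u for u in users if u["name"] == "DEFAULT"]
    reply, matched = {}, False

    for entry in named:
        if _matches(entry["check"], request):
            matched = True
            reply.update(entry["reply"])
            if not _falls_through(entry):
                return "ACCEPT", _reply_items(reply)
    if named and not matched:
        # The revision 2.3 fix: an existing user whose own entry fails
        # must not be picked up by a DEFAULT entry.
        return "REJECT", "named entry did not match"

    for entry in defaults:
        if _matches(entry["check"], request):
            matched = True
            reply.update(entry["reply"])
            if not _falls_through(entry):
                return "ACCEPT", _reply_items(reply)

    if matched:                       # fell through past the last entry
        return "ACCEPT", _reply_items(reply)
    return "REJECT", "no entry matched"


if __name__ == "__main__":
    for req in ({"User-Name": "bob", "User-Password": "bob-pw", "NAS-Identifier": "nas1"},
                {"User-Name": "bob", "User-Password": "bob-pw", "NAS-Identifier": "nas2"},
                {"User-Name": "carol", "User-Password": "x", "NAS-Identifier": "nas2"}):
        print(req["User-Name"], req["NAS-Identifier"], lookup(USERS, req))
```

The point of step 2 is visible in the second sample request: bob's entry is tied to nas1, so a request for bob from another NAS is rejected instead of being served by the catch-all DEFAULT, which is exactly the behaviour the 2.3 fix restored.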
Revision 2.1 Beta (7/2/98)
  • Beta revision for external testing
Revision 1.9 (20/1/98)
  • Internal alpha testing