Radiator Revision History
- Revision 4.2 (2008-03-10) Minor bug fixes
- Added support to EAP-TLS for examining the SubjectAltNames in the client
certificate and matching against Windows UPN, which is a
GEN_OTHERNAME. Suggested by Markus Moeller.
- Fixed a dictionary syntax error with a Huawei attribute and replaced it with
the correct Huawei-Qos-Profile-Name. Reported by Andreas Schwarz.
- Fixed a problem where HUP on FreeBSD would not result in the RADIUS ports being
closed properly, resulting in 'Could not bind authentication socket: Address
already in use'. Reported by Paul Dekkers.
- Fixed a problem in Monitor, where a quit command would cause a crash. Also
improved handling of too many bad authentications. Reported by Ernst Oudhof.
- Fixed a problem where Server DIAMETER could refuse a reconnection from a
previously connected peer. Reported and patched by Jose Borges Ferreira. Thanks
Jose.
- Fixed a problem where Server HTTP could crash during authentication with some
configurations.
- Revision 4.1 (2008-02-22) Bug fixes
- Fixed a problem where anonymous logins to ServerHTTP would not get a
Privilege Level. Reported by Dominic J. Eidson.
- Fixed a significant memory leak that affected certain installations with multiple
clients.
- Fixed a problem where the Configuration Edit link was not displayed on the
ServerHTTP GUI in the Locked version.
- Improved configuration file saving for the case where AuthBy objects are
referred to by Identifier. Reported by Dominic J. Eidson.
- OSC now provides
precompiled Net::SSLeay+OpenSSL+EAP-FAST-patches bundles for Linux and
Windows.
Updated documentation in goodies/eap_fast.txt describing how to install these
precompiled bundles.
- Added new function Radius::AuthWIMAX::get_cached_keys to fetch
$sessionid, $mip_rk, $mip_spi, $fa_rk from the database given the outer
nai. Requested by Ian Forster.
- SimpleClient now correctly generates a random authenticator instead of a
fixed one.
- Reinstated support for EAPErrorReject which was accidentally lost from some
modules.
- Fixed a problem where EAPTLS_CAPath would not be set correctly if EAPTLS_CAFile
was not defined. Reported by Jan Tomasek.
- Fixed documentation of EAPTLS_CertificateVerifyHook. The list of
arguments passed was incorrect, and out by an index of one.
Reported by Jan Tomasek.
- Added new special character %K, which is replaced with the realm name
after the last @ in the user name. Requested by Michael Kwan.
- Added to dictionary 2 new values for Error-Cause defined in RFC 5176.
- Fixed a problem with fideliosim.pl not working correctly with serial
ports.
- AuthBy PAM now supports AuthenticateAttribute. Contributed by Markus
Moeller.
- A number of improvements to Diameter support, contributed by José Borges
Ferreira: In Handler clauses you can catch Diameter attributes, for example
<Handler DiaRequest:Auth-Application-Id=NASREQ>
or <Handler DiaRequest:Disconnect-Cause=CREDIT_CONTROL>.
Added extra methods: vendorByName (returns vendor data for a given vendor name)
and grouped_attr (allows easy manipulation of grouped attributes).
Added AVP type vendor, which is an Unsigned32 variant (like enumerated)
that tries to translate vendor name to vendor number and vice versa.
Grouped attributes within grouped attributes are logged with alignment.
New attribute SupportedVendorIds for Server DIAMETER.
This optional parameter allows you to define the
Supported Vendor Ids announced in CER. Defaults to BASE(0).
Thanks José.
- AuthBy PAM now supports PasswordPrompt, parameter, which specifies the password
prompt string asked for by PAM. Contributed by Markus Moeller.
- Improvements to Server TACACSPLUS. Now uses Client statements for
RewriteUsername, StripFromRequest, AddToRequest, AddToRequestIfNotExist and
PreHandlerHook. There will be two PreHandlers called:
first the one from the Client statement and second the one defined inside
the Server definition. Contributed by Markus Moeller.
- Improvements to special character handling, and to enable multi-character special
character names in the future.
Now, any of the special single-character (and, in future, multiple-character)
special characters can be accessed with, for example, the format
%{Special:x} as well as just %x.
- Added functions ntptime2systime and systime2ntptime
for converting between NTP and systime, useful for
Diameter. Contributed by José Borges Ferreira.
- EAP-FAST was not correctly REJECTING with an EAP failure after a RESULT FAILURE
message was received from the client, causing retransmissions of the original
RESULT FAILURE message. Reported by Jim Veneskey.
- Added support for AuthLog in Server HTTP. Suggested by Markus Moeller.
- AuthBy TEST did not correctly support the Identifier parameter. Reported
by Ian Forster.
- Changes to Server HTTP so that manually edited configuration files are saved
with the correct line endings appropriate for the local machine. Reported by
Jin Tao.
- When running as a service under Windows, Radiator did not correctly restart
when a 'restart server' command was given by either Monitor or ServerHTTP.
Reported by Jin Tao.
- Improvements to ServerHTTP, adding some attributes to the Radius packet used to
authenticate Server HTTP access, including NAS-IP-Address and
Calling-Station-Id. Contributed by Markus Moeller.
- Added support for EAPTLS_CertificateChainFile wherever EAPTLS_CertificateFile
is supported, and added support for TLS_CertificateChainFile wherever TLS_CertificateFile
is supported. The ChainFile parameter specifies the name of a file containing a
certificate chain for the Radius server certificate. Suggested by Jan
Tomasek.
- Added more detail to WARNING log when AuthBy HASHBALANCE declines to break up
an EAP stream.
- AuthBy RADSEC would not always reply with the correct type of packet. Reported
by Paul Dekkers.
- Fixed problems when Server RADSEC or Server DIAMETER were in use and a SIGHUP
was received. Reported by Paul Dekkers.
- Revision 4.0 (2008-01-14) Significant new features and some bug fixes
- Added support for Radiator monitoring and configuration via a web
browser, using the new ServerHTTP module. Sample configuration file in
goodies/serverhttp.cfg shows how to enable support in any configuration file.
- Added AuthBy WIMAX module to handle WiMAX authentication and key
generation. Uses an SQL database to hold subscription/authentication
information, to cache keys and to save accounting. Supports:
authentication of users and devices from an SQL database (most EAP types supported);
generation and caching (in SQL) of MIP-RK, MIP-SPI and FA-RK for each
device session;
generation of mobility keys for both NAS and HA requests;
generation, caching (in memory) and refreshing of HA-RK and HA-SPI for each HA;
generation, caching (in memory) and supplying of DHCP-RK and Key-Id for
NAS and DHCP requests;
hotlining profiles. This is an early release Alpha version of WiMAX support
which has not yet received extensive testing. Feedback and bug reports are
welcomed.
- Improved performance and behaviour of RADIUS duplicate and retransmission
detection in line with RFC 5080. Duplicates and retransmissions
within the DupInterval timeout are now detected using the sender's
source port, in line with RFC 2865. Detected retransmissions that have already been
replied to have their earlier reply retransmitted, preventing problems with decoding of
duplicate TLS/TTLS/PEAP fragments. A retransmission that has not (yet) been
replied to is dropped, as before.
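The duplicate and retransmission handling described in this entry, as an added illustration (not Radiator's code): a request is keyed by the sender's source address and UDP port (RFC 2865) plus the Identifier and the 16-octet Request Authenticator, a retransmission of an already-answered request gets the cached reply resent, and one still being processed is dropped. The 2-second DupInterval default, the 4096-octet maximum and the sample packet are assumptions.

```python
"""RADIUS duplicate/retransmission cache.  Illustration only, not Radiator
code; DupInterval default and packet limits below are assumptions."""
import struct
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (src_addr, src_port, identifier, request authenticator)
Key = Tuple[str, int, int, bytes]


def request_key(src_addr: str, src_port: int, packet: bytes) -> Key:
    """Validate the fixed RADIUS header (RFC 2865 section 3) and derive the
    duplicate-detection key.  Rejecting short or inconsistent packets here
    keeps a malformed probe away from the attribute decoder."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096 or length > len(packet):
        raise ValueError("inconsistent RADIUS Length field")
    return (src_addr, src_port, identifier, packet[4:20])


def accepts(src_addr: str, src_port: int, packet: bytes) -> bool:
    """True if request_key() accepts the header, False if it rejects it."""
    try:
        request_key(src_addr, src_port, packet)
        return True
    except ValueError:
        return False


@dataclass
class _Entry:
    received: float
    reply: Optional[bytes] = None  # None while the request is still being processed


class DupCache:
    def __init__(self, dup_interval: float = 2.0, clock=time.monotonic):
        self.dup_interval = dup_interval
        self.clock = clock
        self._entries: Dict[Key, _Entry] = {}

    def _expire(self, now: float) -> None:
        cutoff = now - self.dup_interval
        for k in [k for k, e in self._entries.items() if e.received < cutoff]:
            del self._entries[k]

    def on_request(self, key: Key) -> Tuple[str, Optional[bytes]]:
        """("new", None): first sighting inside DupInterval, process it.
        ("drop", None): retransmission of a request not yet answered.
        ("resend", reply): retransmission of an answered request."""
        now = self.clock()
        self._expire(now)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = _Entry(received=now)
            return ("new", None)
        if entry.reply is None:
            return ("drop", None)
        return ("resend", entry.reply)

    def on_reply(self, key: Key, reply: bytes) -> None:
        """Remember the reply so a later retransmission is answered from cache."""
        entry = self._entries.get(key)
        if entry is not None:
            entry.reply = reply


class _FakeClock:
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> List[str]:
    """Walk a constructed Access-Request through the cache; return the decisions."""
    clock = _FakeClock()
    cache = DupCache(dup_interval=2.0, clock=clock)
    # Constructed packet: code 1 (Access-Request), Identifier 5, Length 20, authenticator
    packet = struct.pack("!BBH", 1, 5, 20) + bytes(range(16))
    key = request_key("192.0.2.10", 1812, packet)
    decisions = [cache.on_request(key)[0]]               # "new": first sighting
    clock.now = 0.1
    decisions.append(cache.on_request(key)[0])           # "drop": still being processed
    cache.on_reply(key, b"Access-Accept")                  # reply becomes available
    clock.now = 0.5
    action, reply = cache.on_request(key)
    decisions.append(action if reply == b"Access-Accept" else "bad-reply")  # "resend"
    clock.now = 3.0                                        # past DupInterval: entry expired
    decisions.append(cache.on_request(key)[0])           # "new"
    other_port = request_key("192.0.2.10", 1813, packet)  # same id/authenticator, other port
    decisions.append(cache.on_request(other_port)[0])    # "new": port is part of the key
    return decisions


if __name__ == "__main__":
    print(demo())  # ['new', 'drop', 'resend', 'new', 'new']
```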
- radpwtst now generates random Authenticators.
- Minimum supported version of Perl is now 5.6.0
- Sample certificates updated to expire Jan 13 03:42:47 2010 GMT
- Added support for EAP-FAST. Requires patches for OpenSSL and Net-SSLeay, which
are included. Includes detailed instructions for patching OpenSSL and
Net-SSLeay and configuring for EAP-FAST.
- Added support for standard WiMAX VSAs to dictionary, and support for
WiMAX VSA continuation flags in packing and unpacking, plus automatic
salted encryption and decryption of WiMAX attributes that require it (keys
etc). As per
WiMAX_End-to-End_Network_Systems_Architecture_Stage_2-3_Release_1.1.0,
NWG_R1.1.0-Stage-3.pdf.
- Added support for additional standard dictionary type integer64
required by draft-ietf-radext-design-02.txt. Previous integer8 attributes in
dictionary changed to integer64. Integer8 now means one octet. Integer1 is
still treated as integer8 for backwards compatibility.
- Added WiMAXTLV module for packing and unpacking WiMAX TLV sub-attributes,
including symbolic definitions of some WiMAX TLVs.
- Added support for new dictionary attribute types integer8, integer16,
signed-integer and ipaddrv4v6, required by WiMAX.
- Added WiMAX module for computing various WiMAX keys and other WiMAX routines.
- All EAP types now export the MSK by setting {msk} in the appropriate
reply packet. They also optionally export the EMSK in {emsk} if ExportEMSK is set.
- Added a number of 3GPP attributes to dictionary
- When using LEAP with EAP_LEAP_MSCHAP_Convert, some clients would not complete
the handshake due to an Access-Accept being sent instead of Access-Challenge.
- Improvements to AuthBy HASHBALANCE so that EAP sequences from any given user
will not be split between hosts during a failover.
- Fixed a problem with undefined getEAPContext when used with some
configurations of AuthBy HASHBALANCE. Reported by Alison Lee.
- Added a number of Motorola-WiMAX attributes to dictionary. Contributed by
Thomas Hartley.
- Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests
and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure
history, backoff time etc are cached within Radiator memory, so that SQLRADIUS
can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
- Improvements to AuthBy GROUP so that it better handles chains of authenticators
with EAP type requests, such as LEAP, EAP-MSCHAPV2 etc. Reported by Jani Kariniemi.
- Reinstated behaviour that was removed in Radiator version 3.15: empty
attributes, including empty strings are now permitted to be packed into Radius
packets.
- Fixed problem with acknowledgements and Fidelio Opera interface when using TCP.
Reported by Andrea Coppini.
- Added new parameter AgentName to AuthBy SAFEWORD.
This field is used when authorizing a request to SafeWord, and allows us to
do things like enforce ACLs, Roles, which authenticator in the user record
to use when they have multiple, whether to send a MobilePass password, etc.
It is very useful! Contributed by David LePage.
- Added 2 new attributes oscRadiusDefaultRealm and oscRadiusIdentifier to the
sample LDAP schema in radiator-ldap.schema. Contributed by Jérôme Schell.
- Added new special character %X, which is replaced by the EAP identity, with any
trailing @realm stripped off. Patch provided by Heikki Vatiainen.
- When radpwtst is used with -accton or -acctoff it now always includes an Accounting
Session ID. Suggested by Dan Cachola.
- All modules now generate 32 octet MPPE keys for WPA compatibility.
Reported by Dominic J. Eidson.
- RadSec and Diameter client and server modules now support TLS_SubjectAltNameURI
parameter for certificate validation. TLS_SubjectAltNameURI is a regexp which
can match against any Subject Alt Name of type URI. If a match is found the
certificate will validate. Suggested by Stefan WINTER. Examples added to
configs.
- ServerRADSEC now honours Status-Server requests directly in the same way as
Client. Requested by Stefan WINTER.
- Fixed a problem with resolving ipv6: names with DNS on RadSec and Diameter
connections. Reported by Patrick Renkens.
- A debugging print statement was inadvertently left in AuthBy
LDAPDIGIPASS.
- Fixed a problem that prevented LocalAddress and OutPort being set for all
hosts in AuthBy SQLRADIUS. Reported by Yves Martel.
- Prevent crashes after signal -HUP with multiple AuthBy KRB5. Reported by Barry
Ard.
- Improvements to sample goodies/radiator.sh startup script, allowing
/etc/rc.conf to control the radiator_config file. Provided by Erik Klavon.
- Added sample hook eap_acct_username.pl, which copies the inner username
to the Access-Accept User-Name field so a NAS (Access Point) can provide
accounting information with correct (inner) User-Name. Contributed by Rok
Pape‚¾.
- Module and sample configuration file that allow RADIUS clients to get user
presence information from an SQL accounting database. Special Access-Requests
formatted with Service-Type=Call-Check-User are replied to with an Access-Accept
containing OSC-User-Presence-Indicator, OSC-User-Presence-Location and
OSC-User-Presence-Timestamp, indicating whether and where the user last
logged in. Can be used by RADIUS-enabled VOIP routing modules etc. Supports
mapping of NAS IDs into readable location names etc.
- Fixed possible socket exhaustion in Server TACACSPLUS under certain unusual
circumstances.
- New RPM packages of Authen-Digipass 1.9 module for both 32 and 64 bit Linux
platforms. The 32 bit package contains Vacman Controller 3.5 and the 64 bit
package contains Vacman Controller 3.7.
- Updated Windows Authen-Digipass PPM packages to 1.9. Contains Vacman
Controller 3.5 libraries.
- AuthBy SQL and AuthBy SQLRADIUS now support the AuthSelectParam parameter,
which allows SQL bind variables to be used. The first 32 SQL queries that use
AuthSelectParam are subject to SQL query caching, which can significantly
improve the performance of the SQL server. Patches by Dan Cachola.
- Fixed a case where the server could crash after receiving malformed requests
such as those sent by nmap. Reported by Sven Henderson.
- Added support for Expiration dates in format 'mmm dd yy(yy)',
such as '24 Jul 2007', for compatibility with some SQL database date formats.
- Added support for new special character %J which produces the request
timestamp in the format 'yyyy-mm-dd hh:mm:ss'
- Added support for new check items Max-All-Session, Max-Daily-Session,
Max-Hourly-Session and Max-Monthly-Session, along with new AuthBy SQL
parameters AcctTotalQuery and AcctTotalSinceQuery. The combination provides a
way to check that users have not exceeded hourly, daily, weekly or total
usage requirements. These check items are compatible with FreeRadius check
items of the same name. They are also compatible with Session-Timeout=until
ValidTo, which will compute a session timeout based on the most restrictive
Max-*-Session time left.
- New AuthBy FREERADIUSSQL is compatible with standard FreeRadius SQL databases,
and can be used with the daloRADIUS user manager. Enables easy migration
from FreeRadius to Radiator, or allows Radiator to be used with a range of
FreeRadius user management packages. Includes sample configuration file.
- Improved modularity of encryption functions. Fixed a problem with encryption of
Ascend-Send-Secret and Ascend-Receive-Secret, in the case where the secret was
more than 16 octets. Most encryption functions decomposed to decode_salted and
encode_salted.
- Added support for encryption of Motorola-WiMAX-MIP-KEY attribute.
- Testing with Strawberry Perl 5.8.8 alpha 2
http://win32.perl.org/wiki/index.php?title=Strawberry_Perl on Windows XP. OK
(Testing requires Win32::Process to be installed using cpan using
'force install Win32::Process').
- Altered the algorithm Server TACACSPLUS uses to find the encryption key for a
given Tacacsplus client.
The order of preference is now: Per-Client TACACSPLUSKey,
ServerTACACSPLUS Key, Per-Client Secret.
This means that you can use
ClientListSQL to provide per-client Tacacs+ keys.
Updated documentation to describe the Key search algorithm.
- Added support for the FreeRadius style dictionary flags has_tag,
encrypt=1, encrypt=2 and encrypt=3. Requested by Dan Cachola.
- Added support for a number of FreeRadius style dictionary keywords:
BEGIN-VENDOR, END-VENDOR, $INCLUDE, as well as Radiator style include
commands. Some improvements to dictionary parsing and error reporting.
- Added new parameter SessionDatabaseUseRewrittenName to Handler and
Realm. Causes the rewritten username (instead of the original user name) to be
used for session database purposes.
- Performance improvements and rationalisation in RADIUS packet assembly and
disassembly.
- Testing with Perl CamelPack on Windows XP. OK.
- Added Motorola Canopy attributes to dictionary.
- Improved compatibility with some EAP-GTC clients that require CHALLENGE=
prompts, and deliver RESPONSE=a\0b responses.
- Special characters now permit nested constructions of the form %{x:%{y:z}}
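A nested special-character expander of the kind this entry and the related entries (%{Special:x}, %K, %X, %J, %{OuterRequest:attrname}) describe, as an added illustration rather than Radiator's own code. It resolves inner constructions first and inserts looked-up values literally without re-expanding them; the %{Request:attr} and %{GlobalVar:name} selectors, the %% escape and the sample context are assumptions.

```python
"""Nested %x / %{selector:arg} expansion.  Illustration only, not Radiator
code; Request, GlobalVar, %% and unknown-character handling are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List


@dataclass
class Context:
    request: Dict[str, str] = field(default_factory=dict)        # current (inner) request
    outer_request: Dict[str, str] = field(default_factory=dict)  # outer request of a tunnel
    global_vars: Dict[str, str] = field(default_factory=dict)    # assumed GlobalVar table
    eap_identity: str = ""
    timestamp: datetime = datetime(1970, 1, 1)


def _single(c: str, ctx: Context) -> str:
    """Resolve one single-character special (%x)."""
    if c == "%":                                  # literal percent (assumed escape)
        return "%"
    if c == "K":                                  # realm after the last @ in User-Name
        user = ctx.request.get("User-Name", "")
        return user.rpartition("@")[2] if "@" in user else ""
    if c == "X":                                  # EAP identity, trailing @realm stripped
        ident = ctx.eap_identity
        return ident.rpartition("@")[0] if "@" in ident else ident
    if c == "J":                                  # request timestamp yyyy-mm-dd hh:mm:ss
        return ctx.timestamp.strftime("%Y-%m-%d %H:%M:%S")
    return "%" + c                                # unknown: left as written (assumption)


def _braced(body: str, ctx: Context) -> str:
    """Resolve an already-expanded 'selector:arg' body of a %{...} construction."""
    selector, sep, arg = body.partition(":")
    if not sep:
        raise ValueError("missing ':' in %{" + body + "}")
    if selector == "Special":                     # %{Special:x} is the same as %x
        return _single(arg, ctx) if len(arg) == 1 else "%{" + body + "}"
    tables = {"Request": ctx.request,
              "OuterRequest": ctx.outer_request,
              "GlobalVar": ctx.global_vars}
    if selector not in tables:
        raise ValueError("unknown selector " + repr(selector))
    return tables[selector].get(arg, "")          # missing attribute expands to ""


def _matching_brace(s: str, open_at: int) -> int:
    depth = 0
    for i in range(open_at, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in special character")


def expand(template: str, ctx: Context) -> str:
    """Expand a template.  Values pulled from the context are appended verbatim,
    so a '%' inside a request attribute is data, never a new special."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif i + 1 >= len(template):
            raise ValueError("dangling % at end of template")
        elif template[i + 1] == "{":
            close = _matching_brace(template, i + 1)
            inner = expand(template[i + 2:close], ctx)  # innermost constructions first
            out.append(_braced(inner, ctx))
            i = close + 1
        else:
            out.append(_single(template[i + 1], ctx))
            i += 2
    return "".join(out)


# Constructed sample context: a PEAP/TTLS inner request with its outer request.
SAMPLE = Context(
    request={"User-Name": "alice@corp.example", "Greeting": "100%K"},
    outer_request={"User-Name": "anonymous@corp.example", "NAS-IP-Address": "192.0.2.10"},
    global_vars={"id_attr": "User-Name"},
    eap_identity="alice@corp.example",
    timestamp=datetime(2008, 3, 10, 12, 34, 56),
)

if __name__ == "__main__":
    print(expand("%{Request:%{GlobalVar:id_attr}} from %{OuterRequest:NAS-IP-Address}", SAMPLE))
```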
- Added -options flag to radpwtst, which makes it read additional command line
flags and arguments from the named file.
- In AuthBy RADIUS, the Host name can now contain nested special characters. Patch
provided by "Valentin Tumarkin".
- Disable OpenSSL 0.9.9 SessionTicket support when negotiating RadSec TLS
connections, otherwise get TLS 'unexpected message' errors.
- Added support for new dictionary type 'integer1' which translates integers
encoded as a single octet.
- Added support for new dictionary type 'integer2' which translates integers
encoded as a 16 bit unsigned (2 octets).
- Added a number of BATM, NS and Alcatel attributes to dictionary. Contributed
by Ernst Oudhof.
- ServerTACACSPLUS now puts Acct-Session-Id in Radius packets derived from
accounting requests.
- New TacacsClient module provides basic Tacacs+ client services.
- goodies/tacacsplustest was rewritten in terms of the new TacacsClient
module.
- 'make clean' now removes all files created by 'make test'.
- EAP-TLS now honours machine certificates, ie where the User-Name and/or
identity is in the form host/machinename, but the CN in the certificate
has just CN=machinename.
- Radius port listeners refactored into new ServerRADIUS module.
- Removed SSLeayTrace from all sample configs. Does nothing now.
- Significant refactoring of code from ServerHTTP, ServerRADSEC,
ServerDIAMETER and Monitor to new module StreamServer.
- ConfigKeywords can now include documentation for the benefit of
ServerHTTP
- Removed dead Synchronous code from AuthRADSEC. Suggested by Bjoern
A. Zeeb.
- AuthBy RADIUS and RADSEC now drop replies with bad signatures in line
with documentation and RFCs. AuthBy RADIUS still allows this behaviour to be
overridden with the IgnoreReplySignature flag.
- Added new dictionary type signed-integer, a 32 bit signed integer
- Added support for new Cisco optional attributes in ServerTACACSPLUS,
contributed by Kristian Larsson, for
example:
AuthorizeGroup xr-friendly permit service=shell cmd\*
{task*#root-system,#cisco-support priv-lvl=15}
- AuthBy DIGIPASS, when validating Challenge-Response (CR) tokens, now
caches the last challenge internally instead of relying on the RADIUS client
and the State attribute. New configuration parameter ChallengeTimeout allows
configuration of the maximum time period the challenge is valid for.
- EAP-TTLS incorrectly copied attributes from the inner ACCEPT to the outer
ACCEPT with change_attr, which prevented multiple instances of the same attribute
being copied.
- In ClientListSQL, the PREHANDLERHOOK value returned by GetClientQuery can
now contain either the text of the hook, or a hook filename in the form
'file:/path/to/hook'. Patch supplied by "Jose Borges Ferreira".
- Minor changes to SIP authentication in line with forthcoming RFC
5090.
- Reference manual is no longer shipped as HTML, only as PDF and PostScript.
- Revision 3.17.1 (2007-04-12) Some new features and bug fixes
- Added new load balancing module AuthBy HASHBALANCE, which will use
information in the incoming request to choose the
preferred host, with the intention that all requests in a single EAP conversation will
all go to the same target server, enabling EAP and other stateful
RADIUS transactions to be loadbalanced without interfering with streams
of related requests.
If the preferred host is not available try the following ones until all are
exhausted. Sample configuration file in goodies/hashbalance.cfg.
- ldap-aps.cfg was left out of the 3.17 distribution. Reported by Ken
Kawakubo. Other Apple Password Server modules were also omitted.
- Added EAP_38.pm for TNC support to the distribution.
- Added RB-DHCP-Vendor-Class-Id to dictionary.
- Fixed a bug in TLS support when used with TTLS-PAP-EAP-TNC.
Reported by Chris Hessing.
- TranslatePasswordHook now works for EAP-MSCHAPV2, EAP-PAX, EAP-PSK, LEAP and
MD5-Challenge. Reported by Rogier Krieger.
- Added a number of new Redback and DSLForum VSAs to dictionary.
- Improvements to AuthBy KRB5 to allow it to acquire credentials for a
service principal. Includes 3 new configuration parameters: KrbKeyTab,
KrbService, KrbServer. Patch contributed by Erik Klavon.
- Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests
and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure
history, backoff time etc are cached within Radiator memory, so that SQLRADIUS
can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
- Revision 3.17 (2007-03-26) Some major new features and bug fixes
- Added new module AuthBy LDAP_APS which finds user details in a Mac OS-X
Directory Server LDAP database, and then authenticates the user password
against a Mac OS-X Apple Password Server. Works on Mac OS-X 10.4 or
later. Sample configuration file in goodies/ldap-aps.cfg. Supports PAP,
MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.
- Added support for EAP-PSK as per RFC 4764, an EAP method based on a per-user
Pre Shared Key, and which supports strong cryptography and dynamic WEP and WPA
keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file
included.
- Added support for EAP-PAX as per draft-clancy-eap-pax-11, an EAP method based on a per-user
Authentication Key, and which supports strong cryptography and dynamic WEP and WPA
keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file included.
- Added a new flag EnableFastPINChange to AuthBy ACE, allowing compatibility with
some NASs (notably Juniper) that have
non-standard behaviour in New Pin Mode: when the user is
asked whether they want to set their PIN, the NAS
automatically gets the new PIN and returns it to the RADIUS
server, which is expected to use it to set the PIN
immediately. This flag enables compatibility with this
behaviour if the user/device enters a PIN instead of 'y' or 'n'.
- Fixed potential memory leak in PEAP and TTLS after handshake failure.
- Improvements to parseDate so that invalid date formats would not cause a
crash.
- Added support for new special character in the format %{OuterRequest:attrname}
which is replaced with the named attribute from the outer request of a
tunnelled request. Useful with PEAP and TTLS tunnelled requests.
- Fixed a memory leak that mostly affected failed authentications in TTLS and
PEAP. Reported by David Spindler.
- Added a number of new Mikrotik VSAs to dictionary.
- Testing with Cisco Secure Services Client 4.0.5.4889 on XP. OK for TTLS-PAP,
TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5,
PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, GTC, TLS, EAP-MSCHAPV2, MD5
- Added support for special characters in EAPTLS_PrivateKeyPassword and
TLS_PrivateKeyPassword. Requested by Redback.
- Fixed a problem with interoperation between ServerDIAMETER and some
Diameter clients. Reported by Arthur Konovalov. Also fixed a typo in doc
about how to test ServerDIAMETER.
- Fixed some minor interoperation issues to do with SIP authentication
and RFC 4590.
- Altered dictionary.sip to make it compliant with RFC 4590.
- Fixed a problem with the Host-IP-Address in the CEA sent by Server
DIAMETER. Reported by Arthur Konovalov.
- ServerDIAMETER now converts the contents of Grouped attributes from the
incoming Diameter request into the new
Radius request.
- Fixed a problem with the Mandatory flag in the Diameter Firmware-Revision
attribute. Removed restriction of only being able to handle NASREQ application
requests. Reported by Arthur Konovalov.
- Fixed a problem with conversion of SessionId when using NasType of
CiscoSessionMIB. Reported by Joe (Mobile).
- Fixed a problem with incorrect responses to Tacacs accounting requests.
Reported by Mohamed.Raddahi.
- Fixed a problem where a check-item Auth-Type which points to a AuthBy RADIUS
inside a GROUP did not work as expected. Reported by Toomas Kärner.
- Added support for Starent VSAs, which have a non-standard format. Patch
supplied by Frank Danielson.
- Fixed some problems with memory leakage, especially in PEAP after a successful
authentication. Reported by David Spindler.
- In AuthBy RADIUS, the Host clause now supports per-host LocalAddress and
OutPort parameters. Patched by Bjoern A. Zeeb.
- Added documentation and sample configuration file for ServerDIAMETER.
- Removed references to obsolete handle_sigchld, which is not necessary any
more. Reported by Dan Cachola.
- Added support for ConnectionAttemptFailedHook and NoConnectionsHook for custom
code to handle various types of SQL connection failure. Patched by Dan
Cachola.
- Fixed a problem with conversion of negative integers by valNameToNum in Radius
dictionaries. Reported and patched by Arthur Konovalov.
- Minor improvement to performance of Radius::Util::random_string.
- Added more Huawei VSAs to dictionary. Contributed by José Borges
Ferreira.
- Improved handling of multiple reply items, possibly containing spaces in
AuthorizeGroup, PasswordPrompt is now used everywhere to control password
prompts in ServerTACACSPLUS.
- Added more WCG VSAs to dictionary.
- Fixed a problem where proxied TTLS inner EAP-MSCHAPV2 replies were not properly
processed, resulting in no reply to the originator. Reported by Ian Forster.
- Fixed a problem where Util::inet_ntop could crash when used with RodopiAAA and
TTLS or PEAP.
- Cleaned up some attributes in dictionary including Tunnel-Type etc.
- Added support for Cisco cisco-li-configuration attribute, which can be used to
enable Lawful Intercepts for selected sessions. Added goodies/cisco_li.txt
explaining how to use it.
- Added various Redback VSAs to dictionary to support Redback Lawful Intercept. Also
arranged to support the automatic salt encryption of attributes that require
it. Contributed by Jan De Backer.
- Added some Telkom SA VSAs to dictionary.
- AuthBy DIGIPASS now honours UsernameMatchesWithoutRealm. Requested by
SCHELL Jérôme.
- Structural changes in AuthGeneric.pm and changes to the args passed to
AuthGeneric::check_mschapv2() in order to support Apple Password Server.
- Added MS-RAS-Client-Name and MS-RAS-Client-Version to dictionary.
- Fixed a problem with proxying of Radius requests received by Server DIAMETER,
where the authenticator was not correctly set. Reported by Blake Ulmer.
- Fixed a problem where diapwtst did not correctly handle extra attributes like
'radpwtst Accounting-Session-Id=12345'. Reported by Blake Ulmer.
- Testing on Ubuntu 6.10. OK.
- Fixed a typo in ClientListLDAP that prevented StripFromRequest working
properly. Reported and patched by Raphaël Luta.
- Revision 3.16 (2006-11-09) Some major new features and a few bug fixes.
- Added early release of Diameter support. ServerDIAMETER implements a stateless
Diameter to Radius translation agent. Incoming Diameter requests are converted
to Radius requests which can be served internally by Radiator or proxied to
another Radius server.
Includes simple Diameter client for testing (diapwtst) and sample configuration
file.
Supports RFCs 3588, 4005, 4072. Supports TLS encryption, TCP or SCTP
transport. Interoperates with OpenDiameter.
- AuthBy DIGIPASS now supports Vasco Virtual Digipass. This allows
Vasco token support even if the user does not have a physical
token (or has lost it). AuthBy DIGIPASS generates the correct tokencode and
passes it to a hook, where it can be delivered to the user by SMS etc.
Example config file digipass.cfg shows how to enable it.
New versions of Authen-Digipass that support AAL2GenPassword are required for Virtual
Digipass support.
- Added new module for sending SMS messages using the Internode NodeText Gateway,
a commercial SMS gateway
available from Internode in Australia. Also added fully working example
configuration file showing how to do One-Time-Passwords delivered by SMS.
The NodeText Gateway is a high reliability, high performance SMS Gateway
for Australian SMS numbers. Works with GSM, CDMA. Works with Telstra, Optus
and Vodafone networks. Billing of SMS delivery charges can be to the sender,
or the receiver. The Internode NodeText Gateway can also apply a range of special
features, such as name to SMS number translation etc. Multiple recipients,
message splitting etc are supported.
They also offer an email-to-SMS gateway.
This fully working example allows your users to be administered with Radmin,
using One-Time-Passwords delivered to the user by SMS.
Internode SMS gateway access for Australian SMS numbers is available
from http://www.internode.on.net
and
http://www.internode.on.net/products/sms.htm
- Added tutorial and config files for installing ChilliSpot, Radiator and
RAdmin to provide a complete, locally administered captive portal wireless hotspot
solution, including prepaid time for users, user statistics,
monitoring etc. See http://www.chillispot.org
- Ensured SNMP and Status-Server statistics are correctly updated by
requests received via RADSEC and TACACSPLUS.
- Testing on Syllable 0.6. OK, except Any_DBM tie is not implemented on Syllable so
that AuthBy DBFILE does not work, resulting in failed tests 1a, 3a, 3d, 3g,
3h.
- Minor cleanups to remove various warnings when -w is used
- Special character %z was using a deprecated MD5 hashing routine. Now uses
Digest::MD5::md5_hex.
- Fixed a problem that prevented reply attributes from EAP_PEAP_MSCHAP_Convert
converted requests being replied to the client. Reported by Alex Sharaz.
- Fixed a problem in ClientListLDAP where attributes that expect a stringarray
(such as IdenticalClients, FramedGroupBaseAddress, RewriteUsername,
DynamicReply) could cause a crash if there were multiple values for that
attribute in the LDAP database. Reported by Lohier, Matthew.
- Fixed a problem with AcctLogFileName where a file name with a leading '|' for
a pipe would incorrectly cause bogus directories to be created. Reported by Anne Bennett.
- Fixed a problem with AuthBy DIGIPASS clauses that are not contained
within a Realm or Handler causing a crash. Reported by Paul Dekkers.
- Added a number of Unisphere VSAs to dictionary. Contributed by Gareth
Coco.
- Testing on Windows Vista Beta build 5384. OK, using ActiveState ActivePerl 5.8.8.
- Fixed an error in the definitions of 3GPP2-IP-Technology in dictionary.
Reported by Frank Danielson.
- AuthBy LSA and AuthBy NT on Windows now support Local as well as Global groups
when using the Group parameter.
- Fixed a problem with anonymous bind not working correctly, resulting in
LDAP_INAPPROPRIATE_AUTH. Reported by R.H.Hoek.
- Fixed a problem with TTLS and PEAP where a proxied reply to the inner
request of a session that has been lost or closed would cause a
crash. Reported by Shahid Khan.
- Fixed a problem with goodies/CalledStationId.pm that would cause ERR: Bad
attribute=value pair.
- Improvements to goodies/CalledStationId.pm to support regexps in
stations.
- Added a number of Aruba VSAs to dictionary. Contributed by steven.quek.
- In AuthBy RADMIN, changed the default MaxMessageLength to 200 to comply
with the standard Radmin database size.
- Fixed a problem with client certificate verification in EAP TLS that could cause
an error 'EAP TLS No peer certificate'.
- Fixed a problem with EAP-TLS authentication when EAPTLS_NoCheckId was set.
Reported by Dawn Lovell.
- Added various VSA to support ChilliSpot, an open source captive portal for
wireless with Radius support. http://www.chillispot.org/
- Testing with ChilliSpot http://www.chillispot.org/ OK. ChilliSpot is
a wireless hotspot portal that authenticates users before letting them get
access to the internet. ChilliSpot can
work with both UAM (where the ChilliSpot hotspotlogin.cgi script solicits a
password and ChilliSpot sends Radius/CHAP to Radiator), and with EAP (where
ChilliSpot forwards Radius/EAP requests to Radiator). Tested with UAM, EAP,
TTLS, PEAP.
Caution: ChilliSpot 1.1.0 has a bug where Radius replies that contain a
Service-Type reply attribute will cause the chilli process to crash. A patch
has been submitted to chillispot.
- Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work around a
problem with Vista Beta 2 clients, where the extra empty fragment (sent as a
security measure by OpenSSL) confuses
the Vista PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt
for reasons behind the empty fragments. Reported by David Spindler.
- Improvements to EAP LEAP handling to be compatible with some types of
LEAP-ignorant APs. Reported by Russ Jones.
- Revision 3.15 (2006-06-01)
- AuthBy RADSEC now supports multiple Hosts, using the same Host clause syntax as
AuthBy RADIUS. Hosts will be tried in the order given. FailureBackoffTime can
be used to mark unresponsive hosts dead for a period of time and skip
them. Example Host clause syntax is shown in goodies/radsec-client.cfg.
- Example config file goodies/eap_leap_proxy.cfg was inadvertently
left out of the distribution.
- Fixed a problem where the parent process could crash if AuthBy KRB5
was used and the server was run in the background. Reported by Carol
Ward.
- Added calling_station_hook_requests.pl, a sample PostAuthHook for PEAP requests that:
1) Insert the Calling-Station-ID into the inner request
2) Insert the Called-Station-ID into the inner request
3) Insert the "outer" EAP identity into the inner request as "Outer-EAP-Id"
Contributed by Terry Simons.
- Testing on openSUSE 10. OK.
- Fixed a bug in mergedetails that prevented it running under perl
5.005 and earlier. Reported by Greg Schiedler.
- Alternative version of RequestHook added to goodies/hooks.txt.
The hook saves the time of the last Access-Request for each user
and conditionally returns an Access-Accept if the time is less than a preset limit.
- A typo prevented EAPTLS_CertificateVerifyHook parameter being
recognised. Reported by Rodrigo Seguel.
- Improved logging of LDAP connected host details to include the actual hostname and
port after special character translations. Also Port now supports special
characters. Requested by Michael Hall.
- Improved Authen-Digipass RPM to work with perl 5.8.7.
- Refactored AuthDIGIPASS.pm to move common code to
AuthDIGIPASSGeneric.pm. New module AuthSQLDIGIPASS.pm replaces
AuthDIGIPASS.pm and AuthBy DIGIPASS is now deprecated in favour of AuthBy
SQLDIGIPASS.
- New version of Authen-Digipass module for Linux, Solaris and Windows where
digipass.pl now works with LDAP databases, plus
some minor bug fixes.
- New module AuthBy LDAPDIGIPASS authenticates Vasco Digipass tokens from token
data in an LDAP database. Example configuration file goodies/digipass_ldap.cfg,
and sample LDAP database schema and sample data in goodies/radiator-ldap.*.
Use the digipass.pl command line program (part of the Authen-Digipass supplied with
Radiator) to import, assign, inspect and reset tokens in the LDAP database.
- All calls to format_special in AuthBy IMAP now include the current packet
so that %R can be
used in Host parameter etc. Requested by Petr Zimak.
- AuthBy SQL did not honour AuthenticateAccounting.
- Minor fixes, PostSearchHook missing from AuthLDAP2 config options.
Reported by Petr Zimak.
- Added a number of Cisco VOIP VSAs to dictionary.
- Added a number of VSAs and fixed some errors in dictionary.sip to be in line
with draft-schulzrinne-sipping-radius-accounting-00.txt
- Radpwtst now permits octal escapes in the value in attr=value arguments.
- Testing with SIP Proxy Router (SER) from www.iptel.org. Added
example configuration file to goodies/sip.cfg showing how to configure
Radiator for SIP authentication with SER, and with some helpful information
and corrections about configuring SER to work with RADIUS.
- Zero-length string attributes are now never sent in Radius packets, but are
ignored, as per
RFC 2138. Zero-length Reply-Message strings have been seen in improperly
written hooks. Suggested by Ulrich.
- Sample startup scripts linux-radiator.init and solaris-radiator.init
now force -daemon to prevent running in the
foreground when started by init script.
- Fixed a problem in ClientListSQL and ClientListLDAP that could cause a
crash during an automatic update if there were no hardwired Client clauses.
Reported by Alexander List.
- Log SYSLOG and AuthLog SYSLOG now support special characters in
LogIdent. Requested by Alexander List.
- Fixed a case where Reply-Message could be incorrectly reset in
CachedAttrs, which prevented ServerTACACSPLUS from returning the
Reply-Message during a rejection.
- Added new hooks AuthenticationStartHook and AuthenticationContinueHook
to Server TACACSPLUS which can be used for special processing of TACACS+
authentication requests.
- Minor improvements to test suite. Now reports total error count and exits
with non-zero status if there are errors.
- Renew test certificates. Previous certificates expired March 16 2006, which
would prevent TLS, TTLS, PEAP and RadSec tests working.
Minor improvements to mkcertificate to add /usr/share/ssl/misc to the path (for
standard OpenSUSE).
- Improvements to timeout handling for SQL and others for perl 5.8 and later,
requested by Gustavo Moreira.
- Improvements to the way nested calls to format_special were
handled. Previously, the value for $cpacket could get clobbered by an error
log message during formatting of a special character.
Reported by Robert Fisher.
- Added ChallengeMessage parameter to AuthBy DIGIPASS*, which allows the Digipass
challenge message to be customised or internationalised.
- Fixed a problem with SessionDatabase SQL where a countQuery that returned a
username as the fifth field did not alter the user name as expected. Reported
by Vangelis Kyriakakis.
- In ServerTACACSPLUS, added a workaround for a bug in some old Cisco routers where a failed authentication
would result in an unclosed TCP session. Requested by Patrick, Robert.
- Added a workaround for a bug in some EAP TTLS supplicants
(notably PBG4 on Mac OS X) that do not conform to the TTLS
protocol specification, and do not understand the ACK sent
by the server at the end of TLS negotiation and session
resumption, resulting in session resumption not
completing. The new EAPTTLS_NoAckRequired flag enables a workaround for such
supplicants. Many other supplicants are happy with this too.
- Fixed a problem with session keys when LEAP was used with
EAP_LEAP_MSCHAP_Convert.
Reported by Michael Ting.
- Added new AuthBy SAFEWORD, which authenticates directly to a SafeWord
Premier Access
server. Includes a sample configuration file.
Supports PAP, CHAP, TTLS-PAP, EAP-OTP and EAP-GTC.
Supports password changing.
Supports fixed (static) passwords and SafeWord Silver and Gold tokens.
- Fixed a problem that could cause a crash if getpeername fails during a Tacacs
connection. Observed on some Solaris platforms. Reported by Ashton, James P.
- Added new parameter UsernameMatchesWithoutRealm to AuthBy NTLM,
contributed by Robin Breathe.
- Added support for HandleAcctStatusTypes to AuthBy DNSROAM, GROUP, MULTICAST
RADIUS, RADSEC and SQL. Contributed by "Nicholas A Waples".
- Revision 3.14 (2006-01-16) Significant new features, including
DNSROAM and some fixes.
- Added new module DNSROAM, that provides RadSec and RADIUS
proxying to hosts discovered through DNS. Provides secure, reliable,
scalable, low maintenance RADIUS meshes and federations. Uses similar
technology to Diameter (RFC 3588) for host discovery, which allows
target server details to be provided through DNS lookups. Supports
RadSec and RADIUS proxying. Includes new Resolver module for
asynchronous DNS lookups. Requires Net::DNS Perl module (and the
IO::Socket::INET6 module if you wish to
consult a DNS server via IPV6).
- Added new module AuthBy NTLM that allows Radiator running on a Linux or Unix
system to authenticate to a Windows domain controller, with the
assistance of ntlm_auth and winbindd utilities from the Samba suite
(www.samba.org). Sample Radiator and winbindd configurations are
included. Supports PAP, MSCHAP, MSCHAPV2, EAP-MSCHAPV2, and works
with PEAP, and TTLS.
- EAP-TTLS-MSCHAPV2 did not correctly copy reply attributes from
the inner accept to the outer accept.
- New example hook in goodies/hooks.txt to parse multiple
Digest-Attributes into individual attributes
- Testing with Funk Odyssey 4.01 client, including EAP-SIM,
EAP-GTC, EAP-LEAP and TTLS-EAP-MSCHAPV2. OK.
- Added cacti_data_query_snmp_get_radius_information.xml
radius_server.xml to goodies. These are
configuration files to enable monitoring of Radiator by Cacti
(http://www.cacti.net/), which is similar to MRTG, except it
is web driven and based upon a templating system. Contributed
by Chris Hills.
- Fixed a problem with radpwtst -gui where entering a new
port number in the gui had no effect. Reported by Chris
Hills.
Also fixed a problem where that could produce an error message:
Can't locate object method "BINMODE" via package
"Tk::Event::IO" on some platforms.
- Fixed a problem in radpwtst -gui where a Class attribute
received from one user authentication would be incorrectly reused for subsequent
users.
- Added new parameter for all AuthBys: EAP_LEAP_MSCHAP_Convert
forces all EAP-LEAP requests to be converted to conventional Radius
MSCHAP requests that are redespatched, perhaps to be proxied to
another non-LEAP capable Radius server or for local
authentication. Example config file goodies/eap_leap_proxy.cfg show
how to use it.
- Fixed a problem that prevented CRL checking working with some versions
of Net_SSLeay. Requires Net_SSLeay version 1.25
from CPAN and
this patch.
Reported by Ilana Kaplan.
- Improved the error message printed when TLS certificate
verification fails to include a text
string that describes the problem.
- Testing with Sybase ASE 12.5, improvements to goodies/sybaseCreate.sql
to prevent warnings about NULL columns.
- Added new parameter EAP_LEAP_MSCHAP_Convert that converts
incoming LEAP requests to conventional Radius-MSCHAP requests that
can then be handled locally or proxied to a remote Radius server
that cannot handle LEAP, but which can handle Radius-MSCHAP. Also added example
config file goodies/eap_leap_proxy.cfg. Requested by Michael Ting.
- Improved configurability for 'make rpm' in Makefile.PL.
- Added support for SASL authentication to LDAP servers. New parameter
UseSASL tells AuthBy LDAP2, AuthBy LDAPRADIUS and ClientListLDAP to authenticate the connection to the LDAP
server with SASL. See the example config file goodies/ldap-sasl.cfg
for details on how to configure it.
- Fixed a problem that prevented DefaultRealm working in Server
TACACSPLUS. Reported by Marc Blum.
- Improvements to the sample linux-radiator.init and RPM Linux init
script so it takes notice of configurable variables in
/etc/sysconfig/radiator better. Suggested by Paul Dekkers.
- Added new configuration method AuthBy SASLAUTHD, which authenticates by
connecting to a saslauthd server running on the same host. saslauthd
is a Unix authentication server program, part of the Cyrus SASL suite. It can
be configured to
authenticate from a variety of sources, including PAM, Kerberos,
DCE, shadow password files, IMAP, LDAP, SIA or a special SASL user
password file. Example configuration file is in
goodies/saslauthd.cfg
- Testing with Gentoo 2005.0. OK.
- Fixed a problem where AuthBy PLSQL clause did not display its AuthBy
type in Radar. Reported by Jovan Sarai.
- Fixed a problem with AuthACE.pm AuthDIGIPASS.pm AuthKRB5.pm AuthLSA.pm
AuthOPIE.pm AuthOTP.pm AuthRSAMOBILE.pm AuthSASLAUTHD.pm that could prevent correct operation with
TTLS-EAP-MSCHAPV2 and Odyssey client.
- Testing on Linspire 5.0. OK.
- Testing on Ubuntu 5.04. OK.
- Changes to the default behaviour of AuthLog SYSLOG and Log SYSLOG so
that the socket type is only set if LogSock is explicitly defined.
Fixes a problem with the socket type search path on Solaris
failing if syslogd does not open a unix domain socket.
- Improvements to EAP-TLS authentication, so that a
User-Name with a domain prefix will match the certificate without a
domain name. Reported by "Dror Ben-Shlomo".
- Fixed a problem where EAP-GTC would not work correctly with some
AuthBys that did direct password checking (such as AuthBy LDAP2 with
ServerChecksPassword enabled). Reported by Michal Marciniszyn.
- Added a number of Airespace VSAs to dictionary, contributed by
Steve Caporossi.
- Change-Filter-Request now includes a correct
authenticator. Reported by Ardolino Antonio.
- PEAP outer handler did not set OriginalUserName for the inner packets.
- Added sample hook to goodies/hooks.txt that shows how to
discover the socket that received a request on a multihomed
host. Contributed by Miko.
- AuthBy DIGIPASS now supports PAP, CHAP, MSCHAPV2, EAP-MSCHAPV2,
EAP-OTP and EAP-GTC requests. Required some changes to the API for
check_mschapv2.
Requires Authen-Digipass 1.5 or later (Linux and Solaris packages
included in this distribution. Windows PPM packages available for
download).
- Fixed a problem where ForkClosesFDs would incorrectly close sockets
created by Monitor, Server TACACSPLUS or Server RADSEC if the server
forks or becomes a daemon.
- In AuthLog SQL SuccessQuery and FailureQuery, new special character %4
is replaced by the SQL quoted original user name from the incoming
request (before any RewriteUsername rules were applied).
- Added support for SALT encryption of
Unisphere-Med-Dev-Handle. Required extensive refactoring of attribute
encryption and decryption. Attributes requiring encryption and
decryption with shared secrets are now done by Radius::encode_attrs
and Radius::decode_attrs. Encoding is now done by Client or ServerRADSEC just
prior to replying. Function encode_tunnel_password renamed to
encode_salt.
- Performance and security improvements in Util::format_special
- Fixed a problem that prevented one instance of Radiator acting as both
RADSEC server and client or as multiple RADSEC clients at the same
time. Requires patch for Net_SSLeay on Windows.
- Fixed some compatibility problems between mkcertificate.sh and the
OpenSSL CA utilities in 0.9.7g and later.
- New flag NullPasswordMatchesAny enables wildcard matching of NULL
password columns. Defaults to enabled for AuthBy SQL and disabled for
AuthBy RADMIN, to be consistent with current default behaviour.
- EAP TLS now supports a new hook. EAPTLS_CertificateVerifyHook runs
after the request username or identity has been matched with the
certificate CN. It is passed the certificate, and various other
details, and returns a different user name which will be used to do
the user database lookup.
- Testing with EMIC m/cluster, a MySQL clustering solution from
www.emicnetworks.com. M/cluster provides high availability,
scalability and manageability services for MySQL. OK.
- Testing on Fedora Core 4.
- Added a number of IPWireless attributes to dictionary. Contributed
by m.tavakolifard.
- Testing on Debian 3.1r0a. OK.
- Added support for LogMicroseconds to Monitor.
- Added to goodies a new AuthBy RADIUSBYATTR that forwards to a RADIUS server whose
attributes (host, secret etc) are specified in the request.
Useful for various specialised testing
scenarios. radiusbyattr.txt is a description of how to
configure and use it. Contributed by Miko.
- SNMPAgent now supports special characters in BindAddress and Port
parameters. Contributed by José Borges Ferreira.
- Added Daemon configuration file au.com.open.radiator.plist for
OSX 10.4 (Tiger) to goodies. Contributed by Matt Richard.
- EAP-TLS now matches certificate CNs even if they are in Unicode.
- TTLS and PEAP now always dump the reply to the tunnelled request at
DEBUG level.
- ServerChecksPassword now honours Timeout in AuthBy LDAP2. Patch
provided by Campbell Simpson.
- In AddressAllocator DHCP, fixed a problem with the "secs" field in the
DHCP header when there are timeouts and retransmissions. Reported by
Ian Amess.
- ClientListLDAP did not compile any PreHandlerHook entries from LDAP,
preventing the hook running. Reported by Peter Crystal.
- Radpwtst did not use the -acct_port argument properly. Reported and
patched by Ruud Besseling.
- Server TACACSPLUS can now use different per-Client Keys by looking for a
TACACSPLUSKey in a Client clause that matches the Tacacs client address. If no
matching Client with a TACACSPLUSKey is found, falls back to the
global Key defined in the Server TACACSPLUS clause. Initial idea and
patches contributed by James FitzGibbon.
- Radpwtst with the -code flag sent to the -acct_port instead of the
-auth_port. Reported by Phillip Lou.
- Added new special character %x, which is replaced by the EAP
Identity for PEAP and TTLS inner requests.
- Fixed a problem with the SNMP MIB where some values were returned as
integer instead of counter32. Reported by Rani Assaf.
- Permit plaintext passwords in the format '{clear}password', in order
to be compatible with some LDAP servers. Suggested by Andreas Meyer.
- Testing with Novell NetWare 6.5 with eDirectory 8.7 and iManager
2.5. Improved Makefile.PL to implement the 'install' command under
NetWare (where perl Makefile.PL does not work). 'perl Makefile.PL
install' now installs all Radiator files, config files and startup
script on NetWare.
Extended documentation about how to enable Universal
Passwords in eDirectory. Added chapter on NetWare installation to
the Reference Manual.
- Testing with DBD::SQLite2. Added example table creation script
goodies/sqliteCreate.sql and added hints to documentation.
- Added a number of new Redback VSAs to dictionary, contributed by
Toomas Karner.
- Improvements so that ServerTACACSPLUS can now be configured for the
Username: and Password: prompts when authen-type of ASCII is used.
Added new flag -ascii to tacacsplustest to enable use of authent-type
ASCII instead of default PAP. Refactored some constants and code from
ServerTACACSPLUS to use equivalents in Tacacsplus.pm
- Fixed some errors in definitions of Airespace-QoS-Level in
dictionary. Contributed by Theodore J. Knab.
- Added goodies/radiator.sh, a Radiator startup script for FreeBSD and rc-ng. Contributed
by Paul Dekkers.
- Improvements to AuthBy ROUNDROBIN. Now it attempts to deliver only a limited number of times.
It will remember which server it tried to send to at first and then on retry it will walk the whole
RR list and try each available server in a row. If it reaches the
first server again, it will
abort the request. Patch provided by Rok Papez.
- Improvements to allow use of Client-Identifier check items to detect if
a request was received by a Server RADSEC clause. Matches against the
Identifier of the Server RADSEC clause that received the
request. Change to Server RADSEC: TLS_ExpectedPeerName now defaults to the DNS
name of the RADSEC client (if resolvable) else the client's IP
address. Server RADSEC did not check the Radius authenticator on incoming requests.
Suggestions by Paul Dekkers.
- Fixed problems where multiple TLS RadSec clients were initialised within the
same server. Certificate passwords were incorrect and some TLS
sessions would not initialise properly. Better support for different
certificates in each TLS RadSec client. Reported by Paul Dekkers.
- Fixed some interactions between different uses of Net_SSLeay, where the
verify callback got clobbered by IO::Socket::SSL, which caused crashes
when LDAP+(SSL or TLS) was used with RadSec or EAP-TLS. Reported by
Jan Tomasek and Ross Wakelin.
- The LDAP Deref parameter did not work as expected, since it was passed to
LDAP new rather than search. Reported by Matthew Lohier.
- AuthBy GROUP now prints the Identifier in the 'Handling with ....'
DEBUG message.
Requested by Jethro R Binks.
- Improvements to peer certificate verification for RadSec connections.
Client side verifies the configured server Host name against the
server certificate CNs or subjectAltNames (DNS or IPADD types).
Server side verifies the client IP address against the client
certificate CNs or subjectAltNames (IPADD types only).
Exact match and wildcard matches are honoured. If those fail then
TLS_ExpectedPeerName pattern is matched against the entire Subject
name. If all those fail, the certificate is not verified and the
RadSec connection will be terminated. Updated RadSec example configuration
files. This is all in line with RFC 2595. Suggested by Jan Tomasek.
Caution: use of subjectAltNames requires patches for Net_SSLeay from
this patch.
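The peer-name checks described in the entry above, carried through as an added illustration in Python (Radiator itself is written in Perl; this is not its code). The certificate fields, host names and addresses are constructed sample data, and `PeerCert` is a stand-in for whatever the TLS library hands back:

```python
"""Peer-name checks for a RadSec TLS connection, in the order the entry
above describes: exact or wildcard match against CNs and subjectAltNames,
then a TLS_ExpectedPeerName pattern against the whole Subject, else reject.

Added illustration, not Radiator's code; all certificate data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """The parts of a peer certificate the checks look at (constructed)."""
    subject: str                                   # whole Subject DN as text
    cns: list = field(default_factory=list)        # CN values
    san_dns: list = field(default_factory=list)    # subjectAltName DNS entries
    san_ip: list = field(default_factory=list)     # subjectAltName IP entries


def name_matches(pattern, name):
    """Exact match, or a '*.' wildcard that stands for exactly one DNS label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        return (name.endswith(pattern[1:])
                and name.count(".") == pattern.count("."))
    return False


def ip_matches(cert_value, peer_ip):
    """Compare as parsed addresses so textual spelling (IPv6 compression,
    case) cannot make two equal addresses look different."""
    try:
        return ipaddress.ip_address(cert_value) == ipaddress.ip_address(peer_ip)
    except ValueError:
        return False


def subject_pattern_matches(cert, expected_peer_name):
    """Last resort: the TLS_ExpectedPeerName regex against the whole Subject."""
    if not expected_peer_name:
        return False
    return re.search(expected_peer_name, cert.subject) is not None


def verify_server_peer(cert, configured_host, expected_peer_name=None):
    """Client side: the configured Host name must match a CN or a DNS/IP SAN."""
    if any(name_matches(c, configured_host) for c in cert.cns + cert.san_dns):
        return True
    if any(ip_matches(ip, configured_host) for ip in cert.san_ip):
        return True
    return subject_pattern_matches(cert, expected_peer_name)


def verify_client_peer(cert, client_ip, expected_peer_name=None):
    """Server side: the client's IP address must match a CN or an IP SAN."""
    if any(ip_matches(v, client_ip) for v in cert.cns + cert.san_ip):
        return True
    return subject_pattern_matches(cert, expected_peer_name)


if __name__ == "__main__":
    cert = PeerCert(subject="CN=radsec1.example.org,O=Example Org",
                    cns=["radsec1.example.org"],
                    san_dns=["*.example.org"],
                    san_ip=["192.0.2.10"])
    print(verify_server_peer(cert, "radsec2.example.org"))   # wildcard SAN
    print(verify_client_peer(cert, "192.0.2.11"))             # no match: drop
```

The pattern fallback is the loosest of the three checks because it is matched against the whole Subject string: an unanchored `TLS_ExpectedPeerName` such as `example` is satisfied by any certificate from the same CA whose Subject happens to contain that text, so anchor the pattern (for instance to the trailing `O=` component) or prefer to rely on the CN/subjectAltName matches.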
- Testing on FreeBSD 6.0 RELEASE. OK.
- Fixed problems with session database code crashing if there were no
Client clauses defined and Client.pm not loaded, as in purely RadSec
or TACACS+ servers. Reported by Sajeewa Warnakulasuriya.
- Fixed a problem with Status-Server and SNMP statistics where proxied
requests were incorrectly counted in the dropped statistics
too. Reported by Miko.
- Fixed a compatibility problem with AuthBy KRB5 and krb5-1.4.*, where krb5_init_ets is
not present and not required. Reported by Joon Yun.
- Added APC-Service-Type and APC-Outlets to
dictionary. Contributed by "Cassidy B. Larson".
- Added support for FailureBackoffTime, MaxFailedRequests and
MaxFailedGraceTime similar to AuthBy RADIUS. This permits RADSEC host
failure detection and also automatic reforwarding to alternate RADSEC hosts
by using NoReplyHook.
- Server TACACSPLUS now
prints the reply to its Radius request when at trace level 4.
- Added ability to match Client clauses based on client MAC
address. Requested by Steve Shippa.
- Revision 3.13 (2005-06-02) New features and bug fixes
- Revision 3.12 (2005-03-17) Major new features. Some bug fixes.
- Added AuthBy RADSEC, which implements Radius transport over
a reliable TCP/IP or SCTP connection, with optional TLS encryption and
optional TLS mutual authentication by PKI certificate. The example
config files implement a simple proxy from radsec-client.cfg to
radsec-server.cfg on localhost.
- Added support for Novell eDirectory Universal Passwords. Added
sample configuration files and install/configure/test instructions
for eDirectory on Unix. This support allows Radiator to access
each user's Universal Password for authenticating PAP, CHAP, MSCHAP, MSCHAPV2,
EAP-TLS, EAP_TTLS-*, PEAP, EAP_MSCHAP, EAP-MD5, LEAP etc.
- There was a problem with the Solaris Authen-Digipass package included
in 3.11 that caused "ERROR: attempt to process datastream failed". New
package included.
- A debugging print statement that had been inadvertently left
in Log SQL was removed.
- Fixed a problem introduced in 3.10 that could cause a crash like 'Undefined subroutine
ldap_error_name' in AuthBy LDAP2 after an LDAP error.
- Fixed a problem with radpwtst -gui, where changing the name of
the destination server in the GUI would not actually change the
destination. Reported by Ken Bell.
- radpwtst -gui incorrectly showed Alteon-Service-Type as well
as Service-Type options in the Service-Type menu.
- Added new global parameter MaxChildren which limits the number of Fork
children permitted at any one time. Contributed by Ivan Brawley.
- Added documentation on how to configure Apache 2 for Radius
authentication with the mod_auth_radius module. Works with any
Radiator authentication module including ACE and DIGIPASS.
- Added support for Challenge-Response (CR) tokens to AuthBy
DIGIPASS.
- Added documentation on how to configure PAM and pam_radius for
use with Radiator to provide Unix login authentication using
SecurID, Digipass or any other Radiator supported method.
- Improved behaviour of RPM distributions, when doing rpm -F
install over an old version.
The symlink in /usr/lib/perl5/site_perl/Radius
could end up incorrect.
- New version of AuthBy IMAP now supports SSL connections to IMAP
server. Contributed by Karl Gaissmaier. Example configuration file
imap.cfg extended to show how to configure SSL connections, and
TTLS-PAP support too.
- Testing AuthBy ACE and Authen-ACE4 with ACE Server 5.2. OK. No
changes required. Works with Authen-ACE4 compiled with 5.0 ACE
Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from
OSC also work fine.
- Testing AuthBy ACE and Authen-ACE4 with RSA Security
Authentication Manager 6.0 (formerly ACE/Server 6.0). OK. No
changes required. Works with Authen-ACE4 compiled with 5.0 ACE
Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from
OSC also work fine. Tested standard, Pinpad and AES tokens.
- Improvements to the performance of changeUserName, suggested
by Nennker, Axel.
- Added a number of IPWireless Vendor Specific Attributes to dictionary.
Contributed by Mernoz Rostangi.
- Added new test client for TACACS+.
See goodies/tacacsplustest -h for help.
- Server TACACSPLUS now allows you to set the group cache file name with the GroupCacheFile, which
also permits special characters. Also ServerTACACSPLUS now uses the accounting type in incoming requests to
set the Acct-Status-Type in Radius Accounting-Requests. Timestamp is now _not_ added to
Radius requests, since the following Handler will always do it
anyway. Added support for authentication using methods that can challenge,
such as DIGIPASS, ACE, OPIE, OTP, INTERNAL etc.
Default AuthorizationTimeout for Server TACACSPLUS changed to 600 seconds, to cater for
authentication start/challenge/continue sequences that are subject to
user input and could take a long time, and so that authorization
replies will be available for longer sessions.
Added -interactive flag to tacacsplustest to handle Tacacsplus
authentications that might ask for additional data (such as when
authenticating with DIGIPASS, ACE, OPIE, OTP, INTERNAL etc).
The Tacacs group name now defaults to 'DEFAULT' if GroupMemberAttr
is not defined,
or if the Access-Accept does not include that named attribute (ie
if the Tacacs group name cannot be determined).
- Fixed a problem with AddToReplyIfNotExist in all AuthBys, where some special reply
types such as Session-Timeout were not properly interpreted.
Reported by "Brian Morris".
- Added simple Tacacsplus test client to goodies. All perl, does not
require additional perl modules.
- Added new PostAuthSelectHook to AuthBy SQL, which allows a
hook to adjust the results of the AuthSelect query before being
used.
Contributed by Karl Gaissmaier.
- Testing with ZyXEL ZyAIR B-3000 Wireless access point, using
WPA, 802.1x and Radius authentication. OK.
- AuthLog SYSLOG did not recognise the LogSock parameter.
- Added -nas_identifier flag and default NAS-Identifier attribute to
radpwtst.
Contributed by Nennker, Axel.
- Added a script goodies/rotateacct.pl to rotate the ACCOUNTING table.
Contributed by Ray Van Dolson
- Added goodies/eap_acct_username.txt, a sample hook and script for de-anonymizing EAP-TTLS accounting
requests, which does not require an SQL database.
Contributed by Rok Papez, with comments by Roy Badami.
- Added new parameter for EAP-TLS, EAPTLS_NoCheckId, which prevents the comparison of the
username with the certificate common name. The certificate will be
accepted based only on the validity dates and the verification chain
to the root certificate. This allows Radiator to
mimic the behaviour of some other Radius servers.
Contributed by Martin Noha.
- Added various 3GPP attributes for vendor 10415, contributed by
Andy M.
- Fixed a problem with AuthBy RSAMOBILE, where one incorrect tokencode
could cause the user to exceed their maximum login attempts. Reported
by Sylvain Maret.
- Added support for NoCheckPassword to AuthBy LDAP2, so that LDAP can be
used to get check and reply items, but where the authentication is
done by another module.
- Improvements to date parsing to make it more tolerant of non-standard
case in month names when used in Expiration etc.
- Improvements to AuthBy LDAP2 so that when ServerChecksPassword is set, and the
password check fails, it won't cause a subsequent attempt to do an NT
hashed password check.
- All modules that can route requests back to the Handlers list now
also support PreHandlerHook. Suggested by Roy Badami.
- Testing on NetBSD 2.0. OK.
- Fixed a problem with AuthBy PLATYPUS where some versions of perl
could result in a trailing comma in the SQL for an accounting
request.
Reported by Jason D. Borders.
- Performance improvements in format_special. Added
ability to extend format_special indefinitely without performance
penalties. Added 2 new attribute formatting
operators. %{IntegerVal:attribute} is replaced by the integer value of the
named attribute from the current request. %{HexAddress:attribute}
is replaced by the IPV4 address contained in the named attribute
from the current request, formatted as a hex string. Suggested by
Pavel A Crasotin.
- The timing of the writing of the PID to PidFile has been
deferred until after the Radius ports are created, and the server
is almost certain to start up. Suggested by Karl Gaissmaier.
- Added example RADAUTHLOG and RADLASTAUTH tables to example SQL scripts
that did not have them (all except mysqlCreate.sql).
- Added new formatter for format_special that can access variable from
the server configuration. For example, %{Server:Trace} is replaced by
the global server Trace parameter.
- Fixed a problem with AddressAllocator DHCP that could cause a
socket error after a HUP on Unix. Reported by Andrew D. Clark.
- EAP TLS, TTLS and PEAP now take note of the Framed-MTU, if present, to
limit the MaxFragmentSize.
- Added goodies/gigawords-hook.pl, a hook for calculating
correct total octets from Gigawords. Contributed by Igor Briski, Iskon Internet d.d.
- Added goodies/lsa_eap_multi.cfg example config file showing
how to authenticate Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
handle the outer and inner requests for TTLS and PEAP. You can use
it to authenticate almost anything against Microsoft Active
Directory.
- In ServerTACACSPLUS, BindAddress now defaults to the global
BindAddress, and you can now specify multiple comma separated
addresses to listen on multiple interfaces.
- Added support for passwords encrypted with the Microsoft SQL
pwdencrypt() function. The required format is like:
{mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA
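How a value in that format is checked, as an added Python illustration (not Radiator's Perl code). It assumes the SQL Server 2000 pwdencrypt() layout as commonly documented: a 0x0100 version prefix, a 4-byte salt, SHA-1 over the UTF-16LE password plus salt, then SHA-1 over the upper-cased UTF-16LE password plus salt; the 46-byte example above has exactly that shape. Accepting the shorter 26-byte variant that lacks the second digest is an assumption beyond what the entry states. The password and salt in the test are constructed:

```python
"""Verify a candidate password against an {mssql} pwdencrypt() value.

Added illustration, not Radiator's code. Layout assumed (SQL Server 2000):
  0100 | salt(4) | SHA1(UTF-16LE(pw) + salt) | SHA1(UTF-16LE(upper(pw)) + salt)
A 26-byte value without the second digest is accepted too (assumption).
"""
import hashlib
import hmac
import os

PREFIX = "{mssql}"
VERSION = b"\x01\x00"


def mssql_pwdencrypt(password, salt=None):
    """Build an {mssql} value; the salt is random unless supplied."""
    if salt is None:
        salt = os.urandom(4)
    pw = password.encode("utf-16-le")
    digest = hashlib.sha1(pw + salt).digest()
    digest_upper = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return PREFIX + (VERSION + salt + digest + digest_upper).hex().upper()


def parse_mssql(stored):
    """Return (salt, case_sensitive_digest, has_upper_digest) or None."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = bytes.fromhex(stored[len(PREFIX):])
    except ValueError:
        return None
    if raw[:2] != VERSION or len(raw) not in (26, 46):
        return None
    return raw[2:6], raw[6:26], len(raw) == 46


def mssql_check(stored, candidate):
    """True when candidate is the password behind the stored value.

    Only the case-sensitive digest is compared, in constant time; the
    upper-cased digest is never used for acceptance.
    """
    parsed = parse_mssql(stored)
    if parsed is None:
        return False
    salt, digest, _ = parsed
    computed = hashlib.sha1(candidate.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(computed, digest)


def carries_case_insensitive_digest(stored):
    """46-byte values also embed a digest of the upper-cased password."""
    parsed = parse_mssql(stored)
    return parsed is not None and parsed[2]


if __name__ == "__main__":
    value = mssql_pwdencrypt("Secret1")          # constructed sample
    print(mssql_check(value, "Secret1"))         # True
    print(mssql_check(value, "secret1"))         # False
```

Treat 46-byte values as weaker than their length suggests: the second digest covers a case-folded copy of the password, so the stored value reveals more than a single salted SHA-1 would, and a plain SHA-1 with a 4-byte salt is fast to compute in any case. Where the user store is under your control, a slow password hash is the better long-term choice; this format is worth supporting only for compatibility with an existing SQL Server user table.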
- AuthBy RADIUS now supports MaxFailedRequests parameter. A proxy host
will not be marked as failed until at least MaxFailedRequests requests have not
received a reply. This is useful for some buggy remote radius servers,
that sometime drop requests for particular users. Also some internal
changes to the addHost() function. Suggested by Arnauld
Michelizza.
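The failure-detection parameters mentioned in this entry and in the AuthBy RADSEC entries above (MaxFailedRequests, FailureBackoffTime, hosts tried in configured order), carried through as an added Python illustration rather than Radiator's Perl code. The hosts, timings and the `replied` flag are constructed so the behaviour can be walked through without a live server:

```python
"""Proxy-host failure detection: a host is marked dead only after
MaxFailedRequests unanswered requests, is skipped for FailureBackoffTime
seconds, and hosts are tried in configured order.

Added illustration, not Radiator's code. Time is passed in explicitly.
"""
from dataclasses import dataclass, field


@dataclass
class ProxyHost:
    name: str
    max_failed_requests: int = 1      # unanswered requests before marking dead
    failure_backoff_time: int = 0     # seconds to skip a dead host
    failed_requests: int = field(default=0, init=False)
    dead_until: float = field(default=0.0, init=False)

    def usable(self, now):
        return now >= self.dead_until

    def note_no_reply(self, now):
        """Count an unanswered request; True if the host just went dead."""
        self.failed_requests += 1
        if self.failed_requests < self.max_failed_requests:
            return False
        self.failed_requests = 0
        self.dead_until = now + self.failure_backoff_time
        return True

    def note_reply(self):
        """Any reply proves the host is alive again."""
        self.failed_requests = 0
        self.dead_until = 0.0


class HostList:
    """Hosts are tried in the configured order, skipping those in backoff."""

    def __init__(self, hosts):
        self.hosts = list(hosts)

    def select(self, now):
        for host in self.hosts:
            if host.usable(now):
                return host
        return None               # nothing to forward to: a NoReplyHook case


def forward(hosts, now, replied):
    """Pick a host, record the outcome, return the host name (or None).

    `replied` is a constructed stand-in for whether a reply came back.
    """
    host = hosts.select(now)
    if host is None:
        return None
    if replied:
        host.note_reply()
    else:
        host.note_no_reply(now)
    return host.name


if __name__ == "__main__":
    primary = ProxyHost("primary", max_failed_requests=2, failure_backoff_time=60)
    backup = ProxyHost("backup", max_failed_requests=1, failure_backoff_time=60)
    pool = HostList([primary, backup])
    for t, ok in [(0, False), (1, False), (2, True), (61, True)]:
        print(t, forward(pool, t, ok))
```

The point of MaxFailedRequests is visible in the walk-through: a single lost reply (a remote server that drops one particular user's request) does not take the primary out of service, but two in a row do, and traffic moves to the backup until the backoff expires. Keep FailureBackoffTime short enough that a recovered host is noticed, and watch for a `None` result, which is the moment NoReplyHook has to decide what to tell the NAS.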
- Added goodies/checkOnlineSql.pl, a script that checks that all the users in an SQL SessionDatabase are
still online, and deletes the ones that aren't. Uses a client table
to determine Nas type etc.
- The Authen-Digipass package for Solaris did not include libaal2sdk,
resulting in an error when trying to run Digipass
authentication. Reported by Roy Badami.
- New versions of AuthBy PLSQL and sample config file, which now
supports INOUT parameters for Oracle stored procedures. Contributed by
Pavel A Crasotin.
- Improvements and refactoring of IPV6 address
code. ServerRADSEC, ServerTACACSPLUS and Monitor can now listen for connections on
multiple IPV4 and IPV6 BindAddress addresses.
- Fixed a problem with goodies/nntp-redirect.pl where it
incorrectly looked for case-sensitive AUTHINFO. Reported and
patched by Thorsten Huber.
- Added nntp-redirect.pl, a Radius-enabled Net News NNTP port
authenticator and
accountor. This program receives NNTP connection requests,
authenticates each one with Radius, and then forwards the
connection to the real NNTP server. It counts bytes in and out,
and at the end of the NNTP session sends Radius accounting
data counting the total news traffic in and out. This allows
you to integrate NNTP authentication and accounting with the
rest of your Radius services. Reply attributes in the
Access-Accept can be used to configure the NNTP server and
port to redirect to, allowing per-user NNTP configuration via
Radius.
- Altered the SQL database connections to use PrintError 0, so that
unnecessary error messages will not be printed to stderr.
- Testing on SuSE 9.2. OK.
- Added MaxRecords parameter to AuthBy LDAP2.
It specifies the max number of matching LDAP records to use for check
and reply items. Default is 1 to be backwards compatible. Only the
first match (if any) is used for ServerChecksPassword.
Suggested by Kenneth Cheung.
- Added a number of Mikrotik Vendor Specific Attributes to dictionary.
Contributed by Adrian Tan.
- Added new NoEAP parameter to all AuthBys that will disable EAP
authentication in that AuthBy. Useful for doing additional authentication besides
EAP, such as MAC address etc.
- Added simple_main_loop to Select for simple clients etc.
- Fixed a problem with all LDAP modules where an LDAP connection problem
could cause a Radiator crash.
- Fixed a problem with radpwtst where specifying IPV6 addresses for both
-s and -bind_address could produce 'bind: Cannot assign requested
address'. Reported by Paul Dekkers.
- Improved performance of AuthBy LDAP2, especially when used with
ServerChecksPassword. Some servers would disconnect after an
unbind. This fix prevents a disconnection after a
ServerChecksPassword bind, reducing the overhead of
reconnecting. Overhead for reconnecting with TLS enabled is high.
Fixed ServerChecksPassword so it works in more cases, such as
Novell eDirectory.
Added goodies/edirectory.cfg showing the best configuration to use with
Novell eDirectory.
- Improvements to Linux startup script so it recognises Debian
start-stop-daemon and uses that to stop and start the server.
- Testing with Debian and Ubuntu 4.10. OK, but minor changes
required to RPM, Radiator.spec and linux-radiator.init
- Improvements to EAP to prevent multiple MS-MPPE-Send-Key and
MS-MPPE-Recv-Key attributes in reply.
- Fixed a problem that could cause an error in ServerTACACSPLUS
'Too many arguments for open'
when running on perl 5.005. Reported and patched by Bill Ouchark.
- EAP-Token is now supported by all static password
authentication methods, such as AuthBy FILE, SQL, LDAP
etc. goodies/eap_multi.cfg updated to demonstrate this.
- EAP-TLS now supports client certificates with multiple CNs. At least
one CN must match the User-Name or Identity (after
EAPTLSRewriteCertificateCommonName rules are applied to each CN).
- Added new flag EAPTLS_PEAPBrokenV1Label to make PEAP Version 1 support compatible with
nonstandard PEAP V1 clients that use the old broken TLS encryption labels that
appear to be used frequently, due to Microsoft's use of the incorrect
label in its V0 client.
- Revision 3.11 (2004-10-25) Some new features and an important bug fix.
- New module AuthBy MULTICAST proxies some or all requests to
_all_ Hosts in a list. Contributed by Andrew Ivins and Swiftel.
- New example code in goodies/hooks.txt for processing multiple
cisco-avpair attributes. Contributed by Chris.Patterson.
- Improvements to Monitor.pm so that stringarray and
splitstringarray types can be displayed in Radar.
- Improvements to AuthBy FILE so that a Filename of the form
%D/users.%R (where the file to be looked at depends on the user's
Realm) will work correctly with caching turned on. Contributed by
Ivan Brawley.
- Improvements to ClientListSQL, so that SQL failures during reloading of
the client list will result in the old list continuing to be
used. Contributed by Ivan Brawley. Similar changes to
ClientListLDAP.
- Testing on Fedora Core 2. OK.
- Testing on SuSE 9.1. OK, but fixes required for
/etc/init.d/radiator in RPM.
- Testing on Slackware 10.0. OK, but fixes required for
RPM installs. Slackware requires rpm --nodeps to install the RPM
- Fixed a problem that prevented logging of some incoming packets
through Monitor. Reported and patched by Ivan Brawley.
- Fixed a problem introduced in 3.10 with reassociating after poor
coverage. Reported by Roy Badami.
- Fixed a problem with AcceptIfMissing which did not work correctly if
the user did not exist in the database.
- Fixed a problem where logging at trace level 4 to an SQL database
could cause problems with quoting on Informix due to a newline in the
log message.
- We now ensure the openssl session resumption time limit is set in
accordance with EAPTLS_SessionResumptionLimit. Reported and patched
by Roy Badami.
- Improvements to restartWrapper so it can log to syslog through
/usr/bin/logger. Contributed by Nennker, Axel.
- Log SQL and Log SYSLOG loggers now support the MaxMessageLength parameter, which
truncates the log message (prior to any quoting in the case of
SQL). Useful for some types of SQL server that complain if given a
string longer than the column it is going into.
- Revision 3.10 (2004-10-11) Significant new features. Bug fixes.
- Radiator is now 'Vasco Ready'.
Added support for Vasco Digipass authentication with new
AuthBy DIGIPASS module. Example config file in
goodies/digipass.cfg. Sample Digipass token data tables added to
goodies/*.sql. Documentation on installing and configuring
Digipass on Solaris, Linux and Windows in
goodies/digipass-install.txt. Prebuilt binaries of required
Authen-Digipass module for Solaris, Linux and Windows.
- New module AuthBy LDAPRADIUS proxies requests to a remote
radius host whose details are found in an LDAP database, looked up
against the user's Realm (or Calling-Station-ID etc). Similar in
functionality to AuthBy SQLRADIUS. Example LDAP schema,
LDAP records and config file are included.
- Added new clause ClientListLDAP, which lets you define your Client
clauses from an LDAP query, similar to ClientListSQL. Also supports
RefreshPeriod, so the Client list can be refreshed
periodically. Example config files, LDAP data and schema included.
- New module AuthBy KRB5 for authenticating against Kerberos 5. Works with Radius PAP
and EAP-TTLS-PAP. Substantially contributed by Steve Harper with fixes by Jeff Wolfe.
Tested against realms hosted by DCE and MIT K5. Example config file in goodies/krb5.cfg
- Testing with pGina, a free Windows login program for Win2000
and XP that uses
Radius to authenticate Windows users
(http://sourceforge.net/projects/pgina).
Works fine with the example goodies/simple.cfg.
- Further improvements to handling of EAP Requests.
Requests other than Notifications are now IGNORED, except for LEAP.
- Fixed a problem with dictionary that could occasionally cause MSCHAPV2
authentication to fail.
- Added support for DefaultRealm in Server TACACSPLUS.
- Added a number of Nomadix VSAs to dictionary. Contributed by Ing. Rosario Pingaro.
- Fixes to permit <Handler User-Password=xyz> to work with CHAP, MSCHAP and MSCHAPV2,
as well as PAP.
- Added Ascend-Session-Svr-Key to dictionary.ascend. Contributed by tcrholdings.
- AuthRSAMOBILE.pm was accidentally left out of the 3.9 distribution.
- Fixed a problem with CommandAuth in ServerTACACSPLUS. Patch contributed by Nick Slager.
- Added VSAs for Trapeze Networks to dictionary. Contributed by Matthew Gast.
- In dictionary, MS-MPPE-Encryption-Types of Encryption-40 and Encryption-128 were reversed.
- Disconnect-Request packets did not get a correct authenticator when proxied.
- Added support for AddToRequest in field 22, StripFromRequest in field 23
and AddToRequestIfNotExist in field 24 of ClientListSQL of GetClientQuery.
- Added some more Extreme VSAs to dictionary. Contributed by Carlo Beronio of Extreme Networks.
- Added new script goodies/mergedetails which will combine multiple accounting details
files into a single file in chronological order.
- Added new goodies/vlanhooks.txt, with example hooks for handling multiple downstream
authenticators, and NASs with
incompatible interpretations of Tunnel-Private-Group attributes.
Contributed by Matthew Gast.
- Added VSAs for Sonic Wall to dictionary, contributed by Joe Levy.
- Testing on Lindows 4.5. OK.
- Improvements to domain handling in AuthBy LSA. New parameter DefaultDomain specifies the
domain if the user does not specify a domain in their username. PEAP now passes the entire
DOMAIN\username to the authenticating module. If you are using PEAP-MSCHAPV2 with AuthBy FILE, users
should not specify a domain when they log in (unless you have
DOMAIN\user in your users file).
Also added new parameters Group and DomainController to AuthBy LSA. The
Group parameter allows you to specify that each user must be a
member of at least one of the named Windows global groups. More than
one required group can be specified, one per Group line. Requires
Win32::NetAdmin (which is installed by default with ActivePerl). If no
Group parameters are specified, then Group checks will not be
performed. Only Global groups are supported. If Group is required
and DomainController is not specified, it will attempt to find the domain controller
based on the user's domain.
Example usage in lsa.cfg.
- Fixed a problem in goodies/radacctSorted.cgi that could cause a 'divide by zero' error when used with an SQL database.
- Improvements to AuthLog SYSLOG and Log SYSLOG, so that multiple instances of the logger
with different Facility parameters will work as expected. Contributed by Heikki Vatiainen.
- Versions of Radiator that require a key for unrestricted operation now identify themselves as
'LOCKED' rather than 'EVALUATION'.
- Added new command line flag to radpwtst. The -eaphex flag allows you to specify an EAP-Message
in hex. Contributed by Martin Noha.
- Added new ConnectionHook parameter to SqlDb.pm. This allows any Sql object (like AuthBy SQL etc)
to run database-specific code each time Radiator (re)connects to the database. This is most
useful for executing func() to configure the database connection in customised ways. Example
hook in goodies/sql.cfg. Suggested by Oleg E. Shubarov.
- Fixed a typo in ServerConfig.pm, that resulted in 'acccess requests' in status reports.
- ClearTextTunnelPassword parameter was moved from AuthBy RADIUS to AuthGeneric, so that all
AuthBy modules (not just RADIUS proxying) now honour it. Suggested by Patrik Forsberg.
- New version of Windows Authen-ACE4 PPM package, compiled for both ActivePerl 5.6 and 5.8
with recent SDK for Server 2003 etc. Also PPM summary files for use with PPM3.
- EAP-MSCHAPV2 in an inner authenticator now honours AddToReply AddToReplyIfNotExist and DefaultReply.
- Fixed an incorrect header length with EAP-PEAP version 1.
Fixed a problem with cached EAP-PEAP version numbers. Reported by
Jouni Malinen.
- goodies/radwho.pl now lets you set the table name to use with
-table argument
- Modules that use syslog now do openlog;syslog;closelog for each log
message so that if the syslog facility restarts, Radiator will reconnect
to the syslog facility.
- ReplyHook can now set $op->{RadiusResult} to force particular
response.
- Fixed a problem with goodies/radwho.cgi where some browsers did not work correctly with the
'delete session' link.
- AuthBy RADIUS now determines a suitable local source socket address from
LocalAddress, based on whether the destination address is IPV4 or
IPv6. The first suitable address in the LocalAddress list will be
used as the source address. If LocalAddress does not specify a suitable IPV4 or IPV6 address
for the intended destination, the appropriate 'any address' will be
used, which generally means the default source address for that
host.
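The source address selection described above, as an added example that is not Radiator's own code: given the LocalAddress entries and a proxy destination, it returns the first entry of the same IP family and otherwise the wildcard address for that family. The comma-separated list form and the open_proxy_socket helper are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Iterable, Union

# Family-appropriate 'any address', used when LocalAddress has nothing suitable.
ANY_ADDRESS = {4: "0.0.0.0", 6: "::"}


def pick_source_address(local_addresses: Union[str, Iterable[str]], destination: str) -> str:
    """Return the first LocalAddress entry whose IP family matches destination,
    or the wildcard for that family when no entry fits."""
    dest = ipaddress.ip_address(destination)
    if isinstance(local_addresses, str):
        local_addresses = local_addresses.split(",")
    for entry in local_addresses:
        entry = entry.strip()
        if not entry:
            continue
        try:
            candidate = ipaddress.ip_address(entry)
        except ValueError:
            # Not a literal address: skip it rather than try to bind to it.
            continue
        if candidate.version == dest.version:
            return entry
    # Binding a source of the wrong family is what produces
    # 'bind: Cannot assign requested address'; the wildcard avoids that.
    return ANY_ADDRESS[dest.version]


def open_proxy_socket(local_addresses: Union[str, Iterable[str]], destination: str) -> socket.socket:
    """Assumed helper: create a UDP socket of the right family bound to the chosen source."""
    src = pick_source_address(local_addresses, destination)
    family = socket.AF_INET6 if ipaddress.ip_address(src).version == 6 else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.bind((src, 0))
    return sock
```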
- AuthBy RODOPI now supports Rodopi 5.4 Cisco VOIP
authentication and billing.
Requests that contain the 'cisco-h323-conf-id' attribute will
be handled with the VoipAuthSelect and VoipAcctSQLStatement
parameters.
- Common authentication methods now accept all passwords if
NoCheckPassword is set.
- radwho.cgi now sets the refresh time to 0 after terminating
a user, so the automatic browser refresh doesn't keep clobbering the
user. Patch submitted by Richard Vander Reyden.
- EAP MD5-Challenge now rewrites the EAP identity using
RewriteUsername.
- Fixed a problem with EAP TTLS where the TLS client-hello would
not be honoured properly on some combinations of client and AP.
- AddressAllocator SQL now does not run the AllocateQuery if it is an
empty string. Also, the expiry time is now calculated once for each
allocation, and passed to FindQuery as %2. Suggested by Andy M.
- In dictionary, some 3GPP attributes were incorrectly called
just GPP.
- Added Giganews VSAs to dictionary. Contributed by Carl Litt.
- Testing with jradius-client, a java Radius client from
sourceforge. OK.
- Fixed a problem that prevented IPV6 DNS names being
used. Reported by Paul Dekkers.
- Fixed problem with a number of authentication modules that
could cause a crash when doing logPassword when used to authenticate for Monitor or Server
TACACSPLUS requests. Reported by Carl Litt.
- Improvements to handling of Windows NT Hashed passwords.
Encrypted-Password may now be either 32 bytes of hex encoded
NT hashed password, or 16 bytes of binary NT hashed password or 13 bytes
of Unix crypt password.
User-Password now supports NT Hashed
passwords in the form User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4.
The NT Hashed passwords work with PAP, and
now with MSCHAP, MSCHAPV2, EAP-MSCHAPV2 and EAP-LEAP.
This provides
compatibility with Samba SMB passwords (either in a flat file or in LDAP).
- In PEAP, AllowInReply could cause MPPE keys to
be unexpectedly stripped from the reply.
- Fixed a potential issue in TTLS session resumption. Reported
by Roy Badami.
- Added goodies/radlog.cgi, a CGI script to view the tail of a Radiator log file. Can be
helpful for helpdesk troubleshooting. Contributed by Mohammad
Junaid, Cyberia.
- Fixed a problem that prevented ClientListSQL properly processing the
last column from the query, which can contain a comma separated
list of flag names.
- Changed example LDAP config and sample user data to be compatible with
OpenLDAP 2.1. OpenLDAP now defaults to requiring protocol version
3.
- AuthBy RADMIN can now handle Session-Timeout as a string, such as
'until Time'. Reported by Oliver Insanally.
- Core LDAP functions moved from AuthLDAP2.pm to new module
Ldap.pm to allow reuse by other LDAP modules such as
AuthLDAPRADIUS.pm and ClientListLDAP.pm
- Name of the key-locked distribution file changed from Radiator-Demo
to Radiator-Locked.
- AuthLog SYSLOG now supports the LogIdent parameter, similar to Log SYSLOG.
- Revision 3.9 (2004-03-17 New features)
- Added support for Radius over IPV6. Radiator can now receive Radius requests over IPV6, and proxy
to remote servers over IPV6. radpwtst can now send requests over IPV6.
See goodies/ipv6.cfg for examples.
Requires the Socket6 module from CPAN.
- radwho.cgi now honours the correct sort order after deleting. Contributed by Cameron Moore.
- Added support for NAS-Type of NomadixSNMP, contributed by Toomas Kärner.
- Fixed a problem that could affect EAP TTLS where the inner requests was proxied to another
Radius server. Could result in no reply sent back to the AP. Reported by Roy Arends.
- Added support for NasType of Redback by SNMP. Contributed by Toomas Kärner.
- AddressAllocator SQL now does not run the DeallocateQuery or ReclaimQuery
if they are empty strings. Suggested by Kwang Moon.
- Added more USR VSAs to dictionary, contributed by Joseph Eapen.
- Improvement to AuthBy RSAMOBILE, so the Tokencode prompt includes the expected SMS message ID
if possible.
- Added support for encrypted passwords in ancient Netscape Mail server format:
{NS-MTA-MD5}b6b49e37d494a09bfde663033274bc83cd1bf318fa32c5866166a7edcb1e1c87
- New hook TranslatePasswordHook for all AuthBy clauses. This hook can be used to apply
site-specific translations to passwords, such as forcing lowercase, decrypting or
otherwise transforming passwords retrieved from the user database, prior to checking.
Works with plaintext, CHAP, MSCHAP etc.
- Added support for non-standard VSA format for Ascend/Lucent TAOS code 4846. Also added
Ascend-MOH-Timeout to dictionary, which will be decoded according to this non-standard
format. Requested by Jeroen.
- Renamed Redback VSA Acct-Reason to RB-Acct-Reason for consistency with all other
Redback attributes.
- Server TACACSPLUS will now print a hex dump of the raw incoming TACACS
request if Trace is set to 5.
- New certificates for testing TLS/TTLS/PEAP. Previous certificates expired in Feb 2004.
These new ones expire in March 2006.
- Added a number of new attributes to the standard dictionary, such as VSAs for Juniper ERX,
RB-Client-MAC
- Revision 3.8 (2003-12-24 New features and bug fixes)
- Added beta support for EAP Generic Token Card,
EAP-PEAP Generic Token Card and conventional Radius Access-Accept/Access-Challenge
using AuthBy RSAMOBILE and the RSA Mobile authentication system
from RSA Security (www.rsasecurity.com).
RSA Mobile supports a number of authentication methods, including
  - username and password
  - an access code sent by SMS to your mobile phone
  - RSA SecurID Token Cards
and all of these can be configured with AuthBy RSAMOBILE.
- Fixed a problem with SIGHUP on FreeBSD with the Monitor clause, which could cause
'Could not bind Monitor socket: Address already in use'.
- Fixed incorrect references in the documentation to /usr/local/etc/radius.cfg.
- Changes to Server TACACSPLUS, because some TACACS+ clients do not like success
packets containing a server message. No server message is ever sent now.
- Added Redback Acct-Reason VSA to dictionary. Contributed by Kurt Jaeger.
- Further improvements to Server TACACSPLUS, contributed by Paul Schultz,
and confirmed operation with various Cisco and Juniper clients. Added support
for CommandAuth, a mechanism for permitting or denying permission for
specific commands requested on the Tacacs client.
- Added cisco-Policy-Up and cisco-Policy-Down VSAs to dictionary.
- Added EAPTLS_PEAPVersion parameter to all AuthBy clauses, which allows you
to control which version of the draft PEAP specification to honour.
Defaults to 1. Set it to 0 for unusual clients,
such as Funk Odyssey Client 2.22 or later.
- Fixed a problem with PEAP that could prevent the use of Framed-IP-Address
in user records, resulting in an error like:
Mon Oct 20 15:57:25 2003: ERR: Could not handle an EAP request: Can't call method "attrByNum" on an undefined value at Radius/Radius.pm line 1440.
- Fixed problems with Server TACACSPLUS, where some cases of incorrect message packaging were found
and fixed by Paul Schultz. Also some special characters like %w and %C did not work correctly with
requests originating from Server TACACSPLUS. Reported by Garry Thomas.
- Added a number of Unisphere VSAs to dictionary. Contributed by Chris Patterson.
- Fixed a problem with AuthBy RADIUS in Synchronous mode, where if all hosts
failed to get a reply, Radiator would stop answering requests until the
FailureBackoffTime expired.
- Fixed problem with incorrect replies to Tacacs accounting requests.
Reported by Garry Thomas.
- Fix for broken Breezenet/Breezecom/Alvarion VSAs.
These NASs send Ethernet port data in VSAs (up to 11 per accounting request)
but unfortunately don't use
the same attribute numbers each time. Instead, the attribute number increments
each time, then wraps at 256. Radiator automatically maps the first one in a packet
to Breezecom-Attr1, the second to Breezecom-Attr2 etc through to Breezecom-Attr11.
- Added Packeteer-AVPair to dictionary.
- $p->{EAPIdentity} is automatically set to the EAP identity (if known) during
EAP processing.
- Added a number of Altiga attributes to dictionary. Contributed by Karl.Gaissmaier.
- Added missing documentation for SnmpwalkProg to reference manual.
- EAP LEAP now honours RewriteUsername to rewrite the LEAP identity
before authentication.
- Added NasType CiscoSessionMIB, which uses the new sessionMIB available in
Cisco IOS 12.2.15T. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dt_asmib.htm for more details.
- EAP TLS authentication did not take notice of the common name in the certificate when
checking the users file. Every user's certificate Common Name is now
required to be in the users file.
- Some types of errors in initialising the TLS library would only affect the first
EAP request. Subsequent ones could succeed where they should not.
- Added Copper Mountain Networks Vendor Specific Attributes to dictionary
- Fixed a problem where runt EAP-Message attributes could cause ERR messages
like "Could not load EAP module Radius::EAP_;"
- New argument -rawfileseq added to radpwtst. Contributed by Martin Noha.
- Added generic, configurable one-time-password module AuthBy OTP that can be used with
EAP-OTP, EAP-GTC and standard dialup. Hooks allow you to generate random passwords
and deliver them through a back channel such as SMS by calling an external program.
- Fixed a bug in AuthBy SQLRADIUS where falling back to the secondary would not occur
under some circumstances.
- Added new parameter SQLRecoveryFile so that any SQL clause (such as AuthBy SQL etc.) can
log failed SQL do queries to a file for later recovery. Performance improvements to
AuthBy SQL accounting. Suggested by Kenneth Cheung.
- Fixed some problems with session resumption on Windows XP EAP-TLS and openssl
that could cause a crash.
- Added support for RFC 3576 Error-Cause attribute to dictionary.
Also added recognition for all Radius packet types per RFC 3576.
Added Acct-Tunnel-Packets-Lost per RFC 2867 to dictionary.
- AuthLog is now passed the reason (if there is one) even with accepts.
Suggested by Robert Kiessling.
- Improvements to PEAP, TTLS and TLS error handling.
The SSL context is now cleared on EAP failures.
- Added goodies/multiprofile.txt, which contains a contribution from Matthias Wamser,
showing how to provide different sets of reply items for
different types of Dialup, DSL services etc.
- Fixes to Server TACACSPLUS so that special characters that depend on the
OriginalUserName like %u will work.
- Added Propel VSAs to dictionary, contributed by Craig Gittens.
- In SessionDatabase SQL, username is now always quoted when it is available as %0.
- Added support for DEC VMS style hashed passwords, in the format
{dechpwd}algorithm|salt|hashedpassword
eg: {dechpwd}3|1234|85ad61e72a41dec4
Requires Authen-DecHpwd from CPAN.
- Fixed one case of use of LOG_WARN instead of LOG_WARNING in Server TACACSPLUS.
Reported by Robert Kiessling.
- Fixed problem where <Handler User-Password=xxx> would cause a crash.
- Revision 3.7.1 (2003-09-26 Important bug fix, support for EAP Generic Token Card)
- AuthBy RADIUS now correctly handles replies of type Disconnect-Request-ACKed.
Contributed by Robert Thomson.
- Added support for EAP Generic Token Card (EAP type 6). Modifications so that
AuthBy OPIE can be used to authenticate EAP-One-Time-Password,
EAP-Token Card and EAP-PEAP Token Card
from the OPIE one-time-password system. Tested with Funk Odyssey client.
Improvements to radpwtst, added the -eapotp and -eapgtc arguments to support
testing of EAP One-Time-Password and EAP Generic Token Card.
- Added support for EAP Generic Token Card and EAP-PEAP Token Card
with AuthBy ACE and the SecurID ACE server token code system. Sample config
file in goodies/eap_gtc_ace.cfg. AuthBy ACE will also
work with EAP PEAP Generic Token Card similar to eap_peap_gtc_opie.cfg.
- Fixed a typo in attribute parsing that could cause an
error like
ERR: Bad attribute=value pair:. This typo was introduced
in version 3.7.
- In dictionary, Unisphere-Service-Bundle was incorrectly set as an integer
instead of a string. Reported by Jan Munkhammar.
- Improvements to Server TACACSPLUS by Robert Kiessling:
Translate TACACS+ attributes for NAS-Port-Id and
Calling-Station-Id for Accounting requests too, not only for
Authentication and Authorization requests as before.
- Typo in dictionary: alreadyDisconneted should have been alreadyDisconnected.
- Improvements to Server TACACSPLUS suggested by Robert Kiessling:
can now use Client-Identifier as a check item to identify requests
originated by ServerTACACSPLUS.
- Revision 3.7 (2003-09-23 Some significant new features and some minor bug fixes.)
- Added Cisco LEAP-compatible 802.1x wireless EAP support, and example eap_leap.cfg.
- Added new AuthBy LSA module which can authenticate PAP, CHAP, MSCHAP, MSCHAPV2,
PEAP, LEAP etc against Windows user passwords. Can be run on
Windows 2000, 2003 and XP (not Home edition).
Requires the Win32-Lsa perl module from Open System Consultants.
- Added new clause <ServerTACACSPLUS> that acts as a Tacacs+ server and converts
Tacacs+ requests into Radius requests. Handles Tacacs+ authentication, authorization
and accounting. Sample configuration file in goodies/tacacsplusserver.cfg.
- New {mysql} password format support did not work correctly on perl 5.005 and earlier,
causing failures in the test suite at tests 2w, 2x, 2z, 3a, 3d, 3g, 3h, 4a, 5a, 5f, 6a,
6b, 6c, 6e, 6f, 6g, 6h, 7a, 7b, 7c, 8a, 8b.
- Performance improvements in regular expression check item matching in AuthGeneric.pm
- Performance improvements in regular expression Realm selection.
- Added VSAs for Alcatel BRAS DSL termination gear to dictionary
- radpwtst now honours the -class flag for Access-Requests as well as Accounting-Requests.
- Fixed EAP-TTLS so that %u works for the inner authentication.
- Fixed a problem with UseExtendedIds that could cause a crash with
"Can't locate object method "change_attr" via package "Radius::AuthRADIUS"".
- Testing on Symbol Mobility Server (www.symbol.com). This is a very small
ARM Linux server with BusyBox Linux, not much bigger than your hand.
Takes a CF card as a plug-in file system,
and runs Radiator fine, including 802.1x TLS, TTLS and PEAP.
Requires cross-compilation of some Perl modules.
We can provide instructions if required.
- Removed logging of password at INFO level during bind in AuthBy LDAP2.
Suggested by "Steven P. Crain".
- Changed the example EAPTLS_MaxFragmentSize in all EAP configuration examples
to 1000 to accommodate Enterasys RoamAbout V2 access points, as suggested by
Mark Haidl.
- New -servicename argument to radiusd allows the name of the Windows service to be
specified for -installservice and -uninstallservice, allowing multiple instances of Radiator to
be run as Windows services at the same time.
- Fixed typos in isOnline support for Portmaster3, Portmaster4 and Xyplex.
- radpwtst now sets the authenticator in Disconnect-Request same as for
accounting. Some NASs (notably Cisco) require this.
- Fixed a problem with radpwtst in -gui mode, where the toolbar expands bigger than it should be.
Patch contributed by Cameron Moore. Thanks Cameron.
- Added AllowInRequest parameter to AuthBy RADIUS, which restricts which attributes
can be proxied. Suggested by Toomas Kärner.
- Unrecognised EAP types now result in a REJECT instead of IGNORE.
- Improvements to PEAP for Cisco PEAP compatibility.
- AuthBy INTERNAL now takes a RejectReason parameter. This string will be used
as the Reply-Message if the AuthBy INTERNAL rejects a request.
- Improvements to logging messages and documentation for SessionDatabase SQL,
suggested by Claude Iyi Dogan.
- Fixed some typos in the example goodies/url.cfg and goodies/test_url_md5.cgi files.
- AuthBy RADIUS could crash if BindAddress was set to multiple comma-separated addresses.
Reported by Anthony Stanton.
- Added support for Session-Timeout="until ValidTo", which sets the session timeout to be
the amount of time left to the end of the ValidTo check item account validity period.
- In ClientListSQL, PreHandlerHook parameters for each client were not properly
compiled, and would not run. Fixed.
- Added WISPr RADIUS attributes to dictionary, based on
Wi-Fi Alliance - Wireless ISP Roaming - Best Current Practices v1,
Feb 2003, p 14
http://www.weca.net/OpenSection/downloads/WISPr_V1.0.pdf
- Dictionary VALUEs that looked like integers would be misinterpreted,
especially Tunnel-Medium-Type=802
- With PEAP-MSCHAP-V2, per-user reply items did not get sent back in the final
Access-Accept.
- AuthBy SQLRADIUS now honours AddToReply and StripFromReply attributes from the Host
as well as the AuthBy SQLRADIUS.
- Changes so that a proxied Access-Reject does not get multiple Reply-Message.
Patch by Toomas Kärner. Thanks Toomas.
- Testing with Aegis MDC Linux 1.2.0beta client on RedHat 8.
Tested all EAP types, including certificate types with Radiator test certificates.
See the Radiator FAQ for further remarks. Added certificates suitable for Linux
clients (root.pen, cert-clt.pem) to the distribution.
- Added more KarlNet VSAs to dictionary, contributed by Clinton - Golden IT.
- SNMPAgent now correctly honours BindAddress when used with SNMP_Session version
0.92 or later.
- Added EAPTLSRewriteCertificateCommonName parameter for TLS, which rewrites the
Common Name from the certificate before using it to fetch user details from the
Radiator database. Suggested by Paul Dekkers.
- When installing as a service on Windows, you can now specify extra arguments
to pass to perl on the command line when the service starts.
This is useful for specifying an alternative
install directory for the Radiator perl modules, eg:
perl c:\Radiator\radiusd -installservice -serviceperlargs -Ic:\Radiator
- Minor changes to AuthBy OPIE, ACE and CRYPTOCARD to better support tunnelled requests.
- Added example configuration file showing how to authenticate from an IC-ISP mySQL database.
IC-ISP is a full source ISP billing package for Unix.
See www.ic-isp.com for details about IC-ISP. Accounting is not supported.
Works with IC-ISP 2.0.24 and later.
- AuthBy SQLRADIUS now honours UseExtendedIds as a configurable per-host
parameter, and Auth RADIUS now makes each Host inherit its UseExtendedIds
from the Auth RADIUS clause.
- Fixed a problem with AuthBy RADIUS where 2 Proxy-State = OSC-Extended-Id could be added
when multiple Hosts were involved.
- Fixed a problem with PEAP MSCHAPV2: if a Domain was specified, the authentication would
fail.
- Radius packets were incorrectly limited to 8192 bytes on reception. Increased to 65535.
- The Group parameter did not permit symbolic group names.
- In SessionDatabase SQL, the session ID (%3) was not always quoted correctly in DeleteQuery.
- Improvements to storage of VALUE in dictionary allows decoding based on the attribute name rather
than the number, which allows correct unpacking of attributes with synonyms,
such as Ascend-Disconnect-Cause. This involved changes to RDict::valNumToName.
- Fixed a potential problem when unpacking non-conforming abinary attributes.
- Added goodies/logisense.txt, containing
example configuration, SQL tables and requirements for interoperation between
Radiator and ENGAGE*IP. Contributed by STOWE TELECOM, LLC.
- Added Slipstream-Auth to dictionary.
- Under certain circumstances on some platforms with AuthLog SYSLOG and Log SYSLOG,
syslog can die. Fixed.
- Added StartHost parameter to AuthBy SQLRADIUS, contributed by Alexander Mayrhofer.
- Improvements to error handling in AuthBy LDAP2.
- Testing on Windows Server 2003. No changes in code or documentation required.
- Testing on HP PA-RISC Linux (Debian). No changes in code or documentation required.
- Added -outport and -bind_address options to radpwtst.
- Fixed a problem where AuthBy URL did not handle AuthUrl starting with https://
- Fixed a problem involving EAP, where multiple AuthBy clauses could result in
incorrect PEAP-MSCHAPV2 challenge message, or using the wrong challenge
during authentication.
- AuthBy SQL now logs to AcctFailedLogFileName if AcctSQLStatement
fails as well as if the usual accounting insert fails.
- AuthBy URL now supports AcctUrl, a URL that will be used for accounting data.
- Added AuthBy SOAP module for converting Radius requests to SOAP and
SOAPRequest.pm for converting SOAP requests back to Radius requests. This SOAP
interface is useful for tunnelling through firewalls, improving the reliability
of Radius by using TCP as the transport, and for improving security by using HTTPS as the
protocol.
- Added VSAs for Quarry devices.
- Fixed a problem with parsing of attr=val pairs on some platforms with some locales
on perl 5.8.0, due to changes in perl regexp handling.
- Added new special characters. %A is replaced by the Timestamp in standard SQL
date time format eg: Sep 12, 2003 15:48.
%B is replaced by the current time in standard SQL date time format eg: Sep 12, 2003 15:48.
%F is replaced by the Timestamp in extended SQL
date time format eg: Sep 12, 2003 15:48:59.
%G is replaced by the current time in extended SQL
date time format eg: Sep 12, 2003 15:48:59.
- In AuthBy SQL, columns inserted by AcctColumnDef are now inserted in
alphabetical order by column name. Patch provided by Robert Blayzor. Thanks Robert.
- On some platforms such as FreeBSD, a Monitor connection would not disconnect
properly after a QUIT command.
- Added a number of new attributes to dictionary for CVX and Valemount.
Thanks to Craig Gittens and Greg Schiedler.
- Dates for Expiration, ValidTo, ValidFrom etc can now have optional hh:mm:ss
time component. Also support dd.mm.yy(yy) (hh:mm:ss) format.
- Revision 3.6 (2003-04-14 Significant improvements to wireless support)