Radiator Changelog

New in Radiator 4.16 (Oct 28, 2015)

  • Selected bug fixes, compatibility notes and enhancements:
  • Compatibility update for EAP-based TLS methods for clients that support TLS 1.2. Examples are the future Apple iOS and OS X releases and Android 6 Marshmallow.
  • Two important security fixes. OSC recommends that all users review OSC security advisory OSC-SEC-2015-02.
  • TLS session resumption may not currently work with all Windows clients. A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or wait for the client to retry the authentication.
  • Radiator now supports the new module AddressAllocator DHCPv6 for IPv6 address allocation and prefix delegation.
  • Detailed changes:
  • Created separate directory for PPM files compiled for ActivePerl. Moved files from ppm to ppm/activeperl/ and updated the meta file contents.
  • Win32-Lsa is now compiled for both ActivePerl flavours up to Perl 5.20 (5.18 and 5.20): 64bit and 32bit with 64bit integers.
  • Created separate directory for PPM files compiled for Strawberry Perl.
  • Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers.
  • Radiator now logs the Net::SSLeay and SSL/TLS library versions during radiusd startup. TLS v1.2 is not used for TLS based EAP methods if it cannot be determined that the MPPE keys can be correctly calculated. These changes enhance compatibility with future Apple iOS, OS X and Android 6 Marshmallow releases. If not all TLS versions are available, the details of what can be used are logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 or later are required to fully utilise all TLS versions with TLS based EAP methods. Thanks to radiator mailing list members for comments and suggestions.
  • AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration parameter. This parameter requires Sys::Syslog version 0.28 or later. Suggested by Michael and Kilian Krause.
  • LDAP modules now support BindFailedHook, which is called when an LDAP bind operation fails. The default is to log the failure. The bind password is no longer logged. To log the password, configure the hook to log it, or configure the LDAP clause with the Debug configuration parameter and see the console output. With the kind help of Scott Bertilson.
  • AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is enabled. Binary attribute values are now logged in text format similarly to RADIUS attributes. To debug the password, use the Debug configuration parameter and see the console output or configure PasswordLogFileName for the Handler.
  • The Resolver for AuthBy DNSROAM now uses eval to catch exceptions from Net::DNS. The Net::DNS API was changed around version 0.72 to raise exceptions when errors occur. Uncaught exceptions could cause Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and Paul Dekkers.
  • Updated error levels for Resolver log messages. Most of the log messages are now using WARNING instead of ERR. These messages are logged for example for DNS failures or badly formatted DNS domains.
  • ServerHTTP authentication now creates a request that can be correctly proxied to a remote server. Previously the proxied authentication would always fail.
  • AuthBy RADIUS and its derived modules incorrectly still required the 'ipv6:' prefix for the LocalAddress parameter. Reported by Claudio Ramirez. The correct address is now logged if binding to LocalAddress fails.
  • Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.
  • SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with the Timeout configuration parameter value. This attribute is valid only for ODBC and is set only when Radiator runs on a Windows host. The default value for odbc_query_timeout is 0 which can cause very long timeouts on Windows with SQL queries.
  • While RADIUS dictionaries are loaded, attributes with unknown types are logged with trace level WARNING. The treatment of unknown types has not changed: the unknown types are treated as binary.
  • Incorrectly formatted textual IPv6 addresses in configuration files, or retrieved for example from an SQL backend, could previously cause address resolution loops.
  • Added support for additional IPv6 functions in Util.pm and UtilSocket6.pm for AddressAllocator DHCPv6 and other modules that require packing IPv6 socket structures with scope ID number and flow information.
  • AuthBy DYNADDRESS now supports multivalued allocation results. For example, multiple DNS server addresses from DHCPv6 based allocations. The multiple values are mapped to the configured RADIUS attribute, one value per one attribute instance.
  • AuthBy DYNADDRESS now supports MapResultHook. This hook allows modifying the allocation results after they have been received, and before Radiator has processed the MapAttribute definitions.
  • Added support for AddressAllocator DHCPv6. AddressAllocator DHCPv6 works in conjunction with AuthBy DYNADDRESS and a DHCPv6 server to dynamically allocate IPv6 addresses and prefixes, and provide other configuration information. Both stateless and stateful DHCPv6 configuration is supported.
  • See the configuration sample files addressallocatordhcpv6.cfg and addressallocatordhcpv6-dhcpd.conf for Radiator and ISC DHCP server in goodies for more examples including use of Delegated-IPv6-Prefix and Framed-IPv6-Prefix for prefix delegation.
  • Added better logging for invalid EAPType names. Unknown types are logged during the configuration check. Clarified the error message if the default EAPType is unknown. Thanks to Patrick Honing for informing about the unclear log messages.
  • Failures with send() when sending RADIUS messages over UDP are now correctly logged.
  • TLS based EAP methods EAP-FAST, EAP-TLS, EAP-TTLS and PEAP now log the TLS version and cipher chosen for the EAP session. TLS values related to the EAP session are also available as special formatting variables. You can use, for example, %{EAPTLS:Protocol} and %{EAPTLS:Cipher} with AuthLog. Suggested by Alexander Hartmaier.
  • Updated the Stream base class to work correctly with non-blocking sockets on some Windows Perl distributions. Windows returns POSIX::EWOULDBLOCK (140) or WSAEWOULDBLOCK instead of EINPROGRESS. 140 was first seen with Strawberry Perl 5.20 and 5.22.
  • Diameter AttrList get_attrs_d now returns empty list instead of single entry with undef value when the requested attribute was not present.
  • Changed the type of Cisco-VPN-WebVPN-HTML-Filter in dictionary.cisco-vpn from unsupported bitmap to integer. Reported by Alex Hartmaier.
  • diapwtst updates: added missing attributes and removed a couple of RADIUS related options.
  • Fixed a bug which could result in an infinite loop when formatting special variables and could be used to create a DoS attack crashing the radiusd process. Reported by Øyvind Aabling.
  • AuthBy RADIUS and AuthBy RADSEC now use 32 bit id space when UseExtendedIds is set. While the previous 16 bit id space should be enough, the new value matches the value documented in the reference manual.
  • Unified Session ID based resumption handling for EAP-TLS, EAP-TTLS and PEAP.
  • radpwtst now supports subsecond resolution with the -time command line option when Time::HiRes Perl module is available. Time::HiRes is part of all recent Perl distributions.
  • Updated the recent formatting patch and enhanced its compatibility with older Perl versions.
  • Added support for tracing TLS handshake and session state for the TLS based EAP methods. Tracing can be enabled with one of: new AuthBy level configuration flag parameter EAPTLS_TraceState, setting the Trace configuration parameter to 5 (EXTRA_DEBUG) or with the PacketTrace configuration parameter.
  • LogFILE now checks for recursion allowing runHook to call logging if needed. This avoids infinite recursion if LogFormatHook raises an exception. Added a JSON example in LogFormatHook for Log FILE in goodies/logformat.cfg and Radius/LogFormat.pm.
  • Added LogFormatHook for Log SYSLOG and AuthLog SYSLOG. Updated logformat.cfg with JSON format hook example. Suggested by Craig Simons.
  • Added example of EAPTLS_TraceState in goodies EAP-TLS, EAP-TTLS and PEAP sample files.

New in Radiator 4.15 (Jul 16, 2015)

  • Selected bug fixes, compatibility notes, new features and enhancements:
  • Fixes an EAP-MSCHAP-V2 and EAP-pwd vulnerability. OSC recommends all users to review OSC security advisory OSC-SEC-2015-01 to see if they are affected.
  • perl-ldap-0.32 or better is required. It should be available on all current systems.
  • EAP-pwd requires Crypt::OpenSSL::Bignum 0.06 or later from CPAN
  • Configurable TLS version and ciphersuite selection for TLS based EAP and stream modules
  • CRL checks for the entire certificate chain can now be enabled
  • Included Gossip framework with Redis based implementation
  • Support for Gossip when communicating next hop proxy failures between Radiator instances
  • Shared duplicate cache for a more simple server farm configuration
  • Windows Event log support
  • Custom format support for logs, authentication logs and accounting logs. CEF and JSON included
  • Support for IEEE 802.1AE, also known as MACsec
  • All AuthBys now support PostAuthHooks
  • Various binary modules are now available from OSC and were removed from the Radiator distribution
  • Detailed changes:
  • Added VENDOR STI (Server Technology Inc.) 1718 and multiple STI VSAs to dictionary. Contributed by Garry Shtern.
  • Added VENDOR PacketDesign 8083 and VSAs PacketDesign-UserClass and PacketDesign-FTP to dictionary. Contributed by Garry Shtern.
  • Added SN-Software-Version to dictionary. Reported by Bruno Tiago Rodrigues.
  • Changed type of VENDORATTR 3076 Cisco-VPN-DHCP-Network-Scope in dictionary.cisco-vpn from text to ipaddr. Reported by Kilian Krause.
  • Dictionary updates: Added H3C proprietary values H3C-SSH and H3C-Console for Login-Service. Changed Lancom LCS-Mac-Address type from string to hexadecimal. Added H3C-Priority. All reported by Philip Herbert.
  • Zero length writes are now skipped in Stream.pm write_pending() used by RadSec, Diameter, SIGTRAN and other stream protocols. SCTP does not support 0 length syswrites on all platforms and may close the socket if zero length write is done.
  • Added VENDOR Airespace 14179 VSAs 7-11 and 13-16 to dictionary.
  • AuthBy GROUP now updates current AuthBy for %{AuthBy:parmname}. When AuthBy GROUP is used, this special formatting now gets the parameter value from the current AuthBy within the group instead of the AuthBy GROUP itself.
  • Updated VENDOR 1991 Foundry VSAs in dictionary. foundry-privilege-level is now a synonym for brocade-privilege-level. Added a number of foundry VSAs.
  • LDAP Version now defaults to 3 instead of 2. Updated a number of LDAP configuration example files in goodies to reflect this change.
  • Ldap.pm now uses the LDAP object's disconnect method, instead of closing the socket directly.
  • AuthBy LDAP2 and AuthBy LDAPDIGIPASS now use escape_filter_value provided by Net::LDAP::Util instead of escapeLdapLiteral in Ldap.pm. Ldap.pm escapeLdapLiteral is now deprecated and perl-ldap-0.32 or better is required.
  • RefreshPeriod in ClientListSQL and ClientListLDAP now support special % formatting. Suggested by Bengi Sağlam.
  • Updated VENDOR 2011 Huawei VSAs in dictionary. Huawei-Input-Basic-Rate is now an alias for Huawei-Input-Peak-Rate. Huawei-Output-Basic-Rate was changed similarly. Some of the attribute numbers appear to have different names and types between different devices. Huawei-User-Type, Huawei-MIP-Agent-MN-Flag and Huawei-Requested-APN are now aliases but aliasing may be handled with separate dictionary files in the future. Huawei-HW-Portal-Mode was renamed to Huawei-Portal-Mode.
  • WiMAX dictionary updates: changed WiMAX-Session-Termination-Capability type to integer and added one value: Dynamic-Authorization. Changed WiMAX-PPAQ TLV Quota-Identifier type to binary. WiMAX subattributes within single Vendor-Specific attribute are now correctly decoded.
  • Dictionary updates for Huawei: Reverted the recent aliasing changes. The conflicting attributes are now in a new Huawei specific dictionary file goodies/dictionary.huawei1. This new dictionary file contains attributes used by, for example, Huawei packet gateway / Wi-Fi controller. Since Huawei seems to use device specific dictionaries, additional dictionary files are added as needed.
  • Added new AuthLog EVENTLOG and Log EVENTLOG modules for logging to Windows Event Log. Added eventlog.cfg in goodies for configuration example and more information about how to set up registry and DLL Event Log helpers. Precompiled DLLs are available in goodies\windows-dll with source files and compilation examples.
  • radiusd now handles SIGINT (typically from Ctrl-C) similar to SIGTERM.
  • Added support for shared and global DupCache. Radiator now supports 3 different options for the new DupCache configuration parameter: local (the default), shared (uses shared memory) and global (uses Radiator's Gossip framework). When DupCache is set to shared, DupCacheFile sets the location of the mmapped shared memory file. Shared DupCache is recommended when the FarmSize configuration parameter is set. With shared or global DupCache, the backend workers no longer need to have UseContentsForDuplicateDetection enabled. DupCache shared requires the Cache::FastMmap module. Sample configuration eapbalance.cfg in goodies was updated to demonstrate the new configuration parameters DupCache and DupCacheFile.
  • Added a number of VENDOR 22610 A10-Networks VSAs in dictionary. Contributed by Scott Bertilson.
  • Changed the types of WiMAX-PPAQ TLVs Volume-Quota, Volume-Threshold, Resource-Quota and Resource-Threshold to hexadecimal. This makes the 8 or 12 long values easier to handle in PPAQ applications.
  • Updated shared and global DupCache debugging and initialisation. If the required Cache::FastMmap is not available when DupCache is set to 'shared', Radiator will log a message and refuses to start. The availability of Cache::FastMmap is checked during the configuration phase.
  • Added support for the Gossip protocol framework and a Redis based Gossip implementation. Radiator's Gossip implementation allows Radiator instances to share information and event notifications. The instances may be part of a server farm, completely separate processes running on the same or different hosts, or any combination thereof. Redis based Gossip is configured with the GossipRedis clause. At first, Gossip support is provided for the RADIUS duplicate cache: when the global configuration parameter DupCache is set to 'global', GossipRedis will be used for the RADIUS duplicate cache. More Radiator modules will be added and upgraded to use the Gossip framework in the future. Requires the Data::MessagePack and Redis Perl modules from CPAN.
  • Updated AuthLog SQL examples in goodies to use SQL bind variables.
  • Added Radiator Gossip framework support to AuthBy RADIUS. Multiple Radiator instances can now communicate next hop host unreachability and reachability information with Gossip messages. This allows, for example, just one member to run Status-Server queries when FarmSize configuration parameter is enabled. Added new configuration parameter NoKeepaliveTimeoutForChildInstances to limit Status-Server probing to the first farm instance only. The new features are also available to AuthBy RADIUS sub-types, such as, ROUNDROBIN and HASHBALANCE. See goodies/farmsize.cfg for a configuration example with shared duplicate cache and Gossip and Redis configuration.
  • Updated EAP-pwd to use unpatched version of Crypt::OpenSSL::Bignum. Radiator 4.14 and earlier required Crypt::OpenSSL::Bignum 0.04 + patches. These patches are no longer needed, and version 0.06 or later from CPAN is now required instead. Caution: Crypt::OpenSSL::Bignum 0.04 + patches in Radiator goodies no longer work with the current version of EAP_52.pm (EAP-pwd). You must update to Crypt::OpenSSL::Bignum 0.06 or later.
  • Updated dictionary with new attributes for vendors 14823 Aruba, 25053 Ruckus and 25506 H3C.
  • Fixed a problem that could cause a crash if AuthBy RADIUS was configured with the Synchronous parameter, FailureBackoffTime was set and the next hop proxy became unreachable. Reported by Diogo Gonçalves.
  • EAP-pwd now correctly adds the user's and AuthBy's reply attributes in the Access-Accept.
  • The first components in @INC, the Perl library search locations, are now checked for readability. Unreadable directories may cause hard to diagnose failures when Perl modules are loaded. This may happen, for example, when radiusd process is started as a user with restricted privileges. Reported by Kilian Krause.
  • Added support for AuthBy specific PostAuthHook configuration parameters. All AuthBys can now define a PostAuthHook that will be called when the AuthBy is done processing the request and has returned. The hook parameters are the same as for Handler's PostAuthHook. After the optional PostAuthHook has run, result, reason and Identifier from the AuthBy are saved in $p for subsequent AuthBys and other use. Updated duo.cfg in goodies to use PostAuthHook for password splitting.
  • Added support for IEEE 802.1AE, also known as MACsec. Radiator will now return EAP-Key-Name attribute if requested by the RADIUS client. EAP-Key-Name is supported for the following EAP methods: EAP-FAST, EAP-pwd, EAP-TLS, EAP-TTLS and PEAP.
  • RADIUS attributes using the encrypt=2 flag, or decode/encode_salted directly, now have their initialisation vector set to all zeroes when there would otherwise be a circular dependency between the RADIUS fixed header Authenticator, the initialisation vector and the encrypted attribute value. This allows, for example, proxying RFC 5176 dynamic authentication requests so that the encrypted values can be correctly recovered, provided that the target also uses a zero IV similarly. Known to work with vendor 6527.
  • EAP-TLS now rejects possible EAP-TLS conversation restart attempts instead of replying, again, with an alert. Some EAP-TLS peers, such as Windows, may try to restart the EAP-TLS conversation after certain alerts such as 'Unknown CA'. Reported by Pieter Jan Van Meerbeeck.
  • Updated a number of configuration samples in goodies: 'DupInterval 0' is usually not needed and can be harmful. The default value of 10 seconds is preferred and non-default values are only necessary in very unusual circumstances. Handler clauses are in most cases more flexible than Realm clauses. Other typo fixes and small corrections.
  • EAP-FAST now checks Net::SSLeay::get_keyblock_size() calls for error return values. Also, Net::SSLeay 1.68 and earlier with OpenSSL 1.0.1 and later may return incorrect values, not errors, for get_keyblock_size(), which causes authentication to fail. The fix in Net::SSLeay 1.69 allows it to return correct values with recent OpenSSL versions, and any error return values are now correctly checked by EAP-FAST.
  • Added new configuration parameter TLS_Protocols to set the supported SSL and TLS protocols for Stream based modules, such as Diameter and RadSec. New configurations should use TLS_Protocols instead of UseSSL or UseTLS. TLS_Protocols overrides UseSSL and UseTLS when defined. TLS_Protocols is not defined by default. Added new configuration parameter EAPTLS_Protocols to set the supported TLS protocols for TLS based EAP methods, such as EAP-TLS, EAP-TTLS and PEAP. EAPTLS_Protocols is not defined by default. Both TLS_Protocols and EAPTLS_Protocols accept a list of comma separated values. The supported values are: SSLv3, TLSv1, TLSv1.1 and TLSv1.2. Added new configuration parameters TLS_Ciphers and EAPTLS_Ciphers to define the allowed cipher suites for Stream protocols and TLS based EAP methods. The parameter format is the OpenSSL cipher string format. Both parameters default to DEFAULT:!EXPORT:!LOW. TLS_Ciphers and EAPTLS_Ciphers can be defined separately from TLS_Protocols and EAPTLS_Protocols.
  • Updated vendor ZTE 3902 VSAs in dictionary.
  • Added support for TLS_Protocols and TLS_Ciphers parameters to Monitor and Server HTTP
  • TLS_Ciphers and EAPTLS_Ciphers now support formatting characters. Net::SSLeay and SSL library version, if available, are now logged after SSL library initialisation.
  • Added goodies/logformat.cfg, showing how to use LogFormatHook for authentication log and AcctLogFileFormatHook for accounting messages. Added LogFormat.pm with sample hooks for formatting accounting messages in JSON format and authentication log entries in JSON and CEF (ArcSight Common Event Format) formats.
  • Removed non-functional support for the obsolete RSA ephemeral keying. See TLS_DHFile, EAPTLS_DHFile, TLS_ECDH_Curve and EAPTLS_ECDH_Curve for the currently supported forward secrecy methods.
  • Updated Radiator's Gossip module Perl requirements based on suggestions by Alan Buxey. Tested with Net::SSLeay 1.69 and LibreSSL 2.2.0: OK.
  • Added support for CRL checks for the entire certificate chain. The new configuration parameters EAPTLS_CRLCheckAll for TLS based EAP methods and TLS_CRLCheckAll for stream based protocols, such as RadSec and Diameter, enable X509_V_FLAG_CRL_CHECK_ALL to turn on CRL checks for the entire certificate chain. Note: you also need to have EAPTLS_CRLCheck or TLS_CRLCheck enabled for any CRL checks to happen. If the CRL files for the intermediate CAs are not found, the certificate check fails with: 'SSL3_GET_CLIENT_CERTIFICATE:no certificate returned'.
  • Updated configuration samples in goodies to include the recently added TLS and related parameters. Updated other goodies files with various other fixes.
  • Documented SSLCiphers in the reference manual and updated LDAP SSLCiphers default value from 'ALL' to 'DEFAULT:!EXPORT:!LOW'.
  • Updated ldap.cfg to mention possible interoperability problems between HoldServerConnection and ServerChecksPassword when both are set. Suggested by Niels Monen. Documented SSLCiphers in ldap.cfg.
  • Removed Authen::Digipass and Authen::ACE4 binary modules from the Radiator distribution. Direct contact with OSC is now preferred to find out how to compile these modules for your chosen OS, Perl version, Perl distribution and 32 or 64 bit platform. Added 32 and 64 bit Win32-Lsa ppms for Strawberry Perl 5.22.
  • DBM file handling is not working on Strawberry Perl 5.20 or 5.22. The AuthBy DBMFILE checks are disabled in test.pl on Windows while this is investigated.
  • Updates to EAP-MSCHAP-V2 and EAP-pwd identity handling. See OSC security advisory OSC-SEC-2015-01.
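
Putting the TLS_Protocols, TLS_Ciphers, TLS_ECDH_Curve and CRL-chain parameters from the 4.15 entries above together, as an added configuration example that is not one of the Radiator goodies files: the commented legacy UseTLS form beside the explicit form, for a RadSec server and an EAP-TLS AuthBy. The certificate and CRL paths, the way the CRLs are supplied (one concatenated PEM file) and the cipher string beyond the DEFAULT:!EXPORT:!LOW default are assumptions.

```apacheconf
# Added example, not from the Radiator distribution. %D expands to DbDir;
# all certificate and CRL paths below are placeholders.
Foreground
LogStdout
LogDir /var/log/radius
DbDir  /etc/radiator

# Before: the legacy flag only selects TLS and leaves the protocol versions
# and cipher suites to the library defaults.
#<ServerRADSEC>
#    UseTLS
#    TLS_CertificateFile %D/certs/server.pem
#    ...
#</ServerRADSEC>

# After: explicit protocol versions, cipher suites, ECDHE curve and
# full-chain CRL checking. TLS_Protocols overrides UseSSL/UseTLS when set.
<ServerRADSEC>
    Port 2083
    TLS_CertificateType PEM
    TLS_CertificateFile %D/certs/server.pem
    TLS_PrivateKeyFile  %D/certs/server.key
    TLS_CAFile          %D/certs/ca-chain.pem
    TLS_RequireClientCert
    TLS_Protocols TLSv1.2
    TLS_Ciphers   DEFAULT:!EXPORT:!LOW:!aNULL:!RC4:!3DES
    TLS_ECDH_Curve prime256v1
    # TLS_CRLCheckAll extends the check to the intermediate CAs and only
    # has effect while TLS_CRLCheck is enabled; the intermediates' CRLs
    # must then be available too, or the peer certificate check fails.
    TLS_CRLCheck
    TLS_CRLCheckAll
    # Assumed: root and intermediate CRLs concatenated into one PEM file.
    TLS_CRLFile %D/crl/chain-crls.pem
</ServerRADSEC>

<Client DEFAULT>
    Secret replace-with-a-strong-shared-secret
</Client>

<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TLS
        EAPTLS_CAFile          %D/certs/ca-chain.pem
        EAPTLS_CertificateType PEM
        EAPTLS_CertificateFile %D/certs/server.pem
        EAPTLS_PrivateKeyFile  %D/certs/server.key
        # TLS 1.2 is only used when the MPPE keys can be derived, which
        # needs Net::SSLeay 1.53+ and OpenSSL 1.0.1+ (see the 4.16 notes).
        EAPTLS_Protocols TLSv1, TLSv1.1, TLSv1.2
        EAPTLS_Ciphers   DEFAULT:!EXPORT:!LOW:!aNULL:!RC4:!3DES
        EAPTLS_ECDH_Curve prime256v1
        # Client certificates are checked against the CRLs of every CA
        # in the chain, not only the issuing one.
        EAPTLS_CRLCheck
        EAPTLS_CRLCheckAll
        EAPTLS_CRLFile %D/crl/chain-crls.pem
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

After the change, the startup log shows the Net::SSLeay and SSL library versions and, for each EAP session, the negotiated TLS version and cipher (also available as %{EAPTLS:Protocol} and %{EAPTLS:Cipher}), which is how to confirm the restriction took effect.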

New in Radiator 4.14 (Dec 5, 2014)

  • Selected bug fixes, compatibility notes and enhancements:
  • Fixes a vulnerability and very significant bug in EAP authentication. OSC recommends all users to review OSC security advisory OSC-SEC-2014-01 to see if they are affected.
  • Client findAddress() was changed to look up CIDR clients before the DEFAULT client. Affects ServerTACACSPLUS and in some cases SessionDatabase modules.
  • Added support for non-blocking sockets on Windows
  • SessionDatabase SQL queries now support bind variables
  • Detailed changes:
  • Added VENDOR Allot 2603 and VSA Allot-User-Role to dictionary.
  • Added Diameter AVP flag hints in the Diameter Credit-Control Application dictionary.
  • Prevented a crash during startup when configured to support a Diameter application for which no dictionary module was present. Reported by Arthur. Improved logging of the loading of Diameter application dictionary modules.
  • Improvements to AuthBy SIP2 to add support for SIP2Hook. SIP2Hook can be used for patron authorisation and/or authentication. Added an example hook goodies/sip2hook.pl. Added a new optional parameter UsePatronInformationRequest for configurations in which Patron Status Request is not sufficient.
  • Fixed a problem with SNMPAgent which could cause a crash if the configuration had no Clients.
  • Stream and StreamServer sockets are now set to nonblocking mode on Windows too. This allows for example, RadSec to use nonblocking sockets on Windows.
  • radpwtst now honours -message_authenticator option for all request types specified with the -code parameter.
  • Client.pm findAddress() was changed to look up CIDR clients before DEFAULT client. This is the same order Client lookup for incoming RADIUS requests uses. This affects mostly ServerTACACSPLUS. SessionDatabase DBM, INTERNAL and SQL also use findAddress() and are affected when Clients have NasType configured for Simultaneous-Use online checking. Client lookup was simplified in ServerTACACSPLUS.
  • Added VENDOR Cambium 17713 and four Cambium-Canopy VSAs to dictionary. "RADIUS Attributes for IEEE 802 Networks" is now RFC 7268. Updated some of its attribute types.
  • AuthBy MULTICAST now checks whether the next hop host is working before creating the request to forward, instead of after. This saves cycles when the next hop is not working.
  • Added VENDOR Apcon 10830 and VSA Apcon-User-Level to dictionary. Contributed by Jason Griffith.
  • Added support for custom password hashes and other user defined password check methods. When the new configuration parameter CheckPasswordHook is defined for an AuthBy and the password retrieved from the user database starts with leading '{OSC-pw-hook}', the request, the submitted password and the retrieved password are passed to the CheckPasswordHook. The hook must return true if the submitted password is deemed correct. TranslatePasswordHook runs before CheckPasswordHook and can be used to add '{OSC-pw-hook}' to the retrieved passwords.
  • AuthLog SYSLOG and Log SYSLOG now check LogOpt during the configuration check phase. Any problems are now logged with the logger's Identifier.
  • The defaults for SessionDatabase SQL AddQuery and CountQuery now use %0 where username is needed. Updated the documentation to clarify the value of %0 for AddQuery, CountQuery, ReplaceQuery, UpdateQuery and DeleteQuery: %0 is the quoted original username. However, if SessionDatabaseUseRewrittenName is set for the Handler and the check is done by Handler (MaxSessions) or AuthBy (DefaultSimultaneousUse), then %0 is the rewritten username. For per-user session database queries %0 is always the original username. Updated the documentation for CountQuery to include %0 and %1. For CountQuery %1 is the value of the simultaneous use limit.
  • Enhanced resolution of vendor names to Vendor-Id values for SupportedVendorIds, VendorAuthApplicationIds and VendorAcctApplicationIds. The keyword DictVendors for SupportedVendorIds now includes vendors from all dictionaries that are loaded. The vendor name in Vendor*ApplicationIds can be in any of the loaded dictionaries in addition to being listed in the DiaMsg module.
  • Added VENDOR InMon 4300 and VSA InMon-Access-Level to dictionary. Contributed by Garry Shtern.
  • Added ReplyTimeoutHook to AuthBy RADIUS, called if no reply is heard from the currently tried remote server. The hook is called if no reply is heard for a specific request after the Retries retransmissions and the request is deemed to have failed for that Host. Suggested by David Zych.
  • The default ConnectionAttemptFailedHook no longer logs the real DBAuth value but '**obscured**' instead.
  • Name clash with SqlDb disconnect method caused unnecessary Fidelio interface disconnects and reconnects in AuthBy FIDELIOHOTSPOT after SQL errors. AuthBy FIDELIOHOTSPOT now inherits directly from SqlDb.
  • Added VENDOR 4ipnet 31932 and 14 4ipnet VSAs to dictionary. These VSAs are also used by devices from 4ipnet partners, such as LevelOne. Contributed by Itzik Ben Itzhak.
  • MaxTargetHosts now applies to AuthBy RADIUS and its sub-types AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE, HASHBALANCE and EAPBALANCE. MaxTargetHosts was previously implemented only for AuthBy VOLUMEBALANCE. Suggested by David Zych.
  • Added VENDOR ZTE 3902 and multiple VSAs to dictionary with the kind assistance of Nguyen Song Huy. Updated Cisco VSAs in dictionary.
  • Added radiator.service, a sample systemd startup file for Linux.
  • AuthBy FIDELIO and its sub-types now log a warning if the server sends no records during the database resync. This usually indicates a configuration problem on the Fidelio server side, unless there really are no checked in guests. Added a note about this in fidelio.txt in goodies.
  • Added Diameter Base Protocol AVP flag rules in DiaDict. Radiator no longer sends CEA with Firmware-Revision AVP that has M flag set.
  • BogoMips again defaults correctly to 1 when BogoMips is not configured in a Host clause in AuthBy LOADBALANCE or VOLUMEBALANCE. Reported by Serge ANDREY. The default was broken in release 4.12. Updated LOADBALANCE example in proxyalgorithm.cfg in goodies.
  • Ensured that Hosts with BogoMips set to 0 in AuthBy VOLUMEBALANCE will not be candidates for proxying.
  • Added Diameter AVP flag rules in DiaDict for the following Diameter applications: RFC 4005 and 7155 NASREQ, RFC 4004 Mobile IPv4 Application, RFC 4740 SIP Application and RFC 4072 EAP Application.
  • Added the attributes from RFC 6929 to dictionary. The attributes will now be proxied by default but no specific handling is done for them yet.
  • Added VENDOR Covaro Networks 18022 and multiple Covaro VSAs to dictionary. These VSAs are used by products from ADVA Optical Networking.
  • Significant performance enhancements in ServerDIAMETER and Diameter request processing. Diameter requests are now formatted for debugging only when the Trace level is set to debug or higher.
  • AuthLog FILE and Log FILE now support LogFormatHook to customise the log message. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing. Suggestion and help by Alexander Hartmaier.
  • Updated the values for Acct-Terminate-Cause, NAS-Port-Type and Error-Cause in dictionary to match the latest IANA assignments.
  • Updated sample certificates from SHA-1 and RSA 1024 to SHA-256 and RSA 2048 algorithms. Added new directories certificates/sha1-rsa1024 and certificates/sha256-secp256r1 with certificates using the previous and ECC (Elliptic curve cryptography) algorithms. All sample certificates use the same subject and issuer information and extensions. This allows testing the different signature and public key algorithms with minimal configuration changes. Updated mkcertificate.sh in goodies to create certificates with SHA-256 and RSA 2048 algorithms.
  • Added new configuration parameters EAPTLS_ECDH_Curve for TLS based EAP methods and TLS_ECDH_Curve for Stream clients and servers such as RadSec and Diameter. This parameter allows Elliptic Curve ephemeral keying negotiation and its value is the EC 'short name' as returned by openssl ecparam -list_curves command. The new parameters require Net-SSLeay 1.56 or later and matching OpenSSL.
  • Tested Radiator with RSA2048/SHA256 and ECDSA (curve secp256r1)/SHA256 certificates on different platforms and with different clients. EAP client support was widely available on both mobile (such as Android, iOS and WP8) and other operating systems. Updated multiple EAP, RadSec, Diameter and other configuration files in goodies to include examples of the new EAPTLS_ECDH_Curve and TLS_ECDH_Curve configuration parameters.
  • Handler and AuthBy SQL, RADIUS, RADSEC and FREERADIUSSQL now support AcctLogFileFormatHook. This hook is available to customise the Accounting-Request messages logged by AcctLogFileName or AcctFailedLogFileName. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing.
  • The Group configuration parameter now supports setting the supplementary group ids in addition to the effective group id. Group can now be specified as comma separated list of groups where the first group is the desired effective group id. If there are names that can not be resolved, groups are not set. The supplementary groups may help with, for example, AuthBy NTLM accessing the winbindd socket.
  • Added multiple Alcatel, vendor 6527, VSAs to dictionary.
  • Name resolution for Radius Clients and IdenticalClients is now tested during configuration check phase. Suggested by Garry Shtern. Incorrectly specified IPv4 and IPv6 CIDR blocks are now clearly logged. The checks also cover clients loaded by ClientListLDAP and ClientListSQL.
  • Special formatting now supports %{AuthBy:parmname} which is replaced by the parmname parameter from the AuthBy clause that is handling the current packet. Suggested by Alexander Hartmaier.
  • Added VENDOR Tropic Networks 7483, now Alcatel-Lucent, and two Tropic VSAs to dictionary. These VSAs are used by some Alcatel-Lucent products, such as the 1830 Photonic Service Switch. Fixed a typo in RB-IPv6-Option attribute.
  • TLS 1.1 and TLS 1.2 are now allowed for EAP methods when supported by OpenSSL and EAP supplicants. Thanks to Nick Lowe of Lugatech.
  • AuthBy FIDELIOHOTSPOT now supports prepaid services, such as plans with different bandwidth. The purchases are posted to Opera with billing records. Configuration files fidelio-hotspot.cfg and fidelio-hotspot.sql in goodies were updated with an example of Mikrotik captive portal integration.
  • AuthBy RADIUS and AuthBy RADSEC now use a less-than-or-equal comparison when comparing time stamps against MaxFailedGraceTime. Previously a strict less-than comparison was used, causing an off-by-one-second error when marking next hop Hosts down. Debugged and reported by David Zych.
  • AuthBy SQLTOTP was updated to support HMAC-SHA-256 and HMAC-SHA-512 functions. The HMAC hash algorithm can now be parametrised for each token as well as time step and Unix time origin. An empty password will now launch Access-Challenge to prompt for the OTP. SQL and configuration examples were updated. A new utility generate-totp.pl in goodies/ can be used to create shared secrets. The secrets are created in hex and RFC 4648 Base32 text formats and as QR code images which can be imported by authenticators such as Google Authenticator and FreeOTP Authenticator.
  • Reformatted root.pem, cert-clt.pem and cert-srv.pem in the certificates/ directory. The encrypted private keys in these files are now formatted in the traditional SSLeay format instead of PKCS#8 format. Some older systems, such as RHEL 5 and CentOS 5, do not understand the PKCS#8 format and fail with an error message like 'TLS could not use_PrivateKey_file ./certificates/cert-srv.pem, 1: 27197: 1 - error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm' when trying to load the keys. The encrypted private keys in sha1-rsa1024 and sha256-secp256r1 directories remain in the PKCS#8 format. A note about the private key format was added in certificates/README.
  • Added new parameter for all AuthBys: EAP_GTC_PAP_Convert forces all EAP-GTC requests to be converted to conventional Radius PAP requests that are redespatched, perhaps to be proxied to another non-EAP-GTC capable Radius server or for local authentication. The converted requests can be detected and handled with Handler ConvertedFromGTC=1.
  • SessionDatabase SQL queries now support bind variables. The query parameters follow the usual naming convention where, for example, AddQueryParam is used for AddQuery bind variables. The updated queries are: AddQuery, DeleteQuery, ReplaceQuery, UpdateQuery, ClearNasQuery, ClearNasSessionQuery, CountQuery and CountNasSessionsQuery.
  • AddressAllocator SQL now supports a new optional parameter UpdateQuery which will run an SQL statement for each accounting message with Acct-Status-Type of Start or Alive. This query can be used to update the expiry time stamp allowing shorter LeaseReclaimInterval. Added an example of UpdateQuery in addressallocator.cfg in goodies.
  • Fixed badly formatted log message in AuthBy RADIUS. Reported by Patrik Forsberg. Fixed log messages in EAP-PAX and EAP-PSK and updated a number of configuration examples in goodies.
  • Compiled Win32-Lsa Windows PPM packages for Perl 5.18 and 5.20 for both x64 and x86 with 32bit integers. The PPMs were compiled with Strawberry Perl 5.18.4.1 and 5.20.1.1. Included these and the previously compiled Win32-Lsa PPMs in the Radiator distribution.
  • Compiled Authen-Digipass Windows PPM packages with Strawberry Perl 5.18.4.1 and 5.20.1.1 for Perl 5.18 and 5.20 for x86 with 32bit integers. Updated digipass.pl to use Getopt::Long instead of deprecated newgetopt.pl. Repacked Authen-Digipass PPM for Perl 5.16 to include the updated digipass.pl.
  • Diameter Address type attributes with IPv6 values are now decoded to human readable IPv6 address text representation. Previously, decode returned the raw attribute value. Reported by Arthur Konovalov.
  • Improved Diameter EAP handling for both AuthBy DIAMETER and ServerDIAMETER. Both modules now advertise the Diameter-EAP application by default during the initial capabilities exchange. AuthBy DIAMETER now supports the AuthApplicationIds, AcctApplicationIds and SupportedVendorIds configuration parameters.
  • Changed the type of Chargeable-User-Identity in dictionary to binary to make sure any trailing NUL characters are not stripped.
  • More updates to example configuration files. Removed 'DupInterval 0' and used Handlers instead of Realms.
  • Fixed an EAP bug which could allow bypassing EAP method restrictions. Copied the EAP expanded type test module to goodies and changed the test module to always respond with access reject.
  • Added backport notes and backports for older Radiator versions to address the EAP bug in OSC security advisory OSC-SEC-2014-01.
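The TOTP computation behind the AuthBy SQLTOTP entry above (HMAC-SHA-1, HMAC-SHA-256 or HMAC-SHA-512, a configurable time step and Unix time origin, and secrets exchanged as hex or RFC 4648 Base32), as an added example that is not Radiator's own code or its generate-totp.pl utility. It follows RFC 4226/6238 and checks itself against the reference vectors from RFC 6238 Appendix B; the SQL token layout Radiator uses is not assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 Appendix B reference seeds (one per HMAC hash), used for the self-check.
RFC6238_SEED_SHA1 = b"12345678901234567890"
RFC6238_SEED_SHA256 = b"12345678901234567890123456789012"
RFC6238_SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def secret_from_hex(text):
    """Decode a shared secret stored as hex text."""
    return bytes.fromhex(text.strip())


def secret_from_base32(text):
    """Decode an RFC 4648 Base32 secret (the form shown to users or put in a QR code).
    Authenticator apps usually drop the '=' padding, so it is restored here."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP with a selectable HMAC hash: 'sha1', 'sha256' or 'sha512'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, unix_time, time_step=30, t0=0, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: the HOTP counter is the number of time steps elapsed since T0."""
    return hotp(secret, (unix_time - t0) // time_step, digits, algorithm)


def verify_totp(secret, candidate, unix_time, time_step=30, t0=0,
                digits=6, algorithm="sha1", window=1):
    """Verifier-side check: accept the code for the current step and 'window' steps
    either side to tolerate clock skew, comparing in constant time."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    base = (unix_time - t0) // time_step
    for counter in range(base - window, base + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), candidate):
            return True
    return False


def generate_secret(length=20):
    """Create a random shared secret and return it in the two text forms the
    changelog mentions for generate-totp.pl: hex and RFC 4648 Base32."""
    raw = secrets.token_bytes(length)
    return raw.hex(), base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    hex_text, b32_text = generate_secret()
    now = int(time.time())
    print("hex:", hex_text)
    print("base32:", b32_text)
    print("current HMAC-SHA-256 code:", totp(secret_from_hex(hex_text), now, algorithm="sha256"))
```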

New in Radiator 4.13 (Apr 17, 2014)

  • Radius proxying, IPv6, TACACS+, Diameter and other enhancements, plus bug fixes.
  • Selected compatibility notes and enhancements:
  • Unknown attributes can now be proxied instead of being dropped
  • Diameter enhancements may require changes to custom Diameter modules
  • Major IPv6 enhancements include: attributes with IPv6 values can now be proxied without IPv6 support; Socket6 is no longer an absolute prerequisite; the 'ipv6:' prefix is now optional and is not prepended to attribute values.
  • TACACS+ authentication and authorization can now be decoupled
  • Bind variables are now available for AuthLog SQL and Log SQL.
  • Status-Server requests without correct Message-Identifier are ignored. Status-Server responses are now configurable.
  • LDAP attributes can now be fetched with base scope after a subtree scoped search. Useful, for example, for AD attributes such as tokenGroups which are not otherwise available.
  • The newly added check for CVE-2014-0160, the OpenSSL Heartbleed vulnerability, may log false positives.
  • New AuthBy for authenticating against YubiKey validation server added
  • See Radiator SIM pack revision history for supported SIM pack versions
  • Detailed changes:
  • Added the attributes from RFC 6911 to dictionary (Framed-IPv6-Address, DNS-Server-IPv6-Address, Route-IPv6-Information, Delegated-IPv6-Prefix-Pool and Stateful-IPv6-Address-Pool). These attributes override a number of attributes that were previously commandeered by Ascend and Merit. The Ascend ones are still available in ascend.dictionary. The Merit attributes were added under the existing Merit VSA entry and the non-VSA Merit attributes were removed from the main dictionary. The non-VSA Merit attributes will continue to be available in a new file goodies/dictionary.merit.
  • AuthBy RADIUS and all its subclasses e.g., AuthBy SQLRADIUS, LDAPRADIUS, MULTICAST and proxy algorithm AuthBys, now support special characters in AuthPort and AcctPort. Suggested by David Zych.
  • Added in dictionary: Huawei-Loopback-Address, vendor 6139 (Alcatel-Lucent OmniAccess), vendor 20942 (China Telecom-Guangzhou Research and Development Center) and vendor 27262 DANTE Ltd.
  • Unknown attributes can now be proxied when the new global configuration flag ProxyUnknownAttributes is set to true. Unknown attributes are now always available with special names such as Unknown-9048-120, where 9048 is the vendor id and 120 is the vendor attribute number. Unknown attributes are now logged with level WARNING instead of ERR. A warning is logged for each attribute once per sender IP address. Attribute names starting with Unknown are reserved in dictionary and ignored when the dictionary is loaded.
  • Added in dictionary: Attributes from RFC 5447, RFC 6519, RFC 6677 and RFC 6930.
  • Added support for dictionary type ipv4prefix required by RFC 6572. An example of ipv4prefix format is '192.168.1.0/24'. Added attributes from RFC 6572 in dictionary.
  • A change in 4.12 caused ServerDIAMETER to always create new peer instances for new connections, which mainly resulted in WatchdogState DOWN log litter.
  • AuthBy DIAMETER and other DiameterClient derived classes, such as Diameter Wx based EAP-SIM, EAP-AKA and EAP-AKAPRIME AuthBys, now support new option SCTPPeer. This option allows defining multiple SCTP peers for the initial SCTP association attempt.
  • Added vendor Arista in dictionary. Updated Netscreen values. Contributed by Garry Shtern.
  • Fixed AuthBy NTLM so it will not leave zombie processes around during reconfigure. Reported by Garry Shtern.
  • AuthBy RATELIMIT now supports optional parameter MaxRateResult, which allows specifying the result when MaxRate is exceeded. MaxRateResult defaults to IGNORE.
  • Significant IPv6 changes. Socket6.pm is no longer required if the core Socket module provides the required IPv6 support. Attributes with IPv6 address or prefix type are now handled as binary if there is no Socket or Socket6 for IPv6 support. This fixes the problem with proxying when Socket6 was not installed. Prefix 'ipv6:' for IPv6 addresses is no longer required but will be accepted. Decoded values for IPv6 address type attributes will no longer have 'ipv6:' prefix. Startup log messages now contain information about the IPv6 support.
  • Updated 3GPP (vendor 10415) attributes in dictionary. 3GPP-Allocate-IP-Type, 3GPP-External-Identifier and 3GPP-TWAN-Identifier were added. 3GPP-Charging-Gateway-Address, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Gateway-IPv6-Address are now the main attribute names while 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are now aliases. 3GPP-PDP-Context value 0 name is now IPv4 while IP is kept as an alias. Attribute types were corrected to use e.g., ipaddrv6, integer8 and integer16 for correct encoding and decoding. Added values for enumerated integer types.
  • Reverted the previous attribute canonical name changes for vendor 3GPP. 3GPP-CG-Address, 3GPP-GPRS-QoS-Profile and 3GPP-CG-IPv6-address are the names Radiator will use for decoding the attributes. The new names will be recognised as aliases. Also, 3GPP-PDP-Context name for value 0 is IP and IPv4 can be used as an alias.
  • EAP_25.pm now makes inner identity available via outer context improving logging options.
  • Updated Application IDs. Updated vendor 3GPP (10415) RADIUS compatible attribute (1-27) list, added new 3GPP-RAT-Type and 3GPP-PDP-Type type values, fixed 3GPP-*-Address encoding to use OctetString instead of Address type, 3GPP-RAT-Type and other 8 bit enumerated values are encoded correctly. 3GPP attribute Location-Estimate type is now OctetString.
  • Improvements to the sample wimax.sql database schema to support long capabilities values.
  • Added VENDOR Radware 89 and VSA Radware-Role to dictionary.
  • Logging level for rejected authentication attempts can now be configured globally and for each Handler or Realm. The level is set with the new parameter LogRejectLevel. This optional parameter uses the same values as the Trace option, and can be set globally or per Handler or Realm.
  • Further logging enhancements. PacketTrace can now be configured to skip selected Log clauses. New flag parameter IgnorePacketTrace can be set in Log clauses which should not participate in PacketTrace logging. Thanks to David Zych for ideas and assistance with the latest logging improvements.
  • Trailing NULs are now stripped from TACACS+ authorization arguments. Reported by Tim Cheyne.
  • Fixed a bug in Diameter Address format encoding with IPv6 addresses. DiaClient now correctly formats IPv6 address in Host-IP-Address for TCP connections.
  • TacacsClient module now supports connecting to TACACS+ servers over IPv6. This allows tacacsplustest to work with IPv6 enabled TACACS+ servers. Requires IO::Socket::INET6.
  • Account expiry dates starting with 'Mmm dd' for Expiration, ValidTo and ValidFrom check items now correctly check for valid month names. Reported by Kennyen Choo.
  • Added Pronto Networks VENDOR Pronto 16521, and Pronto-AVPair to dictionary.
  • Worked around the duplicate name for 3GPP Diameter Gx interface. Fixed typos in Diameter application names.
  • ClientListSQL was calling parent's initialize twice. Clarified AuthSQLHOTP and AuthSQLTOTP parent initialize calls.
  • Improvements to logging. Added support in Log.pm and LogGeneric.pm for dynamically setting the Trace level. An example of using User-Name from the current request is in goodies/hooks.txt.
  • Enhanced AuthBy DIAMETER Destination-Host and Destination-Realm handling. Worked around the duplicate name for 3GPP Diameter Rx interface.
  • When special %s is used, the microseconds are now left padded with zeroes. Suggested by David Zych.
  • PEAP and EAP-TTLS now make maximum fragment size available for inner authentication protocols. EAP-TLS was improved to use this information. This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with environments with variable Framed-MTU sizes.
  • When reading parameter settings from a file with file:"filename", any trailing newlines are now removed from the end of file to make sure the value is correctly parsed. Reported by David Zych.
  • Added goodies/address-allocator-sql.txt for further AddressAllocator SQL examples. Initial examples include MySQL and PostgreSQL queries for environments with multiple Radiator instances allocating from the same database.
  • RDict.pm now supports new method vendorByNum which returns vendor data from a given vendor number. Enhanced Starent VSA decoding to make sure invalid lengths do not cause a crash. Added support and attributes for Starent VSAs which use 1 byte for type and 1 byte for length. The Starent VSAs in Radiator default dictionary use 2 bytes for type and length. Loading goodies/dictionary.starent-vsa1 after the default dictionary will cause Starent VSAs to use 1 byte type and length. The Starent VSAs in the default dictionary will not work with dictionary.starent-vsa1 and should not be used.
  • Significant changes in Diameter dictionary handling: the dictionaries can now be separate modules and a specific dictionary is defined for the application. Diameter Credit Control attributes were moved to module DiaDict_4.pm while the Diameter base, NASREQ, Mobile IPv4, base accounting, EAP, SIP and relay applications still use the default dictionary DiaDict.pm. Any new dictionaries will be created as separate modules. Updated the existing modules AuthDIAMETER, DiaDict, DiaPeer, ServerDIAMETER, DiaClient, DiaMsg and DiaUtil. Added new modules DiaUtil and DiaDict_4.
  • Added support for salted and non-salted SHA-2 hashed passwords. Supported formats are {SHA256} {SSHA256} {SHA384} {SSHA384} {SHA512} and {SSHA512}. Updated sha.pl and ssha.pl in goodies to support SHA-2 hashing. Suggested by Alexander Hartmaier.
  • AddressAllocator DHCP can now use the Class attribute for allocation state when configured with UseClassForAllocationInfo. This enables allocation and deallocation to work between server farm members. Configuration notes are in goodies/addressallocatordhcp.cfg. Clarified some of the AddressAllocator DHCP options in addressallocatordhcp.cfg.
  • Functions pack_sockaddr_pton and gethostbyname in Util.pm and UtilSocket6.pm misinterpreted some hostnames as IPv6 addresses. Reported by Emanuel José Freitas.
  • Updated Huawei VSAs in dictionary. Contributed by Alexander Hartmaier.
  • AddressAllocator identifier in AuthBy DYNADDRESS now supports special formatting characters.
  • Change in DiaPeer watchdog to recover better from unresponsive but still open TCP connections.
  • Diameter dictionaries now support attribute flags. Added add_attr_d, get_attr_d and get_attrs_d in AttrList.pm for adding and accessing Diameter attributes with their names. Any flags, such as M flag, are automatically added based on dictionary. DiaAttrList and RadiusDiameterGateway now correctly set dictionary when using DiaAttrlist->new(). DiaDict is more verbose about possible problems with parsing dictionary files.
  • Marked GroupCacheFile option in ServerTACACSPLUS as deprecated and removed code related to it.
  • ServerTACACSPLUS now adds OSC-TACACS-* attributes to the converted TACACS+ authentication and accounting requests in a more consistent manner. Use of deprecated CommanAuth option gives a warning during startup. Minor cleanups to remove warnings when -w is used. Fixed mapping of missing GroupMemberAttribute value to 'DEFAULT' broken in the previous patch. Updated tacacsplusserver.cfg in goodies.
  • ServerTACACSPLUS can now create a RADIUS Access-Request when a TACACS+ authorization request is received but no authorization info is known for the user. This can happen, for example, when Radiator is restarted or the TACACS+ client uses some other protocol for authentication. These RADIUS Access-Requests carry the Service-Type attribute with value Authorize-Only. Authorization based requests are enabled with the AllowAuthorizeOnly flag which defaults to off. Updated tacacsplusserver.cfg and added OSC-TACACS-Authen-Method in dictionary.
  • AuthBy SIP2 now immediately rejects CHAP, MSCHAP and MSCHAP-V2 authentication attempts instead of letting password check fail each time.
  • Added support for PBKDF2 derived User-Password check items. Uses HMAC-SHA1 as the Pseudo Random Function (PRF). Requires Digest::HMAC_SHA1. Added a small utility goodies/pbkdf2.pl which can be used to create derived password in the form Radiator honours.
  • AuthLog SQL now supports SuccessQueryParam and FailureQueryParam parameters, which allow SQL bind variables to be used.
  • AuthBy RSAAM now supports SSLCAFile for RSA AM HTTPS server certificate verification. New parameter ChallengePrefix allows setting the common prompt for PIN change and other challenge questions. Suggested by Garry Shtern.
  • Log SQL now supports LogQueryParam parameters, which allow SQL bind variables to be used.
  • Changes so that the plaintext password is not logged at debug level during EAP-TTLS/PAP authentication.
  • Added support for SSLVerify, SSLCAPath, SSLVerifyCNName, SSLVerifyCNScheme and SSLCertificateVerifyHook configuration parameters in AuthBy RSAAM. The parameters require Perl LWP 6.0 or later or otherwise they are ignored. SSL client certificate options are now set using LWP if LWP version 6.0 or later is detected. These changes allow RSA AM server HTTPS certificate verification without environment variables.
  • tacacsplustest in goodies now supports -bind_address command line argument. TacacsClient module can now pass local address to the socket constructor.
  • Added eduroam-Monitoring-Inflate VSA to dictionary.
  • Added StripFromRequest parameter to ServerRADSEC. Suggested by Paul Dekkers.
  • Logging enhancements: AuthBy RADSEC and ServerRADSEC now format packet dumps only when the log level is DEBUG or more verbose. IPv6 capability is now logged on DEBUG level if IPv6 functionality is provided by the Perl core or Socket6. INFO level message is logged only when there is no full IPv6 functionality.
  • Added new module AuthBy YUBIKEYVALIDATIONSERVER with example configuration yubikey-validationserver.cfg. Authenticates against Yubikey Validation server. This allows using a YubiHSM Hardware Security Module (HSM) by one or more Radiator servers at the same time. The YubiHSM can be installed on the same server where Radiator runs on, or on a remote dedicated server. Refactored AuthYUBIKEYGENERIC.pm to move common code to AuthYUBIKEYBASE.pm allowing AuthBy YUBIKEYVALIDATIONSERVER to run without any dependencies on Yubikey specific support modules such as Auth::Yubikey_Decrypter.
  • Added in dictionary: Attributes from RFC 7055. These started as UKERNA, vendor 25622, VSAs.
  • Removed unneeded code from EAP_25.pm and TLS.pm.
  • Added new global and Client specific configuration parameter StatusServer. This parameter sets the Status-Server response verbosity. The supported values are off, minimal and default. The global default can be overridden by each Client clause. Status-Server requests without correct Message-Authenticator attribute are now ignored.
  • Added new parameter AttrsWithBaseScope to AuthBy LDAP2. AuthBy LDAP2 can now be configured to do a two step search: first locate the user's DN, then follow with a second search where the search base is set to the DN and the scope to 'base'. This is required, for example, to get access to Windows AD constructed attributes, such as tokenGroups, which are only returned when the search scope is set to base. Updated ldap.cfg in goodies.
  • Removed old and unneeded FirstSendTime, LastSendTime and Attempts from Radius.pm.
  • EAP-TTLS now correctly exports the inner identity with $rp->{inner_identity} when the inner authentication is EAP.
  • Added OSC-SIM-* attributes for exporting SIM/USIM authentication information. Added attributes for the upcoming RFC "RADIUS Attributes for IEEE 802".
  • AuthBy SIP2 now honours Timeout option when connecting to SIP2 servers. The timeout defaults to 3 seconds.
  • Added new parameter FailureBackoffTime to Resolver. If the lookup failed to discover any results and there was a timeout while waiting for the nameserver, this optional value specifies how long Radiator will wait before another lookup is made. Previous behaviour was to try again after NegativeCacheTtl expired. Defaults to 3 seconds. Problem with the old behaviour reported by Paul Dekkers.
  • ServerDIAMETER no longer announces Supported-Vendor-Id with value 0 in CER. This is required by the current Diameter base RFC 6733. Value 0 is no longer announced with Acct-Application-Id in CER. Updated diameter-server.cfg.
  • Added new global parameter KeepSocketsOnReload. Note: this is currently considered experimental. This optional flag controls whether opened RADIUS listen sockets should be left intact on a reload request. When enabled, the changes in BindAddress, AuthPort and AcctPort are ignored during reload. You may consider enabling this option when incoming RADIUS requests should be buffered during the reload instead of ICMP unreachable messages being sent back to the RADIUS clients. Contributed by Garry Shtern.
  • Attributes added to the reply by EAP-FAST inner authentication will now be copied to the outer Access-Accept too. This is similar to how PEAP and EAP-TTLS already function. Suggested by Jakob Schlyter.
  • Added the first version of RuntimeChecks module with two checks. The first uses Net::SSLeay to try to detect OpenSSL versions which may have the Heartbleed (CVE-2014-0160) vulnerability. The second test checks for the availability of Digest::MD4 which is often required because of MSCHAP, MSCHAP-V2 and their derivatives. The individual checks can be disabled with the new configuration parameter DisabledRuntimeChecks. Future checks are added as needed. The module is also available for Hooks to implement site local checks.
  • Check Point attributes CP-Gaia-User-Role and CP-Gaia-SuperUser-Access were incorrectly entered in the dictionary. Reported by Jason Griffith.
  • Ldap.pm could crash while logging with old Net::LDAP versions. Reported by Mauricio Montoya Bustamante.

New in Radiator 4.12.1 (Sep 18, 2013)

  • Fixed a bug that prevented AuthBy SQL from loading when it was defined outside of Realm or Handler.
  • Unknown Diameter attribute types are now logged with a warning when Diameter dictionaries are loaded. Diameter encoder and decoder now use Integer32 and Integer64 for signed 32 bit and 64 bit types instead of Signed32 and Signed64.

New in Radiator 4.12 (Sep 13, 2013)

  • Improvements to EAP-MD5 handling: in the event of an authentication failure, the log messages now describe the reason for the failure more clearly.
  • Updated Mikrotik VSAs in dictionary.
  • Added a number of VSAs for Alcatel-ESAM to dictionary.
  • Fixed a potential crash if there were many unfinished EAP-GTC authentication conversations through AuthBy ACE. Reported by Richard Fairhall.
  • Added support for a number of new check items for AuthBy SQL: Max-All-Session, Max-Hourly-Session, Max-Daily-Session, Max-Monthly-Session, Max-All-Octets, Max-All-Gigawords, Max-Hourly-Octets, Max-Hourly-Gigawords, Max-Daily-Octets, Max-Daily-Gigawords, Max-Monthly-Octets, Max-Monthly-Gigawords. AuthBy SQL supports the following corresponding configurable queries: AcctTotalQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalSinceQuery, AcctTotalOctetsQuery, AcctTotalGigawordsQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery, AcctTotalOctetsSinceQuery, AcctTotalGigawordsSinceQuery. With the kind assistance of Richard Fairhall.
  • Updated AuthLog SYSLOG so that it honours the same %0 and %1 in SuccessFormat and FailureFormat as other loggers.
  • Changed all instances of the poorly defined 'octets' type attributes in dictionary to 'binary'.
  • Added F5 BigIP VSAs to dictionary, per http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html, as sent by Alexander Hartmaier.
  • Added further Trapeze VSAs for MSS 8.0 and later to dictionary, as sent by Vandenbroucke Luc.
  • Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that failedRequests and start_failure_grace_time are updated even if there is no $op->{rp}.
  • Performance improvements for TTLS and PEAP: when used with OpenSSL 1.0.1 or later and Net::SSLeay 1.52 with the latest patches (or later), the native OpenSSL tls1_PRF function is used.
  • Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the event of an Access-Reject from a proxied request, AuthLog* can log the actual Reply-Message from the reply instead of 'Proxied'. Requested by David Zych.
  • Improvements to AuthBy RADIUS and AuthBy RADSEC to detect obvious routing loops and to ignore attempts to proxy a packet to the same BindAddress/port a packet was received on.
  • Fixed a problem in SessionDatabase SQL that could cause a crash if UpdateQuery is defined and an Accounting Alive packet was received. Reported by Chris Millington.
  • Improvements to AuthBy SQL AuthColumnDef. Can now have a trailing ", formatted" keyword in an AuthColumnDef. This will cause the value retrieved from the database in that column to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now: AuthColumnDef n, attributename, type[, formatted]
    For example: AuthColumnDef 1, Filter-Id, reply, formatted
  • Improvements to AuthBy LDAP2 AuthAttrDef. Can now have a trailing ", formatted" keyword in an AuthAttrDef. This will cause the value(s) retrieved from LDAP to be subject to special character processing before its value is used, and can therefore contain %{something} forms which will be replaced at authentication time. The general format is now: AuthAttrDef ldapattributename, radiusattributename, type[, formatted]
    For example: AuthAttrDef filter, Filter-Id, reply, formatted
  • All configuration parameters of type 'flag' can now use special characters. This is especially useful to be able to control flags with GlobalVar's.
  • Added example hook to hooks.txt: showing a way to call PostAuthHook with additional fixed arguments set at startup time.
  • Fixed some typos in DiaClient that incorrectly mentioned RadSec.
  • AuthBy RADIUS and AuthBy RADSEC now remove the unnecessary Timestamp attribute (meant for internal use only) from proxied requests.
  • Improvements to Handler: the reply packet is not set if there is already one present. Useful when AuthBy HANDLER or a hook redespatches a request to another Handler: reply items added by earlier Handlers and AuthBys will not be lost.
  • Added Ericsson redback VSAs 207-213 to dictionary. Also added some alternate values for RB-Framed-IPv6-Prefix, RB-Framed-IPv6-Route, RB-Framed-IPv6-Pool, as used by SmartEdge.
  • Added A-10 Networks VSAs to dictionary.
  • Improvements to SYSLOG loggers to be more compatible with later versions of Sys::Syslog.
  • Fixed a problem with using AuthBy Fidelio and serial ports that caused a failure to start Radiator. Also changed the default serial port flow control for Fidelio modules to 'rts', since 'xoff' could cause lost characters and bad checksums. Tested with USB-Serial port adapters.
  • Updated goodies/digipass-install.txt to include guidance about how to order Digipass tokens, including the need to order the 'Digipass User Data Subscription Fee' (DUD) option.
  • All tar files are now built with TAR_OPTIONS=--format=gnu to ensure compatibility with other tars, notably the one on Solaris.
  • Tested on Solaris 11; works with the built-in Perl 5.12.
  • Added Huawei-3Com (H3C) VSAs to dictionary.
  • Improvements to AuthBy KRB5 and Ldap.pm: Credential Cache now uses memory cache instead of file. Added a new option KrbServerRealm to allow server and user to exist in different realms. Hostname is now used for service tickets instead of IP address. Reverse DNS lookup is now done for the host before requesting a service ticket. Patches by Garry Shtern.
  • Added new dictionary file for Cisco/Altiga attributes compiled by Alexander Hartmaier.
  • Fixed a problem that prevented HostSelect from implementing host counter if HostSelectParmam was defined.
  • Added support for SNMP V2c with new configuration parameter SNMPVersion in SNMPAgent. Fixed a problem where some SNMP decode errors were not correctly detected.
  • Configuration file check no longer activates clauses which could cause spurious error messages. Requested by Garry Shtern.
  • Added Palo Alto Networks VSAs to dictionary. Contributed by Garry Shtern.
  • More improvements to LDAP logging. The hostname and port are now logged after a successful connection. This helps determining to which host the connection was made when the Host parameter is configured with multiple host names. Removed redundant GSSAPI related code. Contributed by Garry Shtern.
  • Fixed a problem with EAP-TTLS where EAPAnonymous %0 did not fetch the inner EAP identity. Reported by Neil M. Johnson.
  • Added a number of Aruba VSAs to dictionary with the kind assistance of Michael Hulko.
  • Fixed UseStatusServerForFailureDetect in AuthRADIUS.pm to work correctly when there are multiple Hosts configured. This also affects AuthRADIUS subclasses and small changes were needed for AuthLOADBALANCE, AuthMULTICAST, AuthROUNDROBIN and AuthVOLUMEBALANCE. AuthHASHBALANCE and AuthEAPBALANCE required no changes. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to Status-Server request will bring back a failed Host. Other changes include: AuthRADIUS subclasses will now log an INFO level message when the Host starts responding. BogoMips only affects AuthLOADBALANCE and AuthVOLUMEBALANCE as documented. Setting BogoMips to 0 for a Host will no longer disable it for the other subclasses. KeepaliveTimeout can be specified for the AuthBy or individual Host in the AuthBy. The default value for BogoMips in an AuthBy is now correctly passed to the Hosts in the AuthBy. Thanks to Paul Dekkers for reporting the problem and debugging help.
  • Reverted earlier Status-Server polling related change in AuthRADSEC.pm that caused memory leak when requests were not replied to. Reported and narrowed down by Paul Dekkers.
  • EAP-PWD now honours UsernameMatchesWithoutRealm. Also, if the user is not found, the log message now has EAP-PWD instead of EAP MSCHAP-V2.
  • Fixed UseStatusServerForFailureDetect in AuthRADSEC.pm to work correctly when there are multiple Hosts configured. When UseStatusServerForFailureDetect is enabled, all Host objects do individual polling. Expiry of FailureBackoffTime will no longer make the Host eligible for forwarding. Only a response to a Status-Server request will bring back a failed Host. This change is similar to the recent AuthRADIUS.pm change.
  • Added new option -message_authenticator to radpwtst for adding correctly calculated Message-Authenticator in the outgoing requests. Currently supported types are Access-Request, Status-Server, Disconnect-Request and Change-Filter-Request aka COA-Request.
  • PEAP EAP context is now cleared immediately when reading encrypted TLS data fails.
  • AuthBy RADSEC did not correctly reinitialize when signalled with SIGHUP, leaking TCP connections, memory and TLS references. Fixed a similar memory leak in AuthBy RADIUS. TCP connection leak reported by Karl Gaissmaier.
  • Logging enhancements: replies received by AuthBy RADIUS, AuthBy RADSEC, Client, ServerRADSEC and SimpleClient.pm are now dumped using the loggers configured for the respective clauses and module. PacketTrace now affects the replies received by the clauses. Function decode_attrs no longer dumps the received request. Some messages are now logged by the clauses first instead of just the main logger.
  • Added Blue Coat VSAs to dictionary. Contributed by Garry Shtern.
  • LDAP GSSAPI name resolution enhancements. Based on patch by Garry Shtern.
  • Tested with RSA Authentication Manager 8.0. Updated OnDemand mode prompt handling. No other changes required. Added new parameter ChallengeHasPrompt to AuthBy RSAAM to enable sending RADIUS Prompt attribute with Access-Challenge messages based on the RSA AM responses.
  • Status-Server messages sent by AuthBy RADSEC and AuthBy RADIUS no longer carry Proxy-State attribute. Improved logging in AuthBy RADSEC when Proxy-State in reply is missing or mangled.
  • Added Lancom and CheckPoint GAiA VSAs and updated 3Com and H3C VSAs in dictionary with the kind assistance of Philip Herbert.
  • Added new methods for inserting attributes in AttrList. Useful e.g., for Diameter AVP ordering. Added Origin-AAA-Protocol into DiaAttrList, updated DiaDict to always use DiameterIdentity, DiameterURI, IPFilterRule and QoSFilterRule as data type name instead of short-forms. Fixed a number of spelling mistakes.
  • Added support for authentication with Duo Security https://www.duosecurity.com/. AuthBy DUO supports two-factor authentication provided by the Duo Security auth API. A sample configuration file and a partial API simulator are included.
  • Registering an object by its Identifier in Configurable.pm is now done just before object loading finishes, not during object activation. This fixes the recently introduced problem where configuration check gave incorrect results when Identifiers were used for references. Reported by Karl Gaissmaier.
  • Added iPass VSAs to dictionary.
  • DiaPeer and DiaClient now support adding Vendor-Specific-Application-Id attributes in Diameter CER message.
  • Configurable now calls check_config for each module just before it is activated. Configuration checks done by modules within activate were moved to check_config so that they will be run also when radiusd is invoked with -c flag to check the config.
  • Updated sample certificates to expire Aug 14 11:37:20 2015 GMT. Updated goodies/mkcertificate.sh to check for CA.pl availability.
  • Added precompiled Authen-Digipass ppm package for Perl 5.16 on Windows.
  • Added precompiled Authen-ACE4 ppm packages for Perl 5.16 on Windows. Recompiled Authen-ACE4 ppm packages for Perl 5.14.
  • Added new global parameter BindV6Only. This optional parameter allows turning on or off IPV6_V6ONLY socket option for IPv6 wildcard listen sockets. Defaults to undefined and hence no setsockopt is done. See RFC 3493 for more about IPV6_V6ONLY.
  • Client clauses now support CIDR notation for IPv6 clients. For example: ipv6:2001:db8:1:2::/126 and ipv6:::ffff:192.168.1.0/120. It is recommended, but not required, to install Math::BigInt::GMP or Math::BigInt::Pari for faster matching. The default is to use the slower pure Perl implementation.
  • Updates to many goodies example files and other files.
  • Added preliminary support for AuthBy DIAMETER. AuthBy DIAMETER converts RADIUS messages to Diameter messages and sends them to a Diameter server. Currently targets RFCs 4005 and 6733.
  • AuthBy DUO did not indicate that the request was handled asynchronously, causing problems with certain modules such as ServerTACACSPLUS. Reported by David LaPorte.
  • Enhanced radpwtst help output and options file support. The file format is now documented in the reference manual. The -time option now works even when -notrace option is given.
  • Unnecessary DNS lookups were done when MAC: or CIDR Clients were defined, causing possible slowness during startup or ClientList refresh.
  • Testing with Strawberry Perl on Windows. Updated installation documentation and reference manual to include Strawberry Perl on Windows.

New in Radiator 4.11 (Dec 21, 2012)

  • Typo prevented MS-CHAP-Challenge being correctly added when EAP_LEAP_MSCHAP_Convert is enabled.
  • Changes to continued line parsing in 4.10 broke the ability to spread the first line of a clause over multiple lines with the backslash line continuation operator. Fixed.
  • AuthBy ACE now supports EnableFastPINChange with EAP-GTC, contributed by Richard Fairhall.
  • Fixed a problem that prevented correct operation of ServerDIAMETER listening when FarmSize was in use: some children could block waiting for an accept. Listen socket is now non-blocking. Reported by Rani Assaf.
  • Fixed a problem that prevented AuthBy RADSEC correctly detecting downstream server failure under some circumstances with UseStatusServerForFailureDetect. Reported by Paul Dekkers.
  • Added support for authentication via 3M Standard Interchange Protocol 2 as used in 3M's Automated Circulation Systems (ACS) for book libraries. AuthBy SIP2 supports TCP/IP connection to 3M ACS systems, and authenticates against library patron name and password.
  • SNMPAgent now supports some more items from MIB2: sysDescr (which returns the Radiator name and version) and sysObjectID (which returns the Radiator OID 1.3.6.1.4.1.9048.1.1). Also added sample goodies/snmp.cfg with some documentation about how to configure and test SNMPAgent.
  • radiusd has a new function main::addChildInitFn() which can be used by modules to register a function that is to be called in each child after it is forked by FarmSize. This can be used by module authors to defer or redo some initialisation in the child.
  • Improvements to error detection in Stream handle_socket_read to detect the possibility of EWOULDBLOCK/EAGAIN, reported by Rani Assaf.
  • Added HP-VC-Groups to dictionary.
  • Further improvements to multiline config file parsing, suggested by Michael.
  • Updated comments in HOTP and TOTP examples to clarify the contents of the 'secret' field. Also fixed a problem in AuthBy SQLTOTP, which could cause an SQL error if the first ever log-in attempt involves typing an incorrect PIN. Reported by Roy Badami.
  • Improvements to PEAP support for Windows clients that failed to work when PEAP fast reconnect was enabled. EAP Extension TLV/Success is now exchanged over the TLS tunnel between the server and client before sending the final Access-Accept.
  • Added more Unisphere and Juniper VSAs based on http://www.juniper.net/techpubs/software/junos/junos114/radius-dictionary/unisphereDictionary_for_JUNOS_v11-4.dct
  • Fixed a typo in dictionary for WiMAX-QoS-Descriptor value Transmission-Policy.
  • Fixed a problem that could prevent the correct OutPort being used as the source port for AuthBy RADIUS forwarding.
  • Nas finger now uses the standard perl Net::Finger module instead of the internal Finger client in Radius::Finger. The internal Finger client Radius::Finger is now not shipped with Radiator. If you wish to use finger to check online users, you must install the Perl Net::Finger module.
  • Added OSC VSA for pseudo-attribute PoolHint to dictionary.
  • Updated all Nas/*.pm modules to use numeric OIDs instead of symbolic, since some recent versions of snmp tools install without MIBs.
  • Added DEBUG logging of DHCP replies received by AddressAllocator DHCP.
  • Fixed a problem that could cause a crash if AuthBy EAPBALANCE was used with the KeepaliveTimeout option.
  • Fixed a problem that caused UseStatusServerForFailureDetect to not work correctly when defined at the AuthBy RADIUS level instead of the Host level.
  • Added new parameter ClientHardwareAddress to AddressAllocator DHCP. ClientHardwareAddress is the name of an attribute in the incoming request which contains the hex encoded MAC address of the client. If present, it will be used as CHADDR in the DHCP request. If not present, a fake CHADDR based on the request XID will be used. The DHCP server may use this when allocating an address for the client. The MAC address can contain extraneous characters such as . or : as long as it contains the 12 hex characters (case insensitive) of the MAC address. Special characters are supported.
  • Added NetworkPhysics-Attribute to dictionary with the kind assistance of "Caporossi, Steve G."
  • Added Procera-Local-User-Name to dictionary with the kind assistance of Lucas Hazel.
  • Improvements to consistency of proxiedRequests and proxiedNoReply statistics counters when the request is proxied by multiple AuthBy RADIUS or AuthBy RADSEC clauses.
  • AuthBy RADMIN now supports PostAuthSelectHook.
  • Enhancements to support Diameter client and server required for new Diameter Wx support in Radius-EAP-SIM.
  • Fixed a problem that caused incorrect RecvTime in tunnelled PEAP requests.
  • Implemented checkproc for SuSE in linux-radiator.init. Contributed by "Aeneas Jaile (sewikom GmbH)"
  • Added support for PostDiaToRadiusConversionHook and PostRadiusToDiaConversionHook to Server DIAMETER.
  • Refactoring of md5 and mschapv2 challenge code prior to integrating Heimdal digest support.
  • Added new module AuthBy HEIMDALDIGEST with example configuration and test setup instructions. Authenticates from Heimdal Kerberos (http://www.h5l.org/). Supports RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2). With the kind assistance of Fredrik Pettai. Originally written by Klas Lindfors. Contributed by Stefan Wold of Stockholm University.
  • Fixed a problem where file:"filename" syntax in configuration file could cause strange error messages in hooks if the filename was not found.
  • Fixed a problem where PidFile could be incorrectly deleted if any child was killed in a farm. Now it is only deleted if the farm parent is shut down.
  • Fixed a problem in server farms where if a child process was STOPped or hung, the graceful shutdown process could also hang, resulting in possible failure to restart all children correctly.
  • Improvement to Linux startup script to better handle the case where Radiator fails to exit cleanly after stop command.
  • Improvements to SNMP.pm snmpget, so that failures due to Unknown Object Identifier are detected. Suggested by Michael.

New in Radiator 4.10 (Jun 29, 2012)

  • Added support for EAP-PWD per RFC 5931. EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in eg Eduroam and other environments. Requires that the Radiator user database has access to the correct plaintext password. Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is included.
  • Added 2 Aruba VSAs to dictionary. Contributed by Matt Alexander.
  • Added Tropos and Fortinet VSAs to dictionary.
  • Added Ukerna GSS and SAML VSAs to dictionary, with the kind assistance of Luke Howard. Also modified packing routines to split UKERNA SAML-AAA-Assertion into multiple attributes.
  • Removed use of 'use timelocal' from radiusd and radpwtst, code now uses Time::Local instead.
  • Removed use of 'use newgotopt', all code now uses Getopt::Long instead.
  • Added new parameter PasswordUriEscape to AuthBy URL. This optional parameter specifies whether the password needs to be url-encoded or not. Options are "Clear", "Encode". Contributed by Matthew Van Kuyk.
  • Added Nokia Siemens Networks (NSN) VSAs to dictionary.
  • Added support to radpwtst for new command line argument -alive to send Accounting-Alive requests. Alive is not sent by default if accounting is enabled.
  • Fixed an error in the RPM build control file Radiator.spec, which would cause /usr/lib64/perl5/ to be deleted if the Radiator RPM package was erased.
  • Improvements to Log SYSLOG and AuthLog SYSLOG modules so that multiple differing module logging configurations do not confuse Sys::Syslog.
  • Fixed a problem in Server TACACSPLUS that prevented Client-Identifier being set in Tacacs+ derived RADIUS requests. Reported by Tim Cheyne.
  • Improvements to AuthBy WIMAX, which now uses the latest WiMAX TLV attribute definitions for packing and unpacking of WiMAX TLV attributes. AuthBy WIMAX now uses the latest WiMAX-Capability TLVs. goodies/wimaxtest uses the TLVs, and honours the -capability command line argument where you can specify an alternate WiMAX-Capability.
  • Removed use of 'use newgotopt' from builddbm, buildsql, tacacsplustest, diapwtst, restartwrappert. Code now uses Getopt::Long instead.
  • Added new parameter EAPTLS_AllowUnsafeLegacyRenegotiation to AuthBy *. For TLS based EAP types such as TLS, TTLS and PEAP, and with versions of OpenSSL 0.9.8m and later, this optional parameter enables legacy insecure renegotiation between OpenSSL and unpatched clients or servers. OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere.
  • Updated ACME VSA's in dictionary to add many missing VSAs and to adopt attribute naming consistent with other RADIUS servers.
  • Updated sample certificates to expire Nov 15 21:48:28 2013 GMT
  • Added support for EAP expanded types per RFC 3748. EAPType parameter can now be specified as an EAP type number, an EAP expanded vendornumber:typenumber or as a traditional well-known EAP type name eg: EAPType TTLS, MSCHAP-V2, 16776957:4244372217 where 16776957 is the expanded vendor number and 4244372217 is the expanded type (this example is for 0xfffefd and 0xfcfbfaf9, the vendor and type of the wpa_supplicant VENDOR-TEST expanded type). Included module and config to support testing against wpa_supplicant VENDOR-TEST expanded type.
  • Fixed a possible problem in Stream connections where connection failures may not be detected correctly.
  • Improvements to EAP-MSCHAPV2 handling in the case where the underlying database has a database access problem, causing an IGNORE.
  • Testing with RSA Authentication Manager 7.1 SP4. No changes required.
  • Early release of AuthBy SAML2 module. This module fetches Moonshot/SAML2 Assertions for an (already authenticated) user from an Identity Provider (IdP) and puts the assertion in a SAML-AAA-Assertion reply item. Caution: this is beta code and not yet widely tested. Feedback requested. Currently only sends ECP AuthnRequest requests (AAA AttributeRequest is not yet supported). Signing of requests and verifying of responses is not yet proven to work correctly.
  • EAP-MSCHAPV2 now honours AuthenticateAttribute.
  • New versions of Authen ACE4 version 1.4 ppms with AuthSDK 8.1 for Windows 32 and 64 bit.
  • Added new parameter RoundRobinOnFailure to all Sql clauses. Normally, if Radiator gets an error or a timeout from a database connection it will try to reconnect to the database, starting with the first DBSource, and trying them all in order until a successful reconnection. This flag forces the search to start at the database following the current DBSource (if there is one). This can help with some types of overloaded database that can be connected to but then time out when a query is sent.
  • Context is stored in $p->{EAPContext} for all EAP requests.
  • Fixed a problem where HUPping an evaluation version would result in messages like Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
  • Added support for new parameter RequireMessageAuthenticator in Client clauses. Normally, Client clause checks the value of any Message-Authenticator attribute (if present) in incoming requests (EAP or otherwise), and an incorrect authenticator causes the request to be IGNOREd. The optional RequireMessageAuthenticator flag causes this Client to require a (correct) Message-Authenticator attribute to be present in all incoming requests.
  • ServerHTTP now registers itself with Configurable.
  • Additional information in error logs from various TLS operations. Patch from "Bjoern A. Zeeb". Thanks Bjoern.
  • ClientList LDAP now supports file in PreHandlerHook and ClientHook.
  • Fixed a problem with SessionDatabase SQL which could cause a crash if the query contains %{Quote:...}. Patched by Eddie Stassen. Thanks.
  • Added VENDOR Ericsson 193 VSAs to dictionary.
  • Log FILE now supports %0 (priority) and %1 (log message) as special characters in Filename parameter. AuthLog FILE now permits use of the '|' vertical bar leading character in Filename to permit piping to an external program.
  • AuthBy LDAP2 and all other LDAP clauses now support an optional MultiHomed flag parameter. If this is set then Net::LDAP will try all addresses for a multihomed LDAP host until one is successful. Default is true (set).
  • Improvements to AuthBy SQL and AuthBy FREERADIUSSQL to improve compatibility with some Oracle clients in the group checks. Reported by Emanuel Freitas.
  • Added VENDOR Adva 2544 VSAs to dictionary.
  • Added VENDOR Siemens 4329 VSAs to dictionary.
  • Fixed missing 3GPP- prefix for a number of 3GPP VALUE definitions in the standard Diameter dictionary.
  • Fixed problems in Diameter to RADIUS gateway that prevented RADIUS attributes that are converted to Diameter Grouped attributes being parsed correctly.
  • For all TLS related operations, improved error logging if SSLeay::new fails.
  • Added StripFromReply and AllowInReply to the parameters permitted in AuthBy DNSROAM. Patched by Bjoern A. Zeeb. Thanks.
  • Added VENDOR TERENA 25178 and eduroam-SP-Country to dictionary.
  • Added more VENDOR Alcatel-ESAM attributes to dictionary. Contributed by Hugh Irvine.
  • Added new module AuthBy RATELIMIT which can be used to limit the maximum number of request per second to be served. If more than this number of request are received in any second, they will be IGNOREd.
  • Added radiusd.conf, a sample Upstart script for Debian/Ubuntu. Contributed by Adam Thompson.
  • Server TACACSPLUS now honours DefaultRealm from the Client clause that matches the incoming request. If defined in the Client clause, it will override any DefaultClient defined in the Server TACACSPLUS clause.
  • Global SocketQueueLength was not honoured when creating RADIUS server ports.
  • Fixed a typo in the help message in Monitor. Reported by Scott Bertilson.
  • Added Authen-Digipass-1.11-1.el6.x86_64.rpm (for perl 5.10, x64 on Centos 6 and RHEL6).
  • All TLS context configuration parameters, such as EAPTLS_CertificateFile now honour special characters (such as %K etc) from the EAP identity request.
  • AuthBy WIMAX incorrectly set WiMAX-Capability Accounting-Capabilities to 0 (none) instead of 1 (session-based).
  • All EAP authentications now log at DEBUG level the elapsed time of the entire conversation (since the EAP identity) in seconds (and microseconds if Time::HiRes is available).
  • If a Client address cannot be resolved, the log message now includes the exact address that was not able to be resolved.
  • Updated the prebuilt Authen-Digipass RPM package for RHEL 5 64 bit to version 1.11.
  • Fixed a problem that prevented AuthBy SQLAUTHBY honouring AuthBySelect if AuthBySelectParam was defined.
  • Removed incorrect -authen_args from help in tacacsplustest.
  • Improvements to handling of EAP-GTC so that UsernameMatchesWithoutRealm is honoured even if the EAP-GTC client sends the 'RESPONSE=identity\0password' form of EAP-GTC response.
  • Added Arbor-Privilege-Level to dictionary. Thanks to Markku.
  • RFC 2621 was inadvertently omitted from the distribution.
  • Added support for new configuration parameter PacketDumpOmitAttributes, which specifies a comma separated list of RADIUS attribute names that will be omitted from RADIUS packet dumps in logs.
  • ServerHTTP did not permit the creation of ClientListSQL or ClientListLDAP clauses. Reported by Albesiano Alberto.
  • Improved parsing of hooks and display of hooks by ServerHTTP. Reported by Albesiano Alberto.
  • AddToReply AddToReplyIfNotExist when used in Handlers and Clients, would incorrectly add attributes to Access-Rejects. This does not now occur. AuthURL did not correctly honour AddToReply for Access-Accept and Access-Reject. Reported by Albesiano Alberto.
  • RadSec is now an official IETF RFC 6614. RFC 6614 is now included in the distribution. In accordance with RFC 6614, the default shared secret for RadSec has been changed to 'radsec', UseTLS is enabled by default, and TLS_RequireClientCert is enabled in Server RADSEC by default.
  • Added RuggedCom VSA RuggedCom-Privilege-level to dictionary.
  • Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor, per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc'
  • Added Alvarion-WiMAX-Classifier VSA to attribute definitions for WiMAX-Packet-Flow-Descriptor to support atttributes like: WiMAX-Packet-Flow-Descriptor=Alvarion-WiMAX-Classifier="ClassifierID=1,Priority=2,Direction=IN" Also added Alvarion-R3-IF-Descriptor and Alvarion-DHCP-Option VSA tlvs to dictionary, to support attributes like: Alvarion-DHCP-Option="Ref-R3-IF-Name=interface1,DHCP-Option-Container=container1" Alvarion-R3-IF-Descriptor=R3-IF-Name=aaa,R3-IF-ID=1,PDFID=2,IPv4-addr=1.2.3.4,IPv4-netmask=5.6.7.8,DGW-IPv4-add=9.8.7.6 Per Alvarion's document 'RADIUS-WiMAX R3 Interop Spec_Rel 3 0 v 0 81.doc'.
  • Fix to Fidelio interface so that LA messages are not queued unless there is a current connection.
  • Fixed a problem where the LDAP group search did not correctly specify the attributes to fetch, and therefore _all_ attributes were fetched, affecting performance. Reported by Ben Carbery.
  • Improvements to AuthBy SQLYUBIKEY to add support for CheckSecretId. If CheckSecretId is set, then check that the secretId fetched from the database matches the secretId encoded in the submitted Yubikey OTP. This increases the security of the Yubikey OTP and is recommended best practice. Also improved the documentation for configuring yubikey.cfg and provided a better sample database for use with yubikey.cfg.
  • Fixed a problem with EAP-FAST that prevented anonymous provisioning in some circumstances where the client asks for several ciphersuites. Reported by Sudhir.Harwalkar.
  • Fixed a problem with Server TACACSPLUS and some authenticators such as AuthBy ACE which issue AccessChallenge to get additional data from the user. Radiator was sending the challenge as GETPASS rather than GETDATA and wasn't getting the NOECHO flag. Tested against a Cisco Catalyst 3560 switch and also a Cisco ASA 5510 firewall. Reported and patched by Richard Fairhall.
  • Updated Authen-Digipass and Authen-ACE4 Windows PPM packages to include Perl 5.14 x86 and x64 packages. Also updated the prebuilt packages at http://www.open.com.au/radiator/free-downlaods to include versions for Perl 5.14 x86 and x64: Chipcard-PCSC.tar.gz Net-SSLeay.tar.gz Socket6.tar.gz Win32-Lsa.tar.gz
  • Fixed a problem where AuthBy LDAP2 would incorrectly log "DEBUG: No entries for mikem found in LDAP database" if MaxRecords was set larger than the actual number of LDAP records retrieved.
  • Improvements to SQL logging show the name of the database at DEBUG level when connection attempts are made. Also prepareAndExecute and do functions log the database name at DEBUG level. Requested by Philip Herbert.
  • Fixed a problem where NoIgnoreDuplicates could cause a memory leak.
  • Added VSAs for Ruckus Wireless to dictionary.
  • AuthBy NTLM did not reap ntlm_auth if it crashed or exited. Fixed a problem that prevented the error being correctly printed if ntlm_auth crashed or exited.
  • Removed use of Digest::SHA1, replaced with Digest::SHA, which is now included with all perls. Digest::SHA is now an absolute prerequisite.
  • Added sample config platypus7.cfg for recent Platypus 7 database.
  • For EAP-LEAP, EAP-TTLS, EAP-PEAP, EAP-MSCHAPV2 and EAP-FAST, inner packets are now logged at DEBUG level _after_ the PreHandlerHook (if any) is run, so that attributes added by the hook will be visible.
  • Fixed a problem where Client DupInterval 0 sometimes did not act as expected, causing a leak in EAP contexts.
  • Improved logging so that AuthBy ACE prompts are not broken up with newlines in logs. Requested by Richard Fairhall.
  • Fixed a problem in TACACS+ which prevented AuthBy ACE new PIN mode and other challenges from working correctly. Patch provided by Richard Fairhall.
  • Added support for KeepaliveTimeout to AuthBy RADSEC. KeepaliveTimeout is the maximum time in seconds that a RadSec connection can be idle before a Status-Server request is sent to keep the TCP connection alive. This helps to keep TCP connections open in the face of "smart" firewalls that might try to close idle connections down. Defaults to 0 seconds, which means inactive.
  • Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the old-fashioned way, with the CHAP Challenge in the authenticator, and not in a separate CHAP-Challenge attribute.
  • Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org
  • Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP codes into Google Authenticator. Converts hex codes to base 32.
  • Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.
  • Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is enabled, use only Status-Server requests (if any) to determine that a target server is failed when there is no reply. If not enabled (the default) use no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable this, you should also ensure KeepaliveTimeout is set to a sensible interval to balance between detecting failures early and loading the target server. KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can be idle before a Status-Server request is sent to keep the connection alive. Defaults to 0 seconds.
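The Message-Authenticator handling described above for the Client clause (an incorrect value is IGNOREd; RequireMessageAuthenticator makes a missing one IGNOREd too) and the correctly calculated Message-Authenticator that radpwtst -message_authenticator adds are both the RFC 2869 section 5.14 HMAC-MD5 construction. The following Python is an added example, not Radiator code: it builds an Access-Request with that attribute and classifies a received packet the way the changelog describes; the secret, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def pack_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(secret, identifier, authenticator, attrs, sign=True):
    """Build an Access-Request. With sign=True a Message-Authenticator is
    appended whose value is HMAC-MD5(secret, whole packet), computed while
    that value is all zeros, as RFC 2869 section 5.14 requires."""
    if sign:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body)) + authenticator
    packet = header + body
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zeroed placeholder is the last 16 bytes
    return packet


def parse_attrs(data):
    """Return (offset, type, value) for each attribute; raise on malformed TLVs."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((i, attr_type, data[i + 2:i + attr_len]))
        i += attr_len
    return attrs


def message_authenticator_status(secret, packet):
    """Classify a received packet's Message-Authenticator as 'valid',
    'absent' or 'invalid'. Malformed packets and duplicate or wrongly
    sized attributes count as 'invalid'."""
    if len(packet) < HEADER_LEN:
        return "invalid"
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return "invalid"
    try:
        attrs = parse_attrs(packet[HEADER_LEN:])
    except ValueError:
        return "invalid"
    found = [(off, val) for off, t, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "absent"
    if len(found) != 1 or len(found[0][1]) != 16:
        return "invalid"
    offset, received = found[0]
    value_start = HEADER_LEN + offset + 2
    # Recompute over the packet with the attribute value zeroed, as the sender did.
    zeroed = packet[:value_start] + bytes(16) + packet[value_start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    return "valid" if hmac.compare_digest(expected, received) else "invalid"


def client_ignores_request(secret, packet, require_message_authenticator=False):
    """Decision mirroring the Client clause behaviour in the changelog: an
    incorrect authenticator is always IGNOREd, a missing one only when
    RequireMessageAuthenticator is set."""
    status = message_authenticator_status(secret, packet)
    if status == "invalid":
        return True
    if status == "absent":
        return require_message_authenticator
    return False


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret, attrs = b"constructed-secret", [(USER_NAME, b"alice")]
    signed = build_access_request(secret, 7, bytes(range(16)), attrs)
    unsigned = build_access_request(secret, 7, bytes(range(16)), attrs, sign=False)
    print(message_authenticator_status(secret, signed), message_authenticator_status(secret, unsigned))
    print(client_ignores_request(secret, unsigned, require_message_authenticator=True))
```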
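The expanded EAP type format from RFC 3748 behind the new vendornumber:typenumber form of EAPType, as an added Python example that is not Radiator code: it parses the numeric forms of the parameter (well-known names such as TTLS are left out), builds the Type 254 header with its 3-octet Vendor-Id and 4-octet Vendor-Type, and decodes it back with length checks; the function names and tuple convention are this example's own. The assertions use the wpa_supplicant VENDOR-TEST numbers quoted above.

```python
import struct

EAP_REQUEST = 1
EAP_TYPE_EXPANDED = 254  # RFC 3748 section 5.7


def parse_eap_type(spec):
    """Parse an EAPType value given as a plain type number or as
    vendor:type (expanded type). Returns ('legacy', n) or
    ('expanded', vendor, vtype); well-known names are not handled here."""
    if ":" in spec:
        vendor_str, vtype_str = spec.split(":", 1)
        vendor, vtype = int(vendor_str), int(vtype_str)
        if not 0 <= vendor < 1 << 24:
            raise ValueError("Vendor-Id must fit in 3 octets")
        if not 0 <= vtype < 1 << 32:
            raise ValueError("Vendor-Type must fit in 4 octets")
        return ("expanded", vendor, vtype)
    n = int(spec)
    if not 1 <= n <= 255 or n == EAP_TYPE_EXPANDED:
        raise ValueError("not a usable EAP type number")
    return ("legacy", n)


def build_eap_request(identifier, eap_type, data=b""):
    """Build an EAP-Request. Expanded types carry Type 254, then the
    3-octet Vendor-Id and 4-octet Vendor-Type, before the type data."""
    if eap_type[0] == "legacy":
        type_field = struct.pack("!B", eap_type[1])
    else:
        _, vendor, vtype = eap_type
        type_field = (struct.pack("!B", EAP_TYPE_EXPANDED)
                      + vendor.to_bytes(3, "big") + struct.pack("!I", vtype))
    length = 4 + len(type_field) + len(data)
    return struct.pack("!BBH", EAP_REQUEST, identifier, length) + type_field + data


def decode_eap_type(packet):
    """Return (eap_type, type_data) from a Request or Response. Rejects a
    packet whose Length disagrees with the buffer or whose expanded header
    is truncated, so a short packet never yields a partial vendor type."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short to carry a Type")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length does not match the packet")
    type_num = packet[4]
    if type_num != EAP_TYPE_EXPANDED:
        return ("legacy", type_num), packet[5:]
    if length < 12:
        raise ValueError("expanded type header truncated")
    vendor = int.from_bytes(packet[5:8], "big")
    vtype = struct.unpack("!I", packet[8:12])[0]
    return ("expanded", vendor, vtype), packet[12:]


if __name__ == "__main__":
    # The wpa_supplicant VENDOR-TEST expanded type from the changelog entry.
    vendor_test = parse_eap_type("16776957:4244372217")
    packet = build_eap_request(1, vendor_test, b"\x01")
    print(packet.hex())                # type field reads fe ff fe fd fc fb fa f9
    print(decode_eap_type(packet))     # (('expanded', 16776957, 4244372217), b'\x01')
```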

New in Radiator 4.9 (Oct 3, 2011)

  • Fixed an issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted as UDP RADIUS (for historical reasons). It is now interpreted as TCP RADSEC. Reported by Stefan Winter.
  • Added commands to the sample startup script linux-radiator.init that work for Debian. Submitted by "Michael".
  • Improvements to AuthBy FIDELIO: During a SIGHUP, AuthBy FIDELIO now sends a LE and closes the TCP connection before reopening the connection. This should result in better database reading behaviour during SIGHUP. AuthBy FIDELIO now sends periodic LA commands to the Fidelio to check the integrity of the link. Suggestions by Ralf Ertzinger.
  • Fixed a further issue with Resolver and AuthBy DNSROAM where the combination Protocol=radius, Transport=tls was incorrectly interpreted. Reported by Paul Dekkers.
  • Improvements to AuthBy DNSROAM so that routes for different realms that are discovered to be to the same proxy server will reuse the existing server. Suggested by Stefan Winter.
  • goodies/fideliosim.pl now prints main details of PS posting records it receives.
  • New module AuthBy FIDELIOHOTSPOT which provides hotel guest authentication by Fidelio, and prepaid session times, billed to the user's room by Fidelio. Supports various hotspots such as Mikrotik and Open-Mesh etc. Replaces goodies/fidelio-hotspot-hook.pl as the preferred method of providing prepaid sessions billed to room by Fidelio.
  • Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after a message from Fidelio has been unpacked into a hash and before the record is passed to handle_message(). It can be used to change or transform any fields in the record before it is passed to handle_message() and processed by AuthFIDELIO.
  • Improvements so that if the example Radiator init script for linux is invoked as a symlink (eg /etc/rc2.d/S90radiator->../init.d/radiator), it still deduces the correct program name (radiator) and hence sources the correct sysconfig file (/etc/sysconfig/radiator).
  • Fixed a problem where Realm clauses inside AuthBy DNSROAM did not recognise the Secret parameter. Reported by Paul Dekkers.
  • Added negative caching to Resolver, with new parameter NegativeCacheTtl.
  • Added new parameter RedespatchIfNoTarget to AuthBy DNSROAM. For a given request, if Resolver does not find a target and there is no explicit Route, and no DEFAULT Route and this flag is set, the request will be redespatched to the Handler/Realm system for handling. This allows for a flexible fallback in the case where DNSROAM cannot find how to route a request. The redespatched request will have the attribute OSC-Environment-Identifier set to the AuthBy DNSROAM Identifier (or 'DNSROAM' if Identifier is not set).
  • Fixed problems with the Authen-Digipass PPM packages for Windows missing important files.
  • Fixed an issue with AuthBy RADSEC, where failure to deliver a message could cause continuous attempts to reconnect, even if ConnectOnDemand is set.
  • Fixed an issue with Stream based connections, where ConnectOnDemand and an unresponsive server could cause Radiator to hang. Reported by Paul Dekkers.
  • Added workaround for a bug in some versions of perl 5.12.1 (such as in openSUSE 11.3) that caused incorrect packing of some RADIUS requests.
  • Improvements to Server TACACSPLUS so that RADIUS STATE is saved in the connection rather than the context. Patch provided by Nicholas Waples.
  • Reversed a previous change in 4.8 so that an expired Server TACACSPLUS authentication now results in FAIL instead of ERROR. The change in 4.8 was to result in ERROR, which causes some devices to then revert to the local authorisations.
  • Added a number of attributes from RFC 5090 to dictionary, which override a number of attributes that were previously commandeered by Ascend. The Ascend ones are still available in ascend.dictionary.
  • Fixed a typo in dictionary: Ascend-Call-Attempt-Limit was Agscend-Call-Attempt-Limit.
  • Fixed a problem in linux-radiator.init which prevented traceup working on SuSE. Reported by Aeneas Jaile.
  • Improvements to ClientListSQL to support DisconnectAfterQuery, which will cause disconnection from the SQL database after each query. This can be helpful in cases where firewalls etc close connections that have been idle for a long time.
  • Added sha.pl, ssha.pl to goodies. Simple perl scripts to generate SHA and SSHA hashes of the first command line argument. Useful for generating SHA and SSHA hashed passwords in the form Radiator honours.
  • Fixed a problem with the Radiator init script that prevented reload, traceup and tracedown working with some versions of SuSE.
  • Added ipoque-class VSA for ipoque PRX Traffic Manager to dictionary. With the assistance of A.Sharaz.
  • Improvements to the sample wimax.sql database schema to improve interoperation with Alvarion.
  • All stream protocols that support TLS now support optional TLS_CertificateFingerprint parameter. When a TLS peer presents a certificate, this optional parameter specifies one or more fingerprints, one of which must match the fingerprint of the peer certificate. Format is algorithm:fingerprint. Requires Net::SSLeay 1.37 or later.
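As an added illustration of the TLS_CertificateFingerprint matching rule above (example code written for this changelog, not Radiator's own implementation): each configured entry is parsed as algorithm:fingerprint, the peer's DER certificate is fingerprinted with that algorithm, and the certificate is accepted only if at least one entry matches. The accepted algorithm names, the tolerance for colon-separated or upper-case hex, and the constructed certificate bytes are assumptions of this example.

```python
import hashlib
import hmac
from typing import Iterable, List, Tuple

# Digest algorithms accepted in "algorithm:fingerprint" entries. The exact
# names Radiator accepts are not given on the changelog page; this set and
# the case-insensitive matching are assumptions of the example.
FINGERPRINT_ALGORITHMS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
}


def parse_fingerprint(entry: str) -> Tuple[str, str]:
    """Split 'algorithm:fingerprint' into (algorithm, lowercase hex digest).

    Accepts the colon-separated upper-case hex that `openssl x509
    -fingerprint` prints (e.g. 'sha256:AB:CD:...') as well as bare hex.
    Raises ValueError for anything that could never match, so a typo in the
    configuration is caught instead of silently rejecting every peer.
    """
    algorithm, sep, fingerprint = entry.partition(":")
    if not sep:
        raise ValueError(f"missing ':' in fingerprint entry {entry!r}")
    algorithm = algorithm.strip().lower()
    if algorithm not in FINGERPRINT_ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm {algorithm!r}")
    hexdigest = fingerprint.replace(":", "").replace(" ", "").lower()
    expected_len = FINGERPRINT_ALGORITHMS[algorithm]().digest_size * 2
    if len(hexdigest) != expected_len or any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError(f"{algorithm} fingerprint must be {expected_len} hex digits")
    return algorithm, hexdigest


def certificate_fingerprint(der: bytes, algorithm: str) -> str:
    """Fingerprint of a DER-encoded certificate: the digest over all its bytes."""
    return FINGERPRINT_ALGORITHMS[algorithm](der).hexdigest()


def peer_certificate_allowed(der: bytes, pinned: Iterable[str]) -> bool:
    """True if the peer certificate matches at least one pinned fingerprint.

    With no entries configured there is nothing to match, so the peer is
    refused; the caller should only invoke this check when pins are set.
    """
    parsed: List[Tuple[str, str]] = [parse_fingerprint(e) for e in pinned]
    for algorithm, expected in parsed:
        actual = certificate_fingerprint(der, algorithm)
        # Constant-time comparison, so a mismatch reveals nothing about
        # how many leading digits of the pinned value were correct.
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed stand-in for a peer's DER certificate (not a real certificate):
# the matching logic only ever hashes the raw bytes, so any byte string will do.
SAMPLE_PEER_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


if __name__ == "__main__":
    pin = "sha256:" + certificate_fingerprint(SAMPLE_PEER_DER, "sha256")
    print("matching pin accepted:", peer_certificate_allowed(SAMPLE_PEER_DER, [pin]))
    print("wrong pin accepted:", peer_certificate_allowed(SAMPLE_PEER_DER, ["sha1:" + "00" * 20]))
```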
  • Improvements to AuthBy EAPBALANCE to permit operation with target RADIUS servers that rely on State, such as Windows IAS etc.
  • Added Freeswitch-Direction and Freeswitch-Other-Leg-Id to dictionary.
  • Added Documentation and sample scripts for how to use Radiator and the AuthBy FIDELIO module to handle authentication and accounting for the Freeswitch VOIP switch (http://www.freeswitch.org). It can be used to authenticate and bill VOIP calls to a Micros-Fidelio Opera Hotel Property Management System (http://www.micros.com).
  • Added Riverbed-Local-User VSA to dictionary.
  • Fixed a problem in AuthBy RADMIN where if the database connection fails once, message logging through AuthRADMIN will stop altogether, and along with that, the bad login counting. Reported and patched by Manuel Kasper.
  • Added Aruba-MMS-User-Template to dictionary, fixed typo in Aruba-Port-Identifier. Added AH-HM-Admin-Group-Id.
  • Added support for EAP AKA-PRIME. Requires version 1.32 of the Radius-EAP-SIM module.
  • Added new clause AuthBy SQLAUTHBY, which looks up how to authenticate each user based on information in an SQL database. The columns retrieved from SQL are used to create an AuthBy clause that will actually handle the request. The parameters used to configure the clause come from SQL. The clause is reused for as long as the target realm yields the same SQL query results. The example works with the sample RADSQLAUTHBY table in mysqlCreate.sql.
  • Added support for new parameter AuthChallengeKeyword to AuthBy URL. This parameter permits URL results that trigger a CHALLENGE reply for use with Challenge/Response systems. Contributed by Matthew Van Kuyk.
  • Added new parameter DirectAddressLookup to Resolver. If DirectAddressLookup is enabled, and if there are no NAPTR records for the requested Realm, Resolver will attempt lookups of A and AAAA records for _radsec._sctp.REALM, _radsec._tcp.REALM and _radius._udp.REALM. Enabled by default. Requested by Paul Dekkers.
  • Added sample hook pwaframedip.pl. This hook fixes a problem with Enterasys switches where Framed-IP-Address is not included in accounting packets, but the information is available via SNMP for Enterasys captive-portal (PWA) authentication. Contributed by Ben Carbery.
  • In AuthBy RADMIN, it is now possible to disable IncrementBadloginsQuery and ClearBadloginsQuery by setting the query string to be empty.
  • Server farm children now always reseed the random number generator so the children don't share the same seed.
  • Improvements to the RPM spec file so RPM installs with recent 64 bit perls will work.
  • Increased the default MaxBufferSize in streams to 10000000.
  • Added support for passwords encrypted with $2a$, $2x$ and $2y$ blowfish crypt and $5$ SHA-256 crypt (where supported by the underlying crypt()). Improvements to support rounds= notation in SHA-256, SHA512 crypt.
  • Ensure RecvTime is set in RADIUS requests derived from tunnelled EAP types.
  • Changed the type of Framed-Interface-Id in dictionary to be ifid. You can now specify Framed-Interface-Id as strings in the format 'aaaa:bbbb:cccc:dddd', which is compatible with FreeRadius.
  • Fixed an issue with TTLS and PEAP: When inner authentication is proxied, e.g. EAP-MSCHAP-V2 to MS NPS, NPS sends back State. If Radiator does not return State, proxying inner auth fails.
  • Added more Nomadix VSAs to dictionary, contributed by Mike Newton.
  • AuthBy EAPBALANCE and AuthBy HASHBALANCE now REJECT if an EAP stream has to be broken up, giving the client an immediate chance to restart. Changed the default protocol version for PEAP in EAPTLS_PEAPVersion from 1 to 0. This is in line with more recent documentation from Microsoft (which contradicts draft-josefsson-pppext-eap-tls-eap-0[35].txt), and it achieves better interoperability with Macs.
  • Added more Aruba VSAs, contributed by Alan.
  • EAP-FAST support now follows the recommendations for A_ID: it is now the 16 octet hash of the A_ID_INFO, which is set to the Radiator hostname. Updated instructions for building OpenSSL and Net::SSLeay for more recent versions of Net::SSLeay for use with EAP-FAST.
  • Added sample script goodies/hex2base32.pl to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.
  • Improvements to ClientList SQL to improve error detection.
  • Improvements to random number seeding: seeding is now done by a new function Radius::Util::seed_random. radiusd calls it at startup and after forking farm children. It can be overridden if necessary to provide local random number initialisation and seeding.

New in Radiator 4.8 (Apr 28, 2011)

  • Fixed a problem in AuthBy EAPBALANCE where no reply from a proxied request from the middle of an EAP stream would result in unlimited retransmissions of the request. Reported by Keith Ma.
  • Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
  • Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
  • RPM packages were built by default on OpenSuSE with LZMA compression, which is not available for all platforms. This new Radiator.spec disables LZMA and uses BZ2 instead. In future all RPMS will be built with BZ2 compression. New versions of Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm with BZ2 uploaded.
  • Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and TimeStepOrigin parameters were not correctly read, resulting in errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew Reeves-Hairs.
  • GetClientQuery was incorrectly using field 25 instead of 27 for flags. Documentation for GetClientQuery incorrectly described field 25 as being flags instead of ClientHook.
  • Added SQLRetries parameter to all SQL type clauses. When executing a query, Radiator will try up to SQLRetries attempts to execute the query, retrying if certain types of SQL error are seen. Defaults to 2. Requested by Michael.
  • Fixed some problems with Radius paths in the RPM on some platforms. Rebuilt and uploaded new RPMs.
  • Improved Client CIDR address searches so a more specific cidr would have priority over a less specific cidr. Contributed by Nicholas Waples.
  • Improved ClientListLDAP, added oscRadiusIdentifier & oscRadiusDefaultRealm into the default list of ClientAttrDefs. These were the only attributes missing from the oscRadiusClient LDAP schema provided (in goodies). Contributed by Nicholas Waples.
  • In Server TACACSPLUS, the call AuthenticationStartHook now includes the priv_lvl and service values from the TACACSPLUS request passed as arguments to the hook.
  • In Server TACACSPLUS, during authentication, we now add cisco-avpair attributes to the RADIUS request for action, authen_type, priv-lvl and service from the incoming TACACSPLUS request.
  • Improvements to AuthBy URL. Improved HTTP and HTML standards compliance by using the LWP::UserAgent methods post() and get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication, as well as the previously supported PAP. *CHAP challenges and responses are encoded as HEX and sent as configurable web parameters. Updated the sample config file goodies/url.cfg, and improved documentation. Fixed inconsistent password in sample test_url_md5.cgi. Cleaned up some of the code to be compliant with in-house standards.
  • Added support for BindAddress in all Ldap derived clauses, allowing you to specify a local address for the client side of the LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 0.0.0.0. Updated sample config file. Suggested by Roel Hoek.
  • Updated AuthBy NTLM so that if an authentication fails, the Warning log message records the user name along with the Authentication-Error. Suggested by David Zych.
  • Further improvements to AuthBy URL. Now supports CopyReplyItem parameter. If a successful HTTP reply contains a string like 'xxx=hexencodedvalue', the value will be copied to the RADIUS reply as attribute yyy=value. The value is expected to be HEX encoded and will be HEX decoded before being added to the reply.
  • Fixed a problem where some SQL modules were not being correctly initialised, which was revealed when the new SQLRetries was added. Reported by Steffen Weinreich.
  • Further improvements to AuthBy URL. Now supports CopyRequestItem parameter. Adds a tagged item to the HTTP request. Format is CopyRequestItem xxx yyy. The text of yyy (which may be contain special characters) will be added to the HTTP request with the tag xxx. In the special case where yyy is not defined, the value of attribute named xxx will be copied from the incoming RADIUS request and added to the HTTP request as the tagged item yyy. All values are HEX encoded before adding to the HTTP request. Multiple CopyRequestItem parameters are permitted, one per line.
  • Improvements to AuthBy SQLTOTP to implement replay detection. This has required an additional column in the sample SQL database schema, and changes to the default AuthSelect and UpdateQuery parameters. Requested by Matthew Reeves-Hairs.
  • Testing with the Mera MVTS Pro Voip gateway. OK. Added mera-mvts.txt. This document briefly outlines the requirements for interfacing Radiator with Mera MVTS Pro VOIP gateways, along with examples of the types of requests and replies Radiator can be expected to handle when interfacing with MVTS Pro.
  • Added new command line argument -min_interval to restartWrapper, which controls the minimum time interval between successive restarts. Contributed by David Zych.
  • Tested AuthBy HOTP and AuthBy TOTP with a range of iphone OATH soft tokens, including DS3 (HOTP), OATH Token (HOTP and TOTP), and Google Authenticator (HOTP and TOTP). External testing with Feitian C200 OTP Tokens and others. All OK.
  • Added a number of Juniper attributes to dictionary.
  • Monitor and Server HTTP now support AddToRequest to add attributes to the internal RADIUS request they generate when authenticating administrator logins to their respective interfaces. They also dump these requests when Trace 4 is enabled.
  • Server TACACSPLUS now supports a new parameter AuthorizeGroupAttr. If this parameter is specified, it specifies the name of an attribute in Access-Accept that will contain per-command authorization patterns for authorising TACACS+ commands. These are processed before any configured-in AuthorizeGroup parameters. The command authorization patterns are in the same format as supported by AuthorizeGroup. Added a new VSA to dictionary OSC-Authorize-Group, which is intended to carry per-user reply command authorization patterns.
  • Improvements to Radiator linux startup script so you can have multiple scripts in /etc/init.d/ with different names, and which lookup different parameters in /etc/sysconfig. For example, you can install the script as /etc/init.d/radiator and /etc/init.d/radiator-acct, and it will look up parameters in /etc/sysconfig/radiator and /etc/sysconfig/radiator-acct. Further improvement is to always use -p RADIUS_PIDFILE to killproc the process, rather than the process name.
  • Added Ascend-Session-Svr-Key and NS-Dummy-Attr-10 to dictionary.
  • Added Alcatel-Lucent 7302 ISAM (OLT) VSAs to dictionary, including OLT-TL1-* and added VALUE definitions for some other A-ESAM-*. In some places, A-ESAM-* are named OLT-CLI-*. We have adopted A-ESAM to be compatible with previously existing definitions.
  • Fixed a problem where EAP-MD5 authentications did not honour UsernameMatchesWithoutRealm. Reported by "Sami Keski-Kasari".
  • Fixed a problem where EAP-MD5 authentication by AuthBy LSA mysteriously failed. Refactoring of EAP_4 check_chap() to AuthGeneric, and thence to AuthLSA. Reported by "Sami Keski-Kasari".
  • Fixed a problem which could cause crashes in Socket6::inet_ntop. Reported by James Harton.

New in Radiator 4.7 (Aug 18, 2010)

  • Added support for Django style passwords in the format
    sha1$a1976$065f52b49153328da76e13c2b462b860a70eb78b
    and
    md5$a1976$e67d1ca20e9c28321b86e34076cc48ab
    as specified by http://docs.djangoproject.com/en/dev/topics/auth/#passwords. Contributed by Jerome Fleury.
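An added example (written for this changelog, not Radiator's code or the goodies scripts) of checking the two stored-password forms mentioned on this page: the Django style algorithm$salt$hexdigest hashes above, and the LDAP style {SHA}/{SSHA} hashes that the sha.pl and ssha.pl goodies scripts generate. Assumptions: the Django digest is computed over salt followed by password as in the linked Django docs, and {SSHA} is base64 of sha1(password + salt) with the salt appended; the sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Django 1.x style: "<algorithm>$<salt>$<hexdigest>", hexdigest = algorithm(salt + password).
# The salt-as-prefix construction is this example's reading of the Django docs.
DJANGO_ALGORITHMS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def django_make(password: str, algorithm: str = "sha1", salt: Optional[str] = None) -> str:
    """Build a Django style hash; a random hex salt is used when none is given."""
    if algorithm not in DJANGO_ALGORITHMS:
        raise ValueError(f"unsupported Django algorithm {algorithm!r}")
    if salt is None:
        salt = os.urandom(4).hex()
    digest = DJANGO_ALGORITHMS[algorithm]((salt + password).encode("utf-8")).hexdigest()
    return f"{algorithm}${salt}${digest}"


def django_verify(password: str, stored: str) -> bool:
    """Check a password against a Django style hash; False on malformed input."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False
    algorithm, salt, digest = parts
    constructor = DJANGO_ALGORITHMS.get(algorithm)
    if constructor is None:
        return False
    computed = constructor((salt + password).encode("utf-8")).hexdigest()
    # Constant-time comparison: a mismatch must not leak how much matched.
    return hmac.compare_digest(computed.encode("ascii"), digest.lower().encode("ascii"))


def sha_make(password: str) -> str:
    """{SHA}: base64 of the unsalted SHA-1 digest (the form sha.pl produces, assumed)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def ssha_make(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64 of sha1(password + salt) followed by the salt itself."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_verify(password: str, stored: str) -> bool:
    """Check a password against a {SHA} or {SSHA} hash; False for anything else."""
    raw_password = password.encode("utf-8")
    if stored.startswith("{SHA}"):
        try:
            raw = base64.b64decode(stored[len("{SHA}"):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        return hmac.compare_digest(hashlib.sha1(raw_password).digest(), raw)
    if stored.startswith("{SSHA}"):
        try:
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
        except ValueError:
            return False
        if len(raw) <= 20:  # 20 digest bytes plus at least one salt byte
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(raw_password + salt).digest(), digest)
    return False


if __name__ == "__main__":
    # Constructed sample password and salt, not values from the changelog.
    stored_django = django_make("correct horse", "sha1", "a1976")
    stored_ssha = ssha_make("correct horse", b"\x01\x02\x03\x04")
    print(stored_django, django_verify("correct horse", stored_django))
    print(stored_ssha, ldap_verify("correct horse", stored_ssha))
```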
  • Fixed a bug in ServerTACACSPLUS to do with closing the authgroup file. Reported by Wolfgang.Koenig.
  • Added sample configuration file for Radiator, showing how to proxy requests to the WiKID (http://www.wikidsystems.com/) Strong Authentication RADIUS Server.
  • Fixed a problem where AuthBy SQLRADIUS statistics were not kept correctly up to date in the case of recovered servers. Reported by Dan Cachola.
  • Factored out EAP-FAST PAC creation and retrieving from EAP_43 to AuthGeneric. AuthBy SQL can now override these functions and use SQL queries to save and retrieve PACS, or to retrieve pre-provisioned PACS from the database. If AuthBy SQL does not define CreateEAPFastPACQuery, then it falls back to the default of saving PACS in Radiator memory.
  • Added sample configuration file and detailed installation instructions for the Secure Metric (www.securemetric.com) SecureOTP one-time-password system, including details on how to proxy requests to the SecureOTP RADIUS Server.
  • Minor changes of some log messages from INFO to DEBUG level, to reduce noise level. Additional information in some AuthBy RADIUS and EAP messages to improve diagnostics in load balancing systems. Requested by Myles Fenton.
  • Added support for -retries flag to radpwtst
  • Removed redundant noReplyFromProxy from goodies. The code is in goodies/hooks.txt.
  • Previously, radpwtst would use the same random authenticator for all requests. Now radpwtst uses a different random authenticator for each request, which can help with testing of duplicate detection.
  • Added OSC-Device-Identifier, OSC-User-Identifier and OSC-Group-Identifier to dictionary.
  • Added the Identifier to the "Handling request with Handler ..." debug message.
  • Fixed an error in the calculation of responseTime statistics.
  • Improvements to detection and use of Time::HiRes. New function Radius::Util::getTimeHires returns (seconds, microseconds). Microseconds is 0 if Time::HiRes is not available. responseTime is now measured with microsecond accuracy if Time::HiRes is available, improving the accuracy of statistics calculations.
  • Added a number of DeTeMobil Vendor-Specific Attributes to dictionary. Contributed by Alexander Hartmaier.
  • Improvements to AuthBy LDAP2 performance: if ServerChecksPassword is in use, and if the server rejects the password due to LDAP_INVALID_CREDENTIALS or LDAP_INAPPROPRIATE_AUTH, do not disconnect from the LDAP server. Previously, this would cause an unnecessary disconnect.
  • Added symbolic vendor names for T-Mobile and TMO to dictionary.
  • Added function changePassword to AuthBy LDAP2 to support custom code to change user passwords. Net::LDAP compatibility improvements with use of Net::LDAP::Entry->get_value(..., asref => 1) instead of get(...).
  • Abstracted the generic Yubikey support code into AuthYUBIKEYGENERIC.pm; AuthSQLYUBIKEY is now a subclass. Enables the development of new subclasses for supporting Yubikey in other types of database, such as LDAP.
  • Changes to the RPM build spec to accommodate RPM_BUILD_DIR to circumvent rpm building problems on some platforms.
  • Added more 3GPP attributes to dictionary as per http://www.3gpp2.org/Public_html/specs/X.S0011-005-E_v1.0_091116.pdf
  • Improved behaviour of AuthBy FIDELIO when LA messages are received. Previously they would always cause a database update. Now this only happens on the first LA. Fixed a bug in fideliosim.pl. fideliosim.pl now implements LA requests every 10 seconds.
  • AuthBy FIDELIO now never uses a posting sequence number of 0000, following advice from Michael Herzig. Starts at 0001 and wraps from 9999 to 0001.
  • AuthBy FIDELIO now implements 2 new configuration parameters: PostingExtraFields allows you to override data fields, or add extra ones, to be sent in the Opera posting record. PostingRecordID allows you to change the posting record ID from the default of 'PS' to, say, 'PR'. Examples in the fidelio.cfg sample configuration file.
  • Fixed a potential memory leak with EAP-TLS. X509_free is used to free the certificate. Reported by Robert Hwang.
  • Fixed an error with the formatting of dates in the DA field in AuthBy FIDELIO: the month and day elements were reversed. Reported by Michael Herzig.
  • Added new convenience function post() to AuthFIDELIO.pm for posting accounting requests to Fidelio, and which can be used by other hooks. Improved a number of separator formatting issues in messages sent to Fidelio.
  • Added sample Radiator configuration, showing how to build a WiFi hotspot with, for example MikroTik (www.mikrotik.com) hotspot and captive portal, which authenticates against Micros-Fidelio Opera hotel management system, and permits the user to purchase WiFi internet access in blocks of 24 hours which are billed to the user's room through Opera. Example works with MySQL as a session database (schema included), but other databases can be supported.
  • Added new configuration parameter LogOpt to Log SYSLOG and AuthLog SYSLOG clauses, allowing control over the syslog options used. LogOpt is a comma separated list of words from the set cons,ndelay,nofatal,nowait,perror,pid as described in the Perl Sys::Syslog module. Defaults to pid. Contributed by Bjoern A. Zeeb with some changes.
  • Added reload option to goodies/linux-radiator.init. Contributed by David Worth.
  • Added new parameter CheckoutGraceTime to AuthBy FIDELIO. Permits users to log in for this period of time after they have checked out. Contributed by Manuel Kasper, with some minor changes.
  • Improvements to AuthBy LSA to permit machine authentication in groups.
  • Added new parameter NAPTR-Pattern to Resolver. NAPTR-Pattern is an optional parameter that specifies a regexp that will be used to match the contents of NAPTR records during Resolver service discovery. If NAPTR-Pattern is defined and matches a NAPTR DNS record, it will be used to determine the protocol and transport to be used. The regex is expected to match 2 substrings. The first is the protocol and can be 'radsec' or 'radius'. The second is the transport to use, and can be 'tls', 'tcp' or 'udp'. This has been added to support proposed new NAPTR standards for Eduroam. Requested by Stefan Winter.
  • Win32-Lsa for Windows 64 bit ActivePerl 5.10 is now available with ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
  • Improvements to the "No reply after ...." message in AuthBy RADIUS to include the Identifier and the delay time. Requested by Myles Fenton.
  • Minor improvements to AuthBy NTLM for testing.
  • StreamTLS classes, such as ServerRADSEC, ServerDIAMETER, AuthByRADSEC etc. now support EAPTLS_CRLFile with operating system wildcards. Similarly, TLS based classes such as TLS, TTLS, PEAP etc now support TLS_CRLFile with operating system wildcards.
  • Added new parameter TLS_SRVName to StreamTLS classes. This is intended for use by AuthBy RADSEC and AuthBy DNSROAM to specify a DNS SRV Name that will be matched against possible SubjectAltName:SRV extensions in the server certificate. If TLS_SRVName is specified and the server certificate contains SubjectAltName:SRV extensions, none of which match TLS_SRVName, the certificate will not be accepted. Format is _service._transport.name (this is the same format SRV names appear in DNS records). For example "_radsec._tcp.example.com". Only service and name are matched. Requested by Stefan Winter for Eduroam support.
  • Resolver now saves the SRV Name of any SRV record that was followed in order to get an address in the result set. AuthBy DNSROAM now uses this to set the TLS_SRVName in a target AuthBy RADSEC, which enables checking against any SubjectAltName:SRV extensions in the server certificate. Requested by Stefan Winter for Eduroam support.
  • Improvements to AuthBy FIDELIO so that during an accounting posting, the DD field (Dialed Digits) which is based on the Called-Station-Id contains only digits. Micros-Fidelio report that contents other than digits can cause problems in Opera.
  • Added surfnet VSAs to dictionary.
  • Improvements to AuthBy RSAAM for interoperation with AM 7.1 SP3. At AM7.1 SP3, the authentication realm requested by the AM server SOAP interface was changed by RSA, causing earlier versions of AuthBy RSAAM to fail to connect with a 401: Unauthorized error. This change permits AuthBy RSAAM to work with pre and post SP3 as well as improving performance. SessionRealm parameter is now unused and obsolete. Reported by Rene Fleissner.
  • Improvements to the Linux Radiator startup script. Added traceup and tracedown commands which signal Radiator to increase or decrease its trace level. Handy for changing trace levels without having to find the process ID first. Contributed by David Worth.
  • Added version of Authen-Digipass module for Active State perl 5.12.
  • Fixed a problem in AuthBy OTP where a PasswordPattern of aaaaaaaa generates OTPs which are twice as many characters as specified and every odd character is an 'a'. Reported by Alexander Hartmaier.
  • Fixed default AuthGroupCheck AuthGroupReply GroupMembershipQuery queries which incorrectly referred to the usergroup table instead of the radusergroup table. Reported by Mike Wilson.
  • Changed the type of Framed-IPv6-Prefix in the dictionary from string to ipv6prefix, allowing entry of IPV6 prefixes in a sensible format.
  • Changed the type of NAS-IPv6-Address in the dictionary to ipaddrv6 for correct encoding and decoding of IPV6 addresses.
  • When AuthBy HANDLER is used and RejectHasReason is specified, now sets the actual rejection reason in the reply instead of "redirected by AuthHANDLER".
  • AuthBy LSA now honours UsernameMatchesWithoutRealm.
  • Fixed a problem with quoting of parameters passed to the external command by AuthBy EXTERNAL. Reported by KUCZYNSKI, CHRISTOPHE.
  • Updated Coova ChilliSpot VSAs in dictionary.
  • Fixed a problem where EAP type negotiation could remove the EAP-TLS VERIFY_PEER requirement, causing EAP-TLS to sometimes fail when other clients were trying to negotiate TTLS or PEAP. Reported by Keith Ma.
  • Added option to get any configuration parameter from an SQL database with a new form of parameter ParameterName sql:identifier:query which will look for a previously defined AuthBy SQL clause with an Identifier of 'identifier' and run the SQL query given by 'query'. The first row in the result will be used to set the parameter ParameterName. This lookup is only ever done once at startup time.
  • Added new type of special character which will be replaced with a value fetched from an SQL database. Special characters of the form %{SQL:identifier:query} will look for a previously defined AuthBy SQL clause with an Identifier of 'identifier' and run the SQL query given by 'query'. The first row in the result will be used as the value of the special character. This type of lookup is done whenever the special character is evaluated.
  • Fixed a problem with AuthBy FREERADIUS. The test for limit values for Max-All-Session, Max-Daily-Session, Max-Hourly-Session and Max-Monthly-Session was reversed, causing them to fail when they should succeed and vice-versa. Reported by Stanley Thomas.
  • When radpwtst was used to send arbitrary packet types such as CoA-Request, the reply was not decoded and therefore never packet dumped. Reported by Vangelis Kyriakakis.
  • Improvements to the sample gigawords-hook.pl to use 64 bit integers in order to be more proof against overflows with large traffic.

New in Radiator 4.4 (Mar 11, 2009)

  • Fixed a problem with AuthBy WIMAX which would fail when TTLS-MSCHAPV2 was used. Improved goodies/wimaxtest to support -mschapv2 flag to cause TTLS-MSCHAPV2 authentication. Reported by "Valentin Tumarkin".
  • Fixed a memory leak in ClientListSQL and ClientListLDAP where Client clauses may not get reclaimed when the client list is refreshed. Reported by Aaron Mar.
  • Fixed a problem with ServerHTTP where manual editing of a file larger than 16k would cause error '413 Request Entity Too Large'. Limit increased to 1MB. Reported by Tito Macapinlac.
  • Fixed a problem with AuthBy NTLM. UsernameMatchesWithoutRealm worked correctly with MSCHAPV2, but not with PAP or MSCHAPV1. Reported by Sami Keski-Kasari.
  • Altered the behaviour of TLS_SubjectAltNameURI in all StreamTLS based protocols (such as RadSec, DIAMETER etc.) at the suggestion of Stefan Winter. Now TLS_SubjectAltNameURI imposes an additional mandatory constraint on the peer certificate. If TLS_SubjectAltNameURI is defined it MUST match at least one subjectAltName:URI in the peer certificate, in addition to any other certificate verification requirements (such as DNS name, host name etc). Requires Net::SSLeay 1.30 or later.
  • Improvements to behaviour of passwords in the form {clear}password, so they will work with CHAP, MSCHAP and MSCHAPV2. Reported by Liam Widdowson.
  • Fixed collisions between some VSAs in dictionary: renamed Cisco attributes Account-Info, Service-Info, Command-Code, Control-Info to have 'Cisco-' prefix. Renamed Command-Code to Enterasys-Command-Code.
  • AuthBy RSAAM now honours UsernameMatchesWithoutRealm and other username transformation parameters. Reported by Sami Keski-Kasari.
  • Fixed a problem where EAP-MSCHAPV2 would incorrectly authenticate users when misconfigured with AuthBy RSAAM. Reported by Sami Keski-Kasari.
  • EAP Generic Token Card now honours UsernameMatchesWithoutRealm. Reported by Sami Keski-Kasari.
  • Tested TTLS-MSCHAPV2 with iPhone 2.0. OK.
  • Added instructions and Portfile for installing Radiator on MacOSX. Contributed by Mark Duling. Deprecated INSTALL.MacOSX RadiatorMacOSX.tar.gz.
  • Added goodies/lancom-radsec.txt, instructions and hints for configuring a Lancom L-54g wireless Access Point to authenticate using an external RadSec server.
  • Tested against Lancom L-54g wireless Access Point configured for external RadSec authentication for 802.1X. OK.
  • Improvements to AuthBy WIMAX, in order to support Alvarion WiMAX equipment and various other operator requirements, requested by Manuel Kasper. Can now use AuthSelect and AuthColumnDef to alter the SQL authentication query and add reply attributes. You can customise other SQL queries used during WiMAX processing with GetCachedKeyQuery, GetHotlineProfileQuery, GetQosProfileQuery. Can now handle accounting using AcctSQLStatement the same as AuthBy SQL.
  • Fixed a problem where use of Client CIDR addresses would not always result in the correct Client being found. Reported by Fabio Prina.
  • In AuthBy LDAP_APS, PasswordServerAddress was working for PAP, but did not work as expected for MSCHAP and Digest-MD5 authentication. Reported by Mark Duling.
  • Added OSC-Version-Identifier to dictionary.
  • Fixed typos in dictionary. Cisco-Maximum-Time was Cisco-Maximun-Time and Cisco-Maximum-Channels was Cisco-Maximun-Channels. Reported by Fabio Prina.
  • Server TACACSPLUS now sets OSC-Version-Identifier in the RADIUS requests from the version number in the incoming Tacacs+ request. The Major and Minor numbers are combined in a single integer as per the Tacacs+ specification (i.e. version 0 is represented as 192 and version 1 is represented as 193).
  • Incoming requests processed by Server RADSEC were logged twice. Reported by Paul Dekkers.
  • Can now properly send Starent VSAs. Receiving was already supported.
  • Fixed a problem that prevented reply attributes from a TTLS inner reply being sent in the reply to a session resumption. Reported by David Spindler.
  • Fixed a problem where certain malformed RADIUS requests could cause a hard loop.
  • Accounting requests that are REJECTED (due, say, to UsernameCharset) are now logged at DEBUG level.
  • Added Trapeze Networks attributes to dictionary. Contributed by P Havekes.
  • AuthBy RADIUS would previously die if it was unable to bind to a socket (for example if a non-existent BindAddress was used). Reported by Andrew D. Clark.
  • AuthBy WIMAX now supports ASCII encoding of WiMAX-Packet-Flow-Descriptor and WiMAX-QoS-Descriptor. They are parsed and converted to the WiMAX required binary format automatically.
  • Improvements to Solaris scripts and config file for use by the Solaris package
  • When LogMicroseconds is used, the microseconds are now left padded with zeroes for easier reading.
  • Can now handle Change-Filter-Request requests in AuthINTERNAL and others. Accept will result in a Change-Filter-Request-ACKed reply and a reject will cause a Change-Filter-Request-NAKed.
  • Fixed a problem with AuthBy RADSEC caused by the recently added LocalAddress support: If the Host address is an IPV6 address, an error with binding to 0.0.0.0:0 was reported. The default bind address is now determined by the operating system, except when LocalAddress is specified. Can now specify LocalAddress as an IPV6 address.
  • Error messages from Server TACACSPLUS now include the originating address and port number. Requested by Andrew D. Clark.
  • Added various Nortel OME6500/OM5000 VSAs to dictionary.
  • Added new option -leap to radpwtst for testing EAP-LEAP.
  • Fixed a number of misspellings from 'redespatched' to 'redispatched'.
  • Fixed some incorrect behaviour of Resolver under perl5.8.8 on some platforms.
  • Improvements to AuthBy RSAAM so that chains of RSAAM authenticators with different Policy settings will work correctly.
  • Added support for Alcatel/Lucent ESAM VSAs (vendor ID 637) which have non-standard VSA format. Also added A-ESAM-* entries to dictionary. Contributed by John Pendleton.
  • AuthBy LDAPDIGIPASS didn't close its connection if HoldServerConnection wasn't set. Reported and patched by Kees Guequierre.
  • Added precompiled RPM for Authen-Digipass for perl 5.10 (Authen-Digipass-1.9-1.i686.rpm is for perl 5.8 only).
  • In AuthBy RSAAM, added translations for some further prompts, POLICY_VIOLATION_* etc. Improved prompts during system-generated-PIN mode. Improved support for AM server failover. AM Server failure now causes an IGNORE, and AuthByPolicy ContinueWhileIgnore can be used to try multiple AM servers in sequence until a successful connection is made. Changes to chaining of RSAAM clauses mean that in order to try one RSAAM Policy, followed by another you must use the AuthByPolicy ContinueUntilAcceptOrChallenge.
  • Added support for new AuthByPolicy settings of ContinueWhileChallenge and ContinueUntilChallenge.
  • Added support for EAPTLS_RequireClientCert to TTLS and PEAP. Setting this optional parameter now requires the client to present a valid client certificate during the TLS handshake.
  • Improved documentation in AuthBy ACE examples. Improved misleading user messages when AuthBy ACE is used with AM 7.1. Fixed problems with Authen-ACE4 when used with AM 7.1 and system-generated PINs, requires Authen-ACE4 1.3. New Authen-ACE4 1.3 ppm packages for Windows, including support for Perl 5.10 on Windows.
  • Added precompiled Authen-Digipass ppm package for perl 5.10 on Windows.
  • Improved session resumption in PEAP. Previously, resumed sessions triggered an inner authentication. Now the inner authentication is reused too. Reported by Tom Rixom.
  • Added new hook EAPTLS_CommonNameHook for EAP TLS support. Normally EAP-TLS attempts to match a CN in the client certificate against either the User-Name or EAP identity (either with or without domain names). This hook allows you to extend this matching and match a certificate CN against some other user attribute, such as the Calling-Station-Id as required by some WiMAX devices.
  • Added EAP TLS initialization to add the SHA256 digest, required for some WiMAX devices and certificates. Requested by Jinsong Zhu. Requires Net-SSLeay 1.35 plus latest SVN patches or later and OpenSSL 0.9.8i or later.
  • Fixed a problem with special character %J, which incorrectly had leading spaces before the day number. Reported by José Borges Ferreira.
  • Added Citrix-CAG-Groups to dictionary.
  • Added beta version of a new AuthBy EAPBALANCE module. EAPBALANCE distributes EAP conversations among multiple back ends and ensures that a given conversation always goes to the same backend, even in the face of backend failures. Suitable for use with FarmSize for high performance EAP-capable systems on multi-core hosts.
  • Fixed some errors in the types of WiMAX attributes in dictionary. WiMAX-HTTP-Redirection-Rule changed from binary to string. Added WiMAX-Time-Of-Day-Time. Added NAS-Filter-Rule. Requested by Garima Mahadik.
  • Timestamp was incorrectly added twice if a request was redirected through a Handler, for example by AuthBy HANDLER or similar.
  • Changes so that the plaintext password is not logged at debug level during Tacacs authentication. Requested by Markus Moeller.
  • Fixed some problems with mixed placeholders causing crashes on Windows when ODBC is in use and when Quote: fails to match properly. Improved error reporting in SqlDb when a prepare croaks. Improvements to nested special character matching to exclude trivial matches caused by embedded curly braces. Reported by Edgard B. Haddad.
  • In AuthBy POP3, the parameters Host, Port and LocalAddr did not have packet-specific data available for special characters. Reported by Aaron Holtz.
  • Fixed a problem with incorrect statistics for dropped requests when inner TTLS and PEAP requests are proxied. Reported by Dan Cachola.
  • Improved handling of Security Questions prompts in AuthBy RSAAM.
  • Fixed AuthBy IMAP so it will work with Mail-IMAP versions later than 2.99, using the new Mail::IMAP RawSocket call. Reported and patched by Wolfram Grienert.
  • Fixed a problem with Server HTTP where a configuration that contained an AuthLog clause would incorrectly be saved as an AuthBy clause. Reported by Steven R Sterner.
  • AuthBy WIMAX incorrectly set Session-Timeout to the absolute epoch time, rather than the relative KeyLifetime. Reported by Valentin Tumarkin.
  • Fixed a problem in AuthBy WIMAX with DHCP keys that could cause a crash. Also fixed a problem with session resumption when Pseudo Ids are in use. goodies/wimaxtest now supports session resumption with a [-reauth count] command line argument.
  • Fixed a problem with reused session authentication in EAP-TTLS.
  • Added sample configuration files for Radiator, Cisco Nexus 7000 and sample debug file, showing how to set up RBAC - Role-Based Access Control on the Cisco Nexus 7000. Contributed by Matthew Nichols.
  • Fixed a problem where AuthBy RADIUS could crash when trying to forward to a non-existent DNS name. Reported by Patrick Renkens.
  • Ensure TLS does not resume sessions unless EAPTLS_SessionResumption is set.
  • Added support for new parameter in AuthBy WIMAX. MSKInMPPEKeys forces the MSK to be encoded in MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as the usual WiMAX-MSK reply attributes. This is required by some non-compliant clients, such as some Alcatel-Lucent devices.
  • Improved behaviour of AuthBy WIMAX when creating and setting WiMAX-AAA-Session-ID to be compatible with more WiMAX clients. WiMAX-AAA-Session-ID is now only allocated and returned in the Access-Accept. Also made more SQL queries configurable. Reported by Kasra Kangavari.
  • Changed primary key in device_session in sample wimax.sql to match earlier changes to session saving based on session ID instead of NAI.
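
The AM server failover and policy chaining described in the AuthBy RSAAM and AuthByPolicy entries above, as an added configuration example that is not from the Radiator distribution. Only AuthBy GROUP, AuthByPolicy and the two policy values named above are taken from the page; the host names, the Policy values and the use of Host and Policy as the AuthBy RSAAM parameters are assumptions.

```apacheconf
# Added example (not from the Radiator distribution). Tries the RSA AM
# policy "Staff" first and, only if it rejects, the policy "Contractors".
# Within each policy a second AM server is consulted only when the first
# cannot be reached (IGNORE), never after a real REJECT.
# Host names and Policy values are constructed placeholders.
<Handler>
    <AuthBy GROUP>
        # Move on to the next policy unless this one accepted or
        # challenged the user; a REJECT from the first policy
        # falls through to the second.
        AuthByPolicy ContinueUntilAcceptOrChallenge

        <AuthBy GROUP>
            # Only an AM server failure (IGNORE) advances to the next
            # server; a REJECT ends the attempt for this policy.
            AuthByPolicy ContinueWhileIgnore
            <AuthBy RSAAM>
                Host am-primary.example.com
                Policy Staff
            </AuthBy>
            <AuthBy RSAAM>
                Host am-secondary.example.com
                Policy Staff
            </AuthBy>
        </AuthBy>

        <AuthBy GROUP>
            AuthByPolicy ContinueWhileIgnore
            <AuthBy RSAAM>
                Host am-primary.example.com
                Policy Contractors
            </AuthBy>
            <AuthBy RSAAM>
                Host am-secondary.example.com
                Policy Contractors
            </AuthBy>
        </AuthBy>
    </AuthBy>
</Handler>
```

Because a REJECT from one policy is retried against the next, a user who is rejected everywhere generates one failed attempt per policy on the AM side, which matters for lockout counters.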

New in Radiator 4.3.1 (Jul 30, 2008)

  • Added new parameter PasswordServerAddress to AuthBy LDAP_APS, which forces Radiator to use the specified address as the address of the Apple Password server, instead of deducing it from the user's password details. Addresses may be one of the forms: 203.63.154.59, dns/yoke.open.com.au, ipv4/203.63.154.59 or ipv6/2001:720:1500:1::a100. This can be useful with replicated password servers.
  • Reverted changes to PreClientHook introduced in 4.3. PreClientHook is now called before despatch to any Client clause. It will always be called even if there is no matching Client, but the attributes will not have been decrypted (as decrypting is done in the context of a particular Client). The new parameter ClientHook has been added to the Client clause, and is called immediately after the attributes have been decrypted by the Client.
  • Fixed problems with trailing NULs not being stripped from User-Name.
  • Fixed a problem with double logging of reply packets from AuthBy RADSEC.