Radiator

What is new in this release:

• Added configuration parameters TLS_SecurityLevel and EAPTLS_SecurityLevel and calls to set accepted TLS version ranges. This allows for Radiator module level control of desired TLS settings without modifications of system defaults.
• ClientListSQL configuration can now be simplified with ClientColumnDef parameters.
• AuthBy SQLHOTP and SQLTOTP SQL query parameter support was added.
• Dynamically updated Diameter RealmTable for request routing and forwarding is now available for advanced Diameter applications.
• Added a new configuration flag parameter IgnoreIfMissing.
• Added a new check item ExistsInRequest for matching requests by attribute presence. Useful for Handlers.
• Added new AuthBy REST, which is built on a new class called HTTPClient.
• Packages are now available for Red Hat Enterprise Linux 8 and CentOS 8 and Debian 10 (Buster).
• Added configuration guide and samples for SecureW2 integration.

What is new in version 4.14:

Selected bug fixes, compatibility notes and enhancements

• Fixes a vulnerability and very significant bug in EAP authentication. OSC recommends all users to review OSC security advisory OSC-SEC-2014-01 to see if they are affected.
• Client findAddress() was changed to lookup CIDR clients before DEFAULT client. Affects ServerTACACSPLUS and in some cases SessionDatabase modules.
• Added support for non-blocking sockets on Windows
• SessionDatabase SQL queries now support bind variables

• Added VENDOR Allot 2603 and VSA Allot-User-Role to dictionary.
• Added Diameter AVP flag hints in the Diameter Credit-Control Application dictionary.
• Prevented crash during startup when configured to support a Diameter application for which no dictionary module was not present. Reported by Arthur. Improved logging of loading of Diameter application dictionary modules.
• Improvements to AuthBy SIP2 to add support for SIP2Hook. SIP2Hook can be used for patron authorisation and/or authentication. Added an example hook goodies/sip2hook.pl. Added a new optional parameter UsePatronInformationRequest for configurations in which Patron Status Request is not sufficient.
• Fixed a problem with SNMPAgent which could cause a crash if the configuration had no Clients.
• Stream and StreamServer sockets are now set to nonblocking mode on Windows too. This allows for example, RadSec to use nonblocking sockets on Windows.
• radpwtst now honours -message_authenticator option for all request types specified with the -code parameter.
• Client.pm findAddress() was changed to look up CIDR clients before DEFAULT client. This is the same order Client lookup for incoming RADIUS requests uses. This affects mostly ServerTACACSPLUS. SessionDatabase DBM, INTERNAL and SQL also use findAddress() and are affected when Clients have NasType configured for Simultaneous-Use online checking. Client lookup was simplified in ServerTACACSPLUS.
• Added VENDOR Cambium 17713 and four Cambium-Canopy VSAs to dictionary. "RADIUS Attributes for IEEE 802 Networks" is now RFC 7268. Updated some of its attribute types.
• AuthBy MULTICAST now checks first, not after, if the next hop host is working before creating the request to forward. This will save cycles when the next hop is not working.
• Added VENDOR Apcon 10830 and VSA Apcon-User-Level to dictionary. Contributed by Jason Griffith.
• Added support for custom password hashes and other user defined password check methods. When the new configuration parameter CheckPasswordHook is defined for an AuthBy and the password retrieved from the user database starts with leading '{OSC-pw-hook}', the request, the submitted password and the retrieved password are passed to the CheckPasswordHook. The hook must return true if the submitted password is deemed correct. TranslatePasswordHook runs before CheckPasswordHook and can be used to add '{OSC-pw-hook}' to the retrieved passwords.
• AuthLog SYSLOG and Log SYSLOG now check LogOpt during the configuration check phase. Any problems are now logged with the loggers Identifier.
• The defaults for SessionDatabase SQL AddQuery and CountQuery now use %0 where username is needed. Updated the documentation to clarify the value of %0 for AddQuery, CountQuery, ReplaceQuery, UpdateQuery and DeleteQuery: %0 is the quoted original username. However, if SessionDatabaseUseRewrittenName is set for the Handler and the check is done by Handler (MaxSessions) or AuthBy (DefaultSimultaneousUse), then %0 is the rewritten username. For per-user session database queries %0 is always the original username. Updated the documentation for CountQuery to include %0 and %1. For CountQuery %1 is the value of the simultaneous use limit.
• Enhanced resolution of vendor names to Vendor-Id values for SupportedVendorIds, VendorAuthApplicationIds and VendorAcctApplicationIds. Keyword DictVendors for SupportedVendorIds now includes vendors from all dictionaries that are loaded. Vendor name in Vendor*ApplicationIds can be in any of the loaded dictionaries in addition of being listed in DiaMsg module.
• Added VENDOR InMon 4300 and VSA InMon-Access-Level to dictionary. Contributed by Garry Shtern.
• Added ReplyTimeoutHook to AuthBy RADIUS, called if no reply is heard from the currently tried remote server. The hook is called if no reply is heard for a specific request after the Retries retransmissions and the request is deemed to have failed for that Host. Suggested by David Zych.
• The default ConnectionAttemptFailedHook no longer logs the real DBAuth value but '**obscured**' instead.
• Name clash with SqlDb disconnect method caused unnecessary Fidelio interface disconnects and reconnects in AuthBy FIDELIOHOTSPOT after SQL errors. AuthBy FIDELIOHOTSPOT now inherits directly from SqlDb.
• Added VENDOR 4ipnet 31932 and and 14 4ipnet VSAs to dictionary. These VSA are also used by devices from 4ipnet partners, such as LevelOne. Contributed by Itzik Ben Itzhak.
• MaxTargetHosts now applies to AuthBy RADIUS and its sub-types AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE, HASHBALANCE and EAPBALANCE. MaxTargetHosts was previously implemented only for AuthBy VOLUMEBALANCE. Suggested by David Zych.
• Added VENDOR ZTE 3902 and multiple VSAs to dictionary with the kind assistance of Nguyen Song Huy. Updated Cisco VSAs in dictionary.
• Added radiator.service, a sample systemd startup file for Linux.
• AuthBy FIDELIO and its sub-types now log a warning if the server sends no records during the database resync. This usually indicates a configuration problem on the Fidelio server side, unless there really are no checked in guests. Added a note about this in fidelio.txt in goodies.
• Added Diameter Base Protocol AVP flag rules in DiaDict. Radiator no longer sends CEA with Firmware-Revision AVP that has M flag set.
• BogoMips again defaults correctly to 1 when BogoMips is not configured in a Host clause in AuthBy LOADBALANCE or VOLUMEBALANCE. Reported by Serge ANDREY. The default was broken in release 4.12. Updated LOADBALANCE example in proxyalgorithm.cfg in goodies.
• Ensured that Hosts with BogoMips set to 0 in AuthBy VOLUMEBALANCE will not be a candidates for proxying.
• Added Diameter AVP flag rules in DiaDict for the following Diameter applications: RFC 4005 and 7155 NASREQ, RFC 4004 Mobile IPv4 Application, RFC 4740 SIP Application and RFC 4072 EAP Application.
• Added the attributes from RFC 6929 to dictionary. The attributes will now be proxied by default but no specific handling is done for them yet.
• Added VENDOR Covaro Networks 18022 and multiple Covaro VSAs to dictionary. These VSAs are used by products from ADVA Optical Networking.
• Significant performance enhancements in ServerDIAMETER and Diameter request processing. Diameter requests are now formatted for debugging only when the Trace level is set to debug or higher.
• AuthLog FILE and Log FILE now support LogFormatHook to customise the log message. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing. Suggestion and help by Alexander Hartmaier.
• Updated the values for Acct-Terminate-Cause, NAS-Port-Type and Error-Cause in dictionary to match the latest IANA assignments.
• Updated sample certificates from SHA-1 and RSA 1024 to SHA-256 and RSA 2048 algorithms. Added new directories certificates/sha1-rsa1024 and certificates/sha256-secp256r1 with certificates using the previous and ECC (Elliptic curve cryptography) algorithms. All sample certificates use the same subject and issuer information and extensions. This allows testing the different signature and public key algorithms with minimal configuration changes. Updated mkcertificate.sh in goodies to create certificates with SHA-256 and RSA 2048 algorithms.
• Added new configuration parameters EAPTLS_ECDH_Curve for TLS based EAP methods and TLS_ECDH_Curve for Stream clients and servers such as RadSec and Diameter. This parameter allows Elliptic Curve ephemeral keying negotiation and its value is the EC 'short name' as returned by openssl ecparam -list_curves command. The new parameters require Net-SSLeay 1.56 or later and matching OpenSSL.
• Tested Radiator with RSA2048/SHA256 and ECDSA(curve secp256r1)/SHA256 certificates on different platforms and with different clients. EAP client support was widely available on both mobile, such as, Android, IOS and WP8, and other operating systems. Updated multiple EAP, RadSec, Diameter and other configuration files in goodies to include examples of the new EAPTLS_ECDH_Curve and TLS_ECDH_Curve configuration parameters.
• Handler and AuthBy SQL, RADIUS, RADSEC and FREERADIUSSQL now support AcctLogFileFormatHook. This hook is available to customise the Accounting-Request messages logged by AcctLogFileName or AcctFailedLogFileName. The hook is expected to return a single scalar value containing the log message. This allows formatting the logs, for example, in JSON or any other format suitable for the required postprocessing.
• The Group configuration parameter now supports setting the supplementary group ids in addition to the effective group id. Group can now be specified as comma separated list of groups where the first group is the desired effective group id. If there are names that can not be resolved, groups are not set. The supplementary groups may help with, for example, AuthBy NTLM accessing the winbindd socket.
• Added multiple Alcatel, vendor 6527, VSAs to dictionary.
• Name resolution for Radius Clients and IdenticalClients is now tested during configuration check phase. Suggested by Garry Shtern. Incorrectly specified IPv4 and IPv6 CIDR blocks are now clearly logged. The checks also cover clients loaded by ClientListLDAP and ClientListSQL.
• Special formatting now supports %{AuthBy:parmname} which is replaced by the parmname parameter from the AuthBy clause that is handling the current packet. Suggested by Alexander Hartmaier.
• Added VENDOR Tropic Networks 7483, now Alcatel-Lucent, and two Tropic VSAs to dictionary. These VSAs are used by some Alcatel-Lucent products, such as the 1830 Photonic Service Switch. Fixed a typo in RB-IPv6-Option attribute.
• TLS 1.1 and TLS 1.2 are now allowed for EAP methods when supported by OpenSSL and EAP supplicants. Thanks to Nick Lowe of Lugatech.
• AuthBy FIDELIOHOTSPOT now supports prepaid services, such as plans with different bandwidth. The purchases are posted to Opera with billing records. Configuration files fidelio-hotspot.cfg and fidelio-hotspot.sql in goodies were updated with an example of Mikrotik captive portal integration.
• AuthBy RADIUS and AuthBy RADSEC now use less-than and equal when comparing time stamps using MaxFailedGraceTime. Previously strict less-than was used causing an off by one second error when marking next hop Hosts down. Debugged and reported by David Zych.
• AuthBy SQLTOTP was updated to support HMAC-SHA-256 and HMAC-SHA-512 functions. The HMAC hash algorithm can now be parametrised for each token as well as time step and Unix time origin. An empty password will now launch Access-Challenge to prompt for the OTP. SQL and configuration examples were updated. A new utility generate-totp.pl in goodies/ can be used to create shared secrets. The secrets are created in hex and RFC 4648 Base32 text formats and as QR code images which can be imported by authenticators such as Google Authenticator and FreeOTP Authenticator.
• Reformatted root.pem, cert-clt.pem and cert-srv.pem in the certificates/ directory. The encrypted private keys in these files are now formatted in the traditional SSLeay format instead of PKCS#8 format. Some older systems, such as RHEL 5 and CentOS 5, do not understand the PKCS#8 format and fail with an error message like 'TLS could not use_PrivateKey_file ./certificates/cert-srv.pem, 1: 27197: 1 - error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm' when trying to load the keys. The encrypted private keys in sha1-rsa1024 and sha256-secp256r1 directories remain in the PKCS#8 format. A note about the private key format was added in certificates/README.
• Added new parameter for all AuthBys: EAP_GTC_PAP_Convert forces all EAP-GTC requests to be converted to conventional Radius PAP requests that are redespatched, perhaps to be proxied to another non-EAP-GTC capable Radius server or for local authentication. The converted requests can be detected and handled with Handler ConvertedFromGTC=1.
• SessionDatabase SQL queries now support bind variables. The query parameters follow the usual naming convention where, for example, AddQueryParam is used for AddQuery bind variables. The updated queries are: AddQuery, DeleteQuery, ReplaceQuery, UpdateQuery, ClearNasQuery, ClearNasSessionQuery, CountQuery and CountNasSessionsQuery.
• AddressAllocator SQL now supports a new optional parameter UpdateQuery which will run an SQL statement for each accounting message with Acct-Status-Type of Start or Alive. This query can be used to update the expiry time stamp allowing shorter LeaseReclaimInterval. Added an example of UpdateQuery in addressallocator.cfg in goodies.
• Fixed badly formatted log message in AuthBy RADIUS. Reported by Patrik Forsberg. Fixed log messages in EAP-PAX and EAP-PSK and updated a number of configuration examples in goodies.
• Compiled Win32-Lsa Windows PPM packages for Perl 5.18 and 5.20 for both x64 and x86 with 32bit integers. The PPMs were compiled with Strawberry Perl 5.18.4.1 and 5.20.1.1. Included these and the previously compiled Win32-Lsa PPMs in the Radiator distribution.
• Compiled Authen-Digipass Windows PPM packages with Strawberry Perl 5.18.4.1 and 5.20.1.1 for Perl 5.18 and 5.20 for x86 with 32bit integers. Updated digipass.pl to use Getopt::Long instead of deprecated newgetopt.pl. Repacked Authen-Digipass PPM for Perl 5.16 to include the updated digipass.pl.
• Diameter Address type attributes with IPv6 values are now decoded to human readable IPv6 address text representation. Previously, decode returned the raw attribute value. Reported by Arthur Konovalov.
• Improved Diameter EAP handling for both AuthBy DIAMETER and ServerDIAMETER. Both modules now advertise Diameter-EAP application by default during the initial capabilities exchange. AuthBy DIAMETER now supports AuthApplicationIds, AcctApplicationIds and SupportedVendorIds configuration parameters
• Changed the type of Chargeable-User-Identity in dictionary to binary to make sure any trailing NUL characters are not stripped.
• More updates to example configuration files. Remove 'DupInterval 0' and use Handlers instead of Realms
• Fixed an EAP bug which could allow bypassing EAP method restrictions. Copied the EAP expanded type test module to goodies and changed the test module to always respond with access reject.
• Added backport notes and backports for older Radiator versions to address the EAP bug in OSC security advisory.

What is new in version 4.13:

• Unknown attributes can now be proxied instead of being dropped
• Diameter enhancements may require changes to custom Diameter modules
• Major IPv6 enhancements include: Attributes with IPv6 values can now be proxied without IPv6 support, Socket6 is no longer an absolute prerequisite. 'ipv6:' prefix is now optional and not prepended in attribute values
• TACACS+ authentication and authorization can now be decoupled
• Bind variables are now available for AuthLog SQL and Log SQL.
• Status-Server requests without correct Message-Identifier are ignored. Status-Server responses are now configurable.
• LDAP attributes can now be fetched with base scope after subtree scoped search. Useful for example, tokenGroups AD attributes which are not otherwise available
• Newly added check for CVE-2014-0160, the OpenSSL Heartbleed vulnerability may log false positives
• New AuthBy for authenticating against YubiKey validation server added
• See Radiator SIM pack revision history for supported SIM pack versions

Limitations:

Maximum 1000 requests. Limited time.