Cookies op Tweakers

Tweakers maakt gebruik van cookies, onder andere om de website te analyseren, het gebruiksgemak te vergroten en advertenties te tonen. Door gebruik te maken van deze website, of door op 'Ga verder' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt, bekijk dan ons cookiebeleid.

Meer informatie

Software-update: Radiator 4.4

Voor het verlenen van toegang tot het netwerk kan gebruik worden gemaakt van Radius. Dit is een aaa-protocol, dat door veel isp's en netwerkbeheerders wordt ingezet. Radiator is een complete Radius-server voor Linux, Mac OS X, Unix en Windows met ondersteuning aan boord voor verschillende authenticatie methoden zoals ldap, active directory en tacacs+. Ook kan er gebruik worden gemaakt van tokens van onder andere RSA Securid, Safeword en Vasco Digipass. Voor meer informatie verwijzen we jullie door naar deze pagina en een overzicht van de prijzen is op deze pagina terug te vinden. De ontwikkelaars hebben Radiator 4.4 uitgebracht met de volgende lijst van aanpassingen sinds de vorige vermelding in de Meuktracker:

Version 4.4:
  • Fixed a problem with AuthBy WIMAX which would fail when TTLS-MSCHAPV2 was used. Improved goodies/wimaxtest to support -mschapv2 flag to cause TTLS-MSCHAPV2 authentication. Reported by "Valentin Tumarkin".
  • Fixed a memory leak in ClientListSQL and ClientListLDAP where Client clauses may not get reclaimed when the client list is refreshed. Reported by Aaron Mar.
  • Fixed a probem with ServerHTTP where manual editing of a file larger than 16k would cause error '413 Request Entity Too Large'. Limit increase to 1Mb. Reported by Tito Macapinlac.
  • Fixed a probem with AuthBy NTLM. UsernameMatchesWithoutRealm worked correctly with MSCHAPV2, but not with PAP or MSCHAPV1. Reported by Sami Keski-Kasari.
  • Altered the behaviour of TLS_SubjectAltNameURI in all StreamTLS based protocols (such as RadSec, DIAMETER etc.) at the suggestion of Stefan Winter. Now TLS_SubjectAltNameURI imposes an additional mandatory constraint on the peer certificate. If TLS_SubjectAltNameURI isdefined it MUST match at least one subjectAltNAme:URI in the peer certificate, in addition to any other certificate verfication requirements (such as DNS name, host name etc). Requires NetSSLeay 1.30 or later.
  • Improvements to behaviour of passwords in the form {clear}password, so they will work with CHAP, MSCHAP and MSCHAPV2. Reported by Liam Widdowson.
  • Fixed collisions between some VSAs in dicitonary: renamed Cisco attributes Account-Info, Service-Info, Command-Code, Control-Info to have 'Cisco-' prefix. Renamed Command-Code to Enterasys-Command-Code.
  • AuthBy RSAAM now honours UsernameMatchesWithoutRealm and other username transformation parameters. Reported by Sami Keski-Kasari.
  • Fixed a problem where EAP-MSCHAPV2 would incorrectly authenticate users when misconfigured with AuthBy RSAAM. Reported by Sami Keski-Kasari.
  • EAP Generic Token Card now honours UsernameMatchesWithoutRealm. Reported by Reported by Sami Keski-Kasari.
  • Tested TTLS-MSCHAPV2 with iPhone 2.0. OK.
  • Added instructions and Portfile for installing Radiator on MacOSX. Contributed by Mark Duling. Deprecated INSTALL.MacOSX RadiatorMacOSX.tar.gz.
  • Added goodies/lancom-radsec.txt, instructions and hints for configuring a Lancom L-54g wireless Access Point to authenticate using an external RadSec server.
  • Tested against Lancom L-54g wireless Access Point configured for external RadSec authentication for 802.1X. OK.
  • Improvements to AuthBy WIMAX, in order to support Alvarion WiMAX equipment and various other operator requirements, requested by Manuel Kasper. Can now use AuthSelect and AuthColumnDef to alter the SQL authentication query and add reply attributes. You can customise other SQL queries using during WiMAX processing with GetCachedKeyQuery, GetHotlineProfileQuery, GetQosProfileQuery. Can now handle accounting using AcctSQLStatement the same as AuthBy SQL.
  • Fixed a problem where use of Client CIDR addresses would not alway result in the correct Client being found. Reported by Fabio Prina.
  • In AutbBy LDAP_APS, PasswordServerAddress was working for PAP, but did not work as expected for MSCHAP and Digest-MD5 authentication. Reported by Mark Duling.
  • Added OSC-Version-Identifier to dictionary.
  • Fixed typos in dictionary. Cisco-Maximum-Time was Cisco-Maximun-Time and Cisco-Maximum-Channels was Cisco-Maximun-Channels. Reported by Fabio Prina.
  • Server TACACSPLUS now sets OSC-Version-Identifier in the RADIUS requests from the version number in the incoming Tacacs+ request. The Major and Minor numbers are combined in a single integer as per the Tacacs+ specification (i.e. version 0 is represented as 192 and version 1 is represented as 193).
  • Incoming requests processed by Server RADSEC were logged twice. Reported by Paul Dekkers.
  • Can now properly send Starent VSAs. Receiving was already supported.
  • Fixed a problem that prevented reply attributes from a TTLS inner reply being sent in the reply to a session resumption. Reported by David Spindler.
  • Fixed a problem where certain malformed RADIUS requests could cause a hard loop.
  • Accounting request that are REJECTED (due, say, to UsernameCharset) are now logged at DEBUG level.
  • Added Trapeze Networks attributes to dictionary. Contributed by P Havekes.
  • AuthBy RADIUS would previously die if it was unable to bind to a socket (for example if a non-existent BindAddress was used). Reported by Andrew D. Clark.
  • AuthBy WIMAX now supports ASCII encoding of WiMAX-Packet-Flow-Descriptor and WiMAX-QoS-Descriptor. They are parsed and converted to the WiMAX required binary format automatically.
  • Improvements to Solaris scripts and config file for use by the Solaris package
  • When LogMicroseconds is used, the microseconds are now left padded with zeroes for easier reading.
  • Can now handle Change-Filter-Request requests in AuthINTERNAL and others. Accept will result in a Change-Filter-Request-ACKed replay and a reject will cause a Change-Filter-Request-NAKed.
  • Fixed a problem with AuthBy RADSEC caused by the recently added LocalAddress support: If the Host address is an IPV6 address, an error with binding to was reported. The default bind address is now determined by the operating system, except when LocalAddress is specified. Can now specify LocalAddress as an IPV6 address.
  • Error messages from Server TACACSPLUS now include the originating address and port number. Requested by Andrew D. Clark.
  • Added various Nortel OME6500/OM5000 VSAs to dictionary.
  • Added new option -leap to radpwtst for testing EAP-LEAP.
  • Fixed a number of mispellings from 'redespatched' to 'redispatched'
  • Fixed some incorrect behaviour of Resolver under perl5.8.8 on some platforms.
  • Improvements to AuthBy RSAAM so that chains of RSAAM authenticators with different Policy settings will work correctly.
  • Added support for Alcatel/Lucent ESAM VSAs (vendor ID 637) which have non-standard VSA format. Also added A-ESAM-* entries to dictionary. Contributed by John Pendleton.
  • AuthBy LDAPDIGIPASS didn't close its connection if HoldServerConnection wasn't set. Reported and patched by Kees Guequierre.
  • Added precompiled RPM for Authen-Digipass for perl 5.10 (Authen-Digipass-1.9-1.i686.rpm is for perl 5.8 only).
  • In AuthBy RSAAM, added translations for some further prompts, POLICY_VIOLATION_* etc. Improved prompts during system-generated-PIN mode. Improved support for AM server failover. AM Server failure now causes an IGNORE, and AuthByPolicy ContinueWhileIgnore can be used to try multiple AM servers in sequence until a successful connection is made. Changes to chaining of RSAAM clauses mean that in order to try one RSAAM Policy, followed by another you must use the AuthByPolicy ContinueUntilAcceptOrChallenge.
  • Added support for new AuthByPolicy settings of ContinueWhileChallenge and ContinueUntilChallenge.
  • Added support for EAPTLS_RequireClientCert to TTLS and PEAP. Setting this optional parameter now requires the clinet to present a valid client certificate during the TLS handshake.
  • Improved documentation in AuthBy ACE examples. Improved misleading user messages when AuthBy ACE is used with AM 7.1. Fixed problems with Authen-ACE4 when used with AM 7.1 and system-generated PINs, requires Authen-ACE4 1.3. New Authen-ACE4 1.3 ppm packages for Windows, including support for Perl 5.10 on Windows.
  • Added precompiled Authen-Digipass ppm package for perl 5.10 on Windows.
  • Improved session resumption in PEAP. Previously, resumed sessions triggered an inner authentication. Now the inner authentication is reused too. Reported by Tom Rixom.
  • Added new hook EAPTLS_CommonNameHook for EAP TLS support. Normally EAP-TLS attempts to match a CN in the client certificate against either the User-Name or EAP identity (either with or without domain names). This hook allows you to extend this matching and match a certificate CN against some other user attribute, such as the Calling-Station-Id as required by some WiMAX devices.
  • Added EAP TLS initialization to add the SHA256 digest, required for some WiMAX devices and certificates. Requested by Jinsong Zhu. Requires Net-SSLeay 1.35 plus latest SVN patches or later and OpenSSL 0.9.8i or later.
  • Fixed a problem with special character %J, which incorrectly had leading spaces before the day number. Reported by José Borges Ferreira.
  • Added Citrix-CAG-Groups to dictionary.
  • Added beta version of a new AuthBy EAPBALANCE module. EAPBALANCE distributes EAP conversations among multiple back ends and ensures that a given conversation always goes to the same backend, even in the face of backend failures. Suitable for use with FarmSize for high performance EAP-capable systems on multi-core hosts.
  • Fixed some errors in the types of WiMAX attributes in dictionary. WiMAX-HTTP-Redirection-Rule changed from binary to string. Added WiMAX-Time-Of-Day-Time. Added NAS-Filter-Rule. Requested by Garima Mahadik.
  • Timestamp was incorrectly added twice if a request was redirected through Handler, say by AuthHANDLER or similar.
  • Changes so that the plaintext password is not logged at debug level during Tacacs authentication. Requested by Markus Moeller.
  • Fixed some problems with mixed placeholders causing crashes on Windows when ODBC in use and when Quote: fails to match properly. Improved error reporting in SqlDb when a prepare croaks. Improvements to nested special character matching to exclude trival matched caused by embedded curlies. Reported by Edgard B. Haddad.
  • In AuthBy POP3, paramters Host, Port and LocalAddr did not have packet-specific data available for special characters. Reported by Aaron Holtz.
  • Fixed a problem with incorrect statistics for dropped requests when inner TTLS and PEAP requests are proxied. Reported by Dan Cachola.
  • Improved handling of Security Questions prompts in AuthBy RSAAM.
  • Fixed AuthBy IMAP so it will work with Mail-IMAP versions later than 2.99, using the new Mail::IMAP RawSocket call. Reported and patched by Wolfram Grienert.
  • Fixed a problem with Server HTTP where a configuration that contained an AuthLog clause would incorrectly be saved as an AuthBy clause. Reported by Steven R Sterner.
  • AuthBy WIMAX incorrectly set Session-Timeout to the absolute epoch time, rather than the relative KeyLifetime. Reported by Valentin Tumarkin.
  • Fixed a problem in AuthBy WIMAX with DHCP keys that could cause a crash. Also fixed a problem with session resumption when Pseudo Ids are in use. goodies/wimaxtest now suports session resumption with a [-reauth count] command line argument.
  • Fixed a problem with reused session authentication in EAP-TTLS.
  • Added sample configuration files for Radiator, Cisco Nexus 7000 and sample debug file, showing how to set up RBAC - Role-Based Access Control on the Cisco Nexus 7000. Contributed by Matthew Nichols.
  • Fixed a problem when AuthBy RADIUS tries to forward to a non-existent DNS name, a crash could occur. Reported by Patrick Renkens.
  • Ensure TLS does not resume sessions unless EAPTLS_SessionResumption is set.
  • Added support for new parameter in AuthBy WIMAX. MSKInMPPEKeys forces the MSK to be encoded in MS-MPPE-Send-Key and MS-MPPE-Recv-Key, as well as the usual WiMAX-MSK reply attributes. This is required by some non-compliant clients, such as some Alcatel-Lucent devices.
  • Improved behaviour of AuthBy WIMAX when creating and setting WiMAX-AAA-Session-ID to be compatible with more WiMAX clients. WiMAX-AAA-Session-ID is now only allocated and returned in the Access-Accept. Also made more SQL queries configurable. Parameter Reported by Kasra Kangavari.
  • Changed primary key in device_session in sample wimax.sql to match earlier changes to session saving based on session ID instead of NAI.
Version 4.3.1:
  • Added new parameter PasswordServerAddress to AuthBy LDAP_APS, which forces Radiator to use the specified address as the address of the Apple Password server, instead of deducing it from the user's password details. Addresses may be one of the forms:, dns/, ipv4/ or ipv6/2001:720:1500:1::a100. This can be useful with replicated password servers. Suggested by Matt Richard.
  • Reverted changes to PreClientHook introduced in 4.3. PreClientHook is now called before despatch to any Client clause. It will always be called even if there is no matching Client, but the attributes will not have been decrypted (as decrypting is done in the context of a particular Client). The new parameter ClientHook has been added to the Client clause, and is called immediately after the attributes have been decrypted by the Client. Requested by Heikki Vatiainen.
  • Fixed problems with trailing NULs not being stripped from User-Name. Reported by Dawn Lovell.
  • Fixed a problem with double logging of reply packeets from AuthBy RADSEC. Reported by Paul Dekkers.
Version 4.3:
  • Added new AuthBy RSAAM module that supports RSA Authentication Manager 7.1 and later. Supports PAP, GTC, OTP, PEAP-GTC, TTLS-PAP etc. Supports all AM authentication methods, including traditional SecurID tokens, static passwords, OnDemand passwords delivered by SMS or email, security questions etc. Runs on all platforms supported by Radiator. Requires SOAP::Lite and prerequisites for SSL, including Crypt::SSLeay or IO::Socket::SSL+Net::SSLeay. Sample configuration files included.
  • Added support for LocalAddress and LocalPort to AuthBy RADSEC. Suggested by Jan Tomasek.
  • AuthBy RADSEC now does case-insensitive matches between the RadSec server certificate DNS name and the target server Host name. Previously, matches were case-sensitive. Suggested by Jan Tomasek.
  • Fixed a number of problems with handling integer64 type, especially when salt encoded
  • Added support for Quote format to format_special, allowing SQL database specific quoting to be used in any configurable parameter in any SQL based module. The new format %{Quote:somestring} will be replaced by the string quoted in the correct format for the SQL database in use. For example when used with a mysql database, %{Quote:somestring} would be replaced by 'somestring'.
  • Added new AuthBy HANDLER module. This clause allows requests to be redirected to a Handler based on the Handler's Identifier. Sample configuration file authhandler.cfg included.
  • Fixed a problem where Radiator would crash if PidFile specified a non-existant directory.
  • Added a number of HP VSAs to the dictionary. Also BATM-privilege-group Guests was incorrectly given as 5 instead of 15. Adjusted typed of WiMAX-Hotline-Indicator and WiMAX-Hotline-Profile-ID to string a per NWG docs.
  • Fixed a problem with Monitor and ServerDIAMETER clauses which could cause a crash if the Clients parameter is specified and a request is received from an address not named in that Clients parameter.
  • Added new Configurable function format_ctime that returns the local time formatted to include microseconds if the object or SererConfig has LogMicroseconds set. Used by Log FILE, Monitor, ServerConfig, ServerHTTP.
  • Added and corrected a number of Redback VSAs from data provided by Redback.
  • Fixed problems with dictionary tag-based encrypting of named integer attributes such as RB-LI-Action and others. Required some restructuring of unpackRadiusAttrs/decode_attrs and removal of encode_attrs. Reported by Ian Forster.
  • Fixed a problem with encrypting long strings: the resulting encryption was wrapped with added newlines. Reported by Dan Cachola.
  • Fixed a problem where DefineGlobalVar and DefineFormattedGlobalVar configuration parameters were not saved correctly by the Server HTTP web console.
  • Improvements to ability of Ldap connections with HoldServerConnection to detect disconnection by the server or a firewall. Patch contributed by Bjoern A. Zeeb.
  • Added new parameter PageNotFoundHook to Server HTTP. If a page is requested but not found in the set of built-in pages PageNotFoundHook is called to try to handle the request. PageNotFoundHook is passed the requested URI and a reference to the ServerHTTP connection. If it can handle the request, it returns an array of ($httpcode, $content, @headers). Requested by Marijke Vandecappelle.
  • Moved the location of PreClientHook call to the very beginning of the Client handle_request, so that decoded and decrypted attributes are available to PreClientHooks. Now, PreClientHook will _not_ be called if there is no matching Client clause. Also, within PreClientHook, the $->{Client} member will now be set to the Client clause handling the request, which may be helpful in some PreClientHooks.
  • Improved compatibility with some EAP-TTLS clients that previously would have required EAPTTLS_NoAckRequired. Reported by Ian Forster.
  • TLS/TTLS/PEAP/RadSec and other SSL users will now use any built-in OpenSSL crypto engines provided the installed Net::SSLeay supports ENGINE_load_builtin_engines and Net::SSLeay::ENGINE_register_all_complete (ie 1.33_01 and later). 'pkcs11' will be set as the default engine provided it exists.
  • Compatibility with new OSC-IMC TNC collector in latest version of libtnc. Format of OS_DETAIL message and other changed.
  • Improved behaviour of TTLS in the unlikely case that openssl resumes the wrong session. Suggested by Belmont Cheung.
  • Improvements to AuthBy SAFEWORD. The new parameter GroupReply maps SafeWord ActionData group names into sets of reply items. Added examples to sample config file. Suggested by Johan Frid.
  • Fixed a problem where a Monitor port that was not correctly closed would not destroy the Monitor, permitting messages to continue to be buffered and causing memory exhaustion. Reported by Thomas Schlottke.
  • Backed out changes to RADIUS socket opening introduced in 4.2: RADIUS socket was opened with SO_REUSEADDR, to prevent socket reopening issues on FreeBSD, but this results in always being able to bind to an existing socket on some platforms. Reported by Steve Rogers.
  • Added support for Client CIDR address specifications. Can now have . Also mermits CIDR specifications and MAC: addresses in the IdenticalClients parameter.
  • Added a number of Nortel and Juniper VSAs to dictionary. Contributed by Ronald van der Pol.
  • Fixed a problem where runt EAP-Messages could cause a confusing but useless Access-Accept. Reported by Tom Rixom.
  • Added OSC-Provider-Identifier and OSC-Environment-Identifier to dictionary.
  • AuthBy RADMIN now supports AuthSelectParam for improved performance and alsop supports bind variables for UserAttrQuery and ServiceAttrQuery. Altered sample config to show how to use it.
  • Changed the name of Expiration attribute (21) to Ascend-PW-Expiration to prevent collisions with the Expiration check item. Also changed the type to string to be compatible with other RADIUS servers.
  • Fixed a problem with incorrect results for %u and %w and %W if a global RewriteUsername was used.
Versienummer 4.4
Releasestatus Final
Besturingssystemen Windows 9x, Windows 2000, Linux, BSD, Windows XP, Mac OS Classic, macOS, Solaris, UNIX, Windows Server 2003, Windows Vista, Windows Server 2008
Website Open System Consultants
Licentietype Voorwaarden (GNU/BSD/etc.)

Door Japke Rosink



Reacties (2)

Wijzig sortering
Ik ben lange changelogs gewend van wine, maar deze overtreft het

Is dit de langste changelog ooit op
Welliswaar zijn er 2 versie updates meegenomen, of moet ik zeggen, was er één vergeten/is er 1 overgeslagen.

[Reactie gewijzigd door g4wx3 op 11 maart 2009 22:12]

Doorgaans word bij langere changelogs alleen een linkje gegeven naar het changelog. Maar ik moet toegeven, er is behoorlijk wat veranderd in de 2 releases.

Op dit item kan niet meer gereageerd worden.

Apple iPhone XS Red Dead Redemption 2 LG W7 Google Pixel 3 XL OnePlus 6T (6GB ram) FIFA 19 Samsung Galaxy S10 Google Pixel 3

Tweakers vormt samen met Tweakers Elect, Hardware.Info, Autotrack, Nationale Vacaturebank en Intermediair de Persgroep Online Services B.V.
Alle rechten voorbehouden © 1998 - 2018 Hosting door True