Revision 3.17.1 (2007-04-12) Some new features and bug fixes

  • Added new load balancing module AuthBy HASHBALANCE, which uses information in the incoming request to choose the preferred host, with the intention that all requests in a single EAP conversation go to the same target server. This enables EAP and other stateful RADIUS transactions to be load balanced without interfering with streams of related requests. If the preferred host is not available, the following hosts are tried in turn until all are exhausted. Sample configuration file in goodies/hashbalance.cfg.
  • ldap-aps.cfg was left out of the 3.17 distribution. Reported by Ken Kawakubo. Other Apple Password Server modules were also omitted.
  • Added EAP_38.pm for TNC support to the distribution.
  • Added RB-DHCP-Vendor-Class-Id to dictionary.
  • Fixed a bug in TLS support when used with TTLS-PAP-EAP-TNC. Reported by Chris Hessing.
  • TranslatePasswordHook now works for EAP-MSCHAPV2, EAP-PAX, EAP-PSK, LEAP and MD5-Challenge. Reported by Rogier Krieger.
  • Added a number of new Redback and DSLForum VSAs to dictionary.
  • Improvements to AuthBy KRB5 to allow it to acquire credentials for a service principal. Includes 3 new configuration parameters: KrbKeyTab, KrbService, KrbServer. Patch contributed by Erik Klavon.
  • Improvements to AuthBy SQLRADIUS so that FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime are fetched from SQL as rows 11, 12 and 13, and failure history, backoff time etc are cached within Radiator memory, so that SQLRADIUS can be used with FailureBackoffTime etc. Suggested by Sami Keski-Kasari.
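The sticky selection described for AuthBy HASHBALANCE above, written out as an added Python model rather than Radiator's own Perl code: a hash of attributes that stay constant across an EAP conversation picks the preferred host, and the following hosts are tried in list order while a host sits inside its failure backoff period (the FailureBackoffTime behaviour used by the other proxying AuthBys). The choice of User-Name plus Calling-Station-Id as the hash key, the host names and the backoff period are assumptions, not documented HASHBALANCE behaviour.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Host:
    """One target server, with dead-for-a-while semantics like FailureBackoffTime."""
    name: str
    failure_backoff_time: float = 60.0   # seconds a failed host is skipped (assumed value)
    dead_until: float = 0.0              # the host is skipped while now < dead_until

    def is_alive(self, now: float) -> bool:
        return now >= self.dead_until

    def mark_failed(self, now: float) -> None:
        self.dead_until = now + self.failure_backoff_time


# Hypothetical hosts; in Radiator these would come from Host clauses in the config.
HOSTS: List[Host] = [
    Host("radius1.example.net"),
    Host("radius2.example.net"),
    Host("radius3.example.net"),
]


def conversation_key(request: Dict[str, str]) -> str:
    """Attributes repeated unchanged in every Access-Request of one EAP conversation.

    Assumption: the changelog does not say which attributes HASHBALANCE hashes;
    User-Name and Calling-Station-Id are used here because both stay constant
    across all the round trips of a single EAP exchange.
    """
    return request.get("User-Name", "") + "|" + request.get("Calling-Station-Id", "")


def preferred_index(request: Dict[str, str], nhosts: int) -> int:
    """Deterministic preferred slot: every request of a conversation hashes to the same host."""
    digest = hashlib.sha256(conversation_key(request).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % nhosts


def choose_host(request: Dict[str, str], hosts: List[Host], now: float) -> Optional[Host]:
    """Start at the preferred host and walk forward through the list; None once all are exhausted."""
    n = len(hosts)
    if n == 0:
        return None
    start = preferred_index(request, n)
    for offset in range(n):
        candidate = hosts[(start + offset) % n]
        if candidate.is_alive(now):
            return candidate
    return None   # every host is inside its backoff period


if __name__ == "__main__":
    # Constructed request: the same identity and station, as seen across one EAP exchange.
    req = {"User-Name": "alice@example.com", "Calling-Station-Id": "00-11-22-33-44-55"}
    chosen = choose_host(req, HOSTS, now=0.0)
    print("preferred host:", chosen.name if chosen else None)
```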

Revision 3.17 (2007-03-26) Some major new features and bug fixes

  • Added new module AuthBy LDAP_APS which finds user details in a Mac OS-X Directory Server LDAP database, and then authenticates the user password against a Mac OS-X Apple Password Server. Works on Mac OS-X 10.4 or later. Sample configuration file in goodies/ldap-aps.cfg. Supports PAP, MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.
  • Added support for EAP-PSK as per RFC 4764, an EAP method based on a per-user Pre Shared Key, and which supports strong cryptography and dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file included.
  • Added support for EAP-PAX as per draft-clancy-eap-pax-11, an EAP method based on a per-user Authentication Key, and which supports strong cryptography and dynamic WEP and WPA keys. Tested against wpa_supplicant-0.6-2006-12-05. Sample configuration file
  • Added a new flag EnableFastPINChange to AuthBy ACE, allowing compatibility with some NASs (notably Juniper) that have non-standard behaviour in New PIN Mode: when the user is asked whether they want to set their PIN, the NAS automatically gets the new PIN and returns it to the RADIUS server, which is expected to use it to set the PIN immediately. This flag enables compatibility with this behaviour if the user/device enters a PIN instead of ‘y’ or ‘n’.
  • Fixed potential memory leak in PEAP and TTLS after handshake failure.
  • Improvements to parseDate so that invalid date formats would not cause a crash.
  • Added support for new special character in the format %{OuterRequest:attrname} which is replaced with the named attribute from the outer request of a tunnelled request. Useful with PEAP and TTLS tunnelled requests.
  • Fixed a memory leak that mostly affected failed authentications in TTLS and PEAP. Reported by David Spindler.
  • Added a number of new Mikrotik VSAs to dictionary.
  • Testing with Cisco Secure Services Client 4.0.5.4889 on XP. OK for TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2, TTLS-EAP-MSCHAPV2, TTLS-MD5, PEAP-MSCHAPV2, PEAP-GTC, PEAP-TLS, LEAP, GTC, TLS, EAP-MSCHAPV2, MD5
  • Added support for special characters in EAPTLS_PrivateKeyPassword and TLS_PrivateKeyPassword. Requested by Redback.
  • Fixed a problem with interoperation between ServerDIAMETER and some Diameter clients. Reported by Arthur Konovalov. Also fixed a typo in doc about how to test ServerDIAMETER.
  • Fixed some minor interoperation issues to do with SIP authentication and RFC 4590.
  • Altered dictionary.sip to make it compliant with RFC 4590.
  • Fixed a problem with the Host-IP-Address in the CEA by Server DIAMETER. Reported by Arthur Konovalov.
  • ServerDIAMETER now converts the contents of Grouped attributes from the incoming Diameter request into the new Radius request.
  • Fixed a problem with the Mandatory flag in the Diameter Firmware-Revision attribute. Removed restriction of only being able to handle NASREQ application requests. Reported by Arthur Konovalov.
  • Fixed a problem with conversion of SessionId when using NasType of CiscoSessionMIB. Reported by Joe (Mobile).
  • Fixed a problem with incorrect responses to Tacacs accounting requests. Reported by Mohamed.Raddahi.
  • Fixed a problem where a check-item Auth-Type which points to a AuthBy RADIUS inside a GROUP did not work as expected. Reported by Toomas Karner.
  • Added support for Starent VSAs, which have a non-standard format. Patch supplied by Frank Danielson.
  • Fixed some problems with memory leakage, especially in PEAP after a successful authentication. Reported by David Spindler.
  • In AuthBy RADIUS, the Host clause now supports per-host LocalAddress and OutPort parameters. Patched by Bjoern A. Zeeb.
  • Added documentation and sample configuration file for ServerDIAMETER.
  • Removed references to obsolete handle_sigchld, which is not necessary any more. Reported by Dan Cachola.
  • Added support for ConnectionAttemptFailedHook and NoConnectionsHook for custom code to handle various types of SQL connection failure. Patched by Dan Cachola.
  • Fixed a problem with conversion of negative integers by valNameToNum in Radius dictionaries. Reported and patched by Arthur Konovalov.
  • Minor improvement to performance of Radius::Util::random_string.
  • Added more Huawei VSAs to dictionary. Contributed by Jose Borges Ferreira.
  • Improved handling of multiple reply items, possibly containing spaces, in AuthorizeGroup. PasswordPrompt is now used everywhere to control password prompts in ServerTACACSPLUS.
  • Added more WCG VSAs to dictionary.
  • Fixed a problem where proxied TTLS inner EAP-MSCHAPV2 replies were not properly processed, resulting in no reply to the originator. Reported by Ian Forster.
  • Fixed a problem where Util::inet_ntop could crash when used with RodopiAAA and TTLS or PEAP.
  • Cleaned up some attributes in dictionary including Tunnel-Type etc.
  • Added support for Cisco cisco-li-configuration attribute, which can be used to enable Lawful Intercepts for selected sessions. Added goodies/cisco_li.txt explaining how to use it.
  • Added various Redback VSAs to dictionary to support Redback Lawful Intercept. Also arranged to support the automatic salt encryption of attributes that require it. Contributed by Jan De Backer.
  • Added some Telkom SA VSAs to dictionary.
  • AuthBy DIGIPASS now honours UsernameMatchesWithoutRealm. Requested by SCHELL.
  • Structural changes in AuthGeneric.pm and changes to the args passed to AuthGeneric::check_mschapv2() in order to support Apple Password Server.
  • Added MS-RAS-Client-Name and MS-RAS-Client-Version to dictionary.
  • Fixed a problem with proxying of Radius requests received by Server DIAMETER, where the authenticator was not correctly set. Reported by Blake Ulmer.
  • Fixed a problem where diapwtst did not correctly handle extra attributes like ‘radpwtst Accounting-Session-Id=12345’. Reported by Blake Ulmer.
  • Testing on Ubuntu 6.10. OK.
  • Fixed a typo in ClientListLDAP that prevented StripFromRequest working properly. Reported and patched by Luta.

Revision 3.16 (2006-11-09) Some major new features and a few bug fixes.

  • Added early release of Diameter support. ServerDIAMETER implements a stateless Diameter to Radius translation agent. Incoming Diameter requests are converted to Radius requests which can be served internally by Radiator or proxied to another Radius server. Includes simple Diameter client for testing (diapwtst) and sample configuration file. Supports RFCs 3588, 4005, 4072. Supports TLS encryption, TCP or SCTP transport. Interoperates with OpenDiameter.
  • AuthBy DIGIPASS now supports Vasco Virtual Digipass. This allows Vasco token support even if the user does not have a physical token (or has lost it). AuthBy DIGIPASS generates the correct tokencode and passes it to a hook, where it can be delivered to the user by SMS etc. Example config file digipass.cfg shows how to enable it. New versions of Authen-Digipass that support AAL2GenPassword are needed for Virtual Digipass support.
  • Added new module for sending SMS messages using the Internode NodeText Gateway, a commercial SMS gateway available from Internode in Australia. Also added fully working example configuration file showing how to do One-Time-Passwords delivered by SMS. The NodeText Gateway is a high reliability, high performance SMS Gateway for Australian SMS numbers. Works with GSM, CDMA. Works with Telstra, Optus and Vodafone networks. Billing of SMS delivery charges can be to the sender, or the receiver. The Internode NodeText Gateway can also apply a range of special features, such as name to SMS number translation etc. Multiple recipients, message splitting etc are supported. They also offer an email-to-SMS gateway. This fully working example allows your users to be administered with Radmin, using One-Time-Passwords delivered to the user by SMS. Internode SMS gateway access for Australian SMS numbers is available from http://www.internode.on.net and http://www.internode.on.net/products/sms.htm
  • Added tutorial and config files for installing ChilliSpot, Radiator and RAdmin to provide a complete, locally administered captive portal wireless hotspot solution, including prepaid time for users, user statistics, monitoring etc. See http://www.chillispot.org
  • Ensured SNMP and Status-Server statistics are correctly updated by requests received via RADSEC and TACACSPLUS.
  • Testing on Syllable 0.6. OK, except Any_DBM tie is not implemented on Syllable so that AuthBy DBFILE does not work, resulting in failed tests 1a, 3a, 3d, 3g, 3h.
  • Minor cleanups to remove various warnings when -w is used.
  • Special character %z was using a deprecated MD5 hashing routine. Now uses Digest::MD5::md5_hex.
  • Fixed a problem that prevented reply attributes from EAP_PEAP_MSCHAP_Convert converted requests being replied to the client. Reported by Alex Sharaz.
  • Fixed a problem in ClientListLDAP where attributes that expect a stringarray (such as IdenticalClients, FramedGroupBaseAddress, RewriteUsername, DynamicReply) could cause a crash if there were multiple values for that attribute in the LDAP database. Reported by Lohier, Matthew.
  • Fixed a problem with AcctLogFileName where a file name with a leading ‘|’ for a pipe would incorrectly cause bogus directories to be created. Reported by Anne Bennett.
  • Fixed a problem with AuthBy DIGIPASS clauses that are not contained within a Realm or Handler causing a crash. Reported by Paul Dekkers.
  • Added a number of Unisphere VSAs to dictionary. Contributed by Gareth Coco.
  • Testing on Windows Vista Beta build 5384. OK, using ActiveState ActivePerl 5.8.8.
  • Fixed an error in the definitions of 3GPP2-IP-Technology in dictionary. Reported by Frank Danielson.
  • AuthBy LSA and AuthBy NT on Windows now support Local as well as Global groups when using the Group parameter.
  • Fixed a problem with anonymous bind not working correctly, resulting in LDAP_INAPPROPRIATE_AUTH. Reported by R.H.Hoek.
  • Fixed a problem with TTLS and PEAP where a proxied reply to the inner request of a session that has been lost or closed would cause a crash. Reported by Shahid Khan.
  • Fixed a problem with goodies/CalledStationId.pm that would cause ERR: Bad attribute=value pair.
  • Improvements to goodies/CalledStationId.pm to support regexps in stations.
  • Added a number of Aruba VSAs to dictionary. Contributed by steven.quek.
  • In AuthBy RADMIN, changed the default MaxMessageLength to 200 to comply with the standard Radmin database size.
  • Fixed a problem with client certificate verification in EAP TLS that could cause an error ‘EAP TLS No peer certificate’.
  • Fixed a problem with EAP-TLS authentication when EAPTLS_NoCheckId was set. Reported by Dawn Lovell.
  • Added various VSA to support ChilliSpot, an open source captive portal for wireless with Radius support. http://www.chillispot.org/
  • Testing with ChilliSpot http://www.chillispot.org/ OK. ChilliSpot is a wireless hotspot portal that authenticates users before letting them get access to the internet. ChilliSpot can work with both UAM (where the ChilliSpot hotspotlogin.cgi script solicits a password and ChilliSpot sends Radius/CHAP to Radiator), and with EAP (where ChilliSpot forwards Radius/EAP requests to Radiator). Tested with UAM, EAP, TTLS, PEAP. Caution: ChilliSpot 1.1.0 has a bug where Radius replies that contain a Service-Type reply attribute will cause the chilli process to crash. A patch has been submitted to ChilliSpot.
  • Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work around a problem with Vista Beta 2 clients, where the extra empty fragment (sent as a security measure by OpenSSL) confuses the Vista PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for reasons behind the empty fragments. Reported by David Spindler.
  • Improvements to EAP LEAP handling to be compatible with some types of LEAP-ignorant APs. Reported by Russ Jones.

Revision 3.15 (2006-06-01)

  • AuthBy RADSEC now supports multiple Hosts, using the same Host clause syntax as AuthBy RADIUS. Hosts will be tried in the order given. FailureBackoffTime can be used to mark unresponsive hosts dead for a period of time and skip them. Example Host clause syntax is shown in goodies/radsec-client.cfg.
  • Example config file goodies/eap_leap_proxy.cfg was inadvertently left out of the distribution.
  • Fixed a problem where the parent process could crash if AuthBy KRB5 was used and the server run in the background. Reported by Carol Ward.
  • Added calling_station_hook_requests.pl, a sample PostAuthHook for PEAP requests that: 1) inserts the Calling-Station-ID into the inner request, 2) inserts the Called-Station-ID into the inner request, and 3) inserts the “outer” EAP identity into the inner request as “Outer-EAP-Id”. Contributed by Terry Simons.
  • Testing on openSUSE 10. OK.
  • Fixed a bug in mergedetails that prevented it running under perl 5.005 and earlier. Reported by Greg Schiedler.
  • Alternative version of RequestHook added to goodies/hooks.txt. The hook saves the time of the last Access-Request for each user and conditionally returns an Access-Accept if the time is less than a preset limit.
  • A typo prevented EAPTLS_CertificateVerifyHook parameter being recognised. Reported by Rodrigo Seguel.
  • Improved logging of LDAP connected host details to include the actual hostname and port after special character translations. Also Port now supports special characters. Requested by Michael Hall.
  • Improved Authen-Digipass RPM to work with perl 5.8.7.
  • Refactored AuthDIGIPASS.pm to move common code to AuthDIGIPASSGeneric.pm. New module AuthSQLDIGIPASS.pm replaces AuthDIGIPASS.pm and AuthBy DIGIPASS is now deprecated in favour of AuthBy SQLDIGIPASS.
  • New version of Authen-Digipass module for Linux, Solaris and Windows where digipass.pl now works with LDAP databases, plus some minor bug fixes.
  • New module AuthBy LDAPDIGIPASS authenticates Vasco Digipass tokens from token data in an LDAP database. Example configuration file goodies/digipass_ldap.cfg, and sample LDAP database schema and sample data in goodies/radiator-ldap.*. Use the digipass.pl command line program (part of the Authen-Digipass supplied with Radiator) to import, assign, inspect and reset tokens in the LDAP database.
  • All calls to format_special in AuthBy IMAP now include the current packet so that %R can be used in Host parameter etc. Requested by Petr Zimak.
  • AuthBy SQL did not honour AuthenticateAccounting.
  • Minor fixes, PostSearchHook missing from AuthLDAP2 config options. Reported by Petr Zimak.
  • Added a number of Cisco VOIP VSAs to dictionary.
  • Added a number of VSAs and fixed some errors in dictionary.sip to be in line with draft-schulzrinne-sipping-radius-accounting-00.txt
  • Radpwtst now permits octal escapes in the value in attr=value arguments.
  • Testing with SIP Proxy Router (SER) from www.iptel.org. Added example configuration file to goodies/sip.cfg showing how to configure Radiator for SIP authentication with SER, and with some helpful information and corrections about configuring SER to work with RADIUS.
  • Zero-length string attributes are now never sent in Radius packets, but are ignored, as per RFC 2138. Zero-length Reply-Message strings have been seen in improperly written hooks. Suggested by Ulrich.
  • Sample startup scripts linux-radiator.init and solaris-radiator.init now force -daemon to prevent running in the foreground when started by init script.
  • Fixed a problem in ClientListSQL and ClientListLDAP that could cause a crash during an automatic update if there were no hardwired Client clauses. Reported by Alexander List.
  • Log SYSLOG and AuthLog SYSLOG now support special characters in LogIdent. Requested by Alexander List.
  • Fixed a case where Reply-Message could be incorrectly reset in CachedAttrs, which prevented ServerTACACSPLUS from returning the Reply-Message during a rejection.
  • Added new hooks AuthenticationStartHook and AuthenticationContinueHook to Server TACACSPLUS which can be used for special processing of TACACS+ authentication requests.
  • Minor improvements to test suite. Now reports total error count and exits with non-zero status if there are errors.
  • Renew test certificates. Previous certificates expired March 16 2006, which would prevent TLS, TTLS, PEAP and RadSec tests working. Minor improvements to mkcertificate to add /usr/share/ssl/misc to the path (for standard OpenSUSE).
  • Improvements to timeout handling for SQL and others for perl 5.8 and later, requested by Gustavo Moreira.
  • Improvements to the way nested calls to format_special were handled. Previously, the value for $cpacket could get clobbered by an error log message during formatting of a special character. Reported by Robert Fisher.
  • Added ChallengeMessage parameter to AuthBy DIGIPASS*, which allows the Digipass challenge message to be customised or internationalised.
  • Fixed a problem with SessionDatabase SQL where a countQuery that returned a username as the fifth field did not alter the user name as expected. Reported by Vangelis Kyriakakis.
  • In ServerTACACSPLUS, added a workaround for a bug in some old Cisco routers where a failed authentication would result in an unclosed TCP session. Requested by Patrick, Robert.
  • Added a workaround for a bug in some EAP TTLS supplicants (notably PBG4 on Mac OS X) that do not conform to the TTLS protocol specification and do not understand the ACK sent by the server at the end of TLS negotiation and session resumption, resulting in session resumption not completing. The new EAPTTLS_NoAckRequired flag enables a workaround for such supplicants. Many other supplicants are happy with this too.
  • Fixed a problem with session keys when LEAP was used with EAP_LEAP_MSCHAP_Convert. Reported by Michael Ting.
  • Added new AuthBy SAFEWORD, which authenticates directly to a SafeWord Premier Access server. Includes a sample configuration file. Supports PAP, CHAP, TTLS-PAP, EAP-OTP and EAP-GTC. Supports password changing. Supports fixed (static) passwords and SafeWord Silver and Gold tokens.
  • Fixed a problem that could cause a crash if getpeername fails during a Tacacs connection. Observed on some Solaris platforms. Reported by Ashton, James P.
  • Added new parameter UsernameMatchesWithoutRealm to AuthBy NTLM, contributed by Robin Breathe.
  • Added support for HandleAcctStatusTypes to AuthBy DNSROAM, GROUP, MULTICAST RADIUS, RADSEC and SQL. Contributed by “Nicholas A Waples”.

Revision 3.14 (2006-01-16) Significant new features, including DNSROAM and some fixes.

  • Added new module DNSROAM, that provides RadSec and RADIUS proxying to hosts discovered through DNS. Provides secure, reliable, scalable, low maintenance RADIUS meshes and federations. Uses similar technology to Diameter (RFC 3588) for host discovery, which allows target server details to be provided through DNS lookups. Supports RadSec and RADIUS proxying. Includes new Resolver module for asynchronous DNS lookups. Requires Net::DNS Perl module (and the IO::Socket::INET6 module if you wish to consult a DNS server via IPv6).
  • Added new module AuthBy NTLM that allows Radiator running on a Linux or Unix system to authenticate to a Windows domain controller, with the assistance of ntlm_auth and winbindd utilities from the Samba suite (www.samba.org). Sample Radiator and winbindd configurations are included. Supports PAP, MSCHAP, MSCHAPV2, EAP-MSCHAPV2, and works with PEAP, and TTLS.
  • EAP-TTLS-MSCHAPV2 did not correctly copy reply attributes from the inner accept to the outer accept.
  • New example hook in goodies/hooks.txt to parse multiple Digest-Attributes into individual attributes
  • Testing with Funk Odyssey 4.01 client, including EAP-SIM, EAP-GTC, EAP-LEAP and TTLS-EAP-MSCHAPV2. OK.
  • Added cacti_data_query_snmp_get_radius_information.xml and radius_server.xml to goodies. These are configuration files to enable monitoring of Radiator by Cacti (http://www.cacti.net/), which is similar to MRTG, except it is web driven and based upon a templating system. Contributed by Chris Hills.
  • Fixed a problem with radpwtst -gui where entering a new port number in the gui had no effect. Reported by Chris Hills. Also fixed a problem where that could produce an error message: Can’t locate object method “BINMODE” via package “Tk::Event::IO” on some platforms.
  • Fixed a problem in radpwtst -gui where a Class attribute received from one user authentication would be incorrectly reused for subsequent users.
  • Added new parameter for all AuthBys: EAP_LEAP_MSCHAP_Convert forces all EAP-LEAP requests to be converted to conventional Radius MSCHAP requests that are redespatched, perhaps to be proxied to another non-LEAP capable Radius server or for local authentication. Example config file goodies/eap_leap_proxy.cfg shows how to use it.
  • Fixed a problem that prevented CRL checking working with some versions of Net_SSLeay. Requires Net_SSLeay version 1.25 from CPAN and this patch. Reported by Ilana Kaplan.
  • Improved the error message printed when TLS certificate verification fails to include a text string that describes the problem.
  • Testing with Sybase ASE 12.5, improvements to goodies/sybaseCreate.sql to prevent warnings about NULL columns.
  • Added new parameter EAP_LEAP_MSCHAP_Convert that converts incoming LEAP requests to conventional Radius-MSCHAP requests that can then be handled locally or proxied to a remote Radius server that cannot handle LEAP, but which can handle Radius-MSCHAP. Also added example config file goodies/eap_leap_proxy.cfg. Requested by Michael Ting.
  • Improved configurability for ‘make rpm’ in Makefile.PL.
  • Added support for SASL authentication to LDAP servers. New parameter UseSASL tells AuthBy LDAP2, AuthBy LDAPRADIUS and ClientListLDAP to authenticate the connection to the LDAP server with SASL. See the example config file goodies/ldap-sasl.cfg for details on how to configure it.
  • Fixed a problem that prevented DefaultRealm working in Server TACACSPLUS. Reported by Marc Blum.
  • Improvements to the sample linux-radiator.init and RPM Linux init script so it takes notice of configurable variables in /etc/sysconfig/radiator better. Suggested by Paul Dekkers.
  • Added new configuration method AuthBy SASLAUTHD, which authenticates by connecting to a saslauthd server running on the same host. saslauthd is a Unix authentication server program, part of the Cyrus SASL suite. It can be configured to authenticate from a variety of sources, including PAM, Kerberos, DCE, shadow password files, IMAP, LDAP, SIA or a special SASL user password file. Example configuration file is in goodies/saslauthd.cfg
  • Testing with Gentoo 2005.0. OK.
  • Fixed a problem where AuthBy PLSQL clause did not display its AuthBy type in Radar. Reported by Jovan Sarai.
  • Fixed a problem with AuthACE.pm AuthDIGIPASS.pm AuthKRB5.pm AuthLSA.pm AuthOPIE.pm AuthOTP.pm AuthRSAMOBILE.pm AuthSASLAUTHD.pm that could prevent correct operation with TTLS-EAP-MSCHAPV2 and Odyssey client.
  • Testing on Linspire 5.0. OK.
  • Testing on Ubuntu 5.04. OK.
  • Changes to the default behaviour of AuthLog SYSLOG and Log SYSLOG so that the socket type is only set if LogSock is explicitly defined. Fixes a problem with the socket type search path on Solaris failing if syslogd does not open a unix domain socket.
  • Improvements to EAP-TLS authentication, so that a User-Name with a domain prefix will match the certificate without a domain name. Reported by “Dror Ben-Shlomo”.
  • Fixed a problem where EAP-GTC would not work correctly with some AuthBys that did direct password checking (such as AuthBy LDAP2 with ServerChecksPassword enabled). Reported by Michal Marciniszyn.
  • Added a number of Airespace VSAs to dictionary, contributed by Steve Caporossi.
  • Change-Filter-Request now includes a correct authenticator. Reported by Ardolino Antonio.
  • PEAP outer handler did not set OriginalUserName for the inner packets.
  • Added sample hook to goodies/hooks.txt that shows how to discover the socket that received a request on a multihomed host. Contributed by Miko.
  • AuthBy DIGIPASS now supports PAP, CHAP, MSCHAPV2, EAP-MSCHAPV2, EAP-OTP and EAP-GTC requests. Required some changes to the API for check_mschapv2. Requires Authen-Digipass 1.5 or later (Linux and Solaris packages included in this distribution; Windows PPM packages available for download).
  • Fixed a problem where ForkClosesFDs would incorrectly close sockets created by Monitor, Server TACACSPLUS or Server RADSEC if the server forks or becomes a daemon.
  • In AuthLog SQL SuccessQuery and FailureQuery, new special character %4 is replaced by the SQL quoted original user name from the incoming request (before any RewriteUsername rules were applied).
  • Added support for SALT encryption of Unisphere-Med-Dev-Handle. Required extensive refactoring of attribute encryption and decryption. Attributes requiring encryption and decryption with shared secrets are now done by Radius::encode_attrs and Radius::decode_attrs. Encoding is now done by Client or ServerRADSEC just prior to replying. Function encode_tunnel_password renamed to encode_salt.
  • Performance and security improvements in Util::format_special
  • Fixed a problem that prevented one instance of Radiator acting as both RADSEC server and client or as multiple RADSEC clients at the same time. Requires patch for Net_SSLeay on Windows.
  • Fixed some compatibility problems between mkcertificate.sh and the OpenSSL CA utilities in 0.9.7g and later.
  • New flag NullPasswordMatchesAny enables wildcard matching of NULL password columns. Defaults to enabled for AuthBy SQL and disabled for AuthBy RADMIN, to be consistent with current default behaviour.
  • EAP TLS now supports a new hook. EAPTLS_CertificateVerifyHook runs after the request username or identity has been matched with the certificate CN. It is passed the certificate, and various other details, and returns a different user name which will be used to do the user database lookup.
  • Testing with EMIC m/cluster, a MySQL clustering solution from www.emicnetworks.com. M/cluster provides high availability, scalability and manageability services for MySQL. OK.
  • Testing on Fedora Core 4.
  • Added a number of IPWireless attributes to dictionary. Contributed by m.tavakolifard.
  • Testing on Debian 3.1r0a. OK.
  • Added support for LogMicroseconds to Monitor.
  • Added to goodies a new AuthBy RADIUSBYATTR that forwards to a RADIUS server whose attributes (host, secret etc) are specified in the request. Useful for various specialised testing scenarios. radiusbyattr.txt is a description of how to configure and use it. Contributed by Miko.
  • SNMPAgent now supports special characters in BindAddress and Port parameters. Contributed by Jose Borges Ferreira.
  • Added Daemon configuration file au.com.open.radiator.plist for OSX 10.4 (Tiger) to goodies. Contributed by Matt Richard.
  • EAP-TLS now matches certificate CNs even if they are in Unicode.
  • TTLS and PEAP now always dump the reply to the tunnelled request at DEBUG level.
  • ServerChecksPassword now honours Timeout in AuthBy LDAP2. Patch provided by Campbell Simpson.
  • In AddressAllocator DHCP, fixed a problem with the “secs” field in the DHCP header when there are timeouts and retransmissions. Reported by Ian Amess.
  • ClientListLDAP did not compile any PreHandlerHook entries from LDAP, preventing the hook running. Reported by Peter Crystal.
  • Radpwtst did not use the -acct_port argument properly. Reported and patched by Ruud Besseling.
  • Server TACACSPLUS can now use different per-Client Keys by looking for a TACACSPLUSKey in a Client clause that matches the Tacacs client address. If no matching Client with a TACACSPLUSKey is found, it falls back to the global Key defined in the Server TACACSPLUS clause. Initial idea and patches contributed by James FitzGibbon.
  • Radpwtst with the -code flag sent to the -acct_port instead of the -auth_port. Reported by Phillip Lou.
  • Added new special character %x, which is replaced by the EAP Identity for PEAP and TTLS inner requests.
  • Fixed a problem with the SNMP MIB where some values were returned as integer instead of counter32. Reported by Rani Assaf.
  • Permit plaintext passwords in the format ‘{clear}password’, in order to be compatible with some LDAP servers. Suggested by Andreas Meyer.
  • Testing with Novell NetWare 6.5 with eDirectory 8.7 and iManager 2.5. Improved Makefile.PL to implement the ‘install’ command under NetWare (where perl Makefile.PL does not work). ‘perl Makefile.PL install’ now installs all Radiator files, config files and startup script on NetWare. Extended documentation about how to enable Universal Passwords in eDirectory. Added chapter on NetWare installation to the Reference Manual.
  • Testing with DBD::SQLite2. Added example table creation script goodies/sqliteCreate.sql and added hints to documentation.
  • Added a number of new Redback VSAs to dictionary, contributed by Toomas Karner.
  • Improvements so that ServerTACACSPLUS can now be configured for the Username: and Password: prompts when authen-type of ASCII is used. Added new flag -ascii to tacacsplustest to enable use of authen-type ASCII instead of the default PAP. Refactored some constants and code from ServerTACACSPLUS to use equivalents in Tacacsplus.pm.
  • Fixed some errors in definitions of Airespace-QoS-Level in dictionary. Contributed by Theodore J. Knab.
  • Added goodies/radiator.sh, a Radiator startup script for FreeBSD and rc-ng. Contributed by Paul Dekkers.
  • Improvements to AuthBy ROUNDROBIN. Now it attempts delivery only a limited number of times. It remembers which server it first tried to send to, and on retry it walks the whole RR list and tries each available server in turn. If it reaches the first server again, it aborts the request. Patch provided by Rok Papez.
  • Improvements to allow use of Client-Identifier check items to detect if a request was received by a Server RADSEC clause. Matches against the Identifier of the Server RADSEC clause that received the request. Server RADSEC TLS_ExpectedPeerName now defaults to the DNS name of the RADSEC client (if resolvable), else the client’s IP address. Server RADSEC did not check the Radius authenticator on incoming requests. Suggestions by Paul Dekkers.
  • Fixed problems where multiple TLS RadSec clients were initialised within the same server. Certificate passwords were incorrect and some TLS sessions would not initialise properly. Better support for different certificates in each TLS RadSec client. Reported by Paul Dekkers.
  • Fixed some interactions between different uses of Net_SSLeay, where the verify callback got clobbered by IO::Socket::SSL, which caused crashes when LDAP+(SSL or TLS) was used with RadSec or EAP-TLS. Reported by Jan Tomasek and Ross Wakelin.
  • The LDAP Deref parameter did not work as expected, since it was passed to LDAP new rather than search. Reported by Matthew Lohier.
  • AuthBy GROUP now prints the Identifier in the ‘Handling with ….’ DEBUG message. Requested by Jethro R Binks.
  • Improvements to peer certificate verification for RadSec connections. Client side verifies the configured server Host name against the server certificate CNs or subjectAltNames (DNS or IPADD types). Server side verifies the client IP address against the client certificate CNs or subjectAltNames (IPADD types only). Exact match and wildcard matches are honoured. If those fail then the TLS_ExpectedPeerName pattern is matched against the entire Subject name. If all those fail, the certificate is not verified and the RadSec connection will be terminated. Updated RadSec example configuration files. This is all in line with RFC 2595. Suggested by Jan Tomasek. Caution: use of subjectAltNames requires patches for Net_SSLeay (see the referenced patch).
  • Testing on FreeBSD 6.0 RELEASE. OK.
  • Fixed problems with session database code crashing if there were no Client clauses defined and Client.pm not loaded, as in purely RadSec or TACACS+ servers. Reported by Sajeewa Warnakulasuriya.
  • Fixed a problem with Status-Server and SNMP statistics where proxied requests were incorrectly counted in the dropped statistics too. Reported by Miko.
  • Fixed a compatibility problem with AuthBy KRB5 and krb5-1.4.*, where krb5_init_ets is not present and not required. Reported by Joon Yun.
  • Added APC-Service-Type and APC-Outlets to dictionary. Contributed by “Cassidy B. Larson”.
  • Added support for FailureBackoffTime, MaxFailedRequests and MaxFailedGraceTime similar to AuthBy RADIUS. This permits RADSEC host failure detection and also automatic reforwarding to alternate RADSEC hosts by using NoReplyHook.
  • Server TACACSPLUS now prints the reply to its Radius request when at trace level 4.
  • Added ability to match Client clauses based on client MAC address. Requested by Steve Shippa.
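As an added worked example (not Radiator's own code), the RadSec peer-identity decision described above, written in Python over constructed certificate fields: the client side matches the configured Host against CNs and DNS/IP subjectAltNames, the server side matches the connecting client's IP against CNs and IP subjectAltNames only, exact and wildcard matches are honoured, then the TLS_ExpectedPeerName pattern is tried against the whole Subject, and anything else is rejected. The dict layout, the function names and the rule that a wildcard covers exactly one DNS label are assumptions of this example.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed identity fields as they would be extracted from a peer certificate (not real certs).
# "cns": Subject CN values; "san_dns"/"san_ip": subjectAltName entries;
# "subject": the full Subject DN that TLS_ExpectedPeerName is matched against as a fallback.
SERVER_CERT = {
    "cns": ["*.radius.example.net"],
    "san_dns": ["radsec1.radius.example.net"],
    "san_ip": ["192.0.2.10"],
    "subject": "/C=AU/O=Example Org/CN=*.radius.example.net",
}
CLIENT_CERT = {
    "cns": ["nas-proxy.example.net"],
    "san_dns": ["nas-proxy.example.net"],
    "san_ip": ["2001:db8::5"],
    "subject": "/C=AU/O=Example Org/CN=nas-proxy.example.net",
}


def _host_name_matches(host: str, names: List[str]) -> bool:
    """Case-insensitive exact match, or a wildcard match where '*' covers exactly one
    leftmost DNS label ('*.example.net' matches 'a.example.net', not 'a.b.example.net').
    The single-label rule is an assumption of this example."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and re.fullmatch(r"[^.]+" + re.escape(name[1:]), host):
            return True
    return False


def _ip_matches(addr: str, names: List[str]) -> bool:
    """Exact IP match after normalising notation (2001:db8::5 equals 2001:0db8:0:0:0:0:0:5).
    Entries that are not addresses (for example a DNS-style CN) can never match."""
    try:
        target = ipaddress.ip_address(addr)
    except ValueError:
        return False
    for name in names:
        try:
            if ipaddress.ip_address(name) == target:
                return True
        except ValueError:
            continue
    return False


def verify_radsec_peer(cert: dict, role: str, peer_id: str,
                       expected_peer_name: Optional[str] = None) -> bool:
    """Return True if the peer certificate identifies the peer we are talking to.

    role == "client": peer_id is the configured server Host (DNS name or IP address), checked
                      against the CNs and the DNS and IP subjectAltNames of the server cert.
    role == "server": peer_id is the connecting client's IP address, checked against the CNs
                      and the IP subjectAltNames of the client cert only (DNS SANs are ignored).
    expected_peer_name: optional TLS_ExpectedPeerName regexp tried against the whole Subject
                      when the identity checks fail. False means terminate the connection.
    """
    if role == "client":
        if _ip_matches(peer_id, cert["cns"] + cert["san_ip"]):
            return True
        if _host_name_matches(peer_id, cert["cns"] + cert["san_dns"]):
            return True
    elif role == "server":
        if _ip_matches(peer_id, cert["cns"] + cert["san_ip"]):
            return True
    else:
        raise ValueError("role must be 'client' or 'server'")
    # Fallback: the configured pattern against the entire Subject name.
    if expected_peer_name and re.search(expected_peer_name, cert["subject"]):
        return True
    return False  # fail closed: no identity matched and no pattern matched


if __name__ == "__main__":
    print(verify_radsec_peer(SERVER_CERT, "client", "radsec2.radius.example.net"))  # True
    print(verify_radsec_peer(CLIENT_CERT, "server", "2001:db8::6"))                  # False
```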

Revision 3.13 (2005-06-02) New features and bug fixes

  • Added several more USR-Bogus-* entries for unknown USR attributes. Suggested by Robert Blayzor.
  • Fixed a problem with startup file on Suse, causing error message Starting Radiator: /usr/bin/radiusd/sbin/start-stop-daemon: (null): Bad address. Reported by Frank Messie.
  • Testing on various Debian distros, aGNUla/DeMuDi. OK.
  • Testing on Xandros 2.0. OK.
  • Testing on Xandros 3.0.1. OK.
  • Testing on Fedora Core 3. OK.
  • Fixed a problem with format_special that prevented %nn numeric replacements working correctly for %10, %11 etc. This affected AuthBy RODOPI accounting, causing multiple identical date fields to be included in SQL queries.
  • Testing on Solaris 10. OK.
  • Testing on Sun Java Desktop Release 2. OK.
  • Testing on Knoppix 3.7. OK.
  • Testing on Flash Linux 0.3.1. OK.
  • Testing on SuSE 9.2. OK.
  • Testing on FreeSBIE 1.1. OK.
  • Testing on MEPIS 3.3. OK.
  • Testing on CentOS 3.4. OK.
  • Monitor now supports more advanced methods for filtering the packets to be printed by TRACE. The new command TRACE_PREDICATE takes a comma separated list of name op value tests. Operators ==, !=, <, <=, >, >= and =~ (regexp) are supported, eg: TRACE_PREDICATE User-Name =~ "mi",NAS-Port == 1234. Also, TRACE_NOPACKET causes messages without an associated packet (ie general server level messages) to be traced (defaults to 1).
  • Fixed a typo in Giganews-gbpm definition that could cause a crash: Can’t use string (“”) as a subroutine ref while “strict refs” in use at Radius/Radius.pm line 630.
  • Performance improvements and refactoring in RDict.pm.
  • Added support for online checking of Colubris Wi-fi NASes. Tested with Colubris CN3200. Contributed by Vangelis Kyriakakis.
  • Fixed a problem that could cause an error opening the DHCP socket after a restart on some platforms. Reported by Bill Ouchark and Andrew D. Clark.
  • When doing a RefreshPeriod, ClientListSQL and ClientListLDAP now only replace Clients that were previously loaded by that clause. Clients defined in the configuration file will not be clobbered.
  • New class Predicate to support the new command TRACE_PREDICATE in Monitor. TRACE_PREDICATE allows Monitor to select log messages based on multiple attributes in incoming requests, such as: TRACE_PREDICATE User-Name=~"^mik",NAS-Port="1234". Supported tests include ==, !=, <, <=, >, >= and =~ (regexp). Also added support for the new command TRACE_NOPACKET, which can be used to disable tracing of log messages that are not relevant to a particular incoming request, eg: TRACE_NOPACKET 0.
  • The recent change to the type of User-Password in dictionary, combined with broken behaviour of Xsupplicant 1.0 when passwords are 8 chars long resulted in failed authentications with TTLS-PAP. TTLS inner User-Password is now NUL stripped.
  • You can now ‘include’ multiple files from the configuration file by using csh-style wildcards and filename expansions such as *, ?, […], {….}, ~, etc. Files whose first character is a ‘.’ are ignored unless explicitly matched.
  • In Log SYSLOG and AuthLog SYSLOG, a new parameter LogHost allows you to specify the host name of the syslog host when using LogSock of ‘tcp’ or ‘udp’. Defaults to the local host.
  • On BSD/OS encrypted passwords with length 20 are also considered to be crypt(3) encrypted, using DES extended format. Patch provided by Baron Fujimoto.
  • Added sample LDAP schema and example data file for use with OpenLDAP and AuthBy LDAPRADIUS to goodies/radiator-ldap.ldif and goodies/radiator-ldap.schema.
  • Fixed a problem with Linux startup file ‘/etc/init.d/radiator status’ hanging with an infinite loop.
  • Added new argument for the current request to pass to TranslatePasswordHook. Requested by Pavel A Crasotin.
  • Added goodies/solaris-radiator.init, a startup script for Solaris 8, 9 and 10. Install as /etc/init.d/radiator and check the other instructions at the top of the file.
  • Added ‘make rpm’ target to the Makefile to make it easy to build Linux RPMs.
  • Fixed a problem with the type of the State attribute which prevented interoperation with Windows Server 2003 with SP1. Reported by Yoann Foucher and Denis Pavani.
  • Added new parameters MaxFailedRequests and MaxFailedGraceTime, allowing configuration on how AuthBy RADIUS will determine proxy host failure. Requested by Arjan Waardenburg. Briefly: For any remote Host to which a request is sent, if no reply is heard for a specific request after the Retries retransmissions, that request is deemed to have failed for that Host. AuthBy RADIUS keeps track of how many requests failed for each host since the last time a reply was heard from that Host. If more than MaxFailedRequests are deemed to have failed within MaxFailedGraceTime seconds of the last reply heard from that Host, the Host is deemed to have failed until a further FailureBackoffTime seconds have elapsed.
  • Following assignment of an official IANA port number for RadSec protocol, the default port number for RadSec has been changed to 2083.
  • Testing with Linksys wrt54g wireless router with WPA/Radius. OK. The wrt54g does not send accounting requests.
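An added example, not part of Radiator, of a TRACE_PREDICATE evaluator in Python for the Monitor filtering described above: it parses the comma separated name op value tests, supports the listed operators (numeric comparison when both sides are numbers, regexp for =~), applies the TRACE_NOPACKET setting to messages that carry no packet, and runs over a few constructed packets. Assumptions of this example: all tests in a predicate must hold (logical AND), values may be bare or double-quoted, and a missing attribute fails its test.

```python
import operator
import re
from typing import Dict, List, Optional, Tuple

# One test: optional whitespace, attribute name, operator, then either a double-quoted
# value or a bare value running up to the next comma. "<=" and ">=" are listed before
# "<" and ">" so they are not split into two tokens.
_TEST_RE = re.compile(
    r'\s*([A-Za-z0-9_:.-]+)\s*(==|!=|<=|>=|=~|<|>)\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)'
)
_ORDERED = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
            "<=": operator.le, ">": operator.gt, ">=": operator.ge}

# Constructed sample packets (attribute name -> value as the dictionary would decode it).
SAMPLE_PACKETS: List[Dict[str, str]] = [
    {"User-Name": "mike@example.com", "NAS-Port": "1234"},
    {"User-Name": "mia", "NAS-Port": "7"},
    {"User-Name": "bob", "NAS-Port": "1234"},
]


def parse_predicate(spec: str) -> List[Tuple[str, str, str]]:
    """Parse 'name op value,name op value,...' into (name, op, value) triples.
    Surrounding double quotes on a value are stripped."""
    tests = []
    pos = 0
    while pos < len(spec):
        m = _TEST_RE.match(spec, pos)
        if not m:
            raise ValueError(f"cannot parse TRACE_PREDICATE at: {spec[pos:]!r}")
        name, op, value = m.group(1), m.group(2), m.group(3)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        tests.append((name, op, value))
        pos = m.end()
    return tests


def _as_number(text: str):
    """Return int or float for numeric text, else None."""
    try:
        return int(text)
    except ValueError:
        try:
            return float(text)
        except ValueError:
            return None


def _compare(actual: str, op: str, expected: str) -> bool:
    """Apply one operator: =~ is a regexp search, the rest compare numerically when both
    sides are numbers and as strings otherwise."""
    if op == "=~":
        return re.search(expected, actual) is not None
    a, e = _as_number(actual), _as_number(expected)
    if a is None or e is None:
        a, e = actual, expected
    return _ORDERED[op](a, e)


def matches(packet: Dict[str, str], tests: List[Tuple[str, str, str]]) -> bool:
    """True when every test holds for the packet (AND); an absent attribute fails its test."""
    for name, op, expected in tests:
        if name not in packet or not _compare(str(packet[name]), op, expected):
            return False
    return True


def should_trace(packet: Optional[Dict[str, str]], tests: List[Tuple[str, str, str]],
                 nopacket: bool = True) -> bool:
    """Decide whether a log message is printed: a message with no associated packet follows
    TRACE_NOPACKET (default 1, ie traced); a message with a packet must satisfy the predicate."""
    if packet is None:
        return nopacket
    return matches(packet, tests)


if __name__ == "__main__":
    predicate = parse_predicate('User-Name =~ "mi",NAS-Port == 1234')
    for pkt in SAMPLE_PACKETS:
        print(pkt["User-Name"], should_trace(pkt, predicate))  # only mike@example.com is traced
```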

Revision 3.12 (2005-03-17) Major new features. Some bug fixes.

  • Added AuthBy RADSEC, which implements Radius transport over a reliable TCP/IP or SCTP connection, with optional TLS encryption and optional TLS mutual authentication by PKI certificate. The example config files implement a simple proxy from radsec-client.cfg to radsec-server.cfg on localhost.
  • Added support for Novell eDirectory Universal Passwords. Added sample configuration files and install/configure/test instructions for eDirectory on Unix. This support allows Radiator to access each user’s Universal Password for authenticating PAP, CHAP, MSCHAP, MSCHAPV2, EAP-TLS, EAP_TTLS-*, PEAP, EAP_MSCHAP, EAP-MD5, LEAP etc.
  • There was a problem with the Solaris Authen-Digipass package included in 3.11 that caused “ERROR: attempt to process datastream failed”. New package included.
  • A debugging print statement that had been inadvertently left in Log SQL was removed.
  • Fixed a problem introduced in 3.10 that could cause a crash like ‘Undefined subroutine ldap_error_name’ in AuthBy LDAP2 after an LDAP error.
  • Fixed a problem with radpwtst -gui, where changing the name of the destination server in the GUI would not actually change the destination. Reported by Ken Bell.
  • radpwtst -gui incorrectly showed Alteon-Service-Type as well as Service-Type options in the Service-Type menu.
  • Added new global parameter MaxChildren which limits the number of Fork children permitted at any one time. Contributed by Ivan Brawley.
  • Added documentation on how to configure Apache 2 for Radius authentication with the mod_auth_radius module. Works with any Radiator authentication module including ACE and DIGIPASS.
  • Added support for Challenge-Response (CR) tokens to AuthBy DIGIPASS.
  • Added documentation on how to configure PAM and pam_radius for use with Radiator to provide Unix login authentication using SecurID, Digipass or any other Radiator supported method.
  • Improved behaviour of RPM distributions, when doing rpm -F install over an old version. The symlink in /usr/lib/perl5/site_perl/Radius could end up incorrect.
  • New version of AuthBy IMAP now supports SSL connections to IMAP server. Contributed by Karl Gaissmaier. Example configuration file imap.cfg extended to show how to configure SSL connections, and TTLS-PAP support too.
  • Testing AuthBy ACE and Authen-ACE4 with ACE Server 5.2. OK. No changes required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine.
  • Testing AuthBy ACE and Authen-ACE4 with RSA Security Authentication Manager 6.0 (formerly ACE/Server 6.0). OK. No changes required. Works with Authen-ACE4 compiled with 5.0 ACE Agent SDK on Unix and Windows. Prebuilt Authen-ACE4 binaries from OSC also work fine. Tested standard, Pinpad and AES tokens.
  • Improvements to the performance of changeUserName, suggested by Nennker, Axel.
  • Added a number of IPWireless Vendor Specific Attributes to dictionary. Contributed by Mernoz Rostangi.
  • Added new test client for TACACS+. See goodies/tacacsplustest -h for help.
  • Server TACACSPLUS now allows you to set the group cache file name with GroupCacheFile, which also permits special characters. Also ServerTACACSPLUS now uses the accounting type in incoming requests to set the Acct-Status-Type in Radius Accounting-Requests. Timestamp is now _not_ added to Radius requests, since the following Handler will always do it anyway. Added support for authentication using methods that can challenge, such as DIGIPASS, ACE, OPIE, OTP, INTERNAL etc. Default AuthorizationTimeout for Server TACACSPLUS changed to 600 seconds, to cater for authentication start/challenge/continue sequences that are subject to user input and could take a long time, and so that authorization replies will be available for longer sessions. Added -interactive flag to tacacsplustest to handle Tacacsplus authentications that might ask for additional data (such as when authenticating with DIGIPASS, ACE, OPIE, OTP, INTERNAL etc). The Tacacs group name now defaults to ‘DEFAULT’ if GroupMemberAttr is not defined, or if the Access-Accept does not include that named attribute (ie if the Tacacs group name cannot be determined).
  • Fixed a problem with AddToReplyIfNotExist in all AuthBys, where some special reply types such as Session-Timeout were not properly interpreted. Reported by “Brian Morris”.
  • Added simple Tacacsplus test client to goodies. All perl, does not require additional perl modules.
  • Added new PostAuthSelectHook to AuthBy SQL, which allows a hook to adjust the results of the AuthSelect query before being used. Contributed by Karl Gaissmaier.
  • Testing with ZyXEL ZyAIR B-3000 Wireless access point, using WPA, 802.1x and Radius authentication. OK.
  • AuthLog SYSLOG did not recognise the LogSock parameter.
  • Added -nas_identifier flag and default NAS-Identifier attribute to radpwtst. Contributed by Nennker, Axel.
  • Added a script goodies/rotateacct.pl to rotate the ACCOUNTING table. Contributed by Ray Van Dolson.
  • Added goodies/eap_acct_username.txt, a sample hook and script for de-anonymizing EAP-TTLS accounting requests, which does not require an SQL database. Contributed by Rok Papez, with comments by Roy Badami.
  • Added new parameter for EAP-TLS, EAPTLS_NoCheckId, which prevents the comparison of the username with the certificate common name. The certificate will be accepted based only on the validity dates and the verification chain to the root certificate. This allows Radiator to mimic the behaviour of some other Radius servers. Contributed by Martin Noha.
  • Added various 3GPP attributes for vendor 10415, contributed by Andy M.
  • Fixed a problem with AuthBy RSAMOBILE, where one incorrect tokencode could cause the user to exceed their maximum login attempts. Reported by Sylvain Maret.
  • Added support for NoCheckPassword to AuthBy LDAP2, so that LDAP can be used to get check and reply items, but where the authentication is done by another module.
  • Improvements to date parsing to make it more tolerant of non-standard case in month names when used in Expiration etc.
  • Improvements to AuthBy LDAP2 so that when ServerChecksPassword is set, and the password check fails, it won't cause a subsequent attempt to do an NT hashed password check.
  • All modules that can route requests back to the Handlers list now also support PreHandlerHook. Suggested by Roy Badami.
  • Testing on NetBSD 2.0. OK.
  • Fixed a problem with AuthBy PLATYPUS where some versions of perl could result in a trailing comma in the SQL for an accounting request. Reported by Jason D. Borders.
  • Performance improvements in format_special. Added ability to extend format_special indefinitely without performance penalties. Added 2 new attribute formatting operators. %{IntegerVal:attribute} is replaced by the integer value of the named attribute from the current request. %{HexAddress:attribute} is replaced by the IPV4 address contained in the named attribute from the current request, formatted as a hex string. Suggested by Pavel A Crasotin.
  • The timing of the writing of the PID to PidFile has been deferred until after the Radius ports are created, and the server is almost certain to start up. Suggested by Karl Gaissmaier.
  • Added example RADAUTHLOG and RADLASTAUTH tables to example SQL scripts that did not have them (all except mysqlCreate.sql).
  • Added new formatter for format_special that can access variables from the server configuration. For example, %{Server:Trace} is replaced by the global server Trace parameter.
  • Fixed a problem with AddressAllocator DHCP that could cause a socket error after a HUP on Unix. Reported by Andrew D. Clark.
  • EAP TLS, TTLS and PEAP now take note of the Framed-MTU, if present, to limit the MaxFragmentSize.
  • Added goodies/gigawords-hook.pl, a hook for calculating correct total octets from Gigawords. Contributed by Igor Briski, Iskon Internet d.d.
  • Added goodies/lsa_eap_multi.cfg example config file showing how to handle Radius PAP, CHAP, MSCHAP and MSCHAPV2, and also the outer and inner requests for TTLS and PEAP. You can use it to authenticate almost anything against Microsoft Active Directory.
  • In ServerTACACSPLUS, BindAddress now defaults to the global BindAddress, and you can now specify multiple comma separated addresses to listen on multiple interfaces.
  • Added support for passwords encrypted with the Microsoft SQL pwdencrypt() function. The required format is like: {mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA
  • AuthBy RADIUS now supports the MaxFailedRequests parameter. A proxy host will not be marked as failed until at least MaxFailedRequests requests have not received a reply. This is useful for some buggy remote radius servers that sometimes drop requests for particular users. Also some internal changes to the addHost() function. Suggested by Arnauld Michelizza.
  • Added goodies/checkOnlineSql.pl, a script that checks that all the users in an SQL SessionDatabase are still online, and deletes the ones that aren't. Uses a client table to determine NAS type etc.
  • The Authen-Digipass package for Solaris did not include libaal2sdk, resulting in an error when trying to run Digipass authentication. Reported by Roy Badami.
  • New versions of AuthBy PLSQL and sample config file, which now supports INOUT parameters for Oracle stored procedures. Contributed by Pavel A Crasotin.
  • Improvements and refactoring of IPV6 address code. ServerRADSEC, ServerTACACSPLUS and Monitor can now listen for connections on multiple IPV4 and IPV6 BindAddress addresses.
  • Fixed a problem with goodies/nntp-redirect.pl where it incorrectly looked for case-sensitive AUTHINFO. Reported and patched by Thorsten Huber.
  • Added nntp-redirect.pl, a Radius-enabled Net News NNTP port authenticator and accountor. This program receives NNTP connection requests, authenticates each one with Radius, and then forwards the connection to the real NNTP server. It counts bytes in and out, and at the end of the NNTP session sends Radius accounting data counting the total news traffic in and out. This allows you to integrate NNTP authentication and accounting with the rest of your Radius services. Reply attributes in the Access-Accept can be used to configure the NNTP server and port to redirect to, allowing per-user NNTP configuration via Radius.
  • Altered the SQL database connections to use PrintError 0, so that unnecessary error messages will not be printed to stderr.
  • Testing on SuSE 9.2. OK.
  • Added MaxRecords parameter to AuthBy LDAP2. It specifies the max number of matching LDAP records to use for check and reply items. Default is 1 to be backwards compatible. Only the first match (if any) is used for ServerChecksPassword. Suggested by Kenneth Cheung.
  • Added a number of Mikrotik Vendor Specific Attributes to dictionary. Contributed by Adrian Tan.
  • Added new NoEAP parameter to all AuthBys that will disable EAP authentication in that AuthBy. Useful for doing additional authentication besides EAP, such as MAC address etc.
  • Added simple_main_loop to Select for simple clients etc.
  • Fixed a problem with all LDAP modules where an LDAP connection problem could cause a Radiator crash.
  • Fixed a problem with radpwtst where specifying IPV6 addresses for both -s and -bind_address could produce ‘bind: Cannot assign requested address’. Reported by Paul Dekkers.
  • Improved performance of AuthBy LDAP2, especially when used with ServerChecksPassword. Some servers would disconnect after an unbind. This fix prevents a disconnection after a ServerChecksPassword bind, reducing the overhead of reconnecting. Overhead for reconnecting with TLS enabled is high. Fixed ServerChecksPassword so it works in more cases, such as Novell eDirectory. Added goodies/edirectory.cfg showing the best configuration to use with Novell eDirectory.
  • Improvements to Linux startup script so it recognises Debian start-stop-daemon and uses that to stop and start the server.
  • Testing with Debian and Ubuntu 4.10. OK, but minor changes required to RPM, Radiator.spec and linux-radiator.init.
  • Improvements to EAP to prevent multiple MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in reply.
  • Fixed a problem that could cause an error in ServerTACACSPLUS ‘Too many arguments for open’ when running on perl 5.005. Reported and patched by Bill Ouchark.
  • EAP-Token is now supported by all static password authentication methods, such as AuthBy FILE, SQL, LDAP etc. goodies/eap_multi.cfg updated to demonstrate this.
  • EAP-TLS now supports client certificates with multiple CNs. At least one CN must match the User-Name or Identity (after EAPTLSRewriteCertificateCommonName rules are applied to each CN).
  • Added new flag EAPTLS_PEAPBrokenV1Label to make PEAP Version 1 support compatible with nonstandard PEAP V1 clients that use the old broken TLS encryption labels that appear to be used frequently, due to Microsoft's use of the incorrect label in its V0 client.

Revision 3.11 (2004-10-25) Some new features and an important bug fix.

  • New module AuthBy MULTICAST proxies some or all requests to _all_ Hosts in a list. Contributed by Andrew Ivins and Swiftel.
  • New example code in goodies/hooks.txt for processing multiple cisco-avpair attributes. Contributed by Chris.Patterson.
  • Improvements to Monitor.pm so that stringarray and splitstringarray types can be displayed in Radar.
  • Improvements to AuthBy FILE so that a Filename of the form %D/users.%R (where the file to be looked at depends on the user's Realm) will work correctly with caching turned on. Contributed by Ivan Brawley.
  • Improvements to ClientListSQL, so that SQL failures during reloading of the client list will result in the old list continuing to be used. Contributed by Ivan Brawley. Similar changes to ClientListLDAP.
  • Testing on Fedora Core 2. OK.
  • Testing on SuSE 9.1. OK, but fixes required for /etc/init.d/radiator in RPM.
  • Testing on Slackware 10.0. OK, but fixes required for RPM installs. Slackware requires rpm --nodeps to install the RPM.
  • Fixed a problem that prevented logging of some incoming packets through Monitor. Reported and patched by Ivan Brawley.
  • Fixed a problem introduced in 3.10 with reassociating after poor coverage. Reported by Roy Badami.
  • Fixed a problem with AcceptIfMissing which did not work correctly if the user did not exist in the database.
  • Fixed a problem where logging at trace level 4 to an SQL database could cause problems with quoting on Informix due to a newline in the log message.
  • We now ensure the openssl session resumption time limit is set in accordance with EAPTLS_SessionResumptionLimit. Reported and patched by Roy Badami.
  • Improvements to restartWrapper so it can log to syslog through /usr/bin/logger. Contributed by Nennker, Axel.
  • Log SQL and Log SYSLOG loggers now support the MaxMessageLength parameter, which truncates the log message (prior to any quoting in the case of SQL). Useful for some types of SQL server that complain if given a string longer than the column it is going into.

Revision 3.10 (2004-10-11) Significant new features. Bug fixes.

  • Radiator is now ‘Vasco Ready’. Added support for Vasco Digipass authentication with new AuthBy DIGIPASS module. Example config file in goodies/digipass.cfg. Sample Digipass token data tables added to goodies/*.sql. Documentation on installing and configuring Digipass on Solaris, Linux and Windows in goodies/digipass-install.txt. Prebuilt binaries of required Authen-Digipass module for Solaris, Linux and Windows.
  • New module AuthBy LDAPRADIUS proxies requests to a remote radius host whose details are found in an LDAP database, looked up against the user's Realm (or Calling-Station-ID etc). Similar in functionality to AuthBy SQLRADIUS. Example LDAP schema, LDAP records and config file are included.
  • Added new clause ClientListLDAP, which lets you define your Client clauses from an LDAP query, similar to ClientListSQL. Also supports RefreshPeriod, so the Client list can be refreshed periodically. Example config files, LDAP data and schema included.
  • New module AuthBy KRB5 for authenticating against Kerberos 5. Works with Radius PAP and EAP-TTLS-PAP. Substantially contributed by Steve Harper with fixes by Jeff Wolfe. Tested against realms hosted by DCE and MIT K5. Example config file in goodies/krb5.cfg.
  • Testing with pGina, a free Windows login program for Win2000 and XP that uses Radius to authenticate Windows users (http://sourceforge.net/projects/pgina). Works fine with the example goodies/simple.cfg.
  • Further improvements to handling of EAP Requests. Requests other than Notifications are now IGNORED, except for LEAP.
  • Fixed a problem with dictionary that could occasionally cause MSCHAPV2 authentication to fail.
  • Added support for DefaultRealm in Server TACACSPLUS.
  • Added a number of Nomadix VSAs to dictionary. Contributed by Ing. Rosario Pingaro.
  • Fixes to permit <Handler User-Password=xyz> to work with CHAP, MSCHAP and MSCHAPV2, as well as PAP.
  • Added Ascend-Session-Svr-Key to dictionary.ascend. Contributed by tcrholdings.
  • AuthRSAMOBILE.pm was accidentally left out of the 3.9 distribution.
  • Fixed a problem with CommandAuth in ServerTACACSPLUS. Patch contributed by Nick Slager.
  • Added VSAs for Trapeze Networks to dictionary. Contributed by Matthew Gast.
  • In dictionary, MS-MPPE-Encryption-Types of Encryption-40 and Encryption-128 were reversed.
  • Disconnect-Request packets did not get a correct authenticator when proxied.
  • Added support for AddToRequest in field 22, StripFromRequest in field 23 and AddToRequestIfNotExist in field 24 of the ClientListSQL GetClientQuery.
  • Added some more Extreme VSAs to dictionary. Contributed by Carlo Beronio of Extreme Networks.
  • Added new script goodies/mergedetails which will combine multiple accounting details files into a single file in chronological order.
  • Added new goodies/vlanhooks.txt, with example hooks for handling multiple downstream authenticators, and NASs with incompatible interpretations of Tunnel-Private-Group attributes. Contributed by Matthew Gast.
  • Added VSAs for Sonic Wall to dictionary, contributed by Joe Levy.
  • Testing on Lindows 4.5. OK.
  • Improvements to domain handling in AuthBy LSA. New parameter DefaultDomain specifies the domain if the user does not specify a domain in their username. PEAP now passes the entire DOMAIN\username to the authenticating module. If you are using PEAP-MSCHAPV2 with AuthBy FILE, users should not specify a domain when they log in (unless you have DOMAIN\user in your users file). Also added new parameters Group and DomainController to AuthBy LSA. The Group parameter allows you to specify that each user must be the member of at least one of the named Windows global groups. More than one required group can be specified, one per Group line. Requires Win32::NetAdmin (which is installed by default with ActivePerl). If no Group parameters are specified, then Group checks will not be performed. Only Global groups are supported. If Group is required and DomainController is not specified, it will attempt to find the domain controller based on the user's domain. Example usage in lsa.cfg.
  • Fixed a problem in goodies/radacctSorted.cgi that could cause a ‘divide by zero’ error when used with an SQL database.
  • Improvements to AuthLog SYSLOG and Log SYSLOG, so that multiple instances of the logger with different Facility parameters will work as expected. Contributed by Heikki Vatiainen.
  • Versions of Radiator that require a key for unrestricted operation now identify themselves as ‘LOCKED’ rather than ‘EVALUATION’.
  • Added new command line flag to radpwtst. The -eaphex flag allows you to specify an EAP-Message in hex. Contributed by Martin Noha.
  • Added new ConnectionHook parameter to SqlDb.pm. This allows any Sql object (like AuthBy SQL etc) to run database-specific code each time Radiator (re)connects to the database. This is most useful for executing func() to configure the database connection in customised ways. Example hook in goodies/sql.cfg. Suggested by Oleg E. Shubarov.
  • Fixed a typo in ServerConfig.pm, that resulted in ‘acccess requests’ in status reports.
  • ClearTextTunnelPassword parameter was moved from AuthBy RADIUS to AuthGeneric, so that all AuthBy modules (not just RADIUS proxying) now honour it. Suggested by Patrik Forsberg.
  • New version of Windows Authen-ACE4 PPM package, compiled for both ActivePerl 5.6 and 5.8 with recent SDK for Server 2003 etc. Also PPM summary files for use with PPM3.
  • EAP-MSCHAPV2 in an inner authenticator now honours AddToReply, AddToReplyIfNotExist and DefaultReply.
  • Fixed an incorrect header length with EAP-PEAP version 1. Fixed a problem with cached EAP-PEAP version numbers. Reported by Jouni Malinen.
  • goodies/radwho.pl now lets you set the table name to use with the -table argument.
  • Modules that use syslog now do openlog;syslog;closelog for each log message so that if the syslog facility restarts, Radiator will reconnect to it.
  • ReplyHook can now set $op->{RadiusResult} to force a particular response.
  • Fixed a problem with goodies/radwho.cgi where some browsers did not work correctly with the ‘delete session’ link.
  • AuthBy RADIUS now determines a suitable local source socket address from LocalAddress, based on whether the destination address is IPV4 or IPv6. The first suitable address in the LocalAddress list will be used as the source address. If LocalAddress does not specify a suitable IPV4 or IPV6 address for the intended destination, the appropriate ‘any address’ will be used, which generally means the default source address for that host.
  • AuthBy RODOPI now supports Rodopi 5.4 Cisco VOIP authentication and billing. Requests that contain the ‘cisco-h323-conf-id’ attribute will be handled with the VoipAuthSelect and VoipAcctSQLStatement parameters.
  • Common authentication methods now accept all passwords if NoCheckPassword is set.
  • radwho.cgi now sets the refresh time to 0 after terminating a user, so the automatic browser refresh doesn't keep clobbering the user. Patch submitted by Richard Vander Reyden.
  • EAP MD5-Challenge now rewrites the EAP identity using RewriteUsername.
  • Fixed a problem with EAP TTLS where the TLS client-hello would not be honoured properly on some combinations of client and AP.
  • AddressAllocator SQL now does not run the AllocateQuery if it is an empty string. Also, the expiry time is now calculated once for each allocation, and passed to FindQuery as %2. Suggested by Andy M.
  • In dictionary, some 3GPP attributes were incorrectly called just GPP.
  • Added Giganews VSAs to dictionary. Contributed by Carl Litt.
  • Testing with jradius-client, a java Radius client from sourceforge. OK.
  • Fixed a problem that prevented IPV6 DNS names being used. Reported by Paul Dekkers.
  • Fixed problem with a number of authentication modules that could cause a crash when doing logPassword when used to authenticate for Monitor or Server TACACSPLUS requests. Reported by Carl Litt.
  • Improvements to handling of Windows NT Hashed passwords. Encrypted-Password may now be either 32 bytes of hex encoded NT hashed password, or 16 bytes of binary NT hashed password or 13 bytes of Unix crypt password. User-Password now supports NT Hashed passwords in the form User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4. The NT Hashed passwords work with PAP, and now with MSCHAP, MSCHAPV2, EAP-MSCHAPV2 and EAP-LEAP. This provides compatibility with Samba SMB passwords (either in a flat file or in LDAP).
  • In PEAP, AllowInReply could cause MPPE keys to be unexpectedly stripped from the reply.
  • Fixed a potential issue in TTLS session resumption. Reported by Roy Badami.
  • Added goodies/radlog.cgi, a CGI script to view the tail of a Radiator log file. Can be helpful for helpdesk troubleshooting. Contributed by Mohammad Junaid, Cyberia.
  • Fixed a problem that prevented ClientListSQL properly processing the last column from the query, which can contain a comma separated list of flag names.
  • Changed example LDAP config and sample user data to be compatible with OpenLDAP 2.1. OpenLDAP now defaults to requiring protocol version 3.
  • AuthBy RADMIN can now handle Session-Timeout as a string, such as ‘until Time’. Reported by Oliver Insanally.
  • Core LDAP functions moved from AuthLDAP2.pm to new module Ldap.pm to allow reuse by other LDAP modules such as AuthLDAPRADIUS.pm and ClientListLDAP.pm.
  • Name of the key-locked distribution file changed from Radiator-Demo to Radiator-Locked.
  • AuthLog SYSLOG now supports the LogIdent parameter, similar to Log SYSLOG.

Revision 3.9 (2004-03-17 New features)

  • Added support for Radius over IPV6. Radiator can now receive Radius requests over IPV6, and proxy to remote servers over IPV6. radpwtst can now send requests over IPV6. See goodies/ipv6.cfg for examples. Requires the Socket6 module from CPAN.
  • radwho.cgi now honours the correct sort order after deleting. Contributed by Cameron Moore.
  • Added support for NAS-Type of NomadixSNMP, contributed by Toomas Karner.
  • Fixed a problem that could affect EAP TTLS where the inner request was proxied to another Radius server. Could result in no reply sent back to the AP. Reported by Roy Arends.
  • Added support for NasType of Redback by SNMP. Contributed by Toomas Karner.
  • AddressAllocator SQL now does not run the DeallocateQuery or ReclaimQuery if they are empty strings. Suggested by Kwang Moon.
  • Added more USR VSAs to dictionary, contributed by Joseph Eapen.
  • Improvement to AuthBy RSAMOBILE, so the Tokencode prompt includes the expected SMS message ID if possible.
  • Added support for encrypted passwords in ancient Netscape Mail server format: {NS-MTA-MD5}b6b49e37d494a09bfde663033274bc83cd1bf318fa32c5866166a7edcb1e1c87
  • New hook TranslatePasswordHook for all AuthBy clauses. This hook can be used to apply site-specific translations to passwords, such as forcing lowercase, decrypting or otherwise transforming passwords retrieved from the user database, prior to checking. Works with plaintext, CHAP, MSCHAP etc.
  • Added support for non-standard VSA format for Ascend/Lucent TAOS code 4846. Also added Ascend-MOH-Timeout to dictionary, which will be decoded according to this non-standard format. Requested by Jeroen.
  • Renamed Redback VSA Acct-Reason to RB-Acct-Reason for consistency with all other Redback attributes.
  • Server TACACSPLUS will now print a hex dump of the raw incoming TACACS request if Trace is set to 5.
  • New certificates for testing TLS/TTLS/PEAP. Previous certificates expired in Feb 2004. These new ones expire in March 2006.
  • Added a number of new attributes to the standard dictionary, such as VSAs for Juniper ERX, RB-Client-MAC.

Revision 3.8 (2003-12-24 New features and bug fixes)

  • Added beta support for EAP Generic Token Card, EAP-PEAP Generic Token Card and conventional Radius Access-Accept/Access-Challenge using AuthBy RSAMOBILE and the RSA Mobile authentication system from RSA Security (www.rsasecurity.com). RSA Mobile supports a number of authentication methods, including username and password, an access code sent by SMS to your mobile phone, and RSA SecurID Token Cards; all of these can be configured with AuthBy RSAMOBILE.
  • Fixed a problem with SIGHUP on FreeBSD with the Monitor clause, could cause ‘Could not bind Monitor socket: Address already in use’.
  • Fixed incorrect references in the documentation to /usr/local/etc/radius.cfg.
  • Changes to Server TACACSPLUS, because some TACACS+ clients do not like success packets containing a server message. No server message is ever sent now.
  • Added Redback Acct-Reason VSA to dictionary. Contributed by Kurt Jaeger.
  • Further improvements to Server TACACSPLUS, contributed by Paul Schultz, and confirmed operation with various Cisco and Juniper clients. Added support for CommandAuth, a mechanism for permitting or denying permission for specific commands requested on the Tacacs client.
  • Added cisco-Policy-Up and cisco-Policy-Down VSAs to dictionary.
  • Added EAPTLS_PEAPVersion parameter to all AuthBy clauses, which allows you to control which version of the draft PEAP specification to honour. Defaults to 1. Set it to 0 for unusual clients, such as Funk Odyssey Client 2.22 or later.
  • Fixed a problem with PEAP that could prevent the use of Framed-IP-Address in user records, resulting in an error like:
    Mon Oct 20 15:57:25 2003: ERR: Could not handle an EAP request: Can’t call method “attrByNum” on an undefined value at Radius/Radius.pm line 1440.
  • Fixed problems with Server TACACSPLUS, where some cases of incorrect message packaging were found and fixed by Paul Schultz. Also some special characters like %w and %C did not work correctly with requests originating from Server TACACSPLUS. Reported by Garry Thomas.
  • Added a number of Unisphere VSAs to dictionary. Contributed by Chris Patterson.
  • Fixed a problem with AuthBy RADIUS in Synchronous mode, where if all hosts failed to get a reply, Radiator would stop answering requests until the FailureBackoffTime expired.
  • Fixed problem with incorrect replies to Tacacs accounting requests. Reported by Garry Thomas.
  • Fix for broken Breezenet/Breezecom/Alvarion VSAs. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc through to Breezecom-Attr11.
  • Added Packeteer-AVPair to dictionary.
  • $p->{EAPIdentity} is automatically set to the EAP identity (if known) during EAP processing.
  • Added a number of Altiga attributes to dictionary. Contributed by Karl.Gaissmaier.
  • Added missing documentation for SnmpwalkProg to reference manual.
  • EAP LEAP now honours RewriteUsername to rewrite the LEAP identity before authentication.
  • Added NasType CiscoSessionMIB, which uses the new sessionMIB available in Cisco IOS 12.2.15T. See http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dt_asmib.htm for more details.
  • EAP TLS authentication did not take notice of the common name in the certificate when checking the users file. Every users certificate Common Name is now required to be in the users file.
  • Some types of errors in initialising the TLS library would only affect the first EAP request. Subsequent ones could succeed where they should not.
  • Added Copper Mountain Networks Vendor Specific Attributes to dictionary.
  • Fixed a problem where runt EAP-Message attributes could cause ERR messages like “Could not load EAP module Radius::EAP_;”
  • New argument -rawfileseq added to radpwtst. Contributed by Martin Noha.
  • Added generic, configurable one-time-password module AuthBy OTP that can be used with EAP-OTP, EAP-GTC and standard dialup. Hooks allow you to generate random passwords and deliver them through a back channel such as SMS by calling an external program.
  • Fixed a bug in AuthBy SQLRADIUS where falling back to the secondary would not occur under some circumstances.
  • Added new parameter SQLRecoveryFile so that any SQL clause (such as AuthBy SQL etc) can log failed SQL 'do' queries to a file for later recovery. Performance improvements to AuthBy SQL accounting. Suggested by Kenneth Cheung.
  • Fixed some problems with session resumption on Windows XP EAP-TLS and openssl that could cause a crash.
  • Added support for RFC 3576 Error-Cause attribute to dictionary. Also added recognition for all Radius packet types per RFC 3576. Added Acct-Tunnel-Packets-Lost per RFC 2867 to dictionary.
  • AuthLog is now passed the reason (if there is one) even with accepts. Suggested by Robert Kiessling.
  • Improvements to PEAP, TTLS and TLS error handling. The SSL context is now cleared on EAP failures.
  • Added goodies/multiprofile.txt, which contains a contribution from Matthias Wamser, showing how to provide different sets of reply items for different types of Dialup, DSL services etc.
  • Fix to Server TACACSPLUS so that special characters that depend on the OriginalUserName like %u will work.
  • Added Propel VSAs to dictionary, contributed by Craig Gittens.
  • In SessionDatabase SQL, username is now always quoted when it is available as %0.
  • Added support for DEC VMS style hashed passwords, in the format
    {dechpwd}algorithm|salt|hashedpassword
    eg: {dechpwd}3|1234|85ad61e72a41dec4
    Requires Authen-DecHpwd from CPAN.
  • Fixed one case of use of LOG_WARN instead of LOG_WARNING in Server TACACSPLUS. Reported by Robert Kiessling.
  • Fixed problem where <Handler User-Password=xxx> would cause a crash.

Revision 3.7.1 (2003-09-26 Important bug fix, support for EAP Generic Token Card)

  • AuthBy RADIUS now correctly handles replies of type Disconnect-Request-ACKed. Contributed by Robert Thomson.
  • Added support for EAP Generic Token Card (EAP type 6). Modifications so that AuthBy OPIE can be used to authenticate EAP-One-Time-Password, EAP-Token Card and EAP-PEAP Token Card from the OPIE one-time-password system. Tested with Funk Odyssey client. Improvements to radpwtst, added the -eapotp and -eapgtc arguments to support testing of EAP One-Time-Password and EAP Generic Token Card.
  • Added support for EAP Generic Token Card and EAP-PEAP Token Card with AuthBy ACE and the SecurID ACE server token code system. Sample config file in goodies/eap_gtc_ace.cfg. AuthBy ACE will also work with EAP PEAP Generic Token Card similar to eap_peap_gtc_opie.cfg.
  • Fixed a typo in attribute parsing that could cause an error like ERR: Bad attribute=value pair:. This typo was introduced in version 3.7.
  • In dictionary, Unisphere-Service-Bundle was incorrectly set as an integer instead of a string. Reported by Jan Munkhammar.
  • Improvements to Server TACACSPLUS by Robert Kiessling: Translate TACACS+ attributes for NAS-Port-Id and Calling-Station-Id for Accounting requests too, not only for Authentication and Authorization requests as before.
  • Typo in dictionary: alreadyDisconneted should have been alreadyDisconnected.
  • Improvements to Server TACACSPLUS suggested by Robert Kiessling: can now use Client-Identifier as a check item to identify requests originated by ServerTACACSPLUS.

Revision 3.7 (2003-09-23 Some significant new features and some minor bug fixes.)

  • Added Cisco LEAP-compatible 802.1x wireless EAP support, and example eap_leap.cfg.
  • Added new AuthBy LSA module which can authenticate PAP, CHAP, MSCHAP, MSCHAPV2, PEAP, LEAP etc against Windows user passwords. Can be run on Windows 2000, 2003 and XP (not Home edition). Requires the Win32-Lsa perl module from Open System Consultants.
  • Added new clause <ServerTACACSPLUS> that acts as a Tacacs+ server and converts Tacacs+ requests into Radius requests. Handles Tacacs+ authentication, authorization and accounting. Sample configuration file in goodies/tacacsplusserver.cfg.
  • New {mysql} password format support did not work correctly on perl 5.005 and earlier, causing failures in the test suite at tests 2w, 2x, 2z, 3a, 3d, 3g, 3h, 4a, 5a, 5f, 6a, 6b, 6c, 6e, 6f, 6g, 6h, 7a, 7b, 7c, 8a, 8b.
  • Performance improvements in regular expression check item matching in AuthGeneric.pm.
  • Performance improvements in regular expression Realm selection.
  • Added VSAs for Alcatel BRAS DSL termination gear to dictionary.
  • radpwtst now honours the -class flag for Access-Requests as well as Accounting-Requests.
  • Fixed EAP-TTLS so that %u works for the inner authentication.
  • Fixed a problem with UseExtendedIds that could cause a crash with “Can’t locate object method “change_attr” via package “Radius::AuthRADIUS””.
  • Testing on Symbol Mobility Server (www.symbol.com). This is a very small ARM Linux server with BusyBox Linux not much bigger than your hand. Takes a CF card as a plug-in file system, and runs Radiator fine, including 802.1x TLS, TTLS and PEAP. Requires cross-compilation of some Perl modules. We can provide instructions if required.
  • Removed logging of password at INFO level during bind in AuthBy LDAP2. Suggested by “Steven P. Crain”.
  • Changed the example EAPTLS_MaxFragmentSize in all EAP configuration examples to 1000 to accommodate Enterasys RoamAbout V2 access points, as suggested by Mark Haidl.
  • New -servicename argument to radiusd allows the name of the Windows service to be specified for -installservice and -uninstallservice, allowing multiple instances of Radiator to be run as Windows services at the same time.
  • Fixed typos in isOnline support for Portmaster3, Portmaster4 and Xyplex.
  • radpwtst now sets the authenticator in Disconnect-Request same as for accounting. Some NASs (notably Cisco) require this.
  • Fixed a problem with radpwtst in -gui mode, where the toolbar expands bigger than it should be. Patch contributed by Cameron Moore. Thanks Cameron.
  • Added AllowInRequest parameter to AuthBy RADIUS, which restricts which attributes can be proxied. Suggested by Toomas Karner.
  • Unrecognised EAP types now result in a REJECT instead of IGNORE.
  • Improvements to PEAP for Cisco PEAP compatibility.
  • AuthBy INTERNAL now takes a RejectReason parameter. This string will be used as the Reply-Message if the AuthBy INTERNAL rejects a request.
  • Improvements to logging messages and documentation for SessionDatabase SQL, suggested by Claude Iyi Dogan.
  • Fixed some typos in the example goodies/url.cfg and goodies/test_url_md5.cgi files.
  • AuthBy RADIUS could crash if BindAddress was set to multiple comma-separated addresses. Reported by Anthony Stanton.
  • Added support for Session-Timeout=”until ValidTo”, which sets the session timeout to be the amount of time left to the end of the ValidTo check item account validity period.
  • In ClientListSQL, PreHandlerHook parameters for each client were not properly compiled, and would not run. Fixed.
  • Added WISPr RADIUS attributes to dictionary, based on Wi-Fi Alliance – Wireless ISP Roaming – Best Current Practices v1, Feb 2003, p 14 http://www.weca.net/OpenSection/downloads/WISPr_V1.0.pdf
  • Dictionary VALUEs that looked like integers would be misinterpreted, especially Tunnel-Medium-Type=802
  • With PEAP-MSCHAP-V2, per-user reply items did not get sent back in the final Access-Accept.
  • AuthBy SQLRADIUS now honours AddToReply and StripFromReply attributes from the Host as well as the AuthBy SQLRADIUS.
  • Changes so that a proxied Access-Reject does not get multiple Reply-Message. Patch by Toomas Karner. Thanks Toomas.
  • Testing with Aegis MDC Linux 1.2.0beta client on RedHat 8. Tested all EAP types, including certificate types with Radiator test certificates. See the Radiator FAQ for further remarks. Added certificates suitable for Linux clients (root.pen, cert-clt.pem) to the distribution.
  • Added more KarlNet VSAs to dictionary, contributed by Clinton – Golden IT.
  • SNMPAgent now correctly honours BindAddress when used with SNMP_Session version 0.92 or later.
  • Added EAPTLSRewriteCertificateCommonName parameter for TLS, which rewrites the Common Name from the certificate before using it to fetch user details from the Radiator database. Suggested by Paul Dekkers.
  • When installing as a service on Windows, you can now specify extra arguments to pass to perl on the command line when the service starts. This is useful for specifying an alternative install directory for the Radiator perl modules, eg: perl c:\Radiator\radiusd -installservice -serviceperlargs -Ic:\Radiator
  • Minor changes to AuthBy OPIE, ACE and CRYPTOCARD to better support tunnelled requests.
  • Added example configuration file showing how to authenticate from an IC-ISP mySQL database. IC-ISP is a full source ISP billing package for Unix. See www.ic-isp.com for details about IC-ISP. Accounting is not supported. Works with IC-ISP 2.0.24 and later.
  • AuthBy SQLRADIUS now honours UseExtendedIds as a configurable per-host parameter, and AuthBy RADIUS now makes each Host inherit its UseExtendedIds from the AuthBy RADIUS clause.
  • Fixed a problem with AuthBy RADIUS where 2 Proxy-State = OSC-Extended-Id could be added when multiple Hosts were involved.
  • Fixed a problem with PEAP MSCHAPV2: if a Domain was specified, the authentication would fail.
  • Radius packets were incorrectly limited to 8192 bytes on reception. Increased to 65535.
  • The Group parameter did not permit symbolic group names.
  • In SessionDatabase SQL, the session ID (%3) was not always quoted correctly in DeleteQuery.
  • Improvements to storage of VALUE in dictionary allows decoding based on the attribute name rather than the number, which allows correct unpacking of attributes with synonyms, such as Ascend-Disconnect-Cause. This involved changes to RDict::valNumToName.
  • Fixed a potential problem when unpacking non-conforming abinary attributes.
  • Added goodies/logisense.txt, containing example configuration, SQL tables and requirements for interoperation between Radiator and ENGAGE*IP. Contributed by STOWE TELECOM, LLC.
  • Added Slipstream-Auth to dictionary.
  • Under certain circumstances on some platforms with AuthLog SYSLOG and Log SYSLOG, syslog can die. Fixed.
  • Added StartHost parameter to AuthBy SQLRADIUS, contributed by Alexander Mayrhofer.
  • Improvements to error handling in AuthBy LDAP2.
  • Testing on Windows Server 2003. No changes in code or documentation required.
  • Testing on HP PA-RISC Linux (Debian). No changes in code or documentation required.
  • Added -outport and -bind_address options to radpwtst.
  • Fixed a problem where AuthBy URL did not handle AuthUrl starting with https://.
  • Fixed a problem involving EAP, where multiple AuthBy clauses could result in incorrect PEAP-MSCHAPV2 challenge message, or using the wrong challenge during authentication.
  • AuthBy SQL now logs to AcctFailedLogFileName if AcctSQLStatement fails as well as if the usual accounting insert fails.
  • AuthBy URL now supports AcctUrl, a URL that will be used for accounting data.
  • Added AuthBy SOAP module for converting Radius requests to SOAP and SOAPRequest.pm for converting SOAP requests back to Radius requests. This SOAP interface is useful for tunnelling through firewalls, improving the reliability of Radius by using TCP as the transport, and for improving security by using HTTPS as the protocol.
  • Added VSAs for Quarry devices.
  • Fixed a problem with parsing of attr=val pairs on some platforms with some locales on perl 5.8.0, due to changes in perl regexp handling.
  • Added new special characters. %A is replaced by the Timestamp in standard SQL date time format eg: Sep 12, 2003 15:48. %B is replaced by the current time in standard SQL date time format eg: Sep 12, 2003 15:48. %F is replaced by the Timestamp in extended SQL date time format eg: Sep 12, 2003 15:48:59. %G is replaced by the current time in extended SQL date time format eg: Sep 12, 2003 15:48:59.
  • In AuthBy SQL, columns inserted by AcctColumnDef are now inserted in alphabetical order by column name. Patch provided by Robert Blayzor. Thanks Robert.
  • On some platforms such as FreeBSD, a Monitor connection would not disconnect properly after a QUIT command.
  • Added a number of new attributes to dictionary for CVX and Valemount. Thanks to Craig Gittens and Greg Schiedler.
  • Dates for Expiration, ValidTo, ValidFrom etc can now have optional hh:mm:ss time component. Also support dd.mm.yy(yy) (hh:mm:ss) format.

Revision 3.6 (2003-04-14 Significant improvements to wireless support)

  • Most AuthBy clauses, including AuthBy RADIUS, now support the ability to try a previously cached password before authenticating or proxying. The new CachePasswords flag causes Radiator to cache the password and reply for previously accepted authentication requests. The cached password will be tried before subsequent authentication attempts. Caution: works with PAP only. Includes improvements to Proxy-State behaviour.
  • AuthBy RADIUS now supports CachePasswords either before or after proxying. The new flag CacheOnNoReply controls whether the cache will be checked before every request, or only after no reply is received. It defaults to 1 (ie check the cache if no reply is received) to be consistent with historical behaviour.
  • Significant improvements to Windows installation process.
  • Added DefaultLimit parameter, allowing you to control the maximum number of DEFAULT users. Defaults to no limit.
  • Added support for password encryption type {digest-md5-hex} which can be used with Digest and SIP (Session Initiation Protocol) authentication.
  • Added support for SIP (Session Initiation Protocol) Telephony Digest authentication, as per draft-sterman-aaa-sip-00.txt, using attributes Digest-Response, Digest-Attributes as defined in the new dictionary.sip.
  • radpwtst now takes a -sip command line argument that forces it to do SIP digest authentication. Requires the new dictionary.sip as well as the old dictionary like this:
            radpwtst -dictionary dictionary,dictionary.sip -sip
  • Ivan Kohler updated the Freeside accounting insert hook, and the file name was changed from freesideacct.pl to goodies/sqlradacct.pl to be consistent with Ivan’s naming convention. Also Ivan’s Copyright notice had been omitted. See goodies/freeside.cfg.
  • AddressAllocator SQL now supports SQL bind variables on databases that provide them.
  • SimpleClient.pm now implements retries. Sample code in goodies/simpleClient.pl
  • Previous changes to quote the community in snmp commands with double quotes for correct operation on Windows somehow got lost. Reinstated.
  • In AuthBy LDAP, AuthBy LDAP2 and AuthBy LDAPSDK, AuthDN and AuthPassword now permit special characters. Requested by Dan Melomedman (dan%dan.dan at devonit.com)
  • Added AuthenticateAttribute parameter to most AuthBy clauses, allowing you to authenticate an attribute other than User-Name.
  • Newly reorganised dictionary had incorrect types for vendor-specific Ascend-Data-Filter and Ascend-Call-Filter. Changed to abinary.
  • Added goodies/sqlclienthook.pl, sample code showing a way to have a ClientListSQL-like database of clients, but still use the file:'filename' style of hooks. Written by German Gatica. Thanks German.
  • Improvements to goodies/radacct.cgi to make it tolerant of Acct-Session-Ids that include spaces. Contributed by petri.maenpaa at satakunnanpuhelin.fi.
  • Improved sorting of Time On field in radwho.cgi. Suggested by petri.maenpaa at satakunnanpuhelin.fi.
  • PasswordLogFileName and WtmpFileName now ensure that the directory exists before writing.
  • Could get multiple EAP-Message attributes when tunnelling EAP-MSCHAPV2 through TTLS.
  • In AuthBy SQL, if there are multiple AuthColumnDef reply definitions, they will be added to the reply in the order of the SQL query column number. Previously the order was not guaranteed.
  • Client and Handler clauses incorrectly did not allow you to specify AllowInReply.
  • Added 3GPP and Quintum Vendor-Specific-Attributes to dictionary.
  • Testing with Solaris 9. OK. We tested with the precompiled Solaris 8 Perl 5.8.0 binary from SunFreeware.
  • Fixed some compatibility problems for OpenSSL 0.9.7 in the example goodies/mkcertificate.sh.
  • The test suite now tests with a user ‘testuser’ not ‘mikem’.
  • Added detailed installation instructions for Mac OS X to goodies/osx.txt.
  • All EAP configuration parameters involving files now support special characters.
  • Added sample EAP certificates to the distribution. None of these certificates should be considered to be secure, and they should NOT be used in a production environment, but only for testing and proof-of-concept for your project. You should use a reputable Certificate Authority package such as CAtool to generate your production certificates. See certificates/README for details on how to use them.
  • Updated example goodies/eap_* configuration files to use sample certificates.
  • The default location of the configuration file for radiusd on Unix has been changed from /usr/local/etc/radius.cfg to /etc/radiator/radius.cfg. On Windows, it now defaults to C:\Program Files\Radiator\radius.cfg.
  • Added goodies/opie.txt, detailed instructions for installing and configuring OPIE on RedHat 7.3 for use with FW-1. Contributed by “Mark Wellins” (markw at checkpoint.com)
  • Log SQL now has the SQL quoted User-Name available as %4.
  • The Microsoft XP SP1 PEAP client uses the wrong MPPE keying material. The new version of EAP_25.pm detects the Microsoft client and interoperates with it as well as with compliant clients. Reported by “Tom Rixom” (tom.rixom at alfa-ariss.com).
  • Improved compatibility with PEAP compliant 802.1x clients, as well as with the broken Microsoft version 0 PEAP client. Now works with Meetinghouse Data's Aegis version 2 client with PEAP (and all other Aegis client authentication types).
  • Added support for 'Session Resumption' for EAP-TTLS and 'Fast Reconnect' for PEAP. Can be optionally disabled with the EAPTLS_SessionResumption flag (defaults to enabled). The time limit for session resumption can be specified with EAPTLS_SessionResumptionLimit. Defaults to 43200 seconds (12 hours).
  • Added goodies/eap_anon_hook.pl, a hook which fixes the problem with some implementations of TTLS, where the accounting requests have the User-Name of anonymous, instead of the real user's name. This hook caches the real user name in an SQL table and then does a lookaside to replace the User-Name in accounting requests. Example usage in goodies/eap_ttls.cfg. Example table in goodies/mysqlCreate.sql.
  • Fixed a problem that would cause a crash if Handler User-Password=xxx was used.
  • Performance improvements in AuthGeneric logging. safeLog no longer needed.
  • Improvements to SessionDatabase SQL, contributed by Jeremy Hinton (jgh at visi.net). If your CountQuery SQL statement is written to return a fifth argument (the default is just four), the value of the fifth argument is used in the querying of the NAS as the username to look for.
  • The new BasicSelect parameter mechanism in AuthBy PLATYPUS was broken in version 3.4
  • Minor error logging improvements in AuthBy UNIX.
  • When inner PEAP authentications were proxied, there was no Message-Authenticator included, which could cause some remote radius servers to not reply. Reported by Kawakubo, Ken (kkawakub at fhcrc.org).
  • Added VSAs for Juniper Networks to dictionary. Contributed by eric at ypass.net.
  • New special character %E is replaced by total time (in seconds) since the request was received.
  • Fixed a problem when %c or %C was used with tunnelled requests, causing a crash.
  • Added support for new check items EAPType and EAPTypeName which match the EAP protocol number (4, 13, 26 etc) and EAP protocol name (MD5, TLS, MSCHAP-V2 etc) that the authentication request was carried in.
  • Added a number of Unisphere, Ascend-Disconnect-Cause and Acct-Terminate-Cause attributes to dictionary. Contributed by Rui Lapa (rui.lapa at oni.pt).
  • Example simple users file goodies/linux-users moved to goodies/users.
  • On Windows, ‘perl Makefile.PL install’ now installs sample config file, sample users file and dictionary in ‘c:\Program Files\Radiator’ (if they do not already exist there). The files goodies/linux-users was moved to goodies/simple-users. New sample config file for Windows in goodies/windows.cfg.
  • New module Radius/Win32Service.pm to manage automatic installation and running of Radiator as a Windows service. Radiusd internals reorganised to support this. Requires Win32::Daemon (install with ppm install http://www.roth.net/perl/packages/win32-daemon.ppd).
  • The Server Started message now logs at NOTICE level for improved monitoring. Suggested by Scott Worthington (scottw at bnsi.net).
  • Added VSAs for UTStarcom Issanni DSL router to dictionary. Contributed by butch at infowest.com.
  • SNMP now recognises the ‘Timeout’ error message from some types of SNMP client, especially net-snmp (v5.0.8) (or ucd-snmp v4.2.3) on Windows.
  • Added support for MySQL hashed password, as produced by the MySQL password() function, in the format User-Password = “{mysql}0569ef75321b8fed”.
  • Client duplicate detection now ignores the source port, due to some clients (notably Cisco APs) using a different port for every request, resulting in excessive memory usage.
  • Improved handling of Proxy-State. Proxy-State attributes are now never proxied: they are always copied (once) by the proxy server. This prevents multiple copies and facilitates other improvements such as extended ids support. Further, Proxy-State is now expected to work correctly with EAP requests, CachedPasswords etc.
  • Added support for UseExtendedIds in AuthBy RADIUS. This mechanism uses a more robust type of Radius packet identifier that is more tolerant of large bursts of packets and various other environmental problems. This mechanism uses Proxy-State to carry a packet identifier with a much larger range, compared with only 256 that the Radius protocol specifies. This mechanism will replace the ServerHasBrokenPortNumbers and ServerHasBrokenAddresses flags, which are now deprecated. Based on code contributed by various staff at KPN. Thank you!
  • Added a number of attributes from http://www.iana.org/assignments/radius-types to dictionary, including some new Service-Type, Tunnel-Type, Acct-Terminate-Cause etc.
  • Added LogIdent parameter to Log SYSLOG, allowing you to specify an alternative ident for syslog. Defaults to the executable name as before. Suggested by Stefan Moser (sm at open.ch).
  • AuthBy RADIUS now supports the ClearTextTunnelPassword flag, which prevents Tunnel-Password being decrypted and reencrypted during proxying, to support older NASs that do not support encrypted Tunnel-Passwords.
  • Fixed a problem with hanging on Oracle in disconnect with some types of network failures. Contributed by Rodney Volz (rodney at LF.net).
  • Fixed a problem that would cause double logging to files of any startup errors detected within ServerConfig.
  • The ability to match empty string check items was broken in 3.4.
  • radpwtst now has -eapmd5 flag for testing EAP-MD5 challenge. Test suite now uses it.
  • Removed MacRadiusd.sit.hqx from distribution. It is now defunct and caused problems during unpacking on MacOSX.
  • Fixed a problem with AuthBy RADMIN affecting vendor attributes that have no integer definitions. Patch contributed by Stephan (sschoenberger at monzoon.net).

Revision 3.5 (2002-12-17 Minor fixes)

  • Added files EAP_24.pm and EAP_26.pm which were omitted from the previous release. They are required for PEAP and EAP-MSCHAP-V2.
  • Attributes from all dictionaries have been reorganised and amalgamated into a single dictionary file called 'dictionary' in the main distribution directory. There is still a dictionary.ascend that contains the old-fashioned non-vendor-specific Ascend attributes that may be required by some installations. All the dictionaries that were previously shipped in the main distribution are now redundant and have been moved to the goodies directory for reference only.
  • Fixed typo in SessSQL.pm.
  • Pavel A Crasotin (pavel at ctk.ru) provided a new version of his goodies/AuthPLSQL.pm patched to support ‘request’ type.
  • Fixed a problem in example goodies/kerberos.txt caused by change in args to decode_password in version 3.4. Reported by Chris Myers (c.myers at its.uq.edu.au)
  • RPM adjusted so shutdown scripts are not present for run levels 3, 4, 5, 6. Suggested by Gustav Foseid (gustavf-radiator at initio.no). Thanks Gustav.
  • goodies/radimportacct now exits with non-zero status if any inserts failed. Suggested by “Eli Tovbeyn” (eli at xpert.com).
  • Example goodies/jet.cfg updated to use the new external program recommended by Obsidian.
  • Now log DEBUG message at startup when dictionary file(s) and configuration files are read, showing the name of the files.
  • Added SimpleClient.pm, a module that makes writing a simple Radius client simple.

Revision 3.4 (2002-11-29 Significant new features and some fixes)

  • Added support for PEAP and EAP-MSCHAPV2 (as used in Windows XP SP1).
  • Significant enhancements to EAP support, including: TTLS session resumption, improved performance, reduced duplicated code, correct use of EAP identities during authentication, more config examples, configurable User-Name during EAP decode-proxying etc.
  • Added support for AutoMPPEKeys for EAP-TLS. Tested with Windows XP etc. Moved some common TLS and TTLS code to a new module Radius/TLS.pm. Requires Digest-HMAC and Digest-SHA1 from CPAN. Now full Dynamic WEP key protection is available for both TLS and TTLS in Radiator.
  • Testing and some minor fixes for Meetinghouse Data Corp’s Aegis wireless client, including MD5, TLS, and TTLS (PAP, CHAP, MSCHAPV1 and MSCHAPV2).
  • EAPType can now be a comma separated list of permitted EAP types, with the default (most preferred) named first.
  • Changes to EAP_21.pm for improved interoperation with Meetinghouse Aegis TTLS clients.
  • Added support for Certificate Revocation List (CRL) checking to EAP-TLS. Caution: requires Net_SSLeay-1.20 _plus_ patches, and also openssl 0.9.8 or later.
  • Radiusd now supports multiple authentication and accounting ports with AuthPort port,port,port… and AcctPort port,port,port…
  • AuthBy FILE now supports quoted user names with embedded white space, eg “fred bloggs”
  • AuthBy ADSI now supports SearchAttribute, permitting searches for users as well as direct binding. Also added GroupRequired to make group membership checking quicker and easier. Also improved performance of CheckGroup, and obsoleted need for CheckGroupServer (CheckGroup now checks the group list returned from the user bind). Much of this code contributed by Mark Motley (mark at motleynet.com). Thanks Mark.
  • SessionDatabase SQL now supports a new parameter ReplaceQuery. If it is defined it will be used to add a new record to the session database. If it is not defined then DeleteQuery/AddQuery will be used as before. This can improve performance in SQL databases that support the ‘insert or replace’ type of query, such as MySQL.
  • Special character %W (the realm of the original user name) was not translated correctly.
  • The global Trace parameter did not appear in Radar parameter inspection. Now appears and can be modified from within Radar.
  • Fixed a problem with setting new effective group ID with Group. On some platforms and with some configurations, it would incorrectly report that setting the egid had failed when in fact it had not. Also fixed a problem where setting the egid would fail on some platforms if User was also used to set the euid.
  • Added dictionary.hiper, a dictionary for 3Com Hiper Access Router Card, in MERIT RADIUS format. This is added verbatim, and is not compatible with Radiator format.
  • Added Lucent-Vendor-Specific VSA to dictionary
  • When an SNMP sim-use check is run, the community is now quoted with double quotes, not single quotes. Single quotes don’t work properly with Windows shells.
  • radwho.pl moved to goodies and out of the standard executables.
  • Fixed a problem with AuthBy INTERNAL, where during Accounting Processing, the AcctAlive and the AcctStop commands never run, while the command AcctStart is executed with Acct-Status-Type=Alive|Start. Reported and fixed by Giuseppe Denora (g.denora at elitel.it). Thanks Giuseppe.
  • AuthBy RADMIN now uses the new ValidFrom and ValidTo check items rather than checking them internally. This will permit NoDefaultIfFound to work correctly with RADMIN. Reported by “Thomas Hartley/NCO/CEtv” (thartley at austar.com.au).
  • Added RFCs 2869 and 2882 to the distribution.
  • Added to goodies/hooks.txt an example hook to add User-Name attributes to accounting requests that may not contain them.
  • Tagged-string attributes were not unpacked correctly if there was no tag present. Reported by Tony Landells (ahl at austclear.com.au).
  • DEFAULT users with a Suffix check item did not always work correctly. Reported by Tony Landells (ahl at austclear.com.au).
  • Fixed a problem with FramedGroup with large port numbers, where the third octet of the computed address could have silly values. Reported by “Miro Majcen” (miro.majcen at smart-com.si).
  • Fixed a problem where a FramedGroupMaxPortsPerClassC of 0 could cause a crash. Reported by “Miro Majcen” (miro.majcen at smart-com.si).
  • Added example configuration file for Telstra (Australia) Dial Connect Virtual ISP.
  • Testing with Perl 5.8.0. OK.
  • AuthLogSQL always reconnected to the database even when there was nothing to do. Reported by Dan Melomedman (dan at devonit.com).
  • AuthBy RADMIN did not correctly handle some integer valued check items.
  • Improvements to SessionDatabase SQL, so that the NAS ID, NAS port and SQL quoted Acct-Session-Id are available in the AddQuery.
  • AuthBy POP3 now permits special characters in the Host field, so that you can handle multiple domains automatically with ‘Host pop3.%W’
  • Log SQL and Log EMERALD did not correctly recover from an SQL database outage. No further logging would occur, even after the database came back.
  • In Log SQL, the Table parameter now takes special characters.
  • AuthBy ADSI did not correctly handle some AuthAttrDef attributes. For example if there was more than one otherHomePhone, an incorrect check would be made. Reported by Billy Li (billyl at unitechnetworks.com). More below about this.
  • Added an example xinetd configuration file for Linux and others to the goodies.
  • Added example configuration file for Jet ISP billing in goodies/jet.cfg. Jet is a user management and billing system, specifically designed and created for ISPs. Written in Python and Zope, it is highly flexible, and has a modular construction allowing for additional modules to support a customer’s specific needs. It comes with full source code, and Obsidian’s development team is available to produce extensions as required.
  • Added StatisticsOnly flag to Monitor.
  • Added GroupRequired to AuthBy NT on Windows, which ensures the user is a member of the named group. Contributed by “Motley, Mark” (Mark_Motley at earthtech.com). Thanks Mark.
  • Most check items now permit alternation with multiple permitted values separated by vertical bar (‘|’). Also, in AuthBy ADSI and AuthBy LDAP*, if an AuthAttrDef of type ‘check’ is multi-valued, it will be automatically converted into alternates, so you can use multi-values to do a one-of check item match.
  • Added goodies/rcrypt, a simple command line utility to do Rcrypt encryption and decryption of passwords.
  • Testing with Mandrake 9.0. No issues or changes required.
  • Added Session_Error_Code and Session_Error_Msg to dictionary.redback
  • Fixed a problem with AuthBy ACE that would cause it to hang if run in the background.
  • Improvements to AuthBy SQL for formatted-date. If Date:Format is not available, logs an error and ignores the column. Suggested by Martin Edge (martinedge at kbs.net.au).
  • AuthBy EXTERNAL now REJECTS if the external program exits due to a signal. Suggested by Inglesant Philip (Philip.Inglesant at netscalibur.co.uk)
  • radwho.pl and radwho.cgi were opening /tmp/xxx instead of /dev/null as workaround for freetds problems. Reported by “Utku Er” (erutku at netone.net.tr).
  • Improved isonline checking for Cisco. Now handles ISDN ports (ie larger than port 20000) with finger. Contributed by “Utku Er” (erutku at netone.net.tr).
  • Can now specify multiple BindAddress addresses, comma separated. Suggested by Jeremy Hinton (jgh at visi.net).
  • Added goodies/CiscoDialupIPPools.doc, a document describing how to do basic ip address assignment for Cisco dialup using radiator. Contributed by “Kent, Ashley” (akent at ue.com.au).
  • Testing EAP with Net::SSLeay 1.21. OK.
  • Fixed a problem with AuthBy POP3 where a failed POP3 connection could cause a crash. Reported by “Johannes Demel” (demel at zid.tuwien.ac.at). Also testing with POP3Client 2.12. OK.
  • Fixed a problem where HUP signal on FreeBSD could cause crashes with “Could not bind authentication socket: Address already in use at radiusd line …”. Reported by “Giuseppe Denora” (g.denora at elitel.it).
  • Testing with Apple AirPort base station. OK for MAC authentication. 802.1x EAP authentication is not supported by AirPort. Added entry to FAQ describing how to set up.
  • Handler now detects accounting Acct-Status-Type of Interim-Update in the same way as type Alive, for compatibility with some non-standard dictionaries.
  • Fixed a problem with AuthByPolicy ContinueWhileIgnore and Auth-Type=Ignore not working as expected. Reported by Petr Zimak (Petr.Zimak at unibas.ch).
  • Added new AuthBy IMAP module, to authenticate from an IMAP server. Contributed by Petr Zimak (Petr.Zimak at unibas.ch). Also example config file goodies/imap.cfg.
  • Added new module AuthBy HTGROUP and example goodies/htgroup.cfg, which can be used to confirm group membership according to an Apache htgroup file. Contributed by Rodger Allen (rodger at infrasecure.com).
  • Fixed a problem with unreliable packing of integer8 Radius attributes.
  • In AuthBy PLATYPUS, can now use BasicSelect parameter to alter the basic user select clause. AuthSelect is still used to optionally augment BaseSelect.
  • Added goodies/AlterNASPort.pl, an example hook to convert Cisco-NAS-Port to NAS-port so you can use the standard session database and NasType Cisco. Contributed by Paul Pilsbury (ppilsbur at connect.com.au).
  • In AuthBy INTERNAL, any error in compiling a hook will result in an IGNORE if the hook is used. Previously, it would ACCEPT. Suggested by “Giuseppe Denora” (g.denora at elitel.it).
  • Improvements to SNMP simultaneous use operations, so that if a NAS fails to respond Radiator will not try to contact it again for SnmpNASErrorTimeout seconds. Contributed by Greg B Zemskov (tingor at kraft-s.ru).
  • AuthBy RADMIN now ignores bad logins if the bad logins column is set to NULL, or if the MaxBadLogins parameter is set to 0. Suggested by Nicolai van der Smagt (nicolai.vandersmagt at BBNED.NL).
  • Fixed a problem where an SHA password would cause a crash unless Digest::SHA1 is installed. Reported by Camilo Echeverry (caecheverryj at telesat.com.co).
  • Testing with Windows 2000 802.1x hotfix. OK.
  • Improved workaround for UTF8 problems in perl 5.8. All sockets are now binmode to raw mode, preventing wide character interpretations.
  • Performance improvements in Nas.pm for NAS-specific module loading.
  • AuthEMERALD.pm and AuthEMERALD4.pm needed ‘use Radius::Client’ to prevent errors when using AuthBy EMERALD with any Client clauses in the config file. Reported by Carlos Molina (cmolina at net-uno.net).
  • ReplyHook is now passed a ref to the Radius::Host structure for the downstream radius server.
  • Added Netscreen vendor specific attributes to dictionary. Contributed by david.loesche at yipes.com.
  • Radius::decode_password is now more generalised. It can decode any argument, not just the password from the current packet.

Revision 3.3.1 (30/8/02 Minor release to fix install problems)

  • Makefile.PL used SITEPREFIX to determine where to install library files, but this is not available on all platforms. Removed.
  • Added Unisphere-Pppoe-Description to dictionary. Contributed by “Brian Morris” (brian at netspeed.com.au) and Chris Patterson at TransACT.
  • Fixed a typo in EAP_13.pm which meant that sometimes EAP-TLS would fail if multiple simultaneous authentications were in progress.
  • SessionDatabase SQL did not allow you to configure ClearNasSessionQuery. Reported by Frederic Olivie (alf at club-internet.fr)
  • AcceptIfMissing did not operate correctly if the user existed but a check item was incorrect. Reported by “Simon Dixon” (sdixon at highway1.com.au).
  • Added new DisconnectAfterQuery to SqlDb.pm that causes all SQL modules to disconnect after a do or a getOneRow. Can be useful for some broken SQL servers that try to disconnect idle SQL connections, but then hang when trying to reconnect.

Revision 3.3 (27/8/02 Important Security Update and some minor new features)

  • Important Security Update: Removed support for the %Eval special character syntax due to security issues that can affect AuthBy SQL and AuthBy LDAP*. We recommend that all operators of Radiator 3.0, 3.1 and 3.2 upgrade to this version immediately.
  • Testing EAP TTLS with Net_SSLeay-1.20. OK. No patches to Net_SSLeay are required now.
  • Added handling for StripFromRequest, AddToRequest and AddToRequestIfNotExist to Client and AuthBy GROUP.
  • Default install directory for Radius/*.pm library files changed to be independent of perl version and for improved RPM installation.
  • Improved handling of failure to open dictionary. Patched by Frederic Olivie (alf at club-internet.fr). Thanks Frederic.
  • Fixed a typo in AuthBy PLATYPUS that can cause an error like: (Missing operator before EQ?). Reported by Justin White-Lowther (jw351898 at oak.cats.ohiou.edu).
  • Added goodies/rcradiator, a Linux LSB compliant startup script, contributed by Carlos Perasso (carlosrp at idea.com.py). Thanks Carlos.
  • AuthBy GROUP was incorrectly checking DefaultSimultaneousUse for accounting as well as Access-Request packets. Reported by “James M. Luedke” (james at enabledsites.com).

Revision 3.2 (20/8/02 New features and fixes)

  • Caution: Updated AuthGeneric.pm and MSCHAP.pm to use the more modern Digest::SHA1 instead of SHA. If you are using SHA passwords or MSCHAP authentication, you must install Digest::SHA1.
  • Added new AuthBy URL module, contributed by Mauro Crovato (mauro at crovato.com.ar). This module authenticates by sending the username and password (optionally encrypted) as tags to a URL by HTTP. A CGI or ASP program at the URL authenticates the password.
  • Fixed some interoperability problems with EAP-TLS. Testing with Aironet AP and Client cards with OpenSSL and Xsupplicant on Linux and Windows XP.
  • Beta support for EAP-TTLS as used by Funk Odyssey clients. Supports TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPV2 for both local and proxy authentication. See example configuration files goodies/eap_ttls.cfg and goodies/eap_ttls_proxy.cfg. TTLS is Tunnelled TLS, as per draft-ietf-pppext-eap-ttls-01.txt. It is supported by Funk Odyssey wireless clients through a variety of wireless access points. It provides one-way TLS authentication (the client authenticates the radius server), and authentication requests are delivered securely to the radius server via the encrypted TLS tunnel. Unlike TLS, TTLS does not _require_ a certificate on each client.
  • Tested EAP MD5-Challenge with Aironet AP and Client cards and Windows XP. Added example goodies/eap_md5.cfg config file.
  • Added more Spring Tide VSAs to the dictionary. Contributed by atesillo at ctgred.net.co.
  • AuthBy SQL now runs AuthSQLStatement even if AuthSelect is empty.
  • A debug print statement was accidentally left in AuthLog SQL.
  • AuthBy SQL AcctColumnDef now cannot insert the same column multiple times. If there are multiple AcctColumnDef definitions for the same column name and with non-null values, the last one will be the one inserted. This is most likely to improve the case where there are two NASIdentifier definitions, and the NAS reports both NAS-IP-Address and NAS-Identifier. A number of example config files were changed so that NASIdentifier is preferred if present.
  • AuthBy SQL now supports HandleAcctStatusTypes parameter, which allows you to specify a comma separated list of AcctStatusTypes that will be processed. All other types will be acknowledged, but not inserted or processed with AcctSQLStatement. This is a more general mechanism than AccountingStartsOnly, AccountingStopsOnly and AccountingAlivesOnly, and these parameters are now officially deprecated and will not be supported in the future.
  • A typo in Radius.pm prevented Ascend-Xmit-Rate working properly. Reported by “Romain Vergniol” (romain.vergniol at cegedim.fr).
  • In the event of no reply from any hosts, AuthBy SQLRADIUS now runs the NoReplyHook before any FailurePolicy automatic reply. Previously it was run after the automatic reply.
  • Added Roaring Penguin VSAs to dictionary. Contributed by “Scott Helms” (khelms at zcorum.com). Thanks Scott.
  • Added to Monitor support for Clients parameter, a comma or space separated list of IP addresses that Monitor will accept connections from. Default is to accept from any address.
  • Added a number of new Altiga VSAs to dictionary, contributed by “neil d. quiogue” (neil at quiogue.com)
  • Added /usr/local/etc/radiator to the dictionary search path for radpwtst. Suggested by “Martin Edge” (medge at affinityinternet.com.au)
  • Added UseTLS parameter for forcing TLS encryption in AuthBy LDAP2. Contributed by Carl Litt (carl at execulink.com). Thanks Carl.
  • Added new flags to AuthBy NT on Windows. IgnoreAccountExpiry causes AuthBy NT to ignore the NT account expiry flag when users attempt to log in. IgnorePasswordExpiry causes it to ignore the password expired flag. IgnorePasswordChange causes it to ignore the password change required flag.
  • radpwtst -gui was not correctly showing packet dumps in the ‘Detailed’ trace level.
  • Fixed a problem where an incorrect data length in an incoming radius packet could result in reports of a ‘Malformed request packet:’. Reported by “Thilo Wunderlich” (tw at 7eins.net)
  • New parameter AuthCheckDN in AuthLDAP2 alows you to specify an alternative DN to use to check a user’s password, instead of the one returned by the search result. Patch supplied by Jeremy Hinton (jgh at visi.net). Thanks Jeremy.
  • Fixed a problem where HUP or reinitialise with a broken SNMPAgent clause could cause a crash.
  • Fixed goodies/hooks.txt. Example use of replyTo() fixed to be in line with new API.
  • Improvements to AuthBy RADIUS (and by inheritance AuthBy SQLRADIUS) so that Host addresses that aren’t resolved are reported but don’t crash Radiator. Reported by “Sebastian Filzek” (sebastian at filzek.org).
  • Attempts to use Session-Timeout in the form nnnn would cause a crash. Reported by “Radius Impsat” (radius at impsat.net.ec).
  • The MS-CHAP2-Success reply in response to an MSCHAP V2 authentication was incorrectly formatted.
  • Crypt encoded passwords can now be flagged with {crypt}… or {CRYPT}… It’s now case insensitive. Similarly for {rcrypt}, {MD5} and {SHA}. Suggested by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de) for compatibility with slappasswd. Thanks Karl.
  • The internal session database is now tolerant of Session-IDs with embedded colons, as used by Nortel CVX 1800 etc.
  • Fixed a problem with AuthBy LDAP2 and UseTLS. Could crash after multiple authentications. Reported by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de).
  • AuthBy RADMIN did not correctly increment bad logins count if encrypted passwords were in use. Reported by glenn_pierce at EnterpriseServices.com.au. Thanks Glenn.
  • When used with MSCHAP V2, the AutoMPPEKeys flag in any AuthBy now automatically generates MS-MPPE-Send-Key and MS-MPPE-Recv-Key as per RFC 3079. When used with MSCHAP V1 it still sends MS-CHAP-MPPE-Keys. Reported by Stephan (sschoenberger at monzoon.net). Fixes interoperability issues with some PPPoE clients.
  • Some tagged string attributes such as Tunnel-Client-Endpoint did not get encoded correctly if no tag was explicitly specified. Reported by Bob Shafer (bshafer at du.edu).
  • AuthBy SQLRADIUS did not correctly handle RewriteUsername in host definitions. Reported by “James Wiegand” (jwiegand at fiberlink.com).
  • Added USR-Terminal-Type to dictionary. Required by Roaring Penguin. Contributed by Andy Linton (asjl at lionra.net.nz).
  • AuthBy TACACSPLUS now supports an AuthType parameter, which allows you to force the Tacacs+ protocol to use PAP or ASCII authentication. Contributed by Jean-Claude Christophe (jch at oleane.net). Thanks Jean-Claude.
  • AuthBy RADIUS incorrectly added AddToReply etc to all replies, not just Access-Accept.
  • Fixed some problems with radacct.cgi reported by Andy Linton (asjl at lionra.net.nz)
  • AcceptIfMissing did not append AddToReply parameters. Reported by Jeje (jeje at jeje.org).
  • radacct.cgi, radconfig.cgi and radwho.cgi which were previously in the top level of the distribution were moved to the goodies directory so that they would be included in RPM distributions.
  • Fixed a problem in AuthGeneric where the combination of AcceptIfMissing and Auth-Type=Reject behaved incorrectly. Reported by Jaafar Bin Sarim (jrsm at staff.singnet.com.sg).
  • Added some Nomadix VSAs to dictionary. Contributed by Karl Gaissmaier (karl.gaissmaier at rz.uni-ulm.de).
  • If radiusd was started through ssh it crashed with an error ‘Bad arg length for Socket::unpack_sockaddr_in’. Reported by Kenya Noshiro (noshiro at net.sony.co.jp).
  • Achint Saxena (ASaxena at Walkerwireless.com) reported that Util.pm needs Time::Local when running on Win32. Added.
  • EAP MD5-Challenge can now use Password as well as User-Password in user databases.
  • Added special character %I that gives the nas identifier as an integer instead of dotted decimal character string. Contributed by Jerome Fleury (jeje at jeje.org). Thanks Jerome.
  • AuthBy PAM now honours Fork. Useful for PAM modules that leak memory. Use with caution: performance impact.
  • Added new parameter AcctInsertQuery to AuthBy SQL, allowing the accounting insert query to be customised.
  • Server now detaches from the controlling terminal in daemon mode. Contributed by Jerome Fleury (jerome.fleury at fr.tiscali.com). Thanks.
  • Improvement to example linux init file in goodies/linux-radiator.init. Now prints an error message if the config file is not found. Contributed by Marc Liyanage (mliyanage at futurelab.ch). Thanks Marc.
  • All executable programs, including those in goodies, now use /usr/bin/perl instead of /usr/local/bin/perl. Suggested by Marc Liyanage (mliyanage at futurelab.ch).
  • Testing on SCO OpenServer 5.0.4. OK. Added hints to faq.html.
  • radiusd now ensures the path to PidFile exists, and creates it if necessary.
  • Improvements to RPM for compatibility with Cobalt and others. Suggested by Daniel Senie (dts at senie.com).
  • New special characters %w replaced by the user name part of the full original user name (before any RewriteUsername rules were applied). %W replaced by the realm part of the full original user name (before any RewriteUsername rules were applied).
  • Fixed a problem in AuthBy LDAP2 that could cause a crash with the message: Can’t use an undefined value as a symbol reference at /usr/lib/perl5/site_perl/5.8.0/Radius/AuthLDAP2.pm line 232, <DATA> line 450.. Reported by Paul Swainbank.
  • Added documentation for AuthBy RSAMOBILE to the reference manual.
  • Added documentation for common EAP and EAP-TLS configuration parameters to the reference manual.

Revision 3.1 (23/5/02 New features and fixes)

  • Added and documented UseSSL for AuthBy LDAP2.
  • Monitor clause did not permit multiple instances on different Ports.
  • Fixed a problem with DefaultSimultaneousUse that did not correctly detect users affected by RewriteUsername. Reported by “Scott Rothgaber” (scott at easley.net). Thanks Scott.
  • Added all Radiator pseudo-attributes to the dictionary for reference, and also to facilitate use by packages like RAdmin.
  • Changes to AddressAllocatorDHCP.pm and DHCP.pm to support the User Class Option (option 77) in the ISC DHCP server (www.isc.org). Additional changes to comply with RFC3011 (Subnet Selection Option) and to simplify and streamline the code.
  • radwho.pl did not separate lines with a newline when showing SQL. Reported by “Stephen Malenshek” (stephen at valuelinx.net).
  • In Nas/AscendSNMP.pm, there is alternative code for MAX6000 (TAOS 8.0.1+), suggested by Pavel A Crasotin (pavel at ctk.ru)
  • Added support for HTTP Digest Authentication per RFC2617. QOPs of auth and unspecified are supported. Algorithms of MD5 and unspecified are supported. QOP of auth-int and algorithm of md5-sess are not supported. Also provided patch file goodies/Apache-AuthenRadius-0.3-digest.patch which adds Digest authentication to Apache-AuthenRadius, plus goodies/RadiusPerl-0.05-0.06.patch for RadiusPerl-0.05 to fix long password problems.
  • New flag for buildsql, -f Force DB update for non defined fields. Contributed by Jorge Morgado (jorge.morgado at kpnqwest.com). Thanks Jorge.
  • ClientListSQL now lists its clients in the ServerConfig Client list, so they can be seen by Radar. Reported by “Romain Vergniol” (romain.vergniol at cegedim.fr).
  • ClientListSQL now permits a trailing column that contains a list of comma separated flag parameter names. Contributed by “Tony B” (tonyb at go-concepts.com). Thanks Tony.
  • At 3.0 ClientListSQL (correctly) complains if there is no password for a Client. The error message now says which Client has the problem.
  • AuthGeneric now emits an error If MD4 is not present but is required for an MSCHAP request. Suggested by niceman at att.net.
  • RewriteFunction was broken, resulting in messages like:
    ERR: Error in RewriteFunction(mikem): Can't use string ("sub {print "hello world\n"}") as a subroutine ref while "strict refs" in use at (eval 23) line 1

    Reported by “Andy De Petter” (adepette at krameria.net). Thanks Andy.

  • AuthBy NT and AuthBy TEST had typos that prevented keywords being recognised.
  • Fixed further problems with special character handling. Could get incorrect behaviour if the resulting transformation resulted in %0, %1 etc. Now single char and positional args are all converted in one operation. Reported by “Tristan Woerth” (tristan.woerth at securalis.com). Thanks Tristan.
  • Fixed problems with sending SNMP requests for NasType if the community contained whitespace or shell special characters. Reported by “Rolando Riley” (rriley at ayayai.com). Thanks Rolando.
  • LogFile, AcctLogFileName and PasswordLogFileName now support pipes. If the first character of the filename is |, then the output is sent to the pipe, else it is appended to the named file. Suggested by “Sergey Y. Afonin” (asy at kraft-s.ru). Thanks Sergey.
  • Fixed an infinite recursion problem with Trace 4 in Log SQL and Log EMERALD.
  • Fixed a problem with log dates in Log EMERALD.
  • Log EMERALD now has configurable LogQuery, defaults to: insert into RadLogs (RadLogMsgID, LogDate, Username, Data) values (%4, \’%5\’, %6, %2)
  • Added example config file for working with Advanced ISP Billing.
  • Added AuthBy EMERALD4 to work with IEA Emerald 4 or later. Also an example config file in goodies/emerald4.cfg.
  • Exec-Program now logs the command and the result at DEBUG level. Suggested by “Dave Kitabjian” (dave at netcarrier.com).
  • AuthBy NT now does not crash if attempting to do group checking on Unix. Found and patched by “neil d. quiogue” (quioguen at cpcnet-hk.com). Thanks Neil.
  • Testing with Vasco VACMAN Radius middleware software. Vacman is a very interesting and easy way to add token-based authentication to an existing Radius infrastructure.
  • The value for integer Radius attributes can now be specified as hex, with a leading 0x.
  • handlerFork and safeFork now take an optional subroutine ref that will be called when the child is reaped. The PID of the reaped child will be passed to the function. This is only of interest to code customisers.
  • SqlDb::quote now automatically reconnects to the database if necessary.
  • AddressAllocatorSQL default AllocateQuery was changed, since %2 (the username) is now automatically quoted. This fixes a problem with SQL syntax errors in the event of a disconnect/reconnect. Reported by Eric Lackey (eric at isdn.net). Thanks Eric.
  • Fixed a problem with AuthLogSQL, where SQL errors could cause recursive calls to the log function. This involved changing the name of the log function in all the AuthLog modules from ‘log’ to ‘authlog’. Reported by “Dan Melomedman” (dmelomed at devonitnet.com). Thanks Dan.
  • Added TRACE_USERNAME command to Monitor clause to support user-specific tracing in Radar.
  • Added TraceOnly flag to Monitor clause. If you set TraceOnly, connections through this Monitor are prevented from getting statistics, or getting or setting configuration data, or restarting the server.
  • AddressAllocatorDHCP incorrectly always defaulted SubnetSelectionOption to SUBNET_SELECTION. This should only happen if SubnetSelectionOption is specified as an empty string.
  • Added IgnoreAccountDisable and IgnoreAccountLockout flags to AuthBy NT. On Windows, these parameters stop AuthBy NT from taking notice of the NT account flags.
  • Added NAS-Port-Type xDSL to dictionary. Provided by Thomas.Krumm at tesion.de. Thanks Thomas.
  • Added CVX-Terminate-Cause, CVX-Reject-Reason and Level 3 VSAs to the dictionary. Contributed by briand at Level3.net. Thanks Brian.
  • Added beta support for EAP TLS. Requires Net::SSLeay 1.15 plus patches or later. Requires openssl 0.9.8 or later. See example in goodies/eap_tls.cfg. Tested with xsupplicant and Aironet wireless card on Linux.
  • Added sample utility for importing accounting data from a detail file into an SQL database. See goodies/radimportacct.
  • Added sample command line utility for adding users to an SQL database. See goodies/raduseradd.
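The HTTP Digest support noted in the 3.1 entries above accepts only the RFC 2617 subset of qop ‘auth’ or absent and algorithm MD5 or absent. The following is an added example, not Radiator’s own code, of verifying exactly that subset; it assumes the Authorization header arrives as a single string, refuses auth-int and MD5-sess outright instead of guessing, and uses the RFC 2617 section 3.5 sample values as its constructed input.

```python
"""Verify RFC 2617 HTTP Digest credentials for the subset described above:
qop 'auth' or absent, algorithm 'MD5' or absent. Example code, not Radiator's."""
import hashlib
import hmac
import re

# Anything outside these sets is rejected rather than approximated.
SUPPORTED_QOP = {None, "auth"}
SUPPORTED_ALGORITHM = {None, "MD5"}


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None, algorithm=None):
    """Expected 'response' value per RFC 2617 section 3.2.2.1."""
    if qop not in SUPPORTED_QOP:              # e.g. auth-int
        raise ValueError(f"unsupported qop: {qop}")
    if algorithm not in SUPPORTED_ALGORITHM:  # e.g. MD5-sess
        raise ValueError(f"unsupported algorithm: {algorithm}")
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")         # auth-int would also hash the body
    if qop == "auth":
        if not nc or not cnonce:
            raise ValueError("qop=auth requires nc and cnonce")
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # qop absent: the RFC 2069 compatibility form
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


# key="quoted value" or key=token, separated by commas and whitespace
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameter values."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def verify_digest(header: str, method: str, password: str) -> bool:
    """True only if the client's response matches the password for this
    request method; False on mismatch, missing fields, or unsupported
    qop/algorithm (the nonce freshness check is left to the caller)."""
    try:
        p = parse_digest_header(header)
        expected = digest_response(p["username"], p["realm"], password, method,
                                   p["uri"], p["nonce"], p.get("qop"),
                                   p.get("nc"), p.get("cnonce"),
                                   p.get("algorithm"))
    except (KeyError, ValueError):
        return False
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())


# Constructed sample input: the Authorization header from RFC 2617 section 3.5
# (user "Mufasa", password "Circle Of Life", GET /dir/index.html).
RFC2617_EXAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

if __name__ == "__main__":
    print(verify_digest(RFC2617_EXAMPLE_HEADER, "GET", "Circle Of Life"))  # True
    print(verify_digest(RFC2617_EXAMPLE_HEADER, "GET", "wrong password"))  # False
```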

Revision 3.0 (25/3/02):
Significant architectural changes, new features, Radar 1.0 compatibility

  • Significant architectural changes to support remote monitoring, introspection, remote debugging, remote tracing, local and remote stats gathering, improve performance, simplify some code, remove duplicated code etc.
  • Any clause may now have any number of private <Log xxx> clauses, which will be used to log errors and messages originating from within that clause before being logged by any global loggers. Can also use ‘Log identifier’ to refer to an already existing <Log xxxx> clause from within any other clause.
  • Improved and expanded statistics gathering mechanisms. Many more statistics are collected, including average response time for the server as a whole and for each Client, Realm, Handler, AuthBy and Host.
  • Added new statistics logging clauses that will log various server and ‘per-clause’ statistics with StatsLog FILE and StatsLog SQL. Example configuration in goodies/statslog.cfg. Example tables for StatsLog SQL in goodies/*.sql.
  • New Monitor class permits an (authenticated) TCP connection to the server allowing telnet and specialised clients to inspect, alter, and collect statistics and tracing etc.
  • Improved support for tagged tunnel attributes. Can now have things like: Tunnel-Type=1:L2F and Tunnel-Password=2:1234. Tagged attributes that don’t use the n:value syntax default to a tag of 0.
  • New module AuthBy POP3 allows authentication from a POP3 server, includes APOP support. PAP only.
  • On Unix, you can now control the effective user ID and group ID that the server runs as with the new User and Group parameters.
  • New type of special formatting character %{Eval:expression} is replaced by the value of the perl expression.
  • Merged latest Livingston attributes into dictionary, and converted latest Ascend dictionary to dictionary.ascend2.
  • New type for AcctColumnDef in AuthBy SQL. inet_aton formats a dotted quad IP address as an unsigned 32 bit integer. Contributed by Benoit Grange (b.grange at libertysurf.fr) and Jerome Fleury (jerome.fleury at freesbee.net). Thanks.
  • Client, Realm, Handler, and AuthBy clauses now all support a PacketTrace parameter that can turn up the trace level for packets passing ‘through’ that clause.
  • Added discussion of how to use “daemontools” (http://cr.yp.to/daemontools.html) with Radiator to goodies/highavail.txt. Contributed by “Mariano Absatz” (radiator at lists.com.ar).
  • Additional features in AuthSQLRADUS.pm, permits customisation of the columns returned from HostSelect, including per-host RewriteUsername. Contributed by Steve Roderick (steve at uspops.com). Thanks Steve.
  • In AuthLog SQL, SuccessQuery and FailureQuery did not quote the reason string. %1 is now quoted and escaped before substitution. Caution: existing users of AuthLog SQL will need to remove any quotes from around %1 in their queries, otherwise the reason string will be double-quoted.
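An added before-and-after illustration of the AuthLog SQL change above. This is example configuration, not part of the Radiator distribution: the DBSource, credentials, the RADAUTHLOG table and column names, and the use of '%n' for the username column are assumptions; the point being shown is only the treatment of %1.

```text
# BEFORE (breaks after this revision): the reason was quoted in the query
# because Radiator did not quote it. It also was not escaped, so a reason
# string containing a quote character could break the statement.
<AuthLog SQL>
	DBSource	dbi:mysql:radius
	DBUsername	radius
	DBAuth		example-only
	SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 1, '%1')
	FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, '%1')
</AuthLog>

# AFTER: leave %1 bare. Radiator now supplies the quotes and escapes the
# reason string itself, so the literal quotes above would now be doubled.
<AuthLog SQL>
	DBSource	dbi:mysql:radius
	DBUsername	radius
	DBAuth		example-only
	SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 1, %1)
	FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
</AuthLog>
```

After upgrading, check the first few rows written to the log table: a reason stored with surrounding quote characters means a query still carries the old manual quoting.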
  • Added KarlNet VSAs to dictionary.
  • Parameter values in configuration file now permit escaped octal characters.
  • Testing with DBD::CSV. OK with octal character patch described above. Added goodies/dbd-csv.txt discussion of how to configure Radiator to use a DBD::CSV database.
  • Added documentation for Handler HandleAscendAccessEventRequest.
  • Fixed a problem with handlerResult not handling HandleAscendAccessEventRequest correctly.
  • Select::remove_file now takes extra args indicating whether to remove its read, write or exception callbacks.
  • Performance improvements in Select::select.
  • Sample profiling code in ddprof.pm, contributed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
  • In SessSQL sub delete, $session_id and $framed_ip_address were not passed to format_special. Found and fixed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
  • radiusd in daemon mode no longer attempts to detach from the controlling terminal: this is not portably supported on most platforms.
  • New global parameter ForkClosesFDs makes radiusd close file descriptors 3 to 20 inclusive in the child after a Fork. This fixes a problem with some versions of Oracle where the connection to the database would be lost after a Fork with the message ORA-03113: end-of-file on communication channel (DBD ERROR: OCIStmtExecute).
  • Error message for ‘Unknown keyword ….’ was incorrect. Found and fixed by Stephen Frede (Stephen.Frede at optus.com.au). Thanks Stephen.
  • Fixed CPU hog problem when proxying with AuthBy RADIUS, with Synchronous and there was a network error. Found and fixed by Damir Dzeko (ddzeko at iskon.hr). Thanks Damir.
  • In AddressAllocator SQL, a new Step parameter for AddressPool allows the step size between consecutive addresses to be controlled, permitting the allocation of subnets as well as host addresses. Suggested by (jesus.diaz at ono-sp.com).
  • Added long discussion about how Cisco VOIP and accounting works with examples, contributed by Simon Hackett (simon at internode.com.au) to goodies/voip.txt
  • Calling convention for the constructor for a number of classes changed to come into line with all other constructors. Affects Log::addModule, ClientListSQL, Client, Handler, LogGeneric, Realm etc. AuthBy* is unaffected.
  • Removed many redundant ‘new’ constructors.
  • Rationalised many ‘sub object’ config handlers. Uniform argument standards, streamlined code etc.
  • Simplified and streamlined package initialisation in all packages for load-time performance improvement.
  • All loggers can now receive logs of packet dumps, independent of the global logging level.
  • As previously indicated, UseHint as an alias for UseAddressHint and Dynamic as an alias for DynamicReply in AuthGeneric are no longer supported.
  • Most classes now have all their configurable keywords defined in a ConfigKeywords hash. You can still override sub keyword if you need specialised keyword handling. Simplifies and speeds up object initialisation. Legacy classes that still use the sub keyword interface are unaffected.
  • Fixed a problem with the NoBindBeforeOp parameter. Test was round the wrong way. Found by Christophe Wolfhugel (wolf at oleane.net). Thanks Christophe.
  • In AuthBy ADSI, GroupBindString and GroupUserBindString did not have access to special characters from the current packet.
  • AcceptIfMissing is now a generic AuthBy parameter, available in most AuthBy clauses.
  • Added documentation for IgnoreErrors in AuthBy PORTLIMITCHECK.
  • In AuthBy DYNADDRESS, the parameter Allocator has been renamed AddressAllocator for consistency. Allocator is still supported, but support will be removed in the future.
  • When searching for a Handler to use, Realms are no longer re-considered: Realms are considered only once. Previously they were re-considered when the Handlers were considered. This makes it easier and faster to mix Realms and Handlers. No changes should be required to configuration files.
  • Rationalised away many sub object and sub keyword functions, removing much duplicated and similar code.
  • Configurable now automatically tries to load an object for any subclause found in a clause: you can now invent and create your own clause types and packages without changing a single line of standard code.
  • The current reply packet is now always available as $p->{rp}.
  • All internal APIs changed so that $rp is not passed as an argument. External APIs such as handle_request are unchanged.
  • format_special now does not need $rp passed to it: its deduced from $p->{rp}.
  • Significant performance improvements in format_special for special character formatting.
  • CAUTION: APIs for Handler::handlerResult and Client::replyTo changed.
  • DefineGlobalVar and DefineFormattedGlobalVar can now have embedded spaces. Contributed by r.c.w.besseling at kpn.com. Thanks Ruud.
  • Fixed a problem when proxying requests that already contain an Acct-Delay-Time: the delay time in the proxied request now takes into account the delay time in the originally received request. Found and fixed by Nuno Nunes (nfn at isp.novis.pt). Thanks Nuno.
  • Fixed a problem with 0 source mask and dest mask in Ascend binary filters. Found and fixed by Inglesant Philip (Philip.Inglesant at netscalibur.co.uk). Thanks Philip.
  • Workaround for broken Breezecom VSAs, where the VSA length is incorrectly set by Breezecom to 2, irrespective of the actual length. Also added some generic names for Breezecom VSAs to dictionary.
  • AuthBy RADMIN now has configurable queries IncrementBadloginsQuery and ClearBadloginsQuery.
  • Fixed some problems with secure mode in radacct.cgi, reported by various people.
  • If SocketQueueLength was set, the socket length was set for both auth and accounting sockets, even if only one was created. Reported by hill at world.evansville.net. Thanks Jamie.
  • Added Colubris-AVPAIR VSA to dictionary. Sent by “Tito Macapinlac” (titom at aebc.com). Thanks Tito.
  • radpwtst now takes an optional trace level to the -trace flag. If you just use -trace, you get effectively trace level 4. -trace 5 gets hex packet dumps of incoming and outgoing packets.
  • Can now have DefaultReply, FramedGroup, StripFromReply, AllowInReply, AddToReply, AddToReplyIfNotExist and DynamicReply parameters for Client, Realm and Handler, as well as AuthBy. Also optionally supported by ClientListSQL.
  • AuthLog FILE now creates the path to the log file if necessary.
  • RPM package now includes all dictionaries in the doc area.
  • Improved error reporting in SNMP module.
  • NAS support has been separated out into a module per NAS type, in Radius/Nas/*.pm. This makes it easier to add support for new NAS types and to submit new NAS type modules for distribution.
  • get_port moved from Radius to Util for consistency.
  • AuthBy GROUP now honours DefaultSimultaneousUse.
  • AuthBy LDAP2 now supports Version and Deref parameters. Suggested by Eli Tovbeyn (eli at xpert.com). Thanks Eli.
  • Changes to Radiator.spec so that RPM files will be compatible with SuSE Linux and similar. Suggested by Alfredo Sola (alfredo at intelideas.com) Thanks Alfredo.
  • Changed the order of replacement of special characters in format_special. Previously, %0, %1 etc were replaced first, but this caused problems if any of the replaced values themselves contained % special characters, since those would then be expanded too. %0, %1 etc are now replaced after the special characters, but before GlobalVar etc. Reported by David Miller (dmiller at newportnet.com). Thanks David.
  • Fixed a bug in AuthBy RODOPI that prevented AcctSQLStatement being changed.
  • AuthBy RADMIN now permits a validfrom time of 0 to mean the beginning of time, and a validto time of 0 to mean the end of time.
  • In AuthBy DYNADDRESS, if the PoolHint resolves to an empty string, no address will be allocated. This way you can let the NAS allocate addresses for some users.
  • AuthBy RODOPI now quotes usernames, protecting it from problems where a username is the same as an SQL keyword. Reported by “Hector Lopez” (hlopez at caribe.net)
  • In AuthBy NISPLUS, the Query now has the username being authenticated available as %0. %n will be phased out in a future revision.