Radiator Revision History

    • Revision 2.14 (14/7/99)
      • Added new AuthBy PAM, which can authenticate through any method supported by PAM on your host.
      • Added support for RAdmin, the new web-based user administration package from Open System Consultants. Supports sim-use, static IP addresses, bad login limits, preallocated time, error logging, etc.
      • New authentication module PORTLIMITCHECK, which can enforce simultaneous-use limits for arbitrary groups of users. This can allow you to sell bundles of ports on a global or per-POP basis, or DNIS etc. It can also set up Class attributes that depend on how many users are currently logged in in that group, so you can have different charging bands for normal and overflow usage etc. Requires a that a be present in your Radiator config.
      • Changes to session databases so that when a NAS is checked for a simultaneous use, the original username (prior to any RewriteUsername) will be used.
      • Log.pm was ignoring LogFile global parameter and always using %D/logfile.
      • Added new parameter DefaultSimultaneousUse to AuthBy. DefaultSimultaneousUse specifies a sim-use limit that will apply if there is no user-specific Simultaneous-Use check item.
      • Added new dictionary.ascend2 for Ascends that use Vendor-Specific attributes with vendor 529.
      • Added Nas-Type of TotalControlSNMP, which uses SNMP to check a Total Control NAS. Contributed by Stephen Roderick (steve@proaxis.com). Thanks Stephen.
      • If you had both DefaultReply and AddToReply, then DefaultReply would have no effect. Fixed.
      • In AuthBy SQL, you can now have multiple definitions of the same column name in AcctColumnDef. This allows you to save different attributes from different types of NAS into the same column in a mixed NAS environment.
      • Fixed a problem in radpwtst that could cause a premature exit if there were problems in receiving a reply.
      • Checks for Realm in a Handler clause can now be regexps
      • Added a number of Bay VSAs to standard dictionary. Thanks to Stuart Henderson (stuart@eclipse.net.uk).
      • Added new NasType of "ignore" that does not contact the NAS, and always assumes there are no multiple logins. Suggested by Stephen Roderick (root@proaxis.com)
      • Some performance improvements in Nas.pm
      • Added new Client parameter NoIgnoreDuplicates. You can use this to fine-tune which types of duplicate requests you will handle (regardless of the setting of DupInterval). The value is a space-separated list of request types, such as "Access-Request Accounting-Request" etc. Case sensitive. This can sometimes help if you are losing packets. Suggested by Tim Minchin (tom@interact.net.au).
      • radpwtst can now take any number of additional attribute=value arguments, so you can add any attributes that are in the dictionary to each request.
      • Fixed problem with becoming a daemon on AIX (which doesn't support setsid()).
      • Fixed a problem in the internal SessionDatabase, where it would ask all the NAS ports for all users to double check apparent logins.
      • With SNMP, if you use SNMP_Session-0.70.tar.gz instead of SNMP_Session-0.62.tar.gz, snmpget reported "Unrecognizable or unauthentic packet received". Fixed.
      • Testing with perl 5.00401, no changes required.
      • Testing with AIX, with the assistance of Dave Close (dclose@quik.com). Some fixes required. Thanks Dave.
      • Testing on FreeBSD 2.2.5, no changes required.
      • Added NasType support for Tigris (both old and new MIBS), Bay 4000, and Bay by finger, contributed by Rob Thomas (rob@rpi.net.au). Thanks Rob.
      • Testing on SCO Open Server 5.0.4, no changes required.
      • Added new special character %u, which is replaced by the original full User-Name as it was received and before any RewriteUsernames were applied.
      • Added new special character %l, which is replaced by the current local time expressed as a string, eg 'Thu Apr 22 15:39:03 1999'.
      • Added ACC vendor-specific attributes to the standard dictionary.
      • In AuthBy EXTERNAL, the external program can now return any attribute=value pairs on each line on stdout, not just Reply-Message. Contributed by Richi Plana (richip@mozcom.com). Thanks Richi.
      • AuthBy NT was not logging passwords to PasswordLogFileName.
      • On SIGHUP, old realms were not being removed from the old configuration.
      • Upgraded AuthTACACSPLUS so it can do PAP and CHAP when you have a recent (0.16 or better) version of the TacacsPlus perl library.
      • Now parses Merit style dictionaries, including VENDOR_CODE.
      • radacct.cgi now shows summaries by IP address, suggested by Karl Gaissmaier (karl.gaissmaier@rz.uni-ulm.de) which he says is useful for tracking down attacks.
      • radacct.cgi will automatically decompress on the fly files with a .gz extension, also suggested by Karl Gaissmaier (karl.gaissmaier@rz.uni-ulm.de). Thanks Karl.
      • radwho.cgi will now automatically refresh every 30 seconds, and also shows the date of the refresh in the title.
      • DefaultRealm was not being honoured by Handlers, only Realms. Reported by Richard Lennerts (richard@vianet.net.au). Thanks Richard.
      • Fixed a race condition in EXTERNAL that could prevent it replying under some conditions. Also fixed other problems that prevented it getting the return code from the external program on NT. Still not working properly on Win98.
      • Added a new parameter ResultInOutput to AuthBy EXTERNAL so you can use a string in the first line of the output of the external command to signal the type of reply, instead of using the exit status. This is good if you are using Win98 where the exit status is not reliable.
      • Using special characters like %a, %c, %C, %n, %N, %R, %T, %U, %u in a context where there is no associated packet would cause a crash. Now they are just replaced by an empty string.
      • Handlers did not recognise embedded include directives.
      • Changed child reaping to remove the possibility of unreaped child processes if 2 sigchld signals collide.
      • Significant changes in AuthBy FILE to greatly reduce the amount of memory required with large user files to about one tenth of previous requirements.
      • Fixed a problem with LogSQL where strings with quotes in them caused an SQL error.
      • Included in goodies detailed instructions on how to increase the default data size on BSDI, contributed by Paul Thornton (paul@dove.mtx.net.au). Thanks Paul.
      • Can now use case insensitivity in regexp Realms like this:
        <Realm /realm.com/i>
        
        In fact, you can use either the i or x modifiers
      • Added -snmp_port argument to radiusd to override what's in the config file.
      • Improved the behaviour of changeAttrByNum so it correctly updates the cached value too. This is only interesting for authors of hooks.
      • Added code to complain if Client or IdenticalClient names could not be resolved.
      • Added ExcludeFromPasswordLog to Handler, to prevent certain user names being logged to the PasswordLogFileName. It's a good idea to list your sysadmins etc.
      • Added wtmp support for FreeBSD, contributed by Jason (godsey@fidalgo.net). Thanks Jason.
      • AuthBy SYSTEM now checks the primary group as well as the secondary groups. It used only to do the secondaries.
      • Fixed a problem with AuthBy PLATYPUS where the select statement was constructed incorrectly.
      • Fixed a problem with Prefix and Suffix check items that prevented rejection if there was no match.
      • Added new parameter UseGetspnam to AuthBy SYSTEM so it can be used with some systems (notably Solaris) using getspnam.
      • Added Timeout parameter to all the SQL based clauses, so that you can get predictable timeout from failed SQL operations due to lost connectivity with the SQL server. Defaults to 60 secs.
      • Fixed a problem in test.pl that prevented reporting of some errors in the test suite. Fixed some other inaccuracies in the test suite.
      • Added new special character %S, which translates to the current second.
      • Added ReplyHook to AuthBy RADIUS, which runs after the reply is received from the remote radius server (as opposed to PostAuthHook, which runs after the request was forwarded, but before the reply is received).
      • Modified Nas.pm so that if finger detects a problem or a timeout when using finger to verify simultaneous connections, it assumes that the user is still online (i.e. it assumes that the SessionDatabase is correct).
      • Fixed a problem with "include" directives in the configuration file: Recursive includes did not work properly.
      • Can now specify LivingstonOffs and LivingstonHole on a per-Client basis.
      • Fixed a problem with command line arguments in radiusd. -log_file_name was ignored.
      • Changes to Handler.pm and SessINTERNAL.pm to improve behaviour in the face of lost Stops.
      • Mods to AuthLDAP2 so it conforms more closely to the expectations of some LDAP servers. In particular, it now maintains the TCP connection to the server, but binds and unbinds for each search.
      • Fixed a problem in AuthBy EXTERNAL on some OS, where a sigchld handler could prevent getting the return status of the external process. The result would be no reply to the request.
      • Improved the sort ordering of IP addresses in radacct.cgi.
      • Rationalised some code in Nas.pm to make it smaller and easier to maintain, and to facilitate future internal SNMP client. Also added some snmpwalk support, and activeSessions support.
      • Added 20 second timeout to internal finger client.
      • Added handling of Ascend-Access-Event-Request, which can be used to verify that an SQL SessionDatabase is in sync with reality.
      • Deleting a user from a DBM file with builddbm -d username left an empty user entry, rather than deleting it.
      • Added new special characters %b %o %e %f %g %i %j %k %p for time components from the Timestamp of the current packet.
      • Changed default DupInterval to 2 seconds. This will still detect dups created by duplicate network paths, but now a lost Access-Accept won't trigger many duplicate requests.
      • Ascend-Data-Filter addresses now default to /32 if the mask length is not specified, eg "ip in drop dstip 1.2.3.4" is equivalent to "ip in drop dstip 1.2.3.4/32".
      • Improved error recovery during log file parsing so that an unknown object won't silently cause the rest of the file to be ignored.
      • Binary distribution file changed to .tgz extension to prevent problems unpacking on PCs.
      • Improvements to getNasId so it will get an address even if NAS-IP-Address is absent and NAS-Identifier does not include an IP address. Some NASs do not conform to the Radius spec and this helps with those NASs.
      • Added support for NasType of NortelCVX1800. Contributed by James H. Thompson (jht@lj.net). Thanks James.
      • AuthBy RADIUS will now do round-robin proxying for host names with multiple IP addresses. DNS names for proxy Radius hosts are resolved at startup time.
      • Changes to API standard for findUser in authentication modules allow you to detect database failure, as opposed to "no such user", useful for LDAP and similar to fall back to other LDAP databases.
    • Revision 2.13.1 (18/3/99) Consolidation of some minor bug fixes
      • MaxSessions exceeded message now includes user name.
      • Fixed a problem with PreAuthHook and PostAuthHook that prevented them being called.
      • Added new %U formatting character that gives the user name with the realm stripped off. Contributed by Stephen Roderick (steve@proaxis.com). Thanks Stephen.
      • Added parameter values in the form file:"filename" which will load the value from an external file. Probably most useful for putting long code fragments for the hooks in an external file:
        PreAuthHook file:"hook.pl"
        From a suggestion and code fragment from Lars Marowsky-Brée (lmb@teuto.net). Thanks Lars.
      • Added auto indexing to the FAQ.
      • AuthBy PLATYPUS and AuthBy EMERALD now honour AuthColumnDef and AuthSelect to handle _extra_ columns returned from the standard select statement.
      • Added support for Xyplex sim-use checking with finger, with assistance of Nikos Aslanakis (aslan@spark.net.gr). Thanks Nikos.
      • Fixed some typos in emerald.cfg that broke Acct-Terminate-Cause.
      • Handler.pm was choosing the wrong handler.
      • Added AddATDefaults parameter to Auth EMERALD. Contributed by Andrew Ruthven. Only adds the contents of RadATConfigs if AddATDefaults is defined in the configuration file. Thanks Andrew.
      • Added NoDefaultIfFound to AuthGeneric.pm, which stops Radiator looking for any DEFAULT users if an entry for the user was found but their check items failed.
      • Fixed a problem that prevented PreClientHook being called.
      • Added new AuthBy CDB contributed by Pedro Melo. CDB is a fast, reliable, lightweight package for creating and reading constant databases. More details about CDB at ftp://koobera.math.uic.edu/www/cdb.html Thanks Pedro!
      • Fixed some problems where the current trace level was misreported when the trace level was changed with SIGUSR1 and SIGUSR2.
      • SNMP was reporting UpTime as an integer instead of timeticks.
    • Revision 2.13 (17/2/99) Lots of new features, some bug fixes.
      • Added SNMP Agent. Now supports SNMP V1 requests as per draft-ietf-radius-servmib-04.txt. That means that you can get various types of server statistics, and even reset the server using SNMP. You might want to use MRTG or similar for monitoring your server.
      • Added AuthBy RODOPI and example rodopi.cfg. Rodopi is quite a mature NT/MS-SQL based billing system with a Java/web GUI.
      • Added new configurable and subclassable logging modules: Log FILE, Log SYSLOG and Log SQL. You can now log to any and all places at the same time, plus easily add your own logging modules.
      • Simultaneous use check with finger for Portslave, Ascend, Shiva or Computone now defaults to using an internal perl finger client. You can still force it to use an external finger program by specifying FingerProg in the config file. The internal client improves portability to NT, and will improve performance, since it avoids the cost of starting an external program.
      • Rationalised reporting and logging of rejections: Auth*::handle_request now also returns a reason message, which can optionally be replied to the user with the new Handler keyword RejectHasReason.
      • All AuthBy modules now do their logging through a virtual log() function in AuthGeneric, which allows you to override with your own AuthBy specific error logging function. Suggested by Andrea Campi (andrea@planet.it). Thanks Andrea.
      • Added AuthTACACSPLUS to authenticate from Tacacs Plus server. Requires Authen::TacacsPlus module from CPAN. We used the version in TacacsPlus-0.15.tar.gz. If it's not on CPAN, it's available from the author here.
      • Status-Server message now returns all server and per-client statistics.
      • AuthBy NT can now authenticate from an NT domain controller, even when Radiator is running on Unix. Requires the Authen::Smb package from CPAN.
      • Testing with Security Dynamics ACE/Server Radius (also known as SecurID). Their radius server is very limited, but Radiator can proxy to it fine, and handles the Access-Challenges that are used to set and change PINs etc.
      • Testing with Freeside, a free Unix based ISP billing package. Example freeside.cfg created.
      • Forgot to mention previously the addition of several hooks that allow you to get control with your own perl code during authentication: PreClientHook, PreHandlerHook and PreAuthHook, PostAuthHook.
      • Changed the default Framed-IP-Address in radpwtst.
      • Fixed problem with cached attributes that meant that when a username was rewritten, it was not actually changed in the packet, which made the detail file log incorrectly.
      • Added "delete session" link to radwho.cgi so that bogus sessions can be manually deleted.
      • Added AuthBy GROUP, which allows authentication clauses to be bundled and grouped to any depth. It's intended for experimenters and early adopters. It only understands AuthByPolicy, StripFromReply, AddToReply, DefaultReply so far. Feedback is solicited.
      • Fixed some bugs in radpwtst -gui mode that caused locked windows, false timeouts etc. Now works with Perl 5.005 and Tk800.011 on Unix. Still doesn't work on Win95 (looks like Tk file handlers are still not right on Win95).
      • Fixed problems with wtmp format on Linux that prevented who and last from working.
      • Created mysqlCreate.sql which correctly builds indexes for mysql.
      • Added indexes to all SQL scripts in goodies
      • Can now define AuthBy clauses at the top level, and refer to them and reuse them with the AuthBy parameter. Good for reusing complicated SQL database definitions (and reducing the number of SQL licenses required). From a suggestion by Stephen Roderick (steve@proaxis.com). Thanks Steve.
      • Added support for binary data type in dictionaries. Especially for use in Proxy-State which can otherwise get trailing NULs stripped off.
      • radwho.cgi now shows the total number of users online, and optionally presents a hotlink to force a user off a NAS, by calling an external program you specify (not supplied).
      • Added NoForwardAuthentication and NoForwardAccounting to AuthBy RADIUS. From patches supplied by Vincent Gillet (vgi@oleane.net). Thanks Vincent.
      • Makefile.PL can now do installation on Win95 hosts. No need to use make any more on Win95 (many people don't have it).
      • Added LocalAddress to AuthRADIUS, which forces the proxy forwarding port to bind to a particular address. Defaults to the same as BindAddress. Useful for multi-homed hosts. Patch supplied by Lars Marowsky-Brée (lmb@pointer.teuto.de). Thanks Lars.
      • Improved performance of all Hooks by precompiling the code. From a suggestion by Lars Marowsky-Brée (lmb@pointer.teuto.de). Thanks Lars.
      • Improved robustness of the session databases in the face of lost stop packets. Now a stop packet will always remove any previous session that we thought was on that NAS/Port combination. This will make the session database "self-healing". Your existing DBM session database will have to be deleted: the database format for DBM is changed. The table format for the SQL session database is the same, but the indexes have changed: you should probably recreate them if you are using SQL. Also changed radwho.cgi to be compatible with new DBM database format.
      • Expiration now understands dates of the form dd/mm/yy(yy), since some SQL databases produce dates in that form.
      • Improved robustness of SQL connections, and reconnection during database outages. Prevent crashes when MS-SQL disconnects.
      • SQL does not use ping anymore, and will therefore work with DBD-ODBC 0.20 and MS-SQL. It's also faster.
      • Included Vincent Gillet's AddToReplyIfNotExist.patch to the goodies directory. This patch adds attributes to a reply _only_ if they don't already exist. Thanks Vincent.
      • Testing on Red Hat 5.2. No changes required.
      • Testing with Interbiller 98, a reasonable, inexpensive ISP billing package. goodies/interbiller.cfg created.
      • Added FramedGroup for all AuthBy clauses, similar in behaviour to Framed-Group, but applying to all requests accepted by an AuthBy clause. Contributed by Garry Shtern (shterng@akula.com). Thanks Garry.
      • Testing on Rhapsody. OK, but building MD5 is non-standard. See the FAQ for details.
      • Fixed problem where accounting info would be stored twice if the Handler forked (such as AuthBy IPASS)
      • Fixed typo in AuthBy IPASS that prevented Acct-Session-Time being properly sent to IPASS.
      • Fixed a problem in SessSQL.pm, where if a session proved to be bogus, SessSQL tried to delete a different session. Reported by Andrea Campi (andrea@planet.it). Thanks Andrea.
      • Added contribution from Todd A. Green (tagreen@ixl.com): a new sorter in radwho.cgi that will sort by IP addresses and mixed Alpha-numeric NAS-Ports (eg for USR/3COM ). Thanks Todd.
      • AuthBy UNIX now correctly uses the password file and group file when checking for primary group membership, instead of using getpwnam etc.
      • AuthBy PLATYPUS now honours AcctColumnDef. It allows you to log extra columns from Accounting Stops in the same way as AuthBy SQL. Suggested by Ricardo Freire (ricardo@allways.com.br). Thanks Ricardo.
      • Testing with DBI Proxy from Unix to NT. OK.
      • Added AcceptIfMissing parameter to AuthBy FILE and AuthBy DBFILE. It will automatically accept a user if they are not in the users file. If they are in the users file, it will accept them if and only if their check items pass in the usual way. Useful for applying additional checks on a subset of your user population.
      • Added FramedGroupMaxPortsPerClassC to Client, so you can compute Framed-IP-Address on a NAS with more than 255 ports.
      • Example config to work with Freeside, a free ISP billing package for Unix. See goodies/freeside.cfg
      • AuthBy SQL and PLATYPUS now use the DBI quote function to correctly handle quotes embedded in string data that is inserted with an AcctColumnDef.
      • Support Shiva LanRover sim-use detection using finger. Also added detection of config errors for all uses of finger, and runtime errors with snmpget.
      • Fixed a problem with Ascend binary filters: if the 'drop' keyword was used, it would build an invalid filter.
      • AcctColumnDef will not insert attributes that are not present in the request. Previously, it would insert NULL, which upset people's ability to define column defaults, and to build indexes.
      • Added VSAs for ACC to dictionary. Courtesy Ingvar Berg (ERA) (Ingvar.Berg@era.ericsson.se). Thanks Ingvar.
      • Added NasType AscendSNMP that will check Ascend with SNMP instead of finger.
      • Added nasclear.cgi to goodies directory. Its a CGI script that shows all the unique NASs in your SQL Session Database, and allows you to clear all sessions for a NAS. Contributed by Aaron Holtz (aholtz@bright.net). Thanks Aaron.
      • Default behaviour when no handler is found changed from IGNORE to REJECT.
      • Auth-Type=Reject now propagates properly back through chains of authenticators. Previously if the chain was more than 1 deep, an immediate reject would be turned back to an ordinary rejection. Thanks to Aaron Holtz for reporting this one.
      • Fixed a problem with AuthEXTERNAL that prevented it working properly on NT. Also made example config file and example external program for EXTERNAL in goodies, demonstrating the protocol for passing and receiving attributes.
      • Added optional format argument to AcctColumnDef, so you can set up SQL-specific conversions etc.
      • PostAuthHook is now given a third arg saying what the result of the authentication is.
      • Completed support for SHA encrypted password. Contributed by Justin Daminato (jd@ozemail.camtech.net.au)
      • Quoted Check and reply items can now have escaped octals in them like
        Tunnel-Server-Endpoint = "\000191.165.126.240 fr:20"
        (that's a NULL as the first octet in the string), which is useful for adding tags to the front of Tunnel attributes like the above.
      • Added AuthBy LDAP2, which uses Net::LDAP from perl-ldap-0.09 or better. The previous version AuthBy LDAP is now deprecated (since the Net::LDAPapi it uses is now deprecated).
      • Added DecryptPassword parameter to AuthBy EXTERNAL, which makes it decrypt User-Password before passing it to the external program.
      • Testing with Bay Annex Server and tunnelling, with the help of Stephen Ollis. Thanks Stephen.
      • Now handle Prefix and Suffix check items.
      • Added new AcctColumnDef type "formatted-date" that uses Date::Format to build arbitrary date formats. Especially useful for Oracle's odd date behaviour:
        
        AcctColumnDef	TIME_STAMP,Timestamp,formatted-date,to_date('%e %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')
        
      • AcctColumnDef type integer-date now formats dates in the format 'Sep 3, 1995 13:37', ie the full year including the century is now included. Previously it would do 'Sep 3, 99 13:37' and was not Y2K compliant. If this breaks your accounting table, consider using the new formatted-date type described above.
    • Revision 2.12.1 (21/10/98) Minor release for some desperately required features.
      • Added support for Ascend's Tunnel-Password according to http://ftp.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-06.txt
      • AuthBy RADIUS now supports multiple Hosts. It will try to forward to each host in the list until it gets a reply from one, or until the list is exhausted.
      • Fixed a bug that causes a crash when Handlers are tested.
      • radpwtst now generates its default identifier from the current time, which causes less confusion if you don't have DupInterval set to 0.
      • New version of IpassPerl that checks the ipass libraries are installed before the Makefile is built.
      • Added -t dbmtype flags to builddbm and buildsql to force them to use a certain DB file format, instead of accepting the "best" one that AnyDBM_File would choose. Can also configure radwho.cgi, SessDBM.pm and AuthDBFILE.pm to easily specify the type.
      • Fixed problems with MS-SQL 7 and AuthBy EMERALD, where integers such as account_id and attribute numbers are read as floating point.
      • Fixed a Y2K compliance issue in formatSQLDate.
    • Revision 2.12 (17/10/98) Major new features and some bug fixes
      • Added , so the external session database can be in SQL. This might be useful to coordinate multiple servers for Simultaneous-Use limits via SQL, or perhaps just to keep a "who is online" database handy. Also added radwho.cgi so you can see the current contents of a DBM or SQL Session Database.
      • Added new class that allows you to choose how requests will be handled depending on any attribute of the packet, not just the realm. You can still use Realm; its backwards compatible. Realm is now a superclass of Handler, and Handler understands all the same parameters as Realm.
      • New AuthBy parameter DynamicCheck allows you to do % substitutions on check items prior to authentication. Now recognise DynamicReply as a synonym for Dynamic. Suggested by Tim Young (Tim_Young@compuware.com).
      • Removed hard-coded Radius attribute names from the code.
      • Performance improvements in attribute fetching.
      • Testing with OpenLinkODBC/iODBC for connectivity between Unix and MS-SQL without using Sybase client libs. Documentation in faq.html.
      • Default location for pid file changed from /tmp/radiusd.pid to %L/radiusd.pid as a security measure. Suggested by Andres Kroonmaa.
      • SQL AccountingTable can now contain special formatting characters. Table names based on the current year and month might be very useful. Suggested by Nicholas Barrington (nbarrington@smart.net.au).
      • Fixed a problem that would prevent proxy working after a HUP.
      • Fixed 2 bugs identified by Andres Kroonmaa (andre@ml.ee) in AuthBy SYSTEM and AuthGeneric that prevented Group membership check items working in SYSTEM, and sometimes with DEFAULTs. Thanks Andres.
      • Fixed problem with signals on Win95 that prevents radiusd surviving as an NT service.
      • Fixed some typos in AuthPLATYPUS that caused crashes to do with formatSQLDate.
      • Fixed some problems with protocol and service specifications in Ascend Binary filters. Reported and diagnosed by Peter Chow. Thanks Peter.
      • Don't die if the log file fills up.
      • New parameter DomainController in AuthBy NT allows you to force it to use a particular Domain Controller, instead of asking on the network.
      • AuthIPASS, AuthEXTERNAL, AuthTEST and AuthNT did not honour StripFromReply, AddToReply or DefaultReply.
      • Added code contributed by Nicholas Barrington to AuthSQL. Implements AccountingStartsOnly, and AcctSQLStatement, which allows you to execute arbitrary SQL statements for each accounting request.
      • Auth-Type=Reject now does an immediate reject: it will not fall through to any following DEFAULTs.
      • Added AcctLogFileFormat, so you can control the format of the accounting log file.
      • Fixed AuthGeneric so it won't leave zombie processes around. This mostly occurred with AuthBy IPASS.
      • Fixed a bug that prevented Total Control online checking from working properly.
      • Added SocketQueueLength parameter, so you can adjust the radius socket queue lengths.
      • Removed all uses of non-blocking IO, since too many operating systems don't support it properly.
      • Cleaned up test.pl. Regression tests now run on Win95 and NT. Adjust documentation to suit.
      • Changes so AuthNT will work with ActiveState perl.
      • Added support for Bay to Nas.pm. Can now use Simultaneous-Use with Bay NASs.
      • DefaultReply was not getting % variable interpolation.
      • Cloned AuthBy LDAP into AuthBy LDAPSDK, which works with Netscape's new PerLDAP module and the latest LDAP SDK. PerLDAP is readily available as a downloadable module for ActiveState perl on NT. This is the easiest way to get LDAP working on NT without compiling your own modules.
      • PasswordLogFile now includes the current date and time in easy-to-read format, as well as in Unix seconds.
      • Documentation for RewriteFunction.
      • Fixed memory leak in AuthRADIUS that affected packets that are proxied and then exceed their retransmit count.
      • The log file directory will now be created if it does not exist. This makes it easy to have log files rotated into different directories.
      • Fixed problem where Simultaneous-Use would not work properly if you had Clients defined by DNS name instead of IP address.
      • Tested Platypus in RadiusNT compatibility mode against AuthBy EMERALD. Works fine.
      • AuthUNIX did not remove cached passwords if the user was removed from the password file.
      • Fixed a leak that affected some integer attributes during proxying on Perl 5.004.
    • Revision 2.11 (16/8/98) Major new features and some bug fixes
      • Applied some patches from Aaron Nabil that should have made it into 2.10:
        • correction to users file with correct hiperarc filter syntax
        • fix for hiperarc not sending nas_id
        • patch to ignore false dupe hiperarc sends on restart
        • fix to separate identifiers for different ports
      • Implement Auth-Type = Reject and Auth-Type = Ignore check items.
      • Patch from Shawn Instenes (*shawni@teleport.com) to log more details of requests with bad authenticators.
      • Latest version of USR dictionary in dictionary.usr.
      • Standardised spelling of Van-Jacobson in all dictionaries.
      • Added patch from Aaron Nabil (nabil@spiritone.com) for hex dump of packets at trace level 5.
      • Fixed bug with %C on some platforms that did nothing.
      • Be tolerant of trailing white space in check and reply items
      • Added -v flag to buildsql to print out all SQL statements issued.
      • AuthBy SQL now ACCEPTS Accounting requests if no accounting table or columns are defined. It used to IGNORE, which was not very helpful.
      • test.pl now runs the test server on ports 9721 and 9722 so you can test on a live box. Thanks to a suggestion from Andres Kroonmaa (andre@ml.ee)
      • AddToReply and StripFromReply have been moved from RADIUS to Generic, so any AuthBy can use them now.
      • Check and reply items now silently ignore empty attr-val pairs
      • SQL database access has been abstracted out to a separate inheritable module SqlDb.pm, which has the database connect/reconnect and execute code in it. This will allow it to be reused to support SQL session database, client lists etc one day.
      • Rolled in AuthColumnDef mods contributed by Lars Marowsky-Brée (lmb@teuto.net) in AuthSqlEXT.pm (which is therefore now obsolete). You can now have arbitrary check and reply items in multiple columns in your user database. If no AuthColumnDef is defined, it will assume Password, Check Items, Reply Items, for backwards compatibility with previous versions.
      • Fixes to AuthNT.pm so that it will correctly authenticate in the face of apparent errors that really mean that password policies are in force.
      • Added DefaultReply for all AuthBy, which specifies attributes to be returned only if they have none of their own. Contributed by Phil Freed (pfreed@cyberTours.com). Thanks Phil.
      • Added NIS+ authentication with AuthNISPLUS.pm
      • Following requests from Stephan Forseilles (sf@skynet.be) and others, added include file processing to config files. Thanks for the suggestion.
      • Altered Radius.pm, so it would not die due to badly mangled VSAs sent by 3COM Netserver cards at startup. Thanks to Aaron Nabil for helping to identify this one.
      • Mods to all executables so they will get the modules in the current directory in preference to any installed ones.
      • Some changes to radacct.cgi so it will work with SQL too. Not easily configurable, and not documented yet, but it works. Improvements are scheduled for later.
      • Fixed a bug with %{Attribute-Name} macros that could cause a crash.
      • Packet dumps at trace level 4 and 5 are now logged to the log file instead of only being printed to stdout.
      • AuthBy LDAP now produces more debugging and error messages. It's now robust in the face of the LDAP server stopping.
      • Support optional encrypted passwords in databases where a plaintext password is normally expected. Supported formats are now like
        • unix crypt "{crypt}1xMKc0GIVUNbE"
        • Netscape SHA encryption "{SHA}0DPiKuNIrrVmD8IUCuw1hQxNqZc="
        • Linux MD5 password encryption "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
        • Plaintext
      • Added SSL support for LDAP. This is not supported on the Umich LDAP, as SSL is not supported there. You will need the Netscape SDK if you want SSL support.
      • SIGUSR1 increases trace level and SIGUSR2 decreases it for radiusd (suggested by Andrea Campi).
      • New AuthBy SYSTEM that authenticates with getpwnam and getgrnam from whatever your system's underlying username database is. This allows you to hide the authentication system, whether it's password files, NIS+, PAM or whatever else might be installed on your system. Not supported on Win95 or NT, or on systems with shadow password files.
      • Timestamp was being adjusted in the wrong direction by Acct-Delay-Time.
      • A few lingering "warn"s were changed to LOG_ERR.
      • Permit line continuations within a configuration file with \. After a suggestion by Richard Lennerts.
      • Can now do RewriteUsername on a global or per-Client basis as well as per-Realm.
      • New check item NAS-Address-Port-List specifies a file that contains a list of permitted NAS/Port combinations for the user.
      • Can now use the new Client parameter IdenticalClients to configure a large number of identical client configurations.
    • Revision 2.10 (13/7/98) Major new features.
      • Now works with Emerald (http://www.emerald.iea.com), both authentication and accounting. Includes a new EMERALD AuthBy module and example config file in goodies/emerald.cfg
      • Now works with Platypus (http://www.boardtown.com), both authentication and accounting. Includes a new PLATYPUS AuthBy module and example config file in goodies/platypus.cfg
      • Generalised the Session Database for Simultaneous-Use limits. There is now a SessGeneric.pm abstract class and SessINTERNAL and SessDBM implementations. This means you can now enforce Simultaneous-Use limits across multiple instances of Radiator. The code structure is similar to the Auth... modules, and adding new database formats is fairly simple. The default is INTERNAL as before.
      • Added support for Connect-Rate check item, that specifies a max Connect-Info speed permitted for the user.
      • Added automatic IP Address allocation with new FramedGroupBaseAddress parameter in Client, and new Framed-Group pseudo-reply item.
      • Accounting packets now always get a Timestamp added to them when received. (Suggestion of Guilherme Maranhao)
      • Some minor changes to Realm.pm to make it a bit more economical of memory.
      • Added patch from Aaron Nabil (nabil@spiritone.com) which provides new -bind_address argument to radiusd and BindAddress parameter that allows radiusd to only bind to a single address for multi-homed hosts. Thanks Aaron.
      • Added patch from Aaron Nabil (nabil@spiritone.com) which provides SIGTERM handling to shut down cleanly. Thanks Aaron.
      • Changed a number of 'die's into 'warn'. We now try very hard never to stop unless it's completely impossible to go on.
      • Added PasswordLogFileName to Realm. If defined, every login attempt will be logged to the file. Useful for your help desk to diagnose user login problems. Based on a request from Stephan Forseilles (sf@skynet.be).
      • Fixed a bug in Radius::unpack. Malformed radius packets could cause an infinite loop that would exhaust all memory.
      • Redid performance tests in a more realistic environment, resulting in significantly improved throughput figures.
      • Added detection of Livingston reboot messages (a Start with Acct-Session-Id = '00000000')
      • Added realtime online user detection for Ascend (with finger), Computone (with finger) and Cisco (with snmp)
      • Added general attribute replacements, so that for example %{Framed-IP-Address} is the same as %a. Contributed by Lars Marowsky-Brée (lmb@pointer.teuto.de). Thanks.
      • AuthRADIUS now logs IP addresses instead of binary. Contributed by Kurt Jaeger (pi@complx.LF.net)
      • SQL Accounting can now convert Timestamp values into SQL dates.
      • Upgraded dictionary.ascend to be in line with latest from Ascend.
      • Tested LDAP on NT with the NETSCAPE DIRECTORY SDK 1.0 and the Net::LDAPapi Windows NT Binaries v1.40 from http://www.wwa.com/~donley/netldap.html
      • AuthBy FILE and AuthBy DBFILE can now use per-request replacements like %n in their Filename. Thanks to Paul Rhodes (paul@atlas.net.uk).
      • Implement Ascend-Send-Secret reply item. Thanks to Paul Rhodes (paul@atlas.net.uk) for this contribution.
      • Changed default DupInterval to 60 secs.
      • Altered all DBM accesses to use AnyDBM_File, which will choose the 'best' format DBM file available on the host machine.
      • New AuthSQL parameter AccountingStopsOnly, which makes SQL only log Accounting Stop requests: all other accounting requests are accepted but not logged.
      • Testing with postgreSQL, documentation.
      • radacct.cgi now uses CGI.pm, instead of cgi-lib.pl, for better portability.
    • Revision 2.9.1 (23/6/98) Minor bugfix release
      • Fixed bug that altered username in the request when cascading from AuthBy SQL to any other AuthBy method. This only affected cascaded authentications where SQL was not the last method.
      • Altered dictionary.ascend so that Password appears as User-Password, which fixes authentication problems with that dictionary.
      • Applied patch from Aaron Nabil (nabil@spiritone.com) to issue warnings when dictionary integer attributes are missing.
      • Removed some perl5.004 features that inadvertently prevented radiusd running on 5.003.
      • Fixed a memory leak in RDict.pm
    • Revision 2.9 (14/6/98) Mostly new features:
      • Added restartWrapper to goodies. Can be used to automatically restart radiusd (or any other program) if it stops unexpectedly and optionally email someone.
      • radiusd can now be started automatically by (x)inetd: if stdin is a socket, it assumes it is running under inetd and uses stdin as the authentication port socket.
      • Fixed test.pl so radiusd will not incorrectly load previously installed library modules.
      • In AuthSQL, if the password (or encrypted password) column for a user is NULL in the database, then any password will be accepted for that user.
      • AuthNT now honours the NT account disabled flag. If you check the "Account Disabled" checkbox in the NT User Manager, they won't be able to authenticate. Also AuthNT correctly queries the right Domain Controller, and Group membership is checked against the Global Group (not the Local Group).
      • Some NASs append a NUL to string attributes, contrary to the spec. We now always strip trailing NULs from incoming string attributes.
      • Can now have any number of RewriteUsername lines in a Realm. The rewrites are applied in the order they appear in the config file.
      • radacct.cgi now has a secure option that allows your customers to see only their own usage details on a web page
      • Added RewriteFunction to Realm to define a function that will rewrite user names. If defined, it's used in preference to RewriteUsername.
      • AuthBy UNIX was incorrectly reading the password file twice at startup. Thanks to tom@interact.net.au for reporting this.
      • Now can have any number of AcctLogFileName in each Realm, which allows you to have multiple log files for each realm. Thanks to shawni@teleport.com for this patch.
      • AuthBy FILE and AuthBy UNIX now reread and cache their files if their modification time changes while the server is running. AuthBy UNIX now honours Nocache too.
      • Now handles Accounting On and Off messages. Accounting On clears all the sessions from that NAS. Radpwtst is also able to send Accounting On and Accounting Off now. Contributed by nabil@spiritone.com. Thanks Aaron.
      • Added SNMPCommunity to Client. Thanks to Andrea Campi (andrea@webcom.it) for the suggestion.
      • Added AccountingHandled from shawni@teleport.com. This forces Radiator to reply to Accounting requests even if they would have been ignored. Useful for ignoring Accounting requests while keeping the NAS happy. Thanks Shawn.
      • Now works with clients that don't provide RFC 2138 compliant passwords (some clients, notably some versions of radcheck, don't pad passwords to 16 bytes like they should).
      • Added %a to special formatting characters for the Framed-IP-Address of the current request (if any) (Contributed by nabil@spiritone.com)
      • Added new attributes to AuthBy. UseAddressHint forces Radiator to honour a Framed-IP-Address in the request unless it is overridden by a Framed-IP-Address in the reply items. Dynamic specifies reply attributes that will get run-time variable substitution. Both of these contributed by nabil@spiritone.com, and can be used together with the new %a to build anti-spoofing filters.
      • New AuthBy modules contributed by nabil@spiritone.com are included in the goodies directory for exact Livingston user file compatibility (AuthCOMPAT.pm) and for Digital Unix NDBM passwd files (AuthDBUNIX.pm). Thanks a heap Aaron!
      • Added new Realm attribute: AuthByPolicy allows you to control the behaviour of cascaded authentication modules.
      • buildsql now can build an SQL database out of flat files and DBM files, as well as Unix password files.
    • Revision 2.8 (7/5/98)
      • Added IPASS authentication. Supports both outbound and inbound authentication and accounting with iPASS
      • Added Simultaneous-Use check item for users, which can be either an integer or a filename that contains an integer.
      • Added real interrogation of NASs for Simultaneous-Use verification, similar to Cistron. New Client config parameter NasType added. New global config parameters SnmpgetProg, FingerProg, PmwhoProg, LivingstonMIB, LivingstonOffs and LivingstonHole added.
      • Revamped the SQL accounting table specification to be more regular and scalable. Now specify one or more AcctColumnDef lines to specify the attributes to be stored, the column names to store them in and optionally a data type. Thanks to Phil Freed for the original idea and code.
      • Most check items can now be perl regular expressions too.
      • Attribute-value parser is smarter: can now have embedded commas and escaped double quotes inside check and reply items.
      • Added Time check item to support multiple time bands on different days like: Time = "MoTuWe0800-1530,Wk2200-0400"
      • Added more debugging info
      • Added new Fork parameter which forces authentication modules to fork before handling the request. Use with care.
      • Added -timeout argument to radpwtst
      • Tested ODBC with Oracle and Sybase on Solaris with Intersolve DataDirect ODBC manager and Microsoft SQL 6.5 on NT.
      • Testing with the latest version of DBD for mSQL and mysql from Msql-Mysql-modules-1.1828. Older versions named like DBD-mSQL-0.65 did not work properly when getting the names of fields from a select which would break the new accounting table behaviour in AuthSQL.pm
      • Added Client DefaultRealm for handling realmless request on the basis of which NAS they arrived on. Thanks to Phil Freed for the code.
      • Added Table of Contents in reference manual.
    • Revision 2.7 (18/4/98)
      • Added AuthBy EXTERNAL, which allows requests to be handled by an external program whose command line you can specify.
      • Added chaining of AuthBy modules: You can now specify more than one AuthBy clause for a Realm, and it will try each one in turn until one succeeds (i.e. returns other than IGNORE). This is especially good for recording proxied accounting requests to SQL.
      • AuthBy handlers can now return CHALLENGE for an Access-Request, which will cause an Access-Challenge to be replied.
      • Testing with Sybase, created a sybaseCreate.sql. Documentation for Sybase.
      • Applied patches from Steve Davies to fix interop problem with Merit 3.5.6. Thanks Steve.
      • Latest version of USR dictionary.
      • Handling of Group check items now conforms to Lucent and Cistron behaviour: for cascaded UNIX modules the /etc/group file is checked. The old behaviour that checked for the Group in the reply items is not supported now. Added new GroupFilename to UNIX module.
      • Added Group handling to NT module: it uses LocalGroupIsMember to determine whether the user is in a Group if a Group check item is specified. Documentation and faq entry.
      • Added buildsql utility, which can create and update an SQL database from a UNIX password file (DBM file or flat files coming soon).
    • Revision 2.6 (5/4/98)
      • Added Windows NT authentication.
      • Added support for Ascend abinary type attributes, as used in Ascend-Data-Filter and Ascend-Call-Filter, both in and out. Includes the new IPX filter support.
      • Added support for USR/3COM vendor-specific attributes
      • Updates to some dictionaries
      • The value for VENDORATTR in dictionaries can now be hex or decimal.
      • Radius.pm now uses main::log consistently
      • Fixed memory leak in Select that affected timeouts.
    • Revision 2.5 (28/3/98)
      • Added CGI script for usage summaries of accounting logs, including drill-down to per-user and per-session details. Useful for billing summaries, or for investigating service problems.
      • Removed code from builddbm that made it grow in size according to how many users in the database. It now stays the same size, regardless of how many users.
      • FAQ was missing from distribution
      • radpwtst now increments session_id after each Accounting Stop
      • Minor changes to dictionary for ascend compatibility
      • Added support for multiple databases and fallback to SQL
      • Fixed bug that prevented StripFromReply working properly
      • Fix interoperation problem with Merit: if reply with Proxy-State but not Proxy-Action, Merit might crash. Now we reply with Proxy-Action if it is present in the request.
    • Revision 2.4 Production Release (14/3/98)
      • Added StripFromRequest, AddToRequest, StripFromReply, AddToReply to AuthBy RADIUS.
      • Radpwtst: fixed bug on Linux which prevented waiting for replies if an ICMP bad port message arrives.
      • Added %t for current time in special formatting characters
      • Ensured detail file output is Radius compliant by quoting strings.
      • Improved and enlarged documentation.
    • Revision 2.3 (6/3/98)
      • Fixed bug that made users fall through to DEFAULT if they existed but authentication failed, even if Fall-Through not set.
      • Add time-of-day blocking with Block-Logon-Until and Block-Logon-From check items.
      • Added PDF documentation.
      • Improved level of DEBUG detail produced when authentication fails. Makes debugging authentication much easier.
      • Added Graphical User Interface option to radpwtst. Test your server configuration with the click of a button on Unix. (not quite working on PC yet).
    • Revision 2.2 (1/3/98)
      • Fixed bug in LDAP that causes it to always authenticate if the case of the password attribute is not correct.
      • Improved error reporting in radpwtst if no dictionary found.
      • Major rationalisation of Auth* hierarchy. There is now a common superclass AuthGeneric that all Auth modules should inherit from.
      • Added DEFAULT user handling with Fall-Through. Multiple DEFAULT entries are handled. DEFAULT entries are processed in order until one is found that matches and does not have Fall-Through set to yes. Works for FILE, DBFILE, LDAP, SQL.
      • Added handling of Auth-Type check items, which passes authentication to another AuthBy module named with an Identifier parameter. You can therefore cascade from FILE to UNIX to be compatible with other servers, or from say FILE to RADIUS to ensure some reply items always go to the NAS irrespective of a downstream server's setup. This is a very deep and versatile feature.
    • Revision 2.1 Beta (7/2/98)
      • Beta revision for external testing
    • Revision 1.9 (20/1/98)
      • Internal alpha testing


    Copyright © 1998 by Open System Consultants Pty. Ltd.