Note: ¤ marks a high-priority item involving security, an important error correction, or a major change in operation.
· The constructor Attribute(int type, Date date) was incorrectly casting the date in its calculation to seconds, resulting in times being set around 1969 when recovered. This has been fixed. It affected the Event-Timestamp attribute generated by the server in the DMCOA package.
· The method RADIUSEncrypt.saltEncode() was not adding the data length correctly, leading clients to decode the data incorrectly.
· Fixed an error where an Access-Reject would not include a Message-Authenticator if one was included in the Access-Request packet.
· Added internal support to the server for the Chargeable-User-Identity attribute: if an Access-Request contains Chargeable-User-Identity it is copied to the Access-Response attribute list.
· The FreeRadius project's dictionaries are now distributed as the file dictonary.zip, included in the distribution under the 'com' directory.
· Server side Digest (SIP) authentication can use a pre-calculated HA1 instead of a password. See the 'RADIUS Extension for Digest Authentication' (draft-sterman-aaa-sip-00.txt) documentation for an explanation of HA1, or the API documentation for the DigestAuthentication class.
· The SendDMCOA class is able to set the DMCOA port. Formerly it was hardwired to the standard DMCOA port. It will use the standard port if SendDMCOA.setPort(int port) is not called.
· Fixed a problem with the RADIUSClient class where it was possible to misread the packet type and packet identifier resulting in misidentifying packets.
· Fixed a problem with the RADIUSDictionary class where it couldn't look up values for attributes for Vendor-Specific attributes.
E.g., given RADIUSDictionary rd = ...; int vendorId = 6; then int i = rd.getIntValue(vendorId, "Example-Attribute-Name", "3600KPS"); would always return -1 instead of whatever value "3600KPS" was assigned.
¤ Rewrote the SendDMCOA class so that it no longer requires the RADIUSServer to be present in order to run. This allows it to run anywhere on the server's machine, even in a different JVM. This also resolved a number of issues with verifying accounting style authenticators.
· Added three methods to the RADIUSClient for testing server side Disconnect-Message and Change of Authorization packet support.
The bind(InetAddress bindAddr, int bindPort) method is used primarily for sending DM/COA messages. It binds the client to the DMCOA port at a particular host address. The second method, dmcoa(int packetType, AttributeList alist), sends a DM/COA packet to the server. This is really a wrapper around the accounting(int packetType, AttributeList alist) method. There is now a public checkAccountingAuthenticator() method to check accounting authenticators.
V 3.43j June 22, 2007
¤ Fixed some errors in proxying introduced in the generally unreleased V3.43i version.
· Added support for RFC 4372 'Chargeable User Identity' by adding the Chargeable-User-Identity attribute to the known attributes list.
V 3.43h April 26, 2007
· Fixed some proxying problems with Tunnel-Password and MPPE keys. They were not being decoded and encoded properly.
· Another proxying problem has been rectified - under some circumstances the client authenticator could be corrupted.
· The LEAP client now understands that another EAP type might be generated by the server and can send a proper NAK. The same fix has been applied to the EAP-MD5 client.
V 3.43g February 22, 2007
¤ An error in the RADIUSClient would cause CHAP authentication to recurse endlessly until the JVM ran out of memory. This has been fixed.
¤ An error in the EAPMD5 client caused the NAS-Identifier to be ignored when present. This has been fixed.
V 3.43f January 31, 2007
· The RADIUSClient's DM/COA receiver (DMCOAReceiver class) now can run independent of a RADIUSClient. This was requested to handle the DM/COA messages without requiring the RADIUSClient to be present to keep the DMCOAReceiver alive. There is a new constructor that provides this service.
There is a test for the RCAACE client in com.theorem.radserver3.examples.rsaclient.
· The method AuthInfo.createMPPEKeys(byte password[], byte secret[], byte authenticator[], boolean encrypt) has been deprecated. AuthInfo.cmpMSCHAPV2() and AuthInfo.cmpMSCHAP() create the MPPE keys automatically.
· The BouncyCastle MD4 has been replaced with an internal version.
· A utility to generate the new DefaultDictionary class has been added. This can generate a default dictionary suitable for your needs, containing any dictionary files you need. Don't try to add all the dictionaries, as Java classes are limited in length: the 'DefaultDictionary.java' file will still be produced, but it may not compile.
· Added an RSA ACE Server client (com.theorem.radserver3.auth.rsaace.client). This loops on the ACE server's continual questioning and supplies the answers. It can be used as a looping client and/or as a callback mechanism for some other class. See the package com.theorem.radserver3.auth.rsaace.client for details. An example client appears in com.theorem.radserver3.examples.rsaclient. This authentication method also offers a callback interface for an external system.
V 3.43e June 6, 2006
· Fixed a problem in AV.lookup(int vendorId, int attribute, int value) where it wouldn't find the symbolic value if there was a dictionary present.
V 3.43d June 6, 2006
· Fixed a problem in VendorSpecific.toString() which would throw a null pointer exception if there was no vendor dictionary or vendor class (e.g. Cisco.class) loaded.
V 3.43c May 31, 2006
· Replacing the home spun HMAC-MD5 with the one provided by javax.crypto.Mac resulted in the server's and clients' secrets being zeroed after the Message-Authenticator was generated. The HMAC zeroes the 'key' when it's done, which happens to be the client/server secret. Problems included not being able to authenticate twice if the MA was used, as well as all kinds of proxy problems. This has been fixed by giving a copy of the secret to the HMAC. This is not documented in the Sun javadocs but has been a problem in other projects (like TLS).
· The NAS field 'secretBytes' has been made private and has been replaced by getSecret().
· Exceptions that were caused by AttributeList.toString(), or more particularly Attribute.toString(), have been fixed. The problem was a null rather than an empty string being returned by a lower level method.
V 3.43b May 21, 2006
· Changed how MD5 is generated. Instead of using a local version of MD5 we use the java.security.MessageDigest version with a wrapper.
V 3.43a May 13, 2006
· A problem that remained with the long tags and VendorSpecific interpretation has been fixed. The Attribute class has two new methods: Attribute.getDataType(int vendorId) and static int getDataType(int vendorId, int tag). These are as reliable as any of the included dictionaries.
V 3.43 May 09, 2006
· Fixed a bug in DMCOA packet proxies. The response packet would not be forwarded to the correct host. The Proxy-State information was potentially either from a client or server but only the server list was checked. Now it checks both lists if it's a DMCOA packet.
· Digest authentication is supported; the version implemented is described in the document draft-sterman-aaa-sip-00.txt. It works for SIP (RFC 2543) and HTTP (RFC 2616).
· Fixed many problems in the RADIUSDictionary.
· The FreeRadius dictionary reader can now read the 'encrypt' directive. It takes three values: 1 means PAP (User-Password style) encoding, 2 means SALT encoding and 3 means Ascend proprietary encoding. Only 1 and 2 are supported.
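The two supported 'encrypt' modes, together with the data-length octet mentioned in the saltEncode() item at the top of this page and the length checks from the V 3.41h and V 3.30 items, as an added Python example (not the AXL server's Java code). The secret, Request Authenticator and payloads are constructed sample values.

```python
"""Attribute hiding for encrypt=1 (User-Password, RFC 2865 5.2) and encrypt=2
(salt-encrypted, RFC 2868 3.5 style). Added example; not the AXL server's code."""
import hashlib
import os
from typing import Callable

# Constructed sample values; in practice the secret comes from the NAS entry
# and the authenticator from the Access-Request header.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least one block)."""
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")


def _chain(blocks: bytes, secret: bytes, seed: bytes, encrypt: bool) -> bytes:
    """MD5 keystream chaining shared by both encodings:
    b1 = MD5(secret + seed), b_i = MD5(secret + c_{i-1}), c_i = p_i XOR b_i."""
    out, prev = b"", seed
    for i in range(0, len(blocks), 16):
        block = blocks[i:i + 16]
        result = _xor(block, hashlib.md5(secret + prev).digest())
        out += result
        prev = result if encrypt else block   # always chain on the ciphertext
    return out


def check_hidden_length(cipher: bytes, max_len: int) -> None:
    """Hidden data must be a non-empty multiple of 16 octets and within the
    maximum (128 for User-Password); malformed packets are dropped, not decoded."""
    if not cipher or len(cipher) % 16 or len(cipher) > max_len:
        raise ValueError("malformed hidden attribute length %d" % len(cipher))


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """encrypt=1: pad, then chain seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password exceeds the RFC 2865 maximum of 128 octets")
    return _chain(_pad16(password), secret, authenticator, encrypt=True)


def pap_decode(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    check_hidden_length(cipher, 128)
    return _chain(cipher, secret, authenticator, encrypt=False).rstrip(b"\x00")


def salt_encode(data: bytes, secret: bytes, authenticator: bytes, salt: bytes = b"") -> bytes:
    """encrypt=2: 2-octet salt (high bit set) + chain over (length octet + data),
    seeded with authenticator + salt. The leading length octet is the data
    length a peer needs to recover the payload; omitting it breaks decoding."""
    if len(data) > 255:
        raise ValueError("data too long for the one-octet length field")
    if not salt:
        salt = bytes([os.urandom(1)[0] | 0x80, os.urandom(1)[0]])
    plain = _pad16(bytes([len(data)]) + data)
    return salt + _chain(plain, secret, authenticator + salt, encrypt=True)


def salt_decode(encoded: bytes, secret: bytes, authenticator: bytes,
                max_len: int = 240) -> bytes:
    """max_len=240 is an assumed bound: the largest multiple of 16 that fits a
    253-octet attribute value alongside the 2-octet salt."""
    salt, cipher = encoded[:2], encoded[2:]
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("missing or malformed salt")
    check_hidden_length(cipher, max_len)
    plain = _chain(cipher, secret, authenticator + salt, encrypt=False)
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet %d exceeds decoded payload" % length)
    return plain[1:1 + length]


def is_rejected(fn: Callable, *args) -> bool:
    """True if fn(*args) raises ValueError (shows the malformed-input checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```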
V 3.42 February 20, 2006
¤ Fixed a problem with LEAP in the server - it was sending back the wrong EAP packet identifier.
· Added a new authentication method - Digest Authentication. This is described in draft-sterman-aaa-sip-00.txt. It provides authentication for HTTP/SIP and currently only supports the "MD5" and "MD5-sess" algorithms.
· Fixed an attribute display problem where UTF8 data was displayed using 'new String(data)' instead of Util.toUTF8(data). The question marks in the display of the string version of the data should be gone.
· The class PacketInfo, superclass of AuthInfo, AccountingInfo, and ProxyInfo, is now able to extract prefix information as well as name and realm information. A User-Name like xny556/michael@theorem.com has a prefix of xny556, a name of michael and a realm of theorem.com. PacketInfo.getPrefix(), getName() and getRealm() pick out these sections. The method RADIUSServer.setPrefixCharacter() can be used to change the default prefix character '/'.
V 3.41i October 31, 2005
¤ Fixed a shutdown problem: the authentication duplicate detection would not restart if the authentication server was shut down.
· Added the ability to split the User-Name into prefix, name, and realm. The method is found in Util.splitUserName(String name, char prefix, char realm). The prefix character will match contiguous repetitions of the prefix character. If prefix = '/' it will match 'p/name' or 'p//name'.
V 3.41h May 4, 2005
· If a User-Password arrived that was too long (outside of the RFC specified maximum length of 128 bytes) it would cause an ArrayIndexOutOfBoundsException to be thrown in the RADIUSEncrypt.password() code. The server now checks packets that contain User-Password attributes for correctness and drops those that are malformed. The RADIUSEncrypt.decode() method, which actually does the decoding, has also been fixed.
V 3.41e Feb 28, 2005
¤ The ProxyInfo.setTransparentProxy(String realm) method would try to send the packet to the local server if the local server's realm was specified. For example, the common usage
prx.setTransparentProxy(prx.getHostRealm());
would actually forward the packet to the local server. However, the local server wouldn't accept delivery since it has no NAS entry for itself. This has been fixed so that the local server handles the packet as a local packet.
V 3.41 Nov 15, 2004
¤ Fixed an error in proxying. If the User-Name contained the current server's name a proxy loop would occur. For example if the User-Name is michael@axl the 'axl' server would loop resending the message to itself instead of accepting it.
¤ The server now uses the javax.crypto package instead of locally contained crypto methods. This should allow everyone to use other crypto packages if Sun's implementation isn't to your liking. BouncyCastle (http://www.bouncycastle.org/) or Cryptix (http://www.cryptix.org/) work well.
· Fixed an error in setting the location in SNMP that could cause a null pointer exception if the location is null.
· The RADIUSClient has a new method, RADIUSClient.retry(). This folds up the code that was formerly required to perform a retry: recovering the request attributes and re-authenticating or re-sending accounting. The retry() method runs much faster. There is also an explicit RADIUSClient.getRequestAttributes(). In previous versions the getAttributes() doubled as
· Added two methods to AttributeList: decodeAll() and encodeAll(). They decode and encode attributes with a SALT as specified in the draft RFC "Salt-Encryption of RADIUS Attributes". These are used primarily with Vendor-Specific sub-attributes, and in particular with Cisco VSAs using the Cisco Encrypted String VSA Format. The server and client must both expect this format.
· Changed the format of packet dumps. Only the data is printed out, trailing zeros to fill the dump no longer appear. Trailing underscores appear instead to help make the display appear normal to those using variable pitch fonts.
· Added support for Expanded Types (vendor-specific EAP packets) in the EAPPacket class, according to RFC 3748 'Extensible Authentication Protocol (EAP)'. This includes an implementation of the Extended-NAK packets.
· EAPPacket.getIdentity() and EAPPacket.getIdentityBytes() both conform to the RFC 3748 specification that identity values may contain a NULL character (usually as a terminator). The data portion prior to the null is returned.
· Fixed a small problem in the example server - MSCHAP V2 wasn't returning the MS-CHAP2-Success or MS-CHAP-Error attributes.
· Fixed some compilation problems for source owners.
· The classes MSChap and MSChapV2 are now public and appear in the API documentation.
V 3.40 Aug 1, 2004
¤ The RADIUSServer.stopAuthenticationServer(), RADIUSServer.stopAccountingServer() and stopServer() methods were not properly shutting down the server. The server was trying to shut down the wrong duplicate packet cleaning thread.
¤ Fixed a problem in the RADIUSClient - it was possible to get a null pointer exception using AV.lookup(A.Acct_Status_Type, "Start"). The static members of the AV class were not initialized. This is now done during the RADIUSClient startup.
¤ ProxyTargets (proxy server descriptions) can have a list of synonyms. This allows the proxy to be known by a number of realms. Any packet with a realm matching a ProxyTarget's synonym entry will automatically have the packet routed to that realm. This also applies to the local server. This will only occur if no ProxyImpl is defined.
This service is also available in ProxyInfo.
¤ The ProxyClient could throw a NullPointerException if an attempt was made to proxy to the current server. It now throws a RADIUSServerException when attempting to send a packet to itself.
¤ The RADIUSClient.createMSCHAP() & RADIUSClient.createMSCHAP2() methods now throw a RADIUSException if they can't run / find DES encoding.
¤ Support has been added to the AXL RADIUS server and AXL RADIUS client for Disconnect-Messages and Change-of-Authorization Messages as described in RFC 3576 (Dynamic Authorization Extensions to RADIUS). Servers may now send DM / COA messages to compliant clients. The NAS and ProxyTarget classes can now control whether or not these messages are acceptable.
· Added a method RADIUSServer.getNAS(InetAddress nasIP) which retrieves a NAS entry given the client's address. This is used in resolving the secret when sending disconnect and other messages to a client (see RFC 3576 "Dynamic Authorization Extensions to RADIUS"). There is now an example of sending these messages to clients prepared to receive these asynchronous messages.
· The ProxyTarget class now accepts a list of synonyms for the particular proxy server. The synonyms are realms to be handled by the forwarding server. The special synonym "" (empty string) means that a particular ProxyTarget will handle the default (empty) realm. If the special synonym is not present empty realms will be handled by the local server.
For example the server known as 'andromeda' might also handle the realms 'perseus' and 'draco'. The ProxyTarget named 'andromeda' would have the synonyms 'perseus' and 'draco'. These are now handled internally by the server and no longer require a ProxyImpl implementation to do the work.
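The synonym routing described in this item and the prefix/name/realm splitting introduced in V 3.41i (Util.splitUserName, with a run of prefix characters counting as one separator), combined with the local-realm handling from the V 3.41 and V 3.41e fixes, as an added Python example that is not the server's own code. The local realm 'axl' and the ProxyTarget table are constructed; unknown realms return None, a choice this example makes, since the page leaves that to a ProxyImpl.

```python
"""User-Name splitting (prefix / name @ realm) and synonym-based realm routing.
Added example; not the AXL server's code."""
from typing import Dict, List, Optional, Tuple

LOCAL_HOST_REALM = "axl"   # constructed: this server's own host realm

# Constructed ProxyTarget table: target name -> synonym realms it also serves.
# A "" synonym claims the default (empty) realm for that target.
PROXY_SYNONYMS: Dict[str, List[str]] = {
    "andromeda": ["perseus", "draco"],
    "cassiopeia": [""],
}


def split_user_name(name: str, prefix: str = "/", realm: str = "@") -> Tuple[str, str, str]:
    """Return (prefix, name, realm); missing parts are "". A run of prefix
    characters ('p/name' or 'p//name') counts as a single separator."""
    user, _, rlm = name.partition(realm)
    head, sep, tail = user.partition(prefix)
    if not sep:
        return "", user, rlm
    return head, tail.lstrip(prefix), rlm


def route_realm(realm: str, local_realm: str = LOCAL_HOST_REALM,
                proxies: Dict[str, List[str]] = PROXY_SYNONYMS) -> Optional[str]:
    """Decide where a packet with this realm goes: "local" for this server,
    a ProxyTarget name, or None when nothing is known (a ProxyImpl would decide)."""
    # Our own realm is always handled here: forwarding it would loop the packet
    # back to ourselves, and the server has no NAS entry for itself.
    if realm == local_realm:
        return "local"
    for target, synonyms in proxies.items():
        if realm == target or realm in synonyms:
            return target
    if realm == "":
        return "local"   # no target claimed the default realm
    return None


def dispatch(user_name: str, **kw) -> Tuple[str, Optional[str]]:
    """Split the User-Name and return (bare name, routing decision)."""
    _, name, realm = split_user_name(user_name)
    return name, route_realm(realm, **kw)
```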
· Some bug fixes have been applied. These changes were made after running the FindBugs Java program from http://www.cs.umd.edu/~pugh/java/bugs (University of Maryland). Some are simply small code changes for efficiency, and it discovered a couple of redundant bits of code.
V 3.39.1 May 24, 2004
· Added the ability to use NT Hashed passwords to MSCHAP and MSCHAP V2 authentication in the server. The new method is AuthInfo.cmpMSCHAP(byte password[], boolean ntHash).
· Dictionaries have been integrated into the displaying of attributes (Attribute.toString()). There is now a RADIUSServer.addDictionary() method to add the contents of a RADIUS Dictionary to the server.
Similarly there is a RADIUSClient.addDictionary() method as well.
· The com.theorem.radserver3.dictionary.Dictionary class has been renamed to RADIUSDictionary owing to a conflict with java.util.Dictionary that would cause end consumers problems.
· The attribute Acct-Authentic was returning a data type of string from the method Attribute.getDataType(). It now returns the correct data type of integer. Other data types have been fixed as well.
V 3.39 March 27, 2004
¤ Fixed a Proxy-State problem where multiple AXL RADIUS Servers in the chain could sometimes lose one of their Proxy-State attributes. One of them would remove the other's Proxy-State on the response side.
· Moved HMAC_MD5 from the radserver3 package to the radserver3.radutil package.
· Added configuration files and information to produce a simple three machine proxy system. Two machines can be used if three are not available. See the example documentation under com/theorem/radserver3/examples/server in the README.txt and PROXYREADME.txt files.
· The example server (com/theorem/radserver3/examples/server) now handles a simple database example. The source is found in com/theorem/radserver3/examples/server/dbaccess along with a README.txt file.
· There's a new method AttributeName.getVendor(String name) which returns the Vendor Id for the given name. The Vendor must be created as a (Vendor).java file to be used. This is not integrated into the dictionary yet. However you can create the (Vendor).java file using the GenerateJavaDictionary class. For example if you need a Bay Networks java file GenerateJavaDictionary will produce a Bay.java file for you to use. This must be compiled and the constructor run to make it available globally to your program.
· The AXLServer example server now handles Vendor-Specific attributes in the reply attribute list. They have the form Ascend.Add-Seconds=#40.
V 3.38.1 Feb 25, 2004
¤ As a result of the fix in 3.38, the server erroneously reported that a packet which had been sent successfully had failed to send.
V 3.38 Feb 20, 2004
¤ Fixed a problem in the server where it was pausing for .5 seconds after each packet was sent.
V 3.37 Feb 16, 2004
¤ The MSCHAP V2 authentication was not returning the MS_CHAP2_Success attribute. This has been fixed again.
· Tunnel attributes are handled a little differently. Attribute.getAttributeData() returns the raw data. All other Attribute conversions (getIP(), getInt(), getString()) continue to work as expected. To get binary tunnel data please use the new Attribute.getTunnelValue() method.
· The AcctInfo.getLivingstonEntry() and getMSNTEntry() methods have been modified to extract tunnel attributes properly with the above change in mind.
V 3.36 Feb 13, 2004
¤ The MSCHAP V2 authentication was not returning the MS_CHAP2_Success attribute. This has been fixed.
· Fixed a problem with Tunnel attributes - they would shorten by a character when converted to tunnel attributes (which is good) but would not reconstitute properly when turned back into an attribute.
· There is a new method Attribute.getTunnelValue() that will reliably return tunnel payload data. Attribute.getAttributeData() now returns the entire attribute data field including the tunnel flag. These two changes make copying attributes work while allowing better definitions for tunnel attribute data retrieval.
· Modules had a problem when the class loader did not include package information. The package is no longer required and modules may be specified outside the RADIUS server and client. Originally modules were meant for internal server extensions but now they're useful for modules outside the server.
V 3.35 Jan 22, 2004
¤ The Modules feature had a problem if the package was not defined by a class loader and would not process modules at all. The modules package is in com.theorem.radserver3.modules. You may now specify the full class path to the particular module, which has the added advantage that your module may be outside the server package. However, a number of server access methods won't be available because they generally have protected access.
· New method: AttributeList.getVendorSpecific(int vendorId, int vendorTag) that extracts all attributes matching a particular vendor Id and tag value. It returns an array of Attributes that match both criteria.
· New method AuthInfo.createMPPEKeys() which creates the MSCHAP (V1) keys for the Microsoft Point-to-Point Encryption Protocol (MPPE). Similarly the RADIUSClient can extract these keys and the MSCHAP V2 keys using RADIUSClient.getMSCHAPMPPE().
V 3.34 Dec 17, 2003
¤ It appears that certain clients are using the same authenticators for request / challenge sessions. Therefore the old NAS address / Port / Packet identifier (NPP) duplicate checker has been resurrected. Currently the authenticator is used, as its properties are described with the words MUST and SHOULD in the RADIUS RFC; the NPP method only rates a 'can', yet some clients believe this is the only way to do it. Therefore there is a new RADIUSServer method setDuplicateDetectionMethod() that allows either the authenticator to be used (the default action) or the NPP method (slower and prone to false negatives).
· A new class has been added to the Dictionary collection. GenerateJavaDictionary creates vendor classes from dictionary files. These classes are used by the server and client for debugging and building VendorSpecific sub-attributes. Two examples of similar classes are Ascend.java and Cisco.java.
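The two duplicate-detection methods from the V 3.34 item above (the authenticator method is the one introduced in V 3.26 below), run over constructed request streams that show where each method succeeds and fails, as an added Python example that is not the server's own code. The packets, addresses, ports and the 30-second expiry are constructed values.

```python
"""Duplicate-request detection keyed by Request Authenticator versus
NAS address / port / packet identifier (NPP). Added example; not the AXL server's code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    nas_ip: str
    src_port: int          # UDP source port of the request
    packet_id: int         # RADIUS Identifier octet
    authenticator: bytes   # 16-octet Request Authenticator


class DuplicateDetector:
    AUTHENTICATOR = "authenticator"   # the default method
    NPP = "npp"

    def __init__(self, method: str = AUTHENTICATOR, ttl: float = 30.0) -> None:
        if method not in (self.AUTHENTICATOR, self.NPP):
            raise ValueError("unknown duplicate detection method: %s" % method)
        self.method, self.ttl = method, ttl
        self._seen: Dict[Tuple, float] = {}   # key -> time first seen

    def key(self, req: Request) -> Tuple:
        if self.method == self.AUTHENTICATOR:
            return (req.authenticator,)
        return (req.nas_ip, req.src_port, req.packet_id)

    def is_duplicate(self, req: Request, now: float) -> bool:
        """Expire stale entries (the job of the server's cleaning thread), then check."""
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.ttl}
        k = self.key(req)
        if k in self._seen:
            return True
        self._seen[k] = now
        return False


def flag_stream(requests: List[Request], method: str, ttl: float = 30.0) -> List[bool]:
    """Run one detector over requests arriving one second apart; True = dropped as duplicate."""
    det = DuplicateDetector(method, ttl)
    return [det.is_duplicate(r, float(t)) for t, r in enumerate(requests)]


# Constructed traffic samples.
AUTH_A = bytes(range(16))
AUTH_B = bytes(range(16, 32))
# 1. A genuine retransmission: the identical packet sent twice. Both methods catch it.
RETRANSMIT = [Request("10.0.0.5", 40001, 7, AUTH_A), Request("10.0.0.5", 40001, 7, AUTH_A)]
# 2. The V 3.34 observation: a client answers an Access-Challenge with a new
#    identifier but the same authenticator. Authenticator keying wrongly drops
#    the reply; NPP keying lets it through.
CHALLENGE_REUSE = [Request("10.0.0.5", 40001, 7, AUTH_A), Request("10.0.0.5", 40001, 8, AUTH_A)]
# 3. A retransmission from a client that re-bound its socket to a new port:
#    NPP keying misses it (a false negative), authenticator keying still catches it.
REBOUND_PORT = [Request("10.0.0.5", 40001, 7, AUTH_B), Request("10.0.0.5", 40002, 7, AUTH_B)]
```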
V 3.33 Dec 10, 2003
¤ Removed references to BitSet as half was written in JDK 1.3 and the other half written in JDK 1.4. BitArray() is now used instead to provide the functionality of BitSet. This preserves backwards compatibility with JDK 1.3.
· Added some new methods to radutil.DumpPacket that allows the extraction of packet parts from the dumped packet like the attribute list, packet identifier, code and so on. The radutil.SnoopRecord will return the DumpPacket object so that classes using the SnoopReader can access parts of the RADIUS packet.
V 3.32 Nov 17, 2003
· The RADIUSClient class had some problems cleaning out old duplicate packet data, as well as an inconsistency in how it created packet identifiers between the constructor and the reset() method. These have been fixed.
· RADIUS dictionaries are now rudimentarily supported. Currently the FreeRadius format (an extension of the original Livingston style) is supported. See com.theorem.radserver3.dictionary for documentation.
V 3.31 Oct 06, 2003
· Changed how stack traces are generated by internal problems. It should look like a real and full stack trace. Lately the JVM has limited the trace information to only a few lines.
· Fixed a problem in ProxyClient that caused it to consume RADIUS sessions until no more were left, at which point it threw null pointer exceptions. Now it throws a RADIUSServerException if it runs out of sessions. It also politely returns sessions when it has completed its work.
· The server has been tuned a bit and appears to be much faster.
V 3.30 Sep 22, 2003
· The server now drops a proxied packet if the User-Password, Tunnel-Password, or any of several Microsoft Vendor-Specific attributes aren't a multiple of 16 bytes long. These attributes are required to be of that length.
· Changes to the MersenneTwister pseudo-random number generator required some small server code changes that reduce the number of MD5 calculations slightly.
· The RADIUS packet receiver has been changed to fix the Thread state exceptions that sometimes occurred when shutting down the server.
V 3.29 Sep 12, 2003
· The way the server handles packet overruns has changed. The server will continue to capture packets and drop them with a special session until a regular session becomes available. This fixed a problem where the accounting or authentication port would disappear: the receiver thread would accidentally exit if it ran out of sessions.
· The AuthInfo class can now create Tunnel-Password attributes - createTunnelPassword(). Similarly the RADIUSClient can decode them - getTunnelPassword().
· The display of tunnel data has been fixed in Attribute.toString(). The tunnel attribute data was not properly reconstituted after the method convertToTunnel() was used. This has also been fixed. The RADIUS server now proxies them correctly.
· Attribute class - two methods were added. .getDataType() and .getDataType(int attributeTag). These return the probable type of data contained in the attribute data field. The types supported are strings, integers, dates, octets (binary), and IP addresses. Tunnel attributes will have a tunnel flag OR'd with the other flags. This addition can help in determining the display of attribute values without knowing the specific attribute. There is also a setDataType() method that can change the contents of the table if the probable attribute data type is wrong.
V 3.28 Aug 03, 2003
· Fixed a problem with SNMP V2 traps - the trap community wasn't being used for traps but the read community was always being used.
· Added another error to the RADIUSClient - ERROR_WRONG_HOST, which indicates the reply packet did not originate from the destination host. In other words, another server replied to our request, which could be a security problem.
V 3.27 July 31, 2003
· When the server ran out of sessions it would often stop running and close its receiver socket. This has been fixed; as a result it is more accurate in tracking packets dropped during this time.
· Added several methods to the RADIUSServer class: ProxyTarget[] getProxyTargetList() which returns a list of ProxyTarget objects, getServerLogLevel() which returns the current server log level (FAILURE, SUCCESS, BOTH, NONE), and log(String msg, int logLevel) which allows implementations to log at the prevailing log level. The RADIUSServer object can be accessed through the PacketInfo.getRADIUSServer() method.
· An error reporting the physical size of a packet when the packet's length field value exceeded the physical packet size has been fixed. It used to report the largest packet acceptable by the server and not the physical size of the packet.
V 3.26 July 28, 2003
· Added Proxy round trip timing to the ProxyInfo class. This enables the server to track round trip times of a forwarded packet back to this server. It can be used to dynamically alter server thresholds or determine that a server is overloaded. The new methods are ProxyInfo.setRoundTripTiming(boolean enable), ProxyInfo.getRoundTripTiming(), and ProxyInfo.getRoundTripTimingString().
· Fixed a number of javadoc items where the @param's didn't match the actual parameters thanks to the release of the JDK 1.4.2 javadoc's new warnings.
· Fixed a problem reconstituting a Vendor-Specific attribute. A VS attribute that had been built from attribute data failed to build the data necessary to reconstitute the vendor Id. This generally showed up as null pointer exceptions when proxying MSCHAP authentications.
· Fixed some problems with RADIUSLogin. For some reason some of the code creating a number of Callbacks had disappeared.
· The SNMP value for radiusAccServResetTime was not being updated - fixed.
· Changed all the fields of LogImpl from protected to public.
· Fixed a synchronized() block error in AttributeName where it was possible to throw a ConcurrentModificationException under some debugging race conditions. AttributeName is largely used by the Attribute.toString() method.
· A new class has been added to aid in load balancing. The ProxyClient class, available through almost any implementation (AccessImpl, AccountingImpl, ProxyImpl), allows packets to be sent to other servers or to the host server. This allows for redundant accounting and perhaps failover services.
· Fixed an error in SNMP where rejected packets were counted twice. The reject logger and the packet send code were both incrementing the rejected packet count.
· The ProxyImpl.changeResponse() method had stopped working. Fixed.
· Changed how duplicate packets are detected. Instead of the RFC suggested NAS / Port / Packet Id the server now uses the authenticator. This results in better duplicate detection with extremely few false positives. The only case where there would be a false positive is in accounting packets where no data changes (including the packet id). These are highly unlikely unless they're really duplicates.
· Changed the mechanism for handling State and ProxyState objects. A faster Map class uses a primitive int as the key (IntMap.class).
· Fixed a proxy problem. If there was no client NAS that matched a ProxyTarget, the error that the Proxy-State was CORRUPT would occur.
· There are now more informative messages as to why a proxy state is corrupt or missing.
· Added two classes, SnoopReader and SnoopRecord to read Snoop V2 files (RFC1761).
· Made changes to how SNMP NAS client table rows are removed. There was a problem displaying the toVerboseString() results as empty SNMP client rows were accumulating. The accumulations were caused by deleting NAS's.
· If the arriving packet was too small a null pointer exception was thrown within the RADIUSSession. This has been fixed. It now displays properly.
· Added methods to add State attributes to PacketInfo which allows almost all implementations to add State attributes. One or more state objects are permitted but will only occupy one State attribute.
· Now checks authenticators on arriving accounting responses (when acting as a proxy).
· ProxyInfo.setResponseAttributes() wasn't properly returning the attributes in the ProxyImpl method changeResponse(). Fixed.
· Added two methods to ProxyInfo to associate an external object to the Proxy-State attribute. This allows an object to be tracked between forwarding the packet to a proxy and retrieving that object from the response packet. This can be especially useful for ProxyImpl classes, although it can be accessed from all implementations.
· Fixed a problem in SNMP that caused the accumulation of dead entries in the client tables. Fortunately the entries were nulls and didn't take up much space. This behavior only happened if the RADIUSServer.replaceNASList() method was used.
· Fixed a problem with EAPMD5 that caused failed authentications that should have worked and some that should have failed, yet worked.
· Fixed a problem where the server would not accept return proxies with the message 'OUR PROXY-STATE INFORMATION IS MISSING'. It was using the wrong NAS list to recover the client's NAS information. It was using the Proxy's NAS information.
· Fixed a problem in radutil.Util.cmp() where some comparisons were incorrect.
· Fixed a problem with the server not detecting duplicate accounting packets.
· Added two methods to PacketInfo, used by AuthInfo, AccountingInfo, ProxyInfo, ExtendedInfo, and NASInfo. The methods fromAccountingPort() and fromAuthenticationPort() indicate the origin of the packet and its probable packet type.
· Fixed a problem with Util.cmp(byte [], int, byte[], int, int) that caused most compares to break, including the proxy signature compare.
· Added a new method to RADIUSServer, setSingleStatePool() which allows for an interesting situation. Different clients can share the same State data. Normally clients cannot access the same state data if they're from a different NAS. Not recommended for general use unless you know what you're doing and understand the slight security risks involved.
· Changed the behavior of the NAS's. There are now separate NAS lists, one for clients and one for proxy servers. This adds a bit more security but mostly allows a proxy server to have a different secret than a client on the same machine.
· Changed the name of the attribute Tunnel_Medium to Tunnel_Medium_Type as specified in RFC 2868. Also added Acct-Tunnel-Connection which was missing.
· Fixed the display of tunnel attributes - the first data byte was missing in some cases.
· Added the method AttributeList.setAttributeAt(int n, Attribute a) to complement AttributeList.getAttribute(int n).
· Moved the DumpPacket class to the radutil directory.
· Added the class Replay to the radutil directory. This will replay packets extracted from the log files.
· Fixed a reporting problem when a packet arrived that was too small. It would produce a NullPointerException because of an uninitialized class. This is fixed.
· Fixed a problem in RADIUSClient where passing a replay packet wasn't tracking the original authenticator and packet identifier. This would always result in an authenticator or packet id mismatch.
· The class AV contained inner classes that weren't declared static which caused some versions of the Java compiler to generate the error "Can't make a static reference to inner class ...". This has been fixed.
· Fixed a problem in the method EAPPacket.createNotificationResponse() where a null pointer exception was being thrown.
· Setting the minimum number of threads didn't force the creation of the minimum number of threads. Now it does.
· Added the notion of add-in modules to dynamically allow built-in and programmer modules to be added to the server or authentication / accounting methods. These modules will allow cleaner extensions to the server. These modules can be enabled using the RADIUSServer.addModule(String moduleName). If a module isn't present and not requested the server will continue to function. See com/theorem/radserver3/module/Modules.txt for more details.
· IPv6 support added in the Attribute, AttributeList and AccountingInfo classes. If your JVM is older than version 1.4, IPv6 references will probably generate UnknownHostExceptions when creating or reading the attributes.
RFC 3162, 'RADIUS and IPv6', specifies the following attributes as IPv6: NAS-IPv6-Address, Framed-Interface-Id, Framed-IPv6-Prefix, Login-IPv6-Host, Framed-IPv6-Route, and Framed-IPv6-Pool.
· Fixed a further proxy problem.
· Fixed a shutdown issue - interrupts were not being properly propagated by the JVM, so semaphores are used in those places.
· The login.RADIUSLogin (JAAS) Login Module now returns attributes from an authentication through the CallBackHandler. See the example in examples/login/RADIUSHandler.java to see how this is done using the CallBack class ResponseAttributes.
· RADIUSClient now has an authentication method that handles raw packet data. See RADIUSClient.authentication(byte packetBytes[]).
· DumpPacket has changed to handle input from the debug log without editing the packet data. Now just scrape the raw dump portion of the packet and give it to DumpPacket. DumpPacket now has a method to extract data from the dump and return the packet bytes suitable for use with the above change - RADIUSClient.authentication(byte packetBytes[]).
· The debug log now displays the reason why a corrupt attribute block is corrupt (e.g. empty attribute, or attribute with a bad length).
· Fixed a problem where RADIUSServer.clearProxyTarget() would fail with a cast exception.
· RADIUSServer methods addNAS() & replaceNASList() now throw RADIUSServerExceptions if a NAS specification is not complete. RADIUSServer methods setPasswordEncoding() and setSecretEncoding() are deprecated because the RADIUS protocol only allows UTF8 encoding.
· Fixed an error in AttributeList.getVendorSpecific where it would return the same VS sub-attribute once for every Vendor-Specific attribute present, instead of each attribute's own sub-attribute.
· The AuthInfo.cmpMSCHAP() method now looks for multiple MS VS attributes when looking for the challenge and response values.
· Fixed a problem with proxying. Proxied packets were sent back to the authenticating server instead of the waiting client.
· Fixed a problem in accounting where a datagram longer than the payload data would be marked as having a bad authenticator.
· Fixed a problem getting the length of an EAP-MD5 response.
· Fixed a problem with not shutting down all threads (stateSessions were not shut down automatically).
· RADIUSServer now has a method to permit empty attributes from clients or other servers: RADIUSServer.allowEmptyAttributes(boolean). The same applies to the RADIUSClient class.
· Fixed a null pointer exception that occurred when RADIUSServer.setStateTTL() was called.
· Added EAP MD5 to the authentication classes. See EAPInfo for more details.
· Added a method to AttributeList to get an array of Vendor-Specific attributes by vendor.
· Added MS-CHAP and MS-CHAP2, EAP-MD5 to the RADIUS client.
· Fixed an error message that said it was internal - it was catching a perfectly reasonable error indicating that one of the receiver threads failed to start.
· Fixed a problem where the method RADIUSServer.setMinimumPackets() was setting the maximum number of packets.
· Improved the duplicate packet checking code to use vastly less memory and to run a bit faster.
· Persistent State attribute data added. See AuthInfo.setStateObject() / getStateObject() / removeStateObject().
· Altered NAS code. The NAS(InetAddress addr, String id, String secret, boolean enforced) constructor is deprecated since the id and enforced are no longer used. It is harmless to continue to use it, but consider using the constructor NAS(InetAddress addr, String secret).
· Added support for javax.security.auth.login.spi.LoginModule. The com.theorem.radserver3.login.RADIUSLogin class handles PAP and CHAP logins.
· The server's SNMP subsystem was counting authentication accesses twice. Fixed.
· The server is more forgiving when a packet arrives that's larger than the payload. Large packets with a small payload used to be dropped. They are now accepted.
· There was a problem in killing all the threads when the server was shut down. Fixed.
· It was possible for attributes smaller than two bytes to drop a packet without any proper explanation. The server now logs the problem and dumps the packet.
· Added methods to RADIUSClient allowing retrieval of the request authenticator and secret.
· Added CHAP password support to the RADIUSClient class. To use it call RADIUSClient.createCHAP(byte password[], AttributeList list) and use RADIUSClient.authenticate(AttributeList list) to send the packet.
· Fixed a problem on the recalculation of the Message-Authenticator on return through the proxy server.
· Fixed a problem with Attribute.getVendorID() where it used to return only two bytes instead of four.
· A new version of JoeSNMP is included - fixes Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP).
· All String.getBytes() now perform String.getBytes("UTF8") conversions. A few were non-compliant.
· Fixed a problem in RADIUSSession where the arrival of an unknown packet type caused a null pointer exception in the logging routine.
· Added more conversion methods to the Attribute class - getString() and getIP().
· Changed the AV class to contain sub-classes to avoid naming conflicts in attribute values. Instead of AV.Start it's AV.Acct_Status_Type.Start.
· RADIUSClient has a new method, authenticate(byte chapPassword[], AttributeList alist), so a CHAP password can be sent as the authenticator.
· Fixed a potential problem in the Attribute(int tag) constructor. Its length was too short and it could result in an exception assigning empty attributes.
· Fixed a problem where the VendorSpecific class reported the wrong number of sub-attributes, off by a multiple of ten.
· Added better CHAP-Password support, including AuthInfo.cmpChapPassword(byte plaintextPassword[]), which encodes the plain text password and compares it to the original CHAP password.
· Fixed the AuthInfo class to pick up the CHAP-Challenge attribute instead of the CHAP-Password in getPassword().
· Added cmpCHAP(byte plaintextPassword[]) to AuthInfo to aid in handling CHAP authentication.
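The check that the cmpChapPassword / cmpCHAP entries describe, as an added example that is not the library's code: it re-encodes the stored plaintext password per RFC 2865 section 2.2 and compares it with the client's CHAP-Password, taking the challenge from CHAP-Challenge or, when that attribute is absent, from the Request Authenticator. Written in Python rather than Java; the dict-of-attributes layout and the sample values are assumptions.

```python
"""CHAP-Password checking as RFC 2865 section 2.2 defines it.

Added example, not code from the radserver3 project. Attribute type codes
are the RFC 2865 values; the dictionary-of-attributes layout and the sample
values are assumptions made for illustration.
"""
import hashlib
import hmac
from typing import Dict

CHAP_PASSWORD = 3     # RFC 2865 section 5.3
CHAP_CHALLENGE = 60   # RFC 2865 section 5.40


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """16-byte CHAP response: MD5(CHAP Ident || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: the CHAP-Password value is the Ident byte followed by the response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(attrs: Dict[int, bytes], request_authenticator: bytes,
                stored_password: bytes) -> bool:
    """Server side: re-encode the stored plaintext password and compare it
    with the CHAP-Password the client sent.

    The challenge is the CHAP-Challenge attribute when present; otherwise
    the Request Authenticator serves as the challenge (RFC 2865 section 5.3).
    """
    chap_password = attrs.get(CHAP_PASSWORD)
    if chap_password is None or len(chap_password) != 17:
        return False           # malformed: must be Ident + 16-byte digest
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(chap_password[0], stored_password, challenge)
    # constant-time compare avoids leaking how many bytes matched
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    # constructed sample values, not captured traffic
    challenge = bytes(range(16))
    attrs = {CHAP_PASSWORD: build_chap_password(0x2A, b"secret", challenge),
             CHAP_CHALLENGE: challenge}
    print(verify_chap(attrs, b"\x00" * 16, b"secret"))   # True
```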
· Fixed a problem with SNMP tables - the index was in the wrong place.
· The Attribute and AttributeList classes have been optimized for better speed.
· A new method, RADIUSServer.setFastNAS(), now allows a RADIUS client to be determined valid solely on its source address rather than its NAS-IP-Address and NAS-Identifier. This speed enhancement is at the expense of security (replay attacks are much easier).
· Added a server log message to SessionManager to notify that packets are being dropped because there are too few session threads. To keep the reporting itself from adding to the load while threads are being dropped, it reports only after a certain number of packets have been dropped and after a certain time has passed since the last occurrence. It also tracks this in the RADIUS MIB.
· The datagram receive buffer is now built when a RADIUS session is constructed rather than for each packet. Also changed: notifyAll() was changed to just a plain notify(). Both have resulted in a performance increase.
· The AttributeList class has been optimized for better speed.
· A new method, RADIUSServer.setFastNAS(), now allows a RADIUS client to be determined valid solely on its source address rather than its NAS-IP-Address and NAS-Identifier.
· Added RADIUSServer.divertExtendedPacket() which can divert any extended packet type to be handled by the AccessImpl or the AccountingImpl instead of the default ExtendedPacketImpl. This is useful for packet types like Password-Request and Accounting-Message.
· Added RADIUSServer.replaceNASList() which allows the entire NAS table to be replaced as an atomic operation.
· RADIUSClient has two new methods to accommodate the new server abilities to send extended packets to the Authentication and Accounting ports: authenticate(int packetType, AttributeList alist) and account(int packetType, AttributeList alist). These allow arbitrary packet types to be sent as authentication or accounting packets. The extended() method has been deprecated in favor of these new methods since it only worked for the authentication server.
· The RADIUS client now has its own smaller jar file called radclient3.jar.
· Added a method: RADIUSServer.setSNMPManagers(). This restricts the SNMP agent access to the named managers. If this is not called the SNMP agent is unrestricted. If the list is empty no manager has access to the SNMP agent, although traps may still be sent (if enabled).
· Fixed a problem in the NASList class where clearing the NAS list would remove all proxy target entries. Fixed in version 2.55, but changed in the way it was handled in this version.
· Added duplicate packet checking. Duplicate packets (those with the same NAS, same port, and same message ID) are dropped as suggested in RFC 2865. There are methods for modifying the TTL (Time to Live) for the duplicate packet cache as well as disabling duplicate checking. See RADIUSServer.setAuthDuplicateTTL(), RADIUSServer.disableAuthDuplicateChecking() and the same for the accounting server.
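Duplicate request detection of the kind the entry above describes, as an added example that is not the radserver3 implementation: a cache keyed on NAS address, source port and Identifier with a TTL and a disable switch (mirroring setAuthDuplicateTTL() and disableAuthDuplicateChecking()). It goes one step beyond the entry, as RFC 2865 section 3 suggests, by treating a reused Identifier that carries a different Request Authenticator as a new request rather than a duplicate. The clock parameter exists only to make the behaviour testable.

```python
"""Duplicate request cache, added example (not the radserver3 code).

Keyed on (NAS address, source port, Identifier) as the changelog entry
describes; a reused Identifier with a different Request Authenticator is
treated as a new request, as RFC 2865 section 3 suggests. The injectable
clock is an assumption made so the TTL logic can be exercised offline.
"""
import time
from typing import Callable, Dict, Tuple

Key = Tuple[str, int, int]


class DuplicateCache:
    """Remembers recent requests so retransmissions can be dropped."""

    def __init__(self, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds          # cf. RADIUSServer.setAuthDuplicateTTL()
        self.enabled = True             # cf. disableAuthDuplicateChecking()
        self._clock = clock
        # key -> (expiry time, Request Authenticator of the cached request)
        self._seen: Dict[Key, Tuple[float, bytes]] = {}

    def set_ttl(self, ttl_seconds: float) -> None:
        """Change how long a request is remembered."""
        self.ttl = ttl_seconds

    def disable(self) -> None:
        """Turn duplicate checking off and forget everything cached."""
        self.enabled = False
        self._seen.clear()

    def _expire(self, now: float) -> None:
        """Drop entries whose TTL has run out so memory stays bounded."""
        stale = [k for k, (expiry, _) in self._seen.items() if expiry <= now]
        for k in stale:
            del self._seen[k]

    def is_duplicate(self, nas_ip: str, port: int, identifier: int,
                     authenticator: bytes) -> bool:
        """True if this packet is a retransmission that should be dropped.

        A known key with the same Request Authenticator is a duplicate.
        The same key with a different authenticator is a fresh request
        (the client wrapped its 8-bit Identifier), so the cached entry is
        replaced and the packet is processed.
        """
        if not self.enabled:
            return False
        now = self._clock()
        self._expire(now)
        key = (nas_ip, port, identifier)
        cached = self._seen.get(key)
        if cached is not None and cached[1] == authenticator:
            return True
        self._seen[key] = (now + self.ttl, authenticator)
        return False
```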
· SNMP traps may be disabled at start up if the trapCommunity argument in the RADIUSServer.startSNMP is null.
· Fixed a logging problem where an Access-Accept response was being logged as an Access-Challenge.
· Changed the RADIUSServer.addNAS() to replace existing data if the NAS exists.
· SNMP sends traps - Authentication errors, Cold Start for each server, and thread exceptions.
V 3.00 Dec 12, 2001
· Many changes, most especially to the programmer's API. These changes allow for much greater access to server information.
· AccessImpl now only has two methods: logs() and authenticate(AuthInfo ai). The new parameter, AuthInfo, provides a much greater amount of information and useful methods for authentication. Access-Responses and Access-Challenges are handled under the same method. Attributes are easier to retrieve and return. There are many helper methods for common chores. See the API documentation on AuthInfo for details.
· Similarly ProxyImpl, ExtendedImpl, and AccountingImpl have changed as well, offering many helper methods. AccountingImpl even offers several standard logging methods including the Livingston and Microsoft's CVS logging.
· A new NASCallBack implementation introduced in version 2 is now documented. It allows NAS's to be dynamically added to the server. This can allow the server to respond to new machines being added to a system without manual intervention. Providing filtering in your code can limit which machines are permitted access.
· Made the RADIUSClient.authenticate(AttributeList) public. This allows authentication packets to be sent without a User-Password or even a User-Name. It makes it possible to send a CHAP-Password without a User-Password.
· Fixed a problem with null pointer exceptions during an Access-Challenge/Access-Accept exchange. The snmpNAS value wasn't set, and the Access-Challenge was incorrectly being sent as a reply causing all sorts of problems.
· Fixed a problem with returning Message-Authenticator from the proxy server.
· RADIUSClient will now take an uninitialized Message-Authenticator (AttributeList.addAttribute(Attribute.Message_Authenticator);) or any initialized Message-Authenticator and not complain. If a MA exists, its data portion will be properly initialized.
· Fixed a problem in long password encoding and decoding. The encoding was a little off, while the decoding only decoded the first 16 bytes.
· Fixed a problem with Message-Authenticator not being recalculated through a proxy server.
· RADIUSServer.addNAS() and RADIUSServer.addProxyTarget() now throw an IOException if the resulting NAS entry is a duplicate.
· Previous versions required the server to have a realm name even if it didn't need one. This restriction is gone. It was a requirement of the NAS list, which now understands the 'anonymous' NAS (one with only an IP address and no NAS-Identifier).
· RADIUSEncrypt now accepts empty or null passwords without throwing a null pointer exception.
· Fixed some outstanding proxying issues; proxying now complies exactly with RFC 2865 section 2.3, "Proxy".
· Changed the handling of checking NAS-Identifier and NAS-IP-Address to avoid some incorrect matches that could occur.
· Added Attribute constructor that builds attributes with no data. AttributeList.addAttribute(int tag) also added to support attributes with no value.
· Fixed a problem with a failed password causing a null pointer exception.
· RADIUSClient will not add a User-Password attribute if the password is null.
· RADIUSClient now accepts empty or null passwords without throwing a null pointer exception.
· RADIUSServer.startAuthenticationServer() and startAccountingServer() will return false if the servers could not be started.
· Fixed a problem in RADIUSServer.startAccountingServer() where the logs for the various implementations were not initialized unless RADIUSServer.startAuthenticationServer() ran first.
· A User-Name attribute is no longer required when sending an authentication packet. It used to cause the request to be dropped and logged.
· Fixed RADIUSServer.setMinimumPackets() and setMaximumPackets() so that they can be set before the server is started without throwing a null pointer exception.
· RADIUSServer.addNAS() throws an IOException if the NAS entry could not be added.
· The NAS class has a new method NAS.verify() to validate the NAS object.
· Corrected an error message logged when a NAS-Identifier or NAS-IP-Address attribute didn't match a known NAS. It would always report that the attributes were missing when in fact one or the other was wrong.
· AttributeList.addAttribute() now accepts VendorSpecific objects: AttributeList.addAttribute(VendorSpecific vs).
· The RADIUS server now uses the java.security.MessageDigest version of the MD5 algorithm. This is faster than the one previously used.
· Temporary workaround added for transparent proxies. This is where a concrete ProxyImpl can strip realm information from the User-Name attribute and force proxying to a given realm. This will disappear in version 3.
    // Add an AXL VendorSpecific attribute to the list of
    // returned attributes. The AXL VS attribute will not
    // appear to the final authentication server.
    // Use this to create transparent proxy transfers.
    // Assuming the inbound parameter 'name' has
    // been stripped of its realm.
    AttributeList outList = new AttributeList(list);
    outList.setAttribute(Attribute.User_Name, name);
    VendorSpecific vs = new VendorSpecific(AXL.VENDORID);
    vs.addAttribute(AXL.Transparent_Proxy, "wallawalla.washington");
    outList.addAttribute(vs);
    return outList.getAttributes();
· Fixed an error in RADIUSClient.reset() where a null pointer exception was in the making.
· Added method AttributeList.addAttribute(int, Date). Allows Java Date times to be placed in an attribute as seconds since the epoch.
· Added method VendorSpecific.addVendor(String, int). Allows the addition of your own Vendor-Specific class to the .toString() methods in the AttributeList and VendorSpecific classes. This will display your VSA attributes with names instead of numbers.
· Extended packet types are once again subject to the same rigors of NAS checking as regular packets like Access-Request.
· The RADIUSServer.addAuthPacketType() and RADIUSServer.addAcctPacketType() used to ignore resetting entries. This has been changed to permitting the altering of existing packet types in the list.
· ProxyImpl.changeProxy() and ProxyImpl.changeResponse() now throw AccessDropException and AccessRejectException. Both methods also take the shared secret as an argument.
· RADIUSClient - added a method to bind the client to a particular address using RADIUSClient.bind().
· RADIUSClient - added a reset() method that allows reuse of the constructor for new authentications and accounting.
· Added the RADIUSServer.setMaxPacketSize() method to allow for packet sizes larger (or smaller) than traditional 4K packets.
· Added the method AccessRejectException.setAttributes() to allow attributes to be passed to an Access-Reject packet. Returning the message in the Reply-Message no longer works, as setAttributes() fulfills the purpose.
· Added a method RADIUSServer.setProxyCharacter() to change the traditional proxy character from '@' (the default) to whatever's needed. This would only be used under very unusual circumstances.
· Added additional methods RADIUSServer.addAuthPacketType() and RADIUSServer.addAcctPacketType() to include the attribute type to use for proxy information. Currently the two generally accepted attributes are User-Name (using the xyz@realm form) or the Called-Station-Id attribute. The default is User-Name.
· Changed the RADIUS client to conform with RFC 2865's Retransmission Hints. It's now necessary to construct a new RADIUSClient for each new authentication, accounting, and extended packet. Retries must use the same RADIUSClient object.
· The authenticators of non-accounting proxied responses are now checked.
· The Message-Authenticator attribute is supported in both the server and client.
· Changed server & debug log format to display useful information in a consistent and compact format.
· Fixed some problems in proxying Access-Rejections.
· Fixed a problem where multiple Proxy-State's were included by the server - harmless, but it took up space in the packet.
· The beginnings of SNMP support have appeared in the code. There is no actual SNMP management implemented.
· Fixed a potential null pointer exception in code that removes our own Proxy-State.
· Added a Reply-Message attribute on an AccessRejectException. The text added is message text of the exception (minus the "AccessRejectException: " text).
· Added better protection against thread exceptions in implementation and server code.
· Fixed a problem in Access-Challenges so they really work this time (see above release for erroneous report of fix).
· Added packet type extensions to the server and client. This allows sending packet types beyond the usual Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request, and Accounting-Response.
· Added class PacketType to hold regular and extended packet type codes.
· Fixed a problem where a successful access challenge returned an Access-Challenge instead of a proper Access-Accept response.
· RADIUSServer.addNAS() is more strict in what it accepts. Logs errors.
· Server now has a thread pool for RADIUS sessions which has improved throughput.
· MD5 has been improved by unwrapping method calls into inline code to perform the rounds.
· AttributeName has synchronized iteration to prevent concurrent modification exceptions.
· UTF8 is the standard encoding as per RFC-2865.
· Support added for 'RADIUS Attributes for Tunnel Protocol Support' (RFC-2868).
· VendorSpecific class added as well as decoding the attributes.
· Expanded the number of attribute types known to the server.
· Changed AccessImpl.password to accept the NAS secret as a byte array (like getAccessChallenge).
· Added RADIUSEncrypt.trim() to remove padding from decoded passwords.
V 2.12 Dec 15, 2000
· Fixed a problem in RADIUSEncrypt which caused passwords with lengths multiples of 16 to be incorrectly encoded.
· Fixed some problems in proxying where the authenticator might be miscalculated.
· Removed a line that caused a null pointer exception in the RADIUSSession.checkProxy().
· Fixed an encoding problem in RADIUSClient.java.
· Added delete methods to AttributeList.java.
· Added packet type constants to RADIUSServer.java, changed method setProxyimplFactory() to setProxyImplFactory().
· Fixed RADIUSEncrypt to generate a correct length for the buffer holding the encrypted password.
· RADIUSEncrypt methods changed to static methods.
· Fixed a bug in the RADIUSSession where a proxy response was simplistically calculated. It now handles proxy transmissions correctly.
· Changed the AttributeList to always return some attributes, even 0.
· RADIUSServer checks for negative attribute lengths and drops packets instead of killing the thread.
· Sep 15, 2000 Added setMultihomed() to control the server's binding to interfaces.
· Oct 10, 1999 Initial coding.