Radiator

Commercial; see text.

Current Version: 4.6 (February 5, 2010)

Open System Consultants Pty Ltd produces Radiator, one of two RADIUS implementations for the Mac that I'm aware of. Radiator is written in Perl and runs an just about any OS, including Mac OS 9 and Mac OS X.

Version 4.6 makes the following changes:

• Improved AuthLog SYSLOG to support multiple SYSLOG clauses with different LogHost and LogSock options. No comnpatible with multiple Log SYSLOG clauses. Reported by "Martin van der Walle".
• Improvements to example init script for Linux in linux-radiator.init, to be compliant with LSB requirements in http://wiki.debian.org/LSBInitScripts
• AuthBy LDAP2 now detects LDAP_INVALID_DN_SYNTAX errors and interprets them as a per-request error and not a connection failure. When LDAP_INVALID_DN_SYNTAX error occurs, the LDAP connection wil not be shut down. Requested by Dawn Lovell.
• Fixed a problem in Server TACACSPLUS where an AuthorizeGroup of the formAuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"} would result in the autocmd being sent incorrectly with 2 equals signs.
• AuthBy SQLYUBIKEY now supports static passwords in any format supported by Radiator, including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also supported. Suggested by Jerome Fleury.
• Minor updates to Yubikey documentation to reflect the fact that AES keys must be programmed into each Yubikey before being imported into the SQLYUBIKEY database. Changes to AuthBy SQLYUBIKEY default SQL queries to work better with databases where the tokenID and AES key are in Hex. Yubikey keys may now be present in the database in either hex (no spaces) or base64 format. But the default queries assume the Token ID and AES secret are in Hex, and that there is a one-to-one mapping between users and Yubikeys. Other options are available with custom SQL queries.
• Fixed a problem in AuthBy SQLYUBIKEY where it would sometimes incorrectly detect a replay attack in during multiple authentication of the same Yubikey session. General improvements to the AuthBy SQLYUBIKEY replay detection. Replay detection now uses the session counter and the session_use counter. The timestamp is not used. The database column that previously held the timestamp_low is used for the session_use counter. The database column that previously held the timestamp_high is not used.
• Updated install.html installation instructions for Windows.
• Improvements to AuthBy EAPBALANCE and AuthBy HASHBALANCE to work better in multi-AP roaming TTLS/PEAP session resumption environments. The default behaviour of AuthBy HASHBALANCE is to compute the HASH based on the same attributes as the EAP context. This prevents false detection of loss of continuity in EAP streams. AuthBy EAPBALANCE now sets the State in all replies in an EAP stream, not just the first, in order to work correctly with some non-compliant APs. AuthBy HASHBALANCE is deprecated in favour of AuthBy EAPBALANCE in any EAP-capable environment.
• In Server DIAMETER, fixed a problem that prevented some RADIUS reply attributes being correctly translated into Diameter reply attributes.
• Added new module AuthBy SQLMOTP for MOTP authentication, a new strong, two-factor authentication with mobile phones. See http://motp.sourceforge.net for details.
• In diapwtst, fixed a problem that would result in an incorrect status report: "Unexpected result code: DIAMETER_SUCCESS".
• Improvements to the internal structure of ServerDIAMETER.pm, making it easier to override handling of specific Diameter request types.
• Fixed a problem with AuthBy VOLUMEBALANCE, where if multiple failed hosts are configured with FailureBackoffTime of 0, it was possible for a request to be handed to each host in turn forever.
• Added new sample configuration file goodies/crypto-mas.cfg, showing how to proxy requests to the Cryptocard MAS (Managed Authentication Service) CRYPTO-MAS. See http://www.cryptocard.com/
• Added new parameter MaxTargetHosts to AuthBy VOLUMEBALANCE. Limits the number of different hosts a request will be proxied to in the case of no reply. Defaults to 0 which mean no limit: if the load balancer does not receive a reply from a host, it will keep trying until all hosts are exhausted.
• Improvements tp RPM spec file to permit installation with Perls that do not include /usr/lib/perl5/site_perl/, such as SLES. Reported by Frank Messie.
• Improvements to the rpm: make target so the RPM build correctly uses the local perl version number for links in the Perl lib. Contributed by Bjoern.
• Updated expired test certificates.
• Fixed a problem with incorrect type in replies to proxied Change-Filter-Request. Reported by Belmont Cheung.
• Added support for UpdateQuery in SessionDatabase SQL. Patch supplied by Jose Borges Ferreira.
• Added support for RFC 4818 compliant packing and unpacking of Delegated-IPv6-Prefix. Added new dictionary type ipv6prefix.
• The TacacsPlus group cache GroupCacheFile now uses the IP address of the client as part of the key, so that in situations where the group name depends on the client the correct group name wil be retrieved.
• Some Expiration check items in the sample users file had actually expired, causing the test suite to incorrectly fail on tests 2l, 2m, 3g and 3h.
• Fixed a problem that could cause incorrect authentication of HOTP passwords with leading zeroes.
• Added support for TOTP (Time-based one-time-passwords) as specified in draft-mraihi-totp-timebased-04.txt. Sample configuration and database schema included.

The software is available for online purchase for $840 - $7,140.