Mac OS X | Security / Privacy | Other Security / Privacy | Radiator

Radiator - 4.6

Full source, flexible, extensible, portable RADIUS server.

Download Now

(File Size: form)

Free Product Alerts!

All Time:	(5.0)
This Version:	Not rated (0.0)
Current Version:	4.6
Release Date:	2010-02-04
License:	Commercial
Downloads (this version):	117
Downloads (all versions):	7,292
Price:	$900.00

Information Related to Version:

Broken Link? Newer Version? Tell us!

Product Description:

Radiator RADIUS server is flexible, extensible, and authenticates from a huge range of auth methods, including Wireless, TLS, TTLS, PEAP, LEAP, FAST, SQL, proxy, DBM, files, LDAP, NIS+, password, NT SAM, Emerald, Platypus, Freeside, TACACS+, PAM, external, OPIE, POP3, EAP, Active Directory and Apple Password Server. Interoperates with Vasco Digipass, RSA securID, Yubikey. It runs on Unix, Linux, Solaris, Win95/98/NT/XP/2000/2003/2007, MacOS 9, MacOS X, VMS, and more. Full source provided. Full commercial support available.

What's new in this version:

Improved AuthLog SYSLOG to support multiple SYSLOG clauses with different LogHost and LogSock options. No comnpatible with multiple Log SYSLOG clauses. Reported by "Martin van der Walle".

Improvements to example init script for Linux in linux-radiator.init, to be compliant with LSB requirements in http://wiki.debian.org/LSBInitScripts

AuthBy LDAP2 now detects LDAP_INVALID_DN_SYNTAX errors and interprets them as a per-request error and not a connection failure. When LDAP_INVALID_DN_SYNTAX error occurs, the LDAP connection wil not be shut down. Requested by Dawn Lovell.

Fixed a problem in Server TACACSPLUS where an AuthorizeGroup of the form



      	AuthorizeGroup group1 permit service=shell cmd\* {autocmd="telnet 169.163.226.81"}

(ie with double quotes surrounding the predicate) would result in the autocmd being sent incorrectly with 2 equals signs.

AuthBy SQLYUBIKEY now supports static passwords in any format supported by Radiator, including plaintext, {SHA}, {crypt}, {MD5}, {rcrypt}, {mysql}, {mssql}, {nthash}, {dechpwd}, {NS-MTA-MD5}, {clear} etc. TranslatePasswordHook is also supported. Suggested by Jerome Fleury.

Minor updates to Yubikey documentation to reflect the fact that AES keys must be programmed into each Yubikey before being imported into the SQLYUBIKEY database. Changes to AuthBy SQLYUBIKEY default SQL queries to work better with databases where the tokenID and AES key are in Hex. Yubikey keys may now be present in the database in either hex (no spaces) or base64 format. But the default queries assume the Token ID and AES secret are in Hex, and that there is a one-to-one mapping between users and Yubikeys. Other options are available with custom SQL queries.

Fixed a problem in AuthBy SQLYUBIKEY where it would sometimes incorrectly detect a replay attack in during multiple authentication of the same Yubikey session. General improvements to the AuthBy SQLYUBIKEY replay detection. Replay detection now uses the session counter and the session_use counter. The timestamp is not used. The database column that previously held the timestamp_low is used for the session_use counter. The database column that previously held the timestamp_high is not used.

Updated install.html installation instructions for Windows.

Improvements to AuthBy EAPBALANCE and AuthBy HASHBALANCE to work better in multi-AP roaming TTLS/PEAP session resumption environments. The default behaviour of AuthBy HASHBALANCE is to compute the HASH based on the same attributes as the EAP context. This prevents false detection of loss of continuity in EAP streams. AuthBy EAPBALANCE now sets the State in all replies in an EAP stream, not just the first, in order to work correctly with some non-compliant APs. AuthBy HASHBALANCE is deprecated in favour of AuthBy EAPBALANCE in any EAP-capable environment.

In Server DIAMETER, fixed a problem that prevented some RADIUS reply attributes being correctly translated into Diameter reply attributes.

Added new module AuthBy SQLMOTP for MOTP authentication, a new strong, two-factor authentication with mobile phones. See http://motp.sourceforge.net for details. Sample configuration and SQL schema supplied. Modifications to radpwtst to support new -motp_secret flag, allowing it to be used to test AuthBy SQLMOTP like:



		  radpwtst -noacct -motp_secret 7ac61d4736f51a2b -password 1234

The password argument is used as the MOTP PIN, and the motp_secret is used as the MOTP secret key. AuthBy SQLMOTP originally submitted by Jerome Fleury.

In diapwtst, fixed a problem that would result in an incorrect status report: "Unexpected result code: DIAMETER_SUCCESS".

Improvements to the internal structure of ServerDIAMETER.pm, making it easier to override handling of specific Diameter request types.

Fixed a problem with AuthBy VOLUMEBALANCE, where if multiple failed hosts are configured with FailureBackoffTime of 0, it was possible for a request to be handed to each host in turn forever.

Added new sample configuration file goodies/crypto-mas.cfg, showing how to proxy requests to the Cryptocard MAS (Managed Authentication Service) CRYPTO-MAS. See http://www.cryptocard.com/

Added new parameter MaxTargetHosts to AuthBy VOLUMEBALANCE. Limits the number of different hosts a request will be proxied to in the case of no reply. Defaults to 0 which mean no limit: if the load balancer does not receive a reply from a host, it will keep trying until all hosts are exhausted.

Improvements tp RPM spec file to permit installation with Perls that do not include /usr/lib/perl5/site_perl/, such as SLES. Reported by Frank Messie.

Improvements to the rpm: make target so the RPM build correctly uses the local perl version number for links in the Perl lib. Contributed by Bjoern.

Updated expired test certificates.

Fixed a problem with incorrect type in replies to proxied Change-Filter-Request. Reported by Belmont Cheung.

Added support for UpdateQuery in SessionDatabase SQL. Patch supplied by Jose Borges Ferreira.

Added support for RFC 4818 compliant packing and unpacking of Delegated-IPv6-Prefix. Added new dictionary type ipv6prefix.

The TacacsPlus group cache GroupCacheFile now uses the IP address of the client as part of the key, so that in situations where the group name depends on the client the correct group name wil be retrieved.

Some Expiration check items in the sample users file had actually expired, causing the test suite to incorrectly fail on tests 2l, 2m, 3g and 3h.

Fixed a problem that could cause incorrect authentication of HOTP passwords with leading zeroes.

Added support for TOTP (Time-based one-time-passwords) as specified in draft-mraihi-totp-timebased-04.txt. Sample configuration and database schema included.

Operating System Requirements:

This product is designed to run on the following operating systems:

Mac OS X 10.5 Intel
Mac OS X 10.5 PPC
Mac OS X 10.4 Intel
Mac OS X 10.4 PPC
Mac OS X 10.3.9
Mac OS X 10.3
Mac OS X 10.2
Mac OS X 10.1
Mac OS X 10.0
Mac OS Classic

Feedback Summary:

This Version:
Overall Rating:	Not rated (0.0)	Features:	Not rated (0.0)	Support:	Not rated (0.0)
Ease of Use:	Not rated (0.0)	Quality / Stability:	Not rated (0.0)	Price:	Not rated (0.0)

Key to Types of Feedback:

Reviews Reviews Troubleshooting Usage Tips Developer Notes Commentary Featured Reviews

There is no doubt this is the best radius server - Version: 3.17, 4/26/2007 05:28AM PST

olofson

What can i say , this is the absolutely best radiusserver on the market. Every penny is well spent. Of course i was very sceptic in the beginning because it was running under perl. But all i can say here is never underestimate perl. But once again perl shows its power. With Osc's products you will have a superb authenticsystem, with the freedom that comes with that is almost running on any flavour. And if you enter problems you will get the very best support from their supportteam, take their job very seriously. Dont spend lots of time and money finding a radiuserver that shall serve your needs, i can almost bet that OSC's radius (Radiator) already do it for you. I really recommend this product

This is the best RADIUS server - Version: 3.17, 3/30/2007 06:17PM PST

Chris.Stevens

Radiator is by far the best RADIUS server around. It has a huge range of plug
in modules, and it can be configured to do almost anything you can imagine. And
the support is absolutely the best anywhere.

We have used it on a number of projects, and it is completely reliable. Its
easy to configure and works with any database on any platform you may want. We
have used to it solve a number of difficult authentication needs that no
other RADIUS server could come close to.

Don't waste your time with any other commercial or free RADIUS server.
I cant recommend Radiator highly enough. Great work guys!

New Apple Password Server support - Version: 3.16, 3/22/2007 10:56PM PST

mikem

The latest patch set for version 3.16 includes a new module AuthBy LDAP_APS with support for authenticating from Apple Directory Server and Apple Password server. The support will also be included in the next base release.

Mac OS-X Server includes a facility called Directory Server which provides information about users (amongst other things). Part of the Directory Server facility is an LDAP server that contains the user details. However, the LDAP server never contains any user passwords, it merely contains information about valid methods for authenticating that user. Users that have been configured to use the `Password Server' authentication method can have passwords authenticated by the Apple Password Server facility.

Therefore, AuthBy LDAP_APS can authenticate any user configured into the Apple Directory Server LDAP server, and configured to use the Apple Password Server authentication method.
AuthBy LDAP_APS is a subclass of AuthBy LDAP2. IT queries the Mac OS-X LDAP server for information about a specific user in the same way as AuthBy LDAP2. It uses the user's authAuthority attribute from the LDAP database to determine how to authenticate the password. If the user is configured to be able to use the Apple Password Server (i.e. the authAuthority contains ApplePasswordServer, a user id and a Password Server address) then AuthBy LDAP_APS will authenticate the user's password by contacting (via TCP/IP) the specified Apple Password Server.
At Mac OS-X Server 10.4, Apple Password Server does not support all possible password authentication methods. In particular, it supports Plaintext (via CRAM-MD5), Digest-MD5 and MSCHAPV2. It does not support CHAP or MSCHAPV1. Therefore you can only use AuthBy LDAP_APS to authenticate PAP, MSCHAPV2, TTLS-PAP, TTLS-MSCHAPV2 or PEAP-MSCHAPV2 requests.
AuthBy LDAP_APS is configured in the same was as AuthBy LDAP2, except that you must specify PasswordAttr as authAuthority, since AuthBy LDAP_APS uses that attribute to find and contact the Password Server for that user.
Since standard TCP/IP is used to talk to the LDAP server and the Apple Password Server, it is not necessary to run Radiator and AuthBy LDAP_APS on the Mac OS-X Directory Server host. Radiator could run on a remote Mac, Linux, Windows or other host, different to the Mac OS-X host running the Directory Server and, in the general case, the Apple Password Server could be on a third host.