8950 AAA 6.1.10 Release Notes
Last revised: November 7, 2008
Product Name Change
The VitalAAA product has been rebranded as 8950 AAA. The product was also
known as NavisRadius.
Java Version
8950 AAA requires Java 2 Standard Edition (J2SE) version 6.0 (also known as
version 1.6.0) or later to run on all platforms. Both the J2SE JDK and the
JRE are supported. Please see http://java.sun.com to get the latest version of Java.
64-bit Operating Systems
Several of the supported operating systems have 64-bit versions. Currently 8950 AAA has full 64-bit
support on Solaris (both SPARC and x86), and partial support on Microsoft Windows.
The following limitations exist when using a 64-bit JVM on an unsupported platform:
- GetPWNam does not work on Unix systems (except Solaris).
- Kill does not work (except Solaris and Windows).
- NT Authentication does not work.
Contents
These release notes are intended for 8950 AAA 6 programmers and administrators. They cover the following information:
These release notes supersede all other included
documentation for the 8950 AAA product. Further information can
be found at http://www.8950aaa.com/.
8950 AAA 6.1.5 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.4 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.3 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.2 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 1 delivery.
- Remainder of the WiMAX W4.1 pkg 2 delivery.
8950 AAA 6.1.1 includes the following features:
- Responses to feedback on the WiMAX W4.1 pkg 1 milestone.
- Portions of the WiMAX W4.1 pkg 2 milestone.
- A custom dictionary that will not be over-written during an upgrade install.
8950 AAA 6.1.0 includes the following features:
- The WiMAX W4.1 pkg 1 milestone.
- A graphic interface to the WiMAX W3 policy set.
8950 AAA 6.0.0 includes the following features:
- USSv2 is now available. This second-generation USS supports an active/active deployment scenario and allows multiple instances of the session database.
- Remote configuration file load is available. This allows server configuration to be centralized.
- Derby has replaced Hypersonic as the embedded database.
- Tomcat server container technology has been integrated into the policy server.
- A web-based user provisioning feature is available.
- The PolicyAssistant now supports a more general rule-based policy selection phase.
- Alcatel-Lucent WiMAX support is now more fully integrated.
- SMT PolicyFlow editor enhancements.
- SMT->Server and HA-USS replica connections can be secured using TLS.
VitalAAA 5.2.6 includes the following features:
- A reverse modifier was added to the mapping language; it reverses the characters in a value.
- New WiMAX attributes as defined in the WiMAXForum NGW 1.1.2 Stage 3 specification were added to the dictionary.
- Location authorization checking based on WiMAX-BS-ID was added to the Evolium W3 sample.
VitalAAA 5.2.3 includes the following features:
- ReadColumnarText, ReadDelimitedText, Compare, and Branch plug-ins: Add prefixOf, suffixOf, and within operators to compare operations.
- TACACS+ now decodes message arguments into separately named variables named TACACSPLUS-Arg-<name>.
VitalAAA 5.2.2 includes the following features:
- Suse Linux (x86) is now a supported platform.
VitalAAA 5.2.1 includes the following features:
- Add experimental plug-in AuthEapFast (RFC 4851).
- Various code optimizations to support better scaling on multi-CPU/multi-core systems.
- The ServerManagementTool has restored dictionary editor support. This now includes the ability to edit Diameter applications and commands.
VitalAAA 5.2.0 includes the following features:
- Add an internal cron-like function. This allows the injection of new work items based on the current time.
- Add the Dhcpv6 plug-in.
- Support the IPv6-compatible versions of the RADIUS client and server MIBs.
- Add support for WiMAX QoS attributes.
VitalAAA 5.1.5 includes the following features:
- The TACACS+ protocol support has been updated to respond to initial customer input. This includes names for TACACS+ field elements, and which variable group they are stored in.
VitalAAA 5.1.3 includes the following features:
- The Iterate plug-in now supports executing the input lists in a sorted order.
VitalAAA 5.1.2 includes the following features:
- Add new pool allocation strategies to IPAMv2. These consist of three methods, "exhaustive", "roundrobin" and "even", which can be set through the allocationScheme Pool-Selector attribute. "exhaustive" exhausts the pools in order, "roundrobin" rotates allocations amongst the pools and "even" attempts to keep the relative utilization even amongst the pools in the selector.
VitalAAA 5.1.1 includes the following features:
- A new IP Address manager, USS Address Manager, has been added to the product. Its functionality is integrated with the USS and the HA-USS.
- TACACS+ protocol support added. This includes server, plug-in, and test client components.
- CALEA support added.
- Admin Interface state ... commands renamed to uss ....
VitalAAA 5.1.0 was a limited internal release.
VitalAAA 5.0.10 includes the following feature:
- Add new modes to file rollover for the following times:
  In weeks: 2,3,4
VitalAAA 5.0.9 includes the following features:
- Add Success, Failure, and Challenge maps to the Call, Fork, and Iterate plug-ins.
- Add the following modifiers for maps:
  FormatLocalTimestampWithMillis
  FormatGmtTimestampWithMillis
  dright(delim)
  dleft(delim)
  nright(count)
  nleft(count)
  require(value)
  prohibit(value)
  require-range(low,high)
  prohibit-range(low,high)
  isNumeric
- Add new modes to file rollover for the following times:
  In minutes: 1,2,3,4,5,6,10,12,15,20,30
  In hours: 2,3,4,6,8,12
  In months: 2,3,4,6
  In years: 1
VitalAAA 5.0.7 includes the following feature:
VitalAAA 5.0.6 includes the following features:
- ReadDelimitedText/ReadColumnarText plug-ins have new search modes LIST, PREFIX, REALM, and RANGE.
- SubString plug-in added.
- CheckCondition plug-in added.
- ReplyGenerator plug-in added.
VitalAAA 5.0.5 includes the following features:
- ReadCache plug-in can now delete an entry after reading.
- WriteCache plug-in can now optionally write an entry depending on whether it is already present.
VitalAAA 5.0.4 includes the following new features:
- Ldap plug-in can now process multiple entries in search results.
- Ldap plug-in can now process referrals.
VitalAAA 5.0.0 includes the following new features:
- Diameter protocol support. (Optional feature)
- An LDAP view of the USS session database. (Optional feature)
- Remote communication from the SMT to the policy and configuration servers can now be protected by an SSL connection.
- Remote communication to the HTTP servers can now be protected by an SSL connection.
- SSH access is now available for the Admin Interface.
- VitalAAA can now be hosted on a machine using IPv6 interfaces for RADIUS server and client traffic.
- Add versions 2C and 3 support to SNMP.
- Diameter Test Client with SMT support.
- EAP support for Radius and Diameter test clients.
- PolicyFlow methods may now define optional logging actions upon SUCCESS, FAILURE or ERROR.
- PolicyFlow programs may now be contained in multiple files and may be invoked as needed.
- The SMT graphical interface has been redesigned for improved ease-of-use.
- Method Selectors have been replaced with Method Dispatch. This offers improved performance and better scalability for implementation of complex policy flows.
- The Snmp plug-in has been added. The Snmp plug-in can send an SNMP Get, Set, Trap or Inform PDU using SNMP version 1, 2c or 3.
- The If plug-in has been added. It is used to simplify policy flow branching on booleans.
- WriteDelimitedFile has been added. It can be used to output call detail records in delimited format.
- Allow arbitrarily nested call, fork, and tunnel policy flows.
This initial Diameter release has some limitations that may be removed in
subsequent releases.
- TLS/TCP/IP and TCP/IPSEC/IP are the only transports available.
- Diameter application-specific logic needs to be implemented in policy flow.
- Dynamic peer discovery is not supported.
- IPv6 transport is not available on Microsoft Windows.
In versions of VitalAAA (NavisRadius) before 5.0, the StateServer plug-in
automatically copied a few attributes into the USS entry, even if they
were not specified in the requestMap property. In 5.0, in order to
accommodate the new Diameter feature, only entries explicitly listed in the
requestMap will be copied.
The upgrade process will automatically convert the requestMap when
upgrading from a pre-5.0 version.
The attributes involved are Acct-Status-Type,
Acct-Session-Id, and Acct-Delay-Time.
- The RADIUS clients file has been renamed 'radius_clients', and is now in the user file format, rather than the traditional columnar format.
- The TACACS+ clients file has been added as 'tacacsplus_clients', and is in the same format as 'radius_clients'.
- The admin interface command 'file reload clients' retains the ability to read the old format RADIUS clients file 'clients'.
- The Diameter peers file has been renamed 'diameter_peers'. This file has always been in the user file format.
Before VitalAAA release 5.2.7, the default value used in calculating
MS-CHAP2-Response was ${packet.base-user-name}. This value was fine if
user-name was EXAMPLE\bob but is not okay if user-name is in the form
bob@example.com. Testing with the Microsoft IAS RADIUS server showed that
user names with a realm must be used 'as is' in the calculation of
MS-CHAP2-Response. In VitalAAA release 5.2.7, the default value for the
method property AuthLocal-UserName was changed to ${request.user-name},
and the AuthLocal-StripMsDomain method property was added to strip DOMAIN\
from the value provided by AuthLocal-UserName. The default for the
AuthLocal-StripMsDomain method property is true. If upgrading to release
5.2.7 breaks existing policies, the old behavior can be restored by setting
AuthLocal-UserName to ${packet.base-user-name} and
AuthLocal-StripMsDomain to false. The change in calculating
MS-CHAP2-Response in VitalAAA release 5.2.7 should also match how
FreeRADIUS generates MS-CHAP2-Response when authenticating users.
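Why the user-name form matters, as an added example (not 8950 AAA code): RFC 2759 folds the user name into an 8-octet challenge hash that the MS-CHAP2 response is computed from, so the server must hash exactly the string the client hashed. The helper names and the model of ${packet.base-user-name} (DOMAIN\ and @realm both removed) are assumptions; the challenges are the RFC 2759 section 9.2 test vector.

```python
import hashlib

# RFC 2759 section 9.2 test-vector challenges (16 octets each).
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA-1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    return hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()[:8]


def strip_ms_domain(user_name: str) -> str:
    """Model of AuthLocal-StripMsDomain=true: drop a leading DOMAIN\\ only."""
    return user_name.rsplit("\\", 1)[-1]


def base_user_name(user_name: str) -> str:
    """Assumed model of ${packet.base-user-name}: no DOMAIN\\ and no @realm."""
    return strip_ms_domain(user_name).split("@", 1)[0]


def server_matches_client(user_name: str) -> dict:
    """Compare the server's challenge hash with the client's for both defaults.

    The client side follows the release note: DOMAIN\\ is not hashed,
    a realm is hashed as is.
    """
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                            strip_ms_domain(user_name))
    old = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                         base_user_name(user_name))
    new = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                         strip_ms_domain(user_name))
    return {"pre-5.2.7 default": old == client, "5.2.7 default": new == client}


if __name__ == "__main__":
    for name in ("EXAMPLE\\bob", "bob@example.com"):  # constructed sample names
        print(name, server_matches_client(name))
```

A mismatch in this hash means the server derives a different expected response than the client sent, so a correct password is rejected.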