check freeradius/radius auth/acct/status advanced and fully featured

Current Version
1.0.2
Last Release Date
2013-09-08
Compatible With
  • Nagios 1.x
  • Nagios 3.x
Owner
License
GPL
Hits
62631
Files:
File                                  Description
check_freeadius.pl                    main check program
check_freeradius_help.txt             The help file
check_radius.pl Nagios setup.txt      The nagios setup help file
I could not find a flexible enough and fast enough check (I have no idea why all those other check radius scripts work so slowly), so I had to write my own, which came out as a fully featured and very flexible check freeradius/radius script which uses radclient.

One can supply one's own radius attributes and radius attribute values, and it has 3 functions to check authentication, accounting or status.

Nagios will report a successful check like
OK: Radius respons time: 0.026883 secs, warning threshold: 2, critical threshold: 3, radclient exit status: 0, check_freeradius.pl exit STATUS: 0.
# 2013-08-09
# Updated after a suggestion by Rune Nilssen
# Thanks for the suggestion Rune!


check_freeradius.pl 1.0.1
Usage: check_freeradius.pl -|--f|F|FUN|function|FUNCTION -|--h|H|host|HOST -|--p|P|port|PORT
-|--t|T|time|TIME|timeout -|--s|S|secret|SECRET -|--cl|CL|client|CLIENT
-|--r|R|rad|RAD|radius|RADIUS|radiusattributes|RADIUSATTRIBUTES
-|--a|A|attribute|ATTRIBUTE|attributevalues|ATTRIBUTESVALUES
-|--del|delimiter
-|--w|W|warn|WARN|warning|WARNING
-|--c|C|crit|CRIT|critical|CRITICAL
-|--v|V|VERSION |version -|--he|HE|help|HELP -|--d|D|DEBUG|debug

./check_freeradius.pl -F auth -host 10.10.10.1 -port 1812 -TIMEOUT 8 -SECRET testing123 -del ";" \
  -RADIUSATTR "User-Name;NAS-Port-Id;ADSL-Agent-Circuit-Id;NAS-IP-Address" \
  -ATTRIBUTESVALUES "alex;pw-285:102;'10.13.3.22 eth_1/0/14';10.10.10.1" -CLIENT /usr/bin/radclient -W 5 -C 10 -DEBUG

./check_freeradius.pl -Function status -host 192.168.34.2 -port 1812 -TIMEOUT 8 -secret testing123 -CLIENT /usr/bin/radclient -WARNING 1 -CRITICAL 8 --DEBUG
./check_freeradius.pl -FUNC acct -h 10.10.10.1 -p 1813 -T 8 -S testing123 -radattributes
-ATTRIBUTESVALUES -CLIENT /usr/bin/radclient -W 5 -C 10

./check_freeradius.pl --help
./check_freeradius.pl --version

-|--f|F|FUN|FUNCTION|function Function input is MANDATORY. Can be either auth, acct or status. Use function AUTH to send an authentication packet
(Access-Request), function ACCT to send an accounting packet (Accounting-Request), function STATUS to send a status
packet (Status-Server).
(No DEFAULT)

-|--h|H|host|HOST IP to radius server to query
(DEFAULT localhost)

-|--p|P|port|PORT Port on radius server to query
(Default is 1812)

-|--t|T|time|TIME|timeout Wait timeout seconds before deciding that the NAS has not responded to a request, and re-sending the packet.
(DEFAULT 8).

-|--s|S|secret|SECRET The shared secret for this client. It needs to be defined on the radius server side too, for the IP address
you are sending the radius packets from
(DEFAULT "testing123")

-|--r|R|rad|RAD|radius|RADIUS|radiusattributes|RADIUSATTRIBUTES string of comma separated radius attributes.(Delimiter is default "," unless changed
by passing in the flag -|--DELIMITER see section delimiter below for details)
i.e "User-Name,NAS-Port-Id,ADSL-Agent-Circuit-Id,NAS-IP-Address". AS A HABIT make sure to
double quote "" this string list into the script.
(DEFAULT "Message-Authenticator")

-|--a|A|attribute|ATTRIBUTE|attributevalues|ATTRIBUTESVALUES string of comma separated Values for above passed in RADIUSATTRIBUTES(Delimiter is default
"," unless changed by passing in the flag -|--DELIMITER see section delimiter below for details)
i.e alex,pw-285:102,"10.13.3.22 eth_1/0/14",10.10.10.1. AS A HABIT make sure to double quote ""
this string list into the script.
(DEFAULT 0x00)

-|--del|delimiter In some cases the RADIUS attribute values one needs to pass to this script may contain the default delimiter comma ","
inside a string value, as in Calling-Station-Id, ADSL-Agent-Circuit-Id or ADSL-Agent-Remote-Id.
Since we don't want to split those string values in the wrong places, this flag changes which delimiter is used.

-|--cl|CL|client|CLIENT Path to "radclient" to use for the radius query i.e /usr/bin/radclient
(DEFAULT "/usr/bin/radclient")

-|--w|W|warn|WARN|warning|WARNING This will tell Nagios when to send a WARNING message. This value can only be specified as an integer, no decimals accepted.
WARNING threshold is in seconds, and if the response time from the radius server exceeds the WARNING threshold
then the program will exit with WARNING exit(1);
(DEFAULT 3 sec)

-|--c|C|crit|CRIT|critical|CRITICAL This will tell Nagios when to send a CRITICAL message. This value can only be specified as an integer, no decimals accepted.
CRITICAL threshold is in seconds, and if the response time from the radius server exceeds the CRITICAL threshold
then the program will exit with CRITICAL exit(2);
(DEFAULT 7 sec)

-|--d|D|DEBUG|debug : Enable debugging (DEFAULT disabled)

-|--he|HE|help|HELP Prints this help screen

-|--v|V|VERSION|version Prints program version

INFO: NEW in version 1.0.2 is that the CRITICAL threshold is checked first. The script now gives a critical EXIT if radclient exits with anything other than 0.
This was changed because people wanted to get alarms if the passed-in radius secret or syntax was wrong, and not only if the radius server didn't respond in time.
Also, only use the debug flag from the CLI; Nagios may be very confused by it.
If you find any BUGs or have a suggestion for a feature or improvement, then please drop a line to cocoon.is@gmail.com

IMPORTANT!! For this script to work with Nagios, it needs to be able to find the Nagios-supplied utils.pm file.
Edit the script and, at the top of the file, change "use lib qw( /usr/local/nagios/libexec );" to point to where your Nagios
installation installed utils.pm.
If you get errors looking like
"Global symbol "%ERRORS" requires explicit package name" then it is a sure sign that your path to utils.pm is wrong.

Values of the radclient flags -c and -r are hardcoded in the script. If one needs to change those values, just edit the script and
change $RADIUS_RESENDS = "1" and/or $RADIUS_SENDS = "1" to whatever values are needed.
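
The sketch below is an added example, not code from check_freeradius.pl. It shows the two behaviours the help text describes: pairing delimiter-separated attribute names and values into the "Name = value" lines radclient reads on standard input, and mapping response time plus radclient's exit status to a Nagios state with the critical check first. The function names pair_attrs and nagios_state are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added illustration; pair_attrs and nagios_state are hypothetical helper
# names, not functions from check_freeradius.pl.

# pair_attrs NAMES VALUES [DELIM]
# Split both lists on DELIM (default ",") and print one "Name = value" line
# per pair. Exits 3 (Nagios UNKNOWN) when the two lists do not line up.
pair_attrs() (
    delim=${3:-,}
    names=$1$delim       # trailing delimiter terminates the last field
    values=$2$delim
    out=""
    while [ -n "$names" ]; do
        name=${names%%"$delim"*};   names=${names#*"$delim"}
        if [ -z "$name" ] || [ -z "$values" ]; then
            echo "UNKNOWN: attribute/value count mismatch" >&2
            exit 3
        fi
        value=${values%%"$delim"*}; values=${values#*"$delim"}
        out="$out$name = $value
"
    done
    if [ -n "$values" ]; then
        echo "UNKNOWN: more values than attributes" >&2
        exit 3
    fi
    printf '%s' "$out"
)

# nagios_state ELAPSED WARN CRIT RADCLIENT_RC
# Prints 0 (OK), 1 (WARNING) or 2 (CRITICAL). A non-zero radclient exit
# status is CRITICAL, and the critical threshold is tested before warning.
nagios_state() {
    if [ "$4" -ne 0 ]; then echo 2; return 0; fi
    awk -v e="$1" -v w="$2" -v c="$3" \
        'BEGIN { if (e > c) print 2; else if (e > w) print 1; else print 0 }'
}

# Constructed sample: one value contains ",", so ";" is used as delimiter.
pair_attrs 'User-Name;Calling-Station-Id' 'alex;port 3,slot 1' ';'
echo "state: $(nagios_state 0.026883 2 3 0)"
```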


Nagios example setup
==========

Test using nrpe client if it works
./check_nrpe -H 192.168.34.2 -c query_freeradius_daemon -a auth 192.168.34.2 1812 8 testing123 User-Name,NAS-Port-Id,Alc-Client-Hardware-Addr lag-15:1202,pw-285:102,00:0d:b9:16:61:ba /usr/bin/radclient 1 3

###Commands.conf
# 'check_nrpe' command definition # #ok by Alex
define command{
        command_name    check_nrpe
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c $ARG1$ -a $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$ $ARG9$ $ARG10$ $ARG11$ $ARG12$ $ARG13$
        }


servers.conf
================
define service{
        use                     local-service
        host_name               itop0-db0-mgmt
        service_description     Query Freeradius
        check_command           check_nrpe!query_freeradius_daemon!auth!192.168.34.2!1812!8!testing123!User-Name,NAS-Port-Id,Alc-Client-Hardware-Addr!lag-15:1202,pw-285:102,00:0d:b9:16:61:ba!/usr/bin/radclient!1!3
        }


nrpe.conf (on remote radius machine)
======
command[query_freeradius_daemon]=/usr/local/nagios/libexec/check_radius.pl -FUNCTION $ARG1$ -HOST $ARG2$ -PORT $ARG3$ -TIME $ARG4$ -SECRET $ARG5$ -RADIUSATTR $ARG6$ -ATTRIBUTESVALUES $ARG7$ -CLIENT $ARG8$ -WARN $ARG9$ -CRIT $ARG10$


VISUDO file on nrpe host
===========================
# User privilege specification
nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/eventhandlers/