
check_freeradius.pl

Description:

# Updated after a suggestion by Rune Nilssen
# Thanks for the suggestion Rune!

A very flexible check radius script using radcheck.
I found all other scripts too slow or too inflexible, so I wrote this one.
It has 3 functions (check auth, check acct and check status), and one can supply one's own radius attributes and radius values. Warning and critical thresholds are in seconds.

Current Version

v1.0.2

Last Release Date

2013-09-08

Compatible With

  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x
  • Nagios XI
  • Nagios Fusion

License

GPL


Project Notes
# 2013-08-09
# Updated after a suggestion by Rune Nilssen
# Thanks for the suggestion Rune!

Usage:

  $SCRIPT
    -|--f|F|FUN|function|FUNCTION
    -|--h|H|host|HOST
    -|--p|P|port|PORT
    -|--t|T|time|TIME|timeout
    -|--s|S|secret|SECRET
    -|--cl|CL|client|CLIENT
    -|--r|R|rad|RAD|radius|RADIUS|radiusattributes|RADIUSATTRIBUTES
    -|--a|A|attribute|ATTRIBUTE|attributevalues|ATTRIBUTESVALUES
    -|--del|delimiter
    -|--w|W|warn|WARN|warning|WARNING
    -|--c|C|crit|CRIT|critical|CRITICAL
    -|--v|V|VERSION|version
    -|--he|HE|help|HELP
    -|--d|D|DEBUG|debug

  ./$SCRIPT -F auth -host 10.10.10.1 -port 1812 -TIMEOUT 8 -SECRET testing123 -RADIUSATTR "User-Name;NAS-Port-Id;ADSL-Agent-Circuit-Id;NAS-IP-Address" -ATTRIBUTESVALUES "alex;pw-285:102;'10.13.3.22 eth_1/0/14';10.10.10.1" -CLIENT /usr/bin/radclient -W 5 -C 10 -DEBUG --delimiter ';'

  ./$SCRIPT -Function status -host 192.168.34.2 -port 1812 -TIMEOUT 8 -secret testing123 -CLIENT /usr/bin/radclient -WARNING 1 -CRITICAL 8 --DEBUG

  ./$SCRIPT -FUNC acct -h 10.10.10.1 -p 1813 -T 8 -S testing123 -radattributes -ATTRIBUTESVALUES -CLIENT /usr/bin/radclient -W 5 -C 10

  ./$SCRIPT --help

  ./$SCRIPT --version

-|--f|F|FUN|FUNCTION|function
    Function input is MANDATORY. Can be either auth, acct or status. Use function AUTH to send an authentication packet (Access-Request), function ACCT to send an accounting packet (Accounting-Request), function STATUS to send a status packet (Status-Server). (No DEFAULT)

-|--h|H|host|HOST
    IP of the radius server to query (DEFAULT localhost)

-|--p|P|port|PORT
    Port on the radius server to query (Default is 1812)

-|--t|T|time|TIME|timeout
    Wait timeout seconds before deciding that the NAS has not responded to a request, and re-sending the packet. (DEFAULT 8)

-|--s|S|secret|SECRET
    The shared secret for this client. It needs to be defined on the radius server side too, for the IP address you are sending the radius packets from. (DEFAULT "testing123")

-|--r|R|rad|RAD|radius|RADIUS|radiusattributes|RADIUSATTRIBUTES
    String of comma separated radius attributes, e.g. "User-Name,NAS-Port-Id,ADSL-Agent-Circuit-Id,NAS-IP-Address". (The delimiter is "," by default unless changed with the flag -|--DELIMITER; see the delimiter section below for details.) AS A HABIT make sure to double quote "" this string list when passing it to the script. (DEFAULT "Message-Authenticator")

-|--a|A|attribute|ATTRIBUTE|attributevalues|ATTRIBUTESVALUES
    String of comma separated values for the RADIUSATTRIBUTES passed in above, e.g. alex,pw-285:102,"10.13.3.22 eth_1/0/14",10.10.10.1. (The delimiter is "," by default unless changed with the flag -|--DELIMITER; see the delimiter section below for details.) AS A HABIT make sure to double quote "" this string list when passing it to the script. (DEFAULT 0x00)

-|--del|delimiter
    In some cases the RADIUS attribute values one needs to pass to this script may themselves contain the default delimiter, the comma ",". This happens with string attributes such as Calling-Station-Id, ADSL-Agent-Circuit-Id or ADSL-Agent-Remote-Id. Since we don't want to split those string values in the wrong places, this flag changes which delimiter is used. DON'T forget to quote your delimiter when passing it to the program, like --delim ";" or -DEL ';'

-|--cl|CL|client|CLIENT
    Path to the "radclient" to use for the radius query, e.g. /usr/bin/radclient (DEFAULT "/usr/bin/radclient")

-|--w|W|warn|WARN|warning|WARNING
    This tells Nagios when to send a WARNING message. This value can only be specified as an integer, no decimals accepted. The WARNING threshold is in seconds, and if the response time from the radius server exceeds the WARNING threshold then the program will exit with WARNING exit($ERRORS{'WARNING'}); (DEFAULT 3 sec)

-|--c|C|crit|CRIT|critical|CRITICAL
    This tells Nagios when to send a CRITICAL message. This value can only be specified as an integer, no decimals accepted. The CRITICAL threshold is in seconds, and if the response time from the radius server exceeds the CRITICAL threshold then the program will exit with CRITICAL exit($ERRORS{'CRITICAL'}); (DEFAULT 7 sec)

-|--d|D|DEBUG|debug
    Enable debugging (DEFAULT disabled)

-|--he|HE|help|HELP
    Prints this help screen

-|--v|V|VERSION|version
    Prints program version

INFO:
NEW in version 1.0.2 is that CRITICAL THRESHOLDS are checked first.
The script now gives a critical EXIT if radclient exits with something other than 0.
This was changed because people wanted to get alarms if the passed-in radius secret or syntax was wrong, and not only if the radius server didn't respond in time.
Also, only use the debug flag from the CLI; Nagios may be very confused by it.

If you find any BUGs or have a suggestion on a feature or improvements then please drop a line to cocoon.is@gmail.com

IMPORTANT!!
For this script to work with Nagios, it needs to be able to find the Nagios-supplied utils.pm file.
Edit the script and, at the top of the file, change "use lib qw( /usr/local/nagios/libexec );" to point to where your Nagios installation installed utils.pm.
IF you get errors looking like "Global symbol "%ERRORS" requires explicit package name" then it is a sure sign that your path to utils.pm is wrong.

The values of the radclient flags -c and -r are hardcoded in the script. If one needs to change those VALUES then just edit the script and change $RADIUS_RESENDS = "1" and/or $RADIUS_SENDS = "1" to whatever values are needed.

NAGIOS Setup example
====================

###Commands.conf

# 'check_nrpe' command definition
#
#ok by Alex
define command{
        command_name    check_nrpe
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5666 -c $ARG1$ -a $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$ $ARG9$ $ARG10$ $ARG11$ $ARG12$ $ARG13$
        }

servers.conf
================

define service{
        use                     local-service
        host_name               itop0-db0-mgmt
        service_description     Query Freeradius
        check_command           check_nrpe!query_freeradius_daemon!auth!192.168.34.2!1812!8!testing123!User-Name,NAS-Port-Id,Alc-Client-Hardware-Addr!lag-15:1202,pw-285:102,00:0d:b9:16:61:ba!/usr/bin/radclient!1!3
        }

nrpe.conf (on remote radius machine)
======

command[query_freeradius_daemon]=/usr/local/nagios/libexec/check_radius.pl -FUNCTION $ARG1$ -HOST $ARG2$ -PORT $ARG3$ -TIME $ARG4$ -SECRET $ARG5$ -RADIUSATTR $ARG6$ -ATTRIBUTESVALUES $ARG7$ -CLIENT $ARG8$ -WARN $ARG9$ -CRIT $ARG10$

(NRPE only substitutes $ARGn$ macros when it was built with command-argument support and dont_blame_nrpe=1 is set in its configuration.)

VISUDO file on nrpe host
===========================

# User privilege specification
nagios ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/eventhandlers/

Test using nrpe client if it works

  ./check_nrpe -H 192.168.34.2 -c query_freeradius_daemon -a auth 192.168.34.2 1812 8 testing123 User-Name,NAS-Port-Id,Alc-Client-Hardware-Addr lag-15:1202,pw-285:102,00:0d:b9:16:61:ba /usr/bin/radclient 1 3
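
The delimiter, threshold and exit-code rules from the option list above, as an added Python sketch (not the plugin's own Perl code). The function names, the attribute-name pattern and the choice to double-quote every value in the radclient input are assumptions made for this example.

```python
import re

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes
ATTR_NAME = re.compile(r"[A-Za-z0-9-]+")  # assumed shape of an attribute name


def pair_attributes(names, values, delimiter=","):
    """Split both lists on one delimiter and pair them by position."""
    name_list = [n.strip() for n in names.split(delimiter)]
    value_list = [v.strip().strip("'\"") for v in values.split(delimiter)]
    if len(name_list) != len(value_list):
        # typical cause: a value that itself contains the delimiter
        raise ValueError(f"{len(name_list)} attributes, {len(value_list)} values")
    for name, value in zip(name_list, value_list):
        if not ATTR_NAME.fullmatch(name):
            raise ValueError(f"bad attribute name: {name!r}")
        if "\n" in value or "\r" in value:
            # a line break would start a new attribute line in the request
            raise ValueError(f"line break in value for {name}")
    return list(zip(name_list, value_list))


def radclient_input(pairs):
    """Render pairs as 'Name = "value"' lines for radclient's stdin."""
    lines = []
    for name, value in pairs:
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'{name} = "{escaped}"')
    return "\n".join(lines) + "\n"


def nagios_status(radclient_exit, elapsed, warn=3, crit=7):
    """Non-zero radclient exit is CRITICAL; else critical threshold first."""
    if radclient_exit != 0 or elapsed > crit:
        return CRITICAL
    if elapsed > warn:
        return WARNING
    return OK


if __name__ == "__main__":
    # Attribute and value strings taken from the usage example above.
    pairs = pair_attributes(
        "User-Name;NAS-Port-Id;ADSL-Agent-Circuit-Id;NAS-IP-Address",
        "alex;pw-285:102;'10.13.3.22 eth_1/0/14';10.10.10.1",
        delimiter=";")
    print(radclient_input(pairs), end="")
    print("status:", nagios_status(radclient_exit=0, elapsed=5))
```

A count mismatch between attributes and values is the visible symptom of a value containing the default comma, which is the case the delimiter flag exists for.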