check_radius.py attributes

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
santec
Posts: 10
Joined: Tue Jul 18, 2017 11:55 am

Post by santec »

Hello,

Previous versions of Nagios XI had a plugin named check_radius_adv for RADIUS checks. This check_radius_adv plugin doesn't exist anymore in the latest version of Nagios XI. There's a new plugin named check_radius.py. I need to pass an attribute. The plugin help says you need to pass it in a file and pass the parameter -a. I need to pass nas-ip-address as an attribute and tried to pass it in a file like nas-ip-address=a.b.c.d (a.b.c.d is the IP address) or 4=a.b.c.d, but this doesn't work. I can't find a sample file on the Internet. How do you pass attributes in a file?

Greetings,
Jorge.
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: check_radius.py attributes

Post by kfanselow »

Hi Santec,

I believe you can find the check_radius_adv plugin on exchange.nagios.org:

https://exchange.nagios.org/directory/P ... dv/details

Is this the plugin you were looking for?

Thanks and Best Regards,
Keith
santec
Posts: 10
Joined: Tue Jul 18, 2017 11:55 am

Re: check_radius.py attributes

Post by santec »

Hi,

No, I want to pass attributes with check_radius.py. Is there a sample file showing how to edit the attribute file you pass with the parameter -a? I want to pass the nas-ip-address.

./check_radius.py --help

Usage: check_radius.py [options]

Options:
  -h, --help            show this help message and exit
  -V, --version         Print the version number of the plugin
  -v, --verbose         Print out verbose output
  -H HOSTNAME, --hostname=HOSTNAME
                        The hostname of the RADIUS server to connect to
  -P PORT, --port=PORT  The port of the RADIUS server
  -u USERNAME, --username=USERNAME
                        The username to authenticate
  -p PASSWORD, --password=PASSWORD
                        The password of the auth user
  -s SECRET, --secret=SECRET
                        The shared secret for the RADIUS server
  -t TIMEOUT, --timeout=TIMEOUT
                        The amount of time to try to authenticate before
                        timing out
  -r RETRIES, --retries=RETRIES
                        The number of authentication retries
  -c CHRESPONSE, --chresponse=CHRESPONSE
                        Response to challenge message
  -a ATTRIBUTES, --attributes=ATTRIBUTES
                        Location of attributes file


Greetings,
Jorge.
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: check_radius.py attributes

Post by kfanselow »

Hi Jorge,

We currently don't have formal documentation on the attributes file; however, it should contain paired attributes, one per line, such as:

Code:

NAS-IP-Address=10.1.2.3


Unfortunately, during the review process one of our engineers discovered a flaw in attribute handling. It's a simple one-line fix, and I've attached a copy of the updated plugin, or you can patch the script yourself by inserting "attr = {}" after line 665.

Code:

    if options.attributes:                                          if options.attributes:
        attrs = Attributes()                                            attrs = Attributes()
                                                              >         attr = {}
        with open(options.attributes) as f:                             with open(options.attributes) as f:
            for line in f:                                                  for line in f:
                key,val = line.split("=")                                       key,val = line.split("=")
                if key and val:                                                 if key and val:
                    attr[key] = val                                                 attr[key] = val
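
Review bot: the unchanged line key,val = line.split("=") inside the loop keeps the trailing newline in val and raises ValueError on a blank line or on a value that itself contains "="; strip each line, skip empty ones, and split on the first "=" only (for example line.strip().partition("=")). The added attr = {} removes the undefined-name error, but the visible lines fill attr while attrs = Attributes() is never touched, so confirm that attr is actually handed to attrs or to the request further down.
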
Thanks and Best Regards,
Keith
santec
Posts: 10
Joined: Tue Jul 18, 2017 11:55 am

Re: check_radius.py attributes

Post by santec »

With those changes, it no longer throws an exception when you point to the attribute file, but it doesn't seem to read the attributes or pass them with the payload. Is there a way to check or debug whether it passes the attribute with the payload?

I also see there must be an error with line 119.

119 ATTR_CHAP_PASSWORD = 4
120 ATTR_NAS_IP_ADDRESS = 4

119 ATTR_CHAP_PASSWORD = 3
120 ATTR_NAS_IP_ADDRESS = 4
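
For the question above about checking whether an attribute reaches the payload, an added example (not part of the thread and not the plugin's code): it parses the Name=value file format described earlier, encodes the pairs as RFC 2865 type-length-value attributes, and lists the attributes found in an Access-Request. The function names and the dummy packet are constructed for illustration; decode_avps can be given the UDP payload of a captured request.

```python
import ipaddress
import struct

# RFC 2865 attribute type codes (CHAP-Password is 3, NAS-IP-Address is 4).
ATTR_TYPES = {"User-Name": 1, "CHAP-Password": 3, "NAS-IP-Address": 4}


def parse_attributes(text):
    """Parse Name=value lines: skip blanks, strip newlines, reject junk."""
    attrs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, val = line.partition("=")  # split on the first '=' only
        if not sep or not key.strip() or not val.strip():
            raise ValueError(f"line {lineno}: expected Name=value, got {raw!r}")
        attrs[key.strip()] = val.strip()
    return attrs


def encode_avp(name, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if name == "NAS-IP-Address":
        data = ipaddress.IPv4Address(value).packed  # 4 raw octets
    else:
        data = value.encode()
    return struct.pack("!BB", ATTR_TYPES[name], len(data) + 2) + data


def build_access_request(attrs, identifier=1, auth=bytes(16)):
    """Constructed Access-Request (code 1); the authenticator is a dummy."""
    body = b"".join(encode_avp(k, v) for k, v in attrs.items())
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + auth + body


def decode_avps(packet):
    """List (type, value) pairs that follow the 20-byte RADIUS header."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos, found = 20, []
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        found.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return found
```
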
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: check_radius.py attributes

Post by kfanselow »

Hi Jorge,

I spent some quality time working with the script today and filed a new bug report with development regarding this plugin. You are correct, the type is misidentified for the CHAP password attribute, but that unfortunately is not the only problem. We're currently working on the issue and I'll let you know when we have a resolution. Can I ask which attributes are a priority for you?

Thanks and Best Regards,
Keith
santec
Posts: 10
Joined: Tue Jul 18, 2017 11:55 am

Re: check_radius.py attributes

Post by santec »

Hi Keith,

The NAS-IP-Address as priority.

Greetings,
Jorge.
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: check_radius.py attributes

Post by kfanselow »

It has been noted in the bug report.

Thanks and Best Regards,
Keith
Last edited by kfanselow on Tue Oct 26, 2021 2:07 pm, edited 1 time in total.
santec
Posts: 10
Joined: Tue Jul 18, 2017 11:55 am

Re: check_radius.py attributes

Post by santec »

Hi,

Any update on this issue?

Greetings,
Jorge.
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: check_radius.py attributes

Post by kfanselow »

Our development team has the issue and is looking into it, but unfortunately that will probably take some time. How many systems are you testing that require the NAS-IP-Address attribute to be set?

Thanks and Best Regards,
Keith