check_radius_adv from Radius Wizard

[cmandelblit]

Trying to understand the check_radius_adv plugin (not sure if this is considered "core" or not). My problem is I have it communicating with my radius servers but not quite understanding the options to be setup. Running it initially from the command line as this general form:

bash-4.1$ /usr/local/nagios/libexec/check_radius_adv -r radiusserver -u "authtest" -p 'XXXXX' -s "YYYY" -c 1812 -v

I get back

Using the following information
-------------------------------
username: authtest
password: XXXXXX
shared secret: YYYYY
server: radiusserver
path of attributes file :

Reply-Msg t=1 l=10: authtest
Reply-Msg t=25 l=33: CACS:aaa1nc0/184051770/10194732
WARNING: Reply-Msg differs! ('' != 'CACS:aaa1nc0/184051770/10194732') Access ACCEPT. (code = 2) | rtt=0.0643 rttms=64.2669


Tried using the -o and -e and -m options that I see on the help, but nothing works to prevent the warning.

The Reply-MSG in the verbose returned comparison is always differnt [ changes from CACS:aaa1nc0/184051770/10194732 to CACS:aaa1nc0/184051770/10195472 (last end number -- timestamp? always different).

Seeing some documentation on the attribute file but not positive how to use that nor what the options match up to in the file. In the sampefile.txt I see #attrib, #vendor and #type but not what I should be putting in for them. The last row in the file showed a Value of "T" and said Event-Timestamp to actual time. Not sure if that is related to my ever changing Reply-Msg problem. Or can I get it to run the -M to match my testing login of "authtest" with some combination of values to get it to use a string return value.

Any guidance would be appreciated.

[Box293]

I don't have a radius server to check this against however I can offer some thoughts.

I was reading the source code for the plugin and I think that perhaps it's the type it's expecting.

Code: Select all

-m [replymsg]           expected replymsg (type=18) (default: "")
Reply-Msg t=25 l=33: CACS:aaa1nc0/184051770/10194732

It looks like it's expecting type 18 but is getting type 25 instead.

I think you're on the right path with using the -m option however the help doesn't explain it that well.

Maybe try

Code: Select all

-m type=25

Also, perhaps use the sample attribute file but remove everything except the Event-Timestamp line.

I hope this helps in some way.

[cmandelblit]

Thanks for the update. Didn't seem to quite work when I had "-m type=25 -v" on the end the plugin tried to use type=25 as the string to match.

WARNING: Reply-Msg differs! ('type=25' != 'CACS:aaa1nc0/184051770/11145122') Access ACCEPT. (code = 2) | rtt=0.0508 rttms=50.8139

I attempted a few variations but always the same. Seems like it needs to do a partial string match to get it to work but no idea how to make that happen.

[Box293]

Yeah I think you're going to have to create a string to use with the -m option that matches the string you're receiving.

The Reply-MSG in the verbose returned comparison is always differnt [ changes from CACS:aaa1nc0/184051770/10194732 to CACS:aaa1nc0/184051770/10195472 (last end number -- timestamp? always different).

If you are able to find out how that last end number is generated on your radius server then you should be able to create that string on the fly.

[luze]

Hello, I have the same problem, I leave a copy of the error ...

[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -m type=26
WARNING: Reply-Msg differs! ('type=26' != 'I¦,') Access ACCEPT. (code = 2) | rtt=0.0056 rttms=5.5789

[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s ****************************
WARNING: Reply-Msg differs! ('' != 'J#¦') Access ACCEPT. (code = 2) | rtt=0.0046 rttms=4.5969

And another server:

[root@Fino ~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s ****************************
OK: Access ACCEPT. (code = 2) | rtt=0.0150 rttms=15.0009

[ssax]

Please post the output of both working and non working servers with -v attribute appended:

Code: Select all

/usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -v

Code: Select all

/usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v

[luze]

Thanks for the prompt response!!

[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -v

Using the following information
-------------------------------
username: con**s@*****.es
password: *******
shared secret: ****************************
server: 1**.**.*.17
path of attributes file :

Reply-Msg t=8 l=6: ▒▒▒▒
Reply-Msg t=7 l=6:
Reply-Msg t=6 l=6:
Reply-Msg t=25 l=32: J`▒
WARNING: Reply-Msg differs! ('' != 'J`▒') Access ACCEPT. (code = 2) | rtt=0.0250 rttms=24.9819
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v

Using the following information
-------------------------------
username: con**s@*****.es
password: *******
shared secret: ****************************
server: 1**.**.*.11
path of attributes file :

Reply-Msg t=8 l=6: ▒▒▒▒
Reply-Msg t=7 l=6:
Reply-Msg t=6 l=6:
Reply-Msg t=25 l=32: 7O
Reply-Msg t=26 l=12:
Reply-Msg t=26 l=12:
OK: Access ACCEPT. (code = 2) | rtt=0.0237 rttms=23.6639

[jolson]

The issue may reside in the Reply-Msg. Do you have access to the RADIUS server? If so, could you change the reply message to something more intelligible?

Let's try the following, for example:

Code: Select all

/usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v -m " J`▒"

[ssax]

Are those different servers the same version OS or different?

[luze]

More information:
Warning= Windows 2003 Enterprise Edition
OK= Windows 2003 R2 Standard Edition