check_radius_adv from Radius Wizard
-
- Posts: 7
- Joined: Tue Aug 27, 2013 10:07 am
check_radius_adv from Radius Wizard
Trying to understand the check_radius_adv plugin (not sure if this is considered "core" or not). My problem is I have it communicating with my radius servers but not quite understanding the options to be setup. Running it initially from the command line as this general form:
bash-4.1$ /usr/local/nagios/libexec/check_radius_adv -r radiusserver -u "authtest" -p 'XXXXX' -s "YYYY" -c 1812 -v
I get back
Using the following information
-------------------------------
username: authtest
password: XXXXXX
shared secret: YYYYY
server: radiusserver
path of attributes file :
Reply-Msg t=1 l=10: authtest
Reply-Msg t=25 l=33: CACS:aaa1nc0/184051770/10194732
WARNING: Reply-Msg differs! ('' != 'CACS:aaa1nc0/184051770/10194732') Access ACCEPT. (code = 2) | rtt=0.0643 rttms=64.2669
Tried using the -o and -e and -m options that I see on the help, but nothing works to prevent the warning.
The Reply-MSG in the verbose returned comparison is always differnt [ changes from CACS:aaa1nc0/184051770/10194732 to CACS:aaa1nc0/184051770/10195472 (last end number -- timestamp? always different).
Seeing some documentation on the attribute file but not positive how to use that nor what the options match up to in the file. In the sampefile.txt I see #attrib, #vendor and #type but not what I should be putting in for them. The last row in the file showed a Value of "T" and said Event-Timestamp to actual time. Not sure if that is related to my ever changing Reply-Msg problem. Or can I get it to run the -M to match my testing login of "authtest" with some combination of values to get it to use a string return value.
Any guidance would be appreciated.
bash-4.1$ /usr/local/nagios/libexec/check_radius_adv -r radiusserver -u "authtest" -p 'XXXXX' -s "YYYY" -c 1812 -v
I get back
Using the following information
-------------------------------
username: authtest
password: XXXXXX
shared secret: YYYYY
server: radiusserver
path of attributes file :
Reply-Msg t=1 l=10: authtest
Reply-Msg t=25 l=33: CACS:aaa1nc0/184051770/10194732
WARNING: Reply-Msg differs! ('' != 'CACS:aaa1nc0/184051770/10194732') Access ACCEPT. (code = 2) | rtt=0.0643 rttms=64.2669
Tried using the -o and -e and -m options that I see on the help, but nothing works to prevent the warning.
The Reply-MSG in the verbose returned comparison is always differnt [ changes from CACS:aaa1nc0/184051770/10194732 to CACS:aaa1nc0/184051770/10195472 (last end number -- timestamp? always different).
Seeing some documentation on the attribute file but not positive how to use that nor what the options match up to in the file. In the sampefile.txt I see #attrib, #vendor and #type but not what I should be putting in for them. The last row in the file showed a Value of "T" and said Event-Timestamp to actual time. Not sure if that is related to my ever changing Reply-Msg problem. Or can I get it to run the -M to match my testing login of "authtest" with some combination of values to get it to use a string return value.
Any guidance would be appreciated.
- Box293
- Too Basu
- Posts: 5126
- Joined: Sun Feb 07, 2010 10:55 pm
- Location: Deniliquin, Australia
- Contact:
Re: check_radius_adv from Radius Wizard
I don't have a radius server to check this against however I can offer some thoughts.
I was reading the source code for the plugin and I think that perhaps it's the type it's expecting.
It looks like it's expecting type 18 but is getting type 25 instead.
I think you're on the right path with using the -m option however the help doesn't explain it that well.
Maybe try
Also, perhaps use the sample attribute file but remove everything except the Event-Timestamp line.
I hope this helps in some way.
I was reading the source code for the plugin and I think that perhaps it's the type it's expecting.
Code: Select all
-m [replymsg] expected replymsg (type=18) (default: "")
Reply-Msg t=25 l=33: CACS:aaa1nc0/184051770/10194732
I think you're on the right path with using the -m option however the help doesn't explain it that well.
Maybe try
Code: Select all
-m type=25
I hope this helps in some way.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
-
- Posts: 7
- Joined: Tue Aug 27, 2013 10:07 am
Re: check_radius_adv from Radius Wizard
Thanks for the update. Didn't seem to quite work when I had "-m type=25 -v" on the end the plugin tried to use type=25 as the string to match.
WARNING: Reply-Msg differs! ('type=25' != 'CACS:aaa1nc0/184051770/11145122') Access ACCEPT. (code = 2) | rtt=0.0508 rttms=50.8139
I attempted a few variations but always the same. Seems like it needs to do a partial string match to get it to work but no idea how to make that happen.
WARNING: Reply-Msg differs! ('type=25' != 'CACS:aaa1nc0/184051770/11145122') Access ACCEPT. (code = 2) | rtt=0.0508 rttms=50.8139
I attempted a few variations but always the same. Seems like it needs to do a partial string match to get it to work but no idea how to make that happen.
- Box293
- Too Basu
- Posts: 5126
- Joined: Sun Feb 07, 2010 10:55 pm
- Location: Deniliquin, Australia
- Contact:
Re: check_radius_adv from Radius Wizard
Yeah I think you're going to have to create a string to use with the -m option that matches the string you're receiving.
If you are able to find out how that last end number is generated on your radius server then you should be able to create that string on the fly.cmandelblit wrote:The Reply-MSG in the verbose returned comparison is always differnt [ changes from CACS:aaa1nc0/184051770/10194732 to CACS:aaa1nc0/184051770/10195472 (last end number -- timestamp? always different).
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: check_radius_adv from Radius Wizard
Hello, I have the same problem, I leave a copy of the error ...
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -m type=26
WARNING: Reply-Msg differs! ('type=26' != 'I¦,') Access ACCEPT. (code = 2) | rtt=0.0056 rttms=5.5789
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s ****************************
WARNING: Reply-Msg differs! ('' != 'J#¦') Access ACCEPT. (code = 2) | rtt=0.0046 rttms=4.5969
And another server:
[root@Fino ~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s ****************************
OK: Access ACCEPT. (code = 2) | rtt=0.0150 rttms=15.0009
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -m type=26
WARNING: Reply-Msg differs! ('type=26' != 'I¦,') Access ACCEPT. (code = 2) | rtt=0.0056 rttms=5.5789
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s ****************************
WARNING: Reply-Msg differs! ('' != 'J#¦') Access ACCEPT. (code = 2) | rtt=0.0046 rttms=4.5969
And another server:
[root@Fino ~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s ****************************
OK: Access ACCEPT. (code = 2) | rtt=0.0150 rttms=15.0009
Re: check_radius_adv from Radius Wizard
Please post the output of both working and non working servers with -v attribute appended:
Code: Select all
/usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -v
Code: Select all
/usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v
Re: check_radius_adv from Radius Wizard
Thanks for the prompt response!!
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -v
Using the following information
-------------------------------
username: con**s@*****.es
password: *******
shared secret: ****************************
server: 1**.**.*.17
path of attributes file :
Reply-Msg t=8 l=6: ▒▒▒▒
Reply-Msg t=7 l=6:
Reply-Msg t=6 l=6:
Reply-Msg t=25 l=32: J`▒
WARNING: Reply-Msg differs! ('' != 'J`▒') Access ACCEPT. (code = 2) | rtt=0.0250 rttms=24.9819
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v
Using the following information
-------------------------------
username: con**s@*****.es
password: *******
shared secret: ****************************
server: 1**.**.*.11
path of attributes file :
Reply-Msg t=8 l=6: ▒▒▒▒
Reply-Msg t=7 l=6:
Reply-Msg t=6 l=6:
Reply-Msg t=25 l=32: 7O
Reply-Msg t=26 l=12:
Reply-Msg t=26 l=12:
OK: Access ACCEPT. (code = 2) | rtt=0.0237 rttms=23.6639
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.17 -u con**s@*****.es -p ******* -s **************************** -v
Using the following information
-------------------------------
username: con**s@*****.es
password: *******
shared secret: ****************************
server: 1**.**.*.17
path of attributes file :
Reply-Msg t=8 l=6: ▒▒▒▒
Reply-Msg t=7 l=6:
Reply-Msg t=6 l=6:
Reply-Msg t=25 l=32: J`▒
WARNING: Reply-Msg differs! ('' != 'J`▒') Access ACCEPT. (code = 2) | rtt=0.0250 rttms=24.9819
[root@***~]# /usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v
Using the following information
-------------------------------
username: con**s@*****.es
password: *******
shared secret: ****************************
server: 1**.**.*.11
path of attributes file :
Reply-Msg t=8 l=6: ▒▒▒▒
Reply-Msg t=7 l=6:
Reply-Msg t=6 l=6:
Reply-Msg t=25 l=32: 7O
Reply-Msg t=26 l=12:
Reply-Msg t=26 l=12:
OK: Access ACCEPT. (code = 2) | rtt=0.0237 rttms=23.6639
Re: check_radius_adv from Radius Wizard
The issue may reside in the Reply-Msg. Do you have access to the RADIUS server? If so, could you change the reply message to something more intelligible?
Let's try the following, for example:
Let's try the following, for example:
Code: Select all
/usr/local/nagios/libexec/check_radius_adv -r 1**.**.*.11 -u con**s@*****.es -p ******* -s **************************** -v -m " J`▒"
Re: check_radius_adv from Radius Wizard
Are those different servers the same version OS or different?
Re: check_radius_adv from Radius Wizard
More information:
Warning= Windows 2003 Enterprise Edition
OK= Windows 2003 R2 Standard Edition
Warning= Windows 2003 Enterprise Edition
OK= Windows 2003 R2 Standard Edition