check_radius_adv issue

[smoren]

Hello,

I'm trying to set up monitoring of radius servers. I created check using configuration wizzard (Radius Server). However, output of command is always "CRITICAL: Access REJECT. (code = 3)". Credentials supplied are correct(works from another system).

This is my command and its output(sensitive data are changed):

Code: Select all

./check_radius_adv -u user@domain -p password -s secret -r servername -v

Using the following information
-------------------------------
username:                 user@domain
password:                 password
shared secret:            secret
server:                   servername
path of attributes file :

CRITICAL: Access REJECT. (code = 3) | rtt=1.0039 rttms=1003.8559

Here is extract from radius server log(sensitive data are changed):

Code: Select all

Tue Oct 20 13:31:15 2015
        Packet-Type = Access-Request
        User-Name = "user@domain"
        User-Password = "\205\331\3161\206\373\244\356k\036\316X\304\313\335\352"
        NAS-IP-Address = 1.2.3.4
        Huntgroup-Name = "groupname"

Line "User-Pasword" usually contains plain-text password. However, when I use plugin 'check_radius_adv' to connect to radius server, it contains malformed string(this line was not changed). Malformed password is changed every time I try to access radius server using this plugin.

It seems that check_radius_adv somehow changes password that is sent to radius server, and thus server rejects access. Any help would be appreciated.
Thanks.

Used environment:
nagios server: Nagios XI 5.2.0 manually installed; RHEL 6.7 (64-bit)
radius server: FreeRADIUS 2.1.12 running at Ubuntu 14.04 LTS (64-bit)

[tmcdonald]

Do you have any special characters like !@#$%^&*'" in your password?

[smoren]

Nope. Just alphanumeric characters and numbers for both password and shared secret.

[rkennedy]

Does the user have permission to authenticate VIA radius? Judging by the error that is one thing I believe.

If you run only the command ./check_radius_adv and enter all of the information interactively versus ./check_radius_adv -u user@domain -p password -s secret -r servername -v does it work?

[smoren]

Yes, user has permission to authenticate via radius(same account is used from another server). But when I try to connect using check_radius_adv, radius server 'thinks' that password is wrong(as you can see from radius log - User-Password line contains password that radius server received). Interactive mode has identical behaviour.

[lmiltchev]

Yes, user has permission to authenticate via radius(same account is used from another server). But when I try to connect using check_radius_adv, radius server 'thinks' that password is wrong

Can you test this with some other tool just to make sure the user can authenticate successfully? You can probably try "radtest".

http://freeradius.org/radiusd/man/radtest.html

You can install it on RHEL/CentOS by running:

Code: Select all

yum install freeradius-utils -y

[rkennedy]

@smoren I was able to replicate your issue (I think) on an Ubuntu box with FreeRadius. Pending your install of radtest, please do post the output as stated above.

The results I am getting are -

Code: Select all

[root@localhost libexec]# radtest test test 192.168.131.135 0 test
Sending Access-Request of id 73 to 192.168.131.135 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.131.135 port 1812, id=73, length=20

Code: Select all

[root@localhost libexec]# ./check_radius_adv -u test -p test -s test -r 192.168.131.135 -v

Using the following information
-------------------------------
username:                 test
password:                 test
shared secret:            test
server:                   192.168.131.135
path of attributes file :

CRITICAL: Access REJECT. (code = 3) | rtt=1.0024 rttms=1002.4449

when running freeradius -X for debugging I see this on the server side -

radtest

Code: Select all

rad_recv: Access-Request packet from host 192.168.131.130 port 39086, id=71, length=74
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0xaf91fc251aa9b8cd78a1bfe30752a42c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 71 to 192.168.131.130 port 39086
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 35 ID 71 with timestamp +2714
Ready to process requests.

check_radius_adv

Code: Select all

rad_recv: Access-Request packet from host 192.168.131.130 port 53713, id=18, length=44
        User-Name = "test"
        User-Password = "a۟\021W߯$\2155p\253?\303(\221"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "a▒??W߯$?5p▒?▒(?"
[pap] Using clear text password "test"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

I will pass this on to our devs to further look at.

[smoren]

Sorry for delay. I can confirm your tests. Connection via check_radius_adv does not work, but radtest does work. Do you have any input from devs?
Thanks.

[scottwilkerson]

@smoren - there seems to be an unidentified but when running check_radius_adv on 64 bit systems.

As this could take some time to debug, I want to offer an alternative to get you up and running.

Install this plugin
https://exchange.nagios.org/directory/P ... us/details

Run the following from the CLI

Code: Select all

yum install 'perl(Authen::Radius)' -y

Then, go into the Core Config Manager -> Commands and modify the following command

Code: Select all

check_radius_server_adv

Change the command_line to

Code: Select all

$USER1$/check_radius.pl -H $HOSTADDRESS$ $ARG1$

This should allow the wizard to function as expected. From the command line you would run something like

Code: Select all

check_radius.pl -H 192.168.131.135 -u test -p test -s test

[smoren]

Alternative plugin works like a charm . However, this plugin does not provide performance data. I can live with it for now, but if you promise me you will solve the check_radius_adv issue, you may close this case. Hopefully it will be solved in next XI release. Thanks again.