check_radius_adv mangling password

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
ccurreri
Posts: 2
Joined: Thu Apr 13, 2017 10:21 am

Post by ccurreri »

I'm running into a very strange issue that I believe I've tracked down to the check_radius_adv plugin mangling radius authentication in transit to the radius server I'd like to set services up for.

NagiosXI version: 5.4.2
Linux version: Red Hat Enterprise Linux Server release 6.8 (Santiago) x64 VM

Usernames/passwords/IPs changed. 10.0.0.2 is the radius server, 10.0.0.3 is the nagiosxi server.

$ ./check_radius_adv -r 10.0.0.2 -u nagios -s nagios -p nagios
CRITICAL: Access REJECT. (code = 3) | rtt=0.0055 rttms=5.4579 

Response on the radius side:

# perl /usr/bin/radiusd -foreground -log_stdout -trace 4

Thu Apr 13 12:40:01 2017: DEBUG: Packet dump:
*** Received from 10.0.0.3 port 59297 ....
Code:       Access-Request
Identifier: 222
Authentic:  <223><178><254><186><134><233><172><196><163><172><232><220><156><218><185><192>
Attributes:
	User-Name = "nagios"
	User-Password = i~<152><136><154>{<228>;<14><162><233><200><22>>d<136>

Thu Apr 13 12:40:01 2017: DEBUG: Handling request with Handler 'Client-Identifier=nagios', Identifier ''
Thu Apr 13 12:40:01 2017: DEBUG:  Deleting session for nagios, 10.0.0.3, 
Thu Apr 13 12:40:01 2017: DEBUG: Handling with Radius::AuthFILE: 
Thu Apr 13 12:40:01 2017: DEBUG: Radius::AuthFILE looks for match with nagios [nagios]
Thu Apr 13 12:40:01 2017: DEBUG: Radius::AuthFILE REJECT: Bad Password: nagios [nagios]
Thu Apr 13 12:40:01 2017: DEBUG: AuthBy FILE result: REJECT, Bad Password
Thu Apr 13 12:40:01 2017: INFO: Access rejected for nagios: Bad Password
Thu Apr 13 12:40:01 2017: DEBUG: Packet dump:
*** Sending to 10.0.0.3 port 59297 ....
Code:       Access-Reject
Identifier: 222
Authentic:  '<164><23><253><206><227><167><204>R2<188><193>L<144><139>0
Attributes:
	Reply-Message = "Request Denied"

And the failure log line:

Thu Apr 13 12:40:01 2017: 10.0.0.2 process=radiusd user=nagios realm= action=failure NAS_IP_Address= Uppercased_Tunnel= Calling_Station_Id= NAS_Port= clear-text-password=`???e?!?gy?????

Note the large amount of unprintable characters in the clear-text-password.


Here's what happens when I hit it using radpwtst from the nagiosxi box:

# radpwtst -user nagios -password nagios -s 10.0.0.2 -secret nagios -auth_port 1812 -noacct
sending Access-Request...
OK

And again the radius server side:

# perl /usr/bin/radiusd -foreground -log_stdout -trace 4
Thu Apr 13 12:42:11 2017: DEBUG: Packet dump:
*** Received from 10.0.0.3 port 60567 ....
Code:       Access-Request
Identifier: 86
Authentic:  <167><234>ft3\<191><23><11>x<208><224>Q,<188>!
Attributes:
	User-Name = "nagios"
	Service-Type = Framed-User
	NAS-IP-Address = 10.0.0.3
	NAS-Identifier = "10.0.0.3"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = o<170>,<168><243><18>l*<201><172><179><185><242>t<152>4

Thu Apr 13 12:42:11 2017: DEBUG: Handling request with Handler 'Client-Identifier=nagios', Identifier ''
Thu Apr 13 12:42:11 2017: DEBUG:  Deleting session for nagios, 10.0.0.3, 1234
Thu Apr 13 12:42:11 2017: DEBUG: Handling with Radius::AuthFILE: 
Thu Apr 13 12:42:11 2017: DEBUG: Radius::AuthFILE looks for match with nagios [nagios]
Thu Apr 13 12:42:11 2017: DEBUG: Radius::AuthFILE ACCEPT: : nagios [nagios]
Thu Apr 13 12:42:11 2017: DEBUG: AuthBy FILE result: ACCEPT, 
Thu Apr 13 12:42:11 2017: DEBUG: Access accepted for nagios
Thu Apr 13 12:42:11 2017: DEBUG: Packet dump:
*** Sending to 10.0.0.3 port 60567 ....
Code:       Access-Accept
Identifier: 86
Authentic:  <255>t<149><215>LC<232><242><225><226>9=<140>?<185>h
Attributes:

And the resulting success log line:

Thu Apr 13 12:42:11 2017: 10.0.0.2 process=radiusd user=nagios realm= action=success NAS_IP_Address=10.0.0.3 Uppercased_Tunnel= Calling_Station_Id=987654321 NAS_Port=1234 clear-text-password=nagios

Note that the password is correct and does not contain mangled non-printable characters. This is clearly not an issue with radius as radpwtst works fine (as do other devices pointed at the radius server for login).

Any assistance in sorting out why this is happening would be incredibly helpful!
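
For reading the packet dumps in the post above: this is how the User-Password attribute is hidden by a client and recovered by a server under RFC 2865 section 5.2, as an added example that is not part of the original post and is not the plugin's or the server's own code. The secret, authenticator and password are constructed values; the example shows that any disagreement between the two sides' inputs makes the server recover unprintable bytes like those in the failure log line, and does not identify which input check_radius_adv gets wrong.

```python
import hashlib

BLOCK = 16  # MD5 digest size, and the Request Authenticator length


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 keystream: b1 = MD5(S + RA), bi = MD5(S + c(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        # The chaining value is always the hidden (ciphertext) block.
        prev = block if hiding else chunk
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: NUL-pad to a multiple of 16 octets (at most 128), then XOR."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // BLOCK))
    return _xor_chain(password.ljust(blocks * BLOCK, b"\x00"), secret, authenticator, True)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the XOR, then strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("User-Password must be 16 to 128 octets, in 16-octet blocks")
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")


def is_printable(value: bytes) -> bool:
    """True when every byte is printable ASCII, as a sane password would be."""
    return all(0x20 <= c < 0x7F for c in value)


# Constructed sample values, not taken from the packet dumps in this thread.
AUTHENTICATOR = bytes(range(16))
SECRET = b"nagios"
HIDDEN = hide_password(b"nagios", SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    print(recover_password(HIDDEN, SECRET, AUTHENTICATOR))     # matching inputs
    print(recover_password(HIDDEN, b"nagioz", AUTHENTICATOR))  # secret differs
    print(recover_password(HIDDEN, SECRET, bytes(16)))         # authenticator differs
```
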
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_radius_adv mangling password

Post by cdienger »

Hi ccurreri,

I'm able to get similar results on a test machine. I'll look into this a bit more and get you an update before day's end.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_radius_adv mangling password

Post by cdienger »

Hi ccurreri,

We're currently looking into this, but this seems to be the same problem seen in https://support.nagios.com/forum/viewto ... =6&t=35305.

As a workaround you can use https://exchange.nagios.org/directory/P ... us/details.
ccurreri
Posts: 2
Joined: Thu Apr 13, 2017 10:21 am

Re: check_radius_adv mangling password

Post by ccurreri »

Hi cdienger,

I'm able to get the check_radius.pl plugin to work on our dev system. Is there any status update as to when/if check_radius_adv will function? The last message in the thread you linked is from 2015.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_radius_adv mangling password

Post by cdienger »

Thanks for the update. We're looking into the best course of action. I'll keep you posted.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_radius_adv mangling password

Post by cdienger »

The problem has been documented at https://github.com/nagios-plugins/nagio ... issues/271 to help get it resolved.