Hi All,
I am trying to configure nagios with radius authentication. Is it possible? I am thinking about single sign-on with it. Please help me with steps, if anyone has already done it.
Regards,
Gourav
Nagios with Radius authentication
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Nagios with Radius authentication
I haven't seen this done, but I know you can setup Nagios XI to use Basic authentication through Apache, and there are Radius addons for apache configuration that can connect and authenticate against your Radius server.
e.g.
http://freeradius.org/mod_auth_radius/
You would however still need to add the users to Nagios XI for authorization, but the authentication could theoretically happen via apache's basic auth addon via Radius server.
e.g.
http://freeradius.org/mod_auth_radius/
You would however still need to add the users to Nagios XI for authorization, but the authentication could theoretically happen via apache's basic auth addon via Radius server.
Re: Nagios with Radius authentication
Hi,
Last reply on this is from 2014. I am taking a chance today, is there any feature that allow radius authentification directly from nagios XI ?
Thank you
Last reply on this is from 2014. I am taking a chance today, is there any feature that allow radius authentification directly from nagios XI ?
Thank you
Re: Nagios with Radius authentication
The Nagios XI user interface now supports LDAP and Active DIrectory authenication for logging in to the GUI.
Radius is still not natively supported at this time.
Radius is still not natively supported at this time.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Nagios with Radius authentication
yes this IS possible, I have done it but with standard nagios, NOT nagiosXI. for standard, you can set the apache/httpd <virtualhost> settings to use xradius mod to handle the auth, then it passes the username to apache which is what nagios is asking for. so nagios authenticates via apache, which is authd from radius.
once your radius server is authenticating your SSH sessions, you know it will work for apache.
So install mod_auth_xradius and all it's dependencies, use google to get the latest.
httpd.conf
also, in the nagios.conf file, you have to COMMENT OUT the original htpasswd credential parameter and replace it with the xradius cache location. So 'AuthUserFile ' becomes 'AuthDBMUserFile' and thats what Nagios will use for cached credentials. adjust the expiration per your needs. i set it to 12 hours for a once daily requirement.
• Run ldconfig
# ldconfig /usr/local/lib
• Create cache file
# touch /etc/httpd/conf/authxcache
# chown apache:root /etc/httpd/conf/authxcache
• Restart httpd
# service httpd restart
IMPORTANT: Any folder/site/app you want to inherit web auth (radius) authentication must be a child folder of the html folder you have defined above. Anything outside the html folder will not inherit cached radius credentials.
keep in mind you have to make further edits to the SSL.conf file if you intend to use https nagios like i did. that is a PIA.
once your radius server is authenticating your SSH sessions, you know it will work for apache.
So install mod_auth_xradius and all it's dependencies, use google to get the latest.
httpd.conf
Code: Select all
DocumentRoot "/var/www/html"
### NOTE: any folder/app that needs to use the radius cached credentials must be a subfolder of /var/www/html
###
## This Loads mod_auth_xradius into Apache
LoadModule auth_xradius_module modules/mod_auth_xradius.so
## radius cache location
AuthXRadiusCache dbm "conf/auth_xradius_cache"
## Cache timeout in seconds
AuthXRadiusCacheTimeout 43600
<Directory "/var/www/html">
## Satisfy any must be disabled for cached credentials to work
#Satisfy any
### radius info
## This is what the client sees in their Prompt.
AuthName "RADIUS Authentication Required"
## Type of authentication to use.
AuthType basic
AuthBasicProvider xradius
## Address and the Shared Secret of the RADIUS Server to contact.
AuthXRadiusAddServer "x.x.x.x:1812" "secretKey"
## Time in Seconds to wait for replies from the RADIUS Servers
AuthXRadiusTimeout 3
## Number of times to resend a request to a server if no reply is received.
AuthXRadiusRetries 3
## This tells apache that we want a valid user and password.
require valid-user
## disallow blank passwords
AuthXRadiusRejectBlank on
Code: Select all
ScriptAlias /nagios/cgi-bin "/var/www/html/nagios/sbin"
# <Directory "/usr/local/nagios/sbin">
<Directory "/var/www/html/nagios/sbin">
SSLRequireSSL
Options ExecCGI
AllowOverride All
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
# AuthName "Nagios Access"
# AuthType Basic
# AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
AuthDBMType default
AuthDBMUserFile conf/auth_xradius_cache
</Directory>
Alias /nagios "/var/www/html/nagios/share"
# <Directory "/usr/local/nagios/share">
<Directory "/var/www/html/nagios/share">
SSLRequireSSL
Options None
AllowOverride All
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
# AuthName "Nagios Access"
# AuthType Basic
# AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
AuthDBMType default
AuthDBMUserFile conf/auth_xradius_cache
</Directory>
• Run ldconfig
# ldconfig /usr/local/lib
• Create cache file
# touch /etc/httpd/conf/authxcache
# chown apache:root /etc/httpd/conf/authxcache
• Restart httpd
# service httpd restart
IMPORTANT: Any folder/site/app you want to inherit web auth (radius) authentication must be a child folder of the html folder you have defined above. Anything outside the html folder will not inherit cached radius credentials.
keep in mind you have to make further edits to the SSL.conf file if you intend to use https nagios like i did. that is a PIA.
Re: Nagios with Radius authentication
Thanks for the assist, @brain01! OP, let us know if you need further assistance.
Former Nagios employee