Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Nagios with Radius authentication

https://support.nagios.com/forum/viewtopic.php?t=26193

Page 1 of 1

Nagios with Radius authentication

Posted: Thu Mar 20, 2014 1:40 am
by gouravjoshi
Hi All,

I am trying to configure nagios with radius authentication. Is it possible? I am thinking about single sign-on with it. Please help me with steps, if anyone has already done it.

Regards,
Gourav

Re: Nagios with Radius authentication

Posted: Thu Mar 20, 2014 7:21 am
by scottwilkerson
I haven't seen this done, but I know you can setup Nagios XI to use Basic authentication through Apache, and there are Radius addons for apache configuration that can connect and authenticate against your Radius server.

e.g.
http://freeradius.org/mod_auth_radius/

You would however still need to add the users to Nagios XI for authorization, but the authentication could theoretically happen via apache's basic auth addon via Radius server.

Re: Nagios with Radius authentication

Posted: Tue Jul 04, 2017 8:14 am
by jslim
Hi,

Last reply on this is from 2014. I am taking a chance today, is there any feature that allow radius authentification directly from nagios XI ?

Thank you

Re: Nagios with Radius authentication

Posted: Wed Jul 05, 2017 4:34 pm
by tgriep
The Nagios XI user interface now supports LDAP and Active DIrectory authenication for logging in to the GUI.
Radius is still not natively supported at this time.

Re: Nagios with Radius authentication

Posted: Thu Aug 31, 2017 1:16 pm
by brain01
yes this IS possible, I have done it but with standard nagios, NOT nagiosXI. for standard, you can set the apache/httpd <virtualhost> settings to use xradius mod to handle the auth, then it passes the username to apache which is what nagios is asking for. so nagios authenticates via apache, which is authd from radius.

once your radius server is authenticating your SSH sessions, you know it will work for apache.
So install mod_auth_xradius and all it's dependencies, use google to get the latest.


httpd.conf

Code: Select all

DocumentRoot "/var/www/html"
### NOTE: any folder/app that needs to use the radius cached credentials must be a subfolder of /var/www/html
###
    ## This Loads mod_auth_xradius into Apache
    LoadModule auth_xradius_module modules/mod_auth_xradius.so
    ## radius cache location
    AuthXRadiusCache dbm "conf/auth_xradius_cache"
    ## Cache timeout in seconds
    AuthXRadiusCacheTimeout 43600

<Directory "/var/www/html">
## Satisfy any must be disabled for cached credentials to work
#Satisfy any

### radius info
        ## This is what the client sees in their Prompt.
        AuthName "RADIUS Authentication Required"

        ## Type of authentication to use.
        AuthType basic
        AuthBasicProvider xradius

        ## Address and the Shared Secret of the RADIUS Server to contact.
        AuthXRadiusAddServer "x.x.x.x:1812" "secretKey"

        ## Time in Seconds to wait for replies from the RADIUS Servers
        AuthXRadiusTimeout 3

        ## Number of times to resend a request to a server if no reply is received.
        AuthXRadiusRetries 3

        ## This tells apache that we want a valid user and password.
        require valid-user

        ## disallow blank passwords
        AuthXRadiusRejectBlank on
also, in the nagios.conf file, you have to COMMENT OUT the original htpasswd credential parameter and replace it with the xradius cache location. So 'AuthUserFile ' becomes 'AuthDBMUserFile' and thats what Nagios will use for cached credentials. adjust the expiration per your needs. i set it to 12 hours for a once daily requirement.

Code: Select all

ScriptAlias /nagios/cgi-bin "/var/www/html/nagios/sbin"

# <Directory "/usr/local/nagios/sbin">
<Directory "/var/www/html/nagios/sbin">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride All
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1

#   AuthName "Nagios Access"
#   AuthType Basic
#   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user

AuthDBMType default
AuthDBMUserFile conf/auth_xradius_cache

</Directory>

Alias /nagios "/var/www/html/nagios/share"

# <Directory "/usr/local/nagios/share">
<Directory "/var/www/html/nagios/share">
   SSLRequireSSL
   Options None
   AllowOverride All
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1

#   AuthName "Nagios Access"
#   AuthType Basic
#   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user

AuthDBMType default
AuthDBMUserFile conf/auth_xradius_cache

</Directory>

• Run ldconfig
# ldconfig /usr/local/lib
• Create cache file
# touch /etc/httpd/conf/authxcache
# chown apache:root /etc/httpd/conf/authxcache
• Restart httpd
# service httpd restart

IMPORTANT: Any folder/site/app you want to inherit web auth (radius) authentication must be a child folder of the html folder you have defined above. Anything outside the html folder will not inherit cached radius credentials.

keep in mind you have to make further edits to the SSL.conf file if you intend to use https nagios like i did. that is a PIA.

Re: Nagios with Radius authentication

Posted: Thu Aug 31, 2017 3:32 pm
by tmcdonald
Thanks for the assist, @brain01! OP, let us know if you need further assistance.
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited