Page 1 of 2
check_radius_adv issue
Posted: Tue Oct 20, 2015 8:34 am
by smoren
Hello,
I'm trying to set up monitoring of radius servers. I created check using configuration wizzard (Radius Server). However, output of command is always "CRITICAL: Access REJECT. (code = 3)". Credentials supplied are correct(works from another system).
This is my command and its output(sensitive data are changed):
Code: Select all
./check_radius_adv -u user@domain -p password -s secret -r servername -v
Using the following information
-------------------------------
username: user@domain
password: password
shared secret: secret
server: servername
path of attributes file :
CRITICAL: Access REJECT. (code = 3) | rtt=1.0039 rttms=1003.8559
Here is extract from radius server log(sensitive data are changed):
Code: Select all
Tue Oct 20 13:31:15 2015
Packet-Type = Access-Request
User-Name = "user@domain"
User-Password = "\205\331\3161\206\373\244\356k\036\316X\304\313\335\352"
NAS-IP-Address = 1.2.3.4
Huntgroup-Name = "groupname"
Line "User-Pasword" usually contains plain-text password. However, when I use plugin 'check_radius_adv' to connect to radius server, it contains malformed string(this line was not changed). Malformed password is changed every time I try to access radius server using this plugin.
It seems that check_radius_adv somehow changes password that is sent to radius server, and thus server rejects access. Any help would be appreciated.
Thanks.
Used environment:
nagios server: Nagios XI 5.2.0 manually installed; RHEL 6.7 (64-bit)
radius server: FreeRADIUS 2.1.12 running at Ubuntu 14.04 LTS (64-bit)
Re: check_radius_adv issue
Posted: Tue Oct 20, 2015 4:28 pm
by tmcdonald
Do you have any special characters like !@#$%^&*'" in your password?
Re: check_radius_adv issue
Posted: Tue Oct 20, 2015 5:04 pm
by smoren
Nope. Just alphanumeric characters and numbers for both password and shared secret.
Re: check_radius_adv issue
Posted: Wed Oct 21, 2015 3:51 pm
by rkennedy
Does the user have permission to authenticate VIA radius? Judging by the error that is one thing I believe.
If you run only the command ./check_radius_adv and enter all of the information interactively versus ./check_radius_adv -u user@domain -p password -s secret -r servername -v does it work?
Re: check_radius_adv issue
Posted: Wed Oct 21, 2015 4:12 pm
by smoren
Yes, user has permission to authenticate via radius(same account is used from another server). But when I try to connect using check_radius_adv, radius server 'thinks' that password is wrong(as you can see from radius log - User-Password line contains password that radius server received). Interactive mode has identical behaviour.
Re: check_radius_adv issue
Posted: Thu Oct 22, 2015 2:17 pm
by lmiltchev
Yes, user has permission to authenticate via radius(same account is used from another server). But when I try to connect using check_radius_adv, radius server 'thinks' that password is wrong
Can you test this with some other tool just to make sure the user can authenticate successfully? You can probably try "radtest".
http://freeradius.org/radiusd/man/radtest.html
You can install it on RHEL/CentOS by running:
Re: check_radius_adv issue
Posted: Thu Oct 22, 2015 4:01 pm
by rkennedy
@smoren I was able to replicate your issue (I think) on an Ubuntu box with FreeRadius. Pending your install of radtest, please do post the output as stated above.
The results I am getting are -
Code: Select all
[root@localhost libexec]# radtest test test 192.168.131.135 0 test
Sending Access-Request of id 73 to 192.168.131.135 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.131.135 port 1812, id=73, length=20
Code: Select all
[root@localhost libexec]# ./check_radius_adv -u test -p test -s test -r 192.168.131.135 -v
Using the following information
-------------------------------
username: test
password: test
shared secret: test
server: 192.168.131.135
path of attributes file :
CRITICAL: Access REJECT. (code = 3) | rtt=1.0024 rttms=1002.4449
when running freeradius -X for debugging I see this on the server side -
radtest
Code: Select all
rad_recv: Access-Request packet from host 192.168.131.130 port 39086, id=71, length=74
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0xaf91fc251aa9b8cd78a1bfe30752a42c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 71 to 192.168.131.130 port 39086
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 35 ID 71 with timestamp +2714
Ready to process requests.
check_radius_adv
Code: Select all
rad_recv: Access-Request packet from host 192.168.131.130 port 53713, id=18, length=44
User-Name = "test"
User-Password = "a۟\021W߯$\2155p\253?\303(\221"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry test at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "a▒??W߯$?5p▒?▒(?"
[pap] Using clear text password "test"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
I will pass this on to our devs to further look at.
Re: check_radius_adv issue
Posted: Wed Oct 28, 2015 4:40 am
by smoren
Sorry for delay. I can confirm your tests. Connection via check_radius_adv does not work, but radtest does work. Do you have any input from devs?
Thanks.
Re: check_radius_adv issue
Posted: Wed Oct 28, 2015 2:06 pm
by scottwilkerson
@smoren - there seems to be an unidentified but when running check_radius_adv on 64 bit systems.
As this could take some time to debug, I want to offer an alternative to get you up and running.
Install this plugin
https://exchange.nagios.org/directory/P ... us/details
Run the following from the CLI
Code: Select all
yum install 'perl(Authen::Radius)' -y
Then, go into the Core Config Manager -> Commands and modify the following command
Change the command_line to
Code: Select all
$USER1$/check_radius.pl -H $HOSTADDRESS$ $ARG1$
This should allow the wizard to function as expected. From the command line you would run something like
Code: Select all
check_radius.pl -H 192.168.131.135 -u test -p test -s test
Re: check_radius_adv issue
Posted: Thu Nov 05, 2015 11:01 am
by smoren
Alternative plugin works like a charm
. However, this plugin does not provide performance data. I can live with it for now, but if you promise me
you will solve the check_radius_adv issue, you may close this case. Hopefully it will be solved in next XI release. Thanks again.