How to monitor Radius service with Zabbix?

Network Management Xiaojia/sysadm.cc

Radius should be familiar to anyone who works with systems. It is a service that provides identity authentication.

Radius is widely used, and one of the simplest scenarios is wireless access: once a user name and password or a certificate has been verified by it, the wireless network connection can be established.

Such an important basic service deserves attention, and naturally we need to know its operating status at all times.

Then the simplest and most economical way we can think of is to use Zabbix or other monitoring software to monitor and manage Radius.


However, after searching the entire Internet, I can't seem to find a more complete and feasible solution.

If you want to use Zabbix to monitor the Radius service, it may seem simple at first thought.

Use Ping: if there is no reply, you can judge that the server is faulty or down.

But sometimes the server answers Ping and the network is fine, yet the service may be stopped.

What to do in this situation?

How about directly monitoring the Radius background service?

As long as the service is running, it is considered to be working properly.

That makes sense and seems to solve the problem. But think about it carefully: the service may be running yet unable to provide normal authentication, and that is of course also a fault state!

It seems the problem is not that simple!


Having said so much, what is the right thing to do?

If we look at the problem from the perspective of the service Radius provides, the conclusion is easy to draw: as long as it returns an authentication response normally, it is in a normal state; otherwise it is in a fault state.

To put it more bluntly, you send it an authentication request (Access-Request), and if it returns a response correctly (SUCCESS or FAILURE), regardless of whether the verification succeeded or failed, we can consider its status OK; otherwise it is NG.

Okay, now that the logic is clear, how to do it specifically?


First, we need to send a request from Zabbix to Radius.

How do you do that? Can you send one just because you want to?

Yes, this is not easy. I searched all over the Internet and accidentally found an article by a foreigner, which somewhat inspired me.

The general approach is to do this by calling a Shell script, which in Zabbix is called an external check.

But he used a network tool of the Ncat type to send UDP packets to port 1812 of the Radius server.

The theory is feasible, and I have made many attempts, but the operation is very complicated and not easy to implement.


There are two reasons. One is that Ncat is just a network tool and does not know how to construct an Access-Request packet.

The foreign author's idea was to replay captured packets directly, and that is completely unfeasible.

Because the authentication methods in general use today are not the low-security ones, a request sent in this crude way cannot handle the multiple responses that come back.


The other reason is that even if you manage to send a legitimate request packet, you have to capture the response packet that Radius returns yourself. The tool has no function for obtaining the returned information, and it is almost impossible to achieve this through simple operations.

Based on the above reasons and based on my actual experimental results, I finally gave up such a plan.


Although it failed, the idea in the foreigner's article opened up new ideas for me.

First, you can take advantage of Zabbix's external check scripts.

Second, if Ncat doesn't work, then I can just swap it for a client program that can make normal Radius requests!

Facts have proved that my new idea completely works!
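
One way to build such an external check, as an added example rather than the author's own script or client (which the page does not show). It assumes FreeRADIUS's `radtest` and coreutils' `timeout` are installed; the script name and the Zabbix macro names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: Zabbix external check for RADIUS liveness.
# Prints 1 when the server answers an Access-Request (Accept or Reject),
# 0 when there is no answer, a timeout, or a client error.
# Assumes FreeRADIUS's radtest and coreutils' timeout are installed.
# Example item key (script and macro names are hypothetical):
#   radius_check.sh["{HOST.CONN}","{$RADIUS_USER}","{$RADIUS_PASS}","{$RADIUS_SECRET}"]

# Classify client output read from stdin. Any authentication verdict means
# the service is answering; the "Sent Access-Request" line does not match.
classify_reply() {
    if grep -Eq 'Access-(Accept|Reject)'; then
        echo 1
    else
        echo 0
    fi
}

# Send one MS-CHAP Access-Request and classify the result.
# Use a dedicated probe account: the password and the shared secret are
# visible in the process list while radtest runs.
radius_check() {
    local server=$1 user=$2 pass=$3 secret=$4 limit=${5:-10}
    timeout "$limit" radtest -t mschap "$user" "$pass" "$server" 0 "$secret" 2>&1 \
        | classify_reply
}

# Run only when called with arguments, as Zabbix does for an external check.
if [ "$#" -ge 4 ]; then
    radius_check "$@"
fi
```

A Zabbix trigger on this item then fires when the last value is 0, which covers a stopped service, an unreachable host, and a service that runs but no longer answers authentication requests.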


The final result is shown: NPS or FreeRadius is added to Zabbix, and the test passes in an MSCHAPv2 authentication environment.


At the same time, when the server fails, the trigger also raises problem alarms normally.


The relevant scripts and programs for this article can be downloaded at the end of the article.

Files related to monitoring Radius with Zabbix (download at the end of the article)

  • Linux

    • External check script (1K)
    • Radius client MSCHAPV2 authentication configuration file (1K)
    • Source code of the MSCHAPV2 authentication client command (16K)
    • Source code of the timeout program (15K)
  • Windows

    • MSCHAPV2 authentication client exe executable (6.4M, usable under Windows)

How is this achieved?

What pitfalls will you encounter during implementation?

Let’s talk about it in detail below…


Follow the network administrator Xiaojia’s public account and send 001053 to unlock the complete content of the tutorial.

(Including more than 20 example illustrations, more than 5,000 words of detailed explanation, and script program package download)



Origin blog.csdn.net/kydd2008/article/details/134082953