Network Management Xiaojia/sysadm.cc
RADIUS should be familiar to anyone who works on systems: it is a service that provides identity authentication.
It is widely used, and one of the simplest scenarios is wireless access: once the user name, password or certificate has been verified by RADIUS, the wireless connection is established.
Such an important basic service naturally deserves attention, and we always need to know its operating status. The simplest and most economical way to do that is to monitor and manage RADIUS with Zabbix or similar monitoring software.
However, after searching the whole Internet, I could not find a complete and workable solution.
Monitoring a RADIUS service with Zabbix may sound simple at first. Use ping: if the server stops answering, you conclude that it is down.
But sometimes the server answers ping and the network is fine, yet the service has stopped. What then?
How about monitoring the RADIUS background service directly? As long as the process is running, the service is considered healthy.
That sounds reasonable, but it only appears to solve the problem. Think about it more carefully: the process may be running and still be unable to provide authentication, and that is a fault state too! So the problem is not that simple. Having said all that, what is the right approach?
Look at RADIUS from the perspective of the service it provides and the conclusion is easy: as long as it returns an authentication response normally it is healthy, otherwise it is faulty.
To put it bluntly: you send it an Access-Request, and if it returns a properly formed response (Access-Accept or Access-Reject), its status is OK regardless of whether the credentials were accepted or refused; if no valid response comes back, it is NG.
Okay, now that the logic is clear, how do we actually do it?
First, Zabbix needs to send a request to RADIUS. How? Can Zabbix do that on its own? Not easily. After searching the Internet I stumbled on an article by a foreign author that gave me some inspiration.
His general approach is to have Zabbix call a shell script, which Zabbix calls an external check. But he used Ncat, a generic network tool, to send UDP packets to port 1812 on the RADIUS server.
The theory is feasible, and I made many attempts, but it is very complicated to operate and hard to implement.
There are two reasons. First, Ncat is only a network tool: it has no idea how to construct an Access-Request packet. Replaying a captured packet, which is what the foreign author intended, is not workable either: a captured Access-Request is tied to one random Request Authenticator, one password obfuscated under that authenticator and one Message-Authenticator computed with the shared secret, so it cannot be adapted, and production deployments no longer use the weak authentication methods for which a packet could be assembled by hand. Such a crude approach also cannot deal with the different responses the server may return.
Second, even if you manage to send a legitimate request packet, the response RADIUS returns has to be captured and interpreted by you; Ncat has no facility for obtaining the returned information, so this is almost impossible with simple operations.
For these reasons, and based on my actual experimental results, I finally gave up on that plan. Although it failed, the idea in the foreigner's article opened up a new line of thinking for me.
First, Zabbix's external check scripts can be used. Second, if Ncat does not work, just replace it with a client program that can issue a proper RADIUS request! Facts have proved that this new idea works completely.
The final result: the check was added to Zabbix and passed testing against both NPS and FreeRADIUS in an MSCHAPv2 authentication environment. When the server fails, the trigger also raises a problem alarm normally.
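The following is an added example, not the article's own script or the downloadable package: a self-contained RADIUS probe that implements the OK/NG logic above (Access-Request out, Access-Accept or Access-Reject back means healthy, silence or an invalid reply means faulty) and can be called as a Zabbix external check. It uses PAP rather than the MSCHAPv2 client the article used, because the Python standard library has the MD5/HMAC that PAP needs but not the MD4/DES that MSCHAPv2 needs. The names zabbix-probe, zbx-monitor, RADIUS_SECRET and RADIUS_PASSWORD are assumptions, and the mock server at the bottom exists only so the exchange can be exercised offline.

```python
"""RADIUS liveness probe for a Zabbix external check (constructed example, PAP-based)."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_ID, ATTR_MSG_AUTH = 1, 2, 32, 80
HEALTHY_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def _pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: each 16-byte chunk is XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident, username, password, secret, authenticator):
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, _pap_hide(password, secret, authenticator))
             + _attr(ATTR_NAS_ID, b"zabbix-probe"))  # assumed NAS-Identifier
    # Message-Authenticator (RFC 2869): HMAC-MD5 over the packet with its own value zeroed.
    with_zero = attrs + _attr(ATTR_MSG_AUTH, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(with_zero)) + authenticator
    mac = hmac.new(secret, header + with_zero, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MSG_AUTH, mac)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def check_response(reply, ident, request_auth, secret):
    """Return the reply code if the reply matches our ID and our secret, else None."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None


def is_healthy(code):
    """Accept, Reject and Challenge all prove the service answers; None is NG."""
    return code in HEALTHY_CODES


def probe(host, secret, username, password, port=1812, timeout=3.0):
    """One UDP request/response exchange; False on timeout or an invalid reply."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, username, password, secret, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return is_healthy(check_response(reply, ident, auth, secret))


def mock_server_reply(request, secret, accept):
    """Server side for offline testing: verify the Message-Authenticator, then answer.
    A real server silently discards a request whose authenticator does not verify."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    pos, zeroed, mac = 20, request[:20], None
    while pos < length:
        kind, alen = request[pos], request[pos + 1]
        if kind == ATTR_MSG_AUTH:
            mac = request[pos + 2:pos + alen]
            zeroed += request[pos:pos + 2] + b"\x00" * 16
        else:
            zeroed += request[pos:pos + alen]
        pos += alen
    if mac is None or not hmac.compare_digest(mac, hmac.new(secret, zeroed, hashlib.md5).digest()):
        return None
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request[4:20], secret)


if __name__ == "__main__":
    # Zabbix external check: prints 1 for OK and 0 for NG; the secret stays out of the script.
    healthy = probe(sys.argv[1], os.environ["RADIUS_SECRET"].encode(),
                    b"zbx-monitor", os.environ.get("RADIUS_PASSWORD", "x").encode())
    print(1 if healthy else 0)
```

Two practical points. The Zabbix server's address must be registered as a RADIUS client on NPS or FreeRADIUS with the same shared secret, otherwise the server discards the request and the probe reports NG although the service is fine. And because a Reject counts as healthy, the monitoring account needs no valid password, so no working credential has to sit in the Zabbix configuration; if you also want to catch a broken backend behind the server (for example the directory NPS authenticates against), require an Accept for a dedicated monitoring account instead.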
The relevant scripts and programs for this article can be downloaded at the end of the article.
Zabbix RADIUS monitoring files (download at the end of the article)
- Linux
  - external check script (1K)
  - RADIUS client MSCHAPv2 authentication configuration file (1K)
  - MSCHAPv2 verification client command, compiled source code (16K)
  - timeout program, compiled source code (15K)
- Windows
  - MSCHAPv2 authentication client exe executable (6.4M, usable under Windows)
How is this achieved? What pitfalls will you encounter during implementation?
Let's talk about it in detail below...
Follow the network administrator Xiaojia's public account and send 001053 to unlock the complete tutorial.
(It includes more than 20 illustrations, more than 5,000 words of detailed explanation, and the script and program package download.)
Integrate technology into life and create interesting stories