Post-crash investigations

Phil Mayers p.mayers at imperial.ac.uk
Tue May 15 14:47:45 CEST 2012


On 15/05/12 13:21, Julien Cornuwel wrote:
> Thanks to both of you for taking the time to answer.
>
>> I would strongly recommend you migrate to FR 2.1.12 - not only is it maintained, with
>> latest features, bug fixes etc but it is also faster.
>
> Unfortunately, this is not an option. HPIDM3 (a radius plugin provided
> by HP) doesn't work with Radius 2, and there is no way we can buy the
> upgrade to HPIDM4 any time soon. So I'm stuck with 1.1.x

At the very least, upgrade to 1.1.8

> Anyway, I can live with a server that crashes once in a while, as long
> as I can detect it. The default timeout on the switches is 60 seconds,
> which is plenty enough to start a daemon and move a virtual IP...
>
> This brings me back to my second question: how do you monitor your
> Radius servers? I haven't been able to find anything except very
> basic Nagios checks...

You implied you wanted to test a "real" authentication and tried to 
replay one, which didn't (and shouldn't) work.

Instead, I recommend you download the wpa_supplicant sources, and 
compile eapol_test. Write a wrapper script to run this, and perform a 
full 802.1x auth against the server. If it fails, it's down and you need 
to restart it.

We do something like this:

#!/bin/bash

EAPOL_TEST=/usr/local/bin/eapol_test

# temporary files for the supplicant config and the eapol_test output;
# the trap removes them on exit whatever the result
CFG=`mktemp`
BUF=`mktemp`

trap "rm -f $CFG $BUF" EXIT

# write out the eapol_test config file
cat <<EOF >$CFG
network={
         ssid="example 802.1x network"
         key_mgmt=IEEE8021X
         eap=PEAP
         phase2="auth=MSCHAPV2"
         identity="user at domain"
         password="XXX"
}
EOF

# run eapol_test: -a/-p give the RADIUS server address and auth port,
# -s the shared secret; a non-zero exit means the full EAP exchange failed
$EAPOL_TEST -c $CFG -a 127.0.0.1 -p 1812 -s testing123 >$BUF 2>&1
if [ $? -ne 0 ]
then
   echo eapol_test failed
   exit 1
fi

# it's fine
exit 0
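As an added example (not Phil's script above, and not part of the original thread), the same eapol_test check written in the shape a Nagios/NRPE plugin expects: it bounds the run with coreutils `timeout` so a dead daemon cannot hang the monitor, and it separates "no answer at all" (daemon down, fail over) from "answered but rejected" (daemon up, backend or credentials broken) by exit status and by the SUCCESS/FAILURE line eapol_test prints at the end of its output. The binary path, server address, shared secret and credentials are taken from environment variables with hypothetical defaults, and the two sample outputs are constructed, not captured from a real run.

```shell
#!/bin/bash
# check_radius_eapol.sh (added example, not from the mailing-list post).
# Assumes: eapol_test built from wpa_supplicant, coreutils `timeout`,
# and a RADIUS test user; all values below are hypothetical defaults.

EAPOL_TEST="${EAPOL_TEST:-/usr/local/bin/eapol_test}"
RADIUS_HOST="${RADIUS_HOST:-127.0.0.1}"
RADIUS_PORT="${RADIUS_PORT:-1812}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"
EAP_IDENTITY="${EAP_IDENTITY:-monitor@example.org}"   # hypothetical test account
EAP_PASSWORD="${EAP_PASSWORD:-XXX}"
TIMEOUT_SECS="${TIMEOUT_SECS:-10}"

# Constructed sample outputs (the last line is what eapol_test prints itself).
SAMPLE_OK_OUTPUT='EAP: Status notification: completion (param=success)
SUCCESS'
SAMPLE_REJECT_OUTPUT='EAP: Received EAP-Failure
FAILURE'

# classify_eapol_result EXIT_STATUS OUTPUT
# Prints a one-line Nagios message and returns the Nagios state:
# 0 OK, 2 CRITICAL, 3 UNKNOWN. Exit status 124 comes from `timeout`.
classify_eapol_result() {
    status="$1"
    output="$2"
    if [ "$status" -eq 124 ]; then
        echo "CRITICAL - eapol_test timed out after ${TIMEOUT_SECS}s (no answer from server)"
        return 2
    fi
    if [ "$status" -eq 0 ] && printf '%s\n' "$output" | grep -q '^SUCCESS$'; then
        echo "OK - full 802.1X/PEAP authentication succeeded"
        return 0
    fi
    if printf '%s\n' "$output" | grep -qE 'EAP-Failure|^FAILURE$'; then
        echo "CRITICAL - server answered but rejected the test user"
        return 2
    fi
    echo "UNKNOWN - eapol_test exited with status $status"
    return 3
}

# run_eapol_check: write a throwaway supplicant config, run eapol_test
# under a timeout, and classify the result. Never called by the test harness.
run_eapol_check() {
    cfg=$(mktemp) || return 3
    cat <<EOF >"$cfg"
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="$EAP_IDENTITY"
    password="$EAP_PASSWORD"
}
EOF
    output=$(timeout "$TIMEOUT_SECS" "$EAPOL_TEST" -c "$cfg" \
        -a "$RADIUS_HOST" -p "$RADIUS_PORT" -s "$RADIUS_SECRET" 2>&1)
    status=$?
    rm -f "$cfg"
    classify_eapol_result "$status" "$output"
}

# The live check only runs when invoked as `check_radius_eapol.sh run`,
# so the classification logic can be exercised offline with the samples.
case "${1:-}" in
    run) run_eapol_check; exit $? ;;
esac
```

Point Nagios (or your failover script) at `check_radius_eapol.sh run`; state 2 with the "timed out" message is the case where the daemon itself has died and the virtual IP should move, whereas a reject with the daemon answering is worth paging on but says nothing about moving the IP.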


More information about the Freeradius-Users mailing list