RADIUS Monitoring tool

Matthew Newton mcn4 at leicester.ac.uk
Wed Feb 25 15:56:13 CET 2015


On Wed, Feb 25, 2015 at 01:28:50PM +0000, Clement Ogedengbe wrote:
> On two occasions in the last 2 weeks, our RADIUS server suddenly
> started to reject ALL users. Even though we have set up a
> failover system. Unfortunately, the fail-over system did not kick
> in because the RADIUS service was still running, only that it
> was rejecting all users for some strange reasons.

A reject to your NAS means that the NAS believes the RADIUS server
is still there (well, it is...) so it doesn't remove it.

> Does anyone know of any monitoring script/tool that can be used
> to test that the RADIUS server is authenticating properly and
> which can send an alert by email or text in the event that the
> server rejects authentication of a valid user's credentials a
> number of times.

I run a shell script on the RADIUS servers. It

  restarts winbind and/or FreeRADIUS if ntlm_auth does not
  succeed

  stops FreeRADIUS if auth still fails after the above

  stops FreeRADIUS if disk usage gets too high

I've had no problems like yours since running this. If there are
problems, FreeRADIUS is forcibly stopped, which means the NAS
jumps on to the next server.

It works for us, but may be full of bugs and eat your system. Use
it at your own risk. There are likely many better solutions out
there, but I've put it on github if you're interested.

  https://gist.github.com/mcnewton/8c6c54ffc04acf031a08

We also run Nagios checks against the RADIUS server, so get alerts
from that as well as this script. The Nagios checks use eapol_test
to check the stack that way, but can't stop the RADIUS server if
there has been a problem.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
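
The watchdog logic described in the message above, written out as an added example; it is not the script from the linked gist. The probe account, file paths, service names, thresholds and exit codes are assumptions, and it always restarts both services rather than choosing between them.

```shell
#!/bin/sh
# Added example, not the gist's script. Probe account, file paths, service
# names and thresholds below are assumptions; adjust for your system.
PROBE_USER="${PROBE_USER:-radius-probe}"                 # dedicated low-privilege test account
PROBE_PASS_FILE="${PROBE_PASS_FILE:-/etc/radius-probe.pass}"  # root-only, mode 0600
SECRET_FILE="${SECRET_FILE:-/etc/radius-probe.secret}"   # shared secret of the localhost client
DISK_PATH="${DISK_PATH:-/var/log}"
DISK_MAX_PCT="${DISK_MAX_PCT:-90}"
SETTLE="${SETTLE:-10}"                                   # seconds to wait after a restart

# Thin wrappers keep the decision logic below testable without a live server.
svc()      { service "$1" "$2"; }
alert()    { logger -t radius-watchdog "$*"; }
disk_pct() { df -P "$DISK_PATH" | awk 'NR==2 { sub("%", "", $5); print $5 }'; }

# Backend check: can winbind still authenticate the probe account?
check_ntlm() {
    ntlm_auth --username="$PROBE_USER" \
        --password="$(cat "$PROBE_PASS_FILE")" >/dev/null 2>&1
}

# End-to-end check: does FreeRADIUS return Access-Accept, not merely run?
check_radius() {
    radtest -t mschap "$PROBE_USER" "$(cat "$PROBE_PASS_FILE")" \
        127.0.0.1 0 "$(cat "$SECRET_FILE")" 2>/dev/null | grep -q 'Access-Accept'
}

# Returns 0 healthy, 1 stopped after failed auth, 2 stopped for disk usage.
watchdog() {
    if [ "$(disk_pct)" -ge "$DISK_MAX_PCT" ]; then
        svc freeradius stop
        alert "stopped freeradius: $DISK_PATH at or above ${DISK_MAX_PCT}%"
        return 2
    fi
    if ! check_ntlm; then
        alert "ntlm_auth failed: restarting winbind and freeradius"
        svc winbind restart
        svc freeradius restart
        sleep "$SETTLE"
    fi
    if check_ntlm && check_radius; then return 0; fi
    # A stopped server no longer answers, so the NAS moves to the next one.
    svc freeradius stop
    alert "stopped freeradius: authentication still failing"
    return 1
}

if [ "${1:-}" = "run" ]; then watchdog; fi
```

Run it from cron as root with the `run` argument. The probe password is briefly visible in the process list, so the probe account should have no access beyond authenticating.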

