RADIUS Monitoring tool

Clement Ogedengbe c.ogedengbe at worc.ac.uk
Thu Feb 26 09:28:50 CET 2015 

Thanks to Matthew for the shell script. It's brilliant as it perfectly meets our needs (with a few tweek though).


Clement 


-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org] On Behalf Of Matthew Newton
Sent: 25 February 2015 14:56
To: FreeRadius users mailing list
Subject: Re: RADIUS Monitoring tool

On Wed, Feb 25, 2015 at 01:28:50PM +0000, Clement Ogedengbe wrote:
> On two occasions in the last 2 weeks, our RADIUS server suddenly 
> started to reject ALL users. Even though we have set up a failover 
> system. Unfotunately, the fail-over system did not kick in because the 
> RADIUS service was still running, only that it was rejecting all users 
> for some strange reasons.

A reject to your NAS means that the NAS believe the RADIUS server is still there (well, it is...) so it doesn't remove it.

> Does anyone know of any monitoring script/tool that can be used to 
> test that the RADIUS server is authenticating properly and which can 
> send an alert by email or text in the event that the server rejects 
> authentication of a valid user credentials a number of times.

I run a shell script on the RADIUS servers. It

  restarts winbind and/or FreeRADIUS if ntlm_auth does not
  succeed

  stops FreeRADIUS if auth still fails after the above

  stops FreeRADIUS if disk usage gets too high

I've had no problems like yours since running this. If there are problems, FreeRADIUS is forcibly stopped, which means the NAS jumps on to the next server.

It works for us, but may be full of bugs and eat your system. Use it at your own risk. There are likely many better solutions out there, but I've put it on github if you're interested.

  https://gist.github.com/mcnewton/8c6c54ffc04acf031a08

We also run Nagios checks against the RADIUS server, so get alerts from that as well as this script. The Nagios checks use eapol_test to check the stack that way, but can't stop the RADIUS server if there has been a problem.

Matthew


--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list