Post-crash investigations

Phil Mayers p.mayers at
Tue May 15 14:47:45 CEST 2012

On 15/05/12 13:21, Julien Cornuwel wrote:
> Thanks to both of you for taking the time to answer.
>> I would strongly recommend you migrate to FR 2.1.12 - not only is it maintained, with
>> latest features, bug fixes etc but it is also faster.
> Unfortunately, this is not an option. HPIDM3 (a radius plugin provided
> by HP) doesn't work with Radius 2, and there is no way we can buy the
> upgrade to HPIDM4 any time soon. So I'm stuck with 1.1.x

At the very least, upgrade to 1.1.8

> Anyway, I can live with a server that crashes once in a while, as long
> as I can detect it. The default timeout on the switches is 60 seconds,
> which is plenty enough to start a daemon and move a virtual IP...
> This brings me back to my second question: how do you monitor your
> Radius servers ? I haven't been able to find anything except very
> basic Nagios checks...

You implied you wanted to test a "real" authentication and tried to 
replay one, which didn't (and shouldn't) work.

Instead, I recommend you download the wpa_supplicant sources, and 
compile eapol_test. Write a wrapper script to run this, and perform a 
full 802.1x auth against the server. If it fails, it's down and you need 
to restart it.

We do something like this:




trap "rm -f $CFG $BUF" EXIT

# write out the eapol_test config file
cat <<EOF >$CFG
         ssid="example 802.1x network"
         identity="user at domain"

# run eapol_test
$EAPOL_TEST -c $CFG -a -p 1812 -s testing123 >$BUF 2>&1
if [ $? -ne 0 ]
   echo eapol_test failed
   exit 1

# it's fine
exit 0

More information about the Freeradius-Users mailing list