Post-crash investigations

Julien Cornuwel cornuwel at gmail.com
Tue May 15 17:00:04 CEST 2012


Thank you. I'll try that as soon as I'm done upgrading to 1.1.8.

2012/5/15 Phil Mayers <p.mayers at imperial.ac.uk>:
> On 15/05/12 13:21, Julien Cornuwel wrote:
>>
>> Thanks to both of you for taking the time to answer.
>>
>>> I would strongly recommend you migrate to FR 2.1.12 - not only is it
>>> maintained, with latest features, bug fixes etc but it is also faster.
>>
>>
>> Unfortunately, this is not an option. HPIDM3 (a radius plugin provided
>> by HP) doesn't work with Radius 2, and there is no way we can buy the
>> upgrade to HPIDM4 any time soon. So I'm stuck with 1.1.x
>
>
> At the very least, upgrade to 1.1.8
>
>
>> Anyway, I can live with a server that crashes once in a while, as long
>> as I can detect it. The default timeout on the switches is 60 seconds,
>> which is plenty enough to start a daemon and move a virtual IP...
>>
>> This brings me back to my second question: how do you monitor your
>> Radius servers? I haven't been able to find anything except very
>> basic Nagios checks...
>
>
> You implied you wanted to test a "real" authentication and tried to replay
> one, which didn't (and shouldn't) work.
>
> Instead, I recommend you download the wpa_supplicant sources, and compile
> eapol_test. Write a wrapper script to run this, and perform a full 802.1x
> auth against the server. If it fails, it's down and you need to restart it.
>
> We do something like this:
>
> #!/bin/bash
>
> EAPOL_TEST=/usr/local/bin/eapol_test
>
> # temp files: eapol_test config and captured output
> CFG=$(mktemp)
> BUF=$(mktemp)
>
> # remove both temp files on exit (the config holds the test password)
> trap 'rm -f "$CFG" "$BUF"' EXIT
>
> # write out the eapol_test config file
> cat <<EOF >"$CFG"
> network={
>        ssid="example 802.1x network"
>        key_mgmt=IEEE8021X
>        eap=PEAP
>        phase2="auth=MSCHAPV2"
>        identity="user@domain"
>        password="XXX"
> }
> EOF
>
> # run eapol_test
> "$EAPOL_TEST" -c "$CFG" -a 127.0.0.1 -p 1812 -s testing123 >"$BUF" 2>&1
> if [ $? -ne 0 ]
> then
>  echo eapol_test failed
>  exit 1
> fi
>
> # it's fine
> exit 0
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
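
One way to turn a probe like the eapol_test script quoted above into a Nagios check, as an added example that is not part of the original thread: each attempt is bounded by a timeout, so a hung server is reported as well as a crashed one. The function name `check_radius`, the thresholds and the use of coreutils `timeout` are assumptions; attempts times timeout should stay below the 60-second switch timeout mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. check_radius and its thresholds are
# assumptions; exit codes follow the Nagios plugin convention
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). Needs coreutils `timeout`.

# usage: check_radius TIMEOUT_SECS ATTEMPTS PROBE [ARGS...]
# PROBE is any command that exits 0 only after a complete authentication,
# for example a wrapper script around eapol_test.
check_radius() {
    local limit attempts try rc start elapsed
    limit=$1; attempts=$2; shift 2

    # A missing probe means the check is broken, not the RADIUS server.
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "RADIUS UNKNOWN - probe '$1' not found"
        return 3
    fi

    try=1; rc=0
    while [ "$try" -le "$attempts" ]; do
        start=$(date +%s)
        # Bound each run so a hung daemon is reported like a dead one.
        # Probe output is discarded rather than sent to the monitoring log.
        timeout "$limit" "$@" >/dev/null 2>&1 && rc=0 || rc=$?
        elapsed=$(( $(date +%s) - start ))
        if [ "$rc" -eq 0 ]; then
            if [ "$try" -gt 1 ]; then
                echo "RADIUS WARNING - auth succeeded on attempt $try (${elapsed}s)"
                return 1
            fi
            echo "RADIUS OK - auth succeeded in ${elapsed}s"
            return 0
        fi
        try=$((try + 1))
    done

    # timeout(1) exits 124 when it had to kill the probe.
    if [ "$rc" -eq 124 ]; then
        echo "RADIUS CRITICAL - no answer within ${limit}s ($attempts attempts)"
    else
        echo "RADIUS CRITICAL - probe exited $rc ($attempts attempts)"
    fi
    return 2
}
```
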

