[Mon-commit] mon-contrib/monitors/radius/radius.monitor.detailcheck radius.monitor.detailcheck, NON
Brought to you by:
trockij
Menu
▾
▴
[Mon-commit] mon-contrib/monitors/radius/radius.monitor.detailcheck radius.monitor.detailcheck, NONE, 1.1 radius.monitor.detailcheck.README, NONE, 1.1
|
From: Jim T. <tr...@us...> - 2009-02-26 19:00:30
|
Update of /cvsroot/mon/mon-contrib/monitors/radius/radius.monitor.detailcheck In directory 23jxhf1.ch3.sourceforge.com:/tmp/cvs-serv7552/radius.monitor.detailcheck Added Files: radius.monitor.detailcheck radius.monitor.detailcheck.README Log Message: radius.monitor.detailcheck from Mike Ireton --- NEW FILE: radius.monitor.detailcheck --- #!/usr/bin/perl # # An anal-retentive check of radius. We check to make sure that # we get an expected list of specially cooked items in the reply # that matches a predefined list and we alert if we don't see all # the items, or if any don't match, or if we get unexpected avpairs # in the reply. # # To use this: # # You first need to set up your radius servers to accept requests from # your mon host and test and verify that you can peform simple radius # authorizations using radclient before your proceed. See your radius # server documentation for details. # # 1) Create a special radius test user. I have 'mon' here, # but it's user configurable. Set the below vars to this name and # password. # # 2) Assign different attributes to return for this this user. The # minimum reccomended list is: # # Framed-IP-Address # Framed-IP-Netmask # Framed-Route # Framed-MTU # Filter-Id # # **You should set these all to some weird nonsensical values that # would not be in use in your network. The purpose is to make sure # that these values are being passed thru your radius unaltered.** # # 3) Insert the attributes and values you selected above into # the %refvars hash. This has to match what radius hands back, otherwise, # it will generate an alert. # # 4) Test by running this command and checking the output: # # ./radius.monitor.detailcheck serversecret serverhost1 serverhost2 .. # # You made need to adjust the path to radclient as well as where your local # radius dictionaries are kept. # # Mike Ireton # mi...@wi... # BEGIN { $TEMPFILE=`mktemp /tmp/radius.detailcheck.XXXXXX`; chomp($TEMPFILE); } END { unlink ($TEMPFILE); }; $RADCLIENT="/usr/bin/radclient"; $DICTIONARY="/etc/freeradius"; $USER="mon"; $PASS="yourpasswordhere"; $SECRET=shift; $ok=0; while ($SERVER = shift) { %refvars = ( 'Framed-IP-Address' => "192.168.255.1", 'Framed-MTU' => "1638", 'Service-Type' => "Framed-User", 'Framed-Protocol' => "PPP", 'Framed-Compression' => "Van-Jacobson-TCP-IP", 'Framed-IP-Netmask' => "255.248.240.224", 'Filter-Id' => "\"radiusdebug\"", 'Framed-Route' => "\"192.168.255.252/30\"", ); %skipvars = ( 'User-Name' => "any", 'CHAP-Password' => "any", 'Framed-Protocol' => "any", ); # First, test Access-Accept and returned variables open(FP,"|$RADCLIENT -d $DICTIONARY -r 2 -x $SERVER auth $SECRET > $TEMPFILE 2>&1"); print FP "User-Name = \"$USER\"\n"; print FP "Chap-Password = \"$PASS\"\n"; print FP "Framed-Protocol = PPP\n"; close(FP); open(RESULTS,"<$TEMPFILE"); do { $line=<RESULTS>; if($line =~ /radclient: no response from server/) { $ok=1; print "Server failed to respond: $SERVER\n"; next; } if($line =~ /rad_recv: Access-Reject/) { $ok=1; print "Server rejected test credentials: $SERVER\n"; next; } if($line =~ /Shared secret is incorrect/) { $ok=1; print "Server test failed on $SERVER: shared secret incorrect?\n"; next; } } until $line =~ /^rad_recv/; while ($line=<RESULTS>) { if ($line =~ /^\s+([-a-zA-Z]+)\s?=\s(.+)/ ) { $var=$1; $value=$2; if ( defined $refvars{$var} ) { if ( $refvars{$var} ne $value ) { push @mismatched,"got $var = $value, expected $var = " . $refvars{$var}; } delete $refvars{$var}; } else { push @unexpected,"$var = $value"; } } } close(RESULTS); if(( keys( %refvars ) != 0) || ( @mismatched !=0 ) || (@unexpected != 0)) { print "A server failed avresponse check: $SERVER\n"; $ok=1; }; foreach ( keys %refvars ) { print "\tFailed to receive avpair: " . " " . "$_ = " . $refvars{$_} . "\n"; } foreach ( @mismatched ) { print "\tFailed to match avpair: $_ \n"; } foreach ( @unexpected ) { print "\tUnexpected avpair: $_ \n"; } undef @mismatched; undef @unxepected; } exit $ok; --- NEW FILE: radius.monitor.detailcheck.README --- radius.monitor.detailcheck README ================================= This is an anal-retentive check of radius to ensure that not only are your servers online, but that they are returning expected av pairs. This is a good extra additional check to be doing because configuration mistakes or database problems may create problems for radius that don't show up as a simple 'access-reject'. Since mon only passes simple command line params, and because we need more extensive configuration, you need to modify the script's configuration vars to suit your installation. The general idea is that you set it up with as many unique av pairs as you can, with values that do not match anything you're likely to ever legitimately assign elsewhere, and then this script checks to make sure that all av pairs are returned and ONLY these pairs are seen else it reports. Mike Ireton WillitsOnline Feb 13 2008 |
