Check_Radius

Kalagan · 20 March 2024 09:24

Hello,

I have a Windows NPS server (Radius) that i want to monitor with LibreNMS but i’m struggling with the parameter, mostly the “config file”.

Can someone give me an example as in

-H x.x.x.x. -P 1812 -u username -p password -F config_file

i can’t find the path of my config file on Windows server 2019.

Regards,

David

slashdoom · 20 March 2024 15:47

I assume we’re talking about this check_radius plugin?

If so, the config_file isn’t on your NPS server. It’s something that you create that lives somewhere on your LibreNMS server/poller, so your -F path will point to the location of that file.

Like that page mentions, the config is based on the radiusclient config file format, for example:

github.com

FreeRADIUS/freeradius-client/blob/master/etc/radiusclient.conf.in

# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order	radius,local

# maximum login tries a user has
login_tries	4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout	60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)

This file has been truncated. show original

A lot of the options in that file you won’t need because you’ll use your check_radius flags instead. But you’ll notice that you have username/password options but don’t have a RADIUS key option. That’s because this would be defined in the config file by servers option, which is another file that contains RADIUS server hostname/IP and keys. So you’ll need to create that as well. For example:

github.com

FreeRADIUS/freeradius-client/blob/master/etc/servers

## Server Name or Client/Server pair		Key		
## ----------------				---------------
#
#portmaster.elemental.net			hardlyasecret
#portmaster2.elemental.net			donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
#localhost/localhost				testing123

I would heed the advise there about the security risk of the password. Ideally you’d have a user and rules on the NPS side that gives no access beyond getting a simple RADIUS ACCEPT for this check. Locking down access to the RADIUS key both on LibreNMS and NPS is also recommended.

Kalagan · 21 March 2024 08:15

Hello,

Thank a lot for your help. It all makes sense now.

I’ll follow your documents and try to make it work.

Regards,

David