Freeradius monitoring issue with SNMP via LibreNMS

Hello community!
I am having an issue with the monitoring of Radius statistics via the application monitoring feature.
I have set up the snmp extend on Freeradius and have also added the appropriate script freeradius.sh.
When I test the script locally on my Radius server everything works as expected and I get the below results:

[root@radius01 snmp]# /etc/snmp/freeradius.sh
FreeRADIUS-Total-Access-Requests = 26825
FreeRADIUS-Total-Access-Accepts = 6966
FreeRADIUS-Total-Access-Rejects = 19873
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 26839
FreeRADIUS-Total-Auth-Duplicate-Requests = 1
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 1
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Accounting-Requests = 2381117
FreeRADIUS-Total-Accounting-Responses = 2381075
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Acct-Dropped-Requests = 0
FreeRADIUS-Total-Acct-Unknown-Types = 0
FreeRADIUS-Total-Proxy-Access-Requests = 0
FreeRADIUS-Total-Proxy-Access-Accepts = 0
FreeRADIUS-Total-Proxy-Access-Rejects = 0
FreeRADIUS-Total-Proxy-Access-Challenges = 0
FreeRADIUS-Total-Proxy-Auth-Responses = 0
FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0
FreeRADIUS-Total-Proxy-Accounting-Requests = 0
FreeRADIUS-Total-Proxy-Accounting-Responses = 0
FreeRADIUS-Total-Proxy-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Dropped-Requests = 0
FreeRADIUS-Total-Proxy-Acct-Unknown-Types = 0
FreeRADIUS-Queue-Len-Internal = 0
FreeRADIUS-Queue-Len-Proxy = 0
FreeRADIUS-Queue-Len-Auth = 0
FreeRADIUS-Queue-Len-Acct = 0
FreeRADIUS-Queue-Len-Detail = 0
[root@radius01 snmp]#

Which is exactly what I need, the problem is that when I try to call the script via snmp from my LibreNMS server I get the following error:

[root@nms ~]# snmpget -v2c -c xxxx y.y.y.y .1.3.6.1.4.1.8072.1.3.2.3.1.2.10.102.114.101.101.114.97.100.105.117.115
NET-SNMP-EXTEND-MIB::nsExtendOutputFull.“freeradius” = STRING: /etc/snmp/freeradius.sh: line 29: -x: command not found
invalid result from radclient status request, check server settings
[root@nms ~]#

I have examined the freeradius.sh file, and obviously there is something that is causing an issue with the following line:

RESULT=$(echo “$RADIUS_STATUS_CMD” | $BIN_RADCLIENT -x $RADIUS_SERVER:$RADIUS_PORT status $RADIUS_KEY)

What I can not understand is why the same exact script works fine when I run it locally on the radius server but it throws an error when being called via snmp?

Below is the full content of my freeradius.sh file:

#!/usr/bin/env bash

CONFIGFILE=/etc/snmp/freeradius.conf

# Set 0 for SNMP extend; set to 1 for Check_MK agent
AGENT=0

# Set FreeRADIUS status_server details
RADIUS_SERVER=‘localhost’
RADIUS_PORT=‘18121’
RADIUS_KEY=‘adminsecret’

if [ -f $CONFIGFILE ]; then

  • shellcheck disable=SC1090*

  • . $CONFIGFILE*
    fi

# Default radclient access request, shouldn’t need to be changed
RADIUS_STATUS_CMD=‘Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 31, Response-Packet-Type = Access-Accept’

# Paths for sed and radclient executables, should work if within PATH
BIN_SED="$(command -v sed)"
BIN_RADCLIENT="$(command -v radclient)"

if [ $AGENT -eq 1 ]; then

  • echo “<<>>”*
    fi

*RESULT=$(echo “$RADIUS_STATUS_CMD” | $BIN_RADCLIENT -x $RADIUS_SERVER:$RADIUS_PORT status $RADIUS_KEY) *

if [[ $RESULT != “Access-Accept” ]] ; then

  •    # A valid result must contain the match string. Otherwise, verify:*
    
  •    # - the FreeRADIUS 'status' virtual server is enabled and running*
    
  •    # - the server, port or key match the 'status' server settings*
    
  •    echo "invalid result from radclient status request, check server settings"*
    
  •    exit 1*
    

fi

# Return only those AV pairs expected by the FreeRADIUS app, one per line
# Drop any leading or trailing whitespace
# They may be returned in any order
*echo “$RESULT” | $BIN_SED -n *

  •    -e 's/\s*\(FreeRADIUS-Total-Access-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Access-Accepts = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Access-Rejects = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Access-Challenges = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Auth-Responses = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Auth-Duplicate-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Auth-Malformed-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Auth-Invalid-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Auth-Dropped-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Auth-Unknown-Types = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Accounting-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Accounting-Responses = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Acct-Duplicate-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Acct-Malformed-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Acct-Invalid-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Acct-Dropped-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Acct-Unknown-Types = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Proxy-Access-Requests = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Proxy-Access-Accepts = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Proxy-Access-Rejects = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Proxy-Access-Challenges = [0-9]*\)/\1/p' \*
    
  •    -e 's/\s*\(FreeRADIUS-Total-Proxy-Auth-Responses = [0-9]*\)/\1/p' \*
    
  •                                                                                         [ Wrote 83 lines ]*
    

Any help would be much appreciated.

I don’t have this setup, but you look to be testing the script as root. In normal use it will be running as whatever user snmpd is running as, in my Ubuntu case that’s Debian-snmp. If that user has no login shell, you may have to test with -s, ie:

root@lnms-dev:~# su -s /bin/bash -c 'whoami' Debian-snmp
Debian-snmp

Might help isolate a cause, maybe add some logging to the script to see what it is doing when running under snmpd.

Hi,

Thanks for the comment rhinoau.
In fact we managed to resolve the issue, by modifying the code of the script.
We changed the way the command was run by modifying the following lines (in case someone else runs into the same issue):

BIN_RADCLIENT="$(echo “/usr/local/bin/radclient” -x localhost:18121 status adminsecret)"
RESULT=$(echo “$RADIUS_STATUS_CMD” | $BIN_RADCLIENT)

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.