On 15/05/12 13:21, Julien Cornuwel wrote:
Thanks to both of you for taking the time to answer.

I would strongly recommend you migrate to FR 2.1.12 - not only is it maintained, with the latest features, bug fixes etc., but it is also faster.

Unfortunately, this is not an option. HPIDM3 (a RADIUS plugin provided by HP) doesn't work with Radius 2, and there is no way we can buy the upgrade to HPIDM4 any time soon. So I'm stuck with 1.1.x.

At the very least, upgrade to 1.1.8

Anyway, I can live with a server that crashes once in a while, as long as I can detect it. The default timeout on the switches is 60 seconds, which is plenty to start a daemon and move a virtual IP...

This brings me back to my second question: how do you monitor your RADIUS servers? I haven't been able to find anything except very basic Nagios checks...

You implied you wanted to test a "real" authentication and tried to replay one, which didn't (and shouldn't) work.

Instead, I recommend you download the wpa_supplicant sources and compile eapol_test. Write a wrapper script to run this, and perform a full 802.1X auth against the server. If it fails, it's down and you need to restart it.

We do something like this:

#!/bin/bash

EAPOL_TEST=/usr/local/bin/eapol_test

CFG=$(mktemp)
BUF=$(mktemp)

# remove the temp files however the script exits
trap 'rm -f "$CFG" "$BUF"' EXIT

# write out the eapol_test config file (PEAP/MSCHAPv2 with a test account)
cat <<EOF >"$CFG"
network={
        ssid="example 802.1x network"
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2"
        identity="user@domain"
        password="XXX"
}
EOF

# run a full 802.1X authentication against the local server (auth port 1812, shared secret testing123)
if ! "$EAPOL_TEST" -c "$CFG" -a 127.0.0.1 -p 1812 -s testing123 >"$BUF" 2>&1
then
  echo eapol_test failed
  cat "$BUF"   # show why, the output was captured anyway
  exit 1
fi

# it's fine
exit 0
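A Nagios-style variant of the wrapper above, added here as an example and not part of the original mail: it keeps the shared secret out of the script body, caps the run with a timeout shorter than the switches' 60 s failover, and maps eapol_test's exit status and its SUCCESS/FAILURE verdict line to Nagios OK/CRITICAL/UNKNOWN codes. The binary path, secret file, monitoring identity and password are assumptions, and it relies on coreutils `timeout` being present on the monitoring host.

```bash
#!/bin/bash
# Nagios-style check: full 802.1X/PEAP auth against a RADIUS server via eapol_test.
# Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# Assumed paths (not from the original mail): eapol_test binary, a root-only
# file holding the shared secret, and coreutils 'timeout' on the monitoring host.
EAPOL_TEST=${EAPOL_TEST:-/usr/local/bin/eapol_test}
SECRET_FILE=${SECRET_FILE:-/etc/nagios/radius.secret}
TIMEOUT=${TIMEOUT:-20}   # seconds; keep well below the switches' 60 s failover timer

# Map eapol_test's exit status and captured output to a Nagios state.
# Kept free of side effects so it can be exercised with canned output.
classify_eapol() {   # $1 = exit status, $2 = combined stdout/stderr of eapol_test
    local rc=$1 out=$2
    if [ "$rc" -eq 124 ]; then
        echo "CRITICAL - no 802.1X result within ${TIMEOUT}s (eapol_test timed out)"; return 2
    elif [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q '^SUCCESS'; then
        echo "OK - 802.1X authentication succeeded"; return 0
    elif [ "$rc" -eq 0 ]; then
        echo "CRITICAL - eapol_test exited 0 but printed no SUCCESS line"; return 2
    fi
    # eapol_test prints FAILURE on a rejected or aborted EAP exchange; quote its last line.
    echo "CRITICAL - 802.1X authentication failed (exit $rc): $(printf '%s\n' "$out" | tail -n 1)"
    return 2
}

check_radius_auth() {   # $1 = RADIUS server address, $2 = auth port (default 1812)
    local server=$1 port=${2:-1812} cfg out rc secret
    [ -x "$EAPOL_TEST" ] || { echo "UNKNOWN - $EAPOL_TEST not executable"; return 3; }
    secret=$(cat "$SECRET_FILE" 2>/dev/null) || { echo "UNKNOWN - cannot read $SECRET_FILE"; return 3; }
    cfg=$(mktemp) || { echo "UNKNOWN - mktemp failed"; return 3; }
    # Dedicated monitoring account; identity and password are constructed placeholders.
    cat >"$cfg" <<EOF
network={
        ssid="example 802.1x network"
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2"
        identity="monitor@domain"
        password="CHANGEME"
}
EOF
    out=$(timeout "$TIMEOUT" "$EAPOL_TEST" -c "$cfg" -a "$server" -p "$port" -s "$secret" 2>&1)
    rc=$?
    rm -f "$cfg"
    classify_eapol "$rc" "$out"
}

# Run the check only when a server is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then check_radius_auth "$@"; exit $?; fi
```

Invoke it as `check_radius_auth.sh 127.0.0.1 1812` from Nagios; the exit status is the service state and the single output line is the status text.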
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html