Tag Archives: Radius

Graphing near realtime PPPoE/PPPoA link speed using SNMP Traffic Grapher (STG to its friends)

Sometimes it happens to me that, for troubleshooting reasons, I need to graph PPPoE or PPPoA connections speed from the NAS/BRAS side. These links are terminated on Cisco routers, where other hundreds of CPEs are connected; connections are from dialin users and I can’t have static graphs, mostly because I don’t need endusers monitoring on a fulltime basis and it would only be a huge waste of resources.

In this case a little program helps me: STG, SNMPTrafficGrapher.

STG - SNMPTrafficGrapher

STG – SNMPTrafficGrapher

It’s a small Windows utility that uses SNMP to get counters data and put them on a graph, like MRTG does. It’s easy and fast to deploy (run it, set SNMP OID and it’s ready), does not use many resources and can give you graphs updated every second.

Configuration

From the View / Settings menu you just have to set the device’s IP address and SNMP community, and then to select OID and polling frequency.

As said, users have dialin connections which go up and down and there is no way to predict their SNMP interface’s index; to obtain the right OID we can use the show snmp mib ifmib ifindex command.

Initially we get the actual Virtual-Access interface for the user we need to monitor:

Router#sh users | include MyUserName
  Vi1.195      MyUserName	   PPPoATM      -        10.11.12.13

Then we get it’s SNMP index:

Router#show snmp mib ifmib ifindex Virtual-Access 1.195
Interface = Virtual-Access1.195, Ifindex = 257

And finally we can use it to configure STG:

STG setup

Geen OID = 1.3.6.1.2.1.2.2.1.10.257 (ifInOctets.257)
Blue OID = 1.3.6.1.2.1.2.2.1.16.257 (ifOutOctets.257)

Where 257 is the dynamic SNMP ifIndex of our user’s Virtual-Access interface.

References

STG homepage: http://leonidvm.chat.ru/

Different policies in Cisco RADIUS AAA

These days I had to implement centralized terminal authentication on a few Cisco routers using aaa new-model and RADIUS.

The solution in its own was pretty simple: it was based on the usual Microsoft IAS (Internet Authentication Service) which was integrated in an Active Directory domain.

The interesting aspect is that those routers were under different administrative controls, so some users had to be granted access on a part of them and denied on other. Let’s say Group1 had to be enabled on routers RA, RB and RC, while Group2 on routers RD, RE and RF.

Solution adopted

In order to achieve this goal we may use a lot of solutions, but most of them are quite unscalable, because we have to map each router to the specific policy.

To obtain a good degree of scalability we may use the radius-server attribute 32 include-in-access-req command. This command tells IOS to append the NAS-Identifier attribute in the RADIUS authentication request message, and let us to set a format for its value:

RA(config)#radius-server attribute 32 include-in-access-req format ?
  LINE  A string where %i = IP address and %h = hostname, %d = domain name

For example, we can prepend the router’s hostname with a “tag” to distinguish the owner group:

Group1 routers:

RA(config)#radius-server attribute 32 include-in-access-req format Group1-%h
RB(config)#radius-server attribute 32 include-in-access-req format Group1-%h
RC(config)#radius-server attribute 32 include-in-access-req format Group1-%h

Group2 routers:

RD(config)#radius-server attribute 32 include-in-access-req format Group2-%h
RE(config)#radius-server attribute 32 include-in-access-req format Group2-%h
RF(config)#radius-server attribute 32 include-in-access-req format Group2-%h

IAS policy filtered by NAS-Identifier attributeFinally we can create two policies in IAS to handle the incoming authentication requests, by filtering them on the basis of NAS-Identifier attribute.
On the NAS-Identifier filter, we can use a star (“*”) to match any character which follows the router’s “tag”. Once we matched the router’s tag, we bind it to the right Active Directory group. Please take a look at the picture for details.

References

Cisco.com: Cisco IOS Security Command Reference, Release 12.3 T

Cisco.com: Command Lookup Tool

PacketLife.net Blog: Seven free ways to improve your network’s security

Kpjungle’s Weblog: Authentication by Radius on a Cisco device

Zabbix: how to monitor Radius (and other services) with external check items and netcat (nc)

You can monitor Radius (and other services too, such as DNS and other) with Zabbix external check feature and netcat (nc).

How do external check items work?

“External check” items are monitored by Zabbix using external scripts, running on the server; you can create your own scripts and put them in the ExternalScripts directory, as defined by the zabbix_server.conf file:

# Location of external scripts
ExternalScripts=/etc/zabbix/externalscripts

You can setup an external check item using the following syntax for the key parameter:

Type: External check
Key: script[parameters]

For example, you can configure Zabbix to run the script checkradius.sh and to pass it the host IP address:

Description: Radius – Authentication
Type: External check
Key: checkradius.sh[{IPADDRESS}]
Type of information: Numeric (unsigned)

Zabbix will execute checkradius.sh HOSTNAME|HOSTIPADDRESS IPADDRESS, where HOSTNAME|HOSTIPADDRESS is the host name or IP address (it depends on the “Connect to” host parameter), and IPADDRESS is the value of the macro {IPADDRESS} used as parameter.

How to use netcat with external check items

With netcat (nc) you can send a host UDP or TCP data and get a response from it. For example, you can send a Radius authentication packet and wait for a response from the server.

Of course Netcat knows nothing about Radius or other protocols, it simply sends and receives data, so you have to forge an Access-Request packet and to parse an Access-Accept response.

Radius - Access-Request packetTo build the Radius Access-Request packet I simply sniffed a real packet using Wireshark and then I exported it to my Zabbix server (you can see it in the picture).

Once you have sent the Access-Request packet, you should receive an Access-Accept response from your server, so you can parse the response to see if it is the one you expected. You can do this using od to convert netcat output in hex and then grep the Radius Access-Accept code (0x02).

External check item and script configuration

My script uses only one argument, the one Zabbix always passes to external scripts, so I did’nt configure it to pass other parameters:

Description: Radius – Authentication
Type: External check
Key: checkradius.sh[]
Type of information: Numeric (unsigned)

The script gets the Radius packet to send to the server from the $1.rad file, where $1 is the host name or IP address; for example, for the Radius server at 10.0.0.1 I will put the Access-Request packet in the 10.0.0.1.rad file.

EDIT 2011-10-13: I think I forgot the “#! /bin/bash” line!

UPDATE 2011-12-01: I added the timelimit command to the script (you can install it with apt-get install timelimit). This command runs another command (nc in my script) and kills it after a specified time lapse. This is useful to handle endless netcat timeout. Remember to raise the default Timeout in the Zabbix configuration file in order to match your command timeout (file /etc/zabbix/zabbix_server.conf, parameter Timeout=10).

#! /bin/bash

cat /etc/zabbix/externalscripts/$1.rad | 
        timelimit -q -t 5 -T 5 nc -u -w 1 $1 1812 | od -t x1 | 
        grep "0000000 02" > /dev/null
if [ $? == 0 ]; then
        echo 1
        exit 1
else
        echo 0
        exit 0
fi

References

Radius RFC: http://www.ietf.org/rfc/rfc2865.txt

Zabbix: http://www.zabbix.com/

Netcat: http://netcat.sourceforge.net/

Wireshark: http://www.wireshark.org/