package probes::Radius;   # SmokePing probe; subclasses probes::passwordchecker (see `use base' below)

=head1 NAME

probes::Radius - a RADIUS authentication probe for SmokePing

=head1 OVERVIEW

Measures RADIUS authentication latency for SmokePing

=head1 SYNOPSIS

 *** Probes ***
 + Radius

 passwordfile = /usr/share/smokeping/etc/password
 secretfile = /etc/raddb/secret
 sleeptime = 0.5 # optional, 1 second by default
 username = test-user     # optional, overridden by target
 password = test-password # optional, overridden by target
 secret   = test-secret   # optional, overridden by target

 *** Targets ***

 probe = Radius

 + PROBE_CONF
 username = testuser
 secret = myRadiusSecret # if not present in <secretfile>
 password = testuserPass # if not present in <passwordfile>
 port = 1645 # optional
 nas_ip_address = 1.2.3.4 # optional

=head1 DESCRIPTION

This probe measures RADIUS (RFC 2865) authentication latency for SmokePing.

The username to be tested is specified in either the probe-specific or the 
target-specific variable `username', with the target-specific one overriding
the probe-specific one.

The password can be specified in three places, tried in this order (the
first one that is set and non-empty wins, which is what pingone() does):
the target-specific variable `password', the external file named by the
probe-specific variable `passwordfile', and finally the probe-specific
variable `password'. See probes::passwordchecker(3pm) for the format of
this file (summary: colon-separated triplets of the form
`<host>:<username>:<password>').

The RADIUS protocol requires a shared secret between the server and the client.
This secret can likewise be specified in three places, tried in this order
(the first one that is set and non-empty wins): the target-specific variable
`secret', the external file named by the probe-specific variable `secretfile',
and finally the probe-specific variable `secret'. The secret file should
contain whitespace-separated pairs of the form `<host> <secret>'; comment
lines (starting with `#') and blank lines are OK. Only the second field of a
line is used, so a secret cannot contain whitespace.

Both files hold plaintext credentials and should be readable only by the
user SmokePing runs as. Every probe run sends a real Access-Request carrying
the configured username and password, so use a dedicated test account with
no privileges beyond what the measurement needs: RADIUS (RFC 2865) only
obscures the User-Password attribute with an MD5-based scheme keyed by the
shared secret and provides no general confidentiality for the exchange.

If the optional target-specific variable `nas_ip_address' is specified, its
value is inserted into the authentication requests as the `NAS-IP-Address'
RADIUS attribute (attribute number 4).

The probe tries to be nice to the server and sleeps for the probe-specific
variable `sleeptime' (one second by default) between each authentication
request.

=head1 AUTHOR

Niko Tyni E<lt>ntyni@iki.fiE<gt>

=head1 BUGS

There should be a more general way of specifying RADIUS attributes.

=cut

use strict;
use probes::passwordchecker;
use base qw(probes::passwordchecker);
use Authen::Radius;
use Time::HiRes qw(gettimeofday sleep);
use Carp;

# Short description of what this probe measures.
sub ProbeDesc {
	my $self = shift;
	return 'RADIUS queries';
}

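sub new {
	my $proto = shift;
	my $class = ref($proto) || $proto;
	my $self = $class->SUPER::new(@_);

	# Secrets and the inter-request sleep are only needed by the probe
	# daemon.  Under a CGI (the web server sets SERVER_SOFTWARE) no RADIUS
	# packets are ever sent, so the secret file is not even opened there.
	unless ($ENV{SERVER_SOFTWARE}) {
		my $secretfile = $self->{properties}{secretfile};
		$self->_load_secrets($secretfile) if defined $secretfile;

		my $sleeptime = $self->{properties}{sleeptime};
		$sleeptime = 1 unless defined $sleeptime;
		$self->sleeptime($sleeptime);
	}

	return $self;
}

# Read `<host> <secret>' pairs from $file into $self->{secret} via secret().
# Blank lines and lines whose first non-blank character is `#' are skipped.
# A line with fewer than two fields is reported with carp() and ignored.
# Extra fields after the secret are reported as well: a secret containing
# whitespace cannot be expressed in this format, and previously it was
# silently truncated to its first word.  Dies (croak) if the file cannot be
# opened.
sub _load_secrets {
	my ($self, $file) = @_;

	# Three-argument open with a lexical handle: the previous two-argument
	# form would have treated a leading `>', `|' or surrounding whitespace
	# in the configured path as an open mode rather than as the file name.
	open(my $fh, '<', $file)
		or croak("Error opening specified secret file $file: $!");

	# The file holds plaintext shared secrets.  Warn (do not die) when
	# group or others have any access to it.
	my $mode = (stat $fh)[2];
	if (defined $mode and ($mode & 0077)) {
		carp(sprintf("Secret file %s is accessible by group/others (mode %04o); consider chmod 0600",
			$file, $mode & 07777));
	}

	while (my $line = <$fh>) {
		chomp $line;
		next unless $line =~ /\S/;
		next if $line =~ /^\s*#/;
		my ($host, $secret, @extra) = split ' ', $line;
		unless (defined $host and defined $secret) {
			carp("Line $. in $file is invalid");
			next;
		}
		carp("Line $. in $file has extra fields after the secret; ignoring them")
			if @extra;
		$self->secret($host, $secret);
	}
	close($fh);
	return;
}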

# Per-host shared-secret accessor.  With a defined third argument it
# stores the secret for $host; with only a host it is a plain getter.
# Returns the secret for $host, or undef if none is known.
sub secret {
	my ($self, $host, $newval) = @_;

	if (defined $newval) {
		$self->{secret}{$host} = $newval;
	}
	return $self->{secret}{$host};
}

# Accessor for the pause (seconds, may be fractional) between requests.
# A defined argument sets it; the current value is always returned.
sub sleeptime {
	my ($self, $newval) = @_;

	$self->{sleeptime} = $newval if defined $newval;
	return $self->{sleeptime};
}

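# Return the first argument that is defined and non-empty, or undef.
# Implements the target > file > probe precedence for credentials.  An
# empty value falls through exactly as the previous `||' chain did, but a
# legitimate password or secret of "0" is no longer skipped.
sub _first_set {
	for my $candidate (@_) {
		return $candidate if defined $candidate and length $candidate;
	}
	return;
}

# Run the configured number of RADIUS Access-Requests against one target
# and return the sorted round-trip times (seconds) of the requests that
# were answered with Access-Accept.  Rejects, other reply codes and
# timeouts are logged at debug level and yield no sample.  Returns an
# empty list (after do_log) when the secret, username or password cannot
# be determined.
sub pingone {
	my ($self, $target) = @_;
	my $host = $target->{addr};
	my $vars = $target->{vars};

	# Target-specific value first, then the secret file, then the
	# probe-wide default.
	my $username = _first_set($vars->{username}, $self->{properties}->{username});
	my $secret   = _first_set($vars->{secret}, $self->secret($host), $self->{properties}->{secret});

	unless (defined $secret) {
		$self->do_log("Missing RADIUS secret for $host");
		return;
	}
	unless (defined $username) {
		$self->do_log("Missing RADIUS username for $host");
		return;
	}

	# Looked up only once the username is known, since the password file
	# is keyed by host and username.
	my $password = _first_set($vars->{password},
	                          $self->password($host, $username),
	                          $self->{properties}->{password});

	# Optional per-target port, passed to Authen::Radius as host:port.
	# NOTE(review): a bare IPv6 literal would not survive this
	# concatenation; confirm what Authen::Radius accepts before relying on it.
	my $port = $vars->{port};
	$host .= ":$port" if defined $port;

	unless (defined $password) {
		$self->do_log("Missing RADIUS password for $host/$username");
		return;
	}

	my @times;
	my $count = $self->pings($target);
	for my $i (1 .. $count) {
		# A fresh client per request.  No TimeOut is given, so the reply
		# wait presumably uses Authen::Radius's default — TODO confirm and
		# consider exposing it as a probe variable.
		my $r = Authen::Radius->new(Host => $host, Secret => $secret);
		unless ($r) {
			# Authen::Radius->new is expected to return undef when the
			# socket cannot be created or the host does not resolve;
			# without this guard the method call below would die and
			# abort the whole probe run.  Keep the samples collected so far.
			$self->do_log("$host: could not create RADIUS client");
			last;
		}
		$r->add_attributes(
			{ Name => 1, Value => $username, Type => 'string' },   # User-Name
			{ Name => 2, Value => $password, Type => 'string' },   # User-Password
		);
		$r->add_attributes({ Name => 4, Type => 'ipaddr', Value => $vars->{nas_ip_address} })   # NAS-IP-Address
			if exists $vars->{nas_ip_address};

		my $reply;
		my $start = gettimeofday();
		$r->send_packet(ACCESS_REQUEST) and $reply = $r->recv_packet;
		my $elapsed = gettimeofday() - $start;

		my $result;
		if (!defined $reply) {
			$result = "no reply";
		} elsif ($reply == ACCESS_ACCEPT) {
			$result = "OK";
		} elsif ($reply == ACCESS_REJECT) {
			$result = "fail";
		} else {
			$result = $reply;   # any other code (e.g. a challenge) is reported raw
		}
		# Deliberately no username, password or secret in the log line.
		$self->do_debug("$host: radius query $i: $result, $elapsed");
		# Only an Access-Accept counts as a successful measurement.
		push @times, $elapsed if defined $reply and $reply == ACCESS_ACCEPT;
		sleep $self->sleeptime;   # be nice to the server
	}
	return sort { $a <=> $b } @times;
}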

1;   # a Perl module must end with a true value