Monitoring RADIUS infrastructure with Nagios

Monitoring of RADIUS from Nagios can be complicated but is possible with the right collection of plugins and configurations.  The following are a few methods of doing so:

The check_radius.pl plugin provides two methods for checking your RADIUS infrastructure's status.  The first is to do non-authenticated monitoring by using Status-Server packets (see RFC 5997 for more details).  This was first implemented in FreeRADIUS by Alan DeKok and then adopted by Radiator (and maybe other servers).  When the RADIUS server receives such a request (without a username or password for authentication but it does require a valid RADIUS secret to construct the request) it responds with various status and statistics about that RADIUS server.  You may also use that plugin with a credentials to verify that Authentication is working on the remote host.

Another method you can use to monitor RADIUS is to use the rad_eap_test.sh shell script as described and linked to in the Testing your connection to eduroam section of the Administrator's Guide.  This script was designed to be a Nagios plugin as well.  This allows you to test EAPoL authentication (with the combination of inner and outer methods as appropriate) against the remote site and is more appropriate than the above Nagios plugin if you want to test the state of the AAA infrastructure.

Since the eduroam-US TLRS(s) run Radiator the Server-Status method should generally be sufficient for most institutions to test their connections to the top-level.  The EAPoL method will catch issues with forwarding but requires a test account on the target infrastructure.