3.132. <Monitor>

This clause enables external client programs to make an authenticated TCP connection to Radiator, and use that connection to monitor, probe, modify, and collect statistics from Radiator. One such external client program is Radar, a real-time interactive GUI that permits monitoring, plotting of statistics and much more. For more information, see the Radar website.
Monitor permits telnet connections and implements a simple command syntax that allows various actions to be executed. For more information about the command language that Monitor implements, see Section 18. Monitor command language. Monitor permits multiple simultaneous independent connections. Radiator also permits multiple Monitor clauses, each listening on a different Port or BindAddress.
Monitor authenticates incoming connections. Monitor honours the requests on a connection only if that connection submits a valid user name and password. You can configure Monitor with either a hardwired user name and password, or with a standard Radiator AuthBy clause. You can specify one or more AuthBy parameters or AuthBy clauses and an AuthByPolicy similar to <AuthBy GROUP>. For more information, see Section 3.38.1. AuthByPolicy. As a security measure, if a Monitor connection fails authentication 5 times, the connection is automatically disconnected.
CAUTION
Careless configuration of this clause can open security holes in your RADIUS host. To avoid this, we recommend that you take the following actions:
  • Limit the clients that can connect with the Clients parameter.
  • Make sure the configuration file is only readable by root.
  • Consider making radiusd run as a non-privileged user.
  • Use secure user names and passwords to authenticate access to this server.
  • Disable this clause when not required.
<Monitor> supports TLS. For more information about TLS parameters, see Section 3.11. TLS configuration.
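An added example (not part of the Radiator documentation or distribution): a short Python audit that reads Radiator configuration text and reports which <Monitor> clauses fall short of the recommendations in the CAUTION list, using the documented defaults for Port, Clients and BindAddress. The sample configuration, the /etc/radiator/monitor-users path and the function names are constructed for illustration.

```python
# Constructed sample configuration for this demonstration (not a real deployment).
SAMPLE = """
<Monitor>
    Port 9001
    TraceOnly
    BindAddress 127.0.0.1
    Clients 127.0.0.1, 203.63.154.29
    <AuthBy FILE>
        Filename /etc/radiator/monitor-users
    </AuthBy>
</Monitor>
<Monitor>
    Username yyy
    Password yyy
</Monitor>
"""

def parse_monitors(text):
    """Return one {parameter: [values]} dict per <Monitor> clause."""
    clauses, cur, depth = [], None, 0
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if cur is None:
            cur = {} if line.lower() == "<monitor>" else None
        elif line.startswith("</") and depth:
            depth -= 1                  # closes a nested clause such as </AuthBy>
        elif line.startswith("</"):
            clauses.append(cur)         # closes </Monitor>
            cur = None
        elif line.startswith("<"):
            if depth == 0:              # record a nested clause by name only
                cur.setdefault(line[1:].split()[0].rstrip(">"), []).append("")
            depth += 1
        elif depth == 0:                # parameters of nested clauses are skipped
            name, *rest = line.split(None, 1)
            cur.setdefault(name, []).append(rest[0] if rest else "")
    return clauses

def audit(c):
    """Findings for one parsed clause, from the CAUTION list and documented defaults."""
    checks = [("Clients" not in c, "no Clients: accepts connections from any address"),
              (c.get("BindAddress", ["0.0.0.0"])[0] == "0.0.0.0", "listens on all addresses"),
              ("TraceOnly" not in c and "StatisticsOnly" not in c, "all commands permitted"),
              ("Password" in c, "hardwired Password: keep config readable by root only")]
    return [msg for hit, msg in checks if hit]

def audit_config(text):  # {port: findings}; Port defaults to 9048
    return {c.get("Port", ["9048"])[0]: audit(c) for c in parse_monitors(text)}
```

Calling audit_config(SAMPLE) returns an empty finding list for the restricted clause on port 9001 and all four findings for the second clause, which falls back to the default port 9048.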

3.132.1. Port

This optional parameter specifies the TCP port number to listen on. The argument may be either a numeric port number or an alphanumeric service name as specified in /etc/services (or its equivalent on your system). Defaults to 9048.
Tip
You can pass the port number as a command line argument to radiusd with a configuration like this:
Port %{GlobalVar:monitorport}
and then run radiusd with an argument to set the port number like this:
radiusd monitorport=9000 ....

3.132.2. Clients

This optional parameter specifies a list of IP addresses that connections will be accepted from. You can specify one or more comma or space separated IP addresses on each Clients line. You can specify multiple Clients parameters. Only exact matches are supported at present. The default is to accept connections from any and all clients.
If Clients is specified and a client attempts to connect from an IP address that is not named, Radiator will log a WARNING level message, then reject and close the connection.
# Only accept connections from some addresses
Clients 127.0.0.1, 203.63.154.29
Clients 203.63.154.27

3.132.3. BindAddress

This optional parameter specifies a single host address to listen for Monitor connections on. It is only useful if you are running Radiator on a multi-homed host (i.e. a host that has more than one network address). Defaults to 0.0.0.0 (i.e. listens on all networks connected to the host). For more information, see Section 3.5. Address binding.
Using this parameter, you can run multiple instances of Radiator on the one computer, where each Radiator listens to Monitor requests directed to a different host address. BindAddress can include special formatting characters.
# Only listen on one network address
BindAddress 203.63.154.1

3.132.4. AuthBy, <AuthBy xxxxxx> and AuthByPolicy

Monitor supports either a hardwired user name and password, or one or more AuthBy parameters or <AuthBy xxxxxx> clauses in a similar way to <AuthBy GROUP>. For more information, see Section 3.38. <AuthBy GROUP>. If there are no AuthBy clauses, or if they all IGNORE the authentication, the hardwired Username and Password will be tried.
Tip
If you are configuring Monitor in order to accept connections from Radar, or any other application that uses the Monitor {chap} passwords, the AuthBy needs to be one that contains plaintext passwords in its database.

3.132.5. Username

This optional parameter specifies the user name that must authenticate any connection through this Monitor clause. Username and Password will be checked if there are no AuthBy clauses, or if they all IGNORE the authentication.
# Hardwired username and password
Username mikem
Password fred

3.132.6. Password

This optional parameter specifies the password that must authenticate any connection through this Monitor clause. Username and Password will be checked if there are no AuthBy clauses, or if they all IGNORE the authentication.

3.132.7. TraceOnly

This optional parameter prevents connections through this Monitor from getting statistics, getting or setting configuration data, or restarting the server. It inhibits the following Monitor commands:
  • STATS
  • DESCRIBE
  • SET
  • LIST
  • RESTART
  • GET
This flag is useful for limiting access to privileged data by certain staff.
Tip
You can have multiple Monitor clauses on different Ports, so it is possible to have one with TraceOnly and one without. This would allow you to permit some Radar users to get access only to Trace data, and some to have access to all functions:
# This one is restricted
<Monitor>
      Port 9001
      TraceOnly
      Username xxx
      Password xxx
</Monitor>
# This one allows a superuser to get access to all data
<Monitor> 
      Port 9002 
      Username yyy
      Password yyy
</Monitor>

3.132.8. StatisticsOnly

This optional parameter prevents connections through this Monitor from tracing, getting or setting configuration data, or restarting the server. It inhibits the following Monitor commands:
  • TRACE
  • TRACE_USERNAME
  • DESCRIBE
  • SET
  • LIST
  • RESTART
  • GET
This flag is useful for limiting access to privileged data by certain staff.

3.132.9. LogMicroseconds

This optional parameter makes Monitor log the current microseconds at the end of the time string.

3.132.10. LogTraceId

This is a flag parameter. When set, <Monitor> logging includes a tracing identifier. When LogTraceId is set within a <Monitor> clause, the tracing identifier is not added to other Radiator logging messages; it affects only the <Monitor> logging. Otherwise the functionality of LogTraceId within a <Monitor> clause is similar to the global LogTraceId. For more information, see Section 3.7.4. LogTraceId.

3.132.11. LogFarmInstance

This is a flag parameter. When set, <Monitor> logging includes the server farm instance number. When LogFarmInstance is set within a <Monitor> clause, the farm instance number is not added to other Radiator logging messages; it affects only the <Monitor> logging. Otherwise the functionality of LogFarmInstance within a <Monitor> clause is similar to the global LogFarmInstance. For more information, see Section 3.7.53. LogFarmInstance.