Monitoring a local RADIUS VM using the PRTG Network Monitor

In this topic, you will learn how to monitor your local RADIUS virtual machine using the PRTG Network Monitor.

Note:
This is an example of how to monitor the local RADIUS server using SNMP. You can use different network monitoring software, and you can also monitor the host machine with Docker containers. Treat this guide as a framework and an example of how you can actively monitor your servers to make sure they are healthy.

Before you begin:

  • We assume that you already have a virtual machine with the PRTG Network Monitor server running, and that you already have a local RADIUS server configured and running.

  • Make sure that the virtual machine hosting the PRTG Network Monitor server can connect to the local RADIUS virtual machine on UDP ports 1812 and 1813 for RADIUS, and on UDP ports 161 and 162 for SNMP.

  • If you plan to use syslog, also make sure that the local RADIUS virtual machine can connect to the PRTG Network Monitor server on UDP port 514.

Note:
In this example, we used a PRTG Network Monitor 26.2.119.1662 x64 trial installation installed on a virtual machine with Windows 11. Older or future versions of this software may differ slightly in functionality or user interface.

Configure the local RADIUS server

In this section, you will learn how to configure your local RADIUS server virtual machine to work with the PRTG Network Monitor. You must complete these steps, or some of the steps in the later sections will not work.

  1. In Portnox Cloud, go to: Settings > Services > LOCAL RADIUS SERVICE > Local RADIUS instance > your_local_RADIUS_instance > Edit.
  2. Activate the Enable SNMP v1 and v2c checkbox, and in the Community String field, enter the community string you want to use.

    Note:
    The default string is public, but for security reasons, we recommend that you use a different string. In a lab environment, you can use the default string, which will allow you to skip some configuration steps in PRTG Network Monitor.
  3. Optional: In the Syslog Destination field, enter the IP address of your PRTG Network Monitor server.

    The local RADIUS server will send syslog information to this IP address.

  4. Click on the Save button to save your configuration changes.

    Note:
    If your local RADIUS machine is already running, configuration changes will be sent to it the next time it synchronizes with Portnox Cloud, within 1 minute. If the local RADIUS machine is new, click on the Save And Download button instead, and follow this guide to set up the virtual machine using the downloaded ISO file: Set up a local RADIUS server using a virtual machine
  5. Click on the  ⧉  icon next to the Shared Secret field, and save the value in a temporary text file. You will need it later for the RADIUS sensor in the PRTG Network Monitor.

The local RADIUS server will now be available for monitoring via SNMP from the PRTG Network Monitor, and will optionally send syslog logs to the PRTG Network Monitor for additional information.

Configure a Portnox Cloud account and group

In this section, you will learn how to set up a Portnox Cloud account and group exclusively for testing the local RADIUS server. You must complete these steps, or some of the steps in the later sections will not work.

  1. In Portnox Cloud, go to: Groups > Add group, and configure the new group as follows:
    Note:
    You can use an existing group, but we strongly recommend that you create a new group just for this purpose, because of the unique configuration requirements. If you change the configuration of your existing groups, it may affect the accounts already assigned to those groups.
    1. In the Group name field, enter the name for this group.

      In this example, we used the name Monitoring, but you can use any name you like.

    2. In the VPN Access section, activate the Enable VPN access for accounts in this group switch, activate the Credentials checkbox, and deactivate the Validate Risk score for all managed devices checkbox.

    3. Click on the Save button to save your group.
  2. Go to: Devices > Accounts > Add > Portnox Account, and create a Portnox account. In the Group assignment field, select the group you just created.

    After you create the account and receive an email, create a password and save it in a temporary text file, because you will need it later for the RADIUS sensor in the PRTG Network Monitor.

    Note:
    You can create a Portnox account even in a domain that is already managed by your authentication repository. We recommend that you create a Portnox account instead of creating an account in your authentication repository, because it makes managing the account easier. However, you will still need to create a new account in the authentication repository to receive the email for the Portnox account.

Set up the PRTG Network Monitor

In this section, you will learn how to set up the PRTG Network Monitor to monitor your local RADIUS virtual machine by using different types of sensors.

  1. Configure the community string for SNMP:
    Note:
    Skip this step if you configured the default community string public in Portnox Cloud.
    1. Go to Devices > All, and click on the IP address of your local RADIUS server.

    2. On the Device screen, click on the Settings tab, scroll down to the Credentials for SNMP Devices section, deactivate the inherit from switch, and in the Community String (SNMP v2c) field, enter the community string that you configured earlier in Portnox Cloud. Then, click on the Save button.

    3. Optional: Go back to the Devices > All screen, right-click on the IP address of your local RADIUS server, and select: Auto-Discovery > Run Auto-Discovery.

      This will allow the PRTG Network Monitor to immediately gather more information about the local RADIUS server using the default sensors.

  2. Add a RADIUS sensor:
    1. On the Devices > All screen, find your local RADIUS server, and then click on the Add Sensor tile at the end of the list of sensor tiles.

    2. On the Add Sensor to Device screen, in the Search field, type: radius, and then in the Matching Sensor Types list, click on the RADIUS v2 tile.

    3. In the Specific Sensor Settings section, fill in the following fields:

      • User Name: enter the email address that you used to create the Portnox account earlier.

      • Password: enter the password that you set when you created the Portnox account earlier (you were asked to save it in a temporary file).

      • Shared Secret: enter the shared secret for your local RADIUS server (you were asked to save it in a temporary file).

      • NAS IP Address: enter the IP address of the PRTG Network Monitor server.

    4. Click on the Create button to create your RADIUS sensor.

    Example of a working RADIUS sensor:

  3. Add a syslog sensor:
    Note:
    Only add this sensor if you added the IP address of the PRTG Network Monitor server in the Syslog Destination field in Portnox Cloud. If you did not do this, the sensor will not receive any information.
    1. On the Devices > All screen, find your local RADIUS server, and then click on the Add Sensor tile at the end of the list of sensor tiles.

    2. On the Add Sensor to Device screen, in the Search field, type: syslog, and then in the Matching Sensor Types list, click on the Syslog Receiver tile.

    3. Optional: In the Include Filter field, limit the source information to your local RADIUS server, and include the desired severity levels.
      For example:
      severity[0-7] and source[10.0.0.249]
    4. Click on the Create button to create your Syslog sensor.

    Example of a working Syslog sensor:

  4. Optional: Adjust the configuration of the PRTG Network Monitor to meet your requirements:
    1. Decrease the scanning interval for selected sensors: go to Sensor selected_sensor > Settings > Scanning Interval, deactivate the inherit from switch, and select a value in the Scanning Interval field. Then, click on the Save button.
      Note:
      By default, the scanning interval is 60 seconds, which may cause an excessive number of alerts. We suggest that you adjust it to your requirements after you finish testing.
      Note:
      You may also want to change the value in the If a Sensor Scan Fails field to set the sensor to the Down state not just after one failed scan, but after several failed scans, to make sure the server is really down and it is not just an intermittent network issue.
      Note:
      You can also set the scanning interval for all sensors for your local RADIUS server by going to the Device screen for your local RADIUS server, and configuring Settings > Scanning Interval there.
    2. Configure email notifications for selected sensors: go to Sensor selected_sensor > Notification Triggers, and configure your notification rules as required.

      To create a new notification, click on the  +  button, select the type of trigger, and configure the rules.

      Note:
      You can also set the notification rules for all sensors for your local RADIUS server by going to the Device screen for your local RADIUS server, and configuring Notification Triggers there.

    For more options, and to learn more about how to use the PRTG Network Monitor to effectively monitor your resources, consult the PRTG Network Monitor manual.
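What the four fields of the RADIUS sensor turn into on the wire, as an added example (not Portnox or PRTG code): a minimal RFC 2865 Access-Request probe, assuming the check uses PAP authentication. It shows that the password is only obscured with MD5 and the shared secret, which is one reason to use a dedicated monitoring account; all addresses and credentials in it are constructed placeholders.

```python
import hashlib, hmac, ipaddress, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, len(password) + (-len(password) % 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value  # type, length, value

def build_access_request(user, password, secret, nas_ip, ident, authenticator):
    attrs = (attr(1, user.encode())                                              # User-Name
             + attr(2, hide_password(password.encode(), secret, authenticator))  # User-Password
             + attr(4, ipaddress.IPv4Address(nas_ip).packed))                    # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reply authenticator must equal MD5(header + request authenticator + attrs + secret)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(server, user, password, secret, nas_ip, timeout=3.0) -> str:
    """One Access-Request to UDP 1812: 'accept', 'reject', 'timeout', 'invalid' or 'other'."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, password, secret, nas_ip, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if len(reply) < 20 or reply[1] != ident or not response_is_authentic(reply, authenticator, secret):
        return "invalid"  # shared secret mismatch, or a reply that did not come from the server
    return {2: "accept", 3: "reject"}.get(reply[0], "other")

if __name__ == "__main__":
    # Offline demo with constructed values; call probe() with real ones to query a server.
    demo = build_access_request("monitor@example.com", "placeholder-pw",
                                b"placeholder-secret", "192.0.2.20", 1, os.urandom(16))
    print(len(demo), demo.hex())
```

A server that requires the Message-Authenticator attribute will silently drop this minimal request, which shows up here as a timeout.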

The following are recommendations for what to monitor for the local RADIUS server:

  • Monitor the CPU and memory of the server by using the default CPU Load and Physical Memory sensors.

  • Monitor the network connectivity of the server by using the default Ping V2 sensor, focusing on the Packet Loss and Response Time field values.

    Note:
    When the RADIUS server is unreachable or in the Down state, all other sensors are paused, because they are dependent on the ping sensor.
  • Track the number of authentications to monitor the load. Local RADIUS server resource utilization depends on the number of RADIUS authentication and accounting packets processed. If you monitor this number over time, you can establish a baseline (for example, 7 days of data) and decide whether an increase in CPU or memory resources is needed.

    You can do this by using the Syslog sensor (an existing one, or a new one) with the following filter:
    message[Access-Request] or message[Access-Accept] or message[Access-Reject]
    Note:
    Add message[Accounting-Request] to the filter to include accounting packets.

    In Notification Triggers, click on the  +  button, select Add Threshold Trigger, and in the new trigger, configure the rule: When Messages channel reaches X per hour, perform Notification.
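One way to derive the X in that threshold trigger from a baseline, as an added example that is not part of the original guide: the script counts the same three message types per hour in exported syslog lines and suggests a value. The "timestamp message" line layout, the sample lines, and the mean plus three standard deviations rule are assumptions made for this illustration.

```python
import math, statistics
from collections import Counter
from datetime import datetime, timedelta

AUTH_TERMS = ("Access-Request", "Access-Accept", "Access-Reject")

# Constructed sample lines; the "<ISO timestamp> <message>" layout is an assumption.
SAMPLE = [
    "2025-01-06T08:05:11 radius: Access-Request user=a",
    "2025-01-06T08:05:11 radius: Access-Accept user=a",
    "2025-01-06T08:40:02 radius: Access-Request user=b",
    "2025-01-06T08:40:02 radius: Access-Reject user=b",
    "2025-01-06T09:10:00 radius: Accounting-Request Start",
    "2025-01-06T10:15:30 radius: Access-Request user=c",
    "2025-01-06T10:15:31 radius: Access-Accept user=c",
    "garbage line",
]

def hourly_counts(lines, include_accounting=False):
    """Count matching messages per hour, filling quiet hours with 0."""
    terms = AUTH_TERMS + (("Accounting-Request",) if include_accounting else ())
    counts = Counter()
    for line in lines:
        stamp, _, message = line.partition(" ")
        if not any(term in message for term in terms):
            continue
        try:
            hour = datetime.fromisoformat(stamp).replace(minute=0, second=0, microsecond=0)
        except ValueError:
            continue  # unparseable timestamp: skip rather than miscount
        counts[hour] += 1
    if not counts:
        return {}
    series, hour = {}, min(counts)
    while hour <= max(counts):
        series[hour] = counts.get(hour, 0)  # an hour with no traffic still counts
        hour += timedelta(hours=1)
    return series

def suggest_threshold(series, sigmas=3.0):
    """X for the trigger: mean + sigmas * standard deviation of hourly counts, rounded up."""
    values = list(series.values())
    if len(values) < 2:
        raise ValueError("need at least two hours of data for a baseline")
    return math.ceil(statistics.mean(values) + sigmas * statistics.pstdev(values))

if __name__ == "__main__":
    series = hourly_counts(SAMPLE)
    print({h.isoformat(): n for h, n in series.items()}, suggest_threshold(series))
```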