A RADIUS client that can carry out the following authentication protocols:

- mab (MAC address authentication bypass)
- pap
- eap-ms-chapv2
- eap-tls
- eap-ttls-pap
- eap-ttls-eap-ms-chapv2
- eap-ttls-eap-tls
- peap-ms-chapv2

as well as status packets and accounting (WIP).
This is used internally at Keytos to thoroughly test EZRADIUS.

This client seeks to close the gap left by existing testing clients such as `radclient` and `eapol_test`, first by consolidating the capabilities of both tools into one, and then by extending the tool to support RADIUS-over-TLS (RadSec) and simple, granular controls for Keytos' use-cases.
To install the tool locally, run:

```sh
go install github.com/markeytos/radius-client@latest
# To install a specific version, replace `latest` with a version tag:
# $ go install github.com/markeytos/radius-client@vX.X.X
```
If the RADIUS server you are probing supports Status-Server, you can probe it with the following commands:

```sh
# Test UDP authentication
radius-client status udp-auth $RADIUS_SERVER_ENDPOINT $SHARED_SECRET
# Test UDP accounting
radius-client status udp-acct $RADIUS_SERVER_ENDPOINT $SHARED_SECRET
# Test RADIUS TLS
radius-client status tls $RADIUS_SERVER_ENDPOINT $RADSEC_SERVER_CA_PATH $RADSEC_CLIENT_CERT_PATH
```
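To show what a Status-Server probe and the reply check involve at the packet level, here is an added Go example using only the standard library; it is not code from the radius-client project. It builds the RFC 2865 packet layout, signs the probe with the Message-Authenticator (HMAC-MD5) that RFC 5997 requires on Status-Server, and verifies the Response Authenticator that a client must check before trusting any reply. The shared secret and attributes are constructed for the demo, the server side is simulated by `buildResponse`, and nothing is sent over the network.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet codes and the one attribute type used here (RFC 2865, RFC 3579, RFC 5997).
const CodeAccessAccept, CodeStatusServer, AttrMsgAuth = 2, 12, 80

// Attribute is one RADIUS attribute-value pair.
type Attribute struct {
	Type  byte
	Value []byte
}

// encodePacket serialises Code, Identifier, Length, Authenticator and the
// attributes; an attribute's Length byte counts its own 2-byte header.
func encodePacket(code, id byte, auth [16]byte, attrs []Attribute) ([]byte, error) {
	pkt := append([]byte{code, id, 0, 0}, auth[:]...) // Length is patched in below
	for _, a := range attrs {
		if len(a.Value) > 253 {
			return nil, errors.New("attribute value exceeds 253 bytes")
		}
		pkt = append(append(pkt, a.Type, byte(len(a.Value)+2)), a.Value...)
	}
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	return pkt, nil
}

// buildSignedRequest appends a Message-Authenticator holding HMAC-MD5(secret,
// packet with that value zeroed). RFC 5997 requires it on Status-Server, which
// otherwise carries no proof that the sender knows the shared secret.
func buildSignedRequest(code, id byte, reqAuth [16]byte, attrs []Attribute, secret []byte) ([]byte, error) {
	all := append(append([]Attribute{}, attrs...), Attribute{AttrMsgAuth, make([]byte, 16)})
	pkt, err := encodePacket(code, id, reqAuth, all)
	if err != nil {
		return nil, err
	}
	m := hmac.New(md5.New, secret)
	m.Write(pkt)
	copy(pkt[len(pkt)-16:], m.Sum(nil))
	return pkt, nil
}

// verifyMessageAuthenticator re-derives the HMAC of a packet whose last
// attribute is Message-Authenticator, comparing in constant time.
func verifyMessageAuthenticator(pkt, secret []byte) bool {
	n := len(pkt)
	if n < 38 || int(binary.BigEndian.Uint16(pkt[2:4])) != n || pkt[n-18] != AttrMsgAuth || pkt[n-17] != 18 {
		return false
	}
	m := hmac.New(md5.New, secret)
	m.Write(pkt[:n-16])
	m.Write(make([]byte, 16)) // the HMAC is computed with the value zeroed
	return hmac.Equal(m.Sum(nil), pkt[n-16:])
}

// responseAuthenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
// (RFC 2865 s3): the reply digested with the Request Authenticator we sent.
func responseAuthenticator(resp []byte, reqAuth [16]byte, secret []byte) [16]byte {
	tmp := append([]byte{}, resp...)
	copy(tmp[4:20], reqAuth[:])
	return md5.Sum(append(tmp, secret...))
}

// buildResponse is the server side: the reply carries the Response
// Authenticator in its Authenticator field.
func buildResponse(code, id byte, reqAuth [16]byte, attrs []Attribute, secret []byte) ([]byte, error) {
	pkt, err := encodePacket(code, id, reqAuth, attrs)
	if err != nil {
		return nil, err
	}
	sum := responseAuthenticator(pkt, reqAuth, secret)
	copy(pkt[4:20], sum[:])
	return pkt, nil
}

// verifyResponse is the client check: on mismatch the reply was built with a
// different secret or for another request, and RFC 2865 says to drop it silently.
func verifyResponse(resp []byte, reqAuth [16]byte, secret []byte) bool {
	if len(resp) < 20 || int(binary.BigEndian.Uint16(resp[2:4])) != len(resp) {
		return false
	}
	sum := responseAuthenticator(resp, reqAuth, secret)
	return hmac.Equal(sum[:], resp[4:20])
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed for the demo
	var ra [16]byte                                // fresh, unpredictable Request Authenticator per request
	if _, err := rand.Read(ra[:]); err != nil {
		panic(err)
	}
	status, _ := buildSignedRequest(CodeStatusServer, 1, ra, nil, secret)
	reply, _ := buildResponse(CodeAccessAccept, 1, ra, nil, secret)
	fmt.Println(len(status), verifyMessageAuthenticator(status, secret),
		verifyResponse(reply, ra, secret), verifyResponse(reply, ra, []byte("wrong")))
}
```

The probe is 38 bytes (a 20-byte header plus the 18-byte Message-Authenticator attribute) and both checks use `hmac.Equal` so that a wrong secret is not distinguishable by timing; a reply that fails `verifyResponse` should be treated as if the server never answered, which is also how a status probe detects a secret mismatch.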
You can change the ports away from the defaults with the following flags:

- `--udp-auth-port` (default is 1812)
- `--udp-acct-port` (default is 1813)
- `--tcp-port` (default is 2083)
All authentication protocols supported by this client can be tested against a Classic RADIUS endpoint (unencrypted RADIUS over UDP) or over RadSec (encrypted and authenticated RADIUS over TCP-TLS).

The following examples assume that one of the following is exported. The value is quoted so that the whole command line is stored in the variable; the examples then expand `$RADIUS_AUTH_COMMAND` unquoted so the shell splits it back into the command and its arguments:

```sh
# Classic RADIUS
export RADIUS_AUTH_COMMAND="radius-client authentication udp \
  $RADIUS_SERVER_ENDPOINT $SHARED_SECRET"
# If you want to test RadSec (RADIUS over TCP-TLS), use:
export RADIUS_AUTH_COMMAND="radius-client authentication tls \
  $RADIUS_SERVER_ENDPOINT $RADSEC_SERVER_CA_PATH $RADSEC_CLIENT_CERT_PATH"
```

If you do not need to trust the RadSec server certificate, you can append the `--radsec-unsafe` flag. This flag skips server authentication, so the test no longer checks that it is talking to the intended server.
To test MAC authentication bypass, run the following:

```sh
$RADIUS_AUTH_COMMAND mab --mac $MAC_ADDRESS
```
To test basic password authentication, you can use the following:

```sh
# Testing PAP
$RADIUS_AUTH_COMMAND pap --username $USERNAME --password $PASSWORD
# Testing MS-CHAP-V2
$RADIUS_AUTH_COMMAND eap-ms-chapv2 --username $USERNAME --password $PASSWORD
```
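In the PAP case the password travels in the User-Password attribute, hidden with the RFC 2865 section 5.2 scheme: MD5 of the shared secret chained through the Request Authenticator and then each previous 16-byte ciphertext block. The following added Go example, which is not part of the radius-client project, implements both the client-side encoding and the server-side decoding so the round trip can be checked; the shared secret is constructed for the demo. The scheme's strength rests entirely on the shared secret and it hides only the password, which is one reason to prefer running these tests over RadSec.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"fmt"
)

// xorPasswordBlocks applies the RFC 2865 s5.2 User-Password scheme in either
// direction: 16-byte block i is XORed with MD5(secret || chain), where chain is
// the Request Authenticator for block 0 and the previous ciphertext block after.
func xorPasswordBlocks(in, secret []byte, reqAuth [16]byte, encrypting bool) []byte {
	out, chain := make([]byte, len(in)), reqAuth[:]
	for i := 0; i < len(in); i += 16 {
		h := md5.Sum(append(append([]byte{}, secret...), chain...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ h[j]
		}
		if chain = out[i : i+16]; !encrypting {
			chain = in[i : i+16] // when decrypting, the ciphertext is the input
		}
	}
	return out
}

// encodeUserPassword NUL-pads the password to a multiple of 16 bytes (at most
// 128) and hides it the way a client does before sending Access-Request.
func encodeUserPassword(password, secret []byte, reqAuth [16]byte) ([]byte, error) {
	if len(password) == 0 || len(password) > 128 {
		return nil, errors.New("password must be 1..128 bytes")
	}
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	return xorPasswordBlocks(padded, secret, reqAuth, true), nil
}

// decodeUserPassword is the server-side inverse; it strips the NUL padding.
func decodeUserPassword(enc, secret []byte, reqAuth [16]byte) ([]byte, error) {
	if len(enc) == 0 || len(enc)%16 != 0 || len(enc) > 128 {
		return nil, errors.New("encoded length must be a non-zero multiple of 16, at most 128")
	}
	return bytes.TrimRight(xorPasswordBlocks(enc, secret, reqAuth, false), "\x00"), nil
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed for the demo
	var ra [16]byte                                // the Request Authenticator of the Access-Request
	if _, err := rand.Read(ra[:]); err != nil {
		panic(err)
	}
	enc, err := encodeUserPassword([]byte("test_password"), secret, ra)
	if err != nil {
		panic(err)
	}
	dec, _ := decodeUserPassword(enc, secret, ra)
	fmt.Printf("%d encoded bytes, round-trip %q\n", len(enc), dec)
}
```

Because the first block is simply the padded password XORed with MD5(secret || Request Authenticator), a reused or predictable Request Authenticator lets two captured requests leak the XOR of their passwords; a client should draw it from a cryptographic random source for every request, as this example does.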
For password-based authentication schemes that run over an inner TLS tunnel, here are the commands to test them:

```sh
# Testing PAP over EAP-TTLS
$RADIUS_AUTH_COMMAND eap-ttls-pap --tunnel-ca-cert $SERVER_CA_CERT_PATH \
  --username $USERNAME --password $PASSWORD
# Testing MS-CHAP-V2 over EAP-TTLS
$RADIUS_AUTH_COMMAND eap-ttls-eap-ms-chapv2 --tunnel-ca-cert $SERVER_CA_CERT_PATH \
  --username $USERNAME --password $PASSWORD
# Testing MS-CHAP-V2 over PEAP
$RADIUS_AUTH_COMMAND peap-ms-chapv2 --tunnel-ca-cert $SERVER_CA_CERT_PATH \
  --username $USERNAME --password $PASSWORD
```
Two variants of TLS can be tested, basic EAP-TLS and EAP-TLS inside an EAP-TTLS tunnel:

```sh
# Testing EAP-TLS
$RADIUS_AUTH_COMMAND eap-tls --client-cert $CLIENT_CERT_PATH --ca-cert $SERVER_CA_CERT_PATH
# Testing EAP-TLS over EAP-TTLS
$RADIUS_AUTH_COMMAND eap-ttls-eap-tls --tunnel-ca-cert $SERVER_CA_CERT_PATH \
  --client-cert $CLIENT_CERT_PATH --ca-cert $SERVER_CA_CERT_PATH
```

The default TLS version is 1.2. TLS 1.3 is supported but has not been tested; it can be selected by adding the flag `--tls-version 1.X` (for example `--tls-version 1.3`).
RADIUS servers can be configured to expect different attributes and to behave differently depending on the set of attributes sent. This can be tested and verified by defining the attributes that the client should send in every packet of the handshake, and all the attributes it expects to receive in a successful final packet:

- `--attrs-to-send`: Define attributes to be sent in all packets sent to the server
- `--attrs-to-recv`: Define attributes that the server must send on successful handshakes

These can be used in the following format:

```sh
$RADIUS_AUTH_COMMAND $AUTHENTICATION_PROTOCOL $AUTHENTICATION_PROTOCOL_PARAMETERS \
  --attrs-to-send $ATTRIBUTE_TYPE:$ATTRIBUTE_VALUE \
  --attrs-to-recv $ATTRIBUTE_TYPE:$ATTRIBUTE_VALUE
```
**Note:** Keep in mind that some attributes should not be sent, as they are used by the authentication protocol itself and will be overwritten or require different treatment, such as `User-Password`.
You can also send multiple attributes and expect multiple attributes. For simplicity's sake, each attribute type cannot be defined more than once per direction. Below is an example of how to define multiple attributes to be sent and received in pap authentication:

```sh
$RADIUS_AUTH_COMMAND pap --username test_user --password test_password \
  --attrs-to-send NAS-Identifier:fake-router \
  --attrs-to-send Framed-Protocol:PPP \
  --attrs-to-recv Framed-Protocol:PPP \
  --attrs-to-recv Service-Type:Framed \
  --attrs-to-recv Filter-Id:20
```

In the example above, the client attempts to authenticate with pap, sends two additional attributes to the server, and expects three attributes from the server in the Access-Accept packet.

All attributes that can be defined, and the values they take, are listed in this document.
Accounting can be tested against a Classic RADIUS endpoint and over RadSec. The following examples assume that one of the following is exported (the value is quoted so that the whole command line is stored in the variable and is split back into arguments when `$RADIUS_ACCT_COMMAND` is expanded unquoted):

```sh
# Classic RADIUS
export RADIUS_ACCT_COMMAND="radius-client accounting udp \
  $RADIUS_SERVER_ENDPOINT $SHARED_SECRET"
# If you want to test RadSec (RADIUS over TCP-TLS), use:
export RADIUS_ACCT_COMMAND="radius-client accounting tls \
  $RADIUS_SERVER_ENDPOINT $RADSEC_SERVER_CA_PATH $RADSEC_CLIENT_CERT_PATH"
```
An accounting request must contain both `Acct-Status-Type` and `Acct-Session-Id` attributes. These are passed via the `--attrs-to-send` flag. For example:

```sh
$RADIUS_ACCT_COMMAND --attrs-to-send Acct-Status-Type:Start --attrs-to-send Acct-Session-Id:1234
```

Additional accounting values can be passed by adding the other accounting attributes, which can be found in the list of attributes. Accounting-specific attributes generally have an `Acct-` prefix.
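The attribute rules above (`--attrs-to-send` / `--attrs-to-recv`, one definition per type per direction, protocol-managed attributes such as User-Password that must not be overridden) and the accounting minimum (`Acct-Status-Type` plus `Acct-Session-Id`) are the kind of bookkeeping a test client has to get right before anything goes on the wire. The following added Go example, which is not the project's own code, shows one way to implement it: parsing `Type:Value` specs, rejecting duplicates and protocol-managed types in the send direction, checking the accounting minimum, and diffing a constructed Access-Accept attribute set against the expectations. User-Password is the one protocol-managed name the README gives; EAP-Message and Message-Authenticator in the list below are this example's assumption. Attribute names are handled as strings; mapping them to RADIUS type numbers and encoding them is out of scope here.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Attributes the authentication protocol sets itself, so a user-supplied value
// would be overwritten or mishandled. User-Password is the README's example;
// the other two are this example's assumption.
var protocolManaged = map[string]bool{
	"User-Password": true, "EAP-Message": true, "Message-Authenticator": true,
}

// requiredForAccounting is the minimum an Accounting-Request must carry.
var requiredForAccounting = []string{"Acct-Status-Type", "Acct-Session-Id"}

// parseAttrSpecs turns repeated "Type:Value" flag values into a map. It
// rejects malformed specs and a type given twice in one direction (the
// one-definition-per-type-per-direction rule); only the first ':' splits the
// spec, so values may themselves contain colons.
func parseAttrSpecs(specs []string, sending bool) (map[string]string, error) {
	out := make(map[string]string, len(specs))
	for _, s := range specs {
		typ, val, ok := strings.Cut(s, ":")
		if !ok || typ == "" || val == "" {
			return nil, fmt.Errorf("malformed attribute spec %q, want Type:Value", s)
		}
		if _, dup := out[typ]; dup {
			return nil, fmt.Errorf("attribute %s defined more than once", typ)
		}
		if sending && protocolManaged[typ] {
			return nil, fmt.Errorf("attribute %s is managed by the authentication protocol", typ)
		}
		out[typ] = val
	}
	return out, nil
}

// checkAccountingRequest confirms the required accounting attributes are
// present before anything is put on the wire.
func checkAccountingRequest(toSend map[string]string) error {
	var missing []string
	for _, name := range requiredForAccounting {
		if _, ok := toSend[name]; !ok {
			missing = append(missing, name)
		}
	}
	if len(missing) > 0 {
		return errors.New("accounting request missing " + strings.Join(missing, ", "))
	}
	return nil
}

// checkReceived compares the attributes of a final packet with the expected
// set and reports every mismatch rather than only the first, so one failing
// run shows the whole gap between server configuration and expectation.
// Extra attributes from the server are not an error.
func checkReceived(expected, received map[string]string) []string {
	var problems []string
	for typ, want := range expected {
		got, ok := received[typ]
		switch {
		case !ok:
			problems = append(problems, fmt.Sprintf("missing %s (expected %q)", typ, want))
		case got != want:
			problems = append(problems, fmt.Sprintf("%s: expected %q, got %q", typ, want, got))
		}
	}
	sort.Strings(problems) // map iteration order is random; make the report stable
	return problems
}

func main() {
	toSend, err := parseAttrSpecs([]string{"NAS-Identifier:fake-router", "Framed-Protocol:PPP"}, true)
	if err != nil {
		panic(err)
	}
	toRecv, _ := parseAttrSpecs([]string{"Framed-Protocol:PPP", "Service-Type:Framed", "Filter-Id:20"}, false)
	// A constructed stand-in for the attributes of a real Access-Accept.
	accept := map[string]string{"Framed-Protocol": "PPP", "Service-Type": "Login", "Class": "abc"}
	fmt.Println(len(toSend), "to send; problems:", checkReceived(toRecv, accept))
	acct, _ := parseAttrSpecs([]string{"Acct-Status-Type:Start"}, true)
	fmt.Println("accounting:", checkAccountingRequest(acct))
}
```

With the README's pap example as input and a constructed reply that carries `Service-Type:Login` and no `Filter-Id`, the report lists both the wrong value and the missing attribute; the accounting check fails the request that lacks `Acct-Session-Id`.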
- RFC 2759: MS-CHAP-V2
- RFC 2865: RADIUS
- RFC 2866: RADIUS Accounting
- RFC 3579: RADIUS EAP
- RFC 3748: EAP
- RFC 5080: Common RADIUS Implementation Issues and Suggested Fixes
- RFC 5216: EAP-TLS
- RFC 5281: EAP-TTLS
- RFC 5997: Status in RADIUS
- RFC 8940: Session-Id Derivation for EAP-based Authentication
- PEAP
- MAC Authentication Bypass