Overview – radtest – Testing RADIUS Authentication
radtest is a command-line tool used to send test authentication requests to a RADIUS (Remote Authentication Dial-In User Service) server. It’s commonly included with the FreeRADIUS utilities on Linux systems and is a simple yet effective tool for testing and troubleshooting RADIUS server configurations.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
Key Uses of radtest
- Verifying RADIUS Authentication Configuration
- radtest allows administrators to check if a RADIUS server is properly set up to authenticate users by sending test credentials and observing the server’s response.
- Successful authentication is indicated by an Access-Accept response, while a failed authentication produces an Access-Reject response.
- Testing Different Authentication Scenarios
- Administrators can use radtest to simulate various scenarios, such as using different usernames, passwords, or client configurations to ensure that authentication works as expected.
- It supports sending additional RADIUS attributes, allowing for more complex tests, like testing the handling of NAS-IP-Address or Framed-IP-Address attributes often used in VPNs and Wi-Fi.
- Debugging RADIUS Configuration Issues
- When run in conjunction with FreeRADIUS’s debug mode (freeradius -X), radtest provides detailed output about how the server processes the authentication request.
- This is helpful in identifying configuration problems, such as mismatches in shared secrets, misconfigured clients, or issues with specific authentication methods (e.g., EAP or PEAP).
- Simulating Authentication Load
- radtest can be used in loops to send multiple authentication requests to simulate load and stress-test the server. This is useful for observing server performance under high traffic or verifying capacity before deployment.
- Validating Shared Secrets
- Each client (such as a Wi-Fi access point or VPN server) has a unique shared secret with the RADIUS server. radtest helps ensure that the shared secrets in clients.conf match those in the clients.
- Testing RADIUS in Various Network Environments
- radtest works both locally and remotely, so you can use it to test the RADIUS server’s accessibility from different parts of the network.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
Basic radtest Syntax
The basic syntax for the radtest command is:
radtest [username] [password] [RADIUS-server-IP] [NAS-port] [shared-secret] [radius-auth-port]
- username: The username you want to authenticate.
- password: The password for the specified username.
- RADIUS-server-IP: IP address of the RADIUS server (use 127.0.0.1 if testing locally).
- NAS-port: NAS (Network Access Server) port, usually set to 0 for testing purposes.
- shared-secret: Shared secret defined in the clients.conf file for the client making the request.
- radius-auth-port: Optional, default is 1812 (standard RADIUS port for authentication).
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
1. Simple Authentication Test
This command tests basic authentication for a user on a local RADIUS server:
radtest testuser testpassword 127.0.0.1 0 testing123
- Explanation:
- testuser is the username.
- testpassword is the password.
- 127.0.0.1 specifies the local server.
- 0 is the NAS-port (for testing).
- testing123 is the shared secret as defined in clients.conf.
If successful, you’ll see an Access-Accept message. If unsuccessful, an Access-Reject message indicates a problem with credentials or configuration.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
2. Test Authentication on a Remote RADIUS Server
To test authentication on a remote RADIUS server (e.g., at IP 192.168.1.100):
radtest alice mypassword 192.168.1.100 0 sharedsecret
- Explanation:
- alice is the username.
- mypassword is the password for alice.
- 192.168.1.100 is the IP address of the remote RADIUS server.
- sharedsecret is the shared secret in the RADIUS server’s clients.conf for this client.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
3. Testing with a Specific RADIUS Authentication Port
If your RADIUS server listens on a non-standard port (e.g., 18120):
radtest testuser testpassword 127.0.0.1 0 testing123 18120
- Explanation:
- 18120 is specified as the custom RADIUS port, overriding the default 1812.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
4. Testing with Attributes (NAS-IP-Address)
You can include additional RADIUS attributes in the radtest command by adding them after the shared secret. For example, to include NAS-IP-Address:
radtest testuser testpassword 127.0.0.1 0 testing123 nas-ip-address=192.168.1.1
- Explanation:
- nas-ip-address=192.168.1.1 adds a NAS-IP-Address attribute, which may be required by some RADIUS server policies.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
5. Testing with Framed-IP-Address Attribute
If your RADIUS server requires a Framed-IP-Address attribute (e.g., for VPN):
radtest testuser testpassword 127.0.0.1 0 testing123 framed-ip-address=10.0.0.10
- Explanation:
- framed-ip-address=10.0.0.10 adds the Framed-IP-Address attribute, which is often used in VPN or network access scenarios.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
6. Testing with radtest in Debug Mode
To see more detailed output, you can run radtest while FreeRADIUS is running in debug mode:
- Open another terminal and start FreeRADIUS in debug mode:
sudo freeradius -X
- Run your radtest command. For example:
radtest testuser testpassword 127.0.0.1 0 testing123
- Review the debug output from FreeRADIUS to see detailed authentication processing. This can help identify configuration issues or attribute mismatches.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
7. Simulating a Failed Authentication
To test how the server responds to incorrect credentials, try an invalid username or password:
radtest invaliduser wrongpassword 127.0.0.1 0 testing123
An Access-Reject response indicates the server correctly handled the invalid credentials.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
8. Using radtest with Multiple Authentication Requests
To simulate multiple authentication requests, you can loop radtest commands. For example, testing user alice with 10 requests:
for i in {1..10}; do radtest alice mypassword 127.0.0.1 0 testing123; done
This command will send 10 requests to the RADIUS server, useful for stress-testing.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
Summary of Useful radtest Examples
| Command Example | Description |
| radtest testuser testpassword 127.0.0.1 0 testing123 | Basic test with local RADIUS server |
| radtest alice mypassword 192.168.1.100 0 sharedsecret | Test on remote RADIUS server |
| radtest testuser testpassword 127.0.0.1 0 testing123 18120 | Test on a custom RADIUS port |
| radtest testuser testpassword 127.0.0.1 0 testing123 nas-ip-address=192.168.1.1 | Test with NAS-IP-Address attribute |
| radtest invaliduser wrongpassword 127.0.0.1 0 testing123 | Simulate failed authentication |
| for i in {1..10}; do radtest alice mypassword 127.0.0.1 0 testing123; done | Run multiple authentication requests |
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
Summary
In short, radtest is a vital tool for RADIUS administrators, providing a straightforward way to test, verify, and troubleshoot RADIUS authentication and configurations. By simulating various scenarios and using attributes, it ensures that a RADIUS server is properly set up to authenticate and authorize network users and devices.
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
Useful Links
https://wiki.freeradius.org/guide/Radtest
https://sanchitgurukul.com/tutorials-cat
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
radtest: A Powerful Command-Line Tool for Testing RADIUS Authentication
This article provided insights on the topic. For latest updates and detailed guides, stay connected with Sanchit Gurukul.
