Free Radius Test Tool



Free performance testing tools are available, as well as free trials for paid platforms. Most testing tools are priced according to the number of virtual users available for a testing scenario. Additionally, testing legacy systems or varied and sophisticated systems can increase cost. Radius Test is an implementation of the client side of RADIUS (Remote Authentication Dial In User Service). It is a useful tool for testing installations of your RADIUS server. With Radius Test you can simulate authentication and accounting requests and send them to the RADIUS server, with Radius Test acting as a NAS client.

How to test RADIUS authentication

A successful RADIUS authentication should display a Swivel log message such as:

RADIUS: <87> Access-Accept(2) LEN=57 <IP address>:12004 Access-Request by <username> succeeded

An incorrectly entered One Time Code for RADIUS authentication should display a Swivel log message such as:

RADIUS: <86> Access-Request(1) LEN=57 <IP address>:12004 Access-Request by <username> Failed: AccessRejectException:

For further information on RADIUS see RADIUS How To Guide


RADIUS test tool such as NTRadPing

Tool built into authentication device.

nc command from the command line


Authentication device is not communicating with the Swivel RADIUS server.

RADIUS request is sent from Access Device, but does not reach the Swivel server.

RADIUS request is sent from Access Device, and reaches the network interface but does not reach the Swivel application.


1. Check that RADIUS is running on the Swivel server. The Swivel log should show the message "RADIUS server manager started". If not, look for other log messages.

2. Check network communication: can the Swivel server receive a ping from the authentication device? (Note that a firewall may be blocking ICMP but not DNS traffic.)

3. Check whether communication is possible between the authentication device and the Swivel server on the RADIUS port. Note: RADIUS uses UDP, which is a connectionless protocol and therefore cannot be tested with tools such as Telnet. Some authentication devices have RADIUS test tools built into them. Another tool is NTRadPing (search for NTRadPing.exe), which allows testing from a Windows machine. The nc command may also be used, see below.

4. If different ports are used, check that any local firewall, such as the one on the appliance, is not blocking the newly assigned ports. If a local firewall is blocking access, the RADIUS request will be received on the Ethernet interface but will not reach the Swivel application.


RADIUS testing using nc

This command is available on many Linux-based systems and also on the Swivel appliance command line, accessed through the CMI.

nc -vnzu <ipaddress> <port>

Example: nc -vnzu 192.168.1.120 1812

For a successful connection to a Swivel RADIUS server

The Swivel log will report the following:

For a failed connection to a Swivel RADIUS server


NTRadPing 1.5 does not support Challenge and Response for Two Stage Authentication

Retrieved from 'https://kb.swivelsecure.com/w/index.php?title=RADIUS_Testing&oldid=2749'

Testing the FreeRADIUS 2.x Package on pfSense

Test the FreeRADIUS configuration

FreeRADIUS offers an easy to use command line tool to check if the server is running and listening to incoming requests. An interface, a NAS/Client and a user must all be configured:

  • Add a User with the following configuration:

    • Username: testuser
    • Password: testpassword
  • Add a Client/NAS with the following configuration:

    • IP-Address: 127.0.0.1
    • Shared Secret: testing123
  • Add an interface with the following configuration:

    • IP-Address: 127.0.0.1
    • Interface-Type: Auth
    • Port: 1812
  • SSH to the pfSense firewall and type in the following on the command line while FreeRADIUS is running (check the System Log first):

The following output should appear if everything was setup correctly:

The essential part is Access-Accept. Check the system log for the following output:

If something was configured wrong (such as an incorrect username) then this will be displayed:

The Access-Reject packet is visible, and the system log will contain the following output:

If the steps above do not work, do not proceed with any other configuration. This is the first thing that should be tested.
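A UDP check with nc cannot show that the RADIUS service itself answered or that the shared secret matches; a real Access-Request can. The following is an added example, not code from Swivel, pfSense or FreeRADIUS: a small RFC 2865 PAP client that sends one request and validates the Response Authenticator. All function names are this example's own, and the values in the last line are the test user, client and interface settings listed above.

```python
# Added example: minimal RADIUS PAP client (RFC 2865); __main__ uses the page's test values.
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def verify_response(reply, request_authenticator, secret, ident):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret); return code name or None."""
    if len(reply) < 20:
        return None
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return None  # wrong shared secret, or a forged or corrupted reply
    return CODES.get(code, "code %d" % code)

def probe(host, port, user, password, secret, timeout=3.0):
    """Send one Access-Request over UDP and classify the outcome."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    request = build_access_request(user, password, secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, or ICMP port unreachable on some platforms
            return "no reply"
    return verify_response(reply, authenticator, secret, ident) or "unverifiable reply"

if __name__ == "__main__":
    print(probe("127.0.0.1", 1812, b"testuser", b"testpassword", b"testing123"))
```

A "no reply" result covers both a filtered port and a server that silently discards the request, for example because the sending IP is not a configured client/NAS or because the server requires a Message-Authenticator attribute, which this example does not send.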

There is a Windows test tool available as well. Another nice tool is the JRadius Framework, covered next.

Test FreeRADIUS performance with jRadius

jRadius is a tool to test a FreeRADIUS server. It can perform many different request types, numbers of requests, attributes and authentication methods. It can test how many requests a RADIUS server can answer at a time, to make sure that it will perform well in a specific environment. This tool needs a non-Windows system with Java to run. I tried with openSUSE:

  • Download JRadius Minimal (client).

  • Unzip the file with the following command:

  • Start the application with the following command:

The application window will open. Fill out the fields:

  • RADIUS tab
    • Transport: UDP
    • RADIUS Server: 192.168.0.10
    • Shared Secret: mysharedsecret
    • Auth Port: 1812
    • Acct Port: 1813
    • Send Timeout: 10 (or fill in what the NAS offers as timeout to make test more “real”)
    • Send Retries: 0 (or fill in what the NAS offers as timeout to make test more “real”)
    • Requester Threads: 1 (To understand this option think about the number of NAS nodes. Every NAS is a Requester Thread. In the worst case, after a power cycle all NAS reboot at once, so enter the number of NAS nodes here)
    • Requests per Thread: 1 (To understand this think about the number of hosts which are connected to this NAS at a time; when the NAS has rebooted, all clients will try to reauthenticate)
    • Simulation Type: Auth only (if accounting is chosen, then additional attributes must be added later)
    • Authentication Protocol: PAP (Change it to suit the needs of the site, but TLS needs a client cert; PEAP uses only the server cert from FreeRADIUS)
    • Verify Standard: None
    • Check Log RADIUS to log tab
  • Attributes tab:
    • User-Name: myuser
    • User-Password: mypass
    • NAS-Port: 25 (any value is ok)
    • NAS-IP-Address: 192.168.0.111 (IP of the NAS)
    • Check all four attributes in AccessReq
  • RADIUS tab
    • Click Start

Then the test will be performed. It could take some time, and the display will show the number of requests that can be handled per second and the response speed. If the server cannot handle the requests fast enough then think about increasing FreeRADIUS > Settings, Maximum Number of Threads. Do not increase this without limit. It will help on peaks, but if there is a high load all the time, think about a faster backend (MySQL instead of flat file). There is also a speed difference if the test user in FreeRADIUS > Users is listed at the bottom of a 100 users long list or at the top. And there is a difference if there are many reply attributes like VLAN ID and so on.

After this performance test check the FreeRADIUS server as described in this chapter: FreeRADIUS 2.x package
