Version Affected: ALL
Description:
Testing RADIUS can be a daunting task, especially when MFA is involved. Using a Linux system or a Windows Subsystem for Linux virtual machine and the radclient utility can make things quite a bit easier.
Cause:
There are several utilities for testing RADIUS, but not all are equal: not all can test MFA easily, and few are command-line/terminal driven. Using radclient on a Linux system makes this much easier, and the steps can even be scripted, making testing quicker still.
Resolution:
All examples and/or screenshots here were taken from a WSL build of Debian 11 Linux. You can read about installing WSL on your Windows machine here. This guide will not cover installing WSL or setting up any type of Linux machine.
Once you have access to your Linux distribution, use the package manager to install the freeradius-utils package. The package name may differ between Linux distributions.
Installing freeradius-utils (Debian Linux)
First search for the package and, once the package name is found, install it:
radclient help/options
Typing radclient in a terminal window will show the help:
From the above, this document will focus on the -x -s options, and the auth command.
Basic RADIUS commands
radclient requires you to know which RADIUS attributes to send to the server. Here is a short list of the attributes that will be used in the rest of this article to perform basic testing:
Attribute | Description |
User-Name | The username being used during the authentication process |
User-Password | The password being sent during testing for the username; it is entered in clear text on the command line |
State | RADIUS uses UDP, which is connectionless. The State attribute returned in a challenge is sent back by the client so the server can tie the follow-up request to the login in progress |
Testing RADIUS
For an actual test of the RADIUS server it is suggested to create a RADIUS client entry on the server specifically for the machine running radclient, in this case the Linux/WSL machine.
When ready to test use the command:
echo "User-Name = <username>,User-Password = <password>" | radclient -x -s <RADIUS_SERVER:PORT> auth <shared_secret>
The response will look like:
In the above you will see "Received Access-Accept" and "Passed filter : 1", meaning all is good and authentication has worked. The RADIUS server logs would also show the flow and prove that the authentication was successful.
Once you know you can authenticate with just a password, the next step is to test MFA to ensure you can authenticate with this testing method.
Change the RADIUS client rule again and, instead of having it set to "Password only", set it to "Password | Second Factor".
In this testing, there are going to be several steps due to the number of Factors the test account has available but we will start with the exact same command as above:
echo "User-Name = <username>,User-Password = <password>" | radclient -x -s <RADIUS_SERVER:PORT> auth <shared_secret>
Notice in the above there is a Received Access-Challenge this time and not an Access-Accept. Since it is a challenge this time, we need to send back the "State = ..." value from the challenge to continue processing this request, along with the proper "User-Password = ". The password this time, though, is going to be one of the options above: the TOTP, 1 for SMS/Text, 2 for phone.
Using SMS/Text we get the command:
echo "State = 0x66326463346263652d356163352d343266352d626639382d353138643139333834363866,User-Name = syorke,User-Password = 1" | radclient -x -s <RADIUS_SERVER:PORT> auth <shared_secret>
The response now asks which phone number to send the SMS/Text message to, so we need to run the same command with the proper password again:
echo "State = 0x66326463346263652d356163352d343266352d626639382d353138643139333834363866,User-Name = syorke,User-Password = 1" | radclient -x -s <RADIUS_SERVER:PORT> auth <shared_secret>
Once done, we should get the OTP that was sent to the number above and as a final step, we send the same command one last time with the proper OTP:
echo "State = 0x66326463346263652d356163352d343266352d626639382d353138643139333834363866,User-Name = syorke,User-Password = 661657" | radclient -x -s <RADIUS_SERVER:PORT> auth <shared_secret>
As we can see in the above, the Access-Accept is returned along with "Passed filter : 1". We have successfully authenticated to the RADIUS server with an SMS-delivered OTP code.
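The multi-step exchange above can be scripted, as the Cause section suggests. The following helper functions are an added example and not part of the original SecureAuth article: they parse the State attribute out of radclient -x output (whose format is assumed from the FreeRADIUS client; the sample output below is constructed, not a real capture) and build the follow-up request, so the OTP is typed at a prompt rather than pasted into a new command each time. RADIUS_SERVER:PORT and the shared secret are placeholders passed as arguments.

```shell
# Added example (not from the original article): helpers that drive the
# multi-step radclient exchange shown above. radclient -x prints each received
# attribute indented as "Name = value"; these helpers pull the State out of an
# Access-Challenge and build the follow-up request.

# radclient -x output, constructed for this example (not a real capture).
SAMPLE_CHALLENGE='Sent Access-Request Id 42 from 0.0.0.0:45678 to 192.0.2.10:1812 length 44
    User-Name = "syorke"
    User-Password = "Password1"
Received Access-Challenge Id 42 from 192.0.2.10:1812 to 0.0.0.0:45678 length 90
    State = 0x66326463346263652d356163352d343266352d626639382d353138643139333834363866
    Reply-Message = "Enter TOTP, 1 for SMS/Text, 2 for phone"'

# Packet code of the last packet received (Access-Accept / Access-Challenge / Access-Reject).
packet_code() {
    printf '%s\n' "$1" | sed -n 's/^Received \(Access-[A-Za-z]*\) .*/\1/p' | tail -n 1
}

# State value (0x...) from an Access-Challenge; prints nothing if the packet has none.
extract_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*State = \(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# Attribute list for the next request; State is echoed back only while a challenge is open.
build_request() {   # $1 = state or "", $2 = username, $3 = password / factor answer
    if [ -n "$1" ]; then
        printf 'State = %s,User-Name = %s,User-Password = %s' "$1" "$2" "$3"
    else
        printf 'User-Name = %s,User-Password = %s' "$2" "$3"
    fi
}

# Drive the whole exchange against a real server. Each challenge answer (factor
# choice, OTP) is read from stdin so it never lands in the shell history.
challenge_flow() {   # $1 = RADIUS_SERVER:PORT, $2 = shared secret, $3 = username, $4 = password
    state=""; answer="$4"
    while :; do
        out=$(build_request "$state" "$3" "$answer" | radclient -x "$1" auth "$2")
        case $(packet_code "$out") in
            Access-Challenge)
                state=$(extract_state "$out")
                printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Reply-Message = //p'
                printf 'Response: ' >&2; read -r answer ;;
            Access-Accept) echo "Access-Accept: authentication succeeded"; return 0 ;;
            *) echo "No Access-Accept (got: '$(packet_code "$out")')"; return 1 ;;
        esac
    done
}
```

Source the file and call `challenge_flow <RADIUS_SERVER:PORT> <shared_secret> <username> <password>`; each Access-Challenge prints its Reply-Message and waits for the factor choice or OTP.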
Special Considerations (optional as needed):
This guide is directed at Linux users to give them a means of properly testing a RADIUS server setup/configuration. An alternative to Linux and radclient is NTRadPing, as shown in this guide:
How To Test RADIUS Using NTRadPing – SecureAuth Support
Additional attributes can be sent to the RADIUS server, see the RFC lists from FreeRADIUS below for many different options:
Here is a quick video showing testing via a Debian WSL machine:
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.