【freeradius】使用radclient调试radius协议

freeradius 自带了非常好的客户端程序 radtest, radclient 用来模拟和调试设备和通信过程。radtest多用于认证，radclient更为强大一些，认证，计费，coa都可以模拟，还可以自定义协议包非常强大。

命令帮助

这里大家自己看下就好了，非常容易理解。测试的时候用的都比较简单一些。

radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
  <command>              One of auth, acct, status, coa, disconnect or auto.
  -4                     Use IPv4 address of server
  -6                     Use IPv6 address of server.
  -c <count>             Send each packet 'count' times.
  -d <raddb>             Set user dictionary directory (defaults to /usr/local/etc/raddb).
  -D <dictdir>           Set main dictionary directory (defaults to /usr/local/share/freeradius).
  -f <file>[:<file>]     Read packets from file, not stdin.
                         If a second file is provided, it will be used to verify responses
  -F                     Print the file name, packet number and reply code.
  -h                     Print usage help information.
  -i <id>                Set request id to 'id'.  Values may be 0..255
  -n <num>               Send N requests/s
  -p <num>               Send 'num' packets from a file in parallel.
  -q                     Do not print anything out.
  -r <retries>           If timeout, retry sending the packet 'retries' times.
  -s                     Print out summary information of auth results.
  -S <file>              read secret from file, not command line.
  -t <timeout>           Wait 'timeout' seconds before retrying (may be a floating point number).
  -v                     Show program version information.
  -x                     Debugging mode.
  -P <proto>             Use proto (tcp or udp) for transport.

模拟认证请求

$ echo "User-Name=ff:ff:ff:ff:ff,User-Password=benu123" |radclient 127.0.0.1:1812 auth testing123 -x
Sent Access-Request Id 71 from 0.0.0.0:47403 to 127.0.0.1:1812 length 54
    User-Name = "ff:ff:ff:ff:ff"
    User-Password = "benu123"
    Cleartext-Password = "benu123"
Received Access-Accept Id 71 from 127.0.0.1:1812 to 0.0.0.0:0 length 158
    User-Name = "ff:ff:ff:ff:ff"
    Benu-Redirection-URL = "http://10.10.4.9:8080/WebAuthLogin1?portal_ip=10.10.4.2&client_id=ff:ff:ff:ff:ff&wbaredirect=http://www.google.com"

echo 的内容是请求内容，127.0.0.0:1812是radius认证端口， auth 是请求类型 , testing123 是cleint和radius的密钥， -x 表明查看详细过程。

模拟coa请求

coa_auth.txt 请求包内容

User-Name=C4-07-2F-85-15-9F
NAS-IP-Address=172.16.15.188
Calling-Station-Id=C4-07-2F-85-15-9F
Benu-ACL-Policy=auth_sla
Benu-QoS-Policy=32M_Full

测试以及结果

# radclient 172.16.15.188:3799 coa test -f coa_auth.txt -x
Sent CoA-Request Id 121 from 0.0.0.0:59699 to 172.16.15.188:3799 length 96
        User-Name = "C4-07-2F-85-15-9F"
        NAS-IP-Address = 172.16.15.188
        Calling-Station-Id = "C4-07-2F-85-15-9F"
        Benu-ACL-Policy = "auth_sla"
        Benu-QoS-Policy = "32M_Full"
Received CoA-ACK Id 121 from 172.16.15.188:3799 to 0.0.0.0:0 length 26
        Event-Timestamp = "Jan  8 2016 10:05:47 CST"

模拟计费请求

主要包含了计费开始，计费更新，计费停止几个报文。

请求命令

radclient 127.0.0.1 auto testing123 -f acct_start.txt

如果想看到详细的过程 命令结尾增加一个 -x 参数即可。

acct_start.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-00000099"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "ff:ff:ff:ff:ff"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Benu-ACL-Policy = "AM"
Benu-QoS-Policy = "DC"
Benu-Acct-Reason-Code = "40"
Benu-Private-Ip-Address = "127.0.0.1"
Benu-Napt-Public-Port-Range = "50"

acct_update.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-00000099"
Acct-Status-Type = Interim-Update
Acct-Authentic = RADIUS
User-Name = "ff:ff:ff:ff:ff"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Acct-Session-Time = 11
Acct-Input-Packets = 15
Acct-Output-Packets = 3
Acct-Input-Octets = 1407
Acct-Output-Octets = 467

acct_stop.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-00000099"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "ff:ff:ff:ff:ff"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Acct-Session-Time = 30
Acct-Input-Packets = 25
Acct-Output-Packets = 7
Acct-Input-Octets = 3407
Acct-Output-Octets = 867
Acct-Terminate-Cause = User-Request

测试

[root@orangleliu raddb]# radclient 127.0.0.1 auto testing123 -f acct_start.txt
Sent Accounting-Request Id 74 from 0.0.0.0:45094 to 127.0.0.1:1813 length 205
Received Accounting-Response Id 74 from 127.0.0.1:1813 to 0.0.0.0:0 length 20
[root@orangleliu raddb]# radclient 127.0.0.1 auto testing123 -f acct_update.txt
Sent Accounting-Request Id 231 from 0.0.0.0:28329 to 127.0.0.1:1813 length 183
Received Accounting-Response Id 231 from 127.0.0.1:1813 to 0.0.0.0:0 length 20
[root@orangleliu raddb]# radclient 127.0.0.1 auto testing123 -f acct_stop.txt
Sent Accounting-Request Id 209 from 0.0.0.0:62388 to 127.0.0.1:1813 length 189
Received Accounting-Response Id 209 from 127.0.0.1:1813 to 0.0.0.0:0 length 20

一些问题

• 使用mysql时候 radcheck表中 username 可以重复吗？

INSERT INTO radcheck (id, username, attribute, op, value) VALUES 
(1,’myusername‘,’User-Password’,’:=’,’mypassword‘);

数据库
24748   1309500xxxx Cleartext-Password  :=  7170
284748  1309500xxxx Cleartext-Password  :=  7170
284749  1309500xxxx Cleartext-Password  :=  7170

模拟请求没问题

# echo "User-Name=1309500xxxx,User-Password=7170" |radclient 127.0.0.1:1812 auth testing123 -x
Sent Access-Request Id 192 from 0.0.0.0:42540 to 127.0.0.1:1812 length 51
    User-Name = '1309500xxxx'
    User-Password = '7170'
Received Access-Accept Id 192 from 127.0.0.1:1812 to 0.0.0.0:0 length 20