
[freeradius] Debugging the RADIUS protocol with radclient

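2016-02-03 16:36
freeradius ships with two very good client programs, radtest and radclient, for simulating and debugging devices and the communication flow. radtest is mostly used for authentication; radclient is more powerful: it can simulate authentication, accounting and CoA, and it can also send custom packets.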

Command help

Just read through this yourself; it is very easy to understand. The tests below only use the simpler options.

radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
<command>              One of auth, acct, status, coa, disconnect or auto.
-4                     Use IPv4 address of server
-6                     Use IPv6 address of server.
-c <count>             Send each packet 'count' times.
-d <raddb>             Set user dictionary directory (defaults to /usr/local/etc/raddb).
-D <dictdir>           Set main dictionary directory (defaults to /usr/local/share/freeradius).
-f <file>[:<file>]     Read packets from file, not stdin.
If a second file is provided, it will be used to verify responses
-F                     Print the file name, packet number and reply code.
-h                     Print usage help information.
-i <id>                Set request id to 'id'.  Values may be 0..255
-n <num>               Send N requests/s
-p <num>               Send 'num' packets from a file in parallel.
-q                     Do not print anything out.
-r <retries>           If timeout, retry sending the packet 'retries' times.
-s                     Print out summary information of auth results.
-S <file>              read secret from file, not command line.
-t <timeout>           Wait 'timeout' seconds before retrying (may be a floating point number).
-v                     Show program version information.
-x                     Debugging mode.
-P <proto>             Use proto (tcp or udp) for transport.


Simulating an authentication request

$ echo "User-Name=ff:ff:ff:ff:ff,User-Password=benu123" |radclient 127.0.0.1:1812 auth testing123 -x
Sent Access-Request Id 71 from 0.0.0.0:47403 to 127.0.0.1:1812 length 54
User-Name = "ff:ff:ff:ff:ff"
User-Password = "benu123"
Cleartext-Password = "benu123"
Received Access-Accept Id 71 from 127.0.0.1:1812 to 0.0.0.0:0 length 158
User-Name = "ff:ff:ff:ff:ff"
Benu-Redirection-URL = "http://10.10.4.9:8080/WebAuthLogin1?portal_ip=10.10.4.2&client_id=ff:ff:ff:ff:ff&wbaredirect=http://www.google.com"


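The echo content is the request body, 127.0.0.1:1812 is the RADIUS authentication port, auth is the request type, testing123 is the shared secret between the client and the RADIUS server, and -x prints the detailed exchange.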
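
What the auth command above puts on the wire, as an added example that is not part of the original post or of FreeRADIUS: it builds the same Access-Request in Python, hiding User-Password with the shared secret as RFC 2865 section 5.2 specifies, and reproduces the "length 54" that radclient reports. The function names are illustrative, and the request authenticator is random unless one is passed in.

```python
import hashlib
import os

ACCESS_REQUEST = 1               # packet code, RFC 2865
USER_NAME, USER_PASSWORD = 1, 2  # attribute type numbers


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 chain."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side: the same chain; the shared secret is the only key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type, length (including the 2 header bytes), value."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request(user, password, secret, pkt_id, authenticator=None):
    """Build the packet for 'User-Name=...,User-Password=...' with 'auth'."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, user.encode())
    attrs += attribute(USER_PASSWORD, hide_password(
        password.encode(), secret.encode(), authenticator))
    length = 20 + len(attrs)  # 20-byte header: code, id, length, authenticator
    header = bytes([ACCESS_REQUEST, pkt_id]) + length.to_bytes(2, "big")
    return header + authenticator + attrs


if __name__ == "__main__":
    pkt = access_request("ff:ff:ff:ff:ff", "benu123", "testing123", 71)
    print(len(pkt), pkt.hex())  # length is 54, as in the radclient output
```

Because the hiding is keyed only by the shared secret, anyone who captures a request and knows the secret can recover the password; a test value such as testing123 should not be used outside a lab.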

Simulating a CoA request

coa_auth.txt: request packet contents

User-Name=C4-07-2F-85-15-9F
NAS-IP-Address=172.16.15.188
Calling-Station-Id=C4-07-2F-85-15-9F
Benu-ACL-Policy=auth_sla
Benu-QoS-Policy=32M_Full


Test and result

# radclient 172.16.15.188:3799 coa test -f coa_auth.txt -x
Sent CoA-Request Id 121 from 0.0.0.0:59699 to 172.16.15.188:3799 length 96
User-Name = "C4-07-2F-85-15-9F"
NAS-IP-Address = 172.16.15.188
Calling-Station-Id = "C4-07-2F-85-15-9F"
Benu-ACL-Policy = "auth_sla"
Benu-QoS-Policy = "32M_Full"
Received CoA-ACK Id 121 from 172.16.15.188:3799 to 0.0.0.0:0 length 26
Event-Timestamp = "Jan  8 2016 10:05:47 CST"


Simulating accounting requests

This mainly covers the accounting start, accounting update and accounting stop packets.

Request command

radclient 127.0.0.1 auto testing123 -f acct_start.txt

To see the detailed exchange, append the -x option to the end of the command.

acct_start.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-00000099"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "ff:ff:ff:ff:ff"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Benu-ACL-Policy = "AM"
Benu-QoS-Policy = "DC"
Benu-Acct-Reason-Code = "40"
Benu-Private-Ip-Address = "127.0.0.1"
Benu-Napt-Public-Port-Range = "50"


acct_update.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-00000099"
Acct-Status-Type = Interim-Update
Acct-Authentic = RADIUS
User-Name = "ff:ff:ff:ff:ff"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Acct-Session-Time = 11
Acct-Input-Packets = 15
Acct-Output-Packets = 3
Acct-Input-Octets = 1407
Acct-Output-Octets = 467


acct_stop.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-00000099"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "ff:ff:ff:ff:ff"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Acct-Session-Time = 30
Acct-Input-Packets = 25
Acct-Output-Packets = 7
Acct-Input-Octets = 3407
Acct-Output-Octets = 867
Acct-Terminate-Cause = User-Request


Test

[root@orangleliu raddb]# radclient 127.0.0.1 auto testing123 -f acct_start.txt
Sent Accounting-Request Id 74 from 0.0.0.0:45094 to 127.0.0.1:1813 length 205
Received Accounting-Response Id 74 from 127.0.0.1:1813 to 0.0.0.0:0 length 20
[root@orangleliu raddb]# radclient 127.0.0.1 auto testing123 -f acct_update.txt
Sent Accounting-Request Id 231 from 0.0.0.0:28329 to 127.0.0.1:1813 length 183
Received Accounting-Response Id 231 from 127.0.0.1:1813 to 0.0.0.0:0 length 20
[root@orangleliu raddb]# radclient 127.0.0.1 auto testing123 -f acct_stop.txt
Sent Accounting-Request Id 209 from 0.0.0.0:62388 to 127.0.0.1:1813 length 189
Received Accounting-Response Id 209 from 127.0.0.1:1813 to 0.0.0.0:0 length 20


Some questions

When using MySQL, can username be repeated in the radcheck table?

INSERT INTO radcheck (id, username, attribute, op, value) VALUES
(1, 'myusername', 'User-Password', ':=', 'mypassword');

Database
24748   1309500xxxx Cleartext-Password  :=  7170
284748  1309500xxxx Cleartext-Password  :=  7170
284749  1309500xxxx Cleartext-Password  :=  7170


The simulated request works fine

# echo "User-Name=1309500xxxx,User-Password=7170" |radclient 127.0.0.1:1812 auth testing123 -x
Sent Access-Request Id 192 from 0.0.0.0:42540 to 127.0.0.1:1812 length 51
User-Name = '1309500xxxx'
User-Password = '7170'
Received Access-Accept Id 192 from 127.0.0.1:1812 to 0.0.0.0:0 length 20