radiator-client

radiator-client is a command-line RADIUS test utility for sending RADIUS packets to RADIUS servers. It supports udp/tcp/tls and proxy protocol transports.

Installation

The radiator-client binary is included in the Radiator Server package:

/opt/radiator/server/bin/radiator-client

Command-Line Options

Run radiator-client --help to see all available options.

Basic Usage

Send an Access-Request with username and password:

radiator-client \
    --server 127.0.0.1 \
    --port 1812 \
    --secret mysecret \
    --user alice \
    --password alicepass

Send an Accounting-Request:

radiator-client \
    --server 127.0.0.1 \
    --port 1813 \
    --secret mysecret \
    --user alice \
    --type acct

Adding Attributes

Using Dictionary Names

Add attributes by name with automatic type conversion:

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret \
    --attr "Service-Type=Framed-User" \
    --attr "NAS-IP-Address=10.0.0.1" \
    --attr "Cisco-avpair=shell:priv-lvl=15"

Using Raw AVP Format

Add raw AVPs when dictionary names are unavailable:

# Syntax: <type>=<format>,<value>
# Formats: str, hex, u32, i32, u128, i128, ipv4, ipv6

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --avp "1=str,alice" \
    --avp "4=ipv4,10.0.0.1" \
    --avp "6=u32,2"

Using Vendor-Specific Attributes

Add VSAs with vendor ID and type:

# Syntax: <vendor_id>:<vendor_type>=<format>,<value>[;<vendor_type>=<format>,<value>]

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --vsa "9:1=str,shell:priv-lvl=15"

Reading Attributes from File

Create an attribute file:

# attributes.txt
attr User-Name=alice
attr NAS-IP-Address=10.0.0.1
avp 6=u32,2
vsa 9:1=str,shell:priv-lvl=15

Use the file:

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --attr-file attributes.txt

Read from stdin:

echo "attr User-Name=testuser" | radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --attr-file -

Request Types

Access-Request (auth)

radiator-client \
    --type auth \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret

Expected response: Access-Accept (code 2)

Accounting-Request (acct)

radiator-client \
    --type acct \
    --server 127.0.0.1 \
    --port 1813 \
    --secret mysecret \
    --user alice \
    --attr "Acct-Status-Type=Start" \
    --attr "Acct-Session-Id=session123"

Expected response: Accounting-Response (code 5)

Disconnect-Request

radiator-client \
    --type disconnect-request \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --attr "Acct-Session-Id=session123"

Expected response: Disconnect-ACK (code 40)

CoA-Request

radiator-client \
    --type coa-request \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --attr "Session-Timeout=3600"

Expected response: CoA-ACK (code 43)

Repeating Requests

Execute multiple requests for testing:

# Repeat 10 times, fail if any request fails
radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret \
    --repeat 10 \
    --repeat-mode all

# Repeat 10 times, succeed if at least one request succeeds
radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret \
    --repeat 10 \
    --repeat-mode any

Repeat modes:

all: Exit with error if any request fails (default)
any: Exit with error only if all requests fail
whatever: Always exit with zero regardless of results

Transport Protocols

By default, radiator-client uses UDP transport. You can specify TCP or TLS (RadSec) transport using the --transport flag.

UDP Transport (Default)

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret

TCP Transport

Use plain TCP transport for RADIUS-over-TCP:

radiator-client \
    --server 127.0.0.1 \
    --port 2083 \
    --secret mysecret \
    --user alice \
    --password secret \
    --transport tcp

TLS Transport (RadSec)

Use TLS transport for secure RADIUS communication (RFC 6614). When using TLS, the shared secret is typically radsec.

Basic TLS with system CA certificates:

radiator-client \
    --server radius.example.com \
    --port 2083 \
    --secret radsec \
    --user alice \
    --password secret \
    --transport tls \
    --tls-server-name radius.example.com

TLS with custom CA certificate:

radiator-client \
    --server 127.0.0.1 \
    --port 2083 \
    --secret radsec \
    --user alice \
    --password secret \
    --transport tls \
    --tls-ca-certificate /path/to/ca.pem \
    --tls-server-name radius.example.com

TLS with mutual authentication (client certificate):

radiator-client \
    --server 127.0.0.1 \
    --port 2083 \
    --secret radsec \
    --user alice \
    --password secret \
    --transport tls \
    --tls-ca-certificate /path/to/ca.pem \
    --tls-certificate /path/to/client-cert.pem \
    --tls-key /path/to/client-key.pem \
    --tls-server-name radius.example.com

TLS Options

Option	Description
`--tls-certificate`	Path to client certificate file (PEM format)
`--tls-key`	Path to client private key file (PEM format)
`--tls-ca-certificate`	Path to CA certificate file (PEM format)
`--tls-server-name`	Server name for TLS SNI and certificate verification

If --tls-ca-certificate is not specified, system root certificates are used for server verification.

PROXY Protocol Support

PROXY protocol can be combined with TCP or TLS transport.

Send requests with PROXY protocol v2 header:

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret \
    --transport tcp \
    --proxy-protocol v2 \
    --proxy-client-addr 192.168.1.100:12345

Raw Packet Handling

Send Raw Hex Packet

Replay captured RADIUS packets:

# From Wireshark: right-click packet, Copy -> As Hex Stream
radiator-client \
    --server 127.0.0.1 \
    --hex "0104002a..." \
    --expect-response-code 2

Save Packet to File

Write packet hex without sending:

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret \
    --hex-output-file packet.hex

Read Packet from File

radiator-client \
    --server 127.0.0.1 \
    --hex-input-file packet.hex

Exit Codes

Code	Meaning
0	Success (expected response received)
1	Error (timeout, unexpected response, or other failure)

Troubleshooting

Common Issues

Timeout errors

Verify server IP and port are correct
Check firewall rules allow UDP traffic
Increase timeout with --timeout 10s

Invalid response authenticator

Verify shared secret matches server configuration
Check for secret character encoding issues

Access-Reject received

Verify username and password are correct
Check server logs for authentication failure reason
Use --verbose for detailed packet inspection

Verbose Mode

Enable verbose output to see detailed request/response information:

radiator-client \
    --server 127.0.0.1 \
    --secret mysecret \
    --user alice \
    --password secret \
    --verbose

Using Custom Dictionary

Load a custom RADIUS dictionary:

radiator-client \
    --dictionary /path/to/custom.dictionary \
    --server 127.0.0.1 \
    --secret mysecret \
    --attr "Custom-Attribute=value"

Print the built-in dictionary:

radiator-client --print-dictionary

TOTP/HOTP Authentication - Detailed TOTP/HOTP configuration
Duration Units - Timeout format reference