Tools radiator-client
Command-line RADIUS test utility for sending RADIUS packets
radiator-client is a command-line RADIUS test utility for sending RADIUS packets to RADIUS servers. It supports udp/tcp/tls and proxy protocol transports.
Installation
The radiator-client binary is included in the Radiator Server package:
/opt/radiator/server/bin/radiator-client
Command-Line Options
Run radiator-client --help to see all available options.
Basic Usage
Send an Access-Request with username and password:
radiator-client \
--server 127.0.0.1 \
--port 1812 \
--secret mysecret \
--user alice \
--password alicepass
Send an Accounting-Request:
radiator-client \
--server 127.0.0.1 \
--port 1813 \
--secret mysecret \
--user alice \
--type acct
Adding Attributes
Using Dictionary Names
Add attributes by name with automatic type conversion:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--attr "Service-Type=Framed-User" \
--attr "NAS-IP-Address=10.0.0.1" \
--attr "Cisco-avpair=shell:priv-lvl=15"
Using Raw AVP Format
Add raw AVPs when dictionary names are unavailable:
# Syntax: <type>=<format>,<value>
# Formats: str, hex, u32, i32, u128, i128, ipv4, ipv6
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--avp "1=str,alice" \
--avp "4=ipv4,10.0.0.1" \
--avp "6=u32,2"
Using Vendor-Specific Attributes
Add VSAs with vendor ID and type:
# Syntax: <vendor_id>:<vendor_type>=<format>,<value>[;<vendor_type>=<format>,<value>]
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--vsa "9:1=str,shell:priv-lvl=15"
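What the `--avp` and `--vsa` specifications above look like on the wire, as an added Python example that follows the RFC 2865 attribute layout. It is not radiator-client's own code. The function names are hypothetical, and packing `;`-separated sub-attributes into one Vendor-Specific attribute is an assumption about the tool.

```python
import ipaddress
import struct

def encode_value(fmt, text):
    """Convert the <value> text to bytes according to <format>."""
    if fmt == "str":
        return text.encode("utf-8")
    if fmt == "hex":
        return bytes.fromhex(text)
    if fmt in ("u32", "i32", "u128", "i128"):
        size = int(fmt[1:]) // 8
        # to_bytes raises OverflowError when the number does not fit
        return int(text).to_bytes(size, "big", signed=fmt.startswith("i"))
    if fmt == "ipv4":
        return ipaddress.IPv4Address(text).packed
    if fmt == "ipv6":
        return ipaddress.IPv6Address(text).packed
    raise ValueError(f"unknown format {fmt!r}")

def tlv(attr_type, value):
    """One attribute: Type (1 byte), Length (1 byte, counts both), Value."""
    if not 0 < attr_type <= 255:
        raise ValueError("attribute type must be 1..255")
    if len(value) > 253:
        raise ValueError("value exceeds the 253 bytes one attribute can carry")
    return bytes([attr_type, len(value) + 2]) + value

def split_spec(spec):
    """'<type>=<format>,<value>' -> (type, value bytes); value may hold '=' or ','."""
    attr_type, rest = spec.split("=", 1)
    fmt, text = rest.split(",", 1)
    return int(attr_type), encode_value(fmt, text)

def encode_avp(spec):
    """Encode one raw AVP specification as a RADIUS attribute."""
    return tlv(*split_spec(spec))

def encode_vsa(spec):
    """'<vendor_id>:<vendor_type>=...' -> Vendor-Specific (type 26) attribute."""
    vendor_id, rest = spec.split(":", 1)
    # Assumption: ';' separates sub-attributes and never appears inside a value.
    body = b"".join(tlv(*split_spec(part)) for part in rest.split(";"))
    return tlv(26, struct.pack("!I", int(vendor_id)) + body)
```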
Reading Attributes from File
Create an attribute file:
# attributes.txt
attr User-Name=alice
attr NAS-IP-Address=10.0.0.1
avp 6=u32,2
vsa 9:1=str,shell:priv-lvl=15
Use the file:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--attr-file attributes.txt
Read from stdin:
echo "attr User-Name=testuser" | radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--attr-file -
Request Types
Access-Request (auth)
radiator-client \
--type auth \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret
Expected response: Access-Accept (code 2)
Accounting-Request (acct)
radiator-client \
--type acct \
--server 127.0.0.1 \
--port 1813 \
--secret mysecret \
--user alice \
--attr "Acct-Status-Type=Start" \
--attr "Acct-Session-Id=session123"
Expected response: Accounting-Response (code 5)
Disconnect-Request
radiator-client \
--type disconnect-request \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--attr "Acct-Session-Id=session123"
Expected response: Disconnect-ACK (code 40)
CoA-Request
radiator-client \
--type coa-request \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--attr "Session-Timeout=3600"
Expected response: CoA-ACK (code 43)
Repeating Requests
Execute multiple requests for testing:
# Repeat 10 times, fail if any request fails
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--repeat 10 \
--repeat-mode all
# Repeat 10 times, succeed if at least one request succeeds
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--repeat 10 \
--repeat-mode any
Repeat modes:
- all: Exit with error if any request fails (default)
- any: Exit with error only if all requests fail
- whatever: Always exit with zero regardless of results
Transport Protocols
By default, radiator-client uses UDP transport. You can specify TCP or TLS (RadSec) transport using the --transport flag.
UDP Transport (Default)
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret
TCP Transport
Use plain TCP transport for RADIUS-over-TCP:
radiator-client \
--server 127.0.0.1 \
--port 2083 \
--secret mysecret \
--user alice \
--password secret \
--transport tcp
TLS Transport (RadSec)
Use TLS transport for secure RADIUS communication (RFC 6614). When using TLS, the shared secret is typically radsec.
Basic TLS with system CA certificates:
radiator-client \
--server radius.example.com \
--port 2083 \
--secret radsec \
--user alice \
--password secret \
--transport tls \
--tls-server-name radius.example.com
TLS with custom CA certificate:
radiator-client \
--server 127.0.0.1 \
--port 2083 \
--secret radsec \
--user alice \
--password secret \
--transport tls \
--tls-ca-certificate /path/to/ca.pem \
--tls-server-name radius.example.com
TLS with mutual authentication (client certificate):
radiator-client \
--server 127.0.0.1 \
--port 2083 \
--secret radsec \
--user alice \
--password secret \
--transport tls \
--tls-ca-certificate /path/to/ca.pem \
--tls-certificate /path/to/client-cert.pem \
--tls-key /path/to/client-key.pem \
--tls-server-name radius.example.com
TLS Options
| Option | Description |
|---|---|
| --tls-certificate | Path to client certificate file (PEM format) |
| --tls-key | Path to client private key file (PEM format) |
| --tls-ca-certificate | Path to CA certificate file (PEM format) |
| --tls-server-name | Server name for TLS SNI and certificate verification |
If --tls-ca-certificate is not specified, system root certificates are used for server verification.
PROXY Protocol Support
PROXY protocol can be combined with TCP or TLS transport.
Send requests with PROXY protocol v2 header:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--transport tcp \
--proxy-protocol v2 \
--proxy-client-addr 192.168.1.100:12345
Raw Packet Handling
Send Raw Hex Packet
Replay captured RADIUS packets:
# From Wireshark: right-click packet, Copy -> As Hex Stream
radiator-client \
--server 127.0.0.1 \
--hex "0104002a..." \
--expect-response-code Access-Accept
Save Packet to File
Write packet hex without sending:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--hex-output-file packet.hex
Read Packet from File
radiator-client \
--server 127.0.0.1 \
--hex-input-file packet.hex
Response Code Validation
Use --expect-response-code to validate the response packet type. It accepts
either a numeric code or a case-insensitive packet type name:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--expect-response-code Access-Accept
Valid packet type names (case-insensitive): access-request, access-accept,
access-reject, accounting-request, accounting-response, access-challenge,
status-server, disconnect-request, disconnect-ack, disconnect-nak,
coa-request, coa-ack, coa-nak.
Format Packet Subcommand
The format-packet subcommand parses a hex-encoded RADIUS packet and prints
its contents in a readable table format. This is useful for inspecting captured
packets from Wireshark or other tools.
# From a hex string argument
radiator-client format-packet "0104002ae15a5a35..."
It also accepts Wireshark-style hex dump input with offset prefixes:
radiator-client format-packet "
0000 28 00 00 3e e1 58 5a 35 ca a5 7b b3 cd eb 08 4e
0010 46 0b 10 b2 2c 2a 36 30 32 36 45 46 35 43 44 43
"
See radiator-client format-packet --help for details.
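The two input shapes described above (a plain hex stream and an offset-prefixed dump), handled in Python as an added example that is not radiator-client's own parser. The dump is the page's sample, which stops at 32 bytes; the function names are hypothetical.

```python
import struct

# The Wireshark-style sample shown above, copied from the page as-is.
PAGE_DUMP = """
0000 28 00 00 3e e1 58 5a 35 ca a5 7b b3 cd eb 08 4e
0010 46 0b 10 b2 2c 2a 36 30 32 36 45 46 35 43 44 43
"""

def hex_input_to_bytes(text):
    """Accept a plain hex stream or an offset-prefixed hex dump."""
    out = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()   # drop #-prefixed comments
        # An offset column is a leading token longer than one byte pair,
        # followed only by space-separated byte pairs.
        if (len(tokens) > 1 and len(tokens[0]) > 2
                and all(len(t) == 2 for t in tokens[1:])):
            tokens = tokens[1:]
        out.append("".join(tokens))
    return bytes.fromhex("".join(out))   # ValueError on anything non-hex

def parse_packet(data):
    """Decode the 20-byte header and walk the attributes, noting truncation."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20].hex(),
            "missing": max(0, length - len(data)), "attributes": []}
    pos, end = 20, min(length, len(data))
    while pos + 2 <= end:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2:
            raise ValueError(f"attribute at offset {pos} has length {alen}")
        info["attributes"].append({
            "type": atype, "length": alen,
            "value": data[pos + 2:min(pos + alen, end)],
            "complete": pos + alen <= end})
        pos += alen
    return info
```

On the page's sample the Length field declares 62 bytes while only 32 are present, so the single attribute is reported with `complete` set to `False` and `missing` is 30.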
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success (expected response received) |
| 1 | Error (timeout, unexpected response, or other failure) |
Troubleshooting
Common Issues
Timeout errors
- Verify server IP and port are correct
- Check firewall rules allow UDP traffic
- Increase timeout with --timeout 10s
Invalid response authenticator
- Verify shared secret matches server configuration
- Check for secret character encoding issues
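Why a secret that looks identical on screen can still fail this check: an added Python example (not Radiator code) that recomputes the RFC 2865 Response Authenticator and tries the same secret text in different byte encodings. The packet bytes, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    """True if the authenticator in a response matches this secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        return False
    expected = response_authenticator(
        code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def try_secrets(packet, request_auth, candidates):
    """Check one response against several byte forms of the secret."""
    return {label: verify_response(packet, request_auth, secret)
            for label, secret in candidates.items()}

# Constructed sample: an Access-Accept (code 2, id 7) carrying
# Reply-Message "ok", signed by a server that stores the secret as UTF-8.
REQUEST_AUTH = bytes(range(16))
SECRET_TEXT = "s3cr\u00e9t"
ATTRS = bytes([18, 4]) + b"ok"
RESPONSE = (struct.pack("!BBH", 2, 7, 20 + len(ATTRS))
            + response_authenticator(2, 7, ATTRS, REQUEST_AUTH,
                                     SECRET_TEXT.encode("utf-8"))
            + ATTRS)
CANDIDATES = {
    "utf-8": SECRET_TEXT.encode("utf-8"),
    "latin-1": SECRET_TEXT.encode("latin-1"),          # one byte for the accent
    "utf-8 + newline": SECRET_TEXT.encode("utf-8") + b"\n",  # pasted from a file
}
```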
Access-Reject received
- Verify username and password are correct
- Check server logs for authentication failure reason
- Use --verbose for detailed packet inspection
Verbose Mode
Enable verbose output to see a structured, annotated hex dump of each RADIUS
packet. The output uses #-prefixed comment lines for metadata, so it can be
directly re-fed to --hex or --hex-input-file for packet replay.
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--verbose
The verbose output includes:
- Header section: Code, Identifier, Length, Authenticator, and a hex dump of the 20-byte header
- Attribute sections: Type, Length, Format, Name, Value, and a per-attribute hex dump. For vendor-specific attributes (VSAs), Vendor-ID, Vendor-Name, and Vendor-Type are also shown
Dry Run
Use --dry-run to build and display the RADIUS request packet without sending
it to the server. This is useful for inspecting what would be sent. Works with
both normal and raw (--hex / --hex-input-file) modes:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--dry-run
In JSON mode (--json), --dry-run outputs the request as a JSON object.
Hex Dump
Use --hex-dump to print a full raw hex dump of the entire packet after the
table output. Unlike --verbose, which shows an annotated per-attribute hex
dump, --hex-dump displays a single contiguous hex dump of the whole packet:
radiator-client \
--server 127.0.0.1 \
--secret mysecret \
--user alice \
--password secret \
--hex-dump
The --hex-dump flag is also available on the format-packet subcommand:
radiator-client format-packet --hex-dump "0104002ae15a5a35..."
Using Custom Dictionary
Load a custom RADIUS dictionary:
radiator-client \
--dictionary /path/to/custom.dictionary \
--server 127.0.0.1 \
--secret mysecret \
--attr "Custom-Attribute=value"
Print the built-in dictionary:
radiator-client --print-dictionary
Related Documentation
- TOTP/HOTP Authentication - Detailed TOTP/HOTP configuration
- Duration Units - Timeout format reference
Subcommands
| Subcommand | Description |
|---|---|
| format-packet | Parse and display a RADIUS packet from hex input |