
CoovaRADIUS Documentation

1 Testing with JRadiusSimulator

The JRadiusSimulator is an open-source RADIUS simulation and testing tool based on the JRadius framework. It is very flexible, and easy to use for simple RADIUS AAA simulations. It allows you to hand-craft RADIUS requests and to see the responses. Select from one of several authentication protocols, UDP or RadSec transport methods, and simulate your NAS by adding standard and Vendor Specific RADIUS attributes.

To start the simulator, use the radius-simulator command on Unix or double-click on the RadiusSimulator program icon that came with the Windows or Mac distributions.

1.1 Basic Configuration

Configure the RADIUS Server to be your CoovaRADIUS server hostname or IP address. Set the Shared Secret appropriately. Since we are using a trial license, it is shown set to testing123. Select Generate a Unique Acct-Session-Id so that each request looks unique, as in typical real-life usage. Click the Attributes tab to begin adding RADIUS attributes from the JRadius dictionary.

© 2010 Coova Technologies, LLC


1.2 Adding RADIUS Attributes

Add RADIUS attributes to the various RADIUS request types and states. Begin by clicking Add Attribute to bring up a listing of all available RADIUS attributes in the JRadius dictionary.

Recommended attributes to add:

User-Name, User-Password
    Username and password placeholder (password replaced depending on authentication protocol). The username is in all packets while the password is only added to Access Request and/or Tunneled Requests.
NAS-Identifier
    The name of the NAS (access point).
NAS-Port-Type
    NAS port type, select from a list.
Acct-Session-Id
    A unique session ID generated by simulator.
Service-Type
    The service type, select from a list.
NAS-IP-Address
    The IP address of the access point.
Called-Station-Id
    The MAC address of the access point.
Calling-Station-Id
    The MAC address of the client device.
Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Octets, Acct-Output-Octets
    Some simple accounting data to add to accounting Update/Interim and Stop.

Warning! Be sure to save your configuration by selecting Save in the File menu of the main window.


1.3 Running Simulations

To run a simulation, click the Start button on the RADIUS tab.

Adjust the Simulation Type to test either only authentication or authentication followed by accounting. The attributes you have defined are added to packets depending on type (Access-Request or Accounting-Request) and accounting state (Acct-Status-Type) of either Start, Interim/Update, or Stop. If you have selected Log RADIUS to Log tab, then you will find the output of your RADIUS simulation after clicking on the Log tab.

You can also use the simulator to test your system under load by adjusting the Requester Threads and Requests per Thread parameters. It's recommended, however, that you turn off the logging as it will slow you down.


1.4 Testing against CoovaRADIUS

In order to use the simulator with your CoovaRADIUS server, there are a few configurations required in order to get an Access-Accept for your tests.

Access Point in a Network

If you have already tried a simulation and it has failed, the first thing to check is that the MAC address used in the Called-Station-Id is that of a valid access point in CoovaRADIUS and that the Access Point is part of a Network.

Shown is the Access Point with MAC address 00-00-00-00-00-00 automatically added to the system by our first (failed) authentication attempt. The record has since been edited and placed into the Global Network.


Test User exists and has Access

The User defined in the User-Name attribute must exist in the system and must have access to the Network associated with the Access Point.

Shown is the User with username test and password test created to be used in our simulation. The user was created with Realm local, which is also the Default Realm of the Global Network. Access was also added for the test user in the Global Network.


1.5 Testing EAP-TLS and RadSec

Note: A non-trial license is required to use the EAP and RadSec features of CoovaRADIUS.

In order to use RadSec as your Transport or to use the EAP-TLS authentication protocol, you must have a Client Certificate to use for authentication. In JRadiusSimulator, you configure this on the Keys tab.

Shown is the simulator configured with a client certificate and private key (both in PEM format) in file /tmp/key.pem and the trusted root CA certificate in PEM format in file /tmp/ca.pem. Click Trust All Server Certificates and leave the File fields blank to be able to use EAP-TTLS or PEAP without the client certificate configured.


To use with CoovaRADIUS, go to the Access / X509 tab to manage X509 certificates.

Shown is the certificate of the test User after clicking the New User Certificate button and generating the new certificate. To use this certificate with our simulation, we cut-and-paste the Certificate in PEM format to the /tmp/key.pem file, which is what we used in JRadiusSimulator. Additionally, click on the Export tab in the middle of the page, after selecting the test user certificate in the table, and cut-and-paste the Exported Private Key into the same file. Then click on the Show Certificate Authorities button to see the certificate of the signing CA (as shown above). Cut-and-paste the Certificate in PEM format to the /tmp/ca.pem file, as used in our simulation.
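Cut-and-paste is where this procedure usually goes wrong, so the following added example (not part of the CoovaRADIUS documentation) checks the two files before a simulation is run: the key file must hold a certificate and exactly one private key, the CA file a certificate and no key, and the key file must not be accessible to other accounts. The function names and the owner-only permission policy are assumptions of this example.

```python
import base64
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)

def pem_labels(path):
    """Return the labels of well-formed PEM blocks in a file, in file order."""
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop "Name: value" header lines (legacy encrypted keys), keep base64.
        data = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            ok = bool(base64.b64decode(data, validate=True))
        except ValueError:
            ok = False        # damaged paste: treated as a missing block
        if ok:
            labels.append(label)
    return labels

def check_key_files(key_path, ca_path):
    """Return a list of problems with the client key file and CA file."""
    problems = []
    key_labels, ca_labels = pem_labels(key_path), pem_labels(ca_path)
    if "CERTIFICATE" not in key_labels:
        problems.append("key file: no client certificate block")
    if sum(l.endswith("PRIVATE KEY") for l in key_labels) != 1:
        problems.append("key file: expected exactly one private key block")
    if "CERTIFICATE" not in ca_labels:
        problems.append("CA file: no certificate block")
    if any(l.endswith("PRIVATE KEY") for l in ca_labels):
        problems.append("CA file: contains a private key")
    # Assumed policy: a file holding a private key is owner-only (0600).
    if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        problems.append("key file: accessible by group or others")
    return problems
```

With the paths used on this page the call is check_key_files("/tmp/key.pem", "/tmp/ca.pem"); an empty list means both files have the expected structure.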


Change the Authentication Protocol to run simulations with different authentication methods. Using EAP-TLS requires a client certificate that matches the user, while others, like EAP-TTLS and PEAP, tunnel an inner authentication and the client certificate is not required.

To run a RadSec simulation, select RadSec as the Transport method, configure the Shared Secret to be radsec (required for all RadSec tunnels), and set the ports to 2083, as shown.


1.6 Example Session Log

Access Request (PEAP)

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=6)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=72)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=22)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=253)]
EAP-Message = [Binary Data (length=105)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=236)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=65)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=6)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=59)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=80)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=59)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=144)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=43)]
State = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f
State = [Binary Data (length=46)]
EAP-Message += [Binary Data (length=96)]
Message-Authenticator := [Binary Data (length=16)]

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:
MS-MPPE-Recv-Key = [Binary Data (length=50)]
MS-MPPE-Send-Key = [Binary Data (length=50)]
EAP-Message = [Binary Data (length=4)]
Acct-Interim-Interval = 300
User-Name = test
Chargeable-User-Identity = test@local
Class = [Binary Data (length=46)]
Message-Authenticator = [Binary Data (length=16)]

Accounting

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccountingRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Status-Type := Start
Class = [Binary Data (length=46)]
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccountingResponse
Attributes:

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccountingRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Time := 120
Acct-Input-Packets := 10
Acct-Output-Packets := 20
Acct-Input-Octets := 100
Acct-Output-Octets := 200
Acct-Status-Type := Alive
Class = [Binary Data (length=46)]
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccountingResponse
Attributes:

Sending RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccountingRequest
Attributes:
NAS-Identifier := simulator
NAS-Port-Type := Wireless-802.11
User-Name := test
Service-Type := Login-User
NAS-IP-Address := 127.0.0.1
Called-Station-Id := 00-00-00-00-00-00
Calling-Station-Id := 11-11-11-11-11-11
Acct-Session-Time := 120
Acct-Input-Packets := 10
Acct-Output-Packets := 20
Acct-Input-Octets := 100
Acct-Output-Octets := 200
Acct-Status-Type := Stop
Class = [Binary Data (length=46)]
Acct-Session-Id := JRadius-1d816f91b414e43683f9e7406c52451f

Received RADIUS Packet:
---------------------------------------------------------
Class: class net.jradius.packet.AccountingResponse
Attributes:
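A log like the one above can be checked mechanically instead of by eye. This added example (not part of the CoovaRADIUS documentation) parses Log tab output into packets, sums the EAP-Message fragments of each packet (a RADIUS attribute value holds at most 253 bytes, which is why one challenge above carries five of them), and reports whether a run ended in Access-Accept with a single Acct-Session-Id and a Start ... Stop accounting sequence. The function names and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample in the Log tab's wording, one packet per line (not a real capture).
REQ, RSP = (f"{d} RADIUS Packet: ---- Class: class net.jradius.packet." for d in ("Sending", "Received"))
SID = "Acct-Session-Id := JRadius-sample-01"
SAMPLE_LOG = "\n".join([
    f"{REQ}AccessRequest Attributes: User-Name := test {SID} EAP-Message += [Binary Data (length=6)]",
    f"{RSP}AccessChallenge Attributes: EAP-Message = [Binary Data (length=253)] "
    "EAP-Message = [Binary Data (length=22)] State = [Binary Data (length=46)]",
    f"{REQ}AccessRequest Attributes: User-Name := test {SID} EAP-Message += [Binary Data (length=96)]",
    f"{RSP}AccessAccept Attributes: User-Name = test EAP-Message = [Binary Data (length=4)]",
] + [f"{REQ}AccountingRequest Attributes: Acct-Status-Type := {s} {SID}\n{RSP}AccountingResponse Attributes:"
     for s in ("Start", "Alive", "Stop")])

PACKET = re.compile(r"(Sending|Received) RADIUS Packet:")
# Binary values are logged as a length only; group 3 captures that length.
ATTR = re.compile(r"([A-Za-z][\w-]*) (?::=|\+=|=) (\[Binary Data \(length=(\d+)\)\]|\S+)")

def parse_log(text):
    """Split log text into packets; works whether or not line breaks survived."""
    parts = PACKET.split(text)[1:]            # [direction, body, direction, body, ...]
    packets = []
    for direction, body in zip(parts[0::2], parts[1::2]):
        cls = re.search(r"Class: class \S*\.(\w+)", body)
        attrs = {}
        for name, value, blen in ATTR.findall(body.partition("Attributes:")[2]):
            attrs.setdefault(name, []).append(int(blen) if blen else value)
        packets.append({"dir": direction, "type": cls.group(1) if cls else "", "attrs": attrs})
    return packets

def eap_bytes(packet):
    """Total EAP payload in a packet, summed over its EAP-Message fragments."""
    return sum(packet["attrs"].get("EAP-Message", []))

def check_session(packets):
    """Return problems found in one authentication-plus-accounting run."""
    problems = []
    sent = [p for p in packets if p["dir"] == "Sending"]
    ids = {v for p in sent for v in p["attrs"].get("Acct-Session-Id", [])}
    if len(ids) != 1:
        problems.append(f"expected one Acct-Session-Id, saw {sorted(ids)}")
    replies = [p["type"] for p in packets if p["dir"] == "Received" and p["type"].startswith("Access")]
    if replies[-1:] != ["AccessAccept"]:
        problems.append(f"authentication ended with {replies[-1:] or 'no reply'}")
    states = [p["attrs"].get("Acct-Status-Type", ["?"])[0] for p in sent if p["type"] == "AccountingRequest"]
    if states[:1] != ["Start"] or states[-1:] != ["Stop"]:
        problems.append(f"accounting sequence was {states}")
    if any(n > 253 for p in packets for n in p["attrs"].get("EAP-Message", [])):
        problems.append("EAP-Message fragment longer than 253 bytes")
    return problems
```

Paste the text saved from the Log tab into parse_log and pass the result to check_session; an empty list means the run matched the expected shape.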
