Packet tracing web interface

Brian Candler B.Candler at
Sat Mar 12 14:02:22 CET 2011

I'd like to build a "packet tracer" web interface for freeradius: that is,
somewhere where you can paste in a set of AV pairs (perhaps caught from
radsniff), and you get back the AV responses plus all the decision-making
logic that took place.  Basically what freeradius -X shows.

Has anyone done this before? I have a few considerations.

(1) If I had a single persistent freeradius daemon running, and multiple
users were submitting requests to this web interface, I'd need to separate
out the debug data for each of the requests.  I guess I could have a locking
system so that only one person could be using it at once.

(Alternatively I'd have to fire off a new foreground radiusd for each
request as it came in, and kill it afterwards)

(2) What's the best way to submit the request so that it looks like it's
coming from a particular IP address? The "Client-IP-Address" attribute is
internal only, not on-the-wire.

At the moment the best I've been able to do is to create loopback interfaces
on my box with examples of the source IPs I'm interested in, then use
radclient to send the packet with a Packet-Src-IP-Address of one of those
loopbacks.  Is there a better way I've overlooked?

(Before you say it, I know a well-behaved radius server should be looking at
NAS-IP-Address not Client-IP-Address.  Unfortunately there are some cases
where we have to make logic decisions based on the Client-IP-Address)



More information about the Freeradius-Users mailing list