Testing mschapv2 with custom radius attributes

Alan DeKok aland at deployingradius.com
Tue Oct 13 14:37:02 CEST 2020

On Oct 12, 2020, at 4:22 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> I guess I'm guilty of asking an X-Y question.  So let's try again.  In
> following this guide:
> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind I
> configured a freeradius server to authenticate against active directory.

  That's good.

> However, I made a tweak to make authentication dependent on a custom VSA
> "Aruba-Essid-Name".  With that tweak the guide's advice for testing using
> radtest to confirm the configuration doesn't work since radtest doesn't
> seem to support manually setting the above VSA.

  Yes, "radtest" is for username / password testing.  If you want more than that in the packet, use radclient.

>  Elsewhere on the wiki I
> see references to radclient, radeapclient, eapol_test and rad_eap_test.  I
> have been unable to wrangle any of these tools correctly to test that my
> freeradius configuration is behaving as I want it to.

  What does that mean?  "I did stuff, but I'm not going to tell you what I did.  Please tell me what I did wrong".

>  Any help would be
> appreciated.  Thanks in advance.

  radclient doesn't do peap.  Neither does radeapclient.  However, both of those tools *will* send any VSA you want.

  See "man radclient".  Or, read "radtest".  It's just a shell script wrapper around radclient.

  Since radclient does MSCHAP, you can do most of the tests you need.  Just give it an input file with the attributes you need.

  Or, run eapol_test, and use -N.  However, you will have to create the contents of the VSA yourself. and pass it as a hex / octet string.

  How do you create the contents of the VSA?  Run "radclient -xxxx ...", and it will print out a helpful hex dump of the packets it's sending. Then, copy the hex codes from the attribute which begins with "1a".

  Alan DeKok.

More information about the Freeradius-Users mailing list