1RADCLIENT(1) FreeRADIUS Daemon RADCLIENT(1)
2
6 radclient - send packets to a RADIUS server, show reply
7
9 radclient [-4] [-6] [-c count] [-d raddb_directory] [-D dictio‐
10 nary_directory] [-f file] [-F] [-h] [-i id] [-n num_requests_per_sec‐
11 ond] [-p num_requests_in_parallel] [-q] [-r num_retries] [-s] [-S
12 shared_secret_file] [-t timeout] [-v] [-x] server {acct|auth|sta‐
13 tus|disconnect|auto} secret
14
16 radclient is a radius client program. It can send arbitrary radius
17 packets to a radius server, then shows the reply. It can be used to
18 test changes you made in the configuration of the radius server, or it
19 can be used to monitor if a radius server is up.
20 radclient reads radius attribute/value pairs from it standard input, or
22 from a file specified on the command line. It then encodes these
23 attribute/value pairs using the dictionary, and sends them to the
24 remote server.
25 The User-Password and CHAP-Password attributes are automatically
27 encrypted before the packet is sent to the server.
28
31 -4 Use IPv4 (default)
32 -6 Use IPv6
34 -c count
36 Send each packet count times.
37 -d raddb_directory
39 The directory that contains the user dictionary file. Defaults
40 to /etc/raddb.
41 -D dictionary_directory
43 The directory that contains the main dictionary file. Defaults
44 to /usr/share/freeradius.
45 -f file[:file]
47 File to read the attribute/value pairs from. If this is not
48 specified, they are read from stdin. This option can be speci‐
49 fied multiple times, in which case packets are sent in order by
50 file, and within each file, by first packet to last packet. A
51 blank line separates logical packets within a file. If a pair
52 of files separated by a colon is specified, the second file will
53 be used to filter the responses to requests from the first. The
54 number of requests and filters must be the same. A summary of
55 filter results will be displayed if -s is passed.
56 -F Print the file name, packet number and reply code.
58 -h Print usage help information.
60 -i id Use id as the RADIUS request Id.
62 -n num_requests_per_second
64 Try to send num_requests_per_second, evenly spaced. This option
65 allows you to slow down the rate at which radclient sends
66 requests. When not using -n, the default is to send packets as
67 quickly as possible, with no inter-packet delays.
68 Due to limitations in radclient, this option does not accurately
70 send the requested number of packets per second.
71 -p num_requests_in_parallel
73 Send num_requests_in_parallel, without waiting for a response
74 for each one. By default, radclient sends the first request it
75 has read, waits for the response, and once the response is
76 received, sends the second request in its list. This option
77 allows you to send many requests at simultaneously. Once
78 num_requests_in_parallel are sent, radclient waits for all of
79 the responses to arrive (or for the requests to time out),
80 before sending any more packets.
81 This option permits you to discover the maximum load accepted by
83 a RADIUS server.
84 -P proto
86 Use proto transport protocol ("tcp" or "udp"). Only available
87 if FreeRADIUS is compiled with TCP transport support.
88 -q Go to quiet mode, and do not print out anything.
90 -r num_retries
92 Try to send each packet num_retries times, before giving up on
93 it. The default is 10.
94 -s Print out some summaries of packets sent and received.
96 -S shared_secret_file
98 Rather than reading the shared secret from the command-line
99 (where it can be seen by others on the local system), read it
100 instead from shared_secret_file.
101 -t timeout
103 Wait timeout seconds before deciding that the NAS has not
104 responded to a request, and re-sending the packet. The default
105 timeout is 3.
106 -v Print out version information.
108 -x Print out debugging information.
110 server[:port]
112 The hostname or IP address of the remote server. Optionally a
113 UDP port can be specified. If no UDP port is specified, it is
114 looked up in /etc/services. The service name looked for is
115 radacct for accounting packets, and radius for all other
116 requests. If a service is not found in /etc/services, 1813 and
117 1812 are used respectively.
118 If a host name is specified, then radclient will do a DNS
120 lookup, and use the A record to find the IP address of the
121 RADIUS server. If there is no A record, then radclient will
122 look for an AAAA record. If there is no AAAA record, an error
123 will be produced.
124 IPv6 addresses may be specified by surrounding it in square
126 brackets. For example, [2002:c000:0201:0:0:0:0:0], or with a
127 port, [2002:c000:0201:0:0:0:0:0]:18120.
128 The RADIUS attributes read by radclient can contain the special
130 attribute Packet-Dst-IP-Address. If this attribute exists, then
131 that IP address is where the packet is sent, and the server
132 specified on the command-line is ignored.
133 If the RADIUS attribute list always contains the Packet-Dst-IP-
135 Address attribute, then the server parameter can be given as -.
136 The RADIUS attributes read by radclient can contain the special
138 attribute Packet-Dst-Port. If this attribute exists, then that
139 UDP port is where the packet is sent, and the :port specified on
140 the command-line is ignored.
141 acct | auth | status | disconnect | auto
144 Use auth to send an authentication packet (Access-Request), acct
145 to send an accounting packet (Accounting-Request), status to
146 send an status packet (Status-Server), or disconnect to send a
147 disconnection request. Instead of these values, you can also use
148 a decimal code here. For example, code 12 is also Status-Server.
149 The RADIUS attributes read by radclient can contain the special
151 attribute Packet-Type. If this attribute exists, then that type
152 of packet is sent, and the type specified on the command-line is
153 ignored.
154 If the RADIUS attribute list always contains the Packet-Type
156 attribute, then the type parameter can be given as auto.
157 secret The shared secret for this client. It needs to be defined on
160 the radius server side too, for the IP address you are sending
161 the radius packets from.
162
165 A sample session that queries the remote server for Status-Server (not
166 all servers support this, but FreeRADIUS has configurable support for
167 it).
168 $ echo "Message-Authenticator = 0x00" | radclient 192.0.2.42 status s3cr3t
170 Sending request to server 192.0.2.42, port 1812.
171 radrecv: Packet from host 192.0.2.42 code=2, id=140, length=54
172 Reply-Message = "FreeRADIUS up 21 days, 02:05"
173
177 radiusd(8),
178
180 Miquel van Smoorenburg, miquels@cistron.nl. Alan DeKok <aland@freera‐
181 dius.org>
182 28 February 2017 RADCLIENT(1)