1RADCLIENT(1) FreeRADIUS Daemon RADCLIENT(1)
2
6 radclient - send packets to a RADIUS server, show reply
7
9 radclient [-4] [-6] [-c count] [-d raddb_directory] [-D dictio‐
10 nary_directory] [-f file] [-F] [-h] [-i id] [-n num_requests_per_sec‐
11 ond] [-p num_requests_in_parallel] [-q] [-r num_retries] [-s] [-S
12 shared_secret_file] [-t timeout] [-v] [-x] server {acct|auth|sta‐
13 tus|coa|disconnect|auto} secret
14
16 radclient is a radius client program. It can send arbitrary radius
17 packets to a radius server, then shows the reply. It can be used to
18 test changes you made in the configuration of the radius server, or it
19 can be used to monitor if a radius server is up.
20 radclient reads radius attribute/value pairs from it standard input, or
22 from a file specified on the command line. It then encodes these
23 attribute/value pairs using the dictionary, and sends them to the
24 remote server.
25 The User-Password and CHAP-Password attributes are automatically
27 encrypted before the packet is sent to the server.
28
31 -4 Use IPv4 (default)
32 -6 Use IPv6
34 -c count
36 Send each packet count times.
37 -d raddb_directory
39 The directory that contains the user dictionary file. Defaults
40 to /etc/raddb.
41 -D dictionary_directory
43 The directory that contains the main dictionary file. Defaults
44 to /usr/share/freeradius.
45 -f file[:file]
47 File to read the attribute/value pairs from. If this is not
48 specified, they are read from stdin. This option can be speci‐
49 fied multiple times, in which case packets are sent in order by
50 file, and within each file, by first packet to last packet. A
51 blank line separates logical packets within a file. If a pair
52 of files separated by a colon is specified, the second file will
53 be used to filter the responses to requests from the first. The
54 number of requests and filters must be the same. A summary of
55 filter results will be displayed if -s is passed.
56 -F Print the file name, packet number and reply code.
58 -h Print usage help information.
60 -i id Use id as the RADIUS request Id.
62 -n num_requests_per_second
64 Try to send num_requests_per_second, evenly spaced. This option
65 allows you to slow down the rate at which radclient sends
66 requests. When not using -n, the default is to send packets as
67 quickly as possible, with no inter-packet delays.
68 Due to limitations in radclient, this option does not accurately
70 send the requested number of packets per second.
71 -p num_requests_in_parallel
73 Send num_requests_in_parallel, without waiting for a response
74 for each one. By default, radclient sends the first request it
75 has read, waits for the response, and once the response is
76 received, sends the second request in its list. This option
77 allows you to send many requests at simultaneously. Once
78 num_requests_in_parallel are sent, radclient waits for all of
79 the responses to arrive (or for the requests to time out),
80 before sending any more packets.
81 This option permits you to discover the maximum load accepted by
83 a RADIUS server.
84 -P proto
86 Use proto transport protocol ("tcp" or "udp"). Only available
87 if FreeRADIUS is compiled with TCP transport support.
88 -q Go to quiet mode, and do not print out anything.
90 -r num_retries
92 Try to send each packet num_retries times, before giving up on
93 it. The default is 10.
94 -s Print out some summaries of packets sent and received.
96 -S shared_secret_file
98 Rather than reading the shared secret from the command-line
99 (where it can be seen by others on the local system), read it
100 instead from shared_secret_file.
101 -t timeout
103 Wait timeout seconds before deciding that the NAS has not
104 responded to a request, and re-sending the packet. The default
105 timeout is 3.
106 -v Print out version information.
108 -x Print out debugging information.
110 server[:port]
112 The hostname or IP address of the remote server. Optionally a
113 UDP port can be specified. If no UDP port is specified, it is
114 looked up in /etc/services. The service name looked for is
115 radacct for accounting packets, and radius for all other
116 requests. If a service is not found in /etc/services, 1813 and
117 1812 are used respectively. For coa and disconnect packets,
118 port 3799 is used.
119 If a host name is specified, then radclient will do a DNS
121 lookup, and use the A record to find the IP address of the
122 RADIUS server. If there is no A record, then radclient will
123 look for an AAAA record. If there is no AAAA record, an error
124 will be produced.
125 IPv6 addresses may be specified by surrounding it in square
127 brackets. For example, [2002:c000:0201:0:0:0:0:0], or with a
128 port, [2002:c000:0201:0:0:0:0:0]:18120.
129 The RADIUS attributes read by radclient can contain the special
131 attribute Packet-Dst-IP-Address. If this attribute exists, then
132 that IP address is where the packet is sent, and the server
133 specified on the command-line is ignored.
134 If the RADIUS attribute list always contains the Packet-Dst-IP-
136 Address attribute, then the server parameter can be given as -.
137 The RADIUS attributes read by radclient can contain the special
139 attribute Packet-Dst-Port. If this attribute exists, then that
140 UDP port is where the packet is sent, and the :port specified on
141 the command-line is ignored.
142 acct | auth | status | coa | disconnect | auto
145 Use auth to send an authentication packet (Access-Request), acct
146 to send an accounting packet (Accounting-Request), status to
147 send a status packet (Status-Server), or coa to send a CoA-
148 Request, or disconnect to send a disconnection request. Instead
149 of these values, you can also use a decimal code here. For exam‐
150 ple, code 12 is also Status-Server.
151 The RADIUS attributes read by radclient can contain the special
153 attribute Packet-Type. If this attribute exists, then that type
154 of packet is sent, and the type specified on the command-line is
155 ignored.
156 If the RADIUS attribute list always contains the Packet-Type
158 attribute, then the type parameter can be given as auto.
159 secret The shared secret for this client. It needs to be defined on
162 the radius server side too, for the IP address you are sending
163 the radius packets from.
164
167 A sample session that queries the remote server for Status-Server (not
168 all servers support this, but FreeRADIUS has configurable support for
169 it).
170 $ echo "Message-Authenticator = 0x00" | radclient 192.0.2.42 status s3cr3t
172 Sending request to server 192.0.2.42, port 1812.
173 radrecv: Packet from host 192.0.2.42 code=2, id=140, length=54
174 Reply-Message = "FreeRADIUS up 21 days, 02:05"
175
179 radiusd(8),
180
182 Miquel van Smoorenburg, miquels@cistron.nl. Alan DeKok <aland@freera‐
183 dius.org>
184 22 March 2019 RADCLIENT(1)