Prototyping Radius Server Policies - Part 1

The intention of this blog series is to help Radius Server administrators test their configurations - mostly for purposes of learning and rapid prototyping configurations.

In part 2 we will cover the use of EAP-PEAP authentication and in part 3 we covering testing of authentication.

Prototyping RADIUS Server Policies (Part 1)

There is a wealth of information on the internet about configuring Radius Servers (Cisco ISE or Aruba Clearpass) to perform a multitude of operations.

This blog series aims to help the network administrator in configuring their RADIUS Server policies.



I will assume that you already have either a Cisco ISE or Aruba Clearpass deployment (or any other AAA server for that matter) and that you may find yourself in a situation where you have no networking gear to test your system.

This blog series will take care of that because the most common use cases can be tested entirely in software.

Having a Windows Server running in a VM is also very handy because you can perform authentications against an Active Directory, which is typical in most Enterprises. Server 2012 is available with evaluation licenses.

RADIUS Server Policies



  • PAP/CHAP authentications (simulate MAB, and any simple Request/Response use cases)
  • EAP-PEAP authentications (simulate a Wireless 802.1X doing MS-CHAPv2)
  • EAP-TLS authentications (simulate a Wireless 802.1x doing user certificate authentication)

I will caveat this by saying that what I am proposing is NOT a replacement of a real lab. But the prototyping gets you a long way to your goal. Real devices usually have side effects that you never thought of and it may throw you for a loop.

And in the case of my EAP-PEAP testing I realised that the tool I am using (eapol_test) doesn't cater for human behaviour such as mistyping a credential, and then performing a retry - these are things you will only experience in a real lab.

Let's start with the basics...

PAP and CHAP Authentications

This is the simplest form of authentication I know of and it is surprising how often it is used (e.g. MAB and simple web services).

You may think that PAP should be avoided because its passwords can be decrypted easily but in the case of Cisco ISE, the type of External Identity Source determines whether or not you can use CHAP, MS-CHAPv1/2 – e.g. if you are authenticating against an LDAP directory then ISE won’t allow you to use CHAP or MS-CHAP.

This is probably due to the way passwords need to be stored in the LDAP directory. Microsoft Servers don’t natively support CHAP and prefer MS-CHAP flavours instead.

To perform the tests mentioned in the entire blog series you will need a Linux server. I am assuming you are somewhat comfortable with Linux and installing packages. To make things simple I installed a CentOS 7 VM and made sure I could install packages with the yum command.

There is a great test suite from the Freeradius community called radtest and radclient from the freeradius-utils package. You can install it from your Linux distribution of choice – in CentOS/Redhat/Fedora distributions use the command:

yum install freeradius-utils

Here are some common constants that I will use in my examples
Username: bob
User-Password: AbCd123
Radius shared secret: RadiusS3cret
Radius Server IP address:


PAP and CHAP Authentications: Testing

The Radius UDP Source IP address is (NB: this does NOT have to be the NAD IP address - it's the address that the AAA uses to identify the NAD) - in my case is one of the IP addresses of the CentOS server (I have a single interface with multiple IP addresses to simulate a variety of different NAD's)

Send one PAP request using radtest – this format is quick, but it lacks the ability to send additional attributes that you may need.

radtest bob AbCd123 0 RadiusS3cret 1

The more flexible command ‘radclient’ is used to create more powerful authentication examples. Radclient does not support MS-CHAPv2. There is no switch to specify the password mechanism, PAP/CHAP/MS-CHAPv1 – the difference lies in the Password attribute chosen. The examples below consist of a single command where the parameters extend over multiple lines.



echo "User-Name = 'bob',User-Password = 'AbCd123',NAS-IP-Address =,Packet-Src-IP-Address =,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x auth RadiusS3cret



echo "User-Name = 'bob',CHAP-Password = 'AbCd123',NAS-IP-Address =, Packet-Src-IP-Address =,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x auth RadiusS3cret



echo "User-Name = 'bob',MS-CHAP-Password = 'AbCd123',NAS-IP-Address =,Packet-Src-IP-Address =,
Calling-Station-ID = '00:00:00:00:00:ff'"| /usr/bin/radclient -x auth RadiusS3cret

Testing MS-CHAP is interesting because you can provoke situations where the AAA Server returns error codes that indicate the reason why a request was rejected ( – eg:


You can add more attributes (comma separated) to your requests. More information about these commands can be found in the help (man) pages.

man radtest
man radclient

Click here to continue onto the following instalment of the Rapid Prototyping Radius Server Policies blog series which will show us how to perform EAP-PEAP authentications.


Prototyping RADIUS Server Policies: Summary

This concludes this second part, of the three part RADIUS prototyping series.

We've taken a look at the testing process and how you can apply this to your network.

We work mainly with Cisco ISE and Aruba Clearpass, but with RADIUS being a universal standard, the guidelines should assist across other manufacturers.


As with all work you undertake on your RADIUS installation, take great care to have a backup and backout plan: this tends to be critical infrastructure, so take care when making any changes to a live network.


Free Quote


Need Help with your Network Install?

If you’re looking for a partner to help you through the future of networking – or to help you work through the maze of how to upgrade your network, we're here to help.

Contacting us is easy:

We are experts in network design and especially Wi-Fi design and remediation and Cisco ISE. If you're ready to take the plunge, we're ready to help you with DNA Center and SDA too. 

IPTel Solutions - Experts in Network Engineering Excellence


Click to Download "Top 8 Secrets to Great Wi-Fi"