Blog
December 4, 2020
What is RADIUS server? And how you test RADIUS server? Find out in this blog!
Table of Contents
What Is RADIUS Server?
RADIUS is a client / server application level protocol that supports the AAA (authentication, authorization and accounting) framework, which is a framework for granting access to resources and controlling the utilization of those resources. The test RADIUS server protocol services heavy loads of concurrent users. In this article we are going to describe the approaches to load testing systems that use the RADIUS protocol. We will show how to perform the RADIUS Server testing using Apache JMeter™ and provide examples of possible JMeter scripts.
RADIUS provides centralized authentication, authorization and accounting management for large numbers of users who are connected to various network services. It uses UDP as its transport mechanism and is supported by numerous commercial devices for remote access. RADIUS is one of the most common AAA protocols, together with Diameter and TACACS+.
The RFC2989, which is the standard for evaluating AAA protocols, sets a number of criteria to qualify a protocol as an AAA type protocol. Some of these criteria are: client-server architecture, scalability, failover, data integrity. As for security, AAA protocol types have requirements that include authentication, integrity protection, transmission layer security and confidentiality at an object level. The complete list appears in the RFC2989 standard.
Besides these protocol criteria, the standard defines system architecture requirements. The first of those is that the protocol must be capable of servicing thousands of simultaneous requests and supporting millions of users, devices and other end client types. This means that the systems working with this protocol are high load systems and they definitely need to be load tested.
A simplified image of the system architecture that works with the RADIUS protocol is shown in the figure below.
In this figure, NAS is the network access server. It receives users’ requests for a service and sends them to the RADIUS server over the RADIUS protocol. The AP gateway works as a NAS server too. NAS acts as clients for the RADIUS server. For example, users may communicate over PPP or other protocols with the NAS, requesting the access to the Internet. NAS sends users’ requests to the RADIUS server to authenticate users, authorize their access to the Internet resources and to perform an accounting or billing of user activities.
Another example is an organization whose IT infrastructure uses multiple servers and most of its users have to register on each server to get the access to a certain service. To unify this process, the RADIUS server is used and all users are authenticated there. On the whole, the RADIUS server has to process three types of client requests: the authentication requests for the control of user’s credentials, the authorization requests for the access to the resources or services and for the status of a user’s account and the accounting requests for billing purposes or for the active session status.
There are three types of responses for all these requests:
- An Access-Reject response that shows the user’s request is incorrect.
- An Access-Challenge response which means the user has to provide additional information to the RADIUS server.
- An Access-Accept response that shows the user is granted access or the user’s request is correct and has been executed.
The strategy of load testing of RADIUS servers is by imitating NAS interactions with the RADIUS server, by generating authorization, authentication and accounting requests types over the RADIUS protocol. Apache JMeter™ is a multipurpose tool and it’s possible to interact over this protocol by using it.
Back to topHow to Test RADIUS Server
Approach 1 - Use the Third Party JMeter RADIUS Sampler
1. Download the RadiusSampler.jar file and place it into the /lib/ext directory.
2. Restart JMeter.
3. The new entry “Radius protocol sampler” will appear in the list of samplers in the “Edit-Add-Samplers” menu.
Now, let’s create a simple script, that demonstrates usage of Radius sampler.
4. Right click on the test plan and add a Thread Group component.
5. Right click on the Thread Group and add the Radius protocol sampler.
Let’s examine the control fields of the JMeter Radius protocol Sampler. The Sampler is shown in the screenshot below.
This sampler allows us to configure users that interact with the NAS, which is imitated by JMeter. The instance in which JMeter is running represents a client (NAS) and it interacts with the Radius server, sending users’ data over the Radius protocol.
- The Username and Password fields contain the username and password of the imitated users correspondingly.
- The Server IP field is the IP address of the Radius server.
- The Request Type radio button selects the type of the RADIUS packet that this particular sampler will generate: authentication, accounting or authorization and accounting.
- RADIUS is an application level protocol that uses UDP as a transport layer. The Auth and Acc port fields specify the UDP port for the communication. These ports have to be equal to the ones the RADIUS server is configured to use. By default, the port for authentication of the RADIUS server is 1812 and the accounting port of the RADIUS server is 1813.
- The Shared Secret field represents a secret key string that the client has to send to the RADIUS server. It’s configured in the RADIUS server for each client separately.
- The Timeout field limits the time the client waits for the response from the server.
- The Retry field specifies the number of times the request is repeated.
- The Packet Attributes table contains a list of attribute value pairs that are sent from the client to the Radius server with every request. In every response, the values of specified attributes are sent back from the server to the client.
To complete the script and check how the sampler works, it is necessary to install an environment with the running Radius server. There are implementations of RADIUS server that can be used for free.
For this article, the freeradius server is selected, installed for Linux. The freeradius server can be downloaded from this site.
Follow the instructions for installation and configuration of the RADIUS server, provided on the site, to prepare the test environment. Then, configure the following on freeradius:
- It is necessary to specify the IP or Mac address of the instance with JMeter in the clients.conf file of the Radius server.
- The secret key for the client has to be in this file too. This secret key is used in the JMeter Radius plugin sampler and was mentioned above.
- The ‘users’ file of the RADIUS server has to contain records about all users’ credentials and attributes that will be used in the script in the authentication requests.
- The ‘acct-users’ file of the RADIUS server has to contain records about all users' credentials and attributes that will be used in the script in the accounting requests.
- All attributes, that are passed in the requests, have to be specified in the RADIUS server configuration files too.
After the configuration is complete, let’s add a View Results Tree listener and examine the execution results.
We can see that the response contains Access-Accept. The log file returns all the attributes and the values that are configured for the client and the authenticated user. From this step on we can scale up the script, add a CSV data set config component with the list of users and attribute value pairs, declare variables and use them in the script and implement various load testing scenarios by using this sampler. Another example of JMeter script is shown in the screenshot below.
In this example the authentication request is executed first and following it are ten accounting requests executed under the loop controller. The user data is fed from the csv file.
Approach 2 - Implement the Test RADIUS Server Protocol in JMeter
If we want complete control over the data sent, we can implement communication over the RADIUS protocol by using JSR223 samplers. The code of the JSR223 sampler may be written in JAVA, Groovy or other supported programming languages. In this article we provide an example of JAVA code.
There are a few free JAVA radius client libraries, available for download. Tiny radius is one of them. Now follow the next steps:
1. Download the jar file from the provided link and place it to the /lib/ext folder of the JMeter installation directory.
2. Create your JMeter script. A simple JMeter script, generating authentication and accounting RADIUS requests is shown in the screenshot below. The script is similar to the one demonstrated above. But third party RADIUS samplers are replaced with the JSR223 JMeter samplers: one for the authentication request and one for the accounting request under the loop controller. The JSR223 assertions are child elements of the JSR223 samplers. They assert corresponding RADIUS responses for the acceptance by the RADIUS server.
3. In the screenshot, the JAVA code of the authentication request is shown. This approach demonstrates how to use JSR223 samplers to create RADIUS requests in JMeter.
Here is the code:
import org.tinyradius.packet.*; import org.tinyradius.util.*; RadiusClient RClient = new RadiusClient(vars.get("hostip"), vars.get("secretkey")); AccessRequest ReqPacket = new AccessRequest(vars.get("uname"), vars.get("upass")); ReqPacket.setAuthProtocol(AccessRequest.AUTH_CHAP); try { RadiusPacket RespPacket = RClient.authenticate(ReqPacket); if (RespPacket.ACCESS_ACCEPT == 2) vars.put("$auth_result","accepted"); else{ if (RespPacket.ACCESS_CHALLENGE == 11) vars.put("$auth_result","challenged"); else{ if (RespPacket.ACCESS_REJECT == 3) vars.put("$auth_result","rejected"); else vars.put("$auth_result","unknown"); } log.info("Not authenticated"); } } catch(Exception e){ System.out.println("The authentication request has been failed!"); vars.put("$auth_result","failed"); }
4. To scale up the test, you need to add CSV files with RADIUS clients accounts and users credentials to the thread group. The code for the authentication request is very simple. RadiusClient and AccessRequest objects are created with the parameters hostip, secretkey, uname, upass, which are variables for the radius server ip address, secret key, user name and the password accordingly. With the authentication method of the RadiusClient object, the authentication request is generated. The response result is saved in the variable resp_result, the content of which is analyzed in the child JSR223 assertion.
That’s it! Now that you’ve covered RADIUS Server load testing, it’s time to move on. Learn more JMeter from our free BlazeMeter University.