RADIUS: Remote Authentication Dial-In User Service
layer 7 RADIUS
Contents
Introduction
RADIUS allows users to authenticate to a network on a centralized entity, the RADIUS server. Moreover the protocol can be used for accounting as well. It was wide spread in companies to grant access to WLANs but is now replaced by DIAMETER. Nevertheless, we will discuss the plugin radiusDecode in the following.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow radiusDecode txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: radius2.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing RADIUS traffic!
radiusDecode
Let’s look at the plugin configuration first:
radiusDecode
vi src/radiusDecode.h
You can switch on/off Network Access Server, Framed, Tunnel and accounting info.
Moreover the counts of message and AVP types can be controlled via RADIUS_CNTS and
RADIUS_AVPTYPE respectively. RADIUS_NMS influences numeric or text based based
output of all codes or types. We leave everything as default.
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define RADIUS_CNTS 1 // Output counts (required for FORCE_MODE)
#define RADIUS_NAS 1 // Output NAS info
#define RADIUS_FRAMED 1 // Output framed info
#define RADIUS_TUNNEL 1 // Output tunnel info
#define RADIUS_ACCT 1 // Output accounting info
#define RADIUS_AVPTYPE 1 // Output AVP types
#define RADIUS_NMS 1 // 2: names; 1: values; 0: none
#define RAD_CNTMX 20 // Max number of codes/AVP types
#define RADIUS_STRMAX 128 // Max length for strings
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for radiusDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...Now run t2 on the supplied pcap.
t2 -r ~/test_data/data/radius/radius2.pcap -w ~/results -s
So the aggregated radiusStat states that there is RADIUS traffic, actually
100%. Precisely: authentication, configuration and accounting traffic. And
users connected successfully to the network.
The radiusStat column with value 0x17 is to be interpreted as follows:
bit | radiusStat | Description
=============================================================================
0 | 0x01 | Flow is radius
1 | 0x02 | Authentication and configuration traffic
2 | 0x04 | Accounting traffic
4 | 0x10 | Connection successful
All vital parameters are printed in the flow file. Note the aggregated list of codes an AVP types.
tcol ~/results/radius2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusAxsReq_Acc_Rej_Chal radiusAccReq_Resp radiusAccStart_Stop radiusCodes radiusAVPTypes radiusUser radiusPW radiusServiceType radiusLoginService radiusVendor radiusNasId radiusNasIp radiusNasPort radiusNasPortType radiusNasPortId radiusFramedIp radiusFramedMask radiusFramedProto radiusFramedComp radiusFramedMtu radiusTunnel_Medium radiusTunnelCli radiusTunnelSrv radiusTunnelCliAId radiusTunnelSrvAId radiusTunnelPref radiusAcctSessId radiusAcctSessTime radiusAcctStatType radiusAcctTerm radiusAcctInOct_OutOct radiusAcctInPkt_OutPkt radiusAcctInGw_OutGw radiusConnInfo radiusFilterId radiusCalledId radiusCallingId radiusReplyMsg
A 1 0x0400000000004000 1159224178.228064 1159224184.014749 5.786685 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1034 192.107.171.165 nz "The University of Waikato" 1812 17 0x13 14_0_0_0 0_0 0_0 1 1;4;5;30;31;12;61;77;79;80;24 "test" "" 0 0 0 "" 10.1.12.20 0 19 "" 0.0.0.0 0.0.0.0 0 0 1400 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 1 0x0400000000004001 1159224178.308331 1159224184.113480 5.805149 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1812 10.1.12.20 04 "Private network" 1034 17 0x13 0_2_0_12 0_0 0_0 11;2 85;8;9;79;80;24;26;1 "test" "" 0 0 311 "" 0.0.0.0 0 0 "" 10.1.40.34 255.255.255.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""
A 2 0x0400000000004000 1159224179.366554 1159224184.174770 4.808216 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1035 192.107.171.165 nz "The University of Waikato" 1813 17 0x05 0_0_0_0 3_0 2_1 4 44;40;45;1;4;5;30;31;61;77;46;55;49 "test" "" 0 0 0 "" 10.1.12.20 0 19 "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "451859ED-00000006" 2 1 1 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 2 0x0400000000004001 1159224179.437656 1159224184.240228 4.802572 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1813 10.1.12.20 04 "Private network" 1035 17 0x05 0_0_0_0 0_3 0_0 5 "" "" 0 0 0 "" 0.0.0.0 0 0 "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""Currently only status, code and AVP types per packets are available.
The text based output can be detected in the l7Content.
tcol ~/results/radius2_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusCode radiusAVPTypes l7Content
1 1 0x0400000000004000 1159224178.228064 0.000000 0.000000 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 1 1;4;5;30;31;12;61;77;79;80; ....6._...\ta...9...4..test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O....\t.testP....eE.*.B.._..).
2 1 0x0400000000004001 1159224178.308331 0.000000 0.000000 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 11 85;8;9;79;80;24; ...b..,..@2..T..w.q.U.......\n.("\t.....O.......hJ,H..2A^.......P..rMn..t..&....X.....\tcW.`|IP.aE@,E
3 1 0x0400000000004000 1159224178.314156 0.086092 0.086092 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 1 1;4;5;30;31;12;61;77;79;24;80; ./...2...\tD?...T<.T...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O...........\tcW.`|IP.aE@,EP...+.z.]..sW.K...
4 1 0x0400000000004001 1159224178.383704 0.075373 0.075373 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 11 85;8;9;79;80;24; ./.R._BNJ..z.......2U.......\n.("\t.....O...... P.%...m76...y.K#<....Q...4..........
5 1 0x0400000000004000 1159224178.416858 0.102702 0.188794 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 1 1;4;5;30;31;12;61;77;79;24;80; .0.\nma7h.EG.rb~..fh...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11Ol...j......_...[..E.R.iS:&..j.VG..{F...d.-h.........4.9.8.5.....\n.3.2./.f.....c.b.a.....\t.e.d.`...............Q...4..........P.a.T...6*I.|".Q1.
6 1 0x0400000000004001 1159224178.529794 0.146090 0.221463 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 11 85;8;9;79;79;79;79;79;80;24; .0.^_.....u.K....h..U.......\n.("\t.....O....\n.....x....J...F..E.R.n<....O...Y.N...t^.....w.... .y....:?1...\t>4X.{..3.?.....CU.j.5...............]0..Y0....\t...fG....0\r.\t*.H..\r.....0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0.O..\r060921042840Z.\r160918042840Z0s1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\r..U....radius1 0..\t*.H..\r.\t...admins@crc.net.nz0..0\r.\t*.H..\r.........0.......(iD...83...x.y0jb.%...).......[c.>*....y$....r...e3..!..M\n..a...V...!.."....O.o....VX.(.P...:...%.S.NN......K[H..t.%.........N........0\r.\t*.H..\r.............]o2..;P...j&Lv1..E...?cS.k.l]},..R........p..$.Y..o.....%.{.x.. ...S.H.QP.W\r..........;r;..3g]! W...!S.D....?Z"m^...h.........50..10.........\t..>..}g..0\r.\t*.H..\r.....0o1.0\t..O.U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..\r060921042542Z.\r160918042542Z0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..O.0\r.\t*.H..\r.........0..P.C..QTr%l.jB.u...............].96..
...Now switch on the human readable text based output of the codes.
t2conf radiusDecode -D RADIUS_NMS=2 && t2build radiusDecode
t2 -r ~/test_data/data/radius/radius2.pcap -w ~/results -s
The columns are now filled with code and type names.
tcol ~/results/radius2_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusAxsReq_Acc_Rej_Chal radiusAccReq_Resp radiusAccStart_Stop radiusCodesNms radiusAVPTypeNms radiusUser radiusPW radiusServiceType radiusLoginService radiusVendor radiusNasId radiusNasIp radiusNasPort radiusNasPortTypeNm radiusNasPortId radiusFramedIp radiusFramedMask radiusFramedProto radiusFramedComp radiusFramedMtu radiusTunnel_Medium radiusTunnelCli radiusTunnelSrv radiusTunnelCliAId radiusTunnelSrvAId radiusTunnelPref radiusAcctSessId radiusAcctSessTime radiusAcctStatType radiusAcctTerm radiusAcctInOct_OutOct radiusAcctInPkt_OutPkt radiusAcctInGw_OutGw radiusConnInfo radiusFilterId radiusCalledId radiusCallingId radiusReplyMsg
A 1 0x0400000000004000 1159224178.228064 1159224184.014749 5.786685 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1034 192.107.171.165 nz "The University of Waikato" 1812 17 0x13 14_0_0_0 0_0 0_0 "Access-Rq" "User-Passwd";"NAS-Port";"Service-Type";"Calling-Station-Id";"NAS-Identifier";"Framed-Compress";"Port-Limit";"Config-Token";"Msg-Auth";"Tunnel-Priv-Group-ID";"Class" "test" "" 0 0 0 "" 10.1.12.20 0 "IEEE 802.11" "" 0.0.0.0 0.0.0.0 0 0 1400 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 1 0x0400000000004001 1159224178.308331 1159224184.113480 5.805149 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1812 10.1.12.20 04 "Private network" 1034 17 0x13 0_2_0_12 0_0 0_0 "Access-Chall";"Access-Acpt" "Acct-Tunnel-Pkts-Lst";"Framed-IP-Netmsk";"Framed-Routing";"Msg-Auth";"Tunnel-Priv-Group-ID";"Class";"Session-Timeout";"User-Passwd" "test" "" 0 0 311 "" 0.0.0.0 0 "Async" "" 10.1.40.34 255.255.255.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""
A 2 0x0400000000004000 1159224179.366554 1159224184.174770 4.808216 1 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 "Private network" 1035 192.107.171.165 nz "The University of Waikato" 1813 17 0x05 0_0_0_0 3_0 2_1 "Accounting-Rq" "Acct-Authentic";"Acct-Delay-Time";"Acct-Session-Time";"User-Passwd";"NAS-Port";"Service-Type";"Calling-Station-Id";"NAS-Identifier";"Port-Limit";"Config-Token";"Acct-Input-Pkts";"Egress-VLANID";"Acct-Multi-Sess-Id" "test" "" 0 0 0 "" 10.1.12.20 0 "IEEE 802.11" "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "451859ED-00000006" 2 1 1 0_0 0_0 0_0 "CONNECT 0Mbps 802.11" "" "00-02-6F-21-EC-52:CRCnet-test" "00-02-6F-21-EC-5F" ""
B 2 0x0400000000004001 1159224179.437656 1159224184.240228 4.802572 1 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz "The University of Waikato" 1813 10.1.12.20 04 "Private network" 1035 17 0x05 0_0_0_0 0_3 0_0 "Accounting-Res" "" "" 0 0 0 "" 0.0.0.0 0 "Async" "" 0.0.0.0 0.0.0.0 0 0 0 0_0 "" "" "" "" 0 "" 0 0 0 0_0 0_0 0_0 "" "" "" "" ""Same for the packets
tcol ~/results/radius2_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto radiusStat radiusCodeNm radiusAVPTypesNm l7Content
1 1 0x0400000000004000 1159224178.228064 0.000000 0.000000 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 Access-Rq User-Passwd;NAS-Port;Service-Type;Calling-Station-Id;NAS-Identifier;Framed-Compress;Port-Limit;Config-Token;Msg-Auth;Tunnel-Priv-Group-ID; ....6._...\ta...9...4..test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O....\t.testP....eE.*.B.._..).
2 1 0x0400000000004001 1159224178.308331 0.000000 0.000000 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 Access-Chall Acct-Tunnel-Pkts-Lst;Framed-IP-Netmsk;Framed-Routing;Msg-Auth;Tunnel-Priv-Group-ID;Class; ...b..,..@2..T..w.q.U.......\n.("\t.....O.......hJ,H..2A^.......P..rMn..t..&....X.....\tcW.`|IP.aE@,E
3 1 0x0400000000004000 1159224178.314156 0.086092 0.086092 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 Access-Rq User-Passwd;NAS-Port;Service-Type;Calling-Station-Id;NAS-Identifier;Framed-Compress;Port-Limit;Config-Token;Msg-Auth;Class;Tunnel-Priv-Group-ID; ./...2...\tD?...T<.T...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11O...........\tcW.`|IP.aE@,EP...+.z.]..sW.K...
4 1 0x0400000000004001 1159224178.383704 0.075373 0.075373 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 Access-Chall Acct-Tunnel-Pkts-Lst;Framed-IP-Netmsk;Framed-Routing;Msg-Auth;Tunnel-Priv-Group-ID;Class; ./.R._BNJ..z.......2U.......\n.("\t.....O...... P.%...m76...y.K#<....Q...4..........
5 1 0x0400000000004000 1159224178.416858 0.102702 0.188794 3 eth:ipv4:udp 00:00:24:c4:9e:d8 00:80:ad:07:a3:54 0x0800 10.1.12.20 04 Private network 1034 192.107.171.165 nz The University of Waikato 1812 17 0x03 Access-Rq User-Passwd;NAS-Port;Service-Type;Calling-Station-Id;NAS-Identifier;Framed-Compress;Port-Limit;Config-Token;Msg-Auth;Class;Tunnel-Priv-Group-ID; .0.\nma7h.EG.rb~..fh...test..\n...........00-02-6F-21-EC-52:CRCnet-test..00-02-6F-21-EC-5F.....x=.....M.CONNECT 0Mbps 802.11Ol...j......_...[..E.R.iS:&..j.VG..{F...d.-h.........4.9.8.5.....\n.3.2./.f.....c.b.a.....\t.e.d.`...............Q...4..........P.a.T...6*I.|".Q1.
6 1 0x0400000000004001 1159224178.529794 0.146090 0.221463 3 eth:ipv4:udp 00:80:ad:07:a3:54 00:00:24:c4:9e:d8 0x0800 192.107.171.165 nz The University of Waikato 1812 10.1.12.20 04 Private network 1034 17 0x03 Access-Chall Acct-Tunnel-Pkts-Lst;Framed-IP-Netmsk;Framed-Routing;Msg-Auth;Msg-Auth;Msg-Auth;Msg-Auth;Msg-Auth;Tunnel-Priv-Group-ID;Class; .0.^_.....u.K....h..U.......\n.("\t.....O....\n.....x....J...F..E.R.n<....O...Y.N...t^.....w.... .y....:?1...\t>4X.{..3.?.....CU.j.5...............]0..Y0....\t...fG....0\r.\t*.H..\r.....0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0.O..\r060921042840Z.\r160918042840Z0s1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\r..U....radius1 0..\t*.H..\r.\t...admins@crc.net.nz0..0\r.\t*.H..\r.........0.......(iD...83...x.y0jb.%...).......[c.>*....y$....r...e3..!..M\n..a...V...!.."....O.o....VX.(.P...:...%.S.NN......K[H..t.%.........N........0\r.\t*.H..\r.............]o2..;P...j&Lv1..E...?cS.k.l]},..R........p..$.Y..o.....%.{.x.. ...S.H.QP.W\r..........;r;..3g]! W...!S.D....?Z"m^...h.........50..10.........\t..>..}g..0\r.\t*.H..\r.....0o1.0\t..O.U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..\r060921042542Z.\r160918042542Z0o1.0\t..U....NZ1.0...U....Hamilton1.0\r..U.\n..CRCnet1\r0...U....Auth1.0\t..U....CA1 0..\t*.H..\r.\t...admins@crc.net.nz0..O.0\r.\t*.H..\r.........0..P.C..QTr%l.jB.u...............].96..
..Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf radiusDecode --reset && t2build radiusDecode
Have fun analyzing.