EAPTest is a tool for testing authentication against RADIUS servers with the common Extensible Authentication Protocol (EAP) methods. It greatly simplifies the set-up and troubleshooting of 802.1X wired and wireless environments.
RADIUS (Remote Authentication Dial In User Service) is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) for users connecting to a secured wired or wireless network. When a client connects to a wired access switch or a wireless access point, it must present valid credentials (user name and password, or a certificate) to the network device before access is granted. The network device does not validate the credentials itself: it forwards them to an Authentication Server. The Authentication Server checks the credentials and answers the network device by accepting or rejecting the user, optionally including information about the privileges that should be assigned to that user. Clients authenticate to the network device using the 802.1X protocol; network devices submit the user credentials to the Authentication Server using the RADIUS protocol.
Several methods are available to protect the user credentials sent from the client to the Authentication Server. These methods are defined by the Extensible Authentication Protocol (EAP). The methods supported by EAPTest are TTLS, PEAP, TLS, MSCHAPv2, MD5 and GTC. With TTLS, PAP, CHAP, MSCHAP, MSCHAPv2, MD5 and GTC can be used as inner methods; with PEAP, the inner methods available are MSCHAPv2, MD5 and GTC. TLS client-certificate (Digital Identity) authentication can be tested simply by loading a PKCS#12 (PFX) file. For the TLS-based methods, TLS v1.0, v1.1 and v1.2 are supported.
EAPTest simulates both the client and the network access device and talks to the Authentication Server, providing a real-time graphical view of the RADIUS messages exchanged with it. The RADIUS attributes contained in the messages are shown, including the EAP messages, the TLS handshake and the digital certificates received from the server. Inspecting that certificate chain is worth the time: a supplicant that does not validate it will hand its inner credentials to any server that presents a certificate.
Information about the type of network access, such as the access device, the wireless network or the location, is sent to the Authentication Server through attributes contained in the RADIUS messages (for example NAS-IP-Address, NAS-Port-Type and Called-Station-Id).
The attributes sent to the Authentication Server can be specified in order to test all the possible scenarios. Information about an authenticated user is also returned by the server in attributes. A RADIUS Dictionary Database is used to encode the attributes sent and to interpret those received.
RADIUS Accounting can be tested using the Start, Stop or Interim-Update request types. The attributes carried in the Accounting-Request can be specified in order to test all the different scenarios.
Automatic Accounting can be enabled in authentication tests to simulate a complete client access: after a successful authentication, a Start and then a Stop Accounting message are sent automatically.
A full client session can also be simulated. If the Authentication phase succeeds, a sequence of Accounting messages (Start, Interim-Updates and Stop) is sent. The session duration can be fixed, or left undefined and terminated at the end of the test. During the session, Dynamic Authorization Disconnect and Change of Authorization (CoA) requests received from the server are displayed and can be acknowledged (ACK), rejected (NAK) or ignored.
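The authentication exchange described earlier and the client session simulation described just above, reduced to a runnable simulation. This is an added example, not EAPTest's code: it builds the RADIUS packets itself with hashlib and struct, uses a constructed shared secret and user table, and runs the "server" as an in-process function instead of over UDP. It shows what the shared secret protects: User-Password hiding (RFC 2865 section 5.2), the Response Authenticator the NAS must check on every Access-Accept/Reject and Accounting-Response, and the Request Authenticator an Accounting-Request carries (RFC 2866), which is computed over a zeroed authenticator field so the server can verify it before answering.

```python
import hashlib
import os
import struct

# Constructed test data for the example (not real credentials)
SECRET = b"testing123"
USERS = {b"alice": b"s3cret-pw-longer-than-16"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SESSION_TIMEOUT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 27, 40, 44
ACCT_START, ACCT_STOP = 1, 2

def encode_attrs(attrs):
    """Attributes are TLVs: one byte type, one byte total length, then the value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(payload):
    attrs, i = [], 0
    while i < len(payload):
        if i + 1 >= len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs

def build(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), followed by attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous cipher block)."""
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def acct_request_authenticator(ident, attrs, secret):
    """RFC 2866 3: the same hash, with the 16-byte authenticator field set to zero."""
    return response_authenticator(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs, secret)

def server_handle(pkt, secret, users):
    """Authentication Server side: validate the request, then reply with a signed packet (or drop it)."""
    code, ident, auth, attrs = parse(pkt)
    a = dict(attrs)
    if code == ACCESS_REQUEST:
        ok = users.get(a.get(USER_NAME)) == reveal_password(a.get(USER_PASSWORD, b""), secret, auth)
        reply, reply_attrs = (ACCESS_ACCEPT, [(SESSION_TIMEOUT, struct.pack("!I", 3600))]) if ok else (ACCESS_REJECT, [])
    elif code == ACCOUNTING_REQUEST:
        if auth != acct_request_authenticator(ident, attrs, secret):
            return None  # RFC 2866: silently discard a request whose authenticator does not verify
        reply, reply_attrs = ACCOUNTING_RESPONSE, []
    else:
        return None
    return build(reply, ident, response_authenticator(reply, ident, auth, reply_attrs, secret), reply_attrs)

def nas_exchange(req_code, ident, req_auth, attrs, secret, users):
    """NAS side: send, then refuse any reply whose Response Authenticator does not verify."""
    reply = server_handle(build(req_code, ident, req_auth, attrs), secret, users)
    if reply is None:
        return None, []
    code, rid, rauth, rattrs = parse(reply)
    if rid != ident or rauth != response_authenticator(code, rid, req_auth, rattrs, secret):
        raise ValueError("reply failed Response Authenticator check (wrong secret or forged reply)")
    return code, rattrs

def run_session(user, password, secret=SECRET, users=USERS):
    """Full client session: Access-Request, then Accounting Start and Stop if the user was accepted."""
    log = []
    req_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding and binds the reply
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    code, _ = nas_exchange(ACCESS_REQUEST, 1, req_auth, attrs, secret, users)
    log.append("Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject")
    if code != ACCESS_ACCEPT:
        return log
    for ident, status in ((2, ACCT_START), (3, ACCT_STOP)):
        attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, b"0000002A")]
        code, _ = nas_exchange(ACCOUNTING_REQUEST, ident, acct_request_authenticator(ident, attrs, secret), attrs, secret, users)
        log.append("Accounting-Response" if code == ACCOUNTING_RESPONSE else "dropped")
    return log

if __name__ == "__main__":
    print(run_session(b"alice", b"s3cret-pw-longer-than-16"))  # ['Access-Accept', 'Accounting-Response', 'Accounting-Response']
    print(run_session(b"alice", b"wrong"))                       # ['Access-Reject']
```

A mismatched shared secret shows up in two places: the server unhides the password to garbage and rejects, and the NAS side raises on the reply because the Response Authenticator no longer verifies. Real EAP methods replace the User-Password attribute with EAP-Message attributes and a Message-Authenticator (RFC 3579), but the header, authenticator and accounting rules shown here are unchanged.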
The default database includes the standard attributes from RFC 2865, 2868, 3162 and 3576 and vendor-specific dictionaries for Microsoft, Cisco and Aruba. More dictionaries can be added to the database by importing standard RADIUS attribute dictionary files; a large number of them are available from the FreeRADIUS distribution included in OS X.
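The dictionary import described above, and the use of the dictionary to interpret received attributes mentioned earlier, as an added example that is not EAPTest's code: a parser for the FreeRADIUS dictionary syntax (ATTRIBUTE, VALUE, VENDOR and BEGIN-VENDOR/END-VENDOR lines) and a decoder that uses it to name the attributes in a RADIUS attribute payload, including the sub-attributes nested inside Vendor-Specific (type 26). The dictionary text and the packet bytes are constructed for the example; the attribute and vendor numbers are the RFC 2865 and vendor assignments.

```python
import ipaddress
import struct

# Constructed excerpt in FreeRADIUS dictionary syntax. The numbers are the real RFC 2865
# and vendor assignments, but this text is the example's own, not a file shipped with EAPTest.
SAMPLE_DICTIONARY = """
ATTRIBUTE	User-Name		1	string
ATTRIBUTE	Framed-IP-Address	8	ipaddr
ATTRIBUTE	Vendor-Specific		26	octets
ATTRIBUTE	NAS-Port-Type		61	integer
VALUE	NAS-Port-Type	Ethernet	15
VALUE	NAS-Port-Type	Wireless-802.11	19

VENDOR		Cisco		9
BEGIN-VENDOR	Cisco
ATTRIBUTE	Cisco-AVPair	1	string
END-VENDOR	Cisco

VENDOR		Microsoft	311
# older dictionaries name the vendor in a trailing column instead of BEGIN-VENDOR
ATTRIBUTE	MS-MPPE-Send-Key	16	octets	Microsoft
"""

def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)

class RadiusDictionary:
    def __init__(self):
        self.attrs = {}    # (vendor id, attribute number) -> (name, type); vendor 0 = standard space
        self.values = {}   # (attribute name, integer) -> symbolic value name
        self.vendors = {}  # vendor name -> vendor id

    def load(self, text):
        current_vendor = 0
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue
            kw = fields[0]
            if kw == "VENDOR":
                self.vendors[fields[1]] = _num(fields[2])
            elif kw == "BEGIN-VENDOR":
                current_vendor = self.vendors[fields[1]]
            elif kw == "END-VENDOR":
                current_vendor = 0
            elif kw == "ATTRIBUTE":
                name, number, typ = fields[1], _num(fields[2]), fields[3]
                # a fifth field is either an old-style vendor name or a flag such as encrypt=1
                vendor = self.vendors.get(fields[4], current_vendor) if len(fields) > 4 else current_vendor
                self.attrs[(vendor, number)] = (name, typ)
            elif kw == "VALUE":
                self.values[(fields[1], _num(fields[3]))] = fields[2]
        return self

    def decode_value(self, name, typ, data):
        if typ == "string":
            return data.decode("utf-8", "replace")
        if typ in ("integer", "date") and len(data) == 4:
            n = struct.unpack("!I", data)[0]
            return self.values.get((name, n), n)
        if typ == "ipaddr" and len(data) == 4:
            return str(ipaddress.IPv4Address(data))
        return data.hex()  # octets, or a value whose length does not match its declared type

    def _tlvs(self, payload, offset=0):
        """Walk Type/Length/Value triples, refusing lengths that run past the buffer."""
        i = offset
        while i < len(payload):
            if i + 1 >= len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
                raise ValueError("malformed attribute at offset %d" % i)
            yield payload[i], payload[i + 2:i + payload[i + 1]]
            i += payload[i + 1]

    def decode(self, payload):
        out = []
        for t, data in self._tlvs(payload):
            if t == 26 and len(data) >= 6:  # Vendor-Specific: 4-byte Vendor-Id, then vendor TLVs
                vid = struct.unpack("!I", data[:4])[0]
                for st, sdata in self._tlvs(data, 4):
                    name, typ = self.attrs.get((vid, st), ("Vendor-%d-Attr-%d" % (vid, st), "octets"))
                    out.append((name, self.decode_value(name, typ, sdata)))
            else:
                name, typ = self.attrs.get((0, t), ("Attr-%d" % t, "octets"))
                out.append((name, self.decode_value(name, typ, data)))
        return out

def _attr(t, v):
    return bytes([t, len(v) + 2]) + v

# Constructed attribute payload, as it would follow the 20-byte header of an Access-Request
SAMPLE_PAYLOAD = (
    _attr(1, b"alice")
    + _attr(8, bytes([10, 0, 0, 5]))
    + _attr(61, struct.pack("!I", 19))
    + _attr(26, struct.pack("!I", 9) + _attr(1, b"shell:priv-lvl=15"))
    + _attr(26, struct.pack("!I", 311) + _attr(16, bytes(range(8))))
    + _attr(26, struct.pack("!I", 99999) + _attr(7, b"\x01\x02"))  # vendor not in the dictionary
)

def decode_sample():
    return RadiusDictionary().load(SAMPLE_DICTIONARY).decode(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, value in decode_sample():
        print("%-22s %s" % (name, value))
```

Unknown attributes and unknown vendors fall back to a numeric name with a hex value rather than being dropped, which is what you want when a server returns something the loaded dictionaries do not cover; importing the vendor's dictionary file then turns those entries into named, typed values.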