Capture and Analysis of RADIUS traffic using tshark


Performance evaluation of wireless security systems - Part 4

RADIUS (Remote Authentication Dial In User Service) is a protocol standardized by the IETF for carrying authentication information between an access point and a back-end authentication server. The RADIUS protocol is deployed by most Internet Service Providers and in enterprise wireless networks to manage large networks with many subscribers. In this article, we explain how to use the tshark tool to capture authentication traffic between an access point and the RADIUS server. The captured traffic is then used to derive some basic statistics, such as the number of successful authentications and the number of failed authentications.


RADIUS and EAP authentication

In wireless network access control, the RADIUS protocol is used by wireless access points that support the 802.1X protocol to forward EAP messages between the wireless station and the back-end EAP server collocated with the RADIUS server. The access point extracts EAP messages from the 802.1X frames received from the wireless station, encapsulates them into RADIUS packets and sends them to the back-end RADIUS server. The RADIUS server, after processing the EAP payload, generates an EAP message and sends it back to the wireless access point. That EAP payload is then encapsulated into an 802.1X frame and sent to the wireless station. The EAP exchange continues until an EAP-Success message is sent from the RADIUS server to the wireless access point.


About tshark

Tshark is an open-source command line tool for dumping and analyzing network traffic. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

Tshark is developed as part of the Wireshark project. On Debian-based systems, it can be installed using apt by simply typing

    sudo apt-get install tshark

Generating RADIUS traffic (Optional)

A large amount of traffic corresponding to EAP authentication over RADIUS can be generated using the eapol_test utility from the wpa_supplicant project. eapol_test must be compiled from source by typing

    make eapol_test 

To generate traffic using eapol_test, we run the following script from a machine that can reach the RADIUS server.

    # Replace 0.0.0.0 with the IP address of the RADIUS server under test.
    count=0
    while [ "$count" -lt 1000 ]
    do
        # One full EAP authentication per iteration, using the EAP method
        # and credentials from wpa_supplicant.conf
        ./eapol_test -a 0.0.0.0 -c ./wpa_supplicant.conf -r 1 -t 9999
        count=$((count + 1))
    done

This runs 1000 EAP/RADIUS authentications against the specified RADIUS server. The options are as follows:

  • The -a flag specifies the RADIUS server's IP address.
  • The -c flag specifies a wpa_supplicant configuration file in which the EAP method as well as the authentication credentials are specified.
  • The -r flag tells the eapol_test utility not to use re-authentication when available but to always perform a full EAP authentication.

Capturing RADIUS traffic

The first step in analyzing network authentication performance consists of capturing the RADIUS traffic that transports the EAP authentication exchanges. To do that, we need to run tshark on a host located on the path between the wireless access points and the RADIUS server.

To instruct tshark to capture RADIUS traffic, we issue the following command:

    tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap

  • The -f flag specifies a capture filter. Packets that do not match the condition following the -f flag are not captured.
  • The -i flag specifies the interface on which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is.
  • The -w flag specifies a file where the captured traffic is saved for later processing.

Here is a sample capture of EAP/RADIUS authentication traffic: capture-peap-sr-20msrtt.cap


Processing the captured RADIUS traffic

The simplest way of processing the captured traffic is to display a few fields from every RADIUS packet in the capture file.

For example, the following command displays the fields 'radius.code', 'eap.type', 'eap.code' and 'radius.id' of each captured packet:

    tshark \
    -z "proto,colinfo,radius.code,radius.code" \
    -z "proto,colinfo,eap.type,eap.type" \
    -z "proto,colinfo,eap.code,eap.code" \
    -z "proto,colinfo,radius.id,radius.id" \
    -r /tmp/capture.cap

This will produce something like the following

      ....
      19977 1062.806287  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=1, l=1014)  radius.id == 1  eap.code == 2  eap.type == 88  radius.code == 1
      19978 1062.890329  192.168.0.1 -> 192.168.0.2  RADIUS Access-challenge(11) (id=1, l=936)  radius.id == 1  eap.code == 1  eap.type == 88  radius.code == 11
      19979 1063.119105  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=2, l=1014)  radius.id == 2  eap.code == 2  eap.type == 88  radius.code == 1
      19980 1063.205393  192.168.0.1 -> 192.168.0.2  RADIUS Access-challenge(11) (id=2, l=936)  radius.id == 2  eap.code == 1  eap.type == 88  radius.code == 11
      19981 1063.222137  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=3, l=1014)  radius.id == 3  eap.code == 2  eap.type == 88  radius.code == 1
      19982 1063.226623  192.168.0.1 -> 192.168.0.2  RADIUS Access-challenge(11) (id=3, l=936)  radius.id == 3  eap.code == 1  eap.type == 88  radius.code == 11
      19983 1063.227406  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=4, l=1014)  radius.id == 4  eap.code == 2  eap.type == 88  radius.code == 1
      19984 1063.230624  192.168.0.1 -> 192.168.0.2  RADIUS Access-Accept(2) (id=4, l=160)  radius.id == 4  eap.code == 3  radius.code == 2
      19985 1063.415240  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=5, l=138)  radius.id == 5  eap.code == 2  eap.type == 1  radius.code == 1
      ....

The above output contains a lot of data about the RADIUS traffic that we captured; however, that kind of output is not very easy to interpret. Using simple tools such as wc, grep and awk, we can extract more useful statistical information. For example, since every successful authentication ends with exactly one Access-Accept packet, the number of successful authentications can be computed by counting those packets:

    tshark \
    -z "proto,colinfo,radius.code,radius.code" \
    -z "proto,colinfo,eap.type,eap.type" \
    -z "proto,colinfo,eap.code,eap.code" \
    -z "proto,colinfo,radius.id,radius.id" \
    -r /tmp/capture.cap | grep Access-Accept | wc -l
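The grep/wc pipeline above counts successes only. The following shell function is an added example, not part of the original article, that extends the same idea with awk: it counts Access-Accept (code 2) and Access-Reject (code 3) packets and measures the time from the Access-Request that opens each exchange (the one carrying an EAP-Identity response, eap.type == 1) to the Access-Accept or Access-Reject that closes it. It assumes tshark's "-z proto,colinfo" one-line-per-packet output in the format shown above, with the relative timestamp in the second column, and it assumes exchanges run one after another as the eapol_test loop produces them; with several access points authenticating at the same time the state would need to be kept per client. The function names radius_stats and sample_lines are ours, and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article). Real usage:
#   tshark -z "proto,colinfo,radius.code,radius.code" \
#          -z "proto,colinfo,eap.type,eap.type" \
#          -r /tmp/capture.cap | radius_stats

radius_stats() {
    awk '
    {
        ts = $2 + 0                        # relative timestamp, second column
        code = -1; eaptype = -1
        # Pull "radius.code == N" and "eap.type == N" wherever they appear on
        # the line; packets without an EAP payload simply have no eap.type
        if (match($0, /radius\.code == [0-9]+/))
            code = substr($0, RSTART + 15, RLENGTH - 15) + 0
        if (match($0, /eap\.type == [0-9]+/))
            eaptype = substr($0, RSTART + 12, RLENGTH - 12) + 0
        # Access-Request (1) carrying EAP-Identity (type 1) opens an exchange
        # (assumes sequential exchanges, as produced by the eapol_test loop)
        if (code == 1 && eaptype == 1) { start = ts; inflight = 1 }
        # Access-Accept (2) or Access-Reject (3) closes the exchange
        if (code == 2 || code == 3) {
            if (code == 2) { accept++ } else { reject++ }
            if (inflight) { total += ts - start; finished++; inflight = 0 }
        }
    }
    END {
        printf "accept=%d reject=%d completed=%d avg_latency_s=%.3f\n",
               accept, reject, finished, (finished ? total / finished : 0)
    }'
}

# Constructed sample in the same format as the tshark output above:
# one successful and one rejected PEAP (EAP type 25) authentication.
sample_lines() {
    cat <<'EOF'
    1 0.000000  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=1, l=138)  radius.id == 1  eap.code == 2  eap.type == 1  radius.code == 1
    2 0.004000  192.168.0.1 -> 192.168.0.2  RADIUS Access-challenge(11) (id=1, l=80)  radius.id == 1  eap.code == 1  eap.type == 25  radius.code == 11
    3 0.010000  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=2, l=1014)  radius.id == 2  eap.code == 2  eap.type == 25  radius.code == 1
    4 0.020000  192.168.0.1 -> 192.168.0.2  RADIUS Access-Accept(2) (id=2, l=160)  radius.id == 2  eap.code == 3  radius.code == 2
    5 0.100000  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=3, l=138)  radius.id == 3  eap.code == 2  eap.type == 1  radius.code == 1
    6 0.104000  192.168.0.1 -> 192.168.0.2  RADIUS Access-challenge(11) (id=3, l=80)  radius.id == 3  eap.code == 1  eap.type == 25  radius.code == 11
    7 0.110000  192.168.0.2 -> 192.168.0.1  RADIUS Access-Request(1) (id=4, l=1014)  radius.id == 4  eap.code == 2  eap.type == 25  radius.code == 1
    8 0.150000  192.168.0.1 -> 192.168.0.2  RADIUS Access-Reject(3) (id=4, l=44)  radius.id == 4  eap.code == 4  radius.code == 3
EOF
}

# On the constructed sample this prints:
#   accept=1 reject=1 completed=2 avg_latency_s=0.035
sample_lines | radius_stats
```

Matching on the "field == value" pairs rather than on column positions keeps the parser independent of the order in which the -z options were given, and the average latency is the figure that actually reflects the server-side performance this series is measuring; a capture with a rising reject count or growing latency under the eapol_test load is the first sign that the RADIUS server is saturating.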
