RADIUS
Default Ports: 1812/UDP (Auth), 1813/UDP (Accounting), 1645/1646 UDP (Legacy)
RADIUS is an AAA protocol used by VPNs, Wi-Fi, NAC, firewalls, routers, and MFA gateways. In pentests, RADIUS testing focuses on exposed servers, weak shared secrets, accepted client IPs, credential validation, and legacy EAP behavior.
Connect
Using radtest
radtest validates basic authentication when the shared secret and source IP are authorized.
radtest username password target.com 0 sharedsecret
radtest -x username password target.com:1812 0 sharedsecret
radtest -x username password target.com 0 sharedsecret
Using radclient
radclient gives control over RADIUS attributes.
cat > radius-request.txt << 'EOF'
User-Name = "username"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
EOF
radclient -x target.com auth sharedsecret < radius-request.txt
Accounting Test
Accounting checks whether the server accepts session events from your source.
cat > acct-request.txt << 'EOF'
User-Name = "username"
Acct-Status-Type = Start
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Acct-Session-Id = "pentest-session-1"
EOF
radclient -x target.com acct sharedsecret < acct-request.txt
Recon
Service Detection with Nmap
RADIUS runs over UDP, so no response may mean the port is filtered, the packet was invalid, or the source is not a trusted client IP.
nmap -sU -p 1812,1813,1645,1646 target.com
nmap -sU -sV -p 1812,1813 target.com
nmap -sU -p 1812,1813 --open 192.168.1.0/24
Integrated Service Discovery
RADIUS usually backs another access service.
nmap -p 443,500,4500,8443,9443 -sV target.com
nmap -sU -p 500,4500,1812,1813 target.com
Shared Secret Behavior
Wrong shared secrets often produce no useful response.
radtest -x username password target.com 0 wrongsecret
radtest -x username password target.com 0 sharedsecret
Enumeration
Client IP Trust
RADIUS servers normally accept requests only from configured NAS clients.
radclient -x target.com auth sharedsecret < radius-request.txt
User Validation
Responses may distinguish invalid users, bad passwords, and MFA requirements.
radtest -x validuser wrongpassword target.com 0 sharedsecret
radtest -x invaliduser password target.com 0 sharedsecret
Attribute Enumeration
Attributes can influence VLANs, groups, and access policy.
cat > attrs.txt << 'EOF'
User-Name = "username"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "pentest"
Service-Type = Framed-User
EOF
radclient -x target.com auth sharedsecret < attrs.txt
EAP Method Review
Wireless and NAC environments should be checked for legacy EAP methods.
eapol_test -c peap.conf -s sharedsecret -a target.com
eapol_test -c ttls.conf -s sharedsecret -a target.com
Attack Vectors
Weak Shared Secret
Weak shared secrets can allow crafted authentication or accounting traffic.
radtest -x username password target.com 0 sharedsecret
User Enumeration
Different responses or timing may reveal valid users.
while IFS= read -r u; do
  radtest -x "$u" wrongpassword target.com 0 sharedsecret
done < users.txt
Password Guessing
Credential testing must be scoped because RADIUS often backs VPN and Wi-Fi.
hydra -L users.txt -P passwords.txt -s 1812 target.com radius
MFA Weakness
RADIUS MFA integrations may allow fail-open, push fatigue, or bypass by policy.
radtest -x username password target.com 0 sharedsecret
radtest -x username 'password,123456' target.com 0 sharedsecret
Accounting Abuse
Accepted accounting packets may pollute logs or session state.
radclient -x target.com acct sharedsecret < acct-request.txt
Post-Exploitation
Access Path Review
Map which VPN, Wi-Fi, or NAC systems depend on the RADIUS server.
grep -Ei 'NAS-IP-Address|NAS-Identifier|Called-Station-Id|Reply-Message' radius-output.txt
Credential Validation
Validate only scoped accounts and avoid broad password spraying.
radtest -x username password target.com 0 sharedsecret
Logging Check
Generate controlled failures and confirm SIEM visibility.
radtest -x invaliduser invalidpass target.com 0 sharedsecret
radclient -x target.com acct sharedsecret < acct-request.txt
Useful Tools
| Tool | Purpose |
|---|---|
| radtest | Basic auth checks |
| radclient | Custom packet testing |
| eapol_test | EAP testing |
| nmap | UDP service detection |
| hydra | Scoped credential testing |
| tcpdump | Packet capture |
Security Misconfigurations
| Misconfiguration | Risk |
|---|---|
| Weak shared secret | Forged or abused RADIUS requests |
| Broad client IP trust | Unauthorized NAS requests |
| Verbose auth responses | User enumeration |
| Legacy EAP methods | Credential capture or downgrade risk |
| Weak MFA policy | Remote access bypass |
| Exposed RADIUS server | Authentication attack surface |
| Accepted accounting from untrusted clients | Session or log pollution |