Inspecting RADIUS Traffic with Wireshark

Overview

In this lab, we'll start up a RADIUS server on port 1812. RADIUS supplies centralized authorization, authentication and accounting management for users that are connecting to the service.

Process

We'll start by using IdBlender to create a public RADIUS server.

This should now indicate that we’ve set up a RADIUS server:

Now we can open wireshark and put in a filter for port 1812 (the port RADIUS operates with)

We can open wireshark and run inspecting traffic, but nothing seems to happen. Now we need to use the client in our RADIUS server architecture. We will use a program use NTRadPing. If we put in all of our credentials, the port number RADIUS works on and the IP address that we were provided with our RADIUS server and hit send. We see Access=Accept <img src=https://imgur.com/JWwBvVy.png" alt="NTRadPing" /> If we try an incorrect password we get a different result. Opening wireshark and inspecting the first packet we can see that the username is sent in cleartext and the password is encrypted: We can also see that the first request was successful and the second one failed. RADIUS uses a secret key and the MD5 hashing algorithm to hide the passwords. Now we can open our Access-Request packet and see that our password is now shown in plain text.