Testing an IdP

Test every IdP configuration change before exposing it to production users.

1. Validate the Configuration

freeradius -XC

This checks the full FreeRADIUS configuration tree for syntax and module-loading errors.

2. Run in Debug Mode

From one terminal:

systemctl stop freeradius
freeradius -X

Use -X for readable debug output. It is usually sufficient for troubleshooting.

3. Test Local Authentication

For a simple local PAP test:

radtest user@institution.ac.ke 'testpass' 127.0.0.1 0 testing123

This is useful only for backends that accept PAP in the test path. It does not fully simulate Wi-Fi EAP.

4. Test EAP Properly

Where available, use eapol_test from wpa_supplicant to validate PEAP, TTLS, or TLS end to end.

Typical checks:

  • outer EAP negotiation completes
  • server certificate is presented correctly
  • inner authentication succeeds
  • expected reply attributes are returned
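
An added example (not from the original page) of an eapol_test run for PEAP/MSCHAPv2 that pins the CA and the expected server name, so the test fails if the server certificate is not the one clients should trust. The account, password, CA path, server name, and ssid value are constructed placeholders, and the choice of PEAP/MSCHAPv2 is an assumption.

```shell
#!/bin/sh
# Added example. Identity, password, CA path and server name are constructed
# placeholders; replace them with a dedicated test account and your own CA.

# Print an eapol_test (wpa_supplicant) profile for PEAP/MSCHAPv2.
# $1=identity  $2=password  $3=CA file  $4=expected server name suffix
write_peap_conf() {
    realm="${1#*@}"
    cat <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@${realm}"
    identity="$1"
    password="$2"
    phase2="auth=MSCHAPV2"
    ca_cert="$3"
    domain_suffix_match="$4"
}
EOF
}

# Reduce eapol_test output to pass/fail: the tool prints SUCCESS or FAILURE
# as its final line.
eap_verdict() {
    last=$(printf '%s\n' "$1" | awk 'NF { l = $0 } END { print l }')
    if [ "$last" = "SUCCESS" ]; then echo pass; else echo fail; fi
}

# Usage: sh eap-check.sh <radius-host> <shared-secret>
if [ "$#" -eq 2 ] && command -v eapol_test >/dev/null 2>&1; then
    conf=$(mktemp)
    trap 'rm -f "$conf"' EXIT
    write_peap_conf 'user@institution.ac.ke' 'testpass' \
        '/path/to/ca.pem' 'radius.institution.ac.ke' > "$conf"
    out=$(eapol_test -c "$conf" -a "$1" -p 1812 -s "$2" -t 10 2>&1) || true
    printf '%s\n' "$out" | tail -n 20
    [ "$(eap_verdict "$out")" = "pass" ] || exit 1
fi
```

Run it against 127.0.0.1 with the test client secret while freeradius -X is running in the other terminal, and compare the debug output with the checks listed above.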

5. Production Validation

Before go-live, confirm:

  • local users can authenticate
  • users with each supported realm can authenticate
  • expected VLANs or roles are assigned
  • accounting records are written
  • certificate trust works on Windows, macOS, Linux, Android, and iOS profiles