You can use eapol_test, which is part of the wpa_supplicant package. You need to download the source code and compile it with make eapol_test (it's not built by default). It should work at least on Linux, Windows and Mac OS X (not advertised as much, but I could compile and use it on the latter).
You create a configuration file (some examples here, but I could not find an overview of all options, I think src/eap_peer/eap_config.h contains some), and then run the tool:
./eapol_test -c <config file> -s <shared secret> -a <ip address of radius server>
In all the output you should see the TLS certificate pass by, but you can also dump them to a file by passing the -o option:
-o<server cert file> = Write received server certificate
chain to the specified file
If you specify the ca_cert option in the configuration file, the program will also do a verification of the sent chain, and you see the verification result in the output of the program (not in the file with dumped certificates).
Afterwards, you can also use the rad_eap_test wrapper, which returns a status output compatible with Nagios.
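The steps from this answer as one script (an added example, not part of the original answer): it writes a PEAP configuration, runs eapol_test with -o, and reports how many certificates were dumped. The identity, password, ssid and output file name are placeholders, and it assumes the -o file is PEM and that a failed ca_cert check shows up as wpa_supplicant's CTRL-EVENT-EAP-TLS-CERT-ERROR event in the output.

```shell
#!/bin/sh
# Added example. Identity, password, ssid and file names are placeholders.

# Write a minimal PEAP/MSCHAPv2 network block.
# $1 = config file to create, $2 = CA bundle path (empty: no ca_cert line,
# so the chain is dumped but not verified).
write_conf() {
    {
        echo 'network={'
        echo '    ssid="example"'
        echo '    key_mgmt=WPA-EAP'
        echo '    eap=PEAP'
        echo '    identity="probe@example.org"'
        echo '    anonymous_identity="anonymous@example.org"'
        echo '    password="placeholder-password"'
        echo '    phase2="auth=MSCHAPV2"'
        [ -n "${2:-}" ] && echo "    ca_cert=\"$2\""
        echo '}'
    } > "$1"
}

# Count certificates in the file written by -o (assumed to be PEM).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# True if the eapol_test output contains a certificate-error event
# (assumption: this is how a failed ca_cert verification is reported).
chain_rejected() { grep -q 'CTRL-EVENT-EAP-TLS-CERT-ERROR' "$1"; }

# usage: sh dump-chain.sh <radius-ip> <shared-secret> [ca-bundle.pem]
main() {
    conf=$(mktemp); log=$(mktemp); chain=server-chain.pem
    write_conf "$conf" "${3:-}"
    # The exit status is ignored on purpose: with placeholder credentials the
    # inner authentication fails, but the server chain is sent before that.
    ./eapol_test -c "$conf" -s "$2" -a "$1" -o"$chain" > "$log" 2>&1
    echo "certificates dumped to $chain: $(count_certs "$chain")"
    if [ -n "${3:-}" ]; then
        if chain_rejected "$log"; then
            echo "chain verification against $3: FAILED (see $log)"
        else
            echo "chain verification against $3: no certificate error logged"
        fi
    fi
    rm -f "$conf"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Pinning the dumped chain's issuer as ca_cert in the real supplicant profile is what prevents clients from handing credentials to a RADIUS server they have not verified.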