Radcli library

Introduction

radcli is a C library for adding RADIUS authentication and accounting to an application in roughly 50 lines of code. All server addresses, credentials, and transport choices (UDP, TCP, TLS, DTLS) live in a single configuration file; the calling application needs no transport-specific code.

Quick start

The normal call sequence is three steps:

1. Load configuration — parses the config file and initialises the transport:

   rc_handle *rh = rc_read_config("/etc/radiusclient/radiusclient.conf");

2. Build an attribute list — attach the attributes you want to send:

   VALUE_PAIR *send = NULL;
   rc_avpair_add(rh, &send, PW_USER_NAME,     username, -1, 0);
   rc_avpair_add(rh, &send, PW_USER_PASSWORD, password, -1, 0);

3. Send the request — rc_auth() handles retries, failover, and response validation automatically:

   VALUE_PAIR *received = NULL;
   int result = rc_auth(rh, 0, send, &received, NULL);
   // result == OK_RC on success
   rc_avpair_free(send);
   rc_avpair_free(received);
   rc_destroy(rh);

The transport is selected entirely in the config file (serv-type = udp, tcp, tls, or dtls); no code changes are required to switch. TLS and DTLS additionally require certificate or PSK credentials to be set in the config file (tls-ca-file, tls-cert-file, tls-key-file). See radexample.c for a complete compilable example.

Operation without a config file

Programmatic configuration (without a file) is also possible using rc_new(), rc_config_init(), rc_add_config(), and rc_apply_config().

Background

RADIUS (Remote Authentication Dial In User Service, RFC 2865/2866) is a protocol for carrying authentication, authorisation, and accounting information between a Network Access Server and a shared Authentication Server. radcli implements the client side, and is source-compatible with freeradius-client and radiusclient-ng.