RADIUS packet format (UDP packet)
  code           (1 byte)
  identifier     (1 byte)
  length         (2 bytes)
  authenticator  (16 bytes)
  attributes     (variable length)

As per RFC-2865 and RFC-2866

RADIUS packet fields

Field          Length    Meaning                                                            Values
Code           1 byte    Identifies the type of RADIUS packet                               see Code table
Identifier     1 byte    Matches requests and replies, in combination with the source IP
                         address and port
Length         2 bytes   Total length of the packet in bytes, including Code, Identifier,   20 to 4096
                         Length, Authenticator and Attributes. Must be validated: packets
                         shorter than the stated length are discarded, longer ones are
                         cut to the stated length
Authenticator  16 bytes  Authenticates the reply from the server                            see Authenticator table
Attributes     variable  Contains the attributes according to the packet type               see below

Code values

  Code  Meaning
  1     Access-Request
  2     Access-Accept
  3     Access-Reject
  4     Accounting-Request
  5     Accounting-Response
  11    Access-Challenge
  12    Status-Server (experimental)
  13    Status-Client (experimental)
  255   Reserved

Authenticator field contents by type of packet

  Access-Request
    A 16-byte random (unpredictable) value. The secret shared between the RADIUS client and server, followed by this Authenticator field, is put through an MD5 hash, generating a 16-byte digest which is XORed with the password entered by the user; the result is placed in the User-Password attribute.

  Access-Accept, Access-Reject, Access-Challenge
    The MD5 hash of the concatenation of:
    Code field + Identifier + Length + Authenticator field of the request + Attributes + Shared secret

Note: the specific shared secret must be selected based on the IP of the client, so that different clients can have different secrets.
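The two Authenticator computations above, as an added Python example that is not part of the original page: hiding and recovering User-Password with MD5(secret + Request Authenticator), and building and verifying the Response Authenticator of Access-Accept/Reject/Challenge replies. The page describes only the first 16-byte block of the password hiding; this example also chains the later blocks the way RFC 2865 does for longer passwords. The shared secret and Request Authenticator used in the comments are constructed values, not real credentials.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: pad to a 16-byte multiple and XOR the first block with
    MD5(secret + Request Authenticator), as the page describes; for longer
    passwords RFC 2865 keys each next block with the previous cipher block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse hide_password and strip the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Authenticator = MD5(Code + Identifier + Length + Request Authenticator
    + Attributes + Shared secret), exactly the concatenation listed above."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator over the reply and compare it
    in constant time with the Authenticator field the reply carries."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False           # shorter than stated: discard
    packet = packet[:length]   # longer than stated: cut to Length
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

A reply whose Authenticator does not verify must be silently discarded; the secret used here is the one selected for the client's source IP, as the note above requires.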

Access-Request

Should include:

  - one User-Name attribute
  - one or both of the NAS-IP-Address and NAS-Identifier attributes
  - one of the User-Password (coded as above), CHAP-Password or State attributes
  - zero, one or both of the NAS-Port and NAS-Port-Type attributes

Note: the Identifier field must be changed for each new request, and not changed on retransmit.

Note: other attributes may be present, but they can be ignored.


Access-Accept

If all attributes from the Access-Request are acceptable, an Access-Accept packet must be sent back.

The Identifier field will be the same as the one in the Access-Request.

Should include the attributes needed to configure the NAS.


Access-Reject

If any of the attributes from the Access-Request is unacceptable, an Access-Reject must be sent back.

The Identifier field will be the same as the one in the Access-Request.

Attributes are optional, and may be logged by the client.


Access-Challenge

tbd


Attributes

Attribute layout

  type    (1 byte)
  length  (1 byte)
  value   (variable length)

The type is defined in the Assigned numbers RFC.

The possible data types for attribute values:

Data type  Description
text       1 to 253 bytes of UTF-8 character data
string     1 to 253 bytes of binary data
address    32-bit value, MSB first
integer    unsigned 32 bits, MSB first
time       unsigned 32 bits, MSB first, time in seconds since the epoch
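An added Python parser (not from the page) for the layout above: it applies the header's Length rules (20 to 4096, shorter datagrams discarded, longer ones cut to Length) and walks the type/length/value attributes, rejecting an attribute length under 2 so a malformed packet cannot make the loop spin forever. The attribute-to-data-type mapping is a subset of the page's table, and the sample Access-Request is constructed, not captured traffic.

```python
import ipaddress
import struct

# Code values and a subset of attribute data types, both taken from the page's tables.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
         5: "Accounting-Response", 11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
ATTR_TYPES = {1: "text", 4: "address", 5: "integer", 6: "integer", 8: "address", 18: "text", 32: "text"}

def decode_value(atype: int, raw: bytes):
    """Decode an attribute value by its data type; unknown types stay as raw bytes (string)."""
    kind = ATTR_TYPES.get(atype, "string")
    if kind == "text":
        return raw.decode("utf-8")            # page: 1..253 bytes of UTF-8; bad bytes raise
    if kind in ("address", "integer"):
        if len(raw) != 4:
            raise ValueError(f"type {atype} needs a 4-byte value, got {len(raw)}")
        return str(ipaddress.IPv4Address(raw)) if kind == "address" else struct.unpack("!I", raw)[0]
    return raw

def parse_packet(datagram: bytes) -> dict:
    """Split a RADIUS UDP payload into header fields and attribute TLVs, applying the
    page's Length rules: shorter than Length is discarded, longer is cut to Length."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= 4096:
        raise ValueError(f"Length {length} outside 20..4096")
    if len(datagram) < length:
        raise ValueError("datagram shorter than its Length field: discard")
    if code not in CODES:
        raise ValueError(f"unknown Code {code}")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        # Attribute length counts its own 2 header bytes; a value under 2 would never advance
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        attrs.append((atype, decode_value(atype, datagram[pos + 2:pos + alen])))
        pos += alen
    return {"code": CODES[code], "id": ident, "authenticator": datagram[4:20], "attrs": attrs}

# Constructed sample Access-Request (not captured traffic): User-Name "bob",
# NAS-IP-Address 192.0.2.10, NAS-Port 7, all-zero Request Authenticator.
SAMPLE = (struct.pack("!BBH", 1, 5, 37) + bytes(16)
          + b"\x01\x05bob" + b"\x04\x06\xc0\x00\x02\x0a" + b"\x05\x06\x00\x00\x00\x07")
```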
Attribute types

Type  Name                         Area            Data type  Size
1     User-Name                    Authentication  string     >=1
2     User-Password                Authentication  string     >=16
3     CHAP-Password                Authentication  string     16
4     NAS-IP-Address               Authentication  address    4
5     NAS-Port                     Authentication  integer    4
6     Service-Type                 Authentication  integer    4
        Key to table:
        Key  Name                     Description
        1    Login                    The user should be connected to a host
        2    Framed                   A Framed Protocol should be started for the user, such as PPP or SLIP
        3    Callback Login           The user should be disconnected and called back, then connected to a host
        4    Callback Framed          The user should be disconnected and called back, then a Framed Protocol should be started for the user, such as PPP or SLIP
        5    Outbound                 The user should be granted access to outgoing devices
        6    Administrative           The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed
        7    NAS Prompt               The user should be provided a command prompt on the NAS from which non-privileged commands can be executed
        8    Authenticate Only        Only authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself)
        9    Callback NAS Prompt      The user should be disconnected and called back, then provided a command prompt on the NAS from which non-privileged commands can be executed
        10   Call Check               Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name
        11   Callback Administrative  The user should be disconnected and called back, then granted access to the administrative interface to the NAS from which privileged commands can be executed
7     Framed-Protocol              Authentication  integer    4
        Key to table:
        1    PPP
        2    SLIP
        3    AppleTalk Remote Access Protocol (ARAP)
        4    Gandalf proprietary SingleLink/MultiLink protocol
        5    Xylogics proprietary IPX/SLIP
        6    X.75 Synchronous
8     Framed-IP-Address            Authentication  address    4
        0xffffffff   enables the user to select an address
        0xfffffffe   enables the NAS to select an address
        other value  the address to be assigned
9     Framed-IP-Netmask            Authentication  address    4
10    Framed-Routing               Authentication  integer    4
        Key to table:
        0    None
        1    Send routing packets
        2    Listen for routing packets
        3    Send and Listen
11    Filter-Id                    Authentication  text       >=1
        The name of the filter list for the user
12    Framed-MTU                   Authentication  integer    4
        The MTU to be configured for the user, from 64 to 65535
13    Framed-Compression           Authentication  integer    4
        Key to table:
        0    None
        1    VJ TCP/IP header compression [10]
        2    IPX header compression
        3    Stac-LZS compression
14    Login-IP-Host                Authentication  address    4
        The system with which to connect the user (with Login-Service)
        0xffffffff    enables the user to select the address
        0x00000000    enables the NAS to select the address
        other values  indicate the address
15    Login-Service                Authentication  integer    4
        Key to table:
        0    Telnet
        1    Rlogin
        2    TCP Clear
        3    PortMaster (proprietary)
        4    LAT
        5    X25-PAD
        6    X25-T3POS
        8    TCP Clear Quiet (suppresses any NAS-generated connect string)
16    Login-TCP-Port               Authentication  integer    4
17    (unassigned)                 -
18    Reply-Message                Authentication  text       >=1
        An optional message sent to the user
19    Callback-Number              Authentication  text       >=1
        Dialing string for callback
20    Callback-Id                  Authentication  string     >=1
        The name of the place to be called
21    (unassigned)                 -
22    Framed-Route                 Authentication
23    Framed-IPX-Network           Authentication
24    State                        Authentication
25    Class                        Authentication
26    Vendor-Specific              Authentication
27    Session-Timeout              Authentication
28    Idle-Timeout                 Authentication
29    Termination-Action           Authentication
30    Called-Station-Id            Authentication
31    Calling-Station-Id           Authentication
32    NAS-Identifier               Authentication
33    Proxy-State                  Authentication
34    Login-LAT-Service            Authentication
35    Login-LAT-Node               Authentication
36    Login-LAT-Group              Authentication
37    Framed-AppleTalk-Link        Authentication
38    Framed-AppleTalk-Network     Authentication
39    Framed-AppleTalk-Zone        Authentication
40    Acct-Status-Type             Accounting
41    Acct-Delay-Time              Accounting
42    Acct-Input-Octets            Accounting
43    Acct-Output-Octets           Accounting
44    Acct-Session-Id              Accounting
45    Acct-Authentic               Accounting
46    Acct-Session-Time            Accounting
47    Acct-Input-Packets           Accounting
48    Acct-Output-Packets          Accounting
49    Acct-Terminate-Cause         Accounting
50    Acct-Multi-Session-Id        Accounting
51    Acct-Link-Count              Accounting
52-59 (reserved)                   Accounting
60    CHAP-Challenge               Authentication
61    NAS-Port-Type                Authentication
62    Port-Limit                   Authentication
63    Login-LAT-Port               Authentication
192-223  (experimental)            -
224-240  (implementation-specific) -
241-255  (reserved)                -