Add a UDP payload for ports 1645 and 1812, radius. It is an

Access-Request packet containing no username or password, intended to
get an Access-Reject in response.

payload.cc

@@ -172,6 +172,20 @@ static const char payload_rip[] =
   "\001\001\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
   "\000\000\000\000\000\000\000\020";
 
+/* RADIUS Access-Request. This is a degenerate packet with no username or
+   password; we expect an Access-Reject in response. The Identifier and Request
+   Authenticator are both 0. It was generated by running
+     echo 'User-Password = ""' | radclient <ip> auth ""
+   and then manually stripping out the password.
+
+   Section 2 of the RFC says "A request from a client for which the RADIUS
+   server does not have a shared secret MUST be silently discarded." So this
+   payload only works when the server is configured (or misconfigured) to know
+   the scanning machine as a client. */
+static const char payload_radius[] =
+  "\001\000\000\024"
+  "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000";
+
 /* DNS Service Discovery (DNS-SD) service query, as used in Zeroconf.
    Transaction ID 0x0000, flags 0x0000, 1 question: PTR query for
    _services._dns-sd._udp.local. If the remote host supports DNS-SD it will send
@@ -244,6 +258,13 @@ const char *udp_port2payload(u16 dport, size_t *length){
       SET_PAYLOAD(payload_Sqlping);
       break;
     */
+    /* RFC 2865: "The early deployment of RADIUS was done using UDP port number
+       1645, which conflicts with the "datametrics" service. The officially
+       assigned port number for RADIUS is 1812. */
+    case 1645:
+    case 1812:
+      SET_PAYLOAD(payload_radius);
+      break;
     case 5353:
       SET_PAYLOAD(payload_dns_sd);
       break;