open-vault/website/content/docs/auth/radius.mdx

83 lines
1.9 KiB
Plaintext
Raw Normal View History

2017-02-07 21:04:27 +00:00
---
layout: docs
page_title: RADIUS - Auth Methods
2017-02-07 21:04:27 +00:00
description: |-
The "radius" auth method allows users to authenticate with Vault using an
existing RADIUS server.
2017-02-07 21:04:27 +00:00
---
# RADIUS Auth Method
2017-02-07 21:04:27 +00:00
The `radius` auth method allows users to authenticate with Vault using an
existing RADIUS server that accepts the PAP authentication scheme.
2017-02-07 21:04:27 +00:00
## Authentication
The default path is `/radius`. If this auth method was enabled at a different
path, specify `-path=/my-path` in the CLI.
2017-02-07 21:04:27 +00:00
### Via the CLI
2017-02-07 21:04:27 +00:00
```shell-session
$ vault login -method=radius username=sethvargo
```
2017-02-07 21:04:27 +00:00
### Via the API
2017-02-07 21:04:27 +00:00
The default endpoint is `auth/radius/login`. If this auth method was enabled
at a different path, use that value instead of `radius`.
2017-02-07 21:04:27 +00:00
```shell-session
$ curl \
--request POST \
--data '{"password": "..."}' \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/radius/login/sethvargo
2017-02-07 21:04:27 +00:00
```
The response will contain a token at `auth.client_token`:
2017-02-07 21:04:27 +00:00
```json
2017-02-07 21:04:27 +00:00
{
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": ["admins"],
2017-02-07 21:04:27 +00:00
"metadata": {
"username": "mitchellh"
}
2017-02-07 21:04:27 +00:00
}
}
```
## Configuration
### Via the CLI
2017-02-07 21:04:27 +00:00
1. Enable the radius auth method:
2017-02-07 21:04:27 +00:00
```text
$ vault auth enable radius
```
2017-02-07 21:04:27 +00:00
1. Configure connection details for your RADIUS server.
2017-02-07 21:04:27 +00:00
```text
$ vault write auth/radius/users/mitchellh policies=admins
```
2017-02-07 21:04:27 +00:00
For the complete list of configuration options, please see the API
documentation.
2017-02-07 21:04:27 +00:00
The above creates a new mapping for user "mitchellh" that will be associated
with the "admins" policy.
2017-02-07 21:04:27 +00:00
Alternatively, Vault can assign a configurable set of policies to any user
that successfully authenticates with the RADIUS server but has no explicit
mapping in the `users/` path. This is done through the
`unregistered_user_policies` configuration parameter.
2017-02-07 21:04:27 +00:00
## API
The RADIUS auth method has a full HTTP API. Please see the
[RADIUS Auth API](/api-docs/auth/radius) for more
2017-08-08 16:28:17 +00:00
details.