--- layout: docs page_title: RADIUS - Auth Methods description: |- The "radius" auth method allows users to authenticate with Vault using an existing RADIUS server. --- # RADIUS Auth Method The `radius` auth method allows users to authenticate with Vault using an existing RADIUS server that accepts the PAP authentication scheme. ## Authentication The default path is `/radius`. If this auth method was enabled at a different path, specify `-path=/my-path` in the CLI. ### Via the CLI ```shell-session $ vault login -method=radius username=sethvargo ``` ### Via the API The default endpoint is `auth/radius/login`. If this auth method was enabled at a different path, use that value instead of `radius`. ```shell-session $ curl \ --request POST \ --data '{"password": "..."}' \ http://127.0.0.1:8200/v1/auth/radius/login/sethvargo ``` The response will contain a token at `auth.client_token`: ```json { "auth": { "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb", "policies": ["admins"], "metadata": { "username": "mitchellh" } } } ``` ## Configuration ### Via the CLI 1. Enable the radius auth method: ```text $ vault auth enable radius ``` 1. Configure connection details for your RADIUS server. ```text $ vault write auth/radius/users/mitchellh policies=admins ``` For the complete list of configuration options, please see the API documentation. The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy. Alternatively, Vault can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the `users/` path. This is done through the `unregistered_user_policies` configuration parameter. ## API The RADIUS auth method has a full HTTP API. Please see the [RADIUS Auth API](/vault/api-docs/auth/radius) for more details.