open-vault/website/source/docs/auth/radius.html.md

layout	page_title	sidebar_current	description
docs	RADIUS - Auth Methods	docs-auth-radius	The "radius" auth method allows users to authenticate with Vault using an existing RADIUS server.

RADIUS Auth Method

The radius auth method allows users to authenticate with Vault using an existing RADIUS server that accepts the PAP authentication scheme.

Authentication

The default path is /radius. If this auth method was enabled at a different path, specify -path=/my-path in the CLI.

Via the CLI

$ vault login -path=radius username=sethvargo

Via the API

The default endpoint is auth/radius/login. If this auth method was enabled at a different path, use that value instead of radius.

$ curl \
    --request POST \
    --data '{"password": "..."}' \
    http://127.0.0.1:8200/v1/auth/radius/login/sethvargo

The response will contain a token at auth.client_token:

{
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    }
  }
}

Configuration

Via the CLI

1. Enable the radius auth method:

   $ vault auth enable radius
   

2. Configure connection details for your RADIUS server.

   $ vault write auth/radius/users/mitchellh policies=admins
   

   For the complete list of configuration options, please see the API documentation.

   The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy.

   Alternatively, Vault can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the users/ path. This is done through the unregistered_user_policies configuration parameter.

API

The RADIUS auth method has a full HTTP API. Please see the RADIUS Auth API for more details.