luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/auth/radius.html.md
Chris Hoffman 191d48f848 API Docs updates (#3101)
2017-08-08 12:28:17 -04:00

2.7 KiB
Raw Blame History

layout page_title sidebar_current description
docs Auth Backend: RADIUS docs-auth-radius The "radius" auth backend allows users to authenticate with Vault using an existing RADIUS server.

Auth Backend: RADIUS

Name: radius

The "radius" auth backend allows users to authenticate with Vault using an existing RADIUS server that accepts the PAP authentication scheme.

The mapping of users to Vault policies is managed by using the users/ path.

Optionally, a configurable set of policies can be granted to all users that can successfully authenticate but are not registered in the users/ path.

Authentication

Via the CLI

$ vault auth -method=userpass -path=radius \
    username=foo \
    password=bar

Via the API

The endpoint for the login is auth/radius/login/<username>.

The password should be sent in the POST body encoded as JSON.

$ curl $VAULT_ADDR/v1/auth/radius/login/mitchellh \
    -d '{ "password": "foo" }'

Alternatively a POST request can be made to auth/radius/login/ with both username and password sent in the POST body encoded as JSON.

The response will be in JSON. For example:

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": [
      "admins"
    ],
    "metadata": {
      "username": "mitchellh"
    },
    "lease_duration": 0,
    "renewable": false
  }
}

Configuration

First, you must enable the RADIUS auth backend:

$ vault auth-enable radius
Successfully enabled 'radius' at 'radius'!

Now when you run vault auth -methods, the RADIUS backend is available:

Path       Type      Description
token/     token     token based credentials
radius/    radius

To use the radius auth backend, it must first be configured with connection details for your RADIUS server. The configuration options are detailed below in the API docs. Configuration is written to auth/radius/config.

To use the "radius" auth backend, an operator must configure a mapping between users and policies. An example is shown below. Use vault path-help for more details.

$ vault write auth/radius/users/mitchellh \
    policies=admins
...

The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy.

Alternatively, Vault can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the users/ path. This is done through the unregistered_user_policies configuration parameter.

API

The RADIUS authentication backend has a full HTTP API. Please see the RADIUS Auth API for more details.