115 lines
2.7 KiB
Markdown
115 lines
2.7 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "Auth Backend: RADIUS"
|
|
sidebar_current: "docs-auth-radius"
|
|
description: |-
|
|
The "radius" auth backend allows users to authenticate with Vault using an existing RADIUS server.
|
|
---
|
|
|
|
# Auth Backend: RADIUS
|
|
|
|
Name: `radius`
|
|
|
|
The "radius" auth backend allows users to authenticate with Vault using
|
|
an existing RADIUS server that accepts the PAP authentication scheme.
|
|
|
|
The mapping of users to Vault policies is managed by using the
|
|
`users/` path.
|
|
|
|
Optionally, a configurable set of policies can be granted to all users that
|
|
can successfully authenticate but are not registered in the `users/` path.
|
|
|
|
## Authentication
|
|
|
|
#### Via the CLI
|
|
|
|
```
|
|
$ vault auth -method=userpass -path=radius \
|
|
username=foo \
|
|
password=bar
|
|
```
|
|
|
|
#### Via the API
|
|
|
|
The endpoint for the login is `auth/radius/login/<username>`.
|
|
|
|
The password should be sent in the POST body encoded as JSON.
|
|
|
|
```shell
|
|
$ curl $VAULT_ADDR/v1/auth/radius/login/mitchellh \
|
|
-d '{ "password": "foo" }'
|
|
```
|
|
|
|
Alternatively a POST request can be made to `auth/radius/login/`
|
|
with both `username` and `password` sent in the POST body encoded as JSON.
|
|
|
|
The response will be in JSON. For example:
|
|
|
|
```javascript
|
|
{
|
|
"lease_id": "",
|
|
"renewable": false,
|
|
"lease_duration": 0,
|
|
"data": null,
|
|
"auth": {
|
|
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
|
|
"policies": [
|
|
"admins"
|
|
],
|
|
"metadata": {
|
|
"username": "mitchellh"
|
|
},
|
|
"lease_duration": 0,
|
|
"renewable": false
|
|
}
|
|
}
|
|
```
|
|
|
|
## Configuration
|
|
|
|
First, you must enable the RADIUS auth backend:
|
|
|
|
```
|
|
$ vault auth-enable radius
|
|
Successfully enabled 'radius' at 'radius'!
|
|
```
|
|
|
|
Now when you run `vault auth -methods`, the RADIUS backend is
|
|
available:
|
|
|
|
```
|
|
Path Type Description
|
|
token/ token token based credentials
|
|
radius/ radius
|
|
```
|
|
|
|
To use the radius auth backend, it must first be configured with connection
|
|
details for your RADIUS server.
|
|
The configuration options are detailed below in the API docs.
|
|
Configuration is written to `auth/radius/config`.
|
|
|
|
To use the "radius" auth backend, an operator must configure a
|
|
mapping between users and policies. An example is shown below.
|
|
Use `vault path-help` for more details.
|
|
|
|
```
|
|
$ vault write auth/radius/users/mitchellh \
|
|
policies=admins
|
|
...
|
|
```
|
|
|
|
The above creates a new mapping for user "mitchellh" that
|
|
will be associated with the "admins" policy.
|
|
|
|
Alternatively, Vault can assign a configurable set of policies to
|
|
any user that successfully authenticates with the RADIUS server but
|
|
has no explicit mapping in the `users/` path.
|
|
This is done through the `unregistered_user_policies` configuration parameter.
|
|
|
|
## API
|
|
|
|
The RADIUS authentication backend has a full HTTP API. Please see the
|
|
[RADIUS Auth API](/api/auth/radius/index.html) for more
|
|
details.
|
|
|