open-vault/website/content/docs/auth/radius.mdx

---
layout: docs
page_title: RADIUS - Auth Methods
description: |-
  The "radius" auth method allows users to authenticate with Vault using an
  existing RADIUS server.
---

# RADIUS Auth Method

The `radius` auth method allows users to authenticate with Vault using an
existing RADIUS server that accepts the PAP authentication scheme.

## Authentication

The default path is `/radius`. If this auth method was enabled at a different
path, specify `-path=/my-path` in the CLI.

### Via the CLI

```shell-session
$ vault login -method=radius username=sethvargo
```

### Via the API

The default endpoint is `auth/radius/login`. If this auth method was enabled
at a different path, use that value instead of `radius`.

```shell-session
$ curl \
    --request POST \
    --data '{"password": "..."}' \
    http://127.0.0.1:8200/v1/auth/radius/login/sethvargo
```

The response will contain a token at `auth.client_token`:

```json
{
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": ["admins"],
    "metadata": {
      "username": "mitchellh"
    }
  }
}
```

## Configuration

### Via the CLI

1. Enable the radius auth method:

   ```text
   $ vault auth enable radius
   ```

1. Configure connection details for your RADIUS server.

   ```text
   $ vault write auth/radius/users/mitchellh policies=admins
   ```

   For the complete list of configuration options, please see the API
   documentation.

   The above creates a new mapping for user "mitchellh" that will be associated
   with the "admins" policy.

   Alternatively, Vault can assign a configurable set of policies to any user
   that successfully authenticates with the RADIUS server but has no explicit
   mapping in the `users/` path. This is done through the
   `unregistered_user_policies` configuration parameter.

## API

The RADIUS auth method has a full HTTP API. Please see the
[RADIUS Auth API](/api-docs/auth/radius) for more
details.