RADIUS Auth Method

The radius auth method allows users to authenticate with Vault using an existing RADIUS server that accepts the PAP authentication scheme.

Authentication

The default path is /radius. If this auth method was enabled at a different path, specify -path=/my-path in the CLI.

Via the CLI

$ vault login -method=radius username=sethvargo

Via the API

The default endpoint is auth/radius/login. If this auth method was enabled at a different path, use that value instead of radius.

$ curl \
    --request POST \
    --data '{"password": "..."}' \
    http://127.0.0.1:8200/v1/auth/radius/login/sethvargo

The response will contain a token at auth.client_token:

{
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": ["admins"],
    "metadata": {
      "username": "mitchellh"
    }
  }
}
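
The same API login as an added Python example (not part of the Vault documentation): it prompts for the password instead of placing it on the command line, URL-encodes the mount path and username, and reads the token from auth.client_token. The function names, the vault.example.com host used in testing, and the rule that plaintext HTTP is accepted only for loopback addresses are assumptions of this example.

```python
import getpass
import json
import urllib.parse
import urllib.request

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def build_login_request(vault_addr, username, password, mount="radius"):
    """Build the POST to auth/<mount>/login/<username>; password goes in the body."""
    parts = urllib.parse.urlsplit(vault_addr)
    # Assumption of this example: plaintext HTTP is only tolerated on loopback,
    # because the body carries the RADIUS password and the reply carries a token.
    if parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("refusing to send credentials over plaintext HTTP")
    url = "{}/v1/auth/{}/login/{}".format(
        vault_addr.rstrip("/"),
        urllib.parse.quote(mount.strip("/"), safe="/"),
        urllib.parse.quote(username, safe=""),
    )
    body = json.dumps({"password": password}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )


def extract_token(response_body):
    """Return (client_token, policies) from a login response, or raise."""
    auth = json.loads(response_body).get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response contains no auth.client_token")
    return token, auth.get("policies", [])


def login(vault_addr, username, mount="radius"):
    # getpass keeps the password out of shell history and the process list.
    password = getpass.getpass("RADIUS password for {}: ".format(username))
    req = build_login_request(vault_addr, username, password, mount)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_token(resp.read())


if __name__ == "__main__":
    token, policies = login("http://127.0.0.1:8200", "sethvargo")
    print("policies:", policies)  # the token itself is deliberately not printed
```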

Configuration

Via the CLI

  1. Enable the radius auth method:

    $ vault auth enable radius
    
  2. Configure connection details for your RADIUS server.

    $ vault write auth/radius/users/mitchellh policies=admins
    

    For the complete list of configuration options, please see the API documentation.

    The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy.

    Alternatively, Vault can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the users/ path. This is done through the unregistered_user_policies configuration parameter.

API

The RADIUS auth method has a full HTTP API. Please see the RADIUS Auth API for more details.
