HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.4.x. View latest version.

RADIUS Auth Method

The radius auth method allows users to authenticate with Vault using an existing RADIUS server that accepts the PAP authentication scheme.

Authentication

The default path is /radius. If this auth method was enabled at a different path, specify -path=/my-path in the CLI.

Via the CLI

$ vault login -path=radius username=sethvargo

Via the API

The default endpoint is auth/radius/login. If this auth method was enabled at a different path, use that value instead of radius.

$ curl \
    --request POST \
    --data '{"password": "..."}' \
    http://127.0.0.1:8200/v1/auth/radius/login/sethvargo

The response will contain a token at auth.client_token:

{
  "auth": {
    "client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
    "policies": ["admins"],
    "metadata": {
      "username": "mitchellh"
    }
  }
}

Configuration

Via the CLI

  1. Enable the radius auth method:

    $ vault auth enable radius

  2. Configure connection details for your RADIUS server.

    $ vault write auth/radius/users/mitchellh policies=admins

    For the complete list of configuration options, please see the API documentation.

    The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy.

    Alternatively, Vault can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the users/ path. This is done through the unregistered_user_policies configuration parameter.

API

The RADIUS auth method has a full HTTP API. Please see the RADIUS Auth API for more details.

Edit this page on GitHub