RADIUS auth method
The radius
auth method allows users to authenticate with OpenBao using an
existing RADIUS server that accepts the PAP authentication scheme.
Authentication
The default path is /radius
. If this auth method was enabled at a different
path, specify -path=/my-path
in the CLI.
Via the CLI
$ bao login -method=radius username=sethvargo
Via the API
The default endpoint is auth/radius/login
. If this auth method was enabled
at a different path, use that value instead of radius
.
$ curl \
--request POST \
--data '{"password": "..."}' \
http://127.0.0.1:8200/v1/auth/radius/login/sethvargo
The response will contain a token at auth.client_token
:
{
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": ["admins"],
"metadata": {
"username": "mitchellh"
}
}
}
Configuration
Via the CLI
-
Enable the radius auth method:
$ bao auth enable radius
-
Configure connection details for your RADIUS server.
$ bao write auth/radius/users/mitchellh policies=admins
For the complete list of configuration options, please see the API documentation.
The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy.
Alternatively, OpenBao can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the
users/
path. This is done through theunregistered_user_policies
configuration parameter.
API
The RADIUS auth method has a full HTTP API. Please see the RADIUS Auth API for more details.