Skip to main content

RADIUS auth method

The radius auth method allows users to authenticate with OpenBao using an existing RADIUS server that accepts the PAP authentication scheme.

Authentication

The default path is /radius. If this auth method was enabled at a different path, specify -path=/my-path in the CLI.

Via the CLI

$ bao login -method=radius username=sethvargo

Via the API

The default endpoint is auth/radius/login. If this auth method was enabled at a different path, use that value instead of radius.

$ curl \
--request POST \
--data '{"password": "..."}' \
http://127.0.0.1:8200/v1/auth/radius/login/sethvargo

The response will contain a token at auth.client_token:

{
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": ["admins"],
"metadata": {
"username": "mitchellh"
}
}
}

Configuration

Via the CLI

  1. Enable the radius auth method:

    $ bao auth enable radius
  2. Configure connection details for your RADIUS server.

    $ bao write auth/radius/users/mitchellh policies=admins

    For the complete list of configuration options, please see the API documentation.

    The above creates a new mapping for user "mitchellh" that will be associated with the "admins" policy.

    Alternatively, OpenBao can assign a configurable set of policies to any user that successfully authenticates with the RADIUS server but has no explicit mapping in the users/ path. This is done through the unregistered_user_policies configuration parameter.

API

The RADIUS auth method has a full HTTP API. Please see the RADIUS Auth API for more details.