<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.11. RADIUS Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-ldap.html" title="20.10. LDAP Authentication" /><link rel="next" href="auth-cert.html" title="20.12. Certificate Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.11. RADIUS Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-ldap.html" title="20.10. LDAP Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 11.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-cert.html" title="20.12. Certificate Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-RADIUS"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.11. RADIUS Authentication</h2></div></div></div><a id="id-1.6.7.18.2" class="indexterm"></a><p>
    This authentication method operates similarly to
    <code class="literal">password</code> except that it uses RADIUS
    as the password verification method. RADIUS is used only to validate
    the user name/password pairs. Therefore the user must already
    exist in the database before RADIUS can be used for
    authentication.
   </p><p>
    When using RADIUS authentication, an Access Request message will be sent
    to the configured RADIUS server. This request will be of type
    <code class="literal">Authenticate Only</code>, and include parameters for
    <code class="literal">user name</code>, <code class="literal">password</code> (encrypted) and
    <code class="literal">NAS Identifier</code>. The request will be encrypted using
    a secret shared with the server. The RADIUS server will respond to
    this server with either <code class="literal">Access Accept</code> or
    <code class="literal">Access Reject</code>. There is no support for RADIUS accounting.
   </p><p>
    Multiple RADIUS servers can be specified, in which case they will
    be tried sequentially. If a negative response is received from
    a server, the authentication will fail. If no response is received,
    the next server in the list will be tried. To specify multiple
    servers, put the names within quotes and separate the server names
    with a comma. If multiple servers are specified, all other RADIUS
    options can also be given as a comma separate list, to apply
    individual values to each server. They can also be specified as
    a single value, in which case this value will apply to all servers.
   </p><p>
    The following configuration options are supported for RADIUS:
     </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">radiusservers</code></span></dt><dd><p>
         The name or IP addresses of the RADIUS servers to connect to.
         This parameter is required.
        </p></dd><dt><span class="term"><code class="literal">radiussecrets</code></span></dt><dd><p>
         The shared secrets used when talking securely to the RADIUS
         server. This must have exactly the same value on the PostgreSQL
         and RADIUS servers. It is recommended that this be a string of
         at least 16 characters. This parameter is required.
         </p><div class="note"><h3 class="title">Note</h3><p>
          The encryption vector used will only be cryptographically
          strong if <span class="productname">PostgreSQL</span> is built with support for
          <span class="productname">OpenSSL</span>. In other cases, the transmission to the
          RADIUS server should only be considered obfuscated, not secured, and
          external security measures should be applied if necessary.
         </p></div><p>
        </p></dd><dt><span class="term"><code class="literal">radiusports</code></span></dt><dd><p>
         The port number on the RADIUS servers to connect to. If no port
         is specified, the default port <code class="literal">1812</code> will be used.
        </p></dd><dt><span class="term"><code class="literal">radiusidentifiers</code></span></dt><dd><p>
         The string used as <code class="literal">NAS Identifier</code> in the RADIUS
         requests. This parameter can be used as a second parameter
         identifying for example which database user the user is attempting
         to authenticate as, which can be used for policy matching on
         the RADIUS server. If no identifier is specified, the default
         <code class="literal">postgresql</code> will be used.
        </p></dd></dl></div><p>
   </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-ldap.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-cert.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.10. LDAP Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.12. Certificate Authentication</td></tr></table></div></body></html>