19.11. RADIUS Authentication#
This authentication method operates similarly topassword except that it uses RADIUS as the password verification method. RADIUS is used only to validate the user name/password pairs. Therefore the user must already exist in the database before RADIUS can be used for authentication.
When using RADIUS authentication, an Access Request message will be sent to the configured RADIUS server. This request will be of typeAuthenticate Only, and include parameters foruser name,password (encrypted) andNAS Identifier. The request will be encrypted using a secret shared with the server. The RADIUS server will respond to this request with eitherAccess Accept orAccess Reject. There is no support for RADIUS accounting.
Multiple RADIUS servers can be specified, in which case they will be tried sequentially. If a negative response is received from a server, the authentication will fail. If no response is received, the next server in the list will be tried. To specify multiple servers, separate the server names with commas and surround the list with double quotes. If multiple servers are specified, the other RADIUS options can also be given as comma-separated lists, to provide individual values for each server. They can also be specified as a single value, in which case that value will apply to all servers.
The following configuration options are supported for RADIUS:
radiusserversThe DNS names or IP addresses of the RADIUS servers to connect to. This parameter is required.
radiussecretsThe shared secrets used when talking securely to the RADIUS servers. This must have exactly the same value on the Postgres Pro and RADIUS servers. It is recommended that this be a string of at least 16 characters. This parameter is required.
Note
The encryption vector used will only be cryptographically strong ifPostgres Pro is built with support forOpenSSL. In other cases, the transmission to the RADIUS server should only be considered obfuscated, not secured, and external security measures should be applied if necessary.
radiusportsThe port numbers to connect to on the RADIUS servers. If no port is specified, the default RADIUS port (
1812) will be used.radiusidentifiersThe strings to be used as
NAS Identifierin the RADIUS requests. This parameter can be used, for example, to identify which database cluster the user is attempting to connect to, which can be useful for policy matching on the RADIUS server. If no identifier is specified, the defaultpostgresqlwill be used.
If it is necessary to have a comma or whitespace in a RADIUS parameter value, that can be done by putting double quotes around the value, but it is tedious because two layers of double-quoting are now required. An example of putting whitespace into RADIUS secret strings is:
host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""