ref: 13ed958d65981a2744683ffbffae1c0d2c51e36d vpn-documentation/RADIUS.md -rw-r--r-- 3.2 KiB
13ed958d François Kooman make clear that "the only difference" now refers only to OAuth 4 months ago

#title: RADIUS
description: Enable RADIUS Authentication
category: authentication

This document describes how to configure RADIUS for deployed systems. We assume you used the deploy_${DIST}.sh script to deploy the software. Below we assume you use vpn.example, but modify this domain to your own domain name!

RADIUS integration can currently only be used to authenticate users, not for authorization/ACL purposes.

In order to make a particular user an "administrator" in the portal, see PORTAL_ADMIN.

NOTE: RADIUS integration does NOT support PEAP/TTLS, plain text authentication ONLY! RADIUS servers used for eduroam authentication will typically be configured with PEAP/TTLS, as plain text authentication is not supported for 802.1X.

NOTE: If you have the choice between LDAP and RADIUS, always choose LDAP! LDAP is supported by all common IdMs, even Active Directory. Go here for instructions on how to configure LDAP.


First install the PHP module for RADIUS:

$ sudo yum install php-pecl-radius # CentOS/Fedora
$ sudo apt install php-radius      # Debian

Restart PHP to activate the RADIUS module:

$ sudo systemctl restart php-fpm                            # CentOS/Fedora
$ sudo systemctl restart php$(/usr/sbin/phpquery -V)-fpm    # Debian

You can configure the portal to use RADIUS. This is configured in the file /etc/vpn-user-portal/config.php.

You have to set authMethod first:

'authMethod' => 'FormRadiusAuthentication',

Then you can configure the RADIUS server:

'FormRadiusAuthentication' => [
    // one entry per RADIUS server
    'serverList' => [
        [
            'host' => 'radius.example.org',
            // shared secret (example value, use your server's own)
            'secret' => 'testing123',
            //'port' => 1812,
        ],
    ],
    //'addRealm' => 'example.org',
    //'nasIdentifier' => 'vpn.example.org',
    //'permissionAttribute' => RADIUS_REPLY_MESSAGE,
    //'permissionAttribute' => 16,
],

Here serverList is an array of server configurations where you can add multiple RADIUS servers to be used for user authentication. Set the host to the host of your RADIUS server. You can optionally also specify the port (defaults to 1812).

You can also configure whether or not to add a "realm" to the identifier the user provides. If for example the user provides foo as a user ID, the addRealm option when set to example.org modifies the user ID to foo@example.org and uses that to authenticate to the RADIUS server.

The host and secret options are REQUIRED, the others are optional.
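What "plain text authentication" puts on the wire with these options, following RFC 2865, as an added example that is not part of this documentation or the portal's code. It builds the Access-Request that `secret`, `addRealm` and `nasIdentifier` shape, then parses it the way a RADIUS server would; all function names are this example's own.

```python
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def _xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else result  # chaining always uses the ciphertext block
        out += result
    return out

def hide_password(password, secret, authenticator):
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    return _xor_blocks(padded, secret, authenticator, decrypt=False)

def recover_password(hidden, secret, authenticator):
    """Server side: the shared secret is the only key material involved."""
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(user, password, secret, add_realm=None, nas_identifier=None):
    """Build an Access-Request (code 1, identifier 1) as the options above shape it."""
    if add_realm:
        user = f"{user}@{add_realm}"  # addRealm: foo -> foo@example.org
    authenticator = os.urandom(16)    # random Request Authenticator, sent in the clear
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, authenticator))]
    if nas_identifier:
        attrs.append((NAS_IDENTIFIER, nas_identifier.encode()))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + authenticator + body

def parse_access_request(packet):
    """Return (authenticator, {attribute type: value}) from a request packet."""
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return authenticator, attrs
```

The pad that hides the password depends only on the shared secret and the Request Authenticator carried in the same packet, so the `secret` value should be long and random rather than an example value such as `testing123`.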

In vpn-user-portal >= 2.3.13 it is also possible to specify an attribute for user authorization using the permissionAttribute configuration option. For now only officially registered attributes are supported, so NO vendor specific attributes. See the list here for a complete list. Make sure you use a "text" or "string" type. Not all attributes are registered in the PHP RADIUS plugin, so you can also use the integer value, e.g. 16 instead of RADIUS_REPLY_MESSAGE. For the PHP list look here.