This authentication method operates similarly to the password method except that it uses RADIUS as the password verification method. RADIUS is used only to validate the user name/password pairs. Therefore the user must already exist in the database before RADIUS can be used for authentication.
When using RADIUS authentication, an Access Request message will be sent to the configured RADIUS server. This request will be of type Authenticate Only, and include parameters for password (encrypted) and NAS Identifier. The request will be encrypted using a secret shared with the server. The RADIUS server will respond to the PostgreSQL server with either Access Accept or Access Reject. There is no support for RADIUS accounting.
Multiple RADIUS servers can be specified, in which case they will be tried sequentially. If a negative response is received from a server, the authentication will fail. If no response is received, the next server in the list will be tried. To specify multiple servers, put the names within quotes and separate the server names with a comma. If multiple servers are specified, all other RADIUS options can also be given as a comma-separated list, to apply individual values to each server. They can also be specified as a single value, in which case this value will apply to all servers.
The following configuration options are supported for RADIUS:
The name or IP addresses of the RADIUS servers to connect to. This parameter is required.
The shared secrets used when talking securely to the RADIUS server. This must have exactly the same value on the PostgreSQL and RADIUS servers. It is recommended that this be a string of at least 16 characters. This parameter is required.
The encryption vector used will only be cryptographically strong if PostgreSQL is built with support for OpenSSL. In other cases, the transmission to the RADIUS server should only be considered obfuscated, not secured, and external security measures should be applied if necessary.
The port number on the RADIUS servers to connect to. If no port is specified, the default port 1812 will be used.
The string used as the NAS Identifier in the RADIUS requests. This parameter can be used as a second parameter identifying, for example, which database user the user is attempting to authenticate as, which can be used for policy matching on the RADIUS server. If no identifier is specified, the default postgresql will be used.