radius_auth
The radius_auth directive enables RADIUS authentication for specific locations in NGINX configurations.
Description
The radius_auth directive is used within an NGINX location block to facilitate authentication against a RADIUS server. It requires a realm parameter which is used to identify the authentication scope or context, allowing RADIUS to manage user sessions more effectively. This directive integrates NGINX with the RADIUS protocol, enabling it to handle authentication requests efficiently. When a request is made to a location where this directive is set, NGINX will communicate with the specified RADIUS server to validate user credentials based on the realm provided.
This directive works alongside other RADIUS-related configurations, such as radius_server and radius_servers, which define the RADIUS server(s) to be used. It can be combined with the auth_radius directive, which sets up the authentication realm for the RADIUS request. If authentication fails due to an invalid user or other issues, NGINX will return an appropriate error response, ensuring that unauthorized access is prevented. By properly tuning the configuration, including timeouts and retry limits, administrators can achieve a balance between security and usability.
The radius_auth directive can be set to either a specific realm string or turned off depending on the authentication requirement for that particular location. Thus, it is a flexible tool for managing user access based on RADIUS credentials in varying application contexts.
Config Example
location /protected {
radius_servers "radius_server_1";
radius_auth "my_realm";
}Ensure that the RADIUS server is reachable from your NGINX host to prevent authentication failures.
The realm string must match what the RADIUS server expects for proper authentication.
Using multiple RADIUS servers can require careful configuration to handle failover correctly.