16.1.1.28. RADIUS server endpoints

The RADIUS server REST API manages definitions of remote RADIUS servers. These definitions are referenced by the RADIUS token type and by the passthru policy to forward authentication to a RADIUS backend. See RADIUS server configuration for the conceptual chapter.

All endpoints require admin authentication. Read access is gated by the admin policy action radiusserver_read; create, update, delete and the test request are gated by radiusserver_write.

POST /radiusserver/(identifier)

Create or update a RADIUS server definition. If a definition with the given identifier already exists it is updated; otherwise it is created. Spaces in identifier are replaced with underscores.

Requires admin authentication and the policy action radiusserver_write.

Parameters:
  • identifier – path component, the unique name of the definition.

JSON Parameters:
  • server – hostname or IP of the RADIUS server (required).

  • port – UDP port of the RADIUS server, default 1812.

  • secret – shared RADIUS secret (required).

  • retries – number of retries on timeout, default 3.

  • timeout – per-attempt timeout in seconds, default 5.

  • dictionary – server-side filesystem path to the FreeRADIUS dictionary file, default /etc/privacyidea/dictionary.

  • description – free-form description.

  • options – optional dictionary of additional connection options.

Status Codes:

GET /radiusserver/

Return all RADIUS server definitions known to this server. The shared secret of each definition is redacted in the response.

The result is a dictionary keyed by identifier; each value contains id, server, port, secret (always "__CENSORED__"), retries, timeout, dictionary, description.

Requires admin authentication and the policy action radiusserver_read.

Status Codes:
  • 200 OK – dict of definitions in result.value.
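
The following is an added example, not the project's own code. It builds the create/update request with the documented defaults and identifier normalization, and checks that a GET /radiusserver/ response contains no secret other than the "__CENSORED__" placeholder. The base URL, the token value, the Authorization header format and the sample response are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

CENSORED = "__CENSORED__"
# Defaults as documented for POST /radiusserver/(identifier).
DEFAULTS = {"port": 1812, "retries": 3, "timeout": 5,
            "dictionary": "/etc/privacyidea/dictionary"}


def build_save_request(base_url, auth_token, identifier, server, secret, **extra):
    """Build (without sending) the POST that creates or updates a definition."""
    if not identifier or not server or not secret:
        raise ValueError("identifier, server and secret are required")
    unknown = set(extra) - set(DEFAULTS) - {"description", "options"}
    if unknown:
        raise ValueError(f"undocumented parameters: {sorted(unknown)}")
    # The server replaces spaces with underscores; do the same client-side so
    # the name written to local logs is the name that ends up stored.
    name = identifier.replace(" ", "_")
    body = {**DEFAULTS, **extra, "server": server, "secret": secret}
    url = f"{base_url.rstrip('/')}/radiusserver/{urllib.parse.quote(name, safe='')}"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": auth_token})  # header format is an assumption


def unredacted_secrets(list_response):
    """Return identifiers whose secret is not the documented placeholder."""
    definitions = list_response["result"]["value"]
    return sorted(name for name, d in definitions.items()
                  if d.get("secret") != CENSORED)


# Constructed sample of a GET /radiusserver/ response body (not captured output).
SAMPLE_LIST = {"result": {"value": {
    "corp_radius": {"id": 1, "server": "radius.example.test", "port": 1812,
                    "secret": CENSORED, "retries": 3, "timeout": 5,
                    "dictionary": "/etc/privacyidea/dictionary",
                    "description": "primary"},
}}}

if __name__ == "__main__":
    req = build_save_request("https://pi.example.test", "PLACEHOLDER_TOKEN",
                             "corp radius", "radius.example.test", "s3cret")
    print(req.get_method(), req.full_url)
    print(unredacted_secrets(SAMPLE_LIST))
```

A non-empty result from unredacted_secrets means the listing returned a shared secret in clear text and any stored copy of that response should be treated as sensitive.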

DELETE /radiusserver/(identifier)

Delete the RADIUS server definition with the given identifier.

Requires admin authentication and the policy action radiusserver_write.

Parameters:
  • identifier – path component, the name of the definition.

Status Codes:
  • 200 OK – True if a definition was deleted, False otherwise.

POST /radiusserver/test_request

Test a RADIUS server definition by performing an Access-Request against it with the supplied credentials. The definition does not need to be saved first — all parameters are taken from the request body.

Requires admin authentication and the policy action radiusserver_write.

JSON Parameters:
  • identifier – identifier under which the definition would be saved (used for logging/audit only).

  • server – hostname or IP of the RADIUS server (required).

  • port – UDP port, default 1812.

  • secret – shared RADIUS secret (required).

  • retries – number of retries on timeout, default 3.

  • timeout – per-attempt timeout in seconds, default 5.

  • dictionary – server-side filesystem path to the FreeRADIUS dictionary file, default /etc/privacyidea/dictionary.

  • options – optional dictionary of additional connection options.

  • username – user name to test (required).

  • password – password / OTP to test (required).

Status Codes:
  • 200 OK – True if the RADIUS server accepted the credentials, False otherwise.