Radius Sentinel Policy

I’m using sentinel for the first time and I’m trying to create a policy to restrict radius authentication to only entities within a specific group.

I thought a simple policy like this would do it

main = rule {
    "d8c7e054-eb48-11a0-4d80-648f5b1f6b0a" in keys(identity.groups.by_id)
}

but after applying it I get this error
vault write sys/policies/egp/radius-policy policy="${POLICY}" paths="/auth/radius/login/*" enforcement_level="hard-mandatory"

vault login -method=radius -token-only username=letmein

Password (will be hidden):

Error authenticating: Error making API request.


Code: 400. Errors:

  • 1 error occurred:

  • error running lookahead function for mfa: missing username

I’m guessing I need to import something but I tried import "mfa" and a few others but I suspect it’s my approach that’s wrong.

Trying to figure out if it’s something from here like the urlusername I need to specify

In my experience you can only make decisions on the payload of the request itself. In the case of radius authentication you would only be able to realistically base any decisions off of the following items:

  1. Any attribute in the request properties
  2. Any of the available radius auth endpoint properties (username and password)

Neither of these contain group information, as that would be included in the login response.

You could, however, enable the Sentinel http import and make a request to your own Vault instance to look up an entity by name (assuming you know what the name is and it already exists) in order to retrieve the list of groups the entity is a member of. This does require a hard-coded token in the policy (make sure it only has access to the information it needs).

If you go down that route, be sure to heed the warnings on the http import in the documentation (it’s disabled by default for a reason). Also write and validate against unit tests to make sure it’s behaving the way you intend before hitting any of your customer facing environments.
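One way the http-import approach above could look, added here as an illustration and not code from the poster, the answerer or HashiCorp. It assumes the Vault API is reachable from the Sentinel runtime at the address in vault_addr, that lookup_token is a token whose only capability is read on identity/entity/name/*, and that the RADIUS username is also the Vault entity name (the group ID is the one quoted in the question). The Sentinel http import rejects non-2xx responses unless they are listed in accept_status_codes, so a 404 for an unknown entity is handled explicitly and any other failure denies the login.

```sentinel
# Added example, not from the original thread. Assumptions:
#  - vault_addr is reachable from wherever Sentinel runs the policy
#  - lookup_token has only `read` on identity/entity/name/* (nothing else)
#  - the RADIUS username is also the name of the Vault entity
import "http"
import "json"
import "strings"

vault_addr     = "https://vault.example.internal:8200"   # assumption
lookup_token   = "hvs.REPLACE_ME"                        # assumption: least-privilege, read-only token
required_group = "d8c7e054-eb48-11a0-4d80-648f5b1f6b0a"  # group ID from the question

# The radius login accepts the username either in the body or as the
# last path segment (auth/radius/login/<urlusername>); try both.
username = func() {
	data = request.data else {}
	if "username" in keys(data) and data.username is not "" {
		return data.username
	}
	parts = strings.split(request.path, "/")
	return parts[length(parts) - 1]
}

# Look the entity up by name. Fail closed: unknown entity (404) or any
# other non-200 answer yields an empty group list, so the rule denies.
group_ids = func(name) {
	req = http.request(vault_addr + "/v1/identity/entity/name/" + name).
		with_header("X-Vault-Token", lookup_token).
		accept_status_codes([200, 404])
	resp = http.get(req)
	if resp.status_code is not 200 {
		return []
	}
	body = json.unmarshal(resp.body)
	return body.data.group_ids else []
}

main = rule {
	required_group in group_ids(username())
}
```

Two things to keep in mind with this shape. Because the policy runs before the RADIUS credentials are verified, anyone who can reach the login endpoint can cause the embedded token to be used for an entity lookup of a name they choose, which is why that token should be able to do nothing but that one read. And under a hard-mandatory enforcement level any lookup error (network failure, expired token) denies every RADIUS login, so exercise the policy with the Sentinel test runner and mocked http/request data before enabling it anywhere users depend on.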