backend
Backend action for forwarding RADIUS requests to external backends
Call a backend to fetch user authentication information.
backend {
    name "DB";
    query "FIND_USER";
}
The query statement is optional and may be omitted if the backend does not support multiple queries.
In that case, the short form may also be used:
backend "DB";
Result
Depending on the backend, the backend action may return accept, reject or ignore.
Parameters
secret
For backends that verify a PAP-style secret — such as a proxied RADIUS backend
that needs a User-Password to forward, an NTLM/LSA backend, or the YubiKey
cloud OTP backend — the optional secret parameter supplies the value the
backend should authenticate. Combine it with the
filter pipeline to derive that value from any
context attribute.
# Strip a trailing 6-digit OTP from the PAP password before forwarding the
# remaining static password to an upstream RADIUS server.
backend {
    name "UPSTREAM_RADIUS";
    secret radius.request.password | substring(0, -6);
}
When secret is set, its value replaces the protocol PAP response that the
backend would otherwise see. For backend queries with multiple inputs, use the
query's own bindings { ... } block instead — each binding is a full
expression and can use the filter pipeline.
range
Slices the PAP authentication response by character offsets before passing it
to the backend. Prefer secret with the filter pipeline
for new configurations; range is limited to a single contiguous slice and
remains supported mainly for backward compatibility.
Syntax: range <start> <end> [exclusive]
- <start> - Starting index (negative values count from end)
- <end> - Ending index (negative values count from end)
- exclusive - Optional keyword to invert the range and keep everything except the specified slice
- Indices are 0-based
# Pass only the last 6 characters, such as a TOTP code, to the backend.
backend {
    name "OTP_BACKEND";
    range -6 0;
}
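An offline model of the secret and range slicing described above, added here as an example (it is not the server's own code): it shows what `range -6 0`, `range -6 0 exclusive` and `substring(0, -6)` would hand to a backend for a given PAP value, and rejects inputs whose tail is not six digits or that leave no static password. Assumptions: an <end> of 0 means "through the end of the string" (inferred from the `range -6 0` example), out-of-range offsets are clamped, and the names `apply_range` and `split_pap` are hypothetical.

```python
import re

OTP_LEN = 6  # matches the 6-character examples on this page


def _offset(index, length):
    # 0-based offset; negative values count from the end. Clamping to the
    # string bounds is an assumption of this model.
    return max(length + index, 0) if index < 0 else min(index, length)


def apply_range(pap, start, end, exclusive=False):
    """Model of `range <start> <end> [exclusive]` applied to a PAP value."""
    n = len(pap)
    lo = _offset(start, n)
    # Assumption: <end> 0 means "to the end", as in the page's `range -6 0`.
    hi = n if end == 0 else _offset(end, n)
    hi = max(hi, lo)
    # exclusive inverts the range: keep everything except the slice.
    return pap[:lo] + pap[hi:] if exclusive else pap[lo:hi]


def split_pap(pap):
    """Return (static_password, otp) as the two backends would receive them."""
    otp = apply_range(pap, -OTP_LEN, 0)                     # range -6 0;
    static = apply_range(pap, -OTP_LEN, 0, exclusive=True)  # range -6 0 exclusive;
    if not re.fullmatch(r"[0-9]{%d}" % OTP_LEN, otp):
        raise ValueError("tail is not a 6-digit OTP")
    if not static:
        raise ValueError("no static password left after removing the OTP")
    # Per the page's comment, substring(0, -6) strips the same trailing OTP.
    assert static == pap[:-OTP_LEN]
    return static, otp


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("hunter2!123456", "123456", "12345", "hunter2!12345x"):
        try:
            print(repr(sample), "->", split_pap(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```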