MediaWiki extensions manual
Release status: unmaintained
Implementation User identity
Description SimpleRadiusAuth is an extension that queries a RADIUS server to authenticate users
Author(s) (null.oz)
Latest version 0.1
MediaWiki 1.27+
License GNU General Public License 2.0 or later


SimpleRadiusAuth is an extension that queries a RADIUS server to authenticate users.

Visitors cannot create an account and users cannot change their password.


  • You must have a RADIUS service running somewhere accessible from the Wiki server.
  • You must use MediaWiki 1.27 or later.
  • You must have the PHP RADIUS extension (see https://php.net/book.radius).
  • On RHEL 7, the PHP RADIUS package can be installed using yum, e.g. yum install php-pear-Auth-RADIUS


  • Put the SimpleRadiusAuth in the extensions directory
  • Edit your LocalSettings.php file and add:
// Load SimpleRadiusAuth
wfLoadExtension( 'SimpleRadiusAuth' );
$wgSimpleRadiusAuthServer = "IP_OR_DNSNAME_OF_RADIUS_SERVER";
$wgSimpleRadiusAuthSecret = "SHARED_SECRET";

// Disable account creation
$wgGroupPermissions['*']['createaccount'] = false;

// (Recommended) Allows auto account creation by the extension which bypasses the
// need for manual account creation. The extension only creates the account if the RADIUS
// authentication is successful. If this isn't set to 'true', accounts for each
// RADIUS user will need to be manually created before the user will be able to log in.
$wgGroupPermissions['*']['autocreateaccount'] = true;
  • That's all!

Configuration parameters

  • The hostname parameter specifies the server host, either as a fully qualified domain name or as a dotted-quad IP address in text form.
  • The port parameter specifies the UDP port to contact on the server. If port is given as 0, the library looks up the radius/udp or radacct/udp service in the network services database and uses the port found there. If no entry is found, the library uses the standard RADIUS ports, 1812 for authentication.
  • The shared secret for the server host is passed to the secret parameter. The RADIUS protocol ignores all but the leading 128 bytes of the shared secret.
  • The timeout for receiving replies from the server is passed to the timeout parameter, in units of seconds.
  • The maximum number of repeated requests to make before giving up is passed to the max_tries parameter.
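
How these five parameters reach the PHP RADIUS extension's functions for a single password check, as an added example rather than the extension's own code. checkRadiusLogin() is a hypothetical helper, and the default timeout and retry values are constructed.

```php
<?php
// Added example, not SimpleRadiusAuth's own code. checkRadiusLogin() is a
// hypothetical helper; the radius_* calls come from the PHP RADIUS extension.
function checkRadiusLogin(
    string $hostname,   // FQDN or dotted-quad IP of the RADIUS server
    string $secret,     // shared secret; only the leading 128 bytes are used
    string $username,
    string $password,
    int $port = 0,      // 0 = look up radius/udp in services, else 1812
    int $timeout = 3,   // seconds to wait for a reply (constructed value)
    int $maxTries = 3   // requests sent before giving up (constructed value)
): bool {
    if ( $username === '' || $password === '' ) {
        return false; // never send empty credentials to the server
    }
    if ( strlen( $secret ) > 128 ) {
        // Bytes past 128 are ignored, so flag it instead of hiding it.
        trigger_error( 'RADIUS shared secret longer than 128 bytes', E_USER_WARNING );
    }

    $handle = radius_auth_open();
    if ( !$handle ) {
        return false;
    }
    try {
        if ( !radius_add_server( $handle, $hostname, $port, $secret, $timeout, $maxTries )
            || !radius_create_request( $handle, RADIUS_ACCESS_REQUEST )
            || !radius_put_attr( $handle, RADIUS_USER_NAME, $username )
            || !radius_put_attr( $handle, RADIUS_USER_PASSWORD, $password )
        ) {
            error_log( 'RADIUS setup failed: ' . radius_strerror( $handle ) );
            return false;
        }
        // Blocks until a reply arrives or the retries are used up.
        $reply = radius_send_request( $handle );
        if ( $reply === false ) {
            error_log( 'RADIUS request failed: ' . radius_strerror( $handle ) );
        }
        // Fail closed: a reject, a challenge, a timeout or an error all deny login.
        return $reply === RADIUS_ACCESS_ACCEPT;
    } finally {
        radius_close( $handle );
    }
}
```

Because the call blocks while it waits and retries, small timeout and max_tries values keep an unreachable RADIUS server from stalling the login request.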