The RADIUS plugin is based on a modified FreeRADIUS container.
If no environment parameters are provided, the default configuration is:
SECRET = Notakey
PASSWORD = notakey21
This means that all users presenting the given password will be accepted by the RADIUS server, and there is no need to configure them separately. The main authentication takes place on the user's smartphone. The smartphone onboarding process remains the same: you can define users in the NAA, use an external database such as LDAP or Active Directory, or combine them.
Plugin configuration:
    # Define image to load for this plugin
    $ ntk cfg setc :plugins.radius.image "notakey/radius-all:latest"
Additionally you can define these environment values:
SECRET - shared secret; the same value has to be defined in the Authentication Proxy as "vpn_secret_out"
PASSWORD - global password
U_PASSW - default is true; if set to false, the global password is disabled
USERn - n>0; you can define USER1, USER2 etc. For each of those users, PASSW1, PASSW2 etc. must be defined as well.
PASSWn - n>0; password for the added user. The global password, even if enabled, will not work for manually added users.
Example of how to manually add two users:
    # You can add as many users as you want. The username should be the same as
    # the one onboarded in the NAA. The onboarding password is different from this one.
    # You can leave this as is if you want to use any username with the password "notakey21".
    $ ntk cfg setc :plugins.radius.env.USER1 "John"
    $ ntk cfg setc :plugins.radius.env.PASSW1 "Doe12"
    $ ntk cfg setc :plugins.radius.env.USER2 "Bob"
    $ ntk cfg setc :plugins.radius.env.PASSW2 "graCe3"
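The environment values described above can be checked before the plugin is started. The following is an added example, not part of the Notakey documentation or tooling: it lints a planned list of `ntk cfg setc` lines for the documented default secret and global password, repeated assignments, and USERn/PASSWn entries without a partner. The names `parse_setc`, `lint` and `SAMPLE` are hypothetical, and it assumes SECRET, PASSWORD and U_PASSW are set under `:plugins.radius.env.` in the same way as USERn.

```python
import re
import shlex

ENV_PREFIX = ":plugins.radius.env."  # path the page uses for USERn/PASSWn
# Defaults documented on the page; SECRET/PASSWORD/U_PASSW living under
# ENV_PREFIX as well is an assumption of this example.
DEFAULTS = {"SECRET": "Notakey", "PASSWORD": "notakey21", "U_PASSW": "true"}

# Constructed sample: USER1 is assigned twice and USER3 has no PASSW3.
SAMPLE = """\
$ ntk cfg setc :plugins.radius.env.USER1 "John"
$ ntk cfg setc :plugins.radius.env.PASSW1 "Doe12"
$ ntk cfg setc :plugins.radius.env.USER1 "Bob"
$ ntk cfg setc :plugins.radius.env.USER3 "Eve"
"""


def parse_setc(script):
    """Collect plugin env assignments and the names assigned more than once."""
    env, repeated = {}, []
    for line in script.splitlines():
        words = shlex.split(line.strip().lstrip("$"), comments=True)
        if len(words) != 5 or words[:3] != ["ntk", "cfg", "setc"]:
            continue
        if words[3].startswith(ENV_PREFIX):
            name = words[3][len(ENV_PREFIX):]
            if name in env:
                repeated.append(name)
            env[name] = words[4]
    return env, repeated


def lint(script):
    """Return findings for a planned set of `ntk cfg setc` lines."""
    env, repeated = parse_setc(script)
    cfg = {**DEFAULTS, **env}
    findings = [f"{name} is assigned more than once" for name in repeated]
    if cfg["SECRET"] == DEFAULTS["SECRET"]:
        findings.append("SECRET is still the documented default")
    # Only the literal value "false" is treated as disabling the global password.
    if cfg["U_PASSW"] != "false" and cfg["PASSWORD"] == DEFAULTS["PASSWORD"]:
        findings.append("global password is enabled with the documented default")
    users = {k[4:] for k in env if re.fullmatch(r"USER[1-9]\d*", k)}
    passws = {k[5:] for k in env if re.fullmatch(r"PASSW[1-9]\d*", k)}
    for n in sorted(users ^ passws, key=int):
        findings.append(f"USER{n}/PASSW{n} is not a complete pair")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```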
How to start the plugin:
    # First you have to download the image
    $ ntk plugins update
    ==> Updating plugin radius
        image: notakey/radius-all:latest
        pull finished
    # Now you can start it
    $ ntk plugins start
    ==> Validating plugin radius configuration
        Checking software image...
        required: notakey/radius-all:latest
    ==> Starting plugin radius instance
        image: notakey/radius-all:latest
        started fedf2243c5bf
If the plugin launches successfully, add the configuration to the authentication proxy:
    # Authentication proxy will recognize Radius server by container's name
    $ ntk cfg set :ap.vpn_radius_address "radius"
    # Set your secret (Default is Notakey. In and out secret should be the same)
    $ ntk cfg set :ap.vpn_secret_out "Notakey"
    $ ntk cfg set :ap.vpn_secret_in "Notakey"
    # Set Application Access ID as seen on Dashboard Application settings page
    $ ntk cfg set :ap.vpn_access_id "c468f008-485b-b11c-aad9672fbae1"
Configure the authentication proxy for incoming requests and you are all set.
https://documentation.notakey.com/naa/#authentication-server