Create ESA RADIUS clients via API

If you have integrated ESA protection for many Linux/Mac desktop logins via PAM modules, and you need to configure many RADIUS clients in ESA, the following PowerShell script will ease your work.


1. Configure a RADIUS client in ESA Web Console.

Basic Settings > IP address: Type in the IP address of the computer hosting the PAM module, that is, the address at which the ESA RADIUS server can reach it

Basic Settings > Shared Secret: Type in the same shared secret as you set in your VPN appliance

Authentication > Client Type > Client validates user name and password - use Access-Challenge

2. Enable ESA API and add API credentials for Management API in ESA Web Console.

3. List the IP address and Shared Secret of each VPN appliance in a .csv file as <IP address>;<Shared Secret> pairs, one pair per row.

For example:;test1;test2;test3

If executing the script on a machine other than the one hosting the Authentication Server:

1. Make sure the ESA certificate is trusted on that computer.

2. Make sure the certificate includes the FQDN of the Authentication Server in the list of alternative DNS names.

How does the script work?

The script reads each row of the .csv file and creates one RADIUS client for each IP address and Shared Secret pair it finds. The Authentication section of each new RADIUS client is copied from the pre-configured RADIUS client.

Sample PowerShell script to create new ESA RADIUS clients via ESA API - we name the file create_radius_clients.ps1

# configuration

# Management API credentials - username:password
$credentials = "kjssgmarkm:dapweburnx"

# IP address or FQDN of the Authentication Server
$esaAuthenticationServer = ""

# Name of the ESA RADIUS Server found in ESA Web Console at Components > RADIUS
$radiusServerName = "BTSH00049D (Authentication Server computer)"

# Name of the pre-configured ESA RADIUS client
$baseRadiusClientName = "Base Client"

# The IP address and Shared Secret of each VPN appliance are saved in the clients.csv file.
# The clients.csv file is in the same directory where this PowerShell script resides
$csvImportFilePath = Join-Path $PSScriptRoot "clients.csv"

# headers preparation

$ErrorActionPreference = "Stop"

$encodedCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($credentials))
$basicAuthHeader = "Basic $encodedCredentials"
$headers = @{Authorization = $basicAuthHeader}

# find RADIUS server

$body = @{
  componentType = "radius"
}
$bodyStr = $body | ConvertTo-Json
$response = Invoke-WebRequest -Uri "https://$esaAuthenticationServer/manage/v2/GetComponentSettings" -Method POST -Body $bodyStr -ContentType "application/json" -Headers $headers

$components = $response.Content | ConvertFrom-Json

$radiusServerKey = $null
foreach ($component in $components) {
  if ($component.Info.Name -ceq $radiusServerName) {
    $radiusServerKey = $component.Info.Key
  }
}

if ($null -eq $radiusServerKey) {
  Throw "RADIUS server not found: " + $radiusServerName
}

# base RADIUS client

$body = @{
  componentKey = $radiusServerKey
}
$bodyStr = $body | ConvertTo-Json
$response = Invoke-WebRequest -Uri "https://$esaAuthenticationServer/manage/v2/GetRadiusClients" -Method POST -Body $bodyStr -ContentType "application/json" -Headers $headers

$clients = $response.Content | ConvertFrom-Json

$baseRadiusClientSettings = $null
foreach ($client in $clients) {
  if ($client.ClientName -ceq $baseRadiusClientName) {
    $baseRadiusClientSettings = $client
  }
}

if ($null -eq $baseRadiusClientSettings) {
  Throw "RADIUS client not found: " + $baseRadiusClientName
}

# create clients

foreach ($line in [System.IO.File]::ReadLines($csvImportFilePath)) {
  $fields = $line.Split(';')
  if ($fields.Count -cne 2) {
    Throw "Invalid fields count: " + $line
  }

  $ip = $fields[0]
  $sharedSecret = $fields[1]

  # Deep-copy the base client through JSON. ConvertTo-Json serializes only 2 levels
  # by default, so raise -Depth to keep any nested settings intact.
  $newClientSettings = $baseRadiusClientSettings | ConvertTo-Json -Depth 10 | ConvertFrom-Json
  $newClientSettings.Id = [guid]::NewGuid().ToString("d")
  $newClientSettings.ClientName = "Generated - " + $ip
  $newClientSettings.ClientIp = $ip
  $newClientSettings.SharedSecret = $sharedSecret

  $body = @{
    componentKey = $radiusServerKey;
    client = $newClientSettings
  }
  $bodyStr = $body | ConvertTo-Json -Depth 10
  $response = Invoke-WebRequest -Uri "https://$esaAuthenticationServer/manage/v2/CreateRadiusClient" -Method POST -Body $bodyStr -ContentType "application/json" -Headers $headers
}

echo "success"
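
A pre-flight check for clients.csv, as an added example that is not part of the script above or of ESET's code: it reports rows the import would reject, or that would create a conflicting or weakly protected RADIUS client, without echoing any shared secret. The function name Test-RadiusClientCsv, the 16-character minimum and the sample rows are assumptions constructed for illustration.

```powershell
# Added example (not ESET code). Function name, length policy and sample rows are assumptions.
function Test-RadiusClientCsv {
  param(
    [string[]]$Lines,
    [int]$MinSecretLength = 16   # assumed local policy, not an ESA requirement
  )
  $problems = New-Object System.Collections.Generic.List[string]
  $seenIps = @{}
  $row = 0
  foreach ($line in $Lines) {
    $row++
    $fields = $line.Split(';')
    if ($fields.Count -ne 2) {
      # Same rule the import script enforces; a ';' inside a secret also lands here.
      $problems.Add("row ${row}: expected 2 fields, found $($fields.Count)")
      continue
    }
    $ip = $fields[0]
    $secret = $fields[1]
    # TryParse alone accepts shorthand such as "10.1", so require a canonical round trip.
    $parsed = $null
    $isIp = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)
    if (-not $isIp -or $parsed.ToString() -ne $ip) {
      $problems.Add("row ${row}: first field is not a canonical IP address")
    } elseif ($seenIps.ContainsKey($ip)) {
      $problems.Add("row ${row}: IP address duplicates row $($seenIps[$ip])")
    } else {
      $seenIps[$ip] = $row
    }
    # Report on the secret without printing it.
    if ($secret -ne $secret.Trim()) {
      $problems.Add("row ${row}: shared secret has leading or trailing whitespace")
    }
    if ($secret.Length -lt $MinSecretLength) {
      $problems.Add("row ${row}: shared secret is shorter than $MinSecretLength characters")
    }
  }
  return $problems
}

# Constructed sample rows (192.0.2.0/24 is a documentation range).
$sampleRows = @(
  '192.0.2.10;constructed-secret-0001',
  '192.0.2.10;constructed-secret-0002',
  '192.0.2.300;constructed-secret-0003',
  '192.0.2.12;test1',
  '192.0.2.13;constructed;secret-0005'
)
Test-RadiusClientCsv -Lines $sampleRows
```

To check the real file, pass `(Get-Content $csvImportFilePath)` as `-Lines` and run the import only when nothing is reported.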