mirror of
https://github.com/goauthentik/authentik
synced 2026-04-27 01:55:08 +02:00
* implement with library (backend)
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add outpost
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* format
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add basic docs
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add enterprise notice to certificate
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* clearer enterprise stuff
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* idk
  Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
76 lines
3.0 KiB
Plaintext
---
title: RADIUS Provider
---

import { HashSupport } from "./HashSupport";

You can configure a RADIUS provider for applications that don't support any other protocols or that require RADIUS.

:::info
This provider requires the deployment of the [RADIUS outpost](../../outposts/index.mdx).
:::

Currently, only authentication requests are supported.

### Authentication flow

Authentication requests against the RADIUS server use a flow in the background. This allows you to use the same flows, stages, and policies as you do for web-based logins.

The following stages are supported:

- [Identification](../../flows-stages/stages/identification/index.mdx)
- [Password](../../flows-stages/stages/password/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.mdx)

    Note: Authenticator validation currently only supports DUO, TOTP, and static authenticators.

    For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example, for the password `example-password` and the MFA token `123456`, the input must be `example-password;123456`.

    SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind.

- [User Logout](../../flows-stages/stages/user_logout.md)
- [User Login](../../flows-stages/stages/user_login/index.md)
- [Deny](../../flows-stages/stages/deny.md)
- [Mutual TLS stage](../../flows-stages/stages/mtls/index.md)

### EAP

<div className="badge-group">

:ak-version[2025.10]
:ak-enterprise

</div>

authentik supports EAP with TLS as the inner protocol. To set this up, a certificate authority needs to be available and client certificates need to be installed on machines, the configuration of which is outside the scope of this document.

#### EAP-TLS

Create an authentication flow with a [Mutual TLS stage](../../flows-stages/stages/mtls/index.md) as its first stage. This stage should be configured to use your certificate authority. Afterwards, a certificate needs to be generated for the RADIUS outpost, which can be configured in the RADIUS provider. Once the certificate and the authentication flow are configured in the provider, authentication via EAP-TLS is possible.

### RADIUS attributes

Starting with authentik 2024.8, you can create RADIUS provider property mappings, which make it possible to add custom attributes to the RADIUS response packets.

For example, to add the Cisco AV-Pair attribute, this snippet can be used:

```python
# Register the vendor-specific attribute (vendor code 9 is Cisco).
define_attribute(
    vendor_code=9,
    vendor_name="Cisco",
    attribute_name="AV-Pair",
    attribute_code=1,
    attribute_type="string",
)
# Add the attribute to the response packet.
packet["Cisco-AV-Pair"] = "shell:priv-lvl=15"
return packet
```

After creation, make sure to select the RADIUS property mapping in the RADIUS provider.

### Limitations

The RADIUS provider only supports [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol):

<HashSupport />