eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-27 09:57:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e7fcfb7e67d5df3e8a8a5da170f18fa4c6b98731
authentik/website/docs/add-secure-apps/providers/radius/index.mdx
Teffen Ellis 8aeedb6380 website: Apply CSpell corrections. (#20189) 
* website: Apply CSpell corrections.

* Lint/spelling fix

---------

Co-authored-by: dewi-tik <dewi@goauthentik.io>
2026-02-11 21:57:36 +01:00

86 lines
4.1 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: RADIUS Provider
---
import { HashSupport } from "./HashSupport";
You can configure a Radius provider for applications that don't support any other protocols or that require Radius.
:::info
This provider requires the deployment of a [RADIUS outpost](../../outposts/index.mdx).
:::
Currently, only authentication requests are supported.
### Authentication flow
Authentication requests against the Radius Server use a flow in the background. This allows you to use the same flows, stages, and policies as you do for web-based logins.
The following stages are supported:
- [Identification](../../flows-stages/stages/identification/index.mdx)
- [Password](../../flows-stages/stages/password/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.mdx)
:::info
Authenticator validation currently only supports DUO, TOTP, and static authenticator.
:::
For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password `example-password` and the MFA token `123456`, the input must be `example-password;123456`.
SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind.
- [User Logout](../../flows-stages/stages/user_logout.md)
- [User Login](../../flows-stages/stages/user_login/index.md)
- [Deny](../../flows-stages/stages/deny.md)
- [Mutual TLS stage](../../flows-stages/stages/mtls/index.md)
### Protocol support
The RADIUS provider supports EAP-TLS and [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol. For password-based authentication, only PAP protocol is supported due to other password hashing methods requiring reversible password hashes, which we dont support for security reasons.
<details>
<summary>RADIUS compatibility matrix for password-based authentication:</summary>
This table represents the password-hash compatibility with various RADIUS protocols.
<HashSupport />
</details>
### EAP :ak-enterprise :ak-version[2025.10]
authentik supports EAP with TLS as the inner protocol, between the application and transport layers to encrypt and secure communications. To set this up, a certificate authority needs to be available and client certificates need to be installed on machines, the configuration of which is outside of the scope of this document.
#### EAP-TLS
Create an authentication flow with a [Mutual TLS stage](../../flows-stages/stages/mtls/index.md) as its first stage. This stage should be configured to use your CA's certificate. Afterwards a server certificate needs to be selected in the RADIUS provider (which serves as an outpost). Then, configure your RADIUS provider to use this authentication flow to enable EAP-TLS authentication. After the certificate and the authentication flow are configured in the provider, authentication via EAP-TLS is possible.
For certificates, ensure that you use a client certificate and a server certificate that are created by a certificate authority, not a self-generated certificate.
:::warning Use of trusted Certificate Authority
For EAP-TLS, note that you should NOT use a globally known CA.
Using private PKI certificates that are trusted by the end-device is best practice. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via EAP-TLS, and in addition you should implement [custom validation](../../flows-stages/flow/context/index.mdx#auth_method-string) to prevent unauthorized access.
:::
### RADIUS attributes
Starting with authentik 2024.8, you can create RADIUS provider property mappings, which make it possible to add custom attributes to the RADIUS response packets.
For example, to add the Cisco AV-Pair attribute, this snippet can be used:
```python
define_attribute(
vendor_code=9,
vendor_name="Cisco",
attribute_name="AV-Pair",
attribute_code=1,
attribute_type="string",
)
packet["Cisco-AV-Pair"] = "shell:priv-lvl=15"
return packet
```
After creation, make sure to select the RADIUS property mapping in the RADIUS provider.
Reference in New Issue View Git Blame Copy Permalink