How to use the Radius to authenticate with WPA Enterprise #5328
Comments
@Svenum have you had any luck getting RADIUS working? I've been unable to even get the RADIUS outpost started and the documentation is still lacking on actual instructions for setting up RADIUS.
@jalim My RADIUS is working but not for this use case here. Here is my docker-compose.yml @jalim:

```yaml
---
version: '3'
networks:
  DMZ:
    external: true
  proxy_default:
    external: true
  default:
    driver: "bridge"
services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${PG_DATABASE} -U $${PG_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/user/appdata/auth/postgresql:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: ${PG_USER}
      # note: the postgres image reads POSTGRES_DB; POSTGRES_NAME is ignored and
      # the database name then falls back to POSTGRES_USER
      POSTGRES_NAME: ${PG_DATABASE}
      POSTGRES_PASSWORD: ${PG_PASS}
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /mnt/user/appdata/auth/redis:/data
  authentik:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      # SMTP host emails are sent to
      AUTHENTIK_EMAIL__HOST: smtp.zoho.eu
      AUTHENTIK_EMAIL__PORT: 465
      AUTHENTIK_EMAIL__USERNAME: [email protected]
      AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: false
      AUTHENTIK_EMAIL__USE_SSL: true
      AUTHENTIK_EMAIL__TIMEOUT: 10
      AUTHENTIK_EMAIL__FROM: [email protected]
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/templates:/templates
    networks:
      default:
      proxy_default:
      DMZ:
        ipv4_address: 172.16.0.9
    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.services.authentik.loadbalancer.server.scheme: https
      traefik.http.services.authentik.loadbalancer.server.port: 9443
  authentikworker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      #AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      #AUTHENTIK_EMAIL__HOST: smtp.zoho.eu
      #AUTHENTIK_EMAIL__PORT: 465
      #AUTHENTIK_EMAIL__USERNAME: [email protected]
      #AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      #AUTHENTIK_EMAIL__USE_TLS: false
      #AUTHENTIK_EMAIL__USE_SSL: true
      #AUTHENTIK_EMAIL__TIMEOUT: 10
      #AUTHENTIK_EMAIL__FROM: [email protected]
    user: root
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/certs:/certs
      # docker socket lets the worker create outpost containers itself
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/user/appdata/auth/authentik/templates:/templates
  authentikldap:
    image: ghcr.io/goauthentik/ldap:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_LDAP}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      proxy_default:
    labels:
      io.goauthentik.outpost-uuid: 047aa1afebf1497aa499e998f14c9534
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
      traefik.enable: true
      traefik.tcp.routers.authentikldap.entryPoints: ldaps
      traefik.tcp.services.authentikldap.loadbalancer.server.port: 3389
      traefik.tcp.routers.authentikldap.rule: 'HostSNI(`svc-authentik.intra.XXXXXXXXXXXXXXXXX.net`) || HostSNI(`authentik.XXXXXXXXXXXXXXXXX.net`)'
      traefik.tcp.routers.authentikldap.tls.certresolver: "letsencrypt"
      traefik.tcp.routers.authentikldap.tls.domains[0].main: "XXXXXXXXXXXXXXXXX.net"
      traefik.tcp.routers.authentikldap.tls.domains[0].sans: "*.XXXXXXXXXXXXXXXXX.net, *.intra.XXXXXXXXXXXXXXXXX.net"
  authentikradius:
    image: ghcr.io/goauthentik/radius:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_RADIUS}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      DMZ:
        ipv4_address: XXXXXXXXXXXXXXXXX
    labels:
      io.goauthentik.outpost-uuid: XXXXXXXXXXXXXXXXX
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
```
@Svenum thanks for the config, I managed to use that as a jumping-off point to get the RADIUS provider working, however I'm realising now that I'm running into the same issue as you seem to have with my TP-LINK Omada setup. I can authenticate with a web portal using basic PAP protocol but as soon as I switch to using proper WPA3 Enterprise, I get failures. I assume this is just the lack of support for any protocol other than PAP.
I am considering setting up authentik in my environment. I thought a good starting point might be RADIUS auth (WPA2/WPA3 enterprise) with UniFi since I am working on that anyway. I will follow this issue. A side note - for my use case it would be nice to support dynamic VLAN per user (sending Tunnel-Private-Group-Id). From what I can tell this is not currently supported, does anyone know if this is planned?
I did deploy the radius outpost similar to this but it seems my flows do not work.
I would also find msCHAPv2 and dynamic VLAN per user useful for UniFi WiFi
Unifi doesn't support PAP authentication, which at the time is the only authentication type that Authentik supports.
Going off the information in #2050 and the related pull request #1796, right now the authentik radius outpost only supports authentication with PAP. Due to how PEAP-MSCHAPv2 requires passwords to be stored in plain text on the server, this specific method will likely never be supported by authentik's radius outpost. That leaves EAP-TLS and EAP-TTLS/PAP as possibilities, but as the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets, this should be a feature request. An alternative I see some people doing is to spin up an LDAP server to use with FreeRADIUS, then add the LDAP server as a directory source in authentik for the SSO stuff. Personally I am using authentik in self-hosting and HomeLab environments so I prefer not to deploy/maintain a complicated setup such as this. It would be nice to have some WPA Enterprise methods supported by authentik natively.
It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat. There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution
MSCHAPv2 support would be an amazing feature but I can understand the hesitation. My understanding of the protocol is limited but if Windows NPS server supports it and it is used in many enterprise grade devices perhaps it is worth it? Potentially hiding it under an unsafe flag or an explicit warning?
I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file; Authentik created the container on its own through the docker socket mount as normal. I haven't been able to authenticate while testing with This is my radtest command, and the output from the radius container, with the credentials testuser:test
I got the same error msg.
I am running against the same wall. I didn't even connect any services yet - already failing at testing with radtest. Error messages are the same.
In my case radtest succeeds but Cisco WAP561 fails to authenticate, sends user name, possibly it doesn't talk PAP.
I managed to use Authentik as a source for WPA2 Enterprise, but not by using the RADIUS outpost. Instead, I used the LDAP outpost and configured FreeRADIUS to use it. I added a custom attribute to my users called Not sure if using custom attributes like this would work with the RADIUS outpost, but maybe this helps someone.
I actually found another way to do this with setting a
Does anyone know if this is on the roadmap?
I succeeded in getting WPA2 Enterprise set up with UniFi via FreeRADIUS (on pfsense) -> Authentik LDAP Outpost. The most important part was noticing that FreeRADIUS looked for a user's attribute called
Hey, the above workaround got me thinking. Reading up on how PEAP-MSCHAPv2 works, the WPA supplicant (device authenticating to the access point) sends the password to the RADIUS server hashed in MD4, then the RADIUS server compares the password hash to the known password's This isn't the last hurdle before it will work for WPA Enterprise authentication like with PEAP-MSCHAPv2 and EAP-MSCHAPv2 either. PEAP- and EAP-MSCHAPv2 encapsulate the MSCHAPv2 challenge/response in a TLS tunnel during phase 2 of the negotiation. For this reason, authentik's RADIUS outpost would need to support EAP, which goes back to the earlier problem I mentioned:
And if authentik's RADIUS outpost will be gaining support for EAP, EAP-TLS and EAP-TTLS/PAP might be more desirable for authenticating wireless clients because they don't require the unsecure Lately though it appears there is some separate work being done towards this in the toughradius project, see #120. I'll admit I found most of the details on WPA/RADIUS/MSCHAPv2 looking through various Google search results, but it's all in RFCs somewhere if we need to confirm something.
Any news here?
I have it working with EAP-TTLS + PAP on my OpenWRT access points. I had to set up a freeradius docker container that offloads the EAP-TTLS encapsulation and sends a plain PAP query to the authentik radius. Not the best, but good enough for WPA2 Enterprise. Also in OpenWRT you can use the passpoint metadata to instruct wireless clients to use EAP-TTLS+PAP and the domain name, without having to manually select the configuration: https://simeononsecurity.com/guides/unlock-seamless-connectivity-hotspot-2.0-openwrt/
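The FreeRADIUS-in-front arrangement described in the comment above, as an added example that is neither the poster's nor the authentik project's configuration: FreeRADIUS 3.x terminates EAP-TTLS and proxies the inner PAP request to the authentik RADIUS outpost. The realm, the outpost address and the shared secret are placeholders.

```conf
# File: mods-enabled/eap (FreeRADIUS 3.x)
# EAP-TTLS is terminated here; the inner (phase 2) request is handled by
# the "inner-tunnel" virtual server, where the default "suffix" module
# matches the realm below and proxies the plain PAP request onwards.
eap {
    default_eap_type = ttls
    ignore_unknown_eap_types = no
    tls-config tls-common {
        # Certificate the supplicant sees; clients should validate it against ca.pem
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }
    ttls {
        tls = tls-common
        default_eap_type = md5          # only used if the inner method is EAP; PAP is not
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

# File: proxy.conf (FreeRADIUS 3.x)
home_server authentik_radius {
    type = auth
    ipaddr = 172.16.0.10                # placeholder: address of the authentik RADIUS outpost
    port = 1812
    secret = CHANGE_ME                  # placeholder: shared secret of the authentik RADIUS provider
    require_message_authenticator = yes # reject proxied replies lacking Message-Authenticator
}
home_server_pool authentik_pool {
    type = fail-over
    home_server = authentik_radius
}
# Placeholder realm: clients log in as <user>@wifi.example.net. The suffix is
# stripped by default, so authentik receives the bare username plus User-Password.
realm wifi.example.net {
    auth_pool = authentik_pool
}
```

The User-Password on the FreeRADIUS-to-outpost leg is protected only by the RADIUS shared-secret obfuscation, so keep that hop on a trusted network and register FreeRADIUS, not the access points, as the client of the authentik RADIUS provider.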
Describe your question/
I have a Unifi Dream Machine Pro and want to use the authentik radius-provider for the WPA2/3 Enterprise authentication. How can I achieve this?
Relevant infos
I am using the newest Authentik 2023.4.1 Release and Unifi OS 2.5.17.
Logs
There are no logs.
Version and Deployment (please complete the following information):
Additional context
I have deployed a RADIUS provider and a RADIUS outpost. Then I have added a new RADIUS server on the UDMP like so:
If I now try to log in to the WiFi which I configured to WPA2 Enterprise, it simply gets a timeout and in authentik no logs appear.