
How to use the Radius to authenticate with WPA Enterprise

Open Svenum opened this issue 2 years ago • 20 comments

Describe your question

I have a Unifi Dream Machine Pro and want to use the authentik radius-provider for the WPA2/3 Enterprise authentication. How can I achieve this?

Relevant infos

I am using the newest Authentik 2023.4.1 release and Unifi OS 2.5.17.

Logs

There are no logs.

Version and Deployment (please complete the following information):

  • authentik version: 2023.4.1
  • Deployment: docker-compose

Additional context

I have deployed a RADIUS provider and a RADIUS outpost. Then I have added a new RADIUS server on the UDMP like so: [image]

If I now try to log in to the WiFi, which I configured for WPA2 Enterprise, it simply times out and no logs appear in authentik.

Svenum avatar Apr 20 '23 19:04 Svenum

@Svenum have you had any luck getting RADIUS working? I've been unable to even get the RADIUS outpost started and the documentation is still lacking on actual instructions for setting up RADIUS.

jalim avatar May 07 '23 05:05 jalim

@jalim My RADIUS is working, but not for this use case here.

Here is my docker-compose.yml @jalim:

```yaml
---
version: '3'

networks:
  DMZ:
    external: true
  proxy_default:
    external: true
  default:
    driver: "bridge"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${PG_DATABASE} -U $${PG_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/user/appdata/auth/postgresql:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: ${PG_USER}
      POSTGRES_NAME: ${PG_DATABASE}
      POSTGRES_PASSWORD: ${PG_PASS}

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /mnt/user/appdata/auth/redis:/data

  authentik:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      # SMTP Host Emails are sent to
      AUTHENTIK_EMAIL__HOST:  smtp.zoho.eu
      AUTHENTIK_EMAIL__PORT: 465
      AUTHENTIK_EMAIL__USERNAME: [email protected]
      AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: false
      AUTHENTIK_EMAIL__USE_SSL: true
      AUTHENTIK_EMAIL__TIMEOUT: 10
      AUTHENTIK_EMAIL__FROM: [email protected]
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/templates:/templates
    networks:
      default:
      proxy_default:
      DMZ:
        ipv4_address: 172.16.0.9
    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.services.authentik.loadbalancer.server.scheme: https
      traefik.http.services.authentik.loadbalancer.server.port: 9443

  authentikworker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      #AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      #AUTHENTIK_EMAIL__HOST:  smtp.zoho.eu
      #AUTHENTIK_EMAIL__PORT: 465
      #AUTHENTIK_EMAIL__USERNAME: [email protected]
      #AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      #AUTHENTIK_EMAIL__USE_TLS: false
      #AUTHENTIK_EMAIL__USE_SSL: true
      #AUTHENTIK_EMAIL__TIMEOUT: 10
      #AUTHENTIK_EMAIL__FROM: [email protected]
    user: root
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/user/appdata/auth/authentik/templates:/templates

  authentikldap:
    image: ghcr.io/goauthentik/ldap:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_LDAP}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      proxy_default:
    labels:
      io.goauthentik.outpost-uuid: 047aa1afebf1497aa499e998f14c9534
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
      traefik.enable: true
      traefik.tcp.routers.authentikldap.entryPoints: ldaps
      traefik.tcp.services.authentikldap.loadbalancer.server.port: 3389
      traefik.tcp.routers.authentikldap.rule: 'HostSNI(`svc-authentik.intra.XXXXXXXXXXXXXXXXX.net`) || HostSNI(`authentik.XXXXXXXXXXXXXXXXX.net`)'
      traefik.tcp.routers.authentikldap.tls.certresolver: "letsencrypt"
      traefik.tcp.routers.authentikldap.tls.domains[0].main: "XXXXXXXXXXXXXXXXX.net"
      traefik.tcp.routers.authentikldap.tls.domains[0].sans: "*.XXXXXXXXXXXXXXXXX.net, *.intra.XXXXXXXXXXXXXXXXX.net"

  authentikradius:
    image: ghcr.io/goauthentik/radius:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_RADIUS}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      DMZ:
        ipv4_address: XXXXXXXXXXXXXXXXX
    labels:
      io.goauthentik.outpost-uuid: XXXXXXXXXXXXXXXXX
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
```

Svenum avatar May 07 '23 06:05 Svenum

@Svenum thanks for the config, I managed to use that as a jumping-off point to get the RADIUS provider working, however I'm realising now that I'm running into the same issue as you seem to have with my TP-LINK Omada setup. I can authenticate with a web portal using basic PAP protocol but as soon as I switch to using proper WPA3 Enterprise, I get failures. I assume this is just the lack of support for any protocol other than PAP.

jalim avatar May 18 '23 06:05 jalim

I am considering setting up authentik in my environment. I thought a good starting point might be RADIUS auth (WPA2/WPA3 enterprise) with UniFi since I am working on that anyway. I will follow this issue.

A side note - for my use case it would be nice to support dynamic VLAN per user (sending Tunnel-Private-Group-Id). From what I can tell this is not currently supported, does anyone know if this is planned?

koalaeagle avatar May 20 '23 11:05 koalaeagle

I did deploy the radius outpost similar to this but it seems my flows do not work. When I send a PAP authentication request from our pfsense box I get this error on the outpost:

```
2023-05-23T14:55:46.716536000Z DBG undefined | cidr=0.0.0.0/0 event=Matched CIDR ip=10.1.15.1 logger=authentik.outpost.radius timestamp=2023-05-23T14:55:46Z 
2023-05-23T14:55:46.716971000Z INF undefined | code=Access-Request event=Radius Request logger=authentik.outpost.radius request=4519e665-6489-4db4-b594-597adaa47da7 timestamp=2023-05-23T14:55:46Z 
2023-05-23T14:55:46.792414000Z DBG undefined | client=10.1.15.1 component=ak-stage-access-denied event=Got challenge flow=radius-auth logrus_error=can not add field "requestId" timestamp=2023-05-23T14:55:46Z type=native username=testeduser
```

Any idea?
Did you guys add custom flows?

cfoellmann avatar May 23 '23 15:05 cfoellmann

I would also find msCHAPv2 and dynamic VLAN per user useful for UniFi WiFi

KautzA avatar May 24 '23 15:05 KautzA

Unifi doesn't support PAP authentication, which at the time is the only authentication type that Authentik supports.

yvnggodemis avatar Jul 07 '23 20:07 yvnggodemis

Going off the information in #2050 and the related pull request #1796, right now the authentik radius outpost only supports authentication with PAP. Due to how PEAP-MSCHAPv2 requires passwords to be stored in plain text on the server, this specific method will likely never be supported by authentik's radius outpost. That leaves EAP-TLS and EAP-TTLS/PAP as possibilities, but as the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets, this should be a feature request.

An alternative I see some people doing is to spin up an LDAP server to use with freeRADIUS, then add the LDAP server as a directory source in authentik for the SSO stuff. Personally I am using authentik in self-hosting and HomeLab environments so I prefer not to deploy/maintain a complicated setup such as this. It would be nice to have some WPA Enterprise methods supported by authentik natively.

ekrekeler avatar Jul 11 '23 16:07 ekrekeler

It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat.

There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution

BeryJu avatar Jul 11 '23 18:07 BeryJu

> It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat.
>
> There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution

MSCHAPv2 support would be an amazing feature but I can understand the hesitation.

My understanding of the protocol is limited but if Windows NPS server supports it and it is used in many enterprise grade devices perhaps it is worth it? Potentially hiding it under an unsafe flag or an explicit warning ?

sln-guy avatar Jul 13 '23 15:07 sln-guy

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on its own through the docker socket mount as normal.

I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?

This is my radtest command, and the output from the radius container, with the credentials testuser:test

```
$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}
```

mav8557 avatar Aug 06 '23 22:08 mav8557

> I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on its own through the docker socket mount as normal.
>
> I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?
>
> This is my radtest command, and the output from the radius container, with the credentials testuser:test
>
> ```
> $ radtest -t pap testuser test <authentik ip> 1812 ""
> {"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
> {"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
> {"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
> {"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}
> ```

I got the same error msg. I moved on to the FreeRadius package of our pfsense box. :-(

cfoellmann avatar Aug 09 '23 05:08 cfoellmann

> I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on its own through the docker socket mount as normal. I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem? This is my radtest command, and the output from the radius container, with the credentials testuser:test
>
> ```
> $ radtest -t pap testuser test <authentik ip> 1812 ""
> {"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
> {"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
> {"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
> {"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}
> ```
>
> I got the same error msg. I moved on to the FreeRadius package of our pfsense box. :-(

I am running against the same wall. Anyone with any updates or who got it working?

I didn't even connect any services yet - already failing at testing with radtest. The error messages are the same.

ElBatano avatar Sep 27 '23 10:09 ElBatano

In my case radtest succeeds but Cisco WAP561 fails to authenticate, sends user name, possibly it doesn't talk PAP.

lotusexpeditor avatar Feb 21 '24 00:02 lotusexpeditor

I managed to use Authentik as a source for WPA2 Enterprise, but not by using the RADIUS outpost.

Instead, I used the LDAP outpost and configured FreeRADIUS to use it.

I added a custom attribute to my users called wifipass, which holds the password in plaintext (required for some methods). I also created a flow for (re)setting wifipass, so that users can manage this password themselves.

Not sure if using custom attributes like this would work with the RADIUS outpost, but maybe this helps someone.

k8ieone avatar Feb 21 '24 05:02 k8ieone

I actually found another way to do this with setting a ipaNTHash attribute to the NTLM hash of users' passwords. The only problem is that I can't figure out how to calculate that value when the password changes or to calculate it in a property mapping.

jcrapuchettes avatar Feb 29 '24 00:02 jcrapuchettes

Does anyone know if this is on the roadmap? Is WPA Enterprise so uncommon to not support it? I know not everything can be implemented from the start but this seems to me as a very, very common requirement.

cfoellmann avatar Feb 29 '24 08:02 cfoellmann

I succeeded in getting WPA2 Enterprise setup with UniFi via FreeRADIUS (on pfsense) -> Authentik LDAP Outpost. The most important part was noticing that FreeRADIUS looked for a user's attribute called ipaNTHash. This can be calculated as the MD4 hash of a user's password (see #8768). With the attributes in-place for our users, they are able to use PEAP/MSCHAPv2 for most devices or EAP-TTLS/MSCHAPv2.

jcrapuchettes avatar Mar 09 '24 00:03 jcrapuchettes

Hey, the above workaround got me thinking. Reading up on how PEAP-MSCHAPv2 works, the WPA supplicant (device authenticating to the access point) sends the password to the RADIUS server hashed in MD4, then the RADIUS server compares the password hash to the known password's ipaNTHash, which is just an MD4 hash of the password. So in theory, authentik and any other RADIUS server should be able to service MSCHAPv2 requests so long as it has the ipaNTHash stored in advance. Now MD4 has already been compromised and can be cracked, but it's at least better than storing the passwords in plain text. Maybe if request for MSCHAPv2 is big enough, calculating ipaNTHash can become a toggleable option in authentik's password change flows.

This isn't the last hurdle before it will work for WPA Enterprise authentication like with PEAP-MSCHAPv2 and EAP-MSCHAPv2 either. PEAP- and EAP-MSCHAPv2 encapsulate the MSCHAPv2 challenge/response in a TLS tunnel during phase 2 of the negotiation. For this reason, authentik's RADIUS outpost would need to support EAP, which goes back to the earlier problem I mentioned:

> the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets

And if authentik's RADIUS outpost will be gaining support for EAP, EAP-TLS and EAP-TTLS/PAP might be more desirable for authenticating wireless clients because they don't require the insecure ipaNTHash to be stored in authentik.

Lately though it appears there is some separate work being done towards this in the toughradius project, see #120.

I'll admit I found most of the details on WPA/RADIUS/MSCHAPv2 looking through various Google search results, but it's all in RFCs somewhere if we need to confirm something.

ekrekeler avatar Mar 09 '24 02:03 ekrekeler

Any news here?

Svenum avatar Sep 04 '24 13:09 Svenum

I have it working with EAP-TTLS + PAP on my OpenWRT access points. I had to setup a freeradius docker container that offloads the EAP-TTLS encapsulation and sends a plain PAP query to the authentik radius. Not the best, but good enough for WPA2 Enterprise.

https://stackoverflow.com/questions/33864953/how-to-configure-freeradius-to-proxy-the-pap-request-inside-an-eap-ttls-tunnel#33873013

Also in OpenWRT you can use the passpoint metadata to instruct wireless clients to use EAP-TTLS+PAP and the domain name, without having to manually select the configuration:

https://simeononsecurity.com/guides/unlock-seamless-connectivity-hotspot-2.0-openwrt/

jesusdf avatar Nov 27 '24 11:11 jesusdf

I successfully achieved the setup suggested by @jesusdf.

AP is Unifi Dream Machine. Already tested Windows 11 client, Linux + KDE + NetworkManager + wpa_supplicant client and Android client, all worked just fine!

KnyfID is my outpost/app/provider/brand name

Config for freeradius 3.2.7:

        prefix = /usr
        exec_prefix = /usr
        sysconfdir = /etc
        localstatedir = /var
        sbindir = ${exec_prefix}/sbin
        logdir = /var/log/freeradius
        raddbdir = /etc/freeradius
        radacctdir = ${logdir}/radacct
        name = freeradius
        confdir = ${raddbdir}
        modconfdir = ${confdir}/mods-config
        certdir = /opt/startechnica/freeradius/certs
        cadir   = ${confdir}/certs
        run_dir = ${localstatedir}/run/${name}
        db_dir = ${raddbdir}
        libdir = /usr/lib/freeradius
        pidfile = ${run_dir}/${name}.pid
        correct_escapes = true
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 16384
        hostname_lookups = no

        log {
          destination = files
          colourise = yes
          file = ${logdir}/radius.log
          syslog_facility = daemon
          stripped_names = no
          auth = no
          auth_badpass = no
          auth_goodpass = no
          msg_denied = "You are already logged in - access denied"
        }

        checkrad = ${sbindir}/checkrad

        security {
          user = freerad
          group = freerad
          allow_core_dumps = no
          max_attributes = 200
          reject_delay = 1
          status_server = yes
        }

        proxy_requests  = yes
        proxy server {
          default_fallback = no
        }

        home_server knyfid {
          type = auth
          ipaddr = ak-outpost-outpost-for-knyfi.authentik.svc
          port = 1812
          secret = $ENV{FREERADIUS_KNYFID_SECRET}
        }

        home_server_pool knyfid {
          home_server = knyfid
        }

        realm knyfid {
          auth_pool = knyfid
          nostrip
        }

        client all {
          ipaddr = *
          proto = *
          secret = $ENV{FREERADIUS_CLIENT_SECRET}
          require_message_authenticator = no
        }

        thread pool {
          start_servers = 5
          max_servers = 32
          min_spare_servers = 3
          max_spare_servers = 10
          max_requests_per_server = 0
          auto_limit_acct = no
        }

        modules {
          pap {
            auto_header = no
          }

          eap {
            default_eap_type = ttls
            timer_expire = 60
            ignore_unknown_eap_types = no
            max_sessions = ${max_requests}

            tls-config tls-common {
              private_key_password = whatever
              private_key_file = ${certdir}/tls.key
              certificate_file = ${certdir}/tls.crt
              ca_file = ${cadir}/ca.pem
              ca_path = ${cadir}
              cipher_list = "DEFAULT"
              cipher_server_preference = no
              tls_min_version = "1.2"
              tls_max_version = "1.3"
              ecdh_curve = ""
              cache {
                enable = no
                lifetime = 24 # hours
                store {
                  Tunnel-Private-Group-Id
                }
              }

              ocsp {
                enable = no
                override_cert_url = yes
                url = "http://127.0.0.1/ocsp/"
              }
            }

            ttls {
              tls = tls-common
              default_eap_type = pap
              copy_request_to_tunnel = no
              use_tunneled_reply = no
              virtual_server = "default"
            }
          }
        }

        server default {
          listen {
            type = auth
            ipaddr = *
            port = 1812

            limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
            }
          }

          listen {
            type = auth
            ipv6addr = ::
            port = 1812

            limit {
              max_connections = 16
              lifetime = 0
              idle_timeout = 30
            }
          }

          authorize {
            eap {
              ok = return
            }

            pap

            update control {
              &Proxy-To-Realm := "knyfid"
            }
          }

          authenticate {
            Auth-Type PAP {
              pap
            }

            eap
          }

          post-auth {
            update {
              &reply: += &session-state:
            }

            if (&reply:EAP-Session-Id) {
              update reply {
                EAP-Key-Name := &reply:EAP-Session-Id
              }
            }
          }

          post-proxy {
            eap
          }
        }

JuniorJPDJ avatar Apr 21 '25 21:04 JuniorJPDJ

@jesusdf @JuniorJPDJ Do you do VLAN assignment based on group membership?

cheggerdev avatar Apr 23 '25 06:04 cheggerdev

I'm interested in that feature, but haven't looked at it yet. I know it should work with some property mappings, but I don't know which ones I need.

https://docs.goauthentik.io/docs/add-secure-apps/providers/radius/

jesusdf avatar Apr 23 '25 07:04 jesusdf

The freeradius attributes for VLAN-assignment are:

Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id

@BeryJu What are the corresponding radius property mappings?

cheggerdev avatar Apr 23 '25 08:04 cheggerdev
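Both koalaeagle's early request for per-user VLANs (sending Tunnel-Private-Group-Id) and cheggerdev's list of the three FreeRADIUS attributes above come down to the same wire format: the Access-Accept has to carry Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id = "<vlan>", all with the same tag, or the access point ignores the assignment. The following is an added example, not code from this thread, from authentik, FreeRADIUS or the UniFi controller: it encodes and decodes those attributes per RFC 2868, wraps them in an Access-Accept with the RFC 2865 Response Authenticator, and shows the check a NAS performs before trusting such a reply. Attribute numbers and enumerations are the RFC ones; function names, the sample identifier and the shared secret are constructed. Which authentik property mapping produces these attributes is not on this page and is not assumed here.

```python
import hashlib
import struct

# RFC 2868 attribute numbers and enumerated values used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

ACCESS_ACCEPT = 2              # RFC 2865 packet code


def _tagged_int(attr_type, tag, value):
    # Tagged integer (RFC 2868): 1-byte tag followed by a 3-byte big-endian value, length 6.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text, with_tag=True):
    # Tagged string (RFC 2868): the tag byte is optional; receivers treat a first byte
    # above 0x1F as part of the string rather than as a tag.
    payload = (bytes([tag]) if with_tag else b"") + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def vlan_attributes(vlan_id, tag=0):
    """The three attributes an Access-Accept must carry for a NAS to place the client
    in a VLAN. tag=0 means 'untagged' per RFC 2868; a non-zero tag groups them."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def access_accept(identifier, request_authenticator, attributes, secret):
    """Build an Access-Accept (RFC 2865): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """What a NAS does before trusting a reply: recompute the Response Authenticator.
    A reply that fails (wrong shared secret, altered attributes) must be dropped."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[4:20] == expected


def parse_attributes(blob):
    """Walk the TLV attribute list, rejecting bad lengths instead of reading past the end."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def decode_vlan(attributes):
    """Return (tag, vlan_id) when the attribute list carries a complete VLAN assignment,
    otherwise None. All three attributes must share one tag, as a NAS requires."""
    by_tag = {}
    for attr_type, value in parse_attributes(attributes):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            tag, text = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            by_tag.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for tag, attrs in by_tag.items():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return tag, attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    # Constructed sample: a NAS sent Access-Request ID 7 with an all-zero authenticator.
    req_auth = bytes(16)
    secret = b"constructed-shared-secret"
    pkt = access_accept(7, req_auth, vlan_attributes(42), secret)
    print(pkt.hex())
    print(verify_response(pkt, req_auth, secret), decode_vlan(pkt[20:]))
```

The decoder deliberately refuses a reply whose three tunnel attributes carry different tags, which is the usual reason a controller logs a successful authentication but leaves the client on the default VLAN. The Response Authenticator check is also why the `require_message_authenticator = no` and `secret = $ENV{...}` lines in the FreeRADIUS config earlier in this thread matter: the shared secret is the only thing binding a VLAN assignment to the server that was actually asked.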

@BeryJu is this now an enterprise only feature?

Svenum avatar Sep 24 '25 06:09 Svenum

@Svenum it has been from the start, since it requires the MTLS stage to function, which is enterprise. There have been some changes made to the PR to make it less confusing.

BeryJu avatar Sep 24 '25 10:09 BeryJu

@Svenum If I understand @BeryJu correctly, EAP-TTLS+whatever is also implemented but not tested.

cheggerdev avatar Sep 26 '25 06:09 cheggerdev

@BeryJu I understand that adding EAP-TLS took a lot of time and your company needs to be compensated for that time, but do you think that feature might be non-enterprise sometime in the future? I know I'm not a standard user, but I would love to have per-user VLANs in my home without a complicated FreeRADIUS + LDAP outpost setup.

jcrapuchettes avatar Sep 29 '25 02:09 jcrapuchettes

> @BeryJu I understand that adding EAP-TLS took a lot of time and your company needs to be compensated for that time, but do you think that feature might be non-enterprise sometime in the future? I know I'm not a standard user, but I would love to have per-user VLANs in my home without a complicated FreeRADIUS + LDAP outpost setup.

For per-user VLANs, known as dynamic VLAN assignment, you need to define some RFC attributes. While doing this you will run into #16980 and #16993.

cheggerdev avatar Sep 29 '25 06:09 cheggerdev