keep eap state when refreshing

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/providers/radius/models.py

@@ -1,6 +1,7 @@
 """Radius Provider"""
 
 from collections.abc import Iterable
+
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
@@ -41,10 +42,7 @@ class RadiusProvider(OutpostModel, Provider):
     )
 
     certificate = models.ForeignKey(
-        CertificateKeyPair,
+        CertificateKeyPair, on_delete=models.CASCADE, default=None, null=True
-        on_delete=models.CASCADE,
-        default=None,
-        null=True
     )
 
     @property
@@ -67,7 +65,7 @@ class RadiusProvider(OutpostModel, Provider):
         return RadiusProviderSerializer
 
     def get_required_objects(self) -> Iterable[models.Model | str]:
-        required_models = [self]
+        required_models = [self, "authentik_stages_mtls.pass_outpost_certificate"]
         if self.certificate is not None:
             required_models.append(self.certificate)
         return required_models

internal/outpost/radius/api.go

@@ -42,10 +42,15 @@ func (rs *RadiusServer) Refresh() error {
 	if len(apiProviders) < 1 {
 		return errors.New("no radius provider defined")
 	}
-	providers := make([]*ProviderInstance, len(apiProviders))
+	providers := make(map[int32]*ProviderInstance)
-	for idx, provider := range apiProviders {
+	for _, provider := range apiProviders {
+		existing, ok := rs.providers[provider.Pk]
+		state := map[string]*eap.State{}
+		if ok {
+			state = existing.eapState
+		}
 		logger := log.WithField("logger", "authentik.outpost.radius").WithField("provider", provider.Name)
-		providers[idx] = &ProviderInstance{
+		providers[provider.Pk] = &ProviderInstance{
 			SharedSecret:   []byte(provider.GetSharedSecret()),
 			ClientNetworks: parseCIDRs(provider.GetClientNetworks()),
 			MFASupport:     provider.GetMfaSupport(),
@@ -55,15 +60,10 @@ func (rs *RadiusServer) Refresh() error {
 			providerId:     provider.Pk,
 			s:              rs,
 			log:            logger,
-			eapState:       map[string]*eap.State{},
+			eapState:       state,
 		}
 	}
 	rs.providers = providers
 	rs.log.Info("Update providers")
 	return nil
 }
-
-func (rs *RadiusServer) StartRadiusServer() error {
-	rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
-	return rs.s.ListenAndServe()
-}

internal/outpost/radius/radius.go

@@ -35,14 +35,14 @@ type RadiusServer struct {
 	ac          *ak.APIController
 	cryptoStore *ak.CryptoStore
 
-	providers []*ProviderInstance
+	providers map[int32]*ProviderInstance
 }
 
 func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RadiusServer{
 		log:         log.WithField("logger", "authentik.outpost.radius"),
 		ac:          ac,
-		providers:   []*ProviderInstance{},
+		providers:   map[int32]*ProviderInstance{},
 		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
 	}
 	rs.s = radius.PacketServer{
@@ -103,7 +103,8 @@ func (rs *RadiusServer) Start() error {
 	}()
 	go func() {
 		defer wg.Done()
-		err := rs.StartRadiusServer()
+		rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
+		err := rs.s.ListenAndServe()
 		if err != nil {
 			panic(err)
 		}