keep eap state when refreshing

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-05-16 22:59:16 +02:00
parent 50c50c4109
commit 8cf8f1e199
3 changed files with 16 additions and 17 deletions
--- a/authentik/providers/radius/models.py
+++ b/authentik/providers/radius/models.py
@ -1,6 +1,7 @@
 """Radius Provider"""

 from collections.abc import Iterable
+
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
@ -41,10 +42,7 @@ class RadiusProvider(OutpostModel, Provider):
    )

    certificate = models.ForeignKey(
-        CertificateKeyPair,
-        on_delete=models.CASCADE,
-        default=None,
-        null=True
+        CertificateKeyPair, on_delete=models.CASCADE, default=None, null=True
    )

    @property
@ -67,7 +65,7 @@ class RadiusProvider(OutpostModel, Provider):
        return RadiusProviderSerializer

    def get_required_objects(self) -> Iterable[models.Model | str]:
-        required_models = [self]
+        required_models = [self, "authentik_stages_mtls.pass_outpost_certificate"]
        if self.certificate is not None:
            required_models.append(self.certificate)
        return required_models
--- a/internal/outpost/radius/api.go
+++ b/internal/outpost/radius/api.go
@ -42,10 +42,15 @@ func (rs *RadiusServer) Refresh() error {
 	if len(apiProviders) < 1 {
 		return errors.New("no radius provider defined")
 	}
-	providers := make([]*ProviderInstance, len(apiProviders))
-	for idx, provider := range apiProviders {
+	providers := make(map[int32]*ProviderInstance)
+	for _, provider := range apiProviders {
+		existing, ok := rs.providers[provider.Pk]
+		state := map[string]*eap.State{}
+		if ok {
+			state = existing.eapState
+		}
 		logger := log.WithField("logger", "authentik.outpost.radius").WithField("provider", provider.Name)
-		providers[idx] = &ProviderInstance{
+		providers[provider.Pk] = &ProviderInstance{
 			SharedSecret:   []byte(provider.GetSharedSecret()),
 			ClientNetworks: parseCIDRs(provider.GetClientNetworks()),
 			MFASupport:     provider.GetMfaSupport(),
@ -55,15 +60,10 @@ func (rs *RadiusServer) Refresh() error {
 			providerId:     provider.Pk,
 			s:              rs,
 			log:            logger,
-			eapState:       map[string]*eap.State{},
+			eapState:       state,
 		}
 	}
 	rs.providers = providers
 	rs.log.Info("Update providers")
 	return nil
 }
-
-func (rs *RadiusServer) StartRadiusServer() error {
-	rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
-	return rs.s.ListenAndServe()
-}
--- a/internal/outpost/radius/radius.go
+++ b/internal/outpost/radius/radius.go
@ -35,14 +35,14 @@ type RadiusServer struct {
 	ac          *ak.APIController
 	cryptoStore *ak.CryptoStore

-	providers []*ProviderInstance
+	providers map[int32]*ProviderInstance
 }

 func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RadiusServer{
 		log:         log.WithField("logger", "authentik.outpost.radius"),
 		ac:          ac,
-		providers:   []*ProviderInstance{},
+		providers:   map[int32]*ProviderInstance{},
 		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
 	}
 	rs.s = radius.PacketServer{
@ -103,7 +103,8 @@ func (rs *RadiusServer) Start() error {
 	}()
 	go func() {
 		defer wg.Done()
-		err := rs.StartRadiusServer()
+		rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
+		err := rs.s.ListenAndServe()
 		if err != nil {
 			panic(err)
 		}