habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/radius: property mapping docs (#10908)

Browse Source 
* migrate protocols to table

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add radius property mapping example

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* add to release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
Jens L.
2024-08-14 18:38:24 +02:00
committed by GitHub
parent 752735d480
commit afb99c5ede
6 changed files with 76 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
website/docs/outposts/index.mdx
View File

@ -8,7 +8,7 @@ An outpost is required if you use any of the following types of providers with y
- [LDAP Provider](../providers/ldap/index.md)
- [Proxy Provider](../providers/proxy/index.md)
- [RADIUS Provider](../providers/radius/index.md)
- [RADIUS Provider](../providers/radius/index.mdx)
- [RAC Provider](../providers/rac/index.md)
These types of providers use an outpost for increased flexibility and speed. Instead of the provider logic being implemented in authentik Core, these providers use an outpost to handle the logic, which provides improved performance.

37
website/docs/providers/radius/index.md
View File

@ -1,37 +0,0 @@
---
title: Radius Provider
---
You can configure a Radius Provider for applications that don't support any other protocols or require Radius.
:::info
This provider requires the deployment of the [RADIUS Outpost](../../outposts/)
:::
Currently, only authentication requests are supported.
### Authentication flow
Authentication requests against the Radius Server use a flow in the background. This allows you to use the same policies and flows as you do for web-based logins.
The following stages are supported:
- [Identification](../../flow/stages/identification/index.md)
- [Password](../../flow/stages/password/index.md)
- [Authenticator validation](../../flow/stages/authenticator_validate/index.md)
Note: Authenticator validation currently only supports DUO, TOTP and static authenticators.
For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password `example-password` and the code `123456`, the input must be `example-password;123456`.
SMS-based authenticators are not supported as they require a code to be sent from authentik, which is not possible during the bind.
- [User Logout](../../flow/stages/user_logout.md)
- [User Login](../../flow/stages/user_login/index.md)
- [Deny](../../flow/stages/deny.md)
### Limitations
The RADIUS provider only supports the [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol:
![](./protocols.png)

70
website/docs/providers/radius/index.mdx Normal file
View File

@ -0,0 +1,70 @@
---
title: RADIUS Provider
---
import { Check, X, AlertTriangle } from "react-feather";
You can configure a Radius provider for applications that don't support any other protocols or that require Radius.
:::info
This provider requires the deployment of the [RADIUS outpost](../../outposts/)
:::
Currently, only authentication requests are supported.
### Authentication flow
Authentication requests against the Radius Server use a flow in the background. This allows you to use the same flows, stages, and policies as you do for web-based logins.
The following stages are supported:
- [Identification](../../flow/stages/identification/index.md)
- [Password](../../flow/stages/password/index.md)
- [Authenticator validation](../../flow/stages/authenticator_validate/index.md)
Note: Authenticator validation currently only supports DUO, TOTP, and static authenticators.
For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password `example-password` and the MFA token `123456`, the input must be `example-password;123456`.
SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind.
- [User Logout](../../flow/stages/user_logout.md)
- [User Login](../../flow/stages/user_login/index.md)
- [Deny](../../flow/stages/deny.md)
### RADIUS attributes
Starting with authentik 2024.8, you can create RADIUS provider property mappings, which make it possible to add custom attributes to the RADIUS response packets.
For example, to add the Cisco AV-Pair attribute, this snippet can be used:
```python
define_attribute(
vendor_code=9,
vendor_name="Cisco",
attribute_name="AV-Pair",
attribute_code=1,
attribute_type="string",
)
packet["Cisco-AV-Pair"] = "shell:priv-lvl=15"
return packet
```
After creation, make sure to select the RADIUS property mapping in the RADIUS provider.
### Limitations
The RADIUS provider only supports the [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol:
| | Clear-text | NT hash | MD5 hash | Salted MD5 hash | SHA1 hash | Salted SHA1 hash | Unix Crypt |
| ------------ | --------------- | --------------- | --------------- | --------------- | --------------- | ---------------- | --------------- |
| PAP | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> |
| CHAP | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| Digest | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| MS-CHAP | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| PEAP | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| EAP-MSCHAPv2 | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| Cisco LEAP | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| EAP-GTC | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> |
| EAP-MD5 | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> |
| EAP-PWD | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <Check></Check> | <Check></Check> |

BIN
website/docs/providers/radius/protocols.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

2
website/docs/releases/2023/v2023.4.md
View File

@ -23,7 +23,7 @@ slug: "/releases/2023.4"
The RADIUS provider also uses a flow to authenticate users, and supports the same stages as the [LDAP Provider](../../../docs/providers/ldap/index.md).
Documentation: [RADIUS Provider](../../../docs/providers/radius/index.md)
Documentation: [RADIUS Provider](../../../docs/providers/radius/index.mdx)
- Decreased CPU usage for workers

4
website/docs/releases/2024/v2024.8.md
View File

@ -66,6 +66,10 @@ To try out the release candidate, replace your Docker image tag with the latest
- **Source property mappings for SCIM, OAuth, SAML and Plex sources**
- **RADIUS provider custom attribute support**
With 2024.8 it is possible to define custom attributes for the RADIUS provider, for example vendor specific attributes like Cisco's `AV-Pair` attribute. These attributes are defined in property mappings which means they can be dynamically defined based on the user authenticating. See [RADIUS Provider](../../providers/radius/index.mdx#radius-attributes)
- **SAML Source encryption support**
It is now possible to configure a SAML Source to decrypt and validate encrypted assertions. This can be configured by certaing a [Certificate-keypair](../../core/certificates.md) and selecting it in the SAML Source.