providers/radius: property mapping docs (#10908)
* migrate protocols to table

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add radius property mapping example

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* add to release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Showing 6 changed files with 76 additions and 39 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
--- | ||
title: RADIUS Provider | ||
--- | ||
|
||
import { Check, X, AlertTriangle } from "react-feather"; | ||
|
||
You can configure a Radius provider for applications that don't support any other protocols or that require Radius. | ||
|
||
:::info | ||
This provider requires the deployment of the [RADIUS outpost](../../outposts/) | ||
::: | ||
|
||
Currently, only authentication requests are supported. | ||
|
||
### Authentication flow | ||
|
||
Authentication requests against the Radius Server use a flow in the background. This allows you to use the same flows, stages, and policies as you do for web-based logins. | ||
|
||
The following stages are supported: | ||
|
||
- [Identification](../../flow/stages/identification/index.md) | ||
- [Password](../../flow/stages/password/index.md) | ||
- [Authenticator validation](../../flow/stages/authenticator_validate/index.md) | ||
|
||
Note: Authenticator validation currently only supports DUO, TOTP, and static authenticators. | ||
|
||
For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password `example-password` and the MFA token `123456`, the input must be `example-password;123456`. | ||
|
||
SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind. | ||
|
||
- [User Logout](../../flow/stages/user_logout.md) | ||
- [User Login](../../flow/stages/user_login/index.md) | ||
- [Deny](../../flow/stages/deny.md) | ||
|
||
### RADIUS attributes | ||
|
||
Starting with authentik 2024.8, you can create RADIUS provider property mappings, which make it possible to add custom attributes to the RADIUS response packets. | ||
|
||
For example, to add the Cisco AV-Pair attribute, this snippet can be used: | ||
|
||
```python | ||
define_attribute( | ||
vendor_code=9, | ||
vendor_name="Cisco", | ||
attribute_name="AV-Pair", | ||
attribute_code=1, | ||
attribute_type="string", | ||
) | ||
packet["Cisco-AV-Pair"] = "shell:priv-lvl=15" | ||
return packet | ||
``` | ||
|
||
After creation, make sure to select the RADIUS property mapping in the RADIUS provider. | ||
|
||
### Limitations | ||
|
||
The RADIUS provider only supports the [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol: | ||
|
||
| | Clear-text | NT hash | MD5 hash | Salted MD5 hash | SHA1 hash | Salted SHA1 hash | Unix Crypt | | ||
| ------------ | --------------- | --------------- | --------------- | --------------- | --------------- | ---------------- | --------------- | | ||
| PAP | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | | ||
| CHAP | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| Digest | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| MS-CHAP | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| PEAP | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| EAP-MSCHAPv2 | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| Cisco LEAP | <Check></Check> | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| EAP-GTC | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | <Check></Check> | | ||
| EAP-MD5 | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | <X></X> | | ||
| EAP-PWD | <Check></Check> | <X></X> | <X></X> | <X></X> | <X></X> | <Check></Check> | <Check></Check> | |
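Review bot: The Cisco example under "RADIUS attributes" sets `packet["Cisco-AV-Pair"] = "shell:priv-lvl=15"` with no condition, so as written the mapping adds the highest Cisco privilege level to every response it is evaluated for. Readers will copy this snippet, so either make the assignment conditional on something about the user (group membership, for instance) or add a sentence saying that the mapping applies to everyone who authenticates through the provider it is selected on. In the MFA paragraph, "bind password" and "during the bind" are LDAP wording; for RADIUS this should refer to the password sent in the authentication request. Under "Limitations", the sentence says only PAP is supported, but the table that follows marks CHAP, MS-CHAP, PEAP and others with checks and has an unlabelled first column and no caption, so it reads as if those protocols work; state what the rows and columns mean, or keep only the PAP row. Smaller points: the User Logout, User Login and Deny links sit after the authenticator note and belong in the stage list above it, `AlertTriangle` is imported but not used in this file, and "Radius" and "RADIUS" are mixed.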
Binary file not shown.