Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to use the Radius to authenticate with WPA Enterprise #5328

Open
Svenum opened this issue Apr 20, 2023 · 21 comments
Open

How to use the Radius to authenticate with WPA Enterprise #5328

Svenum opened this issue Apr 20, 2023 · 21 comments
Labels
question Further information is requested

Comments

@Svenum
Copy link

Svenum commented Apr 20, 2023

Describe your question/
I have a Unifi Dream Machine Pro and want to use the authentik radius-provider for the WPA2/3 Enterprise authentication. How can I achive this?

Relevant infos
I am using the newest Authentik 2023.4.1 Release and Unifi OS 2.5.17.

Logs
There are no logs.

Version and Deployment (please complete the following information):

  • authentik version: 2023.4.1
  • Deployment: docker-compose

Additional context
I have Deployed an RADIUS-Provider and an RADIUS-Outpost. Then I have added a new RADIUS-Server on the UDMP like so:
image

If I now try to login to the WiFi witch I configured to WPA2 Enterprise it simply got an timeout and in authentik no logs appears.

@Svenum Svenum added the question Further information is requested label Apr 20, 2023
@jalim
Copy link

jalim commented May 7, 2023

@Svenum have you had any luck getting RADIUS working? I've been unable to even get the RADIUS outpost started and the documentation is still lacking on actual instructions for setting up RADIUS.

@Svenum
Copy link
Author

Svenum commented May 7, 2023

@jalim MyRADIUS ist working but not for thise use case here.

Here is my docker-compose.yml @jalim:

---
version: '3'

networks:
  DMZ:
    external: true
  proxy_default:
    external: true
  default:
    driver: "bridge"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${PG_DATABASE} -U $${PG_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/user/appdata/auth/postgresql:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: ${PG_USER}
      POSTGRES_NAME: ${PG_DATABASE}
      POSTGRES_PASSWORD: ${PG_PASS}
      
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /mnt/user/appdata/auth/redis:/data
      
  authentik:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      # SMTP Host Emails are sent to
      AUTHENTIK_EMAIL__HOST:  smtp.zoho.eu
      AUTHENTIK_EMAIL__PORT: 465
      AUTHENTIK_EMAIL__USERNAME: [email protected]
      AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: false
      AUTHENTIK_EMAIL__USE_SSL: true
      AUTHENTIK_EMAIL__TIMEOUT: 10
      AUTHENTIK_EMAIL__FROM: [email protected]
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/templates:/templates
    networks:
      default:
      proxy_default:
      DMZ:
        ipv4_address: 172.16.0.9
    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.services.authentik.loadbalancer.server.scheme: https
      traefik.http.services.authentik.loadbalancer.server.port: 9443
      
  authentikworker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      #AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      #AUTHENTIK_EMAIL__HOST:  smtp.zoho.eu
      #AUTHENTIK_EMAIL__PORT: 465
      #AUTHENTIK_EMAIL__USERNAME: [email protected]
      #AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      #AUTHENTIK_EMAIL__USE_TLS: false
      #AUTHENTIK_EMAIL__USE_SSL: true
      #AUTHENTIK_EMAIL__TIMEOUT: 10
      #AUTHENTIK_EMAIL__FROM: [email protected]
    user: root
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/user/appdata/auth/authentik/templates:/templates

     
  authentikldap:
    image:      ghcr.io/goauthentik/ldap:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_LDAP}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      proxy_default:
    labels:
      io.goauthentik.outpost-uuid: 047aa1afebf1497aa499e998f14c9534
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
      traefik.enable: true
      traefik.tcp.routers.authentikldap.entryPoints: ldaps
      traefik.tcp.services.authentikldap.loadbalancer.server.port: 3389
      traefik.tcp.routers.authentikldap.rule: 'HostSNI(`svc-authentik.intra.XXXXXXXXXXXXXXXXX.net`) || HostSNI(`authentik.XXXXXXXXXXXXXXXXX.net`)'
      traefik.tcp.routers.authentikldap.tls.certresolver: "letsencrypt"
      traefik.tcp.routers.authentikldap.tls.domains[0].main: "XXXXXXXXXXXXXXXXX.net"
      traefik.tcp.routers.authentikldap.tls.domains[0].sans: "*.XXXXXXXXXXXXXXXXX.net, *.intra.XXXXXXXXXXXXXXXXX.net"

  authentikradius:
    image:      ghcr.io/goauthentik/radius:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_RADIUS}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      DMZ:
        ipv4_address: XXXXXXXXXXXXXXXXX
    labels:
      io.goauthentik.outpost-uuid: XXXXXXXXXXXXXXXXX
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"

@jalim
Copy link

jalim commented May 18, 2023

@Svenum thanks for the config, I managed to use that as a jumping off point to get the RADIUS provider working, however I'm realising now that I'm running into the same issue as you seem to have with my TP-LINK Omada setup. I can authenticate with a web portal using basic PAP protocol but as soon as I switch to using proper WPA3 Enterprise, I get failures. I assume this is just the lack of support for any protocol other than PAP.

@koalaeagle
Copy link

I am considering setting up authentik in my environment. I thought a good starting point might be RADIUS auth (WPA2/WPA3 enterprise) with UniFi since I am working on that anyway. I will follow this issue.

A side note - for my use case it would be nice to support dynamic VLAN per user (sending Tunnel-Private-Group-Id). From what I can tell this is not currently supported, does anyone know if this is planned?

@cfoellmann
Copy link

I did deploy the radius outpost similiar to this but it seems my flows do not work.
When I send a PAP authentication request from our pfsense box I get this error on the outpost:

2023-05-23T14:55:46.716536000Z DBG undefined | cidr=0.0.0.0/0 event=Matched CIDR ip=10.1.15.1 logger=authentik.outpost.radius timestamp=2023-05-23T14:55:46Z 
2023-05-23T14:55:46.716971000Z INF undefined | code=Access-Request event=Radius Request logger=authentik.outpost.radius request=4519e665-6489-4db4-b594-597adaa47da7 timestamp=2023-05-23T14:55:46Z 
2023-05-23T14:55:46.792414000Z DBG undefined | client=10.1.15.1 component=ak-stage-access-denied event=Got challenge flow=radius-auth logrus_error=can not add field "requestId" timestamp=2023-05-23T14:55:46Z type=native username=testeduser
```
any idea?
Did you guys add custom flows?

@KautzA
Copy link

KautzA commented May 24, 2023

I would also find msCHAPv2 and dynamic VLAN per user useful for UniFi WiFi

@yvnggodemis
Copy link

Unifi doesn't support PAP authentication, which at the time is the only authentication type that Authentik supports.

@ekrekeler
Copy link

ekrekeler commented Jul 11, 2023

Going off the information in #2050 and the related pull request #1796, right now the authentik radius outpost only supports authentication with PAP. Due to how PEAP-MSCHAPv2 requires passwords to be stored in plain text on the server, this specific method will likely never be supported by authentik's radius outpost. That leaves EAP-TLS and EAP-TTLS/PAP as possibilities, but as the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets, this should be a feature request.

An alternative I see some people doing is to spin up an LDAP server to use with freeRADIUS, then add the LDAP server as a directory source in authentik for the SSO stuff. Personally I am using authentik in self-hosting and HomeLab environments so I prefer not to deploy/maintain a complicated setup such as this. It would be nice to have some WPA Enterprise methods supported by authentik natively.

@BeryJu
Copy link
Member

BeryJu commented Jul 11, 2023

It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat.

There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution

@sln-guy
Copy link

sln-guy commented Jul 13, 2023

It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat.

There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution

MSCHAPv2 support would be an amazing feature but I can understand the hesitation.

My understanding of the protocol is limited but if Windows NPS server supports it and it is used in many enterprise grade devices perhaps it is worth it? Potentially hiding it under an unsafe flag or an explicit warning ?

@mav8557
Copy link

mav8557 commented Aug 6, 2023

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on it's own through the docker socket mount as normal.

I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?

This is my radtest command, and the output from the radius container, with the credentials testuser:test

$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}

@cfoellmann
Copy link

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on it's own through the docker socket mount as normal.

I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?

This is my radtest command, and the output from the radius container, with the credentials testuser:test

$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}

I got the same error msg.
I moved on to the FreeRadius package of our pfsense box. :-(

@ElBatano
Copy link

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on it's own through the docker socket mount as normal.
I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?
This is my radtest command, and the output from the radius container, with the credentials testuser:test

$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}

I got the same error msg. I moved on to the FreeRadius package of our pfsense box. :-(

I am running against the same wall.
Anyone with any updates or who got it working?

I didnt even connect any services yet - already failing at testing with radtest. Error Messages are the same.

@lotusexpeditor
Copy link

In my case radtest succeeds but Cisco WAP561 fails to authenticate, sends user name, possibly it doesnt talk PAP.

@k8ieone
Copy link

k8ieone commented Feb 21, 2024

I managed to use Authentik as a source for WPA2 Enterprise, but not by using the RADIUS outpost.

Instead, I used the LDAP outpost and configured FreeRADIUS to use it.

I added a custom attribute to my users called wifipass, which holds the password in plaintext (required for some methods). I also created a flow for (re)setting wifipass, so that users can manage this password themselves.

Not sure if using custom attributes like this would work with the RADIUS outpost, but maybe this helps someone.

@jcrapuchettes
Copy link

I actually found another way to do this with setting a ipaNTHash attribute to the NTLM hash of users' passwords. The only problem is that I can't figure out how to calculate that value when the password changes or to calculate it in a property mapping.

@cfoellmann
Copy link

Does anyone know if this is on the roadmap?
Is WPA Enterprise so uncommon to not support it? I know not everything can be implemented from the start but this seems to me as a very, very common requirement.

@jcrapuchettes
Copy link

I succeeded in getting WPA2 Enterprise setup with UniFi via FreeRADIUS (on pfsense) -> Authentik LDAP Outpost. The most important part was noticing that FreeRADIUS looked for a user's attribute called ipaNTHash. This can be calculated as the MD4 hash of a user's password (see #8768). With the attributes in-place for our users, they are able to use PEAP/MSCHAPv2 for most devices or EAP-TTLS/MSCHAPv2.

@ekrekeler
Copy link

ekrekeler commented Mar 9, 2024

Hey, the above workaround got me thinking. Reading up on how PEAP-MSCHAPv2 works, the WPA supplicant (device authenticating to the access point) sends the password to the RADIUS server hashed in MD4, then the RADIUS server compares the password hash to the known password's ipaNTHash, which is just an MD4 hash of the password. So in theory, authentik and any other RADIUS server should be able to service MSCHAPv2 requests so long as it has the ipaNTHash stored in advance. Now MD4 has already been compromised and can be cracked, but it's at least better than storing the passwords in plain text. Maybe if request for MSCHAPv2 is big enough, calculating ipaNTHash can become a toggleable option in authentik's password change flows.

This isn't the last hurdle before it will work for WPA Enterprise authentication like with PEAP-MSCHAPv2 and EAP-MSCHAPv2 either. PEAP- and EAP-MSCHAPv2 encapsulate the MSCHAPv2 challenge/response in a TLS tunnel during phase 2 of the negotiation. For this reason, authentik's RADIUS outpost would need to support EAP, which goes back to the earlier problem I mentioned:

the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets

And if authentik's RADIUS outpost will be gaining support for EAP, EAP-TLS and EAP-TTLS/PAP might be more desirable for authenticating wireless clients because they don't require the unsecure ipaNTHash to be stored in authentik.

Lately though it appears there is some separate work being done towards this in the toughradius project, see #120.

I'll admit I found most of the details on WPA/RADIUS/MSCHAPv2 looking through various Google search results, but it's all in RFCs somewhere if we need to confirm something.

@Svenum
Copy link
Author

Svenum commented Sep 4, 2024

Any news here?

@jesusdf
Copy link

jesusdf commented Nov 27, 2024

I have it working with EAP-TTLS + PAP on my OpenWRT access points. I had to setup a freeradius docker container that offloads the EAP-TTLS encapsulation and sends a plain PAP query to the authentik radius. Not the best, but good enough for WPA2 Enterprise.

https://stackoverflow.com/questions/33864953/how-to-configure-freeradius-to-proxy-the-pap-request-inside-an-eap-ttls-tunnel#33873013

Also in OpenWRT you can use the passpoint metadata to instruct wireless clients to use EAP-TTLS+PAP and the domain name, without having to manually select the configuration:

https://simeononsecurity.com/guides/unlock-seamless-connectivity-hotspot-2.0-openwrt/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests