Open m-akami opened 2 months ago
For anyone in the same position, after numerous attempts, I finally managed to get it working. I’ll see if submitting a PR to the docs is possible - maybe @BeryJu could check if I’m able to do this. It looks like a very common issue that people are encountering, based on what I’ve seen online and in this repo's discussions.
Hi @m-akami, I'm curious what your solution is like (I assume FreeRADIUS + LDAP?), but feel free to open a PR.
Hi there, and thanks for your work on Authentik; it’s a great IdP. My solution was running RADIUS directly from Authentik and modifying the Docker Compose file, as the RADIUS outpost doesn’t stay alive, which leads to auth timeouts, as mentioned by others. I’ll get round to submitting a full config file and steps.
However, after demoing this for a couple of days, I found that using PAP means it realistically can’t be used for much, as all Apple devices reject that protocol by default due to security issues, including when used over an IKEv2 VPN. I’ve tried to enforce it directly with Apple Configurator 2 and my MDM solution, but it continues to reject the protocol. Unfortunately, I will have to use the FreeRADIUS + LDAP combo instead, which is what I'm deploying now, as it allows me to select an Apple-supported protocol (TLS, TTLS, LEAP, PEAP, EAP-FAST, EAP-SIM, or EAP-AKA) for my WLAN and VPN clients. Although the Ruckus Controller’s built-in AAA tester successfully authenticates directly, indicating that the feature works, I can’t use it on the frontend services I want to use it on due to the protocol being outdated.
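The two points raised in this thread, the weakness of PAP and the RADIUS timeout, in an added example that is not part of this thread or of authentik's code: a minimal RFC 2865 Access-Request builder and reply checker, showing that User-Password hiding is reversible by anyone holding the shared secret, plus a probe that tells a timeout apart from an accept, reject or bad-secret reply. The host, shared secret and credentials are placeholders you supply.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_hide(data, secret, authenticator, unhide=False):
    """RFC 2865 §5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous
    hidden block), seeded by the Request Authenticator; anyone holding the secret reverses it."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = block if unhide else xored  # chain on the hidden (on-the-wire) block
    return out.rstrip(b"\x00") if unhide else out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(ident, secret, user, password, authenticator=None):
    auth = authenticator or os.urandom(16)  # Request Authenticator, must be unpredictable
    attrs = attr(1, user.encode()) + attr(2, pap_hide(password.encode(), secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, request, secret, attrs=b""):
    # What a server sends back: Response Authenticator per RFC 2865 section 3
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def check_reply(reply, request_auth, secret):
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        return "bad-authenticator"  # secret mismatch between NAS and server, or a forged reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code-{code}")

def radius_auth(host, secret, user, password, port=1812, timeout=3.0):
    pkt, auth = build_access_request(1, secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # the symptom above: nothing answering on 1812/udp
    return check_reply(reply, auth, secret)
```

Run `radius_auth("<authentik-host>", b"<shared-secret>", "user", "pass")` from the AP's VLAN to see whether the outpost answers at all before tuning the provider.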
Adding support for EAP-TLS is on our roadmap; however, from looking into it, there's definitely a good reason why there are no open source Go implementations out there.
That's understandable. Many other open-source IdPs don't even support RADIUS at all, so having PAP support is already a major step forward. Unfortunately, I don't work with Go; otherwise, I would have loved to contribute a PR for an EAP-TLS implementation as a side project. Either way, I’m looking forward to seeing how this evolves!
Describe your question: I've been trying for the past couple of days to set up RADIUS on Authentik using the PAP protocol so it can communicate with my Ruckus Controller.
Relevant info: Authentik is on a "Security Operations" VLAN and the Ruckus APs are on another named "Infrastructure".
Logs: No logs from Authentik's side, but the Ruckus Management UI tells me that the connection timed out.
Version and Deployment:
Additional context: I’ve tried creating a RADIUS Provider, adding the shared secret to the Ruckus Controller, but it times out. I’ve used the default flow and also set up an Application for it. I can ping the Authentik host directly from the AP, so inter-VLAN routing doesn’t seem to be the issue (all ports are allowed for testing purposes). Additionally, I’ve tried using Google to find a solution but found that documentation on RADIUS is limited, which is why I’m posting this after about a dozen retries. I’ll try any recommended configurations, and if they work, I’ll submit a PR to the docs so others in my position can resolve this issue more quickly.
Thanks!