search

goauthentik / authentik

The authentication glue you need.
https://goauthentik.io
Other
7.84k stars 601 forks source link

How to use the Radius to authenticate with WPA Enterprise #5328

Open Svenum opened 1 year ago

Svenum commented 1 year ago

Describe your question/ I have a Unifi Dream Machine Pro and want to use the authentik radius-provider for the WPA2/3 Enterprise authentication. How can I achive this?

Relevant infos I am using the newest Authentik 2023.4.1 Release and Unifi OS 2.5.17.

Logs There are no logs.

Version and Deployment (please complete the following information):

Additional context I have Deployed an RADIUS-Provider and an RADIUS-Outpost. Then I have added a new RADIUS-Server on the UDMP like so: image

If I now try to login to the WiFi witch I configured to WPA2 Enterprise it simply got an timeout and in authentik no logs appears.

jalim commented 1 year ago

@Svenum have you had any luck getting RADIUS working? I've been unable to even get the RADIUS outpost started and the documentation is still lacking on actual instructions for setting up RADIUS.

Svenum commented 1 year ago

@jalim MyRADIUS ist working but not for thise use case here.

Here is my docker-compose.yml @jalim: 

---
version: '3'

networks:
  DMZ:
    external: true
  proxy_default:
    external: true
  default:
    driver: "bridge"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${PG_DATABASE} -U $${PG_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /mnt/user/appdata/auth/postgresql:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: ${PG_USER}
      POSTGRES_NAME: ${PG_DATABASE}
      POSTGRES_PASSWORD: ${PG_PASS}

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /mnt/user/appdata/auth/redis:/data

  authentik:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      # SMTP Host Emails are sent to
      AUTHENTIK_EMAIL__HOST:  smtp.zoho.eu
      AUTHENTIK_EMAIL__PORT: 465
      AUTHENTIK_EMAIL__USERNAME: authentik@XXXXXXXXXXXXXXXXX.net
      AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: false
      AUTHENTIK_EMAIL__USE_SSL: true
      AUTHENTIK_EMAIL__TIMEOUT: 10
      AUTHENTIK_EMAIL__FROM: authentik@XXXXXXXXXXXXXXXXX.net
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/templates:/templates
    networks:
      default:
      proxy_default:
      DMZ:
        ipv4_address: 172.16.0.9
    labels:
      traefik.enable: true
      traefik.http.routers.authentik.entryPoints: https
      traefik.http.services.authentik.loadbalancer.server.scheme: https
      traefik.http.services.authentik.loadbalancer.server.port: 9443

  authentikworker:
    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__CACHE_TIMEOUT: 60
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DATABASE}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      #AUTHENTIK_SECRET_KEY: ${AUTHENTIK_KEY}
      #AUTHENTIK_EMAIL__HOST:  smtp.zoho.eu
      #AUTHENTIK_EMAIL__PORT: 465
      #AUTHENTIK_EMAIL__USERNAME: authentik@XXXXXXXXXXXXXXXXX.net
      #AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      #AUTHENTIK_EMAIL__USE_TLS: false
      #AUTHENTIK_EMAIL__USE_SSL: true
      #AUTHENTIK_EMAIL__TIMEOUT: 10
      #AUTHENTIK_EMAIL__FROM: authentik@XXXXXXXXXXXXXXXXX.net
    user: root
    volumes:
      - /mnt/user/appdata/auth/authentik/media:/media
      - /mnt/user/appdata/auth/authentik/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/user/appdata/auth/authentik/templates:/templates

  authentikldap:
    image:      ghcr.io/goauthentik/ldap:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_LDAP}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      proxy_default:
    labels:
      io.goauthentik.outpost-uuid: 047aa1afebf1497aa499e998f14c9534
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
      traefik.enable: true
      traefik.tcp.routers.authentikldap.entryPoints: ldaps
      traefik.tcp.services.authentikldap.loadbalancer.server.port: 3389
      traefik.tcp.routers.authentikldap.rule: 'HostSNI(`svc-authentik.intra.XXXXXXXXXXXXXXXXX.net`) || HostSNI(`authentik.XXXXXXXXXXXXXXXXX.net`)'
      traefik.tcp.routers.authentikldap.tls.certresolver: "letsencrypt"
      traefik.tcp.routers.authentikldap.tls.domains[0].main: "XXXXXXXXXXXXXXXXX.net"
      traefik.tcp.routers.authentikldap.tls.domains[0].sans: "*.XXXXXXXXXXXXXXXXX.net, *.intra.XXXXXXXXXXXXXXXXX.net"

  authentikradius:
    image:      ghcr.io/goauthentik/radius:${AUTHENTIK_VERSION}
    restart: unless-stopped
    environment:
      AUTHENTIK_HOST: http://authentik:9000/
      AUTHENTIK_TOKEN: ${AUTHENTIK_TOKEN_RADIUS}
      AUTHENTIK_INSECURE: true
      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    user: root
    networks:
      default:
      DMZ:
        ipv4_address: XXXXXXXXXXXXXXXXX
    labels:
      io.goauthentik.outpost-uuid: XXXXXXXXXXXXXXXXX
      org.opencontainers.image.description: "goauthentik.io LDAP outpost, see https://goauthentik.io for more info."
      org.opencontainers.image.source: "https://github.com/goauthentik/authentik"
      org.opencontainers.image.url: "https://goauthentik.io"
jalim commented 1 year ago

@Svenum thanks for the config, I managed to use that as a jumping off point to get the RADIUS provider working, however I'm realising now that I'm running into the same issue as you seem to have with my TP-LINK Omada setup. I can authenticate with a web portal using basic PAP protocol but as soon as I switch to using proper WPA3 Enterprise, I get failures. I assume this is just the lack of support for any protocol other than PAP.

koalaeagle commented 1 year ago

I am considering setting up authentik in my environment. I thought a good starting point might be RADIUS auth (WPA2/WPA3 enterprise) with UniFi since I am working on that anyway. I will follow this issue.

A side note - for my use case it would be nice to support dynamic VLAN per user (sending Tunnel-Private-Group-Id). From what I can tell this is not currently supported, does anyone know if this is planned?

cfoellmann commented 1 year ago

I did deploy the radius outpost similiar to this but it seems my flows do not work. When I send a PAP authentication request from our pfsense box I get this error on the outpost:

2023-05-23T14:55:46.716536000Z DBG undefined | cidr=0.0.0.0/0 event=Matched CIDR ip=10.1.15.1 logger=authentik.outpost.radius timestamp=2023-05-23T14:55:46Z 
2023-05-23T14:55:46.716971000Z INF undefined | code=Access-Request event=Radius Request logger=authentik.outpost.radius request=4519e665-6489-4db4-b594-597adaa47da7 timestamp=2023-05-23T14:55:46Z 
2023-05-23T14:55:46.792414000Z DBG undefined | client=10.1.15.1 component=ak-stage-access-denied event=Got challenge flow=radius-auth logrus_error=can not add field "requestId" timestamp=2023-05-23T14:55:46Z type=native username=testeduser

any idea? Did you guys add custom flows?

KautzA commented 1 year ago

I would also find msCHAPv2 and dynamic VLAN per user useful for UniFi WiFi

yvnggodemis commented 1 year ago

Unifi doesn't support PAP authentication, which at the time is the only authentication type that Authentik supports.

ekrekeler commented 12 months ago

Going off the information in #2050 and the related pull request #1796, right now the authentik radius outpost only supports authentication with PAP. Due to how PEAP-MSCHAPv2 requires passwords to be stored in plain text on the server, this specific method will likely never be supported by authentik's radius outpost. That leaves EAP-TLS and EAP-TTLS/PAP as possibilities, but as the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets, this should be a feature request.

An alternative I see some people doing is to spin up an LDAP server to use with freeRADIUS, then add the LDAP server as a directory source in authentik for the SSO stuff. Personally I am using authentik in self-hosting and HomeLab environments so I prefer not to deploy/maintain a complicated setup such as this. It would be nice to have some WPA Enterprise methods supported by authentik natively.

BeryJu commented 12 months ago

It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat.

There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution

sln-guy commented 12 months ago

It is indeed like @ekrekeler summarised, we could technically have MSCHAPv2 support but I really don't want to have any kind of plain text password storage. I've been meaning to try and implement EAP-TLS for the radius outpost, but turns out that is not a simple feat.

There is still the option of changing the radius outpost to use freeradius and have that call to a script that will authenticate against authentik, but I feel like that's also kind of a bodge compared to a full solution

MSCHAPv2 support would be an amazing feature but I can understand the hesitation.

My understanding of the protocol is limited but if Windows NPS server supports it and it is used in many enterprise grade devices perhaps it is worth it? Potentially hiding it under an unsafe flag or an explicit warning ?

mav8557 commented 11 months ago

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on it's own through the docker socket mount as normal.

I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?

This is my radtest command, and the output from the radius container, with the credentials testuser:test

$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}
cfoellmann commented 11 months ago

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on it's own through the docker socket mount as normal.

I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem?

This is my radtest command, and the output from the radius container, with the credentials testuser:test

$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}

I got the same error msg. I moved on to the FreeRadius package of our pfsense box. :-(

ElBatano commented 9 months ago

I'm trying to get the RADIUS server running, but I did not have to add the radius container to my docker-compose file, Authentik created the container on it's own through the docker socket mount as normal. I haven't been able to authenticate while testing with radtest though, it always says that I have an incorrect password, despite logging in with a user that works for other services. Is anyone else having the same problem? This is my radtest command, and the output from the radius container, with the credentials testuser:test

$ radtest -t pap testuser test <authentik ip> 1812 ""
{"client":"<correct_ip>","component":"ak-stage-identification","event":"Got challenge","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:53Z","type":"native","username":"testuser"}
{"client":"<correct_ip>","component":"ak-stage-password","event":"Got response","flow":"default-authentication-flow","level":"debug","logrus_error":"can not add field \"requestId\"","timestamp":"2023-08-06T22:27:54Z","type":"native","username":"testuser"}
{"code":"Access-Request","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"fa38ac9f-999a-4367-9092-875a87621b62","timestamp":"2023-08-06T22:27:54Z","username":"testuser"}

I got the same error msg. I moved on to the FreeRadius package of our pfsense box. :-(

I am running against the same wall. Anyone with any updates or who got it working?

I didnt even connect any services yet - already failing at testing with radtest. Error Messages are the same.

lotusexpeditor commented 4 months ago

In my case radtest succeeds but Cisco WAP561 fails to authenticate, sends user name, possibly it doesnt talk PAP.

k8ieone commented 4 months ago

I managed to use Authentik as a source for WPA2 Enterprise, but not by using the RADIUS outpost.

Instead, I used the LDAP outpost and configured FreeRADIUS to use it.

I added a custom attribute to my users called wifipass, which holds the password in plaintext (required for some methods). I also created a flow for (re)setting wifipass, so that users can manage this password themselves.

Not sure if using custom attributes like this would work with the RADIUS outpost, but maybe this helps someone.

jcrapuchettes commented 4 months ago

I actually found another way to do this with setting a ipaNTHash attribute to the NTLM hash of users' passwords. The only problem is that I can't figure out how to calculate that value when the password changes or to calculate it in a property mapping.

cfoellmann commented 4 months ago

Does anyone know if this is on the roadmap? Is WPA Enterprise so uncommon to not support it? I know not everything can be implemented from the start but this seems to me as a very, very common requirement.

jcrapuchettes commented 4 months ago

I succeeded in getting WPA2 Enterprise setup with UniFi via FreeRADIUS (on pfsense) -> Authentik LDAP Outpost. The most important part was noticing that FreeRADIUS looked for a user's attribute called ipaNTHash. This can be calculated as the MD4 hash of a user's password (see #8768). With the attributes in-place for our users, they are able to use PEAP/MSCHAPv2 for most devices or EAP-TTLS/MSCHAPv2.

ekrekeler commented 4 months ago

Hey, the above workaround got me thinking. Reading up on how PEAP-MSCHAPv2 works, the WPA supplicant (device authenticating to the access point) sends the password to the RADIUS server hashed in MD4, then the RADIUS server compares the password hash to the known password's ipaNTHash, which is just an MD4 hash of the password. So in theory, authentik and any other RADIUS server should be able to service MSCHAPv2 requests so long as it has the ipaNTHash stored in advance. Now MD4 has already been compromised and can be cracked, but it's at least better than storing the passwords in plain text. Maybe if request for MSCHAPv2 is big enough, calculating ipaNTHash can become a toggleable option in authentik's password change flows.

This isn't the last hurdle before it will work for WPA Enterprise authentication like with PEAP-MSCHAPv2 and EAP-MSCHAPv2 either. PEAP- and EAP-MSCHAPv2 encapsulate the MSCHAPv2 challenge/response in a TLS tunnel during phase 2 of the negotiation. For this reason, authentik's RADIUS outpost would need to support EAP, which goes back to the earlier problem I mentioned:

the current Golang library used by the radius outpost (see layeh/radius) does not yet offer functions to interact with certificates in the RADIUS packets

And if authentik's RADIUS outpost will be gaining support for EAP, EAP-TLS and EAP-TTLS/PAP might be more desirable for authenticating wireless clients because they don't require the unsecure ipaNTHash to be stored in authentik.

Lately though it appears there is some separate work being done towards this in the toughradius project, see #120.

I'll admit I found most of the details on WPA/RADIUS/MSCHAPv2 looking through various Google search results, but it's all in RFCs somewhere if we need to confirm something.