goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

RADIUS authenticate a Social user #8196

Open vanderpunk opened 9 months ago

vanderpunk commented 9 months ago

I'm trying to authenticate Azure AD users through the RADIUS provider.

Currently using 2023.8.3 of Authentik. Have Azure AD as a Social login. Have a RADIUS provider up and running (Followed the Generic LDAP setup guide). I can authenticate local users via radtest, but all Azure AD users fail to authenticate.

In the Flows & Stages > Flows > radius-identification-stage > Source Settings > Sources, "Azure AD" and "authentik Built-in" are selected.

Logs

The Radius outpost logs for a failed user:

    {"code":"Access-Request","error":"flow error non_field_errors: Failed to authenticate.","event":"failed to execute flow","level":"warning","logger":"authentik.outpost.radius","request":"cf3b5515-a98f-41f3-87d1-7397fd620cae","timestamp":"2024-01-16T18:36:03Z","username":"test@....com"}

The radtest response:

    radtest test@....com 10
    Sent Access-Request Id 70 from 0.0.0.0:49339 to 192....:1812 length 92
        User-Name = "test@....com"
        User-Password = "..."
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 10
        Message-Authenticator = 0x00
        Cleartext-Password = "..."
    Received Access-Reject Id 70 from 192....:1812 to 10....:49339 length 20
    (0) -: Expected Access-Accept got Access-Reject

Version and Deployment :

I've also added test@...com (Azure AD user) to the radiussearch group, this also did not work.

Is it possible to authenticate the Social users (Azure AD) through the RADIUS outpost?

BeryJu commented 9 months ago

This should work as long as the social users have set a password within authentik, as without that, authentik can't authenticate them.

vanderpunk commented 9 months ago

I set test@...com's password inside of Authentik so that it's set both in Azure AD and Authentik now, same error

(0) -: Expected Access-Accept got Access-Reject

rqi14 commented 9 months ago

An alternative is to use the LDAP provider together with freeradius

BeryJu commented 3 months ago

Please post the corresponding event from the failed login, as that contains more helpful information. Also make sure the outpost is the same version as the main authentik server.