Tips for setting up FreeRADIUS with authentik #8825
rqi14 started this conversation in Show and tell
Why is this useful?
The RADIUS outpost provided by authentik is very basic. It cannot be used with many routers/ac/switches. With FreeRADIUS, it is possible to implement TTLS/PAP. TTLS/PAP is the only supported method with encryption (maybe I'm wrong, I'm a physical biologist, not a programmer). This is because most of the other methods with encryption require a clear-text/hashed password from the LDAP outpost, which authentik does not provide. Authentik does not save clear-text passwords.
Here are a few related issues: #8768 #6243 #5328
How to do this?
I'm not going to explain how to set up FreeRADIUS here. There are plenty of tutorials online. Here, I'm writing down the key points to follow.
First, you need to set up a FreeRADIUS instance. I used the docker compose approach. Basically, I downloaded the raddb directory from the freeradius repo, changed the settings, and wrote a Dockerfile to pull the official image and copy my settings into the container.
Second, you need to configure TTLS/PAP. There are plenty of guides online, for example https://openwisp-radius.readthedocs.io/en/stable/developer/freeradius_wpa_enterprise.html
Third, you need to configure the LDAP connection. Again, plenty of guides online, for example https://medium.com/btech-engineering/ldap-authentication-using-freeradius-4546c022ba16
You are welcome to reply if you find better tutorials.
Now the key point: bind as user
The default behaviour of LDAP in FreeRADIUS is that it tries to fetch the NTLM-hashed password from the LDAP server and compare it with the user-input password. Authentik does not provide this NTLM hash by default. The good news is that FreeRADIUS supports a "bind as user" mode, in which it sends the clear-text password to the LDAP server and binds as the user for authentication. The bad news is that it is not clearly documented how to do this. It took me several weeks to figure out. I got it from this post.
Basically, you need this extra bit to "bind as user".
In sites-enabled/default and sites-enabled/inner-tunnel replace these lines
with these
and uncomment the following lines
I was planning to write a complete guide and send a pull request to contribute to the documentation. After months, I've found I'm too busy to do this. If anyone is willing to help, I think it will be beneficial for many, as several issues have been posted with a lot of discussion.
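Added example (not the snippet from the post above, whose code did not survive extraction): the "bind as user" wiring as it looks in the stock FreeRADIUS 3.x site files. It assumes mods-enabled/ldap already points at the authentik LDAP outpost with a service-account bind_dn, and that the supplicant sends PAP inside the TTLS tunnel, so User-Password is present when inner-tunnel runs. The same change goes into both sites-enabled/default and sites-enabled/inner-tunnel; only the parts of the two sections that change are shown, and the other module calls in the stock files stay where they are.

```unlang
# sites-enabled/default and sites-enabled/inner-tunnel, FreeRADIUS 3.x.
# Added example, not the original post's snippet. Assumes mods-enabled/ldap
# is configured for the authentik outpost and that PAP is used inside TTLS.

authorize {
    # Look the user up with the service account. The stock "-ldap" call
    # (leading minus = ignore if the module is missing) becomes a hard "ldap".
    ldap

    # User found (ok/updated) and the request carries the clear-text password:
    # force the LDAP Auth-Type so the ldap module, not pap, authenticates.
    # Without this block the request never reaches "Auth-Type LDAP" below,
    # and pap fails because the outpost returns no password attribute.
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }

    # pap stays in place for other backends; it does nothing once
    # control:Auth-Type has already been set.
    pap
}

authenticate {
    # Commented out in the stock site files; uncomment it. In this section the
    # ldap module binds to the server with the user's own DN and the password
    # from the request instead of comparing a stored hash.
    Auth-Type LDAP {
        ldap
    }

    # Leave the normal PAP/EAP entries as they are.
    Auth-Type PAP {
        pap
    }
    eap
}
```

Two practitioner notes that follow from this setup. First, bind-as-user means the user's clear-text password travels from FreeRADIUS to the authentik outpost on every login, so the `server` in mods-enabled/ldap should use `ldaps://` (or `start_tls = yes` in its `tls` block) rather than plain `ldap://`; TTLS only protects the hop between the supplicant and the RADIUS server. Second, to check the wiring before touching a switch or AP, run the server with `radiusd -X` and send a plain PAP request with `radtest` (for example `radtest -t pap <user> <password> 127.0.0.1 0 <client secret>`, with your own values) against the default site; the debug output shows whether the request reached `Auth-Type LDAP` and whether the bind with the user's DN succeeded. Testing the inner tunnel itself needs an EAP client such as eapol_test.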