This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/providers/radius/index.md

1.8 KiB

title
Radius Provider

:::info This feature is still in technical preview, so please report any Bugs you run into on GitHub :::

You can configure a Radius Provider for applications that don't support any other protocols or require Radius.

:::info This provider requires the deployment of the RADIUS Outpost :::

Currently, only authentication requests are supported.

Authentication flow

Authentication requests against the Radius Server use a flow in the background. This allows you to use the same policies and flows as you do for web-based logins.

The following stages are supported:

  • Identification

  • Password

  • Authenticator validation

    Note: Authenticator validation currently only supports DUO, TOTP and static authenticators.

    For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password example-password and the code 123456, the input must be example-password;123456.

    SMS-based authenticators are not supported as they require a code to be sent from authentik, which is not possible during the bind.

  • User Logout

  • User Login

  • Deny

Limitations

The RADIUS provider only supports the clear-text protocol:

This does not mean that passwords are stored in cleartext, they are hashed and salted in authentik. However as all protocols besides Clear-text, EAP-MD5 and EAP-PWD require the password to be stored in the database in clear text, they are not supported.