For my home lab environment, I use Authentik as my Identity Provider. Authentik is an open-source authentication and authorization platform that enables Single Sign-On (SSO), identity management, and multi-factor authentication (MFA) via protocols like OAuth, SAML, and LDAP. For various applications, such as the Citrix NetScaler, I use RADIUS for secondary authentication. All my Authentik users have a TOTP token in their authenticator app, which I want to use for RADIUS authentication. While configuring RADIUS in Authentik, I found the available documentation somewhat limited, and it took considerable effort to achieve a working RADIUS setup. This blog describes all the steps I followed to get RADIUS successfully running within Authentik.
For this guide, I used Authentik version 2024.10.1. I assume you already have a working Authentik setup where users already have a TOTP authenticator code available.
Within the admin console, select “Stages” under “Flows and Stages” and next select “Create”. First we’ll create an “Identification Stage”. The parameters that should be configured in the stage are:
- Type : Identification Stage
- Name : pepperbyte-radius-identification-stage
- User fields : Username, Email & UPN
Next, we’ll create an “Authenticator Validation Stage” with the following parameters:
- Type: Authenticator Validation Stage
- Name : pepperbyte-radius-authenticator-validation-stage
- Device classes : Static Tokens & TOTP Authenticators
- Not configured action : Deny the user access
- WebAuthn User verification: user verification should not occur.
Lastly, we’ll create a “User Login Stage” with the following parameters:
- Type : User Login Stage
- Name : pepperbyte-radius-user-login-stage
Now that all the required stages have been created, select “Flows” and create a new Flow with the following parameters:
- Name : PepperByte Radius Authentication Flow
- Title : PepperByte Radius Authentication Flow
- Slug : pepperbyte-radius-authentication-flow
- Designation : Authentication
- Authentication : Require Outpost (flow can only be executed from an outpost)
Select the newly created flow “pepperbyte-radius-authentication-flow”, click on “Stage Bindings”, and then select “Bind existing stage”. Bind the previously created stages in the following order:
- Order : 10, Stage : pepperbyte-radius-identification-stage
- Order : 20, Stage : pepperbyte-radius-authenticator-validation-stage
- Order : 30, Stage : pepperbyte-radius-user-login-stage
With this, the Flow is ready. Next, go to “Provider” under “Applications” and select “Create”. We’ll create a new provider with the following parameters:
- Type : Radius Provider
- Name : PepperByte Radius
- Authentication flow : pepperbyte-radius-authentication-flow
- Code-based MFA Support : Disabled
- Shared secret : Write down the shared secret; we’ll need it later on
- Client Networks : By preference, only specify the IP address of the RADIUS client here.
Next, go to “Applications” and select “Create”. We’ll create a new Application with the following parameters:
- Name : PepperByte Radius
- Slug : pepperbyte-radius
- Provider : PepperByte Radius
Next, select “Outposts” under “Applications” and click “Create”. We’ll create a new Outpost with the following parameters:
- Name : PepperByte Radius
- Type : Radius
- Application : PepperByte Radius
- Configuration :
  - authentik_host: https://local authentik ip:port/
  - authentik_host_insecure: false
  - authentik_host_browser: "https://authentik fqdn/"
With the Radius Outpost created, the last thing we have to do within the Authentik admin console is to retrieve the “Authentik_Token”, which we’ll need to run the Authentik Radius Container. Select “View Deployment Info” and click “Click to copy token”. Save this token, as we’ll need it later on.
With everything set up within Authentik, we now need to add the actual RADIUS listener by adding the RADIUS Outpost to your (at least in my case) docker-compose file. Add the following configuration to your existing Authentik docker-compose file, with the following parameters:
- {{AUTHENTIK_HOST}} : Internal Authentik FQDN/IP, in my case “https://192.168.x.x:4443”.
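- {{AUTHENTIK_RADIUS_TOKEN}} : The “Authentik_Token” saved when creating the RADIUS Outpost.

```yaml
  radius_outpost:
    # ":latest" follows whatever is newest; the guide itself was written against 2024.10.1
    image: ghcr.io/goauthentik/radius:latest
    restart: unless-stopped
    ports:
      # RADIUS authentication listener (UDP)
      - 1812:1812/udp
    environment:
      AUTHENTIK_HOST: {{AUTHENTIK_HOST}}
      # "true" makes the outpost ignore TLS certificate errors when it connects to
      # AUTHENTIK_HOST (here an internal IP); set to "false" once the host presents a trusted certificate
      AUTHENTIK_INSECURE: "true"
      # Outpost API token: treat it as a secret
      AUTHENTIK_TOKEN: {{AUTHENTIK_RADIUS_TOKEN}}
    depends_on:
      - server
```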
After redeploying your Authentik setup, an additional “Authentik Radius” container should be present, or you can use the automatically created “ak-outpost-pepperbyte-radius” without redeploying your whole setup. Either way, you should have an “Authentik Radius” container running.
Verify the “Health and Version” status of the RADIUS container from within the Authentik admin console, under Applications > Outpost.
With everything set up, the last step is to validate your setup by using a RADIUS test client like NTRadPing. Simply enter your Authentik server IP, the shared secret, and test a user in combination with a TOTP token code.
Ensure the RADIUS client IP is listed within the “Client Network” field in the RADIUS provider configuration.
In the screenshot below, you’ll see a RADIUS Reject response because an incorrect TOTP code was entered. A correct TOTP will, of course, generate an Access-Accept response.
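A scripted version of the test-client check above, as an added example that is not part of the original post: it builds a PAP Access-Request per RFC 2865 and verifies the reply with the shared secret before trusting it. The helper names, the use of PAP and the added Message-Authenticator attribute are assumptions of this example; `password` is whatever you would type into the test client's password field.

```python
import hashlib, hmac, os, socket, struct
# Added example: helper names are assumptions, not from the post or from Authentik.
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, authenticator):
    """Access-Request: Message-Authenticator (80) first, then User-Name, User-Password."""
    attrs = (attr(80, bytes(16)) + attr(1, user.encode())
             + attr(2, hide_password(password.encode(), secret, authenticator)))
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC over the zeroed field
    return packet[:22] + mac + packet[38:]

def response_is_authentic(response, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not 20 <= length <= len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def radius_login(host, secret, user, password, port=1812, timeout=5.0):
    """Send one request to the RADIUS outpost and return the verified reply type."""
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_access_request(user, password, secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        response, _ = sock.recvfrom(4096)
    if not response_is_authentic(response, authenticator, secret) or response[1] != ident:
        raise ValueError("reply failed verification: check the shared secret")
    return CODES.get(response[0], f"code {response[0]}")
```

Call `radius_login` with the Authentik server IP, the shared secret as bytes, and the test user's credentials. RADIUS servers generally discard requests they cannot match to a configured client, so a timeout instead of a Reject is a hint to recheck the Client Networks entry.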