
Authentik - Bypass MFA on Local Network 

Cooptonian

In this video, I demonstrate how to set up an expression policy that checks whether a client's IP address is local and, if so, bypasses two-factor/multi-factor authentication.
...for those that want to copy and paste (the first line can be whatever you want to name it):
Name: local-network-check
Expression: return ak_client_ip.is_private
OR
If you want to use your FQDN/registered DNS record in your browser instead of the local IP address, and still be able to bypass because you are hosting it on your own public IP address and accessing it from that very same IP address, use this expression (NOT RECOMMENDED if you DO NOT HAVE a STATIC PUBLIC IP ADDRESS, so do this at your own risk; I will not be responsible):
return ak_client_ip == ip_address('your.public.ip.address') or ak_client_ip.is_private
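Added example, not code from the video or from authentik: the two expressions above and the ip_network variant raised in the comments, re-created with Python's ipaddress module standing in for the ak_client_ip, ip_address() and ip_network() names an authentik expression policy provides, plus a constructed sketch of how a reverse proxy changes which address the policy ends up evaluating. The derive_client_ip helper and every address in it are assumptions/constructed values, not authentik behaviour.

```python
import ipaddress

# Added example, not code from the video or from authentik itself. Python's
# ipaddress module stands in for the ak_client_ip / ip_address() / ip_network()
# names available inside an authentik expression policy.

def local_network_check(ak_client_ip):
    """Description, expression 1:  return ak_client_ip.is_private"""
    return ak_client_ip.is_private

def public_or_local_check(ak_client_ip, my_public_ip):
    """Description, expression 2:
    return ak_client_ip == ip_address('your.public.ip.address') or ak_client_ip.is_private"""
    return ak_client_ip == ipaddress.ip_address(my_public_ip) or ak_client_ip.is_private

def subnet_check(ak_client_ip, cidr="192.168.0.0/24"):
    """Comment variant:  return ak_client_ip in ip_network('192.168.0.0/24')
    Only that /24 matches; 192.168.1.x is rejected even though it is private."""
    return ak_client_ip in ipaddress.ip_network(cidr)

def derive_client_ip(remote_addr, x_forwarded_for=None, proxy_trusted=False):
    """Constructed simplification (an assumption, not authentik's code) of how a
    web application behind a reverse proxy obtains the client address: the first
    X-Forwarded-For entry is used only when the proxy is trusted; otherwise the
    policy sees the proxy's own address (remote_addr)."""
    if proxy_trusted and x_forwarded_for:
        return ipaddress.ip_address(x_forwarded_for.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)

def proxy_scenarios(proxy_addr="192.168.0.2", wan_client="8.8.8.8"):
    """A WAN client (8.8.8.8 is a well-known public address, used here only as a
    stand-in) reaches authentik through a reverse proxy on the LAN. Returns
    {scenario: bypass_granted} for the is_private expression."""
    seen_untrusted = derive_client_ip(proxy_addr, wan_client, proxy_trusted=False)
    seen_trusted = derive_client_ip(proxy_addr, wan_client, proxy_trusted=True)
    return {
        # proxy's private address is evaluated -> MFA skipped for a WAN user
        "wan_via_proxy_header_ignored": local_network_check(seen_untrusted),
        # real client address is evaluated -> public -> MFA enforced
        "wan_via_proxy_header_trusted": local_network_check(seen_trusted),
    }
```

Whichever expression you use, confirm what ak_client_ip actually contains for a request that crosses your proxy before relying on the bypass.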

Hobbies

Published: 31 Jul 2024

Comments: 38
@stonecoldant316 1 year ago
Your content is extremely helpful. I wish there were more tutorials like this. Perhaps one that demonstrates how to pass credentials to certain applications, i.e. guacamole or overseer. Or even just an explanation of Flows and Stages.
@cooptonian 1 year ago
Thanks, I'm glad they're helpful. The Flows are simply pre-defined containers, of which there are 7 categories (currently), and Stages are the instructions/steps within the Flow to process. Analogy: a car tune-up would be a Flow; Stages would be checking/changing oil, checking tire pressure, checking/replacing filters...etc.
@xXsoulshockerXx 1 year ago
Secondary note though, thanks for these videos. They have helped with setting up Authentik. I am using it for all my services and getting my family involved. No more needing a VPN lol.
@cooptonian 1 year ago
Yeah! Pretty awesome!
@waddoo1234 1 year ago
Any chance you'd be willing to help me with email or basic HTTP auth? I can send a test email from the Authentik terminal, but it throws an error when I use the UI for forgot password. Likewise, basic auth doesn't seem to work. I followed the Authentik docs, but nothing seems to be working.
@OrangeRiviere14 1 year ago
Great content as usual, thank you
@cooptonian 1 year ago
Much appreciated
@justins5792 1 year ago
Thanks for the video! Any ideas on how to do this with nginx/NPM in front of Authentik? In my case I have recipes.example.tld and, if accessing it from the WAN, I would like NPM -> Authentik -> Tandoor. If accessing the same URL from local, it should go NPM -> Tandoor. The above workflow in your video doesn't seem to work because NPM doesn't seem to send the IP correctly(?). Still very new and guessing. Any help would be appreciated! Thanks again.
@cooptonian 1 year ago
There are a couple of ways to do this...it is difficult for me to do directly as I am protected and so my public IP(s) are obfuscated. If, for instance, your public IP is direct and NOT obfuscated, you should be able to create an expression policy to bypass MFA if requests originate from your public IP back to itself (if that makes sense). OR, networking methods to do it are to create entries in the hosts file of whatever device you're using to direct to the internal IP of your Tandoor host when recipes.example.tld is entered. OR, a DNS entry to redirect (which, if running Pi-hole that has dnsmasq, is pretty simple) or a NAT/firewall routing rule.
@PhillPriceUK 1 year ago
Hmm, while this is cool for the admin panel, when using applications I think they would still try and go to the main address in both cases. I wonder if perhaps another check could be made on the client's IP address being inside the network?
@cooptonian 1 year ago
The applications on the local network would be accessed directly via their IP, so Authentik would be out of the equation completely...no MFA, no authentication...etc., unless the application is configured with its own mechanism, and this will most likely be done by an admin, as most basic users do not use IP addresses to navigate to anything. If an argument can be made that, yes, users use the IP addresses, then additional configuration, either via hosts file or DNS entries, to reroute internal IP addresses to Authentik for authentication would need to be made. To that point, the entire local network (with DNS entries) could then work that way, and connections outside the network would obviously trigger MFA...if that makes sense.
@PhillPriceUK 1 year ago
@cooptonian Yup, I don't access things by their IP, and many have OIDC that redirects to Authentik and back by domain anyway
@xXsoulshockerXx 1 year ago
Is there any way to force an account to use a secondary source for authentication? For example, I have my GitHub for logging in, and I don't want access into the panel or service without first going through GitHub.
@cooptonian 1 year ago
...so if I understand correctly, a user navigates to someservice.domain.com and, instead of entering their credentials into Authentik, they click the GitHub link, Google, Facebook...etc. to authenticate to load the service?
@xXsoulshockerXx 1 year ago
@cooptonian Yes. More so along the lines. I basically want to two-factor the two-factor.
@cooptonian 1 year ago
LOL...ummmm, maybe with a custom policy...you may need to ask that one in Discord, maybe even the dev can answer that. It would be along the lines of the stage right after clicking the GitHub link, then have a 2FA policy before the login stage (if possible).
@Sethech 1 year ago
Hi, thanks for the video, I learned a lot about Authentik. Concerning this video, do you think it is possible to do the same with the public IP? And is it possible to completely bypass authentication with the IP? The idea would be that when I connect from home I don't have to log in to Authentik to access my services.
@cooptonian 1 year ago
You're welcome, I'm glad the videos helped. Yes, you can bypass with a specific IP; a policy will just need to be created to do so. As an example, instead of typing the local IP to bypass in my own system, I like to use my domain (so it is the same no matter how I access it). So I set up a policy that if the request is coming from my own public IP, I don't have to MFA. The same policy could be used to not authenticate at all; just set the policy to go around password/MFA...just your identification (if multiple users from the same IP...if it is just you, then I guess you can bypass identification too)
@Sethech 1 year ago
@cooptonian Hi, sorry to bother you again, what expression in policies do you suggest? All I try don't work; it is the same result whatever the IP is.
@cooptonian 1 year ago
You can model your expression after what I personally am using to skip CAPTCHA and MFA with any requests coming from my own public IP and local network... return ak_client_ip == ip_address('Your.Public.IP.Address') or ak_client_ip.is_private ...negate the result as you wish, and you can add this to whatever stages to bypass password, MFA, CAPTCHA...etc...
@Sethech 1 year ago
@cooptonian I was so close, I just missed the ==, not familiar with Python. Seems to work now; I need to adjust settings but I think I'm on a good way. Thank you for the help.
@the0samios 1 year ago
great videos, helped me a lot on setting up Authentik. Is there any chance to make a video on WebAuthn to use mobile biometrics? thanks in advance
@cooptonian 1 year ago
...yeah, here you go: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-jCwGTLFABYU.html
@the0samios 1 year ago
@cooptonian epic, thanks m8
@D1MIN1SHx 8 months ago
can you set an IP?
@cooptonian 8 months ago
...to match an IP? Yes, with expression policies...
@joanromeror 1 year ago
Great tutorial. Do you know how to apply it for 1FA? I mean, that in the local network, do bypass. Thanks
@cooptonian 1 year ago
...I'm not sure I know what you mean. 1FA would just be your password.
@joanromeror 1 year ago
@cooptonian Like Authelia. If you are in a local IP, you don't have to do anything. It bypasses Authentik and you access the service directly.
@cooptonian 1 year ago
I'm not sure and could be wrong, but I think Authentik requires at least 1F to log in to access anything (to match user to resource access)...if local, you could just enter the local IP address and bypass Authentik altogether. However, based on the MFA bypass...I don't see why you couldn't maybe apply the policy to the password stage; then you'd still enter a username, but if a local IP or specified subnet is detected, bypass the password...or a passwordless setup
@MM-vz3tb 1 year ago
What about bypassing both 2FA, not only 1FA? Your solution only bypasses ONE factor.
@cooptonian 1 year ago
...then you'd just add whatever other policy to bypass whatever else you'd like to bypass...and the video shows it is no longer prompting for TOTP on the LAN. 1 factor = password, 2FA/MFA = TOTP (or any other form of secure authentication)
@cessna917 1 month ago
This works when using an IP address, but if using a reverse proxy (SWAG in my case), it still prompts for MFA. Is there a way to bypass MFA if on a specific network? I tried return ak_client_ip in ip_network('192.168.0.0/24') for my LAN but it didn't work.
@richgarodnick8554 1 month ago
EDIT: Looks like it works on my phone, and strangely...in Edge...but not Firefox? Firefox always prompts for 2FA.
@zyadon7964 1 year ago
local-network-check return ak_client_ip.is_private
@cooptonian 1 year ago
?? what about this?
@zyadon7964 1 year ago
@cooptonian Making the written instructions easier to copy and paste for viewers.
@cooptonian 1 year ago
Ha! OK, gotcha...I'll paste it into the description as well...