diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx b/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx index 1cf5e6fbcc..783455723f 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx @@ -10,6 +10,10 @@ authentik Agent can be deployed at scale to multiple devices via Mobile Device M You must [configure your authentik deployment](../configuration.md) to support the authentik Agent. +:::info Serial number required +The Agent requires a serial number be presented by the system. Some hypervisors don't set serial numbers. When deploying on a virtual machine, ensure that it has a serial number set. +::: + ## Create an enrollment token If you have already created have an enrollment token, skip to the next section. diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx index 0ccc16f654..b76ff68069 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx @@ -58,7 +58,17 @@ sudo apt install authentik-cli authentik-agent authentik-sysd ``` 4. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak` - You should see a response that starts with: `authentik CLI v` + + You should see a response that starts with: `authentik CLI v` + +:::note Headless server +On a headless server, the system agent (sysd) does not start the user agent (ak-agent). You will need to manually start the user agent with this command: + +```bash +systemctl start --user ak-agent +``` + +::: 
@@ -84,7 +94,17 @@ sudo yum install -y authentik-cli authentik-agent authentik-sysd ``` 3. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak` - You should see a response that starts with: `authentik CLI v` + + You should see a response that starts with: `authentik CLI v` + +:::note Headless server +On a headless server, the system agent (sysd) does not start the user agent (ak-agent). You will need to manually start the user agent with this command: + +```bash +systemctl start --user ak-agent +``` + +::: 
@@ -105,6 +125,35 @@ sudo ak-sysd domains join --authentik-url https://authentik.co 2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token). 3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed. +### Local device login on Debian-based systems + +On non-Debian Linux distributions, you currently need to manually configure NSS and PAM: + +1. Edit `etc/nsswitch.conf` to include `authentik` for `passwd`, `group`, and `shadow`: + +```bash title="etc/nsswitch.conf" +... +passwd: files systemd authentik +group: files systemd authentik +shadow: files systemd authentik +gshadow: files systemd +... +``` + +2. Edit the following two files in the `etc/pam.d/` directory. The order matters, both of these lines should be located above `pam_unix` in the respective files. + +```bash title="etc/pam.d/common-auth" +... +auth [success=2 default=ignore] pam_authentik.so +... +``` + +```bash title="etc/pam.d/common-session" +... +session required pam_authentik.so +... +``` + ## Enable SSH client authentication and CLI application authentication To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps: @@ -128,3 +177,7 @@ ak version ## Logging authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution. + +## Reporting issues + +Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform). 
diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md index f714ec8108..bd5e1eae18 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/macos.md @@ -46,7 +46,8 @@ The Agent requires a serial number be presented by macOS. Some hypervisors don't - This can be avoided by Option + Right Clicking the package and clicking **Open**. - Alternatively use the following command to remove the package from quarantine: `xattr -r -d com.apple.quarantine "$HOME/Downloads/authentik agent installer.pkg"` 6. Confirm that the authentik Agent is installed by opening a Terminal window and entering the following command: `ak` - You should see a response that starts with: `authentik CLI v` + + You should see a response that starts with: `authentik CLI v` ## Enable device compliance @@ -87,3 +88,7 @@ ak version ## Logging The authentik Agent uses macOS's native logging abilities. To retrieve the logs, open the Console application and then filter for authentik-related processes such as `authentik-agent` or `authentik-sysd`. + +## Reporting issues + +Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform). diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md index 2e3edefb52..3698af68a6 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md 
@@ -64,7 +64,8 @@ The Agent requires a serial number be presented by Windows. Some hypervisors don 5. Once the download is complete, install the MSI file. 6. _(Optional)_ During installation, select [Windows Credential Provider](#windows-credential-provider) if you want to log in to the Windows device using authentik credentials. 7. Confirm that the authentik Agent is installed by opening a PowerShell or Terminal window and entering the following command: `ak` - You should see a response that starts with: `authentik CLI v` + + You should see a response that starts with: `authentik CLI v` ## Enable device compliance and local device login @@ -105,3 +106,7 @@ ak version ## Logging All components of the authentik Agent output logs to the "authentik" log in the Windows Event Viewer. + +## Reporting issues + +Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform). diff --git a/website/docs/endpoint-devices/authentik-agent/index.mdx b/website/docs/endpoint-devices/authentik-agent/index.mdx index e46bdf4994..72107d7cc8 100644 --- a/website/docs/endpoint-devices/authentik-agent/index.mdx +++ b/website/docs/endpoint-devices/authentik-agent/index.mdx 
@@ -18,14 +18,14 @@ The authentik Agent is a service that can be installed on Linux, macOS, and Wind The authentik Agent consists of several components: -| Platform | Component | Description | Dependencies | -| ------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | -| **Linux, macOS, Windows** | `authentik-cli` | Provides CLI commands for interacting with `authentik-agent`. | `authentik-agent` | -| **Linux, macOS, Windows** | `authentik-agent` | Authentication in a users' context, for CLI tools. service. | `authentik-sysd` | -| **Linux, macOS, Windows** | `authentik-sysd` | Responsible for handling device-level authentication and compliance checks. service. | None | -| **Linux only** | `libpam-authentik` | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx). | `authentik-sysd` | -| **Linux only** | `libnss-authentik` | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd`, `libpam-authentik` | -| **Windows only** | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials. 
| `authentik-sysd` | +| Platform | Component | Description | Dependencies | +| ------------------------- | ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | +| **Linux, macOS, Windows** | `authentik-cli` | Provides CLI commands for interacting with `authentik-agent`. | `authentik-agent` | +| **Linux, macOS, Windows** | `authentik-agent` | Authentication within a users' context, for CLI tools. | `authentik-sysd` | +| **Linux, macOS, Windows** | `authentik-sysd` | Responsible for handling device-level authentication and compliance checks. | None | +| **Linux only** | `libpam-authentik` | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx). | `authentik-sysd` | +| **Linux only** | `libnss-authentik` | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd` | +| **Windows only** | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials. | `authentik-sysd` | ## Technical information 
@@ -42,6 +42,10 @@ All authentik Agent components communicate via gRPC and Unix domain sockets/Wind Sentry reporting is currently enabled by default and cannot be disabled. This will be configurable in a future release. +## Reporting issues + +Please report issues and bugs via the [authentik Platform GitHub repository](https://github.com/goauthentik/platform). + ## More information For more information refer to each of the topics below: diff --git a/website/docs/endpoint-devices/device-authentication/device-access-groups.mdx b/website/docs/endpoint-devices/device-authentication/device-access-groups.mdx index 7fb4709aba..fbe82b9374 100644 --- a/website/docs/endpoint-devices/device-authentication/device-access-groups.mdx +++ b/website/docs/endpoint-devices/device-authentication/device-access-groups.mdx @@ -4,7 +4,7 @@ sidebar_label: Device access groups tags: [authentik Agent, device authentication, device login, device groups] --- -Device access groups control access to endpoint devices. You can organize devices into groups and bind users, user groups, and policies to determine access. +Device access groups control access to endpoint devices. You can organize devices into groups and bind users, user groups, and policies to determine which users can access the device. ## Creating a device access group diff --git a/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md b/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md index 0c1fb611a6..b0aa206fd2 100644 --- a/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md +++ b/website/docs/endpoint-devices/device-authentication/local-device-login/linux.md 
@@ -19,10 +19,14 @@ You need to have deployed the authentik Agent on the Linux device, see [Deploy t ## How to log in to a Linux device +:::note +When configured correctly, when logging in you should see a prompt for **authentik Password** rather than just **Password**. +::: + 1. On the Linux login screen, you enter your authentik credentials. 2. Once authenticated, you will be logged in to the Linux device. ## Known issues -- On non-Debian Linux distributions, you will need to manually configure PAM. -- MFA is supported except for Webauthn. +- Only Webauthn MFA is supported. +- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../authentik-agent/agent-deployment/linux.mdx#local-device-login-on-debian-based-systems). diff --git a/website/docs/endpoint-devices/device-authentication/local-device-login/windows.md b/website/docs/endpoint-devices/device-authentication/local-device-login/windows.md index acb46b5fdd..bb81d64914 100644 --- a/website/docs/endpoint-devices/device-authentication/local-device-login/windows.md +++ b/website/docs/endpoint-devices/device-authentication/local-device-login/windows.md @@ -9,7 +9,7 @@ authentik_enterprise: true Windows Credential Provider (WCP) is a component of the authentik Agent that allows logging in to Windows devices using authentik credentials. -It currently only supports local login; RDP login is not supported. +Currently, only local login is supported; RDP login is not yet available and is under development. :::warning diff --git a/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx b/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx index a2b6549cd0..dd04f11e60 100644 --- a/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx +++ b/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx 
@@ -12,7 +12,7 @@ When connected to an endpoint device in this way, sudo authorization can be hand ## Prerequisites -- The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices. +- The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices to use the `ak ssh` command. Alternatively, if you're using the standard SSH client (`ssh user@host`) instead of `ak ssh`, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively. - The target device needs to be configured, see the [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section below. ## How to SSH to an endpoint device diff --git a/website/docs/endpoint-devices/device-compliance/connectors.md b/website/docs/endpoint-devices/device-compliance/connectors.md index 5c58ffba2e..11be18465b 100644 --- a/website/docs/endpoint-devices/device-compliance/connectors.md +++ b/website/docs/endpoint-devices/device-compliance/connectors.md @@ -2,11 +2,10 @@ title: Connectors sidebar_label: Connectors tags: [device compliance, compliance, connectors, authentik Agent, fleet] +toc_max_heading_level: 4 --- -Connectors allow device information to be reported to authentik. - -They can be used standalone or alongside the [authentik Agent](../authentik-agent/index.mdx). +Connectors allow device information to be reported to authentik. They can be used standalone or alongside the [authentik Agent](../authentik-agent/index.mdx). Currently, the only supported connector is the [authentik Agent](#authentik-agent). diff --git a/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md b/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md index 39c7e46e78..0e9a233e24 100644 --- a/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md 
+++ b/website/docs/endpoint-devices/device-compliance/device-compliance-policy.md @@ -7,13 +7,11 @@ toc_max_heading_level: 4 Device compliance policies are used to limit access to authentik and applications based on [Device Compliance](./index.mdx) information. -Device compliance policies are currently in development and inaccessible. - -However, similar functionality can be achieved with existing stages and policies. +Device compliance policies are currently in development and inaccessible. However, similar functionality can be achieved with existing stages and policies. ## Prerequisites -You must have [configured compliance](./configuration.md) in authentik and on the endpoint device. +You must have [configured compliance](./configuration.md) in authentik and on the endpoint device ([Linux](../../authentik-agent/agent-deployment/linux/#enable-device-compliance-ssh-server-authentication-and-local-device-login), [Windows](../../authentik-agent/agent-deployment/windows/#enable-device-compliance-and-local-device-login), [macOS](../../authentik-agent/agent-deployment/macos/#enable-device-compliance)). ## Accessing device facts within a flow diff --git a/website/docs/endpoint-devices/index.mdx b/website/docs/endpoint-devices/index.mdx index 91ad5789cb..bc3175a126 100644 --- a/website/docs/endpoint-devices/index.mdx +++ b/website/docs/endpoint-devices/index.mdx 
@@ -34,17 +34,23 @@ Devices can be registered by installing the [authentik Agent](./authentik-agent/ Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik to be integrated with third party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes. +## Why use endpoint devices? + +Endpoint devices offers administrators an alternative to traditional device authentication systems like LDAP for Linux or Active Directory for Windows, while supporting modern MFA methods like FIDO2. This feature set allows authentik to act as a unified authentication platform for devices, servers, and applications. + +Meanwhile, Device Compliance allows administrators to make informed decisions about access to applications by verifying device security requirements, like operating system and application versions, before granting access to applications. + ## Features overview -| Feature | Linux | Windows | macOS | Status | -| --------------------------------------------------------- | -------------- | -------------- | -------------- | ------------------------------------------------------------- | -| **Local device login** | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview on Windows and Linux. | -| **SSH authentication** | Open source | Open source | Open source | Available for early preview. Only supports Linux SSH targets. | -| **Device compliance** | Open source | Open source | Open source | Available for early preview. | -| **Advanced device compliance** | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. | -| **authentik Agent** | Open source | Open source | Open source | Available for early preview. | -| **Fleet Connectors** | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview. 
| -| **Other Connectors** (Entra, Intune, Cloudflare WARP etc) | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. | +| Feature | Linux | Windows | macOS | Status | +| ------------------------------------------------------------------------------ | -------------- | -------------- | -------------- | ------------------------------------------------------------- | +| [**Local device login**](./device-authentication/local-device-login/index.mdx) | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview on Windows and Linux. | +| [**SSH authentication**](./device-authentication/ssh-authentication.mdx) | Open source | Open source | Open source | Available for early preview. Only supports Linux SSH targets. | +| [**Device compliance**](./device-compliance/index.mdx) | Open source | Open source | Open source | Available for early preview. | +| **Advanced device compliance** | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. | +| [**authentik Agent**](./authentik-agent/index.mdx) | Open source | Open source | Open source | Available for early preview. | +| [**Fleet Connector** ](./device-compliance/connectors/) | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview. | +| **Other Connectors** (Entra, Intune, Cloudflare WARP etc) | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. | ## How to provide feedback and report bugs
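Review bot: In the automated.mdx hunk, the new `:::info Serial number required` admonition says the Agent "requires a serial number be presented by the system"; "requires that a serial number be presented" reads better, and the same phrasing appears in the macOS and Windows context lines, so fix it in all three places for consistency. The note states the requirement but not what the reader will observe when the serial number is missing (enrollment failing, the device not appearing on the Devices page, or similar), which is what someone debugging a VM deployment needs; consider adding one sentence describing the symptom.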
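Review bot: In the first linux.mdx hunk (@@ -58), the `:::note Headless server` admonition and its ```bash fence are inserted at column 0 immediately after step 4, which ends the ordered list in Markdown; if the note belongs to step 4, indent it and the fence to the list item's level, otherwise place it after a blank line below the list so the list break is intentional. `systemctl start --user ak-agent` only starts the unit for the current user session; either mention `systemctl enable --user ak-agent` for persistence across logins, or say explicitly that the command has to be run after each login.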
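Review bot: The second linux.mdx hunk (@@ -84) repeats the headless-server note verbatim from the apt section above it; two copies of the same admonition will drift apart. Suggest hoisting it once below both installation sections (or into a shared MDX partial) and leaving only the reflowed `You should see a response that starts with: authentik CLI v` line in the per-distribution steps.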
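Review bot: In the linux.mdx hunk at @@ -105, the new heading `### Local device login on Debian-based systems` contradicts its first sentence, which says the manual NSS/PAM steps are for non-Debian distributions; rename it (for example `on non-Debian-based systems`) and update the anchor that local-device-login/linux.md points at in this same patch. The paths `etc/nsswitch.conf` and `etc/pam.d/` are missing the leading slash and should be `/etc/nsswitch.conf` and `/etc/pam.d/`, in the prose and in the fence titles. `common-auth` and `common-session` are the Debian/Ubuntu PAM stack file names; on RHEL-family distributions the equivalents are `system-auth` and `password-auth`, so a section aimed at non-Debian systems should name those or state that the file names vary by distribution. `auth [success=2 default=ignore] pam_authentik.so` skips the next two modules on success, so the jump count depends on what follows in the reader's file; say that the number must match the file's layout rather than presenting it as fixed, because a wrong count either bypasses or double-prompts the remaining auth modules. The fences are tagged `bash` but contain configuration, not shell; `text` or `ini` is more accurate.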
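Review bot: In the authentik-agent/index.mdx table hunk, the rewritten `authentik-agent` description reads "Authentication within a users' context"; it should be "a user's context". The `libnss-authentik` row silently drops `libpam-authentik` from its dependencies (from "`authentik-sysd`, `libpam-authentik`" to "`authentik-sysd`"); if that reflects a packaging change it belongs in the commit message, and if it is only a cleanup it should be checked against the package metadata before merging. In the same row, "won't be able to login" should be "log in".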
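Review bot: In the local-device-login/linux.md hunk, the Known issues bullet changes from "MFA is supported except for Webauthn." to "Only Webauthn MFA is supported.", which inverts the statement rather than rewording it; please confirm which is true, since one of the two is a material error for anyone planning an MFA rollout on Linux logins. The new bullet links to `#local-device-login-on-debian-based-systems`, a heading whose text in linux.mdx contradicts its body (it describes non-Debian systems); if the heading is renamed, this anchor must follow. The added `:::note` reads "When configured correctly, when logging in you should see"; suggest "When configured correctly, the login prompt reads **authentik Password** rather than **Password**", which also tells the reader what a misconfigured PAM stack looks like.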
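Review bot: In the ssh-authentication.mdx hunk, the rewritten prerequisite packs two distinct deployment modes into one sentence; split it into two bullets: one for `ak ssh` (Agent required on source and target) and one for the standard `ssh user@host` client (Agent required only on the target, interactive authentication on the source). As written, "the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively" reads as a single condition rather than as cause and consequence.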
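Review bot: In the device-compliance-policy.md hunk, the three new links use `../../authentik-agent/agent-deployment/...`, but this file lives in `endpoint-devices/device-compliance/`, so `../../` resolves to `docs/authentik-agent/...`, which does not exist; connectors.md in the same directory links `../authentik-agent/index.mdx`, so these should be `../authentik-agent/...` too. They also use rendered-URL style (`linux/#anchor`, no extension) while the rest of these docs link source files (`linux.mdx#anchor`); prefer the file form used elsewhere so the docs build can check the link. The Linux anchor `#enable-device-compliance-ssh-server-authentication-and-local-device-login` does not match any heading visible in the linux.mdx hunks (the nearest is `## Enable SSH client authentication and CLI application authentication`); please verify it against the current heading.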
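Review bot: In the endpoint-devices/index.mdx hunk, "Endpoint devices offers administrators" should be "offer" (plural subject), and "Cloudflare WARP etc)" wants "etc.)". In the table, the `[**Fleet Connector** ](./device-compliance/connectors/)` cell has a stray space inside the link text and uses a trailing-slash URL path while the other rows link `.mdx`/`.md` files; use `./device-compliance/connectors.md`, which is how the paragraph above the table already links the same page. The new "Why use endpoint devices?" paragraph cites FIDO2 as a supported MFA method, while the local-device-login/linux.md hunk in this same patch changes what is said about Webauthn on Linux; make sure the two statements agree before merging.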