2025.10: radius outpost crashes with EAP-TTLS

[cheggerdev]

Describe the bug
The radius outpost crashes when authentication with EAP-TTLS

To Reproduce
Steps to reproduce the behavior:

1. Create eapol_test EAP-TTLS configuration (see eapol_test config files: Add TTLS BeryJu/radius-eap#9)
2. Run eapol_test with EAP-TTLS configuration
3. See crash in the log

Expected behavior
EAP-TTLS should either work or state it is not (yet) supported if so but never crash.

Logs

authentik-outpost-radius-1  | {"code":"Access-Request","event":"Radius Request","id":117,"ip":"172.16.1.1","level":"info","logger":"authentik.outpost.radius","request":"3acacfba-938f-4406-946b-76db59db5e51","timestamp":"2025-10-28T10:45:04Z"}
authentik-outpost-radius-1  | {"code":"Access-Request","event":"Radius Request","id":0,"ip":"172.16.1.1","level":"info","logger":"authentik.outpost.radius","request":"dc5c4fa5-125b-4de9-96c3-caf6478c862f","timestamp":"2025-10-28T10:45:29Z"}
authentik-outpost-radius-1  | panic: runtime error: invalid memory address or nil pointer dereference
authentik-outpost-radius-1  | [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x9ed471]
authentik-outpost-radius-1  | goauthentik.io/internal/outpost/radius.(*RadiusServer).Handle_AccessRequest(0xc0003d60b0, {0xd299c0, 0xc0000c61e0}, 0xc0002ffc98)
authentik-outpost-radius-1  | 	/go/src/goauthentik.io/internal/outpost/radius/handler.go:95 +0x1d4
authentik-outpost-radius-1  | goauthentik.io/internal/outpost/radius.(*RadiusServer).ServeRADIUS(0xc0003d60b0, {0xd299c0, 0xc0000c61e0}, 0xc0001d7080)
authentik-outpost-radius-1  | 	/go/src/goauthentik.io/internal/outpost/radius/handler.go:87 +0x98d
authentik-outpost-radius-1  | layeh.com/radius.(*PacketServer).Serve.func2({0xc00007c000, 0x80, 0x80}, {0xd2c220, 0xc000258c30})
authentik-outpost-radius-1  | 	/go/pkg/mod/layeh.com/radius@v0.0.0-20231213012653-1006025d24f8/server-packet.go:201 +0x573
authentik-outpost-radius-1 exited with code 0

Version and Deployment (please complete the following information):

• authentik version: 2025.10.0
• Deployment: docker-compose

[dominic-r]

Thanks for opening this issue. we'll investigate and try to land a patch in 2025.10.1

[BeryJu]

I can't reproduce this, @cheggerdev is that the full stacktrace you're getting?

Does the Radius provider have a certificate configured?

[BeryJu]

I can reproduce this with no certificate selected in the provider:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x18 pc=0x102d65038]

goroutine 98 [running]:
beryju.io/radius-eap.(*Packet).handleEAP(0x14000232190, {0x103097410, 0x1400019a180}, {0x1030930a0, 0x1400016a510}, 0x0)
	/Users/jens/.local/share/go/pkg/mod/beryju.io/radius-eap@v0.1.0/handler.go:98 +0xb8
beryju.io/radius-eap.(*Packet).HandleRadiusPacket(0x14000232190, {0x10308f320, 0x14000118660}, 0x1400020e300)
	/Users/jens/.local/share/go/pkg/mod/beryju.io/radius-eap@v0.1.0/handler.go:37 +0x1b0
goauthentik.io/internal/outpost/radius.(*RadiusServer).Handle_AccessRequest_EAP(0x14000442210, {0x10308f320, 0x14000118660}, 0x14000367c88)
	/Users/jens/dev/authentik/internal/outpost/radius/handler_eap.go:32 +0x260
goauthentik.io/internal/outpost/radius.(*RadiusServer).Handle_AccessRequest(0x14000442210, {0x10308f320, 0x14000118660}, 0x14000367c88)
	/Users/jens/dev/authentik/internal/outpost/radius/handler.go:95 +0x170
goauthentik.io/internal/outpost/radius.(*RadiusServer).ServeRADIUS(0x14000442210, {0x10308f320, 0x14000118660}, 0x1400020e300)
	/Users/jens/dev/authentik/internal/outpost/radius/handler.go:87 +0x718
layeh.com/radius.(*PacketServer).Serve.func2({0x14000212200, 0x80, 0x80}, {0x103091b20, 0x140000c0cf0})
	/Users/jens/.local/share/go/pkg/mod/layeh.com/radius@v0.0.0-20231213012653-1006025d24f8/server-packet.go:201 +0x47c
created by layeh.com/radius.(*PacketServer).Serve in goroutine 12
	/Users/jens/.local/share/go/pkg/mod/layeh.com/radius@v0.0.0-20231213012653-1006025d24f8/server-packet.go:146 +0x4b0
exit status 2

[cheggerdev]

I can't reproduce this, @cheggerdev is that the full stacktrace you're getting?

Does the Radius provider have a certificate configured?

Yes, this is the full stacktrace I get in the log.
No, the Radius provider has no certificate configured.