@tanberry tanberry commented Oct 14, 2025

This PR adds more content to the Docs about EAP PR 15702, adds mention of needing to use a proper CA certificate with EAP-TLS and the mTLS stage. Also a few random cleanups.

  • The documentation has been updated
  • The documentation has been formatted (make docs)

Tana M Berry added 2 commits October 13, 2025 22:41
@tanberry tanberry requested a review from a team as a code owner October 14, 2025 02:51

netlify bot commented Oct 14, 2025

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 8138023
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/68f1489761505f00085a340a


netlify bot commented Oct 14, 2025

Deploy Preview for authentik-integrations ready!

Name Link
🔨 Latest commit 8138023
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/68f14897571d640008975b18
😎 Deploy Preview https://deploy-preview-17419--authentik-integrations.netlify.app


netlify bot commented Oct 14, 2025

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 8138023
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/68f14897ca62f200081355eb
😎 Deploy Preview https://deploy-preview-17419--authentik-docs.netlify.app


codecov bot commented Oct 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.93%. Comparing base (274b002) to head (8138023).
⚠️ Report is 75 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #17419      +/-   ##
==========================================
- Coverage   92.98%   92.93%   -0.05%     
==========================================
  Files         868      868              
  Lines       47841    47906      +65     
==========================================
+ Hits        44483    44522      +39     
- Misses       3358     3384      +26     
Flag Coverage Δ
e2e 45.20% <ø> (-0.11%) ⬇️
integration 23.18% <ø> (+<0.01%) ⬆️
unit 90.50% <ø> (-0.56%) ⬇️
unit-migrate 91.13% <ø> (+0.02%) ⬆️


Comment on lines 119 to 121
:::info Use PKI for certificates
For certificates, we recommend using Public Key Infrastructure (PKI) with the mTLS stage. The PKI issues digital certificates to authenticate both the user and the server.
:::

Suggested change
:::info Use PKI for certificates
For certificates, we recommend using Public Key Infrastructure (PKI) with the mTLS stage. The PKI issues digital certificates to authenticate both the user and the server.
:::

I would remove this because it's redundant. All certificates are inherently and fundamentally PKI related. There's no such thing as a non-PKI certificate.


@tanberry tanberry Oct 14, 2025


How about this: "For certificates, ensure that you use a certificate created by a certificate authority, not a self-generated certificate."


@cheggerdev cheggerdev Oct 14, 2025


Real certificates are always trusted. For EAP-TLS this means that any client can authenticate with real certificates. This is a security incident.
Therefore, self-generated client and server certificates should be provided via PKI.


Thanks @cheggerdev I might need you and @BeryJu to hash this out... I thought I understood after talking to him that the requirement is that the two certificates (server and client) are proper CA certificates (not self-generated)... What exactly do you mean by PKI.. isn't, as @dewi-tik says above, practically all CA certs made with PKI? Do you feel we really need to specify PKI?

Maybe you could provide the exact phrasing that you would like to see us add, please?


@cheggerdev cheggerdev Oct 15, 2025


:::warning Use of trusted Certificate Authority
For EAP-TLS, note that you should NOT use a globally known CA!
e.g. using a Verisign cert as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via EAP-TLS! This is likely not what you want.
:::

:::info Client Certificate distribution
Using PKI is best practice to distribute client certificates.
:::


OK @cheggerdev and @BeryJu I used the above suggestion, plus a few key words from marc, and pushed the same note into both the mTLS and the RADIUS docs. Let me know if that works, or if further tweaks are needed.
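As an added illustration of the warning in the note above (this is not code from the PR or from authentik): a small Go program, standard library only, that issues client certificates from two constructed CAs and shows that a verifier trusting one CA accepts every certificate that CA has signed and rejects everything else. The CA and client names are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a certificate for cn, constructed in memory for this demo: with
// ca == nil a self-signed root, otherwise a client-auth leaf signed by ca/caKey.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour)}
	parent, signer := ca, caKey
	if ca == nil { // self-signed root: CA flags, no client-auth EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // leaf: what any CA, public or private, hands to a supplicant
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// clientTrusted is the check an EAP-TLS server performs on a presented client
// certificate: chain it to the CA configured on the stage, and nothing else.
func clientTrusted(stageCA, client *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(stageCA)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Point the stage at a CA you do not control and every certificate that CA has ever issued passes clientTrusted; point it at your own private CA and only the clients you enrolled do.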


github-actions bot commented Oct 14, 2025

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-813802372e85d41c54c4596c91c0f30437b7de8f
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-813802372e85d41c54c4596c91c0f30437b7de8f

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu changed the title website/docs: add more to EAP docs and add mention of using PKI website/docs: add more Radius EAP-TLS docs Oct 14, 2025
@tanberry tanberry changed the title website/docs: add more Radius EAP-TLS docs website/docs: add more RADIUS EAP-TLS docs Oct 15, 2025
tanberry and others added 4 commits October 15, 2025 14:01
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

@cheggerdev cheggerdev left a comment


Very nice

@tanberry

Very nice

Thanks for your patience with our word-wrangling. ;-)
