Google LDAP integration failure

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Feb 26 04:11:03 CET 2019



> On Feb 26, 2019, at 11:09 AM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
> 
>> On Feb 24, 2019, at 6:50 AM, Phil Grace <phil.grace at hssd.k12.ar.us> wrote:
>> 
>> 
>> It's not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.
> 
> Google will not provide the password of the user in cleartext, which is what you'd need for MS-CHAP to work.  For MS-CHAP you need either the Cleartext-Password or the NT-Password (MD4ish(Cleartext-Password)) to be available on both the supplicant and the server.
> 
> You're pretty much limited to EAP-TTLS-PAP or PEAP-GTC.  With those EAP methods you'd set control:Auth-Type := LDAP in the authorize section, and call the LDAP module again in the authenticate section.

Additionally, to prevent the server from negotiating certain EAP methods, comment them out in mods-available/eap and mods-available/eap_inner.

-Arran
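
An added configuration sketch, not part of the original message or the FreeRADIUS project's shipped config, showing the authorize/authenticate arrangement described above for the EAP-TTLS-PAP case. It assumes the FreeRADIUS 3.x file layout and an LDAP module instance named "ldap" that is already configured for the directory.

```text
# sites-available/inner-tunnel  (FreeRADIUS 3.x layout, assumed)
# Assumes a module instance named "ldap" is already configured.

authorize {
	# First call: look the user up in the directory.
	ldap

	# EAP-TTLS-PAP delivers a cleartext User-Password inside the
	# tunnel. Only when the lookup succeeded and that password is
	# present, force authentication to be done by an LDAP bind.
	# Nothing here needs Cleartext-Password or NT-Password from
	# the directory, which is why MS-CHAP cannot be used this way.
	if ((ok || updated) && &User-Password) {
		update control {
			&Auth-Type := LDAP
		}
	}
}

authenticate {
	# Second call: the LDAP module binds to the directory as the
	# user with the supplied User-Password. A failed bind rejects
	# the request.
	Auth-Type LDAP {
		ldap
	}
}
```

Running the server in debug mode (radiusd -X) shows whether Auth-Type was set to LDAP and whether the bind as the user succeeded.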
