Working With EAP-TTLS, and LDAP

Alan DeKok aland at deployingradius.com
Tue Mar 26 14:47:49 CET 2019


On Mar 26, 2019, at 9:09 AM, Nate . <nate2077developer at gmail.com> wrote:
> 
> I think I understand it better now, I've made those changes, and connecting
> an android phone with the required security preferences is working! Now I'm
> struggling to get an Apple desktop to let me choose what protocols to use,

  Apple "helpfully" removed the EAP configuration options from their desktop systems.

  You will need to download their "Apple Configurator 2" utility, which can create mobile profiles.

> so I'm working on figuring out why that is now. I've already been contacted
> one on one by 8 other people asking for this exact same setup,
> mac/windows/android environment, with Freeradius using LDAP to authenticate
> via Google's Applet.

  People shouldn't be afraid of asking questions on the list.  It's not that scary.  Just (a) describe what you're doing, and (b) follow instructions.

  In the case of LDAP hosted by Google, the only thing that's going to work is TTLS + PAP.  Because I doubt very much that Google will allow the export of clear-text passwords to FreeRADIUS.

  And if you search for "google ldap radius", you get this page:

https://support.google.com/a/answer/9089736?hl=en

  which has *explicit instructions* for getting FreeRADIUS to work.  Although as with damned near all third-party sites, their instructions are in part wrong.

  Specifically, DON'T do #5d.  It will break all kinds of things.  It's not necessary.

  And #5a is wrong, too.  Don't add the block AFTER the "pap" line.  Add the block BEFORE the "pap" line.

  And even for #5c, it's better to uncomment the entire block, not just the "ldap" line.

  And #5b can be done, but isn't necessary.  And their line of " enable LDAP by removing the ‘-’ sign before it." is just wrong.

  <sigh>  You would think that Google of all people would *read* the documentation before giving shitty advice to people.

> I'll update you on what I find.

  Thanks.  Please either update the Wiki, or post a summary here.  Then we can update the docs / wiki.

  This *is* an open source project.  We don't (and can't) run every possible combination of every tool.  We can't document every possible combination of every tool.  We rely on the community to help.

  Alan DeKok.



