Hi, My organization has a FreeRADIUS server set up to authenticate wifi users with their Google Apps email address and generated app password. It accepts them over EAP in plain text and then runs them against the ClientLogin API in a perl script. Google has deprecated ClientLogin and is cutting it off in April this year. I have consulted with a couple cloud radius providers and they say they can keep this system working as it currently does - users create a Google app password, sign into the WiFi network with it, and they get on the network. This is ideal since we can just direct our existing server's IP to the cloud provider, and our hundreds of clients keep working without a single change. Is there any way FreeRADIUS can authenticate against Google with an app password, without ClientLogin being around anymore? I looked into OAuth2 but it looks like that will require all existing clients to manually sign in again and change details, since it'll require interaction to create the first refresh token. A horrifying other option is to start caching user's passwords on the radius server as they are successfully authenticated, so that we have their working config stored, then when Google cuts off the API we authenticate users against a local database of those stored passwords, manually adding/disabling new/old ones for any user changes. Ugly, insecure, and broken. Any advice? Thanks, Dan