On Nov 23, 2023, at 6:49 AM, Pietro N. via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello to you, my freeradius 3.2.1 is already auth/authorizing through Active Directory and I'm trying to add a second auth/autz source (google) to the configuration.
I'm using the google-related freeradius templates. I'm following the google documentation: https://support.google.com/a/answer/9089736?hl=en&ref_topic=9173976&sjid#zip...
That documentation is garbage. Ignore it. I've submitted requests for them to fix it. But they're Google, and they know better than the FreeRADIUS developers.
but I'm finding something that don't match with the rlm_pap official documentation. Actually, I'm not able to authenticate.
That's a good hint that the documentation is wrong.
In particular, the google documentation reports: /etc/freeradius/3.0/sites-available/default -> authorize ... if (User-Password) { update control { Auth-Type := ldap } }
That sets Auth-Type for the *outer* session. i.e. TTLS. You need to set it for the *inner* session. i.e. in the inner-tunnel virtual server.
BUT in an older post I read that you have to set Cleartext-Password (see: https://freeradius-users.freeradius.narkive.com/jbibA0Uf/pap-warning-authent...).
There is no magic "set this and it works". The better approach is to understand how the pieces interact. Cleartext-Password is the *correct* password for the user. If the server is given Cleartext-Password by some configuration (LDAP, SQL, or "update" section), then the PAP module can compare User-Password to Cleartext-Password, and authenticate the user. Or the MS-CHAP module can take Cleartext-Password, do the MS-CHAP calculations, and compare that to the MS-CHAP data sent by the user.
Moreover, in the rlm_pap docs, I don't see User-Password as an Attribute.
The PAP module checks the User-Password against Cleartext-Password, or Crypt-Password, or
Should I avoid the google how-to? I chose it because it seemed a clear step-by-step procedure to follow, but if it contains mistakes I'll abandon it.
It's wrong. It might work sometimes, but it completely miu
Does anyone know another tutorial for such a configuration? I'd also need to understand what should I add in the "inner" config.
It depends on what you want to do... TTLS+PAP to Google LDAP? Configure the LDAP module to point to google. Make the inner-tunnel use LDAP for authentication. Alan DeKok.