On Jun 11, 2019, at 2:07 PM, eko@flyingtongue.io wrote:
I'm attempting to use Google Secure LDAP solution for authentication and authorization. I'm not able to use this with a supplicant such as a laptop/phone, radtest is working fine which leads me to believe it's an issue of the password being hashed by mschap.
You can't use MS-CHAP and Google Secure LDAP.
I understand from reading previous threads that I need to use EAP-TTLS-PAP or PEAP-GTC. How can I get freeradius to work with Google Secure LDAP? When freeradius does do an ldap bind which user attribute is it looking for? I think userPassword but in this case I don't think it exists.
https://support.google.com/a/answer/9089736?hl=en Click on "FreeRADIUS" But their instructions are wrong, because they're idiots. I've submitted a bug report months ago to fix the documentation. But nothing yet. Step (4) is reasonable. Ignore step (5). Instead, edit sites-enabled/default, and in the "authorize" section, add this *before* the "pap" module. if (User-Password) { update control { Auth-Type := ldap } } And then uncomment the ldap block later in the "authenticate" section: # Auth-Type LDAP { # ldap # } It should then work with TTLS + PAP. Alan DeKok.