On Jun 12, 2019, at 10:43 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 11, 2019, at 2:07 PM, eko@flyingtongue.io wrote:
I'm attempting to use Google Secure LDAP solution for authentication and authorization. I'm not able to use this with a supplicant such as a laptop/phone, radtest is working fine which leads me to believe it's an issue of the password being hashed by mschap.
You can't use MS-CHAP and Google Secure LDAP.
I understand from reading previous threads that I need to use EAP-TTLS-PAP or PEAP-GTC. How can I get freeradius to work with Google Secure LDAP? When freeradius does do an ldap bind which user attribute is it looking for? I think userPassword but in this case I don't think it exists.
https://support.google.com/a/answer/9089736?hl=en
Click on "FreeRADIUS"
But their instructions are wrong, because they're idiots. I've submitted a bug report months ago to fix the documentation. But nothing yet.
Step (4) is reasonable. Ignore step (5). Instead, edit sites-enabled/default, and in the "authorize" section, add this *before* the "pap" module.
Just to note, those instructions are for PAP authentication only, *NOT* EAP-TTLS-PAP or any form of EAP based authentication. As stated in my response that should be sites-enabled/inner-tunnel. The default config routes TTLS requests via the inner-tunnel virtual server. The password won't be available in the outer tunnel virtual server. -Arran