On Fri, Jan 30, 2015 at 12:04 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 29 Jan 2015, at 04:26, Daniel Smith <danielesmith@gmail.com> wrote: Is there any way FreeRADIUS can authenticate against Google with an app password, without ClientLogin being around anymore? I looked into OAuth2 but it looks like that will require all existing clients to manually sign in again and change details, since it'll require interaction to create the first refresh token.
I don't know how they're doing it. But if you have any requests like extra HMAC functions and want to try something with Oauth2, i'd be happy to help out.
Well we figured out an easy way to solve this - change the perl script that our FreeRADIUS instance is running to authenticate using ClientLogin, to instead connect to pop.gmail.com:995 with an app password. Works perfectly, and no indication I could find anywhere that Google is deprecating it any time soon. One issue however, is that FreeRADIUS now segfaults. If it's ran without -X that is. i.e. if I run "/usr/sbin/radiusd -d /etc/raddb" it starts up and listens for requests, but then the instant an auth is sent it segfaults in SSLeay.so (which is being used by the perl script it's calling). I know, I know, library version mismatches between OpenSSL or something. *However*, if I run "/usr/sbin/radiusd -d /etc/raddb -X" it runs 100% perfectly, doesn't crash, doesn't segfault, everything's A-OK, people authenticate fine. Of course we would prefer to run it without -X as it's messing with our logging. Any advice on how to debug this, or why it would work fine with -X and segfault without it? We're running it in AWS, so the most recent version we have access to is 2.12 unfortunately. This still appears to be an easy fix, since -X gets it working.