Chromebooks, FreeRADIUS and Google Workspace (i.e. G Suites) for 802.1X.
Hi Everyone, I think I know my answer, but I figured I would just try to validate / document. I have customers that use Google Workspace as their primary user database (they're schools). I've been attempting to use FreeRADIUS as middleware to allow the WiFi network to perform an 802.1X authentication against the LDAP service provided by Google. It works well for some clients, but not for Chromebooks. I think the root cause of the issue is FreeRADIUS' need to get an unencrypted copy of the password. Because Google Workspace encrypts the user's passwords, authentication only works if the client sends an unencrypted password to FreeRADIUS. To do that, it needs to support the EAP-GTC method. And, while most clients support EAP-GTC, Chromebooks do not. Am I missing something? Has anyone figured out a way to use 802.1X to authenticate Chromebooks against Google Workspace LDAP? (Just figured I'd ask. :-D) Thanks, -Rob
On 22 August 2022 22:47:00 BST, Robert Montgomery <rob@gsuites.rnav.net> wrote:
I think the root cause of the issue is FreeRADIUS' need to get an unencrypted copy of the password. Because Google Workspace encrypts the user's passwords, authentication only works if the client sends an unencrypted password to FreeRADIUS.
Exactly.
To do that, it needs to support the EAP-GTC method. And, while most clients support EAP-GTC, Chromebooks do not.
Am I missing something? Has anyone figured out a way to use 802.1X to authenticate Chromebooks against Google Workspace LDAP?
EAP-TTLS/PAP Whether Chromebooks support it or not, I have no idea. But that's what everyone else has to do. -- Matthew
I'll play around and see if I can get that to work. (I don't think PAP is supported either...). Thanks! On Mon, Aug 22, 2022 at 6:00 PM Matthew Newton <mcn@freeradius.org> wrote:
On 22 August 2022 22:47:00 BST, Robert Montgomery <rob@gsuites.rnav.net> wrote:
I think the root cause of the issue is FreeRADIUS' need to get an unencrypted copy of the password. Because Google Workspace encrypts the user's passwords, authentication only works if the client sends an unencrypted password to FreeRADIUS.
Exactly.
To do that, it needs to support the EAP-GTC method. And, while most clients support EAP-GTC, Chromebooks do not.
Am I missing something? Has anyone figured out a way to use 802.1X to authenticate Chromebooks against Google Workspace LDAP?
EAP-TTLS/PAP
Whether Chromebooks support it or not, I have no idea. But that's what everyone else has to do.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 23, 2022, at 8:38 AM, Robert Montgomery <rob@gsuites.rnav.net> wrote:
I'll play around and see if I can get that to work. (I don't think PAP is supported either...). Thanks!
TTLS+PAP should be supported. ChromeOS use wpa_supplicant, which definitely supports it. And a quick check around the net shows many people talking about TTLS+PAP for Chromebooks, for years. Alan DeKok.
I took another look and you're right... I had misconfigured the client (or, more specifically, I was failing a certificate check). When I configured it to ignore the certificate (in the lab), it started working. On Tue, Aug 23, 2022 at 8:56 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 23, 2022, at 8:38 AM, Robert Montgomery <rob@gsuites.rnav.net> wrote:
I'll play around and see if I can get that to work. (I don't think PAP is supported either...). Thanks!
TTLS+PAP should be supported. ChromeOS use wpa_supplicant, which definitely supports it. And a quick check around the net shows many people talking about TTLS+PAP for Chromebooks, for years.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Matthew Newton -
Robert Montgomery