Alternative to ClientLogin for Google Apps authentication?

Daniel Smith danielesmith at gmail.com
Wed Jan 28 22:26:00 CET 2015


Hi,

My organization has a FreeRADIUS server set up to authenticate WiFi users
with their Google Apps email address and generated app password. It accepts
them over EAP in plain text and then runs them against the ClientLogin API
in a Perl script.

Google has deprecated ClientLogin and is cutting it off in April this year.
I have consulted with a couple cloud RADIUS providers and they say they can
keep this system working as it currently does - users create a Google app
password, sign into the WiFi network with it, and they get on the network.
This is ideal since we can just direct our existing server's IP to the
cloud provider, and our hundreds of clients keep working without a single
change.

Is there any way FreeRADIUS can authenticate against Google with an app
password, without ClientLogin being around anymore? I looked into OAuth2
but it looks like that will require all existing clients to manually sign
in again and change details, since it'll require interaction to create the
first refresh token.

A horrifying other option is to start caching users' passwords on the
RADIUS server as they are successfully authenticated, so that we have their
working config stored, then when Google cuts off the API we authenticate
users against a local database of those stored passwords, manually
adding/disabling new/old ones for any user changes. Ugly, insecure, and
broken.

Any advice?

Thanks,
Dan

