Alternative to ClientLogin for Google Apps authentication?

Arran Cudbard-Bell a.cudbardb at
Fri Jan 30 06:04:49 CET 2015

> On 29 Jan 2015, at 04:26, Daniel Smith <danielesmith at> wrote:
> Hi,
> My organization has a FreeRADIUS server set up to authenticate wifi users
> with their Google Apps email address and generated app password. It accepts
> them over EAP in plain text and then runs them against the ClientLogin API
> in a perl script.
> Google has deprecated ClientLogin and is cutting it off in April this year.
> I have consulted with a couple cloud radius providers and they say they can
> keep this system working as it currently does

They probably use FreeRADIUS as a backend. I know Cloudessa does at least.
They don't support the project in any way though.

> - users create a Google app
> password, sign into the WiFi network with it, and they get on the network.
> This is ideal since we can just direct our existing server's IP to the
> cloud provider, and our hundreds of clients keep working without a single
> change.
> Is there any way FreeRADIUS can authenticate against Google with an app
> password, without ClientLogin being around anymore? I looked into OAuth2
> but it looks like that will require all existing clients to manually sign
> in again and change details, since it'll require interaction to create the
> first refresh token.

I don't know how they're doing it. But if you have any requests like extra 
HMAC functions and want to try something with Oauth2, i'd be happy to help


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list