Google LDAP

Julien Tessier jtessier at c2.biz
Tue Aug 13 15:41:36 CEST 2019


Alan,

Thanks for the fast response.

It never occurred to me to check the actual VPN client, I've set it to
refuse MS-CHAP and it now sends a PAP request to Freeradius. It's now
authenticating fine with Google LDAP. I spent so much time trying to fix
the wrong thing.





On Mon, 12 Aug 2019 at 16:28, Alan DeKok <aland at deployingradius.com> wrote:

> On Aug 12, 2019, at 3:59 PM, Julien Tessier <jtessier at c2.biz> wrote:
> > I've been trying for some time to connect Freeradius to Google Cloud
> > Identity LDAP server. I followed their install guide and can successfully
> > bind.
>
>   Which is good.  Because their guide tells you to do the wrong thing.
> I've submitted a bug request to them.  But since I'm not worth billions,
> Google ignores me.
>
>   Following the guide will work.  But it will work ONLY for PAP passwords
> to Google LDAP.   The instructions on their guide will break everything
> else.
>
> > Unfortunately, I get (0) pap: WARNING: No "known good" password found
> > for the user.  Not setting Auth-Type and Access-Reject.
>
>   That's not the real error.  Read ALL of the debug output for ERRORs and
> WARNINGs.
>
> > (0) Received Access-Request Id 202 from 10.10.0.1:38106 to 10.10.10.100:1812 length 136
> > (0)   Service-Type = Framed-User
> > (0)   Framed-Protocol = PPP
> > (0)   User-Name = "jtessier"
> > (0)   MS-CHAP-Challenge = 0x88893572d1caa40f7048f8dcb81abcb3
> > (0)   MS-CHAP2-Response = 0x5800d771ab437518177eb9c6eb22db522ba90000000000000000a08191a22342a6358fc5f127965acd3963fc2d317a92cb43
>
>   That's MS-CHAP.  Not PAP.
>
>   Google's LDAP server doesn't do MS-CHAP.
>
> > (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> > (0) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> > (0) mschap: Creating challenge hash with username: jtessier
> > (0) mschap: Client is using MS-CHAPv2
> > (0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
>
>   That's pretty clear.  FreeRADIUS needs the Cleartext-Password in order
> to do MS-CHAP.
>
>   Google LDAP won't give it to you.  So you can't do MS-CHAP.
>
>   Your options are:
>
> a) use another LDAP server which *will* return Cleartext-Password
>
> b) don't use MS-CHAP.
>
>   Alan DeKok.



-- 

*JULIEN TESSIER*
—
DEVOPS ANALYST
*C2 MONTRÉAL | COMMERCE + CRÉATIVITÉ*
—
C +1-438-830-1360
—
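
An added example, not part of either message or of FreeRADIUS itself: a small Python checker that reads FreeRADIUS debug output, reports which authentication method each Access-Request carries, and says whether a bind-only LDAP backend like the one discussed in this thread can verify it. The sample log is constructed (modelled on the lines quoted above), and the function and table names are hypothetical.

```python
import re

RECEIVED = re.compile(r'^\((\d+)\) Received Access-Request\b')
ATTR = re.compile(r'^\((\d+)\)\s{2,}([A-Za-z][\w-]*) =\s*(.*)$')

# Request attribute -> (method, can a bind-only LDAP backend verify it?)
# Checked in order. Only PAP hands the server a password it can bind with;
# CHAP and MS-CHAP need a stored password on the RADIUS side.
# None means "depends on the inner EAP method".
METHODS = [
    ("MS-CHAP2-Response", "MS-CHAPv2", False),
    ("MS-CHAP-Response", "MS-CHAPv1", False),
    ("CHAP-Password", "CHAP", False),
    ("EAP-Message", "EAP", None),
    ("User-Password", "PAP", True),
]

def classify_requests(debug_text):
    """Return {request_number: (method, bind_ok)} for each Access-Request."""
    attrs, current = {}, None
    for line in debug_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            current = int(m.group(1))
            attrs[current] = set()
            continue
        m = ATTR.match(line)
        if m and current == int(m.group(1)):
            attrs[current].add(m.group(2))
        elif line.strip():
            current = None  # first non-attribute line ends the request dump
    return {req: next(((meth, ok) for a, meth, ok in METHODS if a in names),
                      ("unknown", None))
            for req, names in attrs.items()}

# Constructed sample: request 0 is MS-CHAPv2, request 1 is PAP.
SAMPLE = '''(0) Received Access-Request Id 1 from 192.0.2.1:40000 to 192.0.2.10:1812 length 136
(0)   User-Name = "alice"
(0)   MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
(0)   MS-CHAP2-Response = 0x0000aabbccdd
(0) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(1) Received Access-Request Id 2 from 192.0.2.1:40000 to 192.0.2.10:1812 length 80
(1)   User-Name = "alice"
(1)   User-Password = "constructed-password"
(1) pap: WARNING: example trailing line
'''

if __name__ == "__main__":
    for req, (method, ok) in classify_requests(SAMPLE).items():
        print(req, method, {True: "bind OK", False: "bind cannot verify", None: "depends"}[ok])
```
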


