Google LDAP integration failure

Arran Cudbard-Bell a.cudbardb at
Tue Feb 26 04:09:58 CET 2019

> On Feb 24, 2019, at 6:50 AM, Phil Grace <phil.grace at> wrote:
> Its not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.

Google will not provide the password of the user in cleartext, which is what you'd need for MS-CHAP to work.  For MS-CHAP you need either the Cleartext-Password or the NT-Password (MD4ish(Cleartext-Password)) to be available on both the supplicant and the server.

You're pretty much limited to EAP-TTLS-PAP or PEAP-GTC.  With those EAP methods you'd set control:Auth-Type := LDAP in the authorize section, and call the LDAP module again in the authenticate section.

This authenticates the user by submitting their cleartext credentials to Google's LDAP server as part of a Bind operation.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Freeradius-Users mailing list