Google LDAP integration failure

Arran Cudbard-Bell a.cudbardb at
Tue Feb 26 04:11:03 CET 2019

> On Feb 26, 2019, at 11:09 AM, Arran Cudbard-Bell <a.cudbardb at> wrote:
>> On Feb 24, 2019, at 6:50 AM, Phil Grace <phil.grace at> wrote:
>> Its not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.
> Google will not provide the password of the user in cleartext, which is what you'd need for MS-CHAP to work.  For MS-CHAP you need either the Cleartext-Password or the NT-Password (MD4ish(Cleartext-Password)) to be available on both the supplicant and the server.
> You're pretty much limited to EAP-TTLS-PAP or PEAP-GTC.  With those EAP methods you'd set control:Auth-Type := LDAP in the authorize section, and call the LDAP module again in the authenticate section.

Additionally, to prevent the server from negotiating certain EAP methods, comment them out in mods-available/eap and mods-available/eap_inner.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <>

More information about the Freeradius-Users mailing list