Google LDAP integration failure
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Feb 26 04:11:03 CET 2019
> On Feb 26, 2019, at 11:09 AM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>> On Feb 24, 2019, at 6:50 AM, Phil Grace <phil.grace at hssd.k12.ar.us> wrote:
>>
>> It’s not mentioned in the guide at all, so I didn’t do anything with ms-chap as far as that goes. So I guess the clients by default are trying to use MS-CHAP. Testing client is Mac OS and I just leave it on automatic.
>
> Google will not provide the password of the user in cleartext, which is what you'd need for MS-CHAP to work. For MS-CHAP you need either the Cleartext-Password or the NT-Password (MD4ish(Cleartext-Password)) to be available on both the supplicant and the server.
>
> You're pretty much limited to EAP-TTLS-PAP or PEAP-GTC. With those EAP methods you'd set control:Auth-Type := LDAP in the authorize section, and call the LDAP module again in the authenticate section.
Additionally, to prevent the server from negotiating certain EAP methods, comment them out in mods-available/eap and mods-available/eap_inner.
-Arran
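
The EAP-TTLS-PAP case described in the message above, sketched as an inner-tunnel virtual server. This is an added example, not part of the original message and not the project's shipped configuration; it assumes FreeRADIUS 3.x syntax, the file name `sites-enabled/inner-tunnel`, and an `ldap` module instance that is already configured against the directory.

```unlang
# sites-enabled/inner-tunnel: added example, FreeRADIUS 3.x syntax assumed.
# "ldap" is assumed to be a working instance from mods-enabled/ldap.
server inner-tunnel {
	authorize {
		# Look the user up in the directory. The module returns
		# ok or updated when the entry is found.
		ldap

		# TTLS-PAP carries the password as User-Password inside the
		# TLS tunnel. Only in that case can the server check it by
		# binding to LDAP as the user, so only then force Auth-Type.
		if ((ok || updated) && &User-Password) {
			update control {
				&Auth-Type := LDAP
			}
		}
	}

	authenticate {
		# Second call to the ldap module: performs the bind with the
		# supplied password. The directory never hands back the
		# cleartext password or NT-Password, so there is nothing for
		# an MS-CHAP exchange to be verified against.
		Auth-Type LDAP {
			ldap
		}
	}
}
```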