How to connect to PAP or how to use PEAP with Google LDAP?

Alan DeKok aland at
Thu Jan 16 15:30:10 CET 2020

On Jan 16, 2020, at 9:06 AM, Mathias Maes <mathias.maes at> wrote:
> I have set up freeradius with the simple tutorial found on Google help
> pages about their Secure LDAP:

  That guide is wrong.  I've filed an issue with them to fix it.  But of course being Google, they don't care about anyone, and they don't care to fix their mistakes.

> I followed all steps, freeradius starts, I get Access-Accept responses when
> I use the radtest tool. Perfect!

  That's good, but their instructions also have unfortunate side effects:

  In their instructions:

5 (b) is not necessary.  It doesn't hurt, but it's not necessary.

5 (c) is also not necessary

5 (d) is wrong, and no one should ever do that.

> Although, when trying to connect to an AP with an Android device, I can
> only connect with an EAP protocol, PAP seems to be unavailable.


> This is a problem, as other protocols encrypt the password (TTLS + PAP) for
> example shows no User-Password field in the incoming request. So freeradius
> can't handle the request because Google really needs that unencrypted
> User-Password field.

  Read the debug output.  There *is* a User-Password attribute, but it's only seen inside of the "inner-tunnel".

> So, how do I connect with an Android device with the PAP protocol the
> server needs after following that Google tutorial, or is there a way to let
> Freeradius decrypt the password and pass it to Google?

  Edit sites-enabled/inner-tunnel, and add the following text to the "authorize" section:

if (User-Password) {
    update control {
        Auth-Type := ldap
    }
}

  You should also read the instructions at the top of the "inner-tunnel" file.  They explain how to do testing *without* using EAP / WiFi.

  Alan DeKok.
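
An offline check for the edit described in the message above, added here as an example (not code from the original post or from the FreeRADIUS project): it confirms that the `if (User-Password)` block is complete and sits inside the `authorize` section rather than somewhere else. The function names and the sample configuration fragments are constructed for illustration.

```python
import re

def strip_comments(text):
    # '#' starts a comment in FreeRADIUS config files (a '#' inside quotes is
    # not handled; that is a simplification made for this example).
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def block_at(text, open_end):
    """Body of the block whose '{' ends at open_end; None if never closed."""
    depth = 1
    for i in range(open_end, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_end:i]
    return None

def find_block(text, header_re):
    m = re.search(header_re + r"\s*\{", text, re.M)
    return block_at(text, m.end()) if m else None

def sets_ldap_for_pap(config):
    """True if authorize{} holds the complete if/update block from the reply."""
    authorize = find_block(strip_comments(config), r"^\s*authorize")
    cond = authorize and find_block(authorize, r"if\s*\(\s*&?User-Password\s*\)")
    update = cond and find_block(cond, r"update\s+control")
    return bool(update and re.search(r"^\s*&?Auth-Type\s*:=\s*ldap\s*$", update, re.M))

# Constructed inner-tunnel fragments (not taken from a real deployment).
GOOD = """
server inner-tunnel {
authorize {
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}
}
"""
TRUNCATED = GOOD.replace("        }\n    }\n", "")  # closing braces lost
WRONG_SECTION = GOOD.replace("authorize {", "authorize {\n}\nauthenticate {")

def check_all():
    return {n: sets_ldap_for_pap(c) for n, c in
            [("good", GOOD), ("truncated", TRUNCATED), ("wrong_section", WRONG_SECTION)]}

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'ok' if ok else 'block missing or incomplete'}")
```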
