G Suite Secure LDAP - FreeRADIUS (pfSense) - Authentication - Regarding

Alan DeKok aland at deployingradius.com
Thu Jun 10 15:22:16 CEST 2021

On Jun 10, 2021, at 6:21 AM, P.Thirunavukkarasu <drthiruna at tanuvas.org.in> wrote:
> Herewith I am sending the debug output as you mentioned for your reference
> Kindly guide me.


  Read it, looking for "warning" and / or "error".

> (6) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (6) ldap:    --> (uid=ldap)
> (6) ldap: Performing search in "dc=tanuvas,dc=org,dc=in" with filter
> "(uid=ldap)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: User object found at DN
> "uid=ldap,ou=Faculty,ou=People,ou=Registrar,ou=Users,dc=tanuvas,dc=org,dc=in"
> (6) ldap: Processing user attributes
> (6) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (6) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
> (if that is what you were trying to configure)

  That seems to be pretty clear.

> (6) eap_gtc:   Auth-Type PAP {
> (6) pap: Login attempt with password
> (6) pap: No password configured for the user.  Cannot do authentication


  Your database MUST supply a "known good" password to FreeRADIUS.

   Read mods-available/ldap.  It has EXPLICIT instructions for doing tests with "ldapsearch".  If running "ldapsearch" doesn't return a password, then many EAP types simply won't work.

  You MUST configure TTLS + PAP on the client for EAP.  You MUST use LDAP authentication in sites-enabled/inner-tunnel.  i.e.

authorize {
	if (User-Password) {
		update control {
			Auth-Type := LDAP

authenticate {

  Nothing else will work.  This is a limitation of Google Secure LDAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list