TTLS-PAP and LDAP for google - User-Password? Cleartext-Password?
Alan DeKok
aland at deployingradius.com
Thu Nov 23 12:12:44 UTC 2023
On Nov 23, 2023, at 6:49 AM, Pietro N. via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hello to you,
> my freeradius 3.2.1 is already auth/authorizing through Active Directory and I'm trying to add a second auth/autz source (google) to the configuration.
>
> I'm using the google-related freeradius templates.
> I'm following the google documentation: https://support.google.com/a/answer/9089736?hl=en&ref_topic=9173976&sjid#zippy=%2Cfreeradius
That documentation is garbage. Ignore it. I've submitted requests for them to fix it. But they're Google, and they know better than the FreeRADIUS developers.
> but I'm finding something that doesn't match with the rlm_pap official documentation. Actually, I'm not able to authenticate.
That's a good hint that the documentation is wrong.
> In particular, the google documentation reports:
> /etc/freeradius/3.0/sites-available/default -> authorize
> ...
> if (User-Password) {
>     update control {
>         Auth-Type := ldap
>     }
> }
That sets Auth-Type for the *outer* session. i.e. TTLS. You need to set it for the *inner* session. i.e. in the inner-tunnel virtual server.
> BUT in an older post I read that you have to set Cleartext-Password (see: https://freeradius-users.freeradius.narkive.com/jbibA0Uf/pap-warning-authentication-will-fail-unless-a-known-good-password-is-available#post1).
There is no magic "set this and it works". The better approach is to understand how the pieces interact.
Cleartext-Password is the *correct* password for the user. If the server is given Cleartext-Password by some configuration (LDAP, SQL, or "update" section), then the PAP module can compare User-Password to Cleartext-Password, and authenticate the user. Or the MS-CHAP module can take Cleartext-Password, do the MS-CHAP calculations, and compare that to the MS-CHAP data sent by the user.
> Moreover, in the rlm_pap docs, I don't see User-Password as an Attribute.
The PAP module checks the User-Password against Cleartext-Password, or Crypt-Password, or
> Should I avoid the google how-to? I chose it because it seemed a clear step-by-step procedure to follow, but if it contains mistakes I'll abandon it.
It's wrong. It might work sometimes, but it completely miu
> Does anyone know another tutorial for such a configuration?
> I'd also need to understand what should I add in the "inner" config.
It depends on what you want to do...
TTLS+PAP to Google LDAP? Configure the LDAP module to point to google. Make the inner-tunnel use LDAP for authentication.
Alan DeKok.
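Added example (not part of the original message, and not taken from Google's page or from the stock FreeRADIUS files): a configuration illustrating the advice above, with the Auth-Type decision moved into the inner-tunnel virtual server and the ldap module pointed at Google. The hostname ldap.google.com, the certificate paths, the base_dn, the uid filter attribute and the "LOCAL" realm are assumptions to be replaced with your own values; only the sections relevant to TTLS+PAP+LDAP are shown, everything else stays as in the stock files.

```unlang
#
#  Fragment 1: /etc/freeradius/3.0/sites-available/inner-tunnel
#
#  TTLS decrypts the tunnel and hands the inner PAP request to the virtual
#  server named in mods-available/eap (ttls { virtual_server = "inner-tunnel" }).
#  That is why "Auth-Type := ldap" set in sites-available/default (the outer
#  server) never affects the inner authentication.
#
server inner-tunnel {
	authorize {
		filter_username
		suffix

		#  Assumption: inner requests are handled locally, not proxied.
		update control {
			&Proxy-To-Realm := LOCAL
		}

		#  "-ldap": look the user up; if Google returned a "known good"
		#  password (Cleartext-Password etc.) the pap module below could
		#  use it. Google Secure LDAP does not hand out passwords, so we
		#  fall back to an LDAP bind: set Auth-Type ldap, but ONLY when
		#  the inner request actually carries a User-Password, i.e. PAP.
		#  (MS-CHAP inside TTLS has no User-Password and cannot bind.)
		-ldap
		if ((ok || updated) && User-Password) {
			update control {
				Auth-Type := ldap
			}
		}

		expiration
		logintime

		#  pap is a no-op here once Auth-Type is already set to ldap.
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		#  Bind to Google as the user's DN with the inner User-Password.
		Auth-Type LDAP {
			ldap
		}
	}
}

#
#  Fragment 2: /etc/freeradius/3.0/mods-available/ldap
#  (symlinked into mods-enabled/). Host, base_dn, filter attribute and
#  file paths are assumptions for this example.
#
ldap {
	server = 'ldaps://ldap.google.com'
	port = 636
	base_dn = 'dc=example,dc=com'

	user {
		base_dn = "${..base_dn}"
		#  Match the inner (stripped) user name; uid is assumed here.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		#  Client certificate and key issued for this LDAP client.
		certificate_file = /etc/freeradius/3.0/certs/google-ldap-client.crt
		private_key_file = /etc/freeradius/3.0/certs/google-ldap-client.key
		require_cert = 'demand'
		#  Already ldaps:// on 636, so no StartTLS upgrade.
		start_tls = no
	}
}
```

To verify which server made the decision, run "radiusd -X" and look at the debug output for the inner request: the "(1) # Executing section authorize from file .../inner-tunnel" block should show "ldap" running and "Auth-Type := ldap" being set, followed by the bind in the authenticate section. If the Auth-Type update appears only under sites-available/default, the block is still in the outer server and the inner PAP request will fall through to pap with no known-good password, which is exactly the failure described above. Note that radtest only speaks plain PAP to the outer server and cannot exercise TTLS; use a supplicant or eapol_test for the tunnelled case.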