TTLS-PAP and LDAP for google - User-Password? Cleartext-Password?

Alan DeKok aland at
Thu Nov 23 12:12:44 UTC 2023

On Nov 23, 2023, at 6:49 AM, Pietro N. via Freeradius-Users <freeradius-users at> wrote:
> Hello to you,
> my freeradius 3.2.1 is already auth/authorizing through Active Directory and I'm trying to add a second auth/autz source (google) to the configuration.
> I'm using the google-related freeradius templates.
> I'm following the google documentation:

  That documentation is garbage.  Ignore it.  I've submitted requests for them to fix it.  But they're Google, and they know better than the FreeRADIUS developers.

> but I'm finding something that don't match with the rlm_pap official documentation. Actually, I'm not able to authenticate.

  That's a good hint that the documentation is wrong.

> In particular, the google documentation reports:
> /etc/freeradius/3.0/sites-available/default -> authorize
> ...
> if (User-Password) {
>    update control {
>        Auth-Type := ldap
>    }
> }

  That sets Auth-Type for the *outer* session.  i.e. TTLS.  You need to set it for the *inner* session.  i.e. in the inner-tunnel virtual server.

> BUT in an older post I read that you have to set Cleartext-Password (see:

  There is no magic "set this and it works".  The better approach is to understand how the pieces interact.

  Cleartext-Password is the *correct* password for the user.  If the server is given Cleartext-Password by some configuration (LDAP, SQL, or "update" section), then the PAP module can compare User-Password to Cleartext-Password, and authenticate the user.  Or the MS-CHAP module can take Cleartext-Password, do the MS-CHAP calculations, and compare that to the MS-CHAP data sent by the user.

> Moreover, in the rlm_pap docs, I don't see User-Password as an Attribute.

  The PAP module checks the User-Password against Cleartext-Password, or Crypt-Password, or 

> Should I avoid the google how-to? I chose it because it seemed a clear step-by-step procedure to follow, but if it contains mistakes I'll abandon it.

  It's wrong.  It might work sometimes, but it completely miu

> Does anyone know another tutorial for such a configuration?
> I'd also need to understand what should I add in the "inner" config.

  It depends on what you want to do...

  TTLS+PAP to Google LDAP?  Configure the LDAP module to point to google.  Make the inner-tunnel use LDAP for authentication.

  Alan DeKok.

More information about the Freeradius-Users mailing list