Google LDAP Authentication for WIFI Setup issues
Matthew Newton
mcn at freeradius.org
Thu Nov 7 23:27:10 UTC 2024
On 07/11/2024 22:47, Joseph Allen wrote:
> Next I moved that file to the enabled mods folder as well as moving the
> google-ldap-auth file to the sites-enable folder. (I say move, I did a
> symbolic link). After lots of troubleshooting, I removed the default from
> the sites-enabled just to try and simplify everything.
Here's your problem.
> First I ran into issues with the filter_inner_identity, I don't quite
> understand why that is failing, but I saw somewhere else that is not
> needed, so I commented it out. Now I keep seeing this:
That's fine, not everyone needs it.
> (0) Received Access-Request Id 26 from 192.168.52.1:59099 to
> 192.168.52.155:1812 length 249
...
> (0) EAP-Message = 0x027b0012017465737440746573742e636f6d
EAP
> (0) Message-Authenticator = 0xf88e64c655b98a2aa22e62a2844fe21d
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/google-ldap-auth
> (0) authorize {
...
there was no "eap" in there.
> (0) if (&User-Password && !control:Auth-Type) {
> (0) if (&User-Password && !control:Auth-Type) -> FALSE
> (0) } # authorize = updated
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
> Reject
> (0) Failed to authenticate the user
> So the big question, is why is there no password? I am testing with my
> iPad, and I am typing in a password when connecting to the Wifi. The wifi
> config is set to WPA Enterprise.
You removed the default server, and therefore the call to the eap
module. The comments at the top of the google-ldap configuration say it
is the inner tunnel virtual server. Sending wifi auth to it directly
won't work, as it's for an EAP inner method (specifically, EAP-TTLS/PAP
only, as that's the only commonly used one that has a clear text
password to use).
You need to add the default virtual server back in again, then configure
the relevant (TTLS) "virtual_server" in mods-enabled/eap to point to
"google-ldap" instead of "inner-tunnel" (the default).
Best still, go back to the default configuration, add your user to the
"users" file, and get the basics working. Once you have done that you
can remove or change one thing at a time and then you'll know whether what
you have done has broken anything or not. Using version control is
useful for this.
--
Matthew
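To make the wiring Matthew describes concrete, here is an added configuration example (not from the original thread, and not the stock FreeRADIUS files verbatim). It shows the two places that have to agree: the outer "default" virtual server in sites-enabled calls the eap module, which hands the decrypted EAP-TTLS inner request to whatever "virtual_server" the ttls sub-section of mods-enabled/eap names. The server name "google-ldap" follows Matthew's wording and is an assumption; it must match the "server NAME {" line at the top of the google-ldap-auth file you symlinked into sites-enabled, whatever that file actually declares.

```conf
# --- sites-enabled/default (outer server, must stay enabled) ---
# Only the relevant part of the authorize section is shown.
server default {
	listen {
		type = auth
		ipaddr = *
		port = 0
	}

	authorize {
		filter_username
		preprocess

		# This call is what was missing in the posted debug output.
		# "eap" sees the EAP-Message attribute, takes over the
		# conversation and sets Auth-Type := EAP. Without it the
		# outer request has no password and no Auth-Type, so the
		# server rejects it, which is exactly the error shown above.
		eap {
			ok = return
		}

		files
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type EAP {
			eap
		}
		# ... other Auth-Types as in the stock file ...
	}
}

# --- mods-enabled/eap (only the ttls sub-section changes) ---
eap {
	default_eap_type = ttls
	timer_expire = 60
	max_sessions = ${max_requests}

	tls-config tls-common {
		# ... certificate settings as in the stock file ...
	}

	ttls {
		tls = tls-common
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no

		# Stock setting sends the inner (tunnelled) request to
		# "inner-tunnel". Point it at the Google LDAP inner server
		# instead. The name is an assumption: it must be the NAME
		# in "server NAME {" at the top of sites-enabled/google-ldap-auth.
		#virtual_server = "inner-tunnel"
		virtual_server = "google-ldap"
	}
}
```

With this in place the iPad's EAP-TTLS/PAP credentials arrive at the google-ldap server as a clear-text User-Password inside the tunnel, which is the only place that server is designed to see them. Run the server with "radiusd -X" and look for the "(n) Virtual server google-ldap received request" line (or the equivalent for your server name) in the inner request to confirm the hand-off is happening; if the outer request still shows "No Auth-Type found", the eap call in the default server is not being reached.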